@mooncompany/uplink-chat 0.5.0

package/server/middleware.js

@@ -0,0 +1,218 @@
+/**
+ * Middleware Module - Security headers, CSRF, rate limiting
+ */
+
+import rateLimit from 'express-rate-limit';
+import cors from 'cors';
+import { timingSafeEqual } from 'crypto';
+import { ALLOWED_ORIGINS, WEBHOOK_TOKEN, GATEWAY_TOKEN as STATIC_GATEWAY_TOKEN } from './config.js';
+import { isPrivateIP } from './utils.js';
+import { loadConfig } from './runtime-config.js';
+import { createLogger } from './logger.js';
+
+const log = createLogger('middleware');
+
+// Re-export isPrivateIP for backward compatibility
+export { isPrivateIP };
+
+// ===========================================
+// Rate Limiting
+// ===========================================
+// Skip rate limiting for localhost/loopback — only limit external IPs
+const isLoopback = (ip) => ip === '127.0.0.1' || ip === '::1' || ip === '::ffff:127.0.0.1';
+
+export const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 500, // Limit each IP to 500 requests per window (increased for active chatting)
+  message: { error: true, message: 'Too many requests, please try again later.', code: 'RATE_LIMITED' },
+  standardHeaders: true,
+  legacyHeaders: false,
+  skip: (req) => isLoopback(req.ip),
+});
+
+export const strictLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 30, // Limit each IP to 30 requests per window (was 10, too aggressive for onboarding)
+  message: { error: true, message: 'Too many requests, please try again later.', code: 'RATE_LIMITED' },
+  standardHeaders: true,
+  legacyHeaders: false,
+  skip: (req) => isLoopback(req.ip),
+});
+
+// ===========================================
+// SSRF Prevention
+// ===========================================
+// isPrivateIP is now consolidated in server/utils.js - import from there
+
+// ===========================================
+// CSRF Protection
+// ===========================================
+export function csrfProtection(req, res, next) {
+  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
+    return next();
+  }
+
+  const origin = req.get('Origin');
+  const referer = req.get('Referer');
+  const host = req.get('Host');
+
+  if (!origin && !referer) {
+    return next();
+  }
+
+  if (origin) {
+    try {
+      const originUrl = new URL(origin);
+      const hostWithoutPort = host.split(':')[0];
+      if (originUrl.hostname !== hostWithoutPort && 
+          originUrl.hostname !== 'localhost' && 
+          originUrl.hostname !== '127.0.0.1' &&
+          !originUrl.hostname.endsWith('.ts.net')) {
+        log.warn(`CSRF blocked: origin ${origin} doesn't match host ${host}`);
+        return res.status(403).json({ error: 'CSRF validation failed' });
+      }
+    } catch (e) {
+      return res.status(403).json({ error: 'Invalid origin header' });
+    }
+  }
+
+  next();
+}
+
+// ===========================================
+// Security Headers
+// ===========================================
+export function securityHeaders(req, res, next) {
+  const nonce = res.locals.nonce;
+  
+  // Allow embedding from localhost and production RedOS
+  // Using frame-ancestors instead of X-Frame-Options for more control
+  const allowedFrameAncestors = [
+    "'self'",
+    "http://localhost:3000",      // RedOS dev server
+    "http://127.0.0.1:3000",
+    "https://redos.moonco.pro",   // RedOS production
+  ].join(' ');
+  
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  
+  // Build CSP with nonce if available
+  const scriptSrc = nonce
+    ? `script-src 'self' 'nonce-${nonce}' 'unsafe-hashes' https://cdnjs.cloudflare.com`
+    : `script-src 'self' 'unsafe-hashes' https://cdnjs.cloudflare.com`;
+  
+  const cspDirectives = [
+    "default-src 'self'",
+    scriptSrc,
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+    "font-src 'self' https://fonts.gstatic.com",
+    "img-src 'self' data: blob:",
+    "connect-src 'self' data: blob: ws: wss: https://api.elevenlabs.io https://fonts.googleapis.com https://fonts.gstatic.com https://static.cloudflareinsights.com",
+    "media-src 'self' blob:",
+    `frame-ancestors ${allowedFrameAncestors}`
+  ];
+  
+  res.setHeader('Content-Security-Policy', cspDirectives.join('; '));
+  next();
+}
+
+// ===========================================
+// CORS Configuration
+// ===========================================
+export const corsMiddleware = cors({
+  origin: (origin, callback) => {
+    if (!origin) return callback(null, true);
+    if (ALLOWED_ORIGINS.includes(origin)) {
+      return callback(null, true);
+    }
+    // Auto-allow Tailscale HTTPS origins (*.ts.net)
+    try {
+      const url = new URL(origin);
+      if (url.hostname.endsWith('.ts.net')) {
+        return callback(null, true);
+      }
+    } catch {}
+    callback(new Error('CORS not allowed'));
+  },
+  methods: ['GET', 'POST', 'DELETE'], // M-25: Added DELETE for cross-origin delete routes
+  credentials: true,
+  maxAge: 86400
+});
+
+// ===========================================
+// Bearer Token Verification (Sync & API auth)
+// ===========================================
+export async function verifyBearerToken(req, res, next) {
+  // Get token dynamically (includes auto-discovered values from OpenClaw config)
+  let expectedToken = STATIC_GATEWAY_TOKEN;
+  if (!expectedToken) {
+    try {
+      const config = await loadConfig();
+      expectedToken = config.gatewayToken;
+    } catch {
+      // Fall through to the check below
+    }
+  }
+  
+  if (!expectedToken) {
+    return res.status(503).json({ error: true, message: 'Authentication not configured', code: 'AUTH_NOT_CONFIGURED' });
+  }
+  const authHeader = req.headers.authorization || '';
+  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
+  if (!token) {
+    return res.status(401).json({ error: true, message: 'Missing Authorization header', code: 'UNAUTHORIZED' });
+  }
+  const providedBuf = Buffer.from(token);
+  const expectedBuf = Buffer.from(expectedToken);
+  if (providedBuf.length !== expectedBuf.length || !timingSafeEqual(providedBuf, expectedBuf)) {
+    return res.status(401).json({ error: true, message: 'Invalid token', code: 'INVALID_TOKEN' });
+  }
+  next();
+}
+
+// ===========================================
+// Webhook Token Verification
+// ===========================================
+export function verifyWebhookToken(req, res, next) {
+  if (!WEBHOOK_TOKEN) {
+    return res.status(503).json({
+      error: 'Webhooks disabled. Set WEBHOOK_TOKEN in .env to enable.'
+    });
+  }
+  const token = req.headers['x-webhook-token'] || req.query.token || '';
+
+  // Timing-safe comparison to prevent timing attacks
+  const providedBuf = Buffer.from(token);
+  const expectedBuf = Buffer.from(WEBHOOK_TOKEN);
+  if (providedBuf.length !== expectedBuf.length) {
+    return res.status(401).json({ error: 'Invalid webhook token' });
+  }
+  if (!timingSafeEqual(providedBuf, expectedBuf)) {
+    return res.status(401).json({ error: 'Invalid webhook token' });
+  }
+  next();
+}
+
+// ===========================================
+// UTF-8 JSON Response
+// ===========================================
+export function jsonUtf8(req, res, next) {
+  const originalJson = res.json.bind(res);
+  res.json = (data) => {
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    return originalJson(data);
+  };
+  next();
+}
+
+// ===========================================
+// No Cache Headers
+// ===========================================
+export function noCache(req, res, next) {
+  res.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+  res.set('Pragma', 'no-cache');
+  res.set('Expires', '0');
+  next();
+}

package/server/openclaw-discover.js

@@ -0,0 +1,308 @@
+/**
+ * OpenClaw Gateway Auto-Discovery
+ * 
+ * Reads the local OpenClaw config to auto-detect gateway URL and token.
+ * Eliminates manual onboarding for same-machine installs.
+ * 
+ * Discovery order:
+ * 1. Environment variables (GATEWAY_URL, GATEWAY_TOKEN) — highest priority
+ * 2. OPENCLAW_STATE_DIR env var (explicit path override)
+ * 3. Native OS config (~/.openclaw/openclaw.json)
+ * 4. WSL config (Windows only — checks \\wsl.localhost\<distro>\home\<user>\.openclaw\)
+ * 5. Default fallback (http://127.0.0.1:18789, no token)
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+import { execSync } from 'child_process';
+import { createLogger } from './logger.js';
+
+const log = createLogger('Discovery');
+
+// OpenClaw config locations (in priority order)
+const OPENCLAW_STATE_DIR = process.env.OPENCLAW_STATE_DIR || path.join(os.homedir(), '.openclaw');
+const OPENCLAW_CONFIG_PATH = path.join(OPENCLAW_STATE_DIR, 'openclaw.json');
+
+// Default OpenClaw gateway port
+const DEFAULT_GATEWAY_PORT = 18789;
+
+// WSL distros to skip (not real Linux installs)
+const WSL_SKIP_DISTROS = new Set(['docker-desktop', 'docker-desktop-data']);
+
+/**
+ * Attempt to read and parse an OpenClaw config at a given path
+ * @param {string} configPath - Path to openclaw.json
+ * @returns {{ config: Object, path: string }|null} Parsed config + path, or null
+ */
+async function tryReadConfig(configPath) {
+  try {
+    const data = await fs.readFile(configPath, 'utf8');
+    return { config: JSON.parse(data), path: configPath };
+  } catch (err) {
+    if (err.code !== 'ENOENT') {
+      log.warn(`Failed to read config at ${configPath}:`, err.message);
+    }
+    return null;
+  }
+}
+
+/**
+ * Get list of WSL distro names (Windows only)
+ * @returns {string[]} Distro names
+ */
+function getWSLDistros() {
+  if (os.platform() !== 'win32') return [];
+  
+  try {
+    // wsl --list --quiet outputs distro names, one per line
+    // Output is UTF-16LE on some Windows versions, handle encoding
+    const output = execSync('wsl --list --quiet', { 
+      encoding: 'utf8',
+      timeout: 5000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    
+    return output
+      .replace(/\0/g, '') // Strip null bytes from UTF-16LE artifacts
+      .split(/\r?\n/)
+      .map(line => line.trim())
+      .filter(line => line && !WSL_SKIP_DISTROS.has(line.toLowerCase()));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Get the WSL user's home directory for a given distro
+ * @param {string} distro - WSL distro name
+ * @returns {string|null} Home directory path or null
+ */
+function getWSLHomePath(distro) {
+  try {
+    const output = execSync(`wsl -d ${distro} -- echo $HOME`, {
+      encoding: 'utf8',
+      timeout: 5000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    const home = output.trim().replace(/\0/g, '');
+    if (!home) return null;
+    
+    // Convert /home/user to \\wsl.localhost\distro\home\user
+    // Try both \\wsl.localhost\ (Win11+) and \\wsl$\ (older)
+    return { wslPath: home, distro };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build Windows UNC paths to access a WSL file
+ * @param {string} distro - WSL distro name
+ * @param {string} wslPath - Linux path (e.g., /home/user)
+ * @returns {string[]} Array of UNC paths to try
+ */
+function buildWSLUNCPaths(distro, wslPath) {
+  // Convert forward slashes to backslashes for Windows UNC
+  const winSubPath = wslPath.replace(/\//g, '\\');
+  return [
+    `\\\\wsl.localhost\\${distro}${winSubPath}`,  // Win11+ preferred
+    `\\\\wsl$\\${distro}${winSubPath}`,            // Older Windows 10
+  ];
+}
+
+/**
+ * Search for OpenClaw config in WSL distros
+ * @returns {{ config: Object, path: string, source: string }|null}
+ */
+async function findWSLConfig() {
+  const distros = getWSLDistros();
+  if (distros.length === 0) return null;
+  
+  log.debug(`Found WSL distros: ${distros.join(', ')}`);
+  
+  for (const distro of distros) {
+    const homeInfo = getWSLHomePath(distro);
+    if (!homeInfo) continue;
+    
+    const openclawWslPath = `${homeInfo.wslPath}/.openclaw/openclaw.json`;
+    const uncPaths = buildWSLUNCPaths(distro, openclawWslPath);
+    
+    for (const uncPath of uncPaths) {
+      const result = await tryReadConfig(uncPath);
+      if (result) {
+        log.info(`Found OpenClaw config in WSL (${distro}) at ${uncPath}`);
+        return { ...result, source: `wsl:${distro}` };
+      }
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Read the OpenClaw config, searching native paths first, then WSL
+ * @returns {{ config: Object, path: string, source: string }|null}
+ */
+async function readOpenClawConfig() {
+  // 1. Try native path (or OPENCLAW_STATE_DIR override)
+  const nativeResult = await tryReadConfig(OPENCLAW_CONFIG_PATH);
+  if (nativeResult) {
+    return { ...nativeResult, source: 'native' };
+  }
+  
+  // 2. On Windows, try WSL paths
+  if (os.platform() === 'win32') {
+    const wslResult = await findWSLConfig();
+    if (wslResult) return wslResult;
+  }
+  
+  return null;
+}
+
+/**
+ * Extract gateway connection details from OpenClaw config
+ * @param {Object} config - Parsed openclaw.json
+ * @returns {{ url: string, token: string|null, source: string }}
+ */
+function extractGatewayDetails(config) {
+  const gateway = config?.gateway || {};
+  const port = gateway.port || DEFAULT_GATEWAY_PORT;
+  const url = `http://127.0.0.1:${port}`;
+
+  // Extract auth token
+  let token = null;
+  if (gateway.auth) {
+    if (gateway.auth.mode === 'token' && gateway.auth.token) {
+      token = gateway.auth.token;
+    } else if (gateway.auth.mode === 'password' && gateway.auth.password) {
+      token = gateway.auth.password;
+    }
+  }
+
+  return { url, token };
+}
+
+/**
+ * Verify gateway is reachable at the given URL
+ * @param {string} url - Gateway URL to check
+ * @param {string|null} token - Auth token (optional)
+ * @returns {Promise<boolean>} True if gateway responds
+ */
+async function verifyGateway(url, token) {
+  try {
+    const headers = {};
+    if (token) {
+      headers['Authorization'] = `Bearer ${token}`;
+    }
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 3000);
+
+    const response = await fetch(`${url}/health`, {
+      method: 'GET',
+      headers,
+      signal: controller.signal,
+    });
+
+    clearTimeout(timeout);
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Auto-discover the OpenClaw gateway
+ * 
+ * Returns discovered gateway details, or null if nothing found.
+ * Does NOT override environment variables — those always take priority.
+ * 
+ * @returns {Promise<{ url: string, token: string|null, source: string, verified: boolean }|null>}
+ */
+export async function discoverGateway() {
+  // If env vars are set, don't auto-discover (they take priority in runtime-config)
+  if (process.env.GATEWAY_URL && process.env.GATEWAY_TOKEN) {
+    return {
+      url: process.env.GATEWAY_URL,
+      token: process.env.GATEWAY_TOKEN,
+      source: 'environment',
+      verified: false, // Caller can verify if needed
+    };
+  }
+
+  // Try reading OpenClaw config (native path first, then WSL on Windows)
+  const configResult = await readOpenClawConfig();
+  if (!configResult) {
+    log.info('No OpenClaw config found (checked native + WSL) — manual setup required');
+    return null;
+  }
+
+  const details = extractGatewayDetails(configResult.config);
+  details.source = configResult.source;
+  details.configPath = configResult.path;
+  log.info(`Found OpenClaw config (${configResult.source}) — gateway at ${details.url}`);
+
+  // Verify the gateway is actually running
+  const verified = await verifyGateway(details.url, details.token);
+  if (verified) {
+    log.info(`✓ Gateway verified at ${details.url}`);
+  } else {
+    log.warn(`Gateway configured at ${details.url} but not responding — may not be running yet`);
+  }
+
+  return {
+    ...details,
+    verified,
+  };
+}
+
+/**
+ * Get the OpenClaw config path (for display/debugging)
+ */
+export function getConfigPath() {
+  return OPENCLAW_CONFIG_PATH;
+}
+
+/**
+ * Get the resolved OpenClaw state directory
+ * This may be a WSL UNC path on Windows if that's where the config was found.
+ * Other modules (satellite, status) should use this for session file access.
+ * 
+ * @returns {Promise<string>} Resolved state directory path
+ */
+let _resolvedStateDir = null;
+
+export async function getOpenClawStateDir() {
+  if (_resolvedStateDir) return _resolvedStateDir;
+  
+  // If explicitly set, use that
+  if (process.env.OPENCLAW_STATE_DIR) {
+    _resolvedStateDir = process.env.OPENCLAW_STATE_DIR;
+    return _resolvedStateDir;
+  }
+  
+  // Check native path first
+  const nativePath = path.join(os.homedir(), '.openclaw');
+  const nativeResult = await tryReadConfig(path.join(nativePath, 'openclaw.json'));
+  if (nativeResult) {
+    _resolvedStateDir = nativePath;
+    return _resolvedStateDir;
+  }
+  
+  // On Windows, check WSL
+  if (os.platform() === 'win32') {
+    const wslResult = await findWSLConfig();
+    if (wslResult) {
+      // Derive state dir from config path (remove /openclaw.json)
+      _resolvedStateDir = path.dirname(wslResult.path);
+      return _resolvedStateDir;
+    }
+  }
+  
+  // Fallback to native path
+  _resolvedStateDir = nativePath;
+  return _resolvedStateDir;
+}
+
+export default { discoverGateway, getConfigPath, getOpenClawStateDir };

package/server/premium/index.js

@@ -0,0 +1,156 @@
+/**
+ * Premium Module — Feature gating for Uplink Premium
+ * 
+ * Manages license activation, premium status, and feature access.
+ * License keys are validated locally using HMAC-SHA256 (no phone home).
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { validateLicense } from './license.js';
+import { createLogger } from '../logger.js';
+
+const log = createLogger('Premium');
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+let premiumActive = false;
+let activatedAt = null;
+
+// When true, premium features show "Coming Soon" instead of purchase prompts.
+// Flip to false when LemonSqueezy is approved and you're ready to sell.
+const PREMIUM_COMING_SOON = true;
+
+// Features gated behind premium
+const PREMIUM_FEATURES = [
+  'voice',        // TTS + STT
+  'themes',       // All themes + custom generator (free gets Midnight only)
+  'agents',       // Agent management panel
+  'splitview',    // Split view mode
+];
+
+// Free users get Midnight only
+const FREE_THEMES = ['midnight'];
+const ALL_THEMES = ['midnight', 'daylight', 'ember', 'forest', 'phantom'];
+
+/**
+ * Initialize premium from stored config
+ * Reads config.json synchronously at startup (runs once)
+ */
+export function initPremium(licenseKey) {
+  // If no key passed, try reading from config.json directly
+  if (!licenseKey) {
+    try {
+      const configPath = path.join(__dirname, '..', '..', 'config.json');
+      const data = fs.readFileSync(configPath, 'utf8');
+      const config = JSON.parse(data);
+      licenseKey = config.licenseKey;
+    } catch {
+      // No config file or no key — that's fine
+    }
+  }
+
+  if (!licenseKey) {
+    premiumActive = false;
+    log.info('Running in free mode');
+    return false;
+  }
+
+  const result = validateLicense(licenseKey);
+  if (result.valid) {
+    premiumActive = true;
+    activatedAt = new Date().toISOString();
+    log.info('✓ Uplink Premium active');
+    return true;
+  } else {
+    premiumActive = false;
+    log.warn('Stored license key is invalid — running in free mode');
+    return false;
+  }
+}
+
+/**
+ * Check if premium is active
+ * @returns {boolean}
+ */
+export function isPremium() {
+  return premiumActive;
+}
+
+/**
+ * Check if a specific feature is available
+ * @param {string} feature - Feature name
+ * @returns {boolean}
+ */
+export function hasFeature(feature) {
+  if (premiumActive) return true;
+  // Free features are anything NOT in PREMIUM_FEATURES
+  return !PREMIUM_FEATURES.includes(feature);
+}
+
+/**
+ * Attempt to activate a license key
+ * @param {string} key - License key to validate
+ * @returns {{ success: boolean, error?: string }}
+ */
+export function activateLicense(key) {
+  const result = validateLicense(key);
+  if (result.valid) {
+    premiumActive = true;
+    activatedAt = new Date().toISOString();
+    log.info('✓ License activated');
+    return { success: true };
+  }
+  return { success: false, error: 'Invalid license key' };
+}
+
+/**
+ * Deactivate premium (for key removal)
+ */
+export function deactivateLicense() {
+  premiumActive = false;
+  activatedAt = null;
+  log.info('License deactivated — running in free mode');
+}
+
+/**
+ * Get premium status for client
+ */
+export function getPremiumStatus() {
+  return {
+    active: premiumActive,
+    activatedAt,
+    comingSoon: PREMIUM_COMING_SOON,
+    features: PREMIUM_FEATURES.reduce((acc, f) => {
+      acc[f] = premiumActive;
+      return acc;
+    }, {}),
+    themes: premiumActive ? ALL_THEMES : FREE_THEMES,
+  };
+}
+
+/**
+ * Express middleware: require premium for a route
+ * Returns 403 with upgrade prompt if not premium
+ */
+export function requirePremium(featureName) {
+  return (req, res, next) => {
+    if (premiumActive) return next();
+    return res.status(403).json({
+      error: true,
+      message: `${featureName || 'This feature'} requires Uplink Premium`,
+      code: 'PREMIUM_REQUIRED',
+      upgrade: true,
+    });
+  };
+}
+
+export default {
+  initPremium,
+  isPremium,
+  hasFeature,
+  activateLicense,
+  deactivateLicense,
+  getPremiumStatus,
+  requirePremium,
+};