@nordsym/apiclaw 1.5.17 → 1.5.19

package/src/access-control.ts

@@ -1,174 +0,0 @@
-/**
- * Access Control System
- * Controls which products/agents can access which providers
- * 
- * Rules format:
- * - Wildcard: "hivr:*" = all Hivr agents
- * - Specific: "hivr:bytebee" = only ByteBee
- * - Product-level: "nordsym:*" = all NordSym agents
- * 
- * Provider wildcards:
- * - "*" = all providers
- * - "brave_*" = all Brave providers
- * - Specific: ["brave_search", "groq"]
- */
-
-interface AccessRule {
-  agentPattern: string;
-  allowedProviders: string[];
-  description?: string;
-}
-
-// Default access rules
-// These can be moved to Convex table for dynamic updates
-const DEFAULT_RULES: AccessRule[] = [
-  {
-    agentPattern: 'hivr:*',
-    allowedProviders: ['*'], // Hivr gets everything
-    description: 'All Hivr bees get full access',
-  },
-  {
-    agentPattern: 'nordsym:*',
-    allowedProviders: ['brave_search', 'groq', 'replicate'],
-    description: 'NordSym team gets selected providers',
-  },
-  // Add more rules as needed
-];
-
-// Cache for compiled rules
-let compiledRules: {
-  pattern: RegExp;
-  providers: string[];
-}[] | null = null;
-
-/**
- * Compile agentPattern to RegExp
- */
-function compilePattern(pattern: string): RegExp {
-  // Convert wildcard pattern to regex
-  // "hivr:*" → /^hivr:.+$/
-  // "hivr:byte*" → /^hivr:byte.+$/
-  const escaped = pattern
-    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // Escape regex chars
-    .replace(/\*/g, '.+'); // Replace * with .+
-  
-  return new RegExp(`^${escaped}$`, 'i');
-}
-
-/**
- * Compile all rules (cache for performance)
- */
-function compileRules(): void {
-  compiledRules = DEFAULT_RULES.map(rule => ({
-    pattern: compilePattern(rule.agentPattern),
-    providers: rule.allowedProviders,
-  }));
-}
-
-/**
- * Check if provider matches pattern
- */
-function matchesProvider(provider: string, pattern: string): boolean {
-  if (pattern === '*') return true;
-  if (pattern.endsWith('*')) {
-    const prefix = pattern.slice(0, -1);
-    return provider.startsWith(prefix);
-  }
-  return provider === pattern;
-}
-
-/**
- * Check if agentId is allowed to access provider
- */
-export function canAccessProvider(agentId: string, provider: string): boolean {
-  if (!compiledRules) {
-    compileRules();
-  }
-  
-  const normalized = agentId.toLowerCase().trim();
-  const normalizedProvider = provider.toLowerCase().trim();
-  
-  // Find matching rule
-  for (const rule of compiledRules!) {
-    if (rule.pattern.test(normalized)) {
-      // Check if provider is allowed
-      for (const providerPattern of rule.providers) {
-        if (matchesProvider(normalizedProvider, providerPattern)) {
-          return true;
-        }
-      }
-      // Rule matched but provider not in allowlist
-      return false;
-    }
-  }
-  
-  // No rule matched = deny by default
-  console.warn(`[Access Control] No rule for ${normalized}`);
-  return false;
-}
-
-/**
- * Get allowed providers for agentId
- */
-export function getAllowedProviders(agentId: string): string[] {
-  if (!compiledRules) {
-    compileRules();
-  }
-  
-  const normalized = agentId.toLowerCase().trim();
-  
-  // Find matching rule
-  for (const rule of compiledRules!) {
-    if (rule.pattern.test(normalized)) {
-      return rule.providers;
-    }
-  }
-  
-  return [];
-}
-
-/**
- * Add new access rule (runtime)
- */
-export function addAccessRule(rule: AccessRule): void {
-  DEFAULT_RULES.push(rule);
-  compiledRules = null; // Force recompile
-  console.log(`[Access Control] Added rule for ${rule.agentPattern}`);
-}
-
-/**
- * Get all access rules (for debugging/admin)
- */
-export function getAccessRules(): AccessRule[] {
-  return [...DEFAULT_RULES];
-}
-
-/**
- * Check if agentId + provider combination is allowed
- * Combines whitelist check + access control
- */
-export async function isAllowed(
-  agentId: string | undefined,
-  provider: string
-): Promise<{ allowed: boolean; reason?: string }> {
-  if (!agentId) {
-    return { allowed: false, reason: 'No agentId provided' };
-  }
-  
-  // First check: Is agent whitelisted?
-  const { isAuthorized } = await import('./product-whitelist.js');
-  const whitelisted = await isAuthorized(agentId);
-  
-  if (!whitelisted) {
-    return { allowed: false, reason: 'Agent not whitelisted' };
-  }
-  
-  // Second check: Does agent have access to this provider?
-  const hasAccess = canAccessProvider(agentId, provider);
-  
-  if (!hasAccess) {
-    return { allowed: false, reason: 'Provider not in access list' };
-  }
-  
-  return { allowed: true };
-}

package/src/hivr-whitelist.ts

@@ -1,110 +0,0 @@
-/**
- * Hivr Bees Auto-Whitelist
- * Dynamically fetches active agents from Hivr's Convex deployment
- * Falls back to static whitelist if Convex is unreachable
- */
-
-// Hivr PROD Convex deployment
-const HIVR_CONVEX_URL = "https://sensible-quail-275.convex.cloud";
-
-// Fallback static whitelist (in case Convex is down)
-const STATIC_WHITELIST = [
-  'bytebee',
-  'analyzerbee',
-  'buildbee',
-  'buzzwriter',
-  'hivemind',
-  'hivesage',
-  'symbot',
-  'hivrqueen',
-  'marketmaven',
-  'reconbee',
-  'sprintbee',
-  'quillbee',
-];
-
-// Cache whitelist for 5 minutes
-let cachedWhitelist: string[] | null = null;
-let cacheExpiry: number = 0;
-
-/**
- * Fetch all active agents from Hivr Convex
- */
-async function fetchHivrAgents(): Promise<string[]> {
-  try {
-    // Call Convex HTTP API directly
-    const response = await fetch(`${HIVR_CONVEX_URL}/api/query`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        path: 'agents:list',
-        args: {},
-      }),
-    });
-    
-    if (!response.ok) {
-      console.warn('[Hivr Whitelist] Convex HTTP API error, using static whitelist');
-      return STATIC_WHITELIST;
-    }
-    
-    const agents = await response.json() as any[];
-    
-    if (!agents || !Array.isArray(agents)) {
-      console.warn('[Hivr Whitelist] Invalid response from Hivr Convex, using static whitelist');
-      return STATIC_WHITELIST;
-    }
-    
-    // Extract handles (Hivr uses 'handle', not 'agentId')
-    const handles = agents
-      .map((a: any) => a.handle?.toLowerCase().trim())
-      .filter((h: string | undefined) => h && h.length > 0);
-    
-    console.log(`[Hivr Whitelist] Fetched ${handles.length} agents from Hivr`);
-    return handles;
-    
-  } catch (error) {
-    console.error('[Hivr Whitelist] Failed to fetch from Hivr Convex:', error);
-    return STATIC_WHITELIST;
-  }
-}
-
-/**
- * Get current whitelist (cached or fresh)
- */
-export async function getWhitelist(): Promise<string[]> {
-  const now = Date.now();
-  
-  // Return cached if still valid
-  if (cachedWhitelist && now < cacheExpiry) {
-    return cachedWhitelist;
-  }
-  
-  // Fetch fresh whitelist
-  cachedWhitelist = await fetchHivrAgents();
-  cacheExpiry = now + (5 * 60 * 1000); // 5 minutes
-  
-  return cachedWhitelist;
-}
-
-/**
- * Check if agent is authorized
- */
-export async function isAuthorized(agentId: string | undefined): Promise<boolean> {
-  if (!agentId) return false;
-  
-  const whitelist = await getWhitelist();
-  const normalized = agentId.toLowerCase().trim();
-  
-  return whitelist.includes(normalized);
-}
-
-/**
- * Force refresh whitelist (call after adding new bee)
- */
-export function invalidateCache(): void {
-  cachedWhitelist = null;
-  cacheExpiry = 0;
-  console.log('[Hivr Whitelist] Cache invalidated');
-}

package/src/http-server-minimal.ts

@@ -1,154 +0,0 @@
-#!/usr/bin/env node
-/**
- * Minimal HTTP API Server for APIClaw
- * Bypasses chain executor imports
- */
-
-import { createServer } from 'http';
-import { URL } from 'url';
-
-const PORT = parseInt(process.env.PORT || '3001');
-
-// Import whitelist directly
-import { isAuthorized, getProduct } from './product-whitelist.js';
-
-interface APIRequest {
-  provider: string;
-  action: string;
-  params: Record<string, any>;
-  agentId: string;
-}
-
-function sendJSON(res: any, status: number, data: any): void {
-  res.writeHead(status, {
-    'Content-Type': 'application/json',
-    'Access-Control-Allow-Origin': '*',
-  });
-  res.end(JSON.stringify(data));
-}
-
-async function parseBody<T>(req: any): Promise<T> {
-  return new Promise((resolve, reject) => {
-    let body = '';
-    req.on('data', (chunk: any) => body += chunk.toString());
-    req.on('end', () => {
-      try {
-        resolve(JSON.parse(body));
-      } catch (e) {
-        reject(new Error('Invalid JSON'));
-      }
-    });
-  });
-}
-
-const server = createServer(async (req, res) => {
-  const url = new URL(req.url || '/', `http://${req.headers.host}`);
-  
-  console.log(`[APIClaw] ${req.method} ${url.pathname}`);
-  
-  // CORS
-  if (req.method === 'OPTIONS') {
-    res.writeHead(204, {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type',
-    });
-    res.end();
-    return;
-  }
-  
-  // Health check
-  if (url.pathname === '/health') {
-    sendJSON(res, 200, { 
-      status: 'ok', 
-      service: 'apiclaw-http-api',
-      version: '2.0.0',
-      whitelist: 'multi-product',
-    });
-    return;
-  }
-  
-  // Discovery endpoint
-  if (url.pathname === '/api/discover' && req.method === 'GET') {
-    const query = url.searchParams.get('query');
-    const agentId = url.searchParams.get('agentId');
-    
-    if (!query) {
-      sendJSON(res, 400, { error: 'Missing query parameter' });
-      return;
-    }
-    
-    const authorized = await isAuthorized(agentId || undefined);
-    
-    if (!authorized) {
-      sendJSON(res, 403, {
-        error: 'Unauthorized',
-        message: 'This endpoint is restricted. Contact admin@nordsym.com',
-      });
-      return;
-    }
-    
-    const product = agentId ? getProduct(agentId) : null;
-    
-    sendJSON(res, 200, {
-      success: true,
-      query,
-      agentId,
-      product,
-      message: 'Whitelist v2.0 active - discovery endpoint placeholder',
-    });
-    return;
-  }
-  
-  // Call API endpoint
-  if (url.pathname === '/api/call_api' && req.method === 'POST') {
-    try {
-      const body = await parseBody<APIRequest>(req);
-      const { provider, action, params, agentId } = body;
-      
-      if (!provider || !action || !agentId) {
-        sendJSON(res, 400, {
-          error: 'Missing required fields',
-          required: ['provider', 'action', 'agentId', 'params'],
-        });
-        return;
-      }
-      
-      const authorized = await isAuthorized(agentId);
-      
-      if (!authorized) {
-        sendJSON(res, 403, {
-          error: 'Unauthorized',
-          message: 'Agent not whitelisted',
-        });
-        return;
-      }
-      
-      const product = getProduct(agentId);
-      
-      sendJSON(res, 200, {
-        success: true,
-        agentId,
-        provider,
-        action,
-        product,
-        message: 'Whitelist v2.0 active - execution placeholder',
-      });
-      
-    } catch (e: any) {
-      sendJSON(res, 400, { error: e.message });
-    }
-    return;
-  }
-  
-  // 404
-  sendJSON(res, 404, { error: 'Not found' });
-});
-
-server.listen(PORT, () => {
-  console.log(`\n🦞 APIClaw HTTP API (Whitelist v2.0)`);
-  console.log(`   Running on http://localhost:${PORT}`);
-  console.log(`   GET  /health`);
-  console.log(`   GET  /api/discover?query=...&agentId=...`);
-  console.log(`   POST /api/call_api\n`);
-});

package/src/product-whitelist.ts

@@ -1,246 +0,0 @@
-/**
- * Multi-Product Whitelist System
- * Supports multiple products (Hivr, NordSym, partners) with namespaced agentIds
- * 
- * Format: product:agentId
- * Examples: hivr:bytebee, nordsym:mollebot, partner_x:agent1
- */
-
-interface ProductSource {
-  name: string;
-  convexUrl: string;
-  queryPath: string;
-  agentIdField: string;
-  authToken?: string;
-}
-
-// Product sources configuration
-const PRODUCT_SOURCES: ProductSource[] = [
-  {
-    name: 'hivr',
-    convexUrl: 'https://sensible-quail-275.convex.cloud',
-    queryPath: 'agents:list',
-    agentIdField: 'handle', // ✅ Fixed: Hivr agents use 'handle', not 'agentId'
-  },
-  // Add more products here as needed
-  // {
-  //   name: 'nordsym',
-  //   convexUrl: 'https://nordsym-deployment.convex.cloud',
-  //   queryPath: 'team:listAgents',
-  //   agentIdField: 'memberId',
-  // },
-];
-
-// Fallback static whitelist (emergency only)
-const STATIC_WHITELIST = [
-  'hivr:bytebee',
-  'hivr:analyzerbee',
-  'hivr:buildbee',
-  'hivr:buzzwriter',
-  'hivr:hivemind',
-  'hivr:hivesage',
-  'hivr:symbot',
-  'hivr:hivrqueen',
-  'hivr:marketmaven',
-  'hivr:reconbee',
-  'hivr:sprintbee',
-  'hivr:quillbee',
-];
-
-// Cache per product (5 minutes TTL)
-interface ProductCache {
-  agents: string[];
-  expiresAt: number;
-}
-
-const cache = new Map<string, ProductCache>();
-const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
-
-/**
- * Fetch agents from a single product source
- */
-async function fetchFromProduct(source: ProductSource): Promise<string[]> {
-  try {
-    const headers: Record<string, string> = {
-      'Content-Type': 'application/json',
-    };
-    
-    if (source.authToken) {
-      headers['Authorization'] = `Bearer ${source.authToken}`;
-    }
-    
-    const response = await fetch(`${source.convexUrl}/api/query`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        path: source.queryPath,
-        args: {},
-      }),
-    });
-    
-    if (!response.ok) {
-      console.warn(`[Whitelist] ${source.name}: HTTP ${response.status}`);
-      return [];
-    }
-    
-    const result = await response.json() as any;
-    
-    // Convex HTTP API returns { status: "success", value: [...] }
-    const data = result.value || result;
-    
-    if (!Array.isArray(data)) {
-      console.warn(`[Whitelist] ${source.name}: Invalid response format`, typeof data);
-      return [];
-    }
-    
-    // Extract agentIds and add namespace
-    const agents = data
-      .map((item: any) => {
-        const agentId = item[source.agentIdField];
-        if (!agentId) return null;
-        return `${source.name}:${String(agentId).toLowerCase().trim()}`;
-      })
-      .filter((id): id is string => id !== null && id.length > 0);
-    
-    console.log(`[Whitelist] ${source.name}: Fetched ${agents.length} agents`);
-    return agents;
-    
-  } catch (error) {
-    console.error(`[Whitelist] ${source.name}: Fetch failed`, error);
-    return [];
-  }
-}
-
-/**
- * Fetch and merge agents from all product sources
- */
-async function fetchAllProducts(): Promise<string[]> {
-  const results = await Promise.allSettled(
-    PRODUCT_SOURCES.map(source => fetchFromProduct(source))
-  );
-  
-  const allAgents: string[] = [];
-  
-  for (const result of results) {
-    if (result.status === 'fulfilled') {
-      allAgents.push(...result.value);
-    }
-  }
-  
-  // If no products returned data, use static fallback
-  if (allAgents.length === 0) {
-    console.warn('[Whitelist] All sources failed, using static fallback');
-    return STATIC_WHITELIST;
-  }
-  
-  return allAgents;
-}
-
-/**
- * Get current whitelist (cached or fresh)
- */
-export async function getWhitelist(): Promise<string[]> {
-  const now = Date.now();
-  
-  // Check if any cache entry is still valid
-  const validCaches: string[] = [];
-  for (const [product, cached] of cache.entries()) {
-    if (now < cached.expiresAt) {
-      validCaches.push(...cached.agents);
-    }
-  }
-  
-  // If all caches valid, return merged
-  if (validCaches.length > 0 && cache.size === PRODUCT_SOURCES.length) {
-    return validCaches;
-  }
-  
-  // Fetch fresh data
-  const agents = await fetchAllProducts();
-  
-  // Update cache per product
-  const agentsByProduct = new Map<string, string[]>();
-  for (const agent of agents) {
-    const [product] = agent.split(':');
-    if (!agentsByProduct.has(product)) {
-      agentsByProduct.set(product, []);
-    }
-    agentsByProduct.get(product)!.push(agent);
-  }
-  
-  for (const [product, productAgents] of agentsByProduct.entries()) {
-    cache.set(product, {
-      agents: productAgents,
-      expiresAt: now + CACHE_TTL,
-    });
-  }
-  
-  return agents;
-}
-
-/**
- * Check if agentId is authorized
- * Supports both namespaced (product:agent) and legacy (agent) formats
- */
-export async function isAuthorized(agentId: string | undefined): Promise<boolean> {
-  if (!agentId) return false;
-  
-  const normalized = agentId.toLowerCase().trim();
-  const whitelist = await getWhitelist();
-  
-  // Check exact match (namespaced)
-  if (whitelist.includes(normalized)) {
-    return true;
-  }
-  
-  // Legacy support: check if agentId matches any product's agent (without namespace)
-  // e.g., "bytebee" matches "hivr:bytebee"
-  if (!normalized.includes(':')) {
-    const legacyMatch = whitelist.some(entry => {
-      const [, agent] = entry.split(':');
-      return agent === normalized;
-    });
-    if (legacyMatch) {
-      console.log(`[Whitelist] Legacy match for ${normalized}`);
-      return true;
-    }
-  }
-  
-  return false;
-}
-
-/**
- * Extract product name from agentId
- */
-export function getProduct(agentId: string): string | null {
-  const [product] = agentId.split(':');
-  return product || null;
-}
-
-/**
- * Force refresh whitelist (call after adding new agent)
- */
-export function invalidateCache(product?: string): void {
-  if (product) {
-    cache.delete(product);
-    console.log(`[Whitelist] Cache invalidated for ${product}`);
-  } else {
-    cache.clear();
-    console.log('[Whitelist] All caches invalidated');
-  }
-}
-
-/**
- * Add new product source dynamically
- */
-export function addProductSource(source: ProductSource): void {
-  const existing = PRODUCT_SOURCES.find(s => s.name === source.name);
-  if (existing) {
-    console.warn(`[Whitelist] Product ${source.name} already exists, updating`);
-    Object.assign(existing, source);
-  } else {
-    PRODUCT_SOURCES.push(source);
-    console.log(`[Whitelist] Added product source: ${source.name}`);
-  }
-  invalidateCache(source.name);
-}