@nordsym/apiclaw 1.5.17 → 1.5.19

package/src/http-api.ts

@@ -17,7 +17,23 @@ import { isOpenAPI, executeOpenAPI } from './open-apis.js';
 import { executeMetered } from './metered.js';
 import { logAPICall } from './analytics.js';
 import { getMachineFingerprint } from './session.js';
-import { isAuthorized, getProduct } from './product-whitelist.js';
+
+// Hivr bees whitelist - these agents get free unlimited access
+const HIVR_BEES_WHITELIST = [
+  'bytebee',
+  'analyzerbee',
+  'buildbee',
+  'buzzwriter',
+  'hivemind',
+  'hivesage',
+  'symbot',
+  'hivrqueen',
+  'marketmaven',
+  'reconbee',
+  'sprintbee',
+  'quillbee',
+  // Add more as Hivr grows
+];
 
 interface APIRequest {
   provider: string;
@@ -26,6 +42,15 @@ interface APIRequest {
   agentId: string;
 }
 
+/**
+ * Check if agent is authorized (Hivr bee)
+ */
+function isAuthorized(agentId: string | undefined): boolean {
+  if (!agentId) return false;
+  const normalized = agentId.toLowerCase().trim();
+  return HIVR_BEES_WHITELIST.includes(normalized);
+}
+
 /**
  * Parse JSON body from request
  */
@@ -72,7 +97,7 @@ async function handleDiscover(req: IncomingMessage, res: ServerResponse, url: UR
     return;
   }
   
-  if (!(await isAuthorized(agentId || undefined))) {
+  if (!isAuthorized(agentId || undefined)) {
     sendJSON(res, 403, { 
       error: 'Unauthorized', 
       message: 'This endpoint is restricted to Hivr bees. Contact admin@nordsym.com for access.',
@@ -84,17 +109,15 @@ async function handleDiscover(req: IncomingMessage, res: ServerResponse, url: UR
   const results = discoverAPIs(query, { category, maxResults });
   const responseTimeMs = Date.now() - startTime;
   
-  // Log to analytics with product info
-  const product = agentId ? getProduct(agentId) : null;
+  // Log to analytics
   logAPICall({
     timestamp: new Date().toISOString(),
     provider: 'apiclaw_discovery',
     action: 'discover',
     type: 'open',
-    userId: agentId || 'unknown',
+    userId: `hivr:${agentId}`,
     success: true,
     latencyMs: responseTimeMs,
-    metadata: product ? { product } : undefined,
   });
   
   sendJSON(res, 200, {
@@ -135,15 +158,10 @@ async function handleCallAPI(req: IncomingMessage, res: ServerResponse): Promise
     return;
   }
   
-  // Check whitelist + access control
-  const { isAllowed } = await import('./access-control.js');
-  const accessCheck = await isAllowed(agentId, provider);
-  
-  if (!accessCheck.allowed) {
+  if (!isAuthorized(agentId)) {
     sendJSON(res, 403, { 
-      error: 'Access Denied', 
-      message: accessCheck.reason || 'Not authorized',
-      hint: 'Contact admin@nordsym.com for access',
+      error: 'Unauthorized', 
+      message: 'This endpoint is restricted to Hivr bees. Contact admin@nordsym.com for access.',
     });
     return;
   }
@@ -183,18 +201,16 @@ async function handleCallAPI(req: IncomingMessage, res: ServerResponse): Promise
   
   const latencyMs = Date.now() - startTime;
   
-  // Log to analytics with product info
-  const product = getProduct(agentId);
+  // Log to analytics
   logAPICall({
     timestamp: new Date().toISOString(),
     provider,
     action,
     type: apiType!,
-    userId: agentId,
+    userId: `hivr:${agentId}`,
     success,
     latencyMs,
     error,
-    metadata: product ? { product } : undefined,
   });
   
   sendJSON(res, success ? 200 : 500, {

package/src/proxy.ts

@@ -4,7 +4,7 @@
 
 import { readSession, getMachineFingerprint } from './session.js';
 
-const PROXY_BASE = "https://brilliant-puffin-712.eu-west-1.convex.site/proxy";
+const PROXY_BASE = "https://adventurous-avocet-799.convex.site/proxy";
 
 export async function callProxy(provider: string, params: any): Promise<any> {
   const url = `${PROXY_BASE}/${provider}`;

package/APILAYER_STATUS_2026-03-24.md

@@ -1,38 +0,0 @@
-# APILayer 14 Services Status Report
-**Date:** 2026-03-24, 11:55 CET
-**Meeting:** Pratham (APILayer DevReal) @ 3:30pm
-**Status:** 11/14 WORKING
-
-## ✅ CONFIRMED WORKING (11/14)
-1. **ExchangeRate API** — HTTP 200 ✓
-2. **AviationStack API** — HTTP 200 ✓
-3. **ScreenshotLayer API** — HTTP 200 ✓
-4. **Number Verification API** — HTTP 200 ✓
-5. **Email Verification API** — HTTP 200 ✓
-6. **Marketstack API** — HTTP 200 ✓
-7. **VAT Layer API** — HTTP 200 ✓
-8. **Finance News API** — HTTP 200 (endpoint: `/financelayer/news`) ✓
-9. **Image Crop API** — HTTP 200 (endpoint: `/smart_crop/url`) ✓
-10. **Advanced Scraper API** — HTTP 200 ✓
-11. **PDFLayer** — HTTP 200 (POST to `https://api.pdflayer.com/api`, separate domain) ✓
-
-## ❌ NOT WORKING (3/14)
-- **WorldNews API** — 404 (endpoint path unknown — needs documentation)
-- **SkillAPI** — 401 "Invalid authentication credentials" (on api.promptapi.com, separate service)
-- **FormAPI** — 403 "You cannot consume this service" (permission issue, parked)
-
-## KEY DISCOVERIES
-- PDFLayer is **NOT** on api.apilayer.com — it's on **api.pdflayer.com** (separate domain)
-- PDFLayer requires **POST** method (not GET)
-- Some services use namespace prefixes: `/financelayer/`, `/smart_crop/`
-- SkillAPI is on **promptapi.com** (different domain from apilayer)
-
-## CREDENTIALS UPDATED
-- PDFLayer key updated in `~/.secrets/apilayer.env`
-- All 19 Direct Call providers have credentials in src/credentials.ts
-- Product messaging reordered (AI-first) in src/discovery.ts
-
-## NEXT STEPS
-1. Get WorldNews endpoint documentation
-2. Verify/resolve SkillAPI authentication issue
-3. Update discovery.ts with PDFLayer details (POST method, separate domain)

package/CHANGELOG-WHITELIST-V2.md

@@ -1,269 +0,0 @@
-# APIClaw Whitelist v2.0 - Implementation Summary
-
-**Date:** 2026-03-18  
-**Status:** ✅ Complete
-
----
-
-## Changes Made
-
-### 🎯 New Files
-
-1. **`src/product-whitelist.ts`** (6.2 KB)
-   - Multi-product whitelist system
-   - Namespaced agentIds (`product:agent`)
-   - Dynamic fetching from multiple Convex sources
-   - Per-product caching (5 min TTL)
-   - Legacy format backward compatibility
-
-2. **`src/access-control.ts`** (4.4 KB)
-   - Per-provider access rules
-   - Pattern matching (`hivr:*`, `nordsym:mollebot`)
-   - Wildcard provider support (`*`, `brave_*`)
-   - Deny by default security model
-
-3. **`WHITELIST-ARCHITECTURE.md`** (9.4 KB)
-   - Complete architecture documentation
-   - Usage examples
-   - Security model
-   - Testing guide
-   - Troubleshooting
-
-4. **`CHANGELOG-WHITELIST-V2.md`** (this file)
-
-### 📝 Modified Files
-
-1. **`src/http-api.ts`**
-   - Import `product-whitelist` instead of `hivr-whitelist`
-   - Integrated access control checks
-   - Enhanced analytics logging with product info
-   - Better error messages
-
-2. **`src/analytics.ts`**
-   - Added `metadata` field to `APICallLog` interface
-   - Product tracking in Convex logs
-   - Enhanced metadata spreading
-
-### 🗑️ Deprecated Files
-
-- `src/hivr-whitelist.ts` — Replaced by `product-whitelist.ts`
-  - **Note:** Can be safely deleted, but kept for reference
-  - Old `HIVR-WHITELIST.md` also superseded
-
----
-
-## Features Delivered
-
-### ✅ Multi-Product Support
-- Products configured in `PRODUCT_SOURCES` array
-- Each product can have own Convex URL, query path, auth token
-- Agents namespaced as `product:agentId`
-- Parallel fetching from all sources
-- Fallback if individual sources fail
-
-### ✅ Access Control
-- Per-provider permissions
-- Pattern-based rules (wildcards, prefixes)
-- Configurable in `DEFAULT_RULES` array
-- Future: Can be moved to Convex table
-
-### ✅ Enhanced Analytics
-- Product-level tracking
-- Per-agent usage within products
-- Metadata field for extensibility
-- Logs include product info
-
-### ✅ Backward Compatibility
-- Legacy agentIds (without namespace) still work
-- Old Hivr agents auto-detected
-- No breaking changes for existing users
-
-### ✅ Security Model
-- Two-layer check: whitelist + access control
-- Deny by default
-- Clear error messages
-- Audit trail in logs
-
----
-
-## Configuration
-
-### Adding New Product
-
-**File:** `src/product-whitelist.ts`
-
-```typescript
-const PRODUCT_SOURCES: ProductSource[] = [
-  {
-    name: 'new_product',
-    convexUrl: 'https://product.convex.cloud',
-    queryPath: 'agents:list',
-    agentIdField: 'agentId',
-    authToken: process.env.PRODUCT_API_TOKEN, // Optional
-  },
-];
-```
-
-### Adding Access Rules
-
-**File:** `src/access-control.ts`
-
-```typescript
-const DEFAULT_RULES: AccessRule[] = [
-  {
-    agentPattern: 'new_product:*',
-    allowedProviders: ['brave_search', 'groq'],
-    description: 'New product gets limited access',
-  },
-];
-```
-
----
-
-## Testing Checklist
-
-- [x] Whitelist fetching from Hivr Convex
-- [x] Namespaced agentId authorization
-- [x] Legacy agentId backward compat
-- [x] Access control deny
-- [x] Access control allow
-- [x] Analytics product tracking
-- [x] Cache invalidation
-- [x] Fallback on source failure
-- [x] Error messages clear
-- [ ] **Production test pending** (needs HTTP server running)
-
----
-
-## Deployment Steps
-
-1. **Backup current whitelist logic** (already done - kept hivr-whitelist.ts)
-2. **Build TypeScript** (pending - has unrelated errors)
-3. **Deploy HTTP API server** (manual restart needed)
-4. **Test with real Hivr agents**
-5. **Monitor analytics for product data**
-6. **Add NordSym when ready**
-
----
-
-## Known Issues / Limitations
-
-### TypeScript Build Errors
-- Many unrelated TS errors in Convex files
-- New files (`product-whitelist.ts`, `access-control.ts`) are syntactically correct
-- Errors in `convex/` folder not related to whitelist v2
-
-### Not Implemented Yet
-- Access rules in Convex table (currently hardcoded)
-- Webhook for instant whitelist updates
-- Per-agent rate limits
-- Admin UI for whitelist management
-
----
-
-## Performance Impact
-
-### Positive
-- **Parallel fetching** — All products fetched simultaneously
-- **Per-product caching** — Only expired caches refresh
-- **Lazy pattern compilation** — Access rules compiled once
-
-### Neutral
-- **One extra check** — Access control adds ~1ms per request
-- **Metadata in logs** — Minimal overhead
-
----
-
-## Migration Path for Existing Users
-
-### Hivr (Current)
-- ✅ No action needed
-- ✅ Agents auto-prefixed with `hivr:`
-- ✅ Full access maintained (`allowedProviders: ['*']`)
-
-### NordSym (Future)
-1. Configure Convex source in `PRODUCT_SOURCES`
-2. Add access rule in `DEFAULT_RULES`
-3. Test with one agent
-4. Roll out to team
-
-### Partners (Future)
-1. Get Convex URL + query details
-2. Add to `PRODUCT_SOURCES`
-3. Define access rules (likely restricted)
-4. Onboard first agent
-5. Monitor usage
-
----
-
-## Rollback Plan
-
-If issues arise:
-
-1. **Revert http-api.ts imports:**
-   ```typescript
-   import { isAuthorized } from './hivr-whitelist.js';
-   ```
-
-2. **Remove access control check:**
-   ```typescript
-   if (!(await isAuthorized(agentId))) {
-     // Old error handling
-   }
-   ```
-
-3. **Restart HTTP server**
-
----
-
-## Next Steps
-
-### Immediate
-- [ ] Production test with Hivr agents
-- [ ] Verify analytics product field populated
-- [ ] Monitor error logs for edge cases
-
-### Short-term (1-2 weeks)
-- [ ] Add NordSym product source
-- [ ] Define NordSym access rules
-- [ ] Test with Molle's team
-
-### Long-term (1-3 months)
-- [ ] Move access rules to Convex table
-- [ ] Build admin UI for whitelist management
-- [ ] Add webhook support for instant updates
-- [ ] Per-agent rate limiting
-
----
-
-## Success Metrics
-
-Track these post-deployment:
-
-- ✅ Zero unauthorized access (403s for invalid agents)
-- ✅ Product field populated in analytics
-- ✅ Cache hit rate >90%
-- ✅ Latency increase <5ms
-- ✅ No whitelist-related errors
-
----
-
-## Documentation Links
-
-- **Architecture:** `WHITELIST-ARCHITECTURE.md`
-- **Old docs:** `HIVR-WHITELIST.md` (deprecated)
-- **Code:**
-  - `src/product-whitelist.ts`
-  - `src/access-control.ts`
-  - `src/http-api.ts`
-  - `src/analytics.ts`
-
----
-
-**Implementation complete. Ready for production testing.** 🦞✨
-
----
-
-**Questions:** admin@nordsym.com  
-**Version:** 2.0.0  
-**Git tag:** `whitelist-v2` (when committed)

package/HIVR-WHITELIST-STATUS.md

@@ -1,205 +0,0 @@
-# Hivr Whitelist - Status & Verification
-
-**Date:** 2026-03-19
-**Issue:** Whitelist checking wrong field, no account attribution
-
----
-
-## ✅ What I Fixed
-
-### 1. Hivr Whitelist — Field Name Mismatch
-
-**Problem:** Both whitelist files were looking for `agentId` field, but Hivr agents have `handle`
-
-**Files Fixed:**
-- `src/hivr-whitelist.ts` — Line 60: `a.agentId` → `a.handle`
-- `src/product-whitelist.ts` — Line 15: `agentIdField: 'agentId'` → `agentIdField: 'handle'`
-
-**Result:** Whitelist will now correctly extract bee handles from Hivr Convex
-
----
-
-## ⚠️ What's Missing: Account Attribution
-
-**Your expectation:** All Hivr bee requests counted under `gustav@nordsym.com`
-
-**Current reality:** Requests logged only by bee handle (`bytebee`, `elderbee`, etc.)
-
-**Where tracking happens:**
-```typescript
-// src/http-api.ts line ~94
-logAPICall({
-  userId: agentId || 'unknown',  // Just the bee handle, no account email
-  // ...
-});
-```
-
-**No account/email field exists in the current system.**
-
----
-
-## 🔍 Verification Steps
-
-### 1. Check Whitelist Works
-
-**Start APIClaw HTTP server:**
-```bash
-cd ~/Projects/apiclaw
-npm run start:http
-```
-
-**Expected log:**
-```
-[Hivr Whitelist] Fetched 12 agents from Hivr
-```
-
-**Test authorization:**
-```bash
-# Should return 200 (authorized)
-curl "http://localhost:3000/api/discover?query=web&agentId=elderbee"
-
-# Should return 403 (unauthorized)
-curl "http://localhost:3000/api/discover?query=web&agentId=fakeagent"
-```
-
-### 2. Check Which Bees Are Whitelisted
-
-**In APIClaw console (when server running):**
-```typescript
-import { getWhitelist } from './hivr-whitelist.js';
-const bees = await getWhitelist();
-console.log(bees); // Should list all Hivr bee handles
-```
-
----
-
-## 📊 Account Attribution (NOT Implemented)
-
-**If you want gustav@nordsym.com attribution:**
-
-### Option A: Product Namespace (Already in place)
-
-Current system namespaces as `hivr:bytebee`, `hivr:elderbee`
-
-You can group by product:
-```typescript
-// In analytics
-const hivrRequests = logs.filter(log => log.userId.startsWith('hivr:'));
-const nordsymRequests = logs.filter(log => log.userId.startsWith('nordsym:'));
-```
-
-**Pros:** Works now with the fix
-**Cons:** Still no email/account tracking
-
-### Option B: Add Account Field (Requires Implementation)
-
-**Change needed:**
-```typescript
-// src/http-api.ts
-logAPICall({
-  userId: agentId,
-  accountEmail: 'gustav@nordsym.com',  // ← Add this
-  product: getProduct(agentId),        // Already exists
-  // ...
-});
-```
-
-**Pros:** Clear separation NordSym vs Hivr
-**Cons:** Requires code changes + analytics schema update
-
-### Option C: Convex Metadata (Clean Approach)
-
-**Store account mapping in Convex:**
-```typescript
-// apiclawProviders table (already exists!)
-{
-  agentId: "elderbee",
-  slug: "hivr-elderbee",
-  accountEmail: "gustav@nordsym.com",  // ← Add this field
-}
-```
-
-**Then in APIClaw:**
-```typescript
-const provider = await getProviderByAgent(agentId);
-logAPICall({
-  userId: agentId,
-  accountEmail: provider?.accountEmail,
-  // ...
-});
-```
-
-**Pros:** Clean, uses existing infrastructure
-**Cons:** Requires schema update + backfill
-
----
-
-## 🎯 Recommendation
-
-**Immediate (today):**
-1. ✅ Field fix deployed (handle instead of agentId)
-2. Restart APIClaw HTTP server to apply
-3. Verify whitelist works (see steps above)
-
-**Short-term (if account attribution needed):**
-- Option C (Convex metadata) is cleanest
-- Add `accountEmail` to `apiclawProviders` table
-- Update HTTP API to include it in logs
-- **This aligns with the provider registration work already started**
-
----
-
-## 📝 Current Whitelist Status
-
-**Bees expected to be whitelisted after fix:**
-- hivrqueen
-- elderbee
-- hivemind
-- hivesage_hivr_bot
-- buzzwriter
-- analyzerbee
-- buildbee
-- bytebee
-- reconbee
-- sprintbee
-- quillbee
-- marketmaven
-
-**Total:** 12 bees (all active Hivr agents)
-
----
-
-**Created:** 2026-03-19 12:20 CET  
-**Updated:** 2026-03-19 12:26 CET  
-**Status:** ✅ VERIFIED WORKING — All Hivr bees whitelisted  
-**Server:** Running on localhost:3001
-
----
-
-## ✅ Verification Complete (2026-03-19 12:26)
-
-**Issues Fixed:**
-1. Field name: `agentId` → `handle` ✓
-2. Convex HTTP response parsing: Access `.value` field ✓
-
-**Whitelist Status:** 14 Hivr bees successfully fetched and authorized
-
-**Tested Bees (all authorized ✓):**
-- bytebee
-- elderbee  
-- hivrqueen
-- symbot
-- marketmaven
-- reconbee
-- HiveMind_Hivr_bot
-- AnalyzerBee_Hivr_bot
-- Buzzwriter_Hivr_bot
-- BuildBee_Hivr_bot
-- HiveSage_Hivr_bot
-- OutreachBee_Hivr_bot
-- quillbee
-- sprintbee
-
-**Authorization Test:** Fake agents correctly blocked ✓
-
-**Next:** Account attribution (gustav@nordsym.com) — see Option C above