@nordsym/apiclaw 2.1.0 → 2.2.1

package/src/gateway-client.ts

@@ -1,192 +0,0 @@
-/**
- * APIClaw Gateway Client - Thin HTTP client for the Intelligent Gateway
- *
- * Routes all API execution through POST /v1/execute on Convex,
- * replacing local executeOpenAPI / executeMetered calls.
- */
-
-import { readFileSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-export interface GatewayResponse {
-  success: boolean;
-  provider: string;
-  action: string;
-  data?: any;
-  error?: string;
-  cost?: number;
-  _apiclaw?: {
-    latencyMs: number;
-    route: string;
-    gateway: boolean;
-    model?: string;
-  };
-}
-
-export interface GatewayExecuteOptions {
-  workspaceId?: string;
-  stream?: boolean;
-  routeOverride?: string;
-}
-
-// ---------------------------------------------------------------------------
-// Secret resolution
-// ---------------------------------------------------------------------------
-
-function resolveInternalSecret(): string {
-  // 1. Environment variable
-  const envSecret = process.env.APICLAW_INTERNAL_SECRET;
-  if (envSecret) return envSecret;
-
-  // 2. File on disk
-  try {
-    const secretPath = join(homedir(), '.secrets', 'apiclaw-internal-secret');
-    return readFileSync(secretPath, 'utf-8').trim();
-  } catch {
-    // File doesn't exist or unreadable
-  }
-
-  // 3. Fallback (will fail auth, which is correct)
-  return '';
-}
-
-// ---------------------------------------------------------------------------
-// Feature flag
-// ---------------------------------------------------------------------------
-
-/**
- * Returns true if gateway routing is enabled.
- * Default: enabled. Set APICLAW_USE_GATEWAY=false to disable.
- */
-export function isGatewayEnabled(): boolean {
-  const flag = process.env.APICLAW_USE_GATEWAY;
-  if (flag === undefined || flag === '') return true; // default on
-  return flag.toLowerCase() !== 'false';
-}
-
-// ---------------------------------------------------------------------------
-// Client
-// ---------------------------------------------------------------------------
-
-const GATEWAY_BASE = 'https://adventurous-avocet-799.convex.site';
-const GATEWAY_TIMEOUT_MS = 30_000;
-
-export class GatewayClient {
-  private baseUrl: string;
-  private internalSecret: string;
-
-  constructor() {
-    this.baseUrl = GATEWAY_BASE;
-    this.internalSecret = resolveInternalSecret();
-  }
-
-  async execute(
-    provider: string,
-    action: string,
-    params: Record<string, any>,
-    options?: GatewayExecuteOptions,
-  ): Promise<GatewayResponse> {
-    const url = `${this.baseUrl}/v1/execute`;
-
-    const headers: Record<string, string> = {
-      'Content-Type': 'application/json',
-      'X-APIClaw-Internal': this.internalSecret,
-    };
-
-    if (options?.workspaceId) {
-      headers['X-APIClaw-Workspace'] = options.workspaceId;
-    }
-    if (options?.routeOverride) {
-      headers['X-APIClaw-Route'] = options.routeOverride;
-    }
-
-    const body = JSON.stringify({ provider, action, params });
-
-    // First attempt
-    let response = await this.doFetch(url, headers, body);
-
-    // Retry once on network error
-    if (!response) {
-      response = await this.doFetch(url, headers, body);
-    }
-
-    if (!response) {
-      return {
-        success: false,
-        provider,
-        action,
-        error: 'Gateway unreachable after retry',
-      };
-    }
-
-    try {
-      const json = await response.json() as any;
-
-      if (!response.ok) {
-        return {
-          success: false,
-          provider: json.provider || provider,
-          action: json.action || action,
-          error: json.error || `Gateway HTTP ${response.status}`,
-          _apiclaw: json._apiclaw,
-        };
-      }
-
-      return {
-        success: json.success ?? true,
-        provider: json.provider || provider,
-        action: json.action || action,
-        data: json.data,
-        error: json.error,
-        cost: json.cost,
-        _apiclaw: json._apiclaw,
-      };
-    } catch (e: any) {
-      return {
-        success: false,
-        provider,
-        action,
-        error: `Gateway response parse error: ${e.message}`,
-      };
-    }
-  }
-
-  /**
-   * Perform a single fetch with timeout. Returns null on network error.
-   */
-  private async doFetch(
-    url: string,
-    headers: Record<string, string>,
-    body: string,
-  ): Promise<Response | null> {
-    try {
-      const controller = new AbortController();
-      const timer = setTimeout(() => controller.abort(), GATEWAY_TIMEOUT_MS);
-
-      const response = await fetch(url, {
-        method: 'POST',
-        headers,
-        body,
-        signal: controller.signal,
-      });
-
-      clearTimeout(timer);
-      return response;
-    } catch {
-      return null;
-    }
-  }
-}
-
-// Singleton
-let _gateway: GatewayClient | null = null;
-
-export function getGateway(): GatewayClient {
-  if (!_gateway) _gateway = new GatewayClient();
-  return _gateway;
-}

package/src/hivr-whitelist.ts

@@ -1,110 +0,0 @@
-/**
- * Hivr Bees Auto-Whitelist
- * Dynamically fetches active agents from Hivr's Convex deployment
- * Falls back to static whitelist if Convex is unreachable
- */
-
-// Hivr PROD Convex deployment
-const HIVR_CONVEX_URL = "https://brilliant-puffin-712.eu-west-1.convex.cloud";
-
-// Fallback static whitelist (in case Convex is down)
-const STATIC_WHITELIST = [
-  'bytebee',
-  'analyzerbee',
-  'buildbee',
-  'buzzwriter',
-  'hivemind',
-  'hivesage',
-  'symbot',
-  'hivrqueen',
-  'marketmaven',
-  'reconbee',
-  'sprintbee',
-  'quillbee',
-];
-
-// Cache whitelist for 5 minutes
-let cachedWhitelist: string[] | null = null;
-let cacheExpiry: number = 0;
-
-/**
- * Fetch all active agents from Hivr Convex
- */
-async function fetchHivrAgents(): Promise<string[]> {
-  try {
-    // Call Convex HTTP API directly
-    const response = await fetch(`${HIVR_CONVEX_URL}/api/query`, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        path: 'agents:list',
-        args: {},
-      }),
-    });
-    
-    if (!response.ok) {
-      console.warn('[Hivr Whitelist] Convex HTTP API error, using static whitelist');
-      return STATIC_WHITELIST;
-    }
-    
-    const agents = await response.json() as any[];
-    
-    if (!agents || !Array.isArray(agents)) {
-      console.warn('[Hivr Whitelist] Invalid response from Hivr Convex, using static whitelist');
-      return STATIC_WHITELIST;
-    }
-    
-    // Extract handles (Hivr uses 'handle', not 'agentId')
-    const handles = agents
-      .map((a: any) => a.handle?.toLowerCase().trim())
-      .filter((h: string | undefined) => h && h.length > 0);
-    
-    console.log(`[Hivr Whitelist] Fetched ${handles.length} agents from Hivr`);
-    return handles;
-    
-  } catch (error) {
-    console.error('[Hivr Whitelist] Failed to fetch from Hivr Convex:', error);
-    return STATIC_WHITELIST;
-  }
-}
-
-/**
- * Get current whitelist (cached or fresh)
- */
-export async function getWhitelist(): Promise<string[]> {
-  const now = Date.now();
-  
-  // Return cached if still valid
-  if (cachedWhitelist && now < cacheExpiry) {
-    return cachedWhitelist;
-  }
-  
-  // Fetch fresh whitelist
-  cachedWhitelist = await fetchHivrAgents();
-  cacheExpiry = now + (5 * 60 * 1000); // 5 minutes
-  
-  return cachedWhitelist;
-}
-
-/**
- * Check if agent is authorized
- */
-export async function isAuthorized(agentId: string | undefined): Promise<boolean> {
-  if (!agentId) return false;
-  
-  const whitelist = await getWhitelist();
-  const normalized = agentId.toLowerCase().trim();
-  
-  return whitelist.includes(normalized);
-}
-
-/**
- * Force refresh whitelist (call after adding new bee)
- */
-export function invalidateCache(): void {
-  cachedWhitelist = null;
-  cacheExpiry = 0;
-  console.log('[Hivr Whitelist] Cache invalidated');
-}

package/src/http-api.ts

@@ -1,286 +0,0 @@
-/**
- * APIClaw HTTP API Server
- * Provides REST endpoints for headless agents (Hivr bees, webhooks, etc)
- * 
- * Endpoints:
- * - GET  /api/discover?query=...&agentId=...
- * - POST /api/call_api { provider, action, params, agentId }
- * - GET  /health
- * 
- * Auth: Whitelist-based for Hivr bees
- */
-
-import { createServer, IncomingMessage, ServerResponse } from 'http';
-import { URL } from 'url';
-import { discoverAPIs } from './discovery.js';
-import { isOpenAPI, executeOpenAPI } from './open-apis.js';
-import { executeMetered } from './metered.js';
-import { logAPICall } from './mcp-analytics.js';
-import { getMachineFingerprint } from './session.js';
-import { isAuthorized, getProduct } from './product-whitelist.js';
-
-interface APIRequest {
-  provider: string;
-  action: string;
-  params: Record<string, any>;
-  agentId: string;
-}
-
-/**
- * Parse JSON body from request
- */
-async function parseBody<T>(req: IncomingMessage): Promise<T> {
-  return new Promise((resolve, reject) => {
-    let body = '';
-    req.on('data', chunk => body += chunk.toString());
-    req.on('end', () => {
-      try {
-        resolve(JSON.parse(body));
-      } catch (e) {
-        reject(new Error('Invalid JSON'));
-      }
-    });
-    req.on('error', reject);
-  });
-}
-
-/**
- * Send JSON response
- */
-function sendJSON(res: ServerResponse, status: number, data: any): void {
-  res.writeHead(status, {
-    'Content-Type': 'application/json',
-    'Access-Control-Allow-Origin': '*',
-    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-    'Access-Control-Allow-Headers': 'Content-Type, X-Agent-Id',
-  });
-  res.end(JSON.stringify(data));
-}
-
-/**
- * Handle /api/discover
- * GET /api/discover?query=web+search&agentId=bytebee&category=Search&maxResults=5
- */
-async function handleDiscover(req: IncomingMessage, res: ServerResponse, url: URL): Promise<void> {
-  const query = url.searchParams.get('query');
-  const agentId = url.searchParams.get('agentId');
-  const category = url.searchParams.get('category') || undefined;
-  const maxResults = parseInt(url.searchParams.get('maxResults') || '5');
-  
-  if (!query) {
-    sendJSON(res, 400, { error: 'Missing query parameter' });
-    return;
-  }
-  
-  if (!(await isAuthorized(agentId || undefined))) {
-    sendJSON(res, 403, { 
-      error: 'Unauthorized', 
-      message: 'This endpoint is restricted to Hivr bees. Contact admin@nordsym.com for access.',
-    });
-    return;
-  }
-  
-  const startTime = Date.now();
-  const results = discoverAPIs(query, { category, maxResults });
-  const responseTimeMs = Date.now() - startTime;
-  
-  // Log to analytics with product info
-  const product = agentId ? getProduct(agentId) : null;
-  logAPICall({
-    timestamp: new Date().toISOString(),
-    provider: 'apiclaw_discovery',
-    action: 'discover',
-    type: 'open',
-    userId: agentId || 'unknown',
-    success: true,
-    latencyMs: responseTimeMs,
-    metadata: product ? { product } : undefined,
-  });
-  
-  sendJSON(res, 200, {
-    success: true,
-    query,
-    results: results.map(r => ({
-      provider: r.provider,
-      score: r.relevance_score,
-      reasons: r.match_reasons,
-    })),
-    count: results.length,
-    responseTimeMs,
-  });
-}
-
-/**
- * Handle /api/call_api
- * POST /api/call_api
- * Body: { provider: "brave_search", action: "search", params: { query: "AI news" }, agentId: "bytebee" }
- */
-async function handleCallAPI(req: IncomingMessage, res: ServerResponse): Promise<void> {
-  let body: APIRequest;
-  
-  try {
-    body = await parseBody<APIRequest>(req);
-  } catch (e) {
-    sendJSON(res, 400, { error: 'Invalid JSON body' });
-    return;
-  }
-  
-  const { provider, action, params, agentId } = body;
-  
-  if (!provider || !action || !params || !agentId) {
-    sendJSON(res, 400, { 
-      error: 'Missing required fields', 
-      required: ['provider', 'action', 'params', 'agentId'] 
-    });
-    return;
-  }
-  
-  // Check whitelist + access control
-  const { isAllowed } = await import('./access-control.js');
-  const accessCheck = await isAllowed(agentId, provider);
-  
-  if (!accessCheck.allowed) {
-    sendJSON(res, 403, { 
-      error: 'Access Denied', 
-      message: accessCheck.reason || 'Not authorized',
-      hint: 'Contact admin@nordsym.com for access',
-    });
-    return;
-  }
-  
-  const startTime = Date.now();
-  let result: any;
-  let apiType: 'open' | 'direct';
-  let success = true;
-  let error: string | undefined;
-  
-  try {
-    if (isOpenAPI(provider)) {
-      apiType = 'open';
-      result = await executeOpenAPI(provider, action, params);
-      success = result.success;
-      error = result.error;
-    } else {
-      apiType = 'direct';
-      // For Direct Call APIs, use Hivr's workspace/credentials
-      // TODO: Get Hivr workspace token from env or config
-      const customerKey = process.env.APICLAW_HIVR_CUSTOMER_KEY;
-      const stripeCustomerId = process.env.APICLAW_HIVR_STRIPE_CUSTOMER;
-      
-      result = await executeMetered(provider, action, params, {
-        customerId: stripeCustomerId,
-        customerKey,
-        userId: `hivr:${agentId}`,
-      });
-      success = result.success;
-      error = result.error;
-    }
-  } catch (e: any) {
-    success = false;
-    error = e.message;
-    result = { success: false, error: error };
-  }
-  
-  const latencyMs = Date.now() - startTime;
-  
-  // Log to analytics with product info
-  const product = getProduct(agentId);
-  logAPICall({
-    timestamp: new Date().toISOString(),
-    provider,
-    action,
-    type: apiType!,
-    userId: agentId,
-    success,
-    latencyMs,
-    error,
-    metadata: product ? { product } : undefined,
-  });
-  
-  sendJSON(res, success ? 200 : 500, {
-    success,
-    provider,
-    action,
-    agentId,
-    data: result.data,
-    error: result.error,
-    latencyMs,
-  });
-}
-
-/**
- * Handle OPTIONS (CORS preflight)
- */
-function handleOptions(res: ServerResponse): void {
-  res.writeHead(204, {
-    'Access-Control-Allow-Origin': '*',
-    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-    'Access-Control-Allow-Headers': 'Content-Type, X-Agent-Id',
-    'Access-Control-Max-Age': '86400',
-  });
-  res.end();
-}
-
-/**
- * Main request handler
- */
-async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
-  const url = new URL(req.url || '/', `http://${req.headers.host}`);
-  
-  console.log(`[APIClaw HTTP] ${req.method} ${url.pathname}`);
-  
-  // CORS preflight
-  if (req.method === 'OPTIONS') {
-    handleOptions(res);
-    return;
-  }
-  
-  // Health check
-  if (url.pathname === '/health') {
-    sendJSON(res, 200, { status: 'ok', service: 'apiclaw-http-api' });
-    return;
-  }
-  
-  // Route requests
-  if (url.pathname === '/api/discover' && req.method === 'GET') {
-    await handleDiscover(req, res, url);
-    return;
-  }
-  
-  if (url.pathname === '/api/call_api' && req.method === 'POST') {
-    await handleCallAPI(req, res);
-    return;
-  }
-  
-  // 404
-  sendJSON(res, 404, { error: 'Not found' });
-}
-
-/**
- * Start HTTP server
- */
-export function startHTTPServer(port: number = 3000): void {
-  const server = createServer(async (req, res) => {
-    try {
-      await handleRequest(req, res);
-    } catch (error: any) {
-      console.error('[APIClaw HTTP] Error:', error);
-      sendJSON(res, 500, { error: 'Internal server error', message: error.message });
-    }
-  });
-  
-  server.listen(port, () => {
-    console.log(`\n🦞 APIClaw HTTP API running on http://localhost:${port}`);
-    console.log(`   GET  /api/discover?query=...&agentId=...`);
-    console.log(`   POST /api/call_api`);
-    console.log(`   GET  /health\n`);
-  });
-  
-  server.on('error', (error: any) => {
-    if (error.code === 'EADDRINUSE') {
-      console.error(`[APIClaw HTTP] Port ${port} is already in use`);
-    } else {
-      console.error('[APIClaw HTTP] Server error:', error);
-    }
-  });
-}