@nordsym/apiclaw 2.2.0 → 2.3.0

package/src/postinstall.ts

@@ -1,40 +0,0 @@
-#!/usr/bin/env node
-/**
- * APIClaw Postinstall Hook
- * Prints a welcome message with links and fires ONE anonymous funnel
- * event (install) so we can measure top-of-funnel truthfully.
- *
- * Disable telemetry: APICLAW_TELEMETRY=false
- */
-import { emitFunnelEvent, hasLocalMarker, setLocalMarker } from './funnel-client.js';
-import { getMachineFingerprint, detectMCPClient } from './session.js';
-
-const CYAN = '\x1b[36m';
-const RESET = '\x1b[0m';
-const DIM = '\x1b[2m';
-
-try {
-  const fp = getMachineFingerprint();
-  const dedupeKey = `install:${fp}`;
-  if (!hasLocalMarker(dedupeKey)) {
-    emitFunnelEvent({
-      event: 'install',
-      fingerprint: fp,
-      mcpClient: detectMCPClient(),
-      platform: process.platform,
-      version: process.env.npm_package_version || 'unknown',
-      dedupeKey,
-    });
-    setLocalMarker(dedupeKey);
-  }
-} catch {
-  /* never block install */
-}
-
-console.log('');
-console.log(`  🦞 APIClaw installed successfully!`);
-console.log('');
-console.log(`  → Sign in:     ${CYAN}npx @nordsym/apiclaw login${RESET}`);
-console.log(`  → Full setup:  ${CYAN}npx @nordsym/apiclaw setup${RESET}  ${DIM}(auto-detects Claude, Cursor, Windsurf)${RESET}`);
-console.log(`  ⭐ Star us: ${CYAN}https://github.com/nordsym/apiclaw${RESET}  ${DIM}(helps more devs find us)${RESET}`);
-console.log('');

package/src/product-whitelist.ts

@@ -1,246 +0,0 @@
-/**
- * Multi-Product Whitelist System
- * Supports multiple products (Hivr, NordSym, partners) with namespaced agentIds
- * 
- * Format: product:agentId
- * Examples: hivr:bytebee, nordsym:mollebot, partner_x:agent1
- */
-
-interface ProductSource {
-  name: string;
-  convexUrl: string;
-  queryPath: string;
-  agentIdField: string;
-  authToken?: string;
-}
-
-// Product sources configuration
-const PRODUCT_SOURCES: ProductSource[] = [
-  {
-    name: 'hivr',
-    convexUrl: 'https://brilliant-puffin-712.eu-west-1.convex.cloud',
-    queryPath: 'agents:list',
-    agentIdField: 'handle', // ✅ Fixed: Hivr agents use 'handle', not 'agentId'
-  },
-  // Add more products here as needed
-  // {
-  //   name: 'nordsym',
-  //   convexUrl: 'https://nordsym-deployment.convex.cloud',
-  //   queryPath: 'team:listAgents',
-  //   agentIdField: 'memberId',
-  // },
-];
-
-// Fallback static whitelist (emergency only)
-const STATIC_WHITELIST = [
-  'hivr:bytebee',
-  'hivr:analyzerbee',
-  'hivr:buildbee',
-  'hivr:buzzwriter',
-  'hivr:hivemind',
-  'hivr:hivesage',
-  'hivr:symbot',
-  'hivr:hivrqueen',
-  'hivr:marketmaven',
-  'hivr:reconbee',
-  'hivr:sprintbee',
-  'hivr:quillbee',
-];
-
-// Cache per product (5 minutes TTL)
-interface ProductCache {
-  agents: string[];
-  expiresAt: number;
-}
-
-const cache = new Map<string, ProductCache>();
-const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
-
-/**
- * Fetch agents from a single product source
- */
-async function fetchFromProduct(source: ProductSource): Promise<string[]> {
-  try {
-    const headers: Record<string, string> = {
-      'Content-Type': 'application/json',
-    };
-    
-    if (source.authToken) {
-      headers['Authorization'] = `Bearer ${source.authToken}`;
-    }
-    
-    const response = await fetch(`${source.convexUrl}/api/query`, {
-      method: 'POST',
-      headers,
-      body: JSON.stringify({
-        path: source.queryPath,
-        args: {},
-      }),
-    });
-    
-    if (!response.ok) {
-      console.warn(`[Whitelist] ${source.name}: HTTP ${response.status}`);
-      return [];
-    }
-    
-    const result = await response.json() as any;
-    
-    // Convex HTTP API returns { status: "success", value: [...] }
-    const data = result.value || result;
-    
-    if (!Array.isArray(data)) {
-      console.warn(`[Whitelist] ${source.name}: Invalid response format`, typeof data);
-      return [];
-    }
-    
-    // Extract agentIds and add namespace
-    const agents = data
-      .map((item: any) => {
-        const agentId = item[source.agentIdField];
-        if (!agentId) return null;
-        return `${source.name}:${String(agentId).toLowerCase().trim()}`;
-      })
-      .filter((id): id is string => id !== null && id.length > 0);
-    
-    console.log(`[Whitelist] ${source.name}: Fetched ${agents.length} agents`);
-    return agents;
-    
-  } catch (error) {
-    console.error(`[Whitelist] ${source.name}: Fetch failed`, error);
-    return [];
-  }
-}
-
-/**
- * Fetch and merge agents from all product sources
- */
-async function fetchAllProducts(): Promise<string[]> {
-  const results = await Promise.allSettled(
-    PRODUCT_SOURCES.map(source => fetchFromProduct(source))
-  );
-  
-  const allAgents: string[] = [];
-  
-  for (const result of results) {
-    if (result.status === 'fulfilled') {
-      allAgents.push(...result.value);
-    }
-  }
-  
-  // If no products returned data, use static fallback
-  if (allAgents.length === 0) {
-    console.warn('[Whitelist] All sources failed, using static fallback');
-    return STATIC_WHITELIST;
-  }
-  
-  return allAgents;
-}
-
-/**
- * Get current whitelist (cached or fresh)
- */
-export async function getWhitelist(): Promise<string[]> {
-  const now = Date.now();
-  
-  // Check if any cache entry is still valid
-  const validCaches: string[] = [];
-  for (const [product, cached] of cache.entries()) {
-    if (now < cached.expiresAt) {
-      validCaches.push(...cached.agents);
-    }
-  }
-  
-  // If all caches valid, return merged
-  if (validCaches.length > 0 && cache.size === PRODUCT_SOURCES.length) {
-    return validCaches;
-  }
-  
-  // Fetch fresh data
-  const agents = await fetchAllProducts();
-  
-  // Update cache per product
-  const agentsByProduct = new Map<string, string[]>();
-  for (const agent of agents) {
-    const [product] = agent.split(':');
-    if (!agentsByProduct.has(product)) {
-      agentsByProduct.set(product, []);
-    }
-    agentsByProduct.get(product)!.push(agent);
-  }
-  
-  for (const [product, productAgents] of agentsByProduct.entries()) {
-    cache.set(product, {
-      agents: productAgents,
-      expiresAt: now + CACHE_TTL,
-    });
-  }
-  
-  return agents;
-}
-
-/**
- * Check if agentId is authorized
- * Supports both namespaced (product:agent) and legacy (agent) formats
- */
-export async function isAuthorized(agentId: string | undefined): Promise<boolean> {
-  if (!agentId) return false;
-  
-  const normalized = agentId.toLowerCase().trim();
-  const whitelist = await getWhitelist();
-  
-  // Check exact match (namespaced)
-  if (whitelist.includes(normalized)) {
-    return true;
-  }
-  
-  // Legacy support: check if agentId matches any product's agent (without namespace)
-  // e.g., "bytebee" matches "hivr:bytebee"
-  if (!normalized.includes(':')) {
-    const legacyMatch = whitelist.some(entry => {
-      const [, agent] = entry.split(':');
-      return agent === normalized;
-    });
-    if (legacyMatch) {
-      console.log(`[Whitelist] Legacy match for ${normalized}`);
-      return true;
-    }
-  }
-  
-  return false;
-}
-
-/**
- * Extract product name from agentId
- */
-export function getProduct(agentId: string): string | null {
-  const [product] = agentId.split(':');
-  return product || null;
-}
-
-/**
- * Force refresh whitelist (call after adding new agent)
- */
-export function invalidateCache(product?: string): void {
-  if (product) {
-    cache.delete(product);
-    console.log(`[Whitelist] Cache invalidated for ${product}`);
-  } else {
-    cache.clear();
-    console.log('[Whitelist] All caches invalidated');
-  }
-}
-
-/**
- * Add new product source dynamically
- */
-export function addProductSource(source: ProductSource): void {
-  const existing = PRODUCT_SOURCES.find(s => s.name === source.name);
-  if (existing) {
-    console.warn(`[Whitelist] Product ${source.name} already exists, updating`);
-    Object.assign(existing, source);
-  } else {
-    PRODUCT_SOURCES.push(source);
-    console.log(`[Whitelist] Added product source: ${source.name}`);
-  }
-  invalidateCache(source.name);
-}

package/src/proxy.ts

@@ -1,36 +0,0 @@
-/**
- * APIClaw Proxy - Fallback to hosted API when no local credentials
- */
-
-import { readSession, getMachineFingerprint } from './session.js';
-
-const PROXY_BASE = "https://brilliant-puffin-712.eu-west-1.convex.site/proxy";
-
-export async function callProxy(provider: string, params: any): Promise<any> {
-  const url = `${PROXY_BASE}/${provider}`;
-  
-  // Get session and fingerprint for tracking
-  const session = readSession();
-  const fingerprint = getMachineFingerprint();
-  const identifier = session?.workspaceId || `anon:${fingerprint}`;
-  
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { 
-      "Content-Type": "application/json",
-      "X-APIClaw-Identifier": identifier,
-      "X-APIClaw-Provider": provider,
-      "X-APIClaw-Action": params.action || "call",
-    },
-    body: JSON.stringify(params),
-  });
-
-  if (!response.ok) {
-    const errorData = await response.json().catch(() => ({ error: "Proxy request failed" })) as { error?: string };
-    throw new Error(errorData.error || `Proxy error: ${response.status}`);
-  }
-
-  return response.json();
-}
-
-export const PROXY_PROVIDERS = ["openrouter", "brave_search", "resend", "elevenlabs", "46elks", "twilio", "replicate", "firecrawl", "e2b", "groq", "deepgram", "serper", "mistral", "cohere", "together", "stability", "assemblyai", "github", "apilayer"];

package/src/registration-guard.ts

@@ -1,117 +0,0 @@
-/**
- * Client-side registration guard — single source of truth for "does this
- * workspaceContext pass the verified-owner check before an API call".
- *
- * Free paths (discover_apis, list_* , *_help) do NOT call this.
- * Paying paths (call_api single + chain, capability, resume_chain) DO.
- */
-
-export interface WorkspaceContextLike {
-  sessionToken: string;
-  workspaceId: string;
-  email: string;
-  tier: string;
-  status: string;
-  usageRemaining: number;
-  usageCount: number;
-}
-
-export type GuardResult =
-  | { ok: true; ctx: WorkspaceContextLike }
-  | { ok: false; reason: GuardReason; payload: Record<string, unknown> };
-
-export type GuardReason =
-  | "no_session"
-  | "not_verified"
-  | "quota_exceeded"
-  | "pending_verification";
-
-// Paths that are allowed without a verified owner.
-export const FREE_CALL_PATHS = new Set<string>([
-  "discover_apis",
-  "list_categories",
-  "list_connected",
-  "list_capabilities",
-  "apiclaw_help",
-  "register_owner",
-  "verify_code",
-  "check_workspace_status",
-  "remind_owner",
-  "get_chain_status",
-  "setup_metered_billing",
-  "get_usage_summary",
-  "estimate_cost",
-  "check_balance",
-  "add_credits",
-  "get_api_details",
-  "purchase_access",
-]);
-
-// Paths that MUST go through requireVerifiedOwner.
-export const ENFORCED_CALL_PATHS = new Set<string>([
-  "call_api",
-  "capability",
-  "resume_chain",
-]);
-
-export function requireVerifiedOwner(
-  workspaceContext: WorkspaceContextLike | null
-): GuardResult {
-  if (!workspaceContext) {
-    return {
-      ok: false,
-      reason: "no_session",
-      payload: {
-        status: "registration_required",
-        error: "Registration required to call APIs.",
-        message:
-          "Ask the user for their email, then call register_owner({ email }). A 6-digit code will be sent. Then call verify_code with the code.",
-        action: "register_owner",
-        free_tier: "50 API calls/month -- completely free.",
-      },
-    };
-  }
-
-  if (!workspaceContext.email) {
-    return {
-      ok: false,
-      reason: "pending_verification",
-      payload: {
-        status: "registration_required",
-        error: "Workspace is not linked to a verified email yet.",
-        message: "Run register_owner({ email }) and verify_code to activate.",
-        action: "register_owner",
-      },
-    };
-  }
-
-  if (workspaceContext.status !== "active") {
-    return {
-      ok: false,
-      reason: "not_verified",
-      payload: {
-        status: "pending_verification",
-        error: `Workspace status: ${workspaceContext.status}. Please verify your email.`,
-        action: "verify_code",
-      },
-    };
-  }
-
-  if (workspaceContext.usageRemaining === 0) {
-    return {
-      ok: false,
-      reason: "quota_exceeded",
-      payload: {
-        status: "quota_exceeded",
-        error:
-          workspaceContext.tier === "free"
-            ? "You've hit the free tier limit. Upgrade at https://apiclaw.cloud/upgrade."
-            : "Quota exceeded.",
-        upgrade_url: "https://apiclaw.cloud/upgrade",
-        action: "upgrade",
-      },
-    };
-  }
-
-  return { ok: true, ctx: workspaceContext };
-}

package/src/session.ts

@@ -1,129 +0,0 @@
-/**
- * Session management for APIClaw MCP server
- * Stores session token locally at ~/.apiclaw/session
- */
-
-import * as fs from 'fs';
-import * as path from 'path';
-import * as os from 'os';
-
-export interface SessionData {
-  sessionToken: string;
-  workspaceId: string;
-  email: string;
-  createdAt: number;
-}
-
-const SESSION_DIR = path.join(os.homedir(), '.apiclaw');
-const SESSION_FILE = path.join(SESSION_DIR, 'session');
-const SESSION_FILE_LEGACY = path.join(SESSION_DIR, 'session.json');
-
-/**
- * Ensure the ~/.apiclaw directory exists
- */
-function ensureSessionDir(): void {
-  if (!fs.existsSync(SESSION_DIR)) {
-    fs.mkdirSync(SESSION_DIR, { mode: 0o700 });
-  }
-}
-
-/**
- * Read session from ~/.apiclaw/session
- * Returns null if no session file exists or if it's invalid
- */
-export function readSession(): SessionData | null {
-  try {
-    // Try primary session file first
-    if (fs.existsSync(SESSION_FILE)) {
-      const content = fs.readFileSync(SESSION_FILE, 'utf8');
-      const data = JSON.parse(content) as SessionData;
-      if (data.sessionToken && data.workspaceId && data.email) {
-        return data;
-      }
-      // Invalid (e.g. empty email from anonymous write) — clear and fall through
-      console.error('[APIClaw] Invalid session file, checking legacy...');
-      fs.unlinkSync(SESSION_FILE);
-    }
-
-    // Fall back to session.json (written by CLI login in older versions)
-    if (fs.existsSync(SESSION_FILE_LEGACY)) {
-      const content = fs.readFileSync(SESSION_FILE_LEGACY, 'utf8');
-      const data = JSON.parse(content) as SessionData;
-      if (data.sessionToken && data.workspaceId && data.email) {
-        console.error(`[APIClaw] Migrating session.json → session for ${data.email}`);
-        // Migrate to canonical location
-        fs.writeFileSync(SESSION_FILE, JSON.stringify({ ...data, createdAt: data.createdAt || Date.now() }, null, 2), { mode: 0o600 });
-        return data;
-      }
-    }
-
-    return null;
-  } catch (error) {
-    console.error('[APIClaw] Error reading session:', error);
-    return null;
-  }
-}
-
-/**
- * Write session to ~/.apiclaw/session
- */
-export function writeSession(sessionToken: string, workspaceId: string, email: string): void {
-  try {
-    ensureSessionDir();
-    
-    const data: SessionData = {
-      sessionToken,
-      workspaceId,
-      email,
-      createdAt: Date.now(),
-    };
-    
-    fs.writeFileSync(SESSION_FILE, JSON.stringify(data, null, 2), {
-      mode: 0o600, // Read/write for owner only
-    });
-    
-    console.error(`[APIClaw] Session saved for ${email}`);
-  } catch (error) {
-    console.error('[APIClaw] Error writing session:', error);
-    throw error;
-  }
-}
-
-/**
- * Clear session file
- */
-export function clearSession(): void {
-  try {
-    if (fs.existsSync(SESSION_FILE)) {
-      fs.unlinkSync(SESSION_FILE);
-      console.error('[APIClaw] Session cleared');
-    }
-  } catch (error) {
-    console.error('[APIClaw] Error clearing session:', error);
-  }
-}
-
-/**
- * Get machine fingerprint (for session binding)
- * Uses hostname + username as a simple fingerprint
- */
-export function getMachineFingerprint(): string {
-  const hostname = os.hostname();
-  const username = os.userInfo().username;
-  return `${hostname}:${username}`;
-}
-
-/**
- * Detect which MCP client is running the server
- * Priority: explicit env (set by mcp-install) → known env hints → fallback
- */
-export function detectMCPClient(): string {
-  // 1. Explicit env (injected by mcp-install adapters)
-  if (process.env.APICLAW_MCP_CLIENT) return process.env.APICLAW_MCP_CLIENT;
-  // 2. Known environment variable hints
-  if (process.env.CURSOR_TRACE_DIR) return 'cursor';
-  if (process.env.CLAUDE_CODE) return 'claude-code';
-  if (process.env.WINDSURF_SESSION) return 'windsurf';
-  // 3. Fallback
-  return 'unknown';
-}