@synap-core/cli 0.9.0

package/dist/lib/auth.d.ts

@@ -0,0 +1,57 @@
+/**
+ * CLI Authentication Module
+ *
+ * Browser-based OAuth flow:
+ * 1. Start temporary HTTP server on localhost (random port)
+ * 2. Open browser to synap.live/auth/cli?callback=http://localhost:PORT/callback
+ * 3. User logs in via Better Auth (email/password, Google, GitHub)
+ * 4. synap.live redirects to localhost callback with session token
+ * 5. CLI stores token in ~/.synap/credentials.json
+ */
+export interface StoredCredentials {
+    token: string;
+    expiresAt: string;
+    userId: string;
+    email: string;
+}
+export declare function getStoredToken(): StoredCredentials | null;
+/** True if local expiry timestamp has passed (does NOT call the server). */
+export declare function isTokenLocallyExpired(creds: StoredCredentials): boolean;
+export declare function logout(): void;
+export declare function isLoggedIn(): Promise<{
+    valid: boolean;
+    email?: string;
+    userId?: string;
+}>;
+/**
+ * Store a manually provided API token (Better Auth session token).
+ * Validates against the CP before saving.
+ *
+ * Usage: synap login --token <token>
+ * Get a token from: https://synap.live/account/tokens
+ */
+export declare function loginWithToken(token: string): Promise<StoredCredentials | null>;
+export declare function login(): Promise<StoredCredentials | null>;
+export interface PodCallbackResult {
+    podUrl: string;
+    workspaceId?: string;
+}
+export declare function waitForPodCallback(timeoutMs?: number): Promise<PodCallbackResult | null>;
+export declare function getCpUrl(): string;
+export interface Pod {
+    id: string;
+    subdomain: string;
+    customDomain: string | null;
+    status: string;
+    region: string;
+    url: string;
+}
+export declare function listPods(token: string): Promise<Pod[]>;
+/**
+ * Get the remote OpenClaw provisioning status from the CP.
+ * Returns null if not provisioned or on network error.
+ */
+export declare function getOpenClawRemoteStatus(cpToken: string, podId: string): Promise<{
+    status: "not_provisioned" | "provisioning" | "running" | "error";
+    url: string | null;
+} | null>;

package/dist/lib/auth.js

@@ -0,0 +1,322 @@
+/**
+ * CLI Authentication Module
+ *
+ * Browser-based OAuth flow:
+ * 1. Start temporary HTTP server on localhost (random port)
+ * 2. Open browser to synap.live/auth/cli?callback=http://localhost:PORT/callback
+ * 3. User logs in via Better Auth (email/password, Google, GitHub)
+ * 4. synap.live redirects to localhost callback with session token
+ * 5. CLI stores token in ~/.synap/credentials.json
+ */
+import http from "node:http";
+import { execSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+const CP_URL = process.env.SYNAP_CP_URL || "https://api.synap.live";
+const LANDING_URL = process.env.SYNAP_LANDING_URL || "https://synap.live";
+const CREDENTIALS_DIR = path.join(os.homedir(), ".synap");
+const CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, "credentials.json");
+// ─── Credential Storage ────────────────────────────────────────────────────
+function ensureCredentialsDir() {
+    if (!fs.existsSync(CREDENTIALS_DIR)) {
+        fs.mkdirSync(CREDENTIALS_DIR, { recursive: true, mode: 0o700 });
+    }
+}
+function writeCredentials(creds) {
+    ensureCredentialsDir();
+    fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), {
+        mode: 0o600,
+    });
+}
+export function getStoredToken() {
+    try {
+        if (!fs.existsSync(CREDENTIALS_FILE))
+            return null;
+        const raw = fs.readFileSync(CREDENTIALS_FILE, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** True if local expiry timestamp has passed (does NOT call the server). */
+export function isTokenLocallyExpired(creds) {
+    return new Date(creds.expiresAt) < new Date();
+}
+export function logout() {
+    try {
+        if (fs.existsSync(CREDENTIALS_FILE)) {
+            fs.unlinkSync(CREDENTIALS_FILE);
+        }
+    }
+    catch {
+        // ignore
+    }
+}
+// ─── Session Validation ────────────────────────────────────────────────────
+export async function isLoggedIn() {
+    const creds = getStoredToken();
+    if (!creds)
+        return { valid: false };
+    try {
+        const res = await fetch(`${CP_URL}/auth/me`, {
+            headers: { Authorization: `Bearer ${creds.token}` },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok) {
+            // Server explicitly rejects token — clean up
+            logout();
+            return { valid: false };
+        }
+        const data = (await res.json());
+        // Extend local expiry by 7 days from now — keeps the token alive as long
+        // as the server is still accepting it (avoids false "expired" deletions)
+        writeCredentials({
+            ...creds,
+            email: data.user.email,
+            userId: data.user.id,
+            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+        });
+        return { valid: true, email: data.user.email, userId: data.user.id };
+    }
+    catch {
+        // Network error — keep token, report as invalid for this call only
+        return { valid: false };
+    }
+}
+// ─── Token-based Login (headless / server) ─────────────────────────────────
+/**
+ * Store a manually provided API token (Better Auth session token).
+ * Validates against the CP before saving.
+ *
+ * Usage: synap login --token <token>
+ * Get a token from: https://synap.live/account/tokens
+ */
+export async function loginWithToken(token) {
+    const res = await fetch(`${CP_URL}/auth/me`, {
+        headers: { Authorization: `Bearer ${token}` },
+        signal: AbortSignal.timeout(8000),
+    });
+    if (!res.ok)
+        return null;
+    const data = (await res.json());
+    const creds = {
+        token,
+        email: data.user.email,
+        userId: data.user.id,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+    };
+    writeCredentials(creds);
+    return creds;
+}
+// ─── Browser Login Flow ────────────────────────────────────────────────────
+function openBrowser(url) {
+    try {
+        switch (process.platform) {
+            case "darwin":
+                execSync(`open "${url}"`);
+                break;
+            case "linux":
+                execSync(`xdg-open "${url}"`);
+                break;
+            case "win32":
+                execSync(`start "" "${url}"`);
+                break;
+            default:
+                // Can't open browser — caller handles fallback
+                throw new Error("Unsupported platform");
+        }
+    }
+    catch {
+        throw new Error("Could not open browser");
+    }
+}
+export async function login() {
+    return new Promise((resolve) => {
+        const server = http.createServer((req, res) => {
+            const url = new URL(req.url ?? "/", `http://localhost`);
+            if (url.pathname === "/callback") {
+                const token = url.searchParams.get("token");
+                const email = url.searchParams.get("email");
+                const userId = url.searchParams.get("userId");
+                const expiresAt = url.searchParams.get("expiresAt");
+                if (token && email && userId) {
+                    const creds = {
+                        token,
+                        email,
+                        userId,
+                        expiresAt: expiresAt ||
+                            new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+                    };
+                    writeCredentials(creds);
+                    // Send success page
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end(`<!DOCTYPE html>
+<html>
+<head><title>Synap CLI</title></head>
+<body style="font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; background: #0a0a0a; color: #e5e5e5;">
+  <div style="text-align: center;">
+    <h1 style="font-size: 24px; margin-bottom: 8px;">Authenticated</h1>
+    <p style="color: #888;">You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`);
+                    cleanup();
+                    resolve(creds);
+                }
+                else {
+                    res.writeHead(400, { "Content-Type": "text/html" });
+                    res.end(`<!DOCTYPE html>
+<html>
+<head><title>Synap CLI</title></head>
+<body style="font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; background: #0a0a0a; color: #e5e5e5;">
+  <div style="text-align: center;">
+    <h1 style="font-size: 24px; color: #ef4444; margin-bottom: 8px;">Authentication Failed</h1>
+    <p style="color: #888;">Missing token. Please try again.</p>
+  </div>
+</body>
+</html>`);
+                }
+            }
+            else {
+                res.writeHead(404);
+                res.end();
+            }
+        });
+        // Listen on random port
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            if (!addr || typeof addr === "string") {
+                cleanup();
+                resolve(null);
+                return;
+            }
+            const port = addr.port;
+            const callbackUrl = `http://localhost:${port}/callback`;
+            const loginUrl = `${LANDING_URL}/cli?callback=${encodeURIComponent(callbackUrl)}`;
+            try {
+                openBrowser(loginUrl);
+            }
+            catch {
+                // Browser didn't open — show manual URL
+                console.log(`\n  Open this URL in your browser:\n`);
+                console.log(`  ${loginUrl}\n`);
+            }
+        });
+        // Timeout after 120 seconds
+        const timeout = setTimeout(() => {
+            cleanup();
+            resolve(null);
+        }, 120_000);
+        function cleanup() {
+            clearTimeout(timeout);
+            try {
+                server.close();
+            }
+            catch {
+                // ignore
+            }
+        }
+    });
+}
+export async function waitForPodCallback(timeoutMs = 300_000 // 5-minute window
+) {
+    return new Promise((resolve) => {
+        const server = http.createServer((req, res) => {
+            const url = new URL(req.url ?? "/", `http://localhost`);
+            if (url.pathname === "/callback") {
+                const podUrl = url.searchParams.get("podUrl");
+                const workspaceId = url.searchParams.get("workspaceId") ?? undefined;
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end(`<!DOCTYPE html>
+<html>
+<head><title>Synap CLI</title></head>
+<body style="font-family: system-ui, sans-serif; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; background: #0a0a0a; color: #e5e5e5;">
+  <div style="text-align: center;">
+    <h1 style="font-size: 24px; margin-bottom: 8px;">Pod connected</h1>
+    <p style="color: #888;">You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`);
+                cleanup();
+                if (podUrl) {
+                    resolve({ podUrl, workspaceId });
+                }
+                else {
+                    resolve(null);
+                }
+            }
+            else {
+                res.writeHead(404);
+                res.end();
+            }
+        });
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            if (!addr || typeof addr === "string") {
+                cleanup();
+                resolve(null);
+                return;
+            }
+            const port = addr.port;
+            const callbackUrl = `http://localhost:${port}/callback`;
+            const provisionUrl = `${LANDING_URL}/account/pod/provision?cli_callback=${encodeURIComponent(callbackUrl)}`;
+            try {
+                openBrowser(provisionUrl);
+            }
+            catch {
+                console.log(`\n  Open this URL in your browser to provision your pod:\n`);
+                console.log(`  ${provisionUrl}\n`);
+            }
+        });
+        const timeout = setTimeout(() => {
+            cleanup();
+            resolve(null);
+        }, timeoutMs);
+        function cleanup() {
+            clearTimeout(timeout);
+            try {
+                server.close();
+            }
+            catch {
+                // ignore
+            }
+        }
+    });
+}
+// ─── CP API Helpers ────────────────────────────────────────────────────────
+export function getCpUrl() {
+    return CP_URL;
+}
+export async function listPods(token) {
+    const res = await fetch(`${CP_URL}/pods`, {
+        headers: { Authorization: `Bearer ${token}` },
+        signal: AbortSignal.timeout(10000),
+    });
+    if (!res.ok) {
+        throw new Error(`Failed to list pods (HTTP ${res.status})`);
+    }
+    const data = (await res.json());
+    // Only show active/provisioning pods — not deleted/archived
+    return (data.pods ?? []).filter((p) => p.status === "active" || p.status === "provisioning" || p.status === "syncing_intelligence");
+}
+/**
+ * Get the remote OpenClaw provisioning status from the CP.
+ * Returns null if not provisioned or on network error.
+ */
+export async function getOpenClawRemoteStatus(cpToken, podId) {
+    try {
+        const res = await fetch(`${getCpUrl()}/openclaw/status?podId=${encodeURIComponent(podId)}`, {
+            headers: { Authorization: `Bearer ${cpToken}` },
+            signal: AbortSignal.timeout(8000),
+        });
+        if (!res.ok)
+            return null;
+        return (await res.json());
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/lib/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/lib/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,wBAAwB,CAAC;AACvD,MAAM,WAAW,GACf,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,CAAC;AAExD,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC1D,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;AASxE,8EAA8E;AAE9E,SAAS,oBAAoB;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACpC,EAAE,CAAC,SAAS,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAwB;IAChD,oBAAoB,EAAE,CAAC;IACvB,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACjE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC;YAAE,OAAO,IAAI,CAAC;QAClD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAsB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,qBAAqB,CAAC,KAAwB;IAC5D,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,MAAM;IACpB,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,UAAU;IAK9B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,UAAU,EAAE;YAC3C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE,EAAE;YACnD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,6CAA6C;YAC7C,MAAM,EAAE,CAAC;YACT,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAE7B,CAAC;QAEF,yEAAyE;QACzE,yEAAyE;QACzE,gBAAgB,CAAC;YACf,GAAG,KAAK;YACR,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK;YACtB,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;YACpB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;SACxE,CAAC,CAAC;QAEH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa;IAChD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,UAAU,EAAE;QAC3C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;QAC7C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4C,CAAC;IAC3E,MAAM,KAAK,GAAsB;QAC/B,KAAK;QACL,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK;QACtB,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;QACpB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;KACxE,CAAC;IACF,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAE9E,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC;QACH,QAAQ,OAAO,CAAC,QAAQ,EAAE,CAAC;YACzB,KAAK,QAAQ;gBACX,QAAQ,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,OAAO;gBACV,QAAQ,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC;gBAC9B,MAAM;YACR,KAAK,OAAO;gBACV,QAAQ,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC;gBAC9B,MAAM;YACR;gBACE,+CAA+C;gBAC/C,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,KAAK;IACzB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAExD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAC9C,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAEpD,IAAI,KAAK,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAsB;wBAC/B,KAAK;wBACL,KAAK;wBACL,MAAM;wBACN,SAAS,EACP,SAAS;4BACT,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;qBAC/D,CAAC;oBACF,gBAAgB,CAAC,KAAK,CAAC,CAAC;oBAExB,oBAAoB;oBACpB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC;;;;;;;;;QASV,CAAC,CAAC;oBAEA,OAAO,EAAE,CAAC;oBACV,OAAO,CAAC,KAAK,CAAC,CAAC;gBACjB,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC;;;;;;;;;QASV,CAAC,CAAC;gBACF,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtC,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;YACxD,MAAM,QAAQ,GAAG,GAAG,WAAW,iBAAiB,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;YAElF,IAAI,CAAC;gBACH,WAAW,CAAC,QAAQ,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,wCAAwC;gBACxC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC;YACjC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,4BAA4B;QAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,OAAO,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,SAAS,OAAO;YACd,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAeD,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAS,GAAG,OAAO,CAAC,kBAAkB;;IAEtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAExD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAC9C,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC;gBAErE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC;;;;;;;;;QASR,CAAC,CAAC;gBAEF,OAAO,EAAE,CAAC;gBACV,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;gBACnC,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtC,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;YACxD,MAAM,YAAY,GAAG,GAAG,WAAW,uCAAuC,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;YAE5G,IAAI,CAAC;gBACH,WAAW,CAAC,YAAY,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;gBAC1E,OAAO,CAAC,GAAG,CAAC,KAAK,YAAY,IAAI,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,OAAO,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,SAAS,OAAO;YACd,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAE9E,MAAM,UAAU,QAAQ;IACtB,OAAO,MAAM,CAAC;AAChB,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAAa;IAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,OAAO,EAAE;QACxC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;QAC7C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;IACnD,4DAA4D;IAC5D,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,cAAc,IAAI,CAAC,CAAC,MAAM,KAAK,sBAAsB,CACnG,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAe,EACf,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,EAAE,0BAA0B,kBAAkB,CAAC,KAAK,CAAC,EAAE,EAAE;YAC1F,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,EAAE,EAAE;YAC/C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA6F,CAAC;IACxH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/lib/hardening.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Security hardening checks and fixes for OpenClaw.
+ * Based on CVE research and official OpenClaw security docs.
+ */
+export interface SecurityCheck {
+    id: string;
+    name: string;
+    severity: "critical" | "high" | "medium" | "low";
+    passed: boolean;
+    message: string;
+    fixable: boolean;
+    fix?: () => void;
+}
+/**
+ * Run all 9 security checks against the OpenClaw configuration.
+ */
+export declare function runSecurityChecks(version?: string): SecurityCheck[];
+export declare function computeScore(checks: SecurityCheck[]): string;

package/dist/lib/hardening.js

@@ -0,0 +1,203 @@
+/**
+ * Security hardening checks and fixes for OpenClaw.
+ * Based on CVE research and official OpenClaw security docs.
+ */
+import { chmodSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { readOpenClawConfig, writeOpenClawConfig, getConfigValue, setConfigValue, getConfigPermissions, } from "./openclaw.js";
+/**
+ * Run all 9 security checks against the OpenClaw configuration.
+ */
+export function runSecurityChecks(version) {
+    const config = readOpenClawConfig();
+    const checks = [];
+    // 1. Gateway bound to loopback
+    const bind = config ? getConfigValue(config, "gateway.bind") : undefined;
+    checks.push({
+        id: "gateway-bind",
+        name: "Gateway bound to loopback",
+        severity: "critical",
+        passed: !bind || bind === "loopback" || bind === "127.0.0.1",
+        message: !bind || bind === "loopback" || bind === "127.0.0.1"
+            ? "Gateway only accepts local connections"
+            : `Gateway bound to "${bind}" — exposed to network`,
+        fixable: true,
+        fix: config
+            ? () => {
+                setConfigValue(config, "gateway.bind", "loopback");
+                writeOpenClawConfig(config);
+            }
+            : undefined,
+    });
+    // 2. Token auth enabled
+    const token = config ? getConfigValue(config, "gateway.token") : undefined;
+    checks.push({
+        id: "gateway-token",
+        name: "Token authentication enabled",
+        severity: "critical",
+        passed: !!token,
+        message: token
+            ? "Gateway requires token for access"
+            : "No gateway token set — anyone can connect",
+        fixable: false, // user must set their own token
+    });
+    // 3. OpenClaw version >= 2026.3.12
+    const minVersion = "2026.3.12";
+    const versionOk = version ? compareVersions(version, minVersion) >= 0 : true;
+    checks.push({
+        id: "version",
+        name: `OpenClaw version >= ${minVersion}`,
+        severity: "critical",
+        passed: versionOk,
+        message: version
+            ? versionOk
+                ? `Running v${version}`
+                : `Running v${version} — has 9.9 CVSS vulnerability (CVE-2026-24763)`
+            : "Could not detect version",
+        fixable: false,
+    });
+    // 4. No plaintext credentials in config
+    const hasPlaintext = config
+        ? containsPlaintextCredentials(JSON.stringify(config))
+        : false;
+    checks.push({
+        id: "plaintext-creds",
+        name: "No plaintext credentials in config",
+        severity: "high",
+        passed: !hasPlaintext,
+        message: hasPlaintext
+            ? "Config contains potential plaintext credentials"
+            : "No obvious plaintext credentials found",
+        fixable: false,
+    });
+    // 5. File permissions on ~/.openclaw
+    const perms = getConfigPermissions();
+    checks.push({
+        id: "file-permissions",
+        name: "Config directory permissions",
+        severity: "high",
+        passed: perms.safe,
+        message: perms.safe
+            ? `~/.openclaw mode ${perms.mode} (owner-only)`
+            : `~/.openclaw mode ${perms.mode} — readable by others`,
+        fixable: true,
+        fix: () => {
+            chmodSync(join(homedir(), ".openclaw"), 0o700);
+        },
+    });
+    // 6. WebSocket origin validation
+    const wsOrigin = config
+        ? getConfigValue(config, "gateway.websocket.validateOrigin")
+        : undefined;
+    checks.push({
+        id: "ws-origin",
+        name: "WebSocket origin validation",
+        severity: "medium",
+        passed: wsOrigin !== false,
+        message: wsOrigin === false
+            ? "WebSocket origin validation disabled"
+            : "WebSocket origin validation active",
+        fixable: true,
+        fix: config
+            ? () => {
+                setConfigValue(config, "gateway.websocket.validateOrigin", true);
+                writeOpenClawConfig(config);
+            }
+            : undefined,
+    });
+    // 7. Dangerous skill scanner
+    const scanner = config
+        ? getConfigValue(config, "skills.dangerousCodeScanner")
+        : undefined;
+    checks.push({
+        id: "skill-scanner",
+        name: "Dangerous skill scanner enabled",
+        severity: "medium",
+        passed: scanner !== false,
+        message: scanner === false
+            ? "Skill scanner disabled — malicious skills can run unchecked"
+            : "Skill scanner active",
+        fixable: true,
+        fix: config
+            ? () => {
+                setConfigValue(config, "skills.dangerousCodeScanner", true);
+                writeOpenClawConfig(config);
+            }
+            : undefined,
+    });
+    // 8. Workspace-only filesystem
+    const fsAccess = config
+        ? getConfigValue(config, "tools.filesystem.scope")
+        : undefined;
+    checks.push({
+        id: "fs-scope",
+        name: "Workspace-only filesystem access",
+        severity: "medium",
+        passed: fsAccess === "workspace" || fsAccess === undefined,
+        message: fsAccess && fsAccess !== "workspace"
+            ? `Filesystem scope: "${fsAccess}" — broader than needed`
+            : "Filesystem access scoped to workspace",
+        fixable: true,
+        fix: config
+            ? () => {
+                setConfigValue(config, "tools.filesystem.scope", "workspace");
+                writeOpenClawConfig(config);
+            }
+            : undefined,
+    });
+    // 9. Exec approval gates
+    const execApproval = config
+        ? getConfigValue(config, "tools.exec.requireApproval")
+        : undefined;
+    checks.push({
+        id: "exec-approval",
+        name: "Exec approval gates enabled",
+        severity: "low",
+        passed: execApproval !== false,
+        message: execApproval === false
+            ? "Shell commands execute without approval"
+            : "Exec commands require approval",
+        fixable: true,
+        fix: config
+            ? () => {
+                setConfigValue(config, "tools.exec.requireApproval", true);
+                writeOpenClawConfig(config);
+            }
+            : undefined,
+    });
+    return checks;
+}
+export function computeScore(checks) {
+    const criticalFail = checks.some((c) => !c.passed && c.severity === "critical");
+    const highFail = checks.some((c) => !c.passed && c.severity === "high");
+    const medFail = checks.some((c) => !c.passed && c.severity === "medium");
+    const failCount = checks.filter((c) => !c.passed).length;
+    if (criticalFail)
+        return "D";
+    if (highFail)
+        return "C";
+    if (medFail || failCount > 1)
+        return "B";
+    return "A";
+}
+function compareVersions(a, b) {
+    const pa = a.split(".").map(Number);
+    const pb = b.split(".").map(Number);
+    for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+        const na = pa[i] ?? 0;
+        const nb = pb[i] ?? 0;
+        if (na !== nb)
+            return na - nb;
+    }
+    return 0;
+}
+function containsPlaintextCredentials(text) {
+    const patterns = [
+        /sk-[a-zA-Z0-9]{20,}/,
+        /sk_live_[a-zA-Z0-9]{20,}/,
+        /password["']\s*:\s*["'][^"']+["']/i,
+    ];
+    return patterns.some((p) => p.test(text));
+}
+//# sourceMappingURL=hardening.js.map

package/dist/lib/hardening.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardening.js","sourceRoot":"","sources":["../../src/lib/hardening.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,cAAc,EACd,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAYvB;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAgB;IAChD,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;IACpC,MAAM,MAAM,GAAoB,EAAE,CAAC;IAEnC,+BAA+B;IAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACzE,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,CAAC,IAAI,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,WAAW;QAC5D,OAAO,EACL,CAAC,IAAI,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,KAAK,WAAW;YAClD,CAAC,CAAC,wCAAwC;YAC1C,CAAC,CAAC,qBAAqB,IAAI,wBAAwB;QACvD,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,GAAG,EAAE;gBACH,cAAc,CAAC,MAAM,EAAE,cAAc,EAAE,UAAU,CAAC,CAAC;gBACnD,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CAAC;IAEH,wBAAwB;IACxB,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,CAAC,CAAC,KAAK;QACf,OAAO,EAAE,KAAK;YACZ,CAAC,CAAC,mCAAmC;YACrC,CAAC,CAAC,2CAA2C;QAC/C,OAAO,EAAE,KAAK,EAAE,gCAAgC;KACjD,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,UAAU,GAAG,WAAW,CAAC;IAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7E,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,uBAAuB,UAAU,EAAE;QACzC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,OAAO;YACd,CAAC,CAAC,SAAS;gBACT,CAAC,CAAC,YAAY,OAAO,EAAE;gBACvB,CAAC,CAAC,YAAY,OAAO,gDAAgD;YACvE,CAAC,CAAC,0BAA0B;QAC9B,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IAEH,wCAAwC;IACxC,MAAM,YAAY,GAAG,MAAM;QACzB,CAAC,CAAC,4BAA4B,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC,CAAC,KAAK,CAAC;IACV,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,CAAC,YAAY;QACrB,OAAO,EAAE,YAAY;YACnB,CAAC,CAAC,iDAAiD;YACnD,CAAC,CAAC,wCAAwC;QAC5C,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IAEH,qCAAqC;IACrC,MAAM,KAAK,GAAG,oBAAoB,EAAE,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,KAAK,CAAC,IAAI;QAClB,OAAO,EAAE,KAAK,CAAC,IAAI;YACjB,CAAC,CAAC,oBAAoB,KAAK,CAAC,IAAI,eAAe;YAC/C,CAAC,CAAC,oBAAoB,KAAK,CAAC,IAAI,uBAAuB;QACzD,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,GAAG,EAAE;YACR,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;KACF,CAAC,CAAC;IAEH,iCAAiC;IACjC,MAAM,QAAQ,GAAG,MAAM;QACrB,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,kCAAkC,CAAC;QAC5D,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,QAAQ,KAAK,KAAK;QAC1B,OAAO,EACL,QAAQ,KAAK,KAAK;YAChB,CAAC,CAAC,sCAAsC;YACxC,CAAC,CAAC,oCAAoC;QAC1C,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,GAAG,EAAE;gBACH,cAAc,CAAC,MAAM,EAAE,kCAAkC,EAAE,IAAI,CAAC,CAAC;gBACjE,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CAAC;IAEH,6BAA6B;IAC7B,MAAM,OAAO,GAAG,MAAM;QACpB,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,6BAA6B,CAAC;QACvD,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,OAAO,KAAK,KAAK;QACzB,OAAO,EACL,OAAO,KAAK,KAAK;YACf,CAAC,CAAC,6DAA6D;YAC/D,CAAC,CAAC,sBAAsB;QAC5B,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,GAAG,EAAE;gBACH,cAAc,CAAC,MAAM,EAAE,6BAA6B,EAAE,IAAI,CAAC,CAAC;gBAC5D,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CAAC;IAEH,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,MAAM;QACrB,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,wBAAwB,CAAC;QAClD,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,SAAS;QAC1D,OAAO,EACL,QAAQ,IAAI,QAAQ,KAAK,WAAW;YAClC,CAAC,CAAC,sBAAsB,QAAQ,yBAAyB;YACzD,CAAC,CAAC,uCAAuC;QAC7C,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,GAAG,EAAE;gBACH,cAAc,CAAC,MAAM,EAAE,wBAAwB,EAAE,WAAW,CAAC,CAAC;gBAC9D,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CAAC;IAEH,yBAAyB;IACzB,MAAM,YAAY,GAAG,MAAM;QACzB,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,4BAA4B,CAAC;QACtD,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,CAAC,IAAI,CAAC;QACV,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,YAAY,KAAK,KAAK;QAC9B,OAAO,EACL,YAAY,KAAK,KAAK;YACpB,CAAC,CAAC,yCAAyC;YAC3C,CAAC,CAAC,gCAAgC;QACtC,OAAO,EAAE,IAAI;QACb,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,GAAG,EAAE;gBACH,cAAc,CAAC,MAAM,EAAE,4BAA4B,EAAE,IAAI,CAAC,CAAC;gBAC3D,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAuB;IAClD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAC9C,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAEzD,IAAI,YAAY;QAAE,OAAO,GAAG,CAAC;IAC7B,IAAI,QAAQ;QAAE,OAAO,GAAG,CAAC;IACzB,IAAI,OAAO,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACzC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACxD,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAY;IAChD,MAAM,QAAQ,GAAG;QACf,qBAAqB;QACrB,0BAA0B;QAC1B,oCAAoC;KACrC,CAAC;IACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5C,CAAC"}

package/dist/lib/openclaw.d.ts

@@ -0,0 +1,28 @@
+/**
+ * OpenClaw detection and configuration utilities.
+ * Reads/writes OpenClaw config without modifying unrelated settings.
+ */
+export interface OpenClawInfo {
+    found: boolean;
+    version?: string;
+    configPath?: string;
+    config?: Record<string, unknown>;
+    gatewayRunning?: boolean;
+    gatewayPort?: number;
+    skillsDir?: string;
+}
+export declare function detectOpenClaw(): OpenClawInfo;
+export declare function readOpenClawConfig(): Record<string, unknown> | null;
+export declare function writeOpenClawConfig(config: Record<string, unknown>): void;
+export declare function getConfigPermissions(): {
+    mode: string;
+    safe: boolean;
+};
+/**
+ * Get a nested config value safely.
+ */
+export declare function getConfigValue(config: Record<string, unknown>, path: string): unknown;
+/**
+ * Set a nested config value.
+ */
+export declare function setConfigValue(config: Record<string, unknown>, path: string, value: unknown): void;