@zshuangmu/agenthub 0.1.0

package/src/lib/http.js

@@ -0,0 +1,24 @@
+export function sendJson(response, statusCode, payload, extraHeaders = {}) {
+  response.writeHead(statusCode, { "content-type": "application/json; charset=utf-8", ...extraHeaders });
+  response.end(`${JSON.stringify(payload, null, 2)}\n`);
+}
+
+export function sendHtml(response, statusCode, html, extraHeaders = {}) {
+  response.writeHead(statusCode, { "content-type": "text/html; charset=utf-8", ...extraHeaders });
+  response.end(html);
+}
+
+export function notFound(response, extraHeaders = {}) {
+  sendJson(response, 404, { error: "Not Found" }, extraHeaders);
+}
+
+export async function readJsonBody(request) {
+  const chunks = [];
+  for await (const chunk of request) {
+    chunks.push(Buffer.from(chunk));
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+}

package/src/lib/install.js

@@ -0,0 +1,14 @@
+import path from "node:path";
+import { copyDir, ensureDir, readJson, writeJson } from "./fs-utils.js";
+import { readAgentInfo } from "./registry.js";
+
+export async function installBundle({ registryDir, agentSpec, targetWorkspace }) {
+  const manifest = await readAgentInfo(registryDir, agentSpec);
+  const bundleDir = path.join(registryDir, "agents", manifest.slug, manifest.version);
+  await ensureDir(targetWorkspace);
+  await copyDir(path.join(bundleDir, "WORKSPACE"), targetWorkspace);
+  const template = await readJson(path.join(bundleDir, "OPENCLAW.template.json"));
+  const appliedPath = path.join(targetWorkspace, ".agenthub", "OPENCLAW.applied.json");
+  await writeJson(appliedPath, template);
+  return { manifest, appliedPath };
+}

package/src/lib/manifest.js

@@ -0,0 +1,123 @@
+/**
+ * MANIFEST Generator
+ * 根据 PRD v1.1 规范生成完整的 MANIFEST.json
+ */
+
+const WORKSPACE_FILES = ["AGENTS.md", "SOUL.md", "USER.md", "IDENTITY.md", "TOOLS.md", "HEARTBEAT.md", "BOOTSTRAP.md"];
+
+export function createManifest({ slug, name, description, author, memoryCounts, openclawTemplate, skills = [], prompts = [], tags = [], category, language = "zh-CN" }) {
+  const hasModel = openclawTemplate?.agents?.defaults?.model?.primary;
+  const totalMemory = memoryCounts.public + memoryCounts.portable + memoryCounts.private;
+
+  return {
+    // 基本信息
+    name: name || slug,
+    slug,
+    version: "1.0.0",
+    description: description || `OpenClaw agent bundle for ${name || slug}`,
+    author: author || "anonymous",
+    icon: undefined,
+    bundleVersion: "1.0",
+
+    // 运行时
+    runtime: {
+      type: "openclaw",
+      version: ">=0.5.0",
+      compatibility: "openclaw-only",
+    },
+
+    // 性格
+    persona: {
+      summary: `Imported from OpenClaw workspace: ${name || slug}`,
+      traits: [],
+      expertise: [],
+      communication_style: undefined,
+    },
+
+    // 包含内容
+    includes: {
+      memory: {
+        count: totalMemory,
+        public: memoryCounts.public,
+        portable: memoryCounts.portable,
+        private: memoryCounts.private,
+      },
+      workspaceFiles: WORKSPACE_FILES,
+      skills: skills,
+      prompts: prompts.length,
+      configTemplates: ["OPENCLAW.template.json"],
+    },
+
+    // 依赖
+    requirements: {
+      env: [],
+      model: hasModel ?? undefined,
+      openclaw: ">=0.5.0",
+    },
+
+    // 分享策略
+    sharingPolicy: {
+      memoryMode: "layered",
+      allowedMemoryLayers: ["public", "portable"],
+      blockedMemoryLayers: ["private"],
+      openclawConfigMode: "template-only",
+    },
+
+    // 元数据
+    metadata: {
+      tags: tags.length > 0 ? tags : ["openclaw"],
+      category: category || "General",
+      language: language,
+      license: "MIT",
+    },
+  };
+}
+
+/**
+ * 验证 MANIFEST 完整性
+ */
+export function validateManifest(manifest) {
+  const errors = [];
+  const warnings = [];
+
+  // 必需字段检查
+  if (!manifest.name) errors.push("name is required");
+  if (!manifest.slug) errors.push("slug is required");
+  if (!manifest.version) errors.push("version is required");
+  if (!manifest.description) errors.push("description is required");
+
+  // 运行时检查
+  if (manifest.runtime?.type !== "openclaw") {
+    errors.push("runtime.type must be 'openclaw'");
+  }
+
+  // 私有记忆检查
+  if (manifest.includes?.memory?.private > 0) {
+    warnings.push("Bundle contains private memory, cannot be published publicly");
+  }
+
+  return {
+    valid: errors.length === 0,
+    canPublish: errors.length === 0 && manifest.includes?.memory?.private === 0,
+    errors,
+    warnings,
+  };
+}
+
+/**
+ * 生成 Bundle ID
+ */
+export function generateBundleId(slug, version) {
+  return `agenthub://${slug}@${version}`;
+}
+
+/**
+ * 解析 Bundle ID
+ */
+export function parseBundleId(bundleId) {
+  const match = bundleId.match(/^agenthub:\/\/([^@]+)@(.+)$/);
+  if (!match) {
+    return null;
+  }
+  return { slug: match[1], version: match[2] };
+}

package/src/lib/openclaw-config.js

@@ -0,0 +1,40 @@
+const ALLOWED_PATHS = [
+  ["agents", "defaults", "model"],
+  ["agents", "defaults", "compaction"],
+  ["agents", "defaults", "memorySearch"],
+  ["agents", "defaults", "sandbox"],
+  ["plugins", "slots"],
+];
+
+function cloneJson(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+
+function setDeep(target, keys, value) {
+  let cursor = target;
+  for (let index = 0; index < keys.length - 1; index += 1) {
+    const key = keys[index];
+    cursor[key] ??= {};
+    cursor = cursor[key];
+  }
+  cursor[keys[keys.length - 1]] = cloneJson(value);
+}
+
+export function extractOpenClawTemplate(config) {
+  const template = {};
+  for (const keys of ALLOWED_PATHS) {
+    let cursor = config;
+    let found = true;
+    for (const key of keys) {
+      if (!cursor || !(key in cursor)) {
+        found = false;
+        break;
+      }
+      cursor = cursor[key];
+    }
+    if (found) {
+      setDeep(template, keys, cursor);
+    }
+  }
+  return template;
+}

package/src/lib/registry.js

@@ -0,0 +1,64 @@
+import path from "node:path";
+import { copyDir, ensureDir, pathExists, readJson, writeJson } from "./fs-utils.js";
+
+function parseSpec(agentSpec) {
+  const [slug, version] = agentSpec.split(":");
+  return { slug, version };
+}
+
+export async function publishBundle(bundleDir, registryDir) {
+  const manifest = await readJson(path.join(bundleDir, "MANIFEST.json"));
+  if (manifest.runtime?.type !== "openclaw") {
+    throw new Error("Only OpenClaw bundles are supported.");
+  }
+  if ((manifest.includes?.memory?.private ?? 0) > 0) {
+    throw new Error("Public publish rejected: private memory detected.");
+  }
+
+  const targetDir = path.join(registryDir, "agents", manifest.slug, manifest.version);
+  await ensureDir(path.join(registryDir, "agents", manifest.slug));
+  await copyDir(bundleDir, targetDir);
+
+  const indexPath = path.join(registryDir, "index.json");
+  const index = (await pathExists(indexPath)) ? await readJson(indexPath) : { agents: [] };
+  index.agents = index.agents.filter(
+    (entry) => !(entry.slug === manifest.slug && entry.version === manifest.version),
+  );
+  index.agents.push({
+    slug: manifest.slug,
+    version: manifest.version,
+    name: manifest.name,
+    description: manifest.description,
+    runtime: manifest.runtime,
+  });
+  index.agents.sort((left, right) => left.slug.localeCompare(right.slug));
+  await writeJson(indexPath, index);
+
+  return manifest;
+}
+
+export async function searchRegistry(registryDir, query) {
+  const indexPath = path.join(registryDir, "index.json");
+  if (!(await pathExists(indexPath))) {
+    return [];
+  }
+  const index = await readJson(indexPath);
+  const normalized = query.toLowerCase();
+  return index.agents.filter((entry) => entry.slug.toLowerCase().includes(normalized));
+}
+
+export async function readAgentInfo(registryDir, agentSpec) {
+  const { slug, version } = parseSpec(agentSpec);
+  const baseDir = path.join(registryDir, "agents", slug);
+  if (!(await pathExists(baseDir))) {
+    throw new Error(`Agent not found: ${slug}`);
+  }
+
+  let selectedVersion = version;
+  if (!selectedVersion) {
+    const index = await readJson(path.join(registryDir, "index.json"));
+    const versions = index.agents.filter((entry) => entry.slug === slug).map((entry) => entry.version).sort();
+    selectedVersion = versions.at(-1);
+  }
+  return readJson(path.join(baseDir, selectedVersion, "MANIFEST.json"));
+}

package/src/lib/security-scanner.js

@@ -0,0 +1,233 @@
+/**
+ * Security Scanner
+ * 安全扫描模块
+ *
+ * 根据 PRD v1.1 安全规范实现
+ */
+
+import { readdir, readFile, stat } from "node:fs/promises";
+import path from "node:path";
+
+// 敏感信息模式
+const SENSITIVE_PATTERNS = [
+  { pattern: /sk-[a-zA-Z0-9]{20,}/g, name: "OpenAI API Key", severity: "high" },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Personal Token", severity: "high" },
+  { pattern: /gho_[a-zA-Z0-9]{36}/g, name: "GitHub OAuth Token", severity: "high" },
+  { pattern: /ghu_[a-zA-Z0-9]{36}/g, name: "GitHub User Token", severity: "high" },
+  { pattern: /ghs_[a-zA-Z0-9]{36}/g, name: "GitHub Server Token", severity: "high" },
+  { pattern: /ghr_[a-zA-Z0-9]{36}/g, name: "GitHub Refresh Token", severity: "high" },
+  { pattern: /xox[baprs]-[a-zA-Z0-9-]+/g, name: "Slack Token", severity: "high" },
+  { pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g, name: "JWT Token", severity: "medium" },
+  { pattern: /(password|passwd|pwd)\s*[=:]\s*['"][^'"]+['"]/gi, name: "Password", severity: "high" },
+  { pattern: /(secret|api_key|apikey|access_key)\s*[=:]\s*['"][^'"]+['"]/gi, name: "API Key/Secret", severity: "high" },
+  { pattern: /-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g, name: "Private Key", severity: "critical" },
+  { pattern: /(token|bearer)\s*[=:]\s*['"][^'"]+['"]/gi, name: "Token", severity: "medium" },
+];
+
+// 禁止的配置字段路径
+const FORBIDDEN_CONFIG_PATHS = [
+  "channels",
+  "gateway",
+  "wizard",
+  "auth",
+  "credentials",
+  "secrets",
+  "tokens",
+];
+
+// 文件扩展名白名单（跳过二进制文件）
+const TEXT_EXTENSIONS = new Set([
+  ".md", ".txt", ".json", ".yaml", ".yml", ".xml", ".html", ".css", ".js", ".ts",
+  ".py", ".sh", ".bash", ".zsh", ".env", ".conf", ".config", ".ini", ".toml",
+]);
+
+/**
+ * 检查文件是否为文本文件
+ */
+function isTextFile(filename) {
+  const ext = path.extname(filename).toLowerCase();
+  return TEXT_EXTENSIONS.has(ext) || !ext;
+}
+
+/**
+ * 扫描文件内容中的敏感信息
+ */
+async function scanFileContent(filePath, content) {
+  const findings = [];
+
+  for (const { pattern, name, severity } of SENSITIVE_PATTERNS) {
+    const matches = content.match(pattern);
+    if (matches) {
+      findings.push({
+        file: filePath,
+        type: name,
+        severity,
+        count: matches.length,
+        // 不记录具体值，只记录发现
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * 递归扫描目录
+ */
+async function scanDirectory(dirPath, basePath = "") {
+  const findings = [];
+  const entries = await readdir(dirPath, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const relativePath = basePath ? `${basePath}/${entry.name}` : entry.name;
+    const fullPath = path.join(dirPath, entry.name);
+
+    if (entry.isDirectory()) {
+      // 跳过 node_modules 和隐藏目录
+      if (entry.name === "node_modules" || entry.name.startsWith(".")) {
+        continue;
+      }
+      const subFindings = await scanDirectory(fullPath, relativePath);
+      findings.push(...subFindings);
+    } else if (entry.isFile() && isTextFile(entry.name)) {
+      try {
+        const content = await readFile(fullPath, "utf8");
+        const fileFindings = await scanFileContent(relativePath, content);
+        findings.push(...fileFindings);
+      } catch {
+        // 跳过无法读取的文件
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * 检查配置文件中的禁止字段
+ */
+function checkForbiddenFields(config, path = "") {
+  const violations = [];
+
+  for (const key of Object.keys(config)) {
+    const currentPath = path ? `${path}.${key}` : key;
+
+    // 检查是否是禁止的路径
+    for (const forbidden of FORBIDDEN_CONFIG_PATHS) {
+      if (currentPath.startsWith(forbidden) || key === forbidden) {
+        violations.push({
+          path: currentPath,
+          reason: `禁止包含 ${forbidden} 配置`,
+        });
+      }
+    }
+
+    // 递归检查嵌套对象
+    if (typeof config[key] === "object" && config[key] !== null) {
+      const nestedViolations = checkForbiddenFields(config[key], currentPath);
+      violations.push(...nestedViolations);
+    }
+  }
+
+  return violations;
+}
+
+/**
+ * 扫描 Bundle
+ */
+export async function scanBundle(bundleDir) {
+  const result = {
+    warnings: [],
+    errors: [],
+    findings: [],
+    canPublish: true,
+  };
+
+  // 1. 扫描敏感信息
+  const workspacePath = path.join(bundleDir, "WORKSPACE");
+  try {
+    const contentFindings = await scanDirectory(workspacePath, "WORKSPACE");
+    result.findings.push(...contentFindings);
+
+    for (const finding of contentFindings) {
+      const severityIcon = finding.severity === "critical" ? "🔴" : finding.severity === "high" ? "🟠" : "🟡";
+      result.warnings.push(`${severityIcon} ${finding.file}: 发现 ${finding.type} (${finding.count} 处)`);
+
+      if (finding.severity === "critical" || finding.severity === "high") {
+        result.canPublish = false;
+      }
+    }
+  } catch {
+    // WORKSPACE 目录不存在
+  }
+
+  // 2. 检查私有记忆
+  const manifestPath = path.join(bundleDir, "MANIFEST.json");
+  try {
+    const manifest = JSON.parse(await readFile(manifestPath, "utf8"));
+
+    if (manifest.includes?.memory?.private > 0) {
+      result.errors.push("检测到私有记忆 (memory/private)，禁止公开发布");
+      result.canPublish = false;
+    }
+
+    // 3. 检查配置文件
+    const configPath = path.join(bundleDir, "OPENCLAW.template.json");
+    try {
+      const config = JSON.parse(await readFile(configPath, "utf8"));
+      const violations = checkForbiddenFields(config);
+
+      for (const violation of violations) {
+        result.warnings.push(`⚠️ OPENCLAW.template.json: ${violation.reason} (${violation.path})`);
+      }
+
+      if (violations.length > 0) {
+        result.canPublish = false;
+      }
+    } catch {
+      // 配置文件不存在
+    }
+  } catch {
+    // MANIFEST 不存在
+  }
+
+  return result;
+}
+
+/**
+ * 扫描工作区（打包前预扫描）
+ */
+export async function scanWorkspace(workspacePath) {
+  const result = {
+    warnings: [],
+    errors: [],
+    findings: [],
+    canPublish: true,
+  };
+
+  // 扫描敏感信息
+  const contentFindings = await scanDirectory(workspacePath);
+  result.findings.push(...contentFindings);
+
+  for (const finding of contentFindings) {
+    const severityIcon = finding.severity === "critical" ? "🔴" : finding.severity === "high" ? "🟠" : "🟡";
+    result.warnings.push(`${severityIcon} ${finding.file}: 发现 ${finding.type}`);
+  }
+
+  // 检查私有记忆
+  const privateMemoryPath = path.join(workspacePath, "memory", "private");
+  try {
+    const stat_ = await stat(privateMemoryPath);
+    if (stat_.isDirectory()) {
+      const files = await readdir(privateMemoryPath);
+      if (files.length > 0) {
+        result.warnings.push("🚫 检测到 memory/private/ 目录，包含私有记忆");
+        result.warnings.push("   公开发布时将被阻止，建议将私有记忆移出工作区");
+      }
+    }
+  } catch {
+    // 目录不存在，正常
+  }
+
+  return result;
+}

package/src/lib/skill-md.js

@@ -0,0 +1,17 @@
+import path from "node:path";
+import { readFile } from "node:fs/promises";
+
+export async function serveSkillMarkdown(request, response) {
+  const skillPath = path.join(process.cwd(), "skills", "agenthub-discover", "SKILL.md");
+  try {
+    const content = await readFile(skillPath, "utf8");
+    response.writeHead(200, {
+      "Content-Type": "text/markdown; charset=utf-8",
+      "Access-Control-Allow-Origin": "*"
+    });
+    response.end(content);
+  } catch (error) {
+    response.writeHead(404, { "Content-Type": "application/json" });
+    response.end(JSON.stringify({ error: "Skill not found" }));
+  }
+}

package/src/server.js

@@ -0,0 +1,158 @@
+import http from "node:http";
+import path from "node:path";
+import { readFile } from "node:fs/promises";
+import { infoCommand, installCommand, publishCommand, searchCommand } from "./index.js";
+import { publishUploadedBundle } from "./lib/bundle-transfer.js";
+import { notFound, readJsonBody, sendHtml, sendJson } from "./lib/http.js";
+import { renderAgentDetailPage, renderAgentListPage, renderStatsPage } from "./lib/html.js";
+import {
+  initDatabase,
+  incrementDownloads,
+  getAgentDownloads,
+  getAgentsDownloads,
+  getTotalDownloads,
+  getDownloadRanking,
+  getRecentDownloads,
+  getDatabaseStats
+} from "./lib/database.js";
+
+export async function createServer({ registryDir, port = 3000, host = "0.0.0.0" }) {
+  // 初始化数据库
+  await initDatabase(registryDir);
+
+  const server = http.createServer(async (request, response) => {
+    try {
+      const url = new URL(request.url, "http://127.0.0.1");
+
+      // API: 获取 AgentHub Discover Skill
+      if (url.pathname === "/skills/agenthub-discover/SKILL.md") {
+        try {
+          const skillPath = path.join(process.cwd(), "skills", "agenthub-discover", "SKILL.md");
+          const content = await readFile(skillPath, "utf8");
+          response.writeHead(200, {
+            "Content-Type": "text/markdown; charset=utf-8",
+            "Access-Control-Allow-Origin": "*"
+          });
+          response.end(content);
+        } catch {
+          response.writeHead(404, { "Content-Type": "application/json" });
+          response.end(JSON.stringify({ error: "Skill not found" }));
+        }
+        return;
+      }
+
+      if (url.pathname === "/api/agents") {
+        const agents = await searchCommand(url.searchParams.get("q") ?? "", { registry: registryDir });
+        // 添加下载数
+        const slugs = agents.map(a => a.slug);
+        const downloads = await getAgentsDownloads(registryDir, slugs);
+        const agentsWithDownloads = agents.map(a => ({ ...a, downloads: downloads[a.slug] || 0 }));
+        sendJson(response, 200, { agents: agentsWithDownloads });
+        return;
+      }
+
+      if (url.pathname === "/api/publish" && request.method === "POST") {
+        const body = await readJsonBody(request);
+        const manifest = await publishCommand(body.bundleDir, { registry: registryDir });
+        sendJson(response, 200, manifest);
+        return;
+      }
+
+      if (url.pathname === "/api/publish-upload" && request.method === "POST") {
+        const body = await readJsonBody(request);
+        const manifest = await publishUploadedBundle({ payload: body, registryDir });
+        sendJson(response, 200, manifest);
+        return;
+      }
+
+      if (url.pathname === "/api/install" && request.method === "POST") {
+        const body = await readJsonBody(request);
+        const result = await installCommand(body.agent, {
+          registry: registryDir,
+          targetWorkspace: body.targetWorkspace,
+        });
+        // 记录下载（包含元数据）
+        const slug = body.agent.split(":")[0];
+        await incrementDownloads(registryDir, slug, {
+          targetWorkspace: body.targetWorkspace,
+          ip: request.socket.remoteAddress,
+          userAgent: request.headers['user-agent']
+        });
+        sendJson(response, 200, result);
+        return;
+      }
+
+      // API: 获取下载统计
+      if (url.pathname === "/api/stats") {
+        const stats = await getDatabaseStats(registryDir);
+        const ranking = await getDownloadRanking(registryDir, 10);
+        const recent = await getRecentDownloads(registryDir, 20);
+        sendJson(response, 200, { stats, ranking, recent });
+        return;
+      }
+
+      // API: 获取下载排行
+      if (url.pathname === "/api/stats/ranking") {
+        const limit = parseInt(url.searchParams.get("limit") || "10", 10);
+        const ranking = await getDownloadRanking(registryDir, limit);
+        sendJson(response, 200, { ranking });
+        return;
+      }
+
+      if (url.pathname.startsWith("/api/agents/")) {
+        const slug = url.pathname.slice("/api/agents/".length);
+        const manifest = await infoCommand(slug, { registry: registryDir });
+        // 添加下载数
+        const downloads = await getAgentDownloads(registryDir, slug);
+        sendJson(response, 200, { ...manifest, downloads });
+        return;
+      }
+
+      if (url.pathname === "/") {
+        const query = url.searchParams.get("q") ?? "";
+        const agents = await searchCommand(query, { registry: registryDir });
+        // 添加下载数
+        const slugs = agents.map(a => a.slug);
+        const downloads = await getAgentsDownloads(registryDir, slugs);
+        const totalDownloads = await getTotalDownloads(registryDir);
+        const agentsWithDownloads = agents.map(a => ({ ...a, downloads: downloads[a.slug] || 0 }));
+        sendHtml(response, 200, renderAgentListPage({ query, agents: agentsWithDownloads, totalDownloads }));
+        return;
+      }
+
+      if (url.pathname.startsWith("/agents/")) {
+        const slug = url.pathname.slice("/agents/".length);
+        const manifest = await infoCommand(slug, { registry: registryDir });
+        // 添加下载数
+        const downloads = await getAgentDownloads(registryDir, slug);
+        sendHtml(response, 200, renderAgentDetailPage({ ...manifest, downloads }));
+        return;
+      }
+
+      // 统计页面
+      if (url.pathname === "/stats") {
+        const stats = await getDatabaseStats(registryDir);
+        const ranking = await getDownloadRanking(registryDir, 10);
+        const recent = await getRecentDownloads(registryDir, 20);
+        sendHtml(response, 200, renderStatsPage({ stats, ranking, recent }));
+        return;
+      }
+
+      notFound(response);
+    } catch (error) {
+      sendJson(response, 500, { error: error.message });
+    }
+  });
+
+  await new Promise((resolve) => server.listen(port, host, resolve));
+  const address = server.address();
+  const actualPort = typeof address === "object" && address ? address.port : port;
+
+  return {
+    server,
+    port: actualPort,
+    host,
+    baseUrl: `http://${host === "0.0.0.0" ? "127.0.0.1" : host}:${actualPort}`,
+    close: () => new Promise((resolve, reject) => server.close((error) => (error ? reject(error) : resolve()))),
+  };
+}