@zshuangmu/agenthub 0.4.14 → 0.4.16

package/src/lib/manifest.js

@@ -1,124 +1,124 @@
-/**
- * MANIFEST Generator
- * 根据 PRD v1.1 规范生成完整的 MANIFEST.json
- */
-
-const WORKSPACE_FILES = ["AGENTS.md", "SOUL.md", "USER.md", "IDENTITY.md", "TOOLS.md", "HEARTBEAT.md", "BOOTSTRAP.md"];
-
-export function createManifest({ slug, name, description, author, memoryCounts, openclawTemplate, skills = [], prompts = [], tags = [], category, language = "zh-CN", version = "1.0.0", featured = false }) {
-  const hasModel = openclawTemplate?.agents?.defaults?.model?.primary;
-  const totalMemory = memoryCounts.public + memoryCounts.portable + memoryCounts.private;
-
-  return {
-    // 基本信息
-    name: name || slug,
-    slug,
-    version,
-    description: description || `OpenClaw agent bundle for ${name || slug}`,
-    author: author || "anonymous",
-    icon: undefined,
-    bundleVersion: "1.0",
-
-    // 运行时
-    runtime: {
-      type: "openclaw",
-      version: ">=0.5.0",
-      compatibility: "openclaw-only",
-    },
-
-    // 性格
-    persona: {
-      summary: `Imported from OpenClaw workspace: ${name || slug}`,
-      traits: [],
-      expertise: [],
-      communication_style: undefined,
-    },
-
-    // 包含内容
-    includes: {
-      memory: {
-        count: totalMemory,
-        public: memoryCounts.public,
-        portable: memoryCounts.portable,
-        private: memoryCounts.private,
-      },
-      workspaceFiles: WORKSPACE_FILES,
-      skills: skills,
-      prompts: prompts.length,
-      configTemplates: ["OPENCLAW.template.json"],
-    },
-
-    // 依赖
-    requirements: {
-      env: [],
-      model: hasModel ?? undefined,
-      openclaw: ">=0.5.0",
-    },
-
-    // 分享策略
-    sharingPolicy: {
-      memoryMode: "layered",
-      allowedMemoryLayers: ["public", "portable"],
-      blockedMemoryLayers: ["private"],
-      openclawConfigMode: "template-only",
-    },
-
-    // 元数据
-    metadata: {
-      tags: tags.length > 0 ? tags : ["openclaw"],
-      category: category || "General",
-      language: language,
-      license: "MIT",
-      featured,
-    },
-  };
-}
-
-/**
- * 验证 MANIFEST 完整性
- */
-export function validateManifest(manifest) {
-  const errors = [];
-  const warnings = [];
-
-  // 必需字段检查
-  if (!manifest.name) errors.push("name is required");
-  if (!manifest.slug) errors.push("slug is required");
-  if (!manifest.version) errors.push("version is required");
-  if (!manifest.description) errors.push("description is required");
-
-  // 运行时检查
-  if (manifest.runtime?.type !== "openclaw") {
-    errors.push("runtime.type must be 'openclaw'");
-  }
-
-  // 私有记忆检查
-  if (manifest.includes?.memory?.private > 0) {
-    warnings.push("Bundle contains private memory, cannot be published publicly");
-  }
-
-  return {
-    valid: errors.length === 0,
-    canPublish: errors.length === 0 && manifest.includes?.memory?.private === 0,
-    errors,
-    warnings,
-  };
-}
-
-/**
- * 生成 Bundle ID
- */
-export function generateBundleId(slug, version) {
-  return `agenthub://${slug}@${version}`;
-}
-
-/**
- * 解析 Bundle ID
- */
-export function parseBundleId(bundleId) {
-  const match = bundleId.match(/^agenthub:\/\/([^@]+)@(.+)$/);
-  if (!match) {
-    return null;
-  }
-  return { slug: match[1], version: match[2] };
-}
+/**
+ * MANIFEST Generator
+ * 根据 PRD v1.1 规范生成完整的 MANIFEST.json
+ */
+
+const WORKSPACE_FILES = ["AGENTS.md", "SOUL.md", "USER.md", "IDENTITY.md", "TOOLS.md", "HEARTBEAT.md", "BOOTSTRAP.md"];
+
+export function createManifest({ slug, name, description, author, memoryCounts, openclawTemplate, skills = [], prompts = [], tags = [], category, language = "zh-CN", version = "1.0.0", featured = false }) {
+  const hasModel = openclawTemplate?.agents?.defaults?.model?.primary;
+  const totalMemory = memoryCounts.public + memoryCounts.portable + memoryCounts.private;
+
+  return {
+    // 基本信息
+    name: name || slug,
+    slug,
+    version,
+    description: description || `OpenClaw agent bundle for ${name || slug}`,
+    author: author || "anonymous",
+    icon: undefined,
+    bundleVersion: "1.0",
+
+    // 运行时
+    runtime: {
+      type: "openclaw",
+      version: ">=0.5.0",
+      compatibility: "openclaw-only",
+    },
+
+    // 性格
+    persona: {
+      summary: `Imported from OpenClaw workspace: ${name || slug}`,
+      traits: [],
+      expertise: [],
+      communication_style: undefined,
+    },
+
+    // 包含内容
+    includes: {
+      memory: {
+        count: totalMemory,
+        public: memoryCounts.public,
+        portable: memoryCounts.portable,
+        private: memoryCounts.private,
+      },
+      workspaceFiles: WORKSPACE_FILES,
+      skills: skills,
+      prompts: prompts.length,
+      configTemplates: ["OPENCLAW.template.json"],
+    },
+
+    // 依赖
+    requirements: {
+      env: [],
+      model: hasModel ?? undefined,
+      openclaw: ">=0.5.0",
+    },
+
+    // 分享策略
+    sharingPolicy: {
+      memoryMode: "layered",
+      allowedMemoryLayers: ["public", "portable"],
+      blockedMemoryLayers: ["private"],
+      openclawConfigMode: "template-only",
+    },
+
+    // 元数据
+    metadata: {
+      tags: tags.length > 0 ? tags : ["openclaw"],
+      category: category || "General",
+      language: language,
+      license: "MIT",
+      featured,
+    },
+  };
+}
+
+/**
+ * 验证 MANIFEST 完整性
+ */
+export function validateManifest(manifest) {
+  const errors = [];
+  const warnings = [];
+
+  // 必需字段检查
+  if (!manifest.name) errors.push("name is required");
+  if (!manifest.slug) errors.push("slug is required");
+  if (!manifest.version) errors.push("version is required");
+  if (!manifest.description) errors.push("description is required");
+
+  // 运行时检查
+  if (manifest.runtime?.type !== "openclaw") {
+    errors.push("runtime.type must be 'openclaw'");
+  }
+
+  // 私有记忆检查
+  if (manifest.includes?.memory?.private > 0) {
+    warnings.push("Bundle contains private memory, cannot be published publicly");
+  }
+
+  return {
+    valid: errors.length === 0,
+    canPublish: errors.length === 0 && manifest.includes?.memory?.private === 0,
+    errors,
+    warnings,
+  };
+}
+
+/**
+ * 生成 Bundle ID
+ */
+export function generateBundleId(slug, version) {
+  return `agenthub://${slug}@${version}`;
+}
+
+/**
+ * 解析 Bundle ID
+ */
+export function parseBundleId(bundleId) {
+  const match = bundleId.match(/^agenthub:\/\/([^@]+)@(.+)$/);
+  if (!match) {
+    return null;
+  }
+  return { slug: match[1], version: match[2] };
+}

package/src/lib/openclaw-config.js

@@ -1,40 +1,40 @@
-const ALLOWED_PATHS = [
-  ["agents", "defaults", "model"],
-  ["agents", "defaults", "compaction"],
-  ["agents", "defaults", "memorySearch"],
-  ["agents", "defaults", "sandbox"],
-  ["plugins", "slots"],
-];
-
-function cloneJson(value) {
-  return JSON.parse(JSON.stringify(value));
-}
-
-function setDeep(target, keys, value) {
-  let cursor = target;
-  for (let index = 0; index < keys.length - 1; index += 1) {
-    const key = keys[index];
-    cursor[key] ??= {};
-    cursor = cursor[key];
-  }
-  cursor[keys[keys.length - 1]] = cloneJson(value);
-}
-
-export function extractOpenClawTemplate(config) {
-  const template = {};
-  for (const keys of ALLOWED_PATHS) {
-    let cursor = config;
-    let found = true;
-    for (const key of keys) {
-      if (!cursor || !(key in cursor)) {
-        found = false;
-        break;
-      }
-      cursor = cursor[key];
-    }
-    if (found) {
-      setDeep(template, keys, cursor);
-    }
-  }
-  return template;
-}
+const ALLOWED_PATHS = [
+  ["agents", "defaults", "model"],
+  ["agents", "defaults", "compaction"],
+  ["agents", "defaults", "memorySearch"],
+  ["agents", "defaults", "sandbox"],
+  ["plugins", "slots"],
+];
+
+function cloneJson(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+
+function setDeep(target, keys, value) {
+  let cursor = target;
+  for (let index = 0; index < keys.length - 1; index += 1) {
+    const key = keys[index];
+    cursor[key] ??= {};
+    cursor = cursor[key];
+  }
+  cursor[keys[keys.length - 1]] = cloneJson(value);
+}
+
+export function extractOpenClawTemplate(config) {
+  const template = {};
+  for (const keys of ALLOWED_PATHS) {
+    let cursor = config;
+    let found = true;
+    for (const key of keys) {
+      if (!cursor || !(key in cursor)) {
+        found = false;
+        break;
+      }
+      cursor = cursor[key];
+    }
+    if (found) {
+      setDeep(template, keys, cursor);
+    }
+  }
+  return template;
+}

package/src/lib/permissions.js

@@ -0,0 +1,105 @@
+/**
+ * Permissions Module
+ * Agent 可见性与访问控制
+ *
+ * 职责:
+ * 1. Agent 可见性管理 (public/private/team)
+ * 2. 操作权限检查
+ * 3. 团队成员授权
+ */
+
+// === Agent 可见性级别 ===
+export const VISIBILITY = {
+  PUBLIC: "public",
+  PRIVATE: "private",
+  TEAM: "team",
+};
+
+// === 操作类型 ===
+export const ACTIONS = {
+  VIEW: "view",
+  INSTALL: "install",
+  PUBLISH: "publish",
+  UPDATE: "update",
+  DELETE: "delete",
+};
+
+/**
+ * 检查用户是否有权访问 Agent
+ *
+ * @param {object} agent - Agent manifest (含 permissions 字段)
+ * @param {object|null} user - 当前用户 (null 表示匿名)
+ * @param {string} action - 操作类型
+ * @returns {{ allowed: boolean, reason?: string }}
+ */
+export function checkAccess(agent, user, action) {
+  const permissions = agent?.permissions || {};
+  const visibility = permissions.visibility || VISIBILITY.PUBLIC;
+  const owner = permissions.owner || "anonymous";
+
+  // 公开 Agent: 所有人可查看/安装
+  if (visibility === VISIBILITY.PUBLIC) {
+    if (action === ACTIONS.VIEW || action === ACTIONS.INSTALL) {
+      return { allowed: true };
+    }
+    // 发布/更新/删除需要是 owner
+    if (user && (user.username === owner || user.role === "admin")) {
+      return { allowed: true };
+    }
+    return { allowed: false, reason: `Only owner (${owner}) or admin can ${action}` };
+  }
+
+  // 匿名用户对非公开 Agent 无权限
+  if (!user) {
+    return { allowed: false, reason: "Authentication required" };
+  }
+
+  // 私有 Agent: 仅 owner 可访问
+  if (visibility === VISIBILITY.PRIVATE) {
+    if (user.username === owner || user.role === "admin") {
+      return { allowed: true };
+    }
+    return { allowed: false, reason: "This agent is private" };
+  }
+
+  // 团队 Agent: owner + 授权列表中的用户
+  if (visibility === VISIBILITY.TEAM) {
+    const allowedUsers = permissions.allowedUsers || [];
+    if (user.username === owner || user.role === "admin" || allowedUsers.includes(user.username)) {
+      return { allowed: true };
+    }
+    return { allowed: false, reason: "You are not a member of this team" };
+  }
+
+  return { allowed: false, reason: "Unknown visibility level" };
+}
+
+/**
+ * 在 Agent 列表中过滤用户有权查看的 Agent
+ *
+ * @param {Array} agents - Agent 列表
+ * @param {object|null} user - 当前用户
+ * @returns {Array} 过滤后的 Agent 列表
+ */
+export function filterVisibleAgents(agents, user) {
+  return agents.filter((agent) => {
+    const result = checkAccess(agent, user, ACTIONS.VIEW);
+    return result.allowed;
+  });
+}
+
+/**
+ * 创建默认权限配置
+ *
+ * @param {string} owner - 发布者用户名
+ * @param {string} [visibility] - 可见性级别
+ * @returns {object} 权限配置
+ */
+export function createDefaultPermissions(owner = "anonymous", visibility = VISIBILITY.PUBLIC) {
+  return {
+    visibility,
+    owner,
+    allowedUsers: [],
+    createdAt: new Date().toISOString(),
+  };
+}

package/src/lib/privacy-engine.js

@@ -0,0 +1,220 @@
+/**
+ * Privacy Engine
+ * 隐私处理引擎 — AgentHub 核心竞争力模块
+ *
+ * 职责:
+ * 1. 打包前自动剥离私有数据
+ * 2. 对文本内容进行脱敏替换
+ * 3. 生成隐私合规报告
+ */
+
+import { readdir, readFile, stat } from "node:fs/promises";
+import path from "node:path";
+
+// === 默认排除目录 ===
+const DEFAULT_EXCLUDE_DIRS = [
+  "memory/private",
+  ".git",
+  ".env",
+  "node_modules",
+  ".vscode",
+  ".idea",
+];
+
+// === 默认排除文件 ===
+const DEFAULT_EXCLUDE_FILES = [
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development",
+  ".npmrc",
+  ".netrc",
+  "id_rsa",
+  "id_ed25519",
+];
+
+// === 敏感信息模式（与 security-scanner.js 保持一致，增强版） ===
+const REDACT_PATTERNS = [
+  { pattern: /sk-[a-zA-Z0-9]{20,}/g, name: "OpenAI API Key", replacement: "sk-***REDACTED***" },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token", replacement: "ghp_***REDACTED***" },
+  { pattern: /gho_[a-zA-Z0-9]{36}/g, name: "GitHub OAuth", replacement: "gho_***REDACTED***" },
+  { pattern: /ghu_[a-zA-Z0-9]{36}/g, name: "GitHub User Token", replacement: "ghu_***REDACTED***" },
+  { pattern: /ghs_[a-zA-Z0-9]{36}/g, name: "GitHub Server Token", replacement: "ghs_***REDACTED***" },
+  { pattern: /ghr_[a-zA-Z0-9]{36}/g, name: "GitHub Refresh Token", replacement: "ghr_***REDACTED***" },
+  { pattern: /xox[baprs]-[a-zA-Z0-9-]+/g, name: "Slack Token", replacement: "xox_-***REDACTED***" },
+  { pattern: /-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END \1?PRIVATE KEY-----/g, name: "Private Key", replacement: "***PRIVATE_KEY_REDACTED***" },
+  { pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g, name: "JWT Token", replacement: "***JWT_REDACTED***" },
+  { pattern: /(password|passwd|pwd)\s*[=:]\s*['"][^'"]+['"]/gi, name: "Password", replacement: "$1=***REDACTED***" },
+  { pattern: /(secret|api_key|apikey|access_key)\s*[=:]\s*['"][^'"]+['"]/gi, name: "API Secret", replacement: "$1=***REDACTED***" },
+  { pattern: /(token|bearer)\s*[=:]\s*['"][^'"]+['"]/gi, name: "Token", replacement: "$1=***REDACTED***" },
+  // 邮箱地址脱敏
+  { pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, name: "Email Address", replacement: "***@***.***" },
+];
+
+// 文本文件扩展名
+const TEXT_EXTENSIONS = new Set([
+  ".md", ".txt", ".json", ".yaml", ".yml", ".xml", ".html", ".css", ".js", ".ts",
+  ".py", ".sh", ".bash", ".zsh", ".env", ".conf", ".config", ".ini", ".toml",
+  ".jsx", ".tsx", ".vue", ".svelte", ".astro",
+]);
+
+function isTextFile(filename) {
+  const ext = path.extname(filename).toLowerCase();
+  return TEXT_EXTENSIONS.has(ext) || !ext;
+}
+
+/**
+ * 对文本内容进行脱敏
+ * @param {string} content - 原始内容
+ * @param {Array} [patterns] - 脱敏模式列表
+ * @returns {{ content: string, redactions: Array }} 脱敏后的内容和脱敏记录
+ */
+export function redactContent(content, patterns = REDACT_PATTERNS) {
+  const redactions = [];
+  let result = content;
+
+  for (const { pattern, name, replacement } of patterns) {
+    // 重建 RegExp 以重置 lastIndex
+    const regex = new RegExp(pattern.source, pattern.flags);
+    const matches = result.match(regex);
+    if (matches) {
+      redactions.push({ type: name, count: matches.length });
+      result = result.replace(regex, replacement);
+    }
+  }
+
+  return { content: result, redactions };
+}
+
+/**
+ * 扫描目录，统计隐私风险
+ * @param {string} dirPath - 目录路径
+ * @returns {Promise<object>} 扫描报告
+ */
+export async function scanPrivacyRisks(dirPath) {
+  const report = {
+    hasPrivateMemory: false,
+    privateMemoryCount: 0,
+    sensitiveFindings: [],
+    riskyFiles: [],
+    totalFilesScanned: 0,
+  };
+
+  // 检查 memory/private/
+  const privatePath = path.join(dirPath, "memory", "private");
+  try {
+    const privateStat = await stat(privatePath);
+    if (privateStat.isDirectory()) {
+      const entries = await readdir(privatePath);
+      report.hasPrivateMemory = entries.length > 0;
+      report.privateMemoryCount = entries.length;
+    }
+  } catch {
+    // 不存在，正常
+  }
+
+  // 递归扫描文本文件
+  await scanDirForSensitive(dirPath, report, "");
+
+  return report;
+}
+
+async function scanDirForSensitive(dirPath, report, relativePath) {
+  let entries;
+  try {
+    entries = await readdir(dirPath, { withFileTypes: true });
+  } catch {
+    return;
+  }
+
+  for (const entry of entries) {
+    const fullPath = path.join(dirPath, entry.name);
+    const relPath = relativePath ? `${relativePath}/${entry.name}` : entry.name;
+
+    if (entry.isDirectory()) {
+      // 跳过不需要扫描的目录
+      if (["node_modules", ".git", ".vscode", ".idea"].includes(entry.name)) continue;
+      await scanDirForSensitive(fullPath, report, relPath);
+    } else if (entry.isFile() && isTextFile(entry.name)) {
+      try {
+        const content = await readFile(fullPath, "utf8");
+        report.totalFilesScanned++;
+
+        const { redactions } = redactContent(content);
+        if (redactions.length > 0) {
+          report.sensitiveFindings.push(...redactions.map((r) => ({
+            file: relPath,
+            type: r.type,
+            count: r.count,
+          })));
+          report.riskyFiles.push(relPath);
+        }
+      } catch {
+        // 无法读取，跳过
+      }
+    }
+  }
+}
+
+/**
+ * 获取打包过滤配置
+ * 根据 sharingPolicy 和扫描结果，返回 copyDirFiltered 所需的 options
+ *
+ * @param {object} manifest - MANIFEST 对象
+ * @param {object} [overrides] - 自定义覆盖
+ * @returns {object} copyDirFiltered 的 options
+ */
+export function getPackFilterOptions(manifest, overrides = {}) {
+  const policy = manifest?.sharingPolicy || {};
+  const blockedLayers = policy.blockedMemoryLayers || ["private"];
+
+  const excludeDirs = [
+    ...DEFAULT_EXCLUDE_DIRS,
+    ...blockedLayers.map((layer) => `memory/${layer}`),
+    ...(overrides.excludeDirs || []),
+  ];
+
+  // 去重
+  const uniqueDirs = [...new Set(excludeDirs)];
+
+  return {
+    excludeDirs: uniqueDirs,
+    excludeFiles: [...DEFAULT_EXCLUDE_FILES, ...(overrides.excludeFiles || [])],
+    maxFileSize: overrides.maxFileSize || 50 * 1024 * 1024,
+  };
+}
+
+/**
+ * 生成隐私合规报告
+ * @param {object} scanResult - scanPrivacyRisks 的结果
+ * @param {object} copyReport - copyDirFiltered 的结果
+ * @returns {object} 隐私合规报告
+ */
+export function generatePrivacyReport(scanResult, copyReport) {
+  const severity = scanResult.hasPrivateMemory ? "high" :
+    scanResult.sensitiveFindings.length > 0 ? "medium" : "clean";
+
+  return {
+    version: "1.0",
+    generatedAt: new Date().toISOString(),
+    severity,
+    summary: {
+      totalFilesScanned: scanResult.totalFilesScanned,
+      sensitiveItemsFound: scanResult.sensitiveFindings.length,
+      privateMemoryDetected: scanResult.hasPrivateMemory,
+      privateMemoryCount: scanResult.privateMemoryCount,
+      filesSkipped: copyReport?.skipped?.length || 0,
+      filesCopied: copyReport?.copied?.length || 0,
+    },
+    details: {
+      sensitiveFindings: scanResult.sensitiveFindings,
+      riskyFiles: scanResult.riskyFiles,
+      skippedPaths: copyReport?.skipped || [],
+    },
+    compliance: {
+      privateDataStripped: !scanResult.hasPrivateMemory || severity !== "clean",
+      sensitiveInfoRedacted: scanResult.sensitiveFindings.length === 0,
+      policyEnforced: true,
+    },
+  };
+}