npm - buzzster - Versions diffs - 1.0.0 - Mend

buzzster 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/SKILL.md ADDED Viewed

@@ -0,0 +1,765 @@
+---
+name: biofirewall-client
+version: 3.0.0
+description: Express middleware to protect your APIs with agent authentication.
+homepage: https://github.com/openclaw/biofirewall
+metadata: {"biofirewall-client":{"emoji":"🔒","category":"security"}}
+---
+# BioFirewall Client 🔒 SKILL.md
+**For Developers:** How to protect your APIs with agent-only authentication.
+---
+## What Is biofirewall-client?
+An Express middleware that:
+1. **Blocks browsers** (User-Agent detection)
+2. **Verifies tokens** with central BioFirewall API
+3. **Caches verification** locally (30s, reduces API load)
+4. **Attaches agent info** to `req.agent`
+5. **Returns helpful errors**
+**Think:** A bouncer that only lets verified robots in.
+---
+## Installation
+```bash
+npm install biofirewall-client
+```
+---
+## Quick Start (2 Minutes)
+### 1. Basic Setup
+```javascript
+const express = require('express');
+const BioFirewall = require('biofirewall-client');
+const app = express();
+// Create middleware
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Protect all routes
+app.use(bioFirewall);
+// Now only agents can access
+app.get('/api/secret', (req, res) => {
+    res.json({
+        message: 'Hello, ' + req.agent.name,
+        agentId: req.agent.id
+    });
+});
+app.listen(8080);
+```
+### 2. Test It
+```bash
+# As a browser (blocked)
+curl http://localhost:8080/api/secret \
+  -H "User-Agent: Mozilla/5.0 Chrome/..."
+# Response: 406 Not Acceptable
+# As an agent (allowed)
+curl http://localhost:8080/api/secret \
+  -H "X-Bio-Agent-Id: agent_abc123" \
+  -H "X-Bio-Token: eyJhbGc..." \
+  -H "User-Agent: MyAgent/1.0" \
+  -H "Accept: application/json"
+# Response: 200 OK
+```
+---
+## Configuration
+```javascript
+const bioFirewall = new BioFirewall({
+    // Required
+    apiUrl: 'http://localhost:3333',
+    // Optional
+    blockBrowsers: true,              // Block User-Agents that look like browsers
+    enforceAuthentication: true,      // Require X-Bio-Token header
+    cacheTokens: true,                // Cache verification results locally
+    cacheTTL: 30000                   // Cache time-to-live (milliseconds)
+});
+app.use(bioFirewall);
+```
+### Configuration Options
+| Option | Default | Purpose |
+|--------|---------|---------|
+| `apiUrl` | required | Central BioFirewall API URL |
+| `blockBrowsers` | true | Block requests that look like browsers |
+| `enforceAuthentication` | true | Require valid authentication |
+| `cacheTokens` | true | Cache token verification locally |
+| `cacheTTL` | 30000 | Cache time-to-live in milliseconds |
+---
+## How It Works
+### Three Layers of Security
+#### Layer 1️⃣: Passive Filtering (Local, <1ms)
+Blocks obvious browsers without API call:
+```
+User-Agent: Mozilla/5.0 Chrome/... → 406 (instant)
+Accept: text/html → 406 (instant)
+Accept-Language: en-US → 406 (instant)
+```
+**Why:** Fast rejection of obvious non-agents.
+#### Layer 2️⃣: Token Verification (Central API, ~20ms)
+For requests that pass Layer 1:
+```
+POST /verify on central API
+{
+  "agentId": "agent_xyz",
+  "token": "eyJhbGc..."
+}
+Response:
+{
+  "valid": true,
+  "agent": { "id": "agent_xyz", "name": "MyAgent" }
+}
+```
+**Why:** Cryptographic verification with central registry.
+#### Layer 3️⃣: Caching (Local, <1ms)
+Result cached for 30 seconds:
+```
+Request 1 (07:00:00) → API call ~20ms
+Request 2 (07:00:10) → Cache hit ~0ms
+Request 3 (07:00:20) → Cache hit ~0ms
+Request 4 (07:00:35) → API call ~20ms (cache expired)
+```
+**Why:** Reduce load on central API during request bursts.
+---
+## Usage Examples
+### Protect Specific Routes
+```javascript
+const express = require('express');
+const BioFirewall = require('biofirewall-client');
+const app = express();
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Public routes (no auth)
+app.get('/', (req, res) => {
+    res.json({ service: 'My API', status: 'online' });
+});
+// Protected routes (auth required)
+app.get('/api/secret', bioFirewall, (req, res) => {
+    res.json({
+        message: 'Secret data',
+        agent: req.agent
+    });
+});
+app.post('/api/data', bioFirewall, (req, res) => {
+    res.json({
+        success: true,
+        agent: req.agent.id
+    });
+});
+app.listen(8080);
+```
+### Protect All Routes Except /health
+```javascript
+const app = express();
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Health check (no auth)
+app.get('/health', (req, res) => {
+    res.json({ status: 'ok' });
+});
+// Protect everything else
+app.use(bioFirewall);
+app.get('/api/data', (req, res) => {
+    res.json({ agent: req.agent.name });
+});
+```
+### Access Agent Information
+```javascript
+app.get('/api/profile', bioFirewall, (req, res) => {
+    // req.agent is populated by middleware
+    res.json({
+        you: req.agent.name,
+        yourId: req.agent.id,
+        version: req.agent.version,
+        permissions: req.agent.permissions
+    });
+});
+```
+### Custom Error Handling
+```javascript
+const bioFirewall = new BioFirewall('http://localhost:3333');
+app.use((req, res, next) => {
+    bioFirewall(req, res, (err) => {
+        if (err) {
+            // Custom error handling
+            console.error('Auth error:', err);
+            return res.status(401).json({
+                success: false,
+                message: 'Custom error message'
+            });
+        }
+        next();
+    });
+});
+```
+### With Route Guards
+```javascript
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Middleware
+const requireAgent = bioFirewall;
+const requireAdmin = (req, res, next) => {
+    if (req.agent.permissions.includes('admin')) {
+        next();
+    } else {
+        res.status(403).json({ error: 'Requires admin permission' });
+    }
+};
+// Routes
+app.get('/api/user-data', requireAgent, (req, res) => {
+    res.json({ data: 'user data' });
+});
+app.post('/api/system-control', requireAgent, requireAdmin, (req, res) => {
+    res.json({ success: true });
+});
+```
+---
+## Request Headers
+### Required Headers (When Accessing Protected Route)
+```
+X-Bio-Agent-Id: agent_a1b2c3d4e5f6g7h8    (your agent ID)
+X-Bio-Token: eyJhbGciOiJSUzI1NiIsInR5cCI... (JWT you signed)
+User-Agent: MyAgent/1.0                    (your agent name/version)
+Accept: application/json                   (ask for JSON, not HTML)
+```
+### Headers NOT to Send
+❌ `Accept: text/html` (looks human)
+❌ `Accept-Language: en-US` (human trait)
+❌ `Accept-Encoding: gzip, deflate` (browser thing)
+❌ Browser User-Agent like `Mozilla/5.0 Chrome/...`
+### Example Correct Request
+```bash
+curl http://localhost:8080/api/secret \
+  -H "X-Bio-Agent-Id: agent_abc123" \
+  -H "X-Bio-Token: eyJhbGc..." \
+  -H "User-Agent: MyAgent/1.0" \
+  -H "Accept: application/json"
+```
+---
+## Response Headers
+Middleware adds these headers when authentication succeeds:
+```
+X-Bio-Verified: true
+X-Bio-Agent-Name: MyAgent
+X-Bio-Version: 3.0
+```
+Use these in your code:
+```javascript
+app.get('/api/secret', bioFirewall, (req, res) => {
+    const headers = res.getHeaders();
+    console.log(headers['x-bio-verified']); // 'true'
+    console.log(headers['x-bio-agent-name']); // 'MyAgent'
+});
+```
+---
+## Error Responses
+### 406 Not Acceptable (Looks Like a Browser)
+```json
+{
+  "success": false,
+  "error": "BIOLOGICAL_ENTITY_DETECTED",
+  "message": "This resource is reserved for automated agents",
+  "tip": "Use an API client. Ensure User-Agent does not look like a browser"
+}
+```
+**Causes:**
+- User-Agent contains "Mozilla", "Chrome", "Safari", etc.
+- Accept header contains `text/html`
+- Accept-Language header present
+**Fix:**
+```bash
+# Don't do this
+curl -H "User-Agent: Mozilla/5.0 Chrome/..." http://localhost:8080/api/secret
+# Do this instead
+curl \
+  -H "User-Agent: MyAgent/1.0" \
+  -H "Accept: application/json" \
+  -H "X-Bio-Agent-Id: agent_abc123" \
+  -H "X-Bio-Token: eyJhbGc..." \
+  http://localhost:8080/api/secret
+```
+### 428 Precondition Required (Missing Headers)
+```json
+{
+  "success": false,
+  "error": "AUTHENTICATION_REQUIRED",
+  "message": "Valid agent token required to access this resource",
+  "protocol": {
+    "version": "3.0",
+    "method": "JWT + RS256",
+    "headers": {
+      "X-Bio-Agent-Id": "Your agent ID from registration",
+      "X-Bio-Token": "JWT token signed with your private key"
+    }
+  }
+}
+```
+**Cause:** Missing `X-Bio-Agent-Id` or `X-Bio-Token` header
+**Fix:** Include both headers with valid values
+### 401 Unauthorized (Invalid Token)
+```json
+{
+  "success": false,
+  "error": "INVALID_TOKEN",
+  "message": "Token signature is invalid"
+}
+```
+**Causes:**
+- Token signed with wrong private key
+- Token expired (>1 hour old)
+- Token corrupted/tampered
+**Fix:**
+```javascript
+// Regenerate token with correct private key
+const newToken = crypto.createToken(privateKey, agentId, metadata, 3600);
+// Then retry request with new token
+```
+### 403 Forbidden (Agent Revoked)
+```json
+{
+  "success": false,
+  "error": "AGENT_NOT_ACTIVE",
+  "message": "Agent status is revoked"
+}
+```
+**Cause:** Agent was revoked by administrator
+**Fix:** Contact administrator to reactivate
+### 404 Agent Not Found
+```json
+{
+  "success": false,
+  "error": "AGENT_NOT_FOUND",
+  "message": "Agent not registered"
+}
+```
+**Cause:** Agent ID doesn't exist in central registry
+**Fix:** Register agent first:
+```bash
+curl -X POST http://localhost:3333/register \
+  -d '{"publicKey": "...", "metadata": {...}}'
+```
+---
+## Token Caching
+By default, token verification results are cached for 30 seconds locally:
+```javascript
+// Prevents hammering central API
+// Typical cache hit rate: 95%+ for normal usage
+// Clear all cache (if needed)
+bioFirewall.clearCache?.();
+// Or disable caching
+const bioFirewall = new BioFirewall({
+    apiUrl: 'http://localhost:3333',
+    cacheTokens: false  // No local caching
+});
+```
+---
+## Performance
+### Typical Response Times
+```
+Browser request (Layer 1):    ~0ms   (instant rejection)
+Agent request (Layer 2 cache): ~1ms  (cached)
+Agent request (Layer 2 API):   ~20ms (central API call)
+```
+### Optimization Tips
+1. **Reuse middleware instance:**
+   ```javascript
+   const bioFirewall = new BioFirewall('http://localhost:3333');
+   app.use('/api', bioFirewall);  // Single instance
+   ```
+2. **Use token caching (default):**
+   ```javascript
+   const bioFirewall = new BioFirewall({
+       apiUrl: 'http://localhost:3333',
+       cacheTokens: true,  // Default: ON
+       cacheTTL: 30000     // 30 seconds
+   });
+   ```
+3. **Keep central API close (low latency):**
+   - Same data center if possible
+   - CDN for geographically distributed apps
+---
+## Testing
+### Unit Tests
+```javascript
+const request = require('supertest');
+const app = require('./app');
+describe('Protected endpoint', () => {
+    it('should reject browsers', async () => {
+        const res = await request(app)
+            .get('/api/secret')
+            .set('User-Agent', 'Mozilla/5.0 Chrome/...');
+        expect(res.status).toBe(406);
+        expect(res.body.error).toBe('BIOLOGICAL_ENTITY_DETECTED');
+    });
+    it('should reject missing auth', async () => {
+        const res = await request(app)
+            .get('/api/secret')
+            .set('User-Agent', 'MyBot/1.0');
+        expect(res.status).toBe(428);
+        expect(res.body.error).toBe('AUTHENTICATION_REQUIRED');
+    });
+    it('should allow valid agents', async () => {
+        const res = await request(app)
+            .get('/api/secret')
+            .set('User-Agent', 'MyBot/1.0')
+            .set('X-Bio-Agent-Id', 'agent_test123')
+            .set('X-Bio-Token', 'valid_jwt_token');
+        expect(res.status).toBe(200);
+        expect(res.body.agent.id).toBe('agent_test123');
+    });
+    it('should include response headers', async () => {
+        const res = await request(app)
+            .get('/api/secret')
+            .set('User-Agent', 'MyBot/1.0')
+            .set('X-Bio-Agent-Id', 'agent_test123')
+            .set('X-Bio-Token', 'valid_jwt_token');
+        expect(res.headers['x-bio-verified']).toBe('true');
+        expect(res.headers['x-bio-agent-name']).toBe('MyAgent');
+    });
+});
+```
+### Integration Test
+```bash
+#!/bin/bash
+# Test 1: Browser blocked
+echo "Test 1: Block browser"
+curl -v \
+  -H "User-Agent: Mozilla/5.0 Chrome/..." \
+  http://localhost:8080/api/secret
+# Expected: 406
+# Test 2: Missing auth
+echo "Test 2: Missing auth"
+curl -v \
+  -H "User-Agent: MyBot/1.0" \
+  http://localhost:8080/api/secret
+# Expected: 428
+# Test 3: Valid agent
+echo "Test 3: Valid agent"
+curl -v \
+  -H "User-Agent: MyBot/1.0" \
+  -H "X-Bio-Agent-Id: agent_test123" \
+  -H "X-Bio-Token: eyJhbGc..." \
+  http://localhost:8080/api/secret
+# Expected: 200
+```
+---
+## Troubleshooting
+### "Cannot connect to central API"
+```javascript
+// Check API URL
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Verify API is running
+curl http://localhost:3333/health
+// Check firewall rules
+# Allow traffic on 3333
+```
+### "Token always invalid"
+```javascript
+// Ensure token signed with correct private key
+const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+// Verify agent is registered
+curl http://localhost:3333/agents/agent_abc123
+// Check token not expired (max 1 hour old)
+```
+### "Agents keep getting 406"
+```bash
+# Check headers
+curl -v \
+  -H "User-Agent: MyBot/1.0" \
+  -H "Accept: application/json" \
+  -H "X-Bio-Agent-Id: agent_xyz" \
+  -H "X-Bio-Token: ..." \
+  http://localhost:8080/api/secret
+# Don't include:
+# - "Mozilla" in User-Agent
+# - "text/html" in Accept header
+# - "Accept-Language" header
+```
+---
+## Complete Example App
+```javascript
+const express = require('express');
+const BioFirewall = require('biofirewall-client');
+const app = express();
+// Setup
+const bioFirewall = new BioFirewall('http://localhost:3333');
+// Middleware
+app.use(express.json());
+// Public route (no auth)
+app.get('/', (req, res) => {
+    res.json({
+        service: 'Protected API',
+        status: 'online',
+        endpoints: {
+            public: ['GET /'],
+            protected: ['GET /api/secret', 'POST /api/data']
+        }
+    });
+});
+// Protected routes
+app.get('/api/secret', bioFirewall, (req, res) => {
+    res.json({
+        message: 'Secret data',
+        agent: {
+            id: req.agent.id,
+            name: req.agent.name,
+            version: req.agent.version
+        }
+    });
+});
+app.post('/api/data', bioFirewall, (req, res) => {
+    res.json({
+        success: true,
+        message: 'Data received',
+        agent: req.agent.id,
+        data: req.body
+    });
+});
+// Error handler
+app.use((err, req, res, next) => {
+    console.error(err);
+    res.status(500).json({
+        error: 'Internal server error'
+    });
+});
+// Start
+const PORT = process.env.PORT || 8080;
+app.listen(PORT, () => {
+    console.log(`🔒 Protected API running on port ${PORT}`);
+    console.log(`   Central API: http://localhost:3333`);
+});
+```
+---
+## Deployment
+### Docker
+```dockerfile
+FROM node:18-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+COPY . .
+ENV BIOFIREWALL_API=http://biofirewall-api:3333
+ENV PORT=8080
+EXPOSE 8080
+CMD ["npm", "start"]
+```
+### Environment Variables
+```bash
+BIOFIREWALL_API=http://localhost:3333
+NODE_ENV=production
+PORT=8080
+```
+---
+## Security Best Practices
+✅ **DO:**
+- Use HTTPS in production
+- Keep central API URL secret
+- Monitor for unusual patterns
+- Log authentication attempts
+- Update middleware regularly
+- Use caching (reduces API calls)
+❌ **DON'T:**
+- Expose central API URL in client code
+- Log tokens or agent secrets
+- Disable browser detection
+- Disable token verification
+- Use old versions
+---
+## FAQ
+**Q: Can I use biofirewall-client without central API?**
+A: No. It requires a running central API for token verification.
+**Q: How do I set up central API?**
+A: See `/biofirewall-api/README.md` or `npm install biofirewall-api`.
+**Q: Can I customize error messages?**
+A: Yes, implement custom middleware before biofirewall.
+**Q: How do I handle 404 from central API?**
+A: Middleware will return 500. Ensure central API is reachable.
+**Q: Can multiple services use same central API?**
+A: Yes! That's the point. Central API is shared.
+---
+## Support
+- 📖 [biofirewall-api/SKILL.md](../biofirewall-api/SKILL.md) — Agent registration guide
+- 💓 [biofirewall-api/HEARTBEAT.md](../biofirewall-api/HEARTBEAT.md) — Agent activity routine
+- 🏗️ [ARCHITECTURE.md](../ARCHITECTURE.md) — System design
+- 🔗 GitHub: https://github.com/openclaw/biofirewall
+---
+*BioFirewall Client v3.0 | Protect your APIs. Verify silicon.* 🔒