clawarmor 1.1.0

package/lib/fix.js

@@ -0,0 +1,175 @@
+// clawarmor fix — auto-apply safe one-liner fixes
+import { readFileSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+import { execSync, spawnSync } from 'child_process';
+import { paint } from './output/colors.js';
+import { loadConfig, get } from './config.js';
+
+const HISTORY_PATH = join(homedir(), '.clawarmor', 'history.json');
+const SEP = paint.dim('─'.repeat(52));
+
+// Fixes that are safe to auto-apply (single config set command, no restart risk)
+const AUTO_FIXABLE = {
+  'browser.ssrf': {
+    cmd: 'openclaw config set browser.ssrfPolicy.dangerouslyAllowPrivateNetwork false',
+    desc: 'Block browser SSRF to private networks',
+    needsRestart: true,
+  },
+  'discovery.mdns': {
+    cmd: 'openclaw config set discovery.mdns.mode minimal',
+    desc: 'Set mDNS to minimal mode',
+    needsRestart: true,
+  },
+  'logging.redact': {
+    cmd: 'openclaw config set logging.redactSensitive tools',
+    desc: 'Enable log redaction',
+    needsRestart: false,
+  },
+  'tools.fs.workspaceOnly': {
+    cmd: 'openclaw config set tools.fs.workspaceOnly true',
+    desc: 'Restrict filesystem to workspace',
+    needsRestart: true,
+  },
+  'tools.applyPatch.workspaceOnly': {
+    cmd: 'openclaw config set tools.exec.applyPatch.workspaceOnly true',
+    desc: 'Restrict apply_patch to workspace',
+    needsRestart: true,
+  },
+  'fs.config.perms': {
+    cmd: 'chmod 600 ~/.openclaw/openclaw.json',
+    desc: 'Lock down config file permissions',
+    needsRestart: false,
+    shell: true,
+  },
+  'fs.accounts.perms': {
+    cmd: 'chmod 600 ~/.openclaw/agent-accounts.json',
+    desc: 'Lock down credentials file permissions',
+    needsRestart: false,
+    shell: true,
+  },
+  'agents.sandbox': {
+    // Multi-step fix: enables sandbox WITH workspace access so Telegram sessions don't lose memory files
+    cmd: "openclaw config set agents.defaults.sandbox.mode non-main && openclaw config set agents.defaults.sandbox.workspaceAccess rw && openclaw config set agents.defaults.sandbox.scope session",
+    desc: 'Enable sandbox isolation (with workspace access preserved for Telegram/group sessions)',
+    needsRestart: true,
+    requiresDocker: true,
+  },
+  'fs.dir.perms': {
+    cmd: 'chmod 700 ~/.openclaw',
+    desc: 'Lock down ~/.openclaw directory',
+    needsRestart: false,
+    shell: true,
+  },
+};
+
+function box(title) {
+  const W=52, pad=W-2-title.length, l=Math.floor(pad/2), r=pad-l;
+  return [paint.dim('╔'+'═'.repeat(W-2)+'╗'),
+    paint.dim('║')+' '.repeat(l)+paint.bold(title)+' '.repeat(r)+paint.dim('║'),
+    paint.dim('╚'+'═'.repeat(W-2)+'╝')].join('\n');
+}
+
+export async function runFix(flags = {}) {
+  console.log(''); console.log(box('ClawArmor Fix  v1.1.0')); console.log('');
+
+  // Load last audit failures
+  let lastFailed = [];
+  try {
+    const h = JSON.parse(readFileSync(HISTORY_PATH,'utf8'));
+    const last = h[h.length-1];
+    lastFailed = last?.failedIds || [];
+  } catch { /* no history */ }
+
+  if (!lastFailed.length) {
+    console.log(`  ${paint.dim('No previous audit found. Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('first.')}`);
+    console.log(''); return 0;
+  }
+
+  const fixable = lastFailed.filter(id => AUTO_FIXABLE[id]);
+  const manual = lastFailed.filter(id => !AUTO_FIXABLE[id]);
+
+  console.log(`  ${paint.dim('Last audit had')} ${paint.bold(String(lastFailed.length))} ${paint.dim('failing checks.')}`);
+  console.log(`  ${paint.bold(String(fixable.length))} ${paint.dim('can be auto-fixed.')} ${paint.dim(String(manual.length))} ${paint.dim('require manual steps.')}`);
+
+  if (!fixable.length) {
+    console.log('');
+    console.log(`  ${paint.yellow('!')} No auto-fixable issues. Fix manually:`);
+    for (const id of manual) console.log(`    ${paint.dim('•')} ${id}`);
+    console.log(''); return 0;
+  }
+
+  // Load config for mainKey check (needed by both dry-run and apply paths)
+  const { config: cfg } = loadConfig();
+  const mainKey = get(cfg, 'agents.mainKey', 'main');
+
+  console.log('');
+  if (flags.dryRun) {
+    console.log(`  ${paint.cyan('Dry run — would apply:')}`);
+    for (const id of fixable) {
+      const f = AUTO_FIXABLE[id];
+      if (id === 'agents.sandbox' && mainKey !== 'main') {
+        console.log(`  ${paint.yellow('⚠')} ${paint.bold('Custom mainKey detected:')} agents.mainKey="${mainKey}"`);
+        console.log(`     ${paint.dim('Verify that sandbox.mode=non-main won\'t affect your main session.')}`);
+      }
+      console.log(`  ${paint.dim('→')} ${f.desc}`);
+      console.log(`    ${paint.dim(f.cmd)}`);
+      if (f.requiresDocker) console.log(`    ${paint.yellow('⚠')} ${paint.dim('Requires Docker Desktop to be installed and running')}`);
+      if (f.needsRestart) console.log(`    ${paint.dim('↻ gateway restart required after applying')}`);
+    }
+    console.log('');
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor fix --apply')} ${paint.dim('to apply these fixes.')}`);
+    console.log(''); return 0;
+  }
+
+  if (!flags.apply) {
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor fix --dry-run')} ${paint.dim('to preview fixes.')}`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor fix --apply')} ${paint.dim('to apply them.')}`);
+    console.log(''); return 0;
+  }
+
+  // Apply fixes
+  let applied = 0, failed = 0, needsRestart = false;
+  console.log(SEP);
+  for (const id of fixable) {
+    const f = AUTO_FIXABLE[id];
+
+    // Warn about custom mainKey before sandbox fix
+    if (id === 'agents.sandbox' && mainKey !== 'main') {
+      console.log(`  ${paint.yellow('⚠')} ${paint.bold('Custom mainKey detected:')} agents.mainKey="${mainKey}"`);
+      console.log(`     ${paint.dim('Verify that sandbox.mode=non-main won\'t affect your main session.')}`);
+    }
+
+    process.stdout.write(`  ${paint.dim('→')} ${f.desc}...`);
+    // Check Docker requirement
+    if (f.requiresDocker) {
+      const dockerCheck = spawnSync('docker', ['info'], { stdio: 'ignore' });
+      if (dockerCheck.error || dockerCheck.status !== 0) {
+        process.stdout.write(` ${paint.yellow('⚠')} Docker not running — install Docker Desktop first\n`);
+        failed++;
+        continue;
+      }
+    }
+    try {
+      execSync(f.cmd, { stdio: 'ignore', shell: true });
+      process.stdout.write(` ${paint.green('✓')}\n`);
+      applied++;
+      if (f.needsRestart) needsRestart = true;
+    } catch (e) {
+      process.stdout.write(` ${paint.red('✗')} ${e.message.split('\n')[0]}\n`);
+      failed++;
+    }
+  }
+
+  console.log('');
+  if (needsRestart) {
+    console.log(`  ${paint.yellow('!')} ${paint.bold('Restart required:')} ${paint.dim('openclaw gateway restart')}`);
+  }
+  if (manual.length) {
+    console.log(`  ${paint.dim('Still needs manual fix:')}`);
+    for (const id of manual) console.log(`    ${paint.dim('•')} ${id}`);
+  }
+  console.log('');
+  console.log(`  Applied ${applied} fix${applied!==1?'es':''}. Run ${paint.cyan('clawarmor verify')} to confirm.`);
+  console.log(''); return failed > 0 ? 1 : 0;
+}

package/lib/output/colors.js

@@ -0,0 +1,24 @@
+const C = {
+  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+  red: '\x1b[31m', green: '\x1b[32m', yellow: '\x1b[33m',
+  blue: '\x1b[34m', cyan: '\x1b[36m', white: '\x1b[37m',
+  bgRed: '\x1b[41m',
+};
+const noColor = process.env.NO_COLOR || !process.stdout.isTTY;
+const c = (code, s) => noColor ? s : `${code}${s}${C.reset}`;
+
+export const paint = {
+  bold: s => c(C.bold, s), dim: s => c(C.dim, s),
+  red: s => c(C.red, s), green: s => c(C.green, s),
+  yellow: s => c(C.yellow, s), cyan: s => c(C.cyan, s),
+  pass: s => c(C.green, s), high: s => c(C.yellow, s),
+  critical: s => c(C.red, s),
+};
+
+export const severityColor = {
+  CRITICAL: s => c(C.red + C.bold, s),
+  HIGH: s => c(C.yellow, s),
+  MEDIUM: s => c(C.cyan, s),
+  LOW: s => c(C.dim, s),
+  INFO: s => c(C.dim, s),
+};

package/lib/output/formatter.js

@@ -0,0 +1,212 @@
+// Beautiful terminal output for audit + scan results
+import { paint, severityColor } from './colors.js';
+import { progressBar, scoreColor, gradeColor } from './progress.js';
+
+const WIDTH = 46;
+const HR = '─'.repeat(WIDTH);
+
+function line(s = '') {
+  return s;
+}
+
+function box(title) {
+  const pad = Math.max(0, WIDTH - 2 - title.length);
+  const left = Math.floor(pad / 2);
+  const right = pad - left;
+  return [
+    `╔${'═'.repeat(WIDTH - 2)}╗`,
+    `║${' '.repeat(left)}${paint.bold(title)}${' '.repeat(right)}║`,
+    `╚${'═'.repeat(WIDTH - 2)}╝`,
+  ].join('\n');
+}
+
+function sectionHeader(label, count) {
+  const countStr = count !== undefined ? `  (${count} ${count === 1 ? 'finding' : count === 0 ? 'checks' : 'findings'})` : '';
+  const colorFn = severityColor[label] || paint.bold;
+  return [
+    line(HR),
+    line(`  ${colorFn(label)}${paint.dim(countStr)}`),
+    line(HR),
+  ].join('\n');
+}
+
+function passedSection(findings) {
+  const lines = [
+    line(HR),
+    line(`  ${paint.green('PASSED')}${paint.dim(`  (${findings.length} checks)`)}`),
+    line(HR),
+  ];
+  for (const f of findings) {
+    lines.push(`  ${paint.pass('✓')} ${paint.dim(f.passedMsg || f.title)}`);
+  }
+  return lines.join('\n');
+}
+
+function finding(f) {
+  const icon = paint.fail('✗');
+  const title = paint.bold(f.title);
+  const lines = [``, `  ${icon} ${title}`];
+
+  if (f.description) {
+    for (const descLine of f.description.split('\n')) {
+      lines.push(`    ${paint.dim(descLine)}`);
+    }
+  }
+
+  if (f.fix) {
+    lines.push('');
+    const fixLines = f.fix.split('\n');
+    lines.push(`    ${paint.cyan('Fix:')} ${fixLines[0]}`);
+    for (let i = 1; i < fixLines.length; i++) {
+      lines.push(`         ${fixLines[i]}`);
+    }
+  }
+
+  return lines.join('\n');
+}
+
+export function formatAuditReport({ configPath, score, grade, findings, passed, scannedAt }) {
+  const out = [];
+
+  out.push('');
+  out.push(box('ClawArmor Audit Report'));
+  out.push('');
+  out.push(`  ${paint.dim('Config:')}  ${paint.white(configPath)}`);
+  out.push(`  ${paint.dim('Scanned:')} ${paint.white(scannedAt)}`);
+  out.push('');
+
+  const scoreStr = `${score}/100`;
+  const gradeStr = `Grade: ${grade}`;
+  const colorScore = scoreColor(score);
+  const colorGrade = gradeColor(grade);
+  out.push(`  ${paint.bold('Security Score:')} ${colorScore(scoreStr)}  ${paint.dim('┃')}  ${colorGrade(gradeStr)}`);
+  out.push(`  ${progressBar(score)}  ${paint.dim(`${score}%`)}`);
+  out.push('');
+
+  // Group findings by severity
+  const bySeverity = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
+  for (const f of findings) {
+    if (bySeverity[f.severity]) bySeverity[f.severity].push(f);
+  }
+
+  for (const [sev, sevFindings] of Object.entries(bySeverity)) {
+    if (sevFindings.length === 0) continue;
+    out.push(sectionHeader(sev, sevFindings.length));
+    for (const f of sevFindings) {
+      out.push(finding(f));
+    }
+    out.push('');
+  }
+
+  if (passed.length > 0) {
+    out.push(passedSection(passed));
+    out.push('');
+  }
+
+  out.push(line(HR));
+  out.push('');
+
+  if (findings.length === 0) {
+    out.push(`  ${paint.pass('✓')} ${paint.bold('All checks passed. Your config looks secure.')}`);
+  } else {
+    out.push(`  ${paint.dim('Run')} ${paint.cyan('clawarmor scan')} ${paint.dim('to check installed skills.')}`);
+    out.push(`  ${paint.dim('Continuous monitoring:')} ${paint.cyan('github.com/pinzasai/clawarmor')}`);
+  }
+  out.push('');
+
+  return out.join('\n');
+}
+
+// ─── Scan formatter ──────────────────────────────────────────────────────────
+
+function scanFinding(f) {
+  const icon = paint.fail('✗');
+  const title = paint.bold(f.title);
+  const lines = [``, `    ${icon} ${title}`];
+  lines.push(`      ${paint.dim('File:')} ${paint.white(f.file)}${f.line ? paint.dim(`:${f.line}`) : ''}`);
+  if (f.snippet) {
+    lines.push(`      ${paint.dim('Code:')} ${paint.yellow(f.snippet.slice(0, 120))}`);
+  }
+  if (f.description) {
+    lines.push(`      ${paint.dim(f.description)}`);
+  }
+  return lines.join('\n');
+}
+
+export function formatScanReport({ skillsScanned, findings, scannedAt, skillsDir }) {
+  const out = [];
+
+  out.push('');
+  out.push(box('ClawArmor Skill Scan'));
+  out.push('');
+  out.push(`  ${paint.dim('Directory:')} ${paint.white(skillsDir || 'multiple locations')}`);
+  out.push(`  ${paint.dim('Scanned:')}   ${paint.white(scannedAt)}`);
+  out.push(`  ${paint.dim('Skills:')}    ${paint.white(String(skillsScanned))}`);
+  out.push('');
+
+  if (findings.length === 0) {
+    out.push(line(HR));
+    out.push('');
+    out.push(`  ${paint.pass('✓')} ${paint.bold('No suspicious patterns found in installed skills.')}`);
+    out.push('');
+    out.push(line(HR));
+    out.push('');
+    return out.join('\n');
+  }
+
+  // Group by skill, then severity
+  const bySkill = {};
+  for (const f of findings) {
+    if (!bySkill[f.skill]) bySkill[f.skill] = [];
+    bySkill[f.skill].push(f);
+  }
+
+  for (const [skillName, skillFindings] of Object.entries(bySkill)) {
+    const critCount = skillFindings.filter(f => f.severity === 'CRITICAL').length;
+    const highCount = skillFindings.filter(f => f.severity === 'HIGH').length;
+    const badge = critCount > 0 ? paint.critical(`CRITICAL`) : highCount > 0 ? paint.high('HIGH') : paint.medium('MEDIUM');
+    out.push(line(HR));
+    out.push(`  ${paint.bold(skillName)}  ${badge}`);
+    out.push(line(HR));
+
+    const bySev = { CRITICAL: [], HIGH: [], MEDIUM: [], LOW: [] };
+    for (const f of skillFindings) {
+      if (bySev[f.severity]) bySev[f.severity].push(f);
+    }
+
+    for (const [sev, sevFindings] of Object.entries(bySev)) {
+      if (sevFindings.length === 0) continue;
+      const colorFn = severityColor[sev];
+      out.push(`  ${colorFn(sev)}  ${paint.dim(`(${sevFindings.length})`)}`);
+      for (const f of sevFindings) {
+        out.push(scanFinding(f));
+      }
+      out.push('');
+    }
+  }
+
+  out.push(line(HR));
+  out.push('');
+  out.push(`  ${paint.bold(`${findings.length} suspicious ${findings.length === 1 ? 'pattern' : 'patterns'} found`)} across ${Object.keys(bySkill).length} ${Object.keys(bySkill).length === 1 ? 'skill' : 'skills'}.`);
+  out.push(`  ${paint.dim('Review findings carefully before using these skills.')}`);
+  out.push('');
+
+  return out.join('\n');
+}
+
+export function formatNoSkills(dirs) {
+  const out = [];
+  out.push('');
+  out.push(box('ClawArmor Skill Scan'));
+  out.push('');
+  out.push(`  ${paint.dim('No installed skills found.')}`);
+  out.push('');
+  out.push(`  ${paint.dim('Checked:')}`);
+  for (const d of dirs) {
+    out.push(`    ${paint.dim('•')} ${d}`);
+  }
+  out.push('');
+  out.push(`  ${paint.dim('Install skills via OpenClaw, then run')} ${paint.cyan('clawarmor scan')} ${paint.dim('again.')}`);
+  out.push('');
+  return out.join('\n');
+}

package/lib/output/progress.js

@@ -0,0 +1,27 @@
+import { paint } from './colors.js';
+
+export function progressBar(score, width = 20) {
+  const filled = Math.round((score / 100) * width);
+  return '█'.repeat(filled) + '░'.repeat(width - filled);
+}
+
+export function scoreToGrade(score) {
+  if (score >= 90) return 'A';
+  if (score >= 75) return 'B';
+  if (score >= 60) return 'C';
+  if (score >= 40) return 'D';
+  return 'F';
+}
+
+export function scoreColor(score) {
+  if (score >= 90) return paint.green;
+  if (score >= 75) return paint.pass;
+  if (score >= 60) return paint.yellow;
+  if (score >= 40) return paint.high;
+  return paint.critical;
+}
+
+export function gradeColor(grade) {
+  const map = { A: paint.green, B: paint.pass, C: paint.yellow, D: paint.high, F: paint.critical };
+  return (map[grade] || paint.dim)(grade);
+}