clawarmor 1.2.0 → 2.0.0-alpha.3

package/lib/checks/skill-pinning.js

@@ -0,0 +1,159 @@
+// T-PERSIST-002 — Skill Version Pinning
+// Checks that installed skills have explicit version pins to prevent
+// update poisoning attacks.
+
+import { existsSync, readdirSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { get } from '../config.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const SKILLS_DIR = join(OC_DIR, 'skills');
+
+// A version pin looks like @1.2.3 or @1.2.3-beta.1 (semver)
+const SEMVER_PIN = /^[\^~]?\d+\.\d+\.\d+/;
+// "latest", "next", "*", ranges like ">=1.0.0" are NOT pins
+const FLOATING = /^(latest|next|beta|alpha|\*|>=|>|<|~\d|^\d)/;
+
+function isPinned(version) {
+  if (!version || typeof version !== 'string') return false;
+  if (FLOATING.test(version)) return false;
+  return SEMVER_PIN.test(version);
+}
+
+function collectUnpinnedFromConfig(config) {
+  const unpinned = [];
+
+  // Check skills.managed (array or object of { name, version })
+  const managed = get(config, 'skills.managed', null);
+  if (Array.isArray(managed)) {
+    for (const entry of managed) {
+      if (typeof entry === 'string') {
+        // "skill-name" with no version
+        unpinned.push({ name: entry, source: 'skills.managed', version: null });
+      } else if (entry && typeof entry === 'object') {
+        const name = entry.name || entry.id || JSON.stringify(entry);
+        if (!isPinned(entry.version)) {
+          unpinned.push({ name, source: 'skills.managed', version: entry.version || null });
+        }
+      }
+    }
+  } else if (managed && typeof managed === 'object') {
+    for (const [name, value] of Object.entries(managed)) {
+      const version = typeof value === 'string' ? value : value?.version;
+      if (!isPinned(version)) {
+        unpinned.push({ name, source: 'skills.managed', version: version || null });
+      }
+    }
+  }
+
+  // Check skills.installed
+  const installed = get(config, 'skills.installed', null);
+  if (Array.isArray(installed)) {
+    for (const entry of installed) {
+      if (typeof entry === 'string') {
+        // May be "name@version" or just "name"
+        const atIdx = entry.lastIndexOf('@');
+        if (atIdx > 0) {
+          const version = entry.slice(atIdx + 1);
+          const name = entry.slice(0, atIdx);
+          if (!isPinned(version)) unpinned.push({ name, source: 'skills.installed', version });
+        } else {
+          unpinned.push({ name: entry, source: 'skills.installed', version: null });
+        }
+      } else if (entry && typeof entry === 'object') {
+        const name = entry.name || entry.id || JSON.stringify(entry);
+        if (!isPinned(entry.version)) {
+          unpinned.push({ name, source: 'skills.installed', version: entry.version || null });
+        }
+      }
+    }
+  }
+
+  return unpinned;
+}
+
+function collectUnpinnedFromDisk() {
+  const unpinned = [];
+  if (!existsSync(SKILLS_DIR)) return unpinned;
+
+  let entries;
+  try { entries = readdirSync(SKILLS_DIR, { withFileTypes: true }); }
+  catch { return unpinned; }
+
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    const skillDir = join(SKILLS_DIR, entry.name);
+
+    // Look for a package.json to find version
+    const pkgPath = join(skillDir, 'package.json');
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+        // If installed from a range or "latest", flag it
+        // We check _resolved or _requested for npm install metadata
+        const requested = pkg._requested?.rawSpec || pkg._spec;
+        if (requested && !isPinned(requested)) {
+          unpinned.push({ name: entry.name, source: 'skills/', version: requested });
+          continue;
+        }
+        // If no version at all in package.json
+        if (!pkg.version) {
+          unpinned.push({ name: entry.name, source: 'skills/', version: null });
+        }
+        // If version looks like a range (shouldn't happen for installed, but defensive)
+      } catch { /* skip */ }
+    } else {
+      // Directory exists but no package.json — unpinned / manual install
+      const skillMd = join(skillDir, 'SKILL.md');
+      if (existsSync(skillMd)) {
+        // Check frontmatter for version
+        try {
+          const md = readFileSync(skillMd, 'utf8');
+          const versionMatch = md.match(/^version:\s*(.+)$/m);
+          const version = versionMatch ? versionMatch[1].trim() : null;
+          if (!isPinned(version)) {
+            unpinned.push({ name: entry.name, source: 'skills/', version });
+          }
+        } catch {
+          unpinned.push({ name: entry.name, source: 'skills/', version: null });
+        }
+      }
+    }
+  }
+
+  return unpinned;
+}
+
+export function checkSkillPinning(config) {
+  const fromConfig = collectUnpinnedFromConfig(config);
+  const fromDisk = collectUnpinnedFromDisk();
+
+  // Merge, dedup by name
+  const seen = new Set(fromConfig.map(s => s.name));
+  const all = [...fromConfig];
+  for (const s of fromDisk) {
+    if (!seen.has(s.name)) { all.push(s); seen.add(s.name); }
+  }
+
+  if (!all.length) {
+    return { id: 'persist.skill_pinning', severity: 'MEDIUM', passed: true,
+      passedMsg: 'All installed skills have explicit version pins' };
+  }
+
+  const list = all.map(({ name, version }) =>
+    `• ${name}${version ? ` (version: "${version}" — not pinned)` : ' (no version specified)'}`
+  ).join('\n');
+
+  return {
+    id: 'persist.skill_pinning',
+    severity: 'MEDIUM',
+    passed: false,
+    title: `${all.length} skill${all.length > 1 ? 's' : ''} installed without a version pin`,
+    description: `Skills without a pinned version can silently update to a malicious release.\nAttack (T-PERSIST-002): attacker publishes a new "latest" version of a skill\nyou use — your next gateway start runs the malicious code automatically.\n\n${list}`,
+    fix: `Pin skills to a specific version when installing:\n  openclaw clawhub install <skill>@<version>\n\nExample:\n  openclaw clawhub install weather@1.4.2`,
+  };
+}
+
+export default [checkSkillPinning];

package/lib/checks/token-age.js

@@ -0,0 +1,180 @@
+// T-ACCESS-003 — Token Age Hygiene
+// Checks agent-accounts.json for stale credentials (by date fields only).
+// NEVER logs or prints actual credential values.
+
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const ACCOUNTS_FILE = join(HOME, '.openclaw', 'agent-accounts.json');
+
+const CRED_KEY_PATTERN = /token|key|secret|password|credential/i;
+const DATE_KEY_PATTERN = /creat|updat|generat|issu|born|added|refresh|rotat|expir|since|timestamp|date|time/i;
+
+const WARN_DAYS = 90;
+const HIGH_DAYS = 180;
+const MS_PER_DAY = 86400000;
+
+function parseDate(value) {
+  if (value == null) return null;
+  // Unix timestamp (seconds) — must be between 2015 and 2040
+  if (typeof value === 'number' && value > 1420000000 && value < 2208988800) {
+    return new Date(value * 1000);
+  }
+  if (typeof value === 'string' && value.length >= 8) {
+    const d = new Date(value);
+    if (!isNaN(d.getTime()) && d.getFullYear() >= 2015 && d.getFullYear() <= 2040) {
+      return d;
+    }
+  }
+  return null;
+}
+
+function ageInDays(date) {
+  return Math.floor((Date.now() - date.getTime()) / MS_PER_DAY);
+}
+
+// Walk an object and collect { keyPath, date } for any date-like values
+// that appear alongside credential-like keys.
+function collectDateFields(obj, parentPath = '') {
+  const results = [];
+  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) return results;
+
+  for (const [key, value] of Object.entries(obj)) {
+    const keyPath = parentPath ? `${parentPath}.${key}` : key;
+
+    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+      results.push(...collectDateFields(value, keyPath));
+      continue;
+    }
+
+    if (Array.isArray(value)) {
+      value.forEach((item, i) => {
+        if (typeof item === 'object' && item !== null) {
+          results.push(...collectDateFields(item, `${keyPath}[${i}]`));
+        }
+      });
+      continue;
+    }
+
+    // Only consider date-like values attached to date-named keys
+    // that appear in an object that also has credential-like keys
+    if (DATE_KEY_PATTERN.test(key)) {
+      const date = parseDate(value);
+      if (date) {
+        results.push({ keyPath, date });
+      }
+    }
+  }
+
+  return results;
+}
+
+// Find objects in the tree that contain at least one credential-key
+// and return any date fields within those objects.
+function findCredentialDates(obj, parentPath = '') {
+  const results = [];
+  if (!obj || typeof obj !== 'object') return results;
+
+  if (Array.isArray(obj)) {
+    obj.forEach((item, i) => {
+      results.push(...findCredentialDates(item, `${parentPath}[${i}]`));
+    });
+    return results;
+  }
+
+  const keys = Object.keys(obj);
+  const hasCredKey = keys.some(k => CRED_KEY_PATTERN.test(k));
+
+  if (hasCredKey) {
+    // This object has credential-like keys; look for date fields within it
+    for (const [key, value] of Object.entries(obj)) {
+      const keyPath = parentPath ? `${parentPath}.${key}` : key;
+      if (DATE_KEY_PATTERN.test(key)) {
+        const date = parseDate(value);
+        if (date) results.push({ keyPath, date });
+      }
+    }
+  }
+
+  // Always recurse into child objects
+  for (const [key, value] of Object.entries(obj)) {
+    const keyPath = parentPath ? `${parentPath}.${key}` : key;
+    if (value && typeof value === 'object') {
+      results.push(...findCredentialDates(value, keyPath));
+    }
+  }
+
+  return results;
+}
+
+export function checkTokenAge() {
+  if (!existsSync(ACCOUNTS_FILE)) {
+    return { id: 'access.token_age', severity: 'INFO', passed: true,
+      passedMsg: 'agent-accounts.json not found — token age check skipped' };
+  }
+
+  let accounts;
+  try {
+    accounts = JSON.parse(readFileSync(ACCOUNTS_FILE, 'utf8'));
+  } catch {
+    return { id: 'access.token_age', severity: 'INFO', passed: true,
+      passedMsg: 'agent-accounts.json could not be parsed — token age check skipped' };
+  }
+
+  const dateFields = findCredentialDates(accounts);
+  if (!dateFields.length) {
+    return { id: 'access.token_age', severity: 'INFO', passed: true,
+      passedMsg: 'No date fields found in agent-accounts.json — token age check skipped' };
+  }
+
+  // Deduplicate by keyPath, keep earliest date
+  const byPath = new Map();
+  for (const { keyPath, date } of dateFields) {
+    if (!byPath.has(keyPath) || date < byPath.get(keyPath)) {
+      byPath.set(keyPath, date);
+    }
+  }
+
+  const critical180 = [];
+  const warn90 = [];
+
+  for (const [keyPath, date] of byPath) {
+    const days = ageInDays(date);
+    if (days >= HIGH_DAYS) {
+      critical180.push({ keyPath, days });
+    } else if (days >= WARN_DAYS) {
+      warn90.push({ keyPath, days });
+    }
+  }
+
+  if (critical180.length) {
+    const list = critical180.map(({ keyPath, days }) => `• ${keyPath} (${days} days old)`).join('\n');
+    return {
+      id: 'access.token_age',
+      severity: 'HIGH',
+      passed: false,
+      title: `Credentials older than ${HIGH_DAYS} days detected`,
+      description: `The following credential date fields indicate tokens/keys that have not been\nrotated in over ${HIGH_DAYS} days. Stale credentials increase exposure window if leaked.\n\n${list}`,
+      fix: `Rotate these credentials at their respective service dashboards.\nThen update agent-accounts.json with new values and fresh dates.`,
+    };
+  }
+
+  if (warn90.length) {
+    const list = warn90.map(({ keyPath, days }) => `• ${keyPath} (${days} days old)`).join('\n');
+    return {
+      id: 'access.token_age',
+      severity: 'MEDIUM',
+      passed: false,
+      title: `Credentials older than ${WARN_DAYS} days detected`,
+      description: `The following credential date fields indicate tokens/keys not rotated in\nover ${WARN_DAYS} days. Consider rotating them proactively.\n\n${list}`,
+      fix: `Rotate these credentials at their respective service dashboards.\nThen update agent-accounts.json with new values and fresh dates.`,
+    };
+  }
+
+  return { id: 'access.token_age', severity: 'INFO', passed: true,
+    passedMsg: `All credential date fields are within ${WARN_DAYS} days` };
+}
+
+export default [checkTokenAge];

package/lib/digest.js

@@ -0,0 +1,157 @@
+// clawarmor digest — Weekly security digest + cron job installer.
+// Reads ~/.clawarmor/audit.log for past 7 days and outputs a formatted summary.
+
+import { existsSync, readFileSync, mkdirSync, writeFileSync, renameSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint } from './output/colors.js';
+import { scoreToGrade } from './output/progress.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const AUDIT_LOG = join(CLAWARMOR_DIR, 'audit.log');
+const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
+const CRON_DIR = join(OC_DIR, 'cron');
+const CRON_JOBS_FILE = join(CRON_DIR, 'jobs.json');
+
+// ── Cron installer ────────────────────────────────────────────────────────────
+
+export function installDigestCron() {
+  try {
+    mkdirSync(CRON_DIR, { recursive: true });
+
+    let jobs = [];
+    if (existsSync(CRON_JOBS_FILE)) {
+      try { jobs = JSON.parse(readFileSync(CRON_JOBS_FILE, 'utf8')); }
+      catch { jobs = []; }
+      if (!Array.isArray(jobs)) jobs = [];
+    }
+
+    // Remove existing entry with same ID to avoid duplicates
+    jobs = jobs.filter(j => j.id !== 'clawarmor-weekly-digest');
+
+    jobs.push({
+      id: 'clawarmor-weekly-digest',
+      schedule: '0 9 * * 0',
+      task: 'clawarmor digest',
+      announce: true,
+      deliver: 'main',
+      description: 'ClawArmor weekly security digest — every Sunday at 9am',
+    });
+
+    const tmp = CRON_JOBS_FILE + '.tmp';
+    writeFileSync(tmp, JSON.stringify(jobs, null, 2), 'utf8');
+    renameSync(tmp, CRON_JOBS_FILE);
+    return true;
+  } catch { return false; }
+}
+
+// ── Log parsing ───────────────────────────────────────────────────────────────
+
+function parseLog() {
+  if (!existsSync(AUDIT_LOG)) return [];
+  try {
+    return readFileSync(AUDIT_LOG, 'utf8')
+      .split('\n')
+      .filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(Boolean);
+  } catch { return []; }
+}
+
+function readHistory() {
+  try {
+    if (!existsSync(HISTORY_FILE)) return [];
+    return JSON.parse(readFileSync(HISTORY_FILE, 'utf8')) || [];
+  } catch { return []; }
+}
+
+function formatDateRange(from, to) {
+  const opts = { month: 'short', day: 'numeric' };
+  const f = from.toLocaleDateString('en-US', opts);
+  const t = to.toLocaleDateString('en-US', opts);
+  const year = to.getFullYear();
+  return `${f} – ${t}, ${year}`;
+}
+
+function nextSunday() {
+  const now = new Date();
+  const day = now.getDay();
+  const daysUntil = day === 0 ? 7 : 7 - day;
+  const next = new Date(now);
+  next.setDate(now.getDate() + daysUntil);
+  next.setHours(9, 0, 0, 0);
+  return next.toLocaleDateString('en-US', { weekday: 'long', month: 'long', day: 'numeric' });
+}
+
+// ── Main export ───────────────────────────────────────────────────────────────
+
+export async function runDigest() {
+  const now = new Date();
+  const weekAgo = new Date(now.getTime() - 7 * 86_400_000);
+
+  const allEntries = parseLog();
+  const weekEntries = allEntries.filter(e => new Date(e.ts) >= weekAgo);
+
+  const history = readHistory();
+  const weekAgoHistory = [...history].reverse().find(h => new Date(h.timestamp) < weekAgo);
+
+  // Current score from latest history entry
+  const latestHistory = history[history.length - 1];
+  const currentScore = latestHistory?.score ?? null;
+  const currentGrade = latestHistory?.grade ?? (currentScore != null ? scoreToGrade(currentScore) : null);
+  const prevScore = weekAgoHistory?.score ?? null;
+  const scoreDelta = (currentScore != null && prevScore != null) ? currentScore - prevScore : null;
+
+  // Stats from this week's log entries
+  const auditsRun = weekEntries.filter(e => e.cmd === 'audit').length;
+  const skillsScanned = weekEntries.filter(e => e.cmd === 'scan' || e.cmd === 'prescan').length;
+  const incidents = weekEntries.filter(e =>
+    Array.isArray(e.findings) && e.findings.some(f => f.severity === 'CRITICAL')
+  ).length;
+  const configChanges = weekEntries.filter(e => e.trigger === 'watch').length;
+
+  // Collect still-open findings from latest audit history entry
+  const openFindings = latestHistory?.failedIds ?? [];
+
+  // ── Output ─────────────────────────────────────────────────────────────────
+  const dateRange = formatDateRange(weekAgo, now);
+  const arrowStr = scoreDelta != null
+    ? (scoreDelta > 0 ? `↑+${scoreDelta}` : scoreDelta < 0 ? `↓${scoreDelta}` : '→±0')
+    : '';
+
+  console.log('');
+  console.log(`  🛡 ClawArmor Weekly — ${dateRange}`);
+  console.log('');
+
+  if (currentScore != null) {
+    const scoreStr = `${currentScore}/100 ${currentGrade}`;
+    const deltaStr = arrowStr ? ` ${arrowStr} vs last week` : '';
+    console.log(`  Security posture: ${scoreStr}${deltaStr}`);
+  } else {
+    console.log(`  Security posture: no data — run: clawarmor audit`);
+  }
+
+  console.log(`  Skills installed: ${skillsScanned} scanned this week`);
+  console.log(`  Config changes:   ${configChanges}`);
+  console.log(`  Audits run:       ${auditsRun}`);
+  console.log(`  Incidents:        ${incidents}`);
+
+  if (openFindings.length) {
+    console.log('');
+    console.log(`  Recommendations:`);
+    for (const id of openFindings.slice(0, 5)) {
+      console.log(`    • ${id}`);
+    }
+    if (openFindings.length > 5) {
+      console.log(`    • … and ${openFindings.length - 5} more (run: clawarmor audit)`);
+    }
+  }
+
+  console.log('');
+  console.log(`  Next digest: ${nextSunday()}`);
+  console.log('');
+
+  return 0;
+}