npm - clawarmor - Versions diffs - 2.0.0-alpha.2 → 2.0.0 - Mend

clawarmor 2.0.0-alpha.2 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/protect.js CHANGED Viewed

@@ -18,6 +18,9 @@ const HOOKS_DIR = join(OC_DIR, 'hooks');
 const GUARD_HOOK_DIR = join(HOOKS_DIR, 'clawarmor-guard');
 const CLI_PATH = new URL('../cli.js', import.meta.url).pathname;
+const FISH_FUNCTIONS_DIR = join(HOME, '.config', 'fish', 'functions');
+const FISH_FUNCTION_FILE = join(FISH_FUNCTIONS_DIR, 'openclaw.fish');
 const SHELL_FUNCTION = `
 # ClawArmor intercept — added by: clawarmor protect --install
 # Wraps 'openclaw clawhub install' to scan skills before activation.
@@ -34,6 +37,17 @@ openclaw() {
 const SHELL_MARKER_START = '# ClawArmor intercept — added by: clawarmor protect --install';
 const SHELL_MARKER_END = '# End ClawArmor intercept';
+const FISH_FUNCTION = `# ClawArmor intercept — added by: clawarmor protect --install
+function openclaw
+    if test (count $argv) -ge 3 -a "$argv[1]" = clawhub -a "$argv[2]" = install
+        echo "🛡 ClawArmor: scanning $argv[3] before install..."
+        clawarmor prescan $argv[3]; or begin; echo "❌ Blocked."; return 1; end
+    end
+    command openclaw $argv
+end
+`;
+const FISH_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
 const HOOK_MD = `---
 name: clawarmor-guard
 description: Runs a silent security audit on gateway startup and alerts on regressions
@@ -148,6 +162,39 @@ export default async function handler(event) {
 }
 `;
+// ── Fish shell ────────────────────────────────────────────────────────────────
+function fishConfigExists() {
+  return existsSync(join(HOME, '.config', 'fish', 'config.fish'));
+}
+function fishFunctionPresent() {
+  if (!existsSync(FISH_FUNCTION_FILE)) return false;
+  try {
+    return readFileSync(FISH_FUNCTION_FILE, 'utf8').includes(FISH_MARKER);
+  } catch { return false; }
+}
+function injectFishFunction() {
+  if (!fishConfigExists()) return false;
+  if (fishFunctionPresent()) return true;
+  try {
+    mkdirSync(FISH_FUNCTIONS_DIR, { recursive: true });
+    writeFileSync(FISH_FUNCTION_FILE, FISH_FUNCTION, 'utf8');
+    return true;
+  } catch { return false; }
+}
+function removeFishFunction() {
+  if (!existsSync(FISH_FUNCTION_FILE)) return false;
+  try {
+    const content = readFileSync(FISH_FUNCTION_FILE, 'utf8');
+    if (!content.includes(FISH_MARKER)) return false;
+    rmSync(FISH_FUNCTION_FILE, { force: true });
+    return true;
+  } catch { return false; }
+}
 // ── Install ──────────────────────────────────────────────────────────────────
 function writeHookFiles() {
@@ -222,29 +269,52 @@ export async function runProtect(flags = {}) {
     // 1. Hook files
     writeHookFiles();
-    console.log(`  ✓  Hook files written to: ~/.openclaw/hooks/clawarmor-guard/`);
+    console.log(`  ✓ Gateway hook installed (clawarmor-guard)`);
-    // 2. Shell intercept
+    // 2. Start watch daemon
+    const daemonStarted = startWatchDaemon();
+    let daemonPid = null;
+    if (daemonStarted) {
+      // Read the PID that was written by the daemon
+      try {
+        const pidFile = join(CLAWARMOR_DIR, 'watch.pid');
+        if (existsSync(pidFile)) daemonPid = readFileSync(pidFile, 'utf8').trim();
+      } catch { /* non-fatal */ }
+      const pidStr = daemonPid ? ` (PID ${daemonPid})` : '';
+      console.log(`  ✓ Watch daemon started${pidStr}`);
+    } else {
+      console.log(`  !  Watch daemon could not be started automatically`);
+      console.log(`     Run manually: clawarmor watch --daemon`);
+    }
+    // 3. Shell intercept
     let shellInstalled = false;
+    let shellPath = null;
     if (injectShellFunction(zshrc)) {
-      console.log(`  ✓  Shell intercept added to ~/.zshrc`);
+      shellPath = '~/.zshrc';
       shellInstalled = true;
     }
     if (injectShellFunction(bashrc)) {
-      console.log(`  ✓  Shell intercept added to ~/.bashrc`);
+      shellPath = shellPath ? shellPath + ', ~/.bashrc' : '~/.bashrc';
+      shellInstalled = true;
+    }
+    if (injectFishFunction()) {
+      shellPath = shellPath ? shellPath + ', ~/.config/fish' : '~/.config/fish';
       shellInstalled = true;
     }
-    if (!shellInstalled) {
-      console.log(`  !  No ~/.zshrc or ~/.bashrc found — shell intercept skipped`);
+    if (shellInstalled) {
+      console.log(`  ✓ Shell intercept added (${shellPath})`);
+    } else {
+      console.log(`  !  No ~/.zshrc, ~/.bashrc, or fish config found — shell intercept skipped`);
     }
-    // 3. Start watch daemon
-    const daemonStarted = startWatchDaemon();
-    if (daemonStarted) {
-      console.log(`  ✓  Watch daemon started`);
+    // 4. Weekly digest cron
+    const { installDigestCron } = await import('./digest.js');
+    const cronOk = installDigestCron();
+    if (cronOk) {
+      console.log(`  ✓ Weekly digest scheduled (Sundays 9am)`);
     } else {
-      console.log(`  !  Watch daemon could not be started automatically`);
-      console.log(`     Run manually: clawarmor watch --daemon`);
+      console.log(`  !  Could not write digest cron job`);
     }
     console.log('\n  ClawArmor Protect is now active.\n');
@@ -277,6 +347,10 @@ export async function runProtect(flags = {}) {
       console.log(`  ✓  Shell intercept removed from ~/.bashrc`);
       shellRemoved = true;
     }
+    if (removeFishFunction()) {
+      console.log(`  ✓  Shell intercept removed from ~/.config/fish/functions/openclaw.fish`);
+      shellRemoved = true;
+    }
     if (!shellRemoved) {
       console.log(`  -  No shell intercept found to remove`);
     }
@@ -303,14 +377,15 @@ export async function runProtect(flags = {}) {
     // Shell function
     const inZsh = shellFunctionPresent(zshrc);
     const inBash = shellFunctionPresent(bashrc);
-    if (inZsh || inBash) {
-      const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc'].filter(Boolean).join(', ');
+    const inFish = fishFunctionPresent();
+    if (inZsh || inBash || inFish) {
+      const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc', inFish && '~/.config/fish'].filter(Boolean).join(', ');
       console.log(`  Shell intercept          ✓ active  (${where})`);
     } else {
       console.log(`  Shell intercept          ✗ not installed`);
     }
-    const allActive = hookOk && daemon.running && (inZsh || inBash);
+    const allActive = hookOk && daemon.running && (inZsh || inBash || inFish);
     console.log('');
     if (allActive) {
       console.log(`  Full protection active.`);

package/lib/status.js ADDED Viewed

@@ -0,0 +1,273 @@
+// clawarmor status — One-screen security posture dashboard.
+// Shows: score+grade+trend, last audit, watcher, intercept, log, skills, config, credentials, next digest.
+import { existsSync, readFileSync, readdirSync, statSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint } from './output/colors.js';
+import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
+import { watchDaemonStatus } from './watch.js';
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const LAST_SCORE_FILE = join(CLAWARMOR_DIR, 'last-score.json');
+const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
+const AUDIT_LOG = join(CLAWARMOR_DIR, 'audit.log');
+const ZSHRC = join(HOME, '.zshrc');
+const BASHRC = join(HOME, '.bashrc');
+const FISH_FUNCTION_FILE = join(HOME, '.config', 'fish', 'functions', 'openclaw.fish');
+const SHELL_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
+const CRON_JOBS_FILE = join(OC_DIR, 'cron', 'jobs.json');
+const HOOKS_DIR = join(OC_DIR, 'hooks', 'clawarmor-guard');
+const VERSION = '2.0.0';
+const SEP = paint.dim('─'.repeat(52));
+// ── Helpers ─────────────────────────────────────────────────────────────────
+function readJson(file) {
+  try {
+    if (!existsSync(file)) return null;
+    return JSON.parse(readFileSync(file, 'utf8'));
+  } catch { return null; }
+}
+function timeAgo(isoString) {
+  if (!isoString) return 'never';
+  const ms = Date.now() - new Date(isoString).getTime();
+  const secs = Math.floor(ms / 1000);
+  if (secs < 60) return `${secs}s ago`;
+  const mins = Math.floor(secs / 60);
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+function trendArrow(delta) {
+  if (delta == null) return paint.dim('—');
+  if (delta > 0) return paint.green(`↑+${delta}`);
+  if (delta < 0) return paint.red(`↓${delta}`);
+  return paint.dim('→±0');
+}
+function intercept() {
+  const inZsh = existsSync(ZSHRC) && readFileSync(ZSHRC, 'utf8').includes(SHELL_MARKER);
+  const inBash = existsSync(BASHRC) && readFileSync(BASHRC, 'utf8').includes(SHELL_MARKER);
+  const inFish = existsSync(FISH_FUNCTION_FILE) && readFileSync(FISH_FUNCTION_FILE, 'utf8').includes(SHELL_MARKER);
+  if (inZsh || inBash || inFish) {
+    const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc', inFish && '~/.config/fish'].filter(Boolean).join(', ');
+    return { active: true, where };
+  }
+  return { active: false, where: null };
+}
+function hookFilesExist() {
+  return existsSync(join(HOOKS_DIR, 'HOOK.md')) &&
+         existsSync(join(HOOKS_DIR, 'handler.js'));
+}
+function parseAuditLog() {
+  if (!existsSync(AUDIT_LOG)) return { count: 0, lastEntry: null };
+  try {
+    const lines = readFileSync(AUDIT_LOG, 'utf8')
+      .split('\n')
+      .filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(Boolean);
+    return { count: lines.length, lastEntry: lines[lines.length - 1] || null };
+  } catch { return { count: 0, lastEntry: null }; }
+}
+function countInstalledSkills() {
+  const dirs = [];
+  const userSkillsDir = join(OC_DIR, 'skills');
+  if (existsSync(userSkillsDir)) {
+    try {
+      dirs.push(...readdirSync(userSkillsDir, { withFileTypes: true })
+        .filter(e => e.isDirectory())
+        .map(e => join(userSkillsDir, e.name)));
+    } catch { /* skip */ }
+  }
+  return dirs.length;
+}
+function credentialSummary() {
+  const credFile = join(OC_DIR, 'agent-accounts.json');
+  if (!existsSync(credFile)) return { count: 0, oldestDays: null };
+  try {
+    const data = JSON.parse(readFileSync(credFile, 'utf8'));
+    let tokens = [];
+    if (Array.isArray(data)) tokens = data;
+    else if (data.accounts) tokens = Object.values(data.accounts);
+    else if (typeof data === 'object') tokens = Object.values(data);
+    const count = tokens.length;
+    let oldest = null;
+    for (const tok of tokens) {
+      if (tok && typeof tok === 'object') {
+        const dateStr = tok.createdAt || tok.created_at || tok.timestamp || null;
+        if (dateStr) {
+          const d = new Date(dateStr);
+          if (!isNaN(d) && (!oldest || d < oldest)) oldest = d;
+        }
+      }
+    }
+    const oldestDays = oldest ? Math.floor((Date.now() - oldest.getTime()) / 86_400_000) : null;
+    return { count, oldestDays };
+  } catch { return { count: 0, oldestDays: null }; }
+}
+function configBaselineStatus() {
+  const baselineFile = join(CLAWARMOR_DIR, 'config-baseline.json');
+  if (!existsSync(baselineFile)) return { status: 'unknown' };
+  try {
+    const baseline = JSON.parse(readFileSync(baselineFile, 'utf8'));
+    return { status: 'baseline', at: baseline.at || null };
+  } catch { return { status: 'unknown' }; }
+}
+function nextDigestDate() {
+  const now = new Date();
+  const dayOfWeek = now.getDay();
+  const daysUntilSunday = dayOfWeek === 0 ? 7 : 7 - dayOfWeek;
+  const next = new Date(now);
+  next.setDate(now.getDate() + daysUntilSunday);
+  next.setHours(9, 0, 0, 0);
+  const daysUntil = Math.ceil((next - now) / 86_400_000);
+  return {
+    label: next.toLocaleDateString('en-US', { weekday: 'long', month: 'short', day: 'numeric' }),
+    daysUntil,
+  };
+}
+function digestInstalled() {
+  const jobs = readJson(CRON_JOBS_FILE);
+  if (!Array.isArray(jobs)) return false;
+  return jobs.some(j => j.id === 'clawarmor-weekly-digest');
+}
+// ── Grade color (A+/A=green, B=yellow, C=orange/yellow, D/F=red) ─────────────
+function gradeStatusColor(grade) {
+  if (grade === 'A+' || grade === 'A') return paint.green;
+  if (grade === 'B') return paint.yellow;
+  if (grade === 'C') return paint.yellow; // no orange in ANSI; yellow is closest
+  return paint.red; // D, F
+}
+// ── Main export ───────────────────────────────────────────────────────────────
+export async function runStatus() {
+  console.log('');
+  console.log(`  ${paint.bold('ClawArmor')} ${paint.dim('v' + VERSION)} ${paint.dim('—')} ${paint.bold('Security Status')}`);
+  console.log('');
+  // ── Posture ──────────────────────────────────────────────────────────────
+  const lastScore = readJson(LAST_SCORE_FILE);
+  const history = readJson(HISTORY_FILE) || [];
+  const latestHistoryForPosture = history.length ? history[history.length - 1] : null;
+  let score = lastScore?.score ?? latestHistoryForPosture?.score ?? null;
+  let grade = lastScore?.grade ?? latestHistoryForPosture?.grade ?? null;
+  let scoreTs = lastScore?.timestamp ?? latestHistoryForPosture?.timestamp ?? null;
+  let weekDelta = null;
+  if (history.length >= 2) {
+    const weekAgo = Date.now() - 7 * 86_400_000;
+    const weekEntry = [...history].reverse().find(h => new Date(h.timestamp).getTime() < weekAgo);
+    if (weekEntry && score != null) {
+      weekDelta = score - weekEntry.score;
+    }
+  }
+  if (score != null) {
+    const grade2 = grade || scoreToGrade(score);
+    const colorFn = scoreColor(score);
+    const gradeFn = gradeStatusColor(grade2);
+    const arrow = trendArrow(weekDelta);
+    const weekNote = weekDelta != null ? paint.dim(' vs last week') : '';
+    console.log(`  ${paint.dim('Posture')}       ${gradeFn(grade2)} ${colorFn(score + '/100')}   ${arrow}${weekNote}`);
+  } else {
+    console.log(`  ${paint.dim('Posture')}       ${paint.dim('No audit data — run: clawarmor audit')}`);
+  }
+  // ── Last audit ────────────────────────────────────────────────────────────
+  const { count: logCount, lastEntry } = parseAuditLog();
+  const lastAuditTs = lastEntry?.ts ?? scoreTs ?? null;
+  const trigger = lastEntry?.trigger ?? 'manual';
+  const auditAgo = lastAuditTs ? timeAgo(lastAuditTs) : 'never';
+  console.log(`  ${paint.dim('Last audit')}    ${paint.bold(auditAgo)}  ${paint.dim('(' + trigger + ')')}`);
+  // ── Watcher ───────────────────────────────────────────────────────────────
+  const daemon = watchDaemonStatus();
+  let watchStr;
+  if (daemon.running) {
+    watchStr = `${paint.green('●')} ${paint.bold('running')} ${paint.dim('(PID ' + daemon.pid + ')')}`;
+  } else {
+    watchStr = `${paint.red('○')} ${paint.red('stopped')}  ${paint.dim('→ run: clawarmor watch --daemon')}`;
+  }
+  console.log(`  ${paint.dim('Watcher')}       ${watchStr}`);
+  // ── Shell intercept ───────────────────────────────────────────────────────
+  const icp = intercept();
+  const icpStr = icp.active
+    ? `${paint.green('✓')} ${paint.bold('active')} ${paint.dim('(' + icp.where + ')')}`
+    : `${paint.red('✗')} ${paint.dim('not installed')}`;
+  console.log(`  ${paint.dim('Intercept')}     ${icpStr}`);
+  // ── Audit log ─────────────────────────────────────────────────────────────
+  console.log(`  ${paint.dim('Audit log')}     ${paint.bold(String(logCount))} ${paint.dim('events')}  ${paint.dim('(clawarmor log to view)')}`);
+  console.log('');
+  console.log(SEP);
+  // ── Skills ────────────────────────────────────────────────────────────────
+  const skillCount = countInstalledSkills();
+  console.log(`  ${paint.dim('Skills')}        ${paint.bold(String(skillCount))} ${paint.dim('installed')}  ${paint.dim('(clawarmor scan to check)')}`);
+  // ── Config baseline ───────────────────────────────────────────────────────
+  const baseline = configBaselineStatus();
+  const configStr = baseline.status === 'baseline'
+    ? `${paint.green('Baseline match')} ${paint.green('✓')}`
+    : paint.dim('No baseline yet — run: clawarmor audit');
+  console.log(`  ${paint.dim('Config')}        ${configStr}`);
+  // ── Credentials ───────────────────────────────────────────────────────────
+  const creds = credentialSummary();
+  let credStr = creds.count > 0
+    ? `${paint.bold(String(creds.count))} ${paint.dim('tokens')}`
+    : paint.dim('none found');
+  if (creds.oldestDays != null) {
+    const ageMark = creds.oldestDays > 90 ? paint.yellow('!') : paint.green('✓');
+    credStr += `${paint.dim(', oldest:')} ${creds.oldestDays}d ${ageMark}`;
+  }
+  console.log(`  ${paint.dim('Credentials')}   ${credStr}`);
+  console.log('');
+  console.log(SEP);
+  // ── Next digest ───────────────────────────────────────────────────────────
+  const digestOk = digestInstalled();
+  const nextDigest = nextDigestDate();
+  if (digestOk) {
+    console.log(`  ${paint.dim('Next digest')}   ${paint.bold(nextDigest.label)} ${paint.dim('(' + nextDigest.daysUntil + ' days)')}`);
+  } else {
+    console.log(`  ${paint.dim('Next digest')}   ${paint.dim('not scheduled')}  ${paint.dim('(run: clawarmor protect --install)')}`);
+  }
+  // ── Full protection footer ────────────────────────────────────────────────
+  const hookOk = hookFilesExist();
+  const fullProtection = hookOk && daemon.running && icp.active;
+  console.log('');
+  if (fullProtection) {
+    console.log(`  Full protection: ${paint.green('[✓ YES]')}`);
+  } else {
+    console.log(`  Full protection: ${paint.red('[✗ NO')} ${paint.dim('— run clawarmor protect --install]')}`);
+  }
+  console.log('');
+  return 0;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clawarmor",
-  "version": "2.0.0-alpha.2",
+  "version": "2.0.0",
   "description": "Security armor for OpenClaw agents — audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"