clawmoat 0.4.0 → 0.7.0

package/server/index.js

@@ -6,15 +6,28 @@ const PORT = process.env.PORT || 3000;
 const SITE_URL = process.env.SITE_URL || 'https://clawmoat.com';
 
 const PRICES = {
-  // One-time purchase
-  'pro-skill':     process.env.PRICE_PRO_SKILL     || 'price_1T1avaAUiOw2ZIordarLcoff',
-  // Subscriptions (30-day free trial)
-  'shield-monthly': process.env.PRICE_SHIELD_MONTHLY || 'price_1T1avaAUiOw2ZIorQXuxNyM3',
-  'shield-yearly':  process.env.PRICE_SHIELD_YEARLY  || 'price_1T1avaAUiOw2ZIorAtBLXBOg',
-  'team-monthly':   process.env.PRICE_TEAM_MONTHLY   || 'price_1T1avaAUiOw2ZIorAqeOaahQ',
-  'team-yearly':    process.env.PRICE_TEAM_YEARLY    || 'price_1T1avbAUiOw2ZIorDLUicwin',
+  // Pro subscriptions
+  'shield-monthly': process.env.PRICE_SHIELD_MONTHLY || 'price_1T0an4AUiOw2ZIorxQRyAxvQ',  // $14.99/mo
+  'shield-yearly':  process.env.PRICE_SHIELD_YEARLY  || 'price_1T0an4AUiOw2ZIorfHx7RowT',  // $149/yr
+  // Team subscriptions
+  'team-monthly':   process.env.PRICE_TEAM_MONTHLY   || 'price_1T0aqrAUiOw2ZIorh4gjBPGt',  // $49/mo
+  'team-yearly':    process.env.PRICE_TEAM_YEARLY    || 'price_1T0asRAUiOw2ZIorxAi69uwl',  // $499/yr
 };
 
+// In-memory license store (replace with DB in production)
+const licenses = new Map();
+
+function generateLicenseKey() {
+  const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+  const segments = [];
+  for (let s = 0; s < 4; s++) {
+    let seg = '';
+    for (let i = 0; i < 5; i++) seg += chars[Math.floor(Math.random() * chars.length)];
+    segments.push(seg);
+  }
+  return 'CM-' + segments.join('-');
+}
+
 function cors(res) {
   res.setHeader('Access-Control-Allow-Origin', '*');
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
@@ -57,30 +70,103 @@ const server = http.createServer(async (req, res) => {
     const priceId = PRICES[body.plan];
 
     if (!priceId) {
-      return json(res, 400, { error: 'Invalid plan. Use: pro-monthly, pro-yearly, team-monthly, team-yearly' });
+      return json(res, 400, { error: 'Invalid plan. Use: shield-monthly, shield-yearly, team-monthly, team-yearly' });
     }
 
     try {
-      const mode = body.plan === 'pro-skill' ? 'payment' : 'subscription';
-      const session = await stripe.checkout.sessions.create({
-        mode,
+      const sessionParams = {
+        mode: 'subscription',
         line_items: [{ price: priceId, quantity: 1 }],
         success_url: `${SITE_URL}/thanks.html?session_id={CHECKOUT_SESSION_ID}`,
         cancel_url: `${SITE_URL}/#pricing`,
         allow_promotion_codes: true,
-      });
+        customer_email: body.email || undefined,
+        subscription_data: {
+          trial_period_days: 30,
+          metadata: { plan: body.plan },
+        },
+      };
+      const session = await stripe.checkout.sessions.create(sessionParams);
       return json(res, 200, { url: session.url });
     } catch (err) {
       return json(res, 500, { error: err.message });
     }
   }
 
-  // Stripe webhook (for future use)
+  // Stripe webhook
   if (req.method === 'POST' && req.url === '/api/webhook') {
-    // TODO: handle subscription events
+    const rawBody = await new Promise((resolve) => {
+      let body = '';
+      req.on('data', c => body += c);
+      req.on('end', () => resolve(body));
+    });
+
+    const sig = req.headers['stripe-signature'];
+    const endpointSecret = process.env.STRIPE_WEBHOOK_SECRET;
+
+    let event;
+    if (endpointSecret && sig) {
+      try {
+        event = stripe.webhooks.constructEvent(rawBody, sig, endpointSecret);
+      } catch (err) {
+        console.error('Webhook signature verification failed:', err.message);
+        return json(res, 400, { error: 'Invalid signature' });
+      }
+    } else {
+      try { event = JSON.parse(rawBody); }
+      catch { return json(res, 400, { error: 'Invalid JSON' }); }
+    }
+
+    console.log(`Webhook: ${event.type}`);
+
+    switch (event.type) {
+      case 'checkout.session.completed': {
+        const session = event.data.object;
+        const email = session.customer_email || session.customer_details?.email;
+        const licenseKey = generateLicenseKey();
+        console.log(`New customer: ${email}, license: ${licenseKey}`);
+        // TODO: Store in database, send welcome email with license key
+        // For now, log it — license fulfillment is manual via email
+        licenses.set(licenseKey, {
+          email,
+          customerId: session.customer,
+          subscriptionId: session.subscription,
+          plan: session.metadata?.plan || 'unknown',
+          createdAt: new Date().toISOString(),
+          active: true,
+        });
+        break;
+      }
+      case 'customer.subscription.deleted':
+      case 'customer.subscription.updated': {
+        const sub = event.data.object;
+        // Deactivate license if subscription cancelled
+        for (const [key, lic] of licenses.entries()) {
+          if (lic.subscriptionId === sub.id) {
+            lic.active = sub.status === 'active' || sub.status === 'trialing';
+            console.log(`License ${key}: active=${lic.active} (status=${sub.status})`);
+          }
+        }
+        break;
+      }
+    }
+
     return json(res, 200, { received: true });
   }
 
+  // License validation endpoint (called by CLI)
+  if (req.method === 'POST' && req.url === '/api/validate') {
+    const body = await readBody(req);
+    const key = body.key;
+    if (!key) return json(res, 400, { error: 'Missing key' });
+
+    const lic = licenses.get(key);
+    if (!lic || !lic.active) {
+      return json(res, 200, { valid: false });
+    }
+    return json(res, 200, { valid: true, plan: lic.plan, email: lic.email });
+  }
+
   json(res, 404, { error: 'Not found' });
 });
 

package/src/guardian/alerts.js

@@ -0,0 +1,138 @@
+/**
+ * ClawMoat Alert Delivery System
+ * 
+ * Unified alerting with console, file, and webhook delivery.
+ * Rate-limited to avoid alert storms.
+ * 
+ * @module clawmoat/guardian/alerts
+ */
+
+const fs = require('fs');
+const path = require('path');
+const http = require('http');
+const https = require('https');
+
+const SEVERITY_RANK = { info: 0, warning: 1, critical: 2 };
+
+class AlertManager {
+  /**
+   * @param {Object} opts
+   * @param {string[]} [opts.channels] - ['console', 'file', 'webhook']
+   * @param {string} [opts.logFile] - Path for file channel (default: audit.log)
+   * @param {string} [opts.webhookUrl] - URL for webhook channel
+   * @param {number} [opts.rateLimitMs] - Min ms between duplicate alerts (default: 300000 = 5 min)
+   * @param {boolean} [opts.quiet] - Suppress console output
+   */
+  constructor(opts = {}) {
+    this.channels = opts.channels || ['console'];
+    this.logFile = opts.logFile || 'audit.log';
+    this.webhookUrl = opts.webhookUrl || null;
+    this.rateLimitMs = opts.rateLimitMs ?? 300000;
+    this.quiet = opts.quiet || false;
+    this._recentAlerts = new Map(); // key -> timestamp
+    this._alertCount = 0;
+  }
+
+  /**
+   * Send an alert through configured channels.
+   * @param {Object} alert
+   * @param {string} alert.severity - 'info' | 'warning' | 'critical'
+   * @param {string} alert.type - Alert category
+   * @param {string} alert.message - Human-readable message
+   * @param {Object} [alert.details] - Additional data
+   * @returns {{ delivered: boolean, rateLimited: boolean }}
+   */
+  send(alert) {
+    const key = `${alert.type}:${alert.message}`;
+    const now = Date.now();
+    const lastSent = this._recentAlerts.get(key);
+
+    if (lastSent && (now - lastSent) < this.rateLimitMs) {
+      return { delivered: false, rateLimited: true };
+    }
+
+    this._recentAlerts.set(key, now);
+    this._alertCount++;
+
+    // Prune old entries periodically
+    if (this._recentAlerts.size > 1000) {
+      for (const [k, ts] of this._recentAlerts) {
+        if (now - ts > this.rateLimitMs) this._recentAlerts.delete(k);
+      }
+    }
+
+    const entry = {
+      timestamp: new Date().toISOString(),
+      severity: alert.severity || 'info',
+      type: alert.type || 'unknown',
+      message: alert.message || '',
+      details: alert.details || null,
+    };
+
+    for (const channel of this.channels) {
+      switch (channel) {
+        case 'console':
+          this._deliverConsole(entry);
+          break;
+        case 'file':
+          this._deliverFile(entry);
+          break;
+        case 'webhook':
+          this._deliverWebhook(entry);
+          break;
+      }
+    }
+
+    return { delivered: true, rateLimited: false };
+  }
+
+  _deliverConsole(entry) {
+    if (this.quiet) return;
+    const colors = { info: '\x1b[36m', warning: '\x1b[33m', critical: '\x1b[31m' };
+    const icons = { info: 'ℹ️', warning: '⚠️', critical: '🚨' };
+    const c = colors[entry.severity] || '';
+    const icon = icons[entry.severity] || '•';
+    console.error(
+      `${icon} ${c}[${entry.severity.toUpperCase()}]\x1b[0m ${entry.type}: ${entry.message}`
+    );
+  }
+
+  _deliverFile(entry) {
+    try {
+      const dir = path.dirname(this.logFile);
+      if (dir !== '.' && !fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      fs.appendFileSync(this.logFile, JSON.stringify(entry) + '\n');
+    } catch {}
+  }
+
+  _deliverWebhook(entry) {
+    if (!this.webhookUrl) return;
+    try {
+      const url = new URL(this.webhookUrl);
+      const transport = url.protocol === 'https:' ? https : http;
+      const body = JSON.stringify(entry);
+      const req = transport.request({
+        hostname: url.hostname,
+        port: url.port,
+        path: url.pathname + url.search,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
+      });
+      req.on('error', () => {});
+      req.write(body);
+      req.end();
+    } catch {}
+  }
+
+  /** Get total alerts sent. */
+  get count() {
+    return this._alertCount;
+  }
+
+  /** Clear rate limit cache. */
+  clearRateLimit() {
+    this._recentAlerts.clear();
+  }
+}
+
+module.exports = { AlertManager, SEVERITY_RANK };

package/src/guardian/cve-verify.js

@@ -0,0 +1,129 @@
+/**
+ * CVE Verifier — validates CVE IDs against GitHub Advisory Database
+ * No external dependencies; uses Node.js built-in https module.
+ */
+
+const https = require('https');
+
+class CVEVerifier {
+  /**
+   * @param {object} [opts]
+   * @param {string} [opts.githubToken] - Optional GitHub PAT for higher rate limits
+   */
+  constructor(opts = {}) {
+    this.githubToken = opts.githubToken || process.env.GITHUB_TOKEN || null;
+  }
+
+  /**
+   * Validate CVE ID format
+   * @param {string} cveId
+   * @returns {boolean}
+   */
+  static isValidCVEFormat(cveId) {
+    return /^CVE-\d{4}-\d{4,}$/.test(cveId);
+  }
+
+  /**
+   * Fetch advisory data from GitHub Advisory Database API
+   * @param {string} cveId  e.g. "CVE-2026-26960"
+   * @returns {Promise<object>} { valid, severity, summary, publishedAt, references, affectedPackages, raw }
+   */
+  async lookup(cveId) {
+    if (!CVEVerifier.isValidCVEFormat(cveId)) {
+      return { valid: false, error: `Invalid CVE format: ${cveId}` };
+    }
+
+    const url = `https://api.github.com/advisories?cve_id=${encodeURIComponent(cveId)}`;
+    let data;
+    try {
+      data = await this._fetch(url);
+    } catch (err) {
+      return { valid: false, error: `API request failed: ${err.message}` };
+    }
+
+    if (!Array.isArray(data) || data.length === 0) {
+      return { valid: false, cveId, severity: null, summary: null, publishedAt: null, references: [], affectedPackages: [] };
+    }
+
+    const advisory = data[0];
+    return {
+      valid: true,
+      cveId,
+      severity: advisory.severity || null,
+      summary: advisory.summary || null,
+      publishedAt: advisory.published_at || null,
+      references: (advisory.references || []).map(r => (typeof r === 'string' ? r : r.url)).filter(Boolean),
+      affectedPackages: (advisory.vulnerabilities || []).map(v => ({
+        ecosystem: v.package?.ecosystem || null,
+        name: v.package?.name || null,
+        vulnerableRange: v.vulnerable_version_range || null,
+      })),
+      ghsaId: advisory.ghsa_id || null,
+      htmlUrl: advisory.html_url || null,
+      raw: advisory,
+    };
+  }
+
+  /**
+   * Check whether a URL is a legitimate GitHub advisory link
+   * @param {string} url
+   * @returns {{ legitimate: boolean, reason: string }}
+   */
+  static checkAdvisoryUrl(url) {
+    try {
+      const parsed = new URL(url);
+      const isGitHub = parsed.hostname === 'github.com' && parsed.pathname.startsWith('/advisories/');
+      if (isGitHub) {
+        return { legitimate: true, reason: 'URL points to official GitHub Advisory Database' };
+      }
+      return { legitimate: false, reason: `Domain "${parsed.hostname}" is not github.com/advisories` };
+    } catch {
+      return { legitimate: false, reason: 'Invalid URL' };
+    }
+  }
+
+  /**
+   * Verify a CVE + optional suspicious URL together
+   * @param {string} cveId
+   * @param {string} [suspiciousUrl]
+   * @returns {Promise<object>}
+   */
+  async verify(cveId, suspiciousUrl) {
+    const result = await this.lookup(cveId);
+    if (suspiciousUrl) {
+      result.urlCheck = CVEVerifier.checkAdvisoryUrl(suspiciousUrl);
+    }
+    return result;
+  }
+
+  /** @private */
+  _fetch(url) {
+    return new Promise((resolve, reject) => {
+      const headers = {
+        'User-Agent': 'ClawMoat-CVE-Verifier',
+        'Accept': 'application/vnd.github+json',
+      };
+      if (this.githubToken) {
+        headers['Authorization'] = `Bearer ${this.githubToken}`;
+      }
+
+      https.get(url, { headers }, (res) => {
+        let body = '';
+        res.on('data', chunk => body += chunk);
+        res.on('end', () => {
+          if (res.statusCode !== 200) {
+            return reject(new Error(`HTTP ${res.statusCode}: ${body.slice(0, 200)}`));
+          }
+          try {
+            resolve(JSON.parse(body));
+          } catch (e) {
+            reject(new Error(`JSON parse error: ${e.message}`));
+          }
+        });
+        res.on('error', reject);
+      }).on('error', reject);
+    });
+  }
+}
+
+module.exports = { CVEVerifier };

package/src/guardian/index.js

@@ -22,8 +22,10 @@
  * const log = guardian.audit();
  */
 
+const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const { SecurityLogger } = require('../utils/logger');
 
 // ─── Permission Tiers ───────────────────────────────────────────────
@@ -539,4 +541,148 @@ class HostGuardian {
   }
 }
 
-module.exports = { HostGuardian, TIERS, FORBIDDEN_ZONES, DANGEROUS_COMMANDS, SAFE_COMMANDS };
+// ─── Credential Monitor ─────────────────────────────────────────
+
+class CredentialMonitor {
+  /**
+   * Watch ~/.openclaw/credentials/ for file access and modifications.
+   * @param {Object} opts
+   * @param {string} [opts.credDir] - Credentials directory path
+   * @param {Function} [opts.onAlert] - Alert callback
+   * @param {boolean} [opts.quiet] - Suppress console output
+   */
+  constructor(opts = {}) {
+    this.credDir = opts.credDir || path.join(os.homedir(), '.openclaw', 'credentials');
+    this.onAlert = opts.onAlert || null;
+    this.quiet = opts.quiet || false;
+    this.watcher = null;
+    this.fileHashes = {};
+  }
+
+  /**
+   * Hash all credential files and start watching.
+   * @returns {{ files: number, watching: boolean }}
+   */
+  start() {
+    // Initial hash of all credential files
+    this._hashAllFiles();
+
+    if (!fs.existsSync(this.credDir)) {
+      return { files: 0, watching: false };
+    }
+
+    this.watcher = fs.watch(this.credDir, (eventType, filename) => {
+      if (!filename) return;
+      const filePath = path.join(this.credDir, filename);
+
+      if (eventType === 'change') {
+        const oldHash = this.fileHashes[filename];
+        const newHash = this._hashFile(filePath);
+
+        if (oldHash && newHash && oldHash !== newHash) {
+          this._alert({
+            severity: 'critical',
+            type: 'credential_modified',
+            message: `Credential file modified: ${filename}`,
+            details: { file: filename, oldHash, newHash },
+          });
+          this.fileHashes[filename] = newHash;
+        } else if (!oldHash && newHash) {
+          this._alert({
+            severity: 'warning',
+            type: 'credential_accessed',
+            message: `Credential file accessed: ${filename}`,
+            details: { file: filename },
+          });
+          this.fileHashes[filename] = newHash;
+        }
+      }
+
+      if (eventType === 'rename') {
+        if (fs.existsSync(filePath)) {
+          // File created
+          const hash = this._hashFile(filePath);
+          this._alert({
+            severity: 'warning',
+            type: 'credential_created',
+            message: `New credential file: ${filename}`,
+            details: { file: filename, hash },
+          });
+          this.fileHashes[filename] = hash;
+        } else {
+          // File deleted
+          this._alert({
+            severity: 'critical',
+            type: 'credential_deleted',
+            message: `Credential file deleted: ${filename}`,
+            details: { file: filename },
+          });
+          delete this.fileHashes[filename];
+        }
+      }
+    });
+
+    return { files: Object.keys(this.fileHashes).length, watching: true };
+  }
+
+  stop() {
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = null;
+    }
+  }
+
+  /** Verify credential file integrity against stored hashes. */
+  verify() {
+    const results = { ok: true, changed: [], missing: [] };
+    for (const [filename, storedHash] of Object.entries(this.fileHashes)) {
+      const filePath = path.join(this.credDir, filename);
+      const currentHash = this._hashFile(filePath);
+      if (!currentHash) {
+        results.missing.push(filename);
+        results.ok = false;
+      } else if (currentHash !== storedHash) {
+        results.changed.push(filename);
+        results.ok = false;
+      }
+    }
+    return results;
+  }
+
+  /** Get current file hashes. */
+  getHashes() {
+    return { ...this.fileHashes };
+  }
+
+  _hashAllFiles() {
+    if (!fs.existsSync(this.credDir)) return;
+    try {
+      const files = fs.readdirSync(this.credDir);
+      for (const f of files) {
+        const hash = this._hashFile(path.join(this.credDir, f));
+        if (hash) this.fileHashes[f] = hash;
+      }
+    } catch {}
+  }
+
+  _hashFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath);
+      return crypto.createHash('sha256').update(content).digest('hex');
+    } catch {
+      return null;
+    }
+  }
+
+  _alert(alert) {
+    if (!this.quiet) {
+      const icons = { info: 'ℹ️', warning: '⚠️', critical: '🚨' };
+      console.error(`${icons[alert.severity] || '•'} [CredentialMonitor] ${alert.message}`);
+    }
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+const { CVEVerifier } = require('./cve-verify');
+
+module.exports = { HostGuardian, CredentialMonitor, CVEVerifier, TIERS, FORBIDDEN_ZONES, DANGEROUS_COMMANDS, SAFE_COMMANDS };