clawsecure 1.0.0

package/src/component-scanner.js

@@ -0,0 +1,238 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const logger = require('./logger');
+
+/**
+ * SHA-256 hash a single file.
+ * @param {string} filePath Absolute path
+ * @returns {string|null} Hex hash string, or null if file unreadable
+ */
+function hashFile(filePath) {
+  try {
+    const content = fs.readFileSync(filePath);
+    return crypto.createHash('sha256').update(content).digest('hex');
+  } catch (err) {
+    logger.debug(`Cannot hash file ${filePath}: ${err.message}`);
+    return null;
+  }
+}
+
+/**
+ * Hash all files in a directory (non-recursive, top-level files only).
+ * Returns a combined hash representing the directory state.
+ * @param {string} dir Absolute directory path
+ * @returns {{ files: Map<string, string>, combined: string|null }}
+ */
+function hashDirectory(dir) {
+  const fileHashes = new Map();
+
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isFile()) continue;
+      if (entry.name.startsWith('.')) continue;
+      const fullPath = path.join(dir, entry.name);
+      const hash = hashFile(fullPath);
+      if (hash) {
+        fileHashes.set(fullPath, hash);
+      }
+    }
+  } catch (err) {
+    logger.debug(`Cannot read directory ${dir}: ${err.message}`);
+    return { files: fileHashes, combined: null };
+  }
+
+  // Combined hash from sorted file hashes
+  if (fileHashes.size === 0) return { files: fileHashes, combined: null };
+
+  const sorted = Array.from(fileHashes.entries()).sort((a, b) => a[0].localeCompare(b[0]));
+  const combinedInput = sorted.map(([p, h]) => `${p}:${h}`).join('\n');
+  const combined = crypto.createHash('sha256').update(combinedInput).digest('hex');
+
+  return { files: fileHashes, combined };
+}
+
+/**
+ * Extract name and description from SKILL.md YAML frontmatter.
+ * Uses simple regex to avoid a heavy YAML dependency.
+ * @param {string} filePath Path to SKILL.md
+ * @returns {{ name: string, description: string }|null}
+ */
+function extractSkillFrontmatter(filePath) {
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const match = content.match(/^---\s*\n([\s\S]*?)\n---/);
+    if (!match) return null;
+
+    const frontmatter = match[1];
+    const name = extractYamlField(frontmatter, 'name');
+    const description = extractYamlField(frontmatter, 'description');
+
+    return {
+      name: name || path.basename(path.dirname(filePath)),
+      description: description || ''
+    };
+  } catch (err) {
+    logger.debug(`Cannot read frontmatter from ${filePath}: ${err.message}`);
+    return null;
+  }
+}
+
+/**
+ * Extract a simple scalar YAML field value.
+ * Handles: `key: value` and `key: "quoted value"`
+ * @param {string} yaml Raw YAML string
+ * @param {string} field Field name
+ * @returns {string|null}
+ */
+function extractYamlField(yaml, field) {
+  const regex = new RegExp(`^${field}:\\s*["']?(.+?)["']?\\s*$`, 'm');
+  const match = yaml.match(regex);
+  return match ? match[1].trim() : null;
+}
+
+/**
+ * Scan a single skill directory for SKILL.md and all component files.
+ * @param {string} dir Absolute path to a skill directory
+ * @returns {Array<object>} Discovered skill components
+ */
+function scanSkillDirectory(dir) {
+  const skills = [];
+
+  if (!fs.existsSync(dir)) {
+    logger.debug(`Skill directory does not exist: ${dir}`);
+    return skills;
+  }
+
+  let entries;
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch (err) {
+    logger.debug(`Cannot read skill directory ${dir}: ${err.message}`);
+    return skills;
+  }
+
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (entry.name.startsWith('.')) continue;
+
+    const skillDir = path.join(dir, entry.name);
+    const skillMdPath = path.join(skillDir, 'SKILL.md');
+
+    // A valid skill has a SKILL.md file
+    if (!fs.existsSync(skillMdPath)) {
+      logger.debug(`No SKILL.md in ${skillDir}, skipping`);
+      continue;
+    }
+
+    const frontmatter = extractSkillFrontmatter(skillMdPath);
+    const dirHash = hashDirectory(skillDir);
+
+    skills.push({
+      name: frontmatter ? frontmatter.name : entry.name,
+      type: 'skill',
+      source: 'local',
+      enabled: true,
+      path: skillDir,
+      description: frontmatter ? frontmatter.description : '',
+      hash: dirHash.combined,
+      fileHashes: dirHash.files
+    });
+  }
+
+  return skills;
+}
+
+/**
+ * Run a full disk scan across all skill directories.
+ * Merges config-based inventory with on-disk discovery.
+ *
+ * @param {object} configInventory From config-parser.extractComponents()
+ * @param {string[]} skillDirs From config-parser.extractSkillDirs()
+ * @returns {{ components: Array<object>, snapshot: Map<string, string> }}
+ */
+function scanAll(configInventory, skillDirs) {
+  const components = [];
+  const snapshot = new Map();
+
+  // 1. Scan skill directories on disk
+  for (const dir of skillDirs) {
+    const discovered = scanSkillDirectory(dir);
+    for (const skill of discovered) {
+      components.push(skill);
+      // Add all file hashes to snapshot
+      if (skill.fileHashes) {
+        for (const [filePath, hash] of skill.fileHashes) {
+          snapshot.set(filePath, hash);
+        }
+      }
+    }
+  }
+
+  // 2. Add config-based components (MCP servers, CLI tools, agents, plugins, repos)
+  // These don't have on-disk files to hash (they're config references)
+  for (const type of ['mcpServers', 'cliTools', 'agents', 'plugins', 'repos']) {
+    if (configInventory[type]) {
+      for (const item of configInventory[type]) {
+        components.push(Object.assign({}, item, { hash: null, fileHashes: null }));
+      }
+    }
+  }
+
+  // 3. Hash the openclaw.json config file itself
+  const configDir = require('./config-parser').getOpenClawDir();
+  const configFilePath = path.join(configDir, 'openclaw.json');
+  const configHash = hashFile(configFilePath);
+  if (configHash) {
+    snapshot.set(configFilePath, configHash);
+  }
+
+  logger.info(
+    `Scan complete: ${components.length} components, ${snapshot.size} files hashed`
+  );
+
+  return { components, snapshot };
+}
+
+/**
+ * Compute the delta between two snapshots.
+ * @param {Map<string, string>} previous Previous file hash snapshot
+ * @param {Map<string, string>} current Current file hash snapshot
+ * @returns {{ added: string[], changed: string[], removed: string[] }}
+ */
+function computeDelta(previous, current) {
+  const added = [];
+  const changed = [];
+  const removed = [];
+
+  // Files in current but not previous = added
+  // Files in both but hash differs = changed
+  for (const [filePath, hash] of current) {
+    if (!previous.has(filePath)) {
+      added.push(filePath);
+    } else if (previous.get(filePath) !== hash) {
+      changed.push(filePath);
+    }
+  }
+
+  // Files in previous but not current = removed
+  for (const filePath of previous.keys()) {
+    if (!current.has(filePath)) {
+      removed.push(filePath);
+    }
+  }
+
+  return { added, changed, removed };
+}
+
+module.exports = {
+  hashFile,
+  hashDirectory,
+  extractSkillFrontmatter,
+  scanSkillDirectory,
+  scanAll,
+  computeDelta
+};

package/src/config-parser.js

@@ -0,0 +1,352 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const JSON5 = require('json5');
+const logger = require('./logger');
+
+const DEFAULT_CONFIG_DIR = path.join(os.homedir(), '.openclaw');
+const DEFAULT_CONFIG_FILE = 'openclaw.json';
+
+/**
+ * Resolve the path to openclaw.json.
+ * Priority: OPENCLAW_CONFIG_PATH env > --profile flag > default ~/.openclaw/openclaw.json
+ * @param {{ profile?: string | null }} opts
+ * @returns {string} Absolute path to config file
+ */
+function findConfigPath(opts) {
+  // 1. Environment variable override
+  const envPath = process.env.OPENCLAW_CONFIG_PATH;
+  if (envPath) {
+    logger.debug(`Config path from OPENCLAW_CONFIG_PATH: ${envPath}`);
+    return path.resolve(envPath);
+  }
+
+  // 2. Profile flag (uses ~/.openclaw/profiles/<name>/openclaw.json)
+  if (opts && opts.profile) {
+    const profilePath = path.join(DEFAULT_CONFIG_DIR, 'profiles', opts.profile, DEFAULT_CONFIG_FILE);
+    logger.debug(`Config path from --profile "${opts.profile}": ${profilePath}`);
+    return profilePath;
+  }
+
+  // 3. Default
+  const defaultPath = path.join(DEFAULT_CONFIG_DIR, DEFAULT_CONFIG_FILE);
+  logger.debug(`Config path (default): ${defaultPath}`);
+  return defaultPath;
+}
+
+/**
+ * Read and parse the openclaw.json file (JSON5 format).
+ * @param {string} filePath Absolute path to config file
+ * @returns {object} Parsed config object
+ * @throws {Error} If file not found or JSON5 parse fails
+ */
+function parseConfig(filePath) {
+  if (!fs.existsSync(filePath)) {
+    throw new Error(
+      `OpenClaw config not found at ${filePath}. ` +
+      `Make sure OpenClaw is installed and configured. ` +
+      `You can set a custom path with the OPENCLAW_CONFIG_PATH environment variable.`
+    );
+  }
+
+  let raw;
+  try {
+    raw = fs.readFileSync(filePath, 'utf-8');
+  } catch (err) {
+    throw new Error(`Cannot read config file at ${filePath}: ${err.message}`);
+  }
+
+  try {
+    return JSON5.parse(raw);
+  } catch (err) {
+    throw new Error(`Invalid JSON5 in ${filePath}: ${err.message}`);
+  }
+}
+
+/**
+ * Extract all components from parsed config into a normalized inventory.
+ * Returns arrays of { name, source, type, enabled } objects.
+ * @param {object} config Parsed openclaw.json
+ * @returns {object} Component inventory
+ */
+function extractComponents(config) {
+  const inventory = {
+    skills: extractSkills(config),
+    mcpServers: extractMcpServers(config),
+    cliTools: extractCliTools(config),
+    agents: extractAgents(config),
+    plugins: extractPlugins(config),
+    repos: extractRepos(config)
+  };
+
+  return inventory;
+}
+
+/**
+ * Extract skill entries from config.
+ * Skills can be in config.skills (managed), config.skills.load.extraDirs, etc.
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractSkills(config) {
+  const skills = [];
+
+  // Skills listed directly in config
+  if (config.skills && typeof config.skills === 'object') {
+    // skills can be an array or an object with named entries
+    if (Array.isArray(config.skills)) {
+      for (const skill of config.skills) {
+        skills.push(normalizeComponent(skill, 'skill'));
+      }
+    } else {
+      // Object format: { "skill-name": { ... } }
+      for (const [name, value] of Object.entries(config.skills)) {
+        if (name === 'load') continue; // skip the load config block
+        const entry = typeof value === 'object' && value !== null ? value : {};
+        skills.push(normalizeComponent({ name, ...entry }, 'skill'));
+      }
+    }
+  }
+
+  return skills;
+}
+
+/**
+ * Extract MCP server configurations.
+ * Looks in config.mcpServers or config.mcp.servers (per-agent or global).
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractMcpServers(config) {
+  const servers = [];
+
+  // Global mcpServers
+  const globalServers = config.mcpServers || (config.mcp && config.mcp.servers) || {};
+  if (typeof globalServers === 'object' && !Array.isArray(globalServers)) {
+    for (const [name, value] of Object.entries(globalServers)) {
+      const entry = typeof value === 'object' && value !== null ? value : {};
+      servers.push({
+        name,
+        type: 'mcp_server',
+        source: entry.command || entry.url || 'unknown',
+        enabled: entry.disabled !== true,
+        serverType: classifyMcpServerType(entry),
+        accessScope: entry.command || ''
+      });
+    }
+  }
+
+  // Per-agent MCP servers
+  if (config.agents && typeof config.agents === 'object') {
+    for (const [agentName, agentConfig] of Object.entries(config.agents)) {
+      const agentServers = agentConfig.mcpServers || (agentConfig.mcp && agentConfig.mcp.servers) || {};
+      if (typeof agentServers === 'object' && !Array.isArray(agentServers)) {
+        for (const [name, value] of Object.entries(agentServers)) {
+          const entry = typeof value === 'object' && value !== null ? value : {};
+          // Only add if not already in global list
+          if (!servers.find((s) => s.name === name)) {
+            servers.push({
+              name,
+              type: 'mcp_server',
+              source: entry.command || entry.url || 'unknown',
+              enabled: entry.disabled !== true,
+              serverType: classifyMcpServerType(entry),
+              accessScope: entry.command || '',
+              agent: agentName
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return servers;
+}
+
+/**
+ * Classify MCP server type based on config.
+ * @param {object} entry MCP server config entry
+ * @returns {string} npx | docker | sse | stdio | unknown
+ */
+function classifyMcpServerType(entry) {
+  if (!entry || !entry.command) return 'unknown';
+  const cmd = String(entry.command);
+  if (cmd.includes('npx') || cmd.includes('npm')) return 'npx';
+  if (cmd.includes('docker')) return 'docker';
+  if (entry.url) return 'sse';
+  return 'stdio';
+}
+
+/**
+ * Extract CLI tool references from config.
+ * Looks in config.tools and skill metadata for required bins.
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractCliTools(config) {
+  const tools = [];
+
+  if (config.tools && typeof config.tools === 'object') {
+    for (const [name, value] of Object.entries(config.tools)) {
+      const entry = typeof value === 'object' && value !== null ? value : {};
+      tools.push(normalizeComponent({ name, ...entry }, 'cli_tool'));
+    }
+  }
+
+  return tools;
+}
+
+/**
+ * Extract agent configurations.
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractAgents(config) {
+  const agents = [];
+
+  if (config.agents && typeof config.agents === 'object') {
+    for (const [name, value] of Object.entries(config.agents)) {
+      const entry = typeof value === 'object' && value !== null ? value : {};
+      agents.push({
+        name,
+        type: 'agent',
+        source: 'local',
+        enabled: entry.disabled !== true
+      });
+    }
+  }
+
+  return agents;
+}
+
+/**
+ * Extract plugin entries from config.
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractPlugins(config) {
+  const plugins = [];
+
+  if (config.plugins && typeof config.plugins === 'object') {
+    const items = Array.isArray(config.plugins) ? config.plugins : Object.entries(config.plugins);
+    for (const item of items) {
+      if (Array.isArray(item)) {
+        const [name, value] = item;
+        const entry = typeof value === 'object' && value !== null ? value : {};
+        plugins.push(normalizeComponent({ name, ...entry }, 'plugin'));
+      } else if (typeof item === 'object') {
+        plugins.push(normalizeComponent(item, 'plugin'));
+      }
+    }
+  }
+
+  return plugins;
+}
+
+/**
+ * Extract repo references from config.
+ * @param {object} config
+ * @returns {Array<object>}
+ */
+function extractRepos(config) {
+  const repos = [];
+
+  if (config.repos && typeof config.repos === 'object') {
+    const items = Array.isArray(config.repos) ? config.repos : Object.entries(config.repos);
+    for (const item of items) {
+      if (Array.isArray(item)) {
+        const [name, value] = item;
+        const entry = typeof value === 'object' && value !== null ? value : {};
+        repos.push(normalizeComponent({ name, ...entry }, 'repo'));
+      } else if (typeof item === 'string') {
+        repos.push({ name: item, type: 'repo', source: item, enabled: true });
+      } else if (typeof item === 'object') {
+        repos.push(normalizeComponent(item, 'repo'));
+      }
+    }
+  }
+
+  return repos;
+}
+
+/**
+ * Normalize a component entry to a standard shape.
+ * @param {object} entry Raw config entry
+ * @param {string} type Component type
+ * @returns {{ name: string, type: string, source: string, enabled: boolean }}
+ */
+function normalizeComponent(entry, type) {
+  return {
+    name: entry.name || entry.id || 'unnamed',
+    type,
+    source: entry.source || entry.url || entry.repo || entry.package || 'local',
+    enabled: entry.disabled !== true && entry.enabled !== false
+  };
+}
+
+/**
+ * Get all directories that should be watched for skill files.
+ * @param {object} config Parsed openclaw.json
+ * @returns {string[]} Array of absolute directory paths
+ */
+function extractSkillDirs(config) {
+  const dirs = [];
+
+  // Default shared skills directory
+  const defaultSkillsDir = path.join(DEFAULT_CONFIG_DIR, 'skills');
+  dirs.push(defaultSkillsDir);
+
+  // Extra skill directories from config
+  if (config.skills && config.skills.load && Array.isArray(config.skills.load.extraDirs)) {
+    for (const dir of config.skills.load.extraDirs) {
+      dirs.push(path.resolve(dir));
+    }
+  }
+
+  // Per-agent workspace skill directories
+  if (config.agents && typeof config.agents === 'object') {
+    for (const [, agentConfig] of Object.entries(config.agents)) {
+      if (agentConfig.workspace) {
+        const workspaceSkills = path.join(path.resolve(agentConfig.workspace), 'skills');
+        dirs.push(workspaceSkills);
+      }
+    }
+  }
+
+  // Deduplicate
+  return [...new Set(dirs)];
+}
+
+/**
+ * Get the base OpenClaw directory path.
+ * @returns {string}
+ */
+function getOpenClawDir() {
+  return process.env.OPENCLAW_CONFIG_PATH
+    ? path.dirname(process.env.OPENCLAW_CONFIG_PATH)
+    : DEFAULT_CONFIG_DIR;
+}
+
+/**
+ * Count total components in an inventory.
+ * @param {object} inventory From extractComponents()
+ * @returns {number}
+ */
+function countComponents(inventory) {
+  let total = 0;
+  for (const key of Object.keys(inventory)) {
+    total += inventory[key].length;
+  }
+  return total;
+}
+
+module.exports = {
+  findConfigPath,
+  parseConfig,
+  extractComponents,
+  extractSkillDirs,
+  getOpenClawDir,
+  countComponents
+};