npm - clawsecure - Versions diffs - 1.0.0 - Mend

clawsecure 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/LICENSE +21 -0
package/README.md +127 -0
package/bin/clawsecure.js +84 -0
package/package.json +48 -0
package/skill/.clawsecure-version +1 -0
package/skill/HEARTBEAT.md +18 -0
package/skill/README.md +146 -0
package/skill/SKILL.md +83 -0
package/skill/references/commands.md +40 -0
package/skill/references/config-audit-checklist.md +81 -0
package/skill/references/mcp-risk-classifications.md +43 -0
package/skill/references/onboarding.md +48 -0
package/skill/references/response-templates.md +102 -0
package/skill/references/secure-install-guide.md +91 -0
package/src/api-client.js +227 -0
package/src/component-scanner.js +238 -0
package/src/config-parser.js +352 -0
package/src/daemon.js +452 -0
package/src/logger.js +60 -0
package/src/metadata-stripper.js +181 -0
package/src/process-manager.js +220 -0
package/src/session-parser.js +241 -0
package/src/skill-installer.js +199 -0
package/src/sync-manager.js +246 -0
package/src/threat-intel.js +180 -0
package/src/watcher.js +155 -0

package/src/process-manager.js ADDED Viewed

@@ -0,0 +1,220 @@
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const logger = require('./logger');
+const CLAWSECURE_DIR = path.join(os.homedir(), '.clawsecure');
+const PID_FILE = path.join(CLAWSECURE_DIR, 'daemon.pid');
+const CONFIG_FILE = path.join(CLAWSECURE_DIR, 'config.json');
+/**
+ * Ensure ~/.clawsecure/ directory exists with secure permissions.
+ */
+function ensureConfigDir() {
+  if (!fs.existsSync(CLAWSECURE_DIR)) {
+    fs.mkdirSync(CLAWSECURE_DIR, { recursive: true, mode: 0o700 });
+    logger.debug(`Created config directory: ${CLAWSECURE_DIR}`);
+  }
+}
+// --- PID File Management ---
+/**
+ * Write the current process PID to the PID file.
+ * @returns {boolean}
+ */
+function writePid() {
+  ensureConfigDir();
+  try {
+    fs.writeFileSync(PID_FILE, String(process.pid), { mode: 0o600 });
+    logger.debug(`PID file written: ${PID_FILE} (${process.pid})`);
+    return true;
+  } catch (err) {
+    logger.error(`Cannot write PID file: ${err.message}`);
+    return false;
+  }
+}
+/**
+ * Read the PID from the PID file.
+ * @returns {number|null}
+ */
+function readPid() {
+  try {
+    if (!fs.existsSync(PID_FILE)) return null;
+    const raw = fs.readFileSync(PID_FILE, 'utf-8').trim();
+    const pid = parseInt(raw, 10);
+    return isNaN(pid) ? null : pid;
+  } catch (err) {
+    return null;
+  }
+}
+/**
+ * Remove the PID file.
+ */
+function removePid() {
+  try {
+    if (fs.existsSync(PID_FILE)) {
+      fs.unlinkSync(PID_FILE);
+      logger.debug('PID file removed');
+    }
+  } catch (err) {
+    logger.debug(`Cannot remove PID file: ${err.message}`);
+  }
+}
+/**
+ * Check if a process with the given PID is running.
+ * @param {number} pid
+ * @returns {boolean}
+ */
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0); // Signal 0 = existence check, no actual signal sent
+    return true;
+  } catch (err) {
+    return false;
+  }
+}
+/**
+ * Check if another daemon instance is already running.
+ * Cleans up stale PID files.
+ * @returns {{ running: boolean, pid: number|null }}
+ */
+function checkExisting() {
+  const pid = readPid();
+  if (pid === null) {
+    return { running: false, pid: null };
+  }
+  if (isProcessRunning(pid)) {
+    return { running: true, pid };
+  }
+  // Stale PID file, clean up
+  logger.debug(`Stale PID file found (process ${pid} not running), removing`);
+  removePid();
+  return { running: false, pid: null };
+}
+/**
+ * Send SIGTERM to a running daemon process.
+ * @param {number} pid
+ * @returns {boolean}
+ */
+function stopProcess(pid) {
+  try {
+    process.kill(pid, 'SIGTERM');
+    return true;
+  } catch (err) {
+    logger.error(`Cannot stop process ${pid}: ${err.message}`);
+    return false;
+  }
+}
+// --- Token / Config Storage ---
+/**
+ * Read the daemon config file (~/.clawsecure/config.json).
+ * @returns {object} Config object (may be empty)
+ */
+function readConfig() {
+  try {
+    if (!fs.existsSync(CONFIG_FILE)) return {};
+    const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
+    return JSON.parse(raw);
+  } catch (err) {
+    logger.debug(`Cannot read config: ${err.message}`);
+    return {};
+  }
+}
+/**
+ * Write the daemon config file with secure permissions.
+ * @param {object} config
+ * @returns {boolean}
+ */
+function writeConfig(config) {
+  ensureConfigDir();
+  try {
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
+    logger.debug(`Config written to ${CONFIG_FILE}`);
+    return true;
+  } catch (err) {
+    logger.error(`Cannot write config: ${err.message}`);
+    return false;
+  }
+}
+/**
+ * Get the daemon API token.
+ * Priority: CLAWSECURE_TOKEN env var > config file > null
+ * @returns {string|null}
+ */
+function getToken() {
+  // 1. Environment variable
+  const envToken = process.env.CLAWSECURE_TOKEN;
+  if (envToken && envToken.trim()) {
+    logger.debug('Using token from CLAWSECURE_TOKEN environment variable');
+    return envToken.trim();
+  }
+  // 2. Config file
+  const config = readConfig();
+  if (config.token && config.token.trim()) {
+    logger.debug('Using token from config file');
+    return config.token.trim();
+  }
+  return null;
+}
+/**
+ * Save a token to the config file.
+ * @param {string} token
+ * @returns {boolean}
+ */
+function saveToken(token) {
+  const config = readConfig();
+  config.token = token;
+  return writeConfig(config);
+}
+/**
+ * Get the API base URL.
+ * Priority: CLAWSECURE_API_URL env var > config file > default
+ * @returns {string}
+ */
+function getApiUrl() {
+  const envUrl = process.env.CLAWSECURE_API_URL;
+  if (envUrl && envUrl.trim()) {
+    return envUrl.trim().replace(/\/$/, '');
+  }
+  const config = readConfig();
+  if (config.apiUrl && config.apiUrl.trim()) {
+    return config.apiUrl.trim().replace(/\/$/, '');
+  }
+  return 'https://api.clawsecure.ai';
+}
+module.exports = {
+  writePid,
+  readPid,
+  removePid,
+  checkExisting,
+  stopProcess,
+  readConfig,
+  writeConfig,
+  getToken,
+  saveToken,
+  getApiUrl,
+  CLAWSECURE_DIR,
+  PID_FILE,
+  CONFIG_FILE
+};

package/src/session-parser.js ADDED Viewed

@@ -0,0 +1,241 @@
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const logger = require('./logger');
+/**
+ * Discover agent directories under ~/.openclaw/agents/.
+ * @param {string} openclawDir Path to ~/.openclaw/
+ * @returns {Array<{ id: string, path: string }>} Agent IDs and paths
+ */
+function discoverAgents(openclawDir) {
+  const agentsDir = path.join(openclawDir, 'agents');
+  const agents = [];
+  if (!fs.existsSync(agentsDir)) {
+    logger.debug(`No agents directory at ${agentsDir}`);
+    return agents;
+  }
+  try {
+    const entries = fs.readdirSync(agentsDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      if (entry.name.startsWith('.')) continue;
+      agents.push({
+        id: entry.name,
+        path: path.join(agentsDir, entry.name)
+      });
+    }
+  } catch (err) {
+    logger.error(`Cannot read agents directory: ${err.message}`);
+  }
+  return agents;
+}
+/**
+ * Discover session JSONL files for a given agent.
+ * @param {string} agentDir Path to agent directory
+ * @returns {Array<{ id: string, path: string }>} Session IDs and file paths
+ */
+function discoverSessions(agentDir) {
+  const sessionsDir = path.join(agentDir, 'sessions');
+  const sessions = [];
+  if (!fs.existsSync(sessionsDir)) {
+    logger.debug(`No sessions directory at ${sessionsDir}`);
+    return sessions;
+  }
+  try {
+    const entries = fs.readdirSync(sessionsDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isFile()) continue;
+      if (!entry.name.endsWith('.jsonl')) continue;
+      const sessionId = entry.name.replace('.jsonl', '');
+      sessions.push({
+        id: sessionId,
+        path: path.join(sessionsDir, entry.name)
+      });
+    }
+  } catch (err) {
+    logger.debug(`Cannot read sessions directory: ${err.message}`);
+  }
+  return sessions;
+}
+/**
+ * Extract toolCall entries from a single JSONL line.
+ * Returns an array of { toolName, timestamp } objects.
+ *
+ * Expected JSONL format:
+ * { "timestamp": "...", "message": { "role": "...", "content": [{ "type": "toolCall", "name": "..." }] } }
+ *
+ * @param {string} line Single JSONL line
+ * @returns {Array<{ toolName: string, timestamp: string }>}
+ */
+function extractToolCalls(line) {
+  const trimmed = line.trim();
+  if (!trimmed) return [];
+  let entry;
+  try {
+    entry = JSON.parse(trimmed);
+  } catch (err) {
+    // Malformed line, skip silently
+    return [];
+  }
+  const results = [];
+  const timestamp = entry.timestamp || null;
+  const content = entry.message && entry.message.content;
+  if (!Array.isArray(content)) return results;
+  for (const item of content) {
+    if (item && item.type === 'toolCall' && item.name) {
+      results.push({
+        toolName: item.name,
+        timestamp: timestamp
+      });
+    }
+  }
+  return results;
+}
+/**
+ * Parse a session JSONL file from a given byte offset (tail-like behavior).
+ * Returns extracted tool calls and the new file offset.
+ *
+ * @param {string} filePath Absolute path to .jsonl file
+ * @param {number} [fromOffset=0] Byte offset to start reading from
+ * @returns {{ toolCalls: Array<{ toolName: string, timestamp: string }>, newOffset: number }}
+ */
+function parseSessionFile(filePath, fromOffset) {
+  const result = { toolCalls: [], newOffset: fromOffset || 0 };
+  let stat;
+  try {
+    stat = fs.statSync(filePath);
+  } catch (err) {
+    logger.debug(`Cannot stat session file ${filePath}: ${err.message}`);
+    return result;
+  }
+  // Nothing new to read
+  if (stat.size <= result.newOffset) {
+    return result;
+  }
+  // Handle file truncation (e.g., session reset)
+  if (stat.size < result.newOffset) {
+    logger.debug(`Session file ${filePath} was truncated, reading from start`);
+    result.newOffset = 0;
+  }
+  let content;
+  try {
+    const fd = fs.openSync(filePath, 'r');
+    const buffer = Buffer.alloc(stat.size - result.newOffset);
+    fs.readSync(fd, buffer, 0, buffer.length, result.newOffset);
+    fs.closeSync(fd);
+    content = buffer.toString('utf-8');
+  } catch (err) {
+    logger.debug(`Cannot read session file ${filePath}: ${err.message}`);
+    return result;
+  }
+  // Process each line
+  const lines = content.split('\n');
+  for (const line of lines) {
+    const calls = extractToolCalls(line);
+    result.toolCalls.push(...calls);
+  }
+  result.newOffset = stat.size;
+  return result;
+}
+/**
+ * Scan all agents and sessions, extract all tool call data.
+ * Tracks read offsets per file for incremental reads.
+ *
+ * @param {string} openclawDir Path to ~/.openclaw/
+ * @param {Map<string, number>} [offsets] Previous read offsets (filepath -> byte offset)
+ * @returns {{ toolCalls: Array<object>, offsets: Map<string, number>, stats: object }}
+ */
+function scanAllSessions(openclawDir, offsets) {
+  const currentOffsets = offsets || new Map();
+  const allToolCalls = [];
+  let totalFiles = 0;
+  let totalAgents = 0;
+  const agents = discoverAgents(openclawDir);
+  totalAgents = agents.length;
+  for (const agent of agents) {
+    const sessions = discoverSessions(agent.path);
+    totalFiles += sessions.length;
+    for (const session of sessions) {
+      const prevOffset = currentOffsets.get(session.path) || 0;
+      const result = parseSessionFile(session.path, prevOffset);
+      // Tag each tool call with agent and session context
+      for (const tc of result.toolCalls) {
+        allToolCalls.push({
+          toolName: tc.toolName,
+          timestamp: tc.timestamp,
+          agentId: agent.id,
+          sessionId: session.id
+        });
+      }
+      currentOffsets.set(session.path, result.newOffset);
+    }
+  }
+  logger.info(
+    `Session scan: ${totalAgents} agent${totalAgents === 1 ? '' : 's'}, ` +
+    `${totalFiles} session file${totalFiles === 1 ? '' : 's'}, ` +
+    `${allToolCalls.length} tool call${allToolCalls.length === 1 ? '' : 's'} extracted`
+  );
+  return {
+    toolCalls: allToolCalls,
+    offsets: currentOffsets,
+    stats: { agents: totalAgents, files: totalFiles, toolCalls: allToolCalls.length }
+  };
+}
+/**
+ * Get all session directories that should be watched.
+ * @param {string} openclawDir Path to ~/.openclaw/
+ * @returns {string[]} Array of session directory paths
+ */
+function getSessionDirs(openclawDir) {
+  const dirs = [];
+  const agents = discoverAgents(openclawDir);
+  for (const agent of agents) {
+    const sessionsDir = path.join(agent.path, 'sessions');
+    if (fs.existsSync(sessionsDir)) {
+      dirs.push(sessionsDir);
+    }
+  }
+  return dirs;
+}
+module.exports = {
+  discoverAgents,
+  discoverSessions,
+  extractToolCalls,
+  parseSessionFile,
+  scanAllSessions,
+  getSessionDirs
+};

package/src/skill-installer.js ADDED Viewed

@@ -0,0 +1,199 @@
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+const os = require('os');
+const logger = require('./logger');
+const OPENCLAW_DIR = path.join(os.homedir(), '.openclaw');
+const SKILLS_DIR = path.join(OPENCLAW_DIR, 'skills');
+const INSTALL_DIR = path.join(SKILLS_DIR, 'clawsecure');
+const VERSION_FILE = '.clawsecure-version';
+const BUNDLED_SKILL_DIR = path.join(__dirname, '..', 'skill');
+/**
+ * Get the bundled skill version from the npm package.
+ * @returns {string|null}
+ */
+function getBundledVersion() {
+  const versionPath = path.join(BUNDLED_SKILL_DIR, VERSION_FILE);
+  try {
+    return fs.readFileSync(versionPath, 'utf8').trim();
+  } catch (err) {
+    logger.warn('Could not read bundled skill version: ' + err.message);
+    return null;
+  }
+}
+/**
+ * Get the installed skill version from the user's OpenClaw directory.
+ * @returns {string|null}
+ */
+function getInstalledVersion() {
+  const versionPath = path.join(INSTALL_DIR, VERSION_FILE);
+  try {
+    return fs.readFileSync(versionPath, 'utf8').trim();
+  } catch (err) {
+    return null;
+  }
+}
+/**
+ * Compare two semver-like version strings.
+ * @param {string} a
+ * @param {string} b
+ * @returns {number} 1 if a > b, -1 if a < b, 0 if equal
+ */
+function compareVersions(a, b) {
+  const partsA = a.split('.').map(Number);
+  const partsB = b.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    const na = partsA[i] || 0;
+    const nb = partsB[i] || 0;
+    if (na > nb) return 1;
+    if (na < nb) return -1;
+  }
+  return 0;
+}
+/**
+ * Copy all bundled skill files to the install directory.
+ * Preserves directory structure (references/ subdirectory).
+ */
+function copySkillFiles() {
+  if (!fs.existsSync(INSTALL_DIR)) {
+    fs.mkdirSync(INSTALL_DIR, { recursive: true });
+  }
+  const refsSource = path.join(BUNDLED_SKILL_DIR, 'references');
+  const refsDest = path.join(INSTALL_DIR, 'references');
+  if (!fs.existsSync(refsDest)) {
+    fs.mkdirSync(refsDest, { recursive: true });
+  }
+  // Copy top-level skill files
+  const topFiles = fs.readdirSync(BUNDLED_SKILL_DIR).filter(f => {
+    const full = path.join(BUNDLED_SKILL_DIR, f);
+    return fs.statSync(full).isFile();
+  });
+  for (const file of topFiles) {
+    fs.copyFileSync(
+      path.join(BUNDLED_SKILL_DIR, file),
+      path.join(INSTALL_DIR, file)
+    );
+  }
+  // Copy references/ files
+  if (fs.existsSync(refsSource)) {
+    const refFiles = fs.readdirSync(refsSource).filter(f => {
+      return fs.statSync(path.join(refsSource, f)).isFile();
+    });
+    for (const file of refFiles) {
+      fs.copyFileSync(
+        path.join(refsSource, file),
+        path.join(refsDest, file)
+      );
+    }
+  }
+}
+/**
+ * Prompt the user for Y/n input. Returns true for Y/Enter, false for n.
+ * Times out after 10 seconds and returns false (never blocks startup).
+ */
+function promptUser(question) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    const timeout = setTimeout(() => {
+      rl.close();
+      resolve(false);
+    }, 10000);
+    rl.question(question, (answer) => {
+      clearTimeout(timeout);
+      rl.close();
+      const trimmed = answer.trim().toLowerCase();
+      resolve(trimmed === '' || trimmed === 'y' || trimmed === 'yes');
+    });
+  });
+}
+/**
+ * Main entry point. Checks for OpenClaw installation and installs/updates
+ * the Claw security skill as needed.
+ *
+ * Never throws. Never blocks daemon startup on failure.
+ * @returns {Promise<void>}
+ */
+async function installSkill() {
+  try {
+    // Check if OpenClaw is installed
+    if (!fs.existsSync(OPENCLAW_DIR)) {
+      logger.debug('OpenClaw directory not found at ' + OPENCLAW_DIR + '. Skipping skill install.');
+      return;
+    }
+    // Ensure skills directory exists
+    if (!fs.existsSync(SKILLS_DIR)) {
+      fs.mkdirSync(SKILLS_DIR, { recursive: true });
+      logger.debug('Created skills directory: ' + SKILLS_DIR);
+    }
+    const bundledVersion = getBundledVersion();
+    if (!bundledVersion) {
+      logger.warn('Bundled skill version unavailable. Skipping skill install.');
+      return;
+    }
+    // First install: directory does not exist
+    if (!fs.existsSync(INSTALL_DIR)) {
+      copySkillFiles();
+      logger.info('Claw security skill installed (v' + bundledVersion + ') to ' + INSTALL_DIR);
+      return;
+    }
+    // Directory exists but no version file: user-created, do not overwrite
+    const installedVersion = getInstalledVersion();
+    if (!installedVersion) {
+      logger.debug('Skill directory exists without version file. Skipping to avoid overwriting user content.');
+      return;
+    }
+    // Compare versions
+    const cmp = compareVersions(bundledVersion, installedVersion);
+    if (cmp === 0) {
+      logger.debug('Claw security skill is up to date (v' + installedVersion + ').');
+      return;
+    }
+    if (cmp < 0) {
+      logger.debug('Installed skill (v' + installedVersion + ') is newer than bundled (v' + bundledVersion + '). Skipping.');
+      return;
+    }
+    // Bundled is newer, prompt for update
+    const shouldUpdate = await promptUser(
+      'A new version of the Claw security skill is available (v' +
+      installedVersion + ' -> v' + bundledVersion + '). Update? (Y/n) '
+    );
+    if (shouldUpdate) {
+      copySkillFiles();
+      logger.info('Claw security skill updated to v' + bundledVersion + '.');
+    } else {
+      logger.info('Skill update skipped. Continuing with v' + installedVersion + '.');
+    }
+  } catch (err) {
+    logger.warn('Skill install check failed: ' + err.message + '. Continuing without skill update.');
+  }
+}
+module.exports = { installSkill };