clawsecure 1.0.0

package/src/sync-manager.js

@@ -0,0 +1,246 @@
+'use strict';
+
+const apiClientModule = require('./api-client');
+const threatIntel = require('./threat-intel');
+const processManager = require('./process-manager');
+const logger = require('./logger');
+
+const MAX_OFFLINE_QUEUE = 100;
+const HEARTBEAT_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+const RECONNECT_INTERVAL_MS = 60 * 1000; // 1 minute
+
+// Module state
+let apiClient = null;
+let envId = null;
+let isOnline = false;
+let offlineQueue = [];
+let heartbeatTimer = null;
+
+/**
+ * Connect to the ClawSecure API and fetch tier config.
+ * @returns {Promise<{ tier: string, envId: string|null, online: boolean }>}
+ */
+async function connect() {
+  const token = processManager.getToken();
+  const baseUrl = processManager.getApiUrl();
+
+  if (!token) {
+    logger.warn('No API token configured. Run "clawsecure setup" to connect your account.');
+    logger.warn('Running in offline mode. Local monitoring is active.');
+    isOnline = false;
+    return { tier: detectTierFallback(), envId: null, online: false };
+  }
+
+  apiClient = apiClientModule.create({ baseUrl, token });
+  logger.info(`Connecting to ClawSecure API at ${baseUrl}...`);
+
+  const config = await apiClient.fetchConfig();
+  if (config) {
+    envId = config.envId || null;
+    isOnline = true;
+    logger.success('API connected');
+    return { tier: config.tier || 'shield', envId, online: true };
+  }
+
+  logger.warn('API unreachable. Running in offline mode. Data will sync when connection is restored.');
+  isOnline = false;
+  scheduleReconnect();
+  return { tier: detectTierFallback(), envId: null, online: false };
+}
+
+/**
+ * Fallback tier detection via environment variable.
+ * @returns {string}
+ */
+function detectTierFallback() {
+  const envTier = process.env.CLAWSECURE_TIER;
+  if (envTier && envTier.toLowerCase() === 'sentinel') return 'sentinel';
+  return 'shield';
+}
+
+/**
+ * Send environment sync data to the API, or queue if offline.
+ * @param {object} payload
+ */
+function syncEnvironment(payload) {
+  if (isOnline && apiClient && envId) {
+    apiClient.syncEnvironment(envId, payload).catch((err) => {
+      logger.debug(`Sync failed, queueing: ${err.message}`);
+      queueOffline({ type: 'sync', payload });
+    });
+  } else {
+    queueOffline({ type: 'sync', payload });
+  }
+}
+
+/**
+ * Send tool call data to the API, or queue if offline.
+ * @param {Array<object>} toolCalls
+ */
+function sendToolCalls(toolCalls) {
+  if (isOnline && apiClient && envId) {
+    apiClient.sendToolCalls(envId, toolCalls).catch((err) => {
+      logger.debug(`Tool call send failed, queueing: ${err.message}`);
+      queueOffline({ type: 'toolcalls', payload: toolCalls });
+    });
+  } else {
+    queueOffline({ type: 'toolcalls', payload: toolCalls });
+  }
+}
+
+/**
+ * Send initial environment state to the API.
+ * @param {Array<object>} components
+ * @param {Map<string, string>} snapshot
+ * @returns {Promise<boolean>}
+ */
+async function sendInitialSync(components, snapshot) {
+  if (!isOnline || !apiClient || !envId) return false;
+
+  const syncPayload = {
+    components: components.map((c) => ({
+      name: c.name, type: c.type, source: c.source,
+      enabled: c.enabled, hash: c.hash || null
+    })),
+    snapshot: Object.fromEntries(snapshot)
+  };
+  const synced = await apiClient.syncEnvironment(envId, syncPayload);
+  if (synced) logger.success('Initial environment sync complete');
+  return synced;
+}
+
+/**
+ * Load threat intelligence from the API.
+ * @returns {Promise<boolean>}
+ */
+async function loadThreats() {
+  if (!isOnline || !apiClient) return false;
+  const loaded = await threatIntel.load(apiClient);
+  if (loaded) threatIntel.startAutoRefresh();
+  return loaded;
+}
+
+/**
+ * Add an event to the offline queue.
+ * @param {object} event
+ */
+function queueOffline(event) {
+  if (offlineQueue.length >= MAX_OFFLINE_QUEUE) {
+    offlineQueue.shift();
+    logger.debug('Offline queue full, dropping oldest event');
+  }
+  offlineQueue.push(event);
+}
+
+/**
+ * Flush the offline queue to the API.
+ */
+async function flushOfflineQueue() {
+  if (offlineQueue.length === 0) return;
+  logger.info(`Flushing ${offlineQueue.length} queued events...`);
+
+  const queue = offlineQueue.slice();
+  offlineQueue = [];
+
+  for (const event of queue) {
+    try {
+      if (event.type === 'sync') {
+        await apiClient.syncEnvironment(envId, event.payload);
+      } else if (event.type === 'toolcalls') {
+        await apiClient.sendToolCalls(envId, event.payload);
+      }
+    } catch (err) {
+      logger.debug(`Failed to flush event: ${err.message}`);
+      offlineQueue.push(event);
+      break;
+    }
+  }
+}
+
+/**
+ * Schedule periodic reconnection attempts.
+ */
+function scheduleReconnect() {
+  const timer = setInterval(async () => {
+    if (isOnline) {
+      clearInterval(timer);
+      return;
+    }
+    logger.debug('Attempting API reconnection...');
+    const token = processManager.getToken();
+    if (!token) return;
+
+    const baseUrl = processManager.getApiUrl();
+    if (!apiClient) {
+      apiClient = apiClientModule.create({ baseUrl, token });
+    }
+
+    const config = await apiClient.fetchConfig();
+    if (config) {
+      envId = config.envId || null;
+      isOnline = true;
+      clearInterval(timer);
+      logger.success('API reconnected');
+      await threatIntel.load(apiClient);
+      threatIntel.startAutoRefresh();
+      await flushOfflineQueue();
+    }
+  }, RECONNECT_INTERVAL_MS);
+
+  if (timer.unref) timer.unref();
+}
+
+/**
+ * Start the heartbeat interval.
+ * @param {function} getStatus Callback that returns current daemon status
+ */
+function startHeartbeat(getStatus) {
+  if (heartbeatTimer) return;
+  heartbeatTimer = setInterval(() => {
+    if (isOnline && apiClient && envId) {
+      const status = getStatus ? getStatus() : {};
+      apiClient.syncEnvironment(envId, {
+        heartbeat: true,
+        ...status
+      }).catch((err) => {
+        logger.debug(`Heartbeat failed: ${err.message}`);
+      });
+    }
+  }, HEARTBEAT_INTERVAL_MS);
+
+  if (heartbeatTimer.unref) heartbeatTimer.unref();
+}
+
+/**
+ * Clean up all sync resources.
+ */
+function cleanup() {
+  if (heartbeatTimer) {
+    clearInterval(heartbeatTimer);
+    heartbeatTimer = null;
+  }
+  threatIntel.stopAutoRefresh();
+  apiClient = null;
+  envId = null;
+  isOnline = false;
+  offlineQueue = [];
+}
+
+/**
+ * Get current connection state.
+ * @returns {{ online: boolean, queueSize: number }}
+ */
+function getState() {
+  return { online: isOnline, queueSize: offlineQueue.length };
+}
+
+module.exports = {
+  connect,
+  syncEnvironment,
+  sendToolCalls,
+  sendInitialSync,
+  loadThreats,
+  startHeartbeat,
+  cleanup,
+  getState
+};

package/src/threat-intel.js

@@ -0,0 +1,180 @@
+'use strict';
+
+const logger = require('./logger');
+
+const REFRESH_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
+
+let cachedThreats = null;
+let refreshTimer = null;
+let apiClientRef = null;
+
+/**
+ * Load threat intelligence data from the API.
+ * @param {object} apiClient API client instance
+ * @returns {Promise<boolean>} Whether load succeeded
+ */
+async function load(apiClient) {
+  apiClientRef = apiClient;
+
+  const data = await apiClient.fetchThreats();
+  if (data) {
+    cachedThreats = normalizeThreatData(data);
+    logger.success(
+      `Threat intelligence loaded: ${cachedThreats.components.size} known threats, ` +
+      `${cachedThreats.hashes.size} known malicious hashes`
+    );
+    return true;
+  }
+
+  logger.warn('Could not load threat intelligence. Will retry on next refresh.');
+  cachedThreats = emptyThreatCache();
+  return false;
+}
+
+/**
+ * Start periodic threat intelligence refresh.
+ */
+function startAutoRefresh() {
+  if (refreshTimer) return;
+  refreshTimer = setInterval(async () => {
+    await refresh();
+  }, REFRESH_INTERVAL_MS);
+
+  // Unref so it doesn't keep the process alive
+  if (refreshTimer.unref) refreshTimer.unref();
+  logger.debug('Threat intelligence auto-refresh enabled (every 6 hours)');
+}
+
+/**
+ * Refresh threat intelligence from the API.
+ * @returns {Promise<boolean>}
+ */
+async function refresh() {
+  if (!apiClientRef) {
+    logger.debug('No API client available for threat refresh');
+    return false;
+  }
+
+  logger.info('Refreshing threat intelligence...');
+  const data = await apiClientRef.fetchThreats();
+  if (data) {
+    cachedThreats = normalizeThreatData(data);
+    logger.success('Threat intelligence refreshed');
+    return true;
+  }
+
+  logger.warn('Threat intelligence refresh failed, using cached data');
+  return false;
+}
+
+/**
+ * Stop auto-refresh timer.
+ */
+function stopAutoRefresh() {
+  if (refreshTimer) {
+    clearInterval(refreshTimer);
+    refreshTimer = null;
+  }
+}
+
+/**
+ * Check if a component is a known threat.
+ * @param {string} componentName
+ * @param {string|null} hash SHA-256 hash
+ * @returns {{ isThreat: boolean, reason: string|null }}
+ */
+function isKnownThreat(componentName, hash) {
+  if (!cachedThreats) {
+    return { isThreat: false, reason: null };
+  }
+
+  // Check by name
+  const nameKey = componentName.toLowerCase();
+  if (cachedThreats.components.has(nameKey)) {
+    return {
+      isThreat: true,
+      reason: cachedThreats.components.get(nameKey)
+    };
+  }
+
+  // Check by hash
+  if (hash && cachedThreats.hashes.has(hash)) {
+    return {
+      isThreat: true,
+      reason: cachedThreats.hashes.get(hash)
+    };
+  }
+
+  return { isThreat: false, reason: null };
+}
+
+/**
+ * Get the current cached threat data.
+ * @returns {object|null}
+ */
+function getThreats() {
+  return cachedThreats;
+}
+
+/**
+ * Normalize raw threat API response into lookup-friendly structure.
+ * @param {object} data Raw API response
+ * @returns {object} Normalized cache
+ */
+function normalizeThreatData(data) {
+  const cache = emptyThreatCache();
+
+  // Known bad components (by name)
+  if (Array.isArray(data.components)) {
+    for (const item of data.components) {
+      if (item.name) {
+        cache.components.set(item.name.toLowerCase(), item.reason || 'Known threat');
+      }
+    }
+  }
+
+  // Known malicious hashes
+  if (Array.isArray(data.hashes)) {
+    for (const item of data.hashes) {
+      if (item.hash) {
+        cache.hashes.set(item.hash, item.reason || 'Malicious hash');
+      }
+    }
+  }
+
+  // Metadata
+  cache.updatedAt = data.updatedAt || new Date().toISOString();
+
+  return cache;
+}
+
+/**
+ * Create an empty threat cache.
+ * @returns {object}
+ */
+function emptyThreatCache() {
+  return {
+    components: new Map(),
+    hashes: new Map(),
+    updatedAt: null
+  };
+}
+
+/**
+ * Reset all state (for testing/cleanup).
+ */
+function reset() {
+  stopAutoRefresh();
+  cachedThreats = null;
+  apiClientRef = null;
+}
+
+module.exports = {
+  load,
+  startAutoRefresh,
+  stopAutoRefresh,
+  refresh,
+  isKnownThreat,
+  getThreats,
+  reset
+};

package/src/watcher.js

@@ -0,0 +1,155 @@
+'use strict';
+
+const chokidar = require('chokidar');
+const path = require('path');
+const logger = require('./logger');
+
+const DEFAULT_DEBOUNCE_MS = 500;
+
+/**
+ * Creates a file watcher on the given directories.
+ * Debounces rapid changes into batched callbacks.
+ *
+ * @param {string[]} dirs Directories to watch
+ * @param {object} [options]
+ * @param {number} [options.debounceMs=500] Debounce interval in ms
+ * @param {boolean} [options.ignoreInitial=true] Skip initial add events
+ * @returns {object} Watcher controller with onFileChange(), close()
+ */
+function createWatcher(dirs, options) {
+  const opts = Object.assign({ debounceMs: DEFAULT_DEBOUNCE_MS, ignoreInitial: true }, options);
+
+  // Filter to only directories that exist
+  const validDirs = dirs.filter((dir) => {
+    try {
+      require('fs').accessSync(dir);
+      return true;
+    } catch (e) {
+      logger.debug(`Skipping non-existent watch dir: ${dir}`);
+      return false;
+    }
+  });
+
+  if (validDirs.length === 0) {
+    logger.warn('No valid directories to watch.');
+  }
+
+  logger.info(`Watching ${validDirs.length} director${validDirs.length === 1 ? 'y' : 'ies'} for changes`);
+  for (const dir of validDirs) {
+    logger.debug(`  Watching: ${dir}`);
+  }
+
+  const watcher = chokidar.watch(validDirs, {
+    persistent: true,
+    ignoreInitial: opts.ignoreInitial,
+    followSymlinks: false,
+    depth: 5,
+    ignored: [
+      '**/node_modules/**',
+      '**/.git/**',
+      '**/.DS_Store'
+    ],
+    awaitWriteFinish: {
+      stabilityThreshold: 200,
+      pollInterval: 50
+    }
+  });
+
+  let changeBuffer = [];
+  let debounceTimer = null;
+  let changeCallback = null;
+
+  /**
+   * Internal handler for all file events.
+   * Buffers events and flushes after debounce interval.
+   */
+  function handleEvent(eventType, filePath) {
+    logger.debug(`File ${eventType}: ${filePath}`);
+
+    changeBuffer.push({
+      type: eventType,
+      path: filePath,
+      dir: path.dirname(filePath),
+      timestamp: Date.now()
+    });
+
+    // Reset debounce timer
+    if (debounceTimer) clearTimeout(debounceTimer);
+    debounceTimer = setTimeout(flushChanges, opts.debounceMs);
+  }
+
+  /**
+   * Flush buffered changes to the registered callback.
+   */
+  function flushChanges() {
+    if (changeBuffer.length === 0) return;
+    if (!changeCallback) return;
+
+    const events = changeBuffer.slice();
+    changeBuffer = [];
+    debounceTimer = null;
+
+    // Deduplicate: keep latest event per file path
+    const seen = new Map();
+    for (const evt of events) {
+      seen.set(evt.path, evt);
+    }
+    const deduped = Array.from(seen.values());
+
+    logger.info(`Detected ${deduped.length} file change${deduped.length === 1 ? '' : 's'}`);
+    try {
+      changeCallback(deduped);
+    } catch (err) {
+      logger.error(`Error in change handler: ${err.message}`);
+    }
+  }
+
+  // Register chokidar events
+  watcher.on('add', (fp) => handleEvent('add', fp));
+  watcher.on('change', (fp) => handleEvent('change', fp));
+  watcher.on('unlink', (fp) => handleEvent('unlink', fp));
+  watcher.on('error', (err) => logger.error(`Watcher error: ${err.message}`));
+
+  watcher.on('ready', () => {
+    logger.success('File watcher ready');
+  });
+
+  return {
+    /**
+     * Register a callback for batched file changes.
+     * @param {function(Array<{type: string, path: string, dir: string, timestamp: number}>)} callback
+     */
+    onFileChange(callback) {
+      changeCallback = callback;
+    },
+
+    /**
+     * Gracefully close the watcher and flush pending changes.
+     * @returns {Promise<void>}
+     */
+    async close() {
+      if (debounceTimer) {
+        clearTimeout(debounceTimer);
+        debounceTimer = null;
+      }
+      // Flush any remaining buffered changes
+      if (changeBuffer.length > 0 && changeCallback) {
+        flushChanges();
+      }
+      await watcher.close();
+      logger.debug('File watcher closed');
+    },
+
+    /**
+     * Get the list of watched directories.
+     * @returns {object}
+     */
+    getWatched() {
+      return watcher.getWatched();
+    }
+  };
+}
+
+module.exports = {
+  createWatcher
+};