forge-openclaw-plugin 0.2.4 → 0.2.7

package/dist/server/managers/platform/search-index-manager.js

@@ -0,0 +1,4 @@
+import { AbstractManager } from "../base.js";
+export class SearchIndexManager extends AbstractManager {
+    name = "SearchIndexManager";
+}

package/dist/server/managers/platform/secrets-manager.js

@@ -0,0 +1,19 @@
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import { AbstractManager } from "../base.js";
+export class SecretsManager extends AbstractManager {
+    name = "SecretsManager";
+    createSecret(prefix) {
+        return `${prefix}_${randomBytes(18).toString("hex")}`;
+    }
+    hashSecret(value) {
+        return createHash("sha256").update(value).digest("hex");
+    }
+    secureEquals(left, right) {
+        const leftBuffer = Buffer.from(left);
+        const rightBuffer = Buffer.from(right);
+        if (leftBuffer.length !== rightBuffer.length) {
+            return false;
+        }
+        return timingSafeEqual(leftBuffer, rightBuffer);
+    }
+}

package/dist/server/managers/platform/session-manager.js

@@ -0,0 +1,121 @@
+import { randomUUID } from "node:crypto";
+import { AbstractAuditedManager } from "../base.js";
+import { getSettings } from "../../repositories/settings.js";
+import { isTrustedOperatorNetworkEntry } from "./trusted-network.js";
+function cookieHeaderValue(name, value, maxAgeSeconds) {
+    return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
+}
+export class SessionManager extends AbstractAuditedManager {
+    databaseManager;
+    secretsManager;
+    configurationManager;
+    auditManager;
+    name = "SessionManager";
+    constructor(databaseManager, secretsManager, configurationManager, auditManager) {
+        super();
+        this.databaseManager = databaseManager;
+        this.secretsManager = secretsManager;
+        this.configurationManager = configurationManager;
+        this.auditManager = auditManager;
+    }
+    ensureLocalOperatorSession(headers, reply) {
+        const existing = this.readSessionFromHeaders(headers);
+        if (existing) {
+            return existing;
+        }
+        if (!this.isLocalOperatorRequest(headers)) {
+            throw new Error("Operator session bootstrap is only available on local loopback origins.");
+        }
+        const settings = getSettings();
+        const actorLabel = settings.profile.operatorName?.trim() || "Local Operator";
+        const issuedAt = new Date();
+        const expiresAt = new Date(issuedAt.getTime() + this.configurationManager.readRuntimeConfig().sessionTtlSeconds * 1000);
+        const sessionToken = this.secretsManager.createSecret("fg_session");
+        const sessionId = `ses_${randomUUID().replaceAll("-", "").slice(0, 10)}`;
+        this.databaseManager
+            .getConnection()
+            .prepare(`INSERT INTO operator_sessions (
+          id, session_hash, actor_label, issued_at, last_used_at, expires_at, revoked_at, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, NULL, ?, ?)`)
+            .run(sessionId, this.secretsManager.hashSecret(sessionToken), actorLabel, issuedAt.toISOString(), issuedAt.toISOString(), expiresAt.toISOString(), issuedAt.toISOString(), issuedAt.toISOString());
+        reply.header("Set-Cookie", cookieHeaderValue(this.configurationManager.readRuntimeConfig().sessionCookieName, sessionToken, this.configurationManager.readRuntimeConfig().sessionTtlSeconds));
+        const session = {
+            id: sessionId,
+            actorLabel,
+            expiresAt: expiresAt.toISOString()
+        };
+        this.auditManager.record("operator.session_issued", "operator_session", sessionId, {
+            actor: actorLabel,
+            source: "ui",
+            origin: null,
+            host: null,
+            ip: null,
+            token: null,
+            session
+        }, {
+            actorLabel
+        });
+        return session;
+    }
+    revokeCurrentSession(headers, reply) {
+        const session = this.readSessionFromHeaders(headers);
+        if (!session) {
+            reply.header("Set-Cookie", cookieHeaderValue(this.configurationManager.readRuntimeConfig().sessionCookieName, "", 0));
+            return false;
+        }
+        this.databaseManager
+            .getConnection()
+            .prepare(`UPDATE operator_sessions SET revoked_at = ?, updated_at = ? WHERE id = ?`)
+            .run(new Date().toISOString(), new Date().toISOString(), session.id);
+        reply.header("Set-Cookie", cookieHeaderValue(this.configurationManager.readRuntimeConfig().sessionCookieName, "", 0));
+        return true;
+    }
+    readSessionFromHeaders(headers) {
+        const rawCookie = headers.cookie;
+        const cookieHeader = Array.isArray(rawCookie) ? rawCookie[0] : typeof rawCookie === "string" ? rawCookie : "";
+        if (!cookieHeader) {
+            return null;
+        }
+        const pairs = cookieHeader.split(";").map((entry) => entry.trim());
+        const needle = `${this.configurationManager.readRuntimeConfig().sessionCookieName}=`;
+        const sessionCookie = pairs.find((entry) => entry.startsWith(needle));
+        if (!sessionCookie) {
+            return null;
+        }
+        const sessionToken = decodeURIComponent(sessionCookie.slice(needle.length));
+        if (!sessionToken) {
+            return null;
+        }
+        const row = this.databaseManager
+            .getConnection()
+            .prepare(`SELECT id, actor_label, expires_at, revoked_at
+         FROM operator_sessions
+         WHERE session_hash = ?`)
+            .get(this.secretsManager.hashSecret(sessionToken));
+        if (!row || row.revoked_at) {
+            return null;
+        }
+        if (Date.parse(row.expires_at) <= Date.now()) {
+            this.databaseManager
+                .getConnection()
+                .prepare(`UPDATE operator_sessions SET revoked_at = ?, updated_at = ? WHERE id = ?`)
+                .run(new Date().toISOString(), new Date().toISOString(), row.id);
+            return null;
+        }
+        this.databaseManager
+            .getConnection()
+            .prepare(`UPDATE operator_sessions SET last_used_at = ?, updated_at = ? WHERE id = ?`)
+            .run(new Date().toISOString(), new Date().toISOString(), row.id);
+        return {
+            id: row.id,
+            actorLabel: row.actor_label,
+            expiresAt: row.expires_at
+        };
+    }
+    isLocalOperatorRequest(headers) {
+        const rawOrigin = Array.isArray(headers.origin) ? headers.origin[0] : headers.origin;
+        const rawHost = Array.isArray(headers.host) ? headers.host[0] : headers.host;
+        const candidates = [typeof rawOrigin === "string" ? rawOrigin : "", typeof rawHost === "string" ? rawHost : ""].filter(Boolean);
+        return candidates.some((entry) => isTrustedOperatorNetworkEntry(entry));
+    }
+}

package/dist/server/managers/platform/storage-manager.js

@@ -0,0 +1,16 @@
+import path from "node:path";
+import { AbstractManager } from "../base.js";
+export class StorageManager extends AbstractManager {
+    cwd;
+    name = "StorageManager";
+    constructor(cwd = process.cwd()) {
+        super();
+        this.cwd = cwd;
+    }
+    resolveDataDir() {
+        return path.join(this.cwd, "data");
+    }
+    resolveClientDir() {
+        return path.join(this.cwd, "dist");
+    }
+}

package/dist/server/managers/platform/token-manager.js

@@ -0,0 +1,37 @@
+import { AbstractAuditedManager } from "../base.js";
+import { createAgentToken, getAgentTokenById, revokeAgentToken, rotateAgentToken, verifyAgentToken } from "../../repositories/settings.js";
+export class TokenManager extends AbstractAuditedManager {
+    auditManager;
+    name = "TokenManager";
+    constructor(auditManager) {
+        super();
+        this.auditManager = auditManager;
+    }
+    verifyBearerToken(token) {
+        return verifyAgentToken(token);
+    }
+    issueLocalAgentToken(input, context) {
+        const created = createAgentToken(input, { actor: context.actor, source: context.source });
+        this.auditManager.record("token.issued", "agent_token", created.tokenSummary.id, context, {
+            label: created.tokenSummary.label
+        });
+        return created;
+    }
+    rotateLocalAgentToken(tokenId, context) {
+        const rotated = rotateAgentToken(tokenId, { actor: context.actor, source: context.source });
+        if (rotated) {
+            this.auditManager.record("token.rotated", "agent_token", tokenId, context);
+        }
+        return rotated;
+    }
+    revokeLocalAgentToken(tokenId, context) {
+        const revoked = revokeAgentToken(tokenId, { actor: context.actor, source: context.source });
+        if (revoked) {
+            this.auditManager.record("token.revoked", "agent_token", tokenId, context);
+        }
+        return revoked;
+    }
+    getTokenById(tokenId) {
+        return getAgentTokenById(tokenId) ?? null;
+    }
+}

package/dist/server/managers/platform/transaction-manager.js

@@ -0,0 +1,8 @@
+import { AbstractManager } from "../base.js";
+import { runInTransaction } from "../../db.js";
+export class TransactionManager extends AbstractManager {
+    name = "TransactionManager";
+    run(operation) {
+        return runInTransaction(operation);
+    }
+}

package/dist/server/managers/platform/trusted-network.js

@@ -0,0 +1,39 @@
+function readHostnameOrAddress(input) {
+    const trimmed = input.trim();
+    if (!trimmed) {
+        return null;
+    }
+    try {
+        return new URL(trimmed.includes("://") ? trimmed : `http://${trimmed}`).hostname.toLowerCase();
+    }
+    catch {
+        return trimmed
+            .replace(/^\[/, "")
+            .replace(/\]$/, "")
+            .split(":")[0]
+            .toLowerCase();
+    }
+}
+function isTailscaleIpv4(hostname) {
+    const match = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
+    if (!match) {
+        return false;
+    }
+    const octets = match.slice(1).map((value) => Number(value));
+    if (octets.some((value) => !Number.isInteger(value) || value < 0 || value > 255)) {
+        return false;
+    }
+    const [a, b] = octets;
+    return a === 100 && b >= 64 && b <= 127;
+}
+export function isTrustedOperatorNetworkEntry(input) {
+    const hostname = readHostnameOrAddress(input);
+    if (!hostname) {
+        return false;
+    }
+    return (hostname === "localhost" ||
+        hostname === "127.0.0.1" ||
+        hostname === "::1" ||
+        hostname.endsWith(".ts.net") ||
+        isTailscaleIpv4(hostname));
+}

package/dist/server/managers/runtime.js

@@ -0,0 +1,56 @@
+import { ConfigurationManager } from "./platform/configuration-manager.js";
+import { SecretsManager } from "./platform/secrets-manager.js";
+import { DatabaseManager } from "./platform/database-manager.js";
+import { TransactionManager } from "./platform/transaction-manager.js";
+import { MigrationManager } from "./platform/migration-manager.js";
+import { StorageManager } from "./platform/storage-manager.js";
+import { AuditManager } from "./platform/audit-manager.js";
+import { SessionManager } from "./platform/session-manager.js";
+import { TokenManager } from "./platform/token-manager.js";
+import { AuthenticationManager } from "./platform/authentication-manager.js";
+import { AuthorizationManager } from "./platform/authorization-manager.js";
+import { EventBusManager } from "./platform/event-bus-manager.js";
+import { HealthManager } from "./platform/health-manager.js";
+import { BackgroundJobManager } from "./platform/background-job-manager.js";
+import { ApiGatewayManager } from "./platform/api-gateway-manager.js";
+import { ExternalServiceManager } from "./platform/external-service-manager.js";
+import { SearchIndexManager } from "./platform/search-index-manager.js";
+export function createManagerRuntime(options = {}) {
+    const configuration = new ConfigurationManager();
+    const database = new DatabaseManager();
+    database.configure(configuration.readRuntimeConfig({ dataRoot: options.dataRoot }).dataRoot);
+    const secrets = new SecretsManager();
+    const transaction = new TransactionManager();
+    const migration = new MigrationManager();
+    const storage = new StorageManager();
+    const audit = new AuditManager();
+    const session = new SessionManager(database, secrets, configuration, audit);
+    const token = new TokenManager(audit);
+    const authentication = new AuthenticationManager(session, token);
+    const authorization = new AuthorizationManager();
+    const eventBus = new EventBusManager();
+    const health = new HealthManager();
+    const backgroundJobs = new BackgroundJobManager();
+    const apiGateway = new ApiGatewayManager();
+    const externalServices = new ExternalServiceManager();
+    const searchIndex = new SearchIndexManager();
+    return {
+        configuration,
+        secrets,
+        database,
+        transaction,
+        migration,
+        storage,
+        authentication,
+        authorization,
+        session,
+        token,
+        eventBus,
+        audit,
+        health,
+        backgroundJobs,
+        apiGateway,
+        externalServices,
+        searchIndex
+    };
+}

package/dist/server/managers/type-guards.js

@@ -0,0 +1,4 @@
+import { ManagerError } from "./contracts.js";
+export function isManagerError(value) {
+    return value instanceof ManagerError;
+}