hyperclaw 5.2.8 → 5.2.9

package/dist/developer-keys-BWXHaWxY.js

@@ -0,0 +1,127 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const crypto = require_chunk.__toESM(require("crypto"));
+
+//#region src/infra/developer-keys.ts
+require_paths.init_paths();
+const KEYS_FILE = "developer-keys.json";
+function getKeysPath(baseDir) {
+	const root = baseDir ?? require_paths.getHyperClawDir();
+	return path.default.join(root, KEYS_FILE);
+}
+function hashKey(key) {
+	return crypto.default.createHash("sha256").update(key, "utf8").digest("hex");
+}
+function generateKey() {
+	return `hc_${crypto.default.randomBytes(24).toString("base64url")}`;
+}
+async function loadKeys(baseDir) {
+	const fp = getKeysPath(baseDir);
+	if (!await fs_extra.default.pathExists(fp)) return [];
+	try {
+		const data = await fs_extra.default.readJson(fp);
+		return Array.isArray(data.keys) ? data.keys : [];
+	} catch {
+		return [];
+	}
+}
+async function saveKeys(keys, baseDir) {
+	const fp = getKeysPath(baseDir);
+	const dir = path.default.dirname(fp);
+	await fs_extra.default.ensureDir(dir);
+	await fs_extra.default.writeJson(fp, {
+		keys,
+		updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+	}, { spaces: 2 });
+}
+/** Create a new developer key. Returns the raw key (show once). Optional tenantId for multi-tenant. */
+async function createDeveloperKey(name, opts) {
+	const rawKey = generateKey();
+	const keyHash = hashKey(rawKey);
+	const id = `key_${crypto.default.randomBytes(8).toString("hex")}`;
+	const entry = {
+		id,
+		name: name || "Unnamed",
+		keyHash,
+		tenantId: opts?.tenantId,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const keys = await loadKeys(opts?.baseDir);
+	keys.push(entry);
+	await saveKeys(keys, opts?.baseDir);
+	return {
+		id,
+		key: rawKey,
+		name: entry.name,
+		tenantId: entry.tenantId
+	};
+}
+/** List developer keys (without raw keys). Optional tenantId filter. */
+async function listDeveloperKeys(opts) {
+	let keys = await loadKeys(opts?.baseDir);
+	if (opts?.tenantId) keys = keys.filter((k) => k.tenantId === opts.tenantId);
+	return keys.map((k) => ({
+		id: k.id,
+		name: k.name,
+		tenantId: k.tenantId,
+		createdAt: k.createdAt,
+		lastUsedAt: k.lastUsedAt
+	}));
+}
+/** Revoke a developer key by id. */
+async function revokeDeveloperKey(id) {
+	const keys = await loadKeys();
+	const before = keys.length;
+	const filtered = keys.filter((k) => k.id !== id);
+	if (filtered.length === before) return false;
+	await saveKeys(filtered);
+	return true;
+}
+/**
+
+* Validate a Bearer token. Returns { valid: true, tenantId?: string } or { valid: false }.
+
+* Use with gateway token check: valid = gatewayToken OR result.valid.
+
+*/
+async function validateDeveloperKey(bearer, opts) {
+	if (!bearer || bearer.length < 20) return { valid: false };
+	const keys = await loadKeys(opts?.baseDir);
+	const hash = hashKey(bearer);
+	const idx = keys.findIndex((k) => k.keyHash === hash);
+	if (idx < 0) return { valid: false };
+	keys[idx].lastUsedAt = (/* @__PURE__ */ new Date()).toISOString();
+	await saveKeys(keys, opts?.baseDir).catch(() => {});
+	return {
+		valid: true,
+		tenantId: keys[idx].tenantId
+	};
+}
+
+//#endregion
+Object.defineProperty(exports, 'createDeveloperKey', {
+  enumerable: true,
+  get: function () {
+    return createDeveloperKey;
+  }
+});
+Object.defineProperty(exports, 'listDeveloperKeys', {
+  enumerable: true,
+  get: function () {
+    return listDeveloperKeys;
+  }
+});
+Object.defineProperty(exports, 'revokeDeveloperKey', {
+  enumerable: true,
+  get: function () {
+    return revokeDeveloperKey;
+  }
+});
+Object.defineProperty(exports, 'validateDeveloperKey', {
+  enumerable: true,
+  get: function () {
+    return validateDeveloperKey;
+  }
+});

package/dist/developer-keys-CzDxVczE.js

@@ -0,0 +1,8 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+require('./paths-AIyBxIzm.js');
+const require_developer_keys = require('./developer-keys-BWXHaWxY.js');
+
+exports.createDeveloperKey = require_developer_keys.createDeveloperKey;
+exports.listDeveloperKeys = require_developer_keys.listDeveloperKeys;
+exports.revokeDeveloperKey = require_developer_keys.revokeDeveloperKey;
+exports.validateDeveloperKey = require_developer_keys.validateDeveloperKey;

package/dist/device-auth-store-C1bCwXO2.js

@@ -0,0 +1,7 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+require('./paths-AIyBxIzm.js');
+require('./paths-DPovhojT.js');
+const require_device_auth_store = require('./device-auth-store-DIZTOz4V.js');
+
+require_device_auth_store.init_device_auth_store();
+exports.AuthStore = require_device_auth_store.AuthStore;

package/dist/device-auth-store-DIZTOz4V.js

@@ -0,0 +1,88 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+
+//#region src/infra/device-auth-store.ts
+var AuthStore;
+var init_device_auth_store = require_chunk.__esm({ "src/infra/device-auth-store.ts"() {
+	require_paths$1.init_paths();
+	AuthStore = class {
+		storePath;
+		constructor(storeDir) {
+			const dir = storeDir ?? require_paths.getHyperClawDir();
+			this.storePath = path.default.join(dir, "auth.json");
+		}
+		async readStore() {
+			try {
+				const stat = await fs_extra.default.stat(this.storePath);
+				if ((stat.mode & 63) !== 0) {
+					console.log(chalk.default.yellow("  ⚠  Auth store has unsafe permissions — fixing..."));
+					await fs_extra.default.chmod(this.storePath, 384);
+				}
+				return await fs_extra.default.readJson(this.storePath);
+			} catch {
+				return null;
+			}
+		}
+		async writeStore(store) {
+			await fs_extra.default.ensureDir(path.default.dirname(this.storePath));
+			await fs_extra.default.writeFile(this.storePath, `${JSON.stringify(store, null, 2)}\n`, { mode: 384 });
+		}
+		async getGatewayToken() {
+			return (await this.readStore())?.gatewayToken;
+		}
+		async setGatewayToken(token) {
+			const store = await this.readStore() || this.emptyStore();
+			store.gatewayToken = token;
+			store.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+			await this.writeStore(store);
+		}
+		async setProviderKey(providerId, apiKey) {
+			const store = await this.readStore() || this.emptyStore();
+			store.providers[providerId] = { apiKey };
+			store.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+			await this.writeStore(store);
+		}
+		async getProviderKey(providerId) {
+			return (await this.readStore())?.providers[providerId]?.apiKey;
+		}
+		async listProviders() {
+			return Object.keys((await this.readStore())?.providers || {});
+		}
+		async scrubSensitive() {
+			const store = await this.readStore();
+			if (!store) return null;
+			const scrubbed = JSON.parse(JSON.stringify(store));
+			if (scrubbed.gatewayToken) scrubbed.gatewayToken = "***";
+			for (const p of Object.keys(scrubbed.providers || {})) {
+				if (scrubbed.providers[p].apiKey) scrubbed.providers[p].apiKey = "***";
+				if (scrubbed.providers[p].refreshToken) scrubbed.providers[p].refreshToken = "***";
+			}
+			return scrubbed;
+		}
+		emptyStore() {
+			return {
+				providers: {},
+				createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+				updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+			};
+		}
+	};
+} });
+
+//#endregion
+Object.defineProperty(exports, 'AuthStore', {
+  enumerable: true,
+  get: function () {
+    return AuthStore;
+  }
+});
+Object.defineProperty(exports, 'init_device_auth_store', {
+  enumerable: true,
+  get: function () {
+    return init_device_auth_store;
+  }
+});

package/dist/doctor-C6nAGdH8.js

@@ -0,0 +1,233 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_paths = require('./paths-AIyBxIzm.js');
+const require_paths$1 = require('./paths-DPovhojT.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const net = require_chunk.__toESM(require("net"));
+
+//#region src/commands/doctor.ts
+require_paths$1.init_paths();
+async function isPortOpen(port) {
+	return new Promise((resolve) => {
+		const s = new net.default.Socket();
+		s.setTimeout(500);
+		s.on("connect", () => {
+			s.destroy();
+			resolve(true);
+		});
+		s.on("error", () => resolve(false));
+		s.on("timeout", () => resolve(false));
+		try {
+			s.connect(port, "127.0.0.1");
+		} catch {
+			resolve(false);
+		}
+	});
+}
+async function runDoctor(fix = false, opts = {}) {
+	const doFix = fix || opts.repair || opts.fix || false;
+	const force = opts.force || false;
+	const nonInteractive = opts.nonInteractive || opts.yes || false;
+	const deep = opts.deep || false;
+	const spinner = (0, ora.default)("Running health checks...").start();
+	await new Promise((r) => setTimeout(r, 400));
+	spinner.stop();
+	const configDir = require_paths.getHyperClawDir();
+	const configFile = require_paths.getConfigPath();
+	const agentsFile = path.default.join(configDir, "AGENTS.md");
+	const authFile = path.default.join(configDir, "auth.json");
+	const credentialsDir = path.default.join(configDir, "credentials");
+	const pairingFile = path.default.join(credentialsDir, "discord-pairing.json");
+	let cfg = null;
+	try {
+		cfg = await fs_extra.default.readJson(configFile);
+	} catch {}
+	const issues = [];
+	if (!cfg) issues.push({
+		id: "no-config",
+		severity: "error",
+		title: "No configuration found",
+		detail: "Run: hyperclaw init",
+		fixable: false
+	});
+	else {
+		const hasToken = !!cfg.gateway?.authToken;
+		issues.push({
+			id: "gateway-token",
+			severity: hasToken ? "ok" : "warn",
+			title: hasToken ? "Gateway auth token set" : "Gateway auth token missing",
+			detail: hasToken ? "Token is configured" : "Set a strong token in gateway config",
+			fixable: !hasToken,
+			fix: async () => {
+				const crypto = await import("crypto");
+				cfg.gateway = cfg.gateway || {};
+				cfg.gateway.authToken = crypto.randomBytes(32).toString("hex");
+				const tmp = configFile + ".tmp";
+				fs_extra.default.writeJsonSync(tmp, cfg, { spaces: 2 });
+				fs_extra.default.renameSync(tmp, configFile);
+				console.log(chalk.default.green("  ✔  Generated and saved gateway auth token"));
+			}
+		});
+		const channels = cfg.gateway?.enabledChannels || cfg.channels || [];
+		const channelConfigs = typeof cfg.channelConfigs === "object" && !Array.isArray(cfg.channelConfigs) ? cfg.channelConfigs : {};
+		const chList = Array.isArray(channels) ? channels : Object.keys(channelConfigs);
+		for (const ch of chList) {
+			const chCfg = typeof channelConfigs === "object" && !Array.isArray(channelConfigs) ? channelConfigs[ch] : null;
+			const dmPolicy = chCfg?.dmPolicy?.policy ?? (typeof chCfg?.dmPolicy === "string" ? chCfg.dmPolicy : null);
+			if (dmPolicy === "open") issues.push({
+				id: `dm-open-${ch}`,
+				severity: "warn",
+				title: `DM policy is "open" on ${ch}`,
+				detail: `Anyone can DM your agent on ${ch}. Consider using "pairing" or "allowlist".`,
+				fixable: false
+			});
+			if (dmPolicy === "allowlist") {
+				const allowFrom = chCfg?.dmPolicy?.allowFrom ?? chCfg?.allowFrom ?? [];
+				const arr = Array.isArray(allowFrom) ? allowFrom : [];
+				if (arr.length === 0) issues.push({
+					id: `dm-empty-allowlist-${ch}`,
+					severity: "error",
+					title: `Empty allowlist on ${ch} — DMs will be silently dropped`,
+					detail: `channel.${ch}.allowFrom or dmPolicy.allowFrom is empty. Add users or change policy.`,
+					fixable: true,
+					fix: async () => {
+						try {
+							const allowFromPath = path.default.join(credentialsDir, `${ch}-allowFrom.json`);
+							if (await fs_extra.default.pathExists(allowFromPath)) {
+								const af = await fs_extra.default.readJson(allowFromPath);
+								const ids = af.senderIds;
+								if (ids?.length) {
+									cfg.channelConfigs = cfg.channelConfigs || {};
+									const existing = cfg.channelConfigs[ch] || {};
+									const merged = {
+										...existing,
+										allowFrom: ids
+									};
+									if (typeof existing.dmPolicy === "object") merged.dmPolicy = {
+										...existing.dmPolicy,
+										allowFrom: ids
+									};
+									cfg.channelConfigs[ch] = merged;
+									const tmp = configFile + ".tmp";
+									await fs_extra.default.writeJson(tmp, cfg, { spaces: 2 });
+									await fs_extra.default.rename(tmp, configFile);
+									console.log(chalk.default.green(`  ✔  Restored ${ids.length} user(s) from allowFrom store`));
+								}
+							}
+						} catch (e) {
+							if (process.env.DEBUG) console.error("[doctor] restore allowFrom:", e?.message);
+						}
+					}
+				});
+			}
+		}
+		const hasApiKey = !!cfg.provider?.apiKey;
+		const isLocal = cfg.provider?.providerId === "local";
+		if (!hasApiKey && !isLocal) issues.push({
+			id: "no-api-key",
+			severity: "error",
+			title: "No AI provider API key configured",
+			detail: "Run: hyperclaw config set-key",
+			fixable: false
+		});
+		else issues.push({
+			id: "api-key",
+			severity: "ok",
+			title: "AI provider key configured",
+			detail: `Provider: ${cfg.provider?.providerId}`,
+			fixable: false
+		});
+		issues.push({
+			id: "agents-md",
+			severity: await fs_extra.default.pathExists(agentsFile) ? "ok" : "warn",
+			title: await fs_extra.default.pathExists(agentsFile) ? "AGENTS.md exists" : "AGENTS.md missing",
+			detail: await fs_extra.default.pathExists(agentsFile) ? agentsFile : "Run: hyperclaw memory init to generate",
+			fixable: false
+		});
+		const port = cfg.gateway?.port || 18789;
+		const running = await isPortOpen(port);
+		issues.push({
+			id: "gateway-running",
+			severity: running ? "ok" : "warn",
+			title: running ? `Gateway running on port ${port}` : `Gateway not running on port ${port}`,
+			detail: running ? `ws://127.0.0.1:${port}` : "Run: hyperclaw daemon start",
+			fixable: false
+		});
+		if (await fs_extra.default.pathExists(configFile)) {
+			const stat = await fs_extra.default.stat(configFile);
+			const unsafe = (stat.mode & 63) !== 0;
+			if (unsafe) issues.push({
+				id: "config-permissions",
+				severity: "warn",
+				title: "Config file has unsafe permissions",
+				detail: `chmod 600 ${configFile}`,
+				fixable: true,
+				fix: async () => {
+					await fs_extra.default.chmod(configFile, 384);
+					console.log(chalk.default.green(`  ✔  Fixed permissions on ${configFile}`));
+				}
+			});
+		}
+		const stateWritable = await fs_extra.default.pathExists(configDir) && (await fs_extra.default.stat(configDir).catch(() => null))?.isDirectory?.();
+		issues.push({
+			id: "state-dir",
+			severity: stateWritable ? "ok" : "error",
+			title: stateWritable ? "State directory OK" : "State directory missing or not writable",
+			detail: stateWritable ? configDir : `Ensure ${configDir} exists and is writable`,
+			fixable: !stateWritable,
+			fix: async () => {
+				await fs_extra.default.ensureDir(configDir);
+				console.log(chalk.default.green(`  ✔  Created state directory: ${configDir}`));
+			}
+		});
+		if (await fs_extra.default.pathExists(authFile)) {
+			const stat = await fs_extra.default.stat(authFile);
+			const unsafe = (stat.mode & 63) !== 0;
+			issues.push({
+				id: "auth-permissions",
+				severity: unsafe ? "warn" : "ok",
+				title: unsafe ? "Auth store has unsafe permissions" : "Auth store permissions OK",
+				detail: unsafe ? `chmod 600 ${authFile}` : `Mode: 600`,
+				fixable: unsafe,
+				fix: async () => {
+					await fs_extra.default.chmod(authFile, 384);
+					console.log(chalk.default.green(`  ✔  Fixed permissions on ${authFile}`));
+				}
+			});
+		}
+	}
+	console.log(chalk.default.bold.cyan("\n  🩺 HYPERCLAW DOCTOR\n"));
+	let errorCount = 0, warnCount = 0;
+	for (const issue of issues) {
+		const icon = {
+			error: chalk.default.red("✖"),
+			warn: chalk.default.yellow("⚠"),
+			ok: chalk.default.green("✔")
+		}[issue.severity];
+		console.log(`  ${icon} ${chalk.default.white(issue.title)}`);
+		console.log(`     ${chalk.default.gray(issue.detail)}`);
+		if (issue.fixable && doFix && issue.fix) await issue.fix();
+		else if (issue.fixable && !fix) console.log(chalk.default.gray("     Run with --fix to auto-repair"));
+		if (issue.severity === "error") errorCount++;
+		if (issue.severity === "warn") warnCount++;
+		console.log();
+	}
+	const total = issues.length;
+	const okCount = total - errorCount - warnCount;
+	console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.green(`${okCount} ok`)}  ${chalk.default.yellow(`${warnCount} warnings`)}  ${chalk.default.red(`${errorCount} errors`)}`);
+	if (errorCount > 0 || warnCount > 0) {
+		console.log(chalk.default.gray("\n  Run: hyperclaw doctor --fix   to auto-repair fixable issues"));
+		if (deep) console.log(chalk.default.gray("  Use --deep to scan for extra gateway services (launchd/systemd/schtasks)\n"));
+		else console.log();
+	} else console.log(chalk.default.green("\n  ✔  All checks passed!\n"));
+}
+
+//#endregion
+Object.defineProperty(exports, 'runDoctor', {
+  enumerable: true,
+  get: function () {
+    return runDoctor;
+  }
+});

package/dist/doctor-mgWumA25.js

@@ -0,0 +1,6 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+require('./paths-AIyBxIzm.js');
+require('./paths-DPovhojT.js');
+const require_doctor = require('./doctor-C6nAGdH8.js');
+
+exports.runDoctor = require_doctor.runDoctor;