nox-openclaw-hunter 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +140 -0
- package/bin/nox.js +2 -0
- package/dist/branding.d.ts +39 -0
- package/dist/branding.d.ts.map +1 -0
- package/dist/branding.js +66 -0
- package/dist/branding.js.map +1 -0
- package/dist/cli.d.ts +15 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +94 -0
- package/dist/cli.js.map +1 -0
- package/dist/commands/export.d.ts +21 -0
- package/dist/commands/export.d.ts.map +1 -0
- package/dist/commands/export.js +616 -0
- package/dist/commands/export.js.map +1 -0
- package/dist/commands/index.d.ts +8 -0
- package/dist/commands/index.d.ts.map +1 -0
- package/dist/commands/index.js +8 -0
- package/dist/commands/index.js.map +1 -0
- package/dist/commands/isolate.d.ts +30 -0
- package/dist/commands/isolate.d.ts.map +1 -0
- package/dist/commands/isolate.js +547 -0
- package/dist/commands/isolate.js.map +1 -0
- package/dist/commands/purge.d.ts +22 -0
- package/dist/commands/purge.d.ts.map +1 -0
- package/dist/commands/purge.js +295 -0
- package/dist/commands/purge.js.map +1 -0
- package/dist/commands/scan.d.ts +23 -0
- package/dist/commands/scan.d.ts.map +1 -0
- package/dist/commands/scan.js +155 -0
- package/dist/commands/scan.js.map +1 -0
- package/dist/detector/app-bundle.d.ts +13 -0
- package/dist/detector/app-bundle.d.ts.map +1 -0
- package/dist/detector/app-bundle.js +27 -0
- package/dist/detector/app-bundle.js.map +1 -0
- package/dist/detector/cli-binary.d.ts +12 -0
- package/dist/detector/cli-binary.d.ts.map +1 -0
- package/dist/detector/cli-binary.js +66 -0
- package/dist/detector/cli-binary.js.map +1 -0
- package/dist/detector/config.d.ts +21 -0
- package/dist/detector/config.d.ts.map +1 -0
- package/dist/detector/config.js +337 -0
- package/dist/detector/config.js.map +1 -0
- package/dist/detector/detection-config.d.ts +24 -0
- package/dist/detector/detection-config.d.ts.map +1 -0
- package/dist/detector/detection-config.js +242 -0
- package/dist/detector/detection-config.js.map +1 -0
- package/dist/detector/docker.d.ts +10 -0
- package/dist/detector/docker.d.ts.map +1 -0
- package/dist/detector/docker.js +94 -0
- package/dist/detector/docker.js.map +1 -0
- package/dist/detector/index.d.ts +50 -0
- package/dist/detector/index.d.ts.map +1 -0
- package/dist/detector/index.js +155 -0
- package/dist/detector/index.js.map +1 -0
- package/dist/detector/network.d.ts +34 -0
- package/dist/detector/network.d.ts.map +1 -0
- package/dist/detector/network.js +205 -0
- package/dist/detector/network.js.map +1 -0
- package/dist/detector/process.d.ts +16 -0
- package/dist/detector/process.d.ts.map +1 -0
- package/dist/detector/process.js +47 -0
- package/dist/detector/process.js.map +1 -0
- package/dist/detector/service.d.ts +17 -0
- package/dist/detector/service.d.ts.map +1 -0
- package/dist/detector/service.js +51 -0
- package/dist/detector/service.js.map +1 -0
- package/dist/enforcer/docker-cleaner.d.ts +30 -0
- package/dist/enforcer/docker-cleaner.d.ts.map +1 -0
- package/dist/enforcer/docker-cleaner.js +163 -0
- package/dist/enforcer/docker-cleaner.js.map +1 -0
- package/dist/enforcer/file-remover.d.ts +34 -0
- package/dist/enforcer/file-remover.d.ts.map +1 -0
- package/dist/enforcer/file-remover.js +137 -0
- package/dist/enforcer/file-remover.js.map +1 -0
- package/dist/enforcer/index.d.ts +33 -0
- package/dist/enforcer/index.d.ts.map +1 -0
- package/dist/enforcer/index.js +142 -0
- package/dist/enforcer/index.js.map +1 -0
- package/dist/enforcer/process-killer.d.ts +18 -0
- package/dist/enforcer/process-killer.d.ts.map +1 -0
- package/dist/enforcer/process-killer.js +80 -0
- package/dist/enforcer/process-killer.js.map +1 -0
- package/dist/enforcer/service-stopper.d.ts +23 -0
- package/dist/enforcer/service-stopper.d.ts.map +1 -0
- package/dist/enforcer/service-stopper.js +95 -0
- package/dist/enforcer/service-stopper.js.map +1 -0
- package/dist/index.d.ts +6 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +10 -0
- package/dist/index.js.map +1 -0
- package/dist/isolator/firewall.d.ts +25 -0
- package/dist/isolator/firewall.d.ts.map +1 -0
- package/dist/isolator/firewall.js +114 -0
- package/dist/isolator/firewall.js.map +1 -0
- package/dist/isolator/index.d.ts +63 -0
- package/dist/isolator/index.d.ts.map +1 -0
- package/dist/isolator/index.js +201 -0
- package/dist/isolator/index.js.map +1 -0
- package/dist/isolator/lockdown.d.ts +22 -0
- package/dist/isolator/lockdown.d.ts.map +1 -0
- package/dist/isolator/lockdown.js +401 -0
- package/dist/isolator/lockdown.js.map +1 -0
- package/dist/isolator/quarantine.d.ts +39 -0
- package/dist/isolator/quarantine.d.ts.map +1 -0
- package/dist/isolator/quarantine.js +364 -0
- package/dist/isolator/quarantine.js.map +1 -0
- package/dist/mdm/index.d.ts +93 -0
- package/dist/mdm/index.d.ts.map +1 -0
- package/dist/mdm/index.js +414 -0
- package/dist/mdm/index.js.map +1 -0
- package/dist/mdm/intune.d.ts +69 -0
- package/dist/mdm/intune.d.ts.map +1 -0
- package/dist/mdm/intune.js +409 -0
- package/dist/mdm/intune.js.map +1 -0
- package/dist/mdm/jamf.d.ts +58 -0
- package/dist/mdm/jamf.d.ts.map +1 -0
- package/dist/mdm/jamf.js +441 -0
- package/dist/mdm/jamf.js.map +1 -0
- package/dist/mdm/jumpcloud.d.ts +73 -0
- package/dist/mdm/jumpcloud.d.ts.map +1 -0
- package/dist/mdm/jumpcloud.js +470 -0
- package/dist/mdm/jumpcloud.js.map +1 -0
- package/dist/mdm/templates/detect.ps1.d.ts +30 -0
- package/dist/mdm/templates/detect.ps1.d.ts.map +1 -0
- package/dist/mdm/templates/detect.ps1.js +463 -0
- package/dist/mdm/templates/detect.ps1.js.map +1 -0
- package/dist/mdm/templates/detect.sh.d.ts +30 -0
- package/dist/mdm/templates/detect.sh.d.ts.map +1 -0
- package/dist/mdm/templates/detect.sh.js +474 -0
- package/dist/mdm/templates/detect.sh.js.map +1 -0
- package/dist/mdm/templates/enforce.ps1.d.ts +33 -0
- package/dist/mdm/templates/enforce.ps1.d.ts.map +1 -0
- package/dist/mdm/templates/enforce.ps1.js +681 -0
- package/dist/mdm/templates/enforce.ps1.js.map +1 -0
- package/dist/mdm/templates/enforce.sh.d.ts +33 -0
- package/dist/mdm/templates/enforce.sh.d.ts.map +1 -0
- package/dist/mdm/templates/enforce.sh.js +591 -0
- package/dist/mdm/templates/enforce.sh.js.map +1 -0
- package/dist/platform/darwin.d.ts +6 -0
- package/dist/platform/darwin.d.ts.map +1 -0
- package/dist/platform/darwin.js +192 -0
- package/dist/platform/darwin.js.map +1 -0
- package/dist/platform/index.d.ts +43 -0
- package/dist/platform/index.d.ts.map +1 -0
- package/dist/platform/index.js +27 -0
- package/dist/platform/index.js.map +1 -0
- package/dist/platform/linux.d.ts +6 -0
- package/dist/platform/linux.d.ts.map +1 -0
- package/dist/platform/linux.js +134 -0
- package/dist/platform/linux.js.map +1 -0
- package/dist/platform/windows.d.ts +6 -0
- package/dist/platform/windows.d.ts.map +1 -0
- package/dist/platform/windows.js +134 -0
- package/dist/platform/windows.js.map +1 -0
- package/dist/reporter/console.d.ts +27 -0
- package/dist/reporter/console.d.ts.map +1 -0
- package/dist/reporter/console.js +431 -0
- package/dist/reporter/console.js.map +1 -0
- package/dist/reporter/index.d.ts +11 -0
- package/dist/reporter/index.d.ts.map +1 -0
- package/dist/reporter/index.js +13 -0
- package/dist/reporter/index.js.map +1 -0
- package/dist/reporter/json.d.ts +61 -0
- package/dist/reporter/json.d.ts.map +1 -0
- package/dist/reporter/json.js +75 -0
- package/dist/reporter/json.js.map +1 -0
- package/dist/reporter/webhook.d.ts +57 -0
- package/dist/reporter/webhook.d.ts.map +1 -0
- package/dist/reporter/webhook.js +230 -0
- package/dist/reporter/webhook.js.map +1 -0
- package/dist/types/config.d.ts +116 -0
- package/dist/types/config.d.ts.map +1 -0
- package/dist/types/config.js +6 -0
- package/dist/types/config.js.map +1 -0
- package/dist/types/detection.d.ts +85 -0
- package/dist/types/detection.d.ts.map +1 -0
- package/dist/types/detection.js +5 -0
- package/dist/types/detection.js.map +1 -0
- package/dist/types/enforcement.d.ts +33 -0
- package/dist/types/enforcement.d.ts.map +1 -0
- package/dist/types/enforcement.js +5 -0
- package/dist/types/enforcement.js.map +1 -0
- package/dist/types/index.d.ts +8 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +8 -0
- package/dist/types/index.js.map +1 -0
- package/dist/types/isolation.d.ts +55 -0
- package/dist/types/isolation.d.ts.map +1 -0
- package/dist/types/isolation.js +5 -0
- package/dist/types/isolation.js.map +1 -0
- package/dist/utils/exec.d.ts +48 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +103 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/fs.d.ts +34 -0
- package/dist/utils/fs.d.ts.map +1 -0
- package/dist/utils/fs.js +111 -0
- package/dist/utils/fs.js.map +1 -0
- package/dist/utils/index.d.ts +7 -0
- package/dist/utils/index.d.ts.map +1 -0
- package/dist/utils/index.js +7 -0
- package/dist/utils/index.js.map +1 -0
- package/dist/utils/logger.d.ts +14 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +48 -0
- package/dist/utils/logger.js.map +1 -0
- package/docs/intune.md +390 -0
- package/docs/jamf.md +400 -0
- package/docs/jumpcloud.md +510 -0
- package/package.json +65 -0
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Webhook delivery for SIEM/alerting integrations.
|
|
3
|
+
*/
|
|
4
|
+
import type { DetectionResult, EnforcementResult, IsolationResult, WebhookOptions } from '../types/index.js';
|
|
5
|
+
export type WebhookEventType = 'openclaw.detection' | 'openclaw.enforcement' | 'openclaw.isolation';
|
|
6
|
+
export type WebhookSeverity = 'low' | 'medium' | 'high' | 'critical';
|
|
7
|
+
export interface WebhookPayload {
|
|
8
|
+
event: WebhookEventType;
|
|
9
|
+
timestamp: string;
|
|
10
|
+
severity: WebhookSeverity;
|
|
11
|
+
host: {
|
|
12
|
+
hostname: string;
|
|
13
|
+
platform: string;
|
|
14
|
+
};
|
|
15
|
+
nox: {
|
|
16
|
+
version: string;
|
|
17
|
+
tool: string;
|
|
18
|
+
};
|
|
19
|
+
detection: DetectionResult;
|
|
20
|
+
enforcement?: EnforcementResult;
|
|
21
|
+
isolation?: IsolationResult;
|
|
22
|
+
}
|
|
23
|
+
export interface WebhookResult {
|
|
24
|
+
success: boolean;
|
|
25
|
+
statusCode?: number;
|
|
26
|
+
error?: string;
|
|
27
|
+
duration: number;
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Build webhook payload for detection event.
|
|
31
|
+
*/
|
|
32
|
+
export declare function buildDetectionPayload(detection: DetectionResult): WebhookPayload;
|
|
33
|
+
/**
|
|
34
|
+
* Build webhook payload for enforcement event.
|
|
35
|
+
*/
|
|
36
|
+
export declare function buildEnforcementPayload(detection: DetectionResult, enforcement: EnforcementResult): WebhookPayload;
|
|
37
|
+
/**
|
|
38
|
+
* Build webhook payload for isolation event.
|
|
39
|
+
*/
|
|
40
|
+
export declare function buildIsolationPayload(detection: DetectionResult, isolation: IsolationResult, enforcement?: EnforcementResult): WebhookPayload;
|
|
41
|
+
/**
|
|
42
|
+
* Send webhook payload to URL.
|
|
43
|
+
*/
|
|
44
|
+
export declare function sendWebhook(url: string, payload: WebhookPayload, options?: WebhookOptions): Promise<WebhookResult>;
|
|
45
|
+
/**
|
|
46
|
+
* Send detection results to webhook.
|
|
47
|
+
*/
|
|
48
|
+
export declare function sendDetectionWebhook(url: string, detection: DetectionResult, options?: WebhookOptions): Promise<WebhookResult>;
|
|
49
|
+
/**
|
|
50
|
+
* Send enforcement results to webhook.
|
|
51
|
+
*/
|
|
52
|
+
export declare function sendEnforcementWebhook(url: string, detection: DetectionResult, enforcement: EnforcementResult, options?: WebhookOptions): Promise<WebhookResult>;
|
|
53
|
+
/**
|
|
54
|
+
* Send isolation results to webhook.
|
|
55
|
+
*/
|
|
56
|
+
export declare function sendIsolationWebhook(url: string, detection: DetectionResult, isolation: IsolationResult, enforcement?: EnforcementResult, options?: WebhookOptions): Promise<WebhookResult>;
|
|
57
|
+
//# sourceMappingURL=webhook.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/reporter/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,cAAc,EACf,MAAM,mBAAmB,CAAC;AAkE3B,MAAM,MAAM,gBAAgB,GACxB,oBAAoB,GACpB,sBAAsB,GACtB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAErE,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,gBAAgB,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,eAAe,CAAC;IAC1B,IAAI,EAAE;QACJ,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,GAAG,EAAE;QACH,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,SAAS,EAAE,eAAe,CAAC;IAC3B,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,SAAS,CAAC,EAAE,eAAe,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAgBD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,eAAe,GAAG,cAAc,CAehF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,iBAAiB,GAC7B,cAAc,CAgBhB;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,eAAe,EAC1B,SAAS,EAAE,eAAe,EAC1B,WAAW,CAAC,EAAE,iBAAiB,GAC9B,cAAc,CAmBhB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA+ExB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,eAAe,EAC1B,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAGxB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,eAAe,EAC1B,WAAW,EAAE,iBAAiB,EAC9B,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAGxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,eAAe,EAC1B,SAAS,EAAE,eAAe,EAC1B,WAAW,CAAC,EAAE,iBAAiB,EAC/B,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAGxB"}
|
|
@@ -0,0 +1,230 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Webhook delivery for SIEM/alerting integrations.
|
|
3
|
+
*/
|
|
4
|
+
import { logger } from '../utils/logger.js';
|
|
5
|
+
import { VERSION, TOOL_NAME } from '../branding.js';
|
|
6
|
+
const DEFAULT_TIMEOUT = 30000; // 30 seconds
|
|
7
|
+
/**
|
|
8
|
+
* Validate a webhook URL for security.
|
|
9
|
+
* Prevents SSRF by blocking internal/private IP ranges and non-HTTPS URLs in production.
|
|
10
|
+
*/
|
|
11
|
+
function validateWebhookUrl(url) {
|
|
12
|
+
let parsed;
|
|
13
|
+
try {
|
|
14
|
+
parsed = new URL(url);
|
|
15
|
+
}
|
|
16
|
+
catch {
|
|
17
|
+
throw new Error(`Invalid webhook URL: ${url}`);
|
|
18
|
+
}
|
|
19
|
+
// Only allow http and https protocols
|
|
20
|
+
if (!['http:', 'https:'].includes(parsed.protocol)) {
|
|
21
|
+
throw new Error(`Invalid webhook URL protocol: ${parsed.protocol} (only http/https allowed)`);
|
|
22
|
+
}
|
|
23
|
+
// Block private/internal IP addresses to prevent SSRF
|
|
24
|
+
const hostname = parsed.hostname.toLowerCase();
|
|
25
|
+
// Block localhost and loopback
|
|
26
|
+
if (hostname === 'localhost' ||
|
|
27
|
+
hostname === '127.0.0.1' ||
|
|
28
|
+
hostname === '::1' ||
|
|
29
|
+
hostname.endsWith('.localhost')) {
|
|
30
|
+
throw new Error('Webhook URLs to localhost are not allowed');
|
|
31
|
+
}
|
|
32
|
+
// Block private IP ranges (RFC 1918)
|
|
33
|
+
const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
|
|
34
|
+
if (ipv4Match) {
|
|
35
|
+
const [, a, b] = ipv4Match.map(Number);
|
|
36
|
+
// 10.0.0.0/8
|
|
37
|
+
if (a === 10) {
|
|
38
|
+
throw new Error('Webhook URLs to private IP ranges are not allowed');
|
|
39
|
+
}
|
|
40
|
+
// 172.16.0.0/12
|
|
41
|
+
if (a === 172 && b >= 16 && b <= 31) {
|
|
42
|
+
throw new Error('Webhook URLs to private IP ranges are not allowed');
|
|
43
|
+
}
|
|
44
|
+
// 192.168.0.0/16
|
|
45
|
+
if (a === 192 && b === 168) {
|
|
46
|
+
throw new Error('Webhook URLs to private IP ranges are not allowed');
|
|
47
|
+
}
|
|
48
|
+
// 169.254.0.0/16 (link-local)
|
|
49
|
+
if (a === 169 && b === 254) {
|
|
50
|
+
throw new Error('Webhook URLs to link-local addresses are not allowed');
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
// Block internal cloud metadata endpoints
|
|
54
|
+
if (hostname === '169.254.169.254' ||
|
|
55
|
+
hostname === 'metadata.google.internal' ||
|
|
56
|
+
hostname.endsWith('.internal')) {
|
|
57
|
+
throw new Error('Webhook URLs to cloud metadata endpoints are not allowed');
|
|
58
|
+
}
|
|
59
|
+
return parsed;
|
|
60
|
+
}
|
|
61
|
+
/**
|
|
62
|
+
* Determine severity based on detection summary.
|
|
63
|
+
*/
|
|
64
|
+
function getSeverity(result) {
|
|
65
|
+
switch (result.summary) {
|
|
66
|
+
case 'installed-and-running':
|
|
67
|
+
return 'high';
|
|
68
|
+
case 'installed-not-running':
|
|
69
|
+
return 'medium';
|
|
70
|
+
case 'not-installed':
|
|
71
|
+
return 'low';
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* Build webhook payload for detection event.
|
|
76
|
+
*/
|
|
77
|
+
export function buildDetectionPayload(detection) {
|
|
78
|
+
return {
|
|
79
|
+
event: 'openclaw.detection',
|
|
80
|
+
timestamp: new Date().toISOString(),
|
|
81
|
+
severity: getSeverity(detection),
|
|
82
|
+
host: {
|
|
83
|
+
hostname: detection.hostname,
|
|
84
|
+
platform: detection.platform,
|
|
85
|
+
},
|
|
86
|
+
nox: {
|
|
87
|
+
version: VERSION,
|
|
88
|
+
tool: TOOL_NAME,
|
|
89
|
+
},
|
|
90
|
+
detection,
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* Build webhook payload for enforcement event.
|
|
95
|
+
*/
|
|
96
|
+
export function buildEnforcementPayload(detection, enforcement) {
|
|
97
|
+
return {
|
|
98
|
+
event: 'openclaw.enforcement',
|
|
99
|
+
timestamp: new Date().toISOString(),
|
|
100
|
+
severity: enforcement.summary.failed > 0 ? 'high' : 'medium',
|
|
101
|
+
host: {
|
|
102
|
+
hostname: detection.hostname,
|
|
103
|
+
platform: detection.platform,
|
|
104
|
+
},
|
|
105
|
+
nox: {
|
|
106
|
+
version: VERSION,
|
|
107
|
+
tool: TOOL_NAME,
|
|
108
|
+
},
|
|
109
|
+
detection,
|
|
110
|
+
enforcement,
|
|
111
|
+
};
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* Build webhook payload for isolation event.
|
|
115
|
+
*/
|
|
116
|
+
export function buildIsolationPayload(detection, isolation, enforcement) {
|
|
117
|
+
const hasFailedIsolation = isolation.actions.some(a => a.status === 'failed');
|
|
118
|
+
return {
|
|
119
|
+
event: 'openclaw.isolation',
|
|
120
|
+
timestamp: new Date().toISOString(),
|
|
121
|
+
severity: hasFailedIsolation ? 'critical' : 'high',
|
|
122
|
+
host: {
|
|
123
|
+
hostname: detection.hostname,
|
|
124
|
+
platform: detection.platform,
|
|
125
|
+
},
|
|
126
|
+
nox: {
|
|
127
|
+
version: VERSION,
|
|
128
|
+
tool: TOOL_NAME,
|
|
129
|
+
},
|
|
130
|
+
detection,
|
|
131
|
+
...(enforcement && { enforcement }),
|
|
132
|
+
isolation,
|
|
133
|
+
};
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Send webhook payload to URL.
|
|
137
|
+
*/
|
|
138
|
+
export async function sendWebhook(url, payload, options = {}) {
|
|
139
|
+
const startTime = Date.now();
|
|
140
|
+
const timeout = options.timeout ?? DEFAULT_TIMEOUT;
|
|
141
|
+
// Validate URL to prevent SSRF attacks
|
|
142
|
+
let validatedUrl;
|
|
143
|
+
try {
|
|
144
|
+
validatedUrl = validateWebhookUrl(url);
|
|
145
|
+
}
|
|
146
|
+
catch (err) {
|
|
147
|
+
const errorMessage = err instanceof Error ? err.message : 'Invalid URL';
|
|
148
|
+
logger.error(`Webhook URL validation failed: ${errorMessage}`);
|
|
149
|
+
return {
|
|
150
|
+
success: false,
|
|
151
|
+
error: errorMessage,
|
|
152
|
+
duration: Date.now() - startTime,
|
|
153
|
+
};
|
|
154
|
+
}
|
|
155
|
+
const headers = {
|
|
156
|
+
'Content-Type': 'application/json',
|
|
157
|
+
'User-Agent': `nox-openclaw-detector/${VERSION}`,
|
|
158
|
+
};
|
|
159
|
+
if (options.token) {
|
|
160
|
+
headers['Authorization'] = `Bearer ${options.token}`;
|
|
161
|
+
}
|
|
162
|
+
const controller = new AbortController();
|
|
163
|
+
const timeoutId = setTimeout(() => controller.abort(), timeout);
|
|
164
|
+
try {
|
|
165
|
+
logger.debug(`Sending webhook to ${validatedUrl.href}`);
|
|
166
|
+
const response = await fetch(validatedUrl.href, {
|
|
167
|
+
method: 'POST',
|
|
168
|
+
headers,
|
|
169
|
+
body: JSON.stringify(payload),
|
|
170
|
+
signal: controller.signal,
|
|
171
|
+
});
|
|
172
|
+
clearTimeout(timeoutId);
|
|
173
|
+
const duration = Date.now() - startTime;
|
|
174
|
+
if (response.ok) {
|
|
175
|
+
logger.debug(`Webhook sent successfully (${response.status}) in ${duration}ms`);
|
|
176
|
+
return {
|
|
177
|
+
success: true,
|
|
178
|
+
statusCode: response.status,
|
|
179
|
+
duration,
|
|
180
|
+
};
|
|
181
|
+
}
|
|
182
|
+
else {
|
|
183
|
+
const errorText = await response.text().catch(() => 'Unknown error');
|
|
184
|
+
logger.warn(`Webhook failed with status ${response.status}: ${errorText}`);
|
|
185
|
+
return {
|
|
186
|
+
success: false,
|
|
187
|
+
statusCode: response.status,
|
|
188
|
+
error: `HTTP ${response.status}: ${errorText}`,
|
|
189
|
+
duration,
|
|
190
|
+
};
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
catch (error) {
|
|
194
|
+
clearTimeout(timeoutId);
|
|
195
|
+
const duration = Date.now() - startTime;
|
|
196
|
+
const errorMessage = error instanceof Error
|
|
197
|
+
? error.name === 'AbortError'
|
|
198
|
+
? `Timeout after ${timeout}ms`
|
|
199
|
+
: error.message
|
|
200
|
+
: 'Unknown error';
|
|
201
|
+
logger.error(`Webhook error: ${errorMessage}`);
|
|
202
|
+
return {
|
|
203
|
+
success: false,
|
|
204
|
+
error: errorMessage,
|
|
205
|
+
duration,
|
|
206
|
+
};
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
/**
|
|
210
|
+
* Send detection results to webhook.
|
|
211
|
+
*/
|
|
212
|
+
export async function sendDetectionWebhook(url, detection, options = {}) {
|
|
213
|
+
const payload = buildDetectionPayload(detection);
|
|
214
|
+
return sendWebhook(url, payload, options);
|
|
215
|
+
}
|
|
216
|
+
/**
|
|
217
|
+
* Send enforcement results to webhook.
|
|
218
|
+
*/
|
|
219
|
+
export async function sendEnforcementWebhook(url, detection, enforcement, options = {}) {
|
|
220
|
+
const payload = buildEnforcementPayload(detection, enforcement);
|
|
221
|
+
return sendWebhook(url, payload, options);
|
|
222
|
+
}
|
|
223
|
+
/**
|
|
224
|
+
* Send isolation results to webhook.
|
|
225
|
+
*/
|
|
226
|
+
export async function sendIsolationWebhook(url, detection, isolation, enforcement, options = {}) {
|
|
227
|
+
const payload = buildIsolationPayload(detection, isolation, enforcement);
|
|
228
|
+
return sendWebhook(url, payload, options);
|
|
229
|
+
}
|
|
230
|
+
//# sourceMappingURL=webhook.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/reporter/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAQH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEpD,MAAM,eAAe,GAAG,KAAK,CAAC,CAAC,aAAa;AAE5C;;;GAGG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,sCAAsC;IACtC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,QAAQ,4BAA4B,CAAC,CAAC;IAChG,CAAC;IAED,sDAAsD;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE/C,+BAA+B;IAC/B,IAAI,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,KAAK;QAClB,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,qCAAqC;IACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;IACjF,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,aAAa;QACb,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,gBAAgB;QAChB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,iBAAiB;QACjB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,8BAA8B;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,KAAK,iBAAiB;QAC9B,QAAQ,KAAK,0BAA0B;QACvC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAiCD;;GAEG;AACH,SAAS,WAAW,CAAC,MAAuB;IAC1C,QAAQ,MAAM,CAAC,OAAO,EAAE,CAAC;QACvB,KAAK,uBAAuB;YAC1B,OAAO,MAAM,CAAC;QAChB,KAAK,uBAAuB;YAC1B,OAAO,QAAQ,CAAC;QAClB,KAAK,eAAe;YAClB,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAA0B;IAC9D,OAAO;QACL,KAAK,EAAE,oBAAoB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,WAAW,CAAC,SAAS,CAAC;QAChC,IAAI,EAAE;YACJ,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,QAAQ,EAAE,SAAS,CAAC,QAAQ;SAC7B;QACD,GAAG,EAAE;YACH,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,SAAS;SAChB;QACD,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAA0B,EAC1B,WAA8B;IAE9B,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QAC5D,IAAI,EAAE;YACJ,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,QAAQ,EAAE,SAAS,CAAC,QAAQ;SAC7B;QACD,GAAG,EAAE;YACH,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,SAAS;SAChB;QACD,SAAS;QACT,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,SAA0B,EAC1B,SAA0B,EAC1B,WAA+B;IAE/B,MAAM,kBAAkB,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IAE9E,OAAO;QACL,KAAK,EAAE,oBAAoB;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;QAClD,IAAI,EAAE;YACJ,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,QAAQ,EAAE,SAAS,CAAC,QAAQ;SAC7B;QACD,GAAG,EAAE;YACH,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,SAAS;SAChB;QACD,SAAS;QACT,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,CAAC;QACnC,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,OAAuB,EACvB,UAA0B,EAAE;IAE5B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IAEnD,uCAAuC;IACvC,IAAI,YAAiB,CAAC;IACtB,IAAI,CAAC;QACH,YAAY,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC;QACxE,MAAM,CAAC,KAAK,CAAC,kCAAkC,YAAY,EAAE,CAAC,CAAC;QAC/D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,YAAY;YACnB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACjC,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,YAAY,EAAE,yBAAyB,OAAO,EAAE;KACjD,CAAC;IAEF,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,OAAO,CAAC,KAAK,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,sBAAsB,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;QAExD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,YAAY,CAAC,SAAS,CAAC,CAAC;QAExB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,QAAQ,QAAQ,IAAI,CAAC,CAAC;YAChF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,QAAQ,CAAC,MAAM;gBAC3B,QAAQ;aACT,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,MAAM,CAAC,IAAI,CAAC,8BAA8B,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC,CAAC;YAC3E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,QAAQ,CAAC,MAAM;gBAC3B,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE;gBAC9C,QAAQ;aACT,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,YAAY,CAAC,SAAS,CAAC,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK;YACzC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,YAAY;gBAC3B,CAAC,CAAC,iBAAiB,OAAO,IAAI;gBAC9B,CAAC,CAAC,KAAK,CAAC,OAAO;YACjB,CAAC,CAAC,eAAe,CAAC;QAEpB,MAAM,CAAC,KAAK,CAAC,kBAAkB,YAAY,EAAE,CAAC,CAAC;QAE/C,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,YAAY;YACnB,QAAQ;SACT,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,SAA0B,EAC1B,UAA0B,EAAE;IAE5B,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACjD,OAAO,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,GAAW,EACX,SAA0B,EAC1B,WAA8B,EAC9B,UAA0B,EAAE;IAE5B,MAAM,OAAO,GAAG,uBAAuB,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAChE,OAAO,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,SAA0B,EAC1B,SAA0B,EAC1B,WAA+B,EAC/B,UAA0B,EAAE;IAE5B,MAAM,OAAO,GAAG,qBAAqB,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IACzE,OAAO,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC"}
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Configuration types for the Nox OpenClaw Detector CLI.
|
|
3
|
+
* Includes both CLI options and detection pattern configurations.
|
|
4
|
+
*/
|
|
5
|
+
/**
|
|
6
|
+
* Options for detection operations.
|
|
7
|
+
*/
|
|
8
|
+
export interface DetectOptions {
|
|
9
|
+
/** Scan all user directories (requires root/admin) */
|
|
10
|
+
allUsers?: boolean;
|
|
11
|
+
/** Specific gateway port to check */
|
|
12
|
+
port?: number;
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Options for webhook delivery.
|
|
16
|
+
*/
|
|
17
|
+
export interface WebhookOptions {
|
|
18
|
+
/** Webhook URL to send results to */
|
|
19
|
+
url?: string;
|
|
20
|
+
/** Bearer token for authentication */
|
|
21
|
+
token?: string;
|
|
22
|
+
/** Timeout in milliseconds */
|
|
23
|
+
timeout?: number;
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* Pattern for locating state directories.
|
|
27
|
+
*/
|
|
28
|
+
export interface StateDirPattern {
|
|
29
|
+
/** Directory name relative to home (e.g., '.clawdbot') */
|
|
30
|
+
name: string;
|
|
31
|
+
/** Human-readable description */
|
|
32
|
+
description?: string;
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Pattern for locating config files.
|
|
36
|
+
*/
|
|
37
|
+
export interface ConfigFilePattern {
|
|
38
|
+
/** Directory name relative to home (e.g., '.clawdbot') */
|
|
39
|
+
dir: string;
|
|
40
|
+
/** Config filename (e.g., 'clawdbot.json') */
|
|
41
|
+
file: string;
|
|
42
|
+
/** Human-readable description */
|
|
43
|
+
description?: string;
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Path pattern for extracting values from nested config objects.
|
|
47
|
+
* Uses dot notation (e.g., 'agents.defaults.model.primary').
|
|
48
|
+
*/
|
|
49
|
+
export type ConfigPath = string;
|
|
50
|
+
/**
|
|
51
|
+
* Configuration extraction patterns.
|
|
52
|
+
* Defines where to look for various configuration values in the parsed config.
|
|
53
|
+
*/
|
|
54
|
+
export interface ConfigExtractionPatterns {
|
|
55
|
+
/** Paths to check for model configuration (in order of priority) */
|
|
56
|
+
model: ConfigPath[];
|
|
57
|
+
/** Paths to check for API provider */
|
|
58
|
+
apiProvider: ConfigPath[];
|
|
59
|
+
/** Paths to check for autonomous mode setting */
|
|
60
|
+
autonomousMode: ConfigPath[];
|
|
61
|
+
/** Paths to check for workspace/workdir */
|
|
62
|
+
workspace: ConfigPath[];
|
|
63
|
+
/** Paths to check for communication channels object */
|
|
64
|
+
channels: ConfigPath[];
|
|
65
|
+
/** Paths to check for permissions/capabilities */
|
|
66
|
+
permissions: ConfigPath[];
|
|
67
|
+
/** Paths to check for max concurrent agents (indicates autonomous capability) */
|
|
68
|
+
maxConcurrent: ConfigPath[];
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Patterns for detecting known AI providers from model names.
|
|
72
|
+
*/
|
|
73
|
+
export interface ProviderDetectionPattern {
|
|
74
|
+
/** Provider identifier (e.g., 'anthropic', 'openai') */
|
|
75
|
+
provider: string;
|
|
76
|
+
/** Substrings to match in model name (case-insensitive) */
|
|
77
|
+
modelPatterns: string[];
|
|
78
|
+
}
|
|
79
|
+
/**
|
|
80
|
+
* Known communication channel identifiers.
|
|
81
|
+
*/
|
|
82
|
+
export interface ChannelPattern {
|
|
83
|
+
/** Channel identifier (e.g., 'telegram') */
|
|
84
|
+
id: string;
|
|
85
|
+
/** Display name (e.g., 'Telegram') */
|
|
86
|
+
displayName: string;
|
|
87
|
+
/** Alternative identifiers to check */
|
|
88
|
+
aliases?: string[];
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Sensitive field patterns for redaction.
|
|
92
|
+
*/
|
|
93
|
+
export interface SensitiveFieldPattern {
|
|
94
|
+
/** Field name to redact */
|
|
95
|
+
field: string;
|
|
96
|
+
/** Optional parent path (e.g., 'gateway.auth' means redact 'auth' under 'gateway') */
|
|
97
|
+
parent?: string;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Complete detection configuration.
|
|
101
|
+
*/
|
|
102
|
+
export interface DetectionConfig {
|
|
103
|
+
/** State directory patterns to check */
|
|
104
|
+
stateDirs: StateDirPattern[];
|
|
105
|
+
/** Config file patterns to check */
|
|
106
|
+
configFiles: ConfigFilePattern[];
|
|
107
|
+
/** Paths for extracting config values */
|
|
108
|
+
extractionPatterns: ConfigExtractionPatterns;
|
|
109
|
+
/** Patterns for inferring provider from model name */
|
|
110
|
+
providerPatterns: ProviderDetectionPattern[];
|
|
111
|
+
/** Known communication channels */
|
|
112
|
+
channelPatterns: ChannelPattern[];
|
|
113
|
+
/** Sensitive fields to redact from raw config */
|
|
114
|
+
sensitiveFields: SensitiveFieldPattern[];
|
|
115
|
+
}
|
|
116
|
+
//# sourceMappingURL=config.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,0DAA0D;IAC1D,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC,oEAAoE;IACpE,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,sCAAsC;IACtC,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,iDAAiD;IACjD,cAAc,EAAE,UAAU,EAAE,CAAC;IAC7B,2CAA2C;IAC3C,SAAS,EAAE,UAAU,EAAE,CAAC;IACxB,uDAAuD;IACvD,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,kDAAkD;IAClD,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,iFAAiF;IACjF,aAAa,EAAE,UAAU,EAAE,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,4CAA4C;IAC5C,EAAE,EAAE,MAAM,CAAC;IACX,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,sFAAsF;IACtF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,wCAAwC;IACxC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,oCAAoC;IACpC,WAAW,EAAE,iBAAiB,EAAE,CAAC;IACjC,yCAAyC;IACzC,kBAAkB,EAAE,wBAAwB,CAAC;IAC7C,sDAAsD;IACtD,gBAAgB,EAAE,wBAAwB,EAAE,CAAC;IAC7C,mCAAmC;IACnC,eAAe,EAAE,cAAc,EAAE,CAAC;IAClC,iDAAiD;IACjD,eAAe,EAAE,qBAAqB,EAAE,CAAC;CAC1C"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;;GAGG"}
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Detection result types for OpenClaw detection.
|
|
3
|
+
*/
|
|
4
|
+
export type DetectionSummary = 'not-installed' | 'installed-not-running' | 'installed-and-running';
|
|
5
|
+
export type PlatformName = 'darwin' | 'linux' | 'windows';
|
|
6
|
+
export interface CliBinaryDetection {
|
|
7
|
+
found: boolean;
|
|
8
|
+
path?: string;
|
|
9
|
+
version?: string;
|
|
10
|
+
}
|
|
11
|
+
export interface AppBundleDetection {
|
|
12
|
+
found: boolean;
|
|
13
|
+
path?: string;
|
|
14
|
+
}
|
|
15
|
+
export interface StateDirDetection {
|
|
16
|
+
found: boolean;
|
|
17
|
+
path?: string;
|
|
18
|
+
}
|
|
19
|
+
export interface OpenClawConfigDetails {
|
|
20
|
+
/** AI model being used (e.g., claude-3-opus, gpt-4, etc.) */
|
|
21
|
+
model?: string;
|
|
22
|
+
/** Communication channels configured */
|
|
23
|
+
channels?: {
|
|
24
|
+
telegram?: boolean;
|
|
25
|
+
whatsapp?: boolean;
|
|
26
|
+
slack?: boolean;
|
|
27
|
+
discord?: boolean;
|
|
28
|
+
email?: boolean;
|
|
29
|
+
sms?: boolean;
|
|
30
|
+
other?: string[];
|
|
31
|
+
};
|
|
32
|
+
/** Whether autonomous mode is enabled */
|
|
33
|
+
autonomousMode?: boolean;
|
|
34
|
+
/** API provider (anthropic, openai, etc.) */
|
|
35
|
+
apiProvider?: string;
|
|
36
|
+
/** Permissions granted */
|
|
37
|
+
permissions?: string[];
|
|
38
|
+
/** Raw config for additional inspection */
|
|
39
|
+
raw?: Record<string, unknown>;
|
|
40
|
+
}
|
|
41
|
+
export interface ConfigDetection {
|
|
42
|
+
found: boolean;
|
|
43
|
+
path?: string;
|
|
44
|
+
/** Parsed configuration details */
|
|
45
|
+
details?: OpenClawConfigDetails;
|
|
46
|
+
}
|
|
47
|
+
export interface ServiceDetection {
|
|
48
|
+
found: boolean;
|
|
49
|
+
name?: string;
|
|
50
|
+
running?: boolean;
|
|
51
|
+
}
|
|
52
|
+
export interface GatewayDetection {
|
|
53
|
+
found: boolean;
|
|
54
|
+
port?: number;
|
|
55
|
+
listening?: boolean;
|
|
56
|
+
}
|
|
57
|
+
/** Platform-level process info (e.g. from ps/tasklist). */
|
|
58
|
+
export interface ProcessInfo {
|
|
59
|
+
pid: number;
|
|
60
|
+
name: string;
|
|
61
|
+
memory?: number;
|
|
62
|
+
user?: string;
|
|
63
|
+
}
|
|
64
|
+
export interface ProcessDetection extends ProcessInfo {
|
|
65
|
+
}
|
|
66
|
+
export interface DockerDetection {
|
|
67
|
+
found: boolean;
|
|
68
|
+
containers?: string[];
|
|
69
|
+
images?: string[];
|
|
70
|
+
}
|
|
71
|
+
export interface DetectionResult {
|
|
72
|
+
summary: DetectionSummary;
|
|
73
|
+
platform: PlatformName;
|
|
74
|
+
hostname: string;
|
|
75
|
+
timestamp: string;
|
|
76
|
+
cli: CliBinaryDetection;
|
|
77
|
+
app: AppBundleDetection;
|
|
78
|
+
stateDir: StateDirDetection;
|
|
79
|
+
config: ConfigDetection;
|
|
80
|
+
service: ServiceDetection;
|
|
81
|
+
gateway: GatewayDetection;
|
|
82
|
+
processes: ProcessDetection[];
|
|
83
|
+
docker: DockerDetection;
|
|
84
|
+
}
|
|
85
|
+
//# sourceMappingURL=detection.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"detection.d.ts","sourceRoot":"","sources":["../../src/types/detection.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,gBAAgB,GACxB,eAAe,GACf,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1D,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,KAAK,CAAC,EAAE,OAAO,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,KAAK,CAAC,EAAE,OAAO,CAAC;QAChB,GAAG,CAAC,EAAE,OAAO,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,yCAAyC;IACzC,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2CAA2C;IAC3C,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,OAAO,CAAC,EAAE,qBAAqB,CAAC;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,2DAA2D;AAC3D,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,gBAAiB,SAAQ,WAAW;CAAG;AAExD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,EAAE,YAAY,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,kBAAkB,CAAC;IACxB,GAAG,EAAE,kBAAkB,CAAC;IACxB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,MAAM,EAAE,eAAe,CAAC;CACzB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"detection.js","sourceRoot":"","sources":["../../src/types/detection.ts"],"names":[],"mappings":"AAAA;;GAEG"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Enforcement action types for OpenClaw removal.
|
|
3
|
+
*/
|
|
4
|
+
export type EnforcementActionType = 'kill-process' | 'stop-service' | 'remove-file' | 'remove-dir' | 'docker-rm';
|
|
5
|
+
export type EnforcementActionStatus = 'pending' | 'success' | 'failed' | 'skipped';
|
|
6
|
+
export interface EnforcementAction {
|
|
7
|
+
type: EnforcementActionType;
|
|
8
|
+
target: string;
|
|
9
|
+
status: EnforcementActionStatus;
|
|
10
|
+
error?: string;
|
|
11
|
+
dryRun: boolean;
|
|
12
|
+
}
|
|
13
|
+
export interface EnforcementResult {
|
|
14
|
+
actions: EnforcementAction[];
|
|
15
|
+
summary: EnforcementSummary;
|
|
16
|
+
}
|
|
17
|
+
export interface EnforcementSummary {
|
|
18
|
+
total: number;
|
|
19
|
+
success: number;
|
|
20
|
+
failed: number;
|
|
21
|
+
skipped: number;
|
|
22
|
+
}
|
|
23
|
+
export interface EnforceOptions {
|
|
24
|
+
kill?: boolean;
|
|
25
|
+
stopService?: boolean;
|
|
26
|
+
removeCli?: boolean;
|
|
27
|
+
removeApp?: boolean;
|
|
28
|
+
removeConfig?: boolean;
|
|
29
|
+
all?: boolean;
|
|
30
|
+
dryRun?: boolean;
|
|
31
|
+
force?: boolean;
|
|
32
|
+
}
|
|
33
|
+
//# sourceMappingURL=enforcement.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforcement.d.ts","sourceRoot":"","sources":["../../src/types/enforcement.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,qBAAqB,GAC7B,cAAc,GACd,cAAc,GACd,aAAa,GACb,YAAY,GACZ,WAAW,CAAC;AAEhB,MAAM,MAAM,uBAAuB,GAC/B,SAAS,GACT,SAAS,GACT,QAAQ,GACR,SAAS,CAAC;AAEd,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,qBAAqB,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,uBAAuB,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,OAAO,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"enforcement.js","sourceRoot":"","sources":["../../src/types/enforcement.ts"],"names":[],"mappings":"AAAA;;GAEG"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Isolation action types for firewall, quarantine, and lockdown.
|
|
3
|
+
*/
|
|
4
|
+
export type IsolationActionType = 'block-port' | 'quarantine' | 'lockdown';
|
|
5
|
+
export type IsolationActionStatus = 'pending' | 'success' | 'failed';
|
|
6
|
+
export interface IsolationAction {
|
|
7
|
+
type: IsolationActionType;
|
|
8
|
+
target: string;
|
|
9
|
+
status: IsolationActionStatus;
|
|
10
|
+
quarantinePath?: string;
|
|
11
|
+
error?: string;
|
|
12
|
+
}
|
|
13
|
+
export interface QuarantineArtifact {
|
|
14
|
+
type: 'binary' | 'config' | 'app';
|
|
15
|
+
original: string;
|
|
16
|
+
quarantined: string;
|
|
17
|
+
}
|
|
18
|
+
export interface QuarantineManifest {
|
|
19
|
+
id: string;
|
|
20
|
+
timestamp: string;
|
|
21
|
+
hostname: string;
|
|
22
|
+
artifacts: QuarantineArtifact[];
|
|
23
|
+
/** Detection details captured at quarantine time */
|
|
24
|
+
detection?: {
|
|
25
|
+
/** AI model configured */
|
|
26
|
+
model?: string;
|
|
27
|
+
/** API provider (anthropic, openai, google, etc.) */
|
|
28
|
+
provider?: string;
|
|
29
|
+
/** Communication channels enabled */
|
|
30
|
+
channels?: string[];
|
|
31
|
+
/** Whether autonomous mode was enabled */
|
|
32
|
+
autonomous?: boolean;
|
|
33
|
+
/** Gateway port if detected */
|
|
34
|
+
gatewayPort?: number;
|
|
35
|
+
/** Running process count at quarantine time */
|
|
36
|
+
processCount?: number;
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
export interface QuarantineResult {
|
|
40
|
+
id: string;
|
|
41
|
+
path: string;
|
|
42
|
+
manifest: QuarantineManifest;
|
|
43
|
+
}
|
|
44
|
+
export interface IsolationResult {
|
|
45
|
+
actions: IsolationAction[];
|
|
46
|
+
quarantine?: QuarantineResult;
|
|
47
|
+
}
|
|
48
|
+
export interface IsolateOptions {
|
|
49
|
+
blockPort?: boolean;
|
|
50
|
+
quarantine?: boolean;
|
|
51
|
+
lockdown?: boolean;
|
|
52
|
+
all?: boolean;
|
|
53
|
+
webhook?: string;
|
|
54
|
+
}
|
|
55
|
+
//# sourceMappingURL=isolation.d.ts.map
|