npm - openclaw-multi-auto - Versions diffs - 1.0.9 → 1.1.1 - Mend

openclaw-multi-auto 1.0.9 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (490) hide show

package/scripts/check-no-pairing-store-group-auth.mjs ADDED Viewed

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+import ts from "typescript";
+import { createPairingGuardContext } from "./lib/pairing-guard-context.mjs";
+import {
+  collectFileViolations,
+  getPropertyNameText,
+  runAsScript,
+  toLine,
+} from "./lib/ts-guard-utils.mjs";
+const { repoRoot, sourceRoots, resolveFromRepo } = createPairingGuardContext(import.meta.url);
+const allowedFiles = new Set([
+  resolveFromRepo("src/security/dm-policy-shared.ts"),
+  resolveFromRepo("src/channels/allow-from.ts"),
+  // Config migration/audit logic may intentionally reference store + group fields.
+  resolveFromRepo("src/security/fix.ts"),
+  resolveFromRepo("src/security/audit-channel.ts"),
+]);
+const storeIdentifierRe = /^(?:storeAllowFrom|storedAllowFrom|storeAllowList)$/i;
+const groupNameRe =
+  /(?:groupAllowFrom|effectiveGroupAllowFrom|groupAllowed|groupAllow|groupAuth|groupSender)/i;
+const storeSourceCallNames = new Set([
+  "readChannelAllowFromStore",
+  "readChannelAllowFromStoreSync",
+  "readStoreAllowFromForDmPolicy",
+]);
+const allowedResolverCallNames = new Set([
+  "resolveEffectiveAllowFromLists",
+  "resolveDmGroupAccessWithLists",
+  "resolveMattermostEffectiveAllowFromLists",
+  "resolveIrcEffectiveAllowlists",
+]);
+function getDeclarationNameText(name) {
+  if (ts.isIdentifier(name)) {
+    return name.text;
+  }
+  if (ts.isObjectBindingPattern(name) || ts.isArrayBindingPattern(name)) {
+    return name.getText();
+  }
+  return null;
+}
+function containsPairingStoreSource(node) {
+  let found = false;
+  const visit = (current) => {
+    if (found) {
+      return;
+    }
+    if (ts.isIdentifier(current) && storeIdentifierRe.test(current.text)) {
+      found = true;
+      return;
+    }
+    if (ts.isCallExpression(current)) {
+      const callName = getCallName(current);
+      if (callName && storeSourceCallNames.has(callName)) {
+        found = true;
+        return;
+      }
+    }
+    ts.forEachChild(current, visit);
+  };
+  visit(node);
+  return found;
+}
+function getCallName(node) {
+  if (!ts.isCallExpression(node)) {
+    return null;
+  }
+  if (ts.isIdentifier(node.expression)) {
+    return node.expression.text;
+  }
+  if (ts.isPropertyAccessExpression(node.expression)) {
+    return node.expression.name.text;
+  }
+  return null;
+}
+function isSuspiciousNormalizeWithStoreCall(node) {
+  if (!ts.isCallExpression(node)) {
+    return false;
+  }
+  if (!ts.isIdentifier(node.expression) || node.expression.text !== "normalizeAllowFromWithStore") {
+    return false;
+  }
+  const firstArg = node.arguments[0];
+  if (!firstArg || !ts.isObjectLiteralExpression(firstArg)) {
+    return false;
+  }
+  let hasStoreProp = false;
+  let hasGroupAllowProp = false;
+  for (const property of firstArg.properties) {
+    if (!ts.isPropertyAssignment(property)) {
+      continue;
+    }
+    const name = getPropertyNameText(property.name);
+    if (!name) {
+      continue;
+    }
+    if (name === "storeAllowFrom" && containsPairingStoreSource(property.initializer)) {
+      hasStoreProp = true;
+    }
+    if (name === "allowFrom" && groupNameRe.test(property.initializer.getText())) {
+      hasGroupAllowProp = true;
+    }
+  }
+  return hasStoreProp && hasGroupAllowProp;
+}
+function findViolations(content, filePath) {
+  const sourceFile = ts.createSourceFile(filePath, content, ts.ScriptTarget.Latest, true);
+  const violations = [];
+  const visit = (node) => {
+    if (ts.isVariableDeclaration(node) && node.initializer) {
+      const name = getDeclarationNameText(node.name);
+      if (name && groupNameRe.test(name) && containsPairingStoreSource(node.initializer)) {
+        const callName = getCallName(node.initializer);
+        if (callName && allowedResolverCallNames.has(callName)) {
+          ts.forEachChild(node, visit);
+          return;
+        }
+        violations.push({
+          line: toLine(sourceFile, node),
+          reason: `group-scoped variable "${name}" references pairing-store identifiers`,
+        });
+      }
+    }
+    if (ts.isPropertyAssignment(node)) {
+      const propName = getPropertyNameText(node.name);
+      if (propName && groupNameRe.test(propName) && containsPairingStoreSource(node.initializer)) {
+        violations.push({
+          line: toLine(sourceFile, node),
+          reason: `group-scoped property "${propName}" references pairing-store identifiers`,
+        });
+      }
+    }
+    if (isSuspiciousNormalizeWithStoreCall(node)) {
+      violations.push({
+        line: toLine(sourceFile, node),
+        reason: "group allowlist uses normalizeAllowFromWithStore(...) with pairing-store entries",
+      });
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return violations;
+}
+async function main() {
+  const violations = await collectFileViolations({
+    sourceRoots,
+    repoRoot,
+    findViolations,
+    skipFile: (filePath) => allowedFiles.has(filePath),
+  });
+  if (violations.length === 0) {
+    return;
+  }
+  console.error("Found pairing-store identifiers referenced in group auth composition:");
+  for (const violation of violations) {
+    console.error(`- ${violation.path}:${violation.line} (${violation.reason})`);
+  }
+  console.error(
+    "Group auth must be composed via shared resolvers (resolveDmGroupAccessWithLists / resolveEffectiveAllowFromLists).",
+  );
+  process.exit(1);
+}
+runAsScript(import.meta.url, main);

package/scripts/check-no-random-messaging-tmp.mjs ADDED Viewed

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+import ts from "typescript";
+import { runCallsiteGuard } from "./lib/callsite-guard.mjs";
+import { runAsScript, toLine, unwrapExpression } from "./lib/ts-guard-utils.mjs";
+const sourceRoots = [
+  "src/channels",
+  "src/infra/outbound",
+  "src/line",
+  "src/media-understanding",
+  "extensions",
+];
+const allowedRelativePaths = new Set(["extensions/feishu/src/dedup.ts"]);
+function collectOsTmpdirImports(sourceFile) {
+  const osModuleSpecifiers = new Set(["node:os", "os"]);
+  const osNamespaceOrDefault = new Set();
+  const namedTmpdir = new Set();
+  for (const statement of sourceFile.statements) {
+    if (!ts.isImportDeclaration(statement)) {
+      continue;
+    }
+    if (!statement.importClause || !ts.isStringLiteral(statement.moduleSpecifier)) {
+      continue;
+    }
+    if (!osModuleSpecifiers.has(statement.moduleSpecifier.text)) {
+      continue;
+    }
+    const clause = statement.importClause;
+    if (clause.name) {
+      osNamespaceOrDefault.add(clause.name.text);
+    }
+    if (!clause.namedBindings) {
+      continue;
+    }
+    if (ts.isNamespaceImport(clause.namedBindings)) {
+      osNamespaceOrDefault.add(clause.namedBindings.name.text);
+      continue;
+    }
+    for (const element of clause.namedBindings.elements) {
+      if ((element.propertyName?.text ?? element.name.text) === "tmpdir") {
+        namedTmpdir.add(element.name.text);
+      }
+    }
+  }
+  return { osNamespaceOrDefault, namedTmpdir };
+}
+export function findMessagingTmpdirCallLines(content, fileName = "source.ts") {
+  const sourceFile = ts.createSourceFile(fileName, content, ts.ScriptTarget.Latest, true);
+  const { osNamespaceOrDefault, namedTmpdir } = collectOsTmpdirImports(sourceFile);
+  const lines = [];
+  const visit = (node) => {
+    if (ts.isCallExpression(node)) {
+      const callee = unwrapExpression(node.expression);
+      if (
+        ts.isPropertyAccessExpression(callee) &&
+        callee.name.text === "tmpdir" &&
+        ts.isIdentifier(callee.expression) &&
+        osNamespaceOrDefault.has(callee.expression.text)
+      ) {
+        lines.push(toLine(sourceFile, callee));
+      } else if (ts.isIdentifier(callee) && namedTmpdir.has(callee.text)) {
+        lines.push(toLine(sourceFile, callee));
+      }
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return lines;
+}
+export async function main() {
+  await runCallsiteGuard({
+    importMetaUrl: import.meta.url,
+    sourceRoots,
+    findCallLines: findMessagingTmpdirCallLines,
+    skipRelativePath: (relativePath) => allowedRelativePaths.has(relativePath),
+    header: "Found os.tmpdir()/tmpdir() usage in messaging/channel runtime sources:",
+    footer:
+      "Use resolvePreferredOpenClawTmpDir() or plugin-sdk temp helpers instead of host tmp defaults.",
+    sortViolations: false,
+  });
+}
+runAsScript(import.meta.url, main);

package/scripts/check-no-raw-channel-fetch.mjs ADDED Viewed

@@ -0,0 +1,107 @@
+#!/usr/bin/env node
+import ts from "typescript";
+import { runCallsiteGuard } from "./lib/callsite-guard.mjs";
+import { runAsScript, toLine, unwrapExpression } from "./lib/ts-guard-utils.mjs";
+const sourceRoots = [
+  "src/telegram",
+  "src/discord",
+  "src/slack",
+  "src/signal",
+  "src/imessage",
+  "src/web",
+  "src/channels",
+  "src/routing",
+  "src/line",
+  "extensions",
+];
+// Temporary allowlist for legacy callsites. New raw fetch callsites in channel/plugin runtime
+// code should be rejected and migrated to fetchWithSsrFGuard/shared channel helpers.
+const allowedRawFetchCallsites = new Set([
+  "extensions/bluebubbles/src/types.ts:133",
+  "extensions/feishu/src/streaming-card.ts:31",
+  "extensions/feishu/src/streaming-card.ts:101",
+  "extensions/feishu/src/streaming-card.ts:143",
+  "extensions/feishu/src/streaming-card.ts:199",
+  "extensions/google-gemini-cli-auth/oauth.ts:372",
+  "extensions/google-gemini-cli-auth/oauth.ts:408",
+  "extensions/google-gemini-cli-auth/oauth.ts:447",
+  "extensions/google-gemini-cli-auth/oauth.ts:507",
+  "extensions/google-gemini-cli-auth/oauth.ts:575",
+  "extensions/googlechat/src/api.ts:22",
+  "extensions/googlechat/src/api.ts:43",
+  "extensions/googlechat/src/api.ts:63",
+  "extensions/googlechat/src/api.ts:188",
+  "extensions/googlechat/src/auth.ts:82",
+  "extensions/matrix/src/directory-live.ts:41",
+  "extensions/matrix/src/matrix/client/config.ts:171",
+  "extensions/mattermost/src/mattermost/client.ts:211",
+  "extensions/mattermost/src/mattermost/monitor.ts:230",
+  "extensions/mattermost/src/mattermost/probe.ts:27",
+  "extensions/minimax-portal-auth/oauth.ts:71",
+  "extensions/minimax-portal-auth/oauth.ts:112",
+  "extensions/msteams/src/graph.ts:39",
+  "extensions/nextcloud-talk/src/room-info.ts:92",
+  "extensions/nextcloud-talk/src/send.ts:107",
+  "extensions/nextcloud-talk/src/send.ts:198",
+  "extensions/qwen-portal-auth/oauth.ts:46",
+  "extensions/qwen-portal-auth/oauth.ts:80",
+  "extensions/talk-voice/index.ts:27",
+  "extensions/thread-ownership/index.ts:105",
+  "extensions/voice-call/src/providers/plivo.ts:95",
+  "extensions/voice-call/src/providers/telnyx.ts:61",
+  "extensions/voice-call/src/providers/tts-openai.ts:111",
+  "extensions/voice-call/src/providers/twilio/api.ts:23",
+  "src/channels/telegram/api.ts:8",
+  "src/discord/send.outbound.ts:347",
+  "src/discord/voice-message.ts:264",
+  "src/discord/voice-message.ts:308",
+  "src/slack/monitor/media.ts:64",
+  "src/slack/monitor/media.ts:68",
+  "src/slack/monitor/media.ts:82",
+  "src/slack/monitor/media.ts:108",
+]);
+function isRawFetchCall(expression) {
+  const callee = unwrapExpression(expression);
+  if (ts.isIdentifier(callee)) {
+    return callee.text === "fetch";
+  }
+  if (ts.isPropertyAccessExpression(callee)) {
+    return (
+      ts.isIdentifier(callee.expression) &&
+      callee.expression.text === "globalThis" &&
+      callee.name.text === "fetch"
+    );
+  }
+  return false;
+}
+export function findRawFetchCallLines(content, fileName = "source.ts") {
+  const sourceFile = ts.createSourceFile(fileName, content, ts.ScriptTarget.Latest, true);
+  const lines = [];
+  const visit = (node) => {
+    if (ts.isCallExpression(node) && isRawFetchCall(node.expression)) {
+      lines.push(toLine(sourceFile, node.expression));
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return lines;
+}
+export async function main() {
+  await runCallsiteGuard({
+    importMetaUrl: import.meta.url,
+    sourceRoots,
+    extraTestSuffixes: [".browser.test.ts", ".node.test.ts"],
+    findCallLines: findRawFetchCallLines,
+    allowCallsite: (callsite) => allowedRawFetchCallsites.has(callsite),
+    header: "Found raw fetch() usage in channel/plugin runtime sources outside allowlist:",
+    footer: "Use fetchWithSsrFGuard() or existing channel/plugin SDK wrappers for network calls.",
+  });
+}
+runAsScript(import.meta.url, main);

package/scripts/check-no-raw-window-open.mjs ADDED Viewed

@@ -0,0 +1,86 @@
+#!/usr/bin/env node
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import ts from "typescript";
+import {
+  collectTypeScriptFiles,
+  resolveRepoRoot,
+  runAsScript,
+  toLine,
+  unwrapExpression,
+} from "./lib/ts-guard-utils.mjs";
+const repoRoot = resolveRepoRoot(import.meta.url);
+const uiSourceDir = path.join(repoRoot, "ui", "src", "ui");
+const allowedCallsites = new Set([path.join(uiSourceDir, "open-external-url.ts")]);
+function asPropertyAccess(expression) {
+  if (ts.isPropertyAccessExpression(expression)) {
+    return expression;
+  }
+  if (typeof ts.isPropertyAccessChain === "function" && ts.isPropertyAccessChain(expression)) {
+    return expression;
+  }
+  return null;
+}
+function isRawWindowOpenCall(expression) {
+  const propertyAccess = asPropertyAccess(unwrapExpression(expression));
+  if (!propertyAccess || propertyAccess.name.text !== "open") {
+    return false;
+  }
+  const receiver = unwrapExpression(propertyAccess.expression);
+  return (
+    ts.isIdentifier(receiver) && (receiver.text === "window" || receiver.text === "globalThis")
+  );
+}
+export function findRawWindowOpenLines(content, fileName = "source.ts") {
+  const sourceFile = ts.createSourceFile(fileName, content, ts.ScriptTarget.Latest, true);
+  const lines = [];
+  const visit = (node) => {
+    if (ts.isCallExpression(node) && isRawWindowOpenCall(node.expression)) {
+      lines.push(toLine(sourceFile, node.expression));
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return lines;
+}
+export async function main() {
+  const files = await collectTypeScriptFiles(uiSourceDir, {
+    extraTestSuffixes: [".browser.test.ts", ".node.test.ts"],
+    ignoreMissing: true,
+  });
+  const violations = [];
+  for (const filePath of files) {
+    if (allowedCallsites.has(filePath)) {
+      continue;
+    }
+    const content = await fs.readFile(filePath, "utf8");
+    for (const line of findRawWindowOpenLines(content, filePath)) {
+      const relPath = path.relative(repoRoot, filePath);
+      violations.push(`${relPath}:${line}`);
+    }
+  }
+  if (violations.length === 0) {
+    return;
+  }
+  console.error("Found raw window.open usage outside safe helper:");
+  for (const violation of violations) {
+    console.error(`- ${violation}`);
+  }
+  console.error("Use openExternalUrlSafe(...) from ui/src/ui/open-external-url.ts instead.");
+  process.exit(1);
+}
+runAsScript(import.meta.url, main);

package/scripts/check-no-register-http-handler.mjs ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+import ts from "typescript";
+import { runCallsiteGuard } from "./lib/callsite-guard.mjs";
+import { runAsScript, toLine, unwrapExpression } from "./lib/ts-guard-utils.mjs";
+const sourceRoots = ["src", "extensions"];
+function isDeprecatedRegisterHttpHandlerCall(expression) {
+  const callee = unwrapExpression(expression);
+  return ts.isPropertyAccessExpression(callee) && callee.name.text === "registerHttpHandler";
+}
+export function findDeprecatedRegisterHttpHandlerLines(content, fileName = "source.ts") {
+  const sourceFile = ts.createSourceFile(fileName, content, ts.ScriptTarget.Latest, true);
+  const lines = [];
+  const visit = (node) => {
+    if (ts.isCallExpression(node) && isDeprecatedRegisterHttpHandlerCall(node.expression)) {
+      lines.push(toLine(sourceFile, node.expression));
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return lines;
+}
+export async function main() {
+  await runCallsiteGuard({
+    importMetaUrl: import.meta.url,
+    sourceRoots,
+    findCallLines: findDeprecatedRegisterHttpHandlerLines,
+    header: "Found deprecated plugin API call registerHttpHandler(...):",
+    footer:
+      "Use registerHttpRoute({ path, auth, match, handler }) and registerPluginHttpRoute for dynamic webhook paths.",
+  });
+}
+runAsScript(import.meta.url, main);

package/scripts/check-pairing-account-scope.mjs ADDED Viewed

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+import ts from "typescript";
+import { createPairingGuardContext } from "./lib/pairing-guard-context.mjs";
+import {
+  collectFileViolations,
+  getPropertyNameText,
+  runAsScript,
+  toLine,
+} from "./lib/ts-guard-utils.mjs";
+const { repoRoot, sourceRoots } = createPairingGuardContext(import.meta.url);
+function isUndefinedLikeExpression(node) {
+  if (ts.isIdentifier(node) && node.text === "undefined") {
+    return true;
+  }
+  return node.kind === ts.SyntaxKind.NullKeyword;
+}
+function hasRequiredAccountIdProperty(node) {
+  if (!ts.isObjectLiteralExpression(node)) {
+    return false;
+  }
+  for (const property of node.properties) {
+    if (ts.isShorthandPropertyAssignment(property) && property.name.text === "accountId") {
+      return true;
+    }
+    if (!ts.isPropertyAssignment(property)) {
+      continue;
+    }
+    if (getPropertyNameText(property.name) !== "accountId") {
+      continue;
+    }
+    if (isUndefinedLikeExpression(property.initializer)) {
+      return false;
+    }
+    return true;
+  }
+  return false;
+}
+function findViolations(content, filePath) {
+  const sourceFile = ts.createSourceFile(filePath, content, ts.ScriptTarget.Latest, true);
+  const violations = [];
+  const visit = (node) => {
+    if (ts.isCallExpression(node) && ts.isIdentifier(node.expression)) {
+      const callName = node.expression.text;
+      if (callName === "readChannelAllowFromStore") {
+        if (node.arguments.length < 3 || isUndefinedLikeExpression(node.arguments[2])) {
+          violations.push({
+            line: toLine(sourceFile, node),
+            reason: "readChannelAllowFromStore call must pass explicit accountId as 3rd arg",
+          });
+        }
+      } else if (
+        callName === "readLegacyChannelAllowFromStore" ||
+        callName === "readLegacyChannelAllowFromStoreSync"
+      ) {
+        violations.push({
+          line: toLine(sourceFile, node),
+          reason: `${callName} is legacy-only; use account-scoped readChannelAllowFromStore* APIs`,
+        });
+      } else if (callName === "upsertChannelPairingRequest") {
+        const firstArg = node.arguments[0];
+        if (!firstArg || !hasRequiredAccountIdProperty(firstArg)) {
+          violations.push({
+            line: toLine(sourceFile, node),
+            reason: "upsertChannelPairingRequest call must include accountId in params",
+          });
+        }
+      }
+    }
+    ts.forEachChild(node, visit);
+  };
+  visit(sourceFile);
+  return violations;
+}
+async function main() {
+  const violations = await collectFileViolations({
+    sourceRoots,
+    repoRoot,
+    findViolations,
+  });
+  if (violations.length === 0) {
+    return;
+  }
+  console.error("Found unscoped pairing-store calls:");
+  for (const violation of violations) {
+    console.error(`- ${violation.path}:${violation.line} (${violation.reason})`);
+  }
+  process.exit(1);
+}
+runAsScript(import.meta.url, main);