openclaw-node-harness 2.1.0 → 2.1.1

package/mission-control/src/lib/db/index.ts

@@ -2,7 +2,7 @@ import Database from "better-sqlite3";
 import { drizzle } from "drizzle-orm/better-sqlite3";
 import * as schema from "./schema";
 import { DB_PATH } from "../config";
-import fs from "fs";
+import fs, { chmodSync, existsSync } from "fs";
 import path from "path";
 
 let _db: ReturnType<typeof drizzle<typeof schema>> | null = null;
@@ -488,6 +488,21 @@ export function getDb() {
 
   runMigrations(_sqlite);
 
+  // Lock down DB file permissions — owner read/write only
+  try {
+    if (existsSync(DB_PATH)) {
+      chmodSync(DB_PATH, 0o600);
+    }
+    const walPath = DB_PATH + "-wal";
+    if (existsSync(walPath)) {
+      chmodSync(walPath, 0o600);
+    }
+    const journalPath = DB_PATH + "-journal";
+    if (existsSync(journalPath)) {
+      chmodSync(journalPath, 0o600);
+    }
+  } catch {}
+
   _db = drizzle(_sqlite, { schema });
   return _db;
 }

package/mission-control/src/lib/memory/extract.ts

@@ -263,7 +263,8 @@ export function getItemsWithSource(limit = 50, offset = 0) {
  */
 export function searchItems(query: string, category?: string, limit = 20) {
   const raw = getRawDb();
-  const safeQuery = query.replace(/"/g, '""');
+  const safeQuery = query.replace(/"/g, '""').replace(/[*(){}^]/g, '').trim();
+  if (!safeQuery) return [];
 
   if (category) {
     return raw

package/mission-control/src/lib/memory/retrieval.ts

@@ -35,8 +35,9 @@ function decay(relevance: number, daysOld: number, rate = 0.01): number {
  * Multi-word  → ("word1 word2") OR ("word1"* OR "word2"*)
  */
 function buildFtsQuery(query: string): string {
-  const safe = query.replace(/"/g, '""');
-  const terms = safe.trim().split(/\s+/).filter((t) => t.length >= 2);
+  const safe = query.replace(/"/g, '""').replace(/[*(){}^]/g, '').trim();
+  if (!safe) return '""';
+  const terms = safe.split(/\s+/).filter((t) => t.length >= 2);
   if (terms.length <= 1) return `"${safe}"*`;
   const phrase = `"${safe}"`;
   const individual = terms.map((t) => `"${t}"*`).join(" OR ");

package/mission-control/src/middleware.ts

@@ -0,0 +1,82 @@
+import { NextRequest, NextResponse } from "next/server";
+
+/**
+ * API authentication middleware.
+ *
+ * Protects all /api/* routes with a Bearer token check.
+ * Token is read from MC_AUTH_TOKEN env var. If unset, auth is disabled
+ * (localhost-only deployments). When set, every API request must include:
+ *   Authorization: Bearer <token>
+ *
+ * Page routes (non-API) are not gated — the dashboard is a local UI.
+ */
+
+const AUTH_TOKEN = process.env.MC_AUTH_TOKEN || "";
+
+export function middleware(request: NextRequest) {
+  // Only gate API routes
+  if (!request.nextUrl.pathname.startsWith("/api/")) {
+    return NextResponse.next();
+  }
+
+  // Body size limit (1MB) for mutation requests
+  const contentLength = parseInt(request.headers.get("content-length") || "0", 10);
+  const MAX_BODY_SIZE = 1024 * 1024; // 1MB
+  if (contentLength > MAX_BODY_SIZE) {
+    return NextResponse.json(
+      { error: `Request body too large (${contentLength} bytes, max ${MAX_BODY_SIZE})` },
+      { status: 413 }
+    );
+  }
+
+  // SSE endpoints use EventSource which can't set headers — allow if
+  // the token is passed as a query param instead.
+  const tokenFromQuery = request.nextUrl.searchParams.get("token");
+
+  // If no token is configured, auth is disabled (backwards-compatible)
+  if (!AUTH_TOKEN) {
+    return NextResponse.next();
+  }
+
+  const authHeader = request.headers.get("authorization") || "";
+  const bearer = authHeader.startsWith("Bearer ")
+    ? authHeader.slice(7).trim()
+    : "";
+
+  const providedToken = bearer || tokenFromQuery || "";
+
+  if (!providedToken) {
+    return NextResponse.json(
+      { error: "Missing Authorization header" },
+      { status: 401 }
+    );
+  }
+
+  // Constant-time comparison to prevent timing attacks
+  if (!timingSafeEqual(providedToken, AUTH_TOKEN)) {
+    return NextResponse.json({ error: "Invalid token" }, { status: 403 });
+  }
+
+  return NextResponse.next();
+}
+
+/** Constant-time string comparison (Edge Runtime compatible). */
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    // Still do a full comparison to avoid length-based timing leak
+    let result = a.length ^ b.length;
+    for (let i = 0; i < a.length; i++) {
+      result |= a.charCodeAt(i) ^ (b.charCodeAt(i % b.length) || 0);
+    }
+    return result === 0;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+export const config = {
+  matcher: "/api/:path*",
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-node-harness",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "One-command installer for the OpenClaw node layer — identity, skills, souls, daemon, and Mission Control.",
   "bin": {
     "openclaw-node": "./cli.js"

package/services/launchd/ai.openclaw.log-rotate.plist

@@ -20,6 +20,17 @@
       <key>Minute</key>
       <integer>0</integer>
     </dict>
+    <key>RunAtLoad</key>
+    <false/>
+    <key>KeepAlive</key>
+    <false/>
+    <key>EnvironmentVariables</key>
+    <dict>
+      <key>HOME</key>
+      <string>${HOME}</string>
+      <key>PATH</key>
+      <string>${HOME}/.bun/bin:${HOME}/.local/bin:${HOME}/.npm-global/bin:${HOME}/bin:${HOME}/.volta/bin:${HOME}/.asdf/shims:${HOME}/Library/Application Support/fnm/aliases/default/bin:${HOME}/.fnm/aliases/default/bin:${HOME}/Library/pnpm:${HOME}/.local/share/pnpm:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+    </dict>
     <key>StandardOutPath</key>
     <string>${HOME}/.openclaw/logs/log-rotate.log</string>
     <key>StandardErrorPath</key>

package/services/launchd/ai.openclaw.mesh-deploy-listener.plist

@@ -12,6 +12,10 @@
   </array>
   <key>EnvironmentVariables</key>
   <dict>
+    <key>HOME</key>
+    <string>${HOME}</string>
+    <key>PATH</key>
+    <string>${HOME}/.bun/bin:${HOME}/.local/bin:${HOME}/.npm-global/bin:${HOME}/bin:${HOME}/.volta/bin:${HOME}/.asdf/shims:${HOME}/Library/Application Support/fnm/aliases/default/bin:${HOME}/.fnm/aliases/default/bin:${HOME}/Library/pnpm:${HOME}/.local/share/pnpm:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
     <key>OPENCLAW_NODE_ID</key>
     <string>${OPENCLAW_NODE_ID}</string>
     <key>OPENCLAW_NATS</key>

package/services/launchd/ai.openclaw.mesh-health-publisher.plist

@@ -12,6 +12,10 @@
   </array>
   <key>EnvironmentVariables</key>
   <dict>
+    <key>HOME</key>
+    <string>${HOME}</string>
+    <key>PATH</key>
+    <string>${HOME}/.bun/bin:${HOME}/.local/bin:${HOME}/.npm-global/bin:${HOME}/bin:${HOME}/.volta/bin:${HOME}/.asdf/shims:${HOME}/Library/Application Support/fnm/aliases/default/bin:${HOME}/.fnm/aliases/default/bin:${HOME}/Library/pnpm:${HOME}/.local/share/pnpm:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
     <key>OPENCLAW_NODE_ID</key>
     <string>${OPENCLAW_NODE_ID}</string>
     <key>OPENCLAW_NATS</key>

package/services/launchd/ai.openclaw.mission-control.plist

@@ -20,7 +20,7 @@
         <key>PATH</key>
         <string>/usr/local/bin:/usr/bin:/bin</string>
         <key>NODE_ENV</key>
-        <string>development</string>
+        <string>production</string>
     </dict>
 
     <key>RunAtLoad</key>

package/uninstall.sh

@@ -35,24 +35,52 @@ if [ -f "$WORKSPACE/bin/install-daemon" ]; then
   bash "$WORKSPACE/bin/install-daemon" --uninstall 2>/dev/null || true
 fi
 
-# Stop and remove mesh agent service (if installed)
+# Stop and remove services
 OS="$(uname -s)"
 if [ "$OS" = "Linux" ]; then
+  # --- Current services: openclaw-*.service under user systemd ---
+  SYSTEMD_USER_DIR="$HOME/.config/systemd/user"
+  if [ -d "$SYSTEMD_USER_DIR" ]; then
+    for unit in "$SYSTEMD_USER_DIR"/openclaw-*.service "$SYSTEMD_USER_DIR"/openclaw-*.timer; do
+      [ -f "$unit" ] || continue
+      UNIT_NAME="$(basename "$unit")"
+      info "Stopping $UNIT_NAME..."
+      systemctl --user stop "$UNIT_NAME" 2>/dev/null || true
+      systemctl --user disable "$UNIT_NAME" 2>/dev/null || true
+      rm -f "$unit"
+      info "Removed $UNIT_NAME"
+    done
+    systemctl --user daemon-reload 2>/dev/null || true
+  fi
+  # --- Legacy fallback: old system-level openclaw-agent ---
   if systemctl is-active --quiet openclaw-agent 2>/dev/null; then
-    info "Stopping mesh agent..."
+    info "Stopping legacy mesh agent (openclaw-agent)..."
     sudo systemctl stop openclaw-agent 2>/dev/null || true
     sudo systemctl disable openclaw-agent 2>/dev/null || true
     sudo rm -f /etc/systemd/system/openclaw-agent.service
     sudo systemctl daemon-reload 2>/dev/null || true
-    info "Mesh agent service removed"
+    info "Legacy mesh agent service removed"
   fi
 elif [ "$OS" = "Darwin" ]; then
-  MESH_PLIST="/Library/LaunchDaemons/com.openclaw.agent.plist"
-  if [ -f "$MESH_PLIST" ]; then
-    info "Stopping mesh agent..."
-    sudo launchctl unload "$MESH_PLIST" 2>/dev/null || true
-    sudo rm -f "$MESH_PLIST"
-    info "Mesh agent LaunchDaemon removed"
+  # --- Current services: ai.openclaw.*.plist under ~/Library/LaunchAgents ---
+  LAUNCHD_AGENTS_DIR="$HOME/Library/LaunchAgents"
+  if [ -d "$LAUNCHD_AGENTS_DIR" ]; then
+    for plist in "$LAUNCHD_AGENTS_DIR"/ai.openclaw.*.plist; do
+      [ -f "$plist" ] || continue
+      PLIST_NAME="$(basename "$plist")"
+      info "Unloading $PLIST_NAME..."
+      launchctl unload "$plist" 2>/dev/null || true
+      rm -f "$plist"
+      info "Removed $PLIST_NAME"
+    done
+  fi
+  # --- Legacy fallback: old system-level com.openclaw.agent ---
+  LEGACY_PLIST="/Library/LaunchDaemons/com.openclaw.agent.plist"
+  if [ -f "$LEGACY_PLIST" ]; then
+    info "Stopping legacy mesh agent (com.openclaw.agent)..."
+    sudo launchctl unload "$LEGACY_PLIST" 2>/dev/null || true
+    sudo rm -f "$LEGACY_PLIST"
+    info "Legacy mesh agent LaunchDaemon removed"
   fi
 fi
 # Remove mesh symlinks