npm - qlogicagent - Versions diffs - 0.2.1 → 0.3.0 - Mend

qlogicagent 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

package/dist/skills/skill-frontmatter.js DELETED Viewed

@@ -1,344 +0,0 @@
-// ---------------------------------------------------------------------------
-// SKILL.md frontmatter parser — portable, zero external dependencies.
-// Mirrors openclaw/src/markdown/frontmatter.ts + src/agents/skills/frontmatter.ts
-// but without YAML library (uses simple line parser + JSON5-free metadata).
-// ---------------------------------------------------------------------------
-// ---------------------------------------------------------------------------
-// Block extraction
-// ---------------------------------------------------------------------------
-function extractFrontmatterBlock(content) {
-    const normalized = content.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
-    if (!normalized.startsWith("---")) {
-        return undefined;
-    }
-    const endIndex = normalized.indexOf("\n---", 3);
-    if (endIndex === -1) {
-        return undefined;
-    }
-    return normalized.slice(4, endIndex);
-}
-// ---------------------------------------------------------------------------
-// Line parser (handles both inline and multi-line values)
-// ---------------------------------------------------------------------------
-function stripQuotes(value) {
-    if ((value.startsWith('"') && value.endsWith('"')) ||
-        (value.startsWith("'") && value.endsWith("'"))) {
-        return value.slice(1, -1);
-    }
-    return value;
-}
-function extractMultiLineValue(lines, startIndex) {
-    const valueLines = [];
-    let i = startIndex + 1;
-    while (i < lines.length) {
-        const line = lines[i];
-        if (line.length > 0 && !line.startsWith(" ") && !line.startsWith("\t")) {
-            break;
-        }
-        valueLines.push(line);
-        i += 1;
-    }
-    return { value: valueLines.join("\n").trim(), linesConsumed: i - startIndex };
-}
-/**
- * Parse a YAML-like frontmatter block into a flat key→value record.
- * Uses a lightweight line parser to avoid a YAML library dependency.
- */
-export function parseFrontmatter(content) {
-    const block = extractFrontmatterBlock(content);
-    if (!block) {
-        return {};
-    }
-    const result = {};
-    const lines = block.split("\n");
-    let i = 0;
-    while (i < lines.length) {
-        const line = lines[i];
-        const match = line.match(/^([\w-]+):\s*(.*)$/);
-        if (!match) {
-            i += 1;
-            continue;
-        }
-        const key = match[1];
-        const inlineValue = match[2].trim();
-        if (!key) {
-            i += 1;
-            continue;
-        }
-        // Check for multi-line value
-        if (!inlineValue && i + 1 < lines.length) {
-            const nextLine = lines[i + 1];
-            if (nextLine.startsWith(" ") || nextLine.startsWith("\t")) {
-                const { value, linesConsumed } = extractMultiLineValue(lines, i);
-                if (value) {
-                    result[key] = value;
-                }
-                i += linesConsumed;
-                continue;
-            }
-        }
-        const value = stripQuotes(inlineValue);
-        if (value) {
-            result[key] = value;
-        }
-        i += 1;
-    }
-    return result;
-}
-// ---------------------------------------------------------------------------
-// Metadata resolver (from `metadata:` JSON block)
-// ---------------------------------------------------------------------------
-function parseMetadataJson(raw) {
-    // Try direct JSON first: `metadata: {"openclaw": {...}}`
-    try {
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === "object") {
-            const obj = parsed;
-            const nested = obj["openclaw"];
-            if (nested && typeof nested === "object") {
-                return nested;
-            }
-            return obj;
-        }
-    }
-    catch {
-        // Not JSON — fall through to YAML-like parser
-    }
-    // Handle YAML-like multi-line: `key: value` per line
-    return parseYamlLikeMetadata(raw);
-}
-/**
- * Parse simple YAML-like `key: value` lines where values may be JSON
- * literals (objects, arrays, booleans, numbers) or plain strings.
- */
-function parseYamlLikeMetadata(raw) {
-    const result = {};
-    let found = false;
-    for (const line of raw.split("\n")) {
-        const trimmed = line.trim();
-        if (!trimmed)
-            continue;
-        const m = trimmed.match(/^([\w-]+):\s*(.+)$/);
-        if (!m)
-            continue;
-        const key = m[1];
-        const val = m[2].trim();
-        found = true;
-        // Try JSON parse for objects / arrays / booleans / numbers
-        try {
-            result[key] = JSON.parse(val);
-        }
-        catch {
-            // Plain string — normalise booleans / numbers
-            if (val === "true")
-                result[key] = true;
-            else if (val === "false")
-                result[key] = false;
-            else if (/^-?\d+(\.\d+)?$/.test(val))
-                result[key] = Number(val);
-            else
-                result[key] = val;
-        }
-    }
-    return found ? result : undefined;
-}
-function normalizeStringList(input) {
-    if (!input)
-        return [];
-    if (Array.isArray(input)) {
-        return input.map((v) => String(v).trim()).filter(Boolean);
-    }
-    if (typeof input === "string") {
-        return input
-            .split(",")
-            .map((v) => v.trim())
-            .filter(Boolean);
-    }
-    return [];
-}
-function parseBool(value, fallback) {
-    if (value === undefined)
-        return fallback;
-    const lower = value.toLowerCase().trim();
-    if (lower === "true" || lower === "1" || lower === "yes")
-        return true;
-    if (lower === "false" || lower === "0" || lower === "no")
-        return false;
-    return fallback;
-}
-// ---------------------------------------------------------------------------
-// Install spec validation (safe input normalization)
-// ---------------------------------------------------------------------------
-const BREW_FORMULA_PATTERN = /^[A-Za-z0-9][A-Za-z0-9@+._/-]*$/;
-const GO_MODULE_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._~+\-/]*(?:@[A-Za-z0-9][A-Za-z0-9._~+\-/]*)?$/;
-const UV_PACKAGE_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._\-[\]=<>!~+,]*$/;
-const NPM_SPEC_PATTERN = /^(@[a-z0-9][\w.\-]*\/)?[a-z0-9][\w.\-]*(@[~^]?[\d.*]+[\w.\-+]*)?$/;
-function normalizeSafeBrewFormula(raw) {
-    if (typeof raw !== "string")
-        return undefined;
-    const formula = raw.trim();
-    if (!formula || formula.startsWith("-") || formula.includes("\\") || formula.includes("..")) {
-        return undefined;
-    }
-    return BREW_FORMULA_PATTERN.test(formula) ? formula : undefined;
-}
-function normalizeSafeNpmSpec(raw) {
-    if (typeof raw !== "string")
-        return undefined;
-    const spec = raw.trim();
-    if (!spec || spec.startsWith("-"))
-        return undefined;
-    return NPM_SPEC_PATTERN.test(spec) ? spec : undefined;
-}
-function normalizeSafeGoModule(raw) {
-    if (typeof raw !== "string")
-        return undefined;
-    const mod = raw.trim();
-    if (!mod || mod.startsWith("-") || mod.includes("\\") || mod.includes("://"))
-        return undefined;
-    return GO_MODULE_PATTERN.test(mod) ? mod : undefined;
-}
-function normalizeSafeUvPackage(raw) {
-    if (typeof raw !== "string")
-        return undefined;
-    const pkg = raw.trim();
-    if (!pkg || pkg.startsWith("-") || pkg.includes("\\") || pkg.includes("://"))
-        return undefined;
-    return UV_PACKAGE_PATTERN.test(pkg) ? pkg : undefined;
-}
-function normalizeSafeDownloadUrl(raw) {
-    if (typeof raw !== "string")
-        return undefined;
-    const value = raw.trim();
-    if (!value || /\s/.test(value))
-        return undefined;
-    try {
-        const parsed = new URL(value);
-        if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
-            return undefined;
-        return parsed.toString();
-    }
-    catch {
-        return undefined;
-    }
-}
-function parseInstallSpec(input) {
-    if (!input || typeof input !== "object")
-        return undefined;
-    const raw = input;
-    const kindRaw = typeof raw.kind === "string" ? raw.kind : typeof raw.type === "string" ? raw.type : "";
-    const kind = kindRaw.trim().toLowerCase();
-    const ALLOWED_KINDS = ["brew", "node", "go", "uv", "download"];
-    if (!ALLOWED_KINDS.includes(kind))
-        return undefined;
-    const spec = { kind: kind };
-    if (typeof raw.id === "string")
-        spec.id = raw.id;
-    if (typeof raw.label === "string")
-        spec.label = raw.label;
-    const bins = normalizeStringList(raw.bins);
-    if (bins.length > 0)
-        spec.bins = bins;
-    const osList = normalizeStringList(raw.os);
-    if (osList.length > 0)
-        spec.os = osList;
-    // Kind-specific fields
-    const formula = normalizeSafeBrewFormula(raw.formula) ?? normalizeSafeBrewFormula(raw.cask);
-    if (formula)
-        spec.formula = formula;
-    if (kind === "node") {
-        const pkg = normalizeSafeNpmSpec(raw.package);
-        if (pkg)
-            spec.package = pkg;
-    }
-    else if (kind === "uv") {
-        const pkg = normalizeSafeUvPackage(raw.package);
-        if (pkg)
-            spec.package = pkg;
-    }
-    const mod = normalizeSafeGoModule(raw.module);
-    if (mod)
-        spec.module = mod;
-    const url = normalizeSafeDownloadUrl(raw.url);
-    if (url)
-        spec.url = url;
-    if (typeof raw.archive === "string")
-        spec.archive = raw.archive;
-    if (typeof raw.extract === "boolean")
-        spec.extract = raw.extract;
-    if (typeof raw.stripComponents === "number")
-        spec.stripComponents = raw.stripComponents;
-    if (typeof raw.targetDir === "string")
-        spec.targetDir = raw.targetDir;
-    // Validate required field per kind
-    if (kind === "brew" && !spec.formula)
-        return undefined;
-    if (kind === "node" && !spec.package)
-        return undefined;
-    if (kind === "go" && !spec.module)
-        return undefined;
-    if (kind === "uv" && !spec.package)
-        return undefined;
-    if (kind === "download" && !spec.url)
-        return undefined;
-    return spec;
-}
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/**
- * Resolve structured metadata from the `metadata:` frontmatter field.
- * Expects `metadata: {"openclaw": {...}}` (JSON format).
- */
-export function resolveSkillMetadata(frontmatter) {
-    const raw = frontmatter["metadata"];
-    if (!raw)
-        return undefined;
-    const metadataObj = parseMetadataJson(raw);
-    if (!metadataObj)
-        return undefined;
-    const requiresRaw = typeof metadataObj.requires === "object" && metadataObj.requires !== null
-        ? metadataObj.requires
-        : undefined;
-    const requires = requiresRaw
-        ? {
-            bins: normalizeStringList(requiresRaw.bins),
-            anyBins: normalizeStringList(requiresRaw.anyBins),
-            env: normalizeStringList(requiresRaw.env),
-            config: normalizeStringList(requiresRaw.config),
-        }
-        : undefined;
-    const installRaw = Array.isArray(metadataObj.install)
-        ? metadataObj.install
-        : [];
-    const install = installRaw
-        .map((entry) => parseInstallSpec(entry))
-        .filter((entry) => Boolean(entry));
-    const osRaw = normalizeStringList(metadataObj.os);
-    return {
-        always: typeof metadataObj.always === "boolean" ? metadataObj.always : undefined,
-        emoji: typeof metadataObj.emoji === "string" ? metadataObj.emoji : undefined,
-        homepage: typeof metadataObj.homepage === "string" ? metadataObj.homepage : undefined,
-        skillKey: typeof metadataObj.skillKey === "string" ? metadataObj.skillKey : undefined,
-        primaryEnv: typeof metadataObj.primaryEnv === "string" ? metadataObj.primaryEnv : undefined,
-        os: osRaw.length > 0 ? osRaw : undefined,
-        category: typeof metadataObj.category === "string" ? metadataObj.category : undefined,
-        requires,
-        install: install.length > 0 ? install : undefined,
-    };
-}
-/**
- * Resolve invocation policy from frontmatter fields.
- */
-export function resolveSkillInvocationPolicy(frontmatter) {
-    return {
-        userInvocable: parseBool(frontmatter["user-invocable"], true),
-        disableModelInvocation: parseBool(frontmatter["disable-model-invocation"], false),
-    };
-}
-/**
- * Get the canonical key for a skill (metadata.skillKey or skill.name).
- */
-export function resolveSkillKey(skillName, metadata) {
-    return metadata?.skillKey ?? skillName;
-}

package/dist/skills/skill-guard.js DELETED Viewed

@@ -1,229 +0,0 @@
-// ---------------------------------------------------------------------------
-// Skill security scanner — portable, zero external dependencies.
-// Mirrors openclaw/src/security/skill-scanner.ts rules but uses DI deps
-// instead of Node.js fs/path directly.
-// ---------------------------------------------------------------------------
-const LINE_RULES = [
-    {
-        ruleId: "dangerous-exec",
-        severity: "critical",
-        message: "Shell command execution detected (child_process)",
-        pattern: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/,
-        requiresContext: /child_process/,
-    },
-    {
-        ruleId: "dynamic-code-execution",
-        severity: "critical",
-        message: "Dynamic code execution detected",
-        pattern: /\beval\s*\(|new\s+Function\s*\(/,
-    },
-    {
-        ruleId: "crypto-mining",
-        severity: "critical",
-        message: "Possible crypto-mining reference detected",
-        pattern: /stratum\+tcp|stratum\+ssl|coinhive|cryptonight|xmrig/i,
-    },
-    {
-        ruleId: "suspicious-network",
-        severity: "warn",
-        message: "WebSocket connection to non-standard port",
-        pattern: /new\s+WebSocket\s*\(\s*["']wss?:\/\/[^"']*:(\d+)/,
-    },
-];
-const STANDARD_PORTS = new Set([80, 443, 8080, 8443, 3000]);
-const SOURCE_RULES = [
-    {
-        ruleId: "potential-exfiltration",
-        severity: "warn",
-        message: "File read combined with network send — possible data exfiltration",
-        pattern: /readFileSync|readFile/,
-        requiresContext: /\bfetch\b|\bpost\b|http\.request/i,
-    },
-    {
-        ruleId: "obfuscated-code",
-        severity: "warn",
-        message: "Hex-encoded string sequence detected (possible obfuscation)",
-        pattern: /(\\x[0-9a-fA-F]{2}){6,}/,
-    },
-    {
-        ruleId: "obfuscated-code",
-        severity: "warn",
-        message: "Large base64 payload with decode call detected (possible obfuscation)",
-        pattern: /(?:atob|Buffer\.from)\s*\(\s*["'][A-Za-z0-9+/=]{200,}["']/,
-    },
-    {
-        ruleId: "env-harvesting",
-        severity: "critical",
-        message: "Environment variable access combined with network send — possible credential harvesting",
-        pattern: /process\.env/,
-        requiresContext: /\bfetch\b|\bpost\b|http\.request/i,
-    },
-];
-// ---------------------------------------------------------------------------
-// Scannable extensions
-// ---------------------------------------------------------------------------
-const SCANNABLE_EXTENSIONS = new Set([
-    ".js", ".ts", ".mjs", ".cjs", ".mts", ".cts", ".jsx", ".tsx",
-]);
-const DEFAULT_MAX_SCAN_FILES = 500;
-const DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
-// ---------------------------------------------------------------------------
-// Core scanner (operates on source text — no FS dependency)
-// ---------------------------------------------------------------------------
-function truncateEvidence(evidence, maxLen = 120) {
-    return evidence.length <= maxLen ? evidence : `${evidence.slice(0, maxLen)}…`;
-}
-/**
- * Scan a source string for security findings.
- * This is a pure function — no file I/O.
- */
-export function scanSource(source, filePath) {
-    const findings = [];
-    const lines = source.split("\n");
-    const matchedLineRules = new Set();
-    // Line rules
-    for (const rule of LINE_RULES) {
-        if (matchedLineRules.has(rule.ruleId))
-            continue;
-        if (rule.requiresContext && !rule.requiresContext.test(source))
-            continue;
-        for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
-            const match = rule.pattern.exec(line);
-            if (!match)
-                continue;
-            // Special: suspicious-network checks port number
-            if (rule.ruleId === "suspicious-network") {
-                const port = parseInt(match[1], 10);
-                if (STANDARD_PORTS.has(port))
-                    continue;
-            }
-            findings.push({
-                ruleId: rule.ruleId,
-                severity: rule.severity,
-                file: filePath,
-                line: i + 1,
-                message: rule.message,
-                evidence: truncateEvidence(line.trim()),
-            });
-            matchedLineRules.add(rule.ruleId);
-            break; // one finding per line-rule per file
-        }
-    }
-    // Source rules
-    const matchedSourceRules = new Set();
-    for (const rule of SOURCE_RULES) {
-        const ruleKey = `${rule.ruleId}::${rule.message}`;
-        if (matchedSourceRules.has(ruleKey))
-            continue;
-        if (!rule.pattern.test(source))
-            continue;
-        if (rule.requiresContext && !rule.requiresContext.test(source))
-            continue;
-        let matchLine = 0;
-        let matchEvidence = "";
-        for (let i = 0; i < lines.length; i++) {
-            if (rule.pattern.test(lines[i])) {
-                matchLine = i + 1;
-                matchEvidence = lines[i].trim();
-                break;
-            }
-        }
-        if (matchLine === 0) {
-            matchLine = 1;
-            matchEvidence = source.slice(0, 120);
-        }
-        findings.push({
-            ruleId: rule.ruleId,
-            severity: rule.severity,
-            file: filePath,
-            line: matchLine,
-            message: rule.message,
-            evidence: truncateEvidence(matchEvidence),
-        });
-        matchedSourceRules.add(ruleKey);
-    }
-    return findings;
-}
-async function walkDirWithLimit(deps, dirPath, maxFiles) {
-    const files = [];
-    const stack = [dirPath];
-    while (stack.length > 0 && files.length < maxFiles) {
-        const currentDir = stack.pop();
-        if (!currentDir)
-            break;
-        let entries;
-        try {
-            entries = deps.fs.readdirSync(currentDir, { withFileTypes: true });
-        }
-        catch {
-            continue;
-        }
-        for (const entry of entries) {
-            if (files.length >= maxFiles)
-                break;
-            if (entry.name.startsWith(".") || entry.name === "node_modules")
-                continue;
-            const fullPath = deps.path.join(currentDir, entry.name);
-            if (entry.isDirectory()) {
-                stack.push(fullPath);
-            }
-            else if (SCANNABLE_EXTENSIONS.has(deps.path.extname(entry.name).toLowerCase())) {
-                files.push(fullPath);
-            }
-        }
-    }
-    return files;
-}
-/**
- * Scan an entire skill directory for security issues.
- * Returns a summary with per-file findings.
- */
-export async function scanSkillDirectory(deps, skillDir, opts) {
-    const maxFiles = Math.max(1, opts?.maxFiles ?? DEFAULT_MAX_SCAN_FILES);
-    const maxFileBytes = Math.max(1, opts?.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES);
-    const files = opts?.includeFiles && opts.includeFiles.length > 0
-        ? opts.includeFiles
-        : await walkDirWithLimit(deps, skillDir, maxFiles);
-    const allFindings = [];
-    let scannedFiles = 0;
-    for (const filePath of files) {
-        try {
-            const stat = deps.fs.statSync(filePath);
-            if (stat.size > maxFileBytes)
-                continue;
-        }
-        catch {
-            continue;
-        }
-        let source;
-        try {
-            source = await deps.fs.readFile(filePath, "utf-8");
-        }
-        catch {
-            continue;
-        }
-        scannedFiles += 1;
-        const findings = scanSource(source, filePath);
-        allFindings.push(...findings);
-    }
-    return {
-        scannedFiles,
-        critical: allFindings.filter((f) => f.severity === "critical").length,
-        warn: allFindings.filter((f) => f.severity === "warn").length,
-        info: allFindings.filter((f) => f.severity === "info").length,
-        findings: allFindings,
-    };
-}
-/**
- * Quick check: does this source have any critical findings?
- */
-export function hasCriticalFindings(source, filePath) {
-    return scanSource(source, filePath).some((f) => f.severity === "critical");
-}
-/**
- * Check if a file extension is scannable by the guard.
- */
-export function isScannable(filePath, pathDeps) {
-    return SCANNABLE_EXTENSIONS.has(pathDeps.extname(filePath).toLowerCase());
-}