Show HN: ClawDiary – Audit logs and human approval gates for AI agents (Claw, MCP
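Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
ClawDiary is a monitoring system that records every action an AI agent takes and blocks risky commands (file deletion, table drops, and so on) until the user approves them via Telegram. Technically, it uses a Cloudflare Worker, Hono, and a D1 database, and supports integration through Cursor rules or MCP tools.
Body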
Cloud audit, guard, and shared diary for AI agents — multi-agent collaboration, one gateway.

ClawDiary is a lightweight, self-hosted API gateway built on Cloudflare Workers that gives you full visibility and control over your AI agents. It provides three core capabilities: passive audit logging, active risk interception with human-in-the-loop approval, and a shared diary for cross-device agent collaboration.

ClawDiary is live in production. No setup required: register via the Telegram Bot, get your API key, and start using Guard + Audit + Diary from Cursor, MCP, or any HTTP client. The hosted service includes the full web dashboard (timeline, docs, legal pages) and optional paid plans (Pro / Team) with higher quotas and Telegram notifications.

| | Self-hosted (this repo) | clawdiary.org |
|---|---|---|
| Audit, Guard, Diary API | Yes | Yes |
| Telegram Bot & approval | You configure your own | Included |
| Web UI (timeline, docs) | No (API only) | Yes |
| Billing / paid plans | No | Yes (Paddle) |
| Best for | Full control, private deployment | Quick start, no ops |

If you just want to plug in and go, use https://api.clawdiary.org with the API key from the bot. This repository is the API-only, self-hostable version for those who prefer to run their own instance.

- Audit — Agents report actions after execution; async, zero-latency logging to D1
- Guard — High-risk operations are intercepted and held until a human approves via Telegram
- Diary — One owner, multiple devices ("lobsters"), shared notebook readable and writable from anywhere
- Daily Digest — Automated Cron summary of costs and blocked actions, pushed to Telegram
- Multi-tenant — User isolation via API keys; Free tier and invite-code upgrades (no payment in this repo)
- MCP & OpenAPI — Machine-readable descriptors at /mcp.json and /.well-known/openapi.json
- API-only — No web UI or payment code; for full product (timeline, billing) use clawdiary.org
- Zero infrastructure — Runs entirely on Cloudflare's edge: Workers, D1, Durable Objects

```
                       ┌──────────────────────────────────────────────────┐
                       │                Cloudflare Workers                │
                       │                                                  │
AI Agent ──────────────┤  POST /v1/audit ──► D1 (logs)                    │
(Cursor, MCP, etc.)    │                                                  │
                       │  POST /v1/guard ──► Classifier                   │
                       │                         │                        │
                       │                 ┌───────┴───────┐                │
                       │                 ▼               ▼                │
                       │             Green-lit      Red-flagged           │
                       │            (approved)        ┌──► D1 (approvals) │
                       │                              │                   │
                       │                              ├──► Telegram notify│
                       │                              │                   │
                       │                              └──► Durable Object │
                       │                                   (wait/resolve) │
                       │                                                  │
Your app ──────────────┤  GET /api/feed ──► JSON entries (optional auth)  │
                       │                                                  │
Telegram ──────────────┤  POST /webhook/telegram                          │
                       │    ├── Approve / Reject callbacks                │
                       │    └── Bot commands (/start, /key, /manage)      │
                       │                                                  │
                       │  Cron (00:00 UTC) ──► Daily digest               │
                       └──────────────────────────────────────────────────┘
```

- Node.js 18+
- A Cloudflare account with Wrangler CLI logged in (`wrangler login`)
- (Optional) A Telegram Bot for approval notifications and daily digests

```bash
# 1. Clone and install
git clone https://github.com/your-org/claw-diary.git
cd claw-diary
npm install

# 2. Copy the example config and fill in your values
cp wrangler.example.toml wrangler.toml

# 3. Create the D1 database
npm run db:create
# Paste the returned database_id into wrangler.toml → [[d1_databases]]

# 4. Run migrations
npm run db:migrate        # Remote (safe: auto-adds missing columns)
npm run db:migrate:local  # Local dev

# 5. Set secrets (interactive prompt)
wrangler secret put API_KEY
wrangler secret put TELEGRAM_BOT_TOKEN

# 6. Start local dev server
npm run dev

# 7. Deploy to Cloudflare
npm run deploy
```

| Name | Required | Description |
|---|---|---|
| API_KEY | Yes | Bearer token for all /v1/* endpoints |
| TELEGRAM_BOT_TOKEN | No | Telegram Bot API token for approval & digest |

| Name | Description |
|---|---|
| TELEGRAM_CHAT_ID | Admin chat ID for system notifications |
| APEX_DOMAIN | Your domain (e.g. clawdiary.org) |

(Payment/billing is not included in this open-source build. Use clawdiary.org for hosted plans.)

All /v1/* endpoints require authentication: Authorization: Bearer

Report an action after execution. Non-blocking (`waitUntil`).

```json
{
  "agent_id": "my-agent",
  "session_id": "sess-001",
  "action_type": "tool_call",
  "cost": 0.003,
  "payload": { "tool": "search_web", "query": "weather" }
}
```

Response: `{ "ok": true }`

Call before a high-risk action. The request blocks until a human approves or rejects.

```json
{
  "agent_id": "my-agent",
  "action_type": "execute_bash",
  "command": "rm -rf /tmp/data",
  "thought": "Cleaning up temporary files"
}
```

Response: `{ "approved": true }` or `{ "approved": false }`

```json
{
  "owner_id": "alice",
  "lobster_id": "home-pc",
  "content": "Completed API integration today."
}
```

| Param | Type | Description |
|---|---|---|
| owner_id | string | Required. Owner identifier |
| since | string | Optional. ISO 8601 UTC timestamp filter |
| limit | number | Optional. Max entries (default 50, max 100) |

| Endpoint | Auth | Description |
|---|---|---|
| GET / | No | Redirects to /docs |
| GET /api/feed | Optional | JSON feed of logs & approvals |
| GET /docs | No | Human-readable deployment guide (HTML or Mark
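
The blocking guard call described above only protects anything if the agent treats every outcome other than an explicit approval as a denial. The following JavaScript is an added example, not code from the ClawDiary repository: `guardedRun`, `isApproved`, the injectable `transport` parameter and the five-minute timeout are assumptions, while the base URL, the `/v1/guard` path, the request fields and the `{ "approved": true }` reply come from the page.

```javascript
// Added example (not ClawDiary's code): fail-closed client for POST /v1/guard.
// `transport` is a hypothetical injectable function with the fetch() signature.
const BASE_URL = "https://api.clawdiary.org"; // hosted endpoint named on the page

function buildGuardRequest(apiKey, action) {
  if (!apiKey) throw new Error("API key required");
  return {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${apiKey}`,
      "Content-Type": "application/json",
    },
    // Send only the fields the guard endpoint documents; drop anything else.
    body: JSON.stringify({
      agent_id: action.agent_id,
      action_type: action.action_type,
      command: action.command,
      thought: action.thought,
    }),
  };
}

// Approval requires a 2xx status AND a JSON object whose `approved` is the
// boolean true. A string "true", a missing field or an error page all deny.
function isApproved(status, body) {
  return status >= 200 && status < 300 &&
    body !== null && typeof body === "object" && body.approved === true;
}

// Ask the guard first, run `execute` only on explicit approval.
// timeoutMs (assumed: 5 minutes) bounds how long the agent waits for a human.
async function guardedRun(apiKey, action, execute, transport = fetch, timeoutMs = 300000) {
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  let approved = false;
  try {
    const res = await transport(`${BASE_URL}/v1/guard`,
      { ...buildGuardRequest(apiKey, action), signal: ctl.signal });
    approved = isApproved(res.status, await res.json());
  } catch (err) {
    approved = false; // network error, timeout or malformed JSON: deny
  } finally {
    clearTimeout(timer);
  }
  if (!approved) return { executed: false };
  return { executed: true, result: await execute(action.command) };
}
```

Because the command is executed only inside `guardedRun`, a gateway outage stops the agent rather than letting it proceed unreviewed.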
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.