feelgoodbot 🛡️
Pronounced "Feel good, bot"
macOS file integrity monitor + TOTP step-up authentication for AI agents.
GitHub: https://github.com/kris-hansen/feelgoodbot
⭐ If you find this useful, please star the repo! It helps others discover it.
Features
1. File Integrity Monitoring — Detects tampering of system files
2. TOTP Step-Up Auth — Requires OTP for sensitive agent actions
Part 1: File Integrity Monitoring
Requirements
- Go 1.21+ — Install with `brew install go`
- macOS — Uses launchd for the daemon
Quick Setup
```bash
# Install via go install
go install github.com/kris-hansen/feelgoodbot/cmd/feelgoodbot@latest

# Initialize baseline snapshots
feelgoodbot init

# Install and start the daemon
feelgoodbot daemon install
feelgoodbot daemon start

# Check status
feelgoodbot status
```
Clawdbot Integration (Alerts)
Enable webhooks:
```bash
clawdbot config set hooks.enabled true
clawdbot config set hooks.token $(openssl rand -base64 32)
clawdbot gateway restart
```
Configure ~/.config/feelgoodbot/config.yaml:
```yaml
scan_interval: 5m
alerts:
  clawdbot:
    enabled: true
    webhook: http://127.0.0.1:18789/hooks/wake
    secret: <hooks.token from clawdbot config get hooks.token>
  local_notification: true
```
What It Monitors
- System binaries (/usr/bin, /usr/sbin)
- Launch daemons/agents (persistence mechanisms)
- SSH authorized_keys, sudoers, PAM
- Shell configs (.zshrc, .bashrc)
- Browser extensions
- AI agent configs (Claude, Cursor)
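To make concrete what a baseline-and-compare integrity check of paths like these involves, here is an added example (not feelgoodbot's own code): it hashes every regular file under a root into a snapshot, records the permission bits alongside the digest, and diffs two snapshots into added, removed and modified sets. The sample tree in `demo()` is constructed for illustration; the file names echo the categories above but are not real system files.

```python
"""Added example: a minimal file-integrity baseline/compare in the spirit of
feelgoodbot's snapshots (not the project's own code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest and
    permission bits. Mode changes count as tampering too: a sudoers or shell
    config made world-writable is a finding even if its bytes are unchanged."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            rel = str(p.relative_to(root))
            baseline[rel] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return baseline


def diff_snapshots(old: dict, new: dict) -> dict:
    """Compare a baseline against a fresh scan; lists are sorted for stable output."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample: take a baseline, tamper with the tree, re-scan, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in [
            ("authorized_keys", "ssh-ed25519 AAAA...constructed owner@laptop\n"),
            ("sudoers", "root ALL=(ALL) ALL\n"),
            (".zshrc", "export PATH=/usr/local/bin:$PATH\n"),
        ]:
            (root / name).write_text(text)
            (root / name).chmod(0o644)  # fixed mode so the demo is umask-independent
        baseline = snapshot(root)

        # Simulated tampering: an extra SSH key, a removed file, a new
        # persistence item, and a permission change with unchanged content.
        with (root / "authorized_keys").open("a") as f:
            f.write("ssh-ed25519 BBBB...constructed unknown@host\n")
        (root / "sudoers").unlink()
        (root / "LaunchAgents.plist").write_text("<plist/>\n")
        (root / ".zshrc").chmod(0o666)

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Storing the digest and the mode together is the design point: a content-only baseline misses the world-writable config case, and a mode-only check misses an appended key.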
Part 2: TOTP Step-Up Authentication
Step-up auth requires the user to enter an OTP code from Google Authenticator before the agent can perform sensitive actions.
Setup (User runs in terminal)
```bash
# Initialize TOTP (shows a QR code to scan)
feelgoodbot totp init --account user@feelgoodbot

# Verify it works
feelgoodbot totp verify

# Check status
feelgoodbot totp status
```
Configure Protected Actions
```bash
# List current protected actions
feelgoodbot totp actions list

# Add actions that require step-up
feelgoodbot totp actions add send_email
feelgoodbot totp actions add payment:*
feelgoodbot totp actions add delete:*
feelgoodbot totp actions add ssh:*
feelgoodbot totp actions add publish:*
feelgoodbot totp actions add gateway:*
feelgoodbot totp actions add voice_call:*
feelgoodbot totp actions add message:external

# Remove an action
feelgoodbot totp actions remove send_email
```
TOTP Commands
| Command | Description |
|---|---|
| `feelgoodbot totp init` | Set up TOTP with QR code |
| `feelgoodbot totp verify [code]` | Test a code |
| `feelgoodbot totp status` | Show TOTP status and session |
| `feelgoodbot totp check <action>` | Check if action needs step-up, prompt if needed |
| `feelgoodbot totp reset` | Remove TOTP config (requires code) |
| `feelgoodbot totp backup show` | Show remaining backup codes |
| `feelgoodbot totp backup regenerate` | Generate new backup codes |
| `feelgoodbot totp actions list` | List protected actions |
| `feelgoodbot totp actions add <action>` | Add protected action |
| `feelgoodbot totp actions remove <action>` | Remove protected action |
| `feelgoodbot totp respond <code>` | Submit OTP response (for async flow) |
Session Caching
After successful authentication, a session is cached for 15 minutes (configurable). Subsequent actions within this window don't require re-authentication.
Agent Integration (IMPORTANT)
Before performing any sensitive action, the agent MUST check step-up requirements.
Action Mapping
Map your intended actions to step-up patterns:
| Agent Action | Step-Up Pattern |
|---|---|
| Sending email | `send_email` |
| Making payments | `payment:*` |
| Deleting files | `delete:*` |
| SSH/remote access | `ssh:*` |
| Publishing code | `publish:*` |
| Modifying Clawdbot config | `gateway:*` |
| Making phone calls | `voice_call:*` |
| Messaging external contacts | `message:external` |
| Modifying step-up config | `config:update` |
Step-Up Check Flow
Before executing a sensitive action:
```bash
# Check if the action requires step-up (non-interactive check)
feelgoodbot totp check <action>
# Exit 0 = proceed, exit 1 = denied/not authenticated
```
If the session is valid: the command succeeds immediately (exit 0).
If step-up is required and there is no session:
1. Agent sends a Telegram message: "🔐 Action <action> requires step-up. Reply with your OTP code."
2. Wait for the user to reply with the 6-digit code
3. Validate: `feelgoodbot totp verify <code>`
4. If valid, create a session and proceed
5. If invalid, deny the action and notify the user
Example Agent Flow (Pseudocode)
```
function performSensitiveAction(action, execute_fn):
    # Check step-up requirement
    result = exec("feelgoodbot totp check " + action)
    if result.exit_code == 0:
        # Session valid or action not protected
        execute_fn()
        return success

    # Need to prompt the user
    send_telegram("🔐 Action {action} requires step-up.\nReply with the OTP code from Google Authenticator.")
    code = wait_for_user_reply(timeout=120s)
    if code is None:
        send_telegram("⏰ Step-up timed out. Action cancelled.")
        return denied

    # Validate the code
    valid = exec("feelgoodbot totp verify " + code)
    if valid.exit_code != 0:
        send_telegram("❌ Invalid code. Action cancelled.")
        return denied

    # Create the session by running the check again (it passes now)
    exec("feelgoodbot totp check " + action)
    execute_fn()
    send_telegram("✅ Action completed.")
    return success
```
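The pseudocode above, carried into working Python as an added example (this is not feelgoodbot's own code or a supported SDK). The CLI is called through an injectable `run` callable so the flow can be tested offline against `FakeFeelgoodbot`, a constructed stand-in that tracks a session the way the text describes; the glob interpretation of the `*` in the step-up patterns is an assumption of this example. Arguments are passed to `subprocess` as a list, never through a shell, so a user's chat reply cannot alter the command.

```python
"""Added example (not feelgoodbot's own code): the agent step-up flow in Python,
with the feelgoodbot CLI behind an injectable runner for offline testing."""
import fnmatch
import subprocess
from typing import Callable, Optional

# Step-up patterns from the action-mapping table. Glob semantics for "*" are an
# assumption of this example; the real tool's matching is decided by the CLI.
PROTECTED_PATTERNS = [
    "send_email", "payment:*", "delete:*", "ssh:*", "publish:*",
    "gateway:*", "voice_call:*", "message:external", "config:update",
]


def is_protected(action: str, patterns=PROTECTED_PATTERNS) -> bool:
    """Local pre-check: does the action match any protected pattern?"""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def run_feelgoodbot(*args: str) -> int:
    """Run `feelgoodbot totp <args>` and return its exit code (0 = ok).
    List-form argv: no shell, so the OTP reply is never interpreted."""
    return subprocess.run(["feelgoodbot", "totp", *args],
                          capture_output=True).returncode


def perform_sensitive_action(action: str, execute_fn: Callable[[], None],
                             ask_user: Callable[[str], Optional[str]],
                             notify: Callable[[str], None],
                             run: Callable[..., int] = run_feelgoodbot) -> str:
    """Gate execute_fn behind `feelgoodbot totp check`; prompt and verify if needed.
    ask_user(prompt) returns the reply or None on timeout; notify(text) messages the user."""
    if run("check", action) == 0:
        execute_fn()  # valid session or unprotected action
        return "success"

    code = ask_user(f"🔐 Action {action} requires step-up. Reply with your OTP code.")
    if code is None:
        notify("⏰ Step-up timed out. Action cancelled.")
        return "denied"
    if run("verify", code.strip()) != 0:
        notify("❌ Invalid code. Action cancelled.")
        return "denied"

    run("check", action)  # establishes the cached session, as in the pseudocode
    execute_fn()
    notify("✅ Action completed.")
    return "success"


class FakeFeelgoodbot:
    """Constructed stand-in for the CLI: keeps a session flag so the flow can be
    exercised without feelgoodbot installed. VALID_CODE is a constructed value."""
    VALID_CODE = "123456"

    def __init__(self):
        self.session = False
        self.calls = []

    def __call__(self, *args: str) -> int:
        self.calls.append(args)
        sub, arg = args[0], args[1]
        if sub == "check":
            return 0 if self.session or not is_protected(arg) else 1
        if sub == "verify":
            if arg == self.VALID_CODE:
                self.session = True
                return 0
            return 1
        return 1


def demo(action: str, reply: Optional[str]) -> dict:
    """Run one scenario against the fake CLI and report what happened."""
    fake = FakeFeelgoodbot()
    executed, messages = [], []
    outcome = perform_sensitive_action(
        action,
        execute_fn=lambda: executed.append(action),
        ask_user=lambda prompt: (messages.append(prompt), reply)[1],
        notify=messages.append,
        run=fake,
    )
    return {"outcome": outcome, "executed": bool(executed),
            "prompted": any(m.startswith("🔐") for m in messages)}


if __name__ == "__main__":
    for scenario in [("read_calendar", None), ("payment:card", "123456"),
                     ("delete:backup", "000000"), ("ssh:prod", None)]:
        print(scenario, demo(*scenario))
```

The `executed` flag in `demo()` is the property worth asserting in your own integration tests: on a denied or timed-out step-up, `execute_fn` must never have run.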
Quick Reference for Agent
Check before these actions:
- `send_email` — Before sending any email
- `payment:*` — Before any financial transaction
- `delete:*` — Before deleting files (delete:file, delete:backup, etc.)
- `ssh:*` — Before SSH connections
- `publish:*` — Before publishing/deploying
- `gateway:*` — Before modifying Clawdbot config
- `voice_call:*` — Before making phone calls
- `message:external` — Before messaging non-owner contacts
- `config:update` — Before modifying step-up config
Commands to use:
```bash
# Check and prompt (interactive)
feelgoodbot totp check send_email

# Just validate a code
feelgoodbot totp verify 123456

# Check session status
feelgoodbot totp status
```
File Locations
| File | Purpose |
|---|---|
| `~/.config/feelgoodbot/config.yaml` | Main config |
| `~/.config/feelgoodbot/totp.json` | TOTP secret + backup codes |
| `~/.config/feelgoodbot/stepup-config.json` | Protected actions |
| `~/.config/feelgoodbot/totp-session` | Session cache |
| `~/.config/feelgoodbot/snapshots/` | File integrity baselines |
| `~/.config/feelgoodbot/daemon.log` | Daemon logs |
Troubleshooting
TOTP code always invalid:
- Check that the system clock is accurate (`date`)
- Ensure you're using the correct authenticator entry
- Try a backup code
Step-up not prompting:
- Verify the action is in the protected list: `feelgoodbot totp actions list`
- Check that TOTP is initialized: `feelgoodbot totp status`
Reset everything:
```bash
# Reset TOTP (requires a valid code or backup code)
feelgoodbot totp reset

# Or remove manually (loses access without backup codes!)
rm ~/.config/feelgoodbot/totp.json
rm ~/.config/feelgoodbot/totp-session
```
⭐ Like feelgoodbot? Star it on GitHub: https://github.com/kris-hansen/feelgoodbot