🛡️ JEP Guard for ClawHub — Browser Extension v1.1.0

The official browser companion for JEP Guard, designed specifically for the ClawHub ecosystem.

Not just a monitor. A safety layer that lives inside your browser, enhancing every ClawHub page with pre-install accountability, real-time causal overlays, and cross-tab session visualization.

✨ What Makes This Different

🚀 Installation

One-Command Start (Recommended)

# macOS / Linux
./start.sh

# Windows
start.bat

The launcher will:

• Check if Node.js is installed (prompt to download if not)
• Start the JEP Guard daemon automatically
• Open your browser extensions page

Manual Setup

1. Download and unzip this package.
2. Start the daemon:

   node daemon.js
   

3. Open chrome://extensions → Enable Developer mode.
4. Click Load unpacked → Select the folder.
5. Pin 🛡️ to your toolbar.

Firefox

1. Open about:debugging → This Firefox → Load Temporary Add-on.
2. Select manifest.json.
3. Start the daemon: node daemon.js.

🔌 Start the Daemon

JEP Guard ships with a built-in minimal daemon. No separate download needed.

Quick Start

# From the extension folder
node daemon.js

The daemon will start on http://127.0.0.1:9745 (localhost only, no remote access) and automatically create a ~/.jep-data/ directory for event storage.

Security Notes

• Zero-config pairing: The first time you start the daemon and enable the extension, they automatically negotiate a secure token within a 60-second window. No manual setup required.
• Binding: Daemon binds exclusively to 127.0.0.1. It cannot be accessed from other machines on your network.
• Authentication: After auto-pairing, all daemon endpoints require a secret token. The token is stored locally: daemon in ~/.jep-data/state.json, extension in chrome.storage.local (device-only, never cloud-synced).
• CORS: Only browser extension origins (chrome-extension://, moz-extension://, edge-extension://) and localhost are permitted. No arbitrary web pages can access your event data.
• Data location: Events are stored in ~/.jep-data/events.jsonl (plain text, human-readable). Review this file before sharing; it may contain nonces and payloads from your AI sessions.

Environment Variables

Data Storage

• Events: Append-only JSONL file (events.jsonl) — human readable, grep-friendly
• State: JSON snapshot (state.json) — daemon stats and hash chain head
• Hash chain: Every event includes prev (previous hash) and hash (self hash) for tamper evidence

Stop the Daemon

Press Ctrl+C. State is automatically saved.

🚀 Installation

🖥️ Feature Breakdown

1. First-Run Onboarding

• No data collection until you say yes
• Granular toggle for every feature: daemon connection, ClawHub enhancement, install gating, overlay, notifications
• Minimal mode: storage-only, zero network calls

2. Popup Dashboard (Ctrl+Shift+J / Cmd+Shift+J)

• Live daemon status with color-coded pill
• Active session card — shows which skill currently owns the active tab
• Mini Session Graph — SVG visualization of cross-tab skill chains
• 6-stat grid — J/D/V/T/Total/Skills
• Recent chain + Skill reputation snapshot
• Quick actions: Settings · Export JSON · Generate Report · Pause All

3. ClawHub Store Enhancement (Content Script)

When you browse clawhub.ai:

• Skill cards get a "🛡️ JEP Ready" badge + colored risk bar (critical/high/medium/low)
• Detail pages inject a pre-install accountability panel:
  • Risk level tag
  • Permission chips
  • Auto-start warning
  • Shell command detection
• Install gating: The install button is disabled until you check "I acknowledge this skill will be causally traced by JEP Guard"

4. Causal Overlay (All AI Pages)

A draggable, minimizable floating widget on any page:

• Real-time daemon status
• Live J/D/V/T counts
• One-click hide/show (Ctrl+Shift+K)

5. Options Page

• General: Daemon host, poll interval, notification toggles
• Event Log: Search, verb filter, pagination, JSON export
• Session Graph: Full-size interactive SVG of cross-tab chains
• Skills: Reputation cards with completion-rate bars
• ClawHub: Fine-grained control over store enhancement, install gating, and badges
• Privacy: Emergency pause, clear data, revoke permissions, transparency log
• About: Links to GitHub, IETF draft, contact

7. Token Budget Layer (Extension)

A JEP-native token optimization extension that records every MCP call cost, deduplicates redundant calls, and enforces user-defined daily budgets — with full causal traceability.

Every optimization decision is logged as a JEP event (Verb: V — Verify), so you can audit why a call was skipped or merged.

6. Compliance Report (report.html)

A printable, PDF-ready audit report with:

• Generation timestamp
• Event summary
• Recent events table with verb badges
• Skill reputation snapshot
• Legal declaration footer

⌨️ Keyboard Shortcuts

🔒 Security & Privacy

• localhost only — No remote servers. Ever.
• No credential storage — Only user preferences in chrome.storage.sync.
• Optional permissions — notifications, tabs, scripting. No nativeMessaging required.
• User autonomy first — Every feature is opt-in. You can pause or revoke everything at any time.
• Transparency log — Every permission request and data access is logged.
• MIT-0 License — Public domain.

📦 Compatibility

• Extension: v1.0.0
• Required Daemon: JEP Guard ≥ v2.0.4
• Manifest: V3 (Chrome 88+, Edge 88+, Firefox 109+)

📬 Links

• IETF JEP Draft: https://datatracker.ietf.org/doc/draft-wang-jep-judgment-event-protocol/
• Contact: signal@humanjudgment.org

Because "it works" is not enough. You need to know why it works — on ClawHub, in your browser, everywhere.