@agenshield/ipc 0.1.0

package/types/api.d.ts

@@ -0,0 +1,59 @@
+/**
+ * API types for AgenShield daemon communication
+ */
+import type { DaemonStatus } from './daemon';
+import type { ShieldConfig } from './config';
+export interface ApiResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: ApiError;
+}
+export interface ApiError {
+    code: string;
+    message: string;
+    details?: unknown;
+}
+/**
+ * Security status data
+ */
+export interface SecurityStatusData {
+    /** Is the current process running as root? */
+    runningAsRoot: boolean;
+    /** Current user */
+    currentUser: string;
+    /** Is sandbox user created? */
+    sandboxUserExists: boolean;
+    /** Is OpenClaw isolated to sandbox user? */
+    isIsolated: boolean;
+    /** Is guarded shell installed? */
+    guardedShellInstalled: boolean;
+    /** Exposed secrets found in environment (names only) */
+    exposedSecrets: string[];
+    /** Security warnings */
+    warnings: string[];
+    /** Critical security issues */
+    critical: string[];
+    /** Recommendations */
+    recommendations: string[];
+    /** Overall security level */
+    level: 'secure' | 'partial' | 'unprotected' | 'critical';
+}
+export type GetStatusResponse = ApiResponse<DaemonStatus>;
+export type GetConfigResponse = ApiResponse<ShieldConfig>;
+export type UpdateConfigResponse = ApiResponse<ShieldConfig>;
+export type HealthResponse = ApiResponse<{
+    ok: boolean;
+    timestamp: string;
+    mode?: 'daemon' | 'setup';
+}>;
+export type GetSecurityStatusResponse = ApiResponse<SecurityStatusData>;
+export interface FsBrowseEntry {
+    name: string;
+    path: string;
+    type: 'file' | 'directory';
+}
+export type FsBrowseResponse = ApiResponse<{
+    entries: FsBrowseEntry[];
+}>;
+export type UpdateConfigRequest = Partial<ShieldConfig>;
+//# sourceMappingURL=api.d.ts.map

package/types/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/types/api.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC7C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,MAAM,WAAW,WAAW,CAAC,CAAC;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,QAAQ,CAAC;CAClB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8CAA8C;IAC9C,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,4CAA4C;IAC5C,UAAU,EAAE,OAAO,CAAC;IACpB,kCAAkC;IAClC,qBAAqB,EAAE,OAAO,CAAC;IAC/B,wDAAwD;IACxD,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,sBAAsB;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B;IAC7B,KAAK,EAAE,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAU,CAAC;CAC1D;AAGD,MAAM,MAAM,iBAAiB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;AAC1D,MAAM,MAAM,iBAAiB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;AAC1D,MAAM,MAAM,oBAAoB,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;AAC7D,MAAM,MAAM,cAAc,GAAG,WAAW,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAA;CAAE,CAAC,CAAC;AACxG,MAAM,MAAM,yBAAyB,GAAG,WAAW,CAAC,kBAAkB,CAAC,CAAC;AAGxE,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,WAAW,CAAC;CAC5B;AACD,MAAM,MAAM,gBAAgB,GAAG,WAAW,CAAC;IAAE,OAAO,EAAE,aAAa,EAAE,CAAA;CAAE,CAAC,CAAC;AAGzE,MAAM,MAAM,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC"}

package/types/auth.d.ts

@@ -0,0 +1,121 @@
+/**
+ * Authentication types
+ *
+ * Types for passcode authentication and session management
+ */
+/**
+ * Auth status response - check if passcode is set and protection enabled
+ */
+export interface AuthStatusResponse {
+    /** Whether a passcode has been set */
+    passcodeSet: boolean;
+    /** Whether passcode protection is enabled */
+    protectionEnabled: boolean;
+    /** Whether anonymous read-only access is allowed (default: true) */
+    allowAnonymousReadOnly: boolean;
+    /** Whether the account is currently locked out due to failed attempts */
+    lockedOut: boolean;
+    /** ISO timestamp when lockout expires (if locked) */
+    lockedUntil?: string;
+}
+/**
+ * Unlock request - authenticate with passcode
+ */
+export interface UnlockRequest {
+    /** The passcode to verify */
+    passcode: string;
+}
+/**
+ * Unlock response - returns session token on success
+ */
+export interface UnlockResponse {
+    /** Whether authentication succeeded */
+    success: boolean;
+    /** Session token (only on success) */
+    token?: string;
+    /** Token expiration timestamp in ms (only on success) */
+    expiresAt?: number;
+    /** Error message (only on failure) */
+    error?: string;
+    /** Remaining attempts before lockout (only on failure) */
+    remainingAttempts?: number;
+}
+/**
+ * Lock request - invalidate session
+ */
+export interface LockRequest {
+    /** Session token to invalidate */
+    token: string;
+}
+/**
+ * Lock response
+ */
+export interface LockResponse {
+    /** Whether the session was invalidated */
+    success: boolean;
+}
+/**
+ * Setup request - set initial passcode
+ */
+export interface SetupPasscodeRequest {
+    /** The passcode to set */
+    passcode: string;
+    /** Whether to enable protection immediately */
+    enableProtection?: boolean;
+}
+/**
+ * Setup response
+ */
+export interface SetupPasscodeResponse {
+    /** Whether setup succeeded */
+    success: boolean;
+    /** Error message (only on failure) */
+    error?: string;
+}
+/**
+ * Change passcode request
+ */
+export interface ChangePasscodeRequest {
+    /** Current passcode (required unless running as root) */
+    oldPasscode?: string;
+    /** New passcode to set */
+    newPasscode: string;
+}
+/**
+ * Change passcode response
+ */
+export interface ChangePasscodeResponse {
+    /** Whether change succeeded */
+    success: boolean;
+    /** Error message (only on failure) */
+    error?: string;
+}
+/**
+ * Session info (internal use)
+ */
+export interface Session {
+    /** Session token */
+    token: string;
+    /** When session was created */
+    createdAt: number;
+    /** When session expires */
+    expiresAt: number;
+    /** Client identifier (optional) */
+    clientId?: string;
+}
+/**
+ * Auth configuration
+ */
+export interface AuthConfig {
+    /** Session TTL in milliseconds (default: 30 minutes) */
+    sessionTtlMs: number;
+    /** Maximum failed attempts before lockout */
+    maxFailedAttempts: number;
+    /** Lockout duration in milliseconds */
+    lockoutDurationMs: number;
+}
+/**
+ * Default auth configuration
+ */
+export declare const DEFAULT_AUTH_CONFIG: AuthConfig;
+//# sourceMappingURL=auth.d.ts.map

package/types/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,sCAAsC;IACtC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,iBAAiB,EAAE,OAAO,CAAC;IAC3B,oEAAoE;IACpE,sBAAsB,EAAE,OAAO,CAAC;IAChC,yEAAyE;IACzE,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0DAA0D;IAC1D,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,8BAA8B;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,+BAA+B;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,+BAA+B;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,wDAAwD;IACxD,YAAY,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,uCAAuC;IACvC,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,UAIjC,CAAC"}

package/types/backup.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Types for installation backup and restore
+ */
+/**
+ * Information about the original OpenClaw installation
+ */
+export interface OriginalInstallation {
+    /** Installation method */
+    method: 'npm' | 'git';
+    /** Path to the original package directory */
+    packagePath: string;
+    /** Path to the original binary */
+    binaryPath?: string;
+    /** Path to the original config directory */
+    configPath?: string;
+    /** Original config backup path (renamed to .backup-<timestamp>) */
+    configBackupPath?: string;
+    /** Installed version */
+    version?: string;
+    /** Path to the git repo (for git installs) */
+    gitRepoPath?: string;
+}
+/**
+ * Information about the sandbox user
+ */
+export interface SandboxUserInfo {
+    /** Username (typically 'openclaw') */
+    username: string;
+    /** User ID */
+    uid: number;
+    /** Group ID */
+    gid: number;
+    /** Home directory */
+    homeDir: string;
+}
+/**
+ * Paths where files were migrated to
+ */
+export interface MigratedPaths {
+    /** Path to the migrated package */
+    packagePath: string;
+    /** Path to the migrated config */
+    configPath: string;
+    /** Path to the new binary wrapper */
+    binaryPath: string;
+}
+/**
+ * Complete installation backup for safe reversal
+ */
+export interface InstallationBackup {
+    /** Backup file format version */
+    version: '1.0';
+    /** Timestamp when backup was created (ISO 8601) */
+    timestamp: string;
+    /** Original user who ran the setup */
+    originalUser: string;
+    /** Original user's home directory */
+    originalUserHome: string;
+    /** Details about the original installation */
+    originalInstallation: OriginalInstallation;
+    /** Details about the sandbox user */
+    sandboxUser: SandboxUserInfo;
+    /** Paths where files were migrated */
+    migratedPaths: MigratedPaths;
+}
+/**
+ * Backup file location and permissions
+ */
+export declare const BACKUP_CONFIG: {
+    /** Directory for AgenShield configuration */
+    readonly configDir: "/etc/agenshield";
+    /** Backup file path */
+    readonly backupPath: "/etc/agenshield/backup.json";
+    /** Directory permissions (readable by all, writable by root) */
+    readonly dirMode: 493;
+    /** File permissions (root only) */
+    readonly fileMode: 384;
+};
+//# sourceMappingURL=backup.d.ts.map

package/types/backup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backup.d.ts","sourceRoot":"","sources":["../../src/types/backup.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,0BAA0B;IAC1B,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,wBAAwB;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,eAAe;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,iCAAiC;IACjC,OAAO,EAAE,KAAK,CAAC;IACf,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,qCAAqC;IACrC,gBAAgB,EAAE,MAAM,CAAC;IACzB,8CAA8C;IAC9C,oBAAoB,EAAE,oBAAoB,CAAC;IAC3C,qCAAqC;IACrC,WAAW,EAAE,eAAe,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;IACxB,6CAA6C;;IAE7C,uBAAuB;;IAEvB,gEAAgE;;IAEhE,mCAAmC;;CAE3B,CAAC"}

package/types/catalog.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Command Catalog types — shared across packages
+ */
+export type SecurityRisk = 'high' | 'medium' | 'low' | 'info';
+export type CommandCategory = 'system' | 'package-manager' | 'network' | 'shell' | 'language-runtime' | 'other';
+export interface CatalogEntry {
+    description: string;
+    category: CommandCategory;
+    risk: SecurityRisk;
+    riskReason: string;
+    tags: string[];
+}
+//# sourceMappingURL=catalog.d.ts.map

package/types/catalog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.d.ts","sourceRoot":"","sources":["../../src/types/catalog.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAC9D,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,iBAAiB,GAAG,SAAS,GAAG,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;AAEhH,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,CAAC;IAC1B,IAAI,EAAE,YAAY,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB"}

package/types/config.d.ts

@@ -0,0 +1,208 @@
+/**
+ * Configuration types for AgenShield
+ */
+/**
+ * User definition for dynamic user creation
+ */
+export interface UserDefinition {
+    /** Username (e.g., 'agenshield_agent' or 'test1_agenshield_agent') */
+    username: string;
+    /** User ID */
+    uid: number;
+    /** Primary group ID */
+    gid: number;
+    /** User shell */
+    shell: string;
+    /** Home directory */
+    home: string;
+    /** Real name / description */
+    realname: string;
+    /** Additional groups */
+    groups: string[];
+}
+/**
+ * Group definition for dynamic group creation
+ */
+export interface GroupDefinition {
+    /** Group name (e.g., 'agenshield' or 'test1_agenshield') */
+    name: string;
+    /** Group ID */
+    gid: number;
+    /** Description */
+    description: string;
+}
+/**
+ * Configuration for user and group creation
+ * Supports optional prefix for testing/multiple instances
+ */
+export interface UserConfig {
+    /** Agent user definition */
+    agentUser: UserDefinition;
+    /** Broker user definition */
+    brokerUser: UserDefinition;
+    /** Groups to create */
+    groups: {
+        /** Socket access group (clawshield) */
+        socket: GroupDefinition;
+        /** Workspace access group (clawworkspace) */
+        workspace: GroupDefinition;
+    };
+    /** Optional prefix for all names (e.g., 'test1' → 'test1_agenshield_agent') */
+    prefix: string;
+    /** Base name for users/groups (default: 'agenshield') */
+    baseName: string;
+    /** Base UID for user creation */
+    baseUid: number;
+    /** Base GID for group creation */
+    baseGid: number;
+}
+/**
+ * Paths configuration (can be derived from UserConfig)
+ */
+export interface PathsConfig {
+    /** Socket path */
+    socketPath: string;
+    /** Main config directory */
+    configDir: string;
+    /** Policies directory */
+    policiesDir: string;
+    /** Seatbelt profiles directory */
+    seatbeltDir: string;
+    /** Log directory */
+    logDir: string;
+    /** Agent home directory */
+    agentHomeDir: string;
+    /** Socket directory */
+    socketDir: string;
+}
+/**
+ * Full installation configuration
+ */
+export interface InstallationConfig {
+    /** User and group configuration */
+    users: UserConfig;
+    /** Paths configuration */
+    paths: PathsConfig;
+    /** Whether to enable HTTP fallback */
+    httpFallback: boolean;
+    /** HTTP fallback port */
+    httpPort: number;
+}
+export interface ShieldConfig {
+    version: string;
+    daemon: DaemonConfig;
+    broker?: BrokerConfig;
+    policies: PolicyConfig[];
+    vault?: VaultConfig;
+    skills?: SkillsConfig;
+    soul?: SoulConfig;
+}
+export interface DaemonConfig {
+    /** HTTP server port (default: 5200) */
+    port: number;
+    /** HTTP server host (default: 'localhost') */
+    host: string;
+    /** Logging level */
+    logLevel: 'debug' | 'info' | 'warn' | 'error';
+    /** Whether to add agen.shield to /etc/hosts */
+    enableHostsEntry: boolean;
+}
+export interface BrokerConfig {
+    /** Unix socket path */
+    socketPath: string;
+    /** Whether HTTP fallback is enabled */
+    httpEnabled: boolean;
+    /** HTTP fallback port */
+    httpPort: number;
+    /** HTTP fallback host */
+    httpHost: string;
+    /** Path to policies directory */
+    policiesPath: string;
+    /** Path to audit log */
+    auditLogPath: string;
+    /** Whether to fail open if policy check fails */
+    failOpen: boolean;
+    /** Socket file permissions (octal) */
+    socketMode?: number;
+    /** Socket owner user */
+    socketOwner?: string;
+    /** Socket owner group */
+    socketGroup?: string;
+}
+export interface PolicyConfig {
+    /** Unique identifier for the policy */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Policy action: allow, deny, or approval (future) */
+    action: 'allow' | 'deny' | 'approval';
+    /** What this policy targets */
+    target: 'skill' | 'command' | 'url' | 'filesystem';
+    /** URL/command patterns to match */
+    patterns: string[];
+    /** Whether this policy is active */
+    enabled: boolean;
+    /** Priority (higher = evaluated first) */
+    priority?: number;
+    /** Operations this policy applies to */
+    operations?: string[];
+}
+export interface VaultConfig {
+    /** Whether vault is enabled */
+    enabled: boolean;
+    /** Secret provider type */
+    provider: 'local' | 'env';
+    /** Path to encrypted vault file */
+    vaultPath?: string;
+}
+export interface SkillsConfig {
+    /** Whether skills are enabled */
+    enabled: boolean;
+    /** Directories to load skills from */
+    directories: string[];
+    /** Built-in skills to enable */
+    builtinSkills?: string[];
+}
+export interface SoulConfig {
+    /** Whether soul injection is enabled */
+    enabled: boolean;
+    /** Injection mode */
+    mode: 'prepend' | 'append' | 'replace';
+    /** Custom soul content */
+    content?: string;
+    /** Security level */
+    securityLevel?: 'low' | 'medium' | 'high';
+}
+export interface SkillAnalysis {
+    status: 'pending' | 'analyzing' | 'complete' | 'error';
+    analyzedAt?: string;
+    analyzerId: string;
+    vulnerability?: {
+        level: 'safe' | 'low' | 'medium' | 'high' | 'critical';
+        details: string[];
+        suggestions?: string[];
+    };
+    commands: ExtractedCommand[];
+    error?: string;
+}
+export interface ExtractedCommand {
+    name: string;
+    source: 'metadata' | 'analysis';
+    field?: string;
+    resolvedPath?: string;
+    available: boolean;
+    required: boolean;
+}
+export interface AnalyzerConfig {
+    id: string;
+    name: string;
+    type: 'agenshield' | 'custom';
+    endpoint?: string;
+    enabled: boolean;
+    apiKey?: string;
+}
+export interface SystemBinary {
+    name: string;
+    path: string;
+}
+//# sourceMappingURL=config.d.ts.map

package/types/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,qBAAqB;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4DAA4D;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,eAAe;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB,4BAA4B;IAC5B,SAAS,EAAE,cAAc,CAAC;IAC1B,6BAA6B;IAC7B,UAAU,EAAE,cAAc,CAAC;IAC3B,uBAAuB;IACvB,MAAM,EAAE;QACN,uCAAuC;QACvC,MAAM,EAAE,eAAe,CAAC;QACxB,6CAA6C;QAC7C,SAAS,EAAE,eAAe,CAAC;KAC5B,CAAC;IACF,+EAA+E;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,mCAAmC;IACnC,KAAK,EAAE,UAAU,CAAC;IAClB,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;IACnB,sCAAsC;IACtC,YAAY,EAAE,OAAO,CAAC;IACtB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C,+CAA+C;IAC/C,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,wBAAwB;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAClB,sCAAsC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yBAAyB;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,uCAAuC;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,uDAAuD;IACvD,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;IACtC,+BAA+B;IAC/B,MAAM,EAAE,OAAO,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,CAAC;IACnD,oCAAoC;IACpC,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,+BAA+B;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,QAAQ,EAAE,OAAO,GAAG,KAAK,CAAC;IAC1B,mCAAmC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,iCAAiC;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,gCAAgC;IAChC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,qBAAqB;IACrB,IAAI,EAAE,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;IACvC,0BAA0B;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qBAAqB;IACrB,aAAa,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CAC3C;AAID,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,UAAU,GAAG,OAAO,CAAC;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE;QACd,KAAK,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;QACvD,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,YAAY,GAAG,QAAQ,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd"}

package/types/daemon.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Daemon status types for AgenShield
+ */
+export interface DaemonStatus {
+    /** Whether the daemon is currently running */
+    running: boolean;
+    /** Process ID of the daemon */
+    pid?: number;
+    /** Uptime in seconds */
+    uptime?: number;
+    /** Version of the daemon */
+    version: string;
+    /** Port the daemon is listening on */
+    port: number;
+    /** ISO timestamp when the daemon started */
+    startedAt?: string;
+    /** Agent username from state (type='agent') */
+    agentUsername?: string;
+    /** Workspace group name from state (type='workspace') */
+    workspaceGroup?: string;
+}
+//# sourceMappingURL=daemon.d.ts.map

package/types/daemon.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/types/daemon.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,YAAY;IAC3B,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IACjB,+BAA+B;IAC/B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wBAAwB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB"}

package/types/discovery.d.ts

@@ -0,0 +1,121 @@
+/**
+ * Discovery types — shared across packages for binary/skill scanning
+ */
+import type { CommandCategory } from './catalog';
+export type ExecutionContext = 'root' | 'user' | 'workspace';
+export type BinarySourceKind = 'system' | 'homebrew' | 'npm-global' | 'yarn-global' | 'agent-bin' | 'workspace-bin' | 'path-other';
+export type ProtectionKind = 'proxied' | 'wrapped' | 'allowed' | 'unprotected';
+export interface DiscoveredBinary {
+    name: string;
+    path: string;
+    dir: string;
+    sourceKind: BinarySourceKind;
+    contexts: ExecutionContext[];
+    protection: ProtectionKind;
+    category: CommandCategory;
+    isShieldExecSymlink: boolean;
+}
+export interface BinaryDirectory {
+    path: string;
+    sourceKind: BinarySourceKind;
+    contexts: ExecutionContext[];
+    count: number;
+}
+export interface SkillMetadata {
+    name?: string;
+    description?: string;
+    version?: string;
+    homepage?: string;
+    emoji?: string;
+    'user-invocable'?: boolean;
+    'disable-model-invocation'?: boolean;
+    'command-dispatch'?: string;
+    'command-tool'?: string;
+    'command-arg-mode'?: string;
+    requires?: {
+        bins?: string[];
+        anyBins?: string[];
+        env?: string[];
+        config?: string[];
+        [key: string]: unknown;
+    };
+    metadata?: {
+        openclaw?: OpenClawSkillMetadata;
+        [key: string]: unknown;
+    };
+    agenshield?: {
+        allowedCommands?: string[];
+        [key: string]: unknown;
+    };
+    [key: string]: unknown;
+}
+export interface OpenClawSkillMetadata {
+    always?: boolean;
+    os?: string[];
+    requires?: {
+        bins?: string[];
+        anyBins?: string[];
+        env?: string[];
+        config?: string[];
+    };
+    primaryEnv?: string;
+    homepage?: string;
+    install?: Array<{
+        id: string;
+        kind: string;
+        formula?: string;
+        bins?: string[];
+    }>;
+}
+export interface SkillExtractedInfo {
+    /** API keys / env vars required */
+    apiKeys: string[];
+    /** Binary dependencies */
+    bins: string[];
+    /** Optional binary alternatives */
+    anyBins: string[];
+    /** OpenClaw config paths required */
+    configOptions: string[];
+    /** Install instructions */
+    installSteps: OpenClawSkillMetadata['install'];
+}
+export interface DiscoveredSkill {
+    name: string;
+    path: string;
+    hasSkillMd: boolean;
+    metadata: SkillMetadata | null;
+    requiredCommands: SkillCommandRequirement[];
+    approval: 'approved' | 'quarantined' | 'unknown';
+    extractedInfo?: SkillExtractedInfo;
+}
+export interface SkillCommandRequirement {
+    name: string;
+    source: 'metadata' | 'analysis';
+    available: boolean;
+    resolvedPath?: string;
+    protection?: ProtectionKind;
+    required: boolean;
+}
+export interface DiscoveryOptions {
+    agentHome?: string;
+    workspaceDir?: string;
+    scanSkills?: boolean;
+    extraDirs?: string[];
+}
+export interface DiscoveryResult {
+    scannedAt: string;
+    binaries: DiscoveredBinary[];
+    directories: BinaryDirectory[];
+    skills: DiscoveredSkill[];
+    summary: DiscoverySummary;
+}
+export interface DiscoverySummary {
+    totalBinaries: number;
+    totalDirectories: number;
+    totalSkills: number;
+    byContext: Record<ExecutionContext, number>;
+    byProtection: Record<ProtectionKind, number>;
+    bySourceKind: Partial<Record<BinarySourceKind, number>>;
+    skillsWithMissingDeps: number;
+}
+//# sourceMappingURL=discovery.d.ts.map

package/types/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/types/discovery.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAEjD,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,WAAW,CAAC;AAE7D,MAAM,MAAM,gBAAgB,GACxB,QAAQ,GACR,UAAU,GACV,YAAY,GACZ,aAAa,GACb,WAAW,GACX,eAAe,GACf,YAAY,CAAC;AAEjB,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,GAAG,aAAa,CAAC;AAE/E,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,gBAAgB,CAAC;IAC7B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,UAAU,EAAE,cAAc,CAAC;IAC3B,QAAQ,EAAE,eAAe,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,gBAAgB,CAAC;IAC7B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,EAAE;QACT,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE,qBAAqB,CAAC;QACjC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;IACpE,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;IACd,QAAQ,CAAC,EAAE;QACT,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,KAAK,CAAC;QACd,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,kBAAkB;IACjC,mCAAmC;IACnC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,0BAA0B;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,mCAAmC;IACnC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,qCAAqC;IACrC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,2BAA2B;IAC3B,YAAY,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAC;CAChD;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,OAAO,CAAC;IACpB,QAAQ,EAAE,aAAa,GAAG,IAAI,CAAC;IAC/B,gBAAgB,EAAE,uBAAuB,EAAE,CAAC;IAC5C,QAAQ,EAAE,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;IACjD,aAAa,CAAC,EAAE,kBAAkB,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAC5C,YAAY,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAC7C,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC;IACxD,qBAAqB,EAAE,MAAM,CAAC;CAC/B"}