@poolzin/pool-bot 2026.3.17 → 2026.3.19

package/dist/security/audit.js

@@ -1,17 +1,11 @@
-import { resolveSandboxConfigForAgent } from "../agents/sandbox.js";
-import { resolveBrowserConfig, resolveProfile } from "../browser/config.js";
-import { resolveBrowserControlAuth } from "../browser/control-auth.js";
-import { listChannelPlugins } from "../channels/plugins/index.js";
-import { formatCliCommand } from "../cli/command-format.js";
+/**
+ * Pool Bot Security Audit Framework
+ *
+ * Comprehensive security auditing for configuration, gateway, channels, and plugins.
+ * Ported from OpenClaw with adaptations for Pool Bot architecture.
+ */
 import { resolveConfigPath, resolveStateDir } from "../config/paths.js";
-import { resolveGatewayAuth } from "../gateway/auth.js";
-import { buildGatewayConnectionDetails } from "../gateway/call.js";
-import { resolveGatewayProbeAuth } from "../gateway/probe-auth.js";
-import { probeGateway } from "../gateway/probe.js";
-import { collectChannelSecurityFindings } from "./audit-channel.js";
-import { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectGatewayHttpNoAuthFindings, collectGatewayHttpSessionKeyOverrideFindings, collectHooksHardeningFindings, collectIncludeFilePermFindings, collectInstalledSkillsCodeSafetyFindings, collectSandboxBrowserHashLabelFindings, collectMinimalProfileOverrideFindings, collectModelHygieneFindings, collectNodeDenyCommandPatternFindings, collectSmallModelRiskFindings, collectSandboxDangerousConfigFindings, collectSandboxDockerNoopFindings, collectPluginsTrustFindings, collectSecretsInConfigFindings, collectPluginsCodeSafetyFindings, collectStateDeepFilesystemFindings, collectSyncedFolderFindings, readConfigSnapshotForAudit, } from "./audit-extra.js";
-import { formatPermissionDetail, formatPermissionRemediation, inspectPathPermissions, } from "./audit-fs.js";
-import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
+import { collectSecurityAuditFindings } from "./audit-findings.js";
 function countBySeverity(findings) {
     let critical = 0;
     let warn = 0;
@@ -29,575 +23,150 @@ function countBySeverity(findings) {
     }
     return { critical, warn, info };
 }
-function normalizeAllowFromList(list) {
-    if (!Array.isArray(list)) {
-        return [];
-    }
-    return list.map((v) => String(v).trim()).filter(Boolean);
-}
-function collectEnabledInsecureOrDangerousFlags(cfg) {
-    const enabledFlags = [];
-    if (cfg.gateway?.controlUi?.allowInsecureAuth === true) {
-        enabledFlags.push("gateway.controlUi.allowInsecureAuth=true");
-    }
-    if (cfg.gateway?.controlUi?.dangerouslyDisableDeviceAuth === true) {
-        enabledFlags.push("gateway.controlUi.dangerouslyDisableDeviceAuth=true");
-    }
-    if (cfg.hooks?.gmail?.allowUnsafeExternalContent === true) {
-        enabledFlags.push("hooks.gmail.allowUnsafeExternalContent=true");
-    }
-    if (Array.isArray(cfg.hooks?.mappings)) {
-        for (const [index, mapping] of cfg.hooks.mappings.entries()) {
-            if (mapping?.allowUnsafeExternalContent === true) {
-                enabledFlags.push(`hooks.mappings[${index}].allowUnsafeExternalContent=true`);
-            }
-        }
-    }
-    if (cfg.tools?.exec?.applyPatch?.workspaceOnly === false) {
-        enabledFlags.push("tools.exec.applyPatch.workspaceOnly=false");
-    }
-    return enabledFlags;
-}
-async function collectFilesystemFindings(params) {
+/**
+ * Perform comprehensive security audit
+ */
+export async function performSecurityAudit(options) {
+    const ts = Date.now();
     const findings = [];
-    const stateDirPerms = await inspectPathPermissions(params.stateDir, {
-        env: params.env,
-        platform: params.platform,
-        exec: params.execIcacls,
-    });
-    if (stateDirPerms.ok) {
-        if (stateDirPerms.isSymlink) {
-            findings.push({
-                checkId: "fs.state_dir.symlink",
-                severity: "warn",
-                title: "State dir is a symlink",
-                detail: `${params.stateDir} is a symlink; treat this as an extra trust boundary.`,
-            });
-        }
-        if (stateDirPerms.worldWritable) {
-            findings.push({
-                checkId: "fs.state_dir.perms_world_writable",
-                severity: "critical",
-                title: "State dir is world-writable",
-                detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; other users can write into your Pool Bot state.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.stateDir,
-                    perms: stateDirPerms,
-                    isDir: true,
-                    posixMode: 0o700,
-                    env: params.env,
-                }),
-            });
-        }
-        else if (stateDirPerms.groupWritable) {
-            findings.push({
-                checkId: "fs.state_dir.perms_group_writable",
-                severity: "warn",
-                title: "State dir is group-writable",
-                detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; group users can write into your Pool Bot state.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.stateDir,
-                    perms: stateDirPerms,
-                    isDir: true,
-                    posixMode: 0o700,
-                    env: params.env,
-                }),
-            });
-        }
-        else if (stateDirPerms.groupReadable || stateDirPerms.worldReadable) {
-            findings.push({
-                checkId: "fs.state_dir.perms_readable",
-                severity: "warn",
-                title: "State dir is readable by others",
-                detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; consider restricting to 700.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.stateDir,
-                    perms: stateDirPerms,
-                    isDir: true,
-                    posixMode: 0o700,
-                    env: params.env,
-                }),
-            });
-        }
-    }
-    const configPerms = await inspectPathPermissions(params.configPath, {
-        env: params.env,
-        platform: params.platform,
-        exec: params.execIcacls,
+    const cfg = options.config;
+    const sourceConfig = options.sourceConfig ?? cfg;
+    const env = options.env ?? process.env;
+    const platform = options.platform ?? process.platform;
+    const deep = options.deep ?? false;
+    const includeFilesystem = options.includeFilesystem ?? deep;
+    const includeChannelSecurity = options.includeChannelSecurity ?? true;
+    const stateDir = options.stateDir ?? resolveStateDir();
+    const configPath = options.configPath ?? resolveConfigPath();
+    const deepTimeoutMs = options.deepTimeoutMs ?? 10000;
+    const collectedFindings = await collectSecurityAuditFindings({
+        config: cfg,
+        sourceConfig,
+        env,
+        platform,
+        stateDir,
+        configPath,
+        deep,
+        includeFilesystem,
+        includeChannelSecurity,
+        deepTimeoutMs,
     });
-    if (configPerms.ok) {
-        const skipReadablePermWarnings = configPerms.isSymlink;
-        if (configPerms.isSymlink) {
-            findings.push({
-                checkId: "fs.config.symlink",
-                severity: "warn",
-                title: "Config file is a symlink",
-                detail: `${params.configPath} is a symlink; make sure you trust its target.`,
-            });
-        }
-        if (configPerms.worldWritable || configPerms.groupWritable) {
-            findings.push({
-                checkId: "fs.config.perms_writable",
-                severity: "critical",
-                title: "Config file is writable by others",
-                detail: `${formatPermissionDetail(params.configPath, configPerms)}; another user could change gateway/auth/tool policies.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.configPath,
-                    perms: configPerms,
-                    isDir: false,
-                    posixMode: 0o600,
-                    env: params.env,
-                }),
-            });
-        }
-        else if (!skipReadablePermWarnings && configPerms.worldReadable) {
-            findings.push({
-                checkId: "fs.config.perms_world_readable",
-                severity: "critical",
-                title: "Config file is world-readable",
-                detail: `${formatPermissionDetail(params.configPath, configPerms)}; config can contain tokens and private settings.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.configPath,
-                    perms: configPerms,
-                    isDir: false,
-                    posixMode: 0o600,
-                    env: params.env,
-                }),
-            });
-        }
-        else if (!skipReadablePermWarnings && configPerms.groupReadable) {
-            findings.push({
-                checkId: "fs.config.perms_group_readable",
-                severity: "warn",
-                title: "Config file is group-readable",
-                detail: `${formatPermissionDetail(params.configPath, configPerms)}; config can contain tokens and private settings.`,
-                remediation: formatPermissionRemediation({
-                    targetPath: params.configPath,
-                    perms: configPerms,
-                    isDir: false,
-                    posixMode: 0o600,
-                    env: params.env,
-                }),
-            });
-        }
-    }
-    return findings;
-}
-function collectGatewayConfigFindings(cfg, env) {
-    const findings = [];
-    const bind = typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback";
-    const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
-    const auth = resolveGatewayAuth({ authConfig: cfg.gateway?.auth, tailscaleMode, env });
-    const controlUiEnabled = cfg.gateway?.controlUi?.enabled !== false;
-    const trustedProxies = Array.isArray(cfg.gateway?.trustedProxies)
-        ? cfg.gateway.trustedProxies
-        : [];
-    const hasToken = typeof auth.token === "string" && auth.token.trim().length > 0;
-    const hasPassword = typeof auth.password === "string" && auth.password.trim().length > 0;
-    const hasSharedSecret = (auth.mode === "token" && hasToken) || (auth.mode === "password" && hasPassword);
-    const hasTailscaleAuth = auth.allowTailscale && tailscaleMode === "serve";
-    const hasGatewayAuth = hasSharedSecret || hasTailscaleAuth;
-    // HTTP /tools/invoke is intended for narrow automation, not session orchestration/admin operations.
-    // If operators opt-in to re-enabling these tools over HTTP, warn loudly so the choice is explicit.
-    const gatewayToolsAllowRaw = Array.isArray(cfg.gateway?.tools?.allow)
-        ? cfg.gateway?.tools?.allow
-        : [];
-    const gatewayToolsAllow = new Set(gatewayToolsAllowRaw
-        .map((v) => (typeof v === "string" ? v.trim().toLowerCase() : ""))
-        .filter(Boolean));
-    const reenabledOverHttp = DEFAULT_GATEWAY_HTTP_TOOL_DENY.filter((name) => gatewayToolsAllow.has(name));
-    if (reenabledOverHttp.length > 0) {
-        const extraRisk = bind !== "loopback" || tailscaleMode === "funnel";
-        findings.push({
-            checkId: "gateway.tools_invoke_http.dangerous_allow",
-            severity: extraRisk ? "critical" : "warn",
-            title: "Gateway HTTP /tools/invoke re-enables dangerous tools",
-            detail: `gateway.tools.allow includes ${reenabledOverHttp.join(", ")} which removes them from the default HTTP deny list. ` +
-                "This can allow remote session spawning / control-plane actions via HTTP and increases RCE blast radius if the gateway is reachable.",
-            remediation: "Remove these entries from gateway.tools.allow (recommended). " +
-                "If you keep them enabled, keep gateway.bind loopback-only (or tailnet-only), restrict network exposure, and treat the gateway token/password as full-admin.",
-        });
-    }
-    if (bind !== "loopback" && !hasSharedSecret && auth.mode !== "trusted-proxy") {
-        findings.push({
-            checkId: "gateway.bind_no_auth",
-            severity: "critical",
-            title: "Gateway binds beyond loopback without auth",
-            detail: `gateway.bind="${bind}" but no gateway.auth token/password is configured.`,
-            remediation: `Set gateway.auth (token recommended) or bind to loopback.`,
-        });
-    }
-    if (bind === "loopback" && controlUiEnabled && trustedProxies.length === 0) {
-        findings.push({
-            checkId: "gateway.trusted_proxies_missing",
-            severity: "warn",
-            title: "Reverse proxy headers are not trusted",
-            detail: "gateway.bind is loopback and gateway.trustedProxies is empty. " +
-                "If you expose the Control UI through a reverse proxy, configure trusted proxies " +
-                "so local-client checks cannot be spoofed.",
-            remediation: "Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.",
-        });
-    }
-    if (bind === "loopback" && controlUiEnabled && !hasGatewayAuth) {
-        findings.push({
-            checkId: "gateway.loopback_no_auth",
-            severity: "critical",
-            title: "Gateway auth missing on loopback",
-            detail: "gateway.bind is loopback but no gateway auth secret is configured. " +
-                "If the Control UI is exposed through a reverse proxy, unauthenticated access is possible.",
-            remediation: "Set gateway.auth (token recommended) or keep the Control UI local-only.",
-        });
-    }
-    if (tailscaleMode === "funnel") {
-        findings.push({
-            checkId: "gateway.tailscale_funnel",
-            severity: "critical",
-            title: "Tailscale Funnel exposure enabled",
-            detail: `gateway.tailscale.mode="funnel" exposes the Gateway publicly; keep auth strict and treat it as internet-facing.`,
-            remediation: `Prefer tailscale.mode="serve" (tailnet-only) or set tailscale.mode="off".`,
-        });
-    }
-    else if (tailscaleMode === "serve") {
-        findings.push({
-            checkId: "gateway.tailscale_serve",
-            severity: "info",
-            title: "Tailscale Serve exposure enabled",
-            detail: `gateway.tailscale.mode="serve" exposes the Gateway to your tailnet (loopback behind Tailscale).`,
-        });
-    }
-    if (cfg.gateway?.controlUi?.allowInsecureAuth === true) {
-        findings.push({
-            checkId: "gateway.control_ui.insecure_auth",
-            severity: "warn",
-            title: "Control UI insecure auth toggle enabled",
-            detail: "gateway.controlUi.allowInsecureAuth=true does not bypass secure context or device identity checks; only dangerouslyDisableDeviceAuth disables Control UI device identity checks.",
-            remediation: "Disable it or switch to HTTPS (Tailscale Serve) or localhost.",
-        });
-    }
-    if (cfg.gateway?.controlUi?.dangerouslyDisableDeviceAuth === true) {
-        findings.push({
-            checkId: "gateway.control_ui.device_auth_disabled",
-            severity: "critical",
-            title: "DANGEROUS: Control UI device auth disabled",
-            detail: "gateway.controlUi.dangerouslyDisableDeviceAuth=true disables device identity checks for the Control UI.",
-            remediation: "Disable it unless you are in a short-lived break-glass scenario.",
-        });
-    }
-    const enabledDangerousFlags = collectEnabledInsecureOrDangerousFlags(cfg);
-    if (enabledDangerousFlags.length > 0) {
-        findings.push({
-            checkId: "config.insecure_or_dangerous_flags",
-            severity: "warn",
-            title: "Insecure or dangerous config flags enabled",
-            detail: `Detected ${enabledDangerousFlags.length} enabled flag(s): ${enabledDangerousFlags.join(", ")}.`,
-            remediation: "Disable these flags when not actively debugging, or keep deployment scoped to trusted/local-only networks.",
-        });
-    }
-    const token = typeof auth.token === "string" && auth.token.trim().length > 0 ? auth.token.trim() : null;
-    if (auth.mode === "token" && token && token.length < 24) {
-        findings.push({
-            checkId: "gateway.token_too_short",
-            severity: "warn",
-            title: "Gateway token looks short",
-            detail: `gateway auth token is ${token.length} chars; prefer a long random token.`,
-        });
-    }
-    if (auth.mode === "trusted-proxy") {
-        const trustedProxies = cfg.gateway?.trustedProxies ?? [];
-        const trustedProxyConfig = cfg.gateway?.auth?.trustedProxy;
-        findings.push({
-            checkId: "gateway.trusted_proxy_auth",
-            severity: "critical",
-            title: "Trusted-proxy auth mode enabled",
-            detail: 'gateway.auth.mode="trusted-proxy" delegates authentication to a reverse proxy. ' +
-                "Ensure your proxy (Pomerium, Caddy, nginx) handles auth correctly and that gateway.trustedProxies " +
-                "only contains IPs of your actual proxy servers.",
-            remediation: "Verify: (1) Your proxy terminates TLS and authenticates users. " +
-                "(2) gateway.trustedProxies is restricted to proxy IPs only. " +
-                "(3) Direct access to the Gateway port is blocked by firewall. " +
-                "See /gateway/trusted-proxy-auth for setup guidance.",
-        });
-        if (trustedProxies.length === 0) {
-            findings.push({
-                checkId: "gateway.trusted_proxy_no_proxies",
-                severity: "critical",
-                title: "Trusted-proxy auth enabled but no trusted proxies configured",
-                detail: 'gateway.auth.mode="trusted-proxy" but gateway.trustedProxies is empty. ' +
-                    "All requests will be rejected.",
-                remediation: "Set gateway.trustedProxies to the IP(s) of your reverse proxy.",
-            });
-        }
-        if (!trustedProxyConfig?.userHeader) {
-            findings.push({
-                checkId: "gateway.trusted_proxy_no_user_header",
-                severity: "critical",
-                title: "Trusted-proxy auth missing userHeader config",
-                detail: 'gateway.auth.mode="trusted-proxy" but gateway.auth.trustedProxy.userHeader is not configured.',
-                remediation: "Set gateway.auth.trustedProxy.userHeader to the header name your proxy uses " +
-                    '(e.g., "x-forwarded-user", "x-pomerium-claim-email").',
-            });
-        }
-        const allowUsers = trustedProxyConfig?.allowUsers ?? [];
-        if (allowUsers.length === 0) {
-            findings.push({
-                checkId: "gateway.trusted_proxy_no_allowlist",
-                severity: "warn",
-                title: "Trusted-proxy auth allows all authenticated users",
-                detail: "gateway.auth.trustedProxy.allowUsers is empty, so any user authenticated by your proxy can access the Gateway.",
-                remediation: "Consider setting gateway.auth.trustedProxy.allowUsers to restrict access to specific users " +
-                    '(e.g., ["nick@example.com"]).',
-            });
-        }
-    }
-    if (bind !== "loopback" && auth.mode !== "trusted-proxy" && !cfg.gateway?.auth?.rateLimit) {
-        findings.push({
-            checkId: "gateway.auth_no_rate_limit",
-            severity: "warn",
-            title: "No auth rate limiting configured",
-            detail: "gateway.bind is not loopback but no gateway.auth.rateLimit is configured. " +
-                "Without rate limiting, brute-force auth attacks are not mitigated.",
-            remediation: "Set gateway.auth.rateLimit (e.g. { maxAttempts: 10, windowMs: 60000, lockoutMs: 300000 }).",
-        });
+    findings.push(...collectedFindings);
+    const summary = countBySeverity(findings);
+    const report = {
+        ts,
+        summary,
+        findings,
+    };
+    if (deep) {
+        report.deep = await performDeepGatewayAudit(cfg, deepTimeoutMs);
     }
-    return findings;
+    return report;
 }
-function collectBrowserControlFindings(cfg, env) {
-    const findings = [];
-    let resolved;
+/**
+ * Perform deep gateway audit (optional, time-consuming)
+ */
+async function performDeepGatewayAudit(config, timeoutMs) {
+    const result = {};
     try {
-        resolved = resolveBrowserConfig(cfg.browser, cfg);
-    }
-    catch (err) {
-        findings.push({
-            checkId: "browser.control_invalid_config",
-            severity: "warn",
-            title: "Browser control config looks invalid",
-            detail: String(err),
-            remediation: `Fix browser.cdpUrl in ${resolveConfigPath()} and re-run "${formatCliCommand("poolbot security audit --deep")}".`,
-        });
-        return findings;
-    }
-    if (!resolved.enabled) {
-        return findings;
-    }
-    const browserAuth = resolveBrowserControlAuth(cfg, env);
-    if (!browserAuth.token && !browserAuth.password) {
-        findings.push({
-            checkId: "browser.control_no_auth",
-            severity: "critical",
-            title: "Browser control has no auth",
-            detail: "Browser control HTTP routes are enabled but no gateway.auth token/password is configured. " +
-                "Any local process (or SSRF to loopback) can call browser control endpoints.",
-            remediation: "Set gateway.auth.token (recommended) or gateway.auth.password so browser control HTTP routes require authentication. Restarting the gateway will auto-generate gateway.auth.token when browser control is enabled.",
-        });
-    }
-    for (const name of Object.keys(resolved.profiles)) {
-        const profile = resolveProfile(resolved, name);
-        if (!profile || profile.cdpIsLoopback) {
-            continue;
-        }
-        let url;
+        const gateway = config.gateway;
+        if (!gateway) {
+            result.gateway = {
+                attempted: false,
+                url: null,
+                ok: false,
+                error: "Gateway not configured",
+            };
+            return result;
+        }
+        const port = gateway.port ?? 18789;
+        const host = gateway.host ?? "127.0.0.1";
+        const url = `http://${host}:${port}`;
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
         try {
-            url = new URL(profile.cdpUrl);
-        }
-        catch {
-            continue;
-        }
-        if (url.protocol === "http:") {
-            findings.push({
-                checkId: "browser.remote_cdp_http",
-                severity: "warn",
-                title: "Remote CDP uses HTTP",
-                detail: `browser profile "${name}" uses http CDP (${profile.cdpUrl}); this is OK only if it's tailnet-only or behind an encrypted tunnel.`,
-                remediation: `Prefer HTTPS/TLS or a tailnet-only endpoint for remote CDP.`,
+            const response = await fetch(`${url}/probe`, {
+                method: "GET",
+                signal: controller.signal,
             });
-        }
-    }
-    return findings;
+            clearTimeout(timeoutId);
+            result.gateway = {
+                attempted: true,
+                url,
+                ok: response.ok,
+                error: response.ok ? null : `HTTP ${response.status}`,
+            };
+        }
+        catch (error) {
+            clearTimeout(timeoutId);
+            result.gateway = {
+                attempted: true,
+                url,
+                ok: false,
+                error: error instanceof Error ? error.message : "Unknown error",
+            };
+        }
+    }
+    catch {
+        result.gateway = {
+            attempted: false,
+            url: null,
+            ok: false,
+            error: "Gateway audit failed",
+        };
+    }
+    return result;
 }
-function collectLoggingFindings(cfg) {
-    const redact = cfg.logging?.redactSensitive;
-    if (redact !== "off") {
-        return [];
-    }
-    return [
-        {
-            checkId: "logging.redact_off",
-            severity: "warn",
-            title: "Tool summary redaction is disabled",
-            detail: `logging.redactSensitive="off" can leak secrets into logs and status output.`,
-            remediation: `Set logging.redactSensitive="tools".`,
-        },
-    ];
-}
-function collectElevatedFindings(cfg) {
-    const findings = [];
-    const enabled = cfg.tools?.elevated?.enabled;
-    const allowFrom = cfg.tools?.elevated?.allowFrom ?? {};
-    const anyAllowFromKeys = Object.keys(allowFrom).length > 0;
-    if (enabled === false) {
-        return findings;
-    }
-    if (!anyAllowFromKeys) {
-        return findings;
-    }
-    for (const [provider, list] of Object.entries(allowFrom)) {
-        const normalized = normalizeAllowFromList(list);
-        if (normalized.includes("*")) {
-            findings.push({
-                checkId: `tools.elevated.allowFrom.${provider}.wildcard`,
-                severity: "critical",
-                title: "Elevated exec allowlist contains wildcard",
-                detail: `tools.elevated.allowFrom.${provider} includes "*" which effectively approves everyone on that channel for elevated mode.`,
-            });
-        }
-        else if (normalized.length > 25) {
-            findings.push({
-                checkId: `tools.elevated.allowFrom.${provider}.large`,
-                severity: "warn",
-                title: "Elevated exec allowlist is large",
-                detail: `tools.elevated.allowFrom.${provider} has ${normalized.length} entries; consider tightening elevated access.`,
-            });
-        }
-    }
-    return findings;
-}
-function collectExecRuntimeFindings(cfg) {
-    const findings = [];
-    const globalExecHost = cfg.tools?.exec?.host;
-    const defaultSandboxMode = resolveSandboxConfigForAgent(cfg).mode;
-    const defaultHostIsExplicitSandbox = globalExecHost === "sandbox";
-    if (defaultHostIsExplicitSandbox && defaultSandboxMode === "off") {
-        findings.push({
-            checkId: "tools.exec.host_sandbox_no_sandbox_defaults",
-            severity: "warn",
-            title: "Exec host is sandbox but sandbox mode is off",
-            detail: "tools.exec.host is explicitly set to sandbox while agents.defaults.sandbox.mode=off. " +
-                "In this mode, exec runs directly on the gateway host.",
-            remediation: 'Enable sandbox mode (`agents.defaults.sandbox.mode="non-main"` or `"all"`) or set tools.exec.host to "gateway" with approvals.',
-        });
-    }
-    const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
-    const riskyAgents = agents
-        .filter((entry) => entry &&
-        typeof entry === "object" &&
-        typeof entry.id === "string" &&
-        entry.tools?.exec?.host === "sandbox" &&
-        resolveSandboxConfigForAgent(cfg, entry.id).mode === "off")
-        .map((entry) => entry.id)
-        .slice(0, 5);
-    if (riskyAgents.length > 0) {
-        findings.push({
-            checkId: "tools.exec.host_sandbox_no_sandbox_agents",
-            severity: "warn",
-            title: "Agent exec host uses sandbox while sandbox mode is off",
-            detail: `agents.list.*.tools.exec.host is set to sandbox for: ${riskyAgents.join(", ")}. ` +
-                "With sandbox mode off, exec runs directly on the gateway host.",
-            remediation: 'Enable sandbox mode for these agents (`agents.list[].sandbox.mode`) or set their tools.exec.host to "gateway".',
-        });
-    }
-    return findings;
+/**
+ * Quick security check (non-deep audit)
+ */
+export async function quickSecurityCheck(config) {
+    const report = await performSecurityAudit({
+        config,
+        deep: false,
+        includeFilesystem: false,
+    });
+    const ok = report.summary.critical === 0;
+    return { ok, findings: report.findings };
 }
-async function maybeProbeGateway(params) {
-    const connection = buildGatewayConnectionDetails({ config: params.cfg });
-    const url = connection.url;
-    const isRemoteMode = params.cfg.gateway?.mode === "remote";
-    const remoteUrlRaw = typeof params.cfg.gateway?.remote?.url === "string" ? params.cfg.gateway.remote.url.trim() : "";
-    const remoteUrlMissing = isRemoteMode && !remoteUrlRaw;
-    const auth = !isRemoteMode || remoteUrlMissing
-        ? resolveGatewayProbeAuth({ cfg: params.cfg, mode: "local" })
-        : resolveGatewayProbeAuth({ cfg: params.cfg, mode: "remote" });
-    const res = await params.probe({ url, auth, timeoutMs: params.timeoutMs }).catch((err) => ({
-        ok: false,
-        url,
-        connectLatencyMs: null,
-        error: String(err),
-        close: null,
-        health: null,
-        status: null,
-        presence: null,
-        configSnapshot: null,
-    }));
-    return {
-        gateway: {
-            attempted: true,
-            url,
-            ok: res.ok,
-            error: res.ok ? null : res.error,
-            close: res.close ? { code: res.close.code, reason: res.close.reason } : null,
-        },
+/**
+ * Format audit report for CLI output
+ */
+export function formatAuditReport(report) {
+    const lines = [];
+    lines.push(`Security Audit Report (${new Date(report.ts).toISOString()})`);
+    lines.push("");
+    lines.push(`Summary: ${report.summary.critical} critical, ${report.summary.warn} warnings, ${report.summary.info} info`);
+    lines.push("");
+    if (report.findings.length === 0) {
+        lines.push("✅ No security issues found!");
+        return lines.join("\n");
+    }
+    const bySeverity = {
+        critical: report.findings.filter((f) => f.severity === "critical"),
+        warn: report.findings.filter((f) => f.severity === "warn"),
+        info: report.findings.filter((f) => f.severity === "info"),
     };
-}
-export async function runSecurityAudit(opts) {
-    const findings = [];
-    const cfg = opts.config;
-    const env = opts.env ?? process.env;
-    const platform = opts.platform ?? process.platform;
-    const execIcacls = opts.execIcacls;
-    const stateDir = opts.stateDir ?? resolveStateDir(env);
-    const configPath = opts.configPath ?? resolveConfigPath(env, stateDir);
-    findings.push(...collectAttackSurfaceSummaryFindings(cfg));
-    findings.push(...collectSyncedFolderFindings({ stateDir, configPath }));
-    findings.push(...collectGatewayConfigFindings(cfg, env));
-    findings.push(...collectBrowserControlFindings(cfg, env));
-    findings.push(...collectLoggingFindings(cfg));
-    findings.push(...collectElevatedFindings(cfg));
-    findings.push(...collectExecRuntimeFindings(cfg));
-    findings.push(...collectHooksHardeningFindings(cfg, env));
-    findings.push(...collectGatewayHttpNoAuthFindings(cfg, env));
-    findings.push(...collectGatewayHttpSessionKeyOverrideFindings(cfg));
-    findings.push(...collectSandboxDockerNoopFindings(cfg));
-    findings.push(...collectSandboxDangerousConfigFindings(cfg));
-    findings.push(...collectNodeDenyCommandPatternFindings(cfg));
-    findings.push(...collectMinimalProfileOverrideFindings(cfg));
-    findings.push(...collectSecretsInConfigFindings(cfg));
-    findings.push(...collectModelHygieneFindings(cfg));
-    findings.push(...collectSmallModelRiskFindings({ cfg, env }));
-    findings.push(...collectExposureMatrixFindings(cfg));
-    const configSnapshot = opts.includeFilesystem !== false
-        ? await readConfigSnapshotForAudit({ env, configPath }).catch(() => null)
-        : null;
-    if (opts.includeFilesystem !== false) {
-        findings.push(...(await collectFilesystemFindings({
-            stateDir,
-            configPath,
-            env,
-            platform,
-            execIcacls,
-        })));
-        if (configSnapshot) {
-            findings.push(...(await collectIncludeFilePermFindings({ configSnapshot, env, platform, execIcacls })));
-        }
-        findings.push(...(await collectStateDeepFilesystemFindings({ cfg, env, stateDir, platform, execIcacls })));
-        findings.push(...(await collectSandboxBrowserHashLabelFindings({
-            execDockerRawFn: opts.execDockerRawFn,
-        })));
-        findings.push(...(await collectPluginsTrustFindings({ cfg, stateDir })));
-        if (opts.deep === true) {
-            findings.push(...(await collectPluginsCodeSafetyFindings({ stateDir })));
-            findings.push(...(await collectInstalledSkillsCodeSafetyFindings({ cfg, stateDir })));
+    for (const [severity, findings] of Object.entries(bySeverity)) {
+        if (findings.length === 0)
+            continue;
+        const icon = severity === "critical" ? "🔴" : severity === "warn" ? "🟡" : "🔵";
+        lines.push(`${icon} ${severity.toUpperCase()} (${findings.length})`);
+        lines.push("");
+        for (const finding of findings) {
+            lines.push(`  [${finding.checkId}] ${finding.title}`);
+            lines.push(`    ${finding.detail}`);
+            if (finding.remediation) {
+                lines.push(`    💡 Fix: ${finding.remediation}`);
+            }
+            lines.push("");
         }
     }
-    if (opts.includeChannelSecurity !== false) {
-        const plugins = opts.plugins ?? listChannelPlugins();
-        findings.push(...(await collectChannelSecurityFindings({ cfg, plugins })));
-    }
-    const deep = opts.deep === true
-        ? await maybeProbeGateway({
-            cfg,
-            timeoutMs: Math.max(250, opts.deepTimeoutMs ?? 5000),
-            probe: opts.probeGatewayFn ?? probeGateway,
-        })
-        : undefined;
-    if (deep?.gateway?.attempted && !deep.gateway.ok) {
-        findings.push({
-            checkId: "gateway.probe_failed",
-            severity: "warn",
-            title: "Gateway probe failed (deep)",
-            detail: deep.gateway.error ?? "gateway unreachable",
-            remediation: `Run "${formatCliCommand("poolbot status --all")}" to debug connectivity/auth, then re-run "${formatCliCommand("poolbot security audit --deep")}".`,
-        });
-    }
-    const summary = countBySeverity(findings);
-    return { ts: Date.now(), summary, findings, deep };
+    return lines.join("\n");
+}
+/**
+ * CLI-compatible audit function (alias for performSecurityAudit)
+ */
+export async function runSecurityAudit(options) {
+    return performSecurityAudit(options);
 }