@token-security/clawdit 0.1.0

package/dist/checks/sec-007-no-redact-patterns.js

@@ -0,0 +1,39 @@
+/**
+ * SEC-007: No custom redact patterns
+ *
+ * Detects when logging.redactPatterns is empty or not configured,
+ * relying only on built-in redaction patterns.
+ */
+import { getValueAtPath } from '../utils.js';
+const check = {
+    id: 'SEC-007',
+    severity: 'LOW',
+    name: 'No custom redact patterns',
+    execute(ctx) {
+        const redactPatterns = getValueAtPath(ctx.config, 'logging.redactPatterns');
+        const redactSensitive = getValueAtPath(ctx.config, 'logging.redactSensitive');
+        // Only flag if redaction is enabled but no custom patterns
+        if (redactSensitive === 'off' || redactSensitive === false)
+            return [];
+        const hasPatterns = Array.isArray(redactPatterns) && redactPatterns.length > 0;
+        if (!hasPatterns) {
+            return [{
+                    id: 'SEC-007',
+                    severity: 'LOW',
+                    name: 'No custom redact patterns',
+                    location: { file: ctx.configPath, path: 'logging.redactPatterns' },
+                    currentValue: redactPatterns ?? 'not set',
+                    expectedValue: 'Array of regex patterns for sensitive data',
+                    risk: 'Only built-in redaction patterns are active. Organization-specific sensitive data patterns (internal project names, custom tokens) may not be redacted.',
+                    fix: {
+                        description: 'Add custom redaction patterns for organization-specific sensitive data',
+                        command: `jq '.logging.redactPatterns = ["(?i)internal-project-.*", "(?i)secret-.*"]' ${ctx.configPath} > tmp.json && mv tmp.json ${ctx.configPath}`,
+                    },
+                    references: ['https://docs.openclaw.ai/logging/security#custom-redaction'],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=sec-007-no-redact-patterns.js.map

package/dist/checks/sec-008-state-dir-permissions.d.ts

@@ -0,0 +1,10 @@
+/**
+ * SEC-008: State directory has insecure permissions
+ *
+ * Detects when the OpenClaw state directory (~/.openclaw) exists with
+ * permissions that allow other users to read it.
+ */
+import type { Check } from './types.js';
+declare const check: Check;
+export default check;
+//# sourceMappingURL=sec-008-state-dir-permissions.d.ts.map

package/dist/checks/sec-008-state-dir-permissions.js

@@ -0,0 +1,49 @@
+/**
+ * SEC-008: State directory has insecure permissions
+ *
+ * Detects when the OpenClaw state directory (~/.openclaw) exists with
+ * permissions that allow other users to read it.
+ */
+import { existsSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { getFileMode, formatMode } from '../utils.js';
+const check = {
+    id: 'SEC-008',
+    severity: 'MEDIUM',
+    name: 'State directory has insecure permissions',
+    execute(ctx) {
+        const stateDir = join(homedir(), '.openclaw');
+        // State directory doesn't exist yet - nothing to check
+        if (!existsSync(stateDir))
+            return [];
+        const mode = getFileMode(stateDir);
+        // Skip on Windows or if we can't read permissions
+        if (mode === null)
+            return [];
+        // Check if group or other has any permissions
+        const groupOther = mode & 0o077;
+        if (groupOther !== 0) {
+            return [{
+                    id: 'SEC-008',
+                    severity: 'MEDIUM',
+                    name: 'State directory has insecure permissions',
+                    location: {
+                        file: stateDir,
+                        path: null,
+                    },
+                    currentValue: formatMode(mode),
+                    expectedValue: '700',
+                    risk: 'The state directory may contain sensitive session data, tokens, or transcripts. Group/world-readable permissions expose this data to other users on the system.',
+                    fix: {
+                        description: 'Restrict directory permissions',
+                        command: `chmod 700 ${stateDir}`,
+                    },
+                    references: [],
+                }];
+        }
+        return [];
+    },
+};
+export default check;
+//# sourceMappingURL=sec-008-state-dir-permissions.js.map

package/dist/checks/types.d.ts

@@ -0,0 +1,45 @@
+export type Severity = 'HIGH' | 'MEDIUM' | 'LOW';
+export interface Location {
+    file: string;
+    path: string | null;
+}
+export interface Fix {
+    description: string;
+    command: string;
+}
+export interface Finding {
+    id: string;
+    severity: Severity;
+    name: string;
+    location: Location;
+    currentValue: unknown;
+    expectedValue: unknown;
+    risk: string;
+    fix: Fix;
+    references: string[];
+}
+export interface CheckContext {
+    config: Record<string, unknown>;
+    configPath: string;
+    configDir: string;
+}
+export interface Check {
+    id: string;
+    severity: Severity;
+    name: string;
+    execute(ctx: CheckContext): Finding[];
+}
+export interface Summary {
+    total: number;
+    high: number;
+    medium: number;
+    low: number;
+    passed: number;
+    result: 'PASS' | 'FAIL';
+}
+export interface AuditResult {
+    findings: Finding[];
+    passed: string[];
+    summary: Summary;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/checks/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/clawdit-output.schema.json

@@ -0,0 +1,162 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://clawdit.dev/schemas/output.schema.json",
+  "title": "clawdit Output",
+  "description": "JSON output format for clawdit security audit tool",
+  "type": "object",
+  "required": ["version", "timestamp", "config_path", "summary", "findings", "checks_passed"],
+  "additionalProperties": false,
+  "properties": {
+    "version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+\\.\\d+$",
+      "description": "clawdit version that produced this output"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO 8601 timestamp when the audit was run"
+    },
+    "config_path": {
+      "type": "string",
+      "description": "Path to the configuration file that was audited"
+    },
+    "summary": {
+      "$ref": "#/definitions/Summary"
+    },
+    "findings": {
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/Finding"
+      },
+      "description": "List of security findings (empty if all checks passed)"
+    },
+    "checks_passed": {
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/CheckId"
+      },
+      "description": "List of check IDs that passed"
+    }
+  },
+  "definitions": {
+    "Severity": {
+      "type": "string",
+      "enum": ["HIGH", "MEDIUM", "LOW"],
+      "description": "Severity level of a finding"
+    },
+    "CheckId": {
+      "type": "string",
+      "pattern": "^[A-Z]{2,5}-\\d{3}$",
+      "description": "Check identifier in format CAT-NNN (e.g., NET-001, AUTH-002)"
+    },
+    "Summary": {
+      "type": "object",
+      "required": ["total", "high", "medium", "low", "passed", "result"],
+      "additionalProperties": false,
+      "properties": {
+        "total": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Total number of findings"
+        },
+        "high": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of HIGH severity findings"
+        },
+        "medium": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of MEDIUM severity findings"
+        },
+        "low": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of LOW severity findings"
+        },
+        "passed": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Number of checks that passed"
+        },
+        "result": {
+          "type": "string",
+          "enum": ["PASS", "FAIL"],
+          "description": "Overall audit result"
+        }
+      }
+    },
+    "Location": {
+      "type": "object",
+      "required": ["file", "path"],
+      "additionalProperties": false,
+      "properties": {
+        "file": {
+          "type": "string",
+          "description": "Path to the configuration file"
+        },
+        "path": {
+          "type": ["string", "null"],
+          "description": "JSON path to the problematic value (null if file-level issue)"
+        }
+      }
+    },
+    "Fix": {
+      "type": "object",
+      "required": ["description", "command"],
+      "additionalProperties": false,
+      "properties": {
+        "description": {
+          "type": "string",
+          "description": "Human-readable description of the fix"
+        },
+        "command": {
+          "type": "string",
+          "description": "Command or code snippet to apply the fix"
+        }
+      }
+    },
+    "Finding": {
+      "type": "object",
+      "required": ["id", "severity", "name", "location", "current_value", "expected_value", "risk", "fix", "references"],
+      "additionalProperties": false,
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/CheckId"
+        },
+        "severity": {
+          "$ref": "#/definitions/Severity"
+        },
+        "name": {
+          "type": "string",
+          "description": "Short description of the security issue"
+        },
+        "location": {
+          "$ref": "#/definitions/Location"
+        },
+        "current_value": {
+          "description": "The current (problematic) value found in the config"
+        },
+        "expected_value": {
+          "description": "The expected (secure) value"
+        },
+        "risk": {
+          "type": "string",
+          "description": "Explanation of the security risk"
+        },
+        "fix": {
+          "$ref": "#/definitions/Fix"
+        },
+        "references": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "format": "uri"
+          },
+          "description": "URLs to relevant documentation or security resources"
+        }
+      }
+    }
+  }
+}

package/dist/cli.d.ts

@@ -0,0 +1,23 @@
+import type { Check, Severity } from './checks/types.js';
+export type OutputFormat = 'text' | 'json' | 'sarif';
+export interface CliOptions {
+    configPath?: string;
+    outputFile?: string;
+    severity: Severity;
+    format: OutputFormat;
+    noColor: boolean;
+    quiet: boolean;
+    verbose: boolean;
+    version: boolean;
+    help: boolean;
+    listChecks: boolean;
+    checks?: string[];
+    skipChecks?: string[];
+}
+export declare function parseCliArgs(args: string[]): CliOptions;
+export declare function validateCheckIds(ids: string[], validIds: string[]): string[];
+export declare function printHelp(): void;
+export declare function printVersion(): void;
+export declare function printListChecksText(checks: Check[], noColor: boolean): void;
+export declare function printListChecksJson(checks: Check[]): void;
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.js

@@ -0,0 +1,132 @@
+import { parseArgs } from 'node:util';
+const HELP_TEXT = `
+clawdit - OpenClaw Security Audit Tool
+
+Usage: clawdit [OPTIONS] [CONFIG_PATH]
+
+ARGUMENTS:
+  CONFIG_PATH    Path to moltbot.json, or - to read from stdin (default: auto-discovered)
+
+OPTIONS:
+  -o, --output <FILE>    Write output to file instead of stdout
+  -s, --severity <LEVEL> Minimum severity to report: low, medium, high (default: low)
+  -f, --format <FORMAT>  Output format: text, json, sarif (default: text if TTY, json otherwise)
+  --checks <IDS>         Run only specified checks (comma-separated)
+  --skip-checks <IDS>    Skip specified checks (comma-separated)
+  --no-color             Disable colored output
+  -q, --quiet            Suppress banner and summary; output findings only
+  -v, --verbose          Show check execution progress
+  --list-checks          List all available security checks and exit
+  --version              Print version and exit
+  --help                 Show this help message
+
+EXAMPLES:
+  clawdit                           # Auto-discover config, audit with text output
+  clawdit ~/.clawdbot/moltbot.json  # Audit specific config
+  cat config.json | clawdit -       # Read config from stdin
+  clawdit --severity high           # Only report HIGH severity findings
+  clawdit -o audit.txt              # Write output to file
+
+EXIT CODES:
+  0   All checks passed
+  1   HIGH severity findings
+  2   MEDIUM severity findings (no HIGH)
+  3   LOW severity findings only
+  10  Configuration file not found
+  11  Configuration parse error
+  12  Invalid CLI arguments
+  13  Permission denied
+  14  $include directive failed
+  20  Internal error
+`;
+export function parseCliArgs(args) {
+    try {
+        const { values, positionals } = parseArgs({
+            args,
+            options: {
+                output: { type: 'string', short: 'o' },
+                severity: { type: 'string', short: 's', default: 'low' },
+                format: { type: 'string', short: 'f' },
+                checks: { type: 'string' },
+                'skip-checks': { type: 'string' },
+                'no-color': { type: 'boolean', default: false },
+                quiet: { type: 'boolean', short: 'q', default: false },
+                verbose: { type: 'boolean', short: 'v', default: false },
+                'list-checks': { type: 'boolean', default: false },
+                version: { type: 'boolean', default: false },
+                help: { type: 'boolean', default: false },
+            },
+            allowPositionals: true,
+        });
+        // Validate severity
+        const severityMap = {
+            low: 'LOW',
+            medium: 'MEDIUM',
+            high: 'HIGH',
+        };
+        const severityInput = values.severity.toLowerCase();
+        if (!severityMap[severityInput]) {
+            throw new Error(`Invalid severity level: ${values.severity}. Must be: low, medium, high`);
+        }
+        // Validate format (default to text for TTY, json otherwise)
+        const formatInput = values.format
+            ? values.format.toLowerCase()
+            : (process.stdout.isTTY ? 'text' : 'json');
+        if (formatInput !== 'text' && formatInput !== 'json' && formatInput !== 'sarif') {
+            throw new Error(`Invalid format: ${values.format}. Must be: text, json, sarif`);
+        }
+        return {
+            configPath: positionals[0],
+            outputFile: values.output,
+            severity: severityMap[severityInput],
+            format: formatInput,
+            noColor: values['no-color'] || !process.stdout.isTTY,
+            quiet: values.quiet,
+            verbose: values.verbose,
+            version: values.version,
+            help: values.help,
+            listChecks: values['list-checks'],
+            checks: values.checks
+                ? values.checks.split(',').map(s => s.trim().toUpperCase())
+                : undefined,
+            skipChecks: values['skip-checks']
+                ? values['skip-checks'].split(',').map(s => s.trim().toUpperCase())
+                : undefined,
+        };
+    }
+    catch (error) {
+        const err = error;
+        console.error(`Error: ${err.message}`);
+        console.error('Use --help for usage information');
+        process.exit(12);
+    }
+}
+export function validateCheckIds(ids, validIds) {
+    const validSet = new Set(validIds);
+    return ids.filter(id => !validSet.has(id));
+}
+export function printHelp() {
+    console.log(HELP_TEXT.trim());
+}
+export function printVersion() {
+    console.log('clawdit v0.1.0');
+}
+export function printListChecksText(checks, noColor) {
+    const c = noColor
+        ? { reset: '', bold: '', dim: '', red: '', yellow: '', cyan: '' }
+        : { reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m', red: '\x1b[31m', yellow: '\x1b[33m', cyan: '\x1b[36m' };
+    const severityColor = (s) => s === 'HIGH' ? c.red : s === 'MEDIUM' ? c.yellow : c.cyan;
+    console.log(`${c.bold}ID          SEVERITY  NAME${c.reset}`);
+    for (const check of checks) {
+        const sev = severityColor(check.severity) + check.severity.padEnd(8) + c.reset;
+        console.log(`${check.id.padEnd(12)}${sev}  ${check.name}`);
+    }
+    console.log(`${c.dim}${checks.length} checks available${c.reset}`);
+}
+export function printListChecksJson(checks) {
+    const output = {
+        checks: checks.map(c => ({ id: c.id, severity: c.severity, name: c.name }))
+    };
+    console.log(JSON.stringify(output, null, 2));
+}
+//# sourceMappingURL=cli.js.map

package/dist/config.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Read content from stdin synchronously
+ */
+export declare function readStdinSync(): string;
+export declare class ConfigError extends Error {
+    code: number;
+    details?: string | undefined;
+    constructor(message: string, code: number, details?: string | undefined);
+}
+/**
+ * Discover config file path in priority order
+ */
+export declare function discoverConfig(cliPath?: string): string;
+/**
+ * Parse config from string content with $include resolution
+ */
+export declare function parseConfigFromString(content: string, baseDir: string, sourceName?: string): Record<string, unknown>;
+/**
+ * Parse config file with $include resolution
+ */
+export declare function parseConfig(configPath: string): Record<string, unknown>;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -0,0 +1,150 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve, dirname, join } from 'node:path';
+import { homedir } from 'node:os';
+import JSON5 from 'json5';
+/**
+ * Read content from stdin synchronously
+ */
+export function readStdinSync() {
+    try {
+        return readFileSync(0, 'utf-8');
+    }
+    catch (error) {
+        throw new ConfigError('Failed to read from stdin', 20, error.message);
+    }
+}
+export class ConfigError extends Error {
+    code;
+    details;
+    constructor(message, code, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'ConfigError';
+    }
+}
+/**
+ * Discover config file path in priority order
+ */
+export function discoverConfig(cliPath) {
+    // 1. CLI argument (highest priority)
+    if (cliPath) {
+        const resolved = resolve(cliPath);
+        if (!existsSync(resolved)) {
+            throw new ConfigError('Configuration file not found', 10, `Path: ${resolved}\n\nPossible causes:\n  - OpenClaw is not installed\n  - Config is in a non-standard location\n  - Running as wrong user`);
+        }
+        return resolved;
+    }
+    // 2. CLAWDBOT_CONFIG environment variable
+    const envPath = process.env.CLAWDBOT_CONFIG;
+    if (envPath) {
+        const resolved = resolve(envPath);
+        if (existsSync(resolved))
+            return resolved;
+    }
+    // 3. Search paths in priority order
+    const home = homedir();
+    const CONFIG_FILENAMES = ['openclaw.json', 'moltbot.json', 'clawdbot.json'];
+    const CONFIG_DIRS = [
+        '.',
+        join(home, '.openclaw'),
+        join(home, '.clawdbot'),
+        join(home, '.moltbot'),
+    ];
+    // Generate all combinations, prioritizing openclaw.json in each directory
+    const searchPaths = CONFIG_DIRS.flatMap(dir => CONFIG_FILENAMES.map(file => join(dir, file)));
+    for (const searchPath of searchPaths) {
+        const resolved = resolve(searchPath);
+        if (existsSync(resolved))
+            return resolved;
+    }
+    throw new ConfigError('Configuration file not found', 10, `Searched paths:\n${searchPaths.map(p => `  - ${p}`).join('\n')}\n\nActions:\n  1. Install OpenClaw: curl -fsSL https://get.openclaw.ai | sh\n  2. Or specify path: clawdit /path/to/openclaw.json`);
+}
+/**
+ * Parse config from string content with $include resolution
+ */
+export function parseConfigFromString(content, baseDir, sourceName = '<stdin>') {
+    let config;
+    try {
+        config = JSON5.parse(content);
+    }
+    catch (error) {
+        throw new ConfigError(`JSON5 parse error`, 11, `Source: ${sourceName}\nError: ${error.message}`);
+    }
+    // Process $include directives with empty inclusion chain
+    return processIncludes(config, baseDir, new Set());
+}
+/**
+ * Parse config file with $include resolution
+ */
+export function parseConfig(configPath) {
+    const inclusionChain = new Set();
+    return parseConfigRecursive(configPath, inclusionChain);
+}
+function parseConfigRecursive(configPath, inclusionChain) {
+    const resolvedPath = resolve(configPath);
+    // Check for circular inclusion
+    if (inclusionChain.has(resolvedPath)) {
+        throw new ConfigError('$include directive failed: circular reference detected', 14, `Circular inclusion chain:\n${[...inclusionChain, resolvedPath].map(p => `  -> ${p}`).join('\n')}`);
+    }
+    inclusionChain.add(resolvedPath);
+    // Read and parse file
+    let content;
+    try {
+        content = readFileSync(resolvedPath, 'utf-8');
+    }
+    catch (err) {
+        const error = err;
+        if (error.code === 'ENOENT') {
+            throw new ConfigError('Configuration file not found', 10, `Path: ${resolvedPath}`);
+        }
+        if (error.code === 'EACCES') {
+            throw new ConfigError('Permission denied reading configuration', 13, `Path: ${resolvedPath}\n\nCheck file permissions: ls -la ${resolvedPath}`);
+        }
+        throw new ConfigError('Failed to read configuration file', 20, `Path: ${resolvedPath}\nError: ${error.message}`);
+    }
+    let config;
+    try {
+        config = JSON5.parse(content);
+    }
+    catch (err) {
+        const error = err;
+        throw new ConfigError('JSON5 parse error', 11, `Path: ${resolvedPath}\nError: ${error.message}`);
+    }
+    // Process $include directives
+    const configDir = dirname(resolvedPath);
+    config = processIncludes(config, configDir, inclusionChain);
+    inclusionChain.delete(resolvedPath);
+    return config;
+}
+function processIncludes(config, baseDir, inclusionChain) {
+    const result = {};
+    for (const [key, value] of Object.entries(config)) {
+        if (key === '$include') {
+            // Handle $include directive
+            if (typeof value === 'string') {
+                const includePath = resolve(baseDir, value);
+                const included = parseConfigRecursive(includePath, new Set(inclusionChain));
+                Object.assign(result, included);
+            }
+            else if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (typeof item === 'string') {
+                        const includePath = resolve(baseDir, item);
+                        const included = parseConfigRecursive(includePath, new Set(inclusionChain));
+                        Object.assign(result, included);
+                    }
+                }
+            }
+        }
+        else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
+            // Recursively process nested objects
+            result[key] = processIncludes(value, baseDir, inclusionChain);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=config.js.map

package/dist/formatter.d.ts

@@ -0,0 +1,42 @@
+import type { AuditResult } from './checks/types.js';
+interface FormatOptions {
+    noColor: boolean;
+    quiet: boolean;
+    configPath: string;
+}
+/**
+ * Result of formatText split into parts for proper stream separation
+ * - banner: Goes to stderr (chrome/metadata)
+ * - findings: Goes to stdout (data)
+ * - summary: Goes to stderr (chrome/metadata)
+ */
+export interface TextFormatResult {
+    banner: string;
+    findings: string;
+    summary: string;
+}
+/**
+ * Format audit result as text, split into parts for proper stream separation
+ */
+export declare function formatText(result: AuditResult, options: FormatOptions): TextFormatResult;
+/**
+ * Format audit result as text, joined as a single string.
+ * Used for file output where stream separation is not needed.
+ */
+export declare function formatTextFull(result: AuditResult, options: FormatOptions): string;
+interface JsonFormatOptions {
+    configPath: string;
+}
+interface SarifFormatOptions {
+    configPath: string;
+}
+/**
+ * Format audit result as SARIF 2.1.0
+ */
+export declare function formatSarif(result: AuditResult, options: SarifFormatOptions): string;
+/**
+ * Format audit result as JSON
+ */
+export declare function formatJson(result: AuditResult, options: JsonFormatOptions): string;
+export {};
+//# sourceMappingURL=formatter.d.ts.map