@token-security/clawdit 0.1.0

package/dist/formatter.js

@@ -0,0 +1,233 @@
+// ANSI color codes
+const colors = {
+    reset: '\x1b[0m',
+    red: '\x1b[31m',
+    yellow: '\x1b[33m',
+    cyan: '\x1b[36m',
+    green: '\x1b[32m',
+    bold: '\x1b[1m',
+    dim: '\x1b[2m',
+};
+function color(text, colorCode, noColor) {
+    if (noColor)
+        return text;
+    return `${colorCode}${text}${colors.reset}`;
+}
+function severityColor(severity, noColor) {
+    if (noColor)
+        return severity;
+    switch (severity) {
+        case 'HIGH': return color(severity, colors.red + colors.bold, false);
+        case 'MEDIUM': return color(severity, colors.yellow, false);
+        case 'LOW': return color(severity, colors.cyan, false);
+    }
+}
+/**
+ * Format audit result as text, split into parts for proper stream separation
+ */
+export function formatText(result, options) {
+    const bannerLines = [];
+    const findingsLines = [];
+    const summaryLines = [];
+    const { noColor, quiet, configPath } = options;
+    // Banner (unless quiet)
+    if (!quiet) {
+        const timestamp = new Date().toISOString();
+        bannerLines.push('╭──────────────────────────────────────────────────────────────╮');
+        bannerLines.push('│  clawdit v0.1.0 - OpenClaw Security Audit                    │');
+        bannerLines.push(`│  Config: ${configPath.padEnd(51)}│`);
+        bannerLines.push(`│  Time: ${timestamp.padEnd(53)}│`);
+        bannerLines.push('╰──────────────────────────────────────────────────────────────╯');
+        bannerLines.push('');
+    }
+    // Findings
+    if (result.findings.length === 0) {
+        if (!quiet) {
+            findingsLines.push(color('✓ All security checks passed', colors.green, noColor));
+            findingsLines.push('');
+        }
+    }
+    else {
+        for (const finding of result.findings) {
+            findingsLines.push(formatFinding(finding, noColor));
+            findingsLines.push('');
+        }
+    }
+    // Summary (unless quiet)
+    if (!quiet) {
+        summaryLines.push('────────────────────────────────────────────────────────────────');
+        const summaryParts = [
+            `${result.summary.high} ${severityColor('HIGH', noColor)}`,
+            `${result.summary.medium} MEDIUM`,
+            `${result.summary.low} LOW`,
+        ];
+        summaryLines.push(`Summary: ${summaryParts.join(' | ')}`);
+        if (result.summary.result === 'PASS') {
+            summaryLines.push(`Result:  ${color('PASS', colors.green, noColor)} - All security checks passed`);
+        }
+        else if (result.summary.high > 0) {
+            summaryLines.push(`Result:  ${color('FAIL', colors.red, noColor)} - Remediate HIGH severity findings before deployment`);
+        }
+        else if (result.summary.medium > 0) {
+            summaryLines.push(`Result:  ${color('FAIL', colors.yellow, noColor)} - Review MEDIUM severity findings before deployment`);
+        }
+        else {
+            summaryLines.push(`Result:  ${color('FAIL', colors.cyan, noColor)} - Consider remediating LOW severity findings`);
+        }
+    }
+    return {
+        banner: bannerLines.join('\n'),
+        findings: findingsLines.join('\n'),
+        summary: summaryLines.join('\n'),
+    };
+}
+/**
+ * Format audit result as text, joined as a single string.
+ * Used for file output where stream separation is not needed.
+ */
+export function formatTextFull(result, options) {
+    const parts = formatText(result, options);
+    return [parts.banner, parts.findings, parts.summary].filter(Boolean).join('\n');
+}
+function formatFinding(finding, noColor) {
+    const lines = [];
+    // Header
+    lines.push(`[${severityColor(finding.severity, noColor)}] ${finding.id}: ${finding.name}`);
+    // Location
+    if (finding.location.path) {
+        lines.push(`  Location: ${finding.location.path}`);
+    }
+    else {
+        lines.push(`  Location: ${finding.location.file}`);
+    }
+    // Values
+    lines.push(`  Current:  ${formatValue(finding.currentValue)}`);
+    lines.push(`  Expected: ${formatValue(finding.expectedValue)}`);
+    lines.push('');
+    // Risk (indented, wrapped)
+    lines.push('  Risk: ' + finding.risk.split('\n').join('\n        '));
+    lines.push('');
+    // Fix
+    lines.push('  Fix:');
+    lines.push(`    ${color('#', colors.dim, noColor)} ${finding.fix.description}`);
+    for (const cmdLine of finding.fix.command.split('\n')) {
+        lines.push(`    ${cmdLine}`);
+    }
+    // References
+    if (finding.references.length > 0) {
+        lines.push('');
+        lines.push('  References:');
+        for (const ref of finding.references) {
+            lines.push(`    - ${ref}`);
+        }
+    }
+    return lines.join('\n');
+}
+function formatValue(value) {
+    if (value === null)
+        return 'null';
+    if (value === undefined)
+        return 'not set';
+    if (typeof value === 'string')
+        return value;
+    if (typeof value === 'boolean')
+        return String(value);
+    if (typeof value === 'number')
+        return String(value);
+    if (Array.isArray(value))
+        return JSON.stringify(value);
+    if (typeof value === 'object')
+        return JSON.stringify(value);
+    return String(value);
+}
+/**
+ * Format audit result as SARIF 2.1.0
+ */
+export function formatSarif(result, options) {
+    const severityToLevel = {
+        HIGH: 'error',
+        MEDIUM: 'warning',
+        LOW: 'note',
+    };
+    // Build unique rules from findings (deduplicate by id)
+    const seenRuleIds = new Set();
+    const rules = [];
+    for (const f of result.findings) {
+        if (seenRuleIds.has(f.id))
+            continue;
+        seenRuleIds.add(f.id);
+        rules.push({
+            id: f.id,
+            name: f.name,
+            shortDescription: { text: f.name },
+            fullDescription: { text: f.risk },
+            help: {
+                text: f.fix.description,
+                markdown: `**Fix:** ${f.fix.description}\n\n\`\`\`bash\n${f.fix.command}\n\`\`\``,
+            },
+            helpUri: f.references[0] || undefined,
+            defaultConfiguration: { level: severityToLevel[f.severity] },
+        });
+    }
+    // Build results
+    const results = result.findings.map((f) => ({
+        ruleId: f.id,
+        level: severityToLevel[f.severity],
+        message: { text: f.risk },
+        locations: [{
+                physicalLocation: {
+                    artifactLocation: { uri: f.location.file },
+                },
+                ...(f.location.path ? { logicalLocations: [{ name: f.location.path }] } : {}),
+            }],
+        properties: {
+            currentValue: f.currentValue,
+            expectedValue: f.expectedValue,
+        },
+    }));
+    const sarif = {
+        $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+        version: '2.1.0',
+        runs: [{
+                tool: {
+                    driver: {
+                        name: 'clawdit',
+                        version: '0.1.0',
+                        informationUri: 'https://github.com/token-security/clawdit',
+                        rules,
+                    },
+                },
+                results,
+                invocations: [{
+                        executionSuccessful: true,
+                        endTimeUtc: new Date().toISOString(),
+                    }],
+            }],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+/**
+ * Format audit result as JSON
+ */
+export function formatJson(result, options) {
+    const output = {
+        version: '0.1.0',
+        timestamp: new Date().toISOString(),
+        config_path: options.configPath,
+        summary: result.summary,
+        findings: result.findings.map((f) => ({
+            id: f.id,
+            severity: f.severity,
+            name: f.name,
+            location: f.location,
+            current_value: f.currentValue,
+            expected_value: f.expectedValue,
+            risk: f.risk,
+            fix: f.fix,
+            references: f.references,
+        })),
+        checks_passed: result.passed,
+    };
+    return JSON.stringify(output, null, 2);
+}
+//# sourceMappingURL=formatter.js.map

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+import { writeFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { parseCliArgs, printHelp, printVersion, printListChecksText, printListChecksJson, validateCheckIds } from './cli.js';
+import { discoverConfig, parseConfig, parseConfigFromString, readStdinSync, ConfigError } from './config.js';
+import { checks } from './checks/index.js';
+import { runChecks, getExitCode } from './checks/runner.js';
+import { formatText, formatJson, formatSarif } from './formatter.js';
+// Error code to type mapping for structured JSON errors
+const ERROR_TYPES = {
+    10: 'CONFIG_NOT_FOUND',
+    11: 'CONFIG_PARSE_ERROR',
+    12: 'INVALID_ARGUMENTS',
+    13: 'PERMISSION_DENIED',
+    14: 'CIRCULAR_INCLUDE',
+    20: 'INTERNAL_ERROR',
+};
+function outputError(code, message, format, details) {
+    if (format === 'json') {
+        const errorObj = {
+            error: {
+                code,
+                type: ERROR_TYPES[code] || 'UNKNOWN_ERROR',
+                message,
+            },
+        };
+        if (details) {
+            errorObj.error.details = details;
+        }
+        console.log(JSON.stringify(errorObj, null, 2));
+    }
+    else {
+        console.error(`ERROR [E${code}]: ${message}`);
+        if (details) {
+            console.error('');
+            console.error(details);
+        }
+    }
+}
+async function main() {
+    const opts = parseCliArgs(process.argv.slice(2));
+    // Handle --help and --version
+    if (opts.help) {
+        printHelp();
+        process.exit(0);
+    }
+    if (opts.version) {
+        printVersion();
+        process.exit(0);
+    }
+    if (opts.listChecks) {
+        if (opts.format === 'json') {
+            printListChecksJson(checks);
+        }
+        else {
+            printListChecksText(checks, opts.noColor);
+        }
+        process.exit(0);
+    }
+    try {
+        // Discover and parse config
+        let config;
+        let configPath;
+        let configDir;
+        if (opts.configPath === '-') {
+            // Read from stdin
+            const content = readStdinSync();
+            config = parseConfigFromString(content, process.cwd());
+            configPath = '<stdin>';
+            configDir = process.cwd();
+        }
+        else {
+            // Normal file-based flow
+            configPath = discoverConfig(opts.configPath);
+            config = parseConfig(configPath);
+            configDir = dirname(configPath);
+        }
+        // Create check context
+        const ctx = {
+            config,
+            configPath,
+            configDir,
+        };
+        // Validate and filter checks
+        const allCheckIds = checks.map(c => c.id);
+        if (opts.checks) {
+            const unknownIds = validateCheckIds(opts.checks, allCheckIds);
+            if (unknownIds.length > 0) {
+                outputError(12, `Unknown check IDs: ${unknownIds.join(', ')}`, opts.format);
+                process.exit(12);
+            }
+        }
+        if (opts.skipChecks) {
+            const unknownIds = validateCheckIds(opts.skipChecks, allCheckIds);
+            if (unknownIds.length > 0) {
+                outputError(12, `Unknown check IDs: ${unknownIds.join(', ')}`, opts.format);
+                process.exit(12);
+            }
+        }
+        let checksToRun = checks;
+        if (opts.checks) {
+            const includeSet = new Set(opts.checks);
+            checksToRun = checksToRun.filter(c => includeSet.has(c.id));
+        }
+        if (opts.skipChecks) {
+            const excludeSet = new Set(opts.skipChecks);
+            checksToRun = checksToRun.filter(c => !excludeSet.has(c.id));
+        }
+        // Run checks
+        const result = runChecks(checksToRun, ctx, {
+            minSeverity: opts.severity,
+            onCheckComplete: opts.verbose
+                ? (id, passed) => console.error(`Checking ${id}... ${passed ? 'PASS' : 'FAIL'}`)
+                : undefined,
+        });
+        // Format and write output
+        if (opts.format === 'text') {
+            const parts = formatText(result, {
+                noColor: opts.noColor,
+                quiet: opts.quiet,
+                configPath,
+            });
+            if (opts.outputFile) {
+                // File output: write everything to file
+                const fullOutput = [parts.banner, parts.findings, parts.summary].filter(Boolean).join('\n');
+                writeFileSync(opts.outputFile, fullOutput + '\n');
+            }
+            else {
+                // Console output: banner/summary to stderr, findings to stdout
+                if (parts.banner)
+                    console.error(parts.banner);
+                if (parts.findings)
+                    console.log(parts.findings);
+                if (parts.summary)
+                    console.error(parts.summary);
+            }
+        }
+        else {
+            // JSON/SARIF: all to stdout
+            let output;
+            if (opts.format === 'json') {
+                output = formatJson(result, { configPath });
+            }
+            else {
+                output = formatSarif(result, { configPath });
+            }
+            if (opts.outputFile) {
+                writeFileSync(opts.outputFile, output + '\n');
+            }
+            else {
+                console.log(output);
+            }
+        }
+        // Exit with appropriate code
+        process.exit(getExitCode(result));
+    }
+    catch (error) {
+        if (error instanceof ConfigError) {
+            outputError(error.code, error.message, opts.format, error.details);
+            process.exit(error.code);
+        }
+        // Unexpected error
+        outputError(20, 'Internal error', opts.format, error.message);
+        process.exit(20);
+    }
+}
+main();
+//# sourceMappingURL=index.js.map

package/dist/utils.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Get a value from an object using dot notation path
+ */
+export declare function getValueAtPath(obj: unknown, path: string): unknown;
+/**
+ * Set a value in an object using dot notation path
+ */
+export declare function setValueAtPath(obj: Record<string, unknown>, path: string, value: unknown): void;
+/**
+ * Get file mode (permissions) as octal number. Returns null on Windows.
+ */
+export declare function getFileMode(filePath: string): number | null;
+/**
+ * Format file mode as octal string (e.g., "644")
+ */
+export declare function formatMode(mode: number): string;
+/**
+ * Redact sensitive values like API keys
+ */
+export declare function redactValue(value: unknown): string;
+/**
+ * Check if an IP address is private (RFC1918 or RFC6598 CGNAT)
+ */
+export declare function isPrivateIP(ip: string): boolean;
+/**
+ * Check if gateway binding requires authentication
+ * Returns true if auth is configured
+ */
+export declare function hasGatewayAuth(config: Record<string, unknown>): boolean;
+/**
+ * API key patterns to detect
+ */
+export declare const API_KEY_PATTERNS: Array<{
+    key: string;
+    pattern: RegExp;
+    name: string;
+}>;
+/**
+ * Find hardcoded API keys in config
+ */
+export declare function findHardcodedApiKeys(config: Record<string, unknown>): Array<{
+    key: string;
+    value: string;
+    name: string;
+}>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.js

@@ -0,0 +1,146 @@
+import { statSync } from 'node:fs';
+import { platform } from 'node:os';
+/**
+ * Get a value from an object using dot notation path
+ */
+export function getValueAtPath(obj, path) {
+    if (obj === null || obj === undefined)
+        return undefined;
+    const parts = path.split('.');
+    let current = obj;
+    for (const part of parts) {
+        if (current === null || current === undefined)
+            return undefined;
+        if (typeof current !== 'object')
+            return undefined;
+        current = current[part];
+    }
+    return current;
+}
+/**
+ * Set a value in an object using dot notation path
+ */
+export function setValueAtPath(obj, path, value) {
+    const parts = path.split('.');
+    let current = obj;
+    for (let i = 0; i < parts.length - 1; i++) {
+        const part = parts[i];
+        if (!(part in current) || typeof current[part] !== 'object' || current[part] === null) {
+            current[part] = {};
+        }
+        current = current[part];
+    }
+    current[parts[parts.length - 1]] = value;
+}
+/**
+ * Get file mode (permissions) as octal number. Returns null on Windows.
+ */
+export function getFileMode(filePath) {
+    if (platform() === 'win32')
+        return null;
+    try {
+        const stats = statSync(filePath);
+        // Extract permission bits (last 9 bits)
+        return stats.mode & 0o777;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Format file mode as octal string (e.g., "644")
+ */
+export function formatMode(mode) {
+    return mode.toString(8).padStart(3, '0');
+}
+/**
+ * Redact sensitive values like API keys
+ */
+export function redactValue(value) {
+    if (typeof value !== 'string')
+        return String(value);
+    // API key patterns
+    if (value.startsWith('sk-ant-'))
+        return 'sk-ant-***';
+    if (value.startsWith('sk-'))
+        return 'sk-***';
+    if (value.startsWith('r8_'))
+        return 'r8_***';
+    if (value.startsWith('hf_'))
+        return 'hf_***';
+    if (/^[A-Za-z0-9_-]{20,}$/.test(value))
+        return value.slice(0, 4) + '***';
+    return value;
+}
+/**
+ * Check if an IP address is private (RFC1918 or RFC6598 CGNAT)
+ */
+export function isPrivateIP(ip) {
+    // Handle special values
+    if (ip === 'loopback' || ip === '127.0.0.1' || ip === '::1')
+        return true;
+    if (ip === 'localhost')
+        return true;
+    // Parse IPv4
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return false;
+    const nums = parts.map(p => parseInt(p, 10));
+    if (nums.some(n => isNaN(n) || n < 0 || n > 255))
+        return false;
+    const [a, b] = nums;
+    // RFC1918: 10.0.0.0/8
+    if (a === 10)
+        return true;
+    // RFC1918: 172.16.0.0/12
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    // RFC1918: 192.168.0.0/16
+    if (a === 192 && b === 168)
+        return true;
+    // RFC6598 CGNAT: 100.64.0.0/10
+    if (a === 100 && b >= 64 && b <= 127)
+        return true;
+    // Loopback: 127.0.0.0/8
+    if (a === 127)
+        return true;
+    return false;
+}
+/**
+ * Check if gateway binding requires authentication
+ * Returns true if auth is configured
+ */
+export function hasGatewayAuth(config) {
+    const token = getValueAtPath(config, 'gateway.auth.token');
+    const password = getValueAtPath(config, 'gateway.auth.password');
+    return (typeof token === 'string' && token.length > 0) ||
+        (typeof password === 'string' && password.length > 0);
+}
+/**
+ * API key patterns to detect
+ */
+export const API_KEY_PATTERNS = [
+    { key: 'ANTHROPIC_API_KEY', pattern: /^sk-ant-/, name: 'Anthropic API key' },
+    { key: 'OPENAI_API_KEY', pattern: /^sk-/, name: 'OpenAI API key' },
+    { key: 'OPENAI_ORG_ID', pattern: /^org-/, name: 'OpenAI Organization ID' },
+    { key: 'COHERE_API_KEY', pattern: /^[A-Za-z0-9]{40}$/, name: 'Cohere API key' },
+    { key: 'GOOGLE_AI_API_KEY', pattern: /^AIza/, name: 'Google AI API key' },
+    { key: 'MISTRAL_API_KEY', pattern: /^[A-Za-z0-9]{32}$/, name: 'Mistral API key' },
+    { key: 'HUGGINGFACE_API_KEY', pattern: /^hf_/, name: 'HuggingFace API key' },
+    { key: 'REPLICATE_API_TOKEN', pattern: /^r8_/, name: 'Replicate API token' },
+    { key: 'AI21_API_KEY', pattern: /^[A-Za-z0-9]{40,}$/, name: 'AI21 API key' },
+];
+/**
+ * Find hardcoded API keys in config
+ */
+export function findHardcodedApiKeys(config) {
+    const found = [];
+    for (const { key, pattern, name } of API_KEY_PATTERNS) {
+        const value = config[key];
+        if (typeof value === 'string' && pattern.test(value)) {
+            found.push({ key, value, name });
+        }
+    }
+    return found;
+}
+//# sourceMappingURL=utils.js.map

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@token-security/clawdit",
+  "version": "0.1.0",
+  "description": "Security audit tool for OpenClaw configurations",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/token-security/clawdit.git"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "clawdit": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc && chmod +x dist/index.js && cp src/schema/output.schema.json dist/clawdit-output.schema.json",
+    "start": "node dist/index.js",
+    "dev": "tsc --watch",
+    "test": "node --test tests/*.test.mjs dist/checks/*.test.js"
+  },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "dist/**/*.json",
+    "!dist/**/*.test.*",
+    "!dist/**/_template.*",
+    "!dist/**/*.map"
+  ],
+  "keywords": [
+    "openclaw",
+    "security",
+    "audit",
+    "cli"
+  ],
+  "author": "Token Security (Ido Shlomo)",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "json5": "^2.2.3"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "ajv": "^8.17.1",
+    "ajv-formats": "^3.0.1",
+    "typescript": "^5.7.0"
+  }
+}