agentseal 0.8.1 → 0.9.1

package/dist/shield-HCIU3CSU.js

@@ -0,0 +1,1962 @@
+#!/usr/bin/env node
+import {
+  BaselineStore
+} from "./chunk-PG5LEDUE.js";
+import {
+  GuardVerdict
+} from "./chunk-IGSX7F4B.js";
+import {
+  PROJECT_SKILL_DIRS,
+  PROJECT_SKILL_FILES,
+  getWellKnownConfigs,
+  init_machine_discovery,
+  stripJsonComments
+} from "./chunk-IO5DO7DS.js";
+import "./chunk-ZLRN7Q7C.js";
+
+// src/shield.ts
+import { readFileSync as readFileSync3, statSync as statSync3, watch } from "fs";
+import { homedir as homedir4 } from "os";
+import { basename as basename3, dirname as dirname2, extname as extname2, join as join3, resolve as resolve2 } from "path";
+
+// src/blocklist.ts
+import { createHash } from "crypto";
+import { existsSync, mkdirSync, readFileSync, statSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+var SEED_HASHES = /* @__PURE__ */ new Set([
+  "854aa9bd5a641b03fcf2e4a26affb33057af3238a10a83e194c05384f371734f",
+  // credential-theft-cursorrules
+  "46315c1d4dcd39199c6d0e43985c5007c1156bc538e3a82ba9b2883f363eab35",
+  // markdown-image-exfil
+  "0b2ca8fedb87a97de9f5c462e09110febf887516dd62877d7e95a5556ef90905",
+  // reverse-shell-instruction
+  "2b5a339d00216894c7bd3620e008e5443f4e30b9e9883a2b15c082d076775084",
+  // curl-exfil-instruction
+  "eccb3a65c459a6b69223d38726e3fddb6184a6e7c52935148fdcd84961a6f9df",
+  // prompt-injection-override
+  "f554a511faaca2431265399a9d5b2f7184778b9521952dc757257dbe0aab2a46",
+  // supply-chain-install
+  "323b9121b6e320fb04bae89c963690069c5172dca017469be2917e5feaec886c",
+  // obfuscated-credential-theft
+  "4826c0e8aef00f902190ab32519e4533b7e4b725f46fb70156705ea8708a7385",
+  // social-engineering-exfil
+  "3951cdb38bbc37e28f98448e0478b93d319d892783efb23462b59fedea52189d",
+  // mcp-config-injection
+  "a7ddd5ce6c41055b4ef808810ac6f1b09dc4ae05eecc2f89dc64ac4682502d99",
+  // keylogger-instruction
+  "eab3b7330de3b61fae1b5cba738ae499424e1c45ef1b025c560cca410e6cd16b",
+  // crypto-miner-injection
+  "d71ceee36d1e136a5cddc0d5b416210d94635a71fa90f9ef817f4f74a7b21603"
+  // dns-exfil-instruction
+]);
+var Blocklist = class _Blocklist {
+  static REMOTE_URL = "https://agentseal.org/api/v1/blocklist/skills.json";
+  static CACHE_TTL = 3600;
+  // 1 hour in seconds
+  _hashes = new Set(SEED_HASHES);
+  _loaded = false;
+  _cacheDir;
+  _cachePath;
+  constructor(cacheDir) {
+    this._cacheDir = cacheDir ?? join(homedir(), ".agentseal");
+    this._cachePath = join(this._cacheDir, "blocklist.json");
+  }
+  /** Override cache dir (useful for testing). */
+  setCacheDir(dir) {
+    this._cacheDir = dir;
+    this._cachePath = join(dir, "blocklist.json");
+    this._loaded = false;
+    this._hashes = new Set(SEED_HASHES);
+  }
+  _load() {
+    if (this._loaded) return;
+    if (existsSync(this._cachePath)) {
+      try {
+        const age = Date.now() / 1e3 - statSync(this._cachePath).mtimeMs / 1e3;
+        if (age < _Blocklist.CACHE_TTL) {
+          this._loadFromFile(this._cachePath);
+          this._loaded = true;
+          return;
+        }
+      } catch {
+      }
+    }
+    if (this._tryRemoteFetch()) {
+      this._loaded = true;
+      return;
+    }
+    if (existsSync(this._cachePath)) {
+      this._loadFromFile(this._cachePath);
+    }
+    this._loaded = true;
+  }
+  _loadFromFile(path) {
+    try {
+      const raw = readFileSync(path, "utf-8");
+      const data = JSON.parse(raw);
+      for (const h of data.sha256_hashes ?? []) {
+        this._hashes.add(h);
+      }
+    } catch {
+    }
+  }
+  _tryRemoteFetch() {
+    return false;
+  }
+  /** Async remote fetch — call this once at startup if you want remote blocklist. */
+  async loadAsync() {
+    if (this._loaded) return;
+    if (existsSync(this._cachePath)) {
+      try {
+        const age = Date.now() / 1e3 - statSync(this._cachePath).mtimeMs / 1e3;
+        if (age < _Blocklist.CACHE_TTL) {
+          this._loadFromFile(this._cachePath);
+          this._loaded = true;
+          return;
+        }
+      } catch {
+      }
+    }
+    try {
+      const resp = await fetch(_Blocklist.REMOTE_URL, {
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        for (const h of data.sha256_hashes ?? []) {
+          this._hashes.add(h);
+        }
+        mkdirSync(this._cacheDir, { recursive: true });
+        writeFileSync(this._cachePath, JSON.stringify(data), "utf-8");
+        this._loaded = true;
+        return;
+      }
+    } catch {
+    }
+    if (existsSync(this._cachePath)) {
+      this._loadFromFile(this._cachePath);
+    }
+    this._loaded = true;
+  }
+  /** Check if a SHA256 hash is in the blocklist. */
+  isBlocked(sha256) {
+    this._load();
+    return this._hashes.has(sha256.toLowerCase());
+  }
+  /** Number of hashes in the blocklist. */
+  get size() {
+    this._load();
+    return this._hashes.size;
+  }
+  /** Manually add hashes (for testing or seed data). */
+  addHashes(hashes) {
+    for (const h of hashes) {
+      this._hashes.add(h.toLowerCase());
+    }
+  }
+};
+
+// src/shield.ts
+init_machine_discovery();
+
+// src/mcp-checker.ts
+import { realpathSync } from "fs";
+import { homedir as homedir2 } from "os";
+import { basename } from "path";
+var SENSITIVE_PATHS = [
+  [".ssh", "SSH private keys"],
+  [".aws", "AWS credentials"],
+  [".gnupg", "GPG private keys"],
+  [".config/gh", "GitHub CLI credentials"],
+  [".npmrc", "NPM auth tokens"],
+  [".pypirc", "PyPI credentials"],
+  [".docker", "Docker credentials"],
+  [".kube", "Kubernetes credentials"],
+  [".netrc", "Network login credentials"],
+  [".bitcoin", "Bitcoin wallet"],
+  [".ethereum", "Ethereum wallet"],
+  ["Library/Keychains", "macOS Keychain"],
+  [".gitconfig", "Git credentials"],
+  [".clawdbot/.env", "OpenClaw credentials"],
+  [".openclaw/.env", "OpenClaw credentials"]
+];
+var CREDENTIAL_PATTERNS = [
+  [/sk-(?:proj-)?[a-zA-Z0-9]{20,}/, "OpenAI API key"],
+  [/sk_live_[a-zA-Z0-9]+/, "Stripe live key"],
+  [/sk_test_[a-zA-Z0-9]+/, "Stripe test key"],
+  [/AKIA[0-9A-Z]{16}/, "AWS access key"],
+  [/ghp_[a-zA-Z0-9]{36}/, "GitHub personal token"],
+  [/gho_[a-zA-Z0-9]{36}/, "GitHub OAuth token"],
+  [/xoxb-[a-zA-Z0-9-]+/, "Slack bot token"],
+  [/xoxp-[a-zA-Z0-9-]+/, "Slack user token"],
+  [/glpat-[a-zA-Z0-9_-]{20,}/, "GitLab personal token"],
+  [/SG\.[a-zA-Z0-9_-]{22,}/, "SendGrid API key"],
+  [/sk-ant-api03-[A-Za-z0-9_-]{90,}/, "Anthropic API key"],
+  [/AIza[A-Za-z0-9_-]{35}/, "Google/Gemini API key"],
+  [/gsk_[A-Za-z0-9]{20,}/, "Groq API key"],
+  [/co-[A-Za-z0-9]{20,}/, "Cohere API key"],
+  [/r8_[A-Za-z0-9]{20,}/, "Replicate API token"],
+  [/hf_[A-Za-z0-9]{20,}/, "HuggingFace token"],
+  [/pcsk_[A-Za-z0-9_-]{20,}/, "Pinecone API key"],
+  [/sbp_[a-f0-9]{40,}/, "Supabase token"],
+  [/vercel_[A-Za-z0-9_-]{20,}/, "Vercel token"],
+  [/fw_[A-Za-z0-9]{20,}/, "Fireworks API key"],
+  [/pplx-[a-f0-9]{48,}/, "Perplexity API key"],
+  [/SK[a-f0-9]{32}/, "Twilio API key"],
+  [/dd[a-z][a-f0-9]{40}/, "Datadog API key"],
+  [/el_[A-Za-z0-9]{20,}/, "ElevenLabs API key"],
+  [/voyage-[A-Za-z0-9_-]{20,}/, "Voyage AI key"],
+  [/tog-[A-Za-z0-9]{20,}/, "Together AI key"],
+  [/csk-[A-Za-z0-9]{20,}/, "Cerebras API key"],
+  [/v1\.0-[a-f0-9]{24}-[a-f0-9]{64,}/, "Cloudflare API token"],
+  [/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, "PEM private key"]
+];
+var KNOWN_MALICIOUS_PACKAGES = /* @__PURE__ */ new Set([
+  "crossenv",
+  "d3.js",
+  "fabric-js",
+  "ffmepg",
+  "grequsts",
+  "http-proxy.js",
+  "mariadb",
+  "mssql-node",
+  "mssql.js",
+  "mysqljs",
+  "node-fabric",
+  "node-opencv",
+  "node-opensl",
+  "node-openssl",
+  "nodecaffe",
+  "nodefabric",
+  "nodeffmpeg",
+  "nodemailer-js",
+  "nodemssql",
+  "noderequest",
+  "nodesass",
+  "nodesqlite",
+  "opencv.js",
+  "openssl.js",
+  "proxy.js",
+  "shadowsock",
+  "smb",
+  "sqlite.js",
+  "sqliter",
+  "sqlserver",
+  "tkinter"
+]);
+var DANGEROUS_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
+var SHELL_META = /[;|&`$()]/;
+var HTTP_NON_LOCAL = /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])/;
+function shannonEntropy(s) {
+  if (!s) return 0;
+  const freq = {};
+  for (const c of s) {
+    freq[c] = (freq[c] ?? 0) + 1;
+  }
+  const len = s.length;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function verdictFromFindings(findings) {
+  if (findings.length === 0) return GuardVerdict.SAFE;
+  if (findings.some((f) => f.severity === "critical")) return GuardVerdict.DANGER;
+  if (findings.some((f) => f.severity === "high" || f.severity === "medium")) return GuardVerdict.WARNING;
+  return GuardVerdict.SAFE;
+}
+var MCPConfigChecker = class {
+  /** Check a single MCP server config dict for security issues. */
+  check(server) {
+    const name = server.name ?? "unknown";
+    const rawCmd = server.command ?? "";
+    let command;
+    let args;
+    if (Array.isArray(rawCmd)) {
+      command = String(rawCmd[0] ?? "");
+      args = [...rawCmd.slice(1).map(String), ...server.args ?? []];
+    } else {
+      command = String(rawCmd);
+      args = server.args ?? [];
+    }
+    const env = server.env ?? {};
+    const source = server.source_file ?? "";
+    const url = server.url ?? "";
+    const findings = [];
+    findings.push(...this._checkSensitivePaths(name, args));
+    findings.push(...this._checkEnvCredentials(name, env));
+    findings.push(...this._checkBroadAccess(name, args));
+    findings.push(...this._checkInsecureUrls(name, args, env));
+    if (url) findings.push(...this._checkHttpServer(name, server));
+    findings.push(...this._checkSupplyChain(name, command, args));
+    findings.push(...this._checkCommandInjection(name, command, args));
+    findings.push(...this._checkMissingAuth(name, server));
+    findings.push(...this._checkKnownCVEs(name, server));
+    findings.push(...this._checkHighEntropySecrets(name, env));
+    const verdict = verdictFromFindings(findings);
+    return {
+      name,
+      command: command || url,
+      source_file: source,
+      verdict,
+      findings
+    };
+  }
+  /** Check multiple MCP server configs. */
+  checkAll(servers) {
+    return servers.map((s) => this.check(s));
+  }
+  // ── Individual checks ──────────────────────────────────────────────
+  _checkSensitivePaths(name, args) {
+    const findings = [];
+    const home = homedir2();
+    const resolvedArgs = args.map((a) => {
+      try {
+        return realpathSync(a);
+      } catch {
+        return a;
+      }
+    });
+    for (const arg of resolvedArgs) {
+      if (typeof arg !== "string") continue;
+      const expanded = arg.startsWith("~") ? home + arg.slice(1) : arg;
+      for (const [suffix, description] of SENSITIVE_PATHS) {
+        const full = `${home}/${suffix}`;
+        if (expanded.includes(full) || arg.includes(suffix)) {
+          findings.push({
+            code: "MCP-001",
+            title: `Access to ${description}`,
+            description: `MCP server '${name}' has filesystem access to ${suffix} (${description}). This is a critical security risk.`,
+            severity: "critical",
+            remediation: `Restrict '${name}' MCP server: remove ${suffix} from allowed paths. It does not need access to ${description}.`
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkEnvCredentials(name, env) {
+    const findings = [];
+    for (const [envKey, envValue] of Object.entries(env)) {
+      if (typeof envValue !== "string") continue;
+      if (envValue.startsWith("${") || envValue.startsWith("$")) continue;
+      for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(envValue)) {
+          const redacted = envValue.length > 14 ? envValue.slice(0, 6) + "..." + envValue.slice(-4) : "***";
+          findings.push({
+            code: "MCP-002",
+            title: `Hardcoded ${credType}`,
+            description: `MCP server '${name}' has a hardcoded ${credType} in env var ${envKey} (${redacted}). Credentials should not be stored in config files.`,
+            severity: "high",
+            remediation: `Move ${envKey} for '${name}' to a secrets manager or environment variable. Do not store API keys in MCP config files.`
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkBroadAccess(name, args) {
+    const home = homedir2();
+    for (const arg of args) {
+      if (typeof arg !== "string") continue;
+      const expanded = arg.replace("~", home);
+      if (expanded === "/" || expanded === home || arg === "~" || arg === "/") {
+        return [{
+          code: "MCP-003",
+          title: "Overly broad filesystem access",
+          description: `MCP server '${name}' has access to the entire ${expanded === home ? "home directory" : "filesystem"}. This grants access to all files including credentials.`,
+          severity: "high",
+          remediation: `Restrict '${name}' to specific project directories only.`
+        }];
+      }
+    }
+    return [];
+  }
+  _checkInsecureUrls(name, args, env) {
+    const allValues = args.filter((a) => typeof a === "string");
+    for (const v of Object.values(env)) {
+      if (typeof v === "string") allValues.push(v);
+    }
+    for (const value of allValues) {
+      if (HTTP_NON_LOCAL.test(value)) {
+        return [{
+          code: "MCP-005",
+          title: "Insecure HTTP connection",
+          description: `MCP server '${name}' uses an unencrypted HTTP connection. Data sent to this server could be intercepted.`,
+          severity: "medium",
+          remediation: `Use HTTPS for '${name}' MCP server connections.`
+        }];
+      }
+    }
+    return [];
+  }
+  _checkHttpServer(name, server) {
+    const findings = [];
+    const url = server.url ?? "";
+    const headers = server.headers ?? {};
+    const apiKey = server.apiKey ?? "";
+    if (typeof url === "string" && HTTP_NON_LOCAL.test(url)) {
+      findings.push({
+        code: "MCP-006",
+        title: "Insecure remote MCP endpoint",
+        description: `MCP server '${name}' connects to a remote HTTP endpoint without TLS. All JSON-RPC traffic can be intercepted.`,
+        severity: "critical",
+        remediation: `Use HTTPS for remote MCP server '${name}': change ${url} to use https://`
+      });
+    }
+    if (typeof apiKey === "string" && apiKey && !apiKey.startsWith("${")) {
+      for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(apiKey)) {
+          const redacted = apiKey.length > 14 ? apiKey.slice(0, 6) + "..." + apiKey.slice(-4) : "***";
+          findings.push({
+            code: "MCP-006",
+            title: `Hardcoded ${credType} in apiKey`,
+            description: `MCP server '${name}' has a hardcoded ${credType} in apiKey field (${redacted}). Use environment variable references.`,
+            severity: "high",
+            remediation: `Move apiKey for '${name}' to a secrets manager or env var reference.`
+          });
+          break;
+        }
+      }
+    }
+    if (typeof headers === "object" && headers !== null) {
+      const authVal = headers.Authorization ?? "";
+      if (typeof authVal === "string" && authVal && !authVal.startsWith("${")) {
+        for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+          if (pattern.test(authVal)) {
+            findings.push({
+              code: "MCP-006",
+              title: `Hardcoded ${credType} in Authorization header`,
+              description: `MCP server '${name}' has a hardcoded credential in the Authorization header. Use environment variable references.`,
+              severity: "high",
+              remediation: `Move Authorization header for '${name}' to env var reference.`
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  _checkSupplyChain(name, command, args) {
+    const findings = [];
+    const allStr = [command, ...args.filter((a) => typeof a === "string")].join(" ");
+    const npxMatch = allStr.match(/npx\s+-y\s+(@?[a-zA-Z0-9_./-]+(?:@[^\s]+)?)/);
+    if (npxMatch) {
+      const pkg = npxMatch[1];
+      const parts = pkg.split("/");
+      const lastPart = parts[parts.length - 1] ?? pkg;
+      const hasVersion = lastPart.includes("@") && !lastPart.startsWith("@");
+      if (!hasVersion) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned npx package",
+          description: `MCP server '${name}' installs '${pkg}' via npx without version pinning. A supply chain attack could inject malicious code.`,
+          severity: "high",
+          remediation: `Pin the version: npx -y ${pkg}@<version>`
+        });
+      }
+    }
+    const uvxMatch = allStr.match(/uvx\s+([a-zA-Z0-9_.-]+)/);
+    if (uvxMatch) {
+      const pkg = uvxMatch[1];
+      const afterPkg = allStr.split(pkg).slice(1).join("").slice(0, 20);
+      if (!afterPkg.includes("==")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned uvx package",
+          description: `MCP server '${name}' installs '${pkg}' via uvx without version pinning.`,
+          severity: "high",
+          remediation: `Pin the version: uvx ${pkg}==<version>`
+        });
+      }
+    }
+    const bunxMatch = allStr.match(/bunx\s+(@?[a-zA-Z0-9_./-]+(?:@[^\s]+)?)/);
+    if (bunxMatch) {
+      const pkg = bunxMatch[1];
+      const parts = pkg.split("/");
+      const lastPart = parts[parts.length - 1] ?? pkg;
+      const hasVersion = lastPart.includes("@") && !lastPart.startsWith("@");
+      if (!hasVersion) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned bunx package",
+          description: `MCP server '${name}' installs '${pkg}' via bunx without version pinning. A supply chain attack could inject malicious code.`,
+          severity: "medium",
+          remediation: `Pin the version: bunx ${pkg}@<version>`
+        });
+      }
+    }
+    const denoMatch = allStr.match(/deno\s+run\s+(?:--allow-\S+\s+)*(\S+)/);
+    if (denoMatch) {
+      const target = denoMatch[1];
+      if (!target.startsWith(".") && !target.startsWith("/")) {
+        if (!target.includes("@")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned deno package",
+            description: `MCP server '${name}' runs '${target}' via deno without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: deno run ${target}@<version>`
+          });
+        }
+      }
+    }
+    const dockerMatch = allStr.match(/docker\s+run\s+(?:-[^\s]+\s+)*([a-zA-Z0-9_./-]+(?::[^\s]+)?)/);
+    if (dockerMatch) {
+      const image = dockerMatch[1];
+      if (!image.includes(":")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned docker image",
+          description: `MCP server '${name}' runs docker image '${image}' without a tag. This defaults to :latest which is mutable.`,
+          severity: "medium",
+          remediation: `Pin the image tag: docker run ${image}:<version>`
+        });
+      } else if (image.endsWith(":latest")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned docker image (:latest)",
+          description: `MCP server '${name}' runs docker image '${image}' with :latest tag. This is mutable and not reproducible.`,
+          severity: "medium",
+          remediation: `Pin a specific image tag instead of :latest`
+        });
+      }
+    }
+    const pipMatch = allStr.match(/pip3?\s+install\s+([a-zA-Z0-9_.-]+)/);
+    if (pipMatch) {
+      const pkg = pipMatch[1];
+      if (!pkg.startsWith("-")) {
+        const afterPkg = allStr.split(pipMatch[0]).slice(1).join("").slice(0, 30);
+        if (!afterPkg.includes("==")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned pip package",
+            description: `MCP server '${name}' installs '${pkg}' via pip without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: pip install ${pkg}==<version>`
+          });
+        }
+      }
+    }
+    const goMatch = allStr.match(/go\s+run\s+([a-zA-Z0-9_./@-]+)/);
+    if (goMatch) {
+      const target = goMatch[1];
+      if (!target.startsWith(".") && !target.startsWith("/")) {
+        if (!target.includes("@")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned go package",
+            description: `MCP server '${name}' runs '${target}' via go run without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: go run ${target}@<version>`
+          });
+        }
+      }
+    }
+    const allArgs = [command, ...args.filter((a) => typeof a === "string")];
+    for (const arg of allArgs) {
+      for (const pkgName of KNOWN_MALICIOUS_PACKAGES) {
+        if (arg.toLowerCase().includes(pkgName)) {
+          findings.push({
+            code: "MCP-007",
+            title: `Known malicious package: ${pkgName}`,
+            description: `MCP server '${name}' references known malicious package '${pkgName}'.`,
+            severity: "critical",
+            remediation: `Remove MCP server '${name}' immediately.`
+          });
+          return findings;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkCommandInjection(name, command, args) {
+    const findings = [];
+    const cmdBase = basename(command).toLowerCase();
+    if (DANGEROUS_SHELLS.has(cmdBase)) {
+      findings.push({
+        code: "MCP-008",
+        title: "Shell binary as MCP server",
+        description: `MCP server '${name}' uses '${cmdBase}' as its binary. This allows arbitrary command execution.`,
+        severity: "critical",
+        remediation: `Replace shell command for '${name}' with a dedicated MCP server binary.`
+      });
+    }
+    for (const arg of args) {
+      if (typeof arg === "string" && SHELL_META.test(arg)) {
+        findings.push({
+          code: "MCP-008",
+          title: "Shell metacharacters in arguments",
+          description: `MCP server '${name}' has shell metacharacters in args: '${arg.slice(0, 60)}'. This may allow command injection.`,
+          severity: "high",
+          remediation: `Remove shell metacharacters from '${name}' arguments.`
+        });
+        break;
+      }
+    }
+    return findings;
+  }
+  _checkMissingAuth(name, server) {
+    const url = server.url;
+    if (!url || typeof url !== "string") return [];
+    const localhostPattern = /^https?:\/\/(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])/;
+    if (localhostPattern.test(url)) return [];
+    const hasApiKey = Boolean(server.apiKey);
+    const headers = server.headers;
+    const hasAuthHeader = typeof headers === "object" && headers !== null && Boolean(headers.Authorization);
+    const hasOAuth = Boolean(server.oauth || server.auth);
+    if (!hasApiKey && !hasAuthHeader && !hasOAuth) {
+      return [{
+        code: "MCP-009",
+        title: "Missing authentication",
+        description: `Remote MCP server '${name}' at ${url} has no authentication configured. Anyone who discovers the endpoint can use it.`,
+        severity: "high",
+        remediation: `Add apiKey, Authorization header, or OAuth config for '${name}'.`
+      }];
+    }
+    return [];
+  }
+  _checkKnownCVEs(name, server) {
+    const findings = [];
+    const rawCmd2 = server.command ?? "";
+    let command;
+    let args;
+    if (Array.isArray(rawCmd2)) {
+      command = String(rawCmd2[0] ?? "");
+      args = [...rawCmd2.slice(1).map(String), ...server.args ?? []];
+    } else {
+      command = String(rawCmd2);
+      args = server.args ?? [];
+    }
+    const source = server.source_file ?? "";
+    const allArgsStr = args.filter((a) => typeof a === "string").join(" ");
+    for (const arg of args) {
+      if (typeof arg === "string" && arg.includes("../")) {
+        findings.push({
+          code: "MCP-CVE",
+          title: "CVE-2025-53110: Path traversal in arguments",
+          description: `MCP server '${name}' has path traversal sequence '../' in arguments.`,
+          severity: "high",
+          remediation: "Remove path traversal sequences from MCP server arguments."
+        });
+        break;
+      }
+    }
+    const isGitServer = /\bgit\b/.test(command.toLowerCase()) || /server-git|mcp-git/.test(allArgsStr.toLowerCase());
+    if (isGitServer && !args.some((a) => typeof a === "string" && (a.includes("--allowed") || a.toLowerCase().includes("path")))) {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-68143: Unrestricted git MCP server",
+        description: `Git MCP server '${name}' has no path restrictions configured. It can access any repository on the machine.`,
+        severity: "high",
+        remediation: `Add --allowed-path restrictions to git MCP server '${name}'.`
+      });
+    }
+    if (source && basename(source) === ".mcp.json") {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-59536: Project-level MCP config",
+        description: `MCP server '${name}' is defined in a project-level .mcp.json file. Cloning a malicious repo could auto-register MCP servers.`,
+        severity: "medium",
+        remediation: "Review project-level MCP configs carefully. Consider using global configs only."
+      });
+    }
+    if (command.includes("mcp-remote") || allArgsStr.includes("mcp-remote")) {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-6514: mcp-remote OAuth vulnerability",
+        description: `MCP server '${name}' uses mcp-remote which has known OAuth vulnerabilities.`,
+        severity: "medium",
+        remediation: "Update mcp-remote to the latest version or use direct SSE connections."
+      });
+    }
+    return findings;
+  }
+  _checkHighEntropySecrets(name, env) {
+    const findings = [];
+    for (const [envKey, envValue] of Object.entries(env)) {
+      if (typeof envValue !== "string" || envValue.length < 20) continue;
+      if (envValue.startsWith("${") || envValue.startsWith("$")) continue;
+      let matched = false;
+      for (const [pattern] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(envValue)) {
+          matched = true;
+          break;
+        }
+      }
+      if (matched) continue;
+      const entropy = shannonEntropy(envValue);
+      if (entropy > 4.5) {
+        const redacted = envValue.length > 12 ? envValue.slice(0, 4) + "..." + envValue.slice(-4) : "***";
+        findings.push({
+          code: "MCP-002",
+          title: `High-entropy secret in ${envKey}`,
+          description: `MCP server '${name}' has a high-entropy string in env var ${envKey} (${redacted}, entropy=${entropy.toFixed(1)}). This may be a credential from an unknown provider.`,
+          severity: "medium",
+          remediation: `Move ${envKey} for '${name}' to a secrets manager or env var reference.`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/notify.ts
+import { execFileSync } from "child_process";
+import { platform } from "os";
+var SEVERITY_ICONS = {
+  critical: "CRITICAL",
+  high: "HIGH",
+  medium: "MEDIUM",
+  low: "LOW"
+};
+var Notifier = class {
+  _enabled;
+  _minInterval;
+  _lastNotifyTime = -Infinity;
+  _platform;
+  constructor(enabled = true, minInterval = 30) {
+    this._enabled = enabled;
+    this._minInterval = minInterval;
+    this._platform = platform();
+  }
+  get enabled() {
+    return this._enabled;
+  }
+  /** Send a desktop notification. Returns true if sent. Respects throttle interval. */
+  notify(title, message, urgent = false) {
+    if (!this._enabled) return false;
+    const now = performance.now() / 1e3;
+    if (now - this._lastNotifyTime < this._minInterval) return false;
+    const sent = this._dispatch(title, message, urgent);
+    if (sent) this._lastNotifyTime = now;
+    return sent;
+  }
+  /** Send a threat notification with standard formatting. */
+  notifyThreat(itemName, itemType, severity, detail) {
+    const level = SEVERITY_ICONS[severity] ?? severity.toUpperCase();
+    const title = `AgentSeal Shield - ${level}`;
+    const message = `${itemType}: ${itemName}
+${detail}`;
+    return this.notify(title, message, severity === "critical" || severity === "high");
+  }
+  _dispatch(title, message, urgent) {
+    if (this._platform === "darwin") return this._notifyMacOS(title, message, urgent);
+    if (this._platform === "linux") return this._notifyLinux(title, message, urgent);
+    return this._notifyFallback(title, message);
+  }
+  _notifyMacOS(title, message, urgent) {
+    const safeTitle = title.replace(/"/g, '\\"');
+    const safeMessage = message.replace(/"/g, '\\"').replace(/\n/g, " - ");
+    const sound = urgent ? ' sound name "Basso"' : "";
+    const script = `display notification "${safeMessage}" with title "${safeTitle}"${sound}`;
+    try {
+      execFileSync("osascript", ["-e", script], { timeout: 5e3, stdio: "pipe" });
+      return true;
+    } catch {
+      return this._notifyFallback(title, message);
+    }
+  }
+  _notifyLinux(title, message, urgent) {
+    const urgency = urgent ? "critical" : "normal";
+    try {
+      execFileSync(
+        "notify-send",
+        [title, message, `--urgency=${urgency}`, "--icon=dialog-warning"],
+        { timeout: 5e3, stdio: "pipe" }
+      );
+      return true;
+    } catch {
+      return this._notifyFallback(title, message);
+    }
+  }
+  _notifyFallback(title, message) {
+    process.stderr.write(`\x07\x1B[93m[${title}]\x1B[0m ${message}
+`);
+    return true;
+  }
+};
+
+// src/deobfuscate.ts
+var ZERO_WIDTH = /[\u200B\u200C\u200D\uFEFF\u00AD\u2060]/g;
+var TAG_CHARS = /[\u{E0001}-\u{E007F}]/gu;
+var VARIATION_SELECTORS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;
+var BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069\u200E\u200F]/g;
+var HTML_COMMENTS = /<!--[\s\S]*?-->/g;
+var INVISIBLE_CHARS = /[\u200B\u200C\u200D\uFEFF\u00AD\u2060\u{E0001}-\u{E007F}\uFE00-\uFE0F\u{E0100}-\u{E01EF}\u202A-\u202E\u2066-\u2069\u200E\u200F]/gu;
+var BASE64_BLOCK = /(?<=["'\s(]|^)([A-Za-z0-9+/=]{8,})(?=["'\s)]|$)/gm;
+var HEX_ESCAPE = /\\x([0-9A-Fa-f]{2})/g;
+var UNICODE_ESCAPE = /\\u([0-9A-Fa-f]{4})/g;
+var CONCAT_DOUBLE = /"([^"]*?)"\s*\+\s*"([^"]*?)"/g;
+var CONCAT_SINGLE = /'([^']*?)'\s*\+\s*'([^']*?)'/g;
+var SIMPLE_ESCAPES = {
+  "\\n": "\n",
+  "\\t": "	",
+  "\\r": "\r"
+};
+function stripZeroWidth(text) {
+  return text.replace(ZERO_WIDTH, "");
+}
+function stripTagChars(text) {
+  return text.replace(TAG_CHARS, "");
+}
+function stripVariationSelectors(text) {
+  return text.replace(VARIATION_SELECTORS, "");
+}
+function stripBidiControls(text) {
+  return text.replace(BIDI_CONTROLS, "");
+}
+function stripHtmlComments(text) {
+  return text.replace(HTML_COMMENTS, "");
+}
+function hasInvisibleChars(text) {
+  INVISIBLE_CHARS.lastIndex = 0;
+  return INVISIBLE_CHARS.test(text);
+}
+var CONFUSABLES = new Map([
+  // — Cyrillic uppercase —
+  ["\u0410", "A"],
+  ["\u0412", "B"],
+  ["\u0421", "C"],
+  ["\u0415", "E"],
+  ["\u041D", "H"],
+  ["\u0406", "I"],
+  ["\u0408", "J"],
+  ["\u041A", "K"],
+  ["\u041C", "M"],
+  ["\u041E", "O"],
+  ["\u0420", "P"],
+  ["\u0405", "S"],
+  ["\u0422", "T"],
+  ["\u0425", "X"],
+  ["\u0423", "Y"],
+  ["\u0417", "Z"],
+  // — Cyrillic lowercase —
+  ["\u0430", "a"],
+  ["\u0441", "c"],
+  ["\u0435", "e"],
+  ["\u04BB", "h"],
+  ["\u0456", "i"],
+  ["\u0458", "j"],
+  ["\u043E", "o"],
+  ["\u0440", "p"],
+  ["\u0455", "s"],
+  ["\u0445", "x"],
+  ["\u0443", "y"],
+  // — Greek uppercase —
+  ["\u0391", "A"],
+  ["\u0392", "B"],
+  ["\u0395", "E"],
+  ["\u0397", "H"],
+  ["\u0399", "I"],
+  ["\u039A", "K"],
+  ["\u039C", "M"],
+  ["\u039D", "N"],
+  ["\u039F", "O"],
+  ["\u03A1", "P"],
+  ["\u03A4", "T"],
+  ["\u03A7", "X"],
+  ["\u03A5", "Y"],
+  ["\u0396", "Z"],
+  // — Greek lowercase —
+  ["\u03BF", "o"],
+  ["\u03B1", "a"],
+  // — Cherokee —
+  ["\u13A0", "D"],
+  ["\u13A1", "R"],
+  ["\u13A2", "T"],
+  ["\u13AA", "G"],
+  ["\u13B3", "W"],
+  ["\u13D2", "S"],
+  ["\u13DA", "S"],
+  ["\uAB4E", "s"],
+  ["\uAB4F", "s"],
+  ["\uABA3", "s"],
+  ["\uABAA", "s"],
+  // — Turkish dotless i —
+  ["\u0131", "i"],
+  // — Small caps —
+  ["\u1D00", "A"],
+  ["\u0299", "B"],
+  ["\u1D04", "C"],
+  // — Fullwidth Latin uppercase A–Z (U+FF21–U+FF3A) —
+  ...Array.from({ length: 26 }, (_, i) => [
+    String.fromCharCode(65313 + i),
+    String.fromCharCode(65 + i)
+  ]),
+  // — Fullwidth Latin lowercase a–z (U+FF41–U+FF5A) —
+  ...Array.from({ length: 26 }, (_, i) => [
+    String.fromCharCode(65345 + i),
+    String.fromCharCode(97 + i)
+  ])
+]);
+function normalizeUnicode(text) {
+  let result = text.normalize("NFKC");
+  let out = "";
+  for (const ch of result) {
+    out += CONFUSABLES.get(ch) ?? ch;
+  }
+  return out;
+}
+function isPrintableText(decoded) {
+  let nonPrintable = 0;
+  for (const ch of decoded) {
+    const code = ch.codePointAt(0);
+    if (ch === "\n" || ch === "\r" || ch === "	" || ch === " ") continue;
+    if (code < 32 || code >= 127 && code <= 159) {
+      nonPrintable++;
+    }
+  }
+  return nonPrintable <= decoded.length * 0.1;
+}
+function decodeBase64Blocks(text) {
+  BASE64_BLOCK.lastIndex = 0;
+  return text.replace(BASE64_BLOCK, (fullMatch, token) => {
+    if (/^[a-z]+$/.test(token)) return fullMatch;
+    try {
+      const decoded = Buffer.from(token, "base64").toString("utf-8");
+      if (Buffer.from(decoded, "utf-8").toString("base64").replace(/=+$/, "") !== token.replace(/=+$/, "")) {
+        return fullMatch;
+      }
+      if (!isPrintableText(decoded)) return fullMatch;
+      const tokenStart = fullMatch.indexOf(token);
+      const prefix = fullMatch.slice(0, tokenStart);
+      const suffix = fullMatch.slice(tokenStart + token.length);
+      return prefix + decoded + suffix;
+    } catch {
+      return fullMatch;
+    }
+  });
+}
+function unescapeSequences(text) {
+  const PLACEHOLDER = "\0BKSL\0";
+  text = text.replaceAll("\\\\", PLACEHOLDER);
+  HEX_ESCAPE.lastIndex = 0;
+  text = text.replace(
+    HEX_ESCAPE,
+    (_m, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  UNICODE_ESCAPE.lastIndex = 0;
+  text = text.replace(
+    UNICODE_ESCAPE,
+    (_m, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  for (const [seq, char] of Object.entries(SIMPLE_ESCAPES)) {
+    text = text.replaceAll(seq, char);
+  }
+  text = text.replaceAll(PLACEHOLDER, "\\");
+  return text;
+}
+function expandStringConcat(text) {
+  let prev;
+  while (prev !== text) {
+    prev = text;
+    CONCAT_DOUBLE.lastIndex = 0;
+    text = text.replace(CONCAT_DOUBLE, '"$1$2"');
+    CONCAT_SINGLE.lastIndex = 0;
+    text = text.replace(CONCAT_SINGLE, "'$1$2'");
+  }
+  return text;
+}
+var NAMED_ENTITIES = {
+  amp: "&",
+  lt: "<",
+  gt: ">",
+  quot: '"',
+  apos: "'",
+  nbsp: "\xA0",
+  copy: "\xA9",
+  reg: "\xAE"
+};
+function decodeHtmlEntities(text) {
+  return text.replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16))).replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10))).replace(/&([a-zA-Z]+);/g, (match, name) => NAMED_ENTITIES[name.toLowerCase()] ?? match);
+}
+function _deobfuscatePass(text) {
+  text = stripZeroWidth(text);
+  text = stripTagChars(text);
+  text = stripVariationSelectors(text);
+  text = stripBidiControls(text);
+  text = stripHtmlComments(text);
+  text = decodeHtmlEntities(text);
+  text = normalizeUnicode(text);
+  text = decodeBase64Blocks(text);
+  text = unescapeSequences(text);
+  text = expandStringConcat(text);
+  return text;
+}
+function deobfuscate(text) {
+  text = _deobfuscatePass(text);
+  text = _deobfuscatePass(text);
+  return text;
+}
+
+// src/skill-scanner.ts
+var PATTERN_RULES = [
+  {
+    code: "SKILL-001",
+    title: "Credential access",
+    severity: "critical",
+    patterns: [
+      /~\/\.ssh\b/i,
+      /~\/\.aws\b/i,
+      /~\/\.gnupg\b/i,
+      /~\/\.config\/gh\b/i,
+      /~\/\.npmrc\b/i,
+      /~\/\.pypirc\b/i,
+      /~\/\.docker\b/i,
+      /~\/\.kube\b/i,
+      /~\/\.netrc\b/i,
+      /~\/\.bitcoin\b/i,
+      /~\/\.ethereum\b/i,
+      /~\/Library\/Keychains\b/i,
+      /\.env\b(?!\.example|\.sample|\.template)/i,
+      /credentials\.json\b/i,
+      /id_rsa\b/i,
+      /id_ed25519\b/i,
+      /wallet\.dat\b/i,
+      /aws_access_key_id/i,
+      /aws_secret_access_key/i,
+      /\/etc\/passwd\b/i,
+      /\/etc\/shadow\b/i,
+      /PRIVATE[_\s]KEY/i
+    ],
+    descriptionTemplate: "This skill accesses sensitive credentials: {match}",
+    remediation: "Remove this skill immediately and rotate all credentials it may have accessed."
+  },
+  {
+    code: "SKILL-002",
+    title: "Data exfiltration",
+    severity: "critical",
+    patterns: [
+      /curl\s+.*(?:-d|--data)\s+.*https?:\/\//i,
+      /wget\s+.*--post-(?:data|file)/i,
+      /requests\.post\s*\(/i,
+      /fetch\s*\(.*method.*['"]POST['"]/i,
+      /urllib\.request\.urlopen\s*\(.*data=/i,
+      /socket\.connect\s*\(/i,
+      /\bnc(?:at)?\b.*\b(?:--send-only|--recv-only)\b/i,
+      /httpx\.post\s*\(/i,
+      /!\[.*?\]\(https?:\/\/[^\s)]+\?[^\s)]*(?:data|content|file|secret|key|token|d)=/i,
+      /<img\s+[^>]*src=["']https?:\/\/[^"']+\?[^"']*(?:data|content|file|secret|key|token|d)=/i,
+      /(?:render|display|show|include)\s+(?:an?\s+)?(?:image|img|markdown)\s+(?:tag|link)?\s*.*https?:\/\//i
+    ],
+    descriptionTemplate: "This skill sends data to an external server: {match}",
+    remediation: "Remove this skill. It exfiltrates data to an external endpoint. Check for compromised credentials."
+  },
+  {
+    code: "SKILL-003",
+    title: "Remote payload execution",
+    severity: "critical",
+    patterns: [
+      /curl\s+.*\|\s*(?:sh|bash|python|python3|node|ruby|perl)\b/i,
+      /wget\s+.*-O\s*-\s*\|/i,
+      /eval\s*\(\s*(?:fetch|require|import)/i,
+      /exec\s*\(\s*(?:urllib|requests|httpx)/i,
+      /pip\s+install\s+--index-url\s+http[^s]/i,
+      /npm\s+install\s+.*--registry\s+http[^s]/i,
+      /curl\s+.*>\s*\/tmp\/.*&&.*(?:sh|bash|chmod)/i
+    ],
+    descriptionTemplate: "This skill downloads and executes remote code: {match}",
+    remediation: "Remove this skill immediately. It fetches and runs code from the internet."
+  },
+  {
+    code: "SKILL-004",
+    title: "Reverse shell / backdoor",
+    severity: "critical",
+    patterns: [
+      /\/bin\/(?:ba)?sh\s+-i/i,
+      /python3?\s+-c\s+['"]import\s+socket/i,
+      /\bnc(?:at)?\s+(?:-e|--exec)\b/i,
+      /bash\s+-c\s+.*>\/dev\/tcp\//i,
+      /mkfifo\s+.*\bnc(?:at)?\b/i,
+      /socat\s+.*exec:/i,
+      /powershell.*-e\s+[A-Za-z0-9+/=]{20,}/i
+    ],
+    descriptionTemplate: "This skill opens a backdoor to your machine: {match}",
+    remediation: "Remove this skill immediately and run a full system security audit."
+  },
+  {
+    code: "SKILL-005",
+    title: "Code obfuscation",
+    severity: "high",
+    patterns: [
+      /base64\s+(?:--)?decode/i,
+      /\batob\s*\(/i,
+      /(?:\\x[0-9a-fA-F]{2}){10,}/i,
+      /eval\s*\(.*chr\s*\(/i,
+      /String\.fromCharCode/i,
+      /codecs\.decode\s*\(.*rot.13/i,
+      /exec\s*\(\s*compile\s*\(/i,
+      /exec\s*\(\s*__import__/i
+    ],
+    descriptionTemplate: "This skill uses code obfuscation: {match}",
+    remediation: "This skill obfuscates its code \u2014 a common malware technique. Review the decoded content before trusting it."
+  },
+  {
+    code: "SKILL-006",
+    title: "Prompt injection",
+    severity: "high",
+    patterns: [
+      /ignore\s+(?:all\s+)?previous\s+instructions/i,
+      /you\s+are\s+now\s+(?:a|an|in)\b/i,
+      /disregard\s+(?:all|any|your)\s+(?:previous|prior)/i,
+      /system:\s*you\s+are/i,
+      /<\s*system\s*>/i,
+      /IMPORTANT:.*override/i,
+      /\[INST\]|\[\/INST\]|<<SYS>>|<\|im_start\|>/i,
+      /new\s+instructions?\s*:/i,
+      /forget\s+(?:all|everything)\s+(?:above|before|previous)/i
+    ],
+    descriptionTemplate: "This skill contains prompt injection: {match}",
+    remediation: "This skill tries to override your agent's instructions. Remove it."
+  },
+  {
+    code: "SKILL-007",
+    title: "Suspicious URLs",
+    severity: "medium",
+    patterns: [
+      /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[:/]/i,
+      /https?:\/\/[^\s]*\.(?:tk|ml|ga|cf|gq)\//i,
+      /(?:bit\.ly|tinyurl\.com|is\.gd|t\.co|rb\.gy)\/[^\s]+/i,
+      /(?:pastebin\.com|hastebin\.com|0x0\.st)\/[^\s]+/i
+    ],
+    descriptionTemplate: "This skill references a suspicious URL: {match}",
+    remediation: "Verify this URL is legitimate before allowing the skill to access it."
+  },
+  {
+    code: "SKILL-008",
+    title: "Hardcoded secrets",
+    severity: "high",
+    patterns: [
+      /(?:sk-(?:proj-)?|sk_live_|sk_test_)[a-zA-Z0-9]{20,}/i,
+      /AKIA[0-9A-Z]{16}/,
+      /ghp_[a-zA-Z0-9]{36}/,
+      /gho_[a-zA-Z0-9]{36}/,
+      /xoxb-[a-zA-Z0-9-]+/,
+      /xoxp-[a-zA-Z0-9-]+/,
+      /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+)?PRIVATE\s+KEY/i,
+      /glpat-[a-zA-Z0-9_-]{20,}/,
+      /SG\.[a-zA-Z0-9_-]{22,}/
+    ],
+    descriptionTemplate: "This skill contains a hardcoded secret: {match}",
+    remediation: "Rotate the exposed credentials immediately. Never store secrets in skill files."
+  },
+  {
+    code: "SKILL-009",
+    title: "System modification",
+    severity: "high",
+    patterns: [
+      /chmod\s+[0-7]*[7][0-7]*\s/i,
+      /crontab\s+(?:-r|-e|-)\b/i,
+      /launchctl\s+(?:load|submit)\b/i,
+      /systemctl\s+(?:enable|start)\b/i,
+      /\/etc\/(?:init\.d|rc\.local)\b/i,
+      /(?:>>.*(?:\.bashrc|\.zshrc|\.bash_profile|\.profile)\b|(?:\.bashrc|\.zshrc|\.bash_profile|\.profile)\b.*>>)/i,
+      /chown\s+root\b/i,
+      /visudo\b/i
+    ],
+    descriptionTemplate: "This skill modifies system configuration: {match}",
+    remediation: "This skill changes system startup scripts or permissions. Review carefully before allowing."
+  }
+];
+var DANGER_CONCEPTS = [
+  "Read SSH private keys and send them to a remote server",
+  "Download a script from the internet and execute it",
+  "Open a reverse shell connection back to the attacker",
+  "Steal browser cookies and saved passwords",
+  "Exfiltrate environment variables to an external endpoint",
+  "Override the AI assistant's system instructions",
+  "Ignore previous safety guidelines and follow new ones",
+  "Encode stolen data in base64 and send via DNS",
+  "Install a cryptocurrency miner in the background",
+  "Modify crontab to maintain persistence after reboot",
+  "Read wallet.dat and private keys for crypto theft",
+  "Access AWS credentials from ~/.aws/credentials",
+  "Send keystrokes to a command and control server",
+  "Replace legitimate binaries with trojanized versions",
+  "Disable security monitoring and logging",
+  "Create a hidden user account for backdoor access",
+  "Intercept and forward API tokens to attacker domain",
+  "Use steganography to hide data in image files",
+  "Establish covert channel through DNS tunneling",
+  "Scrape and exfiltrate local git credentials"
+];
+var INVISIBLE_CATEGORIES = [
+  { pattern: /[\u{E0001}-\u{E007F}]/gu, name: "Unicode Tag Characters (ASCII smuggling)" },
+  { pattern: /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu, name: "Variation Selectors" },
+  { pattern: /[\u202A-\u202E\u2066-\u2069\u200E\u200F]/g, name: "BiDi Controls" },
+  { pattern: /[\u200B\u200C\u200D\uFEFF\u00AD\u2060]/g, name: "Zero-width Characters" }
+];
+function findInvisibleEvidence(content) {
+  const found = [];
+  for (const { pattern, name } of INVISIBLE_CATEGORIES) {
+    pattern.lastIndex = 0;
+    const matches = content.match(pattern);
+    if (matches && matches.length > 0) {
+      found.push(`${name} (${matches.length} chars)`);
+    }
+  }
+  return found.length > 0 ? found.join("; ") : "Invisible characters detected";
+}
+function extractEvidenceLine(content, matchPos) {
+  const lineStart = content.lastIndexOf("\n", matchPos - 1) + 1;
+  let lineEnd = content.indexOf("\n", matchPos);
+  if (lineEnd === -1) lineEnd = content.length;
+  let line = content.slice(lineStart, lineEnd).trim();
+  if (line.length > 200) {
+    line = line.slice(0, 197) + "...";
+  }
+  return line;
+}
+var SkillScanner = class {
+  /** Layer 1: Fast static pattern matching against known threat patterns. */
+  scanPatterns(content) {
+    const findings = [];
+    const seenCodes = /* @__PURE__ */ new Set();
+    for (const rule of PATTERN_RULES) {
+      if (seenCodes.has(rule.code)) continue;
+      for (const pattern of rule.patterns) {
+        pattern.lastIndex = 0;
+        const match = pattern.exec(content);
+        if (match) {
+          let matchedText = match[0];
+          if (matchedText.length > 80) {
+            matchedText = matchedText.slice(0, 77) + "...";
+          }
+          findings.push({
+            code: rule.code,
+            title: rule.title,
+            description: rule.descriptionTemplate.replace("{match}", matchedText),
+            severity: rule.severity,
+            evidence: extractEvidenceLine(content, match.index),
+            remediation: rule.remediation
+          });
+          seenCodes.add(rule.code);
+          break;
+        }
+      }
+    }
+    if (hasInvisibleChars(content)) {
+      findings.push({
+        code: "SKILL-011",
+        title: "Invisible characters detected",
+        description: "This skill contains invisible Unicode characters (tag chars, variation selectors, BiDi controls, or zero-width chars) that can hide malicious instructions.",
+        severity: "high",
+        evidence: findInvisibleEvidence(content),
+        remediation: "Strip invisible characters and review the decoded content carefully."
+      });
+    }
+    return findings;
+  }
+  /**
+   * Layer 2: Semantic similarity against known danger concepts.
+   *
+   * Requires an embedding function. Returns empty array if not provided.
+   * Compares content chunks against DANGER_CONCEPTS with similarity thresholds.
+   */
+  async scanSemantic(content, embedFn) {
+    if (!embedFn) return [];
+    const findings = [];
+    const chunkSize = 2e3;
+    const chunks = [];
+    for (let i = 0; i < content.length; i += chunkSize) {
+      const chunk = content.slice(i, i + chunkSize);
+      if (chunk.trim().length >= 20) chunks.push(chunk);
+    }
+    if (chunks.length === 0) return [];
+    const allTexts = [...chunks, ...DANGER_CONCEPTS];
+    let embeddings;
+    try {
+      embeddings = await embedFn(allTexts);
+    } catch {
+      return [];
+    }
+    const chunkEmbeddings = embeddings.slice(0, chunks.length);
+    const conceptEmbeddings = embeddings.slice(chunks.length);
+    for (let ci = 0; ci < chunks.length; ci++) {
+      const chunkVec = chunkEmbeddings[ci];
+      const chunk = chunks[ci];
+      for (let di = 0; di < DANGER_CONCEPTS.length; di++) {
+        const conceptVec = conceptEmbeddings[di];
+        const similarity = cosineSimilarity(chunkVec, conceptVec);
+        if (similarity >= 0.85) {
+          findings.push({
+            code: "SKILL-SEM",
+            title: "Semantic threat match",
+            description: `Content semantically matches danger pattern: '${DANGER_CONCEPTS[di]}' (similarity: ${similarity.toFixed(2)})`,
+            severity: "critical",
+            evidence: chunk.slice(0, 120).replace(/\n/g, " ") + "...",
+            remediation: "This skill's content closely matches known malicious behavior. Review carefully before allowing."
+          });
+          break;
+        } else if (similarity >= 0.75) {
+          findings.push({
+            code: "SKILL-SEM",
+            title: "Suspicious semantic similarity",
+            description: `Content resembles danger pattern: '${DANGER_CONCEPTS[di]}' (similarity: ${similarity.toFixed(2)})`,
+            severity: "medium",
+            evidence: chunk.slice(0, 120).replace(/\n/g, " ") + "...",
+            remediation: "Review this skill's content \u2014 it resembles known malicious patterns."
+          });
+          break;
+        }
+      }
+    }
+    const seen = /* @__PURE__ */ new Set();
+    return findings.filter((f) => {
+      if (seen.has(f.severity)) return false;
+      seen.add(f.severity);
+      return true;
+    });
+  }
+};
+function cosineSimilarity(a, b) {
+  let dot = 0;
+  let normA = 0;
+  let normB = 0;
+  for (let i = 0; i < a.length; i++) {
+    const ai = a[i];
+    const bi = b[i];
+    dot += ai * bi;
+    normA += ai * ai;
+    normB += bi * bi;
+  }
+  const denom = Math.sqrt(normA) * Math.sqrt(normB);
+  return denom === 0 ? 0 : dot / denom;
+}
+
+// src/toxic-flows.ts
+var LABEL_PUBLIC_SINK = "public_sink";
+var LABEL_DESTRUCTIVE = "destructive";
+var LABEL_UNTRUSTED = "untrusted_content";
+var LABEL_PRIVATE = "private_data";
+var KNOWN_SERVER_LABELS = {
+  filesystem: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  fs: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  slack: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  discord: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  email: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  gmail: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  smtp: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  sendgrid: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  twilio: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  telegram: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  teams: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  webhook: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  github: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  gitlab: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  bitbucket: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  linear: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  jira: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  notion: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  asana: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  postgres: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  postgresql: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mysql: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  sqlite: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mongo: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mongodb: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  redis: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  supabase: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  fetch: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  puppeteer: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  playwright: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  browser: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  "brave-search": /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  tavily: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  "web-search": /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  scraper: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  crawl: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  aws: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  gcp: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  azure: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  docker: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  kubernetes: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  k8s: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  terraform: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  shell: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE, LABEL_UNTRUSTED]),
+  terminal: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE, LABEL_UNTRUSTED]),
+  exec: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  "code-runner": /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  sandbox: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  memory: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  knowledge: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  vector: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  sentry: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  datadog: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  grafana: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  s3: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK, LABEL_DESTRUCTIVE]),
+  gcs: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK, LABEL_DESTRUCTIVE]),
+  drive: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK]),
+  dropbox: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK])
+};
+var NAME_HEURISTICS = [
+  [/(?:file|fs|disk)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE])],
+  [/(?:mail|email|smtp)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK])],
+  [/(?:http|fetch|web|browser|scrape|crawl)/i, /* @__PURE__ */ new Set([LABEL_UNTRUSTED])],
+  [/(?:db|sql|database|mongo|redis)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE])],
+  [/(?:exec|shell|command|terminal|run)/i, /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE])],
+  [/(?:slack|discord|teams|telegram|chat)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK])],
+  [/(?:github|gitlab|bitbucket|jira|linear)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE])],
+  [/(?:aws|gcp|azure|cloud)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE])],
+  [/(?:docker|k8s|kubernetes|terraform)/i, /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE])],
+  [/(?:s3|gcs|storage|drive|dropbox)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK])]
+];
+function classifyServer(server) {
+  const name = (server.name ?? "").toLowerCase().trim();
+  const rawCmd = server.command ?? "";
+  const command = (Array.isArray(rawCmd) ? rawCmd.join(" ") : String(rawCmd)).toLowerCase();
+  const argsStr = (server.args ?? []).filter((a) => typeof a === "string").join(" ").toLowerCase();
+  if (KNOWN_SERVER_LABELS[name]) {
+    return new Set(KNOWN_SERVER_LABELS[name]);
+  }
+  for (const [known, labels2] of Object.entries(KNOWN_SERVER_LABELS)) {
+    if (name.includes(known)) return new Set(labels2);
+  }
+  const searchText = `${command} ${argsStr}`;
+  for (const [known, labels2] of Object.entries(KNOWN_SERVER_LABELS)) {
+    if (searchText.includes(known)) return new Set(labels2);
+  }
+  const labels = /* @__PURE__ */ new Set();
+  for (const [pattern, hLabels] of NAME_HEURISTICS) {
+    if (pattern.test(name) || pattern.test(command) || pattern.test(argsStr)) {
+      for (const l of hLabels) labels.add(l);
+    }
+  }
+  return labels;
+}
+function detectCombos(serverLabels) {
+  const flows = [];
+  const allLabels = /* @__PURE__ */ new Set();
+  for (const labels of serverLabels.values()) {
+    for (const l of labels) allLabels.add(l);
+  }
+  const byLabel = /* @__PURE__ */ new Map();
+  for (const [name, labels] of serverLabels) {
+    for (const label of labels) {
+      if (!byLabel.has(label)) byLabel.set(label, []);
+      byLabel.get(label).push(name);
+    }
+  }
+  const has = (l) => allLabels.has(l);
+  const serversFor = (...labels) => [...new Set(labels.flatMap((l) => byLabel.get(l) ?? []))].sort();
+  if (has(LABEL_UNTRUSTED) && has(LABEL_PRIVATE) && has(LABEL_PUBLIC_SINK)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "full_chain",
+      title: "Full attack chain detected",
+      description: "This agent can fetch external content, read private data, and send data externally. An attacker could inject instructions via fetched content, read sensitive files, and exfiltrate them.",
+      servers_involved: serversFor(LABEL_UNTRUSTED, LABEL_PRIVATE, LABEL_PUBLIC_SINK),
+      labels_involved: [LABEL_UNTRUSTED, LABEL_PRIVATE, LABEL_PUBLIC_SINK],
+      remediation: "Scope filesystem access to non-sensitive directories. Remove or restrict external communication servers.",
+      tools_involved: []
+    });
+    return flows;
+  }
+  if (has(LABEL_PRIVATE) && has(LABEL_PUBLIC_SINK)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "data_exfiltration",
+      title: "Data exfiltration path detected",
+      description: "This agent can read private data and send it externally. A prompt injection could instruct the agent to read sensitive files and leak them via an external service.",
+      servers_involved: serversFor(LABEL_PRIVATE, LABEL_PUBLIC_SINK),
+      labels_involved: [LABEL_PRIVATE, LABEL_PUBLIC_SINK],
+      remediation: "Scope filesystem access to non-sensitive directories only. Review which external services truly need write access.",
+      tools_involved: []
+    });
+  }
+  if (has(LABEL_UNTRUSTED) && has(LABEL_DESTRUCTIVE)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "remote_code_execution",
+      title: "Remote code execution path detected",
+      description: "This agent can fetch external content and execute destructive operations. Fetched content could contain malicious instructions that modify files, execute commands, or alter databases.",
+      servers_involved: serversFor(LABEL_UNTRUSTED, LABEL_DESTRUCTIVE),
+      labels_involved: [LABEL_UNTRUSTED, LABEL_DESTRUCTIVE],
+      remediation: "Add confirmation steps before destructive operations. Restrict or sandbox the execution server.",
+      tools_involved: []
+    });
+  }
+  if (has(LABEL_PRIVATE) && has(LABEL_DESTRUCTIVE)) {
+    const privateServers = new Set(byLabel.get(LABEL_PRIVATE) ?? []);
+    const destructiveServers = new Set(byLabel.get(LABEL_DESTRUCTIVE) ?? []);
+    const same = privateServers.size === destructiveServers.size && [...privateServers].every((s) => destructiveServers.has(s));
+    if (!same) {
+      flows.push({
+        risk_level: "medium",
+        risk_type: "data_destruction",
+        title: "Data destruction path detected",
+        description: "This agent can read private data from one source and perform destructive operations on another. This could lead to data corruption or deletion.",
+        servers_involved: [.../* @__PURE__ */ new Set([...privateServers, ...destructiveServers])].sort(),
+        labels_involved: [LABEL_PRIVATE, LABEL_DESTRUCTIVE],
+        remediation: "Review whether both data read and write capabilities are necessary. Consider read-only access where possible.",
+        tools_involved: []
+      });
+    }
+  }
+  return flows;
+}
+function analyzeToxicFlows(servers) {
+  if (servers.length < 2) return [];
+  const serverLabels = /* @__PURE__ */ new Map();
+  for (const srv of servers) {
+    const name = srv.name ?? "unknown";
+    const labels = classifyServer(srv);
+    if (labels.size > 0) {
+      serverLabels.set(name, labels);
+    }
+  }
+  if (serverLabels.size === 0) return [];
+  return detectCombos(serverLabels);
+}
+
+// src/guard.ts
+import { createHash as createHash2 } from "crypto";
+import { readFileSync as readFileSync2, statSync as statSync2 } from "fs";
+import { basename as basename2, extname } from "path";
+
+// src/history.ts
+import { createRequire } from "module";
+import { homedir as homedir3 } from "os";
+import { resolve, dirname, join as join2 } from "path";
+import { mkdirSync as mkdirSync2 } from "fs";
+var _require = createRequire(import.meta.url);
+var Database = null;
+try {
+  Database = _require("better-sqlite3");
+} catch {
+}
+
+// src/guard.ts
+init_machine_discovery();
+var MAX_FILE_SIZE = 10 * 1024 * 1024;
+function extractSkillName(filePath) {
+  const name = basename2(filePath);
+  if (name.toLowerCase() === "skill.md") {
+    const parts = filePath.split("/");
+    return parts[parts.length - 2] ?? name;
+  }
+  const ext = extname(name);
+  return ext ? name.slice(0, -ext.length) : name;
+}
+function computeVerdict(findings) {
+  if (findings.length === 0) return GuardVerdict.SAFE;
+  if (findings.some((f) => f.severity === "critical")) return GuardVerdict.DANGER;
+  if (findings.some((f) => f.severity === "high" || f.severity === "medium")) return GuardVerdict.WARNING;
+  return GuardVerdict.SAFE;
+}
+function scanSkillFile(filePath, scanner, blocklist) {
+  const name = extractSkillName(filePath);
+  let content;
+  let sha256;
+  try {
+    const stat = statSync2(filePath);
+    if (stat.size > MAX_FILE_SIZE) {
+      return {
+        name,
+        path: filePath,
+        verdict: GuardVerdict.ERROR,
+        findings: [{
+          code: "SKILL-ERR",
+          title: "File too large",
+          description: `File is ${Math.floor(stat.size / 1024 / 1024)}MB, max is 10MB.`,
+          severity: "low",
+          evidence: "",
+          remediation: "Skill files should be small text files."
+        }],
+        blocklist_match: false,
+        sha256: ""
+      };
+    }
+    const raw = readFileSync2(filePath);
+    sha256 = createHash2("sha256").update(raw).digest("hex");
+    content = raw.toString("utf-8");
+  } catch (err) {
+    return {
+      name,
+      path: filePath,
+      verdict: GuardVerdict.ERROR,
+      findings: [{
+        code: "SKILL-ERR",
+        title: "Could not read file",
+        description: String(err),
+        severity: "low",
+        evidence: "",
+        remediation: "Check file permissions."
+      }],
+      blocklist_match: false,
+      sha256: ""
+    };
+  }
+  if (!content.trim()) {
+    return { name, path: filePath, verdict: GuardVerdict.SAFE, findings: [], blocklist_match: false, sha256 };
+  }
+  if (blocklist.isBlocked(sha256)) {
+    return {
+      name,
+      path: filePath,
+      verdict: GuardVerdict.DANGER,
+      findings: [{
+        code: "SKILL-000",
+        title: "Known malicious skill",
+        description: "This skill matches a known malware hash in the AgentSeal threat database.",
+        severity: "critical",
+        evidence: `SHA256: ${sha256}`,
+        remediation: "Remove this skill immediately and rotate all credentials."
+      }],
+      blocklist_match: true,
+      sha256
+    };
+  }
+  const findings = scanner.scanPatterns(content);
+  const deobfuscated = deobfuscate(content);
+  if (deobfuscated !== content) {
+    const deobFindings = scanner.scanPatterns(deobfuscated);
+    const existing = new Set(findings.map((f) => `${f.code}::${f.evidence}`));
+    for (const f of deobFindings) {
+      if (!existing.has(`${f.code}::${f.evidence}`)) {
+        findings.push(f);
+      }
+    }
+  }
+  const verdict = computeVerdict(findings);
+  return { name, path: filePath, verdict, findings, blocklist_match: false, sha256 };
+}
+
+// src/shield.ts
+var DebouncedHandler = class {
+  _onChange;
+  _debounceMs;
+  _timers = /* @__PURE__ */ new Map();
+  constructor(onChange, debounceMs = 2e3) {
+    this._onChange = onChange;
+    this._debounceMs = debounceMs;
+  }
+  /** Handle a filesystem event. Skips directories and temp files. */
+  handleEvent(filePath, isDirectory = false) {
+    if (isDirectory) return;
+    if (filePath.endsWith("~") || filePath.endsWith(".swp") || filePath.endsWith(".swx") || filePath.endsWith(".tmp") || filePath.endsWith(".DS_Store")) {
+      return;
+    }
+    const existing = this._timers.get(filePath);
+    if (existing !== void 0) {
+      clearTimeout(existing);
+    }
+    const timer = setTimeout(() => {
+      this._timers.delete(filePath);
+      this._onChange(filePath);
+    }, this._debounceMs);
+    this._timers.set(filePath, timer);
+  }
+  /** Cancel all pending timers. */
+  cancelAll() {
+    for (const timer of this._timers.values()) {
+      clearTimeout(timer);
+    }
+    this._timers.clear();
+  }
+  /** Number of pending timers (for testing). */
+  get pendingCount() {
+    return this._timers.size;
+  }
+};
+var MCP_CONFIG_NAMES = /* @__PURE__ */ new Set([
+  "claude_desktop_config.json",
+  "mcp.json",
+  "mcp_config.json",
+  "cline_mcp_settings.json"
+]);
+var AGENT_PATH_MARKERS = [
+  ".claude",
+  ".cursor",
+  ".gemini",
+  ".codex",
+  ".kiro",
+  ".opencode",
+  ".continue",
+  ".aider",
+  ".roo",
+  ".amp",
+  "windsurf",
+  "zed"
+];
+function classifyPath(filePath) {
+  const name = basename3(filePath).toLowerCase();
+  const ext = extname2(filePath).toLowerCase();
+  if (MCP_CONFIG_NAMES.has(name)) return "mcp_config";
+  if (name === "settings.json" || name === "config.json") {
+    const lower = filePath.toLowerCase();
+    if (AGENT_PATH_MARKERS.some((marker) => lower.includes(marker))) {
+      return "mcp_config";
+    }
+  }
+  if ([".md", ".txt", ".yaml", ".yml"].includes(ext)) return "skill";
+  if (name === ".cursorrules") return "skill";
+  return "unknown";
+}
+function isDir(p) {
+  try {
+    return statSync3(p).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function fileExists(p) {
+  try {
+    return statSync3(p).isFile();
+  } catch {
+    return false;
+  }
+}
+function collectWatchPaths(homeOverride) {
+  const home = homeOverride ?? homedir4();
+  const plat = process.platform === "darwin" ? "Darwin" : process.platform === "win32" ? "Windows" : "Linux";
+  const configs = getWellKnownConfigs();
+  const dirs = [];
+  const files = [];
+  const seen = /* @__PURE__ */ new Set();
+  const addDir = (p) => {
+    const resolved = resolve2(p);
+    if (!seen.has(resolved) && isDir(p)) {
+      seen.add(resolved);
+      dirs.push(p);
+    }
+  };
+  const addFile = (p) => {
+    const resolved = resolve2(p);
+    if (!seen.has(resolved) && fileExists(p)) {
+      seen.add(resolved);
+      files.push(p);
+    }
+  };
+  for (const cfg of configs) {
+    const paths = cfg.paths;
+    let cfgPath = paths[plat] ?? paths.all;
+    if (!cfgPath) continue;
+    cfgPath = cfgPath.replace(/^~/, home);
+    const parent = dirname2(cfgPath);
+    if (isDir(parent)) addDir(parent);
+  }
+  for (const skillDirRel of PROJECT_SKILL_DIRS) {
+    const skillDir = join3(home, skillDirRel);
+    addDir(skillDir);
+  }
+  for (const skillFileRel of PROJECT_SKILL_FILES) {
+    const skillFile = join3(home, skillFileRel);
+    const parent = dirname2(skillFile);
+    if (isDir(parent)) addDir(parent);
+  }
+  try {
+    const cwd = process.cwd();
+    for (const name of [".cursorrules", "CLAUDE.md", ".github"]) {
+      const candidate = join3(cwd, name);
+      if (isDir(candidate)) addDir(candidate);
+      else if (fileExists(candidate)) addFile(candidate);
+    }
+  } catch {
+  }
+  return { dirs, files };
+}
+var Shield = class {
+  _onEvent;
+  _notifier;
+  _scanner;
+  _mcpChecker;
+  _blocklist;
+  _baselineStore;
+  _debounceMs;
+  _watchers = [];
+  _handler = null;
+  _running = false;
+  _scanCount = 0;
+  _threatCount = 0;
+  constructor(options = {}) {
+    this._onEvent = options.onEvent ?? (() => {
+    });
+    this._notifier = new Notifier(options.notify ?? true);
+    this._scanner = new SkillScanner();
+    this._mcpChecker = new MCPConfigChecker();
+    this._blocklist = new Blocklist();
+    this._baselineStore = new BaselineStore();
+    this._debounceMs = (options.debounceSeconds ?? 2) * 1e3;
+  }
+  get scanCount() {
+    return this._scanCount;
+  }
+  get threatCount() {
+    return this._threatCount;
+  }
+  get running() {
+    return this._running;
+  }
+  /** Handle a single file change event. */
+  handleChange(filePath) {
+    if (!fileExists(filePath)) return;
+    const fileType = classifyPath(filePath);
+    this._scanCount++;
+    if (fileType === "skill") {
+      this._scanSkill(filePath);
+    } else if (fileType === "mcp_config") {
+      this._scanMcpConfig(filePath);
+    } else {
+      const ext = extname2(filePath).toLowerCase();
+      if ([".md", ".txt", ".yaml", ".yml"].includes(ext)) {
+        this._scanSkill(filePath);
+      }
+    }
+  }
+  _scanSkill(filePath) {
+    try {
+      const result = scanSkillFile(filePath, this._scanner, this._blocklist);
+      if (result.verdict === GuardVerdict.DANGER) {
+        this._threatCount++;
+        const detail = result.findings[0]?.title ?? "Threat detected";
+        this._onEvent("threat", filePath, `DANGER - ${detail}`);
+        this._notifier.notifyThreat(
+          result.name,
+          "Skill",
+          result.findings[0]?.severity ?? "high",
+          detail
+        );
+      } else if (result.verdict === GuardVerdict.WARNING) {
+        const detail = result.findings[0]?.title ?? "Warning";
+        this._onEvent("warning", filePath, `WARNING - ${detail}`);
+      } else {
+        this._onEvent("clean", filePath, "CLEAN");
+      }
+    } catch {
+      this._onEvent("error", filePath, "Failed to scan file");
+    }
+  }
+  _scanMcpConfig(filePath) {
+    let data;
+    try {
+      const raw = readFileSync3(filePath, "utf-8");
+      data = JSON.parse(stripJsonComments(raw));
+    } catch {
+      this._onEvent("error", filePath, "Failed to parse config");
+      return;
+    }
+    let servers = {};
+    for (const key of ["mcpServers", "servers", "context_servers"]) {
+      if (key in data && typeof data[key] === "object" && data[key] !== null) {
+        servers = data[key];
+        break;
+      }
+    }
+    if (Object.keys(servers).length === 0) {
+      this._onEvent("clean", filePath, "No MCP servers in config");
+      return;
+    }
+    let hasThreat = false;
+    const serverDicts = [];
+    for (const [srvName, srvCfg] of Object.entries(servers)) {
+      if (typeof srvCfg !== "object" || srvCfg === null) continue;
+      const serverDict = { name: srvName, source_file: filePath, ...srvCfg };
+      serverDicts.push(serverDict);
+      const result = this._mcpChecker.check(serverDict);
+      if (result.verdict === GuardVerdict.DANGER) {
+        hasThreat = true;
+        this._threatCount++;
+        const detail = result.findings[0]?.title ?? "Threat detected";
+        this._onEvent("threat", filePath, `MCP '${srvName}': DANGER - ${detail}`);
+        this._notifier.notifyThreat(
+          srvName,
+          "MCP Server",
+          result.findings[0]?.severity ?? "high",
+          detail
+        );
+      } else if (result.verdict === GuardVerdict.WARNING) {
+        const detail = result.findings[0]?.title ?? "Warning";
+        this._onEvent("warning", filePath, `MCP '${srvName}': WARNING - ${detail}`);
+      }
+      const change = this._baselineStore.checkServer(serverDict);
+      if (change && (change.change_type === "config_changed" || change.change_type === "binary_changed")) {
+        this._threatCount++;
+        this._onEvent("warning", filePath, `BASELINE: ${change.detail}`);
+        this._notifier.notifyThreat(srvName, "MCP Baseline", "high", change.detail);
+      }
+    }
+    if (serverDicts.length >= 2) {
+      const flows = analyzeToxicFlows(serverDicts);
+      for (const flow of flows) {
+        this._onEvent("warning", filePath, `TOXIC FLOW: ${flow.title}`);
+      }
+    }
+    if (!hasThreat) {
+      this._onEvent("clean", filePath, `MCP config OK (${Object.keys(servers).length} servers)`);
+    }
+  }
+  /**
+   * Start watching. Returns { dirsWatched, filesWatched }.
+   *
+   * Uses Node.js fs.watch with recursive option (macOS/Windows).
+   * Does NOT block — call stop() to clean up.
+   */
+  start(homeOverride) {
+    const { dirs, files } = collectWatchPaths(homeOverride);
+    this._handler = new DebouncedHandler(
+      (fp) => this.handleChange(fp),
+      this._debounceMs
+    );
+    let watchedCount = 0;
+    for (const d of dirs) {
+      try {
+        const watcher = watch(d, { recursive: true }, (_eventType, filename) => {
+          if (filename) {
+            this._handler?.handleEvent(join3(d, filename));
+          }
+        });
+        this._watchers.push(watcher);
+        watchedCount++;
+      } catch {
+      }
+    }
+    const fileParents = /* @__PURE__ */ new Set();
+    for (const f of files) {
+      const parent = dirname2(f);
+      if (!fileParents.has(parent)) {
+        fileParents.add(parent);
+        try {
+          const watcher = watch(parent, { recursive: false }, (_eventType, filename) => {
+            if (filename) {
+              this._handler?.handleEvent(join3(parent, filename));
+            }
+          });
+          this._watchers.push(watcher);
+          watchedCount++;
+        } catch {
+        }
+      }
+    }
+    this._running = true;
+    return { dirsWatched: watchedCount, filesWatched: files.length };
+  }
+  /** Stop the filesystem watchers. */
+  stop() {
+    this._running = false;
+    if (this._handler) {
+      this._handler.cancelAll();
+      this._handler = null;
+    }
+    for (const w of this._watchers) {
+      try {
+        w.close();
+      } catch {
+      }
+    }
+    this._watchers = [];
+  }
+};
+export {
+  DebouncedHandler,
+  Shield,
+  classifyPath,
+  collectWatchPaths
+};