chainwall 2.1.0 → 2.2.2

package/dist/monitor/persistence-scanner.js

@@ -0,0 +1,156 @@
+import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir, platform } from 'node:os';
+import { execFileSync } from 'node:child_process';
+import { parseCrontabOutput, MINER_PATTERN, CURL_BASH_PATTERN, STRATUM_PATTERN, POOL_PATTERN } from '../auditor/miner-detector.js';
+import { SIGNAL_WEIGHTS } from './types.js';
+const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
+const SUSPICIOUS_RC_PATTERNS = [CURL_BASH_PATTERN, /base64\s+-d/i, /\beval\b.*\$\(/i, /python.*-c.*import/i, /\bexec\b.*\$\(/i];
+const RC_FILES = ['.bashrc', '.zshrc', '.bash_profile', '.profile', '.zshenv', '.zprofile'];
+function isRecentlyModified(filePath) {
+    try {
+        return (Date.now() - statSync(filePath).mtimeMs) < SEVEN_DAYS_MS;
+    }
+    catch {
+        return false;
+    }
+}
+export function scanPersistence(config, knownGood) {
+    const start = Date.now();
+    const findings = [];
+    const home = homedir();
+    const isMac = platform() === 'darwin';
+    // 1. Crontab entries
+    try {
+        const output = execFileSync('crontab', ['-l'], { timeout: 5000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+        const lines = parseCrontabOutput(output);
+        for (const line of lines) {
+            const signals = [{ type: 'persistence-mechanism', weight: SIGNAL_WEIGHTS['persistence-mechanism'], detail: 'Crontab entry' }];
+            if (MINER_PATTERN.test(line)) {
+                signals.push({ type: 'known-miner', weight: SIGNAL_WEIGHTS['known-miner'], detail: 'Mining binary in crontab' });
+                findings.push({ id: `persist-cron-miner-${line.slice(0, 20)}`, category: 'persistence', severity: 'critical', title: 'Mining crontab entry', description: line.slice(0, 100), signals, target: line });
+            }
+            else if (CURL_BASH_PATTERN.test(line)) {
+                findings.push({ id: `persist-cron-curl-${line.slice(0, 20)}`, category: 'persistence', severity: 'high', title: 'Remote script execution in crontab', description: line.slice(0, 100), signals, target: line });
+            }
+            else if (STRATUM_PATTERN.test(line) || POOL_PATTERN.test(line)) {
+                signals.push({ type: 'known-miner', weight: SIGNAL_WEIGHTS['known-miner'], detail: 'Mining pool in crontab' });
+                findings.push({ id: `persist-cron-pool-${line.slice(0, 20)}`, category: 'persistence', severity: 'high', title: 'Mining pool reference in crontab', description: line.slice(0, 100), signals, target: line });
+            }
+        }
+    }
+    catch { /* no crontab */ }
+    // 2. macOS Launch Agents
+    if (isMac) {
+        const launchAgentDir = join(home, 'Library/LaunchAgents');
+        if (existsSync(launchAgentDir)) {
+            try {
+                const plistFiles = readdirSync(launchAgentDir).filter(f => f.endsWith('.plist'));
+                for (const plistFile of plistFiles) {
+                    if (knownGood.persistenceEntries.some(e => plistFile.startsWith(e)))
+                        continue;
+                    const fullPath = join(launchAgentDir, plistFile);
+                    const recent = isRecentlyModified(fullPath);
+                    let content = '';
+                    try {
+                        content = readFileSync(fullPath, 'utf-8');
+                    }
+                    catch {
+                        continue;
+                    }
+                    const signals = [{ type: 'persistence-mechanism', weight: SIGNAL_WEIGHTS['persistence-mechanism'], detail: `Launch Agent: ${plistFile}` }];
+                    if (CURL_BASH_PATTERN.test(content) || MINER_PATTERN.test(content)) {
+                        signals.push({ type: 'known-miner', weight: SIGNAL_WEIGHTS['known-miner'], detail: 'Suspicious content in plist' });
+                        findings.push({ id: `persist-launchagent-${plistFile}`, category: 'persistence', severity: 'high', title: `Suspicious Launch Agent: ${plistFile}`, description: 'Contains suspicious commands', signals, target: fullPath });
+                    }
+                    else if (recent) {
+                        findings.push({ id: `persist-launchagent-recent-${plistFile}`, category: 'persistence', severity: 'low', title: `Recently modified Launch Agent: ${plistFile}`, description: `Modified within last 7 days`, signals, target: fullPath });
+                    }
+                }
+            }
+            catch { /* dir read failed */ }
+        }
+    }
+    // 3. Linux systemd user services + autostart
+    if (!isMac) {
+        const systemdDir = join(home, '.config/systemd/user');
+        if (existsSync(systemdDir)) {
+            try {
+                for (const svc of readdirSync(systemdDir).filter(f => f.endsWith('.service'))) {
+                    const fullPath = join(systemdDir, svc);
+                    let content = '';
+                    try {
+                        content = readFileSync(fullPath, 'utf-8');
+                    }
+                    catch {
+                        continue;
+                    }
+                    const signals = [{ type: 'persistence-mechanism', weight: SIGNAL_WEIGHTS['persistence-mechanism'], detail: `Systemd service: ${svc}` }];
+                    if (CURL_BASH_PATTERN.test(content) || MINER_PATTERN.test(content)) {
+                        findings.push({ id: `persist-systemd-${svc}`, category: 'persistence', severity: 'high', title: `Suspicious systemd service: ${svc}`, description: 'Contains suspicious commands', signals, target: fullPath });
+                    }
+                }
+            }
+            catch { /* */ }
+        }
+        const autostartDir = join(home, '.config/autostart');
+        if (existsSync(autostartDir)) {
+            try {
+                for (const desktop of readdirSync(autostartDir).filter(f => f.endsWith('.desktop'))) {
+                    const fullPath = join(autostartDir, desktop);
+                    let content = '';
+                    try {
+                        content = readFileSync(fullPath, 'utf-8');
+                    }
+                    catch {
+                        continue;
+                    }
+                    const signals = [{ type: 'persistence-mechanism', weight: SIGNAL_WEIGHTS['persistence-mechanism'], detail: `Autostart: ${desktop}` }];
+                    if (CURL_BASH_PATTERN.test(content) || MINER_PATTERN.test(content)) {
+                        findings.push({ id: `persist-autostart-${desktop}`, category: 'persistence', severity: 'high', title: `Suspicious autostart entry: ${desktop}`, description: 'Contains suspicious commands', signals, target: fullPath });
+                    }
+                }
+            }
+            catch { /* */ }
+        }
+    }
+    // 4. Shell RC files — check for suspicious appended lines
+    for (const rcFile of RC_FILES) {
+        const rcPath = join(home, rcFile);
+        if (!existsSync(rcPath))
+            continue;
+        let content;
+        try {
+            content = readFileSync(rcPath, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line || line.startsWith('#'))
+                continue;
+            for (const pattern of SUSPICIOUS_RC_PATTERNS) {
+                if (pattern.test(line)) {
+                    const signals = [{ type: 'persistence-mechanism', weight: SIGNAL_WEIGHTS['persistence-mechanism'], detail: `In ${rcFile} line ${i + 1}` }];
+                    const recent = isRecentlyModified(rcPath);
+                    if (recent)
+                        signals.push({ type: 'new-since-baseline', weight: SIGNAL_WEIGHTS['new-since-baseline'], detail: 'Recently modified' });
+                    findings.push({
+                        id: `persist-rc-${rcFile}-${i}`,
+                        category: 'persistence',
+                        severity: recent ? 'high' : 'medium',
+                        title: `Suspicious line in ${rcFile}`,
+                        description: line.slice(0, 100),
+                        signals,
+                        target: rcPath,
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    return { category: 'persistence', findings, durationMs: Date.now() - start };
+}
+//# sourceMappingURL=persistence-scanner.js.map

package/dist/monitor/persistence-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"persistence-scanner.js","sourceRoot":"","sources":["../../src/monitor/persistence-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,iBAAiB,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAGnI,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAC9C,MAAM,sBAAsB,GAAG,CAAC,iBAAiB,EAAE,cAAc,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,iBAAiB,CAAC,CAAC;AAChI,MAAM,QAAQ,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AAE5F,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,IAAI,CAAC;QAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,GAAG,aAAa,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,KAAK,CAAC;IAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAqB,EAAE,SAAwB;IAC7E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,QAAQ,EAAE,KAAK,QAAQ,CAAC;IAEtC,qBAAqB;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACtH,MAAM,KAAK,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAwB,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;YAEnJ,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC,CAAC;gBACjH,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,sBAAsB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YACzM,CAAC;iBAAM,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,qBAAqB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,oCAAoC,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YAClN,CAAC;iBAAM,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC,CAAC;gBAC/G,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,qBAAqB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,kCAAkC,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YAChN,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,gBAAgB,CAAC,CAAC;IAE5B,yBAAyB;IACzB,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,EAAE,sBAAsB,CAAC,CAAC;QAC1D,IAAI,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACjF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;oBACnC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;wBAAE,SAAS;oBAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;oBACjD,MAAM,MAAM,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;oBAE5C,IAAI,OAAO,GAAG,EAAE,CAAC;oBACjB,IAAI,CAAC;wBAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEtE,MAAM,OAAO,GAAwB,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,iBAAiB,SAAS,EAAE,EAAE,CAAC,CAAC;oBAEhK,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC,CAAC;wBACpH,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,uBAAuB,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,4BAA4B,SAAS,EAAE,EAAE,WAAW,EAAE,8BAA8B,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC/N,CAAC;yBAAM,IAAI,MAAM,EAAE,CAAC;wBAClB,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,8BAA8B,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,SAAS,EAAE,EAAE,WAAW,EAAE,6BAA6B,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC3O,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,sBAAsB,CAAC,CAAC;QACtD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;oBAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;oBACvC,IAAI,OAAO,GAAG,EAAE,CAAC;oBACjB,IAAI,CAAC;wBAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEtE,MAAM,OAAO,GAAwB,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,oBAAoB,GAAG,EAAE,EAAE,CAAC,CAAC;oBAC7J,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,mBAAmB,GAAG,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,+BAA+B,GAAG,EAAE,EAAE,WAAW,EAAE,8BAA8B,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAClN,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;QACrD,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;oBACpF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;oBAC7C,IAAI,OAAO,GAAG,EAAE,CAAC;oBACjB,IAAI,CAAC;wBAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC;wBAAC,SAAS;oBAAC,CAAC;oBAEtE,MAAM,OAAO,GAAwB,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,cAAc,OAAO,EAAE,EAAE,CAAC,CAAC;oBAC3J,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,qBAAqB,OAAO,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,+BAA+B,OAAO,EAAE,EAAE,WAAW,EAAE,8BAA8B,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC5N,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,SAAS;QAElC,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YAAC,OAAO,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,SAAS;QAAC,CAAC;QAEpE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAE5C,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;gBAC7C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,OAAO,GAAwB,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,MAAM,MAAM,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;oBAChK,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;oBAC1C,IAAI,MAAM;wBAAE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,cAAc,CAAC,oBAAoB,CAAC,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;oBAEpI,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,cAAc,MAAM,IAAI,CAAC,EAAE;wBAC/B,QAAQ,EAAE,aAAa;wBACvB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;wBACpC,KAAK,EAAE,sBAAsB,MAAM,EAAE;wBACrC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC/B,OAAO;wBACP,MAAM,EAAE,MAAM;qBACf,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC/E,CAAC"}

package/dist/monitor/process-scanner.d.ts

@@ -0,0 +1,6 @@
+import { type KnownGoodList } from './known-good.js';
+import type { ScannerResult, ProcessInfo, MonitorConfig } from './types.js';
+export declare function scanProcesses(config: MonitorConfig, knownGood: KnownGoodList): ScannerResult;
+/** Exported for use by other scanners needing the process map */
+export declare function getProcessMap(config: MonitorConfig, knownGood: KnownGoodList): Map<number, ProcessInfo>;
+//# sourceMappingURL=process-scanner.d.ts.map

package/dist/monitor/process-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-scanner.d.ts","sourceRoot":"","sources":["../../src/monitor/process-scanner.ts"],"names":[],"mappings":"AAEA,OAAO,EAAwC,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE3F,OAAO,KAAK,EAAkB,aAAa,EAAE,WAAW,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;AAS/G,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,GAAG,aAAa,CAiF5F;AAED,iEAAiE;AACjE,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAYvG"}

package/dist/monitor/process-scanner.js

@@ -0,0 +1,101 @@
+import { execFileSync } from 'node:child_process';
+import { parseProcessList, MINER_PATTERN, STRATUM_PATTERN } from '../auditor/miner-detector.js';
+import { isKnownGoodProcess, isKnownGoodChain } from './known-good.js';
+import { TOOL_DEFINITIONS } from '../auditor/tool-detector.js';
+import { SIGNAL_WEIGHTS } from './types.js';
+const AI_PROCESS_NAMES = TOOL_DEFINITIONS.map(t => t.name.toLowerCase().replace(/\s+/g, '-'));
+const KEYLOGGER_PATTERNS = [/keylog/i, /keystroke/i, /inputcapture/i];
+const SCREEN_CAPTURE_PATTERNS = [/screencapture.*-x/i, /screenshot.*loop/i, /scrot.*-d/i];
+const MALWARE_NAMES = ['cryptonight', 'coinhive', 'minergate', 'webmine'];
+export function scanProcesses(config, knownGood) {
+    const start = Date.now();
+    const findings = [];
+    let processes = [];
+    try {
+        const output = execFileSync('ps', ['-eo', 'pid,ppid,user,%cpu,%mem,lstart,command'], {
+            timeout: 5000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        processes = parseProcessList(output);
+    }
+    catch {
+        return { category: 'process', findings: [], durationMs: Date.now() - start };
+    }
+    // Build parent map
+    const pidMap = new Map();
+    for (const p of processes)
+        pidMap.set(p.pid, p);
+    // User allowlist
+    const userAllowed = new Set((config.processAllowlist ?? []).map(s => s.toLowerCase()));
+    for (const proc of processes) {
+        if (proc.command.includes('chainwall') || proc.command.includes('vitest'))
+            continue;
+        if (isKnownGoodProcess(proc.name, knownGood))
+            continue;
+        if (userAllowed.has(proc.name.toLowerCase()))
+            continue;
+        const parent = pidMap.get(proc.ppid);
+        if (parent && isKnownGoodChain(parent.name, proc.name, knownGood))
+            continue;
+        const signals = [];
+        // Check keylogger
+        if (KEYLOGGER_PATTERNS.some(p => p.test(proc.command))) {
+            signals.push({ type: 'sensitive-file-access', weight: SIGNAL_WEIGHTS['sensitive-file-access'], detail: 'Keylogger-like process' });
+            findings.push({ id: `proc-keylogger-${proc.pid}`, category: 'process', severity: 'critical', title: `Possible keylogger: ${proc.name}`, description: `Process ${proc.pid} (${proc.command.slice(0, 80)}) matches keylogger patterns`, signals, pid: proc.pid, processName: proc.name });
+            continue;
+        }
+        // Check screen capture
+        if (SCREEN_CAPTURE_PATTERNS.some(p => p.test(proc.command))) {
+            signals.push({ type: 'sensitive-file-access', weight: SIGNAL_WEIGHTS['sensitive-file-access'], detail: 'Screen capture process' });
+            findings.push({ id: `proc-screencap-${proc.pid}`, category: 'process', severity: 'high', title: `Screen capture: ${proc.name}`, description: `Process ${proc.pid} appears to be capturing screen`, signals, pid: proc.pid, processName: proc.name });
+            continue;
+        }
+        // Check known malware
+        if (MALWARE_NAMES.some(m => proc.command.toLowerCase().includes(m))) {
+            signals.push({ type: 'known-miner', weight: SIGNAL_WEIGHTS['known-miner'], detail: 'Known malware process' });
+            findings.push({ id: `proc-malware-${proc.pid}`, category: 'process', severity: 'critical', title: `Known malware: ${proc.name}`, description: `Process matches known malware pattern`, signals, pid: proc.pid, processName: proc.name });
+            continue;
+        }
+        // Check known miners
+        if (MINER_PATTERN.test(proc.command) || STRATUM_PATTERN.test(proc.command)) {
+            signals.push({ type: 'known-miner', weight: SIGNAL_WEIGHTS['known-miner'], detail: 'Mining process detected' });
+            findings.push({ id: `proc-miner-${proc.pid}`, category: 'process', severity: 'critical', title: `Cryptocurrency miner: ${proc.name}`, description: `Process ${proc.pid} matches mining patterns`, signals, pid: proc.pid, processName: proc.name });
+            continue;
+        }
+        // Check suspicious AI child processes
+        if (parent) {
+            const parentIsAI = AI_PROCESS_NAMES.some(n => parent.name.toLowerCase().includes(n));
+            if (parentIsAI && !isKnownGoodProcess(proc.name, knownGood)) {
+                signals.push({ type: 'ai-child-process', weight: SIGNAL_WEIGHTS['ai-child-process'], detail: `Child of AI tool: ${parent.name}` });
+                if (proc.command.includes('curl') || proc.command.includes('wget') || proc.command.includes('nc ')) {
+                    signals.push({ type: 'data-transfer-args', weight: SIGNAL_WEIGHTS['data-transfer-args'], detail: 'Data transfer command from AI tool' });
+                }
+                if (signals.length > 0) {
+                    findings.push({ id: `proc-ai-child-${proc.pid}`, category: 'process', severity: 'medium', title: `Suspicious AI child process: ${proc.name}`, description: `${proc.name} (PID ${proc.pid}) spawned by ${parent.name}`, signals: [...signals], pid: proc.pid, processName: proc.name });
+                }
+            }
+        }
+        // Check high CPU unknown processes
+        if (proc.cpu > 80 && !isKnownGoodProcess(proc.name, knownGood)) {
+            const highCpuSignals = [{ type: 'high-cpu', weight: SIGNAL_WEIGHTS['high-cpu'], detail: `CPU: ${proc.cpu}%` }];
+            findings.push({ id: `proc-highcpu-${proc.pid}`, category: 'process', severity: 'low', title: `High CPU process: ${proc.name} (${proc.cpu}%)`, description: `Unknown process consuming high CPU`, signals: highCpuSignals, pid: proc.pid, processName: proc.name });
+        }
+    }
+    return { category: 'process', findings, durationMs: Date.now() - start };
+}
+/** Exported for use by other scanners needing the process map */
+export function getProcessMap(config, knownGood) {
+    try {
+        const output = execFileSync('ps', ['-eo', 'pid,ppid,user,%cpu,%mem,lstart,command'], {
+            timeout: 5000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const procs = parseProcessList(output);
+        const map = new Map();
+        for (const p of procs)
+            map.set(p.pid, p);
+        return map;
+    }
+    catch {
+        return new Map();
+    }
+}
+//# sourceMappingURL=process-scanner.js.map

package/dist/monitor/process-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-scanner.js","sourceRoot":"","sources":["../../src/monitor/process-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAqB,aAAa,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AACnH,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAsB,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAE/D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;AAE9F,MAAM,kBAAkB,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;AACtE,MAAM,uBAAuB,GAAG,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,YAAY,CAAC,CAAC;AAC1F,MAAM,aAAa,GAAG,CAAC,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;AAE1E,MAAM,UAAU,aAAa,CAAC,MAAqB,EAAE,SAAwB;IAC3E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,IAAI,SAAS,GAAkB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,wCAAwC,CAAC,EAAE;YACnF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAClE,CAAC,CAAC;QACH,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;IAC/E,CAAC;IAED,mBAAmB;IACnB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,SAAS;QAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAEhD,iBAAiB;IACjB,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAEvF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QACpF,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;YAAE,SAAS;QACvD,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QAEvD,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,MAAM,IAAI,gBAAgB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;YAAE,SAAS;QAE5E,MAAM,OAAO,GAAwB,EAAE,CAAC;QAExC,kBAAkB;QAClB,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC,CAAC;YACnI,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,uBAAuB,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,WAAW,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,8BAA8B,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACxR,SAAS;QACX,CAAC;QAED,uBAAuB;QACvB,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC,CAAC;YACnI,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,WAAW,IAAI,CAAC,GAAG,iCAAiC,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACrP,SAAS;QACX,CAAC;QAED,sBAAsB;QACtB,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAC9G,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,uCAAuC,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACzO,SAAS;QACX,CAAC;QAED,qBAAqB;QACrB,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3E,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,CAAC,aAAa,CAAC,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAChH,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,yBAAyB,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,WAAW,IAAI,CAAC,GAAG,0BAA0B,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACpP,SAAS;QACX,CAAC;QAED,sCAAsC;QACtC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACrF,IAAI,UAAU,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC5D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,cAAc,CAAC,kBAAkB,CAAC,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBACnI,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnG,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,cAAc,CAAC,oBAAoB,CAAC,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBAC3I,CAAC;gBACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,gCAAgC,IAAI,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,IAAI,SAAS,IAAI,CAAC,GAAG,gBAAgB,MAAM,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBACzR,CAAC;YACH,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,IAAI,IAAI,CAAC,GAAG,GAAG,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;YAC/D,MAAM,cAAc,GAAwB,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,QAAQ,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;YACpI,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,gBAAgB,IAAI,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,GAAG,IAAI,EAAE,WAAW,EAAE,oCAAoC,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACrQ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC3E,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,aAAa,CAAC,MAAqB,EAAE,SAAwB;IAC3E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,wCAAwC,CAAC,EAAE;YACnF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAClE,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC3C,KAAK,MAAM,CAAC,IAAI,KAAK;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACzC,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/monitor/shadow-ai-scanner.d.ts

@@ -0,0 +1,3 @@
+import type { ScannerResult, ProcessInfo, MonitorConfig } from './types.js';
+export declare function scanShadowAI(processMap: Map<number, ProcessInfo>, knownToolNames: string[], config: MonitorConfig): ScannerResult;
+//# sourceMappingURL=shadow-ai-scanner.d.ts.map

package/dist/monitor/shadow-ai-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-ai-scanner.d.ts","sourceRoot":"","sources":["../../src/monitor/shadow-ai-scanner.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAkB,aAAa,EAAE,WAAW,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC;AAgB/G,wBAAgB,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,aAAa,GAAG,aAAa,CAoDjI"}

package/dist/monitor/shadow-ai-scanner.js

@@ -0,0 +1,70 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { TOOL_DEFINITIONS } from '../auditor/tool-detector.js';
+import { SIGNAL_WEIGHTS } from './types.js';
+const SHADOW_AI_PATTERNS = [
+    { name: 'Ollama', process: /\bollama\b/i, configDir: '.ollama' },
+    { name: 'LM Studio', process: /\blm[-_]?studio\b/i, configDir: '.lmstudio' },
+    { name: 'Tabnine', process: /\btabnine\b/i, configDir: '.tabnine' },
+    { name: 'Cody', process: /\bcody\b/i, configDir: '.sourcegraph' },
+    { name: 'Supermaven', process: /\bsupermaven\b/i, configDir: '.supermaven' },
+    { name: 'Codeium', process: /\bcodeium\b/i, configDir: '.codeium' },
+    { name: 'Amazon Q', process: /\bamazon[_-]?q\b/i, configDir: '.aws/amazonq' },
+    { name: 'Replit AI', process: /\breplit\b/i, configDir: '.replit' },
+    { name: 'JetBrains AI', process: /\bjetbrains[-_]ai\b/i, configDir: '.jetbrains' },
+    { name: 'Pieces', process: /\bpieces[-_]?os\b/i, configDir: '.pieces' },
+];
+export function scanShadowAI(processMap, knownToolNames, config) {
+    const start = Date.now();
+    const findings = [];
+    const knownLower = new Set(knownToolNames.map(n => n.toLowerCase()));
+    // Also consider TOOL_DEFINITIONS names as "known"
+    for (const td of TOOL_DEFINITIONS)
+        knownLower.add(td.name.toLowerCase());
+    // Check running processes for shadow AI tools
+    for (const [pid, proc] of processMap) {
+        for (const pattern of SHADOW_AI_PATTERNS) {
+            if (knownLower.has(pattern.name.toLowerCase()))
+                continue;
+            if (!pattern.process.test(proc.command))
+                continue;
+            const signals = [
+                { type: 'ai-child-process', weight: SIGNAL_WEIGHTS['ai-child-process'], detail: `Unregistered AI tool: ${pattern.name}` },
+            ];
+            findings.push({
+                id: `shadow-ai-proc-${pattern.name.toLowerCase().replace(/\s+/g, '-')}-${pid}`,
+                category: 'shadow_ai',
+                severity: 'medium',
+                title: `Shadow AI tool running: ${pattern.name}`,
+                description: `${pattern.name} (PID ${pid}) is running but not in your registered AI tools`,
+                signals,
+                pid,
+                processName: proc.name,
+            });
+        }
+    }
+    // Check for shadow AI config directories
+    const home = homedir();
+    for (const pattern of SHADOW_AI_PATTERNS) {
+        if (knownLower.has(pattern.name.toLowerCase()))
+            continue;
+        const configPath = join(home, pattern.configDir);
+        if (existsSync(configPath)) {
+            // Only flag if no process finding already exists for this tool
+            const alreadyFound = findings.some(f => f.id.startsWith(`shadow-ai-proc-${pattern.name.toLowerCase().replace(/\s+/g, '-')}`));
+            if (!alreadyFound) {
+                findings.push({
+                    id: `shadow-ai-dir-${pattern.name.toLowerCase().replace(/\s+/g, '-')}`,
+                    category: 'shadow_ai',
+                    severity: 'low',
+                    title: `Shadow AI config found: ${pattern.name}`,
+                    description: `Config directory ${configPath} exists but tool is not in registered AI tools`,
+                    signals: [{ type: 'ai-child-process', weight: SIGNAL_WEIGHTS['ai-child-process'] * 0.5, detail: `Config dir: ${pattern.configDir}` }],
+                });
+            }
+        }
+    }
+    return { category: 'shadow_ai', findings, durationMs: Date.now() - start };
+}
+//# sourceMappingURL=shadow-ai-scanner.js.map

package/dist/monitor/shadow-ai-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shadow-ai-scanner.js","sourceRoot":"","sources":["../../src/monitor/shadow-ai-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAE/D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C,MAAM,kBAAkB,GAAG;IACzB,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE;IAChE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,WAAW,EAAE;IAC5E,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,UAAU,EAAE;IACnE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,cAAc,EAAE;IACjE,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,aAAa,EAAE;IAC5E,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,UAAU,EAAE;IACnE,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,cAAc,EAAE;IAC7E,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE;IACnE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,YAAY,EAAE;IAClF,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,SAAS,EAAE;CACxE,CAAC;AAEF,MAAM,UAAU,YAAY,CAAC,UAAoC,EAAE,cAAwB,EAAE,MAAqB;IAChH,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACrE,kDAAkD;IAClD,KAAK,MAAM,EAAE,IAAI,gBAAgB;QAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAEzE,8CAA8C;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,UAAU,EAAE,CAAC;QACrC,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;YACzC,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAAE,SAAS;YACzD,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,SAAS;YAElD,MAAM,OAAO,GAAwB;gBACnC,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,cAAc,CAAC,kBAAkB,CAAC,EAAE,MAAM,EAAE,yBAAyB,OAAO,CAAC,IAAI,EAAE,EAAE;aAC1H,CAAC;YAEF,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,kBAAkB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,GAAG,EAAE;gBAC9E,QAAQ,EAAE,WAAW;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,2BAA2B,OAAO,CAAC,IAAI,EAAE;gBAChD,WAAW,EAAE,GAAG,OAAO,CAAC,IAAI,SAAS,GAAG,kDAAkD;gBAC1F,OAAO;gBACP,GAAG;gBACH,WAAW,EAAE,IAAI,CAAC,IAAI;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yCAAyC;IACzC,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IACvB,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YAAE,SAAS;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,+DAA+D;YAC/D,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,kBAAkB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9H,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;oBACtE,QAAQ,EAAE,WAAW;oBACrB,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,2BAA2B,OAAO,CAAC,IAAI,EAAE;oBAChD,WAAW,EAAE,oBAAoB,UAAU,gDAAgD;oBAC3F,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,cAAc,CAAC,kBAAkB,CAAC,GAAG,GAAG,EAAE,MAAM,EAAE,eAAe,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;iBACtI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC7E,CAAC"}

package/dist/monitor/types.d.ts

@@ -0,0 +1,79 @@
+import type { Severity } from '../rules/types.js';
+export type MonitorCategory = 'process' | 'network' | 'browser' | 'shadow_ai' | 'clipboard' | 'persistence';
+export type SignalType = 'ai-child-process' | 'sensitive-file-access' | 'unknown-destination' | 'suspicious-destination' | 'data-transfer-args' | 'high-cpu' | 'new-since-baseline' | 'persistence-mechanism' | 'known-miner';
+export interface CorrelationSignal {
+    type: SignalType;
+    weight: number;
+    detail: string;
+}
+export declare const SIGNAL_WEIGHTS: Record<SignalType, number>;
+export interface ProcessInfo {
+    pid: number;
+    ppid: number;
+    user: string;
+    cpu: number;
+    mem: number;
+    startTime: string;
+    command: string;
+    name: string;
+}
+export interface NetworkConnection {
+    pid: number;
+    protocol: string;
+    localAddress: string;
+    remoteAddress: string;
+    state: string;
+    processName: string;
+}
+export interface MonitorFinding {
+    id: string;
+    category: MonitorCategory;
+    severity: Severity;
+    title: string;
+    description: string;
+    signals: CorrelationSignal[];
+    pid?: number;
+    processName?: string;
+    detail?: string;
+    target?: string;
+}
+export interface ScannerResult {
+    category: MonitorCategory;
+    findings: MonitorFinding[];
+    durationMs: number;
+}
+export interface MonitorResult {
+    findings: MonitorFinding[];
+    scannerResults: ScannerResult[];
+    riskScore: number;
+    riskLabel: string;
+    durationMs: number;
+    baselineDelta?: BaselineDelta;
+}
+export interface MonitorConfig {
+    processAllowlist?: string[];
+    networkAllowlist?: string[];
+    browserAllowlist?: string[];
+    clipboardScanEnabled?: boolean;
+    baselinePath?: string;
+}
+export interface BaselineState {
+    capturedAt: string;
+    processes: Array<{
+        name: string;
+        command: string;
+    }>;
+    connections: Array<{
+        remoteAddress: string;
+        processName: string;
+    }>;
+    extensions: string[];
+    persistence: string[];
+}
+export interface BaselineDelta {
+    newProcesses: string[];
+    newConnections: string[];
+    newExtensions: string[];
+    newPersistence: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/monitor/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/monitor/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAElD,MAAM,MAAM,eAAe,GACvB,SAAS,GACT,SAAS,GACT,SAAS,GACT,WAAW,GACX,WAAW,GACX,aAAa,CAAC;AAElB,MAAM,MAAM,UAAU,GAClB,kBAAkB,GAClB,uBAAuB,GACvB,qBAAqB,GACrB,wBAAwB,GACxB,oBAAoB,GACpB,UAAU,GACV,oBAAoB,GACpB,uBAAuB,GACvB,aAAa,CAAC;AAElB,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,UAAU,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAUrD,CAAC;AAEF,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,cAAc,EAAE,aAAa,EAAE,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,aAAa;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpD,WAAW,EAAE,KAAK,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnE,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B"}

package/dist/monitor/types.js

@@ -0,0 +1,12 @@
+export const SIGNAL_WEIGHTS = {
+    'ai-child-process': 0.6,
+    'sensitive-file-access': 0.8,
+    'unknown-destination': 0.4,
+    'suspicious-destination': 0.9,
+    'data-transfer-args': 0.7,
+    'high-cpu': 0.3,
+    'new-since-baseline': 0.5,
+    'persistence-mechanism': 0.6,
+    'known-miner': 1.0,
+};
+//# sourceMappingURL=types.js.map

package/dist/monitor/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/monitor/types.ts"],"names":[],"mappings":"AA2BA,MAAM,CAAC,MAAM,cAAc,GAA+B;IACxD,kBAAkB,EAAE,GAAG;IACvB,uBAAuB,EAAE,GAAG;IAC5B,qBAAqB,EAAE,GAAG;IAC1B,wBAAwB,EAAE,GAAG;IAC7B,oBAAoB,EAAE,GAAG;IACzB,UAAU,EAAE,GAAG;IACf,oBAAoB,EAAE,GAAG;IACzB,uBAAuB,EAAE,GAAG;IAC5B,aAAa,EAAE,GAAG;CACnB,CAAC"}

package/dist/reporter/monitor-report.d.ts

@@ -0,0 +1,3 @@
+import type { MonitorResult } from '../monitor/types.js';
+export declare function printMonitorReport(result: MonitorResult, verbose: boolean): void;
+//# sourceMappingURL=monitor-report.d.ts.map

package/dist/reporter/monitor-report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitor-report.d.ts","sourceRoot":"","sources":["../../src/reporter/monitor-report.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAkD,MAAM,qBAAqB,CAAC;AAmBzG,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAwEhF"}

package/dist/reporter/monitor-report.js

@@ -0,0 +1,89 @@
+import chalk from 'chalk';
+import { SEVERITY_COLOR } from './shared.js';
+const CATEGORY_LABELS = {
+    process: 'Process Monitor',
+    network: 'Network Monitor',
+    browser: 'Browser Extensions',
+    shadow_ai: 'Shadow AI Tools',
+    clipboard: 'Clipboard',
+    persistence: 'Persistence Mechanisms',
+};
+const SEVERITY_ICON = {
+    critical: '[!]',
+    high: '[H]',
+    medium: '[M]',
+    low: '[-]',
+};
+export function printMonitorReport(result, verbose) {
+    console.log('');
+    console.log(chalk.bold('ChainWall Monitor Report'));
+    console.log(chalk.dim('─'.repeat(50)));
+    console.log('');
+    // Risk summary
+    const riskColor = result.riskScore > 8 ? chalk.red.bold :
+        result.riskScore > 5 ? chalk.red :
+            result.riskScore > 2 ? chalk.yellow : chalk.green;
+    console.log(`  Risk Score: ${riskColor(`${result.riskScore}/10 (${result.riskLabel})`)}`);
+    console.log(`  Duration:   ${result.durationMs}ms`);
+    console.log(`  Findings:   ${result.findings.length}`);
+    console.log('');
+    // Baseline delta
+    if (result.baselineDelta) {
+        const delta = result.baselineDelta;
+        const hasNew = delta.newProcesses.length + delta.newConnections.length +
+            delta.newExtensions.length + delta.newPersistence.length > 0;
+        if (hasNew) {
+            console.log(chalk.yellow.bold('  Baseline Changes:'));
+            if (delta.newProcesses.length > 0)
+                console.log(`    [NEW] ${delta.newProcesses.length} new process(es)`);
+            if (delta.newConnections.length > 0)
+                console.log(`    [NEW] ${delta.newConnections.length} new connection(s)`);
+            if (delta.newExtensions.length > 0)
+                console.log(`    [NEW] ${delta.newExtensions.length} new extension(s)`);
+            if (delta.newPersistence.length > 0)
+                console.log(`    [NEW] ${delta.newPersistence.length} new persistence item(s)`);
+            console.log('');
+        }
+    }
+    // Group findings by scanner category
+    const categories = ['process', 'network', 'browser', 'shadow_ai', 'clipboard', 'persistence'];
+    for (const cat of categories) {
+        const scannerResult = result.scannerResults.find(sr => sr.category === cat);
+        const catFindings = result.findings.filter(f => f.category === cat);
+        // Skip categories with no findings unless verbose
+        const visibleFindings = verbose ? catFindings : catFindings.filter(f => f.severity !== 'low');
+        if (visibleFindings.length === 0 && !verbose)
+            continue;
+        console.log(chalk.bold(`  ${CATEGORY_LABELS[cat]}`));
+        if (scannerResult) {
+            console.log(chalk.dim(`  (${scannerResult.durationMs}ms)`));
+        }
+        if (visibleFindings.length === 0) {
+            console.log(chalk.green('    No findings.'));
+        }
+        else {
+            for (const f of visibleFindings) {
+                const color = SEVERITY_COLOR[f.severity];
+                const icon = SEVERITY_ICON[f.severity] ?? '[-]';
+                const signalCount = f.signals.length;
+                const signalBadge = signalCount > 1 ? chalk.dim(` (${signalCount} signals)`) : '';
+                console.log(`    ${color(icon)} ${color(f.title)}${signalBadge}`);
+                if (verbose) {
+                    console.log(chalk.dim(`        ${f.description}`));
+                    if (f.pid)
+                        console.log(chalk.dim(`        PID: ${f.pid}`));
+                }
+            }
+        }
+        console.log('');
+    }
+    // Hidden info-level count
+    if (!verbose) {
+        const hiddenCount = result.findings.filter(f => f.severity === 'low').length;
+        if (hiddenCount > 0) {
+            console.log(chalk.dim(`  ${hiddenCount} low-severity finding(s) hidden. Use --verbose to show.`));
+            console.log('');
+        }
+    }
+}
+//# sourceMappingURL=monitor-report.js.map

package/dist/reporter/monitor-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitor-report.js","sourceRoot":"","sources":["../../src/reporter/monitor-report.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,eAAe,GAAoC;IACvD,OAAO,EAAE,iBAAiB;IAC1B,OAAO,EAAE,iBAAiB;IAC1B,OAAO,EAAE,oBAAoB;IAC7B,SAAS,EAAE,iBAAiB;IAC5B,SAAS,EAAE,WAAW;IACtB,WAAW,EAAE,wBAAwB;CACtC,CAAC;AAEF,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,KAAK;IACf,IAAI,EAAE,KAAK;IACX,MAAM,EAAE,KAAK;IACb,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,MAAqB,EAAE,OAAgB;IACxE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,eAAe;IACf,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClC,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,CAAC,GAAG,MAAM,CAAC,SAAS,QAAQ,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1F,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,iBAAiB;IACjB,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC;QACnC,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,GAAG,KAAK,CAAC,cAAc,CAAC,MAAM;YACpE,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAC/D,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;YACtD,IAAI,KAAK,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,YAAY,CAAC,MAAM,kBAAkB,CAAC,CAAC;YACzG,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,cAAc,CAAC,MAAM,oBAAoB,CAAC,CAAC;YAC/G,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,aAAa,CAAC,MAAM,mBAAmB,CAAC,CAAC;YAC5G,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,CAAC,cAAc,CAAC,MAAM,0BAA0B,CAAC,CAAC;YACrH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,MAAM,UAAU,GAAsB,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;IACjH,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;QAC5E,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;QAEpE,kDAAkD;QAClD,MAAM,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC;QAC9F,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACrD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC,UAAU,KAAK,CAAC,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,MAAM,KAAK,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;gBACzC,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC;gBAChD,MAAM,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;gBACrC,MAAM,WAAW,GAAG,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,WAAW,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAElF,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,WAAW,EAAE,CAAC,CAAC;gBAClE,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;oBACnD,IAAI,CAAC,CAAC,GAAG;wBAAE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,0BAA0B;IAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;QAC7E,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,WAAW,yDAAyD,CAAC,CAAC,CAAC;YAClG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/reporter/risk-scorer.d.ts

@@ -1,8 +1,10 @@
 import type { ScanFinding } from '../rules/types.js';
+import type { MonitorFinding } from '../monitor/types.js';
 export interface RiskScoreResult {
     score: number;
     label: string;
     rawPoints: number;
 }
 export declare function calculateRiskScore(findings: ScanFinding[]): RiskScoreResult;
+export declare function calculateMonitorRiskScore(findings: MonitorFinding[]): RiskScoreResult;
 //# sourceMappingURL=risk-scorer.d.ts.map

package/dist/reporter/risk-scorer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"risk-scorer.d.ts","sourceRoot":"","sources":["../../src/reporter/risk-scorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAerD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,WAAW,EAAE,GAAG,eAAe,CAwB3E"}
+{"version":3,"file":"risk-scorer.d.ts","sourceRoot":"","sources":["../../src/reporter/risk-scorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAY,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAe1D,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,WAAW,EAAE,GAAG,eAAe,CAwB3E;AAYD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,eAAe,CAWrF"}