clawarmor 1.1.0

package/lib/audit.js

@@ -0,0 +1,257 @@
+import { loadConfig } from './config.js';
+import { paint, severityColor } from './output/colors.js';
+import { progressBar, scoreColor, gradeColor, scoreToGrade } from './output/progress.js';
+import { probeGatewayLive } from './probes/gateway-probe.js';
+import { discoverRunningInstance } from './discovery.js';
+import gatewayChecks from './checks/gateway.js';
+import filesystemChecks from './checks/filesystem.js';
+import channelChecks from './checks/channels.js';
+import authChecks from './checks/auth.js';
+import toolChecks from './checks/tools.js';
+import versionChecks from './checks/version.js';
+import hooksChecks from './checks/hooks.js';
+import allowFromChecks from './checks/allowfrom.js';
+import { writeFileSync, mkdirSync, existsSync, readFileSync, renameSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const W = { CRITICAL: 25, HIGH: 15, MEDIUM: 8, LOW: 3, INFO: 0 };
+const SEP = paint.dim('─'.repeat(52));
+const W52 = 52;
+const VERSION = '1.1.0';
+
+const HISTORY_DIR = join(homedir(), '.clawarmor');
+const HISTORY_FILE = join(HISTORY_DIR, 'history.json');
+
+function box(title) {
+  const pad = W52 - 2 - title.length;
+  const l = Math.floor(pad/2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W52-2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W52-2) + '╝'),
+  ].join('\n');
+}
+
+function printFinding(f) {
+  console.log('');
+  console.log(`  ${paint.red('✗')} ${paint.bold(f.title)}`);
+  for (const line of (f.description||'').split('\n'))
+    console.log(`    ${paint.dim(line)}`);
+  if (f.fix) {
+    console.log('');
+    const lines = f.fix.split('\n');
+    console.log(`    ${paint.cyan('Fix:')} ${lines[0]}`);
+    for (let i=1;i<lines.length;i++) console.log(`         ${lines[i]}`);
+  }
+}
+
+export function loadHistory() {
+  if (!existsSync(HISTORY_FILE)) return [];
+  try { return JSON.parse(readFileSync(HISTORY_FILE, 'utf8')); }
+  catch { return []; }
+}
+
+function appendHistory(entry) {
+  try {
+    mkdirSync(HISTORY_DIR, { recursive: true });
+    const existing = loadHistory();
+    existing.push(entry);
+    // Atomic write: temp file → rename
+    const tmp = HISTORY_FILE + '.tmp';
+    writeFileSync(tmp, JSON.stringify(existing, null, 2), 'utf8');
+    renameSync(tmp, HISTORY_FILE);
+  } catch { /* non-fatal */ }
+}
+
+export async function runAudit(flags = {}) {
+  const GATEWAY_PORT_DEFAULT = 18789;
+
+  // ── DISCOVERY: find what's actually running ──────────────────────────────
+  let discovery = null;
+  // Only auto-discover when no --url override was given
+  if (!flags.targetHost) {
+    try { discovery = await discoverRunningInstance(); }
+    catch { discovery = null; }
+  }
+
+  // Resolve target host/port
+  const targetHost = flags.targetHost || '127.0.0.1';
+  let targetPort = flags.targetPort || null;
+
+  // Load config — prefer CLI override, then discovered path, then default
+  const configOverridePath = flags.configPath || (discovery?.configPath !== undefined ? discovery.configPath : null);
+  const { config, configPath, error } = loadConfig(configOverridePath);
+
+  if (!targetPort) {
+    targetPort = config?.gateway?.port || GATEWAY_PORT_DEFAULT;
+  }
+
+  console.log(''); console.log(box('ClawArmor Audit  v' + VERSION)); console.log('');
+
+  if (error) {
+    console.log(`  ${paint.red('✗')} ${error}`); console.log(''); process.exit(2);
+  }
+
+  // Discovery warnings
+  if (discovery?.multiple) {
+    const chosen = targetPort;
+    console.log(`  ${paint.yellow('!')} Found ${discovery.instances.length} running OpenClaw instances. Auditing the one on port ${chosen}. Use --url to specify a different one.`);
+    console.log('');
+  }
+
+  const isRemote = targetHost !== '127.0.0.1' && targetHost !== 'localhost' && targetHost !== '::1';
+  const probeTarget = `${targetHost}:${targetPort}`;
+
+  // Show config path info
+  if (isRemote || (discovery?.configPath && discovery.configPath !== configPath)) {
+    console.log(`  ${paint.dim('Config:')}  ${configPath}  ${paint.dim('(local)')}`);
+    console.log(`  ${paint.dim('Probes:')}  ${probeTarget}`);
+  } else {
+    console.log(`  ${paint.dim('Config:')}  ${configPath}`);
+  }
+  console.log(`  ${paint.dim('Scanned:')} ${new Date().toLocaleString('en-US',{dateStyle:'medium',timeStyle:'short'})}`);
+  console.log('');
+
+  // ── LIVE GATEWAY PROBES ─────────────────────────────────────────────────
+  console.log(SEP);
+  const probeLabel = isRemote
+    ? `  ${paint.cyan('LIVE GATEWAY PROBES')}${paint.dim('  (connecting to ' + probeTarget + ')')}`
+    : `  ${paint.cyan('LIVE GATEWAY PROBES')}${paint.dim('  (connecting to ' + probeTarget + ')')}`;
+  console.log(probeLabel);
+  console.log(SEP);
+
+  let liveResults = [];
+  try {
+    liveResults = await probeGatewayLive(config, { host: targetHost, port: targetPort });
+  } catch (e) {
+    liveResults = [];
+  }
+
+  const probeRunningResult = liveResults.find(r => r.id === 'probe.gateway_running');
+  const gatewayRunning = probeRunningResult?.gatewayRunning ?? false;
+
+  if (!gatewayRunning) {
+    if (isRemote) {
+      console.log(`  ${paint.red('✗')}  Gateway not reachable at ${probeTarget}`);
+      console.log(`     ${paint.dim('Check that the host is reachable and the port is correct.')}`);
+    } else {
+      console.log(`  ${paint.dim('ℹ')}  ${paint.dim('Gateway not running — skipping live probes')}`);
+    }
+  } else {
+    for (const r of liveResults) {
+      if (r.passed) {
+        console.log(`  ${paint.green('✓')} ${paint.dim(r.passedMsg || r.title)}`);
+      } else {
+        const sc = severityColor[r.severity] || paint.dim;
+        console.log(`  ${paint.red('✗')} ${r.title}  ${paint.dim('←')} ${sc(r.severity)}`);
+      }
+    }
+  }
+  console.log('');
+
+  // ── STATIC CONFIG CHECKS ────────────────────────────────────────────────
+  const allChecks = [
+    ...gatewayChecks, ...filesystemChecks, ...channelChecks,
+    ...authChecks, ...toolChecks, ...versionChecks, ...hooksChecks,
+    ...allowFromChecks,
+  ];
+  const staticResults = [];
+  for (const check of allChecks) {
+    try { staticResults.push(await check(config)); }
+    catch (e) { staticResults.push({ id:'err', severity:'LOW', passed:true, passedMsg:`Check error: ${e.message}` }); }
+  }
+
+  // Merge: live (non-probe.gateway_running) + static
+  const liveFindingResults = gatewayRunning
+    ? liveResults.filter(r => r.id !== 'probe.gateway_running')
+    : [];
+
+  const results = [...liveFindingResults, ...staticResults];
+  const failed = results.filter(r => !r.passed);
+  const passed = results.filter(r => r.passed);
+  const criticals = failed.filter(r => r.severity === 'CRITICAL').length;
+
+  // Score with floor rules
+  let score = 100;
+  for (const f of failed) score -= (W[f.severity] || 0);
+  score = Math.max(0, score);
+  if (criticals >= 2) score = Math.min(score, 25);
+  else if (criticals >= 1) score = Math.min(score, 50);
+
+  const grade = scoreToGrade(score);
+  const colorFn = scoreColor(score);
+
+  console.log(SEP);
+  console.log(`  ${paint.bold('Security Score:')} ${colorFn(score+'/100')}  ${paint.dim('┃')}  Grade: ${gradeColor(grade)}`);
+  console.log(`  ${colorFn(progressBar(score,20))}  ${paint.dim(score+'%')}`);
+
+  // Human verdict
+  {
+    const openCriticals = failed.filter(f => f.severity === 'CRITICAL').length;
+    const openHighs = failed.filter(f => f.severity === 'HIGH').length;
+    let verdict;
+    if (!failed.length) {
+      verdict = paint.green('Your instance is secure. No issues found.');
+    } else if (openCriticals >= 1) {
+      verdict = paint.red('Your instance has CRITICAL exposure. Fix immediately before using.');
+    } else if (openHighs >= 1) {
+      verdict = paint.yellow('Your instance has HIGH-risk issues. Fix before going to production.');
+    } else {
+      verdict = paint.dim('Your instance is well-configured. Open items are low-risk hardening.');
+    }
+    console.log('');
+    console.log(`  ${paint.dim('Verdict:')}  ${verdict}`);
+  }
+
+  if (flags.json) {
+    console.log(JSON.stringify({score,grade,failed,passed},null,2));
+    appendHistory({ timestamp: new Date().toISOString(), score, grade,
+      findings: failed.length, criticals, version: VERSION,
+      failedIds: failed.map(f => f.id) });
+    return 0;
+  }
+
+  for (const sev of ['CRITICAL','HIGH','MEDIUM','LOW']) {
+    const group = failed.filter(f => f.severity === sev);
+    if (!group.length) continue;
+    console.log(''); console.log(SEP);
+    console.log(`  ${severityColor[sev](sev)}${paint.dim('  ('+group.length+' finding'+(group.length>1?'s':'')+')')}`);
+    console.log(SEP);
+    for (const f of group) printFinding(f);
+  }
+
+  if (passed.length) {
+    console.log(''); console.log(SEP);
+    console.log(`  ${paint.green('PASSED')}${paint.dim('  ('+passed.filter(p=>!(p.id||'').startsWith('probe.')).length+' checks)')}`);
+    console.log(SEP);
+    for (const p of passed) {
+      if ((p.id||'').startsWith('probe.')) continue;
+      console.log(`  ${paint.green('✓')} ${paint.dim(p.passedMsg||p.title||p.id)}`);
+    }
+  }
+
+  console.log(''); console.log(SEP);
+  if (!failed.length) {
+    console.log(`  ${paint.green('✓')} ${paint.bold('All checks passed.')}`);
+  } else {
+    console.log(`  ${failed.length} issue${failed.length>1?'s':''} found. Fix above to improve score.`);
+  }
+  console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor scan')} ${paint.dim('to check installed skills.')}`);
+  console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor trend')} ${paint.dim('to see score history.')}`);
+  console.log(`  ${paint.dim('Continuous monitoring:')} ${paint.cyan('github.com/pinzasai/clawarmor')}`);
+  console.log('');
+
+  // Persist history (atomic)
+  appendHistory({
+    timestamp: new Date().toISOString(),
+    score,
+    grade,
+    findings: failed.length,
+    criticals,
+    version: VERSION,
+    failedIds: failed.map(f => f.id),
+  });
+
+  return failed.length > 0 ? 1 : 0;
+}

package/lib/checks/allowfrom.js

@@ -0,0 +1,104 @@
+// ClawArmor v0.6 — allowFrom permissiveness check
+// Scans all channel configs for dangerously open allowFrom settings.
+
+import { get } from '../config.js';
+
+const CHANNEL_KEYS = ['telegram', 'discord', 'whatsapp', 'signal', 'slack', 'imessage', 'matrix', 'email'];
+
+function isWildcard(arr) {
+  if (!Array.isArray(arr)) return false;
+  return arr.some(v => v === '*' || (typeof v === 'string' && v.includes('*')));
+}
+
+function isEmptyArray(arr) {
+  return Array.isArray(arr) && arr.length === 0;
+}
+
+export function checkAllowFrom(config) {
+  const channels = get(config, 'channels', {});
+  const issues = [];
+
+  for (const chanKey of CHANNEL_KEYS) {
+    const cfg = channels[chanKey];
+    if (!cfg?.enabled) continue;
+
+    const allowFrom = cfg.allowFrom ?? cfg.dmAllowFrom ?? null;
+    const groupAllowFrom = cfg.groupAllowFrom ?? null;
+    const dmPolicy = cfg.dmPolicy || '';
+    const groupPolicy = cfg.groupPolicy || '';
+
+    // Explicit wildcard
+    if (isWildcard(allowFrom)) {
+      issues.push({
+        path: `channels.${chanKey}.allowFrom`,
+        reason: `allowFrom: ["*"] — explicitly open to anyone`,
+        severity: 'CRITICAL',
+      });
+    }
+
+    // Empty array with non-restrictive dmPolicy
+    if (isEmptyArray(allowFrom) && dmPolicy !== 'pairing' && dmPolicy !== 'disabled') {
+      issues.push({
+        path: `channels.${chanKey}.allowFrom`,
+        reason: `allowFrom: [] (empty) with dmPolicy="${dmPolicy||'unset'}" — may default to open`,
+        severity: 'HIGH',
+      });
+    }
+
+    // groupAllowFrom empty + groupPolicy not disabled
+    if (isEmptyArray(groupAllowFrom) && groupPolicy !== 'disabled') {
+      issues.push({
+        path: `channels.${chanKey}.groupAllowFrom`,
+        reason: `groupAllowFrom: [] (empty) with groupPolicy="${groupPolicy||'unset'}" — group access unscoped`,
+        severity: 'HIGH',
+      });
+    }
+
+    // Check nested group entries
+    const groups = cfg.groups || {};
+    for (const [gid, gcfg] of Object.entries(groups)) {
+      if (!gcfg || typeof gcfg !== 'object') continue;
+      const gAllowFrom = gcfg.allowFrom ?? null;
+      const gPolicy = gcfg.groupPolicy || '';
+
+      if (isWildcard(gAllowFrom)) {
+        issues.push({
+          path: `channels.${chanKey}.groups.${gid}.allowFrom`,
+          reason: `allowFrom: ["*"] — wildcard in group config`,
+          severity: 'CRITICAL',
+        });
+      }
+      if (isEmptyArray(gAllowFrom) && gPolicy !== 'disabled') {
+        issues.push({
+          path: `channels.${chanKey}.groups.${gid}.allowFrom`,
+          reason: `allowFrom: [] (empty) with groupPolicy="${gPolicy||'unset'}"`,
+          severity: 'MEDIUM',
+        });
+      }
+    }
+  }
+
+  if (!issues.length) {
+    return {
+      id: 'channels.allowfrom',
+      severity: 'HIGH',
+      passed: true,
+      passedMsg: 'All channel allowFrom settings are restricted',
+    };
+  }
+
+  const criticals = issues.filter(i => i.severity === 'CRITICAL');
+  const topSeverity = criticals.length ? 'CRITICAL' : 'HIGH';
+
+  return {
+    id: 'channels.allowfrom',
+    severity: topSeverity,
+    passed: false,
+    title: `Dangerously permissive allowFrom settings (${issues.length} issue${issues.length > 1 ? 's' : ''})`,
+    description: issues.map(i => `• ${i.path}: ${i.reason}`).join('\n') +
+      `\nAny user who discovers your bot/channel can send commands to your agent.`,
+    fix: issues.map(i => `openclaw config set ${i.path} '["your-user-id"]'`).join('\n'),
+  };
+}
+
+export default [checkAllowFrom];

package/lib/checks/auth.js

@@ -0,0 +1,63 @@
+import { get } from '../config.js';
+import { execSync } from 'child_process';
+
+function dockerAvailable() {
+  try { execSync('docker --version', { stdio: 'ignore', timeout: 2000 }); return true; }
+  catch { return false; }
+}
+
+export function checkAgentSandbox(config) {
+  const mode = get(config, 'agents.defaults.sandbox.mode', null);
+  const mainKey = get(config, 'agents.mainKey', 'main');
+  const hasCustomMainKey = mainKey !== 'main';
+  const secureModes = ['non-main', 'all', 'strict'];
+
+  if (secureModes.includes(mode)) {
+    const mainKeyNote = hasCustomMainKey
+      ? ` (mainKey="${mainKey}" — verify non-main scope is correct)`
+      : '';
+    return { id: 'agents.sandbox', severity: 'HIGH', passed: true,
+      passedMsg: `Agent sandbox mode: "${mode}" (sessions isolated)${mainKeyNote}` };
+  }
+  if (!dockerAvailable()) {
+    return { id: 'agents.sandbox', severity: 'LOW', passed: false,
+      title: 'Sandbox isolation not configured (Docker not installed)',
+      description: `Sandbox isolation is not enabled. OpenClaw sandboxes require Docker.\nDocker is not installed on this machine — sandbox cannot be enabled yet.\nInstall Docker first, then enable sandbox isolation.`,
+      fix: `1. Install Docker: brew install --cask docker\n2. Open Docker.app to complete setup\n3. openclaw config set agents.defaults.sandbox.mode non-main\n4. openclaw gateway restart` };
+  }
+  const mainKeyNote = hasCustomMainKey
+    ? `\nNote: agents.mainKey="${mainKey}" — "non-main" sandbox mode will isolate sessions that are not "${mainKey}".`
+    : '';
+  return { id: 'agents.sandbox', severity: 'HIGH', passed: false,
+    title: 'Agent sessions have no sandbox isolation',
+    description: `agents.defaults.sandbox.mode not set — tool calls from Telegram/Discord\nrun directly on your host with no container boundary.\nAttack: prompt injection via fetched webpage causes exec with full host access.${mainKeyNote}`,
+    fix: `openclaw config set agents.defaults.sandbox.mode non-main\nopenctl gateway restart` };
+}
+
+export function checkSandboxExecFootgun(config) {
+  const sandboxMode = get(config, 'agents.defaults.sandbox.mode', null);
+  const execHost = get(config, 'tools.exec.host', null);
+  if (execHost === 'sandbox' && (!sandboxMode || sandboxMode === 'off')) {
+    return { id: 'tools.exec.sandbox_off', severity: 'HIGH', passed: false,
+      title: 'exec host=sandbox but sandbox mode is off (silent footgun)',
+      description: `tools.exec.host="sandbox" suggests exec should run in a container.\nBut agents.defaults.sandbox.mode is "${sandboxMode||'off'}" — exec runs on your HOST.\nYou think you're sandboxed. You're not.\nAttack: any exec call bypasses the sandbox you expected.`,
+      fix: `openclaw config set agents.defaults.sandbox.mode non-main\nOR: openclaw config set tools.exec.host gateway` };
+  }
+  return { id: 'tools.exec.sandbox_off', severity: 'HIGH', passed: true,
+    passedMsg: 'exec sandbox configuration is consistent' };
+}
+
+export function checkThinkingStream(config) {
+  const thinking = get(config, 'agents.defaults.thinkingDefault', 'off');
+  const stream = get(config, 'agents.defaults.stream', null);
+  if (thinking === 'on' && stream === 'stream') {
+    return { id: 'agents.thinking.stream', severity: 'LOW', passed: false,
+      title: 'Thinking mode streaming leaks reasoning to channel observers',
+      description: `thinkingDefault="on" with stream mode — partial chain-of-thought\nvisible to channel participants before agent finishes reasoning.`,
+      fix: `openclaw config set agents.defaults.thinkingDefault off` };
+  }
+  return { id: 'agents.thinking.stream', severity: 'LOW', passed: true,
+    passedMsg: 'Thinking stream not leaking reasoning' };
+}
+
+export default [checkAgentSandbox, checkSandboxExecFootgun, checkThinkingStream];

package/lib/checks/channels.js

@@ -0,0 +1,69 @@
+import { get } from '../config.js';
+
+export function checkTelegramDmPolicy(config) {
+  const tg = get(config, 'channels.telegram', null);
+  if (!tg?.enabled) return { id: 'telegram.dmPolicy', severity: 'HIGH', passed: true, passedMsg: 'Telegram not enabled' };
+  const dmPolicy = tg.dmPolicy || '';
+  const allowFrom = tg.allowFrom || tg.dmAllowFrom || null;
+  if (dmPolicy === 'open' && !allowFrom) {
+    return { id: 'telegram.dmPolicy', severity: 'HIGH', passed: false,
+      title: 'Telegram DMs open to anyone',
+      description: `dmPolicy="open" with no allowFrom — anyone who finds your bot can\nsend commands. Attack: attacker DMs bot "exec cat ~/.openclaw/openclaw.json".`,
+      fix: `openclaw config set channels.telegram.dmPolicy pairing` };
+  }
+  return { id: 'telegram.dmPolicy', severity: 'HIGH', passed: true,
+    passedMsg: `Telegram DM policy: "${dmPolicy}" (restricted)` };
+}
+
+export function checkGroupPolicies(config) {
+  const openGroups = [];
+  for (const [chan, cfg] of Object.entries(get(config, 'channels', {}))) {
+    if (!cfg?.enabled) continue;
+    if (cfg.groupPolicy === 'open') openGroups.push(`channels.${chan}.groupPolicy`);
+    const groups = cfg.groups || {};
+    for (const [gid, gcfg] of Object.entries(groups)) {
+      if (gcfg?.groupPolicy === 'open') openGroups.push(`channels.${chan}.groups.${gid}.groupPolicy`);
+    }
+  }
+  if (openGroups.length) {
+    return { id: 'channel.groupPolicy', severity: 'MEDIUM', passed: false,
+      title: 'Group policy allows anyone to trigger agent',
+      description: `Open group policies found:\n${openGroups.map(p=>`  • ${p}`).join('\n')}\nAnyone in those groups can send commands to your agent.\nAttack: attacker joins group, sends injected content, triggers tool calls.`,
+      fix: `openclaw config set channels.telegram.groupPolicy allowlist` };
+  }
+  return { id: 'channel.groupPolicy', severity: 'MEDIUM', passed: true, passedMsg: 'All group policies use allowlist' };
+}
+
+export function checkOpenGroupsWithElevated(config) {
+  // CRITICAL combo: open groups + elevated tools = attacker can run elevated exec
+  const elevatedEnabled = get(config, 'tools.elevated.enabled', false) ||
+    get(config, 'tools.elevated', null) !== null;
+  const hasOpenGroup = Object.values(get(config, 'channels', {})).some(cfg =>
+    cfg?.enabled && cfg?.groupPolicy === 'open'
+  );
+  if (hasOpenGroup && elevatedEnabled) {
+    return { id: 'security.open_groups_elevated', severity: 'CRITICAL', passed: false,
+      title: 'CRITICAL: Open groups + elevated tools = remote code execution',
+      description: `You have group channels with groupPolicy="open" AND elevated tools enabled.\nAnyone in those groups can send a message that causes elevated exec on your host.\nAttack: attacker joins group, sends "run rm -rf /" — agent executes it with elevated perms.\nThis is the highest-risk configuration possible.`,
+      fix: `openclaw config set channels.telegram.groupPolicy allowlist\nOR: openclaw config set tools.elevated.enabled false` };
+  }
+  return { id: 'security.open_groups_elevated', severity: 'CRITICAL', passed: true,
+    passedMsg: 'No open groups with elevated tools (safe)' };
+}
+
+export function checkDmSessionScope(config) {
+  const dmScope = get(config, 'session.dmScope', 'main');
+  // Only flag if multiple users could DM (open DM policy or large allowFrom)
+  const tgAllowFrom = get(config, 'channels.telegram.allowFrom', []);
+  const multiUser = Array.isArray(tgAllowFrom) && tgAllowFrom.length > 1;
+  if (multiUser && dmScope === 'main') {
+    return { id: 'session.dmScope', severity: 'MEDIUM', passed: false,
+      title: 'Multiple DM users share the same session context',
+      description: `session.dmScope="main" with ${tgAllowFrom.length} allowed DM users — all share\none conversation context. User A can ask agent to recall what User B said.\nAttack: authorized user extracts another authorized user's conversation history.`,
+      fix: `openclaw config set session.dmScope per-channel-peer` };
+  }
+  return { id: 'session.dmScope', severity: 'MEDIUM', passed: true,
+    passedMsg: dmScope === 'per-channel-peer' ? 'DM sessions are isolated per user' : 'Single-user DM (session isolation not needed)' };
+}
+
+export default [checkTelegramDmPolicy, checkGroupPolicies, checkOpenGroupsWithElevated, checkDmSessionScope];

package/lib/checks/filesystem.js

@@ -0,0 +1,87 @@
+import { existsSync, statSync, readdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { getOctalPermissions, getConfigPath, getAgentAccountsPath } from '../config.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+
+function checkPerms(filePath, expected, label) {
+  if (!existsSync(filePath)) return null;
+  const p = getOctalPermissions(filePath);
+  if (p !== expected) return { perms: p, path: filePath, label };
+  return null;
+}
+
+export function checkOpenclawDirPerms() {
+  if (!existsSync(OC_DIR)) return { id: 'fs.dir.perms', severity: 'HIGH', passed: true, passedMsg: '~/.openclaw/ not found' };
+  const p = getOctalPermissions(OC_DIR);
+  if (p !== '700') {
+    return { id: 'fs.dir.perms', severity: 'HIGH', passed: false,
+      title: '~/.openclaw/ directory is group/world readable',
+      description: `~/.openclaw/ has permissions ${p}. Other users on this system can list\nyour config files, session transcripts, credentials, and installed skills.\nAttack: local user runs ls ~/.openclaw/credentials/ and reads your bot token.`,
+      fix: `chmod 700 ~/.openclaw` };
+  }
+  return { id: 'fs.dir.perms', severity: 'HIGH', passed: true, passedMsg: '~/.openclaw/ is owner-only (700)' };
+}
+
+export function checkConfigFilePermissions() {
+  const p = getOctalPermissions(getConfigPath());
+  if (!p) return { id: 'fs.config.perms', severity: 'HIGH', passed: true, passedMsg: 'Config file not found' };
+  if (p !== '600') {
+    return { id: 'fs.config.perms', severity: 'HIGH', passed: false,
+      title: 'openclaw.json is readable by other users',
+      description: `~/.openclaw/openclaw.json has permissions ${p}. Contains bot tokens,\nAPI keys, and channel credentials readable by any local user.\nAttack: local user cat ~/.openclaw/openclaw.json → gets your Telegram bot token.`,
+      fix: `chmod 600 ~/.openclaw/openclaw.json` };
+  }
+  return { id: 'fs.config.perms', severity: 'HIGH', passed: true, passedMsg: 'openclaw.json is owner-only (600)' };
+}
+
+export function checkAgentAccountsPermissions() {
+  const fp = getAgentAccountsPath();
+  if (!existsSync(fp)) return { id: 'fs.accounts.perms', severity: 'HIGH', passed: true, passedMsg: 'agent-accounts.json not found' };
+  const p = getOctalPermissions(fp);
+  if (p !== '600') {
+    return { id: 'fs.accounts.perms', severity: 'HIGH', passed: false,
+      title: 'agent-accounts.json is readable by other users',
+      description: `Permissions ${p}. This file contains all API keys and passwords.\nAttack: one command gets every credential your agent holds.`,
+      fix: `chmod 600 ~/.openclaw/agent-accounts.json` };
+  }
+  return { id: 'fs.accounts.perms', severity: 'HIGH', passed: true, passedMsg: 'agent-accounts.json is owner-only (600)' };
+}
+
+export function checkCredentialsDirPermissions() {
+  const credDir = join(OC_DIR, 'credentials');
+  if (!existsSync(credDir)) return { id: 'fs.creds.perms', severity: 'MEDIUM', passed: true, passedMsg: 'credentials/ not found' };
+  const p = getOctalPermissions(credDir);
+  if (p !== '700' && p !== '600') {
+    return { id: 'fs.creds.perms', severity: 'MEDIUM', passed: false,
+      title: 'credentials/ directory is not locked down',
+      description: `~/.openclaw/credentials/ has permissions ${p}.\nContains channel auth tokens and pairing allowlists.`,
+      fix: `chmod 700 ~/.openclaw/credentials\nchmod 600 ~/.openclaw/credentials/*.json 2>/dev/null || true` };
+  }
+  return { id: 'fs.creds.perms', severity: 'MEDIUM', passed: true, passedMsg: 'credentials/ directory is locked down' };
+}
+
+export function checkSessionTranscriptPermissions() {
+  const agentsDir = join(OC_DIR, 'agents');
+  if (!existsSync(agentsDir)) return { id: 'fs.sessions.perms', severity: 'LOW', passed: true, passedMsg: 'No agent sessions found' };
+  // Check first session dir found
+  try {
+    const agents = readdirSync(agentsDir);
+    for (const agent of agents) {
+      const sessDir = join(agentsDir, agent, 'sessions');
+      if (!existsSync(sessDir)) continue;
+      const p = getOctalPermissions(sessDir);
+      if (p && p !== '700' && p !== '600') {
+        return { id: 'fs.sessions.perms', severity: 'LOW', passed: false,
+          title: 'Session transcripts readable by other users',
+          description: `~/.openclaw/agents/${agent}/sessions/ has permissions ${p}.\nTranscripts contain your full conversation history, tool outputs, and potentially secrets.`,
+          fix: `chmod -R 700 ~/.openclaw/agents/` };
+      }
+    }
+  } catch { /* skip */ }
+  return { id: 'fs.sessions.perms', severity: 'LOW', passed: true, passedMsg: 'Session transcripts are private' };
+}
+
+export default [checkOpenclawDirPerms, checkConfigFilePermissions, checkAgentAccountsPermissions, checkCredentialsDirPermissions, checkSessionTranscriptPermissions];