clawarmor 1.2.0 → 2.0.0-alpha.3

package/lib/harden.js

@@ -0,0 +1,312 @@
+// clawarmor harden — Interactive security hardening wizard.
+// Modes:
+//   default:    show each fix, prompt y/N before applying
+//   --dry-run:  show what WOULD be fixed, no writes
+//   --auto:     apply all safe fixes without confirmation (CI mode)
+
+import { existsSync, readdirSync, statSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { execSync, spawnSync } from 'child_process';
+import { createInterface } from 'readline';
+import { paint } from './output/colors.js';
+import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
+import { loadConfig, get } from './config.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
+const CLI_PATH = new URL('../cli.js', import.meta.url).pathname;
+const SEP = paint.dim('─'.repeat(52));
+
+function box(title) {
+  const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+
+// ── Fix discovery ────────────────────────────────────────────────────────────
+
+function findWorldReadableCredFiles() {
+  if (!existsSync(OC_DIR)) return [];
+  const bad = [];
+  try {
+    const entries = readdirSync(OC_DIR, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isFile()) continue;
+      const filePath = join(OC_DIR, entry.name);
+      let s;
+      try { s = statSync(filePath); } catch { continue; }
+      const mode = s.mode & 0o777;
+      if (mode & 0o004 || mode & 0o040) {
+        bad.push({ path: filePath, name: entry.name, mode: mode.toString(8) });
+      }
+    }
+  } catch { /* non-fatal */ }
+  return bad;
+}
+
+function buildFixes(config) {
+  const fixes = [];
+
+  // Fix 1: world/group-readable credential files — chmod 600
+  const badFiles = findWorldReadableCredFiles();
+  for (const f of badFiles) {
+    fixes.push({
+      id: `cred.perms.${f.name}`,
+      problem: `${f.name} is readable by other users (permissions: ${f.mode})`,
+      action: `chmod 600 ${f.path}`,
+      description: `Set permissions to 600 (owner-only) on ${f.path}`,
+      type: 'shell',
+      manualNote: null,
+    });
+  }
+
+  // Fix 2: gateway.host = 0.0.0.0 → 127.0.0.1
+  const gwHost = get(config, 'gateway.host', null);
+  if (gwHost === '0.0.0.0') {
+    fixes.push({
+      id: 'gateway.host.open',
+      problem: 'gateway.host is set to 0.0.0.0 — listens on all network interfaces',
+      action: 'openclaw config set gateway.host 127.0.0.1',
+      description: 'Change gateway.host to 127.0.0.1 (loopback only)',
+      type: 'openclaw',
+      manualNote: 'Restart gateway after applying: openclaw gateway restart',
+    });
+  }
+
+  // Fix 3: exec.ask = off → always
+  const execAsk = get(config, 'exec.ask', null) ?? get(config, 'tools.exec.ask', null);
+  if (execAsk === 'off' || execAsk === false) {
+    fixes.push({
+      id: 'exec.ask.off',
+      problem: 'exec.ask is off — shell commands run without user confirmation',
+      action: 'openclaw config set exec.ask always',
+      description: 'Enable exec.ask so shell commands require confirmation',
+      type: 'openclaw',
+      manualNote: 'Restart gateway after applying: openclaw gateway restart',
+    });
+  }
+
+  return fixes;
+}
+
+// ── Apply a single fix ────────────────────────────────────────────────────────
+
+function applyFix(fix) {
+  try {
+    execSync(fix.action, { stdio: 'ignore', shell: true });
+    return { ok: true };
+  } catch (e) {
+    return { ok: false, err: e.message.split('\n')[0] };
+  }
+}
+
+// ── Re-run audit (JSON) for before/after score ────────────────────────────────
+
+function runAuditJson() {
+  try {
+    const result = spawnSync(process.execPath, [CLI_PATH, 'audit', '--json'], {
+      encoding: 'utf8',
+      timeout: 30000,
+      maxBuffer: 1024 * 1024,
+    });
+    if (result.stdout) {
+      const jsonStart = result.stdout.indexOf('{');
+      if (jsonStart !== -1) return JSON.parse(result.stdout.slice(jsonStart));
+    }
+  } catch { /* non-fatal */ }
+  return null;
+}
+
+// ── Interactive y/N prompt ────────────────────────────────────────────────────
+
+async function askYN(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => {
+    rl.question(question, answer => {
+      rl.close();
+      const a = answer.trim().toLowerCase();
+      resolve(a === 'y' || a === 'yes');
+    });
+  });
+}
+
+// ── Load last history entry for before score ─────────────────────────────────
+
+function loadLastHistoryEntry() {
+  try {
+    if (!existsSync(HISTORY_FILE)) return null;
+    const h = JSON.parse(readFileSync(HISTORY_FILE, 'utf8'));
+    if (!Array.isArray(h) || !h.length) return null;
+    return h[h.length - 1];
+  } catch { return null; }
+}
+
+// ── Manual follow-up items (things that require human action) ─────────────────
+
+function getManualItems() {
+  return [
+    'Rotate tokens older than 90 days (run: clawarmor log --tokens)',
+    'Review and rotate any compromised or exposed credentials',
+    'Enable agent sandbox isolation if Docker Desktop is available',
+  ];
+}
+
+// ── Main export ───────────────────────────────────────────────────────────────
+
+export async function runHarden(flags = {}) {
+  console.log(''); console.log(box('ClawArmor Harden  v2.0')); console.log('');
+
+  const { config } = loadConfig();
+  const fixes = buildFixes(config);
+
+  // Snapshot before score
+  const before = loadLastHistoryEntry();
+  const beforeScore = before?.score ?? null;
+  const beforeGrade = before?.grade ?? null;
+
+  // ── DRY RUN ────────────────────────────────────────────────────────────────
+  if (flags.dryRun) {
+    console.log(`  ${paint.cyan('Dry run — showing what would be fixed (no changes applied):')}`);
+    console.log('');
+
+    if (!fixes.length) {
+      console.log(`  ${paint.green('✓')} No auto-fixable issues found.`);
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('to see all findings.')}`);
+      console.log('');
+      return 0;
+    }
+
+    for (const fix of fixes) {
+      console.log(`  ${paint.yellow('!')}  ${paint.bold(fix.problem)}`);
+      console.log(`     ${paint.dim('Fix:')} ${fix.description}`);
+      console.log(`     ${paint.dim('Cmd:')} ${fix.action}`);
+      if (fix.manualNote) console.log(`     ${paint.dim('Note:')} ${fix.manualNote}`);
+      console.log('');
+    }
+
+    console.log(SEP);
+    console.log(`  ${fixes.length} fix${fixes.length !== 1 ? 'es' : ''} available.`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor harden')} ${paint.dim('to apply interactively.')}`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor harden --auto')} ${paint.dim('to apply all without prompts.')}`);
+    console.log('');
+
+    const manualItems = getManualItems();
+    console.log(SEP);
+    console.log(`  ${paint.bold('Manual follow-up required:')}`);
+    for (const item of manualItems) {
+      console.log(`    ${paint.dim('•')} ${item}`);
+    }
+    console.log('');
+    return 0;
+  }
+
+  // ── AUTO or INTERACTIVE ────────────────────────────────────────────────────
+
+  if (!fixes.length) {
+    console.log(`  ${paint.green('✓')} No auto-fixable issues found. Your config looks good.`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('for the full picture.')}`);
+    console.log('');
+
+    const manualItems = getManualItems();
+    console.log(SEP);
+    console.log(`  ${paint.bold('Manual follow-up required:')}`);
+    for (const item of manualItems) {
+      console.log(`    ${paint.dim('•')} ${item}`);
+    }
+    console.log('');
+    return 0;
+  }
+
+  const modeLabel = flags.auto
+    ? paint.cyan('Auto mode — applying all safe fixes without confirmation')
+    : paint.cyan('Interactive mode — review and apply fixes one by one');
+  console.log(`  ${modeLabel}`);
+  console.log('');
+
+  let applied = 0, skipped = 0, failed = 0;
+  const restartNotes = [];
+
+  for (const fix of fixes) {
+    console.log(SEP);
+    console.log(`  ${paint.bold('Problem:')}  ${fix.problem}`);
+    console.log(`  ${paint.dim('Fix:')}      ${fix.description}`);
+    console.log(`  ${paint.dim('Command:')} ${paint.dim(fix.action)}`);
+    console.log('');
+
+    let doApply = flags.auto;
+
+    if (!flags.auto) {
+      doApply = await askYN(`  Apply this fix? [y/N] `);
+    }
+
+    if (!doApply) {
+      console.log(`  ${paint.dim('✗ Skipped')}`);
+      skipped++;
+      console.log('');
+      continue;
+    }
+
+    const result = applyFix(fix);
+    if (result.ok) {
+      console.log(`  ${paint.green('✓ Fixed')}`);
+      applied++;
+      if (fix.manualNote) restartNotes.push(fix.manualNote);
+    } else {
+      console.log(`  ${paint.red('✗ Failed:')} ${result.err}`);
+      failed++;
+    }
+    console.log('');
+  }
+
+  console.log(SEP);
+  console.log('');
+  console.log(`  Applied: ${paint.green(String(applied))}  Skipped: ${paint.dim(String(skipped))}  Failed: ${failed > 0 ? paint.red(String(failed)) : paint.dim('0')}`);
+
+  // Restart notes
+  if (restartNotes.length) {
+    console.log('');
+    for (const note of [...new Set(restartNotes)]) {
+      console.log(`  ${paint.yellow('!')} ${note}`);
+    }
+  }
+
+  // Manual follow-up
+  console.log('');
+  console.log(SEP);
+  console.log(`  ${paint.bold('Manual follow-up required:')}`);
+  const manualItems = getManualItems();
+  for (const item of manualItems) {
+    console.log(`    ${paint.dim('•')} ${item}`);
+  }
+
+  // Before/after score comparison (only if we applied something)
+  if (applied > 0) {
+    console.log('');
+    console.log(SEP);
+    console.log(`  ${paint.dim('Re-running audit to measure impact...')}`);
+    const after = runAuditJson();
+    const afterScore = after?.score ?? null;
+    const afterGrade = after?.grade ?? null;
+
+    if (afterScore !== null) {
+      console.log('');
+      if (beforeScore !== null) {
+        const delta = afterScore - beforeScore;
+        const deltaStr = delta > 0 ? paint.green(`+${delta}`) : delta < 0 ? paint.red(String(delta)) : paint.dim('±0');
+        console.log(`  Before: ${scoreColor(beforeScore)(beforeScore + '/100')}  ${paint.dim('Grade:')} ${gradeColor(beforeGrade || scoreToGrade(beforeScore))}`);
+        console.log(`  After:  ${scoreColor(afterScore)(afterScore + '/100')}  ${paint.dim('Grade:')} ${gradeColor(afterGrade || scoreToGrade(afterScore))}  ${deltaStr}`);
+      } else {
+        console.log(`  Score: ${scoreColor(afterScore)(afterScore + '/100')}  ${paint.dim('Grade:')} ${gradeColor(afterGrade || scoreToGrade(afterScore))}`);
+      }
+    }
+  }
+
+  console.log('');
+  return failed > 0 ? 1 : 0;
+}

package/lib/log-viewer.js

@@ -0,0 +1,140 @@
+// ClawArmor v2.0 — Audit Log Viewer
+// Reads ~/.clawarmor/audit.log (JSONL) and displays events in human-readable form.
+// Flags: --since <Nd|Nh>  --json  --tokens
+
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint, severityColor } from './output/colors.js';
+
+const LOG_FILE = join(homedir(), '.clawarmor', 'audit.log');
+const SEP = paint.dim('─'.repeat(52));
+
+function parseEntries() {
+  if (!existsSync(LOG_FILE)) return null;
+  const raw = readFileSync(LOG_FILE, 'utf8');
+  return raw
+    .split('\n')
+    .filter(Boolean)
+    .map(line => { try { return JSON.parse(line); } catch { return null; } })
+    .filter(Boolean);
+}
+
+function parseSince(sinceArg) {
+  if (!sinceArg) return null;
+  const m = sinceArg.match(/^(\d+)(d|h)$/);
+  if (!m) return null;
+  const n = parseInt(m[1], 10);
+  const ms = m[2] === 'd' ? n * 86_400_000 : n * 3_600_000;
+  return new Date(Date.now() - ms);
+}
+
+function cmdColor(cmd) {
+  switch (cmd) {
+    case 'audit':   return paint.cyan(cmd.padEnd(7));
+    case 'scan':    return paint.cyan(cmd.padEnd(7));
+    case 'prescan': return paint.cyan(cmd.padEnd(7));
+    case 'watch':   return paint.dim(cmd.padEnd(7));
+    default:        return paint.dim((cmd || '?').padEnd(7));
+  }
+}
+
+function formatScore(score, delta) {
+  if (score == null) return '';
+  const s = `${score}/100`;
+  if (delta == null) return paint.bold(s);
+  const dStr = delta >= 0 ? `+${delta}` : `${delta}`;
+  const dColor = delta >= 0 ? paint.green : paint.red;
+  return `${paint.bold(s)} ${dColor(dStr)}`;
+}
+
+function formatFindings(findings) {
+  if (!Array.isArray(findings) || !findings.length) return paint.green('clean');
+  const bySev = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
+  for (const f of findings) bySev[f.severity] = (bySev[f.severity] || 0) + 1;
+  const parts = [];
+  if (bySev.CRITICAL) parts.push(paint.red(`${bySev.CRITICAL}C`));
+  if (bySev.HIGH)     parts.push(paint.yellow(`${bySev.HIGH}H`));
+  if (bySev.MEDIUM)   parts.push(paint.cyan(`${bySev.MEDIUM}M`));
+  if (bySev.LOW || bySev.INFO)
+    parts.push(paint.dim(`${(bySev.LOW || 0) + (bySev.INFO || 0)}L`));
+  return parts.join(' ') || paint.green('clean');
+}
+
+function formatEntry(e) {
+  const ts = new Date(e.ts).toLocaleString('en-US', { dateStyle: 'medium', timeStyle: 'short' });
+  const cmd = cmdColor(e.cmd);
+  const trigger = paint.dim(`[${e.trigger || 'manual'}]`);
+  const scoreStr = formatScore(e.score, e.delta);
+  const findingsStr = formatFindings(e.findings);
+  const blocked = e.blocked === true ? `  ${paint.red('BLOCKED')}` : '';
+  const skill = e.skill ? `  ${paint.cyan(e.skill)}` : '';
+
+  const parts = [paint.dim(ts), cmd, trigger];
+  if (scoreStr) parts.push(scoreStr);
+  parts.push(findingsStr);
+
+  return `  ${parts.join('  ')}${skill}${blocked}`;
+}
+
+export async function runLog(flags = {}) {
+  const entries = parseEntries();
+
+  if (!entries) {
+    console.log('');
+    console.log(`  No audit log yet. Run ${paint.cyan('clawarmor audit')} to start.`);
+    console.log('');
+    return 0;
+  }
+
+  let filtered = entries;
+
+  // --since filter
+  const since = parseSince(flags.since);
+  if (since) {
+    filtered = filtered.filter(e => new Date(e.ts) >= since);
+  }
+
+  // --tokens filter
+  if (flags.tokens) {
+    filtered = filtered.filter(e =>
+      Array.isArray(e.findings) &&
+      e.findings.some(f => (f.id || '').includes('token') || (f.id || '').includes('access'))
+    );
+  }
+
+  // --json: raw JSONL output
+  if (flags.json) {
+    for (const e of filtered) console.log(JSON.stringify(e));
+    return 0;
+  }
+
+  // Default: last 10 events
+  const recent = filtered.slice(-10);
+
+  console.log('');
+  if (!recent.length) {
+    console.log(`  No log entries match the given filters.`);
+    console.log(`  ${paint.dim('Total entries in log:')} ${entries.length}`);
+    console.log('');
+    return 0;
+  }
+
+  console.log(SEP);
+  const label = flags.since ? ` — since ${flags.since}` : ` — last ${recent.length}`;
+  console.log(`  ${paint.bold('ClawArmor Audit Log')}${paint.dim(label)}`);
+  console.log(SEP);
+  console.log('');
+
+  for (const e of recent) {
+    console.log(formatEntry(e));
+  }
+
+  if (filtered.length > 10) {
+    console.log('');
+    console.log(`  ${paint.dim(`(showing 10 of ${filtered.length} entries — use --since to filter)`)}`);
+  }
+
+  console.log('');
+  return 0;
+}

package/lib/output/progress.js

@@ -6,6 +6,7 @@ export function progressBar(score, width = 20) {
 }
 
 export function scoreToGrade(score) {
+  if (score === 100) return 'A+';
   if (score >= 90) return 'A';
   if (score >= 75) return 'B';
   if (score >= 60) return 'C';
@@ -22,6 +23,6 @@ export function scoreColor(score) {
 }
 
 export function gradeColor(grade) {
-  const map = { A: paint.green, B: paint.pass, C: paint.yellow, D: paint.high, F: paint.critical };
+  const map = { 'A+': paint.green, A: paint.green, B: paint.pass, C: paint.yellow, D: paint.high, F: paint.critical };
   return (map[grade] || paint.dim)(grade);
 }

package/lib/prescan.js

@@ -0,0 +1,167 @@
+// ClawArmor v2.0 — Pre-scan a skill before installing
+// Downloads the npm package to a temp dir, scans it with the full
+// ClawArmor scanner, and exits 1 (blocks install) only on CRITICAL findings.
+
+import { mkdirSync, rmSync, readdirSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+import { execSync } from 'child_process';
+import { scanFile } from './scanner/file-scanner.js';
+import { scanSkillMdFiles } from './scanner/skill-md-scanner.js';
+import { paint, severityColor } from './output/colors.js';
+import { append } from './audit-log.js';
+
+const SEP = paint.dim('─'.repeat(52));
+
+function getAllFiles(dir, files = []) {
+  try {
+    for (const e of readdirSync(dir, { withFileTypes: true })) {
+      if (e.name.startsWith('.') || e.name === 'node_modules' || e.name === '__pycache__') continue;
+      const fp = join(dir, e.name);
+      if (e.isDirectory()) getAllFiles(fp, files);
+      else files.push(fp);
+    }
+  } catch { /* permission denied */ }
+  return files;
+}
+
+function cleanupTmp(dir) {
+  try { rmSync(dir, { recursive: true, force: true }); } catch { /* non-fatal */ }
+}
+
+export async function runPrescan(skillName) {
+  console.log('');
+  console.log(`  ${paint.bold('ClawArmor Prescan')} — ${paint.cyan(skillName)}`);
+  console.log(`  ${paint.dim('Fetching package from npm registry...')}`);
+  console.log('');
+
+  const tmpDir = join(tmpdir(), `clawarmor-prescan-${Date.now()}`);
+  mkdirSync(tmpDir, { recursive: true });
+
+  // ── Step 1: Download via npm pack ─────────────────────────────────────────
+  let tarball;
+  try {
+    execSync(`npm pack ${skillName}`, {
+      cwd: tmpDir,
+      timeout: 30000,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    const tarballs = readdirSync(tmpDir).filter(f => f.endsWith('.tgz'));
+    if (!tarballs.length) throw new Error('npm pack produced no tarball');
+    tarball = join(tmpDir, tarballs[0]);
+  } catch {
+    cleanupTmp(tmpDir);
+    console.log(`  ${paint.dim('ℹ')}  Could not fetch skill for scanning`);
+    console.log(`     ${paint.dim('(package not found or network error — install not blocked)')}`);
+    console.log('');
+    return 0;
+  }
+
+  // ── Step 2: Extract tarball ────────────────────────────────────────────────
+  const extractDir = join(tmpDir, 'extracted');
+  mkdirSync(extractDir, { recursive: true });
+  try {
+    execSync(`tar -xzf "${tarball}" -C "${extractDir}"`, {
+      timeout: 15000,
+      stdio: ['ignore', 'ignore', 'ignore'],
+    });
+  } catch {
+    cleanupTmp(tmpDir);
+    console.log(`  ${paint.dim('ℹ')}  Could not extract skill package — install not blocked`);
+    console.log('');
+    return 0;
+  }
+
+  // ── Step 3: Collect all files ──────────────────────────────────────────────
+  const allFiles = getAllFiles(extractDir);
+  console.log(`  ${paint.dim('Scanning')} ${allFiles.length} file${allFiles.length !== 1 ? 's' : ''}...`);
+  console.log('');
+
+  // ── Step 4: Run ClawArmor scanners ────────────────────────────────────────
+  // Not a built-in — treat as third-party (isBuiltin = false)
+  const codeFindings = allFiles.flatMap(f => scanFile(f, false));
+  const mdResults = scanSkillMdFiles(allFiles, false);
+  const mdFindings = mdResults.flatMap(r => r.findings);
+  const allFindings = [...codeFindings, ...mdFindings];
+
+  const criticals = allFindings.filter(f => f.severity === 'CRITICAL');
+  const highs = allFindings.filter(f => f.severity === 'HIGH');
+  const mediums = allFindings.filter(f => f.severity === 'MEDIUM');
+  const lows = allFindings.filter(f => f.severity === 'LOW' || f.severity === 'INFO');
+
+  // ── Cleanup (always) ──────────────────────────────────────────────────────
+  cleanupTmp(tmpDir);
+
+  // ── Audit log ─────────────────────────────────────────────────────────────
+  append({
+    cmd: 'prescan',
+    trigger: 'prescan',
+    score: null,
+    delta: null,
+    findings: allFindings.map(f => ({ id: f.patternId || f.id || '?', severity: f.severity })),
+    blocked: criticals.length > 0,
+    skill: skillName,
+  });
+
+  // ── Output ────────────────────────────────────────────────────────────────
+  if (!allFindings.length) {
+    console.log(`  ${paint.green('✓')} ClawArmor prescan: clean — 0 findings`);
+    console.log('');
+    return 0;
+  }
+
+  // CRITICAL → print details, block install (exit 1)
+  if (criticals.length) {
+    console.log(SEP);
+    console.log(`  ${paint.red('✗')} ${paint.bold(`CRITICAL (${criticals.length}) — install blocked`)}`);
+    console.log(SEP);
+    for (const f of criticals) {
+      console.log('');
+      console.log(`  ${paint.red('✗')} ${(severityColor['CRITICAL'] || paint.red)('[CRITICAL]')} ${paint.bold(f.title)}`);
+      console.log(`    ${paint.dim(f.description || '')}`);
+      for (const m of (f.matches || []).slice(0, 2)) {
+        console.log(`    ${paint.dim('→')} ${paint.cyan(':' + m.line)}  ${paint.dim(m.snippet)}`);
+      }
+    }
+
+    if (highs.length || mediums.length) {
+      console.log('');
+      const extra = [];
+      if (highs.length) extra.push(`${highs.length} HIGH`);
+      if (mediums.length) extra.push(`${mediums.length} MEDIUM`);
+      console.log(`  ${paint.yellow('!')} Additional: ${extra.join(', ')} (fix criticals first)`);
+    }
+
+    console.log('');
+    console.log(`  ${paint.red('✗')} Skill blocked. Do NOT install ${paint.bold(skillName)}.`);
+    console.log('');
+    return 1;
+  }
+
+  // HIGH → warn, allow install
+  if (highs.length) {
+    console.log(SEP);
+    console.log(`  ${paint.yellow('⚠')} ${paint.bold(`HIGH (${highs.length}) — review before using`)}`);
+    console.log(SEP);
+    for (const f of highs) {
+      console.log('');
+      console.log(`  ${paint.yellow('!')} ${(severityColor['HIGH'] || paint.yellow)('[HIGH]')} ${paint.bold(f.title)}`);
+      console.log(`    ${paint.dim(f.description || '')}`);
+      for (const m of (f.matches || []).slice(0, 2)) {
+        console.log(`    ${paint.dim('→')} ${paint.cyan(':' + m.line)}  ${paint.dim(m.snippet)}`);
+      }
+    }
+    console.log('');
+  }
+
+  // MEDIUM/LOW → summary line only
+  if (mediums.length || lows.length) {
+    const parts = [];
+    if (mediums.length) parts.push(`${mediums.length} medium`);
+    if (lows.length) parts.push(`${lows.length} low/info`);
+    console.log(`  ${paint.dim('ℹ')}  ${parts.join(', ')} additional finding${(mediums.length + lows.length) > 1 ? 's' : ''} (review manually)`);
+    console.log('');
+  }
+
+  return 0;
+}