clawarmor 1.2.0 → 2.0.0-alpha.3

package/lib/protect.js

@@ -0,0 +1,352 @@
+// clawarmor protect — Install/uninstall/status the full ClawArmor guard system.
+// --install:   writes hook files, adds shell intercept, starts watch daemon
+// --uninstall: reverses all of the above cleanly
+// --status:    shows current state without modifying anything
+
+import {
+  existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync, readdirSync, rmSync,
+} from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { spawnSync } from 'child_process';
+import { watchDaemonStatus } from './watch.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const HOOKS_DIR = join(OC_DIR, 'hooks');
+const GUARD_HOOK_DIR = join(HOOKS_DIR, 'clawarmor-guard');
+const CLI_PATH = new URL('../cli.js', import.meta.url).pathname;
+
+const SHELL_FUNCTION = `
+# ClawArmor intercept — added by: clawarmor protect --install
+# Wraps 'openclaw clawhub install' to scan skills before activation.
+openclaw() {
+  if [ "$1" = "clawhub" ] && [ "$2" = "install" ] && [ -n "$3" ]; then
+    echo "ClawArmor: scanning $3 before install..."
+    clawarmor prescan "$3" || { echo "Blocked by ClawArmor. Use --force to override."; return 1; }
+  fi
+  command openclaw "$@"
+}
+# End ClawArmor intercept
+`;
+
+const SHELL_MARKER_START = '# ClawArmor intercept — added by: clawarmor protect --install';
+const SHELL_MARKER_END = '# End ClawArmor intercept';
+
+const HOOK_MD = `---
+name: clawarmor-guard
+description: Runs a silent security audit on gateway startup and alerts on regressions
+events:
+  - gateway:startup
+requires:
+  bins:
+    - clawarmor
+---
+
+# clawarmor-guard
+
+Fires on every gateway startup. Runs \`clawarmor audit --json\` in the background,
+compares the score to the last known baseline, and alerts the agent if the score
+drops by 5 or more points, or if a new CRITICAL finding appears.
+
+Install with: \`clawarmor protect --install\`
+`;
+
+const HANDLER_JS = `// clawarmor-guard hook handler
+// Fires on gateway:startup. Silent unless score drops or CRITICAL finding appears.
+// No external dependencies.
+
+import { spawnSync } from 'child_process';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const LAST_SCORE_FILE = join(CLAWARMOR_DIR, 'last-score.json');
+
+function readLastScore() {
+  try {
+    if (existsSync(LAST_SCORE_FILE)) return JSON.parse(readFileSync(LAST_SCORE_FILE, 'utf8'));
+  } catch {}
+  return null;
+}
+
+function writeLastScore(data) {
+  try {
+    mkdirSync(CLAWARMOR_DIR, { recursive: true });
+    writeFileSync(LAST_SCORE_FILE, JSON.stringify(data, null, 2), 'utf8');
+  } catch {}
+}
+
+function runAuditJson() {
+  try {
+    const result = spawnSync('clawarmor', ['audit', '--json'], {
+      encoding: 'utf8',
+      timeout: 30000,
+      maxBuffer: 1024 * 1024,
+    });
+    if (result.stdout) {
+      const jsonStart = result.stdout.indexOf('{');
+      if (jsonStart !== -1) return JSON.parse(result.stdout.slice(jsonStart));
+    }
+  } catch {}
+  return null;
+}
+
+// Main hook entry point — called by openclaw on gateway:startup
+export default async function handler(event) {
+  let auditResult;
+  try {
+    auditResult = runAuditJson();
+  } catch (e) {
+    // If clawarmor itself fails, don't block startup
+    return;
+  }
+
+  if (!auditResult) return;
+
+  const newScore = auditResult.score ?? null;
+  const lastState = readLastScore();
+  const lastScore = lastState?.score ?? null;
+  const isFirstRun = lastScore === null;
+
+  if (newScore !== null) {
+    if (isFirstRun) {
+      writeLastScore({ score: newScore, grade: auditResult.grade, timestamp: new Date().toISOString() });
+      // First run — establish baseline silently
+      return;
+    }
+
+    const drop = lastScore - newScore;
+    const newCriticals = (auditResult.failed || []).filter(f => f.severity === 'CRITICAL');
+    const hadCriticals = (lastState?.criticals || 0);
+    const newCriticalCount = newCriticals.length;
+
+    writeLastScore({
+      score: newScore,
+      grade: auditResult.grade,
+      criticals: newCriticalCount,
+      timestamp: new Date().toISOString(),
+    });
+
+    if (newCriticalCount > hadCriticals) {
+      // New CRITICAL finding — alert immediately
+      const names = newCriticals.map(f => f.id || f.title).join(', ');
+      console.error(\`[ClawArmor] CRITICAL security finding: \${names}\`);
+      console.error(\`[ClawArmor] Run: clawarmor audit   for details and fix commands.\`);
+      return;
+    }
+
+    if (drop >= 5) {
+      console.error(\`[ClawArmor] Security score dropped \${drop} points (\${lastScore} → \${newScore})\`);
+      console.error(\`[ClawArmor] Run: clawarmor audit   to see what changed.\`);
+    }
+    // Score improved or unchanged — no output (don't interrupt users with good news)
+  }
+}
+`;
+
+// ── Install ──────────────────────────────────────────────────────────────────
+
+function writeHookFiles() {
+  mkdirSync(GUARD_HOOK_DIR, { recursive: true });
+  writeFileSync(join(GUARD_HOOK_DIR, 'HOOK.md'), HOOK_MD, 'utf8');
+  writeFileSync(join(GUARD_HOOK_DIR, 'handler.js'), HANDLER_JS, 'utf8');
+}
+
+function removeHookFiles() {
+  if (!existsSync(GUARD_HOOK_DIR)) return false;
+  try {
+    rmSync(GUARD_HOOK_DIR, { recursive: true, force: true });
+    return true;
+  } catch { return false; }
+}
+
+function hookFilesExist() {
+  return existsSync(join(GUARD_HOOK_DIR, 'HOOK.md')) &&
+         existsSync(join(GUARD_HOOK_DIR, 'handler.js'));
+}
+
+// ── Shell function ────────────────────────────────────────────────────────────
+
+function shellFunctionPresent(rcPath) {
+  if (!existsSync(rcPath)) return false;
+  try {
+    return readFileSync(rcPath, 'utf8').includes(SHELL_MARKER_START);
+  } catch { return false; }
+}
+
+function injectShellFunction(rcPath) {
+  if (!existsSync(rcPath)) return false;
+  if (shellFunctionPresent(rcPath)) return true; // already there
+  try {
+    const existing = readFileSync(rcPath, 'utf8');
+    writeFileSync(rcPath, existing + '\n' + SHELL_FUNCTION, 'utf8');
+    return true;
+  } catch { return false; }
+}
+
+function removeShellFunction(rcPath) {
+  if (!existsSync(rcPath)) return false;
+  try {
+    const content = readFileSync(rcPath, 'utf8');
+    const start = content.indexOf(SHELL_MARKER_START);
+    const end = content.indexOf(SHELL_MARKER_END);
+    if (start === -1) return false;
+    const after = end !== -1 ? end + SHELL_MARKER_END.length : start;
+    const newContent = content.slice(0, start).trimEnd() + '\n' + content.slice(after + 1);
+    writeFileSync(rcPath, newContent, 'utf8');
+    return true;
+  } catch { return false; }
+}
+
+function startWatchDaemon() {
+  const result = spawnSync(process.execPath, [CLI_PATH, 'watch', '--daemon'], {
+    encoding: 'utf8',
+    timeout: 10000,
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+  return result.status === 0;
+}
+
+// ── Public API ────────────────────────────────────────────────────────────────
+
+export async function runProtect(flags = {}) {
+  const zshrc = join(HOME, '.zshrc');
+  const bashrc = join(HOME, '.bashrc');
+
+  if (flags.install) {
+    console.log('\n  ClawArmor Protect — installing...\n');
+
+    // 1. Hook files
+    writeHookFiles();
+    console.log(`  ✓ Gateway hook installed (clawarmor-guard)`);
+
+    // 2. Start watch daemon
+    const daemonStarted = startWatchDaemon();
+    let daemonPid = null;
+    if (daemonStarted) {
+      // Read the PID that was written by the daemon
+      try {
+        const pidFile = join(CLAWARMOR_DIR, 'watch.pid');
+        if (existsSync(pidFile)) daemonPid = readFileSync(pidFile, 'utf8').trim();
+      } catch { /* non-fatal */ }
+      const pidStr = daemonPid ? ` (PID ${daemonPid})` : '';
+      console.log(`  ✓ Watch daemon started${pidStr}`);
+    } else {
+      console.log(`  !  Watch daemon could not be started automatically`);
+      console.log(`     Run manually: clawarmor watch --daemon`);
+    }
+
+    // 3. Shell intercept
+    let shellInstalled = false;
+    let shellPath = null;
+    if (injectShellFunction(zshrc)) {
+      shellPath = '~/.zshrc';
+      shellInstalled = true;
+    }
+    if (injectShellFunction(bashrc)) {
+      shellPath = shellPath ? shellPath + ', ~/.bashrc' : '~/.bashrc';
+      shellInstalled = true;
+    }
+    if (shellInstalled) {
+      console.log(`  ✓ Shell intercept added (${shellPath})`);
+    } else {
+      console.log(`  !  No ~/.zshrc or ~/.bashrc found — shell intercept skipped`);
+    }
+
+    // 4. Weekly digest cron
+    const { installDigestCron } = await import('./digest.js');
+    const cronOk = installDigestCron();
+    if (cronOk) {
+      console.log(`  ✓ Weekly digest scheduled (Sundays 9am)`);
+    } else {
+      console.log(`  !  Could not write digest cron job`);
+    }
+
+    console.log('\n  ClawArmor Protect is now active.\n');
+    console.log(`  The guard hook fires on every gateway startup.`);
+    console.log(`  The watcher monitors config and skill changes in real time.`);
+    if (shellInstalled) {
+      console.log(`  Restart your shell (or: source ~/.zshrc) for the intercept to take effect.`);
+    }
+    console.log('');
+    return 0;
+  }
+
+  if (flags.uninstall) {
+    console.log('\n  ClawArmor Protect — uninstalling...\n');
+
+    // 1. Hook files
+    if (removeHookFiles()) {
+      console.log(`  ✓  Hook files removed`);
+    } else {
+      console.log(`  -  Hook files were not present`);
+    }
+
+    // 2. Shell function
+    let shellRemoved = false;
+    if (removeShellFunction(zshrc)) {
+      console.log(`  ✓  Shell intercept removed from ~/.zshrc`);
+      shellRemoved = true;
+    }
+    if (removeShellFunction(bashrc)) {
+      console.log(`  ✓  Shell intercept removed from ~/.bashrc`);
+      shellRemoved = true;
+    }
+    if (!shellRemoved) {
+      console.log(`  -  No shell intercept found to remove`);
+    }
+
+    // 3. Stop watch daemon
+    const { stopDaemon } = await import('./watch.js');
+    stopDaemon();
+
+    console.log('\n  ClawArmor Protect has been uninstalled.\n');
+    return 0;
+  }
+
+  if (flags.status) {
+    console.log('\n  ClawArmor Protect — Status\n');
+
+    // Hook files
+    const hookOk = hookFilesExist();
+    console.log(`  Hook (gateway:startup)   ${hookOk ? '✓ installed' : '✗ not installed'}`);
+
+    // Watch daemon
+    const daemon = watchDaemonStatus();
+    console.log(`  Watch daemon             ${daemon.running ? `● running  (PID ${daemon.pid})` : '○ not running'}`);
+
+    // Shell function
+    const inZsh = shellFunctionPresent(zshrc);
+    const inBash = shellFunctionPresent(bashrc);
+    if (inZsh || inBash) {
+      const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc'].filter(Boolean).join(', ');
+      console.log(`  Shell intercept          ✓ active  (${where})`);
+    } else {
+      console.log(`  Shell intercept          ✗ not installed`);
+    }
+
+    const allActive = hookOk && daemon.running && (inZsh || inBash);
+    console.log('');
+    if (allActive) {
+      console.log(`  Full protection active.`);
+    } else {
+      console.log(`  Protection incomplete. Run: clawarmor protect --install`);
+    }
+    console.log('');
+    return 0;
+  }
+
+  // No flag — show usage
+  console.log('');
+  console.log(`  Usage: clawarmor protect [--install | --uninstall | --status]`);
+  console.log('');
+  console.log(`    --install    Install the guard hook, shell intercept, and watch daemon`);
+  console.log(`    --uninstall  Remove all ClawArmor protect components`);
+  console.log(`    --status     Show current protection state`);
+  console.log('');
+  return 0;
+}

package/lib/scan.js

@@ -2,6 +2,7 @@ import { paint, severityColor } from './output/colors.js';
 import { scanFile } from './scanner/file-scanner.js';
 import { findInstalledSkills } from './scanner/skill-finder.js';
 import { scanSkillMdFiles } from './scanner/skill-md-scanner.js';
+import { append as auditLogAppend } from './audit-log.js';
 
 const SEP = paint.dim('─'.repeat(52));
 const HOME = process.env.HOME || '';
@@ -33,6 +34,7 @@ export async function runScan() {
 
   let totalCritical = 0, totalHigh = 0;
   const flagged = [];
+  const auditFindings = []; // accumulated for audit log
 
   for (const skill of skills) {
     process.stdout.write(`  ${skill.isBuiltin ? paint.dim('⊙') : paint.cyan('▶')} ${paint.bold(skill.name)}${paint.dim(skill.isBuiltin?' [built-in]':' [user]')}...`);
@@ -45,6 +47,7 @@ export async function runScan() {
     const mdFindings = mdResults.flatMap(r => r.findings);
 
     const allFindings = [...codeFindings, ...mdFindings];
+    for (const f of allFindings) auditFindings.push({ id: f.patternId || f.id || '?', severity: f.severity });
 
     const critical = allFindings.filter(f => f.severity==='CRITICAL');
     const high = allFindings.filter(f => f.severity==='HIGH');
@@ -125,5 +128,16 @@ export async function runScan() {
   }
   console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('to check your config.')}`);
   console.log('');
+
+  auditLogAppend({
+    cmd: 'scan',
+    trigger: 'manual',
+    score: null,
+    delta: null,
+    findings: auditFindings,
+    blocked: null,
+    skill: null,
+  });
+
   return totalCritical > 0 ? 1 : 0;
 }

package/lib/status.js

@@ -0,0 +1,250 @@
+// clawarmor status — One-screen security posture dashboard.
+// Shows: score+grade+trend, last audit, watcher, intercept, log, skills, config, credentials, next digest.
+
+import { existsSync, readFileSync, readdirSync, statSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint } from './output/colors.js';
+import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
+import { watchDaemonStatus } from './watch.js';
+
+const HOME = homedir();
+const OC_DIR = join(HOME, '.openclaw');
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const LAST_SCORE_FILE = join(CLAWARMOR_DIR, 'last-score.json');
+const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
+const AUDIT_LOG = join(CLAWARMOR_DIR, 'audit.log');
+const ZSHRC = join(HOME, '.zshrc');
+const BASHRC = join(HOME, '.bashrc');
+const SHELL_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
+const CRON_JOBS_FILE = join(OC_DIR, 'cron', 'jobs.json');
+const VERSION = '2.0.0-alpha.3';
+
+const SEP = paint.dim('─'.repeat(52));
+
+// ── Helpers ─────────────────────────────────────────────────────────────────
+
+function readJson(file) {
+  try {
+    if (!existsSync(file)) return null;
+    return JSON.parse(readFileSync(file, 'utf8'));
+  } catch { return null; }
+}
+
+function timeAgo(isoString) {
+  if (!isoString) return 'never';
+  const ms = Date.now() - new Date(isoString).getTime();
+  const secs = Math.floor(ms / 1000);
+  if (secs < 60) return `${secs}s ago`;
+  const mins = Math.floor(secs / 60);
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+
+function trendArrow(delta) {
+  if (delta == null) return paint.dim('—');
+  if (delta > 0) return paint.green(`↑+${delta}`);
+  if (delta < 0) return paint.red(`↓${delta}`);
+  return paint.dim('→±0');
+}
+
+function intercept() {
+  const inZsh = existsSync(ZSHRC) && readFileSync(ZSHRC, 'utf8').includes(SHELL_MARKER);
+  const inBash = existsSync(BASHRC) && readFileSync(BASHRC, 'utf8').includes(SHELL_MARKER);
+  if (inZsh || inBash) {
+    const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc'].filter(Boolean).join(', ');
+    return { active: true, where };
+  }
+  return { active: false, where: null };
+}
+
+function parseAuditLog() {
+  if (!existsSync(AUDIT_LOG)) return { count: 0, lastEntry: null };
+  try {
+    const lines = readFileSync(AUDIT_LOG, 'utf8')
+      .split('\n')
+      .filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(Boolean);
+    return { count: lines.length, lastEntry: lines[lines.length - 1] || null };
+  } catch { return { count: 0, lastEntry: null }; }
+}
+
+function countInstalledSkills() {
+  const dirs = [];
+  const userSkillsDir = join(OC_DIR, 'skills');
+  if (existsSync(userSkillsDir)) {
+    try {
+      dirs.push(...readdirSync(userSkillsDir, { withFileTypes: true })
+        .filter(e => e.isDirectory())
+        .map(e => join(userSkillsDir, e.name)));
+    } catch { /* skip */ }
+  }
+  return dirs.length;
+}
+
+function credentialSummary() {
+  const credFile = join(OC_DIR, 'agent-accounts.json');
+  if (!existsSync(credFile)) return { count: 0, oldestDays: null };
+  try {
+    const data = JSON.parse(readFileSync(credFile, 'utf8'));
+    // Count token entries — format varies; try common patterns
+    let tokens = [];
+    if (Array.isArray(data)) tokens = data;
+    else if (data.accounts) tokens = Object.values(data.accounts);
+    else if (typeof data === 'object') tokens = Object.values(data);
+
+    const count = tokens.length;
+
+    // Try to find oldest by looking for date fields
+    let oldest = null;
+    for (const tok of tokens) {
+      if (tok && typeof tok === 'object') {
+        const dateStr = tok.createdAt || tok.created_at || tok.timestamp || null;
+        if (dateStr) {
+          const d = new Date(dateStr);
+          if (!isNaN(d) && (!oldest || d < oldest)) oldest = d;
+        }
+      }
+    }
+    const oldestDays = oldest ? Math.floor((Date.now() - oldest.getTime()) / 86_400_000) : null;
+    return { count, oldestDays };
+  } catch { return { count: 0, oldestDays: null }; }
+}
+
+function configBaselineStatus() {
+  const baselineFile = join(CLAWARMOR_DIR, 'config-baseline.json');
+  if (!existsSync(baselineFile)) return { status: 'unknown' };
+  try {
+    const baseline = JSON.parse(readFileSync(baselineFile, 'utf8'));
+    // Simple presence check — full integrity is handled by lib/integrity.js
+    return { status: 'baseline', at: baseline.at || null };
+  } catch { return { status: 'unknown' }; }
+}
+
+function nextDigestDate() {
+  // Next Sunday at 9am
+  const now = new Date();
+  const dayOfWeek = now.getDay(); // 0=Sun
+  const daysUntilSunday = dayOfWeek === 0 ? 7 : 7 - dayOfWeek;
+  const next = new Date(now);
+  next.setDate(now.getDate() + daysUntilSunday);
+  next.setHours(9, 0, 0, 0);
+  const daysUntil = Math.ceil((next - now) / 86_400_000);
+  return {
+    label: next.toLocaleDateString('en-US', { weekday: 'long', month: 'short', day: 'numeric' }),
+    daysUntil,
+  };
+}
+
+function digestInstalled() {
+  const jobs = readJson(CRON_JOBS_FILE);
+  if (!Array.isArray(jobs)) return false;
+  return jobs.some(j => j.id === 'clawarmor-weekly-digest');
+}
+
+// ── Main export ───────────────────────────────────────────────────────────────
+
+export async function runStatus() {
+  console.log('');
+  console.log(`  ${paint.bold('ClawArmor')} ${paint.dim('v' + VERSION)} ${paint.dim('—')} ${paint.bold('Security Status')}`);
+  console.log('');
+
+  // ── Posture ──────────────────────────────────────────────────────────────
+  const lastScore = readJson(LAST_SCORE_FILE);
+  const history = readJson(HISTORY_FILE) || [];
+  const latestHistoryForPosture = history.length ? history[history.length - 1] : null;
+
+  // Prefer last-score.json (written by watch/guard hook), fall back to history.json
+  let score = lastScore?.score ?? latestHistoryForPosture?.score ?? null;
+  let grade = lastScore?.grade ?? latestHistoryForPosture?.grade ?? null;
+  let scoreTs = lastScore?.timestamp ?? latestHistoryForPosture?.timestamp ?? null;
+
+  // Trend: compare to ~7 days ago from history
+  let weekDelta = null;
+  if (history.length >= 2) {
+    const weekAgo = Date.now() - 7 * 86_400_000;
+    const weekEntry = [...history].reverse().find(h => new Date(h.timestamp).getTime() < weekAgo);
+    if (weekEntry && score != null) {
+      weekDelta = score - weekEntry.score;
+    }
+  }
+
+  // Score line
+  if (score != null) {
+    const grade2 = grade || scoreToGrade(score);
+    const colorFn = scoreColor(score);
+    const arrow = trendArrow(weekDelta);
+    const weekNote = weekDelta != null ? paint.dim(' vs last week') : '';
+    console.log(`  ${paint.dim('Posture')}       ${gradeColor(grade2)} ${colorFn(score + '/100')}   ${arrow}${weekNote}`);
+  } else {
+    console.log(`  ${paint.dim('Posture')}       ${paint.dim('No audit data — run: clawarmor audit')}`);
+  }
+
+  // ── Last audit ────────────────────────────────────────────────────────────
+  const { count: logCount, lastEntry } = parseAuditLog();
+  const lastAuditTs = lastEntry?.ts ?? scoreTs ?? null;
+  const trigger = lastEntry?.trigger ?? 'manual';
+  const auditAgo = lastAuditTs ? timeAgo(lastAuditTs) : 'never';
+  console.log(`  ${paint.dim('Last audit')}    ${paint.bold(auditAgo)}  ${paint.dim('(' + trigger + ')')}`);
+
+  // ── Watcher ───────────────────────────────────────────────────────────────
+  const daemon = watchDaemonStatus();
+  const watchStr = daemon.running
+    ? `${paint.green('●')} ${paint.bold('running')} ${paint.dim('(PID ' + daemon.pid + ')')}`
+    : `${paint.dim('○')} ${paint.dim('stopped')}`;
+  console.log(`  ${paint.dim('Watcher')}       ${watchStr}`);
+
+  // ── Shell intercept ───────────────────────────────────────────────────────
+  const icp = intercept();
+  const icpStr = icp.active
+    ? `${paint.green('✓')} ${paint.bold('active')} ${paint.dim('(' + icp.where + ')')}`
+    : `${paint.red('✗')} ${paint.dim('not installed')}`;
+  console.log(`  ${paint.dim('Intercept')}     ${icpStr}`);
+
+  // ── Audit log ─────────────────────────────────────────────────────────────
+  console.log(`  ${paint.dim('Audit log')}     ${paint.bold(String(logCount))} ${paint.dim('events')}  ${paint.dim('(clawarmor log to view)')}`);
+
+  console.log('');
+  console.log(SEP);
+
+  // ── Skills ────────────────────────────────────────────────────────────────
+  const skillCount = countInstalledSkills();
+  console.log(`  ${paint.dim('Skills')}        ${paint.bold(String(skillCount))} ${paint.dim('installed')}  ${paint.dim('(clawarmor scan to check)')}`);
+
+  // ── Config baseline ───────────────────────────────────────────────────────
+  const baseline = configBaselineStatus();
+  const configStr = baseline.status === 'baseline'
+    ? `${paint.green('Baseline match')} ${paint.green('✓')}`
+    : paint.dim('No baseline yet — run: clawarmor audit');
+  console.log(`  ${paint.dim('Config')}        ${configStr}`);
+
+  // ── Credentials ───────────────────────────────────────────────────────────
+  const creds = credentialSummary();
+  let credStr = creds.count > 0
+    ? `${paint.bold(String(creds.count))} ${paint.dim('tokens')}`
+    : paint.dim('none found');
+  if (creds.oldestDays != null) {
+    const ageMark = creds.oldestDays > 90 ? paint.yellow('!') : paint.green('✓');
+    credStr += `${paint.dim(', oldest:')} ${creds.oldestDays}d ${ageMark}`;
+  }
+  console.log(`  ${paint.dim('Credentials')}   ${credStr}`);
+
+  console.log('');
+  console.log(SEP);
+
+  // ── Next digest ───────────────────────────────────────────────────────────
+  const digestOk = digestInstalled();
+  const nextDigest = nextDigestDate();
+  if (digestOk) {
+    console.log(`  ${paint.dim('Next digest')}   ${paint.bold(nextDigest.label)} ${paint.dim('(' + nextDigest.daysUntil + ' days)')}`);
+  } else {
+    console.log(`  ${paint.dim('Next digest')}   ${paint.dim('not scheduled')}  ${paint.dim('(run: clawarmor protect --install)')}`);
+  }
+
+  console.log('');
+  return 0;
+}