clawarmor 2.0.0-alpha.3 → 2.1.0

package/lib/prescan.js

@@ -1,16 +1,17 @@
 // ClawArmor v2.0 — Pre-scan a skill before installing
-// Downloads the npm package to a temp dir, scans it with the full
-// ClawArmor scanner, and exits 1 (blocks install) only on CRITICAL findings.
+// Supports both npm packages and ClawHub skills.
+// ClawHub skills are checked locally first; npm is used as fallback.
 
-import { mkdirSync, rmSync, readdirSync } from 'fs';
+import { mkdirSync, rmSync, readdirSync, existsSync } from 'fs';
 import { join } from 'path';
-import { tmpdir } from 'os';
+import { tmpdir, homedir } from 'os';
 import { execSync } from 'child_process';
 import { scanFile } from './scanner/file-scanner.js';
 import { scanSkillMdFiles } from './scanner/skill-md-scanner.js';
 import { paint, severityColor } from './output/colors.js';
 import { append } from './audit-log.js';
 
+const HOME = homedir();
 const SEP = paint.dim('─'.repeat(52));
 
 function getAllFiles(dir, files = []) {
@@ -29,91 +30,83 @@ function cleanupTmp(dir) {
   try { rmSync(dir, { recursive: true, force: true }); } catch { /* non-fatal */ }
 }
 
-export async function runPrescan(skillName) {
-  console.log('');
-  console.log(`  ${paint.bold('ClawArmor Prescan')} — ${paint.cyan(skillName)}`);
-  console.log(`  ${paint.dim('Fetching package from npm registry...')}`);
-  console.log('');
+// ── ClawHub skill detection ──────────────────────────────────────────────────
 
-  const tmpDir = join(tmpdir(), `clawarmor-prescan-${Date.now()}`);
-  mkdirSync(tmpDir, { recursive: true });
+function isNpmScoped(name) {
+  // Scoped npm package: @org/pkg
+  return name.startsWith('@') && name.includes('/');
+}
 
-  // ── Step 1: Download via npm pack ─────────────────────────────────────────
-  let tarball;
+function looksLikeClawHubSkill(name) {
+  // Plain name, no scope, no slash — could be a ClawHub skill; try local first
+  return !name.startsWith('@') && !name.includes('/');
+}
+
+// Returns the local install path for a ClawHub skill, or null if not found.
+function findLocalClawHubSkill(name) {
+  // Path 1: ~/.openclaw/skills/<name>/
+  const userSkillsPath = join(HOME, '.openclaw', 'skills', name);
+  if (existsSync(userSkillsPath)) return userSkillsPath;
+
+  // Path 2: openclaw npm module's skills directory
+  // Try common global npm locations
+  const candidates = [
+    join(HOME, '.npm-global', 'lib', 'node_modules', 'openclaw', 'skills', name),
+    '/usr/local/lib/node_modules/openclaw/skills/' + name,
+    '/usr/lib/node_modules/openclaw/skills/' + name,
+    join(HOME, '.nvm', 'versions', 'node'),  // nvm — we check dirs below
+  ];
+
+  // Try to resolve openclaw via node resolution from this file's location
   try {
-    execSync(`npm pack ${skillName}`, {
-      cwd: tmpDir,
-      timeout: 30000,
+    const result = execSync('node -e "console.log(require.resolve(\'openclaw/package.json\'))"', {
+      encoding: 'utf8',
+      timeout: 5000,
       stdio: ['ignore', 'pipe', 'ignore'],
-    });
-    const tarballs = readdirSync(tmpDir).filter(f => f.endsWith('.tgz'));
-    if (!tarballs.length) throw new Error('npm pack produced no tarball');
-    tarball = join(tmpDir, tarballs[0]);
-  } catch {
-    cleanupTmp(tmpDir);
-    console.log(`  ${paint.dim('ℹ')}  Could not fetch skill for scanning`);
-    console.log(`     ${paint.dim('(package not found or network error — install not blocked)')}`);
-    console.log('');
-    return 0;
-  }
+    }).trim();
+    if (result) {
+      // result is like /path/to/node_modules/openclaw/package.json
+      const ocDir = result.replace(/[\\/]package\.json$/, '');
+      const skillPath = join(ocDir, 'skills', name);
+      if (existsSync(skillPath)) return skillPath;
+    }
+  } catch { /* openclaw may not be installed */ }
 
-  // ── Step 2: Extract tarball ────────────────────────────────────────────────
-  const extractDir = join(tmpDir, 'extracted');
-  mkdirSync(extractDir, { recursive: true });
-  try {
-    execSync(`tar -xzf "${tarball}" -C "${extractDir}"`, {
-      timeout: 15000,
-      stdio: ['ignore', 'ignore', 'ignore'],
-    });
-  } catch {
-    cleanupTmp(tmpDir);
-    console.log(`  ${paint.dim('ℹ')}  Could not extract skill package — install not blocked`);
-    console.log('');
-    return 0;
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) return candidate;
   }
 
-  // ── Step 3: Collect all files ──────────────────────────────────────────────
-  const allFiles = getAllFiles(extractDir);
-  console.log(`  ${paint.dim('Scanning')} ${allFiles.length} file${allFiles.length !== 1 ? 's' : ''}...`);
-  console.log('');
+  return null;
+}
+
+// ── Scan a directory of files ────────────────────────────────────────────────
 
-  // ── Step 4: Run ClawArmor scanners ────────────────────────────────────────
-  // Not a built-in — treat as third-party (isBuiltin = false)
+function scanDirectory(dir) {
+  const allFiles = getAllFiles(dir);
   const codeFindings = allFiles.flatMap(f => scanFile(f, false));
   const mdResults = scanSkillMdFiles(allFiles, false);
   const mdFindings = mdResults.flatMap(r => r.findings);
-  const allFindings = [...codeFindings, ...mdFindings];
+  return { allFiles, allFindings: [...codeFindings, ...mdFindings] };
+}
+
+// ── Result printer ───────────────────────────────────────────────────────────
 
+function printResult(skillName, allFiles, allFindings) {
   const criticals = allFindings.filter(f => f.severity === 'CRITICAL');
   const highs = allFindings.filter(f => f.severity === 'HIGH');
   const mediums = allFindings.filter(f => f.severity === 'MEDIUM');
   const lows = allFindings.filter(f => f.severity === 'LOW' || f.severity === 'INFO');
+  const fileCount = allFiles.length;
 
-  // ── Cleanup (always) ──────────────────────────────────────────────────────
-  cleanupTmp(tmpDir);
-
-  // ── Audit log ─────────────────────────────────────────────────────────────
-  append({
-    cmd: 'prescan',
-    trigger: 'prescan',
-    score: null,
-    delta: null,
-    findings: allFindings.map(f => ({ id: f.patternId || f.id || '?', severity: f.severity })),
-    blocked: criticals.length > 0,
-    skill: skillName,
-  });
-
-  // ── Output ────────────────────────────────────────────────────────────────
   if (!allFindings.length) {
-    console.log(`  ${paint.green('✓')} ClawArmor prescan: clean — 0 findings`);
+    console.log(`  ${paint.green('✓')} ${paint.bold(skillName)} ${paint.dim('—')} clean ${paint.dim('(' + fileCount + ' file' + (fileCount !== 1 ? 's' : '') + ' scanned, 0 findings)')}`);
     console.log('');
     return 0;
   }
 
-  // CRITICAL → print details, block install (exit 1)
   if (criticals.length) {
-    console.log(SEP);
-    console.log(`  ${paint.red('✗')} ${paint.bold(`CRITICAL (${criticals.length}) — install blocked`)}`);
+    console.log(`  ${paint.red('✗')} ${paint.bold(skillName)} ${paint.dim('—')} ${paint.red('BLOCKED')} ${paint.dim('(' + criticals.length + ' critical finding' + (criticals.length !== 1 ? 's' : '') + ')')}`);
+    console.log('');
     console.log(SEP);
     for (const f of criticals) {
       console.log('');
@@ -138,10 +131,10 @@ export async function runPrescan(skillName) {
     return 1;
   }
 
-  // HIGH → warn, allow install
+  // HIGH → warn, allow
   if (highs.length) {
-    console.log(SEP);
-    console.log(`  ${paint.yellow('⚠')} ${paint.bold(`HIGH (${highs.length}) — review before using`)}`);
+    console.log(`  ${paint.yellow('⚠')} ${paint.bold(skillName)} ${paint.dim('—')} ${paint.yellow('review recommended')} ${paint.dim('(' + highs.length + ' high finding' + (highs.length !== 1 ? 's' : '') + ', ' + fileCount + ' files)')}`);
+    console.log('');
     console.log(SEP);
     for (const f of highs) {
       console.log('');
@@ -152,9 +145,10 @@ export async function runPrescan(skillName) {
       }
     }
     console.log('');
+  } else {
+    console.log(`  ${paint.yellow('!')} ${paint.bold(skillName)} ${paint.dim('—')} ${paint.dim(fileCount + ' files scanned, ' + (mediums.length + lows.length) + ' low/medium findings')}`);
   }
 
-  // MEDIUM/LOW → summary line only
   if (mediums.length || lows.length) {
     const parts = [];
     if (mediums.length) parts.push(`${mediums.length} medium`);
@@ -165,3 +159,105 @@ export async function runPrescan(skillName) {
 
   return 0;
 }
+
+// ── Download via npm pack ────────────────────────────────────────────────────
+
+async function scanViaNpm(skillName, tmpDir) {
+  let tarball;
+  try {
+    execSync(`npm pack ${skillName}`, {
+      cwd: tmpDir,
+      timeout: 30000,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    const tarballs = readdirSync(tmpDir).filter(f => f.endsWith('.tgz'));
+    if (!tarballs.length) throw new Error('npm pack produced no tarball');
+    tarball = join(tmpDir, tarballs[0]);
+  } catch {
+    return null; // not found or network error
+  }
+
+  const extractDir = join(tmpDir, 'extracted');
+  mkdirSync(extractDir, { recursive: true });
+  try {
+    execSync(`tar -xzf "${tarball}" -C "${extractDir}"`, {
+      timeout: 15000,
+      stdio: ['ignore', 'ignore', 'ignore'],
+    });
+  } catch {
+    return null;
+  }
+
+  return extractDir;
+}
+
+// ── Main export ───────────────────────────────────────────────────────────────
+
+export async function runPrescan(skillName) {
+  console.log('');
+  console.log(`  ${paint.bold('ClawArmor Prescan')} — ${paint.cyan(skillName)}`);
+  console.log('');
+
+  let scanDir = null;
+  let usedTmp = null;
+  let source = 'npm';
+
+  // ── Step 1: Check local ClawHub install (for plain skill names) ───────────
+  if (looksLikeClawHubSkill(skillName)) {
+    const localPath = findLocalClawHubSkill(skillName);
+    if (localPath) {
+      console.log(`  ${paint.dim('Found locally:')} ${paint.dim(localPath)}`);
+      console.log(`  ${paint.dim('Scanning local files...')}`);
+      console.log('');
+      scanDir = localPath;
+      source = 'local';
+    } else {
+      console.log(`  ${paint.dim('Not found locally — fetching from npm registry...')}`);
+      console.log('');
+    }
+  } else {
+    console.log(`  ${paint.dim('Fetching package from npm registry...')}`);
+    console.log('');
+  }
+
+  // ── Step 2: Fallback to npm pack if not local ─────────────────────────────
+  if (!scanDir) {
+    const tmpDir = join(tmpdir(), `clawarmor-prescan-${Date.now()}`);
+    mkdirSync(tmpDir, { recursive: true });
+    usedTmp = tmpDir;
+
+    const extractDir = await scanViaNpm(skillName, tmpDir);
+    if (!extractDir) {
+      cleanupTmp(tmpDir);
+      console.log(`  ${paint.dim('ℹ')}  Could not fetch skill for scanning`);
+      console.log(`     ${paint.dim('(package not found or network error — install not blocked)')}`);
+      console.log('');
+      return 0;
+    }
+    scanDir = extractDir;
+  }
+
+  // ── Step 3: Scan ──────────────────────────────────────────────────────────
+  const { allFiles, allFindings } = scanDirectory(scanDir);
+  console.log(`  ${paint.dim('Scanning')} ${allFiles.length} file${allFiles.length !== 1 ? 's' : ''}...`);
+  console.log('');
+
+  // ── Cleanup tmp (always, only if we created one) ──────────────────────────
+  if (usedTmp) cleanupTmp(usedTmp);
+
+  // ── Audit log ─────────────────────────────────────────────────────────────
+  const criticals = allFindings.filter(f => f.severity === 'CRITICAL');
+  append({
+    cmd: 'prescan',
+    trigger: 'prescan',
+    score: null,
+    delta: null,
+    findings: allFindings.map(f => ({ id: f.patternId || f.id || '?', severity: f.severity })),
+    blocked: criticals.length > 0,
+    skill: skillName,
+    source,
+  });
+
+  // ── Output ────────────────────────────────────────────────────────────────
+  return printResult(skillName, allFiles, allFindings);
+}

package/lib/protect.js

@@ -18,6 +18,9 @@ const HOOKS_DIR = join(OC_DIR, 'hooks');
 const GUARD_HOOK_DIR = join(HOOKS_DIR, 'clawarmor-guard');
 const CLI_PATH = new URL('../cli.js', import.meta.url).pathname;
 
+const FISH_FUNCTIONS_DIR = join(HOME, '.config', 'fish', 'functions');
+const FISH_FUNCTION_FILE = join(FISH_FUNCTIONS_DIR, 'openclaw.fish');
+
 const SHELL_FUNCTION = `
 # ClawArmor intercept — added by: clawarmor protect --install
 # Wraps 'openclaw clawhub install' to scan skills before activation.
@@ -34,6 +37,17 @@ openclaw() {
 const SHELL_MARKER_START = '# ClawArmor intercept — added by: clawarmor protect --install';
 const SHELL_MARKER_END = '# End ClawArmor intercept';
 
+const FISH_FUNCTION = `# ClawArmor intercept — added by: clawarmor protect --install
+function openclaw
+    if test (count $argv) -ge 3 -a "$argv[1]" = clawhub -a "$argv[2]" = install
+        echo "🛡 ClawArmor: scanning $argv[3] before install..."
+        clawarmor prescan $argv[3]; or begin; echo "❌ Blocked."; return 1; end
+    end
+    command openclaw $argv
+end
+`;
+const FISH_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
+
 const HOOK_MD = `---
 name: clawarmor-guard
 description: Runs a silent security audit on gateway startup and alerts on regressions
@@ -148,6 +162,39 @@ export default async function handler(event) {
 }
 `;
 
+// ── Fish shell ────────────────────────────────────────────────────────────────
+
+function fishConfigExists() {
+  return existsSync(join(HOME, '.config', 'fish', 'config.fish'));
+}
+
+function fishFunctionPresent() {
+  if (!existsSync(FISH_FUNCTION_FILE)) return false;
+  try {
+    return readFileSync(FISH_FUNCTION_FILE, 'utf8').includes(FISH_MARKER);
+  } catch { return false; }
+}
+
+function injectFishFunction() {
+  if (!fishConfigExists()) return false;
+  if (fishFunctionPresent()) return true;
+  try {
+    mkdirSync(FISH_FUNCTIONS_DIR, { recursive: true });
+    writeFileSync(FISH_FUNCTION_FILE, FISH_FUNCTION, 'utf8');
+    return true;
+  } catch { return false; }
+}
+
+function removeFishFunction() {
+  if (!existsSync(FISH_FUNCTION_FILE)) return false;
+  try {
+    const content = readFileSync(FISH_FUNCTION_FILE, 'utf8');
+    if (!content.includes(FISH_MARKER)) return false;
+    rmSync(FISH_FUNCTION_FILE, { force: true });
+    return true;
+  } catch { return false; }
+}
+
 // ── Install ──────────────────────────────────────────────────────────────────
 
 function writeHookFiles() {
@@ -251,10 +298,14 @@ export async function runProtect(flags = {}) {
       shellPath = shellPath ? shellPath + ', ~/.bashrc' : '~/.bashrc';
       shellInstalled = true;
     }
+    if (injectFishFunction()) {
+      shellPath = shellPath ? shellPath + ', ~/.config/fish' : '~/.config/fish';
+      shellInstalled = true;
+    }
     if (shellInstalled) {
       console.log(`  ✓ Shell intercept added (${shellPath})`);
     } else {
-      console.log(`  !  No ~/.zshrc or ~/.bashrc found — shell intercept skipped`);
+      console.log(`  !  No ~/.zshrc, ~/.bashrc, or fish config found — shell intercept skipped`);
     }
 
     // 4. Weekly digest cron
@@ -296,6 +347,10 @@ export async function runProtect(flags = {}) {
       console.log(`  ✓  Shell intercept removed from ~/.bashrc`);
       shellRemoved = true;
     }
+    if (removeFishFunction()) {
+      console.log(`  ✓  Shell intercept removed from ~/.config/fish/functions/openclaw.fish`);
+      shellRemoved = true;
+    }
     if (!shellRemoved) {
       console.log(`  -  No shell intercept found to remove`);
     }
@@ -322,14 +377,15 @@ export async function runProtect(flags = {}) {
     // Shell function
     const inZsh = shellFunctionPresent(zshrc);
     const inBash = shellFunctionPresent(bashrc);
-    if (inZsh || inBash) {
-      const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc'].filter(Boolean).join(', ');
+    const inFish = fishFunctionPresent();
+    if (inZsh || inBash || inFish) {
+      const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc', inFish && '~/.config/fish'].filter(Boolean).join(', ');
       console.log(`  Shell intercept          ✓ active  (${where})`);
     } else {
       console.log(`  Shell intercept          ✗ not installed`);
     }
 
-    const allActive = hookOk && daemon.running && (inZsh || inBash);
+    const allActive = hookOk && daemon.running && (inZsh || inBash || inFish);
     console.log('');
     if (allActive) {
       console.log(`  Full protection active.`);

package/lib/status.js

@@ -16,9 +16,11 @@ const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
 const AUDIT_LOG = join(CLAWARMOR_DIR, 'audit.log');
 const ZSHRC = join(HOME, '.zshrc');
 const BASHRC = join(HOME, '.bashrc');
+const FISH_FUNCTION_FILE = join(HOME, '.config', 'fish', 'functions', 'openclaw.fish');
 const SHELL_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
 const CRON_JOBS_FILE = join(OC_DIR, 'cron', 'jobs.json');
-const VERSION = '2.0.0-alpha.3';
+const HOOKS_DIR = join(OC_DIR, 'hooks', 'clawarmor-guard');
+const VERSION = '2.0.0';
 
 const SEP = paint.dim('─'.repeat(52));
 
@@ -54,13 +56,19 @@ function trendArrow(delta) {
 function intercept() {
   const inZsh = existsSync(ZSHRC) && readFileSync(ZSHRC, 'utf8').includes(SHELL_MARKER);
   const inBash = existsSync(BASHRC) && readFileSync(BASHRC, 'utf8').includes(SHELL_MARKER);
-  if (inZsh || inBash) {
-    const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc'].filter(Boolean).join(', ');
+  const inFish = existsSync(FISH_FUNCTION_FILE) && readFileSync(FISH_FUNCTION_FILE, 'utf8').includes(SHELL_MARKER);
+  if (inZsh || inBash || inFish) {
+    const where = [inZsh && '~/.zshrc', inBash && '~/.bashrc', inFish && '~/.config/fish'].filter(Boolean).join(', ');
     return { active: true, where };
   }
   return { active: false, where: null };
 }
 
+function hookFilesExist() {
+  return existsSync(join(HOOKS_DIR, 'HOOK.md')) &&
+         existsSync(join(HOOKS_DIR, 'handler.js'));
+}
+
 function parseAuditLog() {
   if (!existsSync(AUDIT_LOG)) return { count: 0, lastEntry: null };
   try {
@@ -91,7 +99,6 @@ function credentialSummary() {
   if (!existsSync(credFile)) return { count: 0, oldestDays: null };
   try {
     const data = JSON.parse(readFileSync(credFile, 'utf8'));
-    // Count token entries — format varies; try common patterns
     let tokens = [];
     if (Array.isArray(data)) tokens = data;
     else if (data.accounts) tokens = Object.values(data.accounts);
@@ -99,7 +106,6 @@ function credentialSummary() {
 
     const count = tokens.length;
 
-    // Try to find oldest by looking for date fields
     let oldest = null;
     for (const tok of tokens) {
       if (tok && typeof tok === 'object') {
@@ -120,15 +126,13 @@ function configBaselineStatus() {
   if (!existsSync(baselineFile)) return { status: 'unknown' };
   try {
     const baseline = JSON.parse(readFileSync(baselineFile, 'utf8'));
-    // Simple presence check — full integrity is handled by lib/integrity.js
     return { status: 'baseline', at: baseline.at || null };
   } catch { return { status: 'unknown' }; }
 }
 
 function nextDigestDate() {
-  // Next Sunday at 9am
   const now = new Date();
-  const dayOfWeek = now.getDay(); // 0=Sun
+  const dayOfWeek = now.getDay();
   const daysUntilSunday = dayOfWeek === 0 ? 7 : 7 - dayOfWeek;
   const next = new Date(now);
   next.setDate(now.getDate() + daysUntilSunday);
@@ -146,6 +150,15 @@ function digestInstalled() {
   return jobs.some(j => j.id === 'clawarmor-weekly-digest');
 }
 
+// ── Grade color (A+/A=green, B=yellow, C=orange/yellow, D/F=red) ─────────────
+
+function gradeStatusColor(grade) {
+  if (grade === 'A+' || grade === 'A') return paint.green;
+  if (grade === 'B') return paint.yellow;
+  if (grade === 'C') return paint.yellow; // no orange in ANSI; yellow is closest
+  return paint.red; // D, F
+}
+
 // ── Main export ───────────────────────────────────────────────────────────────
 
 export async function runStatus() {
@@ -158,12 +171,10 @@ export async function runStatus() {
   const history = readJson(HISTORY_FILE) || [];
   const latestHistoryForPosture = history.length ? history[history.length - 1] : null;
 
-  // Prefer last-score.json (written by watch/guard hook), fall back to history.json
   let score = lastScore?.score ?? latestHistoryForPosture?.score ?? null;
   let grade = lastScore?.grade ?? latestHistoryForPosture?.grade ?? null;
   let scoreTs = lastScore?.timestamp ?? latestHistoryForPosture?.timestamp ?? null;
 
-  // Trend: compare to ~7 days ago from history
   let weekDelta = null;
   if (history.length >= 2) {
     const weekAgo = Date.now() - 7 * 86_400_000;
@@ -173,13 +184,13 @@ export async function runStatus() {
     }
   }
 
-  // Score line
   if (score != null) {
     const grade2 = grade || scoreToGrade(score);
     const colorFn = scoreColor(score);
+    const gradeFn = gradeStatusColor(grade2);
     const arrow = trendArrow(weekDelta);
     const weekNote = weekDelta != null ? paint.dim(' vs last week') : '';
-    console.log(`  ${paint.dim('Posture')}       ${gradeColor(grade2)} ${colorFn(score + '/100')}   ${arrow}${weekNote}`);
+    console.log(`  ${paint.dim('Posture')}       ${gradeFn(grade2)} ${colorFn(score + '/100')}   ${arrow}${weekNote}`);
   } else {
     console.log(`  ${paint.dim('Posture')}       ${paint.dim('No audit data — run: clawarmor audit')}`);
   }
@@ -193,9 +204,12 @@ export async function runStatus() {
 
   // ── Watcher ───────────────────────────────────────────────────────────────
   const daemon = watchDaemonStatus();
-  const watchStr = daemon.running
-    ? `${paint.green('●')} ${paint.bold('running')} ${paint.dim('(PID ' + daemon.pid + ')')}`
-    : `${paint.dim('○')} ${paint.dim('stopped')}`;
+  let watchStr;
+  if (daemon.running) {
+    watchStr = `${paint.green('●')} ${paint.bold('running')} ${paint.dim('(PID ' + daemon.pid + ')')}`;
+  } else {
+    watchStr = `${paint.red('○')} ${paint.red('stopped')}  ${paint.dim('→ run: clawarmor watch --daemon')}`;
+  }
   console.log(`  ${paint.dim('Watcher')}       ${watchStr}`);
 
   // ── Shell intercept ───────────────────────────────────────────────────────
@@ -245,6 +259,15 @@ export async function runStatus() {
     console.log(`  ${paint.dim('Next digest')}   ${paint.dim('not scheduled')}  ${paint.dim('(run: clawarmor protect --install)')}`);
   }
 
+  // ── Full protection footer ────────────────────────────────────────────────
+  const hookOk = hookFilesExist();
+  const fullProtection = hookOk && daemon.running && icp.active;
+  console.log('');
+  if (fullProtection) {
+    console.log(`  Full protection: ${paint.green('[✓ YES]')}`);
+  } else {
+    console.log(`  Full protection: ${paint.red('[✗ NO')} ${paint.dim('— run clawarmor protect --install]')}`);
+  }
   console.log('');
   return 0;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "clawarmor",
-  "version": "2.0.0-alpha.3",
-  "description": "Security armor for OpenClaw agents — audit, scan, monitor",
+  "version": "2.1.0",
+  "description": "Security armor for OpenClaw agents \u2014 audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"
   },