clawarmor 2.1.0 → 2.2.0

package/cli.js

@@ -3,7 +3,7 @@
 
 import { paint } from './lib/output/colors.js';
 
-const VERSION = '2.1.0';
+const VERSION = '2.2.0';
 const GATEWAY_PORT_DEFAULT = 18789;
 
 function isLocalhost(host) {
@@ -45,7 +45,8 @@ function usage() {
   console.log(`    ${paint.cyan('trend')}    Show score over last N audits (ASCII chart)`);
   console.log(`    ${paint.cyan('compare')}  Compare coverage vs openclaw security audit`);
   console.log(`    ${paint.cyan('fix')}      Auto-apply safe fixes (--dry-run to preview, --apply to run)`);
-  console.log(`    ${paint.cyan('harden')}   Interactive hardening wizard (--dry-run, --auto)`);
+  console.log(`    ${paint.cyan('harden')}   Interactive hardening wizard (--dry-run, --auto, --monitor)`);
+  console.log(`    ${paint.cyan('rollback')} Restore config from a snapshot (--list, --id <id>)`);
   console.log(`    ${paint.cyan('status')}   One-screen security posture dashboard`);
   console.log(`    ${paint.cyan('watch')}    Monitor config and skill changes in real time`);
   console.log(`    ${paint.cyan('protect')}  Install/uninstall/status the full guard system`);
@@ -203,11 +204,24 @@ if (cmd === 'harden') {
     dryRun: args.includes('--dry-run'),
     auto: args.includes('--auto'),
     force: args.includes('--force'),
+    monitor: args.includes('--monitor'),
+    monitorReport: args.includes('--monitor-report'),
+    monitorOff: args.includes('--monitor-off'),
   };
   const { runHarden } = await import('./lib/harden.js');
   process.exit(await runHarden(hardenFlags));
 }
 
+if (cmd === 'rollback') {
+  const idIdx = args.indexOf('--id');
+  const rollbackFlags = {
+    list: args.includes('--list'),
+    id: idIdx !== -1 ? args[idIdx + 1] : null,
+  };
+  const { runRollback } = await import('./lib/rollback.js');
+  process.exit(await runRollback(rollbackFlags));
+}
+
 if (cmd === 'status') {
   const { runStatus } = await import('./lib/status.js');
   process.exit(await runStatus());

package/lib/fix.js

@@ -1,13 +1,15 @@
 // clawarmor fix — auto-apply safe one-liner fixes
 // Now with impact classification: safe / caution / breaking
-import { readFileSync } from 'fs';
+import { readFileSync, existsSync, statSync } from 'fs';
 import { homedir } from 'os';
 import { join } from 'path';
 import { execSync, spawnSync } from 'child_process';
 import { paint } from './output/colors.js';
 import { loadConfig, get } from './config.js';
+import { saveSnapshot } from './snapshot.js';
 
-const HISTORY_PATH = join(homedir(), '.clawarmor', 'history.json');
+const HOME = homedir();
+const HISTORY_PATH = join(HOME, '.clawarmor', 'history.json');
 const SEP = paint.dim('─'.repeat(52));
 
 // Impact levels
@@ -97,6 +99,26 @@ const AUTO_FIXABLE = {
   },
 };
 
+function expandHome(p) {
+  return p.startsWith('~') ? HOME + p.slice(1) : p;
+}
+
+function collectFilePermissions(ids) {
+  const perms = {};
+  for (const id of ids) {
+    const f = AUTO_FIXABLE[id];
+    if (!f || !f.shell) continue;
+    const m = f.cmd.match(/^chmod\s+\d+\s+(.+)$/);
+    if (!m) continue;
+    const p = expandHome(m[1].trim());
+    try {
+      const mode = statSync(p).mode & 0o777;
+      perms[p] = mode.toString(8).padStart(3, '0');
+    } catch { /* file may not exist */ }
+  }
+  return perms;
+}
+
 function box(title) {
   const W=52, pad=W-2-title.length, l=Math.floor(pad/2), r=pad-l;
   return [paint.dim('╔'+'═'.repeat(W-2)+'╗'),
@@ -139,7 +161,7 @@ export async function runFix(flags = {}) {
   }
 
   // Load config for mainKey check
-  const { config: cfg } = loadConfig();
+  const { config: cfg, configPath } = loadConfig();
   const mainKey = get(cfg, 'agents.mainKey', 'main');
 
   console.log('');
@@ -176,6 +198,12 @@ export async function runFix(flags = {}) {
     console.log(''); return 0;
   }
 
+  // ── Snapshot before applying any fix ──────────────────────────────────────
+  const applyTrigger = flags.force ? 'fix --apply --force' : 'fix --apply';
+  const toApply = fixable.filter(id => flags.force || AUTO_FIXABLE[id].impact !== IMPACT.BREAKING);
+  const configContent = (() => { try { return readFileSync(configPath, 'utf8'); } catch { return null; } })();
+  saveSnapshot({ trigger: applyTrigger, configPath, configContent, filePermissions: collectFilePermissions(toApply), appliedFixes: toApply });
+
   // Apply fixes
   let applied = 0, failed = 0, skippedBreaking = 0, needsRestart = false;
   console.log(SEP);

package/lib/harden.js

@@ -13,6 +13,8 @@ import { createInterface } from 'readline';
 import { paint } from './output/colors.js';
 import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
 import { loadConfig, get } from './config.js';
+import { saveSnapshot } from './snapshot.js';
+import { enableMonitor, disableMonitor, getMonitorStatus, printMonitorReport } from './monitor.js';
 
 const HOME = homedir();
 const OC_DIR = join(HOME, '.openclaw');
@@ -202,6 +204,23 @@ function getManualItems() {
   ];
 }
 
+// ── Collect current file permissions for shell chmod fixes ────────────────────
+
+function collectFilePermissions(fixes) {
+  const perms = {};
+  for (const fix of fixes) {
+    if (fix.type !== 'shell') continue;
+    const m = fix.action.match(/^chmod\s+\d+\s+(.+)$/);
+    if (!m) continue;
+    const p = m[1].trim();
+    try {
+      const mode = statSync(p).mode & 0o777;
+      perms[p] = mode.toString(8).padStart(3, '0');
+    } catch { /* file may not exist */ }
+  }
+  return perms;
+}
+
 // ── Print impact summary ──────────────────────────────────────────────────────
 
 function printImpactSummary(fixes) {
@@ -219,11 +238,44 @@ function printImpactSummary(fixes) {
 // ── Main export ───────────────────────────────────────────────────────────────
 
 export async function runHarden(flags = {}) {
+  // ── Monitor advisory flags (early return, no box) ──────────────────────────
+  if (flags.monitorOff) {
+    const ok = disableMonitor();
+    console.log('');
+    console.log(ok
+      ? `  ${paint.green('✓')} Monitor mode disabled.`
+      : `  ${paint.red('✗')} Failed to disable monitor mode.`);
+    console.log('');
+    return ok ? 0 : 1;
+  }
+
+  if (flags.monitorReport) {
+    const status = getMonitorStatus();
+    printMonitorReport(status);
+    return 0;
+  }
+
   console.log(''); console.log(box('ClawArmor Harden  v2.1')); console.log('');
 
-  const { config } = loadConfig();
+  const { config, configPath } = loadConfig();
   const fixes = buildFixes(config);
 
+  // ── Monitor enable (advisory only, no apply) ───────────────────────────────
+  if (flags.monitor) {
+    const fixIds = fixes.map(f => f.id);
+    const ok = enableMonitor(fixIds);
+    if (ok) {
+      console.log(`  ${paint.green('✓')} Monitor mode enabled.`);
+      console.log(`  ${paint.dim('Observing:')} ${fixIds.length ? fixIds.join(', ') : 'no current fixes found'}`);
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor harden --monitor-report')} ${paint.dim('to see what would have changed.')}`);
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor harden --monitor-off')} ${paint.dim('to disable.')}`);
+    } else {
+      console.log(`  ${paint.red('✗')} Failed to enable monitor mode.`);
+    }
+    console.log('');
+    return ok ? 0 : 1;
+  }
+
   // Snapshot before score
   const before = loadLastHistoryEntry();
   const beforeScore = before?.score ?? null;
@@ -306,6 +358,13 @@ export async function runHarden(flags = {}) {
   }
   console.log('');
 
+  // ── Snapshot before applying any fix ──────────────────────────────────────
+  const trigger = flags.auto
+    ? (flags.force ? 'harden --auto --force' : 'harden --auto')
+    : 'harden --interactive';
+  const configContent = (() => { try { return readFileSync(configPath, 'utf8'); } catch { return null; } })();
+  saveSnapshot({ trigger, configPath, configContent, filePermissions: collectFilePermissions(fixes), appliedFixes: fixes.map(f => f.id) });
+
   let applied = 0, skipped = 0, failed = 0, skippedBreaking = 0;
   const restartNotes = [];
 

package/lib/monitor.js

@@ -0,0 +1,131 @@
+// clawarmor monitor — Monitor mode state management and reporting.
+// Monitor state stored in ~/.clawarmor/monitor.json:
+//   { enabled: true, startedAt: ISO, fixes: [fix ids being monitored] }
+// Advisory only — no config changes are applied.
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint } from './output/colors.js';
+
+const HOME = homedir();
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const MONITOR_FILE = join(CLAWARMOR_DIR, 'monitor.json');
+const AUDIT_LOG = join(CLAWARMOR_DIR, 'audit.log');
+
+const SEP = paint.dim('─'.repeat(52));
+
+/**
+ * Get current monitor mode status.
+ * @returns {{ enabled: boolean, startedAt?: string, fixes?: string[] }}
+ */
+export function getMonitorStatus() {
+  if (!existsSync(MONITOR_FILE)) return { enabled: false };
+  try { return JSON.parse(readFileSync(MONITOR_FILE, 'utf8')); } catch { return { enabled: false }; }
+}
+
+/**
+ * Enable monitor mode, recording the fix ids to observe.
+ * @param {string[]} fixIds
+ * @returns {boolean} success
+ */
+export function enableMonitor(fixIds = []) {
+  try {
+    if (!existsSync(CLAWARMOR_DIR)) mkdirSync(CLAWARMOR_DIR, { recursive: true });
+    const data = { enabled: true, startedAt: new Date().toISOString(), fixes: fixIds };
+    writeFileSync(MONITOR_FILE, JSON.stringify(data, null, 2), 'utf8');
+    return true;
+  } catch { return false; }
+}
+
+/**
+ * Disable monitor mode by removing the state file.
+ * @returns {boolean} success
+ */
+export function disableMonitor() {
+  try {
+    if (existsSync(MONITOR_FILE)) unlinkSync(MONITOR_FILE);
+    return true;
+  } catch { return false; }
+}
+
+/** @returns {Array<Object>} parsed audit log entries since given ISO timestamp */
+function readAuditsSince(sinceIso) {
+  if (!existsSync(AUDIT_LOG)) return [];
+  try {
+    const since = new Date(sinceIso).getTime();
+    return readFileSync(AUDIT_LOG, 'utf8')
+      .split('\n').filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(l => l && new Date(l.ts).getTime() >= since);
+  } catch { return []; }
+}
+
+/**
+ * Print a monitor mode report showing audit activity since monitoring started.
+ * @param {{ enabled: boolean, startedAt?: string, fixes?: string[] }} status
+ */
+export function printMonitorReport(status) {
+  console.log('');
+  console.log(`  ${paint.bold('Monitor Mode Report')}`);
+  console.log('');
+
+  if (!status.enabled || !status.startedAt) {
+    console.log(`  ${paint.dim('Monitor mode is not active.')}`);
+    console.log(`  ${paint.dim('Enable with:')} ${paint.cyan('clawarmor harden --monitor')}`);
+    console.log('');
+    return;
+  }
+
+  const monitoredFixes = status.fixes || [];
+  const audits = readAuditsSince(status.startedAt);
+
+  console.log(`  ${paint.dim('Started:')}      ${new Date(status.startedAt).toLocaleString()}`);
+  console.log(`  ${paint.dim('Monitoring:')}   ${monitoredFixes.length ? monitoredFixes.join(', ') : 'all available fixes'}`);
+  console.log(`  ${paint.dim('Audits run:')}   ${audits.length}`);
+  console.log('');
+
+  if (!audits.length) {
+    console.log(`  ${paint.dim('No audits found since monitoring started.')}`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit')} ${paint.dim('to generate data.')}`);
+    console.log('');
+    return;
+  }
+
+  console.log(SEP);
+  console.log('');
+
+  const scores = audits.map(a => a.score).filter(s => typeof s === 'number');
+  if (scores.length >= 2) {
+    const delta = scores[scores.length - 1] - scores[0];
+    const deltaStr = delta > 0 ? paint.green(`+${delta}`) : delta < 0 ? paint.red(String(delta)) : paint.dim('±0');
+    console.log(`  ${paint.dim('Score change:')} ${scores[0]} → ${scores[scores.length - 1]} (${deltaStr})`);
+  } else if (scores.length === 1) {
+    console.log(`  ${paint.dim('Score observed:')} ${scores[0]}`);
+  }
+
+  let criticalCount = 0, highCount = 0;
+  for (const a of audits) {
+    if (Array.isArray(a.findings)) {
+      for (const f of a.findings) {
+        if (f.severity === 'CRITICAL') criticalCount++;
+        else if (f.severity === 'HIGH') highCount++;
+      }
+    }
+  }
+  if (criticalCount > 0 || highCount > 0) {
+    console.log(`  ${paint.dim('Findings:')}     ${paint.red(String(criticalCount) + ' critical')} ${paint.dim('·')} ${paint.yellow(String(highCount) + ' high')}`);
+  }
+
+  console.log('');
+
+  const lastScore = scores.length ? scores[scores.length - 1] : null;
+  if (lastScore !== null && lastScore < 75) {
+    console.log(`  ${paint.yellow('!')} ${paint.bold('Recommendation:')} Score is below 75. Consider applying fixes:`);
+    console.log(`     ${paint.dim('Run:')} ${paint.cyan('clawarmor harden')}`);
+  } else {
+    console.log(`  ${paint.green('✓')} Monitoring period looks stable.`);
+    console.log(`  ${paint.dim('When ready, apply fixes with:')} ${paint.cyan('clawarmor harden')}`);
+  }
+  console.log('');
+}

package/lib/rollback.js

@@ -0,0 +1,98 @@
+// clawarmor rollback — Restore config from a saved snapshot.
+//   clawarmor rollback           Restore most recent snapshot
+//   clawarmor rollback --list    List all available snapshots with details
+//   clawarmor rollback --id <id> Restore a specific snapshot by id
+
+import { paint } from './output/colors.js';
+import { listSnapshots, loadSnapshot, loadLatestSnapshot, restoreSnapshot } from './snapshot.js';
+
+const SEP = paint.dim('─'.repeat(52));
+
+function box(title) {
+  const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+
+function fmtDate(isoString) {
+  if (!isoString) return 'unknown';
+  try { return new Date(isoString).toLocaleString(); } catch { return isoString; }
+}
+
+/**
+ * Main rollback command.
+ * @param {{ list?: boolean, id?: string }} flags
+ */
+export async function runRollback(flags = {}) {
+  console.log(''); console.log(box('ClawArmor Rollback')); console.log('');
+
+  // ── LIST mode ─────────────────────────────────────────────────────────────
+  if (flags.list) {
+    const snapshots = listSnapshots();
+    if (!snapshots.length) {
+      console.log(`  ${paint.dim('No snapshots found.')}`);
+      console.log(`  ${paint.dim('Snapshots are created automatically before every harden or fix run.')}`);
+      console.log('');
+      return 0;
+    }
+
+    console.log(`  ${paint.bold(String(snapshots.length))} snapshot${snapshots.length !== 1 ? 's' : ''} available:`);
+    console.log('');
+    for (const s of snapshots) {
+      const fixList = s.appliedFixes.length ? s.appliedFixes.join(', ') : 'no fixes recorded';
+      console.log(`  ${paint.cyan(s.id)}`);
+      console.log(`    ${paint.dim('Date:')}    ${fmtDate(s.timestamp)}`);
+      console.log(`    ${paint.dim('Trigger:')} ${s.trigger}`);
+      console.log(`    ${paint.dim('Fixes:')}   ${fixList}`);
+      console.log('');
+    }
+    console.log(`  ${paint.dim('To restore a specific snapshot:')} clawarmor rollback --id <id>`);
+    console.log('');
+    return 0;
+  }
+
+  // ── RESTORE specific snapshot or most recent ───────────────────────────────
+  let snapshot;
+  if (flags.id) {
+    snapshot = loadSnapshot(flags.id);
+    if (!snapshot) {
+      console.log(`  ${paint.red('✗')} Snapshot not found: ${paint.bold(flags.id)}`);
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor rollback --list')} ${paint.dim('to see available snapshots.')}`);
+      console.log('');
+      return 1;
+    }
+  } else {
+    snapshot = loadLatestSnapshot();
+    if (!snapshot) {
+      console.log(`  ${paint.dim('No snapshots found.')}`);
+      console.log(`  ${paint.dim('Snapshots are created automatically before every harden or fix run.')}`);
+      console.log('');
+      return 0;
+    }
+  }
+
+  console.log(`  ${paint.dim('Snapshot:')}  ${fmtDate(snapshot.timestamp)}`);
+  console.log(`  ${paint.dim('Trigger:')}   ${snapshot.trigger}`);
+  if (snapshot.appliedFixes?.length) {
+    console.log(`  ${paint.dim('Fixes:')}     ${snapshot.appliedFixes.join(', ')}`);
+  }
+  console.log('');
+  console.log(SEP);
+  console.log('');
+
+  const result = restoreSnapshot(snapshot);
+  if (!result.ok) {
+    console.log(`  ${paint.red('✗')} Restore failed: ${result.err}`);
+    console.log('');
+    return 1;
+  }
+
+  const dateStr = fmtDate(snapshot.timestamp);
+  console.log(`  ${paint.green('✓')} Restored to snapshot from ${paint.bold(dateStr)}.`);
+  console.log(`  ${paint.dim('Run')} ${paint.cyan('openclaw gateway restart')} ${paint.dim('to apply.')}`);
+  console.log('');
+  return 0;
+}

package/lib/snapshot.js

@@ -0,0 +1,104 @@
+// clawarmor snapshot — Config snapshot save/load/list/restore.
+// Snapshots are saved to ~/.clawarmor/snapshots/<timestamp>.json.
+// Max 20 snapshots are kept; oldest are pruned on new save.
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync, unlinkSync, chmodSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const HOME = homedir();
+const SNAPSHOTS_DIR = join(HOME, '.clawarmor', 'snapshots');
+const MAX_SNAPSHOTS = 20;
+
+/** @returns {string[]} snapshot filenames sorted oldest-first */
+function listSnapshotFiles() {
+  if (!existsSync(SNAPSHOTS_DIR)) return [];
+  try {
+    return readdirSync(SNAPSHOTS_DIR).filter(f => f.endsWith('.json')).sort();
+  } catch { return []; }
+}
+
+/** Prune to MAX_SNAPSHOTS, removing oldest entries. */
+function pruneSnapshots() {
+  const files = listSnapshotFiles();
+  if (files.length <= MAX_SNAPSHOTS) return;
+  for (const f of files.slice(0, files.length - MAX_SNAPSHOTS)) {
+    try { unlinkSync(join(SNAPSHOTS_DIR, f)); } catch { /* non-fatal */ }
+  }
+}
+
+/**
+ * Save a snapshot before applying fixes.
+ * @param {{ trigger: string, configPath: string, configContent: string|null, filePermissions: Object, appliedFixes: string[] }} opts
+ * @returns {string|null} snapshot id or null on failure
+ */
+export function saveSnapshot({ trigger, configPath, configContent, filePermissions = {}, appliedFixes = [] }) {
+  try {
+    if (!existsSync(SNAPSHOTS_DIR)) mkdirSync(SNAPSHOTS_DIR, { recursive: true });
+    const timestamp = new Date().toISOString();
+    const id = timestamp.replace(/[:.]/g, '-');
+    const snapshot = { timestamp, trigger, configPath, configContent, filePermissions, appliedFixes };
+    writeFileSync(join(SNAPSHOTS_DIR, `${id}.json`), JSON.stringify(snapshot, null, 2), 'utf8');
+    pruneSnapshots();
+    return id;
+  } catch { return null; }
+}
+
+/**
+ * List all snapshots, newest first.
+ * @returns {Array<{ id: string, timestamp: string, trigger: string, appliedFixes: string[], configPath: string }>}
+ */
+export function listSnapshots() {
+  return listSnapshotFiles().reverse().map(f => {
+    try {
+      const data = JSON.parse(readFileSync(join(SNAPSHOTS_DIR, f), 'utf8'));
+      return {
+        id: f.replace('.json', ''),
+        timestamp: data.timestamp,
+        trigger: data.trigger || 'unknown',
+        appliedFixes: data.appliedFixes || [],
+        configPath: data.configPath || null,
+      };
+    } catch { return null; }
+  }).filter(Boolean);
+}
+
+/**
+ * Load a specific snapshot by id.
+ * @param {string} id
+ * @returns {Object|null}
+ */
+export function loadSnapshot(id) {
+  const filePath = join(SNAPSHOTS_DIR, `${id}.json`);
+  if (!existsSync(filePath)) return null;
+  try { return JSON.parse(readFileSync(filePath, 'utf8')); } catch { return null; }
+}
+
+/**
+ * Load the most recent snapshot.
+ * @returns {Object|null}
+ */
+export function loadLatestSnapshot() {
+  const files = listSnapshotFiles();
+  if (!files.length) return null;
+  try { return JSON.parse(readFileSync(join(SNAPSHOTS_DIR, files[files.length - 1]), 'utf8')); } catch { return null; }
+}
+
+/**
+ * Restore a snapshot: writes config content and restores file permissions.
+ * @param {Object} snapshot
+ * @returns {{ ok: boolean, err?: string }}
+ */
+export function restoreSnapshot(snapshot) {
+  try {
+    if (snapshot.configPath && snapshot.configContent != null) {
+      writeFileSync(snapshot.configPath, snapshot.configContent, 'utf8');
+    }
+    for (const [filePath, octalStr] of Object.entries(snapshot.filePermissions || {})) {
+      try {
+        if (existsSync(filePath)) chmodSync(filePath, parseInt(octalStr, 8));
+      } catch { /* non-fatal per-file */ }
+    }
+    return { ok: true };
+  } catch (e) { return { ok: false, err: e.message }; }
+}

package/lib/status.js

@@ -7,6 +7,7 @@ import { homedir } from 'os';
 import { paint } from './output/colors.js';
 import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
 import { watchDaemonStatus } from './watch.js';
+import { getMonitorStatus } from './monitor.js';
 
 const HOME = homedir();
 const OC_DIR = join(HOME, '.openclaw');
@@ -20,7 +21,7 @@ const FISH_FUNCTION_FILE = join(HOME, '.config', 'fish', 'functions', 'openclaw.
 const SHELL_MARKER = '# ClawArmor intercept — added by: clawarmor protect --install';
 const CRON_JOBS_FILE = join(OC_DIR, 'cron', 'jobs.json');
 const HOOKS_DIR = join(OC_DIR, 'hooks', 'clawarmor-guard');
-const VERSION = '2.0.0';
+const VERSION = '2.2.0';
 
 const SEP = paint.dim('─'.repeat(52));
 
@@ -212,6 +213,14 @@ export async function runStatus() {
   }
   console.log(`  ${paint.dim('Watcher')}       ${watchStr}`);
 
+  // ── Monitor mode ──────────────────────────────────────────────────────────
+  const monitorStatus = getMonitorStatus();
+  if (monitorStatus.enabled) {
+    const startedAgo = timeAgo(monitorStatus.startedAt);
+    const fixCount = monitorStatus.fixes?.length || 0;
+    console.log(`  ${paint.dim('Monitor')}       ${paint.yellow('●')} ${paint.bold('active')} ${paint.dim('(started ' + startedAgo + ', ' + fixCount + ' fix' + (fixCount !== 1 ? 'es' : '') + ')')}  ${paint.dim('→ clawarmor harden --monitor-report')}`);
+  }
+
   // ── Shell intercept ───────────────────────────────────────────────────────
   const icp = intercept();
   const icpStr = icp.active

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawarmor",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Security armor for OpenClaw agents \u2014 audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"