npm - clawarmor - Versions diffs - 3.0.1 → 3.1.0 - Mend

clawarmor 3.0.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/cli.js CHANGED Viewed

@@ -3,7 +3,7 @@
 import { paint } from './lib/output/colors.js';
-const VERSION = '3.0.0';
+const VERSION = '3.1.0';
 const GATEWAY_PORT_DEFAULT = 18789;
 function isLocalhost(host) {
@@ -51,9 +51,11 @@ function usage() {
   console.log(`    ${paint.cyan('watch')}    Monitor config and skill changes in real time`);
   console.log(`    ${paint.cyan('protect')}  Install/uninstall/status the full guard system`);
   console.log(`    ${paint.cyan('prescan')}  Pre-scan a skill before installing it`);
-  console.log(`    ${paint.cyan('stack')}    Security orchestrator — deploy Invariant + IronCurtain from audit data`);
-  console.log(`    ${paint.cyan('log')}      View the audit event log`);
-  console.log(`    ${paint.cyan('digest')}   Show weekly security digest`);
+  console.log(`    ${paint.cyan('stack')}         Security orchestrator — deploy Invariant + IronCurtain from audit data`);
+  console.log(`    ${paint.cyan('skill-report')}  Show post-install audit impact of last skill install`);
+  console.log(`    ${paint.cyan('profile')}       Manage contextual hardening profiles`);
+  console.log(`    ${paint.cyan('log')}            View the audit event log`);
+  console.log(`    ${paint.cyan('digest')}         Show weekly security digest`);
   console.log('');
   console.log(`  ${paint.dim('Flags:')}`);
   console.log(`    ${paint.dim('--url <host:port>')}   Probe a specific host:port instead of 127.0.0.1`);
@@ -83,6 +85,9 @@ const parsedUrl = parseUrlFlag(urlArg);
 const configIdx = args.indexOf('--config');
 const configPathArg = configIdx !== -1 ? args[configIdx + 1] : null;
+const profileIdx = args.indexOf('--profile');
+const profileArg = profileIdx !== -1 ? args[profileIdx + 1] : null;
 const flags = {
   json: args.includes('--json'),
   explainReads: args.includes('--explain-reads'),
@@ -90,6 +95,7 @@ const flags = {
   targetPort: parsedUrl?.port || null,
   configPath: configPathArg || null,
   acceptChanges: args.includes('--accept-changes'),
+  profile: profileArg || null,
 };
 if (!cmd || cmd === '--help' || cmd === '-h' || cmd === 'help') { usage(); process.exit(0); }
@@ -201,6 +207,7 @@ if (cmd === 'log') {
 }
 if (cmd === 'harden') {
+  const hardenProfileIdx = args.indexOf('--profile');
   const hardenFlags = {
     dryRun: args.includes('--dry-run'),
     auto: args.includes('--auto'),
@@ -208,6 +215,7 @@ if (cmd === 'harden') {
     monitor: args.includes('--monitor'),
     monitorReport: args.includes('--monitor-report'),
     monitorOff: args.includes('--monitor-off'),
+    profile: hardenProfileIdx !== -1 ? args[hardenProfileIdx + 1] : null,
   };
   const { runHarden } = await import('./lib/harden.js');
   process.exit(await runHarden(hardenFlags));
@@ -239,5 +247,17 @@ if (cmd === 'stack') {
   process.exit(await runStack(stackArgs));
 }
+if (cmd === 'skill-report') {
+  const { runSkillReport } = await import('./lib/skill-report.js');
+  const srFlags = { apply: args.includes('--apply') };
+  process.exit(await runSkillReport(srFlags));
+}
+if (cmd === 'profile') {
+  const { runProfileCmd } = await import('./lib/profile-cmd.js');
+  const profileArgs = args.slice(1);
+  process.exit(await runProfileCmd(profileArgs));
+}
 console.log(`  ${paint.red('✗')} Unknown command: ${paint.bold(cmd)}`);
 usage(); process.exit(1);

package/lib/audit.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { loadConfig } from './config.js';
 import { paint, severityColor } from './output/colors.js';
+import { getProfile, isExpectedFinding } from './profiles.js';
 import { progressBar, scoreColor, gradeColor, scoreToGrade } from './output/progress.js';
 import { probeGatewayLive } from './probes/gateway-probe.js';
 import { discoverRunningInstance } from './discovery.js';
@@ -74,6 +75,19 @@ function appendHistory(entry) {
 export async function runAudit(flags = {}) {
   const GATEWAY_PORT_DEFAULT = 18789;
+  // Load active profile (from flag or saved file)
+  let profileName = flags.profile || null;
+  if (!profileName) {
+    try {
+      const { readFileSync: rfs, existsSync: efs } = await import('fs');
+      const { join: pjoin } = await import('path');
+      const { homedir: phome } = await import('os');
+      const pFile = pjoin(phome(), '.clawarmor', 'profile.json');
+      if (efs(pFile)) profileName = JSON.parse(rfs(pFile, 'utf8')).name || null;
+    } catch { /* non-fatal */ }
+  }
+  const activeProfile = profileName ? getProfile(profileName) : null;
   // ── DISCOVERY: find what's actually running ──────────────────────────────
   let discovery = null;
   // Only auto-discover when no --url override was given
@@ -96,6 +110,11 @@ export async function runAudit(flags = {}) {
   console.log(''); console.log(box('ClawArmor Audit  v' + VERSION)); console.log('');
+  if (activeProfile) {
+    console.log(`  ${paint.dim('Profile:')} ${paint.cyan(activeProfile.name)} ${paint.dim('—')} ${activeProfile.description}`);
+    console.log('');
+  }
   if (error) {
     console.log(`  ${paint.red('✗')} ${error}`); console.log(''); process.exit(2);
   }
@@ -180,11 +199,25 @@ export async function runAudit(flags = {}) {
   const results = [...liveFindingResults, ...staticResults];
   const failed = results.filter(r => !r.passed);
   const passed = results.filter(r => r.passed);
-  const criticals = failed.filter(r => r.severity === 'CRITICAL').length;
+  // Annotate expected findings for active profile
+  const annotatedFailed = failed.map(f => {
+    if (activeProfile && isExpectedFinding(activeProfile.name, f.id)) {
+      return { ...f, _profileExpected: true };
+    }
+    return f;
+  });
+  // Score: expected findings don't count against the score
+  const scoringFailed = activeProfile
+    ? annotatedFailed.filter(f => !f._profileExpected)
+    : annotatedFailed;
+  const criticals = scoringFailed.filter(r => r.severity === 'CRITICAL').length;
   // Score with floor rules
   let score = 100;
-  for (const f of failed) score -= (W[f.severity] || 0);
+  for (const f of scoringFailed) score -= (W[f.severity] || 0);
   score = Math.max(0, score);
   if (criticals >= 2) score = Math.min(score, 25);
   else if (criticals >= 1) score = Math.min(score, 50);
@@ -196,12 +229,12 @@ export async function runAudit(flags = {}) {
   console.log(`  ${paint.bold('Security Score:')} ${colorFn(score+'/100')}  ${paint.dim('┃')}  Grade: ${gradeColor(grade)}`);
   console.log(`  ${colorFn(progressBar(score,20))}  ${paint.dim(score+'%')}`);
-  // Human verdict
+  // Human verdict (uses scoringFailed for accurate verdict)
   {
-    const openCriticals = failed.filter(f => f.severity === 'CRITICAL').length;
-    const openHighs = failed.filter(f => f.severity === 'HIGH').length;
+    const openCriticals = scoringFailed.filter(f => f.severity === 'CRITICAL').length;
+    const openHighs = scoringFailed.filter(f => f.severity === 'HIGH').length;
     let verdict;
-    if (!failed.length) {
+    if (!scoringFailed.length) {
       verdict = paint.green('Your instance is secure. No issues found.');
     } else if (openCriticals >= 1) {
       verdict = paint.red('Your instance has CRITICAL exposure. Fix immediately before using.');
@@ -215,7 +248,7 @@ export async function runAudit(flags = {}) {
   }
   if (flags.json) {
-    console.log(JSON.stringify({score,grade,failed,passed},null,2));
+    console.log(JSON.stringify({score,grade,failed: annotatedFailed,passed},null,2));
     const histJ = loadHistory();
     const prevScoreJ = histJ.length ? histJ[histJ.length - 1].score : null;
     const deltaJ = prevScoreJ != null ? score - prevScoreJ : null;
@@ -224,23 +257,30 @@ export async function runAudit(flags = {}) {
       trigger: 'manual',
       score,
       delta: deltaJ,
-      findings: failed.map(f => ({ id: f.id, severity: f.severity })),
+      findings: annotatedFailed.map(f => ({ id: f.id, severity: f.severity })),
       blocked: null,
       skill: null,
     });
     appendHistory({ timestamp: new Date().toISOString(), score, grade,
-      findings: failed.length, criticals, version: VERSION,
-      failedIds: failed.map(f => f.id) });
+      findings: annotatedFailed.length, criticals, version: VERSION,
+      failedIds: annotatedFailed.map(f => f.id) });
     return 0;
   }
   for (const sev of ['CRITICAL','HIGH','MEDIUM','LOW']) {
-    const group = failed.filter(f => f.severity === sev);
+    const group = annotatedFailed.filter(f => f.severity === sev);
     if (!group.length) continue;
     console.log(''); console.log(SEP);
     console.log(`  ${severityColor[sev](sev)}${paint.dim('  ('+group.length+' finding'+(group.length>1?'s':'')+')')}`);
     console.log(SEP);
-    for (const f of group) printFinding(f);
+    for (const f of group) {
+      if (f._profileExpected) {
+        console.log('');
+        console.log(`  ${paint.dim('○')} ${paint.dim('[profile: expected]')} ${paint.dim(f.title)}`);
+      } else {
+        printFinding(f);
+      }
+    }
   }
   if (passed.length) {
@@ -254,10 +294,12 @@ export async function runAudit(flags = {}) {
   }
   console.log(''); console.log(SEP);
-  if (!failed.length) {
+  if (!scoringFailed.length) {
     console.log(`  ${paint.green('✓')} ${paint.bold('All checks passed.')}`);
   } else {
-    console.log(`  ${failed.length} issue${failed.length>1?'s':''} found. Fix above to improve score.`);
+    const expectedCount = annotatedFailed.length - scoringFailed.length;
+    const suffix = expectedCount > 0 ? ` ${paint.dim(`(${expectedCount} expected for profile)`)}` : '';
+    console.log(`  ${scoringFailed.length} issue${scoringFailed.length>1?'s':''} found. Fix above to improve score.${suffix}`);
   }
   console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor scan')} ${paint.dim('to check installed skills.')}`);
   console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor trend')} ${paint.dim('to see score history.')}`);
@@ -291,7 +333,7 @@ export async function runAudit(flags = {}) {
     trigger: 'manual',
     score,
     delta,
-    findings: failed.map(f => ({ id: f.id, severity: f.severity })),
+    findings: annotatedFailed.map(f => ({ id: f.id, severity: f.severity })),
     blocked: null,
     skill: null,
   });
@@ -301,10 +343,10 @@ export async function runAudit(flags = {}) {
     timestamp: new Date().toISOString(),
     score,
     grade,
-    findings: failed.length,
+    findings: annotatedFailed.length,
     criticals,
     version: VERSION,
-    failedIds: failed.map(f => f.id),
+    failedIds: annotatedFailed.map(f => f.id),
   });
   return failed.length > 0 ? 1 : 0;

package/lib/harden.js CHANGED Viewed

@@ -15,6 +15,7 @@ import { scoreToGrade, scoreColor, gradeColor } from './output/progress.js';
 import { loadConfig, get } from './config.js';
 import { saveSnapshot } from './snapshot.js';
 import { enableMonitor, disableMonitor, getMonitorStatus, printMonitorReport } from './monitor.js';
+import { getProfile, isExpectedFinding, getOverriddenSeverity } from './profiles.js';
 const HOME = homedir();
 const OC_DIR = join(HOME, '.openclaw');
@@ -255,10 +256,47 @@ export async function runHarden(flags = {}) {
     return 0;
   }
+  // Load active profile (from flag or saved file)
+  let profileName = flags.profile || null;
+  if (!profileName) {
+    try {
+      const { readFileSync: rfs, existsSync: efs } = await import('fs');
+      const { join: pjoin } = await import('path');
+      const { homedir: phome } = await import('os');
+      const pFile = pjoin(phome(), '.clawarmor', 'profile.json');
+      if (efs(pFile)) profileName = JSON.parse(rfs(pFile, 'utf8')).name || null;
+    } catch { /* non-fatal */ }
+  }
+  const profile = profileName ? getProfile(profileName) : null;
   console.log(''); console.log(box('ClawArmor Harden  v2.1')); console.log('');
+  if (profile) {
+    console.log(`  ${paint.dim('Profile:')} ${paint.cyan(profile.name)} ${paint.dim('—')} ${profile.description}`);
+    console.log('');
+  }
   const { config, configPath } = loadConfig();
-  const fixes = buildFixes(config);
+  const allFixes = buildFixes(config);
+  // When profile is set, skip or adjust fixes for expected capabilities
+  const fixes = allFixes.map(fix => {
+    if (!profile) return fix;
+    const overrideSev = getOverriddenSeverity(profile.name, fix.id);
+    const expected = isExpectedFinding(profile.name, fix.id);
+    if (expected) {
+      // Mark as expected — skip entirely from harden output
+      return { ...fix, _skipForProfile: true };
+    }
+    if (overrideSev) {
+      // Upgrade to higher severity if unexpected for this profile
+      const currentWeight = { SAFE: 1, CAUTION: 2, BREAKING: 3 };
+      const upgradeMap = { HIGH: IMPACT.BREAKING, MEDIUM: IMPACT.CAUTION, INFO: IMPACT.SAFE };
+      const newImpact = upgradeMap[overrideSev] || fix.impact;
+      return { ...fix, impact: newImpact, _profileOverride: overrideSev };
+    }
+    return fix;
+  }).filter(fix => !fix._skipForProfile);
   // ── Monitor enable (advisory only, no apply) ───────────────────────────────
   if (flags.monitor) {

package/lib/profile-cmd.js ADDED Viewed

@@ -0,0 +1,214 @@
+// lib/profile-cmd.js — clawarmor profile command
+// Subcommands: list, detect, set <name>, show
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { paint } from './output/colors.js';
+import { listProfiles, getProfile, detectProfile } from './profiles.js';
+import { loadConfig } from './config.js';
+const HOME = homedir();
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const PROFILE_FILE = join(CLAWARMOR_DIR, 'profile.json');
+const SEP = paint.dim('─'.repeat(52));
+function box(title) {
+  const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+function readCurrentProfile() {
+  try {
+    if (!existsSync(PROFILE_FILE)) return null;
+    return JSON.parse(readFileSync(PROFILE_FILE, 'utf8'));
+  } catch { return null; }
+}
+function writeProfile(name) {
+  try {
+    mkdirSync(CLAWARMOR_DIR, { recursive: true });
+    writeFileSync(PROFILE_FILE, JSON.stringify({ name, setAt: new Date().toISOString() }, null, 2), 'utf8');
+    return true;
+  } catch { return false; }
+}
+function profileBadge(name) {
+  const badges = {
+    coding:    paint.cyan('coding'),
+    browsing:  paint.green('browsing'),
+    messaging: paint.yellow('messaging'),
+    general:   paint.dim('general'),
+  };
+  return badges[name] || paint.dim(name);
+}
+async function listCmd() {
+  console.log(''); console.log(box('ClawArmor Profiles')); console.log('');
+  console.log(`  ${paint.bold('Available profiles:')}`);
+  console.log('');
+  const current = readCurrentProfile();
+  const profiles = listProfiles();
+  for (const p of profiles) {
+    const isCurrent = current?.name === p.name;
+    const marker = isCurrent ? paint.green('→') : paint.dim('·');
+    const badge = profileBadge(p.name);
+    console.log(`  ${marker} ${badge.padEnd(12)}  ${p.description}`);
+    if (p.allowedCapabilities.length > 0) {
+      console.log(`       ${paint.dim('allows:')} ${paint.dim(p.allowedCapabilities.join(', '))}`);
+    }
+    if (p.restrictedCapabilities.length > 0) {
+      console.log(`       ${paint.dim('restricts:')} ${paint.dim(p.restrictedCapabilities.join(', '))}`);
+    }
+    console.log('');
+  }
+  if (current) {
+    console.log(`  ${paint.dim('Current profile:')} ${profileBadge(current.name)}`);
+  } else {
+    console.log(`  ${paint.dim('No profile set. Defaulting to')} ${profileBadge('general')}`);
+    console.log(`  ${paint.dim('Set with:')} ${paint.cyan('clawarmor profile set <name>')}`);
+  }
+  console.log('');
+  return 0;
+}
+async function detectCmd() {
+  console.log(''); console.log(box('ClawArmor Profile Detect')); console.log('');
+  const { config } = loadConfig();
+  const { profile: detected, reasons } = detectProfile(config);
+  console.log(`  ${paint.bold('Auto-detected profile:')} ${profileBadge(detected)}`);
+  console.log('');
+  console.log(`  ${paint.dim('Reasoning:')}`);
+  for (const reason of reasons) {
+    console.log(`    ${paint.dim('·')} ${reason}`);
+  }
+  console.log('');
+  const profileDef = getProfile(detected);
+  if (profileDef) {
+    console.log(`  ${paint.dim('Profile description:')} ${profileDef.description}`);
+  }
+  const current = readCurrentProfile();
+  if (current && current.name !== detected) {
+    console.log('');
+    console.log(`  ${paint.yellow('!')} Current profile is ${profileBadge(current.name)}, detected ${profileBadge(detected)}`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan(`clawarmor profile set ${detected}`)} ${paint.dim('to switch.')}`);
+  } else if (!current) {
+    console.log('');
+    console.log(`  ${paint.dim('Run')} ${paint.cyan(`clawarmor profile set ${detected}`)} ${paint.dim('to activate this profile.')}`);
+  }
+  console.log('');
+  return 0;
+}
+async function setCmd(name) {
+  if (!name) {
+    console.log('');
+    console.log(`  ${paint.red('✗')} Profile name required.`);
+    console.log(`  Usage: ${paint.cyan('clawarmor profile set <name>')}`);
+    console.log(`  Available: ${listProfiles().map(p => p.name).join(', ')}`);
+    console.log('');
+    return 1;
+  }
+  const profile = getProfile(name);
+  if (!profile) {
+    console.log('');
+    console.log(`  ${paint.red('✗')} Unknown profile: ${paint.bold(name)}`);
+    console.log(`  Available: ${listProfiles().map(p => p.name).join(', ')}`);
+    console.log('');
+    return 1;
+  }
+  const ok = writeProfile(name);
+  console.log('');
+  if (ok) {
+    console.log(`  ${paint.green('✓')} Profile set to ${profileBadge(name)}`);
+    console.log(`  ${paint.dim(profile.description)}`);
+    console.log('');
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor harden --profile ' + name)} ${paint.dim('for profile-aware recommendations.')}`);
+    console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor audit --profile ' + name)} ${paint.dim('for profile-adjusted scoring.')}`);
+  } else {
+    console.log(`  ${paint.red('✗')} Failed to write profile to ${PROFILE_FILE}`);
+  }
+  console.log('');
+  return ok ? 0 : 1;
+}
+async function showCmd() {
+  console.log(''); console.log(box('ClawArmor Current Profile')); console.log('');
+  const current = readCurrentProfile();
+  if (!current) {
+    console.log(`  ${paint.dim('No profile set.')}`);
+    console.log(`  ${paint.dim('Defaulting to general — no relaxations or restrictions applied.')}`);
+    console.log('');
+    console.log(`  ${paint.dim('Set a profile:')} ${paint.cyan('clawarmor profile set <name>')}`);
+    console.log(`  ${paint.dim('Auto-detect:')}   ${paint.cyan('clawarmor profile detect')}`);
+    console.log('');
+    return 0;
+  }
+  const profileDef = getProfile(current.name);
+  const setAt = current.setAt ? new Date(current.setAt).toLocaleString('en-US', { dateStyle: 'medium', timeStyle: 'short' }) : 'unknown';
+  console.log(`  ${paint.bold('Profile:')}  ${profileBadge(current.name)}`);
+  console.log(`  ${paint.bold('Set at:')}   ${setAt}`);
+  console.log('');
+  if (profileDef) {
+    console.log(`  ${paint.dim(profileDef.description)}`);
+    console.log('');
+    if (profileDef.allowedCapabilities.length > 0) {
+      console.log(`  ${paint.green('Allowed:')}    ${profileDef.allowedCapabilities.join(', ')}`);
+    }
+    if (profileDef.restrictedCapabilities.length > 0) {
+      console.log(`  ${paint.yellow('Restricted:')} ${profileDef.restrictedCapabilities.join(', ')}`);
+    }
+    if (Object.keys(profileDef.checkWeightOverrides).length > 0) {
+      console.log('');
+      console.log(`  ${paint.dim('Check overrides:')}`);
+      for (const [check, severity] of Object.entries(profileDef.checkWeightOverrides)) {
+        console.log(`    ${paint.dim(check)} → ${severity}`);
+      }
+    }
+  }
+  console.log('');
+  console.log(`  ${paint.dim('Change profile:')} ${paint.cyan('clawarmor profile set <name>')}`);
+  console.log(`  ${paint.dim('List profiles:')}  ${paint.cyan('clawarmor profile list')}`);
+  console.log('');
+  return 0;
+}
+export async function runProfileCmd(args = []) {
+  const sub = args[0];
+  if (!sub || sub === 'list') return listCmd();
+  if (sub === 'detect')       return detectCmd();
+  if (sub === 'set')          return setCmd(args[1]);
+  if (sub === 'show')         return showCmd();
+  console.log('');
+  console.log(`  ${paint.red('✗')} Unknown profile subcommand: ${paint.bold(sub)}`);
+  console.log('');
+  console.log(`  ${paint.bold('Profile subcommands:')}`);
+  console.log(`    ${paint.cyan('clawarmor profile list')}`);
+  console.log(`    ${paint.cyan('clawarmor profile detect')}`);
+  console.log(`    ${paint.cyan('clawarmor profile set <name>')}`);
+  console.log(`    ${paint.cyan('clawarmor profile show')}`);
+  console.log('');
+  return 1;
+}

package/lib/profiles.js ADDED Viewed

@@ -0,0 +1,159 @@
+// lib/profiles.js — Contextual hardening profiles
+// Profiles adjust harden/audit recommendations based on what the agent actually does.
+const PROFILES = {
+  coding: {
+    name: 'coding',
+    description: 'Code-focused agent — exec, file write, git are expected. External sends are restricted.',
+    allowedCapabilities: ['exec', 'file.write', 'git', 'file.read'],
+    restrictedCapabilities: ['external.send', 'external.network', 'channel.external'],
+    checkWeightOverrides: {
+      // exec being enabled is EXPECTED for a coding agent — downgrade severity
+      'exec.ask.off': 'INFO',
+      'exec.approval': 'INFO',
+      // external sends from a coding agent are UNEXPECTED — upgrade severity
+      'channel.groupPolicy': 'HIGH',
+      'channel.allowFrom': 'HIGH',
+    },
+  },
+  browsing: {
+    name: 'browsing',
+    description: 'Web browsing agent — fetch and read are expected. File writes and exec are restricted.',
+    allowedCapabilities: ['fetch', 'file.read', 'web'],
+    restrictedCapabilities: ['exec', 'file.write', 'channel.external'],
+    checkWeightOverrides: {
+      // file writes from a browsing agent are UNEXPECTED
+      'filesystem.perms': 'HIGH',
+      // exec from a browsing agent is UNEXPECTED
+      'exec.ask.off': 'HIGH',
+      'exec.approval': 'HIGH',
+    },
+  },
+  messaging: {
+    name: 'messaging',
+    description: 'Messaging agent — channel access and send are expected. Exec and file access are restricted.',
+    allowedCapabilities: ['channel.send', 'channel.read', 'message'],
+    restrictedCapabilities: ['exec', 'file.write', 'file.read'],
+    checkWeightOverrides: {
+      // channel sends are EXPECTED for a messaging agent — downgrade severity
+      'channel.groupPolicy': 'INFO',
+      'channel.allowFrom': 'INFO',
+      // exec from a messaging agent is UNEXPECTED
+      'exec.ask.off': 'HIGH',
+      'exec.approval': 'HIGH',
+    },
+  },
+  general: {
+    name: 'general',
+    description: 'General-purpose agent — balanced defaults. No relaxations or extra restrictions.',
+    allowedCapabilities: [],
+    restrictedCapabilities: [],
+    checkWeightOverrides: {},
+  },
+};
+/**
+ * Get a profile by name.
+ * @param {string} name
+ * @returns {object|null}
+ */
+export function getProfile(name) {
+  return PROFILES[name] || null;
+}
+/**
+ * List all available profiles.
+ * @returns {object[]}
+ */
+export function listProfiles() {
+  return Object.values(PROFILES);
+}
+/**
+ * Auto-detect profile from openclaw config.
+ * @param {object} config - parsed openclaw.json
+ * @returns {{ profile: string, reasons: string[] }}
+ */
+export function detectProfile(config) {
+  if (!config) return { profile: 'general', reasons: ['No config found — using general profile'] };
+  const reasons = [];
+  // Check for exec tools
+  const execEnabled = config?.tools?.exec?.enabled !== false && config?.exec?.enabled !== false;
+  const execAsk = config?.tools?.exec?.ask ?? config?.exec?.ask;
+  const hasExec = execEnabled && execAsk !== 'always';
+  // Check for web/fetch tools
+  const hasWeb = !!(
+    config?.tools?.fetch || config?.tools?.web ||
+    (config?.skills && JSON.stringify(config.skills).toLowerCase().includes('browser'))
+  );
+  // Check for channel/messaging tools
+  const hasChannels = !!(
+    config?.channels || config?.messaging ||
+    (config?.tools && JSON.stringify(config.tools).toLowerCase().includes('channel'))
+  );
+  // Check for git
+  const hasGit = !!(
+    config?.tools?.git ||
+    (config?.skills && JSON.stringify(config.skills).toLowerCase().includes('git'))
+  );
+  // Decision logic
+  if (hasExec && hasGit && !hasChannels) {
+    reasons.push('exec tools present → coding agent');
+    if (hasGit) reasons.push('git tools detected → coding profile');
+    return { profile: 'coding', reasons };
+  }
+  if (hasChannels && !hasExec) {
+    reasons.push('channel/messaging tools present → messaging agent');
+    return { profile: 'messaging', reasons };
+  }
+  if (hasWeb && !hasExec && !hasChannels) {
+    reasons.push('web/fetch tools present → browsing agent');
+    return { profile: 'browsing', reasons };
+  }
+  reasons.push('No strong signal detected → using general profile');
+  return { profile: 'general', reasons };
+}
+/**
+ * Check if a finding is expected for a given profile.
+ * @param {string} profileName
+ * @param {string} checkId - the check/finding id
+ * @returns {boolean}
+ */
+export function isExpectedFinding(profileName, checkId) {
+  const profile = getProfile(profileName);
+  if (!profile) return false;
+  const id = (checkId || '').toLowerCase();
+  // Check if this finding's id matches any allowed capability patterns
+  // For exec findings in a coding profile, they're expected
+  if (profileName === 'coding' && (id.includes('exec') && (id.includes('ask') || id.includes('approval')))) return true;
+  if (profileName === 'messaging' && (id.includes('channel') && (id.includes('group') || id.includes('allow')))) return true;
+  return false;
+}
+/**
+ * Get overridden severity for a check in a given profile.
+ * @param {string} profileName
+ * @param {string} checkId
+ * @param {string} defaultSeverity
+ * @returns {string} overridden or original severity
+ */
+export function getOverriddenSeverity(profileName, checkId) {
+  const profile = getProfile(profileName);
+  if (!profile) return null;
+  const id = (checkId || '').toLowerCase();
+  // Check overrides by matching check id prefixes
+  for (const [pattern, overrideSev] of Object.entries(profile.checkWeightOverrides)) {
+    if (id.includes(pattern.toLowerCase())) return overrideSev;
+  }
+  return null;
+}

package/lib/protect.js CHANGED Viewed

@@ -68,7 +68,8 @@ Install with: \`clawarmor protect --install\`
 `;
 const HANDLER_JS = `// clawarmor-guard hook handler
-// Fires on gateway:startup. Silent unless score drops or CRITICAL finding appears.
+// Fires on gateway:startup and after clawhub skill installs.
+// Silent unless score drops or CRITICAL finding appears.
 // No external dependencies.
 import { spawnSync } from 'child_process';
@@ -79,6 +80,7 @@ import { homedir } from 'os';
 const HOME = homedir();
 const CLAWARMOR_DIR = join(HOME, '.clawarmor');
 const LAST_SCORE_FILE = join(CLAWARMOR_DIR, 'last-score.json');
+const SKILL_REPORT_FILE = join(CLAWARMOR_DIR, 'skill-install-report.json');
 function readLastScore() {
   try {
@@ -109,8 +111,81 @@ function runAuditJson() {
   return null;
 }
-// Main hook entry point — called by openclaw on gateway:startup
+function runStackSync() {
+  try {
+    spawnSync('clawarmor', ['stack', 'sync'], {
+      encoding: 'utf8',
+      timeout: 60000,
+      stdio: 'ignore',
+    });
+  } catch {}
+}
+function buildProposedFixes(newFindings) {
+  const fixes = [];
+  for (const f of newFindings) {
+    const id = (f.id || '').toLowerCase();
+    if (id.includes('exec') && id.includes('ask')) {
+      fixes.push('openclaw config set tools.exec.ask on-miss');
+    } else if (id.includes('gateway') && id.includes('host')) {
+      fixes.push('openclaw config set gateway.host 127.0.0.1');
+    } else if (id.includes('cred') || id.includes('filesystem')) {
+      fixes.push('clawarmor harden --auto');
+    } else if (id.includes('skill')) {
+      fixes.push('clawarmor scan');
+    }
+  }
+  return [...new Set(fixes)];
+}
+function handleSkillInstall(skillName, scoreBefore, auditResult) {
+  const scoreAfter = auditResult?.score ?? null;
+  if (scoreAfter === null) return;
+  // Regenerate stack rules for new tool surface
+  runStackSync();
+  const scoreDelta = scoreAfter - scoreBefore;
+  if (scoreDelta < 0) {
+    const prevFailed = [];
+    const newFailed = auditResult.failed || [];
+    // newFindings = findings in new audit not previously known
+    const lastState = readLastScore();
+    const prevIds = new Set((lastState?.failedIds || []));
+    const newFindings = newFailed.filter(f => !prevIds.has(f.id));
+    const proposedFixes = buildProposedFixes(newFindings);
+    const report = {
+      skill: skillName,
+      installedAt: new Date().toISOString(),
+      scoreBefore,
+      scoreAfter,
+      scoreDelta,
+      newFindings,
+      proposedFixes,
+    };
+    try {
+      mkdirSync(CLAWARMOR_DIR, { recursive: true });
+      writeFileSync(SKILL_REPORT_FILE, JSON.stringify(report, null, 2), 'utf8');
+    } catch {}
+    console.error(\`⚠ ClawArmor: skill install dropped score \${scoreBefore}→\${scoreAfter} (\${scoreDelta}). Run: clawarmor stack sync && clawarmor fix --dry-run\`);
+  } else {
+    console.error(\`✓ ClawArmor: score unchanged after install (\${scoreAfter}/100)\`);
+  }
+}
+// Main hook entry point — called by openclaw on gateway:startup and clawhub install
 export default async function handler(event) {
+  const isSkillInstall = event?.type === 'clawhub:install' || event?.skill;
+  const skillName = event?.skill || event?.args?.[0] || null;
+  // Capture score before install (for skill diff)
+  const lastState = readLastScore();
+  const lastScore = lastState?.score ?? null;
   let auditResult;
   try {
     auditResult = runAuditJson();
@@ -122,14 +197,20 @@ export default async function handler(event) {
   if (!auditResult) return;
   const newScore = auditResult.score ?? null;
-  const lastState = readLastScore();
-  const lastScore = lastState?.score ?? null;
   const isFirstRun = lastScore === null;
   if (newScore !== null) {
     if (isFirstRun) {
-      writeLastScore({ score: newScore, grade: auditResult.grade, timestamp: new Date().toISOString() });
+      writeLastScore({
+        score: newScore,
+        grade: auditResult.grade,
+        failedIds: (auditResult.failed || []).map(f => f.id),
+        timestamp: new Date().toISOString(),
+      });
       // First run — establish baseline silently
+      if (isSkillInstall && skillName) {
+        runStackSync();
+      }
       return;
     }
@@ -142,9 +223,16 @@ export default async function handler(event) {
       score: newScore,
       grade: auditResult.grade,
       criticals: newCriticalCount,
+      failedIds: (auditResult.failed || []).map(f => f.id),
       timestamp: new Date().toISOString(),
     });
+    // Skill install post-audit diff
+    if (isSkillInstall && skillName) {
+      handleSkillInstall(skillName, lastScore, auditResult);
+      return;
+    }
     if (newCriticalCount > hadCriticals) {
       // New CRITICAL finding — alert immediately
       const names = newCriticals.map(f => f.id || f.title).join(', ');

package/lib/skill-report.js ADDED Viewed

@@ -0,0 +1,124 @@
+// lib/skill-report.js — Show post-install skill audit impact report
+// Generated automatically after each skill install via the clawarmor-guard hook.
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { spawnSync } from 'child_process';
+import { paint } from './output/colors.js';
+const HOME = homedir();
+const CLAWARMOR_DIR = join(HOME, '.clawarmor');
+const SKILL_REPORT_FILE = join(CLAWARMOR_DIR, 'skill-install-report.json');
+const SEP = paint.dim('─'.repeat(52));
+function box(title) {
+  const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+function readReport() {
+  try {
+    if (!existsSync(SKILL_REPORT_FILE)) return null;
+    return JSON.parse(readFileSync(SKILL_REPORT_FILE, 'utf8'));
+  } catch { return null; }
+}
+function applyFixes(fixes) {
+  let applied = 0, failed = 0;
+  for (const fix of fixes) {
+    try {
+      const result = spawnSync(fix, { shell: true, encoding: 'utf8', timeout: 30000, stdio: 'pipe' });
+      if (result.status === 0) {
+        console.log(`  ${paint.green('✓')} ${fix}`);
+        applied++;
+      } else {
+        console.log(`  ${paint.red('✗')} ${fix} — ${(result.stderr || '').split('\n')[0]}`);
+        failed++;
+      }
+    } catch (e) {
+      console.log(`  ${paint.red('✗')} ${fix} — ${e.message?.split('\n')[0]}`);
+      failed++;
+    }
+  }
+  return { applied, failed };
+}
+export async function runSkillReport(flags = {}) {
+  console.log(''); console.log(box('ClawArmor Skill Report')); console.log('');
+  const report = readReport();
+  if (!report) {
+    console.log(`  ${paint.dim('No skill install report found.')}`);
+    console.log(`  ${paint.dim('Reports are generated automatically after each skill install.')}`);
+    console.log('');
+    return 0;
+  }
+  const installedAt = new Date(report.installedAt).toLocaleString('en-US', { dateStyle: 'medium', timeStyle: 'short' });
+  const deltaStr = report.scoreDelta > 0
+    ? paint.green(`+${report.scoreDelta}`)
+    : report.scoreDelta < 0
+      ? paint.red(String(report.scoreDelta))
+      : paint.dim('±0');
+  console.log(`  ${paint.bold('Skill:')}        ${report.skill}`);
+  console.log(`  ${paint.bold('Installed:')}    ${installedAt}`);
+  console.log(`  ${paint.bold('Score:')}        ${report.scoreBefore}/100 → ${report.scoreAfter}/100  (${deltaStr})`);
+  console.log('');
+  if (report.newFindings && report.newFindings.length > 0) {
+    console.log(SEP);
+    console.log(`  ${paint.bold('New findings after install:')}`);
+    console.log('');
+    for (const f of report.newFindings) {
+      const sev = f.severity || 'INFO';
+      const sevColors = { CRITICAL: paint.red, HIGH: paint.red, MEDIUM: paint.yellow, LOW: paint.dim, INFO: paint.dim };
+      const sevColor = sevColors[sev] || paint.dim;
+      console.log(`  ${paint.red('✗')} ${paint.bold(f.title || f.id)}  ${paint.dim('←')} ${sevColor(sev)}`);
+      if (f.description) {
+        for (const line of (f.description || '').split('\n').slice(0, 2)) {
+          console.log(`    ${paint.dim(line)}`);
+        }
+      }
+    }
+    console.log('');
+  } else {
+    console.log(`  ${paint.green('✓')} No new findings introduced by this install.`);
+    console.log('');
+  }
+  if (report.proposedFixes && report.proposedFixes.length > 0) {
+    console.log(SEP);
+    console.log(`  ${paint.bold('Proposed fixes:')}`);
+    console.log('');
+    for (const fix of report.proposedFixes) {
+      console.log(`    ${paint.cyan('$')} ${fix}`);
+    }
+    console.log('');
+    if (flags.apply) {
+      console.log(SEP);
+      console.log(`  ${paint.cyan('Applying proposed fixes...')}`);
+      console.log('');
+      const { applied, failed } = applyFixes(report.proposedFixes);
+      console.log('');
+      console.log(`  Applied: ${paint.green(String(applied))}  Failed: ${failed > 0 ? paint.red(String(failed)) : paint.dim('0')}`);
+      console.log('');
+      return failed > 0 ? 1 : 0;
+    } else {
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor skill-report --apply')} ${paint.dim('to apply these fixes.')}`);
+      console.log('');
+    }
+  } else {
+    console.log(`  ${paint.dim('No auto-fixable issues proposed.')}`);
+    console.log('');
+  }
+  return 0;
+}

package/lib/stack/invariant.js CHANGED Viewed

@@ -207,7 +207,7 @@ export function deploy(rulesContent) {
 /**
  * Get current status of Invariant integration.
- * @returns {{ installed: boolean, rulesExist: boolean, rulesPath: string, ruleCount: number, lastDeployed: string|null }}
+ * @returns {{ installed: boolean, rulesExist: boolean, rulesPath: string, ruleCount: number, lastDeployed: string|null, enforcing: boolean }}
  */
 export function getStatus() {
   const installed = checkInstalled();
@@ -216,9 +216,12 @@ export function getStatus() {
   if (rulesExist) {
     try {
       const content = readFileSync(RULES_PATH, 'utf8');
+      // Count non-comment rules (lines starting with 'raise')
       ruleCount = (content.match(/^raise /gm) || []).length;
       lastDeployed = statSync(RULES_PATH).mtime.toISOString();
     } catch { /* non-fatal */ }
   }
-  return { installed, rulesExist, rulesPath: RULES_PATH, ruleCount, lastDeployed };
+  // enforcing = pip installed + rules file exists + at least 1 non-comment rule
+  const enforcing = installed && rulesExist && ruleCount > 0;
+  return { installed, rulesExist, rulesPath: RULES_PATH, ruleCount, lastDeployed, enforcing };
 }

package/lib/stack/ironcurtain.js CHANGED Viewed

@@ -2,7 +2,7 @@
 // IronCurtain: English constitution → LLM compiles to deterministic rules → runtime enforcement.
 // We generate the Markdown constitution from audit findings. User runs compile-policy themselves.
-import { existsSync, writeFileSync, mkdirSync, statSync } from 'fs';
+import { existsSync, writeFileSync, mkdirSync, statSync, readdirSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { spawnSync } from 'child_process';
@@ -180,16 +180,32 @@ export function writeConstitution(content) {
   }
 }
+/**
+ * Check if ~/.ironcurtain/generated/ exists and has compiled output.
+ * @returns {boolean}
+ */
+function checkCompiled() {
+  const generatedDir = join(IRONCURTAIN_DIR, 'generated');
+  if (!existsSync(generatedDir)) return false;
+  try {
+    const entries = readdirSync(generatedDir);
+    return entries.length > 0;
+  } catch { return false; }
+}
 /**
  * Get current status of IronCurtain integration.
- * @returns {{ installed: boolean, constitutionExists: boolean, constitutionPath: string, lastGenerated: string|null }}
+ * @returns {{ installed: boolean, constitutionExists: boolean, constitutionPath: string, lastGenerated: string|null, compiled: boolean, enforcing: boolean }}
  */
 export function getStatus() {
-  const installed = checkInstalled();
+  const cliInstalled = checkInstalled();
   const constitutionExists = existsSync(CONSTITUTION_PATH);
+  const compiled = checkCompiled();
   let lastGenerated = null;
   if (constitutionExists) {
     try { lastGenerated = statSync(CONSTITUTION_PATH).mtime.toISOString(); } catch { /* non-fatal */ }
   }
-  return { installed, constitutionExists, constitutionPath: CONSTITUTION_PATH, lastGenerated };
+  // enforcing = cli installed + compiled output exists
+  const enforcing = cliInstalled && compiled;
+  return { installed: cliInstalled, cliInstalled, constitutionExists, constitutionPath: CONSTITUTION_PATH, lastGenerated, compiled, enforcing };
 }

package/lib/stack.js CHANGED Viewed

@@ -8,7 +8,7 @@ import * as Invariant from './stack/invariant.js';
 import * as IronCurtain from './stack/ironcurtain.js';
 const SEP = paint.dim('─'.repeat(52));
-const VERSION = '3.0.0';
+const VERSION = '3.1.0';
 function box(title) {
   const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
@@ -39,41 +39,62 @@ async function stackStatus() {
   // Invariant
   const inv = Invariant.getStatus();
-  const invIcon   = inv.rulesExist ? paint.green('✓') : paint.yellow('○');
-  const invStatus = inv.rulesExist
-    ? `${paint.green('deployed')} ${paint.dim(`(${inv.ruleCount} rule${inv.ruleCount !== 1 ? 's' : ''}, ~/.clawarmor/invariant-rules.inv)`)}`
-    : paint.dim('not deployed');
+  let invIcon, invStatus;
+  if (inv.enforcing) {
+    invIcon = paint.green('✓');
+    invStatus = `${paint.green('✓ actively enforcing')} ${paint.dim(`(${inv.ruleCount} rule${inv.ruleCount !== 1 ? 's' : ''})`)}`;
+  } else if (inv.rulesExist && inv.ruleCount > 0) {
+    invIcon = paint.yellow('○');
+    invStatus = `${paint.yellow('✓ rules generated')} ${paint.dim(`(${inv.ruleCount} rule${inv.ruleCount !== 1 ? 's' : ''}, not enforcing)`)}`;
+  } else {
+    invIcon = paint.yellow('○');
+    invStatus = paint.dim('not deployed');
+  }
   const invPip = inv.installed ? paint.green('pip: installed') : paint.yellow('pip: not installed');
   console.log(`  ${invIcon} ${paint.bold('Invariant')}     ${invStatus}`);
   console.log(`      ${paint.dim('Flow guardrails — detects multi-step attack chains')}`);
   console.log(`      ${paint.dim(invPip)}`);
   if (!inv.rulesExist) {
     console.log(`      ${paint.dim('→ run: clawarmor stack deploy --invariant')}`);
+  } else if (!inv.enforcing) {
+    console.log(`      ${paint.yellow('⚠')} Rules generated but not enforcing — install invariant-ai to activate: ${paint.cyan('pip3 install invariant-ai')}`);
   }
   console.log('');
   // IronCurtain
   const ic = IronCurtain.getStatus();
-  const icIcon   = ic.constitutionExists ? paint.green('✓') : paint.yellow('○');
-  const icStatus = ic.constitutionExists
-    ? `${paint.green('constitution exists')} ${paint.dim('(~/.ironcurtain/constitution-clawarmor.md)')}`
-    : paint.dim('not configured');
-  const icCli = ic.installed ? paint.green('cli: installed') : paint.yellow('cli: not installed');
+  let icIcon, icStatus;
+  if (ic.enforcing) {
+    icIcon = paint.green('✓');
+    icStatus = paint.green('✓ compiled + running');
+  } else if (ic.constitutionExists) {
+    icIcon = paint.yellow('○');
+    icStatus = `${paint.yellow('✓ constitution written')} ${paint.dim('(not compiled)')}`;
+  } else {
+    icIcon = paint.yellow('○');
+    icStatus = paint.dim('not configured');
+  }
+  const icCli = ic.cliInstalled ? paint.green('cli: installed') : paint.yellow('cli: not installed');
   console.log(`  ${icIcon} ${paint.bold('IronCurtain')}   ${icStatus}`);
   console.log(`      ${paint.dim('Runtime constitution — policy-enforced tool call interception')}`);
   console.log(`      ${paint.dim(icCli)}`);
   if (!ic.constitutionExists) {
     console.log(`      ${paint.dim('→ run: clawarmor stack deploy --ironcurtain')}`);
-  } else {
-    console.log(`      ${paint.dim('→ compile: ironcurtain compile-policy ~/.ironcurtain/constitution-clawarmor.md')}`);
+  } else if (!ic.enforcing) {
+    console.log(`      ${paint.yellow('⚠')} Constitution written but not compiled — run: ${paint.cyan('ironcurtain compile-policy ~/.ironcurtain/constitution-clawarmor.md')}`);
   }
   console.log('');
   console.log(SEP);
-  const layers = (inv.rulesExist ? 1 : 0) + (ic.constitutionExists ? 1 : 0);
-  const layerColor = layers >= 2 ? paint.green : layers === 1 ? paint.yellow : paint.red;
-  console.log(`  Stack coverage:  ${layerColor(String(layers))} / 2 layers active`);
-  if (layers < 2) {
+  // Count enforcing layers, not just deployed
+  const enforcingLayers = (inv.enforcing ? 1 : 0) + (ic.enforcing ? 1 : 0);
+  const layerColor = enforcingLayers >= 2 ? paint.green : enforcingLayers === 1 ? paint.yellow : paint.red;
+  console.log(`  Stack coverage:  ${layerColor(String(enforcingLayers))} / 2 layers enforcing`);
+  if (enforcingLayers < 2) {
+    const generatedLayers = (inv.rulesExist ? 1 : 0) + (ic.constitutionExists ? 1 : 0);
+    if (generatedLayers > enforcingLayers) {
+      console.log(`  ${paint.dim(`(${generatedLayers} layer${generatedLayers !== 1 ? 's' : ''} generated but not yet enforcing)`)}`);
+    }
     console.log(`  ${paint.dim('→ run: clawarmor stack deploy --all')}`);
   }
   console.log('');
@@ -240,9 +261,9 @@ async function stackDeploy(flags) {
   console.log(SEP);
   const invS = Invariant.getStatus();
   const icS  = IronCurtain.getStatus();
-  const layers = (invS.rulesExist ? 1 : 0) + (icS.constitutionExists ? 1 : 0);
-  const layerColor = layers >= 2 ? paint.green : layers === 1 ? paint.yellow : paint.red;
-  console.log(`  Stack coverage: ${layerColor(String(layers))} / 2 layers active`);
+  const deployedLayers = (invS.rulesExist ? 1 : 0) + (icS.constitutionExists ? 1 : 0);
+  const layerColor = deployedLayers >= 2 ? paint.green : deployedLayers === 1 ? paint.yellow : paint.red;
+  console.log(`  Stack coverage: ${layerColor(String(deployedLayers))} / 2 layers generated`);
   if (exitCode === 0) {
     console.log(`  ${paint.green('✓')} Done. Run ${paint.cyan('clawarmor stack status')} to verify.`);
   } else {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clawarmor",
-  "version": "3.0.1",
+  "version": "3.1.0",
   "description": "Security armor for OpenClaw agents — audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"