clawhatch 0.1.0

package/dist/reporter.js

@@ -0,0 +1,133 @@
+/**
+ * Terminal output reporter.
+ *
+ * Formats scan results as colored terminal output.
+ * Separates high-confidence "Findings" from low-confidence "Suggestions".
+ */
+import chalk from "chalk";
+import { Severity } from "./types.js";
+import { getScoreGrade } from "./scoring.js";
+const SEVERITY_ICONS = {
+    [Severity.Critical]: chalk.red("!!"),
+    [Severity.High]: chalk.yellow("!"),
+    [Severity.Medium]: chalk.cyan("~"),
+    [Severity.Low]: chalk.dim("-"),
+};
+const SEVERITY_LABELS = {
+    [Severity.Critical]: chalk.red.bold("CRITICAL"),
+    [Severity.High]: chalk.yellow.bold("HIGH"),
+    [Severity.Medium]: chalk.cyan("MEDIUM"),
+    [Severity.Low]: chalk.dim("LOW"),
+};
+function formatFinding(finding, index) {
+    const icon = SEVERITY_ICONS[finding.severity];
+    const lines = [];
+    lines.push(`  ${icon} ${chalk.white.bold(finding.title)}`);
+    lines.push(`     ${chalk.dim(finding.description)}`);
+    lines.push(`     ${chalk.dim("Risk:")} ${finding.risk}`);
+    lines.push(`     ${chalk.dim("Fix:")} ${finding.remediation}`);
+    if (finding.file) {
+        const loc = finding.line ? `${finding.file}:${finding.line}` : finding.file;
+        lines.push(`     ${chalk.dim("File:")} ${loc}`);
+    }
+    if (finding.autoFixable) {
+        lines.push(`     ${chalk.green("Auto-fixable with --fix")}`);
+    }
+    return lines.join("\n");
+}
+function groupBySeverity(findings) {
+    const groups = new Map();
+    const order = [Severity.Critical, Severity.High, Severity.Medium, Severity.Low];
+    for (const sev of order) {
+        groups.set(sev, []);
+    }
+    for (const f of findings) {
+        groups.get(f.severity).push(f);
+    }
+    return groups;
+}
+export function reportFindings(result) {
+    const { grade, label, color } = getScoreGrade(result.score);
+    const colorFn = chalk[color];
+    // Header
+    console.log("");
+    console.log(chalk.cyan.bold("  Clawhatch Security Scan"));
+    console.log(chalk.dim("  " + "=".repeat(50)));
+    console.log("");
+    // Score
+    console.log(`  ${chalk.dim("Security Score:")} ${colorFn(`${result.score}/100`)} ${colorFn(`(${grade} — ${label})`)}`);
+    console.log("");
+    // Metadata
+    console.log(chalk.dim(`  Platform: ${result.platform}`));
+    if (result.openclawVersion) {
+        console.log(chalk.dim(`  OpenClaw: ${result.openclawVersion}`));
+    }
+    console.log(chalk.dim(`  Checks: ${result.checksRun} run, ${result.checksPassed} passed, ${result.findings.length} findings`));
+    console.log(chalk.dim(`  Duration: ${result.duration}ms`));
+    console.log(chalk.dim(`  Scanned: ${result.filesScanned} files`));
+    console.log("");
+    console.log(chalk.dim("  " + "-".repeat(50)));
+    // Findings (high/medium confidence)
+    if (result.findings.length === 0) {
+        console.log("");
+        console.log(chalk.green.bold("  No security findings! Your setup looks solid."));
+    }
+    else {
+        const grouped = groupBySeverity(result.findings);
+        for (const [severity, findings] of grouped) {
+            if (findings.length === 0)
+                continue;
+            console.log("");
+            console.log(`  ${SEVERITY_LABELS[severity]} (${findings.length} finding${findings.length > 1 ? "s" : ""})`);
+            console.log("");
+            for (let i = 0; i < findings.length; i++) {
+                console.log(formatFinding(findings[i], i));
+                if (i < findings.length - 1)
+                    console.log("");
+            }
+        }
+    }
+    // Suggestions (low confidence)
+    if (result.suggestions.length > 0) {
+        console.log("");
+        console.log(chalk.dim("  " + "-".repeat(50)));
+        console.log("");
+        console.log(chalk.dim.bold(`  SUGGESTIONS (${result.suggestions.length} — lower confidence, review manually)`));
+        console.log("");
+        for (const s of result.suggestions) {
+            console.log(`  ${chalk.dim("~")} ${chalk.dim(s.title)}`);
+            console.log(`     ${chalk.dim(s.remediation)}`);
+        }
+    }
+    // Footer
+    console.log("");
+    console.log(chalk.dim("  " + "=".repeat(50)));
+    console.log("");
+    const autoFixCount = result.findings.filter((f) => f.autoFixable).length;
+    if (autoFixCount > 0) {
+        console.log(chalk.green(`  ${autoFixCount} issue(s) can be auto-fixed. Run with --fix`));
+    }
+    console.log(chalk.dim("  Run with --json for machine-readable output"));
+    console.log(chalk.dim("  Run with --deep for thorough session log scanning"));
+    console.log("");
+}
+export function reportJson(result) {
+    // Output clean JSON for piping to other tools
+    const output = {
+        ...result,
+        // Flatten for convenience
+        summary: {
+            score: result.score,
+            grade: getScoreGrade(result.score).grade,
+            label: getScoreGrade(result.score).label,
+            critical: result.findings.filter((f) => f.severity === Severity.Critical).length,
+            high: result.findings.filter((f) => f.severity === Severity.High).length,
+            medium: result.findings.filter((f) => f.severity === Severity.Medium).length,
+            low: result.findings.filter((f) => f.severity === Severity.Low).length,
+            suggestions: result.suggestions.length,
+            autoFixable: result.findings.filter((f) => f.autoFixable).length,
+        },
+    };
+    console.log(JSON.stringify(output, null, 2));
+}
+//# sourceMappingURL=reporter.js.map

package/dist/reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.js","sourceRoot":"","sources":["../src/reporter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,QAAQ,EAAiC,MAAM,YAAY,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,MAAM,cAAc,GAA6B;IAC/C,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC;IACpC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC;IAClC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;IAClC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC;CAC/B,CAAC;AAEF,MAAM,eAAe,GAA6B;IAChD,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC;IAC/C,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;IAC1C,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;IACvC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC;CACjC,CAAC;AAEF,SAAS,aAAa,CAAC,OAAgB,EAAE,KAAa;IACpD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAE/D,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC5E,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB;IAC1C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,MAAM,KAAK,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;IAEhF,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAA0B,CAAC;IAEtD,SAAS;IACT,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,IAAI,CACb,2BAA2B,CAC5B,CACF,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,QAAQ;IACR,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAC1C,GAAG,MAAM,CAAC,KAAK,MAAM,CACtB,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,KAAK,GAAG,CAAC,EAAE,CACxC,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,WAAW;IACX,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACzD,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,aAAa,MAAM,CAAC,SAAS,SAAS,MAAM,CAAC,YAAY,YAAY,MAAM,CAAC,QAAQ,CAAC,MAAM,WAAW,CACvG,CACF,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,YAAY,QAAQ,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAE9C,oCAAoC;IACpC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC,CAAC;IACnF,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEjD,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC;YAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,KAAK,eAAe,CAAC,QAAQ,CAAC,KAAK,QAAQ,CAAC,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAC/F,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEhB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC3C,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,IAAI,CACZ,kBAAkB,MAAM,CAAC,WAAW,CAAC,MAAM,uCAAuC,CACnF,CACF,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,SAAS;IACT,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;IACzE,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,KAAK,CAAC,KAAK,YAAY,6CAA6C,CAAC,CAC5E,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC,CAAC;IAC9E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,8CAA8C;IAC9C,MAAM,MAAM,GAAG;QACb,GAAG,MAAM;QACT,0BAA0B;QAC1B,OAAO,EAAE;YACP,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK;YACxC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK;YACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,MAAM;YAChF,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM;YACxE,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM;YAC5E,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,GAAG,CAAC,CAAC,MAAM;YACtE,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;YACtC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,MAAM;SACjE;KACF,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/sanitize.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Sanitize findings before JSON serialization or upload.
+ * Policy: Finding objects must NEVER contain secret values.
+ * Only metadata about secrets (length, entropy score, masked preview).
+ */
+import type { Finding } from "./types.js";
+/**
+ * Sanitize all findings in an array.
+ * Call this before any JSON.stringify() or upload operation.
+ */
+export declare function sanitizeFindings(findings: Finding[]): Finding[];
+/**
+ * Redact file paths from findings for safe sharing.
+ * Replaces full paths with just the filename or a generic placeholder.
+ */
+export declare function redactPaths(findings: Finding[]): Finding[];
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../src/sanitize.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAsD1C;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAE/D;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAyB1D"}

package/dist/sanitize.js

@@ -0,0 +1,83 @@
+/**
+ * Sanitize findings before JSON serialization or upload.
+ * Policy: Finding objects must NEVER contain secret values.
+ * Only metadata about secrets (length, entropy score, masked preview).
+ */
+/**
+ * Patterns that might indicate a secret value leaked into a finding field.
+ */
+const SECRET_INDICATORS = [
+    /sk-[a-zA-Z0-9]{20,}/,
+    /sk-ant-[a-zA-Z0-9\-]{20,}/,
+    /AIza[a-zA-Z0-9_\-]{30,}/,
+    /AKIA[A-Z0-9]{16}/,
+    /(?:ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{30,}/,
+    /xox[bpras]-[a-zA-Z0-9\-]{10,}/,
+    /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/,
+    /(?:sk|pk)_(?:live|test)_[a-zA-Z0-9]{20,}/,
+    /\d{8,10}:[a-zA-Z0-9_-]{35}/,
+    // FIX: Additional patterns to match secrets detected by the scanner
+    /whsec_[a-zA-Z0-9]{20,}/, // Stripe webhook secrets
+    /rk_live_[a-zA-Z0-9]{20,}/, // Stripe restricted keys
+    /[MN][a-zA-Z0-9]{23,}\.[a-zA-Z0-9_-]{6}\.[a-zA-Z0-9_-]{27,}/, // Discord tokens
+];
+function containsSecret(text) {
+    return SECRET_INDICATORS.some((pattern) => pattern.test(text));
+}
+function redactSecrets(text) {
+    let result = text;
+    for (const pattern of SECRET_INDICATORS) {
+        result = result.replace(new RegExp(pattern.source, "g"), "[REDACTED]");
+    }
+    return result;
+}
+/**
+ * Sanitize a single finding — strip any secret values from all string fields.
+ */
+function sanitizeFinding(finding) {
+    return {
+        ...finding,
+        title: containsSecret(finding.title)
+            ? redactSecrets(finding.title)
+            : finding.title,
+        description: containsSecret(finding.description)
+            ? redactSecrets(finding.description)
+            : finding.description,
+        risk: containsSecret(finding.risk)
+            ? redactSecrets(finding.risk)
+            : finding.risk,
+        remediation: containsSecret(finding.remediation)
+            ? redactSecrets(finding.remediation)
+            : finding.remediation,
+    };
+}
+/**
+ * Sanitize all findings in an array.
+ * Call this before any JSON.stringify() or upload operation.
+ */
+export function sanitizeFindings(findings) {
+    return findings.map(sanitizeFinding);
+}
+/**
+ * Redact file paths from findings for safe sharing.
+ * Replaces full paths with just the filename or a generic placeholder.
+ */
+export function redactPaths(findings) {
+    return findings.map((finding) => {
+        let description = finding.description;
+        // Redact full paths in description, keeping just filename
+        // Windows paths: C:\Users\...\filename -> [path]/filename
+        // Unix paths: /home/user/.../filename -> [path]/filename
+        description = description.replace(/[A-Z]:\\[^"'\s]+\\([^"'\s\\]+)/gi, "[path]/$1");
+        description = description.replace(/\/(?:home|Users|root|var|etc)[^"'\s]*\/([^"'\s/]+)/g, "[path]/$1");
+        return {
+            ...finding,
+            description,
+            // Remove the file path entirely, keep just the line number concept
+            file: finding.file
+                ? `[redacted]/${finding.file.split(/[/\\]/).pop()}`
+                : undefined,
+        };
+    });
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../src/sanitize.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,MAAM,iBAAiB,GAAG;IACxB,qBAAqB;IACrB,2BAA2B;IAC3B,yBAAyB;IACzB,kBAAkB;IAClB,0CAA0C;IAC1C,+BAA+B;IAC/B,+CAA+C;IAC/C,0CAA0C;IAC1C,4BAA4B;IAC5B,oEAAoE;IACpE,wBAAwB,EAAiB,yBAAyB;IAClE,0BAA0B,EAAe,yBAAyB;IAClE,4DAA4D,EAAE,iBAAiB;CAChF,CAAC;AAEF,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,YAAY,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAgB;IACvC,OAAO;QACL,GAAG,OAAO;QACV,KAAK,EAAE,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,OAAO,CAAC,KAAK;QACjB,WAAW,EAAE,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC9C,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,WAAW,CAAC;YACpC,CAAC,CAAC,OAAO,CAAC,WAAW;QACvB,IAAI,EAAE,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC;YAChC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,CAAC,CAAC,OAAO,CAAC,IAAI;QAChB,WAAW,EAAE,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC9C,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,WAAW,CAAC;YACpC,CAAC,CAAC,OAAO,CAAC,WAAW;KACxB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAmB;IAClD,OAAO,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,QAAmB;IAC7C,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QAEtC,0DAA0D;QAC1D,0DAA0D;QAC1D,yDAAyD;QACzD,WAAW,GAAG,WAAW,CAAC,OAAO,CAC/B,kCAAkC,EAClC,WAAW,CACZ,CAAC;QACF,WAAW,GAAG,WAAW,CAAC,OAAO,CAC/B,qDAAqD,EACrD,WAAW,CACZ,CAAC;QAEF,OAAO;YACL,GAAG,OAAO;YACV,WAAW;YACX,mEAAmE;YACnE,IAAI,EAAE,OAAO,CAAC,IAAI;gBAChB,CAAC,CAAC,cAAc,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;gBACnD,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/scanner.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Main scanner orchestrator.
+ *
+ * Pipeline:
+ * 1. Discover files
+ * 2. Parse config, env, markdown
+ * 3. Run all check categories
+ * 4. Score results
+ * 5. Sanitize findings
+ * 6. Separate findings from suggestions (by confidence)
+ * 7. Return ScanResult
+ */
+import type { ScanOptions, ScanResult } from "./types.js";
+/**
+ * Run the full security scan.
+ */
+export declare function scan(options: ScanOptions): Promise<ScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAoBH,OAAO,KAAK,EAAW,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AA0EnE;;GAEG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA0LpE"}

package/dist/scanner.js

@@ -0,0 +1,236 @@
+/**
+ * Main scanner orchestrator.
+ *
+ * Pipeline:
+ * 1. Discover files
+ * 2. Parse config, env, markdown
+ * 3. Run all check categories
+ * 4. Score results
+ * 5. Sanitize findings
+ * 6. Separate findings from suggestions (by confidence)
+ * 7. Return ScanResult
+ */
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import chalk from "chalk";
+import { findOpenClawDir, discoverFiles } from "./discover.js";
+import { parseConfig, readConfigRaw } from "./parsers/config.js";
+import { runIdentityChecks } from "./checks/identity.js";
+import { runNetworkChecks } from "./checks/network.js";
+import { runSandboxChecks } from "./checks/sandbox.js";
+import { runSecretChecks } from "./checks/secrets.js";
+import { runModelChecks } from "./checks/model.js";
+import { runCloudSyncCheck } from "./checks/cloud-sync.js";
+import { runToolChecks } from "./checks/tools.js";
+import { runSkillChecks } from "./checks/skills.js";
+import { runDataProtectionChecks } from "./checks/data-protection.js";
+import { runOperationalChecks } from "./checks/operational.js";
+import { calculateScore } from "./scoring.js";
+import { sanitizeFindings } from "./sanitize.js";
+const execFileAsync = promisify(execFile);
+/**
+ * Deduplicate findings by check ID.
+ * When the same check fires for multiple files (e.g., SECRET-005 for each credential file),
+ * aggregate them into a single finding with updated description showing the count and file list.
+ */
+function deduplicateFindings(findings) {
+    const grouped = new Map();
+    for (const f of findings) {
+        const existing = grouped.get(f.id) || [];
+        existing.push(f);
+        grouped.set(f.id, existing);
+    }
+    const deduplicated = [];
+    for (const [id, group] of grouped) {
+        if (group.length === 1) {
+            deduplicated.push(group[0]);
+        }
+        else {
+            // Aggregate multiple findings with same ID
+            const first = group[0];
+            const files = group.map((f) => f.file).filter(Boolean);
+            const uniqueFiles = [...new Set(files)];
+            // Build aggregated description
+            let description = first.description;
+            if (uniqueFiles.length > 1) {
+                const fileList = uniqueFiles.length <= 3
+                    ? uniqueFiles.map((f) => f.split(/[/\\]/).pop()).join(", ")
+                    : `${uniqueFiles.slice(0, 3).map((f) => f.split(/[/\\]/).pop()).join(", ")}... and ${uniqueFiles.length - 3} more`;
+                description = `${first.title} (${group.length} occurrences in: ${fileList})`;
+            }
+            deduplicated.push({
+                ...first,
+                description,
+                // Keep the first file for reference, but note there are more
+                file: uniqueFiles[0],
+            });
+        }
+    }
+    return deduplicated;
+}
+/**
+ * TOTAL_CHECKS: This is the "marketed" number of checks (100-point audit).
+ * The actual number of check IDs varies based on config and files found,
+ * since some checks only fire conditionally. We track checksRun separately
+ * from this constant, which represents the maximum possible checks in a
+ * comprehensive scan. The score formula uses actual findings, not this number.
+ */
+const TOTAL_CHECKS = 100;
+/**
+ * Detect OpenClaw version by running `openclaw --version`.
+ */
+async function detectVersion() {
+    try {
+        const { stdout } = await execFileAsync("openclaw", ["--version"], {
+            timeout: 5000,
+        });
+        return stdout.trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Run the full security scan.
+ */
+export async function scan(options) {
+    const startTime = Date.now();
+    // Use stderr for progress messages when JSON output is requested
+    const log = options.json
+        ? (...args) => console.error(...args)
+        : (...args) => console.log(...args);
+    // Step 0: Find OpenClaw installation
+    const openclawDir = await findOpenClawDir(options.openclawPath);
+    if (!openclawDir) {
+        console.error(chalk.red("\n  OpenClaw installation not found."));
+        console.error(chalk.dim("  Try: clawhatch scan --path /custom/path"));
+        console.error(chalk.dim("  Common locations:"));
+        if (process.platform === "win32") {
+            console.error(chalk.dim("    Windows: %APPDATA%\\openclaw"));
+        }
+        console.error(chalk.dim("    macOS/Linux: ~/.openclaw"));
+        process.exit(1);
+    }
+    // Step 0.5: Detect version
+    const version = await detectVersion();
+    if (version) {
+        log(chalk.dim(`  OpenClaw version: ${version}`));
+    }
+    // Step 1: Discover files
+    log(chalk.dim("  Discovering files..."));
+    const { files, symlinkWarnings } = await discoverFiles(openclawDir, options.workspacePath ?? null);
+    // Report symlink warnings
+    for (const warning of symlinkWarnings) {
+        log(chalk.yellow(`  Warning: ${warning}`));
+    }
+    let filesScanned = 0;
+    if (files.configPath)
+        filesScanned++;
+    if (files.envPath)
+        filesScanned++;
+    filesScanned += files.credentialFiles.length;
+    filesScanned += files.authProfileFiles.length;
+    filesScanned += files.sessionLogFiles.length;
+    filesScanned += files.workspaceMarkdownFiles.length;
+    filesScanned += files.skillFiles.length;
+    filesScanned += files.customCommandFiles.length;
+    filesScanned += files.skillPackageFiles.length;
+    filesScanned += files.privateKeyFiles.length;
+    filesScanned += files.sshKeyFiles.length;
+    if (!files.configPath) {
+        log(chalk.yellow("  Warning: openclaw.json not found — config-based checks will be limited"));
+    }
+    if (!options.workspacePath) {
+        log(chalk.dim("  Tip: Run with --workspace <path> for full scan including SOUL.md, skills, etc."));
+    }
+    // Step 2: Parse files
+    log(chalk.dim("  Parsing configuration..."));
+    const config = files.configPath
+        ? await parseConfig(files.configPath)
+        : null;
+    const configRaw = files.configPath
+        ? await readConfigRaw(files.configPath)
+        : null;
+    // FIX: Warn if config file exists but couldn't be parsed (corrupt JSON, encoding issues, etc.)
+    if (files.configPath && !config) {
+        log(chalk.yellow("  Warning: openclaw.json exists but could not be parsed — config-based checks will be skipped"));
+    }
+    // Step 3: Run all checks
+    log(chalk.dim("  Running 100 security checks..."));
+    const allFindings = [];
+    if (config) {
+        // Identity & Access (checks 1-15)
+        const identityFindings = await runIdentityChecks(config, {
+            credentialFiles: files.credentialFiles,
+            authProfileFiles: files.authProfileFiles,
+        });
+        allFindings.push(...identityFindings);
+        // Network Exposure (checks 16-25)
+        const networkFindings = await runNetworkChecks(config);
+        allFindings.push(...networkFindings);
+        // Sandbox Configuration (checks 26-33)
+        const sandboxFindings = await runSandboxChecks(config);
+        allFindings.push(...sandboxFindings);
+    }
+    // Secret Scanning (checks 34-43)
+    if (config || files.workspaceMarkdownFiles.length > 0) {
+        const secretFindings = await runSecretChecks(config || {}, configRaw, files, options.deep);
+        allFindings.push(...secretFindings);
+    }
+    // Model Security (checks 44-50)
+    if (config) {
+        const soulMdPath = files.workspaceMarkdownFiles.find((f) => f.toLowerCase().endsWith("soul.md")) ?? null;
+        const modelFindings = await runModelChecks(config, soulMdPath);
+        allFindings.push(...modelFindings);
+    }
+    // Tool Security (checks TOOLS-001 to TOOLS-020)
+    if (config) {
+        const toolFindings = await runToolChecks(config, files);
+        allFindings.push(...toolFindings);
+    }
+    // Skill Security (checks SKILLS-001 to SKILLS-012)
+    if (config || files.skillFiles.length > 0) {
+        const skillFindings = await runSkillChecks(config || {}, files);
+        allFindings.push(...skillFindings);
+    }
+    // Data Protection (checks DATA-001 to DATA-010)
+    {
+        const dataFindings = await runDataProtectionChecks(config || {}, files);
+        allFindings.push(...dataFindings);
+    }
+    // Operational Security (checks OPS-001 to OPS-007)
+    {
+        const opsFindings = await runOperationalChecks(config || {}, files);
+        allFindings.push(...opsFindings);
+    }
+    // Cloud Sync Detection (check 51)
+    const cloudFindings = await runCloudSyncCheck(openclawDir);
+    allFindings.push(...cloudFindings);
+    // Step 4: Deduplicate findings by check ID
+    // When the same issue (e.g., SECRET-005 for loose permissions) appears in multiple files,
+    // aggregate them into a single finding with a count, rather than N separate findings.
+    const deduplicatedFindings = deduplicateFindings(allFindings);
+    // Step 5: Separate findings from suggestions
+    const findings = deduplicatedFindings.filter((f) => f.confidence !== "low");
+    const suggestions = deduplicatedFindings.filter((f) => f.confidence === "low");
+    // Step 6: Sanitize (strip any accidental secret values)
+    const sanitizedFindings = sanitizeFindings(findings);
+    const sanitizedSuggestions = sanitizeFindings(suggestions);
+    // Step 7: Calculate score (only high-confidence findings count)
+    const score = calculateScore(sanitizedFindings);
+    const duration = Date.now() - startTime;
+    return {
+        timestamp: new Date().toISOString(),
+        openclawVersion: version,
+        score,
+        findings: sanitizedFindings,
+        suggestions: sanitizedSuggestions,
+        filesScanned,
+        checksRun: TOTAL_CHECKS,
+        // FIX: Clamp to 0 — more findings than checks is possible since some checks emit multiple findings
+        checksPassed: Math.max(0, TOTAL_CHECKS - sanitizedFindings.length),
+        duration,
+        platform: process.platform,
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAIjD,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,QAAmB;IAC9C,MAAM,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAC;IAE7C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACzC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,YAAY,GAAc,EAAE,CAAC;IACnC,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,2CAA2C;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;YACnE,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;YAExC,+BAA+B;YAC/B,IAAI,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;YACpC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,MAAM,QAAQ,GACZ,WAAW,CAAC,MAAM,IAAI,CAAC;oBACrB,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;oBAC3D,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,WAAW,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC;gBACvH,WAAW,GAAG,GAAG,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,MAAM,oBAAoB,QAAQ,GAAG,CAAC;YAC/E,CAAC;YAED,YAAY,CAAC,IAAI,CAAC;gBAChB,GAAG,KAAK;gBACR,WAAW;gBACX,6DAA6D;gBAC7D,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,YAAY,GAAG,GAAG,CAAC;AAEzB;;GAEG;AACH,KAAK,UAAU,aAAa;IAC1B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,CAAC,WAAW,CAAC,EAAE;YAChE,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,iEAAiE;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI;QACtB,CAAC,CAAC,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAChD,CAAC,CAAC,CAAC,GAAG,IAAe,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IAEjD,qCAAqC;IACrC,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;IACtC,IAAI,OAAO,EAAE,CAAC;QACZ,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,uBAAuB,OAAO,EAAE,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,yBAAyB;IACzB,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC,CAAC;IACzC,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,MAAM,aAAa,CACpD,WAAW,EACX,OAAO,CAAC,aAAa,IAAI,IAAI,CAC9B,CAAC;IAEF,0BAA0B;IAC1B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,KAAK,CAAC,UAAU;QAAE,YAAY,EAAE,CAAC;IACrC,IAAI,KAAK,CAAC,OAAO;QAAE,YAAY,EAAE,CAAC;IAClC,YAAY,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC;IAC7C,YAAY,IAAI,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC;IAC9C,YAAY,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC;IAC7C,YAAY,IAAI,KAAK,CAAC,sBAAsB,CAAC,MAAM,CAAC;IACpD,YAAY,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;IACxC,YAAY,IAAI,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC;IAChD,YAAY,IAAI,KAAK,CAAC,iBAAiB,CAAC,MAAM,CAAC;IAC/C,YAAY,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC;IAC7C,YAAY,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC;IAEzC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QACtB,GAAG,CACD,KAAK,CAAC,MAAM,CACV,0EAA0E,CAC3E,CACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,GAAG,CACD,KAAK,CAAC,GAAG,CACP,kFAAkF,CACnF,CACF,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,UAAU;QAC7B,CAAC,CAAC,MAAM,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC;QACrC,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU;QAChC,CAAC,CAAC,MAAM,aAAa,CAAC,KAAK,CAAC,UAAU,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC;IAET,+FAA+F;IAC/F,IAAI,KAAK,CAAC,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,GAAG,CACD,KAAK,CAAC,MAAM,CACV,+FAA+F,CAChG,CACF,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC,CAAC;IACnD,MAAM,WAAW,GAAc,EAAE,CAAC;IAElC,IAAI,MAAM,EAAE,CAAC;QACX,kCAAkC;QAClC,MAAM,gBAAgB,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE;YACvD,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;SACzC,CAAC,CAAC;QACH,WAAW,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;QAEtC,kCAAkC;QAClC,MAAM,eAAe,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACvD,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;QAErC,uCAAuC;QACvC,MAAM,eAAe,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACvD,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IACvC,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,cAAc,GAAG,MAAM,eAAe,CAC1C,MAAM,IAAI,EAAE,EACZ,SAAS,EACT,KAAK,EACL,OAAO,CAAC,IAAI,CACb,CAAC;QACF,WAAW,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;IACtC,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,UAAU,GAAG,KAAK,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACzD,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CACpC,IAAI,IAAI,CAAC;QACV,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC/D,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,gDAAgD;IAChD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACxD,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IACpC,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,MAAM,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QAChE,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,gDAAgD;IAChD,CAAC;QACC,MAAM,YAAY,GAAG,MAAM,uBAAuB,CAAC,MAAM,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QACxE,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IACpC,CAAC;IAED,mDAAmD;IACnD,CAAC;QACC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,MAAM,IAAI,EAAE,EAAE,KAAK,CAAC,CAAC;QACpE,WAAW,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IACnC,CAAC;IAED,kCAAkC;IAClC,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IAC3D,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IAEnC,2CAA2C;IAC3C,0FAA0F;IAC1F,sFAAsF;IACtF,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;IAE9D,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC;IAE/E,wDAAwD;IACxD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAE3D,gEAAgE;IAChE,MAAM,KAAK,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;IAEhD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAExC,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,eAAe,EAAE,OAAO;QACxB,KAAK;QACL,QAAQ,EAAE,iBAAiB;QAC3B,WAAW,EAAE,oBAAoB;QACjC,YAAY;QACZ,SAAS,EAAE,YAAY;QACvB,mGAAmG;QACnG,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,GAAG,iBAAiB,CAAC,MAAM,CAAC;QAClE,QAAQ;QACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC;AACJ,CAAC"}

package/dist/scoring.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Score calculation engine.
+ *
+ * Formula:
+ *   base = 100
+ *   penalties: CRITICAL=-15, HIGH=-8, MEDIUM=-3, LOW=-1
+ *   score = max(0, base - sum(penalties))
+ *   Cap: any CRITICAL finding hard-caps score at 40
+ */
+import { type Finding } from "./types.js";
+export declare function calculateScore(findings: Finding[]): number;
+export declare function getScoreGrade(score: number): {
+    grade: string;
+    label: string;
+    color: "green" | "yellow" | "red" | "magenta";
+};
+//# sourceMappingURL=scoring.d.ts.map

package/dist/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAY,KAAK,OAAO,EAAE,MAAM,YAAY,CAAC;AAWpD,wBAAgB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAmB1D;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;CAC/C,CASA"}

package/dist/scoring.js

@@ -0,0 +1,47 @@
+/**
+ * Score calculation engine.
+ *
+ * Formula:
+ *   base = 100
+ *   penalties: CRITICAL=-15, HIGH=-8, MEDIUM=-3, LOW=-1
+ *   score = max(0, base - sum(penalties))
+ *   Cap: any CRITICAL finding hard-caps score at 40
+ */
+import { Severity } from "./types.js";
+const PENALTIES = {
+    [Severity.Critical]: 15,
+    [Severity.High]: 8,
+    [Severity.Medium]: 3,
+    [Severity.Low]: 1,
+};
+const CRITICAL_CAP = 40;
+export function calculateScore(findings) {
+    const base = 100;
+    let totalPenalty = 0;
+    let hasCritical = false;
+    for (const finding of findings) {
+        totalPenalty += PENALTIES[finding.severity];
+        if (finding.severity === Severity.Critical) {
+            hasCritical = true;
+        }
+    }
+    let score = Math.max(0, base - totalPenalty);
+    if (hasCritical && score > CRITICAL_CAP) {
+        score = CRITICAL_CAP;
+    }
+    return score;
+}
+export function getScoreGrade(score) {
+    if (score >= 90)
+        return { grade: "A+", label: "Excellent", color: "green" };
+    if (score >= 80)
+        return { grade: "A", label: "Good", color: "green" };
+    if (score >= 70)
+        return { grade: "B", label: "Acceptable", color: "yellow" };
+    if (score >= 50)
+        return { grade: "C", label: "Needs Work", color: "yellow" };
+    if (score >= 30)
+        return { grade: "D", label: "Poor", color: "red" };
+    return { grade: "F", label: "Critical", color: "magenta" };
+}
+//# sourceMappingURL=scoring.js.map

package/dist/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAgB,MAAM,YAAY,CAAC;AAEpD,MAAM,SAAS,GAA6B;IAC1C,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE;IACvB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAClB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;IACpB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;CAClB,CAAC;AAEF,MAAM,YAAY,GAAG,EAAE,CAAC;AAExB,MAAM,UAAU,cAAc,CAAC,QAAmB;IAChD,MAAM,IAAI,GAAG,GAAG,CAAC;IACjB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,YAAY,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC3C,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,YAAY,CAAC,CAAC;IAE7C,IAAI,WAAW,IAAI,KAAK,GAAG,YAAY,EAAE,CAAC;QACxC,KAAK,GAAG,YAAY,CAAC;IACvB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IAKzC,IAAI,KAAK,IAAI,EAAE;QACb,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC7D,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IACtE,IAAI,KAAK,IAAI,EAAE;QACb,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAC9D,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IAC7E,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACpE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC7D,CAAC"}

package/dist/telemetry.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Telemetry module — anonymizes scan results and uploads threat reports.
+ * Only shares check IDs, severities, and categories. Never sends file paths,
+ * descriptions, or remediation text.
+ */
+import type { ScanResult, ThreatReport } from "./types.js";
+/** Stable per-machine identifier (first 16 hex chars of SHA-256 of hostname:username). */
+export declare function getInstanceId(): string;
+/** Strip a ScanResult down to only safe-to-share metadata. */
+export declare function anonymizeScanResult(result: ScanResult): ThreatReport;
+/** POST a ThreatReport to the community API. Never throws. */
+export declare function uploadThreatReport(report: ThreatReport, apiUrl: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+//# sourceMappingURL=telemetry.d.ts.map

package/dist/telemetry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE3D,0FAA0F;AAC1F,wBAAgB,aAAa,IAAI,MAAM,CAGtC;AAED,8DAA8D;AAC9D,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,UAAU,GAAG,YAAY,CAepE;AAED,8DAA8D;AAC9D,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,YAAY,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB/C"}