clawmoat 0.5.0 → 0.8.0

package/docs/business/install.html

@@ -0,0 +1,247 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Install ClawMoat — One Command, Enterprise-Grade Agent Security</title>
+<meta name="description" content="Install ClawMoat in 60 seconds. One command sets up permission tiers, credential protection, audit trails, and secret scanning for your AI agents.">
+<link rel="canonical" href="https://clawmoat.com/business/install.html">
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+
+<meta property="og:title" content="One Command. Enterprise-Grade Agent Security.">
+<meta property="og:description" content="Install ClawMoat in 60 seconds — permission tiers, credential protection, audit trails for AI agents.">
+<meta property="og:image" content="https://clawmoat.com/og-image.png">
+<meta property="og:url" content="https://clawmoat.com/business/install.html">
+<meta property="og:type" content="website">
+
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B;--cyan:#06B6D4}
+html{scroll-behavior:smooth}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+
+/* Nav */
+.nav{padding:1rem 2rem;display:flex;align-items:center;gap:1rem;border-bottom:1px solid rgba(255,255,255,.06)}
+.nav-logo{font-size:1.3rem;font-weight:700;color:var(--white)}
+.nav a{color:var(--gray);font-size:.9rem}
+.nav a:hover{color:var(--white)}
+
+/* Hero */
+.hero{text-align:center;padding:5rem 2rem 4rem;max-width:800px;margin:0 auto}
+.hero h1{font-size:clamp(2rem,5vw,3.2rem);line-height:1.2;margin-bottom:1rem}
+.hero h1 span{color:var(--emerald)}
+.hero p{color:var(--gray);font-size:1.15rem;margin-bottom:2.5rem;max-width:600px;margin-left:auto;margin-right:auto}
+
+/* Install box */
+.install-box{background:var(--navy-light);border:1px solid var(--navy-mid);border-radius:12px;padding:2rem;max-width:700px;margin:0 auto 1.5rem;position:relative}
+.install-box code{font-family:'SF Mono',Monaco,'Cascadia Code',monospace;font-size:1.1rem;color:var(--emerald);display:block;padding:.8rem;background:rgba(0,0,0,.3);border-radius:8px;cursor:pointer;transition:background .2s}
+.install-box code:hover{background:rgba(0,0,0,.5)}
+.install-box .label{color:var(--gray);font-size:.85rem;margin-bottom:.5rem}
+.install-box .enterprise{margin-top:1rem;padding-top:1rem;border-top:1px solid var(--navy-mid)}
+.install-box .enterprise code{color:var(--amber);font-size:.95rem}
+.copy-hint{color:var(--gray);font-size:.8rem;text-align:center;margin-bottom:3rem}
+.copied{color:var(--emerald) !important}
+
+/* Sections */
+.section{max-width:900px;margin:0 auto;padding:3rem 2rem}
+.section h2{font-size:1.8rem;margin-bottom:1.5rem;text-align:center}
+.section h2 span{color:var(--emerald)}
+
+/* Steps */
+.steps{display:grid;gap:1.5rem}
+.step{display:flex;gap:1.2rem;align-items:flex-start;background:var(--navy-light);padding:1.5rem;border-radius:10px;border:1px solid var(--navy-mid)}
+.step-num{background:var(--emerald);color:var(--navy);font-weight:700;width:36px;height:36px;border-radius:50%;display:flex;align-items:center;justify-content:center;flex-shrink:0;font-size:.9rem}
+.step h3{font-size:1.05rem;margin-bottom:.3rem}
+.step p{color:var(--gray);font-size:.9rem}
+
+/* Comparison table */
+.compare{display:grid;grid-template-columns:1fr 1fr;gap:2rem;margin-top:1.5rem}
+@media(max-width:600px){.compare{grid-template-columns:1fr}}
+.compare-col{background:var(--navy-light);border-radius:10px;padding:1.5rem;border:1px solid var(--navy-mid)}
+.compare-col.bad{border-color:rgba(239,68,68,.3)}
+.compare-col.good{border-color:rgba(16,185,129,.3)}
+.compare-col h3{font-size:1.1rem;margin-bottom:1rem;display:flex;align-items:center;gap:.5rem}
+.compare-col ul{list-style:none;display:flex;flex-direction:column;gap:.6rem}
+.compare-col.bad li::before{content:'❌ '}
+.compare-col.good li::before{content:'✅ '}
+.compare-col li{color:var(--gray);font-size:.9rem}
+
+/* FAQ */
+.faq{display:grid;gap:1rem;margin-top:1.5rem}
+.faq-item{background:var(--navy-light);border-radius:10px;padding:1.5rem;border:1px solid var(--navy-mid)}
+.faq-item h3{font-size:1rem;margin-bottom:.5rem;color:var(--white)}
+.faq-item p{color:var(--gray);font-size:.9rem}
+
+/* CTA */
+.cta{text-align:center;padding:4rem 2rem;border-top:1px solid var(--navy-mid)}
+.cta h2{font-size:1.8rem;margin-bottom:1rem}
+.cta p{color:var(--gray);margin-bottom:2rem}
+.cta-buttons{display:flex;gap:1rem;justify-content:center;flex-wrap:wrap}
+.btn{display:inline-flex;align-items:center;gap:.5rem;padding:.8rem 1.5rem;border-radius:8px;font-weight:600;font-size:.95rem;transition:transform .2s,opacity .2s}
+.btn:hover{transform:translateY(-1px);text-decoration:none;opacity:.9}
+.btn-primary{background:var(--emerald);color:var(--navy)}
+.btn-secondary{background:var(--navy-light);color:var(--white);border:1px solid var(--navy-mid)}
+
+/* Footer */
+.footer{text-align:center;padding:2rem;color:var(--gray);font-size:.85rem;border-top:1px solid rgba(255,255,255,.06)}
+</style>
+</head>
+<body>
+
+<nav class="nav">
+  <a href="/" class="nav-logo">🏰 ClawMoat</a>
+  <a href="/business/">Business</a>
+  <a href="/blog/">Blog</a>
+  <a href="https://github.com/ClawMoat/clawmoat">GitHub</a>
+</nav>
+
+<!-- Hero -->
+<section class="hero">
+  <h1>One Command.<br><span>Enterprise-Grade Agent Security.</span></h1>
+  <p>Install ClawMoat in 60 seconds. Hardened config, credential protection, audit trails — all running locally on your machine.</p>
+
+  <div class="install-box">
+    <div class="label">Run this in your terminal:</div>
+    <code onclick="copyCmd(this, 'curl -fsSL https://clawmoat.com/install.sh | bash')">curl -fsSL https://clawmoat.com/install.sh | bash</code>
+    <div class="enterprise">
+      <div class="label">Enterprise (adds FinanceGuard, MCP Firewall, SOX templates):</div>
+      <code onclick="copyCmd(this, 'curl -fsSL https://clawmoat.com/install.sh | bash -s -- --enterprise')">curl -fsSL https://clawmoat.com/install.sh | bash -s -- --enterprise</code>
+    </div>
+  </div>
+  <div class="copy-hint">Click to copy • Works on Linux, macOS, and WSL</div>
+</section>
+
+<!-- What it does -->
+<section class="section">
+  <h2>What <span>It Does</span></h2>
+  <div class="steps">
+    <div class="step">
+      <div class="step-num">1</div>
+      <div>
+        <h3>Detects Your OS</h3>
+        <p>Identifies Linux, macOS, or WSL and adapts accordingly. No sudo required.</p>
+      </div>
+    </div>
+    <div class="step">
+      <div class="step-num">2</div>
+      <div>
+        <h3>Checks Node.js</h3>
+        <p>Verifies Node.js v18+ is installed. Offers to install via nvm if missing — no system packages modified.</p>
+      </div>
+    </div>
+    <div class="step">
+      <div class="step-num">3</div>
+      <div>
+        <h3>Installs ClawMoat</h3>
+        <p><code style="background:none;padding:0;color:var(--cyan);font-size:.85rem">npm install -g clawmoat</code> — the open-source AI agent security toolkit.</p>
+      </div>
+    </div>
+    <div class="step">
+      <div class="step-num">4</div>
+      <div>
+        <h3>Generates Hardened Config</h3>
+        <p>Creates <code style="background:none;padding:0;color:var(--cyan);font-size:.85rem">~/.clawmoat/config.json</code> with worker-tier permissions, 17+ forbidden credential zones, secret scanning, network logging, and full audit trails.</p>
+      </div>
+    </div>
+    <div class="step">
+      <div class="step-num">5</div>
+      <div>
+        <h3>Runs Security Scan</h3>
+        <p>Scans your machine for exposed credentials, insecure permissions, and .env files. Generates a report showing what it found and what's now protected.</p>
+      </div>
+    </div>
+    <div class="step">
+      <div class="step-num">6</div>
+      <div>
+        <h3>Prints Next Steps</h3>
+        <p>Configure alert webhooks, run your first scan, connect to your team dashboard.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Comparison -->
+<section class="section">
+  <h2>Without vs. <span>With ClawMoat</span></h2>
+  <div class="compare">
+    <div class="compare-col bad">
+      <h3>🚫 Without ClawMoat</h3>
+      <ul>
+        <li>Agents can read ~/.ssh, ~/.aws, any credential file</li>
+        <li>No record of what agents accessed or modified</li>
+        <li>Secrets leak silently in agent output</li>
+        <li>Network requests go unmonitored</li>
+        <li>No compliance evidence for auditors</li>
+        <li>One compromised agent = full system access</li>
+      </ul>
+    </div>
+    <div class="compare-col good">
+      <h3>🏰 With ClawMoat</h3>
+      <ul>
+        <li>17+ credential zones blocked by default</li>
+        <li>Tamper-protected audit trail of every action</li>
+        <li>Real-time secret detection with alerts</li>
+        <li>Full network egress logging</li>
+        <li>SOX-ready compliance templates (Enterprise)</li>
+        <li>Least-privilege tiers contain blast radius</li>
+      </ul>
+    </div>
+  </div>
+</section>
+
+<!-- FAQ -->
+<section class="section">
+  <h2>Frequently Asked <span>Questions</span></h2>
+  <div class="faq">
+    <div class="faq-item">
+      <h3>🔒 Is it safe to run?</h3>
+      <p>Yes. The script runs entirely locally — no data is sent anywhere. It installs an npm package, creates a config file in ~/.clawmoat/, and scans for existing credential exposure. No files are modified or deleted. The script is open-source and auditable on <a href="https://github.com/ClawMoat/clawmoat">GitHub</a>.</p>
+    </div>
+    <div class="faq-item">
+      <h3>📁 What does it change on my system?</h3>
+      <p>It installs the <code>clawmoat</code> npm package globally, creates the <code>~/.clawmoat/</code> directory with a config and audit logs, and optionally installs nvm if Node.js is missing. No system files are modified. No sudo required.</p>
+    </div>
+    <div class="faq-item">
+      <h3>🔄 Can I run it multiple times?</h3>
+      <p>Yes, the script is idempotent. Running it again updates ClawMoat and backs up your existing config before generating a new one.</p>
+    </div>
+    <div class="faq-item">
+      <h3>🗑️ Can I uninstall?</h3>
+      <p>Completely. Run <code>npm uninstall -g clawmoat</code> and <code>rm -rf ~/.clawmoat</code>. That's it — nothing else to clean up.</p>
+    </div>
+    <div class="faq-item">
+      <h3>💼 What does --enterprise add?</h3>
+      <p>FinanceGuard for monitoring high-value operations, MCP Firewall in read-only mode for tool-call governance, and SOX compliance audit templates with controls mapping.</p>
+    </div>
+  </div>
+</section>
+
+<!-- CTA -->
+<section class="cta">
+  <h2>Secure Your AI Agents Today</h2>
+  <p>Open-source core. Enterprise features for teams that need compliance.</p>
+  <div class="cta-buttons">
+    <a href="https://github.com/ClawMoat/clawmoat" class="btn btn-secondary">⭐ Star on GitHub</a>
+    <a href="/business/" class="btn btn-primary">Get ClawMoat Pro →</a>
+  </div>
+</section>
+
+<footer class="footer">
+  © 2026 ClawMoat · <a href="/privacy-policy/">Privacy</a> · <a href="/terms-of-service/">Terms</a> · <a href="/support/">Support</a>
+</footer>
+
+<script>
+function copyCmd(el, text) {
+  navigator.clipboard.writeText(text).then(() => {
+    const orig = el.textContent;
+    el.textContent = '✅ Copied!';
+    el.classList.add('copied');
+    setTimeout(() => { el.textContent = orig; el.classList.remove('copied'); }, 1500);
+  });
+}
+</script>
+</body>
+</html>

package/docs/checklist.html

@@ -0,0 +1,168 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>AI Agent Security Checklist (2026) — ClawMoat</title>
+<meta name="description" content="Free security checklist for AI agent operators. 20 actionable steps to protect your machine, credentials, and data from autonomous AI agents.">
+<meta property="og:title" content="AI Agent Security Checklist (2026)">
+<meta property="og:description" content="20 actionable security steps for AI agent operators. Free, open-source.">
+<link rel="canonical" href="https://clawmoat.com/checklist">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:#0F172A;color:#F8FAFC;line-height:1.8}
+a{color:#3B82F6}
+.container{max-width:760px;margin:0 auto;padding:40px 24px}
+nav{background:rgba(15,23,42,.95);padding:16px 24px;position:fixed;top:0;left:0;right:0;z-index:100;border-bottom:1px solid rgba(59,130,246,.15)}
+nav a{color:#94A3B8;text-decoration:none;margin-right:24px;font-size:.9rem}
+nav a:first-child{color:#F8FAFC;font-weight:700;font-size:1.1rem}
+h1{font-size:2.2rem;font-weight:800;line-height:1.2;margin-bottom:8px;padding-top:80px}
+h2{font-size:1.4rem;font-weight:700;margin:40px 0 16px;color:#10B981}
+p{margin-bottom:16px;color:#CBD5E1}
+.subtitle{color:#94A3B8;font-size:1.1rem;margin-bottom:40px}
+.check-group{background:#1E293B;border:1px solid rgba(255,255,255,.06);border-radius:12px;padding:24px;margin:16px 0}
+.check-item{display:flex;gap:12px;padding:10px 0;border-bottom:1px solid rgba(255,255,255,.04)}
+.check-item:last-child{border-bottom:none}
+.check-box{width:24px;height:24px;border:2px solid #334155;border-radius:6px;flex-shrink:0;margin-top:2px;cursor:pointer}
+.check-item strong{color:#F8FAFC}
+.check-item p{color:#94A3B8;font-size:.9rem;margin:4px 0 0}
+.priority-high{border-left:3px solid #EF4444;padding-left:12px}
+.priority-med{border-left:3px solid #F59E0B;padding-left:12px}
+.priority-low{border-left:3px solid #10B981;padding-left:12px}
+code{background:#0a0e17;padding:2px 8px;border-radius:4px;font-size:.85rem}
+.cta{background:#1E293B;border:1px solid rgba(59,130,246,.3);border-radius:14px;padding:32px;text-align:center;margin:48px 0}
+.btn{display:inline-block;padding:12px 28px;background:#3B82F6;color:#fff;border-radius:8px;text-decoration:none;font-weight:600;margin:8px}
+.legend{display:flex;gap:24px;margin:24px 0;font-size:.85rem;color:#94A3B8}
+.legend span{display:flex;align-items:center;gap:6px}
+.dot{width:12px;height:12px;border-radius:3px;display:inline-block}
+.dot-high{background:#EF4444}
+.dot-med{background:#F59E0B}
+.dot-low{background:#10B981}
+</style>
+</head>
+<body>
+<nav>
+<a href="/">🏰 ClawMoat</a>
+<a href="/blog/">Blog</a>
+<a href="https://github.com/darfaz/clawmoat">GitHub</a>
+<a href="/#pricing">Pricing</a>
+</nav>
+<div class="container">
+<h1>AI Agent Security Checklist</h1>
+<p class="subtitle">20 actionable steps to protect your machine from autonomous AI agents. Updated February 2026.</p>
+
+<div class="legend">
+<span><span class="dot dot-high"></span> Critical</span>
+<span><span class="dot dot-med"></span> Important</span>
+<span><span class="dot dot-low"></span> Recommended</span>
+</div>
+
+<h2>🔐 Credential Protection</h2>
+<div class="check-group">
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Move SSH keys out of agent's reach</strong><p>Use a separate user account or forbidden zone to protect <code>~/.ssh/</code></p></div>
+</div>
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Protect cloud credentials</strong><p>Lock down <code>~/.aws/</code>, <code>~/.gcloud/</code>, <code>~/.azure/</code>, <code>~/.kube/</code></p></div>
+</div>
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Secure browser data</strong><p>Prevent access to browser profile directories (cookies, saved passwords, sessions)</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Protect GPG/PGP keys</strong><p>Lock down <code>~/.gnupg/</code></p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Protect crypto wallets</strong><p>Lock down wallet files, seed phrases, and key stores</p></div>
+</div>
+</div>
+
+<h2>🛡️ Permission Controls</h2>
+<div class="check-group">
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Set a permission tier</strong><p>Start with <code>observer</code> or <code>worker</code> and escalate only as needed</p></div>
+</div>
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Block dangerous shell commands</strong><p>Prevent <code>rm -rf</code>, <code>chmod 777</code>, <code>curl | bash</code>, <code>dd</code></p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Restrict network access</strong><p>Use domain allow/blocklists to control where the agent can connect</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Limit file system scope</strong><p>Restrict the agent to a workspace directory; block access to system files</p></div>
+</div>
+</div>
+
+<h2>🔍 Monitoring & Auditing</h2>
+<div class="check-group">
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Enable audit logging</strong><p>Log every tool call, file access, and shell command</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Monitor credential directories</strong><p>Set up alerts for any access attempts to sensitive directories</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Log network egress</strong><p>Track all outbound URLs and connections</p></div>
+</div>
+<div class="check-item priority-low">
+<div class="check-box"></div>
+<div><strong>Set up webhook alerts</strong><p>Send security events to Slack, Discord, Telegram, or email</p></div>
+</div>
+</div>
+
+<h2>📦 Supply Chain</h2>
+<div class="check-group">
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Audit installed skills/plugins</strong><p>Run integrity checks on all installed agent skills. 13.4% of ClawHub skills have critical issues (Snyk).</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Verify skill hashes after updates</strong><p>Re-check integrity after any skill update or installation</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Scan for suspicious patterns</strong><p>Look for base64-encoded URLs, credential access patterns, obfuscated code</p></div>
+</div>
+</div>
+
+<h2>💬 Input/Output Security</h2>
+<div class="check-group">
+<div class="check-item priority-high">
+<div class="check-box"></div>
+<div><strong>Scan inbound content for prompt injection</strong><p>Emails, web pages, and documents can contain hidden instructions</p></div>
+</div>
+<div class="check-item priority-med">
+<div class="check-box"></div>
+<div><strong>Scan outbound content for secrets</strong><p>Catch API keys, tokens, and credentials before they leave the machine</p></div>
+</div>
+<div class="check-item priority-low">
+<div class="check-box"></div>
+<div><strong>Scan inter-agent messages</strong><p>If running multi-agent systems, scan messages between agents for attack patterns</p></div>
+</div>
+</div>
+
+<div class="cta">
+<h3 style="color:#F8FAFC;margin-bottom:8px">Automate this checklist</h3>
+<p style="color:#94A3B8;margin-bottom:16px">ClawMoat implements all 20 checks. Zero dependencies. MIT licensed.</p>
+<code style="font-size:1rem;background:#0a0e17;padding:8px 16px">npm install -g clawmoat</code>
+<br><br>
+<a href="https://github.com/darfaz/clawmoat" class="btn">⭐ Star on GitHub</a>
+<a href="/#pricing" class="btn" style="background:#10B981">See Plans</a>
+</div>
+
+<p style="font-size:.85rem;color:#64748B;margin-top:40px">Based on OWASP Top 10 for Agentic AI (2026), Cisco AI Defense research, SecurityScorecard STRIKE findings, and Snyk ClawHub analysis.</p>
+</div>
+</body>
+</html>

package/docs/finance/index.html

@@ -0,0 +1,217 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>ClawMoat Finance — Financial Security for AI Agents</title>
+<meta name="description" content="Protect financial data when AI agents handle payments, banking, crypto, and accounting. Transaction guardrails, credential protection, SOX/PCI-DSS compliance.">
+<meta property="og:title" content="ClawMoat Finance — Your AI Agent Shouldn't Have Access to Your Bank">
+<meta property="og:description" content="Transaction approval thresholds, financial credential protection, crypto wallet guards, and compliance-ready audit trails for AI agents.">
+<link rel="canonical" href="https://clawmoat.com/finance/">
+<style>
+  :root { --bg: #0a0a0f; --fg: #e0e0e8; --accent: #00d4aa; --gold: #f5c542; --muted: #888; --card: #14141f; --red: #ff4444; }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background:var(--bg); color:var(--fg); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif; line-height:1.7; }
+  .container { max-width:900px; margin:0 auto; padding:2rem 1.5rem; }
+  .nav { padding:1rem 0; border-bottom:1px solid #2a2a3a; margin-bottom:2rem; display:flex; justify-content:space-between; align-items:center; }
+  .nav a { color:var(--fg); text-decoration:none; margin-right:1.5rem; }
+  .nav a:hover { color:var(--accent); }
+  h1 { font-size:2.8rem; line-height:1.15; margin-bottom:1rem; }
+  h1 span { color:var(--gold); }
+  h2 { color:var(--accent); margin:2.5rem 0 1rem; font-size:1.6rem; }
+  h3 { margin:1.5rem 0 .75rem; font-size:1.2rem; }
+  p { margin-bottom:1rem; }
+  a { color:var(--accent); }
+  .hero { text-align:center; padding:3rem 0; }
+  .hero-sub { color:var(--muted); font-size:1.2rem; max-width:600px; margin:0 auto 2rem; }
+  .badge { display:inline-block; background:var(--gold); color:#000; padding:4px 12px; border-radius:20px; font-size:.8rem; font-weight:700; margin-bottom:1rem; }
+  pre { background:#1a1a2e; padding:1.25rem; border-radius:8px; overflow-x:auto; margin:1rem 0; }
+  code { background:#1a1a2e; padding:.15em .4em; border-radius:4px; font-size:.9em; }
+  pre code { background:none; padding:0; }
+  .feature-grid { display:grid; grid-template-columns:repeat(auto-fit, minmax(260px, 1fr)); gap:1.5rem; margin:2rem 0; }
+  .feature-card { background:var(--card); border:1px solid #2a2a3a; border-radius:12px; padding:1.5rem; }
+  .feature-card h3 { margin-top:0; color:var(--gold); }
+  .feature-card .icon { font-size:2rem; margin-bottom:.5rem; }
+  .who-grid { display:grid; grid-template-columns:repeat(auto-fit, minmax(200px, 1fr)); gap:1rem; margin:1.5rem 0; }
+  .who-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1rem; text-align:center; }
+  .cta { background:var(--gold); color:#000; padding:.75rem 2rem; border-radius:6px; text-decoration:none; font-weight:700; display:inline-block; margin:1rem .5rem 1rem 0; font-size:1.1rem; }
+  .cta:hover { opacity:.9; }
+  .cta-outline { border:2px solid var(--accent); color:var(--accent); background:transparent; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem 0; }
+  .protection-list { list-style:none; padding:0; margin:1rem 0; }
+  .protection-list li { padding:.5rem 0; border-bottom:1px solid #1a1a2e; display:flex; align-items:center; }
+  .protection-list .severity { width:70px; font-size:.75rem; font-weight:bold; border-radius:4px; padding:2px 6px; text-align:center; margin-right:12px; flex-shrink:0; }
+  .severity-critical { background:var(--red); color:#fff; }
+  .severity-high { background:#ff8800; color:#fff; }
+  .stat-grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(140px,1fr)); gap:1rem; margin:2rem 0; }
+  .stat { text-align:center; }
+  .stat .number { font-size:2.5rem; font-weight:bold; color:var(--gold); }
+  .stat .label { color:var(--muted); font-size:.85rem; }
+  .pricing { background:var(--card); border:2px solid var(--gold); border-radius:12px; padding:2rem; margin:2rem 0; text-align:center; }
+  .pricing h3 { color:var(--gold); font-size:1.8rem; margin:0 0 .5rem; }
+  .pricing .price { font-size:2.5rem; font-weight:bold; margin:.5rem 0; }
+  .pricing .price span { font-size:1rem; color:var(--muted); }
+  .pricing ul { text-align:left; max-width:400px; margin:1rem auto; list-style:none; padding:0; }
+  .pricing li { padding:.4rem 0; }
+  .pricing li::before { content:'✅ '; }
+</style>
+</head>
+<body>
+<div class="container">
+<nav class="nav">
+  <div>
+    <a href="/" style="font-weight:bold;font-size:1.1rem">ClawMoat</a>
+    <a href="/blog/">Blog</a>
+    <a href="/finance/" style="color:var(--gold)">Finance</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+  </div>
+  <a href="#pricing" class="cta" style="margin:0;font-size:.9rem;padding:.5rem 1rem">Get Started</a>
+</nav>
+
+<div class="hero">
+  <div class="badge">NEW IN v0.8.0</div>
+  <h1>Your AI Agent Shouldn't Have<br>Access to Your <span>Bank Account</span></h1>
+  <p class="hero-sub">Financial-grade security for AI agents handling payments, crypto, accounting, and banking. Transaction guardrails. Credential protection. Compliance-ready audit trails.</p>
+  <pre style="display:inline-block;text-align:left"><code>npm install clawmoat
+
+const { FinanceGuard } = require('clawmoat');
+const guard = new FinanceGuard({
+  transactionLimit: 1000,       // Approval above $1K
+  dualApprovalThreshold: 10000, // Two approvals above $10K
+  auditFormat: 'sox',           // SOX-compliant trails
+});</code></pre>
+</div>
+
+<div class="stat-grid">
+  <div class="stat"><div class="number">30+</div><div class="label">Financial forbidden zones</div></div>
+  <div class="stat"><div class="number">15+</div><div class="label">Secret patterns detected</div></div>
+  <div class="stat"><div class="number">15</div><div class="label">Financial APIs monitored</div></div>
+  <div class="stat"><div class="number">240</div><div class="label">Tests passing</div></div>
+</div>
+
+<h2>What FinanceGuard Protects</h2>
+
+<div class="feature-grid">
+  <div class="feature-card">
+    <div class="icon">💳</div>
+    <h3>Payment Credentials</h3>
+    <p>Blocks agent access to Stripe keys, Plaid tokens, PayPal configs, Square credentials, and 10+ payment providers.</p>
+  </div>
+  <div class="feature-card">
+    <div class="icon">🪙</div>
+    <h3>Crypto Wallets</h3>
+    <p>Protects Bitcoin, Ethereum, Solana wallets. Detects seed phrases, private keys, keystore files, MetaMask/Phantom data.</p>
+  </div>
+  <div class="feature-card">
+    <div class="icon">🏦</div>
+    <h3>Banking Data</h3>
+    <p>Guards ACH files, SWIFT MT940 statements, BAI files, NACHA payment files, routing numbers, and account data.</p>
+  </div>
+  <div class="feature-card">
+    <div class="icon">📊</div>
+    <h3>Accounting Software</h3>
+    <p>Protects QuickBooks (.qbw/.qbo), Xero, FreshBooks credentials and data files from unauthorized agent access.</p>
+  </div>
+  <div class="feature-card">
+    <div class="icon">💰</div>
+    <h3>Transaction Guardrails</h3>
+    <p>Configurable approval thresholds. Dual-approval for high-value transactions. Rate limiting on financial API calls.</p>
+  </div>
+  <div class="feature-card">
+    <div class="icon">📋</div>
+    <h3>Compliance Reports</h3>
+    <p>SOX and PCI-DSS compliant audit trail generation. Every transaction, every access attempt, every alert — documented.</p>
+  </div>
+</div>
+
+<h2>Transaction Approval Workflow</h2>
+
+<pre><code>// Agent tries to make a $5,000 payment
+const result = guard.evaluateTransaction({
+  amount: 5000,
+  type: 'transfer',
+  recipient: 'vendor@company.com',
+});
+
+// result.approved = false
+// result.requiresApproval = true
+// result.reason = "Amount $5,000 exceeds threshold ($1,000)"
+
+// Human approves
+guard.approveTransaction(result.transactionId, 'cfo@company.com');
+// ✅ Transaction approved, audit trail logged
+
+// For $15K+ transfers: TWO people must approve
+const bigTx = guard.evaluateTransaction({ amount: 15000, type: 'wire' });
+guard.approveTransaction(bigTx.transactionId, 'cfo@company.com');
+// Still pending — needs second approval
+guard.approveTransaction(bigTx.transactionId, 'ceo@company.com');
+// ✅ Now approved</code></pre>
+
+<h2>Who Needs This</h2>
+
+<div class="who-grid">
+  <div class="who-card">
+    <div style="font-size:2rem">🏢</div>
+    <h3>Fintech Startups</h3>
+    <p>Using AI for invoicing, reconciliation, or payment processing</p>
+  </div>
+  <div class="who-card">
+    <div style="font-size:2rem">🪙</div>
+    <h3>Crypto Projects</h3>
+    <p>AI agents managing wallets, DeFi operations, or trading</p>
+  </div>
+  <div class="who-card">
+    <div style="font-size:2rem">📒</div>
+    <h3>Accounting Firms</h3>
+    <p>AI assistants with access to client financial data</p>
+  </div>
+  <div class="who-card">
+    <div style="font-size:2rem">👔</div>
+    <h3>CFOs & Controllers</h3>
+    <p>Automating financial workflows with AI agents</p>
+  </div>
+</div>
+
+<h2>Secrets It Catches</h2>
+
+<ul class="protection-list">
+  <li><span class="severity severity-critical">CRITICAL</span> Stripe secret/restricted keys</li>
+  <li><span class="severity severity-critical">CRITICAL</span> Plaid access tokens</li>
+  <li><span class="severity severity-critical">CRITICAL</span> Bitcoin/Ethereum/Solana private keys</li>
+  <li><span class="severity severity-critical">CRITICAL</span> BIP-39 seed phrases</li>
+  <li><span class="severity severity-critical">CRITICAL</span> Credit card numbers (Visa/MC/Amex/Discover)</li>
+  <li><span class="severity severity-critical">CRITICAL</span> Social Security Numbers</li>
+  <li><span class="severity severity-critical">CRITICAL</span> Bank account + routing numbers</li>
+  <li><span class="severity severity-critical">CRITICAL</span> IBAN numbers</li>
+  <li><span class="severity severity-high">HIGH</span> Stripe publishable keys</li>
+  <li><span class="severity severity-high">HIGH</span> SWIFT/BIC codes</li>
+  <li><span class="severity severity-high">HIGH</span> EIN (Employer ID Numbers)</li>
+  <li><span class="severity severity-high">HIGH</span> Square API keys</li>
+</ul>
+
+<div id="pricing" class="pricing">
+  <h3>ClawMoat Finance</h3>
+  <p style="color:var(--muted)">Included in ClawMoat Pro</p>
+  <div class="price">$14.99<span>/mo</span></div>
+  <ul>
+    <li>All FinanceGuard features</li>
+    <li>30+ financial forbidden zones</li>
+    <li>Transaction approval workflows</li>
+    <li>Dual-approval for high-value ops</li>
+    <li>SOX & PCI-DSS audit reports</li>
+    <li>15 financial API monitors</li>
+    <li>Real-time alerts (Slack/Discord/email)</li>
+    <li>Priority support</li>
+  </ul>
+  <a href="/#pricing" class="cta">Start Free Trial</a>
+  <p style="margin-top:1rem;color:var(--muted);font-size:.85rem">Open-source core available free. Pro adds threat intel, persistent audit, and dashboard.</p>
+</div>
+
+<div style="text-align:center;padding:2rem 0">
+  <p style="color:var(--muted)">Part of the ClawMoat security suite — 240 tests, zero dependencies, MIT license.</p>
+  <a href="https://github.com/darfaz/clawmoat" class="cta-outline">View on GitHub</a>
+</div>
+
+</div>
+</body>
+</html>