npm - clawmoat - Versions diffs - 0.7.0 → 1.0.0 - Mend

clawmoat 0.7.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/.dockerignore +9 -0
package/CHANGELOG.md +18 -0
package/CONTRIBUTING.md +4 -2
package/DEMO.md +87 -0
package/Dockerfile +5 -18
package/README.md +294 -8
package/SECURITY.md +58 -10
package/THREAT_MODEL.md +129 -0
package/agent/README.md +131 -0
package/agent/index.js +471 -0
package/agent/install-service.sh +94 -0
package/agent/openclaw-hook.js +453 -0
package/agent/provider-setup.js +649 -0
package/agent/setup.js +274 -0
package/assets/BADGE-USAGE.md +20 -0
package/assets/clawmoat-badge.svg +21 -0
package/bin/clawmoat.js +468 -111
package/docs/affiliates/dashboard.html +124 -0
package/docs/affiliates/index.html +236 -0
package/docs/agent-install.html +183 -0
package/docs/ai-agent-security-scanner.html +10 -6
package/docs/badge/index.html +149 -0
package/docs/badge/scanning.svg +23 -0
package/docs/blog/386-malicious-skills.html +262 -0
package/docs/blog/40000-exposed-openclaw-instances.html +201 -0
package/docs/blog/agent-trust-protocol.html +198 -0
package/docs/blog/ai-agent-earns-commissions.html +230 -0
package/docs/blog/bugmageddon-agent-firewall.html +174 -0
package/docs/blog/calculator-math.html +180 -0
package/docs/blog/clawmoat-vs-llamafirewall-nemo-guardrails.html +229 -0
package/docs/blog/host-guardian-launch.html +18 -8
package/docs/blog/ibm-experts-agent-runtime-protection.html +247 -0
package/docs/blog/index.html +211 -9
package/docs/blog/langchain-security-tutorial.html +18 -8
package/docs/blog/mcp-30-cves-security-crisis.html +286 -0
package/docs/blog/meta-researcher-rogue-agent.html +201 -0
package/docs/blog/microsoft-openclaw-workstation-security.html +235 -0
package/docs/blog/nist-ai-agent-standards-clawmoat.html +377 -0
package/docs/blog/oasis-websocket-hijack.html +212 -0
package/docs/blog/ollama-openclaw-security.html +160 -0
package/docs/blog/openclaw-enterprise-readiness-claw10.html +199 -0
package/docs/blog/openclaw-security-reckoning-2026.html +368 -0
package/docs/blog/owasp-agentic-ai-top10.html +18 -8
package/docs/blog/securing-ai-agents.html +18 -8
package/docs/blog/supply-chain-agents.html +18 -8
package/docs/business/index.html +525 -0
package/docs/business/install.html +261 -0
package/docs/checklist.html +174 -0
package/docs/compare/index.html +122 -0
package/docs/compare/lakera/index.html +62 -0
package/docs/compare/llm-guard/index.html +49 -0
package/docs/compare/snyk-agent-scan/index.html +63 -0
package/docs/compare.html +10 -6
package/docs/dashboard/index.html +520 -0
package/docs/finance/index.html +220 -0
package/docs/guides/business-deployment.html +770 -0
package/docs/hall-of-fame.html +174 -0
package/docs/index.html +447 -154
package/docs/install.sh +557 -0
package/docs/integrations/langchain.html +14 -6
package/docs/integrations/openai.html +14 -6
package/docs/integrations/openclaw.html +55 -7
package/docs/plans/2026-03-26-threat-intel-api.md +255 -0
package/docs/plans/2026-04-14-bugmageddon-marketing-pack.md +329 -0
package/docs/plans/2026-04-14-clawmoat-v1-bugmageddon.md +248 -0
package/docs/plans/2026-04-14-v1-release-update.md +91 -0
package/docs/plans/2026-04-19-supabase-audit.md +68 -0
package/docs/plans/2026-05-12-sales-push.md +303 -0
package/docs/playground/index.html +893 -0
package/docs/playground.html +4 -7
package/docs/privacy-policy/index.html +122 -0
package/docs/rfcs/defense-in-depth.md +467 -0
package/docs/scan/index.html +358 -0
package/docs/services/case-study.html +255 -0
package/docs/services/downloads/install-openclaw.bat +45 -0
package/docs/services/downloads/install-openclaw.command +38 -0
package/docs/services/downloads/install-openclaw.sh +38 -0
package/docs/services/get-started.html +165 -0
package/docs/services/index.html +598 -0
package/docs/services/multi-agent-security.html +284 -0
package/docs/services/one-pager.html +99 -0
package/docs/services/pitch-deck.html +229 -0
package/docs/services/roi-calculator.html +258 -0
package/docs/sitemap.xml +192 -2
package/docs/support/index.html +135 -0
package/docs/templates/customer-service/HEARTBEAT.md +61 -0
package/docs/templates/customer-service/MEMORY.md +89 -0
package/docs/templates/customer-service/SOUL.md +41 -0
package/docs/templates/customer-service/USER.md +56 -0
package/docs/templates/executive/HEARTBEAT.md +86 -0
package/docs/templates/executive/MEMORY.md +92 -0
package/docs/templates/executive/SOUL.md +44 -0
package/docs/templates/executive/USER.md +62 -0
package/docs/templates/finance/HEARTBEAT.md +58 -0
package/docs/templates/finance/MEMORY.md +87 -0
package/docs/templates/finance/SOUL.md +38 -0
package/docs/templates/finance/USER.md +53 -0
package/docs/templates/index.html +115 -0
package/docs/templates/operations/HEARTBEAT.md +63 -0
package/docs/templates/operations/MEMORY.md +68 -0
package/docs/templates/operations/SOUL.md +38 -0
package/docs/templates/operations/USER.md +49 -0
package/docs/templates/sales/HEARTBEAT.md +55 -0
package/docs/templates/sales/MEMORY.md +89 -0
package/docs/templates/sales/SOUL.md +34 -0
package/docs/templates/sales/USER.md +54 -0
package/docs/terms-of-service/index.html +122 -0
package/eslint.config.js +32 -0
package/evals/README.md +29 -0
package/evals/cases.json +390 -0
package/evals/results.md +68 -0
package/evals/run.js +180 -0
package/examples/basic-usage.js +38 -0
package/examples/demo-attack/demo.js +186 -0
package/examples/python-quickstart/README.md +54 -0
package/examples/python-quickstart/clawmoat_client.py +167 -0
package/examples/video-demo/README.md +14 -0
package/examples/video-demo/scene-a-normal.js +29 -0
package/examples/video-demo/scene-b-attack-arrives.js +31 -0
package/examples/video-demo/scene-c-hijack.js +44 -0
package/examples/video-demo/scene-d-clawmoat.js +46 -0
package/integrations/crewai/README.md +32 -0
package/integrations/crewai/clawmoat_crewai/__init__.py +17 -0
package/integrations/crewai/clawmoat_crewai/guard.py +103 -0
package/integrations/crewai/pyproject.toml +21 -0
package/integrations/langchain/README.md +91 -0
package/integrations/langchain/clawmoat_langchain/__init__.py +17 -0
package/integrations/langchain/clawmoat_langchain/callback.py +489 -0
package/integrations/langchain/pyproject.toml +32 -0
package/integrations/litellm/README.md +324 -0
package/integrations/litellm/clawmoat_litellm/__init__.py +21 -0
package/integrations/litellm/clawmoat_litellm/callback.py +329 -0
package/integrations/litellm/clawmoat_litellm/proxy_middleware.py +224 -0
package/integrations/litellm/pyproject.toml +74 -0
package/integrations/openai-agents/README.md +392 -0
package/integrations/openai-agents/clawmoat_openai_agents/__init__.py +20 -0
package/integrations/openai-agents/clawmoat_openai_agents/guardrail.py +431 -0
package/integrations/openai-agents/clawmoat_openai_agents/middleware.py +311 -0
package/integrations/openai-agents/pyproject.toml +76 -0
package/package.json +6 -5
package/plugins/openclaw-adapter/PHASE1.md +439 -0
package/plugins/openclaw-adapter/README.md +103 -0
package/plugins/openclaw-adapter/SPEC.md +1644 -0
package/plugins/openclaw-adapter/package.json +31 -0
package/plugins/openclaw-adapter/src/index.test.ts +226 -0
package/plugins/openclaw-adapter/src/index.ts +140 -0
package/plugins/openclaw-adapter/tsconfig.json +14 -0
package/server/data/threats.json +290 -0
package/server/index.js +224 -10
package/src/adapters/express.js +161 -0
package/src/adapters/index.js +92 -0
package/src/adapters/langchain.js +185 -0
package/src/approval/index.js +456 -0
package/src/ban-scanner.js +200 -0
package/src/boundary-scanner.js +296 -0
package/src/ci-scanner.js +279 -0
package/src/code-scanner.js +245 -0
package/src/enforce.js +166 -0
package/src/finance/index.js +585 -0
package/src/finance/mcp-firewall.js +486 -0
package/src/formatters/json.js +80 -0
package/src/formatters/sarif.js +388 -0
package/src/guardian/alerts.js +34 -3
package/src/guardian/gateway-monitor.js +590 -0
package/src/guardian/index.js +41 -2
package/src/index.js +105 -0
package/src/integrations/agentmesh.js +501 -0
package/src/language-detector.js +201 -0
package/src/mcp-scanner.js +253 -0
package/src/multimodal/index.js +579 -0
package/src/obfuscation-scanner.js +457 -0
package/src/policy-engine.js +402 -0
package/src/scanners/dependency-attacks.js +128 -0
package/src/scanners/prompt-injection.js +18 -0
package/src/scanners/supply-chain.js +14 -0
package/src/templates/default-config.yml +90 -0
package/src/vuln-ops/exploitability.js +46 -0
package/src/watch/live-monitor.js +720 -0

package/docs/install.sh ADDED Viewed

@@ -0,0 +1,557 @@
+#!/usr/bin/env bash
+# ============================================================================
+# ClawMoat Installer — Enterprise-Grade AI Agent Security
+# https://clawmoat.com/business/install.html
+#
+# Usage:
+#   curl -fsSL https://clawmoat.com/install.sh | bash
+#   curl -fsSL https://clawmoat.com/install.sh | bash -s -- --enterprise
+#
+# ⚠️  This script runs locally — no data is sent anywhere.
+#     It installs ClawMoat via npm and generates a local config.
+#     Source: https://github.com/ClawMoat/clawmoat
+#
+# Exit codes: 0 = success, 1 = error
+# ============================================================================
+set -euo pipefail
+# ─── Colors & Formatting ────────────────────────────────────────────────────
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+CYAN='\033[0;36m'
+BOLD='\033[1m'
+DIM='\033[2m'
+RESET='\033[0m'
+# Disable colors if not a terminal
+if [ ! -t 1 ]; then
+  RED='' GREEN='' YELLOW='' BLUE='' CYAN='' BOLD='' DIM='' RESET=''
+fi
+# ─── Helpers ─────────────────────────────────────────────────────────────────
+info()    { echo -e "${BLUE}ℹ${RESET}  $*"; }
+success() { echo -e "${GREEN}✅${RESET} $*"; }
+warn()    { echo -e "${YELLOW}⚠️${RESET}  $*"; }
+error()   { echo -e "${RED}❌${RESET} $*" >&2; }
+step()    { echo -e "\n${BOLD}${CYAN}▸ $*${RESET}"; }
+divider() { echo -e "${DIM}────────────────────────────────────────────────────${RESET}"; }
+# ─── Flags ───────────────────────────────────────────────────────────────────
+ENTERPRISE=false
+DRY_RUN=false
+CLAWMOAT_DIR="$HOME/.clawmoat"
+CONFIG_FILE="$CLAWMOAT_DIR/config.json"
+for arg in "$@"; do
+  case "$arg" in
+    --enterprise) ENTERPRISE=true ;;
+    --dry-run)    DRY_RUN=true ;;
+    --help|-h)
+      echo "ClawMoat Installer"
+      echo ""
+      echo "Usage: bash install.sh [OPTIONS]"
+      echo ""
+      echo "Options:"
+      echo "  --enterprise  Enable FinanceGuard, McpFirewall, SOX templates"
+      echo "  --dry-run     Show what would be done without making changes"
+      echo "  --help        Show this help message"
+      exit 0
+      ;;
+    *)
+      error "Unknown option: $arg"
+      exit 1
+      ;;
+  esac
+done
+# ─── Banner ──────────────────────────────────────────────────────────────────
+echo ""
+echo -e "${BOLD}🏰 ClawMoat Installer${RESET}"
+echo -e "${DIM}   Enterprise-Grade AI Agent Security${RESET}"
+divider
+echo ""
+echo -e "${DIM}⚠️  This script runs locally — no data is sent anywhere.${RESET}"
+echo -e "${DIM}   All configuration stays on your machine at ~/.clawmoat/${RESET}"
+echo ""
+if $ENTERPRISE; then
+  info "Enterprise mode enabled"
+fi
+if $DRY_RUN; then
+  warn "Dry run — no changes will be made"
+fi
+# ─── Step 1: Detect OS ──────────────────────────────────────────────────────
+step "Detecting operating system..."
+OS="unknown"
+ARCH="$(uname -m)"
+case "$(uname -s)" in
+  Linux*)
+    if grep -qiE "microsoft|wsl" /proc/version 2>/dev/null; then
+      OS="wsl"
+      info "Detected: WSL (Windows Subsystem for Linux) — $ARCH"
+    else
+      OS="linux"
+      info "Detected: Linux — $ARCH"
+    fi
+    ;;
+  Darwin*)
+    OS="macos"
+    info "Detected: macOS — $ARCH"
+    ;;
+  *)
+    error "Unsupported operating system: $(uname -s)"
+    error "ClawMoat supports Linux, macOS, and WSL."
+    exit 1
+    ;;
+esac
+# ─── Step 2: Check Node.js ──────────────────────────────────────────────────
+step "Checking Node.js..."
+NODE_OK=false
+MIN_NODE_MAJOR=18
+check_node_version() {
+  if command -v node &>/dev/null; then
+    NODE_VERSION="$(node -v 2>/dev/null | sed 's/^v//')"
+    NODE_MAJOR="${NODE_VERSION%%.*}"
+    if [ "$NODE_MAJOR" -ge "$MIN_NODE_MAJOR" ] 2>/dev/null; then
+      return 0
+    fi
+  fi
+  return 1
+}
+if check_node_version; then
+  NODE_OK=true
+  success "Node.js v$NODE_VERSION found"
+else
+  warn "Node.js v${MIN_NODE_MAJOR}+ is required but not found."
+  echo ""
+  if $DRY_RUN; then
+    info "Would install Node.js via nvm"
+  else
+    echo -e "  ${BOLD}Install Node.js via nvm?${RESET} (recommended)"
+    echo -e "  This installs nvm and Node.js LTS in your home directory."
+    echo ""
+    read -rp "  Install? [Y/n] " INSTALL_NODE
+    INSTALL_NODE="${INSTALL_NODE:-Y}"
+    if [[ "$INSTALL_NODE" =~ ^[Yy]$ ]]; then
+      step "Installing nvm..."
+      export NVM_DIR="${NVM_DIR:-$HOME/.nvm}"
+      if [ ! -d "$NVM_DIR" ]; then
+        curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
+      fi
+      # Source nvm
+      # shellcheck source=/dev/null
+      [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
+      info "Installing Node.js LTS..."
+      nvm install --lts
+      nvm use --lts
+      if check_node_version; then
+        NODE_OK=true
+        success "Node.js v$NODE_VERSION installed"
+      else
+        error "Node.js installation failed. Please install manually:"
+        echo "  https://nodejs.org/"
+        exit 1
+      fi
+    else
+      error "Node.js v${MIN_NODE_MAJOR}+ is required. Install it from https://nodejs.org/"
+      exit 1
+    fi
+  fi
+fi
+# ─── Step 3: Install ClawMoat ───────────────────────────────────────────────
+step "Installing ClawMoat..."
+if $DRY_RUN; then
+  info "Would run: npm install -g clawmoat"
+else
+  if command -v clawmoat &>/dev/null; then
+    CURRENT_VERSION="$(clawmoat --version 2>/dev/null || echo 'unknown')"
+    info "ClawMoat already installed (v$CURRENT_VERSION). Updating..."
+  fi
+  npm install -g clawmoat 2>&1 | tail -3
+  success "ClawMoat installed: $(clawmoat --version 2>/dev/null || echo 'latest')"
+fi
+# ─── Step 4: Create directory structure ──────────────────────────────────────
+step "Setting up ~/.clawmoat/..."
+DIRS=(
+  "$CLAWMOAT_DIR"
+  "$CLAWMOAT_DIR/audit"
+  "$CLAWMOAT_DIR/reports"
+  "$CLAWMOAT_DIR/templates"
+)
+if $ENTERPRISE; then
+  DIRS+=(
+    "$CLAWMOAT_DIR/finance"
+    "$CLAWMOAT_DIR/mcp-firewall"
+    "$CLAWMOAT_DIR/sox"
+  )
+fi
+if $DRY_RUN; then
+  for d in "${DIRS[@]}"; do
+    info "Would create: $d"
+  done
+else
+  for d in "${DIRS[@]}"; do
+    mkdir -p "$d"
+  done
+  success "Directory structure created"
+fi
+# ─── Step 5: Generate hardened config ────────────────────────────────────────
+step "Generating hardened security configuration..."
+TIMESTAMP="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+# Build the enterprise section if needed
+ENTERPRISE_JSON=""
+if $ENTERPRISE; then
+  ENTERPRISE_JSON=',
+    "enterprise": {
+      "financeGuard": {
+        "enabled": true,
+        "mode": "monitor",
+        "alertOnHighValue": true,
+        "thresholdUsd": 1000
+      },
+      "mcpFirewall": {
+        "enabled": true,
+        "mode": "read-only",
+        "allowedTools": [],
+        "blockedServers": [],
+        "logAllCalls": true
+      },
+      "soxCompliance": {
+        "enabled": true,
+        "auditRetentionDays": 2555,
+        "templateDir": "~/.clawmoat/sox",
+        "controlsFile": "~/.clawmoat/sox/controls.json",
+        "segregationOfDuties": true
+      }
+    }'
+fi
+CONFIG_CONTENT='{
+  "_clawmoat": {
+    "version": "1.0.0",
+    "generatedAt": "'"$TIMESTAMP"'",
+    "generatedBy": "install.sh",
+    "os": "'"$OS"'"
+  },
+  "permissions": {
+    "tier": "worker",
+    "note": "Worker tier: read workspace, write workspace, no system changes. Upgrade to standard/full in config if needed."
+  },
+  "forbiddenZones": [
+    { "path": "~/.ssh",              "label": "SSH keys",              "severity": "critical" },
+    { "path": "~/.gnupg",            "label": "GPG keys",              "severity": "critical" },
+    { "path": "~/.aws",              "label": "AWS credentials",       "severity": "critical" },
+    { "path": "~/.gcloud",           "label": "Google Cloud creds",    "severity": "critical" },
+    { "path": "~/.azure",            "label": "Azure credentials",     "severity": "critical" },
+    { "path": "~/.kube",             "label": "Kubernetes config",     "severity": "critical" },
+    { "path": "~/.docker",           "label": "Docker credentials",    "severity": "high" },
+    { "path": "~/.npmrc",            "label": "npm credentials",       "severity": "high" },
+    { "path": "~/.pypirc",           "label": "PyPI credentials",      "severity": "high" },
+    { "path": "~/.netrc",            "label": "Network credentials",   "severity": "critical" },
+    { "path": "~/.git-credentials",  "label": "Git credentials",       "severity": "critical" },
+    { "path": "~/.config/gcloud",    "label": "Google Cloud config",   "severity": "high" },
+    { "path": "~/.config/gh",        "label": "GitHub CLI tokens",     "severity": "high" },
+    { "path": "~/.password-store",   "label": "Password store",        "severity": "critical" },
+    { "path": "~/.1password",        "label": "1Password data",        "severity": "critical" },
+    { "path": "/etc/shadow",         "label": "System passwords",      "severity": "critical" },
+    { "path": "/etc/sudoers",        "label": "Sudo configuration",    "severity": "critical" }
+  ],
+  "forbiddenPatterns": [
+    { "pattern": "Cookies|Login Data|Web Data", "label": "Browser credentials", "severity": "critical" },
+    { "pattern": ".keychain|.keychain-db",      "label": "macOS Keychain",      "severity": "critical" },
+    { "pattern": "wallet.dat|seed.txt|mnemonic", "label": "Crypto wallet",      "severity": "critical" },
+    { "pattern": ".kdbx|KeePass",               "label": "KeePass database",    "severity": "critical" },
+    { "pattern": ".env|.env.local|.env.prod",    "label": "Environment secrets", "severity": "high" }
+  ],
+  "network": {
+    "egressLogging": true,
+    "logFile": "~/.clawmoat/audit/network.log",
+    "allowedDomains": [],
+    "blockedDomains": [],
+    "alertOnUnknownEgress": true
+  },
+  "secretScanning": {
+    "enabled": true,
+    "scanOnFileAccess": true,
+    "patterns": ["AWS_ACCESS_KEY", "GITHUB_TOKEN", "PRIVATE_KEY", "password", "secret", "api_key"],
+    "alertOnDetection": true
+  },
+  "audit": {
+    "enabled": true,
+    "logDir": "~/.clawmoat/audit",
+    "retentionDays": 90,
+    "logFileAccess": true,
+    "logCommandExecution": true,
+    "logNetworkRequests": true,
+    "tamperProtection": true
+  },
+  "alerts": {
+    "webhookUrl": "",
+    "emailTo": "",
+    "slackChannel": "",
+    "note": "Configure at least one alert channel. Webhook receives JSON POST on security events."
+  }'"$ENTERPRISE_JSON"'
+}'
+if $DRY_RUN; then
+  info "Would write config to: $CONFIG_FILE"
+  echo -e "${DIM}$CONFIG_CONTENT${RESET}" | head -20
+  echo -e "${DIM}  ... (truncated)${RESET}"
+else
+  if [ -f "$CONFIG_FILE" ]; then
+    BACKUP="$CONFIG_FILE.backup.$(date +%s)"
+    cp "$CONFIG_FILE" "$BACKUP"
+    warn "Existing config backed up to: $BACKUP"
+  fi
+  echo "$CONFIG_CONTENT" > "$CONFIG_FILE"
+  chmod 600 "$CONFIG_FILE"
+  success "Config written to $CONFIG_FILE (mode 600)"
+fi
+# ─── Step 5b: Enterprise templates ──────────────────────────────────────────
+if $ENTERPRISE && ! $DRY_RUN; then
+  step "Setting up enterprise templates..."
+  # SOX audit control template
+  cat > "$CLAWMOAT_DIR/sox/controls.json" << 'SOXEOF'
+{
+  "framework": "SOX-AI-Agent",
+  "version": "1.0",
+  "controls": [
+    {
+      "id": "AC-01",
+      "name": "Agent Permission Tiers",
+      "description": "AI agents operate under least-privilege permission tiers",
+      "frequency": "continuous",
+      "evidence": "~/.clawmoat/audit/*.log"
+    },
+    {
+      "id": "AC-02",
+      "name": "Credential Zone Protection",
+      "description": "Forbidden zones prevent agent access to credentials",
+      "frequency": "continuous",
+      "evidence": "~/.clawmoat/config.json → forbiddenZones"
+    },
+    {
+      "id": "AC-03",
+      "name": "Secret Detection",
+      "description": "Real-time scanning for leaked secrets in agent output",
+      "frequency": "continuous",
+      "evidence": "~/.clawmoat/audit/secrets.log"
+    },
+    {
+      "id": "AU-01",
+      "name": "Audit Trail Integrity",
+      "description": "Tamper-protected logging of all agent actions",
+      "frequency": "continuous",
+      "evidence": "~/.clawmoat/audit/"
+    },
+    {
+      "id": "NW-01",
+      "name": "Network Egress Monitoring",
+      "description": "All outbound network requests logged and reviewed",
+      "frequency": "continuous",
+      "evidence": "~/.clawmoat/audit/network.log"
+    }
+  ]
+}
+SOXEOF
+  chmod 600 "$CLAWMOAT_DIR/sox/controls.json"
+  success "SOX audit templates created"
+  # MCP Firewall default config
+  cat > "$CLAWMOAT_DIR/mcp-firewall/config.json" << 'MCPEOF'
+{
+  "mode": "read-only",
+  "logAllCalls": true,
+  "allowedTools": [],
+  "blockedServers": [],
+  "rateLimiting": {
+    "enabled": true,
+    "maxCallsPerMinute": 60
+  }
+}
+MCPEOF
+  chmod 600 "$CLAWMOAT_DIR/mcp-firewall/config.json"
+  success "MCP Firewall configured (read-only mode)"
+fi
+# ─── Step 6: Security scan ──────────────────────────────────────────────────
+step "Running initial security scan..."
+REPORT_FILE="$CLAWMOAT_DIR/reports/initial-scan-$(date +%Y%m%d-%H%M%S).txt"
+FINDINGS=0
+CRITICAL=0
+scan_report() {
+  echo "$*" >> "$REPORT_FILE"
+}
+if ! $DRY_RUN; then
+echo "# ClawMoat Initial Security Report" > "$REPORT_FILE"
+echo "# Generated: $TIMESTAMP" >> "$REPORT_FILE"
+echo "# OS: $OS ($ARCH)" >> "$REPORT_FILE"
+echo "" >> "$REPORT_FILE"
+# Check for exposed credential files
+echo "## Credential Exposure Check" >> "$REPORT_FILE"
+CRED_PATHS=(
+  "$HOME/.ssh"
+  "$HOME/.aws"
+  "$HOME/.gnupg"
+  "$HOME/.gcloud"
+  "$HOME/.azure"
+  "$HOME/.kube"
+  "$HOME/.docker"
+  "$HOME/.npmrc"
+  "$HOME/.pypirc"
+  "$HOME/.netrc"
+  "$HOME/.git-credentials"
+  "$HOME/.password-store"
+  "$HOME/.1password"
+  "$HOME/.env"
+)
+for cred in "${CRED_PATHS[@]}"; do
+  if [ -e "$cred" ]; then
+    FINDINGS=$((FINDINGS + 1))
+    CRITICAL=$((CRITICAL + 1))
+    label="$(basename "$cred")"
+    scan_report "  [FOUND] $cred — will be protected by ClawMoat"
+    warn "Found: $cred — ${GREEN}now protected${RESET}"
+  fi
+done
+# Check file permissions on sensitive items
+echo "" >> "$REPORT_FILE"
+echo "## Permission Check" >> "$REPORT_FILE"
+if [ -d "$HOME/.ssh" ]; then
+  SSH_PERMS="$(stat -c '%a' "$HOME/.ssh" 2>/dev/null || stat -f '%A' "$HOME/.ssh" 2>/dev/null || echo 'unknown')"
+  if [ "$SSH_PERMS" != "700" ] && [ "$SSH_PERMS" != "unknown" ]; then
+    scan_report "  [WARN] ~/.ssh permissions are $SSH_PERMS (should be 700)"
+    warn "~/.ssh permissions: $SSH_PERMS (recommended: 700)"
+    FINDINGS=$((FINDINGS + 1))
+  fi
+fi
+# Check for .env files in common locations
+echo "" >> "$REPORT_FILE"
+echo "## Environment File Check" >> "$REPORT_FILE"
+ENV_COUNT=0
+while IFS= read -r -d '' envfile; do
+  ENV_COUNT=$((ENV_COUNT + 1))
+  scan_report "  [FOUND] $envfile"
+done < <(find "$HOME" -maxdepth 3 -name '.env*' -type f -print0 2>/dev/null | head -z -20)
+if [ "$ENV_COUNT" -gt 0 ]; then
+  FINDINGS=$((FINDINGS + ENV_COUNT))
+  info "Found $ENV_COUNT .env file(s) — secret scanning will monitor these"
+fi
+# Node/npm global check
+echo "" >> "$REPORT_FILE"
+echo "## Node.js Environment" >> "$REPORT_FILE"
+scan_report "  Node.js: $(node -v 2>/dev/null || echo 'not found')"
+scan_report "  npm: $(npm -v 2>/dev/null || echo 'not found')"
+scan_report "  Global prefix: $(npm prefix -g 2>/dev/null || echo 'unknown')"
+chmod 600 "$REPORT_FILE"
+success "Security report saved to: $REPORT_FILE"
+fi  # end if not dry-run
+# ─── Summary ─────────────────────────────────────────────────────────────────
+echo ""
+divider
+echo ""
+echo -e "${BOLD}🏰 ClawMoat Installation Complete!${RESET}"
+echo ""
+echo -e "  ${GREEN}✅${RESET} OS detected:         $OS ($ARCH)"
+if $NODE_OK; then
+echo -e "  ${GREEN}✅${RESET} Node.js:             v${NODE_VERSION:-unknown}"
+fi
+echo -e "  ${GREEN}✅${RESET} ClawMoat:            installed"
+echo -e "  ${GREEN}✅${RESET} Config:              $CONFIG_FILE"
+echo -e "  ${GREEN}✅${RESET} Permission tier:     worker (least-privilege)"
+echo -e "  ${GREEN}✅${RESET} Forbidden zones:     17 credential paths protected"
+echo -e "  ${GREEN}✅${RESET} Secret scanning:     enabled"
+echo -e "  ${GREEN}✅${RESET} Network logging:     enabled"
+echo -e "  ${GREEN}✅${RESET} Audit trail:         enabled"
+if $ENTERPRISE; then
+echo -e "  ${GREEN}✅${RESET} FinanceGuard:        monitor mode"
+echo -e "  ${GREEN}✅${RESET} MCP Firewall:        read-only"
+echo -e "  ${GREEN}✅${RESET} SOX templates:       installed"
+fi
+if [ "${FINDINGS:-0}" -gt 0 ]; then
+echo ""
+echo -e "  ${YELLOW}📊${RESET} Security findings:   ${BOLD}$FINDINGS${RESET} items found and now protected"
+fi
+echo ""
+divider
+echo ""
+echo -e "${BOLD}Next steps:${RESET}"
+echo ""
+echo -e "  1. ${CYAN}Configure alerts${RESET} — edit ~/.clawmoat/config.json"
+echo -e "     Set webhookUrl, emailTo, or slackChannel for security alerts"
+echo ""
+echo -e "  2. ${CYAN}Test your setup${RESET}"
+echo -e "     $ clawmoat scan"
+echo ""
+echo -e "  3. ${CYAN}View documentation${RESET}"
+echo -e "     https://clawmoat.com/docs"
+echo ""
+if ! $ENTERPRISE; then
+echo -e "  💼 ${BOLD}Need enterprise features?${RESET} Re-run with --enterprise:"
+echo -e "     $ curl -fsSL https://clawmoat.com/install.sh | bash -s -- --enterprise"
+echo ""
+fi
+echo -e "${DIM}Questions? https://clawmoat.com/support/ • GitHub: ClawMoat/clawmoat${RESET}"
+echo ""

package/docs/integrations/langchain.html CHANGED Viewed

@@ -66,14 +66,14 @@ footer{border-top:1px solid var(--navy-mid);padding:40px 0;text-align:center;col
 <body>
 <nav>
-<div class="container" style="max-width:1140px">
+<div class="container">
   <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
   <div class="nav-links">
-    <a href="/">Home</a>
-    <a href="/integrations/langchain.html" style="color:var(--white)">Integrations</a>
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
     <a href="/blog/">Blog</a>
-    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    <a href="/#waitlist" class="btn-sm">Get Early Access</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
 </div>
 </nav>
@@ -276,7 +276,15 @@ audit:
 </article>
 <footer>
-  <p>🏰 ClawMoat — Security moat for AI agents</p>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 </body>

package/docs/integrations/openai.html CHANGED Viewed

@@ -66,14 +66,14 @@ footer{border-top:1px solid var(--navy-mid);padding:40px 0;text-align:center;col
 <body>
 <nav>
-<div class="container" style="max-width:1140px">
+<div class="container">
   <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
   <div class="nav-links">
-    <a href="/">Home</a>
-    <a href="/integrations/openai.html" style="color:var(--white)">Integrations</a>
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
     <a href="/blog/">Blog</a>
-    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    <a href="/#waitlist" class="btn-sm">Get Early Access</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
 </div>
 </nav>
@@ -297,7 +297,15 @@ tools:
 </article>
 <footer>
-  <p>🏰 ClawMoat — Security moat for AI agents</p>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 </body>