clawmoat 0.7.0 → 1.0.0

package/bin/clawmoat.js

@@ -7,6 +7,7 @@
  *   clawmoat scan <text>           Scan text for threats
  *   clawmoat scan --file <path>    Scan file contents
  *   clawmoat audit <session-dir>   Audit OpenClaw session logs
+ *   clawmoat providers [cmd]       Configure AI provider connections (Claude/ChatGPT/Kimi)
  *   clawmoat test                  Run built-in test suite against detection engines
  *   clawmoat version               Show version
  */
@@ -21,6 +22,8 @@ const { NetworkEgressLogger } = require('../src/guardian/network-log');
 const { AlertManager } = require('../src/guardian/alerts');
 const { CredentialMonitor, CVEVerifier } = require('../src/guardian/index');
 const { InsiderThreatDetector } = require('../src/guardian/insider-threat');
+const { formatReport, formatScanResult, formatAuditResult } = require('../src/formatters/json');
+const { formatScanResultAsSarif, formatAuditResultAsSarif } = require('../src/formatters/sarif');
 
 const VERSION = require('../package.json').version;
 const BOLD = '\x1b[1m';
@@ -58,6 +61,12 @@ switch (command) {
   case 'verify-cve':
     cmdVerifyCve(args.slice(1));
     break;
+  case 'init':
+    cmdInit(args.slice(1));
+    break;
+  case 'ci':
+    cmdCI(args.slice(1));
+    break;
   case 'test':
     cmdTest();
     break;
@@ -68,6 +77,13 @@ switch (command) {
   case 'pro':
     printUpgrade();
     break;
+  case 'providers':
+  case 'provider':
+    cmdProviders(args.slice(1));
+    break;
+  case 'scan-mcp':
+    cmdScanMCP(args.slice(1));
+    break;
   case 'version':
   case '--version':
   case '-v':
@@ -81,6 +97,23 @@ switch (command) {
     break;
 }
 
+async function cmdProviders(args) {
+  const { cmdSetup, cmdList, cmdTest, cmdOpenClaw } = require('../agent/provider-setup');
+  const sub = args[0] || 'setup';
+  switch (sub) {
+    case 'setup': return cmdSetup();
+    case 'list': return cmdList();
+    case 'test': return cmdTest();
+    case 'openclaw': return cmdOpenClaw();
+    default:
+      console.log('Usage: clawmoat providers [setup|list|test|openclaw]');
+      console.log('  setup    Configure AI providers (Claude, ChatGPT, Kimi)');
+      console.log('  list     Show configured providers');
+      console.log('  test     Test all connections');
+      console.log('  openclaw Generate OpenClaw config snippet');
+  }
+}
+
 async function cmdVerifyCve(args) {
   const cveId = args[0];
   const suspiciousUrl = args[1] || null;
@@ -161,14 +194,38 @@ function colorSeverity(severity) {
 }
 
 function cmdScan(args) {
+  // Parse arguments
   let text;
+  let sourceFile = 'stdin';
+  let format = 'text';
+  
+  // Extract format flag
+  const formatIndex = args.indexOf('--format');
+  if (formatIndex >= 0 && formatIndex + 1 < args.length) {
+    format = args[formatIndex + 1];
+    args = args.filter((arg, i) => arg !== '--format' && i !== formatIndex + 1);
+  }
+
+  if (!['text', 'json', 'sarif'].includes(format)) {
+    console.error(`${RED}Error: Invalid format "${format}". Supported: text, json, sarif${RESET}`);
+    process.exit(1);
+  }
   
   if (args[0] === '--file' && args[1]) {
     try {
-      text = fs.readFileSync(args[1], 'utf8');
-      console.log(`${DIM}Scanning file: ${args[1]} (${text.length} chars)${RESET}\n`);
+      sourceFile = args[1];
+      text = fs.readFileSync(sourceFile, 'utf8');
+      if (format === 'text') {
+        console.log(`${DIM}Scanning file: ${sourceFile} (${text.length} chars)${RESET}\n`);
+      }
     } catch (err) {
-      console.error(`Error reading file: ${err.message}`);
+      if (format === 'json') {
+        console.log(JSON.stringify({ error: `Error reading file: ${err.message}` }));
+      } else if (format === 'sarif') {
+        console.log(JSON.stringify({ error: `Error reading file: ${err.message}` }));
+      } else {
+        console.error(`Error reading file: ${err.message}`);
+      }
       process.exit(1);
     }
   } else if (args.length > 0) {
@@ -179,59 +236,94 @@ function cmdScan(args) {
   }
 
   if (!text) {
-    console.error('No text to scan. Usage: clawmoat scan "text to scan"');
+    const errorMsg = 'No text to scan. Usage: clawmoat scan "text to scan"';
+    if (format === 'json') {
+      console.log(JSON.stringify({ error: errorMsg }));
+    } else if (format === 'sarif') {
+      console.log(JSON.stringify({ error: errorMsg }));
+    } else {
+      console.error(errorMsg);
+    }
     process.exit(1);
   }
 
   const result = moat.scan(text, { context: 'cli' });
 
-  console.log(`${BOLD}🏰 ClawMoat Scan Results${RESET}\n`);
+  // Output based on format
+  if (format === 'json') {
+    const jsonResult = formatScanResult(result);
+    console.log(JSON.stringify(jsonResult, null, 2));
+  } else if (format === 'sarif') {
+    const sarifResult = formatScanResultAsSarif(result, sourceFile);
+    console.log(JSON.stringify(sarifResult, null, 2));
+  } else {
+    // Original text output
+    console.log(`${BOLD}🏰 ClawMoat Scan Results${RESET}\n`);
 
-  if (result.safe) {
-    console.log(`${GREEN}✅ CLEAN${RESET} — No threats detected\n`);
-    process.exit(0);
-  }
+    if (result.safe) {
+      console.log(`${GREEN}✅ CLEAN${RESET} — No threats detected\n`);
+      process.exit(0);
+    }
 
-  const icon = { critical: '🚨', high: '⚠️', medium: '⚡', low: 'ℹ️' };
-  const color = { critical: RED, high: RED, medium: YELLOW, low: CYAN };
+    const icon = { critical: '🚨', high: '⚠️', medium: '⚡', low: 'ℹ️' };
+    const color = { critical: RED, high: RED, medium: YELLOW, low: CYAN };
 
-  for (const finding of result.findings) {
-    const sev = finding.severity || 'medium';
-    console.log(
-      `${icon[sev] || '•'} ${color[sev] || ''}${sev.toUpperCase()}${RESET} ` +
-      `${BOLD}${finding.type}${RESET}` +
-      (finding.subtype ? ` (${finding.subtype})` : '') +
-      (finding.matched ? `\n  ${DIM}Matched: "${finding.matched}"${RESET}` : '') +
-      (finding.reason ? `\n  ${DIM}${finding.reason}${RESET}` : '')
-    );
-    console.log();
-  }
+    for (const finding of result.findings) {
+      const sev = finding.severity || 'medium';
+      console.log(
+        `${icon[sev] || '•'} ${color[sev] || ''}${sev.toUpperCase()}${RESET} ` +
+        `${BOLD}${finding.type}${RESET}` +
+        (finding.subtype ? ` (${finding.subtype})` : '') +
+        (finding.matched ? `\n  ${DIM}Matched: "${finding.matched}"${RESET}` : '') +
+        (finding.reason ? `\n  ${DIM}${finding.reason}${RESET}` : '')
+      );
+      console.log();
+    }
 
-  console.log(`${DIM}Total findings: ${result.findings.length}${RESET}`);
+    console.log(`${DIM}Total findings: ${result.findings.length}${RESET}`);
 
-  if (!getLicense()) {
-    console.log(`\n${DIM}💡 Upgrade to Pro for real-time alerts, dashboard & threat intel → clawmoat upgrade${RESET}`);
+    if (!getLicense()) {
+      console.log(`\n${DIM}💡 Upgrade to Pro for real-time alerts, dashboard & threat intel → clawmoat upgrade${RESET}`);
+    }
   }
 
   process.exit(result.findings.some(f => f.severity === 'critical') ? 2 : 1);
 }
 
 function cmdAudit(args) {
+  // Parse arguments
   const badgeFlag = args.includes('--badge');
-  const filteredArgs = args.filter(a => a !== '--badge');
+  const formatIndex = args.indexOf('--format');
+  const format = formatIndex >= 0 ? args[formatIndex + 1] : 'text';
+  const filteredArgs = args.filter((arg, i) => arg !== '--badge' && arg !== '--format' && i !== formatIndex + 1);
   const sessionDir = filteredArgs[0] || path.join(process.env.HOME, '.openclaw/agents/main/sessions');
 
+  if (format !== 'text' && format !== 'json' && format !== 'sarif') {
+    console.error(`${RED}Error: Invalid format "${format}". Supported: text, json, sarif${RESET}`);
+    process.exit(1);
+  }
+
   if (!fs.existsSync(sessionDir)) {
-    console.error(`Session directory not found: ${sessionDir}`);
+    if (format === 'json') {
+      console.log(JSON.stringify({ error: 'Session directory not found', directory: sessionDir }));
+    } else if (format === 'sarif') {
+      console.log(JSON.stringify({ error: 'Session directory not found', directory: sessionDir }));
+    } else {
+      console.error(`Session directory not found: ${sessionDir}`);
+    }
     process.exit(1);
   }
 
-  console.log(`${BOLD}🏰 ClawMoat Session Audit${RESET}`);
-  console.log(`${DIM}Directory: ${sessionDir}${RESET}\n`);
+  if (format === 'text') {
+    console.log(`${BOLD}🏰 ClawMoat Session Audit${RESET}`);
+    console.log(`${DIM}Directory: ${sessionDir}${RESET}\n`);
+  }
 
   const files = fs.readdirSync(sessionDir).filter(f => f.endsWith('.jsonl'));
   let totalFindings = 0;
   let filesScanned = 0;
+  const findingsByFile = {};
+  const allFindings = [];
 
   for (const file of files) {
     const filePath = path.join(sessionDir, file);
@@ -246,6 +338,14 @@ function cmdAudit(args) {
           const result = moat.scan(content, { context: 'session_log' });
           if (!result.safe) {
             fileFindings += result.findings.length;
+            for (const finding of result.findings) {
+              allFindings.push({
+                ...finding,
+                source: file,
+                timestamp: entry.timestamp || new Date().toISOString(),
+                entry_id: entry.id || null
+              });
+            }
           }
         }
 
@@ -258,6 +358,14 @@ function cmdAudit(args) {
             const evalResult = moat.evaluateTool(tc.name, tc.arguments || {});
             if (evalResult.decision !== 'allow') {
               fileFindings++;
+              allFindings.push({
+                type: 'tool_policy_violation',
+                severity: 'medium',
+                reason: `Tool ${tc.name} blocked by policy: ${evalResult.reason}`,
+                source: file,
+                timestamp: entry.timestamp || new Date().toISOString(),
+                entry_id: entry.id || null
+              });
             }
           }
         }
@@ -266,34 +374,56 @@ function cmdAudit(args) {
 
     filesScanned++;
     totalFindings += fileFindings;
+    findingsByFile[file] = fileFindings;
 
-    if (fileFindings > 0) {
-      console.log(`${RED}⚠ ${file}${RESET}: ${fileFindings} finding(s)`);
-    } else {
-      console.log(`${GREEN}✓ ${file}${RESET}: clean`);
+    if (format === 'text') {
+      if (fileFindings > 0) {
+        console.log(`${RED}⚠ ${file}${RESET}: ${fileFindings} finding(s)`);
+      } else {
+        console.log(`${GREEN}✓ ${file}${RESET}: clean`);
+      }
     }
   }
 
-  console.log(`\n${BOLD}Summary:${RESET} ${filesScanned} sessions scanned, ${totalFindings} total findings`);
+  // Prepare audit data
+  const auditData = {
+    filesScanned,
+    totalFindings,
+    sessionDir,
+    findingsByFile,
+    findings: allFindings
+  };
+
+  // Output based on format
+  if (format === 'json') {
+    const jsonResult = formatAuditResult(auditData);
+    console.log(JSON.stringify(jsonResult, null, 2));
+  } else if (format === 'sarif') {
+    const sarifResult = formatAuditResultAsSarif(auditData);
+    console.log(JSON.stringify(sarifResult, null, 2));
+  } else {
+    // Original text output
+    console.log(`\n${BOLD}Summary:${RESET} ${filesScanned} sessions scanned, ${totalFindings} total findings`);
 
-  const summary = moat.getSummary();
-  if (summary.events.byType) {
-    console.log(`${DIM}Breakdown: ${JSON.stringify(summary.events.byType)}${RESET}`);
-  }
+    const summary = moat.getSummary();
+    if (summary.events.byType) {
+      console.log(`${DIM}Breakdown: ${JSON.stringify(summary.events.byType)}${RESET}`);
+    }
 
-  // Badge generation
-  if (badgeFlag) {
-    const criticalFindings = 0; // TODO: track critical findings separately
-    const grade = calculateGrade({ totalFindings, criticalFindings, filesScanned });
-    const svg = generateBadgeSVG(grade);
-    const badgePath = path.join(process.cwd(), 'clawmoat-badge.svg');
-    fs.writeFileSync(badgePath, svg);
-    console.log(`\n${BOLD}🏷️  Security Badge${RESET}`);
-    console.log(`   Grade: ${grade}`);
-    console.log(`   SVG saved: ${badgePath}`);
-    console.log(`   Shields.io: ${getShieldsURL(grade)}`);
-    console.log(`\n   ${DIM}Add to README:${RESET}`);
-    console.log(`   ![ClawMoat Security Score](${getShieldsURL(grade)})`);
+    // Badge generation
+    if (badgeFlag) {
+      const criticalFindings = allFindings.filter(f => f.severity === 'critical').length;
+      const grade = calculateGrade({ totalFindings, criticalFindings, filesScanned });
+      const svg = generateBadgeSVG(grade);
+      const badgePath = path.join(process.cwd(), 'clawmoat-badge.svg');
+      fs.writeFileSync(badgePath, svg);
+      console.log(`\n${BOLD}🏷️  Security Badge${RESET}`);
+      console.log(`   Grade: ${grade}`);
+      console.log(`   SVG saved: ${badgePath}`);
+      console.log(`   Shields.io: ${getShieldsURL(grade)}`);
+      console.log(`\n   ${DIM}Add to README:${RESET}`);
+      console.log(`   ![ClawMoat Security Score](${getShieldsURL(grade)})`);
+    }
   }
 
   process.exit(totalFindings > 0 ? 1 : 0);
@@ -446,13 +576,13 @@ function cmdTest() {
   process.exit(failed > 0 ? 1 : 0);
 }
 
-function cmdWatch(args) {
+async function cmdWatch(args) {
   const isDaemon = args.includes('--daemon');
   const webhookArg = args.find(a => a.startsWith('--alert-webhook='));
   const webhookUrl = webhookArg ? webhookArg.split('=').slice(1).join('=') : null;
   const filteredArgs = args.filter(a => a !== '--daemon' && !a.startsWith('--alert-webhook='));
-  const agentDir = filteredArgs[0] || path.join(process.env.HOME, '.openclaw/agents/main');
-  const { watchSessions } = require('../src/middleware/openclaw');
+  const watchDir = filteredArgs[0] || path.join(process.env.HOME, '.openclaw');
+  const { LiveMonitor } = require('../src/watch/live-monitor');
 
   // Daemon mode: fork to background
   if (isDaemon) {
@@ -475,33 +605,45 @@ function cmdWatch(args) {
   if (webhookUrl) alertChannels.push('webhook');
   const alertMgr = new AlertManager({ channels: alertChannels, webhookUrl });
 
-  console.log(`${BOLD}🏰 ClawMoat Live Monitor${RESET}`);
-  console.log(`${DIM}Watching: ${agentDir}${RESET}`);
-  if (webhookUrl) console.log(`${DIM}Webhook: ${webhookUrl}${RESET}`);
-  console.log(`${DIM}Press Ctrl+C to stop${RESET}\n`);
+  // Create and start live monitor
+  const monitor = new LiveMonitor({
+    watchDir,
+    refreshRate: 1000,
+    showNetworkGraph: true,
+    showThreatMap: true,
+    maxHistoryItems: 100,
+    animateCharts: true
+  });
 
-  const monitor = watchSessions({ agentDir });
-  if (!monitor) process.exit(1);
+  // Connect alert manager to monitor events
+  monitor.on('threat-detected', (threat) => {
+    alertMgr.send({
+      type: 'threat',
+      severity: threat.severity,
+      message: `Threat detected: ${threat.type}/${threat.subtype}`
+    });
+  });
 
   // Also start credential monitor
-  const credMon = new CredentialMonitor({ quiet: false, onAlert: (a) => alertMgr.send(a) });
+  const credMon = new CredentialMonitor({ quiet: true, onAlert: (a) => alertMgr.send(a) });
   credMon.start();
 
-  // Print summary every 60s
-  setInterval(() => {
-    const summary = monitor.getSummary();
-    if (summary.scanned > 0) {
-      console.log(`${DIM}[ClawMoat] Stats: ${summary.scanned} scanned, ${summary.blocked} blocked, ${summary.warnings} warnings${RESET}`);
-    }
-  }, 60000);
-
+  // Handle shutdown gracefully
   process.on('SIGINT', () => {
     monitor.stop();
     credMon.stop();
-    const summary = monitor.getSummary();
-    console.log(`\n${BOLD}Session Summary:${RESET} ${summary.scanned} scanned, ${summary.blocked} blocked, ${summary.warnings} warnings`);
+    console.log(`\n${GREEN}ClawMoat Live Monitor stopped.${RESET}`);
+    process.exit(0);
+  });
+
+  process.on('SIGTERM', () => {
+    monitor.stop();
+    credMon.stop();
     process.exit(0);
   });
+
+  // Start the live monitor
+  await monitor.start();
 }
 
 function cmdSkillAudit(args) {
@@ -546,16 +688,27 @@ function cmdSkillAudit(args) {
 }
 
 function cmdReport(args) {
-  const sessionsDir = args[0] || path.join(process.env.HOME, '.openclaw/agents/main/sessions');
-
-  console.log(`${BOLD}🏰 ClawMoat Activity Report (Last 24h)${RESET}`);
-  console.log(`${DIM}Sessions: ${sessionsDir}${RESET}\n`);
+  // Parse arguments
+  const formatIndex = args.indexOf('--format');
+  const format = formatIndex >= 0 ? args[formatIndex + 1] : 'text';
+  const otherArgs = args.filter((arg, i) => arg !== '--format' && i !== formatIndex + 1);
+  const sessionsDir = otherArgs[0] || path.join(process.env.HOME, '.openclaw/agents/main/sessions');
+
+  if (format !== 'text' && format !== 'json') {
+    console.error(`${RED}Error: Invalid format "${format}". Supported: text, json${RESET}`);
+    process.exit(1);
+  }
 
   if (!fs.existsSync(sessionsDir)) {
-    console.log(`${YELLOW}Sessions directory not found${RESET}`);
+    if (format === 'json') {
+      console.log(JSON.stringify({ error: 'Sessions directory not found', directory: sessionsDir }));
+    } else {
+      console.log(`${YELLOW}Sessions directory not found: ${sessionsDir}${RESET}`);
+    }
     process.exit(0);
   }
 
+  // Collect all data
   const oneDayAgo = Date.now() - 86400000;
   const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
   let recentFiles = 0;
@@ -563,6 +716,7 @@ function cmdReport(args) {
   let toolCalls = 0;
   let threats = 0;
   const toolUsage = {};
+  const findings = [];
 
   for (const file of files) {
     const filePath = path.join(sessionsDir, file);
@@ -592,7 +746,17 @@ function cmdReport(args) {
         const text = extractContent(entry);
         if (text) {
           const result = moat.scan(text, { context: 'report' });
-          if (!result.safe) threats++;
+          if (!result.safe) {
+            threats++;
+            for (const finding of result.findings) {
+              findings.push({
+                ...finding,
+                timestamp: entry.timestamp || new Date().toISOString(),
+                source: file,
+                entry_id: entry.id || null
+              });
+            }
+          }
         }
       } catch {}
     }
@@ -602,22 +766,6 @@ function cmdReport(args) {
   const netLogger = new NetworkEgressLogger();
   const netResult = netLogger.scanSessions(sessionsDir, { maxAge: 86400000 });
 
-  console.log(`${BOLD}Activity:${RESET}`);
-  console.log(`  Sessions active: ${recentFiles}`);
-  console.log(`  Total entries: ${totalEntries}`);
-  console.log(`  Tool calls: ${toolCalls}`);
-  console.log(`  Threats detected: ${threats}`);
-  console.log();
-
-  if (Object.keys(toolUsage).length > 0) {
-    console.log(`${BOLD}Tool Usage:${RESET}`);
-    const sorted = Object.entries(toolUsage).sort((a, b) => b[1] - a[1]);
-    for (const [tool, count] of sorted.slice(0, 15)) {
-      console.log(`  ${tool}: ${count}`);
-    }
-    console.log();
-  }
-
   // Insider threat scan on recent sessions
   const insiderDetector = new InsiderThreatDetector();
   let insiderThreats = 0;
@@ -636,28 +784,68 @@ function cmdReport(args) {
     if (insiderResult.riskScore > insiderHighScore) insiderHighScore = insiderResult.riskScore;
   }
 
-  console.log(`${BOLD}Insider Threats:${RESET}`);
-  console.log(`  Threats detected: ${insiderThreats}`);
-  console.log(`  Highest risk score: ${insiderHighScore}/100`);
-  console.log();
+  // Prepare report data
+  const reportData = {
+    recentFiles,
+    totalEntries,
+    toolCalls,
+    threats,
+    toolUsage,
+    netResult,
+    insiderThreats,
+    insiderHighScore,
+    findings,
+    sessionDir: sessionsDir
+  };
+
+  // Output based on format
+  if (format === 'json') {
+    const jsonReport = formatReport(reportData);
+    console.log(JSON.stringify(jsonReport, null, 2));
+  } else {
+    // Original text output
+    console.log(`${BOLD}🏰 ClawMoat Activity Report (Last 24h)${RESET}`);
+    console.log(`${DIM}Sessions: ${sessionsDir}${RESET}\n`);
+
+    console.log(`${BOLD}Activity:${RESET}`);
+    console.log(`  Sessions active: ${recentFiles}`);
+    console.log(`  Total entries: ${totalEntries}`);
+    console.log(`  Tool calls: ${toolCalls}`);
+    console.log(`  Threats detected: ${threats}`);
+    console.log();
+
+    if (Object.keys(toolUsage).length > 0) {
+      console.log(`${BOLD}Tool Usage:${RESET}`);
+      const sorted = Object.entries(toolUsage).sort((a, b) => b[1] - a[1]);
+      for (const [tool, count] of sorted.slice(0, 15)) {
+        console.log(`  ${tool}: ${count}`);
+      }
+      console.log();
+    }
+
+    console.log(`${BOLD}Insider Threats:${RESET}`);
+    console.log(`  Threats detected: ${insiderThreats}`);
+    console.log(`  Highest risk score: ${insiderHighScore}/100`);
+    console.log();
 
-  console.log(`${BOLD}Network Egress:${RESET}`);
-  console.log(`  URLs contacted: ${netResult.totalUrls}`);
-  console.log(`  Unique domains: ${netResult.domains.length}`);
-  console.log(`  Flagged (not in allowlist): ${netResult.flagged.length}`);
-  console.log(`  Known-bad domains: ${netResult.badDomains.length}`);
+    console.log(`${BOLD}Network Egress:${RESET}`);
+    console.log(`  URLs contacted: ${netResult.totalUrls}`);
+    console.log(`  Unique domains: ${netResult.domains.length}`);
+    console.log(`  Flagged (not in allowlist): ${netResult.flagged.length}`);
+    console.log(`  Known-bad domains: ${netResult.badDomains.length}`);
 
-  if (netResult.flagged.length > 0) {
-    console.log(`\n  ${YELLOW}Flagged domains:${RESET}`);
-    for (const d of netResult.flagged.slice(0, 20)) {
-      console.log(`    • ${d}`);
+    if (netResult.flagged.length > 0) {
+      console.log(`\n  ${YELLOW}Flagged domains:${RESET}`);
+      for (const d of netResult.flagged.slice(0, 20)) {
+        console.log(`    • ${d}`);
+      }
     }
-  }
 
-  if (netResult.badDomains.length > 0) {
-    console.log(`\n  ${RED}Bad domains:${RESET}`);
-    for (const b of netResult.badDomains) {
-      console.log(`    🚨 ${b.domain} (in ${b.file})`);
+    if (netResult.badDomains.length > 0) {
+      console.log(`\n  ${RED}Bad domains:${RESET}`);
+      for (const b of netResult.badDomains) {
+        console.log(`    🚨 ${b.domain} (in ${b.file})`);
+      }
     }
   }
 
@@ -837,6 +1025,160 @@ function cmdActivate(args) {
   req.end();
 }
 
+function cmdScanMCP(args) {
+  const { scanMCP, discoverMCPConfigs } = require('../src/mcp-scanner');
+  const extraPaths = args.filter(a => !a.startsWith('-'));
+  const verbose = args.includes('--verbose') || args.includes('-v');
+  const jsonOut = args.includes('--json');
+
+  console.log('\n🏰 ClawMoat MCP Scanner\n');
+
+  // Run scan
+  const report = scanMCP({ extraPaths, verbose });
+
+  if (jsonOut) {
+    console.log(JSON.stringify(report, null, 2));
+    return;
+  }
+
+  // Discovery
+  console.log(`📁 Configs discovered: ${report.configsFound.length}`);
+  for (const c of report.configsFound) {
+    console.log(`   ✓ ${c.name}: ${c.path}`);
+  }
+
+  if (report.configsFound.length === 0) {
+    // Show what we looked for
+    console.log('\n   No MCP configs found. Searched:');
+    const all = discoverMCPConfigs();
+    for (const c of all.slice(0, 6)) {
+      console.log(`   · ${c.name}: ${c.path}`);
+    }
+    console.log(`   ... and ${all.length - 6} more locations`);
+    console.log('\n   Tip: pass a config path directly: clawmoat scan-mcp ~/.cursor/mcp.json\n');
+    return;
+  }
+
+  // Servers
+  console.log(`\n🔌 MCP servers found: ${report.servers.length}`);
+  for (const s of report.servers) {
+    console.log(`   · ${s.name} (${s.config})`);
+  }
+
+  // Findings
+  if (report.findings.length === 0) {
+    console.log('\n✅ No security issues found.\n');
+    return;
+  }
+
+  console.log(`\n⚠️  Findings: ${report.summary.total}`);
+  if (report.summary.critical) console.log(`   🔴 ${report.summary.critical} CRITICAL`);
+  if (report.summary.high) console.log(`   🟠 ${report.summary.high} HIGH`);
+  if (report.summary.medium) console.log(`   🟡 ${report.summary.medium} MEDIUM`);
+  if (report.summary.low) console.log(`   🔵 ${report.summary.low} LOW`);
+
+  console.log('');
+  for (const f of report.findings) {
+    const icon = f.severity === 'critical' ? '🔴' : f.severity === 'high' ? '🟠' : f.severity === 'medium' ? '🟡' : '🔵';
+    console.log(`${icon} [${f.severity.toUpperCase()}] ${f.label}`);
+    console.log(`   Server: ${f.server} (${f.configName})`);
+    console.log(`   Fix: ${f.fix}`);
+    console.log('');
+  }
+}
+
+function cmdInit(args) {
+  const force = args.includes('--force') || args.includes('-f');
+  const configPath = path.join(process.cwd(), 'clawmoat.yml');
+  const templatePath = path.join(__dirname, '../src/templates/default-config.yml');
+
+  // Check if config already exists
+  if (fs.existsSync(configPath) && !force) {
+    console.log(`${YELLOW}⚠️  Configuration file already exists: ${configPath}${RESET}`);
+    console.log(`${DIM}Use --force to overwrite${RESET}`);
+    process.exit(1);
+  }
+
+  // Read template
+  let template;
+  try {
+    template = fs.readFileSync(templatePath, 'utf8');
+  } catch (err) {
+    console.error(`${RED}Error reading config template: ${err.message}${RESET}`);
+    process.exit(1);
+  }
+
+  // Write config file
+  try {
+    fs.writeFileSync(configPath, template);
+    console.log(`${GREEN}✅ Created ${configPath}${RESET}`);
+    console.log(`${DIM}Edit the file to customize your security policies.${RESET}`);
+    console.log(`${DIM}Documentation: https://github.com/darfaz/clawmoat${RESET}`);
+  } catch (err) {
+    console.error(`${RED}Error writing config file: ${err.message}${RESET}`);
+    process.exit(1);
+  }
+}
+
+function cmdCI(args) {
+  const { scanRepo } = require('../src/ci-scanner');
+  const jsonOut = args.includes('--json');
+  const dir = args.find(a => !a.startsWith('-')) || '.';
+  const failOn = (args.find(a => a.startsWith('--fail-on=')) || '--fail-on=high').split('=')[1];
+
+  if (!jsonOut) {
+    console.log(`\n${BOLD}🏰 ClawMoat CI Scanner${RESET}`);
+    console.log(`${DIM}Scanning: ${require('path').resolve(dir)}${RESET}\n`);
+  }
+
+  const result = scanRepo({ rootDir: dir, failOn });
+
+  if (jsonOut) {
+    console.log(JSON.stringify(result, null, 2));
+    process.exit(result.passed ? 0 : 1);
+    return;
+  }
+
+  if (result.findings.length === 0) {
+    console.log(`${GREEN}✅ No security issues found.${RESET}\n`);
+    process.exit(0);
+    return;
+  }
+
+  // Group by type
+  const byType = {};
+  for (const f of result.findings) {
+    if (!byType[f.type]) byType[f.type] = [];
+    byType[f.type].push(f);
+  }
+
+  for (const [type, findings] of Object.entries(byType)) {
+    const label = type.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+    console.log(`${BOLD}${label}${RESET}`);
+    for (const f of findings) {
+      const icon = f.severity === 'critical' ? `${RED}🔴` : f.severity === 'high' ? `${YELLOW}🟠` : '🟡';
+      console.log(`  ${icon} [${f.severity.toUpperCase()}] ${f.evidence}${RESET}`);
+      console.log(`${DIM}       File: ${f.file}${RESET}`);
+      console.log(`${DIM}       Fix: ${f.fix}${RESET}`);
+    }
+    console.log('');
+  }
+
+  console.log(`${BOLD}Summary:${RESET} ${result.summary.total} issue(s) found`);
+  if (result.summary.critical) console.log(`  ${RED}${result.summary.critical} critical${RESET}`);
+  if (result.summary.high)     console.log(`  ${YELLOW}${result.summary.high} high${RESET}`);
+  if (result.summary.medium)   console.log(`  ${DIM}${result.summary.medium} medium${RESET}`);
+  console.log('');
+
+  if (!result.passed) {
+    console.log(`${RED}❌ CI check FAILED (found ${failOn}+ severity issues)${RESET}\n`);
+    process.exit(1);
+  } else {
+    console.log(`${YELLOW}⚠️  Issues found but none at fail-on severity (${failOn})${RESET}\n`);
+    process.exit(0);
+  }
+}
+
 function getLicense() {
   try {
     const licPath = path.join(process.env.HOME, '.clawmoat', 'license.json');
@@ -852,30 +1194,45 @@ ${BOLD}🏰 ClawMoat v${VERSION}${RESET} — Security moat for AI agents
   Plan: ${planLabel}
 
 ${BOLD}USAGE${RESET}
+  clawmoat ci [dir]               Scan repo for secrets, compromised deps, CI risks, MCP issues
+  clawmoat ci --json              Output JSON for CI/CD integration
+  clawmoat ci --fail-on=critical  Only fail on critical severity (default: high)
+  clawmoat init                   Generate a starter config file (clawmoat.yml)
   clawmoat scan <text>            Scan text for threats
   clawmoat scan --file <path>     Scan file contents
+  clawmoat scan --format sarif    Output SARIF format for CI/CD integration
   cat file.txt | clawmoat scan    Scan from stdin
   clawmoat audit [session-dir]    Audit OpenClaw session logs
   clawmoat audit --badge          Audit + generate security score badge SVG
+  clawmoat audit --format sarif   Generate SARIF report for security platforms
   clawmoat watch [agent-dir]      Live monitor OpenClaw sessions
   clawmoat watch --daemon         Daemonize watch mode (background, PID file)
   clawmoat watch --alert-webhook=URL   Send alerts to webhook
   clawmoat skill-audit [skills-dir]    Verify skill file integrity & scan for suspicious patterns
   clawmoat insider-scan [session-file]  Scan sessions for insider threats (self-preservation, blackmail, deception)
   clawmoat report [sessions-dir]  24-hour activity summary report
+  clawmoat report --format json   Generate JSON report for programmatic use
   clawmoat verify-cve <CVE-ID> [url]  Verify a CVE against GitHub Advisory DB
   clawmoat test                   Run detection test suite
+  clawmoat providers              Configure AI providers (Claude/ChatGPT/Kimi)
+  clawmoat providers list         Show configured providers
+  clawmoat providers test         Test all provider connections
+  clawmoat providers openclaw     Generate OpenClaw config snippet
   clawmoat activate <KEY>         Activate a Pro/Team license key
   clawmoat upgrade                Show upgrade options & pricing
   clawmoat version                Show version
 
 ${BOLD}EXAMPLES${RESET}
+  clawmoat init                   # Create clawmoat.yml config file
   clawmoat scan "Ignore all previous instructions"
   clawmoat scan --file suspicious-email.txt
+  clawmoat scan --format sarif --file agent-input.txt  # For GitHub Code Scanning
   clawmoat audit ~/.openclaw/agents/main/sessions/
+  clawmoat audit --format sarif   # SARIF output for CI/CD
   clawmoat watch --daemon --alert-webhook=https://hooks.example.com/alerts
   clawmoat skill-audit ~/.openclaw/workspace/skills
   clawmoat report
+  clawmoat report --format json   # For dashboards/automation
   clawmoat test
 
 ${BOLD}CONFIG${RESET}