fengming 0.3.3 → 0.3.5

package/dist/audit.nondeep.runtime-DeYwRDYj.js

@@ -1,1416 +0,0 @@
-import { c as normalizeOptionalString, f as normalizeStringifiedOptionalString, s as normalizeOptionalLowercaseString } from "./string-coerce-DKw2K5wM.js";
-import { t as formatCliCommand } from "./command-format-Jv8eeOPe.js";
-import { p as normalizeUniqueStringEntries } from "./string-normalization-B8G0vlWE.js";
-import { i as isPathInside } from "./path-BlG8lhgR.js";
-import { n as loadInstalledPluginIndexInstallRecords } from "./installed-plugin-index-record-reader-ClxK20w6.js";
-import { s as normalizePluginsConfig } from "./config-state-DuITXGx-.js";
-import { i as resolveAgentModelPrimaryValue, r as resolveAgentModelFallbackValues } from "./model-input-CET5RLn0.js";
-import { g as createPluginRegistryIdNormalizer, p as loadPluginRegistrySnapshot } from "./plugin-registry-yMlCZsZh.js";
-import "./scan-paths-DEbtXKcA.js";
-import { n as resolveGatewayAuth } from "./auth-resolve-DQPFGhog.js";
-import "./auth-zd4y6lgs.js";
-import { r as DEFAULT_PROVIDER } from "./defaults-DNFU4TYx.js";
-import { n as isDangerousNetworkMode, r as normalizeNetworkMode } from "./network-mode-BdBmduyW.js";
-import { s as loadManifestMetadataSnapshot } from "./manifest-contract-eligibility-DLT0v43Z.js";
-import { i as buildModelAliasIndex, x as resolveModelRefFromString } from "./model-selection-shared-BOcnt3fQ.js";
-import { i as parseModelRef, n as modelKey } from "./model-selection-normalize-CAYf_2p2.js";
-import { n as pickSandboxToolPolicy } from "./sandbox-tool-policy-CJznRBe4.js";
-import { h as resolveToolProfilePolicy } from "./tool-policy-Dv92jaRW.js";
-import { t as isToolAllowedByPolicies } from "./tool-policy-match-BK9FXN4N.js";
-import { r as resolveSandboxToolPolicyForAgent } from "./tool-policy-vM91cFrT.js";
-import { i as resolveSandboxConfigForAgent } from "./config-Ck3GVCd_.js";
-import { a as resolveProviderToolPolicy } from "./agent-tools.policy-BhqSsYtP.js";
-import { n as listReadOnlyChannelPluginsForConfig } from "./read-only-DG3oNfr3.js";
-import { t as getBlockedBindReason } from "./validate-sandbox-security-DDvEE5KG.js";
-import { t as inspectReadOnlyChannelAccount } from "./read-only-account-inspect-Bc44Ix5X.js";
-import { r as resolveNativeSkillsEnabled } from "./commands-CLLRufEM.js";
-import { t as listAgentWorkspaceDirs } from "./workspace-dirs-D_jaKwRw.js";
-import { i as listDangerousPluginNodeCommands, o as resolveNodeCommandAllowlist, t as DEFAULT_DANGEROUS_NODE_COMMANDS } from "./node-command-policy-B0ezpI_O.js";
-import { t as resolveAllowedAgentIds } from "./hooks-policy-DUxw4pXH.js";
-import { n as readInstalledPackageVersion } from "./package-update-utils-diapjeFJ.js";
-import { t as inferParamBFromIdOrName } from "./model-param-b-DQc5oue4.js";
-import { t as hasConfiguredInternalHooks } from "./configured-DmQDjcF5.js";
-import { a as collectStateDeepFilesystemFindings, i as collectSandboxBrowserHashLabelFindings, o as readConfigSnapshotForAudit, s as shouldIgnoreInstalledPluginDirName, t as collectIncludeFilePermFindings } from "./audit-extra.async-D1vkCuPp.js";
-import path from "node:path";
-import fs from "node:fs/promises";
-//#region src/security/audit-plugins-trust.ts
-let pluginTrustPolicyDepsPromise;
-async function loadPluginTrustPolicyDeps() {
-	pluginTrustPolicyDepsPromise ??= Promise.all([
-		import("./config-BkBtC4-W.js"),
-		import("./tool-policy-mKXH4IOK.js"),
-		import("./tool-policy-match-BSG-8STh.js"),
-		import("./tool-policy-DmEXR9ta.js"),
-		import("./audit-tool-policy-CHVmxMdq.js")
-	]).then(([sandboxConfig, sandboxToolPolicy, toolPolicyMatch, toolPolicy, auditToolPolicy]) => ({
-		isToolAllowedByPolicies: toolPolicyMatch.isToolAllowedByPolicies,
-		pickSandboxToolPolicy: auditToolPolicy.pickSandboxToolPolicy,
-		resolveSandboxConfigForAgent: sandboxConfig.resolveSandboxConfigForAgent,
-		resolveSandboxToolPolicyForAgent: sandboxToolPolicy.resolveSandboxToolPolicyForAgent,
-		resolveToolProfilePolicy: toolPolicy.resolveToolProfilePolicy
-	}));
-	return await pluginTrustPolicyDepsPromise;
-}
-function readChannelCommandSetting(cfg, channelId, key) {
-	const channelCfg = cfg.channels?.[channelId];
-	if (!channelCfg || typeof channelCfg !== "object" || Array.isArray(channelCfg)) return;
-	const commands = channelCfg.commands;
-	if (!commands || typeof commands !== "object" || Array.isArray(commands)) return;
-	return commands[key];
-}
-async function isChannelPluginConfigured(cfg, plugin) {
-	const accountIds = plugin.config.listAccountIds(cfg);
-	const candidates = accountIds.length > 0 ? accountIds : [void 0];
-	for (const accountId of candidates) {
-		const inspected = plugin.config.inspectAccount?.(cfg, accountId) ?? await inspectReadOnlyChannelAccount({
-			channelId: plugin.id,
-			cfg,
-			accountId
-		});
-		const inspectedRecord = inspected && typeof inspected === "object" && !Array.isArray(inspected) ? inspected : null;
-		let resolvedAccount = inspected;
-		if (!resolvedAccount) try {
-			resolvedAccount = plugin.config.resolveAccount(cfg, accountId);
-		} catch {
-			resolvedAccount = null;
-		}
-		let enabled = typeof inspectedRecord?.enabled === "boolean" ? inspectedRecord.enabled : resolvedAccount != null;
-		if (typeof inspectedRecord?.enabled !== "boolean" && resolvedAccount != null && plugin.config.isEnabled) try {
-			enabled = plugin.config.isEnabled(resolvedAccount, cfg);
-		} catch {
-			enabled = false;
-		}
-		let configured = typeof inspectedRecord?.configured === "boolean" ? inspectedRecord.configured : resolvedAccount != null;
-		if (typeof inspectedRecord?.configured !== "boolean" && resolvedAccount != null && plugin.config.isConfigured) try {
-			configured = await plugin.config.isConfigured(resolvedAccount, cfg);
-		} catch {
-			configured = false;
-		}
-		if (enabled && configured) return true;
-	}
-	return false;
-}
-async function listInstalledPluginDirs(params) {
-	const extensionsDir = path.join(params.stateDir, "extensions");
-	if (!(await fs.stat(extensionsDir).catch((err) => {
-		params.onReadError?.(err);
-		return null;
-	}))?.isDirectory()) return {
-		extensionsDir,
-		pluginDirs: []
-	};
-	return {
-		extensionsDir,
-		pluginDirs: (await fs.readdir(extensionsDir, { withFileTypes: true }).catch((err) => {
-			params.onReadError?.(err);
-			return [];
-		})).filter((entry) => entry.isDirectory()).map((entry) => entry.name).filter((name) => !shouldIgnoreInstalledPluginDirName(name)).filter(Boolean)
-	};
-}
-function resolveToolPolicies$2(params) {
-	const profile = params.agentTools?.profile ?? params.cfg.tools?.profile;
-	const policies = [
-		params.deps.resolveToolProfilePolicy(profile),
-		params.deps.pickSandboxToolPolicy(params.cfg.tools ?? void 0),
-		params.deps.pickSandboxToolPolicy(params.agentTools)
-	];
-	if (params.sandboxMode === "all") policies.push(params.deps.resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? void 0));
-	return policies;
-}
-function normalizePluginIdSet(entries) {
-	return new Set(entries.map((entry) => normalizeOptionalLowercaseString(entry)).filter((entry) => Boolean(entry)));
-}
-function resolveEnabledExtensionPluginIds(params) {
-	const normalized = normalizePluginsConfig(params.cfg.plugins);
-	if (!normalized.enabled) return [];
-	const allowSet = normalizePluginIdSet(normalized.allow);
-	const denySet = normalizePluginIdSet(normalized.deny);
-	const entryById = /* @__PURE__ */ new Map();
-	for (const [id, entry] of Object.entries(normalized.entries)) {
-		const normalizedId = normalizeOptionalLowercaseString(id);
-		if (!normalizedId) continue;
-		entryById.set(normalizedId, entry);
-	}
-	const enabled = [];
-	for (const id of params.pluginDirs) {
-		const normalizedId = normalizeOptionalLowercaseString(id);
-		if (!normalizedId) continue;
-		if (denySet.has(normalizedId)) continue;
-		if (allowSet.size > 0 && !allowSet.has(normalizedId)) continue;
-		if (entryById.get(normalizedId)?.enabled === false) continue;
-		enabled.push(normalizedId);
-	}
-	return enabled;
-}
-function collectAllowEntries(config) {
-	const out = [];
-	if (Array.isArray(config?.allow)) out.push(...config.allow);
-	if (Array.isArray(config?.alsoAllow)) out.push(...config.alsoAllow);
-	return out.map((entry) => normalizeOptionalLowercaseString(entry)).filter((entry) => Boolean(entry));
-}
-function hasExplicitPluginAllow(params) {
-	return params.allowEntries.some((entry) => entry === "group:plugins" || params.enabledPluginIds.has(entry));
-}
-function hasProviderPluginAllow(params) {
-	if (!params.byProvider) return false;
-	for (const policy of Object.values(params.byProvider)) if (hasExplicitPluginAllow({
-		allowEntries: collectAllowEntries(policy),
-		enabledPluginIds: params.enabledPluginIds
-	})) return true;
-	return false;
-}
-function isPinnedRegistrySpec(spec) {
-	const value = spec.trim();
-	if (!value) return false;
-	const at = value.lastIndexOf("@");
-	if (at <= 0 || at >= value.length - 1) return false;
-	const version = value.slice(at + 1).trim();
-	return /^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.test(version);
-}
-async function collectPluginsTrustFindings(params) {
-	const findings = [];
-	const { extensionsDir, pluginDirs } = await listInstalledPluginDirs({ stateDir: params.stateDir });
-	if (pluginDirs.length > 0) {
-		const allow = params.cfg.plugins?.allow;
-		const allowConfigured = Array.isArray(allow) && allow.length > 0;
-		if (allowConfigured) {
-			const installedPluginIds = new Set(pluginDirs.map((dir) => path.basename(dir).toLowerCase()));
-			const pluginIndex = loadPluginRegistrySnapshot({
-				config: params.cfg,
-				stateDir: params.stateDir
-			});
-			const normalizePluginId = createPluginRegistryIdNormalizer(pluginIndex);
-			const indexedPluginIds = new Set(pluginIndex.plugins.map((plugin) => plugin.pluginId.toLowerCase()));
-			const phantomEntries = allow.filter((entry) => {
-				if (typeof entry !== "string" || entry === "group:plugins") return false;
-				const lower = entry.toLowerCase();
-				if (installedPluginIds.has(lower) || indexedPluginIds.has(lower)) return false;
-				const canonicalId = normalizeOptionalLowercaseString(normalizePluginId(entry)) ?? "";
-				return !canonicalId || !indexedPluginIds.has(canonicalId);
-			});
-			if (phantomEntries.length > 0) findings.push({
-				checkId: "plugins.allow_phantom_entries",
-				severity: "warn",
-				title: "plugins.allow contains entries with no matching installed plugin",
-				detail: `The following plugins.allow entries do not correspond to any installed plugin: ${phantomEntries.join(", ")}.\nPhantom entries could be exploited by registering a new plugin with an allowlisted ID.`,
-				remediation: "Remove unused entries from plugins.allow, or verify the expected plugins are installed."
-			});
-		}
-		if (!allowConfigured) {
-			const channelPlugins = listReadOnlyChannelPluginsForConfig(params.cfg, { stateDir: params.stateDir });
-			const skillCommandsLikelyExposed = (await Promise.all(channelPlugins.map(async (plugin) => {
-				if (plugin.capabilities.nativeCommands !== true && plugin.commands?.nativeSkillsAutoEnabled !== true) return false;
-				if (!await isChannelPluginConfigured(params.cfg, plugin)) return false;
-				return resolveNativeSkillsEnabled({
-					providerId: plugin.id,
-					providerSetting: readChannelCommandSetting(params.cfg, plugin.id, "nativeSkills"),
-					globalSetting: params.cfg.commands?.nativeSkills,
-					stateDir: params.stateDir,
-					autoDefault: plugin.commands?.nativeSkillsAutoEnabled === true
-				});
-			}))).some(Boolean);
-			findings.push({
-				checkId: "plugins.extensions_no_allowlist",
-				severity: skillCommandsLikelyExposed ? "critical" : "warn",
-				title: "Extensions exist but plugins.allow is not set",
-				detail: `Found ${pluginDirs.length} extension(s) under ${extensionsDir}. Without plugins.allow, any discovered plugin id may load (depending on config and plugin behavior).` + (skillCommandsLikelyExposed ? "\nNative skill commands are enabled on at least one configured chat surface; treat unpinned/unallowlisted extensions as high risk." : ""),
-				remediation: "Set plugins.allow to an explicit list of plugin ids you trust."
-			});
-		}
-		const enabledExtensionPluginIds = resolveEnabledExtensionPluginIds({
-			cfg: params.cfg,
-			pluginDirs
-		});
-		if (enabledExtensionPluginIds.length > 0) {
-			const deps = await loadPluginTrustPolicyDeps();
-			const enabledPluginSet = new Set(enabledExtensionPluginIds);
-			const contexts = [{ label: "default" }];
-			for (const entry of params.cfg.agents?.list ?? []) {
-				if (!entry || typeof entry !== "object" || typeof entry.id !== "string") continue;
-				contexts.push({
-					label: `agents.list.${entry.id}`,
-					agentId: entry.id,
-					tools: entry.tools
-				});
-			}
-			const permissiveContexts = [];
-			for (const context of contexts) {
-				const profile = context.tools?.profile ?? params.cfg.tools?.profile;
-				const restrictiveProfile = Boolean(deps.resolveToolProfilePolicy(profile));
-				const sandboxMode = deps.resolveSandboxConfigForAgent(params.cfg, context.agentId).mode;
-				const policies = resolveToolPolicies$2({
-					cfg: params.cfg,
-					deps,
-					agentTools: context.tools,
-					sandboxMode,
-					agentId: context.agentId
-				});
-				const broadPolicy = deps.isToolAllowedByPolicies("__fengming_plugin_probe__", policies);
-				const explicitPluginAllow = !restrictiveProfile && (hasExplicitPluginAllow({
-					allowEntries: collectAllowEntries(params.cfg.tools),
-					enabledPluginIds: enabledPluginSet
-				}) || hasProviderPluginAllow({
-					byProvider: params.cfg.tools?.byProvider,
-					enabledPluginIds: enabledPluginSet
-				}) || hasExplicitPluginAllow({
-					allowEntries: collectAllowEntries(context.tools),
-					enabledPluginIds: enabledPluginSet
-				}) || hasProviderPluginAllow({
-					byProvider: context.tools?.byProvider,
-					enabledPluginIds: enabledPluginSet
-				}));
-				if (broadPolicy || explicitPluginAllow) permissiveContexts.push(context.label);
-			}
-			if (permissiveContexts.length > 0) findings.push({
-				checkId: "plugins.tools_reachable_permissive_policy",
-				severity: "warn",
-				title: "Extension plugin tools may be reachable under permissive tool policy",
-				detail: `Enabled extension plugins: ${enabledExtensionPluginIds.join(", ")}.\nPermissive tool policy contexts:\n${permissiveContexts.map((entry) => `- ${entry}`).join("\n")}`,
-				remediation: "Use restrictive profiles (`minimal`/`coding`) or explicit tool allowlists that exclude plugin tools for agents handling untrusted input."
-			});
-		}
-	}
-	const pluginInstalls = await loadInstalledPluginIndexInstallRecords({ stateDir: params.stateDir });
-	const npmPluginInstalls = Object.entries(pluginInstalls).filter(([, record]) => record?.source === "npm");
-	if (npmPluginInstalls.length > 0) {
-		const unpinned = npmPluginInstalls.filter(([, record]) => typeof record.spec === "string" && !isPinnedRegistrySpec(record.spec)).map(([pluginId, record]) => `${pluginId} (${record.spec})`);
-		if (unpinned.length > 0) findings.push({
-			checkId: "plugins.installs_unpinned_npm_specs",
-			severity: "warn",
-			title: "Plugin index includes unpinned npm specs",
-			detail: `Unpinned plugin index install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Pin install specs to exact versions (for example, `@scope/pkg@1.2.3`) for higher supply-chain stability."
-		});
-		const missingIntegrity = npmPluginInstalls.filter(([, record]) => typeof record.integrity !== "string" || record.integrity.trim() === "").map(([pluginId]) => pluginId);
-		if (missingIntegrity.length > 0) findings.push({
-			checkId: "plugins.installs_missing_integrity",
-			severity: "warn",
-			title: "Plugin index is missing integrity metadata",
-			detail: `Plugin index records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Reinstall or update plugins to refresh install metadata with resolved integrity hashes."
-		});
-		const pluginVersionDrift = [];
-		for (const [pluginId, record] of npmPluginInstalls) {
-			const recordedVersion = record.resolvedVersion ?? record.version;
-			if (!recordedVersion) continue;
-			const installedVersion = await readInstalledPackageVersion(record.installPath ?? path.join(params.stateDir, "extensions", pluginId));
-			if (!installedVersion || installedVersion === recordedVersion) continue;
-			pluginVersionDrift.push(`${pluginId} (recorded ${recordedVersion}, installed ${installedVersion})`);
-		}
-		if (pluginVersionDrift.length > 0) findings.push({
-			checkId: "plugins.installs_version_drift",
-			severity: "warn",
-			title: "Plugin index records drift from installed package versions",
-			detail: `Detected plugin install metadata drift:\n${pluginVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Run `fengming plugins update --all` (or reinstall affected plugins) to refresh install metadata."
-		});
-	}
-	const hookInstalls = params.cfg.hooks?.internal?.installs ?? {};
-	const npmHookInstalls = Object.entries(hookInstalls).filter(([, record]) => record?.source === "npm");
-	if (npmHookInstalls.length > 0) {
-		const unpinned = npmHookInstalls.filter(([, record]) => typeof record.spec === "string" && !isPinnedRegistrySpec(record.spec)).map(([hookId, record]) => `${hookId} (${record.spec})`);
-		if (unpinned.length > 0) findings.push({
-			checkId: "hooks.installs_unpinned_npm_specs",
-			severity: "warn",
-			title: "Hook installs include unpinned npm specs",
-			detail: `Unpinned hook install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Pin hook install specs to exact versions (for example, `@scope/pkg@1.2.3`) for higher supply-chain stability."
-		});
-		const missingIntegrity = npmHookInstalls.filter(([, record]) => typeof record.integrity !== "string" || record.integrity.trim() === "").map(([hookId]) => hookId);
-		if (missingIntegrity.length > 0) findings.push({
-			checkId: "hooks.installs_missing_integrity",
-			severity: "warn",
-			title: "Hook installs are missing integrity metadata",
-			detail: `Hook install records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Reinstall or update hooks to refresh install metadata with resolved integrity hashes."
-		});
-		const hookVersionDrift = [];
-		for (const [hookId, record] of npmHookInstalls) {
-			const recordedVersion = record.resolvedVersion ?? record.version;
-			if (!recordedVersion) continue;
-			const installedVersion = await readInstalledPackageVersion(record.installPath ?? path.join(params.stateDir, "hooks", hookId));
-			if (!installedVersion || installedVersion === recordedVersion) continue;
-			hookVersionDrift.push(`${hookId} (recorded ${recordedVersion}, installed ${installedVersion})`);
-		}
-		if (hookVersionDrift.length > 0) findings.push({
-			checkId: "hooks.installs_version_drift",
-			severity: "warn",
-			title: "Hook install records drift from installed package versions",
-			detail: `Detected hook install metadata drift:\n${hookVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,
-			remediation: "Run `fengming hooks update --all` (or reinstall affected hooks) to refresh install metadata."
-		});
-	}
-	return findings;
-}
-//#endregion
-//#region src/plugins/web-search-credential-presence.ts
-function hasConfiguredCredentialValue(value) {
-	if (typeof value === "string") return value.trim().length > 0;
-	return value !== void 0 && value !== null;
-}
-function isRecord(value) {
-	return typeof value === "object" && value !== null;
-}
-function hasConfiguredSearchCredentialCandidate(searchConfig) {
-	if (!isRecord(searchConfig)) return false;
-	return Object.entries(searchConfig).some(([key, value]) => key !== "enabled" && hasConfiguredCredentialValue(value));
-}
-function hasConfiguredPluginWebSearchCandidate(config) {
-	const entries = isRecord(config.plugins?.entries) ? config.plugins.entries : void 0;
-	if (!entries) return false;
-	return Object.values(entries).some((entry) => {
-		const pluginConfig = isRecord(entry) ? entry.config : void 0;
-		return isRecord(pluginConfig) && hasConfiguredSearchCredentialCandidate(pluginConfig.webSearch);
-	});
-}
-function hasManifestWebSearchEnvCredentialCandidate(params) {
-	const env = params.env;
-	if (!env) return false;
-	return loadManifestMetadataSnapshot({
-		config: params.config,
-		env
-	}).plugins.some((plugin) => {
-		if (params.origin && plugin.origin !== params.origin) return false;
-		if ((plugin.contracts?.webSearchProviders?.length ?? 0) === 0) return false;
-		return [...(plugin.setup?.providers ?? []).flatMap((provider) => provider.envVars ?? []), ...Object.values(plugin.providerAuthEnvVars ?? {}).flat()].some((envVar) => hasConfiguredCredentialValue(env[envVar]));
-	});
-}
-function hasConfiguredWebSearchCredential(params) {
-	return hasConfiguredSearchCredentialCandidate(params.searchConfig ?? params.config.tools?.web?.search) || hasConfiguredPluginWebSearchCandidate(params.config) || hasManifestWebSearchEnvCredentialCandidate({
-		config: params.config,
-		env: params.env,
-		origin: params.origin
-	});
-}
-//#endregion
-//#region src/security/audit-model-refs.ts
-function resolveAuditModelId(cfg, raw, aliasIndex) {
-	const resolved = resolveModelRefFromString({
-		cfg,
-		raw,
-		defaultProvider: DEFAULT_PROVIDER,
-		aliasIndex,
-		allowPluginNormalization: false
-	})?.ref;
-	return resolved ? modelKey(resolved.provider, resolved.model) : raw;
-}
-function addModelRef(params) {
-	if (typeof params.raw !== "string") return;
-	const raw = params.raw.trim();
-	if (!raw) return;
-	params.out.push({
-		id: resolveAuditModelId(params.cfg, raw, params.aliasIndex),
-		source: params.source
-	});
-}
-function collectAuditModelRefs(cfg) {
-	const aliasIndex = buildModelAliasIndex({
-		cfg,
-		defaultProvider: DEFAULT_PROVIDER,
-		allowPluginNormalization: false
-	});
-	const out = [];
-	const add = (raw, source) => addModelRef({
-		out,
-		cfg,
-		aliasIndex,
-		raw,
-		source
-	});
-	add(resolveAgentModelPrimaryValue(cfg.agents?.defaults?.model), "agents.defaults.model.primary");
-	for (const fallback of resolveAgentModelFallbackValues(cfg.agents?.defaults?.model)) add(fallback, "agents.defaults.model.fallbacks");
-	add(resolveAgentModelPrimaryValue(cfg.agents?.defaults?.imageModel), "agents.defaults.imageModel.primary");
-	for (const fallback of resolveAgentModelFallbackValues(cfg.agents?.defaults?.imageModel)) add(fallback, "agents.defaults.imageModel.fallbacks");
-	const list = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
-	for (const agent of list) {
-		if (!agent || typeof agent !== "object") continue;
-		const id = typeof agent.id === "string" ? agent.id : "";
-		const model = agent.model;
-		if (typeof model === "string") add(model, `agents.list.${id}.model`);
-		else if (model && typeof model === "object") {
-			add(model.primary, `agents.list.${id}.model.primary`);
-			const fallbacks = model.fallbacks;
-			if (Array.isArray(fallbacks)) for (const fallback of fallbacks) add(fallback, `agents.list.${id}.model.fallbacks`);
-		}
-	}
-	return out;
-}
-//#endregion
-//#region src/security/audit-extra.summary.ts
-const SMALL_MODEL_PARAM_B_MAX = 300;
-function summarizeGroupPolicy(cfg) {
-	const channels = cfg.channels;
-	if (!channels || typeof channels !== "object") return {
-		open: 0,
-		allowlist: 0,
-		other: 0
-	};
-	let open = 0;
-	let allowlist = 0;
-	let other = 0;
-	for (const value of Object.values(channels)) {
-		if (!value || typeof value !== "object") continue;
-		const policy = value.groupPolicy;
-		if (policy === "open") open += 1;
-		else if (policy === "allowlist") allowlist += 1;
-		else other += 1;
-	}
-	return {
-		open,
-		allowlist,
-		other
-	};
-}
-function extractAgentIdFromSource(source) {
-	return source.match(/^agents\.list\.([^.]*)\./)?.[1] ?? null;
-}
-function resolveToolPolicies$1(params) {
-	const policies = [];
-	const profilePolicy = resolveToolProfilePolicy(params.agentTools?.profile ?? params.cfg.tools?.profile);
-	if (profilePolicy) policies.push(profilePolicy);
-	const globalPolicy = pickSandboxToolPolicy(params.cfg.tools ?? void 0);
-	if (globalPolicy) policies.push(globalPolicy);
-	const agentPolicy = pickSandboxToolPolicy(params.agentTools);
-	if (agentPolicy) policies.push(agentPolicy);
-	const globalProviderPolicy = resolveProviderToolPolicy({
-		byProvider: params.cfg.tools?.byProvider,
-		modelProvider: params.modelProvider,
-		modelId: params.modelId
-	});
-	if (globalProviderPolicy) policies.push(globalProviderPolicy);
-	const agentProviderPolicy = resolveProviderToolPolicy({
-		byProvider: params.agentTools?.byProvider,
-		modelProvider: params.modelProvider,
-		modelId: params.modelId
-	});
-	if (agentProviderPolicy) policies.push(agentProviderPolicy);
-	if (params.sandboxMode === "all") policies.push(resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? void 0));
-	return policies;
-}
-function hasWebSearchKey(cfg, env) {
-	return hasConfiguredWebSearchCredential({
-		config: cfg,
-		env,
-		origin: "bundled"
-	});
-}
-function isWebSearchEnabled(cfg, env) {
-	const enabled = cfg.tools?.web?.search?.enabled;
-	if (enabled === false) return false;
-	if (enabled === true) return true;
-	return hasWebSearchKey(cfg, env);
-}
-function isWebFetchEnabled(cfg) {
-	if (cfg.tools?.web?.fetch?.enabled === false) return false;
-	return true;
-}
-function isBrowserEnabled(cfg) {
-	return cfg.browser?.enabled !== false;
-}
-function collectAttackSurfaceSummaryFindings(cfg) {
-	const group = summarizeGroupPolicy(cfg);
-	const elevated = cfg.tools?.elevated?.enabled !== false;
-	const webhooksEnabled = cfg.hooks?.enabled === true;
-	const internalHooksEnabled = hasConfiguredInternalHooks(cfg);
-	const browserEnabled = cfg.browser?.enabled ?? true;
-	return [{
-		checkId: "summary.attack_surface",
-		severity: "info",
-		title: "Attack surface summary",
-		detail: `groups: open=${group.open}, allowlist=${group.allowlist}\ntools.elevated: ${elevated ? "enabled" : "disabled"}\nhooks.webhooks: ${webhooksEnabled ? "enabled" : "disabled"}\nhooks.internal: ${internalHooksEnabled ? "enabled" : "disabled"}\nbrowser control: ${browserEnabled ? "enabled" : "disabled"}\ntrust model: personal assistant (one trusted operator boundary), not hostile multi-tenant on one shared gateway`
-	}];
-}
-function collectSmallModelRiskFindings(params) {
-	const findings = [];
-	const models = collectAuditModelRefs(params.cfg).filter((entry) => !entry.source.includes("imageModel"));
-	if (models.length === 0) return findings;
-	const smallModels = models.map((entry) => {
-		const paramB = inferParamBFromIdOrName(entry.id);
-		if (!paramB || paramB > SMALL_MODEL_PARAM_B_MAX) return null;
-		return {
-			...entry,
-			paramB
-		};
-	}).filter((entry) => Boolean(entry));
-	if (smallModels.length === 0) return findings;
-	let hasUnsafe = false;
-	const modelLines = [];
-	const exposureSet = /* @__PURE__ */ new Set();
-	for (const entry of smallModels) {
-		const agentId = extractAgentIdFromSource(entry.source);
-		const modelRef = parseModelRef(entry.id, "openai", { allowPluginNormalization: false });
-		const sandboxMode = resolveSandboxConfigForAgent(params.cfg, agentId ?? void 0).mode;
-		const agentTools = agentId && params.cfg.agents?.list ? params.cfg.agents.list.find((agent) => agent?.id === agentId)?.tools : void 0;
-		const policies = resolveToolPolicies$1({
-			cfg: params.cfg,
-			agentTools,
-			sandboxMode,
-			agentId,
-			modelProvider: modelRef?.provider,
-			modelId: modelRef?.model
-		});
-		const exposed = [];
-		if (isWebSearchEnabled(params.cfg, params.env) && isToolAllowedByPolicies("web_search", policies)) exposed.push("web_search");
-		if (isWebFetchEnabled(params.cfg) && isToolAllowedByPolicies("web_fetch", policies)) exposed.push("web_fetch");
-		if (isBrowserEnabled(params.cfg) && isToolAllowedByPolicies("browser", policies)) exposed.push("browser");
-		for (const tool of exposed) exposureSet.add(tool);
-		const sandboxLabel = sandboxMode === "all" ? "sandbox=all" : `sandbox=${sandboxMode}`;
-		const exposureLabel = exposed.length > 0 ? ` web=[${exposed.join(", ")}]` : " web=[off]";
-		const safe = exposed.length === 0;
-		if (!safe) hasUnsafe = true;
-		const statusLabel = safe ? "ok" : "unsafe";
-		modelLines.push(`- ${entry.id} (${entry.paramB}B) @ ${entry.source} (${statusLabel}; ${sandboxLabel};${exposureLabel})`);
-	}
-	const exposureList = Array.from(exposureSet);
-	const exposureDetail = exposureList.length > 0 ? `Uncontrolled input tools allowed: ${exposureList.join(", ")}.` : "No web/browser tools detected for these models.";
-	findings.push({
-		checkId: "models.small_params",
-		severity: hasUnsafe ? "critical" : "info",
-		title: "Small models require sandboxing and web tools disabled",
-		detail: `Small models (<=${SMALL_MODEL_PARAM_B_MAX}B params) detected:\n` + modelLines.join("\n") + `\n` + exposureDetail + "\nSmall models are not recommended for untrusted inputs.",
-		remediation: "If you must use small models, disable web_search/web_fetch/browser globally or for each small model with tools.byProvider[\"provider/model\"].deny=[\"group:web\",\"browser\"]; use agents.defaults.sandbox.mode=\"all\" for defense in depth."
-	});
-	return findings;
-}
-//#endregion
-//#region src/security/audit-extra.sync.ts
-function isProbablySyncedPath(p) {
-	const s = p.toLowerCase();
-	return s.includes("icloud") || s.includes("dropbox") || s.includes("google drive") || s.includes("googledrive") || s.includes("onedrive");
-}
-function looksLikeEnvRef(value) {
-	const v = value.trim();
-	return v.startsWith("${") && v.endsWith("}");
-}
-function isGatewayRemotelyExposed(cfg) {
-	if ((typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback") !== "loopback") return true;
-	const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
-	return tailscaleMode === "serve" || tailscaleMode === "funnel";
-}
-function formatGatewayAuthDisplayLabel(label) {
-	if (label === "gateway auth password") return "Gateway password";
-	return "Gateway token";
-}
-function formatHooksTokenReuseDetail(reusedGatewayAuthLabel) {
-	if (reusedGatewayAuthLabel === "gateway auth password") return "hooks.token matches gateway.auth password; compromise of hooks expands blast radius to Gateway password auth.";
-	return "hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.";
-}
-function listActiveGatewaySharedSecrets(auth) {
-	if (auth.mode === "token") return [{
-		label: "gateway auth token",
-		value: auth.token
-	}];
-	if (auth.mode === "password" || auth.mode === "trusted-proxy") return [{
-		label: "gateway auth password",
-		value: auth.password
-	}];
-	return [];
-}
-function findGatewayAuthLabelMatchingHooksToken(params) {
-	return listActiveGatewaySharedSecrets(params.auth).find((candidate) => normalizeOptionalString(candidate.value) === params.hooksToken)?.label;
-}
-function findHooksTokenGatewayAuthReuseLabel(params) {
-	const configReuseLabel = findGatewayAuthLabelMatchingHooksToken({
-		hooksToken: params.hooksToken,
-		auth: params.configGatewayAuth
-	});
-	if (configReuseLabel) return configReuseLabel;
-	return params.overrideGatewayAuth ? findGatewayAuthLabelMatchingHooksToken({
-		hooksToken: params.hooksToken,
-		auth: params.overrideGatewayAuth
-	}) : void 0;
-}
-function hasResolvedGatewayHttpAuth(auth) {
-	if (auth.mode === "token") return Boolean(normalizeOptionalString(auth.token));
-	if (auth.mode === "password") return Boolean(normalizeOptionalString(auth.password));
-	if (auth.mode === "trusted-proxy") return true;
-	return false;
-}
-const LEGACY_MODEL_PATTERNS = [
-	{
-		id: "openai.gpt35",
-		re: /\bgpt-3\.5\b/i,
-		label: "GPT-3.5 family"
-	},
-	{
-		id: "anthropic.claude2",
-		re: /\bclaude-(instant|2)\b/i,
-		label: "Claude 2/Instant family"
-	},
-	{
-		id: "openai.gpt4_legacy",
-		re: /\bgpt-4-(0314|0613)\b/i,
-		label: "Legacy GPT-4 snapshots"
-	}
-];
-const WEAK_TIER_MODEL_PATTERNS = [{
-	id: "anthropic.haiku",
-	re: /\bhaiku\b/i,
-	label: "Haiku tier (smaller model)"
-}];
-function isGptModel(id) {
-	return /\bgpt-/i.test(id);
-}
-function isGpt5OrHigher(id) {
-	return /\bgpt-5(?:\b|[.-])/i.test(id);
-}
-function isClaudeModel(id) {
-	return /\bclaude-/i.test(id);
-}
-function isClaude45OrHigher(id) {
-	return /\bclaude-[^\s/]*?(?:-4-?(?:[5-9]|[1-9]\d)\b|4\.(?:[5-9]|[1-9]\d)\b|-[5-9](?:\b|[.-]))/i.test(id);
-}
-function hasConfiguredDockerConfig(docker) {
-	if (!docker || typeof docker !== "object") return false;
-	return Object.values(docker).some((value) => value !== void 0);
-}
-function normalizeNodeCommand(value) {
-	return normalizeOptionalString(value) ?? "";
-}
-function isWildcardEntry(value) {
-	return normalizeStringifiedOptionalString(value) === "*";
-}
-function listKnownNodeCommands(cfg) {
-	const baseCfg = {
-		...cfg,
-		gateway: {
-			...cfg.gateway,
-			nodes: {
-				...cfg.gateway?.nodes,
-				denyCommands: []
-			}
-		}
-	};
-	const out = /* @__PURE__ */ new Set();
-	for (const node of [
-		{
-			platform: "ios",
-			deviceFamily: "iPhone"
-		},
-		{
-			platform: "android",
-			deviceFamily: "Android"
-		},
-		{
-			platform: "macos",
-			deviceFamily: "Mac",
-			approvedCommands: [
-				"system.run",
-				"system.run.prepare",
-				"system.which",
-				"browser.proxy",
-				"screen.snapshot"
-			]
-		},
-		{
-			platform: "linux",
-			deviceFamily: "Linux",
-			approvedCommands: [
-				"system.run",
-				"system.run.prepare",
-				"system.which",
-				"browser.proxy"
-			]
-		},
-		{
-			platform: "windows",
-			deviceFamily: "Windows",
-			approvedCommands: [
-				"system.run",
-				"system.run.prepare",
-				"system.which",
-				"browser.proxy",
-				"screen.snapshot"
-			]
-		},
-		{ platform: "unknown" }
-	]) {
-		const allow = resolveNodeCommandAllowlist(baseCfg, node);
-		for (const cmd of allow) {
-			const normalized = normalizeNodeCommand(cmd);
-			if (normalized) out.add(normalized);
-		}
-	}
-	for (const cmd of resolveNodeCommandAllowlist(baseCfg, { caps: ["talk"] })) {
-		const normalized = normalizeNodeCommand(cmd);
-		if (normalized) out.add(normalized);
-	}
-	for (const cmd of DEFAULT_DANGEROUS_NODE_COMMANDS) {
-		const normalized = normalizeNodeCommand(cmd);
-		if (normalized) out.add(normalized);
-	}
-	return out;
-}
-function resolveToolPolicies(params) {
-	const policies = [];
-	const profilePolicy = resolveToolProfilePolicy(params.agentTools?.profile ?? params.cfg.tools?.profile);
-	if (profilePolicy) policies.push(profilePolicy);
-	const globalPolicy = pickSandboxToolPolicy(params.cfg.tools ?? void 0);
-	if (globalPolicy) policies.push(globalPolicy);
-	const agentPolicy = pickSandboxToolPolicy(params.agentTools);
-	if (agentPolicy) policies.push(agentPolicy);
-	if (params.sandboxMode === "all") policies.push(resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? void 0));
-	return policies;
-}
-function looksLikeNodeCommandPattern(value) {
-	if (!value) return false;
-	if (/[?*[\]{}(),|]/.test(value)) return true;
-	if (value.startsWith("/") || value.endsWith("/") || value.startsWith("^") || value.endsWith("$")) return true;
-	return /\s/.test(value) || value.includes("group:");
-}
-function editDistance(a, b) {
-	if (a === b) return 0;
-	if (!a) return b.length;
-	if (!b) return a.length;
-	const dp = Array.from({ length: b.length + 1 }, (_, j) => j);
-	for (let i = 1; i <= a.length; i++) {
-		let prev = dp[0];
-		dp[0] = i;
-		for (let j = 1; j <= b.length; j++) {
-			const temp = dp[j];
-			const cost = a[i - 1] === b[j - 1] ? 0 : 1;
-			dp[j] = Math.min(dp[j] + 1, dp[j - 1] + 1, prev + cost);
-			prev = temp;
-		}
-	}
-	return dp[b.length];
-}
-function suggestKnownNodeCommands(unknown, known) {
-	const needle = unknown.trim();
-	if (!needle) return [];
-	const prefix = needle.includes(".") ? needle.split(".").slice(0, 2).join(".") : needle;
-	const prefixHits = Array.from(known).filter((cmd) => cmd.startsWith(prefix)).slice(0, 3);
-	if (prefixHits.length > 0) return prefixHits;
-	const ranked = Array.from(known).map((cmd) => ({
-		cmd,
-		d: editDistance(needle, cmd)
-	})).toSorted((a, b) => a.d - b.d || a.cmd.localeCompare(b.cmd));
-	const best = ranked[0]?.d ?? Infinity;
-	const threshold = Math.max(2, Math.min(4, best));
-	return ranked.filter((r) => r.d <= threshold).slice(0, 3).map((r) => r.cmd);
-}
-function listGroupPolicyOpen(cfg) {
-	const out = [];
-	const channels = cfg.channels;
-	if (!channels || typeof channels !== "object") return out;
-	for (const [channelId, value] of Object.entries(channels)) {
-		if (!value || typeof value !== "object") continue;
-		const section = value;
-		if (section.groupPolicy === "open") out.push(`channels.${channelId}.groupPolicy`);
-		const accounts = section.accounts;
-		if (accounts && typeof accounts === "object") for (const [accountId, accountVal] of Object.entries(accounts)) {
-			if (!accountVal || typeof accountVal !== "object") continue;
-			if (accountVal.groupPolicy === "open") out.push(`channels.${channelId}.accounts.${accountId}.groupPolicy`);
-		}
-	}
-	return out;
-}
-function hasConfiguredGroupTargets(section) {
-	return [
-		"groups",
-		"guilds",
-		"channels",
-		"rooms"
-	].some((key) => {
-		const value = section[key];
-		return Boolean(value && typeof value === "object" && Object.keys(value).length > 0);
-	});
-}
-function listPotentialMultiUserSignals(cfg) {
-	const out = /* @__PURE__ */ new Set();
-	const channels = cfg.channels;
-	if (!channels || typeof channels !== "object") return [];
-	const inspectSection = (section, basePath) => {
-		const groupPolicy = typeof section.groupPolicy === "string" ? section.groupPolicy : null;
-		if (groupPolicy === "open") out.add(`${basePath}.groupPolicy="open"`);
-		else if (groupPolicy === "allowlist" && hasConfiguredGroupTargets(section)) out.add(`${basePath}.groupPolicy="allowlist" with configured group targets`);
-		if ((typeof section.dmPolicy === "string" ? section.dmPolicy : null) === "open") out.add(`${basePath}.dmPolicy="open"`);
-		if ((Array.isArray(section.allowFrom) ? section.allowFrom : []).some((entry) => isWildcardEntry(entry))) out.add(`${basePath}.allowFrom includes "*"`);
-		if ((Array.isArray(section.groupAllowFrom) ? section.groupAllowFrom : []).some((entry) => isWildcardEntry(entry))) out.add(`${basePath}.groupAllowFrom includes "*"`);
-		const dm = section.dm;
-		if (dm && typeof dm === "object") {
-			const dmSection = dm;
-			if ((typeof dmSection.policy === "string" ? dmSection.policy : null) === "open") out.add(`${basePath}.dm.policy="open"`);
-			if ((Array.isArray(dmSection.allowFrom) ? dmSection.allowFrom : []).some((entry) => isWildcardEntry(entry))) out.add(`${basePath}.dm.allowFrom includes "*"`);
-		}
-	};
-	for (const [channelId, value] of Object.entries(channels)) {
-		if (!value || typeof value !== "object") continue;
-		const section = value;
-		inspectSection(section, `channels.${channelId}`);
-		const accounts = section.accounts;
-		if (!accounts || typeof accounts !== "object") continue;
-		for (const [accountId, accountValue] of Object.entries(accounts)) {
-			if (!accountValue || typeof accountValue !== "object") continue;
-			inspectSection(accountValue, `channels.${channelId}.accounts.${accountId}`);
-		}
-	}
-	return Array.from(out);
-}
-function collectRiskyToolExposureContexts(cfg) {
-	const contexts = [{ label: "agents.defaults" }];
-	for (const agent of cfg.agents?.list ?? []) {
-		if (!agent || typeof agent !== "object" || typeof agent.id !== "string") continue;
-		contexts.push({
-			label: `agents.list.${agent.id}`,
-			agentId: agent.id,
-			tools: agent.tools
-		});
-	}
-	const riskyContexts = [];
-	let hasRuntimeRisk = false;
-	for (const context of contexts) {
-		const sandboxMode = resolveSandboxConfigForAgent(cfg, context.agentId).mode;
-		const policies = resolveToolPolicies({
-			cfg,
-			agentTools: context.tools,
-			sandboxMode,
-			agentId: context.agentId ?? null
-		});
-		const runtimeTools = ["exec", "process"].filter((tool) => isToolAllowedByPolicies(tool, policies));
-		const fsTools = [
-			"read",
-			"write",
-			"edit",
-			"apply_patch"
-		].filter((tool) => isToolAllowedByPolicies(tool, policies));
-		const fsWorkspaceOnly = context.tools?.fs?.workspaceOnly ?? cfg.tools?.fs?.workspaceOnly;
-		const runtimeUnguarded = runtimeTools.length > 0 && sandboxMode !== "all";
-		const fsUnguarded = fsTools.length > 0 && sandboxMode !== "all" && fsWorkspaceOnly !== true;
-		if (!runtimeUnguarded && !fsUnguarded) continue;
-		if (runtimeUnguarded) hasRuntimeRisk = true;
-		riskyContexts.push(`${context.label} (sandbox=${sandboxMode}; runtime=[${runtimeTools.join(", ") || "off"}]; fs=[${fsTools.join(", ") || "off"}]; fs.workspaceOnly=${fsWorkspaceOnly === true ? "true" : "false"})`);
-	}
-	return {
-		riskyContexts,
-		hasRuntimeRisk
-	};
-}
-function collectSyncedFolderFindings(params) {
-	const findings = [];
-	if (isProbablySyncedPath(params.stateDir) || isProbablySyncedPath(params.configPath)) findings.push({
-		checkId: "fs.synced_dir",
-		severity: "warn",
-		title: "State/config path looks like a synced folder",
-		detail: `stateDir=${params.stateDir}, configPath=${params.configPath}. Synced folders (iCloud/Dropbox/OneDrive/Google Drive) can leak tokens and transcripts onto other devices.`,
-		remediation: `Keep FENGMING_STATE_DIR on a local-only volume and re-run "${formatCliCommand("fengming security audit --fix")}".`
-	});
-	return findings;
-}
-function collectSecretsInConfigFindings(cfg) {
-	const findings = [];
-	const password = normalizeOptionalString(cfg.gateway?.auth?.password) ?? "";
-	if (password && !looksLikeEnvRef(password)) findings.push({
-		checkId: "config.secrets.gateway_password_in_config",
-		severity: "warn",
-		title: "Gateway password is stored in config",
-		detail: "gateway.auth.password is set in the config file; prefer environment variables for secrets when possible.",
-		remediation: "Prefer FENGMING_GATEWAY_PASSWORD (env) and remove gateway.auth.password from disk."
-	});
-	const hooksToken = normalizeOptionalString(cfg.hooks?.token) ?? "";
-	if (cfg.hooks?.enabled === true && hooksToken && !looksLikeEnvRef(hooksToken)) findings.push({
-		checkId: "config.secrets.hooks_token_in_config",
-		severity: "info",
-		title: "Hooks token is stored in config",
-		detail: "hooks.token is set in the config file; keep config perms tight and treat it like an API secret."
-	});
-	return findings;
-}
-function collectHooksHardeningFindings(cfg, env = process.env, options = {}) {
-	const findings = [];
-	if (cfg.hooks?.enabled !== true) return findings;
-	const token = normalizeOptionalString(cfg.hooks?.token) ?? "";
-	if (token && token.length < 24) findings.push({
-		checkId: "hooks.token_too_short",
-		severity: "warn",
-		title: "Hooks token looks short",
-		detail: `hooks.token is ${token.length} chars; prefer a long random token.`
-	});
-	const reusedGatewayAuthLabel = findHooksTokenGatewayAuthReuseLabel({
-		hooksToken: token,
-		configGatewayAuth: resolveGatewayAuth({
-			authConfig: cfg.gateway?.auth,
-			tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
-			env
-		}),
-		overrideGatewayAuth: options.gatewayAuthOverride ? resolveGatewayAuth({
-			authConfig: cfg.gateway?.auth,
-			authOverride: options.gatewayAuthOverride,
-			tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
-			env
-		}) : void 0
-	});
-	if (reusedGatewayAuthLabel) findings.push({
-		checkId: "hooks.token_reuse_gateway_token",
-		severity: "critical",
-		title: `Hooks token reuses the ${formatGatewayAuthDisplayLabel(reusedGatewayAuthLabel)}`,
-		detail: formatHooksTokenReuseDetail(reusedGatewayAuthLabel),
-		remediation: "Use a separate hooks.token dedicated to hook ingress and keep it distinct from Gateway token/password shared-secret auth."
-	});
-	if ((normalizeOptionalString(cfg.hooks?.path) ?? "") === "/") findings.push({
-		checkId: "hooks.path_root",
-		severity: "critical",
-		title: "Hooks base path is '/'",
-		detail: "hooks.path='/' would shadow other HTTP endpoints and is unsafe.",
-		remediation: "Use a dedicated path like '/hooks'."
-	});
-	const allowRequestSessionKey = cfg.hooks?.allowRequestSessionKey === true;
-	const defaultSessionKey = normalizeOptionalString(cfg.hooks?.defaultSessionKey) ?? "";
-	const allowedAgentIds = resolveAllowedAgentIds(cfg.hooks?.allowedAgentIds);
-	const allowedPrefixes = Array.isArray(cfg.hooks?.allowedSessionKeyPrefixes) ? cfg.hooks.allowedSessionKeyPrefixes.map((prefix) => prefix.trim()).filter((prefix) => prefix.length > 0) : [];
-	const remoteExposure = isGatewayRemotelyExposed(cfg);
-	if (!defaultSessionKey) findings.push({
-		checkId: "hooks.default_session_key_unset",
-		severity: "warn",
-		title: "hooks.defaultSessionKey is not configured",
-		detail: "Hook agent runs without explicit sessionKey use generated per-request keys. Set hooks.defaultSessionKey to keep hook ingress scoped to a known session.",
-		remediation: "Set hooks.defaultSessionKey (for example, \"hook:ingress\")."
-	});
-	if (allowedAgentIds === void 0) findings.push({
-		checkId: "hooks.allowed_agent_ids_unrestricted",
-		severity: remoteExposure ? "critical" : "warn",
-		title: "Hook agent routing allows any configured agent",
-		detail: "hooks.allowedAgentIds is unset or includes '*', so authenticated hook callers may route to any configured agent id, including the default agent when agentId is omitted.",
-		remediation: "Set hooks.allowedAgentIds to an explicit allowlist (for example, [\"hooks\", \"main\"]) or [] to deny hook agent routing."
-	});
-	if (allowRequestSessionKey) findings.push({
-		checkId: "hooks.request_session_key_enabled",
-		severity: remoteExposure ? "critical" : "warn",
-		title: "External hook payloads may override sessionKey",
-		detail: "hooks.allowRequestSessionKey=true allows `/hooks/agent` callers to choose the session key. Treat hook token holders as full-trust unless you also restrict prefixes.",
-		remediation: "Set hooks.allowRequestSessionKey=false (recommended) or constrain hooks.allowedSessionKeyPrefixes."
-	});
-	if (allowRequestSessionKey && allowedPrefixes.length === 0) findings.push({
-		checkId: "hooks.request_session_key_prefixes_missing",
-		severity: remoteExposure ? "critical" : "warn",
-		title: "Request sessionKey override is enabled without prefix restrictions",
-		detail: "hooks.allowRequestSessionKey=true and hooks.allowedSessionKeyPrefixes is unset/empty, so request payloads can target arbitrary session key shapes.",
-		remediation: "Set hooks.allowedSessionKeyPrefixes (for example, [\"hook:\"]) or disable request overrides."
-	});
-	return findings;
-}
-function collectGatewayHttpSessionKeyOverrideFindings(cfg) {
-	const findings = [];
-	const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
-	const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
-	if (!chatCompletionsEnabled && !responsesEnabled) return findings;
-	const enabledEndpoints = [chatCompletionsEnabled ? "/v1/chat/completions" : null, responsesEnabled ? "/v1/responses" : null].filter((entry) => Boolean(entry));
-	findings.push({
-		checkId: "gateway.http.session_key_override_enabled",
-		severity: "info",
-		title: "HTTP API session-key override is enabled",
-		detail: `${enabledEndpoints.join(", ")} accept x-fengming-session-key for per-request session routing. Treat API credential holders as trusted principals.`
-	});
-	return findings;
-}
-function collectGatewayHttpNoAuthFindings(cfg, env, options = {}) {
-	const findings = [];
-	const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
-	if (hasResolvedGatewayHttpAuth(resolveGatewayAuth({
-		authConfig: cfg.gateway?.auth,
-		authOverride: options.gatewayAuthOverride,
-		tailscaleMode,
-		env
-	}))) return findings;
-	const chatCompletionsEnabled = cfg.gateway?.http?.endpoints?.chatCompletions?.enabled === true;
-	const responsesEnabled = cfg.gateway?.http?.endpoints?.responses?.enabled === true;
-	const adminHttpRpcEnabled = cfg.plugins?.entries?.["admin-http-rpc"]?.enabled === true;
-	const enabledEndpoints = [
-		"/tools/invoke",
-		chatCompletionsEnabled ? "/v1/chat/completions" : null,
-		responsesEnabled ? "/v1/responses" : null,
-		adminHttpRpcEnabled ? "/api/v1/admin/rpc" : null
-	].filter((entry) => Boolean(entry));
-	const remoteExposure = isGatewayRemotelyExposed(cfg);
-	findings.push({
-		checkId: "gateway.http.no_auth",
-		severity: remoteExposure ? "critical" : "warn",
-		title: "Gateway HTTP APIs are reachable without auth",
-		detail: `gateway.auth.mode="none" leaves ${enabledEndpoints.join(", ")} callable without a shared secret. Treat this as trusted-local only and avoid exposing the gateway beyond loopback.`,
-		remediation: "Set gateway.auth.mode to token/password (recommended). If you intentionally keep mode=none, keep gateway.bind=loopback and disable optional HTTP endpoints/plugins."
-	});
-	return findings;
-}
-function collectSandboxDockerNoopFindings(cfg) {
-	const findings = [];
-	const configuredPaths = [];
-	const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
-	const defaultsSandbox = cfg.agents?.defaults?.sandbox;
-	const hasDefaultDocker = hasConfiguredDockerConfig(defaultsSandbox?.docker);
-	const defaultMode = defaultsSandbox?.mode ?? "off";
-	const hasAnySandboxEnabledAgent = agents.some((entry) => {
-		if (!entry || typeof entry !== "object" || typeof entry.id !== "string") return false;
-		return resolveSandboxConfigForAgent(cfg, entry.id).mode !== "off";
-	});
-	if (hasDefaultDocker && defaultMode === "off" && !hasAnySandboxEnabledAgent) configuredPaths.push("agents.defaults.sandbox.docker");
-	for (const entry of agents) {
-		if (!entry || typeof entry !== "object" || typeof entry.id !== "string") continue;
-		if (!hasConfiguredDockerConfig(entry.sandbox?.docker)) continue;
-		if (resolveSandboxConfigForAgent(cfg, entry.id).mode === "off") configuredPaths.push(`agents.list.${entry.id}.sandbox.docker`);
-	}
-	if (configuredPaths.length === 0) return findings;
-	findings.push({
-		checkId: "sandbox.docker_config_mode_off",
-		severity: "warn",
-		title: "Sandbox docker settings configured while sandbox mode is off",
-		detail: "These docker settings will not take effect until sandbox mode is enabled:\n" + configuredPaths.map((entry) => `- ${entry}`).join("\n"),
-		remediation: "Enable sandbox mode (`agents.defaults.sandbox.mode=\"non-main\"` or `\"all\"`) where needed, or remove unused docker settings."
-	});
-	return findings;
-}
-function collectSandboxDangerousConfigFindings(cfg) {
-	const findings = [];
-	const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
-	const configs = [];
-	const defaultDocker = cfg.agents?.defaults?.sandbox?.docker;
-	if (defaultDocker && typeof defaultDocker === "object") configs.push({
-		source: "agents.defaults.sandbox.docker",
-		docker: defaultDocker
-	});
-	for (const entry of agents) {
-		if (!entry || typeof entry !== "object" || typeof entry.id !== "string") continue;
-		const agentDocker = entry.sandbox?.docker;
-		if (agentDocker && typeof agentDocker === "object") configs.push({
-			source: `agents.list.${entry.id}.sandbox.docker`,
-			docker: agentDocker
-		});
-	}
-	for (const { source, docker } of configs) {
-		const binds = Array.isArray(docker.binds) ? docker.binds : [];
-		for (const bind of binds) {
-			if (typeof bind !== "string") continue;
-			const blocked = getBlockedBindReason(bind);
-			if (!blocked) continue;
-			if (blocked.kind === "non_absolute") {
-				findings.push({
-					checkId: "sandbox.bind_mount_non_absolute",
-					severity: "warn",
-					title: "Sandbox bind mount uses a non-absolute source path",
-					detail: `${source}.binds contains "${bind}" which uses source path "${blocked.sourcePath}". Non-absolute bind sources are hard to validate safely and may resolve unexpectedly.`,
-					remediation: `Rewrite "${bind}" to use an absolute host path (for example: /home/user/project:/project:ro).`
-				});
-				continue;
-			}
-			if (blocked.kind !== "covers" && blocked.kind !== "targets") continue;
-			const verb = blocked.kind === "covers" ? "covers" : "targets";
-			findings.push({
-				checkId: "sandbox.dangerous_bind_mount",
-				severity: "critical",
-				title: "Dangerous bind mount in sandbox config",
-				detail: `${source}.binds contains "${bind}" which ${verb} blocked path "${blocked.blockedPath}". This can expose host system directories or the Docker socket to sandbox containers.`,
-				remediation: `Remove "${bind}" from ${source}.binds. Use project-specific paths instead.`
-			});
-		}
-		const network = typeof docker.network === "string" ? docker.network : void 0;
-		const normalizedNetwork = normalizeNetworkMode(network);
-		if (isDangerousNetworkMode(network)) {
-			const modeLabel = normalizedNetwork === "host" ? "\"host\"" : `"${network}"`;
-			const detail = normalizedNetwork === "host" ? `${source}.network is "host" which bypasses container network isolation entirely.` : `${source}.network is ${modeLabel} which joins another container namespace and can bypass sandbox network isolation.`;
-			findings.push({
-				checkId: "sandbox.dangerous_network_mode",
-				severity: "critical",
-				title: "Dangerous network mode in sandbox config",
-				detail,
-				remediation: `Set ${source}.network to "bridge", "none", or a custom bridge network name. Use ${source}.dangerouslyAllowContainerNamespaceJoin=true only as a break-glass override when you fully trust this runtime.`
-			});
-		}
-		if (normalizeOptionalLowercaseString(typeof docker.seccompProfile === "string" ? docker.seccompProfile : void 0) === "unconfined") findings.push({
-			checkId: "sandbox.dangerous_seccomp_profile",
-			severity: "critical",
-			title: "Seccomp unconfined in sandbox config",
-			detail: `${source}.seccompProfile is "unconfined" which disables syscall filtering.`,
-			remediation: `Remove ${source}.seccompProfile or use a custom seccomp profile file.`
-		});
-		if (normalizeOptionalLowercaseString(typeof docker.apparmorProfile === "string" ? docker.apparmorProfile : void 0) === "unconfined") findings.push({
-			checkId: "sandbox.dangerous_apparmor_profile",
-			severity: "critical",
-			title: "AppArmor unconfined in sandbox config",
-			detail: `${source}.apparmorProfile is "unconfined" which disables AppArmor enforcement.`,
-			remediation: `Remove ${source}.apparmorProfile or use a named AppArmor profile.`
-		});
-	}
-	return findings;
-}
-function collectNodeDenyCommandPatternFindings(cfg) {
-	const findings = [];
-	const denyListRaw = cfg.gateway?.nodes?.denyCommands;
-	if (!Array.isArray(denyListRaw) || denyListRaw.length === 0) return findings;
-	const denyList = denyListRaw.map(normalizeNodeCommand).filter(Boolean);
-	if (denyList.length === 0) return findings;
-	const knownCommands = listKnownNodeCommands(cfg);
-	const patternLike = denyList.filter((entry) => looksLikeNodeCommandPattern(entry));
-	const unknownExact = denyList.filter((entry) => !looksLikeNodeCommandPattern(entry) && !knownCommands.has(entry));
-	if (patternLike.length === 0 && unknownExact.length === 0) return findings;
-	const detailParts = [];
-	if (patternLike.length > 0) detailParts.push(`Pattern-like entries (not supported by exact matching): ${patternLike.join(", ")}`);
-	if (unknownExact.length > 0) {
-		const unknownDetails = unknownExact.map((entry) => {
-			const suggestions = suggestKnownNodeCommands(entry, knownCommands);
-			if (suggestions.length === 0) return entry;
-			return `${entry} (did you mean: ${suggestions.join(", ")})`;
-		}).join(", ");
-		detailParts.push(`Unknown command names (not in defaults/allowCommands): ${unknownDetails}`);
-	}
-	const examples = Array.from(knownCommands).slice(0, 8);
-	findings.push({
-		checkId: "gateway.nodes.deny_commands_ineffective",
-		severity: "warn",
-		title: "Some gateway.nodes.denyCommands entries are ineffective",
-		detail: "gateway.nodes.denyCommands uses exact node command-name matching only (for example `system.run`), not shell-text filtering inside a command payload.\n" + detailParts.map((entry) => `- ${entry}`).join("\n"),
-		remediation: `Use exact command names (for example: ${examples.join(", ")}). If you need broader restrictions, remove risky command IDs from allowCommands/default workflows and tighten tools.exec policy.`
-	});
-	return findings;
-}
-function collectNodeDangerousAllowCommandFindings(cfg) {
-	const findings = [];
-	const allowRaw = cfg.gateway?.nodes?.allowCommands;
-	if (!Array.isArray(allowRaw) || allowRaw.length === 0) return findings;
-	const allow = new Set(normalizeUniqueStringEntries(allowRaw.map(normalizeNodeCommand)));
-	if (allow.size === 0) return findings;
-	const deny = new Set((cfg.gateway?.nodes?.denyCommands ?? []).map(normalizeNodeCommand));
-	const dangerousAllowed = [...DEFAULT_DANGEROUS_NODE_COMMANDS, ...listDangerousPluginNodeCommands()].filter((cmd) => allow.has(cmd) && !deny.has(cmd));
-	if (dangerousAllowed.length === 0) return findings;
-	findings.push({
-		checkId: "gateway.nodes.allow_commands_dangerous",
-		severity: isGatewayRemotelyExposed(cfg) ? "critical" : "warn",
-		title: "Dangerous node commands explicitly enabled",
-		detail: `gateway.nodes.allowCommands includes: ${dangerousAllowed.join(", ")}. These commands can trigger high-impact device actions or read node files (camera/screen/contacts/calendar/reminders/SMS/file).`,
-		remediation: "Remove these entries from gateway.nodes.allowCommands (recommended). If you keep them, treat gateway auth as full operator access and keep gateway exposure local/tailnet-only."
-	});
-	return findings;
-}
-function collectMinimalProfileOverrideFindings(cfg) {
-	const findings = [];
-	if (cfg.tools?.profile !== "minimal") return findings;
-	const overrides = (cfg.agents?.list ?? []).filter((entry) => {
-		return Boolean(entry && typeof entry === "object" && typeof entry.id === "string" && entry.tools?.profile && entry.tools.profile !== "minimal");
-	}).map((entry) => `${entry.id}=${entry.tools?.profile}`);
-	if (overrides.length === 0) return findings;
-	findings.push({
-		checkId: "tools.profile_minimal_overridden",
-		severity: "warn",
-		title: "Global tools.profile=minimal is overridden by agent profiles",
-		detail: "Global minimal profile is set, but these agent profiles take precedence:\n" + overrides.map((entry) => `- agents.list.${entry}`).join("\n"),
-		remediation: "Set those agents to `tools.profile=\"minimal\"` (or remove the agent override) if you want minimal tools enforced globally."
-	});
-	return findings;
-}
-function collectModelHygieneFindings(cfg) {
-	const findings = [];
-	const models = collectAuditModelRefs(cfg);
-	if (models.length === 0) return findings;
-	const weakMatches = /* @__PURE__ */ new Map();
-	const addWeakMatch = (model, source, reason) => {
-		const key = `${model}@@${source}`;
-		const existing = weakMatches.get(key);
-		if (!existing) {
-			weakMatches.set(key, {
-				model,
-				source,
-				reasons: [reason]
-			});
-			return;
-		}
-		if (!existing.reasons.includes(reason)) existing.reasons.push(reason);
-	};
-	for (const entry of models) {
-		for (const pat of WEAK_TIER_MODEL_PATTERNS) if (pat.re.test(entry.id)) {
-			addWeakMatch(entry.id, entry.source, pat.label);
-			break;
-		}
-		if (isGptModel(entry.id) && !isGpt5OrHigher(entry.id)) addWeakMatch(entry.id, entry.source, "Below GPT-5 family");
-		if (isClaudeModel(entry.id) && !isClaude45OrHigher(entry.id)) addWeakMatch(entry.id, entry.source, "Below Claude 4.5");
-	}
-	const matches = [];
-	for (const entry of models) for (const pat of LEGACY_MODEL_PATTERNS) if (pat.re.test(entry.id)) {
-		matches.push({
-			model: entry.id,
-			source: entry.source,
-			reason: pat.label
-		});
-		break;
-	}
-	if (matches.length > 0) {
-		const lines = matches.slice(0, 12).map((m) => `- ${m.model} (${m.reason}) @ ${m.source}`).join("\n");
-		const more = matches.length > 12 ? `\n…${matches.length - 12} more` : "";
-		findings.push({
-			checkId: "models.legacy",
-			severity: "warn",
-			title: "Some configured models look legacy",
-			detail: "Older/legacy models can be less robust against prompt injection and tool misuse.\n" + lines + more,
-			remediation: "Prefer modern, instruction-hardened models for any bot that can run tools."
-		});
-	}
-	if (weakMatches.size > 0) {
-		const lines = Array.from(weakMatches.values()).slice(0, 12).map((m) => `- ${m.model} (${m.reasons.join("; ")}) @ ${m.source}`).join("\n");
-		const more = weakMatches.size > 12 ? `\n…${weakMatches.size - 12} more` : "";
-		findings.push({
-			checkId: "models.weak_tier",
-			severity: "warn",
-			title: "Some configured models are below recommended tiers",
-			detail: "Smaller/older models are generally more susceptible to prompt injection and tool misuse.\n" + lines + more,
-			remediation: "Use the latest, top-tier model for any bot with tools or untrusted inboxes. Avoid Haiku tiers; prefer GPT-5+ and Claude 4.5+."
-		});
-	}
-	return findings;
-}
-function collectExposureMatrixFindings(cfg) {
-	const findings = [];
-	const openGroups = listGroupPolicyOpen(cfg);
-	if (openGroups.length === 0) return findings;
-	if (cfg.tools?.elevated?.enabled !== false) findings.push({
-		checkId: "security.exposure.open_groups_with_elevated",
-		severity: "critical",
-		title: "Open groupPolicy with elevated tools enabled",
-		detail: `Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\nWith tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident.`,
-		remediation: `Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.`
-	});
-	const { riskyContexts, hasRuntimeRisk } = collectRiskyToolExposureContexts(cfg);
-	if (riskyContexts.length > 0) findings.push({
-		checkId: "security.exposure.open_groups_with_runtime_or_fs",
-		severity: hasRuntimeRisk ? "critical" : "warn",
-		title: "Open groupPolicy with runtime/filesystem tools exposed",
-		detail: `Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\nRisky tool exposure contexts:\n${riskyContexts.map((line) => `- ${line}`).join("\n")}\nPrompt injection in open groups can trigger command/file actions in these contexts.`,
-		remediation: "For open groups, prefer tools.profile=\"messaging\" (or deny group:runtime/group:fs), set tools.fs.workspaceOnly=true, and use agents.defaults.sandbox.mode=\"all\" for exposed agents."
-	});
-	return findings;
-}
-function collectLikelyMultiUserSetupFindings(cfg) {
-	const findings = [];
-	const signals = listPotentialMultiUserSignals(cfg);
-	if (signals.length === 0) return findings;
-	const { riskyContexts, hasRuntimeRisk } = collectRiskyToolExposureContexts(cfg);
-	const impactLine = hasRuntimeRisk ? "Runtime/process tools are exposed without full sandboxing in at least one context." : "No unguarded runtime/process tools were detected by this heuristic.";
-	const riskyContextsDetail = riskyContexts.length > 0 ? `Potential high-impact tool exposure contexts:\n${riskyContexts.map((line) => `- ${line}`).join("\n")}` : "No unguarded runtime/filesystem contexts detected.";
-	findings.push({
-		checkId: "security.trust_model.multi_user_heuristic",
-		severity: "warn",
-		title: "Potential multi-user setup detected (personal-assistant model warning)",
-		detail: "Heuristic signals indicate this gateway may be reachable by multiple users:\n" + signals.map((signal) => `- ${signal}`).join("\n") + `\n${impactLine}\n${riskyContextsDetail}\nFengMing's default security model is personal-assistant (one trusted operator boundary), not hostile multi-tenant isolation on one shared gateway.`,
-		remediation: "If users may be mutually untrusted, split trust boundaries (separate gateways + credentials, ideally separate OS users/hosts). If you intentionally run shared-user access, set agents.defaults.sandbox.mode=\"all\", keep tools.fs.workspaceOnly=true, deny runtime/fs/web tools unless required, and keep personal/private identities + credentials off that runtime."
-	});
-	return findings;
-}
-//#endregion
-//#region src/skills/security/workspace-audit.ts
-const MAX_WORKSPACE_SKILL_SCAN_FILES_PER_WORKSPACE = 2e3;
-const MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS = 12;
-async function safeStat(targetPath) {
-	try {
-		return {
-			ok: true,
-			isDir: (await fs.lstat(targetPath)).isDirectory()
-		};
-	} catch {
-		return {
-			ok: false,
-			isDir: false
-		};
-	}
-}
-function realpathWithTimeout(p, timeoutMs = 2e3) {
-	let timerHandle;
-	const realpathPromise = fs.realpath(p).catch(() => null).then((result) => {
-		clearTimeout(timerHandle);
-		return result;
-	});
-	const timeoutPromise = new Promise((resolve) => {
-		timerHandle = setTimeout(() => resolve(null), timeoutMs);
-		timerHandle.unref?.();
-	});
-	return Promise.race([realpathPromise, timeoutPromise]);
-}
-async function listWorkspaceSkillMarkdownFiles(workspaceDir, limits = {}) {
-	const skillsRoot = path.join(workspaceDir, "skills");
-	const rootStat = await safeStat(skillsRoot);
-	if (!rootStat.ok || !rootStat.isDir) return {
-		skillFilePaths: [],
-		truncated: false
-	};
-	const maxFiles = limits.maxFiles ?? MAX_WORKSPACE_SKILL_SCAN_FILES_PER_WORKSPACE;
-	const maxTotalDirVisits = limits.maxDirVisits ?? maxFiles * 20;
-	const skillFiles = [];
-	const queue = [skillsRoot];
-	const visitedDirs = /* @__PURE__ */ new Set();
-	let totalDirVisits = 0;
-	while (queue.length > 0 && skillFiles.length < maxFiles && totalDirVisits++ < maxTotalDirVisits) {
-		const dir = queue.shift();
-		const dirRealPath = await realpathWithTimeout(dir) ?? path.resolve(dir);
-		if (visitedDirs.has(dirRealPath)) continue;
-		visitedDirs.add(dirRealPath);
-		const entries = await fs.readdir(dir, { withFileTypes: true }).catch(() => []);
-		for (const entry of entries) {
-			if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
-			const fullPath = path.join(dir, entry.name);
-			if (entry.isDirectory()) {
-				queue.push(fullPath);
-				continue;
-			}
-			if (entry.isSymbolicLink()) {
-				const stat = await fs.stat(fullPath).catch(() => null);
-				if (!stat) continue;
-				if (stat.isDirectory()) {
-					queue.push(fullPath);
-					continue;
-				}
-				if (stat.isFile() && entry.name === "SKILL.md") skillFiles.push(fullPath);
-				continue;
-			}
-			if (entry.isFile() && entry.name === "SKILL.md") skillFiles.push(fullPath);
-		}
-	}
-	return {
-		skillFilePaths: skillFiles,
-		truncated: queue.length > 0
-	};
-}
-async function collectWorkspaceSkillSymlinkEscapeFindings(params) {
-	const findings = [];
-	const workspaceDirs = listAgentWorkspaceDirs(params.cfg);
-	if (workspaceDirs.length === 0) return findings;
-	const escapedSkillFiles = [];
-	const seenSkillPaths = /* @__PURE__ */ new Set();
-	for (const workspaceDir of workspaceDirs) {
-		const workspacePath = path.resolve(workspaceDir);
-		const workspaceRealPath = await realpathWithTimeout(workspacePath) ?? workspacePath;
-		const { skillFilePaths, truncated } = await listWorkspaceSkillMarkdownFiles(workspacePath, params.skillScanLimits);
-		if (truncated) findings.push({
-			checkId: "skills.workspace.scan_truncated",
-			severity: "warn",
-			title: "Workspace skill scan reached the directory visit limit",
-			detail: `The skills/ directory scan in ${workspacePath} stopped early after reaching the BFS visit cap. Skill files in the unscanned portion of the tree were not checked for symlink escapes.`,
-			remediation: "Flatten or simplify the skills/ directory hierarchy to stay within the scan budget, or move deeply-nested skill collections to a managed skill location."
-		});
-		for (const skillFilePath of skillFilePaths) {
-			const canonicalSkillPath = path.resolve(skillFilePath);
-			if (seenSkillPaths.has(canonicalSkillPath)) continue;
-			seenSkillPaths.add(canonicalSkillPath);
-			const skillRealPath = await realpathWithTimeout(canonicalSkillPath);
-			if (!skillRealPath) {
-				escapedSkillFiles.push({
-					workspaceDir: workspacePath,
-					skillFilePath: canonicalSkillPath,
-					skillRealPath: "(realpath timed out - symlink target unverifiable)"
-				});
-				continue;
-			}
-			if (isPathInside(workspaceRealPath, skillRealPath)) continue;
-			escapedSkillFiles.push({
-				workspaceDir: workspacePath,
-				skillFilePath: canonicalSkillPath,
-				skillRealPath
-			});
-		}
-	}
-	if (escapedSkillFiles.length === 0) return findings;
-	findings.push({
-		checkId: "skills.workspace.symlink_escape",
-		severity: "warn",
-		title: "Workspace skill files resolve outside the workspace root",
-		detail: "Detected workspace `skills/**/SKILL.md` paths whose realpath escapes their workspace root:\n" + escapedSkillFiles.slice(0, MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS).map((entry) => `- workspace=${entry.workspaceDir}\n  skill=${entry.skillFilePath}\n  realpath=${entry.skillRealPath}`).join("\n") + (escapedSkillFiles.length > MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS ? `\n- +${escapedSkillFiles.length - MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS} more` : ""),
-		remediation: "Keep workspace skills inside the workspace root (replace symlinked escapes with real in-workspace files), or move trusted shared skills to managed/bundled skill locations."
-	});
-	return findings;
-}
-//#endregion
-export { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectGatewayHttpNoAuthFindings, collectGatewayHttpSessionKeyOverrideFindings, collectHooksHardeningFindings, collectIncludeFilePermFindings, collectLikelyMultiUserSetupFindings, collectMinimalProfileOverrideFindings, collectModelHygieneFindings, collectNodeDangerousAllowCommandFindings, collectNodeDenyCommandPatternFindings, collectPluginsTrustFindings, collectSandboxBrowserHashLabelFindings, collectSandboxDangerousConfigFindings, collectSandboxDockerNoopFindings, collectSecretsInConfigFindings, collectSmallModelRiskFindings, collectStateDeepFilesystemFindings, collectSyncedFolderFindings, collectWorkspaceSkillSymlinkEscapeFindings, readConfigSnapshotForAudit };