npm - getcrabb - Versions diffs - 0.1.0 - Mend

getcrabb 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,115 @@
+# CRABB - Security Scanner for OpenClaw AI Agents
+CLI security scanner that produces a CRABB SCORE (0-100) with prioritized findings.
+## Installation
+```bash
+npm install -g getcrabb
+```
+## Usage
+```bash
+# Scan default OpenClaw installation (~/.openclaw/)
+crabb
+# Scan custom directory
+crabb --path ./my-openclaw
+# Output as JSON
+crabb --json
+# Create shareable score card
+crabb --share
+# CI-friendly (no colors)
+crabb --no-color
+```
+## Options
+| Flag | Short | Description |
+|------|-------|-------------|
+| `--path <dir>` | `-p` | Path to OpenClaw directory |
+| `--json` | `-j` | Output results as JSON |
+| `--share` | `-s` | Share score card to crabb.ai |
+| `--no-color` | | Disable colored output |
+| `--help` | `-h` | Show help message |
+| `--version` | `-v` | Show version number |
+## Exit Codes
+| Code | Description |
+|------|-------------|
+| 0 | Score >= 75, no Critical/High findings |
+| 1 | Score < 75 or Critical/High findings present |
+| 2 | Scan failed (IO error, OpenClaw not found) |
+## Scanners
+### Credentials Scanner (max 40 points)
+Detects API keys, tokens, and secrets in:
+- `openclaw.json`
+- `credentials/*`
+- `agents/*/auth-profiles.json`
+- `agents/*/sessions/*.jsonl`
+- `.env` files
+Supports: Anthropic, OpenAI, AWS, GitHub, Slack, Stripe, Discord, Telegram, and generic patterns.
+### Skills Scanner (max 30 points)
+Static analysis for suspicious patterns in SKILL.md files:
+- **Critical**: Remote code execution, curl piped to bash
+- **High**: Data exfiltration, environment access
+- **Medium**: Broad file access patterns
+- **Low**: General network/file operations
+### Permissions Scanner (max 20 points)
+Analyzes `openclaw.json` configuration:
+- Sandbox mode (strict/permissive/disabled)
+- DM policy settings
+- Allowlist wildcards
+- Gateway bind/auth/TLS settings
+- File permissions (700/600)
+### Network Scanner (max 10 points)
+Checks gateway configuration and local ports:
+- Gateway bind mode analysis
+- TLS and auth configuration
+- Localhost port scan (18789, 8080, 3000)
+## Score Calculation
+```
+score = 100 - sum(min(module_cap, module_penalty))
+penalty = sum(severity_base × confidence)
+Severity base:
+- Critical: 27.5
+- High: 17.5
+- Medium: 7.5
+- Low: 2.5
+```
+## Grades
+| Grade | Score | Notes |
+|-------|-------|-------|
+| A | 90+ | Excellent security posture |
+| B | 75+ | Good, minor improvements recommended |
+| C | 60+ | Fair, review findings |
+| D | 40+ | Poor, immediate action needed |
+| F | <40 | Critical security issues |
+**Note**: Critical findings cap the maximum grade at C.
+## Privacy
+- **Offline by default**: No network calls without `--share`
+- **No secrets in output**: All findings show type, file, and line only (redacted)
+- **Share payload**: Contains only aggregates (score, grade, counts)
+## License
+MIT

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,1055 @@
+#!/usr/bin/env node
+// src/cli.ts
+import { parseArgs } from "util";
+import { exit } from "process";
+// src/config/paths.ts
+import { homedir } from "os";
+import { join } from "path";
+function getDefaultOpenClawPath() {
+  return join(homedir(), ".openclaw");
+}
+// src/scanners/credentials.ts
+import { join as join3 } from "path";
+// src/utils/fs.ts
+import { readFile, readdir, stat, access } from "fs/promises";
+import { join as join2, relative } from "path";
+import { constants } from "fs";
+async function fileExists(path) {
+  try {
+    await access(path, constants.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readTextFile(path) {
+  try {
+    return await readFile(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+async function readJsonFile(path) {
+  const content = await readTextFile(path);
+  if (!content) return null;
+  try {
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function getFileStats(path) {
+  try {
+    return await stat(path);
+  } catch {
+    return null;
+  }
+}
+async function* walkDirectory(dir, basePath = dir) {
+  try {
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join2(dir, entry.name);
+      const relativePath = relative(basePath, fullPath);
+      if (entry.isDirectory()) {
+        yield* walkDirectory(fullPath, basePath);
+      } else if (entry.isFile()) {
+        yield { path: fullPath, relativePath };
+      }
+    }
+  } catch {
+  }
+}
+// src/scanners/credentials.ts
+var CAP = 40;
+var CREDENTIAL_PATTERNS = [
+  // Anthropic
+  {
+    name: "Anthropic API Key",
+    pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // OpenAI
+  {
+    name: "OpenAI API Key",
+    pattern: /sk-[a-zA-Z0-9]{20,}(?!-ant)/g,
+    severity: "critical",
+    confidence: 0.9
+  },
+  // Discord
+  {
+    name: "Discord Bot Token",
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Telegram
+  {
+    name: "Telegram Bot Token",
+    pattern: /\d{8,10}:[A-Za-z0-9_-]{35}/g,
+    severity: "critical",
+    confidence: 0.9
+  },
+  // AWS
+  {
+    name: "AWS Access Key ID",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "AWS Secret Access Key",
+    pattern: /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g,
+    severity: "high",
+    confidence: 0.6
+  },
+  // GitHub
+  {
+    name: "GitHub Personal Access Token",
+    pattern: /ghp_[a-zA-Z0-9]{36}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "GitHub OAuth Token",
+    pattern: /gho_[a-zA-Z0-9]{36}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "GitHub Fine-grained PAT",
+    pattern: /github_pat_[a-zA-Z0-9_]{22,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Slack
+  {
+    name: "Slack Bot Token",
+    pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "Slack User Token",
+    pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Stripe
+  {
+    name: "Stripe Secret Key",
+    pattern: /sk_live_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "Stripe Test Key",
+    pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
+    severity: "medium",
+    confidence: 0.9
+  },
+  // Generic patterns
+  {
+    name: "Generic API Key",
+    pattern: /(?:api[_-]?key|apikey|api[_-]?token)\s*[=:]\s*["']?([a-zA-Z0-9_-]{20,})["']?/gi,
+    severity: "high",
+    confidence: 0.7
+  },
+  {
+    name: "Generic Secret",
+    pattern: /(?:secret|password|passwd|pwd)\s*[=:]\s*["']?([a-zA-Z0-9_!@#$%^&*-]{8,})["']?/gi,
+    severity: "high",
+    confidence: 0.6
+  },
+  // Private Keys
+  {
+    name: "Private Key",
+    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    severity: "critical",
+    confidence: 0.99
+  }
+];
+var PLACEHOLDER_PATTERNS = [
+  /^your[-_]?api[-_]?key[-_]?here$/i,
+  /^xxx+$/i,
+  /^placeholder$/i,
+  /^example$/i,
+  /^test[-_]?key$/i,
+  /^\$\{[^}]+\}$/,
+  /^<[^>]+>$/,
+  /^{{[^}]+}}$/,
+  /^%[^%]+%$/,
+  /^INSERT[-_]?YOUR[-_]?KEY$/i,
+  /^REPLACE[-_]?ME$/i,
+  /^TODO$/i,
+  /^changeme$/i
+];
+function isPlaceholder(value) {
+  return PLACEHOLDER_PATTERNS.some((pattern) => pattern.test(value.trim()));
+}
+function extractValue(match) {
+  return match[1] ?? match[0];
+}
+async function scanFile(filePath, relativePath) {
+  const content = await readTextFile(filePath);
+  if (!content) return [];
+  const findings = [];
+  const lines = content.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    for (const credPattern of CREDENTIAL_PATTERNS) {
+      credPattern.pattern.lastIndex = 0;
+      let match;
+      while ((match = credPattern.pattern.exec(line)) !== null) {
+        const value = extractValue(match);
+        if (isPlaceholder(value)) {
+          continue;
+        }
+        if (value.length < 8) {
+          continue;
+        }
+        findings.push({
+          scanner: "credentials",
+          severity: credPattern.severity,
+          title: credPattern.name,
+          description: `Detected ${credPattern.name} in configuration file`,
+          file: relativePath,
+          line: lineNum + 1,
+          confidence: credPattern.confidence
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanCredentials(openclawPath) {
+  const findings = [];
+  const filesToScan = [
+    { path: join3(openclawPath, "openclaw.json"), relative: "openclaw.json" },
+    { path: join3(openclawPath, ".env"), relative: ".env" }
+  ];
+  const credentialsDir = join3(openclawPath, "credentials");
+  if (await fileExists(credentialsDir)) {
+    for await (const file of walkDirectory(credentialsDir, openclawPath)) {
+      filesToScan.push({ path: file.path, relative: file.relativePath });
+    }
+  }
+  const agentsDir = join3(openclawPath, "agents");
+  if (await fileExists(agentsDir)) {
+    for await (const file of walkDirectory(agentsDir, openclawPath)) {
+      if (file.relativePath.includes("auth-profiles.json") || file.relativePath.endsWith(".jsonl") || file.relativePath.endsWith(".json")) {
+        filesToScan.push({ path: file.path, relative: file.relativePath });
+      }
+    }
+  }
+  for (const file of filesToScan) {
+    if (await fileExists(file.path)) {
+      const fileFindings = await scanFile(file.path, file.relative);
+      findings.push(...fileFindings);
+    }
+  }
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "credentials",
+    findings,
+    penalty: Math.min(penalty, CAP),
+    cap: CAP
+  };
+}
+// src/scanners/skills.ts
+import { join as join4 } from "path";
+var CAP2 = 30;
+var SKILL_PATTERNS = [
+  // Critical: Remote code execution
+  {
+    name: "Curl piped to shell",
+    pattern: /curl\s+[^|]*\|\s*(?:bash|sh|zsh)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Downloading and executing remote scripts is extremely dangerous"
+  },
+  {
+    name: "Wget piped to shell",
+    pattern: /wget\s+[^|]*\|\s*(?:bash|sh|zsh)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Downloading and executing remote scripts is extremely dangerous"
+  },
+  {
+    name: "Code execution function",
+    pattern: /\b(?:eval|Function)\s*\(/gi,
+    severity: "critical",
+    confidence: 0.8,
+    description: "Dynamic code execution can lead to arbitrary code execution"
+  },
+  {
+    name: "System command execution",
+    pattern: /\b(?:os\.system|subprocess\.call|subprocess\.run|child_process)\s*\(/gi,
+    severity: "critical",
+    confidence: 0.85,
+    description: "System command execution may allow arbitrary command injection"
+  },
+  // Critical: Sensitive file access
+  {
+    name: "SSH key access",
+    pattern: /\.ssh\/(?:id_rsa|id_ed25519|id_dsa|authorized_keys)/gi,
+    severity: "critical",
+    confidence: 0.9,
+    description: "Accessing SSH keys can compromise authentication"
+  },
+  {
+    name: "Password file access",
+    pattern: /\/etc\/(?:passwd|shadow)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Accessing system password files is a security risk"
+  },
+  // High: Data exfiltration patterns
+  {
+    name: "POST request with data",
+    pattern: /(?:curl|wget|fetch|axios|request)\s+.*(?:-d|--data|POST)/gi,
+    severity: "high",
+    confidence: 0.7,
+    description: "Outbound data transmission may indicate exfiltration"
+  },
+  {
+    name: "Base64 encode and send",
+    pattern: /base64.*(?:curl|wget|fetch|send|post)/gi,
+    severity: "high",
+    confidence: 0.75,
+    description: "Encoding and transmitting data may indicate exfiltration"
+  },
+  {
+    name: "Environment variable dump",
+    pattern: /\benv\b|\$ENV|\bprocess\.env\b|\bos\.environ\b/gi,
+    severity: "high",
+    confidence: 0.6,
+    description: "Environment access may expose sensitive configuration"
+  },
+  // Medium: File system access
+  {
+    name: "Unrestricted file read",
+    pattern: /(?:fs\.readFile|open\s*\(|read\s*\().*(?:\*|\.\.)/gi,
+    severity: "medium",
+    confidence: 0.6,
+    description: "Broad file read patterns may access unintended files"
+  },
+  {
+    name: "Home directory access",
+    pattern: /~\/|\/home\/|\$HOME/gi,
+    severity: "medium",
+    confidence: 0.5,
+    description: "Accessing user home directory may expose sensitive data"
+  },
+  {
+    name: "Recursive directory operations",
+    pattern: /(?:-r|--recursive|walk|glob\*\*)/gi,
+    severity: "medium",
+    confidence: 0.4,
+    description: "Recursive operations may access more files than intended"
+  },
+  // Low: Suspicious but not necessarily harmful
+  {
+    name: "Network connection",
+    pattern: /(?:socket|connect|http|https):\/\//gi,
+    severity: "low",
+    confidence: 0.3,
+    description: "Network connections should be reviewed for necessity"
+  },
+  {
+    name: "File write operation",
+    pattern: /(?:fs\.writeFile|open\s*\([^)]*['"]\s*w|>+\s*[a-zA-Z])/gi,
+    severity: "low",
+    confidence: 0.4,
+    description: "File write operations should be reviewed"
+  }
+];
+async function scanSkillFile(filePath, relativePath) {
+  const content = await readTextFile(filePath);
+  if (!content) return [];
+  const findings = [];
+  const lines = content.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    for (const skillPattern of SKILL_PATTERNS) {
+      skillPattern.pattern.lastIndex = 0;
+      if (skillPattern.pattern.test(line)) {
+        findings.push({
+          scanner: "skills",
+          severity: skillPattern.severity,
+          title: skillPattern.name,
+          description: skillPattern.description,
+          file: relativePath,
+          line: lineNum + 1,
+          confidence: skillPattern.confidence
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanSkills(openclawPath) {
+  const findings = [];
+  const skillsDirs = [
+    join4(openclawPath, "skills"),
+    join4(openclawPath, "workspace", "skills")
+  ];
+  for (const skillsDir of skillsDirs) {
+    if (await fileExists(skillsDir)) {
+      for await (const file of walkDirectory(skillsDir, openclawPath)) {
+        if (file.relativePath.endsWith(".md")) {
+          const fileFindings = await scanSkillFile(file.path, file.relativePath);
+          findings.push(...fileFindings);
+        }
+      }
+    }
+  }
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "skills",
+    findings,
+    penalty: Math.min(penalty, CAP2),
+    cap: CAP2
+  };
+}
+// src/scanners/permissions.ts
+import { join as join5 } from "path";
+var CAP3 = 20;
+function checkSandboxMode(config) {
+  const mode = config.sandbox?.mode;
+  if (mode === "disabled") {
+    return {
+      scanner: "permissions",
+      severity: "critical",
+      title: "Sandbox disabled",
+      description: "Agent sandbox is completely disabled, allowing unrestricted system access",
+      file: "openclaw.json",
+      confidence: 0.95
+    };
+  }
+  if (mode === "permissive") {
+    return {
+      scanner: "permissions",
+      severity: "high",
+      title: "Sandbox in permissive mode",
+      description: "Agent sandbox is in permissive mode, may allow unintended access",
+      file: "openclaw.json",
+      confidence: 0.85
+    };
+  }
+  return null;
+}
+function checkDmPolicy(config) {
+  const policy = config.dmPolicy;
+  if (policy === "allow") {
+    return {
+      scanner: "permissions",
+      severity: "medium",
+      title: "DM policy allows all",
+      description: "Direct message policy allows all messages without filtering",
+      file: "openclaw.json",
+      confidence: 0.7
+    };
+  }
+  return null;
+}
+function checkAllowlist(config) {
+  const findings = [];
+  const allowlist = config.allowlist ?? [];
+  for (const entry of allowlist) {
+    if (entry === "*" || entry === "**") {
+      findings.push({
+        scanner: "permissions",
+        severity: "critical",
+        title: "Wildcard allowlist",
+        description: "Allowlist contains unrestricted wildcard, allowing all access",
+        file: "openclaw.json",
+        confidence: 0.95
+      });
+    } else if (entry.includes("*")) {
+      findings.push({
+        scanner: "permissions",
+        severity: "medium",
+        title: "Broad allowlist pattern",
+        description: `Allowlist pattern "${entry}" may be too permissive`,
+        file: "openclaw.json",
+        confidence: 0.6
+      });
+    }
+  }
+  return findings;
+}
+function checkGateway(config) {
+  const findings = [];
+  const gateway = config.gateway;
+  if (!gateway) return findings;
+  if (gateway.bind === "0.0.0.0" || gateway.bind === "::") {
+    findings.push({
+      scanner: "permissions",
+      severity: "high",
+      title: "Gateway binds to all interfaces",
+      description: "Gateway is exposed on all network interfaces, should bind to localhost",
+      file: "openclaw.json",
+      confidence: 0.9
+    });
+  }
+  if (gateway.auth === false) {
+    findings.push({
+      scanner: "permissions",
+      severity: "high",
+      title: "Gateway authentication disabled",
+      description: "Gateway has authentication disabled, allowing unauthenticated access",
+      file: "openclaw.json",
+      confidence: 0.9
+    });
+  }
+  if (gateway.tls === false && gateway.bind !== "localhost" && gateway.bind !== "127.0.0.1") {
+    findings.push({
+      scanner: "permissions",
+      severity: "medium",
+      title: "Gateway TLS disabled",
+      description: "Gateway TLS is disabled for non-localhost connections",
+      file: "openclaw.json",
+      confidence: 0.75
+    });
+  }
+  return findings;
+}
+async function checkFilePermissions(openclawPath) {
+  const findings = [];
+  const rootStats = await getFileStats(openclawPath);
+  if (rootStats) {
+    const mode = rootStats.mode & 511;
+    if ((mode & 63) !== 0) {
+      findings.push({
+        scanner: "permissions",
+        severity: "medium",
+        title: "OpenClaw directory too permissive",
+        description: `Directory permissions ${mode.toString(8)} allow group/other access, recommend 700`,
+        file: openclawPath,
+        confidence: 0.8
+      });
+    }
+  }
+  const credentialsDir = join5(openclawPath, "credentials");
+  if (await fileExists(credentialsDir)) {
+    const credStats = await getFileStats(credentialsDir);
+    if (credStats) {
+      const mode = credStats.mode & 511;
+      if ((mode & 63) !== 0) {
+        findings.push({
+          scanner: "permissions",
+          severity: "high",
+          title: "Credentials directory too permissive",
+          description: `Credentials permissions ${mode.toString(8)} allow group/other access, recommend 700`,
+          file: "credentials/",
+          confidence: 0.9
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanPermissions(openclawPath) {
+  const findings = [];
+  const configPath = join5(openclawPath, "openclaw.json");
+  const config = await readJsonFile(configPath);
+  if (config) {
+    const sandboxFinding = checkSandboxMode(config);
+    if (sandboxFinding) findings.push(sandboxFinding);
+    const dmFinding = checkDmPolicy(config);
+    if (dmFinding) findings.push(dmFinding);
+    findings.push(...checkAllowlist(config));
+    findings.push(...checkGateway(config));
+  }
+  findings.push(...await checkFilePermissions(openclawPath));
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "permissions",
+    findings,
+    penalty: Math.min(penalty, CAP3),
+    cap: CAP3
+  };
+}
+// src/scanners/network.ts
+import { join as join6 } from "path";
+import { createConnection } from "net";
+var CAP4 = 10;
+var DEFAULT_PORTS = [18789, 8080, 3e3];
+var PORT_SCAN_TIMEOUT = 1e3;
+async function checkPortOpen(port, host = "localhost") {
+  return new Promise((resolve) => {
+    const socket = createConnection({ port, host, timeout: PORT_SCAN_TIMEOUT });
+    socket.on("connect", () => {
+      socket.destroy();
+      resolve(true);
+    });
+    socket.on("timeout", () => {
+      socket.destroy();
+      resolve(false);
+    });
+    socket.on("error", () => {
+      socket.destroy();
+      resolve(false);
+    });
+  });
+}
+async function scanOpenPorts() {
+  const findings = [];
+  for (const port of DEFAULT_PORTS) {
+    const isOpen = await checkPortOpen(port);
+    if (isOpen) {
+      findings.push({
+        scanner: "network",
+        severity: "low",
+        title: `Port ${port} is open`,
+        description: `Localhost port ${port} is listening, verify if this is expected`,
+        confidence: 0.5
+      });
+    }
+  }
+  return findings;
+}
+function analyzeGatewayConfig(config) {
+  const findings = [];
+  const gateway = config.gateway;
+  if (!gateway) return findings;
+  const bind = gateway.bind ?? "localhost";
+  const isExposed = bind === "0.0.0.0" || bind === "::";
+  if (isExposed) {
+    if (!gateway.tls) {
+      findings.push({
+        scanner: "network",
+        severity: "high",
+        title: "Exposed gateway without TLS",
+        description: "Gateway is exposed to network without TLS encryption",
+        file: "openclaw.json",
+        confidence: 0.9
+      });
+    }
+    if (!gateway.auth) {
+      findings.push({
+        scanner: "network",
+        severity: "critical",
+        title: "Exposed gateway without authentication",
+        description: "Gateway is exposed to network without authentication",
+        file: "openclaw.json",
+        confidence: 0.95
+      });
+    }
+  }
+  const port = gateway.port ?? 18789;
+  if (port < 1024 && port !== 443 && port !== 80) {
+    findings.push({
+      scanner: "network",
+      severity: "medium",
+      title: "Non-standard privileged port",
+      description: `Gateway uses privileged port ${port}, requires elevated permissions`,
+      file: "openclaw.json",
+      confidence: 0.7
+    });
+  }
+  return findings;
+}
+async function scanNetwork(openclawPath) {
+  const findings = [];
+  const configPath = join6(openclawPath, "openclaw.json");
+  const config = await readJsonFile(configPath);
+  if (config) {
+    findings.push(...analyzeGatewayConfig(config));
+  }
+  findings.push(...await scanOpenPorts());
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "network",
+    findings,
+    penalty: Math.min(penalty, CAP4),
+    cap: CAP4
+  };
+}
+// src/scanners/index.ts
+async function runAllScanners(options) {
+  const { openclawPath } = options;
+  const results = await Promise.all([
+    scanCredentials(openclawPath),
+    scanSkills(openclawPath),
+    scanPermissions(openclawPath),
+    scanNetwork(openclawPath)
+  ]);
+  return results;
+}
+// src/scoring/index.ts
+function calculateScore(results) {
+  const totalPenalty = results.reduce((sum, r) => sum + r.penalty, 0);
+  return Math.max(0, Math.round(100 - totalPenalty));
+}
+function determineGrade(score, findings) {
+  const hasCritical = findings.some((f) => f.severity === "critical");
+  if (hasCritical) {
+    if (score >= 75) return "C";
+    if (score >= 60) return "C";
+    if (score >= 40) return "D";
+    return "F";
+  }
+  if (score >= 90) return "A";
+  if (score >= 75) return "B";
+  if (score >= 60) return "C";
+  if (score >= 40) return "D";
+  return "F";
+}
+function buildScanResult(results, openclawPath) {
+  const findings = results.flatMap((r) => r.findings);
+  const score = calculateScore(results);
+  const grade = determineGrade(score, findings);
+  return {
+    score,
+    grade,
+    scanners: results,
+    findings,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    openclawPath
+  };
+}
+function getExitCode(result) {
+  const hasCriticalOrHigh = result.findings.some(
+    (f) => f.severity === "critical" || f.severity === "high"
+  );
+  if (result.score < 75 || hasCriticalOrHigh) {
+    return 1;
+  }
+  return 0;
+}
+function countBySeverity(findings) {
+  return {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length
+  };
+}
+// src/output/terminal.ts
+import chalk from "chalk";
+import ora from "ora";
+import boxen from "boxen";
+// src/utils/redact.ts
+function formatFindingLocation(file, line) {
+  if (line !== void 0) {
+    return `${file}:${line}`;
+  }
+  return file;
+}
+// src/output/terminal.ts
+var CRAB = "\u{1F980}";
+var GRADE_COLORS = {
+  A: chalk.green,
+  B: chalk.greenBright,
+  C: chalk.yellow,
+  D: chalk.hex("#FFA500"),
+  F: chalk.red
+};
+var SEVERITY_COLORS = {
+  critical: chalk.bgRed.white,
+  high: chalk.red,
+  medium: chalk.yellow,
+  low: chalk.gray
+};
+var SEVERITY_ICONS = {
+  critical: "\u{1F6A8}",
+  high: "\u26A0\uFE0F",
+  medium: "\u{1F7E1}",
+  low: "\u2139\uFE0F"
+};
+function createSpinner(text) {
+  return ora({
+    text,
+    spinner: "dots"
+  });
+}
+function printHeader() {
+  console.log(
+    boxen(
+      `${CRAB} ${chalk.bold("CRABB")} ${chalk.dim("Security Scanner for OpenClaw")}`,
+      {
+        padding: { top: 0, bottom: 0, left: 1, right: 1 },
+        borderColor: "cyan",
+        borderStyle: "round"
+      }
+    )
+  );
+  console.log();
+}
+function printScore(result) {
+  const gradeColor = GRADE_COLORS[result.grade];
+  const counts = countBySeverity(result.findings);
+  const scoreDisplay = boxen(
+    [
+      `${CRAB} ${chalk.bold("CRABB SCORE")}`,
+      "",
+      `   ${gradeColor(chalk.bold(`${result.score}`))} ${chalk.dim("/ 100")}`,
+      `   Grade: ${gradeColor(chalk.bold(result.grade))}`,
+      "",
+      chalk.dim("\u2500".repeat(24)),
+      "",
+      `${SEVERITY_ICONS.critical} Critical: ${counts.critical > 0 ? chalk.red(counts.critical) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.high} High:     ${counts.high > 0 ? chalk.red(counts.high) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.medium} Medium:   ${counts.medium > 0 ? chalk.yellow(counts.medium) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.low} Low:      ${counts.low > 0 ? chalk.gray(counts.low) : chalk.dim("0")}`
+    ].join("\n"),
+    {
+      padding: 1,
+      borderColor: result.grade === "A" || result.grade === "B" ? "green" : result.grade === "C" ? "yellow" : "red",
+      borderStyle: "round"
+    }
+  );
+  console.log(scoreDisplay);
+  console.log();
+}
+function printFindings(findings) {
+  if (findings.length === 0) {
+    console.log(chalk.green(`${CRAB} No security issues found!`));
+    return;
+  }
+  const sortedFindings = [...findings].sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  console.log(chalk.bold("Findings:\n"));
+  for (const finding of sortedFindings) {
+    const severityColor = SEVERITY_COLORS[finding.severity];
+    const icon = SEVERITY_ICONS[finding.severity];
+    console.log(`${icon} ${severityColor(finding.severity.toUpperCase())} ${chalk.bold(finding.title)}`);
+    console.log(`   ${chalk.dim(finding.description)}`);
+    if (finding.file) {
+      console.log(`   ${chalk.cyan(formatFindingLocation(finding.file, finding.line))}`);
+    }
+    console.log();
+  }
+}
+function printScannerSummary(result) {
+  console.log(chalk.bold("Scanner Summary:\n"));
+  for (const scanner of result.scanners) {
+    const penaltyColor = scanner.penalty > 0 ? chalk.red : chalk.green;
+    const bar = createProgressBar(scanner.cap - scanner.penalty, scanner.cap);
+    console.log(
+      `  ${scanner.scanner.padEnd(12)} ${bar} ${penaltyColor(`-${scanner.penalty.toFixed(1)}`)} ${chalk.dim(`/ ${scanner.cap}`)}`
+    );
+  }
+  console.log();
+}
+function createProgressBar(value, max, width = 20) {
+  const percentage = Math.max(0, Math.min(1, value / max));
+  const filled = Math.round(percentage * width);
+  const empty = width - filled;
+  const color = percentage >= 0.75 ? chalk.green : percentage >= 0.5 ? chalk.yellow : chalk.red;
+  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty));
+}
+function printError(message) {
+  console.error(chalk.red(`\u2717 Error: ${message}`));
+}
+function printSuccess(message) {
+  console.log(chalk.green(`\u2713 ${message}`));
+}
+// src/output/json.ts
+function formatJsonOutput(result) {
+  return JSON.stringify(result, null, 2);
+}
+function buildSharePayload(result) {
+  const counts = countBySeverity(result.findings);
+  return {
+    score: result.score,
+    grade: result.grade,
+    scannerSummary: result.scanners.map((s) => ({
+      scanner: s.scanner,
+      findingsCount: s.findings.length,
+      penalty: s.penalty
+    })),
+    criticalCount: counts.critical,
+    highCount: counts.high,
+    mediumCount: counts.medium,
+    lowCount: counts.low,
+    timestamp: result.timestamp
+  };
+}
+// src/share/index.ts
+var SHARE_API_URL = "https://crabb.ai/api/share";
+async function shareResult(result) {
+  const payload = buildSharePayload(result);
+  const response = await fetch(SHARE_API_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to share result: ${response.status} ${response.statusText}`);
+  }
+  return response.json();
+}
+// src/cli.ts
+function printHelp() {
+  console.log(`
+\u{1F980} CRABB - Security Scanner for OpenClaw AI Agents
+Usage: crabb [options]
+Options:
+  -p, --path <dir>   Path to OpenClaw directory (default: ~/.openclaw/)
+  -j, --json         Output results as JSON
+  -s, --share        Share score card to crabb.ai
+      --no-color     Disable colored output
+  -h, --help         Show this help message
+  -v, --version      Show version number
+Examples:
+  crabb                          # Scan default OpenClaw installation
+  crabb --path ./my-openclaw     # Scan custom directory
+  crabb --json                   # Output as JSON
+  crabb --share                  # Create shareable score card
+Exit codes:
+  0 - Score >= 75, no Critical/High findings
+  1 - Score < 75 or Critical/High findings present
+  2 - Scan failed (IO error, OpenClaw not found)
+`);
+}
+function printVersion() {
+  console.log("crabb v0.1.0");
+}
+async function main() {
+  let options;
+  try {
+    const { values } = parseArgs({
+      options: {
+        path: { type: "string", short: "p" },
+        json: { type: "boolean", short: "j", default: false },
+        share: { type: "boolean", short: "s", default: false },
+        "no-color": { type: "boolean", default: false },
+        help: { type: "boolean", short: "h", default: false },
+        version: { type: "boolean", short: "v", default: false }
+      },
+      strict: true,
+      allowPositionals: false
+    });
+    if (values.help) {
+      printHelp();
+      exit(0);
+    }
+    if (values.version) {
+      printVersion();
+      exit(0);
+    }
+    options = {
+      path: values.path ?? getDefaultOpenClawPath(),
+      json: values.json ?? false,
+      share: values.share ?? false,
+      noColor: values["no-color"] ?? false
+    };
+  } catch (err) {
+    printError(`Invalid arguments: ${err instanceof Error ? err.message : String(err)}`);
+    printHelp();
+    exit(2);
+  }
+  if (options.noColor) {
+    process.env["FORCE_COLOR"] = "0";
+  }
+  if (!options.json) {
+    printHeader();
+  }
+  if (!await fileExists(options.path)) {
+    printError(`OpenClaw directory not found: ${options.path}`);
+    exit(2);
+  }
+  const spinner = options.json ? null : createSpinner("Scanning OpenClaw configuration...");
+  spinner?.start();
+  try {
+    const scannerResults = await runAllScanners({ openclawPath: options.path });
+    const result = buildScanResult(scannerResults, options.path);
+    spinner?.stop();
+    if (options.json) {
+      console.log(formatJsonOutput(result));
+    } else {
+      printScore(result);
+      printScannerSummary(result);
+      printFindings(result.findings);
+    }
+    if (options.share) {
+      const shareSpinner = options.json ? null : createSpinner("Sharing score card...");
+      shareSpinner?.start();
+      try {
+        const shareResponse = await shareResult(result);
+        shareSpinner?.stop();
+        if (options.json) {
+          console.log(JSON.stringify({ shared: shareResponse }, null, 2));
+        } else {
+          printSuccess(`Score card shared: ${shareResponse.url}`);
+          console.log(`   Delete token: ${shareResponse.deleteToken}`);
+        }
+      } catch (err) {
+        shareSpinner?.stop();
+        printError(`Failed to share: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    const exitCode = getExitCode(result);
+    exit(exitCode);
+  } catch (err) {
+    spinner?.stop();
+    printError(`Scan failed: ${err instanceof Error ? err.message : String(err)}`);
+    exit(2);
+  }
+}
+main();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/cli.ts","../src/config/paths.ts","../src/scanners/credentials.ts","../src/utils/fs.ts","../src/scanners/skills.ts","../src/scanners/permissions.ts","../src/scanners/network.ts","../src/scanners/index.ts","../src/scoring/index.ts","../src/output/terminal.ts","../src/utils/redact.ts","../src/output/json.ts","../src/share/index.ts"],"sourcesContent":["import { parseArgs } from 'node:util';\nimport { exit } from 'node:process';\nimport type { CliOptions } from './types/index.js';\nimport { getDefaultOpenClawPath } from './config/paths.js';\nimport { runAllScanners } from './scanners/index.js';\nimport { buildScanResult, getExitCode } from './scoring/index.js';\nimport {\n printHeader,\n printScore,\n printFindings,\n printScannerSummary,\n printError,\n printSuccess,\n createSpinner,\n} from './output/terminal.js';\nimport { formatJsonOutput } from './output/json.js';\nimport { shareResult } from './share/index.js';\nimport { fileExists } from './utils/fs.js';\n\nfunction parseCliArgs(): CliOptions {\n const { values } = parseArgs({\n options: {\n path: {\n type: 'string',\n short: 'p',\n },\n json: {\n type: 'boolean',\n short: 'j',\n default: false,\n },\n share: {\n type: 'boolean',\n short: 's',\n default: false,\n },\n 'no-color': {\n type: 'boolean',\n default: false,\n },\n help: {\n type: 'boolean',\n short: 'h',\n default: false,\n },\n version: {\n type: 'boolean',\n short: 'v',\n default: false,\n },\n },\n strict: true,\n allowPositionals: false,\n });\n\n return {\n path: values.path ?? getDefaultOpenClawPath(),\n json: values.json ?? false,\n share: values.share ?? false,\n noColor: values['no-color'] ?? false,\n };\n}\n\nfunction printHelp() {\n console.log(`\n\\u{1F980} CRABB - Security Scanner for OpenClaw AI Agents\n\nUsage: crabb [options]\n\nOptions:\n -p, --path <dir> Path to OpenClaw directory (default: ~/.openclaw/)\n -j, --json Output results as JSON\n -s, --share Share score card to crabb.ai\n --no-color Disable colored output\n -h, --help Show this help message\n -v, --version Show version number\n\nExamples:\n crabb # Scan default OpenClaw installation\n crabb --path ./my-openclaw # Scan custom directory\n crabb --json # Output as JSON\n crabb --share # Create shareable score card\n\nExit codes:\n 0 - Score >= 75, no Critical/High findings\n 1 - Score < 75 or Critical/High findings present\n 2 - Scan failed (IO error, OpenClaw not found)\n`);\n}\n\nfunction printVersion() {\n console.log('crabb v0.1.0');\n}\n\nasync function main() {\n let options: CliOptions;\n\n try {\n const { values } = parseArgs({\n options: {\n path: { type: 'string', short: 'p' },\n json: { type: 'boolean', short: 'j', default: false },\n share: { type: 'boolean', short: 's', default: false },\n 'no-color': { type: 'boolean', default: false },\n help: { type: 'boolean', short: 'h', default: false },\n version: { type: 'boolean', short: 'v', default: false },\n },\n strict: true,\n allowPositionals: false,\n });\n\n if (values.help) {\n printHelp();\n exit(0);\n }\n\n if (values.version) {\n printVersion();\n exit(0);\n }\n\n options = {\n path: values.path ?? getDefaultOpenClawPath(),\n json: values.json ?? false,\n share: values.share ?? false,\n noColor: values['no-color'] ?? false,\n };\n } catch (err) {\n printError(`Invalid arguments: ${err instanceof Error ? err.message : String(err)}`);\n printHelp();\n exit(2);\n }\n\n if (options.noColor) {\n process.env['FORCE_COLOR'] = '0';\n }\n\n if (!options.json) {\n printHeader();\n }\n\n if (!await fileExists(options.path)) {\n printError(`OpenClaw directory not found: ${options.path}`);\n exit(2);\n }\n\n const spinner = options.json ? null : createSpinner('Scanning OpenClaw configuration...');\n spinner?.start();\n\n try {\n const scannerResults = await runAllScanners({ openclawPath: options.path });\n const result = buildScanResult(scannerResults, options.path);\n\n spinner?.stop();\n\n if (options.json) {\n console.log(formatJsonOutput(result));\n } else {\n printScore(result);\n printScannerSummary(result);\n printFindings(result.findings);\n }\n\n if (options.share) {\n const shareSpinner = options.json ? null : createSpinner('Sharing score card...');\n shareSpinner?.start();\n\n try {\n const shareResponse = await shareResult(result);\n shareSpinner?.stop();\n\n if (options.json) {\n console.log(JSON.stringify({ shared: shareResponse }, null, 2));\n } else {\n printSuccess(`Score card shared: ${shareResponse.url}`);\n console.log(` Delete token: ${shareResponse.deleteToken}`);\n }\n } catch (err) {\n shareSpinner?.stop();\n printError(`Failed to share: ${err instanceof Error ? err.message : String(err)}`);\n }\n }\n\n const exitCode = getExitCode(result);\n exit(exitCode);\n } catch (err) {\n spinner?.stop();\n printError(`Scan failed: ${err instanceof Error ? err.message : String(err)}`);\n exit(2);\n }\n}\n\nmain();\n","import { homedir } from 'node:os';\nimport { join } from 'node:path';\n\nexport function getDefaultOpenClawPath(): string {\n return join(homedir(), '.openclaw');\n}\n\nexport function getOpenClawPaths(basePath: string) {\n return {\n root: basePath,\n config: join(basePath, 'openclaw.json'),\n credentials: join(basePath, 'credentials'),\n agents: join(basePath, 'agents'),\n skills: join(basePath, 'skills'),\n workspaceSkills: join(basePath, 'workspace', 'skills'),\n };\n}\n\nexport const SCAN_FILE_PATTERNS = {\n credentials: [\n 'openclaw.json',\n 'credentials/**/*',\n 'agents/*/agent/auth-profiles.json',\n 'agents/*/sessions/*.jsonl',\n '.env',\n '.env.*',\n ],\n skills: [\n 'skills/**/*.md',\n 'skills/**/SKILL.md',\n 'workspace/skills/**/*.md',\n ],\n} as const;\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readTextFile, walkDirectory, fileExists } from '../utils/fs.js';\n\nconst CAP = 40;\n\ninterface CredentialPattern {\n name: string;\n pattern: RegExp;\n severity: 'critical' | 'high' | 'medium';\n confidence: number;\n}\n\nconst CREDENTIAL_PATTERNS: CredentialPattern[] = [\n // Anthropic\n {\n name: 'Anthropic API Key',\n pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n // OpenAI\n {\n name: 'OpenAI API Key',\n pattern: /sk-[a-zA-Z0-9]{20,}(?!-ant)/g,\n severity: 'critical',\n confidence: 0.9,\n },\n // Discord\n {\n name: 'Discord Bot Token',\n pattern: /[MN][A-Za-z\\d]{23,}\\.[\\w-]{6}\\.[\\w-]{27,}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n // Telegram\n {\n name: 'Telegram Bot Token',\n pattern: /\\d{8,10}:[A-Za-z0-9_-]{35}/g,\n severity: 'critical',\n confidence: 0.9,\n },\n // AWS\n {\n name: 'AWS Access Key ID',\n pattern: /AKIA[0-9A-Z]{16}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n {\n name: 'AWS Secret Access Key',\n pattern: /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g,\n severity: 'high',\n confidence: 0.6,\n },\n // GitHub\n {\n name: 'GitHub Personal Access Token',\n pattern: /ghp_[a-zA-Z0-9]{36}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n {\n name: 'GitHub OAuth Token',\n pattern: /gho_[a-zA-Z0-9]{36}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n {\n name: 'GitHub Fine-grained PAT',\n pattern: /github_pat_[a-zA-Z0-9_]{22,}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n // Slack\n {\n name: 'Slack Bot Token',\n pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n {\n name: 'Slack User Token',\n pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n // Stripe\n {\n name: 'Stripe Secret Key',\n pattern: /sk_live_[0-9a-zA-Z]{24,}/g,\n severity: 'critical',\n confidence: 0.95,\n },\n {\n name: 'Stripe Test Key',\n pattern: /sk_test_[0-9a-zA-Z]{24,}/g,\n severity: 'medium',\n confidence: 0.9,\n },\n // Generic patterns\n {\n name: 'Generic API Key',\n pattern: /(?:api[_-]?key|apikey|api[_-]?token)\\s*[=:]\\s*[\"']?([a-zA-Z0-9_-]{20,})[\"']?/gi,\n severity: 'high',\n confidence: 0.7,\n },\n {\n name: 'Generic Secret',\n pattern: /(?:secret|password|passwd|pwd)\\s*[=:]\\s*[\"']?([a-zA-Z0-9_!@#$%^&*-]{8,})[\"']?/gi,\n severity: 'high',\n confidence: 0.6,\n },\n // Private Keys\n {\n name: 'Private Key',\n pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,\n severity: 'critical',\n confidence: 0.99,\n },\n];\n\nconst PLACEHOLDER_PATTERNS = [\n /^your[-_]?api[-_]?key[-_]?here$/i,\n /^xxx+$/i,\n /^placeholder$/i,\n /^example$/i,\n /^test[-_]?key$/i,\n /^\\$\\{[^}]+\\}$/,\n /^<[^>]+>$/,\n /^{{[^}]+}}$/,\n /^%[^%]+%$/,\n /^INSERT[-_]?YOUR[-_]?KEY$/i,\n /^REPLACE[-_]?ME$/i,\n /^TODO$/i,\n /^changeme$/i,\n];\n\nfunction isPlaceholder(value: string): boolean {\n return PLACEHOLDER_PATTERNS.some(pattern => pattern.test(value.trim()));\n}\n\nfunction extractValue(match: RegExpMatchArray): string {\n return match[1] ?? match[0];\n}\n\nasync function scanFile(\n filePath: string,\n relativePath: string\n): Promise<Finding[]> {\n const content = await readTextFile(filePath);\n if (!content) return [];\n\n const findings: Finding[] = [];\n const lines = content.split('\\n');\n\n for (let lineNum = 0; lineNum < lines.length; lineNum++) {\n const line = lines[lineNum]!;\n\n for (const credPattern of CREDENTIAL_PATTERNS) {\n credPattern.pattern.lastIndex = 0;\n\n let match: RegExpExecArray | null;\n while ((match = credPattern.pattern.exec(line)) !== null) {\n const value = extractValue(match);\n\n if (isPlaceholder(value)) {\n continue;\n }\n\n if (value.length < 8) {\n continue;\n }\n\n findings.push({\n scanner: 'credentials',\n severity: credPattern.severity,\n title: credPattern.name,\n description: `Detected ${credPattern.name} in configuration file`,\n file: relativePath,\n line: lineNum + 1,\n confidence: credPattern.confidence,\n });\n }\n }\n }\n\n return findings;\n}\n\nexport async function scanCredentials(openclawPath: string): Promise<ScannerResult> {\n const findings: Finding[] = [];\n\n const filesToScan = [\n { path: join(openclawPath, 'openclaw.json'), relative: 'openclaw.json' },\n { path: join(openclawPath, '.env'), relative: '.env' },\n ];\n\n const credentialsDir = join(openclawPath, 'credentials');\n if (await fileExists(credentialsDir)) {\n for await (const file of walkDirectory(credentialsDir, openclawPath)) {\n filesToScan.push({ path: file.path, relative: file.relativePath });\n }\n }\n\n const agentsDir = join(openclawPath, 'agents');\n if (await fileExists(agentsDir)) {\n for await (const file of walkDirectory(agentsDir, openclawPath)) {\n if (\n file.relativePath.includes('auth-profiles.json') ||\n file.relativePath.endsWith('.jsonl') ||\n file.relativePath.endsWith('.json')\n ) {\n filesToScan.push({ path: file.path, relative: file.relativePath });\n }\n }\n }\n\n for (const file of filesToScan) {\n if (await fileExists(file.path)) {\n const fileFindings = await scanFile(file.path, file.relative);\n findings.push(...fileFindings);\n }\n }\n\n const severityScores = {\n critical: 27.5,\n high: 17.5,\n medium: 7.5,\n low: 2.5,\n };\n\n let penalty = 0;\n for (const finding of findings) {\n penalty += severityScores[finding.severity] * finding.confidence;\n }\n\n return {\n scanner: 'credentials',\n findings,\n penalty: Math.min(penalty, CAP),\n cap: CAP,\n };\n}\n","import { readFile, readdir, stat, access } from 'node:fs/promises';\nimport { join, relative } from 'node:path';\nimport { constants } from 'node:fs';\n\nexport async function fileExists(path: string): Promise<boolean> {\n try {\n await access(path, constants.F_OK);\n return true;\n } catch {\n return false;\n }\n}\n\nexport async function readTextFile(path: string): Promise<string | null> {\n try {\n return await readFile(path, 'utf-8');\n } catch {\n return null;\n }\n}\n\nexport async function readJsonFile<T>(path: string): Promise<T | null> {\n const content = await readTextFile(path);\n if (!content) return null;\n try {\n return JSON.parse(content) as T;\n } catch {\n return null;\n }\n}\n\nexport async function getFileStats(path: string) {\n try {\n return await stat(path);\n } catch {\n return null;\n }\n}\n\nexport async function* walkDirectory(\n dir: string,\n basePath: string = dir\n): AsyncGenerator<{ path: string; relativePath: string }> {\n try {\n const entries = await readdir(dir, { withFileTypes: true });\n for (const entry of entries) {\n const fullPath = join(dir, entry.name);\n const relativePath = relative(basePath, fullPath);\n\n if (entry.isDirectory()) {\n yield* walkDirectory(fullPath, basePath);\n } else if (entry.isFile()) {\n yield { path: fullPath, relativePath };\n }\n }\n } catch {\n // Directory doesn't exist or not accessible\n }\n}\n\nexport function matchesPattern(filePath: string, pattern: string): boolean {\n // Simple glob matching\n const regexPattern = pattern\n .replace(/\\./g, '\\\\.')\n .replace(/\\*\\*/g, '{{GLOBSTAR}}')\n .replace(/\\*/g, '[^/]*')\n .replace(/\\{\\{GLOBSTAR\\}\\}/g, '.*');\n\n return new RegExp(`^${regexPattern}$`).test(filePath);\n}\n\nexport function matchesAnyPattern(filePath: string, patterns: readonly string[]): boolean {\n return patterns.some(pattern => matchesPattern(filePath, pattern));\n}\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readTextFile, walkDirectory, fileExists } from '../utils/fs.js';\n\nconst CAP = 30;\n\ninterface SkillPattern {\n name: string;\n pattern: RegExp;\n severity: 'critical' | 'high' | 'medium' | 'low';\n confidence: number;\n description: string;\n}\n\nconst SKILL_PATTERNS: SkillPattern[] = [\n // Critical: Remote code execution\n {\n name: 'Curl piped to shell',\n pattern: /curl\\s+[^|]*\\|\\s*(?:bash|sh|zsh)/gi,\n severity: 'critical',\n confidence: 0.95,\n description: 'Downloading and executing remote scripts is extremely dangerous',\n },\n {\n name: 'Wget piped to shell',\n pattern: /wget\\s+[^|]*\\|\\s*(?:bash|sh|zsh)/gi,\n severity: 'critical',\n confidence: 0.95,\n description: 'Downloading and executing remote scripts is extremely dangerous',\n },\n {\n name: 'Code execution function',\n pattern: /\\b(?:eval|Function)\\s*\\(/gi,\n severity: 'critical',\n confidence: 0.8,\n description: 'Dynamic code execution can lead to arbitrary code execution',\n },\n {\n name: 'System command execution',\n pattern: /\\b(?:os\\.system|subprocess\\.call|subprocess\\.run|child_process)\\s*\\(/gi,\n severity: 'critical',\n confidence: 0.85,\n description: 'System command execution may allow arbitrary command injection',\n },\n // Critical: Sensitive file access\n {\n name: 'SSH key access',\n pattern: /\\.ssh\\/(?:id_rsa|id_ed25519|id_dsa|authorized_keys)/gi,\n severity: 'critical',\n confidence: 0.9,\n description: 'Accessing SSH keys can compromise authentication',\n },\n {\n name: 'Password file access',\n pattern: /\\/etc\\/(?:passwd|shadow)/gi,\n severity: 'critical',\n confidence: 0.95,\n description: 'Accessing system password files is a security risk',\n },\n // High: Data exfiltration patterns\n {\n name: 'POST request with data',\n pattern: /(?:curl|wget|fetch|axios|request)\\s+.*(?:-d|--data|POST)/gi,\n severity: 'high',\n confidence: 0.7,\n description: 'Outbound data transmission may indicate exfiltration',\n },\n {\n name: 'Base64 encode and send',\n pattern: /base64.*(?:curl|wget|fetch|send|post)/gi,\n severity: 'high',\n confidence: 0.75,\n description: 'Encoding and transmitting data may indicate exfiltration',\n },\n {\n name: 'Environment variable dump',\n pattern: /\\benv\\b|\\$ENV|\\bprocess\\.env\\b|\\bos\\.environ\\b/gi,\n severity: 'high',\n confidence: 0.6,\n description: 'Environment access may expose sensitive configuration',\n },\n // Medium: File system access\n {\n name: 'Unrestricted file read',\n pattern: /(?:fs\\.readFile|open\\s*\\(|read\\s*\\().*(?:\\*|\\.\\.)/gi,\n severity: 'medium',\n confidence: 0.6,\n description: 'Broad file read patterns may access unintended files',\n },\n {\n name: 'Home directory access',\n pattern: /~\\/|\\/home\\/|\\$HOME/gi,\n severity: 'medium',\n confidence: 0.5,\n description: 'Accessing user home directory may expose sensitive data',\n },\n {\n name: 'Recursive directory operations',\n pattern: /(?:-r|--recursive|walk|glob\\*\\*)/gi,\n severity: 'medium',\n confidence: 0.4,\n description: 'Recursive operations may access more files than intended',\n },\n // Low: Suspicious but not necessarily harmful\n {\n name: 'Network connection',\n pattern: /(?:socket|connect|http|https):\\/\\//gi,\n severity: 'low',\n confidence: 0.3,\n description: 'Network connections should be reviewed for necessity',\n },\n {\n name: 'File write operation',\n pattern: /(?:fs\\.writeFile|open\\s*\\([^)]*['\"]\\s*w|>+\\s*[a-zA-Z])/gi,\n severity: 'low',\n confidence: 0.4,\n description: 'File write operations should be reviewed',\n },\n];\n\nasync function scanSkillFile(\n filePath: string,\n relativePath: string\n): Promise<Finding[]> {\n const content = await readTextFile(filePath);\n if (!content) return [];\n\n const findings: Finding[] = [];\n const lines = content.split('\\n');\n\n for (let lineNum = 0; lineNum < lines.length; lineNum++) {\n const line = lines[lineNum]!;\n\n for (const skillPattern of SKILL_PATTERNS) {\n skillPattern.pattern.lastIndex = 0;\n\n if (skillPattern.pattern.test(line)) {\n findings.push({\n scanner: 'skills',\n severity: skillPattern.severity,\n title: skillPattern.name,\n description: skillPattern.description,\n file: relativePath,\n line: lineNum + 1,\n confidence: skillPattern.confidence,\n });\n }\n }\n }\n\n return findings;\n}\n\nexport async function scanSkills(openclawPath: string): Promise<ScannerResult> {\n const findings: Finding[] = [];\n\n const skillsDirs = [\n join(openclawPath, 'skills'),\n join(openclawPath, 'workspace', 'skills'),\n ];\n\n for (const skillsDir of skillsDirs) {\n if (await fileExists(skillsDir)) {\n for await (const file of walkDirectory(skillsDir, openclawPath)) {\n if (file.relativePath.endsWith('.md')) {\n const fileFindings = await scanSkillFile(file.path, file.relativePath);\n findings.push(...fileFindings);\n }\n }\n }\n }\n\n const severityScores = {\n critical: 27.5,\n high: 17.5,\n medium: 7.5,\n low: 2.5,\n };\n\n let penalty = 0;\n for (const finding of findings) {\n penalty += severityScores[finding.severity] * finding.confidence;\n }\n\n return {\n scanner: 'skills',\n findings,\n penalty: Math.min(penalty, CAP),\n cap: CAP,\n };\n}\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readJsonFile, getFileStats, fileExists } from '../utils/fs.js';\n\nconst CAP = 20;\n\ninterface OpenClawConfig {\n sandbox?: {\n mode?: 'strict' | 'permissive' | 'disabled';\n };\n dmPolicy?: 'allow' | 'deny' | 'ask';\n allowlist?: string[];\n gateway?: {\n bind?: string;\n auth?: boolean;\n tls?: boolean;\n };\n [key: string]: unknown;\n}\n\nfunction checkSandboxMode(config: OpenClawConfig): Finding | null {\n const mode = config.sandbox?.mode;\n\n if (mode === 'disabled') {\n return {\n scanner: 'permissions',\n severity: 'critical',\n title: 'Sandbox disabled',\n description: 'Agent sandbox is completely disabled, allowing unrestricted system access',\n file: 'openclaw.json',\n confidence: 0.95,\n };\n }\n\n if (mode === 'permissive') {\n return {\n scanner: 'permissions',\n severity: 'high',\n title: 'Sandbox in permissive mode',\n description: 'Agent sandbox is in permissive mode, may allow unintended access',\n file: 'openclaw.json',\n confidence: 0.85,\n };\n }\n\n return null;\n}\n\nfunction checkDmPolicy(config: OpenClawConfig): Finding | null {\n const policy = config.dmPolicy;\n\n if (policy === 'allow') {\n return {\n scanner: 'permissions',\n severity: 'medium',\n title: 'DM policy allows all',\n description: 'Direct message policy allows all messages without filtering',\n file: 'openclaw.json',\n confidence: 0.7,\n };\n }\n\n return null;\n}\n\nfunction checkAllowlist(config: OpenClawConfig): Finding[] {\n const findings: Finding[] = [];\n const allowlist = config.allowlist ?? [];\n\n for (const entry of allowlist) {\n if (entry === '*' || entry === '**') {\n findings.push({\n scanner: 'permissions',\n severity: 'critical',\n title: 'Wildcard allowlist',\n description: 'Allowlist contains unrestricted wildcard, allowing all access',\n file: 'openclaw.json',\n confidence: 0.95,\n });\n } else if (entry.includes('*')) {\n findings.push({\n scanner: 'permissions',\n severity: 'medium',\n title: 'Broad allowlist pattern',\n description: `Allowlist pattern \"${entry}\" may be too permissive`,\n file: 'openclaw.json',\n confidence: 0.6,\n });\n }\n }\n\n return findings;\n}\n\nfunction checkGateway(config: OpenClawConfig): Finding[] {\n const findings: Finding[] = [];\n const gateway = config.gateway;\n\n if (!gateway) return findings;\n\n if (gateway.bind === '0.0.0.0' || gateway.bind === '::') {\n findings.push({\n scanner: 'permissions',\n severity: 'high',\n title: 'Gateway binds to all interfaces',\n description: 'Gateway is exposed on all network interfaces, should bind to localhost',\n file: 'openclaw.json',\n confidence: 0.9,\n });\n }\n\n if (gateway.auth === false) {\n findings.push({\n scanner: 'permissions',\n severity: 'high',\n title: 'Gateway authentication disabled',\n description: 'Gateway has authentication disabled, allowing unauthenticated access',\n file: 'openclaw.json',\n confidence: 0.9,\n });\n }\n\n if (gateway.tls === false && gateway.bind !== 'localhost' && gateway.bind !== '127.0.0.1') {\n findings.push({\n scanner: 'permissions',\n severity: 'medium',\n title: 'Gateway TLS disabled',\n description: 'Gateway TLS is disabled for non-localhost connections',\n file: 'openclaw.json',\n confidence: 0.75,\n });\n }\n\n return findings;\n}\n\nasync function checkFilePermissions(openclawPath: string): Promise<Finding[]> {\n const findings: Finding[] = [];\n\n const rootStats = await getFileStats(openclawPath);\n if (rootStats) {\n const mode = rootStats.mode & 0o777;\n if ((mode & 0o077) !== 0) {\n findings.push({\n scanner: 'permissions',\n severity: 'medium',\n title: 'OpenClaw directory too permissive',\n description: `Directory permissions ${mode.toString(8)} allow group/other access, recommend 700`,\n file: openclawPath,\n confidence: 0.8,\n });\n }\n }\n\n const credentialsDir = join(openclawPath, 'credentials');\n if (await fileExists(credentialsDir)) {\n const credStats = await getFileStats(credentialsDir);\n if (credStats) {\n const mode = credStats.mode & 0o777;\n if ((mode & 0o077) !== 0) {\n findings.push({\n scanner: 'permissions',\n severity: 'high',\n title: 'Credentials directory too permissive',\n description: `Credentials permissions ${mode.toString(8)} allow group/other access, recommend 700`,\n file: 'credentials/',\n confidence: 0.9,\n });\n }\n }\n }\n\n return findings;\n}\n\nexport async function scanPermissions(openclawPath: string): Promise<ScannerResult> {\n const findings: Finding[] = [];\n\n const configPath = join(openclawPath, 'openclaw.json');\n const config = await readJsonFile<OpenClawConfig>(configPath);\n\n if (config) {\n const sandboxFinding = checkSandboxMode(config);\n if (sandboxFinding) findings.push(sandboxFinding);\n\n const dmFinding = checkDmPolicy(config);\n if (dmFinding) findings.push(dmFinding);\n\n findings.push(...checkAllowlist(config));\n findings.push(...checkGateway(config));\n }\n\n findings.push(...await checkFilePermissions(openclawPath));\n\n const severityScores = {\n critical: 27.5,\n high: 17.5,\n medium: 7.5,\n low: 2.5,\n };\n\n let penalty = 0;\n for (const finding of findings) {\n penalty += severityScores[finding.severity] * finding.confidence;\n }\n\n return {\n scanner: 'permissions',\n findings,\n penalty: Math.min(penalty, CAP),\n cap: CAP,\n };\n}\n","import { join } from 'node:path';\nimport { createConnection } from 'node:net';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readJsonFile } from '../utils/fs.js';\n\nconst CAP = 10;\n\ninterface GatewayConfig {\n bind?: string;\n port?: number;\n auth?: boolean;\n tls?: boolean;\n}\n\ninterface OpenClawConfig {\n gateway?: GatewayConfig;\n [key: string]: unknown;\n}\n\nconst DEFAULT_PORTS = [18789, 8080, 3000];\nconst PORT_SCAN_TIMEOUT = 1000;\n\nasync function checkPortOpen(port: number, host: string = 'localhost'): Promise<boolean> {\n return new Promise((resolve) => {\n const socket = createConnection({ port, host, timeout: PORT_SCAN_TIMEOUT });\n\n socket.on('connect', () => {\n socket.destroy();\n resolve(true);\n });\n\n socket.on('timeout', () => {\n socket.destroy();\n resolve(false);\n });\n\n socket.on('error', () => {\n socket.destroy();\n resolve(false);\n });\n });\n}\n\nasync function scanOpenPorts(): Promise<Finding[]> {\n const findings: Finding[] = [];\n\n for (const port of DEFAULT_PORTS) {\n const isOpen = await checkPortOpen(port);\n if (isOpen) {\n findings.push({\n scanner: 'network',\n severity: 'low',\n title: `Port ${port} is open`,\n description: `Localhost port ${port} is listening, verify if this is expected`,\n confidence: 0.5,\n });\n }\n }\n\n return findings;\n}\n\nfunction analyzeGatewayConfig(config: OpenClawConfig): Finding[] {\n const findings: Finding[] = [];\n const gateway = config.gateway;\n\n if (!gateway) return findings;\n\n const bind = gateway.bind ?? 'localhost';\n const isExposed = bind === '0.0.0.0' || bind === '::';\n\n if (isExposed) {\n if (!gateway.tls) {\n findings.push({\n scanner: 'network',\n severity: 'high',\n title: 'Exposed gateway without TLS',\n description: 'Gateway is exposed to network without TLS encryption',\n file: 'openclaw.json',\n confidence: 0.9,\n });\n }\n\n if (!gateway.auth) {\n findings.push({\n scanner: 'network',\n severity: 'critical',\n title: 'Exposed gateway without authentication',\n description: 'Gateway is exposed to network without authentication',\n file: 'openclaw.json',\n confidence: 0.95,\n });\n }\n }\n\n const port = gateway.port ?? 18789;\n if (port < 1024 && port !== 443 && port !== 80) {\n findings.push({\n scanner: 'network',\n severity: 'medium',\n title: 'Non-standard privileged port',\n description: `Gateway uses privileged port ${port}, requires elevated permissions`,\n file: 'openclaw.json',\n confidence: 0.7,\n });\n }\n\n return findings;\n}\n\nexport async function scanNetwork(openclawPath: string): Promise<ScannerResult> {\n const findings: Finding[] = [];\n\n const configPath = join(openclawPath, 'openclaw.json');\n const config = await readJsonFile<OpenClawConfig>(configPath);\n\n if (config) {\n findings.push(...analyzeGatewayConfig(config));\n }\n\n findings.push(...await scanOpenPorts());\n\n const severityScores = {\n critical: 27.5,\n high: 17.5,\n medium: 7.5,\n low: 2.5,\n };\n\n let penalty = 0;\n for (const finding of findings) {\n penalty += severityScores[finding.severity] * finding.confidence;\n }\n\n return {\n scanner: 'network',\n findings,\n penalty: Math.min(penalty, CAP),\n cap: CAP,\n };\n}\n","import type { ScannerResult, Finding } from '../types/index.js';\nimport { scanCredentials } from './credentials.js';\nimport { scanSkills } from './skills.js';\nimport { scanPermissions } from './permissions.js';\nimport { scanNetwork } from './network.js';\n\nexport interface ScanOptions {\n openclawPath: string;\n}\n\nexport async function runAllScanners(options: ScanOptions): Promise<ScannerResult[]> {\n const { openclawPath } = options;\n\n const results = await Promise.all([\n scanCredentials(openclawPath),\n scanSkills(openclawPath),\n scanPermissions(openclawPath),\n scanNetwork(openclawPath),\n ]);\n\n return results;\n}\n\nexport function getAllFindings(results: ScannerResult[]): Finding[] {\n return results.flatMap(r => r.findings);\n}\n\nexport function getTotalPenalty(results: ScannerResult[]): number {\n return results.reduce((sum, r) => sum + r.penalty, 0);\n}\n\nexport { scanCredentials, scanSkills, scanPermissions, scanNetwork };\n","import type { ScannerResult, Finding, Grade, ScanResult } from '../types/index.js';\n\nexport function calculateScore(results: ScannerResult[]): number {\n const totalPenalty = results.reduce((sum, r) => sum + r.penalty, 0);\n return Math.max(0, Math.round(100 - totalPenalty));\n}\n\nexport function determineGrade(score: number, findings: Finding[]): Grade {\n const hasCritical = findings.some(f => f.severity === 'critical');\n\n if (hasCritical) {\n if (score >= 75) return 'C';\n if (score >= 60) return 'C';\n if (score >= 40) return 'D';\n return 'F';\n }\n\n if (score >= 90) return 'A';\n if (score >= 75) return 'B';\n if (score >= 60) return 'C';\n if (score >= 40) return 'D';\n return 'F';\n}\n\nexport function buildScanResult(\n results: ScannerResult[],\n openclawPath: string\n): ScanResult {\n const findings = results.flatMap(r => r.findings);\n const score = calculateScore(results);\n const grade = determineGrade(score, findings);\n\n return {\n score,\n grade,\n scanners: results,\n findings,\n timestamp: new Date().toISOString(),\n openclawPath,\n };\n}\n\nexport function getExitCode(result: ScanResult): number {\n const hasCriticalOrHigh = result.findings.some(\n f => f.severity === 'critical' || f.severity === 'high'\n );\n\n if (result.score < 75 || hasCriticalOrHigh) {\n return 1;\n }\n\n return 0;\n}\n\nexport function countBySeverity(findings: Finding[]) {\n return {\n critical: findings.filter(f => f.severity === 'critical').length,\n high: findings.filter(f => f.severity === 'high').length,\n medium: findings.filter(f => f.severity === 'medium').length,\n low: findings.filter(f => f.severity === 'low').length,\n };\n}\n","import chalk from 'chalk';\nimport ora from 'ora';\nimport boxen from 'boxen';\nimport type { ScanResult, Finding, Grade } from '../types/index.js';\nimport { countBySeverity } from '../scoring/index.js';\nimport { formatFindingLocation } from '../utils/redact.js';\n\nconst CRAB = '\\u{1F980}';\n\nconst GRADE_COLORS: Record<Grade, (text: string) => string> = {\n A: chalk.green,\n B: chalk.greenBright,\n C: chalk.yellow,\n D: chalk.hex('#FFA500'),\n F: chalk.red,\n};\n\nconst SEVERITY_COLORS = {\n critical: chalk.bgRed.white,\n high: chalk.red,\n medium: chalk.yellow,\n low: chalk.gray,\n};\n\nconst SEVERITY_ICONS = {\n critical: '\\u{1F6A8}',\n high: '\\u26A0\\uFE0F',\n medium: '\\u{1F7E1}',\n low: '\\u2139\\uFE0F',\n};\n\nexport function createSpinner(text: string) {\n return ora({\n text,\n spinner: 'dots',\n });\n}\n\nexport function printHeader() {\n console.log(\n boxen(\n `${CRAB} ${chalk.bold('CRABB')} ${chalk.dim('Security Scanner for OpenClaw')}`,\n {\n padding: { top: 0, bottom: 0, left: 1, right: 1 },\n borderColor: 'cyan',\n borderStyle: 'round',\n }\n )\n );\n console.log();\n}\n\nexport function printScore(result: ScanResult) {\n const gradeColor = GRADE_COLORS[result.grade];\n const counts = countBySeverity(result.findings);\n\n const scoreDisplay = boxen(\n [\n `${CRAB} ${chalk.bold('CRABB SCORE')}`,\n '',\n ` ${gradeColor(chalk.bold(`${result.score}`))} ${chalk.dim('/ 100')}`,\n ` Grade: ${gradeColor(chalk.bold(result.grade))}`,\n '',\n chalk.dim('─'.repeat(24)),\n '',\n `${SEVERITY_ICONS.critical} Critical: ${counts.critical > 0 ? chalk.red(counts.critical) : chalk.dim('0')}`,\n `${SEVERITY_ICONS.high} High: ${counts.high > 0 ? chalk.red(counts.high) : chalk.dim('0')}`,\n `${SEVERITY_ICONS.medium} Medium: ${counts.medium > 0 ? chalk.yellow(counts.medium) : chalk.dim('0')}`,\n `${SEVERITY_ICONS.low} Low: ${counts.low > 0 ? chalk.gray(counts.low) : chalk.dim('0')}`,\n ].join('\\n'),\n {\n padding: 1,\n borderColor: result.grade === 'A' || result.grade === 'B' ? 'green' : result.grade === 'C' ? 'yellow' : 'red',\n borderStyle: 'round',\n }\n );\n\n console.log(scoreDisplay);\n console.log();\n}\n\nexport function printFindings(findings: Finding[]) {\n if (findings.length === 0) {\n console.log(chalk.green(`${CRAB} No security issues found!`));\n return;\n }\n\n const sortedFindings = [...findings].sort((a, b) => {\n const order = { critical: 0, high: 1, medium: 2, low: 3 };\n return order[a.severity] - order[b.severity];\n });\n\n console.log(chalk.bold('Findings:\\n'));\n\n for (const finding of sortedFindings) {\n const severityColor = SEVERITY_COLORS[finding.severity];\n const icon = SEVERITY_ICONS[finding.severity];\n\n console.log(`${icon} ${severityColor(finding.severity.toUpperCase())} ${chalk.bold(finding.title)}`);\n console.log(` ${chalk.dim(finding.description)}`);\n if (finding.file) {\n console.log(` ${chalk.cyan(formatFindingLocation(finding.file, finding.line))}`);\n }\n console.log();\n }\n}\n\nexport function printScannerSummary(result: ScanResult) {\n console.log(chalk.bold('Scanner Summary:\\n'));\n\n for (const scanner of result.scanners) {\n const penaltyColor = scanner.penalty > 0 ? chalk.red : chalk.green;\n const bar = createProgressBar(scanner.cap - scanner.penalty, scanner.cap);\n\n console.log(\n ` ${scanner.scanner.padEnd(12)} ${bar} ${penaltyColor(`-${scanner.penalty.toFixed(1)}`)} ${chalk.dim(`/ ${scanner.cap}`)}`\n );\n }\n\n console.log();\n}\n\nfunction createProgressBar(value: number, max: number, width: number = 20): string {\n const percentage = Math.max(0, Math.min(1, value / max));\n const filled = Math.round(percentage * width);\n const empty = width - filled;\n\n const color = percentage >= 0.75 ? chalk.green : percentage >= 0.5 ? chalk.yellow : chalk.red;\n\n return color('\\u2588'.repeat(filled)) + chalk.dim('\\u2591'.repeat(empty));\n}\n\nexport function printError(message: string) {\n console.error(chalk.red(`\\u2717 Error: ${message}`));\n}\n\nexport function printSuccess(message: string) {\n console.log(chalk.green(`\\u2713 ${message}`));\n}\n","/**\n * Redaction utilities - NEVER output real secrets\n */\n\nconst REDACT_PATTERNS = [\n // API Keys with known prefixes\n /sk-[a-zA-Z0-9]{20,}/g,\n /sk-ant-[a-zA-Z0-9-]{20,}/g,\n /xoxb-[a-zA-Z0-9-]+/g,\n /xoxp-[a-zA-Z0-9-]+/g,\n /ghp_[a-zA-Z0-9]{36}/g,\n /gho_[a-zA-Z0-9]{36}/g,\n /github_pat_[a-zA-Z0-9_]{22,}/g,\n\n // Generic secrets\n /[a-zA-Z0-9_-]{32,}/g,\n];\n\nexport function redactValue(value: string): string {\n if (value.length <= 8) {\n return '*'.repeat(value.length);\n }\n\n const visibleStart = 4;\n const visibleEnd = 4;\n const redactedLength = value.length - visibleStart - visibleEnd;\n\n return `${value.slice(0, visibleStart)}${'*'.repeat(Math.max(4, redactedLength))}${value.slice(-visibleEnd)}`;\n}\n\nexport function redactLine(line: string): string {\n let result = line;\n\n for (const pattern of REDACT_PATTERNS) {\n result = result.replace(pattern, (match) => redactValue(match));\n }\n\n return result;\n}\n\nexport function formatFindingLocation(file: string, line?: number): string {\n if (line !== undefined) {\n return `${file}:${line}`;\n }\n return file;\n}\n","import type { ScanResult, SharePayload } from '../types/index.js';\nimport { countBySeverity } from '../scoring/index.js';\n\nexport function formatJsonOutput(result: ScanResult): string {\n return JSON.stringify(result, null, 2);\n}\n\nexport function buildSharePayload(result: ScanResult): SharePayload {\n const counts = countBySeverity(result.findings);\n\n return {\n score: result.score,\n grade: result.grade,\n scannerSummary: result.scanners.map(s => ({\n scanner: s.scanner,\n findingsCount: s.findings.length,\n penalty: s.penalty,\n })),\n criticalCount: counts.critical,\n highCount: counts.high,\n mediumCount: counts.medium,\n lowCount: counts.low,\n timestamp: result.timestamp,\n };\n}\n","import type { ScanResult, ShareResponse } from '../types/index.js';\nimport { buildSharePayload } from '../output/json.js';\n\nconst SHARE_API_URL = 'https://crabb.ai/api/share';\n\nexport async function shareResult(result: ScanResult): Promise<ShareResponse> {\n const payload = buildSharePayload(result);\n\n const response = await fetch(SHARE_API_URL, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(payload),\n });\n\n if (!response.ok) {\n throw new Error(`Failed to share result: ${response.status} ${response.statusText}`);\n }\n\n return response.json() as Promise<ShareResponse>;\n}\n\nexport async function shareResultMock(result: ScanResult): Promise<ShareResponse> {\n const payload = buildSharePayload(result);\n\n const mockId = `mock-${Date.now().toString(36)}`;\n\n return {\n id: mockId,\n url: `https://crabb.ai/score/${mockId}`,\n deleteToken: `delete-${mockId}`,\n };\n}\n"],"mappings":";;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,YAAY;;;ACDrB,SAAS,eAAe;AACxB,SAAS,YAAY;AAEd,SAAS,yBAAiC;AAC/C,SAAO,KAAK,QAAQ,GAAG,WAAW;AACpC;;;ACLA,SAAS,QAAAA,aAAY;;;ACArB,SAAS,UAAU,SAAS,MAAM,cAAc;AAChD,SAAS,QAAAC,OAAM,gBAAgB;AAC/B,SAAS,iBAAiB;AAE1B,eAAsB,WAAW,MAAgC;AAC/D,MAAI;AACF,UAAM,OAAO,MAAM,UAAU,IAAI;AACjC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAa,MAAsC;AACvE,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,OAAO;AAAA,EACrC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAgB,MAAiC;AACrE,QAAM,UAAU,MAAM,aAAa,IAAI;AACvC,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI;AACF,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAa,MAAc;AAC/C,MAAI;AACF,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,gBAAuB,cACrB,KACA,WAAmB,KACqC;AACxD,MAAI;AACF,UAAM,UAAU,MAAM,QAAQ,KAAK,EAAE,eAAe,KAAK,CAAC;AAC1D,eAAW,SAAS,SAAS;AAC3B,YAAM,WAAWA,MAAK,KAAK,MAAM,IAAI;AACrC,YAAM,eAAe,SAAS,UAAU,QAAQ;AAEhD,UAAI,MAAM,YAAY,GAAG;AACvB,eAAO,cAAc,UAAU,QAAQ;AAAA,MACzC,WAAW,MAAM,OAAO,GAAG;AACzB,cAAM,EAAE,MAAM,UAAU,aAAa;AAAA,MACvC;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AACF;;;ADtDA,IAAM,MAAM;AASZ,IAAM,sBAA2C;AAAA;AAAA,EAE/C;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AACF;AAEA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,cAAc,OAAwB;AAC7C,SAAO,qBAAqB,KAAK,aAAW,QAAQ,KAAK,MAAM,KAAK,CAAC,CAAC;AACxE;AAEA,SAAS,aAAa,OAAiC;AACrD,SAAO,MAAM,CAAC,KAAK,MAAM,CAAC;AAC5B;AAEA,eAAe,SACb,UACA,cACoB;AACpB,QAAM,UAAU,MAAM,aAAa,QAAQ;AAC3C,MAAI,CAAC,QAAS,QAAO,CAAC;AAEtB,QAAM,WAAsB,CAAC;AAC7B,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAEhC,WAAS,UAAU,GAAG,UAAU,MAAM,QAAQ,WAAW;AACvD,UAAM,OAAO,MAAM,OAAO;AAE1B,eAAW,eAAe,qBAAqB;AAC7C,kBAAY,QAAQ,YAAY;AAEhC,UAAI;AACJ,cAAQ,QAAQ,YAAY,QAAQ,KAAK,IAAI,OAAO,MAAM;AACxD,cAAM,QAAQ,aAAa,KAAK;AAEhC,YAAI,cAAc,KAAK,GAAG;AACxB;AAAA,QACF;AAEA,YAAI,MAAM,SAAS,GAAG;AACpB;AAAA,QACF;AAEA,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU,YAAY;AAAA,UACtB,OAAO,YAAY;AAAA,UACnB,aAAa,YAAY,YAAY,IAAI;AAAA,UACzC,MAAM;AAAA,UACN,MAAM,UAAU;AAAA,UAChB,YAAY,YAAY;AAAA,QAC1B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,gBAAgB,cAA8C;AAClF,QAAM,WAAsB,CAAC;AAE7B,QAAM,cAAc;AAAA,IAClB,EAAE,MAAMC,MAAK,cAAc,eAAe,GAAG,UAAU,gBAAgB;AAAA,IACvE,EAAE,MAAMA,MAAK,cAAc,MAAM,GAAG,UAAU,OAAO;AAAA,EACvD;AAEA,QAAM,iBAAiBA,MAAK,cAAc,aAAa;AACvD,MAAI,MAAM,WAAW,cAAc,GAAG;AACpC,qBAAiB,QAAQ,cAAc,gBAAgB,YAAY,GAAG;AACpE,kBAAY,KAAK,EAAE,MAAM,KAAK,MAAM,UAAU,KAAK,aAAa,CAAC;AAAA,IACnE;AAAA,EACF;AAEA,QAAM,YAAYA,MAAK,cAAc,QAAQ;AAC7C,MAAI,MAAM,WAAW,SAAS,GAAG;AAC/B,qBAAiB,QAAQ,cAAc,WAAW,YAAY,GAAG;AAC/D,UACE,KAAK,aAAa,SAAS,oBAAoB,KAC/C,KAAK,aAAa,SAAS,QAAQ,KACnC,KAAK,aAAa,SAAS,OAAO,GAClC;AACA,oBAAY,KAAK,EAAE,MAAM,KAAK,MAAM,UAAU,KAAK,aAAa,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AAEA,aAAW,QAAQ,aAAa;AAC9B,QAAI,MAAM,WAAW,KAAK,IAAI,GAAG;AAC/B,YAAM,eAAe,MAAM,SAAS,KAAK,MAAM,KAAK,QAAQ;AAC5D,eAAS,KAAK,GAAG,YAAY;AAAA,IAC/B;AAAA,EACF;AAEA,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAAS,GAAG;AAAA,IAC9B,KAAK;AAAA,EACP;AACF;;;AEnPA,SAAS,QAAAC,aAAY;AAIrB,IAAMC,OAAM;AAUZ,IAAM,iBAAiC;AAAA;AAAA,EAErC;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AACF;AAEA,eAAe,cACb,UACA,cACoB;AACpB,QAAM,UAAU,MAAM,aAAa,QAAQ;AAC3C,MAAI,CAAC,QAAS,QAAO,CAAC;AAEtB,QAAM,WAAsB,CAAC;AAC7B,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAEhC,WAAS,UAAU,GAAG,UAAU,MAAM,QAAQ,WAAW;AACvD,UAAM,OAAO,MAAM,OAAO;AAE1B,eAAW,gBAAgB,gBAAgB;AACzC,mBAAa,QAAQ,YAAY;AAEjC,UAAI,aAAa,QAAQ,KAAK,IAAI,GAAG;AACnC,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU,aAAa;AAAA,UACvB,OAAO,aAAa;AAAA,UACpB,aAAa,aAAa;AAAA,UAC1B,MAAM;AAAA,UACN,MAAM,UAAU;AAAA,UAChB,YAAY,aAAa;AAAA,QAC3B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,WAAW,cAA8C;AAC7E,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAa;AAAA,IACjBC,MAAK,cAAc,QAAQ;AAAA,IAC3BA,MAAK,cAAc,aAAa,QAAQ;AAAA,EAC1C;AAEA,aAAW,aAAa,YAAY;AAClC,QAAI,MAAM,WAAW,SAAS,GAAG;AAC/B,uBAAiB,QAAQ,cAAc,WAAW,YAAY,GAAG;AAC/D,YAAI,KAAK,aAAa,SAAS,KAAK,GAAG;AACrC,gBAAM,eAAe,MAAM,cAAc,KAAK,MAAM,KAAK,YAAY;AACrE,mBAAS,KAAK,GAAG,YAAY;AAAA,QAC/B;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;AC9LA,SAAS,QAAAE,aAAY;AAIrB,IAAMC,OAAM;AAgBZ,SAAS,iBAAiB,QAAwC;AAChE,QAAM,OAAO,OAAO,SAAS;AAE7B,MAAI,SAAS,YAAY;AACvB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,MAAI,SAAS,cAAc;AACzB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,QAAwC;AAC7D,QAAM,SAAS,OAAO;AAEtB,MAAI,WAAW,SAAS;AACtB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,QAAmC;AACzD,QAAM,WAAsB,CAAC;AAC7B,QAAM,YAAY,OAAO,aAAa,CAAC;AAEvC,aAAW,SAAS,WAAW;AAC7B,QAAI,UAAU,OAAO,UAAU,MAAM;AACnC,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH,WAAW,MAAM,SAAS,GAAG,GAAG;AAC9B,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,sBAAsB,KAAK;AAAA,QACxC,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,QAAmC;AACvD,QAAM,WAAsB,CAAC;AAC7B,QAAM,UAAU,OAAO;AAEvB,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI,QAAQ,SAAS,aAAa,QAAQ,SAAS,MAAM;AACvD,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,SAAS,OAAO;AAC1B,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,QAAQ,SAAS,QAAQ,SAAS,eAAe,QAAQ,SAAS,aAAa;AACzF,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,qBAAqB,cAA0C;AAC5E,QAAM,WAAsB,CAAC;AAE7B,QAAM,YAAY,MAAM,aAAa,YAAY;AACjD,MAAI,WAAW;AACb,UAAM,OAAO,UAAU,OAAO;AAC9B,SAAK,OAAO,QAAW,GAAG;AACxB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,yBAAyB,KAAK,SAAS,CAAC,CAAC;AAAA,QACtD,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,iBAAiBC,MAAK,cAAc,aAAa;AACvD,MAAI,MAAM,WAAW,cAAc,GAAG;AACpC,UAAM,YAAY,MAAM,aAAa,cAAc;AACnD,QAAI,WAAW;AACb,YAAM,OAAO,UAAU,OAAO;AAC9B,WAAK,OAAO,QAAW,GAAG;AACxB,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU;AAAA,UACV,OAAO;AAAA,UACP,aAAa,2BAA2B,KAAK,SAAS,CAAC,CAAC;AAAA,UACxD,MAAM;AAAA,UACN,YAAY;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,gBAAgB,cAA8C;AAClF,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAaA,MAAK,cAAc,eAAe;AACrD,QAAM,SAAS,MAAM,aAA6B,UAAU;AAE5D,MAAI,QAAQ;AACV,UAAM,iBAAiB,iBAAiB,MAAM;AAC9C,QAAI,eAAgB,UAAS,KAAK,cAAc;AAEhD,UAAM,YAAY,cAAc,MAAM;AACtC,QAAI,UAAW,UAAS,KAAK,SAAS;AAEtC,aAAS,KAAK,GAAG,eAAe,MAAM,CAAC;AACvC,aAAS,KAAK,GAAG,aAAa,MAAM,CAAC;AAAA,EACvC;AAEA,WAAS,KAAK,GAAG,MAAM,qBAAqB,YAAY,CAAC;AAEzD,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;ACpNA,SAAS,QAAAE,aAAY;AACrB,SAAS,wBAAwB;AAIjC,IAAMC,OAAM;AAcZ,IAAM,gBAAgB,CAAC,OAAO,MAAM,GAAI;AACxC,IAAM,oBAAoB;AAE1B,eAAe,cAAc,MAAc,OAAe,aAA+B;AACvF,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,UAAM,SAAS,iBAAiB,EAAE,MAAM,MAAM,SAAS,kBAAkB,CAAC;AAE1E,WAAO,GAAG,WAAW,MAAM;AACzB,aAAO,QAAQ;AACf,cAAQ,IAAI;AAAA,IACd,CAAC;AAED,WAAO,GAAG,WAAW,MAAM;AACzB,aAAO,QAAQ;AACf,cAAQ,KAAK;AAAA,IACf,CAAC;AAED,WAAO,GAAG,SAAS,MAAM;AACvB,aAAO,QAAQ;AACf,cAAQ,KAAK;AAAA,IACf,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAe,gBAAoC;AACjD,QAAM,WAAsB,CAAC;AAE7B,aAAW,QAAQ,eAAe;AAChC,UAAM,SAAS,MAAM,cAAc,IAAI;AACvC,QAAI,QAAQ;AACV,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO,QAAQ,IAAI;AAAA,QACnB,aAAa,kBAAkB,IAAI;AAAA,QACnC,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,qBAAqB,QAAmC;AAC/D,QAAM,WAAsB,CAAC;AAC7B,QAAM,UAAU,OAAO;AAEvB,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,OAAO,QAAQ,QAAQ;AAC7B,QAAM,YAAY,SAAS,aAAa,SAAS;AAEjD,MAAI,WAAW;AACb,QAAI,CAAC,QAAQ,KAAK;AAChB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,MAAM;AACjB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,OAAO,QAAQ,QAAQ;AAC7B,MAAI,OAAO,QAAQ,SAAS,OAAO,SAAS,IAAI;AAC9C,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa,gCAAgC,IAAI;AAAA,MACjD,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAsB,YAAY,cAA8C;AAC9E,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAaC,MAAK,cAAc,eAAe;AACrD,QAAM,SAAS,MAAM,aAA6B,UAAU;AAE5D,MAAI,QAAQ;AACV,aAAS,KAAK,GAAG,qBAAqB,MAAM,CAAC;AAAA,EAC/C;AAEA,WAAS,KAAK,GAAG,MAAM,cAAc,CAAC;AAEtC,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;AClIA,eAAsB,eAAe,SAAgD;AACnF,QAAM,EAAE,aAAa,IAAI;AAEzB,QAAM,UAAU,MAAM,QAAQ,IAAI;AAAA,IAChC,gBAAgB,YAAY;AAAA,IAC5B,WAAW,YAAY;AAAA,IACvB,gBAAgB,YAAY;AAAA,IAC5B,YAAY,YAAY;AAAA,EAC1B,CAAC;AAED,SAAO;AACT;;;ACnBO,SAAS,eAAe,SAAkC;AAC/D,QAAM,eAAe,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,SAAS,CAAC;AAClE,SAAO,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY,CAAC;AACnD;AAEO,SAAS,eAAe,OAAe,UAA4B;AACxE,QAAM,cAAc,SAAS,KAAK,OAAK,EAAE,aAAa,UAAU;AAEhE,MAAI,aAAa;AACf,QAAI,SAAS,GAAI,QAAO;AACxB,QAAI,SAAS,GAAI,QAAO;AACxB,QAAI,SAAS,GAAI,QAAO;AACxB,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAEO,SAAS,gBACd,SACA,cACY;AACZ,QAAM,WAAW,QAAQ,QAAQ,OAAK,EAAE,QAAQ;AAChD,QAAM,QAAQ,eAAe,OAAO;AACpC,QAAM,QAAQ,eAAe,OAAO,QAAQ;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,EACF;AACF;AAEO,SAAS,YAAY,QAA4B;AACtD,QAAM,oBAAoB,OAAO,SAAS;AAAA,IACxC,OAAK,EAAE,aAAa,cAAc,EAAE,aAAa;AAAA,EACnD;AAEA,MAAI,OAAO,QAAQ,MAAM,mBAAmB;AAC1C,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,gBAAgB,UAAqB;AACnD,SAAO;AAAA,IACL,UAAU,SAAS,OAAO,OAAK,EAAE,aAAa,UAAU,EAAE;AAAA,IAC1D,MAAM,SAAS,OAAO,OAAK,EAAE,aAAa,MAAM,EAAE;AAAA,IAClD,QAAQ,SAAS,OAAO,OAAK,EAAE,aAAa,QAAQ,EAAE;AAAA,IACtD,KAAK,SAAS,OAAO,OAAK,EAAE,aAAa,KAAK,EAAE;AAAA,EAClD;AACF;;;AC7DA,OAAO,WAAW;AAClB,OAAO,SAAS;AAChB,OAAO,WAAW;;;ACsCX,SAAS,sBAAsB,MAAc,MAAuB;AACzE,MAAI,SAAS,QAAW;AACtB,WAAO,GAAG,IAAI,IAAI,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADtCA,IAAM,OAAO;AAEb,IAAM,eAAwD;AAAA,EAC5D,GAAG,MAAM;AAAA,EACT,GAAG,MAAM;AAAA,EACT,GAAG,MAAM;AAAA,EACT,GAAG,MAAM,IAAI,SAAS;AAAA,EACtB,GAAG,MAAM;AACX;AAEA,IAAM,kBAAkB;AAAA,EACtB,UAAU,MAAM,MAAM;AAAA,EACtB,MAAM,MAAM;AAAA,EACZ,QAAQ,MAAM;AAAA,EACd,KAAK,MAAM;AACb;AAEA,IAAM,iBAAiB;AAAA,EACrB,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,cAAc,MAAc;AAC1C,SAAO,IAAI;AAAA,IACT;AAAA,IACA,SAAS;AAAA,EACX,CAAC;AACH;AAEO,SAAS,cAAc;AAC5B,UAAQ;AAAA,IACN;AAAA,MACE,GAAG,IAAI,IAAI,MAAM,KAAK,OAAO,CAAC,IAAI,MAAM,IAAI,+BAA+B,CAAC;AAAA,MAC5E;AAAA,QACE,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,EAAE;AAAA,QAChD,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACA,UAAQ,IAAI;AACd;AAEO,SAAS,WAAW,QAAoB;AAC7C,QAAM,aAAa,aAAa,OAAO,KAAK;AAC5C,QAAM,SAAS,gBAAgB,OAAO,QAAQ;AAE9C,QAAM,eAAe;AAAA,IACnB;AAAA,MACE,GAAG,IAAI,IAAI,MAAM,KAAK,aAAa,CAAC;AAAA,MACpC;AAAA,MACA,MAAM,WAAW,MAAM,KAAK,GAAG,OAAO,KAAK,EAAE,CAAC,CAAC,IAAI,MAAM,IAAI,OAAO,CAAC;AAAA,MACrE,aAAa,WAAW,MAAM,KAAK,OAAO,KAAK,CAAC,CAAC;AAAA,MACjD;AAAA,MACA,MAAM,IAAI,SAAI,OAAO,EAAE,CAAC;AAAA,MACxB;AAAA,MACA,GAAG,eAAe,QAAQ,cAAc,OAAO,WAAW,IAAI,MAAM,IAAI,OAAO,QAAQ,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MACzG,GAAG,eAAe,IAAI,cAAc,OAAO,OAAO,IAAI,MAAM,IAAI,OAAO,IAAI,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MAC7F,GAAG,eAAe,MAAM,cAAc,OAAO,SAAS,IAAI,MAAM,OAAO,OAAO,MAAM,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MACtG,GAAG,eAAe,GAAG,cAAc,OAAO,MAAM,IAAI,MAAM,KAAK,OAAO,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,IAC7F,EAAE,KAAK,IAAI;AAAA,IACX;AAAA,MACE,SAAS;AAAA,MACT,aAAa,OAAO,UAAU,OAAO,OAAO,UAAU,MAAM,UAAU,OAAO,UAAU,MAAM,WAAW;AAAA,MACxG,aAAa;AAAA,IACf;AAAA,EACF;AAEA,UAAQ,IAAI,YAAY;AACxB,UAAQ,IAAI;AACd;AAEO,SAAS,cAAc,UAAqB;AACjD,MAAI,SAAS,WAAW,GAAG;AACzB,YAAQ,IAAI,MAAM,MAAM,GAAG,IAAI,4BAA4B,CAAC;AAC5D;AAAA,EACF;AAEA,QAAM,iBAAiB,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM;AAClD,UAAM,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,EAAE;AACxD,WAAO,MAAM,EAAE,QAAQ,IAAI,MAAM,EAAE,QAAQ;AAAA,EAC7C,CAAC;AAED,UAAQ,IAAI,MAAM,KAAK,aAAa,CAAC;AAErC,aAAW,WAAW,gBAAgB;AACpC,UAAM,gBAAgB,gBAAgB,QAAQ,QAAQ;AACtD,UAAM,OAAO,eAAe,QAAQ,QAAQ;AAE5C,YAAQ,IAAI,GAAG,IAAI,IAAI,cAAc,QAAQ,SAAS,YAAY,CAAC,CAAC,IAAI,MAAM,KAAK,QAAQ,KAAK,CAAC,EAAE;AACnG,YAAQ,IAAI,MAAM,MAAM,IAAI,QAAQ,WAAW,CAAC,EAAE;AAClD,QAAI,QAAQ,MAAM;AAChB,cAAQ,IAAI,MAAM,MAAM,KAAK,sBAAsB,QAAQ,MAAM,QAAQ,IAAI,CAAC,CAAC,EAAE;AAAA,IACnF;AACA,YAAQ,IAAI;AAAA,EACd;AACF;AAEO,SAAS,oBAAoB,QAAoB;AACtD,UAAQ,IAAI,MAAM,KAAK,oBAAoB,CAAC;AAE5C,aAAW,WAAW,OAAO,UAAU;AACrC,UAAM,eAAe,QAAQ,UAAU,IAAI,MAAM,MAAM,MAAM;AAC7D,UAAM,MAAM,kBAAkB,QAAQ,MAAM,QAAQ,SAAS,QAAQ,GAAG;AAExE,YAAQ;AAAA,MACN,KAAK,QAAQ,QAAQ,OAAO,EAAE,CAAC,IAAI,GAAG,IAAI,aAAa,IAAI,QAAQ,QAAQ,QAAQ,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,IAAI,KAAK,QAAQ,GAAG,EAAE,CAAC;AAAA,IAC3H;AAAA,EACF;AAEA,UAAQ,IAAI;AACd;AAEA,SAAS,kBAAkB,OAAe,KAAa,QAAgB,IAAY;AACjF,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,IAAI,GAAG,QAAQ,GAAG,CAAC;AACvD,QAAM,SAAS,KAAK,MAAM,aAAa,KAAK;AAC5C,QAAM,QAAQ,QAAQ;AAEtB,QAAM,QAAQ,cAAc,OAAO,MAAM,QAAQ,cAAc,MAAM,MAAM,SAAS,MAAM;AAE1F,SAAO,MAAM,SAAS,OAAO,MAAM,CAAC,IAAI,MAAM,IAAI,SAAS,OAAO,KAAK,CAAC;AAC1E;AAEO,SAAS,WAAW,SAAiB;AAC1C,UAAQ,MAAM,MAAM,IAAI,iBAAiB,OAAO,EAAE,CAAC;AACrD;AAEO,SAAS,aAAa,SAAiB;AAC5C,UAAQ,IAAI,MAAM,MAAM,UAAU,OAAO,EAAE,CAAC;AAC9C;;;AEvIO,SAAS,iBAAiB,QAA4B;AAC3D,SAAO,KAAK,UAAU,QAAQ,MAAM,CAAC;AACvC;AAEO,SAAS,kBAAkB,QAAkC;AAClE,QAAM,SAAS,gBAAgB,OAAO,QAAQ;AAE9C,SAAO;AAAA,IACL,OAAO,OAAO;AAAA,IACd,OAAO,OAAO;AAAA,IACd,gBAAgB,OAAO,SAAS,IAAI,QAAM;AAAA,MACxC,SAAS,EAAE;AAAA,MACX,eAAe,EAAE,SAAS;AAAA,MAC1B,SAAS,EAAE;AAAA,IACb,EAAE;AAAA,IACF,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,UAAU,OAAO;AAAA,IACjB,WAAW,OAAO;AAAA,EACpB;AACF;;;ACrBA,IAAM,gBAAgB;AAEtB,eAAsB,YAAY,QAA4C;AAC5E,QAAM,UAAU,kBAAkB,MAAM;AAExC,QAAM,WAAW,MAAM,MAAM,eAAe;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,KAAK,UAAU,OAAO;AAAA,EAC9B,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,2BAA2B,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrF;AAEA,SAAO,SAAS,KAAK;AACvB;;;AZ0CA,SAAS,YAAY;AACnB,UAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAuBb;AACD;AAEA,SAAS,eAAe;AACtB,UAAQ,IAAI,cAAc;AAC5B;AAEA,eAAe,OAAO;AACpB,MAAI;AAEJ,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,UAAU;AAAA,MAC3B,SAAS;AAAA,QACP,MAAM,EAAE,MAAM,UAAU,OAAO,IAAI;AAAA,QACnC,MAAM,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACpD,OAAO,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACrD,YAAY,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,QAC9C,MAAM,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACpD,SAAS,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,MACzD;AAAA,MACA,QAAQ;AAAA,MACR,kBAAkB;AAAA,IACpB,CAAC;AAED,QAAI,OAAO,MAAM;AACf,gBAAU;AACV,WAAK,CAAC;AAAA,IACR;AAEA,QAAI,OAAO,SAAS;AAClB,mBAAa;AACb,WAAK,CAAC;AAAA,IACR;AAEA,cAAU;AAAA,MACR,MAAM,OAAO,QAAQ,uBAAuB;AAAA,MAC5C,MAAM,OAAO,QAAQ;AAAA,MACrB,OAAO,OAAO,SAAS;AAAA,MACvB,SAAS,OAAO,UAAU,KAAK;AAAA,IACjC;AAAA,EACF,SAAS,KAAK;AACZ,eAAW,sBAAsB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AACnF,cAAU;AACV,SAAK,CAAC;AAAA,EACR;AAEA,MAAI,QAAQ,SAAS;AACnB,YAAQ,IAAI,aAAa,IAAI;AAAA,EAC/B;AAEA,MAAI,CAAC,QAAQ,MAAM;AACjB,gBAAY;AAAA,EACd;AAEA,MAAI,CAAC,MAAM,WAAW,QAAQ,IAAI,GAAG;AACnC,eAAW,iCAAiC,QAAQ,IAAI,EAAE;AAC1D,SAAK,CAAC;AAAA,EACR;AAEA,QAAM,UAAU,QAAQ,OAAO,OAAO,cAAc,oCAAoC;AACxF,WAAS,MAAM;AAEf,MAAI;AACF,UAAM,iBAAiB,MAAM,eAAe,EAAE,cAAc,QAAQ,KAAK,CAAC;AAC1E,UAAM,SAAS,gBAAgB,gBAAgB,QAAQ,IAAI;AAE3D,aAAS,KAAK;AAEd,QAAI,QAAQ,MAAM;AAChB,cAAQ,IAAI,iBAAiB,MAAM,CAAC;AAAA,IACtC,OAAO;AACL,iBAAW,MAAM;AACjB,0BAAoB,MAAM;AAC1B,oBAAc,OAAO,QAAQ;AAAA,IAC/B;AAEA,QAAI,QAAQ,OAAO;AACjB,YAAM,eAAe,QAAQ,OAAO,OAAO,cAAc,uBAAuB;AAChF,oBAAc,MAAM;AAEpB,UAAI;AACF,cAAM,gBAAgB,MAAM,YAAY,MAAM;AAC9C,sBAAc,KAAK;AAEnB,YAAI,QAAQ,MAAM;AAChB,kBAAQ,IAAI,KAAK,UAAU,EAAE,QAAQ,cAAc,GAAG,MAAM,CAAC,CAAC;AAAA,QAChE,OAAO;AACL,uBAAa,sBAAsB,cAAc,GAAG,EAAE;AACtD,kBAAQ,IAAI,oBAAoB,cAAc,WAAW,EAAE;AAAA,QAC7D;AAAA,MACF,SAAS,KAAK;AACZ,sBAAc,KAAK;AACnB,mBAAW,oBAAoB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,MACnF;AAAA,IACF;AAEA,UAAM,WAAW,YAAY,MAAM;AACnC,SAAK,QAAQ;AAAA,EACf,SAAS,KAAK;AACZ,aAAS,KAAK;AACd,eAAW,gBAAgB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAC7E,SAAK,CAAC;AAAA,EACR;AACF;AAEA,KAAK;","names":["join","join","join","join","CAP","join","join","CAP","join","join","CAP","join"]}

package/package.json ADDED Viewed

@@ -0,0 +1,46 @@
+{
+  "name": "getcrabb",
+  "version": "0.1.0",
+  "description": "CLI security scanner for OpenClaw AI agents",
+  "type": "module",
+  "main": "./dist/cli.js",
+  "bin": {
+    "crabb": "./dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsx src/cli.ts",
+    "lint": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "openclaw",
+    "ai",
+    "agents",
+    "cli"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "boxen": "^8.0.1",
+    "chalk": "^5.3.0",
+    "ora": "^8.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "tsup": "^8.3.5",
+    "tsx": "^4.19.2",
+    "typescript": "^5.3.0",
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}