getcrabb 0.1.0

package/README.md

@@ -0,0 +1,115 @@
+# CRABB - Security Scanner for OpenClaw AI Agents
+
+CLI security scanner that produces a CRABB SCORE (0-100) with prioritized findings.
+
+## Installation
+
+```bash
+npm install -g getcrabb
+```
+
+## Usage
+
+```bash
+# Scan default OpenClaw installation (~/.openclaw/)
+crabb
+
+# Scan custom directory
+crabb --path ./my-openclaw
+
+# Output as JSON
+crabb --json
+
+# Create shareable score card
+crabb --share
+
+# CI-friendly (no colors)
+crabb --no-color
+```
+
+## Options
+
+| Flag | Short | Description |
+|------|-------|-------------|
+| `--path <dir>` | `-p` | Path to OpenClaw directory |
+| `--json` | `-j` | Output results as JSON |
+| `--share` | `-s` | Share score card to crabb.ai |
+| `--no-color` | | Disable colored output |
+| `--help` | `-h` | Show help message |
+| `--version` | `-v` | Show version number |
+
+## Exit Codes
+
+| Code | Description |
+|------|-------------|
+| 0 | Score >= 75, no Critical/High findings |
+| 1 | Score < 75 or Critical/High findings present |
+| 2 | Scan failed (IO error, OpenClaw not found) |
+
+## Scanners
+
+### Credentials Scanner (max 40 points)
+Detects API keys, tokens, and secrets in:
+- `openclaw.json`
+- `credentials/*`
+- `agents/*/auth-profiles.json`
+- `agents/*/sessions/*.jsonl`
+- `.env` files
+
+Supports: Anthropic, OpenAI, AWS, GitHub, Slack, Stripe, Discord, Telegram, and generic patterns.
+
+### Skills Scanner (max 30 points)
+Static analysis for suspicious patterns in SKILL.md files:
+- **Critical**: Remote code execution, curl piped to bash
+- **High**: Data exfiltration, environment access
+- **Medium**: Broad file access patterns
+- **Low**: General network/file operations
+
+### Permissions Scanner (max 20 points)
+Analyzes `openclaw.json` configuration:
+- Sandbox mode (strict/permissive/disabled)
+- DM policy settings
+- Allowlist wildcards
+- Gateway bind/auth/TLS settings
+- File permissions (700/600)
+
+### Network Scanner (max 10 points)
+Checks gateway configuration and local ports:
+- Gateway bind mode analysis
+- TLS and auth configuration
+- Localhost port scan (18789, 8080, 3000)
+
+## Score Calculation
+
+```
+score = 100 - sum(min(module_cap, module_penalty))
+penalty = sum(severity_base × confidence)
+
+Severity base:
+- Critical: 27.5
+- High: 17.5
+- Medium: 7.5
+- Low: 2.5
+```
+
+## Grades
+
+| Grade | Score | Notes |
+|-------|-------|-------|
+| A | 90+ | Excellent security posture |
+| B | 75+ | Good, minor improvements recommended |
+| C | 60+ | Fair, review findings |
+| D | 40+ | Poor, immediate action needed |
+| F | <40 | Critical security issues |
+
+**Note**: Critical findings cap the maximum grade at C.
+
+## Privacy
+
+- **Offline by default**: No network calls without `--share`
+- **No secrets in output**: All findings show type, file, and line only (redacted)
+- **Share payload**: Contains only aggregates (score, grade, counts)
+
+## License
+
+MIT

package/dist/cli.js

@@ -0,0 +1,1055 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { parseArgs } from "util";
+import { exit } from "process";
+
+// src/config/paths.ts
+import { homedir } from "os";
+import { join } from "path";
+function getDefaultOpenClawPath() {
+  return join(homedir(), ".openclaw");
+}
+
+// src/scanners/credentials.ts
+import { join as join3 } from "path";
+
+// src/utils/fs.ts
+import { readFile, readdir, stat, access } from "fs/promises";
+import { join as join2, relative } from "path";
+import { constants } from "fs";
+async function fileExists(path) {
+  try {
+    await access(path, constants.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readTextFile(path) {
+  try {
+    return await readFile(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+async function readJsonFile(path) {
+  const content = await readTextFile(path);
+  if (!content) return null;
+  try {
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function getFileStats(path) {
+  try {
+    return await stat(path);
+  } catch {
+    return null;
+  }
+}
+async function* walkDirectory(dir, basePath = dir) {
+  try {
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join2(dir, entry.name);
+      const relativePath = relative(basePath, fullPath);
+      if (entry.isDirectory()) {
+        yield* walkDirectory(fullPath, basePath);
+      } else if (entry.isFile()) {
+        yield { path: fullPath, relativePath };
+      }
+    }
+  } catch {
+  }
+}
+
+// src/scanners/credentials.ts
+var CAP = 40;
+var CREDENTIAL_PATTERNS = [
+  // Anthropic
+  {
+    name: "Anthropic API Key",
+    pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // OpenAI
+  {
+    name: "OpenAI API Key",
+    pattern: /sk-[a-zA-Z0-9]{20,}(?!-ant)/g,
+    severity: "critical",
+    confidence: 0.9
+  },
+  // Discord
+  {
+    name: "Discord Bot Token",
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Telegram
+  {
+    name: "Telegram Bot Token",
+    pattern: /\d{8,10}:[A-Za-z0-9_-]{35}/g,
+    severity: "critical",
+    confidence: 0.9
+  },
+  // AWS
+  {
+    name: "AWS Access Key ID",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "AWS Secret Access Key",
+    pattern: /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g,
+    severity: "high",
+    confidence: 0.6
+  },
+  // GitHub
+  {
+    name: "GitHub Personal Access Token",
+    pattern: /ghp_[a-zA-Z0-9]{36}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "GitHub OAuth Token",
+    pattern: /gho_[a-zA-Z0-9]{36}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "GitHub Fine-grained PAT",
+    pattern: /github_pat_[a-zA-Z0-9_]{22,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Slack
+  {
+    name: "Slack Bot Token",
+    pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "Slack User Token",
+    pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  // Stripe
+  {
+    name: "Stripe Secret Key",
+    pattern: /sk_live_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    confidence: 0.95
+  },
+  {
+    name: "Stripe Test Key",
+    pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
+    severity: "medium",
+    confidence: 0.9
+  },
+  // Generic patterns
+  {
+    name: "Generic API Key",
+    pattern: /(?:api[_-]?key|apikey|api[_-]?token)\s*[=:]\s*["']?([a-zA-Z0-9_-]{20,})["']?/gi,
+    severity: "high",
+    confidence: 0.7
+  },
+  {
+    name: "Generic Secret",
+    pattern: /(?:secret|password|passwd|pwd)\s*[=:]\s*["']?([a-zA-Z0-9_!@#$%^&*-]{8,})["']?/gi,
+    severity: "high",
+    confidence: 0.6
+  },
+  // Private Keys
+  {
+    name: "Private Key",
+    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    severity: "critical",
+    confidence: 0.99
+  }
+];
+var PLACEHOLDER_PATTERNS = [
+  /^your[-_]?api[-_]?key[-_]?here$/i,
+  /^xxx+$/i,
+  /^placeholder$/i,
+  /^example$/i,
+  /^test[-_]?key$/i,
+  /^\$\{[^}]+\}$/,
+  /^<[^>]+>$/,
+  /^{{[^}]+}}$/,
+  /^%[^%]+%$/,
+  /^INSERT[-_]?YOUR[-_]?KEY$/i,
+  /^REPLACE[-_]?ME$/i,
+  /^TODO$/i,
+  /^changeme$/i
+];
+function isPlaceholder(value) {
+  return PLACEHOLDER_PATTERNS.some((pattern) => pattern.test(value.trim()));
+}
+function extractValue(match) {
+  return match[1] ?? match[0];
+}
+async function scanFile(filePath, relativePath) {
+  const content = await readTextFile(filePath);
+  if (!content) return [];
+  const findings = [];
+  const lines = content.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    for (const credPattern of CREDENTIAL_PATTERNS) {
+      credPattern.pattern.lastIndex = 0;
+      let match;
+      while ((match = credPattern.pattern.exec(line)) !== null) {
+        const value = extractValue(match);
+        if (isPlaceholder(value)) {
+          continue;
+        }
+        if (value.length < 8) {
+          continue;
+        }
+        findings.push({
+          scanner: "credentials",
+          severity: credPattern.severity,
+          title: credPattern.name,
+          description: `Detected ${credPattern.name} in configuration file`,
+          file: relativePath,
+          line: lineNum + 1,
+          confidence: credPattern.confidence
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanCredentials(openclawPath) {
+  const findings = [];
+  const filesToScan = [
+    { path: join3(openclawPath, "openclaw.json"), relative: "openclaw.json" },
+    { path: join3(openclawPath, ".env"), relative: ".env" }
+  ];
+  const credentialsDir = join3(openclawPath, "credentials");
+  if (await fileExists(credentialsDir)) {
+    for await (const file of walkDirectory(credentialsDir, openclawPath)) {
+      filesToScan.push({ path: file.path, relative: file.relativePath });
+    }
+  }
+  const agentsDir = join3(openclawPath, "agents");
+  if (await fileExists(agentsDir)) {
+    for await (const file of walkDirectory(agentsDir, openclawPath)) {
+      if (file.relativePath.includes("auth-profiles.json") || file.relativePath.endsWith(".jsonl") || file.relativePath.endsWith(".json")) {
+        filesToScan.push({ path: file.path, relative: file.relativePath });
+      }
+    }
+  }
+  for (const file of filesToScan) {
+    if (await fileExists(file.path)) {
+      const fileFindings = await scanFile(file.path, file.relative);
+      findings.push(...fileFindings);
+    }
+  }
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "credentials",
+    findings,
+    penalty: Math.min(penalty, CAP),
+    cap: CAP
+  };
+}
+
+// src/scanners/skills.ts
+import { join as join4 } from "path";
+var CAP2 = 30;
+var SKILL_PATTERNS = [
+  // Critical: Remote code execution
+  {
+    name: "Curl piped to shell",
+    pattern: /curl\s+[^|]*\|\s*(?:bash|sh|zsh)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Downloading and executing remote scripts is extremely dangerous"
+  },
+  {
+    name: "Wget piped to shell",
+    pattern: /wget\s+[^|]*\|\s*(?:bash|sh|zsh)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Downloading and executing remote scripts is extremely dangerous"
+  },
+  {
+    name: "Code execution function",
+    pattern: /\b(?:eval|Function)\s*\(/gi,
+    severity: "critical",
+    confidence: 0.8,
+    description: "Dynamic code execution can lead to arbitrary code execution"
+  },
+  {
+    name: "System command execution",
+    pattern: /\b(?:os\.system|subprocess\.call|subprocess\.run|child_process)\s*\(/gi,
+    severity: "critical",
+    confidence: 0.85,
+    description: "System command execution may allow arbitrary command injection"
+  },
+  // Critical: Sensitive file access
+  {
+    name: "SSH key access",
+    pattern: /\.ssh\/(?:id_rsa|id_ed25519|id_dsa|authorized_keys)/gi,
+    severity: "critical",
+    confidence: 0.9,
+    description: "Accessing SSH keys can compromise authentication"
+  },
+  {
+    name: "Password file access",
+    pattern: /\/etc\/(?:passwd|shadow)/gi,
+    severity: "critical",
+    confidence: 0.95,
+    description: "Accessing system password files is a security risk"
+  },
+  // High: Data exfiltration patterns
+  {
+    name: "POST request with data",
+    pattern: /(?:curl|wget|fetch|axios|request)\s+.*(?:-d|--data|POST)/gi,
+    severity: "high",
+    confidence: 0.7,
+    description: "Outbound data transmission may indicate exfiltration"
+  },
+  {
+    name: "Base64 encode and send",
+    pattern: /base64.*(?:curl|wget|fetch|send|post)/gi,
+    severity: "high",
+    confidence: 0.75,
+    description: "Encoding and transmitting data may indicate exfiltration"
+  },
+  {
+    name: "Environment variable dump",
+    pattern: /\benv\b|\$ENV|\bprocess\.env\b|\bos\.environ\b/gi,
+    severity: "high",
+    confidence: 0.6,
+    description: "Environment access may expose sensitive configuration"
+  },
+  // Medium: File system access
+  {
+    name: "Unrestricted file read",
+    pattern: /(?:fs\.readFile|open\s*\(|read\s*\().*(?:\*|\.\.)/gi,
+    severity: "medium",
+    confidence: 0.6,
+    description: "Broad file read patterns may access unintended files"
+  },
+  {
+    name: "Home directory access",
+    pattern: /~\/|\/home\/|\$HOME/gi,
+    severity: "medium",
+    confidence: 0.5,
+    description: "Accessing user home directory may expose sensitive data"
+  },
+  {
+    name: "Recursive directory operations",
+    pattern: /(?:-r|--recursive|walk|glob\*\*)/gi,
+    severity: "medium",
+    confidence: 0.4,
+    description: "Recursive operations may access more files than intended"
+  },
+  // Low: Suspicious but not necessarily harmful
+  {
+    name: "Network connection",
+    pattern: /(?:socket|connect|http|https):\/\//gi,
+    severity: "low",
+    confidence: 0.3,
+    description: "Network connections should be reviewed for necessity"
+  },
+  {
+    name: "File write operation",
+    pattern: /(?:fs\.writeFile|open\s*\([^)]*['"]\s*w|>+\s*[a-zA-Z])/gi,
+    severity: "low",
+    confidence: 0.4,
+    description: "File write operations should be reviewed"
+  }
+];
+async function scanSkillFile(filePath, relativePath) {
+  const content = await readTextFile(filePath);
+  if (!content) return [];
+  const findings = [];
+  const lines = content.split("\n");
+  for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+    const line = lines[lineNum];
+    for (const skillPattern of SKILL_PATTERNS) {
+      skillPattern.pattern.lastIndex = 0;
+      if (skillPattern.pattern.test(line)) {
+        findings.push({
+          scanner: "skills",
+          severity: skillPattern.severity,
+          title: skillPattern.name,
+          description: skillPattern.description,
+          file: relativePath,
+          line: lineNum + 1,
+          confidence: skillPattern.confidence
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanSkills(openclawPath) {
+  const findings = [];
+  const skillsDirs = [
+    join4(openclawPath, "skills"),
+    join4(openclawPath, "workspace", "skills")
+  ];
+  for (const skillsDir of skillsDirs) {
+    if (await fileExists(skillsDir)) {
+      for await (const file of walkDirectory(skillsDir, openclawPath)) {
+        if (file.relativePath.endsWith(".md")) {
+          const fileFindings = await scanSkillFile(file.path, file.relativePath);
+          findings.push(...fileFindings);
+        }
+      }
+    }
+  }
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "skills",
+    findings,
+    penalty: Math.min(penalty, CAP2),
+    cap: CAP2
+  };
+}
+
+// src/scanners/permissions.ts
+import { join as join5 } from "path";
+var CAP3 = 20;
+function checkSandboxMode(config) {
+  const mode = config.sandbox?.mode;
+  if (mode === "disabled") {
+    return {
+      scanner: "permissions",
+      severity: "critical",
+      title: "Sandbox disabled",
+      description: "Agent sandbox is completely disabled, allowing unrestricted system access",
+      file: "openclaw.json",
+      confidence: 0.95
+    };
+  }
+  if (mode === "permissive") {
+    return {
+      scanner: "permissions",
+      severity: "high",
+      title: "Sandbox in permissive mode",
+      description: "Agent sandbox is in permissive mode, may allow unintended access",
+      file: "openclaw.json",
+      confidence: 0.85
+    };
+  }
+  return null;
+}
+function checkDmPolicy(config) {
+  const policy = config.dmPolicy;
+  if (policy === "allow") {
+    return {
+      scanner: "permissions",
+      severity: "medium",
+      title: "DM policy allows all",
+      description: "Direct message policy allows all messages without filtering",
+      file: "openclaw.json",
+      confidence: 0.7
+    };
+  }
+  return null;
+}
+function checkAllowlist(config) {
+  const findings = [];
+  const allowlist = config.allowlist ?? [];
+  for (const entry of allowlist) {
+    if (entry === "*" || entry === "**") {
+      findings.push({
+        scanner: "permissions",
+        severity: "critical",
+        title: "Wildcard allowlist",
+        description: "Allowlist contains unrestricted wildcard, allowing all access",
+        file: "openclaw.json",
+        confidence: 0.95
+      });
+    } else if (entry.includes("*")) {
+      findings.push({
+        scanner: "permissions",
+        severity: "medium",
+        title: "Broad allowlist pattern",
+        description: `Allowlist pattern "${entry}" may be too permissive`,
+        file: "openclaw.json",
+        confidence: 0.6
+      });
+    }
+  }
+  return findings;
+}
+function checkGateway(config) {
+  const findings = [];
+  const gateway = config.gateway;
+  if (!gateway) return findings;
+  if (gateway.bind === "0.0.0.0" || gateway.bind === "::") {
+    findings.push({
+      scanner: "permissions",
+      severity: "high",
+      title: "Gateway binds to all interfaces",
+      description: "Gateway is exposed on all network interfaces, should bind to localhost",
+      file: "openclaw.json",
+      confidence: 0.9
+    });
+  }
+  if (gateway.auth === false) {
+    findings.push({
+      scanner: "permissions",
+      severity: "high",
+      title: "Gateway authentication disabled",
+      description: "Gateway has authentication disabled, allowing unauthenticated access",
+      file: "openclaw.json",
+      confidence: 0.9
+    });
+  }
+  if (gateway.tls === false && gateway.bind !== "localhost" && gateway.bind !== "127.0.0.1") {
+    findings.push({
+      scanner: "permissions",
+      severity: "medium",
+      title: "Gateway TLS disabled",
+      description: "Gateway TLS is disabled for non-localhost connections",
+      file: "openclaw.json",
+      confidence: 0.75
+    });
+  }
+  return findings;
+}
+async function checkFilePermissions(openclawPath) {
+  const findings = [];
+  const rootStats = await getFileStats(openclawPath);
+  if (rootStats) {
+    const mode = rootStats.mode & 511;
+    if ((mode & 63) !== 0) {
+      findings.push({
+        scanner: "permissions",
+        severity: "medium",
+        title: "OpenClaw directory too permissive",
+        description: `Directory permissions ${mode.toString(8)} allow group/other access, recommend 700`,
+        file: openclawPath,
+        confidence: 0.8
+      });
+    }
+  }
+  const credentialsDir = join5(openclawPath, "credentials");
+  if (await fileExists(credentialsDir)) {
+    const credStats = await getFileStats(credentialsDir);
+    if (credStats) {
+      const mode = credStats.mode & 511;
+      if ((mode & 63) !== 0) {
+        findings.push({
+          scanner: "permissions",
+          severity: "high",
+          title: "Credentials directory too permissive",
+          description: `Credentials permissions ${mode.toString(8)} allow group/other access, recommend 700`,
+          file: "credentials/",
+          confidence: 0.9
+        });
+      }
+    }
+  }
+  return findings;
+}
+async function scanPermissions(openclawPath) {
+  const findings = [];
+  const configPath = join5(openclawPath, "openclaw.json");
+  const config = await readJsonFile(configPath);
+  if (config) {
+    const sandboxFinding = checkSandboxMode(config);
+    if (sandboxFinding) findings.push(sandboxFinding);
+    const dmFinding = checkDmPolicy(config);
+    if (dmFinding) findings.push(dmFinding);
+    findings.push(...checkAllowlist(config));
+    findings.push(...checkGateway(config));
+  }
+  findings.push(...await checkFilePermissions(openclawPath));
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "permissions",
+    findings,
+    penalty: Math.min(penalty, CAP3),
+    cap: CAP3
+  };
+}
+
+// src/scanners/network.ts
+import { join as join6 } from "path";
+import { createConnection } from "net";
+var CAP4 = 10;
+var DEFAULT_PORTS = [18789, 8080, 3e3];
+var PORT_SCAN_TIMEOUT = 1e3;
+async function checkPortOpen(port, host = "localhost") {
+  return new Promise((resolve) => {
+    const socket = createConnection({ port, host, timeout: PORT_SCAN_TIMEOUT });
+    socket.on("connect", () => {
+      socket.destroy();
+      resolve(true);
+    });
+    socket.on("timeout", () => {
+      socket.destroy();
+      resolve(false);
+    });
+    socket.on("error", () => {
+      socket.destroy();
+      resolve(false);
+    });
+  });
+}
+async function scanOpenPorts() {
+  const findings = [];
+  for (const port of DEFAULT_PORTS) {
+    const isOpen = await checkPortOpen(port);
+    if (isOpen) {
+      findings.push({
+        scanner: "network",
+        severity: "low",
+        title: `Port ${port} is open`,
+        description: `Localhost port ${port} is listening, verify if this is expected`,
+        confidence: 0.5
+      });
+    }
+  }
+  return findings;
+}
+function analyzeGatewayConfig(config) {
+  const findings = [];
+  const gateway = config.gateway;
+  if (!gateway) return findings;
+  const bind = gateway.bind ?? "localhost";
+  const isExposed = bind === "0.0.0.0" || bind === "::";
+  if (isExposed) {
+    if (!gateway.tls) {
+      findings.push({
+        scanner: "network",
+        severity: "high",
+        title: "Exposed gateway without TLS",
+        description: "Gateway is exposed to network without TLS encryption",
+        file: "openclaw.json",
+        confidence: 0.9
+      });
+    }
+    if (!gateway.auth) {
+      findings.push({
+        scanner: "network",
+        severity: "critical",
+        title: "Exposed gateway without authentication",
+        description: "Gateway is exposed to network without authentication",
+        file: "openclaw.json",
+        confidence: 0.95
+      });
+    }
+  }
+  const port = gateway.port ?? 18789;
+  if (port < 1024 && port !== 443 && port !== 80) {
+    findings.push({
+      scanner: "network",
+      severity: "medium",
+      title: "Non-standard privileged port",
+      description: `Gateway uses privileged port ${port}, requires elevated permissions`,
+      file: "openclaw.json",
+      confidence: 0.7
+    });
+  }
+  return findings;
+}
+async function scanNetwork(openclawPath) {
+  const findings = [];
+  const configPath = join6(openclawPath, "openclaw.json");
+  const config = await readJsonFile(configPath);
+  if (config) {
+    findings.push(...analyzeGatewayConfig(config));
+  }
+  findings.push(...await scanOpenPorts());
+  const severityScores = {
+    critical: 27.5,
+    high: 17.5,
+    medium: 7.5,
+    low: 2.5
+  };
+  let penalty = 0;
+  for (const finding of findings) {
+    penalty += severityScores[finding.severity] * finding.confidence;
+  }
+  return {
+    scanner: "network",
+    findings,
+    penalty: Math.min(penalty, CAP4),
+    cap: CAP4
+  };
+}
+
+// src/scanners/index.ts
+async function runAllScanners(options) {
+  const { openclawPath } = options;
+  const results = await Promise.all([
+    scanCredentials(openclawPath),
+    scanSkills(openclawPath),
+    scanPermissions(openclawPath),
+    scanNetwork(openclawPath)
+  ]);
+  return results;
+}
+
+// src/scoring/index.ts
+function calculateScore(results) {
+  const totalPenalty = results.reduce((sum, r) => sum + r.penalty, 0);
+  return Math.max(0, Math.round(100 - totalPenalty));
+}
+function determineGrade(score, findings) {
+  const hasCritical = findings.some((f) => f.severity === "critical");
+  if (hasCritical) {
+    if (score >= 75) return "C";
+    if (score >= 60) return "C";
+    if (score >= 40) return "D";
+    return "F";
+  }
+  if (score >= 90) return "A";
+  if (score >= 75) return "B";
+  if (score >= 60) return "C";
+  if (score >= 40) return "D";
+  return "F";
+}
+function buildScanResult(results, openclawPath) {
+  const findings = results.flatMap((r) => r.findings);
+  const score = calculateScore(results);
+  const grade = determineGrade(score, findings);
+  return {
+    score,
+    grade,
+    scanners: results,
+    findings,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    openclawPath
+  };
+}
+function getExitCode(result) {
+  const hasCriticalOrHigh = result.findings.some(
+    (f) => f.severity === "critical" || f.severity === "high"
+  );
+  if (result.score < 75 || hasCriticalOrHigh) {
+    return 1;
+  }
+  return 0;
+}
+function countBySeverity(findings) {
+  return {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length
+  };
+}
+
+// src/output/terminal.ts
+import chalk from "chalk";
+import ora from "ora";
+import boxen from "boxen";
+
+// src/utils/redact.ts
+function formatFindingLocation(file, line) {
+  if (line !== void 0) {
+    return `${file}:${line}`;
+  }
+  return file;
+}
+
+// src/output/terminal.ts
+var CRAB = "\u{1F980}";
+var GRADE_COLORS = {
+  A: chalk.green,
+  B: chalk.greenBright,
+  C: chalk.yellow,
+  D: chalk.hex("#FFA500"),
+  F: chalk.red
+};
+var SEVERITY_COLORS = {
+  critical: chalk.bgRed.white,
+  high: chalk.red,
+  medium: chalk.yellow,
+  low: chalk.gray
+};
+var SEVERITY_ICONS = {
+  critical: "\u{1F6A8}",
+  high: "\u26A0\uFE0F",
+  medium: "\u{1F7E1}",
+  low: "\u2139\uFE0F"
+};
+function createSpinner(text) {
+  return ora({
+    text,
+    spinner: "dots"
+  });
+}
+function printHeader() {
+  console.log(
+    boxen(
+      `${CRAB} ${chalk.bold("CRABB")} ${chalk.dim("Security Scanner for OpenClaw")}`,
+      {
+        padding: { top: 0, bottom: 0, left: 1, right: 1 },
+        borderColor: "cyan",
+        borderStyle: "round"
+      }
+    )
+  );
+  console.log();
+}
+function printScore(result) {
+  const gradeColor = GRADE_COLORS[result.grade];
+  const counts = countBySeverity(result.findings);
+  const scoreDisplay = boxen(
+    [
+      `${CRAB} ${chalk.bold("CRABB SCORE")}`,
+      "",
+      `   ${gradeColor(chalk.bold(`${result.score}`))} ${chalk.dim("/ 100")}`,
+      `   Grade: ${gradeColor(chalk.bold(result.grade))}`,
+      "",
+      chalk.dim("\u2500".repeat(24)),
+      "",
+      `${SEVERITY_ICONS.critical} Critical: ${counts.critical > 0 ? chalk.red(counts.critical) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.high} High:     ${counts.high > 0 ? chalk.red(counts.high) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.medium} Medium:   ${counts.medium > 0 ? chalk.yellow(counts.medium) : chalk.dim("0")}`,
+      `${SEVERITY_ICONS.low} Low:      ${counts.low > 0 ? chalk.gray(counts.low) : chalk.dim("0")}`
+    ].join("\n"),
+    {
+      padding: 1,
+      borderColor: result.grade === "A" || result.grade === "B" ? "green" : result.grade === "C" ? "yellow" : "red",
+      borderStyle: "round"
+    }
+  );
+  console.log(scoreDisplay);
+  console.log();
+}
+function printFindings(findings) {
+  if (findings.length === 0) {
+    console.log(chalk.green(`${CRAB} No security issues found!`));
+    return;
+  }
+  const sortedFindings = [...findings].sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  console.log(chalk.bold("Findings:\n"));
+  for (const finding of sortedFindings) {
+    const severityColor = SEVERITY_COLORS[finding.severity];
+    const icon = SEVERITY_ICONS[finding.severity];
+    console.log(`${icon} ${severityColor(finding.severity.toUpperCase())} ${chalk.bold(finding.title)}`);
+    console.log(`   ${chalk.dim(finding.description)}`);
+    if (finding.file) {
+      console.log(`   ${chalk.cyan(formatFindingLocation(finding.file, finding.line))}`);
+    }
+    console.log();
+  }
+}
+function printScannerSummary(result) {
+  console.log(chalk.bold("Scanner Summary:\n"));
+  for (const scanner of result.scanners) {
+    const penaltyColor = scanner.penalty > 0 ? chalk.red : chalk.green;
+    const bar = createProgressBar(scanner.cap - scanner.penalty, scanner.cap);
+    console.log(
+      `  ${scanner.scanner.padEnd(12)} ${bar} ${penaltyColor(`-${scanner.penalty.toFixed(1)}`)} ${chalk.dim(`/ ${scanner.cap}`)}`
+    );
+  }
+  console.log();
+}
+function createProgressBar(value, max, width = 20) {
+  const percentage = Math.max(0, Math.min(1, value / max));
+  const filled = Math.round(percentage * width);
+  const empty = width - filled;
+  const color = percentage >= 0.75 ? chalk.green : percentage >= 0.5 ? chalk.yellow : chalk.red;
+  return color("\u2588".repeat(filled)) + chalk.dim("\u2591".repeat(empty));
+}
+function printError(message) {
+  console.error(chalk.red(`\u2717 Error: ${message}`));
+}
+function printSuccess(message) {
+  console.log(chalk.green(`\u2713 ${message}`));
+}
+
+// src/output/json.ts
+function formatJsonOutput(result) {
+  return JSON.stringify(result, null, 2);
+}
+function buildSharePayload(result) {
+  const counts = countBySeverity(result.findings);
+  return {
+    score: result.score,
+    grade: result.grade,
+    scannerSummary: result.scanners.map((s) => ({
+      scanner: s.scanner,
+      findingsCount: s.findings.length,
+      penalty: s.penalty
+    })),
+    criticalCount: counts.critical,
+    highCount: counts.high,
+    mediumCount: counts.medium,
+    lowCount: counts.low,
+    timestamp: result.timestamp
+  };
+}
+
+// src/share/index.ts
+var SHARE_API_URL = "https://crabb.ai/api/share";
+async function shareResult(result) {
+  const payload = buildSharePayload(result);
+  const response = await fetch(SHARE_API_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to share result: ${response.status} ${response.statusText}`);
+  }
+  return response.json();
+}
+
+// src/cli.ts
+function printHelp() {
+  console.log(`
+\u{1F980} CRABB - Security Scanner for OpenClaw AI Agents
+
+Usage: crabb [options]
+
+Options:
+  -p, --path <dir>   Path to OpenClaw directory (default: ~/.openclaw/)
+  -j, --json         Output results as JSON
+  -s, --share        Share score card to crabb.ai
+      --no-color     Disable colored output
+  -h, --help         Show this help message
+  -v, --version      Show version number
+
+Examples:
+  crabb                          # Scan default OpenClaw installation
+  crabb --path ./my-openclaw     # Scan custom directory
+  crabb --json                   # Output as JSON
+  crabb --share                  # Create shareable score card
+
+Exit codes:
+  0 - Score >= 75, no Critical/High findings
+  1 - Score < 75 or Critical/High findings present
+  2 - Scan failed (IO error, OpenClaw not found)
+`);
+}
+function printVersion() {
+  console.log("crabb v0.1.0");
+}
+async function main() {
+  let options;
+  try {
+    const { values } = parseArgs({
+      options: {
+        path: { type: "string", short: "p" },
+        json: { type: "boolean", short: "j", default: false },
+        share: { type: "boolean", short: "s", default: false },
+        "no-color": { type: "boolean", default: false },
+        help: { type: "boolean", short: "h", default: false },
+        version: { type: "boolean", short: "v", default: false }
+      },
+      strict: true,
+      allowPositionals: false
+    });
+    if (values.help) {
+      printHelp();
+      exit(0);
+    }
+    if (values.version) {
+      printVersion();
+      exit(0);
+    }
+    options = {
+      path: values.path ?? getDefaultOpenClawPath(),
+      json: values.json ?? false,
+      share: values.share ?? false,
+      noColor: values["no-color"] ?? false
+    };
+  } catch (err) {
+    printError(`Invalid arguments: ${err instanceof Error ? err.message : String(err)}`);
+    printHelp();
+    exit(2);
+  }
+  if (options.noColor) {
+    process.env["FORCE_COLOR"] = "0";
+  }
+  if (!options.json) {
+    printHeader();
+  }
+  if (!await fileExists(options.path)) {
+    printError(`OpenClaw directory not found: ${options.path}`);
+    exit(2);
+  }
+  const spinner = options.json ? null : createSpinner("Scanning OpenClaw configuration...");
+  spinner?.start();
+  try {
+    const scannerResults = await runAllScanners({ openclawPath: options.path });
+    const result = buildScanResult(scannerResults, options.path);
+    spinner?.stop();
+    if (options.json) {
+      console.log(formatJsonOutput(result));
+    } else {
+      printScore(result);
+      printScannerSummary(result);
+      printFindings(result.findings);
+    }
+    if (options.share) {
+      const shareSpinner = options.json ? null : createSpinner("Sharing score card...");
+      shareSpinner?.start();
+      try {
+        const shareResponse = await shareResult(result);
+        shareSpinner?.stop();
+        if (options.json) {
+          console.log(JSON.stringify({ shared: shareResponse }, null, 2));
+        } else {
+          printSuccess(`Score card shared: ${shareResponse.url}`);
+          console.log(`   Delete token: ${shareResponse.deleteToken}`);
+        }
+      } catch (err) {
+        shareSpinner?.stop();
+        printError(`Failed to share: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    const exitCode = getExitCode(result);
+    exit(exitCode);
+  } catch (err) {
+    spinner?.stop();
+    printError(`Scan failed: ${err instanceof Error ? err.message : String(err)}`);
+    exit(2);
+  }
+}
+main();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli.ts","../src/config/paths.ts","../src/scanners/credentials.ts","../src/utils/fs.ts","../src/scanners/skills.ts","../src/scanners/permissions.ts","../src/scanners/network.ts","../src/scanners/index.ts","../src/scoring/index.ts","../src/output/terminal.ts","../src/utils/redact.ts","../src/output/json.ts","../src/share/index.ts"],"sourcesContent":["import { parseArgs } from 'node:util';\nimport { exit } from 'node:process';\nimport type { CliOptions } from './types/index.js';\nimport { getDefaultOpenClawPath } from './config/paths.js';\nimport { runAllScanners } from './scanners/index.js';\nimport { buildScanResult, getExitCode } from './scoring/index.js';\nimport {\n  printHeader,\n  printScore,\n  printFindings,\n  printScannerSummary,\n  printError,\n  printSuccess,\n  createSpinner,\n} from './output/terminal.js';\nimport { formatJsonOutput } from './output/json.js';\nimport { shareResult } from './share/index.js';\nimport { fileExists } from './utils/fs.js';\n\nfunction parseCliArgs(): CliOptions {\n  const { values } = parseArgs({\n    options: {\n      path: {\n        type: 'string',\n        short: 'p',\n      },\n      json: {\n        type: 'boolean',\n        short: 'j',\n        default: false,\n      },\n      share: {\n        type: 'boolean',\n        short: 's',\n        default: false,\n      },\n      'no-color': {\n        type: 'boolean',\n        default: false,\n      },\n      help: {\n        type: 'boolean',\n        short: 'h',\n        default: false,\n      },\n      version: {\n        type: 'boolean',\n        short: 'v',\n        default: false,\n      },\n    },\n    strict: true,\n    allowPositionals: false,\n  });\n\n  return {\n    path: values.path ?? getDefaultOpenClawPath(),\n    json: values.json ?? false,\n    share: values.share ?? false,\n    noColor: values['no-color'] ?? false,\n  };\n}\n\nfunction printHelp() {\n  console.log(`\n\\u{1F980} CRABB - Security Scanner for OpenClaw AI Agents\n\nUsage: crabb [options]\n\nOptions:\n  -p, --path <dir>   Path to OpenClaw directory (default: ~/.openclaw/)\n  -j, --json         Output results as JSON\n  -s, --share        Share score card to crabb.ai\n      --no-color     Disable colored output\n  -h, --help         Show this help message\n  -v, --version      Show version number\n\nExamples:\n  crabb                          # Scan default OpenClaw installation\n  crabb --path ./my-openclaw     # Scan custom directory\n  crabb --json                   # Output as JSON\n  crabb --share                  # Create shareable score card\n\nExit codes:\n  0 - Score >= 75, no Critical/High findings\n  1 - Score < 75 or Critical/High findings present\n  2 - Scan failed (IO error, OpenClaw not found)\n`);\n}\n\nfunction printVersion() {\n  console.log('crabb v0.1.0');\n}\n\nasync function main() {\n  let options: CliOptions;\n\n  try {\n    const { values } = parseArgs({\n      options: {\n        path: { type: 'string', short: 'p' },\n        json: { type: 'boolean', short: 'j', default: false },\n        share: { type: 'boolean', short: 's', default: false },\n        'no-color': { type: 'boolean', default: false },\n        help: { type: 'boolean', short: 'h', default: false },\n        version: { type: 'boolean', short: 'v', default: false },\n      },\n      strict: true,\n      allowPositionals: false,\n    });\n\n    if (values.help) {\n      printHelp();\n      exit(0);\n    }\n\n    if (values.version) {\n      printVersion();\n      exit(0);\n    }\n\n    options = {\n      path: values.path ?? getDefaultOpenClawPath(),\n      json: values.json ?? false,\n      share: values.share ?? false,\n      noColor: values['no-color'] ?? false,\n    };\n  } catch (err) {\n    printError(`Invalid arguments: ${err instanceof Error ? err.message : String(err)}`);\n    printHelp();\n    exit(2);\n  }\n\n  if (options.noColor) {\n    process.env['FORCE_COLOR'] = '0';\n  }\n\n  if (!options.json) {\n    printHeader();\n  }\n\n  if (!await fileExists(options.path)) {\n    printError(`OpenClaw directory not found: ${options.path}`);\n    exit(2);\n  }\n\n  const spinner = options.json ? null : createSpinner('Scanning OpenClaw configuration...');\n  spinner?.start();\n\n  try {\n    const scannerResults = await runAllScanners({ openclawPath: options.path });\n    const result = buildScanResult(scannerResults, options.path);\n\n    spinner?.stop();\n\n    if (options.json) {\n      console.log(formatJsonOutput(result));\n    } else {\n      printScore(result);\n      printScannerSummary(result);\n      printFindings(result.findings);\n    }\n\n    if (options.share) {\n      const shareSpinner = options.json ? null : createSpinner('Sharing score card...');\n      shareSpinner?.start();\n\n      try {\n        const shareResponse = await shareResult(result);\n        shareSpinner?.stop();\n\n        if (options.json) {\n          console.log(JSON.stringify({ shared: shareResponse }, null, 2));\n        } else {\n          printSuccess(`Score card shared: ${shareResponse.url}`);\n          console.log(`   Delete token: ${shareResponse.deleteToken}`);\n        }\n      } catch (err) {\n        shareSpinner?.stop();\n        printError(`Failed to share: ${err instanceof Error ? err.message : String(err)}`);\n      }\n    }\n\n    const exitCode = getExitCode(result);\n    exit(exitCode);\n  } catch (err) {\n    spinner?.stop();\n    printError(`Scan failed: ${err instanceof Error ? err.message : String(err)}`);\n    exit(2);\n  }\n}\n\nmain();\n","import { homedir } from 'node:os';\nimport { join } from 'node:path';\n\nexport function getDefaultOpenClawPath(): string {\n  return join(homedir(), '.openclaw');\n}\n\nexport function getOpenClawPaths(basePath: string) {\n  return {\n    root: basePath,\n    config: join(basePath, 'openclaw.json'),\n    credentials: join(basePath, 'credentials'),\n    agents: join(basePath, 'agents'),\n    skills: join(basePath, 'skills'),\n    workspaceSkills: join(basePath, 'workspace', 'skills'),\n  };\n}\n\nexport const SCAN_FILE_PATTERNS = {\n  credentials: [\n    'openclaw.json',\n    'credentials/**/*',\n    'agents/*/agent/auth-profiles.json',\n    'agents/*/sessions/*.jsonl',\n    '.env',\n    '.env.*',\n  ],\n  skills: [\n    'skills/**/*.md',\n    'skills/**/SKILL.md',\n    'workspace/skills/**/*.md',\n  ],\n} as const;\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readTextFile, walkDirectory, fileExists } from '../utils/fs.js';\n\nconst CAP = 40;\n\ninterface CredentialPattern {\n  name: string;\n  pattern: RegExp;\n  severity: 'critical' | 'high' | 'medium';\n  confidence: number;\n}\n\nconst CREDENTIAL_PATTERNS: CredentialPattern[] = [\n  // Anthropic\n  {\n    name: 'Anthropic API Key',\n    pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  // OpenAI\n  {\n    name: 'OpenAI API Key',\n    pattern: /sk-[a-zA-Z0-9]{20,}(?!-ant)/g,\n    severity: 'critical',\n    confidence: 0.9,\n  },\n  // Discord\n  {\n    name: 'Discord Bot Token',\n    pattern: /[MN][A-Za-z\\d]{23,}\\.[\\w-]{6}\\.[\\w-]{27,}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  // Telegram\n  {\n    name: 'Telegram Bot Token',\n    pattern: /\\d{8,10}:[A-Za-z0-9_-]{35}/g,\n    severity: 'critical',\n    confidence: 0.9,\n  },\n  // AWS\n  {\n    name: 'AWS Access Key ID',\n    pattern: /AKIA[0-9A-Z]{16}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  {\n    name: 'AWS Secret Access Key',\n    pattern: /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/g,\n    severity: 'high',\n    confidence: 0.6,\n  },\n  // GitHub\n  {\n    name: 'GitHub Personal Access Token',\n    pattern: /ghp_[a-zA-Z0-9]{36}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  {\n    name: 'GitHub OAuth Token',\n    pattern: /gho_[a-zA-Z0-9]{36}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  {\n    name: 'GitHub Fine-grained PAT',\n    pattern: /github_pat_[a-zA-Z0-9_]{22,}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  // Slack\n  {\n    name: 'Slack Bot Token',\n    pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  {\n    name: 'Slack User Token',\n    pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  // Stripe\n  {\n    name: 'Stripe Secret Key',\n    pattern: /sk_live_[0-9a-zA-Z]{24,}/g,\n    severity: 'critical',\n    confidence: 0.95,\n  },\n  {\n    name: 'Stripe Test Key',\n    pattern: /sk_test_[0-9a-zA-Z]{24,}/g,\n    severity: 'medium',\n    confidence: 0.9,\n  },\n  // Generic patterns\n  {\n    name: 'Generic API Key',\n    pattern: /(?:api[_-]?key|apikey|api[_-]?token)\\s*[=:]\\s*[\"']?([a-zA-Z0-9_-]{20,})[\"']?/gi,\n    severity: 'high',\n    confidence: 0.7,\n  },\n  {\n    name: 'Generic Secret',\n    pattern: /(?:secret|password|passwd|pwd)\\s*[=:]\\s*[\"']?([a-zA-Z0-9_!@#$%^&*-]{8,})[\"']?/gi,\n    severity: 'high',\n    confidence: 0.6,\n  },\n  // Private Keys\n  {\n    name: 'Private Key',\n    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,\n    severity: 'critical',\n    confidence: 0.99,\n  },\n];\n\nconst PLACEHOLDER_PATTERNS = [\n  /^your[-_]?api[-_]?key[-_]?here$/i,\n  /^xxx+$/i,\n  /^placeholder$/i,\n  /^example$/i,\n  /^test[-_]?key$/i,\n  /^\\$\\{[^}]+\\}$/,\n  /^<[^>]+>$/,\n  /^{{[^}]+}}$/,\n  /^%[^%]+%$/,\n  /^INSERT[-_]?YOUR[-_]?KEY$/i,\n  /^REPLACE[-_]?ME$/i,\n  /^TODO$/i,\n  /^changeme$/i,\n];\n\nfunction isPlaceholder(value: string): boolean {\n  return PLACEHOLDER_PATTERNS.some(pattern => pattern.test(value.trim()));\n}\n\nfunction extractValue(match: RegExpMatchArray): string {\n  return match[1] ?? match[0];\n}\n\nasync function scanFile(\n  filePath: string,\n  relativePath: string\n): Promise<Finding[]> {\n  const content = await readTextFile(filePath);\n  if (!content) return [];\n\n  const findings: Finding[] = [];\n  const lines = content.split('\\n');\n\n  for (let lineNum = 0; lineNum < lines.length; lineNum++) {\n    const line = lines[lineNum]!;\n\n    for (const credPattern of CREDENTIAL_PATTERNS) {\n      credPattern.pattern.lastIndex = 0;\n\n      let match: RegExpExecArray | null;\n      while ((match = credPattern.pattern.exec(line)) !== null) {\n        const value = extractValue(match);\n\n        if (isPlaceholder(value)) {\n          continue;\n        }\n\n        if (value.length < 8) {\n          continue;\n        }\n\n        findings.push({\n          scanner: 'credentials',\n          severity: credPattern.severity,\n          title: credPattern.name,\n          description: `Detected ${credPattern.name} in configuration file`,\n          file: relativePath,\n          line: lineNum + 1,\n          confidence: credPattern.confidence,\n        });\n      }\n    }\n  }\n\n  return findings;\n}\n\nexport async function scanCredentials(openclawPath: string): Promise<ScannerResult> {\n  const findings: Finding[] = [];\n\n  const filesToScan = [\n    { path: join(openclawPath, 'openclaw.json'), relative: 'openclaw.json' },\n    { path: join(openclawPath, '.env'), relative: '.env' },\n  ];\n\n  const credentialsDir = join(openclawPath, 'credentials');\n  if (await fileExists(credentialsDir)) {\n    for await (const file of walkDirectory(credentialsDir, openclawPath)) {\n      filesToScan.push({ path: file.path, relative: file.relativePath });\n    }\n  }\n\n  const agentsDir = join(openclawPath, 'agents');\n  if (await fileExists(agentsDir)) {\n    for await (const file of walkDirectory(agentsDir, openclawPath)) {\n      if (\n        file.relativePath.includes('auth-profiles.json') ||\n        file.relativePath.endsWith('.jsonl') ||\n        file.relativePath.endsWith('.json')\n      ) {\n        filesToScan.push({ path: file.path, relative: file.relativePath });\n      }\n    }\n  }\n\n  for (const file of filesToScan) {\n    if (await fileExists(file.path)) {\n      const fileFindings = await scanFile(file.path, file.relative);\n      findings.push(...fileFindings);\n    }\n  }\n\n  const severityScores = {\n    critical: 27.5,\n    high: 17.5,\n    medium: 7.5,\n    low: 2.5,\n  };\n\n  let penalty = 0;\n  for (const finding of findings) {\n    penalty += severityScores[finding.severity] * finding.confidence;\n  }\n\n  return {\n    scanner: 'credentials',\n    findings,\n    penalty: Math.min(penalty, CAP),\n    cap: CAP,\n  };\n}\n","import { readFile, readdir, stat, access } from 'node:fs/promises';\nimport { join, relative } from 'node:path';\nimport { constants } from 'node:fs';\n\nexport async function fileExists(path: string): Promise<boolean> {\n  try {\n    await access(path, constants.F_OK);\n    return true;\n  } catch {\n    return false;\n  }\n}\n\nexport async function readTextFile(path: string): Promise<string | null> {\n  try {\n    return await readFile(path, 'utf-8');\n  } catch {\n    return null;\n  }\n}\n\nexport async function readJsonFile<T>(path: string): Promise<T | null> {\n  const content = await readTextFile(path);\n  if (!content) return null;\n  try {\n    return JSON.parse(content) as T;\n  } catch {\n    return null;\n  }\n}\n\nexport async function getFileStats(path: string) {\n  try {\n    return await stat(path);\n  } catch {\n    return null;\n  }\n}\n\nexport async function* walkDirectory(\n  dir: string,\n  basePath: string = dir\n): AsyncGenerator<{ path: string; relativePath: string }> {\n  try {\n    const entries = await readdir(dir, { withFileTypes: true });\n    for (const entry of entries) {\n      const fullPath = join(dir, entry.name);\n      const relativePath = relative(basePath, fullPath);\n\n      if (entry.isDirectory()) {\n        yield* walkDirectory(fullPath, basePath);\n      } else if (entry.isFile()) {\n        yield { path: fullPath, relativePath };\n      }\n    }\n  } catch {\n    // Directory doesn't exist or not accessible\n  }\n}\n\nexport function matchesPattern(filePath: string, pattern: string): boolean {\n  // Simple glob matching\n  const regexPattern = pattern\n    .replace(/\\./g, '\\\\.')\n    .replace(/\\*\\*/g, '{{GLOBSTAR}}')\n    .replace(/\\*/g, '[^/]*')\n    .replace(/\\{\\{GLOBSTAR\\}\\}/g, '.*');\n\n  return new RegExp(`^${regexPattern}$`).test(filePath);\n}\n\nexport function matchesAnyPattern(filePath: string, patterns: readonly string[]): boolean {\n  return patterns.some(pattern => matchesPattern(filePath, pattern));\n}\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readTextFile, walkDirectory, fileExists } from '../utils/fs.js';\n\nconst CAP = 30;\n\ninterface SkillPattern {\n  name: string;\n  pattern: RegExp;\n  severity: 'critical' | 'high' | 'medium' | 'low';\n  confidence: number;\n  description: string;\n}\n\nconst SKILL_PATTERNS: SkillPattern[] = [\n  // Critical: Remote code execution\n  {\n    name: 'Curl piped to shell',\n    pattern: /curl\\s+[^|]*\\|\\s*(?:bash|sh|zsh)/gi,\n    severity: 'critical',\n    confidence: 0.95,\n    description: 'Downloading and executing remote scripts is extremely dangerous',\n  },\n  {\n    name: 'Wget piped to shell',\n    pattern: /wget\\s+[^|]*\\|\\s*(?:bash|sh|zsh)/gi,\n    severity: 'critical',\n    confidence: 0.95,\n    description: 'Downloading and executing remote scripts is extremely dangerous',\n  },\n  {\n    name: 'Code execution function',\n    pattern: /\\b(?:eval|Function)\\s*\\(/gi,\n    severity: 'critical',\n    confidence: 0.8,\n    description: 'Dynamic code execution can lead to arbitrary code execution',\n  },\n  {\n    name: 'System command execution',\n    pattern: /\\b(?:os\\.system|subprocess\\.call|subprocess\\.run|child_process)\\s*\\(/gi,\n    severity: 'critical',\n    confidence: 0.85,\n    description: 'System command execution may allow arbitrary command injection',\n  },\n  // Critical: Sensitive file access\n  {\n    name: 'SSH key access',\n    pattern: /\\.ssh\\/(?:id_rsa|id_ed25519|id_dsa|authorized_keys)/gi,\n    severity: 'critical',\n    confidence: 0.9,\n    description: 'Accessing SSH keys can compromise authentication',\n  },\n  {\n    name: 'Password file access',\n    pattern: /\\/etc\\/(?:passwd|shadow)/gi,\n    severity: 'critical',\n    confidence: 0.95,\n    description: 'Accessing system password files is a security risk',\n  },\n  // High: Data exfiltration patterns\n  {\n    name: 'POST request with data',\n    pattern: /(?:curl|wget|fetch|axios|request)\\s+.*(?:-d|--data|POST)/gi,\n    severity: 'high',\n    confidence: 0.7,\n    description: 'Outbound data transmission may indicate exfiltration',\n  },\n  {\n    name: 'Base64 encode and send',\n    pattern: /base64.*(?:curl|wget|fetch|send|post)/gi,\n    severity: 'high',\n    confidence: 0.75,\n    description: 'Encoding and transmitting data may indicate exfiltration',\n  },\n  {\n    name: 'Environment variable dump',\n    pattern: /\\benv\\b|\\$ENV|\\bprocess\\.env\\b|\\bos\\.environ\\b/gi,\n    severity: 'high',\n    confidence: 0.6,\n    description: 'Environment access may expose sensitive configuration',\n  },\n  // Medium: File system access\n  {\n    name: 'Unrestricted file read',\n    pattern: /(?:fs\\.readFile|open\\s*\\(|read\\s*\\().*(?:\\*|\\.\\.)/gi,\n    severity: 'medium',\n    confidence: 0.6,\n    description: 'Broad file read patterns may access unintended files',\n  },\n  {\n    name: 'Home directory access',\n    pattern: /~\\/|\\/home\\/|\\$HOME/gi,\n    severity: 'medium',\n    confidence: 0.5,\n    description: 'Accessing user home directory may expose sensitive data',\n  },\n  {\n    name: 'Recursive directory operations',\n    pattern: /(?:-r|--recursive|walk|glob\\*\\*)/gi,\n    severity: 'medium',\n    confidence: 0.4,\n    description: 'Recursive operations may access more files than intended',\n  },\n  // Low: Suspicious but not necessarily harmful\n  {\n    name: 'Network connection',\n    pattern: /(?:socket|connect|http|https):\\/\\//gi,\n    severity: 'low',\n    confidence: 0.3,\n    description: 'Network connections should be reviewed for necessity',\n  },\n  {\n    name: 'File write operation',\n    pattern: /(?:fs\\.writeFile|open\\s*\\([^)]*['\"]\\s*w|>+\\s*[a-zA-Z])/gi,\n    severity: 'low',\n    confidence: 0.4,\n    description: 'File write operations should be reviewed',\n  },\n];\n\nasync function scanSkillFile(\n  filePath: string,\n  relativePath: string\n): Promise<Finding[]> {\n  const content = await readTextFile(filePath);\n  if (!content) return [];\n\n  const findings: Finding[] = [];\n  const lines = content.split('\\n');\n\n  for (let lineNum = 0; lineNum < lines.length; lineNum++) {\n    const line = lines[lineNum]!;\n\n    for (const skillPattern of SKILL_PATTERNS) {\n      skillPattern.pattern.lastIndex = 0;\n\n      if (skillPattern.pattern.test(line)) {\n        findings.push({\n          scanner: 'skills',\n          severity: skillPattern.severity,\n          title: skillPattern.name,\n          description: skillPattern.description,\n          file: relativePath,\n          line: lineNum + 1,\n          confidence: skillPattern.confidence,\n        });\n      }\n    }\n  }\n\n  return findings;\n}\n\nexport async function scanSkills(openclawPath: string): Promise<ScannerResult> {\n  const findings: Finding[] = [];\n\n  const skillsDirs = [\n    join(openclawPath, 'skills'),\n    join(openclawPath, 'workspace', 'skills'),\n  ];\n\n  for (const skillsDir of skillsDirs) {\n    if (await fileExists(skillsDir)) {\n      for await (const file of walkDirectory(skillsDir, openclawPath)) {\n        if (file.relativePath.endsWith('.md')) {\n          const fileFindings = await scanSkillFile(file.path, file.relativePath);\n          findings.push(...fileFindings);\n        }\n      }\n    }\n  }\n\n  const severityScores = {\n    critical: 27.5,\n    high: 17.5,\n    medium: 7.5,\n    low: 2.5,\n  };\n\n  let penalty = 0;\n  for (const finding of findings) {\n    penalty += severityScores[finding.severity] * finding.confidence;\n  }\n\n  return {\n    scanner: 'skills',\n    findings,\n    penalty: Math.min(penalty, CAP),\n    cap: CAP,\n  };\n}\n","import { join } from 'node:path';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readJsonFile, getFileStats, fileExists } from '../utils/fs.js';\n\nconst CAP = 20;\n\ninterface OpenClawConfig {\n  sandbox?: {\n    mode?: 'strict' | 'permissive' | 'disabled';\n  };\n  dmPolicy?: 'allow' | 'deny' | 'ask';\n  allowlist?: string[];\n  gateway?: {\n    bind?: string;\n    auth?: boolean;\n    tls?: boolean;\n  };\n  [key: string]: unknown;\n}\n\nfunction checkSandboxMode(config: OpenClawConfig): Finding | null {\n  const mode = config.sandbox?.mode;\n\n  if (mode === 'disabled') {\n    return {\n      scanner: 'permissions',\n      severity: 'critical',\n      title: 'Sandbox disabled',\n      description: 'Agent sandbox is completely disabled, allowing unrestricted system access',\n      file: 'openclaw.json',\n      confidence: 0.95,\n    };\n  }\n\n  if (mode === 'permissive') {\n    return {\n      scanner: 'permissions',\n      severity: 'high',\n      title: 'Sandbox in permissive mode',\n      description: 'Agent sandbox is in permissive mode, may allow unintended access',\n      file: 'openclaw.json',\n      confidence: 0.85,\n    };\n  }\n\n  return null;\n}\n\nfunction checkDmPolicy(config: OpenClawConfig): Finding | null {\n  const policy = config.dmPolicy;\n\n  if (policy === 'allow') {\n    return {\n      scanner: 'permissions',\n      severity: 'medium',\n      title: 'DM policy allows all',\n      description: 'Direct message policy allows all messages without filtering',\n      file: 'openclaw.json',\n      confidence: 0.7,\n    };\n  }\n\n  return null;\n}\n\nfunction checkAllowlist(config: OpenClawConfig): Finding[] {\n  const findings: Finding[] = [];\n  const allowlist = config.allowlist ?? [];\n\n  for (const entry of allowlist) {\n    if (entry === '*' || entry === '**') {\n      findings.push({\n        scanner: 'permissions',\n        severity: 'critical',\n        title: 'Wildcard allowlist',\n        description: 'Allowlist contains unrestricted wildcard, allowing all access',\n        file: 'openclaw.json',\n        confidence: 0.95,\n      });\n    } else if (entry.includes('*')) {\n      findings.push({\n        scanner: 'permissions',\n        severity: 'medium',\n        title: 'Broad allowlist pattern',\n        description: `Allowlist pattern \"${entry}\" may be too permissive`,\n        file: 'openclaw.json',\n        confidence: 0.6,\n      });\n    }\n  }\n\n  return findings;\n}\n\nfunction checkGateway(config: OpenClawConfig): Finding[] {\n  const findings: Finding[] = [];\n  const gateway = config.gateway;\n\n  if (!gateway) return findings;\n\n  if (gateway.bind === '0.0.0.0' || gateway.bind === '::') {\n    findings.push({\n      scanner: 'permissions',\n      severity: 'high',\n      title: 'Gateway binds to all interfaces',\n      description: 'Gateway is exposed on all network interfaces, should bind to localhost',\n      file: 'openclaw.json',\n      confidence: 0.9,\n    });\n  }\n\n  if (gateway.auth === false) {\n    findings.push({\n      scanner: 'permissions',\n      severity: 'high',\n      title: 'Gateway authentication disabled',\n      description: 'Gateway has authentication disabled, allowing unauthenticated access',\n      file: 'openclaw.json',\n      confidence: 0.9,\n    });\n  }\n\n  if (gateway.tls === false && gateway.bind !== 'localhost' && gateway.bind !== '127.0.0.1') {\n    findings.push({\n      scanner: 'permissions',\n      severity: 'medium',\n      title: 'Gateway TLS disabled',\n      description: 'Gateway TLS is disabled for non-localhost connections',\n      file: 'openclaw.json',\n      confidence: 0.75,\n    });\n  }\n\n  return findings;\n}\n\nasync function checkFilePermissions(openclawPath: string): Promise<Finding[]> {\n  const findings: Finding[] = [];\n\n  const rootStats = await getFileStats(openclawPath);\n  if (rootStats) {\n    const mode = rootStats.mode & 0o777;\n    if ((mode & 0o077) !== 0) {\n      findings.push({\n        scanner: 'permissions',\n        severity: 'medium',\n        title: 'OpenClaw directory too permissive',\n        description: `Directory permissions ${mode.toString(8)} allow group/other access, recommend 700`,\n        file: openclawPath,\n        confidence: 0.8,\n      });\n    }\n  }\n\n  const credentialsDir = join(openclawPath, 'credentials');\n  if (await fileExists(credentialsDir)) {\n    const credStats = await getFileStats(credentialsDir);\n    if (credStats) {\n      const mode = credStats.mode & 0o777;\n      if ((mode & 0o077) !== 0) {\n        findings.push({\n          scanner: 'permissions',\n          severity: 'high',\n          title: 'Credentials directory too permissive',\n          description: `Credentials permissions ${mode.toString(8)} allow group/other access, recommend 700`,\n          file: 'credentials/',\n          confidence: 0.9,\n        });\n      }\n    }\n  }\n\n  return findings;\n}\n\nexport async function scanPermissions(openclawPath: string): Promise<ScannerResult> {\n  const findings: Finding[] = [];\n\n  const configPath = join(openclawPath, 'openclaw.json');\n  const config = await readJsonFile<OpenClawConfig>(configPath);\n\n  if (config) {\n    const sandboxFinding = checkSandboxMode(config);\n    if (sandboxFinding) findings.push(sandboxFinding);\n\n    const dmFinding = checkDmPolicy(config);\n    if (dmFinding) findings.push(dmFinding);\n\n    findings.push(...checkAllowlist(config));\n    findings.push(...checkGateway(config));\n  }\n\n  findings.push(...await checkFilePermissions(openclawPath));\n\n  const severityScores = {\n    critical: 27.5,\n    high: 17.5,\n    medium: 7.5,\n    low: 2.5,\n  };\n\n  let penalty = 0;\n  for (const finding of findings) {\n    penalty += severityScores[finding.severity] * finding.confidence;\n  }\n\n  return {\n    scanner: 'permissions',\n    findings,\n    penalty: Math.min(penalty, CAP),\n    cap: CAP,\n  };\n}\n","import { join } from 'node:path';\nimport { createConnection } from 'node:net';\nimport type { Finding, ScannerResult } from '../types/index.js';\nimport { readJsonFile } from '../utils/fs.js';\n\nconst CAP = 10;\n\ninterface GatewayConfig {\n  bind?: string;\n  port?: number;\n  auth?: boolean;\n  tls?: boolean;\n}\n\ninterface OpenClawConfig {\n  gateway?: GatewayConfig;\n  [key: string]: unknown;\n}\n\nconst DEFAULT_PORTS = [18789, 8080, 3000];\nconst PORT_SCAN_TIMEOUT = 1000;\n\nasync function checkPortOpen(port: number, host: string = 'localhost'): Promise<boolean> {\n  return new Promise((resolve) => {\n    const socket = createConnection({ port, host, timeout: PORT_SCAN_TIMEOUT });\n\n    socket.on('connect', () => {\n      socket.destroy();\n      resolve(true);\n    });\n\n    socket.on('timeout', () => {\n      socket.destroy();\n      resolve(false);\n    });\n\n    socket.on('error', () => {\n      socket.destroy();\n      resolve(false);\n    });\n  });\n}\n\nasync function scanOpenPorts(): Promise<Finding[]> {\n  const findings: Finding[] = [];\n\n  for (const port of DEFAULT_PORTS) {\n    const isOpen = await checkPortOpen(port);\n    if (isOpen) {\n      findings.push({\n        scanner: 'network',\n        severity: 'low',\n        title: `Port ${port} is open`,\n        description: `Localhost port ${port} is listening, verify if this is expected`,\n        confidence: 0.5,\n      });\n    }\n  }\n\n  return findings;\n}\n\nfunction analyzeGatewayConfig(config: OpenClawConfig): Finding[] {\n  const findings: Finding[] = [];\n  const gateway = config.gateway;\n\n  if (!gateway) return findings;\n\n  const bind = gateway.bind ?? 'localhost';\n  const isExposed = bind === '0.0.0.0' || bind === '::';\n\n  if (isExposed) {\n    if (!gateway.tls) {\n      findings.push({\n        scanner: 'network',\n        severity: 'high',\n        title: 'Exposed gateway without TLS',\n        description: 'Gateway is exposed to network without TLS encryption',\n        file: 'openclaw.json',\n        confidence: 0.9,\n      });\n    }\n\n    if (!gateway.auth) {\n      findings.push({\n        scanner: 'network',\n        severity: 'critical',\n        title: 'Exposed gateway without authentication',\n        description: 'Gateway is exposed to network without authentication',\n        file: 'openclaw.json',\n        confidence: 0.95,\n      });\n    }\n  }\n\n  const port = gateway.port ?? 18789;\n  if (port < 1024 && port !== 443 && port !== 80) {\n    findings.push({\n      scanner: 'network',\n      severity: 'medium',\n      title: 'Non-standard privileged port',\n      description: `Gateway uses privileged port ${port}, requires elevated permissions`,\n      file: 'openclaw.json',\n      confidence: 0.7,\n    });\n  }\n\n  return findings;\n}\n\nexport async function scanNetwork(openclawPath: string): Promise<ScannerResult> {\n  const findings: Finding[] = [];\n\n  const configPath = join(openclawPath, 'openclaw.json');\n  const config = await readJsonFile<OpenClawConfig>(configPath);\n\n  if (config) {\n    findings.push(...analyzeGatewayConfig(config));\n  }\n\n  findings.push(...await scanOpenPorts());\n\n  const severityScores = {\n    critical: 27.5,\n    high: 17.5,\n    medium: 7.5,\n    low: 2.5,\n  };\n\n  let penalty = 0;\n  for (const finding of findings) {\n    penalty += severityScores[finding.severity] * finding.confidence;\n  }\n\n  return {\n    scanner: 'network',\n    findings,\n    penalty: Math.min(penalty, CAP),\n    cap: CAP,\n  };\n}\n","import type { ScannerResult, Finding } from '../types/index.js';\nimport { scanCredentials } from './credentials.js';\nimport { scanSkills } from './skills.js';\nimport { scanPermissions } from './permissions.js';\nimport { scanNetwork } from './network.js';\n\nexport interface ScanOptions {\n  openclawPath: string;\n}\n\nexport async function runAllScanners(options: ScanOptions): Promise<ScannerResult[]> {\n  const { openclawPath } = options;\n\n  const results = await Promise.all([\n    scanCredentials(openclawPath),\n    scanSkills(openclawPath),\n    scanPermissions(openclawPath),\n    scanNetwork(openclawPath),\n  ]);\n\n  return results;\n}\n\nexport function getAllFindings(results: ScannerResult[]): Finding[] {\n  return results.flatMap(r => r.findings);\n}\n\nexport function getTotalPenalty(results: ScannerResult[]): number {\n  return results.reduce((sum, r) => sum + r.penalty, 0);\n}\n\nexport { scanCredentials, scanSkills, scanPermissions, scanNetwork };\n","import type { ScannerResult, Finding, Grade, ScanResult } from '../types/index.js';\n\nexport function calculateScore(results: ScannerResult[]): number {\n  const totalPenalty = results.reduce((sum, r) => sum + r.penalty, 0);\n  return Math.max(0, Math.round(100 - totalPenalty));\n}\n\nexport function determineGrade(score: number, findings: Finding[]): Grade {\n  const hasCritical = findings.some(f => f.severity === 'critical');\n\n  if (hasCritical) {\n    if (score >= 75) return 'C';\n    if (score >= 60) return 'C';\n    if (score >= 40) return 'D';\n    return 'F';\n  }\n\n  if (score >= 90) return 'A';\n  if (score >= 75) return 'B';\n  if (score >= 60) return 'C';\n  if (score >= 40) return 'D';\n  return 'F';\n}\n\nexport function buildScanResult(\n  results: ScannerResult[],\n  openclawPath: string\n): ScanResult {\n  const findings = results.flatMap(r => r.findings);\n  const score = calculateScore(results);\n  const grade = determineGrade(score, findings);\n\n  return {\n    score,\n    grade,\n    scanners: results,\n    findings,\n    timestamp: new Date().toISOString(),\n    openclawPath,\n  };\n}\n\nexport function getExitCode(result: ScanResult): number {\n  const hasCriticalOrHigh = result.findings.some(\n    f => f.severity === 'critical' || f.severity === 'high'\n  );\n\n  if (result.score < 75 || hasCriticalOrHigh) {\n    return 1;\n  }\n\n  return 0;\n}\n\nexport function countBySeverity(findings: Finding[]) {\n  return {\n    critical: findings.filter(f => f.severity === 'critical').length,\n    high: findings.filter(f => f.severity === 'high').length,\n    medium: findings.filter(f => f.severity === 'medium').length,\n    low: findings.filter(f => f.severity === 'low').length,\n  };\n}\n","import chalk from 'chalk';\nimport ora from 'ora';\nimport boxen from 'boxen';\nimport type { ScanResult, Finding, Grade } from '../types/index.js';\nimport { countBySeverity } from '../scoring/index.js';\nimport { formatFindingLocation } from '../utils/redact.js';\n\nconst CRAB = '\\u{1F980}';\n\nconst GRADE_COLORS: Record<Grade, (text: string) => string> = {\n  A: chalk.green,\n  B: chalk.greenBright,\n  C: chalk.yellow,\n  D: chalk.hex('#FFA500'),\n  F: chalk.red,\n};\n\nconst SEVERITY_COLORS = {\n  critical: chalk.bgRed.white,\n  high: chalk.red,\n  medium: chalk.yellow,\n  low: chalk.gray,\n};\n\nconst SEVERITY_ICONS = {\n  critical: '\\u{1F6A8}',\n  high: '\\u26A0\\uFE0F',\n  medium: '\\u{1F7E1}',\n  low: '\\u2139\\uFE0F',\n};\n\nexport function createSpinner(text: string) {\n  return ora({\n    text,\n    spinner: 'dots',\n  });\n}\n\nexport function printHeader() {\n  console.log(\n    boxen(\n      `${CRAB} ${chalk.bold('CRABB')} ${chalk.dim('Security Scanner for OpenClaw')}`,\n      {\n        padding: { top: 0, bottom: 0, left: 1, right: 1 },\n        borderColor: 'cyan',\n        borderStyle: 'round',\n      }\n    )\n  );\n  console.log();\n}\n\nexport function printScore(result: ScanResult) {\n  const gradeColor = GRADE_COLORS[result.grade];\n  const counts = countBySeverity(result.findings);\n\n  const scoreDisplay = boxen(\n    [\n      `${CRAB} ${chalk.bold('CRABB SCORE')}`,\n      '',\n      `   ${gradeColor(chalk.bold(`${result.score}`))} ${chalk.dim('/ 100')}`,\n      `   Grade: ${gradeColor(chalk.bold(result.grade))}`,\n      '',\n      chalk.dim('─'.repeat(24)),\n      '',\n      `${SEVERITY_ICONS.critical} Critical: ${counts.critical > 0 ? chalk.red(counts.critical) : chalk.dim('0')}`,\n      `${SEVERITY_ICONS.high} High:     ${counts.high > 0 ? chalk.red(counts.high) : chalk.dim('0')}`,\n      `${SEVERITY_ICONS.medium} Medium:   ${counts.medium > 0 ? chalk.yellow(counts.medium) : chalk.dim('0')}`,\n      `${SEVERITY_ICONS.low} Low:      ${counts.low > 0 ? chalk.gray(counts.low) : chalk.dim('0')}`,\n    ].join('\\n'),\n    {\n      padding: 1,\n      borderColor: result.grade === 'A' || result.grade === 'B' ? 'green' : result.grade === 'C' ? 'yellow' : 'red',\n      borderStyle: 'round',\n    }\n  );\n\n  console.log(scoreDisplay);\n  console.log();\n}\n\nexport function printFindings(findings: Finding[]) {\n  if (findings.length === 0) {\n    console.log(chalk.green(`${CRAB} No security issues found!`));\n    return;\n  }\n\n  const sortedFindings = [...findings].sort((a, b) => {\n    const order = { critical: 0, high: 1, medium: 2, low: 3 };\n    return order[a.severity] - order[b.severity];\n  });\n\n  console.log(chalk.bold('Findings:\\n'));\n\n  for (const finding of sortedFindings) {\n    const severityColor = SEVERITY_COLORS[finding.severity];\n    const icon = SEVERITY_ICONS[finding.severity];\n\n    console.log(`${icon} ${severityColor(finding.severity.toUpperCase())} ${chalk.bold(finding.title)}`);\n    console.log(`   ${chalk.dim(finding.description)}`);\n    if (finding.file) {\n      console.log(`   ${chalk.cyan(formatFindingLocation(finding.file, finding.line))}`);\n    }\n    console.log();\n  }\n}\n\nexport function printScannerSummary(result: ScanResult) {\n  console.log(chalk.bold('Scanner Summary:\\n'));\n\n  for (const scanner of result.scanners) {\n    const penaltyColor = scanner.penalty > 0 ? chalk.red : chalk.green;\n    const bar = createProgressBar(scanner.cap - scanner.penalty, scanner.cap);\n\n    console.log(\n      `  ${scanner.scanner.padEnd(12)} ${bar} ${penaltyColor(`-${scanner.penalty.toFixed(1)}`)} ${chalk.dim(`/ ${scanner.cap}`)}`\n    );\n  }\n\n  console.log();\n}\n\nfunction createProgressBar(value: number, max: number, width: number = 20): string {\n  const percentage = Math.max(0, Math.min(1, value / max));\n  const filled = Math.round(percentage * width);\n  const empty = width - filled;\n\n  const color = percentage >= 0.75 ? chalk.green : percentage >= 0.5 ? chalk.yellow : chalk.red;\n\n  return color('\\u2588'.repeat(filled)) + chalk.dim('\\u2591'.repeat(empty));\n}\n\nexport function printError(message: string) {\n  console.error(chalk.red(`\\u2717 Error: ${message}`));\n}\n\nexport function printSuccess(message: string) {\n  console.log(chalk.green(`\\u2713 ${message}`));\n}\n","/**\n * Redaction utilities - NEVER output real secrets\n */\n\nconst REDACT_PATTERNS = [\n  // API Keys with known prefixes\n  /sk-[a-zA-Z0-9]{20,}/g,\n  /sk-ant-[a-zA-Z0-9-]{20,}/g,\n  /xoxb-[a-zA-Z0-9-]+/g,\n  /xoxp-[a-zA-Z0-9-]+/g,\n  /ghp_[a-zA-Z0-9]{36}/g,\n  /gho_[a-zA-Z0-9]{36}/g,\n  /github_pat_[a-zA-Z0-9_]{22,}/g,\n\n  // Generic secrets\n  /[a-zA-Z0-9_-]{32,}/g,\n];\n\nexport function redactValue(value: string): string {\n  if (value.length <= 8) {\n    return '*'.repeat(value.length);\n  }\n\n  const visibleStart = 4;\n  const visibleEnd = 4;\n  const redactedLength = value.length - visibleStart - visibleEnd;\n\n  return `${value.slice(0, visibleStart)}${'*'.repeat(Math.max(4, redactedLength))}${value.slice(-visibleEnd)}`;\n}\n\nexport function redactLine(line: string): string {\n  let result = line;\n\n  for (const pattern of REDACT_PATTERNS) {\n    result = result.replace(pattern, (match) => redactValue(match));\n  }\n\n  return result;\n}\n\nexport function formatFindingLocation(file: string, line?: number): string {\n  if (line !== undefined) {\n    return `${file}:${line}`;\n  }\n  return file;\n}\n","import type { ScanResult, SharePayload } from '../types/index.js';\nimport { countBySeverity } from '../scoring/index.js';\n\nexport function formatJsonOutput(result: ScanResult): string {\n  return JSON.stringify(result, null, 2);\n}\n\nexport function buildSharePayload(result: ScanResult): SharePayload {\n  const counts = countBySeverity(result.findings);\n\n  return {\n    score: result.score,\n    grade: result.grade,\n    scannerSummary: result.scanners.map(s => ({\n      scanner: s.scanner,\n      findingsCount: s.findings.length,\n      penalty: s.penalty,\n    })),\n    criticalCount: counts.critical,\n    highCount: counts.high,\n    mediumCount: counts.medium,\n    lowCount: counts.low,\n    timestamp: result.timestamp,\n  };\n}\n","import type { ScanResult, ShareResponse } from '../types/index.js';\nimport { buildSharePayload } from '../output/json.js';\n\nconst SHARE_API_URL = 'https://crabb.ai/api/share';\n\nexport async function shareResult(result: ScanResult): Promise<ShareResponse> {\n  const payload = buildSharePayload(result);\n\n  const response = await fetch(SHARE_API_URL, {\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/json',\n    },\n    body: JSON.stringify(payload),\n  });\n\n  if (!response.ok) {\n    throw new Error(`Failed to share result: ${response.status} ${response.statusText}`);\n  }\n\n  return response.json() as Promise<ShareResponse>;\n}\n\nexport async function shareResultMock(result: ScanResult): Promise<ShareResponse> {\n  const payload = buildSharePayload(result);\n\n  const mockId = `mock-${Date.now().toString(36)}`;\n\n  return {\n    id: mockId,\n    url: `https://crabb.ai/score/${mockId}`,\n    deleteToken: `delete-${mockId}`,\n  };\n}\n"],"mappings":";;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,YAAY;;;ACDrB,SAAS,eAAe;AACxB,SAAS,YAAY;AAEd,SAAS,yBAAiC;AAC/C,SAAO,KAAK,QAAQ,GAAG,WAAW;AACpC;;;ACLA,SAAS,QAAAA,aAAY;;;ACArB,SAAS,UAAU,SAAS,MAAM,cAAc;AAChD,SAAS,QAAAC,OAAM,gBAAgB;AAC/B,SAAS,iBAAiB;AAE1B,eAAsB,WAAW,MAAgC;AAC/D,MAAI;AACF,UAAM,OAAO,MAAM,UAAU,IAAI;AACjC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAa,MAAsC;AACvE,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,OAAO;AAAA,EACrC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAgB,MAAiC;AACrE,QAAM,UAAU,MAAM,aAAa,IAAI;AACvC,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI;AACF,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAa,MAAc;AAC/C,MAAI;AACF,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,gBAAuB,cACrB,KACA,WAAmB,KACqC;AACxD,MAAI;AACF,UAAM,UAAU,MAAM,QAAQ,KAAK,EAAE,eAAe,KAAK,CAAC;AAC1D,eAAW,SAAS,SAAS;AAC3B,YAAM,WAAWA,MAAK,KAAK,MAAM,IAAI;AACrC,YAAM,eAAe,SAAS,UAAU,QAAQ;AAEhD,UAAI,MAAM,YAAY,GAAG;AACvB,eAAO,cAAc,UAAU,QAAQ;AAAA,MACzC,WAAW,MAAM,OAAO,GAAG;AACzB,cAAM,EAAE,MAAM,UAAU,aAAa;AAAA,MACvC;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AACF;;;ADtDA,IAAM,MAAM;AASZ,IAAM,sBAA2C;AAAA;AAAA,EAE/C;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,EACd;AACF;AAEA,IAAM,uBAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,cAAc,OAAwB;AAC7C,SAAO,qBAAqB,KAAK,aAAW,QAAQ,KAAK,MAAM,KAAK,CAAC,CAAC;AACxE;AAEA,SAAS,aAAa,OAAiC;AACrD,SAAO,MAAM,CAAC,KAAK,MAAM,CAAC;AAC5B;AAEA,eAAe,SACb,UACA,cACoB;AACpB,QAAM,UAAU,MAAM,aAAa,QAAQ;AAC3C,MAAI,CAAC,QAAS,QAAO,CAAC;AAEtB,QAAM,WAAsB,CAAC;AAC7B,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAEhC,WAAS,UAAU,GAAG,UAAU,MAAM,QAAQ,WAAW;AACvD,UAAM,OAAO,MAAM,OAAO;AAE1B,eAAW,eAAe,qBAAqB;AAC7C,kBAAY,QAAQ,YAAY;AAEhC,UAAI;AACJ,cAAQ,QAAQ,YAAY,QAAQ,KAAK,IAAI,OAAO,MAAM;AACxD,cAAM,QAAQ,aAAa,KAAK;AAEhC,YAAI,cAAc,KAAK,GAAG;AACxB;AAAA,QACF;AAEA,YAAI,MAAM,SAAS,GAAG;AACpB;AAAA,QACF;AAEA,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU,YAAY;AAAA,UACtB,OAAO,YAAY;AAAA,UACnB,aAAa,YAAY,YAAY,IAAI;AAAA,UACzC,MAAM;AAAA,UACN,MAAM,UAAU;AAAA,UAChB,YAAY,YAAY;AAAA,QAC1B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,gBAAgB,cAA8C;AAClF,QAAM,WAAsB,CAAC;AAE7B,QAAM,cAAc;AAAA,IAClB,EAAE,MAAMC,MAAK,cAAc,eAAe,GAAG,UAAU,gBAAgB;AAAA,IACvE,EAAE,MAAMA,MAAK,cAAc,MAAM,GAAG,UAAU,OAAO;AAAA,EACvD;AAEA,QAAM,iBAAiBA,MAAK,cAAc,aAAa;AACvD,MAAI,MAAM,WAAW,cAAc,GAAG;AACpC,qBAAiB,QAAQ,cAAc,gBAAgB,YAAY,GAAG;AACpE,kBAAY,KAAK,EAAE,MAAM,KAAK,MAAM,UAAU,KAAK,aAAa,CAAC;AAAA,IACnE;AAAA,EACF;AAEA,QAAM,YAAYA,MAAK,cAAc,QAAQ;AAC7C,MAAI,MAAM,WAAW,SAAS,GAAG;AAC/B,qBAAiB,QAAQ,cAAc,WAAW,YAAY,GAAG;AAC/D,UACE,KAAK,aAAa,SAAS,oBAAoB,KAC/C,KAAK,aAAa,SAAS,QAAQ,KACnC,KAAK,aAAa,SAAS,OAAO,GAClC;AACA,oBAAY,KAAK,EAAE,MAAM,KAAK,MAAM,UAAU,KAAK,aAAa,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AAEA,aAAW,QAAQ,aAAa;AAC9B,QAAI,MAAM,WAAW,KAAK,IAAI,GAAG;AAC/B,YAAM,eAAe,MAAM,SAAS,KAAK,MAAM,KAAK,QAAQ;AAC5D,eAAS,KAAK,GAAG,YAAY;AAAA,IAC/B;AAAA,EACF;AAEA,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAAS,GAAG;AAAA,IAC9B,KAAK;AAAA,EACP;AACF;;;AEnPA,SAAS,QAAAC,aAAY;AAIrB,IAAMC,OAAM;AAUZ,IAAM,iBAAiC;AAAA;AAAA,EAErC;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA;AAAA,EAEA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf;AACF;AAEA,eAAe,cACb,UACA,cACoB;AACpB,QAAM,UAAU,MAAM,aAAa,QAAQ;AAC3C,MAAI,CAAC,QAAS,QAAO,CAAC;AAEtB,QAAM,WAAsB,CAAC;AAC7B,QAAM,QAAQ,QAAQ,MAAM,IAAI;AAEhC,WAAS,UAAU,GAAG,UAAU,MAAM,QAAQ,WAAW;AACvD,UAAM,OAAO,MAAM,OAAO;AAE1B,eAAW,gBAAgB,gBAAgB;AACzC,mBAAa,QAAQ,YAAY;AAEjC,UAAI,aAAa,QAAQ,KAAK,IAAI,GAAG;AACnC,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU,aAAa;AAAA,UACvB,OAAO,aAAa;AAAA,UACpB,aAAa,aAAa;AAAA,UAC1B,MAAM;AAAA,UACN,MAAM,UAAU;AAAA,UAChB,YAAY,aAAa;AAAA,QAC3B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,WAAW,cAA8C;AAC7E,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAa;AAAA,IACjBC,MAAK,cAAc,QAAQ;AAAA,IAC3BA,MAAK,cAAc,aAAa,QAAQ;AAAA,EAC1C;AAEA,aAAW,aAAa,YAAY;AAClC,QAAI,MAAM,WAAW,SAAS,GAAG;AAC/B,uBAAiB,QAAQ,cAAc,WAAW,YAAY,GAAG;AAC/D,YAAI,KAAK,aAAa,SAAS,KAAK,GAAG;AACrC,gBAAM,eAAe,MAAM,cAAc,KAAK,MAAM,KAAK,YAAY;AACrE,mBAAS,KAAK,GAAG,YAAY;AAAA,QAC/B;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;AC9LA,SAAS,QAAAE,aAAY;AAIrB,IAAMC,OAAM;AAgBZ,SAAS,iBAAiB,QAAwC;AAChE,QAAM,OAAO,OAAO,SAAS;AAE7B,MAAI,SAAS,YAAY;AACvB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,MAAI,SAAS,cAAc;AACzB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,QAAwC;AAC7D,QAAM,SAAS,OAAO;AAEtB,MAAI,WAAW,SAAS;AACtB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,QAAmC;AACzD,QAAM,WAAsB,CAAC;AAC7B,QAAM,YAAY,OAAO,aAAa,CAAC;AAEvC,aAAW,SAAS,WAAW;AAC7B,QAAI,UAAU,OAAO,UAAU,MAAM;AACnC,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH,WAAW,MAAM,SAAS,GAAG,GAAG;AAC9B,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,sBAAsB,KAAK;AAAA,QACxC,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,aAAa,QAAmC;AACvD,QAAM,WAAsB,CAAC;AAC7B,QAAM,UAAU,OAAO;AAEvB,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI,QAAQ,SAAS,aAAa,QAAQ,SAAS,MAAM;AACvD,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,SAAS,OAAO;AAC1B,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,QAAQ,SAAS,QAAQ,SAAS,eAAe,QAAQ,SAAS,aAAa;AACzF,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,qBAAqB,cAA0C;AAC5E,QAAM,WAAsB,CAAC;AAE7B,QAAM,YAAY,MAAM,aAAa,YAAY;AACjD,MAAI,WAAW;AACb,UAAM,OAAO,UAAU,OAAO;AAC9B,SAAK,OAAO,QAAW,GAAG;AACxB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,yBAAyB,KAAK,SAAS,CAAC,CAAC;AAAA,QACtD,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,iBAAiBC,MAAK,cAAc,aAAa;AACvD,MAAI,MAAM,WAAW,cAAc,GAAG;AACpC,UAAM,YAAY,MAAM,aAAa,cAAc;AACnD,QAAI,WAAW;AACb,YAAM,OAAO,UAAU,OAAO;AAC9B,WAAK,OAAO,QAAW,GAAG;AACxB,iBAAS,KAAK;AAAA,UACZ,SAAS;AAAA,UACT,UAAU;AAAA,UACV,OAAO;AAAA,UACP,aAAa,2BAA2B,KAAK,SAAS,CAAC,CAAC;AAAA,UACxD,MAAM;AAAA,UACN,YAAY;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,gBAAgB,cAA8C;AAClF,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAaA,MAAK,cAAc,eAAe;AACrD,QAAM,SAAS,MAAM,aAA6B,UAAU;AAE5D,MAAI,QAAQ;AACV,UAAM,iBAAiB,iBAAiB,MAAM;AAC9C,QAAI,eAAgB,UAAS,KAAK,cAAc;AAEhD,UAAM,YAAY,cAAc,MAAM;AACtC,QAAI,UAAW,UAAS,KAAK,SAAS;AAEtC,aAAS,KAAK,GAAG,eAAe,MAAM,CAAC;AACvC,aAAS,KAAK,GAAG,aAAa,MAAM,CAAC;AAAA,EACvC;AAEA,WAAS,KAAK,GAAG,MAAM,qBAAqB,YAAY,CAAC;AAEzD,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;ACpNA,SAAS,QAAAE,aAAY;AACrB,SAAS,wBAAwB;AAIjC,IAAMC,OAAM;AAcZ,IAAM,gBAAgB,CAAC,OAAO,MAAM,GAAI;AACxC,IAAM,oBAAoB;AAE1B,eAAe,cAAc,MAAc,OAAe,aAA+B;AACvF,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,UAAM,SAAS,iBAAiB,EAAE,MAAM,MAAM,SAAS,kBAAkB,CAAC;AAE1E,WAAO,GAAG,WAAW,MAAM;AACzB,aAAO,QAAQ;AACf,cAAQ,IAAI;AAAA,IACd,CAAC;AAED,WAAO,GAAG,WAAW,MAAM;AACzB,aAAO,QAAQ;AACf,cAAQ,KAAK;AAAA,IACf,CAAC;AAED,WAAO,GAAG,SAAS,MAAM;AACvB,aAAO,QAAQ;AACf,cAAQ,KAAK;AAAA,IACf,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAe,gBAAoC;AACjD,QAAM,WAAsB,CAAC;AAE7B,aAAW,QAAQ,eAAe;AAChC,UAAM,SAAS,MAAM,cAAc,IAAI;AACvC,QAAI,QAAQ;AACV,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO,QAAQ,IAAI;AAAA,QACnB,aAAa,kBAAkB,IAAI;AAAA,QACnC,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,qBAAqB,QAAmC;AAC/D,QAAM,WAAsB,CAAC;AAC7B,QAAM,UAAU,OAAO;AAEvB,MAAI,CAAC,QAAS,QAAO;AAErB,QAAM,OAAO,QAAQ,QAAQ;AAC7B,QAAM,YAAY,SAAS,aAAa,SAAS;AAEjD,MAAI,WAAW;AACb,QAAI,CAAC,QAAQ,KAAK;AAChB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ,MAAM;AACjB,eAAS,KAAK;AAAA,QACZ,SAAS;AAAA,QACT,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa;AAAA,QACb,MAAM;AAAA,QACN,YAAY;AAAA,MACd,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,OAAO,QAAQ,QAAQ;AAC7B,MAAI,OAAO,QAAQ,SAAS,OAAO,SAAS,IAAI;AAC9C,aAAS,KAAK;AAAA,MACZ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,OAAO;AAAA,MACP,aAAa,gCAAgC,IAAI;AAAA,MACjD,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAsB,YAAY,cAA8C;AAC9E,QAAM,WAAsB,CAAC;AAE7B,QAAM,aAAaC,MAAK,cAAc,eAAe;AACrD,QAAM,SAAS,MAAM,aAA6B,UAAU;AAE5D,MAAI,QAAQ;AACV,aAAS,KAAK,GAAG,qBAAqB,MAAM,CAAC;AAAA,EAC/C;AAEA,WAAS,KAAK,GAAG,MAAM,cAAc,CAAC;AAEtC,QAAM,iBAAiB;AAAA,IACrB,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,EACP;AAEA,MAAI,UAAU;AACd,aAAW,WAAW,UAAU;AAC9B,eAAW,eAAe,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EACxD;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,SAAS,KAAK,IAAI,SAASD,IAAG;AAAA,IAC9B,KAAKA;AAAA,EACP;AACF;;;AClIA,eAAsB,eAAe,SAAgD;AACnF,QAAM,EAAE,aAAa,IAAI;AAEzB,QAAM,UAAU,MAAM,QAAQ,IAAI;AAAA,IAChC,gBAAgB,YAAY;AAAA,IAC5B,WAAW,YAAY;AAAA,IACvB,gBAAgB,YAAY;AAAA,IAC5B,YAAY,YAAY;AAAA,EAC1B,CAAC;AAED,SAAO;AACT;;;ACnBO,SAAS,eAAe,SAAkC;AAC/D,QAAM,eAAe,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,SAAS,CAAC;AAClE,SAAO,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY,CAAC;AACnD;AAEO,SAAS,eAAe,OAAe,UAA4B;AACxE,QAAM,cAAc,SAAS,KAAK,OAAK,EAAE,aAAa,UAAU;AAEhE,MAAI,aAAa;AACf,QAAI,SAAS,GAAI,QAAO;AACxB,QAAI,SAAS,GAAI,QAAO;AACxB,QAAI,SAAS,GAAI,QAAO;AACxB,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;AAEO,SAAS,gBACd,SACA,cACY;AACZ,QAAM,WAAW,QAAQ,QAAQ,OAAK,EAAE,QAAQ;AAChD,QAAM,QAAQ,eAAe,OAAO;AACpC,QAAM,QAAQ,eAAe,OAAO,QAAQ;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,EACF;AACF;AAEO,SAAS,YAAY,QAA4B;AACtD,QAAM,oBAAoB,OAAO,SAAS;AAAA,IACxC,OAAK,EAAE,aAAa,cAAc,EAAE,aAAa;AAAA,EACnD;AAEA,MAAI,OAAO,QAAQ,MAAM,mBAAmB;AAC1C,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,gBAAgB,UAAqB;AACnD,SAAO;AAAA,IACL,UAAU,SAAS,OAAO,OAAK,EAAE,aAAa,UAAU,EAAE;AAAA,IAC1D,MAAM,SAAS,OAAO,OAAK,EAAE,aAAa,MAAM,EAAE;AAAA,IAClD,QAAQ,SAAS,OAAO,OAAK,EAAE,aAAa,QAAQ,EAAE;AAAA,IACtD,KAAK,SAAS,OAAO,OAAK,EAAE,aAAa,KAAK,EAAE;AAAA,EAClD;AACF;;;AC7DA,OAAO,WAAW;AAClB,OAAO,SAAS;AAChB,OAAO,WAAW;;;ACsCX,SAAS,sBAAsB,MAAc,MAAuB;AACzE,MAAI,SAAS,QAAW;AACtB,WAAO,GAAG,IAAI,IAAI,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADtCA,IAAM,OAAO;AAEb,IAAM,eAAwD;AAAA,EAC5D,GAAG,MAAM;AAAA,EACT,GAAG,MAAM;AAAA,EACT,GAAG,MAAM;AAAA,EACT,GAAG,MAAM,IAAI,SAAS;AAAA,EACtB,GAAG,MAAM;AACX;AAEA,IAAM,kBAAkB;AAAA,EACtB,UAAU,MAAM,MAAM;AAAA,EACtB,MAAM,MAAM;AAAA,EACZ,QAAQ,MAAM;AAAA,EACd,KAAK,MAAM;AACb;AAEA,IAAM,iBAAiB;AAAA,EACrB,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,KAAK;AACP;AAEO,SAAS,cAAc,MAAc;AAC1C,SAAO,IAAI;AAAA,IACT;AAAA,IACA,SAAS;AAAA,EACX,CAAC;AACH;AAEO,SAAS,cAAc;AAC5B,UAAQ;AAAA,IACN;AAAA,MACE,GAAG,IAAI,IAAI,MAAM,KAAK,OAAO,CAAC,IAAI,MAAM,IAAI,+BAA+B,CAAC;AAAA,MAC5E;AAAA,QACE,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,EAAE;AAAA,QAChD,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACA,UAAQ,IAAI;AACd;AAEO,SAAS,WAAW,QAAoB;AAC7C,QAAM,aAAa,aAAa,OAAO,KAAK;AAC5C,QAAM,SAAS,gBAAgB,OAAO,QAAQ;AAE9C,QAAM,eAAe;AAAA,IACnB;AAAA,MACE,GAAG,IAAI,IAAI,MAAM,KAAK,aAAa,CAAC;AAAA,MACpC;AAAA,MACA,MAAM,WAAW,MAAM,KAAK,GAAG,OAAO,KAAK,EAAE,CAAC,CAAC,IAAI,MAAM,IAAI,OAAO,CAAC;AAAA,MACrE,aAAa,WAAW,MAAM,KAAK,OAAO,KAAK,CAAC,CAAC;AAAA,MACjD;AAAA,MACA,MAAM,IAAI,SAAI,OAAO,EAAE,CAAC;AAAA,MACxB;AAAA,MACA,GAAG,eAAe,QAAQ,cAAc,OAAO,WAAW,IAAI,MAAM,IAAI,OAAO,QAAQ,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MACzG,GAAG,eAAe,IAAI,cAAc,OAAO,OAAO,IAAI,MAAM,IAAI,OAAO,IAAI,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MAC7F,GAAG,eAAe,MAAM,cAAc,OAAO,SAAS,IAAI,MAAM,OAAO,OAAO,MAAM,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,MACtG,GAAG,eAAe,GAAG,cAAc,OAAO,MAAM,IAAI,MAAM,KAAK,OAAO,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC;AAAA,IAC7F,EAAE,KAAK,IAAI;AAAA,IACX;AAAA,MACE,SAAS;AAAA,MACT,aAAa,OAAO,UAAU,OAAO,OAAO,UAAU,MAAM,UAAU,OAAO,UAAU,MAAM,WAAW;AAAA,MACxG,aAAa;AAAA,IACf;AAAA,EACF;AAEA,UAAQ,IAAI,YAAY;AACxB,UAAQ,IAAI;AACd;AAEO,SAAS,cAAc,UAAqB;AACjD,MAAI,SAAS,WAAW,GAAG;AACzB,YAAQ,IAAI,MAAM,MAAM,GAAG,IAAI,4BAA4B,CAAC;AAC5D;AAAA,EACF;AAEA,QAAM,iBAAiB,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM;AAClD,UAAM,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,EAAE;AACxD,WAAO,MAAM,EAAE,QAAQ,IAAI,MAAM,EAAE,QAAQ;AAAA,EAC7C,CAAC;AAED,UAAQ,IAAI,MAAM,KAAK,aAAa,CAAC;AAErC,aAAW,WAAW,gBAAgB;AACpC,UAAM,gBAAgB,gBAAgB,QAAQ,QAAQ;AACtD,UAAM,OAAO,eAAe,QAAQ,QAAQ;AAE5C,YAAQ,IAAI,GAAG,IAAI,IAAI,cAAc,QAAQ,SAAS,YAAY,CAAC,CAAC,IAAI,MAAM,KAAK,QAAQ,KAAK,CAAC,EAAE;AACnG,YAAQ,IAAI,MAAM,MAAM,IAAI,QAAQ,WAAW,CAAC,EAAE;AAClD,QAAI,QAAQ,MAAM;AAChB,cAAQ,IAAI,MAAM,MAAM,KAAK,sBAAsB,QAAQ,MAAM,QAAQ,IAAI,CAAC,CAAC,EAAE;AAAA,IACnF;AACA,YAAQ,IAAI;AAAA,EACd;AACF;AAEO,SAAS,oBAAoB,QAAoB;AACtD,UAAQ,IAAI,MAAM,KAAK,oBAAoB,CAAC;AAE5C,aAAW,WAAW,OAAO,UAAU;AACrC,UAAM,eAAe,QAAQ,UAAU,IAAI,MAAM,MAAM,MAAM;AAC7D,UAAM,MAAM,kBAAkB,QAAQ,MAAM,QAAQ,SAAS,QAAQ,GAAG;AAExE,YAAQ;AAAA,MACN,KAAK,QAAQ,QAAQ,OAAO,EAAE,CAAC,IAAI,GAAG,IAAI,aAAa,IAAI,QAAQ,QAAQ,QAAQ,CAAC,CAAC,EAAE,CAAC,IAAI,MAAM,IAAI,KAAK,QAAQ,GAAG,EAAE,CAAC;AAAA,IAC3H;AAAA,EACF;AAEA,UAAQ,IAAI;AACd;AAEA,SAAS,kBAAkB,OAAe,KAAa,QAAgB,IAAY;AACjF,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,IAAI,GAAG,QAAQ,GAAG,CAAC;AACvD,QAAM,SAAS,KAAK,MAAM,aAAa,KAAK;AAC5C,QAAM,QAAQ,QAAQ;AAEtB,QAAM,QAAQ,cAAc,OAAO,MAAM,QAAQ,cAAc,MAAM,MAAM,SAAS,MAAM;AAE1F,SAAO,MAAM,SAAS,OAAO,MAAM,CAAC,IAAI,MAAM,IAAI,SAAS,OAAO,KAAK,CAAC;AAC1E;AAEO,SAAS,WAAW,SAAiB;AAC1C,UAAQ,MAAM,MAAM,IAAI,iBAAiB,OAAO,EAAE,CAAC;AACrD;AAEO,SAAS,aAAa,SAAiB;AAC5C,UAAQ,IAAI,MAAM,MAAM,UAAU,OAAO,EAAE,CAAC;AAC9C;;;AEvIO,SAAS,iBAAiB,QAA4B;AAC3D,SAAO,KAAK,UAAU,QAAQ,MAAM,CAAC;AACvC;AAEO,SAAS,kBAAkB,QAAkC;AAClE,QAAM,SAAS,gBAAgB,OAAO,QAAQ;AAE9C,SAAO;AAAA,IACL,OAAO,OAAO;AAAA,IACd,OAAO,OAAO;AAAA,IACd,gBAAgB,OAAO,SAAS,IAAI,QAAM;AAAA,MACxC,SAAS,EAAE;AAAA,MACX,eAAe,EAAE,SAAS;AAAA,MAC1B,SAAS,EAAE;AAAA,IACb,EAAE;AAAA,IACF,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,aAAa,OAAO;AAAA,IACpB,UAAU,OAAO;AAAA,IACjB,WAAW,OAAO;AAAA,EACpB;AACF;;;ACrBA,IAAM,gBAAgB;AAEtB,eAAsB,YAAY,QAA4C;AAC5E,QAAM,UAAU,kBAAkB,MAAM;AAExC,QAAM,WAAW,MAAM,MAAM,eAAe;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,IAClB;AAAA,IACA,MAAM,KAAK,UAAU,OAAO;AAAA,EAC9B,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,MAAM,2BAA2B,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,EACrF;AAEA,SAAO,SAAS,KAAK;AACvB;;;AZ0CA,SAAS,YAAY;AACnB,UAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAuBb;AACD;AAEA,SAAS,eAAe;AACtB,UAAQ,IAAI,cAAc;AAC5B;AAEA,eAAe,OAAO;AACpB,MAAI;AAEJ,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,UAAU;AAAA,MAC3B,SAAS;AAAA,QACP,MAAM,EAAE,MAAM,UAAU,OAAO,IAAI;AAAA,QACnC,MAAM,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACpD,OAAO,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACrD,YAAY,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,QAC9C,MAAM,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,QACpD,SAAS,EAAE,MAAM,WAAW,OAAO,KAAK,SAAS,MAAM;AAAA,MACzD;AAAA,MACA,QAAQ;AAAA,MACR,kBAAkB;AAAA,IACpB,CAAC;AAED,QAAI,OAAO,MAAM;AACf,gBAAU;AACV,WAAK,CAAC;AAAA,IACR;AAEA,QAAI,OAAO,SAAS;AAClB,mBAAa;AACb,WAAK,CAAC;AAAA,IACR;AAEA,cAAU;AAAA,MACR,MAAM,OAAO,QAAQ,uBAAuB;AAAA,MAC5C,MAAM,OAAO,QAAQ;AAAA,MACrB,OAAO,OAAO,SAAS;AAAA,MACvB,SAAS,OAAO,UAAU,KAAK;AAAA,IACjC;AAAA,EACF,SAAS,KAAK;AACZ,eAAW,sBAAsB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AACnF,cAAU;AACV,SAAK,CAAC;AAAA,EACR;AAEA,MAAI,QAAQ,SAAS;AACnB,YAAQ,IAAI,aAAa,IAAI;AAAA,EAC/B;AAEA,MAAI,CAAC,QAAQ,MAAM;AACjB,gBAAY;AAAA,EACd;AAEA,MAAI,CAAC,MAAM,WAAW,QAAQ,IAAI,GAAG;AACnC,eAAW,iCAAiC,QAAQ,IAAI,EAAE;AAC1D,SAAK,CAAC;AAAA,EACR;AAEA,QAAM,UAAU,QAAQ,OAAO,OAAO,cAAc,oCAAoC;AACxF,WAAS,MAAM;AAEf,MAAI;AACF,UAAM,iBAAiB,MAAM,eAAe,EAAE,cAAc,QAAQ,KAAK,CAAC;AAC1E,UAAM,SAAS,gBAAgB,gBAAgB,QAAQ,IAAI;AAE3D,aAAS,KAAK;AAEd,QAAI,QAAQ,MAAM;AAChB,cAAQ,IAAI,iBAAiB,MAAM,CAAC;AAAA,IACtC,OAAO;AACL,iBAAW,MAAM;AACjB,0BAAoB,MAAM;AAC1B,oBAAc,OAAO,QAAQ;AAAA,IAC/B;AAEA,QAAI,QAAQ,OAAO;AACjB,YAAM,eAAe,QAAQ,OAAO,OAAO,cAAc,uBAAuB;AAChF,oBAAc,MAAM;AAEpB,UAAI;AACF,cAAM,gBAAgB,MAAM,YAAY,MAAM;AAC9C,sBAAc,KAAK;AAEnB,YAAI,QAAQ,MAAM;AAChB,kBAAQ,IAAI,KAAK,UAAU,EAAE,QAAQ,cAAc,GAAG,MAAM,CAAC,CAAC;AAAA,QAChE,OAAO;AACL,uBAAa,sBAAsB,cAAc,GAAG,EAAE;AACtD,kBAAQ,IAAI,oBAAoB,cAAc,WAAW,EAAE;AAAA,QAC7D;AAAA,MACF,SAAS,KAAK;AACZ,sBAAc,KAAK;AACnB,mBAAW,oBAAoB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,MACnF;AAAA,IACF;AAEA,UAAM,WAAW,YAAY,MAAM;AACnC,SAAK,QAAQ;AAAA,EACf,SAAS,KAAK;AACZ,aAAS,KAAK;AACd,eAAW,gBAAgB,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAC7E,SAAK,CAAC;AAAA,EACR;AACF;AAEA,KAAK;","names":["join","join","join","join","CAP","join","join","CAP","join","join","CAP","join"]}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "getcrabb",
+  "version": "0.1.0",
+  "description": "CLI security scanner for OpenClaw AI agents",
+  "type": "module",
+  "main": "./dist/cli.js",
+  "bin": {
+    "crabb": "./dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsx src/cli.ts",
+    "lint": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "openclaw",
+    "ai",
+    "agents",
+    "cli"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "boxen": "^8.0.1",
+    "chalk": "^5.3.0",
+    "ora": "^8.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "tsup": "^8.3.5",
+    "tsx": "^4.19.2",
+    "typescript": "^5.3.0",
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}