hyperclaw 4.0.1 → 4.0.2

package/README.md

@@ -1,4 +1,4 @@
-<p align="center">
+<p align="center">
   <img src="assets/icon.png" width="120" alt="HyperClaw">
   <br>
   <h1 align="center">🦅 HyperClaw — Personal AI Assistant</h1>
@@ -6,7 +6,7 @@
 
 <p align="center">
   <img src="https://img.shields.io/badge/build-passing-brightgreen?style=flat-square" alt="build">
-  <img src="https://img.shields.io/badge/release-v4.0.1-blue?style=flat-square" alt="release">
+  <img src="https://img.shields.io/badge/release-v4.0.2-blue?style=flat-square" alt="release">
   <img src="https://img.shields.io/badge/node-%E2%89%A522-green?style=flat-square" alt="node">
   <img src="https://img.shields.io/badge/license-MIT-gray?style=flat-square" alt="license">
   <img src="https://img.shields.io/badge/typescript-5.4-3178c6?style=flat-square&logo=typescript&logoColor=white" alt="typescript">
@@ -55,7 +55,7 @@
 
 ## Install
 
-Runtime: Node ≥ 22.
+Runtime: Node ≥ 22. Runs **natively on Windows, macOS, and Linux** — no WSL2 required.
 
 ```bash
 npm install -g hyperclaw@latest
@@ -68,8 +68,11 @@ hyperclaw onboard
 hyperclaw onboard --install-daemon
 ```
 
+> **Windows users**: HyperClaw runs natively via Node.js. No WSL2, no admin rights needed.
+> The daemon uses **Task Scheduler** and runs as your user account with full desktop access.
+
 The wizard guides you step by step — provider, model, gateway, channels, and skills.
-Works on **macOS, Linux, and Windows** (via WSL2 recommended). Compatible with npm, pnpm, and bun.
+Works on **macOS, Linux, and Windows** (native — no WSL2 required). Compatible with npm, pnpm, and bun.
 
 ---
 

package/dist/a2ui-protocol-CT_jDEU9.js

@@ -0,0 +1,75 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+
+//#region src/canvas/a2ui-protocol.ts
+/** Map HyperClaw component type to A2UI-compatible type. */
+function toA2UIType(t) {
+	const map = {
+		chart: "chart",
+		table: "table",
+		form: "form",
+		markdown: "markdown",
+		image: "image",
+		custom: "custom",
+		script: "script"
+	};
+	return map[t] || "custom";
+}
+/** Convert a CanvasComponent to A2UI surface. */
+function componentToSurface(c) {
+	return {
+		id: c.id,
+		type: toA2UIType(c.type),
+		props: {
+			title: c.title,
+			width: c.width || "half"
+		},
+		data: c.data
+	};
+}
+/** Generate beginRendering from canvas state (full sync). */
+function toBeginRendering(canvas) {
+	const surfaces = canvas.components.map(componentToSurface);
+	const dataModel = {};
+	for (const c of canvas.components) if (c.data != null) dataModel[c.id] = c.data;
+	return {
+		type: "beginRendering",
+		surfaceId: canvas.id,
+		surfaces,
+		dataModel: Object.keys(dataModel).length ? dataModel : void 0
+	};
+}
+/** Generate surfaceUpdate for newly added component. */
+function toSurfaceUpdate(canvasId, component) {
+	return {
+		type: "surfaceUpdate",
+		surfaceId: canvasId,
+		surfaces: [componentToSurface(component)]
+	};
+}
+/** Generate dataModelUpdate when component data changes. */
+function toDataModelUpdate(canvasId, componentId, data) {
+	return {
+		type: "dataModelUpdate",
+		surfaceId: canvasId,
+		updates: { [componentId]: data }
+	};
+}
+/** Generate deleteSurface for removed components. */
+function toDeleteSurface(canvasId, componentIds) {
+	return {
+		type: "deleteSurface",
+		surfaceId: canvasId,
+		surfaceIds: componentIds
+	};
+}
+/** Serialize A2UI messages to JSONL (one message per line). */
+function toJSONL(messages) {
+	return messages.map((m) => JSON.stringify(m)).join("\n");
+}
+
+//#endregion
+exports.toBeginRendering = toBeginRendering;
+exports.toDataModelUpdate = toDataModelUpdate;
+exports.toDeleteSurface = toDeleteSurface;
+exports.toJSONL = toJSONL;
+exports.toSurfaceUpdate = toSurfaceUpdate;

package/dist/agents-routing-683Q2JGp.js

@@ -0,0 +1,129 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const inquirer = require_chunk.__toESM(require("inquirer"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/routing/agents-routing.ts
+var AgentRouter = class {
+	stateFile;
+	agents = [];
+	constructor() {
+		this.stateFile = path.default.join(os.default.homedir(), ".hyperclaw", "agents.json");
+		this.load();
+	}
+	load() {
+		try {
+			this.agents = fs_extra.default.readJsonSync(this.stateFile);
+		} catch {
+			this.agents = [{
+				workspace: path.default.join(os.default.homedir(), ".hyperclaw", "workspace"),
+				name: "default",
+				model: void 0,
+				bindings: []
+			}];
+		}
+	}
+	save() {
+		fs_extra.default.ensureDirSync(path.default.dirname(this.stateFile));
+		fs_extra.default.writeJsonSync(this.stateFile, this.agents, { spaces: 2 });
+	}
+	listBindings() {
+		console.log(chalk.default.bold.cyan("\n  🦅 AGENT BINDINGS\n"));
+		if (this.agents.length === 0) {
+			console.log(chalk.default.gray("  No agents configured."));
+			return;
+		}
+		for (const agent of this.agents) {
+			console.log(`  ${chalk.default.bold(agent.name)}  ${chalk.default.gray(agent.workspace)}`);
+			if (agent.bindings.length === 0) console.log(`    ${chalk.default.gray("No channel bindings — receives from all channels")}`);
+			else for (const b of agent.bindings) {
+				const acct = b.accountId ? chalk.default.gray(`@${b.accountId}`) : chalk.default.gray("(all accounts)");
+				const role = b.role === "primary" ? chalk.default.green("[primary]") : chalk.default.gray("[secondary]");
+				console.log(`    ${chalk.default.cyan(b.channelId)} ${acct} ${role}`);
+			}
+			console.log();
+		}
+	}
+	async bind() {
+		console.log(chalk.default.cyan("\n  Bind a channel to an agent workspace\n"));
+		const { channel, workspace, role } = await inquirer.default.prompt([
+			{
+				type: "input",
+				name: "channel",
+				message: "Channel ID (e.g. telegram, discord, slack):",
+				validate: (v) => v.trim().length > 0 || "Required"
+			},
+			{
+				type: "input",
+				name: "workspace",
+				message: "Agent workspace (directory or name):",
+				default: "default"
+			},
+			{
+				type: "list",
+				name: "role",
+				message: "Binding role:",
+				choices: [{
+					name: "primary — routes all traffic from this channel",
+					value: "primary"
+				}, {
+					name: "secondary — fallback if primary is busy",
+					value: "secondary"
+				}]
+			}
+		]);
+		let agent = this.agents.find((a) => a.name === workspace || a.workspace === workspace);
+		if (!agent) {
+			agent = {
+				workspace,
+				name: workspace,
+				bindings: []
+			};
+			this.agents.push(agent);
+		}
+		agent.bindings.push({
+			channelId: channel,
+			agentWorkspace: agent.workspace,
+			role,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		this.save();
+		console.log(chalk.default.green(`\n  ✔  Bound ${channel} → ${workspace} (${role})\n`));
+	}
+	async unbind() {
+		const allBindings = [];
+		for (const agent of this.agents) for (const b of agent.bindings) allBindings.push({
+			agent: agent.name,
+			channel: b.channelId
+		});
+		if (allBindings.length === 0) {
+			console.log(chalk.default.gray("\n  No bindings to remove.\n"));
+			return;
+		}
+		const { toRemove } = await inquirer.default.prompt([{
+			type: "checkbox",
+			name: "toRemove",
+			message: "Select bindings to remove:",
+			choices: allBindings.map((b) => ({
+				name: `${b.channel} → ${b.agent}`,
+				value: b
+			}))
+		}]);
+		for (const { agent: agentName, channel } of toRemove) {
+			const agent = this.agents.find((a) => a.name === agentName);
+			if (agent) agent.bindings = agent.bindings.filter((b) => b.channelId !== channel);
+		}
+		this.save();
+		console.log(chalk.default.green(`\n  ✔  Removed ${toRemove.length} binding(s)\n`));
+	}
+};
+
+//#endregion
+Object.defineProperty(exports, 'AgentRouter', {
+  enumerable: true,
+  get: function () {
+    return AgentRouter;
+  }
+});

package/dist/agents-routing-BpZBswBH.js

@@ -0,0 +1,4 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const require_agents_routing = require('./agents-routing-683Q2JGp.js');
+
+exports.AgentRouter = require_agents_routing.AgentRouter;

package/dist/api-keys-guide-Dq5Obbp4.js

@@ -0,0 +1,149 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+
+//#region src/infra/api-keys-guide.ts
+const API_KEYS_GUIDE = [
+	{
+		serviceId: "anthropic",
+		name: "Anthropic (Claude)",
+		envVar: "ANTHROPIC_API_KEY",
+		url: "platform.anthropic.com",
+		setupSteps: [
+			"1. Go to platform.anthropic.com → API Keys.",
+			"2. Sign up / sign in with an Anthropic account.",
+			"3. Create Key — copy it (starts with sk-ant-). Not shown again!",
+			"",
+			"  🔗 platform.anthropic.com/settings/keys"
+		]
+	},
+	{
+		serviceId: "openai",
+		name: "OpenAI (GPT)",
+		envVar: "OPENAI_API_KEY",
+		url: "platform.openai.com",
+		setupSteps: [
+			"1. Go to platform.openai.com → API keys.",
+			"2. Create new secret key — copy it (starts with sk-). Not shown again!",
+			"3. You need billing enabled for production use.",
+			"",
+			"  🔗 platform.openai.com/api-keys"
+		]
+	},
+	{
+		serviceId: "openrouter",
+		name: "OpenRouter",
+		envVar: "OPENROUTER_API_KEY",
+		url: "openrouter.ai",
+		setupSteps: [
+			"1. Go to openrouter.ai → Keys.",
+			"2. Sign in (Google/GitHub).",
+			"3. Create Key — copy it. OpenRouter provides access to many models (Claude, GPT etc.).",
+			"",
+			"  🔗 openrouter.ai/keys"
+		]
+	},
+	{
+		serviceId: "tavily",
+		name: "Tavily (Web Search)",
+		envVar: "TAVILY_API_KEY",
+		url: "tavily.com",
+		setupSteps: [
+			"1. Go to tavily.com → Sign up.",
+			"2. Dashboard → API Keys → Create API Key.",
+			"3. Copy the key. Used for the web-search skill.",
+			"",
+			"  🔗 app.tavily.com"
+		]
+	},
+	{
+		serviceId: "elevenlabs",
+		name: "ElevenLabs (TTS)",
+		envVar: "ELEVENLABS_API_KEY",
+		url: "elevenlabs.io",
+		setupSteps: [
+			"1. Go to elevenlabs.io → Profile → API Key.",
+			"2. Copy the API key (or create a new one).",
+			"3. Used for talk mode (voice responses).",
+			"",
+			"  🔗 elevenlabs.io/app/settings/api-keys"
+		]
+	},
+	{
+		serviceId: "deepl",
+		name: "DeepL (Translation)",
+		envVar: "DEEPL_API_KEY",
+		url: "deepl.com",
+		setupSteps: [
+			"1. Go to deepl.com/pro-api → Get API key.",
+			"2. Sign up (free tier available).",
+			"3. Account → API keys — copy the Authentication Key.",
+			"",
+			"  🔗 deepl.com/pro-api"
+		]
+	},
+	{
+		serviceId: "github",
+		name: "GitHub (PAT)",
+		envVar: "GITHUB_TOKEN",
+		url: "github.com",
+		setupSteps: [
+			"1. GitHub → Settings → Developer settings → Personal access tokens.",
+			"2. Generate new token (classic or fine-grained).",
+			"3. Select scopes: repo, read:user etc. depending on use case.",
+			"",
+			"  🔗 github.com/settings/tokens"
+		]
+	},
+	{
+		serviceId: "xai",
+		name: "xAI (Grok)",
+		envVar: "XAI_API_KEY",
+		url: "x.ai",
+		setupSteps: [
+			"1. Go to console.x.ai → API keys.",
+			"2. Sign in and create a new key.",
+			"3. Copy the key.",
+			"",
+			"  🔗 console.x.ai"
+		]
+	},
+	{
+		serviceId: "google",
+		name: "Google AI (Gemini)",
+		envVar: "GOOGLE_AI_API_KEY",
+		url: "ai.google.dev",
+		setupSteps: [
+			"1. Go to aistudio.google.com/apikey.",
+			"2. Get API key or Create API key.",
+			"3. Copy the key.",
+			"",
+			"  🔗 aistudio.google.com/apikey"
+		]
+	}
+];
+const SERVICE_ID_MAP = new Map(API_KEYS_GUIDE.map((g) => [g.serviceId.toLowerCase(), g]));
+/** Known name aliases (e.g. anthropic, claude -> anthropic) */
+const ALIASES = {
+	claude: "anthropic",
+	gpt: "openai",
+	xai: "xai",
+	google: "google"
+};
+function getApiKeyGuide(serviceId) {
+	const id = serviceId.toLowerCase().replace(/[^a-z0-9-]/g, "");
+	return SERVICE_ID_MAP.get(id) ?? SERVICE_ID_MAP.get(ALIASES[id] ?? "") ?? null;
+}
+/** For unknown services — generic API key instructions */
+const GENERIC_API_KEY_STEPS = [
+	"For an unknown service:",
+	"1. Go to the official service website (e.g. developers.xxx.com).",
+	"2. Sign up / sign in. An account is usually required.",
+	"3. Look for \"API Keys\", \"Credentials\", \"Developer\" or \"Integrations\" section.",
+	"4. Create a new API key or token. Copy it immediately — many services do not show it again.",
+	"5. Keep it secret — do not share it or commit it to a repo.",
+	"",
+	"  💡 Known services: anthropic, openai, openrouter, tavily, elevenlabs, deepl, github, xai, google"
+];
+
+//#endregion
+exports.GENERIC_API_KEY_STEPS = GENERIC_API_KEY_STEPS;
+exports.getApiKeyGuide = getApiKeyGuide;

package/dist/audit-BYxPlnTQ.js

@@ -0,0 +1,248 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const ora = require_chunk.__toESM(require("ora"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const os = require_chunk.__toESM(require("os"));
+
+//#region src/security/audit.ts
+const HC_DIR = path.default.join(os.default.homedir(), ".hyperclaw");
+async function checkFilePermissions() {
+	const findings = [];
+	const sensitiveFiles = [
+		path.default.join(HC_DIR, "hyperclaw.json"),
+		path.default.join(HC_DIR, "auth.json"),
+		path.default.join(HC_DIR, ".env"),
+		path.default.join(HC_DIR, "AGENTS.md")
+	];
+	for (const f of sensitiveFiles) if (await fs_extra.default.pathExists(f)) {
+		const stat = await fs_extra.default.stat(f);
+		if ((stat.mode & 63) !== 0) findings.push({
+			severity: "high",
+			category: "File Permissions",
+			title: `Unsafe permissions on ${path.default.basename(f)}`,
+			detail: `Mode ${(stat.mode & 511).toString(8)} allows group/other read`,
+			remediation: `chmod 600 ${f}`,
+			cvss: 7.5
+		});
+	}
+	const credsDir = path.default.join(HC_DIR, "credentials");
+	if (await fs_extra.default.pathExists(credsDir)) {
+		const stat = await fs_extra.default.stat(credsDir);
+		if ((stat.mode & 63) !== 0) findings.push({
+			severity: "critical",
+			category: "File Permissions",
+			title: "credentials/ directory is world-readable",
+			detail: `Mode ${(stat.mode & 511).toString(8)} — all credential files are exposed`,
+			remediation: `chmod 700 ${credsDir}`,
+			cvss: 9.1
+		});
+	}
+	return findings;
+}
+async function checkGatewayConfig() {
+	const findings = [];
+	let cfg = null;
+	try {
+		cfg = await fs_extra.default.readJson(path.default.join(HC_DIR, "hyperclaw.json"));
+	} catch {
+		return findings;
+	}
+	const token = cfg.gateway?.authToken;
+	if (!token) findings.push({
+		severity: "critical",
+		category: "Authentication",
+		title: "Gateway auth token not set",
+		detail: "Any client can connect to the gateway without authentication",
+		remediation: "hyperclaw gateway config --set-token",
+		cvss: 9.8
+	});
+	else if (token.length < 32) findings.push({
+		severity: "high",
+		category: "Authentication",
+		title: "Gateway auth token is too short",
+		detail: `Token is ${token.length} chars — minimum recommended is 32`,
+		remediation: "hyperclaw gateway config --regenerate-token",
+		cvss: 7.3
+	});
+	if (cfg.gateway?.bind === "0.0.0.0") findings.push({
+		severity: "medium",
+		category: "Network Exposure",
+		title: "Gateway bound to all interfaces (0.0.0.0)",
+		detail: "Gateway is accessible from the local network. Ensure auth token is strong.",
+		remediation: "Use 127.0.0.1 unless you need LAN access",
+		cvss: 5.3
+	});
+	if (cfg.gateway?.tailscaleExposure === "funnel") findings.push({
+		severity: "medium",
+		category: "Network Exposure",
+		title: "Gateway exposed via Tailscale Funnel (public internet)",
+		detail: "Your gateway is reachable from the public internet via Tailscale Funnel",
+		remediation: "Ensure auth token is strong and DM policies are restrictive",
+		cvss: 5.8
+	});
+	for (const [ch, chCfg] of Object.entries(cfg.channelConfigs || {})) {
+		const policy = chCfg?.dmPolicy?.policy;
+		if (policy === "open") findings.push({
+			severity: "high",
+			category: "DM Policy",
+			title: `DM policy is "open" on ${ch}`,
+			detail: "Anyone can send DMs to your agent. This is a prompt injection risk.",
+			remediation: `hyperclaw channels add ${ch}  # and choose pairing or allowlist`,
+			cvss: 7.1
+		});
+		if (policy === "allowlist") {
+			const allowFrom = chCfg?.dmPolicy?.allowFrom || [];
+			if (allowFrom.length === 0) findings.push({
+				severity: "high",
+				category: "DM Policy",
+				title: `Empty allowlist on ${ch} — DMs are silently dropped`,
+				detail: `allowFrom is [] — no one can reach your agent on ${ch}`,
+				remediation: `hyperclaw pairing approve ${ch} <code>`,
+				cvss: 4
+			});
+		}
+	}
+	return findings;
+}
+async function checkSecretsInPrompts() {
+	const findings = [];
+	const secretPatterns = [
+		{
+			pattern: /sk-[a-zA-Z0-9]{20,}/,
+			name: "OpenAI API key"
+		},
+		{
+			pattern: /tvly-[a-zA-Z0-9]{20,}/,
+			name: "Tavily API key"
+		},
+		{
+			pattern: /xai-[a-zA-Z0-9]{20,}/,
+			name: "xAI API key"
+		},
+		{
+			pattern: /ghp_[a-zA-Z0-9]{36}/,
+			name: "GitHub PAT"
+		},
+		{
+			pattern: /or-[a-zA-Z0-9]{20,}/,
+			name: "OpenRouter API key"
+		},
+		{
+			pattern: /[a-f0-9]{64}/,
+			name: "Potential hex secret"
+		}
+	];
+	const filesToScan = [
+		path.default.join(HC_DIR, "AGENTS.md"),
+		path.default.join(HC_DIR, "MEMORY.md"),
+		path.default.join(HC_DIR, "hyperclaw.json")
+	];
+	for (const f of filesToScan) {
+		if (!await fs_extra.default.pathExists(f)) continue;
+		const content = await fs_extra.default.readFile(f, "utf8");
+		for (const { pattern, name } of secretPatterns) if (pattern.test(content)) findings.push({
+			severity: "critical",
+			category: "Secret Exposure",
+			title: `${name} potentially embedded in ${path.default.basename(f)}`,
+			detail: `Found pattern matching ${name} in plaintext file. Secrets in prompts are a serious risk.`,
+			remediation: `Remove the secret and use: hyperclaw secrets set KEY=value`,
+			cvss: 9.1
+		});
+	}
+	return findings;
+}
+async function deepScan() {
+	const findings = [];
+	const hubState = path.default.join(HC_DIR, "hub-state.json");
+	if (await fs_extra.default.pathExists(hubState)) {
+		const state = await fs_extra.default.readJson(hubState);
+		const dangerous = state.installed?.filter((s) => s.risk === "dangerous") || [];
+		for (const s of dangerous) findings.push({
+			severity: "critical",
+			category: "Installed Skills",
+			title: `Dangerous skill installed: ${s.name}`,
+			detail: s.riskReason || "Skill is flagged as dangerous",
+			remediation: `hyperclaw hub --uninstall ${s.id}`,
+			cvss: 8.5
+		});
+	}
+	let cfg = null;
+	try {
+		cfg = await fs_extra.default.readJson(path.default.join(HC_DIR, "hyperclaw.json"));
+	} catch {}
+	if (cfg?.gateway?.authToken) {
+		const token = cfg.gateway.authToken;
+		const entropy = estimateEntropy(token);
+		if (entropy < 3.5) findings.push({
+			severity: "high",
+			category: "Token Quality",
+			title: "Gateway auth token has low entropy",
+			detail: `Estimated entropy: ${entropy.toFixed(2)} bits/char — token may be guessable`,
+			remediation: "hyperclaw gateway config --regenerate-token",
+			cvss: 6.5
+		});
+	}
+	return findings;
+}
+function estimateEntropy(str) {
+	const freq = /* @__PURE__ */ new Map();
+	for (const ch of str) freq.set(ch, (freq.get(ch) || 0) + 1);
+	let entropy = 0;
+	for (const count of freq.values()) {
+		const p = count / str.length;
+		entropy -= p * Math.log2(p);
+	}
+	return entropy;
+}
+const SEVERITY_ORDER = [
+	"critical",
+	"high",
+	"medium",
+	"low",
+	"info"
+];
+const SEVERITY_COLOR = {
+	critical: chalk.default.bgRed.white.bold,
+	high: chalk.default.red,
+	medium: chalk.default.yellow,
+	low: chalk.default.cyan,
+	info: chalk.default.gray
+};
+async function runSecurityAudit(deep = false) {
+	console.log(chalk.default.bold.cyan("\n  🔐 HYPERCLAW SECURITY AUDIT\n"));
+	const spinner = (0, ora.default)("Running security checks...").start();
+	const allFindings = [
+		...await checkFilePermissions(),
+		...await checkGatewayConfig(),
+		...await checkSecretsInPrompts(),
+		...deep ? await deepScan() : []
+	];
+	spinner.stop();
+	if (deep) console.log(chalk.default.gray("  Mode: DEEP SCAN\n"));
+	else console.log(chalk.default.gray("  Mode: standard (run with --deep for full scan)\n"));
+	if (allFindings.length === 0) {
+		console.log(chalk.default.green("  ✔  No security issues found!\n"));
+		return;
+	}
+	allFindings.sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
+	for (const f of allFindings) {
+		const color = SEVERITY_COLOR[f.severity];
+		const badge = color(` ${f.severity.toUpperCase()} `);
+		const cvss = f.cvss ? chalk.default.gray(` CVSS ${f.cvss}`) : "";
+		console.log(`  ${badge}${cvss}  ${chalk.default.white(f.title)}`);
+		console.log(`     ${chalk.default.gray(`Category: ${f.category}`)}`);
+		console.log(`     ${chalk.default.gray(f.detail)}`);
+		console.log(`     ${chalk.default.cyan("Fix: " + f.remediation)}`);
+		console.log();
+	}
+	const counts = SEVERITY_ORDER.reduce((acc, sev) => {
+		acc[sev] = allFindings.filter((f) => f.severity === sev).length;
+		return acc;
+	}, {});
+	console.log(`  ${chalk.default.bold("Summary:")} ${chalk.default.bgRed.white.bold(` ${counts.critical} CRITICAL `)}  ${chalk.default.red(`${counts.high} high`)}  ${chalk.default.yellow(`${counts.medium} medium`)}  ${chalk.default.cyan(`${counts.low} low`)}\n`);
+	if (!deep) console.log(chalk.default.gray("  Run: hyperclaw security audit --deep   for full credential entropy scan\n"));
+}
+
+//#endregion
+exports.runSecurityAudit = runSecurityAudit;