npm - nox-openclaw-hunter - Versions diffs - 1.0.0 - Mend

nox-openclaw-hunter 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/LICENSE +21 -0
package/README.md +140 -0
package/bin/nox.js +2 -0
package/dist/branding.d.ts +39 -0
package/dist/branding.d.ts.map +1 -0
package/dist/branding.js +66 -0
package/dist/branding.js.map +1 -0
package/dist/cli.d.ts +15 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +94 -0
package/dist/cli.js.map +1 -0
package/dist/commands/export.d.ts +21 -0
package/dist/commands/export.d.ts.map +1 -0
package/dist/commands/export.js +616 -0
package/dist/commands/export.js.map +1 -0
package/dist/commands/index.d.ts +8 -0
package/dist/commands/index.d.ts.map +1 -0
package/dist/commands/index.js +8 -0
package/dist/commands/index.js.map +1 -0
package/dist/commands/isolate.d.ts +30 -0
package/dist/commands/isolate.d.ts.map +1 -0
package/dist/commands/isolate.js +547 -0
package/dist/commands/isolate.js.map +1 -0
package/dist/commands/purge.d.ts +22 -0
package/dist/commands/purge.d.ts.map +1 -0
package/dist/commands/purge.js +295 -0
package/dist/commands/purge.js.map +1 -0
package/dist/commands/scan.d.ts +23 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +155 -0
package/dist/commands/scan.js.map +1 -0
package/dist/detector/app-bundle.d.ts +13 -0
package/dist/detector/app-bundle.d.ts.map +1 -0
package/dist/detector/app-bundle.js +27 -0
package/dist/detector/app-bundle.js.map +1 -0
package/dist/detector/cli-binary.d.ts +12 -0
package/dist/detector/cli-binary.d.ts.map +1 -0
package/dist/detector/cli-binary.js +66 -0
package/dist/detector/cli-binary.js.map +1 -0
package/dist/detector/config.d.ts +21 -0
package/dist/detector/config.d.ts.map +1 -0
package/dist/detector/config.js +337 -0
package/dist/detector/config.js.map +1 -0
package/dist/detector/detection-config.d.ts +24 -0
package/dist/detector/detection-config.d.ts.map +1 -0
package/dist/detector/detection-config.js +242 -0
package/dist/detector/detection-config.js.map +1 -0
package/dist/detector/docker.d.ts +10 -0
package/dist/detector/docker.d.ts.map +1 -0
package/dist/detector/docker.js +94 -0
package/dist/detector/docker.js.map +1 -0
package/dist/detector/index.d.ts +50 -0
package/dist/detector/index.d.ts.map +1 -0
package/dist/detector/index.js +155 -0
package/dist/detector/index.js.map +1 -0
package/dist/detector/network.d.ts +34 -0
package/dist/detector/network.d.ts.map +1 -0
package/dist/detector/network.js +205 -0
package/dist/detector/network.js.map +1 -0
package/dist/detector/process.d.ts +16 -0
package/dist/detector/process.d.ts.map +1 -0
package/dist/detector/process.js +47 -0
package/dist/detector/process.js.map +1 -0
package/dist/detector/service.d.ts +17 -0
package/dist/detector/service.d.ts.map +1 -0
package/dist/detector/service.js +51 -0
package/dist/detector/service.js.map +1 -0
package/dist/enforcer/docker-cleaner.d.ts +30 -0
package/dist/enforcer/docker-cleaner.d.ts.map +1 -0
package/dist/enforcer/docker-cleaner.js +163 -0
package/dist/enforcer/docker-cleaner.js.map +1 -0
package/dist/enforcer/file-remover.d.ts +34 -0
package/dist/enforcer/file-remover.d.ts.map +1 -0
package/dist/enforcer/file-remover.js +137 -0
package/dist/enforcer/file-remover.js.map +1 -0
package/dist/enforcer/index.d.ts +33 -0
package/dist/enforcer/index.d.ts.map +1 -0
package/dist/enforcer/index.js +142 -0
package/dist/enforcer/index.js.map +1 -0
package/dist/enforcer/process-killer.d.ts +18 -0
package/dist/enforcer/process-killer.d.ts.map +1 -0
package/dist/enforcer/process-killer.js +80 -0
package/dist/enforcer/process-killer.js.map +1 -0
package/dist/enforcer/service-stopper.d.ts +23 -0
package/dist/enforcer/service-stopper.d.ts.map +1 -0
package/dist/enforcer/service-stopper.js +95 -0
package/dist/enforcer/service-stopper.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +10 -0
package/dist/index.js.map +1 -0
package/dist/isolator/firewall.d.ts +25 -0
package/dist/isolator/firewall.d.ts.map +1 -0
package/dist/isolator/firewall.js +114 -0
package/dist/isolator/firewall.js.map +1 -0
package/dist/isolator/index.d.ts +63 -0
package/dist/isolator/index.d.ts.map +1 -0
package/dist/isolator/index.js +201 -0
package/dist/isolator/index.js.map +1 -0
package/dist/isolator/lockdown.d.ts +22 -0
package/dist/isolator/lockdown.d.ts.map +1 -0
package/dist/isolator/lockdown.js +401 -0
package/dist/isolator/lockdown.js.map +1 -0
package/dist/isolator/quarantine.d.ts +39 -0
package/dist/isolator/quarantine.d.ts.map +1 -0
package/dist/isolator/quarantine.js +364 -0
package/dist/isolator/quarantine.js.map +1 -0
package/dist/mdm/index.d.ts +93 -0
package/dist/mdm/index.d.ts.map +1 -0
package/dist/mdm/index.js +414 -0
package/dist/mdm/index.js.map +1 -0
package/dist/mdm/intune.d.ts +69 -0
package/dist/mdm/intune.d.ts.map +1 -0
package/dist/mdm/intune.js +409 -0
package/dist/mdm/intune.js.map +1 -0
package/dist/mdm/jamf.d.ts +58 -0
package/dist/mdm/jamf.d.ts.map +1 -0
package/dist/mdm/jamf.js +441 -0
package/dist/mdm/jamf.js.map +1 -0
package/dist/mdm/jumpcloud.d.ts +73 -0
package/dist/mdm/jumpcloud.d.ts.map +1 -0
package/dist/mdm/jumpcloud.js +470 -0
package/dist/mdm/jumpcloud.js.map +1 -0
package/dist/mdm/templates/detect.ps1.d.ts +30 -0
package/dist/mdm/templates/detect.ps1.d.ts.map +1 -0
package/dist/mdm/templates/detect.ps1.js +463 -0
package/dist/mdm/templates/detect.ps1.js.map +1 -0
package/dist/mdm/templates/detect.sh.d.ts +30 -0
package/dist/mdm/templates/detect.sh.d.ts.map +1 -0
package/dist/mdm/templates/detect.sh.js +474 -0
package/dist/mdm/templates/detect.sh.js.map +1 -0
package/dist/mdm/templates/enforce.ps1.d.ts +33 -0
package/dist/mdm/templates/enforce.ps1.d.ts.map +1 -0
package/dist/mdm/templates/enforce.ps1.js +681 -0
package/dist/mdm/templates/enforce.ps1.js.map +1 -0
package/dist/mdm/templates/enforce.sh.d.ts +33 -0
package/dist/mdm/templates/enforce.sh.d.ts.map +1 -0
package/dist/mdm/templates/enforce.sh.js +591 -0
package/dist/mdm/templates/enforce.sh.js.map +1 -0
package/dist/platform/darwin.d.ts +6 -0
package/dist/platform/darwin.d.ts.map +1 -0
package/dist/platform/darwin.js +192 -0
package/dist/platform/darwin.js.map +1 -0
package/dist/platform/index.d.ts +43 -0
package/dist/platform/index.d.ts.map +1 -0
package/dist/platform/index.js +27 -0
package/dist/platform/index.js.map +1 -0
package/dist/platform/linux.d.ts +6 -0
package/dist/platform/linux.d.ts.map +1 -0
package/dist/platform/linux.js +134 -0
package/dist/platform/linux.js.map +1 -0
package/dist/platform/windows.d.ts +6 -0
package/dist/platform/windows.d.ts.map +1 -0
package/dist/platform/windows.js +134 -0
package/dist/platform/windows.js.map +1 -0
package/dist/reporter/console.d.ts +27 -0
package/dist/reporter/console.d.ts.map +1 -0
package/dist/reporter/console.js +431 -0
package/dist/reporter/console.js.map +1 -0
package/dist/reporter/index.d.ts +11 -0
package/dist/reporter/index.d.ts.map +1 -0
package/dist/reporter/index.js +13 -0
package/dist/reporter/index.js.map +1 -0
package/dist/reporter/json.d.ts +61 -0
package/dist/reporter/json.d.ts.map +1 -0
package/dist/reporter/json.js +75 -0
package/dist/reporter/json.js.map +1 -0
package/dist/reporter/webhook.d.ts +57 -0
package/dist/reporter/webhook.d.ts.map +1 -0
package/dist/reporter/webhook.js +230 -0
package/dist/reporter/webhook.js.map +1 -0
package/dist/types/config.d.ts +116 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/config.js +6 -0
package/dist/types/config.js.map +1 -0
package/dist/types/detection.d.ts +85 -0
package/dist/types/detection.d.ts.map +1 -0
package/dist/types/detection.js +5 -0
package/dist/types/detection.js.map +1 -0
package/dist/types/enforcement.d.ts +33 -0
package/dist/types/enforcement.d.ts.map +1 -0
package/dist/types/enforcement.js +5 -0
package/dist/types/enforcement.js.map +1 -0
package/dist/types/index.d.ts +8 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -0
package/dist/types/isolation.d.ts +55 -0
package/dist/types/isolation.d.ts.map +1 -0
package/dist/types/isolation.js +5 -0
package/dist/types/isolation.js.map +1 -0
package/dist/utils/exec.d.ts +48 -0
package/dist/utils/exec.d.ts.map +1 -0
package/dist/utils/exec.js +103 -0
package/dist/utils/exec.js.map +1 -0
package/dist/utils/fs.d.ts +34 -0
package/dist/utils/fs.d.ts.map +1 -0
package/dist/utils/fs.js +111 -0
package/dist/utils/fs.js.map +1 -0
package/dist/utils/index.d.ts +7 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +7 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/logger.d.ts +14 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +48 -0
package/dist/utils/logger.js.map +1 -0
package/docs/intune.md +390 -0
package/docs/jamf.md +400 -0
package/docs/jumpcloud.md +510 -0
package/package.json +65 -0

package/dist/mdm/templates/enforce.sh.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Shell enforcement script template for MDM deployment.
+ * Targets macOS and Linux systems.
+ */
+export interface EnforceShellOptions {
+    webhookUrl?: string;
+    webhookToken?: string;
+    gatewayPort?: number;
+    verbose?: boolean;
+    dryRun?: boolean;
+    quarantine?: boolean;
+}
+/**
+ * Generate enforcement shell script.
+ */
+export declare function generateEnforceShellScript(options?: EnforceShellOptions): string;
+/**
+ * Get script metadata for documentation.
+ */
+export declare function getEnforceShellMetadata(): {
+    filename: string;
+    extension: string;
+    platform: string;
+    description: string;
+    requirements: string[];
+    exitCodes: {
+        0: string;
+        1: string;
+        2: string;
+        3: string;
+    };
+};
+//# sourceMappingURL=enforce.sh.d.ts.map

package/dist/mdm/templates/enforce.sh.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforce.sh.d.ts","sourceRoot":"","sources":["../../../src/mdm/templates/enforce.sh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAmCD;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,GAAE,mBAAwB,GAAG,MAAM,CAiiBpF;AAED;;GAEG;AACH,wBAAgB,uBAAuB;;;;;;;;;;;;EActC"}

package/dist/mdm/templates/enforce.sh.js ADDED Viewed

@@ -0,0 +1,591 @@
+/**
+ * Shell enforcement script template for MDM deployment.
+ * Targets macOS and Linux systems.
+ */
+import { VERSION, COMPANY } from '../../branding.js';
+/**
+ * Escape a string for safe use in shell scripts.
+ * Escapes characters that could enable shell injection.
+ */
+function escapeShellString(str) {
+    // Remove null bytes
+    let escaped = str.replace(/\0/g, '');
+    // Escape backslashes first, then single quotes
+    escaped = escaped.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/'/g, "'\\''");
+    // Escape special shell characters
+    escaped = escaped.replace(/\$/g, '\\$');
+    escaped = escaped.replace(/`/g, '\\`');
+    escaped = escaped.replace(/"/g, '\\"');
+    escaped = escaped.replace(/!/g, '\\!');
+    return escaped;
+}
+/**
+ * Validate URL format for MDM scripts.
+ */
+function validateMdmUrl(url) {
+    try {
+        const parsed = new URL(url);
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error('Invalid protocol');
+        }
+        return escapeShellString(url);
+    }
+    catch {
+        throw new Error(`Invalid webhook URL: ${url}`);
+    }
+}
+/**
+ * Generate enforcement shell script.
+ */
+export function generateEnforceShellScript(options = {}) {
+    const { webhookUrl, webhookToken, gatewayPort = 18789, verbose = false, dryRun = false, quarantine = false, } = options;
+    // Validate and sanitize inputs to prevent shell injection
+    const safeWebhookUrl = webhookUrl ? validateMdmUrl(webhookUrl) : undefined;
+    const safeWebhookToken = webhookToken ? escapeShellString(webhookToken) : undefined;
+    // Validate gateway port
+    if (gatewayPort < 1 || gatewayPort > 65535 || !Number.isInteger(gatewayPort)) {
+        throw new Error(`Invalid gateway port: ${gatewayPort}`);
+    }
+    const webhookSection = safeWebhookUrl
+        ? `
+# Webhook configuration
+WEBHOOK_URL="${safeWebhookUrl}"
+${safeWebhookToken ? `WEBHOOK_TOKEN="${safeWebhookToken}"` : 'WEBHOOK_TOKEN=""'}
+send_webhook() {
+    local status="$1"
+    local severity="$2"
+    local details="$3"
+    local payload
+    payload=$(cat <<PAYLOAD
+{
+    "event": "openclaw.enforcement",
+    "version": "1.0",
+    "timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+    "status": "$status",
+    "severity": "$severity",
+    "host": {
+        "hostname": "$(hostname)",
+        "os": "$(uname -s)",
+        "arch": "$(uname -m)",
+        "user": "$USER"
+    },
+    "actions": "$details",
+    "dryRun": ${dryRun},
+    "source": {
+        "tool": "nox-openclaw-detector",
+        "version": "${VERSION}",
+        "vendor": "${COMPANY}"
+    }
+}
+PAYLOAD
+)
+    local auth_header=""
+    if [[ -n "$WEBHOOK_TOKEN" ]]; then
+        auth_header="-H \\"Authorization: Bearer $WEBHOOK_TOKEN\\""
+    fi
+    curl -s -X POST "$WEBHOOK_URL" \\
+        -H "Content-Type: application/json" \\
+        $auth_header \\
+        -d "$payload" \\
+        --connect-timeout 10 \\
+        --max-time 30 > /dev/null 2>&1 || true
+}
+`
+        : '';
+    const verboseLog = verbose
+        ? `
+log_verbose() {
+    echo "[DEBUG] $(date '+%Y-%m-%d %H:%M:%S') $1"
+}
+`
+        : `
+log_verbose() { :; }  # No-op when not verbose
+`;
+    const dryRunCheck = dryRun
+        ? `
+DRY_RUN=true
+execute() {
+    log_action "[DRY RUN] Would execute: $*"
+}
+`
+        : `
+DRY_RUN=false
+execute() {
+    "$@"
+}
+`;
+    const quarantineSection = quarantine
+        ? `
+# Quarantine configuration
+QUARANTINE_BASE="/var/nox-quarantine"
+QUARANTINE_ID="$(date +%Y%m%d_%H%M%S)_$(whoami)"
+QUARANTINE_DIR="$QUARANTINE_BASE/$QUARANTINE_ID"
+setup_quarantine() {
+    if [[ $DRY_RUN == true ]]; then
+        log_action "[DRY RUN] Would create quarantine directory: $QUARANTINE_DIR"
+        return
+    fi
+    mkdir -p "$QUARANTINE_DIR/binaries"
+    mkdir -p "$QUARANTINE_DIR/config"
+    mkdir -p "$QUARANTINE_DIR/services"
+    # Create manifest
+    cat > "$QUARANTINE_DIR/manifest.json" <<MANIFEST
+{
+    "id": "$QUARANTINE_ID",
+    "timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+    "hostname": "$(hostname)",
+    "user": "$(whoami)",
+    "artifacts": []
+}
+MANIFEST
+    log_action "Quarantine directory created: $QUARANTINE_DIR"
+}
+quarantine_file() {
+    local src="$1"
+    local category="$2"
+    local dest="$QUARANTINE_DIR/$category/$(basename "$src")"
+    if [[ $DRY_RUN == true ]]; then
+        log_action "[DRY RUN] Would quarantine: $src -> $dest"
+        return
+    fi
+    if [[ -e "$src" ]]; then
+        mv "$src" "$dest" 2>/dev/null || cp -r "$src" "$dest" && rm -rf "$src"
+        log_action "Quarantined: $src -> $dest"
+    fi
+}
+`
+        : `
+quarantine_file() {
+    local src="$1"
+    # No quarantine, just remove
+    remove_path "$src"
+}
+`;
+    return `#!/bin/bash
+# ==============================================================================
+# Nox OpenClaw Enforcement Script
+# ==============================================================================
+# Generated by nox-openclaw-detector v${VERSION}
+# ${COMPANY} - https://nox.security
+#
+# WARNING: This script will remove OpenClaw installations!
+# Run with sudo/root for full enforcement capabilities.
+#
+# Exit Codes:
+#   0 - Enforcement successful
+#   1 - Enforcement partially failed
+#   2 - Script error
+#   3 - Nothing to enforce (clean system)
+#
+# Usage:
+#   sudo ./enforce-openclaw.sh
+#   sudo ./enforce-openclaw.sh --verbose
+# ==============================================================================
+set -uo pipefail
+# Configuration
+GATEWAY_PORT=${gatewayPort}
+ENFORCEMENT_ACTIONS=()
+FAILED_ACTIONS=()
+OPENCLAW_DETECTED=false
+${verboseLog}
+${dryRunCheck}
+${webhookSection}
+${quarantine ? quarantineSection : ''}
+# Log enforcement action
+log_action() {
+    local msg="[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+    echo "$msg"
+    ENFORCEMENT_ACTIONS+=("$1")
+}
+# Log failed action
+log_failure() {
+    local msg="[$(date '+%Y-%m-%d %H:%M:%S')] FAILED: $1"
+    echo "$msg" >&2
+    FAILED_ACTIONS+=("$1")
+}
+# Remove file or directory
+remove_path() {
+    local path="$1"
+    if [[ ! -e "$path" ]]; then
+        return 0
+    fi
+    OPENCLAW_DETECTED=true
+    if [[ $DRY_RUN == true ]]; then
+        log_action "[DRY RUN] Would remove: $path"
+        return 0
+    fi
+    if rm -rf "$path" 2>/dev/null; then
+        log_action "Removed: $path"
+        return 0
+    else
+        log_failure "Could not remove: $path"
+        return 1
+    fi
+}
+# Check if running as root
+check_privileges() {
+    if [[ $EUID -ne 0 ]]; then
+        echo "Warning: Not running as root. Some enforcement actions may fail."
+        echo "For complete enforcement, run: sudo $0"
+        echo ""
+    fi
+}
+# Kill OpenClaw processes
+kill_processes() {
+    log_action "Checking for OpenClaw processes..."
+    local pids
+    pids=$(pgrep -f "openclaw" 2>/dev/null || true)
+    if [[ -n "$pids" ]]; then
+        OPENCLAW_DETECTED=true
+        if [[ $DRY_RUN == true ]]; then
+            log_action "[DRY RUN] Would kill processes: $pids"
+            return 0
+        fi
+        for pid in $pids; do
+            if kill -9 "$pid" 2>/dev/null; then
+                log_action "Killed process: $pid"
+            else
+                log_failure "Could not kill process: $pid"
+            fi
+        done
+    else
+        log_verbose "No OpenClaw processes found"
+    fi
+}
+# Stop and disable launchd services (macOS)
+enforce_launchd() {
+    if [[ "$(uname -s)" != "Darwin" ]]; then
+        return
+    fi
+    log_action "Checking launchd services..."
+    local plist_patterns=("bot.molt" "openclaw")
+    local search_dirs=(
+        "$HOME/Library/LaunchAgents"
+        "/Library/LaunchAgents"
+        "/Library/LaunchDaemons"
+    )
+    for dir in "\${search_dirs[@]}"; do
+        if [[ ! -d "$dir" ]]; then
+            continue
+        fi
+        for pattern in "\${plist_patterns[@]}"; do
+            for plist in "$dir"/*"$pattern"*.plist; do
+                if [[ -f "$plist" ]]; then
+                    OPENCLAW_DETECTED=true
+                    if [[ $DRY_RUN == true ]]; then
+                        log_action "[DRY RUN] Would unload and remove: $plist"
+                        continue
+                    fi
+                    # Unload the service
+                    launchctl unload "$plist" 2>/dev/null || true
+                    launchctl bootout system "$plist" 2>/dev/null || true
+                    launchctl bootout gui/$(id -u) "$plist" 2>/dev/null || true
+                    # Quarantine or remove the plist
+                    ${quarantine ? 'quarantine_file "$plist" "services"' : 'remove_path "$plist"'}
+                    log_action "Disabled launchd service: $plist"
+                fi
+            done
+        done
+    done
+}
+# Stop and disable systemd services (Linux)
+enforce_systemd() {
+    if ! command -v systemctl &>/dev/null; then
+        return
+    fi
+    log_action "Checking systemd services..."
+    local service_names=("openclaw" "openclaw.service" "bot.molt.gateway")
+    for service in "\${service_names[@]}"; do
+        if systemctl list-unit-files "$service" &>/dev/null 2>&1; then
+            OPENCLAW_DETECTED=true
+            if [[ $DRY_RUN == true ]]; then
+                log_action "[DRY RUN] Would stop and disable: $service"
+                continue
+            fi
+            systemctl stop "$service" 2>/dev/null || true
+            systemctl disable "$service" 2>/dev/null || true
+            log_action "Stopped and disabled systemd service: $service"
+        fi
+    done
+    # Remove service files
+    local service_paths=(
+        "/etc/systemd/system/openclaw.service"
+        "/usr/lib/systemd/system/openclaw.service"
+        "$HOME/.config/systemd/user/openclaw.service"
+    )
+    for service_path in "\${service_paths[@]}"; do
+        if [[ -f "$service_path" ]]; then
+            OPENCLAW_DETECTED=true
+            ${quarantine ? 'quarantine_file "$service_path" "services"' : 'remove_path "$service_path"'}
+        fi
+    done
+    # Reload systemd
+    if [[ $DRY_RUN == false ]]; then
+        systemctl daemon-reload 2>/dev/null || true
+    fi
+}
+# Remove CLI binaries
+remove_cli_binaries() {
+    log_action "Checking for CLI binaries..."
+    local cli_paths=(
+        "/usr/local/bin/openclaw"
+        "/opt/homebrew/bin/openclaw"
+        "/usr/bin/openclaw"
+        "$HOME/.local/bin/openclaw"
+        "$HOME/bin/openclaw"
+    )
+    for cli_path in "\${cli_paths[@]}"; do
+        if [[ -f "$cli_path" ]]; then
+            OPENCLAW_DETECTED=true
+            ${quarantine ? 'quarantine_file "$cli_path" "binaries"' : 'remove_path "$cli_path"'}
+        fi
+    done
+}
+# Remove macOS app bundle
+remove_app_bundle() {
+    if [[ "$(uname -s)" != "Darwin" ]]; then
+        return
+    fi
+    log_action "Checking for macOS app bundle..."
+    local app_paths=(
+        "/Applications/OpenClaw.app"
+        "$HOME/Applications/OpenClaw.app"
+    )
+    for app_path in "\${app_paths[@]}"; do
+        if [[ -d "$app_path" ]]; then
+            OPENCLAW_DETECTED=true
+            ${quarantine ? 'quarantine_file "$app_path" "binaries"' : 'remove_path "$app_path"'}
+        fi
+    done
+}
+# Remove configuration directories
+remove_config_directories() {
+    log_action "Checking for configuration directories..."
+    # Current user
+    if [[ -d "$HOME/.openclaw" ]]; then
+        OPENCLAW_DETECTED=true
+        ${quarantine ? 'quarantine_file "$HOME/.openclaw" "config"' : 'remove_path "$HOME/.openclaw"'}
+    fi
+    # Other users (requires root)
+    if [[ $EUID -eq 0 ]]; then
+        for user_home in /Users/* /home/*; do
+            local config_dir="$user_home/.openclaw"
+            if [[ -d "$config_dir" && "$config_dir" != "$HOME/.openclaw" ]]; then
+                OPENCLAW_DETECTED=true
+                ${quarantine ? 'quarantine_file "$config_dir" "config"' : 'remove_path "$config_dir"'}
+            fi
+        done
+    fi
+}
+# Clean Docker artifacts
+clean_docker() {
+    if ! command -v docker &>/dev/null; then
+        return
+    fi
+    log_action "Checking for Docker artifacts..."
+    # Stop and remove containers
+    local containers
+    containers=$(docker ps -a --filter "name=openclaw" --format "{{.ID}}" 2>/dev/null || true)
+    if [[ -n "$containers" ]]; then
+        OPENCLAW_DETECTED=true
+        if [[ $DRY_RUN == true ]]; then
+            log_action "[DRY RUN] Would remove Docker containers: $containers"
+        else
+            for container in $containers; do
+                docker stop "$container" 2>/dev/null || true
+                docker rm -f "$container" 2>/dev/null || true
+                log_action "Removed Docker container: $container"
+            done
+        fi
+    fi
+    # Remove images
+    local images
+    images=$(docker images --filter "reference=*openclaw*" --format "{{.ID}}" 2>/dev/null || true)
+    if [[ -n "$images" ]]; then
+        OPENCLAW_DETECTED=true
+        if [[ $DRY_RUN == true ]]; then
+            log_action "[DRY RUN] Would remove Docker images: $images"
+        else
+            for image in $images; do
+                docker rmi -f "$image" 2>/dev/null || true
+                log_action "Removed Docker image: $image"
+            done
+        fi
+    fi
+}
+# Block gateway port (optional isolation)
+block_gateway_port() {
+    if [[ "${options.quarantine ? 'true' : 'false'}" != "true" ]]; then
+        return
+    fi
+    log_action "Blocking gateway port $GATEWAY_PORT..."
+    if [[ $DRY_RUN == true ]]; then
+        log_action "[DRY RUN] Would block port $GATEWAY_PORT"
+        return
+    fi
+    if [[ "$(uname -s)" == "Darwin" ]]; then
+        # macOS: use pf
+        echo "block drop out proto tcp from any to any port $GATEWAY_PORT" | pfctl -ef - 2>/dev/null && \
+            log_action "Blocked port $GATEWAY_PORT via pf" || \
+            log_failure "Could not block port via pf"
+    else
+        # Linux: use iptables
+        iptables -A OUTPUT -p tcp --dport "$GATEWAY_PORT" -j DROP 2>/dev/null && \
+            log_action "Blocked port $GATEWAY_PORT via iptables" || \
+            log_failure "Could not block port via iptables"
+    fi
+}
+# Main enforcement routine
+main() {
+    echo "=============================================="
+    echo "Nox OpenClaw Enforcement"
+    echo "=============================================="
+    ${dryRun ? 'echo "[DRY RUN MODE - No changes will be made]"' : ''}
+    echo ""
+    check_privileges
+    ${quarantine ? 'setup_quarantine' : ''}
+    # Execute enforcement actions in order
+    kill_processes
+    enforce_launchd
+    enforce_systemd
+    remove_cli_binaries
+    remove_app_bundle
+    remove_config_directories
+    clean_docker
+    block_gateway_port
+    # Compile results
+    local actions_string=""
+    if [[ \${#ENFORCEMENT_ACTIONS[@]} -gt 0 ]]; then
+        actions_string=$(IFS="; "; echo "\${ENFORCEMENT_ACTIONS[*]}")
+    fi
+    echo ""
+    echo "=============================================="
+    echo "Enforcement Summary"
+    echo "=============================================="
+    # Send webhook notification
+    ${safeWebhookUrl ? `
+    if [[ $OPENCLAW_DETECTED == true ]]; then
+        if [[ \${#FAILED_ACTIONS[@]} -eq 0 ]]; then
+            send_webhook "success" "high" "$actions_string"
+        else
+            send_webhook "partial" "high" "$actions_string"
+        fi
+    else
+        send_webhook "clean" "info" "No OpenClaw installation found"
+    fi
+    ` : ''}
+    if [[ $OPENCLAW_DETECTED == false ]]; then
+        echo "No OpenClaw installation detected. System is clean."
+        exit 3
+    elif [[ \${#FAILED_ACTIONS[@]} -gt 0 ]]; then
+        echo "Enforcement partially completed with \${#FAILED_ACTIONS[@]} failures:"
+        for failure in "\${FAILED_ACTIONS[@]}"; do
+            echo "  - $failure"
+        done
+        exit 1
+    else
+        echo "Enforcement completed successfully."
+        echo "Actions taken: \${#ENFORCEMENT_ACTIONS[@]}"
+        ${quarantine ? 'echo "Quarantine location: $QUARANTINE_DIR"' : ''}
+        exit 0
+    fi
+}
+# Run main function
+main "$@"
+`;
+}
+/**
+ * Get script metadata for documentation.
+ */
+export function getEnforceShellMetadata() {
+    return {
+        filename: 'enforce-openclaw.sh',
+        extension: '.sh',
+        platform: 'unix',
+        description: 'Shell enforcement script for macOS and Linux',
+        requirements: ['bash 4.0+', 'Root/sudo access (recommended)', 'Standard Unix utilities'],
+        exitCodes: {
+            0: 'Enforcement successful',
+            1: 'Enforcement partially failed',
+            2: 'Script error',
+            3: 'Nothing to enforce (clean system)',
+        },
+    };
+}
+//# sourceMappingURL=enforce.sh.js.map

package/dist/mdm/templates/enforce.sh.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforce.sh.js","sourceRoot":"","sources":["../../../src/mdm/templates/enforce.sh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAWrD;;;GAGG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,oBAAoB;IACpB,IAAI,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrC,+CAA+C;IAC/C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACzC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACzC,kCAAkC;IAClC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACxC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACtC,CAAC;QACD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CAAC,UAA+B,EAAE;IAC1E,MAAM,EACJ,UAAU,EACV,YAAY,EACZ,WAAW,GAAG,KAAK,EACnB,OAAO,GAAG,KAAK,EACf,MAAM,GAAG,KAAK,EACd,UAAU,GAAG,KAAK,GACnB,GAAG,OAAO,CAAC;IAEZ,0DAA0D;IAC1D,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAEpF,wBAAwB;IACxB,IAAI,WAAW,GAAG,CAAC,IAAI,WAAW,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,cAAc,GAAG,cAAc;QACnC,CAAC,CAAC;;eAES,cAAc;EAC3B,gBAAgB,CAAC,CAAC,CAAC,kBAAkB,gBAAgB,GAAG,CAAC,CAAC,CAAC,kBAAkB;;;;;;;;;;;;;;;;;;;;;;gBAsB/D,MAAM;;;sBAGA,OAAO;qBACR,OAAO;;;;;;;;;;;;;;;;;;CAkB3B;QACG,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,UAAU,GAAG,OAAO;QACxB,CAAC,CAAC;;;;CAIL;QACG,CAAC,CAAC;;CAEL,CAAC;IAEA,MAAM,WAAW,GAAG,MAAM;QACxB,CAAC,CAAC;;;;;CAKL;QACG,CAAC,CAAC;;;;;CAKL,CAAC;IAEA,MAAM,iBAAiB,GAAG,UAAU;QAClC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6CL;QACG,CAAC,CAAC;;;;;;CAML,CAAC;IAEA,OAAO;;;;wCAI+B,OAAO;IAC3C,OAAO;;;;;;;;;;;;;;;;;;;eAmBI,WAAW;;;;EAIxB,UAAU;EACV,WAAW;EACX,cAAc;EACd,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAgHf,UAAU,CAAC,CAAC,CAAC,qCAAqC,CAAC,CAAC,CAAC,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA4CnF,UAAU,CAAC,CAAC,CAAC,4CAA4C,CAAC,CAAC,CAAC,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;cAyBzF,UAAU,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,yBAAyB;;;;;;;;;;;;;;;;;;;;;cAqBjF,UAAU,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,yBAAyB;;;;;;;;;;;;UAYrF,UAAU,CAAC,CAAC,CAAC,4CAA4C,CAAC,CAAC,CAAC,+BAA+B;;;;;;;;;kBASnF,UAAU,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAoDxF,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MA6B5C,MAAM,CAAC,CAAC,CAAC,iDAAiD,CAAC,CAAC,CAAC,EAAE;;;;;MAK/D,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;;;;;MAwBpC,cAAc,CAAC,CAAC,CAAC;;;;;;;;;;KAUlB,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;UAcA,UAAU,CAAC,CAAC,CAAC,6CAA6C,CAAC,CAAC,CAAC,EAAE;;;;;;;CAOxE,CAAC;AACF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO;QACL,QAAQ,EAAE,qBAAqB;QAC/B,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,CAAC,WAAW,EAAE,gCAAgC,EAAE,yBAAyB,CAAC;QACxF,SAAS,EAAE;YACT,CAAC,EAAE,wBAAwB;YAC3B,CAAC,EAAE,8BAA8B;YACjC,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,mCAAmC;SACvC;KACF,CAAC;AACJ,CAAC"}

package/dist/platform/darwin.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * macOS (Darwin) platform implementation.
+ */
+import type { Platform } from './index.js';
+export declare const darwin: Platform;
+//# sourceMappingURL=darwin.d.ts.map

package/dist/platform/darwin.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"darwin.d.ts","sourceRoot":"","sources":["../../src/platform/darwin.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAe,MAAM,YAAY,CAAC;AAQxD,eAAO,MAAM,MAAM,EAAE,QAyMpB,CAAC"}