nox-openclaw-hunter 1.0.0

package/dist/platform/darwin.js

@@ -0,0 +1,192 @@
+/**
+ * macOS (Darwin) platform implementation.
+ */
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { exec, validateServiceName, validateProcessName, validatePid, validatePort } from '../utils/exec.js';
+import { pathExists } from '../utils/fs.js';
+const GATEWAY_SERVICE_LABEL = 'bot.molt.gateway';
+const QUARANTINE_BASE = '/var/nox-quarantine';
+export const darwin = {
+    name: 'darwin',
+    getCliLocations() {
+        return ['/usr/local/bin/openclaw', '/opt/homebrew/bin/openclaw'];
+    },
+    getAppLocations() {
+        return ['/Applications/OpenClaw.app'];
+    },
+    getStateDirPath(user) {
+        const home = user === 'root' || !user ? '/var/root' : path.join('/Users', user);
+        return path.join(home, '.openclaw');
+    },
+    getServiceName(_profile) {
+        return GATEWAY_SERVICE_LABEL;
+    },
+    async checkServiceRunning(name) {
+        try {
+            const safeName = validateServiceName(name);
+            const { stdout } = await exec(`launchctl list ${safeName} 2>/dev/null || true`, {
+                timeout: 5000,
+            });
+            return stdout.includes(safeName) && !stdout.includes('Could not find');
+        }
+        catch {
+            return false;
+        }
+    },
+    async stopService(name) {
+        const safeName = validateServiceName(name);
+        await exec(`launchctl unload ~/Library/LaunchAgents/${safeName}.plist 2>/dev/null || true`);
+        await exec(`launchctl bootout gui/$(id -u) ${safeName} 2>/dev/null || true`);
+        await exec(`launchctl remove ${safeName} 2>/dev/null || true`);
+    },
+    async disableService(name) {
+        await this.stopService(name);
+        // Remove plist to prevent reload
+        const plistPaths = [
+            path.join(os.homedir(), 'Library', 'LaunchAgents', `${name}.plist`),
+            `/Library/LaunchAgents/${name}.plist`,
+            `/Library/LaunchDaemons/${name}.plist`,
+        ];
+        for (const p of plistPaths) {
+            if (await pathExists(p)) {
+                const { rm } = await import('node:fs/promises');
+                await rm(p, { force: true }).catch(() => { });
+            }
+        }
+    },
+    async findProcesses(name) {
+        const results = [];
+        try {
+            // Validate process name to prevent command injection
+            const safeName = validateProcessName(name);
+            // Use ps to find processes, then filter by actual process name (not full command line)
+            // This avoids false positives from matching directory paths or arguments
+            const { stdout } = await exec(`ps -axo pid,comm 2>/dev/null | grep -i "${safeName}" || true`, { timeout: 5000 });
+            const lines = stdout.trim().split('\n').filter(Boolean);
+            for (const line of lines) {
+                const match = line.match(/^\s*(\d+)\s+(.+)$/);
+                if (match) {
+                    const pid = parseInt(match[1], 10);
+                    const comm = match[2].trim();
+                    // Extract just the binary name from the path
+                    const processName = comm.split('/').pop() ?? comm;
+                    // Only include if the process name itself matches (not just the path)
+                    if (processName.toLowerCase().includes(name.toLowerCase())) {
+                        results.push({
+                            pid,
+                            name: processName,
+                            user: undefined,
+                        });
+                    }
+                }
+            }
+            // Optional: get RSS via ps for memory
+            for (const p of results) {
+                try {
+                    const { stdout: psOut } = await exec(`ps -o rss= -p ${p.pid} 2>/dev/null || true`);
+                    const kb = parseInt(psOut.trim(), 10);
+                    if (!Number.isNaN(kb))
+                        p.memory = kb * 1024;
+                }
+                catch {
+                    /* ignore */
+                }
+            }
+        }
+        catch {
+            /* return empty */
+        }
+        return results;
+    },
+    async killProcess(pid) {
+        const safePid = validatePid(pid);
+        await exec(`kill -9 ${safePid}`);
+    },
+    async blockPort(port) {
+        // Validate port number to prevent command injection
+        const safePort = validatePort(port);
+        // Check if running as root (required for pfctl)
+        const isRoot = process.getuid?.() === 0;
+        if (!isRoot) {
+            throw new Error('Port blocking requires root privileges. Run with: sudo nox isolate --block-port');
+        }
+        // Use a dedicated anchor so we can add/remove rules without affecting other firewall rules
+        const anchor = 'com.nox.openclaw';
+        // Block ALL traffic to/from this port (inbound, outbound, and loopback)
+        const rules = [
+            `block drop in proto tcp from any to any port ${safePort}`,
+            `block drop out proto tcp from any to any port ${safePort}`,
+            `block drop in proto tcp from any to 127.0.0.1 port ${safePort}`,
+            `block drop out proto tcp from any to 127.0.0.1 port ${safePort}`,
+        ].join('\n');
+        // Create anchor rules file with secure random name to prevent symlink attacks
+        const { randomBytes } = await import('node:crypto');
+        const randomSuffix = randomBytes(16).toString('hex');
+        const rulesFile = `/tmp/nox-pf-rules-${randomSuffix}.conf`;
+        // Write rules file using Node.js fs to avoid shell injection
+        const { writeFile, unlink } = await import('node:fs/promises');
+        await writeFile(rulesFile, rules, { mode: 0o600 });
+        try {
+            // Check if pfctl is enabled
+            const { stdout: status } = await exec(`pfctl -s info 2>&1 | head -1 || true`);
+            const isEnabled = status.includes('Enabled');
+            // Load rules into our anchor
+            const { stderr } = await exec(`pfctl -a ${anchor} -f ${rulesFile} 2>&1`);
+            if (stderr && (stderr.includes('Permission denied') || stderr.includes('Operation not permitted'))) {
+                throw new Error('Permission denied - run with sudo');
+            }
+            // Enable pfctl if not already enabled
+            if (!isEnabled) {
+                await exec(`pfctl -e 2>&1 || true`);
+            }
+        }
+        finally {
+            // Clean up temp file securely
+            await unlink(rulesFile).catch(() => { });
+        }
+    },
+    async unblockPort(port) {
+        // Validate port number (even though we flush all rules, good practice)
+        validatePort(port);
+        // Check if running as root (required for pfctl)
+        const isRoot = process.getuid?.() === 0;
+        if (!isRoot) {
+            throw new Error('Port unblocking requires root privileges. Run with: sudo nox isolate revert --unblock-port');
+        }
+        // Flush only our anchor, leaving other firewall rules intact
+        const anchor = 'com.nox.openclaw';
+        const { stderr } = await exec(`pfctl -a ${anchor} -F all 2>&1`);
+        if (stderr && (stderr.includes('Permission denied') || stderr.includes('Operation not permitted'))) {
+            throw new Error('Permission denied - run with sudo');
+        }
+        // Note: We don't disable pfctl entirely as other rules may be active
+        // The anchor is now empty, so our blocking rule is removed
+    },
+    getQuarantinePath() {
+        return QUARANTINE_BASE;
+    },
+    async getAllUsers() {
+        const users = [];
+        try {
+            const { stdout } = await exec('dscl . list /Users UniqueID 2>/dev/null || true', {
+                timeout: 5000,
+            });
+            const lines = stdout.trim().split('\n').filter(Boolean);
+            for (const line of lines) {
+                const parts = line.split(/\s+/);
+                const name = parts[0];
+                if (name && name !== '_' && name !== 'nobody' && name !== 'daemon') {
+                    const uid = parseInt(parts[1], 10);
+                    if (uid >= 500 || uid === 0)
+                        users.push(name);
+                }
+            }
+        }
+        catch {
+            users.push(os.userInfo().username);
+        }
+        return users.length > 0 ? users : [os.userInfo().username];
+    },
+};
+//# sourceMappingURL=darwin.js.map

package/dist/platform/darwin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"darwin.js","sourceRoot":"","sources":["../../src/platform/darwin.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC7G,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAE5C,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;AACjD,MAAM,eAAe,GAAG,qBAAqB,CAAC;AAE9C,MAAM,CAAC,MAAM,MAAM,GAAa;IAC9B,IAAI,EAAE,QAAwB;IAE9B,eAAe;QACb,OAAO,CAAC,yBAAyB,EAAE,4BAA4B,CAAC,CAAC;IACnE,CAAC;IAED,eAAe;QACb,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACxC,CAAC;IAED,eAAe,CAAC,IAAY;QAC1B,MAAM,IAAI,GAAG,IAAI,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,cAAc,CAAC,QAAiB;QAC9B,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,IAAY;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,QAAQ,sBAAsB,EAAE;gBAC9E,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACzE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,2CAA2C,QAAQ,4BAA4B,CAAC,CAAC;QAC5F,MAAM,IAAI,CAAC,kCAAkC,QAAQ,sBAAsB,CAAC,CAAC;QAC7E,MAAM,IAAI,CAAC,oBAAoB,QAAQ,sBAAsB,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC7B,iCAAiC;QACjC,MAAM,UAAU,GAAG;YACjB,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,IAAI,QAAQ,CAAC;YACnE,yBAAyB,IAAI,QAAQ;YACrC,0BAA0B,IAAI,QAAQ;SACvC,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,MAAM,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,EAAE,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBAChD,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,IAAY;QAC9B,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,qDAAqD;YACrD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,uFAAuF;YACvF,yEAAyE;YACzE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,2CAA2C,QAAQ,WAAW,EAC9D,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;gBAC9C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACnC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7B,6CAA6C;oBAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;oBAClD,sEAAsE;oBACtE,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;wBAC3D,OAAO,CAAC,IAAI,CAAC;4BACX,GAAG;4BACH,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YACD,sCAAsC;YACtC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,CAAC,GAAG,sBAAsB,CAAC,CAAC;oBACnF,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;wBAAE,CAAC,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,WAAW,OAAO,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,oDAAoD;QACpD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QAEpC,gDAAgD;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,iFAAiF,CAAC,CAAC;QACrG,CAAC;QAED,2FAA2F;QAC3F,MAAM,MAAM,GAAG,kBAAkB,CAAC;QAElC,wEAAwE;QACxE,MAAM,KAAK,GAAG;YACZ,gDAAgD,QAAQ,EAAE;YAC1D,iDAAiD,QAAQ,EAAE;YAC3D,sDAAsD,QAAQ,EAAE;YAChE,uDAAuD,QAAQ,EAAE;SAClE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEb,8EAA8E;QAC9E,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,qBAAqB,YAAY,OAAO,CAAC;QAE3D,6DAA6D;QAC7D,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC/D,MAAM,SAAS,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEnD,IAAI,CAAC;YACH,4BAA4B;YAC5B,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,sCAAsC,CAAC,CAAC;YAC9E,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAE7C,6BAA6B;YAC7B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,YAAY,MAAM,OAAO,SAAS,OAAO,CAAC,CAAC;YACzE,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC;gBACnG,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YAED,sCAAsC;YACtC,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;gBAAS,CAAC;YACT,8BAA8B;YAC9B,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,uEAAuE;QACvE,YAAY,CAAC,IAAI,CAAC,CAAC;QAEnB,gDAAgD;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,EAAE,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;QAChH,CAAC;QAED,6DAA6D;QAC7D,MAAM,MAAM,GAAG,kBAAkB,CAAC;QAClC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,YAAY,MAAM,cAAc,CAAC,CAAC;QAChE,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC;YACnG,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,qEAAqE;QACrE,2DAA2D;IAC7D,CAAC;IAED,iBAAiB;QACf,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,iDAAiD,EAAE;gBAC/E,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAChC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACnE,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACnC,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,KAAK,CAAC;wBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChD,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}

package/dist/platform/index.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Platform abstraction layer for detection, enforcement, and isolation.
+ */
+import type { PlatformName } from '../types/detection.js';
+import type { ProcessInfo } from '../types/detection.js';
+export type { ProcessInfo };
+export interface Platform {
+    name: PlatformName;
+    /** Paths to check for OpenClaw CLI binary. */
+    getCliLocations(): string[];
+    /** Paths to check for OpenClaw app bundle (e.g. macOS .app). */
+    getAppLocations(): string[];
+    /** State directory path for a given user (e.g. ~/.openclaw). */
+    getStateDirPath(user: string): string;
+    /** Service name for the gateway (e.g. launchd label, systemd unit). */
+    getServiceName(profile?: string): string;
+    /** Whether the given service is currently running. */
+    checkServiceRunning(name: string): Promise<boolean>;
+    /** Stop the given service. */
+    stopService(name: string): Promise<void>;
+    /** Disable the service from starting on boot. */
+    disableService(name: string): Promise<void>;
+    /** Find processes matching the given name. */
+    findProcesses(name: string): Promise<ProcessInfo[]>;
+    /** Kill process by PID. */
+    killProcess(pid: number): Promise<void>;
+    /** Block outbound TCP traffic to the given port (firewall). */
+    blockPort(port: number): Promise<void>;
+    /** Remove firewall block for the given port. */
+    unblockPort(port: number): Promise<void>;
+    /** Base directory for quarantined artifacts. */
+    getQuarantinePath(): string;
+    /** List of local user account names (for multi-user scan). */
+    getAllUsers(): Promise<string[]>;
+}
+export { darwin } from './darwin.js';
+export { linux } from './linux.js';
+export { windows } from './windows.js';
+/**
+ * Return the platform implementation for the current OS.
+ */
+export declare function getPlatform(): Platform;
+//# sourceMappingURL=index.d.ts.map

package/dist/platform/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAC;IAEnB,8CAA8C;IAC9C,eAAe,IAAI,MAAM,EAAE,CAAC;IAE5B,gEAAgE;IAChE,eAAe,IAAI,MAAM,EAAE,CAAC;IAE5B,gEAAgE;IAChE,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtC,uEAAuE;IACvE,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEzC,sDAAsD;IACtD,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpD,8BAA8B;IAC9B,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,iDAAiD;IACjD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5C,8CAA8C;IAC9C,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAEpD,2BAA2B;IAC3B,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC,+DAA+D;IAC/D,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvC,gDAAgD;IAChD,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,gDAAgD;IAChD,iBAAiB,IAAI,MAAM,CAAC;IAE5B,8DAA8D;IAC9D,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CAClC;AAMD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC;;GAEG;AACH,wBAAgB,WAAW,IAAI,QAAQ,CAYtC"}

package/dist/platform/index.js

@@ -0,0 +1,27 @@
+/**
+ * Platform abstraction layer for detection, enforcement, and isolation.
+ */
+import * as os from 'node:os';
+import { darwin } from './darwin.js';
+import { linux } from './linux.js';
+import { windows } from './windows.js';
+export { darwin } from './darwin.js';
+export { linux } from './linux.js';
+export { windows } from './windows.js';
+/**
+ * Return the platform implementation for the current OS.
+ */
+export function getPlatform() {
+    const platform = os.platform();
+    switch (platform) {
+        case 'darwin':
+            return darwin;
+        case 'linux':
+            return linux;
+        case 'win32':
+            return windows;
+        default:
+            throw new Error(`Unsupported platform: ${platform}`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/platform/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAiD9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,MAAM,CAAC;QAChB,KAAK,OAAO;YACV,OAAO,KAAK,CAAC;QACf,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC"}

package/dist/platform/linux.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Linux platform implementation.
+ */
+import type { Platform } from './index.js';
+export declare const linux: Platform;
+//# sourceMappingURL=linux.d.ts.map

package/dist/platform/linux.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux.d.ts","sourceRoot":"","sources":["../../src/platform/linux.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAe,MAAM,YAAY,CAAC;AASxD,eAAO,MAAM,KAAK,EAAE,QAuInB,CAAC"}

package/dist/platform/linux.js

@@ -0,0 +1,134 @@
+/**
+ * Linux platform implementation.
+ */
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { exec, validateServiceName, validateProcessName, validatePid, validatePort } from '../utils/exec.js';
+const GATEWAY_SERVICE_NAME = 'openclaw-gateway';
+const GATEWAY_SERVICE_LEGACY = 'bot.molt.gateway';
+const QUARANTINE_BASE = '/var/lib/nox-quarantine';
+export const linux = {
+    name: 'linux',
+    getCliLocations() {
+        return ['/usr/local/bin/openclaw', '/usr/bin/openclaw'];
+    },
+    getAppLocations() {
+        return [];
+    },
+    getStateDirPath(user) {
+        const home = user === 'root' || !user ? '/root' : path.join('/home', user);
+        return path.join(home, '.openclaw');
+    },
+    getServiceName(_profile) {
+        return GATEWAY_SERVICE_NAME;
+    },
+    async checkServiceRunning(name) {
+        try {
+            const safeName = validateServiceName(name);
+            const { stdout } = await exec(`systemctl is-active ${safeName} 2>/dev/null || true`, {
+                timeout: 5000,
+            });
+            if (stdout.trim() === 'active')
+                return true;
+            // GATEWAY_SERVICE_LEGACY is a constant, so it's safe
+            const { stdout: legacy } = await exec(`systemctl is-active ${GATEWAY_SERVICE_LEGACY} 2>/dev/null || true`, { timeout: 5000 });
+            return legacy.trim() === 'active';
+        }
+        catch {
+            return false;
+        }
+    },
+    async stopService(name) {
+        const safeName = validateServiceName(name);
+        await exec(`sudo systemctl stop ${safeName} 2>/dev/null || true`);
+        await exec(`sudo systemctl stop ${GATEWAY_SERVICE_LEGACY} 2>/dev/null || true`);
+    },
+    async disableService(name) {
+        const safeName = validateServiceName(name);
+        await this.stopService(safeName);
+        await exec(`sudo systemctl disable ${safeName} 2>/dev/null || true`);
+        await exec(`sudo systemctl disable ${GATEWAY_SERVICE_LEGACY} 2>/dev/null || true`);
+    },
+    async findProcesses(name) {
+        const results = [];
+        try {
+            // Validate process name to prevent command injection
+            const safeName = validateProcessName(name);
+            // Use ps to find processes, then filter by actual process name (not full command line)
+            // This avoids false positives from matching directory paths or arguments
+            const { stdout } = await exec(`ps -eo pid,comm 2>/dev/null | grep -i "${safeName}" || true`, { timeout: 5000 });
+            const lines = stdout.trim().split('\n').filter(Boolean);
+            for (const line of lines) {
+                const match = line.match(/^\s*(\d+)\s+(.+)$/);
+                if (match) {
+                    const pid = parseInt(match[1], 10);
+                    const comm = match[2].trim();
+                    // Extract just the binary name from the path
+                    const processName = comm.split('/').pop() ?? comm;
+                    // Only include if the process name itself matches (not just the path)
+                    if (processName.toLowerCase().includes(name.toLowerCase())) {
+                        results.push({
+                            pid,
+                            name: processName,
+                            user: undefined,
+                        });
+                    }
+                }
+            }
+            for (const p of results) {
+                try {
+                    const { stdout: psOut } = await exec(`ps -o rss= -p ${p.pid} 2>/dev/null || true`);
+                    const kb = parseInt(psOut.trim(), 10);
+                    if (!Number.isNaN(kb))
+                        p.memory = kb * 1024;
+                }
+                catch {
+                    /* ignore */
+                }
+            }
+        }
+        catch {
+            /* return empty */
+        }
+        return results;
+    },
+    async killProcess(pid) {
+        const safePid = validatePid(pid);
+        await exec(`kill -9 ${safePid}`);
+    },
+    async blockPort(port) {
+        const safePort = validatePort(port);
+        await exec(`sudo iptables -A OUTPUT -p tcp --dport ${safePort} -j DROP 2>/dev/null || true`);
+    },
+    async unblockPort(port) {
+        const safePort = validatePort(port);
+        await exec(`sudo iptables -D OUTPUT -p tcp --dport ${safePort} -j DROP 2>/dev/null || true`);
+    },
+    getQuarantinePath() {
+        return QUARANTINE_BASE;
+    },
+    async getAllUsers() {
+        const users = [];
+        try {
+            const { pathExists: exists } = await import('../utils/fs.js');
+            if (await exists('/etc/passwd')) {
+                const { readFile } = await import('node:fs/promises');
+                const content = await readFile('/etc/passwd', 'utf8');
+                for (const line of content.split('\n')) {
+                    const parts = line.split(':');
+                    if (parts.length >= 3) {
+                        const name = parts[0];
+                        const uid = parseInt(parts[2], 10);
+                        if (uid >= 1000 || uid === 0)
+                            users.push(name);
+                    }
+                }
+            }
+        }
+        catch {
+            /* fallback */
+        }
+        return users.length > 0 ? users : [os.userInfo().username];
+    },
+};
+//# sourceMappingURL=linux.js.map

package/dist/platform/linux.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux.js","sourceRoot":"","sources":["../../src/platform/linux.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAG7G,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AAChD,MAAM,sBAAsB,GAAG,kBAAkB,CAAC;AAClD,MAAM,eAAe,GAAG,yBAAyB,CAAC;AAElD,MAAM,CAAC,MAAM,KAAK,GAAa;IAC7B,IAAI,EAAE,OAAuB;IAE7B,eAAe;QACb,OAAO,CAAC,yBAAyB,EAAE,mBAAmB,CAAC,CAAC;IAC1D,CAAC;IAED,eAAe;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,eAAe,CAAC,IAAY;QAC1B,MAAM,IAAI,GAAG,IAAI,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,cAAc,CAAC,QAAiB;QAC9B,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,IAAY;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,uBAAuB,QAAQ,sBAAsB,EAAE;gBACnF,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;YACH,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC5C,qDAAqD;YACrD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CACnC,uBAAuB,sBAAsB,sBAAsB,EACnE,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;YACF,OAAO,MAAM,CAAC,IAAI,EAAE,KAAK,QAAQ,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,uBAAuB,QAAQ,sBAAsB,CAAC,CAAC;QAClE,MAAM,IAAI,CAAC,uBAAuB,sBAAsB,sBAAsB,CAAC,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,0BAA0B,QAAQ,sBAAsB,CAAC,CAAC;QACrE,MAAM,IAAI,CAAC,0BAA0B,sBAAsB,sBAAsB,CAAC,CAAC;IACrF,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,IAAY;QAC9B,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,qDAAqD;YACrD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,uFAAuF;YACvF,yEAAyE;YACzE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,0CAA0C,QAAQ,WAAW,EAC7D,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACxD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;gBAC9C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACnC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7B,6CAA6C;oBAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;oBAClD,sEAAsE;oBACtE,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;wBAC3D,OAAO,CAAC,IAAI,CAAC;4BACX,GAAG;4BACH,IAAI,EAAE,WAAW;4BACjB,IAAI,EAAE,SAAS;yBAChB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YACD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,CAAC,GAAG,sBAAsB,CAAC,CAAC;oBACnF,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;oBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;wBAAE,CAAC,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC;gBAC9C,CAAC;gBAAC,MAAM,CAAC;oBACP,YAAY;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,WAAW,OAAO,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,IAAI,CAAC,0CAA0C,QAAQ,8BAA8B,CAAC,CAAC;IAC/F,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,IAAI,CAAC,0CAA0C,QAAQ,8BAA8B,CAAC,CAAC;IAC/F,CAAC;IAED,iBAAiB;QACf,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC9D,IAAI,MAAM,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;gBAChC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBACtD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;gBACtD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;wBACtB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;wBACtB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACnC,IAAI,GAAG,IAAI,IAAI,IAAI,GAAG,KAAK,CAAC;4BAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}

package/dist/platform/windows.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Windows platform implementation.
+ */
+import type { Platform } from './index.js';
+export declare const windows: Platform;
+//# sourceMappingURL=windows.d.ts.map

package/dist/platform/windows.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"windows.d.ts","sourceRoot":"","sources":["../../src/platform/windows.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAe,MAAM,YAAY,CAAC;AAWxD,eAAO,MAAM,OAAO,EAAE,QAiJrB,CAAC"}

package/dist/platform/windows.js

@@ -0,0 +1,134 @@
+/**
+ * Windows platform implementation.
+ */
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { exec, validateServiceName, validateProcessName, validatePid, validatePort } from '../utils/exec.js';
+const GATEWAY_SERVICE_NAME = 'OpenClawGateway';
+const QUARANTINE_BASE = path.join(process.env.ProgramData ?? 'C:\\ProgramData', 'NoxQuarantine');
+function getLocalAppData() {
+    return process.env.LOCALAPPDATA ?? path.join(process.env.USERPROFILE ?? 'C:\\Users\\User', 'AppData', 'Local');
+}
+export const windows = {
+    name: 'windows',
+    getCliLocations() {
+        const localAppData = getLocalAppData();
+        return [
+            path.join(localAppData, 'Programs', 'openclaw', 'openclaw.exe'),
+            path.join(process.env.ProgramFiles ?? 'C:\\Program Files', 'openclaw', 'openclaw.exe'),
+            path.join(process.env['ProgramFiles(x86)'] ?? 'C:\\Program Files (x86)', 'openclaw', 'openclaw.exe'),
+        ];
+    },
+    getAppLocations() {
+        return [];
+    },
+    getStateDirPath(user) {
+        const base = process.env.SYSTEMDRIVE ?? 'C:';
+        const home = user && user !== 'SYSTEM'
+            ? path.join(base, 'Users', user)
+            : path.join(base, 'Users', os.userInfo().username);
+        return path.join(home, '.openclaw');
+    },
+    getServiceName(_profile) {
+        return GATEWAY_SERVICE_NAME;
+    },
+    async checkServiceRunning(name) {
+        try {
+            const safeName = validateServiceName(name);
+            const { stdout } = await exec(`sc query ${safeName} 2>nul | findstr /C:"RUNNING"`, { timeout: 5000 });
+            return stdout.trim().length > 0;
+        }
+        catch {
+            return false;
+        }
+    },
+    async stopService(name) {
+        const safeName = validateServiceName(name);
+        await exec(`sc stop ${safeName} 2>nul`, { timeout: 15000 });
+    },
+    async disableService(name) {
+        const safeName = validateServiceName(name);
+        await this.stopService(safeName);
+        await exec(`sc config ${safeName} start= disabled 2>nul`, { timeout: 5000 });
+    },
+    async findProcesses(name) {
+        const results = [];
+        try {
+            // Validate process name to prevent command injection
+            const safeName = validateProcessName(name);
+            const { stdout } = await exec(`wmic process where "name like '%${safeName}%'" get ProcessId,Name,WorkingSetSize 2>nul`, { timeout: 10000 });
+            const lines = stdout.trim().split('\r\n').filter(Boolean);
+            const header = lines[0]?.toLowerCase() ?? '';
+            const pidIdx = header.includes('processid') ? header.split(/\s+/).indexOf('processid') : -1;
+            const nameIdx = header.includes('name') ? header.split(/\s+/).indexOf('name') : -1;
+            const memIdx = header.includes('workingsetsize') ? header.split(/\s+/).indexOf('workingsetsize') : -1;
+            for (let i = 1; i < lines.length; i++) {
+                const parts = lines[i].trim().split(/\s+/);
+                const pid = pidIdx >= 0 ? parseInt(parts[pidIdx], 10) : NaN;
+                const procName = nameIdx >= 0 ? parts[nameIdx] ?? 'openclaw' : 'openclaw';
+                const mem = memIdx >= 0 ? parseInt(parts[memIdx], 10) : undefined;
+                if (!Number.isNaN(pid)) {
+                    results.push({
+                        pid,
+                        name: procName,
+                        memory: Number.isNaN(mem) ? undefined : mem,
+                        user: undefined,
+                    });
+                }
+            }
+            // Fallback: tasklist
+            if (results.length === 0) {
+                const { stdout: taskOut } = await exec(`tasklist /FI "IMAGENAME eq ${safeName}*" /FO CSV /NH 2>nul`, { timeout: 5000 });
+                const taskLines = taskOut.trim().split('\n').filter(Boolean);
+                for (const line of taskLines) {
+                    const match = line.match(/"([^"]+)","(\d+)"/);
+                    if (match) {
+                        results.push({
+                            pid: parseInt(match[2], 10),
+                            name: match[1],
+                            user: undefined,
+                        });
+                    }
+                }
+            }
+        }
+        catch {
+            /* return empty */
+        }
+        return results;
+    },
+    async killProcess(pid) {
+        const safePid = validatePid(pid);
+        await exec(`taskkill /F /PID ${safePid} 2>nul`);
+    },
+    async blockPort(port) {
+        const safePort = validatePort(port);
+        const ruleName = 'Nox Block OpenClaw';
+        await exec(`netsh advfirewall firewall add rule name="${ruleName}" dir=out action=block protocol=TCP remoteport=${safePort} 2>nul`, { timeout: 5000 });
+    },
+    async unblockPort(port) {
+        await exec('netsh advfirewall firewall delete rule name="Nox Block OpenClaw" 2>nul', { timeout: 5000 });
+    },
+    getQuarantinePath() {
+        return QUARANTINE_BASE;
+    },
+    async getAllUsers() {
+        const users = [];
+        try {
+            const { stdout } = await exec('wmic useraccount where localaccount="true" get name 2>nul', {
+                timeout: 10000,
+            });
+            const lines = stdout.trim().split(/\r?\n/).filter(Boolean);
+            for (let i = 1; i < lines.length; i++) {
+                const name = lines[i].trim();
+                if (name && name !== 'Name')
+                    users.push(name);
+            }
+        }
+        catch {
+            /* fallback */
+        }
+        return users.length > 0 ? users : [os.userInfo().username];
+    },
+};
+//# sourceMappingURL=windows.js.map

package/dist/platform/windows.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"windows.js","sourceRoot":"","sources":["../../src/platform/windows.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAE7G,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AAC/C,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,iBAAiB,EAAE,eAAe,CAAC,CAAC;AAEjG,SAAS,eAAe;IACtB,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,iBAAiB,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AACjH,CAAC;AAED,MAAM,CAAC,MAAM,OAAO,GAAa;IAC/B,IAAI,EAAE,SAAyB;IAE/B,eAAe;QACb,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;QACvC,OAAO;YACL,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,CAAC;YAC/D,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,mBAAmB,EAAE,UAAU,EAAE,cAAc,CAAC;YACtF,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,yBAAyB,EAAE,UAAU,EAAE,cAAc,CAAC;SACrG,CAAC;IACJ,CAAC;IAED,eAAe;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,eAAe,CAAC,IAAY;QAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,IAAI,CAAC;QAC7C,MAAM,IAAI,GAAG,IAAI,IAAI,IAAI,KAAK,QAAQ;YACpC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC;YAChC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,cAAc,CAAC,QAAiB;QAC9B,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,IAAY;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,YAAY,QAAQ,+BAA+B,EACnD,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;YACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,WAAW,QAAQ,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,aAAa,QAAQ,wBAAwB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,IAAY;QAC9B,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,qDAAqD;YACrD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,mCAAmC,QAAQ,6CAA6C,EACxF,EAAE,OAAO,EAAE,KAAK,EAAE,CACnB,CAAC;YACF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5F,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACnF,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACtG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5D,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;gBAC1E,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAClE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,IAAI,CAAC;wBACX,GAAG;wBACH,IAAI,EAAE,QAAQ;wBACd,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG;wBAC3C,IAAI,EAAE,SAAS;qBAChB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,qBAAqB;YACrB,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CACpC,8BAA8B,QAAQ,sBAAsB,EAC5D,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;gBACF,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC7D,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;oBAC9C,IAAI,KAAK,EAAE,CAAC;wBACV,OAAO,CAAC,IAAI,CAAC;4BACX,GAAG,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;4BAC3B,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;4BACd,IAAI,EAAE,SAAS;yBAChB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,IAAI,CAAC,oBAAoB,OAAO,QAAQ,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAG,oBAAoB,CAAC;QACtC,MAAM,IAAI,CACR,6CAA6C,QAAQ,kDAAkD,QAAQ,QAAQ,EACvH,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY;QAC5B,MAAM,IAAI,CACR,wEAAwE,EACxE,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;IACJ,CAAC;IAED,iBAAiB;QACf,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,2DAA2D,EAAE;gBACzF,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,IAAI,IAAI,IAAI,KAAK,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;QACD,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC;IAC7D,CAAC;CACF,CAAC"}

package/dist/reporter/console.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Console output formatting with branding and tables.
+ */
+import type { DetectionResult, EnforcementResult, IsolationResult, QuarantineManifest } from '../types/index.js';
+import { printBanner } from '../branding.js';
+export { printBanner };
+/**
+ * Print detection results to console.
+ */
+export declare function printDetectionResult(result: DetectionResult, quarantined?: QuarantineManifest[]): void;
+/**
+ * Print enforcement results to console.
+ */
+export declare function printEnforcementResult(result: EnforcementResult): void;
+/**
+ * Print isolation results to console.
+ */
+export declare function printIsolationResult(result: IsolationResult): void;
+/**
+ * Print a simple status message.
+ */
+export declare function printStatus(message: string, type?: 'info' | 'success' | 'warning' | 'error'): void;
+/**
+ * Print quarantine notice box for scan results.
+ */
+export declare function printQuarantineNotice(quarantined: QuarantineManifest[]): void;
+//# sourceMappingURL=console.d.ts.map

package/dist/reporter/console.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"console.d.ts","sourceRoot":"","sources":["../../src/reporter/console.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EACV,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAI7C,OAAO,EAAE,WAAW,EAAE,CAAC;AA6CvB;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,eAAe,EAAE,WAAW,GAAE,kBAAkB,EAAO,GAAG,IAAI,CA4O1G;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CA8DtE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI,CAyDlE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,GAAG,SAAS,GAAG,SAAS,GAAG,OAAgB,GAAG,IAAI,CAQ1G;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,kBAAkB,EAAE,GAAG,IAAI,CAoD7E"}