nox-openclaw-hunter 1.0.0

package/dist/enforcer/process-killer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-killer.d.ts","sourceRoot":"","sources":["../../src/enforcer/process-killer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGjE;;GAEG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,OAAe,EACvB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,iBAAiB,CAAC,CA2B5B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CA8B9B;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,QAAQ,EAClB,SAAS,EAAE,WAAW,EAAE,EACxB,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAgB9B"}

package/dist/enforcer/process-killer.js

@@ -0,0 +1,80 @@
+/**
+ * Process killer for terminating OpenClaw processes.
+ */
+import { logger } from '../utils/logger.js';
+/**
+ * Kill a single process by PID.
+ */
+export async function killProcess(platform, pid, dryRun = false, processName) {
+    const targetLabel = processName ? `${processName} (PID ${pid})` : `PID ${pid}`;
+    const action = {
+        type: 'kill-process',
+        target: targetLabel,
+        status: 'pending',
+        dryRun,
+    };
+    if (dryRun) {
+        logger.info(`[dry-run] Would kill process: ${targetLabel}`);
+        action.status = 'skipped';
+        return action;
+    }
+    try {
+        await platform.killProcess(pid);
+        logger.success(`Killed process: ${targetLabel}`);
+        action.status = 'success';
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to kill process ${targetLabel}: ${message}`);
+        action.status = 'failed';
+        action.error = message;
+    }
+    return action;
+}
+/**
+ * Kill all processes matching a given name.
+ */
+export async function killProcessesByName(platform, name, dryRun = false) {
+    const actions = [];
+    try {
+        const processes = await platform.findProcesses(name);
+        if (processes.length === 0) {
+            logger.info(`No processes found matching: ${name}`);
+            return actions;
+        }
+        logger.info(`Found ${processes.length} process(es) matching: ${name}`);
+        for (const proc of processes) {
+            const action = await killProcess(platform, proc.pid, dryRun, proc.name);
+            actions.push(action);
+        }
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to find processes matching ${name}: ${message}`);
+        actions.push({
+            type: 'kill-process',
+            target: name,
+            status: 'failed',
+            error: message,
+            dryRun,
+        });
+    }
+    return actions;
+}
+/**
+ * Kill all OpenClaw-related processes from detection results.
+ */
+export async function killDetectedProcesses(platform, processes, dryRun = false) {
+    const actions = [];
+    if (processes.length === 0) {
+        logger.info('No OpenClaw processes detected to kill');
+        return actions;
+    }
+    logger.info(`Killing ${processes.length} detected OpenClaw process(es)...`);
+    for (const proc of processes) {
+        const action = await killProcess(platform, proc.pid, dryRun, proc.name);
+        actions.push(action);
+    }
+    return actions;
+}
+//# sourceMappingURL=process-killer.js.map

package/dist/enforcer/process-killer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-killer.js","sourceRoot":"","sources":["../../src/enforcer/process-killer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAkB,EAClB,GAAW,EACX,SAAkB,KAAK,EACvB,WAAoB;IAEpB,MAAM,WAAW,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,WAAW,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,GAAG,EAAE,CAAC;IAC/E,MAAM,MAAM,GAAsB;QAChC,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,WAAW;QACnB,MAAM,EAAE,SAAS;QACjB,MAAM;KACP,CAAC;IAEF,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,0BAA0B,WAAW,KAAK,OAAO,EAAE,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzB,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAkB,EAClB,IAAY,EACZ,SAAkB,KAAK;IAEvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAErD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;YACpD,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,SAAS,SAAS,CAAC,MAAM,0BAA0B,IAAI,EAAE,CAAC,CAAC;QAEvE,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YACxE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,qCAAqC,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,OAAO;YACd,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAkB,EAClB,SAAwB,EACxB,SAAkB,KAAK;IAEvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,WAAW,SAAS,CAAC,MAAM,mCAAmC,CAAC,CAAC;IAE5E,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/enforcer/service-stopper.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Service stopper for stopping and disabling OpenClaw services.
+ */
+import type { Platform } from '../platform/index.js';
+import type { EnforcementAction } from '../types/enforcement.js';
+import type { ServiceDetection } from '../types/detection.js';
+/**
+ * Stop a service by name.
+ */
+export declare function stopService(platform: Platform, serviceName: string, dryRun?: boolean): Promise<EnforcementAction>;
+/**
+ * Disable a service from starting on boot.
+ */
+export declare function disableService(platform: Platform, serviceName: string, dryRun?: boolean): Promise<EnforcementAction>;
+/**
+ * Stop and disable the OpenClaw gateway service.
+ */
+export declare function stopAndDisableService(platform: Platform, serviceName: string, dryRun?: boolean): Promise<EnforcementAction[]>;
+/**
+ * Stop the detected OpenClaw service.
+ */
+export declare function stopDetectedService(platform: Platform, service: ServiceDetection, dryRun?: boolean): Promise<EnforcementAction[]>;
+//# sourceMappingURL=service-stopper.d.ts.map

package/dist/enforcer/service-stopper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-stopper.d.ts","sourceRoot":"","sources":["../../src/enforcer/service-stopper.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAG9D;;GAEG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,QAAQ,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,CAAC,CAmC5B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,QAAQ,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,QAAQ,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAY9B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,gBAAgB,EACzB,MAAM,GAAE,OAAe,GACtB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAkB9B"}

package/dist/enforcer/service-stopper.js

@@ -0,0 +1,95 @@
+/**
+ * Service stopper for stopping and disabling OpenClaw services.
+ */
+import { logger } from '../utils/logger.js';
+/**
+ * Stop a service by name.
+ */
+export async function stopService(platform, serviceName, dryRun = false) {
+    const action = {
+        type: 'stop-service',
+        target: serviceName,
+        status: 'pending',
+        dryRun,
+    };
+    if (dryRun) {
+        logger.info(`[dry-run] Would stop service: ${serviceName}`);
+        action.status = 'skipped';
+        return action;
+    }
+    try {
+        // Check if service is running first
+        const isRunning = await platform.checkServiceRunning(serviceName);
+        if (!isRunning) {
+            logger.info(`Service not running: ${serviceName}`);
+            action.status = 'skipped';
+            return action;
+        }
+        await platform.stopService(serviceName);
+        logger.success(`Stopped service: ${serviceName}`);
+        action.status = 'success';
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to stop service ${serviceName}: ${message}`);
+        action.status = 'failed';
+        action.error = message;
+    }
+    return action;
+}
+/**
+ * Disable a service from starting on boot.
+ */
+export async function disableService(platform, serviceName, dryRun = false) {
+    const action = {
+        type: 'stop-service',
+        target: `${serviceName} (disable)`,
+        status: 'pending',
+        dryRun,
+    };
+    if (dryRun) {
+        logger.info(`[dry-run] Would disable service: ${serviceName}`);
+        action.status = 'skipped';
+        return action;
+    }
+    try {
+        await platform.disableService(serviceName);
+        logger.success(`Disabled service: ${serviceName}`);
+        action.status = 'success';
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to disable service ${serviceName}: ${message}`);
+        action.status = 'failed';
+        action.error = message;
+    }
+    return action;
+}
+/**
+ * Stop and disable the OpenClaw gateway service.
+ */
+export async function stopAndDisableService(platform, serviceName, dryRun = false) {
+    const actions = [];
+    // Stop the service first
+    const stopAction = await stopService(platform, serviceName, dryRun);
+    actions.push(stopAction);
+    // Then disable it from starting on boot
+    const disableAction = await disableService(platform, serviceName, dryRun);
+    actions.push(disableAction);
+    return actions;
+}
+/**
+ * Stop the detected OpenClaw service.
+ */
+export async function stopDetectedService(platform, service, dryRun = false) {
+    const actions = [];
+    if (!service.found || !service.name) {
+        logger.info('No OpenClaw service detected');
+        return actions;
+    }
+    logger.info(`Stopping OpenClaw service: ${service.name}...`);
+    const serviceActions = await stopAndDisableService(platform, service.name, dryRun);
+    actions.push(...serviceActions);
+    return actions;
+}
+//# sourceMappingURL=service-stopper.js.map

package/dist/enforcer/service-stopper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-stopper.js","sourceRoot":"","sources":["../../src/enforcer/service-stopper.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAkB,EAClB,WAAmB,EACnB,SAAkB,KAAK;IAEvB,MAAM,MAAM,GAAsB;QAChC,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,WAAW;QACnB,MAAM,EAAE,SAAS;QACjB,MAAM;KACP,CAAC;IAEF,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,iCAAiC,WAAW,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,oCAAoC;QACpC,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAElE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;YAC1B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,QAAQ,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,OAAO,CAAC,oBAAoB,WAAW,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,0BAA0B,WAAW,KAAK,OAAO,EAAE,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzB,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAkB,EAClB,WAAmB,EACnB,SAAkB,KAAK;IAEvB,MAAM,MAAM,GAAsB;QAChC,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,GAAG,WAAW,YAAY;QAClC,MAAM,EAAE,SAAS;QACjB,MAAM;KACP,CAAC;IAEF,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,oCAAoC,WAAW,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;QAC3C,MAAM,CAAC,OAAO,CAAC,qBAAqB,WAAW,EAAE,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,MAAM,CAAC,KAAK,CAAC,6BAA6B,WAAW,KAAK,OAAO,EAAE,CAAC,CAAC;QACrE,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzB,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAkB,EAClB,WAAmB,EACnB,SAAkB,KAAK;IAEvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,yBAAyB;IACzB,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IACpE,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEzB,wCAAwC;IACxC,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IAC1E,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAE5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAkB,EAClB,OAAyB,EACzB,SAAkB,KAAK;IAEvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,8BAA8B,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC;IAE7D,MAAM,cAAc,GAAG,MAAM,qBAAqB,CAChD,QAAQ,EACR,OAAO,CAAC,IAAI,EACZ,MAAM,CACP,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;IAEhC,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Nox OpenClaw Detector CLI - Entry point
+ * OpenClaw Detection & Enforcement by Nox Security
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/index.js

@@ -0,0 +1,10 @@
+/**
+ * Nox OpenClaw Detector CLI - Entry point
+ * OpenClaw Detection & Enforcement by Nox Security
+ */
+import { run } from './cli.js';
+run().catch((error) => {
+    console.error('Fatal error:', error);
+    process.exit(2);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACpB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/isolator/firewall.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Firewall management for blocking OpenClaw gateway traffic.
+ */
+import type { IsolationAction } from '../types/isolation.js';
+import type { Platform } from '../platform/index.js';
+export interface FirewallOptions {
+    port?: number;
+    dryRun?: boolean;
+}
+/**
+ * Block outbound traffic to the OpenClaw gateway port.
+ * Requires explicit port - never falls back to default to avoid blocking legitimate services.
+ */
+export declare function blockGatewayPort(platform: Platform, options?: FirewallOptions): Promise<IsolationAction>;
+/**
+ * Unblock outbound traffic to the OpenClaw gateway port.
+ * Requires explicit port - never falls back to default.
+ */
+export declare function unblockGatewayPort(platform: Platform, options?: FirewallOptions): Promise<IsolationAction>;
+/**
+ * Check if a firewall rule is currently blocking the gateway port.
+ * Note: Implementation varies by platform and may require elevated permissions.
+ */
+export declare function isPortBlocked(platform: Platform, port?: number): Promise<boolean>;
+//# sourceMappingURL=firewall.d.ts.map

package/dist/isolator/firewall.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"firewall.d.ts","sourceRoot":"","sources":["../../src/isolator/firewall.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAMrD,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,QAAQ,EAClB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAqC1B;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,QAAQ,EAClB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAqC1B;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,QAAQ,EAClB,IAAI,GAAE,MAA6B,GAClC,OAAO,CAAC,OAAO,CAAC,CAsBlB"}

package/dist/isolator/firewall.js

@@ -0,0 +1,114 @@
+/**
+ * Firewall management for blocking OpenClaw gateway traffic.
+ */
+import { logger } from '../utils/logger.js';
+import { validatePort } from '../utils/exec.js';
+const DEFAULT_GATEWAY_PORT = 18789;
+/**
+ * Block outbound traffic to the OpenClaw gateway port.
+ * Requires explicit port - never falls back to default to avoid blocking legitimate services.
+ */
+export async function blockGatewayPort(platform, options = {}) {
+    if (!options.port) {
+        const action = {
+            type: 'block-port',
+            target: 'No port specified',
+            status: 'failed',
+            error: 'Port must be explicitly specified. Refusing to block default port to avoid blocking legitimate services.',
+        };
+        logger.error('Port blocking requires explicit port - refusing to use default');
+        return action;
+    }
+    const port = options.port;
+    const action = {
+        type: 'block-port',
+        target: `tcp/${port}`,
+        status: 'pending',
+    };
+    if (options.dryRun) {
+        logger.info(`[dry-run] Would block outbound TCP port ${port}`);
+        action.status = 'success';
+        return action;
+    }
+    try {
+        logger.info(`Blocking outbound TCP port ${port}...`);
+        await platform.blockPort(port);
+        action.status = 'success';
+        logger.success(`Blocked outbound TCP port ${port}`);
+    }
+    catch (err) {
+        action.status = 'failed';
+        action.error = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to block port ${port}: ${action.error}`);
+    }
+    return action;
+}
+/**
+ * Unblock outbound traffic to the OpenClaw gateway port.
+ * Requires explicit port - never falls back to default.
+ */
+export async function unblockGatewayPort(platform, options = {}) {
+    if (!options.port) {
+        const action = {
+            type: 'block-port',
+            target: 'No port specified',
+            status: 'failed',
+            error: 'Port must be explicitly specified for unblocking.',
+        };
+        logger.error('Port unblocking requires explicit port');
+        return action;
+    }
+    const port = options.port;
+    const action = {
+        type: 'block-port',
+        target: `tcp/${port}`,
+        status: 'pending',
+    };
+    if (options.dryRun) {
+        logger.info(`[dry-run] Would unblock outbound TCP port ${port}`);
+        action.status = 'success';
+        return action;
+    }
+    try {
+        logger.info(`Unblocking outbound TCP port ${port}...`);
+        await platform.unblockPort(port);
+        action.status = 'success';
+        logger.success(`Unblocked outbound TCP port ${port}`);
+    }
+    catch (err) {
+        action.status = 'failed';
+        action.error = err instanceof Error ? err.message : String(err);
+        logger.error(`Failed to unblock port ${port}: ${action.error}`);
+    }
+    return action;
+}
+/**
+ * Check if a firewall rule is currently blocking the gateway port.
+ * Note: Implementation varies by platform and may require elevated permissions.
+ */
+export async function isPortBlocked(platform, port = DEFAULT_GATEWAY_PORT) {
+    try {
+        // Validate port to prevent command injection
+        const safePort = validatePort(port);
+        const { exec } = await import('../utils/exec.js');
+        if (platform.name === 'darwin') {
+            // Check our dedicated anchor for blocking rules
+            const anchor = 'com.nox.openclaw';
+            const { stdout } = await exec(`sudo pfctl -a ${anchor} -sr 2>/dev/null || true`);
+            return stdout.includes(`port ${safePort}`) && stdout.includes('block');
+        }
+        else if (platform.name === 'linux') {
+            const { stdout } = await exec(`sudo iptables -L OUTPUT -n 2>/dev/null | grep "${safePort}" || true`);
+            return stdout.includes(`${safePort}`) && stdout.includes('DROP');
+        }
+        else if (platform.name === 'windows') {
+            const { stdout } = await exec(`netsh advfirewall firewall show rule name="Nox Block OpenClaw" 2>nul || echo notfound`);
+            return !stdout.includes('notfound') && stdout.includes('Block');
+        }
+    }
+    catch {
+        // If we can't check, assume not blocked
+    }
+    return false;
+}
+//# sourceMappingURL=firewall.js.map

package/dist/isolator/firewall.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"firewall.js","sourceRoot":"","sources":["../../src/isolator/firewall.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,oBAAoB,GAAG,KAAK,CAAC;AAOnC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAkB,EAClB,UAA2B,EAAE;IAE7B,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,MAAM,GAAoB;YAC9B,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,mBAAmB;YAC3B,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,0GAA0G;SAClH,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAC/E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,MAAM,GAAoB;QAC9B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,OAAO,IAAI,EAAE;QACrB,MAAM,EAAE,SAAS;KAClB,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,2CAA2C,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,8BAA8B,IAAI,KAAK,CAAC,CAAC;QACrD,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,6BAA6B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzB,MAAM,CAAC,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,wBAAwB,IAAI,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,QAAkB,EAClB,UAA2B,EAAE;IAE7B,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,MAAM,GAAoB;YAC9B,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,mBAAmB;YAC3B,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,mDAAmD;SAC3D,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACvD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,MAAM,GAAoB;QAC9B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,OAAO,IAAI,EAAE;QACrB,MAAM,EAAE,SAAS;KAClB,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,6CAA6C,IAAI,EAAE,CAAC,CAAC;QACjE,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,gCAAgC,IAAI,KAAK,CAAC,CAAC;QACvD,MAAM,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,+BAA+B,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzB,MAAM,CAAC,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,0BAA0B,IAAI,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAkB,EAClB,OAAe,oBAAoB;IAEnC,IAAI,CAAC;QACH,6CAA6C;QAC7C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAElD,IAAI,QAAQ,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC/B,gDAAgD;YAChD,MAAM,MAAM,GAAG,kBAAkB,CAAC;YAClC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,iBAAiB,MAAM,0BAA0B,CAAC,CAAC;YACjF,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,QAAQ,EAAE,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC;aAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACrC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,kDAAkD,QAAQ,WAAW,CAAC,CAAC;YACrG,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,QAAQ,EAAE,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnE,CAAC;aAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACvC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,uFAAuF,CAAC,CAAC;YACvH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wCAAwC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/isolator/index.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Isolator module - orchestrates firewall, quarantine, and lockdown operations.
+ */
+import type { DetectionResult } from '../types/detection.js';
+import type { IsolationResult, IsolateOptions, QuarantineManifest } from '../types/isolation.js';
+export * from './firewall.js';
+export * from './quarantine.js';
+export * from './lockdown.js';
+export interface IsolatorOptions extends IsolateOptions {
+    dryRun?: boolean;
+    port?: number;
+}
+/**
+ * Apply isolation actions based on detection results and options.
+ */
+export declare function isolate(detection: DetectionResult, options?: IsolatorOptions): Promise<IsolationResult>;
+/**
+ * Remove all isolation measures.
+ */
+export declare function unisolate(options?: IsolatorOptions): Promise<IsolationResult>;
+/**
+ * Get current isolation status.
+ */
+export interface IsolationStatusDetails {
+    portBlocked: boolean;
+    blockedPort?: number;
+    lockdownActive: boolean;
+    lockdownPaths?: string[];
+    quarantinedItems: number;
+    quarantineSummary?: {
+        id: string;
+        timestamp: string;
+        artifactCount: number;
+        model?: string;
+        channels?: string[];
+    }[];
+}
+export declare function getIsolationStatus(): Promise<IsolationStatusDetails>;
+/**
+ * Quarantine management utilities.
+ */
+export declare const quarantine: {
+    /**
+     * List all quarantined items.
+     */
+    list(): Promise<QuarantineManifest[]>;
+    /**
+     * Restore a quarantined item by ID.
+     */
+    restore(id: string): Promise<{
+        success: boolean;
+        restored: number;
+        errors: string[];
+    }>;
+    /**
+     * Permanently delete a quarantined item.
+     */
+    delete(id: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/isolator/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/isolator/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAEV,eAAe,EACf,cAAc,EACd,kBAAkB,EAEnB,MAAM,uBAAuB,CAAC;AAa/B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,eAAe,CAAC;AAI9B,MAAM,WAAW,eAAgB,SAAQ,cAAc;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,eAAe,EAC1B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CA0E1B;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,eAAe,CAAC,CA4BvF;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE;QAClB,EAAE,EAAE,MAAM,CAAC;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,EAAE,MAAM,CAAC;QACtB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,EAAE,CAAC;CACL;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,sBAAsB,CAAC,CAgC1E;AAsCD;;GAEG;AACH,eAAO,MAAM,UAAU;IACrB;;OAEG;YACW,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAK3C;;OAEG;gBAEG,MAAM,GACT,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAKpE;;OAEG;eACc,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAIxE,CAAC"}

package/dist/isolator/index.js

@@ -0,0 +1,201 @@
+/**
+ * Isolator module - orchestrates firewall, quarantine, and lockdown operations.
+ */
+import { getPlatform } from '../platform/index.js';
+import { logger } from '../utils/logger.js';
+import { blockGatewayPort, unblockGatewayPort, isPortBlocked } from './firewall.js';
+import { quarantineArtifacts, listQuarantined, restoreQuarantined, deleteQuarantined, } from './quarantine.js';
+import { applyLockdown, removeLockdown, isLockdownActive } from './lockdown.js';
+// Re-export sub-modules for direct access
+export * from './firewall.js';
+export * from './quarantine.js';
+export * from './lockdown.js';
+const DEFAULT_GATEWAY_PORT = 18789;
+/**
+ * Apply isolation actions based on detection results and options.
+ */
+export async function isolate(detection, options = {}) {
+    const platform = getPlatform();
+    const actions = [];
+    let quarantineResult;
+    const shouldBlockPort = options.blockPort || options.all;
+    const shouldQuarantine = options.quarantine || options.all;
+    const shouldLockdown = options.lockdown || options.all;
+    logger.info('Starting isolation procedures...');
+    // 1. Block gateway port
+    if (shouldBlockPort) {
+        // Only block if:
+        // 1. Explicit port provided (user knows what they're doing), OR
+        // 2. Gateway was actually detected AND we know the port
+        // NEVER fall back to default port - could block legitimate services!
+        if (options.port) {
+            // User explicitly specified a port - proceed
+            const action = await blockGatewayPort(platform, {
+                port: options.port,
+                dryRun: options.dryRun,
+            });
+            actions.push(action);
+        }
+        else if (detection.gateway.found && detection.gateway.port) {
+            // Gateway was detected - safe to block
+            const action = await blockGatewayPort(platform, {
+                port: detection.gateway.port,
+                dryRun: options.dryRun,
+            });
+            actions.push(action);
+        }
+        else {
+            // No gateway detected and no explicit port - skip blocking
+            logger.warn('Skipping port block: No OpenClaw gateway detected. Use --port <port> to block a specific port.');
+            actions.push({
+                type: 'block-port',
+                target: 'No gateway detected',
+                status: 'failed',
+                error: 'Gateway not detected - refusing to block default port to avoid blocking legitimate services',
+            });
+        }
+    }
+    // 2. Quarantine artifacts
+    if (shouldQuarantine) {
+        const { action, result } = await quarantineArtifacts(platform, detection, {
+            dryRun: options.dryRun,
+        });
+        actions.push(action);
+        quarantineResult = result;
+    }
+    // 3. Apply lockdown
+    if (shouldLockdown) {
+        const lockdownActions = await applyLockdown(platform, {
+            dryRun: options.dryRun,
+        });
+        actions.push(...lockdownActions);
+    }
+    // Log summary
+    const successful = actions.filter((a) => a.status === 'success').length;
+    const failed = actions.filter((a) => a.status === 'failed').length;
+    if (failed === 0) {
+        logger.success(`Isolation complete: ${successful} action(s) successful`);
+    }
+    else {
+        logger.warn(`Isolation complete: ${successful} successful, ${failed} failed`);
+    }
+    return {
+        actions,
+        quarantine: quarantineResult,
+    };
+}
+/**
+ * Remove all isolation measures.
+ */
+export async function unisolate(options = {}) {
+    const platform = getPlatform();
+    const actions = [];
+    const shouldUnblockPort = options.blockPort || options.all;
+    const shouldRemoveLockdown = options.lockdown || options.all;
+    logger.info('Removing isolation measures...');
+    // 1. Unblock gateway port
+    if (shouldUnblockPort) {
+        // Note: unisolate doesn't have detection context, so use explicit port or default
+        const action = await unblockGatewayPort(platform, {
+            port: options.port ?? DEFAULT_GATEWAY_PORT,
+            dryRun: options.dryRun,
+        });
+        actions.push(action);
+    }
+    // 2. Remove lockdown
+    if (shouldRemoveLockdown) {
+        const lockdownActions = await removeLockdown(platform, {
+            dryRun: options.dryRun,
+        });
+        actions.push(...lockdownActions);
+    }
+    return { actions };
+}
+export async function getIsolationStatus() {
+    const platform = getPlatform();
+    const [portBlocked, lockdownActive, quarantined] = await Promise.all([
+        isPortBlocked(platform, DEFAULT_GATEWAY_PORT),
+        isLockdownActive(platform),
+        listQuarantined(platform),
+    ]);
+    // Get locked paths if lockdown is active
+    let lockdownPaths;
+    if (lockdownActive) {
+        lockdownPaths = await getLockedPaths(platform);
+    }
+    // Build quarantine summary
+    const quarantineSummary = quarantined.map(q => ({
+        id: q.id,
+        timestamp: q.timestamp,
+        artifactCount: q.artifacts.length,
+        model: q.detection?.model,
+        channels: q.detection?.channels,
+    }));
+    return {
+        portBlocked,
+        blockedPort: portBlocked ? DEFAULT_GATEWAY_PORT : undefined,
+        lockdownActive,
+        lockdownPaths,
+        quarantinedItems: quarantined.length,
+        quarantineSummary: quarantineSummary.length > 0 ? quarantineSummary : undefined,
+    };
+}
+/**
+ * Get list of paths that are currently locked down.
+ */
+async function getLockedPaths(platform) {
+    const locked = [];
+    const { pathExists } = await import('../utils/fs.js');
+    const path = await import('node:path');
+    // Check CLI paths
+    for (const location of platform.getCliLocations()) {
+        if (await pathExists(location)) {
+            locked.push(location);
+        }
+    }
+    // Check app paths
+    for (const location of platform.getAppLocations()) {
+        if (await pathExists(location)) {
+            locked.push(location);
+        }
+    }
+    // Check for hosts file blocks
+    try {
+        const { readFile } = await import('node:fs/promises');
+        const hosts = await readFile('/etc/hosts', 'utf8');
+        if (hosts.includes('# NOX-OPENCLAW-BLOCK')) {
+            locked.push('/etc/hosts (domain blocks)');
+        }
+    }
+    catch {
+        // Ignore if can't read hosts
+    }
+    return locked;
+}
+/**
+ * Quarantine management utilities.
+ */
+export const quarantine = {
+    /**
+     * List all quarantined items.
+     */
+    async list() {
+        const platform = getPlatform();
+        return listQuarantined(platform);
+    },
+    /**
+     * Restore a quarantined item by ID.
+     */
+    async restore(id) {
+        const platform = getPlatform();
+        return restoreQuarantined(platform, id);
+    },
+    /**
+     * Permanently delete a quarantined item.
+     */
+    async delete(id) {
+        const platform = getPlatform();
+        return deleteQuarantined(platform, id);
+    },
+};
+//# sourceMappingURL=index.js.map