opena2a-cli 0.1.1 → 0.2.0

package/dist/shield/signing.js

@@ -0,0 +1,161 @@
+"use strict";
+// Shield artifact signing and verification.
+//
+// Uses SHA-256 hashing (same pattern as guard.ts) to protect Shield's own
+// artifacts: policy.yaml, scan.json, llm-cache.json. Signatures are stored
+// in ~/.opena2a/shield/signatures.json with 0o600 permissions.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signArtifact = signArtifact;
+exports.verifyArtifact = verifyArtifact;
+exports.signAllArtifacts = signAllArtifacts;
+exports.loadSignatures = loadSignatures;
+exports.saveSignatures = saveSignatures;
+exports.verifyAllArtifacts = verifyAllArtifacts;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const types_js_1 = require("./types.js");
+const events_js_1 = require("./events.js");
+// Files that Shield signs (relative to shield dir)
+const SHIELD_ARTIFACT_FILES = [
+    types_js_1.SHIELD_POLICY_FILE,
+    types_js_1.SHIELD_SCAN_FILE,
+    types_js_1.SHIELD_LLM_CACHE_FILE,
+];
+/**
+ * Compute a SHA-256 signature for a single artifact file.
+ */
+function signArtifact(filePath) {
+    const content = (0, node_fs_1.readFileSync)(filePath);
+    const hash = 'sha256:' + (0, node_crypto_1.createHash)('sha256').update(content).digest('hex');
+    const stat = (0, node_fs_1.statSync)(filePath);
+    const shieldDir = (0, events_js_1.getShieldDir)();
+    // Compute relative path from shield dir
+    let relPath = filePath;
+    if (filePath.startsWith(shieldDir)) {
+        relPath = filePath.slice(shieldDir.length + 1);
+    }
+    return {
+        filePath: relPath,
+        hash,
+        signedAt: new Date().toISOString(),
+        signedBy: (0, node_os_1.userInfo)().username + '@opena2a-cli',
+        fileSize: stat.size,
+    };
+}
+/**
+ * Verify an artifact file against its stored signature.
+ *
+ * Returns { valid: true } when:
+ *   - No signatures file exists (never signed = acceptable)
+ *   - The file has no stored signature (not yet tracked)
+ *   - The current hash matches the stored hash
+ *
+ * Returns { valid: false, detail } when signatures exist and hash doesn't match.
+ */
+function verifyArtifact(filePath) {
+    const store = loadSignatures();
+    if (!store) {
+        return { valid: true, detail: 'No signatures file found; skipping verification.' };
+    }
+    const shieldDir = (0, events_js_1.getShieldDir)();
+    let relPath = filePath;
+    if (filePath.startsWith(shieldDir)) {
+        relPath = filePath.slice(shieldDir.length + 1);
+    }
+    const sig = store.signatures.find(s => s.filePath === relPath);
+    if (!sig) {
+        return { valid: true, detail: `No signature recorded for ${relPath}.` };
+    }
+    if (!(0, node_fs_1.existsSync)(filePath)) {
+        return { valid: false, detail: `Signed file ${relPath} is missing.` };
+    }
+    const content = (0, node_fs_1.readFileSync)(filePath);
+    const currentHash = 'sha256:' + (0, node_crypto_1.createHash)('sha256').update(content).digest('hex');
+    if (currentHash === sig.hash) {
+        return { valid: true, detail: `${relPath} integrity verified.` };
+    }
+    return {
+        valid: false,
+        detail: `${relPath} has been modified since ${sig.signedAt}. Expected ${sig.hash}, got ${currentHash}.`,
+    };
+}
+/**
+ * Sign all known Shield artifacts that exist on disk.
+ */
+function signAllArtifacts() {
+    const shieldDir = (0, events_js_1.getShieldDir)();
+    const signatures = [];
+    for (const relPath of SHIELD_ARTIFACT_FILES) {
+        const fullPath = (0, node_path_1.join)(shieldDir, relPath);
+        if (!(0, node_fs_1.existsSync)(fullPath))
+            continue;
+        signatures.push(signArtifact(fullPath));
+    }
+    const store = {
+        version: 1,
+        signatures,
+        updatedAt: new Date().toISOString(),
+    };
+    saveSignatures(store);
+}
+/**
+ * Load the signatures store from disk.
+ * Returns null if the file does not exist or is malformed.
+ */
+function loadSignatures() {
+    const sigPath = (0, node_path_1.join)((0, events_js_1.getShieldDir)(), types_js_1.SHIELD_SIGNATURES_FILE);
+    if (!(0, node_fs_1.existsSync)(sigPath))
+        return null;
+    try {
+        const raw = (0, node_fs_1.readFileSync)(sigPath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed.version !== 1)
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save the signatures store to disk with restricted permissions.
+ */
+function saveSignatures(store) {
+    const sigPath = (0, node_path_1.join)((0, events_js_1.getShieldDir)(), types_js_1.SHIELD_SIGNATURES_FILE);
+    (0, node_fs_1.writeFileSync)(sigPath, JSON.stringify(store, null, 2), {
+        encoding: 'utf-8',
+        mode: 0o600,
+    });
+}
+/**
+ * Verify all Shield artifact signatures.
+ * Returns a summary suitable for use as an IntegrityCheck.
+ */
+function verifyAllArtifacts() {
+    const store = loadSignatures();
+    if (!store) {
+        return { valid: true, detail: 'No artifact signatures recorded; skipping.' };
+    }
+    const shieldDir = (0, events_js_1.getShieldDir)();
+    const failures = [];
+    for (const sig of store.signatures) {
+        const fullPath = (0, node_path_1.join)(shieldDir, sig.filePath);
+        const result = verifyArtifact(fullPath);
+        if (!result.valid) {
+            failures.push(result.detail);
+        }
+    }
+    if (failures.length === 0) {
+        return {
+            valid: true,
+            detail: `All ${store.signatures.length} artifact signatures verified.`,
+        };
+    }
+    return {
+        valid: false,
+        detail: failures.join(' '),
+    };
+}
+//# sourceMappingURL=signing.js.map

package/dist/shield/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/shield/signing.ts"],"names":[],"mappings":";AAAA,4CAA4C;AAC5C,EAAE;AACF,0EAA0E;AAC1E,2EAA2E;AAC3E,+DAA+D;;AA0B/D,oCAmBC;AAYD,wCAgCC;AAKD,4CAiBC;AAMD,wCAYC;AAKD,wCAMC;AAMD,gDA4BC;AA5KD,6CAAyC;AACzC,qCAA4E;AAC5E,yCAAiC;AACjC,qCAAmC;AAGnC,yCAKoB;AACpB,2CAA2C;AAE3C,mDAAmD;AACnD,MAAM,qBAAqB,GAAG;IAC5B,6BAAkB;IAClB,2BAAgB;IAChB,gCAAqB;CACtB,CAAC;AAEF;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5E,MAAM,IAAI,GAAG,IAAA,kBAAQ,EAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,IAAA,wBAAY,GAAE,CAAC;IAEjC,wCAAwC;IACxC,IAAI,OAAO,GAAG,QAAQ,CAAC;IACvB,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,IAAI;QACJ,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAClC,QAAQ,EAAE,IAAA,kBAAQ,GAAE,CAAC,QAAQ,GAAG,cAAc;QAC9C,QAAQ,EAAE,IAAI,CAAC,IAAI;KACpB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAAC,QAAgB;IAC7C,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,kDAAkD,EAAE,CAAC;IACrF,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,wBAAY,GAAE,CAAC;IACjC,IAAI,OAAO,GAAG,QAAQ,CAAC;IACvB,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,OAAO,GAAG,EAAE,CAAC;IAC1E,CAAC;IAED,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,OAAO,cAAc,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,SAAS,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEnF,IAAI,WAAW,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QAC7B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,sBAAsB,EAAE,CAAC;IACnE,CAAC;IAED,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,GAAG,OAAO,4BAA4B,GAAG,CAAC,QAAQ,cAAc,GAAG,CAAC,IAAI,SAAS,WAAW,GAAG;KACxG,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,MAAM,SAAS,GAAG,IAAA,wBAAY,GAAE,CAAC;IACjC,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC;YAAE,SAAS;QACpC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,KAAK,GAAyB;QAClC,OAAO,EAAE,CAAC;QACV,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,cAAc,CAAC,KAAK,CAAC,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc;IAC5B,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,IAAA,wBAAY,GAAE,EAAE,iCAAsB,CAAC,CAAC;IAC7D,IAAI,CAAC,IAAA,oBAAU,EAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAC;QACvD,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACtC,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,KAA2B;IACxD,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,IAAA,wBAAY,GAAE,EAAE,iCAAsB,CAAC,CAAC;IAC7D,IAAA,uBAAa,EAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACrD,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB;IAChC,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,4CAA4C,EAAE,CAAC;IAC/E,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,wBAAY,GAAE,CAAC;IACjC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,gCAAgC;SACvE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;KAC3B,CAAC;AACJ,CAAC"}

package/dist/shield/status.d.ts

@@ -0,0 +1,4 @@
+import type { ShieldStatus } from './types.js';
+export declare function getShieldStatus(targetDir?: string): ShieldStatus;
+export declare function formatStatus(status: ShieldStatus, format: 'text' | 'json'): string;
+//# sourceMappingURL=status.d.ts.map

package/dist/shield/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/shield/status.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAA8C,MAAM,YAAY,CAAC;AAkH3F,wBAAgB,eAAe,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,YAAY,CA+EhE;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAuDlF"}

package/dist/shield/status.js

@@ -0,0 +1,241 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getShieldStatus = getShieldStatus;
+exports.formatStatus = formatStatus;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const node_child_process_1 = require("node:child_process");
+const types_js_1 = require("./types.js");
+function getShieldDir() {
+    return (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'shield');
+}
+function tryExec(cmd) {
+    try {
+        return (0, node_child_process_1.execSync)(cmd, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/** Resolve a binary via which, returning the path or null. */
+function whichBinary(name) {
+    try {
+        return (0, node_child_process_1.execFileSync)('which', [name], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+function detectProduct(name) {
+    switch (name) {
+        case 'Secretless': {
+            const version = whichBinary('secretless-ai') ? tryExec('secretless-ai --version 2>/dev/null') : null;
+            const configExists = (0, node_fs_1.existsSync)((0, node_path_1.join)(process.cwd(), '.secretless.json')) ||
+                (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.secretless', 'config.json'));
+            return {
+                name: 'Secretless',
+                installed: version !== null,
+                active: configExists,
+                version,
+                keyMetric: configExists ? 'configured' : 'not configured',
+            };
+        }
+        case 'ARP': {
+            const configExists = (0, node_fs_1.existsSync)((0, node_path_1.join)(process.cwd(), '.arp.yaml')) ||
+                (0, node_fs_1.existsSync)((0, node_path_1.join)(process.cwd(), 'arp.yaml'));
+            const eventsPath = (0, node_path_1.join)(process.cwd(), '.opena2a', 'arp', 'events.jsonl');
+            const hasEvents = (0, node_fs_1.existsSync)(eventsPath);
+            return {
+                name: 'Runtime Guard (ARP)',
+                installed: configExists,
+                active: hasEvents,
+                version: null,
+                keyMetric: hasEvents ? 'monitoring' : configExists ? 'configured' : 'not configured',
+            };
+        }
+        case 'Browser Guard': {
+            const configPaths = [
+                (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'opena2a', 'browser-guard.json'),
+                (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'browser-guard.json'),
+            ];
+            const found = configPaths.some(p => (0, node_fs_1.existsSync)(p));
+            return {
+                name: 'Browser Guard',
+                installed: found,
+                active: found,
+                version: null,
+                keyMetric: found ? 'active' : 'not installed',
+            };
+        }
+        case 'HMA': {
+            const version = whichBinary('hackmyagent') ? tryExec('hackmyagent --version 2>/dev/null') : null;
+            return {
+                name: 'HackMyAgent',
+                installed: version !== null,
+                active: version !== null,
+                version,
+                keyMetric: version ? `v${version}` : 'not installed',
+            };
+        }
+        case 'Registry': {
+            // Registry is typically a remote service; check if CLI supports it
+            const hasRegistry = whichBinary('opena2a') !== null;
+            return {
+                name: 'Registry',
+                installed: hasRegistry !== null,
+                active: false,
+                version: null,
+                keyMetric: hasRegistry ? 'available' : 'not available',
+            };
+        }
+        case 'ConfigGuard': {
+            const sigFile = (0, node_path_1.join)(process.cwd(), '.opena2a', 'guard', 'signatures.json');
+            let fileCount = 0;
+            if ((0, node_fs_1.existsSync)(sigFile)) {
+                try {
+                    const store = JSON.parse((0, node_fs_1.readFileSync)(sigFile, 'utf-8'));
+                    fileCount = Array.isArray(store.signatures) ? store.signatures.length : 0;
+                }
+                catch { /* ok */ }
+            }
+            return {
+                name: 'ConfigGuard',
+                installed: true, // Built into CLI
+                active: fileCount > 0,
+                version: null,
+                keyMetric: fileCount > 0 ? `${fileCount} files signed` : 'no signatures',
+            };
+        }
+        default:
+            return { name, installed: false, active: false, version: null, keyMetric: 'unknown' };
+    }
+}
+function getShieldStatus(targetDir) {
+    const shieldDir = getShieldDir();
+    const products = [
+        detectProduct('Secretless'),
+        detectProduct('ARP'),
+        detectProduct('Browser Guard'),
+        detectProduct('HMA'),
+        detectProduct('Registry'),
+        detectProduct('ConfigGuard'),
+    ];
+    // Policy status
+    const policyPath = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_POLICY_FILE);
+    let policyLoaded = false;
+    let policyMode = null;
+    if ((0, node_fs_1.existsSync)(policyPath)) {
+        policyLoaded = true;
+        try {
+            const raw = (0, node_fs_1.readFileSync)(policyPath, 'utf-8');
+            const policy = JSON.parse(raw);
+            policyMode = policy.mode ?? 'adaptive';
+        }
+        catch {
+            policyMode = null;
+        }
+    }
+    // Shell integration
+    const shell = process.env.SHELL?.includes('zsh') ? 'zsh'
+        : process.env.SHELL?.includes('bash') ? 'bash'
+            : null;
+    let shellIntegration = false;
+    if (shell) {
+        const rcFile = shell === 'zsh'
+            ? (0, node_path_1.join)((0, node_os_1.homedir)(), '.zshrc')
+            : (0, node_path_1.join)((0, node_os_1.homedir)(), '.bashrc');
+        try {
+            const content = (0, node_fs_1.readFileSync)(rcFile, 'utf-8');
+            shellIntegration = content.includes('opena2a_shield_preexec') ||
+                content.includes('opena2a_shield_debug');
+        }
+        catch { /* ok */ }
+    }
+    // Integrity status
+    let integrityStatus = 'healthy';
+    const lockdownPath = (0, node_path_1.join)(shieldDir, 'lockdown');
+    if ((0, node_fs_1.existsSync)(lockdownPath)) {
+        integrityStatus = 'lockdown';
+    }
+    // Last report
+    let lastReportScore = null;
+    let lastReportDate = null;
+    const reportsDir = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_REPORTS_DIR);
+    if ((0, node_fs_1.existsSync)(reportsDir)) {
+        try {
+            const files = (0, node_fs_1.readdirSync)(reportsDir)
+                .filter(f => f.endsWith('.json'))
+                .sort()
+                .reverse();
+            if (files.length > 0) {
+                const latestReport = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(reportsDir, files[0]), 'utf-8'));
+                lastReportScore = latestReport.posture?.score ?? null;
+                lastReportDate = latestReport.generatedAt ?? null;
+            }
+        }
+        catch { /* ok */ }
+    }
+    return {
+        timestamp: new Date().toISOString(),
+        products,
+        policyLoaded,
+        policyMode,
+        shellIntegration,
+        integrityStatus,
+        lastReportScore,
+        lastReportDate,
+    };
+}
+function formatStatus(status, format) {
+    if (format === 'json') {
+        return JSON.stringify(status, null, 2);
+    }
+    const lines = [];
+    lines.push('Shield Status\n');
+    // Products table
+    lines.push('Products:');
+    for (const p of status.products) {
+        const state = p.active ? 'ACTIVE' : p.installed ? 'INSTALLED' : '  --  ';
+        lines.push(`  ${state.padEnd(10)} ${p.name.padEnd(22)} ${p.keyMetric}`);
+    }
+    lines.push('');
+    // Policy
+    if (status.policyLoaded) {
+        lines.push(`Policy: loaded (${status.policyMode ?? 'unknown'} mode)`);
+    }
+    else {
+        lines.push('Policy: not loaded (run: opena2a shield init)');
+    }
+    // Shell integration
+    lines.push(`Shell integration: ${status.shellIntegration ? 'active' : 'inactive'}`);
+    // Integrity
+    lines.push(`Integrity: ${status.integrityStatus.toUpperCase()}`);
+    // Last report
+    if (status.lastReportScore !== null) {
+        lines.push(`Last report: ${status.lastReportScore}/100 (${status.lastReportDate ?? 'unknown'})`);
+    }
+    // Recommendations
+    const recs = [];
+    if (!status.policyLoaded)
+        recs.push('Run: opena2a shield init');
+    if (!status.shellIntegration)
+        recs.push('Shell hooks not installed. Re-run: opena2a shield init');
+    if (status.integrityStatus === 'lockdown')
+        recs.push('LOCKDOWN active. Run: opena2a shield recover --verify');
+    if (status.integrityStatus === 'compromised')
+        recs.push('Integrity issues detected. Run: opena2a shield selfcheck');
+    const inactiveProducts = status.products.filter(p => !p.active && p.name !== 'Registry');
+    if (inactiveProducts.length > 0) {
+        recs.push(`Inactive products: ${inactiveProducts.map(p => p.name).join(', ')}`);
+    }
+    if (recs.length > 0) {
+        lines.push('');
+        lines.push('Recommendations:');
+        for (const r of recs) {
+            lines.push(`  - ${r}`);
+        }
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=status.js.map

package/dist/shield/status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.js","sourceRoot":"","sources":["../../src/shield/status.ts"],"names":[],"mappings":";;AAsHA,0CA+EC;AAED,oCAuDC;AA9PD,qCAAgE;AAChE,yCAAiC;AACjC,qCAAkC;AAClC,2DAA4D;AAE5D,yCAAwF;AAExF,SAAS,YAAY;IACnB,OAAO,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,IAAI,CAAC;QACH,OAAO,IAAA,6BAAQ,EAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8DAA8D;AAC9D,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC;QACH,OAAO,IAAA,iCAAY,EAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,YAAY,CAAC,CAAC,CAAC;YAClB,MAAM,OAAO,GAAG,WAAW,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACrG,MAAM,YAAY,GAAG,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,kBAAkB,CAAC,CAAC;gBACtE,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC;YAC5D,OAAO;gBACL,IAAI,EAAE,YAAY;gBAClB,SAAS,EAAE,OAAO,KAAK,IAAI;gBAC3B,MAAM,EAAE,YAAY;gBACpB,OAAO;gBACP,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB;aAC1D,CAAC;QACJ,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,MAAM,YAAY,GAAG,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,CAAC,CAAC;gBAC/D,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;YAC9C,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;YAC1E,MAAM,SAAS,GAAG,IAAA,oBAAU,EAAC,UAAU,CAAC,CAAC;YACzC,OAAO;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,SAAS,EAAE,YAAY;gBACvB,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB;aACrF,CAAC;QACJ,CAAC;QAED,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,MAAM,WAAW,GAAG;gBAClB,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,EAAE,SAAS,EAAE,oBAAoB,CAAC;gBAC3D,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,UAAU,EAAE,oBAAoB,CAAC;aAClD,CAAC;YACF,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,oBAAU,EAAC,CAAC,CAAC,CAAC,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,eAAe;gBACrB,SAAS,EAAE,KAAK;gBAChB,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,eAAe;aAC9C,CAAC;QACJ,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,MAAM,OAAO,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACjG,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,SAAS,EAAE,OAAO,KAAK,IAAI;gBAC3B,MAAM,EAAE,OAAO,KAAK,IAAI;gBACxB,OAAO;gBACP,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,eAAe;aACrD,CAAC;QACJ,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,mEAAmE;YACnE,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC;YACpD,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,SAAS,EAAE,WAAW,KAAK,IAAI;gBAC/B,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe;aACvD,CAAC;QACJ,CAAC;QAED,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;YAC5E,IAAI,SAAS,GAAG,CAAC,CAAC;YAClB,IAAI,IAAA,oBAAU,EAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;oBACzD,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5E,CAAC;gBAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC;YACtB,CAAC;YACD,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,SAAS,EAAE,IAAI,EAAE,iBAAiB;gBAClC,MAAM,EAAE,SAAS,GAAG,CAAC;gBACrB,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,SAAS,eAAe,CAAC,CAAC,CAAC,eAAe;aACzE,CAAC;QACJ,CAAC;QAED;YACE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAC1F,CAAC;AACH,CAAC;AAED,SAAgB,eAAe,CAAC,SAAkB;IAChD,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAoB;QAChC,aAAa,CAAC,YAAY,CAAC;QAC3B,aAAa,CAAC,KAAK,CAAC;QACpB,aAAa,CAAC,eAAe,CAAC;QAC9B,aAAa,CAAC,KAAK,CAAC;QACpB,aAAa,CAAC,UAAU,CAAC;QACzB,aAAa,CAAC,aAAa,CAAC;KAC7B,CAAC;IAEF,gBAAgB;IAChB,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,6BAAkB,CAAC,CAAC;IACvD,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,UAAU,GAAsB,IAAI,CAAC;IAEzC,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,YAAY,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,UAAU,GAAG,MAAM,CAAC,IAAI,IAAI,UAAU,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK;QACtD,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM;YAC9C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,gBAAgB,GAAG,KAAK,CAAC;IAC7B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,MAAM,GAAG,KAAK,KAAK,KAAK;YAC5B,CAAC,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,CAAC;YAC3B,CAAC,CAAC,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,SAAS,CAAC,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC9C,gBAAgB,GAAG,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;gBAC3D,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC;IACtB,CAAC;IAED,mBAAmB;IACnB,IAAI,eAAe,GAAoB,SAAS,CAAC;IACjD,MAAM,YAAY,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACjD,IAAI,IAAA,oBAAU,EAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,eAAe,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,cAAc;IACd,IAAI,eAAe,GAAkB,IAAI,CAAC;IAC1C,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,6BAAkB,CAAC,CAAC;IACvD,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAA,qBAAW,EAAC,UAAU,CAAC;iBAClC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;iBAChC,IAAI,EAAE;iBACN,OAAO,EAAE,CAAC;YACb,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,IAAA,gBAAI,EAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;gBACnF,eAAe,GAAG,YAAY,CAAC,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC;gBACtD,cAAc,GAAG,YAAY,CAAC,WAAW,IAAI,IAAI,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC;IACtB,CAAC;IAED,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,YAAY;QACZ,UAAU;QACV,gBAAgB;QAChB,eAAe;QACf,eAAe;QACf,cAAc;KACf,CAAC;AACJ,CAAC;AAED,SAAgB,YAAY,CAAC,MAAoB,EAAE,MAAuB;IACxE,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE9B,iBAAiB;IACjB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;QACzE,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,SAAS;IACT,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,UAAU,IAAI,SAAS,QAAQ,CAAC,CAAC;IACxE,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IAC9D,CAAC;IAED,oBAAoB;IACpB,KAAK,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;IAEpF,YAAY;IACZ,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAEjE,cAAc;IACd,IAAI,MAAM,CAAC,eAAe,KAAK,IAAI,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,eAAe,SAAS,MAAM,CAAC,cAAc,IAAI,SAAS,GAAG,CAAC,CAAC;IACnG,CAAC;IAED,kBAAkB;IAClB,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,IAAI,CAAC,MAAM,CAAC,YAAY;QAAE,IAAI,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAChE,IAAI,CAAC,MAAM,CAAC,gBAAgB;QAAE,IAAI,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;IAClG,IAAI,MAAM,CAAC,eAAe,KAAK,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IAC9G,IAAI,MAAM,CAAC,eAAe,KAAK,aAAa;QAAE,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IAEpH,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACzF,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,sBAAsB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}