podwatch 1.0.2

package/dist/index.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Podwatch Plugin — OpenClaw cost monitoring, budget enforcement, and security alerts.
+ *
+ * Registers hook handlers and subscribes to diagnostic events to capture:
+ * - Cost/token data per LLM call (onDiagnosticEvent → model.usage)
+ * - Tool security scanning + budget blocking (before_tool_call)
+ * - Tool latency + success/failure (after_tool_call)
+ * - Session lifecycle (session_start, session_end)
+ * - Context pressure (before_compaction)
+ * - Pulse alive-ping + skill/plugin scanning (register())
+ * - Graceful shutdown (gateway_stop)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = register;
+const cost_js_1 = require("./hooks/cost.js");
+const security_js_1 = require("./hooks/security.js");
+const sessions_js_1 = require("./hooks/sessions.js");
+const lifecycle_js_1 = require("./hooks/lifecycle.js");
+const transmitter_js_1 = require("./transmitter.js");
+const updater_js_1 = require("./updater.js");
+// ---------------------------------------------------------------------------
+// Plugin registration
+// ---------------------------------------------------------------------------
+const DEBUG = !!process.env.PODWATCH_DEBUG;
+/**
+ * Redact sensitive fields from an object for safe debug logging.
+ * Returns a shallow copy with secret values replaced by '***'.
+ */
+function redactForLog(obj) {
+    if (!obj || typeof obj !== "object")
+        return obj;
+    const SENSITIVE_KEYS = ["apiKey", "apiSecret", "secret", "token", "password", "key"];
+    const redacted = { ...obj };
+    for (const k of SENSITIVE_KEYS) {
+        if (k in redacted && redacted[k]) {
+            redacted[k] = "***";
+        }
+    }
+    return redacted;
+}
+/**
+ * OpenClaw plugin entry point.
+ * Called by the Gateway when the plugin is loaded.
+ */
+function register(api) {
+    if (DEBUG) {
+        console.log("[podwatch:debug] register() called");
+        console.log("[podwatch:debug] api object keys:", Object.keys(api));
+        // Log only safe gateway config fields — never dump the full api.config
+        const safeConfigKeys = api.config
+            ? { diagnostics: api.config.diagnostics, agents: api.config.agents ? "(present)" : "(absent)" }
+            : "(undefined)";
+        console.log("[podwatch:debug] api.config (safe fields):", JSON.stringify(safeConfigKeys, null, 2));
+        console.log("[podwatch:debug] api.pluginConfig:", JSON.stringify(redactForLog(api.pluginConfig ?? {}), null, 2));
+        console.log("[podwatch:debug] api.runtime keys:", api.runtime ? Object.keys(api.runtime) : "undefined");
+    }
+    const config = resolveConfig(api);
+    if (DEBUG) {
+        console.log("[podwatch:debug] Resolved config:", JSON.stringify(redactForLog(config), null, 2));
+    }
+    if (!config.apiKey) {
+        api.logger.error("[podwatch] No API key configured. Set it in plugins.entries.podwatch.config.apiKey");
+        return;
+    }
+    // Start the transmitter (batched HTTP to Podwatch cloud)
+    transmitter_js_1.transmitter.start({
+        apiKey: config.apiKey,
+        endpoint: config.endpoint ?? "https://podwatch.app/api",
+        batchSize: 50,
+        flushIntervalMs: 30_000,
+    });
+    // Check if diagnostics are enabled
+    const diagnosticsEnabled = api.config?.diagnostics?.enabled === true;
+    if (!diagnosticsEnabled) {
+        api.logger.warn("[podwatch] diagnostics.enabled is not set to true in gateway config. " +
+            "Cost tracking will not work. Enable it: diagnostics: { enabled: true }");
+        // POST setup warning to dashboard
+        transmitter_js_1.transmitter.enqueue({
+            type: "setup_warning",
+            message: "Enable diagnostics for cost tracking: set diagnostics.enabled: true in openclaw.json",
+            ts: Date.now(),
+        });
+    }
+    // Register all hook handlers
+    (0, cost_js_1.registerCostHandler)(api, config, diagnosticsEnabled);
+    (0, security_js_1.registerSecurityHandlers)(api, config);
+    (0, sessions_js_1.registerSessionHandlers)(api);
+    (0, lifecycle_js_1.registerLifecycleHandlers)(api, config);
+    // Schedule non-blocking auto-update check (30s after boot, 24h cooldown)
+    // Auto-update is opt-in (default false) for supply chain security.
+    const currentVersion = api.version ?? "0.0.0";
+    const endpoint = config.endpoint ?? "https://podwatch.app/api";
+    (0, updater_js_1.scheduleUpdateCheck)(currentVersion, endpoint, api.logger, { autoUpdate: config.autoUpdate });
+    api.logger.info(`[podwatch] Plugin loaded (v${currentVersion}). Budget enforcement: ${config.enableBudgetEnforcement ? "ON" : "OFF"}, ` +
+        `Security alerts: ${config.enableSecurityAlerts ? "ON" : "OFF"}, ` +
+        `Diagnostics: ${diagnosticsEnabled ? "ON" : "OFF"}`);
+}
+// ---------------------------------------------------------------------------
+// Config resolution
+// ---------------------------------------------------------------------------
+function resolveConfig(api) {
+    const pluginConfig = api.pluginConfig ?? {};
+    if (DEBUG) {
+        console.log("[podwatch:debug] resolveConfig() — raw pluginConfig:", JSON.stringify(redactForLog(pluginConfig), null, 2));
+        console.log("[podwatch:debug] resolveConfig() — env PODWATCH_API_KEY set:", !!process.env.PODWATCH_API_KEY);
+        console.log("[podwatch:debug] resolveConfig() — env PODWATCH_ENDPOINT:", process.env.PODWATCH_ENDPOINT ?? "(unset)");
+    }
+    return {
+        apiKey: pluginConfig.apiKey ?? process.env.PODWATCH_API_KEY ?? "",
+        endpoint: pluginConfig.endpoint ?? process.env.PODWATCH_ENDPOINT,
+        enableBudgetEnforcement: pluginConfig.enableBudgetEnforcement ?? true,
+        enableSecurityAlerts: pluginConfig.enableSecurityAlerts ?? true,
+        autoUpdate: pluginConfig.autoUpdate ?? false,
+        // Backward compat: fall back to heartbeatIntervalMs if pulseIntervalMs not set
+        pulseIntervalMs: pluginConfig.pulseIntervalMs ?? pluginConfig.heartbeatIntervalMs ?? 300_000,
+        scanIntervalMs: pluginConfig.scanIntervalMs ?? 21_600_000, // 6 hours
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsDH,2BAiEC;AApHD,6CAAsD;AACtD,qDAA+D;AAC/D,qDAA8D;AAC9D,uDAAiE;AACjE,qDAA+C;AAC/C,6CAAmD;AAoBnD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;AAE3C;;;GAGG;AACH,SAAS,YAAY,CAAC,GAA4B;IAChD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IAChD,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IACrF,MAAM,QAAQ,GAA4B,EAAE,GAAG,GAAG,EAAE,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;QAC/B,IAAI,CAAC,IAAI,QAAQ,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAwB,QAAQ,CAAC,GAAc;IAC7C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,mCAAmC,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACnE,uEAAuE;QACvE,MAAM,cAAc,GAAG,GAAG,CAAC,MAAM;YAC/B,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,EAAE;YAC/F,CAAC,CAAC,aAAa,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,4CAA4C,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACnG,OAAO,CAAC,GAAG,CAAC,oCAAoC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACjH,OAAO,CAAC,GAAG,CAAC,oCAAoC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IAC1G,CAAC;IAED,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,mCAAmC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,MAAa,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACzG,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,GAAG,CAAC,MAAM,CAAC,KAAK,CACd,oFAAoF,CACrF,CAAC;QACF,OAAO;IACT,CAAC;IAED,yDAAyD;IACzD,4BAAW,CAAC,KAAK,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,0BAA0B;QACvD,SAAS,EAAE,EAAE;QACb,eAAe,EAAE,MAAM;KACxB,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,kBAAkB,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,KAAK,IAAI,CAAC;IACrE,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,GAAG,CAAC,MAAM,CAAC,IAAI,CACb,uEAAuE;YACrE,wEAAwE,CAC3E,CAAC;QACF,kCAAkC;QAClC,4BAAW,CAAC,OAAO,CAAC;YAClB,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,sFAAsF;YAC/F,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;SACf,CAAC,CAAC;IACL,CAAC;IAED,6BAA6B;IAC7B,IAAA,6BAAmB,EAAC,GAAG,EAAE,MAAM,EAAE,kBAAkB,CAAC,CAAC;IACrD,IAAA,sCAAwB,EAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACtC,IAAA,qCAAuB,EAAC,GAAG,CAAC,CAAC;IAC7B,IAAA,wCAAyB,EAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAEvC,yEAAyE;IACzE,mEAAmE;IACnE,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,0BAA0B,CAAC;IAC/D,IAAA,gCAAmB,EAAC,cAAc,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IAE7F,GAAG,CAAC,MAAM,CAAC,IAAI,CACb,8BAA8B,cAAc,0BAA0B,MAAM,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;QACrH,oBAAoB,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI;QAClE,gBAAgB,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,EAAE,CACtD,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,SAAS,aAAa,CAAC,GAAc;IACnC,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;IAC5C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,sDAAsD,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACzH,OAAO,CAAC,GAAG,CAAC,8DAA8D,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC5G,OAAO,CAAC,GAAG,CAAC,2DAA2D,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,CAAC;IACvH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,YAAY,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE;QACjE,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAChE,uBAAuB,EAAE,YAAY,CAAC,uBAAuB,IAAI,IAAI;QACrE,oBAAoB,EAAE,YAAY,CAAC,oBAAoB,IAAI,IAAI;QAC/D,UAAU,EAAE,YAAY,CAAC,UAAU,IAAI,KAAK;QAC5C,+EAA+E;QAC/E,eAAe,EAAE,YAAY,CAAC,eAAe,IAAI,YAAY,CAAC,mBAAmB,IAAI,OAAO;QAC5F,cAAc,EAAE,YAAY,CAAC,cAAc,IAAI,UAAU,EAAE,UAAU;KACtE,CAAC;AACJ,CAAC"}

package/dist/redact.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Param redaction — strips sensitive values before transmitting to dashboard.
+ *
+ * Keeps structure but replaces values of sensitive keys with "[REDACTED]".
+ * Truncates long string values to prevent bloated payloads.
+ *
+ * Returns { result, redactedCount } so callers can track how many fields
+ * were scrubbed (heavy redaction > 3 feeds into risk classification).
+ */
+declare const SENSITIVE_KEYS: Set<string>;
+declare const SENSITIVE_VALUE_PATTERNS: RegExp[];
+/**
+ * Calculate Shannon entropy of a string.
+ * Higher values indicate more randomness (potential secrets).
+ */
+declare function shannonEntropy(s: string): number;
+declare function looksLikeToken(s: string): boolean;
+/**
+ * Length-based entropy thresholds.
+ * Short high-entropy strings (20-32 chars) are often UUIDs/hashes, not secrets.
+ * Longer strings need less entropy to be suspicious.
+ */
+declare function getEntropyThreshold(length: number): number;
+declare function isHighEntropySecret(s: string): boolean;
+export interface RedactResult {
+    result: Record<string, unknown>;
+    redactedCount: number;
+}
+/**
+ * Redact sensitive values from tool call params.
+ * Returns the scrubbed object and a count of how many values were redacted.
+ */
+export declare function redactParams(params: Record<string, unknown>): RedactResult;
+export { shannonEntropy, looksLikeToken, isHighEntropySecret, getEntropyThreshold, SENSITIVE_VALUE_PATTERNS, SENSITIVE_KEYS };
+//# sourceMappingURL=redact.d.ts.map

package/dist/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,QAAA,MAAM,cAAc,aAgFlB,CAAC;AAMH,QAAA,MAAM,wBAAwB,EAAE,MAAM,EAmGrC,CAAC;AAMF;;;GAGG;AACH,iBAAS,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAYzC;AAcD,iBAAS,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAY1C;AAID;;;;GAIG;AACH,iBAAS,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAInD;AAED,iBAAS,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAI/C;AAaD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;CACvB;AA4CD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,YAAY,CAK1E;AA+ED,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,cAAc,EAAE,CAAC"}

package/dist/redact.js

@@ -0,0 +1,372 @@
+"use strict";
+/**
+ * Param redaction — strips sensitive values before transmitting to dashboard.
+ *
+ * Keeps structure but replaces values of sensitive keys with "[REDACTED]".
+ * Truncates long string values to prevent bloated payloads.
+ *
+ * Returns { result, redactedCount } so callers can track how many fields
+ * were scrubbed (heavy redaction > 3 feeds into risk classification).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SENSITIVE_KEYS = exports.SENSITIVE_VALUE_PATTERNS = void 0;
+exports.redactParams = redactParams;
+exports.shannonEntropy = shannonEntropy;
+exports.looksLikeToken = looksLikeToken;
+exports.isHighEntropySecret = isHighEntropySecret;
+exports.getEntropyThreshold = getEntropyThreshold;
+// ---------------------------------------------------------------------------
+// Sensitive key patterns (normalized: lowercase, no hyphens/underscores)
+// ---------------------------------------------------------------------------
+const SENSITIVE_KEYS = new Set([
+    // Original
+    "password",
+    "secret",
+    "token",
+    "apikey",
+    "api_key",
+    "authorization",
+    "credentials",
+    "private_key",
+    "privatekey",
+    "access_token",
+    "accesstoken",
+    "refresh_token",
+    "refreshtoken",
+    "client_secret",
+    "clientsecret",
+    "bearer",
+    "cookie",
+    "session_id",
+    "sessionid",
+    "passphrase",
+    // Encryption / signing
+    "encryptionkey",
+    "encryption_key",
+    "signingkey",
+    "signing_key",
+    "masterkey",
+    "master_key",
+    // Database
+    "databaseurl",
+    "database_url",
+    "dburl",
+    "db_url",
+    "dbpassword",
+    "db_password",
+    "connectionstring",
+    "connection_string",
+    // Communication / SMTP
+    "smtppassword",
+    "smtp_password",
+    "webhooksecret",
+    "webhook_secret",
+    // JWT / App
+    "jwtsecret",
+    "jwt_secret",
+    "appsecret",
+    "app_secret",
+    // Crypto primitives (when used as keys)
+    "hmac",
+    "nonce",
+    "salt",
+    // Provider-specific key names
+    "resendapikey",
+    "resend_api_key",
+    "inngestkey",
+    "inngest_signing_key",
+    "planetscaletoken",
+    "planetscale_token",
+    "railwaytoken",
+    "railway_token",
+    "renderkey",
+    "render_api_key",
+    "postmarktoken",
+    "postmark_server_token",
+    "postmark_api_token",
+    "lemonsqueezyapikey",
+    "lemon_squeezy_api_key",
+    "pineconeapikey",
+    "pinecone_api_key",
+    "weaviateapikey",
+    "weaviate_api_key",
+    "flyapitoken",
+    "fly_api_token",
+]);
+exports.SENSITIVE_KEYS = SENSITIVE_KEYS;
+// ---------------------------------------------------------------------------
+// Value-based patterns (regex detection on string values)
+// ---------------------------------------------------------------------------
+const SENSITIVE_VALUE_PATTERNS = [
+    // --- AI / LLM Providers ---
+    /^sk-[a-zA-Z0-9]{20,}/, // OpenAI keys
+    /sk-ant-api03-[a-zA-Z0-9_-]{93}AA/, // Anthropic API key
+    /sk-ant-admin01-[a-zA-Z0-9_-]{93}AA/, // Anthropic admin key
+    /AIza[0-9A-Za-z_-]{35}/, // Google/GCP API key
+    /GOCSPX-[a-zA-Z0-9_-]+/, // Google OAuth client secret
+    /^co-[a-zA-Z0-9]{40}$/, // Cohere API key
+    /^r8_[a-zA-Z0-9]{40}$/, // Replicate API key
+    /^hf_[a-zA-Z0-9]{34}$/, // HuggingFace token
+    // --- Auth / Identity Providers ---
+    /^sk_live_[a-zA-Z0-9]+/, // Clerk/Stripe live secret
+    /^pk_live_[a-zA-Z0-9]+/, // Clerk/Stripe live public
+    /^sk_test_[a-zA-Z0-9]+/, // Clerk/Stripe test secret
+    /^pk_test_[a-zA-Z0-9]+/, // Clerk/Stripe test public
+    /^sbp_[a-zA-Z0-9]+/, // Supabase project token
+    /^eyJ[a-zA-Z0-9._-]{50,}/, // JWT tokens (also catches Supabase service role JWTs)
+    // --- Cloud / Infrastructure ---
+    /^AKIA[A-Z0-9]{16}/, // AWS access key (permanent)
+    /^ASIA[A-Z0-9]{16}/, // AWS access key (temporary/STS)
+    /^ABIA[A-Z0-9]{16}/, // AWS access key (STS for billing)
+    /^vercel_[a-zA-Z0-9_]+/, // Vercel token
+    /^hvs\.[a-zA-Z0-9_-]+/, // Hashicorp Vault token
+    /^dp\.st\.[a-zA-Z0-9_-]+/, // Doppler service token
+    /[a-zA-Z0-9]{14}\.atlasv1\.[a-zA-Z0-9_-]{60,}/, // Terraform Cloud token
+    // --- Database / Connection Strings (CRITICAL) ---
+    /postgres(?:ql)?:\/\/[^:]+:[^@]+@[^\s]+/, // Postgres connection string
+    /mysql:\/\/[^:]+:[^@]+@[^\s]+/, // MySQL connection string
+    /mongodb(?:\+srv)?:\/\/[^:]+:[^@]+@[^\s]+/, // MongoDB connection string
+    /redis:\/\/[^:]+:[^@]+@[^\s]+/, // Redis connection string
+    /[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^:]+:[^@]+@/, // Any URI with embedded credentials
+    // --- Communication ---
+    /^xoxb-[0-9]+-[0-9A-Za-z]+/, // Slack bot token
+    /^xoxp-[0-9]+-[0-9A-Za-z]+/, // Slack user token
+    /^xapp-[0-9]+-[0-9A-Za-z]+/, // Slack app token
+    /^SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}$/, // SendGrid API key
+    /^SK[a-f0-9]{32}$/, // Twilio API key
+    /[0-9]+:AA[a-zA-Z0-9_-]{33}/, // Telegram bot token
+    // --- Package Registries ---
+    /^npm_[a-zA-Z0-9]{36}$/, // npm token
+    /^pypi-[a-zA-Z0-9_-]{100,}/, // PyPI token
+    // --- Secret Management ---
+    /^ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}$/, // 1Password service token
+    /^A3-[A-Z0-9]{6}-[A-Z0-9]{6,11}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}$/, // 1Password secret key
+    // --- Crypto ---
+    /^AGE-SECRET-KEY-1[A-Z0-9]{58}$/, // Age encryption key
+    // --- SSH / Certificates ---
+    /-----BEGIN\s+PRIVATE\s+KEY/, // PKCS8 generic
+    /-----BEGIN\s+RSA\s+PRIVATE\s+KEY/, // RSA
+    /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY/, // OpenSSH
+    /-----BEGIN\s+EC\s+PRIVATE\s+KEY/, // EC
+    /-----BEGIN\s+DSA\s+PRIVATE\s+KEY/, // DSA
+    /-----BEGIN\s+ENCRYPTED\s+PRIVATE\s+KEY/, // Encrypted PKCS8
+    /-----BEGIN\s+CERTIFICATE/, // X.509 certificate
+    // --- Auth headers ---
+    /^Bearer\s+[a-zA-Z0-9._-]{20,}/i, // Bearer tokens
+    /^Basic\s+[a-zA-Z0-9+/=]{20,}/i, // Basic auth
+    // --- GitHub ---
+    /^ghp_[a-zA-Z0-9]{36,}/, // GitHub PAT
+    /^gho_[a-zA-Z0-9]{36,}/, // GitHub OAuth
+    /^ghs_[a-zA-Z0-9]{36,}/, // GitHub App installation
+    /^ghr_[a-zA-Z0-9]{36,}/, // GitHub refresh token
+    // --- Podwatch ---
+    /^pw_[a-zA-Z0-9]{20,}/, // Podwatch keys
+    // --- Tavily ---
+    /^tvly-[a-zA-Z0-9]{20,}/, // Tavily keys
+    // --- Discord ---
+    /[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}/, // Discord bot token
+    // --- Resend ---
+    /^re_[a-zA-Z0-9]{20,}/, // Resend API key
+    // --- PlanetScale ---
+    /^pscale_(?:tkn|pw|oauth)_[a-zA-Z0-9_-]{20,}/, // PlanetScale token/password
+    // --- Fly.io ---
+    /^fo1_[a-zA-Z0-9_-]{20,}/, // Fly.io token
+    // --- Render ---
+    /^rnd_[a-zA-Z0-9]{20,}/, // Render API key
+    // --- Inngest ---
+    /^signkey-[a-zA-Z0-9_-]{20,}/, // Inngest signing key
+    // --- Pinecone ---
+    /^pcsk_[a-zA-Z0-9_-]{20,}/, // Pinecone API key
+];
+exports.SENSITIVE_VALUE_PATTERNS = SENSITIVE_VALUE_PATTERNS;
+// ---------------------------------------------------------------------------
+// Shannon entropy for high-entropy catch-all
+// ---------------------------------------------------------------------------
+/**
+ * Calculate Shannon entropy of a string.
+ * Higher values indicate more randomness (potential secrets).
+ */
+function shannonEntropy(s) {
+    const freq = new Map();
+    for (const c of s) {
+        freq.set(c, (freq.get(c) ?? 0) + 1);
+    }
+    const len = s.length;
+    let entropy = 0;
+    for (const count of freq.values()) {
+        const p = count / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/**
+ * Heuristic: does this string look like a random token/secret?
+ * - No spaces
+ * - Primarily alphanumeric + limited special chars (-_=+/.)
+ * - Not a common word or path-like string
+ */
+const TOKEN_CHARS_RE = /^[a-zA-Z0-9_+/=.-]+$/;
+const COMMON_WORD_RE = /^[a-z]+$/i; // pure alpha could be a word
+const PATH_LIKE_RE = /^(\/[a-zA-Z0-9._-]+)+\/?$/; // e.g. /usr/bin/node
+const HEX_LIKE_RE = /^(0x)?[0-9a-fA-F]+$/; // plain hex number
+const URL_LIKE_NO_CREDS = /^https?:\/\/[^@]+$/; // URL without embedded creds
+function looksLikeToken(s) {
+    // Must match token character set (no spaces, no weird chars)
+    if (!TOKEN_CHARS_RE.test(s))
+        return false;
+    // Skip pure alphabetic (could be a word/identifier)
+    if (COMMON_WORD_RE.test(s) && s.length < 40)
+        return false;
+    // Skip path-like strings
+    if (PATH_LIKE_RE.test(s))
+        return false;
+    // Skip plain hex numbers (hashes, IDs)
+    if (HEX_LIKE_RE.test(s) && s.length < 40)
+        return false;
+    // Skip normal URLs without credentials
+    if (URL_LIKE_NO_CREDS.test(s))
+        return false;
+    return true;
+}
+const ENTROPY_MIN_LENGTH = 20;
+/**
+ * Length-based entropy thresholds.
+ * Short high-entropy strings (20-32 chars) are often UUIDs/hashes, not secrets.
+ * Longer strings need less entropy to be suspicious.
+ */
+function getEntropyThreshold(length) {
+    if (length <= 32)
+        return 4.8; // Short: stricter (avoid UUID false positives)
+    if (length <= 64)
+        return 4.5; // Medium: standard
+    return 4.2; // Long: slightly relaxed (long random tokens)
+}
+function isHighEntropySecret(s) {
+    if (s.length < ENTROPY_MIN_LENGTH)
+        return false;
+    if (!looksLikeToken(s))
+        return false;
+    return shannonEntropy(s) >= getEntropyThreshold(s.length);
+}
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const MAX_VALUE_LENGTH = 500;
+const REDACTED = "[REDACTED]";
+// ---------------------------------------------------------------------------
+// Redaction audit mode (opt-in via PODWATCH_REDACTION_AUDIT env var)
+// ---------------------------------------------------------------------------
+const REDACTION_AUDIT = !!process.env.PODWATCH_REDACTION_AUDIT;
+/**
+ * Log fields that were NOT redacted so we can spot gaps.
+ * Shows field name + first 4 chars + entropy score without exposing actual values.
+ */
+function auditUnredactedFields(obj, prefix = '') {
+    if (!REDACTION_AUDIT)
+        return;
+    for (const [key, value] of Object.entries(obj)) {
+        const fieldPath = prefix ? `${prefix}.${key}` : key;
+        if (typeof value === 'string') {
+            if (value !== REDACTED && !value.startsWith('[truncated]')) {
+                const preview = value.slice(0, 4);
+                const entropy = shannonEntropy(value).toFixed(2);
+                console.log(`[podwatch:audit] PASS field="${fieldPath}" preview="${preview}…" len=${value.length} entropy=${entropy}`);
+            }
+        }
+        else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
+            auditUnredactedFields(value, fieldPath);
+        }
+        else if (Array.isArray(value)) {
+            value.forEach((item, i) => {
+                if (typeof item === 'string' && item !== REDACTED) {
+                    const preview = item.slice(0, 4);
+                    const entropy = shannonEntropy(item).toFixed(2);
+                    console.log(`[podwatch:audit] PASS field="${fieldPath}[${i}]" preview="${preview}…" len=${item.length} entropy=${entropy}`);
+                }
+                else if (item !== null && typeof item === 'object') {
+                    auditUnredactedFields(item, `${fieldPath}[${i}]`);
+                }
+            });
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Redact sensitive values from tool call params.
+ * Returns the scrubbed object and a count of how many values were redacted.
+ */
+function redactParams(params) {
+    const counter = { count: 0 };
+    const result = redactObject(params, 0, counter);
+    auditUnredactedFields(result);
+    return { result, redactedCount: counter.count };
+}
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+function isSensitiveValue(value) {
+    if (SENSITIVE_VALUE_PATTERNS.some((p) => p.test(value)))
+        return true;
+    if (isHighEntropySecret(value))
+        return true;
+    return false;
+}
+function redactObject(obj, depth, counter) {
+    if (depth > 5)
+        return { "[truncated]": "nested too deep" };
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+        const keyLower = key.toLowerCase().replace(/[-_]/g, "");
+        // Key-based redaction
+        if (SENSITIVE_KEYS.has(key.toLowerCase()) || SENSITIVE_KEYS.has(keyLower)) {
+            result[key] = REDACTED;
+            counter.count++;
+            continue;
+        }
+        // Value-based redaction + truncation
+        if (typeof value === "string") {
+            if (isSensitiveValue(value)) {
+                result[key] = REDACTED;
+                counter.count++;
+            }
+            else if (value.length > MAX_VALUE_LENGTH) {
+                result[key] = value.slice(0, MAX_VALUE_LENGTH) + `… [${value.length} chars]`;
+            }
+            else {
+                result[key] = value;
+            }
+            continue;
+        }
+        // Recurse into nested objects
+        if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+            result[key] = redactObject(value, depth + 1, counter);
+            continue;
+        }
+        // Arrays — redact string elements, recurse into objects
+        if (Array.isArray(value)) {
+            result[key] = value.map((item) => {
+                if (typeof item === "string") {
+                    if (isSensitiveValue(item)) {
+                        counter.count++;
+                        return REDACTED;
+                    }
+                    if (item.length > MAX_VALUE_LENGTH) {
+                        return item.slice(0, MAX_VALUE_LENGTH) + `… [${item.length} chars]`;
+                    }
+                    return item;
+                }
+                if (item !== null && typeof item === "object" && !Array.isArray(item)) {
+                    return redactObject(item, depth + 1, counter);
+                }
+                return item;
+            });
+            continue;
+        }
+        // Primitives pass through
+        result[key] = value;
+    }
+    return result;
+}
+//# sourceMappingURL=redact.js.map

package/dist/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAkUH,oCAKC;AA+EQ,wCAAc;AAAE,wCAAc;AAAE,kDAAmB;AAAE,kDAAmB;AApZjF,8EAA8E;AAC9E,yEAAyE;AACzE,8EAA8E;AAE9E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,WAAW;IACX,UAAU;IACV,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,SAAS;IACT,eAAe;IACf,aAAa;IACb,aAAa;IACb,YAAY;IACZ,cAAc;IACd,aAAa;IACb,eAAe;IACf,cAAc;IACd,eAAe;IACf,cAAc;IACd,QAAQ;IACR,QAAQ;IACR,YAAY;IACZ,WAAW;IACX,YAAY;IAEZ,uBAAuB;IACvB,eAAe;IACf,gBAAgB;IAChB,YAAY;IACZ,aAAa;IACb,WAAW;IACX,YAAY;IAEZ,WAAW;IACX,aAAa;IACb,cAAc;IACd,OAAO;IACP,QAAQ;IACR,YAAY;IACZ,aAAa;IACb,kBAAkB;IAClB,mBAAmB;IAEnB,uBAAuB;IACvB,cAAc;IACd,eAAe;IACf,eAAe;IACf,gBAAgB;IAEhB,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,WAAW;IACX,YAAY;IAEZ,wCAAwC;IACxC,MAAM;IACN,OAAO;IACP,MAAM;IAEN,8BAA8B;IAC9B,cAAc;IACd,gBAAgB;IAChB,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,mBAAmB;IACnB,cAAc;IACd,eAAe;IACf,WAAW;IACX,gBAAgB;IAChB,eAAe;IACf,uBAAuB;IACvB,oBAAoB;IACpB,oBAAoB;IACpB,uBAAuB;IACvB,gBAAgB;IAChB,kBAAkB;IAClB,gBAAgB;IAChB,kBAAkB;IAClB,aAAa;IACb,eAAe;CAChB,CAAC,CAAC;AAgU0G,wCAAc;AA9T3H,8EAA8E;AAC9E,0DAA0D;AAC1D,8EAA8E;AAE9E,MAAM,wBAAwB,GAAa;IACzC,6BAA6B;IAC7B,sBAAsB,EAAiC,cAAc;IACrE,kCAAkC,EAAqB,oBAAoB;IAC3E,oCAAoC,EAAmB,sBAAsB;IAC7E,uBAAuB,EAAiC,qBAAqB;IAC7E,uBAAuB,EAAgC,6BAA6B;IACpF,sBAAsB,EAAkC,iBAAiB;IACzE,sBAAsB,EAAkC,oBAAoB;IAC5E,sBAAsB,EAAkC,oBAAoB;IAE5E,oCAAoC;IACpC,uBAAuB,EAAiC,2BAA2B;IACnF,uBAAuB,EAAiC,2BAA2B;IACnF,uBAAuB,EAAiC,2BAA2B;IACnF,uBAAuB,EAAiC,2BAA2B;IACnF,mBAAmB,EAAqC,yBAAyB;IACjF,yBAAyB,EAA+B,uDAAuD;IAE/G,iCAAiC;IACjC,mBAAmB,EAAqC,6BAA6B;IACrF,mBAAmB,EAAqC,iCAAiC;IACzF,mBAAmB,EAAqC,mCAAmC;IAC3F,uBAAuB,EAAiC,eAAe;IACvE,sBAAsB,EAAkC,wBAAwB;IAChF,yBAAyB,EAA+B,wBAAwB;IAChF,8CAA8C,EAAS,wBAAwB;IAE/E,mDAAmD;IACnD,wCAAwC,EAAgB,6BAA6B;IACrF,8BAA8B,EAA0B,0BAA0B;IAClF,0CAA0C,EAAc,4BAA4B;IACpF,8BAA8B,EAA0B,0BAA0B;IAClF,0CAA0C,EAAa,oCAAoC;IAE3F,wBAAwB;IACxB,2BAA2B,EAA6B,kBAAkB;IAC1E,2BAA2B,EAA6B,mBAAmB;IAC3E,2BAA2B,EAA6B,kBAAkB;IAC1E,4CAA4C,EAAW,mBAAmB;IAC1E,kBAAkB,EAAsC,iBAAiB;IACzE,4BAA4B,EAA4B,qBAAqB;IAE7E,6BAA6B;IAC7B,uBAAuB,EAAiC,YAAY;IACpE,2BAA2B,EAA6B,aAAa;IAErE,4BAA4B;IAC5B,oCAAoC,EAAmB,0BAA0B;IACjF,qEAAqE,EAAE,uBAAuB;IAE9F,iBAAiB;IACjB,gCAAgC,EAAwB,qBAAqB;IAE7E,6BAA6B;IAC7B,4BAA4B,EAA6B,gBAAgB;IACzE,kCAAkC,EAAuB,MAAM;IAC/D,sCAAsC,EAAmB,UAAU;IACnE,iCAAiC,EAAwB,KAAK;IAC9D,kCAAkC,EAAuB,MAAM;IAC/D,wCAAwC,EAAiB,kBAAkB;IAC3E,0BAA0B,EAA+B,oBAAoB;IAE7E,uBAAuB;IACvB,gCAAgC,EAAwB,gBAAgB;IACxE,+BAA+B,EAAyB,aAAa;IAErE,iBAAiB;IACjB,uBAAuB,EAAiC,aAAa;IACrE,uBAAuB,EAAiC,eAAe;IACvE,uBAAuB,EAAiC,0BAA0B;IAClF,uBAAuB,EAAiC,uBAAuB;IAE/E,mBAAmB;IACnB,sBAAsB,EAAkC,gBAAgB;IAExE,iBAAiB;IACjB,wBAAwB,EAAgC,cAAc;IAEtE,kBAAkB;IAClB,4DAA4D,EAAE,oBAAoB;IAElF,iBAAiB;IACjB,sBAAsB,EAAkC,iBAAiB;IAEzE,sBAAsB;IACtB,6CAA6C,EAAU,6BAA6B;IAEpF,iBAAiB;IACjB,yBAAyB,EAA+B,eAAe;IAEvE,iBAAiB;IACjB,uBAAuB,EAAiC,iBAAiB;IAEzE,kBAAkB;IAClB,6BAA6B,EAA2B,sBAAsB;IAE9E,mBAAmB;IACnB,0BAA0B,EAA8B,mBAAmB;CAC5E,CAAC;AAuNiF,4DAAwB;AArN3G,8EAA8E;AAC9E,6CAA6C;AAC7C,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAC9C,MAAM,cAAc,GAAG,WAAW,CAAC,CAAC,6BAA6B;AACjE,MAAM,YAAY,GAAG,2BAA2B,CAAC,CAAC,qBAAqB;AACvE,MAAM,WAAW,GAAG,qBAAqB,CAAC,CAAC,mBAAmB;AAC9D,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,CAAC,6BAA6B;AAE7E,SAAS,cAAc,CAAC,CAAS;IAC/B,6DAA6D;IAC7D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,oDAAoD;IACpD,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1D,yBAAyB;IACzB,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,uCAAuC;IACvC,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACvD,uCAAuC;IACvC,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAE9B;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,MAAc;IACzC,IAAI,MAAM,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC,CAAG,+CAA+C;IAC/E,IAAI,MAAM,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC,CAAG,mBAAmB;IACnD,OAAO,GAAG,CAAC,CAAsB,8CAA8C;AACjF,CAAC;AAED,SAAS,mBAAmB,CAAC,CAAS;IACpC,IAAI,CAAC,CAAC,MAAM,GAAG,kBAAkB;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,cAAc,CAAC,CAAC,CAAC,IAAI,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAED,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,QAAQ,GAAG,YAAY,CAAC;AAW9B,8EAA8E;AAC9E,qEAAqE;AACrE,8EAA8E;AAE9E,MAAM,eAAe,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;AAE/D;;;GAGG;AACH,SAAS,qBAAqB,CAAC,GAA4B,EAAE,MAAM,GAAG,EAAE;IACtE,IAAI,CAAC,eAAe;QAAE,OAAO;IAE7B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAEpD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAClC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,gCAAgC,SAAS,cAAc,OAAO,UAAU,KAAK,CAAC,MAAM,YAAY,OAAO,EAAE,CAAC,CAAC;YACzH,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChF,qBAAqB,CAAC,KAAgC,EAAE,SAAS,CAAC,CAAC;QACrE,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;gBACxB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAClD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;oBACjC,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAChD,OAAO,CAAC,GAAG,CAAC,gCAAgC,SAAS,IAAI,CAAC,eAAe,OAAO,UAAU,IAAI,CAAC,MAAM,YAAY,OAAO,EAAE,CAAC,CAAC;gBAC9H,CAAC;qBAAM,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACrD,qBAAqB,CAAC,IAA+B,EAAE,GAAG,SAAS,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;GAGG;AACH,SAAgB,YAAY,CAAC,MAA+B;IAC1D,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAChD,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;AAClD,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACrE,IAAI,mBAAmB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,GAA4B,EAC5B,KAAa,EACb,OAA0B;IAE1B,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,CAAC;IAE3D,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAExD,sBAAsB;QACtB,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1E,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC;YACvB,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,SAAS;QACX,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC;gBACvB,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;gBAC3C,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,GAAG,MAAM,KAAK,CAAC,MAAM,SAAS,CAAC;YAC/E,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtB,CAAC;YACD,SAAS;QACX,CAAC;QAED,8BAA8B;QAC9B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzE,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAgC,EAAE,KAAK,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;YACjF,SAAS;QACX,CAAC;QAED,wDAAwD;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC7B,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3B,OAAO,CAAC,KAAK,EAAE,CAAC;wBAChB,OAAO,QAAQ,CAAC;oBAClB,CAAC;oBACD,IAAI,IAAI,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;wBACnC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,GAAG,MAAM,IAAI,CAAC,MAAM,SAAS,CAAC;oBACtE,CAAC;oBACD,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtE,OAAO,YAAY,CAAC,IAA+B,EAAE,KAAK,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;gBAC3E,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,0BAA0B;QAC1B,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/scanner.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Skill/plugin scanner — scans installed skills and plugins.
+ *
+ * Scans:
+ * - ~/.openclaw/skills/ (managed skills)
+ * - <workspace>/skills/ (workspace skills)
+ * - ~/.openclaw/extensions/ (installed plugins)
+ *
+ * Reports: name, version, source, permissions, risk indicators.
+ */
+interface ScannedItem {
+    name: string;
+    type: "skill" | "plugin";
+    source: string;
+    version?: string;
+    description?: string;
+    permissions?: string[];
+    riskIndicators?: string[];
+}
+interface ScanResults {
+    skills: ScannedItem[];
+    plugins: ScannedItem[];
+    scannedAt: number;
+}
+export declare function scanSkillsAndPlugins(workspaceDir?: string): Promise<ScanResults>;
+export {};
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,UAAU,WAAW;IACnB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD,wBAAsB,oBAAoB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAoCtF"}