safeclaw 0.1.4 → 0.1.6

package/dist/main.js

@@ -8,15 +8,16 @@ var __export = (target, all) => {
 import { Command } from "commander";
 
 // src/lib/version.ts
-var VERSION = "0.1.3";
+var VERSION = "0.1.6";
 
 // src/server/index.ts
 import Fastify from "fastify";
 import fastifyStatic from "@fastify/static";
 import fastifyCors from "@fastify/cors";
-import fs7 from "fs";
+import fs10 from "fs";
 
 // src/lib/paths.ts
+import fs from "fs";
 import path from "path";
 import os from "os";
 var HOME = os.homedir();
@@ -31,9 +32,12 @@ var OPENCLAW_IDENTITY_DIR = path.join(OPENCLAW_DIR, "identity");
 var OPENCLAW_DEVICE_JSON = path.join(OPENCLAW_IDENTITY_DIR, "device.json");
 var OPENCLAW_DEVICE_AUTH_JSON = path.join(OPENCLAW_IDENTITY_DIR, "device-auth.json");
 var OPENCLAW_EXEC_APPROVALS_PATH = path.join(OPENCLAW_DIR, "exec-approvals.json");
+var SRT_SETTINGS_PATH = path.join(HOME, ".srt-settings.json");
 function getPublicDir() {
   const currentDir = path.dirname(new URL(import.meta.url).pathname);
-  return path.resolve(currentDir, "..", "..", "public");
+  const bundledPath = path.resolve(currentDir, "..", "public");
+  const devPath = path.resolve(currentDir, "..", "..", "public");
+  return fs.existsSync(bundledPath) ? bundledPath : devPath;
 }
 
 // src/server/socket.ts
@@ -44,7 +48,7 @@ import Database from "better-sqlite3";
 import { drizzle } from "drizzle-orm/better-sqlite3";
 
 // src/lib/config.ts
-import fs from "fs";
+import fs2 from "fs";
 
 // ../../packages/shared/dist/schemas.js
 import { z } from "zod";
@@ -81,8 +85,12 @@ var safeClawConfigSchema = z.object({
   port: z.number().int().min(1024).max(65535).default(54335),
   autoOpenBrowser: z.boolean().default(true),
   premium: z.boolean().default(false),
-  userId: z.string().nullable().default(null)
-});
+  userId: z.string().nullable().default(null),
+  srt: z.object({
+    enabled: z.boolean(),
+    settingsPath: z.string().optional()
+  }).optional()
+}).passthrough();
 var activityTypeSchema = z.enum([
   "file_read",
   "file_write",
@@ -260,7 +268,7 @@ var execApprovalEntrySchema = z.object({
   requestedAt: z.string(),
   expiresAt: z.string(),
   decision: execDecisionSchema.nullable(),
-  decidedBy: z.enum(["user", "auto-deny"]).nullable(),
+  decidedBy: z.enum(["user", "auto-deny", "auto-approve", "access-control"]).nullable(),
   decidedAt: z.string().nullable()
 });
 var allowlistPatternSchema = z.object({
@@ -269,6 +277,104 @@ var allowlistPatternSchema = z.object({
 var allowlistStateSchema = z.object({
   patterns: z.array(allowlistPatternSchema)
 });
+var skillScanCategoryIdSchema = z.enum([
+  "SK-HID",
+  "SK-INJ",
+  "SK-EXE",
+  "SK-EXF",
+  "SK-SEC",
+  "SK-SFA",
+  "SK-MEM",
+  "SK-SUP",
+  "SK-B64",
+  "SK-IMG",
+  "SK-SYS",
+  "SK-ARG",
+  "SK-XTL",
+  "SK-PRM",
+  "SK-STR"
+]);
+var skillScanRequestSchema = z.object({
+  content: z.string().min(1).max(5e5)
+});
+var skillScanFindingSchema = z.object({
+  categoryId: skillScanCategoryIdSchema,
+  categoryName: z.string(),
+  severity: threatLevelSchema,
+  reason: z.string(),
+  evidence: z.string().optional(),
+  owaspRef: z.string().optional(),
+  remediation: z.string().optional(),
+  lineNumber: z.number().optional()
+});
+var skillScanResultSchema = z.object({
+  overallSeverity: threatLevelSchema,
+  findings: z.array(skillScanFindingSchema),
+  summary: z.object({
+    critical: z.number(),
+    high: z.number(),
+    medium: z.number(),
+    low: z.number()
+  }),
+  scannedAt: z.string(),
+  contentLength: z.number(),
+  scanDurationMs: z.number()
+});
+var skillCleanResultSchema = z.object({
+  cleanedContent: z.string(),
+  removedCount: z.number()
+});
+var securityLayerStatusSchema = z.enum([
+  "configured",
+  "partial",
+  "unconfigured",
+  "error"
+]);
+var securityCheckSchema = z.object({
+  id: z.string(),
+  label: z.string(),
+  passed: z.boolean(),
+  detail: z.string(),
+  severity: z.enum(["info", "warning", "critical"])
+}).passthrough();
+var securityLayerSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  status: securityLayerStatusSchema,
+  checks: z.array(securityCheckSchema),
+  passedCount: z.number(),
+  totalCount: z.number()
+}).passthrough();
+var securityPostureSchema = z.object({
+  layers: z.array(securityLayerSchema),
+  overallScore: z.number(),
+  configuredLayers: z.number(),
+  partialLayers: z.number(),
+  unconfiguredLayers: z.number(),
+  totalLayers: z.number(),
+  checkedAt: z.string()
+}).passthrough();
+var srtNetworkConfigSchema = z.object({
+  allowedDomains: z.array(z.string()),
+  deniedDomains: z.array(z.string()),
+  allowLocalBinding: z.boolean()
+}).passthrough();
+var srtFilesystemConfigSchema = z.object({
+  denyRead: z.array(z.string()),
+  allowWrite: z.array(z.string()),
+  denyWrite: z.array(z.string())
+}).passthrough();
+var srtSettingsSchema = z.object({
+  network: srtNetworkConfigSchema,
+  filesystem: srtFilesystemConfigSchema
+}).passthrough();
+var srtStatusSchema = z.object({
+  installed: z.boolean(),
+  version: z.string().nullable(),
+  enabled: z.boolean(),
+  settingsPath: z.string(),
+  settings: srtSettingsSchema.nullable()
+}).passthrough();
 
 // src/lib/config.ts
 var DEFAULT_CONFIG = {
@@ -276,28 +382,31 @@ var DEFAULT_CONFIG = {
   port: 54335,
   autoOpenBrowser: true,
   premium: false,
-  userId: null
+  userId: null,
+  srt: {
+    enabled: false
+  }
 };
 function ensureDataDir() {
-  if (!fs.existsSync(SAFECLAW_DIR)) {
-    fs.mkdirSync(SAFECLAW_DIR, { recursive: true });
+  if (!fs2.existsSync(SAFECLAW_DIR)) {
+    fs2.mkdirSync(SAFECLAW_DIR, { recursive: true });
   }
-  if (!fs.existsSync(LOGS_DIR)) {
-    fs.mkdirSync(LOGS_DIR, { recursive: true });
+  if (!fs2.existsSync(LOGS_DIR)) {
+    fs2.mkdirSync(LOGS_DIR, { recursive: true });
   }
 }
 function readConfig() {
   ensureDataDir();
-  if (!fs.existsSync(CONFIG_PATH)) {
-    fs.writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2));
+  if (!fs2.existsSync(CONFIG_PATH)) {
+    fs2.writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2));
     return DEFAULT_CONFIG;
   }
-  const raw = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
+  const raw = JSON.parse(fs2.readFileSync(CONFIG_PATH, "utf-8"));
   return safeClawConfigSchema.parse(raw);
 }
 function writeConfig(config) {
   ensureDataDir();
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
 }
 function resetConfig() {
   writeConfig(DEFAULT_CONFIG);
@@ -400,7 +509,7 @@ var execApprovals = sqliteTable("exec_approvals", {
     enum: ["allow-once", "allow-always", "deny"]
   }),
   decidedBy: text("decided_by", {
-    enum: ["user", "auto-deny"]
+    enum: ["user", "auto-deny", "auto-approve", "access-control"]
   }),
   decidedAt: text("decided_at"),
   matchedPattern: text("matched_pattern")
@@ -423,9 +532,9 @@ import { eq as eq4, desc as desc3 } from "drizzle-orm";
 
 // src/lib/logger.ts
 import pino from "pino";
-import fs2 from "fs";
-if (!fs2.existsSync(LOGS_DIR)) {
-  fs2.mkdirSync(LOGS_DIR, { recursive: true });
+import fs3 from "fs";
+if (!fs3.existsSync(LOGS_DIR)) {
+  fs3.mkdirSync(LOGS_DIR, { recursive: true });
 }
 function createLogger(consoleLevel = "info") {
   return pino({
@@ -454,20 +563,21 @@ function setVerbose(verbose) {
 }
 
 // src/lib/openclaw-config.ts
-import fs3 from "fs";
+import fs4 from "fs";
 function readOpenClawConfig() {
-  if (!fs3.existsSync(OPENCLAW_CONFIG_PATH)) {
+  if (!fs4.existsSync(OPENCLAW_CONFIG_PATH)) {
     return null;
   }
-  const raw = JSON.parse(fs3.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
+  const raw = JSON.parse(fs4.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
   return openClawConfigSchema.parse(raw);
 }
 function writeOpenClawConfig(updates) {
   const current = readOpenClawConfig();
   if (!current) return null;
   const merged = deepMerge(current, updates);
-  fs3.writeFileSync(OPENCLAW_CONFIG_PATH, JSON.stringify(merged, null, 2));
-  return merged;
+  const cleaned = stripNulls(merged);
+  fs4.writeFileSync(OPENCLAW_CONFIG_PATH, JSON.stringify(cleaned, null, 2));
+  return cleaned;
 }
 function deepMerge(target, source) {
   const result = { ...target };
@@ -482,15 +592,30 @@ function deepMerge(target, source) {
   }
   return result;
 }
+function stripNulls(obj) {
+  const result = {};
+  for (const [key, val] of Object.entries(obj)) {
+    if (val === null) continue;
+    if (typeof val === "object" && !Array.isArray(val)) {
+      const cleaned = stripNulls(val);
+      if (Object.keys(cleaned).length > 0) {
+        result[key] = cleaned;
+      }
+    } else {
+      result[key] = val;
+    }
+  }
+  return result;
+}
 
 // src/lib/openclaw-client.ts
 import { EventEmitter } from "events";
 import crypto from "crypto";
-import fs4 from "fs";
+import fs5 from "fs";
 import { WebSocket } from "ws";
 function readDeviceIdentity() {
   try {
-    const raw = fs4.readFileSync(OPENCLAW_DEVICE_JSON, "utf-8");
+    const raw = fs5.readFileSync(OPENCLAW_DEVICE_JSON, "utf-8");
     const data = JSON.parse(raw);
     if (!data.deviceId || !data.publicKeyPem || !data.privateKeyPem) return null;
     return {
@@ -1008,7 +1133,7 @@ var OpenClawClient = class extends EventEmitter {
 
 // src/services/session-watcher.ts
 import { EventEmitter as EventEmitter2 } from "events";
-import fs5 from "fs";
+import fs6 from "fs";
 import path2 from "path";
 var MAX_CONTENT_PREVIEW = 10 * 1024;
 var SessionWatcher = class extends EventEmitter2 {
@@ -1027,7 +1152,7 @@ var SessionWatcher = class extends EventEmitter2 {
   start() {
     if (this.destroyed) return;
     const agentsDir = path2.join(OPENCLAW_DIR, "agents");
-    if (!fs5.existsSync(agentsDir)) {
+    if (!fs6.existsSync(agentsDir)) {
       logger.debug("OpenClaw agents directory not found, will retry");
     }
     this.scanForSessions();
@@ -1035,8 +1160,8 @@ var SessionWatcher = class extends EventEmitter2 {
       if (!this.destroyed) this.scanForSessions();
     }, 1e4);
     try {
-      if (fs5.existsSync(agentsDir)) {
-        this.agentsDirWatcher = fs5.watch(agentsDir, { recursive: true }, () => {
+      if (fs6.existsSync(agentsDir)) {
+        this.agentsDirWatcher = fs6.watch(agentsDir, { recursive: true }, () => {
           if (!this.destroyed) this.scanForSessions();
         });
       }
@@ -1064,10 +1189,10 @@ var SessionWatcher = class extends EventEmitter2 {
   }
   scanForSessions() {
     const agentsDir = path2.join(OPENCLAW_DIR, "agents");
-    if (!fs5.existsSync(agentsDir)) return;
+    if (!fs6.existsSync(agentsDir)) return;
     try {
-      const agentNames = fs5.readdirSync(agentsDir).filter((name) => {
-        const stat = fs5.statSync(path2.join(agentsDir, name));
+      const agentNames = fs6.readdirSync(agentsDir).filter((name) => {
+        const stat = fs6.statSync(path2.join(agentsDir, name));
         return stat.isDirectory();
       });
       for (const agentName of agentNames) {
@@ -1079,11 +1204,11 @@ var SessionWatcher = class extends EventEmitter2 {
   }
   discoverSessionFiles(agentName) {
     const sessionsDir = path2.join(OPENCLAW_DIR, "agents", agentName, "sessions");
-    if (!fs5.existsSync(sessionsDir)) return;
+    if (!fs6.existsSync(sessionsDir)) return;
     const sessionsJsonPath = path2.join(sessionsDir, "sessions.json");
-    if (fs5.existsSync(sessionsJsonPath)) {
+    if (fs6.existsSync(sessionsJsonPath)) {
       try {
-        const raw = fs5.readFileSync(sessionsJsonPath, "utf-8");
+        const raw = fs6.readFileSync(sessionsJsonPath, "utf-8");
         const sessionsData = JSON.parse(raw);
         const sessions2 = sessionsData.sessions ?? [];
         for (const session of sessions2) {
@@ -1095,7 +1220,7 @@ var SessionWatcher = class extends EventEmitter2 {
       }
     }
     try {
-      const files = fs5.readdirSync(sessionsDir).filter((f) => f.endsWith(".jsonl"));
+      const files = fs6.readdirSync(sessionsDir).filter((f) => f.endsWith(".jsonl"));
       for (const file of files) {
         const filePath = path2.join(sessionsDir, file);
         const sessionId = path2.basename(file, ".jsonl");
@@ -1106,8 +1231,8 @@ var SessionWatcher = class extends EventEmitter2 {
   }
   watchSessionFile(filePath, sessionId, agentName) {
     if (this.watchedFiles.has(filePath)) return;
-    if (!fs5.existsSync(filePath)) return;
-    const stat = fs5.statSync(filePath);
+    if (!fs6.existsSync(filePath)) return;
+    const stat = fs6.statSync(filePath);
     const watched = {
       path: filePath,
       position: stat.size,
@@ -1117,7 +1242,7 @@ var SessionWatcher = class extends EventEmitter2 {
       agentName
     };
     try {
-      watched.watcher = fs5.watch(filePath, () => {
+      watched.watcher = fs6.watch(filePath, () => {
         if (!this.destroyed) {
           this.readNewEntries(watched);
         }
@@ -1131,13 +1256,13 @@ var SessionWatcher = class extends EventEmitter2 {
   }
   readNewEntries(watched) {
     try {
-      const stat = fs5.statSync(watched.path);
+      const stat = fs6.statSync(watched.path);
       if (stat.size <= watched.position) return;
-      const fd = fs5.openSync(watched.path, "r");
+      const fd = fs6.openSync(watched.path, "r");
       const bufferSize = stat.size - watched.position;
       const buffer = Buffer.alloc(bufferSize);
-      fs5.readSync(fd, buffer, 0, bufferSize, watched.position);
-      fs5.closeSync(fd);
+      fs6.readSync(fd, buffer, 0, bufferSize, watched.position);
+      fs6.closeSync(fd);
       watched.position = stat.size;
       const text2 = buffer.toString("utf-8");
       const lines = text2.split("\n").filter((l) => l.trim());
@@ -1308,8 +1433,228 @@ var SessionWatcher = class extends EventEmitter2 {
 };
 
 // src/services/exec-approval-service.ts
-import { eq, desc, sql as sql2 } from "drizzle-orm";
+import { eq as eq2, desc, sql as sql3 } from "drizzle-orm";
 import path3 from "path";
+
+// src/services/access-control.ts
+import { eq, and, sql as sql2 } from "drizzle-orm";
+var TOOL_GROUP_MAP = {
+  filesystem: "group:fs",
+  system_commands: "group:runtime",
+  network: "group:web"
+};
+function deriveMcpServerStates(config, denyList) {
+  const pluginEntries = config.plugins?.entries ?? {};
+  return Object.keys(pluginEntries).map((name) => {
+    const pluginEnabled = pluginEntries[name].enabled !== false;
+    const toolsDenyBlocked = denyList.includes(`mcp__${name}`);
+    return {
+      name,
+      pluginEnabled,
+      toolsDenyBlocked,
+      effectivelyEnabled: pluginEnabled && !toolsDenyBlocked
+    };
+  });
+}
+function deriveAccessState() {
+  const config = readOpenClawConfig();
+  if (!config) {
+    return {
+      toggles: [
+        { category: "filesystem", enabled: true },
+        { category: "mcp_servers", enabled: true },
+        { category: "network", enabled: true },
+        { category: "system_commands", enabled: true }
+      ],
+      mcpServers: [],
+      openclawConfigAvailable: false
+    };
+  }
+  const denyList = config.tools?.deny ?? [];
+  const filesystemEnabled = !denyList.includes("group:fs");
+  const systemCommandsEnabled = !denyList.includes("group:runtime");
+  const networkEnabled = !denyList.includes("group:web") && config.browser?.enabled !== false;
+  const pluginEntries = config.plugins?.entries ?? {};
+  const pluginNames = Object.keys(pluginEntries);
+  const mcpEnabled = pluginNames.length === 0 || pluginNames.some((name) => pluginEntries[name].enabled !== false);
+  const toggles = [
+    { category: "filesystem", enabled: filesystemEnabled },
+    { category: "mcp_servers", enabled: mcpEnabled },
+    { category: "network", enabled: networkEnabled },
+    { category: "system_commands", enabled: systemCommandsEnabled }
+  ];
+  const mcpServers = deriveMcpServerStates(config, denyList);
+  return { toggles, mcpServers, openclawConfigAvailable: true };
+}
+async function applyAccessToggle(category, enabled) {
+  const config = readOpenClawConfig();
+  if (!config) {
+    throw new Error("OpenClaw config not found");
+  }
+  if (category === "mcp_servers") {
+    await applyMcpToggle(config, enabled);
+  } else if (category === "network") {
+    applyNetworkToggle(config, enabled);
+  } else {
+    applyToolGroupToggle(config, category, enabled);
+  }
+  await updateAuditDb(category, enabled);
+  return deriveAccessState();
+}
+async function applyMcpServerToggle(serverName, enabled) {
+  const config = readOpenClawConfig();
+  if (!config) {
+    throw new Error("OpenClaw config not found");
+  }
+  const denyPattern = `mcp__${serverName}`;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== denyPattern);
+    writeOpenClawConfig({ tools: { deny: filtered } });
+  } else {
+    if (!currentDeny.includes(denyPattern)) {
+      currentDeny.push(denyPattern);
+    }
+    writeOpenClawConfig({ tools: { deny: currentDeny } });
+  }
+  await updateAuditDb(`mcp_server:${serverName}`, enabled);
+  return deriveAccessState();
+}
+function applyToolGroupToggle(config, category, enabled) {
+  const groupName = TOOL_GROUP_MAP[category];
+  if (!groupName) return;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== groupName);
+    writeOpenClawConfig({ tools: { deny: filtered } });
+  } else {
+    if (!currentDeny.includes(groupName)) {
+      currentDeny.push(groupName);
+    }
+    writeOpenClawConfig({ tools: { deny: currentDeny } });
+  }
+}
+function applyNetworkToggle(config, enabled) {
+  const currentDeny = [...config.tools?.deny ?? []];
+  const groupName = "group:web";
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== groupName);
+    writeOpenClawConfig({
+      tools: { deny: filtered },
+      browser: { enabled: true }
+    });
+  } else {
+    if (!currentDeny.includes(groupName)) {
+      currentDeny.push(groupName);
+    }
+    writeOpenClawConfig({
+      tools: { deny: currentDeny },
+      browser: { enabled: false }
+    });
+  }
+}
+async function applyMcpToggle(config, enabled) {
+  const pluginEntries = config.plugins?.entries ?? {};
+  const pluginNames = Object.keys(pluginEntries);
+  if (pluginNames.length === 0) return;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (!enabled) {
+    const stateMap = {};
+    for (const name of pluginNames) {
+      stateMap[name] = pluginEntries[name].enabled !== false;
+    }
+    await savePreviousPluginState(stateMap);
+    const disabledEntries = {};
+    for (const name of pluginNames) {
+      disabledEntries[name] = { enabled: false };
+    }
+    for (const name of pluginNames) {
+      const denyPattern = `mcp__${name}`;
+      if (!currentDeny.includes(denyPattern)) {
+        currentDeny.push(denyPattern);
+      }
+    }
+    writeOpenClawConfig({
+      plugins: { entries: disabledEntries },
+      tools: { deny: currentDeny }
+    });
+  } else {
+    const previousState = await loadPreviousPluginState();
+    const restoredEntries = {};
+    for (const name of pluginNames) {
+      restoredEntries[name] = {
+        enabled: previousState?.[name] ?? true
+      };
+    }
+    const mcpDenyPatterns = new Set(pluginNames.map((n) => `mcp__${n}`));
+    const filteredDeny = currentDeny.filter(
+      (entry) => !mcpDenyPatterns.has(entry)
+    );
+    writeOpenClawConfig({
+      plugins: { entries: restoredEntries },
+      tools: { deny: filteredDeny }
+    });
+  }
+}
+async function savePreviousPluginState(stateMap) {
+  const db = getDb();
+  const existing = await db.select().from(schema_exports.accessConfig).where(
+    and(
+      eq(schema_exports.accessConfig.category, "mcp_servers"),
+      eq(schema_exports.accessConfig.key, "previous_plugin_state")
+    )
+  );
+  if (existing.length > 0) {
+    await db.update(schema_exports.accessConfig).set({
+      value: JSON.stringify(stateMap),
+      updatedAt: sql2`datetime('now')`
+    }).where(
+      and(
+        eq(schema_exports.accessConfig.category, "mcp_servers"),
+        eq(schema_exports.accessConfig.key, "previous_plugin_state")
+      )
+    );
+  } else {
+    await db.insert(schema_exports.accessConfig).values({
+      category: "mcp_servers",
+      key: "previous_plugin_state",
+      value: JSON.stringify(stateMap)
+    });
+  }
+}
+async function loadPreviousPluginState() {
+  const db = getDb();
+  const rows = await db.select().from(schema_exports.accessConfig).where(
+    and(
+      eq(schema_exports.accessConfig.category, "mcp_servers"),
+      eq(schema_exports.accessConfig.key, "previous_plugin_state")
+    )
+  );
+  if (rows.length === 0) return null;
+  try {
+    return JSON.parse(rows[0].value);
+  } catch {
+    return null;
+  }
+}
+async function updateAuditDb(category, enabled) {
+  const db = getDb();
+  try {
+    await db.update(schema_exports.accessConfig).set({
+      value: enabled ? "true" : "false",
+      updatedAt: sql2`datetime('now')`
+    }).where(
+      and(
+        eq(schema_exports.accessConfig.category, category),
+        eq(schema_exports.accessConfig.key, "enabled")
+      )
+    );
+  } catch (err) {
+    logger.warn({ err, category, enabled }, "Failed to update audit DB");
+  }
+}
+
+// src/services/exec-approval-service.ts
 var DEFAULT_TIMEOUT_MS = 6e5;
 var instance = null;
 function matchesPattern(command, pattern) {
@@ -1317,6 +1662,37 @@ function matchesPattern(command, pattern) {
   const regexStr = "^" + escaped.replace(/\*/g, ".*") + "$";
   return new RegExp(regexStr, "i").test(command);
 }
+var NETWORK_BINARIES = /* @__PURE__ */ new Set([
+  "curl",
+  "wget",
+  "httpie",
+  "http",
+  "ssh",
+  "scp",
+  "sftp",
+  "nc",
+  "ncat",
+  "netcat",
+  "dig",
+  "nslookup",
+  "host",
+  "ping",
+  "traceroute",
+  "tracepath",
+  "mtr",
+  "telnet",
+  "ftp",
+  "lftp",
+  "rsync",
+  "socat",
+  "nmap"
+]);
+function isNetworkCommand(command) {
+  const firstToken = command.trim().split(/\s+/)[0];
+  if (!firstToken) return false;
+  const basename = firstToken.includes("/") ? firstToken.split("/").pop() : firstToken;
+  return NETWORK_BINARIES.has(basename.toLowerCase());
+}
 var ExecApprovalService = class {
   client;
   io;
@@ -1357,11 +1733,62 @@ var ExecApprovalService = class {
   handleRequest(request) {
     const matchedPattern = this.findMatchingPattern(request.command);
     if (!matchedPattern) {
-      this.resolveToGateway(request.id, "allow-once");
-      logger.debug(
-        { command: request.command },
-        "Command auto-approved (not restricted)"
-      );
+      if (isNetworkCommand(request.command)) {
+        try {
+          const accessState = deriveAccessState();
+          const networkToggle = accessState.toggles.find(
+            (t) => t.category === "network"
+          );
+          if (networkToggle && !networkToggle.enabled) {
+            this.resolveToGateway(request.id, "deny");
+            const now3 = /* @__PURE__ */ new Date();
+            const entry3 = {
+              id: request.id,
+              command: request.command,
+              cwd: request.cwd,
+              security: request.security,
+              sessionKey: request.sessionKey,
+              requestedAt: now3.toISOString(),
+              expiresAt: now3.toISOString(),
+              decision: "deny",
+              decidedBy: "access-control",
+              decidedAt: now3.toISOString()
+            };
+            this.persistApproval(entry3, null);
+            this.io.emit("safeclaw:execApprovalResolved", entry3);
+            logger.info(
+              { command: request.command },
+              "Network command auto-denied (network toggle OFF)"
+            );
+            return;
+          }
+        } catch {
+          logger.debug(
+            { command: request.command },
+            "Could not read access state for network check, falling through"
+          );
+        }
+      }
+      this.resolveToGateway(request.id, "allow-once");
+      const now2 = /* @__PURE__ */ new Date();
+      const entry2 = {
+        id: request.id,
+        command: request.command,
+        cwd: request.cwd,
+        security: request.security,
+        sessionKey: request.sessionKey,
+        requestedAt: now2.toISOString(),
+        expiresAt: now2.toISOString(),
+        decision: "allow-once",
+        decidedBy: "auto-approve",
+        decidedAt: now2.toISOString()
+      };
+      this.persistApproval(entry2, null);
+      this.io.emit("safeclaw:execApprovalResolved", entry2);
+      logger.debug(
+        { command: request.command },
+        "Command auto-approved (not restricted)"
+      );
       return;
     }
     const now = /* @__PURE__ */ new Date();
@@ -1476,7 +1903,7 @@ var ExecApprovalService = class {
         decision: entry.decision,
         decidedBy: entry.decidedBy,
         decidedAt: entry.decidedAt
-      }).where(eq(schema_exports.execApprovals.id, entry.id)).run();
+      }).where(eq2(schema_exports.execApprovals.id, entry.id)).run();
     } catch (err) {
       logger.error(
         { err, id: entry.id },
@@ -1525,7 +1952,7 @@ var ExecApprovalService = class {
     );
     try {
       const db = getDb();
-      db.delete(schema_exports.restrictedPatterns).where(eq(schema_exports.restrictedPatterns.pattern, pattern)).run();
+      db.delete(schema_exports.restrictedPatterns).where(eq2(schema_exports.restrictedPatterns.pattern, pattern)).run();
     } catch (err) {
       logger.error({ err, pattern }, "Failed to remove restricted pattern from database");
     }
@@ -1628,7 +2055,7 @@ var ExecApprovalService = class {
   getHistory(limit = 50) {
     try {
       const db = getDb();
-      const rows = db.select().from(schema_exports.execApprovals).where(sql2`${schema_exports.execApprovals.decision} IS NOT NULL`).orderBy(desc(schema_exports.execApprovals.decidedAt)).limit(limit).all();
+      const rows = db.select().from(schema_exports.execApprovals).where(sql3`${schema_exports.execApprovals.decision} IS NOT NULL`).orderBy(desc(schema_exports.execApprovals.decidedAt)).limit(limit).all();
       return rows.map((r) => ({
         id: r.id,
         command: r.command,
@@ -1691,11 +2118,11 @@ function createExecApprovalService(client, io2, timeoutMs) {
 }
 
 // src/lib/exec-approvals-config.ts
-import fs6 from "fs";
+import fs7 from "fs";
 function readExecApprovalsConfig() {
   try {
-    if (!fs6.existsSync(OPENCLAW_EXEC_APPROVALS_PATH)) return null;
-    const raw = fs6.readFileSync(OPENCLAW_EXEC_APPROVALS_PATH, "utf-8");
+    if (!fs7.existsSync(OPENCLAW_EXEC_APPROVALS_PATH)) return null;
+    const raw = fs7.readFileSync(OPENCLAW_EXEC_APPROVALS_PATH, "utf-8");
     return JSON.parse(raw);
   } catch (err) {
     logger.warn({ err }, "Failed to read exec-approvals.json");
@@ -1703,7 +2130,7 @@ function readExecApprovalsConfig() {
   }
 }
 function writeExecApprovalsConfig(config) {
-  fs6.writeFileSync(
+  fs7.writeFileSync(
     OPENCLAW_EXEC_APPROVALS_PATH,
     JSON.stringify(config, null, 2)
   );
@@ -1789,7 +2216,7 @@ var SECRET_PATTERNS = [
 function scanForSecrets(content) {
   if (!content) return { types: [], maxSeverity: "NONE" };
   const found = /* @__PURE__ */ new Set();
-  let maxSeverity = "NONE";
+  let maxSeverity2 = "NONE";
   const severityOrder = {
     NONE: 0,
     LOW: 1,
@@ -1800,12 +2227,12 @@ function scanForSecrets(content) {
   for (const { pattern, type, severity } of SECRET_PATTERNS) {
     if (pattern.test(content)) {
       found.add(type);
-      if (severityOrder[severity] > severityOrder[maxSeverity]) {
-        maxSeverity = severity;
+      if (severityOrder[severity] > severityOrder[maxSeverity2]) {
+        maxSeverity2 = severity;
       }
     }
   }
-  return { types: Array.from(found), maxSeverity };
+  return { types: Array.from(found), maxSeverity: maxSeverity2 };
 }
 
 // src/lib/threat-patterns.ts
@@ -2442,7 +2869,7 @@ function analyzeActivityThreat(activityType, detail, targetPath, contentPreview,
 }
 
 // src/services/openclaw-monitor.ts
-import { eq as eq2, ne, desc as desc2, and, sql as sql3 } from "drizzle-orm";
+import { eq as eq3, ne, desc as desc2, and as and2, sql as sql4 } from "drizzle-orm";
 var instance2 = null;
 var OpenClawMonitor = class {
   client;
@@ -2507,7 +2934,7 @@ var OpenClawMonitor = class {
       parsed.toolName
     );
     const db = getDb();
-    const existingSession = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, parsed.openclawSessionId)).limit(1);
+    const existingSession = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, parsed.openclawSessionId)).limit(1);
     if (existingSession.length === 0) {
       await db.insert(schema_exports.openclawSessions).values({
         id: parsed.openclawSessionId,
@@ -2596,7 +3023,7 @@ var OpenClawMonitor = class {
   }
   async handleSessionStart(sessionId, model) {
     const db = getDb();
-    const existing = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, sessionId)).limit(1);
+    const existing = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, sessionId)).limit(1);
     if (existing.length === 0) {
       await db.insert(schema_exports.openclawSessions).values({
         id: sessionId,
@@ -2604,7 +3031,7 @@ var OpenClawMonitor = class {
         model: model ?? null
       });
     } else {
-      await db.update(schema_exports.openclawSessions).set({ status: "ACTIVE", model: model ?? null }).where(eq2(schema_exports.openclawSessions.id, sessionId));
+      await db.update(schema_exports.openclawSessions).set({ status: "ACTIVE", model: model ?? null }).where(eq3(schema_exports.openclawSessions.id, sessionId));
     }
     const session = await this.buildSessionPayload(sessionId);
     if (session) {
@@ -2615,8 +3042,8 @@ var OpenClawMonitor = class {
     const db = getDb();
     await db.update(schema_exports.openclawSessions).set({
       status: "ENDED",
-      endedAt: sql3`datetime('now')`
-    }).where(eq2(schema_exports.openclawSessions.id, sessionId));
+      endedAt: sql4`datetime('now')`
+    }).where(eq3(schema_exports.openclawSessions.id, sessionId));
     const session = await this.buildSessionPayload(sessionId);
     if (session) {
       this.io.emit("safeclaw:openclawSessionUpdate", session);
@@ -2624,9 +3051,9 @@ var OpenClawMonitor = class {
   }
   async buildSessionPayload(sessionId) {
     const db = getDb();
-    const [row] = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, sessionId));
+    const [row] = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, sessionId));
     if (!row) return null;
-    const activities = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.openclawSessionId, sessionId));
+    const activities = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.openclawSessionId, sessionId));
     const threatSummary = {
       NONE: 0,
       LOW: 0,
@@ -2688,8 +3115,8 @@ var OpenClawMonitor = class {
     await db.update(schema_exports.agentActivities).set({
       resolved: resolved ? 1 : 0,
       resolvedAt: resolved ? (/* @__PURE__ */ new Date()).toISOString() : null
-    }).where(eq2(schema_exports.agentActivities.id, activityId));
-    const [row] = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.id, activityId));
+    }).where(eq3(schema_exports.agentActivities.id, activityId));
+    const [row] = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.id, activityId));
     if (!row) return null;
     return this.mapRowToActivity(row);
   }
@@ -2697,19 +3124,19 @@ var OpenClawMonitor = class {
     const db = getDb();
     const conditions = [ne(schema_exports.agentActivities.threatLevel, "NONE")];
     if (severity) {
-      conditions.push(eq2(schema_exports.agentActivities.threatLevel, severity));
+      conditions.push(eq3(schema_exports.agentActivities.threatLevel, severity));
     }
     if (resolved !== void 0) {
-      conditions.push(eq2(schema_exports.agentActivities.resolved, resolved ? 1 : 0));
+      conditions.push(eq3(schema_exports.agentActivities.resolved, resolved ? 1 : 0));
     }
-    const rows = await db.select().from(schema_exports.agentActivities).where(and(...conditions)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
+    const rows = await db.select().from(schema_exports.agentActivities).where(and2(...conditions)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     return rows.map((r) => this.mapRowToActivity(r));
   }
   async getActivities(sessionId, limit = 50) {
     const db = getDb();
     let rows;
     if (sessionId) {
-      rows = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.openclawSessionId, sessionId)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
+      rows = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.openclawSessionId, sessionId)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     } else {
       rows = await db.select().from(schema_exports.agentActivities).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     }
@@ -2764,222 +3191,130 @@ function getOpenClawMonitor() {
   return instance2;
 }
 
-// src/services/access-control.ts
-import { eq as eq3, and as and2, sql as sql4 } from "drizzle-orm";
-var TOOL_GROUP_MAP = {
-  filesystem: "group:fs",
-  system_commands: "group:runtime",
-  network: "group:web"
+// src/lib/srt-config.ts
+import fs8 from "fs";
+import { execSync } from "child_process";
+var DEFAULT_SRT_SETTINGS = {
+  network: {
+    allowedDomains: [],
+    deniedDomains: [],
+    allowLocalBinding: false
+  },
+  filesystem: {
+    denyRead: [],
+    allowWrite: [],
+    denyWrite: []
+  }
 };
-function deriveMcpServerStates(config, denyList) {
-  const pluginEntries = config.plugins?.entries ?? {};
-  return Object.keys(pluginEntries).map((name) => {
-    const pluginEnabled = pluginEntries[name].enabled !== false;
-    const toolsDenyBlocked = denyList.includes(`mcp__${name}`);
-    return {
-      name,
-      pluginEnabled,
-      toolsDenyBlocked,
-      effectivelyEnabled: pluginEnabled && !toolsDenyBlocked
-    };
-  });
+var srtInstalledCache = null;
+function getSrtSettingsPath() {
+  const config = readConfig();
+  return config.srt?.settingsPath ?? SRT_SETTINGS_PATH;
 }
-function deriveAccessState() {
-  const config = readOpenClawConfig();
-  if (!config) {
-    return {
-      toggles: [
-        { category: "filesystem", enabled: true },
-        { category: "mcp_servers", enabled: true },
-        { category: "network", enabled: true },
-        { category: "system_commands", enabled: true }
-      ],
-      mcpServers: [],
-      openclawConfigAvailable: false
-    };
+function isSrtInstalled() {
+  if (srtInstalledCache?.installed) return srtInstalledCache;
+  try {
+    const output = execSync("srt --version", { timeout: 3e3, encoding: "utf-8" }).trim();
+    const version = output.replace(/^srt\s*/i, "").trim() || output;
+    srtInstalledCache = { installed: true, version };
+    return srtInstalledCache;
+  } catch {
+    return { installed: false, version: null };
   }
-  const denyList = config.tools?.deny ?? [];
-  const filesystemEnabled = !denyList.includes("group:fs");
-  const systemCommandsEnabled = !denyList.includes("group:runtime");
-  const networkEnabled = !denyList.includes("group:web") && config.browser?.enabled !== false;
-  const pluginEntries = config.plugins?.entries ?? {};
-  const pluginNames = Object.keys(pluginEntries);
-  const mcpEnabled = pluginNames.length === 0 || pluginNames.some((name) => pluginEntries[name].enabled !== false);
-  const toggles = [
-    { category: "filesystem", enabled: filesystemEnabled },
-    { category: "mcp_servers", enabled: mcpEnabled },
-    { category: "network", enabled: networkEnabled },
-    { category: "system_commands", enabled: systemCommandsEnabled }
-  ];
-  const mcpServers = deriveMcpServerStates(config, denyList);
-  return { toggles, mcpServers, openclawConfigAvailable: true };
 }
-async function applyAccessToggle(category, enabled) {
-  const config = readOpenClawConfig();
-  if (!config) {
-    throw new Error("OpenClaw config not found");
-  }
-  if (category === "mcp_servers") {
-    await applyMcpToggle(config, enabled);
-  } else if (category === "network") {
-    applyNetworkToggle(config, enabled);
-  } else {
-    applyToolGroupToggle(config, category, enabled);
+function readSrtSettings() {
+  const settingsPath = getSrtSettingsPath();
+  if (!fs8.existsSync(settingsPath)) return null;
+  try {
+    const raw = JSON.parse(fs8.readFileSync(settingsPath, "utf-8"));
+    return srtSettingsSchema.parse(raw);
+  } catch {
+    return null;
   }
-  await updateAuditDb(category, enabled);
-  return deriveAccessState();
 }
-async function applyMcpServerToggle(serverName, enabled) {
-  const config = readOpenClawConfig();
-  if (!config) {
-    throw new Error("OpenClaw config not found");
-  }
-  const denyPattern = `mcp__${serverName}`;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== denyPattern);
-    writeOpenClawConfig({ tools: { deny: filtered } });
-  } else {
-    if (!currentDeny.includes(denyPattern)) {
-      currentDeny.push(denyPattern);
-    }
-    writeOpenClawConfig({ tools: { deny: currentDeny } });
-  }
-  await updateAuditDb(`mcp_server:${serverName}`, enabled);
-  return deriveAccessState();
+function writeSrtSettings(settings) {
+  const settingsPath = getSrtSettingsPath();
+  fs8.writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
 }
-function applyToolGroupToggle(config, category, enabled) {
-  const groupName = TOOL_GROUP_MAP[category];
-  if (!groupName) return;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== groupName);
-    writeOpenClawConfig({ tools: { deny: filtered } });
-  } else {
-    if (!currentDeny.includes(groupName)) {
-      currentDeny.push(groupName);
-    }
-    writeOpenClawConfig({ tools: { deny: currentDeny } });
-  }
+function ensureSrtSettings() {
+  const existing = readSrtSettings();
+  if (existing) return existing;
+  writeSrtSettings(DEFAULT_SRT_SETTINGS);
+  return DEFAULT_SRT_SETTINGS;
 }
-function applyNetworkToggle(config, enabled) {
-  const currentDeny = [...config.tools?.deny ?? []];
-  const groupName = "group:web";
+function getSrtStatus() {
+  const { installed, version } = isSrtInstalled();
+  const config = readConfig();
+  const enabled = config.srt?.enabled ?? false;
+  const settingsPath = getSrtSettingsPath();
+  const settings = readSrtSettings();
+  return { installed, version, enabled, settingsPath, settings };
+}
+function toggleSrt(enabled) {
+  const config = readConfig();
+  writeConfig({
+    ...config,
+    srt: { ...config.srt, enabled }
+  });
   if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== groupName);
-    writeOpenClawConfig({
-      tools: { deny: filtered },
-      browser: { enabled: true }
-    });
-  } else {
-    if (!currentDeny.includes(groupName)) {
-      currentDeny.push(groupName);
-    }
-    writeOpenClawConfig({
-      tools: { deny: currentDeny },
-      browser: { enabled: false }
-    });
+    ensureSrtSettings();
   }
+  return getSrtStatus();
 }
-async function applyMcpToggle(config, enabled) {
-  const pluginEntries = config.plugins?.entries ?? {};
-  const pluginNames = Object.keys(pluginEntries);
-  if (pluginNames.length === 0) return;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (!enabled) {
-    const stateMap = {};
-    for (const name of pluginNames) {
-      stateMap[name] = pluginEntries[name].enabled !== false;
-    }
-    await savePreviousPluginState(stateMap);
-    const disabledEntries = {};
-    for (const name of pluginNames) {
-      disabledEntries[name] = { enabled: false };
-    }
-    for (const name of pluginNames) {
-      const denyPattern = `mcp__${name}`;
-      if (!currentDeny.includes(denyPattern)) {
-        currentDeny.push(denyPattern);
-      }
-    }
-    writeOpenClawConfig({
-      plugins: { entries: disabledEntries },
-      tools: { deny: currentDeny }
-    });
-  } else {
-    const previousState = await loadPreviousPluginState();
-    const restoredEntries = {};
-    for (const name of pluginNames) {
-      restoredEntries[name] = {
-        enabled: previousState?.[name] ?? true
-      };
-    }
-    const mcpDenyPatterns = new Set(pluginNames.map((n) => `mcp__${n}`));
-    const filteredDeny = currentDeny.filter(
-      (entry) => !mcpDenyPatterns.has(entry)
-    );
-    writeOpenClawConfig({
-      plugins: { entries: restoredEntries },
-      tools: { deny: filteredDeny }
-    });
+function addAllowedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  if (!normalized) return settings;
+  settings.network.deniedDomains = settings.network.deniedDomains.filter(
+    (d) => d !== normalized
+  );
+  if (!settings.network.allowedDomains.includes(normalized)) {
+    settings.network.allowedDomains.push(normalized);
   }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function savePreviousPluginState(stateMap) {
-  const db = getDb();
-  const existing = await db.select().from(schema_exports.accessConfig).where(
-    and2(
-      eq3(schema_exports.accessConfig.category, "mcp_servers"),
-      eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-    )
+function removeAllowedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  settings.network.allowedDomains = settings.network.allowedDomains.filter(
+    (d) => d !== normalized
   );
-  if (existing.length > 0) {
-    await db.update(schema_exports.accessConfig).set({
-      value: JSON.stringify(stateMap),
-      updatedAt: sql4`datetime('now')`
-    }).where(
-      and2(
-        eq3(schema_exports.accessConfig.category, "mcp_servers"),
-        eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-      )
-    );
-  } else {
-    await db.insert(schema_exports.accessConfig).values({
-      category: "mcp_servers",
-      key: "previous_plugin_state",
-      value: JSON.stringify(stateMap)
-    });
-  }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function loadPreviousPluginState() {
-  const db = getDb();
-  const rows = await db.select().from(schema_exports.accessConfig).where(
-    and2(
-      eq3(schema_exports.accessConfig.category, "mcp_servers"),
-      eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-    )
+function addDeniedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  if (!normalized) return settings;
+  settings.network.allowedDomains = settings.network.allowedDomains.filter(
+    (d) => d !== normalized
   );
-  if (rows.length === 0) return null;
-  try {
-    return JSON.parse(rows[0].value);
-  } catch {
-    return null;
+  if (!settings.network.deniedDomains.includes(normalized)) {
+    settings.network.deniedDomains.push(normalized);
   }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function updateAuditDb(category, enabled) {
-  const db = getDb();
-  try {
-    await db.update(schema_exports.accessConfig).set({
-      value: enabled ? "true" : "false",
-      updatedAt: sql4`datetime('now')`
-    }).where(
-      and2(
-        eq3(schema_exports.accessConfig.category, category),
-        eq3(schema_exports.accessConfig.key, "enabled")
-      )
-    );
-  } catch (err) {
-    logger.warn({ err, category, enabled }, "Failed to update audit DB");
+function removeDeniedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  settings.network.deniedDomains = settings.network.deniedDomains.filter(
+    (d) => d !== normalized
+  );
+  writeSrtSettings(settings);
+  return settings;
+}
+function updateSrtSettings(updates) {
+  const settings = ensureSrtSettings();
+  if (updates.network) {
+    settings.network = { ...settings.network, ...updates.network };
   }
+  if (updates.filesystem) {
+    settings.filesystem = { ...settings.filesystem, ...updates.filesystem };
+  }
+  writeSrtSettings(settings);
+  return settings;
 }
 
 // src/server/socket.ts
@@ -3234,6 +3569,38 @@ function setupSocketIO(httpServer) {
         logger.error({ err, pattern }, "Failed to remove restricted pattern");
       }
     });
+    socket.on("safeclaw:getSrtStatus", () => {
+      socket.emit("safeclaw:srtStatus", getSrtStatus());
+    });
+    socket.on("safeclaw:toggleSrt", ({ enabled }) => {
+      const status = toggleSrt(enabled);
+      logger.info(`SRT toggled: enabled=${enabled}`);
+      io.emit("safeclaw:srtStatus", status);
+    });
+    socket.on("safeclaw:updateSrtDomains", ({ list, action, domain }) => {
+      try {
+        if (list === "allow") {
+          if (action === "add") addAllowedDomain(domain);
+          else removeAllowedDomain(domain);
+        } else {
+          if (action === "add") addDeniedDomain(domain);
+          else removeDeniedDomain(domain);
+        }
+        logger.info({ list, action, domain }, "SRT domain updated");
+        io.emit("safeclaw:srtStatus", getSrtStatus());
+      } catch (err) {
+        logger.error({ err, list, action, domain }, "Failed to update SRT domain");
+      }
+    });
+    socket.on("safeclaw:updateSrtSettings", (updates) => {
+      try {
+        updateSrtSettings(updates);
+        logger.info({ updates }, "SRT settings updated");
+        io.emit("safeclaw:srtStatus", getSrtStatus());
+      } catch (err) {
+        logger.error({ err }, "Failed to update SRT settings");
+      }
+    });
     socket.on("disconnect", () => {
       logger.info(`Client disconnected: ${socket.id}`);
     });
@@ -3242,7 +3609,1054 @@ function setupSocketIO(httpServer) {
 }
 
 // src/server/routes.ts
-import { desc as desc4, eq as eq5, and as and4, sql as sql6 } from "drizzle-orm";
+import { desc as desc4, eq as eq6, and as and5, sql as sql7 } from "drizzle-orm";
+
+// src/lib/skill-scanner-patterns.ts
+var HIDDEN_CONTENT_PATTERNS = [
+  // HTML comments with instructional content
+  { pattern: /<!--[\s\S]*?(?:instruction|command|execute|ignore|override|system|prompt|inject|do not|must|should|always|never)[\s\S]*?-->/i, label: "HTML comment with instructions", severity: "CRITICAL" },
+  { pattern: /<!--[\s\S]{50,}?-->/s, label: "Large HTML comment (>50 chars)", severity: "HIGH" },
+  // Zero-width Unicode characters
+  { pattern: /[\u200B\u200C\u200D\u200E\u200F]/, label: "Zero-width Unicode character (U+200B-200F)", severity: "CRITICAL" },
+  { pattern: /[\u2060\u2061\u2062\u2063\u2064]/, label: "Invisible Unicode separator (U+2060-2064)", severity: "CRITICAL" },
+  { pattern: /[\uFEFF]/, label: "Zero-width no-break space (BOM)", severity: "HIGH" },
+  // CSS hiding
+  { pattern: /display\s*:\s*none/i, label: "CSS display:none", severity: "HIGH" },
+  { pattern: /opacity\s*:\s*0(?:[;\s]|$)/i, label: "CSS opacity:0", severity: "HIGH" },
+  { pattern: /visibility\s*:\s*hidden/i, label: "CSS visibility:hidden", severity: "HIGH" },
+  // Bidi overrides
+  { pattern: /[\u202A\u202B\u202C\u202D\u202E]/, label: "Bidi override character", severity: "CRITICAL" },
+  { pattern: /[\u2066\u2067\u2068\u2069]/, label: "Bidi isolate character", severity: "CRITICAL" }
+];
+var PROMPT_INJECTION_PATTERNS = [
+  { pattern: /\b(?:ignore|disregard|forget|override)\s+(?:all\s+)?(?:previous|prior|above|your)\s+(?:instructions?|rules?|prompts?|guidelines?|constraints?)/i, label: "Override previous instructions", severity: "CRITICAL" },
+  { pattern: /\b(?:you\s+(?:are|must|should|will)\s+(?:now|henceforth|from\s+now)\s+(?:be|act|behave|respond)\s+(?:as|like))/i, label: "Role reassignment", severity: "CRITICAL" },
+  { pattern: /\bnew\s+instructions?\s*:/i, label: "New instructions directive", severity: "CRITICAL" },
+  { pattern: /\[INST\]|\[\/INST\]|<\|im_start\|>|<\|im_end\|>/i, label: "Special model tokens", severity: "CRITICAL" },
+  { pattern: /\bsystem\s*prompt\s*(?:override|injection|:)/i, label: "System prompt manipulation", severity: "CRITICAL" },
+  { pattern: /\bdo\s+not\s+(?:follow|obey|listen\s+to)\s+(?:the|your|any)\s+(?:original|previous|prior)/i, label: "Instruction disobedience", severity: "CRITICAL" },
+  { pattern: /\b(?:IMPORTANT|CRITICAL|URGENT)\s*:\s*(?:ignore|override|disregard|you must)/i, label: "Urgent override phrasing", severity: "HIGH" },
+  { pattern: /\b(?:pretend|imagine|suppose)\s+(?:you\s+are|that\s+you)/i, label: "Persona manipulation", severity: "MEDIUM" },
+  { pattern: /\bact\s+as\s+(?:a|an|if)\b/i, label: "Act-as directive", severity: "MEDIUM" }
+];
+var SHELL_EXECUTION_PATTERNS = [
+  { pattern: /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh|node|python)/i, label: "Download and execute (curl|bash)", severity: "CRITICAL" },
+  { pattern: /\beval\s*\(/, label: "eval() call", severity: "CRITICAL" },
+  { pattern: /\bexec\s*\(/, label: "exec() call", severity: "HIGH" },
+  { pattern: /\bnpx\s+-y\s+/, label: "npx -y (auto-confirm remote package)", severity: "HIGH" },
+  { pattern: /\/dev\/tcp\//, label: "Reverse shell via /dev/tcp", severity: "CRITICAL" },
+  { pattern: /\bnc\s+.*-e\s+/, label: "Netcat with exec (nc -e)", severity: "CRITICAL" },
+  { pattern: /\bmkfifo\b.*\bnc\b/s, label: "Named pipe + netcat (reverse shell)", severity: "CRITICAL" },
+  { pattern: /python[23]?\s+-c\s+.*(?:socket|subprocess|os\.system)/i, label: "Python one-liner with system access", severity: "CRITICAL" },
+  { pattern: /\bphp\s+-r\s+.*(?:exec|system|passthru|shell_exec)/i, label: "PHP exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bperl\s+-e\s+.*(?:socket|exec|system)/i, label: "Perl exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bruby\s+-e\s+.*(?:exec|system|spawn)/i, label: "Ruby exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bchmod\s+\+x\b/, label: "Make file executable", severity: "MEDIUM" }
+];
+var DATA_EXFILTRATION_PATTERNS = [
+  { pattern: /pastebin\.com/, label: "pastebin.com", severity: "HIGH" },
+  { pattern: /paste\.ee/, label: "paste.ee", severity: "HIGH" },
+  { pattern: /transfer\.sh/, label: "transfer.sh", severity: "HIGH" },
+  { pattern: /ngrok\.io/, label: "ngrok.io", severity: "HIGH" },
+  { pattern: /requestbin/i, label: "requestbin", severity: "HIGH" },
+  { pattern: /webhook\.site/, label: "webhook.site", severity: "HIGH" },
+  { pattern: /pipedream\.net/, label: "pipedream.net", severity: "HIGH" },
+  { pattern: /hookbin\.com/, label: "hookbin.com", severity: "HIGH" },
+  { pattern: /beeceptor\.com/, label: "beeceptor.com", severity: "HIGH" },
+  { pattern: /postb\.in/, label: "postb.in", severity: "HIGH" },
+  { pattern: /https?:\/\/hooks\.slack\.com\/services\//, label: "Slack webhook URL", severity: "HIGH" },
+  { pattern: /https?:\/\/discord(?:app)?\.com\/api\/webhooks\//, label: "Discord webhook URL", severity: "HIGH" },
+  { pattern: /https?:\/\/api\.telegram\.org\/bot/, label: "Telegram bot API URL", severity: "HIGH" },
+  { pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/, label: "Raw IP URL", severity: "HIGH" }
+];
+var MEMORY_POISONING_PATTERNS = [
+  { pattern: /\bSOUL\.md\b/, label: "SOUL.md reference", severity: "CRITICAL" },
+  { pattern: /\bMEMORY\.md\b/, label: "MEMORY.md reference", severity: "CRITICAL" },
+  { pattern: /\.claude\//, label: ".claude/ directory reference", severity: "CRITICAL" },
+  { pattern: /\bCLAUDE\.md\b/, label: "CLAUDE.md reference", severity: "CRITICAL" },
+  { pattern: /\.cursorrules\b/, label: ".cursorrules reference", severity: "CRITICAL" },
+  { pattern: /\.windsurfrules\b/, label: ".windsurfrules reference", severity: "CRITICAL" },
+  { pattern: /\.clinerules\b/, label: ".clinerules reference", severity: "HIGH" },
+  { pattern: /\bCODEX\.md\b/, label: "CODEX.md reference", severity: "HIGH" },
+  { pattern: /(?:write|modify|edit|append|create|overwrite)\s+(?:to\s+)?(?:the\s+)?(?:SOUL|MEMORY|CLAUDE|CODEX)\.md/i, label: "Instruction to modify agent config file", severity: "CRITICAL" },
+  { pattern: /(?:write|modify|edit|append|create|overwrite)\s+(?:to\s+)?(?:the\s+)?\.(?:cursorrules|windsurfrules|clinerules)/i, label: "Instruction to modify IDE rules file", severity: "CRITICAL" }
+];
+var SUPPLY_CHAIN_PATTERNS = [
+  { pattern: /https?:\/\/raw\.githubusercontent\.com\/[^\s]+\.(?:sh|py|js|rb|pl)\b/, label: "Raw GitHub script URL", severity: "HIGH" },
+  { pattern: /https?:\/\/[^\s]+\.(?:sh|py|js|rb|pl)(?:\s|$)/, label: "External script URL", severity: "HIGH" },
+  { pattern: /\bnpm\s+install\s+(?:-g\s+)?[a-zA-Z@]/, label: "npm install command", severity: "HIGH" },
+  { pattern: /\bpip\s+install\s+[a-zA-Z]/, label: "pip install command", severity: "HIGH" },
+  { pattern: /\bgem\s+install\s+/, label: "gem install command", severity: "HIGH" },
+  { pattern: /\bcargo\s+install\s+/, label: "cargo install command", severity: "MEDIUM" },
+  { pattern: /\bgo\s+install\s+/, label: "go install command", severity: "MEDIUM" },
+  { pattern: /\bbrew\s+install\s+/, label: "brew install command", severity: "MEDIUM" }
+];
+var ENCODED_PAYLOAD_PATTERNS = [
+  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/, label: "Base64 string (>40 chars)", severity: "HIGH" },
+  { pattern: /\batob\s*\(/, label: "atob() call (base64 decode)", severity: "HIGH" },
+  { pattern: /\bbtoa\s*\(/, label: "btoa() call (base64 encode)", severity: "MEDIUM" },
+  { pattern: /\bBuffer\.from\s*\([^)]*,\s*['"]base64['"]\)/, label: "Buffer.from base64", severity: "HIGH" },
+  { pattern: /(?:\\x[0-9a-fA-F]{2}){8,}/, label: "Hex escape sequence (8+ bytes)", severity: "HIGH" },
+  { pattern: /String\.fromCharCode\s*\((?:\s*\d+\s*,?\s*){5,}\)/, label: "String.fromCharCode (5+ codes)", severity: "HIGH" },
+  { pattern: /\|\s*base64\s+(?:-d|--decode)/, label: "Piped base64 decode", severity: "CRITICAL" }
+];
+var IMAGE_EXFIL_PATTERNS = [
+  // URL-based exfiltration (original 5)
+  { pattern: /!\[.*?\]\(https?:\/\/[^\s)]*(?:\?|&)(?:data|content|file|token|secret|key|password|env)=[^\s)]*\)/i, label: "Image URL with exfil query params", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\(https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^\s)]*\)/, label: "Image from raw IP address", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\([^)]*\$\{[^}]+\}[^)]*\)/, label: "Variable interpolation in image URL", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\([^)]*\$\([^)]+\)[^)]*\)/, label: "Command substitution in image URL", severity: "CRITICAL" },
+  { pattern: /<img[^>]+src\s*=\s*["'][^"']*\$\{[^}]+\}[^"']*["']/i, label: "Variable interpolation in img src", severity: "CRITICAL" },
+  // Group A: Data URI image payloads
+  { pattern: /!\[.*?\]\(data:image\/[^\s)]+\)/i, label: "Data URI image in markdown", severity: "CRITICAL" },
+  { pattern: /<img[^>]+src\s*=\s*["']data:image\/[^"']+["']/i, label: "Data URI image in HTML img tag", severity: "CRITICAL" },
+  { pattern: /data:image\/[^;]+;base64,[A-Za-z0-9+/]{200,}/, label: "Large base64 data URI (steganographic carrier)", severity: "CRITICAL" },
+  // Group B: SVG embedded scripts & data
+  { pattern: /<svg[\s>][\s\S]*?<script[\s>]/i, label: "SVG with embedded script tag", severity: "CRITICAL" },
+  { pattern: /<svg[\s>][\s\S]*?\bon(?:load|error|click|mouseover)\s*=/i, label: "SVG with event handler", severity: "CRITICAL" },
+  { pattern: /<svg[\s>][\s\S]*?<foreignObject[\s>]/i, label: "SVG with foreignObject (arbitrary HTML embed)", severity: "HIGH" },
+  { pattern: /data:image\/svg\+xml[^"'\s)]+/i, label: "SVG data URI (inline payload + script risk)", severity: "CRITICAL" },
+  // Group C: Web beacons / tracking pixels
+  { pattern: /<img[^>]+(?:width\s*=\s*["']?1["']?[^>]+height\s*=\s*["']?1["']?|height\s*=\s*["']?1["']?[^>]+width\s*=\s*["']?1["']?)/i, label: "1x1 tracking pixel (web beacon)", severity: "HIGH" },
+  { pattern: /<img[^>]+style\s*=\s*["'][^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0|width\s*:\s*0|height\s*:\s*0)/i, label: "CSS-hidden image beacon", severity: "HIGH" },
+  // Group D: Steganography tool references
+  { pattern: /\b(?:steghide|stegano|openstego|zsteg|stegsolve|stegdetect|steganograph(?:y|ic)?|outguess|pixelknot|deepsteg|stegpy)\b/i, label: "Steganography tool/library reference", severity: "HIGH" },
+  // Group E: Canvas pixel manipulation
+  { pattern: /\b(?:getImageData|putImageData|createImageData|toDataURL|drawImage)\s*\(/i, label: "Canvas API pixel manipulation", severity: "HIGH" },
+  // Group F: Double extension disguise
+  { pattern: /\.(?:png|jpe?g|gif|bmp|webp|svg|ico|tiff?)\.(?:exe|sh|bat|cmd|ps1|py|rb|pl|js|vbs|com|scr|msi)\b/i, label: "Double file extension (executable disguised as image)", severity: "CRITICAL" },
+  // Group G: Obfuscated image URLs
+  { pattern: /!\[.*?\]\([^)]*(?:%[0-9a-fA-F]{2}){5,}[^)]*\)/, label: "Excessive URL encoding in image URL", severity: "MEDIUM" }
+];
+var SYSTEM_PROMPT_EXTRACTION_PATTERNS = [
+  { pattern: /\b(?:reveal|show|print|output|display|repeat|echo)\s+(?:your\s+)?(?:system\s+)?(?:prompt|instructions|rules|guidelines)/i, label: "System prompt reveal request", severity: "HIGH" },
+  { pattern: /\brepeat\s+(?:the\s+)?(?:words?|text|everything)\s+above\b/i, label: "Repeat words above", severity: "HIGH" },
+  { pattern: /\bprint\s+everything\s+above\b/i, label: "Print everything above", severity: "HIGH" },
+  { pattern: /\bwhat\s+(?:are|were)\s+your\s+(?:original\s+)?(?:instructions|directives|rules)\b/i, label: "Ask for original instructions", severity: "MEDIUM" },
+  { pattern: /\btell\s+me\s+your\s+(?:system\s+)?prompt\b/i, label: "Ask for system prompt", severity: "HIGH" }
+];
+var ARGUMENT_INJECTION_PATTERNS = [
+  { pattern: /\$\([^)]+\)/, label: "Command substitution $()", severity: "CRITICAL" },
+  { pattern: /\$\{[^}]+\}/, label: "Variable expansion ${}", severity: "HIGH" },
+  { pattern: /`[^`]+`/, label: "Backtick command substitution", severity: "HIGH" },
+  { pattern: /;\s*(?:rm|cat|curl|wget|nc|python|perl|ruby|sh|bash)\b/, label: "Shell metachar chained command", severity: "CRITICAL" },
+  { pattern: /\|\s*(?:sh|bash|zsh|python|perl|ruby|node)\b/, label: "Pipe to interpreter", severity: "CRITICAL" },
+  { pattern: /&&\s*(?:rm|curl|wget|nc|python|perl|ruby)\b/, label: "AND-chained dangerous command", severity: "HIGH" },
+  // GTFOBINS exploitation flags
+  { pattern: /\b(?:tar|zip|find|vim|less|more|man|nmap)\b.*--(?:exec|checkpoint-action|to-command)/i, label: "GTFOBINS exploitation flags", severity: "CRITICAL" }
+];
+var CROSS_TOOL_PATTERNS = [
+  { pattern: /(?:read|cat|view)\s+(?:the\s+)?(?:file|content)[\s\S]{0,100}(?:send|post|upload|transmit|exfiltrate)/is, label: "Read-then-exfiltrate pattern", severity: "HIGH" },
+  { pattern: /(?:first|step\s*1)[\s\S]{0,200}(?:then|step\s*2|next|after\s+that)[\s\S]{0,200}(?:then|step\s*3|finally)/is, label: "Multi-step tool invocation", severity: "HIGH" },
+  { pattern: /\b(?:use_mcp_tool|call_tool|execute_tool|run_tool|invoke_tool)\b/i, label: "Direct tool reference", severity: "MEDIUM" },
+  { pattern: /\b(?:read_file|write_file|execute_command|list_directory|search_files)\s*\(/i, label: "Tool function call syntax", severity: "MEDIUM" }
+];
+var EXCESSIVE_PERMISSION_PATTERNS = [
+  { pattern: /\bunrestricted\s+access\b/i, label: "Unrestricted access request", severity: "HIGH" },
+  { pattern: /\bbypass\s+(?:security|restrictions?|permissions?|safeguards?|protections?|filters?)\b/i, label: "Security bypass request", severity: "HIGH" },
+  { pattern: /\bno\s+restrictions?\b/i, label: "No restrictions request", severity: "HIGH" },
+  { pattern: /\b(?:root|admin(?:istrator)?|superuser)\s+(?:access|privileges?|permissions?)\b/i, label: "Root/admin access request", severity: "HIGH" },
+  { pattern: /\bdisable\s+(?:all\s+)?(?:safety|security|restrictions?|protections?|checks?|filters?)\b/i, label: "Disable safety request", severity: "HIGH" },
+  { pattern: /\bfull\s+(?:system\s+)?(?:access|control|permissions?)\b/i, label: "Full access request", severity: "MEDIUM" }
+];
+
+// src/lib/skill-scanner.ts
+var SEVERITY_ORDER2 = {
+  NONE: 0,
+  LOW: 1,
+  MEDIUM: 2,
+  HIGH: 3,
+  CRITICAL: 4
+};
+function getLineNumber(content, index) {
+  let line = 1;
+  for (let i = 0; i < index && i < content.length; i++) {
+    if (content[i] === "\n") line++;
+  }
+  return line;
+}
+function maxSeverity(a, b) {
+  return SEVERITY_ORDER2[a] >= SEVERITY_ORDER2[b] ? a : b;
+}
+function runPatternScan(content, patterns, categoryId, categoryName, owaspRef, remediation) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { pattern, label, severity } of patterns) {
+    const globalPattern = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
+    let match;
+    while ((match = globalPattern.exec(content)) !== null) {
+      const key = `${categoryId}:${label}:${match.index}`;
+      if (seen.has(key)) break;
+      seen.add(key);
+      const evidence = match[0].length > 120 ? match[0].slice(0, 120) + "..." : match[0];
+      findings.push({
+        categoryId,
+        categoryName,
+        severity,
+        reason: label,
+        evidence,
+        owaspRef,
+        remediation,
+        lineNumber: getLineNumber(content, match.index)
+      });
+      break;
+    }
+  }
+  return findings;
+}
+function scanHiddenContent(content) {
+  return runPatternScan(
+    content,
+    HIDDEN_CONTENT_PATTERNS,
+    "SK-HID",
+    "Hidden Content",
+    "LLM01",
+    "Remove all hidden content. HTML comments, zero-width characters, and CSS hiding can conceal malicious instructions from human reviewers."
+  );
+}
+function scanPromptInjection(content) {
+  return runPatternScan(
+    content,
+    PROMPT_INJECTION_PATTERNS,
+    "SK-INJ",
+    "Prompt Injection",
+    "LLM01",
+    "Remove prompt injection vectors. These phrases attempt to override the agent's instructions and redirect its behavior."
+  );
+}
+function scanShellExecution(content) {
+  return runPatternScan(
+    content,
+    SHELL_EXECUTION_PATTERNS,
+    "SK-EXE",
+    "Shell Execution",
+    "LLM06",
+    "Remove dangerous shell commands. Skill definitions should not contain executable code, reverse shells, or remote code execution patterns."
+  );
+}
+function scanDataExfiltration(content) {
+  const findings = runPatternScan(
+    content,
+    DATA_EXFILTRATION_PATTERNS,
+    "SK-EXF",
+    "Data Exfiltration",
+    "LLM02",
+    "Remove or replace exfiltration URLs. These destinations are commonly used to steal data from compromised systems."
+  );
+  for (const { pattern, label } of EXFILTRATION_URLS) {
+    const globalPattern = new RegExp(pattern.source, "gi");
+    const match = globalPattern.exec(content);
+    if (match) {
+      const alreadyFound = findings.some((f) => f.evidence?.includes(match[0]));
+      if (!alreadyFound) {
+        findings.push({
+          categoryId: "SK-EXF",
+          categoryName: "Data Exfiltration",
+          severity: "HIGH",
+          reason: `Exfiltration URL: ${label}`,
+          evidence: match[0],
+          owaspRef: "LLM02",
+          remediation: "Remove or replace exfiltration URLs.",
+          lineNumber: getLineNumber(content, match.index)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanEmbeddedSecrets(content) {
+  const { types } = scanForSecrets(content);
+  if (types.length === 0) return [];
+  const findings = [];
+  for (const secretType of types) {
+    findings.push({
+      categoryId: "SK-SEC",
+      categoryName: "Embedded Secrets",
+      severity: "CRITICAL",
+      reason: `Embedded credential: ${secretType}`,
+      owaspRef: "LLM02",
+      remediation: "Remove all hardcoded credentials. Use environment variables or a secrets manager instead."
+    });
+  }
+  return findings;
+}
+function scanSensitiveFileRefs(content) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { pattern, label, readSeverity } of SENSITIVE_PATH_RULES) {
+    const globalPattern = new RegExp(pattern.source, "g");
+    const match = globalPattern.exec(content);
+    if (match && !seen.has(label)) {
+      seen.add(label);
+      findings.push({
+        categoryId: "SK-SFA",
+        categoryName: "Sensitive File References",
+        severity: readSeverity,
+        reason: `Reference to sensitive path: ${label}`,
+        evidence: match[0],
+        owaspRef: "LLM02",
+        remediation: "Remove references to sensitive files and directories. Skills should not instruct agents to access credentials, keys, or system auth files.",
+        lineNumber: getLineNumber(content, match.index)
+      });
+    }
+  }
+  return findings;
+}
+function scanMemoryPoisoning(content) {
+  return runPatternScan(
+    content,
+    MEMORY_POISONING_PATTERNS,
+    "SK-MEM",
+    "Memory/Config Poisoning",
+    "LLM05",
+    "Remove instructions that modify agent memory or configuration files. This is a persistence technique that can compromise future sessions."
+  );
+}
+function scanSupplyChainRisk(content) {
+  return runPatternScan(
+    content,
+    SUPPLY_CHAIN_PATTERNS,
+    "SK-SUP",
+    "Supply Chain Risk",
+    "LLM03",
+    "Verify all external dependencies and script URLs. Prefer pinned versions and checksums over arbitrary remote scripts."
+  );
+}
+function scanEncodedPayloads(content) {
+  return runPatternScan(
+    content,
+    ENCODED_PAYLOAD_PATTERNS,
+    "SK-B64",
+    "Encoded Payloads",
+    "LLM01",
+    "Decode and inspect encoded content. Base64 and hex encoding is commonly used to evade pattern detection in malicious skills."
+  );
+}
+function scanImageExfiltration(content) {
+  return runPatternScan(
+    content,
+    IMAGE_EXFIL_PATTERNS,
+    "SK-IMG",
+    "Image Exfiltration",
+    "LLM02",
+    "Remove image tags with dynamic, suspicious, or embedded content. Images can exfiltrate data via query parameters, inline data URIs, SVG scripts, tracking pixels, or steganographic encoding. Avoid data: URIs, SVG images with scripts, and references to steganography tools."
+  );
+}
+function scanSystemPromptExtraction(content) {
+  return runPatternScan(
+    content,
+    SYSTEM_PROMPT_EXTRACTION_PATTERNS,
+    "SK-SYS",
+    "System Prompt Extraction",
+    "LLM01",
+    "Remove instructions that attempt to extract system prompts. This information can be used to craft more effective attacks."
+  );
+}
+function scanArgumentInjection(content) {
+  return runPatternScan(
+    content,
+    ARGUMENT_INJECTION_PATTERNS,
+    "SK-ARG",
+    "Argument Injection",
+    "LLM01",
+    "Remove shell metacharacters and command substitution patterns. These can be used to inject arbitrary commands via tool arguments."
+  );
+}
+function scanCrossToolChaining(content) {
+  return runPatternScan(
+    content,
+    CROSS_TOOL_PATTERNS,
+    "SK-XTL",
+    "Cross-Tool Chaining",
+    "LLM05",
+    "Review multi-step tool invocation instructions carefully. Attackers chain legitimate tools to achieve malicious outcomes."
+  );
+}
+function scanExcessivePermissions(content) {
+  return runPatternScan(
+    content,
+    EXCESSIVE_PERMISSION_PATTERNS,
+    "SK-PRM",
+    "Excessive Permissions",
+    "LLM01",
+    "Remove requests for unrestricted access or security bypasses. Skills should operate with minimal required permissions."
+  );
+}
+function scanSuspiciousStructure(content) {
+  const findings = [];
+  if (content.length > 1e4) {
+    findings.push({
+      categoryId: "SK-STR",
+      categoryName: "Suspicious Structure",
+      severity: "MEDIUM",
+      reason: `Unusually large skill definition (${content.length.toLocaleString()} characters)`,
+      remediation: "Large skill definitions have more surface area for hidden threats. Consider splitting into smaller, focused skills."
+    });
+  }
+  const lines = content.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length > 10) {
+    const imperativePattern = /^\s*(?:you\s+(?:must|should|will|need\s+to)|always|never|do\s+not|ensure|make\s+sure|immediately|execute|run|create|write|read|send|post|upload|download|install|delete|remove|modify|change|update)/i;
+    const imperativeCount = lines.filter((l) => imperativePattern.test(l)).length;
+    const ratio = imperativeCount / lines.length;
+    if (ratio > 0.3) {
+      findings.push({
+        categoryId: "SK-STR",
+        categoryName: "Suspicious Structure",
+        severity: "MEDIUM",
+        reason: `High imperative instruction density (${Math.round(ratio * 100)}% of lines are directives)`,
+        remediation: "Skills with a high density of imperative instructions may be attempting to control agent behavior beyond their stated purpose."
+      });
+    }
+  }
+  return findings;
+}
+function scanSkillDefinition(content) {
+  const startTime = performance.now();
+  const allFindings = [
+    ...scanHiddenContent(content),
+    ...scanPromptInjection(content),
+    ...scanShellExecution(content),
+    ...scanDataExfiltration(content),
+    ...scanEmbeddedSecrets(content),
+    ...scanSensitiveFileRefs(content),
+    ...scanMemoryPoisoning(content),
+    ...scanSupplyChainRisk(content),
+    ...scanEncodedPayloads(content),
+    ...scanImageExfiltration(content),
+    ...scanSystemPromptExtraction(content),
+    ...scanArgumentInjection(content),
+    ...scanCrossToolChaining(content),
+    ...scanExcessivePermissions(content),
+    ...scanSuspiciousStructure(content)
+  ];
+  const scanDurationMs = Math.round(performance.now() - startTime);
+  const summary = { critical: 0, high: 0, medium: 0, low: 0 };
+  let overallSeverity = "NONE";
+  for (const f of allFindings) {
+    if (f.severity === "CRITICAL") summary.critical++;
+    else if (f.severity === "HIGH") summary.high++;
+    else if (f.severity === "MEDIUM") summary.medium++;
+    else if (f.severity === "LOW") summary.low++;
+    overallSeverity = maxSeverity(overallSeverity, f.severity);
+  }
+  allFindings.sort((a, b) => SEVERITY_ORDER2[b.severity] - SEVERITY_ORDER2[a.severity]);
+  return {
+    overallSeverity,
+    findings: allFindings,
+    summary,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    contentLength: content.length,
+    scanDurationMs
+  };
+}
+function collectRanges(content, pattern) {
+  const ranges = [];
+  const flags = pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g";
+  const re = new RegExp(pattern.source, flags);
+  let m;
+  while ((m = re.exec(content)) !== null) {
+    ranges.push({ start: m.index, end: m.index + m[0].length });
+    if (m[0].length === 0) break;
+  }
+  return ranges;
+}
+function cleanSkillDefinition(content) {
+  const ranges = [];
+  const allScanPatterns = [
+    ...HIDDEN_CONTENT_PATTERNS,
+    ...PROMPT_INJECTION_PATTERNS,
+    ...SHELL_EXECUTION_PATTERNS,
+    ...DATA_EXFILTRATION_PATTERNS,
+    ...MEMORY_POISONING_PATTERNS,
+    ...SUPPLY_CHAIN_PATTERNS,
+    ...ENCODED_PAYLOAD_PATTERNS,
+    ...IMAGE_EXFIL_PATTERNS,
+    ...SYSTEM_PROMPT_EXTRACTION_PATTERNS,
+    ...ARGUMENT_INJECTION_PATTERNS,
+    ...CROSS_TOOL_PATTERNS,
+    ...EXCESSIVE_PERMISSION_PATTERNS
+  ];
+  for (const { pattern } of allScanPatterns) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of EXFILTRATION_URLS) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of SENSITIVE_PATH_RULES) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of SECRET_PATTERNS) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  if (ranges.length === 0) return { cleanedContent: content, removedCount: 0 };
+  ranges.sort((a, b) => a.start - b.start);
+  const merged = [{ ...ranges[0] }];
+  for (let i = 1; i < ranges.length; i++) {
+    const last = merged[merged.length - 1];
+    if (ranges[i].start <= last.end) {
+      last.end = Math.max(last.end, ranges[i].end);
+    } else {
+      merged.push({ ...ranges[i] });
+    }
+  }
+  let cleaned = content;
+  for (let i = merged.length - 1; i >= 0; i--) {
+    cleaned = cleaned.slice(0, merged[i].start) + cleaned.slice(merged[i].end);
+  }
+  cleaned = cleaned.replace(/\n{3,}/g, "\n\n").trim() + "\n";
+  return { cleanedContent: cleaned, removedCount: ranges.length };
+}
+
+// src/services/security-posture.ts
+import fs9 from "fs";
+import { eq as eq5, ne as ne2, and as and4, sql as sql6 } from "drizzle-orm";
+function buildLayer(id, name, checks) {
+  const passedCount = checks.filter((c) => c.passed).length;
+  const totalCount = checks.length;
+  let status;
+  if (passedCount === totalCount) {
+    status = "configured";
+  } else if (passedCount === 0) {
+    status = "unconfigured";
+  } else {
+    status = "partial";
+  }
+  return { id, name, status, checks, passedCount, totalCount };
+}
+function checkSandboxLayer() {
+  const config = readOpenClawConfig();
+  const sandbox = config?.agents?.defaults?.sandbox;
+  const mode = sandbox?.mode;
+  const workspaceAccess = sandbox?.workspaceAccess;
+  const dockerNetwork = sandbox?.docker?.network;
+  const checks = [
+    {
+      id: "sandbox-mode",
+      label: "Sandbox mode enabled",
+      passed: mode === "all" || mode === "non-main",
+      detail: mode ? `Sandbox mode is "${mode}"` : "Sandbox mode is not configured",
+      severity: "critical"
+    },
+    {
+      id: "sandbox-workspace",
+      label: "Workspace access restricted",
+      passed: workspaceAccess === "ro" || workspaceAccess === "none",
+      detail: workspaceAccess ? `Workspace access is "${workspaceAccess}"` : "Workspace access not configured (defaults to rw)",
+      severity: "warning"
+    },
+    {
+      id: "sandbox-network",
+      label: "Docker network isolated",
+      passed: dockerNetwork != null && dockerNetwork !== "host",
+      detail: dockerNetwork ? `Docker network set to "${dockerNetwork}"` : "Docker network not configured",
+      severity: "info"
+    }
+  ];
+  return buildLayer("sandbox", "Sandbox Isolation", checks);
+}
+function checkFilesystemLayer() {
+  const accessState = deriveAccessState();
+  const fsToggle = accessState.toggles.find((t) => t.category === "filesystem");
+  const config = readOpenClawConfig();
+  const workspace = config?.agents?.defaults?.workspace;
+  const workspaceAccess = config?.agents?.defaults?.sandbox?.workspaceAccess;
+  const checks = [
+    {
+      id: "fs-toggle",
+      label: "Filesystem access controlled",
+      passed: fsToggle != null && !fsToggle.enabled,
+      detail: fsToggle?.enabled === false ? "Filesystem tool group is disabled" : "Filesystem tool group is enabled (agent has file access)",
+      severity: "warning"
+    },
+    {
+      id: "fs-workspace",
+      label: "Workspace path configured",
+      passed: workspace != null && workspace.length > 0,
+      detail: workspace ? `Workspace: ${workspace}` : "No explicit workspace path configured",
+      severity: "info"
+    },
+    {
+      id: "fs-workspace-restriction",
+      label: "Workspace access restricted",
+      passed: workspaceAccess === "ro" || workspaceAccess === "none",
+      detail: workspaceAccess ? `Workspace access level: "${workspaceAccess}"` : "Workspace access not restricted (defaults to rw)",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("filesystem", "Filesystem Access", checks);
+}
+function checkNetworkLayer() {
+  const accessState = deriveAccessState();
+  const netToggle = accessState.toggles.find((t) => t.category === "network");
+  const config = readOpenClawConfig();
+  const browserEnabled = config?.browser?.enabled;
+  const sandbox = config?.agents?.defaults?.sandbox;
+  const dockerNetwork = sandbox?.docker?.network;
+  const sandboxMode = sandbox?.mode;
+  const checks = [
+    {
+      id: "net-toggle",
+      label: "Network access controlled",
+      passed: netToggle != null && !netToggle.enabled,
+      detail: netToggle?.enabled === false ? "Network tool group is disabled" : "Network tool group is enabled",
+      severity: "warning"
+    },
+    {
+      id: "net-browser",
+      label: "Browser disabled",
+      passed: browserEnabled === false,
+      detail: browserEnabled === false ? "Browser is disabled" : "Browser is enabled (agent can browse web)",
+      severity: "info"
+    },
+    {
+      id: "net-docker-isolation",
+      label: "Network isolated in sandbox",
+      passed: (sandboxMode === "all" || sandboxMode === "non-main") && dockerNetwork != null && dockerNetwork !== "host",
+      detail: sandboxMode === "all" || sandboxMode === "non-main" ? dockerNetwork && dockerNetwork !== "host" ? `Sandboxed with isolated network "${dockerNetwork}"` : "Sandboxed but no network isolation configured" : "Not sandboxed \u2014 no network isolation",
+      severity: "critical"
+    }
+  ];
+  return buildLayer("network", "Network & Egress Control", checks);
+}
+async function checkCommandExecLayer() {
+  const accessState = deriveAccessState();
+  const sysToggle = accessState.toggles.find(
+    (t) => t.category === "system_commands"
+  );
+  const config = readOpenClawConfig();
+  const execSecurity = config?.tools?.exec?.security;
+  const db = getDb();
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternCount = patternRows.length;
+  const patternTexts = patternRows.map((r) => r.pattern.toLowerCase());
+  const criticalPatterns = ["sudo", "rm -rf", "chmod", "curl"];
+  const hasCritical = criticalPatterns.some(
+    (cp) => patternTexts.some((pt) => pt.includes(cp))
+  );
+  const checks = [
+    {
+      id: "exec-toggle",
+      label: "System commands controlled",
+      passed: sysToggle != null && !sysToggle.enabled,
+      detail: sysToggle?.enabled === false ? "System commands tool group is disabled" : "System commands tool group is enabled",
+      severity: "warning"
+    },
+    {
+      id: "exec-security-mode",
+      label: "Exec security mode restrictive",
+      passed: execSecurity === "deny" || execSecurity === "allowlist",
+      detail: execSecurity ? `Exec security mode: "${execSecurity}"` : "Exec security mode not configured",
+      severity: "critical"
+    },
+    {
+      id: "exec-patterns",
+      label: "Restricted patterns configured",
+      passed: patternCount > 0,
+      detail: patternCount > 0 ? `${patternCount} restricted pattern(s) in blocklist` : "No restricted patterns \u2014 all commands pass through",
+      severity: "warning"
+    },
+    {
+      id: "exec-critical-patterns",
+      label: "Critical command patterns blocked",
+      passed: hasCritical,
+      detail: hasCritical ? "Critical patterns (sudo, rm -rf, chmod, curl|bash) present" : "No critical patterns found \u2014 consider adding sudo, rm -rf, chmod",
+      severity: "critical"
+    }
+  ];
+  return buildLayer("exec", "Command Execution Controls", checks);
+}
+function checkMcpLayer() {
+  const accessState = deriveAccessState();
+  const mcpToggle = accessState.toggles.find(
+    (t) => t.category === "mcp_servers"
+  );
+  const servers = accessState.mcpServers;
+  const config = readOpenClawConfig();
+  const denyList = config?.tools?.deny ?? [];
+  const mcpDenyEntries = denyList.filter((d) => d.startsWith("mcp__"));
+  const totalServers = servers.length;
+  const enabledServers = servers.filter((s) => s.effectivelyEnabled).length;
+  const disabledServers = totalServers - enabledServers;
+  const checks = [
+    {
+      id: "mcp-toggle",
+      label: "MCP servers controlled",
+      passed: mcpToggle != null && accessState.openclawConfigAvailable,
+      detail: !accessState.openclawConfigAvailable ? "OpenClaw config unavailable" : mcpToggle?.enabled ? "MCP servers toggle is enabled" : "MCP servers toggle is disabled (all servers blocked)",
+      severity: "info"
+    },
+    {
+      id: "mcp-server-review",
+      label: "Servers individually reviewed",
+      passed: totalServers === 0 || disabledServers > 0 || mcpDenyEntries.length > 0,
+      detail: totalServers === 0 ? "No MCP servers configured" : disabledServers > 0 ? `${disabledServers}/${totalServers} server(s) disabled` : "All servers enabled \u2014 consider reviewing each server",
+      severity: "warning"
+    },
+    {
+      id: "mcp-tools-deny",
+      label: "MCP tools in deny list",
+      passed: mcpDenyEntries.length > 0,
+      detail: mcpDenyEntries.length > 0 ? `${mcpDenyEntries.length} MCP tool deny entr(ies) configured` : "No MCP-specific deny entries",
+      severity: "info"
+    }
+  ];
+  return buildLayer("mcp", "MCP Server Security", checks);
+}
+async function checkSecretLayer() {
+  const db = getDb();
+  const secretActivities = await db.select().from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SEC%'`
+    )
+  );
+  const sfaActivities = await db.select().from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SFA%'`
+    )
+  );
+  const checks = [
+    {
+      id: "secret-scanner",
+      label: "Secret scanner active",
+      passed: true,
+      detail: "Built-in secret scanner is always active",
+      severity: "info"
+    },
+    {
+      id: "secret-exposure",
+      label: "No unresolved secret exposures",
+      passed: secretActivities.length === 0,
+      detail: secretActivities.length === 0 ? "No unresolved secret exposure threats" : `${secretActivities.length} unresolved secret exposure threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "secret-file-access",
+      label: "No unresolved sensitive file access",
+      passed: sfaActivities.length === 0,
+      detail: sfaActivities.length === 0 ? "No unresolved sensitive file access threats" : `${sfaActivities.length} unresolved sensitive file access threat(s)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("secrets", "Secret & Credential Protection", checks);
+}
+async function checkThreatMonitoringLayer() {
+  const monitor = getOpenClawMonitor();
+  const connectionStatus = monitor?.getStatus() ?? "not_configured";
+  const config = readOpenClawConfig();
+  const db = getDb();
+  const activeSessions = await db.select({ count: sql6`count(*)` }).from(schema_exports.openclawSessions).where(eq5(schema_exports.openclawSessions.status, "ACTIVE"));
+  const totalThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(ne2(schema_exports.agentActivities.threatLevel, "NONE"));
+  const resolvedThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      ne2(schema_exports.agentActivities.threatLevel, "NONE"),
+      eq5(schema_exports.agentActivities.resolved, 1)
+    )
+  );
+  const total = totalThreats[0]?.count ?? 0;
+  const resolved = resolvedThreats[0]?.count ?? 0;
+  const resolutionRate = total > 0 ? Math.round(resolved / total * 100) : 100;
+  const checks = [
+    {
+      id: "monitor-connection",
+      label: "OpenClaw connected",
+      passed: connectionStatus === "connected",
+      detail: connectionStatus === "connected" ? "Connected to OpenClaw gateway" : config ? `Connection status: ${connectionStatus}` : "OpenClaw config not found",
+      severity: "critical"
+    },
+    {
+      id: "monitor-sessions",
+      label: "Session tracking active",
+      passed: (activeSessions[0]?.count ?? 0) > 0 || connectionStatus === "connected",
+      detail: (activeSessions[0]?.count ?? 0) > 0 ? `${activeSessions[0].count} active session(s)` : connectionStatus === "connected" ? "Connected, no active sessions" : "No active sessions (disconnected)",
+      severity: "info"
+    },
+    {
+      id: "monitor-resolution",
+      label: "Threats being resolved",
+      passed: resolutionRate >= 50 || total === 0,
+      detail: total === 0 ? "No threats detected yet" : `${resolved}/${total} threats resolved (${resolutionRate}%)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("monitoring", "Threat Monitoring", checks);
+}
+async function checkHumanInLoopLayer() {
+  const monitor = getOpenClawMonitor();
+  const db = getDb();
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternCount = patternRows.length;
+  const totalApprovals = await db.select({ count: sql6`count(*)` }).from(schema_exports.execApprovals);
+  const timedOut = await db.select({ count: sql6`count(*)` }).from(schema_exports.execApprovals).where(eq5(schema_exports.execApprovals.decidedBy, "auto-deny"));
+  const total = totalApprovals[0]?.count ?? 0;
+  const timedOutCount = timedOut[0]?.count ?? 0;
+  const timeoutRate = total > 0 ? Math.round(timedOutCount / total * 100) : 0;
+  const checks = [
+    {
+      id: "hitl-active",
+      label: "Exec approval system active",
+      passed: monitor != null,
+      detail: monitor ? "Exec approval system is running" : "Exec approval system not initialized",
+      severity: "critical"
+    },
+    {
+      id: "hitl-timeout-rate",
+      label: "Approval timeout rate acceptable",
+      passed: timeoutRate < 20 || total === 0,
+      detail: total === 0 ? "No approval requests yet" : `${timedOutCount}/${total} approvals timed out (${timeoutRate}%)`,
+      severity: "warning"
+    },
+    {
+      id: "hitl-patterns",
+      label: "Restricted patterns configured",
+      passed: patternCount > 0,
+      detail: patternCount > 0 ? `${patternCount} restricted pattern(s) for interception` : "No restricted patterns \u2014 nothing to intercept",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("human-in-loop", "Human-in-the-Loop Controls", checks);
+}
+async function checkEgressProxyLayer() {
+  const proxyConfigured = !!(process.env.HTTP_PROXY || process.env.HTTPS_PROXY || process.env.http_proxy || process.env.https_proxy);
+  const noProxy = process.env.NO_PROXY || process.env.no_proxy || "";
+  const proxyBypassed = noProxy.trim() === "*";
+  const srtStatus = getSrtStatus();
+  const srtActive = srtStatus.enabled && srtStatus.installed;
+  const srtHasDomainRules = srtStatus.settings != null && (srtStatus.settings.network.allowedDomains.length > 0 || srtStatus.settings.network.deniedDomains.length > 0);
+  const db = getDb();
+  const exfilActivities = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-EXF%'`
+    )
+  );
+  const netActivities = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-NET%'`
+    )
+  );
+  const exfilCount = exfilActivities[0]?.count ?? 0;
+  const netCount = netActivities[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "egress-filtering-configured",
+      label: "Egress filtering configured",
+      passed: proxyConfigured || srtActive,
+      detail: srtActive ? "Sandbox Runtime (srt) is active \u2014 network egress is filtered" : proxyConfigured ? "HTTP/HTTPS proxy environment variables are set" : "No egress filtering \u2014 configure srt or set HTTP_PROXY/HTTPS_PROXY",
+      severity: "warning"
+    },
+    {
+      id: "egress-domain-rules",
+      label: "Domain filtering rules configured",
+      passed: srtHasDomainRules,
+      detail: srtHasDomainRules ? `srt domain rules: ${srtStatus.settings.network.allowedDomains.length} allowed, ${srtStatus.settings.network.deniedDomains.length} denied` : srtActive ? "srt is active but no domain allow/deny rules configured" : "No domain filtering rules \u2014 enable srt and add allowed domains",
+      severity: "warning"
+    },
+    {
+      id: "egress-no-proxy-safe",
+      label: "Proxy not globally bypassed",
+      passed: !proxyBypassed,
+      detail: proxyBypassed ? "NO_PROXY is set to '*' \u2014 all proxy filtering is bypassed" : noProxy ? `NO_PROXY exceptions: ${noProxy}` : "No NO_PROXY exceptions set",
+      severity: "critical"
+    },
+    {
+      id: "egress-exfiltration-clean",
+      label: "No unresolved exfiltration threats",
+      passed: exfilCount === 0,
+      detail: exfilCount === 0 ? "No unresolved data exfiltration threats" : `${exfilCount} unresolved exfiltration threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "egress-network-threats-clean",
+      label: "No unresolved network threats",
+      passed: netCount === 0,
+      detail: netCount === 0 ? "No unresolved network threats" : `${netCount} unresolved network threat(s)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("egress-proxy", "Egress Proxy & Domain Filtering", checks);
+}
+function checkGatewaySecurityLayer() {
+  const config = readOpenClawConfig();
+  const deviceExists = fs9.existsSync(OPENCLAW_DEVICE_JSON);
+  const authMode = config?.gateway ? config.gateway?.auth ? config.gateway.auth?.mode : void 0 : void 0;
+  const gwBind = config?.gateway ? config.gateway?.bind : void 0;
+  const bindLocal = gwBind === void 0 || gwBind === null || gwBind === "127.0.0.1" || gwBind === "localhost" || gwBind === "loopback" || gwBind === "::1";
+  const channels = config?.channels;
+  const whatsapp = channels?.whatsapp;
+  const allowFrom = whatsapp?.allowFrom;
+  const channelRestricted = !whatsapp || Array.isArray(allowFrom) && allowFrom.length > 0;
+  const checks = [
+    {
+      id: "gw-device-identity",
+      label: "Device identity configured",
+      passed: deviceExists,
+      detail: deviceExists ? "Ed25519 device identity file exists" : "No device identity found \u2014 gateway authentication unavailable",
+      severity: "critical"
+    },
+    {
+      id: "gw-auth-mode",
+      label: "Gateway authentication enabled",
+      passed: authMode != null && authMode !== "",
+      detail: authMode ? `Gateway auth mode: "${authMode}"` : "Gateway auth mode not configured",
+      severity: "critical"
+    },
+    {
+      id: "gw-bind-local",
+      label: "Gateway bound to localhost",
+      passed: bindLocal,
+      detail: bindLocal ? `Gateway bind: ${gwBind ?? "default (localhost)"}` : `Gateway bound to ${gwBind} \u2014 accessible from network`,
+      severity: "warning"
+    },
+    {
+      id: "gw-channel-restricted",
+      label: "External channels restricted",
+      passed: channelRestricted,
+      detail: channelRestricted ? whatsapp ? `WhatsApp allowFrom has ${allowFrom?.length ?? 0} entry/entries` : "No external channels configured" : "WhatsApp is open to all senders \u2014 restrict with allowFrom",
+      severity: "info"
+    }
+  ];
+  return buildLayer("gateway", "Gateway & Inbound Security", checks);
+}
+async function checkSupplyChainLayer() {
+  const db = getDb();
+  const supplyThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SUP%'`
+    )
+  );
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternTexts = patternRows.map((r) => r.pattern.toLowerCase());
+  const supplyKeywords = ["npm install", "pip install", "brew install", "curl"];
+  const hasSupplyPattern = supplyKeywords.some(
+    (kw) => patternTexts.some((pt) => pt.includes(kw))
+  );
+  const config = readOpenClawConfig();
+  const execSecurity = config?.tools?.exec?.security;
+  const supplyCount = supplyThreats[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "supply-chain-threats-clean",
+      label: "No unresolved supply chain threats",
+      passed: supplyCount === 0,
+      detail: supplyCount === 0 ? "No unresolved supply chain threats" : `${supplyCount} unresolved supply chain threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "supply-exec-restricted",
+      label: "Package install commands restricted",
+      passed: hasSupplyPattern,
+      detail: hasSupplyPattern ? "Restricted patterns cover package install commands" : "No restricted patterns for npm install, pip install, curl, etc.",
+      severity: "warning"
+    },
+    {
+      id: "supply-exec-mode",
+      label: "Exec security prevents blind installs",
+      passed: execSecurity === "deny" || execSecurity === "allowlist",
+      detail: execSecurity ? `Exec security mode: "${execSecurity}"` : "Exec security mode not configured",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("supply-chain", "Supply Chain Protection", checks);
+}
+async function checkInputOutputLayer() {
+  const db = getDb();
+  const injectionThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-INJ%'`
+    )
+  );
+  const mcpPoisoning = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-MCP%'`
+    )
+  );
+  const injCount = injectionThreats[0]?.count ?? 0;
+  const mcpCount = mcpPoisoning[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "io-injection-clean",
+      label: "No unresolved prompt injection threats",
+      passed: injCount === 0,
+      detail: injCount === 0 ? "No unresolved prompt injection threats" : `${injCount} unresolved prompt injection threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "io-mcp-poisoning-clean",
+      label: "No unresolved MCP poisoning threats",
+      passed: mcpCount === 0,
+      detail: mcpCount === 0 ? "No unresolved MCP tool poisoning threats" : `${mcpCount} unresolved MCP tool poisoning threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "io-content-scanner-active",
+      label: "Content threat scanner active",
+      passed: true,
+      detail: "Built-in 10-category threat classifier is always active",
+      severity: "info"
+    },
+    {
+      id: "io-skill-scanner-available",
+      label: "Skill definition scanner available",
+      passed: true,
+      detail: "Built-in SK-* skill scanner is available for MCP auditing",
+      severity: "info"
+    }
+  ];
+  return buildLayer("input-output", "Input/Output Validation", checks);
+}
+async function computeSecurityPosture() {
+  const [
+    execLayer,
+    egressLayer,
+    secretLayer,
+    supplyChainLayer,
+    inputOutputLayer,
+    monitoringLayer,
+    humanLayer
+  ] = await Promise.all([
+    checkCommandExecLayer(),
+    checkEgressProxyLayer(),
+    checkSecretLayer(),
+    checkSupplyChainLayer(),
+    checkInputOutputLayer(),
+    checkThreatMonitoringLayer(),
+    checkHumanInLoopLayer()
+  ]);
+  const layers = [
+    checkSandboxLayer(),
+    checkFilesystemLayer(),
+    checkNetworkLayer(),
+    egressLayer,
+    execLayer,
+    checkMcpLayer(),
+    checkGatewaySecurityLayer(),
+    secretLayer,
+    supplyChainLayer,
+    inputOutputLayer,
+    monitoringLayer,
+    humanLayer
+  ];
+  const totalChecks = layers.reduce((sum, l) => sum + l.totalCount, 0);
+  const passedChecks = layers.reduce((sum, l) => sum + l.passedCount, 0);
+  const overallScore = totalChecks > 0 ? Math.round(passedChecks / totalChecks * 100) : 0;
+  return {
+    layers,
+    overallScore,
+    configuredLayers: layers.filter((l) => l.status === "configured").length,
+    partialLayers: layers.filter((l) => l.status === "partial").length,
+    unconfiguredLayers: layers.filter((l) => l.status === "unconfigured").length,
+    totalLayers: layers.length,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+
+// src/server/routes.ts
 async function registerRoutes(app) {
   app.get("/api/health", async () => {
     return { status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() };
@@ -3277,11 +4691,11 @@ async function registerRoutes(app) {
       const db = getDb();
       await db.update(schema_exports.accessConfig).set({
         value: enabled ? "true" : "false",
-        updatedAt: sql6`datetime('now')`
+        updatedAt: sql7`datetime('now')`
       }).where(
-        and4(
-          eq5(schema_exports.accessConfig.category, category),
-          eq5(schema_exports.accessConfig.key, "enabled")
+        and5(
+          eq6(schema_exports.accessConfig.category, category),
+          eq6(schema_exports.accessConfig.key, "enabled")
         )
       );
       return deriveAccessState();
@@ -3310,8 +4724,8 @@ async function registerRoutes(app) {
     const { action } = request.body;
     const db = getDb();
     const newStatus = action === "ALLOW" ? "ALLOWED" : "BLOCKED";
-    await db.update(schema_exports.commandLogs).set({ status: newStatus, decisionBy: "USER" }).where(eq5(schema_exports.commandLogs.id, Number(id)));
-    const [updated] = await db.select().from(schema_exports.commandLogs).where(eq5(schema_exports.commandLogs.id, Number(id)));
+    await db.update(schema_exports.commandLogs).set({ status: newStatus, decisionBy: "USER" }).where(eq6(schema_exports.commandLogs.id, Number(id)));
+    const [updated] = await db.select().from(schema_exports.commandLogs).where(eq6(schema_exports.commandLogs.id, Number(id)));
     return updated;
   });
   app.get("/api/openclaw/config", async () => {
@@ -3413,6 +4827,59 @@ async function registerRoutes(app) {
     const patterns = monitor.getExecApprovalService().removeRestrictedPattern(pattern);
     return { patterns: patterns.map((p) => ({ pattern: p })) };
   });
+  app.get("/api/security-posture", async () => {
+    return computeSecurityPosture();
+  });
+  app.post("/api/skill-scanner/scan", async (request, reply) => {
+    const parsed = skillScanRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Invalid request. Provide { content: string } (1 to 500K chars)." });
+    }
+    const result = scanSkillDefinition(parsed.data.content);
+    return result;
+  });
+  app.post("/api/skill-scanner/clean", async (request, reply) => {
+    const parsed = skillScanRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Invalid request. Provide { content: string } (1 to 500K chars)." });
+    }
+    const result = cleanSkillDefinition(parsed.data.content);
+    return result;
+  });
+  app.get("/api/srt/status", async () => {
+    return getSrtStatus();
+  });
+  app.put("/api/srt/toggle", async (request) => {
+    const { enabled } = request.body;
+    return toggleSrt(enabled);
+  });
+  app.get("/api/srt/settings", async () => {
+    return readSrtSettings() ?? { error: "SRT settings file not found" };
+  });
+  app.put("/api/srt/settings", async (request) => {
+    const updates = request.body;
+    return updateSrtSettings(updates);
+  });
+  app.post("/api/srt/domains/:list", async (request, reply) => {
+    const { list } = request.params;
+    const { domain } = request.body;
+    if (!domain?.trim()) {
+      return reply.status(400).send({ error: "Domain is required" });
+    }
+    if (list === "allow") return addAllowedDomain(domain);
+    if (list === "deny") return addDeniedDomain(domain);
+    return reply.status(400).send({ error: "List must be 'allow' or 'deny'" });
+  });
+  app.delete("/api/srt/domains/:list", async (request, reply) => {
+    const { list } = request.params;
+    const { domain } = request.body;
+    if (!domain?.trim()) {
+      return reply.status(400).send({ error: "Domain is required" });
+    }
+    if (list === "allow") return removeAllowedDomain(domain);
+    if (list === "deny") return removeDeniedDomain(domain);
+    return reply.status(400).send({ error: "List must be 'allow' or 'deny'" });
+  });
 }
 
 // src/server/index.ts
@@ -3423,7 +4890,7 @@ async function createAppServer(port) {
   await app.register(fastifyCors, { origin: "*" });
   await registerRoutes(app);
   const publicDir = getPublicDir();
-  if (fs7.existsSync(publicDir) && fs7.readdirSync(publicDir).filter((f) => f !== ".gitkeep").length > 0) {
+  if (fs10.existsSync(publicDir) && fs10.readdirSync(publicDir).filter((f) => f !== ".gitkeep").length > 0) {
     await app.register(fastifyStatic, {
       root: publicDir,
       prefix: "/",
@@ -3685,7 +5152,7 @@ Permission denied for port ${port}.
 }
 
 // src/commands/reset.ts
-import fs8 from "fs";
+import fs11 from "fs";
 import readline from "readline/promises";
 import pc3 from "picocolors";
 async function resetCommand(options) {
@@ -3704,12 +5171,12 @@ async function resetCommand(options) {
     }
   }
   console.log(pc3.bold("Resetting SafeClaw..."));
-  if (fs8.existsSync(DB_PATH)) {
-    fs8.unlinkSync(DB_PATH);
+  if (fs11.existsSync(DB_PATH)) {
+    fs11.unlinkSync(DB_PATH);
     const walPath = DB_PATH + "-wal";
     const shmPath = DB_PATH + "-shm";
-    if (fs8.existsSync(walPath)) fs8.unlinkSync(walPath);
-    if (fs8.existsSync(shmPath)) fs8.unlinkSync(shmPath);
+    if (fs11.existsSync(walPath)) fs11.unlinkSync(walPath);
+    if (fs11.existsSync(shmPath)) fs11.unlinkSync(shmPath);
     console.log(pc3.green("  Database deleted."));
   } else {
     console.log(pc3.dim("  No database found, skipping."));
@@ -3722,11 +5189,11 @@ async function resetCommand(options) {
 }
 
 // src/commands/status.ts
-import fs9 from "fs";
+import fs12 from "fs";
 import Database3 from "better-sqlite3";
 import pc4 from "picocolors";
 async function statusCommand(options) {
-  const exists = fs9.existsSync(SAFECLAW_DIR);
+  const exists = fs12.existsSync(SAFECLAW_DIR);
   if (!exists) {
     if (options.json) {
       console.log(JSON.stringify({ initialized: false }, null, 2));
@@ -3740,7 +5207,7 @@ async function statusCommand(options) {
   const config = readConfig();
   let logCount = 0;
   let activityCount = 0;
-  const dbExists = fs9.existsSync(DB_PATH);
+  const dbExists = fs12.existsSync(DB_PATH);
   if (dbExists) {
     try {
       const sqlite = new Database3(DB_PATH, { readonly: true });
@@ -3754,14 +5221,14 @@ async function statusCommand(options) {
       activityCount = -1;
     }
   }
-  const openclawConfigExists = fs9.existsSync(OPENCLAW_CONFIG_PATH);
+  const openclawConfigExists = fs12.existsSync(OPENCLAW_CONFIG_PATH);
   if (options.json) {
     const data = {
       version: VERSION,
       initialized: true,
       dataDir: SAFECLAW_DIR,
       database: dbExists ? "exists" : "not_found",
-      config: fs9.existsSync(CONFIG_PATH) ? "exists" : "not_found",
+      config: fs12.existsSync(CONFIG_PATH) ? "exists" : "not_found",
       port: config.port,
       autoOpenBrowser: config.autoOpenBrowser,
       premium: config.premium,
@@ -3779,7 +5246,7 @@ async function statusCommand(options) {
     `  ${pc4.dim("Database:")}   ${dbExists ? pc4.green("exists") : pc4.red("not found")}`
   );
   console.log(
-    `  ${pc4.dim("Config:")}     ${fs9.existsSync(CONFIG_PATH) ? pc4.green("exists") : pc4.red("not found")}`
+    `  ${pc4.dim("Config:")}     ${fs12.existsSync(CONFIG_PATH) ? pc4.green("exists") : pc4.red("not found")}`
   );
   console.log(`  ${pc4.dim("Port:")}       ${config.port}`);
   console.log(`  ${pc4.dim("Auto-open:")}  ${config.autoOpenBrowser ? "Yes" : "No"}`);
@@ -3797,7 +5264,7 @@ async function statusCommand(options) {
 }
 
 // src/commands/doctor.ts
-import fs10 from "fs";
+import fs13 from "fs";
 import net from "net";
 import Database4 from "better-sqlite3";
 import pc5 from "picocolors";
@@ -3819,7 +5286,7 @@ function checkNodeVersion() {
 function checkDataDir() {
   try {
     ensureDataDir();
-    fs10.accessSync(SAFECLAW_DIR, fs10.constants.W_OK);
+    fs13.accessSync(SAFECLAW_DIR, fs13.constants.W_OK);
     return {
       name: "Data directory writable",
       status: "pass",
@@ -3834,7 +5301,7 @@ function checkDataDir() {
   }
 }
 function checkDatabase() {
-  if (!fs10.existsSync(DB_PATH)) {
+  if (!fs13.existsSync(DB_PATH)) {
     return {
       name: "Database",
       status: "warn",
@@ -3877,7 +5344,7 @@ function checkDatabase() {
   }
 }
 function checkConfig() {
-  if (!fs10.existsSync(CONFIG_PATH)) {
+  if (!fs13.existsSync(CONFIG_PATH)) {
     return {
       name: "Config file",
       status: "warn",
@@ -3919,14 +5386,14 @@ async function checkPort() {
   };
 }
 function checkOpenClawConfig() {
-  if (!fs10.existsSync(OPENCLAW_DIR)) {
+  if (!fs13.existsSync(OPENCLAW_DIR)) {
     return {
       name: "OpenClaw directory",
       status: "warn",
       message: `${OPENCLAW_DIR} not found`
     };
   }
-  if (!fs10.existsSync(OPENCLAW_CONFIG_PATH)) {
+  if (!fs13.existsSync(OPENCLAW_CONFIG_PATH)) {
     return {
       name: "OpenClaw config",
       status: "warn",
@@ -3958,7 +5425,7 @@ function isPortInUse(port) {
   });
 }
 async function checkOpenClawGateway() {
-  if (!fs10.existsSync(OPENCLAW_CONFIG_PATH)) {
+  if (!fs13.existsSync(OPENCLAW_CONFIG_PATH)) {
     return {
       name: "OpenClaw gateway",
       status: "warn",
@@ -3966,7 +5433,7 @@ async function checkOpenClawGateway() {
     };
   }
   try {
-    const raw = JSON.parse(fs10.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
+    const raw = JSON.parse(fs13.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
     const port = raw?.gateway?.port ?? 18789;
     const reachable = await isPortInUse(port);
     if (reachable) {
@@ -3991,10 +5458,10 @@ async function checkOpenClawGateway() {
 }
 function checkLogDir() {
   try {
-    if (!fs10.existsSync(LOGS_DIR)) {
-      fs10.mkdirSync(LOGS_DIR, { recursive: true });
+    if (!fs13.existsSync(LOGS_DIR)) {
+      fs13.mkdirSync(LOGS_DIR, { recursive: true });
     }
-    fs10.accessSync(LOGS_DIR, fs10.constants.W_OK);
+    fs13.accessSync(LOGS_DIR, fs13.constants.W_OK);
     return {
       name: "Log directory writable",
       status: "pass",
@@ -4136,14 +5603,14 @@ async function configSetCommand(key, value) {
 }
 
 // src/commands/logs.ts
-import fs11 from "fs";
+import fs14 from "fs";
 import pc7 from "picocolors";
 async function logsCommand(options) {
   if (options.clear) {
     await clearLogs();
     return;
   }
-  if (!fs11.existsSync(DEBUG_LOG_PATH)) {
+  if (!fs14.existsSync(DEBUG_LOG_PATH)) {
     console.log(
       pc7.yellow("No log file found.") + " Run " + pc7.cyan("safeclaw start") + " to generate logs."
     );
@@ -4156,7 +5623,7 @@ async function logsCommand(options) {
   }
 }
 async function tailLogs(lineCount) {
-  const content = fs11.readFileSync(DEBUG_LOG_PATH, "utf-8");
+  const content = fs14.readFileSync(DEBUG_LOG_PATH, "utf-8");
   const lines = content.split("\n").filter(Boolean);
   const tail = lines.slice(-lineCount);
   if (tail.length === 0) {
@@ -4174,23 +5641,23 @@ async function tailLogs(lineCount) {
 async function followLogs() {
   console.log(pc7.dim(`Following ${DEBUG_LOG_PATH} (Ctrl+C to stop)
 `));
-  if (fs11.existsSync(DEBUG_LOG_PATH)) {
-    const content = fs11.readFileSync(DEBUG_LOG_PATH, "utf-8");
+  if (fs14.existsSync(DEBUG_LOG_PATH)) {
+    const content = fs14.readFileSync(DEBUG_LOG_PATH, "utf-8");
     const lines = content.split("\n").filter(Boolean);
     const tail = lines.slice(-20);
     for (const line of tail) {
       process.stdout.write(line + "\n");
     }
   }
-  let position = fs11.existsSync(DEBUG_LOG_PATH) ? fs11.statSync(DEBUG_LOG_PATH).size : 0;
-  const watcher = fs11.watch(DEBUG_LOG_PATH, () => {
+  let position = fs14.existsSync(DEBUG_LOG_PATH) ? fs14.statSync(DEBUG_LOG_PATH).size : 0;
+  const watcher = fs14.watch(DEBUG_LOG_PATH, () => {
     try {
-      const stat = fs11.statSync(DEBUG_LOG_PATH);
+      const stat = fs14.statSync(DEBUG_LOG_PATH);
       if (stat.size > position) {
-        const fd = fs11.openSync(DEBUG_LOG_PATH, "r");
+        const fd = fs14.openSync(DEBUG_LOG_PATH, "r");
         const buffer = Buffer.alloc(stat.size - position);
-        fs11.readSync(fd, buffer, 0, buffer.length, position);
-        fs11.closeSync(fd);
+        fs14.readSync(fd, buffer, 0, buffer.length, position);
+        fs14.closeSync(fd);
         process.stdout.write(buffer.toString("utf-8"));
         position = stat.size;
       } else if (stat.size < position) {
@@ -4208,11 +5675,11 @@ async function followLogs() {
   });
 }
 async function clearLogs() {
-  if (!fs11.existsSync(DEBUG_LOG_PATH)) {
+  if (!fs14.existsSync(DEBUG_LOG_PATH)) {
     console.log(pc7.dim("No log file to clear."));
     return;
   }
-  fs11.writeFileSync(DEBUG_LOG_PATH, "");
+  fs14.writeFileSync(DEBUG_LOG_PATH, "");
   console.log(pc7.green("Log file cleared."));
 }