npm - safeclaw - Versions diffs - 0.1.5 → 0.1.6 - Mend

safeclaw 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/main.js +1736 -272
package/package.json +15 -15
package/public/assets/index-Bou4RiFv.css +1 -0
package/public/assets/index-C_nCUaJ0.js +226 -0
package/public/index.html +2 -2
package/LICENSE +0 -295
package/public/assets/index-8apm98QE.js +0 -126
package/public/assets/index-Ck6Q-RL6.css +0 -1

package/dist/main.js CHANGED Viewed

@@ -8,13 +8,13 @@ var __export = (target, all) => {
 import { Command } from "commander";
 // src/lib/version.ts
-var VERSION = "0.1.5";
+var VERSION = "0.1.6";
 // src/server/index.ts
 import Fastify from "fastify";
 import fastifyStatic from "@fastify/static";
 import fastifyCors from "@fastify/cors";
-import fs8 from "fs";
+import fs10 from "fs";
 // src/lib/paths.ts
 import fs from "fs";
@@ -32,6 +32,7 @@ var OPENCLAW_IDENTITY_DIR = path.join(OPENCLAW_DIR, "identity");
 var OPENCLAW_DEVICE_JSON = path.join(OPENCLAW_IDENTITY_DIR, "device.json");
 var OPENCLAW_DEVICE_AUTH_JSON = path.join(OPENCLAW_IDENTITY_DIR, "device-auth.json");
 var OPENCLAW_EXEC_APPROVALS_PATH = path.join(OPENCLAW_DIR, "exec-approvals.json");
+var SRT_SETTINGS_PATH = path.join(HOME, ".srt-settings.json");
 function getPublicDir() {
   const currentDir = path.dirname(new URL(import.meta.url).pathname);
   const bundledPath = path.resolve(currentDir, "..", "public");
@@ -84,8 +85,12 @@ var safeClawConfigSchema = z.object({
   port: z.number().int().min(1024).max(65535).default(54335),
   autoOpenBrowser: z.boolean().default(true),
   premium: z.boolean().default(false),
-  userId: z.string().nullable().default(null)
-});
+  userId: z.string().nullable().default(null),
+  srt: z.object({
+    enabled: z.boolean(),
+    settingsPath: z.string().optional()
+  }).optional()
+}).passthrough();
 var activityTypeSchema = z.enum([
   "file_read",
   "file_write",
@@ -263,7 +268,7 @@ var execApprovalEntrySchema = z.object({
   requestedAt: z.string(),
   expiresAt: z.string(),
   decision: execDecisionSchema.nullable(),
-  decidedBy: z.enum(["user", "auto-deny"]).nullable(),
+  decidedBy: z.enum(["user", "auto-deny", "auto-approve", "access-control"]).nullable(),
   decidedAt: z.string().nullable()
 });
 var allowlistPatternSchema = z.object({
@@ -272,6 +277,104 @@ var allowlistPatternSchema = z.object({
 var allowlistStateSchema = z.object({
   patterns: z.array(allowlistPatternSchema)
 });
+var skillScanCategoryIdSchema = z.enum([
+  "SK-HID",
+  "SK-INJ",
+  "SK-EXE",
+  "SK-EXF",
+  "SK-SEC",
+  "SK-SFA",
+  "SK-MEM",
+  "SK-SUP",
+  "SK-B64",
+  "SK-IMG",
+  "SK-SYS",
+  "SK-ARG",
+  "SK-XTL",
+  "SK-PRM",
+  "SK-STR"
+]);
+var skillScanRequestSchema = z.object({
+  content: z.string().min(1).max(5e5)
+});
+var skillScanFindingSchema = z.object({
+  categoryId: skillScanCategoryIdSchema,
+  categoryName: z.string(),
+  severity: threatLevelSchema,
+  reason: z.string(),
+  evidence: z.string().optional(),
+  owaspRef: z.string().optional(),
+  remediation: z.string().optional(),
+  lineNumber: z.number().optional()
+});
+var skillScanResultSchema = z.object({
+  overallSeverity: threatLevelSchema,
+  findings: z.array(skillScanFindingSchema),
+  summary: z.object({
+    critical: z.number(),
+    high: z.number(),
+    medium: z.number(),
+    low: z.number()
+  }),
+  scannedAt: z.string(),
+  contentLength: z.number(),
+  scanDurationMs: z.number()
+});
+var skillCleanResultSchema = z.object({
+  cleanedContent: z.string(),
+  removedCount: z.number()
+});
+var securityLayerStatusSchema = z.enum([
+  "configured",
+  "partial",
+  "unconfigured",
+  "error"
+]);
+var securityCheckSchema = z.object({
+  id: z.string(),
+  label: z.string(),
+  passed: z.boolean(),
+  detail: z.string(),
+  severity: z.enum(["info", "warning", "critical"])
+}).passthrough();
+var securityLayerSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  status: securityLayerStatusSchema,
+  checks: z.array(securityCheckSchema),
+  passedCount: z.number(),
+  totalCount: z.number()
+}).passthrough();
+var securityPostureSchema = z.object({
+  layers: z.array(securityLayerSchema),
+  overallScore: z.number(),
+  configuredLayers: z.number(),
+  partialLayers: z.number(),
+  unconfiguredLayers: z.number(),
+  totalLayers: z.number(),
+  checkedAt: z.string()
+}).passthrough();
+var srtNetworkConfigSchema = z.object({
+  allowedDomains: z.array(z.string()),
+  deniedDomains: z.array(z.string()),
+  allowLocalBinding: z.boolean()
+}).passthrough();
+var srtFilesystemConfigSchema = z.object({
+  denyRead: z.array(z.string()),
+  allowWrite: z.array(z.string()),
+  denyWrite: z.array(z.string())
+}).passthrough();
+var srtSettingsSchema = z.object({
+  network: srtNetworkConfigSchema,
+  filesystem: srtFilesystemConfigSchema
+}).passthrough();
+var srtStatusSchema = z.object({
+  installed: z.boolean(),
+  version: z.string().nullable(),
+  enabled: z.boolean(),
+  settingsPath: z.string(),
+  settings: srtSettingsSchema.nullable()
+}).passthrough();
 // src/lib/config.ts
 var DEFAULT_CONFIG = {
@@ -279,7 +382,10 @@ var DEFAULT_CONFIG = {
   port: 54335,
   autoOpenBrowser: true,
   premium: false,
-  userId: null
+  userId: null,
+  srt: {
+    enabled: false
+  }
 };
 function ensureDataDir() {
   if (!fs2.existsSync(SAFECLAW_DIR)) {
@@ -403,7 +509,7 @@ var execApprovals = sqliteTable("exec_approvals", {
     enum: ["allow-once", "allow-always", "deny"]
   }),
   decidedBy: text("decided_by", {
-    enum: ["user", "auto-deny"]
+    enum: ["user", "auto-deny", "auto-approve", "access-control"]
   }),
   decidedAt: text("decided_at"),
   matchedPattern: text("matched_pattern")
@@ -469,8 +575,9 @@ function writeOpenClawConfig(updates) {
   const current = readOpenClawConfig();
   if (!current) return null;
   const merged = deepMerge(current, updates);
-  fs4.writeFileSync(OPENCLAW_CONFIG_PATH, JSON.stringify(merged, null, 2));
-  return merged;
+  const cleaned = stripNulls(merged);
+  fs4.writeFileSync(OPENCLAW_CONFIG_PATH, JSON.stringify(cleaned, null, 2));
+  return cleaned;
 }
 function deepMerge(target, source) {
   const result = { ...target };
@@ -485,6 +592,21 @@ function deepMerge(target, source) {
   }
   return result;
 }
+function stripNulls(obj) {
+  const result = {};
+  for (const [key, val] of Object.entries(obj)) {
+    if (val === null) continue;
+    if (typeof val === "object" && !Array.isArray(val)) {
+      const cleaned = stripNulls(val);
+      if (Object.keys(cleaned).length > 0) {
+        result[key] = cleaned;
+      }
+    } else {
+      result[key] = val;
+    }
+  }
+  return result;
+}
 // src/lib/openclaw-client.ts
 import { EventEmitter } from "events";
@@ -1311,8 +1433,228 @@ var SessionWatcher = class extends EventEmitter2 {
 };
 // src/services/exec-approval-service.ts
-import { eq, desc, sql as sql2 } from "drizzle-orm";
+import { eq as eq2, desc, sql as sql3 } from "drizzle-orm";
 import path3 from "path";
+// src/services/access-control.ts
+import { eq, and, sql as sql2 } from "drizzle-orm";
+var TOOL_GROUP_MAP = {
+  filesystem: "group:fs",
+  system_commands: "group:runtime",
+  network: "group:web"
+};
+function deriveMcpServerStates(config, denyList) {
+  const pluginEntries = config.plugins?.entries ?? {};
+  return Object.keys(pluginEntries).map((name) => {
+    const pluginEnabled = pluginEntries[name].enabled !== false;
+    const toolsDenyBlocked = denyList.includes(`mcp__${name}`);
+    return {
+      name,
+      pluginEnabled,
+      toolsDenyBlocked,
+      effectivelyEnabled: pluginEnabled && !toolsDenyBlocked
+    };
+  });
+}
+function deriveAccessState() {
+  const config = readOpenClawConfig();
+  if (!config) {
+    return {
+      toggles: [
+        { category: "filesystem", enabled: true },
+        { category: "mcp_servers", enabled: true },
+        { category: "network", enabled: true },
+        { category: "system_commands", enabled: true }
+      ],
+      mcpServers: [],
+      openclawConfigAvailable: false
+    };
+  }
+  const denyList = config.tools?.deny ?? [];
+  const filesystemEnabled = !denyList.includes("group:fs");
+  const systemCommandsEnabled = !denyList.includes("group:runtime");
+  const networkEnabled = !denyList.includes("group:web") && config.browser?.enabled !== false;
+  const pluginEntries = config.plugins?.entries ?? {};
+  const pluginNames = Object.keys(pluginEntries);
+  const mcpEnabled = pluginNames.length === 0 || pluginNames.some((name) => pluginEntries[name].enabled !== false);
+  const toggles = [
+    { category: "filesystem", enabled: filesystemEnabled },
+    { category: "mcp_servers", enabled: mcpEnabled },
+    { category: "network", enabled: networkEnabled },
+    { category: "system_commands", enabled: systemCommandsEnabled }
+  ];
+  const mcpServers = deriveMcpServerStates(config, denyList);
+  return { toggles, mcpServers, openclawConfigAvailable: true };
+}
+async function applyAccessToggle(category, enabled) {
+  const config = readOpenClawConfig();
+  if (!config) {
+    throw new Error("OpenClaw config not found");
+  }
+  if (category === "mcp_servers") {
+    await applyMcpToggle(config, enabled);
+  } else if (category === "network") {
+    applyNetworkToggle(config, enabled);
+  } else {
+    applyToolGroupToggle(config, category, enabled);
+  }
+  await updateAuditDb(category, enabled);
+  return deriveAccessState();
+}
+async function applyMcpServerToggle(serverName, enabled) {
+  const config = readOpenClawConfig();
+  if (!config) {
+    throw new Error("OpenClaw config not found");
+  }
+  const denyPattern = `mcp__${serverName}`;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== denyPattern);
+    writeOpenClawConfig({ tools: { deny: filtered } });
+  } else {
+    if (!currentDeny.includes(denyPattern)) {
+      currentDeny.push(denyPattern);
+    }
+    writeOpenClawConfig({ tools: { deny: currentDeny } });
+  }
+  await updateAuditDb(`mcp_server:${serverName}`, enabled);
+  return deriveAccessState();
+}
+function applyToolGroupToggle(config, category, enabled) {
+  const groupName = TOOL_GROUP_MAP[category];
+  if (!groupName) return;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== groupName);
+    writeOpenClawConfig({ tools: { deny: filtered } });
+  } else {
+    if (!currentDeny.includes(groupName)) {
+      currentDeny.push(groupName);
+    }
+    writeOpenClawConfig({ tools: { deny: currentDeny } });
+  }
+}
+function applyNetworkToggle(config, enabled) {
+  const currentDeny = [...config.tools?.deny ?? []];
+  const groupName = "group:web";
+  if (enabled) {
+    const filtered = currentDeny.filter((entry) => entry !== groupName);
+    writeOpenClawConfig({
+      tools: { deny: filtered },
+      browser: { enabled: true }
+    });
+  } else {
+    if (!currentDeny.includes(groupName)) {
+      currentDeny.push(groupName);
+    }
+    writeOpenClawConfig({
+      tools: { deny: currentDeny },
+      browser: { enabled: false }
+    });
+  }
+}
+async function applyMcpToggle(config, enabled) {
+  const pluginEntries = config.plugins?.entries ?? {};
+  const pluginNames = Object.keys(pluginEntries);
+  if (pluginNames.length === 0) return;
+  const currentDeny = [...config.tools?.deny ?? []];
+  if (!enabled) {
+    const stateMap = {};
+    for (const name of pluginNames) {
+      stateMap[name] = pluginEntries[name].enabled !== false;
+    }
+    await savePreviousPluginState(stateMap);
+    const disabledEntries = {};
+    for (const name of pluginNames) {
+      disabledEntries[name] = { enabled: false };
+    }
+    for (const name of pluginNames) {
+      const denyPattern = `mcp__${name}`;
+      if (!currentDeny.includes(denyPattern)) {
+        currentDeny.push(denyPattern);
+      }
+    }
+    writeOpenClawConfig({
+      plugins: { entries: disabledEntries },
+      tools: { deny: currentDeny }
+    });
+  } else {
+    const previousState = await loadPreviousPluginState();
+    const restoredEntries = {};
+    for (const name of pluginNames) {
+      restoredEntries[name] = {
+        enabled: previousState?.[name] ?? true
+      };
+    }
+    const mcpDenyPatterns = new Set(pluginNames.map((n) => `mcp__${n}`));
+    const filteredDeny = currentDeny.filter(
+      (entry) => !mcpDenyPatterns.has(entry)
+    );
+    writeOpenClawConfig({
+      plugins: { entries: restoredEntries },
+      tools: { deny: filteredDeny }
+    });
+  }
+}
+async function savePreviousPluginState(stateMap) {
+  const db = getDb();
+  const existing = await db.select().from(schema_exports.accessConfig).where(
+    and(
+      eq(schema_exports.accessConfig.category, "mcp_servers"),
+      eq(schema_exports.accessConfig.key, "previous_plugin_state")
+    )
+  );
+  if (existing.length > 0) {
+    await db.update(schema_exports.accessConfig).set({
+      value: JSON.stringify(stateMap),
+      updatedAt: sql2`datetime('now')`
+    }).where(
+      and(
+        eq(schema_exports.accessConfig.category, "mcp_servers"),
+        eq(schema_exports.accessConfig.key, "previous_plugin_state")
+      )
+    );
+  } else {
+    await db.insert(schema_exports.accessConfig).values({
+      category: "mcp_servers",
+      key: "previous_plugin_state",
+      value: JSON.stringify(stateMap)
+    });
+  }
+}
+async function loadPreviousPluginState() {
+  const db = getDb();
+  const rows = await db.select().from(schema_exports.accessConfig).where(
+    and(
+      eq(schema_exports.accessConfig.category, "mcp_servers"),
+      eq(schema_exports.accessConfig.key, "previous_plugin_state")
+    )
+  );
+  if (rows.length === 0) return null;
+  try {
+    return JSON.parse(rows[0].value);
+  } catch {
+    return null;
+  }
+}
+async function updateAuditDb(category, enabled) {
+  const db = getDb();
+  try {
+    await db.update(schema_exports.accessConfig).set({
+      value: enabled ? "true" : "false",
+      updatedAt: sql2`datetime('now')`
+    }).where(
+      and(
+        eq(schema_exports.accessConfig.category, category),
+        eq(schema_exports.accessConfig.key, "enabled")
+      )
+    );
+  } catch (err) {
+    logger.warn({ err, category, enabled }, "Failed to update audit DB");
+  }
+}
+// src/services/exec-approval-service.ts
 var DEFAULT_TIMEOUT_MS = 6e5;
 var instance = null;
 function matchesPattern(command, pattern) {
@@ -1320,6 +1662,37 @@ function matchesPattern(command, pattern) {
   const regexStr = "^" + escaped.replace(/\*/g, ".*") + "$";
   return new RegExp(regexStr, "i").test(command);
 }
+var NETWORK_BINARIES = /* @__PURE__ */ new Set([
+  "curl",
+  "wget",
+  "httpie",
+  "http",
+  "ssh",
+  "scp",
+  "sftp",
+  "nc",
+  "ncat",
+  "netcat",
+  "dig",
+  "nslookup",
+  "host",
+  "ping",
+  "traceroute",
+  "tracepath",
+  "mtr",
+  "telnet",
+  "ftp",
+  "lftp",
+  "rsync",
+  "socat",
+  "nmap"
+]);
+function isNetworkCommand(command) {
+  const firstToken = command.trim().split(/\s+/)[0];
+  if (!firstToken) return false;
+  const basename = firstToken.includes("/") ? firstToken.split("/").pop() : firstToken;
+  return NETWORK_BINARIES.has(basename.toLowerCase());
+}
 var ExecApprovalService = class {
   client;
   io;
@@ -1360,7 +1733,58 @@ var ExecApprovalService = class {
   handleRequest(request) {
     const matchedPattern = this.findMatchingPattern(request.command);
     if (!matchedPattern) {
+      if (isNetworkCommand(request.command)) {
+        try {
+          const accessState = deriveAccessState();
+          const networkToggle = accessState.toggles.find(
+            (t) => t.category === "network"
+          );
+          if (networkToggle && !networkToggle.enabled) {
+            this.resolveToGateway(request.id, "deny");
+            const now3 = /* @__PURE__ */ new Date();
+            const entry3 = {
+              id: request.id,
+              command: request.command,
+              cwd: request.cwd,
+              security: request.security,
+              sessionKey: request.sessionKey,
+              requestedAt: now3.toISOString(),
+              expiresAt: now3.toISOString(),
+              decision: "deny",
+              decidedBy: "access-control",
+              decidedAt: now3.toISOString()
+            };
+            this.persistApproval(entry3, null);
+            this.io.emit("safeclaw:execApprovalResolved", entry3);
+            logger.info(
+              { command: request.command },
+              "Network command auto-denied (network toggle OFF)"
+            );
+            return;
+          }
+        } catch {
+          logger.debug(
+            { command: request.command },
+            "Could not read access state for network check, falling through"
+          );
+        }
+      }
       this.resolveToGateway(request.id, "allow-once");
+      const now2 = /* @__PURE__ */ new Date();
+      const entry2 = {
+        id: request.id,
+        command: request.command,
+        cwd: request.cwd,
+        security: request.security,
+        sessionKey: request.sessionKey,
+        requestedAt: now2.toISOString(),
+        expiresAt: now2.toISOString(),
+        decision: "allow-once",
+        decidedBy: "auto-approve",
+        decidedAt: now2.toISOString()
+      };
+      this.persistApproval(entry2, null);
+      this.io.emit("safeclaw:execApprovalResolved", entry2);
       logger.debug(
         { command: request.command },
         "Command auto-approved (not restricted)"
@@ -1479,7 +1903,7 @@ var ExecApprovalService = class {
         decision: entry.decision,
         decidedBy: entry.decidedBy,
         decidedAt: entry.decidedAt
-      }).where(eq(schema_exports.execApprovals.id, entry.id)).run();
+      }).where(eq2(schema_exports.execApprovals.id, entry.id)).run();
     } catch (err) {
       logger.error(
         { err, id: entry.id },
@@ -1528,7 +1952,7 @@ var ExecApprovalService = class {
     );
     try {
       const db = getDb();
-      db.delete(schema_exports.restrictedPatterns).where(eq(schema_exports.restrictedPatterns.pattern, pattern)).run();
+      db.delete(schema_exports.restrictedPatterns).where(eq2(schema_exports.restrictedPatterns.pattern, pattern)).run();
     } catch (err) {
       logger.error({ err, pattern }, "Failed to remove restricted pattern from database");
     }
@@ -1631,7 +2055,7 @@ var ExecApprovalService = class {
   getHistory(limit = 50) {
     try {
       const db = getDb();
-      const rows = db.select().from(schema_exports.execApprovals).where(sql2`${schema_exports.execApprovals.decision} IS NOT NULL`).orderBy(desc(schema_exports.execApprovals.decidedAt)).limit(limit).all();
+      const rows = db.select().from(schema_exports.execApprovals).where(sql3`${schema_exports.execApprovals.decision} IS NOT NULL`).orderBy(desc(schema_exports.execApprovals.decidedAt)).limit(limit).all();
       return rows.map((r) => ({
         id: r.id,
         command: r.command,
@@ -1792,7 +2216,7 @@ var SECRET_PATTERNS = [
 function scanForSecrets(content) {
   if (!content) return { types: [], maxSeverity: "NONE" };
   const found = /* @__PURE__ */ new Set();
-  let maxSeverity = "NONE";
+  let maxSeverity2 = "NONE";
   const severityOrder = {
     NONE: 0,
     LOW: 1,
@@ -1803,12 +2227,12 @@ function scanForSecrets(content) {
   for (const { pattern, type, severity } of SECRET_PATTERNS) {
     if (pattern.test(content)) {
       found.add(type);
-      if (severityOrder[severity] > severityOrder[maxSeverity]) {
-        maxSeverity = severity;
+      if (severityOrder[severity] > severityOrder[maxSeverity2]) {
+        maxSeverity2 = severity;
       }
     }
   }
-  return { types: Array.from(found), maxSeverity };
+  return { types: Array.from(found), maxSeverity: maxSeverity2 };
 }
 // src/lib/threat-patterns.ts
@@ -2445,7 +2869,7 @@ function analyzeActivityThreat(activityType, detail, targetPath, contentPreview,
 }
 // src/services/openclaw-monitor.ts
-import { eq as eq2, ne, desc as desc2, and, sql as sql3 } from "drizzle-orm";
+import { eq as eq3, ne, desc as desc2, and as and2, sql as sql4 } from "drizzle-orm";
 var instance2 = null;
 var OpenClawMonitor = class {
   client;
@@ -2510,7 +2934,7 @@ var OpenClawMonitor = class {
       parsed.toolName
     );
     const db = getDb();
-    const existingSession = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, parsed.openclawSessionId)).limit(1);
+    const existingSession = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, parsed.openclawSessionId)).limit(1);
     if (existingSession.length === 0) {
       await db.insert(schema_exports.openclawSessions).values({
         id: parsed.openclawSessionId,
@@ -2599,7 +3023,7 @@ var OpenClawMonitor = class {
   }
   async handleSessionStart(sessionId, model) {
     const db = getDb();
-    const existing = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, sessionId)).limit(1);
+    const existing = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, sessionId)).limit(1);
     if (existing.length === 0) {
       await db.insert(schema_exports.openclawSessions).values({
         id: sessionId,
@@ -2607,7 +3031,7 @@ var OpenClawMonitor = class {
         model: model ?? null
       });
     } else {
-      await db.update(schema_exports.openclawSessions).set({ status: "ACTIVE", model: model ?? null }).where(eq2(schema_exports.openclawSessions.id, sessionId));
+      await db.update(schema_exports.openclawSessions).set({ status: "ACTIVE", model: model ?? null }).where(eq3(schema_exports.openclawSessions.id, sessionId));
     }
     const session = await this.buildSessionPayload(sessionId);
     if (session) {
@@ -2618,8 +3042,8 @@ var OpenClawMonitor = class {
     const db = getDb();
     await db.update(schema_exports.openclawSessions).set({
       status: "ENDED",
-      endedAt: sql3`datetime('now')`
-    }).where(eq2(schema_exports.openclawSessions.id, sessionId));
+      endedAt: sql4`datetime('now')`
+    }).where(eq3(schema_exports.openclawSessions.id, sessionId));
     const session = await this.buildSessionPayload(sessionId);
     if (session) {
       this.io.emit("safeclaw:openclawSessionUpdate", session);
@@ -2627,9 +3051,9 @@ var OpenClawMonitor = class {
   }
   async buildSessionPayload(sessionId) {
     const db = getDb();
-    const [row] = await db.select().from(schema_exports.openclawSessions).where(eq2(schema_exports.openclawSessions.id, sessionId));
+    const [row] = await db.select().from(schema_exports.openclawSessions).where(eq3(schema_exports.openclawSessions.id, sessionId));
     if (!row) return null;
-    const activities = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.openclawSessionId, sessionId));
+    const activities = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.openclawSessionId, sessionId));
     const threatSummary = {
       NONE: 0,
       LOW: 0,
@@ -2691,8 +3115,8 @@ var OpenClawMonitor = class {
     await db.update(schema_exports.agentActivities).set({
       resolved: resolved ? 1 : 0,
       resolvedAt: resolved ? (/* @__PURE__ */ new Date()).toISOString() : null
-    }).where(eq2(schema_exports.agentActivities.id, activityId));
-    const [row] = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.id, activityId));
+    }).where(eq3(schema_exports.agentActivities.id, activityId));
+    const [row] = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.id, activityId));
     if (!row) return null;
     return this.mapRowToActivity(row);
   }
@@ -2700,19 +3124,19 @@ var OpenClawMonitor = class {
     const db = getDb();
     const conditions = [ne(schema_exports.agentActivities.threatLevel, "NONE")];
     if (severity) {
-      conditions.push(eq2(schema_exports.agentActivities.threatLevel, severity));
+      conditions.push(eq3(schema_exports.agentActivities.threatLevel, severity));
     }
     if (resolved !== void 0) {
-      conditions.push(eq2(schema_exports.agentActivities.resolved, resolved ? 1 : 0));
+      conditions.push(eq3(schema_exports.agentActivities.resolved, resolved ? 1 : 0));
     }
-    const rows = await db.select().from(schema_exports.agentActivities).where(and(...conditions)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
+    const rows = await db.select().from(schema_exports.agentActivities).where(and2(...conditions)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     return rows.map((r) => this.mapRowToActivity(r));
   }
   async getActivities(sessionId, limit = 50) {
     const db = getDb();
     let rows;
     if (sessionId) {
-      rows = await db.select().from(schema_exports.agentActivities).where(eq2(schema_exports.agentActivities.openclawSessionId, sessionId)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
+      rows = await db.select().from(schema_exports.agentActivities).where(eq3(schema_exports.agentActivities.openclawSessionId, sessionId)).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     } else {
       rows = await db.select().from(schema_exports.agentActivities).orderBy(desc2(schema_exports.agentActivities.id)).limit(limit);
     }
@@ -2767,222 +3191,130 @@ function getOpenClawMonitor() {
   return instance2;
 }
-// src/services/access-control.ts
-import { eq as eq3, and as and2, sql as sql4 } from "drizzle-orm";
-var TOOL_GROUP_MAP = {
-  filesystem: "group:fs",
-  system_commands: "group:runtime",
-  network: "group:web"
-};
-function deriveMcpServerStates(config, denyList) {
-  const pluginEntries = config.plugins?.entries ?? {};
-  return Object.keys(pluginEntries).map((name) => {
-    const pluginEnabled = pluginEntries[name].enabled !== false;
-    const toolsDenyBlocked = denyList.includes(`mcp__${name}`);
-    return {
-      name,
-      pluginEnabled,
-      toolsDenyBlocked,
-      effectivelyEnabled: pluginEnabled && !toolsDenyBlocked
-    };
-  });
-}
-function deriveAccessState() {
-  const config = readOpenClawConfig();
-  if (!config) {
-    return {
-      toggles: [
-        { category: "filesystem", enabled: true },
-        { category: "mcp_servers", enabled: true },
-        { category: "network", enabled: true },
-        { category: "system_commands", enabled: true }
-      ],
-      mcpServers: [],
-      openclawConfigAvailable: false
-    };
+// src/lib/srt-config.ts
+import fs8 from "fs";
+import { execSync } from "child_process";
+var DEFAULT_SRT_SETTINGS = {
+  network: {
+    allowedDomains: [],
+    deniedDomains: [],
+    allowLocalBinding: false
+  },
+  filesystem: {
+    denyRead: [],
+    allowWrite: [],
+    denyWrite: []
   }
-  const denyList = config.tools?.deny ?? [];
-  const filesystemEnabled = !denyList.includes("group:fs");
-  const systemCommandsEnabled = !denyList.includes("group:runtime");
-  const networkEnabled = !denyList.includes("group:web") && config.browser?.enabled !== false;
-  const pluginEntries = config.plugins?.entries ?? {};
-  const pluginNames = Object.keys(pluginEntries);
-  const mcpEnabled = pluginNames.length === 0 || pluginNames.some((name) => pluginEntries[name].enabled !== false);
-  const toggles = [
-    { category: "filesystem", enabled: filesystemEnabled },
-    { category: "mcp_servers", enabled: mcpEnabled },
-    { category: "network", enabled: networkEnabled },
-    { category: "system_commands", enabled: systemCommandsEnabled }
-  ];
-  const mcpServers = deriveMcpServerStates(config, denyList);
-  return { toggles, mcpServers, openclawConfigAvailable: true };
+};
+var srtInstalledCache = null;
+function getSrtSettingsPath() {
+  const config = readConfig();
+  return config.srt?.settingsPath ?? SRT_SETTINGS_PATH;
 }
-async function applyAccessToggle(category, enabled) {
-  const config = readOpenClawConfig();
-  if (!config) {
-    throw new Error("OpenClaw config not found");
-  }
-  if (category === "mcp_servers") {
-    await applyMcpToggle(config, enabled);
-  } else if (category === "network") {
-    applyNetworkToggle(config, enabled);
-  } else {
-    applyToolGroupToggle(config, category, enabled);
+function isSrtInstalled() {
+  if (srtInstalledCache?.installed) return srtInstalledCache;
+  try {
+    const output = execSync("srt --version", { timeout: 3e3, encoding: "utf-8" }).trim();
+    const version = output.replace(/^srt\s*/i, "").trim() || output;
+    srtInstalledCache = { installed: true, version };
+    return srtInstalledCache;
+  } catch {
+    return { installed: false, version: null };
   }
-  await updateAuditDb(category, enabled);
-  return deriveAccessState();
 }
-async function applyMcpServerToggle(serverName, enabled) {
-  const config = readOpenClawConfig();
-  if (!config) {
-    throw new Error("OpenClaw config not found");
-  }
-  const denyPattern = `mcp__${serverName}`;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== denyPattern);
-    writeOpenClawConfig({ tools: { deny: filtered } });
-  } else {
-    if (!currentDeny.includes(denyPattern)) {
-      currentDeny.push(denyPattern);
-    }
-    writeOpenClawConfig({ tools: { deny: currentDeny } });
+function readSrtSettings() {
+  const settingsPath = getSrtSettingsPath();
+  if (!fs8.existsSync(settingsPath)) return null;
+  try {
+    const raw = JSON.parse(fs8.readFileSync(settingsPath, "utf-8"));
+    return srtSettingsSchema.parse(raw);
+  } catch {
+    return null;
   }
-  await updateAuditDb(`mcp_server:${serverName}`, enabled);
-  return deriveAccessState();
 }
-function applyToolGroupToggle(config, category, enabled) {
-  const groupName = TOOL_GROUP_MAP[category];
-  if (!groupName) return;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== groupName);
-    writeOpenClawConfig({ tools: { deny: filtered } });
-  } else {
-    if (!currentDeny.includes(groupName)) {
-      currentDeny.push(groupName);
-    }
-    writeOpenClawConfig({ tools: { deny: currentDeny } });
-  }
+function writeSrtSettings(settings) {
+  const settingsPath = getSrtSettingsPath();
+  fs8.writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
 }
-function applyNetworkToggle(config, enabled) {
-  const currentDeny = [...config.tools?.deny ?? []];
-  const groupName = "group:web";
+function ensureSrtSettings() {
+  const existing = readSrtSettings();
+  if (existing) return existing;
+  writeSrtSettings(DEFAULT_SRT_SETTINGS);
+  return DEFAULT_SRT_SETTINGS;
+}
+function getSrtStatus() {
+  const { installed, version } = isSrtInstalled();
+  const config = readConfig();
+  const enabled = config.srt?.enabled ?? false;
+  const settingsPath = getSrtSettingsPath();
+  const settings = readSrtSettings();
+  return { installed, version, enabled, settingsPath, settings };
+}
+function toggleSrt(enabled) {
+  const config = readConfig();
+  writeConfig({
+    ...config,
+    srt: { ...config.srt, enabled }
+  });
   if (enabled) {
-    const filtered = currentDeny.filter((entry) => entry !== groupName);
-    writeOpenClawConfig({
-      tools: { deny: filtered },
-      browser: { enabled: true }
-    });
-  } else {
-    if (!currentDeny.includes(groupName)) {
-      currentDeny.push(groupName);
-    }
-    writeOpenClawConfig({
-      tools: { deny: currentDeny },
-      browser: { enabled: false }
-    });
+    ensureSrtSettings();
   }
+  return getSrtStatus();
 }
-async function applyMcpToggle(config, enabled) {
-  const pluginEntries = config.plugins?.entries ?? {};
-  const pluginNames = Object.keys(pluginEntries);
-  if (pluginNames.length === 0) return;
-  const currentDeny = [...config.tools?.deny ?? []];
-  if (!enabled) {
-    const stateMap = {};
-    for (const name of pluginNames) {
-      stateMap[name] = pluginEntries[name].enabled !== false;
-    }
-    await savePreviousPluginState(stateMap);
-    const disabledEntries = {};
-    for (const name of pluginNames) {
-      disabledEntries[name] = { enabled: false };
-    }
-    for (const name of pluginNames) {
-      const denyPattern = `mcp__${name}`;
-      if (!currentDeny.includes(denyPattern)) {
-        currentDeny.push(denyPattern);
-      }
-    }
-    writeOpenClawConfig({
-      plugins: { entries: disabledEntries },
-      tools: { deny: currentDeny }
-    });
-  } else {
-    const previousState = await loadPreviousPluginState();
-    const restoredEntries = {};
-    for (const name of pluginNames) {
-      restoredEntries[name] = {
-        enabled: previousState?.[name] ?? true
-      };
-    }
-    const mcpDenyPatterns = new Set(pluginNames.map((n) => `mcp__${n}`));
-    const filteredDeny = currentDeny.filter(
-      (entry) => !mcpDenyPatterns.has(entry)
-    );
-    writeOpenClawConfig({
-      plugins: { entries: restoredEntries },
-      tools: { deny: filteredDeny }
-    });
+function addAllowedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  if (!normalized) return settings;
+  settings.network.deniedDomains = settings.network.deniedDomains.filter(
+    (d) => d !== normalized
+  );
+  if (!settings.network.allowedDomains.includes(normalized)) {
+    settings.network.allowedDomains.push(normalized);
   }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function savePreviousPluginState(stateMap) {
-  const db = getDb();
-  const existing = await db.select().from(schema_exports.accessConfig).where(
-    and2(
-      eq3(schema_exports.accessConfig.category, "mcp_servers"),
-      eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-    )
+function removeAllowedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  settings.network.allowedDomains = settings.network.allowedDomains.filter(
+    (d) => d !== normalized
   );
-  if (existing.length > 0) {
-    await db.update(schema_exports.accessConfig).set({
-      value: JSON.stringify(stateMap),
-      updatedAt: sql4`datetime('now')`
-    }).where(
-      and2(
-        eq3(schema_exports.accessConfig.category, "mcp_servers"),
-        eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-      )
-    );
-  } else {
-    await db.insert(schema_exports.accessConfig).values({
-      category: "mcp_servers",
-      key: "previous_plugin_state",
-      value: JSON.stringify(stateMap)
-    });
-  }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function loadPreviousPluginState() {
-  const db = getDb();
-  const rows = await db.select().from(schema_exports.accessConfig).where(
-    and2(
-      eq3(schema_exports.accessConfig.category, "mcp_servers"),
-      eq3(schema_exports.accessConfig.key, "previous_plugin_state")
-    )
+function addDeniedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  if (!normalized) return settings;
+  settings.network.allowedDomains = settings.network.allowedDomains.filter(
+    (d) => d !== normalized
   );
-  if (rows.length === 0) return null;
-  try {
-    return JSON.parse(rows[0].value);
-  } catch {
-    return null;
+  if (!settings.network.deniedDomains.includes(normalized)) {
+    settings.network.deniedDomains.push(normalized);
   }
+  writeSrtSettings(settings);
+  return settings;
 }
-async function updateAuditDb(category, enabled) {
-  const db = getDb();
-  try {
-    await db.update(schema_exports.accessConfig).set({
-      value: enabled ? "true" : "false",
-      updatedAt: sql4`datetime('now')`
-    }).where(
-      and2(
-        eq3(schema_exports.accessConfig.category, category),
-        eq3(schema_exports.accessConfig.key, "enabled")
-      )
-    );
-  } catch (err) {
-    logger.warn({ err, category, enabled }, "Failed to update audit DB");
+function removeDeniedDomain(domain) {
+  const settings = ensureSrtSettings();
+  const normalized = domain.trim().toLowerCase();
+  settings.network.deniedDomains = settings.network.deniedDomains.filter(
+    (d) => d !== normalized
+  );
+  writeSrtSettings(settings);
+  return settings;
+}
+function updateSrtSettings(updates) {
+  const settings = ensureSrtSettings();
+  if (updates.network) {
+    settings.network = { ...settings.network, ...updates.network };
   }
+  if (updates.filesystem) {
+    settings.filesystem = { ...settings.filesystem, ...updates.filesystem };
+  }
+  writeSrtSettings(settings);
+  return settings;
 }
 // src/server/socket.ts
@@ -3237,6 +3569,38 @@ function setupSocketIO(httpServer) {
         logger.error({ err, pattern }, "Failed to remove restricted pattern");
       }
     });
+    socket.on("safeclaw:getSrtStatus", () => {
+      socket.emit("safeclaw:srtStatus", getSrtStatus());
+    });
+    socket.on("safeclaw:toggleSrt", ({ enabled }) => {
+      const status = toggleSrt(enabled);
+      logger.info(`SRT toggled: enabled=${enabled}`);
+      io.emit("safeclaw:srtStatus", status);
+    });
+    socket.on("safeclaw:updateSrtDomains", ({ list, action, domain }) => {
+      try {
+        if (list === "allow") {
+          if (action === "add") addAllowedDomain(domain);
+          else removeAllowedDomain(domain);
+        } else {
+          if (action === "add") addDeniedDomain(domain);
+          else removeDeniedDomain(domain);
+        }
+        logger.info({ list, action, domain }, "SRT domain updated");
+        io.emit("safeclaw:srtStatus", getSrtStatus());
+      } catch (err) {
+        logger.error({ err, list, action, domain }, "Failed to update SRT domain");
+      }
+    });
+    socket.on("safeclaw:updateSrtSettings", (updates) => {
+      try {
+        updateSrtSettings(updates);
+        logger.info({ updates }, "SRT settings updated");
+        io.emit("safeclaw:srtStatus", getSrtStatus());
+      } catch (err) {
+        logger.error({ err }, "Failed to update SRT settings");
+      }
+    });
     socket.on("disconnect", () => {
       logger.info(`Client disconnected: ${socket.id}`);
     });
@@ -3245,7 +3609,1054 @@ function setupSocketIO(httpServer) {
 }
 // src/server/routes.ts
-import { desc as desc4, eq as eq5, and as and4, sql as sql6 } from "drizzle-orm";
+import { desc as desc4, eq as eq6, and as and5, sql as sql7 } from "drizzle-orm";
+// src/lib/skill-scanner-patterns.ts
+var HIDDEN_CONTENT_PATTERNS = [
+  // HTML comments with instructional content
+  { pattern: /<!--[\s\S]*?(?:instruction|command|execute|ignore|override|system|prompt|inject|do not|must|should|always|never)[\s\S]*?-->/i, label: "HTML comment with instructions", severity: "CRITICAL" },
+  { pattern: /<!--[\s\S]{50,}?-->/s, label: "Large HTML comment (>50 chars)", severity: "HIGH" },
+  // Zero-width Unicode characters
+  { pattern: /[\u200B\u200C\u200D\u200E\u200F]/, label: "Zero-width Unicode character (U+200B-200F)", severity: "CRITICAL" },
+  { pattern: /[\u2060\u2061\u2062\u2063\u2064]/, label: "Invisible Unicode separator (U+2060-2064)", severity: "CRITICAL" },
+  { pattern: /[\uFEFF]/, label: "Zero-width no-break space (BOM)", severity: "HIGH" },
+  // CSS hiding
+  { pattern: /display\s*:\s*none/i, label: "CSS display:none", severity: "HIGH" },
+  { pattern: /opacity\s*:\s*0(?:[;\s]|$)/i, label: "CSS opacity:0", severity: "HIGH" },
+  { pattern: /visibility\s*:\s*hidden/i, label: "CSS visibility:hidden", severity: "HIGH" },
+  // Bidi overrides
+  { pattern: /[\u202A\u202B\u202C\u202D\u202E]/, label: "Bidi override character", severity: "CRITICAL" },
+  { pattern: /[\u2066\u2067\u2068\u2069]/, label: "Bidi isolate character", severity: "CRITICAL" }
+];
+var PROMPT_INJECTION_PATTERNS = [
+  { pattern: /\b(?:ignore|disregard|forget|override)\s+(?:all\s+)?(?:previous|prior|above|your)\s+(?:instructions?|rules?|prompts?|guidelines?|constraints?)/i, label: "Override previous instructions", severity: "CRITICAL" },
+  { pattern: /\b(?:you\s+(?:are|must|should|will)\s+(?:now|henceforth|from\s+now)\s+(?:be|act|behave|respond)\s+(?:as|like))/i, label: "Role reassignment", severity: "CRITICAL" },
+  { pattern: /\bnew\s+instructions?\s*:/i, label: "New instructions directive", severity: "CRITICAL" },
+  { pattern: /\[INST\]|\[\/INST\]|<\|im_start\|>|<\|im_end\|>/i, label: "Special model tokens", severity: "CRITICAL" },
+  { pattern: /\bsystem\s*prompt\s*(?:override|injection|:)/i, label: "System prompt manipulation", severity: "CRITICAL" },
+  { pattern: /\bdo\s+not\s+(?:follow|obey|listen\s+to)\s+(?:the|your|any)\s+(?:original|previous|prior)/i, label: "Instruction disobedience", severity: "CRITICAL" },
+  { pattern: /\b(?:IMPORTANT|CRITICAL|URGENT)\s*:\s*(?:ignore|override|disregard|you must)/i, label: "Urgent override phrasing", severity: "HIGH" },
+  { pattern: /\b(?:pretend|imagine|suppose)\s+(?:you\s+are|that\s+you)/i, label: "Persona manipulation", severity: "MEDIUM" },
+  { pattern: /\bact\s+as\s+(?:a|an|if)\b/i, label: "Act-as directive", severity: "MEDIUM" }
+];
+var SHELL_EXECUTION_PATTERNS = [
+  { pattern: /(?:curl|wget)\s+[^\n]*\|\s*(?:sh|bash|zsh|node|python)/i, label: "Download and execute (curl|bash)", severity: "CRITICAL" },
+  { pattern: /\beval\s*\(/, label: "eval() call", severity: "CRITICAL" },
+  { pattern: /\bexec\s*\(/, label: "exec() call", severity: "HIGH" },
+  { pattern: /\bnpx\s+-y\s+/, label: "npx -y (auto-confirm remote package)", severity: "HIGH" },
+  { pattern: /\/dev\/tcp\//, label: "Reverse shell via /dev/tcp", severity: "CRITICAL" },
+  { pattern: /\bnc\s+.*-e\s+/, label: "Netcat with exec (nc -e)", severity: "CRITICAL" },
+  { pattern: /\bmkfifo\b.*\bnc\b/s, label: "Named pipe + netcat (reverse shell)", severity: "CRITICAL" },
+  { pattern: /python[23]?\s+-c\s+.*(?:socket|subprocess|os\.system)/i, label: "Python one-liner with system access", severity: "CRITICAL" },
+  { pattern: /\bphp\s+-r\s+.*(?:exec|system|passthru|shell_exec)/i, label: "PHP exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bperl\s+-e\s+.*(?:socket|exec|system)/i, label: "Perl exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bruby\s+-e\s+.*(?:exec|system|spawn)/i, label: "Ruby exec one-liner", severity: "CRITICAL" },
+  { pattern: /\bchmod\s+\+x\b/, label: "Make file executable", severity: "MEDIUM" }
+];
+var DATA_EXFILTRATION_PATTERNS = [
+  { pattern: /pastebin\.com/, label: "pastebin.com", severity: "HIGH" },
+  { pattern: /paste\.ee/, label: "paste.ee", severity: "HIGH" },
+  { pattern: /transfer\.sh/, label: "transfer.sh", severity: "HIGH" },
+  { pattern: /ngrok\.io/, label: "ngrok.io", severity: "HIGH" },
+  { pattern: /requestbin/i, label: "requestbin", severity: "HIGH" },
+  { pattern: /webhook\.site/, label: "webhook.site", severity: "HIGH" },
+  { pattern: /pipedream\.net/, label: "pipedream.net", severity: "HIGH" },
+  { pattern: /hookbin\.com/, label: "hookbin.com", severity: "HIGH" },
+  { pattern: /beeceptor\.com/, label: "beeceptor.com", severity: "HIGH" },
+  { pattern: /postb\.in/, label: "postb.in", severity: "HIGH" },
+  { pattern: /https?:\/\/hooks\.slack\.com\/services\//, label: "Slack webhook URL", severity: "HIGH" },
+  { pattern: /https?:\/\/discord(?:app)?\.com\/api\/webhooks\//, label: "Discord webhook URL", severity: "HIGH" },
+  { pattern: /https?:\/\/api\.telegram\.org\/bot/, label: "Telegram bot API URL", severity: "HIGH" },
+  { pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/, label: "Raw IP URL", severity: "HIGH" }
+];
+var MEMORY_POISONING_PATTERNS = [
+  { pattern: /\bSOUL\.md\b/, label: "SOUL.md reference", severity: "CRITICAL" },
+  { pattern: /\bMEMORY\.md\b/, label: "MEMORY.md reference", severity: "CRITICAL" },
+  { pattern: /\.claude\//, label: ".claude/ directory reference", severity: "CRITICAL" },
+  { pattern: /\bCLAUDE\.md\b/, label: "CLAUDE.md reference", severity: "CRITICAL" },
+  { pattern: /\.cursorrules\b/, label: ".cursorrules reference", severity: "CRITICAL" },
+  { pattern: /\.windsurfrules\b/, label: ".windsurfrules reference", severity: "CRITICAL" },
+  { pattern: /\.clinerules\b/, label: ".clinerules reference", severity: "HIGH" },
+  { pattern: /\bCODEX\.md\b/, label: "CODEX.md reference", severity: "HIGH" },
+  { pattern: /(?:write|modify|edit|append|create|overwrite)\s+(?:to\s+)?(?:the\s+)?(?:SOUL|MEMORY|CLAUDE|CODEX)\.md/i, label: "Instruction to modify agent config file", severity: "CRITICAL" },
+  { pattern: /(?:write|modify|edit|append|create|overwrite)\s+(?:to\s+)?(?:the\s+)?\.(?:cursorrules|windsurfrules|clinerules)/i, label: "Instruction to modify IDE rules file", severity: "CRITICAL" }
+];
+var SUPPLY_CHAIN_PATTERNS = [
+  { pattern: /https?:\/\/raw\.githubusercontent\.com\/[^\s]+\.(?:sh|py|js|rb|pl)\b/, label: "Raw GitHub script URL", severity: "HIGH" },
+  { pattern: /https?:\/\/[^\s]+\.(?:sh|py|js|rb|pl)(?:\s|$)/, label: "External script URL", severity: "HIGH" },
+  { pattern: /\bnpm\s+install\s+(?:-g\s+)?[a-zA-Z@]/, label: "npm install command", severity: "HIGH" },
+  { pattern: /\bpip\s+install\s+[a-zA-Z]/, label: "pip install command", severity: "HIGH" },
+  { pattern: /\bgem\s+install\s+/, label: "gem install command", severity: "HIGH" },
+  { pattern: /\bcargo\s+install\s+/, label: "cargo install command", severity: "MEDIUM" },
+  { pattern: /\bgo\s+install\s+/, label: "go install command", severity: "MEDIUM" },
+  { pattern: /\bbrew\s+install\s+/, label: "brew install command", severity: "MEDIUM" }
+];
+var ENCODED_PAYLOAD_PATTERNS = [
+  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/, label: "Base64 string (>40 chars)", severity: "HIGH" },
+  { pattern: /\batob\s*\(/, label: "atob() call (base64 decode)", severity: "HIGH" },
+  { pattern: /\bbtoa\s*\(/, label: "btoa() call (base64 encode)", severity: "MEDIUM" },
+  { pattern: /\bBuffer\.from\s*\([^)]*,\s*['"]base64['"]\)/, label: "Buffer.from base64", severity: "HIGH" },
+  { pattern: /(?:\\x[0-9a-fA-F]{2}){8,}/, label: "Hex escape sequence (8+ bytes)", severity: "HIGH" },
+  { pattern: /String\.fromCharCode\s*\((?:\s*\d+\s*,?\s*){5,}\)/, label: "String.fromCharCode (5+ codes)", severity: "HIGH" },
+  { pattern: /\|\s*base64\s+(?:-d|--decode)/, label: "Piped base64 decode", severity: "CRITICAL" }
+];
+var IMAGE_EXFIL_PATTERNS = [
+  // URL-based exfiltration (original 5)
+  { pattern: /!\[.*?\]\(https?:\/\/[^\s)]*(?:\?|&)(?:data|content|file|token|secret|key|password|env)=[^\s)]*\)/i, label: "Image URL with exfil query params", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\(https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^\s)]*\)/, label: "Image from raw IP address", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\([^)]*\$\{[^}]+\}[^)]*\)/, label: "Variable interpolation in image URL", severity: "CRITICAL" },
+  { pattern: /!\[.*?\]\([^)]*\$\([^)]+\)[^)]*\)/, label: "Command substitution in image URL", severity: "CRITICAL" },
+  { pattern: /<img[^>]+src\s*=\s*["'][^"']*\$\{[^}]+\}[^"']*["']/i, label: "Variable interpolation in img src", severity: "CRITICAL" },
+  // Group A: Data URI image payloads
+  { pattern: /!\[.*?\]\(data:image\/[^\s)]+\)/i, label: "Data URI image in markdown", severity: "CRITICAL" },
+  { pattern: /<img[^>]+src\s*=\s*["']data:image\/[^"']+["']/i, label: "Data URI image in HTML img tag", severity: "CRITICAL" },
+  { pattern: /data:image\/[^;]+;base64,[A-Za-z0-9+/]{200,}/, label: "Large base64 data URI (steganographic carrier)", severity: "CRITICAL" },
+  // Group B: SVG embedded scripts & data
+  { pattern: /<svg[\s>][\s\S]*?<script[\s>]/i, label: "SVG with embedded script tag", severity: "CRITICAL" },
+  { pattern: /<svg[\s>][\s\S]*?\bon(?:load|error|click|mouseover)\s*=/i, label: "SVG with event handler", severity: "CRITICAL" },
+  { pattern: /<svg[\s>][\s\S]*?<foreignObject[\s>]/i, label: "SVG with foreignObject (arbitrary HTML embed)", severity: "HIGH" },
+  { pattern: /data:image\/svg\+xml[^"'\s)]+/i, label: "SVG data URI (inline payload + script risk)", severity: "CRITICAL" },
+  // Group C: Web beacons / tracking pixels
+  { pattern: /<img[^>]+(?:width\s*=\s*["']?1["']?[^>]+height\s*=\s*["']?1["']?|height\s*=\s*["']?1["']?[^>]+width\s*=\s*["']?1["']?)/i, label: "1x1 tracking pixel (web beacon)", severity: "HIGH" },
+  { pattern: /<img[^>]+style\s*=\s*["'][^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0|width\s*:\s*0|height\s*:\s*0)/i, label: "CSS-hidden image beacon", severity: "HIGH" },
+  // Group D: Steganography tool references
+  { pattern: /\b(?:steghide|stegano|openstego|zsteg|stegsolve|stegdetect|steganograph(?:y|ic)?|outguess|pixelknot|deepsteg|stegpy)\b/i, label: "Steganography tool/library reference", severity: "HIGH" },
+  // Group E: Canvas pixel manipulation
+  { pattern: /\b(?:getImageData|putImageData|createImageData|toDataURL|drawImage)\s*\(/i, label: "Canvas API pixel manipulation", severity: "HIGH" },
+  // Group F: Double extension disguise
+  { pattern: /\.(?:png|jpe?g|gif|bmp|webp|svg|ico|tiff?)\.(?:exe|sh|bat|cmd|ps1|py|rb|pl|js|vbs|com|scr|msi)\b/i, label: "Double file extension (executable disguised as image)", severity: "CRITICAL" },
+  // Group G: Obfuscated image URLs
+  { pattern: /!\[.*?\]\([^)]*(?:%[0-9a-fA-F]{2}){5,}[^)]*\)/, label: "Excessive URL encoding in image URL", severity: "MEDIUM" }
+];
+var SYSTEM_PROMPT_EXTRACTION_PATTERNS = [
+  { pattern: /\b(?:reveal|show|print|output|display|repeat|echo)\s+(?:your\s+)?(?:system\s+)?(?:prompt|instructions|rules|guidelines)/i, label: "System prompt reveal request", severity: "HIGH" },
+  { pattern: /\brepeat\s+(?:the\s+)?(?:words?|text|everything)\s+above\b/i, label: "Repeat words above", severity: "HIGH" },
+  { pattern: /\bprint\s+everything\s+above\b/i, label: "Print everything above", severity: "HIGH" },
+  { pattern: /\bwhat\s+(?:are|were)\s+your\s+(?:original\s+)?(?:instructions|directives|rules)\b/i, label: "Ask for original instructions", severity: "MEDIUM" },
+  { pattern: /\btell\s+me\s+your\s+(?:system\s+)?prompt\b/i, label: "Ask for system prompt", severity: "HIGH" }
+];
+var ARGUMENT_INJECTION_PATTERNS = [
+  { pattern: /\$\([^)]+\)/, label: "Command substitution $()", severity: "CRITICAL" },
+  { pattern: /\$\{[^}]+\}/, label: "Variable expansion ${}", severity: "HIGH" },
+  { pattern: /`[^`]+`/, label: "Backtick command substitution", severity: "HIGH" },
+  { pattern: /;\s*(?:rm|cat|curl|wget|nc|python|perl|ruby|sh|bash)\b/, label: "Shell metachar chained command", severity: "CRITICAL" },
+  { pattern: /\|\s*(?:sh|bash|zsh|python|perl|ruby|node)\b/, label: "Pipe to interpreter", severity: "CRITICAL" },
+  { pattern: /&&\s*(?:rm|curl|wget|nc|python|perl|ruby)\b/, label: "AND-chained dangerous command", severity: "HIGH" },
+  // GTFOBINS exploitation flags
+  { pattern: /\b(?:tar|zip|find|vim|less|more|man|nmap)\b.*--(?:exec|checkpoint-action|to-command)/i, label: "GTFOBINS exploitation flags", severity: "CRITICAL" }
+];
+var CROSS_TOOL_PATTERNS = [
+  { pattern: /(?:read|cat|view)\s+(?:the\s+)?(?:file|content)[\s\S]{0,100}(?:send|post|upload|transmit|exfiltrate)/is, label: "Read-then-exfiltrate pattern", severity: "HIGH" },
+  { pattern: /(?:first|step\s*1)[\s\S]{0,200}(?:then|step\s*2|next|after\s+that)[\s\S]{0,200}(?:then|step\s*3|finally)/is, label: "Multi-step tool invocation", severity: "HIGH" },
+  { pattern: /\b(?:use_mcp_tool|call_tool|execute_tool|run_tool|invoke_tool)\b/i, label: "Direct tool reference", severity: "MEDIUM" },
+  { pattern: /\b(?:read_file|write_file|execute_command|list_directory|search_files)\s*\(/i, label: "Tool function call syntax", severity: "MEDIUM" }
+];
+var EXCESSIVE_PERMISSION_PATTERNS = [
+  { pattern: /\bunrestricted\s+access\b/i, label: "Unrestricted access request", severity: "HIGH" },
+  { pattern: /\bbypass\s+(?:security|restrictions?|permissions?|safeguards?|protections?|filters?)\b/i, label: "Security bypass request", severity: "HIGH" },
+  { pattern: /\bno\s+restrictions?\b/i, label: "No restrictions request", severity: "HIGH" },
+  { pattern: /\b(?:root|admin(?:istrator)?|superuser)\s+(?:access|privileges?|permissions?)\b/i, label: "Root/admin access request", severity: "HIGH" },
+  { pattern: /\bdisable\s+(?:all\s+)?(?:safety|security|restrictions?|protections?|checks?|filters?)\b/i, label: "Disable safety request", severity: "HIGH" },
+  { pattern: /\bfull\s+(?:system\s+)?(?:access|control|permissions?)\b/i, label: "Full access request", severity: "MEDIUM" }
+];
+// src/lib/skill-scanner.ts
+var SEVERITY_ORDER2 = {
+  NONE: 0,
+  LOW: 1,
+  MEDIUM: 2,
+  HIGH: 3,
+  CRITICAL: 4
+};
+function getLineNumber(content, index) {
+  let line = 1;
+  for (let i = 0; i < index && i < content.length; i++) {
+    if (content[i] === "\n") line++;
+  }
+  return line;
+}
+function maxSeverity(a, b) {
+  return SEVERITY_ORDER2[a] >= SEVERITY_ORDER2[b] ? a : b;
+}
+function runPatternScan(content, patterns, categoryId, categoryName, owaspRef, remediation) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { pattern, label, severity } of patterns) {
+    const globalPattern = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
+    let match;
+    while ((match = globalPattern.exec(content)) !== null) {
+      const key = `${categoryId}:${label}:${match.index}`;
+      if (seen.has(key)) break;
+      seen.add(key);
+      const evidence = match[0].length > 120 ? match[0].slice(0, 120) + "..." : match[0];
+      findings.push({
+        categoryId,
+        categoryName,
+        severity,
+        reason: label,
+        evidence,
+        owaspRef,
+        remediation,
+        lineNumber: getLineNumber(content, match.index)
+      });
+      break;
+    }
+  }
+  return findings;
+}
+function scanHiddenContent(content) {
+  return runPatternScan(
+    content,
+    HIDDEN_CONTENT_PATTERNS,
+    "SK-HID",
+    "Hidden Content",
+    "LLM01",
+    "Remove all hidden content. HTML comments, zero-width characters, and CSS hiding can conceal malicious instructions from human reviewers."
+  );
+}
+function scanPromptInjection(content) {
+  return runPatternScan(
+    content,
+    PROMPT_INJECTION_PATTERNS,
+    "SK-INJ",
+    "Prompt Injection",
+    "LLM01",
+    "Remove prompt injection vectors. These phrases attempt to override the agent's instructions and redirect its behavior."
+  );
+}
+function scanShellExecution(content) {
+  return runPatternScan(
+    content,
+    SHELL_EXECUTION_PATTERNS,
+    "SK-EXE",
+    "Shell Execution",
+    "LLM06",
+    "Remove dangerous shell commands. Skill definitions should not contain executable code, reverse shells, or remote code execution patterns."
+  );
+}
+function scanDataExfiltration(content) {
+  const findings = runPatternScan(
+    content,
+    DATA_EXFILTRATION_PATTERNS,
+    "SK-EXF",
+    "Data Exfiltration",
+    "LLM02",
+    "Remove or replace exfiltration URLs. These destinations are commonly used to steal data from compromised systems."
+  );
+  for (const { pattern, label } of EXFILTRATION_URLS) {
+    const globalPattern = new RegExp(pattern.source, "gi");
+    const match = globalPattern.exec(content);
+    if (match) {
+      const alreadyFound = findings.some((f) => f.evidence?.includes(match[0]));
+      if (!alreadyFound) {
+        findings.push({
+          categoryId: "SK-EXF",
+          categoryName: "Data Exfiltration",
+          severity: "HIGH",
+          reason: `Exfiltration URL: ${label}`,
+          evidence: match[0],
+          owaspRef: "LLM02",
+          remediation: "Remove or replace exfiltration URLs.",
+          lineNumber: getLineNumber(content, match.index)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function scanEmbeddedSecrets(content) {
+  const { types } = scanForSecrets(content);
+  if (types.length === 0) return [];
+  const findings = [];
+  for (const secretType of types) {
+    findings.push({
+      categoryId: "SK-SEC",
+      categoryName: "Embedded Secrets",
+      severity: "CRITICAL",
+      reason: `Embedded credential: ${secretType}`,
+      owaspRef: "LLM02",
+      remediation: "Remove all hardcoded credentials. Use environment variables or a secrets manager instead."
+    });
+  }
+  return findings;
+}
+function scanSensitiveFileRefs(content) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { pattern, label, readSeverity } of SENSITIVE_PATH_RULES) {
+    const globalPattern = new RegExp(pattern.source, "g");
+    const match = globalPattern.exec(content);
+    if (match && !seen.has(label)) {
+      seen.add(label);
+      findings.push({
+        categoryId: "SK-SFA",
+        categoryName: "Sensitive File References",
+        severity: readSeverity,
+        reason: `Reference to sensitive path: ${label}`,
+        evidence: match[0],
+        owaspRef: "LLM02",
+        remediation: "Remove references to sensitive files and directories. Skills should not instruct agents to access credentials, keys, or system auth files.",
+        lineNumber: getLineNumber(content, match.index)
+      });
+    }
+  }
+  return findings;
+}
+function scanMemoryPoisoning(content) {
+  return runPatternScan(
+    content,
+    MEMORY_POISONING_PATTERNS,
+    "SK-MEM",
+    "Memory/Config Poisoning",
+    "LLM05",
+    "Remove instructions that modify agent memory or configuration files. This is a persistence technique that can compromise future sessions."
+  );
+}
+function scanSupplyChainRisk(content) {
+  return runPatternScan(
+    content,
+    SUPPLY_CHAIN_PATTERNS,
+    "SK-SUP",
+    "Supply Chain Risk",
+    "LLM03",
+    "Verify all external dependencies and script URLs. Prefer pinned versions and checksums over arbitrary remote scripts."
+  );
+}
+function scanEncodedPayloads(content) {
+  return runPatternScan(
+    content,
+    ENCODED_PAYLOAD_PATTERNS,
+    "SK-B64",
+    "Encoded Payloads",
+    "LLM01",
+    "Decode and inspect encoded content. Base64 and hex encoding is commonly used to evade pattern detection in malicious skills."
+  );
+}
+function scanImageExfiltration(content) {
+  return runPatternScan(
+    content,
+    IMAGE_EXFIL_PATTERNS,
+    "SK-IMG",
+    "Image Exfiltration",
+    "LLM02",
+    "Remove image tags with dynamic, suspicious, or embedded content. Images can exfiltrate data via query parameters, inline data URIs, SVG scripts, tracking pixels, or steganographic encoding. Avoid data: URIs, SVG images with scripts, and references to steganography tools."
+  );
+}
+function scanSystemPromptExtraction(content) {
+  return runPatternScan(
+    content,
+    SYSTEM_PROMPT_EXTRACTION_PATTERNS,
+    "SK-SYS",
+    "System Prompt Extraction",
+    "LLM01",
+    "Remove instructions that attempt to extract system prompts. This information can be used to craft more effective attacks."
+  );
+}
+function scanArgumentInjection(content) {
+  return runPatternScan(
+    content,
+    ARGUMENT_INJECTION_PATTERNS,
+    "SK-ARG",
+    "Argument Injection",
+    "LLM01",
+    "Remove shell metacharacters and command substitution patterns. These can be used to inject arbitrary commands via tool arguments."
+  );
+}
+function scanCrossToolChaining(content) {
+  return runPatternScan(
+    content,
+    CROSS_TOOL_PATTERNS,
+    "SK-XTL",
+    "Cross-Tool Chaining",
+    "LLM05",
+    "Review multi-step tool invocation instructions carefully. Attackers chain legitimate tools to achieve malicious outcomes."
+  );
+}
+function scanExcessivePermissions(content) {
+  return runPatternScan(
+    content,
+    EXCESSIVE_PERMISSION_PATTERNS,
+    "SK-PRM",
+    "Excessive Permissions",
+    "LLM01",
+    "Remove requests for unrestricted access or security bypasses. Skills should operate with minimal required permissions."
+  );
+}
+function scanSuspiciousStructure(content) {
+  const findings = [];
+  if (content.length > 1e4) {
+    findings.push({
+      categoryId: "SK-STR",
+      categoryName: "Suspicious Structure",
+      severity: "MEDIUM",
+      reason: `Unusually large skill definition (${content.length.toLocaleString()} characters)`,
+      remediation: "Large skill definitions have more surface area for hidden threats. Consider splitting into smaller, focused skills."
+    });
+  }
+  const lines = content.split("\n").filter((l) => l.trim().length > 0);
+  if (lines.length > 10) {
+    const imperativePattern = /^\s*(?:you\s+(?:must|should|will|need\s+to)|always|never|do\s+not|ensure|make\s+sure|immediately|execute|run|create|write|read|send|post|upload|download|install|delete|remove|modify|change|update)/i;
+    const imperativeCount = lines.filter((l) => imperativePattern.test(l)).length;
+    const ratio = imperativeCount / lines.length;
+    if (ratio > 0.3) {
+      findings.push({
+        categoryId: "SK-STR",
+        categoryName: "Suspicious Structure",
+        severity: "MEDIUM",
+        reason: `High imperative instruction density (${Math.round(ratio * 100)}% of lines are directives)`,
+        remediation: "Skills with a high density of imperative instructions may be attempting to control agent behavior beyond their stated purpose."
+      });
+    }
+  }
+  return findings;
+}
+function scanSkillDefinition(content) {
+  const startTime = performance.now();
+  const allFindings = [
+    ...scanHiddenContent(content),
+    ...scanPromptInjection(content),
+    ...scanShellExecution(content),
+    ...scanDataExfiltration(content),
+    ...scanEmbeddedSecrets(content),
+    ...scanSensitiveFileRefs(content),
+    ...scanMemoryPoisoning(content),
+    ...scanSupplyChainRisk(content),
+    ...scanEncodedPayloads(content),
+    ...scanImageExfiltration(content),
+    ...scanSystemPromptExtraction(content),
+    ...scanArgumentInjection(content),
+    ...scanCrossToolChaining(content),
+    ...scanExcessivePermissions(content),
+    ...scanSuspiciousStructure(content)
+  ];
+  const scanDurationMs = Math.round(performance.now() - startTime);
+  const summary = { critical: 0, high: 0, medium: 0, low: 0 };
+  let overallSeverity = "NONE";
+  for (const f of allFindings) {
+    if (f.severity === "CRITICAL") summary.critical++;
+    else if (f.severity === "HIGH") summary.high++;
+    else if (f.severity === "MEDIUM") summary.medium++;
+    else if (f.severity === "LOW") summary.low++;
+    overallSeverity = maxSeverity(overallSeverity, f.severity);
+  }
+  allFindings.sort((a, b) => SEVERITY_ORDER2[b.severity] - SEVERITY_ORDER2[a.severity]);
+  return {
+    overallSeverity,
+    findings: allFindings,
+    summary,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    contentLength: content.length,
+    scanDurationMs
+  };
+}
+function collectRanges(content, pattern) {
+  const ranges = [];
+  const flags = pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g";
+  const re = new RegExp(pattern.source, flags);
+  let m;
+  while ((m = re.exec(content)) !== null) {
+    ranges.push({ start: m.index, end: m.index + m[0].length });
+    if (m[0].length === 0) break;
+  }
+  return ranges;
+}
+function cleanSkillDefinition(content) {
+  const ranges = [];
+  const allScanPatterns = [
+    ...HIDDEN_CONTENT_PATTERNS,
+    ...PROMPT_INJECTION_PATTERNS,
+    ...SHELL_EXECUTION_PATTERNS,
+    ...DATA_EXFILTRATION_PATTERNS,
+    ...MEMORY_POISONING_PATTERNS,
+    ...SUPPLY_CHAIN_PATTERNS,
+    ...ENCODED_PAYLOAD_PATTERNS,
+    ...IMAGE_EXFIL_PATTERNS,
+    ...SYSTEM_PROMPT_EXTRACTION_PATTERNS,
+    ...ARGUMENT_INJECTION_PATTERNS,
+    ...CROSS_TOOL_PATTERNS,
+    ...EXCESSIVE_PERMISSION_PATTERNS
+  ];
+  for (const { pattern } of allScanPatterns) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of EXFILTRATION_URLS) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of SENSITIVE_PATH_RULES) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  for (const { pattern } of SECRET_PATTERNS) {
+    ranges.push(...collectRanges(content, pattern));
+  }
+  if (ranges.length === 0) return { cleanedContent: content, removedCount: 0 };
+  ranges.sort((a, b) => a.start - b.start);
+  const merged = [{ ...ranges[0] }];
+  for (let i = 1; i < ranges.length; i++) {
+    const last = merged[merged.length - 1];
+    if (ranges[i].start <= last.end) {
+      last.end = Math.max(last.end, ranges[i].end);
+    } else {
+      merged.push({ ...ranges[i] });
+    }
+  }
+  let cleaned = content;
+  for (let i = merged.length - 1; i >= 0; i--) {
+    cleaned = cleaned.slice(0, merged[i].start) + cleaned.slice(merged[i].end);
+  }
+  cleaned = cleaned.replace(/\n{3,}/g, "\n\n").trim() + "\n";
+  return { cleanedContent: cleaned, removedCount: ranges.length };
+}
+// src/services/security-posture.ts
+import fs9 from "fs";
+import { eq as eq5, ne as ne2, and as and4, sql as sql6 } from "drizzle-orm";
+function buildLayer(id, name, checks) {
+  const passedCount = checks.filter((c) => c.passed).length;
+  const totalCount = checks.length;
+  let status;
+  if (passedCount === totalCount) {
+    status = "configured";
+  } else if (passedCount === 0) {
+    status = "unconfigured";
+  } else {
+    status = "partial";
+  }
+  return { id, name, status, checks, passedCount, totalCount };
+}
+function checkSandboxLayer() {
+  const config = readOpenClawConfig();
+  const sandbox = config?.agents?.defaults?.sandbox;
+  const mode = sandbox?.mode;
+  const workspaceAccess = sandbox?.workspaceAccess;
+  const dockerNetwork = sandbox?.docker?.network;
+  const checks = [
+    {
+      id: "sandbox-mode",
+      label: "Sandbox mode enabled",
+      passed: mode === "all" || mode === "non-main",
+      detail: mode ? `Sandbox mode is "${mode}"` : "Sandbox mode is not configured",
+      severity: "critical"
+    },
+    {
+      id: "sandbox-workspace",
+      label: "Workspace access restricted",
+      passed: workspaceAccess === "ro" || workspaceAccess === "none",
+      detail: workspaceAccess ? `Workspace access is "${workspaceAccess}"` : "Workspace access not configured (defaults to rw)",
+      severity: "warning"
+    },
+    {
+      id: "sandbox-network",
+      label: "Docker network isolated",
+      passed: dockerNetwork != null && dockerNetwork !== "host",
+      detail: dockerNetwork ? `Docker network set to "${dockerNetwork}"` : "Docker network not configured",
+      severity: "info"
+    }
+  ];
+  return buildLayer("sandbox", "Sandbox Isolation", checks);
+}
+function checkFilesystemLayer() {
+  const accessState = deriveAccessState();
+  const fsToggle = accessState.toggles.find((t) => t.category === "filesystem");
+  const config = readOpenClawConfig();
+  const workspace = config?.agents?.defaults?.workspace;
+  const workspaceAccess = config?.agents?.defaults?.sandbox?.workspaceAccess;
+  const checks = [
+    {
+      id: "fs-toggle",
+      label: "Filesystem access controlled",
+      passed: fsToggle != null && !fsToggle.enabled,
+      detail: fsToggle?.enabled === false ? "Filesystem tool group is disabled" : "Filesystem tool group is enabled (agent has file access)",
+      severity: "warning"
+    },
+    {
+      id: "fs-workspace",
+      label: "Workspace path configured",
+      passed: workspace != null && workspace.length > 0,
+      detail: workspace ? `Workspace: ${workspace}` : "No explicit workspace path configured",
+      severity: "info"
+    },
+    {
+      id: "fs-workspace-restriction",
+      label: "Workspace access restricted",
+      passed: workspaceAccess === "ro" || workspaceAccess === "none",
+      detail: workspaceAccess ? `Workspace access level: "${workspaceAccess}"` : "Workspace access not restricted (defaults to rw)",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("filesystem", "Filesystem Access", checks);
+}
+function checkNetworkLayer() {
+  const accessState = deriveAccessState();
+  const netToggle = accessState.toggles.find((t) => t.category === "network");
+  const config = readOpenClawConfig();
+  const browserEnabled = config?.browser?.enabled;
+  const sandbox = config?.agents?.defaults?.sandbox;
+  const dockerNetwork = sandbox?.docker?.network;
+  const sandboxMode = sandbox?.mode;
+  const checks = [
+    {
+      id: "net-toggle",
+      label: "Network access controlled",
+      passed: netToggle != null && !netToggle.enabled,
+      detail: netToggle?.enabled === false ? "Network tool group is disabled" : "Network tool group is enabled",
+      severity: "warning"
+    },
+    {
+      id: "net-browser",
+      label: "Browser disabled",
+      passed: browserEnabled === false,
+      detail: browserEnabled === false ? "Browser is disabled" : "Browser is enabled (agent can browse web)",
+      severity: "info"
+    },
+    {
+      id: "net-docker-isolation",
+      label: "Network isolated in sandbox",
+      passed: (sandboxMode === "all" || sandboxMode === "non-main") && dockerNetwork != null && dockerNetwork !== "host",
+      detail: sandboxMode === "all" || sandboxMode === "non-main" ? dockerNetwork && dockerNetwork !== "host" ? `Sandboxed with isolated network "${dockerNetwork}"` : "Sandboxed but no network isolation configured" : "Not sandboxed \u2014 no network isolation",
+      severity: "critical"
+    }
+  ];
+  return buildLayer("network", "Network & Egress Control", checks);
+}
+async function checkCommandExecLayer() {
+  const accessState = deriveAccessState();
+  const sysToggle = accessState.toggles.find(
+    (t) => t.category === "system_commands"
+  );
+  const config = readOpenClawConfig();
+  const execSecurity = config?.tools?.exec?.security;
+  const db = getDb();
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternCount = patternRows.length;
+  const patternTexts = patternRows.map((r) => r.pattern.toLowerCase());
+  const criticalPatterns = ["sudo", "rm -rf", "chmod", "curl"];
+  const hasCritical = criticalPatterns.some(
+    (cp) => patternTexts.some((pt) => pt.includes(cp))
+  );
+  const checks = [
+    {
+      id: "exec-toggle",
+      label: "System commands controlled",
+      passed: sysToggle != null && !sysToggle.enabled,
+      detail: sysToggle?.enabled === false ? "System commands tool group is disabled" : "System commands tool group is enabled",
+      severity: "warning"
+    },
+    {
+      id: "exec-security-mode",
+      label: "Exec security mode restrictive",
+      passed: execSecurity === "deny" || execSecurity === "allowlist",
+      detail: execSecurity ? `Exec security mode: "${execSecurity}"` : "Exec security mode not configured",
+      severity: "critical"
+    },
+    {
+      id: "exec-patterns",
+      label: "Restricted patterns configured",
+      passed: patternCount > 0,
+      detail: patternCount > 0 ? `${patternCount} restricted pattern(s) in blocklist` : "No restricted patterns \u2014 all commands pass through",
+      severity: "warning"
+    },
+    {
+      id: "exec-critical-patterns",
+      label: "Critical command patterns blocked",
+      passed: hasCritical,
+      detail: hasCritical ? "Critical patterns (sudo, rm -rf, chmod, curl|bash) present" : "No critical patterns found \u2014 consider adding sudo, rm -rf, chmod",
+      severity: "critical"
+    }
+  ];
+  return buildLayer("exec", "Command Execution Controls", checks);
+}
+function checkMcpLayer() {
+  const accessState = deriveAccessState();
+  const mcpToggle = accessState.toggles.find(
+    (t) => t.category === "mcp_servers"
+  );
+  const servers = accessState.mcpServers;
+  const config = readOpenClawConfig();
+  const denyList = config?.tools?.deny ?? [];
+  const mcpDenyEntries = denyList.filter((d) => d.startsWith("mcp__"));
+  const totalServers = servers.length;
+  const enabledServers = servers.filter((s) => s.effectivelyEnabled).length;
+  const disabledServers = totalServers - enabledServers;
+  const checks = [
+    {
+      id: "mcp-toggle",
+      label: "MCP servers controlled",
+      passed: mcpToggle != null && accessState.openclawConfigAvailable,
+      detail: !accessState.openclawConfigAvailable ? "OpenClaw config unavailable" : mcpToggle?.enabled ? "MCP servers toggle is enabled" : "MCP servers toggle is disabled (all servers blocked)",
+      severity: "info"
+    },
+    {
+      id: "mcp-server-review",
+      label: "Servers individually reviewed",
+      passed: totalServers === 0 || disabledServers > 0 || mcpDenyEntries.length > 0,
+      detail: totalServers === 0 ? "No MCP servers configured" : disabledServers > 0 ? `${disabledServers}/${totalServers} server(s) disabled` : "All servers enabled \u2014 consider reviewing each server",
+      severity: "warning"
+    },
+    {
+      id: "mcp-tools-deny",
+      label: "MCP tools in deny list",
+      passed: mcpDenyEntries.length > 0,
+      detail: mcpDenyEntries.length > 0 ? `${mcpDenyEntries.length} MCP tool deny entr(ies) configured` : "No MCP-specific deny entries",
+      severity: "info"
+    }
+  ];
+  return buildLayer("mcp", "MCP Server Security", checks);
+}
+async function checkSecretLayer() {
+  const db = getDb();
+  const secretActivities = await db.select().from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SEC%'`
+    )
+  );
+  const sfaActivities = await db.select().from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SFA%'`
+    )
+  );
+  const checks = [
+    {
+      id: "secret-scanner",
+      label: "Secret scanner active",
+      passed: true,
+      detail: "Built-in secret scanner is always active",
+      severity: "info"
+    },
+    {
+      id: "secret-exposure",
+      label: "No unresolved secret exposures",
+      passed: secretActivities.length === 0,
+      detail: secretActivities.length === 0 ? "No unresolved secret exposure threats" : `${secretActivities.length} unresolved secret exposure threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "secret-file-access",
+      label: "No unresolved sensitive file access",
+      passed: sfaActivities.length === 0,
+      detail: sfaActivities.length === 0 ? "No unresolved sensitive file access threats" : `${sfaActivities.length} unresolved sensitive file access threat(s)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("secrets", "Secret & Credential Protection", checks);
+}
+async function checkThreatMonitoringLayer() {
+  const monitor = getOpenClawMonitor();
+  const connectionStatus = monitor?.getStatus() ?? "not_configured";
+  const config = readOpenClawConfig();
+  const db = getDb();
+  const activeSessions = await db.select({ count: sql6`count(*)` }).from(schema_exports.openclawSessions).where(eq5(schema_exports.openclawSessions.status, "ACTIVE"));
+  const totalThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(ne2(schema_exports.agentActivities.threatLevel, "NONE"));
+  const resolvedThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      ne2(schema_exports.agentActivities.threatLevel, "NONE"),
+      eq5(schema_exports.agentActivities.resolved, 1)
+    )
+  );
+  const total = totalThreats[0]?.count ?? 0;
+  const resolved = resolvedThreats[0]?.count ?? 0;
+  const resolutionRate = total > 0 ? Math.round(resolved / total * 100) : 100;
+  const checks = [
+    {
+      id: "monitor-connection",
+      label: "OpenClaw connected",
+      passed: connectionStatus === "connected",
+      detail: connectionStatus === "connected" ? "Connected to OpenClaw gateway" : config ? `Connection status: ${connectionStatus}` : "OpenClaw config not found",
+      severity: "critical"
+    },
+    {
+      id: "monitor-sessions",
+      label: "Session tracking active",
+      passed: (activeSessions[0]?.count ?? 0) > 0 || connectionStatus === "connected",
+      detail: (activeSessions[0]?.count ?? 0) > 0 ? `${activeSessions[0].count} active session(s)` : connectionStatus === "connected" ? "Connected, no active sessions" : "No active sessions (disconnected)",
+      severity: "info"
+    },
+    {
+      id: "monitor-resolution",
+      label: "Threats being resolved",
+      passed: resolutionRate >= 50 || total === 0,
+      detail: total === 0 ? "No threats detected yet" : `${resolved}/${total} threats resolved (${resolutionRate}%)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("monitoring", "Threat Monitoring", checks);
+}
+async function checkHumanInLoopLayer() {
+  const monitor = getOpenClawMonitor();
+  const db = getDb();
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternCount = patternRows.length;
+  const totalApprovals = await db.select({ count: sql6`count(*)` }).from(schema_exports.execApprovals);
+  const timedOut = await db.select({ count: sql6`count(*)` }).from(schema_exports.execApprovals).where(eq5(schema_exports.execApprovals.decidedBy, "auto-deny"));
+  const total = totalApprovals[0]?.count ?? 0;
+  const timedOutCount = timedOut[0]?.count ?? 0;
+  const timeoutRate = total > 0 ? Math.round(timedOutCount / total * 100) : 0;
+  const checks = [
+    {
+      id: "hitl-active",
+      label: "Exec approval system active",
+      passed: monitor != null,
+      detail: monitor ? "Exec approval system is running" : "Exec approval system not initialized",
+      severity: "critical"
+    },
+    {
+      id: "hitl-timeout-rate",
+      label: "Approval timeout rate acceptable",
+      passed: timeoutRate < 20 || total === 0,
+      detail: total === 0 ? "No approval requests yet" : `${timedOutCount}/${total} approvals timed out (${timeoutRate}%)`,
+      severity: "warning"
+    },
+    {
+      id: "hitl-patterns",
+      label: "Restricted patterns configured",
+      passed: patternCount > 0,
+      detail: patternCount > 0 ? `${patternCount} restricted pattern(s) for interception` : "No restricted patterns \u2014 nothing to intercept",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("human-in-loop", "Human-in-the-Loop Controls", checks);
+}
+async function checkEgressProxyLayer() {
+  const proxyConfigured = !!(process.env.HTTP_PROXY || process.env.HTTPS_PROXY || process.env.http_proxy || process.env.https_proxy);
+  const noProxy = process.env.NO_PROXY || process.env.no_proxy || "";
+  const proxyBypassed = noProxy.trim() === "*";
+  const srtStatus = getSrtStatus();
+  const srtActive = srtStatus.enabled && srtStatus.installed;
+  const srtHasDomainRules = srtStatus.settings != null && (srtStatus.settings.network.allowedDomains.length > 0 || srtStatus.settings.network.deniedDomains.length > 0);
+  const db = getDb();
+  const exfilActivities = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-EXF%'`
+    )
+  );
+  const netActivities = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-NET%'`
+    )
+  );
+  const exfilCount = exfilActivities[0]?.count ?? 0;
+  const netCount = netActivities[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "egress-filtering-configured",
+      label: "Egress filtering configured",
+      passed: proxyConfigured || srtActive,
+      detail: srtActive ? "Sandbox Runtime (srt) is active \u2014 network egress is filtered" : proxyConfigured ? "HTTP/HTTPS proxy environment variables are set" : "No egress filtering \u2014 configure srt or set HTTP_PROXY/HTTPS_PROXY",
+      severity: "warning"
+    },
+    {
+      id: "egress-domain-rules",
+      label: "Domain filtering rules configured",
+      passed: srtHasDomainRules,
+      detail: srtHasDomainRules ? `srt domain rules: ${srtStatus.settings.network.allowedDomains.length} allowed, ${srtStatus.settings.network.deniedDomains.length} denied` : srtActive ? "srt is active but no domain allow/deny rules configured" : "No domain filtering rules \u2014 enable srt and add allowed domains",
+      severity: "warning"
+    },
+    {
+      id: "egress-no-proxy-safe",
+      label: "Proxy not globally bypassed",
+      passed: !proxyBypassed,
+      detail: proxyBypassed ? "NO_PROXY is set to '*' \u2014 all proxy filtering is bypassed" : noProxy ? `NO_PROXY exceptions: ${noProxy}` : "No NO_PROXY exceptions set",
+      severity: "critical"
+    },
+    {
+      id: "egress-exfiltration-clean",
+      label: "No unresolved exfiltration threats",
+      passed: exfilCount === 0,
+      detail: exfilCount === 0 ? "No unresolved data exfiltration threats" : `${exfilCount} unresolved exfiltration threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "egress-network-threats-clean",
+      label: "No unresolved network threats",
+      passed: netCount === 0,
+      detail: netCount === 0 ? "No unresolved network threats" : `${netCount} unresolved network threat(s)`,
+      severity: "warning"
+    }
+  ];
+  return buildLayer("egress-proxy", "Egress Proxy & Domain Filtering", checks);
+}
+function checkGatewaySecurityLayer() {
+  const config = readOpenClawConfig();
+  const deviceExists = fs9.existsSync(OPENCLAW_DEVICE_JSON);
+  const authMode = config?.gateway ? config.gateway?.auth ? config.gateway.auth?.mode : void 0 : void 0;
+  const gwBind = config?.gateway ? config.gateway?.bind : void 0;
+  const bindLocal = gwBind === void 0 || gwBind === null || gwBind === "127.0.0.1" || gwBind === "localhost" || gwBind === "loopback" || gwBind === "::1";
+  const channels = config?.channels;
+  const whatsapp = channels?.whatsapp;
+  const allowFrom = whatsapp?.allowFrom;
+  const channelRestricted = !whatsapp || Array.isArray(allowFrom) && allowFrom.length > 0;
+  const checks = [
+    {
+      id: "gw-device-identity",
+      label: "Device identity configured",
+      passed: deviceExists,
+      detail: deviceExists ? "Ed25519 device identity file exists" : "No device identity found \u2014 gateway authentication unavailable",
+      severity: "critical"
+    },
+    {
+      id: "gw-auth-mode",
+      label: "Gateway authentication enabled",
+      passed: authMode != null && authMode !== "",
+      detail: authMode ? `Gateway auth mode: "${authMode}"` : "Gateway auth mode not configured",
+      severity: "critical"
+    },
+    {
+      id: "gw-bind-local",
+      label: "Gateway bound to localhost",
+      passed: bindLocal,
+      detail: bindLocal ? `Gateway bind: ${gwBind ?? "default (localhost)"}` : `Gateway bound to ${gwBind} \u2014 accessible from network`,
+      severity: "warning"
+    },
+    {
+      id: "gw-channel-restricted",
+      label: "External channels restricted",
+      passed: channelRestricted,
+      detail: channelRestricted ? whatsapp ? `WhatsApp allowFrom has ${allowFrom?.length ?? 0} entry/entries` : "No external channels configured" : "WhatsApp is open to all senders \u2014 restrict with allowFrom",
+      severity: "info"
+    }
+  ];
+  return buildLayer("gateway", "Gateway & Inbound Security", checks);
+}
+async function checkSupplyChainLayer() {
+  const db = getDb();
+  const supplyThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-SUP%'`
+    )
+  );
+  const patternRows = await db.select().from(schema_exports.restrictedPatterns);
+  const patternTexts = patternRows.map((r) => r.pattern.toLowerCase());
+  const supplyKeywords = ["npm install", "pip install", "brew install", "curl"];
+  const hasSupplyPattern = supplyKeywords.some(
+    (kw) => patternTexts.some((pt) => pt.includes(kw))
+  );
+  const config = readOpenClawConfig();
+  const execSecurity = config?.tools?.exec?.security;
+  const supplyCount = supplyThreats[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "supply-chain-threats-clean",
+      label: "No unresolved supply chain threats",
+      passed: supplyCount === 0,
+      detail: supplyCount === 0 ? "No unresolved supply chain threats" : `${supplyCount} unresolved supply chain threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "supply-exec-restricted",
+      label: "Package install commands restricted",
+      passed: hasSupplyPattern,
+      detail: hasSupplyPattern ? "Restricted patterns cover package install commands" : "No restricted patterns for npm install, pip install, curl, etc.",
+      severity: "warning"
+    },
+    {
+      id: "supply-exec-mode",
+      label: "Exec security prevents blind installs",
+      passed: execSecurity === "deny" || execSecurity === "allowlist",
+      detail: execSecurity ? `Exec security mode: "${execSecurity}"` : "Exec security mode not configured",
+      severity: "warning"
+    }
+  ];
+  return buildLayer("supply-chain", "Supply Chain Protection", checks);
+}
+async function checkInputOutputLayer() {
+  const db = getDb();
+  const injectionThreats = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-INJ%'`
+    )
+  );
+  const mcpPoisoning = await db.select({ count: sql6`count(*)` }).from(schema_exports.agentActivities).where(
+    and4(
+      eq5(schema_exports.agentActivities.resolved, 0),
+      sql6`${schema_exports.agentActivities.threatFindings} LIKE '%TC-MCP%'`
+    )
+  );
+  const injCount = injectionThreats[0]?.count ?? 0;
+  const mcpCount = mcpPoisoning[0]?.count ?? 0;
+  const checks = [
+    {
+      id: "io-injection-clean",
+      label: "No unresolved prompt injection threats",
+      passed: injCount === 0,
+      detail: injCount === 0 ? "No unresolved prompt injection threats" : `${injCount} unresolved prompt injection threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "io-mcp-poisoning-clean",
+      label: "No unresolved MCP poisoning threats",
+      passed: mcpCount === 0,
+      detail: mcpCount === 0 ? "No unresolved MCP tool poisoning threats" : `${mcpCount} unresolved MCP tool poisoning threat(s)`,
+      severity: "critical"
+    },
+    {
+      id: "io-content-scanner-active",
+      label: "Content threat scanner active",
+      passed: true,
+      detail: "Built-in 10-category threat classifier is always active",
+      severity: "info"
+    },
+    {
+      id: "io-skill-scanner-available",
+      label: "Skill definition scanner available",
+      passed: true,
+      detail: "Built-in SK-* skill scanner is available for MCP auditing",
+      severity: "info"
+    }
+  ];
+  return buildLayer("input-output", "Input/Output Validation", checks);
+}
+async function computeSecurityPosture() {
+  const [
+    execLayer,
+    egressLayer,
+    secretLayer,
+    supplyChainLayer,
+    inputOutputLayer,
+    monitoringLayer,
+    humanLayer
+  ] = await Promise.all([
+    checkCommandExecLayer(),
+    checkEgressProxyLayer(),
+    checkSecretLayer(),
+    checkSupplyChainLayer(),
+    checkInputOutputLayer(),
+    checkThreatMonitoringLayer(),
+    checkHumanInLoopLayer()
+  ]);
+  const layers = [
+    checkSandboxLayer(),
+    checkFilesystemLayer(),
+    checkNetworkLayer(),
+    egressLayer,
+    execLayer,
+    checkMcpLayer(),
+    checkGatewaySecurityLayer(),
+    secretLayer,
+    supplyChainLayer,
+    inputOutputLayer,
+    monitoringLayer,
+    humanLayer
+  ];
+  const totalChecks = layers.reduce((sum, l) => sum + l.totalCount, 0);
+  const passedChecks = layers.reduce((sum, l) => sum + l.passedCount, 0);
+  const overallScore = totalChecks > 0 ? Math.round(passedChecks / totalChecks * 100) : 0;
+  return {
+    layers,
+    overallScore,
+    configuredLayers: layers.filter((l) => l.status === "configured").length,
+    partialLayers: layers.filter((l) => l.status === "partial").length,
+    unconfiguredLayers: layers.filter((l) => l.status === "unconfigured").length,
+    totalLayers: layers.length,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+// src/server/routes.ts
 async function registerRoutes(app) {
   app.get("/api/health", async () => {
     return { status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() };
@@ -3280,11 +4691,11 @@ async function registerRoutes(app) {
       const db = getDb();
       await db.update(schema_exports.accessConfig).set({
         value: enabled ? "true" : "false",
-        updatedAt: sql6`datetime('now')`
+        updatedAt: sql7`datetime('now')`
       }).where(
-        and4(
-          eq5(schema_exports.accessConfig.category, category),
-          eq5(schema_exports.accessConfig.key, "enabled")
+        and5(
+          eq6(schema_exports.accessConfig.category, category),
+          eq6(schema_exports.accessConfig.key, "enabled")
         )
       );
       return deriveAccessState();
@@ -3313,8 +4724,8 @@ async function registerRoutes(app) {
     const { action } = request.body;
     const db = getDb();
     const newStatus = action === "ALLOW" ? "ALLOWED" : "BLOCKED";
-    await db.update(schema_exports.commandLogs).set({ status: newStatus, decisionBy: "USER" }).where(eq5(schema_exports.commandLogs.id, Number(id)));
-    const [updated] = await db.select().from(schema_exports.commandLogs).where(eq5(schema_exports.commandLogs.id, Number(id)));
+    await db.update(schema_exports.commandLogs).set({ status: newStatus, decisionBy: "USER" }).where(eq6(schema_exports.commandLogs.id, Number(id)));
+    const [updated] = await db.select().from(schema_exports.commandLogs).where(eq6(schema_exports.commandLogs.id, Number(id)));
     return updated;
   });
   app.get("/api/openclaw/config", async () => {
@@ -3416,6 +4827,59 @@ async function registerRoutes(app) {
     const patterns = monitor.getExecApprovalService().removeRestrictedPattern(pattern);
     return { patterns: patterns.map((p) => ({ pattern: p })) };
   });
+  app.get("/api/security-posture", async () => {
+    return computeSecurityPosture();
+  });
+  app.post("/api/skill-scanner/scan", async (request, reply) => {
+    const parsed = skillScanRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Invalid request. Provide { content: string } (1 to 500K chars)." });
+    }
+    const result = scanSkillDefinition(parsed.data.content);
+    return result;
+  });
+  app.post("/api/skill-scanner/clean", async (request, reply) => {
+    const parsed = skillScanRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({ error: "Invalid request. Provide { content: string } (1 to 500K chars)." });
+    }
+    const result = cleanSkillDefinition(parsed.data.content);
+    return result;
+  });
+  app.get("/api/srt/status", async () => {
+    return getSrtStatus();
+  });
+  app.put("/api/srt/toggle", async (request) => {
+    const { enabled } = request.body;
+    return toggleSrt(enabled);
+  });
+  app.get("/api/srt/settings", async () => {
+    return readSrtSettings() ?? { error: "SRT settings file not found" };
+  });
+  app.put("/api/srt/settings", async (request) => {
+    const updates = request.body;
+    return updateSrtSettings(updates);
+  });
+  app.post("/api/srt/domains/:list", async (request, reply) => {
+    const { list } = request.params;
+    const { domain } = request.body;
+    if (!domain?.trim()) {
+      return reply.status(400).send({ error: "Domain is required" });
+    }
+    if (list === "allow") return addAllowedDomain(domain);
+    if (list === "deny") return addDeniedDomain(domain);
+    return reply.status(400).send({ error: "List must be 'allow' or 'deny'" });
+  });
+  app.delete("/api/srt/domains/:list", async (request, reply) => {
+    const { list } = request.params;
+    const { domain } = request.body;
+    if (!domain?.trim()) {
+      return reply.status(400).send({ error: "Domain is required" });
+    }
+    if (list === "allow") return removeAllowedDomain(domain);
+    if (list === "deny") return removeDeniedDomain(domain);
+    return reply.status(400).send({ error: "List must be 'allow' or 'deny'" });
+  });
 }
 // src/server/index.ts
@@ -3426,7 +4890,7 @@ async function createAppServer(port) {
   await app.register(fastifyCors, { origin: "*" });
   await registerRoutes(app);
   const publicDir = getPublicDir();
-  if (fs8.existsSync(publicDir) && fs8.readdirSync(publicDir).filter((f) => f !== ".gitkeep").length > 0) {
+  if (fs10.existsSync(publicDir) && fs10.readdirSync(publicDir).filter((f) => f !== ".gitkeep").length > 0) {
     await app.register(fastifyStatic, {
       root: publicDir,
       prefix: "/",
@@ -3688,7 +5152,7 @@ Permission denied for port ${port}.
 }
 // src/commands/reset.ts
-import fs9 from "fs";
+import fs11 from "fs";
 import readline from "readline/promises";
 import pc3 from "picocolors";
 async function resetCommand(options) {
@@ -3707,12 +5171,12 @@ async function resetCommand(options) {
     }
   }
   console.log(pc3.bold("Resetting SafeClaw..."));
-  if (fs9.existsSync(DB_PATH)) {
-    fs9.unlinkSync(DB_PATH);
+  if (fs11.existsSync(DB_PATH)) {
+    fs11.unlinkSync(DB_PATH);
     const walPath = DB_PATH + "-wal";
     const shmPath = DB_PATH + "-shm";
-    if (fs9.existsSync(walPath)) fs9.unlinkSync(walPath);
-    if (fs9.existsSync(shmPath)) fs9.unlinkSync(shmPath);
+    if (fs11.existsSync(walPath)) fs11.unlinkSync(walPath);
+    if (fs11.existsSync(shmPath)) fs11.unlinkSync(shmPath);
     console.log(pc3.green("  Database deleted."));
   } else {
     console.log(pc3.dim("  No database found, skipping."));
@@ -3725,11 +5189,11 @@ async function resetCommand(options) {
 }
 // src/commands/status.ts
-import fs10 from "fs";
+import fs12 from "fs";
 import Database3 from "better-sqlite3";
 import pc4 from "picocolors";
 async function statusCommand(options) {
-  const exists = fs10.existsSync(SAFECLAW_DIR);
+  const exists = fs12.existsSync(SAFECLAW_DIR);
   if (!exists) {
     if (options.json) {
       console.log(JSON.stringify({ initialized: false }, null, 2));
@@ -3743,7 +5207,7 @@ async function statusCommand(options) {
   const config = readConfig();
   let logCount = 0;
   let activityCount = 0;
-  const dbExists = fs10.existsSync(DB_PATH);
+  const dbExists = fs12.existsSync(DB_PATH);
   if (dbExists) {
     try {
       const sqlite = new Database3(DB_PATH, { readonly: true });
@@ -3757,14 +5221,14 @@ async function statusCommand(options) {
       activityCount = -1;
     }
   }
-  const openclawConfigExists = fs10.existsSync(OPENCLAW_CONFIG_PATH);
+  const openclawConfigExists = fs12.existsSync(OPENCLAW_CONFIG_PATH);
   if (options.json) {
     const data = {
       version: VERSION,
       initialized: true,
       dataDir: SAFECLAW_DIR,
       database: dbExists ? "exists" : "not_found",
-      config: fs10.existsSync(CONFIG_PATH) ? "exists" : "not_found",
+      config: fs12.existsSync(CONFIG_PATH) ? "exists" : "not_found",
       port: config.port,
       autoOpenBrowser: config.autoOpenBrowser,
       premium: config.premium,
@@ -3782,7 +5246,7 @@ async function statusCommand(options) {
     `  ${pc4.dim("Database:")}   ${dbExists ? pc4.green("exists") : pc4.red("not found")}`
   );
   console.log(
-    `  ${pc4.dim("Config:")}     ${fs10.existsSync(CONFIG_PATH) ? pc4.green("exists") : pc4.red("not found")}`
+    `  ${pc4.dim("Config:")}     ${fs12.existsSync(CONFIG_PATH) ? pc4.green("exists") : pc4.red("not found")}`
   );
   console.log(`  ${pc4.dim("Port:")}       ${config.port}`);
   console.log(`  ${pc4.dim("Auto-open:")}  ${config.autoOpenBrowser ? "Yes" : "No"}`);
@@ -3800,7 +5264,7 @@ async function statusCommand(options) {
 }
 // src/commands/doctor.ts
-import fs11 from "fs";
+import fs13 from "fs";
 import net from "net";
 import Database4 from "better-sqlite3";
 import pc5 from "picocolors";
@@ -3822,7 +5286,7 @@ function checkNodeVersion() {
 function checkDataDir() {
   try {
     ensureDataDir();
-    fs11.accessSync(SAFECLAW_DIR, fs11.constants.W_OK);
+    fs13.accessSync(SAFECLAW_DIR, fs13.constants.W_OK);
     return {
       name: "Data directory writable",
       status: "pass",
@@ -3837,7 +5301,7 @@ function checkDataDir() {
   }
 }
 function checkDatabase() {
-  if (!fs11.existsSync(DB_PATH)) {
+  if (!fs13.existsSync(DB_PATH)) {
     return {
       name: "Database",
       status: "warn",
@@ -3880,7 +5344,7 @@ function checkDatabase() {
   }
 }
 function checkConfig() {
-  if (!fs11.existsSync(CONFIG_PATH)) {
+  if (!fs13.existsSync(CONFIG_PATH)) {
     return {
       name: "Config file",
       status: "warn",
@@ -3922,14 +5386,14 @@ async function checkPort() {
   };
 }
 function checkOpenClawConfig() {
-  if (!fs11.existsSync(OPENCLAW_DIR)) {
+  if (!fs13.existsSync(OPENCLAW_DIR)) {
     return {
       name: "OpenClaw directory",
       status: "warn",
       message: `${OPENCLAW_DIR} not found`
     };
   }
-  if (!fs11.existsSync(OPENCLAW_CONFIG_PATH)) {
+  if (!fs13.existsSync(OPENCLAW_CONFIG_PATH)) {
     return {
       name: "OpenClaw config",
       status: "warn",
@@ -3961,7 +5425,7 @@ function isPortInUse(port) {
   });
 }
 async function checkOpenClawGateway() {
-  if (!fs11.existsSync(OPENCLAW_CONFIG_PATH)) {
+  if (!fs13.existsSync(OPENCLAW_CONFIG_PATH)) {
     return {
       name: "OpenClaw gateway",
       status: "warn",
@@ -3969,7 +5433,7 @@ async function checkOpenClawGateway() {
     };
   }
   try {
-    const raw = JSON.parse(fs11.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
+    const raw = JSON.parse(fs13.readFileSync(OPENCLAW_CONFIG_PATH, "utf-8"));
     const port = raw?.gateway?.port ?? 18789;
     const reachable = await isPortInUse(port);
     if (reachable) {
@@ -3994,10 +5458,10 @@ async function checkOpenClawGateway() {
 }
 function checkLogDir() {
   try {
-    if (!fs11.existsSync(LOGS_DIR)) {
-      fs11.mkdirSync(LOGS_DIR, { recursive: true });
+    if (!fs13.existsSync(LOGS_DIR)) {
+      fs13.mkdirSync(LOGS_DIR, { recursive: true });
     }
-    fs11.accessSync(LOGS_DIR, fs11.constants.W_OK);
+    fs13.accessSync(LOGS_DIR, fs13.constants.W_OK);
     return {
       name: "Log directory writable",
       status: "pass",
@@ -4139,14 +5603,14 @@ async function configSetCommand(key, value) {
 }
 // src/commands/logs.ts
-import fs12 from "fs";
+import fs14 from "fs";
 import pc7 from "picocolors";
 async function logsCommand(options) {
   if (options.clear) {
     await clearLogs();
     return;
   }
-  if (!fs12.existsSync(DEBUG_LOG_PATH)) {
+  if (!fs14.existsSync(DEBUG_LOG_PATH)) {
     console.log(
       pc7.yellow("No log file found.") + " Run " + pc7.cyan("safeclaw start") + " to generate logs."
     );
@@ -4159,7 +5623,7 @@ async function logsCommand(options) {
   }
 }
 async function tailLogs(lineCount) {
-  const content = fs12.readFileSync(DEBUG_LOG_PATH, "utf-8");
+  const content = fs14.readFileSync(DEBUG_LOG_PATH, "utf-8");
   const lines = content.split("\n").filter(Boolean);
   const tail = lines.slice(-lineCount);
   if (tail.length === 0) {
@@ -4177,23 +5641,23 @@ async function tailLogs(lineCount) {
 async function followLogs() {
   console.log(pc7.dim(`Following ${DEBUG_LOG_PATH} (Ctrl+C to stop)
 `));
-  if (fs12.existsSync(DEBUG_LOG_PATH)) {
-    const content = fs12.readFileSync(DEBUG_LOG_PATH, "utf-8");
+  if (fs14.existsSync(DEBUG_LOG_PATH)) {
+    const content = fs14.readFileSync(DEBUG_LOG_PATH, "utf-8");
     const lines = content.split("\n").filter(Boolean);
     const tail = lines.slice(-20);
     for (const line of tail) {
       process.stdout.write(line + "\n");
     }
   }
-  let position = fs12.existsSync(DEBUG_LOG_PATH) ? fs12.statSync(DEBUG_LOG_PATH).size : 0;
-  const watcher = fs12.watch(DEBUG_LOG_PATH, () => {
+  let position = fs14.existsSync(DEBUG_LOG_PATH) ? fs14.statSync(DEBUG_LOG_PATH).size : 0;
+  const watcher = fs14.watch(DEBUG_LOG_PATH, () => {
     try {
-      const stat = fs12.statSync(DEBUG_LOG_PATH);
+      const stat = fs14.statSync(DEBUG_LOG_PATH);
       if (stat.size > position) {
-        const fd = fs12.openSync(DEBUG_LOG_PATH, "r");
+        const fd = fs14.openSync(DEBUG_LOG_PATH, "r");
         const buffer = Buffer.alloc(stat.size - position);
-        fs12.readSync(fd, buffer, 0, buffer.length, position);
-        fs12.closeSync(fd);
+        fs14.readSync(fd, buffer, 0, buffer.length, position);
+        fs14.closeSync(fd);
         process.stdout.write(buffer.toString("utf-8"));
         position = stat.size;
       } else if (stat.size < position) {
@@ -4211,11 +5675,11 @@ async function followLogs() {
   });
 }
 async function clearLogs() {
-  if (!fs12.existsSync(DEBUG_LOG_PATH)) {
+  if (!fs14.existsSync(DEBUG_LOG_PATH)) {
     console.log(pc7.dim("No log file to clear."));
     return;
   }
-  fs12.writeFileSync(DEBUG_LOG_PATH, "");
+  fs14.writeFileSync(DEBUG_LOG_PATH, "");
   console.log(pc7.green("Log file cleared."));
 }