shellward 0.3.2

package/src/commands/harden.ts

@@ -0,0 +1,192 @@
+// src/commands/harden.ts — /harden command: one-click security hardening
+
+import { existsSync, statSync, chmodSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { execSync } from 'child_process'
+import type { ShellWardConfig } from '../types'
+import { resolveLocale } from '../types'
+
+const HOME = process.env.HOME || '~'
+
+export function registerHardenCommand(api: any, config: ShellWardConfig) {
+  const locale = resolveLocale(config)
+
+  api.registerCommand({
+    name: 'harden',
+    description: locale === 'zh'
+      ? '🔒 一键安全加固 (权限修复、凭证扫描、端口检查)'
+      : '🔒 One-click security hardening (permissions, credentials, ports)',
+    acceptsArgs: true,
+    handler: (ctx: any) => {
+      const zh = locale === 'zh'
+      const args = (ctx.args || '').trim().toLowerCase()
+      const dryRun = args !== 'fix'
+
+      const lines: string[] = []
+      const issues: string[] = []
+      const fixed: string[] = []
+
+      lines.push(zh ? '🔒 **安全加固扫描**' : '🔒 **Security Hardening Scan**')
+      if (dryRun) {
+        lines.push(zh
+          ? '_(扫描模式 — 使用 `/harden fix` 自动修复)_'
+          : '_(scan mode — use `/harden fix` to auto-fix)_')
+      }
+      lines.push('')
+
+      // === 1. File Permission Checks ===
+      lines.push(zh ? '### 文件权限检查' : '### File Permission Checks')
+
+      const sensitiveFiles = [
+        ['.env', 0o600],
+        ['.env.local', 0o600],
+        ['.env.production', 0o600],
+        ['.ssh/id_rsa', 0o600],
+        ['.ssh/id_ed25519', 0o600],
+        ['.ssh/config', 0o600],
+        ['.aws/credentials', 0o600],
+        ['.npmrc', 0o600],
+        ['.git-credentials', 0o600],
+        ['.openclaw/openclaw.json', 0o600],
+      ] as const
+
+      for (const [rel, target] of sensitiveFiles) {
+        const full = join(HOME, rel)
+        if (!existsSync(full)) continue
+        try {
+          const stat = statSync(full)
+          const current = stat.mode & 0o777
+          if (current > target) {
+            const msg = zh
+              ? `⚠️ ${rel}: 权限 ${current.toString(8)} → 建议 ${target.toString(8)}`
+              : `⚠️ ${rel}: permissions ${current.toString(8)} → should be ${target.toString(8)}`
+            issues.push(msg)
+            lines.push(`  ${msg}`)
+
+            if (!dryRun) {
+              try {
+                chmodSync(full, target)
+                fixed.push(rel)
+                lines.push(zh ? `    ✅ 已修复` : `    ✅ Fixed`)
+              } catch {
+                lines.push(zh ? `    ❌ 修复失败（权限不足）` : `    ❌ Fix failed (permission denied)`)
+              }
+            }
+          } else {
+            lines.push(zh ? `  ✅ ${rel}: ${current.toString(8)}` : `  ✅ ${rel}: ${current.toString(8)}`)
+          }
+        } catch { /* skip */ }
+      }
+      lines.push('')
+
+      // === 2. Plaintext Credential Scan ===
+      lines.push(zh ? '### 明文凭证扫描' : '### Plaintext Credential Scan')
+
+      const credPatterns = [
+        /(?:api[_-]?key|api[_-]?token|access[_-]?token)\s*[=:]\s*['"]?[A-Za-z0-9_\-]{20,}/i,
+        /sk-[a-zA-Z0-9]{20,}/,
+        /AKIA[0-9A-Z]{16}/,
+        /ghp_[A-Za-z0-9_]{36,}/,
+        /password\s*[=:]\s*['"]?\S{6,}/i,
+      ]
+
+      const envFiles = ['.env', '.env.local', '.env.production', '.bashrc', '.zshrc', '.bash_profile']
+      let credFound = 0
+      for (const rel of envFiles) {
+        const full = join(HOME, rel)
+        if (!existsSync(full)) continue
+        try {
+          const content = readFileSync(full, 'utf-8')
+          for (const pat of credPatterns) {
+            if (pat.test(content)) {
+              credFound++
+              const msg = zh
+                ? `⚠️ ${rel}: 发现明文凭证（建议使用密钥管理工具）`
+                : `⚠️ ${rel}: plaintext credentials found (use a secret manager)`
+              issues.push(msg)
+              lines.push(`  ${msg}`)
+              break
+            }
+          }
+        } catch { /* skip */ }
+      }
+      if (credFound === 0) {
+        lines.push(zh ? '  ✅ 未发现明文凭证' : '  ✅ No plaintext credentials found')
+      }
+      lines.push('')
+
+      // === 3. Network Exposure ===
+      lines.push(zh ? '### 网络暴露检查' : '### Network Exposure Check')
+      try {
+        const listening = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 5000 }).toString()
+        const dangerPorts = [
+          ['19000', 'OpenClaw Gateway'],
+          ['19001', 'OpenClaw Dev'],
+          ['3000', 'Dev Server'],
+          ['8080', 'HTTP Alt'],
+          ['5432', 'PostgreSQL'],
+          ['3306', 'MySQL'],
+          ['6379', 'Redis'],
+          ['27017', 'MongoDB'],
+        ]
+        let portIssues = 0
+        for (const [port, name] of dangerPorts) {
+          // Check if listening on 0.0.0.0 (all interfaces)
+          const allInterfaces = listening.includes(`0.0.0.0:${port}`) || listening.includes(`:::${port}`)
+          if (allInterfaces) {
+            portIssues++
+            const msg = zh
+              ? `⚠️ ${name} (${port}) 监听在所有接口 — 建议绑定 127.0.0.1`
+              : `⚠️ ${name} (${port}) listening on all interfaces — bind to 127.0.0.1`
+            issues.push(msg)
+            lines.push(`  ${msg}`)
+          }
+        }
+        if (portIssues === 0) {
+          lines.push(zh ? '  ✅ 未发现危险端口暴露' : '  ✅ No dangerous port exposure detected')
+        }
+      } catch {
+        lines.push(zh ? '  ℹ️ 无法检查网络状态' : '  ℹ️ Cannot check network status')
+      }
+      lines.push('')
+
+      // === 4. Running as root ===
+      lines.push(zh ? '### 运行权限' : '### Runtime Privileges')
+      if (process.getuid && process.getuid() === 0) {
+        const msg = zh
+          ? '⚠️ 以 root 身份运行 — 强烈建议使用普通用户 + 容器隔离'
+          : '⚠️ Running as root — strongly recommend non-root user + container isolation'
+        issues.push(msg)
+        lines.push(`  ${msg}`)
+      } else {
+        lines.push(zh ? '  ✅ 非 root 运行' : '  ✅ Not running as root')
+      }
+
+      // Check if Docker available
+      try {
+        execSync('which docker 2>/dev/null', { timeout: 3000 })
+        lines.push(zh ? '  ✅ Docker 可用（可用于容器隔离）' : '  ✅ Docker available (for container isolation)')
+      } catch {
+        lines.push(zh ? '  ℹ️ Docker 未安装（建议安装以支持容器隔离）' : '  ℹ️ Docker not installed (recommended for isolation)')
+      }
+      lines.push('')
+
+      // === Summary ===
+      lines.push('---')
+      if (issues.length === 0) {
+        lines.push(zh ? '✅ **安全检查通过！未发现问题。**' : '✅ **All checks passed! No issues found.**')
+      } else {
+        lines.push(zh
+          ? `⚠️ **发现 ${issues.length} 个安全问题**${fixed.length > 0 ? `，已自动修复 ${fixed.length} 个` : ''}`
+          : `⚠️ **Found ${issues.length} security issues**${fixed.length > 0 ? `, auto-fixed ${fixed.length}` : ''}`)
+        if (dryRun && issues.some(i => i.includes('权限') || i.includes('permissions'))) {
+          lines.push(zh
+            ? '💡 使用 `/harden fix` 自动修复文件权限问题'
+            : '💡 Use `/harden fix` to auto-fix file permission issues')
+        }
+      }
+
+      return { text: lines.join('\n') }
+    },
+  })
+}

package/src/commands/index.ts

@@ -0,0 +1,57 @@
+// src/commands/index.ts — Register all ShellWard commands
+
+import type { ShellWardConfig } from '../types'
+import { resolveLocale } from '../types'
+import { registerSecurityCommand } from './security'
+import { registerAuditCommand } from './audit'
+import { registerHardenCommand } from './harden'
+import { registerScanPluginsCommand } from './scan-plugins'
+import { registerCheckUpdatesCommand } from './check-updates'
+
+export function registerAllCommands(api: any, config: ShellWardConfig) {
+  const locale = resolveLocale(config)
+
+  // Register individual commands
+  registerSecurityCommand(api, config)
+  registerAuditCommand(api, config)
+  registerHardenCommand(api, config)
+  registerScanPluginsCommand(api, config)
+  registerCheckUpdatesCommand(api, config)
+
+  // Register /cg shortcut with help
+  api.registerCommand({
+    name: 'cg',
+    description: locale === 'zh'
+      ? '🛡️ ShellWard 安全命令帮助'
+      : '🛡️ ShellWard security command help',
+    acceptsArgs: false,
+    handler: () => ({
+      text: locale === 'zh' ? `🛡️ **ShellWard 快捷命令**
+
+| 命令 | 说明 |
+|------|------|
+| \`/security\` | 安全状态总览（防御层、审计统计、系统检查） |
+| \`/audit [数量] [过滤]\` | 查看审计日志 (过滤: block/redact/critical/high) |
+| \`/harden\` | 安全扫描 · \`/harden fix\` 自动修复权限 |
+| \`/scan-plugins\` | 扫描已安装插件的安全风险 |
+| \`/check-updates\` | 检查 OpenClaw 版本和已知漏洞 |
+
+**当前防御层 (8层):**
+L1 提示注入 · L2 输出脱敏 · L3 工具拦截 · L4 注入检测
+L5 安全门 · L6 回复脱敏 · L7 数据流监控 · L8 会话安全`
+        : `🛡️ **ShellWard Quick Commands**
+
+| Command | Description |
+|---------|-------------|
+| \`/security\` | Security status overview (layers, audit stats, system checks) |
+| \`/audit [count] [filter]\` | View audit log (filter: block/redact/critical/high) |
+| \`/harden\` | Security scan · \`/harden fix\` to auto-fix permissions |
+| \`/scan-plugins\` | Scan installed plugins for security risks |
+| \`/check-updates\` | Check OpenClaw version and known vulnerabilities |
+
+**Active Defense Layers (8):**
+L1 Prompt Guard · L2 Output Scanner · L3 Tool Blocker · L4 Input Auditor
+L5 Security Gate · L6 Outbound Guard · L7 Data Flow Guard · L8 Session Guard`,
+    }),
+  })
+}

package/src/commands/scan-plugins.ts

@@ -0,0 +1,187 @@
+// src/commands/scan-plugins.ts — /scan-plugins: scan installed plugins for security risks
+
+import { existsSync, readFileSync, readdirSync, statSync } from 'fs'
+import { join } from 'path'
+import type { ShellWardConfig } from '../types'
+import { resolveLocale } from '../types'
+
+const HOME = process.env.HOME || '~'
+const OPENCLAW_DIR = join(HOME, '.openclaw')
+
+// Known suspicious patterns in plugin code
+const SUSPICIOUS_PATTERNS = [
+  { pattern: /eval\s*\(/, name: 'eval()', risk: 'code injection' },
+  { pattern: /child_process|execSync|spawnSync|exec\(/, name: 'shell exec', risk: 'command execution' },
+  { pattern: /\/dev\/tcp|nc\s+-e|ncat/, name: 'reverse shell', risk: 'remote access' },
+  { pattern: /fetch\s*\([^)]*(?:webhook|exfil|callback)/, name: 'data exfiltration', risk: 'data leak' },
+  { pattern: /process\.env\.[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD)/i, name: 'env secret access', risk: 'credential access' },
+  { pattern: /writeFileSync.*(?:\.ssh|\.env|\.aws|\.npmrc)/, name: 'sensitive file write', risk: 'credential tampering' },
+  { pattern: /crypto\.createHash|Buffer\.from.*base64/, name: 'crypto/encoding', risk: 'possible obfuscation' },
+  { pattern: /https?:\/\/(?!(?:github\.com|npmjs\.com|registry\.npmjs\.org))[^\s'"]+/g, name: 'external URL', risk: 'data exfiltration' },
+]
+
+export function registerScanPluginsCommand(api: any, config: ShellWardConfig) {
+  const locale = resolveLocale(config)
+
+  api.registerCommand({
+    name: 'scan-plugins',
+    description: locale === 'zh'
+      ? '🔍 扫描已安装插件的安全风险'
+      : '🔍 Scan installed plugins for security risks',
+    acceptsArgs: false,
+    handler: () => {
+      const zh = locale === 'zh'
+      const lines: string[] = []
+
+      lines.push(zh ? '🔍 **插件安全扫描报告**' : '🔍 **Plugin Security Scan Report**')
+      lines.push('')
+
+      // Find installed plugins
+      const pluginDirs: { name: string; path: string }[] = []
+
+      // Check global extensions
+      const extensionsDir = join(OPENCLAW_DIR, 'extensions')
+      if (existsSync(extensionsDir)) {
+        try {
+          for (const name of readdirSync(extensionsDir)) {
+            const p = join(extensionsDir, name)
+            if (statSync(p).isDirectory()) {
+              pluginDirs.push({ name, path: p })
+            }
+          }
+        } catch { /* skip */ }
+      }
+
+      // Check linked plugins
+      const pluginsDir = join(OPENCLAW_DIR, 'plugins')
+      if (existsSync(pluginsDir)) {
+        try {
+          for (const name of readdirSync(pluginsDir)) {
+            const p = join(pluginsDir, name)
+            pluginDirs.push({ name, path: p })
+          }
+        } catch { /* skip */ }
+      }
+
+      if (pluginDirs.length === 0) {
+        lines.push(zh ? 'ℹ️ 未发现已安装的第三方插件。' : 'ℹ️ No third-party plugins found.')
+        return { text: lines.join('\n') }
+      }
+
+      lines.push(zh
+        ? `${zh ? '发现' : 'Found'} ${pluginDirs.length} ${zh ? '个插件' : 'plugins'}`
+        : `Found ${pluginDirs.length} plugins`)
+      lines.push('')
+
+      let totalRisks = 0
+
+      for (const plugin of pluginDirs) {
+        const risks: string[] = []
+
+        // 1. Check for package.json
+        const pkgPath = join(plugin.path, 'package.json')
+        let pkg: any = null
+        if (existsSync(pkgPath)) {
+          try {
+            pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+          } catch { /* skip */ }
+        }
+
+        // 2. Check dependencies count (more deps = more supply chain risk)
+        if (pkg) {
+          const depCount = Object.keys(pkg.dependencies || {}).length
+          if (depCount > 20) {
+            risks.push(zh
+              ? `⚠️ 依赖过多 (${depCount} 个) — 供应链攻击风险`
+              : `⚠️ Too many deps (${depCount}) — supply chain risk`)
+          }
+
+          // Check for suspicious scripts
+          const scripts = pkg.scripts || {}
+          for (const [key, val] of Object.entries(scripts)) {
+            if (/curl|wget|eval|nc\s/.test(String(val))) {
+              risks.push(zh
+                ? `🔴 可疑脚本: scripts.${key}`
+                : `🔴 Suspicious script: scripts.${key}`)
+            }
+          }
+        }
+
+        // 3. Scan source files for suspicious patterns
+        const srcFiles = collectSourceFiles(plugin.path, 3) // max depth 3
+        for (const file of srcFiles) {
+          try {
+            const content = readFileSync(file, 'utf-8')
+            for (const rule of SUSPICIOUS_PATTERNS) {
+              if (rule.pattern.test(content)) {
+                // Reset lastIndex for global regexes
+                rule.pattern.lastIndex = 0
+                const relPath = file.replace(plugin.path + '/', '')
+                risks.push(zh
+                  ? `⚠️ ${relPath}: ${rule.name} (${rule.risk})`
+                  : `⚠️ ${relPath}: ${rule.name} (${rule.risk})`)
+              }
+            }
+          } catch { /* skip */ }
+        }
+
+        // 4. Check if plugin has signature/checksum
+        const hasSignature = existsSync(join(plugin.path, 'SIGNATURE')) || existsSync(join(plugin.path, '.signature'))
+        if (!hasSignature) {
+          risks.push(zh ? 'ℹ️ 无签名验证文件' : 'ℹ️ No signature file')
+        }
+
+        // Output plugin report
+        const icon = risks.filter(r => r.startsWith('🔴')).length > 0 ? '🔴'
+          : risks.filter(r => r.startsWith('⚠️')).length > 0 ? '⚠️' : '✅'
+
+        lines.push(`### ${icon} ${plugin.name}`)
+        if (pkg) {
+          lines.push(`  v${pkg.version || '?'} | ${pkg.author || 'unknown author'} | ${Object.keys(pkg.dependencies || {}).length} deps`)
+        }
+
+        if (risks.length === 0) {
+          lines.push(zh ? '  ✅ 未发现安全风险' : '  ✅ No security risks found')
+        } else {
+          for (const risk of risks) {
+            lines.push(`  ${risk}`)
+            totalRisks++
+          }
+        }
+        lines.push('')
+      }
+
+      // Summary
+      lines.push('---')
+      if (totalRisks === 0) {
+        lines.push(zh ? '✅ **所有插件扫描通过**' : '✅ **All plugins passed scan**')
+      } else {
+        lines.push(zh
+          ? `⚠️ **发现 ${totalRisks} 个潜在风险** — 请审查标记的插件`
+          : `⚠️ **${totalRisks} potential risks found** — review flagged plugins`)
+        lines.push(zh
+          ? '💡 建议: 仅从可信渠道安装插件，定期运行 `/scan-plugins` 检查'
+          : '💡 Tip: Only install plugins from trusted sources, run `/scan-plugins` regularly')
+      }
+
+      return { text: lines.join('\n') }
+    },
+  })
+}
+
+function collectSourceFiles(dir: string, maxDepth: number, depth = 0): string[] {
+  if (depth > maxDepth) return []
+  const files: string[] = []
+  try {
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+      if (entry.name === 'node_modules' || entry.name === '.git' || entry.name === 'dist') continue
+      const full = join(dir, entry.name)
+      if (entry.isDirectory()) {
+        files.push(...collectSourceFiles(full, maxDepth, depth + 1))
+      } else if (/\.(ts|js|mjs|cjs)$/.test(entry.name)) {
+        files.push(full)
+      }
+    }
+  } catch { /* skip */ }
+  return files
+}

package/src/commands/security.ts

@@ -0,0 +1,113 @@
+// src/commands/security.ts — /security command: full security status overview
+
+import { readFileSync, statSync, existsSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { execSync } from 'child_process'
+import type { ShellWardConfig } from '../types'
+import { resolveLocale } from '../types'
+
+const LOG_DIR = join(process.env.HOME || '~', '.openclaw', 'shellward')
+const LOG_FILE = join(LOG_DIR, 'audit.jsonl')
+
+export function registerSecurityCommand(api: any, config: ShellWardConfig) {
+  const locale = resolveLocale(config)
+
+  api.registerCommand({
+    name: 'security',
+    description: locale === 'zh'
+      ? '🛡️ ShellWard 安全状态总览'
+      : '🛡️ ShellWard security status overview',
+    acceptsArgs: false,
+    handler: () => {
+      const lines: string[] = []
+      const zh = locale === 'zh'
+
+      lines.push(zh ? '🛡️ **ShellWard 安全状态报告**' : '🛡️ **ShellWard Security Status Report**')
+      lines.push('')
+
+      // 1. Layer status
+      lines.push(zh ? '## 防御层状态' : '## Defense Layers')
+      const layers = [
+        ['L1 Prompt Guard', config.layers.promptGuard],
+        ['L2 Output Scanner', config.layers.outputScanner],
+        ['L3 Tool Blocker', config.layers.toolBlocker],
+        ['L4 Input Auditor', config.layers.inputAuditor],
+        ['L5 Security Gate', config.layers.securityGate],
+      ]
+      for (const [name, enabled] of layers) {
+        lines.push(`  ${enabled ? '✅' : '❌'} ${name}`)
+      }
+      lines.push(`  ${zh ? '模式' : 'Mode'}: **${config.mode}**`)
+      lines.push(`  ${zh ? '注入阈值' : 'Injection threshold'}: **${config.injectionThreshold}**`)
+      lines.push('')
+
+      // 2. Audit log stats
+      lines.push(zh ? '## 审计日志' : '## Audit Log')
+      try {
+        const stat = statSync(LOG_FILE)
+        const sizeMB = (stat.size / 1024 / 1024).toFixed(2)
+        lines.push(`  ${zh ? '文件' : 'File'}: ${LOG_FILE}`)
+        lines.push(`  ${zh ? '大小' : 'Size'}: ${sizeMB} MB`)
+
+        // Count recent events
+        const content = readFileSync(LOG_FILE, 'utf-8')
+        const allLines = content.trim().split('\n').filter(Boolean)
+        const total = allLines.length
+        let blocks = 0
+        let redacts = 0
+        let criticals = 0
+        for (const line of allLines) {
+          if (line.includes('"action":"block"')) blocks++
+          if (line.includes('"action":"redact"')) redacts++
+          if (line.includes('"level":"CRITICAL"')) criticals++
+        }
+        lines.push(`  ${zh ? '总事件' : 'Total events'}: ${total}`)
+        lines.push(`  ${zh ? '拦截' : 'Blocked'}: ${blocks} | ${zh ? '脱敏' : 'Redacted'}: ${redacts} | ${zh ? '严重' : 'Critical'}: ${criticals}`)
+      } catch {
+        lines.push(zh ? '  ⚠️ 日志文件不存在' : '  ⚠️ Log file not found')
+      }
+      lines.push('')
+
+      // 3. Quick system security checks
+      lines.push(zh ? '## 系统安全快检' : '## Quick System Security Check')
+
+      // Check exposed ports
+      try {
+        const listening = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 5000 }).toString()
+        const openClawPort = listening.includes(':19000') || listening.includes(':19001')
+        lines.push(openClawPort
+          ? (zh ? '  ⚠️ OpenClaw 端口正在监听 (建议限制访问)' : '  ⚠️ OpenClaw port is listening (restrict access)')
+          : (zh ? '  ✅ OpenClaw 端口未暴露' : '  ✅ OpenClaw port not exposed'))
+      } catch {
+        lines.push(zh ? '  ℹ️ 无法检查端口状态' : '  ℹ️ Cannot check port status')
+      }
+
+      // Check .env exposure
+      const envFile = join(process.cwd(), '.env')
+      if (existsSync(envFile)) {
+        try {
+          const mode = statSync(envFile).mode & 0o777
+          lines.push(mode > 0o600
+            ? (zh ? `  ⚠️ .env 文件权限过宽 (${mode.toString(8)})，建议 chmod 600` : `  ⚠️ .env file permissions too open (${mode.toString(8)}), suggest chmod 600`)
+            : (zh ? '  ✅ .env 文件权限正常' : '  ✅ .env file permissions OK'))
+        } catch { /* skip */ }
+      }
+
+      // Check if running as root
+      if (process.getuid && process.getuid() === 0) {
+        lines.push(zh
+          ? '  ⚠️ 正在以 root 运行 (建议使用普通用户 + 容器隔离)'
+          : '  ⚠️ Running as root (use non-root user + container isolation)')
+      } else {
+        lines.push(zh ? '  ✅ 非 root 运行' : '  ✅ Not running as root')
+      }
+
+      lines.push('')
+      lines.push(zh
+        ? '💡 使用 `/audit` 查看日志, `/harden` 执行安全加固, `/scan-plugins` 扫描插件'
+        : '💡 Use `/audit` for logs, `/harden` for hardening, `/scan-plugins` to scan plugins')
+
+      return { text: lines.join('\n') }
+    },
+  })
+}

package/src/index.ts

@@ -0,0 +1,119 @@
+// src/index.ts — ShellWard plugin entry point (v0.3.1)
+// 8 defense layers + 6 slash commands + 1 security skill
+
+import { AuditLog } from './audit-log'
+import { setupPromptGuard } from './layers/prompt-guard'
+import { setupOutputScanner } from './layers/output-scanner'
+import { setupToolBlocker } from './layers/tool-blocker'
+import { setupInputAuditor } from './layers/input-auditor'
+import { setupSecurityGate } from './layers/security-gate'
+import { setupOutboundGuard } from './layers/outbound-guard'
+import { setupDataFlowGuard } from './layers/data-flow-guard'
+import { setupSessionGuard } from './layers/session-guard'
+import { registerAllCommands } from './commands/index'
+import { DEFAULT_CONFIG, resolveLocale } from './types'
+import type { ShellWardConfig } from './types'
+
+function mergeConfig(userConfig: Partial<ShellWardConfig> | undefined): ShellWardConfig {
+  if (!userConfig) return { ...DEFAULT_CONFIG }
+
+  // Validate mode
+  const mode = userConfig.mode === 'audit' ? 'audit' : 'enforce'
+
+  // Validate locale
+  const validLocales = ['auto', 'zh', 'en'] as const
+  const locale = validLocales.includes(userConfig.locale as any)
+    ? (userConfig.locale as typeof validLocales[number])
+    : DEFAULT_CONFIG.locale
+
+  // Validate injectionThreshold: clamp to 0-100
+  let threshold = userConfig.injectionThreshold ?? DEFAULT_CONFIG.injectionThreshold
+  threshold = Math.max(0, Math.min(100, Math.round(threshold)))
+
+  return {
+    mode,
+    locale,
+    injectionThreshold: threshold,
+    layers: {
+      ...DEFAULT_CONFIG.layers,
+      ...(userConfig.layers || {}),
+    },
+  }
+}
+
+export default {
+  id: 'shellward',
+
+  register(api: any) {
+    const config = mergeConfig(api.config)
+    const log = new AuditLog(config)
+    const enforce = config.mode === 'enforce'
+    const locale = resolveLocale(config)
+
+    const modeLabel = locale === 'zh'
+      ? `模式: ${config.mode}`
+      : `mode: ${config.mode}`
+    api.logger.info(`[ShellWard] Security plugin started (${modeLabel})`)
+
+    // === Defense Layers (L1-L8) ===
+
+    // L1: Prompt Guard (before_prompt_build — prependSystemContext for caching)
+    if (config.layers.promptGuard) {
+      setupPromptGuard(api, config, log)
+    }
+
+    // L2: Output Scanner (tool_result_persist — redact PII in tool results)
+    if (config.layers.outputScanner) {
+      setupOutputScanner(api, config, log, enforce)
+    }
+
+    // L3: Tool Blocker (before_tool_call — block dangerous commands/paths)
+    if (config.layers.toolBlocker) {
+      setupToolBlocker(api, config, log, enforce)
+    }
+
+    // L4: Input Auditor (before_tool_call + message_received — injection detection)
+    if (config.layers.inputAuditor) {
+      setupInputAuditor(api, config, log, enforce)
+    }
+
+    // L5: Security Gate (registerTool — defense in depth)
+    if (config.layers.securityGate) {
+      setupSecurityGate(api, config, log, enforce)
+    }
+
+    // L6: Outbound Guard (message_sending — redact PII in LLM responses + canary detection)
+    if (config.layers.outboundGuard) {
+      setupOutboundGuard(api, config, log, enforce)
+    }
+
+    // L7: Data Flow Guard (after_tool_call + before_tool_call — anti-exfiltration)
+    if (config.layers.dataFlowGuard) {
+      setupDataFlowGuard(api, config, log, enforce)
+    }
+
+    // L8: Session Guard (session_end + subagent_spawning — lifecycle security)
+    if (config.layers.sessionGuard) {
+      setupSessionGuard(api, config, log, enforce)
+    }
+
+    // === Slash Commands ===
+    if (api.registerCommand) {
+      registerAllCommands(api, config)
+      api.logger.info('[ShellWard] 6 commands registered: /security /audit /harden /scan-plugins /check-updates /cg')
+    }
+
+    // Count enabled layers
+    const allLayers = ['promptGuard', 'outputScanner', 'toolBlocker', 'inputAuditor', 'securityGate', 'outboundGuard', 'dataFlowGuard', 'sessionGuard']
+    const enabledCount = allLayers.filter(k => (config.layers as any)[k]).length
+
+    api.logger.info(`[ShellWard] ${enabledCount} defense layers active`)
+
+    log.write({
+      level: 'INFO',
+      layer: 'L1',
+      action: 'allow',
+      detail: `ShellWard v0.3.2 started with ${enabledCount} layers`,
+    })
+  },
+}