.dockerignore

@@ -0,0 +1,4 @@
+node_modules/
+coverage/
+.git/
+*.log

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.eslintrc.json

@@ -0,0 +1,18 @@
+{
+  "env": {
+    "node": true,
+    "es2020": true
+  },
+  "parserOptions": {
+    "ecmaVersion": 2020
+  },
+  "plugins": ["security"],
+  "extends": ["eslint:recommended"],
+  "rules": {
+    "no-unused-vars": ["error", { "argsIgnorePattern": "^_", "varsIgnorePattern": "^_" }],
+    "no-console": "warn",
+    "security/detect-object-injection": "warn",
+    "security/detect-non-literal-fs-filename": "warn",
+    "security/detect-eval-with-expression": "error"
+  }
+}

.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+coverage/
+*.log

.prettierignore

@@ -0,0 +1,4 @@
+node_modules/
+coverage/
+dist/
+package-lock.json

.prettierrc

@@ -0,0 +1,6 @@
+{
+  "singleQuote": true,
+  "trailingComma": "all",
+  "printWidth": 100,
+  "tabWidth": 2
+}

Makefile

@@ -0,0 +1,23 @@
+export NODE_ENV := development
+
+.PHONY: check install test lint fmt fmt-check secret-scan
+
+check: install lint fmt-check secret-scan test
+
+install:
+	npm install
+
+test:
+	@echo "[SKIP] No tests found"
+
+lint:
+	npx eslint .
+
+fmt:
+	npx prettier --write .
+
+fmt-check:
+	npx prettier --check .
+
+secret-scan:
+	bash tools/secret-scan.sh .

README.md

@@ -3,6 +3,7 @@
 A lightweight CLI tool for OpenClaw agents to provide "Antigravity-style" live status updates in Mattermost channels (and others) without spamming.
 
 ## Features
+
 - **Live Updates:** Create a single message and update it repeatedly.
 - **Sub-Agent Support:** Works in clean environments via embedded config or CLI flags.
 - **Cross-Channel:** Supports dynamic channel targeting via `--channel`.
@@ -11,6 +12,7 @@ A lightweight CLI tool for OpenClaw agents to provide "Antigravity-style" live s
 ## Installation
 
 Run the interactive installer wizard:
+
 ```bash
 ./install.sh
 ```

package.json

@@ -0,0 +1,11 @@
+{
+  "name": "mattermost-openclaw-livestatus",
+  "version": "1.0.0",
+  "private": true,
+  "description": "OpenClaw Live Status Tool for Mattermost",
+  "devDependencies": {
+    "eslint": "^8.56.0",
+    "eslint-plugin-security": "^2.1.0",
+    "prettier": "^3.2.0"
+  }
+}

skill/SKILL.md

@@ -6,15 +6,20 @@ It allows you to create a "Live Log" post that you update in-place, reducing cha
 ## Usage
 
 ### 1. Initialize (Start of Task)
+
 Create a new status post. It will print the `POST_ID`.
 **Required:** Pass the `CHANNEL_ID` if known (otherwise it defaults to system channel).
+
 ```bash
 live-status create <CHANNEL_ID> "🚀 **Task Started:** Initializing..."
 ```
+
 **Output:** `p6...` (The Post ID)
 
 ### 2. Update (During Task)
+
 Update the post with new log lines. Use a code block for logs.
+
 ```bash
 live-status update <POST_ID> "🚀 **Task Started:** Initializing...
 \`\`\`
@@ -24,7 +29,9 @@ live-status update <POST_ID> "🚀 **Task Started:** Initializing...
 ```
 
 ### 3. Complete (End of Task)
+
 Mark as done.
+
 ```bash
 live-status update <POST_ID> "✅ **Task Complete.**
 \`\`\`
@@ -35,6 +42,7 @@ live-status update <POST_ID> "✅ **Task Complete.**
 ```
 
 ## Protocol
+
 - **Always** capture the `POST_ID` from the `create` command.
 - **Always** append to the previous log (maintain history).
 - **Use Code Blocks** for technical logs.

src/live-status.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 const https = require('http'); // Using http for mattermost:8065 (no ssl inside docker network)
-const fs = require('fs');
+const _fs = require('fs');
 
 // --- HELPER: PARSE ARGS ---
 const args = process.argv.slice(2);
@@ -10,101 +10,105 @@ let options = {};
 let otherArgs = [];
 
 for (let i = 0; i < args.length; i++) {
-    if (args[i] === '--channel') {
-        options.channel = args[i+1];
-        i++; // Skip next arg (the channel ID)
-    } else if (!command && (args[i] === 'create' || args[i] === 'update')) {
-        command = args[i];
-    } else {
-        otherArgs.push(args[i]);
-    }
+  if (args[i] === '--channel') {
+    options.channel = args[i + 1];
+    i++; // Skip next arg (the channel ID)
+  } else if (!command && (args[i] === 'create' || args[i] === 'update')) {
+    command = args[i];
+  } else {
+    otherArgs.push(args[i]);
+  }
 }
 
 // --- CONFIGURATION (DYNAMIC) ---
 const CONFIG = {
-    host: 'mattermost',
-    port: 8065,
-    token: 'DEFAULT_TOKEN_PLACEHOLDER', // Set via install.sh wizard
-    // Priority: 1. CLI Flag, 2. Env Var, 3. Hardcoded Fallback (Project-0)
-    channel_id: options.channel || process.env.MM_CHANNEL_ID || process.env.CHANNEL_ID || 'obzja4hb8pd85xk45xn4p31jye'
+  host: 'mattermost',
+  port: 8065,
+  token: 'DEFAULT_TOKEN_PLACEHOLDER', // Set via install.sh wizard
+  // Priority: 1. CLI Flag, 2. Env Var, 3. Hardcoded Fallback (Project-0)
+  channel_id:
+    options.channel ||
+    process.env.MM_CHANNEL_ID ||
+    process.env.CHANNEL_ID ||
+    'obzja4hb8pd85xk45xn4p31jye',
 };
 
 // --- HELPER: HTTP REQUEST ---
 function request(method, path, data) {
-    return new Promise((resolve, reject) => {
-        const options = {
-            hostname: CONFIG.host,
-            port: CONFIG.port,
-            path: '/api/v4' + path,
-            method: method,
-            headers: {
-                'Authorization': `Bearer ${CONFIG.token}`,
-                'Content-Type': 'application/json'
-            }
-        };
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: CONFIG.host,
+      port: CONFIG.port,
+      path: '/api/v4' + path,
+      method: method,
+      headers: {
+        Authorization: `Bearer ${CONFIG.token}`,
+        'Content-Type': 'application/json',
+      },
+    };
 
-        const req = https.request(options, (res) => {
-            let body = '';
-            res.on('data', (chunk) => body += chunk);
-            res.on('end', () => {
-                if (res.statusCode >= 200 && res.statusCode < 300) {
-                    try {
-                        resolve(JSON.parse(body));
-                    } catch (e) {
-                        resolve(body);
-                    }
-                } else {
-                    reject(new Error(`Request Failed (${res.statusCode}): ${body}`));
-                }
-            });
-        });
-
-        req.on('error', (e) => reject(e));
-        if (data) req.write(JSON.stringify(data));
-        req.end();
+    const req = https.request(options, (res) => {
+      let body = '';
+      res.on('data', (chunk) => (body += chunk));
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          try {
+            resolve(JSON.parse(body));
+          } catch (e) {
+            resolve(body);
+          }
+        } else {
+          reject(new Error(`Request Failed (${res.statusCode}): ${body}`));
+        }
+      });
     });
+
+    req.on('error', (e) => reject(e));
+    if (data) req.write(JSON.stringify(data));
+    req.end();
+  });
 }
 
 // --- COMMANDS ---
 
 async function createPost(text) {
-    try {
-        const result = await request('POST', '/posts', {
-            channel_id: CONFIG.channel_id,
-            message: text
-        });
-        console.log(result.id);
-    } catch (e) {
-        console.error(`Error creating post in channel ${CONFIG.channel_id}:`, e.message);
-        process.exit(1);
-    }
+  try {
+    const result = await request('POST', '/posts', {
+      channel_id: CONFIG.channel_id,
+      message: text,
+    });
+    console.log(result.id);
+  } catch (e) {
+    console.error(`Error creating post in channel ${CONFIG.channel_id}:`, e.message);
+    process.exit(1);
+  }
 }
 
 async function updatePost(postId, text) {
-    try {
-        const current = await request('GET', `/posts/${postId}`);
-        await request('PUT', `/posts/${postId}`, {
-            id: postId,
-            message: text,
-            props: current.props
-        });
-        console.log("updated");
-    } catch (e) {
-        console.error("Error updating post:", e.message);
-        process.exit(1);
-    }
+  try {
+    const current = await request('GET', `/posts/${postId}`);
+    await request('PUT', `/posts/${postId}`, {
+      id: postId,
+      message: text,
+      props: current.props,
+    });
+    console.log('updated');
+  } catch (e) {
+    console.error('Error updating post:', e.message);
+    process.exit(1);
+  }
 }
 
 // --- CLI ROUTER ---
 if (command === 'create') {
-    const text = otherArgs.join(' ');
-    createPost(text);
+  const text = otherArgs.join(' ');
+  createPost(text);
 } else if (command === 'update') {
-    const id = otherArgs[0];
-    const text = otherArgs.slice(1).join(' ');
-    updatePost(id, text);
+  const id = otherArgs[0];
+  const text = otherArgs.slice(1).join(' ');
+  updatePost(id, text);
 } else {
-    console.log("Usage: live-status [--channel ID] create <text>");
-    console.log("       live-status update <id> <text>");
-    process.exit(1);
+  console.log('Usage: live-status [--channel ID] create <text>');
+  console.log('       live-status update <id> <text>');
+  process.exit(1);
 }

tools/secret-scan.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Scans for private keys and high-entropy secrets
+# Usage: bash tools/secret-scan.sh [directory]
+# Uses .secret-scan-allowlist for false positives (one file path per line)
+
+set -e
+
+SCAN_DIR="${1:-.}"
+ALLOWLIST=".secret-scan-allowlist"
+FINDINGS=0
+
+# Build find exclusions
+EXCLUDES=(-not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/coverage/*" -not -path "*/dist/*")
+
+# Load allowlist
+ALLOWLIST_PATHS=()
+if [ -f "$ALLOWLIST" ]; then
+    while IFS= read -r line || [ -n "$line" ]; do
+        [[ "$line" =~ ^#.*$ || -z "$line" ]] && continue
+        ALLOWLIST_PATHS+=("$line")
+    done < "$ALLOWLIST"
+fi
+
+is_allowed() {
+    local file="$1"
+    for allowed in "${ALLOWLIST_PATHS[@]}"; do
+        if [[ "$file" == *"$allowed"* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+echo "Scanning $SCAN_DIR for secrets..."
+
+# Scan for private keys
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null; then
+        echo "FINDING [private-key]: $file"
+        FINDINGS=$((FINDINGS + 1))
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f)
+
+# Scan for high-entropy hex strings (40+ chars)
+while IFS= read -r file; do
+    [ -f "$file" ] || continue
+    is_allowed "$file" && continue
+    if grep -qE '[0-9a-f]{40,}' "$file" 2>/dev/null; then
+        # Filter out common false positives (git SHAs in lock files, etc.)
+        BASENAME=$(basename "$file")
+        if [[ "$BASENAME" != "package-lock.json" && "$BASENAME" != "*.lock" ]]; then
+            MATCHES=$(grep -oE '[0-9a-f]{40,}' "$file" 2>/dev/null || true)
+            if [ -n "$MATCHES" ]; then
+                echo "FINDING [high-entropy-hex]: $file"
+                FINDINGS=$((FINDINGS + 1))
+            fi
+        fi
+    fi
+done < <(find "$SCAN_DIR" "${EXCLUDES[@]}" -type f -not -name "package-lock.json" -not -name "*.lock")
+
+if [ "$FINDINGS" -gt 0 ]; then
+    echo "secret-scan: $FINDINGS finding(s) — FAIL"
+    exit 1
+else
+    echo "secret-scan: clean — PASS"
+    exit 0
+fi