@agent-wall/cli 0.1.0

package/src/commands/doctor.test.ts

@@ -0,0 +1,108 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import { doctorCommand } from "./doctor.js";
+
+vi.mock("node:fs");
+vi.mock("node:os");
+vi.mock("@agent-wall/core", () => {
+  class MockPolicyEngine {
+    evaluate() {
+      return { action: "allow", rule: null, message: "Default allow" };
+    }
+  }
+  return {
+    loadPolicy: (_configPath?: string) => ({
+      config: {
+        rules: [{ name: "test-rule", tools: ["*"], action: "allow" }],
+        defaultAction: "deny",
+      },
+      filePath: _configPath ?? "/test/agent-wall.yaml",
+    }),
+    PolicyEngine: MockPolicyEngine,
+  };
+});
+
+const mockFs = vi.mocked(fs);
+const mockOs = vi.mocked(os);
+
+describe("doctorCommand", () => {
+  let stderrSpy: any;
+
+  beforeEach(() => {
+    stderrSpy = vi.spyOn(process.stderr, "write").mockReturnValue(true);
+    mockOs.homedir.mockReturnValue("/home/testuser");
+    mockOs.platform.mockReturnValue("linux" as NodeJS.Platform);
+    mockFs.existsSync.mockReturnValue(false);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("shows doctor header", () => {
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Agent Wall Doctor");
+  });
+
+  it("checks Node.js version", () => {
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Node.js version");
+    expect(allOutput).toContain(process.versions.node);
+  });
+
+  it("checks policy config is valid", () => {
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Policy config");
+    expect(allOutput).toContain("1 rules");
+  });
+
+  it("reports MCP clients status", () => {
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("MCP clients found");
+  });
+
+  it("detects MCP client when config exists", () => {
+    mockFs.existsSync.mockImplementation((p: fs.PathLike) => {
+      return String(p).includes(".cursor");
+    });
+
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Cursor");
+  });
+
+  it("reports environment variable overrides", () => {
+    const originalConfig = process.env.AGENT_WALL_CONFIG;
+    process.env.AGENT_WALL_CONFIG = "/custom/config.yaml";
+
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("AGENT_WALL_CONFIG");
+
+    if (originalConfig === undefined) {
+      delete process.env.AGENT_WALL_CONFIG;
+    } else {
+      process.env.AGENT_WALL_CONFIG = originalConfig;
+    }
+  });
+
+  it("shows all-pass summary when everything is ok", () => {
+    // With valid config and Node >= 18, only MCP detection might fail
+    // but that's just informational
+    doctorCommand({});
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Summary");
+  });
+});

package/src/commands/doctor.ts

@@ -0,0 +1,146 @@
+/**
+ * agent-wall doctor — Health check for your Agent Wall setup.
+ *
+ * Verifies: config file exists & is valid, Node.js version,
+ * MCP clients detected, and whether servers are wrapped.
+ *
+ * Usage:
+ *   agent-wall doctor
+ *   agent-wall doctor --config ./agent-wall.yaml
+ */
+
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import chalk from "chalk";
+import { loadPolicy, PolicyEngine } from "@agent-wall/core";
+
+export interface DoctorOptions {
+  config?: string;
+}
+
+interface CheckResult {
+  label: string;
+  ok: boolean;
+  detail: string;
+}
+
+export function doctorCommand(options: DoctorOptions): void {
+  const checks: CheckResult[] = [];
+
+  process.stderr.write("\n");
+  process.stderr.write(
+    chalk.cyan("─── Agent Wall Doctor ───────────────────────────\n\n")
+  );
+
+  // ── Check 1: Node.js version ────────────────────────────────────
+  const nodeVersion = process.versions.node;
+  const [major] = nodeVersion.split(".").map(Number);
+  checks.push({
+    label: "Node.js version",
+    ok: major >= 18,
+    detail: `v${nodeVersion}${major < 18 ? " (requires >= 18)" : ""}`,
+  });
+
+  // ── Check 2: Config file ────────────────────────────────────────
+  let configOk = false;
+  let configDetail = "";
+  let ruleCount = 0;
+  try {
+    const { config, filePath } = loadPolicy(options.config);
+    configOk = true;
+    ruleCount = config.rules.length;
+    configDetail = `${filePath ?? "built-in defaults"} (${ruleCount} rules)`;
+
+    // Also validate the engine can initialize
+    const engine = new PolicyEngine(config);
+    engine.evaluate({ name: "__doctor_test__", arguments: {} });
+  } catch (err) {
+    configDetail = err instanceof Error ? err.message : String(err);
+  }
+  checks.push({
+    label: "Policy config",
+    ok: configOk,
+    detail: configDetail,
+  });
+
+  // ── Check 3: MCP client configs detected ────────────────────────
+  const home = os.homedir();
+  const platform = os.platform();
+  const mcpClients: Array<{ name: string; path: string }> = [
+    { name: "Claude Code", path: path.join(home, ".claude", "mcp_servers.json") },
+    { name: "Cursor", path: path.join(home, ".cursor", "mcp.json") },
+    { name: "VS Code", path: path.join(process.cwd(), ".vscode", "mcp.json") },
+    { name: "Windsurf", path: path.join(home, ".codeium", "windsurf", "mcp_config.json") },
+    { name: "Cline", path: path.join(home, ".cline", "mcp_settings.json") },
+  ];
+  if (platform === "win32") {
+    mcpClients.push({
+      name: "Claude Desktop",
+      path: path.join(home, "AppData", "Roaming", "Claude", "claude_desktop_config.json"),
+    });
+  } else if (platform === "darwin") {
+    mcpClients.push({
+      name: "Claude Desktop",
+      path: path.join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json"),
+    });
+  } else {
+    mcpClients.push({
+      name: "Claude Desktop",
+      path: path.join(home, ".config", "Claude", "claude_desktop_config.json"),
+    });
+  }
+
+  const detected = mcpClients.filter((c) => fs.existsSync(c.path));
+  checks.push({
+    label: "MCP clients found",
+    ok: detected.length > 0,
+    detail:
+      detected.length > 0
+        ? detected.map((c) => c.name).join(", ")
+        : "None detected (run 'agent-wall scan' for details)",
+  });
+
+  // ── Check 4: Environment variables ──────────────────────────────
+  const envVars: string[] = [];
+  if (process.env.AGENT_WALL_CONFIG) envVars.push("AGENT_WALL_CONFIG");
+  if (process.env.AGENT_WALL_LOG) envVars.push("AGENT_WALL_LOG");
+  checks.push({
+    label: "Env overrides",
+    ok: true, // Always "ok" — just informational
+    detail: envVars.length > 0 ? envVars.join(", ") : "None set",
+  });
+
+  // ── Print results ───────────────────────────────────────────────
+  for (const check of checks) {
+    const icon = check.ok ? chalk.green("✓") : chalk.red("✗");
+    process.stderr.write(
+      `  ${icon} ${chalk.bold.white(check.label)}\n`
+    );
+    process.stderr.write(chalk.gray(`    ${check.detail}\n\n`));
+  }
+
+  // ── Summary ─────────────────────────────────────────────────────
+  const failures = checks.filter((c) => !c.ok);
+  process.stderr.write(
+    chalk.cyan("─── Summary ────────────────────────────────────\n")
+  );
+  if (failures.length === 0) {
+    process.stderr.write(
+      chalk.green("  All checks passed. Agent Wall is ready.\n\n")
+    );
+  } else {
+    process.stderr.write(
+      chalk.yellow(
+        `  ${failures.length} issue(s) found:\n`
+      )
+    );
+    for (const f of failures) {
+      process.stderr.write(chalk.yellow(`    • ${f.label}: ${f.detail}\n`));
+    }
+    process.stderr.write("\n");
+  }
+  process.stderr.write(
+    chalk.cyan("─────────────────────────────────────────────────\n\n")
+  );
+}

package/src/commands/init.test.ts

@@ -0,0 +1,85 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { initCommand } from "./init.js";
+
+vi.mock("node:fs");
+vi.mock("@agent-wall/core", () => ({
+  generateDefaultConfigYaml: () =>
+    "version: 1\ndefaultAction: deny\nrules: []\n",
+}));
+
+const mockFs = vi.mocked(fs);
+
+describe("initCommand", () => {
+  let exitSpy: any;
+  let stderrSpy: any;
+
+  beforeEach(() => {
+    exitSpy = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit");
+    });
+    stderrSpy = vi.spyOn(process.stderr, "write").mockReturnValue(true);
+    mockFs.existsSync.mockReturnValue(false);
+    mockFs.writeFileSync.mockReturnValue(undefined);
+    mockFs.mkdirSync.mockReturnValue(undefined);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("creates a new config file at default path", () => {
+    initCommand({});
+    expect(mockFs.writeFileSync).toHaveBeenCalledWith(
+      expect.stringContaining("agent-wall.yaml"),
+      expect.stringContaining("version: 1"),
+      "utf-8"
+    );
+  });
+
+  it("creates config at custom path", () => {
+    initCommand({ path: "./custom/policy.yaml" });
+    expect(mockFs.writeFileSync).toHaveBeenCalledWith(
+      expect.stringContaining("policy.yaml"),
+      expect.any(String),
+      "utf-8"
+    );
+  });
+
+  it("exits with error when file exists and no --force", () => {
+    mockFs.existsSync.mockReturnValue(true);
+    expect(() => initCommand({})).toThrow("process.exit");
+    expect(exitSpy).toHaveBeenCalledWith(1);
+    expect(stderrSpy).toHaveBeenCalledWith(
+      expect.stringContaining("already exists")
+    );
+  });
+
+  it("overwrites when --force is used", () => {
+    mockFs.existsSync.mockImplementation((p) => {
+      // File exists, but force overwrite
+      return String(p).endsWith("agent-wall.yaml");
+    });
+    initCommand({ force: true });
+    expect(mockFs.writeFileSync).toHaveBeenCalled();
+  });
+
+  it("creates parent directory recursively", () => {
+    // First existsSync check: file doesn't exist; second: dir doesn't exist
+    mockFs.existsSync.mockReturnValue(false);
+    initCommand({ path: "./deep/nested/config.yaml" });
+    expect(mockFs.mkdirSync).toHaveBeenCalledWith(
+      expect.any(String),
+      { recursive: true }
+    );
+  });
+
+  it("prints success message with next steps", () => {
+    initCommand({});
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Created");
+    expect(allOutput).toContain("Next steps");
+    expect(allOutput).toContain("agent-wall wrap");
+  });
+});

package/src/commands/init.ts

@@ -0,0 +1,52 @@
+/**
+ * agent-wall init — Generate a starter agent-wall.yaml config.
+ *
+ * Usage:
+ *   agent-wall init
+ *   agent-wall init --path ./config/agent-wall.yaml
+ */
+
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { generateDefaultConfigYaml } from "@agent-wall/core";
+import chalk from "chalk";
+
+export interface InitOptions {
+  path?: string;
+  force?: boolean;
+}
+
+export function initCommand(options: InitOptions): void {
+  const outputPath = path.resolve(options.path ?? "agent-wall.yaml");
+
+  if (fs.existsSync(outputPath) && !options.force) {
+    process.stderr.write(
+      chalk.yellow(
+        `\n⚠  File already exists: ${outputPath}\n` +
+          "   Use --force to overwrite.\n\n"
+      )
+    );
+    process.exit(1);
+  }
+
+  const content = generateDefaultConfigYaml();
+  const dir = path.dirname(outputPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  fs.writeFileSync(outputPath, content, "utf-8");
+
+  process.stderr.write(
+    chalk.green("\n✓ ") +
+      chalk.white("Created ") +
+      chalk.bold(outputPath) +
+      "\n\n" +
+      chalk.gray("  Next steps:\n") +
+      chalk.gray("  1. Edit the rules to fit your project\n") +
+      chalk.gray("  2. Wrap your MCP server:\n\n") +
+      chalk.white(
+        "     agent-wall wrap -- npx @modelcontextprotocol/server-filesystem /path\n"
+      ) +
+      "\n"
+  );
+}

package/src/commands/scan.test.ts

@@ -0,0 +1,279 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import { scanCommand } from "./scan.js";
+
+vi.mock("node:fs");
+vi.mock("node:os");
+
+const mockFs = vi.mocked(fs);
+const mockOs = vi.mocked(os);
+
+describe("scanCommand", () => {
+  let exitSpy: any;
+  let stderrSpy: any;
+  let stdoutSpy: any;
+
+  beforeEach(() => {
+    exitSpy = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit");
+    });
+    stderrSpy = vi.spyOn(process.stderr, "write").mockReturnValue(true);
+    stdoutSpy = vi.spyOn(process.stdout, "write").mockReturnValue(true);
+    mockOs.homedir.mockReturnValue("/home/testuser");
+    mockOs.platform.mockReturnValue("linux" as NodeJS.Platform);
+    // Default: no config files found
+    mockFs.existsSync.mockReturnValue(false);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("shows warning when no config files are found", () => {
+    expect(() => scanCommand({})).toThrow("process.exit");
+    expect(exitSpy).toHaveBeenCalledWith(0);
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("No MCP configuration files found");
+  });
+
+  it("exits with error when specified config does not exist", () => {
+    expect(() =>
+      scanCommand({ config: "/nonexistent/mcp.json" })
+    ).toThrow("process.exit");
+    expect(exitSpy).toHaveBeenCalledWith(1);
+  });
+
+  it("scans a config with risky filesystem server", () => {
+    const mcpConfig = {
+      mcpServers: {
+        myFiles: {
+          command: "npx",
+          args: ["@modelcontextprotocol/server-filesystem", "/home/user"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("myFiles");
+    expect(allOutput).toContain("filesystem");
+    expect(allOutput).toContain("Risks found");
+  });
+
+  it("detects multiple risk types in a single server", () => {
+    const mcpConfig = {
+      mcpServers: {
+        dangerousServer: {
+          command: "node",
+          args: ["server-with-shell-and-filesystem.js"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("shell");
+    expect(allOutput).toContain("filesystem");
+  });
+
+  it("shows protected status for agent-wall wrapped servers", () => {
+    const mcpConfig = {
+      mcpServers: {
+        secureServer: {
+          command: "agent-wall",
+          args: ["wrap", "--", "npx", "server-filesystem", "/path"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Protected by Agent Wall");
+  });
+
+  it("reports clean scan for safe servers", () => {
+    const mcpConfig = {
+      mcpServers: {
+        safeServer: {
+          command: "node",
+          args: ["safe-read-only-server.js"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("No known risks detected");
+  });
+
+  it("detects critical cloud provider risks", () => {
+    const mcpConfig = {
+      mcpServers: {
+        cloud: {
+          command: "npx",
+          args: ["mcp-server-aws", "--region", "us-east-1"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("CRITICAL");
+    expect(allOutput).toContain("AWS");
+  });
+
+  it("handles invalid JSON config gracefully", () => {
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue("NOT_VALID_JSON{{{");
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Failed to parse");
+  });
+
+  it("suggests agent-wall wrap fix for risky servers", () => {
+    const mcpConfig = {
+      mcpServers: {
+        db: {
+          command: "npx",
+          args: ["mcp-server-postgres", "postgresql://localhost/mydb"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("agent-wall wrap");
+  });
+
+  it("handles flat MCP config format (no mcpServers wrapper)", () => {
+    const flatConfig = {
+      myServer: {
+        command: "npx",
+        args: ["server-filesystem", "/tmp"],
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(flatConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("myServer");
+  });
+
+  it("detects Playwright browser automation risk", () => {
+    const mcpConfig = {
+      mcpServers: {
+        browser: {
+          command: "npx",
+          args: ["@anthropic/mcp-server-playwright"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("Playwright");
+  });
+
+  it("detects critical payment/financial risks (Stripe)", () => {
+    const mcpConfig = {
+      mcpServers: {
+        payments: {
+          command: "npx",
+          args: ["@stripe/mcp-server-stripe"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("CRITICAL");
+    expect(allOutput).toContain("Payment");
+  });
+
+  it("detects SSH remote access as critical", () => {
+    const mcpConfig = {
+      mcpServers: {
+        remote: {
+          command: "npx",
+          args: ["mcp-server-ssh", "--host", "prod.example.com"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("CRITICAL");
+    expect(allOutput).toContain("SSH");
+  });
+
+  it("detects GitHub MCP server as medium risk", () => {
+    const mcpConfig = {
+      mcpServers: {
+        gh: {
+          command: "npx",
+          args: ["@modelcontextprotocol/server-github"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json" });
+
+    const allOutput = stderrSpy.mock.calls.map((c: any) => c[0]).join("");
+    expect(allOutput).toContain("GitHub");
+  });
+
+  it("outputs JSON when --json flag is set", () => {
+    const mcpConfig = {
+      mcpServers: {
+        myDb: {
+          command: "npx",
+          args: ["mcp-server-postgres", "postgresql://localhost/db"],
+        },
+      },
+    };
+    mockFs.existsSync.mockReturnValue(true);
+    mockFs.readFileSync.mockReturnValue(JSON.stringify(mcpConfig));
+
+    scanCommand({ config: "/test/mcp.json", json: true });
+
+    const jsonOut = stdoutSpy.mock.calls.map((c: any) => c[0]).join("");
+    const parsed = JSON.parse(jsonOut);
+    expect(parsed.servers).toHaveLength(1);
+    expect(parsed.servers[0].name).toBe("myDb");
+    expect(parsed.totalRisks).toBeGreaterThan(0);
+  });
+});