@bryan-thompson/inspector-assessment-cli 1.43.1 → 1.43.3

package/build/assess-security.js

@@ -11,73 +11,58 @@
  */
 import * as fs from "fs";
 import * as path from "path";
-import { execSync } from "child_process";
+import * as os from "os";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-// Import shared server config loading (Issue #84 - Zod validation)
-import { loadServerConfig } from "./lib/assessment-runner/server-config.js";
-/**
- * Validate that a command is safe to execute
- * - Must be an absolute path or resolvable via PATH
- * - Must not contain shell metacharacters
- */
-function validateCommand(command) {
-    // Check for shell metacharacters that could indicate injection
-    const dangerousChars = /[;&|`$(){}[\]<>!\\]/;
-    if (dangerousChars.test(command)) {
-        throw new Error(`Invalid command: contains shell metacharacters: ${command}`);
-    }
-    // Verify the command exists and is executable
-    try {
-        // Use 'which' on Unix-like systems, 'where' on Windows
-        const whichCmd = process.platform === "win32" ? "where" : "which";
-        execSync(`${whichCmd} "${command}"`, { stdio: "pipe" });
-    }
-    catch {
-        // Check if it's an absolute path that exists
-        if (path.isAbsolute(command) && fs.existsSync(command)) {
-            try {
-                fs.accessSync(command, fs.constants.X_OK);
-                return; // Command exists and is executable
-            }
-            catch {
-                throw new Error(`Command not executable: ${command}`);
-            }
-        }
-        throw new Error(`Command not found: ${command}`);
-    }
-}
+// Import from local client lib (will use package exports when published)
+import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
+import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
 /**
- * Validate environment variables from config
- * - Keys must be valid env var names (alphanumeric + underscore)
- * - Values should not contain null bytes
+ * Load server configuration from Claude Code's MCP settings
  */
-function validateEnvVars(env) {
-    if (!env)
-        return {};
-    const validatedEnv = {};
-    const validKeyPattern = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
-    for (const [key, value] of Object.entries(env)) {
-        // Validate key format
-        if (!validKeyPattern.test(key)) {
-            console.warn(`Skipping invalid environment variable name: ${key} (must match [a-zA-Z_][a-zA-Z0-9_]*)`);
+function loadServerConfig(serverName, configPath) {
+    const possiblePaths = [
+        configPath,
+        path.join(os.homedir(), ".config", "mcp", "servers", `${serverName}.json`),
+        path.join(os.homedir(), ".config", "claude", "claude_desktop_config.json"),
+    ].filter(Boolean);
+    for (const tryPath of possiblePaths) {
+        if (!fs.existsSync(tryPath))
             continue;
+        const config = JSON.parse(fs.readFileSync(tryPath, "utf-8"));
+        if (config.mcpServers && config.mcpServers[serverName]) {
+            const serverConfig = config.mcpServers[serverName];
+            return {
+                transport: "stdio",
+                command: serverConfig.command,
+                args: serverConfig.args || [],
+                env: serverConfig.env || {},
+            };
         }
-        // Check for null bytes in value (could truncate strings)
-        if (typeof value === "string" && value.includes("\0")) {
-            console.warn(`Skipping environment variable with null byte: ${key}`);
-            continue;
+        if (config.url ||
+            config.transport === "http" ||
+            config.transport === "sse") {
+            if (!config.url) {
+                throw new Error(`Invalid server config: transport is '${config.transport}' but 'url' is missing`);
+            }
+            return {
+                transport: config.transport || "http",
+                url: config.url,
+            };
+        }
+        if (config.command) {
+            return {
+                transport: "stdio",
+                command: config.command,
+                args: config.args || [],
+                env: config.env || {},
+            };
         }
-        validatedEnv[key] = String(value);
     }
-    return validatedEnv;
+    throw new Error(`Server config not found for: ${serverName}\nTried: ${possiblePaths.join(", ")}`);
 }
-// Import from local client lib (will use package exports when published)
-import { SecurityAssessor } from "../../client/lib/services/assessment/modules/SecurityAssessor.js";
-import { DEFAULT_ASSESSMENT_CONFIG, } from "../../client/lib/lib/assessmentTypes.js";
-import { loadPerformanceConfig } from "../../client/lib/services/assessment/config/performanceConfig.js";
 /**
  * Connect to MCP server via configured transport
  */
@@ -98,16 +83,12 @@ async function connectToServer(config) {
         default:
             if (!config.command)
                 throw new Error("Command required for stdio transport");
-            // Validate command before execution to prevent injection attacks
-            validateCommand(config.command);
-            // Validate and sanitize environment variables from config
-            const validatedEnv = validateEnvVars(config.env);
             transport = new StdioClientTransport({
                 command: config.command,
                 args: config.args,
                 env: {
                     ...Object.fromEntries(Object.entries(process.env).filter(([, v]) => v !== undefined)),
-                    ...validatedEnv,
+                    ...config.env,
                 },
                 stderr: "pipe",
             });
@@ -172,22 +153,6 @@ function createCallToolWrapper(client) {
 async function runSecurityAssessment(options) {
     console.log(`\n🔍 Connecting to MCP server: ${options.serverName}`);
     const serverConfig = loadServerConfig(options.serverName, options.serverConfigPath);
-    // Load custom performance config if provided (Issue #37)
-    // Note: Currently, modules use DEFAULT_PERFORMANCE_CONFIG directly.
-    // This validates the config file but doesn't override runtime values yet.
-    if (options.performanceConfigPath) {
-        try {
-            const performanceConfig = loadPerformanceConfig(options.performanceConfigPath);
-            console.log(`📊 Performance config loaded from: ${options.performanceConfigPath}`);
-            console.log(`   Batch interval: ${performanceConfig.batchFlushIntervalMs}ms, ` +
-                `Security batch: ${performanceConfig.securityBatchSize}`);
-            // TODO: Wire performanceConfig through to SecurityAssessor
-        }
-        catch (error) {
-            console.error(`❌ Failed to load performance config: ${error instanceof Error ? error.message : String(error)}`);
-            throw error;
-        }
-    }
     const client = await connectToServer(serverConfig);
     console.log("✅ Connected successfully");
     const tools = await getTools(client, options.toolName);
@@ -197,7 +162,7 @@ async function runSecurityAssessment(options) {
     }
     const config = {
         ...DEFAULT_ASSESSMENT_CONFIG,
-        securityPatternsToTest: 30,
+        securityPatternsToTest: 13,
         reviewerMode: false,
         testTimeout: 30000,
     };
@@ -206,8 +171,9 @@ async function runSecurityAssessment(options) {
         tools,
         callTool: createCallToolWrapper(client),
         config,
+        transportType: serverConfig.transport || "stdio",
     };
-    console.log(`🛡️  Running security assessment with 30 attack patterns...`);
+    console.log(`🛡️  Running security assessment with 13 attack patterns...`);
     const assessor = new SecurityAssessor(config);
     const results = await assessor.assess(context);
     await client.close();
@@ -287,9 +253,6 @@ function parseArgs() {
             case "-v":
                 options.verbose = true;
                 break;
-            case "--performance-config":
-                options.performanceConfigPath = args[++i];
-                break;
             case "--help":
             case "-h":
                 printHelp();
@@ -326,23 +289,24 @@ function printHelp() {
     console.log(`
 Usage: mcp-assess-security [options] [server-name]
 
-Run security assessment against an MCP server with 30 attack patterns.
+Run security assessment against an MCP server with 13 attack patterns.
 
 Options:
   --server, -s <name>    Server name (required, or pass as first positional arg)
   --config, -c <path>    Path to server config JSON
   --output, -o <path>    Output JSON path (default: /tmp/inspector-security-assessment-<server>.json)
   --tool, -t <name>      Test only specific tool (default: test all tools)
-  --performance-config <path>  Path to performance tuning JSON (batch sizes, timeouts, etc.)
   --verbose, -v          Enable verbose logging
   --help, -h             Show this help message
 
-Attack Patterns Tested (30 total):
-  • Command Injection, SQL Injection, Path Traversal
-  • Calculator Injection, Code Execution, XXE
-  • Data Exfiltration, Token Theft, NoSQL Injection
-  • Unicode Bypass, Nested Injection, Package Squatting
-  • Session Management, Auth Bypass, and more...
+Attack Patterns Tested (13 total):
+  • Command Injection        • SQL Injection
+  • Calculator Injection     • Path Traversal
+  • Type Safety              • Boundary Testing
+  • Required Fields          • MCP Error Format
+  • Timeout Handling         • Indirect Prompt Injection
+  • Unicode Bypass           • Nested Injection
+  • Package Squatting
 
 Examples:
   mcp-assess-security my-server

package/build/lib/assessment-runner/assessment-executor.js

@@ -26,6 +26,10 @@ import { ExternalAPIDependencyDetector } from "../../../../client/lib/services/a
 import { StdioTransportDetector } from "../../../../client/lib/services/assessment/helpers/StdioTransportDetector.js";
 // Issue #170: Import tool annotation extractor for security severity adjustment
 import { extractToolAnnotationsContext } from "../../../../client/lib/services/assessment/helpers/ToolAnnotationExtractor.js";
+// Issue #212: Import native module detector for pre-flight warnings
+import { detectNativeModules } from "./native-module-detector.js";
+// Issue #213: Import static modules for static-only assessment
+import { RUNTIME_MODULES } from "../static-modules.js";
 /**
  * Run full assessment against an MCP server
  *
@@ -33,6 +37,174 @@ import { extractToolAnnotationsContext } from "../../../../client/lib/services/a
  * @returns Assessment results
  */
 export async function runFullAssessment(options) {
+    // Issue #213: Handle static-only mode
+    if (options.staticOnly) {
+        return runStaticOnlyAssessment(options);
+    }
+    // Issue #213: Handle fallback-static mode
+    if (options.fallbackStatic) {
+        try {
+            return await runRuntimeAssessment(options);
+        }
+        catch (error) {
+            if (!options.jsonOnly) {
+                console.log(`\n⚠️  Runtime assessment failed: ${error instanceof Error ? error.message : String(error)}`);
+                console.log("   Falling back to static-only assessment...\n");
+            }
+            // Fall back to static assessment
+            return runStaticOnlyAssessment(options);
+        }
+    }
+    // Default: runtime assessment
+    return runRuntimeAssessment(options);
+}
+/**
+ * Run static-only assessment (no server connection)
+ *
+ * Validates source code, manifest, documentation, and code quality
+ * without connecting to or executing the MCP server.
+ *
+ * @param options - CLI assessment options (must include sourceCodePath)
+ * @returns Assessment results from static-capable modules
+ * @see Issue #213
+ */
+async function runStaticOnlyAssessment(options) {
+    // Issue #155: Enable annotation debug mode if flag is set
+    if (options.debugAnnotations) {
+        setAnnotationDebugMode(true);
+        if (!options.jsonOnly) {
+            console.log("🔍 Annotation debug mode enabled (--debug-annotations)");
+        }
+    }
+    if (!options.jsonOnly) {
+        console.log(`\n📋 Starting static-only assessment for: ${options.serverName}`);
+        console.log("   Mode: No server connection (static analysis only)\n");
+    }
+    // Validate source code path is provided (should be caught by CLI validation)
+    if (!options.sourceCodePath) {
+        throw new Error("--static-only requires --source <path>");
+    }
+    // Phase 1: Static Discovery
+    const discoveryStart = Date.now();
+    emitPhaseStarted("discovery");
+    // Resolve and load source files
+    const resolvedSourcePath = resolveSourcePath(options.sourceCodePath);
+    if (!fs.existsSync(resolvedSourcePath)) {
+        throw new Error(`Source path not found: ${resolvedSourcePath}`);
+    }
+    const sourceFiles = loadSourceFiles(resolvedSourcePath, options.debugSource);
+    if (!options.jsonOnly) {
+        console.log(`📁 Loaded source files from: ${resolvedSourcePath}`);
+        console.log(`   README: ${sourceFiles.readmeContent ? "found" : "not found"}`);
+        console.log(`   package.json: ${sourceFiles.packageJson ? "found" : "not found"}`);
+        console.log(`   manifest.json: ${sourceFiles.manifestJson ? "found" : "not found"}`);
+        console.log(`   Source files: ${sourceFiles.sourceCodeFiles?.size || 0} file(s)`);
+    }
+    let tools = [];
+    if (sourceFiles.manifestJson) {
+        const manifest = sourceFiles.manifestJson;
+        if (manifest.mcp_config?.tools) {
+            // Convert manifest tools to expected schema format
+            tools = manifest.mcp_config.tools.map((t) => ({
+                name: t.name,
+                description: t.description,
+                inputSchema: {
+                    type: "object",
+                    properties: t.inputSchema?.properties || {},
+                },
+            }));
+            if (!options.jsonOnly) {
+                console.log(`   Tools from manifest: ${tools.length} tool(s)`);
+            }
+        }
+    }
+    // Emit discovery events (minimal - no server discovery)
+    emitToolsDiscoveryComplete(tools.length);
+    emitPhaseComplete("discovery", Date.now() - discoveryStart);
+    // Build static-mode configuration
+    const config = buildConfig(options);
+    // Emit modules_configured event
+    if (config.assessmentCategories) {
+        const enabled = [];
+        const skipped = [];
+        for (const [key, value] of Object.entries(config.assessmentCategories)) {
+            if (value) {
+                enabled.push(key);
+            }
+            else {
+                skipped.push(key);
+            }
+        }
+        emitModulesConfigured(enabled, skipped, "static-only");
+    }
+    const orchestrator = new AssessmentOrchestrator(config);
+    if (!options.jsonOnly) {
+        const enabledCount = Object.values(config.assessmentCategories || {}).filter(Boolean).length;
+        console.log(`\n🏃 Running ${enabledCount} static module(s)...`);
+        console.log(`   Skipped: ${RUNTIME_MODULES.length} runtime-only module(s)\n`);
+    }
+    // Phase 2: Static Assessment
+    const assessmentStart = Date.now();
+    emitPhaseStarted("assessment");
+    // Build assessment context WITHOUT server connection
+    // Use type assertion for tools - in static mode, tools are informational only
+    // and many static modules don't require them at all
+    const context = {
+        serverName: options.serverName,
+        tools: tools,
+        // NO callTool - static mode doesn't execute tools
+        callTool: undefined,
+        // NO listTools - static mode doesn't refresh tool list
+        listTools: undefined,
+        config,
+        sourceCodePath: options.sourceCodePath,
+        // Include all source files
+        ...sourceFiles,
+        // No resources/prompts in static mode
+        resources: [],
+        resourceTemplates: [],
+        prompts: [],
+        // No server info in static mode
+        serverInfo: undefined,
+        serverCapabilities: undefined,
+    };
+    const results = await orchestrator.runFullAssessment(context);
+    // End of assessment phase
+    emitPhaseComplete("assessment", Date.now() - assessmentStart);
+    // Mark results as static-only mode
+    const staticResults = {
+        ...results,
+        assessmentMode: "static-only",
+        staticContext: {
+            sourceCodePath: resolvedSourcePath,
+            manifestFound: !!sourceFiles.manifestJson,
+            packageJsonFound: !!sourceFiles.packageJson,
+            readmeFound: !!sourceFiles.readmeContent,
+            toolsExtracted: tools.length,
+            sourceFilesLoaded: sourceFiles.sourceCodeFiles?.size || 0,
+        },
+        skippedModules: RUNTIME_MODULES.map((name) => ({
+            name,
+            reason: "requires_runtime",
+        })),
+    };
+    // Emit assessment complete event
+    const defaultOutputPath = `/tmp/inspector-static-assessment-${options.serverName}.json`;
+    emitAssessmentComplete(staticResults.overallStatus, staticResults.totalTestsRun, staticResults.executionTime, options.outputPath || defaultOutputPath);
+    if (!options.jsonOnly) {
+        console.log(`\n✅ Static assessment complete`);
+        console.log(`   Tests run: ${staticResults.totalTestsRun}`);
+        console.log(`   Status: ${staticResults.overallStatus}`);
+    }
+    return staticResults;
+}
+/**
+ * Run runtime assessment (standard mode with server connection)
+ *
+ * @param options - CLI assessment options
+ * @returns Assessment results
+ */
+async function runRuntimeAssessment(options) {
     // Issue #155: Enable annotation debug mode if flag is set
     if (options.debugAnnotations) {
         setAnnotationDebugMode(true);
@@ -72,6 +244,28 @@ export async function runFullAssessment(options) {
             console.log("✅ Server config loaded");
         }
     }
+    // Issue #212: Pre-flight native module detection
+    // Run before server connection to warn about potential Gatekeeper/native issues
+    if (options.sourceCodePath) {
+        try {
+            const preflightSourcePath = resolveSourcePath(options.sourceCodePath);
+            if (fs.existsSync(preflightSourcePath)) {
+                const preflightSource = loadSourceFiles(preflightSourcePath, false);
+                if (preflightSource.packageJson) {
+                    const nativeModuleResult = detectNativeModules(preflightSource.packageJson, {
+                        jsonOnly: options.jsonOnly,
+                        serverName: options.serverName,
+                    });
+                    if (nativeModuleResult.detected && !options.jsonOnly) {
+                        console.log(`\u{1F4E6} Pre-flight check: ${nativeModuleResult.count} native module(s) detected`);
+                    }
+                }
+            }
+        }
+        catch {
+            // Pre-flight is best-effort; don't fail assessment if source path is invalid
+        }
+    }
     // Phase 1: Discovery
     const discoveryStart = Date.now();
     emitPhaseStarted("discovery");

package/build/lib/assessment-runner/config-builder.js

@@ -10,6 +10,7 @@ import { FULL_CLAUDE_CODE_CONFIG } from "../../../../client/lib/services/assessm
 import { loadPerformanceConfig } from "../../../../client/lib/services/assessment/config/performanceConfig.js";
 import { safeParseAssessmentConfig } from "../../../../client/lib/lib/assessment/configSchemas.js";
 import { getProfileModules, resolveModuleNames, modulesToLegacyConfig, } from "../../profiles.js";
+import { STATIC_MODULES } from "../static-modules.js";
 /**
  * Build assessment configuration from CLI options
  *
@@ -24,7 +25,51 @@ export function buildConfig(options) {
         testTimeout: 30000,
         enableSourceCodeAnalysis: Boolean(options.sourceCodePath),
     };
-    if (options.fullAssessment !== false) {
+    // Issue #213: Static-only mode - enable only static-capable modules
+    if (options.staticOnly) {
+        const staticModuleConfig = {};
+        // Start with all modules disabled
+        const allModules = getAllModulesConfig({
+            sourceCodePath: true, // Static mode always has source
+            skipTemporal: true, // Temporal requires runtime
+        });
+        for (const key of Object.keys(allModules)) {
+            staticModuleConfig[key] = false;
+        }
+        // Enable only static-capable modules
+        for (const module of STATIC_MODULES) {
+            staticModuleConfig[module] = true;
+        }
+        // Apply --only-modules filter if provided (whitelist within static modules)
+        if (options.onlyModules?.length) {
+            const resolved = resolveModuleNames(options.onlyModules);
+            for (const key of Object.keys(staticModuleConfig)) {
+                // Module must be in whitelist AND be static-capable
+                staticModuleConfig[key] =
+                    resolved.includes(key) && STATIC_MODULES.includes(key);
+            }
+        }
+        // Apply --skip-modules filter if provided
+        if (options.skipModules?.length) {
+            const resolved = resolveModuleNames(options.skipModules);
+            for (const module of resolved) {
+                if (module in staticModuleConfig) {
+                    staticModuleConfig[module] = false;
+                }
+            }
+        }
+        config.assessmentCategories =
+            staticModuleConfig;
+        // Log static mode info
+        const enabledModules = Object.entries(staticModuleConfig)
+            .filter(([_, enabled]) => enabled)
+            .map(([name]) => name);
+        console.log(`📋 Static-only mode: ${enabledModules.length} modules enabled`);
+        console.log(`   Modules: ${enabledModules.join(", ")}`);
+        // Skip the rest of the module configuration logic
+        // (claudeCode, performance config, logging will still be applied below)
+    }
+    else if (options.fullAssessment !== false) {
         // Priority: --profile > --only-modules > --skip-modules > default (all)
         if (options.profile) {
             // Use profile-based module selection

package/build/lib/assessment-runner/index.js

@@ -22,3 +22,5 @@ export { buildConfig } from "./config-builder.js";
 export { runFullAssessment } from "./assessment-executor.js";
 // Single Module Execution (Issue #184)
 export { runSingleModule, getValidModuleNames, } from "./single-module-runner.js";
+// Native Module Detection (Issue #212)
+export { detectNativeModules, } from "./native-module-detector.js";

package/build/lib/assessment-runner/native-module-detector.js

@@ -0,0 +1,107 @@
+/**
+ * Native Module Detector
+ *
+ * Pre-flight detection of native modules that may cause issues
+ * during MCP server connection (hangs, Gatekeeper blocks, etc.)
+ *
+ * This runs BEFORE server connection to warn users about potential
+ * issues with native binaries that may be blocked by macOS Gatekeeper
+ * or require platform-specific compilation.
+ *
+ * @module cli/lib/assessment-runner/native-module-detector
+ * @see https://github.com/triepod-ai/inspector-assessment/issues/212
+ */
+import { checkPackageJsonNativeModules, } from "../../../../client/lib/lib/nativeModules.js";
+import { emitNativeModuleWarning } from "../jsonl-events.js";
+/**
+ * Detect native modules in package.json and emit warnings
+ *
+ * This function should be called BEFORE attempting to connect to an MCP server.
+ * It scans package.json for known problematic native modules and:
+ * 1. Emits JSONL warning events for each detected module
+ * 2. Prints console warnings (unless jsonOnly is true)
+ * 3. Returns aggregated results for potential use in error messages
+ *
+ * @param packageJson - Parsed package.json content (or undefined if not available)
+ * @param options - Detection options
+ * @returns Detection result with warnings and suggestions
+ *
+ * @example
+ * ```typescript
+ * const result = detectNativeModules(sourceFiles.packageJson, {
+ *   jsonOnly: options.jsonOnly,
+ *   serverName: options.serverName,
+ * });
+ *
+ * if (result.detected) {
+ *   // Native modules found - warnings have been emitted
+ *   // result.suggestedEnvVars contains mitigation suggestions
+ * }
+ * ```
+ */
+export function detectNativeModules(packageJson, options = {}) {
+    const result = {
+        detected: false,
+        count: 0,
+        modules: [],
+        suggestedEnvVars: {},
+    };
+    // No package.json available - nothing to check
+    if (!packageJson) {
+        return result;
+    }
+    // Check for native modules
+    const matches = checkPackageJsonNativeModules(packageJson);
+    if (matches.length === 0) {
+        return result;
+    }
+    // Found native modules
+    result.detected = true;
+    result.count = matches.length;
+    // Process each match
+    for (const match of matches) {
+        // Add to result modules list
+        result.modules.push({
+            name: match.module.name,
+            category: match.module.category,
+            severity: match.module.severity,
+            warningMessage: match.module.warningMessage,
+            suggestedEnvVars: match.module.suggestedEnvVars,
+            dependencyType: match.dependencyType,
+            version: match.version,
+        });
+        // Collect suggested env vars
+        if (match.module.suggestedEnvVars) {
+            Object.assign(result.suggestedEnvVars, match.module.suggestedEnvVars);
+        }
+        // Emit JSONL event for each native module
+        emitNativeModuleWarning(match.module.name, match.module.category, match.module.severity, match.module.warningMessage, match.dependencyType, match.version, match.module.suggestedEnvVars);
+    }
+    // Print console warnings if not in JSON-only mode
+    if (!options.jsonOnly) {
+        printConsoleWarnings(matches, options.serverName);
+    }
+    return result;
+}
+/**
+ * Print formatted console warnings for detected native modules
+ */
+function printConsoleWarnings(matches, serverName) {
+    console.log("");
+    console.log(`\x1b[33m\u26a0\ufe0f  Native Module Warning: Detected ${matches.length} native module(s) that may cause issues:\x1b[0m`);
+    for (const match of matches) {
+        const severityIcon = match.module.severity === "HIGH" ? "\u{1F534}" : "\u{1F7E1}";
+        console.log(`   ${severityIcon} \x1b[1m${match.module.name}\x1b[0m (${match.dependencyType})`);
+        console.log(`      ${match.module.warningMessage}`);
+        if (match.module.suggestedEnvVars) {
+            const envVars = Object.entries(match.module.suggestedEnvVars)
+                .map(([k, v]) => `${k}=${v}`)
+                .join(" ");
+            console.log(`      \x1b[36mSuggested:\x1b[0m ${envVars}`);
+        }
+    }
+    console.log("");
+    console.log("   If server hangs or times out, native binaries may be blocked by macOS Gatekeeper.");
+    console.log("   See: https://support.apple.com/en-us/HT202491");
+    console.log("");
+}