npm - @emilia-protocol/fire-drill - Versions diffs - 0.2.0 → 0.3.1 - Mend

@emilia-protocol/fire-drill 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/corpus.js ADDED Viewed

@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * A representative sample of common MCP server tool surfaces, modeled on the
+ * publicly-documented tools of widely-used servers. This is a SAMPLE for the
+ * Report's computed figure — not the whole ecosystem. Point `corpus.mjs` at a
+ * directory of real manifests to compute the index over a larger corpus.
+ *
+ * Each entry is { name, manifest } where manifest is an MCP-style { tools }.
+ */
+export const REPRESENTATIVE_CORPUS = [
+  {
+    name: 'filesystem',
+    manifest: { tools: [{ name: 'read_file' }, { name: 'write_file' }, { name: 'list_directory' }, { name: 'delete_file', description: 'delete a file from disk' }, { name: 'move_file' }] },
+  },
+  {
+    name: 'github',
+    manifest: { tools: [{ name: 'get_repo' }, { name: 'create_issue' }, { name: 'delete_repository', description: 'delete a repo' }, { name: 'add_collaborator', description: 'grant access' }] },
+  },
+  {
+    name: 'postgres',
+    manifest: { tools: [{ name: 'query', description: 'run a read query' }, { name: 'execute_sql', description: 'run arbitrary SQL including DELETE and DROP' }] },
+  },
+  {
+    name: 'stripe',
+    manifest: { tools: [{ name: 'list_charges' }, { name: 'create_payout', description: 'pay out funds' }, { name: 'refund_charge', description: 'refund a charge' }] },
+  },
+  {
+    name: 'shopify',
+    manifest: { tools: [{ name: 'get_product' }, { name: 'delete_product', description: 'remove a product' }, { name: 'cancel_order', description: 'cancel a customer order' }] },
+  },
+  {
+    name: 'slack',
+    manifest: { tools: [{ name: 'post_message' }, { name: 'list_channels' }, { name: 'delete_message', description: 'delete a message' }] },
+  },
+  {
+    name: 'google-drive',
+    manifest: { tools: [{ name: 'search_files' }, { name: 'export_file', description: 'export and download a document' }, { name: 'delete_file' }] },
+  },
+  {
+    name: 'aws',
+    manifest: { tools: [{ name: 'describe_instances' }, { name: 'attach_user_policy', description: 'grant IAM permissions' }, { name: 'delete_user' }] },
+  },
+  {
+    name: 'notion',
+    manifest: { tools: [{ name: 'search' }, { name: 'create_page' }, { name: 'delete_block', description: 'delete content' }] },
+  },
+  {
+    name: 'weather (read-only)',
+    manifest: { tools: [{ name: 'get_forecast' }, { name: 'get_alerts' }, { name: 'list_stations' }] },
+  },
+];
+export default { REPRESENTATIVE_CORPUS };

package/corpus.mjs ADDED Viewed

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Agent Action Firewall Index — scan a corpus of MCP manifests / OpenAPI specs
+ * and aggregate. The number behind the Report.
+ *
+ *   node corpus.mjs <dir>     scan every *.json under <dir>
+ *   node corpus.mjs           scan the bundled representative sample
+ *   node corpus.mjs <dir> --json
+ *
+ * @license Apache-2.0
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { scan, aggregate } from './index.js';
+import { REPRESENTATIVE_CORPUS } from './corpus.js';
+const argv = process.argv.slice(2);
+const json = argv.includes('--json');
+const dir = argv.find((a) => !a.startsWith('--'));
+const reports = [];
+const labels = [];
+if (dir) {
+  const files = fs.readdirSync(dir).filter((f) => f.endsWith('.json'));
+  for (const f of files) {
+    try {
+      reports.push(scan(JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8'))));
+      labels.push(f);
+    } catch (e) {
+      console.error(`skip ${f}: ${e.message}`);
+    }
+  }
+} else {
+  for (const { name, manifest } of REPRESENTATIVE_CORPUS) {
+    reports.push(scan(manifest));
+    labels.push(name);
+  }
+}
+const agg = aggregate(reports);
+if (json) {
+  console.log(JSON.stringify(agg, null, 2));
+  process.exit(0);
+}
+const R = (s) => `\x1b[31m${s}\x1b[0m`;
+const G = (s) => `\x1b[32m${s}\x1b[0m`;
+console.log('='.repeat(66));
+console.log('  Agent Action Firewall Index');
+console.log('='.repeat(66));
+reports.forEach((r, i) => {
+  const tag = r.eg1 === 'pass' ? G('EG-1') : R(`${r.summary.ungated} unguarded`);
+  console.log(`  ${String(r.score).padStart(3)}/100  ${labels[i].padEnd(22)} ${tag}`);
+});
+console.log('  ' + '-'.repeat(62));
+console.log(`  ${agg.servers} servers · ${R(`${agg.pct_servers_with_unguarded_action}%`)} expose a dangerous action with NO receipt requirement`);
+console.log(`  ${agg.unguarded_operations} unguarded dangerous operations · mean score ${agg.mean_score}/100`);
+console.log(`  by family: ${Object.entries(agg.by_family).map(([k, v]) => `${k}=${v}`).join(' · ') || 'none'}`);
+console.log('='.repeat(66));

package/index.js CHANGED Viewed

@@ -211,7 +211,13 @@ export function badgeSvg({ eg1, score, label = 'agent action firewall' } = {}) {
   const lw = segWidth(label);
   const mw = segWidth(message);
   const w = lw + mw;
-  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  // Escape ALL XML-significant chars — including quotes — because `label`/`message`
+  // are interpolated into a double-quoted SVG attribute (aria-label). Missing the
+  // quote escape allowed attribute breakout / event-handler injection when the SVG
+  // is served as image/svg+xml from a public route.
+  const esc = (s) => String(s)
+    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
   return `<svg xmlns="http://www.w3.org/2000/svg" width="${w}" height="20" role="img" aria-label="${esc(label)}: ${esc(message)}">`
     + `<linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient>`
     + `<rect rx="3" width="${w}" height="20" fill="#555"/>`
@@ -223,6 +229,40 @@ export function badgeSvg({ eg1, score, label = 'agent action firewall' } = {}) {
     + `</g></svg>`;
 }
+// ── Corpus aggregation (the Report) ──────────────────────────────────────────
+/**
+ * Aggregate many scan reports into one Agent Action Firewall Index — the figure
+ * behind the Report. Honest by construction: it only summarizes the reports it
+ * was given; the caller decides the corpus.
+ * @param {object[]} reports  buildReport() results
+ */
+export function aggregate(reports = []) {
+  const servers = reports.length;
+  let dangerous = 0;
+  let ungated = 0;
+  let withUnguarded = 0;
+  let scoreSum = 0;
+  const byFamily = {};
+  for (const r of reports) {
+    dangerous += r.summary.dangerous;
+    ungated += r.summary.ungated;
+    if (r.summary.ungated > 0) withUnguarded += 1;
+    scoreSum += r.score;
+    for (const f of (r.findings || [])) byFamily[f.family] = (byFamily[f.family] || 0) + 1;
+  }
+  return {
+    '@version': FIRE_DRILL_VERSION,
+    servers,
+    servers_with_unguarded_action: withUnguarded,
+    pct_servers_with_unguarded_action: servers ? Math.round((withUnguarded / servers) * 100) : 0,
+    dangerous_operations: dangerous,
+    unguarded_operations: ungated,
+    mean_score: servers ? Math.round(scoreSum / servers) : 100,
+    by_family: byFamily,
+  };
+}
 // ── Generate-PR ──────────────────────────────────────────────────────────────
 /**
@@ -257,5 +297,5 @@ export default {
   FIRE_DRILL_VERSION, TAGLINE,
   classifyOperation, detectReceiptGate, buildReport,
   scan, scanMcpManifest, scanOpenApi, scanToolList,
-  badgeSvg, generatePullRequest,
+  badgeSvg, generatePullRequest, aggregate,
 };

package/package.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "name": "@emilia-protocol/fire-drill",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "description": "The Agent Action Firewall Test. Scan any MCP server manifest, OpenAPI spec, or tool list for dangerous actions an AI agent can take without an accountable human receipt — money movement, data destruction, production deploy, permission change, bulk export, regulated override. Reports an Agent Action Firewall score, the failing operations, the fix (EMILIA Gate), and EG-1 pass/fail. Static, zero-dependency, CI-friendly.",
   "license": "Apache-2.0",
   "type": "module",
   "main": "index.js",
   "bin": { "fire-drill": "cli.mjs" },
-  "exports": { ".": "./index.js", "./package.json": "./package.json" },
-  "files": ["index.js", "cli.mjs", "README.md"],
+  "exports": { ".": "./index.js", "./corpus.js": "./corpus.js", "./package.json": "./package.json" },
+  "files": ["index.js", "cli.mjs", "corpus.js", "corpus.mjs", "README.md"],
   "scripts": { "test": "node --test" },
   "keywords": ["emilia", "mcp", "mcp-security", "agent", "ai-safety", "ai-agent-security", "firewall", "openapi", "scanner", "fire-drill", "authorization", "receipt", "eg-1"]
 }