@getvetai/cli 0.1.0 → 0.2.0

package/README.md

@@ -10,19 +10,35 @@ Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools b
 npm install -g @getvetai/cli
 ```
 
+## What's New in v0.2.0
+
+- **Registry integration** — instant results for known tools from the getvet.ai catalog
+- **Expanded MCP config discovery** — Claude, Cursor, VS Code, Windsurf, Cline, Zed, Continue, OpenClaw
+- **`--offline` flag** — skip registry lookup for air-gapped environments
+- **`--deep` flag** — request a deep scan from the registry
+- **Better display** — trust score bars, registry links, badge indicators
+
 ## Commands
 
 ### `vet scan <target>`
 
 Scan a single tool for security issues. Accepts file paths, URLs, npm packages, or GitHub repos.
 
+For npm packages, the CLI first checks the getvet.ai registry for existing scan results. If a deep scan is available, it returns instantly without local analysis.
+
 ```bash
+# Scan an npm package (checks registry first)
+vet scan @modelcontextprotocol/server-filesystem
+
+# Skip registry, local analysis only
+vet scan @modelcontextprotocol/server-filesystem --offline
+
+# Request a deep scan from registry
+vet scan @modelcontextprotocol/server-filesystem --deep
+
 # Scan a local SKILL.md
 vet scan ./my-skill/SKILL.md
 
-# Scan an npm package
-vet scan @modelcontextprotocol/server-filesystem
-
 # Scan a GitHub repo
 vet scan https://github.com/modelcontextprotocol/servers
 
@@ -30,11 +46,22 @@ vet scan https://github.com/modelcontextprotocol/servers
 vet scan ./SKILL.md --json
 ```
 
-**Output includes:** trust score, badge (certified/reviewed/unverified/flagged), detected permissions, security issues, risk factors, and tools list.
+**Output includes:** trust score, badge (certified/reviewed/unverified/flagged), detected permissions, security issues, risk factors, tools list, and registry link.
 
 ### `vet audit [path]`
 
-Audit all AI tools in a project. Discovers tools from `package.json`, MCP configs (`.cursor/mcp.json`, Claude Desktop config), OpenClaw configs, and `SKILL.md` files.
+Audit all AI tools in a project. Discovers tools from:
+
+- `package.json` (MCP dependencies)
+- Cursor (`.cursor/mcp.json`)
+- Claude Desktop (`claude_desktop_config.json`)
+- VS Code (`settings.json` → `mcp.servers`)
+- Windsurf (`mcp.json`)
+- Cline (`mcp_settings.json`)
+- Zed (`settings.json` → `mcp`)
+- Continue (`config.json` → `mcpServers`)
+- OpenClaw (`openclaw.json`)
+- `SKILL.md` files
 
 ```bash
 # Audit current directory
@@ -61,9 +88,6 @@ vet find "database query tool"
 
 # JSON output
 vet find "weather" --json
-
-# Use local API
-vet find "search" --api http://localhost:3300
 ```
 
 ### `vet install <package>`
@@ -98,10 +122,6 @@ vet install --skill weather
 
 **MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection, environment variable scanning.
 
-## API
-
-By default, `vet find` uses the public API at `https://getvet.ai`. Use `--api` to point to a different instance.
-
 ## License
 
 MIT — [getvet.ai](https://getvet.ai)

package/dist/commands/find.d.ts

@@ -1,4 +1,3 @@
 export declare function findCommand(query: string, options: {
     json?: boolean;
-    api?: string;
 }): Promise<void>;

package/dist/commands/find.js

@@ -1,16 +1,11 @@
 import ora from 'ora';
+import { searchTools } from '../utils/api.js';
 import { displayFindResults } from '../utils/display.js';
 export async function findCommand(query, options) {
     const spinner = ora(`Searching "${query}"...`).start();
-    const api = options.api || 'https://getvet.ai';
     try {
-        const r = await fetch(`${api}/api/skills/search?q=${encodeURIComponent(query)}`);
-        if (!r.ok)
-            throw new Error(`API returned ${r.status}`);
-        const data = await r.json();
-        // Handle both array response and { results: [...] } response
-        const items = Array.isArray(data) ? data : (data.results || []);
-        const results = items.map(x => ({
+        const items = await searchTools(query);
+        const results = items.map((x) => ({
             name: x.name,
             slug: x.slug,
             description: x.description,
@@ -28,7 +23,6 @@ export async function findCommand(query, options) {
     }
     catch (err) {
         spinner.fail(`Search failed: ${err.message}`);
-        console.log('  Tip: use --api http://localhost:3300 for local dev');
         process.exitCode = 1;
     }
 }

package/dist/commands/scan.d.ts

@@ -1,4 +1,6 @@
 export declare function scanCommand(target: string, options: {
     json?: boolean;
     overview?: boolean;
+    offline?: boolean;
+    deep?: boolean;
 }): Promise<void>;

package/dist/commands/scan.js

@@ -1,8 +1,10 @@
 import { readFileSync, existsSync } from 'fs';
+import chalk from 'chalk';
 import ora from 'ora';
 import { analyzeSkill } from '../utils/analyzer.js';
 import { analyzeMcp } from '../utils/mcp-analyzer.js';
 import { displayScanReport } from '../utils/display.js';
+import { lookupTool, requestDeepScan } from '../utils/api.js';
 function detect(t) {
     if (/^https?:\/\/github\.com\//.test(t))
         return 'github';
@@ -17,6 +19,59 @@ export async function scanCommand(target, options) {
     try {
         const tt = detect(target);
         let result;
+        let registrySlug;
+        // Try registry lookup first for npm packages (unless --offline)
+        if (tt === 'npm' && !options.offline) {
+            spinner.text = `Checking Vet registry for ${target}...`;
+            const registryData = await lookupTool(target);
+            if (registryData && registryData.scanTier === 'deep') {
+                spinner.succeed(chalk.green('✓ Found in Vet registry (deep scan available)'));
+                registrySlug = registryData.slug || target;
+                result = {
+                    name: registryData.name || target,
+                    description: registryData.description,
+                    type: registryData.type || 'mcp',
+                    transport: registryData.transport,
+                    runtime: registryData.runtime,
+                    tools: registryData.tools || [],
+                    permissions: registryData.permissions || [],
+                    issues: registryData.issues || [],
+                    trustScore: registryData.trustScore ?? registryData.trust_score ?? 50,
+                    badge: registryData.badge || 'unverified',
+                    codeQuality: registryData.codeQuality || { hasTests: false, hasDocs: false, linesOfCode: 0 },
+                    riskFactors: registryData.riskFactors || [],
+                    overview: registryData.overview,
+                    envVars: registryData.envVars,
+                };
+                if (options.json)
+                    console.log(JSON.stringify(result, null, 2));
+                else
+                    displayScanReport(result, registrySlug);
+                process.exitCode = result.badge === 'flagged' ? 1 : 0;
+                return;
+            }
+            if (registryData) {
+                registrySlug = registryData.slug || target;
+                console.log(chalk.cyan(`  ℹ Found in Vet registry (indexed) — running local analysis too`));
+                console.log(chalk.gray(`  View: https://getvet.ai/catalog/${registrySlug}`));
+                console.log();
+            }
+        }
+        // Deep scan request
+        if (options.deep && tt === 'npm') {
+            spinner.text = `Requesting deep scan for ${target}...`;
+            const deepResult = await requestDeepScan(target);
+            if (deepResult) {
+                spinner.succeed(chalk.green('✓ Deep scan requested'));
+                if (deepResult.status === 'queued') {
+                    console.log(chalk.gray(`  Deep scan queued. Check back soon at https://getvet.ai/catalog/${target}`));
+                }
+            }
+            else {
+                spinner.info('Deep scan request failed — proceeding with local analysis');
+            }
+        }
+        // Local analysis (current behavior)
         if (tt === 'npm') {
             spinner.text = `Fetching npm: ${target}`;
             result = await analyzeMcp({ npmPackage: target });
@@ -43,7 +98,7 @@ export async function scanCommand(target, options) {
         if (options.json)
             console.log(JSON.stringify(result, null, 2));
         else
-            displayScanReport(result);
+            displayScanReport(result, registrySlug);
         process.exitCode = result.badge === 'flagged' ? 1 : 0;
     }
     catch (err) {

package/dist/index.js

@@ -8,13 +8,15 @@ const program = new Command();
 program
     .name('vet')
     .description('Security audit CLI for AI skills & MCP servers')
-    .version('0.1.0');
+    .version('0.2.0');
 program
     .command('scan')
     .description('Scan a single tool for security issues')
     .argument('<target>', 'URL, npm package, file path, or GitHub repo')
     .option('--json', 'Output JSON instead of formatted report')
     .option('--overview', 'Include AI-generated overview')
+    .option('--offline', 'Skip registry lookup')
+    .option('--deep', 'Request deep scan from registry')
     .action(scanCommand);
 program
     .command('audit')
@@ -29,7 +31,6 @@ program
     .description('Search for tools by description')
     .argument('<query>', 'Natural language search query')
     .option('--json', 'Output JSON')
-    .option('--api <url>', 'API endpoint (default: https://getvet.ai)')
     .action(findCommand);
 program
     .command('install')

package/dist/utils/api.d.ts

@@ -0,0 +1,3 @@
+export declare function lookupTool(slug: string): Promise<any | null>;
+export declare function searchTools(query: string): Promise<any[]>;
+export declare function requestDeepScan(slug: string): Promise<any | null>;

package/dist/utils/api.js

@@ -0,0 +1,46 @@
+const API_BASE = 'https://getvet.ai';
+export async function lookupTool(slug) {
+    try {
+        const resp = await fetch(`${API_BASE}/api/skills/${encodeURIComponent(slug)}`, {
+            headers: { 'User-Agent': 'vet-cli/0.2.0' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (resp.ok)
+            return await resp.json();
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function searchTools(query) {
+    try {
+        const resp = await fetch(`${API_BASE}/api/skills/search?q=${encodeURIComponent(query)}`, {
+            headers: { 'User-Agent': 'vet-cli/0.2.0' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (resp.ok) {
+            const data = await resp.json();
+            return Array.isArray(data) ? data : data.results || data.items || [];
+        }
+        return [];
+    }
+    catch {
+        return [];
+    }
+}
+export async function requestDeepScan(slug) {
+    try {
+        const resp = await fetch(`${API_BASE}/api/tools/${encodeURIComponent(slug)}/deep-scan`, {
+            method: 'POST',
+            headers: { 'User-Agent': 'vet-cli/0.2.0', 'Content-Type': 'application/json' },
+            signal: AbortSignal.timeout(10000),
+        });
+        if (resp.ok)
+            return await resp.json();
+        return null;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/utils/config.js

@@ -21,11 +21,15 @@ export function discoverTools(projectPath) {
         }
         catch { /* skip */ }
     }
+    // Standard MCP config files (mcpServers or servers key at top level)
     const mcpPaths = [
         join(projectPath, '.cursor', 'mcp.json'),
         join(projectPath, 'mcp.json'),
         join(homedir(), '.config', 'claude', 'claude_desktop_config.json'),
         join(homedir(), 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'),
+        join(homedir(), '.windsurf', 'mcp.json'),
+        join(homedir(), '.config', 'windsurf', 'mcp.json'),
+        join(homedir(), '.config', 'cline', 'mcp_settings.json'),
     ];
     for (const cp of mcpPaths) {
         if (!existsSync(cp))
@@ -43,6 +47,56 @@ export function discoverTools(projectPath) {
         }
         catch { /* skip */ }
     }
+    // VS Code settings.json — look for mcp.servers key
+    const vscodePath = join(homedir(), '.config', 'Code', 'User', 'settings.json');
+    if (existsSync(vscodePath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(vscodePath, 'utf-8'));
+            const svrs = cfg['mcp.servers'] || cfg?.mcp?.servers || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: vscodePath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(vscodePath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    // Zed settings.json — look for mcp key
+    const zedPath = join(homedir(), '.config', 'zed', 'settings.json');
+    if (existsSync(zedPath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(zedPath, 'utf-8'));
+            const svrs = cfg?.mcp?.servers || cfg?.mcp || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                if (typeof v !== 'object' || v === null)
+                    continue;
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: zedPath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(zedPath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    // Continue config.json — look for mcpServers key
+    const continuePath = join(homedir(), '.continue', 'config.json');
+    if (existsSync(continuePath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(continuePath, 'utf-8'));
+            const svrs = cfg.mcpServers || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: continuePath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(continuePath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
     for (const op of [join(projectPath, 'openclaw.json'), join(homedir(), '.openclaw', 'openclaw.json')]) {
         if (!existsSync(op))
             continue;

package/dist/utils/display.d.ts

@@ -1,12 +1,16 @@
 import type { AnalysisResult, BadgeType } from '../types.js';
-export declare function displayScanReport(r: AnalysisResult): void;
+export declare function displayScanReport(r: AnalysisResult, registrySlug?: string): void;
 export declare function displayAuditReport(results: AnalysisResult[], sources: {
     source: string;
     count: number;
 }[]): void;
 export declare function displayFindResults(results: Array<{
     name: string;
+    slug?: string;
     description?: string;
     trustScore?: number;
     badge?: BadgeType;
+    author?: string;
+    version?: string;
+    installs?: number;
 }>): void;

package/dist/utils/display.js

@@ -23,7 +23,7 @@ function overallRisk(r) {
         return 'medium';
     return 'low';
 }
-export function displayScanReport(r) {
+export function displayScanReport(r, registrySlug) {
     const b = BADGE[r.badge], rk = overallRisk(r);
     console.log();
     console.log(chalk.bold('  🔍 Vet Security Report'));
@@ -86,6 +86,10 @@ export function displayScanReport(r) {
         for (const l of r.overview.split('\n'))
             console.log(`  ${chalk.gray(l)}`);
     }
+    if (registrySlug) {
+        console.log();
+        console.log(`  ${chalk.gray('View full report:')} ${chalk.cyan(`https://getvet.ai/catalog/${registrySlug}`)}`);
+    }
     console.log();
     console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
     console.log();
@@ -128,10 +132,14 @@ export function displayFindResults(results) {
     for (const r of results) {
         const b = r.badge ? BADGE[r.badge] : BADGE.unverified;
         console.log();
-        console.log(`  ${b.emoji} ${chalk.bold(r.name)}`);
+        console.log(`  ${b.emoji} ${chalk.bold(r.name)}${r.version ? chalk.gray(` v${r.version}`) : ''}${r.author ? chalk.gray(` by ${r.author}`) : ''}`);
         if (r.description)
             console.log(`    ${chalk.gray(r.description.slice(0, 80))}`);
-        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}`);
+        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}  Badge: ${b.emoji} ${b.color(b.label)}`);
+        if (r.installs != null)
+            console.log(`    ${chalk.gray(`${r.installs.toLocaleString()} installs`)}`);
+        if (r.slug)
+            console.log(`    ${chalk.cyan(`https://getvet.ai/catalog/${r.slug}`)}`);
     }
     console.log();
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@getvetai/cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Security audit CLI for AI skills and MCP servers — scan, audit, and score tools before you install them",
   "type": "module",
   "license": "MIT",