@getvetai/cli 0.2.0 → 0.4.0

package/README.md

@@ -1,8 +1,8 @@
 # @getvetai/cli
 
-Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools before you install them.
+Security audit CLI for AI skills and MCP servers. Scan, audit, and discover tools before you install them.
 
-🌐 **Registry:** [getvet.ai](https://getvet.ai) — 12,000+ AI tools cataloged and scored
+🌐 **Registry:** [getvet.ai](https://getvet.ai) — 23,000+ AI tools verified and scored
 
 ## Install
 
@@ -10,58 +10,43 @@ Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools b
 npm install -g @getvetai/cli
 ```
 
-## What's New in v0.2.0
+Or run without installing:
 
-- **Registry integration** — instant results for known tools from the getvet.ai catalog
-- **Expanded MCP config discovery** — Claude, Cursor, VS Code, Windsurf, Cline, Zed, Continue, OpenClaw
-- **`--offline` flag** — skip registry lookup for air-gapped environments
-- **`--deep` flag** — request a deep scan from the registry
-- **Better display** — trust score bars, registry links, badge indicators
+```bash
+npx @getvetai/cli scan .
+```
 
 ## Commands
 
 ### `vet scan <target>`
 
-Scan a single tool for security issues. Accepts file paths, URLs, npm packages, or GitHub repos.
-
-For npm packages, the CLI first checks the getvet.ai registry for existing scan results. If a deep scan is available, it returns instantly without local analysis.
+Scan a tool for security issues. Checks the [getvet.ai](https://getvet.ai) registry first for instant results.
 
 ```bash
 # Scan an npm package (checks registry first)
 vet scan @modelcontextprotocol/server-filesystem
 
-# Skip registry, local analysis only
+# Local analysis only (skip registry)
 vet scan @modelcontextprotocol/server-filesystem --offline
 
 # Request a deep scan from registry
 vet scan @modelcontextprotocol/server-filesystem --deep
 
-# Scan a local SKILL.md
-vet scan ./my-skill/SKILL.md
+# Scan a local project
+vet scan ./my-mcp-server
 
 # Scan a GitHub repo
 vet scan https://github.com/modelcontextprotocol/servers
 
-# Output JSON
+# JSON output
 vet scan ./SKILL.md --json
 ```
 
-**Output includes:** trust score, badge (certified/reviewed/unverified/flagged), detected permissions, security issues, risk factors, tools list, and registry link.
-
 ### `vet audit [path]`
 
-Audit all AI tools in a project. Discovers tools from:
+Audit all AI tools in a project. Auto-discovers MCP configurations from:
 
-- `package.json` (MCP dependencies)
-- Cursor (`.cursor/mcp.json`)
-- Claude Desktop (`claude_desktop_config.json`)
-- VS Code (`settings.json` → `mcp.servers`)
-- Windsurf (`mcp.json`)
-- Cline (`mcp_settings.json`)
-- Zed (`settings.json` → `mcp`)
-- Continue (`config.json` → `mcpServers`)
-- OpenClaw (`openclaw.json`)
-- `SKILL.md` files
+**Claude Desktop** · **Cursor** · **VS Code** · **Windsurf** · **Cline** · **Zed** · **Continue** · **OpenClaw**
 
 ```bash
 # Audit current directory
@@ -70,7 +55,7 @@ vet audit
 # Audit a specific project
 vet audit ./my-project
 
-# Strict mode — exit code 1 if any tool is unverified or flagged
+# Strict mode — exit 1 if any tool is unverified/flagged
 vet audit --strict
 
 # JSON output
@@ -79,12 +64,18 @@ vet audit --json
 
 ### `vet find <query>`
 
-Search the getvet.ai registry by description.
+Search the getvet.ai registry for tools by description.
 
 ```bash
 # Search for tools
-vet find "file management"
-vet find "database query tool"
+vet find "web scraping"
+vet find "database access"
+
+# Limit results
+vet find "browser automation" --limit 20
+
+# Filter by type
+vet find "file management" --type mcp
 
 # JSON output
 vet find "weather" --json
@@ -92,36 +83,57 @@ vet find "weather" --json
 
 ### `vet install <package>`
 
-Install a package with a pre-install security audit. Shows the security report and asks for confirmation if the tool is flagged.
+Install a package with a pre-install security audit.
 
 ```bash
-# Audit + install npm package
+# Audit + install
 vet install @modelcontextprotocol/server-github
 
 # Install globally
 vet install -g some-mcp-server
-
-# Install as OpenClaw skill
-vet install --skill weather
 ```
 
-## Trust Scores
+## Verification Levels
 
-| Score | Badge | Meaning |
+| Level | Badge | Meaning |
 |-------|-------|---------|
-| 75+ | ✅ Certified | No critical issues, good practices |
-| 50-74 | 🔍 Reviewed | Some concerns, use with caution |
-| 25-49 | ⚠️ Unverified | Not yet reviewed or limited info |
-| 0-24 | 🚫 Flagged | Critical security issues found |
+| L2 | ✅ Verified | Installs, boots, tools discovered and tested |
+| L1 | 🔍 Boots | Installs and boots successfully |
+| L0 | ⚠️ Indexed | Cataloged, not yet verified |
 
 ## What It Detects
 
-**Permissions:** shell execution, file read/write, network access, browser control, message sending, device access (camera, screen, location), database queries, crypto operations.
+- **Permissions:** shell execution, file I/O, network access, browser control, database queries, crypto operations
+- **Security issues:** destructive commands, remote code execution, dynamic eval, credential patterns, elevated privileges
+- **MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection
+- **Requirements:** environment variables, API keys, Docker dependencies
+
+## API Access
+
+Access verified tool schemas programmatically. Create a free API key at [getvet.ai/dashboard](https://getvet.ai/dashboard) → API Keys.
+
+```bash
+# Fetch tool schemas
+curl -H "x-api-key: vet_sk_YOUR_KEY" https://getvet.ai/api/v1/tools/TOOL_SLUG/schemas
+
+# Or use Bearer token
+curl -H "Authorization: Bearer vet_sk_YOUR_KEY" https://getvet.ai/api/v1/tools/TOOL_SLUG/schemas
+
+# Bulk fetch (multiple tools at once)
+curl -X POST \
+  -H "x-api-key: vet_sk_YOUR_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"slugs":["tool-1","tool-2"]}' \
+  https://getvet.ai/api/v1/tools/schemas/bulk
+```
+
+See [getvet.ai/get-started](https://getvet.ai/get-started) for full documentation.
 
-**Security Issues:** destructive commands (`rm -rf`), remote code execution (`curl | bash`), dynamic code eval, credential patterns, elevated privileges (`sudo`), permissive file permissions.
+## Links
 
-**MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection, environment variable scanning.
+- 🌐 [getvet.ai](https://getvet.ai) — Browse the registry
+- 📦 [npm](https://www.npmjs.com/package/@getvetai/cli) — Package page
 
 ## License
 
-MIT — [getvet.ai](https://getvet.ai)
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@getvetai/cli",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Security audit CLI for AI skills and MCP servers — scan, audit, and score tools before you install them",
   "type": "module",
   "license": "MIT",
@@ -14,11 +14,10 @@
   ],
   "repository": {
     "type": "git",
-    "url": "https://github.com/getvetai/vet.git",
-    "directory": "cli"
+    "url": "https://github.com/getvetai/cli.git"
   },
+  "bugs": "https://github.com/getvetai/cli/issues",
   "homepage": "https://getvet.ai",
-  "bugs": "https://github.com/getvetai/vet/issues",
   "keywords": [
     "ai",
     "security",

package/dist/commands/audit.d.ts

@@ -1,5 +0,0 @@
-export declare function auditCommand(path: string | undefined, options: {
-    json?: boolean;
-    strict?: boolean;
-    fix?: boolean;
-}): Promise<void>;

package/dist/commands/audit.js

@@ -1,45 +0,0 @@
-import { resolve } from 'path';
-import ora from 'ora';
-import { discoverTools } from '../utils/config.js';
-import { analyzeSkill } from '../utils/analyzer.js';
-import { analyzeMcp } from '../utils/mcp-analyzer.js';
-import { displayAuditReport } from '../utils/display.js';
-export async function auditCommand(path, options) {
-    const pp = resolve(path || '.');
-    const spinner = ora(`Scanning ${pp}...`).start();
-    try {
-        const { tools, sources } = discoverTools(pp);
-        if (!tools.length) {
-            spinner.info('No AI tools found.');
-            return;
-        }
-        spinner.text = `Found ${tools.length} tools...`;
-        const results = [];
-        for (const t of tools) {
-            spinner.text = `Analyzing ${t.name}...`;
-            try {
-                if (t.type === 'skill' && t.content)
-                    results.push(analyzeSkill(t.content, t.name));
-                else if (t.type === 'mcp-package' || t.type === 'mcp-config')
-                    results.push(await analyzeMcp({ npmPackage: t.target }));
-                else
-                    results.push(analyzeSkill('', t.name));
-            }
-            catch {
-                results.push({ name: t.name, permissions: [], issues: [{ severity: 'warning', message: 'Analysis failed' }], trustScore: 0, badge: 'unverified', codeQuality: { hasTests: false, hasDocs: false, linesOfCode: 0 }, riskFactors: [] });
-            }
-        }
-        spinner.stop();
-        if (options.json)
-            console.log(JSON.stringify({ sources, results }, null, 2));
-        else
-            displayAuditReport(results, sources);
-        process.exitCode = options.strict
-            ? (results.some(r => r.badge === 'unverified' || r.badge === 'flagged') ? 1 : 0)
-            : (results.some(r => r.badge === 'flagged') ? 1 : 0);
-    }
-    catch (err) {
-        spinner.fail(`Failed: ${err.message}`);
-        process.exitCode = 2;
-    }
-}

package/dist/commands/find.d.ts

@@ -1,3 +0,0 @@
-export declare function findCommand(query: string, options: {
-    json?: boolean;
-}): Promise<void>;

package/dist/commands/find.js

@@ -1,28 +0,0 @@
-import ora from 'ora';
-import { searchTools } from '../utils/api.js';
-import { displayFindResults } from '../utils/display.js';
-export async function findCommand(query, options) {
-    const spinner = ora(`Searching "${query}"...`).start();
-    try {
-        const items = await searchTools(query);
-        const results = items.map((x) => ({
-            name: x.name,
-            slug: x.slug,
-            description: x.description,
-            trustScore: x.trustScore ?? x.trust_score,
-            badge: x.badge,
-            author: x.author,
-            version: x.version,
-            installs: x.installs,
-        }));
-        spinner.stop();
-        if (options.json)
-            console.log(JSON.stringify(results, null, 2));
-        else
-            displayFindResults(results);
-    }
-    catch (err) {
-        spinner.fail(`Search failed: ${err.message}`);
-        process.exitCode = 1;
-    }
-}

package/dist/commands/install.d.ts

@@ -1,5 +0,0 @@
-export declare function installCommand(pkg: string, options: {
-    json?: boolean;
-    global?: boolean;
-    skill?: boolean;
-}): Promise<void>;

package/dist/commands/install.js

@@ -1,44 +0,0 @@
-import { createInterface } from 'readline';
-import { execSync } from 'child_process';
-import ora from 'ora';
-import chalk from 'chalk';
-import { analyzeMcp } from '../utils/mcp-analyzer.js';
-import { displayScanReport } from '../utils/display.js';
-async function confirm(msg) {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    return new Promise(res => {
-        rl.question(msg, a => { rl.close(); res(a.toLowerCase() === 'y' || a.toLowerCase() === 'yes'); });
-    });
-}
-export async function installCommand(pkg, options) {
-    const spinner = ora(`Auditing ${pkg}...`).start();
-    try {
-        const result = await analyzeMcp({ npmPackage: pkg });
-        spinner.stop();
-        displayScanReport(result);
-        if (result.badge === 'flagged') {
-            console.log(chalk.red.bold('  ⚠️  This package has been flagged!'));
-            if (!await confirm(chalk.yellow('  Install anyway? (y/N) '))) {
-                console.log(chalk.gray('  Cancelled.'));
-                process.exitCode = 1;
-                return;
-            }
-        }
-        const s2 = ora(`Installing ${pkg}...`).start();
-        try {
-            if (options.skill)
-                execSync(`npx clawhub install ${pkg}`, { stdio: 'pipe' });
-            else
-                execSync(`npm install${options.global ? ' -g' : ''} ${pkg}`, { stdio: 'pipe' });
-            s2.succeed(`${pkg} installed`);
-        }
-        catch (e) {
-            s2.fail(`Install failed: ${e.message}`);
-            process.exitCode = 1;
-        }
-    }
-    catch (err) {
-        spinner.fail(`Audit failed: ${err.message}`);
-        process.exitCode = 2;
-    }
-}

package/dist/commands/scan.d.ts

@@ -1,6 +0,0 @@
-export declare function scanCommand(target: string, options: {
-    json?: boolean;
-    overview?: boolean;
-    offline?: boolean;
-    deep?: boolean;
-}): Promise<void>;

package/dist/commands/scan.js

@@ -1,108 +0,0 @@
-import { readFileSync, existsSync } from 'fs';
-import chalk from 'chalk';
-import ora from 'ora';
-import { analyzeSkill } from '../utils/analyzer.js';
-import { analyzeMcp } from '../utils/mcp-analyzer.js';
-import { displayScanReport } from '../utils/display.js';
-import { lookupTool, requestDeepScan } from '../utils/api.js';
-function detect(t) {
-    if (/^https?:\/\/github\.com\//.test(t))
-        return 'github';
-    if (/^https?:\/\//.test(t))
-        return 'url';
-    if (existsSync(t))
-        return 'file';
-    return 'npm';
-}
-export async function scanCommand(target, options) {
-    const spinner = ora('Analyzing...').start();
-    try {
-        const tt = detect(target);
-        let result;
-        let registrySlug;
-        // Try registry lookup first for npm packages (unless --offline)
-        if (tt === 'npm' && !options.offline) {
-            spinner.text = `Checking Vet registry for ${target}...`;
-            const registryData = await lookupTool(target);
-            if (registryData && registryData.scanTier === 'deep') {
-                spinner.succeed(chalk.green('✓ Found in Vet registry (deep scan available)'));
-                registrySlug = registryData.slug || target;
-                result = {
-                    name: registryData.name || target,
-                    description: registryData.description,
-                    type: registryData.type || 'mcp',
-                    transport: registryData.transport,
-                    runtime: registryData.runtime,
-                    tools: registryData.tools || [],
-                    permissions: registryData.permissions || [],
-                    issues: registryData.issues || [],
-                    trustScore: registryData.trustScore ?? registryData.trust_score ?? 50,
-                    badge: registryData.badge || 'unverified',
-                    codeQuality: registryData.codeQuality || { hasTests: false, hasDocs: false, linesOfCode: 0 },
-                    riskFactors: registryData.riskFactors || [],
-                    overview: registryData.overview,
-                    envVars: registryData.envVars,
-                };
-                if (options.json)
-                    console.log(JSON.stringify(result, null, 2));
-                else
-                    displayScanReport(result, registrySlug);
-                process.exitCode = result.badge === 'flagged' ? 1 : 0;
-                return;
-            }
-            if (registryData) {
-                registrySlug = registryData.slug || target;
-                console.log(chalk.cyan(`  ℹ Found in Vet registry (indexed) — running local analysis too`));
-                console.log(chalk.gray(`  View: https://getvet.ai/catalog/${registrySlug}`));
-                console.log();
-            }
-        }
-        // Deep scan request
-        if (options.deep && tt === 'npm') {
-            spinner.text = `Requesting deep scan for ${target}...`;
-            const deepResult = await requestDeepScan(target);
-            if (deepResult) {
-                spinner.succeed(chalk.green('✓ Deep scan requested'));
-                if (deepResult.status === 'queued') {
-                    console.log(chalk.gray(`  Deep scan queued. Check back soon at https://getvet.ai/catalog/${target}`));
-                }
-            }
-            else {
-                spinner.info('Deep scan request failed — proceeding with local analysis');
-            }
-        }
-        // Local analysis (current behavior)
-        if (tt === 'npm') {
-            spinner.text = `Fetching npm: ${target}`;
-            result = await analyzeMcp({ npmPackage: target });
-        }
-        else if (tt === 'github') {
-            spinner.text = `Fetching GitHub: ${target}`;
-            result = await analyzeMcp({ githubUrl: target });
-        }
-        else if (tt === 'url') {
-            spinner.text = `Fetching: ${target}`;
-            const resp = await fetch(target, { headers: { 'User-Agent': 'Vet/1.0' } });
-            if (!resp.ok)
-                throw new Error(`HTTP ${resp.status}`);
-            const content = await resp.text();
-            result = target.endsWith('SKILL.md') ? analyzeSkill(content) : await analyzeMcp({ readme: content, name: target.split('/').pop()?.replace(/\.(md|json)$/, '') });
-        }
-        else {
-            const content = readFileSync(target, 'utf-8');
-            result = target.endsWith('SKILL.md') ? analyzeSkill(content)
-                : (content.includes('MCP') || target.includes('mcp')) ? await analyzeMcp({ readme: content, name: target.split('/').pop()?.replace(/\.(md|json)$/, '') })
-                    : analyzeSkill(content);
-        }
-        spinner.stop();
-        if (options.json)
-            console.log(JSON.stringify(result, null, 2));
-        else
-            displayScanReport(result, registrySlug);
-        process.exitCode = result.badge === 'flagged' ? 1 : 0;
-    }
-    catch (err) {
-        spinner.fail(`Failed: ${err.message}`);
-        process.exitCode = 2;
-    }
-}

package/dist/index.d.ts

@@ -1,2 +0,0 @@
-#!/usr/bin/env node
-export {};

package/dist/index.js

@@ -1,43 +0,0 @@
-#!/usr/bin/env node
-import { Command } from 'commander';
-import { scanCommand } from './commands/scan.js';
-import { auditCommand } from './commands/audit.js';
-import { findCommand } from './commands/find.js';
-import { installCommand } from './commands/install.js';
-const program = new Command();
-program
-    .name('vet')
-    .description('Security audit CLI for AI skills & MCP servers')
-    .version('0.2.0');
-program
-    .command('scan')
-    .description('Scan a single tool for security issues')
-    .argument('<target>', 'URL, npm package, file path, or GitHub repo')
-    .option('--json', 'Output JSON instead of formatted report')
-    .option('--overview', 'Include AI-generated overview')
-    .option('--offline', 'Skip registry lookup')
-    .option('--deep', 'Request deep scan from registry')
-    .action(scanCommand);
-program
-    .command('audit')
-    .description('Audit all AI tools in a project')
-    .argument('[path]', 'Project path (defaults to current directory)')
-    .option('--json', 'Output JSON')
-    .option('--strict', 'Exit code 1 if any tool is unverified or flagged')
-    .option('--fix', 'Suggest safer alternatives for flagged tools')
-    .action(auditCommand);
-program
-    .command('find')
-    .description('Search for tools by description')
-    .argument('<query>', 'Natural language search query')
-    .option('--json', 'Output JSON')
-    .action(findCommand);
-program
-    .command('install')
-    .description('Install a package with pre-install security audit')
-    .argument('<package>', 'npm package name')
-    .option('--json', 'Output JSON')
-    .option('-g, --global', 'Install globally')
-    .option('--skill', 'Install as OpenClaw skill via clawhub')
-    .action(installCommand);
-program.parse();

package/dist/types.d.ts

@@ -1,52 +0,0 @@
-export type BadgeType = 'certified' | 'reviewed' | 'unverified' | 'flagged';
-export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
-export type SkillType = 'skill' | 'mcp';
-export type Transport = 'stdio' | 'http' | 'sse';
-export interface Permission {
-    type: string;
-    target?: string;
-    risk: RiskLevel;
-    detected_by?: string;
-    evidence?: string[];
-}
-export interface SecurityIssue {
-    severity: RiskLevel | 'info' | 'warning';
-    message: string;
-    count?: number;
-    evidence?: string[];
-}
-export interface CodeQuality {
-    hasTests: boolean;
-    hasDocs: boolean;
-    hasLicense?: boolean;
-    hasPermissionDeclaration?: boolean;
-    linesOfCode: number;
-    dependencyCount?: number;
-}
-export interface McpTool {
-    name: string;
-    description?: string;
-    inputSchema?: McpToolParam[];
-    permissions?: Permission[];
-}
-export interface McpToolParam {
-    name: string;
-    type: string;
-    description: string;
-}
-export interface AnalysisResult {
-    name: string;
-    description?: string;
-    type?: SkillType;
-    transport?: Transport;
-    runtime?: string;
-    tools?: McpTool[];
-    permissions: Permission[];
-    issues: SecurityIssue[];
-    trustScore: number;
-    badge: BadgeType;
-    codeQuality: CodeQuality;
-    riskFactors: string[];
-    overview?: string;
-    envVars?: string[];
-}

package/dist/types.js

@@ -1 +0,0 @@
-export {};

package/dist/utils/analyzer.d.ts

@@ -1,3 +0,0 @@
-import type { AnalysisResult } from '../types.js';
-export declare function parseSkillName(content: string, fallback?: string): string;
-export declare function analyzeSkill(content: string, name?: string): AnalysisResult;

package/dist/utils/analyzer.js

@@ -1,94 +0,0 @@
-const PERM_PATTERNS = [
-    { pattern: /\bexec\b|\bshell\b|\bcommand\b|\bspawn\b|\bchild_process\b/gi, type: 'exec:shell', risk: 'critical' },
-    { pattern: /\bread\b.*file|\bfs[:\.]read|\bReadFile|\bfile.*read/gi, type: 'fs:read', risk: 'low' },
-    { pattern: /\bwrite\b.*file|\bfs[:\.]write|\bWriteFile|\bfile.*write|\bcreate.*file/gi, type: 'fs:write', risk: 'medium' },
-    { pattern: /\bweb_fetch\b|\bfetch\b|\bhttp[s]?:\/\/|\baxios\b|\brequest\b/gi, type: 'net:outbound', risk: 'medium' },
-    { pattern: /\bbrowser\b|\bpuppeteer\b|\bplaywright\b|\bselenium\b/gi, type: 'browser:control', risk: 'high' },
-    { pattern: /\bmessage\b.*send|\bsend.*message|\bemail\b|\bslack\b|\bdiscord\b|\btelegram\b/gi, type: 'msg:send', risk: 'high' },
-    { pattern: /\bprocess\b|\bbackground\b|\bdaemon\b/gi, type: 'exec:process', risk: 'medium' },
-    { pattern: /\bweb_search\b|\bsearch.*web/gi, type: 'net:search', risk: 'low' },
-    { pattern: /\bcrypto\b|\bsign\b|\bencrypt\b|\bdecrypt\b/gi, type: 'crypto:sign', risk: 'medium' },
-    { pattern: /\bimage\b.*analy|\bvision\b|\bocr\b/gi, type: 'media:analyze', risk: 'low' },
-    { pattern: /\btts\b|\btext.to.speech\b|\bspeech\b/gi, type: 'media:tts', risk: 'low' },
-    { pattern: /\bcanvas\b|\bpresent\b.*ui/gi, type: 'ui:canvas', risk: 'low' },
-    { pattern: /\bnodes?\b.*camera|\bcamera\b.*snap/gi, type: 'device:camera', risk: 'high' },
-    { pattern: /\bscreen\b.*record|\bscreenshot\b/gi, type: 'device:screen', risk: 'medium' },
-    { pattern: /\blocation\b|\bgps\b|\bgeolocat/gi, type: 'device:location', risk: 'high' },
-];
-const RISKY_PATTERNS = [
-    { pattern: /rm\s+-rf\b/g, message: 'Destructive file deletion (rm -rf)', severity: 'critical' },
-    { pattern: /curl\s.*\|\s*bash/g, message: 'Remote code execution (curl | bash)', severity: 'critical' },
-    { pattern: /\beval\s*\(/g, message: 'Dynamic code execution (eval)', severity: 'critical' },
-    { pattern: /\bnew\s+Function\s*\(/g, message: 'Dynamic function creation', severity: 'high' },
-    { pattern: /\b(password|secret|token|api[_-]?key|private[_-]?key|mnemonic)\b/gi, message: 'Credential/secret pattern detected', severity: 'high' },
-    { pattern: /\bchmod\s+[0-7]*7[0-7]*\b/g, message: 'Permissive file permissions', severity: 'high' },
-    { pattern: /\bsudo\b/g, message: 'Sudo/elevated privilege usage', severity: 'critical' },
-    { pattern: /\bssh\b.*connect|\bssh\s+-/g, message: 'SSH connection', severity: 'high' },
-    { pattern: /\bcrontab\b|\bsystemctl\b/g, message: 'System service manipulation', severity: 'high' },
-];
-export function parseSkillName(content, fallback = 'unknown') {
-    const h = content.match(/^#\s+(.+)$/m);
-    if (h) {
-        const n = h[1].trim().replace(/[*_`]/g, '').trim();
-        if (n.length > 0 && n.length < 100)
-            return n;
-    }
-    if (fallback !== 'unknown')
-        return fallback.replace(/[-_]/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
-    return fallback;
-}
-export function analyzeSkill(content, name = 'unknown') {
-    const parsedName = parseSkillName(content, name);
-    const permissions = [], issues = [], seen = new Set();
-    for (const p of PERM_PATTERNS) {
-        const m = content.match(p.pattern);
-        if (m && !seen.has(p.type)) {
-            seen.add(p.type);
-            permissions.push({ type: p.type, risk: p.risk, detected_by: 'static', evidence: m.slice(0, 3).map(x => x.trim()) });
-        }
-    }
-    for (const r of RISKY_PATTERNS) {
-        const m = content.match(r.pattern);
-        if (m)
-            issues.push({ severity: r.severity, message: r.message, count: m.length, evidence: m.slice(0, 3).map(x => x.trim()) });
-    }
-    let ts = 80;
-    for (const p of permissions) {
-        if (p.risk === 'critical')
-            ts -= 15;
-        else if (p.risk === 'high')
-            ts -= 10;
-        else if (p.risk === 'medium')
-            ts -= 5;
-    }
-    for (const i of issues) {
-        if (i.severity === 'critical')
-            ts -= 20;
-        else if (i.severity === 'high')
-            ts -= 10;
-        else if (i.severity === 'medium')
-            ts -= 5;
-    }
-    const cq = {
-        hasTests: /\btest\b|\bspec\b|\bjest\b/i.test(content), hasDocs: /\b(readme|documentation|usage|example)\b/i.test(content),
-        hasLicense: /\blicense\b|\bMIT\b|\bApache\b/i.test(content), hasPermissionDeclaration: /\bpermission\b|\baccess\b|\brequire\b/i.test(content),
-        linesOfCode: content.split('\n').length,
-    };
-    if (cq.hasTests)
-        ts += 5;
-    if (cq.hasDocs)
-        ts += 3;
-    if (cq.hasLicense)
-        ts += 2;
-    if (cq.hasPermissionDeclaration)
-        ts += 5;
-    ts = Math.max(0, Math.min(100, ts));
-    let badge = 'unverified';
-    if (issues.some(i => i.severity === 'critical'))
-        badge = 'flagged';
-    else if (ts >= 80)
-        badge = 'certified';
-    else if (ts >= 50)
-        badge = 'reviewed';
-    return { name: parsedName, type: 'skill', permissions, issues, trustScore: ts, badge, codeQuality: cq, riskFactors: issues.filter(i => i.severity === 'critical' || i.severity === 'high').map(i => i.message) };
-}

package/dist/utils/api.d.ts

@@ -1,3 +0,0 @@
-export declare function lookupTool(slug: string): Promise<any | null>;
-export declare function searchTools(query: string): Promise<any[]>;
-export declare function requestDeepScan(slug: string): Promise<any | null>;

package/dist/utils/api.js

@@ -1,46 +0,0 @@
-const API_BASE = 'https://getvet.ai';
-export async function lookupTool(slug) {
-    try {
-        const resp = await fetch(`${API_BASE}/api/skills/${encodeURIComponent(slug)}`, {
-            headers: { 'User-Agent': 'vet-cli/0.2.0' },
-            signal: AbortSignal.timeout(5000),
-        });
-        if (resp.ok)
-            return await resp.json();
-        return null;
-    }
-    catch {
-        return null;
-    }
-}
-export async function searchTools(query) {
-    try {
-        const resp = await fetch(`${API_BASE}/api/skills/search?q=${encodeURIComponent(query)}`, {
-            headers: { 'User-Agent': 'vet-cli/0.2.0' },
-            signal: AbortSignal.timeout(5000),
-        });
-        if (resp.ok) {
-            const data = await resp.json();
-            return Array.isArray(data) ? data : data.results || data.items || [];
-        }
-        return [];
-    }
-    catch {
-        return [];
-    }
-}
-export async function requestDeepScan(slug) {
-    try {
-        const resp = await fetch(`${API_BASE}/api/tools/${encodeURIComponent(slug)}/deep-scan`, {
-            method: 'POST',
-            headers: { 'User-Agent': 'vet-cli/0.2.0', 'Content-Type': 'application/json' },
-            signal: AbortSignal.timeout(10000),
-        });
-        if (resp.ok)
-            return await resp.json();
-        return null;
-    }
-    catch {
-        return null;
-    }
-}

package/dist/utils/config.d.ts

@@ -1,14 +0,0 @@
-export interface DiscoveredTool {
-    name: string;
-    source: string;
-    type: 'mcp-config' | 'mcp-package' | 'skill' | 'openclaw-skill';
-    target?: string;
-    content?: string;
-}
-export declare function discoverTools(projectPath: string): {
-    tools: DiscoveredTool[];
-    sources: {
-        source: string;
-        count: number;
-    }[];
-};

package/dist/utils/config.js

@@ -1,140 +0,0 @@
-import { readFileSync, existsSync, readdirSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
-export function discoverTools(projectPath) {
-    const tools = [], sc = new Map();
-    const add = (s, n) => { if (n > 0)
-        sc.set(s, (sc.get(s) || 0) + n); };
-    const pkgPath = join(projectPath, 'package.json');
-    if (existsSync(pkgPath)) {
-        try {
-            const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
-            const all = { ...pkg.dependencies, ...pkg.devDependencies };
-            let c = 0;
-            for (const d of Object.keys(all)) {
-                if (d.includes('mcp') || d.startsWith('@modelcontextprotocol/')) {
-                    tools.push({ name: d, source: 'package.json', type: 'mcp-package', target: d });
-                    c++;
-                }
-            }
-            add('package.json', c);
-        }
-        catch { /* skip */ }
-    }
-    // Standard MCP config files (mcpServers or servers key at top level)
-    const mcpPaths = [
-        join(projectPath, '.cursor', 'mcp.json'),
-        join(projectPath, 'mcp.json'),
-        join(homedir(), '.config', 'claude', 'claude_desktop_config.json'),
-        join(homedir(), 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'),
-        join(homedir(), '.windsurf', 'mcp.json'),
-        join(homedir(), '.config', 'windsurf', 'mcp.json'),
-        join(homedir(), '.config', 'cline', 'mcp_settings.json'),
-    ];
-    for (const cp of mcpPaths) {
-        if (!existsSync(cp))
-            continue;
-        try {
-            const cfg = JSON.parse(readFileSync(cp, 'utf-8'));
-            const svrs = cfg.mcpServers || cfg.servers || {};
-            let c = 0;
-            for (const [n, v] of Object.entries(svrs)) {
-                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
-                tools.push({ name: n, source: cp.replace(homedir(), '~'), type: 'mcp-config', target });
-                c++;
-            }
-            add(cp.replace(homedir(), '~'), c);
-        }
-        catch { /* skip */ }
-    }
-    // VS Code settings.json — look for mcp.servers key
-    const vscodePath = join(homedir(), '.config', 'Code', 'User', 'settings.json');
-    if (existsSync(vscodePath)) {
-        try {
-            const cfg = JSON.parse(readFileSync(vscodePath, 'utf-8'));
-            const svrs = cfg['mcp.servers'] || cfg?.mcp?.servers || {};
-            let c = 0;
-            for (const [n, v] of Object.entries(svrs)) {
-                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
-                tools.push({ name: n, source: vscodePath.replace(homedir(), '~'), type: 'mcp-config', target });
-                c++;
-            }
-            add(vscodePath.replace(homedir(), '~'), c);
-        }
-        catch { /* skip */ }
-    }
-    // Zed settings.json — look for mcp key
-    const zedPath = join(homedir(), '.config', 'zed', 'settings.json');
-    if (existsSync(zedPath)) {
-        try {
-            const cfg = JSON.parse(readFileSync(zedPath, 'utf-8'));
-            const svrs = cfg?.mcp?.servers || cfg?.mcp || {};
-            let c = 0;
-            for (const [n, v] of Object.entries(svrs)) {
-                if (typeof v !== 'object' || v === null)
-                    continue;
-                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
-                tools.push({ name: n, source: zedPath.replace(homedir(), '~'), type: 'mcp-config', target });
-                c++;
-            }
-            add(zedPath.replace(homedir(), '~'), c);
-        }
-        catch { /* skip */ }
-    }
-    // Continue config.json — look for mcpServers key
-    const continuePath = join(homedir(), '.continue', 'config.json');
-    if (existsSync(continuePath)) {
-        try {
-            const cfg = JSON.parse(readFileSync(continuePath, 'utf-8'));
-            const svrs = cfg.mcpServers || {};
-            let c = 0;
-            for (const [n, v] of Object.entries(svrs)) {
-                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
-                tools.push({ name: n, source: continuePath.replace(homedir(), '~'), type: 'mcp-config', target });
-                c++;
-            }
-            add(continuePath.replace(homedir(), '~'), c);
-        }
-        catch { /* skip */ }
-    }
-    for (const op of [join(projectPath, 'openclaw.json'), join(homedir(), '.openclaw', 'openclaw.json')]) {
-        if (!existsSync(op))
-            continue;
-        try {
-            const cfg = JSON.parse(readFileSync(op, 'utf-8'));
-            const skills = cfg.skills || cfg.installedSkills || [];
-            let c = 0;
-            if (Array.isArray(skills)) {
-                for (const s of skills) {
-                    const n = typeof s === 'string' ? s : s.name;
-                    tools.push({ name: n, source: op.replace(homedir(), '~'), type: 'openclaw-skill', target: n });
-                    c++;
-                }
-            }
-            add(op.replace(homedir(), '~'), c);
-        }
-        catch { /* skip */ }
-    }
-    findSkills(projectPath, tools, sc, 0);
-    return { tools, sources: [...sc.entries()].map(([source, count]) => ({ source, count })) };
-}
-function findSkills(dir, tools, sc, depth) {
-    if (depth > 4)
-        return;
-    try {
-        for (const e of readdirSync(dir, { withFileTypes: true })) {
-            if (e.name === 'node_modules' || e.name === '.git' || e.name === 'dist')
-                continue;
-            const fp = join(dir, e.name);
-            if (e.isFile() && e.name === 'SKILL.md') {
-                const content = readFileSync(fp, 'utf-8');
-                const nm = content.match(/^#\s+(.+)$/m)?.[1]?.trim().replace(/[*_`]/g, '') || e.name;
-                tools.push({ name: nm, source: fp, type: 'skill', target: fp, content });
-                sc.set('SKILL.md files', (sc.get('SKILL.md files') || 0) + 1);
-            }
-            if (e.isDirectory())
-                findSkills(fp, tools, sc, depth + 1);
-        }
-    }
-    catch { /* permission denied */ }
-}

package/dist/utils/display.d.ts

@@ -1,16 +0,0 @@
-import type { AnalysisResult, BadgeType } from '../types.js';
-export declare function displayScanReport(r: AnalysisResult, registrySlug?: string): void;
-export declare function displayAuditReport(results: AnalysisResult[], sources: {
-    source: string;
-    count: number;
-}[]): void;
-export declare function displayFindResults(results: Array<{
-    name: string;
-    slug?: string;
-    description?: string;
-    trustScore?: number;
-    badge?: BadgeType;
-    author?: string;
-    version?: string;
-    installs?: number;
-}>): void;

package/dist/utils/display.js

@@ -1,145 +0,0 @@
-import chalk from 'chalk';
-const BADGE = {
-    certified: { emoji: '✅', label: 'Certified', color: chalk.green },
-    reviewed: { emoji: '🔍', label: 'Reviewed', color: chalk.blue },
-    unverified: { emoji: '⚠️', label: 'Unverified', color: chalk.yellow },
-    flagged: { emoji: '🚫', label: 'Flagged', color: chalk.red },
-};
-const RC = { low: chalk.green, medium: chalk.yellow, high: chalk.red, critical: chalk.redBright.bold };
-function bar(score) {
-    const f = Math.round(score / 10), e = 10 - f;
-    const c = score >= 75 ? chalk.green : score >= 50 ? chalk.yellow : chalk.red;
-    return c('█'.repeat(f)) + chalk.gray('░'.repeat(e)) + ' ' + c(`${score}/100`);
-}
-function dot(risk) {
-    return RC[risk](`⬤ ${risk.charAt(0).toUpperCase() + risk.slice(1)}`);
-}
-function overallRisk(r) {
-    if (r.badge === 'flagged')
-        return 'critical';
-    if (r.trustScore < 50)
-        return 'high';
-    if (r.trustScore < 75)
-        return 'medium';
-    return 'low';
-}
-export function displayScanReport(r, registrySlug) {
-    const b = BADGE[r.badge], rk = overallRisk(r);
-    console.log();
-    console.log(chalk.bold('  🔍 Vet Security Report'));
-    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-    console.log();
-    console.log(`  ${chalk.gray('Name:')}        ${chalk.bold(r.name)}`);
-    if (r.description)
-        console.log(`  ${chalk.gray('Description:')} ${r.description.slice(0, 80)}`);
-    if (r.type === 'mcp') {
-        console.log(`  ${chalk.gray('Type:')}        MCP Server`);
-        if (r.transport)
-            console.log(`  ${chalk.gray('Transport:')}   ${r.transport}`);
-        if (r.runtime)
-            console.log(`  ${chalk.gray('Runtime:')}     ${r.runtime}`);
-    }
-    else
-        console.log(`  ${chalk.gray('Type:')}        AI Skill`);
-    console.log();
-    console.log(`  ${chalk.gray('Trust Score:')} ${bar(r.trustScore)}`);
-    console.log(`  ${chalk.gray('Badge:')}       ${b.emoji} ${b.color(b.label)}`);
-    console.log(`  ${chalk.gray('Risk:')}        ${dot(rk)}`);
-    if (r.permissions.length > 0) {
-        console.log();
-        console.log(chalk.bold('  📋 Permissions'));
-        console.log(chalk.gray(`  ${'Permission'.padEnd(25)} ${'Risk'.padEnd(12)} Evidence`));
-        console.log(chalk.gray(`  ${'─'.repeat(25)} ${'─'.repeat(12)} ${'─'.repeat(30)}`));
-        for (const p of r.permissions)
-            console.log(`  ${p.type.padEnd(25)} ${RC[p.risk](p.risk.padEnd(12))} ${chalk.gray(p.evidence?.slice(0, 2).join(', ') || '')}`);
-    }
-    if (r.issues.length > 0) {
-        console.log();
-        console.log(chalk.bold('  ⚠️  Issues'));
-        for (const i of r.issues) {
-            const icon = i.severity === 'critical' ? '🔴' : i.severity === 'high' ? '🟠' : i.severity === 'medium' ? '🟡' : '🔵';
-            const cf = RC[i.severity];
-            console.log(`  ${icon} ${cf ? cf(i.message) : i.message}`);
-        }
-    }
-    if (r.tools && r.tools.length > 0) {
-        console.log();
-        console.log(chalk.bold(`  🔧 Tools (${r.tools.length})`));
-        for (const t of r.tools.slice(0, 15)) {
-            console.log(`  ${chalk.cyan(t.name.padEnd(25))} ${chalk.gray(t.description?.slice(0, 40) || '')}`);
-            const ps = t.inputSchema?.map(p => p.name).join(', ');
-            if (ps)
-                console.log(`  ${' '.repeat(25)} ${chalk.gray(`params: ${ps}`)}`);
-        }
-        if (r.tools.length > 15)
-            console.log(chalk.gray(`  ... and ${r.tools.length - 15} more`));
-    }
-    if (r.envVars && r.envVars.length > 0) {
-        console.log();
-        console.log(chalk.bold('  🔑 Environment Variables'));
-        for (const v of r.envVars)
-            console.log(`  ${chalk.yellow(v)}`);
-    }
-    if (r.overview) {
-        console.log();
-        console.log(chalk.bold('  📝 Overview'));
-        for (const l of r.overview.split('\n'))
-            console.log(`  ${chalk.gray(l)}`);
-    }
-    if (registrySlug) {
-        console.log();
-        console.log(`  ${chalk.gray('View full report:')} ${chalk.cyan(`https://getvet.ai/catalog/${registrySlug}`)}`);
-    }
-    console.log();
-    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-    console.log();
-}
-export function displayAuditReport(results, sources) {
-    console.log();
-    console.log(chalk.bold('  🔍 Vet Audit Report'));
-    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-    console.log();
-    for (const s of sources)
-        console.log(`  📦 Found ${s.count} tool${s.count !== 1 ? 's' : ''} in ${s.source}`);
-    console.log();
-    const W = 35;
-    console.log(chalk.gray(`  ${'Tool'.padEnd(W)} ${'Score'.padEnd(7)} ${'Badge'.padEnd(16)} Risk`));
-    console.log(chalk.gray(`  ${'─'.repeat(W)} ${'─'.repeat(7)} ${'─'.repeat(16)} ${'─'.repeat(12)}`));
-    for (const r of results) {
-        const b = BADGE[r.badge], rk = overallRisk(r);
-        const nm = r.name.length > W - 1 ? r.name.slice(0, W - 4) + '...' : r.name;
-        const sc = r.trustScore >= 75 ? chalk.green : r.trustScore >= 50 ? chalk.yellow : chalk.red;
-        console.log(`  ${nm.padEnd(W)} ${sc(String(r.trustScore).padEnd(7))} ${b.emoji} ${b.color(b.label.padEnd(13))} ${dot(rk)}`);
-    }
-    console.log();
-    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-    const c = { certified: 0, reviewed: 0, unverified: 0, flagged: 0 };
-    for (const r of results)
-        c[r.badge]++;
-    console.log(`  Summary: ${results.length} tools audited | ${c.certified} certified | ${c.reviewed} reviewed | ${c.unverified} unverified | ${c.flagged} flagged`);
-    if (c.flagged > 0)
-        console.log(chalk.red.bold(`  ⚠️  ${c.flagged} tool${c.flagged > 1 ? 's' : ''} requires attention`));
-    console.log();
-}
-export function displayFindResults(results) {
-    if (!results.length) {
-        console.log(chalk.yellow('\n  No results found.\n'));
-        return;
-    }
-    console.log();
-    console.log(chalk.bold(`  🔎 Search Results (${results.length})`));
-    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
-    for (const r of results) {
-        const b = r.badge ? BADGE[r.badge] : BADGE.unverified;
-        console.log();
-        console.log(`  ${b.emoji} ${chalk.bold(r.name)}${r.version ? chalk.gray(` v${r.version}`) : ''}${r.author ? chalk.gray(` by ${r.author}`) : ''}`);
-        if (r.description)
-            console.log(`    ${chalk.gray(r.description.slice(0, 80))}`);
-        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}  Badge: ${b.emoji} ${b.color(b.label)}`);
-        if (r.installs != null)
-            console.log(`    ${chalk.gray(`${r.installs.toLocaleString()} installs`)}`);
-        if (r.slug)
-            console.log(`    ${chalk.cyan(`https://getvet.ai/catalog/${r.slug}`)}`);
-    }
-    console.log();
-}

package/dist/utils/fetch.d.ts

@@ -1,6 +0,0 @@
-export interface FetchedContent {
-    content: string;
-    type: 'skill' | 'mcp' | 'unknown';
-    name: string;
-}
-export declare function fetchTarget(target: string): Promise<FetchedContent>;

package/dist/utils/fetch.js

@@ -1,38 +0,0 @@
-import { readFileSync, existsSync } from 'fs';
-function detect(content, source) {
-    if (/SKILL\.md/i.test(source) || /^#\s+.*skill/im.test(content))
-        return 'skill';
-    if (/mcp|model.context.protocol/i.test(content))
-        return 'mcp';
-    if (/^#\s+/m.test(content))
-        return 'skill';
-    return 'unknown';
-}
-export async function fetchTarget(target) {
-    if (existsSync(target)) {
-        const c = readFileSync(target, 'utf-8');
-        return { content: c, type: detect(c, target), name: target.split('/').pop() || target };
-    }
-    if (/^https?:\/\//i.test(target)) {
-        const r = await fetch(target);
-        if (!r.ok)
-            throw new Error('HTTP ' + r.status);
-        const c = await r.text();
-        return { content: c, type: detect(c, target), name: target.split('/').pop()?.replace(/\?.*$/, '') || target };
-    }
-    if (/^[\w-]+\/[\w.-]+$/.test(target) && !target.startsWith('@')) {
-        const r = await fetch('https://raw.githubusercontent.com/' + target + '/main/README.md');
-        if (r.ok)
-            return { content: await r.text(), type: 'mcp', name: target.split('/')[1] };
-        throw new Error('GitHub fetch failed: ' + target);
-    }
-    if (/^@?[\w-]/.test(target)) {
-        const r = await fetch('https://registry.npmjs.org/' + encodeURIComponent(target));
-        if (r.ok) {
-            const d = await r.json();
-            return { content: d.readme || '', type: 'mcp', name: d.name || target };
-        }
-        throw new Error('npm not found: ' + target);
-    }
-    throw new Error('Unknown target: ' + target);
-}

package/dist/utils/mcp-analyzer.d.ts

@@ -1,19 +0,0 @@
-import type { AnalysisResult } from '../types.js';
-interface PJ {
-    name?: string;
-    description?: string;
-    version?: string;
-    dependencies?: Record<string, string>;
-    devDependencies?: Record<string, string>;
-    engines?: {
-        node?: string;
-    };
-}
-export declare function analyzeMcp(input: {
-    npmPackage?: string;
-    githubUrl?: string;
-    readme?: string;
-    name?: string;
-    packageJson?: PJ;
-}): Promise<AnalysisResult>;
-export {};

package/dist/utils/mcp-analyzer.js

@@ -1,187 +0,0 @@
-const TOOL_RULES = [
-    { paramPattern: /\bcommand\b|\bcmd\b|\bshell\b/i, namePattern: /\bexec\b|\brun\b|\bshell\b/i, type: 'exec:shell', risk: 'critical' },
-    { paramPattern: /\burl\b|\bendpoint\b|\bhref\b/i, namePattern: /\bfetch\b|\brequest\b|\bhttp\b/i, type: 'net:outbound', risk: 'medium' },
-    { paramPattern: /\bpath\b|\bfile\b|\bfilename\b|\bdirectory\b/i, namePattern: /\bread\b|\bget\b|\blist\b|\bsearch\b/i, type: 'fs:read', risk: 'medium' },
-    { paramPattern: /\bpath\b|\bfile\b|\bfilename\b/i, namePattern: /\bwrite\b|\bcreate\b|\bsave\b|\bupdate\b|\bedit\b/i, type: 'fs:write', risk: 'medium' },
-    { paramPattern: /\bquery\b|\bsql\b|\bstatement\b/i, namePattern: /\bquery\b|\bsql\b|\bdb\b|\bdatabase\b/i, type: 'db:query', risk: 'medium' },
-    { paramPattern: null, namePattern: /\bemail\b|\bmessage\b|\bsend\b|\bnotif/i, type: 'msg:send', risk: 'medium' },
-    { paramPattern: null, namePattern: /\bdelete\b|\bremove\b|\bdrop\b|\bpurge\b|\bdestroy\b/i, type: 'data:delete', risk: 'high' },
-];
-const RISKY = [
-    { pattern: /rm\s+-rf\b/g, message: 'Destructive file deletion (rm -rf)', severity: 'critical' },
-    { pattern: /curl\s.*\|\s*bash/g, message: 'Remote code execution (curl | bash)', severity: 'critical' },
-    { pattern: /\beval\s*\(/g, message: 'Dynamic code execution (eval)', severity: 'critical' },
-    { pattern: /\bnew\s+Function\s*\(/g, message: 'Dynamic function creation', severity: 'high' },
-    { pattern: /\bchild_process\b|\bspawn\b|\bexecSync\b/g, message: 'Shell execution via child_process', severity: 'high' },
-    { pattern: /\bsudo\b/g, message: 'Sudo/elevated privilege usage', severity: 'critical' },
-    { pattern: /\b(password|secret|token|api[_-]?key|private[_-]?key)\b/gi, message: 'Credential/secret pattern detected', severity: 'medium' },
-];
-const SENS_ENV = /key|token|secret|password|credential|auth/i;
-function detectTransport(t) {
-    if (/\bsse\b|server.sent.event/i.test(t))
-        return 'sse';
-    if (/\bhttp\b.*transport|streamablehttp|\/mcp\b/i.test(t) && !/\bstdio\b/i.test(t))
-        return 'http';
-    return 'stdio';
-}
-function detectRuntime(pj, t) {
-    if (pj?.dependencies?.['@modelcontextprotocol/sdk'] || pj?.devDependencies?.['typescript'] || pj?.engines?.node)
-        return 'node';
-    if (/pyproject\.toml|requirements\.txt|\bpip\b|\bpython\b/i.test(t))
-        return 'python';
-    if (/\bgo\.mod\b/i.test(t))
-        return 'go';
-    if (/\bCargo\.toml\b/i.test(t))
-        return 'rust';
-    return 'node';
-}
-function parseTools(text) {
-    const tools = [];
-    for (const m of text.matchAll(/###\s+`?(\w[\w_-]*)`?\s*\n([\s\S]*?)(?=\n###\s|\n##\s|$)/g)) {
-        const name = m[1], body = m[2];
-        if (/^(installation|setup|configuration|usage|example|prerequisites|requirements|license|contributing)/i.test(name))
-            continue;
-        const desc = body.split('\n').find((l) => l.trim() && !l.startsWith('#') && !l.startsWith('|') && !l.startsWith('-'))?.trim() || '';
-        const params = [];
-        for (const r of body.matchAll(/\|\s*`?(\w+)`?\s*\|\s*(\w+)\s*\|\s*([^|]*)\|/g))
-            params.push({ name: r[1], type: r[2], description: r[3].trim() });
-        for (const b of body.matchAll(/-\s+[`*]*(\w+)[`*]*\s*(?:\((\w+)\))?[:\s-]+(.+)/g)) {
-            if (!params.find((p) => p.name === b[1]))
-                params.push({ name: b[1], type: b[2] || 'string', description: b[3].trim() });
-        }
-        if (params.length > 0 || /tool|function|method|action|command/i.test(body.slice(0, 200)))
-            tools.push({ name, description: desc.slice(0, 300), inputSchema: params });
-    }
-    if (tools.length === 0) {
-        for (const m of text.matchAll(/-\s+\*\*(\w[\w_-]*)\*\*\s*[-:\u2013]\s*(.+)/g)) {
-            if (!/install|setup|config|require|license|example|usage/i.test(m[1]))
-                tools.push({ name: m[1], description: m[2].trim().slice(0, 300), inputSchema: [] });
-        }
-    }
-    return tools;
-}
-function detectEnvVars(text) {
-    const vars = new Set();
-    for (const m of text.matchAll(/\b([A-Z][A-Z0-9_]{2,})\b/g)) {
-        const v = m[1];
-        if (/^(API|AWS|AZURE|GCP|GITHUB|OPENAI|ANTHROPIC|DATABASE|DB_|REDIS|MONGO|POSTGRES|MYSQL|SECRET|TOKEN|KEY|PASSWORD|AUTH|SMTP|SLACK|DISCORD|STRIPE)/.test(v) ||
-            /_KEY$|_TOKEN$|_SECRET$|_PASSWORD$|_URL$|_URI$|_HOST$|_PORT$/.test(v))
-            vars.add(v);
-    }
-    return [...vars];
-}
-function toolPerms(tool) {
-    const perms = [], seen = new Set();
-    for (const r of TOOL_RULES) {
-        let hit = false;
-        if (r.namePattern?.test(tool.name))
-            hit = true;
-        if (r.paramPattern && tool.inputSchema?.some((p) => r.paramPattern.test(p.name)))
-            hit = true;
-        if (hit && !seen.has(r.type)) {
-            seen.add(r.type);
-            perms.push({ type: r.type, risk: r.risk, detected_by: 'mcp-static', evidence: [tool.name] });
-        }
-    }
-    return perms;
-}
-export async function analyzeMcp(input) {
-    let text = input.readme || '', pj = input.packageJson || null, pkgName = input.name || input.npmPackage || '', desc = '', deps = 0;
-    if (input.npmPackage) {
-        try {
-            const r = await fetch(`https://registry.npmjs.org/${encodeURIComponent(input.npmPackage)}`);
-            if (r.ok) {
-                const d = await r.json();
-                const lat = d['dist-tags']?.latest;
-                const vers = d.versions;
-                const lv = lat && vers ? vers[lat] : null;
-                pkgName = d.name || input.npmPackage;
-                desc = d.description || '';
-                text = d.readme || text;
-                if (lv) {
-                    pj = lv;
-                    deps = Object.keys(lv.dependencies || {}).length + Object.keys(lv.devDependencies || {}).length;
-                }
-            }
-        }
-        catch { /* continue */ }
-    }
-    if (input.githubUrl) {
-        const m = input.githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
-        if (m) {
-            const owner = m[1], rn = m[2].replace(/\.git$/, '');
-            try {
-                const rr = await fetch(`https://raw.githubusercontent.com/${owner}/${rn}/main/README.md`, { headers: { 'User-Agent': 'Vet/1.0' } });
-                if (rr.ok)
-                    text = await rr.text();
-                const pr = await fetch(`https://raw.githubusercontent.com/${owner}/${rn}/main/package.json`, { headers: { 'User-Agent': 'Vet/1.0' } });
-                if (pr.ok) {
-                    pj = await pr.json();
-                    pkgName = pj.name || pkgName || rn;
-                    desc = desc || pj.description || '';
-                    deps = Object.keys(pj.dependencies || {}).length + Object.keys(pj.devDependencies || {}).length;
-                }
-                if (!pkgName)
-                    pkgName = rn;
-            }
-            catch { /* continue */ }
-        }
-    }
-    if (!pkgName)
-        pkgName = input.name || 'unknown-mcp';
-    const transport = detectTransport(text), runtime = detectRuntime(pj, text), tools = parseTools(text), envVars = detectEnvVars(text);
-    const allPerms = [], seenP = new Set();
-    for (const tool of tools) {
-        tool.permissions = toolPerms(tool);
-        for (const p of tool.permissions) {
-            if (!seenP.has(p.type)) {
-                seenP.add(p.type);
-                allPerms.push(p);
-            }
-        }
-    }
-    const issues = [];
-    for (const r of RISKY) {
-        const m = text.match(r.pattern);
-        if (m)
-            issues.push({ severity: r.severity, message: r.message, count: m.length, evidence: m.slice(0, 3) });
-    }
-    const sensEnv = envVars.filter(v => SENS_ENV.test(v));
-    if (sensEnv.length > 0)
-        issues.push({ severity: 'medium', message: `Requires sensitive env vars: ${sensEnv.join(', ')}`, count: sensEnv.length, evidence: sensEnv });
-    let ts = 75;
-    for (const p of allPerms) {
-        if (p.risk === 'critical')
-            ts -= 15;
-        else if (p.risk === 'high')
-            ts -= 10;
-        else if (p.risk === 'medium')
-            ts -= 5;
-    }
-    for (const i of issues) {
-        if (i.severity === 'critical')
-            ts -= 20;
-        else if (i.severity === 'high')
-            ts -= 10;
-        else if (i.severity === 'medium')
-            ts -= 3;
-    }
-    if (tools.length > 0)
-        ts += 5;
-    if (text.length > 500)
-        ts += 3;
-    ts = Math.max(0, Math.min(100, ts));
-    let badge = 'unverified';
-    if (issues.some(i => i.severity === 'critical'))
-        badge = 'flagged';
-    else if (ts >= 75)
-        badge = 'certified';
-    else if (ts >= 50)
-        badge = 'reviewed';
-    return {
-        name: pkgName, description: desc || text.split('\n').find(l => l.trim() && !l.startsWith('#'))?.trim()?.slice(0, 300) || '',
-        type: 'mcp', transport, runtime, tools, permissions: allPerms, issues, trustScore: ts, badge,
-        codeQuality: { hasTests: /\btest\b|\bspec\b/i.test(text), hasDocs: text.length > 300, hasLicense: /\blicense\b|\bMIT\b|\bApache\b/i.test(text), hasPermissionDeclaration: /\bpermission\b|\baccess\b/i.test(text), linesOfCode: text.split('\n').length, dependencyCount: deps },
-        riskFactors: issues.filter(i => i.severity === 'critical' || i.severity === 'high').map(i => i.message), envVars,
-    };
-}