@guava-parity/guard-scanner 13.0.0 → 15.0.0

package/src/html-template.js

@@ -1,7 +1,7 @@
 /**
  * guard-scanner — HTML Report Template
  * Dark Glassmorphism + Conic-gradient Risk Gauges
- * Zero dependencies. Pure CSS animations.
+ * Lightweight HTML report template. Pure CSS animations.
  */
 
 'use strict';
@@ -229,7 +229,7 @@ ${total > 0 ? `<div class="ag">
 </div>
 
 <div class="ft">
-  guard-scanner v${version} &mdash; Zero dependencies. Zero compromises. 🛡️<br>
+  guard-scanner v${version} &mdash; Lightweight runtime footprint (1 dependency: ws). 🛡️<br>
   Built by <a href="https://github.com/koatora20">Guava 🍈 &amp; Dee</a>
 </div>
 </div>

package/src/mcp-server.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * guard-scanner MCP Server — Zero-dependency stdio JSON-RPC 2.0
+ * guard-scanner MCP Server — Lightweight stdio JSON-RPC 2.0
  *
  * @security-manifest
  *   env-read: [VT_API_KEY (optional, for audit vt-scan)]
@@ -15,7 +15,7 @@
  * Implements: initialize, tools/list, tools/call, notifications
  *
  * Tools:
- *   scan_skill      — Scan a directory for security threats (166 patterns)
+ *   scan_skill      — Scan a directory for security threats
  *   scan_text       — Scan a code/text snippet inline
  *   check_tool_call — Runtime check before a tool call (26 checks, 5 layers)
  *   audit_assets    — Audit npm/GitHub/ClawHub assets for exposure
@@ -30,6 +30,7 @@ const { AssetAuditor, AUDIT_VERSION } = require('./asset-auditor.js');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const CAPABILITIES = require('../docs/spec/capabilities.json');
 
 // ── MCP Protocol Constants ──
 
@@ -45,6 +46,8 @@ const SERVER_CAPABILITIES = {
     tools: {},
 };
 
+const STATIC_SUMMARY = `${CAPABILITIES.static_pattern_count} threat patterns across ${CAPABILITIES.threat_category_count} categories`;
+
 // ── Async Task Store (run_async / status / result / cancel) ──
 
 const TASK_DIR = process.env.GUARD_SCANNER_TASK_DIR || path.join(os.homedir(), '.openclaw', 'guard-scanner', 'tasks');
@@ -121,7 +124,7 @@ function runTaskAsync(taskId, toolName, toolArgs) {
 const TOOLS = [
     {
         name: 'scan_skill',
-        description: 'Scan a directory for agent security threats. Detects prompt injection, data exfiltration, credential theft, reverse shells, and 166+ threat patterns across 23 categories. Returns risk score, verdict, and detailed findings.',
+        description: `Scan a directory for agent security threats. Detects prompt injection, data exfiltration, credential theft, reverse shells, and ${STATIC_SUMMARY}. Returns risk score, verdict, and detailed findings.`,
         inputSchema: {
             type: 'object',
             properties: {
@@ -216,8 +219,8 @@ const TOOLS = [
         },
     },
     {
-        name: 'run_async',
-        description: 'Run a supported guard-scanner tool asynchronously. Returns taskId immediately; use task_status/task_result to retrieve output.',
+        name: 'experimental.run_async',
+        description: '[Experimental] Run a supported guard-scanner tool asynchronously. Returns taskId immediately; use experimental.task_status/experimental.task_result to retrieve output.',
         inputSchema: {
             type: 'object',
             properties: {
@@ -228,8 +231,8 @@ const TOOLS = [
         },
     },
     {
-        name: 'task_status',
-        description: 'Get async task status by taskId.',
+        name: 'experimental.task_status',
+        description: '[Experimental] Get async task status by taskId.',
         inputSchema: {
             type: 'object',
             properties: { taskId: { type: 'string' } },
@@ -237,8 +240,8 @@ const TOOLS = [
         },
     },
     {
-        name: 'task_result',
-        description: 'Get async task final result by taskId.',
+        name: 'experimental.task_result',
+        description: '[Experimental] Get async task final result by taskId.',
         inputSchema: {
             type: 'object',
             properties: { taskId: { type: 'string' } },
@@ -246,33 +249,18 @@ const TOOLS = [
         },
     },
     {
-        name: 'task_cancel',
-        description: 'Cancel async task by taskId (best-effort).',
+        name: 'experimental.task_cancel',
+        description: '[Experimental] Cancel async task by taskId (best-effort).',
         inputSchema: {
             type: 'object',
             properties: { taskId: { type: 'string' }, reason: { type: 'string' } },
             required: ['taskId'],
         },
     },
-    {
-        name: 'cron_glm5_config',
-        description: 'Build a safe OpenClaw cron config and CLI command using model zai/glm-5 for MCP/cron automation.',
-        inputSchema: {
-            type: 'object',
-            properties: {
-                name: { type: 'string' },
-                cron: { type: 'string', description: '5-field cron expr (e.g. 0 7 * * *)' },
-                tz: { type: 'string', default: 'Asia/Tokyo' },
-                message: { type: 'string' },
-                channel: { type: 'string', default: 'last' },
-                to: { type: 'string' },
-                wake: { type: 'string', enum: ['now', 'next-heartbeat'], default: 'next-heartbeat' }
-            },
-            required: ['name', 'cron', 'message'],
-        },
-    },
 ];
 
+// NOTE: cron_glm5_config was removed in v14.0.0 — not guard-scanner's responsibility
+
 // ── Tool Handlers ──
 
 function handleScanSkill({ path: scanPath, verbose = false, strict = false }) {
@@ -357,10 +345,11 @@ function handleCheckToolCall({ tool, args, mode = 'enforce' }) {
     if (args === undefined) return errorResult('args is required');
 
     const result = scanToolCall(tool, args, { mode, auditLog: true });
+    const runtimeCheckCount = getCheckStats().total;
 
     if (result.detections.length === 0) {
         return successResult(
-            `✅ Tool call "${tool}" passed all 26 runtime checks.\nMode: ${mode}`
+            `✅ Tool call "${tool}" passed all ${runtimeCheckCount} runtime checks.\nMode: ${mode}`
         );
     }
 
@@ -416,7 +405,7 @@ function handleGetStats() {
     return successResult(
         `🛡️ guard-scanner v${VERSION}\n\n` +
         `Static Analysis:\n` +
-        `  • 166 threat patterns across 23 categories\n` +
+        `  • ${STATIC_SUMMARY}\n` +
         `  • Entropy-based secret detection\n` +
         `  • Data flow analysis (JS)\n` +
         `  • Cross-file reference checking\n` +
@@ -495,43 +484,7 @@ function handleTaskCancel({ taskId, reason = 'user cancel' }) {
     return successResult(`taskId=${taskId}\nstate=cancelled`);
 }
 
-function handleCronGlm5Config({ name, cron, tz = 'Asia/Tokyo', message, channel = 'last', to, wake = 'next-heartbeat' }) {
-    if (!name || !cron || !message) return errorResult('name, cron, message are required');
-    const parts = String(cron).trim().split(/\s+/);
-    if (parts.length !== 5) return errorResult('cron must be 5 fields (minute hour day month weekday)');
-
-    const payload = {
-        name,
-        schedule: { kind: 'cron', expr: cron, tz },
-        sessionTarget: 'isolated',
-        wakeMode: wake,
-        payload: { kind: 'agentTurn', message, model: 'zai/glm-5' },
-        delivery: {
-            mode: 'announce',
-            channel,
-            ...(to ? { to } : {}),
-            bestEffort: true,
-        },
-    };
-
-    const cli = [
-        'openclaw cron add',
-        `--name ${JSON.stringify(name)}`,
-        `--cron ${JSON.stringify(cron)}`,
-        `--tz ${JSON.stringify(tz)}`,
-        '--session isolated',
-        `--message ${JSON.stringify(message)}`,
-        '--model "zai/glm-5"',
-        `--wake ${wake}`,
-        '--announce',
-        `--channel ${channel}`,
-        ...(to ? [`--to ${JSON.stringify(to)}`] : []),
-    ].join(' \\\n  ');
-
-    return successResult(
-        `cron_glm5_config_ready\n\nCLI:\n${cli}\n\nJSON:\n${JSON.stringify(payload, null, 2)}`
-    );
-}
+// handleCronGlm5Config removed in v14.0.0 — not guard-scanner's responsibility
 
 // ── Result helpers ──
 
@@ -670,16 +623,14 @@ class MCPServer {
                 return await handleAuditAssets(args);
             case 'get_stats':
                 return handleGetStats();
-            case 'run_async':
+            case 'experimental.run_async':
                 return handleRunAsync(args);
-            case 'task_status':
+            case 'experimental.task_status':
                 return handleTaskStatus(args);
-            case 'task_result':
+            case 'experimental.task_result':
                 return handleTaskResult(args);
-            case 'task_cancel':
+            case 'experimental.task_cancel':
                 return handleTaskCancel(args);
-            case 'cron_glm5_config':
-                return handleCronGlm5Config(args);
             default:
                 return errorResult(`Unknown tool: ${name}`);
         }

package/src/openclaw-upstream.js

@@ -0,0 +1,128 @@
+const https = require('node:https');
+
+function parseVersion(version) {
+    const [stable, prerelease = ''] = String(version).split('-', 2);
+    const parts = stable.split('.').map((value) => Number.parseInt(value, 10));
+    while (parts.length < 3) parts.push(0);
+
+    return {
+        raw: version,
+        parts,
+        prerelease,
+    };
+}
+
+function compareOpenClawVersions(left, right) {
+    const a = parseVersion(left);
+    const b = parseVersion(right);
+
+    for (let index = 0; index < 3; index += 1) {
+        if (a.parts[index] > b.parts[index]) return 1;
+        if (a.parts[index] < b.parts[index]) return -1;
+    }
+
+    if (!a.prerelease && b.prerelease) return 1;
+    if (a.prerelease && !b.prerelease) return -1;
+    if (a.prerelease > b.prerelease) return 1;
+    if (a.prerelease < b.prerelease) return -1;
+    return 0;
+}
+
+function evaluateOpenClawBaseline({ pinnedVersion, latestVersion, latestPublishedAt, source }) {
+    const comparison = compareOpenClawVersions(pinnedVersion, latestVersion);
+
+    return {
+        pinnedVersion,
+        latestVersion,
+        latestPublishedAt,
+        source,
+        upToDate: comparison === 0,
+        ahead: comparison > 0,
+        behind: comparison < 0,
+    };
+}
+
+function normalizeGitHubReleaseVersion(tagName) {
+    return String(tagName).replace(/^v/i, '');
+}
+
+function evaluateOpenClawSourceParity({ npmLatestVersion, githubLatestVersion }) {
+    const normalizedGitHubVersion = normalizeGitHubReleaseVersion(githubLatestVersion);
+    return {
+        npmLatestVersion,
+        githubLatestVersion: normalizedGitHubVersion,
+        inParity: compareOpenClawVersions(npmLatestVersion, normalizedGitHubVersion) === 0,
+    };
+}
+
+function httpGetJson(url) {
+    return new Promise((resolve, reject) => {
+        https
+            .get(
+                url,
+                {
+                    headers: {
+                        'user-agent': 'guard-scanner-openclaw-upstream-check',
+                        accept: 'application/json',
+                    },
+                },
+                (response) => {
+                    let body = '';
+                    response.setEncoding('utf8');
+                    response.on('data', (chunk) => {
+                        body += chunk;
+                    });
+                    response.on('end', () => {
+                        if (response.statusCode && response.statusCode >= 400) {
+                            reject(new Error(`GET ${url} failed with status ${response.statusCode}`));
+                            return;
+                        }
+                        try {
+                            resolve(JSON.parse(body));
+                        } catch (error) {
+                            reject(error);
+                        }
+                    });
+                },
+            )
+            .on('error', reject);
+    });
+}
+
+async function fetchLatestOpenClawRelease(fetchJson = httpGetJson) {
+    const npmMeta = await fetchJson('https://registry.npmjs.org/openclaw');
+    const latestVersion = npmMeta['dist-tags']?.latest;
+    if (!latestVersion) {
+        throw new Error('npm registry metadata missing dist-tags.latest for openclaw');
+    }
+
+    const githubRelease = await fetchJson('https://api.github.com/repos/openclaw/openclaw/releases/latest');
+    const githubLatestVersion = normalizeGitHubReleaseVersion(githubRelease.tag_name || '');
+    if (!githubLatestVersion) {
+        throw new Error('GitHub releases/latest missing tag_name for openclaw/openclaw');
+    }
+
+    const parity = evaluateOpenClawSourceParity({
+        npmLatestVersion: latestVersion,
+        githubLatestVersion,
+    });
+
+    return {
+        latestVersion,
+        latestPublishedAt: npmMeta.time?.[latestVersion] ?? null,
+        source: 'npm',
+        registryModifiedAt: npmMeta.time?.modified ?? null,
+        githubLatestVersion,
+        githubPublishedAt: githubRelease.published_at ?? null,
+        githubUrl: githubRelease.html_url ?? null,
+        sourceParity: parity,
+    };
+}
+
+module.exports = {
+    compareOpenClawVersions,
+    evaluateOpenClawBaseline,
+    evaluateOpenClawSourceParity,
+    fetchLatestOpenClawRelease,
+    normalizeGitHubReleaseVersion,
+};