npm - @guava-parity/guard-scanner - Versions diffs - 13.0.0 → 15.0.0 - Mend

@guava-parity/guard-scanner 13.0.0 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/README.md +42 -253
package/SECURITY.md +12 -4
package/SKILL.md +121 -59
package/dist/openclaw-plugin.mjs +41 -0
package/docs/EVIDENCE_DRIVEN.md +182 -0
package/docs/banner.png +0 -0
package/docs/data/corpus-metrics.json +11 -0
package/docs/data/latest.json +25837 -2481
package/docs/generated/npm-audit-20260312.json +96 -0
package/docs/generated/openclaw-upstream-status.json +25 -0
package/docs/glossary.md +46 -0
package/docs/index.html +1085 -496
package/docs/logo.png +0 -0
package/docs/openclaw-compatibility-audit.md +44 -0
package/docs/openclaw-continuous-compatibility-plan.md +36 -0
package/docs/rules/a2a-contagion.md +68 -0
package/docs/rules/advanced-exfil.md +52 -0
package/docs/rules/agent-protocol.md +108 -0
package/docs/rules/api-abuse.md +68 -0
package/docs/rules/autonomous-risk.md +92 -0
package/docs/rules/config-impact.md +132 -0
package/docs/rules/credential-handling.md +100 -0
package/docs/rules/cve-patterns.md +332 -0
package/docs/rules/data-exposure.md +84 -0
package/docs/rules/exfiltration.md +36 -0
package/docs/rules/financial-access.md +84 -0
package/docs/rules/identity-hijack.md +140 -0
package/docs/rules/inference-manipulation.md +60 -0
package/docs/rules/leaky-skills.md +52 -0
package/docs/rules/malicious-code.md +108 -0
package/docs/rules/mcp-security.md +148 -0
package/docs/rules/memory-poisoning.md +84 -0
package/docs/rules/model-poisoning.md +44 -0
package/docs/rules/obfuscation.md +60 -0
package/docs/rules/persistence.md +108 -0
package/docs/rules/pii-exposure.md +116 -0
package/docs/rules/prompt-injection.md +148 -0
package/docs/rules/prompt-worm.md +44 -0
package/docs/rules/safeguard-bypass.md +44 -0
package/docs/rules/sandbox-escape.md +100 -0
package/docs/rules/secret-detection.md +44 -0
package/docs/rules/supply-chain-v2.md +92 -0
package/docs/rules/suspicious-download.md +60 -0
package/docs/rules/trust-boundary.md +76 -0
package/docs/rules/trust-exploitation.md +92 -0
package/docs/rules/unverifiable-deps.md +84 -0
package/docs/rules/vdb-injection.md +84 -0
package/docs/security-vulnerability-report-20260312.md +53 -0
package/docs/spec/PRD_V2_ARCHITECTURE.md +55 -0
package/docs/spec/capabilities.json +42 -0
package/docs/spec/finding.schema.json +104 -0
package/docs/spec/integration-manifest.md +39 -0
package/docs/spec/sbom.json +33 -0
package/docs/threat-model.md +65 -0
package/docs/v13-architecture-manifest.md +55 -0
package/hooks/context.js +305 -0
package/hooks/guard-scanner/plugin.ts +24 -1
package/openclaw-plugin.mts +91 -0
package/openclaw.plugin.json +30 -53
package/package.json +23 -8
package/src/cli.js +174 -34
package/src/core/content-loader.js +42 -0
package/src/core/inventory.js +73 -0
package/src/core/report-adapters.js +171 -0
package/src/core/risk-engine.js +93 -0
package/src/core/rule-registry.js +73 -0
package/src/core/semantic-validators.js +85 -0
package/src/finding-schema.js +191 -0
package/src/hooks/context.ts +49 -0
package/src/html-template.js +2 -2
package/src/mcp-server.js +24 -73
package/src/openclaw-upstream.js +128 -0
package/src/patterns.js +371 -353
package/src/policy-engine.js +32 -0
package/src/runtime-guard.js +40 -2
package/src/scanner.js +101 -216
package/src/skill-crawler.js +254 -0
package/src/threat-model.js +50 -0
package/src/validation-layer.js +39 -0

package/docs/EVIDENCE_DRIVEN.md ADDED Viewed

@@ -0,0 +1,182 @@
+# Evidence-Driven Metrics
+guard-scanner uses a **single source of truth (SSoT)** architecture for all public metrics. This ensures that numbers in README, documentation, and tests are always in sync with the implementation.
+## Architecture
+```
+┌─────────────────────────────────────┐
+│ Source Code (patterns.js, etc.)    │
+└──────────────┬──────────────────────┘
+               │
+               ▼
+┌─────────────────────────────────────┐
+│ generate-capabilities.js           │
+│ Generates: docs/spec/capabilities.json
+└──────────────┬──────────────────────┘
+               │
+               ▼
+┌─────────────────────────────────────┐
+│ capabilities.json (SSoT)            │
+│ - static_pattern_count: 352         │
+│ - threat_category_count: 32         │
+│ - runtime_check_count: 26           │
+│ - mcp_tools: [...]                  │
+└──────┬───────────────────────┬──────┘
+       │                       │
+       ▼                       ▼
+┌──────────────┐      ┌────────────────┐
+│ generate-    │      │ verify-        │
+│ readme-      │      │ capabilities.js│
+│ metrics.js   │      │ (CI check)     │
+└──────┬───────┘      └────────────────┘
+       │
+       ▼
+┌─────────────────────────────────────┐
+│ README.md                           │
+│ (Auto-updated metrics)              │
+└─────────────────────────────────────┘
+```
+## Scripts
+### 1. `generate-capabilities.js`
+**Purpose:** Generate `docs/spec/capabilities.json` from source code.
+**Runs:**
+- Counts patterns from `src/patterns.js`
+- Counts runtime checks from `src/runtime-guard.js`
+- Lists MCP tools from `src/mcp-server.js`
+- Reads versions from `package.json` and `openclaw.plugin.json`
+**Usage:**
+```bash
+node scripts/generate-capabilities.js
+```
+**Output:** `docs/spec/capabilities.json`
+### 2. `generate-readme-metrics.js`
+**Purpose:** Inject metrics from `capabilities.json` into `README.md`.
+**Updates:**
+- Header metrics line (categories, patterns, checks)
+- Dependency badge
+- Capability table entries
+- MCP tool descriptions
+**Usage:**
+```bash
+# Update README
+node scripts/generate-readme-metrics.js
+# CI mode: fail if drift detected
+node scripts/generate-readme-metrics.js --check
+```
+### 3. `generate-readme-stats.js`
+**Purpose:** Inject test counts from `npm test` output into README.
+**Updates:**
+- Test badge: `tests-336%20passed`
+- Test results block
+**Usage:**
+```bash
+# Update README
+node scripts/generate-readme-stats.js
+# CI mode: fail if drift detected
+node scripts/generate-readme-stats.js --check
+```
+### 4. `verify-capabilities.js`
+**Purpose:** Verify all documentation matches `capabilities.json`.
+**Checks:**
+- README.md metrics
+- README_ja.md metrics
+- SKILL.md metrics
+- package.json version
+- openclaw.plugin.json version
+- Test file count
+**Usage:**
+```bash
+node scripts/verify-capabilities.js
+# Exits 1 if any drift detected
+```
+## CI Integration
+The CI workflow enforces zero-tolerance for drift:
+```yaml
+# .github/workflows/ci.yml
+- name: Generate capabilities manifest
+  run: node scripts/generate-capabilities.js
+- name: Check README metrics drift
+  run: |
+    node scripts/generate-readme-metrics.js --check
+    node scripts/generate-readme-stats.js --check
+- name: Verify all capability claims
+  run: node scripts/verify-capabilities.js
+```
+## Local Development
+**Sync all README metrics:**
+```bash
+npm run sync:readme
+```
+This runs:
+1. `generate-capabilities.js` (update SSoT)
+2. `generate-readme-metrics.js` (update metrics)
+3. `generate-readme-stats.js` (update test counts)
+## Adding New Metrics
+1. **Add to source code:** Update `patterns.js`, `runtime-guard.js`, etc.
+2. **Update generator:** Edit `generate-capabilities.js` to extract new metric
+3. **Update README generator:** Edit `generate-readme-metrics.js` to inject into README
+4. **Update verifier:** Edit `verify-capabilities.js` to check for drift
+5. **Run sync:** `npm run sync:readme`
+6. **Commit changes:** Include updated `capabilities.json` and `README.md`
+## Philosophy
+**Why evidence-driven?**
+- **Trust:** Users can verify claims match implementation
+- **Marketing-first avoidance:** Numbers come from code, not marketing
+- **Drift prevention:** CI blocks PRs with mismatched numbers
+- **Single source of truth:** One canonical source (`capabilities.json`)
+- **Audit trail:** All changes go through generators
+**Zero tolerance for hardcoded numbers in public docs.**
+## MCP Integration
+The `get_stats` MCP tool reads from `capabilities.json`:
+```javascript
+function handleGetStats() {
+    const runtimeStats = getCheckStats();
+    return successResult(
+        `🛡️ guard-scanner v${VERSION}\n\n` +
+        `Static Analysis:\n` +
+        `  • ${STATIC_SUMMARY}\n` +  // from capabilities.json
+        `  • ${runtimeStats.total} checks across ${Object.keys(runtimeStats.byLayer).length} layers\n` +
+        // ...
+    );
+}
+```
+This ensures MCP clients always get accurate, up-to-date metrics.

package/docs/banner.png CHANGED Viewed

Binary file

package/docs/data/corpus-metrics.json ADDED Viewed

@@ -0,0 +1,11 @@
+{
+  "generatedAt": "2026-03-10T10:00:34.307Z",
+  "corpus": {
+    "benign": 3,
+    "malicious": 3
+  },
+  "precision": 1,
+  "recall": 1,
+  "false_positive_rate": 0,
+  "false_negative_rate": 0
+}