npm - @guava-parity/guard-scanner - Versions diffs - 13.0.0 → 16.0.0 - Mend

@guava-parity/guard-scanner 13.0.0 → 16.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (96) hide show

package/README.md +170 -215
package/README_ja.md +252 -0
package/SECURITY.md +12 -4
package/SKILL.md +148 -57
package/dist/cli.cjs +5997 -0
package/dist/cli.d.mts +1 -0
package/dist/cli.d.ts +1 -0
package/dist/cli.mjs +6003 -0
package/dist/index.cjs +4825 -0
package/dist/index.d.mts +17 -0
package/dist/index.d.ts +17 -0
package/dist/index.mjs +4798 -0
package/dist/mcp-server.cjs +4756 -0
package/dist/mcp-server.d.mts +1 -0
package/dist/mcp-server.d.ts +1 -0
package/dist/mcp-server.mjs +4767 -0
package/dist/openclaw-plugin.cjs +4863 -0
package/dist/openclaw-plugin.d.mts +11 -0
package/dist/openclaw-plugin.d.ts +11 -0
package/dist/openclaw-plugin.mjs +4854 -0
package/dist/types.cjs +18 -0
package/dist/types.d.mts +215 -0
package/dist/types.d.ts +215 -0
package/dist/types.mjs +1 -0
package/docs/EVIDENCE_DRIVEN.md +182 -0
package/docs/banner.png +0 -0
package/docs/data/benchmark-ledger.json +1428 -0
package/docs/data/corpus-metrics.json +11 -0
package/docs/data/fp-ledger.json +18 -0
package/docs/data/latest.json +25837 -2481
package/docs/data/quality-contract.json +36 -0
package/docs/generated/npm-audit-20260312.json +96 -0
package/docs/generated/openclaw-upstream-status.json +25 -0
package/docs/glossary.md +46 -0
package/docs/index.html +1085 -496
package/docs/logo.png +0 -0
package/docs/openclaw-compatibility-audit.md +45 -0
package/docs/openclaw-continuous-compatibility-plan.md +37 -0
package/docs/rules/a2a-contagion.md +68 -0
package/docs/rules/advanced-exfil.md +52 -0
package/docs/rules/agent-protocol.md +108 -0
package/docs/rules/api-abuse.md +68 -0
package/docs/rules/autonomous-risk.md +92 -0
package/docs/rules/config-impact.md +132 -0
package/docs/rules/credential-handling.md +100 -0
package/docs/rules/cve-patterns.md +332 -0
package/docs/rules/data-exposure.md +84 -0
package/docs/rules/exfiltration.md +36 -0
package/docs/rules/financial-access.md +84 -0
package/docs/rules/identity-hijack.md +140 -0
package/docs/rules/inference-manipulation.md +60 -0
package/docs/rules/leaky-skills.md +52 -0
package/docs/rules/malicious-code.md +108 -0
package/docs/rules/mcp-security.md +148 -0
package/docs/rules/memory-poisoning.md +84 -0
package/docs/rules/model-poisoning.md +44 -0
package/docs/rules/obfuscation.md +60 -0
package/docs/rules/persistence.md +108 -0
package/docs/rules/pii-exposure.md +116 -0
package/docs/rules/prompt-injection.md +148 -0
package/docs/rules/prompt-worm.md +44 -0
package/docs/rules/safeguard-bypass.md +44 -0
package/docs/rules/sandbox-escape.md +100 -0
package/docs/rules/secret-detection.md +44 -0
package/docs/rules/supply-chain-v2.md +92 -0
package/docs/rules/suspicious-download.md +60 -0
package/docs/rules/trust-boundary.md +76 -0
package/docs/rules/trust-exploitation.md +92 -0
package/docs/rules/unverifiable-deps.md +84 -0
package/docs/rules/vdb-injection.md +84 -0
package/docs/security-vulnerability-report-20260312.md +53 -0
package/docs/spec/PRD_V2_ARCHITECTURE.md +55 -0
package/docs/spec/capabilities.json +174 -0
package/docs/spec/finding.schema.json +104 -0
package/docs/spec/integration-manifest.md +39 -0
package/docs/spec/plugin-trust.json +11 -0
package/docs/spec/sbom.json +33 -0
package/docs/threat-model.md +65 -0
package/docs/v13-architecture-manifest.md +55 -0
package/hooks/context.ts +306 -0
package/hooks/guard-scanner/plugin.ts +24 -1
package/openclaw-plugin.mts +107 -0
package/openclaw.plugin.json +30 -53
package/package.json +66 -13
package/src/asset-auditor.js +0 -508
package/src/ci-reporter.js +0 -135
package/src/cli.js +0 -294
package/src/html-template.js +0 -239
package/src/ioc-db.js +0 -54
package/src/mcp-server.js +0 -702
package/src/patterns.js +0 -611
package/src/quarantine.js +0 -41
package/src/runtime-guard.js +0 -346
package/src/scanner.js +0 -1157
package/src/vt-client.js +0 -202
package/src/watcher.js +0 -170

package/dist/types.cjs ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/types.ts
+var types_exports = {};
+module.exports = __toCommonJS(types_exports);

package/dist/types.d.mts ADDED Viewed

@@ -0,0 +1,215 @@
+type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+type GuardMode = "monitor" | "enforce" | "strict";
+type RuntimeAction = "blocked" | "warned";
+interface EvidenceSpan {
+    file?: string;
+    start_line: number;
+    end_line: number;
+}
+interface FindingEvidence {
+    file?: string;
+    line?: number | null;
+    sample?: string;
+    match_count?: number;
+    tool_name?: string;
+    params_preview?: string;
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+}
+interface Finding {
+    schema_version?: string;
+    source?: "static" | "runtime";
+    id: string;
+    rule_id?: string;
+    cat?: string;
+    category: string;
+    severity: Severity;
+    desc?: string;
+    description: string;
+    file?: string;
+    line?: number | null;
+    matchCount?: number;
+    sample?: string;
+    rationale: string;
+    preconditions: string;
+    remediation_hint: string;
+    false_positive_scenarios: string[];
+    validation_state: string;
+    validation_status: string;
+    confidence: number;
+    attack_chain_id: string | null;
+    evidence: FindingEvidence;
+    evidence_spans: EvidenceSpan[];
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+    action?: RuntimeAction;
+}
+interface SkillFindingResult {
+    skill: string;
+    risk: number;
+    verdict: string;
+    findings: Finding[];
+}
+interface ThresholdBand {
+    suspicious: number;
+    malicious: number;
+}
+interface ScanStats {
+    scanned: number;
+    clean: number;
+    low: number;
+    suspicious: number;
+    malicious: number;
+}
+interface Recommendation {
+    skill: string;
+    actions: string[];
+}
+interface ScanReport {
+    schema_version: string;
+    timestamp: string;
+    scanner: string;
+    finding_schema_version: string;
+    mode: "normal" | "strict";
+    compliance_mode?: "owasp-asi" | null;
+    stats: ScanStats;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    recommendations: Recommendation[];
+    layer_summary?: Array<Record<string, unknown>>;
+    owasp_asi_coverage?: Array<Record<string, unknown>>;
+    threat_model?: Record<string, unknown>;
+    iocVersion: string;
+}
+interface TextScanResult {
+    safe: boolean;
+    risk: number;
+    detections: Finding[];
+}
+interface ScannerOptions {
+    verbose?: boolean;
+    selfExclude?: boolean;
+    strict?: boolean;
+    summaryOnly?: boolean;
+    quiet?: boolean;
+    checkDeps?: boolean;
+    soulLock?: boolean;
+    plugins?: string[];
+    rulesFile?: string;
+    compliance?: "owasp-asi";
+}
+interface CustomRule {
+    id: string;
+    cat: string;
+    regex: RegExp;
+    severity: Severity;
+    desc: string;
+    codeOnly?: boolean;
+    docOnly?: boolean;
+    all?: boolean;
+    soulLock?: boolean;
+}
+interface PluginConfig {
+    mode?: GuardMode;
+    auditLog?: boolean;
+    customRules?: string;
+}
+interface RuntimeDecision {
+    blocked: boolean;
+    blockReason: string | null;
+    detections: Finding[];
+    mode: GuardMode;
+    toolName?: string;
+    matchedPolicyId?: string | null;
+    policyRationale?: string | null;
+    riskAmplificationReasons?: string[];
+    remediationSuggestion?: string | null;
+    policyDecision?: RuntimePolicyDecision | null;
+}
+interface McpRequest {
+    method: string;
+    params?: Record<string, unknown>;
+    id?: string | number | null;
+}
+interface SarifReport {
+    version: string;
+    $schema?: string;
+    runs: Array<Record<string, unknown>>;
+}
+interface CapabilityMetrics {
+    static_pattern_count: number;
+    runtime_check_count?: number;
+    threat_category_count: number;
+    runtime_layer_count?: number;
+    runtime_layers?: number;
+    benchmark_corpus_version?: string;
+    explainability_completeness_rate?: number;
+    runtime_check_latency_budget_ms?: number;
+    quality_targets?: QualityTargets;
+    [key: string]: unknown;
+}
+interface RuntimeCheckStats {
+    total: number;
+    byLayer: Record<number, number>;
+    bySeverity: Partial<Record<Severity, number>>;
+}
+interface QualityTargets {
+    precision_min: number;
+    recall_min: number;
+    false_positive_rate_max: number;
+    false_negative_rate_max: number;
+    explainability_completeness_rate_min: number;
+    runtime_check_latency_budget_ms: number;
+    false_positive_budget_by_category: Record<string, number>;
+}
+interface RuntimePolicyContract {
+    id?: string;
+    allowed_tools?: string[];
+    blocked_tools?: string[];
+    max_network_scope?: "none" | "internal-only" | "external-ok";
+    secret_bearing_context?: boolean;
+    memory_write_permission?: boolean;
+}
+interface RuntimePolicyDecision {
+    action: "allow" | "block";
+    reason: string;
+    policyId: string;
+    amplificationReasons: string[];
+    remediationSuggestion: string;
+}
+interface ThreatModel {
+    timestamp: string;
+    surface: Record<string, boolean>;
+    summary: string;
+    owasp_asi?: string[];
+    layer_summary?: Array<Record<string, unknown>>;
+    protocol_surfaces?: string[];
+}
+interface GuardScannerInstance {
+    verbose: boolean;
+    strict: boolean;
+    summaryOnly: boolean;
+    quiet: boolean;
+    checkDeps: boolean;
+    soulLock: boolean;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    stats: ScanStats;
+    scanText(text: string): TextScanResult;
+    scanDirectory(dir: string): SkillFindingResult[];
+    scanTarget(targetPath: string): ScanReport;
+    toJSON(): ScanReport;
+    toSARIF(scanDir: string): SarifReport;
+    toHTML(): string;
+    generateThreatModel(findings: Finding[]): ThreatModel;
+}
+interface GuardScannerConstructor {
+    new (options?: ScannerOptions): GuardScannerInstance;
+}
+type ScanResult = SkillFindingResult;
+export type { CapabilityMetrics, CustomRule, EvidenceSpan, Finding, FindingEvidence, GuardMode, GuardScannerConstructor, GuardScannerInstance, McpRequest, PluginConfig, QualityTargets, Recommendation, RuntimeAction, RuntimeCheckStats, RuntimeDecision, RuntimePolicyContract, RuntimePolicyDecision, SarifReport, ScanReport, ScanResult, ScanStats, ScannerOptions, Severity, SkillFindingResult, TextScanResult, ThreatModel, ThresholdBand };

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,215 @@
+type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+type GuardMode = "monitor" | "enforce" | "strict";
+type RuntimeAction = "blocked" | "warned";
+interface EvidenceSpan {
+    file?: string;
+    start_line: number;
+    end_line: number;
+}
+interface FindingEvidence {
+    file?: string;
+    line?: number | null;
+    sample?: string;
+    match_count?: number;
+    tool_name?: string;
+    params_preview?: string;
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+}
+interface Finding {
+    schema_version?: string;
+    source?: "static" | "runtime";
+    id: string;
+    rule_id?: string;
+    cat?: string;
+    category: string;
+    severity: Severity;
+    desc?: string;
+    description: string;
+    file?: string;
+    line?: number | null;
+    matchCount?: number;
+    sample?: string;
+    rationale: string;
+    preconditions: string;
+    remediation_hint: string;
+    false_positive_scenarios: string[];
+    validation_state: string;
+    validation_status: string;
+    confidence: number;
+    attack_chain_id: string | null;
+    evidence: FindingEvidence;
+    evidence_spans: EvidenceSpan[];
+    layer?: number;
+    layer_name?: string;
+    owasp_asi?: string[];
+    protocol_surface?: string[];
+    action?: RuntimeAction;
+}
+interface SkillFindingResult {
+    skill: string;
+    risk: number;
+    verdict: string;
+    findings: Finding[];
+}
+interface ThresholdBand {
+    suspicious: number;
+    malicious: number;
+}
+interface ScanStats {
+    scanned: number;
+    clean: number;
+    low: number;
+    suspicious: number;
+    malicious: number;
+}
+interface Recommendation {
+    skill: string;
+    actions: string[];
+}
+interface ScanReport {
+    schema_version: string;
+    timestamp: string;
+    scanner: string;
+    finding_schema_version: string;
+    mode: "normal" | "strict";
+    compliance_mode?: "owasp-asi" | null;
+    stats: ScanStats;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    recommendations: Recommendation[];
+    layer_summary?: Array<Record<string, unknown>>;
+    owasp_asi_coverage?: Array<Record<string, unknown>>;
+    threat_model?: Record<string, unknown>;
+    iocVersion: string;
+}
+interface TextScanResult {
+    safe: boolean;
+    risk: number;
+    detections: Finding[];
+}
+interface ScannerOptions {
+    verbose?: boolean;
+    selfExclude?: boolean;
+    strict?: boolean;
+    summaryOnly?: boolean;
+    quiet?: boolean;
+    checkDeps?: boolean;
+    soulLock?: boolean;
+    plugins?: string[];
+    rulesFile?: string;
+    compliance?: "owasp-asi";
+}
+interface CustomRule {
+    id: string;
+    cat: string;
+    regex: RegExp;
+    severity: Severity;
+    desc: string;
+    codeOnly?: boolean;
+    docOnly?: boolean;
+    all?: boolean;
+    soulLock?: boolean;
+}
+interface PluginConfig {
+    mode?: GuardMode;
+    auditLog?: boolean;
+    customRules?: string;
+}
+interface RuntimeDecision {
+    blocked: boolean;
+    blockReason: string | null;
+    detections: Finding[];
+    mode: GuardMode;
+    toolName?: string;
+    matchedPolicyId?: string | null;
+    policyRationale?: string | null;
+    riskAmplificationReasons?: string[];
+    remediationSuggestion?: string | null;
+    policyDecision?: RuntimePolicyDecision | null;
+}
+interface McpRequest {
+    method: string;
+    params?: Record<string, unknown>;
+    id?: string | number | null;
+}
+interface SarifReport {
+    version: string;
+    $schema?: string;
+    runs: Array<Record<string, unknown>>;
+}
+interface CapabilityMetrics {
+    static_pattern_count: number;
+    runtime_check_count?: number;
+    threat_category_count: number;
+    runtime_layer_count?: number;
+    runtime_layers?: number;
+    benchmark_corpus_version?: string;
+    explainability_completeness_rate?: number;
+    runtime_check_latency_budget_ms?: number;
+    quality_targets?: QualityTargets;
+    [key: string]: unknown;
+}
+interface RuntimeCheckStats {
+    total: number;
+    byLayer: Record<number, number>;
+    bySeverity: Partial<Record<Severity, number>>;
+}
+interface QualityTargets {
+    precision_min: number;
+    recall_min: number;
+    false_positive_rate_max: number;
+    false_negative_rate_max: number;
+    explainability_completeness_rate_min: number;
+    runtime_check_latency_budget_ms: number;
+    false_positive_budget_by_category: Record<string, number>;
+}
+interface RuntimePolicyContract {
+    id?: string;
+    allowed_tools?: string[];
+    blocked_tools?: string[];
+    max_network_scope?: "none" | "internal-only" | "external-ok";
+    secret_bearing_context?: boolean;
+    memory_write_permission?: boolean;
+}
+interface RuntimePolicyDecision {
+    action: "allow" | "block";
+    reason: string;
+    policyId: string;
+    amplificationReasons: string[];
+    remediationSuggestion: string;
+}
+interface ThreatModel {
+    timestamp: string;
+    surface: Record<string, boolean>;
+    summary: string;
+    owasp_asi?: string[];
+    layer_summary?: Array<Record<string, unknown>>;
+    protocol_surfaces?: string[];
+}
+interface GuardScannerInstance {
+    verbose: boolean;
+    strict: boolean;
+    summaryOnly: boolean;
+    quiet: boolean;
+    checkDeps: boolean;
+    soulLock: boolean;
+    thresholds: ThresholdBand;
+    findings: SkillFindingResult[];
+    stats: ScanStats;
+    scanText(text: string): TextScanResult;
+    scanDirectory(dir: string): SkillFindingResult[];
+    scanTarget(targetPath: string): ScanReport;
+    toJSON(): ScanReport;
+    toSARIF(scanDir: string): SarifReport;
+    toHTML(): string;
+    generateThreatModel(findings: Finding[]): ThreatModel;
+}
+interface GuardScannerConstructor {
+    new (options?: ScannerOptions): GuardScannerInstance;
+}
+type ScanResult = SkillFindingResult;
+export type { CapabilityMetrics, CustomRule, EvidenceSpan, Finding, FindingEvidence, GuardMode, GuardScannerConstructor, GuardScannerInstance, McpRequest, PluginConfig, QualityTargets, Recommendation, RuntimeAction, RuntimeCheckStats, RuntimeDecision, RuntimePolicyContract, RuntimePolicyDecision, SarifReport, ScanReport, ScanResult, ScanStats, ScannerOptions, Severity, SkillFindingResult, TextScanResult, ThreatModel, ThresholdBand };

package/dist/types.mjs ADDED Viewed

	@@ -0,0 +1 @@
1	+ import { createRequire as __createRequire } from "node:module"; const require = __createRequire(import.meta.url);

package/docs/EVIDENCE_DRIVEN.md ADDED Viewed

@@ -0,0 +1,182 @@
+# Evidence-Driven Metrics
+guard-scanner uses a **single source of truth (SSoT)** architecture for all public metrics. This ensures that numbers in README, documentation, and tests are always in sync with the implementation.
+## Architecture
+```
+┌─────────────────────────────────────┐
+│ Source Code (patterns.js, etc.)    │
+└──────────────┬──────────────────────┘
+               │
+               ▼
+┌─────────────────────────────────────┐
+│ generate-capabilities.js           │
+│ Generates: docs/spec/capabilities.json
+└──────────────┬──────────────────────┘
+               │
+               ▼
+┌─────────────────────────────────────┐
+│ capabilities.json (SSoT)            │
+│ - static_pattern_count: 352         │
+│ - threat_category_count: 32         │
+│ - runtime_check_count: 26           │
+│ - mcp_tools: [...]                  │
+└──────┬───────────────────────┬──────┘
+       │                       │
+       ▼                       ▼
+┌──────────────┐      ┌────────────────┐
+│ generate-    │      │ verify-        │
+│ readme-      │      │ capabilities.js│
+│ metrics.js   │      │ (CI check)     │
+└──────┬───────┘      └────────────────┘
+       │
+       ▼
+┌─────────────────────────────────────┐
+│ README.md                           │
+│ (Auto-updated metrics)              │
+└─────────────────────────────────────┘
+```
+## Scripts
+### 1. `generate-capabilities.js`
+**Purpose:** Generate `docs/spec/capabilities.json` from source code.
+**Runs:**
+- Counts patterns from `src/patterns.js`
+- Counts runtime checks from `src/runtime-guard.js`
+- Lists MCP tools from `src/mcp-server.js`
+- Reads versions from `package.json` and `openclaw.plugin.json`
+**Usage:**
+```bash
+node scripts/generate-capabilities.js
+```
+**Output:** `docs/spec/capabilities.json`
+### 2. `generate-readme-metrics.js`
+**Purpose:** Inject metrics from `capabilities.json` into `README.md`.
+**Updates:**
+- Header metrics line (categories, patterns, checks)
+- Dependency badge
+- Capability table entries
+- MCP tool descriptions
+**Usage:**
+```bash
+# Update README
+node scripts/generate-readme-metrics.js
+# CI mode: fail if drift detected
+node scripts/generate-readme-metrics.js --check
+```
+### 3. `generate-readme-stats.js`
+**Purpose:** Inject test counts from `npm test` output into README.
+**Updates:**
+- Test badge: `tests-336%20passed`
+- Test results block
+**Usage:**
+```bash
+# Update README
+node scripts/generate-readme-stats.js
+# CI mode: fail if drift detected
+node scripts/generate-readme-stats.js --check
+```
+### 4. `verify-capabilities.js`
+**Purpose:** Verify all documentation matches `capabilities.json`.
+**Checks:**
+- README.md metrics
+- README_ja.md metrics
+- SKILL.md metrics
+- package.json version
+- openclaw.plugin.json version
+- Test file count
+**Usage:**
+```bash
+node scripts/verify-capabilities.js
+# Exits 1 if any drift detected
+```
+## CI Integration
+The CI workflow enforces zero-tolerance for drift:
+```yaml
+# .github/workflows/ci.yml
+- name: Generate capabilities manifest
+  run: node scripts/generate-capabilities.js
+- name: Check README metrics drift
+  run: |
+    node scripts/generate-readme-metrics.js --check
+    node scripts/generate-readme-stats.js --check
+- name: Verify all capability claims
+  run: node scripts/verify-capabilities.js
+```
+## Local Development
+**Sync all README metrics:**
+```bash
+npm run sync:readme
+```
+This runs:
+1. `generate-capabilities.js` (update SSoT)
+2. `generate-readme-metrics.js` (update metrics)
+3. `generate-readme-stats.js` (update test counts)
+## Adding New Metrics
+1. **Add to source code:** Update `patterns.js`, `runtime-guard.js`, etc.
+2. **Update generator:** Edit `generate-capabilities.js` to extract new metric
+3. **Update README generator:** Edit `generate-readme-metrics.js` to inject into README
+4. **Update verifier:** Edit `verify-capabilities.js` to check for drift
+5. **Run sync:** `npm run sync:readme`
+6. **Commit changes:** Include updated `capabilities.json` and `README.md`
+## Philosophy
+**Why evidence-driven?**
+- **Trust:** Users can verify claims match implementation
+- **Marketing-first avoidance:** Numbers come from code, not marketing
+- **Drift prevention:** CI blocks PRs with mismatched numbers
+- **Single source of truth:** One canonical source (`capabilities.json`)
+- **Audit trail:** All changes go through generators
+**Zero tolerance for hardcoded numbers in public docs.**
+## MCP Integration
+The `get_stats` MCP tool reads from `capabilities.json`:
+```javascript
+function handleGetStats() {
+    const runtimeStats = getCheckStats();
+    return successResult(
+        `🛡️ guard-scanner v${VERSION}\n\n` +
+        `Static Analysis:\n` +
+        `  • ${STATIC_SUMMARY}\n` +  // from capabilities.json
+        `  • ${runtimeStats.total} checks across ${Object.keys(runtimeStats.byLayer).length} layers\n` +
+        // ...
+    );
+}
+```
+This ensures MCP clients always get accurate, up-to-date metrics.

package/docs/banner.png CHANGED Viewed

Binary file