@guava-parity/guard-scanner 16.0.1 → 17.0.0

package/README.md

@@ -12,14 +12,14 @@
 <p align="center">
   <a href="https://www.npmjs.com/package/@guava-parity/guard-scanner"><img src="https://img.shields.io/npm/v/@guava-parity/guard-scanner?color=cb3837&label=npm" alt="npm" /></a>
   <a href="https://www.npmjs.com/package/@guava-parity/guard-scanner"><img src="https://img.shields.io/npm/dm/@guava-parity/guard-scanner?color=blue&label=downloads" alt="downloads" /></a>
-  <a href="#test-results"><img src="https://img.shields.io/badge/tests-363%20passed-brightgreen" alt="tests" /></a>
+  <a href="#test-results"><img src="https://img.shields.io/badge/tests-362%20passed-brightgreen" alt="tests" /></a>
   <a href="https://github.com/koatora20/guard-scanner/actions/workflows/codeql.yml"><img src="https://img.shields.io/badge/CodeQL-enabled-181717" alt="CodeQL" /></a>
   <a href="https://doi.org/10.5281/zenodo.18906684"><img src="https://img.shields.io/badge/DOI-Zenodo-blue" alt="DOI" /></a>
   <a href="https://github.com/koatora20/guard-scanner/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="MIT" /></a>
 </p>
 
 <p align="center">
-  <strong>358</strong> detection patterns · <strong>35</strong> threat categories · <strong>27</strong> runtime checks · <strong>1</strong> dependency (<code>ws</code>)
+  <strong>364</strong> detection patterns · <strong>35</strong> threat categories · <strong>27</strong> runtime checks · <strong>1</strong> dependency (<code>ws</code>)
 </p>
 
 ---
@@ -29,7 +29,7 @@ Traditional security tools catch malware. **guard-scanner** catches what they mi
 ```
 $ npx @guava-parity/guard-scanner ./skills/ --strict --soul-lock --compliance owasp-asi
 
-  guard-scanner v16.0.1
+  guard-scanner v16.0.2
 
   ⚠  CRITICAL  identity-hijack   SOUL_OVERWRITE_ATTEMPT
      skills/imported-tool/SKILL.md:47
@@ -153,7 +153,7 @@ Every v16 finding can now carry `layer`, `layer_name`, `owasp_asi`, and `protoco
 | 4. Behavioral Analysis | No-research execution, hallucination-driven actions |
 | 5. Trust Exploitation | Authority claim attacks, creator impersonation |
 
-**27 runtime checks** across 5 layers. Public compatibility is pinned to OpenClaw `v2026.3.8` for manifest/discovery/`before_tool_call`; newer upstream releases are tracked separately by the upstream drift watchdog.
+**27 runtime checks** across 5 layers. Validated stable target: OpenClaw `v2026.3.13`. Regression baseline: `v2026.3.8` for manifest/discovery/`before_tool_call`.
 
 Modes: `monitor` (log only) · `enforce` (block CRITICAL, default) · `strict` (block HIGH+)
 
@@ -219,6 +219,10 @@ When running as an MCP server, guard-scanner exposes:
 | `check_tool_call` | Runtime validation of a single tool invocation |
 | `audit_assets` | Audit npm/GitHub/ClawHub for credential exposure |
 | `get_stats` | Return scanner capabilities, 5-layer summary, and ASI coverage |
+| `experimental.run_async` | Start a long-running async scan task |
+| `experimental.task_status` | Check the status of an async task |
+| `experimental.task_result` | Retrieve the result of a completed async task |
+| `experimental.task_cancel` | Cancel a running async task |
 
 ---
 
@@ -228,7 +232,7 @@ guard-scanner ships a measured quality contract, not a vague strength claim.
 
 | Metric | Contract |
 |--------|----------|
-| Benchmark corpus | `2026-03-13.quality-v1` |
+| Benchmark corpus | `2026-03-15.quality-v17` |
 | Precision target | `>= 0.90` |
 | Recall target | `>= 0.90` |
 | False Positive Rate budget | `<= 0.10` |
@@ -247,13 +251,13 @@ Evidence artifacts:
 ## Test Results
 
 ```
-ℹ tests    363
-ℹ suites   94
-ℹ pass     363
+ℹ tests    362
+ℹ suites   38
+ℹ pass     362
 ℹ fail     0
 ```
 
-28 test files. Run `npm test` to reproduce. 100% pass rate on [benchmark corpus](docs/data/corpus-metrics.json).
+38 test files. Run `npm test` to reproduce. 100% pass rate on [benchmark corpus](docs/data/corpus-metrics.json).
 
 ---
 

package/README_ja.md

@@ -12,14 +12,14 @@
 <p align="center">
   <a href="https://www.npmjs.com/package/@guava-parity/guard-scanner"><img src="https://img.shields.io/npm/v/@guava-parity/guard-scanner?color=cb3837&label=npm" alt="npm" /></a>
   <a href="https://www.npmjs.com/package/@guava-parity/guard-scanner"><img src="https://img.shields.io/npm/dm/@guava-parity/guard-scanner?color=blue&label=downloads" alt="downloads" /></a>
-  <a href="#テスト結果"><img src="https://img.shields.io/badge/テスト-363_passed-brightgreen" alt="tests" /></a>
+  <a href="#テスト結果"><img src="https://img.shields.io/badge/テスト-362_passed-brightgreen" alt="tests" /></a>
   <a href="https://github.com/koatora20/guard-scanner/actions/workflows/codeql.yml"><img src="https://img.shields.io/badge/CodeQL-有効-181717" alt="CodeQL" /></a>
   <a href="https://doi.org/10.5281/zenodo.18906684"><img src="https://img.shields.io/badge/DOI-Zenodo-blue" alt="DOI" /></a>
   <a href="https://github.com/koatora20/guard-scanner/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="MIT" /></a>
 </p>
 
 <p align="center">
-  <strong>358</strong> 検出パターン · <strong>35</strong> 脅威カテゴリ · <strong>27</strong> ランタイムチェック · 依存: <strong>1</strong> (<code>ws</code> のみ)
+  <strong>364</strong> 検出パターン · <strong>35</strong> 脅威カテゴリ · <strong>27</strong> ランタイムチェック · 依存: <strong>1</strong> (<code>ws</code> のみ)
 </p>
 
 <p align="center">
@@ -33,7 +33,7 @@
 ```
 $ npx @guava-parity/guard-scanner ./skills/ --strict --soul-lock --compliance owasp-asi
 
-  guard-scanner v16.0.1
+  guard-scanner v16.0.2
 
   ⚠  CRITICAL  identity-hijack   SOUL_OVERWRITE_ATTEMPT
      skills/imported-tool/SKILL.md:47
@@ -157,7 +157,7 @@ v16 の JSON / MCP 出力では各 finding に `layer`, `layer_name`, `owasp_asi
 | 4. 行動分析 | リサーチ未実施での実行、ハルシネーション駆動アクション |
 | 5. 信頼搾取 | 権限主張攻撃、作成者なりすまし |
 
-**27のランタイムチェック**を5層で実行。公開互換の保証面は OpenClaw `v2026.3.8` の manifest/discovery/`before_tool_call` に固定し、新しい upstream は drift watchdog で別途追跡する。
+**27のランタイムチェック**を5層で実行。検証済みの安定ターゲットは OpenClaw `v2026.3.13`、回帰ベースラインは manifest/discovery/`before_tool_call` の `v2026.3.8`。
 
 モード: `monitor`（ログのみ）· `enforce`（CRITICAL をブロック、デフォルト）· `strict`（HIGH+をブロック）
 
@@ -223,19 +223,23 @@ MCPサーバーとして実行時に公開されるツール：
 | `check_tool_call` | 単一ツール呼び出しのランタイム検証 |
 | `audit_assets` | npm/GitHub/ClawHubの認証情報露出監査 |
 | `get_stats` | スキャナー能力、5-layer 概要、ASI カバレッジの取得 |
+| `experimental.run_async` | 非同期スキャンタスクの開始 |
+| `experimental.task_status` | 非同期タスクの状態確認 |
+| `experimental.task_result` | 完了した非同期タスクの結果取得 |
+| `experimental.task_cancel` | 実行中の非同期タスクのキャンセル |
 
 ---
 
 ## テスト結果
 
 ```
-ℹ tests    363
-ℹ suites   94
-ℹ pass     363
+ℹ tests    362
+ℹ suites   38
+ℹ pass     362
 ℹ fail     0
 ```
 
-テストファイル28件。`npm test` で再現可能。[ベンチマークコーパス](docs/data/corpus-metrics.json) 100%パス。
+テストファイル38件。`npm test` で再現可能。[ベンチマークコーパス](docs/data/corpus-metrics.json) 100%パス。
 
 ---
 

package/SECURITY.md

@@ -14,14 +14,14 @@ We will respond within 48 hours and provide a fix within 7 days for critical iss
 
 | Version | Status |
 |---------|--------|
-| Latest major (`14.x`) | ✅ Supported |
+| Latest major (`16.x`) | ✅ Supported |
 | Older releases | ⚠️ Best effort only |
 
 ## Scope
 
 guard-scanner is a **static analysis tool** — it reads files but never executes them. It does not:
 - Execute any code from scanned skills
-- Make network requests
+- Make network requests (except optional VirusTotal integration)
 - Modify any files in the scan directory
 - Require elevated privileges
 
@@ -29,7 +29,7 @@ The only files guard-scanner writes are output reports (`--json`, `--sarif`, `--
 
 ## Supply Chain Security
 
-guard-scanner itself keeps runtime dependencies intentionally small. As of `14.0.0`, it ships with **one runtime dependency** (`ws`) to support the MCP server.
+guard-scanner itself keeps runtime dependencies intentionally small. As of `16.0.1`, it ships with **one runtime dependency** (`ws`) to support the MCP server.
 
 - Small runtime surface area
 - No `postinstall` scripts
@@ -38,16 +38,16 @@ guard-scanner itself keeps runtime dependencies intentionally small. As of `14.0
 
 ## Pattern Updates
 
-The threat pattern database (`src/patterns.js`) and IoC database (`src/ioc-db.js`) are updated based on:
+The threat pattern database (`src/patterns.ts`) and IoC database (`src/ioc-db.ts`) are updated based on:
 - Snyk ToxicSkills taxonomy
-- OWASP MCP Top 10
+- OWASP LLM Top 10 & Agentic Security Top 10
 - CVE reports affecting AI agents
 - Community-reported incidents
 - Original research from real-world attacks
 
 ## Responsible Disclosure
 
-The test fixtures in `test/fixtures/malicious-skill/` contain **intentionally malicious patterns** for testing purposes. These files are:
+The test fixtures in `tests/fixtures/malicious-skill/` contain **intentionally malicious patterns** for testing purposes. These files are:
 - Clearly marked as test fixtures
 - Non-functional (will error if executed)
 - Necessary for validating detection capabilities

package/SKILL.md

@@ -1,13 +1,15 @@
 ---
 name: guard-scanner
-description: "Security scanner and runtime guard for AI agent skills. 358 static threat patterns across 35 categories + 27 runtime checks, with v16 5-layer analysis output (`layer`, `layer_name`, `owasp_asi`, `protocol_surface`) and `--compliance owasp-asi`. Use when scanning skill directories for security threats, auditing npm/GitHub/ClawHub assets for leaked credentials, running real-time file watch during development, integrating security checks into CI/CD pipelines (SARIF/JSON), setting up MCP server for editor-integrated scanning (Cursor, Windsurf, Claude Code, OpenClaw), or runtime guarding tool calls via the OpenClaw v2026.3.8 before_tool_call compatibility surface. Single dependency (ws). MIT licensed."
+description: "Security scanner and runtime guard for OpenClaw skills, MCP servers, and AI agent workflows. Detects prompt injection, identity hijacking, memory poisoning, A2A contagion, secret leaks, supply-chain abuse, and dangerous tool calls with 364 static threat patterns across 35 threat categories plus 27 runtime checks. Use when reviewing a new skill before install, scanning a workspace in CI/CD (SARIF/JSON/HTML), auditing npm/GitHub/ClawHub assets for leaked credentials, running watch mode during development, exposing scanner tools over MCP for Cursor/Windsurf/Claude Code/OpenClaw, or enforcing before_tool_call policy in OpenClaw. v16 adds 5-layer analysis output (`layer`, `layer_name`, `owasp_asi`, `protocol_surface`) and `--compliance owasp-asi`. MIT licensed; single runtime dependency (`ws`)."
 license: MIT
 metadata: {"openclaw": {"requires": {"bins": ["node"]}}}
 ---
 
 # guard-scanner
 
-Scan AI agent skills for 35 categories of threats. v16 adds a 5-layer analysis pipeline, OWASP ASI projection mode, richer finding metadata, and Rust runtime evidence integration on top of the existing prompt injection, identity hijacking, memory poisoning, MCP poisoning, and supply chain coverage.
+Security scanner and runtime guard for the agentic stack. Use it before installing a skill from ClawHub, when auditing MCP servers or OpenClaw workspaces, when wiring security checks into CI/CD, or when you want OpenClaw to block dangerous tool calls at runtime.
+
+It covers prompt injection, identity hijacking, memory poisoning, A2A contagion, MCP abuse, secret leakage, supply-chain abuse, and dangerous execution patterns. v16 adds a 5-layer analysis pipeline, OWASP ASI projection mode, richer finding metadata, and Rust runtime evidence integration.
 
 ## Quick Start
 
@@ -79,7 +81,7 @@ MCP tools: `scan_skill`, `scan_text`, `check_tool_call`, `audit_assets`, `get_st
 
 Public quality contract:
 
-- Benchmark corpus version: `2026-03-13.quality-v1`
+- Benchmark corpus version: `2026-03-15.quality-v17`
 - Precision target: `>= 0.90`
 - Recall target: `>= 0.90`
 - FPR/FNR budgets: `<= 0.10`
@@ -112,7 +114,7 @@ guard-scanner scan ./skills/ --vt-scan
 
 ## Runtime Guard
 
-The validated OpenClaw surface is the compiled runtime plugin entry (`dist/openclaw-plugin.mjs`) discovered through `package.json > openclaw.extensions` and mounted on `before_tool_call` for OpenClaw `v2026.3.8`. Newer upstream releases are measured by the drift watchdog before any public compatibility claim is widened.
+The validated OpenClaw surface is the compiled runtime plugin entry (`dist/openclaw-plugin.mjs`) discovered through `package.json > openclaw.extensions` and mounted on `before_tool_call` for OpenClaw `v2026.3.13`, with regression coverage kept on `v2026.3.8`.
 
 The `before_tool_call` hook provides 27 runtime checks across 5 defense layers, while v16 scan output adds a second 5-layer analysis view:
 
@@ -175,7 +177,7 @@ guard-scanner ./skills/ --plugin ./my-plugin.js
 
 ## Threat Categories
 
-35 categories covering OWASP LLM Top 10 + Agentic Security Top 10. See `src/patterns.js` for the full pattern database. Key categories:
+35 categories covering OWASP LLM Top 10 + Agentic Security Top 10. See `src/patterns.ts` for the full pattern database. Key categories:
 
 - **Prompt Injection** — hidden instructions, invisible Unicode, homoglyphs
 - **Identity Hijacking** ⚿ — persona swap, SOUL.md overwrites, memory wipe