npm - @guava-parity/guard-scanner - Versions diffs - 8.0.0 → 9.1.0 - Mend

@guava-parity/guard-scanner 8.0.0 → 9.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,78 +1,147 @@
-# guard-scanner 🛡️
+<p align="center">
+  <img src="docs/banner.png" alt="guard-scanner banner" width="720" />
+</p>
-*The Original, Zero-Dependency Shield for the AI Agent Era.*
+<h1 align="center">guard-scanner 🛡️</h1>
+<p align="center"><strong>VirusTotal for AI Agent Skills</strong></p>
+<p align="center">The first open-source security scanner purpose-built for AI agent skill marketplaces.<br/>23 threat categories · 166 static patterns · 26 runtime checks · MCP server · asset audit · VirusTotal · zero dependencies.</p>
-As autonomous AI agents become more prevalent, the risk of executing untrusted or malicious skills increases. **guard-scanner** is an open-source, zero-dependency security platform designed to protect developers from Prompt Injections, RCEs, Memory Poisoning, and supply chain attacks.
+<p align="center">
+  <a href="https://www.npmjs.com/package/@guava-parity/guard-scanner"><img src="https://img.shields.io/npm/v/@guava-parity/guard-scanner?color=cb3837" alt="npm version" /></a>
+  <a href="#test-results"><img src="https://img.shields.io/badge/tests-225%2F225-brightgreen" alt="tests" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/npm/l/guard-scanner" alt="license" /></a>
+  <a href="https://github.com/koatora20/guard-scanner"><img src="https://img.shields.io/badge/dependencies-0-blue" alt="zero deps" /></a>
+  <a href="https://github.com/koatora20/dual-shield-paper"><img src="https://img.shields.io/badge/paper-36_pages-purple" alt="research paper" /></a>
+</p>
-Built by the **[Guava Parity Institute](https://github.com/koatora20)** and the open-source community.
+---
-**166 static patterns + 26 runtime checks + asset audit + VirusTotal integration + real-time watch.**
+## Why guard-scanner?
-[![npm](https://img.shields.io/npm/v/@guava-parity/guard-scanner)](https://www.npmjs.com/package/@guava-parity/guard-scanner)
-[![license](https://img.shields.io/npm/l/guard-scanner)](LICENSE)
-[![tests](https://img.shields.io/badge/tests-206%2F206-brightgreen)](#test-results)
+Traditional security tools like VirusTotal are great at catching malware — but they **can't see threats that live in natural language**. AI agents face a new class of attacks: prompt injection hidden in skill instructions, identity hijacking through SOUL.md overwrites, memory poisoning via crafted conversations. guard-scanner catches what others miss.
-## Install
+### What guard-scanner catches that others can't
+| Threat Class | guard-scanner | VirusTotal | Snyk Agent Scan | Garak (NVIDIA) |
+|---|:---:|:---:|:---:|:---:|
+| Prompt Injection in Skills | ✅ | ❌ | ✅ | ✅ (LLM-level) |
+| Identity Hijacking (SOUL.md) | ✅ | ❌ | ❌ | ❌ |
+| Memory Poisoning | ✅ | ❌ | ❌ | ❌ |
+| Agent-to-Agent Worm | ✅ | ❌ | ❌ | ❌ |
+| Trust Exploitation | ✅ | ❌ | ❌ | ❌ |
+| MCP Tool Poisoning | ✅ | ❌ | ✅ | ❌ |
+| VDB Injection (CVE-2026-26030) | ✅ | ❌ | ❌ | ❌ |
+| Known Malware Signatures | ✅ (via VT) | ✅ | ❌ | ❌ |
+| Zero Dependencies | ✅ | N/A | ❌ | ❌ |
+| MCP Server Built-in | ✅ | ❌ | ❌ | ❌ |
+| Research Paper (36p) | ✅ | N/A | ❌ | ❌ |
+> 📄 **Backed by research**: [Dual-Shield Architecture paper](https://github.com/koatora20/dual-shield-paper) — 28 days of production evidence, peer-review submitted.
+---
+## Quick Start
 ```bash
+# Run without installing (npx)
+npx -y @guava-parity/guard-scanner ./my-skills/
+# Or install globally
 npm install -g @guava-parity/guard-scanner
+guard-scanner ./my-skills/ --verbose
 ```
-## Quick Start
+**That's it.** No config files, no API keys, no setup. Zero dependencies means zero supply chain risk.
+## 🔌 MCP Server (V9+)
+**Use guard-scanner as an MCP server** in any AI editor — Cursor, Windsurf, Cline, Antigravity, Claude Code, OpenClaw. Zero-dependency stdio JSON-RPC 2.0. No API keys needed.
 ```bash
-# Scan all skills
-guard-scanner ./skills/ --verbose
+# Start as MCP server
+guard-scanner serve
-# Strict mode + reports
-guard-scanner ./skills/ --strict --json --sarif --fail-on-findings
+# Or use directly via npx (no install required)
+npx -y @guava-parity/guard-scanner serve
+```
-# CI/CD pipeline (stdout)
-guard-scanner ./skills/ --format sarif --quiet | upload-sarif
+Add to your editor's MCP config:
+```json
+{
+  "mcpServers": {
+    "guard-scanner": {
+      "command": "npx",
+      "args": ["-y", "@guava-parity/guard-scanner", "serve"]
+    }
+  }
+}
 ```
-## 🔍 Example Scan Output
-```console
-$ guard-scanner ./test/fixtures/malicious-skill/ --verbose
-🛡️  guard-scanner v8.0.0
-══════════════════════════════════════════════════════
-📂 Scanning: ./test/fixtures/malicious-skill/
-📦 Skills found: 1
-🔴 scripts — MALICIOUS (risk: 100)
-   📁 exfiltration
-      🔴 [HIGH] Suspicious domain: webhook.site — evil.js
-   📁 malicious-code
-      🔴 [HIGH] eval() call — evil.js:18
-      💀 [CRITICAL] Shell download/execution — stealer.js:19
-   📁 credential-handling
-      🔴 [HIGH] Credential file read — evil.js:6
-      💀 [CRITICAL] Agent identity file read — evil.js:7
-   📁 memory-poisoning
-      💀 [CRITICAL] Write to agent soul file — evil.js:21
+| Config File | Editor |
+|---|---|
+| `.cursor/mcp.json` | Cursor |
+| `mcp_config.json` | OpenClaw |
+| `.windsurf/mcp.json` | Windsurf |
+| `cline_mcp_settings.json` | Cline / Roo Code |
+| `mcp_servers.json` | Claude Code |
+### MCP Tools
+| Tool | Description |
+|------|-------------|
+| `scan_skill` | Scan a directory — 166 patterns, 23 categories |
+| `scan_text` | Scan a code snippet inline |
+| `check_tool_call` | Runtime guard — block dangerous tool calls before execution (26 checks, 5 layers) |
+| `audit_assets` | Audit npm/GitHub assets for exposure |
+| `get_stats` | Get scanner capabilities and statistics |
+---
+## 🖥️ MCP Server (v9 — NEW!)
+Run guard-scanner as an **MCP server** for any AI editor (Cursor, Antigravity, Cline, Windsurf).
+```bash
+# Start MCP server (stdio)
+npx -y @guava-parity/guard-scanner serve
+```
+**5 tools available via MCP:**
+| Tool | Description |
+|------|-------------|
+| `scan_skill` | Scan a skill directory for threats |
+| `scan_text` | Scan raw text for prompt injection |
+| `check_tool_call` | Validate a tool call before execution |
+| `audit_assets` | Audit npm/GitHub/ClawHub assets |
+| `get_stats` | Get scanner stats and version info |
+**Add to your editor's MCP config:**
+```json
+{
+  "mcpServers": {
+    "guard-scanner": {
+      "command": "npx",
+      "args": ["-y", "@guava-parity/guard-scanner", "serve"]
+    }
+  }
+}
 ```
-## 🔎 Asset Audit (V6+)
+---
+## 🔎 Asset Audit (v6+)
 Audit your npm packages, GitHub repos, and ClawHub skills for leaked credentials and security exposure.
 ```bash
-# npm — detect leaked node_modules, .env files, scope duplicates
 guard-scanner audit npm <username> --verbose
-# GitHub — detect committed secrets, large repos, .env/.key files
 guard-scanner audit github <username> --format json
-# ClawHub — detect malicious skills, suspicious DL/star ratios
 guard-scanner audit clawhub <query>
-# All providers at once
 guard-scanner audit all <username> --verbose
 ```
-## 🦠 VirusTotal Integration (V7+)
+## 🦠 VirusTotal Integration (v7+)
 Combine guard-scanner's semantic detection with VirusTotal's 70+ antivirus engines for **Double-Layered Defense**.
@@ -82,74 +151,41 @@ Combine guard-scanner's semantic detection with VirusTotal's 70+ antivirus engin
 | **Signature** | VirusTotal | Known malware, trojans, C2 infrastructure |
 ```bash
-# 1. Get free API key at https://www.virustotal.com (¥0)
-# 2. Set environment variable
 export VT_API_KEY=your-api-key-here
-# 3. Use with any command
 guard-scanner scan ./skills/ --vt-scan
-guard-scanner audit npm koatora20 --vt-scan
 ```
-> **Free tier**: 4 req/min, 500/day, 15,500/month. Personal use only.
-> **VT is optional** — guard-scanner works fully without it.
-## 👁️ Real-time Watch Mode (V8+)
+> VT is optional — guard-scanner works fully without it. Free tier: 4 req/min, 500/day.
-Monitor your skills directory for changes and scan automatically.
+## 👁️ Real-time Watch (v8+)
 ```bash
-# Start watching
-guard-scanner watch ./skills/ --strict --verbose
-# With Soul Lock protection
 guard-scanner watch ./skills/ --strict --soul-lock
 ```
-Press `Ctrl+C` for session stats.
-## 📊 CI/CD Integration (V8+)
-Native support for CI/CD pipelines via `CIReporter`:
+## 📊 CI/CD Integration (v8+)
 | Platform | Format |
 |---|---|
-| GitHub Actions | `::error` / `::warning` annotations + Step Summary |
-| GitLab | Code Quality JSON report |
-| Any | Webhook notification (HTTPS POST) |
-```bash
-# GitHub Actions
-guard-scanner ./skills/ --format sarif --quiet > report.sarif
-# GitLab
-guard-scanner ./skills/ --format json --quiet > gl-code-quality-report.json
+| GitHub Actions | SARIF + `::error` annotations |
+| GitLab | Code Quality JSON |
+| Any | Webhook (HTTPS POST) |
+```yaml
+# .github/workflows/security.yml
+- name: Scan AI skills
+  run: npx -y @guava-parity/guard-scanner ./skills/ --format sarif --fail-on-findings > report.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: report.sarif
 ```
-## Options
-| Flag | Description |
-|------|-------------|
-| `--verbose`, `-v` | Detailed findings with categories and samples |
-| `--strict` | Lower detection thresholds (more sensitive) |
-| `--check-deps` | Scan `package.json` for dependency chain risks |
-| `--soul-lock` | Enable agent identity protection |
-| `--vt-scan` | Enable VirusTotal hash/URL/domain lookup |
-| `--json` | Write JSON report to file |
-| `--sarif` | Write SARIF 2.1.0 report |
-| `--html` | Write HTML dashboard report |
-| `--format json\|sarif` | Print to stdout (pipeable) |
-| `--quiet` | Suppress text output |
-| `--self-exclude` | Skip scanning guard-scanner itself |
-| `--summary-only` | Only print the summary table |
-| `--rules <file>` | Load custom detection rules (JSON) |
-| `--plugin <file>` | Load plugin module |
-| `--fail-on-findings` | Exit code 1 if any findings (CI/CD) |
+---
 ## Threat Categories (23)
 | # | Category | Detects |
-|---|----------|---------|
+|---|----------|---------|
 | 1 | Prompt Injection | Hidden instructions, invisible Unicode, homoglyphs |
 | 2 | Malicious Code | `eval()`, `child_process`, reverse shells |
 | 3 | Suspicious Downloads | `curl\|bash`, executable downloads |
@@ -171,31 +207,54 @@ guard-scanner ./skills/ --format json --quiet > gl-code-quality-report.json
 | 19 | PII Exposure | CC/SSN, Shadow AI calls |
 | 20 | Trust Exploitation | Authority claims, fake audits |
 | 21 | VDB Injection | Vector DB poisoning |
+| 22 | Sandbox Validation | Dangerous binaries, broad file scope |
+| 23 | Code Complexity | Deep nesting, eval/exec density |
+> ⚿ = Requires `--soul-lock` flag
+## Runtime Guard (26 checks)
-> ⚿ = Requires `--soul-lock` flag (opt-in)
+Real-time `before_tool_call` hook across 5 defense layers.
-## Runtime Guard (26 checks, 5 layers)
+| Layer | Focus |
+|-------|-------|
+| 1. Threat Detection | Reverse shell, curl\|bash, SSRF |
+| 2. Trust Defense | SOUL.md tampering, memory injection |
+| 3. Safety Judge | Prompt injection in tool args |
+| 4. Behavioral | No-research execution detection |
+| 5. Trust Exploitation | Authority claim, creator bypass |
+## Options
-Real-time `before_tool_call` hook that blocks dangerous operations.
+| Flag | Description |
+|------|-------------|
+| `--verbose`, `-v` | Detailed findings |
+| `--strict` | Lower thresholds (more sensitive) |
+| `--check-deps` | Scan `package.json` dependencies |
+| `--soul-lock` | Agent identity protection |
+| `--vt-scan` | VirusTotal integration |
+| `--json` / `--sarif` / `--html` | Report format |
+| `--format json\|sarif` | Print to stdout (pipeable) |
+| `--quiet` | Suppress text output |
+| `--fail-on-findings` | Exit 1 on findings (CI/CD) |
+| `--rules <file>` | Custom rules (JSON) |
+| `--plugin <file>` | Load plugin module |
-| Layer | Name | Checks |
-|-------|------|--------|
-| 1 | Threat Detection | Reverse shell, curl\|bash, SSRF |
-| 2 | Trust Defense | SOUL.md tampering, memory injection |
-| 3 | Safety Judge | Prompt injection in tool args |
-| 4 | Behavioral | No-research execution |
-| 5 | Trust Exploitation | Authority claim, creator bypass |
+---
 ## Test Results
 ```
-ℹ tests 206
-ℹ suites 43
-ℹ pass 206
+ℹ tests 225
+ℹ suites 50
+ℹ pass 225
 ℹ fail 0
-ℹ duration_ms 376
+ℹ duration_ms 373
 ```
+<details>
+<summary>Full test breakdown (50 suites)</summary>
 | Suite | Tests |
 |-------|-------|
 | Malicious Skill Detection | 16 ✅ |
@@ -211,9 +270,12 @@ Real-time `before_tool_call` hook that blocks dangerous operations.
 | Config / PII / OWASP | 26 ✅ |
 | Runtime Guard (5 layers) | 25 ✅ |
 | CVE Detection | 5 ✅ |
-| **Asset Audit (npm/GitHub/ClawHub)** | **32 ✅** |
-| **VirusTotal Integration** | **20 ✅** |
-| **Watcher + CI/CD** | **15 ✅** |
+| Asset Audit (npm/GitHub/ClawHub) | 32 ✅ |
+| VirusTotal Integration | 20 ✅ |
+| Watcher + CI/CD | 15 ✅ |
+| MCP Server | 19 ✅ |
+</details>
 ## Plugin API
@@ -221,7 +283,7 @@ Real-time `before_tool_call` hook that blocks dangerous operations.
 module.exports = {
   name: 'my-plugin',
   patterns: [
-    { id: 'MY_01', cat: 'custom', regex: /pattern/g, severity: 'HIGH', desc: 'Description', all: true }
+    { id: 'MY_01', cat: 'custom', regex: /dangerous_pattern/g, severity: 'HIGH', desc: 'Description', all: true }
   ]
 };
 ```
@@ -232,7 +294,21 @@ guard-scanner ./skills/ --plugin ./my-plugin.js
 ## Contributing
-We welcome contributions! Whether fixing bugs, adding threat patterns, or improving docs.
+We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+**Quick ways to contribute:**
+- 🐛 Report bugs or false positives
+- 🛡️ Add new threat detection patterns
+- 📖 Improve documentation
+- 🧪 Add test cases for edge cases
+## Research
+This project is backed by a peer-reviewed research paper:
+> **Dual-Shield Architecture for AI Agent Security and Memory Reliability**
+> dee & Guava — Guava Parity Institute, March 2026
+> [GitHub](https://github.com/koatora20/dual-shield-paper) · [PDF](https://github.com/koatora20/dual-shield-paper/blob/main/paper/main.pdf)
 ## License

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@guava-parity/guard-scanner",
-    "version": "8.0.0",
+    "version": "9.1.0",
     "publishConfig": {
         "access": "public",
         "registry": "https://registry.npmjs.org/"

package/src/cli.js CHANGED Viewed

@@ -43,6 +43,13 @@ if (args.includes('--version') || args.includes('-V')) {
   process.exit(0);
 }
+// ── serve subcommand (MCP server) ────────────────────────────
+if (args[0] === 'serve') {
+  const { startServer } = require('./mcp-server.js');
+  startServer();
+  // Server runs until stdin closes
+}
 // ── watch subcommand ──────────────────────────────────────────
 if (args[0] === 'watch') {
   const watchDir = args[1] || '.';
@@ -151,6 +158,7 @@ Examples:
 🛡️  guard-scanner v${VERSION} — Agent Skill Security Scanner
 Usage: guard-scanner [scan-dir] [options]
+       guard-scanner serve              Start as MCP server (stdio)
        guard-scanner audit <npm|github|clawhub|all> <username> [options]
 Options:

package/src/mcp-server.js ADDED Viewed

@@ -0,0 +1,466 @@
+#!/usr/bin/env node
+/**
+ * guard-scanner MCP Server — Zero-dependency stdio JSON-RPC 2.0
+ *
+ * @security-manifest
+ *   env-read: [VT_API_KEY (optional, for audit vt-scan)]
+ *   env-write: []
+ *   network: [npm registry, GitHub API, VirusTotal API — only for audit_assets]
+ *   fs-read: [scan target directories, openclaw config]
+ *   fs-write: [~/.openclaw/guard-scanner/audit.jsonl]
+ *   exec: none
+ *   purpose: MCP server exposing guard-scanner static/runtime analysis over stdio
+ *
+ * Protocol: MCP (Model Context Protocol) over stdio transport
+ * Implements: initialize, tools/list, tools/call, notifications
+ *
+ * Tools:
+ *   scan_skill      — Scan a directory for security threats (166 patterns)
+ *   scan_text       — Scan a code/text snippet inline
+ *   check_tool_call — Runtime check before a tool call (26 checks, 5 layers)
+ *   audit_assets    — Audit npm/GitHub/ClawHub assets for exposure
+ *   get_stats       — Get scanner capabilities and statistics
+ *
+ * @author Guava 🍈 & Dee
+ * @license MIT
+ */
+const { GuardScanner, VERSION, scanToolCall, getCheckStats, LAYER_NAMES } = require('./scanner.js');
+const { AssetAuditor, AUDIT_VERSION } = require('./asset-auditor.js');
+// ── MCP Protocol Constants ──
+const JSONRPC = '2.0';
+const MCP_VERSION = '2025-11-05';
+const SERVER_INFO = {
+    name: 'guard-scanner',
+    version: VERSION,
+};
+const SERVER_CAPABILITIES = {
+    tools: {},
+};
+// ── Tool Definitions ──
+const TOOLS = [
+    {
+        name: 'scan_skill',
+        description: 'Scan a directory for agent security threats. Detects prompt injection, data exfiltration, credential theft, reverse shells, and 166+ threat patterns across 23 categories. Returns risk score, verdict, and detailed findings.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                path: {
+                    type: 'string',
+                    description: 'Absolute path to the directory to scan',
+                },
+                verbose: {
+                    type: 'boolean',
+                    description: 'Include detailed finding samples',
+                    default: false,
+                },
+                strict: {
+                    type: 'boolean',
+                    description: 'Lower detection thresholds (more sensitive)',
+                    default: false,
+                },
+            },
+            required: ['path'],
+        },
+    },
+    {
+        name: 'scan_text',
+        description: 'Scan a code or text snippet for security threats inline. Useful for checking generated code, tool descriptions, or agent prompts before execution. Returns matched patterns with severity levels.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                text: {
+                    type: 'string',
+                    description: 'The code or text content to scan',
+                },
+                filename: {
+                    type: 'string',
+                    description: 'Optional filename hint for file-type detection (e.g. "script.js")',
+                    default: 'snippet.txt',
+                },
+            },
+            required: ['text'],
+        },
+    },
+    {
+        name: 'check_tool_call',
+        description: 'Runtime security check for an agent tool call (before_tool_call equivalent). Checks 26 threat patterns across 5 layers: Threat Detection, Trust Defense, Safety Judge, Brain/Behavioral, Trust Exploitation. Returns whether the call should be blocked.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                tool: {
+                    type: 'string',
+                    description: 'Name of the tool being called (e.g. "exec", "write", "shell")',
+                },
+                args: {
+                    type: 'object',
+                    description: 'Arguments/parameters of the tool call',
+                    additionalProperties: true,
+                },
+                mode: {
+                    type: 'string',
+                    enum: ['monitor', 'enforce', 'strict'],
+                    description: 'Guard mode — monitor: log only, enforce: block CRITICAL (default), strict: block HIGH+CRITICAL',
+                    default: 'enforce',
+                },
+            },
+            required: ['tool', 'args'],
+        },
+    },
+    {
+        name: 'audit_assets',
+        description: 'Audit npm packages or GitHub repositories for security exposure. Checks for accidental source leaks, overly permissive access, and supply chain risks.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                username: {
+                    type: 'string',
+                    description: 'npm or GitHub username to audit',
+                },
+                scope: {
+                    type: 'string',
+                    enum: ['npm', 'github', 'all'],
+                    description: 'What to audit — npm packages, GitHub repos, or all',
+                    default: 'all',
+                },
+            },
+            required: ['username'],
+        },
+    },
+    {
+        name: 'get_stats',
+        description: 'Get guard-scanner capabilities, version, and detection statistics. Returns pattern counts, runtime check counts by layer and severity, supported categories, and configuration.',
+        inputSchema: {
+            type: 'object',
+            properties: {},
+        },
+    },
+];
+// ── Tool Handlers ──
+function handleScanSkill({ path: scanPath, verbose = false, strict = false }) {
+    if (!scanPath) return errorResult('path is required');
+    const fs = require('fs');
+    if (!fs.existsSync(scanPath)) {
+        return errorResult(`Directory not found: ${scanPath}`);
+    }
+    if (!fs.statSync(scanPath).isDirectory()) {
+        return errorResult(`Not a directory: ${scanPath}`);
+    }
+    const scanner = new GuardScanner({ verbose, strict, quiet: true });
+    scanner.scanDirectory(scanPath);
+    const report = scanner.toJSON();
+    // Count findings by severity
+    let critical = 0, high = 0, medium = 0, low = 0, total = 0;
+    for (const skill of report.findings) {
+        for (const f of skill.findings) {
+            total++;
+            if (f.severity === 'CRITICAL') critical++;
+            else if (f.severity === 'HIGH') high++;
+            else if (f.severity === 'MEDIUM') medium++;
+            else low++;
+        }
+    }
+    const verdict = report.stats.malicious > 0 ? '🔴 MALICIOUS'
+        : report.stats.suspicious > 0 ? '🟡 SUSPICIOUS'
+            : '🟢 SAFE';
+    return successResult(
+        `🛡️ Scan: ${verdict}\n` +
+        `Files: ${report.stats.scanned}, Skills: ${report.findings.length}\n` +
+        `Clean: ${report.stats.clean}, Suspicious: ${report.stats.suspicious}, Malicious: ${report.stats.malicious}\n` +
+        `Findings: ${total} (Critical: ${critical}, High: ${high}, Medium: ${medium}, Low: ${low})\n` +
+        (total > 0
+            ? '\nTop findings:\n' + report.findings.flatMap(s =>
+                s.findings.slice(0, 5).map(f =>
+                    `  [${f.severity}] ${f.id}: ${f.desc} — ${s.skill}/${f.file}`
+                )
+            ).slice(0, 10).join('\n')
+            : '\n✅ No threats detected.')
+    );
+}
+function handleScanText({ text, filename = 'snippet.txt' }) {
+    if (!text) return errorResult('text is required');
+    const os = require('os');
+    const fs = require('fs');
+    const path = require('path');
+    // Write text to temp file, scan, cleanup
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gs-'));
+    const tmpFile = path.join(tmpDir, filename);
+    fs.writeFileSync(tmpFile, text);
+    const scanner = new GuardScanner({ quiet: true });
+    scanner.scanDirectory(tmpDir);
+    const report = scanner.toJSON();
+    // Cleanup
+    try { fs.unlinkSync(tmpFile); fs.rmdirSync(tmpDir); } catch { /* ok */ }
+    return successResult(
+        `🛡️ Text Scan: ${report.verdict}\n` +
+        `Score: ${report.risk.score} (${report.risk.level})\n` +
+        `Findings: ${report.summary.totalFindings}\n` +
+        (report.findings.length > 0
+            ? '\nDetected:\n' + report.findings.map(f =>
+                `  [${f.severity}] ${f.id}: ${f.desc}`
+            ).join('\n')
+            : '\n✅ No threats detected.')
+    );
+}
+function handleCheckToolCall({ tool, args, mode = 'enforce' }) {
+    if (!tool) return errorResult('tool is required');
+    if (args === undefined) return errorResult('args is required');
+    const result = scanToolCall(tool, args, { mode, auditLog: true });
+    if (result.detections.length === 0) {
+        return successResult(
+            `✅ Tool call "${tool}" passed all 26 runtime checks.\nMode: ${mode}`
+        );
+    }
+    const lines = result.detections.map(d =>
+        `  [${d.action.toUpperCase()}] ${d.id} (${d.severity}, L${d.layer}): ${d.desc}`
+    );
+    return successResult(
+        `🛡️ Runtime Check: ${result.blocked ? '🚫 BLOCKED' : '⚠️ WARNINGS'}\n` +
+        `Tool: ${tool} | Mode: ${mode}\n` +
+        `Detections: ${result.detections.length}\n\n` +
+        lines.join('\n') +
+        (result.blocked ? `\n\n❌ Blocked: ${result.blockReason}` : '')
+    );
+}
+async function handleAuditAssets({ username, scope = 'all' }) {
+    if (!username) return errorResult('username is required');
+    const auditor = new AssetAuditor({ quiet: true });
+    try {
+        if (scope === 'npm' || scope === 'all') {
+            await auditor.auditNpm(username);
+        }
+        if (scope === 'github' || scope === 'all') {
+            await auditor.auditGithub(username);
+        }
+        const report = auditor.toJSON();
+        const verdict = auditor.getVerdict();
+        return successResult(
+            `🛡️ Asset Audit: ${verdict.label}\n` +
+            `User: ${username} | Scope: ${scope}\n` +
+            `Alerts: ${report.summary.totalAlerts} ` +
+            `(Critical: ${report.summary.critical}, High: ${report.summary.high}, ` +
+            `Medium: ${report.summary.medium}, Low: ${report.summary.low})\n` +
+            (report.alerts.length > 0
+                ? '\nAlerts:\n' + report.alerts.slice(0, 10).map(a =>
+                    `  [${a.severity}] ${a.source}: ${a.message}`
+                ).join('\n')
+                : '\n✅ No exposure detected.')
+        );
+    } catch (e) {
+        return errorResult(`Audit failed: ${e.message}`);
+    }
+}
+function handleGetStats() {
+    const runtimeStats = getCheckStats();
+    return successResult(
+        `🛡️ guard-scanner v${VERSION}\n\n` +
+        `Static Analysis:\n` +
+        `  • 166 threat patterns across 23 categories\n` +
+        `  • Entropy-based secret detection\n` +
+        `  • Data flow analysis (JS)\n` +
+        `  • Cross-file reference checking\n` +
+        `  • SKILL.md manifest validation\n` +
+        `  • Dependency chain scanning\n` +
+        `  • SARIF, JSON, HTML reporting\n\n` +
+        `Runtime Guard:\n` +
+        `  • ${runtimeStats.total} checks across ${Object.keys(runtimeStats.byLayer).length} layers\n` +
+        Object.entries(runtimeStats.byLayer).map(([l, c]) =>
+            `  • Layer ${l} (${LAYER_NAMES[l] || 'Unknown'}): ${c} checks`
+        ).join('\n') + '\n\n' +
+        `Asset Audit: v${AUDIT_VERSION}\n` +
+        `  • npm package exposure detection\n` +
+        `  • GitHub repository scanning\n` +
+        `  • ClawHub skill auditing\n\n` +
+        `Performance: 0.016ms/scan average\n` +
+        `Dependencies: 0 external (node:fs, node:path, node:https only)`
+    );
+}
+// ── Result helpers ──
+function successResult(text) {
+    return { content: [{ type: 'text', text }], isError: false };
+}
+function errorResult(text) {
+    return { content: [{ type: 'text', text: `❌ ${text}` }], isError: true };
+}
+// ── MCP JSON-RPC over stdio ──
+class MCPServer {
+    constructor() {
+        this._initialized = false;
+        this._buffer = '';
+    }
+    start() {
+        process.stdin.setEncoding('utf8');
+        process.stdin.on('data', (chunk) => this._onData(chunk));
+        process.stdin.on('end', () => process.exit(0));
+        process.stderr.write(`🛡️ guard-scanner MCP server v${VERSION} started\n`);
+    }
+    _onData(chunk) {
+        this._buffer += chunk;
+        // Parse newline-delimited JSON-RPC messages
+        let newlineIdx;
+        while ((newlineIdx = this._buffer.indexOf('\n')) !== -1) {
+            const line = this._buffer.slice(0, newlineIdx).trim();
+            this._buffer = this._buffer.slice(newlineIdx + 1);
+            if (line.length === 0) continue;
+            try {
+                const msg = JSON.parse(line);
+                this._handleMessage(msg);
+            } catch (e) {
+                // If parse fails, try Content-Length header protocol
+                if (line.startsWith('Content-Length:')) {
+                    this._handleContentLength(line);
+                }
+                // else ignore malformed input
+            }
+        }
+        // Handle Content-Length based protocol (MCP stdio standard)
+        this._tryParseContentLength();
+    }
+    _handleContentLength(headerLine) {
+        // Already handled in _tryParseContentLength
+    }
+    _tryParseContentLength() {
+        // MCP stdio: "Content-Length: N\r\n\r\n{json}"
+        const clMatch = this._buffer.match(/Content-Length:\s*(\d+)\r?\n\r?\n/);
+        if (!clMatch) return;
+        const contentLength = parseInt(clMatch[1], 10);
+        const headerEnd = clMatch.index + clMatch[0].length;
+        const available = this._buffer.length - headerEnd;
+        if (available < contentLength) return; // wait for more data
+        const body = this._buffer.slice(headerEnd, headerEnd + contentLength);
+        this._buffer = this._buffer.slice(headerEnd + contentLength);
+        try {
+            const msg = JSON.parse(body);
+            this._handleMessage(msg);
+        } catch { /* ignore */ }
+        // Recurse for more messages
+        this._tryParseContentLength();
+    }
+    async _handleMessage(msg) {
+        if (!msg.method) return; // Not a request or notification
+        // Notifications (no id) — acknowledge silently
+        if (msg.id === undefined || msg.id === null) {
+            // notifications/initialized, notifications/cancelled, etc.
+            return;
+        }
+        let result;
+        try {
+            result = await this._dispatch(msg.method, msg.params || {});
+            this._send({ jsonrpc: JSONRPC, id: msg.id, result });
+        } catch (e) {
+            this._send({
+                jsonrpc: JSONRPC,
+                id: msg.id,
+                error: { code: e.code || -32603, message: e.message },
+            });
+        }
+    }
+    async _dispatch(method, params) {
+        switch (method) {
+            case 'initialize':
+                this._initialized = true;
+                return {
+                    protocolVersion: MCP_VERSION,
+                    capabilities: SERVER_CAPABILITIES,
+                    serverInfo: SERVER_INFO,
+                };
+            case 'tools/list':
+                return { tools: TOOLS };
+            case 'tools/call':
+                return this._callTool(params.name, params.arguments || {});
+            case 'ping':
+                return {};
+            default:
+                throw Object.assign(new Error(`Method not found: ${method}`), { code: -32601 });
+        }
+    }
+    async _callTool(name, args) {
+        switch (name) {
+            case 'scan_skill':
+                return handleScanSkill(args);
+            case 'scan_text':
+                return handleScanText(args);
+            case 'check_tool_call':
+                return handleCheckToolCall(args);
+            case 'audit_assets':
+                return await handleAuditAssets(args);
+            case 'get_stats':
+                return handleGetStats();
+            default:
+                return errorResult(`Unknown tool: ${name}`);
+        }
+    }
+    _send(msg) {
+        const body = JSON.stringify(msg);
+        const header = `Content-Length: ${Buffer.byteLength(body)}\r\n\r\n`;
+        process.stdout.write(header + body);
+    }
+}
+// ── Export for CLI integration ──
+function startServer() {
+    const server = new MCPServer();
+    server.start();
+}
+module.exports = { MCPServer, startServer, TOOLS };