@guava-parity/guard-scanner 9.1.0 → 15.0.0

package/src/html-template.js

@@ -1,7 +1,7 @@
 /**
  * guard-scanner — HTML Report Template
  * Dark Glassmorphism + Conic-gradient Risk Gauges
- * Zero dependencies. Pure CSS animations.
+ * Lightweight HTML report template. Pure CSS animations.
  */
 
 'use strict';
@@ -229,7 +229,7 @@ ${total > 0 ? `<div class="ag">
 </div>
 
 <div class="ft">
-  guard-scanner v${version} &mdash; Zero dependencies. Zero compromises. 🛡️<br>
+  guard-scanner v${version} &mdash; Lightweight runtime footprint (1 dependency: ws). 🛡️<br>
   Built by <a href="https://github.com/koatora20">Guava 🍈 &amp; Dee</a>
 </div>
 </div>

package/src/mcp-server.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * guard-scanner MCP Server — Zero-dependency stdio JSON-RPC 2.0
+ * guard-scanner MCP Server — Lightweight stdio JSON-RPC 2.0
  *
  * @security-manifest
  *   env-read: [VT_API_KEY (optional, for audit vt-scan)]
@@ -15,7 +15,7 @@
  * Implements: initialize, tools/list, tools/call, notifications
  *
  * Tools:
- *   scan_skill      — Scan a directory for security threats (166 patterns)
+ *   scan_skill      — Scan a directory for security threats
  *   scan_text       — Scan a code/text snippet inline
  *   check_tool_call — Runtime check before a tool call (26 checks, 5 layers)
  *   audit_assets    — Audit npm/GitHub/ClawHub assets for exposure
@@ -27,6 +27,10 @@
 
 const { GuardScanner, VERSION, scanToolCall, getCheckStats, LAYER_NAMES } = require('./scanner.js');
 const { AssetAuditor, AUDIT_VERSION } = require('./asset-auditor.js');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const CAPABILITIES = require('../docs/spec/capabilities.json');
 
 // ── MCP Protocol Constants ──
 
@@ -42,12 +46,85 @@ const SERVER_CAPABILITIES = {
     tools: {},
 };
 
+const STATIC_SUMMARY = `${CAPABILITIES.static_pattern_count} threat patterns across ${CAPABILITIES.threat_category_count} categories`;
+
+// ── Async Task Store (run_async / status / result / cancel) ──
+
+const TASK_DIR = process.env.GUARD_SCANNER_TASK_DIR || path.join(os.homedir(), '.openclaw', 'guard-scanner', 'tasks');
+const TASK_FILE = path.join(TASK_DIR, 'tasks.json');
+
+function ensureTaskStore() {
+    fs.mkdirSync(TASK_DIR, { recursive: true });
+    if (!fs.existsSync(TASK_FILE)) fs.writeFileSync(TASK_FILE, '{}');
+}
+
+function loadTasks() {
+    ensureTaskStore();
+    try {
+        return JSON.parse(fs.readFileSync(TASK_FILE, 'utf8') || '{}');
+    } catch {
+        return {};
+    }
+}
+
+function saveTasks(tasks) {
+    ensureTaskStore();
+    fs.writeFileSync(TASK_FILE, JSON.stringify(tasks, null, 2));
+}
+
+function makeTaskId() {
+    return `task_${Date.now()}_${Math.random().toString(36).slice(2, 10)}`;
+}
+
+function nowIso() {
+    return new Date().toISOString();
+}
+
+function runTaskAsync(taskId, toolName, toolArgs) {
+    setImmediate(async () => {
+        const tasks = loadTasks();
+        const t = tasks[taskId];
+        if (!t || t.state === 'cancelled') return;
+
+        t.state = 'running';
+        t.startedAt = nowIso();
+        t.updatedAt = nowIso();
+        saveTasks(tasks);
+
+        try {
+            let result;
+            if (toolName === 'scan_skill') result = handleScanSkill(toolArgs);
+            else if (toolName === 'scan_text') result = handleScanText(toolArgs);
+            else if (toolName === 'check_tool_call') result = handleCheckToolCall(toolArgs);
+            else if (toolName === 'audit_assets') result = await handleAuditAssets(toolArgs);
+            else if (toolName === 'get_stats') result = handleGetStats(toolArgs);
+            else throw new Error(`Unsupported async tool: ${toolName}`);
+
+            const latest = loadTasks();
+            if (!latest[taskId] || latest[taskId].state === 'cancelled') return;
+            latest[taskId].state = result?.isError ? 'failed' : 'succeeded';
+            latest[taskId].updatedAt = nowIso();
+            latest[taskId].finishedAt = nowIso();
+            latest[taskId].result = result;
+            saveTasks(latest);
+        } catch (e) {
+            const latest = loadTasks();
+            if (!latest[taskId]) return;
+            latest[taskId].state = 'failed';
+            latest[taskId].updatedAt = nowIso();
+            latest[taskId].finishedAt = nowIso();
+            latest[taskId].error = e.message;
+            saveTasks(latest);
+        }
+    });
+}
+
 // ── Tool Definitions ──
 
 const TOOLS = [
     {
         name: 'scan_skill',
-        description: 'Scan a directory for agent security threats. Detects prompt injection, data exfiltration, credential theft, reverse shells, and 166+ threat patterns across 23 categories. Returns risk score, verdict, and detailed findings.',
+        description: `Scan a directory for agent security threats. Detects prompt injection, data exfiltration, credential theft, reverse shells, and ${STATIC_SUMMARY}. Returns risk score, verdict, and detailed findings.`,
         inputSchema: {
             type: 'object',
             properties: {
@@ -141,8 +218,49 @@ const TOOLS = [
             properties: {},
         },
     },
+    {
+        name: 'experimental.run_async',
+        description: '[Experimental] Run a supported guard-scanner tool asynchronously. Returns taskId immediately; use experimental.task_status/experimental.task_result to retrieve output.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                tool: { type: 'string', enum: ['scan_skill', 'scan_text', 'check_tool_call', 'audit_assets', 'get_stats'] },
+                args: { type: 'object', additionalProperties: true, default: {} },
+            },
+            required: ['tool'],
+        },
+    },
+    {
+        name: 'experimental.task_status',
+        description: '[Experimental] Get async task status by taskId.',
+        inputSchema: {
+            type: 'object',
+            properties: { taskId: { type: 'string' } },
+            required: ['taskId'],
+        },
+    },
+    {
+        name: 'experimental.task_result',
+        description: '[Experimental] Get async task final result by taskId.',
+        inputSchema: {
+            type: 'object',
+            properties: { taskId: { type: 'string' } },
+            required: ['taskId'],
+        },
+    },
+    {
+        name: 'experimental.task_cancel',
+        description: '[Experimental] Cancel async task by taskId (best-effort).',
+        inputSchema: {
+            type: 'object',
+            properties: { taskId: { type: 'string' }, reason: { type: 'string' } },
+            required: ['taskId'],
+        },
+    },
 ];
 
+// NOTE: cron_glm5_config was removed in v14.0.0 — not guard-scanner's responsibility
+
 // ── Tool Handlers ──
 
 function handleScanSkill({ path: scanPath, verbose = false, strict = false }) {
@@ -227,10 +345,11 @@ function handleCheckToolCall({ tool, args, mode = 'enforce' }) {
     if (args === undefined) return errorResult('args is required');
 
     const result = scanToolCall(tool, args, { mode, auditLog: true });
+    const runtimeCheckCount = getCheckStats().total;
 
     if (result.detections.length === 0) {
         return successResult(
-            `✅ Tool call "${tool}" passed all 26 runtime checks.\nMode: ${mode}`
+            `✅ Tool call "${tool}" passed all ${runtimeCheckCount} runtime checks.\nMode: ${mode}`
         );
     }
 
@@ -286,7 +405,7 @@ function handleGetStats() {
     return successResult(
         `🛡️ guard-scanner v${VERSION}\n\n` +
         `Static Analysis:\n` +
-        `  • 166 threat patterns across 23 categories\n` +
+        `  • ${STATIC_SUMMARY}\n` +
         `  • Entropy-based secret detection\n` +
         `  • Data flow analysis (JS)\n` +
         `  • Cross-file reference checking\n` +
@@ -307,6 +426,66 @@ function handleGetStats() {
     );
 }
 
+function handleRunAsync({ tool, args = {} }) {
+    if (!tool) return errorResult('tool is required');
+    const supported = new Set(['scan_skill', 'scan_text', 'check_tool_call', 'audit_assets', 'get_stats']);
+    if (!supported.has(tool)) return errorResult(`Unsupported async tool: ${tool}`);
+
+    const taskId = makeTaskId();
+    const tasks = loadTasks();
+    tasks[taskId] = {
+        taskId,
+        tool,
+        args,
+        state: 'queued',
+        createdAt: nowIso(),
+        updatedAt: nowIso(),
+    };
+    saveTasks(tasks);
+    runTaskAsync(taskId, tool, args);
+
+    return successResult(`accepted\ntaskId=${taskId}\nstate=queued\npollAfterMs=800`);
+}
+
+function handleTaskStatus({ taskId }) {
+    if (!taskId) return errorResult('taskId is required');
+    const tasks = loadTasks();
+    const t = tasks[taskId];
+    if (!t) return errorResult(`Task not found: ${taskId}`);
+    return successResult(`taskId=${taskId}\nstate=${t.state}\nupdatedAt=${t.updatedAt}`);
+}
+
+function handleTaskResult({ taskId }) {
+    if (!taskId) return errorResult('taskId is required');
+    const tasks = loadTasks();
+    const t = tasks[taskId];
+    if (!t) return errorResult(`Task not found: ${taskId}`);
+    if (t.state === 'queued' || t.state === 'running') {
+        return successResult(`taskId=${taskId}\nstate=${t.state}\nmessage=not ready`);
+    }
+    if (t.error) return errorResult(`taskId=${taskId}\nstate=${t.state}\nerror=${t.error}`);
+    if (!t.result) return errorResult(`taskId=${taskId}\nstate=${t.state}\nerror=no result`);
+    return t.result;
+}
+
+function handleTaskCancel({ taskId, reason = 'user cancel' }) {
+    if (!taskId) return errorResult('taskId is required');
+    const tasks = loadTasks();
+    const t = tasks[taskId];
+    if (!t) return errorResult(`Task not found: ${taskId}`);
+    if (t.state === 'succeeded' || t.state === 'failed' || t.state === 'cancelled') {
+        return successResult(`taskId=${taskId}\nstate=${t.state}\nmessage=already terminal`);
+    }
+    t.state = 'cancelled';
+    t.updatedAt = nowIso();
+    t.finishedAt = nowIso();
+    t.cancelReason = reason;
+    saveTasks(tasks);
+    return successResult(`taskId=${taskId}\nstate=cancelled`);
+}
+
+// handleCronGlm5Config removed in v14.0.0 — not guard-scanner's responsibility
+
 // ── Result helpers ──
 
 function successResult(text) {
@@ -444,6 +623,14 @@ class MCPServer {
                 return await handleAuditAssets(args);
             case 'get_stats':
                 return handleGetStats();
+            case 'experimental.run_async':
+                return handleRunAsync(args);
+            case 'experimental.task_status':
+                return handleTaskStatus(args);
+            case 'experimental.task_result':
+                return handleTaskResult(args);
+            case 'experimental.task_cancel':
+                return handleTaskCancel(args);
             default:
                 return errorResult(`Unknown tool: ${name}`);
         }

package/src/openclaw-upstream.js

@@ -0,0 +1,128 @@
+const https = require('node:https');
+
+function parseVersion(version) {
+    const [stable, prerelease = ''] = String(version).split('-', 2);
+    const parts = stable.split('.').map((value) => Number.parseInt(value, 10));
+    while (parts.length < 3) parts.push(0);
+
+    return {
+        raw: version,
+        parts,
+        prerelease,
+    };
+}
+
+function compareOpenClawVersions(left, right) {
+    const a = parseVersion(left);
+    const b = parseVersion(right);
+
+    for (let index = 0; index < 3; index += 1) {
+        if (a.parts[index] > b.parts[index]) return 1;
+        if (a.parts[index] < b.parts[index]) return -1;
+    }
+
+    if (!a.prerelease && b.prerelease) return 1;
+    if (a.prerelease && !b.prerelease) return -1;
+    if (a.prerelease > b.prerelease) return 1;
+    if (a.prerelease < b.prerelease) return -1;
+    return 0;
+}
+
+function evaluateOpenClawBaseline({ pinnedVersion, latestVersion, latestPublishedAt, source }) {
+    const comparison = compareOpenClawVersions(pinnedVersion, latestVersion);
+
+    return {
+        pinnedVersion,
+        latestVersion,
+        latestPublishedAt,
+        source,
+        upToDate: comparison === 0,
+        ahead: comparison > 0,
+        behind: comparison < 0,
+    };
+}
+
+function normalizeGitHubReleaseVersion(tagName) {
+    return String(tagName).replace(/^v/i, '');
+}
+
+function evaluateOpenClawSourceParity({ npmLatestVersion, githubLatestVersion }) {
+    const normalizedGitHubVersion = normalizeGitHubReleaseVersion(githubLatestVersion);
+    return {
+        npmLatestVersion,
+        githubLatestVersion: normalizedGitHubVersion,
+        inParity: compareOpenClawVersions(npmLatestVersion, normalizedGitHubVersion) === 0,
+    };
+}
+
+function httpGetJson(url) {
+    return new Promise((resolve, reject) => {
+        https
+            .get(
+                url,
+                {
+                    headers: {
+                        'user-agent': 'guard-scanner-openclaw-upstream-check',
+                        accept: 'application/json',
+                    },
+                },
+                (response) => {
+                    let body = '';
+                    response.setEncoding('utf8');
+                    response.on('data', (chunk) => {
+                        body += chunk;
+                    });
+                    response.on('end', () => {
+                        if (response.statusCode && response.statusCode >= 400) {
+                            reject(new Error(`GET ${url} failed with status ${response.statusCode}`));
+                            return;
+                        }
+                        try {
+                            resolve(JSON.parse(body));
+                        } catch (error) {
+                            reject(error);
+                        }
+                    });
+                },
+            )
+            .on('error', reject);
+    });
+}
+
+async function fetchLatestOpenClawRelease(fetchJson = httpGetJson) {
+    const npmMeta = await fetchJson('https://registry.npmjs.org/openclaw');
+    const latestVersion = npmMeta['dist-tags']?.latest;
+    if (!latestVersion) {
+        throw new Error('npm registry metadata missing dist-tags.latest for openclaw');
+    }
+
+    const githubRelease = await fetchJson('https://api.github.com/repos/openclaw/openclaw/releases/latest');
+    const githubLatestVersion = normalizeGitHubReleaseVersion(githubRelease.tag_name || '');
+    if (!githubLatestVersion) {
+        throw new Error('GitHub releases/latest missing tag_name for openclaw/openclaw');
+    }
+
+    const parity = evaluateOpenClawSourceParity({
+        npmLatestVersion: latestVersion,
+        githubLatestVersion,
+    });
+
+    return {
+        latestVersion,
+        latestPublishedAt: npmMeta.time?.[latestVersion] ?? null,
+        source: 'npm',
+        registryModifiedAt: npmMeta.time?.modified ?? null,
+        githubLatestVersion,
+        githubPublishedAt: githubRelease.published_at ?? null,
+        githubUrl: githubRelease.html_url ?? null,
+        sourceParity: parity,
+    };
+}
+
+module.exports = {
+    compareOpenClawVersions,
+    evaluateOpenClawBaseline,
+    evaluateOpenClawSourceParity,
+    fetchLatestOpenClawRelease,
+    normalizeGitHubReleaseVersion,
+};