@musashimiyamoto/agent-guard 0.4.2 → 0.4.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@musashimiyamoto/agent-guard",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "description": "Security scanner for AI agent configurations. Detects misconfigurations, exposed secrets, and unsafe skill patterns.",
   "main": "src/index.js",
   "bin": {
@@ -45,6 +45,6 @@
     "README.md"
   ],
   "dependencies": {
-    "yaml": "^2.3.0"
+    "yaml": "^2.8.2"
   }
 }

package/src/cli.js

@@ -9,7 +9,7 @@ import { resolve } from 'path';
 import { createProxy } from './proxy/index.js';
 import { getLicense, getUpgradePrompt } from './license.js';
 
-const VERSION = '0.4.2';
+const VERSION = '0.4.3';
 
 const FEEDBACK_URL = 'https://github.com/MusashiMiyamoto1-cloud/agent-guard/issues/new';
 const REPO_URL = 'https://github.com/MusashiMiyamoto1-cloud/agent-guard';
@@ -74,6 +74,7 @@ ${COLORS.bold}Options:${COLORS.reset}
   --json                      Output results as JSON (Pro)
   --quiet                     Only show findings (no banner)
   --policy <file>             Use custom policy file
+  --ignore-file <file>        Read accepted risks from file (.agentguard.ignore)
 
 ${COLORS.bold}Free vs Pro:${COLORS.reset}
   Free: 50 files, 10 findings, 5 basic rules
@@ -103,6 +104,10 @@ function printScore(report) {
   
   const bar = '█'.repeat(Math.floor(score / 5)) + '░'.repeat(20 - Math.floor(score / 5));
   
+  const ignoredInfo = report.ignoredFindings > 0 
+    ? `\n  ${COLORS.gray}Accepted risks: ${report.ignoredFindings} (skipped)${COLORS.reset}` 
+    : '';
+  
   console.log(`
 ${COLORS.bold}Security Score:${COLORS.reset} ${gradeColor}${score}/100 (${grade})${COLORS.reset}
 
@@ -114,7 +119,7 @@ ${COLORS.bold}Summary:${COLORS.reset}
   ${COLORS.yellow}Medium:${COLORS.reset}   ${report.summary.medium}
   ${COLORS.cyan}Low:${COLORS.reset}      ${report.summary.low}
 
-  Files scanned: ${report.scannedFiles}
+  Files scanned: ${report.scannedFiles}${ignoredInfo}
 `);
 }
 
@@ -307,7 +312,15 @@ async function main() {
   
   const jsonOutput = args.includes('--json');
   const quiet = args.includes('--quiet');
-  const filteredArgs = args.filter(a => !a.startsWith('--'));
+  
+  // Parse --ignore-file option
+  let ignoreFile = null;
+  const ignoreFileIdx = args.findIndex(a => a === '--ignore-file');
+  if (ignoreFileIdx >= 0 && args[ignoreFileIdx + 1]) {
+    ignoreFile = args[ignoreFileIdx + 1];
+  }
+  
+  const filteredArgs = args.filter((a, i) => !a.startsWith('--') && args[i - 1] !== '--ignore-file');
   
   // Load license early
   const license = await getLicense();
@@ -391,7 +404,7 @@ async function main() {
   }
   
   try {
-    const report = await scan(targetPath, { license });
+    const report = await scan(targetPath, { license, ignoreFile });
     
     // Apply license limits
     const limits = license.getLimits();

package/src/license.js

@@ -10,7 +10,7 @@ const CONFIG_DIR = join(homedir(), '.agent-guard');
 const LICENSE_FILE = join(CONFIG_DIR, 'license.json');
 
 // Keygen account & product IDs
-const KEYGEN_ACCOUNT = process.env.KEYGEN_ACCOUNT || 'd4e0f169-7857-4b98-85f5-68e56b7a6e1b';
+const KEYGEN_ACCOUNT = process.env.KEYGEN_ACCOUNT || 'musashimiyamoto1';
 const KEYGEN_PRODUCT = '96d1b566-bd48-4bc9-9185-6ddbcb54683b';
 const KEYGEN_API = `https://api.keygen.sh/v1/accounts/${KEYGEN_ACCOUNT}`;
 
@@ -150,17 +150,22 @@ export class License {
           'FINGERPRINT_SCOPE_MISMATCH': 'License is activated on another machine. Deactivate first or upgrade to Team.',
           'NO_MACHINES': 'License needs activation. Activating now...',
           'NO_MACHINE': 'License needs activation. Activating now...',
+          'FINGERPRINT_SCOPE_REQUIRED': 'Activating machine...',
           'EXPIRED': 'License has expired. Please renew.',
           'SUSPENDED': 'License has been suspended. Contact support.',
           'NOT_FOUND': 'Invalid license key.',
         };
         
-        if (code === 'NO_MACHINES' || code === 'NO_MACHINE' || code === 'FINGERPRINT_SCOPE_MISMATCH') {
+        // These codes mean the license key itself is valid but needs machine activation
+        const needsActivation = ['NO_MACHINES', 'NO_MACHINE', 'FINGERPRINT_SCOPE_MISMATCH', 'FINGERPRINT_SCOPE_REQUIRED'];
+        
+        if (needsActivation.includes(code)) {
           // Try to activate this machine
           const activateResult = await this.activateMachine(key, validateData.data?.id);
-          if (!activateResult.success) {
+          if (!activateResult.success && !activateResult.skipMachine) {
             return activateResult;
           }
+          // If skipMachine is true, the license is valid but policy doesn't require machine activation
         } else {
           return { 
             success: false, 
@@ -216,11 +221,12 @@ export class License {
 
   async activateMachine(licenseKey, licenseId) {
     try {
+      // Use the license key as Bearer token for machine activation
       const res = await fetch(`${KEYGEN_API}/machines`, {
         method: 'POST',
         headers: {
-          'Content-Type': 'application/json',
-          'Accept': 'application/json',
+          'Content-Type': 'application/vnd.api+json',
+          'Accept': 'application/vnd.api+json',
           'Authorization': `License ${licenseKey}`,
         },
         body: JSON.stringify({
@@ -250,10 +256,15 @@ export class License {
             message: 'Machine limit reached. Deactivate another machine or upgrade.' 
           };
         }
+        if (err.code === 'FORBIDDEN' || err.detail?.includes('not allowed')) {
+          // Policy doesn't allow license key auth - but license is valid
+          // Return success to use the license without machine activation
+          return { success: true, skipMachine: true };
+        }
         return { success: false, message: err.detail || 'Activation failed' };
       }
       
-      return { success: true };
+      return { success: true, machineId: data.data?.id };
     } catch (err) {
       return { success: false, message: err.message };
     }

package/src/scanner.js

@@ -2,8 +2,10 @@
 // Phase 1: Configuration & Secret Scanner
 
 import { readdir, readFile, stat } from 'fs/promises';
-import { join, basename, extname } from 'path';
+import { join, basename, extname, relative } from 'path';
+import { existsSync } from 'fs';
 import { rules } from './rules/index.js';
+import { parse as parseYAML } from 'yaml';
 
 const IGNORE_DIRS = [
   'node_modules', '.git', '.venv', '__pycache__', 
@@ -21,10 +23,13 @@ export class Scanner {
   constructor(options = {}) {
     this.findings = [];
     this.scannedFiles = 0;
+    this.ignoredFindings = 0;
+    this.acceptedRisks = [];
     this.options = {
       maxFileSize: options.maxFileSize || 1024 * 1024, // 1MB
       followSymlinks: options.followSymlinks || false,
       maxFiles: options.maxFiles || Infinity,
+      ignoreFile: options.ignoreFile || null,
       ...options
     };
     
@@ -34,9 +39,65 @@ export class Scanner {
       : rules.filter(r => BASIC_RULE_IDS.includes(r.id));
   }
 
+  async loadIgnoreFile(basePath) {
+    // Look for ignore file
+    const ignoreFilePath = this.options.ignoreFile || join(basePath, '.agentguard.ignore');
+    
+    if (!existsSync(ignoreFilePath)) {
+      return;
+    }
+    
+    try {
+      const content = await readFile(ignoreFilePath, 'utf-8');
+      const parsed = parseYAML(content);
+      
+      if (parsed?.accepted_risks && Array.isArray(parsed.accepted_risks)) {
+        this.acceptedRisks = parsed.accepted_risks;
+      }
+    } catch (err) {
+      // Invalid ignore file, skip
+      console.warn(`Warning: Could not parse ${ignoreFilePath}: ${err.message}`);
+    }
+  }
+
+  isAcceptedRisk(rule, filePath, lineNum) {
+    if (this.acceptedRisks.length === 0) return false;
+    
+    for (const risk of this.acceptedRisks) {
+      // Match rule
+      if (risk.rule && risk.rule !== rule) continue;
+      
+      // Match file (supports glob patterns)
+      if (risk.file) {
+        const riskFile = risk.file;
+        if (riskFile.includes('*')) {
+          // Glob pattern
+          const regex = new RegExp('^' + riskFile.replace(/\*\*/g, '.*').replace(/\*/g, '[^/]*') + '$');
+          if (!regex.test(filePath)) continue;
+        } else {
+          // Exact match or suffix match
+          if (!filePath.endsWith(riskFile) && filePath !== riskFile) continue;
+        }
+      }
+      
+      // Match line (optional)
+      if (risk.line !== undefined && risk.line !== null && risk.line !== lineNum) continue;
+      
+      // All criteria matched - this is an accepted risk
+      return true;
+    }
+    
+    return false;
+  }
+
   async scan(targetPath) {
     this.findings = [];
     this.scannedFiles = 0;
+    this.ignoredFindings = 0;
+    this.basePath = targetPath;
+    
+    // Load accepted risks from ignore file
+    await this.loadIgnoreFile(targetPath);
     
     const stats = await stat(targetPath);
     
@@ -191,6 +252,21 @@ export class Scanner {
       }
     }
     
+    // Deduplicate key for this finding
+    const findingKey = `${rule.id}:${filePath}:${lineNum}`;
+    
+    // Check if this is an accepted risk
+    const relPath = this.basePath ? relative(this.basePath, filePath) : filePath;
+    if (this.isAcceptedRisk(rule.id, relPath, lineNum) || this.isAcceptedRisk(rule.id, filePath, lineNum)) {
+      // Only count once per unique finding
+      if (!this.ignoredFindingKeys) this.ignoredFindingKeys = new Set();
+      if (!this.ignoredFindingKeys.has(findingKey)) {
+        this.ignoredFindingKeys.add(findingKey);
+        this.ignoredFindings++;
+      }
+      return; // Skip accepted risks
+    }
+    
     // Deduplicate: skip if same rule+file+line already recorded
     const isDuplicate = this.findings.some(f => 
       f.rule === rule.id && f.file === filePath && f.line === lineNum
@@ -254,6 +330,8 @@ export class Scanner {
       grade,
       scannedFiles: this.scannedFiles,
       totalFindings: this.findings.length,
+      ignoredFindings: this.ignoredFindings,
+      acceptedRisks: this.acceptedRisks.length,
       summary: {
         critical: critical.length,
         high: high.length,