@rexymayderio/sentinel 0.1.2 → 0.1.3
- package/README.md +10 -3
- package/dist/analyzers/install-script-analyzer.js +2 -2
- package/dist/analyzers/install-script-analyzer.js.map +1 -1
- package/dist/analyzers/network-analyzer.d.ts.map +1 -1
- package/dist/analyzers/network-analyzer.js +85 -4
- package/dist/analyzers/network-analyzer.js.map +1 -1
- package/dist/core/sentinel.d.ts +1 -0
- package/dist/core/sentinel.d.ts.map +1 -1
- package/dist/core/sentinel.js +4 -3
- package/dist/core/sentinel.js.map +1 -1
- package/dist/mcp/server.js +4 -3
- package/dist/mcp/server.js.map +1 -1
- package/package.json +1 -1
- package/skills/sentinel/SKILL.md +83 -54
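--- a/package/README.md
+++ b/package/README.md
@@ -4,8 +4,15 @@
 
 Sentinel sits between an AI agent (or a human) and any installer. Nothing installs until the target has been **acquired (download-only, never executed)**, **analyzed**, **risk-scored**, **policy-checked**, and **explicitly approved**.
 
-```
-
+```mermaid
+flowchart TD
+A[AI / User] --> B[Sentinel]
+B --> C[Acquire]
+C --> D[Analyze]
+D --> E[Score]
+E --> F[Policy]
+F --> G[Approve]
+G --> H[Install]
 ```
 
 The installer never runs directly. Acquirers only download and read files; install scripts are never executed during analysis.
@@ -105,7 +112,7 @@ MCP tools: `verify_package`, `verify_repository`, `verify_skill`, `verify_mcp`,
 
 ### Agent Skill
 
-Install the Sentinel agent skill so your AI assistant intercepts install requests, verifies via the MCP above, explains risks, and only installs after approval.
+Install the [Sentinel agent skill](https://github.com/RexySaragih/sentinel/blob/master/skills/sentinel/SKILL.md) so your AI assistant intercepts install requests, verifies via the MCP above, explains risks, and only installs after approval.
 
 Copy or symlink [skills/sentinel/SKILL.md](skills/sentinel/SKILL.md) into your agent's skills directory (e.g. `~/.cursor/skills/sentinel/SKILL.md` for Cursor).
 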
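--- a/package/dist/analyzers/install-script-analyzer.js
+++ b/package/dist/analyzers/install-script-analyzer.js
@@ -26,9 +26,9 @@ export class InstallScriptAnalyzer {
 continue;
 findings.push(createFinding({
 category: 'install-script',
-severity: '
+severity: 'LOW',
 title: `Install script: ${key}`,
-description: `Package defines a ${key} script`,
+description: `Package defines a ${key} script - it runs automatically on install`,
 ruleId: `script-${key}`,
 evidence: script,
 }));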
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"install-script-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/install-script-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrD,MAAM,mBAAmB,GAAG,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AAC9F,MAAM,0BAA0B,GAAG;IACjC,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0CAA0C,EAAE;IAClI,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACrF,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC7F,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACtF,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IACnF,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC5F,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IAClG,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;CACnG,CAAC;AAEF,MAAM,OAAO,qBAAqB;IACvB,EAAE,GAAG,gBAAgB,CAAC;IAE/B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;QAEpD,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"install-script-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/install-script-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrD,MAAM,mBAAmB,GAAG,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AAC9F,MAAM,0BAA0B,GAAG;IACjC,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAmB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3H,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0CAA0C,EAAE;IAClI,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACrF,EAAE,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC7F,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAe,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACtF,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IACnF,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC5F,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IAClG,EAAE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;CACnG,CAAC;AAEF,MAAM,OAAO,qBAAqB;IACvB,EAAE,GAAG,gBAAgB,CAAC;IAE/B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;QAEpD,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC1B,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,mBAAmB,GAAG,EAAE;gBAC/B,WAAW,EAAE,qBAAqB,GAAG,4CAA4C;gBACjF,MAAM,EAAE,UAAU,GAAG,EAAE;gBACvB,QAAQ,EAAE,MAAM;aACjB,CAAC,CAAC,CAAC;YAEJ,KAAK,MAAM,KAAK,IAAI,0BAA0B,EAAE,CAAC;gBAC/C,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC/B,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,gBAAgB;wBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;wBACxB,KAAK,EAAE,KAAK,CAAC,KAAK;wBAClB,WAAW,EAAE,wBAAwB,GAAG,YAAY,KAAK,CAAC,K
AAK,EAAE;wBACjE,MAAM,EAAE,aAAa,GAAG,EAAE;wBAC1B,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,EAAE,CAAC;gBAClD,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,gCAAgC;oBACvC,WAAW,EAAE,8BAA8B,IAAI,CAAC,IAAI,EAAE;oBACtD,MAAM,EAAE,mBAAmB;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"network-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/network-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"network-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/network-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AA2D/D,qBAAa,eAAgB,YAAW,QAAQ;IAC9C,QAAQ,CAAC,EAAE,aAAa;IAExB,QAAQ,IAAI,OAAO;IAIb,OAAO,CAAC,GAAG,EAAE,eAAe;CA+DnC"}
|
|
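--- a/package/dist/analyzers/network-analyzer.js
+++ b/package/dist/analyzers/network-analyzer.js
@@ -1,7 +1,67 @@
 import { createFinding } from '../domain/finding.js';
 import { findMatchingLine } from './match-evidence.js';
+import { stripComments } from './strip-comments.js';
 import { NETWORK_RULES } from './rules/index.js';
+const HARDCODED_IP_RULE_ID = 'hardcoded-ip';
+const IPV4_PATTERN = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
 const PRIVATE_IP_PATTERN = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g;
+const MAX_OCTET = 255;
+const DOC_FILE_PATTERN = /(?:^|\/)(?:README|CHANGELOG|HISTORY|CONTRIBUTING|LICENSE|NOTICE)(?:\.\w+)?$|\.(?:md|mdx|markdown|rst|txt|adoc)$/i;
+function isDocumentationFile(path) {
+return DOC_FILE_PATTERN.test(path);
+}
+function parseOctets(ip) {
+const octets = ip.split('.').map((part) => Number(part));
+if (octets.length !== 4)
+return undefined;
+if (octets.some((n) => !Number.isInteger(n) || n < 0 || n > MAX_OCTET))
+return undefined;
+return octets;
+}
+/**
+* A routable public IPv4 address - the only kind worth flagging as a hardcoded
+* endpoint (potential C2 / exfil host). Loopback, private, link-local, CGNAT,
+* documentation (RFC 5737), multicast, and reserved ranges are excluded: they
+* are either benign examples or covered by the lower-severity private-ip rule.
+*/
+function isRoutablePublicIp(ip) {
+const octets = parseOctets(ip);
+if (!octets)
+return false;
+const [a, b, c] = octets;
+if (a === 0 || a === 127)
+return false;
+if (a === 10)
+return false;
+if (a === 172 && b >= 16 && b <= 31)
+return false;
+if (a === 192 && b === 168)
+return false;
+if (a === 169 && b === 254)
+return false;
+if (a === 100 && b >= 64 && b <= 127)
+return false;
+if (a === 192 && b === 0 && c === 2)
+return false;
+if (a === 198 && b === 51 && c === 100)
+return false;
+if (a === 203 && b === 0 && c === 113)
+return false;
+if (a >= 224)
+return false;
+return true;
+}
+function findRoutablePublicIp(content) {
+IPV4_PATTERN.lastIndex = 0;
+for (const match of content.matchAll(IPV4_PATTERN)) {
+if (isRoutablePublicIp(match[0]))
+return match[0];
+}
+return undefined;
+}
+function escapeRegExp(value) {
+return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 export class NetworkAnalyzer {
 id = 'network';
 supports() {
@@ -10,10 +70,13 @@ export class NetworkAnalyzer {
 async analyze(ctx) {
 const findings = [];
 for (const file of ctx.artifact.files) {
+const scanContent = stripComments(file.content, file.path);
 for (const rule of NETWORK_RULES) {
+if (rule.id === HARDCODED_IP_RULE_ID)
+continue;
 rule.pattern.lastIndex = 0;
-if (rule.pattern.test(
-const match = findMatchingLine(
+if (rule.pattern.test(scanContent)) {
+const match = findMatchingLine(scanContent, rule.pattern, file.content);
 findings.push(createFinding({
 category: 'network',
 severity: rule.severity,
@@ -26,9 +89,27 @@ export class NetworkAnalyzer {
 }));
 }
 }
+const publicIp = findRoutablePublicIp(scanContent);
+if (publicIp) {
+const match = findMatchingLine(scanContent, new RegExp(escapeRegExp(publicIp)), file.content);
+findings.push(createFinding({
+category: 'network',
+severity: 'MEDIUM',
+title: 'Hardcoded IP',
+description: `Hardcoded public IP address detected: ${publicIp}`,
+ruleId: HARDCODED_IP_RULE_ID,
+file: file.path,
+line: match?.line,
+evidence: match?.evidence,
+}));
+}
+// Private/loopback IPs are only a (low) signal in real code, never in docs
+// or test fixtures where localhost examples are routine.
 PRIVATE_IP_PATTERN.lastIndex = 0;
-if (
-
+if (!isDocumentationFile(file.path) &&
+!file.path.includes('test') &&
+PRIVATE_IP_PATTERN.test(scanContent)) {
+const match = findMatchingLine(scanContent, PRIVATE_IP_PATTERN, file.content);
 findings.push(createFinding({
 category: 'network',
 severity: 'LOW',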
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"network-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/network-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,kBAAkB,GAAG,8IAA8I,CAAC;
|
|
1
|
+
{"version":3,"file":"network-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/network-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,oBAAoB,GAAG,cAAc,CAAC;AAC5C,MAAM,YAAY,GAAG,8BAA8B,CAAC;AACpD,MAAM,kBAAkB,GAAG,8IAA8I,CAAC;AAC1K,MAAM,SAAS,GAAG,GAAG,CAAC;AACtB,MAAM,gBAAgB,GAAG,kHAAkH,CAAC;AAE5I,SAAS,mBAAmB,CAAC,IAAY;IACvC,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAAC,EAAU;IAC7B,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACzD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IACzF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,EAAU;IACpC,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,MAA0C,CAAC;IAE7D,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACrD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACpD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IAE3B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;IAC3B,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,QAAQ,CAA
C,YAAY,CAAC,EAAE,CAAC;QACnD,IAAI,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,OAAO,eAAe;IACjB,EAAE,GAAG,SAAS,CAAC;IAExB,QAAQ;QACN,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QAEpB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3D,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,EAAE,KAAK,oBAAoB;oBAAE,SAAS;gBAC/C,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACnC,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;oBACxE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,SAAS;wBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,EAAE,IAAI;wBACjB,QAAQ,EAAE,KAAK,EAAE,QAAQ;qBAC1B,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;YAED,MAAM,QAAQ,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;YACnD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,EAAE,IAAI,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9F,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,cAAc;oBACrB,WAAW,EAAE,yCAAyC,QAAQ,EAAE;oBAChE,MAAM,EAAE,oBAAoB;oBAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,KAAK,EAAE,IAAI;oBACjB,QAAQ,EAAE,KAAK,EAAE,QAAQ;iBAC1B,CAAC,CAAC,CAAC;YACN,CAAC;YAED,2EAA2E;YAC3E,yDAAyD;YACzD,kBAAkB,CAAC,SAAS,GAAG,CAAC,CAAC;YACjC,IACE,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC/B,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC3B,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,EACpC,CAAC;gBACD,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,EAAE,kBAAkB,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,KAAK;oBACf,KAAK,E
AAE,sBAAsB;oBAC7B,WAAW,EAAE,qCAAqC,IAAI,CAAC,IAAI,EAAE;oBAC7D,MAAM,EAAE,YAAY;oBACpB,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,KAAK,EAAE,IAAI;oBACjB,QAAQ,EAAE,KAAK,EAAE,QAAQ;iBAC1B,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
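--- a/package/dist/core/sentinel.d.ts
+++ b/package/dist/core/sentinel.d.ts
@@ -24,6 +24,7 @@ export declare class Sentinel {
 install(ecosystem: string, raw: string, options?: {
 forceApprove?: boolean;
 onVerified?: () => void;
+cwd?: string;
 }): Promise<InstallResult>;
 generateReport(report: VerificationReport, format?: ReportFormat): string;
 private runInstaller;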
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAKzD,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAgB,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAGhE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;CACtC;AAED,qBAAa,QAAQ;IAMP,OAAO,CAAC,QAAQ,CAAC,OAAO;IALpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAyB;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAEf,OAAO,EAAE,eAAe;IAO/C,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA6CzE,OAAO,CAAC,uBAAuB;IA6BzB,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAA;KAAE,
|
|
1
|
+
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAKzD,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAgB,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAGhE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;CACtC;AAED,qBAAa,QAAQ;IAMP,OAAO,CAAC,QAAQ,CAAC,OAAO;IALpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAyB;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAEf,OAAO,EAAE,eAAe;IAO/C,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA6CzE,OAAO,CAAC,uBAAuB;IA6BzB,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,aAAa,CAAC;IAoCzB,cAAc,CAAC,MAAM,EAAE,kBAAkB,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,MAAM;YAI3D,YAAY;CAoB3B;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CAEjE"}
|
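--- a/package/dist/core/sentinel.js
+++ b/package/dist/core/sentinel.js
@@ -111,7 +111,7 @@ export class Sentinel {
 };
 }
 const target = report.target;
-const installResult = await this.runInstaller(target);
+const installResult = await this.runInstaller(target, options?.cwd);
 return {
 success: installResult.exitCode === 0,
 message: installResult.exitCode === 0
@@ -123,16 +123,17 @@ export class Sentinel {
 generateReport(report, format) {
 return this.reportGenerator.generate(report, format ?? this.options.reportFormat ?? 'terminal');
 }
-async runInstaller(target) {
+async runInstaller(target, cwd) {
 const { processRunner } = this.options;
 switch (target.ecosystem) {
 case 'npm':
 return processRunner.run('npm', ['install', target.name, '--ignore-scripts'], {
+cwd,
 env: { npm_config_ignore_scripts: 'true' },
 });
 case 'github': {
 const [owner, repo] = target.name.split('/');
-return processRunner.run('git', ['clone', `https://github.com/${owner}/${repo}.git`]);
+return processRunner.run('git', ['clone', `https://github.com/${owner}/${repo}.git`], { cwd });
 }
 case 'skill':
 case 'local':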
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAG9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAe,MAAM,qBAAqB,CAAC;AAG/D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAG9D,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAWhE,MAAM,OAAO,QAAQ;IAMU;IALZ,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,YAAY,CAAe;IAC3B,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,YAAY,CAAe;IAE5C,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;QACnD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;YACtC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE;YAChD,CAAC,CAAC,cAAc,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,GAAW;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,QAA8B,CAAC;QACnC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,MAAM,QAAQ,GAAG,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YACxF,MAAM,WAAW,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG;gBACf,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACrD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;aACjC,CAAC;YACF,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/D,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,
EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAC9F,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,WAAW,aAAa,oBAAoB,CAAC;YAE9F,OAAO;gBACL,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM;gBACN,WAAW;gBACX,cAAc;gBACd,OAAO;gBACP,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,KAAa;QAC3E,MAAM,cAAc,GAAG,sBAAsB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAc;YACtB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,CAAC;YACb,eAAe,EAAE,CAAC;YAClB,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,MAAM,MAAM,GAAiB;YAC3B,QAAQ,EAAE,kBAAkB;YAC5B,OAAO,EAAE,CAAC,kEAAkE,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC;YACxG,SAAS,EAAE,EAAE;SACd,CAAC;QAEF,OAAO;YACL,MAAM;YACN,QAAQ,EAAE,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,WAAW,EAAE,EAAE;YACf,cAAc;YACd,OAAO,EAAE,gDAAgD;YACzD,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,GAAW,EACX,
|
|
1
|
+
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAG9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAe,MAAM,qBAAqB,CAAC;AAG/D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAG9D,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAWhE,MAAM,OAAO,QAAQ;IAMU;IALZ,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,YAAY,CAAe;IAC3B,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,YAAY,CAAe;IAE5C,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;QACnD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;YACtC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE;YAChD,CAAC,CAAC,cAAc,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,GAAW;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,QAA8B,CAAC;QACnC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,MAAM,QAAQ,GAAG,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YACxF,MAAM,WAAW,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG;gBACf,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACrD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;aACjC,CAAC;YACF,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/D,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,
EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAC9F,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,WAAW,aAAa,oBAAoB,CAAC;YAE9F,OAAO;gBACL,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM;gBACN,WAAW;gBACX,cAAc;gBACd,OAAO;gBACP,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,KAAa;QAC3E,MAAM,cAAc,GAAG,sBAAsB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAc;YACtB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,CAAC;YACb,eAAe,EAAE,CAAC;YAClB,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,MAAM,MAAM,GAAiB;YAC3B,QAAQ,EAAE,kBAAkB;YAC5B,OAAO,EAAE,CAAC,kEAAkE,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC;YACxG,SAAS,EAAE,EAAE;SACd,CAAC;QAEF,OAAO;YACL,MAAM;YACN,QAAQ,EAAE,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,WAAW,EAAE,EAAE;YACf,cAAc;YACd,OAAO,EAAE,gDAAgD;YACzD,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,GAAW,EACX,OAA2E;QAE3E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;QAExB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,gCAAgC;gBACzC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,EAAE,YAAY;YACpC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAE9D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,6BAA6B;gBACtC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC
;QAEpE,OAAO;YACL,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;YACrC,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;gBACnC,CAAC,CAAC,0BAA0B,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,EAAE;gBAC7D,CAAC,CAAC,wBAAwB,aAAa,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,EAAE;YAC1E,MAAM;SACP,CAAC;IACJ,CAAC;IAED,cAAc,CAAC,MAA0B,EAAE,MAAqB;QAC9D,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,GAAY;QACrD,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEvC,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;YACzB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,EAAE;oBAC5E,GAAG;oBACH,GAAG,EAAE,EAAE,yBAAyB,EAAE,MAAM,EAAE;iBAC3C,CAAC,CAAC;YACL,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC7C,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,sBAAsB,KAAK,IAAI,IAAI,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YACjG,CAAC;YACD,KAAK,OAAO,CAAC;YACb,KAAK,OAAO;gBACV,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,yDAAyD,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;YACxG;gBACE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,+BAA+B,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,OAAwB;IACrD,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,QAAmB,EAAE,kBAA2B;IAC3E,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,SAAS;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAkC;IAC9D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,gBAAgB,CAAC;QAC1B,KAAK,kBAAkB;YACrB,OAAO,sCAAsC,CAAC;QAChD,KAAK,MAAM;YA
CT,OAAO,sBAAsB,CAAC;QAChC;YACE,OAAO,iBAAiB,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
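--- a/package/dist/mcp/server.js
+++ b/package/dist/mcp/server.js
@@ -5,7 +5,7 @@ import { z } from 'zod';
 import { createDefaultSentinel } from '../factory.js';
 const server = new McpServer({
 name: 'sentinel',
-version: '0.1.
+version: '0.1.3',
 });
 const sentinel = createDefaultSentinel();
 server.tool('verify_package', 'Verify an npm package for security risks', { name: z.string(), version: z.string().optional() }, async ({ name, version }) => {
@@ -104,7 +104,8 @@ server.tool('install', 'Verify and install a target (requires explicit confirm f
 type: z.string(),
 target: z.string(),
 confirm: z.boolean().describe('Must be true to proceed with installation'),
-
+cwd: z.string().optional().describe('Project directory to install into (required for npm/github in MCP — use the workspace root)'),
+}, async ({ type, target, confirm, cwd }) => {
 if (!confirm) {
 return {
 content: [{
@@ -116,7 +117,7 @@ server.tool('install', 'Verify and install a target (requires explicit confirm f
 }],
 };
 }
-const result = await sentinel.install(type, target, { forceApprove: true });
+const result = await sentinel.install(type, target, { forceApprove: true, cwd });
 if (result.report.policy.decision === 'BLOCK') {
 return {
 content: [{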
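Review bot: `cwd` is declared `.optional()` on new line 107 although its own description says it is required for npm/github, and the handler forwards it unchecked into `sentinel.install(...)` on new line 120, so an omitted value silently installs into the MCP server process's working directory and any value the client sends decides where the installer writes. The value comes from the MCP client, so the handler should enforce the stated contract before installing, e.g. `if ((type === 'npm' || type === 'github') && !cwd) { throw new Error('cwd (workspace root) is required for npm/github installs'); }`, and should at least require an absolute path (`path.isAbsolute(cwd)`) — ideally one under an allow-listed workspace root — rather than trusting whatever directory string arrives. Whether `sentinel.install` itself validates `cwd` is not visible here; if it does not, this handler is the only place the check can live. The `server.tool('install', …)` handler starts in the hunk's header context and its body continues past the end of the hunk.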
package/dist/mcp/server.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGtD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;AAEzC,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,0CAA0C,EAC1C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,EACpD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE;IAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,+CAA+C,EAC/C,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACvC,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE;IACxB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,IAAI,EAAE,CAAC,CAAC;IACnE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,oDAAoD,EACpD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,4DAA4D,EAC5D,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAA
E,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB,iEAAiE,EACjE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,eAAe,EACf,6DAA6D,EAC7D,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACrB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;IAClB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACtD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,iDAAiD,EACjD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACxC,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;IACzB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;oBAClC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;iBACjC,CAAC;aACH,CAAC;KACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,yCAAyC,EACzC;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IACh
B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC5D,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE;IACjC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG,CAAC,MAAM,IAAI,MAAM,CAAiB,CAAC;IACxD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACvG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,4CAA4C,EAC5C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,gEAAgE,EAChE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,sDAAsD,EACtD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACxC,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;IACzB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC;IACtD,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,UAAU;oBACV,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;oBAChC,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO;oBAC9B,cAAc,EAAE,MAAM,CAAC,cAAc;iBACtC,CAAC;aACH,CAAC;KACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT
,SAAS,EACT,8DAA8D,EAC9D;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGtD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;AAEzC,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,0CAA0C,EAC1C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,EACpD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE;IAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACrD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,+CAA+C,EAC/C,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACvC,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE;IACxB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,IAAI,EAAE,CAAC,CAAC;IACnE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,oDAAoD,EACpD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,4DAA4D,EAC5D,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAA
E,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB,iEAAiE,EACjE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,eAAe,EACf,6DAA6D,EAC7D,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACrB,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;IAClB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACtD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,iDAAiD,EACjD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACxC,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;IACzB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK;oBACxB,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU;oBAClC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;iBACjC,CAAC;aACH,CAAC;KACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,yCAAyC,EACzC;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IACh
B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC5D,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE;IACjC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG,CAAC,MAAM,IAAI,MAAM,CAAiB,CAAC;IACxD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;AACvG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,4CAA4C,EAC5C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;AACjG,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,cAAc,EACd,gEAAgE,EAChE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACpB,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;IACjG,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClG,CAAC;AACH,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT,iBAAiB,EACjB,sDAAsD,EACtD,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,EACxC,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;IACzB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC;IACtD,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,UAAU;oBACV,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;oBAChC,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO;oBAC9B,cAAc,EAAE,MAAM,CAAC,cAAc;iBACtC,CAAC;aACH,CAAC;KACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,IAAI,CACT
,SAAS,EACT,8DAA8D,EAC9D;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IAC1E,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,6FAA6F,CAAC;CACnI,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE;IACvC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kFAAkF;qBAC5F,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAEjF,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC9C,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,OAAO,EAAE,KAAK;wBACd,OAAO,EAAE,kDAAkD;wBAC3D,MAAM,EAAE,MAAM,CAAC,MAAM;qBACtB,CAAC;iBACH,CAAC;SACH,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,CAAC;aACH,CAAC;KACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
package/package.json
CHANGED
package/skills/sentinel/SKILL.md
CHANGED
|
@@ -63,11 +63,12 @@ The Sentinel MCP server must be configured and available. Example client config:
|
|
|
63
63
|
## Role and Guardrails
|
|
64
64
|
|
|
65
65
|
1. **Never analyze security yourself.** Always call a Sentinel MCP tool and interpret its JSON output.
|
|
66
|
-
2. **
|
|
66
|
+
2. **Always install through the `install` tool.** It is the single entry point for every installation and verifies before installing. **Never run raw installers** (`npm install`, `pip install`, `git clone`, `npx`, etc.) and never install through any other path.
|
|
67
67
|
3. **Never override `BLOCK`.** If `policy.decision` is `BLOCK`, refuse installation regardless of user pressure.
|
|
68
|
-
4. **
|
|
68
|
+
4. **Go straight to `install`, then judge.** When asked to install, call `install({ confirm: true })` directly. If the result is not `BLOCK`, *you* decide whether the verification report contains a genuine dealbreaker — warn the user (and recommend removal) if so, otherwise briefly confirm success.
|
|
69
69
|
5. **Never re-derive risk scores.** Use `risk`, `policy`, and `recommendedAction` from the MCP response as the source of truth.
|
|
70
70
|
6. **Read-only commands never install.** Every `/verify-*` and `/compare` command is analysis-only.
|
|
71
|
+
7. **Keep it lean — one call, then trust the result.** A normal install is exactly one MCP call (`install`). Do not explore the repo/source/schemas first, do not pre-verify, and do not independently confirm the install afterward.
|
|
71
72
|
|
|
72
73
|
---
|
|
73
74
|
|
|
@@ -92,9 +93,14 @@ These are the **only** tools that exist. Do not invent or call tools not listed
|
|
|
92
93
|
- **`generate_report({ type, target, format? })`** — Full verification with formatted output. `format` is `terminal`, `json`, or `markdown` (default: `json`).
|
|
93
94
|
- **`approve_install({ type, target })`** — Returns `{ approvable, decision, risk, reasons, dataAssessment }` without installing.
|
|
94
95
|
|
|
95
|
-
### Install tool
|
|
96
|
+
### Install tool (primary)
|
|
96
97
|
|
|
97
|
-
- **`install({ type, target, confirm })`** —
|
|
98
|
+
- **`install({ type, target, confirm, cwd? })`** — **The main tool for every installation. Call it directly and first.** It runs the full verification pipeline *internally before installing*, refuses `BLOCK` decisions (cannot be overridden), and returns the complete report (`risk`, `policy`, `findings`, `permissions`, `recommendedAction`) in its response.
|
|
99
|
+
- **`confirm` must be `true`** to proceed; otherwise it returns without installing.
|
|
100
|
+
- **`cwd` must be the user's workspace/project root** for `npm` and `github` installs. The MCP server does not run in the user's project — without `cwd`, `npm install` lands in the MCP process directory (often `$HOME`), so `package.json` in the workspace will not change. Example: `install({ type: "npm", target: "axios", confirm: true, cwd: "/path/to/workspace" })`.
|
|
101
|
+
- **Go straight to this tool.** Do not call `approve_install`/`verify_*` first, and do not read Sentinel's source, MCP schemas, `package.json`, or the repo beforehand. When the user asks to install something, your first action is `install({ type, target, confirm: true, cwd })`.
|
|
102
|
+
- **When the result is not `BLOCK`, you (the agent) judge** whether anything in the returned verification report is a genuine dealbreaker (see "Dealbreaker judgment" below). `BLOCK` is the only decision the tool refuses outright.
|
|
103
|
+
- **Never run raw installers** (`npm install`, `pip install`, `git clone`, `npx`, etc.). Every installation goes through this tool.
|
|
98
104
|
|
|
99
105
|
### Ecosystem `type` values for `calculate_risk`, `generate_report`, `approve_install`, and `install`
|
|
100
106
|
|
|
@@ -130,37 +136,62 @@ Activate this skill automatically when the user says things like:
|
|
|
130
136
|
- "Install GitHub repository"
|
|
131
137
|
- "Install anything from GitHub"
|
|
132
138
|
|
|
133
|
-
**
|
|
139
|
+
**Go straight to the `install` tool.** It verifies first, so the moment the user asks to install something, your first action is to call `install({ type, target, confirm: true })`. No preamble, no exploration, no separate preview.
|
|
134
140
|
|
|
135
141
|
### Interception flow
|
|
136
142
|
|
|
137
143
|
```mermaid
|
|
138
144
|
flowchart TD
|
|
139
145
|
userIntent[UserInstallIntent] --> mapTarget[MapToEcosystemAndTarget]
|
|
140
|
-
mapTarget -->
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
decision -->|REQUIRE_APPROVAL| requireYes[ShowReasonsRequireExplicitYes]
|
|
147
|
-
decision -->|BLOCK| refuse[RefuseDoNotInstall]
|
|
148
|
-
askConfirm -->|UserYes| install[install confirm true]
|
|
149
|
-
warnAndAsk -->|UserYes| install
|
|
150
|
-
requireYes -->|UserYes| install
|
|
151
|
-
refuse --> done[End]
|
|
152
|
-
install --> result[ReportInstallResult]
|
|
146
|
+
mapTarget --> install[install confirm true verifies then installs]
|
|
147
|
+
install --> blocked{policy.decision is BLOCK?}
|
|
148
|
+
blocked -->|Yes| refuse[RefuseExplainStop]
|
|
149
|
+
blocked -->|No| judge{AgentJudgesDealbreaker}
|
|
150
|
+
judge -->|Dealbreaker| warnUser[WarnUserCiteFindingRecommendRemoval]
|
|
151
|
+
judge -->|No dealbreaker| report[ConfirmSuccessBriefly]
|
|
153
152
|
```
|
|
154
153
|
|
|
155
154
|
### Step-by-step
|
|
156
155
|
|
|
157
|
-
1. **Map intent** to ecosystem `type` and `target` (see table above)
|
|
158
|
-
2. **
|
|
159
|
-
3. **
|
|
160
|
-
4. **
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
156
|
+
1. **Map intent** to ecosystem `type` and `target` (see table above), and resolve the **workspace root** as `cwd` for `npm`/`github`.
|
|
157
|
+
2. **Immediately call `install({ type, target, confirm: true, cwd })`** — the main tool. It verifies, enforces `BLOCK`, installs when allowed, and returns the full report. Do not call anything before it.
|
|
158
|
+
3. **If `policy.decision` is `BLOCK`:** nothing was installed. Refuse, explain the blocking finding(s), and stop.
|
|
159
|
+
4. **If not `BLOCK`:** the target is installed. **Judge the returned report yourself** for a genuine dealbreaker (see "Dealbreaker judgment").
|
|
160
|
+
- **No dealbreaker** → briefly confirm the install succeeded (1-2 lines). Done.
|
|
161
|
+
- **Dealbreaker found** → prominently warn the user, cite the specific finding(s), and recommend removing the package. Do not pretend it is safe.
|
|
162
|
+
|
|
163
|
+
> The `install` tool is the only tool that performs installation, and it always verifies first. You do not need a separate verify/preview call — the verification result comes back inside the `install` response.
|
|
164
|
+
|
|
165
|
+
### Dealbreaker judgment
|
|
166
|
+
|
|
167
|
+
When the result is **not `BLOCK`**, decide whether the verification evidence is serious enough to warn the user. Use the report's `findings`, `risk`, `policy.reasons`, and `dataAssessment` — never re-derive scores.
|
|
168
|
+
|
|
169
|
+
**Treat as a dealbreaker (warn + recommend removal):**
|
|
170
|
+
|
|
171
|
+
- Any `CRITICAL` or `HIGH` severity finding.
|
|
172
|
+
- Findings in categories that indicate malice: `secret` (leaked credentials), `network` exfiltration / C2 (webhooks, pastebin, miners, Tor), `ai-prompt` injection, `behavioral`/malware, or an `install-script` that fetches and executes remote code (`curl … | sh`, `wget … | sh`).
|
|
173
|
+
- `dataAssessment.sufficient: false` combined with a remote/untrusted target (you cannot vouch for what you could not inspect).
|
|
174
|
+
|
|
175
|
+
**Not a dealbreaker (proceed, mention briefly at most):**
|
|
176
|
+
|
|
177
|
+
- Routine install scripts (`prepare`/`postinstall`) on a reputable, established package.
|
|
178
|
+
- Network access for a package whose job is networking (e.g. `axios`).
|
|
179
|
+
- `LOW`/`MEDIUM` metadata or reputation notes (recently updated, modest download count, etc.).
|
|
180
|
+
|
|
181
|
+
### Keep the flow lean (do NOT overthink)
|
|
182
|
+
|
|
183
|
+
A normal install is **one MCP call**: `install`. The response already contains `success`, `message`, and the full `report` — that is the source of truth.
|
|
184
|
+
|
|
185
|
+
**Do NOT do any of the following** — they are wasted steps:
|
|
186
|
+
|
|
187
|
+
- ❌ Exploring or reading Sentinel's own source, MCP tool schemas, `package.json`, or the repo before calling `install`. Go straight to the tool.
|
|
188
|
+
- ❌ Calling `approve_install`/`verify_*` before `install` in the normal install flow. `install` already verifies.
|
|
189
|
+
- ❌ Re-checking the result after `install` returns: listing `node_modules`, stat-ing files/timestamps, running `npm ls`/dependency-tree checks, or `git status`/diff to "confirm" the install. The response already tells you.
|
|
190
|
+
- ❌ Running raw shell/`npm`/`git` commands at any point in the flow.
|
|
191
|
+
|
|
192
|
+
When `install` returns, **report its `success` and `message` directly and stop** — unless `BLOCK` or a dealbreaker requires a warning, or `install` returns `success: false`.
|
|
193
|
+
|
|
194
|
+
For a clean, low-risk target, keep the explanation to a couple of lines — full Explain Mode detail is for dealbreakers and `BLOCK`.
|
|
164
195
|
|
|
165
196
|
---
|
|
166
197
|
|
|
@@ -401,23 +432,23 @@ Do not invent scores or decisions. If `dataAssessment.sufficient` is `false`, su
|
|
|
401
432
|
|
|
402
433
|
## Approval Rules
|
|
403
434
|
|
|
404
|
-
|
|
435
|
+
You call `install({ confirm: true })` directly; the tool returns `policy.decision`. `BLOCK` is the only hard stop. For every other decision the package is installed, and *you* decide whether to warn the user based on the dealbreaker judgment.
|
|
405
436
|
|
|
406
|
-
| Decision | Behavior |
|
|
407
|
-
|
|
408
|
-
| `AUTO_APPROVE` |
|
|
409
|
-
| `APPROVE` |
|
|
410
|
-
| `WARN` |
|
|
411
|
-
| `REQUIRE_APPROVAL` |
|
|
412
|
-
| `BLOCK` | **
|
|
437
|
+
| Decision | Behavior after `install` returns |
|
|
438
|
+
|----------|----------------------------------|
|
|
439
|
+
| `AUTO_APPROVE` | Installed. Confirm success in 1-2 lines. |
|
|
440
|
+
| `APPROVE` | Installed. Confirm success in 1-2 lines. |
|
|
441
|
+
| `WARN` | Installed. If the findings are a dealbreaker, warn and recommend removal; otherwise note the caveat in one line. |
|
|
442
|
+
| `REQUIRE_APPROVAL` | Installed. Judge the findings/`dataAssessment`: warn and recommend removal if it's a dealbreaker; otherwise confirm with a brief note. |
|
|
443
|
+
| `BLOCK` | **Not installed — refused by the tool.** Explain why using specific findings and stop. |
|
|
413
444
|
|
|
414
|
-
`install` with `confirm: true` still fails on `BLOCK`. Never attempt to bypass it.
|
|
445
|
+
`install` with `confirm: true` still fails on `BLOCK`. Never attempt to bypass it. Use the dealbreaker judgment (not custom risk thresholds) to decide whether a non-`BLOCK` result deserves a warning.
|
|
415
446
|
|
|
416
447
|
---
|
|
417
448
|
|
|
418
449
|
## Explain Mode
|
|
419
450
|
|
|
420
|
-
|
|
451
|
+
Use the full structure below **only for dealbreakers, `BLOCK`, and explicit `/verify-*` requests**. For a clean, non-dealbreaker install, skip it and confirm success in 1-2 lines.
|
|
421
452
|
|
|
422
453
|
### Executive Summary
|
|
423
454
|
|
|
@@ -455,27 +486,25 @@ Map `recommendedAction` to user language:
|
|
|
455
486
|
|
|
456
487
|
## Conversation Workflows
|
|
457
488
|
|
|
458
|
-
### Installation flow
|
|
489
|
+
### Installation flow (clean target)
|
|
490
|
+
|
|
491
|
+
**User:** Install axios
|
|
459
492
|
|
|
460
|
-
**
|
|
493
|
+
**Skill:** Running Sentinel security verification...
|
|
461
494
|
|
|
462
|
-
**
|
|
495
|
+
**MCP (first and only call):** `install({ type: "npm", target: "axios", confirm: true, cwd: "<workspace-root>" })`
|
|
463
496
|
|
|
464
|
-
**
|
|
497
|
+
**Skill:** Installed `axios`. Sentinel verified it first — MEDIUM risk (routine `prepare` install script + network access, which is expected for an HTTP client), no critical findings. Nothing here is a dealbreaker. Done.
|
|
498
|
+
|
|
499
|
+
---
|
|
465
500
|
|
|
466
|
-
|
|
467
|
-
- Risk: MEDIUM (31/100)
|
|
468
|
-
- Confidence: 94%
|
|
469
|
-
- Decision: REQUIRE_APPROVAL
|
|
470
|
-
- Install script: prepare
|
|
471
|
-
- Network: yes
|
|
472
|
-
- Critical findings: 0
|
|
501
|
+
### Installation flow (dealbreaker)
|
|
473
502
|
|
|
474
|
-
|
|
503
|
+
**User:** Install some-sketchy-pkg
|
|
475
504
|
|
|
476
|
-
**
|
|
505
|
+
**MCP (first and only call):** `install({ type: "npm", target: "some-sketchy-pkg", confirm: true })`
|
|
477
506
|
|
|
478
|
-
|
|
507
|
+
Result is `BLOCK` → not installed. Or non-`BLOCK` but a HIGH/CRITICAL or malware/exfiltration finding → the package installed, so **warn the user, cite the specific finding, and recommend removing it.**
|
|
479
508
|
|
|
480
509
|
---
|
|
481
510
|
|
|
@@ -483,9 +512,9 @@ Would you like to install it?
|
|
|
483
512
|
|
|
484
513
|
**User:** Install github.com/owner/project
|
|
485
514
|
|
|
486
|
-
**MCP:** `
|
|
515
|
+
**MCP (first and only call):** `install({ type: "github", target: "owner/project", confirm: true })`
|
|
487
516
|
|
|
488
|
-
|
|
517
|
+
If `BLOCK`, refuse and explain. Otherwise judge the returned findings/permissions; warn and recommend removal only if there's a genuine dealbreaker, else confirm briefly.
|
|
489
518
|
|
|
490
519
|
---
|
|
491
520
|
|
|
@@ -493,9 +522,9 @@ Present repository analysis, dependency findings, permissions, recommendation, t
|
|
|
493
522
|
|
|
494
523
|
**User:** Install this skill at ./my-skill
|
|
495
524
|
|
|
496
|
-
**MCP:** `
|
|
525
|
+
**MCP (first and only call):** `install({ type: "skill", target: "./my-skill", confirm: true })`
|
|
497
526
|
|
|
498
|
-
|
|
527
|
+
If `BLOCK`, refuse and explain. Otherwise judge the returned findings for dealbreakers — prompt injection, hidden instructions, dangerous permissions, autonomous behaviors. Warn and recommend removal if any are present; otherwise confirm briefly.
|
|
499
528
|
|
|
500
529
|
---
|
|
501
530
|
|
|
@@ -522,4 +551,4 @@ Highlight prompt injection, hidden instructions, permission requests, autonomous
|
|
|
522
551
|
|
|
523
552
|
## Commands That Can Install
|
|
524
553
|
|
|
525
|
-
Only `install` — and
|
|
554
|
+
Only `install` — it is the **main tool** for every installation. Call it directly and first; it verifies before installing, refuses `BLOCK`, and is the only path that may install. When the result is not `BLOCK`, judge the returned report for a dealbreaker: warn and recommend removal if present, otherwise confirm success briefly. Never use a raw installer, and never pre-verify or explore before calling it.
|
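Review bot: Guardrail 4 (new line 68) and step 2 (new line 157) instruct the agent to make `install({ confirm: true })` its first action for every request, and the Approval Rules table (new lines 439–442) marks `REQUIRE_APPROVAL` and `WARN` as "Installed", so the `confirm` gate described at new line 99 is now always satisfied by the agent rather than by the user and `BLOCK` becomes the only remaining hard stop. The consequence is that a target carrying a HIGH/CRITICAL finding from the dealbreaker list at new line 171 has already run its install scripts by the time the agent is told to "recommend removal" (new line 161), and removing the package afterwards does not undo anything a postinstall hook did. I would keep an explicit user-approval step for `REQUIRE_APPROVAL` instead of auto-confirming it, e.g. `| REQUIRE_APPROVAL | Not installed yet. Show policy.reasons and ask the user for an explicit yes before calling install({ confirm: true }). |`, which needs a preview call for that path and so conflicts with new line 101 — that conflict should be resolved deliberately rather than left implicit. If auto-confirmation is the intended design, new line 99 should state plainly that the agent, not the user, supplies `confirm: true`.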