@safetnsr/vet 1.3.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +92 -89
- package/dist/checks/permissions.d.ts +2 -0
- package/dist/checks/permissions.js +248 -0
- package/dist/cli.js +30 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,26 +1,63 @@
|
|
|
1
1
|
# vet
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
your AI coding agent doesn't know what it broke. you need a second opinion.
|
|
4
4
|
|
|
5
5
|
```bash
|
|
6
6
|
npx @safetnsr/vet
|
|
7
7
|
```
|
|
8
8
|
|
|
9
|
+
vet checks your codebase **before** and **after** AI coding sessions. before: is your repo set up so the agent does good work? after: did it leave behind anti-patterns, stale tests, leaked secrets, or technical debt?
|
|
10
|
+
|
|
9
11
|
works with Claude Code, Cursor, Copilot, Codex, Aider, Windsurf, Cline — anything that writes code in a git repo.
|
|
10
12
|
|
|
11
|
-
##
|
|
13
|
+
## two flows, one command
|
|
14
|
+
|
|
15
|
+
`npx @safetnsr/vet` runs everything. but the checks split into two categories:
|
|
16
|
+
|
|
17
|
+
### before the session — is your codebase ready?
|
|
18
|
+
|
|
19
|
+
| check | what it does |
|
|
20
|
+
|-------|-------------|
|
|
21
|
+
| **ready** | scores your codebase structure: docs, types, tests, AI-friendliness |
|
|
22
|
+
| **config** | deep analysis of CLAUDE.md, .cursorrules, copilot-instructions — completeness, consistency, specificity |
|
|
23
|
+
| **scan** | detects prompt injection, shell injection, exfiltration in agent config files |
|
|
24
|
+
| **permissions** | flags MCP servers with dangerous filesystem access (writes to ~/.ssh, /etc, outside cwd) |
|
|
25
|
+
| **models** | finds deprecated/sunset model strings across OpenAI, Anthropic, Google, Cohere |
|
|
26
|
+
| **map** | verifies your codebase has navigable structure for agents |
|
|
27
|
+
| **memory** | catches stale facts, contradictions, and drift in CLAUDE.md, AGENTS.md, memory/ files |
|
|
28
|
+
|
|
29
|
+
a codebase that scores well here gives AI agents better context, fewer hallucinations, and less cleanup.
|
|
30
|
+
|
|
31
|
+
### after the session — did the AI leave problems?
|
|
32
|
+
|
|
33
|
+
| check | what it does |
|
|
34
|
+
|-------|-------------|
|
|
35
|
+
| **diff** | AI-specific anti-patterns: wholesale rewrites, orphaned imports, catch-all error handling, over-commenting |
|
|
36
|
+
| **tests** | test theater: tautological assertions, empty test bodies, tests that prove nothing |
|
|
37
|
+
| **debt** | near-duplicate functions, orphaned exports, wrapper pass-throughs, naming drift |
|
|
38
|
+
| **secrets** | scans dist/, build/, .next/ + .env files for leaked API keys using pattern + entropy analysis |
|
|
39
|
+
| **history** | git commit churn, AI attribution ratios, suspiciously large changes |
|
|
40
|
+
| **receipt** | parses Claude Code session logs — files changed, commands run, packages installed, SHA256 integrity hash |
|
|
41
|
+
|
|
42
|
+
plus: **integrity** (hallucinated imports), **deps** (unused/phantom dependencies), **owasp** (OWASP Top 10 for AI agents), **verify** (validates agent claims against actual changes).
|
|
43
|
+
|
|
44
|
+
## output
|
|
45
|
+
|
|
46
|
+
```
|
|
47
|
+
my-project B 75/100
|
|
48
|
+
|
|
49
|
+
security ████████░░ 82 scan ✓ secrets ✓ config 3/10 owasp ✓
|
|
50
|
+
integrity ███████░░░ 68 diff: 3 issues integrity ✓ memory: 1 stale
|
|
51
|
+
debt ██████░░░░ 58 ready 4/10 history ✓ debt: 2 duplicates
|
|
52
|
+
deps ██████████ 98 all clean
|
|
53
|
+
|
|
54
|
+
✗ no README — AI agents have no project context
|
|
55
|
+
✗ [ai] wholesale rewrite: 40 lines removed, 45 added in utils.ts
|
|
56
|
+
! config: "strict TS" but tsconfig.strict is false
|
|
57
|
+
! memory: CLAUDE.md references vitest but package.json uses jest
|
|
12
58
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
| **ready** | is your codebase AI-friendly? | scans structure, docs, types, tests |
|
|
16
|
-
| **diff** | did the AI leave anti-patterns? | AI-specific patterns: wholesale rewrites, orphaned imports, catch-alls, over-commenting, plus secrets & stubs |
|
|
17
|
-
| **models** | using deprecated AI models? | scans code for sunset model strings across OpenAI, Anthropic, Google, Cohere |
|
|
18
|
-
| **config** | agent configs in place? | deep analysis of CLAUDE.md, .cursorrules, copilot-instructions — checks completeness, consistency, and specificity against your actual codebase |
|
|
19
|
-
| **history** | git patterns healthy? | analyzes commit churn, AI attribution, large changes |
|
|
20
|
-
| **scan** | malicious patterns in agent configs? | scans .claude/, .cursorrules, CLAUDE.md, .mcp/ for prompt injection, shell injection, exfiltration endpoints |
|
|
21
|
-
| **secrets** | leaked secrets in build output? | scans dist/, build/, .next/ + .env files for API keys, tokens, connection strings using pattern + entropy analysis |
|
|
22
|
-
| **receipt** | what did the last agent session do? | parses ~/.claude/projects/ JSONL session logs — files changed, commands run, packages installed, SHA256 integrity hash |
|
|
23
|
-
| **debt** | AI-generated technical debt (duplicates, orphans, wrappers) | detects near-duplicate functions, orphaned exports, wrapper pass-throughs, naming drift |
|
|
59
|
+
run --fix to auto-repair 4 issues
|
|
60
|
+
```
|
|
24
61
|
|
|
25
62
|
## usage
|
|
26
63
|
|
|
@@ -28,19 +65,19 @@ works with Claude Code, Cursor, Copilot, Codex, Aider, Windsurf, Cline — anyth
|
|
|
28
65
|
# run all checks
|
|
29
66
|
npx @safetnsr/vet
|
|
30
67
|
|
|
31
|
-
#
|
|
68
|
+
# specific directory
|
|
32
69
|
npx @safetnsr/vet ./my-project
|
|
33
70
|
|
|
34
71
|
# auto-fix: generate CLAUDE.md, .cursorrules, fix deprecated models
|
|
35
72
|
npx @safetnsr/vet --fix
|
|
36
73
|
|
|
37
|
-
#
|
|
74
|
+
# specific commit range
|
|
38
75
|
npx @safetnsr/vet --since HEAD~5
|
|
39
76
|
|
|
40
77
|
# live monitoring during AI sessions
|
|
41
78
|
npx @safetnsr/vet --watch
|
|
42
79
|
|
|
43
|
-
# CI mode — exit
|
|
80
|
+
# CI mode — exit 1 if score below threshold
|
|
44
81
|
npx @safetnsr/vet --ci
|
|
45
82
|
|
|
46
83
|
# JSON output
|
|
@@ -49,78 +86,72 @@ npx @safetnsr/vet --json
|
|
|
49
86
|
# generate configs + pre-commit hook
|
|
50
87
|
npx @safetnsr/vet init
|
|
51
88
|
|
|
52
|
-
#
|
|
89
|
+
# agent session receipt
|
|
53
90
|
npx @safetnsr/vet receipt
|
|
54
91
|
npx @safetnsr/vet receipt --json
|
|
55
92
|
```
|
|
56
93
|
|
|
57
|
-
## output
|
|
58
|
-
|
|
59
|
-
```
|
|
60
|
-
my-project 7.5/10
|
|
61
|
-
|
|
62
|
-
ready ████░░░░░░ 4 3 readiness issues
|
|
63
|
-
diff ████████░░ 8 3 issues (2 AI-specific) in 5 files
|
|
64
|
-
models ██████████ 10 all models current
|
|
65
|
-
config ███░░░░░░░ 3 Cursor — needs work (3/10)
|
|
66
|
-
history █████████░ 9 41 commits (~15% AI-attributed)
|
|
67
|
-
scan ██████████ 10 no malicious patterns found
|
|
68
|
-
secrets ██████████ 10 no leaked secrets
|
|
69
|
-
receipt ██████████ 10 last session: 3 files, 2 commands
|
|
70
|
-
|
|
71
|
-
✗ no README — AI agents have no project context
|
|
72
|
-
✗ no tests — AI agents produce better code when tests exist
|
|
73
|
-
! [ai] wholesale rewrite: 40 lines removed, 45 added in utils.ts
|
|
74
|
-
! [ai] imported "lodash" but never used in new code
|
|
75
|
-
|
|
76
|
-
run --fix to auto-repair 4 issues
|
|
77
|
-
```
|
|
78
|
-
|
|
79
94
|
## --fix
|
|
80
95
|
|
|
81
|
-
|
|
96
|
+
analyzes your codebase and generates project-specific configs:
|
|
82
97
|
|
|
83
98
|
```bash
|
|
84
99
|
$ npx @safetnsr/vet --fix
|
|
85
100
|
|
|
86
101
|
vet --fix
|
|
87
102
|
|
|
88
|
-
+ CLAUDE.md (generated
|
|
103
|
+
+ CLAUDE.md (generated: Next.js + React, Vitest, Tailwind CSS, TypeScript)
|
|
89
104
|
+ .cursorrules (generated)
|
|
90
105
|
✓ src/api.ts: "gpt-3.5-turbo" → "gpt-4o-mini"
|
|
91
106
|
|
|
92
107
|
fixed 3 issues
|
|
93
108
|
```
|
|
94
109
|
|
|
95
|
-
the generated CLAUDE.md includes your actual stack, directory structure, and framework-specific rules.
|
|
110
|
+
the generated CLAUDE.md includes your actual stack, directory structure, and framework-specific rules — not a template.
|
|
96
111
|
|
|
97
|
-
##
|
|
112
|
+
## --watch
|
|
98
113
|
|
|
99
|
-
|
|
100
|
-
|---------|----------------|
|
|
101
|
-
| `[ai] wholesale rewrite` | AI rewrote an entire function when a small edit would suffice |
|
|
102
|
-
| `[ai] orphaned imports` | AI added imports it never uses |
|
|
103
|
-
| `[ai] catch-all handling` | `catch(e) { console.error(e) }` instead of specific error handling |
|
|
104
|
-
| `[ai] comment density` | AI over-commented obvious code |
|
|
105
|
-
| `[ai] empty test body` | AI stubbed a test without implementation |
|
|
106
|
-
| `[ai] trivial assertion` | `expect(true).toBe(true)` — test proves nothing |
|
|
114
|
+
monitors your repo during an active AI session. re-runs checks on every file change:
|
|
107
115
|
|
|
108
|
-
|
|
116
|
+
```bash
|
|
117
|
+
npx @safetnsr/vet --watch
|
|
118
|
+
```
|
|
109
119
|
|
|
110
|
-
|
|
120
|
+
catch problems as the agent creates them, not after it's done.
|
|
111
121
|
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
122
|
+
## CI/CD
|
|
123
|
+
|
|
124
|
+
```yaml
|
|
125
|
+
# .github/workflows/vet.yml
|
|
126
|
+
name: vet
|
|
127
|
+
on: [pull_request]
|
|
128
|
+
jobs:
|
|
129
|
+
vet:
|
|
130
|
+
runs-on: ubuntu-latest
|
|
131
|
+
steps:
|
|
132
|
+
- uses: actions/checkout@v4
|
|
133
|
+
with:
|
|
134
|
+
fetch-depth: 50
|
|
135
|
+
- run: npx @safetnsr/vet --ci
|
|
117
136
|
```
|
|
118
137
|
|
|
119
|
-
|
|
138
|
+
GitHub Action: [`safetnsr/vet-action`](https://github.com/safetnsr/vet-action) (coming soon)
|
|
120
139
|
|
|
121
|
-
|
|
140
|
+
## config
|
|
122
141
|
|
|
123
|
-
|
|
142
|
+
optional `.vetrc` in your project root:
|
|
143
|
+
|
|
144
|
+
```json
|
|
145
|
+
{
|
|
146
|
+
"checks": ["ready", "diff", "models", "config", "scan", "secrets"],
|
|
147
|
+
"ignore": ["vendor/", "generated/"],
|
|
148
|
+
"thresholds": { "min": 60 }
|
|
149
|
+
}
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
## receipt
|
|
153
|
+
|
|
154
|
+
shows what the last Claude Code session actually did — files touched, commands run, packages installed, with a SHA256 integrity hash:
|
|
124
155
|
|
|
125
156
|
```
|
|
126
157
|
╔══════════════════════════════════════════════╗
|
|
@@ -139,34 +170,6 @@ Shows a receipt for the last Claude Code agent session — what files it touched
|
|
|
139
170
|
╚══════════════════════════════════════════════╝
|
|
140
171
|
```
|
|
141
172
|
|
|
142
|
-
## config
|
|
143
|
-
|
|
144
|
-
create `.vetrc` in your project root (optional):
|
|
145
|
-
|
|
146
|
-
```json
|
|
147
|
-
{
|
|
148
|
-
"checks": ["ready", "diff", "models", "config", "history", "scan", "secrets", "receipt"],
|
|
149
|
-
"ignore": ["vendor/", "generated/"],
|
|
150
|
-
"thresholds": { "min": 6 }
|
|
151
|
-
}
|
|
152
|
-
```
|
|
153
|
-
|
|
154
|
-
## ci
|
|
155
|
-
|
|
156
|
-
```yaml
|
|
157
|
-
# .github/workflows/vet.yml
|
|
158
|
-
name: vet
|
|
159
|
-
on: [pull_request]
|
|
160
|
-
jobs:
|
|
161
|
-
vet:
|
|
162
|
-
runs-on: ubuntu-latest
|
|
163
|
-
steps:
|
|
164
|
-
- uses: actions/checkout@v4
|
|
165
|
-
with:
|
|
166
|
-
fetch-depth: 50
|
|
167
|
-
- run: npx @safetnsr/vet --ci
|
|
168
|
-
```
|
|
169
|
-
|
|
170
173
|
## zero dependencies
|
|
171
174
|
|
|
172
175
|
vet uses only Node.js built-ins. no runtime dependencies. works with Node 18+.
|
|
@@ -0,0 +1,248 @@
|
|
|
1
|
+
import { join, resolve, isAbsolute } from 'node:path';
|
|
2
|
+
import { homedir } from 'node:os';
|
|
3
|
+
import { readFile, fileExists } from '../util.js';
|
|
4
|
+
// ── Sensitive directories that trigger DANGER if MCP server writes there ──
|
|
5
|
+
const SENSITIVE_DIRS = [
|
|
6
|
+
'~/.ssh',
|
|
7
|
+
'~/.aws',
|
|
8
|
+
'/etc',
|
|
9
|
+
'/var/www',
|
|
10
|
+
];
|
|
11
|
+
function expandHome(p) {
|
|
12
|
+
if (p.startsWith('~/'))
|
|
13
|
+
return join(homedir(), p.slice(2));
|
|
14
|
+
if (p === '~')
|
|
15
|
+
return homedir();
|
|
16
|
+
return p;
|
|
17
|
+
}
|
|
18
|
+
function isSensitiveDir(p) {
|
|
19
|
+
const expanded = expandHome(p);
|
|
20
|
+
return SENSITIVE_DIRS.some(d => {
|
|
21
|
+
const expandedSensitive = expandHome(d);
|
|
22
|
+
return expanded === expandedSensitive || expanded.startsWith(expandedSensitive + '/');
|
|
23
|
+
});
|
|
24
|
+
}
|
|
25
|
+
function isOutsideCwd(p, cwd) {
|
|
26
|
+
const expanded = expandHome(p);
|
|
27
|
+
const abs = isAbsolute(expanded) ? expanded : resolve(cwd, expanded);
|
|
28
|
+
const resolvedCwd = resolve(cwd);
|
|
29
|
+
return !abs.startsWith(resolvedCwd + '/') && abs !== resolvedCwd;
|
|
30
|
+
}
|
|
31
|
+
/** Score helper */
|
|
32
|
+
function applyPenalty(score, severity) {
|
|
33
|
+
const penalties = { error: 30, warning: 15, info: 5 };
|
|
34
|
+
return Math.max(0, score - penalties[severity]);
|
|
35
|
+
}
|
|
36
|
+
// ── A. Scan .claude/settings.json ─────────────────────────────────────────
|
|
37
|
+
function checkSettingsJson(cwd, issues) {
|
|
38
|
+
const settingsPath = join(cwd, '.claude', 'settings.json');
|
|
39
|
+
if (!fileExists(settingsPath))
|
|
40
|
+
return;
|
|
41
|
+
const raw = readFile(settingsPath);
|
|
42
|
+
if (!raw)
|
|
43
|
+
return;
|
|
44
|
+
let settings;
|
|
45
|
+
try {
|
|
46
|
+
settings = JSON.parse(raw);
|
|
47
|
+
}
|
|
48
|
+
catch {
|
|
49
|
+
issues.push({
|
|
50
|
+
severity: 'warning',
|
|
51
|
+
message: '.claude/settings.json is not valid JSON — cannot audit permissions',
|
|
52
|
+
file: '.claude/settings.json',
|
|
53
|
+
fixable: false,
|
|
54
|
+
});
|
|
55
|
+
return;
|
|
56
|
+
}
|
|
57
|
+
// allowedTools containing bare "Bash" or "Bash(*)"
|
|
58
|
+
const allowedTools = settings.allowedTools;
|
|
59
|
+
if (Array.isArray(allowedTools)) {
|
|
60
|
+
for (const tool of allowedTools) {
|
|
61
|
+
if (typeof tool === 'string') {
|
|
62
|
+
if (tool === 'Bash' || tool === 'Bash(*)') {
|
|
63
|
+
issues.push({
|
|
64
|
+
severity: 'error',
|
|
65
|
+
message: `allowedTools contains "${tool}" without path restrictions — unrestricted shell access`,
|
|
66
|
+
file: '.claude/settings.json',
|
|
67
|
+
fixable: true,
|
|
68
|
+
fixHint: `Replace "${tool}" with specific allowed commands, e.g. "Bash(npm run *)"`,
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
// permissions.allow with wildcards
|
|
75
|
+
const permissions = settings.permissions;
|
|
76
|
+
if (permissions && Array.isArray(permissions.allow)) {
|
|
77
|
+
for (const rule of permissions.allow) {
|
|
78
|
+
if (typeof rule === 'string' && (rule === 'Bash(*)' || rule === '**' || rule.includes('**'))) {
|
|
79
|
+
issues.push({
|
|
80
|
+
severity: 'error',
|
|
81
|
+
message: `permissions.allow contains wildcard "${rule}" — grants broad access`,
|
|
82
|
+
file: '.claude/settings.json',
|
|
83
|
+
fixable: true,
|
|
84
|
+
fixHint: 'Remove wildcard rules and enumerate specific allowed operations',
|
|
85
|
+
});
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
// defaultMode: "bypassPermissions"
|
|
90
|
+
if (settings.defaultMode === 'bypassPermissions') {
|
|
91
|
+
issues.push({
|
|
92
|
+
severity: 'error',
|
|
93
|
+
message: 'defaultMode is "bypassPermissions" — skips all permission checks',
|
|
94
|
+
file: '.claude/settings.json',
|
|
95
|
+
fixable: true,
|
|
96
|
+
fixHint: 'Remove defaultMode or set to "default"',
|
|
97
|
+
});
|
|
98
|
+
}
|
|
99
|
+
// No blockedTools or deny list
|
|
100
|
+
const hasBlockedTools = Array.isArray(settings.blockedTools) && settings.blockedTools.length > 0;
|
|
101
|
+
const hasDenyList = permissions && Array.isArray(permissions.deny) && permissions.deny.length > 0;
|
|
102
|
+
if (!hasBlockedTools && !hasDenyList) {
|
|
103
|
+
issues.push({
|
|
104
|
+
severity: 'warning',
|
|
105
|
+
message: 'No blockedTools or deny list defined — all unlisted tools remain available',
|
|
106
|
+
file: '.claude/settings.json',
|
|
107
|
+
fixable: true,
|
|
108
|
+
fixHint: 'Add blockedTools: ["Bash", "Write"] to restrict dangerous operations',
|
|
109
|
+
});
|
|
110
|
+
}
|
|
111
|
+
// ── B. MCP server configs ────────────────────────────────────────────────
|
|
112
|
+
checkMcpServers(cwd, settings, '.claude/settings.json', issues);
|
|
113
|
+
}
|
|
114
|
+
// ── B. MCP server analysis ─────────────────────────────────────────────────
|
|
115
|
+
function checkMcpServers(cwd, settings, filePath, issues) {
|
|
116
|
+
const mcpServers = settings.mcpServers;
|
|
117
|
+
if (!mcpServers || typeof mcpServers !== 'object')
|
|
118
|
+
return;
|
|
119
|
+
for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
|
|
120
|
+
if (typeof serverConfig !== 'object' || serverConfig === null)
|
|
121
|
+
continue;
|
|
122
|
+
const config = serverConfig;
|
|
123
|
+
// Check server args for filesystem paths
|
|
124
|
+
const args = config.args;
|
|
125
|
+
const isFilesystemServer = (typeof config.command === 'string' && config.command.includes('filesystem')) ||
|
|
126
|
+
(Array.isArray(args) && args.some((a) => typeof a === 'string' && a.includes('filesystem')));
|
|
127
|
+
// Detect if server is read-only
|
|
128
|
+
const isReadOnly = Array.isArray(args) && args.some((a) => typeof a === 'string' && (a === '--read-only' || a === 'readonly' || a === '--readonly'));
|
|
129
|
+
// Collect root paths from args
|
|
130
|
+
const rootPaths = [];
|
|
131
|
+
if (Array.isArray(args)) {
|
|
132
|
+
for (const arg of args) {
|
|
133
|
+
if (typeof arg === 'string' && !arg.startsWith('-') && (arg.startsWith('/') || arg.startsWith('~/') || arg.startsWith('.'))) {
|
|
134
|
+
rootPaths.push(arg);
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
// Also check explicit root config
|
|
139
|
+
if (typeof config.root === 'string') {
|
|
140
|
+
rootPaths.push(config.root);
|
|
141
|
+
}
|
|
142
|
+
if (Array.isArray(config.roots)) {
|
|
143
|
+
for (const r of config.roots) {
|
|
144
|
+
if (typeof r === 'string')
|
|
145
|
+
rootPaths.push(r);
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
if (rootPaths.length === 0) {
|
|
149
|
+
// No path restrictions at all
|
|
150
|
+
issues.push({
|
|
151
|
+
severity: 'warning',
|
|
152
|
+
message: `MCP server "${serverName}" has no explicit path restrictions`,
|
|
153
|
+
file: filePath,
|
|
154
|
+
fixable: true,
|
|
155
|
+
fixHint: `Add root path restriction to "${serverName}" in mcpServers config`,
|
|
156
|
+
});
|
|
157
|
+
continue;
|
|
158
|
+
}
|
|
159
|
+
for (const rootPath of rootPaths) {
|
|
160
|
+
// Check sensitive directory access
|
|
161
|
+
if (isSensitiveDir(rootPath)) {
|
|
162
|
+
issues.push({
|
|
163
|
+
severity: 'error',
|
|
164
|
+
message: `MCP server "${serverName}" has access to sensitive directory: ${rootPath}`,
|
|
165
|
+
file: filePath,
|
|
166
|
+
fixable: true,
|
|
167
|
+
fixHint: `Remove sensitive path "${rootPath}" from MCP server config`,
|
|
168
|
+
});
|
|
169
|
+
continue;
|
|
170
|
+
}
|
|
171
|
+
// Check if root is outside cwd and not read-only
|
|
172
|
+
if (isOutsideCwd(rootPath, cwd) && !isReadOnly) {
|
|
173
|
+
issues.push({
|
|
174
|
+
severity: 'error',
|
|
175
|
+
message: `MCP server "${serverName}" has write access outside project dir: ${rootPath}`,
|
|
176
|
+
file: filePath,
|
|
177
|
+
fixable: true,
|
|
178
|
+
fixHint: `Restrict to project directory or add --read-only flag`,
|
|
179
|
+
});
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
// ── C. CLAUDE.md and AGENTS.md text heuristics ────────────────────────────
|
|
185
|
+
const DANGEROUS_PHRASES = [
|
|
186
|
+
/full\s+access/i,
|
|
187
|
+
/unrestricted/i,
|
|
188
|
+
/\bsudo\b/i,
|
|
189
|
+
/skip\s+confirmation/i,
|
|
190
|
+
/no\s+restrictions/i,
|
|
191
|
+
];
|
|
192
|
+
function checkMarkdownFiles(cwd, issues) {
|
|
193
|
+
for (const filename of ['CLAUDE.md', 'AGENTS.md']) {
|
|
194
|
+
const filePath = join(cwd, filename);
|
|
195
|
+
if (!fileExists(filePath))
|
|
196
|
+
continue;
|
|
197
|
+
const content = readFile(filePath);
|
|
198
|
+
if (!content)
|
|
199
|
+
continue;
|
|
200
|
+
const lines = content.split('\n');
|
|
201
|
+
for (const pattern of DANGEROUS_PHRASES) {
|
|
202
|
+
for (let i = 0; i < lines.length; i++) {
|
|
203
|
+
if (pattern.test(lines[i])) {
|
|
204
|
+
const matchText = lines[i].match(pattern)?.[0] ?? pattern.source;
|
|
205
|
+
issues.push({
|
|
206
|
+
severity: 'warning',
|
|
207
|
+
message: `${filename} contains potentially dangerous instruction: "${matchText.trim()}"`,
|
|
208
|
+
file: filename,
|
|
209
|
+
line: i + 1,
|
|
210
|
+
fixable: false,
|
|
211
|
+
fixHint: `Review line ${i + 1} in ${filename} — ensure it doesn't grant unintended permissions`,
|
|
212
|
+
});
|
|
213
|
+
break; // one issue per pattern per file
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
}
|
|
219
|
+
// ── Main export ────────────────────────────────────────────────────────────
|
|
220
|
+
export function checkPermissions(cwd) {
|
|
221
|
+
const issues = [];
|
|
222
|
+
checkSettingsJson(cwd, issues);
|
|
223
|
+
checkMarkdownFiles(cwd, issues);
|
|
224
|
+
// Score: start at 100, deduct per issue
|
|
225
|
+
let score = 100;
|
|
226
|
+
for (const issue of issues) {
|
|
227
|
+
score = applyPenalty(score, issue.severity);
|
|
228
|
+
}
|
|
229
|
+
const errorCount = issues.filter(i => i.severity === 'error').length;
|
|
230
|
+
const warnCount = issues.filter(i => i.severity === 'warning').length;
|
|
231
|
+
let summary;
|
|
232
|
+
if (issues.length === 0) {
|
|
233
|
+
summary = 'no dangerous permission grants detected';
|
|
234
|
+
}
|
|
235
|
+
else if (errorCount > 0) {
|
|
236
|
+
summary = `${errorCount} dangerous grant${errorCount !== 1 ? 's' : ''} detected — review before running agent`;
|
|
237
|
+
}
|
|
238
|
+
else {
|
|
239
|
+
summary = `${warnCount} permission warning${warnCount !== 1 ? 's' : ''} — tighten config before agent session`;
|
|
240
|
+
}
|
|
241
|
+
return {
|
|
242
|
+
name: 'permissions',
|
|
243
|
+
score,
|
|
244
|
+
maxScore: 100,
|
|
245
|
+
issues,
|
|
246
|
+
summary,
|
|
247
|
+
};
|
|
248
|
+
}
|
package/dist/cli.js
CHANGED
|
@@ -18,6 +18,7 @@ import { checkMemory } from './checks/memory.js';
|
|
|
18
18
|
import { checkVerify } from './checks/verify.js';
|
|
19
19
|
import { checkTests } from './checks/tests.js';
|
|
20
20
|
import { checkMap, renderMapReport } from './checks/map.js';
|
|
21
|
+
import { checkPermissions } from './checks/permissions.js';
|
|
21
22
|
import { score } from './scorer.js';
|
|
22
23
|
import { reportPretty, reportJSON, reportBadge } from './reporter.js';
|
|
23
24
|
const args = process.argv.slice(2);
|
|
@@ -49,6 +50,7 @@ if (flags.has('--help') || flags.has('-h')) {
|
|
|
49
50
|
npx @safetnsr/vet init generate configs + hooks
|
|
50
51
|
npx @safetnsr/vet receipt show last agent session receipt
|
|
51
52
|
npx @safetnsr/vet map [dir] show agent visibility map
|
|
53
|
+
npx @safetnsr/vet permissions [dir] audit Claude Code config for dangerous grants
|
|
52
54
|
|
|
53
55
|
${c.dim}categories:${c.reset}
|
|
54
56
|
security (30%) scan, secrets, config, model usage
|
|
@@ -83,7 +85,7 @@ if (flags.has('--version') || flags.has('-v')) {
|
|
|
83
85
|
}
|
|
84
86
|
process.exit(0);
|
|
85
87
|
}
|
|
86
|
-
const COMMANDS = ['init', 'receipt', 'map'];
|
|
88
|
+
const COMMANDS = ['init', 'receipt', 'map', 'permissions'];
|
|
87
89
|
const command = COMMANDS.includes(positional[0]) ? positional[0] : undefined;
|
|
88
90
|
const cwd = resolve(positional.find(p => !COMMANDS.includes(p)) || '.');
|
|
89
91
|
const isCI = flags.has('--ci');
|
|
@@ -123,6 +125,30 @@ if (command === 'map') {
|
|
|
123
125
|
}
|
|
124
126
|
process.exit(0);
|
|
125
127
|
}
|
|
128
|
+
if (command === 'permissions') {
|
|
129
|
+
const result = checkPermissions(cwd);
|
|
130
|
+
if (isJSON) {
|
|
131
|
+
console.log(JSON.stringify(result, null, 2));
|
|
132
|
+
}
|
|
133
|
+
else {
|
|
134
|
+
console.log(`\n ${c.bold}vet permissions${c.reset} — ${result.summary}\n`);
|
|
135
|
+
console.log(` score: ${result.score}/100\n`);
|
|
136
|
+
if (result.issues.length === 0) {
|
|
137
|
+
console.log(` ${c.green}no issues found${c.reset}\n`);
|
|
138
|
+
}
|
|
139
|
+
else {
|
|
140
|
+
for (const issue of result.issues) {
|
|
141
|
+
const icon = issue.severity === 'error' ? c.red + '✗' : issue.severity === 'warning' ? c.yellow + '⚠' : c.dim + 'i';
|
|
142
|
+
const loc = issue.file ? ` ${c.dim}(${issue.file}${issue.line ? `:${issue.line}` : ''})${c.reset}` : '';
|
|
143
|
+
console.log(` ${icon}${c.reset} ${issue.message}${loc}`);
|
|
144
|
+
if (issue.fixHint)
|
|
145
|
+
console.log(` ${c.dim}→ ${issue.fixHint}${c.reset}`);
|
|
146
|
+
}
|
|
147
|
+
console.log('');
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
process.exit(result.score < 60 ? 1 : 0);
|
|
151
|
+
}
|
|
126
152
|
if (!isGitRepo(cwd)) {
|
|
127
153
|
console.error(`${c.red}not a git repository${c.reset}. vet operates on git repos.`);
|
|
128
154
|
process.exit(1);
|
|
@@ -145,7 +171,7 @@ if (isFix) {
|
|
|
145
171
|
}
|
|
146
172
|
async function runChecks() {
|
|
147
173
|
// Run all checks, grouped into categories
|
|
148
|
-
// Security: scan, secrets, config, models, owasp
|
|
174
|
+
// Security: scan, secrets, config, models, owasp, permissions
|
|
149
175
|
const [scanResult, secretsResult, configResult, modelsResult, owaspResult] = await Promise.all([
|
|
150
176
|
Promise.resolve(checkScan(cwd)),
|
|
151
177
|
checkSecrets(cwd),
|
|
@@ -153,6 +179,7 @@ async function runChecks() {
|
|
|
153
179
|
checkModels(cwd, ignore),
|
|
154
180
|
Promise.resolve(checkOwasp(cwd)),
|
|
155
181
|
]);
|
|
182
|
+
const permissionsResult = checkPermissions(cwd);
|
|
156
183
|
// Integrity: diff, integrity checks
|
|
157
184
|
const diffResult = checkDiff(cwd, { since });
|
|
158
185
|
const integrityResult = await checkIntegrity(cwd, ignore);
|
|
@@ -173,7 +200,7 @@ async function runChecks() {
|
|
|
173
200
|
// Tests: test theater detection
|
|
174
201
|
const testsResult = checkTests(cwd, ignore);
|
|
175
202
|
return score(cwd, {
|
|
176
|
-
security: [scanResult, secretsResult, configResult, modelsResult, owaspResult],
|
|
203
|
+
security: [scanResult, secretsResult, configResult, modelsResult, owaspResult, permissionsResult],
|
|
177
204
|
integrity: [diffResult, integrityResult, receiptResult, memoryResult, verifyResult, testsResult],
|
|
178
205
|
debt: [readyResult, historyResult, debtResult],
|
|
179
206
|
deps: [depsResult],
|