@sentinel-atl/scanner 0.3.0

package/dist/stc.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Sentinel Trust Certificate (STC) — A signed, verifiable scan result.
+ *
+ * An STC is a cryptographically signed certificate that attests to the
+ * security posture of an MCP server package at a specific point in time.
+ *
+ * Think of it as:
+ * - SSL certificate meets npm audit report
+ * - A "nutrition label" for MCP servers
+ * - Machine-readable trust evidence
+ *
+ * Format:
+ * {
+ *   "@context": "https://sentinel.trust/stc/v1",
+ *   "type": "SentinelTrustCertificate",
+ *   "id": "stc:<hash>",
+ *   "issuedAt": ISO timestamp,
+ *   "expiresAt": ISO timestamp,
+ *   "issuer": { did, name },
+ *   "subject": { packageName, packageVersion, codeHash },
+ *   "trustScore": { overall, grade, breakdown },
+ *   "findings": { critical, high, medium, low, info },
+ *   "permissions": [...],
+ *   "proof": { type: "Ed25519Signature2024", ... }
+ * }
+ */
+import { type KeyProvider } from '@sentinel-atl/core';
+import type { ScanReport, TrustScore } from './scanner.js';
+export interface STCIssuer {
+    did: string;
+    name?: string;
+}
+export interface STCSubject {
+    packageName: string;
+    packageVersion: string;
+    codeHash: string;
+}
+export interface STCFindingSummary {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    info: number;
+    total: number;
+}
+export interface STCProof {
+    type: 'Ed25519Signature2024';
+    created: string;
+    verificationMethod: string;
+    signature: string;
+}
+export interface SentinelTrustCertificate {
+    '@context': 'https://sentinel.trust/stc/v1';
+    type: 'SentinelTrustCertificate';
+    id: string;
+    issuedAt: string;
+    expiresAt: string;
+    issuer: STCIssuer;
+    subject: STCSubject;
+    trustScore: TrustScore;
+    findingSummary: STCFindingSummary;
+    permissions: string[];
+    scannerVersion: string;
+    proof: STCProof;
+}
+export interface STCVerifyResult {
+    valid: boolean;
+    error?: string;
+    certificate?: SentinelTrustCertificate;
+}
+export interface IssueSTCOptions {
+    scanReport: ScanReport;
+    codeHash: string;
+    issuerDid: string;
+    issuerKeyId: string;
+    issuerName?: string;
+    /** Certificate validity in hours (default: 720 = 30 days) */
+    validityHours?: number;
+}
+/**
+ * Issue a Sentinel Trust Certificate from a scan report.
+ */
+export declare function issueSTC(keyProvider: KeyProvider, options: IssueSTCOptions): Promise<SentinelTrustCertificate>;
+/**
+ * Verify a Sentinel Trust Certificate's signature and validity.
+ */
+export declare function verifySTC(certificate: SentinelTrustCertificate): Promise<STCVerifyResult>;
+//# sourceMappingURL=stc.d.ts.map

package/dist/stc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stc.d.ts","sourceRoot":"","sources":["../src/stc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EACL,KAAK,WAAW,EASjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI3D,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,sBAAsB,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,+BAA+B,CAAC;IAC5C,IAAI,EAAE,0BAA0B,CAAC;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,UAAU,CAAC;IACpB,UAAU,EAAE,UAAU,CAAC;IACvB,cAAc,EAAE,iBAAiB,CAAC;IAClC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,QAAQ,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,wBAAwB,CAAC;CACxC;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAID;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,WAAW,EACxB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,wBAAwB,CAAC,CAyDnC;AAID;;GAEG;AACH,wBAAsB,SAAS,CAC7B,WAAW,EAAE,wBAAwB,GACpC,OAAO,CAAC,eAAe,CAAC,CAwB1B"}

package/dist/stc.js

@@ -0,0 +1,115 @@
+/**
+ * Sentinel Trust Certificate (STC) — A signed, verifiable scan result.
+ *
+ * An STC is a cryptographically signed certificate that attests to the
+ * security posture of an MCP server package at a specific point in time.
+ *
+ * Think of it as:
+ * - SSL certificate meets npm audit report
+ * - A "nutrition label" for MCP servers
+ * - Machine-readable trust evidence
+ *
+ * Format:
+ * {
+ *   "@context": "https://sentinel.trust/stc/v1",
+ *   "type": "SentinelTrustCertificate",
+ *   "id": "stc:<hash>",
+ *   "issuedAt": ISO timestamp,
+ *   "expiresAt": ISO timestamp,
+ *   "issuer": { did, name },
+ *   "subject": { packageName, packageVersion, codeHash },
+ *   "trustScore": { overall, grade, breakdown },
+ *   "findings": { critical, high, medium, low, info },
+ *   "permissions": [...],
+ *   "proof": { type: "Ed25519Signature2024", ... }
+ * }
+ */
+import { verify, toBase64Url, fromBase64Url, textToBytes, toHex, hash, didToPublicKey, } from '@sentinel-atl/core';
+// ─── STC Issuance ────────────────────────────────────────────────────
+/**
+ * Issue a Sentinel Trust Certificate from a scan report.
+ */
+export async function issueSTC(keyProvider, options) {
+    const { scanReport, codeHash, issuerDid, issuerKeyId, issuerName, validityHours = 720, } = options;
+    const now = new Date();
+    const expiresAt = new Date(now.getTime() + validityHours * 3600_000);
+    // Count findings by severity
+    const findingSummary = {
+        critical: 0, high: 0, medium: 0, low: 0, info: 0, total: scanReport.findings.length,
+    };
+    for (const f of scanReport.findings) {
+        findingSummary[f.severity]++;
+    }
+    // Build unsigned certificate body
+    const body = {
+        '@context': 'https://sentinel.trust/stc/v1',
+        type: 'SentinelTrustCertificate',
+        id: '', // computed after hashing
+        issuedAt: now.toISOString(),
+        expiresAt: expiresAt.toISOString(),
+        issuer: { did: issuerDid, name: issuerName },
+        subject: {
+            packageName: scanReport.packageName,
+            packageVersion: scanReport.packageVersion,
+            codeHash,
+        },
+        trustScore: scanReport.trustScore,
+        findingSummary,
+        permissions: scanReport.permissions.kinds,
+        scannerVersion: scanReport.scannerVersion,
+    };
+    // Generate deterministic ID from body hash
+    const bodyBytes = textToBytes(JSON.stringify(sortDeep(body)));
+    const bodyHash = toHex(hash(bodyBytes));
+    body.id = `stc:${bodyHash.slice(0, 16)}`;
+    // Sign the canonical body
+    const canonicalBytes = textToBytes(JSON.stringify(sortDeep(body)));
+    const sig = await keyProvider.sign(issuerKeyId, canonicalBytes);
+    const proof = {
+        type: 'Ed25519Signature2024',
+        created: now.toISOString(),
+        verificationMethod: `${issuerDid}#key-0`,
+        signature: toBase64Url(sig),
+    };
+    return { ...body, proof };
+}
+// ─── STC Verification ────────────────────────────────────────────────
+/**
+ * Verify a Sentinel Trust Certificate's signature and validity.
+ */
+export async function verifySTC(certificate) {
+    try {
+        // Check expiry
+        if (new Date(certificate.expiresAt) < new Date()) {
+            return { valid: false, error: 'Certificate has expired' };
+        }
+        // Extract the body (everything except proof)
+        const { proof, ...body } = certificate;
+        // Reconstruct canonical form and verify signature
+        const canonicalBytes = textToBytes(JSON.stringify(sortDeep(body)));
+        const sigBytes = fromBase64Url(proof.signature);
+        const publicKey = didToPublicKey(certificate.issuer.did);
+        const isValid = await verify(sigBytes, canonicalBytes, publicKey);
+        if (!isValid) {
+            return { valid: false, error: 'Invalid certificate signature' };
+        }
+        return { valid: true, certificate };
+    }
+    catch (e) {
+        return { valid: false, error: `Verification failed: ${e.message}` };
+    }
+}
+// ─── Helpers ─────────────────────────────────────────────────────────
+function sortDeep(value) {
+    if (Array.isArray(value))
+        return value.map(sortDeep);
+    if (value !== null && typeof value === 'object') {
+        const sorted = {};
+        for (const key of Object.keys(value).sort()) {
+            sorted[key] = sortDeep(value[key]);
+        }
+        return sorted;
+    }
+    return value;
+}
+//# sourceMappingURL=stc.js.map

package/dist/stc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stc.js","sourceRoot":"","sources":["../src/stc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAGL,MAAM,EACN,WAAW,EACX,aAAa,EACb,WAAW,EACX,KAAK,EACL,IAAI,EACJ,cAAc,GACf,MAAM,oBAAoB,CAAC;AA+D5B,wEAAwE;AAExE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAwB,EACxB,OAAwB;IAExB,MAAM,EACJ,UAAU,EACV,QAAQ,EACR,SAAS,EACT,WAAW,EACX,UAAU,EACV,aAAa,GAAG,GAAG,GACpB,GAAG,OAAO,CAAC;IAEZ,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC,CAAC;IAErE,6BAA6B;IAC7B,MAAM,cAAc,GAAsB;QACxC,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,MAAM;KACpF,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACpC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC/B,CAAC;IAED,kCAAkC;IAClC,MAAM,IAAI,GAAG;QACX,UAAU,EAAE,+BAAwC;QACpD,IAAI,EAAE,0BAAmC;QACzC,EAAE,EAAE,EAAE,EAAE,yBAAyB;QACjC,QAAQ,EAAE,GAAG,CAAC,WAAW,EAAE;QAC3B,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;QAClC,MAAM,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE;QAC5C,OAAO,EAAE;YACP,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,cAAc,EAAE,UAAU,CAAC,cAAc;YACzC,QAAQ;SACT;QACD,UAAU,EAAE,UAAU,CAAC,UAAU;QACjC,cAAc;QACd,WAAW,EAAE,UAAU,CAAC,WAAW,CAAC,KAAK;QACzC,cAAc,EAAE,UAAU,CAAC,cAAc;KAC1C,CAAC;IAEF,2CAA2C;IAC3C,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC,EAAE,GAAG,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAEzC,0BAA0B;IAC1B,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAEhE,MAAM,KAAK,GAAa;QACtB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,GAAG,CAAC,WAAW,EAAE;QAC1B,kBAAkB,EAAE,GAAG,SAAS,QAAQ;QACxC,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC;KAC5B,CAAC;IAEF,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,WAAqC;IAErC,IAAI,CAAC;QACH,eAAe;QACf,IAAI,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACjD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC5D,CAAC;QAED,6CAA6C;QAC7C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,EAAE,GAAG,WAAW,CAAC;QAEvC,kDAAkD;QAClD,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;QAElE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAClE,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAyB,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;IACjF,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACrD,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAgC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACvE,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAE,KAAiC,CAAC,GAAG,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/tool-prober.d.ts

@@ -0,0 +1,46 @@
+/**
+ * MCP Tool Prober — connects to an MCP server and discovers its tool declarations.
+ *
+ * Starts the server in a sandboxed subprocess and calls `tools/list`
+ * to enumerate what tools the server exposes. This is runtime analysis
+ * that complements the static code scanning.
+ */
+import type { Finding } from './scanner.js';
+export interface MCPTool {
+    name: string;
+    description?: string;
+    inputSchema?: Record<string, unknown>;
+}
+export interface ToolProbeResult {
+    /** Whether the probe succeeded */
+    success: boolean;
+    /** Error message if probe failed */
+    error?: string;
+    /** Server name from initialize response */
+    serverName?: string;
+    /** Server version from initialize response */
+    serverVersion?: string;
+    /** Discovered tools */
+    tools: MCPTool[];
+    /** Findings from tool analysis */
+    findings: Finding[];
+    /** Probe duration in ms */
+    durationMs: number;
+}
+export interface ProbeOptions {
+    /** Command to start the MCP server (e.g., "node dist/index.js") */
+    command: string;
+    /** Arguments to pass to the command */
+    args?: string[];
+    /** Working directory */
+    cwd?: string;
+    /** Timeout for the entire probe in ms (default: 15000) */
+    timeoutMs?: number;
+    /** Environment variables to set */
+    env?: Record<string, string>;
+}
+/**
+ * Probe an MCP server to discover its tools.
+ */
+export declare function probeTools(options: ProbeOptions): Promise<ToolProbeResult>;
+//# sourceMappingURL=tool-prober.d.ts.map

package/dist/tool-prober.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-prober.d.ts","sourceRoot":"","sources":["../src/tool-prober.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAI5C,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,uBAAuB;IACvB,KAAK,EAAE,OAAO,EAAE,CAAC;IACjB,kCAAkC;IAClC,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,wBAAwB;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAoBD;;GAEG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,CA4IhF"}

package/dist/tool-prober.js

@@ -0,0 +1,158 @@
+/**
+ * MCP Tool Prober — connects to an MCP server and discovers its tool declarations.
+ *
+ * Starts the server in a sandboxed subprocess and calls `tools/list`
+ * to enumerate what tools the server exposes. This is runtime analysis
+ * that complements the static code scanning.
+ */
+import { spawn } from 'node:child_process';
+import { createInterface } from 'node:readline';
+import { randomUUID } from 'node:crypto';
+// ─── Suspicious tool patterns ─────────────────────────────────────────
+const SUSPICIOUS_TOOL_NAMES = [
+    /exec/i, /shell/i, /command/i, /run_code/i, /system/i,
+    /eval/i, /upload/i, /download/i, /delete_all/i, /drop/i,
+    /admin/i, /root/i, /sudo/i, /install/i, /uninstall/i,
+];
+const DANGEROUS_TOOL_DESCRIPTIONS = [
+    /execut(?:e|ing)\s+(?:arbitrary|any|shell|system)/i,
+    /run\s+(?:any|arbitrary|shell)/i,
+    /delete\s+(?:all|everything|any)/i,
+    /access\s+(?:all|any)\s+files/i,
+    /modify\s+system/i,
+];
+// ─── Prober ───────────────────────────────────────────────────────────
+/**
+ * Probe an MCP server to discover its tools.
+ */
+export async function probeTools(options) {
+    const start = Date.now();
+    const timeoutMs = options.timeoutMs ?? 15_000;
+    const findings = [];
+    let child = null;
+    try {
+        // Start the server process
+        child = spawn(options.command, options.args ?? [], {
+            cwd: options.cwd,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: { ...process.env, ...options.env },
+            timeout: timeoutMs,
+        });
+        const reader = createInterface({ input: child.stdout });
+        // Helper: send JSON-RPC message and wait for response
+        const sendRequest = (method, params) => {
+            return new Promise((resolve, reject) => {
+                const id = randomUUID();
+                const msg = JSON.stringify({ jsonrpc: '2.0', id, method, params }) + '\n';
+                const timeout = setTimeout(() => {
+                    cleanup();
+                    reject(new Error(`Request timed out: ${method}`));
+                }, Math.min(timeoutMs, 10_000));
+                const onLine = (line) => {
+                    try {
+                        const resp = JSON.parse(line);
+                        if (resp.id === id) {
+                            cleanup();
+                            if (resp.error) {
+                                reject(new Error(resp.error.message ?? 'RPC error'));
+                            }
+                            else {
+                                resolve(resp.result);
+                            }
+                        }
+                    }
+                    catch {
+                        // Not our response
+                    }
+                };
+                const cleanup = () => {
+                    clearTimeout(timeout);
+                    reader.removeListener('line', onLine);
+                };
+                reader.on('line', onLine);
+                child.stdin.write(msg);
+            });
+        };
+        // Step 1: Initialize
+        const initResult = await sendRequest('initialize', {
+            protocolVersion: '2024-11-05',
+            capabilities: {},
+            clientInfo: { name: 'sentinel-prober', version: '0.3.0' },
+        });
+        const serverName = initResult?.serverInfo?.name;
+        const serverVersion = initResult?.serverInfo?.version;
+        // Send initialized notification
+        child.stdin.write(JSON.stringify({ jsonrpc: '2.0', method: 'notifications/initialized' }) + '\n');
+        // Step 2: List tools
+        const toolsResult = await sendRequest('tools/list', {});
+        const tools = (toolsResult?.tools ?? []).map((t) => ({
+            name: t.name,
+            description: t.description,
+            inputSchema: t.inputSchema,
+        }));
+        // Step 3: Analyze tool declarations for suspicious patterns
+        for (const tool of tools) {
+            for (const pattern of SUSPICIOUS_TOOL_NAMES) {
+                if (pattern.test(tool.name)) {
+                    findings.push({
+                        severity: 'high',
+                        category: 'dangerous-pattern',
+                        title: `Suspicious tool name: "${tool.name}"`,
+                        description: `Tool "${tool.name}" has a name matching a dangerous pattern (${pattern.source})`,
+                    });
+                    break;
+                }
+            }
+            if (tool.description) {
+                for (const pattern of DANGEROUS_TOOL_DESCRIPTIONS) {
+                    if (pattern.test(tool.description)) {
+                        findings.push({
+                            severity: 'high',
+                            category: 'dangerous-pattern',
+                            title: `Dangerous tool description: "${tool.name}"`,
+                            description: `Tool "${tool.name}" description suggests dangerous capabilities: ${tool.description.slice(0, 100)}`,
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+        // Many tools is itself a code smell
+        if (tools.length > 50) {
+            findings.push({
+                severity: 'medium',
+                category: 'dangerous-pattern',
+                title: `Excessive tool count: ${tools.length} tools`,
+                description: 'Servers with many tools may have an overly broad attack surface',
+            });
+        }
+        return {
+            success: true,
+            serverName,
+            serverVersion,
+            tools,
+            findings,
+            durationMs: Date.now() - start,
+        };
+    }
+    catch (err) {
+        return {
+            success: false,
+            error: err.message,
+            tools: [],
+            findings,
+            durationMs: Date.now() - start,
+        };
+    }
+    finally {
+        if (child && !child.killed) {
+            child.kill('SIGTERM');
+            // Force kill after 2s
+            setTimeout(() => {
+                if (child && !child.killed)
+                    child.kill('SIGKILL');
+            }, 2000);
+        }
+    }
+}
+//# sourceMappingURL=tool-prober.js.map

package/dist/tool-prober.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-prober.js","sourceRoot":"","sources":["../src/tool-prober.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAyCzC,yEAAyE;AAEzE,MAAM,qBAAqB,GAAG;IAC5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS;IACrD,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO;IACvD,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY;CACrD,CAAC;AAEF,MAAM,2BAA2B,GAAG;IAClC,mDAAmD;IACnD,gCAAgC;IAChC,kCAAkC;IAClC,+BAA+B;IAC/B,kBAAkB;CACnB,CAAC;AAEF,yEAAyE;AAEzE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAqB;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,IAAI,KAAK,GAAwB,IAAI,CAAC;IAEtC,IAAI,CAAC;QACH,2BAA2B;QAC3B,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,IAAI,EAAE,EAAE;YACjD,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE;YACvC,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,MAAO,EAAE,CAAC,CAAC;QAEzD,sDAAsD;QACtD,MAAM,WAAW,GAAG,CAAC,MAAc,EAAE,MAAgC,EAAgB,EAAE;YACrF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC;gBAE1E,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC9B,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC,CAAC;gBACpD,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;gBAEhC,MAAM,MAAM,GAAG,CAAC,IAAY,EAAE,EAAE;oBAC9B,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAC9B,IAAI,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;4BACnB,OAAO,EAAE,CAAC;4BACV,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gCACf,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,WAAW,CAAC,CAAC,CAAC;4BACvD,CAAC;iCAAM,CAAC;gCACN,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4BACvB,CAAC;wBACH,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,mBAAmB;oBACrB,CAAC;gBACH,CAAC,CAAC;gBAEF,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,YAAY,CAAC,OAAO,CAAC,CAAC;oBACtB,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACxC,CAAC,CAAC;gBAEF,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC1B,KAAM,CAAC,KAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,qBAAqB;QACrB,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE;YACjD,eAAe,EAAE,YAAY;YAC7B,YAAY,EAAE,EAAE;YAChB,UAAU,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,OAAO,EAAE;SAC1D,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC;QAChD,MAAM,aAAa,GAAG,UAAU,EAAE,UAAU,EAAE,OAAO,CAAC;QAEtD,gCAAgC;QAChC,KAAK,CAAC,KAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAEnG,qBAAqB;QACrB,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACxD,MAAM,KAAK,GAAc,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;YACnE,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC,CAAC;QAEJ,4DAA4D;QAC5D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;gBAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,mBAAmB;wBAC7B,KAAK,EAAE,0BAA0B,IAAI,CAAC,IAAI,GAAG;wBAC7C,WAAW,EAAE,SAAS,IAAI,CAAC,IAAI,8CAA8C,OAAO,CAAC,MAAM,GAAG;qBAC/F,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;oBAClD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBACnC,QAAQ,CAAC,IAAI,CAAC;4BACZ,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,mBAAmB;4BAC7B,KAAK,EAAE,gCAAgC,IAAI,CAAC,IAAI,GAAG;4BACnD,WAAW,EAAE,SAAS,IAAI,CAAC,IAAI,kDAAkD,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;yBAClH,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACtB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,mBAAmB;gBAC7B,KAAK,EAAE,yBAAyB,KAAK,CAAC,MAAM,QAAQ;gBACpD,WAAW,EAAE,iEAAiE;aAC/E,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,UAAU;YACV,aAAa;YACb,KAAK;YACL,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAG,GAAa,CAAC,OAAO;YAC7B,KAAK,EAAE,EAAE;YACT,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtB,sBAAsB;YACtB,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpD,CAAC,EAAE,IAAI,CAAC,CAAC;QACX,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/trust-score.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Trust score computation — converts raw findings into a 0-100 score.
+ *
+ * Weights:
+ * - Dependencies (25%): vulnerability count and severity
+ * - Code-Patterns (30%): dangerous patterns and obfuscation
+ * - Permissions (25%): scope of system access
+ * - Publisher (20%): npm registry identity verification
+ */
+import type { Finding } from './scanner.js';
+import type { DependencyScanResult } from './dependency-scanner.js';
+import type { PatternScanResult } from './pattern-scanner.js';
+import type { PermissionScanResult } from './permission-scanner.js';
+import type { PublisherScanResult } from './publisher-scanner.js';
+export interface ScoreBreakdown {
+    /** 0-100 score for dependency health */
+    dependencies: number;
+    /** 0-100 score for code patterns */
+    codePatterns: number;
+    /** 0-100 score for permission scope */
+    permissions: number;
+    /** 0-100 score for publisher identity */
+    publisher: number;
+}
+export declare function computeTrustScore(findings: Finding[], deps: DependencyScanResult, patterns: PatternScanResult, permissions: PermissionScanResult, publisher?: PublisherScanResult): ScoreBreakdown;
+//# sourceMappingURL=trust-score.d.ts.map

package/dist/trust-score.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-score.d.ts","sourceRoot":"","sources":["../src/trust-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAElE,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,YAAY,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB;AAUD,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,OAAO,EAAE,EACnB,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,iBAAiB,EAC3B,WAAW,EAAE,oBAAoB,EACjC,SAAS,CAAC,EAAE,mBAAmB,GAC9B,cAAc,CAOhB"}

package/dist/trust-score.js

@@ -0,0 +1,65 @@
+/**
+ * Trust score computation — converts raw findings into a 0-100 score.
+ *
+ * Weights:
+ * - Dependencies (25%): vulnerability count and severity
+ * - Code-Patterns (30%): dangerous patterns and obfuscation
+ * - Permissions (25%): scope of system access
+ * - Publisher (20%): npm registry identity verification
+ */
+const SEVERITY_PENALTIES = {
+    critical: 30,
+    high: 20,
+    medium: 10,
+    low: 5,
+    info: 1,
+};
+export function computeTrustScore(findings, deps, patterns, permissions, publisher) {
+    return {
+        dependencies: computeDependencyScore(deps),
+        codePatterns: computePatternScore(patterns),
+        permissions: computePermissionScore(permissions),
+        publisher: publisher?.score ?? 50,
+    };
+}
+function computeDependencyScore(deps) {
+    if (deps.vulnerabilities.length === 0)
+        return 100;
+    let penalty = 0;
+    for (const vuln of deps.vulnerabilities) {
+        const sev = vuln.severity === 'moderate' ? 'medium' : vuln.severity;
+        penalty += SEVERITY_PENALTIES[sev] ?? 5;
+    }
+    return Math.max(0, 100 - penalty);
+}
+function computePatternScore(patterns) {
+    if (patterns.findings.length === 0)
+        return 100;
+    let penalty = 0;
+    for (const finding of patterns.findings) {
+        penalty += SEVERITY_PENALTIES[finding.severity] ?? 5;
+    }
+    return Math.max(0, 100 - penalty);
+}
+function computePermissionScore(permissions) {
+    // Base score starts at 100, penalize for each permission kind + detections
+    let penalty = 0;
+    const kindPenalties = {
+        process: 25,
+        network: 15,
+        native: 20,
+        filesystem: 10,
+        environment: 5,
+        crypto: 0, // crypto is usually fine
+    };
+    for (const kind of permissions.kinds) {
+        penalty += kindPenalties[kind] ?? 5;
+    }
+    // Additional penalty for high number of detections
+    if (permissions.detections.length > 20)
+        penalty += 10;
+    if (permissions.detections.length > 50)
+        penalty += 10;
+    return Math.max(0, 100 - penalty);
+}
+//# sourceMappingURL=trust-score.js.map

package/dist/trust-score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-score.js","sourceRoot":"","sources":["../src/trust-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAmBH,MAAM,kBAAkB,GAA2B;IACjD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAC/B,QAAmB,EACnB,IAA0B,EAC1B,QAA2B,EAC3B,WAAiC,EACjC,SAA+B;IAE/B,OAAO;QACL,YAAY,EAAE,sBAAsB,CAAC,IAAI,CAAC;QAC1C,YAAY,EAAE,mBAAmB,CAAC,QAAQ,CAAC;QAC3C,WAAW,EAAE,sBAAsB,CAAC,WAAW,CAAC;QAChD,SAAS,EAAE,SAAS,EAAE,KAAK,IAAI,EAAE;KAClC,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,IAA0B;IACxD,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAElD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;QACpE,OAAO,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,QAA2B;IACtD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAE/C,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACxC,OAAO,IAAI,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAiC;IAC/D,2EAA2E;IAC3E,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,MAAM,aAAa,GAA2B;QAC5C,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,EAAE;QACX,MAAM,EAAE,EAAE;QACV,UAAU,EAAE,EAAE;QACd,WAAW,EAAE,CAAC;QACd,MAAM,EAAE,CAAC,EAAE,yBAAyB;KACrC,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,KAAK,EAAE,CAAC;QACrC,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,mDAAmD;IACnD,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,EAAE,CAAC;IACtD,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,EAAE,CAAC;IAEtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;AACpC,CAAC"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@sentinel-atl/scanner",
+  "version": "0.3.0",
+  "description": "MCP server security scanner — npm audit meets AI agent trust verification",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "lint": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@sentinel-atl/core": "*",
+    "@sentinel-atl/attestation": "*"
+  },
+  "devDependencies": {
+    "vitest": "^3.2.4",
+    "typescript": "^5.7.0",
+    "@types/node": "^20.0.0"
+  },
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sentinel-atl/project-sentinel.git",
+    "directory": "packages/scanner"
+  },
+  "keywords": [
+    "mcp",
+    "security",
+    "scanner",
+    "trust",
+    "ai-agent",
+    "verification",
+    "audit"
+  ],
+  "homepage": "https://github.com/sentinel-atl/project-sentinel#readme",
+  "bugs": {
+    "url": "https://github.com/sentinel-atl/project-sentinel/issues"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ]
+}