acidtest 0.3.0 → 0.5.0

package/.github/workflows/acidtest-example.yml

@@ -0,0 +1,156 @@
+# Example GitHub Actions workflow for AcidTest
+# This file demonstrates how to use AcidTest in CI/CD pipelines
+# Copy and adapt this to your skill/MCP server repository
+
+name: AcidTest Security Scan
+
+on:
+  pull_request:
+    paths:
+      - '**.ts'
+      - '**.js'
+      - '**/SKILL.md'
+      - '**/mcp.json'
+      - '**/server.json'
+  push:
+    branches: [main]
+
+jobs:
+  # Example 1: Simple scan
+  scan-simple:
+    name: Simple Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run AcidTest
+        run: npx acidtest@latest scan .
+
+  # Example 2: Scan with failure threshold
+  scan-with-threshold:
+    name: Scan with Threshold
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run AcidTest
+        id: acidtest
+        run: |
+          # Run scan and capture output
+          npx acidtest@latest scan . --json > scan-results.json
+
+          # Parse results
+          SCORE=$(jq -r '.score' scan-results.json)
+          STATUS=$(jq -r '.status' scan-results.json)
+
+          echo "score=$SCORE" >> $GITHUB_OUTPUT
+          echo "status=$STATUS" >> $GITHUB_OUTPUT
+
+          # Display results
+          cat scan-results.json | jq '.'
+
+          # Fail if status is FAIL or DANGER
+          if [ "$STATUS" = "FAIL" ] || [ "$STATUS" = "DANGER" ]; then
+            echo "❌ Security scan failed with status: $STATUS (score: $SCORE)"
+            exit 1
+          elif [ "$STATUS" = "WARN" ]; then
+            echo "⚠️  Security scan warning: $STATUS (score: $SCORE)"
+            echo "Review findings before merging"
+          else
+            echo "✅ Security scan passed: $STATUS (score: $SCORE)"
+          fi
+
+      - name: Upload scan results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: acidtest-results
+          path: scan-results.json
+
+  # Example 3: Scan all skills in directory
+  scan-all:
+    name: Scan All Skills
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run AcidTest on all skills
+        run: |
+          npx acidtest@latest scan-all ./skills --json > results.json
+
+          # Check if any skill failed
+          FAILURES=$(jq '[.[] | select(.status == "FAIL" or .status == "DANGER")] | length' results.json)
+
+          if [ "$FAILURES" -gt 0 ]; then
+            echo "❌ $FAILURES skill(s) failed security scan"
+            jq -r '.[] | select(.status == "FAIL" or .status == "DANGER") | "  - \(.skill.name): \(.status) (score: \(.score))"' results.json
+            exit 1
+          else
+            echo "✅ All skills passed security scan"
+          fi
+
+  # Example 4: Comment results on PR (requires GITHUB_TOKEN with write permissions)
+  scan-and-comment:
+    name: Scan and Comment
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run AcidTest
+        id: scan
+        run: |
+          npx acidtest@latest scan . --json > scan-results.json
+
+          SCORE=$(jq -r '.score' scan-results.json)
+          STATUS=$(jq -r '.status' scan-results.json)
+          RECOMMENDATION=$(jq -r '.recommendation' scan-results.json)
+
+          echo "score=$SCORE" >> $GITHUB_OUTPUT
+          echo "status=$STATUS" >> $GITHUB_OUTPUT
+
+          # Create markdown comment
+          cat > comment.md << 'EOF'
+          ## 🛡️ AcidTest Security Scan
+
+          **Score:** $SCORE/100
+          **Status:** $STATUS
+
+          **Recommendation:** $RECOMMENDATION
+
+          <details>
+          <summary>View full results</summary>
+
+          ```json
+          EOF
+
+          cat scan-results.json | jq '.' >> comment.md
+
+          cat >> comment.md << 'EOF'
+          ```
+
+          </details>
+          EOF
+
+      - name: Comment PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const comment = fs.readFileSync('comment.md', 'utf8');
+
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: comment
+            });
+
+      - name: Fail if dangerous
+        if: steps.scan.outputs.status == 'FAIL' || steps.scan.outputs.status == 'DANGER'
+        run: |
+          echo "❌ Security scan failed"
+          exit 1

package/.github/workflows/acidtest-template.yml

@@ -0,0 +1,53 @@
+# AcidTest GitHub Action Template
+# Copy this file to your skill/MCP server repository as .github/workflows/acidtest.yml
+# Automatically scans for security issues on every PR
+
+name: Security Scan
+
+on:
+  pull_request:
+  push:
+    branches: [main, master]
+
+jobs:
+  acidtest:
+    name: AcidTest Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run AcidTest
+        run: |
+          # Install and run AcidTest
+          npx acidtest@latest scan . --json > results.json
+
+          # Parse results
+          SCORE=$(jq -r '.score' results.json)
+          STATUS=$(jq -r '.status' results.json)
+
+          echo "🛡️ AcidTest Results"
+          echo "Score: $SCORE/100"
+          echo "Status: $STATUS"
+          echo ""
+
+          # Display findings
+          jq -r '.findings[] | "  [\(.severity)] \(.title)"' results.json || true
+
+          # Fail on FAIL or DANGER status
+          if [ "$STATUS" = "FAIL" ] || [ "$STATUS" = "DANGER" ]; then
+            echo ""
+            echo "❌ Security scan failed"
+            exit 1
+          fi
+
+          echo ""
+          echo "✅ Security scan passed"
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: acidtest-results
+          path: results.json

package/README.md

@@ -26,7 +26,7 @@ No API keys. No configuration. No Python.
 
 ## Example Output
 ```
-AcidTest v0.3.0
+AcidTest v0.5.0
 
 Scanning: proactive-agent
 Source:   test-skills/proactive-agent-1-2-4-1
@@ -62,7 +62,7 @@ RECOMMENDATION: Do not install. Prompt injection attempt detected.
 - Credential harvesting
 - Permission mismatches
 - Data exfiltration patterns
-- Obfuscated payloads
+- Obfuscated payloads (regex + entropy analysis)
 
 **For MCP Servers:**
 - Dangerous command execution
@@ -76,9 +76,14 @@ RECOMMENDATION: Do not install. Prompt injection attempt detected.
 AcidTest runs four analysis layers:
 1. **Permission Audit**: Analyzes declared permissions (bins, env, tools)
 2. **Prompt Injection Scan**: Detects instruction override attempts (AgentSkills)
-3. **Code Analysis**: AST-based analysis of JavaScript/TypeScript files
+3. **Code Analysis**: AST-based analysis + Shannon entropy detection for obfuscation
 4. **Cross-Reference**: Catches code behavior not matching declared permissions
 
+**Advanced Features:**
+- Entropy analysis detects base64/hex encoding and obfuscated strings
+- Pattern-based detection with 48 security patterns
+- CI/CD integration via GitHub Actions and pre-commit hooks
+
 Works with both SKILL.md (AgentSkills) and MCP manifests (mcp.json, server.json, package.json).
 
 ## Install
@@ -164,6 +169,54 @@ User: "Can you scan this MCP server before I install it?"
 Claude: [Uses acidtest scan_skill tool to analyze the server]
 ```
 
+### Use in CI/CD
+
+Automate security scanning in your GitHub Actions workflows.
+
+#### Quick Setup
+
+Copy this workflow to `.github/workflows/acidtest.yml` in your skill repository:
+
+```yaml
+name: Security Scan
+
+on: [pull_request, push]
+
+jobs:
+  acidtest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx acidtest@latest scan . --json > results.json
+      - run: |
+          STATUS=$(jq -r '.status' results.json)
+          if [ "$STATUS" = "FAIL" ] || [ "$STATUS" = "DANGER" ]; then
+            echo "❌ Security scan failed"
+            exit 1
+          fi
+```
+
+See [`.github/workflows/acidtest-template.yml`](.github/workflows/acidtest-template.yml) for a production-ready template, or [`.github/workflows/acidtest-example.yml`](.github/workflows/acidtest-example.yml) for advanced examples including:
+- Failure thresholds
+- Bulk scanning
+- PR comments
+- Artifact uploads
+
+#### Pre-Commit Hook
+
+Catch issues before committing:
+
+```bash
+# Install pre-commit hook
+curl -o .git/hooks/pre-commit https://raw.githubusercontent.com/currentlycurrently/acidtest/main/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+
+# Now every commit runs AcidTest automatically
+git commit -m "Add new feature"  # Scans before committing
+```
+
+See [`hooks/README.md`](hooks/README.md) for installation options and configuration.
+
 ## Scoring
 
 Starts at 100, deducts by severity (CRITICAL: -25, HIGH: -15, MEDIUM: -8, LOW: -3). Score 80+ is PASS, 50-79 is WARN, 20-49 is FAIL, below 20 is DANGER.

package/dist/index.js

@@ -8,7 +8,7 @@ import { reportToTerminal, reportAsJSON } from "./reporter.js";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 import { spawn } from "child_process";
-const VERSION = "0.3.0";
+const VERSION = "0.5.0";
 /**
  * Main CLI function
  */

package/dist/layers/code.js

@@ -95,6 +95,9 @@ function scanCodeWithAST(codeFile) {
         // Check for suspicious patterns
         const suspiciousFindings = detectSuspiciousPatterns(sourceFile, relativePath);
         findings.push(...suspiciousFindings);
+        // Entropy-based obfuscation detection
+        const entropyFindings = detectHighEntropyStrings(sourceFile, relativePath);
+        findings.push(...entropyFindings);
     }
     catch (error) {
         // If parsing fails, the code might be malformed or obfuscated
@@ -182,6 +185,77 @@ function detectSuspiciousPatterns(sourceFile, filePath) {
     }
     return findings;
 }
+/**
+ * Calculate Shannon entropy of a string
+ * Returns a value between 0 (no randomness) and ~8 (maximum randomness for byte strings)
+ */
+function calculateEntropy(str) {
+    if (str.length === 0)
+        return 0;
+    // Count character frequencies
+    const freq = new Map();
+    for (const char of str) {
+        freq.set(char, (freq.get(char) || 0) + 1);
+    }
+    // Calculate entropy using Shannon formula: -Σ(p * log2(p))
+    let entropy = 0;
+    const length = str.length;
+    for (const count of freq.values()) {
+        const probability = count / length;
+        entropy -= probability * Math.log2(probability);
+    }
+    return entropy;
+}
+/**
+ * Detect high-entropy strings that may indicate obfuscation
+ */
+function detectHighEntropyStrings(sourceFile, filePath) {
+    const findings = [];
+    const ENTROPY_THRESHOLD = 4.5; // Strings above this are suspicious
+    const MIN_LENGTH = 20; // Only check strings longer than this
+    const highEntropyStrings = [];
+    function visit(node) {
+        // Check string literals and template literals
+        if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
+            const text = node.text;
+            // Skip short strings and URLs (already detected elsewhere)
+            if (text.length < MIN_LENGTH) {
+                ts.forEachChild(node, visit);
+                return;
+            }
+            // Skip URLs, they naturally have high entropy
+            if (/^https?:\/\//.test(text)) {
+                ts.forEachChild(node, visit);
+                return;
+            }
+            const entropy = calculateEntropy(text);
+            if (entropy > ENTROPY_THRESHOLD) {
+                const lineNumber = sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
+                highEntropyStrings.push({
+                    text: text.substring(0, 50) + (text.length > 50 ? '...' : ''),
+                    entropy: Math.round(entropy * 100) / 100,
+                    line: lineNumber
+                });
+            }
+        }
+        ts.forEachChild(node, visit);
+    }
+    visit(sourceFile);
+    // Only create a finding if we found high-entropy strings
+    if (highEntropyStrings.length > 0) {
+        const first = highEntropyStrings[0];
+        findings.push({
+            severity: 'MEDIUM',
+            category: 'obfuscation',
+            title: 'High-entropy strings detected',
+            file: filePath,
+            line: first.line,
+            detail: `Found ${highEntropyStrings.length} string(s) with high entropy (>${ENTROPY_THRESHOLD})`,
+            evidence: `Entropy: ${first.entropy}, Example: "${first.text}"`
+        });
+    }
+    return findings;
+}
 /**
  * Find line number for a match in text
  */

package/dist/layers/code.js.map

@@ -1 +1 @@
-{"version":3,"file":"code.js","sourceRoot":"","sources":["../../src/layers/code.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAE5B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEpD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAAY;IACzC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,oCAAoC;IACpC,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO;YACL,KAAK,EAAE,MAAM;YACb,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,mBAAmB,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC3D,MAAM,oBAAoB,GAAG,MAAM,YAAY,CAAC,oBAAoB,CAAC,CAAC;IACtE,MAAM,mBAAmB,GAAG,MAAM,YAAY,CAAC,aAAa,CAAC,CAAC;IAC9D,MAAM,kBAAkB,GAAG,MAAM,YAAY,CAAC,qBAAqB,CAAC,CAAC;IAErE,kCAAkC;IAClC,MAAM,WAAW,GAAG;QAClB,GAAG,gBAAgB;QACnB,GAAG,YAAY;QACf,GAAG,oBAAoB;QACvB,GAAG,mBAAmB;QACtB,GAAG,kBAAkB;KACtB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC;IAElC,sBAAsB;IACtB,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACvC,+BAA+B;QAC/B,MAAM,aAAa,GAAG,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;QAEhC,qBAAqB;QACrB,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAChC,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM;QACb,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAkB,EAAE,QAAe;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,mCAAmC;YACnC,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;YAEvD,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,YAAY;gBAC1C,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,OAAO,CAAC,WAAW,IAAI,kBAAkB,OAAO,CAAC,IAAI,EAAE;gBAC/D,QAAQ,EAAE,SAAS,OAAO,CAAC,MAAM,gBAAgB;gBACjD,SAAS,EAAE,OAAO,CAAC,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,QAAkB;IACzC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,UAAU,GAAG,EAAE,CAAC,gBAAgB,CACpC,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,OAAO,EAChB,EAAE,CAAC,YAAY,CAAC,MAAM,EACtB,IAAI,CACL,CAAC;QAEF,wCAAwC;QACxC,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;QACrC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,4BAA4B;gBACnC,IAAI,EAAE,YAAY;gBAClB,MAAM,EAAE,SAAS,IAAI,CAAC,MAAM,iBAAiB;gBAC7C,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;aACvE,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC9E,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,CAAC;IAEvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8DAA8D;QAC9D,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,qDAAqD;YAC7D,QAAQ,EAAE,2CAA2C;SACtD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,UAAyB;IAC5C,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,0CAA0C,CAAC;IAE9D,SAAS,KAAK,CAAC,IAAa;QAC1B,IAAI,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,+BAA+B,CAAC,IAAI,CAAC,EAAE,CAAC;YACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,CAAC;IAClB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,UAAyB,EAAE,QAAgB;IAC3E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS,KAAK,CAAC,IAAa;QAC1B,yBAAyB;QACzB,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACnC,IAAI,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACtF,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzB,CAAC;YAED,iDAAiD;YACjD,IAAI,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACjE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBAC9B,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,+BAA+B,CAAC,GAAG,CAAC,EAAE,CAAC;wBACzE,MAAM,UAAU,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;wBACtF,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBACnC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,CAAC;IAElB,oCAAoC;IACpC,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,iBAAiB;YAC3B,KAAK,EAAE,4BAA4B;YACnC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC;YACxB,MAAM,EAAE,SAAS,eAAe,CAAC,MAAM,4BAA4B;YACnE,QAAQ,EAAE,4CAA4C;SACvD,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,uBAAuB;YAC9B,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,SAAS,KAAK,CAAC,MAAM,iBAAiB;YAC9C,QAAQ,EAAE,mCAAmC;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,KAAa;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IAElD,OAAO,UAAU,CAAC;AACpB,CAAC"}
+{"version":3,"file":"code.js","sourceRoot":"","sources":["../../src/layers/code.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,YAAY,CAAC;AAE5B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEpD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAAY;IACzC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,oCAAoC;IACpC,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO;YACL,KAAK,EAAE,MAAM;YACb,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,mBAAmB,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC3D,MAAM,oBAAoB,GAAG,MAAM,YAAY,CAAC,oBAAoB,CAAC,CAAC;IACtE,MAAM,mBAAmB,GAAG,MAAM,YAAY,CAAC,aAAa,CAAC,CAAC;IAC9D,MAAM,kBAAkB,GAAG,MAAM,YAAY,CAAC,qBAAqB,CAAC,CAAC;IAErE,kCAAkC;IAClC,MAAM,WAAW,GAAG;QAClB,GAAG,gBAAgB;QACnB,GAAG,YAAY;QACf,GAAG,oBAAoB;QACvB,GAAG,mBAAmB;QACtB,GAAG,kBAAkB;KACtB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC;IAElC,sBAAsB;IACtB,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACvC,+BAA+B;QAC/B,MAAM,aAAa,GAAG,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;QAEhC,qBAAqB;QACrB,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAChC,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM;QACb,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAkB,EAAE,QAAe;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACjC,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,mCAAmC;YACnC,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;YAEvD,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,YAAY;gBAC1C,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,OAAO,CAAC,WAAW,IAAI,kBAAkB,OAAO,CAAC,IAAI,EAAE;gBAC/D,QAAQ,EAAE,SAAS,OAAO,CAAC,MAAM,gBAAgB;gBACjD,SAAS,EAAE,OAAO,CAAC,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,QAAkB;IACzC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,UAAU,GAAG,EAAE,CAAC,gBAAgB,CACpC,QAAQ,CAAC,IAAI,EACb,QAAQ,CAAC,OAAO,EAChB,EAAE,CAAC,YAAY,CAAC,MAAM,EACtB,IAAI,CACL,CAAC;QAEF,wCAAwC;QACxC,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;QACrC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,4BAA4B;gBACnC,IAAI,EAAE,YAAY;gBAClB,MAAM,EAAE,SAAS,IAAI,CAAC,MAAM,iBAAiB;gBAC7C,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;aACvE,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC9E,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,CAAC;QAErC,sCAAsC;QACtC,MAAM,eAAe,GAAG,wBAAwB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAC3E,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;IAEpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8DAA8D;QAC9D,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,2BAA2B;YAClC,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,qDAAqD;YAC7D,QAAQ,EAAE,2CAA2C;SACtD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,UAAyB;IAC5C,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,0CAA0C,CAAC;IAE9D,SAAS,KAAK,CAAC,IAAa;QAC1B,IAAI,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,+BAA+B,CAAC,IAAI,CAAC,EAAE,CAAC;YACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,CAAC;IAClB,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,UAAyB,EAAE,QAAgB;IAC3E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS,KAAK,CAAC,IAAa;QAC1B,yBAAyB;QACzB,IAAI,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACnC,IAAI,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAC9D,MAAM,UAAU,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACtF,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzB,CAAC;YAED,iDAAiD;YACjD,IAAI,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACjE,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;oBAC9B,IAAI,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,+BAA+B,CAAC,GAAG,CAAC,EAAE,CAAC;wBACzE,MAAM,UAAU,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;wBACtF,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBACnC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,CAAC;IAElB,oCAAoC;IACpC,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,iBAAiB;YAC3B,KAAK,EAAE,4BAA4B;YACnC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC;YACxB,MAAM,EAAE,SAAS,eAAe,CAAC,MAAM,4BAA4B;YACnE,QAAQ,EAAE,4CAA4C;SACvD,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,uBAAuB;YAC9B,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,SAAS,KAAK,CAAC,MAAM,iBAAiB;YAC9C,QAAQ,EAAE,mCAAmC;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE/B,8BAA8B;IAC9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,2DAA2D;IAC3D,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAE1B,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;QACnC,OAAO,IAAI,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,UAAyB,EAAE,QAAgB;IAC3E,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,iBAAiB,GAAG,GAAG,CAAC,CAAC,oCAAoC;IACnE,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,sCAAsC;IAC7D,MAAM,kBAAkB,GAA2D,EAAE,CAAC;IAEtF,SAAS,KAAK,CAAC,IAAa;QAC1B,8CAA8C;QAC9C,IAAI,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,+BAA+B,CAAC,IAAI,CAAC,EAAE,CAAC;YACzE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAEvB,2DAA2D;YAC3D,IAAI,IAAI,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;gBAC7B,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,8CAA8C;YAC9C,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAEvC,IAAI,OAAO,GAAG,iBAAiB,EAAE,CAAC;gBAChC,MAAM,UAAU,GAAG,UAAU,CAAC,6BAA6B,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACtF,kBAAkB,CAAC,IAAI,CAAC;oBACtB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC7D,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,GAAG;oBACxC,IAAI,EAAE,UAAU;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,CAAC;IAElB,yDAAyD;IACzD,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,+BAA+B;YACtC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,MAAM,EAAE,SAAS,kBAAkB,CAAC,MAAM,kCAAkC,iBAAiB,GAAG;YAChG,QAAQ,EAAE,YAAY,KAAK,CAAC,OAAO,eAAe,KAAK,CAAC,IAAI,GAAG;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,KAAa;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAEnC,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IAElD,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/mcp-server.js

@@ -7,7 +7,7 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
 import { scanSkill, scanAllSkills } from "./scanner.js";
-const VERSION = "0.3.0";
+const VERSION = "0.5.0";
 /**
  * Create and configure the MCP server
  */

package/dist/scanner.js

@@ -12,7 +12,7 @@ import { scanCode } from "./layers/code.js";
 import { scanCrossReference } from "./layers/crossref.js";
 import { calculateScore, determineStatus, generateRecommendation, } from "./scoring.js";
 import { detectMCPManifest, parseMCPManifest } from "./loaders/mcp-loader.js";
-const VERSION = "0.3.0";
+const VERSION = "0.5.0";
 /**
  * Main scan function
  * Scans a skill directory or SKILL.md file

package/hooks/README.md

@@ -0,0 +1,104 @@
+# AcidTest Git Hooks
+
+Pre-commit hooks to automatically scan your skills/MCP servers for security issues before committing.
+
+## Pre-Commit Hook
+
+Runs AcidTest before each commit to catch security issues early.
+
+### Installation
+
+**Option 1: Copy directly**
+```bash
+cp hooks/pre-commit .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+**Option 2: Download from GitHub**
+```bash
+curl -o .git/hooks/pre-commit https://raw.githubusercontent.com/currentlycurrently/acidtest/main/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+**Option 3: Symlink (for development)**
+```bash
+ln -s ../../hooks/pre-commit .git/hooks/pre-commit
+```
+
+### Behavior
+
+The pre-commit hook will:
+- ✅ Run AcidTest scan on your code
+- ✅ Display score and status
+- ✅ Show CRITICAL and HIGH severity findings
+- ❌ **Block commits** on DANGER status
+- ⚠️  **Warn** on FAIL status (doesn't block by default)
+- ✅ **Pass** on WARN and PASS status
+
+### Configuration
+
+To make the hook **block on FAIL status**, edit `.git/hooks/pre-commit` and uncomment this line:
+
+```bash
+# exit 1  # <- Remove the # to block on FAIL
+```
+
+### Bypassing the Hook
+
+If you need to bypass the pre-commit check (not recommended):
+
+```bash
+git commit --no-verify
+```
+
+### Uninstalling
+
+```bash
+rm .git/hooks/pre-commit
+```
+
+## Example Output
+
+### Clean commit (PASS)
+```
+🛡️  Running AcidTest security scan...
+
+Score:  100/100
+Status: PASS
+
+✅ Security scan passed
+```
+
+### Blocked commit (DANGER)
+```
+🛡️  Running AcidTest security scan...
+
+Score:  0/100
+Status: DANGER
+
+Findings:
+  [CRITICAL] eval() usage detected: Found 2 eval() call(s)
+  [CRITICAL] instruction-override: Attempts to override agent instructions
+
+❌ Commit blocked: DANGER status detected
+   Fix critical security issues before committing
+
+   To bypass this check (NOT recommended):
+   git commit --no-verify
+```
+
+## Troubleshooting
+
+**Hook doesn't run:**
+- Ensure it's executable: `chmod +x .git/hooks/pre-commit`
+- Verify it's in the right location: `.git/hooks/pre-commit`
+
+**"acidtest not found" error:**
+- The hook will automatically use `npx` if acidtest isn't globally installed
+- Or install globally: `npm install -g acidtest`
+
+**"jq: command not found" error:**
+- Install jq:
+  - macOS: `brew install jq`
+  - Ubuntu: `sudo apt install jq`
+  - Or the hook will skip JSON parsing (still runs scan)

package/hooks/pre-commit

@@ -0,0 +1,74 @@
+#!/bin/bash
+# AcidTest Pre-Commit Hook
+#
+# Installation:
+#   1. Copy this file to .git/hooks/pre-commit
+#   2. Make it executable: chmod +x .git/hooks/pre-commit
+#
+# Or use this one-liner:
+#   curl -o .git/hooks/pre-commit https://raw.githubusercontent.com/currentlycurrently/acidtest/main/hooks/pre-commit && chmod +x .git/hooks/pre-commit
+#
+# This hook runs AcidTest before each commit to catch security issues early
+
+set -e
+
+echo "🛡️  Running AcidTest security scan..."
+
+# Check if acidtest is installed
+if ! command -v acidtest &> /dev/null; then
+    echo "⚠️  acidtest not found, using npx..."
+    ACIDTEST_CMD="npx -y acidtest@latest"
+else
+    ACIDTEST_CMD="acidtest"
+fi
+
+# Run scan with JSON output
+$ACIDTEST_CMD scan . --json > /tmp/acidtest-results.json 2>&1 || true
+
+# Parse results
+SCORE=$(jq -r '.score' /tmp/acidtest-results.json 2>/dev/null || echo "0")
+STATUS=$(jq -r '.status' /tmp/acidtest-results.json 2>/dev/null || echo "UNKNOWN")
+
+echo ""
+echo "Score:  $SCORE/100"
+echo "Status: $STATUS"
+
+# Display critical/high findings
+CRITICAL_COUNT=$(jq '[.findings[] | select(.severity == "CRITICAL")] | length' /tmp/acidtest-results.json 2>/dev/null || echo "0")
+HIGH_COUNT=$(jq '[.findings[] | select(.severity == "HIGH")] | length' /tmp/acidtest-results.json 2>/dev/null || echo "0")
+
+if [ "$CRITICAL_COUNT" -gt 0 ] || [ "$HIGH_COUNT" -gt 0 ]; then
+    echo ""
+    echo "Findings:"
+    jq -r '.findings[] | select(.severity == "CRITICAL" or .severity == "HIGH") | "  [\(.severity)] \(.title): \(.detail)"' /tmp/acidtest-results.json 2>/dev/null || true
+fi
+
+echo ""
+
+# Decide whether to block commit
+if [ "$STATUS" = "DANGER" ]; then
+    echo "❌ Commit blocked: DANGER status detected"
+    echo "   Fix critical security issues before committing"
+    echo ""
+    echo "   To bypass this check (NOT recommended):"
+    echo "   git commit --no-verify"
+    exit 1
+elif [ "$STATUS" = "FAIL" ]; then
+    echo "⚠️  Warning: FAIL status detected"
+    echo "   Consider fixing security issues before committing"
+    echo ""
+    echo "   To bypass this check:"
+    echo "   git commit --no-verify"
+    # Uncomment the next line to block commits on FAIL status:
+    # exit 1
+elif [ "$STATUS" = "WARN" ]; then
+    echo "⚠️  Warning: Security concerns detected (score: $SCORE)"
+    echo "   Review findings before pushing"
+else
+    echo "✅ Security scan passed"
+fi
+
+# Cleanup
+rm -f /tmp/acidtest-results.json
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "acidtest",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "type": "module",
   "description": "Security scanner for AI agent skills. Scan before you install.",
   "bin": {
@@ -14,7 +14,9 @@
   },
   "files": [
     "dist",
-    "test-fixtures"
+    "test-fixtures",
+    ".github",
+    "hooks"
   ],
   "keywords": [
     "security",

package/test-fixtures/fixture-entropy/SKILL.md

@@ -0,0 +1,8 @@
+---
+name: entropy-test
+description: Test skill for entropy detection
+---
+
+# Entropy Test Skill
+
+This skill has high-entropy obfuscated strings for testing.

package/test-fixtures/fixture-entropy/handler.ts

@@ -0,0 +1,19 @@
+/**
+ * Test file with obfuscated high-entropy strings
+ */
+
+// This is a normal string - low entropy
+const greeting = "Hello, this is a normal message";
+
+// This is a high-entropy obfuscated string (base64-like)
+const obfuscatedPayload = "U2FsdGVkX1+gkxMjR3uK8vQz0pBz9YxM3Q5hNkR8Qw7X1ZpLmK4vT2sW8dF";
+
+// Another high-entropy string (random characters)
+const suspiciousData = "9xK3mP8qL2zN7vB4tY6wR1jC5hD0fG";
+
+// Base64 encoded malicious code
+const encodedCommand = "ZXZhbChhd2FpdCBmZXRjaCgnaHR0cHM6Ly9ldmlsLmNvbS9wYXlsb2FkLmpzJykudGhlbihyID0+IHIudGV4dCgpKSk=";
+
+export async function run() {
+  console.log("Testing entropy detection");
+}