agent-mcp-guard 0.4.6 → 0.4.8

package/README.md

@@ -19,7 +19,7 @@ Live demo PR: [mcp-guard-demo#1](https://github.com/ChaoYue0307/mcp-guard-demo/p
   <a href="https://github.com/marketplace/actions/mcp-guard-mcp-security-scanner"><img alt="GitHub Marketplace" src="https://img.shields.io/badge/Marketplace-mcp--guard-0f766e?logo=github"></a>
   <a href="https://github.com/ChaoYue0307/mcp-guard/actions"><img alt="CI" src="https://github.com/ChaoYue0307/mcp-guard/actions/workflows/ci.yml/badge.svg"></a>
   <a href="LICENSE"><img alt="License" src="https://img.shields.io/badge/license-Apache--2.0-111827"></a>
-  <a href="https://github.com/ChaoYue0307/mcp-guard/releases/tag/v0.4.6"><img alt="Release" src="https://img.shields.io/github/v/release/ChaoYue0307/mcp-guard?color=7c2d12"></a>
+  <a href="https://github.com/ChaoYue0307/mcp-guard/releases/tag/v0.4.8"><img alt="Release" src="https://img.shields.io/github/v/release/ChaoYue0307/mcp-guard?color=7c2d12"></a>
 </p>
 
 ## Install
@@ -69,6 +69,7 @@ Generate a review-ready audit pack:
 
 ```bash
 mcp-guard audit --config .mcp.json --policy .mcp-guard-policy.json --output-dir mcp-guard-audit
+mcp-guard verify-audit --manifest mcp-guard-audit/mcp-guard-audit-manifest.json
 ```
 
 Use in CI:
@@ -93,7 +94,7 @@ mcp-guard scan --config .mcp.json --baseline .mcp-guard-baseline.json --fail-on
 Use the GitHub Action:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     # policy: .mcp-guard-policy.json
@@ -117,8 +118,9 @@ Use the transparent example to evaluate what the scanner actually does:
 - generated audit summary: [site/e2e/audit/mcp-guard-executive-summary.md](site/e2e/audit/mcp-guard-executive-summary.md)
 - generated remediation plan: [site/e2e/audit/mcp-guard-remediation.md](site/e2e/audit/mcp-guard-remediation.md)
 - generated remediation checklist: [site/e2e/audit/mcp-guard-remediation-checklist.md](site/e2e/audit/mcp-guard-remediation-checklist.md)
+- generated audit manifest: [site/e2e/audit/mcp-guard-audit-manifest.json](site/e2e/audit/mcp-guard-audit-manifest.json)
 
-The example scans 3 MCP servers and reports 9 active findings with a risk score of 98. It is synthetic, but fully reproducible from committed files.
+The example scans 3 MCP servers and reports 9 active findings with a risk score of 98. It is synthetic, but fully reproducible from committed files. The audit manifest can be verified with `mcp-guard verify-audit` to confirm the generated reports still match their recorded SHA-256 hashes.
 
 For the GitHub Action workflow, inspect the public demo repository: [ChaoYue0307/mcp-guard-demo](https://github.com/ChaoYue0307/mcp-guard-demo).
 
@@ -152,7 +154,7 @@ For paid setup or internal review handoff, `mcp-guard audit` writes a complete e
 - remediation plan grouped by MCP server;
 - remediation checklist for PR or handoff tracking;
 - Markdown, HTML, JSON, and SARIF reports;
-- machine-readable audit manifest.
+- machine-readable audit manifest with artifact hashes and a CLI verifier.
 
 For stricter governance, commit `.mcp-guard-policy.json` and define the commands, remote packages, filesystem roots, and remote MCP endpoints the team has approved. See [Policy files](docs/policy.md).
 

package/docs/audit.md

@@ -26,6 +26,14 @@ Use `--fail-on` in CI when the audit should write artifacts and then fail on act
 mcp-guard audit --config .mcp.json --fail-on high
 ```
 
+Verify the audit pack before handoff or after downloading a CI artifact:
+
+```bash
+mcp-guard verify-audit --manifest mcp-guard-audit/mcp-guard-audit-manifest.json
+```
+
+`verify-audit` recalculates every recorded artifact size and SHA-256 hash. It exits `0` when the pack still matches the manifest and exits `2` when a report is missing or changed.
+
 ## Generated Files
 
 | File | Purpose |
@@ -37,7 +45,7 @@ mcp-guard audit --config .mcp.json --fail-on high
 | `mcp-guard-report.html` | Readable HTML report for review artifacts. |
 | `mcp-guard-report.json` | Redacted machine-readable report for automation. |
 | `mcp-guard.sarif` | SARIF 2.1.0 report for GitHub code scanning. |
-| `mcp-guard-audit-manifest.json` | Manifest listing status, summary, policy/baseline context, and file paths. |
+| `mcp-guard-audit-manifest.json` | Manifest listing status, summary, policy/baseline context, file paths, SHA-256 hashes, and artifact sizes. |
 
 ## Review Flow
 
@@ -46,7 +54,8 @@ mcp-guard audit --config .mcp.json --fail-on high
 3. Work through `mcp-guard-remediation.md` with the engineering team.
 4. Track concrete work in `mcp-guard-remediation-checklist.md`.
 5. Use `mcp-guard-report.html` for readable evidence and `mcp-guard-report.json` or `mcp-guard.sarif` for automation.
-6. Commit a reviewed policy and baseline only after the team has decided what risk is intentionally accepted.
+6. Run `mcp-guard verify-audit --manifest mcp-guard-audit/mcp-guard-audit-manifest.json` when you need to prove an audit artifact has not changed.
+7. Commit a reviewed policy and baseline only after the team has decided what risk is intentionally accepted.
 
 ## Privacy
 

package/docs/baseline.md

@@ -30,7 +30,7 @@ If the scan finds only baseline-accepted findings, the exit code is `0`. If a ne
 ## GitHub Action
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json
@@ -45,7 +45,7 @@ The generated Markdown, HTML, JSON, and PR comment separate active findings from
 {
   "version": 1,
   "generatedAt": "2026-05-10T00:00:00.000Z",
-  "toolVersion": "0.4.6",
+  "toolVersion": "0.4.8",
   "findings": [
     {
       "fingerprint": "mcpg_a009b2c2",

package/docs/business-playbook.md

@@ -17,7 +17,7 @@ Deliverables:
 - install the CLI and GitHub Action;
 - run `mcp-guard init` or generate an equivalent workflow manually;
 - generate Markdown, HTML, JSON, and SARIF reports;
-- generate a customer handoff audit pack with executive summary, remediation plan, remediation checklist, reports, and manifest;
+- generate a customer handoff audit pack with executive summary, remediation plan, remediation checklist, reports, hashed manifest, and verifier output;
 - define an initial `.mcp-guard-policy.json` for approved commands, packages, directories, and remote URLs;
 - create an initial baseline for accepted known findings;
 - enable PR comments and optional SARIF upload;

package/docs/examples/e2e-example.md

@@ -24,6 +24,7 @@ node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --form
 node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format json --output site/e2e/report.json
 node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format sarif --output site/e2e/report.sarif
 node ./bin/mcp-guard.js audit --config site/e2e/claude_desktop_config.json --output-dir site/e2e/audit
+node ./bin/mcp-guard.js verify-audit --manifest site/e2e/audit/mcp-guard-audit-manifest.json
 ```
 
 ## Expected Result
@@ -63,3 +64,4 @@ Important findings include:
 - Secret-like values are redacted in reports.
 - Findings include rule IDs, severity, evidence, and remediation guidance.
 - The same scan can feed a human-readable HTML report, automation JSON, GitHub code scanning SARIF, and a review-ready audit handoff package with a remediation checklist.
+- The audit handoff can be verified later because the manifest records SHA-256 hashes and byte sizes for each generated report.

package/docs/github-action.md

@@ -2,10 +2,12 @@
 
 Use the `mcp-guard` action to scan MCP and AI agent tool configuration in pull requests and CI.
 
-The action runs the CLI from the pinned GitHub Action tag, generates an audit pack with Markdown, HTML, JSON, SARIF, remediation, checklist, and manifest files, writes a job summary, uploads reports as an artifact, and fails the job when findings meet your selected severity threshold.
+The action runs the CLI from the pinned GitHub Action tag, generates an audit pack with Markdown, HTML, JSON, SARIF, remediation, checklist, and hashed manifest files, writes a job summary, uploads reports as an artifact, and fails the job when findings meet your selected severity threshold.
 
 It can also use a committed baseline to accept known findings, enforce a committed policy file, and optionally post a pull request comment with only the active findings.
 
+After downloading the artifact, run `mcp-guard verify-audit --manifest mcp-guard-report/mcp-guard-audit-manifest.json` to confirm the generated reports still match the manifest hashes.
+
 If `.mcp-guard-policy.json` is committed at the repository root, the CLI auto-loads it. Use the `policy` input when the policy file lives elsewhere.
 
 Marketplace/action repository: <https://github.com/ChaoYue0307/mcp-guard-action>
@@ -37,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.6
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.8
         with:
           config: .mcp.json
           fail-on: high
@@ -65,7 +67,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.6
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.8
         with:
           config: .mcp.json
           fail-on: high
@@ -77,7 +79,7 @@ jobs:
 Use `fail-on: none` when you want artifacts and summaries without blocking a pull request.
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     fail-on: none
 ```
@@ -93,7 +95,7 @@ mcp-guard scan --config .mcp.json --write-baseline .mcp-guard-baseline.json
 Commit `.mcp-guard-baseline.json`, then reference it from the action:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json
@@ -107,7 +109,7 @@ Reports will show active findings separately from findings accepted by the basel
 Use a policy when you want CI to enforce approved commands, packages, directories, and remote URLs.
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     policy: .mcp-guard-policy.json

package/docs/launch-checklist.md

@@ -32,12 +32,13 @@ mcp-guard scan --config .mcp.json --fail-on high
 
 ```bash
 mcp-guard audit --config .mcp.json --policy .mcp-guard-policy.json --output-dir mcp-guard-audit
+mcp-guard verify-audit --manifest mcp-guard-audit/mcp-guard-audit-manifest.json
 ```
 
 ## GitHub Action Setup
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json

package/docs/marketplace-action-readme.md

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.6
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.8
         with:
           config: .mcp.json
           fail-on: high
@@ -42,7 +42,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.6
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.8
         with:
           config: .mcp.json
           fail-on: high
@@ -88,7 +88,7 @@ The action generates an audit pack:
 - SARIF 2.1.0 for GitHub code scanning.
 - Remediation Markdown for server-by-server handoff.
 - Remediation checklist for PR and setup tracking.
-- Audit manifest JSON for downstream automation.
+- Audit manifest JSON with SHA-256 hashes, byte sizes, and `mcp-guard verify-audit` support for downloaded artifacts.
 
 Secret-like values are redacted before reports are written.
 
@@ -103,7 +103,7 @@ mcp-guard scan --config .mcp.json --write-baseline .mcp-guard-baseline.json
 Then enforce only new findings:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json
@@ -115,7 +115,7 @@ Then enforce only new findings:
 Commit `.mcp-guard-policy.json` or pass `policy` to enforce approved commands, remote packages, directories, and remote MCP URLs.
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
   with:
     config: .mcp.json
     policy: .mcp-guard-policy.json

package/docs/marketplace.md

@@ -82,17 +82,18 @@ Code quality
 Current release title:
 
 ```text
-v0.4.6
+v0.4.8
 ```
 
 Release notes:
 
 ```text
-Remediation checklist release.
+Audit verification release.
 
-- Adds a checkbox remediation checklist to every `mcp-guard audit` pack.
-- PR comments and job summaries now include first remediation steps, not only finding counts.
-- Keeps executive summary, remediation plan, Markdown, HTML, JSON, SARIF, manifest, policy, baseline, artifacts, and SARIF upload support.
+- Adds `mcp-guard verify-audit` so downloaded audit packs can be checked against the manifest without custom scripts.
+- Verifies SHA-256 checksums and byte sizes for generated audit artifacts in `mcp-guard-audit-manifest.json`.
+- Keeps remediation checklist, first remediation steps in PR comments, executive summary, remediation plan, Markdown, HTML, JSON, SARIF, policy, baseline, artifacts, and SARIF upload support.
+- Improves paid setup and internal review handoff by making generated evidence easier to verify after delivery or CI download.
 ```
 
 ## Manual Publishing Steps
@@ -105,7 +106,7 @@ Completed:
 - README, docs, and website examples now use:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.6
+- uses: ChaoYue0307/mcp-guard-action@v0.4.8
 ```
 
 Remaining Marketplace web step:

package/docs/paid-audit.md

@@ -13,7 +13,7 @@ It is not currently advertised as an active consulting service. Keep public webs
 ## Deliverables
 
 - MCP and agent tool inventory.
-- `mcp-guard audit` evidence pack with executive summary, remediation plan, remediation checklist, reports, and manifest.
+- `mcp-guard audit` evidence pack with executive summary, remediation plan, remediation checklist, reports, hashed manifest, and `verify-audit` output.
 - Risk report covering shell access, package execution, filesystem scope, secrets, remote servers, and dangerous commands.
 - Practical remediation checklist.
 - Optional PR with safer config and policy changes.

package/docs/roadmap.md

@@ -13,7 +13,7 @@
 - Optional GitHub pull request comments from the Marketplace Action.
 - `mcp-guard init` for bootstrapping a GitHub Action workflow and optional baseline.
 - Policy file enforcement for approved commands, packages, directories, and remote URLs.
-- `mcp-guard audit` for review-ready executive summaries, remediation plans, remediation checklists, reports, and manifests.
+- `mcp-guard audit` and `mcp-guard verify-audit` for review-ready summaries, remediation plans, checklists, reports, and verifiable manifests.
 - npm Trusted Publishing workflow prepared for tokenless release publishing.
 
 ## Next

package/docs/trusted-publishing.md

@@ -36,7 +36,7 @@ Configure this once on npmjs.com:
 After this is saved, run the workflow from GitHub Actions with the release tag, for example:
 
 ```text
-v0.4.6
+v0.4.8
 ```
 
 ## Release Flow After Setup
@@ -44,7 +44,7 @@ v0.4.6
 1. Update `package.json` and `src/cli.js`.
 2. Run `npm test` and `npm run release:check`.
 3. Commit and push to `main`.
-4. Create a GitHub release tag such as `v0.4.6`.
+4. Create a GitHub release tag such as `v0.4.8`.
 5. Run the `Publish npm` workflow with the same tag.
 6. Verify npm:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-mcp-guard",
-  "version": "0.4.6",
+  "version": "0.4.8",
   "description": "Open-source CLI scanner for risky MCP server and AI agent tool configuration.",
   "type": "module",
   "homepage": "https://chaoyue0307.github.io/mcp-guard/",

package/site/e2e/audit/mcp-guard-audit-manifest.json

@@ -2,9 +2,9 @@
   "version": 1,
   "tool": {
     "name": "mcp-guard",
-    "version": "0.4.6"
+    "version": "0.4.8"
   },
-  "generatedAt": "2026-05-10T19:56:07.107Z",
+  "generatedAt": "2026-05-10T20:20:35.470Z",
   "status": "needs_review",
   "failOn": "none",
   "outputDir": "site/e2e/audit",
@@ -36,5 +36,52 @@
     "jsonReport": "site/e2e/audit/mcp-guard-report.json",
     "sarifReport": "site/e2e/audit/mcp-guard.sarif",
     "manifest": "site/e2e/audit/mcp-guard-audit-manifest.json"
+  },
+  "integrity": {
+    "algorithm": "sha256",
+    "artifacts": [
+      {
+        "key": "executiveSummary",
+        "path": "site/e2e/audit/mcp-guard-executive-summary.md",
+        "bytes": 1764,
+        "sha256": "63e42ed47cc429f8ccdfe1bb47c35c62d47f483e4ed6582c87d2542e7cbaf7e6"
+      },
+      {
+        "key": "remediation",
+        "path": "site/e2e/audit/mcp-guard-remediation.md",
+        "bytes": 2752,
+        "sha256": "2a71e9fb0f426ee99ee045112264bc24d220610098c1e991e0a3dc409310fed8"
+      },
+      {
+        "key": "remediationChecklist",
+        "path": "site/e2e/audit/mcp-guard-remediation-checklist.md",
+        "bytes": 2056,
+        "sha256": "26902af05eb8d4c880b32ec96130177c0ff00ade96b004e15564caa82cd01d48"
+      },
+      {
+        "key": "markdownReport",
+        "path": "site/e2e/audit/mcp-guard-report.md",
+        "bytes": 3297,
+        "sha256": "6882a79e02c821697e8e4a02168f9f87372822ac2b1e135ea399621c77f742c0"
+      },
+      {
+        "key": "htmlReport",
+        "path": "site/e2e/audit/mcp-guard-report.html",
+        "bytes": 12988,
+        "sha256": "eefc4b523c90dcb46c2ebad6dff6b7885be913d1a8bfb36ff930b35dd0da7ca9"
+      },
+      {
+        "key": "jsonReport",
+        "path": "site/e2e/audit/mcp-guard-report.json",
+        "bytes": 5938,
+        "sha256": "e7c65a367d5115e25042a71e9408427e25c357c762a00747d2046167980b54f5"
+      },
+      {
+        "key": "sarifReport",
+        "path": "site/e2e/audit/mcp-guard.sarif",
+        "bytes": 20856,
+        "sha256": "16bfca40d3158c8864bc2d0dd120ffb48e2277f60e576477c65b22fd3eb2bbd0"
+      }
+    ]
   }
 }

package/site/e2e/audit/mcp-guard-executive-summary.md

@@ -1,6 +1,6 @@
 # mcp-guard Executive Summary
 
-Generated: 2026-05-10T19:56:07.107Z
+Generated: 2026-05-10T20:20:35.470Z
 Status: **Needs review**
 Risk score: **98**
 Fail threshold: **none**

package/site/e2e/audit/mcp-guard-remediation-checklist.md

@@ -1,6 +1,6 @@
 # mcp-guard Remediation Checklist
 
-Generated: 2026-05-10T19:56:07.107Z
+Generated: 2026-05-10T20:20:35.470Z
 Risk score: **98**
 Active findings: **9**
 

package/site/e2e/audit/mcp-guard-remediation.md

@@ -1,6 +1,6 @@
 # mcp-guard Remediation Plan
 
-Generated: 2026-05-10T19:56:07.107Z
+Generated: 2026-05-10T20:20:35.470Z
 
 ## Priority
 

package/site/e2e/audit/mcp-guard-report.html

@@ -297,7 +297,7 @@
           <div class="metric"><strong>1</strong><span>Scanned files</span></div>
           <div class="metric"><strong>3</strong><span>MCP servers</span></div>
           <div class="metric"><strong>9</strong><span>Active findings</span></div>
-          <div class="metric"><strong>2026-05-10 19:56 UTC</strong><span>Generated</span></div>
+          <div class="metric"><strong>2026-05-10 20:20 UTC</strong><span>Generated</span></div>
         </div>
       </div>
       <aside class="scorecard" aria-label="Risk score">

package/site/e2e/audit/mcp-guard-report.json

@@ -1,11 +1,11 @@
 {
   "metadata": {
-    "generatedAt": "2026-05-10T19:56:07.107Z",
+    "generatedAt": "2026-05-10T20:20:35.470Z",
     "cwd": ".",
     "home": "~",
     "policyPath": "",
     "policyEnabled": false,
-    "toolVersion": "0.4.6"
+    "toolVersion": "0.4.8"
   },
   "policy": null,
   "scannedFiles": [

package/site/e2e/audit/mcp-guard-report.md

@@ -1,6 +1,6 @@
 # mcp-guard Scan Report
 
-Generated: 2026-05-10T19:56:07.107Z
+Generated: 2026-05-10T20:20:35.470Z
 
 ## Summary
 

package/site/e2e/audit/mcp-guard.sarif

@@ -7,7 +7,7 @@
         "driver": {
           "name": "mcp-guard",
           "informationUri": "https://github.com/ChaoYue0307/mcp-guard",
-          "semanticVersion": "0.4.6",
+          "semanticVersion": "0.4.8",
           "rules": [
             {
               "id": "MCP010",

package/site/e2e/report.html

@@ -297,7 +297,7 @@
           <div class="metric"><strong>1</strong><span>Scanned files</span></div>
           <div class="metric"><strong>3</strong><span>MCP servers</span></div>
           <div class="metric"><strong>9</strong><span>Active findings</span></div>
-          <div class="metric"><strong>2026-05-10 19:56 UTC</strong><span>Generated</span></div>
+          <div class="metric"><strong>2026-05-10 20:20 UTC</strong><span>Generated</span></div>
         </div>
       </div>
       <aside class="scorecard" aria-label="Risk score">

package/site/e2e/report.json

@@ -1,11 +1,11 @@
 {
   "metadata": {
-    "generatedAt": "2026-05-10T19:56:04.165Z",
+    "generatedAt": "2026-05-10T20:20:32.748Z",
     "cwd": ".",
     "home": "~",
     "policyPath": "",
     "policyEnabled": false,
-    "toolVersion": "0.4.6"
+    "toolVersion": "0.4.8"
   },
   "policy": null,
   "scannedFiles": [

package/site/e2e/report.md

@@ -1,6 +1,6 @@
 # mcp-guard Scan Report
 
-Generated: 2026-05-10T19:55:57.838Z
+Generated: 2026-05-10T20:20:32.709Z
 
 ## Summary
 

package/site/e2e/report.sarif

@@ -7,7 +7,7 @@
         "driver": {
           "name": "mcp-guard",
           "informationUri": "https://github.com/ChaoYue0307/mcp-guard",
-          "semanticVersion": "0.4.6",
+          "semanticVersion": "0.4.8",
           "rules": [
             {
               "id": "MCP010",

package/src/audit.js

@@ -1,4 +1,5 @@
 import fs from "node:fs/promises";
+import crypto from "node:crypto";
 import path from "node:path";
 import { applyBaseline, loadBaselineFile } from "./baseline.js";
 import { displayPath } from "./fingerprint.js";
@@ -44,12 +45,6 @@ export async function writeAuditPack({
 
   await fs.mkdir(resolvedOutputDir, { recursive: true });
 
-  const manifest = buildAuditManifest(result, files, {
-    cwd,
-    outputDir: resolvedOutputDir,
-    failOn
-  });
-
   await Promise.all([
     fs.writeFile(files.executiveSummary, generateExecutiveSummary(result, { failOn }), "utf8"),
     fs.writeFile(files.remediation, generateRemediationPlan(result), "utf8"),
@@ -59,6 +54,14 @@ export async function writeAuditPack({
     fs.writeFile(files.jsonReport, `${generateJsonReport(result)}\n`, "utf8"),
     fs.writeFile(files.sarifReport, `${generateSarifReport(result)}\n`, "utf8")
   ]);
+
+  const artifacts = await auditArtifacts(files, cwd);
+  const manifest = buildAuditManifest(result, files, {
+    cwd,
+    outputDir: resolvedOutputDir,
+    failOn,
+    artifacts
+  });
   await fs.writeFile(files.manifest, `${JSON.stringify(manifest, null, 2)}\n`, "utf8");
 
   return {
@@ -69,6 +72,76 @@ export async function writeAuditPack({
   };
 }
 
+export async function verifyAuditPack({ cwd, manifestPath = "" }) {
+  const resolvedManifestPath = path.resolve(cwd, manifestPath || path.join("mcp-guard-audit", AUDIT_FILENAMES.manifest));
+  const manifestDir = path.dirname(resolvedManifestPath);
+  const manifest = JSON.parse(await fs.readFile(resolvedManifestPath, "utf8"));
+  const algorithm = manifest.integrity?.algorithm;
+  const artifacts = Array.isArray(manifest.integrity?.artifacts) ? manifest.integrity.artifacts : [];
+  const results = [];
+
+  if (algorithm !== "sha256") {
+    results.push({
+      key: "manifest",
+      path: displayPath(resolvedManifestPath, cwd),
+      status: "failed",
+      reason: `Unsupported or missing integrity algorithm: ${algorithm || "none"}`
+    });
+  }
+
+  if (artifacts.length === 0) {
+    results.push({
+      key: "manifest",
+      path: displayPath(resolvedManifestPath, cwd),
+      status: "failed",
+      reason: "No integrity artifacts found in manifest."
+    });
+  }
+
+  for (const artifact of artifacts) {
+    results.push(await verifyAuditArtifact(artifact, { cwd, manifestDir }));
+  }
+
+  const failedCount = results.filter((result) => result.status !== "passed").length;
+  const checkedCount = artifacts.length;
+  return {
+    manifestPath: resolvedManifestPath,
+    status: failedCount === 0 ? "passed" : "failed",
+    checkedCount,
+    passedCount: results.filter((result) => result.status === "passed").length,
+    failedCount,
+    results
+  };
+}
+
+export function generateAuditVerificationSummary(verification, cwd) {
+  const lines = [];
+  lines.push("mcp-guard audit verification");
+  lines.push(`Manifest: ${displayPath(verification.manifestPath, cwd)}`);
+  lines.push(`Status: ${verification.status}`);
+  lines.push(`Artifacts checked: ${verification.checkedCount}`);
+  lines.push(`Passed: ${verification.passedCount}`);
+  lines.push(`Failed: ${verification.failedCount}`);
+  lines.push("");
+
+  for (const result of verification.results) {
+    lines.push(`- [${result.status === "passed" ? "ok" : "failed"}] ${result.key}: ${result.path}`);
+    if (result.status !== "passed") {
+      lines.push(`  Reason: ${result.reason}`);
+      if (result.expectedSha256 || result.actualSha256) {
+        lines.push(`  Expected sha256: ${result.expectedSha256 || "-"}`);
+        lines.push(`  Actual sha256: ${result.actualSha256 || "-"}`);
+      }
+      if (Number.isInteger(result.expectedBytes) || Number.isInteger(result.actualBytes)) {
+        lines.push(`  Expected bytes: ${result.expectedBytes ?? "-"}`);
+        lines.push(`  Actual bytes: ${result.actualBytes ?? "-"}`);
+      }
+    }
+  }
+
+  return `${lines.join("\n")}\n`;
+}
+
 export function auditFilePaths(outputDir) {
   return Object.fromEntries(
     Object.entries(AUDIT_FILENAMES).map(([key, filename]) => [key, path.join(outputDir, filename)])
@@ -246,7 +319,7 @@ function generateRemediationChecklist(result) {
   return `${lines.join("\n")}\n`;
 }
 
-function buildAuditManifest(result, files, { cwd, outputDir, failOn }) {
+function buildAuditManifest(result, files, { cwd, outputDir, failOn, artifacts }) {
   return {
     version: 1,
     tool: {
@@ -268,10 +341,92 @@ function buildAuditManifest(result, files, { cwd, outputDir, failOn }) {
     baseline: result.baseline || { enabled: false },
     files: Object.fromEntries(
       Object.entries(files).map(([key, filePath]) => [key, displayPath(filePath, cwd)])
-    )
+    ),
+    integrity: {
+      algorithm: "sha256",
+      artifacts
+    }
+  };
+}
+
+async function auditArtifacts(files, cwd) {
+  const artifacts = [];
+  for (const [key, filePath] of Object.entries(files)) {
+    if (key === "manifest") continue;
+    const content = await fs.readFile(filePath);
+    artifacts.push({
+      key,
+      path: displayPath(filePath, cwd),
+      bytes: content.byteLength,
+      sha256: crypto.createHash("sha256").update(content).digest("hex")
+    });
+  }
+  return artifacts;
+}
+
+async function verifyAuditArtifact(artifact, { cwd, manifestDir }) {
+  if (!artifact?.key || !artifact?.path) {
+    return {
+      key: artifact?.key || "<unknown>",
+      path: artifact?.path || "<missing>",
+      status: "failed",
+      reason: "Artifact entry is missing key or path."
+    };
+  }
+
+  const resolvedPath = await resolveAuditArtifactPath(artifact.path, { cwd, manifestDir });
+  let content;
+  try {
+    content = await fs.readFile(resolvedPath);
+  } catch {
+    return {
+      key: artifact.key,
+      path: artifact.path,
+      resolvedPath: displayPath(resolvedPath, cwd),
+      status: "failed",
+      reason: "Artifact file is missing.",
+      expectedBytes: artifact.bytes,
+      expectedSha256: artifact.sha256
+    };
+  }
+
+  const actualBytes = content.byteLength;
+  const actualSha256 = crypto.createHash("sha256").update(content).digest("hex");
+  const bytesMatch = actualBytes === artifact.bytes;
+  const hashMatch = actualSha256 === artifact.sha256;
+  return {
+    key: artifact.key,
+    path: artifact.path,
+    resolvedPath: displayPath(resolvedPath, cwd),
+    status: bytesMatch && hashMatch ? "passed" : "failed",
+    reason: bytesMatch && hashMatch ? "" : "Artifact content does not match manifest integrity metadata.",
+    expectedBytes: artifact.bytes,
+    actualBytes,
+    expectedSha256: artifact.sha256,
+    actualSha256
   };
 }
 
+async function resolveAuditArtifactPath(artifactPath, { cwd, manifestDir }) {
+  if (path.isAbsolute(artifactPath)) return artifactPath;
+
+  const candidates = [
+    path.join(manifestDir, path.basename(artifactPath)),
+    path.resolve(cwd, artifactPath)
+  ];
+
+  for (const candidate of candidates) {
+    try {
+      await fs.access(candidate);
+      return candidate;
+    } catch {
+      // Try the next candidate.
+    }
+  }
+
+  return candidates[0];
+}
+
 function decisionGuidance(result) {
   if (result.findings.length === 0) {
     return ["No active findings were detected. Continue reviewing new MCP servers before adding them."];

package/src/cli.js

@@ -1,13 +1,13 @@
 import fs from "node:fs/promises";
 import path from "node:path";
-import { generateAuditSummary, writeAuditPack } from "./audit.js";
+import { generateAuditSummary, generateAuditVerificationSummary, verifyAuditPack, writeAuditPack } from "./audit.js";
 import { applyBaseline, loadBaselineFile, writeBaselineFile } from "./baseline.js";
 import { initProject, renderInitSummary } from "./init.js";
 import { scan } from "./scan.js";
 import { generateHtmlReport, generateJsonReport, generateMarkdownReport, generateSarifReport, generateTextReport } from "./report.js";
 import { compareSeverity, severityRank } from "./severity.js";
 
-const VERSION = "0.4.6";
+const VERSION = "0.4.8";
 
 export async function runCli(argv, io) {
   const args = argv.slice(2);
@@ -84,6 +84,25 @@ export async function runCli(argv, io) {
     return 0;
   }
 
+  if (command === "verify-audit") {
+    if (args.includes("--help") || args.includes("-h")) {
+      io.stdout.write(helpText());
+      return 0;
+    }
+
+    const options = parseVerifyAuditArgs(args.slice(1), io.cwd);
+    const verification = await verifyAuditPack({
+      cwd: options.cwd,
+      manifestPath: options.manifestPath
+    });
+    io.stdout.write(generateAuditVerificationSummary(verification, options.cwd));
+    if (verification.status !== "passed") {
+      process.exitCode = 2;
+      return 2;
+    }
+    return 0;
+  }
+
   if (command !== "scan") {
     io.stderr.write(`Unknown command: ${command}\n\n`);
     io.stderr.write(helpText());
@@ -329,6 +348,30 @@ function parseAuditArgs(args, defaultCwd) {
   return options;
 }
 
+function parseVerifyAuditArgs(args, defaultCwd) {
+  const options = {
+    cwd: defaultCwd,
+    manifestPath: ""
+  };
+  let manifestValue = "";
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "--manifest" || arg === "-m") {
+      manifestValue = readValue(args, index, arg);
+      index += 1;
+    } else if (arg === "--cwd") {
+      options.cwd = path.resolve(readValue(args, index, arg));
+      index += 1;
+    } else {
+      throw new Error(`Unknown verify-audit option: ${arg}`);
+    }
+  }
+
+  options.manifestPath = manifestValue ? resolveInputPath(manifestValue, options.cwd) : "";
+  return options;
+}
+
 function readValue(args, index, optionName) {
   const value = args[index + 1];
   if (!value || value.startsWith("--")) {
@@ -370,6 +413,7 @@ Open-source scanner for risky MCP server and AI agent tool configuration.
 Usage:
   mcp-guard scan [options]
   mcp-guard audit [options]
+  mcp-guard verify-audit [options]
   mcp-guard init [options]
   mcp-guard version
   mcp-guard help
@@ -420,11 +464,17 @@ Audit options:
       --no-policy           Do not auto-load .mcp-guard-policy.json.
       --no-defaults         Only scan paths passed with --config.
 
+Verify audit options:
+  -m, --manifest <path>     Audit manifest to verify.
+                            Default: mcp-guard-audit/mcp-guard-audit-manifest.json.
+      --cwd <path>          Working directory for resolving relative artifact paths.
+
 Examples:
   mcp-guard init
   mcp-guard init --write-baseline --upload-sarif
   mcp-guard scan
   mcp-guard audit --config .mcp.json --output-dir mcp-guard-audit
+  mcp-guard verify-audit --manifest mcp-guard-audit/mcp-guard-audit-manifest.json
   mcp-guard audit --config .mcp.json --policy .mcp-guard-policy.json --fail-on high
   mcp-guard scan --format markdown --output mcp-guard-report.md
   mcp-guard scan --format html --output mcp-guard-report.html