agent-security-lens 0.1.0 → 0.1.2

package/.env.example

@@ -1,8 +1,8 @@
 # AgentSecurityLens public MCP client configuration.
 ASL_MODE=online
 ASL_DISABLE_CLOUD=0
-ASL_API_URL=https://api.agentsecuritylens.com
-ASL_API_URLS=https://api.agentsecuritylens.com
+ASL_API_URL=https://agentsecuritylens-api.agentsecuritylens.workers.dev
+ASL_API_URLS=https://agentsecuritylens-api.agentsecuritylens.workers.dev
 ASL_API_TIMEOUT_MS=3500
 ASL_API_KEY=
 ASL_AGENT_ID=

package/.mcp/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.0",
+  "version": "0.1.2",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.0",
+      "version": "0.1.2",
       "transport": {
         "type": "stdio"
       },
@@ -22,7 +22,7 @@
           "name": "ASL_API_URL",
           "description": "AgentSecurityLens Cloud Intelligence API URL.",
           "isRequired": false,
-          "default": "https://api.agentsecuritylens.com"
+          "default": "https://agentsecuritylens-api.agentsecuritylens.workers.dev"
         },
         {
           "name": "ASL_API_KEY",

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.1.2
+
+- Add public security intelligence index for agents and package readers.
+- Add public MCP, Skill, and Agent Framework decision reports.
+- Add machine-readable public install-decision export.
+- Add GitHub OIDC workflow for publishing to the MCP Registry.
+- Keep internal operations, private sync scripts, queues, and team telemetry out of the public release.
+
+## 0.1.1
+
+- Connect the MCP to the live AgentSecurityLens Cloud Intelligence API by default.
+- Fix D1 strict-review selection when superseded assessment history is retained.
+- Normalize D1 evidence into the public Evidence Schema.
+- Align production release readiness with D1, R2 and operational KV storage.
+
 ## 0.1.0
 
 First public release.

package/README.md

@@ -4,6 +4,19 @@ AgentSecurityLens (ASL) is a security intelligence MCP for autonomous agents.
 
 Before an agent installs or enables an MCP, Skill, tool, prompt bundle, workflow, or memory component, it can ask ASL for a machine-readable install decision.
 
+ASL is not a malware verdict tool. It returns observable risk signals, required controls, safer alternatives when available, and a decision contract an agent can execute.
+
+## Public Intelligence
+
+The public package includes a reviewed baseline so agents can still make conservative decisions when the cloud API is unavailable.
+
+- [Public Security Index v0.1](docs/public-intelligence/asl-public-security-index-v0.1.md)
+- [Top MCP Security Signals v0.1](docs/public-intelligence/top-mcp-security-signals-v0.1.md)
+- [Top Skill Security Signals v0.1](docs/public-intelligence/top-skill-security-signals-v0.1.md)
+- [Agent Framework Install Decisions v0.1](docs/public-intelligence/agent-framework-install-decisions-v0.1.md)
+
+The online ASL intelligence API serves the current expanded catalog. The npm package intentionally does not ship the complete private intelligence database.
+
 ## Install
 
 ```json
@@ -24,8 +37,8 @@ Node.js 20 or newer is required.
 The public MCP uses online intelligence by default:
 
 ```text
-ASL_API_URL=https://api.agentsecuritylens.com
-ASL_API_URLS=https://api.agentsecuritylens.com
+ASL_API_URL=https://agentsecuritylens-api.agentsecuritylens.workers.dev
+ASL_API_URLS=https://agentsecuritylens-api.agentsecuritylens.workers.dev
 ```
 
 `ASL_API_URLS` may contain multiple comma-separated endpoints. The MCP tries them in order and falls back automatically.

package/RELEASE-MANIFEST.json

@@ -1,14 +1,14 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.0",
-  "generated_at": "2026-06-15T10:17:03.672Z",
+  "version": "0.1.2",
+  "generated_at": "2026-06-21T15:24:09.597Z",
   "source": "ASL verified public release exporter",
   "files": [
     {
       "path": ".env.example",
-      "bytes": 270,
-      "sha256": "5a933f6d2a954f7438b89418631425bdcb0d2f5d53acc129a221282c976caef3"
+      "bytes": 322,
+      "sha256": "6a920a289e9b1c900fceeee7ba65a1c3518b61dd0e8ecedda8703219d7e6733a"
     },
     {
       "path": ".github/ISSUE_TEMPLATE/bug.yml",
@@ -30,6 +30,11 @@
       "bytes": 444,
       "sha256": "86ac5975ffafc51f4045fbe6cb9959f938fa52c0ed59d87f294d8d701ab01a50"
     },
+    {
+      "path": ".github/workflows/publish-mcp-registry.yml",
+      "bytes": 1074,
+      "sha256": "fd2bed721b5fdf3f1e8b09656b7aac46e333a827bfc7ea6d7756b1bcb2499cd2"
+    },
     {
       "path": ".gitignore",
       "bytes": 80,
@@ -37,8 +42,8 @@
     },
     {
       "path": ".mcp/server.json",
-      "bytes": 1261,
-      "sha256": "b8bd6fabc24bbe8bec904d4093c7506574c97ad5d8c344917144934904feba26"
+      "bytes": 1287,
+      "sha256": "befc15416fd0b04b1cca08796e3b98c9062ffe4717791d570e9c452d132acfc0"
     },
     {
       "path": ".npmignore",
@@ -47,8 +52,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 583,
-      "sha256": "8a2b684447e6adc75d860fd962802d685329e110d359a6e6ca0045b2e12fd1db"
+      "bytes": 1261,
+      "sha256": "8bfa163446c5354f78427edd24c8419cc435ee024913ff08266f75a59cd6c651"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -72,8 +77,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 4898,
-      "sha256": "51fb4da9a0888d824d9a62366eb303987daedcef90aa8cd4a810847513852053"
+      "bytes": 5829,
+      "sha256": "e4bf0eacff185b9bdb2314b66ac7a2432b35f51ef8c7b010231bdc08809f7f35"
     },
     {
       "path": "SECURITY.md",
@@ -120,6 +125,31 @@
       "bytes": 3044,
       "sha256": "8411a4bfacdd0f416fc79674e060524a03082aca18193347ef934771e06a65f1"
     },
+    {
+      "path": "docs/public-intelligence/agent-framework-install-decisions-v0.1.md",
+      "bytes": 8855,
+      "sha256": "3f3edfd42a69f987bd90c2cb2867bb1f14db26877305bd522941134ded149a01"
+    },
+    {
+      "path": "docs/public-intelligence/agent-install-decisions-v0.1.json",
+      "bytes": 43605,
+      "sha256": "93fc1945488747e22f064e0bf3755d95e1558f41ebbd001322ec46c6c719fa3e"
+    },
+    {
+      "path": "docs/public-intelligence/asl-public-security-index-v0.1.md",
+      "bytes": 11404,
+      "sha256": "828fdcd367057a3b5583a80dc095b5e5365ef5e5f947ccf6ba95d964a1f50403"
+    },
+    {
+      "path": "docs/public-intelligence/top-mcp-security-signals-v0.1.md",
+      "bytes": 11894,
+      "sha256": "bd0cddfbb21bc55ec969df11e175fa0353ec4f855b86469bb7f971caf8ad6876"
+    },
+    {
+      "path": "docs/public-intelligence/top-skill-security-signals-v0.1.md",
+      "bytes": 7452,
+      "sha256": "7af2e8f359c4c5df94ea60092c40f8abde9d41f1b3d815bc023324730a676bda"
+    },
     {
       "path": "examples/dot-hermes/.hermes/config.json",
       "bytes": 286,
@@ -172,13 +202,13 @@
     },
     {
       "path": "llms.txt",
-      "bytes": 1386,
-      "sha256": "55576fd6c869f40ae2a41017dc7978bd1bef33c642cdfa509525d2a218eebd9d"
+      "bytes": 1727,
+      "sha256": "adcbc320f9c5e13e4b71b57f47337d06008fdbfe567b39902643b9a3d1c9e010"
     },
     {
       "path": "package.json",
       "bytes": 1973,
-      "sha256": "1f7527425a0c1c55eaec1a42ec99a7084abb7771453c38246187ef1362243ed0"
+      "sha256": "e2227a4030693158a795e445a5330956eb96e003eeba7a7c2ba5e1e2b0b70e9a"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -307,8 +337,8 @@
     },
     {
       "path": "server.json",
-      "bytes": 1261,
-      "sha256": "b8bd6fabc24bbe8bec904d4093c7506574c97ad5d8c344917144934904feba26"
+      "bytes": 1287,
+      "sha256": "befc15416fd0b04b1cca08796e3b98c9062ffe4717791d570e9c452d132acfc0"
     },
     {
       "path": "src/assessment/assess.mjs",
@@ -337,8 +367,8 @@
     },
     {
       "path": "src/intelligence/cloud-client.mjs",
-      "bytes": 7479,
-      "sha256": "b8541e1cab43ccac3a7de16b7402c82108b0b113d4834499a0913f71750a6f33"
+      "bytes": 7505,
+      "sha256": "0878d7a3efdccd5fc788034f08d25712fe52b4c2107bf23d697bd961c0e6bfbb"
     },
     {
       "path": "src/intelligence/component-intelligence.mjs",
@@ -357,8 +387,8 @@
     },
     {
       "path": "src/intelligence/safety-score-v0.2.mjs",
-      "bytes": 11957,
-      "sha256": "9a9b302826d180e073be7bb98bcd506b5bb2cd430e480ee32d36838074b2b101"
+      "bytes": 12015,
+      "sha256": "f0c9f7b816403034c54ca0b86ae6d523102e209cabd10075a0cf4e159a633c16"
     },
     {
       "path": "src/observations/json-observations.mjs",

package/docs/public-intelligence/agent-framework-install-decisions-v0.1.md

@@ -0,0 +1,210 @@
+# Agent Framework Install Decisions v0.1
+
+A public ASL decision view for autonomous agent frameworks and agent runtimes.
+
+This public index is designed for autonomous agents. It exposes install decisions and evidence summaries, not ASL internal research operations.
+
+## Coverage
+
+- Published components in this report: 14
+- strict_reviewed: 8
+- curated_baseline: 6
+- allow_with_restrictions: 7
+- ask_user: 4
+- avoid: 3
+
+Unknown or automatic-only components should not receive automatic-install authorization.
+
+### astron-agent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `allow_with_restrictions`
+- Trust score: `80`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: mcp-tool-surface
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### oh-my-agent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `allow_with_restrictions`
+- Trust score: `62`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, credential-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Allowlist required remote endpoints and deny undeclared destinations.
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### Chorus
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `53`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: license-undisclosed, remote-code-install
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Confirm usage rights and provenance before redistribution or enterprise deployment.
+  - Pin the exact package version, release or commit and install only inside an isolated environment.
+  - Grant only the permissions required for the current task and remove unused capabilities.
+
+### cua
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `52`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: credential-access, background-execution, network-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Disable unattended triggers until audit logging and an explicit stop control are configured.
+  - Allowlist required remote endpoints and deny undeclared destinations.
+
+### Agent-S
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `ask_user`
+- Trust score: `40`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: credential-access, filesystem-write, background-execution, browser-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Restrict write access to a dedicated workspace or temporary copy.
+  - Disable unattended triggers until audit logging and an explicit stop control are configured.
+
+### OpenAgentsControl
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `34`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, dynamic-code-execution, filesystem-write, network-access
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Disable dynamic code paths when possible and isolate execution from host credentials.
+  - Restrict write access to a dedicated workspace or temporary copy.
+
+### lamda
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `14`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, filesystem-write, dynamic-code-execution, shell-execution, background-execution
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Restrict write access to a dedicated workspace or temporary copy.
+  - Disable dynamic code paths when possible and isolate execution from host credentials.
+
+### CowAgent
+
+- Type: `agent-framework`
+- State: `strict_reviewed`
+- Decision: `avoid`
+- Trust score: `6`
+- Agent action: Do not install automatically; choose an alternative or request explicit human approval.
+- Risk signals: credential-access, browser-access, shell-execution, background-execution, filesystem-write
+- Evidence: source, technical_scan, permission_and_risk_analysis, independent_quality_review, recommendation_review (4 records)
+- Safe-install controls:
+  - Use a dedicated least-privilege credential with explicit scope and rotation.
+  - Use an isolated browser profile without personal cookies or sessions.
+  - Require confirmation for every command and run inside an isolated environment.
+
+### LangGraph
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `73`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: agent-orchestration, tool-chaining, network-access
+- Evidence: baseline
+- Safe-install controls:
+  - Review graph nodes that can call tools or external APIs.
+  - Apply allowlists to write-capable tools.
+  - Log state transitions for autonomous workflows.
+
+### AutoGen
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `72`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, code-execution, multi-agent-delegation
+- Evidence: baseline
+- Safe-install controls:
+  - Restrict code execution tools until the task requires them.
+  - Use scoped API keys and avoid sharing personal credentials across agents.
+  - Log delegated tool calls for later review.
+
+### CrewAI
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `70`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: network-access, multi-agent-delegation, tool-chaining
+- Evidence: baseline
+- Safe-install controls:
+  - Review tool assignments before running autonomous crews.
+  - Use least-privilege API credentials per task.
+  - Disable write-capable tools unless needed.
+
+### Dify
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `67`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: workflow-automation, network-access, plugin-access, credential-access
+- Evidence: baseline
+- Safe-install controls:
+  - Review connected tools, plugins and workflow triggers before autonomous execution.
+  - Use scoped credentials for each integration.
+  - Separate test workflows from production workflows.
+
+### OpenHands
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `allow_with_restrictions`
+- Trust score: `63`
+- Agent action: Install only after applying every safe-install control.
+- Risk signals: shell-execution, filesystem-write, network-access, credential-access
+- Evidence: baseline
+- Safe-install controls:
+  - Run inside a dedicated workspace or container.
+  - Do not mount personal home directories by default.
+  - Use scoped credentials and review tool permissions before autonomous execution.
+
+### OpenManus
+
+- Type: `agent-framework`
+- State: `curated_baseline`
+- Decision: `ask_user`
+- Trust score: `56`
+- Agent action: Pause automatic installation and ask the user before enabling this component.
+- Risk signals: shell-execution, network-access, browser-access, unknown-source
+- Evidence: baseline
+- Safe-install controls:
+  - Require user confirmation before enabling autonomous tool execution.
+  - Use a separate browser profile and isolated workspace.
+  - Record exact source URL and version before installation.