agent-security-lens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. package/.env.example +10 -0
  2. package/.mcp/server.json +42 -0
  3. package/CHANGELOG.md +17 -0
  4. package/LICENSE +17 -0
  5. package/PRIVACY.md +37 -0
  6. package/README.md +150 -0
  7. package/RELEASE-MANIFEST.json +449 -0
  8. package/SECURITY.md +24 -0
  9. package/apps/mcp-server/agent-security-lens-mcp.mjs +441 -0
  10. package/bin/agent-security-lens.mjs +117 -0
  11. package/data/ecosystems/agent-candidates.json +230 -0
  12. package/data/intelligence/components.json +22989 -0
  13. package/data/intelligence/security-evaluation-standard.json +221 -0
  14. package/data/recommendations/core/recommendations.json +256 -0
  15. package/data/trust/signal-taxonomy.json +107 -0
  16. package/docs/asl-agent-component-safety-standard-v0.2.md +56 -0
  17. package/examples/dot-hermes/.hermes/config.json +17 -0
  18. package/examples/dot-openclaw/.openclaw/openclaw.json +17 -0
  19. package/examples/hermes-like/.env.example +2 -0
  20. package/examples/hermes-like/config.json +37 -0
  21. package/examples/hermes-like/optional-mcps/github-tools.json +8 -0
  22. package/examples/hermes-like/skills/openclaw-imports/browser-skill/SKILL.md +8 -0
  23. package/examples/openclaw-like/.env.example +2 -0
  24. package/examples/openclaw-like/AGENTS.md +7 -0
  25. package/examples/openclaw-like/openclaw.json +28 -0
  26. package/examples/openclaw-like/workspace/skills/browser-control/SKILL.md +8 -0
  27. package/llms.txt +25 -0
  28. package/package.json +50 -0
  29. package/profiles/generic-agent/profile.json +19 -0
  30. package/profiles/hermes-like/profile.json +23 -0
  31. package/profiles/mcp-server/profile.json +18 -0
  32. package/profiles/openclaw-like/profile.json +22 -0
  33. package/profiles/skill-runtime/profile.json +19 -0
  34. package/rule-packs/core/rules.json +82 -0
  35. package/rule-packs/hermes/rules.json +44 -0
  36. package/rule-packs/mcp/rules.json +65 -0
  37. package/rule-packs/openclaw/rules.json +46 -0
  38. package/rule-packs/skills/rules.json +45 -0
  39. package/schemas/agent-install-decision.schema.json +432 -0
  40. package/schemas/agent-usage-event.schema.json +45 -0
  41. package/schemas/assessment-result.schema.json +361 -0
  42. package/schemas/comparison-result.schema.json +113 -0
  43. package/schemas/component-alternative-graph.schema.json +187 -0
  44. package/schemas/component-intelligence.schema.json +93 -0
  45. package/schemas/decision-feedback.schema.json +49 -0
  46. package/schemas/ecosystem-candidate-registry.schema.json +98 -0
  47. package/schemas/profile.schema.json +65 -0
  48. package/schemas/recommendation-pack.schema.json +114 -0
  49. package/schemas/rule-pack.schema.json +113 -0
  50. package/schemas/trust-signal-taxonomy.schema.json +68 -0
  51. package/scripts/verify-examples.mjs +121 -0
  52. package/scripts/verify-mcp-server.mjs +278 -0
  53. package/scripts/verify-registry.mjs +264 -0
  54. package/server.json +42 -0
  55. package/src/assessment/assess.mjs +108 -0
  56. package/src/assessment/discover-targets.mjs +127 -0
  57. package/src/assessment/risk-domains.mjs +83 -0
  58. package/src/assessment/summarize.mjs +57 -0
  59. package/src/core/files.mjs +74 -0
  60. package/src/intelligence/cloud-client.mjs +260 -0
  61. package/src/intelligence/component-intelligence.mjs +358 -0
  62. package/src/intelligence/decision-engine.mjs +772 -0
  63. package/src/intelligence/finding-context.mjs +180 -0
  64. package/src/intelligence/safety-score-v0.2.mjs +294 -0
  65. package/src/observations/json-observations.mjs +211 -0
  66. package/src/observations/observation-rules.mjs +157 -0
  67. package/src/profiles/load-profiles.mjs +130 -0
  68. package/src/recommendations/component-alternative-graph.mjs +94 -0
  69. package/src/recommendations/load-recommendations.mjs +17 -0
  70. package/src/recommendations/match-recommendations.mjs +79 -0
  71. package/src/report/comparison-console.mjs +71 -0
  72. package/src/report/console.mjs +103 -0
  73. package/src/report/markdown.mjs +145 -0
  74. package/src/results/compare-results.mjs +106 -0
  75. package/src/results/save-result.mjs +29 -0
  76. package/src/rules/load-rules.mjs +22 -0
  77. package/src/rules/match-rules.mjs +99 -0
  78. package/src/rules/supersedes.mjs +39 -0
  79. package/src/store/assessment-store.mjs +78 -0
  80. package/src/trust/derive-trust-signals.mjs +73 -0
  81. package/src/trust/load-trust-signals.mjs +17 -0
package/schemas/agent-install-decision.schema.json ADDED
@@ -0,0 +1,432 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://agentsecuritylens.dev/schemas/agent-install-decision.schema.json",
4
+ "title": "AgentSecurityLens Agent Install Decision",
5
+ "type": "object",
6
+ "required": [
7
+ "schema_version",
8
+ "schema_id",
9
+ "service",
10
+ "result_type",
11
+ "component",
12
+ "decision",
13
+ "trust_score",
14
+ "safety_assessment",
15
+ "score_breakdown",
16
+ "risk_level",
17
+ "risk_signals",
18
+ "required_user_confirmation",
19
+ "safe_install_plan",
20
+ "alternatives",
21
+ "recommended_alternatives",
22
+ "alternative_coverage",
23
+ "next_action",
24
+ "one_step_action",
25
+ "agent_decision_contract",
26
+ "agent_actions",
27
+ "agent_instruction",
28
+ "intelligence_coverage"
29
+ ],
30
+ "properties": {
31
+ "schema_version": { "type": "string" },
32
+ "schema_id": { "type": "string" },
33
+ "service": { "const": "AgentSecurityLens" },
34
+ "result_type": { "const": "agent_install_decision" },
35
+ "component": {
36
+ "type": "object",
37
+ "required": ["known", "id", "name", "type", "source_url"],
38
+ "properties": {
39
+ "known": { "type": "boolean" },
40
+ "reviewed": { "type": "boolean" },
41
+ "strict_reviewed": { "type": "boolean" },
42
+ "curated_baseline": { "type": "boolean" },
43
+ "cataloged": { "type": "boolean" },
44
+ "intelligence_state": {
45
+ "type": "string",
46
+ "enum": ["strict_reviewed", "curated_baseline", "monitored", "candidate", "unknown"]
47
+ },
48
+ "id": { "type": ["string", "null"] },
49
+ "name": { "type": ["string", "null"] },
50
+ "type": {
51
+ "type": "string",
52
+ "enum": ["agent", "agent-framework", "mcp", "skill", "tool", "prompt", "prompt-bundle", "workflow", "memory", "unknown"]
53
+ },
54
+ "source_url": { "type": ["string", "null"] },
55
+ "full_name": { "type": ["string", "null"] },
56
+ "stars": { "type": ["integer", "null"] }
57
+ },
58
+ "additionalProperties": false
59
+ },
60
+ "decision": {
61
+ "type": "string",
62
+ "enum": ["allow", "allow_with_restrictions", "ask_user", "avoid"]
63
+ },
64
+ "trust_score": {
65
+ "type": "integer",
66
+ "minimum": 0,
67
+ "maximum": 100
68
+ },
69
+ "safety_assessment": {
70
+ "type": "object",
71
+ "required": [
72
+ "standard",
73
+ "model_version",
74
+ "context_safety_score",
75
+ "dimensions",
76
+ "residual_risk",
77
+ "decision",
78
+ "hard_failures",
79
+ "required_controls",
80
+ "missing_controls",
81
+ "scoring_disclosure"
82
+ ],
83
+ "properties": {
84
+ "standard": { "type": "string" },
85
+ "model_version": { "const": "asl-safety-standard@0.2.0" },
86
+ "context_safety_score": { "type": "integer", "minimum": 0, "maximum": 100 },
87
+ "dimensions": {
88
+ "type": "object",
89
+ "required": [
90
+ "exposure_risk",
91
+ "control_strength",
92
+ "supply_chain_trust",
93
+ "evidence_confidence",
94
+ "incident_risk"
95
+ ],
96
+ "additionalProperties": true
97
+ },
98
+ "residual_risk": { "type": "integer", "minimum": 0, "maximum": 100 },
99
+ "decision": {
100
+ "type": "string",
101
+ "enum": ["allow", "allow_with_restrictions", "ask_user", "avoid"]
102
+ },
103
+ "hard_failures": { "type": "array", "items": { "type": "string" } },
104
+ "required_controls": { "type": "array", "items": { "type": "string" } },
105
+ "missing_controls": { "type": "array", "items": { "type": "string" } },
106
+ "scoring_disclosure": { "type": "string" }
107
+ },
108
+ "additionalProperties": false
109
+ },
110
+ "score_breakdown": {
111
+ "type": ["object", "null"],
112
+ "required": [
113
+ "model_version",
114
+ "mode",
115
+ "base_score",
116
+ "risk_penalty",
117
+ "trust_adjustment",
118
+ "source_reliability",
119
+ "applied_risk_weights",
120
+ "applied_trust_signals",
121
+ "sentiment",
122
+ "decision_thresholds"
123
+ ],
124
+ "properties": {
125
+ "model_version": { "type": "string" },
126
+ "mode": {
127
+ "type": "string",
128
+ "enum": [
129
+ "strict_reviewed_intelligence_record",
130
+ "curated_baseline_record",
131
+ "monitored_catalog_record",
132
+ "candidate_catalog_record",
133
+ "inferred_from_submitted_metadata"
134
+ ]
135
+ },
136
+ "base_score": { "type": "integer" },
137
+ "risk_penalty": { "type": "integer" },
138
+ "trust_adjustment": { "type": "integer" },
139
+ "source_reliability": { "type": "number" },
140
+ "source_reliability_adjustment": { "type": "integer" },
141
+ "applied_risk_weights": {
142
+ "type": "array",
143
+ "items": {
144
+ "type": "object",
145
+ "required": ["signal", "weight"],
146
+ "properties": {
147
+ "signal": { "type": "string" },
148
+ "weight": { "type": "integer" }
149
+ },
150
+ "additionalProperties": false
151
+ }
152
+ },
153
+ "applied_trust_signals": {
154
+ "type": "array",
155
+ "items": {
156
+ "type": "object",
157
+ "required": ["signal", "weight"],
158
+ "properties": {
159
+ "signal": { "type": "string" },
160
+ "weight": { "type": "integer" }
161
+ },
162
+ "additionalProperties": false
163
+ }
164
+ },
165
+ "sentiment": {
166
+ "type": "object",
167
+ "required": ["auxiliary_only", "negative_count", "positive_count", "rule"],
168
+ "properties": {
169
+ "auxiliary_only": { "type": "boolean" },
170
+ "negative_count": { "type": "integer" },
171
+ "positive_count": { "type": "integer" },
172
+ "rule": { "type": "string" }
173
+ },
174
+ "additionalProperties": false
175
+ },
176
+ "dimensions": { "type": "object", "additionalProperties": true },
177
+ "residual_risk": { "type": "integer" },
178
+ "hard_failures": { "type": "array", "items": { "type": "string" } },
179
+ "required_controls": { "type": "array", "items": { "type": "string" } },
180
+ "missing_controls": { "type": "array", "items": { "type": "string" } },
181
+ "decision_thresholds": {
182
+ "type": "object",
183
+ "additionalProperties": true
184
+ }
185
+ },
186
+ "additionalProperties": false
187
+ },
188
+ "risk_level": {
189
+ "type": "string",
190
+ "enum": ["low", "medium", "high"]
191
+ },
192
+ "risk_signals": {
193
+ "type": "array",
194
+ "items": { "type": "string" }
195
+ },
196
+ "required_user_confirmation": { "type": "boolean" },
197
+ "safe_install_plan": {
198
+ "type": "array",
199
+ "items": { "type": "string" }
200
+ },
201
+ "alternatives": {
202
+ "type": "array",
203
+ "items": { "type": "string" }
204
+ },
205
+ "recommended_alternatives": {
206
+ "type": "array",
207
+ "items": {
208
+ "type": "object",
209
+ "required": ["id", "name", "reason", "action"],
210
+ "properties": {
211
+ "id": { "type": "string" },
212
+ "name": { "type": "string" },
213
+ "reason": { "type": "string" },
214
+ "action": { "type": "string" }
215
+ },
216
+ "additionalProperties": true
217
+ }
218
+ },
219
+ "alternative_coverage": {
220
+ "type": "object",
221
+ "required": ["status", "reviewed_alternative_count", "reason", "graph_version"],
222
+ "properties": {
223
+ "status": {
224
+ "enum": ["verified", "conditional", "gap", "not_applicable"]
225
+ },
226
+ "reviewed_alternative_count": { "type": "integer", "minimum": 0 },
227
+ "reason": { "type": ["string", "null"] },
228
+ "target_research_queries": {
229
+ "type": "array",
230
+ "items": { "type": "string" }
231
+ },
232
+ "graph_version": { "type": ["string", "null"] }
233
+ },
234
+ "additionalProperties": false
235
+ },
236
+ "next_action": {
237
+ "type": "string",
238
+ "enum": ["install", "apply_restrictions_then_install", "ask_user_before_install", "do_not_install"]
239
+ },
240
+ "one_step_action": {
241
+ "type": "object",
242
+ "required": ["action_type", "agent_instruction", "requires_user_confirmation", "blocks_install"],
243
+ "properties": {
244
+ "action_type": {
245
+ "type": "string",
246
+ "enum": ["install", "apply_restrictions_then_install", "ask_user_before_install", "do_not_install"]
247
+ },
248
+ "command": { "type": ["string", "null"] },
249
+ "agent_instruction": { "type": "string" },
250
+ "requires_user_confirmation": { "type": "boolean" },
251
+ "blocks_install": { "type": "boolean" }
252
+ },
253
+ "additionalProperties": false
254
+ },
255
+ "agent_decision_contract": {
256
+ "type": "object",
257
+ "required": [
258
+ "contract_version",
259
+ "install_allowed",
260
+ "automatic_install_allowed",
261
+ "user_confirmation_required",
262
+ "restrictions_required",
263
+ "submit_unknown_required",
264
+ "research_status_required_before_retry",
265
+ "outcome_report_required",
266
+ "feedback_requested",
267
+ "blocks_install",
268
+ "blocking_reasons",
269
+ "required_tools",
270
+ "allowed_outcomes",
271
+ "retry_policy",
272
+ "component_fingerprint_fields"
273
+ ],
274
+ "properties": {
275
+ "contract_version": { "type": "string" },
276
+ "install_allowed": { "type": "boolean" },
277
+ "automatic_install_allowed": { "type": "boolean" },
278
+ "user_confirmation_required": { "type": "boolean" },
279
+ "restrictions_required": { "type": "boolean" },
280
+ "submit_unknown_required": { "type": "boolean" },
281
+ "research_status_required_before_retry": { "type": "boolean" },
282
+ "outcome_report_required": { "type": "boolean" },
283
+ "feedback_requested": { "type": "boolean" },
284
+ "blocks_install": { "type": "boolean" },
285
+ "blocking_reasons": {
286
+ "type": "array",
287
+ "items": { "type": "string" }
288
+ },
289
+ "required_tools": {
290
+ "type": "array",
291
+ "items": { "type": "string" }
292
+ },
293
+ "allowed_outcomes": {
294
+ "type": "array",
295
+ "items": {
296
+ "type": "string",
297
+ "enum": ["installed", "blocked", "user_approved", "user_rejected", "restriction_applied", "failed", "skipped"]
298
+ }
299
+ },
300
+ "retry_policy": {
301
+ "type": "object",
302
+ "required": ["unknown_component", "decision_cache_ttl_hours"],
303
+ "properties": {
304
+ "unknown_component": { "type": "string" },
305
+ "decision_cache_ttl_hours": { "type": "number" }
306
+ },
307
+ "additionalProperties": true
308
+ },
309
+ "component_fingerprint_fields": {
310
+ "type": "object",
311
+ "required": ["component_name", "component_type", "source_url", "install_command"],
312
+ "properties": {
313
+ "component_name": { "type": ["string", "null"] },
314
+ "component_type": { "type": "string" },
315
+ "source_url": { "type": ["string", "null"] },
316
+ "install_command": { "type": ["string", "null"] }
317
+ },
318
+ "additionalProperties": true
319
+ },
320
+ "safe_install_plan_required": {
321
+ "type": "array",
322
+ "items": { "type": "string" }
323
+ },
324
+ "recommended_alternative_count": { "type": "integer" }
325
+ },
326
+ "additionalProperties": false
327
+ },
328
+ "agent_actions": {
329
+ "type": "array",
330
+ "items": {
331
+ "type": "object",
332
+ "required": ["id", "stage", "action_type", "required", "status", "instruction"],
333
+ "properties": {
334
+ "id": { "type": "string" },
335
+ "stage": {
336
+ "type": "string",
337
+ "enum": ["before_install", "after_decision"]
338
+ },
339
+ "action_type": {
340
+ "type": "string",
341
+ "enum": [
342
+ "record",
343
+ "call_asl_tool",
344
+ "apply_restrictions",
345
+ "ask_user",
346
+ "recommend_alternative"
347
+ ]
348
+ },
349
+ "required": { "type": "boolean" },
350
+ "status": { "type": "string" },
351
+ "instruction": { "type": "string" },
352
+ "tool": { "type": ["string", "null"] },
353
+ "arguments": { "type": "object", "additionalProperties": true },
354
+ "arguments_template": { "type": "object", "additionalProperties": true },
355
+ "checklist": {
356
+ "type": "array",
357
+ "items": { "type": "string" }
358
+ },
359
+ "alternatives": {
360
+ "type": "array",
361
+ "items": { "type": "string" }
362
+ }
363
+ },
364
+ "additionalProperties": false
365
+ }
366
+ },
367
+ "agent_instruction": { "type": "string" },
368
+ "intelligence_coverage": {
369
+ "type": "object",
370
+ "required": ["state", "reviewed", "cataloged", "source", "confidence"],
371
+ "properties": {
372
+ "state": {
373
+ "type": "string",
374
+ "enum": ["strict_reviewed", "curated_baseline", "monitored", "candidate", "unknown"]
375
+ },
376
+ "reviewed": { "type": "boolean" },
377
+ "strict_reviewed": { "type": "boolean" },
378
+ "curated_baseline": { "type": "boolean" },
379
+ "cataloged": { "type": "boolean" },
380
+ "monitored": { "type": "boolean" },
381
+ "source": { "type": "string" },
382
+ "confidence": {
383
+ "type": "string",
384
+ "enum": ["high", "medium_high", "medium", "low"]
385
+ },
386
+ "disclosure": { "type": ["string", "null"] },
387
+ "catalog": {
388
+ "type": ["object", "null"],
389
+ "additionalProperties": true
390
+ }
391
+ },
392
+ "additionalProperties": false
393
+ },
394
+ "unknown_component": {
395
+ "type": ["object", "null"],
396
+ "properties": {
397
+ "should_submit": { "type": "boolean" },
398
+ "submission_required": { "type": "boolean" },
399
+ "reason": { "type": "string" },
400
+ "submit_tool": { "type": "string" },
401
+ "research_status_tool": { "type": "string" },
402
+ "retry_policy": { "type": "string" },
403
+ "submission": {
404
+ "type": "object",
405
+ "properties": {
406
+ "queued": { "type": "boolean" },
407
+ "id": { "type": "string" },
408
+ "path": { "type": "string" }
409
+ },
410
+ "additionalProperties": true
411
+ }
412
+ },
413
+ "additionalProperties": true
414
+ },
415
+ "resolution": {
416
+ "type": "object",
417
+ "required": ["source", "checked_at", "local_fallback_used"],
418
+ "properties": {
419
+ "source": {
420
+ "type": "string",
421
+ "enum": ["asl_cloud", "local_fallback", "local_only"]
422
+ },
423
+ "api_url": { "type": "string" },
424
+ "checked_at": { "type": "string" },
425
+ "local_fallback_used": { "type": "boolean" },
426
+ "fallback_reason": { "type": ["string", "null"] }
427
+ },
428
+ "additionalProperties": false
429
+ }
430
+ },
431
+ "additionalProperties": false
432
+ }
package/schemas/agent-usage-event.schema.json ADDED
@@ -0,0 +1,45 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://agentsecuritylens.dev/schemas/agent-usage-event.schema.json",
4
+ "title": "AgentSecurityLens Agent Usage Event",
5
+ "type": "object",
6
+ "required": ["schema_version", "client", "event"],
7
+ "properties": {
8
+ "schema_version": { "type": "string" },
9
+ "client": {
10
+ "type": "object",
11
+ "properties": {
12
+ "name": { "type": "string" },
13
+ "agent_id": { "type": "string" },
14
+ "agent_name": { "type": "string" },
15
+ "client_type": { "type": "string" },
16
+ "mode": { "type": "string" },
17
+ "protocol": { "type": "string" },
18
+ "tier": { "type": "string" }
19
+ },
20
+ "additionalProperties": true
21
+ },
22
+ "event": {
23
+ "type": "object",
24
+ "required": ["event_type"],
25
+ "properties": {
26
+ "event_type": { "type": "string" },
27
+ "component_name": { "type": "string" },
28
+ "component_type": { "type": "string" },
29
+ "source_url": { "type": "string" },
30
+ "decision": { "type": "string" },
31
+ "outcome": { "type": "string" },
32
+ "restriction_applied": { "type": "boolean" },
33
+ "alternative_used": { "type": "string" },
34
+ "error_summary": { "type": "string" },
35
+ "recorded_at": { "type": "string" }
36
+ },
37
+ "additionalProperties": true
38
+ },
39
+ "privacy_policy": {
40
+ "type": "object",
41
+ "additionalProperties": true
42
+ }
43
+ },
44
+ "additionalProperties": true
45
+ }