agent-security-lens 0.1.4 → 0.1.6

package/.dockerignore

@@ -0,0 +1,11 @@
+.git
+.agentsecuritylens
+.agentsecuritylens-test
+.asl-data-production-batch-20260615
+.npm-cache
+.release-worktree
+assessment-runs
+node_modules
+*.tgz
+*.log
+dist

package/.mcp/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.4",
+  "version": "0.1.6",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.4",
+      "version": "0.1.6",
       "transport": {
         "type": "stdio"
       },

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 0.1.6
+
+- Route `agent-security-lens review ...` to the quick pre-install decision CLI while preserving MCP stdio mode for normal agent configuration.
+- Prefer the package main command in quick-start docs so agents can call the same package they install as an MCP.
+
+## 0.1.5
+
+- Add `asl-review` and `agent-security-lens-review` quick decision commands for pre-install checks without configuring an MCP client first.
+- Add first-screen quick review instructions for agents and developers.
+- Record quick-review usage events so npm installs can convert into measurable ASL decision calls.
+
 ## 0.1.4
 
 - Add copy-ready MCP install snippets for Claude Desktop, Cursor, VS Code, Codex-style clients and generic MCP clients.

package/Dockerfile

@@ -0,0 +1,11 @@
+FROM node:22-alpine
+
+WORKDIR /app
+
+ENV NODE_ENV=production \
+    ASL_MODE=local \
+    ASL_DISABLE_CLOUD=1
+
+COPY . .
+
+CMD ["node", "./apps/mcp-server/agent-security-lens-mcp.mjs"]

package/README.md

@@ -8,6 +8,21 @@ ASL is not a malware verdict tool. It returns observable risk signals, required
 
 ## Agent Quick Install
 
+Try one pre-install decision first:
+
+```bash
+npx -y agent-security-lens review filesystem \
+  --type mcp \
+  --source-url https://github.com/modelcontextprotocol/servers \
+  --install-command "npx -y @modelcontextprotocol/server-filesystem ." \
+  --permission filesystem-read \
+  --permission filesystem-write
+```
+
+The command returns an agent-readable decision, trust score, risk signals, safe install plan, and whether automatic installation is allowed.
+
+If your shell does not expose npm temporary binaries correctly, use `npm install -g agent-security-lens` once, then run the same command without `npx -y`.
+
 Add ASL as a pre-install trust check MCP:
 
 ```json

package/RELEASE-MANIFEST.json

@@ -1,10 +1,15 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.4",
-  "generated_at": "2026-06-22T14:44:46.552Z",
+  "version": "0.1.6",
+  "generated_at": "2026-06-24T12:17:11.165Z",
   "source": "ASL verified public release exporter",
   "files": [
+    {
+      "path": ".dockerignore",
+      "bytes": 159,
+      "sha256": "78fb3128cefbfdc369a213140894c3ffb189cefe519569a0a6f06add6f4e160d"
+    },
     {
       "path": ".env.example",
       "bytes": 322,
@@ -43,7 +48,7 @@
     {
       "path": ".mcp/server.json",
       "bytes": 1316,
-      "sha256": "207a4751a1bce53409434134d14a9a7ee955aafe77aeb5c50c7448f832045675"
+      "sha256": "ccd53b1ecd798c344991cb136945a256b21e6b9929a594df08be8d4da4f9fcb3"
     },
     {
       "path": ".npmignore",
@@ -52,8 +57,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 2051,
-      "sha256": "b236067b6a60d16ae7ffc080030dc4b4d6a41ba2035e0de4c0f81bf3fe05f013"
+      "bytes": 2641,
+      "sha256": "2ed80a454a044e14aaf185d0b8498bc3d9abaec6ae78159416ceacec9b68227c"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -65,6 +70,11 @@
       "bytes": 620,
       "sha256": "b74ec3539a56b9af93cb25e59cdcb75ef1c9125611552d4bd6f7764d283e8736"
     },
+    {
+      "path": "Dockerfile",
+      "bytes": 179,
+      "sha256": "b00c41e62cdc82eb1a40d9a9fd25024a482f6b6a36c54e05c33ce41353b08e9a"
+    },
     {
       "path": "LICENSE",
       "bytes": 645,
@@ -77,8 +87,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 6626,
-      "sha256": "b19f05cbc38747ca63ccbd40595621a4dd618fe644bfff9d18e33cf290e33d5a"
+      "bytes": 7239,
+      "sha256": "23bfccd78e24d3bcd671d8eb1ea3228d38577145580aa9c8239e26634908bc89"
     },
     {
       "path": "SECURITY.md",
@@ -87,8 +97,13 @@
     },
     {
       "path": "apps/mcp-server/agent-security-lens-mcp.mjs",
-      "bytes": 15239,
-      "sha256": "612a1c12ed4a646d9208e8393ac0964b89b6034f5559d32f23a9217f1ff37376"
+      "bytes": 15475,
+      "sha256": "b52fd8db2d26868d5403664420b631f08e7e1616b787b61644d79b647c1884e7"
+    },
+    {
+      "path": "bin/agent-security-lens-review.mjs",
+      "bytes": 7016,
+      "sha256": "a11cfd8a70882c7d4ba4aa3af58f184db1acbfa4aa1a68e08f77ca4c232278f3"
     },
     {
       "path": "bin/agent-security-lens.mjs",
@@ -255,15 +270,20 @@
       "bytes": 224,
       "sha256": "003dd29edfdb95a22e2dee21b889c53f388c7188b4eb2b0e785d1fb7031a58f5"
     },
+    {
+      "path": "glama.json",
+      "bytes": 1109,
+      "sha256": "4f9f78280c53f256e2020d114afaef357f0ee899f87443d63bccd2e01e3ef950"
+    },
     {
       "path": "llms.txt",
-      "bytes": 1991,
-      "sha256": "4bf6ae7fdd917f8d45e097e65fef32d7c051f500dfcd922be087eab74a3bfebe"
+      "bytes": 2137,
+      "sha256": "b54be6efb874b5972956313a3c436edcb1f236de1e700ce7557cee6d940d43f6"
     },
     {
       "path": "package.json",
-      "bytes": 2156,
-      "sha256": "dbe2016295ba12a8f38dbf441dd1f908414ceb06e98cc0b6580adf3576045b09"
+      "bytes": 2568,
+      "sha256": "a56f3b0f99b1ebb8fc1e36524dc250ba79632c290ad2471adc197c41277f8e44"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -393,7 +413,7 @@
     {
       "path": "server.json",
       "bytes": 1316,
-      "sha256": "207a4751a1bce53409434134d14a9a7ee955aafe77aeb5c50c7448f832045675"
+      "sha256": "ccd53b1ecd798c344991cb136945a256b21e6b9929a594df08be8d4da4f9fcb3"
     },
     {
       "path": "src/assessment/assess.mjs",

package/apps/mcp-server/agent-security-lens-mcp.mjs

@@ -17,6 +17,11 @@ const serverInfo = {
   version: "0.1.0"
 };
 
+if (process.argv[2] === "review" || process.argv[2] === "quick-review" || process.argv[2] === "--help" || process.argv[2] === "-h") {
+  await import("../../bin/agent-security-lens-review.mjs");
+  process.exit(process.exitCode || 0);
+}
+
 const tools = [
   {
     name: "get_install_policy",

package/bin/agent-security-lens-review.mjs

@@ -0,0 +1,194 @@
+#!/usr/bin/env node
+
+import { recordUsageEvent, reviewBeforeInstall, submitUnknownComponent } from "../src/intelligence/component-intelligence.mjs";
+
+function printHelp() {
+  console.log(`AgentSecurityLens quick review
+
+Ask ASL for a pre-install decision without configuring an MCP client first.
+
+Usage:
+  asl-review <component-name> [--type <mcp|skill|tool|agent-framework|unknown>] [--source-url <url>]
+             [--install-command <command>] [--permission <id>] [--planned-use <text>]
+             [--submit-if-unknown] [--format console|json]
+
+Examples:
+  asl-review filesystem --type mcp --source-url https://github.com/modelcontextprotocol/servers \\
+    --install-command "npx -y @modelcontextprotocol/server-filesystem ." \\
+    --permission filesystem-read --permission filesystem-write
+
+  asl-review @modelcontextprotocol/server-filesystem --type mcp --format json
+`);
+}
+
+function readValue(argv, index, flag) {
+  const value = argv[index + 1];
+  if (!value || value.startsWith("--")) {
+    throw new Error(`Missing value for ${flag}`);
+  }
+  return value;
+}
+
+function parseArgs(argv) {
+  const args = {
+    component_name: null,
+    component_type: "unknown",
+    source_url: null,
+    install_command: null,
+    planned_use: null,
+    requested_permissions: [],
+    submit_if_unknown: false,
+    format: "console"
+  };
+
+  const rest = argv.slice(2);
+  if (rest[0] === "review" || rest[0] === "quick-review") rest.shift();
+  if (!rest.length || rest.includes("--help") || rest.includes("-h")) return { help: true };
+
+  args.component_name = rest[0];
+  for (let i = 1; i < rest.length; i += 1) {
+    const arg = rest[i];
+    if (arg === "--type") {
+      args.component_type = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--source-url") {
+      args.source_url = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--install-command") {
+      args.install_command = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--planned-use") {
+      args.planned_use = readValue(rest, i, arg);
+      i += 1;
+    } else if (arg === "--permission") {
+      args.requested_permissions.push(readValue(rest, i, arg));
+      i += 1;
+    } else if (arg === "--permissions") {
+      args.requested_permissions.push(
+        ...readValue(rest, i, arg)
+          .split(",")
+          .map((item) => item.trim())
+          .filter(Boolean)
+      );
+      i += 1;
+    } else if (arg === "--submit-if-unknown") {
+      args.submit_if_unknown = true;
+    } else if (arg === "--format") {
+      args.format = readValue(rest, i, arg);
+      i += 1;
+    } else {
+      throw new Error(`Unknown option: ${arg}`);
+    }
+  }
+
+  if (!args.component_name) throw new Error("Missing component name.");
+  if (!["console", "json"].includes(args.format)) throw new Error("Unsupported format. Use console or json.");
+  return args;
+}
+
+function compactList(items, max = 5) {
+  if (!Array.isArray(items) || !items.length) return "none";
+  const shown = items.slice(0, max);
+  const suffix = items.length > max ? `, +${items.length - max} more` : "";
+  return `${shown.join(", ")}${suffix}`;
+}
+
+function renderConsole({ review, submission, usage }) {
+  const component = review.component || {};
+  const contract = review.agent_decision_contract || {};
+  const oneStep = review.one_step_action || {};
+  const lines = [
+    "AgentSecurityLens pre-install decision",
+    "",
+    `Component: ${component.name || component.full_name || "unknown"} (${component.type || "unknown"})`,
+    `Coverage: ${review.intelligence_coverage?.state || component.intelligence_state || "unknown"} / ${
+      review.intelligence_coverage?.confidence || "unknown"
+    } confidence`,
+    `Decision: ${review.decision || "unknown"}`,
+    `Trust score: ${review.trust_score ?? "unknown"} / 100`,
+    `Risk level: ${review.risk_level || "unknown"}`,
+    `Risk signals: ${compactList(review.risk_signals)}`,
+    "",
+    `Automatic install allowed: ${contract.automatic_install_allowed === true ? "yes" : "no"}`,
+    `User confirmation required: ${contract.user_confirmation_required === false ? "no" : "yes"}`,
+    `One-step action: ${oneStep.action_type || review.next_action || "follow_agent_decision_contract"}`
+  ];
+
+  if (Array.isArray(review.safe_install_plan) && review.safe_install_plan.length) {
+    lines.push("", "Safe install plan:");
+    review.safe_install_plan.slice(0, 5).forEach((step, index) => lines.push(`  ${index + 1}. ${step}`));
+  }
+
+  const alternatives = review.recommended_alternatives || review.alternatives || [];
+  if (alternatives.length) {
+    lines.push("", "Recommended alternatives:");
+    alternatives.slice(0, 5).forEach((item, index) => {
+      const name = item.name || item.component_name || item.id || "unknown";
+      const reason = item.reason || item.rationale || item.summary || "";
+      lines.push(`  ${index + 1}. ${name}${reason ? ` - ${reason}` : ""}`);
+    });
+  }
+
+  if (submission) {
+    lines.push("", `Unknown submission: ${submission.status || "queued"} (${submission.id || "no id"})`);
+  }
+
+  lines.push("", `Usage telemetry: ${usage?.source || "local"} / ${usage?.status || (usage?.recorded ? "recorded" : "queued")}`);
+  lines.push("", review.agent_instruction || "Follow the returned decision before installing this component.");
+  return lines.join("\n");
+}
+
+async function main() {
+  const args = parseArgs(process.argv);
+  if (args.help) {
+    printHelp();
+    return;
+  }
+
+  const startedAt = Date.now();
+  const input = {
+    component_name: args.component_name,
+    component_type: args.component_type,
+    source_url: args.source_url,
+    install_command: args.install_command,
+    planned_use: args.planned_use,
+    requested_permissions: args.requested_permissions.length ? args.requested_permissions : undefined,
+    submit_if_unknown: args.submit_if_unknown
+  };
+
+  const review = await reviewBeforeInstall(input);
+  let submission = null;
+  if (
+    args.submit_if_unknown &&
+    (review.unknown_component?.should_submit || (review.component?.cataloged && !review.component?.reviewed))
+  ) {
+    submission = await submitUnknownComponent(input);
+  }
+
+  const usage = await recordUsageEvent({
+    event_type: "review_before_install",
+    source: "asl-review-cli",
+    recorded_at: new Date().toISOString(),
+    duration_ms: Date.now() - startedAt,
+    component_name: input.component_name,
+    component_type: input.component_type,
+    source_url: input.source_url,
+    install_command: input.install_command,
+    decision: review.decision || "unknown",
+    trust_score: review.trust_score ?? null,
+    risk_level: review.risk_level || null,
+    intelligence_state: review.intelligence_coverage?.state || review.component?.intelligence_state || "unknown"
+  });
+
+  const output = { review, submission, usage };
+  if (args.format === "json") {
+    console.log(JSON.stringify(output, null, 2));
+  } else {
+    console.log(renderConsole(output));
+  }
+}
+
+await main().catch((error) => {
+  console.error(error?.stack || String(error));
+  process.exitCode = 1;
+});

package/glama.json

@@ -0,0 +1,45 @@
+{
+  "$schema": "https://glama.ai/mcp/schemas/server.json",
+  "maintainers": [
+    "professor2k8"
+  ],
+  "name": "agent-security-lens",
+  "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",
+  "type": "mcp_server",
+  "status": "active",
+  "framework": "Model Context Protocol",
+  "tools": 10,
+  "transport": [
+    "stdio"
+  ],
+  "keywords": [
+    "agent-security",
+    "mcp-security",
+    "safe-install",
+    "trust-check",
+    "skill-security",
+    "tool-safety",
+    "security-audit",
+    "autonomous-agents"
+  ],
+  "features": {
+    "pre_install_review": {
+      "enabled": true,
+      "description": "Agents call review_before_install before installing MCPs, Skills or tools."
+    },
+    "decision_contract": {
+      "enabled": true,
+      "decisions": [
+        "allow",
+        "allow_with_restrictions",
+        "ask_user",
+        "avoid"
+      ]
+    },
+    "unknown_component_research": {
+      "enabled": true,
+      "description": "Unknown public components can be submitted for ASL research without sending private data."
+    }
+  }
+}
+

package/llms.txt

@@ -5,6 +5,9 @@ AgentSecurityLens (ASL) is an agent-facing security intelligence service.
 Primary use:
 Before installing or enabling any MCP, Skill, tool, prompt bundle or workflow, call the AgentSecurityLens MCP tool `review_before_install`.
 
+Quick pre-install review command:
+`npx -y agent-security-lens review <component-name> --type mcp --source-url <url> --install-command <command>`
+
 Public intelligence files:
 - docs/agent-install.md
 - docs/install-snippets/README.md

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-lens",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "private": false,
   "mcpName": "io.github.professor2k8/agent-security-lens",
   "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",
@@ -41,12 +41,15 @@
     "agent-security-lens-mcp": "./apps/mcp-server/agent-security-lens-mcp.mjs",
     "asl-mcp": "./apps/mcp-server/agent-security-lens-mcp.mjs",
     "asl-scan": "./bin/agent-security-lens.mjs",
-    "agent-security-lens-scan": "./bin/agent-security-lens.mjs"
+    "agent-security-lens-scan": "./bin/agent-security-lens.mjs",
+    "asl-review": "./bin/agent-security-lens-review.mjs",
+    "agent-security-lens-review": "./bin/agent-security-lens-review.mjs"
   },
   "scripts": {
     "assess:example": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like",
     "assess:json": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like --format json",
     "assess:markdown": "node ./bin/agent-security-lens.mjs assess ./examples/openclaw-like --profile openclaw-like --format markdown",
+    "review:example": "node ./bin/agent-security-lens-review.mjs filesystem --type mcp --source-url https://github.com/modelcontextprotocol/servers --install-command \"npx -y @modelcontextprotocol/server-filesystem .\" --permission filesystem-read --permission filesystem-write",
     "mcp:start": "node ./apps/mcp-server/agent-security-lens-mcp.mjs",
     "mcp:smoke": "node ./scripts/verify-mcp-server.mjs",
     "verify:registry": "node ./scripts/verify-registry.mjs",

package/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.4",
+  "version": "0.1.6",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.4",
+      "version": "0.1.6",
       "transport": {
         "type": "stdio"
       },