agent-security-scanner-mcp 3.10.3 → 3.12.0

package/src/cli/audit.js

@@ -1,10 +1,11 @@
 // src/cli/audit.js — OpenClaw configuration security audit (stub)
 
 export async function runAudit(args) {
-  console.log('\n  Security Audit [EXPERIMENTAL STUB]\n');
+  const allowStub = args.includes('--allow-stub');
+
+  console.log('\n  Security Audit [NOT YET IMPLEMENTED]\n');
   console.log('  This command will check your OpenClaw configuration for security issues.');
-  console.log('  Full implementation coming in Sprint 3.\n');
-  console.log('  WARNING: This is an experimental stub. No actual checks are performed.\n');
+  console.log('  Implementation is in progress.\n');
   console.log('  Planned checks (60+):');
   console.log('    - Gateway: bind mode, auth, token strength, HTTPS, CORS');
   console.log('    - Permissions: config files, credentials, session transcripts');
@@ -15,4 +16,10 @@ export async function runAudit(args) {
   console.log('    - Plugins: unsigned, permissive, outdated');
   console.log('    - Credentials: plaintext secrets, exposed API keys\n');
   console.log('  OWASP ASI Top 10 mapping for all findings.\n');
+
+  if (!allowStub) {
+    console.error('  ERROR: audit is not yet implemented. No checks were performed.');
+    console.error('  Pass --allow-stub to suppress this error in CI.\n');
+    throw new Error('audit command is not yet implemented');
+  }
 }

package/src/cli/demo.js

@@ -4,6 +4,7 @@ import { join } from "path";
 import { createInterface } from "readline";
 import { dirname } from "path";
 import { fileURLToPath } from "url";
+import { resolvePythonCommand, pythonArgs } from "../python.js";
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -178,22 +179,11 @@ export async function runDemo(args) {
 
   // Run the analyzer
   const analyzerPath = join(__dirname, '..', '..', 'analyzer.py');
-  let pythonCmd = 'python3';
-  const py3 = checkCommand('python3', ['--version']);
-  if (!py3.ok) {
-    const py = checkCommand('python', ['--version']);
-    if (py.ok && py.output.includes('3.')) {
-      pythonCmd = 'python';
-    } else {
-      console.log(`  Error: Python 3 not found. Run "npx agent-security-scanner-mcp doctor" to diagnose.\n`);
-      unlinkSync(filepath);
-      process.exit(1);
-    }
-  }
+  const pythonCmd = resolvePythonCommand();
 
   let results;
   try {
-    const output = execFileSync(pythonCmd, [analyzerPath, filepath], { timeout: 30000, encoding: 'utf-8' });
+    const output = execFileSync(pythonCmd, [...pythonArgs(), analyzerPath, filepath], { timeout: 30000, encoding: 'utf-8' });
     results = JSON.parse(output);
   } catch (e) {
     console.log(`  Error running analyzer: ${e.message}\n`);

package/src/cli/doctor.js

@@ -4,6 +4,7 @@ import { dirname, join } from "path";
 import { homedir, platform } from "os";
 import { fileURLToPath } from "url";
 import { getDaemonClient } from '../daemon-client.js';
+import { resolvePythonCommand, pythonArgs } from '../python.js';
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -123,22 +124,23 @@ export async function runDoctor(args) {
     issues++;
   }
 
-  // 2. Python 3
+  // 2. Python 3 (uses the same resolver as the runtime)
   let pythonCmd = null;
-  const py3 = checkCommand('python3', ['--version']);
-  if (py3.ok) {
-    pythonCmd = 'python3';
-    console.log(`    \u2713 ${py3.output}`);
-  } else {
-    const py = checkCommand('python', ['--version']);
-    if (py.ok && py.output.includes('3.')) {
-      pythonCmd = 'python';
-      console.log(`    \u2713 ${py.output}`);
+  try {
+    pythonCmd = resolvePythonCommand();
+    const pyVer = checkCommand(pythonCmd, [...pythonArgs(), '--version']);
+    if (pyVer.ok) {
+      console.log(`    \u2713 ${pyVer.output} (resolved as '${pythonCmd}${pythonArgs().length ? ' ' + pythonArgs().join(' ') : ''}')`);
     } else {
+      pythonCmd = null;
       console.log(`    \u2717 Python 3 not found`);
       console.log(`      Install: https://python.org/downloads/`);
       issues++;
     }
+  } catch {
+    console.log(`    \u2717 Python 3 not found`);
+    console.log(`      Install: https://python.org/downloads/`);
+    issues++;
   }
 
   // 3. analyzer.py reachable
@@ -173,7 +175,7 @@ export async function runDoctor(args) {
 
   // 4. Python can import yaml (analyzer dependency check)
   if (pythonCmd && existsSync(analyzerPath)) {
-    const yamlCheck = checkCommand(pythonCmd, ['-c', 'import yaml; print("ok")']);
+    const yamlCheck = checkCommand(pythonCmd, [...pythonArgs(), '-c', 'import yaml; print("ok")']);
     if (yamlCheck.ok && yamlCheck.output === 'ok') {
       console.log(`    \u2713 Analyzer engine ready (PyYAML installed)`);
     } else {
@@ -184,7 +186,7 @@ export async function runDoctor(args) {
 
   // 5. tree-sitter AST engine (optional but recommended)
   if (pythonCmd) {
-    const tsCheck = checkCommand(pythonCmd, ['-c', 'import tree_sitter; print(tree_sitter.__version__)']);
+    const tsCheck = checkCommand(pythonCmd, [...pythonArgs(), '-c', 'import tree_sitter; print(tree_sitter.__version__)']);
     if (tsCheck.ok && tsCheck.output) {
       console.log(`    \u2713 AST engine ready (tree-sitter ${tsCheck.output})`);
     } else {
@@ -193,7 +195,7 @@ export async function runDoctor(args) {
         console.log(`      Installing tree-sitter dependencies...`);
         const requirementsPath = join(__dirname, '..', '..', 'requirements.txt');
         if (existsSync(requirementsPath)) {
-          const installResult = checkCommand(pythonCmd, ['-m', 'pip', 'install', '-r', requirementsPath, '--user', '--quiet']);
+          const installResult = checkCommand(pythonCmd, [...pythonArgs(), '-m', 'pip', 'install', '-r', requirementsPath, '--user', '--quiet']);
           if (installResult.ok) {
             console.log(`      \u2713 Fixed: tree-sitter dependencies installed — AST engine enabled`);
             fixed++;

package/src/cli/harden.js

@@ -1,10 +1,11 @@
 // src/cli/harden.js — OpenClaw auto-hardening (stub)
 
 export async function runHarden(args) {
-  console.log('\n  Auto-Hardening [EXPERIMENTAL STUB]\n');
+  const allowStub = args.includes('--allow-stub');
+
+  console.log('\n  Auto-Hardening [NOT YET IMPLEMENTED]\n');
   console.log('  This command will automatically fix security issues in your OpenClaw config.');
-  console.log('  Full implementation coming in Sprint 3.\n');
-  console.log('  WARNING: This is an experimental stub. No actions are performed.\n');
+  console.log('  Implementation is in progress.\n');
   console.log('  Planned actions:');
   console.log('    - Bind gateway to 127.0.0.1');
   console.log('    - Enable token authentication');
@@ -12,4 +13,10 @@ export async function runHarden(args) {
   console.log('    - Disable mDNS discovery');
   console.log('    - Remove plaintext credentials\n');
   console.log('  Usage: agent-security-scanner-mcp harden --fix [--dry-run]\n');
+
+  if (!allowStub) {
+    console.error('  ERROR: harden is not yet implemented. No actions were performed.');
+    console.error('  Pass --allow-stub to suppress this error in CI.\n');
+    throw new Error('harden command is not yet implemented');
+  }
 }

package/src/cli/init.js

@@ -1,6 +1,7 @@
 import { readFileSync, existsSync, writeFileSync, copyFileSync, mkdirSync } from "fs";
 import { spawnSync } from "child_process";
 import { dirname, join } from "path";
+import { fileURLToPath } from "url";
 import { homedir, platform } from "os";
 import { createInterface } from "readline";
 
@@ -167,8 +168,13 @@ async function installOpenClawSkill(client, flags) {
   const skillFile = client.configPath();
 
   // Find the source skill file (bundled with the package)
-  const __dirname = dirname(new URL(import.meta.url).pathname);
-  const sourceSkill = join(__dirname, '..', '..', 'skills', 'openclaw', 'SKILL.md');
+  let __initDir;
+  try {
+    __initDir = dirname(fileURLToPath(import.meta.url));
+  } catch {
+    __initDir = process.cwd();
+  }
+  const sourceSkill = join(__initDir, '..', '..', 'skills', 'openclaw', 'SKILL.md');
 
   console.log(`\n  Client:  ${client.name}`);
   console.log(`  Skill:   ${skillDir}`);
@@ -248,9 +254,9 @@ async function installCodexMCP(flags, serverName) {
   console.log(`  Config:  ~/.codex/config.toml (managed by codex CLI)`);
   console.log(`  OS:      ${platform()} (${process.arch})\n`);
 
-  // Check codex CLI is available
-  const which = spawnSync('which', ['codex'], { encoding: 'utf-8' });
-  if (which.status !== 0) {
+  // Check codex CLI is available (cross-platform: probe directly instead of using which/where)
+  const codexCheck = spawnSync('codex', ['--version'], { encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'] });
+  if (codexCheck.status !== 0 || codexCheck.error) {
     console.error(`  ERROR: 'codex' CLI not found in PATH.`);
     console.error(`  Install it first: https://github.com/openai/codex\n`);
     process.exit(1);