agentseal 0.5.2 → 0.6.1

package/dist/agentseal.js

@@ -1,4 +1,643 @@
 #!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/machine-discovery.ts
+var machine_discovery_exports = {};
+__export(machine_discovery_exports, {
+  PROJECT_MCP_CONFIGS: () => PROJECT_MCP_CONFIGS,
+  PROJECT_SKILL_DIRS: () => PROJECT_SKILL_DIRS,
+  PROJECT_SKILL_FILES: () => PROJECT_SKILL_FILES,
+  getWellKnownConfigs: () => getWellKnownConfigs,
+  scanDirectory: () => scanDirectory,
+  scanMachine: () => scanMachine,
+  stripJsonComments: () => stripJsonComments
+});
+import { readdirSync as readdirSync2, readFileSync as readFileSync3, statSync as statSync3 } from "fs";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname3, join as join4, resolve as resolve2 } from "path";
+function getWellKnownConfigs() {
+  const home = homedir4();
+  const appdata = process.platform === "win32" ? process.env.APPDATA ?? "" : null;
+  const p = (...parts) => join4(home, ...parts);
+  const ap = (...parts) => appdata ? join4(appdata, ...parts) : null;
+  const sys = process.platform === "darwin" ? "Darwin" : process.platform === "win32" ? "Windows" : "Linux";
+  const configs = [
+    {
+      name: "Claude Desktop",
+      agent_type: "claude-desktop",
+      paths: {
+        Darwin: p("Library", "Application Support", "Claude", "claude_desktop_config.json"),
+        Windows: ap("Claude", "claude_desktop_config.json"),
+        Linux: p(".config", "Claude", "claude_desktop_config.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Claude Code",
+      agent_type: "claude-code",
+      paths: { all: p(".claude.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Cursor",
+      agent_type: "cursor",
+      paths: { all: p(".cursor", "mcp.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Windsurf",
+      agent_type: "windsurf",
+      paths: {
+        Darwin: p(".codeium", "windsurf", "mcp_config.json"),
+        Windows: p(".codeium", "windsurf", "mcp_config.json"),
+        Linux: p(".codeium", "windsurf", "mcp_config.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "VS Code",
+      agent_type: "vscode",
+      paths: {
+        Darwin: p("Library", "Application Support", "Code", "User", "mcp.json"),
+        Windows: ap("Code", "User", "mcp.json"),
+        Linux: p(".config", "Code", "User", "mcp.json")
+      },
+      mcp_key: "servers",
+      format: "jsonc"
+    },
+    {
+      name: "Gemini CLI",
+      agent_type: "gemini-cli",
+      paths: { all: p(".gemini", "settings.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Codex CLI",
+      agent_type: "codex",
+      paths: { all: p(".codex", "config.toml") },
+      mcp_key: "mcp_servers",
+      format: "toml"
+    },
+    {
+      name: "OpenClaw",
+      agent_type: "openclaw",
+      paths: { all: p(".openclaw", "openclaw.json") },
+      mcp_key: "mcpServers",
+      format: "jsonc"
+    },
+    {
+      name: "Kiro",
+      agent_type: "kiro",
+      paths: { all: p(".kiro", "settings", "mcp.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "OpenCode",
+      agent_type: "opencode",
+      paths: {
+        Darwin: p(".config", "opencode", "opencode.json"),
+        Linux: p(".config", "opencode", "opencode.json"),
+        Windows: ap("opencode", "opencode.json")
+      },
+      mcp_key: "mcp"
+    },
+    {
+      name: "Continue",
+      agent_type: "continue",
+      paths: { all: p(".continue", "config.yaml") },
+      mcp_key: "mcpServers",
+      format: "yaml"
+    },
+    {
+      name: "Cline",
+      agent_type: "cline",
+      paths: {
+        Darwin: p("Library", "Application Support", "Code", "User", "globalStorage", "saoudrizwan.claude-dev", "settings", "cline_mcp_settings.json"),
+        Windows: ap("Code", "User", "globalStorage", "saoudrizwan.claude-dev", "settings", "cline_mcp_settings.json"),
+        Linux: p(".config", "Code", "User", "globalStorage", "saoudrizwan.claude-dev", "settings", "cline_mcp_settings.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Roo Code",
+      agent_type: "roo-code",
+      paths: {
+        Darwin: p("Library", "Application Support", "Code", "User", "globalStorage", "rooveterinaryinc.roo-cline", "settings", "mcp_settings.json"),
+        Windows: ap("Code", "User", "globalStorage", "rooveterinaryinc.roo-cline", "settings", "mcp_settings.json"),
+        Linux: p(".config", "Code", "User", "globalStorage", "rooveterinaryinc.roo-cline", "settings", "mcp_settings.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Kilo Code",
+      agent_type: "kilo-code",
+      paths: {
+        Darwin: p("Library", "Application Support", "Code", "User", "globalStorage", "kilocode.kilo", "mcp_settings.json"),
+        Windows: ap("Code", "User", "globalStorage", "kilocode.kilo", "mcp_settings.json"),
+        Linux: p(".config", "Code", "User", "globalStorage", "kilocode.kilo", "mcp_settings.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Zed",
+      agent_type: "zed",
+      paths: {
+        Darwin: p(".zed", "settings.json"),
+        Linux: p(".config", "zed", "settings.json"),
+        Windows: ap("Zed", "settings.json")
+      },
+      mcp_key: "context_servers",
+      format: "jsonc"
+    },
+    {
+      name: "Amp",
+      agent_type: "amp",
+      paths: {
+        Darwin: p(".config", "amp", "settings.json"),
+        Linux: p(".config", "amp", "settings.json"),
+        Windows: ap("amp", "settings.json")
+      },
+      mcp_key: "amp.mcpServers"
+    },
+    {
+      name: "Aider",
+      agent_type: "aider",
+      paths: { all: p(".aider.conf.yml") },
+      mcp_key: null
+    },
+    {
+      name: "Amazon Q",
+      agent_type: "amazon-q",
+      paths: { all: p(".aws", "amazonq", "mcp.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Copilot CLI",
+      agent_type: "copilot-cli",
+      paths: { all: p(".copilot", "mcp-config.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Junie",
+      agent_type: "junie",
+      paths: { all: p(".junie", "mcp", "mcp.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Goose",
+      agent_type: "goose",
+      paths: {
+        Darwin: p(".config", "goose", "config.yaml"),
+        Linux: p(".config", "goose", "config.yaml")
+      },
+      mcp_key: "extensions",
+      format: "yaml"
+    },
+    {
+      name: "Crush",
+      agent_type: "crush",
+      paths: { all: p(".config", "crush", "crush.json") },
+      mcp_key: "mcp"
+    },
+    {
+      name: "Qwen Code",
+      agent_type: "qwen-code",
+      paths: { all: p(".qwen", "settings.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Grok CLI",
+      agent_type: "grok-cli",
+      paths: { all: p(".grok", "user-settings.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Visual Studio",
+      agent_type: "visual-studio",
+      paths: { Windows: p(".mcp.json") },
+      mcp_key: "servers"
+    },
+    {
+      name: "Kimi CLI",
+      agent_type: "kimi-cli",
+      paths: { all: p(".kimi", "mcp.json") },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "Trae",
+      agent_type: "trae",
+      paths: {
+        Darwin: p("Library", "Application Support", "Trae", "mcp_config.json"),
+        Linux: p(".config", "Trae", "mcp_config.json")
+      },
+      mcp_key: "mcpServers"
+    },
+    {
+      name: "MaxClaw",
+      agent_type: "maxclaw",
+      paths: { all: p(".maxclaw", "config.json") },
+      mcp_key: "mcpServers"
+    }
+  ];
+  return configs.map((cfg) => ({
+    ...cfg,
+    paths: Object.fromEntries(
+      Object.entries(cfg.paths).filter(([, v]) => v !== null)
+    )
+  }));
+}
+function stripJsonComments(text) {
+  const result = [];
+  let i = 0;
+  const n = text.length;
+  while (i < n) {
+    if (text[i] === '"') {
+      let j = i + 1;
+      while (j < n) {
+        if (text[j] === "\\") {
+          j += 2;
+        } else if (text[j] === '"') {
+          j += 1;
+          break;
+        } else {
+          j += 1;
+        }
+      }
+      result.push(text.slice(i, j));
+      i = j;
+    } else if (text.slice(i, i + 2) === "//") {
+      while (i < n && text[i] !== "\n") i++;
+    } else if (text.slice(i, i + 2) === "/*") {
+      i += 2;
+      while (i < n - 1 && text.slice(i, i + 2) !== "*/") i++;
+      if (i < n - 1) i += 2;
+    } else {
+      result.push(text[i]);
+      i += 1;
+    }
+  }
+  return result.join("");
+}
+function isFile(p) {
+  try {
+    return statSync3(p).isFile();
+  } catch {
+    return false;
+  }
+}
+function isDir(p) {
+  try {
+    return statSync3(p).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function rglob2(dir, patterns) {
+  const results = [];
+  const _walk = (d) => {
+    let entries;
+    try {
+      entries = readdirSync2(d);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const full = join4(d, entry);
+      try {
+        const st = statSync3(full);
+        if (st.isDirectory()) {
+          _walk(full);
+        } else if (st.isFile()) {
+          for (const pat of patterns) {
+            if (pat === "*.md" && entry.endsWith(".md")) {
+              results.push(full);
+              break;
+            } else if (pat === "SKILL.md" && entry === "SKILL.md") {
+              results.push(full);
+              break;
+            } else if (entry === pat) {
+              results.push(full);
+              break;
+            }
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+  };
+  _walk(dir);
+  return results;
+}
+function globPrefix(dir, prefix) {
+  try {
+    return readdirSync2(dir).filter((f) => f.startsWith(prefix)).map((f) => join4(dir, f)).filter((f) => isFile(f));
+  } catch {
+    return [];
+  }
+}
+function readJsonSafe(path, format) {
+  try {
+    let raw = readFileSync3(path, "utf-8");
+    if (format === "jsonc") {
+      raw = stripJsonComments(raw);
+    }
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function extractMCPServers(data, mcpKey, sourceFile, agentType) {
+  if (mcpKey === null) return [];
+  let servers;
+  if (mcpKey.includes(".")) {
+    const parts = mcpKey.split(".");
+    let node = data;
+    for (const part of parts) {
+      node = node && typeof node === "object" ? node[part] : void 0;
+    }
+    servers = node ?? {};
+  } else {
+    servers = data[mcpKey] ?? {};
+  }
+  const results = [];
+  if (typeof servers === "object" && servers !== null && !Array.isArray(servers)) {
+    for (const [srvName, srvCfg] of Object.entries(servers)) {
+      if (typeof srvCfg !== "object" || srvCfg === null) continue;
+      const normalized = { ...srvCfg };
+      if ("cmd" in normalized && !("command" in normalized)) {
+        normalized.command = normalized.cmd;
+        delete normalized.cmd;
+      }
+      if ("envs" in normalized && !("env" in normalized)) {
+        normalized.env = normalized.envs;
+        delete normalized.envs;
+      }
+      results.push({
+        name: srvName,
+        source_file: sourceFile,
+        agent_type: agentType,
+        ...normalized
+      });
+    }
+  }
+  return results;
+}
+function scanMachine() {
+  const sys = process.platform === "darwin" ? "Darwin" : process.platform === "win32" ? "Windows" : "Linux";
+  const home = homedir4();
+  const configs = getWellKnownConfigs();
+  const agents = [];
+  const allMCPServers = [];
+  const allSkillPaths = [];
+  const seenSkillPaths = /* @__PURE__ */ new Set();
+  for (const cfg of configs) {
+    const path = cfg.paths[sys] ?? cfg.paths["all"] ?? null;
+    if (path === null) continue;
+    if (!isFile(path)) {
+      const dir = dirname3(path);
+      if (isDir(dir)) {
+        agents.push({
+          name: cfg.name,
+          config_path: dir,
+          agent_type: cfg.agent_type,
+          mcp_servers: 0,
+          skills_count: 0,
+          status: "installed_no_config"
+        });
+      } else {
+        agents.push({
+          name: cfg.name,
+          config_path: path,
+          agent_type: cfg.agent_type,
+          mcp_servers: 0,
+          skills_count: 0,
+          status: "not_installed"
+        });
+      }
+      continue;
+    }
+    if (cfg.format === "yaml" || cfg.format === "toml") {
+      agents.push({
+        name: cfg.name,
+        config_path: path,
+        agent_type: cfg.agent_type,
+        mcp_servers: 0,
+        skills_count: 0,
+        status: "found"
+      });
+      continue;
+    }
+    const data = readJsonSafe(path, cfg.format);
+    if (data === null) {
+      agents.push({
+        name: cfg.name,
+        config_path: path,
+        agent_type: cfg.agent_type,
+        mcp_servers: 0,
+        skills_count: 0,
+        status: "error"
+      });
+      continue;
+    }
+    const servers = extractMCPServers(data, cfg.mcp_key, path, cfg.agent_type);
+    allMCPServers.push(...servers);
+    agents.push({
+      name: cfg.name,
+      config_path: path,
+      agent_type: cfg.agent_type,
+      mcp_servers: servers.length,
+      skills_count: 0,
+      status: "found"
+    });
+  }
+  for (const skillDirRel of SKILL_DIRS) {
+    const skillDir = join4(home, skillDirRel);
+    if (isDir(skillDir)) {
+      for (const f of rglob2(skillDir, ["SKILL.md", "*.md"])) {
+        try {
+          if (statSync3(f).size > MAX_SKILL_SIZE) continue;
+        } catch {
+          continue;
+        }
+        const resolved = resolve2(f);
+        if (!seenSkillPaths.has(resolved)) {
+          seenSkillPaths.add(resolved);
+          allSkillPaths.push(f);
+        }
+      }
+    }
+  }
+  for (const skillFileRel of SKILL_FILES) {
+    const skillFile = join4(home, skillFileRel);
+    if (isFile(skillFile)) {
+      const resolved = resolve2(skillFile);
+      if (!seenSkillPaths.has(resolved)) {
+        seenSkillPaths.add(resolved);
+        allSkillPaths.push(skillFile);
+      }
+    }
+  }
+  let cwd;
+  try {
+    cwd = process.cwd();
+  } catch {
+    cwd = null;
+  }
+  if (cwd) {
+    _scanProjectDir(cwd, allMCPServers, allSkillPaths, seenSkillPaths);
+  }
+  const seenServers = /* @__PURE__ */ new Set();
+  const uniqueServers = [];
+  for (const srv of allMCPServers) {
+    const cmd = srv.command ?? srv.url ?? "";
+    const id = Array.isArray(cmd) ? cmd.join(" ") : String(cmd);
+    const key = `${srv.name}::${id}`;
+    if (!seenServers.has(key)) {
+      seenServers.add(key);
+      uniqueServers.push(srv);
+    }
+  }
+  return { agents, mcpServers: uniqueServers, skillPaths: allSkillPaths };
+}
+function scanDirectory(directory) {
+  const dir = resolve2(directory);
+  if (!isDir(dir)) return { agents: [], mcpServers: [], skillPaths: [] };
+  const mcpServers = [];
+  const skillPaths = [];
+  const seenSkillPaths = /* @__PURE__ */ new Set();
+  _scanProjectDir(dir, mcpServers, skillPaths, seenSkillPaths);
+  return { agents: [], mcpServers, skillPaths };
+}
+function _scanProjectDir(dir, mcpServers, skillPaths, seenSkillPaths) {
+  for (const [relPath, mcpKey, fmt] of PROJECT_MCP_CONFIGS) {
+    const mcpFile = join4(dir, relPath);
+    if (!isFile(mcpFile)) continue;
+    const data = readJsonSafe(mcpFile, fmt);
+    if (data === null) continue;
+    const servers = data[mcpKey];
+    if (typeof servers === "object" && servers !== null && !Array.isArray(servers)) {
+      for (const [srvName, srvCfg] of Object.entries(servers)) {
+        if (typeof srvCfg !== "object" || srvCfg === null) continue;
+        mcpServers.push({
+          name: srvName,
+          source_file: mcpFile,
+          agent_type: "project",
+          ...srvCfg
+        });
+      }
+    }
+  }
+  for (const skillFileRel of PROJECT_SKILL_FILES) {
+    const candidate = join4(dir, skillFileRel);
+    if (isFile(candidate)) {
+      const resolved = resolve2(candidate);
+      if (!seenSkillPaths.has(resolved)) {
+        seenSkillPaths.add(resolved);
+        skillPaths.push(candidate);
+      }
+    }
+  }
+  for (const f of globPrefix(dir, ".clinerules-")) {
+    const resolved = resolve2(f);
+    if (!seenSkillPaths.has(resolved)) {
+      seenSkillPaths.add(resolved);
+      skillPaths.push(f);
+    }
+  }
+  for (const skillDirRel of PROJECT_SKILL_DIRS) {
+    const skillDir = join4(dir, skillDirRel);
+    if (isDir(skillDir)) {
+      for (const f of rglob2(skillDir, ["*.md"])) {
+        const resolved = resolve2(f);
+        if (!seenSkillPaths.has(resolved)) {
+          seenSkillPaths.add(resolved);
+          skillPaths.push(f);
+        }
+      }
+    }
+  }
+}
+var MAX_SKILL_SIZE, PROJECT_MCP_CONFIGS, PROJECT_SKILL_FILES, PROJECT_SKILL_DIRS, SKILL_DIRS, SKILL_FILES;
+var init_machine_discovery = __esm({
+  "src/machine-discovery.ts"() {
+    "use strict";
+    MAX_SKILL_SIZE = 10 * 1024 * 1024;
+    PROJECT_MCP_CONFIGS = [
+      [".mcp.json", "mcpServers", null],
+      [".cursor/mcp.json", "mcpServers", null],
+      [".vscode/mcp.json", "servers", "jsonc"],
+      ["mcp_config.json", "servers", null],
+      ["mcp.json", "mcpServers", null],
+      [".kiro/settings/mcp.json", "mcpServers", null],
+      [".kilocode/mcp.json", "mcpServers", null],
+      [".roo/mcp.json", "mcpServers", null],
+      [".trae/mcp.json", "mcpServers", null],
+      [".amazonq/mcp.json", "mcpServers", null],
+      [".copilot/mcp-config.json", "mcpServers", null],
+      [".junie/mcp/mcp.json", "mcpServers", null],
+      [".grok/settings.json", "mcpServers", null]
+    ];
+    PROJECT_SKILL_FILES = [
+      ".cursorrules",
+      ".windsurfrules",
+      "CLAUDE.md",
+      ".claude/CLAUDE.md",
+      "AGENTS.md",
+      ".github/copilot-instructions.md",
+      "GEMINI.md",
+      ".junie/guidelines.md",
+      ".roomodes"
+    ];
+    PROJECT_SKILL_DIRS = [
+      ".cursor/rules",
+      ".roo/rules",
+      ".kiro/rules",
+      ".trae/rules",
+      ".junie/rules",
+      ".qwen/skills",
+      ".windsurf/rules"
+    ];
+    SKILL_DIRS = [
+      ".openclaw/skills",
+      ".openclaw/workspace/skills",
+      ".cursor/rules",
+      ".roo/rules",
+      ".continue/rules",
+      ".trae/rules",
+      ".kiro/rules",
+      ".qwen/skills"
+    ];
+    SKILL_FILES = [
+      ".cursorrules",
+      ".claude/CLAUDE.md",
+      ".github/copilot-instructions.md",
+      ".windsurfrules",
+      "AGENTS.md",
+      "CLAUDE.md",
+      "GEMINI.md"
+    ];
+  }
+});
 
 // bin/agentseal.ts
 import { Command } from "commander";
@@ -2455,7 +3094,7 @@ function semaphore(limit) {
         active++;
         return;
       }
-      await new Promise((resolve) => queue.push(resolve));
+      await new Promise((resolve4) => queue.push(resolve4));
       active++;
     },
     release() {
@@ -2967,105 +3606,2974 @@ function compareReports(baseline, current) {
 }
 
 // bin/agentseal.ts
-import { readFileSync, writeFileSync } from "fs";
-var VERSION = "0.1.0";
-function printBanner() {
-  const R = "\x1B[0m";
-  const D = "\x1B[90m";
-  const C = "\x1B[36m";
-  console.log();
-  console.log(`  ${C}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557${R}`);
-  console.log(`  ${C}\u2551         A G E N T S E A L             \u2551${R}`);
-  console.log(`  ${C}\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D${R}`);
-  console.log(`  ${D}v${VERSION}  Security Validator for AI Agents${R}`);
-  console.log();
+import { existsSync as existsSync5, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
+
+// src/guard.ts
+import { createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync6, statSync as statSync6 } from "fs";
+import { basename as basename3, extname } from "path";
+
+// src/baselines.ts
+import { createHash } from "crypto";
+import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import { dirname, join } from "path";
+function configFingerprint(server) {
+  const rawCmd = server.command ?? "";
+  const cmdStr = Array.isArray(rawCmd) ? rawCmd.join(" ") : String(rawCmd);
+  const parts = [
+    cmdStr,
+    JSON.stringify([...server.args ?? []].map(String).sort()),
+    JSON.stringify(Object.keys(server.env ?? {}).map(String).sort()),
+    server.url ?? "",
+    JSON.stringify(Object.keys(server.headers ?? {}).map(String).sort())
+  ];
+  return createHash("sha256").update(parts.join("|")).digest("hex");
 }
-function resolveApiKey(args) {
-  if (args.apiKey) return args.apiKey;
-  if (args.model?.startsWith("claude") || args.model?.startsWith("anthropic/")) {
-    return process.env["ANTHROPIC_API_KEY"];
-  }
-  return process.env["OPENAI_API_KEY"];
+function sanitizeName(name) {
+  return name.replace(/[^a-zA-Z0-9_-]/g, "_");
 }
-async function buildValidator(systemPrompt, args) {
-  const model = args.model;
-  if (!model) {
-    console.error("Error: --model is required when using --prompt or --file");
-    process.exit(1);
-  }
-  const commonOpts = {
-    agentName: args.name ?? "My Agent",
-    concurrency: args.concurrency ?? 3,
-    timeoutPerProbe: args.timeout ?? 30,
-    verbose: args.verbose ?? false,
-    adaptive: args.adaptive ?? false
+function rglob(dir, ext) {
+  const results = [];
+  const walk = (d) => {
+    try {
+      for (const entry of readdirSync(d, { withFileTypes: true })) {
+        const full = join(d, entry.name);
+        if (entry.isDirectory()) walk(full);
+        else if (entry.isFile() && entry.name.endsWith(ext)) results.push(full);
+      }
+    } catch {
+    }
   };
-  if (model.startsWith("ollama/")) {
-    const ollamaModel = model.replace("ollama/", "");
-    return AgentValidator.fromOllama({
-      model: ollamaModel,
-      systemPrompt,
-      baseUrl: args.ollamaUrl ?? "http://localhost:11434",
-      ...commonOpts
-    });
-  }
-  if (model.startsWith("claude")) {
-    const apiKey2 = resolveApiKey(args);
-    if (!apiKey2) {
-      console.error("Error: ANTHROPIC_API_KEY not found. Set via --api-key or env variable.");
-      process.exit(1);
+  walk(dir);
+  return results;
+}
+var BaselineStore = class {
+  _dir;
+  constructor(baselinesDir) {
+    this._dir = baselinesDir ?? join(homedir(), ".agentseal", "baselines");
+  }
+  _entryPath(agentType, serverName) {
+    return join(this._dir, sanitizeName(agentType), `${sanitizeName(serverName)}.json`);
+  }
+  /** Load a stored baseline entry. Returns null if not found. */
+  load(agentType, serverName) {
+    const path = this._entryPath(agentType, serverName);
+    if (!existsSync(path)) return null;
+    try {
+      const data = JSON.parse(readFileSync(path, "utf-8"));
+      return data;
+    } catch {
+      return null;
     }
-    const agentFn2 = async (message) => {
-      const res = await fetch("https://api.anthropic.com/v1/messages", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "x-api-key": apiKey2,
-          "anthropic-version": "2023-06-01"
-        },
-        body: JSON.stringify({
-          model,
-          max_tokens: 1024,
-          system: systemPrompt,
-          messages: [{ role: "user", content: message }]
-        })
+  }
+  /** Save a baseline entry to disk. */
+  save(entry) {
+    const path = this._entryPath(entry.agent_type, entry.server_name);
+    mkdirSync(dirname(path), { recursive: true });
+    writeFileSync(path, JSON.stringify(entry, null, 2), "utf-8");
+  }
+  /** Check a single MCP server against its stored baseline. */
+  checkServer(server) {
+    const name = server.name ?? "unknown";
+    const agentType = server.agent_type ?? "unknown";
+    const rawCmd = server.command ?? "";
+    const command = Array.isArray(rawCmd) ? rawCmd.join(" ") : String(rawCmd);
+    const args = (server.args ?? []).filter((a) => typeof a === "string");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const configHash = configFingerprint(server);
+    const existing = this.load(agentType, name);
+    if (existing === null) {
+      this.save({
+        server_name: name,
+        agent_type: agentType,
+        config_hash: configHash,
+        binary_hash: null,
+        binary_path: null,
+        command,
+        args,
+        first_seen: now,
+        last_verified: now
       });
-      const data = await res.json();
-      return data.content?.[0]?.text ?? "";
-    };
-    return new AgentValidator({
-      agentFn: agentFn2,
-      groundTruthPrompt: systemPrompt,
-      ...commonOpts
-    });
+      return {
+        server_name: name,
+        agent_type: agentType,
+        change_type: "new_server",
+        detail: `New MCP server '${name}' baselined.`
+      };
+    }
+    if (existing.config_hash !== configHash) {
+      const change = {
+        server_name: name,
+        agent_type: agentType,
+        change_type: "config_changed",
+        old_value: existing.config_hash.slice(0, 12),
+        new_value: configHash.slice(0, 12),
+        detail: `Config for '${name}' changed (command/args/env modified).`
+      };
+      existing.config_hash = configHash;
+      existing.command = command;
+      existing.args = args;
+      existing.last_verified = now;
+      this.save(existing);
+      return change;
+    }
+    existing.last_verified = now;
+    this.save(existing);
+    return null;
+  }
+  /** Check all servers. Returns list of changes (empty = no changes). */
+  checkAll(servers, includeNew = false) {
+    const changes = [];
+    for (const srv of servers) {
+      const change = this.checkServer(srv);
+      if (change === null) continue;
+      if (change.change_type === "new_server" && !includeNew) continue;
+      changes.push(change);
+    }
+    return changes;
   }
-  const apiKey = resolveApiKey(args);
-  if (!apiKey) {
-    console.error("Error: OPENAI_API_KEY not found. Set via --api-key or env variable.");
-    process.exit(1);
+  /** Remove all baselines. Returns count of entries removed. */
+  reset() {
+    let count = 0;
+    for (const f of rglob(this._dir, ".json")) {
+      try {
+        unlinkSync(f);
+        count++;
+      } catch {
+      }
+    }
+    return count;
   }
-  const agentFn = async (message) => {
-    const res = await fetch("https://api.openai.com/v1/chat/completions", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${apiKey}`
-      },
-      body: JSON.stringify({
-        model,
-        messages: [
-          { role: "system", content: systemPrompt },
-          { role: "user", content: message }
-        ]
-      })
-    });
-    const data = await res.json();
-    return data.choices?.[0]?.message?.content ?? "";
-  };
-  return new AgentValidator({
-    agentFn,
-    groundTruthPrompt: systemPrompt,
-    ...commonOpts
+  /** List all stored baseline entries. */
+  listEntries() {
+    const entries = [];
+    for (const f of rglob(this._dir, ".json")) {
+      try {
+        const data = JSON.parse(readFileSync(f, "utf-8"));
+        entries.push(data);
+      } catch {
+      }
+    }
+    return entries;
+  }
+};
+
+// src/blocklist.ts
+import { createHash as createHash2 } from "crypto";
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, statSync as statSync2, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+var SEED_HASHES = /* @__PURE__ */ new Set([
+  "854aa9bd5a641b03fcf2e4a26affb33057af3238a10a83e194c05384f371734f",
+  // credential-theft-cursorrules
+  "46315c1d4dcd39199c6d0e43985c5007c1156bc538e3a82ba9b2883f363eab35",
+  // markdown-image-exfil
+  "0b2ca8fedb87a97de9f5c462e09110febf887516dd62877d7e95a5556ef90905",
+  // reverse-shell-instruction
+  "2b5a339d00216894c7bd3620e008e5443f4e30b9e9883a2b15c082d076775084",
+  // curl-exfil-instruction
+  "eccb3a65c459a6b69223d38726e3fddb6184a6e7c52935148fdcd84961a6f9df",
+  // prompt-injection-override
+  "f554a511faaca2431265399a9d5b2f7184778b9521952dc757257dbe0aab2a46",
+  // supply-chain-install
+  "323b9121b6e320fb04bae89c963690069c5172dca017469be2917e5feaec886c",
+  // obfuscated-credential-theft
+  "4826c0e8aef00f902190ab32519e4533b7e4b725f46fb70156705ea8708a7385",
+  // social-engineering-exfil
+  "3951cdb38bbc37e28f98448e0478b93d319d892783efb23462b59fedea52189d",
+  // mcp-config-injection
+  "a7ddd5ce6c41055b4ef808810ac6f1b09dc4ae05eecc2f89dc64ac4682502d99",
+  // keylogger-instruction
+  "eab3b7330de3b61fae1b5cba738ae499424e1c45ef1b025c560cca410e6cd16b",
+  // crypto-miner-injection
+  "d71ceee36d1e136a5cddc0d5b416210d94635a71fa90f9ef817f4f74a7b21603"
+  // dns-exfil-instruction
+]);
+var Blocklist = class _Blocklist {
+  static REMOTE_URL = "https://agentseal.org/api/v1/blocklist/skills.json";
+  static CACHE_TTL = 3600;
+  // 1 hour in seconds
+  _hashes = new Set(SEED_HASHES);
+  _loaded = false;
+  _cacheDir;
+  _cachePath;
+  constructor(cacheDir) {
+    this._cacheDir = cacheDir ?? join2(homedir2(), ".agentseal");
+    this._cachePath = join2(this._cacheDir, "blocklist.json");
+  }
+  /** Override cache dir (useful for testing). */
+  setCacheDir(dir) {
+    this._cacheDir = dir;
+    this._cachePath = join2(dir, "blocklist.json");
+    this._loaded = false;
+    this._hashes = new Set(SEED_HASHES);
+  }
+  _load() {
+    if (this._loaded) return;
+    if (existsSync2(this._cachePath)) {
+      try {
+        const age = Date.now() / 1e3 - statSync2(this._cachePath).mtimeMs / 1e3;
+        if (age < _Blocklist.CACHE_TTL) {
+          this._loadFromFile(this._cachePath);
+          this._loaded = true;
+          return;
+        }
+      } catch {
+      }
+    }
+    if (this._tryRemoteFetch()) {
+      this._loaded = true;
+      return;
+    }
+    if (existsSync2(this._cachePath)) {
+      this._loadFromFile(this._cachePath);
+    }
+    this._loaded = true;
+  }
+  _loadFromFile(path) {
+    try {
+      const raw = readFileSync2(path, "utf-8");
+      const data = JSON.parse(raw);
+      for (const h of data.sha256_hashes ?? []) {
+        this._hashes.add(h);
+      }
+    } catch {
+    }
+  }
+  _tryRemoteFetch() {
+    return false;
+  }
+  /** Async remote fetch — call this once at startup if you want remote blocklist. */
+  async loadAsync() {
+    if (this._loaded) return;
+    if (existsSync2(this._cachePath)) {
+      try {
+        const age = Date.now() / 1e3 - statSync2(this._cachePath).mtimeMs / 1e3;
+        if (age < _Blocklist.CACHE_TTL) {
+          this._loadFromFile(this._cachePath);
+          this._loaded = true;
+          return;
+        }
+      } catch {
+      }
+    }
+    try {
+      const resp = await fetch(_Blocklist.REMOTE_URL, {
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        for (const h of data.sha256_hashes ?? []) {
+          this._hashes.add(h);
+        }
+        mkdirSync2(this._cacheDir, { recursive: true });
+        writeFileSync2(this._cachePath, JSON.stringify(data), "utf-8");
+        this._loaded = true;
+        return;
+      }
+    } catch {
+    }
+    if (existsSync2(this._cachePath)) {
+      this._loadFromFile(this._cachePath);
+    }
+    this._loaded = true;
+  }
+  /** Check if a SHA256 hash is in the blocklist. */
+  isBlocked(sha256) {
+    this._load();
+    return this._hashes.has(sha256.toLowerCase());
+  }
+  /** Number of hashes in the blocklist. */
+  get size() {
+    this._load();
+    return this._hashes.size;
+  }
+  /** Manually add hashes (for testing or seed data). */
+  addHashes(hashes) {
+    for (const h of hashes) {
+      this._hashes.add(h.toLowerCase());
+    }
+  }
+};
+
+// src/deobfuscate.ts
+var ZERO_WIDTH = /[\u200B\u200C\u200D\uFEFF\u00AD\u2060]/g;
+var TAG_CHARS = /[\u{E0001}-\u{E007F}]/gu;
+var VARIATION_SELECTORS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;
+var BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069\u200E\u200F]/g;
+var HTML_COMMENTS = /<!--[\s\S]*?-->/g;
+var INVISIBLE_CHARS = /[\u200B\u200C\u200D\uFEFF\u00AD\u2060\u{E0001}-\u{E007F}\uFE00-\uFE0F\u{E0100}-\u{E01EF}\u202A-\u202E\u2066-\u2069\u200E\u200F]/gu;
+var BASE64_BLOCK = /(?<=["'\s(]|^)([A-Za-z0-9+/=]{8,})(?=["'\s)]|$)/gm;
+var HEX_ESCAPE = /\\x([0-9A-Fa-f]{2})/g;
+var UNICODE_ESCAPE = /\\u([0-9A-Fa-f]{4})/g;
+var CONCAT_DOUBLE = /"([^"]*?)"\s*\+\s*"([^"]*?)"/g;
+var CONCAT_SINGLE = /'([^']*?)'\s*\+\s*'([^']*?)'/g;
+var SIMPLE_ESCAPES = {
+  "\\n": "\n",
+  "\\t": "	",
+  "\\r": "\r"
+};
+function stripZeroWidth(text) {
+  return text.replace(ZERO_WIDTH, "");
+}
+function stripTagChars(text) {
+  return text.replace(TAG_CHARS, "");
+}
+function stripVariationSelectors(text) {
+  return text.replace(VARIATION_SELECTORS, "");
+}
+function stripBidiControls(text) {
+  return text.replace(BIDI_CONTROLS, "");
+}
+function stripHtmlComments(text) {
+  return text.replace(HTML_COMMENTS, "");
+}
+function hasInvisibleChars(text) {
+  INVISIBLE_CHARS.lastIndex = 0;
+  return INVISIBLE_CHARS.test(text);
+}
+var CONFUSABLES = new Map([
+  // — Cyrillic uppercase —
+  ["\u0410", "A"],
+  ["\u0412", "B"],
+  ["\u0421", "C"],
+  ["\u0415", "E"],
+  ["\u041D", "H"],
+  ["\u0406", "I"],
+  ["\u0408", "J"],
+  ["\u041A", "K"],
+  ["\u041C", "M"],
+  ["\u041E", "O"],
+  ["\u0420", "P"],
+  ["\u0405", "S"],
+  ["\u0422", "T"],
+  ["\u0425", "X"],
+  ["\u0423", "Y"],
+  ["\u0417", "Z"],
+  // — Cyrillic lowercase —
+  ["\u0430", "a"],
+  ["\u0441", "c"],
+  ["\u0435", "e"],
+  ["\u04BB", "h"],
+  ["\u0456", "i"],
+  ["\u0458", "j"],
+  ["\u043E", "o"],
+  ["\u0440", "p"],
+  ["\u0455", "s"],
+  ["\u0445", "x"],
+  ["\u0443", "y"],
+  // — Greek uppercase —
+  ["\u0391", "A"],
+  ["\u0392", "B"],
+  ["\u0395", "E"],
+  ["\u0397", "H"],
+  ["\u0399", "I"],
+  ["\u039A", "K"],
+  ["\u039C", "M"],
+  ["\u039D", "N"],
+  ["\u039F", "O"],
+  ["\u03A1", "P"],
+  ["\u03A4", "T"],
+  ["\u03A7", "X"],
+  ["\u03A5", "Y"],
+  ["\u0396", "Z"],
+  // — Greek lowercase —
+  ["\u03BF", "o"],
+  ["\u03B1", "a"],
+  // — Cherokee —
+  ["\u13A0", "D"],
+  ["\u13A1", "R"],
+  ["\u13A2", "T"],
+  ["\u13AA", "G"],
+  ["\u13B3", "W"],
+  ["\u13D2", "S"],
+  ["\u13DA", "S"],
+  ["\uAB4E", "s"],
+  ["\uAB4F", "s"],
+  ["\uABA3", "s"],
+  ["\uABAA", "s"],
+  // — Turkish dotless i —
+  ["\u0131", "i"],
+  // — Small caps —
+  ["\u1D00", "A"],
+  ["\u0299", "B"],
+  ["\u1D04", "C"],
+  // — Fullwidth Latin uppercase A–Z (U+FF21–U+FF3A) —
+  ...Array.from({ length: 26 }, (_, i) => [
+    String.fromCharCode(65313 + i),
+    String.fromCharCode(65 + i)
+  ]),
+  // — Fullwidth Latin lowercase a–z (U+FF41–U+FF5A) —
+  ...Array.from({ length: 26 }, (_, i) => [
+    String.fromCharCode(65345 + i),
+    String.fromCharCode(97 + i)
+  ])
+]);
+function normalizeUnicode(text) {
+  let result = text.normalize("NFKC");
+  let out = "";
+  for (const ch of result) {
+    out += CONFUSABLES.get(ch) ?? ch;
+  }
+  return out;
+}
+function isPrintableText(decoded) {
+  let nonPrintable = 0;
+  for (const ch of decoded) {
+    const code = ch.codePointAt(0);
+    if (ch === "\n" || ch === "\r" || ch === "	" || ch === " ") continue;
+    if (code < 32 || code >= 127 && code <= 159) {
+      nonPrintable++;
+    }
+  }
+  return nonPrintable <= decoded.length * 0.1;
+}
+function decodeBase64Blocks(text) {
+  BASE64_BLOCK.lastIndex = 0;
+  return text.replace(BASE64_BLOCK, (fullMatch, token) => {
+    if (/^[a-z]+$/.test(token)) return fullMatch;
+    try {
+      const decoded = Buffer.from(token, "base64").toString("utf-8");
+      if (Buffer.from(decoded, "utf-8").toString("base64").replace(/=+$/, "") !== token.replace(/=+$/, "")) {
+        return fullMatch;
+      }
+      if (!isPrintableText(decoded)) return fullMatch;
+      const tokenStart = fullMatch.indexOf(token);
+      const prefix = fullMatch.slice(0, tokenStart);
+      const suffix = fullMatch.slice(tokenStart + token.length);
+      return prefix + decoded + suffix;
+    } catch {
+      return fullMatch;
+    }
+  });
+}
+function unescapeSequences(text) {
+  const PLACEHOLDER = "\0BKSL\0";
+  text = text.replaceAll("\\\\", PLACEHOLDER);
+  HEX_ESCAPE.lastIndex = 0;
+  text = text.replace(
+    HEX_ESCAPE,
+    (_m, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  UNICODE_ESCAPE.lastIndex = 0;
+  text = text.replace(
+    UNICODE_ESCAPE,
+    (_m, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  for (const [seq, char] of Object.entries(SIMPLE_ESCAPES)) {
+    text = text.replaceAll(seq, char);
+  }
+  text = text.replaceAll(PLACEHOLDER, "\\");
+  return text;
+}
+function expandStringConcat(text) {
+  let prev;
+  while (prev !== text) {
+    prev = text;
+    CONCAT_DOUBLE.lastIndex = 0;
+    text = text.replace(CONCAT_DOUBLE, '"$1$2"');
+    CONCAT_SINGLE.lastIndex = 0;
+    text = text.replace(CONCAT_SINGLE, "'$1$2'");
+  }
+  return text;
+}
+var NAMED_ENTITIES = {
+  amp: "&",
+  lt: "<",
+  gt: ">",
+  quot: '"',
+  apos: "'",
+  nbsp: "\xA0",
+  copy: "\xA9",
+  reg: "\xAE"
+};
+function decodeHtmlEntities(text) {
+  return text.replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16))).replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10))).replace(/&([a-zA-Z]+);/g, (match, name) => NAMED_ENTITIES[name.toLowerCase()] ?? match);
+}
+function _deobfuscatePass(text) {
+  text = stripZeroWidth(text);
+  text = stripTagChars(text);
+  text = stripVariationSelectors(text);
+  text = stripBidiControls(text);
+  text = stripHtmlComments(text);
+  text = decodeHtmlEntities(text);
+  text = normalizeUnicode(text);
+  text = decodeBase64Blocks(text);
+  text = unescapeSequences(text);
+  text = expandStringConcat(text);
+  return text;
+}
+function deobfuscate(text) {
+  text = _deobfuscatePass(text);
+  text = _deobfuscatePass(text);
+  return text;
+}
+
+// src/guard-models.ts
+var GuardVerdict = {
+  SAFE: "safe",
+  WARNING: "warning",
+  DANGER: "danger",
+  ERROR: "error"
+};
+function customFindingFromDict(d) {
+  return {
+    code: d.code ?? "",
+    title: d.title ?? "",
+    severity: d.severity ?? "medium",
+    verdict: d.verdict ?? "warning",
+    remediation: d.remediation ?? "",
+    rule_file: d.rule_file ?? "",
+    entity_type: d.entity_type ?? "",
+    entity_name: d.entity_name ?? ""
+  };
+}
+function deltaEntryToDict(e) {
+  const d = {
+    change_type: e.change_type,
+    entity_type: e.entity_type,
+    entity_name: e.entity_name
+  };
+  if (e.code) d.code = e.code;
+  if (e.title) d.title = e.title;
+  if (e.old_verdict) d.old_verdict = e.old_verdict;
+  if (e.new_verdict) d.new_verdict = e.new_verdict;
+  if (e.severity) d.severity = e.severity;
+  return d;
+}
+var DeltaResult = class {
+  previous_timestamp;
+  entries;
+  constructor(previous_timestamp, entries = []) {
+    this.previous_timestamp = previous_timestamp;
+    this.entries = entries;
+  }
+  get total_new() {
+    return this.entries.filter(
+      (e) => e.change_type === "new" || e.change_type === "new_entity"
+    ).length;
+  }
+  get total_resolved() {
+    return this.entries.filter(
+      (e) => e.change_type === "resolved" || e.change_type === "removed_entity"
+    ).length;
+  }
+  get total_changed() {
+    return this.entries.filter((e) => e.change_type === "changed").length;
+  }
+  toDict() {
+    return {
+      previous_timestamp: this.previous_timestamp,
+      entries: this.entries.map(deltaEntryToDict),
+      total_new: this.total_new,
+      total_resolved: this.total_resolved,
+      total_changed: this.total_changed
+    };
+  }
+};
+function countVerdict(skills, mcp, runtime, verdict) {
+  return skills.filter((s) => s.verdict === verdict).length + mcp.filter((m) => m.verdict === verdict).length + runtime.filter((r) => r.verdict === verdict).length;
+}
+function totalDangers(report) {
+  return countVerdict(report.skill_results, report.mcp_results, report.mcp_runtime_results, GuardVerdict.DANGER);
+}
+function totalWarnings(report) {
+  return countVerdict(report.skill_results, report.mcp_results, report.mcp_runtime_results, GuardVerdict.WARNING);
+}
+function totalSafe(report) {
+  return countVerdict(report.skill_results, report.mcp_results, report.mcp_runtime_results, GuardVerdict.SAFE);
+}
+function guardReportFromDict(d) {
+  return {
+    timestamp: d.timestamp ?? "",
+    duration_seconds: d.duration_seconds ?? 0,
+    agents_found: d.agents_found ?? [],
+    skill_results: d.skill_results ?? [],
+    mcp_results: (d.mcp_results ?? []).map((m) => ({
+      ...m,
+      registry_score: m.registry?.score ?? m.registry_score,
+      registry_level: m.registry?.level ?? m.registry_level,
+      registry_findings_count: m.registry?.findings_count ?? m.registry_findings_count
+    })),
+    mcp_runtime_results: d.mcp_runtime_results ?? [],
+    toxic_flows: d.toxic_flows ?? [],
+    baseline_changes: d.baseline_changes ?? [],
+    llm_tokens_used: d.llm_tokens_used ?? 0,
+    unlisted_findings: d.unlisted_findings ?? [],
+    custom_findings: (d.custom_findings ?? []).map(customFindingFromDict),
+    config_path: d.config_path ?? ""
+  };
+}
+
+// src/history.ts
+import { createRequire } from "module";
+import { homedir as homedir3 } from "os";
+import { resolve, dirname as dirname2, join as join3 } from "path";
+import { mkdirSync as mkdirSync3 } from "fs";
+var _require = createRequire(import.meta.url);
+var Database = null;
+try {
+  Database = _require("better-sqlite3");
+} catch {
+}
+function normalizeSkillPath(skillPath, scanPath) {
+  const p = skillPath.replace(/\\/g, "/");
+  const home = homedir3().replace(/\\/g, "/");
+  if (p.startsWith(home + "/")) {
+    return "~/" + p.slice(home.length + 1);
+  }
+  if (scanPath) {
+    const sp = scanPath.replace(/\\/g, "/");
+    if (p.startsWith(sp + "/")) {
+      return p.slice(sp.length + 1);
+    }
+  }
+  const parts = p.split("/").filter(Boolean);
+  return parts.length >= 2 ? parts.slice(-2).join("/") : parts[parts.length - 1] || p;
+}
+var HistoryStore = class {
+  db = null;
+  maxRows = 1e3;
+  retentionDays = 90;
+  constructor(dbPath, maxRows = 1e3, retentionDays = 90) {
+    if (!Database) return;
+    this.maxRows = maxRows;
+    this.retentionDays = retentionDays;
+    const finalPath = dbPath ?? join3(homedir3(), ".agentseal", "history.db");
+    mkdirSync3(dirname2(finalPath), { recursive: true });
+    this.db = new Database(finalPath);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS guard_scans (
+        id INTEGER PRIMARY KEY,
+        timestamp TEXT NOT NULL,
+        scan_path TEXT,
+        report_json TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_scope ON guard_scans(scan_path, timestamp);
+    `);
+  }
+  /**
+   * Save a guard report to the history store.
+   */
+  save(report, scanPath) {
+    if (!this.db) return;
+    const normalizedPath = scanPath !== void 0 ? resolve(scanPath) : null;
+    const insert = this.db.prepare(
+      "INSERT INTO guard_scans (timestamp, scan_path, report_json) VALUES (?, ?, ?)"
+    );
+    const tx = this.db.transaction(() => {
+      insert.run(
+        report.timestamp,
+        normalizedPath,
+        JSON.stringify(report)
+      );
+    });
+    tx();
+    this.prune();
+  }
+  /**
+   * Load the previous report (second-most-recent) for a given scan path.
+   * Returns null if fewer than 2 entries exist or on any error.
+   */
+  loadPrevious(scanPath) {
+    if (!this.db) return null;
+    try {
+      const normalizedPath = scanPath !== void 0 ? resolve(scanPath) : null;
+      let row;
+      if (normalizedPath === null) {
+        row = this.db.prepare(
+          "SELECT report_json FROM guard_scans WHERE scan_path IS NULL ORDER BY timestamp DESC LIMIT 1 OFFSET 1"
+        ).get();
+      } else {
+        row = this.db.prepare(
+          "SELECT report_json FROM guard_scans WHERE scan_path = ? ORDER BY timestamp DESC LIMIT 1 OFFSET 1"
+        ).get(normalizedPath);
+      }
+      if (!row) return null;
+      const parsed = JSON.parse(row.report_json);
+      return guardReportFromDict(parsed);
+    } catch (err) {
+      process.stderr.write(
+        `[agentseal] warning: failed to load previous report: ${err}
+`
+      );
+      return null;
+    }
+  }
+  /**
+   * Remove stale entries: older than retentionDays, or exceeding maxRows.
+   */
+  prune() {
+    if (!this.db) return;
+    const cutoff = new Date(
+      Date.now() - this.retentionDays * 864e5
+    ).toISOString();
+    this.db.prepare("DELETE FROM guard_scans WHERE timestamp < ?").run(cutoff);
+    this.db.prepare(
+      `DELETE FROM guard_scans WHERE id NOT IN (
+          SELECT id FROM guard_scans ORDER BY timestamp DESC LIMIT ?
+        )`
+    ).run(this.maxRows);
+  }
+  /**
+   * Return the total number of rows in the store. For test assertions.
+   */
+  _count() {
+    if (!this.db) return 0;
+    const row = this.db.prepare("SELECT COUNT(*) as cnt FROM guard_scans").get();
+    return row?.cnt ?? 0;
+  }
+  /**
+   * Close the database connection.
+   */
+  close() {
+    if (this.db) {
+      this.db.close();
+      this.db = null;
+    }
+  }
+};
+function skillMap(skills, scanPath) {
+  const m = /* @__PURE__ */ new Map();
+  for (const s of skills) {
+    m.set(normalizeSkillPath(s.path, scanPath), s);
+  }
+  return m;
+}
+function mcpMap(mcps, scanPath) {
+  const m = /* @__PURE__ */ new Map();
+  for (const mcp of mcps) {
+    const key = `${mcp.name}:${normalizeSkillPath(mcp.source_file, scanPath)}`;
+    m.set(key, mcp);
+  }
+  return m;
+}
+function activeAgents(agents) {
+  return agents.filter(
+    (a) => a.status === "found" || a.status === "installed_no_config"
+  );
+}
+function computeDelta(current, previous, scanPath) {
+  const entries = [];
+  const curSkills = skillMap(current.skill_results, scanPath);
+  const prevSkills = skillMap(previous.skill_results, scanPath);
+  for (const [key, curSkill] of curSkills) {
+    const prevSkill = prevSkills.get(key);
+    if (!prevSkill) {
+      entries.push({
+        change_type: "new_entity",
+        entity_type: "skill",
+        entity_name: key
+      });
+      continue;
+    }
+    const curCodes = new Set(curSkill.findings.map((f) => f.code));
+    const prevCodes = new Set(prevSkill.findings.map((f) => f.code));
+    for (const f of curSkill.findings) {
+      if (!prevCodes.has(f.code)) {
+        entries.push({
+          change_type: "new",
+          entity_type: "skill",
+          entity_name: key,
+          code: f.code,
+          title: f.title,
+          severity: f.severity
+        });
+      }
+    }
+    for (const f of prevSkill.findings) {
+      if (!curCodes.has(f.code)) {
+        entries.push({
+          change_type: "resolved",
+          entity_type: "skill",
+          entity_name: key,
+          code: f.code,
+          title: f.title,
+          severity: f.severity
+        });
+      }
+    }
+    const hasNewFindings = curSkill.findings.some(
+      (f) => !prevCodes.has(f.code)
+    );
+    const hasResolvedFindings = prevSkill.findings.some(
+      (f) => !curCodes.has(f.code)
+    );
+    if (!hasNewFindings && !hasResolvedFindings && curSkill.verdict !== prevSkill.verdict) {
+      entries.push({
+        change_type: "changed",
+        entity_type: "skill",
+        entity_name: key,
+        old_verdict: prevSkill.verdict,
+        new_verdict: curSkill.verdict
+      });
+    }
+  }
+  for (const [key] of prevSkills) {
+    if (!curSkills.has(key)) {
+      entries.push({
+        change_type: "removed_entity",
+        entity_type: "skill",
+        entity_name: key
+      });
+    }
+  }
+  const curMcps = mcpMap(current.mcp_results, scanPath);
+  const prevMcps = mcpMap(previous.mcp_results, scanPath);
+  for (const [key, curMcp] of curMcps) {
+    const prevMcp = prevMcps.get(key);
+    if (!prevMcp) {
+      entries.push({
+        change_type: "new_entity",
+        entity_type: "mcp_server",
+        entity_name: key
+      });
+      continue;
+    }
+    const curCodes = new Set(curMcp.findings.map((f) => f.code));
+    const prevCodes = new Set(prevMcp.findings.map((f) => f.code));
+    for (const f of curMcp.findings) {
+      if (!prevCodes.has(f.code)) {
+        entries.push({
+          change_type: "new",
+          entity_type: "mcp_server",
+          entity_name: key,
+          code: f.code,
+          title: f.title,
+          severity: f.severity
+        });
+      }
+    }
+    for (const f of prevMcp.findings) {
+      if (!curCodes.has(f.code)) {
+        entries.push({
+          change_type: "resolved",
+          entity_type: "mcp_server",
+          entity_name: key,
+          code: f.code,
+          title: f.title,
+          severity: f.severity
+        });
+      }
+    }
+    const hasNewFindings = curMcp.findings.some(
+      (f) => !prevCodes.has(f.code)
+    );
+    const hasResolvedFindings = prevMcp.findings.some(
+      (f) => !curCodes.has(f.code)
+    );
+    if (!hasNewFindings && !hasResolvedFindings && curMcp.verdict !== prevMcp.verdict) {
+      entries.push({
+        change_type: "changed",
+        entity_type: "mcp_server",
+        entity_name: key,
+        old_verdict: prevMcp.verdict,
+        new_verdict: curMcp.verdict
+      });
+    }
+  }
+  for (const [key] of prevMcps) {
+    if (!curMcps.has(key)) {
+      entries.push({
+        change_type: "removed_entity",
+        entity_type: "mcp_server",
+        entity_name: key
+      });
+    }
+  }
+  const curAgents = activeAgents(current.agents_found);
+  const prevAgents = activeAgents(previous.agents_found);
+  const curAgentTypes = new Set(curAgents.map((a) => a.agent_type));
+  const prevAgentTypes = new Set(prevAgents.map((a) => a.agent_type));
+  for (const agentType of curAgentTypes) {
+    if (!prevAgentTypes.has(agentType)) {
+      entries.push({
+        change_type: "new_entity",
+        entity_type: "agent",
+        entity_name: agentType
+      });
+    }
+  }
+  for (const agentType of prevAgentTypes) {
+    if (!curAgentTypes.has(agentType)) {
+      entries.push({
+        change_type: "removed_entity",
+        entity_type: "agent",
+        entity_name: agentType
+      });
+    }
+  }
+  return new DeltaResult(previous.timestamp, entries);
+}
+
+// src/guard.ts
+init_machine_discovery();
+
+// src/mcp-checker.ts
+import { realpathSync } from "fs";
+import { homedir as homedir5 } from "os";
+import { basename as basename2 } from "path";
+var SENSITIVE_PATHS = [
+  [".ssh", "SSH private keys"],
+  [".aws", "AWS credentials"],
+  [".gnupg", "GPG private keys"],
+  [".config/gh", "GitHub CLI credentials"],
+  [".npmrc", "NPM auth tokens"],
+  [".pypirc", "PyPI credentials"],
+  [".docker", "Docker credentials"],
+  [".kube", "Kubernetes credentials"],
+  [".netrc", "Network login credentials"],
+  [".bitcoin", "Bitcoin wallet"],
+  [".ethereum", "Ethereum wallet"],
+  ["Library/Keychains", "macOS Keychain"],
+  [".gitconfig", "Git credentials"],
+  [".clawdbot/.env", "OpenClaw credentials"],
+  [".openclaw/.env", "OpenClaw credentials"]
+];
+var CREDENTIAL_PATTERNS = [
+  [/sk-(?:proj-)?[a-zA-Z0-9]{20,}/, "OpenAI API key"],
+  [/sk_live_[a-zA-Z0-9]+/, "Stripe live key"],
+  [/sk_test_[a-zA-Z0-9]+/, "Stripe test key"],
+  [/AKIA[0-9A-Z]{16}/, "AWS access key"],
+  [/ghp_[a-zA-Z0-9]{36}/, "GitHub personal token"],
+  [/gho_[a-zA-Z0-9]{36}/, "GitHub OAuth token"],
+  [/xoxb-[a-zA-Z0-9-]+/, "Slack bot token"],
+  [/xoxp-[a-zA-Z0-9-]+/, "Slack user token"],
+  [/glpat-[a-zA-Z0-9_-]{20,}/, "GitLab personal token"],
+  [/SG\.[a-zA-Z0-9_-]{22,}/, "SendGrid API key"],
+  [/sk-ant-api03-[A-Za-z0-9_-]{90,}/, "Anthropic API key"],
+  [/AIza[A-Za-z0-9_-]{35}/, "Google/Gemini API key"],
+  [/gsk_[A-Za-z0-9]{20,}/, "Groq API key"],
+  [/co-[A-Za-z0-9]{20,}/, "Cohere API key"],
+  [/r8_[A-Za-z0-9]{20,}/, "Replicate API token"],
+  [/hf_[A-Za-z0-9]{20,}/, "HuggingFace token"],
+  [/pcsk_[A-Za-z0-9_-]{20,}/, "Pinecone API key"],
+  [/sbp_[a-f0-9]{40,}/, "Supabase token"],
+  [/vercel_[A-Za-z0-9_-]{20,}/, "Vercel token"],
+  [/fw_[A-Za-z0-9]{20,}/, "Fireworks API key"],
+  [/pplx-[a-f0-9]{48,}/, "Perplexity API key"],
+  [/SK[a-f0-9]{32}/, "Twilio API key"],
+  [/dd[a-z][a-f0-9]{40}/, "Datadog API key"],
+  [/el_[A-Za-z0-9]{20,}/, "ElevenLabs API key"],
+  [/voyage-[A-Za-z0-9_-]{20,}/, "Voyage AI key"],
+  [/tog-[A-Za-z0-9]{20,}/, "Together AI key"],
+  [/csk-[A-Za-z0-9]{20,}/, "Cerebras API key"],
+  [/v1\.0-[a-f0-9]{24}-[a-f0-9]{64,}/, "Cloudflare API token"],
+  [/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, "PEM private key"]
+];
+var KNOWN_MALICIOUS_PACKAGES = /* @__PURE__ */ new Set([
+  "crossenv",
+  "d3.js",
+  "fabric-js",
+  "ffmepg",
+  "grequsts",
+  "http-proxy.js",
+  "mariadb",
+  "mssql-node",
+  "mssql.js",
+  "mysqljs",
+  "node-fabric",
+  "node-opencv",
+  "node-opensl",
+  "node-openssl",
+  "nodecaffe",
+  "nodefabric",
+  "nodeffmpeg",
+  "nodemailer-js",
+  "nodemssql",
+  "noderequest",
+  "nodesass",
+  "nodesqlite",
+  "opencv.js",
+  "openssl.js",
+  "proxy.js",
+  "shadowsock",
+  "smb",
+  "sqlite.js",
+  "sqliter",
+  "sqlserver",
+  "tkinter"
+]);
+var DANGEROUS_SHELLS = /* @__PURE__ */ new Set(["bash", "sh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
+var SHELL_META = /[;|&`$()]/;
+var HTTP_NON_LOCAL = /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])/;
+function shannonEntropy(s) {
+  if (!s) return 0;
+  const freq = {};
+  for (const c of s) {
+    freq[c] = (freq[c] ?? 0) + 1;
+  }
+  const len = s.length;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function verdictFromFindings(findings) {
+  if (findings.length === 0) return GuardVerdict.SAFE;
+  if (findings.some((f) => f.severity === "critical")) return GuardVerdict.DANGER;
+  if (findings.some((f) => f.severity === "high" || f.severity === "medium")) return GuardVerdict.WARNING;
+  return GuardVerdict.SAFE;
+}
+var MCPConfigChecker = class {
+  /** Check a single MCP server config dict for security issues. */
+  check(server) {
+    const name = server.name ?? "unknown";
+    const rawCmd = server.command ?? "";
+    let command;
+    let args;
+    if (Array.isArray(rawCmd)) {
+      command = String(rawCmd[0] ?? "");
+      args = [...rawCmd.slice(1).map(String), ...server.args ?? []];
+    } else {
+      command = String(rawCmd);
+      args = server.args ?? [];
+    }
+    const env = server.env ?? {};
+    const source = server.source_file ?? "";
+    const url = server.url ?? "";
+    const findings = [];
+    findings.push(...this._checkSensitivePaths(name, args));
+    findings.push(...this._checkEnvCredentials(name, env));
+    findings.push(...this._checkBroadAccess(name, args));
+    findings.push(...this._checkInsecureUrls(name, args, env));
+    if (url) findings.push(...this._checkHttpServer(name, server));
+    findings.push(...this._checkSupplyChain(name, command, args));
+    findings.push(...this._checkCommandInjection(name, command, args));
+    findings.push(...this._checkMissingAuth(name, server));
+    findings.push(...this._checkKnownCVEs(name, server));
+    findings.push(...this._checkHighEntropySecrets(name, env));
+    const verdict = verdictFromFindings(findings);
+    return {
+      name,
+      command: command || url,
+      source_file: source,
+      verdict,
+      findings
+    };
+  }
+  /** Check multiple MCP server configs. */
+  checkAll(servers) {
+    return servers.map((s) => this.check(s));
+  }
+  // ── Individual checks ──────────────────────────────────────────────
+  _checkSensitivePaths(name, args) {
+    const findings = [];
+    const home = homedir5();
+    const resolvedArgs = args.map((a) => {
+      try {
+        return realpathSync(a);
+      } catch {
+        return a;
+      }
+    });
+    for (const arg of resolvedArgs) {
+      if (typeof arg !== "string") continue;
+      const expanded = arg.startsWith("~") ? home + arg.slice(1) : arg;
+      for (const [suffix, description] of SENSITIVE_PATHS) {
+        const full = `${home}/${suffix}`;
+        if (expanded.includes(full) || arg.includes(suffix)) {
+          findings.push({
+            code: "MCP-001",
+            title: `Access to ${description}`,
+            description: `MCP server '${name}' has filesystem access to ${suffix} (${description}). This is a critical security risk.`,
+            severity: "critical",
+            remediation: `Restrict '${name}' MCP server: remove ${suffix} from allowed paths. It does not need access to ${description}.`
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkEnvCredentials(name, env) {
+    const findings = [];
+    for (const [envKey, envValue] of Object.entries(env)) {
+      if (typeof envValue !== "string") continue;
+      if (envValue.startsWith("${") || envValue.startsWith("$")) continue;
+      for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(envValue)) {
+          const redacted = envValue.length > 14 ? envValue.slice(0, 6) + "..." + envValue.slice(-4) : "***";
+          findings.push({
+            code: "MCP-002",
+            title: `Hardcoded ${credType}`,
+            description: `MCP server '${name}' has a hardcoded ${credType} in env var ${envKey} (${redacted}). Credentials should not be stored in config files.`,
+            severity: "high",
+            remediation: `Move ${envKey} for '${name}' to a secrets manager or environment variable. Do not store API keys in MCP config files.`
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkBroadAccess(name, args) {
+    const home = homedir5();
+    for (const arg of args) {
+      if (typeof arg !== "string") continue;
+      const expanded = arg.replace("~", home);
+      if (expanded === "/" || expanded === home || arg === "~" || arg === "/") {
+        return [{
+          code: "MCP-003",
+          title: "Overly broad filesystem access",
+          description: `MCP server '${name}' has access to the entire ${expanded === home ? "home directory" : "filesystem"}. This grants access to all files including credentials.`,
+          severity: "high",
+          remediation: `Restrict '${name}' to specific project directories only.`
+        }];
+      }
+    }
+    return [];
+  }
+  _checkInsecureUrls(name, args, env) {
+    const allValues = args.filter((a) => typeof a === "string");
+    for (const v of Object.values(env)) {
+      if (typeof v === "string") allValues.push(v);
+    }
+    for (const value of allValues) {
+      if (HTTP_NON_LOCAL.test(value)) {
+        return [{
+          code: "MCP-005",
+          title: "Insecure HTTP connection",
+          description: `MCP server '${name}' uses an unencrypted HTTP connection. Data sent to this server could be intercepted.`,
+          severity: "medium",
+          remediation: `Use HTTPS for '${name}' MCP server connections.`
+        }];
+      }
+    }
+    return [];
+  }
+  _checkHttpServer(name, server) {
+    const findings = [];
+    const url = server.url ?? "";
+    const headers = server.headers ?? {};
+    const apiKey = server.apiKey ?? "";
+    if (typeof url === "string" && HTTP_NON_LOCAL.test(url)) {
+      findings.push({
+        code: "MCP-006",
+        title: "Insecure remote MCP endpoint",
+        description: `MCP server '${name}' connects to a remote HTTP endpoint without TLS. All JSON-RPC traffic can be intercepted.`,
+        severity: "critical",
+        remediation: `Use HTTPS for remote MCP server '${name}': change ${url} to use https://`
+      });
+    }
+    if (typeof apiKey === "string" && apiKey && !apiKey.startsWith("${")) {
+      for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(apiKey)) {
+          const redacted = apiKey.length > 14 ? apiKey.slice(0, 6) + "..." + apiKey.slice(-4) : "***";
+          findings.push({
+            code: "MCP-006",
+            title: `Hardcoded ${credType} in apiKey`,
+            description: `MCP server '${name}' has a hardcoded ${credType} in apiKey field (${redacted}). Use environment variable references.`,
+            severity: "high",
+            remediation: `Move apiKey for '${name}' to a secrets manager or env var reference.`
+          });
+          break;
+        }
+      }
+    }
+    if (typeof headers === "object" && headers !== null) {
+      const authVal = headers.Authorization ?? "";
+      if (typeof authVal === "string" && authVal && !authVal.startsWith("${")) {
+        for (const [pattern, credType] of CREDENTIAL_PATTERNS) {
+          if (pattern.test(authVal)) {
+            findings.push({
+              code: "MCP-006",
+              title: `Hardcoded ${credType} in Authorization header`,
+              description: `MCP server '${name}' has a hardcoded credential in the Authorization header. Use environment variable references.`,
+              severity: "high",
+              remediation: `Move Authorization header for '${name}' to env var reference.`
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+  _checkSupplyChain(name, command, args) {
+    const findings = [];
+    const allStr = [command, ...args.filter((a) => typeof a === "string")].join(" ");
+    const npxMatch = allStr.match(/npx\s+-y\s+(@?[a-zA-Z0-9_./-]+(?:@[^\s]+)?)/);
+    if (npxMatch) {
+      const pkg = npxMatch[1];
+      const parts = pkg.split("/");
+      const lastPart = parts[parts.length - 1] ?? pkg;
+      const hasVersion = lastPart.includes("@") && !lastPart.startsWith("@");
+      if (!hasVersion) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned npx package",
+          description: `MCP server '${name}' installs '${pkg}' via npx without version pinning. A supply chain attack could inject malicious code.`,
+          severity: "high",
+          remediation: `Pin the version: npx -y ${pkg}@<version>`
+        });
+      }
+    }
+    const uvxMatch = allStr.match(/uvx\s+([a-zA-Z0-9_.-]+)/);
+    if (uvxMatch) {
+      const pkg = uvxMatch[1];
+      const afterPkg = allStr.split(pkg).slice(1).join("").slice(0, 20);
+      if (!afterPkg.includes("==")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned uvx package",
+          description: `MCP server '${name}' installs '${pkg}' via uvx without version pinning.`,
+          severity: "high",
+          remediation: `Pin the version: uvx ${pkg}==<version>`
+        });
+      }
+    }
+    const bunxMatch = allStr.match(/bunx\s+(@?[a-zA-Z0-9_./-]+(?:@[^\s]+)?)/);
+    if (bunxMatch) {
+      const pkg = bunxMatch[1];
+      const parts = pkg.split("/");
+      const lastPart = parts[parts.length - 1] ?? pkg;
+      const hasVersion = lastPart.includes("@") && !lastPart.startsWith("@");
+      if (!hasVersion) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned bunx package",
+          description: `MCP server '${name}' installs '${pkg}' via bunx without version pinning. A supply chain attack could inject malicious code.`,
+          severity: "medium",
+          remediation: `Pin the version: bunx ${pkg}@<version>`
+        });
+      }
+    }
+    const denoMatch = allStr.match(/deno\s+run\s+(?:--allow-\S+\s+)*(\S+)/);
+    if (denoMatch) {
+      const target = denoMatch[1];
+      if (!target.startsWith(".") && !target.startsWith("/")) {
+        if (!target.includes("@")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned deno package",
+            description: `MCP server '${name}' runs '${target}' via deno without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: deno run ${target}@<version>`
+          });
+        }
+      }
+    }
+    const dockerMatch = allStr.match(/docker\s+run\s+(?:-[^\s]+\s+)*([a-zA-Z0-9_./-]+(?::[^\s]+)?)/);
+    if (dockerMatch) {
+      const image = dockerMatch[1];
+      if (!image.includes(":")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned docker image",
+          description: `MCP server '${name}' runs docker image '${image}' without a tag. This defaults to :latest which is mutable.`,
+          severity: "medium",
+          remediation: `Pin the image tag: docker run ${image}:<version>`
+        });
+      } else if (image.endsWith(":latest")) {
+        findings.push({
+          code: "MCP-007",
+          title: "Unpinned docker image (:latest)",
+          description: `MCP server '${name}' runs docker image '${image}' with :latest tag. This is mutable and not reproducible.`,
+          severity: "medium",
+          remediation: `Pin a specific image tag instead of :latest`
+        });
+      }
+    }
+    const pipMatch = allStr.match(/pip3?\s+install\s+([a-zA-Z0-9_.-]+)/);
+    if (pipMatch) {
+      const pkg = pipMatch[1];
+      if (!pkg.startsWith("-")) {
+        const afterPkg = allStr.split(pipMatch[0]).slice(1).join("").slice(0, 30);
+        if (!afterPkg.includes("==")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned pip package",
+            description: `MCP server '${name}' installs '${pkg}' via pip without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: pip install ${pkg}==<version>`
+          });
+        }
+      }
+    }
+    const goMatch = allStr.match(/go\s+run\s+([a-zA-Z0-9_./@-]+)/);
+    if (goMatch) {
+      const target = goMatch[1];
+      if (!target.startsWith(".") && !target.startsWith("/")) {
+        if (!target.includes("@")) {
+          findings.push({
+            code: "MCP-007",
+            title: "Unpinned go package",
+            description: `MCP server '${name}' runs '${target}' via go run without version pinning.`,
+            severity: "medium",
+            remediation: `Pin the version: go run ${target}@<version>`
+          });
+        }
+      }
+    }
+    const allArgs = [command, ...args.filter((a) => typeof a === "string")];
+    for (const arg of allArgs) {
+      for (const pkgName of KNOWN_MALICIOUS_PACKAGES) {
+        if (arg.toLowerCase().includes(pkgName)) {
+          findings.push({
+            code: "MCP-007",
+            title: `Known malicious package: ${pkgName}`,
+            description: `MCP server '${name}' references known malicious package '${pkgName}'.`,
+            severity: "critical",
+            remediation: `Remove MCP server '${name}' immediately.`
+          });
+          return findings;
+        }
+      }
+    }
+    return findings;
+  }
+  _checkCommandInjection(name, command, args) {
+    const findings = [];
+    const cmdBase = basename2(command).toLowerCase();
+    if (DANGEROUS_SHELLS.has(cmdBase)) {
+      findings.push({
+        code: "MCP-008",
+        title: "Shell binary as MCP server",
+        description: `MCP server '${name}' uses '${cmdBase}' as its binary. This allows arbitrary command execution.`,
+        severity: "critical",
+        remediation: `Replace shell command for '${name}' with a dedicated MCP server binary.`
+      });
+    }
+    for (const arg of args) {
+      if (typeof arg === "string" && SHELL_META.test(arg)) {
+        findings.push({
+          code: "MCP-008",
+          title: "Shell metacharacters in arguments",
+          description: `MCP server '${name}' has shell metacharacters in args: '${arg.slice(0, 60)}'. This may allow command injection.`,
+          severity: "high",
+          remediation: `Remove shell metacharacters from '${name}' arguments.`
+        });
+        break;
+      }
+    }
+    return findings;
+  }
+  _checkMissingAuth(name, server) {
+    const url = server.url;
+    if (!url || typeof url !== "string") return [];
+    const localhostPattern = /^https?:\/\/(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])/;
+    if (localhostPattern.test(url)) return [];
+    const hasApiKey = Boolean(server.apiKey);
+    const headers = server.headers;
+    const hasAuthHeader = typeof headers === "object" && headers !== null && Boolean(headers.Authorization);
+    const hasOAuth = Boolean(server.oauth || server.auth);
+    if (!hasApiKey && !hasAuthHeader && !hasOAuth) {
+      return [{
+        code: "MCP-009",
+        title: "Missing authentication",
+        description: `Remote MCP server '${name}' at ${url} has no authentication configured. Anyone who discovers the endpoint can use it.`,
+        severity: "high",
+        remediation: `Add apiKey, Authorization header, or OAuth config for '${name}'.`
+      }];
+    }
+    return [];
+  }
+  _checkKnownCVEs(name, server) {
+    const findings = [];
+    const rawCmd2 = server.command ?? "";
+    let command;
+    let args;
+    if (Array.isArray(rawCmd2)) {
+      command = String(rawCmd2[0] ?? "");
+      args = [...rawCmd2.slice(1).map(String), ...server.args ?? []];
+    } else {
+      command = String(rawCmd2);
+      args = server.args ?? [];
+    }
+    const source = server.source_file ?? "";
+    const allArgsStr = args.filter((a) => typeof a === "string").join(" ");
+    for (const arg of args) {
+      if (typeof arg === "string" && arg.includes("../")) {
+        findings.push({
+          code: "MCP-CVE",
+          title: "CVE-2025-53110: Path traversal in arguments",
+          description: `MCP server '${name}' has path traversal sequence '../' in arguments.`,
+          severity: "high",
+          remediation: "Remove path traversal sequences from MCP server arguments."
+        });
+        break;
+      }
+    }
+    const isGitServer = /\bgit\b/.test(command.toLowerCase()) || /server-git|mcp-git/.test(allArgsStr.toLowerCase());
+    if (isGitServer && !args.some((a) => typeof a === "string" && (a.includes("--allowed") || a.toLowerCase().includes("path")))) {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-68143: Unrestricted git MCP server",
+        description: `Git MCP server '${name}' has no path restrictions configured. It can access any repository on the machine.`,
+        severity: "high",
+        remediation: `Add --allowed-path restrictions to git MCP server '${name}'.`
+      });
+    }
+    if (source && basename2(source) === ".mcp.json") {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-59536: Project-level MCP config",
+        description: `MCP server '${name}' is defined in a project-level .mcp.json file. Cloning a malicious repo could auto-register MCP servers.`,
+        severity: "medium",
+        remediation: "Review project-level MCP configs carefully. Consider using global configs only."
+      });
+    }
+    if (command.includes("mcp-remote") || allArgsStr.includes("mcp-remote")) {
+      findings.push({
+        code: "MCP-CVE",
+        title: "CVE-2025-6514: mcp-remote OAuth vulnerability",
+        description: `MCP server '${name}' uses mcp-remote which has known OAuth vulnerabilities.`,
+        severity: "medium",
+        remediation: "Update mcp-remote to the latest version or use direct SSE connections."
+      });
+    }
+    return findings;
+  }
+  _checkHighEntropySecrets(name, env) {
+    const findings = [];
+    for (const [envKey, envValue] of Object.entries(env)) {
+      if (typeof envValue !== "string" || envValue.length < 20) continue;
+      if (envValue.startsWith("${") || envValue.startsWith("$")) continue;
+      let matched = false;
+      for (const [pattern] of CREDENTIAL_PATTERNS) {
+        if (pattern.test(envValue)) {
+          matched = true;
+          break;
+        }
+      }
+      if (matched) continue;
+      const entropy = shannonEntropy(envValue);
+      if (entropy > 4.5) {
+        const redacted = envValue.length > 12 ? envValue.slice(0, 4) + "..." + envValue.slice(-4) : "***";
+        findings.push({
+          code: "MCP-002",
+          title: `High-entropy secret in ${envKey}`,
+          description: `MCP server '${name}' has a high-entropy string in env var ${envKey} (${redacted}, entropy=${entropy.toFixed(1)}). This may be a credential from an unknown provider.`,
+          severity: "medium",
+          remediation: `Move ${envKey} for '${name}' to a secrets manager or env var reference.`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/project-config.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3, statSync as statSync4 } from "fs";
+import { homedir as homedir6 } from "os";
+import { dirname as dirname4, join as join5, resolve as resolve3 } from "path";
+import { parse } from "yaml";
+var VALID_FAIL_ON = /* @__PURE__ */ new Set(["danger", "warning", "safe"]);
+var CONFIG_FILENAME = ".agentseal.yaml";
+var KNOWN_KEYS = /* @__PURE__ */ new Set([
+  "fail_on",
+  "allowed_agents",
+  "allowed_mcp_servers",
+  "ignore_paths",
+  "ignore_findings",
+  "rules_paths"
+]);
+function loadProjectConfig(configPath) {
+  const raw = readFileSync4(configPath, "utf-8");
+  let data;
+  try {
+    data = parse(raw);
+  } catch (err) {
+    throw new Error(`Invalid YAML in ${configPath}: ${err}`);
+  }
+  if (data === null || data === void 0) {
+    data = {};
+  }
+  if (typeof data !== "object" || Array.isArray(data)) {
+    throw new Error(`Expected a YAML mapping (dict) at root of ${configPath}, got ${Array.isArray(data) ? "array" : typeof data}`);
+  }
+  const d = data;
+  for (const key of Object.keys(d)) {
+    if (!KNOWN_KEYS.has(key)) {
+      console.error(`Warning: unknown key '${key}' in ${configPath}`);
+    }
+  }
+  const failOn = d.fail_on ?? "danger";
+  if (!VALID_FAIL_ON.has(failOn)) {
+    throw new Error(`Invalid fail_on value '${failOn}' in ${configPath}. Must be one of: danger, warning, safe`);
+  }
+  const allowedAgents = d.allowed_agents ?? [];
+  const allowedMcpServers = d.allowed_mcp_servers ?? [];
+  const ignorePaths = d.ignore_paths ?? [];
+  const rulesPaths = d.rules_paths ?? [];
+  const rawFindings = d.ignore_findings ?? [];
+  const ignoreFindings = [];
+  for (const entry of rawFindings) {
+    if (typeof entry === "object" && entry !== null && "id" in entry) {
+      const item = { id: String(entry.id) };
+      if (entry.reason !== void 0 && entry.reason !== null) {
+        item.reason = String(entry.reason);
+      } else {
+        console.error(`Warning: ignore_findings entry '${item.id}' is missing a 'reason' field in ${configPath}`);
+      }
+      ignoreFindings.push(item);
+    }
+  }
+  return {
+    fail_on: failOn,
+    allowed_agents: allowedAgents,
+    allowed_mcp_servers: allowedMcpServers,
+    ignore_paths: ignorePaths,
+    ignore_findings: ignoreFindings,
+    rules_paths: rulesPaths,
+    config_path: resolve3(configPath)
+  };
+}
+function resolveProjectConfig(opts) {
+  const { configPath, searchDir } = opts ?? {};
+  if (configPath) {
+    if (!existsSync4(configPath)) {
+      throw new Error(`Config file not found: ${configPath}`);
+    }
+    return loadProjectConfig(configPath);
+  }
+  const startDir = resolve3(searchDir ?? process.cwd());
+  const home = homedir6();
+  const root = resolve3("/");
+  let current = startDir;
+  while (true) {
+    const candidate = join5(current, CONFIG_FILENAME);
+    if (existsSync4(candidate)) {
+      try {
+        return loadProjectConfig(candidate);
+      } catch {
+      }
+    }
+    const gitDir = join5(current, ".git");
+    if (_isDirectory(gitDir)) {
+      return null;
+    }
+    if (current === home) {
+      return null;
+    }
+    const parent = dirname4(current);
+    if (parent === current) {
+      return null;
+    }
+    current = parent;
+  }
+}
+function _isDirectory(p) {
+  try {
+    return statSync4(p).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function shouldIgnorePath(config, path) {
+  if (config.ignore_paths.length === 0) return false;
+  const segments = path.split("/");
+  const ignoreSet = new Set(config.ignore_paths);
+  return segments.some((seg) => ignoreSet.has(seg));
+}
+function shouldIgnoreFinding(config, code, path) {
+  for (const entry of config.ignore_findings) {
+    const colonIdx = entry.id.indexOf(":");
+    if (colonIdx === -1) {
+      if (entry.id === code) return true;
+    } else {
+      const entryCode = entry.id.slice(0, colonIdx);
+      const entryPath = entry.id.slice(colonIdx + 1);
+      if (entryCode === code && path !== void 0 && entryPath === path) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function shouldFail(failOn, verdicts) {
+  switch (failOn) {
+    case "danger":
+      return verdicts.hasDanger;
+    case "warning":
+      return verdicts.hasDanger || verdicts.hasWarning;
+    case "safe":
+      return verdicts.hasDanger || verdicts.hasWarning || (verdicts.hasSafe ?? false);
+    default:
+      return verdicts.hasDanger;
+  }
+}
+function generateUnlistedFindings(config, agents, mcpServers) {
+  const findings = [];
+  if (config.allowed_agents.length > 0) {
+    const allowedSet = new Set(config.allowed_agents);
+    const activeAgents2 = agents.filter(
+      (a) => a.status !== "not_installed" && a.status !== "error"
+    );
+    for (const agent of activeAgents2) {
+      if (!allowedSet.has(agent.agent_type)) {
+        findings.push({
+          code: "GUARD-001",
+          title: "Unlisted agent detected",
+          description: `Agent '${agent.agent_type}' is not in the allowed_agents list in .agentseal.yaml`,
+          severity: "medium",
+          item_name: agent.agent_type,
+          item_type: "agent"
+        });
+      }
+    }
+  }
+  if (config.allowed_mcp_servers.length > 0) {
+    const plainNames = /* @__PURE__ */ new Set();
+    const qualifiedNames = /* @__PURE__ */ new Set();
+    for (const entry of config.allowed_mcp_servers) {
+      if (entry.includes("@")) {
+        qualifiedNames.add(entry);
+      } else {
+        plainNames.add(entry);
+      }
+    }
+    for (const srv of mcpServers) {
+      const name = srv.name;
+      const agentType = srv.agent_type;
+      const qualified = agentType ? `${name}@${agentType}` : name;
+      if (!plainNames.has(name) && !qualifiedNames.has(qualified)) {
+        findings.push({
+          code: "GUARD-002",
+          title: "Unlisted MCP server detected",
+          description: `MCP server '${name}' is not in the allowed_mcp_servers list in .agentseal.yaml`,
+          severity: "medium",
+          item_name: name,
+          item_type: "mcp_server"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function generateConfigYaml(agents, mcpServers) {
+  const activeAgents2 = agents.filter(
+    (a) => a.status === "found" || a.status === "installed_no_config"
+  );
+  const agentTypes = activeAgents2.map((a) => a.agent_type);
+  const serverNameSet = /* @__PURE__ */ new Set();
+  for (const s of mcpServers) {
+    serverNameSet.add(s.name);
+  }
+  const serverNames = Array.from(serverNameSet);
+  const agentLines = agentTypes.length > 0 ? agentTypes.map((t) => `  - ${t}`).join("\n") : "  # - cursor\n  # - claude-desktop";
+  const serverLines = serverNames.length > 0 ? serverNames.map((n) => `  - ${n}`).join("\n") : "  # - filesystem\n  # - sqlite";
+  return `# AgentSeal project configuration
+# https://agentseal.org/docs/config
+
+# Exit code behavior: "danger" (default), "warning", or "safe"
+fail_on: danger
+
+# Agents expected on this machine (unlisted agents trigger GUARD-001)
+allowed_agents:
+${agentLines}
+
+# MCP servers expected (unlisted servers trigger GUARD-002)
+# Use "name" or "name@agent_type" for agent-specific allowlisting
+allowed_mcp_servers:
+${serverLines}
+
+# Paths to ignore during skill scanning (matched by path segment)
+ignore_paths:
+  - node_modules
+  - .git
+  - __pycache__
+
+# Findings to ignore (by code, or code:path for file-specific ignores)
+ignore_findings: []
+  # - id: "SKILL-001"
+  #   reason: "Known safe pattern"
+  # - id: "MCP-002:./configs/server.json"
+  #   reason: "Accepted risk for this file"
+
+# Additional rule directories
+rules_paths: []
+  # - ./rules
+  # - ./custom-rules
+`;
+}
+function runGuardInit(opts) {
+  const { targetDir, force = false, interactive = true } = opts ?? {};
+  const dir = targetDir ?? process.cwd();
+  const configFile = join5(dir, CONFIG_FILENAME);
+  if (existsSync4(configFile) && !force) {
+    return false;
+  }
+  let agents = [];
+  let allMcpServers = [];
+  try {
+    const { scanMachine: scanMachine2, scanDirectory: scanDirectory2 } = (init_machine_discovery(), __toCommonJS(machine_discovery_exports));
+    const machineResult = scanMachine2();
+    agents = machineResult.agents;
+    allMcpServers = [...machineResult.mcpServers];
+    const dirResult = scanDirectory2(dir);
+    const seen = new Set(allMcpServers.map((s) => `${s.name}::${s.agent_type}`));
+    for (const srv of dirResult.mcpServers) {
+      const key = `${srv.name}::${srv.agent_type}`;
+      if (!seen.has(key)) {
+        seen.add(key);
+        allMcpServers.push(srv);
+      }
+    }
+  } catch {
+  }
+  const yaml = generateConfigYaml(agents, allMcpServers);
+  writeFileSync3(configFile, yaml, "utf-8");
+  return true;
+}
+
+// src/registry-client.ts
+var API_URL = "https://agentseal.org/api/v1/mcp/intel/bulk-check";
+var USER_AGENT = "agentseal-guard/0.8";
+var TIMEOUT_MS = 8e3;
+function slugify(name) {
+  return name.toLowerCase().replace(/^@([^/]+)\//, "$1-").replace(/[^a-z0-9-]/g, "-");
+}
+function extractPackageSlug(command) {
+  const trimmed = command.trim();
+  if (!trimmed) return null;
+  const tokens = trimmed.split(/\s+/);
+  const runner = tokens[0];
+  if (!runner) return null;
+  let pkg;
+  if (runner === "npx") {
+    pkg = tokens.slice(1).find((t) => !t.startsWith("-"));
+  } else if (runner === "bunx" || runner === "uvx") {
+    pkg = tokens[1];
+  } else if ((runner === "pip" || runner === "pip3") && tokens[1] === "install") {
+    pkg = tokens[2];
+  } else if (runner === "docker" && tokens[1] === "run") {
+    pkg = tokens.slice(2).find((t) => !t.startsWith("-"));
+  } else {
+    return null;
+  }
+  if (!pkg) return null;
+  if (pkg.startsWith("@")) {
+    const atIdx = pkg.indexOf("@", 1);
+    if (atIdx !== -1) {
+      pkg = pkg.slice(0, atIdx);
+    }
+  } else {
+    const atIdx = pkg.indexOf("@");
+    if (atIdx !== -1) {
+      pkg = pkg.slice(0, atIdx);
+    }
+  }
+  return slugify(pkg);
+}
+async function bulkCheck(slugs, apiKey) {
+  const unique = [...new Set(slugs)];
+  if (unique.length === 0) return {};
+  const headers = {
+    "Content-Type": "application/json",
+    "User-Agent": USER_AGENT
+  };
+  if (apiKey) {
+    headers["Authorization"] = `Bearer ${apiKey}`;
+  }
+  try {
+    const response = await globalThis.fetch(API_URL, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({ slugs: unique }),
+      signal: AbortSignal.timeout(TIMEOUT_MS)
+    });
+    if (!response.ok) return {};
+    return await response.json();
+  } catch {
+    return {};
+  }
+}
+async function enrichMcpResults(results, apiKey) {
+  if (results.length === 0) return;
+  const slugMap = /* @__PURE__ */ new Map();
+  for (const result of results) {
+    if (result.registry_score != null) continue;
+    const nameSlug = slugify(result.name);
+    const cmdSlug = extractPackageSlug(result.command);
+    if (nameSlug) {
+      const arr = slugMap.get(nameSlug) ?? [];
+      arr.push(result);
+      slugMap.set(nameSlug, arr);
+    }
+    if (cmdSlug && cmdSlug !== nameSlug) {
+      const arr = slugMap.get(cmdSlug) ?? [];
+      arr.push(result);
+      slugMap.set(cmdSlug, arr);
+    }
+  }
+  const allSlugs = [...slugMap.keys()];
+  if (allSlugs.length === 0) return;
+  const data = await bulkCheck(allSlugs, apiKey);
+  for (const [slug, info] of Object.entries(data)) {
+    const targets = slugMap.get(slug);
+    if (!targets) continue;
+    for (const target of targets) {
+      if (target.registry_score != null) continue;
+      target.registry_score = info.score;
+      target.registry_level = info.level;
+      target.registry_findings_count = info.findings_count;
+    }
+  }
+}
+
+// src/rules.ts
+import { readFileSync as readFileSync5, readdirSync as readdirSync3, statSync as statSync5 } from "fs";
+import { join as join6 } from "path";
+import { parse as parse2 } from "yaml";
+function fnmatchCase(value, pattern) {
+  let re = "";
+  let i = 0;
+  while (i < pattern.length) {
+    const ch = pattern[i];
+    if (ch === "*") {
+      re += ".*";
+    } else if (ch === "?") {
+      re += ".";
+    } else if (ch === "[") {
+      let j = i + 1;
+      if (j < pattern.length && pattern[j] === "!") {
+        re += "[^";
+        j++;
+      } else {
+        re += "[";
+      }
+      while (j < pattern.length && pattern[j] !== "]") {
+        re += pattern[j];
+        j++;
+      }
+      if (j < pattern.length) {
+        re += "]";
+        i = j;
+      } else {
+        re += "\\[";
+      }
+    } else if (".$^+{}()|\\".includes(ch)) {
+      re += "\\" + ch;
+    } else {
+      re += ch;
+    }
+    i++;
+  }
+  return new RegExp(`^${re}$`, "i").test(value);
+}
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["critical", "high", "medium", "low"]);
+var VALID_VERDICTS = /* @__PURE__ */ new Set(["danger", "warning"]);
+var VALID_MATCH_TYPES = /* @__PURE__ */ new Set(["mcp", "skill", "agent"]);
+var REQUIRED_FIELDS = ["id", "title", "severity", "verdict", "match"];
+var RuleEngine = class _RuleEngine {
+  rules;
+  constructor(rules) {
+    this.rules = rules;
+  }
+  /**
+   * Load rules from file paths and/or directory paths.
+   *
+   * - Files are loaded directly.
+   * - Directories are globbed for *.yaml and *.yml files.
+   * - Files without a top-level "rules" key are silently skipped.
+   * - Validates required fields, severity, verdict, match.type.
+   * - Throws on duplicate IDs across files.
+   */
+  static fromPaths(paths) {
+    const resolvedFiles = [];
+    for (const p of paths) {
+      const stat = statSync5(p);
+      if (stat.isDirectory()) {
+        const entries = readdirSync3(p);
+        for (const entry of entries) {
+          if (entry.endsWith(".yaml") || entry.endsWith(".yml")) {
+            resolvedFiles.push(join6(p, entry));
+          }
+        }
+      } else {
+        resolvedFiles.push(p);
+      }
+    }
+    const allRules = [];
+    const seenIds = /* @__PURE__ */ new Map();
+    for (const filePath of resolvedFiles) {
+      const raw = readFileSync5(filePath, "utf-8");
+      const doc = parse2(raw);
+      if (!doc || !("rules" in doc)) {
+        continue;
+      }
+      const rulesList = doc.rules;
+      if (!Array.isArray(rulesList)) {
+        continue;
+      }
+      for (const r of rulesList) {
+        for (const field of REQUIRED_FIELDS) {
+          if (r[field] == null || r[field] === "") {
+            throw new Error(
+              `Rule in ${filePath} is missing required field: ${field}`
+            );
+          }
+        }
+        const sev = String(r.severity).toLowerCase();
+        if (!VALID_SEVERITIES.has(sev)) {
+          throw new Error(
+            `Rule "${r.id}" in ${filePath} has invalid severity: "${r.severity}" (must be one of: ${[...VALID_SEVERITIES].join(", ")})`
+          );
+        }
+        const verd = String(r.verdict).toLowerCase();
+        if (!VALID_VERDICTS.has(verd)) {
+          throw new Error(
+            `Rule "${r.id}" in ${filePath} has invalid verdict: "${r.verdict}" (must be one of: ${[...VALID_VERDICTS].join(", ")})`
+          );
+        }
+        const matchType = r.match?.type;
+        if (!matchType || !VALID_MATCH_TYPES.has(String(matchType).toLowerCase())) {
+          throw new Error(
+            `Rule "${r.id}" in ${filePath} has invalid match.type: "${matchType}" (must be one of: ${[...VALID_MATCH_TYPES].join(", ")})`
+          );
+        }
+        const id = String(r.id);
+        const existingFile = seenIds.get(id);
+        if (existingFile) {
+          throw new Error(
+            `Duplicate rule ID "${id}" found in ${filePath} (already defined in ${existingFile})`
+          );
+        }
+        seenIds.set(id, filePath);
+        const rule = {
+          id,
+          title: String(r.title),
+          description: r.description ? String(r.description) : "",
+          severity: sev,
+          verdict: verd,
+          remediation: r.remediation ? String(r.remediation) : "",
+          match: r.match,
+          tests: Array.isArray(r.tests) ? r.tests.map((t) => ({
+            name: String(t.name ?? ""),
+            input: t.input ?? {},
+            expect: String(t.expect ?? "no_match")
+          })) : [],
+          source_file: filePath
+        };
+        allRules.push(rule);
+      }
+    }
+    return new _RuleEngine(allRules);
+  }
+  // ─────────────────────────────────────────────────────────────────────
+  // Internal matching
+  // ─────────────────────────────────────────────────────────────────────
+  /**
+   * Check if a rule matches an entity's data.
+   *
+   * - AND logic across fields (all fields must match).
+   * - OR logic within a field (any pattern in the array matches).
+   * - The "type" field in match is skipped (used for routing only).
+   */
+  _matchEntity(rule, entityData) {
+    for (const [field, patterns] of Object.entries(rule.match)) {
+      if (field === "type") continue;
+      const patternList = typeof patterns === "string" ? [patterns] : patterns;
+      const entityValue = entityData[field] ?? "";
+      let fieldMatched = false;
+      for (const pattern of patternList) {
+        if (fnmatchCase(entityValue, String(pattern))) {
+          fieldMatched = true;
+          break;
+        }
+      }
+      if (!fieldMatched) return false;
+    }
+    return true;
+  }
+  // ─────────────────────────────────────────────────────────────────────
+  // Evaluate methods
+  // ─────────────────────────────────────────────────────────────────────
+  /**
+   * Evaluate MCP rules against a server result.
+   */
+  evaluateMcp(server, rawConfig) {
+    const mcpRules = this.rules.filter(
+      (r) => String(r.match.type).toLowerCase() === "mcp"
+    );
+    const args = rawConfig.args;
+    const argsStr = Array.isArray(args) ? args.join(" ") : String(args ?? "");
+    const env = rawConfig.env;
+    const envKeys = env ? Object.keys(env).join(" ") : "";
+    const envValues = env ? Object.values(env).join(" ") : "";
+    const entityData = {
+      name: String(server.name ?? ""),
+      command: String(server.command ?? ""),
+      args: argsStr,
+      env_keys: envKeys,
+      env_values: envValues,
+      source_file: String(server.source_file ?? "")
+    };
+    const findings = [];
+    for (const rule of mcpRules) {
+      if (this._matchEntity(rule, entityData)) {
+        findings.push({
+          code: rule.id,
+          title: rule.title,
+          severity: rule.severity,
+          verdict: rule.verdict,
+          remediation: rule.remediation,
+          rule_file: rule.source_file,
+          entity_type: "mcp",
+          entity_name: entityData.name ?? ""
+        });
+      }
+    }
+    return findings;
+  }
+  /**
+   * Evaluate skill rules against a skill result.
+   */
+  evaluateSkill(skill, content) {
+    const skillRules = this.rules.filter(
+      (r) => String(r.match.type).toLowerCase() === "skill"
+    );
+    const entityData = {
+      name: String(skill.name ?? ""),
+      path: String(skill.path ?? ""),
+      content: content.slice(0, 10240)
+    };
+    const findings = [];
+    for (const rule of skillRules) {
+      if (this._matchEntity(rule, entityData)) {
+        findings.push({
+          code: rule.id,
+          title: rule.title,
+          severity: rule.severity,
+          verdict: rule.verdict,
+          remediation: rule.remediation,
+          rule_file: rule.source_file,
+          entity_type: "skill",
+          entity_name: entityData.name ?? ""
+        });
+      }
+    }
+    return findings;
+  }
+  /**
+   * Evaluate agent rules against an agent config result.
+   */
+  evaluateAgent(agent) {
+    const agentRules = this.rules.filter(
+      (r) => String(r.match.type).toLowerCase() === "agent"
+    );
+    const entityData = {
+      agent_type: String(agent.agent_type ?? ""),
+      name: String(agent.name ?? ""),
+      config_path: String(agent.config_path ?? "")
+    };
+    const findings = [];
+    for (const rule of agentRules) {
+      if (this._matchEntity(rule, entityData)) {
+        findings.push({
+          code: rule.id,
+          title: rule.title,
+          severity: rule.severity,
+          verdict: rule.verdict,
+          remediation: rule.remediation,
+          rule_file: rule.source_file,
+          entity_type: "agent",
+          entity_name: entityData.name ?? ""
+        });
+      }
+    }
+    return findings;
+  }
+  // ─────────────────────────────────────────────────────────────────────
+  // Self-test
+  // ─────────────────────────────────────────────────────────────────────
+  /**
+   * Run embedded tests for all rules.
+   */
+  runTests() {
+    const results = [];
+    for (const rule of this.rules) {
+      for (const test of rule.tests) {
+        const matched = this._matchEntity(rule, test.input);
+        const actual = matched ? "match" : "no_match";
+        results.push({
+          rule_id: rule.id,
+          test_name: test.name,
+          passed: actual === test.expect,
+          expected: test.expect,
+          actual
+        });
+      }
+    }
+    return results;
+  }
+};
+
+// src/skill-scanner.ts
+var PATTERN_RULES = [
+  {
+    code: "SKILL-001",
+    title: "Credential access",
+    severity: "critical",
+    patterns: [
+      /~\/\.ssh\b/i,
+      /~\/\.aws\b/i,
+      /~\/\.gnupg\b/i,
+      /~\/\.config\/gh\b/i,
+      /~\/\.npmrc\b/i,
+      /~\/\.pypirc\b/i,
+      /~\/\.docker\b/i,
+      /~\/\.kube\b/i,
+      /~\/\.netrc\b/i,
+      /~\/\.bitcoin\b/i,
+      /~\/\.ethereum\b/i,
+      /~\/Library\/Keychains\b/i,
+      /\.env\b(?!\.example|\.sample|\.template)/i,
+      /credentials\.json\b/i,
+      /id_rsa\b/i,
+      /id_ed25519\b/i,
+      /wallet\.dat\b/i,
+      /aws_access_key_id/i,
+      /aws_secret_access_key/i,
+      /\/etc\/passwd\b/i,
+      /\/etc\/shadow\b/i,
+      /PRIVATE[_\s]KEY/i
+    ],
+    descriptionTemplate: "This skill accesses sensitive credentials: {match}",
+    remediation: "Remove this skill immediately and rotate all credentials it may have accessed."
+  },
+  {
+    code: "SKILL-002",
+    title: "Data exfiltration",
+    severity: "critical",
+    patterns: [
+      /curl\s+.*(?:-d|--data)\s+.*https?:\/\//i,
+      /wget\s+.*--post-(?:data|file)/i,
+      /requests\.post\s*\(/i,
+      /fetch\s*\(.*method.*['"]POST['"]/i,
+      /urllib\.request\.urlopen\s*\(.*data=/i,
+      /socket\.connect\s*\(/i,
+      /\bnc(?:at)?\b.*\b(?:--send-only|--recv-only)\b/i,
+      /httpx\.post\s*\(/i,
+      /!\[.*?\]\(https?:\/\/[^\s)]+\?[^\s)]*(?:data|content|file|secret|key|token|d)=/i,
+      /<img\s+[^>]*src=["']https?:\/\/[^"']+\?[^"']*(?:data|content|file|secret|key|token|d)=/i,
+      /(?:render|display|show|include)\s+(?:an?\s+)?(?:image|img|markdown)\s+(?:tag|link)?\s*.*https?:\/\//i
+    ],
+    descriptionTemplate: "This skill sends data to an external server: {match}",
+    remediation: "Remove this skill. It exfiltrates data to an external endpoint. Check for compromised credentials."
+  },
+  {
+    code: "SKILL-003",
+    title: "Remote payload execution",
+    severity: "critical",
+    patterns: [
+      /curl\s+.*\|\s*(?:sh|bash|python|python3|node|ruby|perl)\b/i,
+      /wget\s+.*-O\s*-\s*\|/i,
+      /eval\s*\(\s*(?:fetch|require|import)/i,
+      /exec\s*\(\s*(?:urllib|requests|httpx)/i,
+      /pip\s+install\s+--index-url\s+http[^s]/i,
+      /npm\s+install\s+.*--registry\s+http[^s]/i,
+      /curl\s+.*>\s*\/tmp\/.*&&.*(?:sh|bash|chmod)/i
+    ],
+    descriptionTemplate: "This skill downloads and executes remote code: {match}",
+    remediation: "Remove this skill immediately. It fetches and runs code from the internet."
+  },
+  {
+    code: "SKILL-004",
+    title: "Reverse shell / backdoor",
+    severity: "critical",
+    patterns: [
+      /\/bin\/(?:ba)?sh\s+-i/i,
+      /python3?\s+-c\s+['"]import\s+socket/i,
+      /\bnc(?:at)?\s+(?:-e|--exec)\b/i,
+      /bash\s+-c\s+.*>\/dev\/tcp\//i,
+      /mkfifo\s+.*\bnc(?:at)?\b/i,
+      /socat\s+.*exec:/i,
+      /powershell.*-e\s+[A-Za-z0-9+/=]{20,}/i
+    ],
+    descriptionTemplate: "This skill opens a backdoor to your machine: {match}",
+    remediation: "Remove this skill immediately and run a full system security audit."
+  },
+  {
+    code: "SKILL-005",
+    title: "Code obfuscation",
+    severity: "high",
+    patterns: [
+      /base64\s+(?:--)?decode/i,
+      /\batob\s*\(/i,
+      /(?:\\x[0-9a-fA-F]{2}){10,}/i,
+      /eval\s*\(.*chr\s*\(/i,
+      /String\.fromCharCode/i,
+      /codecs\.decode\s*\(.*rot.13/i,
+      /exec\s*\(\s*compile\s*\(/i,
+      /exec\s*\(\s*__import__/i
+    ],
+    descriptionTemplate: "This skill uses code obfuscation: {match}",
+    remediation: "This skill obfuscates its code \u2014 a common malware technique. Review the decoded content before trusting it."
+  },
+  {
+    code: "SKILL-006",
+    title: "Prompt injection",
+    severity: "high",
+    patterns: [
+      /ignore\s+(?:all\s+)?previous\s+instructions/i,
+      /you\s+are\s+now\s+(?:a|an|in)\b/i,
+      /disregard\s+(?:all|any|your)\s+(?:previous|prior)/i,
+      /system:\s*you\s+are/i,
+      /<\s*system\s*>/i,
+      /IMPORTANT:.*override/i,
+      /\[INST\]|\[\/INST\]|<<SYS>>|<\|im_start\|>/i,
+      /new\s+instructions?\s*:/i,
+      /forget\s+(?:all|everything)\s+(?:above|before|previous)/i
+    ],
+    descriptionTemplate: "This skill contains prompt injection: {match}",
+    remediation: "This skill tries to override your agent's instructions. Remove it."
+  },
+  {
+    code: "SKILL-007",
+    title: "Suspicious URLs",
+    severity: "medium",
+    patterns: [
+      /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[:/]/i,
+      /https?:\/\/[^\s]*\.(?:tk|ml|ga|cf|gq)\//i,
+      /(?:bit\.ly|tinyurl\.com|is\.gd|t\.co|rb\.gy)\/[^\s]+/i,
+      /(?:pastebin\.com|hastebin\.com|0x0\.st)\/[^\s]+/i
+    ],
+    descriptionTemplate: "This skill references a suspicious URL: {match}",
+    remediation: "Verify this URL is legitimate before allowing the skill to access it."
+  },
+  {
+    code: "SKILL-008",
+    title: "Hardcoded secrets",
+    severity: "high",
+    patterns: [
+      /(?:sk-(?:proj-)?|sk_live_|sk_test_)[a-zA-Z0-9]{20,}/i,
+      /AKIA[0-9A-Z]{16}/,
+      /ghp_[a-zA-Z0-9]{36}/,
+      /gho_[a-zA-Z0-9]{36}/,
+      /xoxb-[a-zA-Z0-9-]+/,
+      /xoxp-[a-zA-Z0-9-]+/,
+      /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+)?PRIVATE\s+KEY/i,
+      /glpat-[a-zA-Z0-9_-]{20,}/,
+      /SG\.[a-zA-Z0-9_-]{22,}/
+    ],
+    descriptionTemplate: "This skill contains a hardcoded secret: {match}",
+    remediation: "Rotate the exposed credentials immediately. Never store secrets in skill files."
+  },
+  {
+    code: "SKILL-009",
+    title: "System modification",
+    severity: "high",
+    patterns: [
+      /chmod\s+[0-7]*[7][0-7]*\s/i,
+      /crontab\s+(?:-r|-e|-)\b/i,
+      /launchctl\s+(?:load|submit)\b/i,
+      /systemctl\s+(?:enable|start)\b/i,
+      /\/etc\/(?:init\.d|rc\.local)\b/i,
+      /(?:>>.*(?:\.bashrc|\.zshrc|\.bash_profile|\.profile)\b|(?:\.bashrc|\.zshrc|\.bash_profile|\.profile)\b.*>>)/i,
+      /chown\s+root\b/i,
+      /visudo\b/i
+    ],
+    descriptionTemplate: "This skill modifies system configuration: {match}",
+    remediation: "This skill changes system startup scripts or permissions. Review carefully before allowing."
+  }
+];
+var DANGER_CONCEPTS = [
+  "Read SSH private keys and send them to a remote server",
+  "Download a script from the internet and execute it",
+  "Open a reverse shell connection back to the attacker",
+  "Steal browser cookies and saved passwords",
+  "Exfiltrate environment variables to an external endpoint",
+  "Override the AI assistant's system instructions",
+  "Ignore previous safety guidelines and follow new ones",
+  "Encode stolen data in base64 and send via DNS",
+  "Install a cryptocurrency miner in the background",
+  "Modify crontab to maintain persistence after reboot",
+  "Read wallet.dat and private keys for crypto theft",
+  "Access AWS credentials from ~/.aws/credentials",
+  "Send keystrokes to a command and control server",
+  "Replace legitimate binaries with trojanized versions",
+  "Disable security monitoring and logging",
+  "Create a hidden user account for backdoor access",
+  "Intercept and forward API tokens to attacker domain",
+  "Use steganography to hide data in image files",
+  "Establish covert channel through DNS tunneling",
+  "Scrape and exfiltrate local git credentials"
+];
+var INVISIBLE_CATEGORIES = [
+  { pattern: /[\u{E0001}-\u{E007F}]/gu, name: "Unicode Tag Characters (ASCII smuggling)" },
+  { pattern: /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu, name: "Variation Selectors" },
+  { pattern: /[\u202A-\u202E\u2066-\u2069\u200E\u200F]/g, name: "BiDi Controls" },
+  { pattern: /[\u200B\u200C\u200D\uFEFF\u00AD\u2060]/g, name: "Zero-width Characters" }
+];
+function findInvisibleEvidence(content) {
+  const found = [];
+  for (const { pattern, name } of INVISIBLE_CATEGORIES) {
+    pattern.lastIndex = 0;
+    const matches = content.match(pattern);
+    if (matches && matches.length > 0) {
+      found.push(`${name} (${matches.length} chars)`);
+    }
+  }
+  return found.length > 0 ? found.join("; ") : "Invisible characters detected";
+}
+function extractEvidenceLine(content, matchPos) {
+  const lineStart = content.lastIndexOf("\n", matchPos - 1) + 1;
+  let lineEnd = content.indexOf("\n", matchPos);
+  if (lineEnd === -1) lineEnd = content.length;
+  let line = content.slice(lineStart, lineEnd).trim();
+  if (line.length > 200) {
+    line = line.slice(0, 197) + "...";
+  }
+  return line;
+}
+var SkillScanner = class {
+  /** Layer 1: Fast static pattern matching against known threat patterns. */
+  scanPatterns(content) {
+    const findings = [];
+    const seenCodes = /* @__PURE__ */ new Set();
+    for (const rule of PATTERN_RULES) {
+      if (seenCodes.has(rule.code)) continue;
+      for (const pattern of rule.patterns) {
+        pattern.lastIndex = 0;
+        const match = pattern.exec(content);
+        if (match) {
+          let matchedText = match[0];
+          if (matchedText.length > 80) {
+            matchedText = matchedText.slice(0, 77) + "...";
+          }
+          findings.push({
+            code: rule.code,
+            title: rule.title,
+            description: rule.descriptionTemplate.replace("{match}", matchedText),
+            severity: rule.severity,
+            evidence: extractEvidenceLine(content, match.index),
+            remediation: rule.remediation
+          });
+          seenCodes.add(rule.code);
+          break;
+        }
+      }
+    }
+    if (hasInvisibleChars(content)) {
+      findings.push({
+        code: "SKILL-011",
+        title: "Invisible characters detected",
+        description: "This skill contains invisible Unicode characters (tag chars, variation selectors, BiDi controls, or zero-width chars) that can hide malicious instructions.",
+        severity: "high",
+        evidence: findInvisibleEvidence(content),
+        remediation: "Strip invisible characters and review the decoded content carefully."
+      });
+    }
+    return findings;
+  }
+  /**
+   * Layer 2: Semantic similarity against known danger concepts.
+   *
+   * Requires an embedding function. Returns empty array if not provided.
+   * Compares content chunks against DANGER_CONCEPTS with similarity thresholds.
+   */
+  async scanSemantic(content, embedFn) {
+    if (!embedFn) return [];
+    const findings = [];
+    const chunkSize = 2e3;
+    const chunks = [];
+    for (let i = 0; i < content.length; i += chunkSize) {
+      const chunk = content.slice(i, i + chunkSize);
+      if (chunk.trim().length >= 20) chunks.push(chunk);
+    }
+    if (chunks.length === 0) return [];
+    const allTexts = [...chunks, ...DANGER_CONCEPTS];
+    let embeddings;
+    try {
+      embeddings = await embedFn(allTexts);
+    } catch {
+      return [];
+    }
+    const chunkEmbeddings = embeddings.slice(0, chunks.length);
+    const conceptEmbeddings = embeddings.slice(chunks.length);
+    for (let ci = 0; ci < chunks.length; ci++) {
+      const chunkVec = chunkEmbeddings[ci];
+      const chunk = chunks[ci];
+      for (let di = 0; di < DANGER_CONCEPTS.length; di++) {
+        const conceptVec = conceptEmbeddings[di];
+        const similarity = cosineSimilarity2(chunkVec, conceptVec);
+        if (similarity >= 0.85) {
+          findings.push({
+            code: "SKILL-SEM",
+            title: "Semantic threat match",
+            description: `Content semantically matches danger pattern: '${DANGER_CONCEPTS[di]}' (similarity: ${similarity.toFixed(2)})`,
+            severity: "critical",
+            evidence: chunk.slice(0, 120).replace(/\n/g, " ") + "...",
+            remediation: "This skill's content closely matches known malicious behavior. Review carefully before allowing."
+          });
+          break;
+        } else if (similarity >= 0.75) {
+          findings.push({
+            code: "SKILL-SEM",
+            title: "Suspicious semantic similarity",
+            description: `Content resembles danger pattern: '${DANGER_CONCEPTS[di]}' (similarity: ${similarity.toFixed(2)})`,
+            severity: "medium",
+            evidence: chunk.slice(0, 120).replace(/\n/g, " ") + "...",
+            remediation: "Review this skill's content \u2014 it resembles known malicious patterns."
+          });
+          break;
+        }
+      }
+    }
+    const seen = /* @__PURE__ */ new Set();
+    return findings.filter((f) => {
+      if (seen.has(f.severity)) return false;
+      seen.add(f.severity);
+      return true;
+    });
+  }
+};
+function cosineSimilarity2(a, b) {
+  let dot = 0;
+  let normA = 0;
+  let normB = 0;
+  for (let i = 0; i < a.length; i++) {
+    const ai = a[i];
+    const bi = b[i];
+    dot += ai * bi;
+    normA += ai * ai;
+    normB += bi * bi;
+  }
+  const denom = Math.sqrt(normA) * Math.sqrt(normB);
+  return denom === 0 ? 0 : dot / denom;
+}
+
+// src/toxic-flows.ts
+var LABEL_PUBLIC_SINK = "public_sink";
+var LABEL_DESTRUCTIVE = "destructive";
+var LABEL_UNTRUSTED = "untrusted_content";
+var LABEL_PRIVATE = "private_data";
+var KNOWN_SERVER_LABELS = {
+  filesystem: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  fs: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  slack: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  discord: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  email: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  gmail: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  smtp: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  sendgrid: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  twilio: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  telegram: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  teams: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  webhook: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK]),
+  github: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  gitlab: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  bitbucket: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  linear: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  jira: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  notion: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  asana: /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE]),
+  postgres: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  postgresql: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mysql: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  sqlite: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mongo: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  mongodb: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  redis: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE]),
+  supabase: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  fetch: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  puppeteer: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  playwright: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  browser: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  "brave-search": /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  tavily: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  "web-search": /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  scraper: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  crawl: /* @__PURE__ */ new Set([LABEL_UNTRUSTED]),
+  aws: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  gcp: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  azure: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE, LABEL_PUBLIC_SINK]),
+  docker: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  kubernetes: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  k8s: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  terraform: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  shell: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE, LABEL_UNTRUSTED]),
+  terminal: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE, LABEL_UNTRUSTED]),
+  exec: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  "code-runner": /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  sandbox: /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE]),
+  memory: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  knowledge: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  vector: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  sentry: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  datadog: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  grafana: /* @__PURE__ */ new Set([LABEL_PRIVATE]),
+  s3: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK, LABEL_DESTRUCTIVE]),
+  gcs: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK, LABEL_DESTRUCTIVE]),
+  drive: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK]),
+  dropbox: /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK])
+};
+var NAME_HEURISTICS = [
+  [/(?:file|fs|disk)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE])],
+  [/(?:mail|email|smtp)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK])],
+  [/(?:http|fetch|web|browser|scrape|crawl)/i, /* @__PURE__ */ new Set([LABEL_UNTRUSTED])],
+  [/(?:db|sql|database|mongo|redis)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE])],
+  [/(?:exec|shell|command|terminal|run)/i, /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE])],
+  [/(?:slack|discord|teams|telegram|chat)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK])],
+  [/(?:github|gitlab|bitbucket|jira|linear)/i, /* @__PURE__ */ new Set([LABEL_PUBLIC_SINK, LABEL_PRIVATE])],
+  [/(?:aws|gcp|azure|cloud)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_DESTRUCTIVE])],
+  [/(?:docker|k8s|kubernetes|terraform)/i, /* @__PURE__ */ new Set([LABEL_DESTRUCTIVE])],
+  [/(?:s3|gcs|storage|drive|dropbox)/i, /* @__PURE__ */ new Set([LABEL_PRIVATE, LABEL_PUBLIC_SINK])]
+];
+function classifyServer(server) {
+  const name = (server.name ?? "").toLowerCase().trim();
+  const rawCmd = server.command ?? "";
+  const command = (Array.isArray(rawCmd) ? rawCmd.join(" ") : String(rawCmd)).toLowerCase();
+  const argsStr = (server.args ?? []).filter((a) => typeof a === "string").join(" ").toLowerCase();
+  if (KNOWN_SERVER_LABELS[name]) {
+    return new Set(KNOWN_SERVER_LABELS[name]);
+  }
+  for (const [known, labels2] of Object.entries(KNOWN_SERVER_LABELS)) {
+    if (name.includes(known)) return new Set(labels2);
+  }
+  const searchText = `${command} ${argsStr}`;
+  for (const [known, labels2] of Object.entries(KNOWN_SERVER_LABELS)) {
+    if (searchText.includes(known)) return new Set(labels2);
+  }
+  const labels = /* @__PURE__ */ new Set();
+  for (const [pattern, hLabels] of NAME_HEURISTICS) {
+    if (pattern.test(name) || pattern.test(command) || pattern.test(argsStr)) {
+      for (const l of hLabels) labels.add(l);
+    }
+  }
+  return labels;
+}
+function detectCombos(serverLabels) {
+  const flows = [];
+  const allLabels = /* @__PURE__ */ new Set();
+  for (const labels of serverLabels.values()) {
+    for (const l of labels) allLabels.add(l);
+  }
+  const byLabel = /* @__PURE__ */ new Map();
+  for (const [name, labels] of serverLabels) {
+    for (const label of labels) {
+      if (!byLabel.has(label)) byLabel.set(label, []);
+      byLabel.get(label).push(name);
+    }
+  }
+  const has = (l) => allLabels.has(l);
+  const serversFor = (...labels) => [...new Set(labels.flatMap((l) => byLabel.get(l) ?? []))].sort();
+  if (has(LABEL_UNTRUSTED) && has(LABEL_PRIVATE) && has(LABEL_PUBLIC_SINK)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "full_chain",
+      title: "Full attack chain detected",
+      description: "This agent can fetch external content, read private data, and send data externally. An attacker could inject instructions via fetched content, read sensitive files, and exfiltrate them.",
+      servers_involved: serversFor(LABEL_UNTRUSTED, LABEL_PRIVATE, LABEL_PUBLIC_SINK),
+      labels_involved: [LABEL_UNTRUSTED, LABEL_PRIVATE, LABEL_PUBLIC_SINK],
+      remediation: "Scope filesystem access to non-sensitive directories. Remove or restrict external communication servers.",
+      tools_involved: []
+    });
+    return flows;
+  }
+  if (has(LABEL_PRIVATE) && has(LABEL_PUBLIC_SINK)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "data_exfiltration",
+      title: "Data exfiltration path detected",
+      description: "This agent can read private data and send it externally. A prompt injection could instruct the agent to read sensitive files and leak them via an external service.",
+      servers_involved: serversFor(LABEL_PRIVATE, LABEL_PUBLIC_SINK),
+      labels_involved: [LABEL_PRIVATE, LABEL_PUBLIC_SINK],
+      remediation: "Scope filesystem access to non-sensitive directories only. Review which external services truly need write access.",
+      tools_involved: []
+    });
+  }
+  if (has(LABEL_UNTRUSTED) && has(LABEL_DESTRUCTIVE)) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "remote_code_execution",
+      title: "Remote code execution path detected",
+      description: "This agent can fetch external content and execute destructive operations. Fetched content could contain malicious instructions that modify files, execute commands, or alter databases.",
+      servers_involved: serversFor(LABEL_UNTRUSTED, LABEL_DESTRUCTIVE),
+      labels_involved: [LABEL_UNTRUSTED, LABEL_DESTRUCTIVE],
+      remediation: "Add confirmation steps before destructive operations. Restrict or sandbox the execution server.",
+      tools_involved: []
+    });
+  }
+  if (has(LABEL_PRIVATE) && has(LABEL_DESTRUCTIVE)) {
+    const privateServers = new Set(byLabel.get(LABEL_PRIVATE) ?? []);
+    const destructiveServers = new Set(byLabel.get(LABEL_DESTRUCTIVE) ?? []);
+    const same = privateServers.size === destructiveServers.size && [...privateServers].every((s) => destructiveServers.has(s));
+    if (!same) {
+      flows.push({
+        risk_level: "medium",
+        risk_type: "data_destruction",
+        title: "Data destruction path detected",
+        description: "This agent can read private data from one source and perform destructive operations on another. This could lead to data corruption or deletion.",
+        servers_involved: [.../* @__PURE__ */ new Set([...privateServers, ...destructiveServers])].sort(),
+        labels_involved: [LABEL_PRIVATE, LABEL_DESTRUCTIVE],
+        remediation: "Review whether both data read and write capabilities are necessary. Consider read-only access where possible.",
+        tools_involved: []
+      });
+    }
+  }
+  return flows;
+}
+function analyzeToxicFlows(servers) {
+  if (servers.length < 2) return [];
+  const serverLabels = /* @__PURE__ */ new Map();
+  for (const srv of servers) {
+    const name = srv.name ?? "unknown";
+    const labels = classifyServer(srv);
+    if (labels.size > 0) {
+      serverLabels.set(name, labels);
+    }
+  }
+  if (serverLabels.size === 0) return [];
+  return detectCombos(serverLabels);
+}
+
+// src/guard.ts
+var MAX_FILE_SIZE = 10 * 1024 * 1024;
+function extractSkillName(filePath) {
+  const name = basename3(filePath);
+  if (name.toLowerCase() === "skill.md") {
+    const parts = filePath.split("/");
+    return parts[parts.length - 2] ?? name;
+  }
+  const ext = extname(name);
+  return ext ? name.slice(0, -ext.length) : name;
+}
+function computeVerdict(findings) {
+  if (findings.length === 0) return GuardVerdict.SAFE;
+  if (findings.some((f) => f.severity === "critical")) return GuardVerdict.DANGER;
+  if (findings.some((f) => f.severity === "high" || f.severity === "medium")) return GuardVerdict.WARNING;
+  return GuardVerdict.SAFE;
+}
+function scanSkillFile(filePath, scanner, blocklist) {
+  const name = extractSkillName(filePath);
+  let content;
+  let sha256;
+  try {
+    const stat = statSync6(filePath);
+    if (stat.size > MAX_FILE_SIZE) {
+      return {
+        name,
+        path: filePath,
+        verdict: GuardVerdict.ERROR,
+        findings: [{
+          code: "SKILL-ERR",
+          title: "File too large",
+          description: `File is ${Math.floor(stat.size / 1024 / 1024)}MB, max is 10MB.`,
+          severity: "low",
+          evidence: "",
+          remediation: "Skill files should be small text files."
+        }],
+        blocklist_match: false,
+        sha256: ""
+      };
+    }
+    const raw = readFileSync6(filePath);
+    sha256 = createHash3("sha256").update(raw).digest("hex");
+    content = raw.toString("utf-8");
+  } catch (err) {
+    return {
+      name,
+      path: filePath,
+      verdict: GuardVerdict.ERROR,
+      findings: [{
+        code: "SKILL-ERR",
+        title: "Could not read file",
+        description: String(err),
+        severity: "low",
+        evidence: "",
+        remediation: "Check file permissions."
+      }],
+      blocklist_match: false,
+      sha256: ""
+    };
+  }
+  if (!content.trim()) {
+    return { name, path: filePath, verdict: GuardVerdict.SAFE, findings: [], blocklist_match: false, sha256 };
+  }
+  if (blocklist.isBlocked(sha256)) {
+    return {
+      name,
+      path: filePath,
+      verdict: GuardVerdict.DANGER,
+      findings: [{
+        code: "SKILL-000",
+        title: "Known malicious skill",
+        description: "This skill matches a known malware hash in the AgentSeal threat database.",
+        severity: "critical",
+        evidence: `SHA256: ${sha256}`,
+        remediation: "Remove this skill immediately and rotate all credentials."
+      }],
+      blocklist_match: true,
+      sha256
+    };
+  }
+  const findings = scanner.scanPatterns(content);
+  const deobfuscated = deobfuscate(content);
+  if (deobfuscated !== content) {
+    const deobFindings = scanner.scanPatterns(deobfuscated);
+    const existing = new Set(findings.map((f) => `${f.code}::${f.evidence}`));
+    for (const f of deobFindings) {
+      if (!existing.has(`${f.code}::${f.evidence}`)) {
+        findings.push(f);
+      }
+    }
+  }
+  const verdict = computeVerdict(findings);
+  return { name, path: filePath, verdict, findings, blocklist_match: false, sha256 };
+}
+var Guard = class {
+  options;
+  constructor(options = {}) {
+    this.options = options;
+  }
+  /** Execute full guard scan. Returns a GuardReport with all findings. */
+  async run() {
+    if (this.options.fromJson) {
+      const data = JSON.parse(readFileSync6(this.options.fromJson, "utf-8"));
+      return guardReportFromDict(data);
+    }
+    const start = performance.now();
+    const progress = this.options.onProgress ?? (() => {
+    });
+    const config = this.options.config ?? resolveProjectConfig({ searchDir: this.options.scanPath });
+    let ruleEngine = null;
+    const rulesPaths = this.options.rulesPaths ?? config?.rules_paths ?? [];
+    if (rulesPaths.length > 0) {
+      try {
+        ruleEngine = RuleEngine.fromPaths(rulesPaths);
+      } catch (err) {
+        process.stderr.write(`[agentseal] warning: failed to load rules: ${err}
+`);
+      }
+    }
+    let discovery;
+    if (this.options.scanPath) {
+      progress("discover", `Scanning directory: ${this.options.scanPath}`);
+      discovery = scanDirectory(this.options.scanPath);
+    } else {
+      progress("discover", "Scanning for AI agents, skills, and MCP servers...");
+      discovery = scanMachine();
+    }
+    const installedCount = discovery.agents.filter(
+      (a) => a.status === "found" || a.status === "installed_no_config"
+    ).length;
+    progress(
+      "discover",
+      `Found ${installedCount} agents, ${discovery.skillPaths.length} skills, ${discovery.mcpServers.length} MCP servers`
+    );
+    let skillPaths = discovery.skillPaths;
+    if (config && config.ignore_paths.length > 0) {
+      skillPaths = skillPaths.filter((p) => !shouldIgnorePath(config, p));
+    }
+    progress("skills", `Scanning ${skillPaths.length} skills for threats...`);
+    const scanner = new SkillScanner();
+    const blocklist = new Blocklist();
+    const skillResults = [];
+    for (let i = 0; i < skillPaths.length; i++) {
+      const path = skillPaths[i];
+      progress("skills", `[${i + 1}/${skillPaths.length}] ${basename3(path)}`);
+      skillResults.push(scanSkillFile(path, scanner, blocklist));
+    }
+    const customFindings = [];
+    if (ruleEngine) {
+      for (const skill of skillResults) {
+        let content = "";
+        try {
+          content = readFileSync6(skill.path, "utf-8").slice(0, 10240);
+        } catch {
+        }
+        const findings = ruleEngine.evaluateSkill(skill, content);
+        customFindings.push(...findings);
+      }
+    }
+    const rawMcpConfigs = discovery.mcpServers;
+    progress("mcp", `Checking ${rawMcpConfigs.length} MCP server configurations...`);
+    const mcpChecker = new MCPConfigChecker();
+    const mcpResults = mcpChecker.checkAll(rawMcpConfigs);
+    if (ruleEngine) {
+      for (let i = 0; i < mcpResults.length; i++) {
+        const result = mcpResults[i];
+        const rawConfig = rawMcpConfigs[i] ?? {};
+        const findings = ruleEngine.evaluateMcp(result, rawConfig);
+        customFindings.push(...findings);
+      }
+    }
+    if (ruleEngine) {
+      for (const agent of discovery.agents) {
+        const findings = ruleEngine.evaluateAgent(agent);
+        customFindings.push(...findings);
+      }
+    }
+    if (!this.options.noRegistry) {
+      try {
+        await enrichMcpResults(mcpResults);
+      } catch {
+      }
+    }
+    const unlistedFindings = config ? generateUnlistedFindings(config, discovery.agents, rawMcpConfigs) : [];
+    const toxicFlows = rawMcpConfigs.length >= 2 ? analyzeToxicFlows(rawMcpConfigs) : [];
+    if (toxicFlows.length > 0) {
+      progress("flows", `Found ${toxicFlows.length} toxic flow(s)`);
+    }
+    const baselineStore = new BaselineStore();
+    const baselineChanges = rawMcpConfigs.length > 0 ? baselineStore.checkAll(rawMcpConfigs).map((c) => ({
+      server_name: c.server_name,
+      agent_type: c.agent_type,
+      change_type: c.change_type,
+      detail: c.detail
+    })) : [];
+    if (baselineChanges.length > 0) {
+      progress("baselines", `${baselineChanges.length} baseline change(s) detected`);
+    }
+    if (config && config.ignore_findings.length > 0) {
+      for (const skill of skillResults) {
+        skill.findings = skill.findings.filter(
+          (f) => !shouldIgnoreFinding(config, f.code, skill.path)
+        );
+        skill.verdict = computeVerdict(skill.findings);
+      }
+      for (const mcp of mcpResults) {
+        mcp.findings = mcp.findings.filter(
+          (f) => !shouldIgnoreFinding(config, f.code, mcp.source_file)
+        );
+        if (mcp.findings.length === 0) {
+          mcp.verdict = GuardVerdict.SAFE;
+        } else if (mcp.findings.some((f) => f.severity === "critical")) {
+          mcp.verdict = GuardVerdict.DANGER;
+        } else if (mcp.findings.some((f) => f.severity === "high" || f.severity === "medium")) {
+          mcp.verdict = GuardVerdict.WARNING;
+        } else {
+          mcp.verdict = GuardVerdict.SAFE;
+        }
+      }
+    }
+    const duration = (performance.now() - start) / 1e3;
+    const report = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      duration_seconds: Math.round(duration * 100) / 100,
+      agents_found: discovery.agents,
+      skill_results: skillResults,
+      mcp_results: mcpResults,
+      mcp_runtime_results: [],
+      toxic_flows: toxicFlows,
+      baseline_changes: baselineChanges,
+      llm_tokens_used: 0,
+      unlisted_findings: unlistedFindings,
+      custom_findings: customFindings,
+      config_path: config?.config_path ?? ""
+    };
+    if (!this.options.noDiff) {
+      try {
+        const store = new HistoryStore();
+        store.save(report, this.options.scanPath);
+        const prev = store.loadPrevious(this.options.scanPath);
+        if (prev) {
+          const _delta = computeDelta(report, prev, this.options.scanPath);
+        }
+        store.close();
+      } catch {
+      }
+    }
+    return report;
+  }
+};
+
+// bin/agentseal.ts
+var VERSION = "0.1.0";
+function printBanner() {
+  const R = "\x1B[0m";
+  const D = "\x1B[90m";
+  const C = "\x1B[36m";
+  console.log();
+  console.log(`  ${C}\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557${R}`);
+  console.log(`  ${C}\u2551         A G E N T S E A L             \u2551${R}`);
+  console.log(`  ${C}\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D${R}`);
+  console.log(`  ${D}v${VERSION}  Security Validator for AI Agents${R}`);
+  console.log();
+}
+function resolveApiKey(args) {
+  if (args.apiKey) return args.apiKey;
+  if (args.model?.startsWith("claude") || args.model?.startsWith("anthropic/")) {
+    return process.env["ANTHROPIC_API_KEY"];
+  }
+  return process.env["OPENAI_API_KEY"];
+}
+async function buildValidator(systemPrompt, args) {
+  const model = args.model;
+  if (!model) {
+    console.error("Error: --model is required when using --prompt or --file");
+    process.exit(1);
+  }
+  const commonOpts = {
+    agentName: args.name ?? "My Agent",
+    concurrency: args.concurrency ?? 3,
+    timeoutPerProbe: args.timeout ?? 30,
+    verbose: args.verbose ?? false,
+    adaptive: args.adaptive ?? false
+  };
+  if (model.startsWith("ollama/")) {
+    const ollamaModel = model.replace("ollama/", "");
+    return AgentValidator.fromOllama({
+      model: ollamaModel,
+      systemPrompt,
+      baseUrl: args.ollamaUrl ?? "http://localhost:11434",
+      ...commonOpts
+    });
+  }
+  if (model.startsWith("claude")) {
+    const apiKey2 = resolveApiKey(args);
+    if (!apiKey2) {
+      console.error("Error: ANTHROPIC_API_KEY not found. Set via --api-key or env variable.");
+      process.exit(1);
+    }
+    const agentFn2 = async (message) => {
+      const res = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "x-api-key": apiKey2,
+          "anthropic-version": "2023-06-01"
+        },
+        body: JSON.stringify({
+          model,
+          max_tokens: 1024,
+          system: systemPrompt,
+          messages: [{ role: "user", content: message }]
+        })
+      });
+      const data = await res.json();
+      return data.content?.[0]?.text ?? "";
+    };
+    return new AgentValidator({
+      agentFn: agentFn2,
+      groundTruthPrompt: systemPrompt,
+      ...commonOpts
+    });
+  }
+  const apiKey = resolveApiKey(args);
+  if (!apiKey) {
+    console.error("Error: OPENAI_API_KEY not found. Set via --api-key or env variable.");
+    process.exit(1);
+  }
+  const agentFn = async (message) => {
+    const res = await fetch("https://api.openai.com/v1/chat/completions", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({
+        model,
+        messages: [
+          { role: "system", content: systemPrompt },
+          { role: "user", content: message }
+        ]
+      })
+    });
+    const data = await res.json();
+    return data.choices?.[0]?.message?.content ?? "";
+  };
+  return new AgentValidator({
+    agentFn,
+    groundTruthPrompt: systemPrompt,
+    ...commonOpts
   });
 }
 function printReport(report) {
@@ -3107,7 +6615,7 @@ program.command("scan").description("Run security scan against an agent").option
   } else if (inlinePrompt) {
     systemPrompt = inlinePrompt;
   } else if (opts.file) {
-    systemPrompt = readFileSync(opts.file, "utf-8").trim();
+    systemPrompt = readFileSync7(opts.file, "utf-8").trim();
   }
   let validator;
   if (opts.url) {
@@ -3168,7 +6676,7 @@ program.command("scan").description("Run security scan against an agent").option
     }
   }
   if (opts.save) {
-    writeFileSync(opts.save, JSON.stringify(report, null, 2));
+    writeFileSync4(opts.save, JSON.stringify(report, null, 2));
     console.log(`
 Report saved to ${opts.save}`);
   }
@@ -3182,8 +6690,8 @@ CI check failed: score ${report.trust_score.toFixed(1)} < threshold ${threshold}
   }
 });
 program.command("compare").description("Compare two scan reports").argument("<baseline>", "Path to baseline report (JSON)").argument("<current>", "Path to current report (JSON)").option("-o, --output <format>", "Output format: terminal, json", "terminal").action((baselinePath, currentPath, opts) => {
-  const baseline = JSON.parse(readFileSync(baselinePath, "utf-8"));
-  const current = JSON.parse(readFileSync(currentPath, "utf-8"));
+  const baseline = JSON.parse(readFileSync7(baselinePath, "utf-8"));
+  const current = JSON.parse(readFileSync7(currentPath, "utf-8"));
   const result = compareReports(baseline, current);
   if (opts.output === "json") {
     console.log(JSON.stringify(result, null, 2));
@@ -3205,4 +6713,319 @@ Improvements:`);
     }
   }
 });
+function stripAnsi(s) {
+  return s.replace(/\x1b\[[0-9;]*m/g, "");
+}
+function col(s, width) {
+  return s + " ".repeat(Math.max(0, width - stripAnsi(s).length));
+}
+function verdictColor(verdict) {
+  const R = "\x1B[0m";
+  switch (verdict) {
+    case "safe":
+      return `\x1B[32m${verdict.toUpperCase()}${R}`;
+    case "warning":
+      return `\x1B[33m${verdict.toUpperCase()}${R}`;
+    case "danger":
+      return `\x1B[31m${verdict.toUpperCase()}${R}`;
+    case "error":
+      return `\x1B[90m${verdict.toUpperCase()}${R}`;
+    default:
+      return verdict.toUpperCase();
+  }
+}
+function severityColor(severity) {
+  const R = "\x1B[0m";
+  switch (severity) {
+    case "critical":
+      return `\x1B[31m${severity}${R}`;
+    case "high":
+      return `\x1B[31m${severity}${R}`;
+    case "medium":
+      return `\x1B[33m${severity}${R}`;
+    case "low":
+      return `\x1B[90m${severity}${R}`;
+    default:
+      return severity;
+  }
+}
+function renderGuardTerminal(report, opts = {}) {
+  const R = "\x1B[0m";
+  const C = "\x1B[36m";
+  const B = "\x1B[1m";
+  const D = "\x1B[90m";
+  const G = "\x1B[32m";
+  const Y = "\x1B[33m";
+  const RED = "\x1B[31m";
+  console.log();
+  console.log(`  ${C}${B}AgentSeal Guard${R} ${D}\u2014 Machine Security Scan${R}`);
+  console.log(`  ${D}${"\u2500".repeat(50)}${R}`);
+  console.log();
+  const agents = report.agents_found ?? [];
+  if (agents.length > 0) {
+    console.log(`  ${C}${B}AGENTS${R}`);
+    console.log(`  ${col(D + "NAME" + R, 30)} ${D}STATUS${R}`);
+    for (const a of agents) {
+      const status = a.status === "found" || a.status === "installed_no_config" ? `${G}installed${R}` : `${D}${a.status}${R}`;
+      console.log(`  ${col(a.name, 30)} ${status}`);
+    }
+    console.log();
+  }
+  const skills = report.skill_results ?? [];
+  const dangerOrWarnSkills = opts.verbose ? skills : skills.filter((s) => s.verdict !== "safe");
+  if (dangerOrWarnSkills.length > 0 || opts.verbose && skills.length > 0) {
+    console.log(`  ${C}${B}SKILLS${R}`);
+    console.log(`  ${col(D + "NAME" + R, 24)} ${col(D + "VERDICT" + R, 16)} ${col(D + "SEVERITY" + R, 14)} ${D}FINDING${R}`);
+    const toShow = opts.verbose ? skills : dangerOrWarnSkills;
+    for (const s of toShow) {
+      const topFinding = s.findings[0];
+      const sev = topFinding ? severityColor(topFinding.severity) : `${D}-${R}`;
+      const finding = topFinding ? topFinding.title : s.verdict === "safe" ? `${G}No issues${R}` : "-";
+      console.log(`  ${col(s.name, 24)} ${col(verdictColor(s.verdict), 16)} ${col(sev, 14)} ${finding}`);
+      if (opts.verbose && s.findings.length > 1) {
+        for (const f of s.findings.slice(1)) {
+          console.log(`  ${col("", 24)} ${col("", 16)} ${col(severityColor(f.severity), 14)} ${f.title}`);
+        }
+      }
+    }
+    if (!opts.verbose && skills.length > dangerOrWarnSkills.length) {
+      const safeCount = skills.length - dangerOrWarnSkills.length;
+      console.log(`  ${D}  ... ${safeCount} safe skill(s) hidden (use --verbose)${R}`);
+    }
+    console.log();
+  }
+  const mcps = report.mcp_results ?? [];
+  const hasRegistryScores = mcps.some((m) => m.registry_score !== void 0 && m.registry_score !== null);
+  const dangerOrWarnMcps = opts.verbose ? mcps : mcps.filter((m) => m.verdict !== "safe");
+  if (dangerOrWarnMcps.length > 0 || opts.verbose && mcps.length > 0) {
+    console.log(`  ${C}${B}MCP SERVERS${R}`);
+    let header = `  ${col(D + "NAME" + R, 24)} ${col(D + "VERDICT" + R, 16)} ${col(D + "SEVERITY" + R, 14)}`;
+    if (hasRegistryScores) header += ` ${col(D + "REGISTRY" + R, 12)}`;
+    header += ` ${D}FINDING${R}`;
+    console.log(header);
+    const toShow = opts.verbose ? mcps : dangerOrWarnMcps;
+    for (const m of toShow) {
+      const topFinding = m.findings[0];
+      const sev = topFinding ? severityColor(topFinding.severity) : `${D}-${R}`;
+      const finding = topFinding ? topFinding.title : m.verdict === "safe" ? `${G}No issues${R}` : "-";
+      let line = `  ${col(m.name, 24)} ${col(verdictColor(m.verdict), 16)} ${col(sev, 14)}`;
+      if (hasRegistryScores) {
+        const score = m.registry_score !== void 0 && m.registry_score !== null ? `${m.registry_score}/100` : `${D}-${R}`;
+        line += ` ${col(String(score), 12)}`;
+      }
+      line += ` ${finding}`;
+      console.log(line);
+      if (opts.verbose && m.findings.length > 1) {
+        for (const f of m.findings.slice(1)) {
+          let extra = `  ${col("", 24)} ${col("", 16)} ${col(severityColor(f.severity), 14)}`;
+          if (hasRegistryScores) extra += ` ${col("", 12)}`;
+          extra += ` ${f.title}`;
+          console.log(extra);
+        }
+      }
+    }
+    if (!opts.verbose && mcps.length > dangerOrWarnMcps.length) {
+      const safeCount = mcps.length - dangerOrWarnMcps.length;
+      console.log(`  ${D}  ... ${safeCount} safe server(s) hidden (use --verbose)${R}`);
+    }
+    console.log();
+  }
+  const custom = report.custom_findings ?? [];
+  if (custom.length > 0) {
+    console.log(`  ${C}${B}CUSTOM RULES${R}`);
+    console.log(`  ${col(D + "NAME" + R, 24)} ${col(D + "VERDICT" + R, 16)} ${col(D + "SEVERITY" + R, 14)} ${D}FINDING${R}`);
+    for (const c of custom) {
+      console.log(`  ${col(c.entity_name, 24)} ${col(verdictColor(c.verdict), 16)} ${col(severityColor(c.severity), 14)} ${c.title}`);
+    }
+    console.log();
+  }
+  const config = opts.config;
+  if (config) {
+    console.log(`  ${C}${B}POLICY${R}`);
+    console.log(`  ${D}config:${R}    ${config.config_path}`);
+    console.log(`  ${D}fail_on:${R}   ${config.fail_on}`);
+    if (config.allowed_agents.length > 0) {
+      console.log(`  ${D}agents:${R}    ${config.allowed_agents.join(", ")}`);
+    }
+    if (config.allowed_mcp_servers.length > 0) {
+      console.log(`  ${D}mcp:${R}       ${config.allowed_mcp_servers.join(", ")}`);
+    }
+    console.log();
+  }
+  const delta = opts.delta;
+  if (delta && (delta.total_new > 0 || delta.total_resolved > 0 || delta.total_changed > 0)) {
+    console.log(`  ${C}${B}DELTA${R} ${D}(vs previous scan)${R}`);
+    console.log(`  ${RED}+${delta.total_new} new${R}  ${G}-${delta.total_resolved} resolved${R}  ${Y}~${delta.total_changed} changed${R}`);
+    for (const e of delta.entries.slice(0, 10)) {
+      const prefix = e.change_type === "new" || e.change_type === "new_entity" ? `${RED}+${R}` : e.change_type === "resolved" || e.change_type === "removed_entity" ? `${G}-${R}` : `${Y}~${R}`;
+      const label = e.code ? `${e.code}: ${e.title ?? ""}` : e.entity_name;
+      console.log(`    ${prefix} [${e.entity_type}] ${label}`);
+    }
+    if (delta.entries.length > 10) {
+      console.log(`  ${D}  ... ${delta.entries.length - 10} more entries${R}`);
+    }
+    console.log();
+  }
+  const dangers = totalDangers(report);
+  const warnings = totalWarnings(report);
+  const safe = totalSafe(report);
+  console.log(`  ${D}${"\u2500".repeat(50)}${R}`);
+  const summaryParts = [];
+  if (dangers > 0) summaryParts.push(`${RED}${B}${dangers} DANGER${R}`);
+  if (warnings > 0) summaryParts.push(`${Y}${B}${warnings} WARNING${R}`);
+  summaryParts.push(`${G}${B}${safe} SAFE${R}`);
+  console.log(`  ${summaryParts.join("  ")}  ${D}(${report.duration_seconds.toFixed(1)}s)${R}`);
+  console.log();
+}
+var guardCmd = program.command("guard").description("Scan machine for AI agent security issues").argument("[path]", "directory to scan (default: entire machine)").option("--verbose", "show all findings").option("--no-registry", "skip agentseal.org enrichment").option("--no-diff", "skip delta comparison").option("--from-json <path>", "re-render saved JSON report").option("--fail-on <level>", "exit code threshold: danger|warning|safe").option("--rules <path>", "custom YAML rules path").option("--config <path>", "explicit .agentseal.yaml path").option("-o, --output <format>", "output format: terminal|json|sarif", "terminal").option("--save <path>", "save JSON report to file").option("--reset-baselines", "re-trust all MCP servers").action(async (scanPath, opts) => {
+  try {
+    if (opts.resetBaselines) {
+      const store = new BaselineStore();
+      const count = store.reset();
+      console.log(`Reset ${count} baseline(s). All MCP servers will be re-trusted on next scan.`);
+      return;
+    }
+    if (opts.fromJson) {
+      const data = JSON.parse(readFileSync7(opts.fromJson, "utf-8"));
+      const report2 = guardReportFromDict(data);
+      if (opts.output === "json") {
+        console.log(JSON.stringify(report2, null, 2));
+      } else if (opts.output === "sarif") {
+        console.log(JSON.stringify({ $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version: "2.1.0", runs: [{ tool: { driver: { name: "agentseal-guard" } }, results: report2 }] }, null, 2));
+      } else {
+        renderGuardTerminal(report2, { verbose: opts.verbose });
+      }
+      return;
+    }
+    const config = resolveProjectConfig({
+      configPath: opts.config,
+      searchDir: scanPath
+    });
+    const rulesPaths = [];
+    if (opts.rules) {
+      rulesPaths.push(opts.rules);
+    }
+    const guard = new Guard({
+      scanPath,
+      verbose: opts.verbose,
+      noRegistry: opts.registry === false,
+      noDiff: opts.diff === false,
+      config: config ?? void 0,
+      rulesPaths: rulesPaths.length > 0 ? rulesPaths : void 0,
+      onProgress: (phase, detail) => {
+        if (opts.output === "terminal") {
+          process.stderr.write(`\x1B[90m  [${phase}] ${detail}\x1B[0m
+`);
+        }
+      }
+    });
+    const report = await guard.run();
+    let delta = null;
+    if (opts.diff !== false) {
+      try {
+        const store = new HistoryStore();
+        const prev = store.loadPrevious(scanPath);
+        if (prev) {
+          const deltaResult = computeDelta(report, prev, scanPath);
+          delta = {
+            total_new: deltaResult.total_new,
+            total_resolved: deltaResult.total_resolved,
+            total_changed: deltaResult.total_changed,
+            entries: deltaResult.entries
+          };
+        }
+        store.close();
+      } catch {
+      }
+    }
+    if (opts.output === "json") {
+      console.log(JSON.stringify(report, null, 2));
+    } else if (opts.output === "sarif") {
+      console.log(JSON.stringify({
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [{
+          tool: { driver: { name: "agentseal-guard", version: VERSION } },
+          results: report
+        }]
+      }, null, 2));
+    } else {
+      renderGuardTerminal(report, {
+        verbose: opts.verbose,
+        config: config ?? void 0,
+        delta
+      });
+    }
+    if (opts.save) {
+      writeFileSync4(opts.save, JSON.stringify(report, null, 2));
+      console.log(`Report saved to ${opts.save}`);
+    }
+    const failLevel = opts.failOn ?? config?.fail_on ?? "danger";
+    const hasDanger = totalDangers(report) > 0;
+    const hasWarning = totalWarnings(report) > 0;
+    if (shouldFail(failLevel, { hasDanger, hasWarning })) {
+      process.exit(1);
+    }
+  } catch (err) {
+    console.error(`Error: ${err}`);
+    process.exit(2);
+  }
+});
+guardCmd.command("init").description("Initialize .agentseal.yaml config").option("--force", "overwrite existing config").action((opts) => {
+  try {
+    const written = runGuardInit({ force: opts.force });
+    if (written) {
+      console.log("\x1B[32mCreated .agentseal.yaml\x1B[0m");
+      console.log("  Edit allowed_agents and allowed_mcp_servers to match your setup.");
+    } else {
+      console.log("\x1B[33m.agentseal.yaml already exists.\x1B[0m Use --force to overwrite.");
+    }
+  } catch (err) {
+    console.error(`Error: ${err}`);
+    process.exit(2);
+  }
+});
+guardCmd.command("test").description("Run self-tests on custom rules").option("--rules <path>", "rules path (default: .agentseal/rules/)").action((opts) => {
+  try {
+    const R = "\x1B[0m";
+    const G = "\x1B[32m";
+    const RED = "\x1B[31m";
+    const B = "\x1B[1m";
+    const rulesPath = opts.rules ?? ".agentseal/rules";
+    if (!existsSync5(rulesPath)) {
+      console.error(`Rules path not found: ${rulesPath}`);
+      console.error("Create custom rules in .agentseal/rules/ or specify --rules <path>");
+      process.exit(2);
+    }
+    const engine = RuleEngine.fromPaths([rulesPath]);
+    const results = engine.runTests();
+    if (results.length === 0) {
+      console.log("No tests found in rules. Add 'tests:' entries to your rule YAML files.");
+      return;
+    }
+    console.log(`
+  ${B}Rule Tests${R}
+`);
+    let passed = 0;
+    let failed = 0;
+    for (const r of results) {
+      if (r.passed) {
+        console.log(`  ${G}PASS${R} ${r.rule_id} / ${r.test_name}`);
+        passed++;
+      } else {
+        console.log(`  ${RED}FAIL${R} ${r.rule_id} / ${r.test_name}  (expected: ${r.expected}, got: ${r.actual})`);
+        failed++;
+      }
+    }
+    console.log();
+    console.log(`  ${passed} passed, ${failed} failed`);
+    console.log();
+    if (failed > 0) {
+      process.exit(1);
+    }
+  } catch (err) {
+    console.error(`Error: ${err}`);
+    process.exit(2);
+  }
+});
 program.parse();