agentseal 0.9.0 → 0.9.2

package/dist/llm-client-7C4LHDD4.js

@@ -0,0 +1,156 @@
+#!/usr/bin/env node
+import "./chunk-7N7GSU6K.js";
+
+// src/guard/llm-client.ts
+var LLMClient = class {
+};
+var OllamaClient = class extends LLMClient {
+  _model;
+  _baseUrl;
+  constructor(model, baseUrl = "http://localhost:11434") {
+    super();
+    this._model = model;
+    this._baseUrl = baseUrl;
+  }
+  async complete(system, user) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 3e5);
+    try {
+      const resp = await fetch(`${this._baseUrl}/api/chat`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          model: this._model,
+          messages: [
+            { role: "system", content: system },
+            { role: "user", content: user }
+          ],
+          stream: false
+        }),
+        signal: controller.signal
+      });
+      if (!resp.ok) {
+        throw new Error(`Ollama request failed: ${resp.status} ${resp.statusText}`);
+      }
+      const data = await resp.json();
+      return data.message.content;
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+};
+var AnthropicClient = class extends LLMClient {
+  _model;
+  _apiKey;
+  constructor(model, apiKey) {
+    super();
+    this._model = model;
+    this._apiKey = apiKey;
+  }
+  async complete(system, user) {
+    const resp = await fetch("https://api.anthropic.com/v1/messages", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": this._apiKey,
+        "anthropic-version": "2023-06-01"
+      },
+      body: JSON.stringify({
+        model: this._model,
+        max_tokens: 4096,
+        system,
+        messages: [{ role: "user", content: user }]
+      })
+    });
+    if (!resp.ok) {
+      throw new Error(`Anthropic request failed: ${resp.status} ${resp.statusText}`);
+    }
+    const data = await resp.json();
+    return data.content[0].text;
+  }
+};
+var OpenAICompatClient = class extends LLMClient {
+  _model;
+  _apiKey;
+  _baseUrl;
+  constructor(model, apiKey, baseUrl = "https://api.openai.com/v1") {
+    super();
+    this._model = model;
+    this._apiKey = apiKey;
+    this._baseUrl = baseUrl;
+  }
+  async complete(system, user) {
+    const resp = await fetch(`${this._baseUrl}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this._apiKey}`
+      },
+      body: JSON.stringify({
+        model: this._model,
+        messages: [
+          { role: "system", content: system },
+          { role: "user", content: user }
+        ],
+        max_tokens: 4096
+      })
+    });
+    if (!resp.ok) {
+      throw new Error(`OpenAI-compat request failed: ${resp.status} ${resp.statusText}`);
+    }
+    const data = await resp.json();
+    return data.choices[0].message.content;
+  }
+};
+async function detectOllamaModel() {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 3e3);
+    try {
+      const resp = await fetch("http://localhost:11434/api/tags", {
+        signal: controller.signal
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        const models = data.models ?? [];
+        if (models.length > 0) {
+          return models[0].name;
+        }
+      }
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch {
+  }
+  return null;
+}
+function resolveClient(model, opts) {
+  if (model.startsWith("ollama:") || model.startsWith("ollama/")) {
+    const name = model.startsWith("ollama:") ? model.slice("ollama:".length) : model.slice("ollama/".length);
+    return new OllamaClient(name);
+  }
+  if (model.startsWith("claude")) {
+    const key2 = opts?.apiKey ?? process.env["ANTHROPIC_API_KEY"];
+    if (!key2) {
+      throw new Error(
+        "Claude models require apiKey option or ANTHROPIC_API_KEY env var"
+      );
+    }
+    return new AnthropicClient(model, key2);
+  }
+  const key = opts?.apiKey ?? process.env["OPENAI_API_KEY"];
+  if (!key) {
+    throw new Error(
+      `Model '${model}' requires apiKey option or OPENAI_API_KEY env var`
+    );
+  }
+  return new OpenAICompatClient(model, key);
+}
+export {
+  AnthropicClient,
+  LLMClient,
+  OllamaClient,
+  OpenAICompatClient,
+  detectOllamaModel,
+  resolveClient
+};

package/dist/profiles-7SYXUQLY.js

@@ -0,0 +1,108 @@
+#!/usr/bin/env node
+import "./chunk-7N7GSU6K.js";
+
+// src/profiles.ts
+var BOOL_FLAGS = [
+  "adaptive",
+  "semantic",
+  "mcp",
+  "rag",
+  "multimodal",
+  "genome",
+  "useCanaryOnly"
+];
+var OPT_FIELDS = ["concurrency", "timeout", "output", "minScore"];
+var PROFILES = {
+  quick: {
+    description: "Fast canary check (5 probes, ~10s)",
+    useCanaryOnly: true,
+    concurrency: 5,
+    timeout: 15
+  },
+  default: {
+    description: "Standard scan (225 probes)"
+  },
+  "code-agent": {
+    description: "Coding assistant scan (225+ probes)",
+    adaptive: true,
+    mcp: true,
+    semantic: true
+  },
+  "support-bot": {
+    description: "Customer-facing chatbot scan",
+    adaptive: true,
+    semantic: true
+  },
+  "rag-agent": {
+    description: "RAG pipeline agent scan",
+    adaptive: true,
+    rag: true,
+    semantic: true
+  },
+  "mcp-heavy": {
+    description: "Multi-tool MCP agent scan",
+    adaptive: true,
+    mcp: true,
+    semantic: true
+  },
+  full: {
+    description: "Full scan - all probes and analysis",
+    adaptive: true,
+    mcp: true,
+    rag: true,
+    multimodal: true,
+    genome: true,
+    semantic: true
+  },
+  ci: {
+    description: "CI/CD pipeline optimized",
+    concurrency: 5,
+    timeout: 15,
+    output: "json"
+  }
+};
+function resolveProfile(name) {
+  const key = name.toLowerCase();
+  if (key in PROFILES) return PROFILES[key];
+  const valid = Object.keys(PROFILES).sort().join(", ");
+  throw new Error(`Unknown profile '${name}'. Valid profiles: ${valid}`);
+}
+function applyProfile(opts, profile) {
+  for (const flag of BOOL_FLAGS) {
+    if (!opts[flag]) {
+      const val = profile[flag];
+      if (val) opts[flag] = val;
+    }
+  }
+  for (const field of OPT_FIELDS) {
+    const val = profile[field];
+    if (val !== void 0 && val !== null && (opts[field] === void 0 || opts[field] === null)) {
+      opts[field] = val;
+    }
+  }
+}
+function listProfiles() {
+  const lines = [];
+  lines.push(`${"Profile".padEnd(14)} ${"Description".padEnd(42)} Enables`);
+  lines.push("-".repeat(80));
+  for (const [name, cfg] of Object.entries(PROFILES)) {
+    const enabled = [];
+    for (const f of BOOL_FLAGS) {
+      if (cfg[f]) enabled.push(f);
+    }
+    const extras = [];
+    for (const f of OPT_FIELDS) {
+      const v = cfg[f];
+      if (v !== void 0 && v !== null) extras.push(`${f}=${v}`);
+    }
+    const parts = [...enabled, ...extras];
+    lines.push(`${name.padEnd(14)} ${cfg.description.padEnd(42)} ${parts.join(", ") || "-"}`);
+  }
+  return lines.join("\n");
+}
+export {
+  PROFILES,
+  applyProfile,
+  listProfiles,
+  resolveProfile
+};

package/dist/project-IIYVIGAI.js

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+import {
+  setProjectDir
+} from "./chunk-2WEF3SNR.js";
+import "./chunk-OWUAAOL5.js";
+import "./chunk-4EOVMNW5.js";
+import "./chunk-7N7GSU6K.js";
+export {
+  setProjectDir
+};

package/dist/scan-mcp-NDDHRBKV.js

@@ -0,0 +1,380 @@
+#!/usr/bin/env node
+import {
+  GuardVerdict,
+  SEVERITY_ORDER
+} from "./chunk-IGSX7F4B.js";
+import "./chunk-7N7GSU6K.js";
+
+// src/scan-mcp.ts
+var TOOL_PATTERNS = [
+  {
+    code: "MCPR-101",
+    title: "Data exfiltration capability",
+    severity: "high",
+    remediation: "Review whether this tool needs network write access to external hosts.",
+    label: "public_sink",
+    patterns: [
+      /\bsend\b.*\b(email|mail|message|webhook|http|post)\b/i,
+      /\b(exfiltrat|upload|transmit|forward)\b/i,
+      /\b(slack|discord|telegram|teams|notify)\b.*\b(send|post|message)\b/i
+    ]
+  },
+  {
+    code: "MCPR-102",
+    title: "Remote code execution capability",
+    severity: "critical",
+    remediation: "Audit all code execution paths. Ensure inputs are strictly validated.",
+    label: "code_exec",
+    patterns: [
+      /\b(exec|execute|run|spawn|shell|bash|cmd|powershell)\b/i,
+      /\b(eval|interpret|compile)\b.*\b(code|script|command)\b/i,
+      /arbitrary\s+(code|command|script)/i
+    ]
+  },
+  {
+    code: "MCPR-103",
+    title: "Credential or secret access",
+    severity: "critical",
+    remediation: "Ensure secrets are never passed through tool arguments or returned in tool output.",
+    label: "credential_access",
+    patterns: [
+      /\b(password|passwd|secret|credential|token|api.?key|private.?key)\b/i,
+      /\b(keychain|credential.?store|secret.?manager)\b/i,
+      /\.ssh\/|\.aws\/credentials|\.env\b/i
+    ]
+  },
+  {
+    code: "MCPR-104",
+    title: "File system write access",
+    severity: "medium",
+    remediation: "Restrict write paths to known-safe directories. Reject path traversal inputs.",
+    label: "fs_write",
+    patterns: [
+      /\b(write|create|delete|remove|modify|overwrite)\b.*\bfile\b/i,
+      /\b(mkdir|rmdir|unlink|chmod|chown)\b/i
+    ]
+  },
+  {
+    code: "MCPR-105",
+    title: "Private data read access",
+    severity: "medium",
+    remediation: "Confirm this tool cannot be tricked into reading files outside its intended scope.",
+    label: "private_data",
+    patterns: [
+      /\b(read|fetch|load|get)\b.*\bfile\b/i,
+      /home.?director|user.?data|document|download/i
+    ]
+  }
+];
+function analyzeTools(serverName, tools) {
+  const findings = [];
+  for (const tool of tools) {
+    const text = `${tool.name} ${tool.description ?? ""}`;
+    for (const pattern of TOOL_PATTERNS) {
+      const matched = pattern.patterns.some((p) => p.test(text));
+      if (matched) {
+        findings.push({
+          code: pattern.code,
+          title: pattern.title,
+          description: `Tool '${tool.name}' matches ${pattern.label} pattern.`,
+          severity: pattern.severity,
+          evidence: tool.description?.slice(0, 200) ?? tool.name,
+          remediation: pattern.remediation,
+          tool_name: tool.name,
+          server_name: serverName
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+function computeServerVerdict(findings) {
+  if (findings.length === 0) return GuardVerdict.SAFE;
+  const minOrder = Math.min(
+    ...findings.map((f) => SEVERITY_ORDER[f.severity] ?? 99)
+  );
+  if (minOrder <= SEVERITY_ORDER["high"]) return GuardVerdict.DANGER;
+  return GuardVerdict.WARNING;
+}
+function computeServerScore(findings) {
+  if (findings.length === 0) return 100;
+  const deductions = {
+    critical: 40,
+    high: 25,
+    medium: 10,
+    low: 3
+  };
+  const total = findings.reduce(
+    (acc, f) => acc + (deductions[f.severity] ?? 0),
+    0
+  );
+  return Math.max(0, 100 - total);
+}
+async function tryConnectServer(server, timeoutMs) {
+  let sdk = null;
+  try {
+    sdk = await import("@modelcontextprotocol/sdk/client/index.js");
+  } catch {
+    return {
+      errorType: "sdk_missing",
+      detail: "Install @modelcontextprotocol/sdk to enable live MCP connections: npm install @modelcontextprotocol/sdk"
+    };
+  }
+  const { Client } = sdk;
+  const withTimeout = (promise) => Promise.race([
+    promise,
+    new Promise(
+      (_, reject) => setTimeout(() => reject(new Error("timeout")), timeoutMs)
+    )
+  ]);
+  try {
+    const client = new Client({ name: "agentseal-scan-mcp", version: "0.1.0" });
+    if (server.url) {
+      const { SSEClientTransport } = await import("@modelcontextprotocol/sdk/client/sse.js");
+      const transport = new SSEClientTransport(new URL(server.url));
+      await withTimeout(client.connect(transport));
+    } else if (server.command) {
+      const { StdioClientTransport } = await import("@modelcontextprotocol/sdk/client/stdio.js");
+      const transport = new StdioClientTransport({
+        command: server.command,
+        args: server.args ?? [],
+        env: server.env
+      });
+      await withTimeout(client.connect(transport));
+    } else {
+      return { errorType: "config_error", detail: "Server has no command or url." };
+    }
+    const listResult = await withTimeout(client.listTools());
+    await client.close().catch(() => {
+    });
+    return (listResult.tools ?? []).map((t) => ({
+      name: t.name,
+      description: t.description ?? "",
+      inputSchema: t.inputSchema
+    }));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg === "timeout") {
+      return { errorType: "timeout", detail: `Server did not respond within ${timeoutMs / 1e3}s.` };
+    }
+    if (/auth|401|403|unauthorized/i.test(msg)) {
+      return { errorType: "auth_failed", detail: msg };
+    }
+    return { errorType: "error", detail: msg };
+  }
+}
+var ScanMCPReport = class {
+  timestamp;
+  durationSeconds;
+  serversScanned;
+  serversConnected;
+  serversFailed;
+  totalTools;
+  runtimeResults;
+  toxicFlows;
+  baselineChanges;
+  connectionErrors;
+  constructor(init) {
+    this.timestamp = init.timestamp;
+    this.durationSeconds = init.durationSeconds;
+    this.serversScanned = init.serversScanned;
+    this.serversConnected = init.serversConnected;
+    this.serversFailed = init.serversFailed;
+    this.totalTools = init.totalTools;
+    this.runtimeResults = init.runtimeResults;
+    this.toxicFlows = init.toxicFlows;
+    this.baselineChanges = init.baselineChanges;
+    this.connectionErrors = init.connectionErrors;
+  }
+  get totalFindings() {
+    return this.runtimeResults.reduce((acc, r) => acc + r.findings.length, 0);
+  }
+  get hasCritical() {
+    return this.runtimeResults.some(
+      (r) => r.findings.some((f) => f.severity === "critical")
+    );
+  }
+  get minScore() {
+    if (this.runtimeResults.length === 0) return 100;
+    return Math.min(...this.runtimeResults.map((r) => computeServerScore(r.findings)));
+  }
+  toDict() {
+    return {
+      timestamp: this.timestamp,
+      duration_seconds: this.durationSeconds,
+      servers_scanned: this.serversScanned,
+      servers_connected: this.serversConnected,
+      servers_failed: this.serversFailed,
+      total_tools: this.totalTools,
+      total_findings: this.totalFindings,
+      has_critical: this.hasCritical,
+      min_score: this.minScore,
+      runtime_results: this.runtimeResults,
+      toxic_flows: this.toxicFlows,
+      baseline_changes: this.baselineChanges,
+      connection_errors: this.connectionErrors
+    };
+  }
+  toJson() {
+    return JSON.stringify(this.toDict(), null, 2);
+  }
+};
+function detectToxicFlows(results) {
+  const flows = [];
+  const byLabel = {};
+  for (const r of results) {
+    for (const f of r.findings) {
+      const pattern = TOOL_PATTERNS.find((p) => p.code === f.code);
+      if (!pattern) continue;
+      if (!byLabel[pattern.label]) byLabel[pattern.label] = [];
+      byLabel[pattern.label].push(`${r.server_name}:${f.tool_name}`);
+    }
+  }
+  const hasPrivate = (byLabel["private_data"]?.length ?? 0) > 0;
+  const hasSink = (byLabel["public_sink"]?.length ?? 0) > 0;
+  const hasExec = (byLabel["code_exec"]?.length ?? 0) > 0;
+  const hasCreds = (byLabel["credential_access"]?.length ?? 0) > 0;
+  const hasFsWrite = (byLabel["fs_write"]?.length ?? 0) > 0;
+  if (hasPrivate && hasSink) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "data_exfiltration",
+      title: "Private data \u2192 public sink",
+      description: "One or more servers can read private data and also send data externally. A compromised agent could exfiltrate files.",
+      servers_involved: [
+        .../* @__PURE__ */ new Set([
+          ...(byLabel["private_data"] ?? []).map((t) => t.split(":")[0]),
+          ...(byLabel["public_sink"] ?? []).map((t) => t.split(":")[0])
+        ])
+      ],
+      remediation: "Isolate read and write capabilities to separate servers with distinct trust levels.",
+      tools_involved: [
+        ...byLabel["private_data"] ?? [],
+        ...byLabel["public_sink"] ?? []
+      ],
+      labels_involved: ["private_data", "public_sink"]
+    });
+  }
+  if (hasExec && hasCreds) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "remote_code_execution",
+      title: "Code execution + credential access",
+      description: "Servers with code execution capability coexist with credential access. Prompt injection could trigger credential theft via code.",
+      servers_involved: [
+        .../* @__PURE__ */ new Set([
+          ...(byLabel["code_exec"] ?? []).map((t) => t.split(":")[0]),
+          ...(byLabel["credential_access"] ?? []).map((t) => t.split(":")[0])
+        ])
+      ],
+      remediation: "Separate execution and credential access into isolated environments.",
+      tools_involved: [
+        ...byLabel["code_exec"] ?? [],
+        ...byLabel["credential_access"] ?? []
+      ],
+      labels_involved: ["code_exec", "credential_access"]
+    });
+  }
+  if (hasExec && hasFsWrite) {
+    flows.push({
+      risk_level: "high",
+      risk_type: "persistence",
+      title: "Code execution + file system write",
+      description: "Servers can both execute code and write files, enabling persistent malware installation.",
+      servers_involved: [
+        .../* @__PURE__ */ new Set([
+          ...(byLabel["code_exec"] ?? []).map((t) => t.split(":")[0]),
+          ...(byLabel["fs_write"] ?? []).map((t) => t.split(":")[0])
+        ])
+      ],
+      remediation: "Review whether the same agent context truly needs both capabilities.",
+      tools_involved: [
+        ...byLabel["code_exec"] ?? [],
+        ...byLabel["fs_write"] ?? []
+      ],
+      labels_involved: ["code_exec", "fs_write"]
+    });
+  }
+  return flows;
+}
+var ScanMCP = class {
+  timeout;
+  concurrency;
+  onProgress;
+  constructor(opts) {
+    this.timeout = (opts?.timeout ?? 30) * 1e3;
+    this.concurrency = opts?.concurrency ?? 3;
+    this.onProgress = opts?.onProgress;
+  }
+  async run(servers) {
+    const start = Date.now();
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const runtimeResults = [];
+    const connectionErrors = [];
+    let serversConnected = 0;
+    let totalTools = 0;
+    const queue = [...servers];
+    const inFlight = /* @__PURE__ */ new Set();
+    const processOne = async (server) => {
+      this.onProgress?.("connecting", server.name);
+      const result = await tryConnectServer(server, this.timeout);
+      if ("errorType" in result) {
+        connectionErrors.push({
+          serverName: server.name,
+          errorType: result.errorType,
+          detail: result.detail
+        });
+        runtimeResults.push({
+          server_name: server.name,
+          tools_found: 0,
+          findings: [],
+          verdict: GuardVerdict.ERROR,
+          connection_status: result.errorType
+        });
+      } else {
+        serversConnected++;
+        totalTools += result.length;
+        this.onProgress?.("analyzing", server.name);
+        const findings = analyzeTools(server.name, result);
+        runtimeResults.push({
+          server_name: server.name,
+          tools_found: result.length,
+          findings,
+          verdict: computeServerVerdict(findings),
+          connection_status: "connected"
+        });
+      }
+    };
+    while (queue.length > 0 || inFlight.size > 0) {
+      while (queue.length > 0 && inFlight.size < this.concurrency) {
+        const server = queue.shift();
+        const p = processOne(server).then(() => {
+          inFlight.delete(p);
+        });
+        inFlight.add(p);
+      }
+      if (inFlight.size > 0) {
+        await Promise.race(inFlight);
+      }
+    }
+    const toxicFlows = detectToxicFlows(runtimeResults);
+    const durationSeconds = (Date.now() - start) / 1e3;
+    return new ScanMCPReport({
+      timestamp,
+      durationSeconds,
+      serversScanned: servers.length,
+      serversConnected,
+      serversFailed: servers.length - serversConnected,
+      totalTools,
+      runtimeResults,
+      toxicFlows,
+      baselineChanges: [],
+      connectionErrors
+    });
+  }
+};
+export {
+  ScanMCP,
+  ScanMCPReport
+};