defense-mcp-server 0.9.2 → 0.9.3

package/build/core/preflight.js

@@ -236,7 +236,7 @@ export class PreflightEngine {
             };
             result.summary = this.formatSummary(result);
             this.cacheResult(toolName, result);
-            console.error(`[preflight] ⚠ No manifest for '${toolName}' — skipping (${Date.now() - startTime}ms)`);
+            console.error(`[preflight] WARNING: No manifest for '${toolName}' — skipping (${Date.now() - startTime}ms)`);
             return result;
         }
         // ── Step 3–4: Use cached dep results or run fresh checks ───────────
@@ -305,7 +305,7 @@ export class PreflightEngine {
                     `${safeguardResult.warnings.length} warning(s)`);
             }
             catch (err) {
-                console.error(`[preflight] ⚠ Safeguard check failed: ${err instanceof Error ? err.message : String(err)}`);
+                console.error(`[preflight] WARNING: Safeguard check failed: ${err instanceof Error ? err.message : String(err)}`);
                 // Safeguard failure is non-blocking — log and continue
             }
         }
@@ -339,11 +339,11 @@ export class PreflightEngine {
         console.error(`[preflight] Dependencies: ${depCount} checked, ${missingCount} missing`);
         if (manifest.sudo !== "never") {
             const sudoStatus = privileges.satisfied
-                ? "session active ✓"
+                ? "session active OK"
                 : `${privileges.issues.length} issue(s)`;
             console.error(`[preflight] Privileges: sudo ${manifest.sudo} — ${sudoStatus}`);
         }
-        console.error(`[preflight] ${passed ? "✓" : "✗"} Pre-flight ${passed ? "passed" : "FAILED"} (${duration}ms)`);
+        console.error(`[preflight] ${passed ? "OK" : "FAIL"} Pre-flight ${passed ? "passed" : "FAILED"} (${duration}ms)`);
         return result;
     }
     // ── Individual check phases ────────────────────────────────────────────
@@ -497,7 +497,7 @@ export class PreflightEngine {
      *
      * @example Passing
      * ```
-     * ✅ Pre-flight passed for 'firewall_iptables_list'
+     * PASS: Pre-flight passed for 'firewall_iptables_list'
      *   Dependencies: 2/2 available (iptables, ip6tables)
      *   Privileges: sudo session active
      *   Ready to execute.
@@ -505,7 +505,7 @@ export class PreflightEngine {
      *
      * @example Failing
      * ```
-     * ❌ Pre-flight FAILED for 'compliance_oscap_scan'
+     * Pre-flight FAILED for 'compliance_oscap_scan'
      *   Missing dependencies:
      *     • oscap (binary) — Install with: sudo apt-get install -y libopenscap8
      *   Privilege issues:
@@ -522,7 +522,7 @@ export class PreflightEngine {
             const autoNote = autoInstalledCount > 0
                 ? ` (auto-installed ${autoInstalledCount} ${autoInstalledCount === 1 ? "dependency" : "dependencies"})`
                 : "";
-            lines.push(`✅ Pre-flight passed for '${result.toolName}'${autoNote}`);
+            lines.push(`Pre-flight passed for '${result.toolName}'${autoNote}`);
             // Dependencies line
             const requiredChecks = result.dependencies.checked.filter((c) => c.required);
             const requiredFound = requiredChecks.filter((c) => c.found);
@@ -559,7 +559,7 @@ export class PreflightEngine {
         }
         else {
             // ── Failing summary ──────────────────────────────────────────────
-            lines.push(`❌ Pre-flight FAILED for '${result.toolName}'`);
+            lines.push(`Pre-flight FAILED for '${result.toolName}'`);
             // Missing dependencies
             if (result.dependencies.missing.length > 0) {
                 lines.push("  Missing dependencies:");
@@ -583,7 +583,7 @@ export class PreflightEngine {
                 result.safeguards.blockers.length > 0) {
                 lines.push("  Safety blockers:");
                 for (const blocker of result.safeguards.blockers) {
-                    lines.push(`    🛑 ${blocker}`);
+                    lines.push(`    ${blocker}`);
                 }
             }
             lines.push("  Cannot proceed until issues are resolved.");
@@ -593,8 +593,8 @@ export class PreflightEngine {
     /**
      * Generate a shorter status message for prepending to tool output.
      *
-     * - Passed (no issues): `"[pre-flight ✓] All checks passed (2 deps, sudo active)"`
-     * - Passed (warnings): `"[pre-flight ✓] Passed with warnings: optional dep 'nmap' not found"`
+     * - Passed (no issues): `"[pre-flight OK] All checks passed (2 deps, sudo active)"`
+     * - Passed (warnings): `"[pre-flight OK] Passed with warnings: optional dep 'nmap' not found"`
      * - Failed: returns the full error summary from {@link formatSummary}
      */
     formatStatusMessage(result) {
@@ -614,9 +614,9 @@ export class PreflightEngine {
             const missingNames = optionalMissing
                 .map((c) => c.name)
                 .join("', '");
-            return `[pre-flight ✓] Passed with warnings: optional dep '${missingNames}' not found`;
+            return `[pre-flight OK] Passed with warnings: optional dep '${missingNames}' not found`;
         }
-        return `[pre-flight ✓] All checks passed (${depCount} deps${privStatus})`;
+        return `[pre-flight OK] All checks passed (${depCount} deps${privStatus})`;
     }
     // ── Cache management ───────────────────────────────────────────────────
     /**

package/build/core/progress.js

@@ -36,10 +36,10 @@ export function renderProgressBar(percent, options) {
 }
 // ── Complexity Badges ────────────────────────────────────────────────────────
 const COMPLEXITY_BADGES = {
-    low: "⚡ LOW",
-    medium: "📊 MEDIUM",
-    high: "🔥 HIGH",
-    critical: "⚠️  CRITICAL",
+    low: "LOW",
+    medium: "MEDIUM",
+    high: "HIGH",
+    critical: "WARNING: CRITICAL",
 };
 // ── Pre-Execution Banner ─────────────────────────────────────────────────────
 /**
@@ -58,28 +58,28 @@ export function generateDurationBanner(toolName, action, timeoutMs) {
     const estimate = getDurationEstimate(toolName, action);
     if (!estimate) {
         // No estimate available — return minimal info
-        return `⏱️  Timeout: ${formatElapsed(timeoutMs)}\n`;
+        return `Timeout: ${formatElapsed(timeoutMs)}\n`;
     }
     const durationStr = formatDurationEstimate(estimate);
     const complexityBadge = COMPLEXITY_BADGES[estimate.complexity];
     const longRunning = isLongRunning(toolName, action);
     if (!longRunning) {
         // Quick tool — compact one-liner
-        return `⏱️  Est: ${durationStr} | ${complexityBadge}\n`;
+        return `Est: ${durationStr} | ${complexityBadge}\n`;
     }
     // Long-running tool — detailed banner
     const lines = [];
     lines.push("┌─────────────────────────────────────────────────────────┐");
-    lines.push(`│ 📋 ${estimate.description.padEnd(54)}│`);
+    lines.push(`│ ${estimate.description.padEnd(54)}│`);
     lines.push("├─────────────────────────────────────────────────────────┤");
-    lines.push(`│ ⏱️  Duration estimate: ${durationStr.padEnd(36)}│`);
-    lines.push(`│ 📊 Complexity: ${complexityBadge.padEnd(42)}│`);
-    lines.push(`│ 🔧 Timeout: ${formatElapsed(timeoutMs).padEnd(45)}│`);
+    lines.push(`│ Duration estimate: ${durationStr.padEnd(36)}│`);
+    lines.push(`│ Complexity: ${complexityBadge.padEnd(42)}│`);
+    lines.push(`│ Timeout: ${formatElapsed(timeoutMs).padEnd(45)}│`);
     if (estimate.supportsProgress) {
-        lines.push(`│ 📈 Progress tracking: enabled${" ".repeat(28)}│`);
+        lines.push(`│ Progress tracking: enabled${" ".repeat(28)}│`);
     }
     if (estimate.durationFactors.length > 0) {
-        lines.push(`│ 📎 Factors: ${estimate.durationFactors.slice(0, 2).join(", ").padEnd(45)}│`);
+        lines.push(`│ Factors: ${estimate.durationFactors.slice(0, 2).join(", ").padEnd(45)}│`);
     }
     lines.push("└─────────────────────────────────────────────────────────┘");
     return lines.join("\n") + "\n\n";
@@ -100,22 +100,22 @@ export function generateTimingSummary(toolName, action, actualMs) {
     const estimate = getDurationEstimate(toolName, action);
     const actualStr = formatElapsed(actualMs);
     if (!estimate) {
-        return `\n⏱️  Completed in ${actualStr}`;
+        return `\nCompleted in ${actualStr}`;
     }
     const minMs = estimate.minSeconds * 1000;
     const maxMs = estimate.maxSeconds * 1000;
     const estimatedStr = formatDurationEstimate(estimate);
     let indicator;
     if (actualMs < minMs) {
-        indicator = "⚡ Faster than expected";
+        indicator = "Faster than expected";
     }
     else if (actualMs > maxMs) {
-        indicator = "🐢 Slower than expected";
+        indicator = "Slower than expected";
     }
     else {
-        indicator = "✅ Within estimate";
+        indicator = "PASS: Within estimate";
     }
-    return `\n⏱️  Completed in ${actualStr} (est: ${estimatedStr}) — ${indicator}`;
+    return `\nCompleted in ${actualStr} (est: ${estimatedStr}) — ${indicator}`;
 }
 // ── Timing Context Helpers ───────────────────────────────────────────────────
 /**
@@ -181,12 +181,12 @@ export function generatePhaseBanner(phaseName, phaseNumber, tools) {
         const totalMinMin = Math.ceil(totalMinSec / 60);
         const totalMaxMin = Math.ceil(totalMaxSec / 60);
         const avgMin = Math.ceil((totalMinMin + totalMaxMin) / 2);
-        lines.push(`║  📊 TOTAL ESTIMATE: ${totalMinMin}-${totalMaxMin} min (avg: ~${avgMin} min)${" ".repeat(Math.max(0, 20 - String(totalMaxMin).length - String(avgMin).length))}║`);
+        lines.push(`║  TOTAL ESTIMATE: ${totalMinMin}-${totalMaxMin} min (avg: ~${avgMin} min)${" ".repeat(Math.max(0, 20 - String(totalMaxMin).length - String(avgMin).length))}║`);
     }
     if (hasLongRunning) {
-        lines.push("║  ⚠️  Long-running phase — progress updates included         ║");
+        lines.push("║  WARNING: Long-running phase — progress updates included         ║");
     }
-    lines.push("║  ✓ All tools will run to completion (no timeouts)          ║");
+    lines.push("║  OK All tools will run to completion (no timeouts)          ║");
     lines.push("║                                                            ║");
     lines.push("╚════════════════════════════════════════════════════════════╝");
     return lines.join("\n");

package/build/core/run-command.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Shared async command runner using spawnSafe.
+ *
+ * Replaces the duplicate runCommand() implementations found in 11 tool files.
+ * Wraps spawnSafe in a Promise that collects stdout/stderr and handles
+ * timeouts, spawn errors, and process errors gracefully.
+ */
+export interface CommandResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+export declare function runCommand(command: string, args: string[], timeoutMs?: number): Promise<CommandResult>;
+//# sourceMappingURL=run-command.d.ts.map

package/build/core/run-command.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-command.d.ts","sourceRoot":"","sources":["../../src/core/run-command.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,wBAAsB,UAAU,CAC9B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,SAAS,GACjB,OAAO,CAAC,aAAa,CAAC,CAyCxB"}

package/build/core/run-command.js

@@ -0,0 +1,46 @@
+/**
+ * Shared async command runner using spawnSafe.
+ *
+ * Replaces the duplicate runCommand() implementations found in 11 tool files.
+ * Wraps spawnSafe in a Promise that collects stdout/stderr and handles
+ * timeouts, spawn errors, and process errors gracefully.
+ */
+import { spawnSafe } from "./spawn-safe.js";
+export async function runCommand(command, args, timeoutMs = 30_000) {
+    return new Promise((resolve) => {
+        let child;
+        try {
+            child = spawnSafe(command, args);
+        }
+        catch (err) {
+            resolve({ stdout: "", stderr: err instanceof Error ? err.message : String(err), exitCode: -1 });
+            return;
+        }
+        let stdout = "";
+        let stderr = "";
+        let resolved = false;
+        const timer = setTimeout(() => {
+            if (!resolved) {
+                resolved = true;
+                child.kill("SIGTERM");
+                resolve({ stdout, stderr: stderr + "\n[TIMEOUT]", exitCode: -1 });
+            }
+        }, timeoutMs);
+        child.stdout?.on("data", (data) => { stdout += data.toString(); });
+        child.stderr?.on("data", (data) => { stderr += data.toString(); });
+        child.on("close", (code) => {
+            if (!resolved) {
+                resolved = true;
+                clearTimeout(timer);
+                resolve({ stdout, stderr, exitCode: code ?? -1 });
+            }
+        });
+        child.on("error", (err) => {
+            if (!resolved) {
+                resolved = true;
+                clearTimeout(timer);
+                resolve({ stdout, stderr: err.message, exitCode: -1 });
+            }
+        });
+    });
+}

package/build/core/spawn-safe.d.ts

@@ -13,11 +13,11 @@
  * 2. shell: false always
  * 3. Audit logging to stderr
  */
-import { type SpawnOptions, type ExecFileSyncOptions, type ChildProcess } from "node:child_process";
-export interface SpawnSafeOptions extends SpawnOptions {
-}
-export interface ExecFileSafeOptions extends ExecFileSyncOptions {
-}
+import { type SpawnOptions, type ExecFileSyncOptions, type ChildProcess as NodeChildProcess } from "node:child_process";
+/** Re-export ChildProcess type so tool files can import it without touching node:child_process directly. */
+export type { NodeChildProcess as ChildProcess };
+export type SpawnSafeOptions = SpawnOptions;
+export type ExecFileSafeOptions = ExecFileSyncOptions;
 /**
  * Redact sensitive arguments from a command's argument array for safe logging.
  *
@@ -41,7 +41,7 @@ export declare function redactArgs(command: string, args: readonly string[]): st
  * @param options - SpawnOptions (shell is always forced to false)
  * @throws {Error} If the command is not in the allowlist
  */
-export declare function spawnSafe(command: string, args: string[], options?: SpawnSafeOptions): ChildProcess;
+export declare function spawnSafe(command: string, args: string[], options?: SpawnSafeOptions): NodeChildProcess;
 /**
  * Execute a file synchronously with allowlist enforcement and shell: false.
  *

package/build/core/spawn-safe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"spawn-safe.d.ts","sourceRoot":"","sources":["../../src/core/spawn-safe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAK5B,MAAM,WAAW,gBAAiB,SAAQ,YAAY;CAAG;AAEzD,MAAM,WAAW,mBAAoB,SAAQ,mBAAmB;CAAG;AAUnE;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAgC7E;AAID;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,YAAY,CAUd;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,mBAAmB,GAC5B,MAAM,GAAG,MAAM,CAiCjB"}
+{"version":3,"file":"spawn-safe.d.ts","sourceRoot":"","sources":["../../src/core/spawn-safe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,YAAY,IAAI,gBAAgB,EACtC,MAAM,oBAAoB,CAAC;AAE5B,4GAA4G;AAC5G,YAAY,EAAE,gBAAgB,IAAI,YAAY,EAAE,CAAC;AAKjD,MAAM,MAAM,gBAAgB,GAAG,YAAY,CAAC;AAE5C,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,CAAC;AAUtD;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,EAAE,CAgC7E;AAID;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,gBAAgB,GACzB,gBAAgB,CAUlB;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,CAAC,EAAE,mBAAmB,GAC5B,MAAM,GAAG,MAAM,CAiCjB"}

package/build/core/sudo-guard.js

@@ -188,14 +188,14 @@ export class SudoGuard {
         const reasonText = reason ?? "This tool requires elevated (root) privileges to function.";
         // Build the prompt message for AI clients.
         const lines = [];
-        lines.push("🔒 Sudo session required");
-        lines.push("─".repeat(50));
+        lines.push("Sudo session required");
+        lines.push("");
         lines.push("");
         lines.push(`Tool: ${toolName}`);
         lines.push(`Reason: ${reasonText}`);
         lines.push("");
         if (status.elevated && status.remainingSeconds !== null && status.remainingSeconds <= 0) {
-            lines.push("⚠️  Your sudo session has expired.");
+            lines.push("WARNING: Your sudo session has expired.");
             lines.push("");
             lines.push("ACTION: Call sudo_session with action=elevate_gui to re-authenticate,");
             lines.push("or action=extend to extend an active session.");
@@ -210,7 +210,7 @@ export class SudoGuard {
         lines.push("stored in a zeroable memory buffer, and never visible to the AI.");
         if (originalError) {
             lines.push("");
-            lines.push("─".repeat(50));
+            lines.push("");
             lines.push("Original error:");
             lines.push(originalError.substring(0, 500));
         }

package/build/core/third-party-installer.js

@@ -471,7 +471,7 @@ async function installGithubRelease(entry) {
             dryRun: false,
             success: true,
         }));
-        console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed successfully`);
+        console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed successfully`);
         return {
             binary: entry.binary,
             success: true,
@@ -585,7 +585,7 @@ async function installAptRepo(entry) {
         console.error(`[third-party-installer] Running apt-get update...`);
         const updateResult = execWithSudo(["apt-get", "update"], { timeoutMs: 120_000 });
         if (!updateResult.success) {
-            console.error(`[third-party-installer] ⚠ apt-get update had issues: ${updateResult.stderr.slice(0, 200)}`);
+            console.error(`[third-party-installer] WARNING: apt-get update had issues: ${updateResult.stderr.slice(0, 200)}`);
         }
         const packages = entry.aptPinnedPackages ?? [entry.binary];
         for (const pkg of packages) {
@@ -609,7 +609,7 @@ async function installAptRepo(entry) {
             dryRun: false,
             success: true,
         }));
-        console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed successfully via APT`);
+        console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed successfully via APT`);
         return {
             binary: entry.binary,
             success: true,
@@ -658,7 +658,7 @@ async function installNpmLocal(entry) {
         dryRun: false,
         success: true,
     }));
-    console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed via npm`);
+    console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed via npm`);
     return {
         binary: entry.binary,
         success: true,

package/build/core/tool-wrapper.js

@@ -195,7 +195,7 @@ function createWrappedHandler(toolName, originalHandler, ctx) {
                 content: [
                     {
                         type: "text",
-                        text: `⚠ Rate limit exceeded\n\n${rateLimitResult.reason}`,
+                        text: `WARNING: Rate limit exceeded\n\n${rateLimitResult.reason}`,
                     },
                 ],
                 isError: true,
@@ -269,12 +269,12 @@ function createWrappedHandler(toolName, originalHandler, ctx) {
         catch (err) {
             // Pre-flight itself threw — return error instead of running without dependency checking
             const errMsg = err instanceof Error ? err.message : String(err);
-            console.error(`[preflight] ⚠ Pre-flight failed unexpectedly for '${toolName}': ${errMsg}`);
+            console.error(`[preflight] WARNING: Pre-flight failed unexpectedly for '${toolName}': ${errMsg}`);
             return {
                 content: [
                     {
                         type: "text",
-                        text: `⚠ Pre-flight internal error for '${toolName}'\n\nThe pre-flight dependency checking system encountered an unexpected error and the tool was not executed.\n\nError: ${errMsg}\n\nPlease retry the operation or check the pre-flight configuration. If this persists, the tool's dependency manifest may need attention.`,
+                        text: `WARNING: Pre-flight internal error for '${toolName}'\n\nThe pre-flight dependency checking system encountered an unexpected error and the tool was not executed.\n\nError: ${errMsg}\n\nPlease retry the operation or check the pre-flight configuration. If this persists, the tool's dependency manifest may need attention.`,
                     },
                 ],
                 isError: true,

package/build/tools/access-control.js

@@ -879,8 +879,8 @@ export function registerAccessControlTools(server) {
                                     ? "CRITICAL: Weak SSH algorithms detected. Apply Mozilla Modern SSH configuration immediately."
                                     : warnCount > 0
                                         ? "WARNING: SSH algorithms not explicitly configured. Set explicit algorithms in sshd_config."
-                                        : "PASS: SSH cryptographic configuration meets modern standards.",
-                            }, null, 2))],
+                                        : "SSH cryptographic configuration meets modern standards.",
+                            }))],
                     };
                 }
                 catch (error) {
@@ -1154,7 +1154,7 @@ export function registerAccessControlTools(server) {
                                 content: [
                                     createTextContent(`[DRY-RUN] Would write the following to ${targetFile}:\n\n` +
                                         configLines.map((l) => `  ${l}`).join("\n") +
-                                        (pwqSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${pwqSanityWarnings}` : "")),
+                                        (pwqSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${pwqSanityWarnings}` : "")),
                                 ],
                             };
                         }
@@ -1200,7 +1200,7 @@ export function registerAccessControlTools(server) {
                                 content: [
                                     createTextContent(`pam_pwquality configured in ${targetFile}:\n\n` +
                                         configLines.map((l) => `  ${l}`).join("\n") +
-                                        (pwqSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${pwqSanityWarnings}` : "")),
+                                        (pwqSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${pwqSanityWarnings}` : "")),
                                 ],
                             };
                         }
@@ -1276,7 +1276,7 @@ export function registerAccessControlTools(server) {
                                 createTextContent(`[DRY-RUN] Would add/update pam_faillock.so in ${targetFile}:\n\n` +
                                     `  ${preLine}\n  ${authLine}\n\n` +
                                     `Settings: ${JSON.stringify(merged)}` +
-                                    (flSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${flSanityWarnings}` : "")),
+                                    (flSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${flSanityWarnings}` : "")),
                             ],
                         };
                     }
@@ -1332,7 +1332,7 @@ export function registerAccessControlTools(server) {
                                     `  ${preLine}\n  ${authLine}\n\n` +
                                     `Settings: ${JSON.stringify(merged)}\n` +
                                     `Backup: ${backupEntry.backupPath}` +
-                                    (flSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${flSanityWarnings}` : "")),
+                                    (flSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${flSanityWarnings}` : "")),
                             ],
                         };
                     }

package/build/tools/api-security.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../src/tools/api-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAy1BpE,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA6WhE"}
+{"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../src/tools/api-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA2xBpE,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA6WhE"}

package/build/tools/api-security.js

@@ -8,7 +8,7 @@
  * verification, TLS configuration checking, and CORS policy analysis.
  */
 import { z } from "zod";
-import { spawnSafe } from "../core/spawn-safe.js";
+import { runCommand } from "../core/run-command.js";
 import { createTextContent, createErrorContent, formatToolOutput, } from "../core/parsers.js";
 // ── Constants ──────────────────────────────────────────────────────────────────
 const DEFAULT_PORT_RANGE = "80,443,3000,4000,5000,8000,8080,8443,9000";
@@ -21,53 +21,7 @@ const COMMON_API_PATHS = [
     "/openapi.json",
     "/.well-known/openid-configuration",
 ];
-/**
- * Run a command via spawnSafe and collect output as a promise.
- * Handles errors gracefully — returns error info instead of throwing.
- */
-async function runCommand(command, args, timeoutMs = 30_000) {
-    return new Promise((resolve) => {
-        let child;
-        try {
-            child = spawnSafe(command, args);
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            resolve({ stdout: "", stderr: msg, exitCode: -1 });
-            return;
-        }
-        let stdout = "";
-        let stderr = "";
-        let resolved = false;
-        const timer = setTimeout(() => {
-            if (!resolved) {
-                resolved = true;
-                child.kill("SIGTERM");
-                resolve({ stdout, stderr: stderr + "\n[TIMEOUT]", exitCode: -1 });
-            }
-        }, timeoutMs);
-        child.stdout?.on("data", (data) => {
-            stdout += data.toString();
-        });
-        child.stderr?.on("data", (data) => {
-            stderr += data.toString();
-        });
-        child.on("close", (code) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr, exitCode: code ?? -1 });
-            }
-        });
-        child.on("error", (err) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr: err.message, exitCode: -1 });
-            }
-        });
-    });
-}
+// ── Helpers ────────────────────────────────────────────────────────────────────
 /**
  * Validate and normalize a target URL.
  * Returns the normalized URL or null if invalid.
@@ -692,7 +646,7 @@ export function registerApiSecurityTools(server) {
                     text += `Auth Type: ${authResult.authType}\n`;
                     text += `Status without auth: ${authResult.statusWithoutAuth}\n`;
                     text += `Status with auth: ${authResult.statusWithAuth}\n`;
-                    text += `Verbose Errors: ${authResult.verboseErrors ? "YES ⚠" : "no"}\n`;
+                    text += `Verbose Errors: ${authResult.verboseErrors ? "YES WARNING" : "no"}\n`;
                     if (authResult.errorDetails.length > 0) {
                         text += `\nError Details:\n`;
                         for (const detail of authResult.errorDetails) {
@@ -864,8 +818,8 @@ export function registerApiSecurityTools(server) {
                         text += `Allow-Origin: ${corsResult.allowOrigin}\n`;
                         text += `Allow-Credentials: ${corsResult.allowCredentials}\n`;
                         text += `Allow-Methods: ${corsResult.allowMethods || "not specified"}\n`;
-                        text += `Wildcard Origin: ${corsResult.wildcardOrigin ? "YES ⚠" : "no"}\n`;
-                        text += `Origin Reflection: ${corsResult.originReflection ? "YES ⚠" : "no"}\n`;
+                        text += `Wildcard Origin: ${corsResult.wildcardOrigin ? "YES WARNING" : "no"}\n`;
+                        text += `Origin Reflection: ${corsResult.originReflection ? "YES WARNING" : "no"}\n`;
                     }
                     if (corsResult.criticalIssues.length > 0) {
                         text += `\nCritical Issues:\n`;

package/build/tools/app-hardening.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app-hardening.d.ts","sourceRoot":"","sources":["../../src/tools/app-hardening.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA6dpE,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAgYjE"}
+{"version":3,"file":"app-hardening.d.ts","sourceRoot":"","sources":["../../src/tools/app-hardening.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA6dpE,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA6XjE"}