defense-mcp-server 0.9.2 → 0.9.4

package/build/core/run-command.js

@@ -0,0 +1,46 @@
+/**
+ * Shared async command runner using spawnSafe.
+ *
+ * Replaces the duplicate runCommand() implementations found in 11 tool files.
+ * Wraps spawnSafe in a Promise that collects stdout/stderr and handles
+ * timeouts, spawn errors, and process errors gracefully.
+ */
+import { spawnSafe } from "./spawn-safe.js";
+export async function runCommand(command, args, timeoutMs = 30_000) {
+    return new Promise((resolve) => {
+        let child;
+        try {
+            child = spawnSafe(command, args);
+        }
+        catch (err) {
+            resolve({ stdout: "", stderr: err instanceof Error ? err.message : String(err), exitCode: -1 });
+            return;
+        }
+        let stdout = "";
+        let stderr = "";
+        let resolved = false;
+        const timer = setTimeout(() => {
+            if (!resolved) {
+                resolved = true;
+                child.kill("SIGTERM");
+                resolve({ stdout, stderr: stderr + "\n[TIMEOUT]", exitCode: -1 });
+            }
+        }, timeoutMs);
+        child.stdout?.on("data", (data) => { stdout += data.toString(); });
+        child.stderr?.on("data", (data) => { stderr += data.toString(); });
+        child.on("close", (code) => {
+            if (!resolved) {
+                resolved = true;
+                clearTimeout(timer);
+                resolve({ stdout, stderr, exitCode: code ?? -1 });
+            }
+        });
+        child.on("error", (err) => {
+            if (!resolved) {
+                resolved = true;
+                clearTimeout(timer);
+                resolve({ stdout, stderr: err.message, exitCode: -1 });
+            }
+        });
+    });
+}

package/build/core/sudo-guard.js

@@ -188,14 +188,14 @@ export class SudoGuard {
         const reasonText = reason ?? "This tool requires elevated (root) privileges to function.";
         // Build the prompt message for AI clients.
         const lines = [];
-        lines.push("🔒 Sudo session required");
-        lines.push("─".repeat(50));
+        lines.push("Sudo session required");
+        lines.push("");
         lines.push("");
         lines.push(`Tool: ${toolName}`);
         lines.push(`Reason: ${reasonText}`);
         lines.push("");
         if (status.elevated && status.remainingSeconds !== null && status.remainingSeconds <= 0) {
-            lines.push("⚠️  Your sudo session has expired.");
+            lines.push("WARNING: Your sudo session has expired.");
             lines.push("");
             lines.push("ACTION: Call sudo_session with action=elevate_gui to re-authenticate,");
             lines.push("or action=extend to extend an active session.");
@@ -210,7 +210,7 @@ export class SudoGuard {
         lines.push("stored in a zeroable memory buffer, and never visible to the AI.");
         if (originalError) {
             lines.push("");
-            lines.push("─".repeat(50));
+            lines.push("");
             lines.push("Original error:");
             lines.push(originalError.substring(0, 500));
         }

package/build/core/third-party-installer.js

@@ -471,7 +471,7 @@ async function installGithubRelease(entry) {
             dryRun: false,
             success: true,
         }));
-        console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed successfully`);
+        console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed successfully`);
         return {
             binary: entry.binary,
             success: true,
@@ -585,7 +585,7 @@ async function installAptRepo(entry) {
         console.error(`[third-party-installer] Running apt-get update...`);
         const updateResult = execWithSudo(["apt-get", "update"], { timeoutMs: 120_000 });
         if (!updateResult.success) {
-            console.error(`[third-party-installer] ⚠ apt-get update had issues: ${updateResult.stderr.slice(0, 200)}`);
+            console.error(`[third-party-installer] WARNING: apt-get update had issues: ${updateResult.stderr.slice(0, 200)}`);
         }
         const packages = entry.aptPinnedPackages ?? [entry.binary];
         for (const pkg of packages) {
@@ -609,7 +609,7 @@ async function installAptRepo(entry) {
             dryRun: false,
             success: true,
         }));
-        console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed successfully via APT`);
+        console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed successfully via APT`);
         return {
             binary: entry.binary,
             success: true,
@@ -658,7 +658,7 @@ async function installNpmLocal(entry) {
         dryRun: false,
         success: true,
     }));
-    console.error(`[third-party-installer] ✓ ${entry.name} v${entry.version} installed via npm`);
+    console.error(`[third-party-installer] OK ${entry.name} v${entry.version} installed via npm`);
     return {
         binary: entry.binary,
         success: true,

package/build/core/tool-wrapper.js

@@ -195,7 +195,7 @@ function createWrappedHandler(toolName, originalHandler, ctx) {
                 content: [
                     {
                         type: "text",
-                        text: `⚠ Rate limit exceeded\n\n${rateLimitResult.reason}`,
+                        text: `WARNING: Rate limit exceeded\n\n${rateLimitResult.reason}`,
                     },
                 ],
                 isError: true,
@@ -269,12 +269,12 @@ function createWrappedHandler(toolName, originalHandler, ctx) {
         catch (err) {
             // Pre-flight itself threw — return error instead of running without dependency checking
             const errMsg = err instanceof Error ? err.message : String(err);
-            console.error(`[preflight] ⚠ Pre-flight failed unexpectedly for '${toolName}': ${errMsg}`);
+            console.error(`[preflight] WARNING: Pre-flight failed unexpectedly for '${toolName}': ${errMsg}`);
             return {
                 content: [
                     {
                         type: "text",
-                        text: `⚠ Pre-flight internal error for '${toolName}'\n\nThe pre-flight dependency checking system encountered an unexpected error and the tool was not executed.\n\nError: ${errMsg}\n\nPlease retry the operation or check the pre-flight configuration. If this persists, the tool's dependency manifest may need attention.`,
+                        text: `WARNING: Pre-flight internal error for '${toolName}'\n\nThe pre-flight dependency checking system encountered an unexpected error and the tool was not executed.\n\nError: ${errMsg}\n\nPlease retry the operation or check the pre-flight configuration. If this persists, the tool's dependency manifest may need attention.`,
                     },
                 ],
                 isError: true,

package/build/tools/access-control.js

@@ -879,8 +879,8 @@ export function registerAccessControlTools(server) {
                                     ? "CRITICAL: Weak SSH algorithms detected. Apply Mozilla Modern SSH configuration immediately."
                                     : warnCount > 0
                                         ? "WARNING: SSH algorithms not explicitly configured. Set explicit algorithms in sshd_config."
-                                        : "PASS: SSH cryptographic configuration meets modern standards.",
-                            }, null, 2))],
+                                        : "SSH cryptographic configuration meets modern standards.",
+                            }))],
                     };
                 }
                 catch (error) {
@@ -1154,7 +1154,7 @@ export function registerAccessControlTools(server) {
                                 content: [
                                     createTextContent(`[DRY-RUN] Would write the following to ${targetFile}:\n\n` +
                                         configLines.map((l) => `  ${l}`).join("\n") +
-                                        (pwqSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${pwqSanityWarnings}` : "")),
+                                        (pwqSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${pwqSanityWarnings}` : "")),
                                 ],
                             };
                         }
@@ -1200,7 +1200,7 @@ export function registerAccessControlTools(server) {
                                 content: [
                                     createTextContent(`pam_pwquality configured in ${targetFile}:\n\n` +
                                         configLines.map((l) => `  ${l}`).join("\n") +
-                                        (pwqSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${pwqSanityWarnings}` : "")),
+                                        (pwqSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${pwqSanityWarnings}` : "")),
                                 ],
                             };
                         }
@@ -1276,7 +1276,7 @@ export function registerAccessControlTools(server) {
                                 createTextContent(`[DRY-RUN] Would add/update pam_faillock.so in ${targetFile}:\n\n` +
                                     `  ${preLine}\n  ${authLine}\n\n` +
                                     `Settings: ${JSON.stringify(merged)}` +
-                                    (flSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${flSanityWarnings}` : "")),
+                                    (flSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${flSanityWarnings}` : "")),
                             ],
                         };
                     }
@@ -1332,7 +1332,7 @@ export function registerAccessControlTools(server) {
                                     `  ${preLine}\n  ${authLine}\n\n` +
                                     `Settings: ${JSON.stringify(merged)}\n` +
                                     `Backup: ${backupEntry.backupPath}` +
-                                    (flSanityWarnings ? `\n\n⚠️ Sanity warnings:\n${flSanityWarnings}` : "")),
+                                    (flSanityWarnings ? `\n\nWARNING: Sanity warnings:\n${flSanityWarnings}` : "")),
                             ],
                         };
                     }

package/build/tools/api-security.js

@@ -8,7 +8,7 @@
  * verification, TLS configuration checking, and CORS policy analysis.
  */
 import { z } from "zod";
-import { spawnSafe } from "../core/spawn-safe.js";
+import { runCommand } from "../core/run-command.js";
 import { createTextContent, createErrorContent, formatToolOutput, } from "../core/parsers.js";
 // ── Constants ──────────────────────────────────────────────────────────────────
 const DEFAULT_PORT_RANGE = "80,443,3000,4000,5000,8000,8080,8443,9000";
@@ -21,53 +21,7 @@ const COMMON_API_PATHS = [
     "/openapi.json",
     "/.well-known/openid-configuration",
 ];
-/**
- * Run a command via spawnSafe and collect output as a promise.
- * Handles errors gracefully — returns error info instead of throwing.
- */
-async function runCommand(command, args, timeoutMs = 30_000) {
-    return new Promise((resolve) => {
-        let child;
-        try {
-            child = spawnSafe(command, args);
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            resolve({ stdout: "", stderr: msg, exitCode: -1 });
-            return;
-        }
-        let stdout = "";
-        let stderr = "";
-        let resolved = false;
-        const timer = setTimeout(() => {
-            if (!resolved) {
-                resolved = true;
-                child.kill("SIGTERM");
-                resolve({ stdout, stderr: stderr + "\n[TIMEOUT]", exitCode: -1 });
-            }
-        }, timeoutMs);
-        child.stdout?.on("data", (data) => {
-            stdout += data.toString();
-        });
-        child.stderr?.on("data", (data) => {
-            stderr += data.toString();
-        });
-        child.on("close", (code) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr, exitCode: code ?? -1 });
-            }
-        });
-        child.on("error", (err) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr: err.message, exitCode: -1 });
-            }
-        });
-    });
-}
+// ── Helpers ────────────────────────────────────────────────────────────────────
 /**
  * Validate and normalize a target URL.
  * Returns the normalized URL or null if invalid.
@@ -692,7 +646,7 @@ export function registerApiSecurityTools(server) {
                     text += `Auth Type: ${authResult.authType}\n`;
                     text += `Status without auth: ${authResult.statusWithoutAuth}\n`;
                     text += `Status with auth: ${authResult.statusWithAuth}\n`;
-                    text += `Verbose Errors: ${authResult.verboseErrors ? "YES ⚠" : "no"}\n`;
+                    text += `Verbose Errors: ${authResult.verboseErrors ? "YES WARNING" : "no"}\n`;
                     if (authResult.errorDetails.length > 0) {
                         text += `\nError Details:\n`;
                         for (const detail of authResult.errorDetails) {
@@ -864,8 +818,8 @@ export function registerApiSecurityTools(server) {
                         text += `Allow-Origin: ${corsResult.allowOrigin}\n`;
                         text += `Allow-Credentials: ${corsResult.allowCredentials}\n`;
                         text += `Allow-Methods: ${corsResult.allowMethods || "not specified"}\n`;
-                        text += `Wildcard Origin: ${corsResult.wildcardOrigin ? "YES ⚠" : "no"}\n`;
-                        text += `Origin Reflection: ${corsResult.originReflection ? "YES ⚠" : "no"}\n`;
+                        text += `Wildcard Origin: ${corsResult.wildcardOrigin ? "YES WARNING" : "no"}\n`;
+                        text += `Origin Reflection: ${corsResult.originReflection ? "YES WARNING" : "no"}\n`;
                     }
                     if (corsResult.criticalIssues.length > 0) {
                         text += `\nCritical Issues:\n`;

package/build/tools/app-hardening.js

@@ -454,8 +454,8 @@ export function registerAppHardeningTools(server) {
             case "audit": {
                 try {
                     const sections = [];
-                    sections.push("🔍 Application Security Audit");
-                    sections.push("=".repeat(55));
+                    sections.push("Application Security Audit");
+                    sections.push("");
                     const apps = await detectRunningApps();
                     if (apps.length === 0) {
                         sections.push("\nNo known applications detected.");
@@ -467,9 +467,7 @@ export function registerAppHardeningTools(server) {
                     apps.sort((a, b) => riskOrder[a.profile.riskLevel] - riskOrder[b.profile.riskLevel]);
                     let totalRisks = 0;
                     for (const app of apps) {
-                        const riskIcon = app.profile.riskLevel === "critical" ? "⛔" :
-                            app.profile.riskLevel === "high" ? "🔴" : app.profile.riskLevel === "medium" ? "🟡" : "🟢";
-                        sections.push(`── ${riskIcon} ${app.profile.name} ──`);
+                        sections.push(`── ${app.profile.name} ──`);
                         sections.push(`  Category:     ${app.profile.category}`);
                         sections.push(`  Risk Level:   ${app.profile.riskLevel.toUpperCase()}`);
                         sections.push(`  Running as:   ${app.user}`);
@@ -480,17 +478,17 @@ export function registerAppHardeningTools(server) {
                             sections.push(`  Listening Ports:`);
                             for (const lp of app.listenPorts) {
                                 const external = !lp.address.includes("127.0.0.1") && !lp.address.includes("::1");
-                                sections.push(`    ${lp.protocol}/${lp.port} on ${lp.address} [${external ? "⚠️ EXTERNAL" : "✅ localhost"}]`);
+                                sections.push(`    ${lp.protocol}/${lp.port} on ${lp.address} [${external ? "WARNING: EXTERNAL" : "localhost"}]`);
                             }
                         }
                         sections.push(`  Security Concerns:`);
                         for (const concern of app.profile.securityConcerns) {
-                            sections.push(`    ⚠️ ${concern}`);
+                            sections.push(`    WARNING: ${concern}`);
                             totalRisks++;
                         }
                         sections.push(`  Top Recommendations:`);
                         for (const rec of app.profile.recommendations.slice(0, 3)) {
-                            sections.push(`    💡 ${rec}`);
+                            sections.push(`    ${rec}`);
                         }
                         if (app.profile.recommendations.length > 3) {
                             sections.push(`    ... +${app.profile.recommendations.length - 3} more (use action=recommend)`);
@@ -530,24 +528,24 @@ export function registerAppHardeningTools(server) {
                         };
                     }
                     const sections = [];
-                    sections.push(`🛡️ Hardening Guide: ${profile.name}`);
-                    sections.push("=".repeat(55));
+                    sections.push(`Hardening Guide: ${profile.name}`);
+                    sections.push("");
                     sections.push(`Category: ${profile.category} | Risk: ${profile.riskLevel.toUpperCase()}`);
                     sections.push("\n── Security Concerns ──");
                     for (const concern of profile.securityConcerns) {
-                        sections.push(`  ⚠️ ${concern}`);
+                        sections.push(`  WARNING: ${concern}`);
                     }
                     sections.push("\n── Network Hardening ──");
                     if (profile.requiredPorts.length > 0) {
                         sections.push("  Ports that MUST remain open (core functionality):");
                         for (const p of profile.requiredPorts) {
-                            sections.push(`    ✅ ${p.protocol}/${p.port} — ${p.purpose}`);
+                            sections.push(`    ${p.protocol}/${p.port} — ${p.purpose}`);
                         }
                     }
                     if (profile.localhostOnlyPorts.length > 0) {
                         sections.push("  Ports to restrict to localhost/LAN:");
                         for (const p of profile.localhostOnlyPorts) {
-                            sections.push(`    🔒 ${p.protocol}/${p.port} — ${p.purpose}`);
+                            sections.push(`    ${p.protocol}/${p.port} — ${p.purpose}`);
                         }
                     }
                     sections.push("  Firewall strategy:");
@@ -571,11 +569,11 @@ export function registerAppHardeningTools(server) {
                     sections.push("\n── Filesystem Permissions ──");
                     sections.push("  Writable paths (required for operation):");
                     for (const p of profile.writablePaths) {
-                        sections.push(`    📝 ${p}`);
+                        sections.push(`    ${p}`);
                     }
                     sections.push("  Read-only paths:");
                     for (const p of profile.readablePaths) {
-                        sections.push(`    📖 ${p}`);
+                        sections.push(`    ${p}`);
                     }
                     return { content: [createTextContent(sections.join("\n"))] };
                 }
@@ -600,8 +598,8 @@ export function registerAppHardeningTools(server) {
                     }
                     const effectiveDryRun = dry_run ?? getConfig().dryRun;
                     const sections = [];
-                    sections.push(`🔥 Firewall Rules for ${profile.name}`);
-                    sections.push("=".repeat(55));
+                    sections.push(`Firewall Rules for ${profile.name}`);
+                    sections.push("");
                     sections.push(`LAN CIDR: ${lan_cidr}`);
                     sections.push(effectiveDryRun ? "\n[DRY RUN] Rules that would be applied:\n" : "\nApplying rules:\n");
                     const rules = [];
@@ -632,7 +630,7 @@ export function registerAppHardeningTools(server) {
                             else
                                 failed++;
                         }
-                        sections.push(`\n✅ Applied ${applied} rules, ❌ ${failed} failed`);
+                        sections.push(`\nApplied ${applied} rules, ${failed} failed`);
                     }
                     sections.push("\n── Additional Recommendations ──");
                     sections.push("  • Consider using nftables for more granular control");
@@ -690,10 +688,10 @@ export function registerAppHardeningTools(server) {
                         }
                     }
                     const sections = [];
-                    sections.push(`🔒 Systemd Hardening: ${profile.name}`);
-                    sections.push("=".repeat(55));
+                    sections.push(`Systemd Hardening: ${profile.name}`);
+                    sections.push("");
                     if (!svcName) {
-                        sections.push(`\n⚠️ No running systemd service found for ${profile.name}.`);
+                        sections.push(`\nWARNING: No running systemd service found for ${profile.name}.`);
                         sections.push("Provide service_name manually if the service uses a different name.");
                         sections.push("\nRecommended override content for when the service is configured:\n");
                     }
@@ -726,12 +724,12 @@ export function registerAppHardeningTools(server) {
                         });
                         if (writeResult.exitCode === 0) {
                             await executeCommand({ toolName: "app_hardening", command: "sudo", args: ["systemctl", "daemon-reload"], timeout: 10000 });
-                            sections.push(`\n✅ Override written to ${overridePath}`);
-                            sections.push("✅ systemd daemon reloaded");
-                            sections.push(`\n⚠️ Restart the service to apply: sudo systemctl restart ${svcName}`);
+                            sections.push(`\nOverride written to ${overridePath}`);
+                            sections.push("systemd daemon reloaded");
+                            sections.push(`\nRestart the service to apply: sudo systemctl restart ${svcName}`);
                         }
                         else {
-                            sections.push(`\n❌ Failed to write override: ${writeResult.stderr}`);
+                            sections.push(`\nFailed to write override: ${writeResult.stderr}`);
                         }
                     }
                     sections.push("\n── What These Directives Do ──");

package/build/tools/cloud-security.js

@@ -8,7 +8,7 @@
  * exposure checking, storage audit, and IMDS security assessment for AWS/GCP/Azure.
  */
 import { z } from "zod";
-import { spawnSafe } from "../core/spawn-safe.js";
+import { runCommand } from "../core/run-command.js";
 import { createTextContent, createErrorContent, formatToolOutput, } from "../core/parsers.js";
 import { existsSync } from "node:fs";
 /** Sensitive environment variable names for cloud credentials */
@@ -30,53 +30,7 @@ const CREDENTIAL_FILE_PATHS = [
     { provider: "gcp", path: "~/.config/gcloud/application_default_credentials.json" },
     { provider: "azure", path: "~/.azure/accessTokens.json" },
 ];
-/**
- * Run a command via spawnSafe and collect output as a promise.
- * Handles errors gracefully — returns error info instead of throwing.
- */
-async function runCommand(command, args, timeoutMs = 30_000) {
-    return new Promise((resolve) => {
-        let child;
-        try {
-            child = spawnSafe(command, args);
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            resolve({ stdout: "", stderr: msg, exitCode: -1 });
-            return;
-        }
-        let stdout = "";
-        let stderr = "";
-        let resolved = false;
-        const timer = setTimeout(() => {
-            if (!resolved) {
-                resolved = true;
-                child.kill("SIGTERM");
-                resolve({ stdout, stderr: stderr + "\n[TIMEOUT]", exitCode: -1 });
-            }
-        }, timeoutMs);
-        child.stdout?.on("data", (data) => {
-            stdout += data.toString();
-        });
-        child.stderr?.on("data", (data) => {
-            stderr += data.toString();
-        });
-        child.on("close", (code) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr, exitCode: code ?? -1 });
-            }
-        });
-        child.on("error", (err) => {
-            if (!resolved) {
-                resolved = true;
-                clearTimeout(timer);
-                resolve({ stdout, stderr: err.message, exitCode: -1 });
-            }
-        });
-    });
-}
+// ── Helpers ────────────────────────────────────────────────────────────────────
 // ── Credential masking ─────────────────────────────────────────────────────────
 /**
  * Mask a credential value, showing first 4 chars + asterisks.
@@ -611,7 +565,7 @@ export function registerCloudSecurityTools(server) {
                     text += "Credential Files:\n";
                     for (const file of creds.credentialFiles) {
                         const status = file.exists
-                            ? `EXISTS (permissions: ${file.permissions || "unknown"})${file.permWarning ? ` ⚠ ${file.permWarning}` : ""}`
+                            ? `EXISTS (permissions: ${file.permissions || "unknown"})${file.permWarning ? ` WARNING: ${file.permWarning}` : ""}`
                             : "not found";
                         text += `  • ${file.path}: ${status}\n`;
                     }
@@ -706,10 +660,10 @@ export function registerCloudSecurityTools(server) {
                         return { content: [formatToolOutput(output)] };
                     }
                     let text = "Cloud Security — IMDS Security Check\n\n";
-                    text += `IMDSv1 (unauthenticated): ${imds.v1Accessible ? "ACCESSIBLE ⚠" : "not accessible ✓"}\n`;
+                    text += `IMDSv1 (unauthenticated): ${imds.v1Accessible ? "ACCESSIBLE WARNING" : "not accessible OK"}\n`;
                     text += `IMDSv2 (token-based): ${imds.v2Accessible ? "accessible" : "not accessible"}\n`;
                     text += `IMDSv2 Token Endpoint: ${imds.v2TokenWorks ? "working" : "not working"}\n`;
-                    text += `Iptables IMDS Rules: ${imds.iptablesBlocked ? "BLOCKED ✓" : imds.iptablesRules.length > 0 ? "rules found" : "no rules"}\n`;
+                    text += `Iptables IMDS Rules: ${imds.iptablesBlocked ? "BLOCKED OK" : imds.iptablesRules.length > 0 ? "rules found" : "no rules"}\n`;
                     text += `Hop Limit: ${imds.hopLimit}\n`;
                     text += `\nSeverity: ${imds.severity}\n`;
                     text += `Security Score: ${imds.securityScore}/100\n`;

package/build/tools/compliance.js

@@ -14,7 +14,7 @@ import { generateDurationBanner, generateTimingSummary, startTiming, } from "../
 import { logChange, createChangeEntry } from "../core/changelog.js";
 import { getDistroAdapter } from "../core/distro-adapter.js";
 import { sanitizeArgs } from "../core/sanitizer.js";
-import { readFileSync } from "node:fs";
+import { readFileSync, statSync } from "node:fs";
 import { loadPolicy, evaluatePolicy, getBuiltinPolicies, } from "../core/policy-engine.js";
 async function runCisCheck(command, args, id, title, level, expectPattern) {
     try {
@@ -668,7 +668,7 @@ export function registerComplianceTools(server) {
                     }
                     function filePermCheckLocal(filePath, maxPerm) {
                         try {
-                            const { statSync } = require("node:fs");
+                            // statSync imported at module level
                             const stat = statSync(filePath);
                             const mode = (stat.mode & 0o777).toString(8);
                             return { passed: parseInt(mode, 8) <= parseInt(maxPerm, 8), detail: `${filePath}: ${mode} (max: ${maxPerm})` };
@@ -943,21 +943,17 @@ export function registerComplianceTools(server) {
                         for (const section of report.sections) {
                             md += `## ${section.name}\n\n`;
                             md += `**Score:** ${section.score}/100\n\n`;
-                            md += `\`\`\`json\n${JSON.stringify(section.details, null, 2)}\n\`\`\`\n\n`;
+                            md += `\`\`\`json\n${JSON.stringify(section.details)}\n\`\`\`\n\n`;
                         }
                         return { content: [createTextContent(md)] };
                     }
                     // Text format
-                    let text = `${"=".repeat(60)}\n`;
-                    text += `  COMPLIANCE REPORT\n`;
-                    text += `  Generated: ${report.timestamp}\n`;
-                    text += `  Overall Score: ${report.overallScore}/100\n`;
-                    text += `${"=".repeat(60)}\n\n`;
+                    let text = `COMPLIANCE REPORT\n`;
+                    text += `Generated: ${report.timestamp}\n`;
+                    text += `Overall Score: ${report.overallScore}/100\n\n`;
                     for (const section of report.sections) {
-                        text += `${"─".repeat(50)}\n`;
-                        text += `  ${section.name} — Score: ${section.score}/100\n`;
-                        text += `${"─".repeat(50)}\n`;
-                        text += `${JSON.stringify(section.details, null, 2)}\n\n`;
+                        text += `${section.name} — Score: ${section.score}/100\n`;
+                        text += `${JSON.stringify(section.details)}\n\n`;
                     }
                     return { content: [createTextContent(text)] };
                 }
@@ -981,7 +977,7 @@ export function registerComplianceTools(server) {
                     const currentUser = process.env.USER || process.env.LOGNAME;
                     if (currentUser && currentUser !== "root" && !allowed_users.includes(currentUser)) {
                         allowed_users = [...allowed_users, currentUser];
-                        changes.push(`⚠️ Auto-included current user '${currentUser}' in allowed_users to prevent self-lockout`);
+                        changes.push(`WARNING: Auto-included current user '${currentUser}' in allowed_users to prevent self-lockout`);
                     }
                     // Validate usernames
                     for (const user of allowed_users) {