npm - hackmyagent - Versions diffs - 0.11.1 → 0.11.2 - Mend

hackmyagent 0.11.1 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/cli.js +68 -16
package/dist/cli.js.map +1 -1
package/dist/hardening/scanner.d.ts.map +1 -1
package/dist/hardening/scanner.js +146 -12
package/dist/hardening/scanner.js.map +1 -1
package/dist/hardening/taxonomy.d.ts.map +1 -1
package/dist/hardening/taxonomy.js +1 -0
package/dist/hardening/taxonomy.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -120,9 +120,15 @@ Examples:
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
   $ hackmyagent scan example.com               Scan external infrastructure`)
-    .version(index_1.VERSION, '-v, --version', 'Output the version number')
-    .option('--no-color', 'Disable colored output (also respects NO_COLOR env)')
-    .hook('preAction', (thisCommand) => {
+    .version('hackmyagent ' + index_1.VERSION, '-v, --version', 'Output the version number')
+    .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
+program.addHelpText('beforeAll', `
+Quick start:
+  $ hackmyagent secure              Scan current directory (147+ checks)
+  $ hackmyagent fix-all --with-aim  Auto-fix + create agent identity
+  $ hackmyagent attack              Red-team your agent
+`);
+program.hook('preAction', (thisCommand) => {
     const opts = thisCommand.opts();
     if (opts.color === false) {
         colors = { green: '', yellow: '', red: '', brightRed: '', cyan: '', dim: '', reset: '' };
@@ -1532,22 +1538,43 @@ function resolvePackageVersion(targetDir) {
     catch { /* ignore */ }
     return null;
 }
+/**
+ * Build an anonymized contribution summary from scan findings.
+ * Contains only aggregate data -- no file paths, no code, no project names.
+ */
+function buildContributionSummary(findings, score, projectType) {
+    const failed = findings.filter((f) => !f.passed);
+    const categories = [...new Set(failed.map((f) => f.category).filter(Boolean))].sort();
+    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const f of failed) {
+        if (f.severity in counts)
+            counts[f.severity]++;
+    }
+    return {
+        packageType: projectType,
+        findingCategories: categories,
+        findingCounts: counts,
+        score,
+        toolVersion: index_1.VERSION,
+    };
+}
 /**
  * Handle community contribution after a scan completes.
  *
  * Determines whether to contribute based on:
  *   1. --contribute / --no-contribute CLI flags (highest priority)
- *   2. ~/.opena2a/config.json contribute.enabled setting
- *   3. Interactive opt-in prompt (first scan or scan #10)
+ *   2. --ci mode: skip prompt, only contribute if --contribute is explicit
+ *   3. ~/.opena2a/config.json contribute.enabled setting
+ *   4. Interactive opt-in prompt (first scan or scan #10)
  *
- * If contributing, builds an anonymized payload and submits it
- * asynchronously (non-blocking). Failures are logged as warnings.
+ * Shows what will be sent before sending (transparency).
  */
-async function handleContribution(contributeFlag, targetDir, findings, registryUrl, format) {
+async function handleContribution(contributeFlag, targetDir, findings, registryUrl, format, contributionOptions) {
     try {
         const { isContributeEnabled, shouldPromptContribute, showContributePrompt, incrementScanCount, buildContributionPayloadFromDir, submitContribution, } = await Promise.resolve().then(() => __importStar(require('./telemetry')));
         // Always increment scan count
         incrementScanCount();
+        const isCi = contributionOptions?.ci === true;
         // Determine whether to contribute
         let shouldContribute;
         if (contributeFlag === true) {
@@ -1558,6 +1585,10 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
             // --no-contribute flag: skip this scan
             shouldContribute = false;
         }
+        else if (isCi) {
+            // CI mode: never prompt, only contribute if --contribute was explicit
+            shouldContribute = false;
+        }
         else {
             // Check config
             const configSetting = isContributeEnabled();
@@ -1568,7 +1599,7 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
                 shouldContribute = false;
             }
             else {
-                // Not configured -- prompt after 3 scans (interactive TTY only)
+                // Not configured -- prompt (interactive TTY only)
                 if (format === 'text' && process.stdout.isTTY && shouldPromptContribute()) {
                     shouldContribute = await showContributePrompt();
                 }
@@ -1579,6 +1610,21 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
         }
         if (!shouldContribute)
             return;
+        // Build the anonymized contribution summary for transparency display
+        const score = contributionOptions?.score ?? 0;
+        const projectType = contributionOptions?.projectType ?? 'unknown';
+        const summary = buildContributionSummary(findings, score, projectType);
+        // Transparency: show what will be sent before sending
+        if (format === 'text' && !isCi) {
+            console.log('');
+            console.log('Contributing anonymized scan summary to OpenA2A Registry:');
+            console.log(`  Package type: ${summary.packageType}`);
+            console.log(`  Categories:   ${summary.findingCategories.join(', ') || '(none)'}`);
+            console.log(`  Findings:     ${summary.findingCounts.critical} critical, ${summary.findingCounts.high} high, ${summary.findingCounts.medium} medium, ${summary.findingCounts.low} low`);
+            console.log(`  Score:        ${summary.score}`);
+            console.log(`  Tool version: ${summary.toolVersion}`);
+            console.log('  (No file paths, code, or project names are sent)');
+        }
         // Build and submit contribution (non-blocking)
         const packageName = resolvePackageName(targetDir);
         if (!packageName)
@@ -1600,7 +1646,7 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
  * Converts SoulScanResult controls into SecurityFinding-like objects
  * for the contribution module, then delegates to handleContribution.
  */
-async function handleSoulContribution(contributeFlag, targetDir, result, registryUrl, format) {
+async function handleSoulContribution(contributeFlag, targetDir, result, registryUrl, format, contributionOptions) {
     // Convert soul controls into SecurityFinding-shaped objects
     const findings = [];
     for (const domain of result.domains) {
@@ -1619,7 +1665,11 @@ async function handleSoulContribution(contributeFlag, targetDir, result, registr
             });
         }
     }
-    await handleContribution(contributeFlag, targetDir, findings, registryUrl, format);
+    await handleContribution(contributeFlag, targetDir, findings, registryUrl, format, {
+        ci: contributionOptions?.ci,
+        score: result.score,
+        projectType: 'soul',
+    });
 }
 program
     .command('secure')
@@ -1680,6 +1730,7 @@ Examples:
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
     .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
+    .option('--ci', 'CI mode: suppress interactive prompts, machine-friendly output')
     .action(async (directory, options) => {
     try {
         const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
@@ -1884,7 +1935,7 @@ Examples:
                 writeJsonStdout(jsonOutput);
             }
             // Community contribution (non-blocking, runs in JSON mode too)
-            await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
+            await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format, { ci: options.ci, score: result.score, projectType: result.projectType });
             const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
             if (critHigh.length > 0)
                 process.exitCode = 1;
@@ -1935,9 +1986,9 @@ Examples:
         let scoreExtra = '';
         if (result.semanticAnalysis) {
             const sa = result.semanticAnalysis;
-            scoreExtra = ` | Semantic: ${sa.layer2Findings} structural`;
+            scoreExtra = ` | ${sa.layer2Findings} deep analysis finding${sa.layer2Findings === 1 ? '' : 's'}`;
             if (sa.layer3Findings > 0) {
-                scoreExtra += `, ${sa.layer3Findings} LLM`;
+                scoreExtra += `, ${sa.layer3Findings} AI-assisted`;
                 if (sa.llmCost !== undefined)
                     scoreExtra += ` ($${sa.llmCost.toFixed(3)})`;
                 if (sa.cachedResults)
@@ -2104,7 +2155,7 @@ Examples:
             }
         }
         // Community contribution: share anonymized findings with OpenA2A Registry
-        await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
+        await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format, { ci: options.ci, score: result.score, projectType: result.projectType });
         // Star prompt (interactive TTY only, text format only)
         if (process.stdout.isTTY) {
             console.log(`${colors.cyan}Helpful?${RESET()} Star the project: https://github.com/opena2a-org/opena2a\n`);
@@ -4003,6 +4054,7 @@ Examples:
     .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
     .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
+    .option('--ci', 'CI mode: suppress interactive prompts, machine-friendly output')
     .action(async (directory, options) => {
     try {
         const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
@@ -4168,7 +4220,7 @@ Examples:
         }
         // Community contribution: share anonymized findings with OpenA2A Registry
         const soulFormat = options.json ? 'json' : 'text';
-        await handleSoulContribution(options.contribute, targetDir, result, options.registryUrl, soulFormat);
+        await handleSoulContribution(options.contribute, targetDir, result, options.registryUrl, soulFormat, { ci: options.ci });
         // Check fail threshold
         if (options.failBelow) {
             const threshold = parseInt(options.failBelow, 10);