npm - hackmyagent - Versions diffs - 0.11.12 → 0.11.14 - Mend

hackmyagent 0.11.12 → 0.11.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (96) hide show

package/README.md +16 -15
package/dist/arp/engine/correlation.d.ts +27 -0
package/dist/arp/engine/correlation.d.ts.map +1 -0
package/dist/arp/engine/correlation.js +95 -0
package/dist/arp/engine/correlation.js.map +1 -0
package/dist/arp/engine/event-engine.d.ts +1 -0
package/dist/arp/engine/event-engine.d.ts.map +1 -1
package/dist/arp/engine/event-engine.js +16 -0
package/dist/arp/engine/event-engine.js.map +1 -1
package/dist/arp/index.d.ts +2 -0
package/dist/arp/index.d.ts.map +1 -1
package/dist/arp/index.js +5 -1
package/dist/arp/index.js.map +1 -1
package/dist/arp/intelligence/anomaly.d.ts +4 -0
package/dist/arp/intelligence/anomaly.d.ts.map +1 -1
package/dist/arp/intelligence/anomaly.js +71 -0
package/dist/arp/intelligence/anomaly.js.map +1 -1
package/dist/arp/intelligence/nanomind-l1.d.ts +72 -0
package/dist/arp/intelligence/nanomind-l1.d.ts.map +1 -0
package/dist/arp/intelligence/nanomind-l1.js +268 -0
package/dist/arp/intelligence/nanomind-l1.js.map +1 -0
package/dist/arp/monitors/network.d.ts +16 -1
package/dist/arp/monitors/network.d.ts.map +1 -1
package/dist/arp/monitors/network.js +55 -1
package/dist/arp/monitors/network.js.map +1 -1
package/dist/arp/proxy/server.d.ts +7 -0
package/dist/arp/proxy/server.d.ts.map +1 -1
package/dist/arp/proxy/server.js +24 -0
package/dist/arp/proxy/server.js.map +1 -1
package/dist/attack-engine/feedback-loop.d.ts +36 -0
package/dist/attack-engine/feedback-loop.d.ts.map +1 -0
package/dist/attack-engine/feedback-loop.js +261 -0
package/dist/attack-engine/feedback-loop.js.map +1 -0
package/dist/attack-engine/index.d.ts +13 -0
package/dist/attack-engine/index.d.ts.map +1 -0
package/dist/attack-engine/index.js +21 -0
package/dist/attack-engine/index.js.map +1 -0
package/dist/attack-engine/payload-generator.d.ts +21 -0
package/dist/attack-engine/payload-generator.d.ts.map +1 -0
package/dist/attack-engine/payload-generator.js +210 -0
package/dist/attack-engine/payload-generator.js.map +1 -0
package/dist/attack-engine/target-reader.d.ts +15 -0
package/dist/attack-engine/target-reader.d.ts.map +1 -0
package/dist/attack-engine/target-reader.js +152 -0
package/dist/attack-engine/target-reader.js.map +1 -0
package/dist/attack-engine/training-pipeline.d.ts +57 -0
package/dist/attack-engine/training-pipeline.d.ts.map +1 -0
package/dist/attack-engine/training-pipeline.js +146 -0
package/dist/attack-engine/training-pipeline.js.map +1 -0
package/dist/attack-engine/types.d.ts +133 -0
package/dist/attack-engine/types.d.ts.map +1 -0
package/dist/attack-engine/types.js +22 -0
package/dist/attack-engine/types.js.map +1 -0
package/dist/cli.js +210 -12
package/dist/cli.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -1
package/dist/index.js.map +1 -1
package/dist/output/asff.d.ts +37 -0
package/dist/output/asff.d.ts.map +1 -0
package/dist/output/asff.js +112 -0
package/dist/output/asff.js.map +1 -0
package/dist/semantic/index.d.ts +2 -0
package/dist/semantic/index.d.ts.map +1 -1
package/dist/semantic/index.js +9 -1
package/dist/semantic/index.js.map +1 -1
package/dist/semantic/nanomind-analyzer.d.ts +77 -0
package/dist/semantic/nanomind-analyzer.d.ts.map +1 -0
package/dist/semantic/nanomind-analyzer.js +165 -0
package/dist/semantic/nanomind-analyzer.js.map +1 -0
package/dist/simulation/engine.d.ts +69 -0
package/dist/simulation/engine.d.ts.map +1 -0
package/dist/simulation/engine.js +297 -0
package/dist/simulation/engine.js.map +1 -0
package/dist/simulation/index.d.ts +15 -0
package/dist/simulation/index.d.ts.map +1 -0
package/dist/simulation/index.js +31 -0
package/dist/simulation/index.js.map +1 -0
package/dist/simulation/llm-executor.d.ts +58 -0
package/dist/simulation/llm-executor.d.ts.map +1 -0
package/dist/simulation/llm-executor.js +297 -0
package/dist/simulation/llm-executor.js.map +1 -0
package/dist/simulation/mock-tools.d.ts +35 -0
package/dist/simulation/mock-tools.d.ts.map +1 -0
package/dist/simulation/mock-tools.js +181 -0
package/dist/simulation/mock-tools.js.map +1 -0
package/dist/simulation/probes.d.ts +17 -0
package/dist/simulation/probes.d.ts.map +1 -0
package/dist/simulation/probes.js +295 -0
package/dist/simulation/probes.js.map +1 -0
package/dist/simulation/types.d.ts +79 -0
package/dist/simulation/types.d.ts.map +1 -0
package/dist/simulation/types.js +25 -0
package/dist/simulation/types.js.map +1 -0
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -1734,15 +1734,18 @@ Examples:
     .option('--dry-run', 'Preview fixes without applying them (use with --fix)')
     .option('--ignore <checks>', 'Comma-separated check IDs to skip (e.g., CRED-001,GIT-002)')
     .option('--json', 'Output as JSON (deprecated: use --format json)')
-    .option('-f, --format <format>', 'Output format: text, json, sarif, html (default: text)', 'text')
+    .option('-f, --format <format>', 'Output format: text, json, sarif, html, asff (default: text)', 'text')
+    .option('--aws-account-id <id>', 'AWS account ID for ASFF format')
+    .option('--aws-region <region>', 'AWS region for ASFF format')
     .option('-o, --output <file>', 'Write output to file instead of stdout')
     .option('--fail-below <percent>', 'Exit 1 if compliance below threshold (0-100)')
     .option('-v, --verbose', 'Show all checks including passed ones')
     .option('-b, --benchmark <name>', 'Run benchmark compliance check (e.g., oasb-1)')
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
-    .option('--deep', 'Enable LLM-powered semantic analysis (requires ANTHROPIC_API_KEY)')
-    .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ LLM analysis)', 'standard')
+    .option('--deep', 'Maximum analysis: static + NanoMind + behavioral simulation + adaptive attacks (~30s per artifact)')
+    .option('--static-only', 'Disable NanoMind and simulation (static checks only, fast, deterministic)')
+    .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ simulation)', 'standard')
     .option('--ci-publish', 'Submit scan results to registry CI endpoint (requires CI_SCAN_HMAC_SECRET env)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-report', 'Post results to OpenA2A Registry')
@@ -1787,7 +1790,7 @@ Examples:
             process.exit(1);
         }
         // Determine output format (--json is deprecated alias for --format json)
-        const validFormats = ['text', 'json', 'sarif', 'html', 'asp'];
+        const validFormats = ['text', 'json', 'sarif', 'html', 'asp', 'asff'];
         const format = options.json ? 'json' : (options.format || 'text');
         if (!validFormats.includes(format)) {
             console.error(`Error: Invalid format '${format}'. Use: ${validFormats.join(', ')}`);
@@ -1815,17 +1818,41 @@ Examples:
             console.error(`Error: Invalid scan depth '${options.scanDepth}'. Use: ${validDepths.join(', ')}`);
             process.exit(1);
         }
-        // Deep mode: --deep flag OR --scan-depth deep
+        // Analysis mode: smart defaults, minimal flags
+        // Default: static + NanoMind (if daemon available)
+        // --deep: everything (static + NanoMind + simulation + adaptive attacks)
+        // --static-only: just static checks (CI/deterministic)
+        // --ci: implies --static-only
+        const isStaticOnly = options.staticOnly ?? false;
         const isDeep = options.deep ?? (scanDepth === 'deep');
-        const onProgress = isDeep && format === 'text'
+        // Auto-detect NanoMind daemon
+        let nanomindAvailable = false;
+        if (!isStaticOnly && !options.ci) {
+            try {
+                const { isDaemonAvailable } = await Promise.resolve().then(() => __importStar(require('./semantic/nanomind-analyzer.js')));
+                nanomindAvailable = await isDaemonAvailable();
+            }
+            catch { /* daemon not installed */ }
+        }
+        const onProgress = format === 'text'
             ? (msg) => process.stdout.write(msg)
             : undefined;
-        if (isDeep && format === 'text') {
-            if (!process.env.ANTHROPIC_API_KEY) {
-                console.log(`Layer 3: Semantic analysis — skipped (no ANTHROPIC_API_KEY)`);
-                console.log(`  Tip: Add HackMyAgent as an MCP server for free LLM analysis:`);
-                console.log(`  npx ${CLI_PREFIX} init-mcp\n`);
+        // Show analysis mode to user
+        if (format === 'text') {
+            if (isStaticOnly || options.ci) {
+                // Static only -- no extra output
+            }
+            else if (nanomindAvailable && isDeep) {
+                console.log(`Analysis: static + NanoMind + behavioral simulation + adaptive attacks\n`);
+            }
+            else if (nanomindAvailable) {
+                console.log(`Analysis: static + NanoMind (enhanced accuracy)\n`);
+            }
+            else if (isDeep) {
+                console.log(`Analysis: static + behavioral simulation\n`);
+                console.log(`  Tip: Install NanoMind for even better results: nanomind-daemon start\n`);
             }
+            // Default static-only: no message needed, it's the baseline
         }
         if (scanDepth === 'quick' && format === 'text') {
             console.log(`Scan depth: quick (config checks + credential detection only)\n`);
@@ -1843,6 +1870,53 @@ Examples:
             onProgress,
         });
         const scanDurationMs = Date.now() - scanStartMs;
+        // Behavioral simulation: auto-runs on --deep, or when NanoMind detects ambiguity
+        if (isDeep && format === 'text') {
+            try {
+                const { SimulationEngine, parseSkillProfile } = await Promise.resolve().then(() => __importStar(require('./simulation/index.js')));
+                const { readFileSync, readdirSync, statSync } = await Promise.resolve().then(() => __importStar(require('node:fs')));
+                const { join } = await Promise.resolve().then(() => __importStar(require('node:path')));
+                // Find skill files in target directory
+                const skillFiles = [];
+                const findSkills = (dir) => {
+                    try {
+                        for (const entry of readdirSync(dir)) {
+                            const fullPath = join(dir, entry);
+                            const stat = statSync(fullPath);
+                            if (stat.isDirectory() && !entry.startsWith('.') && entry !== 'node_modules') {
+                                findSkills(fullPath);
+                            }
+                            else if (entry.endsWith('.md') || entry.endsWith('.yaml') || entry.endsWith('.yml')) {
+                                skillFiles.push(fullPath);
+                            }
+                        }
+                    }
+                    catch { /* skip inaccessible dirs */ }
+                };
+                findSkills(targetDir);
+                if (skillFiles.length === 0) {
+                    process.stdout.write(`\n[Simulation] No skill/SOUL/MCP artifacts found. Simulation skipped.\n\n`);
+                }
+                else {
+                    process.stdout.write(`\n[Simulation] Running behavioral simulation on ${skillFiles.length} artifact(s)...\n`);
+                    const sim = new SimulationEngine({ useLLM: nanomindAvailable });
+                    for (const file of skillFiles.slice(0, 10)) { // Cap at 10 files
+                        const content = readFileSync(file, 'utf-8');
+                        const profile = parseSkillProfile(content, file.split('/').pop() ?? 'unknown');
+                        const simResult = await sim.runLayer3(profile);
+                        const icon = simResult.verdict === 'CLEAN' ? 'PASS' : simResult.verdict === 'SUSPICIOUS' ? 'WARN' : 'FAIL';
+                        process.stdout.write(`  [${icon}] ${file.split('/').pop()} — ${simResult.verdict} (${(simResult.confidence * 100).toFixed(0)}% confidence, ${simResult.failedProbes.length}/${simResult.probeCount} probes failed)\n`);
+                        // Auto-export training data
+                        const { exportSimulationTraining } = await Promise.resolve().then(() => __importStar(require('./attack-engine/training-pipeline.js')));
+                        exportSimulationTraining(content, simResult);
+                    }
+                    process.stdout.write(`[Simulation] Complete.\n\n`);
+                } // end skillFiles.length > 0
+            }
+            catch (err) {
+                process.stdout.write(`[Simulation] Skipped: ${err instanceof Error ? err.message : 'unknown error'}\n\n`);
+            }
+        }
         // OASB-2 composite mode: infrastructure (50%) + governance (50%)
         if (isOasb2) {
             const infraResult = generateBenchmarkReport(result.allFindings || result.findings, level, options.category);
@@ -2013,6 +2087,26 @@ Examples:
                 process.exit(1);
             return;
         }
+        if (format === 'asff') {
+            const { toASSF } = await Promise.resolve().then(() => __importStar(require('./output/asff.js')));
+            const output = toASSF(result.findings, {
+                awsAccountId: options.awsAccountId,
+                awsRegion: options.awsRegion,
+                targetDir,
+            });
+            if (options.output) {
+                require('fs').writeFileSync(options.output, output);
+                console.error(`ASFF report written to ${options.output}`);
+                console.error(`Import: aws securityhub batch-import-findings --findings file://${options.output}`);
+            }
+            else {
+                console.log(output);
+            }
+            const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
+            if (critHigh.length > 0)
+                process.exit(1);
+            return;
+        }
         // Filter to only show failed findings (issues)
         const issues = result.findings.filter((f) => !f.passed && !f.fixed);
         const fixedFindings = result.findings.filter((f) => f.fixed);
@@ -4390,7 +4484,8 @@ Examples:
     .option('--tier <tier>', 'Override agent tier detection (BASIC, TOOL-USING, AGENTIC, MULTI-AGENT)')
     .option('--profile <profile>', 'Override agent profile (conversational, code-assistant, tool-agent, autonomous, orchestrator, custom)')
     .option('--fail-below <score>', 'Exit 1 if score below threshold (0-100)')
-    .option('--deep', 'Enable LLM semantic analysis for ambiguous controls (requires claude CLI or ANTHROPIC_API_KEY)')
+    .option('--deep', 'Maximum analysis: NanoMind + SOUL governance simulation (~15s)')
+    .option('--static-only', 'Disable NanoMind (static governance checks only)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
@@ -5025,6 +5120,109 @@ program
     writeJsonStdout({ totalChecks: Object.keys(metadata).length, checks: metadata });
 });
 // Show help and exit 0 when no arguments provided
+// explain command: NanoMind-powered finding explanation
+program
+    .command('explain')
+    .argument('<findingId>', 'Finding ID to explain (e.g., SKILL-SEMANTIC-007 or CRED-001)')
+    .description('Explain a security finding in plain English using NanoMind')
+    .action(async (findingId) => {
+    console.log(`Explaining finding: ${findingId}\n`);
+    // Try NanoMind daemon first for dynamic explanation
+    const { isDaemonAvailable, explainFinding } = await Promise.resolve().then(() => __importStar(require('./semantic/nanomind-analyzer.js')));
+    const available = await isDaemonAvailable();
+    if (available) {
+        const explanation = await explainFinding(JSON.stringify({ findingId }));
+        if (explanation) {
+            console.log(explanation);
+            return;
+        }
+    }
+    // Fallback: static explanation from check metadata
+    const checkId = findingId.toUpperCase();
+    const staticExplanations = {
+        'CRED-001': 'Hardcoded credential detected. API keys, tokens, or passwords are embedded directly in source code. Replace with environment variable references ($VAR_NAME) and rotate the exposed credential immediately.',
+        'CRED-002': 'OpenAI API key pattern detected (sk-...). Move to environment variable OPENAI_API_KEY.',
+        'CRED-003': 'Anthropic API key pattern detected (sk-ant-...). Move to environment variable ANTHROPIC_API_KEY.',
+        'CRED-004': 'AWS credential pattern detected. Use AWS SDK credential chain or environment variables.',
+        'MCP-001': 'MCP server running without TLS. Agent-to-server communication is unencrypted.',
+        'SKILL-005': 'External endpoint in skill capability declaration. Verify the endpoint is trusted.',
+    };
+    const explanation = staticExplanations[checkId];
+    if (explanation) {
+        console.log(`${checkId}: ${explanation}`);
+    }
+    else {
+        console.log(`No explanation available for ${findingId}.`);
+        if (!available) {
+            console.log(`\nFor dynamic explanations, install NanoMind: npm install -g @nanomind/cli && nanomind-daemon start`);
+        }
+    }
+});
+// red-team command: NanoMind-powered adaptive attack engine
+program
+    .command('red-team')
+    .argument('<target>', 'Path to artifact to red-team (skill, SOUL.md, MCP config, system prompt)')
+    .description('Run adaptive attack session against an artifact. NanoMind generates target-specific attacks, observes responses, adapts, and maps defenses.')
+    .option('--iterations <n>', 'Max attack iterations per category', '5')
+    .option('--json', 'Output results as JSON')
+    .action(async (target, options) => {
+    const { readFileSync } = await Promise.resolve().then(() => __importStar(require('node:fs')));
+    const { runAttackSession, exportTrainingData } = await Promise.resolve().then(() => __importStar(require('./attack-engine/feedback-loop.js')));
+    const { exportAttackTraining } = await Promise.resolve().then(() => __importStar(require('./attack-engine/training-pipeline.js')));
+    let content;
+    try {
+        content = readFileSync(target, 'utf-8');
+    }
+    catch {
+        console.error(`Cannot read file: ${target}`);
+        process.exit(1);
+    }
+    const artifactType = target.toLowerCase().includes('soul') ? 'soul'
+        : target.toLowerCase().includes('mcp') ? 'mcp_tool'
+            : 'skill';
+    const name = target.split('/').pop() ?? 'unknown';
+    if (!options.json) {
+        console.log(`\nAdaptive Attack Engine`);
+        console.log(`Target: ${name} (${artifactType})`);
+        console.log(`Max iterations: ${options.iterations ?? 5} per category\n`);
+    }
+    const result = await runAttackSession(content, artifactType, name, {
+        maxIterations: parseInt(options.iterations ?? '5', 10),
+    });
+    if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log(`Results:`);
+        console.log(`  Payloads generated: ${result.totalPayloads}`);
+        console.log(`  Successful attacks: ${result.successCount}`);
+        console.log(`  Partial successes:  ${result.partialCount}`);
+        console.log(`  Resilience score:   ${(result.defenseMap.resilienceScore * 100).toFixed(0)}%`);
+        console.log(`  Duration:           ${result.durationMs}ms\n`);
+        if (result.vulnerabilities.length > 0) {
+            console.log(`Vulnerabilities Found:`);
+            for (const vuln of result.vulnerabilities) {
+                console.log(`  [${vuln.severity.toUpperCase()}] ${vuln.title}`);
+                console.log(`    ${vuln.description}`);
+                console.log(`    Fix: ${vuln.remediation}\n`);
+            }
+        }
+        else {
+            console.log(`No vulnerabilities found. All defenses held.\n`);
+        }
+        if (result.defenseMap.strongCategories.length > 0) {
+            console.log(`Strong defenses: ${result.defenseMap.strongCategories.join(', ')}`);
+        }
+        if (result.defenseMap.weakCategories.length > 0) {
+            console.log(`Weak defenses:   ${result.defenseMap.weakCategories.join(', ')}`);
+        }
+    }
+    // Auto-export training data
+    const trainingCount = exportAttackTraining(result);
+    if (!options.json && trainingCount > 0) {
+        console.log(`\n${trainingCount} training samples exported to NanoMind corpus.`);
+    }
+});
 if (process.argv.length <= 2) {
     program.outputHelp();
     process.exit(0);