hackmyagent 0.11.6 → 0.11.8

package/README.md

@@ -1,12 +1,11 @@
-> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent) · Registry (April 2026)
-
+> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 # HackMyAgent
 
 [![npm version](https://img.shields.io/npm/v/hackmyagent.svg)](https://www.npmjs.com/package/hackmyagent)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Tests](https://img.shields.io/badge/tests-1051%20passing-brightgreen)](https://github.com/opena2a-org/hackmyagent)
 
-**183 security checks for AI agents. Find what can go wrong before an attacker does.**
+**187 security checks for AI agents. Find what can go wrong before an attacker does.**
 
 Security scanner and red-team toolkit for Claude Code, Cursor, VS Code, and any MCP server setup.
 
@@ -32,7 +31,7 @@ npx opena2a-cli review
 
 **Attack testing** -- 115 adversarial payloads across 11 categories (prompt injection, data exfiltration, jailbreak, MCP exploitation, supply chain, memory weaponization, A2A protocol attacks, context window attacks).
 
-**Static analysis** -- 183 security checks across 35 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
+**Static analysis** -- 187 security checks across 39 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
 
 <details>
 <summary>Attack testing details (115 payloads)</summary>
@@ -50,7 +49,7 @@ npx opena2a-cli review
 </details>
 
 <details>
-<summary>Static analysis details (183 checks)</summary>
+<summary>Static analysis details (187 checks)</summary>
 
 - **Unicode steganography** -- invisible codepoints, zero-width chars, bidi attacks, homoglyph confusables, GlassWorm decoders ([real-world: os-info-checker-es6 npm attack, May 2025](https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html))
 - **Hardcoded credentials** -- API keys, tokens, and passwords in source or config files
@@ -66,7 +65,7 @@ npx opena2a-cli review
 
 </details>
 
-183 checks across 35 categories. 115 attack payloads. No flags needed.
+187 checks across 39 categories. 115 attack payloads. No flags needed.
 
 ---
 
@@ -108,7 +107,7 @@ npm install --save-dev hackmyagent
 
 Step-by-step guides for common workflows:
 
-- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 183 checks and auto-fix findings (5 min)
+- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 187 checks and auto-fix findings (5 min)
 - **[Red-team MCP servers](docs/use-cases/red-team-mcp.md)** -- Test MCP servers with adversarial payloads (10 min)
 - **[Secure OpenClaw](docs/use-cases/openclaw-security.md)** -- OpenClaw-specific checks, CVE detection, ClawHavoc IOC scanning (10 min)
 - **Secure NemoClaw** -- Scan NVIDIA NemoClaw sandbox installations for credential exposure, network misconfig, and sandbox escape vectors (5 min)

package/dist/cli.js

@@ -43,6 +43,7 @@ const index_1 = require("./index");
 const resolve_mcp_1 = require("./resolve-mcp");
 const nemoclaw_scanner_1 = require("./hardening/nemoclaw-scanner");
 const program = new commander_1.Command();
+program.showHelpAfterError('(run with --help for usage)');
 // Write JSON to stdout synchronously with retry for pipe backpressure.
 // process.stdout.write() is async and gets truncated when process.exit()
 // runs before the stream flushes. fs.writeFileSync(1, ...) can fail with
@@ -104,7 +105,7 @@ program
     .name('hackmyagent')
     .description(`Find it. Break it. Fix it.
 
-The hacker's toolkit for AI agents. 183 security checks, 115 attack
+The hacker's toolkit for AI agents. 187 security checks, 115 attack
 payloads, auto-fix with rollback, and OASB benchmark compliance.
 
 Documentation: https://hackmyagent.com/docs
@@ -113,10 +114,10 @@ Updates (v${index_1.VERSION}):
   - NemoClaw sandbox scanner (28 installation checks)
   - 10 new static analysis patterns (NEMO series)
   - Community trust contributions
-  - 183 checks across 35 categories
+  - 187 checks across 39 categories
 
 Examples:
-  $ hackmyagent secure                         Find vulnerabilities (183 checks)
+  $ hackmyagent secure                         Find vulnerabilities (187 checks)
   $ hackmyagent attack --local                 Break it with 115 attack payloads
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
@@ -125,7 +126,7 @@ Examples:
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
 program.addHelpText('beforeAll', `
 Quick start:
-  $ hackmyagent secure              Scan current directory (183 checks)
+  $ hackmyagent secure              Scan current directory (187 checks)
   $ hackmyagent fix-all --with-aim  Auto-fix + create agent identity
   $ hackmyagent attack              Red-team your agent
 `);
@@ -1621,7 +1622,7 @@ program
     .command('secure')
     .description(`Scan and harden your agent setup
 
-Performs 183 security checks across 35 categories:
+Performs 187 security checks across 39 categories:
   • Credentials: API key exposure, secrets in configs
   • MCP: Server configs, tool permissions, secrets
   • Network: TLS, interface bindings, CORS
@@ -1679,7 +1680,7 @@ Examples:
     .option('--ci', 'CI mode: suppress interactive prompts, exit non-zero on findings')
     .action(async (directory, options) => {
     try {
-        const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
+        const targetDir = require("path").resolve(directory);
         // CI mode: force non-interactive defaults
         if (options.ci) {
             if (!options.format && !options.json)
@@ -1962,8 +1963,12 @@ Examples:
             console.log(`${colors.green}No issues found.${RESET()}\n`);
         }
         else if (issues.length > 0) {
-            // Print issues - clean format
-            console.log(`${issues.length} issue${issues.length === 1 ? '' : 's'} found:\n`);
+            // Print issues - clean format with fixable count
+            const fixableCount = issues.filter((f) => f.fixable).length;
+            const fixableNote = fixableCount > 0
+                ? ` (${fixableCount} auto-fixable with \`${CLI_PREFIX} secure --fix\`)`
+                : '';
+            console.log(`${issues.length} issue${issues.length === 1 ? '' : 's'} found${fixableNote}:\n`);
             for (const finding of issues) {
                 const display = SEVERITY_DISPLAY[finding.severity];
                 const location = finding.file
@@ -2022,17 +2027,32 @@ Examples:
                 console.log(`  No changes were made.\n`);
             }
         }
-        // Print fixed findings
+        // Print fixed findings with detailed summary
         if (fixedFindings.length > 0) {
-            console.log(`${colors.green}Fixed ${fixedFindings.length} issue${fixedFindings.length === 1 ? '' : 's'}:${RESET()}`);
+            const verifiedCount = fixedFindings.filter((f) => f.fixVerified).length;
+            const unverifiedCount = fixedFindings.filter((f) => f.fixVerified === false).length;
+            console.log(`${colors.green}Fixed ${fixedFindings.length} issue${fixedFindings.length === 1 ? '' : 's'}${verifiedCount > 0 ? ` (${verifiedCount} verified)` : ''}:${RESET()}`);
             for (const finding of fixedFindings) {
-                const location = finding.file || '';
-                console.log(`  ${colors.green}✓${RESET()} ${location} - ${finding.name}`);
+                const location = finding.file ? (finding.line ? `${finding.file}:${finding.line}` : finding.file) : '';
+                const verified = finding.fixVerified;
+                const verifyIcon = verified === true ? `${colors.green}✓✓${RESET()}` : verified === false ? `${colors.yellow}✓?${RESET()}` : `${colors.green}✓${RESET()}`;
+                console.log(`  ${verifyIcon} [${finding.checkId}] ${location} - ${finding.name}`);
+                if (finding.fixMessage) {
+                    console.log(`    ${colors.cyan}→${RESET()} ${finding.fixMessage}`);
+                }
+            }
+            if (unverifiedCount > 0) {
+                console.log(`\n  ${colors.yellow}${unverifiedCount} fix${unverifiedCount === 1 ? '' : 'es'} could not be verified. Review these manually.${RESET()}`);
             }
             console.log();
+            // Remaining fixable issues
+            const remainingFixable = issues.filter((f) => f.fixable && !f.fixed);
+            if (remainingFixable.length > 0) {
+                console.log(`${colors.yellow}${remainingFixable.length} more issue${remainingFixable.length === 1 ? '' : 's'} can be auto-fixed.${RESET()} Run \`${CLI_PREFIX} secure --fix\` again.\n`);
+            }
             if (result.backupPath) {
-                console.log(`Backup: ${result.backupPath}`);
-                console.log(`Undo: ${CLI_PREFIX} rollback ${directory}\n`);
+                console.log(`${colors.yellow}Backup created:${RESET()} ${result.backupPath}`);
+                console.log(`${colors.yellow}Something wrong?${RESET()} Run \`${CLI_PREFIX} rollback ${directory}\` to undo all changes.\n`);
             }
         }
         // Registry reporting: only when explicitly requested via --version-id (CI) or --registry-report
@@ -2644,7 +2664,7 @@ Examples:
     .argument('[directory]', 'Directory to rollback (defaults to current directory)', '.')
     .action(async (directory) => {
     try {
-        const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
+        const targetDir = require("path").resolve(directory);
         console.log(`\nRolling back changes in ${targetDir}...\n`);
         const scanner = new index_1.HardeningScanner();
         await scanner.rollback(targetDir);
@@ -4096,7 +4116,7 @@ Examples:
     .option('-t, --tool <name>', 'Force specific tool: claude, cursor, vscode')
     .action(async (directory, options) => {
     try {
-        const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
+        const targetDir = require("path").resolve(directory);
         const { initMcp } = await Promise.resolve().then(() => __importStar(require('./init-mcp')));
         const result = initMcp(targetDir, options.tool);
         if (!result.created) {
@@ -4106,7 +4126,7 @@ Examples:
         console.log(`\n  Detected: ${result.tool}\n`);
         console.log(`  Added HackMyAgent MCP server to ${result.configPath}\n`);
         console.log(`  Available tools in ${result.tool}:`);
-        console.log(`    hackmyagent_scan       — 183 checks + structural analysis`);
+        console.log(`    hackmyagent_scan       — 187 checks + structural analysis`);
         console.log(`    hackmyagent_deep_scan  — Full analysis with LLM reasoning`);
         console.log(`    hackmyagent_analyze_file — Analyze a single file`);
         console.log(`    hackmyagent_benchmark  — OASB-1 compliance assessment\n`);
@@ -4201,7 +4221,7 @@ Examples:
     .option('--ci', 'CI mode: suppress interactive prompts, exit non-zero on findings')
     .action(async (directory, options) => {
     try {
-        const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
+        const targetDir = require("path").resolve(directory);
         // CI mode: force non-interactive defaults
         if (options.ci) {
             if (options.contribute === undefined)
@@ -4418,7 +4438,7 @@ Examples:
     .option('--json', 'Output as JSON')
     .action(async (directory, options) => {
     try {
-        const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
+        const targetDir = require("path").resolve(directory);
         if (!require('fs').existsSync(targetDir)) {
             process.stderr.write(`Error: Directory '${targetDir}' does not exist.\n`);
             process.exit(1);