hackmyagent 0.11.8 → 0.11.9

package/README.md

@@ -5,7 +5,7 @@
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Tests](https://img.shields.io/badge/tests-1051%20passing-brightgreen)](https://github.com/opena2a-org/hackmyagent)
 
-**187 security checks for AI agents. Find what can go wrong before an attacker does.**
+**199 security checks for AI agents. Find what can go wrong before an attacker does.**
 
 Security scanner and red-team toolkit for Claude Code, Cursor, VS Code, and any MCP server setup.
 
@@ -31,7 +31,7 @@ npx opena2a-cli review
 
 **Attack testing** -- 115 adversarial payloads across 11 categories (prompt injection, data exfiltration, jailbreak, MCP exploitation, supply chain, memory weaponization, A2A protocol attacks, context window attacks).
 
-**Static analysis** -- 187 security checks across 39 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
+**Static analysis** -- 199 security checks across 60 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
 
 <details>
 <summary>Attack testing details (115 payloads)</summary>
@@ -49,7 +49,7 @@ npx opena2a-cli review
 </details>
 
 <details>
-<summary>Static analysis details (187 checks)</summary>
+<summary>Static analysis details (199 checks)</summary>
 
 - **Unicode steganography** -- invisible codepoints, zero-width chars, bidi attacks, homoglyph confusables, GlassWorm decoders ([real-world: os-info-checker-es6 npm attack, May 2025](https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html))
 - **Hardcoded credentials** -- API keys, tokens, and passwords in source or config files
@@ -65,7 +65,7 @@ npx opena2a-cli review
 
 </details>
 
-187 checks across 39 categories. 115 attack payloads. No flags needed.
+199 checks across 60 categories. 115 attack payloads. No flags needed.
 
 ---
 
@@ -107,10 +107,9 @@ npm install --save-dev hackmyagent
 
 Step-by-step guides for common workflows:
 
-- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 187 checks and auto-fix findings (5 min)
+- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 199 checks and auto-fix findings (5 min)
 - **[Red-team MCP servers](docs/use-cases/red-team-mcp.md)** -- Test MCP servers with adversarial payloads (10 min)
-- **[Secure OpenClaw](docs/use-cases/openclaw-security.md)** -- OpenClaw-specific checks, CVE detection, ClawHavoc IOC scanning (10 min)
-- **Secure NemoClaw** -- Scan NVIDIA NemoClaw sandbox installations for credential exposure, network misconfig, and sandbox escape vectors (5 min)
+- **[Secure OpenClaw](docs/use-cases/openclaw-security.md)** -- Auto-detected when OpenClaw files are present. Includes CVE detection and ClawHavoc IOC scanning (10 min)
 - **[CI/CD pipeline](docs/use-cases/ci-pipeline.md)** -- GitHub Actions with JSON/SARIF output (5 min)
 
 ---
@@ -280,16 +279,9 @@ hackmyagent harden-soul --dry-run         # preview without writing
 
 ---
 
-### `hackmyagent secure-nemoclaw` -- NemoClaw Sandbox Scanner
+### OpenClaw and NemoClaw Detection
 
-Scan NVIDIA NemoClaw installations for credential exposure, network misconfiguration, blueprint integrity issues, sandbox escape vectors, and inherited OpenClaw vulnerabilities. 28 checks across 6 categories.
-
-```bash
-hackmyagent secure-nemoclaw                  # scan auto-detected directory
-hackmyagent secure-nemoclaw ~/.nemoclaw      # scan specific directory
-hackmyagent secure-nemoclaw --json           # JSON output for CI
-hackmyagent secure-nemoclaw --verbose        # show all checks including passed
-```
+`hackmyagent secure` auto-detects OpenClaw and NemoClaw installations by looking for `.openclaw/`, `.moltbot/`, `.nemoclaw/`, `openclaw.json`, and `openclaw.plugin.json`. When detected, it automatically runs platform-specific checks (28 NemoClaw checks, 34 OpenClaw checks) alongside the standard 199 security checks. No separate commands needed.
 
 
 ---

package/dist/cli.js

@@ -82,6 +82,19 @@ function resolveCliPrefix() {
     return 'hackmyagent';
 }
 const CLI_PREFIX = resolveCliPrefix();
+/**
+ * Validate that a registry URL uses HTTPS.
+ * Allows http://localhost for local development.
+ * Rejects all other non-HTTPS URLs to prevent credential leakage.
+ */
+function validateRegistryUrl(url) {
+    if (url && !url.startsWith('https://') && !url.startsWith('http://localhost')) {
+        console.error('Error: Registry URL must use HTTPS. Got: ' + url);
+        console.error('Only https:// URLs and http://localhost are allowed.');
+        process.exit(1);
+    }
+    return url;
+}
 // Check for NO_COLOR env or non-TTY to disable colors by default
 const noColorEnv = process.env.NO_COLOR !== undefined || !process.stdout.isTTY;
 // Color codes - will be cleared if --no-color is passed
@@ -105,7 +118,7 @@ program
     .name('hackmyagent')
     .description(`Find it. Break it. Fix it.
 
-The hacker's toolkit for AI agents. 187 security checks, 115 attack
+The hacker's toolkit for AI agents. 199 security checks, 115 attack
 payloads, auto-fix with rollback, and OASB benchmark compliance.
 
 Documentation: https://hackmyagent.com/docs
@@ -114,10 +127,10 @@ Updates (v${index_1.VERSION}):
   - NemoClaw sandbox scanner (28 installation checks)
   - 10 new static analysis patterns (NEMO series)
   - Community trust contributions
-  - 187 checks across 39 categories
+  - 199 checks across 60 categories
 
 Examples:
-  $ hackmyagent secure                         Find vulnerabilities (187 checks)
+  $ hackmyagent secure                         Find vulnerabilities (199 checks)
   $ hackmyagent attack --local                 Break it with 115 attack payloads
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
@@ -126,7 +139,7 @@ Examples:
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
 program.addHelpText('beforeAll', `
 Quick start:
-  $ hackmyagent secure              Scan current directory (187 checks)
+  $ hackmyagent secure              Scan current directory (199 checks)
   $ hackmyagent fix-all --with-aim  Auto-fix + create agent identity
   $ hackmyagent attack              Red-team your agent
 `);
@@ -1540,6 +1553,66 @@ function resolvePackageVersion(targetDir) {
     catch { /* ignore */ }
     return null;
 }
+/**
+ * Resolve package name from pyproject.toml (Python projects).
+ */
+function resolvePackageNamePyproject(targetDir) {
+    try {
+        const fs = require('fs');
+        const path = require('path');
+        const pyprojectPath = path.join(targetDir, 'pyproject.toml');
+        if (fs.existsSync(pyprojectPath)) {
+            const content = fs.readFileSync(pyprojectPath, 'utf-8');
+            // Match [project] section's name field
+            const nameMatch = content.match(/\[project\][\s\S]*?name\s*=\s*"([^"]+)"/);
+            if (nameMatch)
+                return nameMatch[1];
+            // Also try [tool.poetry] section
+            const poetryMatch = content.match(/\[tool\.poetry\][\s\S]*?name\s*=\s*"([^"]+)"/);
+            if (poetryMatch)
+                return poetryMatch[1];
+        }
+    }
+    catch { /* ignore */ }
+    return null;
+}
+/**
+ * Resolve package version from pyproject.toml (Python projects).
+ */
+function resolvePackageVersionPyproject(targetDir) {
+    try {
+        const fs = require('fs');
+        const path = require('path');
+        const pyprojectPath = path.join(targetDir, 'pyproject.toml');
+        if (fs.existsSync(pyprojectPath)) {
+            const content = fs.readFileSync(pyprojectPath, 'utf-8');
+            const versionMatch = content.match(/\[project\][\s\S]*?version\s*=\s*"([^"]+)"/);
+            if (versionMatch)
+                return versionMatch[1];
+            const poetryMatch = content.match(/\[tool\.poetry\][\s\S]*?version\s*=\s*"([^"]+)"/);
+            if (poetryMatch)
+                return poetryMatch[1];
+        }
+    }
+    catch { /* ignore */ }
+    return null;
+}
+/**
+ * Resolve the repository URL from the git remote 'origin'.
+ */
+function resolveRepoUrl(targetDir) {
+    try {
+        const { execSync } = require('child_process');
+        const url = execSync('git remote get-url origin', {
+            cwd: targetDir,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        return url || null;
+    }
+    catch { /* ignore */ }
+    return null;
+}
 /**
  * Handle community contribution after a scan completes.
  *
@@ -1622,13 +1695,13 @@ program
     .command('secure')
     .description(`Scan and harden your agent setup
 
-Performs 187 security checks across 39 categories:
+Performs 199 security checks across 60 categories:
   • Credentials: API key exposure, secrets in configs
   • MCP: Server configs, tool permissions, secrets
   • Network: TLS, interface bindings, CORS
   • Prompt: Injection defenses, role protection
   • Encryption: At-rest encryption, secure hashing
-  • And 25 more categories...
+  • And 54 more categories...
 
 Benchmark mode (--benchmark):
   oasb-1   OASB-1 infrastructure compliance (L1/L2/L3 levels)
@@ -1669,11 +1742,13 @@ Examples:
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
     .option('--deep', 'Enable LLM-powered semantic analysis (requires ANTHROPIC_API_KEY)')
+    .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ LLM analysis)', 'standard')
+    .option('--ci-publish', 'Submit scan results to registry CI endpoint (requires CI_SCAN_HMAC_SECRET env)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
     .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
@@ -1733,8 +1808,15 @@ Examples:
                 console.log(`\nScanning ${targetDir}...\n`);
             }
         }
-        // Deep mode progress display
-        const isDeep = options.deep ?? false;
+        // Validate scan depth
+        const validDepths = ['quick', 'standard', 'deep'];
+        const scanDepth = (options.scanDepth || 'standard');
+        if (!validDepths.includes(scanDepth)) {
+            console.error(`Error: Invalid scan depth '${options.scanDepth}'. Use: ${validDepths.join(', ')}`);
+            process.exit(1);
+        }
+        // Deep mode: --deep flag OR --scan-depth deep
+        const isDeep = options.deep ?? (scanDepth === 'deep');
         const onProgress = isDeep && format === 'text'
             ? (msg) => process.stdout.write(msg)
             : undefined;
@@ -1745,6 +1827,9 @@ Examples:
                 console.log(`  npx ${CLI_PREFIX} init-mcp\n`);
             }
         }
+        if (scanDepth === 'quick' && format === 'text') {
+            console.log(`Scan depth: quick (config checks + credential detection only)\n`);
+        }
         const scanner = new index_1.HardeningScanner();
         const scanStartMs = Date.now();
         const result = await scanner.scan({
@@ -1753,6 +1838,7 @@ Examples:
             dryRun: options.dryRun ?? false,
             ignore: ignoreList,
             deep: isDeep,
+            scanDepth,
             cliName: CLI_PREFIX,
             onProgress,
         });
@@ -1862,7 +1948,7 @@ Examples:
             if (options.publish && options.registry !== false) {
                 try {
                     const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                    const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                     const packageName = resolvePackageName(targetDir);
                     if (packageName) {
                         const publishData = {
@@ -2060,7 +2146,7 @@ Examples:
         if (options.versionId || options.registryReport) {
             try {
                 const core = await Promise.resolve().then(() => __importStar(require('./index')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                 if (options.versionId) {
                     // Authenticated path: existing behavior (version-id + API key)
                     const registryKey = options.registryKey || process.env.REGISTRY_API_KEY;
@@ -2107,7 +2193,7 @@ Examples:
         else if (options.publish) {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                 const packageName = resolvePackageName(targetDir);
                 if (!packageName) {
                     console.error('\nCould not determine package name. Publish requires a package.json with a name field.');
@@ -2139,6 +2225,97 @@ Examples:
                 console.error('Scan results are still available locally.');
             }
         }
+        // CI publish: submit results to registry CAAT pipeline endpoint
+        if (options.ciPublish) {
+            const hmacSecret = process.env.CI_SCAN_HMAC_SECRET;
+            if (!hmacSecret) {
+                console.error('\nError: --ci-publish requires the CI_SCAN_HMAC_SECRET environment variable.');
+                process.exit(1);
+            }
+            try {
+                const { RegistryClient } = await Promise.resolve().then(() => __importStar(require('./registry/client')));
+                const { computeTreeHash } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
+                const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
+                const packageName = resolvePackageName(targetDir) || resolvePackageNamePyproject(targetDir);
+                const packageVersion = resolvePackageVersion(targetDir) || resolvePackageVersionPyproject(targetDir);
+                const repoUrl = resolveRepoUrl(targetDir);
+                if (!packageName) {
+                    console.error('\nCould not determine package name from package.json or pyproject.toml.');
+                }
+                else if (!repoUrl) {
+                    console.error('\nCould not determine repo URL from git remote. Ensure a git remote is configured.');
+                }
+                else {
+                    // Compute CAAT tree hash
+                    let contentHash = '';
+                    try {
+                        contentHash = computeTreeHash(targetDir);
+                    }
+                    catch {
+                        console.error('Warning: Could not compute tree hash. Using empty hash.');
+                    }
+                    // Count severity
+                    const failed = result.findings.filter((f) => !f.passed && !f.fixed);
+                    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+                    for (const f of failed) {
+                        if (f.severity === 'critical')
+                            counts.critical++;
+                        else if (f.severity === 'high')
+                            counts.high++;
+                        else if (f.severity === 'medium')
+                            counts.medium++;
+                        else if (f.severity === 'low')
+                            counts.low++;
+                    }
+                    const status = (counts.critical > 0 || counts.high > 0) ? 'failed'
+                        : (counts.medium > 0 || counts.low > 0) ? 'warnings' : 'passed';
+                    const client = new RegistryClient({ registryUrl, apiKey: '' });
+                    const scanId = `hma-ci-${Date.now()}`;
+                    // Get scanner version from package.json
+                    let scannerVersion = 'unknown';
+                    try {
+                        const hmaPackagePath = require('path').resolve(__dirname, '../package.json');
+                        scannerVersion = require(hmaPackagePath).version || 'unknown';
+                    }
+                    catch { /* ignore */ }
+                    const ciResult = await client.submitCIScanResult({
+                        packageName,
+                        packageType: undefined,
+                        version: packageVersion ?? undefined,
+                        repoUrl,
+                        scanId,
+                        status,
+                        criticalCount: counts.critical,
+                        highCount: counts.high,
+                        mediumCount: counts.medium,
+                        lowCount: counts.low,
+                        contentHash,
+                        scannerVersion,
+                        hmacSecret,
+                        rawReport: {
+                            generator: 'hackmyagent',
+                            totalFindings: result.findings.length,
+                            failedFindings: failed.length,
+                            scanDepth,
+                        },
+                    });
+                    if (format === 'text') {
+                        console.log(`\nCI scan result submitted to registry.`);
+                        console.log(`  Scan ID: ${scanId}`);
+                        console.log(`  Valid: ${ciResult.valid}`);
+                        console.log(`  Trust impact: ${ciResult.trustImpact}\n`);
+                    }
+                    else if (format === 'json') {
+                        console.error(JSON.stringify({ ciPublish: { scanId, ...ciResult } }, null, 2));
+                    }
+                }
+            }
+            catch (ciErr) {
+                const msg = ciErr instanceof Error ? ciErr.message : 'unknown error';
+                console.error(`\nFailed to submit CI scan result: ${msg}`);
+                console.error('Scan results are still available locally.');
+            }
+        }
         // Community contribution: share anonymized findings with OpenA2A Registry
         await handleContribution(options.contribute, targetDir, result.findings, scanDurationMs, options.registryUrl, format);
         // Star prompt (interactive TTY only, text format only)
@@ -2738,7 +2915,7 @@ Examples:
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .action(async (targetUrl, options) => {
     try {
@@ -2894,7 +3071,7 @@ Examples:
         if (shouldReport) {
             try {
                 const core = await Promise.resolve().then(() => __importStar(require('./index')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                 if (options.versionId) {
                     // Authenticated path: existing behavior (version-id + API key)
                     const registryKey = options.registryKey || process.env.REGISTRY_API_KEY;
@@ -2941,7 +3118,7 @@ Examples:
         else if (options.publish && targetType !== 'local') {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const regUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                const regUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                 const packageName = target.url || targetUrl || 'unknown';
                 if (format === 'text') {
                     console.log('\nPublishing results to registry...\n');
@@ -4126,7 +4303,7 @@ Examples:
         console.log(`\n  Detected: ${result.tool}\n`);
         console.log(`  Added HackMyAgent MCP server to ${result.configPath}\n`);
         console.log(`  Available tools in ${result.tool}:`);
-        console.log(`    hackmyagent_scan       — 187 checks + structural analysis`);
+        console.log(`    hackmyagent_scan       — 199 checks + structural analysis`);
         console.log(`    hackmyagent_deep_scan  — Full analysis with LLM reasoning`);
         console.log(`    hackmyagent_analyze_file — Analyze a single file`);
         console.log(`    hackmyagent_benchmark  — OASB-1 compliance assessment\n`);
@@ -4215,7 +4392,7 @@ Examples:
     .option('--fail-below <score>', 'Exit 1 if score below threshold (0-100)')
     .option('--deep', 'Enable LLM semantic analysis for ambiguous controls (requires claude CLI or ANTHROPIC_API_KEY)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
     .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
     .option('--ci', 'CI mode: suppress interactive prompts, exit non-zero on findings')
@@ -4248,7 +4425,7 @@ Examples:
             if (options.publish) {
                 try {
                     const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                    const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                     const packageName = resolvePackageName(targetDir);
                     if (packageName) {
                         const publishData = {
@@ -4363,7 +4540,7 @@ Examples:
         if (options.publish) {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
+                const registryUrl = validateRegistryUrl(options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org');
                 const packageName = resolvePackageName(targetDir);
                 if (!packageName) {
                     process.stderr.write('Could not determine package name. Publish requires a package.json with a name field.\n');
@@ -4739,10 +4916,10 @@ Examples:
     .option('--audit <file>', 'Audit a dependency file (package.json or requirements.txt)')
     .option('--batch <names...>', 'Batch trust lookup for multiple packages')
     .option('--min-trust <level>', 'Minimum trust level threshold (0-4)', '3')
-    .option('--registry-url <url>', 'Registry base URL', REGISTRY_DEFAULT_URL)
+    .option('--registry-url <url>', 'Registry base URL', validateRegistryUrl(REGISTRY_DEFAULT_URL))
     .option('--json', 'Output as JSON')
     .action(async (packageName, opts) => {
-    const registryUrl = opts.registryUrl.replace(/\/+$/, '');
+    const registryUrl = validateRegistryUrl(opts.registryUrl).replace(/\/+$/, '');
     const minTrust = parseInt(opts.minTrust, 10);
     if (isNaN(minTrust) || minTrust < 0 || minTrust > 4) {
         process.stderr.write('Error: --min-trust must be a number between 0 and 4\n');
@@ -4821,5 +4998,36 @@ Examples:
         process.exit(1);
     }
 });
+program
+    .command('check-metadata')
+    .description('Export metadata for all security checks by scanning test fixtures (JSON)')
+    .option('-d, --directory <dir>', 'Directory to scan for check metadata extraction')
+    .action(async (options) => {
+    const { getAttackClass } = require('./hardening/taxonomy');
+    const targetDir = options.directory || process.cwd();
+    // Run a real scan to collect all check metadata from findings
+    const scanner = new index_1.HardeningScanner();
+    const result = await scanner.scan({ targetDir, autoFix: false, scanDepth: 'deep' });
+    const metadata = {};
+    for (const finding of result.findings) {
+        if (!metadata[finding.checkId]) {
+            metadata[finding.checkId] = {
+                checkId: finding.checkId,
+                name: finding.name,
+                category: finding.category,
+                attackClass: getAttackClass(finding.checkId) || '',
+                severity: finding.severity,
+                fix: finding.fix || '',
+                guidance: finding.guidance || '',
+            };
+        }
+    }
+    writeJsonStdout({ totalChecks: Object.keys(metadata).length, checks: metadata });
+});
+// Show help and exit 0 when no arguments provided
+if (process.argv.length <= 2) {
+    program.outputHelp();
+    process.exit(0);
+}
 program.parse();
 //# sourceMappingURL=cli.js.map