hackmyagent 0.12.9 → 0.13.1

package/dist/cli.js

@@ -45,14 +45,14 @@ const wild_1 = require("./wild");
 const nemoclaw_scanner_1 = require("./hardening/nemoclaw-scanner");
 const program = new commander_1.Command();
 program.showHelpAfterError('(run with --help for usage)');
-// Write JSON to stdout synchronously with retry for pipe backpressure.
+// Write a string to stdout synchronously with retry for pipe backpressure.
 // process.stdout.write() is async and gets truncated when process.exit()
 // runs before the stream flushes. fs.writeFileSync(1, ...) can fail with
 // EAGAIN on non-blocking pipes when the buffer (64KB on macOS) fills up.
 // This function writes in chunks with retry to handle both cases.
-function writeJsonStdout(data) {
+function writeLargeStdout(text) {
     const fs = require('fs');
-    const buf = Buffer.from(JSON.stringify(data, null, 2) + '\n');
+    const buf = Buffer.from(text);
     let offset = 0;
     while (offset < buf.length) {
         try {
@@ -61,13 +61,16 @@ function writeJsonStdout(data) {
         }
         catch (e) {
             if (e && typeof e === 'object' && 'code' in e && e.code === 'EAGAIN') {
-                // Pipe buffer full — spin-wait briefly then retry
+                // Pipe buffer full -- spin-wait briefly then retry
                 continue;
             }
             throw e;
         }
     }
 }
+function writeJsonStdout(data) {
+    writeLargeStdout(JSON.stringify(data, null, 2) + '\n');
+}
 // Resolve the CLI command name based on how we were invoked.
 // When run via `opena2a scan secure`, use `opena2a scan` prefix.
 // When run directly as `hackmyagent`, use that.
@@ -96,6 +99,10 @@ function validateRegistryUrl(url) {
     }
     return url;
 }
+// Global CI mode flag -- set before parse() by stripping --ci from argv.
+// Commands that already define --ci (secure, scan-soul) use their own opts;
+// all others can check this module-level flag.
+let globalCiMode = false;
 // Check for NO_COLOR env or non-TTY to disable colors by default
 const noColorEnv = process.env.NO_COLOR !== undefined || !process.stdout.isTTY;
 // Color codes - will be cleared if --no-color is passed
@@ -136,7 +143,7 @@ Examples:
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
   $ hackmyagent scan example.com               Scan external infrastructure`)
-    .version('hackmyagent ' + index_1.VERSION, '-V, --version', 'Output the version number')
+    .version('hackmyagent ' + index_1.VERSION, '-v, --version', 'Output the version number')
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
 program.addHelpText('beforeAll', `
 Quick start:
@@ -212,7 +219,7 @@ Examples:
             const riskDisplay = RISK_DISPLAY[risk];
             console.log(`\n${riskDisplay.color()}${riskDisplay.symbol} ${risk.toUpperCase()} RISK${RESET()}\n`);
             console.log(`Path: ${resolved}`);
-            console.log(`NanoMind: ${nmResult.compiledArtifacts} artifact(s) compiled\n`);
+            console.log(`Semantic analysis: ${nmResult.compiledArtifacts} file(s) analyzed\n`);
             if (issues.length === 0) {
                 console.log(`${colors.green}No security issues detected.${RESET()}\n`);
             }
@@ -232,10 +239,13 @@ Examples:
                 process.exit(1);
             return;
         }
-        // Registry lookup path (non-local identifier)
-        const result = await (0, index_1.checkSkill)(skill, {
+        // Registry lookup path (non-local identifier) with 10s timeout
+        const checkPromise = (0, index_1.checkSkill)(skill, {
             skipDnsVerification: options.offline,
         });
+        const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error(`Timed out verifying "${skill}" (10s). The publisher may not exist or DNS is unreachable.\n` +
+            `Try: ${CLI_PREFIX.replace(' scan', '')} check ${skill} --offline`)), 10000));
+        const result = await Promise.race([checkPromise, timeoutPromise]);
         if (options.json) {
             writeJsonStdout(result);
             return;
@@ -1797,8 +1807,8 @@ Examples:
     .option('-b, --benchmark <name>', 'Run benchmark compliance check (e.g., oasb-1)')
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
-    .option('--deep', 'Maximum analysis: static + NanoMind + behavioral simulation + adaptive attacks (~30s per artifact)')
-    .option('--static-only', 'Disable NanoMind and simulation (static checks only, fast, deterministic)')
+    .option('--deep', 'Maximum analysis: static + semantic + behavioral simulation + adaptive attacks (~30s per file)')
+    .option('--static-only', 'Disable semantic analysis and simulation (static checks only, fast, deterministic)')
     .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ simulation)', 'standard')
     .option('--ci-publish', 'Submit scan results to registry CI endpoint (requires CI_SCAN_HMAC_SECRET env)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
@@ -1898,14 +1908,13 @@ Examples:
                 // Static only -- no extra output
             }
             else if (nanomindAvailable && isDeep) {
-                console.log(`Analysis: static + NanoMind + behavioral simulation + adaptive attacks\n`);
+                console.log(`Analysis: static + semantic + behavioral simulation + adaptive attacks\n`);
             }
             else if (nanomindAvailable) {
-                console.log(`Analysis: static + NanoMind (enhanced accuracy)\n`);
+                console.log(`Analysis: static + semantic (ML-enhanced accuracy)\n`);
             }
             else if (isDeep) {
                 console.log(`Analysis: static + behavioral simulation\n`);
-                console.log(`  Tip: Install NanoMind for even better results: nanomind-daemon start\n`);
             }
             // Default static-only: no message needed, it's the baseline
         }
@@ -2068,14 +2077,14 @@ Examples:
                     printBenchmarkReport(benchmarkResult, options.verbose ?? false);
                     output = '';
             }
-            // Write output
+            // Write output (use writeLargeStdout to avoid 64KB pipe truncation)
             if (output) {
                 if (options.output) {
                     require('fs').writeFileSync(options.output, output);
                     console.error(`Report written to ${options.output}`);
                 }
                 else {
-                    console.log(output);
+                    writeLargeStdout(output + '\n');
                 }
             }
             // Check fail threshold
@@ -2139,7 +2148,7 @@ Examples:
                 console.error(`Report written to ${options.output}`);
             }
             else {
-                console.log(output);
+                writeLargeStdout(output + '\n');
             }
             const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
             if (critHigh.length > 0)
@@ -2298,10 +2307,10 @@ Examples:
                 console.log(`\n  ${colors.yellow}${unverifiedCount} fix${unverifiedCount === 1 ? '' : 'es'} could not be verified. Review these manually.${RESET()}`);
             }
             console.log();
-            // Remaining fixable issues
-            const remainingFixable = issues.filter((f) => f.fixable && !f.fixed);
-            if (remainingFixable.length > 0) {
-                console.log(`${colors.yellow}${remainingFixable.length} more issue${remainingFixable.length === 1 ? '' : 's'} can be auto-fixed.${RESET()} Run \`${CLI_PREFIX} secure --fix\` again.\n`);
+            // Remaining issues with fix guidance (not yet auto-fixed)
+            const remainingWithFix = issues.filter((f) => !f.fixed && (f.fix || f.fixable));
+            if (remainingWithFix.length > 0) {
+                console.log(`${remainingWithFix.length} remaining issue${remainingWithFix.length === 1 ? '' : 's'} ${remainingWithFix.length === 1 ? 'has' : 'have'} fix guidance. Run \`${CLI_PREFIX} fix-all\` to apply all available fixes.\n`);
             }
             if (result.backupPath) {
                 console.log(`${colors.yellow}Backup created:${RESET()} ${result.backupPath}`);
@@ -2947,6 +2956,18 @@ Examples:
     .option('-v, --verbose', 'Show detailed finding information')
     .action(async (target, options) => {
     try {
+        // Detect local path confusion: user probably wants 'secure' not 'scan'
+        const fs = require('fs');
+        if (fs.existsSync(target) && (target === '.' || target.startsWith('./') || target.startsWith('/') || target.startsWith('..'))) {
+            const secureCmd = CLI_PREFIX.includes('scan')
+                ? CLI_PREFIX.replace('scan', 'secure')
+                : `${CLI_PREFIX} secure`;
+            console.error(`\n"scan" is for external targets (hostnames/IPs).` +
+                `\nTo scan a local project, use:\n` +
+                `\n  ${secureCmd} ${target}` +
+                `\n`);
+            process.exit(1);
+        }
         const timeoutMs = parseInt(options.timeout ?? '5000', 10);
         const customPorts = options.ports
             ? options.ports.split(',').map((p) => parseInt(p.trim(), 10))
@@ -3240,14 +3261,14 @@ Examples:
                 printAttackReport(report, options.verbose ?? false);
                 output = '';
         }
-        // Write output
+        // Write output (use writeLargeStdout to avoid 64KB pipe truncation)
         if (output) {
             if (options.output) {
                 require('fs').writeFileSync(options.output, output);
                 console.error(`Report written to ${options.output}`);
             }
             else {
-                console.log(output);
+                writeLargeStdout(output + '\n');
             }
         }
         // Registry reporting: only when explicitly requested via --version-id (CI) or --registry-report
@@ -3502,6 +3523,9 @@ function generateAttackHtmlReport(report) {
         'context-window': 'CTX',
         'supply-chain': 'SUP',
         'tool-shadow': 'SHADOW',
+        'parser-differential': 'PARSE',
+        'persistent-agent': 'PERSIST',
+        'fake-tool': 'FAKETOOL',
     };
     // Donut chart for attack results
     const donutRadius = 60;
@@ -4574,8 +4598,8 @@ Examples:
     .option('--tier <tier>', 'Override agent tier detection (BASIC, TOOL-USING, AGENTIC, MULTI-AGENT)')
     .option('--profile <profile>', 'Override agent profile (conversational, code-assistant, tool-agent, autonomous, orchestrator, custom)')
     .option('--fail-below <score>', 'Exit 1 if score below threshold (0-100)')
-    .option('--deep', 'Maximum analysis: NanoMind + SOUL governance simulation (~15s)')
-    .option('--static-only', 'Disable NanoMind (static governance checks only)')
+    .option('--deep', 'Maximum analysis: semantic + SOUL governance simulation (~15s)')
+    .option('--static-only', 'Disable semantic analysis (static governance checks only)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
     .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
     .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
@@ -4647,7 +4671,7 @@ Examples:
         process.stdout.write('\nOASB v2 Behavioral Governance Scan\n');
         process.stdout.write('----------------------------------------------------\n');
         if (options.deep) {
-            process.stdout.write(`Analysis: static + NanoMind semantic (deep)\n`);
+            process.stdout.write(`Analysis: static + semantic (ML-enhanced deep scan)\n`);
         }
         process.stdout.write('\n');
         if (result.file) {
@@ -4713,7 +4737,7 @@ Examples:
             }
             else if (result.deepAnalysisResults && result.deepAnalysisResults.length > 0) {
                 const llmUpgraded = result.deepAnalysisResults.filter((e) => e.llmPassed).length;
-                process.stdout.write(`Deep Analysis: ${llmUpgraded} control${llmUpgraded === 1 ? '' : 's'} upgraded by NanoMind semantic analysis\n`);
+                process.stdout.write(`Deep Analysis: ${llmUpgraded} control${llmUpgraded === 1 ? '' : 's'} upgraded by ML semantic analysis\n`);
             }
             else {
                 process.stdout.write(`Deep Analysis: all controls passed, no further analysis needed\n`);
@@ -5310,7 +5334,7 @@ program
 program
     .command('explain')
     .argument('<findingId>', 'Finding ID to explain (e.g., SKILL-SEMANTIC-007 or CRED-001)')
-    .description('Explain a security finding in plain English using NanoMind')
+    .description('Explain a security finding in plain English')
     .action(async (findingId) => {
     console.log(`Explaining finding: ${findingId}\n`);
     // Try NanoMind daemon first for dynamic explanation
@@ -5474,7 +5498,7 @@ Examples:
                 process.stderr.write(`Report written to ${options.output}\n`);
             }
             else {
-                console.log(output);
+                writeLargeStdout(output + '\n');
             }
         }
         else {
@@ -5486,7 +5510,7 @@ Examples:
             }
         }
         // Exit with non-zero if resilience is poor
-        if (report.resilienceRating === 'critical' || report.resilienceRating === 'poor') {
+        if (report.resilienceRating === 'critical' || report.resilienceRating === 'needs-attention') {
             process.exit(1);
         }
     }
@@ -5539,6 +5563,153 @@ function printWildReport(report) {
     console.log(`page content through an LLM. For static config scanning, use:${colors.reset}`);
     console.log(`  ${colors.cyan}npx hackmyagent secure${colors.reset}`);
 }
+// pull-stubs: fetch pending HMA check stubs from the registry
+program
+    .command('pull-stubs')
+    .description(`Fetch pending HMA check stubs from the registry for review.
+
+The ARIA pipeline discovers new attack patterns and creates stub definitions
+for checks that HMA doesn't yet implement. This command pulls those stubs
+so you can review, refine, and integrate them.
+
+Requires INTERNAL_API_KEY environment variable for registry authentication.
+
+Examples:
+  $ ${CLI_PREFIX} pull-stubs
+  $ ${CLI_PREFIX} pull-stubs --status review
+  $ ${CLI_PREFIX} pull-stubs --json`)
+    .option('--status <status>', 'Filter by stub status (draft, review, integrated, rejected)', 'draft')
+    .option('--registry-url <url>', 'Registry base URL', validateRegistryUrl(process.env.REGISTRY_URL || 'https://api.oa2a.org'))
+    .option('--json', 'Output raw JSON instead of formatted table')
+    .action(async (opts) => {
+    const validStatuses = ['draft', 'review', 'integrated', 'rejected'];
+    if (!validStatuses.includes(opts.status)) {
+        process.stderr.write(`Error: --status must be one of: ${validStatuses.join(', ')}\n`);
+        process.stderr.write(`  Got: ${opts.status}\n`);
+        process.exit(1);
+    }
+    const apiKey = process.env.INTERNAL_API_KEY;
+    if (!apiKey) {
+        process.stderr.write('Error: INTERNAL_API_KEY environment variable is not set.\n');
+        process.stderr.write('\nThis command requires registry authentication.\n');
+        process.stderr.write('Set the variable and retry:\n');
+        process.stderr.write('  export INTERNAL_API_KEY=<your-key>\n');
+        process.stderr.write(`  ${CLI_PREFIX} pull-stubs\n`);
+        process.exit(1);
+    }
+    const registryUrl = validateRegistryUrl(opts.registryUrl).replace(/\/+$/, '');
+    const endpoint = `${registryUrl}/internal/aria/hma-stubs`;
+    let responseData;
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 15000);
+        const res = await fetch(endpoint, {
+            headers: {
+                'Authorization': `Bearer ${apiKey}`,
+                'Accept': 'application/json',
+            },
+            signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            process.stderr.write(`Error: Registry returned ${res.status} ${res.statusText}\n`);
+            if (res.status === 401 || res.status === 403) {
+                process.stderr.write('  Your INTERNAL_API_KEY may be invalid or expired.\n');
+            }
+            if (body)
+                process.stderr.write(`  ${body.slice(0, 200)}\n`);
+            process.exit(1);
+        }
+        responseData = await res.json();
+    }
+    catch (err) {
+        if (err instanceof Error && err.name === 'AbortError') {
+            process.stderr.write(`Error: Registry request timed out after 15s.\n`);
+            process.stderr.write(`  URL: ${endpoint}\n`);
+            process.stderr.write(`  Check your network connection and registry URL.\n`);
+        }
+        else {
+            process.stderr.write(`Error: Could not reach the registry.\n`);
+            process.stderr.write(`  URL: ${endpoint}\n`);
+            process.stderr.write(`  ${err instanceof Error ? err.message : String(err)}\n`);
+        }
+        process.exit(1);
+    }
+    // Filter by status
+    const stubs = responseData.stubs.filter(s => s.status === opts.status);
+    if (stubs.length === 0) {
+        if (opts.json) {
+            writeJsonStdout({ stubs: [], total: responseData.total, filtered: 0, status: opts.status });
+        }
+        else {
+            console.log(`No stubs with status "${opts.status}" found.`);
+            if (responseData.total > 0) {
+                console.log(`  Registry has ${responseData.total} total stub(s). Try a different --status filter.`);
+            }
+        }
+        return;
+    }
+    // JSON output mode
+    if (opts.json) {
+        writeJsonStdout({ stubs, total: responseData.total, filtered: stubs.length, status: opts.status });
+        return;
+    }
+    // Formatted output
+    const severityColor = {
+        critical: colors.brightRed,
+        high: colors.red,
+        medium: colors.yellow,
+        low: colors.cyan,
+        info: colors.dim,
+    };
+    console.log(`\nHMA Check Stubs (status: ${opts.status})\n`);
+    for (const stub of stubs) {
+        const sc = severityColor[stub.severity?.toLowerCase()] || '';
+        console.log(`${'='.repeat(60)}`);
+        console.log(`  Check ID:   ${stub.checkId}`);
+        console.log(`  Series:     ${stub.series}`);
+        console.log(`  Name:       ${stub.name}`);
+        console.log(`  Severity:   ${sc}${stub.severity}${colors.reset}`);
+        console.log(`  ARIA ID:    ${stub.ariaFindingId}`);
+        console.log(`  Status:     ${stub.status}`);
+        if (stub.description) {
+            console.log(`  Description: ${stub.description}`);
+        }
+        if (stub.detectionLogic) {
+            console.log(`  Detection logic:`);
+            for (const line of stub.detectionLogic.split('\n')) {
+                console.log(`    ${line}`);
+            }
+        }
+        console.log('');
+    }
+    // Summary
+    console.log('='.repeat(60));
+    console.log(`\nSummary`);
+    console.log(`  Total in registry:  ${responseData.total}`);
+    console.log(`  Matching "${opts.status}":  ${stubs.length}`);
+    // By series
+    const bySeries = {};
+    for (const s of stubs) {
+        bySeries[s.series] = (bySeries[s.series] || 0) + 1;
+    }
+    console.log(`\n  By series:`);
+    for (const [series, count] of Object.entries(bySeries).sort((a, b) => b[1] - a[1])) {
+        console.log(`    ${series}: ${count}`);
+    }
+    // By severity
+    const bySeverity = {};
+    for (const s of stubs) {
+        bySeverity[s.severity] = (bySeverity[s.severity] || 0) + 1;
+    }
+    console.log(`\n  By severity:`);
+    for (const [sev, count] of Object.entries(bySeverity).sort((a, b) => b[1] - a[1])) {
+        const sc = severityColor[sev?.toLowerCase()] || '';
+        console.log(`    ${sc}${sev}${colors.reset}: ${count}`);
+    }
+    console.log('');
+});
 // create-skill: generate best-practice, secured skills from plain English
 program
     .command('create-skill')
@@ -5585,6 +5756,12 @@ program
     catch {
         // Integrity check itself failed -- continue (don't block on missing manifest in dev)
     }
+    // Global --ci flag: strip from argv so individual commands don't reject it.
+    // Any command can check globalCiMode to adjust behavior.
+    if (process.argv.includes('--ci')) {
+        globalCiMode = true;
+        process.argv = process.argv.filter(a => a !== '--ci');
+    }
     if (process.argv.length <= 2) {
         program.outputHelp();
         process.exit(0);