hackmyagent 0.17.0 → 0.17.2

package/dist/cli.js

@@ -267,9 +267,23 @@ Examples:
             return;
         }
         // npm package name: download, run full HMA scan, clean up
+        // On npm 404, fall through to skill check (skill identifiers look like @scope/name)
         if (looksLikeNpmPackage(skill)) {
-            await checkNpmPackage(skill, options);
-            return;
+            try {
+                await checkNpmPackage(skill, options);
+                return;
+            }
+            catch (npmErr) {
+                if (npmErr instanceof Error && npmErr.name === 'NpmNotFoundError') {
+                    // Not on npm — fall through to skill check
+                    if (!options.json && !globalCiMode) {
+                        console.error(`Package "${skill}" not found on npm. Trying as skill identifier...`);
+                    }
+                }
+                else {
+                    throw npmErr; // Re-throw non-404 errors
+                }
+            }
         }
         // --rescan only applies to targets that otherwise hit the registry cache.
         // For skill identifiers we fall through to the registry lookup below.
@@ -494,22 +508,10 @@ function displayUnifiedCheck(opts) {
             guidance: f.guidance,
             attackClass: f.attackClass,
         }));
-        // Score governance-only scans more fairly — governance gaps aren't code vulns
-        const hasCodeFindings = issues.some(f => {
-            const cat = (f.category || '').toLowerCase();
-            const id = f.checkId || '';
-            return cat !== 'governance' && cat !== 'injection-hardening' && cat !== 'trust-hierarchy'
-                && !id.startsWith('AST-GOV') && !id.startsWith('AST-GOVERN')
-                && !id.startsWith('AST-PROMPT') && !id.startsWith('AST-HEARTBEAT');
-        });
-        if (hasCodeFindings) {
-            score = critical > 0 ? Math.max(10, 100 - critical * 20 - high * 10 - medium * 5) : high > 0 ? Math.max(30, 100 - high * 10 - medium * 5) : Math.max(50, 100 - medium * 5 - low * 2);
-        }
-        else {
-            // Governance-only: floor at 25, each finding costs less
-            score = Math.max(25, 100 - critical * 8 - high * 5 - medium * 3 - low * 1);
-        }
-        maxScore = 100;
+        // Use the canonical scoring formula (exponential decay + 0.4x governance weight)
+        const scoreResult = (0, index_1.calculateSecurityScore)(issues);
+        score = scoreResult.score;
+        maxScore = scoreResult.maxScore;
     }
     else if (registry?.found) {
         score = Math.round(registry.trustScore * 100);
@@ -2266,6 +2268,7 @@ Examples:
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
     .option('--deep', 'Maximum analysis: static + semantic + behavioral simulation + adaptive attacks (~30s per file)')
+    .option('--analm', 'AI-powered threat analysis using AnaLM (requires analm setup)')
     .option('--static-only', 'Disable semantic analysis and simulation (static checks only, fast, deterministic)')
     .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ simulation)', 'standard')
     .option('--ci-publish', 'Submit scan results to registry CI endpoint (requires CI_SCAN_HMAC_SECRET env)')
@@ -2358,7 +2361,7 @@ Examples:
             catch { /* daemon not installed */ }
         }
         const onProgress = format === 'text'
-            ? (msg) => process.stdout.write(msg)
+            ? (msg) => process.stdout.write(msg.endsWith('\n') ? msg : msg + '\n')
             : undefined;
         // Show analysis mode to user
         if (format === 'text') {
@@ -2394,15 +2397,16 @@ Examples:
         const scanDurationMs = Date.now() - scanStartMs;
         // NanoMind Semantic Compiler: AST-based analysis runs alongside static checks
         // Defense-in-depth: static findings can NEVER be suppressed, only upgraded
+        const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
+        const existingFindings = result.allFindings || result.findings || [];
+        const nmResult = await orchestrateNanoMind(targetDir, existingFindings, {
+            staticOnly: isStaticOnly,
+            ci: options.ci,
+            deep: isDeep,
+            analm: options.analm,
+            silent: format !== 'text',
+        });
         {
-            const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
-            const existingFindings = result.allFindings || result.findings || [];
-            const nmResult = await orchestrateNanoMind(targetDir, existingFindings, {
-                staticOnly: isStaticOnly,
-                ci: options.ci,
-                deep: isDeep,
-                silent: format !== 'text',
-            });
             // Re-apply all filters after NanoMind merge (merge uses allFindings which is unfiltered)
             const refiltered = await scanner.reapplyIgnoreFilters(nmResult.mergedFindings, targetDir);
             if (result.allFindings) {
@@ -2591,7 +2595,10 @@ Examples:
                     publishStatus = { success: false, error: msg };
                 }
             }
-            const jsonOutput = publishStatus ? { ...result, publish: publishStatus } : result;
+            const jsonBase = nmResult.analystFindings?.length
+                ? { ...result, analystFindings: nmResult.analystFindings }
+                : result;
+            const jsonOutput = publishStatus ? { ...jsonBase, publish: publishStatus } : jsonBase;
             if (options.output) {
                 require('fs').writeFileSync(options.output, JSON.stringify(jsonOutput, null, 2) + '\n');
                 console.error(`Report written to ${options.output}`);
@@ -2746,6 +2753,42 @@ Examples:
             if (summaryParts.length > 0) {
                 console.log(`${summaryParts.join(' | ')}\n`);
             }
+            // Analyst findings (--analyze)
+            if (nmResult.analystFindings && nmResult.analystFindings.length > 0) {
+                console.log(`${colors.cyan}--- AnaLM Analysis ---${RESET()}\n`);
+                for (const af of nmResult.analystFindings) {
+                    const r = af.result;
+                    if (af.taskType === 'threatAnalysis') {
+                        const level = String(r.threatLevel ?? 'unknown').toUpperCase();
+                        const levelColor = level === 'CRITICAL' || level === 'HIGH' ? colors.red : level === 'MEDIUM' ? colors.yellow : colors.dim;
+                        console.log(`  ${levelColor}${level}${RESET()}  ${r.attackVector ?? ''}`);
+                        if (r.description)
+                            console.log(`       ${r.description}`);
+                        if (Array.isArray(r.mitigations) && r.mitigations.length > 0) {
+                            for (const m of r.mitigations) {
+                                console.log(`       ${colors.cyan}Fix:${RESET()} ${m}`);
+                            }
+                        }
+                    }
+                    else if (af.taskType === 'credentialContextClassification') {
+                        const cls = String(r.classification ?? 'unknown');
+                        const clsColor = cls === 'real' ? colors.red : cls === 'test' || cls === 'example' ? colors.green : colors.yellow;
+                        console.log(`  Credential: ${clsColor}${cls}${RESET()}`);
+                        if (r.reasoning)
+                            console.log(`       ${r.reasoning}`);
+                    }
+                    else {
+                        // Generic display for other task types
+                        console.log(`  ${af.taskType}: ${JSON.stringify(r)}`);
+                    }
+                    console.log(`       ${colors.dim}Confidence: ${Math.round(af.confidence * 100)}% | ${af.modelVersion} (${af.durationMs}ms)${RESET()}`);
+                    console.log();
+                }
+            }
+            // Analyst hint (shown when model is available but --analyze not used)
+            if (nmResult.analystHint && issues.length > 0) {
+                console.log(`${colors.dim}Tip: ${nmResult.analystHint}${RESET()}\n`);
+            }
             // Dry-run summary
             if (result.dryRun) {
                 const wouldFixCount = issues.filter((f) => f.wouldFix).length;
@@ -2796,7 +2839,8 @@ Examples:
                         console.error('Error: --registry-key or REGISTRY_API_KEY env is required when using --version-id');
                         process.exit(1);
                     }
-                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey });
+                    const atcToken = process.env.ATC_TOKEN;
+                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey, atcToken });
                     const payload = core.buildScanReport(options.versionId, result.findings);
                     await client.reportScanResult(payload);
                     console.log(`Registry: scan results reported for version ${options.versionId}`);
@@ -3240,7 +3284,7 @@ Examples:
     .argument('<target>', 'Target hostname or IP address')
     .option('--json', 'Output as JSON (for scripting/CI)')
     .option('-p, --ports <ports>', 'Comma-separated ports to scan (default: common MCP ports)')
-    .option('-t, --timeout <ms>', 'Connection timeout in milliseconds', '5000')
+    .option('-t, --timeout <ms>', 'Connection timeout in milliseconds', '2000')
     .option('-v, --verbose', 'Show detailed finding information')
     .action(async (target, options) => {
     try {
@@ -3256,11 +3300,11 @@ Examples:
                 `\n`);
             process.exit(1);
         }
-        const timeoutMs = parseInt(options.timeout ?? '5000', 10);
+        const timeoutMs = parseInt(options.timeout ?? '2000', 10);
         const customPorts = options.ports
             ? options.ports.split(',').map((p) => parseInt(p.trim(), 10))
             : undefined;
-        const portCount = customPorts?.length ?? 5;
+        const portCount = customPorts?.length ?? 2;
         if (!options.json) {
             console.log(`\nScanning ${target} (${portCount} ports, ${timeoutMs}ms timeout)...\n`);
         }
@@ -3566,7 +3610,8 @@ Examples:
                         console.error('Error: --registry-key or REGISTRY_API_KEY env is required when using --version-id');
                         process.exit(1);
                     }
-                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey });
+                    const atcToken = process.env.ATC_TOKEN;
+                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey, atcToken });
                     const payload = core.buildAttackReport(options.versionId, report);
                     await client.reportScanResult(payload);
                     console.log(`Registry: attack results reported for version ${options.versionId}`);
@@ -5575,6 +5620,28 @@ Examples:
         if (opts.json) {
             writeJsonStdout(result);
         }
+        else if (result.found) {
+            // Use the unified display (same as `check --no-scan`) for visual consistency
+            const registryData = {
+                found: true,
+                name: result.name,
+                trustScore: result.trustScore,
+                trustLevel: result.trustLevel,
+                verdict: result.verdict,
+                scanStatus: result.scanStatus,
+                lastScannedAt: result.lastScannedAt,
+                packageType: result.packageType,
+                recommendation: result.recommendation,
+                cveCount: result.cveCount,
+                communityScans: result.communityScans,
+                dependencies: result.dependencies ? {
+                    totalDeps: result.dependencies.totalDeps,
+                    vulnerableDeps: result.dependencies.vulnerableDeps,
+                    minTrustLevel: result.dependencies.minTrustLevel,
+                } : undefined,
+            };
+            displayUnifiedCheck({ name: packageName, registry: registryData, verbose: false });
+        }
         else {
             process.stdout.write(formatTrustCheck(result));
         }
@@ -5593,7 +5660,7 @@ program
     .option('-d, --directory <dir>', 'Scan a specific directory to collect check metadata from findings')
     .option('--json', 'Output as JSON (default)')
     .action(async (options) => {
-    const { getAttackClass, getTaxonomyMap } = require('./hardening/taxonomy');
+    const { getAttackClass, getTaxonomyMap, getCheckSeverity } = require('./hardening/taxonomy');
     // Build static registry from taxonomy map (covers all known checks)
     const taxMap = getTaxonomyMap();
     const metadata = {};
@@ -5605,7 +5672,7 @@ program
             name: checkId,
             category: prefix.toLowerCase(),
             attackClass: taxMap[checkId] || '',
-            severity: '',
+            severity: getCheckSeverity(checkId),
         };
     }
     // If a directory is provided, enrich with actual finding data (names, severity, etc.)
@@ -6094,6 +6161,63 @@ program
     }
     console.log(`\nYour skill is ready. Verify security with: hackmyagent secure ${outputDir}/`);
 });
+// analm: manage the AnaLM generative model
+const analmCmd = program
+    .command('analm')
+    .description('Manage the AnaLM model for AI-powered security analysis');
+analmCmd
+    .command('setup')
+    .description('Download the AnaLM model')
+    .action(async () => {
+    const { getAnalystStatus, setupAnalystModel } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/inference/security-analyst.js')));
+    const status = await getAnalystStatus();
+    console.log('AnaLM (NanoMind Security Analyst)');
+    console.log(`  Platform: ${status.platform}`);
+    console.log(`  Backend:  ${status.backend === 'none' ? 'not available' : status.backend}`);
+    console.log(`  Model:    ${status.modelCached ? 'cached' : 'not downloaded'}`);
+    console.log('');
+    if (status.backend === 'none') {
+        console.log('No supported inference backend found.');
+        if (process.platform !== 'darwin') {
+            console.log('Currently requires Apple Silicon Mac with MLX.');
+            console.log('Cross-platform support (llama.cpp/GGUF) coming soon.');
+        }
+        else {
+            console.log('Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh');
+        }
+        process.exit(1);
+    }
+    if (status.modelCached) {
+        console.log('Model already downloaded. Use --analm with any scan command.');
+        return;
+    }
+    const ok = await setupAnalystModel(false);
+    if (!ok)
+        process.exit(1);
+});
+analmCmd
+    .command('status')
+    .description('Check the status of AnaLM model and runtime')
+    .action(async () => {
+    const { getAnalystStatus } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/inference/security-analyst.js')));
+    const status = await getAnalystStatus();
+    console.log('AnaLM (NanoMind Security Analyst)');
+    console.log(`  Platform:  ${status.platform}`);
+    console.log(`  Backend:   ${status.backend === 'none' ? `${colors.red}not available${RESET()}` : `${colors.green}${status.backend}${RESET()}`}`);
+    console.log(`  Model:     ${status.modelCached ? `${colors.green}cached${RESET()}` : `${colors.yellow}not downloaded${RESET()}`}`);
+    console.log(`  Ready:     ${status.available ? `${colors.green}yes${RESET()}` : `${colors.yellow}no${RESET()}`}`);
+    console.log('');
+    if (status.available) {
+        console.log('Use --analm with any scan command for AI-powered analysis.');
+        console.log(`  Example: hackmyagent secure ./my-agent --analm`);
+    }
+    else if (status.backend !== 'none') {
+        console.log(`Run: hackmyagent analm setup`);
+    }
+    else if (process.platform !== 'darwin') {
+        console.log('Cross-platform support (llama.cpp/GGUF) coming soon.');
+    }
+});
 // ============================================================================
 // npm package scanning helpers (used by `check <package>`)
 // ============================================================================
@@ -6438,6 +6562,9 @@ const AI_TOOLING_PATH_PATTERNS = [
     /^\.aider/,
     /^\.copilot\//,
     /^\.github\/copilot/,
+    /\.env\.example$/i, // Example env files are not real credentials
+    /\.env\.sample$/i,
+    /\.env\.template$/i,
 ];
 /** Governance-related categories/checkId prefixes that are noise on AI tooling files */
 const GOVERNANCE_CATEGORIES = new Set([
@@ -6473,13 +6600,12 @@ function filterLocalOnlyFindings(result, scanner) {
         // Remove local-only categories (git, permissions, env, etc.)
         if (PACKAGE_SCAN_LOCAL_ONLY_CATEGORIES.has(f.category))
             return false;
-        // Remove governance findings on AI tooling files (CLAUDE.md, .claude/, etc.)
-        if (f.file && isAiToolingFile(f.file)) {
-            if (GOVERNANCE_CATEGORIES.has(f.category))
-                return false;
-            if (GOVERNANCE_CHECK_PREFIXES.some(p => f.checkId.startsWith(p)))
-                return false;
-        }
+        // Exclude ALL findings on AI tooling files (CLAUDE.md, .claude/, .cursorrules, etc.)
+        // These files contain instructions to AI assistants, not package source code.
+        // Credential patterns, injection patterns, and governance findings in these
+        // files are false positives — they describe security practices, not vulnerabilities.
+        if (f.file && isAiToolingFile(f.file))
+            return false;
         return true;
     });
     // Demote test file findings to low severity (test code patterns are
@@ -7054,7 +7180,35 @@ async function checkNpmPackage(name, options) {
         const { stdout } = await execAsync('npm', ['pack', name, '--pack-destination', tempDir], { timeout: 60000 });
         const tarball = stdout.trim().split('\n').pop();
         await execAsync('tar', ['xzf', join(tempDir, tarball), '-C', tempDir], { timeout: 30000 });
-        const packageDir = join(tempDir, 'package');
+        // npm tarballs normally extract to 'package/', but some packages (e.g. @types/*)
+        // may use a different directory name. Detect the actual extracted directory.
+        const { readdir, stat } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
+        let packageDir = join(tempDir, 'package');
+        try {
+            await stat(packageDir);
+        }
+        catch {
+            // 'package/' doesn't exist — find the extracted directory (skip the .tgz file)
+            const entries = await readdir(tempDir);
+            const dirs = [];
+            for (const entry of entries) {
+                if (entry.endsWith('.tgz') || entry.endsWith('.tar.gz'))
+                    continue;
+                const s = await stat(join(tempDir, entry));
+                if (s.isDirectory())
+                    dirs.push(entry);
+            }
+            if (dirs.length === 1) {
+                packageDir = join(tempDir, dirs[0]);
+            }
+            else if (dirs.length === 0) {
+                throw new Error(`Tarball extraction produced no directory in ${tempDir}`);
+            }
+            else {
+                // Multiple dirs — pick the first non-hidden one
+                packageDir = join(tempDir, dirs.find(d => !d.startsWith('.')) || dirs[0]);
+            }
+        }
         // Run full HMA scan + NanoMind (same pipeline as `secure`)
         const scanner = new index_1.HardeningScanner();
         const result = await scanner.scan({ targetDir: packageDir, autoFix: false });
@@ -7137,21 +7291,10 @@ async function checkNpmPackage(name, options) {
         const message = err instanceof Error ? err.message : String(err);
         // Clean npm error messages
         if (message.includes('404') || message.includes('Not Found')) {
-            console.error(`Error: Package "${name}" not found on npm.`);
-            // Suggest similar packages via npm registry search
-            try {
-                const suggestions = await suggestSimilarPackages(name);
-                if (suggestions.length > 0) {
-                    console.error(`\nDid you mean?`);
-                    for (const s of suggestions) {
-                        console.error(`  ${s}`);
-                    }
-                    console.error();
-                }
-            }
-            catch {
-                // Search failed — just show the original error
-            }
+            // Throw a typed error so the router can fall through to skill check
+            const notFound = new Error(`NPM_NOT_FOUND:${name}`);
+            notFound.name = 'NpmNotFoundError';
+            throw notFound;
         }
         else {
             console.error(`Error: ${message}`);