hackmyagent 0.17.1 → 0.17.2

package/dist/cli.js

@@ -2268,6 +2268,7 @@ Examples:
     .option('-l, --level <level>', 'Benchmark level: L1 (Essential), L2 (Standard), L3 (Hardened)', 'L1')
     .option('-c, --category <name>', 'Filter to specific benchmark category')
     .option('--deep', 'Maximum analysis: static + semantic + behavioral simulation + adaptive attacks (~30s per file)')
+    .option('--analm', 'AI-powered threat analysis using AnaLM (requires analm setup)')
     .option('--static-only', 'Disable semantic analysis and simulation (static checks only, fast, deterministic)')
     .option('--scan-depth <depth>', 'CAAT scan depth: quick (config+creds only), standard (default), deep (+ simulation)', 'standard')
     .option('--ci-publish', 'Submit scan results to registry CI endpoint (requires CI_SCAN_HMAC_SECRET env)')
@@ -2360,7 +2361,7 @@ Examples:
             catch { /* daemon not installed */ }
         }
         const onProgress = format === 'text'
-            ? (msg) => process.stdout.write(msg)
+            ? (msg) => process.stdout.write(msg.endsWith('\n') ? msg : msg + '\n')
             : undefined;
         // Show analysis mode to user
         if (format === 'text') {
@@ -2396,15 +2397,16 @@ Examples:
         const scanDurationMs = Date.now() - scanStartMs;
         // NanoMind Semantic Compiler: AST-based analysis runs alongside static checks
         // Defense-in-depth: static findings can NEVER be suppressed, only upgraded
+        const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
+        const existingFindings = result.allFindings || result.findings || [];
+        const nmResult = await orchestrateNanoMind(targetDir, existingFindings, {
+            staticOnly: isStaticOnly,
+            ci: options.ci,
+            deep: isDeep,
+            analm: options.analm,
+            silent: format !== 'text',
+        });
         {
-            const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
-            const existingFindings = result.allFindings || result.findings || [];
-            const nmResult = await orchestrateNanoMind(targetDir, existingFindings, {
-                staticOnly: isStaticOnly,
-                ci: options.ci,
-                deep: isDeep,
-                silent: format !== 'text',
-            });
             // Re-apply all filters after NanoMind merge (merge uses allFindings which is unfiltered)
             const refiltered = await scanner.reapplyIgnoreFilters(nmResult.mergedFindings, targetDir);
             if (result.allFindings) {
@@ -2593,7 +2595,10 @@ Examples:
                     publishStatus = { success: false, error: msg };
                 }
             }
-            const jsonOutput = publishStatus ? { ...result, publish: publishStatus } : result;
+            const jsonBase = nmResult.analystFindings?.length
+                ? { ...result, analystFindings: nmResult.analystFindings }
+                : result;
+            const jsonOutput = publishStatus ? { ...jsonBase, publish: publishStatus } : jsonBase;
             if (options.output) {
                 require('fs').writeFileSync(options.output, JSON.stringify(jsonOutput, null, 2) + '\n');
                 console.error(`Report written to ${options.output}`);
@@ -2748,6 +2753,42 @@ Examples:
             if (summaryParts.length > 0) {
                 console.log(`${summaryParts.join(' | ')}\n`);
             }
+            // Analyst findings (--analyze)
+            if (nmResult.analystFindings && nmResult.analystFindings.length > 0) {
+                console.log(`${colors.cyan}--- AnaLM Analysis ---${RESET()}\n`);
+                for (const af of nmResult.analystFindings) {
+                    const r = af.result;
+                    if (af.taskType === 'threatAnalysis') {
+                        const level = String(r.threatLevel ?? 'unknown').toUpperCase();
+                        const levelColor = level === 'CRITICAL' || level === 'HIGH' ? colors.red : level === 'MEDIUM' ? colors.yellow : colors.dim;
+                        console.log(`  ${levelColor}${level}${RESET()}  ${r.attackVector ?? ''}`);
+                        if (r.description)
+                            console.log(`       ${r.description}`);
+                        if (Array.isArray(r.mitigations) && r.mitigations.length > 0) {
+                            for (const m of r.mitigations) {
+                                console.log(`       ${colors.cyan}Fix:${RESET()} ${m}`);
+                            }
+                        }
+                    }
+                    else if (af.taskType === 'credentialContextClassification') {
+                        const cls = String(r.classification ?? 'unknown');
+                        const clsColor = cls === 'real' ? colors.red : cls === 'test' || cls === 'example' ? colors.green : colors.yellow;
+                        console.log(`  Credential: ${clsColor}${cls}${RESET()}`);
+                        if (r.reasoning)
+                            console.log(`       ${r.reasoning}`);
+                    }
+                    else {
+                        // Generic display for other task types
+                        console.log(`  ${af.taskType}: ${JSON.stringify(r)}`);
+                    }
+                    console.log(`       ${colors.dim}Confidence: ${Math.round(af.confidence * 100)}% | ${af.modelVersion} (${af.durationMs}ms)${RESET()}`);
+                    console.log();
+                }
+            }
+            // Analyst hint (shown when model is available but --analyze not used)
+            if (nmResult.analystHint && issues.length > 0) {
+                console.log(`${colors.dim}Tip: ${nmResult.analystHint}${RESET()}\n`);
+            }
             // Dry-run summary
             if (result.dryRun) {
                 const wouldFixCount = issues.filter((f) => f.wouldFix).length;
@@ -2798,7 +2839,8 @@ Examples:
                         console.error('Error: --registry-key or REGISTRY_API_KEY env is required when using --version-id');
                         process.exit(1);
                     }
-                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey });
+                    const atcToken = process.env.ATC_TOKEN;
+                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey, atcToken });
                     const payload = core.buildScanReport(options.versionId, result.findings);
                     await client.reportScanResult(payload);
                     console.log(`Registry: scan results reported for version ${options.versionId}`);
@@ -3568,7 +3610,8 @@ Examples:
                         console.error('Error: --registry-key or REGISTRY_API_KEY env is required when using --version-id');
                         process.exit(1);
                     }
-                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey });
+                    const atcToken = process.env.ATC_TOKEN;
+                    const client = new core.RegistryClient({ registryUrl, apiKey: registryKey, atcToken });
                     const payload = core.buildAttackReport(options.versionId, report);
                     await client.reportScanResult(payload);
                     console.log(`Registry: attack results reported for version ${options.versionId}`);
@@ -6118,6 +6161,63 @@ program
     }
     console.log(`\nYour skill is ready. Verify security with: hackmyagent secure ${outputDir}/`);
 });
+// analm: manage the AnaLM generative model
+const analmCmd = program
+    .command('analm')
+    .description('Manage the AnaLM model for AI-powered security analysis');
+analmCmd
+    .command('setup')
+    .description('Download the AnaLM model')
+    .action(async () => {
+    const { getAnalystStatus, setupAnalystModel } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/inference/security-analyst.js')));
+    const status = await getAnalystStatus();
+    console.log('AnaLM (NanoMind Security Analyst)');
+    console.log(`  Platform: ${status.platform}`);
+    console.log(`  Backend:  ${status.backend === 'none' ? 'not available' : status.backend}`);
+    console.log(`  Model:    ${status.modelCached ? 'cached' : 'not downloaded'}`);
+    console.log('');
+    if (status.backend === 'none') {
+        console.log('No supported inference backend found.');
+        if (process.platform !== 'darwin') {
+            console.log('Currently requires Apple Silicon Mac with MLX.');
+            console.log('Cross-platform support (llama.cpp/GGUF) coming soon.');
+        }
+        else {
+            console.log('Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh');
+        }
+        process.exit(1);
+    }
+    if (status.modelCached) {
+        console.log('Model already downloaded. Use --analm with any scan command.');
+        return;
+    }
+    const ok = await setupAnalystModel(false);
+    if (!ok)
+        process.exit(1);
+});
+analmCmd
+    .command('status')
+    .description('Check the status of AnaLM model and runtime')
+    .action(async () => {
+    const { getAnalystStatus } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/inference/security-analyst.js')));
+    const status = await getAnalystStatus();
+    console.log('AnaLM (NanoMind Security Analyst)');
+    console.log(`  Platform:  ${status.platform}`);
+    console.log(`  Backend:   ${status.backend === 'none' ? `${colors.red}not available${RESET()}` : `${colors.green}${status.backend}${RESET()}`}`);
+    console.log(`  Model:     ${status.modelCached ? `${colors.green}cached${RESET()}` : `${colors.yellow}not downloaded${RESET()}`}`);
+    console.log(`  Ready:     ${status.available ? `${colors.green}yes${RESET()}` : `${colors.yellow}no${RESET()}`}`);
+    console.log('');
+    if (status.available) {
+        console.log('Use --analm with any scan command for AI-powered analysis.');
+        console.log(`  Example: hackmyagent secure ./my-agent --analm`);
+    }
+    else if (status.backend !== 'none') {
+        console.log(`Run: hackmyagent analm setup`);
+    }
+    else if (process.platform !== 'darwin') {
+        console.log('Cross-platform support (llama.cpp/GGUF) coming soon.');
+    }
+});
 // ============================================================================
 // npm package scanning helpers (used by `check <package>`)
 // ============================================================================