hackmyagent 0.17.7 → 0.17.9

package/dist/cli.js

@@ -221,7 +221,15 @@ Examples:
             const targetDir = statSync(resolved).isFile() ? dirname(resolved) : resolved;
             const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
             const nmResult = await orchestrateNanoMind(targetDir, [], { silent: !!options.json, analm: options.analm });
-            const issues = nmResult.mergedFindings.filter((f) => !f.passed);
+            // Apply .hmaignore filtering (paths + check IDs)
+            const { loadHmaIgnore: loadIgnore, isPathIgnored: pathIgnored, isCheckIgnored: checkIgnored } = await Promise.resolve().then(() => __importStar(require('./hardening/scanner.js')));
+            const skillIgnoreRules = await loadIgnore(targetDir);
+            let skillFindings = nmResult.mergedFindings;
+            if (skillIgnoreRules.paths.length > 0 || skillIgnoreRules.checkIds.length > 0) {
+                skillFindings = skillFindings.filter((f) => !(f.file && pathIgnored(f.file, skillIgnoreRules.paths)) &&
+                    !checkIgnored(f.checkId, skillIgnoreRules.checkIds));
+            }
+            const issues = skillFindings.filter((f) => !f.passed);
             const critical = issues.filter((f) => f.severity === 'critical');
             const high = issues.filter((f) => f.severity === 'high');
             if (options.json) {
@@ -1876,8 +1884,8 @@ function generateScanHtmlReport(scanResult, targetDir) {
         <td>${f.fixMessage ? escapeHtml(f.fixMessage) : ''}</td>
       </tr>`).join('');
     const projectTypeLabel = {
-        cli: 'CLI Tool', library: 'Library', webapp: 'Web App', api: 'API Server',
-        mcp: 'MCP Server', openclaw: 'OpenClaw Agent', all: 'Project',
+        cli: 'CLI Tool', library: 'Library', sdk: 'SDK/API Client', webapp: 'Web App',
+        api: 'API Server', mcp: 'MCP Server', openclaw: 'OpenClaw Agent', all: 'Project',
     };
     return `<!DOCTYPE html>
 <html lang="en">
@@ -2484,6 +2492,7 @@ Examples:
             deep: isDeep,
             analm: options.analm,
             silent: format !== 'text',
+            projectType: result.projectType,
         });
         {
             // Re-apply all filters after NanoMind merge (merge uses allFindings which is unfiltered)
@@ -2498,6 +2507,7 @@ Examples:
                 result.findings = refiltered.filter((f) => !f.passed && f.file && scanner.findingAppliesTo(f, projectType));
             }
             // Recalculate score from filtered findings (score was set pre-NanoMind)
+            // findings already filtered by project type above, so just exclude passed/fixed
             const forScore = (result.findings || []).filter((f) => !f.passed && !f.fixed);
             result.score = scanner.calculateScore(forScore).score;
         }
@@ -2748,6 +2758,7 @@ Examples:
         const projectTypeLabel = {
             cli: 'CLI Tool',
             library: 'Library',
+            sdk: 'SDK/API Client',
             webapp: 'Web App',
             api: 'API Server',
             mcp: 'MCP Server',
@@ -3263,7 +3274,7 @@ Examples:
         // NanoMind semantic analysis (defense-in-depth)
         try {
             const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
-            const nmResult = await orchestrateNanoMind(targetDir, result.findings, { silent: !!options.json });
+            const nmResult = await orchestrateNanoMind(targetDir, result.findings, { silent: !!options.json, projectType: result.projectType });
             // Re-apply .hmaignore filters and recalculate score after NanoMind merge
             const hRefiltered = await scanner.reapplyIgnoreFilters(nmResult.mergedFindings, targetDir);
             result.findings = hRefiltered;
@@ -3359,6 +3370,197 @@ Examples:
         process.exit(1);
     }
 });
+function detectNemoClawDirectory(providedDir) {
+    const os = require('os');
+    const fs = require('fs');
+    const path = require('path');
+    if (providedDir && providedDir !== '') {
+        return providedDir.startsWith('/') ? providedDir : path.join(process.cwd(), providedDir);
+    }
+    const homeDir = os.homedir();
+    const candidates = [
+        path.join(homeDir, '.nemoclaw'),
+        path.join(homeDir, '.openshell'),
+        path.join(homeDir, '.openclaw'),
+    ];
+    for (const candidate of candidates) {
+        if (fs.existsSync(candidate)) {
+            return candidate;
+        }
+    }
+    return process.cwd();
+}
+function filterNemoClawFindings(findings) {
+    return findings.filter((f) => {
+        const checkId = f.checkId.toUpperCase();
+        return checkId.startsWith('HMA-NMC-');
+    });
+}
+function assessNemoClawRiskLevel(findings) {
+    const criticalCount = findings.filter((f) => f.severity === 'critical').length;
+    const highCount = findings.filter((f) => f.severity === 'high').length;
+    const mediumCount = findings.filter((f) => f.severity === 'medium').length;
+    if (criticalCount > 0) {
+        return {
+            level: 'Critical',
+            color: colors.brightRed,
+            description: `${criticalCount} critical finding(s) with recommended fixes available.`,
+        };
+    }
+    if (highCount > 0) {
+        return {
+            level: 'High',
+            color: colors.red,
+            description: `${highCount} high-severity finding(s) detected. Fixes available below.`,
+        };
+    }
+    if (mediumCount > 0) {
+        return {
+            level: 'Moderate',
+            color: colors.yellow,
+            description: 'Some findings detected. Review the recommendations below.',
+        };
+    }
+    if (findings.length === 0) {
+        return {
+            level: 'None',
+            color: colors.dim,
+            description: `No NemoClaw installation detected. Run \`${CLI_PREFIX} secure\` for a full scan.`,
+        };
+    }
+    return {
+        level: 'Low',
+        color: colors.green,
+        description: 'No critical or high findings detected.',
+    };
+}
+program
+    .command('secure-nemoclaw')
+    .description(`Security scan for NVIDIA NemoClaw installations
+
+Performs focused security checks for NemoClaw sandbox deployments:
+  - Secrets: NVIDIA API key exposure in configs, logs, Docker, shell history
+  - Network: Gateway/k3s/inference port binding, Docker socket, egress policies
+  - Skills: Blueprint integrity, skill verification, directory permissions
+  - Process: Sandbox privileges, seccomp/Landlock enforcement, root execution
+  - OpenClaw layer: Inherited misconfigs that survive NemoClaw sandboxing
+
+Auto-detects ~/.nemoclaw, ~/.openshell, or ~/.openclaw directories.
+Exit code 1 if critical/high issues found.
+
+Examples:
+  $ hackmyagent secure-nemoclaw                  Scan auto-detected directory
+  $ hackmyagent secure-nemoclaw ~/.nemoclaw      Scan specific directory
+  $ hackmyagent secure-nemoclaw --json           JSON output for CI`)
+    .argument('[directory]', 'Directory to scan (default: ~/.nemoclaw or ~/.openshell)', '')
+    .option('--json', 'Output as JSON (for scripting/CI)')
+    .option('-v, --verbose', 'Show all checks including passed ones')
+    .action(async (directory, options) => {
+    try {
+        const targetDir = detectNemoClawDirectory(directory);
+        if (!options.json) {
+            console.log(`\nNemoClaw Security Report`);
+            console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
+            console.log(`Scanning ${targetDir}...\n`);
+        }
+        const scanner = new index_1.HardeningScanner();
+        const result = await scanner.scan({ targetDir, autoFix: false });
+        const findings = result.findings;
+        // Enrich with taxonomy
+        const { enrichWithTaxonomy } = require('./hardening/taxonomy');
+        enrichWithTaxonomy(findings);
+        // NanoMind semantic analysis (defense-in-depth)
+        let mergedFindings = findings;
+        try {
+            const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
+            const nmResult = await orchestrateNanoMind(targetDir, findings, { silent: !!options.json });
+            mergedFindings = nmResult.mergedFindings;
+        }
+        catch { /* NanoMind unavailable */ }
+        // Re-apply .hmaignore filtering after NanoMind merge (paths + check IDs)
+        try {
+            const { loadHmaIgnore: loadIgnore, isPathIgnored: pathIgnored, isCheckIgnored: checkIgnored } = await Promise.resolve().then(() => __importStar(require('./hardening/scanner.js')));
+            const ncIgnoreRules = await loadIgnore(targetDir);
+            if (ncIgnoreRules.paths.length > 0 || ncIgnoreRules.checkIds.length > 0) {
+                mergedFindings = mergedFindings.filter((f) => !(f.file && pathIgnored(f.file, ncIgnoreRules.paths)) &&
+                    !checkIgnored(f.checkId, ncIgnoreRules.checkIds));
+            }
+        }
+        catch { /* ignore filter unavailable */ }
+        const issues = mergedFindings.filter((f) => !f.passed);
+        const passedFindings = mergedFindings.filter((f) => f.passed);
+        if (options.json) {
+            const jsonOutput = {
+                target: targetDir,
+                riskLevel: assessNemoClawRiskLevel(issues).level,
+                totalChecks: mergedFindings.length,
+                issues: issues.length,
+                passed: passedFindings.length,
+                findings: mergedFindings,
+            };
+            writeJsonStdout(jsonOutput);
+            return;
+        }
+        // Risk assessment
+        const risk = assessNemoClawRiskLevel(issues);
+        console.log(`Risk Level: ${risk.color}${risk.level}${RESET()}`);
+        console.log(`${risk.description}\n`);
+        // Summary stats
+        console.log(`Checks: ${findings.length} total | ${issues.length} issues | ${passedFindings.length} passed\n`);
+        // Show issues
+        if (issues.length > 0) {
+            console.log(`${colors.red}Findings:${RESET()}\n`);
+            for (const finding of issues) {
+                const display = SEVERITY_DISPLAY[finding.severity];
+                const location = finding.file
+                    ? finding.line
+                        ? `${finding.file}:${finding.line}`
+                        : finding.file
+                    : '';
+                const sevLabel = finding.severity.charAt(0).toUpperCase() + finding.severity.slice(1);
+                console.log(`${display.color()}${display.symbol} [${finding.checkId}] ${sevLabel}${RESET()}`);
+                console.log(`   ${finding.description}`);
+                if (location) {
+                    console.log(`   File: ${location}`);
+                }
+                if (finding.fix) {
+                    console.log(`   ${colors.cyan}Recommended fix:${RESET()} ${finding.fix}`);
+                }
+                console.log();
+            }
+        }
+        else {
+            console.log(`${colors.green}No NemoClaw-specific issues found.${RESET()}\n`);
+        }
+        // Show passed checks in verbose mode
+        if (options.verbose && passedFindings.length > 0) {
+            console.log(`${colors.green}Passed Checks:${RESET()}`);
+            for (const finding of passedFindings) {
+                console.log(`  ${colors.green}[ok]${RESET()} [${finding.checkId}] ${finding.name}`);
+            }
+            console.log();
+        }
+        // Shodan self-check guidance
+        if (issues.some((f) => f.category === 'network')) {
+            console.log(`${colors.yellow}Internet Exposure Check:${RESET()}`);
+            console.log(`  Check if your instance is visible on Shodan:`);
+            console.log(`  https://www.shodan.io/host/<YOUR-IP>`);
+            console.log(`  Known NemoClaw dorks: port:18789, port:6443 ssl.cert.subject.cn:"k3s-serving"\n`);
+        }
+        console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
+        console.log(`Run '${CLI_PREFIX} secure-openclaw' for OpenClaw-specific checks.`);
+        console.log(`Run '${CLI_PREFIX} secure' for a full security scan.\n`);
+        // Exit with non-zero if critical/high issues remain
+        const criticalOrHigh = issues.filter((f) => f.severity === 'critical' || f.severity === 'high');
+        if (criticalOrHigh.length > 0) {
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        process.exit(1);
+    }
+});
 program
     .command('scan')
     .description(`Scan external target for exposed MCP endpoints
@@ -6705,10 +6907,30 @@ const DOCS_AND_GENERATED_PATTERNS = [
     /\bHISTORY/i, // history files
     /\bLICENSE/i, // license files
     /\bCONTRIBUTING/i, // contributing guides
+    /\.tmLanguage\.json$/i, // TextMate grammars
+    /\.schema\.json$/i, // JSON schema definitions
+    /\.nls\.json$/i, // localization/NLS files
+    /\bcglicenses/i, // CG license files
+    /\blicenses?\//i, // license directories
+];
+/**
+ * Check IDs for security-sensitive pattern matches that produce false
+ * positives on documentation and generated files. These checks look for
+ * credential patterns, prompt injection, governance gaps, and skill
+ * definitions — all of which appear naturally in docs that DESCRIBE
+ * these concepts without being vulnerable.
+ */
+const DOCS_FALSE_POSITIVE_PREFIXES = [
+    'AST-GOV', // governance checks
+    'AST-GOVERN', // governance checks
+    'AST-PROMPT', // prompt security checks
+    'AST-HEARTBEAT', // heartbeat/liveness checks
+    'AST-CRED', // credential pattern checks
+    'AST-INJECT', // injection pattern checks
+    'AST-EXFIL', // exfiltration pattern checks
+    'SKILL-', // skill definition checks
+    'SUPPLY-', // supply chain checks
 ];
-function isDocsOrGenerated(filePath) {
-    return DOCS_AND_GENERATED_PATTERNS.some(p => p.test(filePath));
-}
 /**
  * Build scripts, CI/CD pipelines, and infrastructure files.
  * These are not runtime attack surfaces — findings here are lower risk.
@@ -6730,30 +6952,15 @@ const BUILD_CI_PATTERNS = [
     /\btools?\//i, // tools/ directory
     /\binfra\//i, // infra/ directory
 ];
-function isBuildOrCiFile(filePath) {
-    return BUILD_CI_PATTERNS.some(p => p.test(filePath));
-}
-/**
- * Check IDs for security-sensitive pattern matches that produce false
- * positives on documentation and generated files. These checks look for
- * credential patterns, prompt injection, governance gaps, and skill
- * definitions — all of which appear naturally in docs that DESCRIBE
- * these concepts without being vulnerable.
- */
-const DOCS_FALSE_POSITIVE_PREFIXES = [
-    'AST-GOV', // governance checks
-    'AST-GOVERN', // governance checks
-    'AST-PROMPT', // prompt security checks
-    'AST-HEARTBEAT', // heartbeat/liveness checks
-    'AST-CRED', // credential pattern checks
-    'AST-INJECT', // injection pattern checks
-    'AST-EXFIL', // exfiltration pattern checks
-    'SKILL-', // skill definition checks
-    'SUPPLY-', // supply chain checks
-];
 function isTestFile(filePath) {
     return TEST_FILE_PATTERNS.some(p => p.test(filePath));
 }
+function isDocsOrGenerated(filePath) {
+    return DOCS_AND_GENERATED_PATTERNS.some(p => p.test(filePath));
+}
+function isBuildOrCiFile(filePath) {
+    return BUILD_CI_PATTERNS.some(p => p.test(filePath));
+}
 function isAiToolingFile(filePath) {
     return AI_TOOLING_PATH_PATTERNS.some(p => p.test(filePath));
 }
@@ -6762,8 +6969,8 @@ function isAiToolingFile(filePath) {
  * packages (e.g. "Missing .gitignore" on an npm tarball).  Also filters
  * governance findings on AI tooling files, removes false-positive
  * pattern matches on documentation/generated files, and demotes test
- * file findings. Mutates `result.findings` in place and recalculates
- * the score.
+ * and build file findings. Mutates `result.findings` in place and
+ * recalculates the score.
  */
 function filterLocalOnlyFindings(result, scanner) {
     result.findings = result.findings.filter(f => {