hackmyagent 0.7.2 → 0.8.0

package/dist/registry/client.js

@@ -0,0 +1,308 @@
+"use strict";
+/**
+ * OpenA2A Registry client for posting scan results.
+ *
+ * Maps HackMyAgent scan findings to the registry's ScanResult format
+ * and POSTs them to the registry callback endpoint.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RegistryClient = void 0;
+exports.buildScanReport = buildScanReport;
+exports.buildAttackReport = buildAttackReport;
+exports.buildCommunityReport = buildCommunityReport;
+exports.buildCommunityAttackReport = buildCommunityAttackReport;
+class RegistryClient {
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Post scan results to registry callback endpoint.
+     */
+    async reportScanResult(payload) {
+        const url = `${this.config.registryUrl}/internal/scan-result`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${this.config.apiKey}`,
+                'User-Agent': 'HackMyAgent-CLI',
+            },
+            body: JSON.stringify(payload),
+        });
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            throw new Error(`Registry report failed (${response.status}): ${body}`);
+        }
+    }
+    /**
+     * Request a short-lived scan token for community scan submission.
+     * Returns the token response on success, or null on failure (never throws).
+     */
+    async requestScanToken(packageName, options) {
+        const url = `${this.config.registryUrl}/api/v1/registry/community/request-scan-token`;
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'User-Agent': 'HackMyAgent-CLI',
+                },
+                body: JSON.stringify({
+                    packageName,
+                    packageType: options?.packageType,
+                    version: options?.version,
+                }),
+            });
+            if (response.status === 404) {
+                console.error(`Registry: package "${packageName}" not found in registry`);
+                return null;
+            }
+            if (response.status === 429) {
+                console.error('Registry: rate limited — try again later');
+                return null;
+            }
+            if (!response.ok) {
+                const body = await response.text().catch(() => '');
+                console.error(`Registry: scan token request failed (${response.status}): ${body}`);
+                return null;
+            }
+            return await response.json();
+        }
+        catch {
+            console.error('Registry: scan token request failed (network error)');
+            return null;
+        }
+    }
+    /**
+     * Post community scan results with optional scan token.
+     * Returns { status: 'accepted' | 'unknown_package' | 'failed' }.
+     * Never throws — registry errors are non-fatal for the user's scan.
+     */
+    async reportCommunityResult(payload, scanToken) {
+        const url = `${this.config.registryUrl}/api/v1/registry/community/scan-result`;
+        const body = JSON.stringify(payload);
+        const headers = {
+            'Content-Type': 'application/json',
+            'User-Agent': 'HackMyAgent-CLI',
+        };
+        if (scanToken) {
+            headers['X-Scan-Token'] = scanToken;
+        }
+        try {
+            const response = await fetch(url, {
+                method: 'POST',
+                headers,
+                body,
+            });
+            if (!response.ok) {
+                const errBody = await response.json().catch(() => ({}));
+                return {
+                    status: 'failed',
+                    message: errBody.message || `HTTP ${response.status}`,
+                    code: errBody.code,
+                };
+            }
+            return await response.json();
+        }
+        catch {
+            return { status: 'failed', message: 'Network error' };
+        }
+    }
+    /**
+     * Look up package info from registry.
+     */
+    async getPackage(publisherName, packageType, name) {
+        const url = `${this.config.registryUrl}/api/v1/registry/${packageType}/${name}?publisher=${publisherName}`;
+        const response = await fetch(url, {
+            headers: {
+                'User-Agent': 'HackMyAgent-CLI',
+            },
+        });
+        if (response.status === 404) {
+            return null;
+        }
+        if (!response.ok) {
+            throw new Error(`Registry lookup failed (${response.status})`);
+        }
+        return response.json();
+    }
+}
+exports.RegistryClient = RegistryClient;
+/**
+ * Build a ScanReportPayload from HMA hardening scan results.
+ */
+function buildScanReport(versionId, findings) {
+    const failed = findings.filter(f => !f.passed && !f.fixed);
+    const counts = countBySeverity(failed);
+    const status = deriveStatus(counts);
+    // Map failed findings to vulnerability format
+    const vulnerabilities = failed.map(f => ({
+        id: f.checkId,
+        severity: f.severity,
+        title: f.name,
+        description: f.description,
+    }));
+    // Extract observed capabilities from capability-related checks
+    const observedCapabilities = [];
+    for (const f of findings) {
+        if (f.checkId.startsWith('FS-') && !f.passed)
+            observedCapabilities.push('filesystem');
+        if (f.checkId.startsWith('NET-') && !f.passed)
+            observedCapabilities.push('network');
+        if (f.checkId.startsWith('SHELL-') && !f.passed)
+            observedCapabilities.push('shell_exec');
+    }
+    return {
+        versionId,
+        scanId: `hma-${Date.now()}`,
+        status,
+        completedAt: new Date().toISOString(),
+        vulnerabilities,
+        criticalCount: counts.critical,
+        highCount: counts.high,
+        mediumCount: counts.medium,
+        lowCount: counts.low,
+        observedCapabilities: [...new Set(observedCapabilities)],
+        observedExternalApis: [],
+        capabilityMismatch: false,
+        behavioralFindings: [],
+        behavioralScore: 0,
+        rawReport: {
+            generator: 'hackmyagent',
+            totalFindings: findings.length,
+            failedFindings: failed.length,
+        },
+    };
+}
+/**
+ * Build a ScanReportPayload from HMA attack results.
+ */
+function buildAttackReport(versionId, report) {
+    const vulnerabilities = report.results
+        .filter(r => r.success)
+        .map(r => ({
+        id: r.payload.id,
+        severity: r.payload.severity,
+        title: `${r.payload.category}: ${r.payload.id}`,
+        description: r.response?.substring(0, 500) || 'Attack succeeded',
+    }));
+    const counts = {
+        critical: vulnerabilities.filter(v => v.severity === 'critical').length,
+        high: vulnerabilities.filter(v => v.severity === 'high').length,
+        medium: vulnerabilities.filter(v => v.severity === 'medium').length,
+        low: vulnerabilities.filter(v => v.severity === 'low').length,
+    };
+    const status = deriveStatus(counts);
+    return {
+        versionId,
+        scanId: `hma-attack-${Date.now()}`,
+        status,
+        completedAt: new Date().toISOString(),
+        vulnerabilities,
+        criticalCount: counts.critical,
+        highCount: counts.high,
+        mediumCount: counts.medium,
+        lowCount: counts.low,
+        observedCapabilities: [],
+        observedExternalApis: [],
+        capabilityMismatch: false,
+        behavioralFindings: [],
+        behavioralScore: 0,
+        rawReport: {
+            generator: 'hackmyagent-attack',
+            target: report.target,
+            riskRating: report.riskRating,
+            totalPayloads: report.summary.total,
+            successfulAttacks: report.summary.successful,
+        },
+    };
+}
+/**
+ * Build a CommunityScanPayload from HMA hardening scan results.
+ * Used for auto-publishing to the community endpoint (no version ID needed).
+ */
+function buildCommunityReport(packageName, findings, options) {
+    const failed = findings.filter(f => !f.passed && !f.fixed);
+    const counts = countBySeverity(failed);
+    const status = deriveStatus(counts);
+    const vulnerabilities = failed.map(f => ({
+        id: f.checkId,
+        severity: f.severity,
+        title: f.name,
+        description: f.description,
+    }));
+    return {
+        packageName,
+        packageType: options?.packageType,
+        version: options?.version,
+        scanId: `hma-community-${Date.now()}`,
+        status,
+        completedAt: new Date().toISOString(),
+        vulnerabilities,
+        criticalCount: counts.critical,
+        highCount: counts.high,
+        mediumCount: counts.medium,
+        lowCount: counts.low,
+        rawReport: {
+            generator: 'hackmyagent',
+            totalFindings: findings.length,
+            failedFindings: failed.length,
+        },
+    };
+}
+/**
+ * Build a CommunityScanPayload from HMA attack results.
+ */
+function buildCommunityAttackReport(packageName, report, options) {
+    const vulnerabilities = report.results
+        .filter(r => r.success)
+        .map(r => ({
+        id: r.payload.id,
+        severity: r.payload.severity,
+        title: `${r.payload.category}: ${r.payload.id}`,
+        description: r.response?.substring(0, 500) || 'Attack succeeded',
+    }));
+    const counts = {
+        critical: vulnerabilities.filter(v => v.severity === 'critical').length,
+        high: vulnerabilities.filter(v => v.severity === 'high').length,
+        medium: vulnerabilities.filter(v => v.severity === 'medium').length,
+        low: vulnerabilities.filter(v => v.severity === 'low').length,
+    };
+    const status = deriveStatus(counts);
+    return {
+        packageName,
+        packageType: options?.packageType,
+        version: options?.version,
+        scanId: `hma-attack-community-${Date.now()}`,
+        status,
+        completedAt: new Date().toISOString(),
+        vulnerabilities,
+        criticalCount: counts.critical,
+        highCount: counts.high,
+        mediumCount: counts.medium,
+        lowCount: counts.low,
+        rawReport: {
+            generator: 'hackmyagent-attack',
+            target: report.target,
+            riskRating: report.riskRating,
+            totalPayloads: report.summary.total,
+            successfulAttacks: report.summary.successful,
+        },
+    };
+}
+function countBySeverity(findings) {
+    return {
+        critical: findings.filter(f => f.severity === 'critical').length,
+        high: findings.filter(f => f.severity === 'high').length,
+        medium: findings.filter(f => f.severity === 'medium').length,
+        low: findings.filter(f => f.severity === 'low').length,
+    };
+}
+function deriveStatus(counts) {
+    if (counts.critical > 0 || counts.high > 0)
+        return 'failed';
+    if (counts.medium > 0 || counts.low > 0)
+        return 'warnings';
+    return 'passed';
+}
+//# sourceMappingURL=client.js.map

package/dist/registry/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/registry/client.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA+NH,0CA8CC;AAKD,8CA6CC;AAMD,oDAkCC;AAKD,gEA2CC;AAhVD,MAAa,cAAc;IAGzB,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAA0B;QAC/C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,uBAAuB,CAAC;QAE9D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;gBAC/C,YAAY,EAAE,iBAAiB;aAChC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,2BAA2B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CACvD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CACpB,WAAmB,EACnB,OAAoD;QAEpD,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,+CAA+C,CAAC;QAEtF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,YAAY,EAAE,iBAAiB;iBAChC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,WAAW;oBACX,WAAW,EAAE,OAAO,EAAE,WAAW;oBACjC,OAAO,EAAE,OAAO,EAAE,OAAO;iBAC1B,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CAAC,sBAAsB,WAAW,yBAAyB,CAAC,CAAC;gBAC1E,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;gBAC1D,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBACnD,OAAO,CAAC,KAAK,CAAC,wCAAwC,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;gBACnF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAA+D,CAAC;QAC5F,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;YACrE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,qBAAqB,CACzB,OAA6B,EAC7B,SAAkB;QAElB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,wCAAwC,CAAC;QAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAErC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,iBAAiB;SAChC,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC;QACtC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI;aACL,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAA4B,CAAC;gBACnF,OAAO;oBACL,MAAM,EAAE,QAAQ;oBAChB,OAAO,EAAG,OAAO,CAAC,OAAkB,IAAI,QAAQ,QAAQ,CAAC,MAAM,EAAE;oBACjE,IAAI,EAAE,OAAO,CAAC,IAA0B;iBACzC,CAAC;YACJ,CAAC;YAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAA0C,CAAC;QACvE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CACd,aAAqB,EACrB,WAAmB,EACnB,IAAY;QAEZ,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,oBAAoB,WAAW,IAAI,IAAI,cAAc,aAAa,EAAE,CAAC;QAE3G,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,OAAO,EAAE;gBACP,YAAY,EAAE,iBAAiB;aAChC;SACF,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAA8B,CAAC;IACrD,CAAC;CACF;AAnJD,wCAmJC;AAED;;GAEG;AACH,SAAgB,eAAe,CAC7B,SAAiB,EACjB,QAA2B;IAE3B,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAE3D,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEpC,8CAA8C;IAC9C,MAAM,eAAe,GAA2B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/D,EAAE,EAAE,CAAC,CAAC,OAAO;QACb,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,KAAK,EAAE,CAAC,CAAC,IAAI;QACb,WAAW,EAAE,CAAC,CAAC,WAAW;KAC3B,CAAC,CAAC,CAAC;IAEJ,+DAA+D;IAC/D,MAAM,oBAAoB,GAAa,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,oBAAoB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACtF,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpF,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,oBAAoB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO;QACL,SAAS;QACT,MAAM,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE;QAC3B,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,eAAe;QACf,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI;QACtB,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,oBAAoB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACxD,oBAAoB,EAAE,EAAE;QACxB,kBAAkB,EAAE,KAAK;QACzB,kBAAkB,EAAE,EAAE;QACtB,eAAe,EAAE,CAAC;QAClB,SAAS,EAAE;YACT,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,cAAc,EAAE,MAAM,CAAC,MAAM;SAC9B;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,SAAiB,EACjB,MAAoB;IAEpB,MAAM,eAAe,GAA2B,MAAM,CAAC,OAAO;SAC3D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACT,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE;QAChB,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ;QAC5B,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE;QAC/C,WAAW,EAAE,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,kBAAkB;KACjE,CAAC,CAAC,CAAC;IAEN,MAAM,MAAM,GAAG;QACb,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QACvE,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC/D,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QACnE,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;KAC9D,CAAC;IAEF,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO;QACL,SAAS;QACT,MAAM,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,EAAE;QAClC,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,eAAe;QACf,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI;QACtB,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,oBAAoB,EAAE,EAAE;QACxB,oBAAoB,EAAE,EAAE;QACxB,kBAAkB,EAAE,KAAK;QACzB,kBAAkB,EAAE,EAAE;QACtB,eAAe,EAAE,CAAC;QAClB,SAAS,EAAE;YACT,SAAS,EAAE,oBAAoB;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YACnC,iBAAiB,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;SAC7C;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAClC,WAAmB,EACnB,QAA2B,EAC3B,OAAoD;IAEpD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEpC,MAAM,eAAe,GAA2B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/D,EAAE,EAAE,CAAC,CAAC,OAAO;QACb,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,KAAK,EAAE,CAAC,CAAC,IAAI;QACb,WAAW,EAAE,CAAC,CAAC,WAAW;KAC3B,CAAC,CAAC,CAAC;IAEJ,OAAO;QACL,WAAW;QACX,WAAW,EAAE,OAAO,EAAE,WAAW;QACjC,OAAO,EAAE,OAAO,EAAE,OAAO;QACzB,MAAM,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,EAAE;QACrC,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,eAAe;QACf,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI;QACtB,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,SAAS,EAAE;YACT,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,QAAQ,CAAC,MAAM;YAC9B,cAAc,EAAE,MAAM,CAAC,MAAM;SAC9B;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CACxC,WAAmB,EACnB,MAAoB,EACpB,OAAoD;IAEpD,MAAM,eAAe,GAA2B,MAAM,CAAC,OAAO;SAC3D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACT,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE;QAChB,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ;QAC5B,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE;QAC/C,WAAW,EAAE,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,kBAAkB;KACjE,CAAC,CAAC,CAAC;IAEN,MAAM,MAAM,GAAG;QACb,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QACvE,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC/D,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QACnE,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;KAC9D,CAAC;IAEF,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO;QACL,WAAW;QACX,WAAW,EAAE,OAAO,EAAE,WAAW;QACjC,OAAO,EAAE,OAAO,EAAE,OAAO;QACzB,MAAM,EAAE,wBAAwB,IAAI,CAAC,GAAG,EAAE,EAAE;QAC5C,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,eAAe;QACf,aAAa,EAAE,MAAM,CAAC,QAAQ;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI;QACtB,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,SAAS,EAAE;YACT,SAAS,EAAE,oBAAoB;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK;YACnC,iBAAiB,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;SAC7C;KACF,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,QAA2C;IAMlE,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAChE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QACxD,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QAC5D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAKrB;IACC,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC5D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC3D,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/registry/index.d.ts

@@ -0,0 +1,3 @@
+export { RegistryClient, buildScanReport, buildAttackReport, buildCommunityReport, buildCommunityAttackReport, } from './client';
+export type { RegistryConfig, RegistryPackage, ScanReportPayload, CommunityScanPayload, } from './client';
+//# sourceMappingURL=index.d.ts.map

package/dist/registry/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/registry/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,oBAAoB,EACpB,0BAA0B,GAC3B,MAAM,UAAU,CAAC;AAElB,YAAY,EACV,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,UAAU,CAAC"}

package/dist/registry/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCommunityAttackReport = exports.buildCommunityReport = exports.buildAttackReport = exports.buildScanReport = exports.RegistryClient = void 0;
+var client_1 = require("./client");
+Object.defineProperty(exports, "RegistryClient", { enumerable: true, get: function () { return client_1.RegistryClient; } });
+Object.defineProperty(exports, "buildScanReport", { enumerable: true, get: function () { return client_1.buildScanReport; } });
+Object.defineProperty(exports, "buildAttackReport", { enumerable: true, get: function () { return client_1.buildAttackReport; } });
+Object.defineProperty(exports, "buildCommunityReport", { enumerable: true, get: function () { return client_1.buildCommunityReport; } });
+Object.defineProperty(exports, "buildCommunityAttackReport", { enumerable: true, get: function () { return client_1.buildCommunityAttackReport; } });
+//# sourceMappingURL=index.js.map

package/dist/registry/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/registry/index.ts"],"names":[],"mappings":";;;AAAA,mCAMkB;AALhB,wGAAA,cAAc,OAAA;AACd,yGAAA,eAAe,OAAA;AACf,2GAAA,iBAAiB,OAAA;AACjB,8GAAA,oBAAoB,OAAA;AACpB,oHAAA,0BAA0B,OAAA"}

package/dist/scanner/external-scanner.d.ts

@@ -0,0 +1,13 @@
+/**
+ * External Scanner
+ * Scans remote targets for exposed MCP endpoints, configs, and credentials
+ */
+import type { ExternalScanResult, ScannerOptions } from './types';
+export declare class ExternalScanner {
+    scan(target: string, options?: ScannerOptions): Promise<ExternalScanResult>;
+    private scanPorts;
+    private isPortOpen;
+    private checkPort;
+    private httpProbe;
+}
+//# sourceMappingURL=external-scanner.d.ts.map

package/dist/scanner/external-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-scanner.d.ts","sourceRoot":"","sources":["../../src/scanner/external-scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,kBAAkB,EAAmB,cAAc,EAAmB,MAAM,SAAS,CAAC;AAoDpG,qBAAa,eAAe;IACpB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,kBAAkB,CAAC;YA0CnE,SAAS;IAmBvB,OAAO,CAAC,UAAU;YAyBJ,SAAS;IAuHvB,OAAO,CAAC,SAAS;CA8ClB"}

package/dist/scanner/external-scanner.js

@@ -0,0 +1,299 @@
+"use strict";
+/**
+ * External Scanner
+ * Scans remote targets for exposed MCP endpoints, configs, and credentials
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExternalScanner = void 0;
+const net = __importStar(require("net"));
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+// Default ports to scan
+const DEFAULT_PORTS = [80, 443, 3000, 3001, 4000, 5000, 8000, 8080, 8888, 18789, 18790];
+// Config file paths to check
+const CONFIG_PATHS = [
+    '/.claude/settings.json',
+    '/mcp.json',
+    '/.cursor/mcp.json',
+    '/.vscode/mcp.json',
+    '/config.json',
+    '/.env',
+];
+// MCP endpoint paths to check
+const MCP_SSE_PATHS = ['/sse', '/events', '/mcp/sse', '/mcp/events'];
+const MCP_TOOLS_PATHS = ['/tools', '/list', '/mcp/tools', '/mcp/list'];
+// CLAUDE.md paths
+const CLAUDE_MD_PATHS = ['/CLAUDE.md', '/.claude/CLAUDE.md'];
+// API key patterns
+const API_KEY_PATTERNS = [
+    { name: 'Anthropic', pattern: /sk-ant-api\d{2}-[a-zA-Z0-9_-]{6,}/ },
+    { name: 'OpenAI', pattern: /sk-proj-[a-zA-Z0-9]{6,}/ },
+    { name: 'OpenAI', pattern: /sk-[a-zA-Z0-9]{20,}/ },
+    { name: 'AWS', pattern: /AKIA[0-9A-Z]{16}/ },
+    { name: 'GitHub', pattern: /ghp_[a-zA-Z0-9]{36}/ },
+    { name: 'GitHub', pattern: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/ },
+];
+// Severity weights for scoring
+const SEVERITY_WEIGHTS = {
+    critical: 25,
+    high: 15,
+    medium: 10,
+    low: 5,
+};
+function generateId() {
+    return Math.random().toString(36).substring(2, 10);
+}
+function calculateGrade(score) {
+    if (score >= 90)
+        return 'A';
+    if (score >= 80)
+        return 'B';
+    if (score >= 70)
+        return 'C';
+    if (score >= 60)
+        return 'D';
+    return 'F';
+}
+class ExternalScanner {
+    async scan(target, options) {
+        const startTime = Date.now();
+        const timeout = options?.timeout ?? 5000;
+        const ports = options?.ports ?? DEFAULT_PORTS;
+        const skipPortScan = options?.skipPortScan ?? false;
+        // Port scan
+        let openPorts = [];
+        if (!skipPortScan) {
+            openPorts = await this.scanPorts(target, ports, timeout);
+        }
+        // Run security checks on open ports
+        const findings = [];
+        for (const port of openPorts) {
+            const portFindings = await this.checkPort(target, port, timeout);
+            findings.push(...portFindings);
+        }
+        // Calculate score
+        let score = 100;
+        for (const finding of findings) {
+            score -= SEVERITY_WEIGHTS[finding.severity];
+        }
+        score = Math.max(0, score);
+        const grade = calculateGrade(score);
+        const duration = Date.now() - startTime;
+        return {
+            id: generateId(),
+            target,
+            score,
+            grade,
+            findings,
+            duration,
+            timestamp: new Date(),
+            openPorts,
+        };
+    }
+    async scanPorts(target, ports, timeout) {
+        const openPorts = [];
+        await Promise.all(ports.map(async (port) => {
+            const isOpen = await this.isPortOpen(target, port, timeout);
+            if (isOpen) {
+                openPorts.push(port);
+            }
+        }));
+        return openPorts.sort((a, b) => a - b);
+    }
+    isPortOpen(host, port, timeout) {
+        return new Promise((resolve) => {
+            const socket = new net.Socket();
+            socket.setTimeout(timeout);
+            socket.on('connect', () => {
+                socket.destroy();
+                resolve(true);
+            });
+            socket.on('timeout', () => {
+                socket.destroy();
+                resolve(false);
+            });
+            socket.on('error', () => {
+                socket.destroy();
+                resolve(false);
+            });
+            socket.connect(port, host);
+        });
+    }
+    async checkPort(target, port, timeout) {
+        const findings = [];
+        const useHttps = port === 443;
+        const baseUrl = `http${useHttps ? 's' : ''}://${target}:${port}`;
+        // Check MCP SSE endpoints
+        for (const path of MCP_SSE_PATHS) {
+            const result = await this.httpProbe(baseUrl + path, timeout);
+            if (result && result.contentType?.includes('text/event-stream')) {
+                findings.push({
+                    id: generateId(),
+                    checkId: 'MCP-SSE',
+                    severity: 'critical',
+                    title: 'MCP SSE Endpoint Exposed',
+                    description: 'Server-Sent Events endpoint for MCP is publicly accessible',
+                    port,
+                    path,
+                    evidence: `Content-Type: ${result.contentType}`,
+                    impact: 'Attackers can connect to the MCP server and potentially execute commands',
+                    fix: 'Restrict access with authentication or firewall rules',
+                });
+                break;
+            }
+        }
+        // Check MCP tools endpoints
+        for (const path of MCP_TOOLS_PATHS) {
+            const result = await this.httpProbe(baseUrl + path, timeout);
+            if (result && result.status === 200 && result.body?.includes('tools')) {
+                findings.push({
+                    id: generateId(),
+                    checkId: 'MCP-TOOLS',
+                    severity: 'critical',
+                    title: 'MCP Tools Endpoint Exposed',
+                    description: 'MCP tools listing is publicly accessible',
+                    port,
+                    path,
+                    evidence: `Found tools listing at ${path}`,
+                    impact: 'Attackers can enumerate available MCP tools and capabilities',
+                    fix: 'Restrict access with authentication or remove from public access',
+                });
+                break;
+            }
+        }
+        // Check config files
+        for (const path of CONFIG_PATHS) {
+            const result = await this.httpProbe(baseUrl + path, timeout);
+            if (result && result.status === 200 && result.body) {
+                // Check if it looks like JSON config
+                if (result.contentType?.includes('application/json') ||
+                    result.body.trim().startsWith('{')) {
+                    findings.push({
+                        id: generateId(),
+                        checkId: 'CONFIG-EXPOSED',
+                        severity: 'critical',
+                        title: 'Configuration File Exposed',
+                        description: `Configuration file ${path} is publicly accessible`,
+                        port,
+                        path,
+                        evidence: `HTTP 200 at ${path}`,
+                        impact: 'Configuration files may contain sensitive settings, API keys, or server details',
+                        fix: 'Remove file from public access or configure web server to deny access',
+                    });
+                }
+            }
+        }
+        // Check CLAUDE.md
+        for (const path of CLAUDE_MD_PATHS) {
+            const result = await this.httpProbe(baseUrl + path, timeout);
+            if (result && result.status === 200 && result.body) {
+                findings.push({
+                    id: generateId(),
+                    checkId: 'CLAUDE-MD-EXPOSED',
+                    severity: 'high',
+                    title: 'CLAUDE.md System Instructions Exposed',
+                    description: 'Agent system instructions file is publicly accessible',
+                    port,
+                    path,
+                    evidence: `Found CLAUDE.md at ${path}`,
+                    impact: 'System instructions reveal agent behavior, capabilities, and potential weaknesses',
+                    fix: 'Remove file from public access or configure web server to deny access',
+                });
+                break;
+            }
+        }
+        // Check root path for API keys in responses
+        const rootResult = await this.httpProbe(baseUrl + '/', timeout);
+        if (rootResult && rootResult.body) {
+            for (const { name, pattern } of API_KEY_PATTERNS) {
+                if (pattern.test(rootResult.body)) {
+                    findings.push({
+                        id: generateId(),
+                        checkId: 'API-KEY-EXPOSED',
+                        severity: 'critical',
+                        title: `${name} API Key Exposed`,
+                        description: `${name} API key found in HTTP response`,
+                        port,
+                        path: '/',
+                        evidence: `Found ${name} API key pattern in response`,
+                        impact: 'API keys can be used to access services, incur costs, or steal data',
+                        fix: 'Remove API keys from responses and rotate compromised keys immediately',
+                    });
+                    break;
+                }
+            }
+        }
+        return findings;
+    }
+    httpProbe(url, timeout) {
+        return new Promise((resolve) => {
+            const isHttps = url.startsWith('https://');
+            const client = isHttps ? https : http;
+            const req = client.get(url, {
+                timeout,
+                headers: {
+                    'User-Agent': 'HackMyAgent-Scanner/1.0',
+                    'ngrok-skip-browser-warning': 'true',
+                },
+                rejectUnauthorized: false,
+            }, (res) => {
+                let body = '';
+                res.on('data', (chunk) => {
+                    body += chunk;
+                    // Limit body size
+                    if (body.length > 10000) {
+                        res.destroy();
+                    }
+                });
+                res.on('end', () => {
+                    resolve({
+                        status: res.statusCode ?? 0,
+                        contentType: res.headers['content-type'],
+                        body: body.substring(0, 10000),
+                    });
+                });
+                res.on('error', () => resolve(null));
+            });
+            req.on('timeout', () => {
+                req.destroy();
+                resolve(null);
+            });
+            req.on('error', () => resolve(null));
+        });
+    }
+}
+exports.ExternalScanner = ExternalScanner;
+//# sourceMappingURL=external-scanner.js.map