hackmyagent 0.8.0 → 0.9.0

package/dist/hardening/mcp-tool-enum.js

@@ -0,0 +1,315 @@
+"use strict";
+/**
+ * MCP Tool Enumeration (MCPTOOL-001 to MCPTOOL-005)
+ *
+ * Connects to configured MCP servers, discovers their tools via JSON-RPC,
+ * and classifies dangerous capabilities. Only runs with --deep or --live-mcp flag.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverMcpConfigs = discoverMcpConfigs;
+exports.enumerateStdioTools = enumerateStdioTools;
+exports.classifyTools = classifyTools;
+exports.checkMcpToolEnumeration = checkMcpToolEnumeration;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+// Dangerous capability classification
+const EXECUTION_TOOLS = new Set([
+    'execute_command', 'bash', 'shell', 'run_command', 'exec',
+    'run_script', 'terminal', 'execute', 'run', 'system',
+    'execute_shell', 'run_shell', 'subprocess',
+]);
+const FILESYSTEM_WRITE_TOOLS = new Set([
+    'write_file', 'create_file', 'delete_file', 'edit_file',
+    'write', 'remove_file', 'mkdir', 'rename_file', 'move_file',
+    'append_file', 'overwrite_file', 'file_write',
+]);
+const NETWORK_TOOLS = new Set([
+    'fetch', 'http_request', 'curl', 'wget', 'request',
+    'http_get', 'http_post', 'web_request', 'send_request',
+    'make_request', 'api_call',
+]);
+const CREDENTIAL_TOOLS = new Set([
+    'get_secret', 'read_env', 'get_credential', 'get_password',
+    'read_secret', 'fetch_secret', 'env_var', 'get_token',
+    'read_keychain', 'get_api_key',
+]);
+const SPAWN_TIMEOUT_MS = 5000;
+const JSON_RPC_VERSION = '2.0';
+/**
+ * Discover MCP server configurations from known config file locations.
+ */
+async function discoverMcpConfigs(targetDir) {
+    const configs = new Map();
+    const configPaths = [
+        path.join(targetDir, 'mcp.json'),
+        path.join(targetDir, '.cursor', 'mcp.json'),
+        path.join(targetDir, '.vscode', 'mcp.json'),
+        path.join(os.homedir(), '.claude', 'settings.json'),
+    ];
+    for (const configPath of configPaths) {
+        try {
+            const content = await fs.readFile(configPath, 'utf-8');
+            const parsed = JSON.parse(content);
+            // Handle different config formats
+            const servers = parsed.mcpServers || parsed.servers || {};
+            for (const [name, serverConfig] of Object.entries(servers)) {
+                const config = serverConfig;
+                if (config.command || config.url) {
+                    configs.set(name, {
+                        config: {
+                            command: config.command,
+                            args: config.args,
+                            env: config.env,
+                            url: config.url,
+                        },
+                        configPath,
+                    });
+                }
+            }
+        }
+        catch {
+            // Config file doesn't exist or is invalid, skip
+        }
+    }
+    return configs;
+}
+/**
+ * Connect to a stdio MCP server and enumerate its tools.
+ */
+async function enumerateStdioTools(serverName, config) {
+    return new Promise((resolve) => {
+        let child = null;
+        let buffer = '';
+        let resolved = false;
+        const cleanup = () => {
+            if (child && !child.killed) {
+                child.kill('SIGTERM');
+            }
+        };
+        const finish = (result) => {
+            if (!resolved) {
+                resolved = true;
+                cleanup();
+                resolve(result);
+            }
+        };
+        // Timeout
+        const timer = setTimeout(() => {
+            finish({ serverName, configPath: '', tools: [], error: 'Timeout after 5s' });
+        }, SPAWN_TIMEOUT_MS);
+        try {
+            child = (0, child_process_1.spawn)(config.command, config.args || [], {
+                stdio: ['pipe', 'pipe', 'pipe'],
+                env: { ...process.env, ...config.env },
+            });
+            child.on('error', (err) => {
+                clearTimeout(timer);
+                finish({ serverName, configPath: '', tools: [], error: err.message });
+            });
+            child.stdout?.on('data', (data) => {
+                buffer += data.toString();
+                // Try to parse JSON-RPC responses
+                const lines = buffer.split('\n');
+                for (const line of lines) {
+                    const trimmed = line.trim();
+                    if (!trimmed)
+                        continue;
+                    try {
+                        const msg = JSON.parse(trimmed);
+                        // Response to initialize
+                        if (msg.id === 1 && msg.result) {
+                            // Send tools/list
+                            const toolsRequest = JSON.stringify({
+                                jsonrpc: JSON_RPC_VERSION,
+                                id: 2,
+                                method: 'tools/list',
+                                params: {},
+                            }) + '\n';
+                            child?.stdin?.write(toolsRequest);
+                        }
+                        // Response to tools/list
+                        if (msg.id === 2 && msg.result) {
+                            clearTimeout(timer);
+                            const tools = (msg.result.tools || []).map((t) => ({
+                                name: t.name,
+                                description: t.description,
+                                inputSchema: t.inputSchema,
+                            }));
+                            finish({ serverName, configPath: '', tools });
+                        }
+                    }
+                    catch {
+                        // Not valid JSON, skip
+                    }
+                }
+                // Keep only the last incomplete line in buffer
+                buffer = lines[lines.length - 1] || '';
+            });
+            // Send initialize request
+            const initRequest = JSON.stringify({
+                jsonrpc: JSON_RPC_VERSION,
+                id: 1,
+                method: 'initialize',
+                params: {
+                    protocolVersion: '2024-11-05',
+                    capabilities: {},
+                    clientInfo: { name: 'hackmyagent-scanner', version: '0.8.0' },
+                },
+            }) + '\n';
+            child.stdin?.write(initRequest);
+        }
+        catch (err) {
+            clearTimeout(timer);
+            finish({ serverName, configPath: '', tools: [], error: err.message });
+        }
+    });
+}
+/**
+ * Classify tool capabilities and generate security findings.
+ */
+function classifyTools(serverName, configPath, tools) {
+    const findings = [];
+    // MCPTOOL-001: Execution tools
+    const execTools = tools.filter((t) => EXECUTION_TOOLS.has(t.name.toLowerCase()));
+    if (execTools.length > 0) {
+        findings.push({
+            checkId: 'MCPTOOL-001',
+            name: 'MCP server exposes command execution',
+            description: `MCP server "${serverName}" provides tools that can execute arbitrary commands: ${execTools.map((t) => t.name).join(', ')}. This allows the AI to run any system command.`,
+            category: 'mcp-capability',
+            severity: 'critical',
+            passed: false,
+            message: `${serverName}: ${execTools.length} execution tool(s) exposed`,
+            fixable: false,
+            file: configPath,
+            fix: 'Restrict command execution tools or add an allowlist of permitted commands.',
+        });
+    }
+    // MCPTOOL-002: Filesystem write tools
+    const fsWriteTools = tools.filter((t) => FILESYSTEM_WRITE_TOOLS.has(t.name.toLowerCase()));
+    if (fsWriteTools.length > 0) {
+        findings.push({
+            checkId: 'MCPTOOL-002',
+            name: 'MCP server exposes filesystem write',
+            description: `MCP server "${serverName}" provides tools that can write/delete files: ${fsWriteTools.map((t) => t.name).join(', ')}. This allows modifying system files.`,
+            category: 'mcp-capability',
+            severity: 'high',
+            passed: false,
+            message: `${serverName}: ${fsWriteTools.length} filesystem write tool(s) exposed`,
+            fixable: false,
+            file: configPath,
+            fix: 'Add path restrictions to filesystem write tools.',
+        });
+    }
+    // MCPTOOL-003: Unrestricted network tools
+    const netTools = tools.filter((t) => NETWORK_TOOLS.has(t.name.toLowerCase()));
+    if (netTools.length > 0) {
+        findings.push({
+            checkId: 'MCPTOOL-003',
+            name: 'MCP server exposes unrestricted network access',
+            description: `MCP server "${serverName}" provides tools for network requests: ${netTools.map((t) => t.name).join(', ')}. This allows data exfiltration.`,
+            category: 'mcp-capability',
+            severity: 'high',
+            passed: false,
+            message: `${serverName}: ${netTools.length} network tool(s) exposed`,
+            fixable: false,
+            file: configPath,
+            fix: 'Restrict network access to specific domains or add an allowlist.',
+        });
+    }
+    // MCPTOOL-004: Credential-accessing tools
+    const credTools = tools.filter((t) => CREDENTIAL_TOOLS.has(t.name.toLowerCase()));
+    if (credTools.length > 0) {
+        findings.push({
+            checkId: 'MCPTOOL-004',
+            name: 'MCP server exposes credential access',
+            description: `MCP server "${serverName}" provides tools that access credentials: ${credTools.map((t) => t.name).join(', ')}.`,
+            category: 'mcp-capability',
+            severity: 'critical',
+            passed: false,
+            message: `${serverName}: ${credTools.length} credential-accessing tool(s) exposed`,
+            fixable: false,
+            file: configPath,
+            fix: 'Remove credential access tools or use secretless-ai broker for credential isolation.',
+        });
+    }
+    // MCPTOOL-005: Server with 10+ tools and no apparent access control
+    if (tools.length >= 10) {
+        findings.push({
+            checkId: 'MCPTOOL-005',
+            name: 'MCP server exposes excessive tools',
+            description: `MCP server "${serverName}" exposes ${tools.length} tools. Large tool surfaces increase the attack area for prompt injection.`,
+            category: 'mcp-capability',
+            severity: 'medium',
+            passed: false,
+            message: `${serverName}: ${tools.length} tools exposed (threshold: 10)`,
+            fixable: false,
+            file: configPath,
+            fix: 'Reduce the number of exposed tools or implement per-tool access controls.',
+        });
+    }
+    return findings;
+}
+/**
+ * Run full MCP tool enumeration scan.
+ * Discovers MCP configs, connects to each server, enumerates tools, classifies dangers.
+ */
+async function checkMcpToolEnumeration(targetDir, onProgress) {
+    const findings = [];
+    const configs = await discoverMcpConfigs(targetDir);
+    if (configs.size === 0)
+        return findings;
+    onProgress?.(`Found ${configs.size} MCP server(s), enumerating tools...`);
+    for (const [serverName, { config, configPath }] of configs) {
+        onProgress?.(`Scanning ${serverName}...`);
+        if (config.command) {
+            const result = await enumerateStdioTools(serverName, config);
+            if (result.error) {
+                // Non-fatal: server couldn't be reached
+                onProgress?.(`  ${serverName}: ${result.error}`);
+                continue;
+            }
+            const serverFindings = classifyTools(serverName, configPath, result.tools);
+            findings.push(...serverFindings);
+            onProgress?.(`  ${serverName}: ${result.tools.length} tools, ${serverFindings.length} findings`);
+        }
+        // SSE servers would go here (future)
+    }
+    return findings;
+}
+//# sourceMappingURL=mcp-tool-enum.js.map

package/dist/hardening/mcp-tool-enum.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-tool-enum.js","sourceRoot":"","sources":["../../src/hardening/mcp-tool-enum.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2DH,gDAwCC;AAKD,kDAoGC;AAKD,sCA4FC;AAMD,0DAiCC;AAlVD,iDAAyD;AACzD,gDAAkC;AAClC,2CAA6B;AAC7B,uCAAyB;AAuBzB,sCAAsC;AACtC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM;IACzD,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ;IACpD,eAAe,EAAE,WAAW,EAAE,YAAY;CAC3C,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW;IACvD,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW;IAC3D,aAAa,EAAE,gBAAgB,EAAE,YAAY;CAC9C,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS;IAClD,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc;IACtD,cAAc,EAAE,UAAU;CAC3B,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,cAAc;IAC1D,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW;IACrD,eAAe,EAAE,aAAa;CAC/B,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,IAAK,CAAC;AAC/B,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA2D,CAAC;IAEnF,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC;KACpD,CAAC;IAEF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAEnC,kCAAkC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YAE1D,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3D,MAAM,MAAM,GAAG,YAAuC,CAAC;gBACvD,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;oBACjC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;wBAChB,MAAM,EAAE;4BACN,OAAO,EAAE,MAAM,CAAC,OAAiB;4BACjC,IAAI,EAAE,MAAM,CAAC,IAA4B;4BACzC,GAAG,EAAE,MAAM,CAAC,GAAyC;4BACrD,GAAG,EAAE,MAAM,CAAC,GAAyB;yBACtC;wBACD,UAAU;qBACX,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,MAAuB;IAEvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,KAAK,GAAwB,IAAI,CAAC;QACtC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,MAAM,GAAG,CAAC,MAAuB,EAAE,EAAE;YACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAC;gBAChB,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;QACH,CAAC,CAAC;QAEF,UAAU;QACV,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAC/E,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAErB,IAAI,CAAC;YACH,KAAK,GAAG,IAAA,qBAAK,EAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,EAAE;gBAC/C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,GAAG,EAAE;aACvC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACxB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACxE,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACxC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAE1B,kCAAkC;gBAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC5B,IAAI,CAAC,OAAO;wBAAE,SAAS;oBAEvB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;wBAEhC,yBAAyB;wBACzB,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;4BAC/B,kBAAkB;4BAClB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC;gCAClC,OAAO,EAAE,gBAAgB;gCACzB,EAAE,EAAE,CAAC;gCACL,MAAM,EAAE,YAAY;gCACpB,MAAM,EAAE,EAAE;6BACX,CAAC,GAAG,IAAI,CAAC;4BACV,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;wBACpC,CAAC;wBAED,yBAAyB;wBACzB,IAAI,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;4BAC/B,YAAY,CAAC,KAAK,CAAC,CAAC;4BACpB,MAAM,KAAK,GAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CACvD,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC;gCAC/B,IAAI,EAAE,CAAC,CAAC,IAAc;gCACtB,WAAW,EAAE,CAAC,CAAC,WAAiC;gCAChD,WAAW,EAAE,CAAC,CAAC,WAAkD;6BAClE,CAAC,CACH,CAAC;4BACF,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;wBAChD,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,uBAAuB;oBACzB,CAAC;gBACH,CAAC;gBACD,+CAA+C;gBAC/C,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,CAAC,CAAC,CAAC;YAEH,0BAA0B;YAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;gBACjC,OAAO,EAAE,gBAAgB;gBACzB,EAAE,EAAE,CAAC;gBACL,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE;oBACN,eAAe,EAAE,YAAY;oBAC7B,YAAY,EAAE,EAAE;oBAChB,UAAU,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE;iBAC9D;aACF,CAAC,GAAG,IAAI,CAAC;YACV,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAC3B,UAAkB,EAClB,UAAkB,EAClB,KAAoB;IAEpB,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,+BAA+B;IAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,sCAAsC;YAC5C,WAAW,EAAE,eAAe,UAAU,yDAAyD,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,iDAAiD;YACvL,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,UAAsB;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,SAAS,CAAC,MAAM,4BAA4B;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,6EAA6E;SACnF,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC3F,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,qCAAqC;YAC3C,WAAW,EAAE,eAAe,UAAU,iDAAiD,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,uCAAuC;YACxK,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,MAAkB;YAC5B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,YAAY,CAAC,MAAM,mCAAmC;YACjF,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,kDAAkD;SACxD,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9E,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,gDAAgD;YACtD,WAAW,EAAE,eAAe,UAAU,0CAA0C,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,kCAAkC;YACxJ,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,MAAkB;YAC5B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,QAAQ,CAAC,MAAM,0BAA0B;YACpE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,kEAAkE;SACxE,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAClF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,sCAAsC;YAC5C,WAAW,EAAE,eAAe,UAAU,6CAA6C,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC7H,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,UAAsB;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,SAAS,CAAC,MAAM,uCAAuC;YAClF,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,sFAAsF;SAC5F,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC;YACZ,OAAO,EAAE,aAAa;YACtB,IAAI,EAAE,oCAAoC;YAC1C,WAAW,EAAE,eAAe,UAAU,aAAa,KAAK,CAAC,MAAM,4EAA4E;YAC3I,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,QAAoB;YAC9B,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,GAAG,UAAU,KAAK,KAAK,CAAC,MAAM,gCAAgC;YACvE,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,2EAA2E;SACjF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,uBAAuB,CAC3C,SAAiB,EACjB,UAAsC;IAEtC,MAAM,QAAQ,GAAsB,EAAE,CAAC;IAEvC,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAExC,UAAU,EAAE,CAAC,SAAS,OAAO,CAAC,IAAI,sCAAsC,CAAC,CAAC;IAE1E,KAAK,MAAM,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC;QAC3D,UAAU,EAAE,CAAC,YAAY,UAAU,KAAK,CAAC,CAAC;QAE1C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC7D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,wCAAwC;gBACxC,UAAU,EAAE,CAAC,KAAK,UAAU,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gBACjD,SAAS;YACX,CAAC;YAED,MAAM,cAAc,GAAG,aAAa,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3E,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;YAEjC,UAAU,EAAE,CACV,KAAK,UAAU,KAAK,MAAM,CAAC,KAAK,CAAC,MAAM,WAAW,cAAc,CAAC,MAAM,WAAW,CACnF,CAAC;QACJ,CAAC;QACD,qCAAqC;IACvC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/hardening/scanner.js

@@ -3689,7 +3689,7 @@ dist/
             await fs.access(backupBaseDir);
         }
         catch {
-            throw new Error('No backup found. Cannot rollback.');
+            throw new Error('No backup found. Run hackmyagent harden --fix <dir> first to create a backup.');
         }
         // Find the most recent backup
         const backups = await fs.readdir(backupBaseDir);
@@ -3698,7 +3698,7 @@ dist/
             .sort()
             .reverse();
         if (sortedBackups.length === 0) {
-            throw new Error('No backup found. Cannot rollback.');
+            throw new Error('No backup found. Run hackmyagent harden --fix <dir> first to create a backup.');
         }
         const latestBackup = sortedBackups[0];
         const backupDir = path.join(backupBaseDir, latestBackup);
@@ -3709,7 +3709,7 @@ dist/
             manifest = JSON.parse(manifestContent);
         }
         catch {
-            throw new Error('Backup manifest is corrupted. Cannot rollback.');
+            throw new Error('Backup manifest is corrupted. Delete ~/.hackmyagent/backups/ and re-run hackmyagent harden --fix.');
         }
         // Restore existing files from backup
         for (const file of manifest.existingFiles) {