nsauditor-ai 0.1.1 → 0.1.3

package/README.md

@@ -271,18 +271,21 @@ Add this to your `claude_desktop_config.json` (Settings → Developer → Edit C
   "mcpServers": {
     "nsauditor-ai": {
       "command": "npx",
-      "args": ["nsauditor-ai-mcp"],
+      "args": ["--package=nsauditor-ai", "nsauditor-ai-mcp"],
       "env": {
         "AI_PROVIDER": "claude",
         "ANTHROPIC_API_KEY": "your-key-here",
-        "NSA_ALLOW_ALL_HOSTS": "1"
+        "NSA_ALLOW_ALL_HOSTS": "1",
+        "PLUGIN_TIMEOUT_MS": "5000"
       }
     }
   }
 }
 ```
 
-Set `NSA_ALLOW_ALL_HOSTS=1` if you need to scan private/RFC 1918 addresses (e.g., `192.168.x.x`). The `AI_PROVIDER` and key variables are optional — they enable AI-powered analysis of scan results.
+- `NSA_ALLOW_ALL_HOSTS=1` — required to scan private/RFC 1918 addresses (e.g., `192.168.x.x`)
+- `PLUGIN_TIMEOUT_MS=5000` — reduces per-plugin timeout to 5s so the full scan completes within Claude Desktop's 60s MCP limit
+- `AI_PROVIDER` and API key — optional, enables AI-powered analysis of scan results
 
 ### Claude Code Setup
 

package/cli.mjs

@@ -685,7 +685,7 @@ async function main() {
   if (cmd === 'license') {
     const { getTierFromEnv } = await import('./utils/license.mjs');
     const { resolveCapabilities } = await import('./utils/capabilities.mjs');
-    // TODO (Phase 2): replace getTierFromEnv() with loadLicense() for full JWT verification
+    // TODO: replace getTierFromEnv() with loadLicense() for full license validation
     const tier = getTierFromEnv();
     const caps = resolveCapabilities(tier);
     const key = process.env.NSAUDITOR_LICENSE_KEY;

package/docs/EULA-nsauditor-ai.md

@@ -1,7 +1,7 @@
 # NSAUDITOR AI — END USER LICENSE AGREEMENT (EULA)
 
 **Nsasoft US LLC**
-**Effective Date: [DATE]**
+**Effective Date: April 7, 2026**
 **Version: 2.0**
 
 ---
@@ -317,8 +317,4 @@ Website: https://www.nsauditor.com/ai/
 
 ---
 
-*This document is a draft template for review purposes. Nsasoft US LLC should have this Agreement reviewed by a licensed attorney before publication. This does not constitute legal advice.*
-
----
-
 **END OF LICENSE AGREEMENT**

package/mcp_server.mjs

@@ -8,6 +8,10 @@
 //   import { createServer, toolHandlers } from './mcp_server.mjs'  — for testing
 
 import { createRequire } from 'node:module';
+import { dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { resolveAndValidate } from './utils/net_validation.mjs';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
@@ -25,15 +29,12 @@ const { version: TOOL_VERSION } = _require('./package.json');
 // License tier & capability resolution (module-level, overridable for tests)
 // ---------------------------------------------------------------------------
 
-// TODO (Phase 2): replace getTierFromEnv() with loadLicense(process.env.NSAUDITOR_LICENSE_KEY)
-// and wire the returned tier here. Until then, pro_* prefix grants Pro tier without verification.
+// TODO: replace getTierFromEnv() with loadLicense() for full license validation.
 let _tier = getTierFromEnv();
 let _capabilities = resolveCapabilities(_tier);
 
 /**
  * @internal Test-only. Override tier without touching env vars.
- * Do NOT use in production code. When JWT license validation lands (Phase 2),
- * this function will be removed or guarded by NODE_ENV !== 'production'.
  */
 export function _setTier(tier) {
   if (process.env.NODE_ENV === 'production') throw new Error('_setTier is test-only and disabled in production');
@@ -68,7 +69,7 @@ let _nvdClient = null;
 async function getPluginManager() {
   if (_pluginManager) return _pluginManager;
   const { default: PluginManager } = await import('./plugin_manager.mjs');
-  _pluginManager = await PluginManager.create('./plugins');
+  _pluginManager = await PluginManager.create(`${__dirname}/plugins`);
   return _pluginManager;
 }
 
@@ -197,11 +198,14 @@ export async function validateHost(host) {
     throw new Error('Scanning loopback, link-local, or metadata addresses is not allowed via MCP');
   }
 
-  // DNS resolution check — catches rebinding, decimal/octal IPs, IPv6-mapped addrs
-  try {
-    await resolveAndValidate(h);
-  } catch (err) {
-    throw new Error('Scanning loopback, link-local, or metadata addresses is not allowed via MCP');
+  // DNS resolution check — catches rebinding, decimal/octal IPs, IPv6-mapped addrs.
+  // NSA_ALLOW_ALL_HOSTS=1 bypasses RFC 1918 checks for local network auditing.
+  if (!process.env.NSA_ALLOW_ALL_HOSTS) {
+    try {
+      await resolveAndValidate(h);
+    } catch (err) {
+      throw new Error('Scanning loopback, link-local, or metadata addresses is not allowed via MCP');
+    }
   }
   return h;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,

package/plugin_manager.mjs

@@ -378,7 +378,7 @@ export class PluginManager {
     const mgr = new PluginManager(baseDir);
     mgr.plugins = rawPlugins;
     // Resolve capabilities from env tier at load time — prevents permissive fallback.
-    // TODO (Phase 2): replace getTierFromEnv() with loadLicense() result here.
+    // TODO: replace getTierFromEnv() with loadLicense() result here.
     mgr._resolvedCapabilities = resolveCapabilities(getTierFromEnv());
     vlog("PluginManager initialized successfully");
     return mgr;
@@ -643,7 +643,7 @@ export class PluginManager {
   _hasCapabilities(plugin, capabilities) {
     if (!plugin.requiredCapabilities?.length) return true;
     // Fall back to capabilities resolved at load time — never "allow all".
-    // TODO (Phase 2): _resolvedCapabilities will reflect JWT-verified tier.
+    // Capabilities resolved at load time — updated when license validation lands.
     const caps = capabilities ?? this._resolvedCapabilities ?? {};
     return plugin.requiredCapabilities.every(cap => Boolean(caps[cap]));
   }

package/plugins/os_detector.mjs

@@ -93,7 +93,7 @@ function evidenceRow(info, port = null, proto = "os-detector", banner = null) {
 
 function looksLikeAppleHost(s) {
   const host = String(s || "").toLowerCase();
-  // iphone-of-joe.local, ANAHITs-iPad.local, ANAHITs-iMac.local, MacBook-Air.local, apple-tv.local, etc.
+  // iphone-of-alice.local, Alices-iPad.local, Alices-iMac.local, MacBook-Air.local, apple-tv.local, etc.
   return /(iphone|ipad|ipod|imac|macbook|apple.?tv)/i.test(host);
 }
 

package/plugins/snmp_scanner.mjs

@@ -9,7 +9,7 @@ export const snmpCommunities = process.env.SNMP_COMMUNITY
   : DEFAULT_COMMUNITIES;
 const oidTable = {
   default: [1, 3, 6, 1, 2, 1, 1, 1, 0], // sysDescr 
-  epsonShortName: [1, 3, 6, 1, 2, 1, 1, 5, 0], // sysDescr EPSON6768F4 '1.3.6.1.2.1.1.5.0'
+  epsonShortName: [1, 3, 6, 1, 2, 1, 1, 5, 0], // sysName '1.3.6.1.2.1.1.5.0'
   epsonModel: [1, 3, 6, 1, 4, 1, 1248, 1, 1, 3, 1, 29, 3, 1, 45, 0], // Epson model OID
   epsonSerial: [1, 3, 6, 1, 4, 1, 1248, 1, 2, 2, 1, 1, 1, 4, 1], // Epson serial number
   epsonVersions: [1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1], // Hardware and firmware versions

package/plugins/ssh_scanner.mjs

@@ -365,14 +365,7 @@ export default {
    * @returns {Promise<object>} result object (manager wraps with id/name)
    */
   async run(host, port = 22, options = {}) {
-    console.log(`Running SSH Scanner on ${host}:${port}`);
     const res = await readSshBanner(host, port, options?.timeoutMs || 1500);
-    // Mirror your other plugins’ console style (manager will also print the wrapped result)
-    console.log("SSH Scanner Result:", JSON.stringify({
-      id: this.id,
-      name: this.name,
-      result: res
-    }, null, 2));
     return res; // manager expects only the "result" object
   }
 };

package/utils/license.mjs

@@ -1,10 +1,9 @@
 // utils/license.mjs
-// CE stub implementation. Full ES256 JWT validation added in Phase 2 (roadmap).
+// CE stub — full license validation coming in a future release.
 
 /**
  * Parse tier from NSAUDITOR_LICENSE_KEY environment variable.
  * Stub uses key prefix: pro_* → 'pro', enterprise_* → 'enterprise'.
- * Phase 2 roadmap replaces this with offline jose ES256 JWT verification.
  */
 export function getTierFromEnv() {
   const key = process.env.NSAUDITOR_LICENSE_KEY;
@@ -16,7 +15,6 @@ export function getTierFromEnv() {
 
 /**
  * Validate a license key string.
- * Phase 2 roadmap: replace with jose.jwtVerify() against embedded ECDSA P-256 public key.
  * Gracefully degrades to CE on any failure — never throws.
  *
  * @param {string|undefined} keyStr
@@ -24,6 +22,6 @@ export function getTierFromEnv() {
  */
 export async function loadLicense(keyStr) {
   if (!keyStr) return { valid: false, tier: 'ce', reason: 'no key provided' };
-  // TODO (Phase 2): implement jose.jwtVerify with embedded public key
-  return { valid: false, tier: 'ce', reason: 'JWT validation not yet implemented' };
+  // TODO: implement full license validation
+  return { valid: false, tier: 'ce', reason: 'license validation not yet implemented' };
 }

package/utils/sarif.mjs

@@ -8,7 +8,7 @@ const { version: TOOL_VERSION } = require('../package.json');
 const SARIF_VERSION = '2.1.0';
 const SARIF_SCHEMA = 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json';
 const TOOL_NAME = 'nsauditor';
-const TOOL_URI = 'https://github.com/nsasoft/nsauditor-plugin-manager';
+const TOOL_URI = 'https://github.com/nsasoft/nsauditor-ai';
 
 /**
  * Map nsauditor severity to SARIF level.