nsauditor-ai 0.1.20 → 0.1.22

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.20",
+  "version": "0.1.22",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,

package/plugin_manager.mjs

@@ -123,7 +123,7 @@ function withBaseContext(ctxLike) {
   return { ...base, ...live };
 }
 
-async function callPlugin(mod, host, ctx, priorOutputs = null) {
+async function callPlugin(mod, host, ctx, priorOutputs = null, cliOpts = {}) {
   // Decide if we run once per matching open port, or once total.
   const req = mod?.requirements || {};
   const runs = [];
@@ -141,7 +141,10 @@ async function callPlugin(mod, host, ctx, priorOutputs = null) {
 
   const runWithCtx = (port) => {
     const extra = isOsDetector && Array.isArray(priorOutputs) ? { results: priorOutputs } : {};
-    const pluginPromise = mod.run(host, port, { context: withBaseContext(ctx), ...extra });
+    // Forward CLI-derived opts (ports, etc.) so plugins can honor flags like --ports.
+    // CLI opts come last so they don't override critical orchestration fields like
+    // `context` if the CLI ever accidentally collides on those names.
+    const pluginPromise = mod.run(host, port, { ...cliOpts, context: withBaseContext(ctx), ...extra });
 
     const timeoutMs = PLUGIN_TIMEOUT_MS;
     let timer;
@@ -694,8 +697,9 @@ export class PluginManager {
 
       vlog(`Running ${mod.name} (priority ${getPriority(mod)}) on ${host}`);
       // **FIX**: pass prior outputs into OS Detector via callPlugin(..., priorOutputs)
+      // **N.27 FIX**: forward CLI-derived opts (ports, etc.) so plugins can honor CLI flags
       const startMs = Date.now();
-      const wrappedRuns = await callPlugin(mod, host, ctx, outputs);
+      const wrappedRuns = await callPlugin(mod, host, ctx, outputs, opts);
       const duration_ms = Date.now() - startMs;
 
       // Determine manifest status from the plugin results

package/plugins/port_scanner.mjs

@@ -18,6 +18,45 @@ function uniqInts(arr = []) {
   return [...new Set((arr || []).map((x) => Number(x)).filter(Number.isFinite))];
 }
 
+/**
+ * Parse a CLI-style ports spec string into TCP/UDP port arrays.
+ *
+ * Accepted formats (entries comma-separated, whitespace tolerated):
+ *   "8090"                   → { tcp: [8090],          udp: [] }
+ *   "8090,9090"              → { tcp: [8090, 9090],    udp: [] }
+ *   "8090/tcp"               → { tcp: [8090],          udp: [] }
+ *   "8090/udp"               → { tcp: [],              udp: [8090] }
+ *   "8090,9090/udp"          → { tcp: [8090],          udp: [9090] }
+ *   "8090/tcp,9090/udp"      → { tcp: [8090],          udp: [9090] }
+ *
+ * Default protocol when not specified: TCP.
+ *
+ * Malformed entries (non-numeric, out-of-range 1–65535, empty, unknown
+ * protocol suffix) are silently skipped — defensive for sloppy CLI input.
+ *
+ * @param {string} spec
+ * @returns {{ tcp: number[], udp: number[] }}
+ */
+export function parsePortsSpec(spec) {
+  const out = { tcp: [], udp: [] };
+  if (typeof spec !== 'string') return out;
+  const entries = spec.split(',').map(s => s.trim()).filter(Boolean);
+  for (const entry of entries) {
+    // Reject entries with more than one '/' separator (e.g. "8090/tcp/extra")
+    const parts = entry.split('/');
+    if (parts.length > 2) continue;
+    const portStr = parts[0];
+    const proto   = (parts[1] || 'tcp').toLowerCase();
+    if (proto !== 'tcp' && proto !== 'udp') continue;
+    const port = Number(portStr);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) continue;
+    out[proto].push(port);
+  }
+  out.tcp = uniqInts(out.tcp);
+  out.udp = uniqInts(out.udp);
+  return out;
+}
+
 async function loadConfigPortsFromServicesJson(cwd = process.cwd()) {
   // Supports the "array schema" used by tests:
   // { "services": [ { port, protocol }, ... ] }
@@ -179,7 +218,13 @@ export default {
     const maxBannerBytes  = toInt(process.env.TCP_BANNER_MAX_BYTES, 350);
     const udpPayload      = Buffer.from("hi");
 
-    // Port sources: opts first, else config/services.json, else empty (tests supply what they need)
+    // Port sources, in priority order:
+    //   1. Explicit opts.tcpPorts / opts.udpPorts arrays (tests, programmatic API)
+    //   2. config/services.json (default well-known port set)
+    //   3. Empty
+    // Then ADDITIVELY merge opts.ports (CLI --ports flag, comma-separated string with
+    // optional /tcp /udp suffix). Additive semantics so that --ports adds extras to the
+    // default scan rather than silently replacing it (Task N.27, fixed in v0.1.22).
     let tcpPorts = Array.isArray(opts.tcpPorts) ? uniqInts(opts.tcpPorts) : [];
     let udpPorts = Array.isArray(opts.udpPorts) ? uniqInts(opts.udpPorts) : [];
 
@@ -189,6 +234,13 @@ export default {
       udpPorts = cfg.udp;
     }
 
+    // Additive merge of CLI --ports flag (string spec)
+    if (typeof opts.ports === 'string' && opts.ports.trim()) {
+      const extra = parsePortsSpec(opts.ports);
+      tcpPorts = uniqInts([...tcpPorts, ...extra.tcp]);
+      udpPorts = uniqInts([...udpPorts, ...extra.udp]);
+    }
+
     // If still nothing, just return empty structure
     if (!tcpPorts.length && !udpPorts.length) {
       return {

package/utils/validate.mjs

@@ -20,8 +20,15 @@
 import fsp from 'node:fs/promises';
 import path from 'node:path';
 import dnsP from 'node:dns/promises';
+import { fileURLToPath } from 'node:url';
 import { resolveBaseOutDir } from './output_dir.mjs';
 
+// Package root — derived from THIS file's location (utils/validate.mjs) by
+// going up one directory. Used as the default plugin-discovery base so that
+// `nsauditor-ai validate` finds the plugins shipped with the package, NOT
+// whatever happens to be in the user's cwd. Fixed in v0.1.21 (Task N.25).
+const PKG_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+
 export const STATUSES = Object.freeze({
   OK:    'ok',
   WARN:  'warn',
@@ -36,26 +43,32 @@ const DEFAULT_NETWORK_HOST = 'localhost'; // hermetic — no external dependency
 /**
  * Verify all installed plugins load without error.
  *
+ * Discovery base is the **package root** (derived from this file's location),
+ * not `process.cwd()`. Critical: when the bin shim is invoked from anywhere
+ * other than the install dir, `process.cwd()` is the user's working
+ * directory — which has no plugins. v0.1.20 had this bug; fixed in v0.1.21.
+ *
  * @param {object} [opts]
  * @param {Function} [opts.discover] - Override for testing.
+ * @param {string}   [opts.pkgRoot]  - Override package root path (test injection).
  */
-export async function checkPlugins({ discover } = {}) {
+export async function checkPlugins({ discover, pkgRoot = PKG_ROOT } = {}) {
   try {
     const fn = discover || (await import('./plugin_discovery.mjs')).discoverPlugins;
-    const result = await fn(process.cwd());
+    const result = await fn(pkgRoot);
     const plugins = Array.isArray(result) ? result : (result?.plugins ?? []);
     return {
       name: 'plugins',
       status: STATUSES.OK,
       message: `${plugins.length} plugin${plugins.length === 1 ? '' : 's'} loaded`,
-      details: { count: plugins.length },
+      details: { count: plugins.length, basePath: pkgRoot },
     };
   } catch (err) {
     return {
       name: 'plugins',
       status: STATUSES.ERROR,
       message: `Plugin discovery failed: ${err.message}`,
-      details: { error: err.message },
+      details: { error: err.message, basePath: pkgRoot },
     };
   }
 }
@@ -276,4 +289,5 @@ export const _internals = {
   FREE_SPACE_WARN_MB,
   DEFAULT_NETWORK_TIMEOUT_MS,
   DEFAULT_NETWORK_HOST,
+  PKG_ROOT,
 };