npm - nsauditor-ai - Versions diffs - 0.1.34 → 0.1.35 - Mend

nsauditor-ai 0.1.34 → 0.1.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -15,6 +15,30 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 **Zero Data Exfiltration by design.** NSAuditor AI works fully offline. AI analysis, CVE correlation, and continuous monitoring all happen locally. External calls (to AI APIs, NVD, etc.) are opt-in and use your own API keys. We never see your scan data.
+## What's New (0.1.35) — CLI provenance footer matches MCP response (so the comparison actually works)
+0.1.34 added the version-provenance block to the MCP server's `list_plugins` response, but **the CLI baseline (`license --plugins` / `license --status`) didn't show versions** — so customers couldn't easily compare. 0.1.35 fixes that asymmetry.
+Both CLI commands now emit an identical provenance block:
+```
+── Installation provenance ──
+  nsauditor-ai (CE):              0.1.35
+  @nsasoft/nsauditor-ai-ee (EE):  0.3.4 (loaded)
+```
+**Customer hallucination-detection workflow (5 seconds, no log archeology):**
+1. In Claude Desktop: ask "list plugins" → receive a response that should end with the provenance block
+2. In your terminal: run `nsauditor-ai license --plugins`
+3. Compare the two `── Installation provenance ──` blocks character-for-character
+4. **Match** → real MCP `tools/call` happened, response is trustworthy
+5. **Mismatch / missing block** → Claude fabricated the response (see CE 0.1.33 advisory)
+This is the v1 mitigation; the v2 (Thread L Phase 2) adds per-call cryptographic sentinel UUIDs that the customer can grep against the server log directly. v1 catches the common case where Claude either omits the block entirely (unlikely to fabricate the new structure verbatim) or includes a stale version pulled from training data.
+---
 ## What's New (0.1.34) — list_plugins now embeds CE+EE versions for hallucination detection
 Companion to the 0.1.33 advisory. The `list_plugins` MCP tool's response now appends the actual installed CE + EE version numbers, so customers can verify a Claude Desktop response in **5 seconds** without log archeology:

package/cli.mjs CHANGED Viewed

@@ -5,8 +5,10 @@ import { buildHtmlReport } from './utils/report_html.mjs';
 import fsp from 'node:fs/promises';
 import { dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { createRequire } from 'node:module';
 const __dirname = dirname(fileURLToPath(import.meta.url));
+const _require = createRequire(import.meta.url);
 import path from 'node:path';
 import { platform } from 'node:os';
 import { openaiSimplePrompt, openaiPrompt as openaiProPrompt, openaiPromptOptimized } from './utils/prompts.mjs';
@@ -931,6 +933,20 @@ Docs: https://www.nsauditor.com/ai/   |   Pricing: https://www.nsauditor.com/ai/
           console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
         }
       }
+      // CE 0.1.35 (Thread L mitigation v2): version provenance footer
+      // matches the MCP server's list_plugins suffix exactly. Customer
+      // verification flow: read versions in Claude Desktop's MCP
+      // response → compare against `license --status` output here.
+      // Mismatch ⇒ Claude hallucinated.
+      let _eeVersion = 'not installed';
+      try {
+        const ee = _require('@nsasoft/nsauditor-ai-ee/package.json');
+        _eeVersion = ee && ee.version ? `${ee.version} (loaded)` : 'unknown (loaded)';
+      } catch { /* CE-only — fine */ }
+      console.log('');
+      console.log('── Installation provenance ──');
+      console.log(`  nsauditor-ai (CE):              ${TOOL_VERSION}`);
+      console.log(`  @nsasoft/nsauditor-ai-ee (EE):  ${_eeVersion}`);
     } else if (rawArgs.includes('--capabilities')) {
       const tier = getTierFromEnv();
       const caps = resolveCapabilities(tier);
@@ -1004,6 +1020,24 @@ Docs: https://www.nsauditor.com/ai/   |   Pricing: https://www.nsauditor.com/ai/
         console.log('');
         console.log(`  ${totalRendered} plugin${totalRendered === 1 ? '' : 's'} total · current tier: ${tier}`);
       }
+      // CE 0.1.35 (Thread L mitigation v2): emit installation provenance
+      // identical in shape to the MCP server's list_plugins suffix.
+      // Customers comparing Claude Desktop's MCP response against the
+      // CLI baseline now see the SAME version block in both places.
+      // Mismatch → Claude hallucinated. Match → real tool call.
+      const ceVersion = TOOL_VERSION;
+      let eeVersion = 'not installed';
+      try {
+        const eeManifest = _require('@nsasoft/nsauditor-ai-ee/package.json');
+        eeVersion = eeManifest && eeManifest.version
+          ? `${eeManifest.version} (loaded)`
+          : 'unknown (loaded)';
+      } catch { /* CE-only install — fine */ }
+      console.log('');
+      console.log('── Installation provenance ──');
+      console.log(`  nsauditor-ai (CE):              ${ceVersion}`);
+      console.log(`  @nsasoft/nsauditor-ai-ee (EE):  ${eeVersion}`);
     } else if (rawArgs.includes('install')) {
       // CE-0.1.30.4 — install command. Verify the JWT FIRST, then persist
       // to a platform-appropriate location (macOS Keychain / file).

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.34",
+  "version": "0.1.35",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,