pkgxray 0.2.0 → 0.4.0

package/README.md

@@ -96,11 +96,10 @@ Use the stdio server from any MCP-capable agent:
 }
 ```
 
-The server exposes three tools:
+The server exposes two tools:
 
-- `audit_agent_extension_supply_chain` — zero-dep static heuristics
+- `audit_agent_extension_supply_chain` — static heuristics on supplied evidence
 - `guard_agent_extension_install` — stage, vuln-check, audit a real package
-- `reason_about_extension_supply_chain` — Claude-powered authoritative verdict (requires `ANTHROPIC_API_KEY`)
 
 Tool arguments:
 
@@ -114,50 +113,22 @@ Tool arguments:
 `guard_agent_extension_install` accepts `reference`, optional `quarantineRoot`,
 optional `promoteTo`, `policy`, `force`, and `outputFormat`.
 
-`reason_about_extension_supply_chain` accepts the same evidence shape as
-`audit_agent_extension_supply_chain`, plus optional `model` (default
-`claude-opus-4-7`) and `maxFiles` (default 200). It returns a JSON verdict per
-the prompt's schema (`verdict`, `summary`, `findings`, `evidenceGaps`,
-`promotable`) plus `usage` and `latencyMs`.
+## Static heuristics — calibration
 
-## Reasoning mode (`--reason`)
+The heuristics are calibrated to keep legitimate packages out of `block`. Real
+malicious patterns that gate the verdict:
 
-Layer an LLM-powered authoritative verdict on top of the static heuristics.
-Supports Anthropic (Claude), OpenAI (GPT), and Google (Gemini).
+- **block** (HIGH) — prompt-injection text in README/docs, credential reads in
+  proximity to a filesystem-read primitive, persistence writes to shell rc /
+  cron / launchagents, dynamic exec + hardcoded IP/shortener/webhook target,
+  bulk `process.env` harvest in the same file as outbound network.
+- **review** (MEDIUM) — install / postinstall / prepare lifecycle scripts,
+  dynamic eval / new Function / vm, clipboard read/write, missing
+  package.json, missing entrypoint source.
+- **info** — child_process / fetch / network in isolation. Common in build
+  tools and CLIs; recorded but does not gate the verdict.
 
-```bash
-# Anthropic (default)
-export ANTHROPIC_API_KEY=sk-ant-...
-npm install -g @anthropic-ai/sdk
-pkgxray --reason --file evidence.json
-pkgxray guard npm:some-pkg --reason --format json
-
-# OpenAI
-export OPENAI_API_KEY=sk-...
-npm install -g openai
-pkgxray guard npm:some-pkg --reason --reason-provider openai
-
-# Gemini
-export GEMINI_API_KEY=...
-npm install -g @google/generative-ai
-pkgxray guard npm:some-pkg --reason --reason-model gemini-2.5-pro
-```
-
-Provider is selected by `--reason-provider <anthropic|openai|gemini>` or
-auto-detected from the model prefix (`claude-*` → anthropic, `gpt-*`/`o*` →
-openai, `gemini-*` → gemini). Defaults: `claude-opus-4-7`, `gpt-5`,
-`gemini-2.5-pro` — overridable with `--reason-model`.
-
-The Anthropic path uses adaptive thinking, `effort: "high"`, and caches the
-system prompt for 5-minute TTL (~90% cheaper on prompt tokens for repeated
-calls in the window). OpenAI uses strict structured outputs against the same
-JSON Schema. Gemini uses JSON-mode responses.
-
-Source files are capped at 200 files / 32 KB each / 500 KB total before
-sending — override with `--reason-max-files`.
-
-The reasoning verdict supersedes the static decision when `--reason` is used.
-Exit codes: `0` = safe, `2` = block, `3` = review.
+`.d.ts`, `.map`, `.min.js`, and `.lock` files are skipped entirely.
 
 ## Browser Extension
 

package/bin/audit.js

@@ -4,8 +4,6 @@
 const fs = require("node:fs");
 const { auditEvidence, renderMarkdown } = require("../src/auditor");
 const { guardExtension } = require("../src/quarantine");
-const { reasonAbout } = require("../src/reasoner");
-const { detectAvailableProvider, reasoningSetupHint } = require("../src/providers");
 
 function printUsage() {
   process.stderr.write(
@@ -14,17 +12,10 @@ function printUsage() {
       "  pkgxray < evidence.json",
       "  pkgxray --format json < evidence.json",
       "  pkgxray --file evidence.json --format markdown",
-      "  pkgxray --reason --file evidence.json",
-      "  pkgxray guard <npm-package|npm:name@version|./path> [--reason] [--promote-to dir] [--no-source-scan]",
+      "  pkgxray guard <npm-package|npm:name@version|./path> [--promote-to dir] [--no-source-scan]",
       "",
       "Evidence JSON fields:",
       "  packageName, npmMetadata, githubMetadata, webPresence, sourceFiles",
-      "",
-      "LLM reasoning runs automatically when any of ANTHROPIC_API_KEY,",
-      "OPENAI_API_KEY, or GEMINI_API_KEY is set AND the matching SDK is",
-      "installed (@anthropic-ai/sdk, openai, or @google/generative-ai).",
-      "Use --no-reason to force static-only, --reason-provider <name> to pin a",
-      "provider, --reason-model <id> to pin a model.",
       ""
     ].join("\n")
   );
@@ -58,17 +49,6 @@ function parseArgs(argv) {
       options.sourceScan = false;
     } else if (arg === "--no-vulnerability-check") {
       options.vulnerabilityCheck = false;
-    } else if (arg === "--reason") {
-      options.reason = true;
-    } else if (arg === "--no-reason") {
-      options.reason = false;
-      options.reasonExplicitOff = true;
-    } else if (arg === "--reason-model") {
-      options.reasonModel = argv[++i];
-    } else if (arg === "--reason-provider") {
-      options.reasonProvider = argv[++i];
-    } else if (arg === "--reason-max-files") {
-      options.reasonMaxFiles = Number(argv[++i]);
     } else {
       throw new Error(`Unknown argument: ${arg}`);
     }
@@ -86,36 +66,6 @@ function readInput(file) {
   return fs.readFileSync(0, "utf8");
 }
 
-function resolveReasonMode(options) {
-  if (options.reasonExplicitOff) return { enabled: false, autoDetected: false };
-  if (options.reason) return { enabled: true, autoDetected: false };
-  const detected = detectAvailableProvider();
-  if (detected) {
-    return { enabled: true, autoDetected: true, detectedProvider: detected.name };
-  }
-  return { enabled: false, autoDetected: false };
-}
-
-async function maybeReason(evidence, options, mode) {
-  if (!mode || !mode.enabled) return null;
-  try {
-    return await reasonAbout(evidence, {
-      provider: options.reasonProvider || mode.detectedProvider,
-      model: options.reasonModel,
-      maxFiles: options.reasonMaxFiles
-    });
-  } catch (error) {
-    return { error: { code: error.code || "REASONER_ERROR", message: error.message } };
-  }
-}
-
-function reasoningExitCode(reasoning) {
-  if (!reasoning || reasoning.error) return null;
-  if (reasoning.verdict === "block") return 2;
-  if (reasoning.verdict === "review") return 3;
-  return 0;
-}
-
 async function main() {
   const options = parseArgs(process.argv.slice(2));
   if (options.help) {
@@ -128,27 +78,6 @@ async function main() {
       throw new Error("guard requires an extension reference");
     }
     const result = await guardExtension(options.reference, options);
-    const reasonMode = resolveReasonMode(options);
-    if (reasonMode.enabled) {
-      const evidenceForReason = {
-        packageName: result.resolved && result.resolved.packageName,
-        npmMetadata: result.resolved && result.resolved.npmMetadata,
-        githubMetadata: null,
-        webPresence: null,
-        sourceFiles: result.sourceFiles || {}
-      };
-      const reasoning = await maybeReason(evidenceForReason, options, reasonMode);
-      result.reasoning = reasoning;
-      if (reasoning && !reasoning.error && reasoning.verdict) {
-        result.decision = reasoning.verdict === "block"
-          ? "block"
-          : reasoning.verdict === "safe"
-            ? "allow"
-            : "review";
-      }
-    } else {
-      result.reasoningHint = reasoningSetupHint();
-    }
     if (options.format === "json") {
       process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
     } else {
@@ -165,30 +94,14 @@ async function main() {
 
   const evidence = JSON.parse(raw);
   const report = auditEvidence(evidence);
-  const reasonMode = resolveReasonMode(options);
-  const reasoning = await maybeReason(evidence, options, reasonMode);
-  const hint = reasonMode.enabled ? null : reasoningSetupHint();
-
-  const payload = reasoning
-    ? { report, reasoning }
-    : hint
-      ? { report, reasoningHint: hint }
-      : report;
 
   if (options.format === "json") {
-    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
-  } else if (reasoning) {
-    process.stdout.write(`${renderMarkdown(report)}\n\n---\n\n${renderReasoningMarkdown(reasoning)}\n`);
-  } else if (hint) {
-    process.stdout.write(`${renderMarkdown(report)}\n\n💡 ${hint}\n`);
+    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
   } else {
     process.stdout.write(`${renderMarkdown(report)}\n`);
   }
 
-  const exitFromReason = reasoningExitCode(reasoning);
-  if (exitFromReason !== null) {
-    process.exitCode = exitFromReason;
-  }
+  process.exitCode = report.verdict === "block" ? 2 : report.verdict === "review" ? 3 : 0;
 }
 
 function renderGuardMarkdown(result) {
@@ -204,55 +117,6 @@ function renderGuardMarkdown(result) {
   }
 
   lines.push(renderMarkdown(result.report));
-
-  if (result.reasoning) {
-    lines.push("", "---", "", renderReasoningMarkdown(result.reasoning));
-  } else if (result.reasoningHint) {
-    lines.push("", `💡 ${result.reasoningHint}`);
-  }
-
-  return lines.join("\n");
-}
-
-function renderReasoningMarkdown(reasoning) {
-  if (reasoning.error) {
-    return `Reasoning: **unavailable** (${reasoning.error.code}: ${reasoning.error.message})`;
-  }
-  const lines = [
-    `Reasoning verdict: **${(reasoning.verdict || "?").toUpperCase()}**`,
-    `Provider: \`${reasoning.provider || "?"}\` · Model: \`${reasoning.model}\` · latency: ${reasoning.latencyMs} ms`,
-    "",
-    reasoning.summary || "",
-    ""
-  ];
-  if (reasoning.usage) {
-    const u = reasoning.usage;
-    const parts = [
-      `in=${u.input_tokens ?? "?"}`,
-      `out=${u.output_tokens ?? "?"}`,
-      `cache_read=${u.cache_read_input_tokens ?? 0}`,
-      `cache_write=${u.cache_creation_input_tokens ?? 0}`
-    ];
-    lines.push(`Tokens: ${parts.join(" · ")}`, "");
-  }
-  if (reasoning.findings && reasoning.findings.length > 0) {
-    lines.push("Findings:");
-    for (const finding of reasoning.findings) {
-      lines.push(
-        `- **${finding.severity.toUpperCase()} - ${finding.category}**: ${finding.reasoning}`,
-        `  Evidence: \`${finding.evidence}\``
-      );
-    }
-    lines.push("");
-  } else {
-    lines.push("Findings: none reported.", "");
-  }
-  if (reasoning.evidenceGaps && reasoning.evidenceGaps.length > 0) {
-    lines.push("Evidence gaps:");
-    for (const gap of reasoning.evidenceGaps) {
-      lines.push(`- ${gap}`);
-    }
-  }
   return lines.join("\n");
 }
 

package/bin/mcp-server.js

@@ -3,11 +3,9 @@
 
 const { auditEvidence, renderMarkdown } = require("../src/auditor");
 const { guardExtension } = require("../src/quarantine");
-const { reasonAbout } = require("../src/reasoner");
 
 const TOOL_NAME = "audit_agent_extension_supply_chain";
 const GUARD_TOOL_NAME = "guard_agent_extension_install";
-const REASON_TOOL_NAME = "reason_about_extension_supply_chain";
 let buffer = "";
 
 function send(message) {
@@ -115,59 +113,6 @@ function guardToolDefinition() {
   };
 }
 
-function reasonToolDefinition() {
-  return {
-    name: REASON_TOOL_NAME,
-    description:
-      "Consult an LLM as an authoritative reasoning layer over supplied evidence. Supports Anthropic, OpenAI, and Gemini providers; defaults to Anthropic + claude-opus-4-7. Returns a structured JSON verdict (verdict, summary, findings, evidenceGaps, promotable). Requires the matching env key (ANTHROPIC_API_KEY / OPENAI_API_KEY / GEMINI_API_KEY) and SDK installed.",
-    inputSchema: {
-      type: "object",
-      additionalProperties: false,
-      properties: {
-        packageName: { type: "string" },
-        npmMetadata: {},
-        githubMetadata: {},
-        webPresence: {},
-        sourceFiles: {
-          description:
-            "Map of file path to source text, or an array of objects with path/name and content/text.",
-          anyOf: [
-            { type: "object", additionalProperties: { type: "string" } },
-            {
-              type: "array",
-              items: {
-                type: "object",
-                additionalProperties: true,
-                properties: {
-                  path: { type: "string" },
-                  name: { type: "string" },
-                  content: { type: "string" },
-                  text: { type: "string" }
-                }
-              }
-            }
-          ]
-        },
-        provider: {
-          type: "string",
-          enum: ["anthropic", "openai", "gemini"],
-          description: "LLM provider. Defaults to anthropic, or auto-detected from model."
-        },
-        model: {
-          type: "string",
-          description:
-            "Model ID. Defaults per provider: anthropic=claude-opus-4-7, openai=gpt-5, gemini=gemini-2.5-pro."
-        },
-        maxFiles: {
-          type: "integer",
-          description: "Cap on source files sent to the model. Default 200."
-        }
-      },
-      required: ["sourceFiles"]
-    }
-  };
-}
-
 function handleRequest(request) {
   const { id, method, params } = request;
 
@@ -195,14 +140,14 @@ function handleRequest(request) {
       jsonrpc: "2.0",
       id,
       result: {
-        tools: [toolDefinition(), guardToolDefinition(), reasonToolDefinition()]
+        tools: [toolDefinition(), guardToolDefinition()]
       }
     };
   }
 
   if (method === "tools/call") {
     const name = params && params.name;
-    if (name !== TOOL_NAME && name !== GUARD_TOOL_NAME && name !== REASON_TOOL_NAME) {
+    if (name !== TOOL_NAME && name !== GUARD_TOOL_NAME) {
       return {
         jsonrpc: "2.0",
         id,
@@ -215,27 +160,6 @@ function handleRequest(request) {
 
     const args = (params && params.arguments) || {};
 
-    if (name === REASON_TOOL_NAME) {
-      return reasonAbout(args, {
-        provider: args.provider,
-        model: args.model,
-        maxFiles: args.maxFiles
-      })
-        .then((reasoning) => ({
-          jsonrpc: "2.0",
-          id,
-          result: {
-            content: textContent(JSON.stringify(reasoning, null, 2)),
-            structuredContent: reasoning
-          }
-        }))
-        .catch((error) => ({
-          jsonrpc: "2.0",
-          id,
-          error: { code: -32603, message: `${error.code || "REASONER_ERROR"}: ${error.message}` }
-        }));
-    }
-
     if (name === GUARD_TOOL_NAME) {
       return guardExtension(args.reference, args).then((guardResult) => {
         const text =

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pkgxray",
-  "version": "0.2.0",
-  "description": "Local CLI and MCP server that audits AI-agent extensions and npm packages for supply-chain risk. Zero-dep static heuristics + sandboxed quarantine + optional multi-provider (Claude / GPT / Gemini) reasoning layer.",
+  "version": "0.4.0",
+  "description": "Zero-dep local CLI and MCP server that scans npm packages and AI-agent extensions for supply-chain risk. OSV vuln pre-check, sandboxed quarantine, tarball-integrity verification, calibrated static heuristics.",
   "license": "MIT",
   "author": "Jack Adams-Lovell",
   "type": "commonjs",
@@ -34,26 +34,9 @@
     "security",
     "supply-chain",
     "npm-audit",
-    "agent-extension",
-    "ai-safety",
-    "claude",
-    "openai",
-    "gemini"
+    "agent-extension"
   ],
   "engines": {
     "node": ">=18"
-  },
-  "peerDependencies": {
-    "@anthropic-ai/sdk": ">=0.40.0",
-    "openai": ">=4.0.0",
-    "@google/generative-ai": ">=0.20.0"
-  },
-  "peerDependenciesMeta": {
-    "@anthropic-ai/sdk": { "optional": true },
-    "openai": { "optional": true },
-    "@google/generative-ai": { "optional": true }
-  },
-  "devDependencies": {
-    "@anthropic-ai/sdk": "^0.105.0"
   }
 }