ragent-cli 1.8.0 → 1.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/SECURITY.md +75 -0
- package/dist/index.js +4308 -2910
- package/dist/sbom.json +109 -0
- package/package.json +10 -2
package/README.md
CHANGED
|
@@ -102,6 +102,17 @@ ragent update [--check]
|
|
|
102
102
|
|
|
103
103
|
Use `--check` to see if an update is available without installing.
|
|
104
104
|
|
|
105
|
+
### `ragent discover`
|
|
106
|
+
|
|
107
|
+
One-shot scan for running AI agent sessions.
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
ragent discover # Human-readable table
|
|
111
|
+
ragent discover --json # JSON output
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
Detects Claude Code, Codex CLI, aider, Gemini CLI, and VS Code terminal sessions with confidence scoring.
|
|
115
|
+
|
|
105
116
|
### `ragent sessions list`
|
|
106
117
|
|
|
107
118
|
List tmux sessions, windows, and panes on this host.
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Security — ragent-cli
|
|
2
|
+
|
|
3
|
+
## Reporting Vulnerabilities
|
|
4
|
+
|
|
5
|
+
If you discover a security vulnerability, please report it responsibly.
|
|
6
|
+
|
|
7
|
+
**Email:** security@intellimetrics.net
|
|
8
|
+
|
|
9
|
+
Include: description, reproduction steps, impact assessment, and suggested fix if any.
|
|
10
|
+
We acknowledge reports within 48 hours and aim to patch within 90 days.
|
|
11
|
+
Please do not publicly disclose until a patch is released.
|
|
12
|
+
|
|
13
|
+
## Supported Versions
|
|
14
|
+
|
|
15
|
+
| Version | Supported |
|
|
16
|
+
|---------|-----------|
|
|
17
|
+
| 1.x | Yes |
|
|
18
|
+
|
|
19
|
+
## Supply Chain Security
|
|
20
|
+
|
|
21
|
+
### npm Provenance
|
|
22
|
+
|
|
23
|
+
Every release is published from GitHub Actions with `--provenance`, linking the
|
|
24
|
+
published package back to the exact source commit and CI workflow via Sigstore.
|
|
25
|
+
Verify with:
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
npm audit signatures
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
### Software Bill of Materials (SBOM)
|
|
32
|
+
|
|
33
|
+
Each release includes a CycloneDX SBOM at `dist/sbom.json` inside the npm
|
|
34
|
+
package. It lists all production dependencies with their versions, licenses,
|
|
35
|
+
and package URLs (PURLs).
|
|
36
|
+
|
|
37
|
+
Extract and inspect:
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
# After installing ragent-cli
|
|
41
|
+
cat node_modules/ragent-cli/dist/sbom.json | npx @cyclonedx/cyclonedx-cli validate --input-format json
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### Lockfile Integrity
|
|
45
|
+
|
|
46
|
+
CI uses `npm ci` (not `npm install`) to ensure deterministic installs from the
|
|
47
|
+
committed `package-lock.json`. Any lockfile drift fails the build.
|
|
48
|
+
|
|
49
|
+
### Code Analysis
|
|
50
|
+
|
|
51
|
+
- **CodeQL** runs on every PR and weekly via GitHub Actions
|
|
52
|
+
- **npm audit** (high severity) runs in CI on every PR
|
|
53
|
+
- Source maps are not included in the published package
|
|
54
|
+
|
|
55
|
+
## Runtime Security
|
|
56
|
+
|
|
57
|
+
- The CLI makes **outbound-only** connections (no listening ports)
|
|
58
|
+
- Agent tokens are stored in `~/.config/ragent/config.json` with user-only permissions
|
|
59
|
+
- When installed as a systemd service, hardening directives are applied:
|
|
60
|
+
- `NoNewPrivileges=true`
|
|
61
|
+
- `PrivateTmp=true`
|
|
62
|
+
- `ProtectSystem=strict`
|
|
63
|
+
- `ProtectHome=read-only`
|
|
64
|
+
|
|
65
|
+
## Dependencies
|
|
66
|
+
|
|
67
|
+
Runtime dependencies are kept minimal:
|
|
68
|
+
|
|
69
|
+
| Package | Purpose |
|
|
70
|
+
|---------|---------|
|
|
71
|
+
| `commander` | CLI argument parsing |
|
|
72
|
+
| `ws` | WebSocket client |
|
|
73
|
+
| `node-pty` | PTY spawning (native module) |
|
|
74
|
+
| `figlet` | ASCII art banner |
|
|
75
|
+
| `@azure/web-pubsub-client` | Azure Web PubSub relay |
|