ragent-cli 1.8.0 → 1.9.0
- package/SECURITY.md +75 -0
- package/dist/index.js +1159 -89
- package/dist/sbom.json +1149 -0
- package/package.json +6 -2
package/SECURITY.md
ADDED
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Security — ragent-cli
|
|
2
|
+
|
|
3
|
+
## Reporting Vulnerabilities
|
|
4
|
+
|
|
5
|
+
If you discover a security vulnerability, please report it responsibly.
|
|
6
|
+
|
|
7
|
+
**Email:** security@intellimetrics.net
|
|
8
|
+
|
|
9
|
+
Include: description, reproduction steps, impact assessment, and suggested fix if any.
|
|
10
|
+
We acknowledge reports within 48 hours and aim to patch within 90 days.
|
|
11
|
+
Please do not publicly disclose until a patch is released.
|
|
12
|
+
|
|
13
|
+
## Supported Versions
|
|
14
|
+
|
|
15
|
+
| Version | Supported |
|
|
16
|
+
|---------|-----------|
|
|
17
|
+
| 1.x | Yes |
|
|
18
|
+
|
|
19
|
+
## Supply Chain Security
|
|
20
|
+
|
|
21
|
+
### npm Provenance
|
|
22
|
+
|
|
23
|
+
Every release is published from GitHub Actions with `--provenance`, linking the
|
|
24
|
+
published package back to the exact source commit and CI workflow via Sigstore.
|
|
25
|
+
Verify with:
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
npm audit signatures
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
### Software Bill of Materials (SBOM)
|
|
32
|
+
|
|
33
|
+
Each release includes a CycloneDX SBOM at `dist/sbom.json` inside the npm
|
|
34
|
+
package. It lists all production dependencies with their versions, licenses,
|
|
35
|
+
and package URLs (PURLs).
|
|
36
|
+
|
|
37
|
+
Extract and inspect:
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
# After installing ragent-cli
|
|
41
|
+
cat node_modules/ragent-cli/dist/sbom.json | npx @cyclonedx/cyclonedx-cli validate --input-format json
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### Lockfile Integrity
|
|
45
|
+
|
|
46
|
+
CI uses `npm ci` (not `npm install`) to ensure deterministic installs from the
|
|
47
|
+
committed `package-lock.json`. Any lockfile drift fails the build.
|
|
48
|
+
|
|
49
|
+
### Code Analysis
|
|
50
|
+
|
|
51
|
+
- **CodeQL** runs on every PR and weekly via GitHub Actions
|
|
52
|
+
- **npm audit** (high severity) runs in CI on every PR
|
|
53
|
+
- Source maps are not included in the published package
|
|
54
|
+
|
|
55
|
+
## Runtime Security
|
|
56
|
+
|
|
57
|
+
- The CLI makes **outbound-only** connections (no listening ports)
|
|
58
|
+
- Agent tokens are stored in `~/.config/ragent/config.json` with user-only permissions
|
|
59
|
+
- When installed as a systemd service, hardening directives are applied:
|
|
60
|
+
- `NoNewPrivileges=true`
|
|
61
|
+
- `PrivateTmp=true`
|
|
62
|
+
- `ProtectSystem=strict`
|
|
63
|
+
- `ProtectHome=read-only`
|
|
64
|
+
|
|
65
|
+
## Dependencies
|
|
66
|
+
|
|
67
|
+
Runtime dependencies are kept minimal:
|
|
68
|
+
|
|
69
|
+
| Package | Purpose |
|
|
70
|
+
|---------|---------|
|
|
71
|
+
| `commander` | CLI argument parsing |
|
|
72
|
+
| `ws` | WebSocket client |
|
|
73
|
+
| `node-pty` | PTY spawning (native module) |
|
|
74
|
+
| `figlet` | ASCII art banner |
|
|
75
|
+
| `@azure/web-pubsub-client` | Azure Web PubSub relay |
|
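Review bot: The SBOM check at SECURITY.md line 41 runs `npx @cyclonedx/cyclonedx-cli validate --input-format json` with no version pin, so a reader following the supply-chain verification steps downloads and executes whatever version of that package the registry serves at that moment. Pin the validator to an exact version in the documented command, and pass the file path directly rather than piping through `cat` so a missing `dist/sbom.json` fails visibly. In the Runtime Security list, line 58 says tokens in `~/.config/ragent/config.json` have "user-only permissions" without stating the mode or whether the CLI enforces it on every write; state the mode explicitly. Lines 59-63 should also say which user the systemd unit runs as and how the service reaches the token file, since `ProtectHome=read-only` makes home directories read-only to the service.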