sapper-ai 0.5.0 → 0.6.0

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAaA,wBAAsB,MAAM,CAAC,IAAI,GAAE,MAAM,EAA0B,GAAG,OAAO,CAAC,MAAM,CAAC,CAiCpF"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAkBA,wBAAsB,MAAM,CAAC,IAAI,GAAE,MAAM,EAA0B,GAAG,OAAO,CAAC,MAAM,CAAC,CAuFpF"}

package/dist/cli.js

@@ -45,7 +45,12 @@ const node_path_1 = require("node:path");
 const readline = __importStar(require("node:readline"));
 const select_1 = __importDefault(require("@inquirer/select"));
 const presets_1 = require("./presets");
+const policyYaml_1 = require("./policyYaml");
+const harden_1 = require("./harden");
+const quarantine_1 = require("./quarantine");
+const wrapConfig_1 = require("./mcp/wrapConfig");
 const scan_1 = require("./scan");
+const env_1 = require("./utils/env");
 async function runCli(argv = process.argv.slice(2)) {
     if (argv[0] === '--help' || argv[0] === '-h') {
         printUsage();
@@ -62,7 +67,49 @@ async function runCli(argv = process.argv.slice(2)) {
             printUsage();
             return 1;
         }
-        return (0, scan_1.runScan)(scanOptions);
+        const scanExitCode = await (0, scan_1.runScan)(scanOptions);
+        const shouldOfferHarden = parsed.noPrompt !== true &&
+            process.stdout.isTTY === true &&
+            process.stdin.isTTY === true &&
+            (0, env_1.isCiEnv)(process.env) !== true &&
+            (parsed.harden === true || (await (0, harden_1.getHardenPlanSummary)({ includeSystem: true })).actions.length > 0);
+        if (shouldOfferHarden) {
+            const hardenExitCode = await (0, harden_1.runHarden)({
+                apply: true,
+                includeSystem: true,
+            });
+            if (scanExitCode === 0 && hardenExitCode !== 0) {
+                return hardenExitCode;
+            }
+        }
+        return scanExitCode;
+    }
+    if (argv[0] === 'harden') {
+        const parsed = parseHardenArgs(argv.slice(1));
+        if (!parsed) {
+            printUsage();
+            return 1;
+        }
+        return (0, harden_1.runHarden)(parsed);
+    }
+    if (argv[0] === 'mcp') {
+        const parsed = parseMcpArgs(argv.slice(1));
+        if (!parsed) {
+            printUsage();
+            return 1;
+        }
+        return runMcpCommand(parsed);
+    }
+    if (argv[0] === 'quarantine') {
+        const parsed = parseQuarantineArgs(argv.slice(1));
+        if (!parsed) {
+            printUsage();
+            return 1;
+        }
+        if (parsed.command === 'quarantine_list') {
+            return (0, quarantine_1.runQuarantineList)({ quarantineDir: parsed.quarantineDir });
+        }
+        return (0, quarantine_1.runQuarantineRestore)({ id: parsed.id, quarantineDir: parsed.quarantineDir, force: parsed.force });
     }
     if (argv[0] === 'dashboard') {
         return runDashboard();
@@ -84,10 +131,20 @@ Usage:
   sapper-ai scan --deep       Current directory + subdirectories
   sapper-ai scan --system     AI system paths (~/.claude, ~/.cursor, ...)
   sapper-ai scan ./path       Scan a specific file/directory
+  sapper-ai scan --policy ./sapperai.config.yaml  Use explicit policy path (fatal if invalid)
   sapper-ai scan --fix        Quarantine blocked files
   sapper-ai scan --ai         Deep scan with AI analysis (requires OPENAI_API_KEY)
+  sapper-ai scan --no-prompt  Disable all prompts (CI-safe)
+  sapper-ai scan --harden     After scan, offer to apply recommended hardening
   sapper-ai scan --no-open    Skip opening report in browser
   sapper-ai scan --no-save    Skip saving scan results to ~/.sapperai/scans/
+  sapper-ai harden            Plan recommended setup changes (no writes)
+  sapper-ai harden --apply    Apply recommended project changes
+  sapper-ai harden --include-system   Include system changes (home directory)
+  sapper-ai mcp wrap-config   Wrap MCP servers to run behind sapperai-proxy (defaults to Claude Code config)
+  sapper-ai mcp unwrap-config Undo MCP wrapping
+  sapper-ai quarantine list   List quarantined files
+  sapper-ai quarantine restore <id> [--force]  Restore quarantined file by id
   sapper-ai init          Interactive setup wizard
   sapper-ai dashboard     Launch web dashboard
   sapper-ai --help        Show this help
@@ -97,17 +154,30 @@ Learn more: https://github.com/sapper-ai/sapperai
 }
 function parseScanArgs(argv) {
     const targets = [];
+    let policyPath;
     let fix = false;
     let deep = false;
     let system = false;
     let ai = false;
     let noSave = false;
     let noOpen = false;
-    for (const arg of argv) {
+    let noPrompt = false;
+    let harden = false;
+    for (let index = 0; index < argv.length; index += 1) {
+        const arg = argv[index];
+        const nextArg = argv[index + 1];
         if (arg === '--fix') {
             fix = true;
             continue;
         }
+        if (arg === '--policy') {
+            if (!nextArg || nextArg.startsWith('-')) {
+                return null;
+            }
+            policyPath = nextArg;
+            index += 1;
+            continue;
+        }
         if (arg === '--deep') {
             deep = true;
             continue;
@@ -120,6 +190,14 @@ function parseScanArgs(argv) {
             ai = true;
             continue;
         }
+        if (arg === '--no-prompt') {
+            noPrompt = true;
+            continue;
+        }
+        if (arg === '--harden') {
+            harden = true;
+            continue;
+        }
         if (arg === '--no-open') {
             noOpen = true;
             continue;
@@ -133,7 +211,221 @@ function parseScanArgs(argv) {
         }
         targets.push(arg);
     }
-    return { targets, fix, deep, system, ai, noSave, noOpen };
+    return { targets, policyPath, fix, deep, system, ai, noSave, noOpen, noPrompt, harden };
+}
+function parseHardenArgs(argv) {
+    let apply = false;
+    let includeSystem = false;
+    let yes = false;
+    let noPrompt = false;
+    let force = false;
+    let workflowVersion;
+    let mcpVersion;
+    for (let index = 0; index < argv.length; index += 1) {
+        const arg = argv[index];
+        const nextArg = argv[index + 1];
+        if (arg === '--dry-run') {
+            apply = false;
+            continue;
+        }
+        if (arg === '--apply') {
+            apply = true;
+            continue;
+        }
+        if (arg === '--include-system') {
+            includeSystem = true;
+            continue;
+        }
+        if (arg === '--yes') {
+            yes = true;
+            continue;
+        }
+        if (arg === '--no-prompt') {
+            noPrompt = true;
+            continue;
+        }
+        if (arg === '--force') {
+            force = true;
+            continue;
+        }
+        if (arg === '--workflow-version') {
+            if (!nextArg || nextArg.startsWith('-'))
+                return null;
+            workflowVersion = nextArg;
+            index += 1;
+            continue;
+        }
+        if (arg === '--mcp-version') {
+            if (!nextArg || nextArg.startsWith('-'))
+                return null;
+            mcpVersion = nextArg;
+            index += 1;
+            continue;
+        }
+        return null;
+    }
+    return {
+        apply,
+        includeSystem,
+        yes,
+        noPrompt,
+        force,
+        workflowVersion,
+        mcpVersion,
+    };
+}
+function parseMcpArgs(argv) {
+    const subcommand = argv[0];
+    const rest = argv.slice(1);
+    if (!subcommand)
+        return null;
+    const defaultConfigPath = (0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'claude-code', 'config.json');
+    let configPath = defaultConfigPath;
+    let format = 'jsonc';
+    let dryRun = false;
+    let mcpVersion;
+    for (let index = 0; index < rest.length; index += 1) {
+        const arg = rest[index];
+        const nextArg = rest[index + 1];
+        if (arg === '--config') {
+            if (!nextArg || nextArg.startsWith('-'))
+                return null;
+            configPath = nextArg;
+            format = 'json';
+            index += 1;
+            continue;
+        }
+        if (arg === '--jsonc') {
+            format = 'jsonc';
+            continue;
+        }
+        if (arg === '--dry-run') {
+            dryRun = true;
+            continue;
+        }
+        if (arg === '--mcp-version') {
+            if (!nextArg || nextArg.startsWith('-'))
+                return null;
+            mcpVersion = nextArg;
+            index += 1;
+            continue;
+        }
+        return null;
+    }
+    if (subcommand === 'wrap-config') {
+        return { command: 'mcp_wrap_config', configPath, format, dryRun, mcpVersion };
+    }
+    if (subcommand === 'unwrap-config') {
+        return { command: 'mcp_unwrap_config', configPath, format, dryRun };
+    }
+    return null;
+}
+async function runMcpCommand(args) {
+    if (args.command === 'mcp_unwrap_config') {
+        const result = await (0, wrapConfig_1.unwrapMcpConfigFile)({
+            filePath: args.configPath,
+            format: args.format,
+            dryRun: args.dryRun,
+        });
+        if (!result.changed) {
+            console.log('No changes needed.');
+            return 0;
+        }
+        if (result.restoredFromBackupPath) {
+            if (args.dryRun) {
+                console.log(`Config parse failed; would restore from backup: ${result.restoredFromBackupPath}`);
+                return 0;
+            }
+            console.log(`Config parse failed; restored from backup: ${result.restoredFromBackupPath}`);
+            if (result.backupPath)
+                console.log(`Backup: ${result.backupPath}`);
+            return 0;
+        }
+        if (args.dryRun) {
+            console.log(`Would unwrap ${result.changedServers.length} server(s): ${result.changedServers.join(', ')}`);
+            return 0;
+        }
+        console.log(`Unwrapped ${result.changedServers.length} server(s): ${result.changedServers.join(', ')}`);
+        if (result.backupPath)
+            console.log(`Backup: ${result.backupPath}`);
+        return 0;
+    }
+    if (!(0, wrapConfig_1.checkNpxAvailable)()) {
+        console.error("npx is not available on PATH. Install Node.js/npm and retry.");
+        return 1;
+    }
+    const envVersion = process.env.SAPPERAI_MCP_VERSION?.trim();
+    const installedVersion = (0, wrapConfig_1.resolveInstalledPackageVersion)('@sapper-ai/mcp');
+    const mcpVersion = (args.mcpVersion ?? envVersion ?? installedVersion ?? '').trim();
+    if (!mcpVersion) {
+        console.error("Missing MCP version. Provide '--mcp-version <semver>' or install @sapper-ai/mcp.");
+        return 1;
+    }
+    const result = await (0, wrapConfig_1.wrapMcpConfigFile)({
+        filePath: args.configPath,
+        mcpVersion,
+        format: args.format,
+        dryRun: args.dryRun,
+    });
+    if (!result.changed) {
+        console.log('No changes needed.');
+        return 0;
+    }
+    if (args.dryRun) {
+        console.log(`Would wrap ${result.changedServers.length} server(s): ${result.changedServers.join(', ')}`);
+        return 0;
+    }
+    console.log(`Wrapped ${result.changedServers.length} server(s): ${result.changedServers.join(', ')}`);
+    if (result.backupPath)
+        console.log(`Backup: ${result.backupPath}`);
+    return 0;
+}
+function parseQuarantineArgs(argv) {
+    const subcommand = argv[0];
+    const rest = argv.slice(1);
+    if (!subcommand)
+        return null;
+    let quarantineDir;
+    let force = false;
+    if (subcommand === 'list') {
+        for (let index = 0; index < rest.length; index += 1) {
+            const arg = rest[index];
+            const nextArg = rest[index + 1];
+            if (arg === '--quarantine-dir') {
+                if (!nextArg || nextArg.startsWith('-'))
+                    return null;
+                quarantineDir = nextArg;
+                index += 1;
+                continue;
+            }
+            return null;
+        }
+        return { command: 'quarantine_list', quarantineDir };
+    }
+    if (subcommand === 'restore') {
+        const id = rest[0];
+        if (!id)
+            return null;
+        const tail = rest.slice(1);
+        for (let index = 0; index < tail.length; index += 1) {
+            const arg = tail[index];
+            const nextArg = tail[index + 1];
+            if (arg === '--force') {
+                force = true;
+                continue;
+            }
+            if (arg === '--quarantine-dir') {
+                if (!nextArg || nextArg.startsWith('-'))
+                    return null;
+                quarantineDir = nextArg;
+                index += 1;
+                continue;
+            }
+            return null;
+        }
+        return { command: 'quarantine_restore', id, quarantineDir, force };
+    }
+    return null;
 }
 function displayPath(path) {
     const home = (0, node_os_1.homedir)();
@@ -176,6 +468,7 @@ async function resolveScanOptions(args) {
         fix: args.fix,
         noSave: args.noSave,
         noOpen: args.noOpen,
+        policyPath: args.policyPath,
     };
     if (args.system) {
         if (args.targets.length > 0) {
@@ -204,8 +497,8 @@ async function resolveScanOptions(args) {
     if (args.deep) {
         return { ...common, targets: [cwd], deep: true, ai: args.ai, scopeLabel: 'Current + subdirectories' };
     }
-    if (process.stdout.isTTY !== true) {
-        return { ...common, targets: [cwd], deep: true, ai: false, scopeLabel: 'Current + subdirectories' };
+    if (args.noPrompt === true || process.stdout.isTTY !== true) {
+        return { ...common, targets: [cwd], deep: true, ai: args.ai, scopeLabel: 'Current + subdirectories' };
     }
     const scope = await promptScanScope(cwd);
     const ai = args.ai ? true : await promptScanDepth();
@@ -285,9 +578,9 @@ async function runInitWizard() {
         '# Generated by: sapper-ai init',
         '# Docs: https://github.com/sapper-ai/sapperai',
         '',
-        ...buildPolicyYaml(selectedPreset, auditLogPath),
     ];
-    (0, node_fs_1.writeFileSync)(outputPath, `${lines.join('\n')}\n`, 'utf8');
+    const body = (0, policyYaml_1.renderPolicyYaml)(selectedPreset, auditLogPath);
+    (0, node_fs_1.writeFileSync)(outputPath, `${lines.join('\n')}\n${body}`, 'utf8');
     console.log(`\n  Created ${outputPath}\n`);
     console.log('  Quick start:\n');
     console.log("    import { createGuard } from 'sapper-ai'");
@@ -296,29 +589,6 @@ async function runInitWizard() {
     console.log();
     rl.close();
 }
-function buildPolicyYaml(preset, auditLogPath) {
-    const p = presets_1.presets[preset].policy;
-    const lines = [];
-    lines.push(`mode: ${p.mode}`);
-    lines.push(`defaultAction: ${p.defaultAction}`);
-    lines.push(`failOpen: ${p.failOpen}`);
-    lines.push('');
-    lines.push('detectors:');
-    const detectors = p.detectors ?? ['rules'];
-    for (const d of detectors) {
-        lines.push(`  - ${d}`);
-    }
-    lines.push('');
-    lines.push('thresholds:');
-    const thresholds = p.thresholds ?? {};
-    lines.push(`  riskThreshold: ${thresholds.riskThreshold ?? 0.7}`);
-    lines.push(`  blockMinConfidence: ${thresholds.blockMinConfidence ?? 0.5}`);
-    if (auditLogPath) {
-        lines.push('');
-        lines.push(`auditLogPath: ${auditLogPath}`);
-    }
-    return lines;
-}
 function isDirectExecution(argv) {
     const entry = argv[1];
     if (!entry) {

package/dist/harden.d.ts

@@ -0,0 +1,28 @@
+type HardenScope = 'project' | 'system';
+export interface HardenPlanSummary {
+    repoRoot: string;
+    notes: string[];
+    actions: Array<{
+        id: string;
+        scope: HardenScope;
+        title: string;
+        paths: string[];
+    }>;
+}
+export interface HardenOptions {
+    cwd?: string;
+    env?: NodeJS.ProcessEnv;
+    includeSystem?: boolean;
+    dryRun?: boolean;
+    apply?: boolean;
+    yes?: boolean;
+    noPrompt?: boolean;
+    force?: boolean;
+    workflowVersion?: string;
+    mcpVersion?: string;
+    write?: (text: string) => void;
+}
+export declare function getHardenPlanSummary(options?: HardenOptions): Promise<HardenPlanSummary>;
+export declare function runHarden(options?: HardenOptions): Promise<number>;
+export {};
+//# sourceMappingURL=harden.d.ts.map

package/dist/harden.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"harden.d.ts","sourceRoot":"","sources":["../src/harden.ts"],"names":[],"mappings":"AAeA,KAAK,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAA;AAUvC,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,OAAO,EAAE,KAAK,CAAC;QACb,EAAE,EAAE,MAAM,CAAA;QACV,KAAK,EAAE,WAAW,CAAA;QAClB,KAAK,EAAE,MAAM,CAAA;QACb,KAAK,EAAE,MAAM,EAAE,CAAA;KAChB,CAAC,CAAA;CACH;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAA;IACvB,aAAa,CAAC,EAAE,OAAO,CAAA;IACvB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,GAAG,CAAC,EAAE,OAAO,CAAA;IACb,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;CAC/B;AAoLD,wBAAsB,oBAAoB,CAAC,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAOlG;AAED,wBAAsB,SAAS,CAAC,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAgG5E"}