security-mcp 1.0.3 → 1.0.5

package/dist/tests/run.js

@@ -0,0 +1,103 @@
+import assert from "node:assert/strict";
+import { existsSync, readFileSync, rmSync } from "node:fs";
+import path from "node:path";
+import { runPrGate } from "../gate/policy.js";
+import { createReviewAttestation, createReviewRun, readReviewRun, updateReviewStep } from "../review/store.js";
+function repoPath(...parts) {
+    return path.join(process.cwd(), ...parts);
+}
+function cleanupFixtureReviewArtifacts(fixtureName) {
+    const fixtureRoot = repoPath("fixtures", fixtureName, ".mcp");
+    rmSync(path.join(fixtureRoot, "reports"), { recursive: true, force: true });
+    rmSync(path.join(fixtureRoot, "reviews"), { recursive: true, force: true });
+}
+async function withFixture(fixtureName, fn) {
+    const previous = process.cwd();
+    process.chdir(repoPath("fixtures", fixtureName));
+    try {
+        return await fn();
+    }
+    finally {
+        process.chdir(previous);
+    }
+}
+async function runPromptConformanceTests() {
+    const prompt = readFileSync(repoPath("prompts", "SECURITY_PROMPT.md"), "utf-8");
+    const skill = readFileSync(repoPath("skills", "senior-security-engineer", "SKILL.md"), "utf-8");
+    const readme = readFileSync(repoPath("README.md"), "utf-8");
+    const serverSource = readFileSync(repoPath("src", "mcp", "server.ts"), "utf-8");
+    assert.match(prompt, /security\.start_review/);
+    assert.match(prompt, /security\.attest_review/);
+    assert.match(prompt, /Human approval is mandatory/i);
+    assert.match(skill, /90% fixing/);
+    assert.match(skill, /security\.self_heal_loop/);
+    assert.match(readme, /security\.start_review/);
+    assert.match(readme, /security\.attest_review/);
+    assert.match(serverSource, /"security\.start_review"/);
+    assert.match(serverSource, /"security\.attest_review"/);
+}
+async function runFixtureGateTests() {
+    await withFixture("web-insecure", async () => {
+        const result = await runPrGate({
+            mode: "folder_by_folder",
+            targets: ["src"],
+            policyPath: ".mcp/policies/security-policy.json"
+        });
+        const ids = result.findings.map((finding) => finding.id);
+        assert.ok(ids.includes("WEB_HEADERS_MISSING"));
+        assert.ok(ids.includes("DANGEROUSLY_SET_INNER_HTML"));
+        assert.ok(ids.includes("SSRF_GUARD_REQUIRED"));
+        assert.ok(result.confidence);
+    });
+    await withFixture("infra-insecure", async () => {
+        const result = await runPrGate({
+            mode: "folder_by_folder",
+            targets: ["terraform"],
+            policyPath: ".mcp/policies/security-policy.json"
+        });
+        const ids = result.findings.map((finding) => finding.id);
+        assert.ok(ids.includes("PUBLIC_EXPOSURE_RISK"));
+        assert.ok(ids.includes("CONTROL_EVIDENCE_MISSING"));
+    });
+    await withFixture("ai-insecure", async () => {
+        const result = await runPrGate({
+            mode: "folder_by_folder",
+            targets: ["ai"],
+            policyPath: ".mcp/policies/security-policy.json"
+        });
+        const ids = result.findings.map((finding) => finding.id);
+        assert.ok(ids.includes("AI_OUTPUT_BOUNDS_MISSING"));
+    });
+}
+async function runReviewWorkflowTests() {
+    cleanupFixtureReviewArtifacts("web-insecure");
+    await withFixture("web-insecure", async () => {
+        const run = await createReviewRun({
+            mode: "folder_by_folder",
+            targets: ["src"]
+        });
+        await updateReviewStep(run.id, "scan_strategy", "completed", { mode: "folder_by_folder", targets: ["src"] });
+        await updateReviewStep(run.id, "threat_model", "completed", { feature: "fixture web flow" });
+        await updateReviewStep(run.id, "checklist", "completed", { surface: "web" });
+        await updateReviewStep(run.id, "run_pr_gate", "completed", { status: "FAIL", confidence: { score: 20 } });
+        const saved = await readReviewRun(run.id);
+        assert.equal(saved.steps["run_pr_gate"]?.status, "completed");
+        const attestation = await createReviewAttestation(run.id, {
+            runId: run.id,
+            steps: saved.steps
+        });
+        assert.ok(existsSync(attestation.path));
+        assert.match(attestation.sha256, /^[a-f0-9]{64}$/);
+    });
+    cleanupFixtureReviewArtifacts("web-insecure");
+}
+async function main() {
+    await runPromptConformanceTests();
+    await runFixtureGateTests();
+    await runReviewWorkflowTests();
+    console.log("security-mcp tests passed");
+}
+main().catch((error) => {
+    console.error(error);
+    process.exit(1);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "security-mcp",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.",
   "type": "module",
   "license": "MIT",
@@ -53,21 +53,31 @@
   ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
+    "lint": "eslint . --max-warnings=0",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli/index.js serve",
     "mcp:server": "node dist/mcp/server.js",
-    "ci:pr-gate": "node dist/ci/pr-gate.js"
+    "ci:pr-gate": "node dist/ci/pr-gate.js",
+    "test": "npm run build && node dist/tests/run.js"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.26.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "execa": "^9.5.2",
     "fast-glob": "^3.3.3",
     "picomatch": "^3.0.1",
     "zod": "^3.24.1"
   },
+  "overrides": {
+    "express-rate-limit": "^8.2.2",
+    "hono": "^4.12.7"
+  },
   "devDependencies": {
+    "@eslint/js": "^9.22.0",
     "@types/node": "^22.13.5",
     "@types/picomatch": "^2.3.4",
+    "eslint": "^9.22.0",
+    "globals": "^16.0.0",
+    "typescript-eslint": "^8.26.0",
     "typescript": "^5.7.3"
   },
   "engines": {

package/prompts/SECURITY_PROMPT.md

@@ -33,6 +33,46 @@ You do not take shortcuts. You do not make exceptions without full traceability.
 internet-exposed surfaces with overly permissive rules (`0.0.0.0/0`). You mandate VPC-native, private
 connectivity everywhere. **You write the fix. Every time. No exceptions.**
 
+## STARTUP HANDSHAKE (MANDATORY BEFORE ANY REVIEW OR CODE CHANGE)
+
+Before any security work, ask the user to choose exactly one scan mode:
+
+- `folder_by_folder`
+- `file_by_file`
+- `recent_changes`
+
+You must not skip this question. Once the user selects a mode:
+
+1. Start a review run with `security.start_review` and carry the returned `runId`.
+2. Build the scan plan with `security.scan_strategy`.
+3. Execute the gate with `security.run_pr_gate` using the same mode, scope, and `runId`.
+4. Apply all framework mappings in this prompt (OWASP, MITRE, NIST, PCI, SOC 2, ISO, CIS, Zero Trust).
+5. Finish with `security.attest_review` so the run has an auditable attestation.
+
+No area is considered complete until all required controls are either implemented or formally
+risk-accepted by an approved owner.
+
+## TERRAFORM + OPA/REGO POLICY GATING (MANDATORY CONSENT)
+
+For IaC hardening and preventive pipeline controls:
+
+- First, provide your recommendation and ask the user for consent before generating policy code.
+- Use `security.terraform_hardening_blueprint` for advanced Terraform hardening design.
+- Use `security.generate_opa_rego` for OPA/Rego policy packs for Terraform plans, CI pipelines,
+  or Kubernetes admission control.
+- If consent is not given, stop at recommendation and do not emit policy code.
+
+## CONTROLLED SELF-HEALING MODE (HUMAN APPROVAL REQUIRED)
+
+The security agent may learn from repeated findings and propose policy/checklist improvements, but:
+
+- No autonomous mutation of code, prompts, policies, or evidence mappings.
+- Any adaptive improvement must be proposed to a human first and applied only after explicit approval.
+- No weakening controls without documented, owner-signed risk acceptance.
+- Every approved adaptive change must be traceable (owner, date, rationale, rollback path).
+
+Use `security.self_heal_loop` only as a proposal workflow. Human approval is mandatory before any change is applied.
+
 ---
 
 ## 1) NON-NEGOTIABLE SECURITY + COMPLIANCE FRAMEWORKS

package/skills/senior-security-engineer/SKILL.md

@@ -74,6 +74,45 @@ connectivity everywhere.
 
 **You write the fix. Every time. No exceptions.**
 
+## STARTUP HANDSHAKE (MANDATORY BEFORE ANY REVIEW OR CODE CHANGE)
+
+Before any security work, ask the user to choose exactly one scan mode:
+
+- `folder_by_folder`
+- `file_by_file`
+- `recent_changes`
+
+You must not skip this question. Once the user selects a mode:
+
+1. Start a review run with `security.start_review` and carry the returned `runId`.
+2. Build the scan plan with `security.scan_strategy`.
+3. Execute the gate with `security.run_pr_gate` using the same mode, scope, and `runId`.
+4. Apply all framework mappings in this skill (OWASP, MITRE, NIST, PCI, SOC 2, ISO, CIS, Zero Trust).
+5. Finish with `security.attest_review` so the run has an auditable attestation.
+
+No area is complete until required controls are implemented or formally risk-accepted by an approved owner.
+
+## TERRAFORM + OPA/REGO POLICY GATING (MANDATORY CONSENT)
+
+For IaC hardening and preventive pipeline controls:
+
+- First, provide your recommendation and ask the user for consent before generating policy code.
+- Use `security.terraform_hardening_blueprint` for advanced Terraform hardening design.
+- Use `security.generate_opa_rego` for OPA/Rego policy packs for Terraform plans, CI pipelines,
+  or Kubernetes admission control.
+- If consent is not given, stop at recommendation and do not emit policy code.
+
+## CONTROLLED SELF-HEALING MODE (HUMAN APPROVAL REQUIRED)
+
+This skill may learn from repeated findings and propose policy/checklist improvements, but:
+
+- No autonomous mutation of code, prompts, policies, or evidence mappings.
+- Any adaptive improvement must be proposed to a human first and applied only after explicit approval.
+- No weakening controls without documented, owner-signed risk acceptance.
+- Every approved adaptive change must be traceable (owner, date, rationale, rollback path).
+
+Use `security.self_heal_loop` only as a proposal workflow. Human approval is mandatory before any change is applied.
+
 ---
 
 ## 1) NON-NEGOTIABLE SECURITY + COMPLIANCE FRAMEWORKS
@@ -951,10 +990,16 @@ If the `security-mcp` MCP server is running, invoke these tools for structured o
 
 | Tool | Purpose |
 |---|---|
+| `security.start_review` | Start a stateful review run and return the `runId` used for ordered execution and attestation |
 | `security.get_system_prompt` | Retrieve the full generalized security prompt |
 | `security.threat_model` | Generate a STRIDE + PASTA + ATT&CK threat model template |
 | `security.checklist` | Get the pre-release security checklist filtered by surface |
+| `security.scan_strategy` | Require scan-mode selection and generate an exhaustive scan plan with framework coverage |
 | `security.generate_policy` | Generate a security-policy.json for this project |
-| `security.run_pr_gate` | Run the security policy gate against the current diff |
+| `security.terraform_hardening_blueprint` | Generate advanced Terraform hardening architecture and control baseline |
+| `security.generate_opa_rego` | Generate preventive OPA/Rego policy packs (with explicit user consent gate) |
+| `security.self_heal_loop` | Propose self-healing improvements, but require explicit human approval before any change |
+| `security.attest_review` | Write an auditable review attestation with integrity hash and confidence summary |
+| `security.run_pr_gate` | Run the security gate on recent changes, folders, or files; requires `runId` in MCP usage |
 | `repo.read_file` | Read a file in the workspace |
 | `repo.search` | Search the codebase |