security-mcp 1.0.5 → 1.1.1

package/dist/cli/index.js

@@ -57,12 +57,14 @@ COMMANDS
   config           Print MCP config JSON for manual editor setup
 
 OPTIONS (install)
-  --claude-code    Write config for Claude Code only
-  --cursor         Write config for Cursor only
-  --vscode         Write config for VS Code only
-  --global         Write to global editor config (default)
+  --claude-code        Write config for Claude Code only
+  --cursor             Write config for Cursor only
+  --vscode             Write config for VS Code only
+  --global             Write to global editor config (default)
   --use-global-binary  Write configs that execute "security-mcp serve" instead of npx
-  --dry-run        Print what would change without writing
+  --dry-run            Print what would change without writing
+  --yes                Skip interactive setup questions (install with defaults)
+  --non-interactive    Same as --yes (for CI environments)
 
 OPTIONS (general)
   --version        Print version
@@ -131,26 +133,29 @@ async function main() {
             break;
         }
         case "install": {
+            const noEditorFlag = !args.includes("--claude-code") && !args.includes("--cursor") && !args.includes("--vscode");
             const options = {
                 claudeCode: args.includes("--claude-code"),
                 cursor: args.includes("--cursor"),
                 vscode: args.includes("--vscode"),
                 dryRun: args.includes("--dry-run"),
                 useGlobalBinary,
-                // If no editor flag specified, install to all detected
-                all: !args.includes("--claude-code") && !args.includes("--cursor") && !args.includes("--vscode")
+                all: noEditorFlag,
+                interactive: !args.includes("--yes") && !args.includes("--non-interactive")
             };
             await runInstall(options);
             break;
         }
         case "install-global": {
+            const noEditorFlag = !args.includes("--claude-code") && !args.includes("--cursor") && !args.includes("--vscode");
             const options = {
                 claudeCode: args.includes("--claude-code"),
                 cursor: args.includes("--cursor"),
                 vscode: args.includes("--vscode"),
                 dryRun: args.includes("--dry-run"),
                 useGlobalBinary: true,
-                all: !args.includes("--claude-code") && !args.includes("--cursor") && !args.includes("--vscode")
+                all: noEditorFlag,
+                interactive: !args.includes("--yes") && !args.includes("--non-interactive")
             };
             await runInstall(options);
             break;

package/dist/cli/install.js

@@ -6,7 +6,9 @@
 import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { homedir, platform } from "node:os";
+import * as https from "node:https";
 import { fileURLToPath } from "node:url";
+import { runOnboarding, installSecurityTools, commandExists, SECURITY_TOOLS } from "./onboarding.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = resolve(__dirname, "../..");
 function resolveHome(p) {
@@ -157,8 +159,83 @@ function installSkill(dryRun) {
     }
     process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
 }
+/**
+ * Download a skill SKILL.md from a remote URL and save it to ~/.claude/skills/{skillName}/SKILL.md.
+ * Used for lazy on-demand skill installation — all sub-agents are downloaded this way at first use.
+ * Mirrors the same pattern used for security tool binary downloads in onboarding.ts.
+ */
+// CWE-22: only alphanumeric, hyphens, and dots allowed in skill names
+const SAFE_SKILL_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+export async function downloadSkill(skillName, url, dryRun = false) {
+    if (!SAFE_SKILL_NAME_RE.test(skillName)) {
+        process.stdout.write(`  [error] invalid skill name "${skillName}" — skipping download\n`);
+        return;
+    }
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (dryRun) {
+        process.stdout.write(`  [dry-run] would download skill "${skillName}" from ${url} → ${skillDest}\n`);
+        return;
+    }
+    const MAX_SKILL_BYTES = 512 * 1024; // 512 KB — skills are markdown files
+    const content = await new Promise((resolve) => {
+        const req = https.get(url, { headers: { "User-Agent": "security-mcp" } }, (res) => {
+            if ((res.statusCode ?? 500) >= 400) {
+                res.resume();
+                resolve(null);
+                return;
+            }
+            let body = "";
+            res.setEncoding("utf8");
+            res.on("data", (chunk) => {
+                body += chunk;
+                if (Buffer.byteLength(body, "utf8") > MAX_SKILL_BYTES) {
+                    req.destroy();
+                    resolve(null);
+                }
+            });
+            res.on("end", () => resolve(body));
+        });
+        req.on("error", () => resolve(null));
+        req.setTimeout(10000, () => { req.destroy(); resolve(null); });
+    });
+    if (!content) {
+        process.stdout.write(`  [error] failed to download skill "${skillName}" from ${url}\n`);
+        return;
+    }
+    mkdirSync(dirname(skillDest), { recursive: true });
+    writeFileSync(skillDest, content, "utf-8");
+    process.stdout.write(`  installed skill: ${skillDest}\n`);
+}
+/**
+ * Eagerly install the orchestrator skill (bundled in the package) plus record
+ * its version so orchestration.ensure_skill can detect future updates.
+ */
+function installOrchestratorSkill(dryRun) {
+    const skillName = "ciso-orchestrator";
+    const skillSrc = join(PKG_ROOT, "skills", skillName, "SKILL.md");
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (!existsSync(skillSrc)) {
+        process.stdout.write(`  [skip] skills/${skillName}/SKILL.md not found in package\n`);
+        return;
+    }
+    if (!dryRun) {
+        mkdirSync(dirname(skillDest), { recursive: true });
+        copyFileSync(skillSrc, skillDest);
+    }
+    process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
+}
 export async function runInstall(opts) {
     const dryRun = opts.dryRun;
+    // ── Interactive onboarding (skipped when --yes or non-TTY) ──────────────
+    if (opts.interactive && !dryRun) {
+        const onboarding = await runOnboarding();
+        if (onboarding?.installTools) {
+            const toInstall = SECURITY_TOOLS.filter((t) => !commandExists(t.id));
+            process.stdout.write("\nInstalling security scanning tools...\n");
+            await installSecurityTools(toInstall);
+            process.stdout.write("\n");
+        }
+    }
     process.stdout.write(`\nsecurity-mcp installer${dryRun ? " (dry-run)" : ""}\n`);
     process.stdout.write("=".repeat(40) + "\n\n");
     const targets = getEditorTargets(opts);
@@ -184,11 +261,12 @@ export async function runInstall(opts) {
             process.stdout.write(`  [error] ${err instanceof Error ? err.message : String(err)}\n`);
         }
     }
-    // Install Claude Code skill if Claude Code is in scope
+    // Install Claude Code skills if Claude Code is in scope
     const hasClaudeCode = targets.some((t) => t.name.startsWith("Claude Code"));
     if (hasClaudeCode || opts.all) {
-        process.stdout.write("\nInstalling Claude Code skill...\n");
+        process.stdout.write("\nInstalling Claude Code skills...\n");
         installSkill(dryRun);
+        installOrchestratorSkill(dryRun);
     }
     process.stdout.write("\nInstalling security policy...\n");
     installPolicy(dryRun);