security-mcp 1.1.0 → 1.1.1

package/defaults/agent-run-schema.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/AbrahamOO/security-mcp/blob/main/defaults/agent-run-schema.json",
+  "title": "AgentRunManifest",
+  "description": "Schema for .mcp/agent-runs/{agentRunId}/manifest.json — the coordination state for a multi-agent security run.",
+  "type": "object",
+  "required": ["agentRunId", "runId", "createdAt", "updatedAt", "phase", "internetPermitted", "stackContext", "scope", "agents"],
+  "additionalProperties": false,
+  "properties": {
+    "agentRunId": {
+      "type": "string",
+      "minLength": 32,
+      "maxLength": 32,
+      "description": "32-character hex identifier for this agent run."
+    },
+    "runId": {
+      "type": "string",
+      "format": "uuid",
+      "description": "UUID of the parent review run from security.start_review."
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "updatedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "phase": {
+      "type": "integer",
+      "enum": [0, 1, 2, 3],
+      "description": "Current execution phase: 0=init, 1=parallel discovery, 2=adversarial+compliance, 3=synthesis."
+    },
+    "internetPermitted": {
+      "type": "boolean",
+      "description": "Whether the user permitted internet access for this run."
+    },
+    "stackContext": {
+      "type": "object",
+      "required": ["languages", "frameworks", "databases", "cloudProvider", "paymentProcessor", "hasAI", "hasMobile", "hasPII", "hasPayments", "packageManagers", "ciPlatform"],
+      "additionalProperties": false,
+      "properties": {
+        "languages":       { "type": "array", "items": { "type": "string" } },
+        "frameworks":      { "type": "array", "items": { "type": "string" } },
+        "databases":       { "type": "array", "items": { "type": "string" } },
+        "cloudProvider":   { "type": "array", "items": { "type": "string" } },
+        "paymentProcessor":{ "type": "array", "items": { "type": "string" } },
+        "hasAI":           { "type": "boolean" },
+        "hasMobile":       { "type": "boolean" },
+        "hasPII":          { "type": "boolean" },
+        "hasPayments":     { "type": "boolean" },
+        "packageManagers": { "type": "array", "items": { "type": "string" } },
+        "ciPlatform":      { "type": "array", "items": { "type": "string" } }
+      }
+    },
+    "scope": {
+      "type": "object",
+      "required": ["mode", "targets", "baseRef", "headRef"],
+      "additionalProperties": false,
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["recent_changes", "folder_by_folder", "file_by_file"]
+        },
+        "targets": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "baseRef": { "type": "string" },
+        "headRef": { "type": "string" }
+      }
+    },
+    "agents": {
+      "type": "object",
+      "description": "Map of agent name to its lifecycle record.",
+      "additionalProperties": {
+        "$ref": "#/$defs/AgentRecord"
+      }
+    }
+  },
+  "$defs": {
+    "AgentRecord": {
+      "type": "object",
+      "required": ["status", "startedAt", "completedAt", "findingsPath", "summary"],
+      "additionalProperties": false,
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["pending", "running", "completed", "completed_partial", "failed"]
+        },
+        "startedAt":    { "type": ["string", "null"], "format": "date-time" },
+        "completedAt":  { "type": ["string", "null"], "format": "date-time" },
+        "findingsPath": { "type": ["string", "null"] },
+        "summary":      { "type": ["string", "null"] }
+      }
+    }
+  }
+}

package/dist/cli/install.js

@@ -6,6 +6,7 @@
 import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { homedir, platform } from "node:os";
+import * as https from "node:https";
 import { fileURLToPath } from "node:url";
 import { runOnboarding, installSecurityTools, commandExists, SECURITY_TOOLS } from "./onboarding.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -158,6 +159,71 @@ function installSkill(dryRun) {
     }
     process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
 }
+/**
+ * Download a skill SKILL.md from a remote URL and save it to ~/.claude/skills/{skillName}/SKILL.md.
+ * Used for lazy on-demand skill installation — all sub-agents are downloaded this way at first use.
+ * Mirrors the same pattern used for security tool binary downloads in onboarding.ts.
+ */
+// CWE-22: only alphanumeric, hyphens, and dots allowed in skill names
+const SAFE_SKILL_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+export async function downloadSkill(skillName, url, dryRun = false) {
+    if (!SAFE_SKILL_NAME_RE.test(skillName)) {
+        process.stdout.write(`  [error] invalid skill name "${skillName}" — skipping download\n`);
+        return;
+    }
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (dryRun) {
+        process.stdout.write(`  [dry-run] would download skill "${skillName}" from ${url} → ${skillDest}\n`);
+        return;
+    }
+    const MAX_SKILL_BYTES = 512 * 1024; // 512 KB — skills are markdown files
+    const content = await new Promise((resolve) => {
+        const req = https.get(url, { headers: { "User-Agent": "security-mcp" } }, (res) => {
+            if ((res.statusCode ?? 500) >= 400) {
+                res.resume();
+                resolve(null);
+                return;
+            }
+            let body = "";
+            res.setEncoding("utf8");
+            res.on("data", (chunk) => {
+                body += chunk;
+                if (Buffer.byteLength(body, "utf8") > MAX_SKILL_BYTES) {
+                    req.destroy();
+                    resolve(null);
+                }
+            });
+            res.on("end", () => resolve(body));
+        });
+        req.on("error", () => resolve(null));
+        req.setTimeout(10000, () => { req.destroy(); resolve(null); });
+    });
+    if (!content) {
+        process.stdout.write(`  [error] failed to download skill "${skillName}" from ${url}\n`);
+        return;
+    }
+    mkdirSync(dirname(skillDest), { recursive: true });
+    writeFileSync(skillDest, content, "utf-8");
+    process.stdout.write(`  installed skill: ${skillDest}\n`);
+}
+/**
+ * Eagerly install the orchestrator skill (bundled in the package) plus record
+ * its version so orchestration.ensure_skill can detect future updates.
+ */
+function installOrchestratorSkill(dryRun) {
+    const skillName = "ciso-orchestrator";
+    const skillSrc = join(PKG_ROOT, "skills", skillName, "SKILL.md");
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (!existsSync(skillSrc)) {
+        process.stdout.write(`  [skip] skills/${skillName}/SKILL.md not found in package\n`);
+        return;
+    }
+    if (!dryRun) {
+        mkdirSync(dirname(skillDest), { recursive: true });
+        copyFileSync(skillSrc, skillDest);
+    }
+    process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
+}
 export async function runInstall(opts) {
     const dryRun = opts.dryRun;
     // ── Interactive onboarding (skipped when --yes or non-TTY) ──────────────
@@ -195,11 +261,12 @@ export async function runInstall(opts) {
             process.stdout.write(`  [error] ${err instanceof Error ? err.message : String(err)}\n`);
         }
     }
-    // Install Claude Code skill if Claude Code is in scope
+    // Install Claude Code skills if Claude Code is in scope
     const hasClaudeCode = targets.some((t) => t.name.startsWith("Claude Code"));
     if (hasClaudeCode || opts.all) {
-        process.stdout.write("\nInstalling Claude Code skill...\n");
+        process.stdout.write("\nInstalling Claude Code skills...\n");
         installSkill(dryRun);
+        installOrchestratorSkill(dryRun);
     }
     process.stdout.write("\nInstalling security policy...\n");
     installPolicy(dryRun);

package/dist/cli/onboarding.js

@@ -12,7 +12,7 @@
  */
 import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
-import { execSync, spawnSync } from "node:child_process";
+import { spawnSync } from "node:child_process";
 import { platform, arch, homedir } from "node:os";
 import { mkdirSync, createWriteStream, chmodSync, existsSync } from "node:fs";
 import { join } from "node:path";
@@ -204,13 +204,13 @@ function getCpuArch() {
 }
 export function commandExists(cmd) {
     try {
+        // Use spawnSync (not execSync) to avoid shell injection — cmd is never interpolated into a shell string
         if (process.platform === "win32") {
-            execSync(`where "${cmd}"`, { stdio: "pipe" });
+            return spawnSync("where", [cmd], { stdio: "pipe" }).status === 0;
         }
         else {
-            execSync(`command -v ${cmd}`, { stdio: "pipe" });
+            return spawnSync("which", [cmd], { stdio: "pipe" }).status === 0;
         }
-        return true;
     }
     catch {
         return false;

package/dist/cli/update.js

@@ -4,11 +4,13 @@ import { dirname, join } from "node:path";
 import * as https from "node:https";
 const CACHE_DIR = join(homedir(), ".security-mcp");
 const CACHE_PATH = join(CACHE_DIR, "update-check.json");
+const SKILL_VERSIONS_PATH = join(CACHE_DIR, "skill-versions.json");
 const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
 const PROMPT_INTERVAL_MS = 24 * 60 * 60 * 1000;
 const REGISTRY_URL = "https://registry.npmjs.org/security-mcp/latest";
+const SKILLS_MANIFEST_URL = "https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/skills-manifest.json";
 function parseVersion(input) {
-    const match = input.trim().match(/^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/);
+    const match = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(input.trim());
     if (!match)
         return null;
     return {
@@ -64,10 +66,15 @@ function fetchLatestVersion(timeoutMs = 1500) {
                 resolve(null);
                 return;
             }
+            const MAX_BYTES = 64 * 1024; // 64 KB — npm registry version response
             let body = "";
             res.setEncoding("utf8");
             res.on("data", (chunk) => {
                 body += chunk;
+                if (Buffer.byteLength(body, "utf8") > MAX_BYTES) {
+                    req.destroy();
+                    resolve(null);
+                }
             });
             res.on("end", () => {
                 try {
@@ -96,6 +103,71 @@ function shouldPrompt(cache, latestVersion, now) {
         return true;
     return now - lastPromptedAt >= PROMPT_INTERVAL_MS;
 }
+/** Check the skills manifest for skills that have newer versions than what is locally installed. */
+async function checkSkillUpdates() {
+    try {
+        const body = await new Promise((resolve) => {
+            const req = https.get(SKILLS_MANIFEST_URL, { headers: { "User-Agent": "security-mcp-update-checker" } }, (res) => {
+                if ((res.statusCode ?? 500) >= 400) {
+                    res.resume();
+                    resolve(null);
+                    return;
+                }
+                const MAX_MANIFEST_BYTES = 256 * 1024; // 256 KB
+                let buf = "";
+                res.setEncoding("utf8");
+                res.on("data", (c) => {
+                    buf += c;
+                    if (Buffer.byteLength(buf, "utf8") > MAX_MANIFEST_BYTES) {
+                        req.destroy();
+                        resolve(null);
+                    }
+                });
+                res.on("end", () => resolve(buf));
+            });
+            req.on("error", () => resolve(null));
+            req.setTimeout(3000, () => { req.destroy(); resolve(null); });
+        });
+        if (!body)
+            return [];
+        const manifest = JSON.parse(body);
+        let installed = {};
+        try {
+            installed = JSON.parse(readFileSync(SKILL_VERSIONS_PATH, "utf-8"));
+        }
+        catch { /* not installed yet */ }
+        const outdated = [];
+        for (const [name, entry] of Object.entries(manifest.skills)) {
+            const local = installed[name]?.version;
+            if (local && local !== entry.version) {
+                outdated.push(`${name}: ${local} → ${entry.version}`);
+            }
+        }
+        return outdated;
+    }
+    catch {
+        return [];
+    }
+}
+function printUpdateNotices(cache, currentVersion, now) {
+    const hasMcpUpdate = cache.latestVersion && compareVersions(currentVersion, cache.latestVersion) < 0;
+    const hasSkillUpdates = (cache.skillsWithUpdates?.length ?? 0) > 0;
+    if (!hasMcpUpdate && !hasSkillUpdates)
+        return;
+    if (cache.latestVersion && !shouldPrompt(cache, cache.latestVersion, now))
+        return;
+    if (hasMcpUpdate && cache.latestVersion) {
+        console.error(`\nUpdate available: security-mcp ${currentVersion} → ${cache.latestVersion}\n` +
+            "Run the CISO Orchestrator skill and choose option (A) to update automatically, or:\n" +
+            `  npm install -g security-mcp@${cache.latestVersion}\n` +
+            "  security-mcp install\n");
+    }
+    if (hasSkillUpdates && cache.skillsWithUpdates) {
+        console.error("\nSkill updates available:\n" +
+            cache.skillsWithUpdates.map((s) => `  • ${s}`).join("\n") +
+            "\nRun the CISO Orchestrator skill to apply skill updates automatically.\n");
+    }
+}
 export async function notifyIfUpdateAvailable(currentVersion) {
     const now = Date.now();
     const cache = readCache();
@@ -103,22 +175,18 @@ export async function notifyIfUpdateAvailable(currentVersion) {
     const shouldRefresh = Number.isNaN(lastCheckedAt) || now - lastCheckedAt >= CHECK_INTERVAL_MS;
     if (shouldRefresh) {
         const latestVersion = await fetchLatestVersion();
-        if (latestVersion) {
+        if (latestVersion)
             cache.latestVersion = latestVersion;
-        }
+        const skillUpdates = await checkSkillUpdates();
+        if (skillUpdates.length > 0)
+            cache.skillsWithUpdates = skillUpdates;
         cache.lastCheckedAt = new Date(now).toISOString();
         writeCache(cache);
     }
-    if (!cache.latestVersion)
-        return;
-    if (compareVersions(currentVersion, cache.latestVersion) >= 0)
-        return;
-    if (!shouldPrompt(cache, cache.latestVersion, now))
-        return;
-    process.stderr.write(`\nUpdate available: security-mcp ${currentVersion} -> ${cache.latestVersion}\n` +
-        "Update command: npm install -g security-mcp@latest\n" +
-        "Then refresh editor config: security-mcp install-global\n\n");
-    cache.lastPromptedVersion = cache.latestVersion;
-    cache.lastPromptedAt = new Date(now).toISOString();
-    writeCache(cache);
+    printUpdateNotices(cache, currentVersion, now);
+    if (cache.latestVersion) {
+        cache.lastPromptedVersion = cache.latestVersion;
+        cache.lastPromptedAt = new Date(now).toISOString();
+        writeCache(cache);
+    }
 }

package/dist/gate/checks/ai-redteam.js

@@ -294,16 +294,91 @@ async function runDynamicProbes(endpointUrl, probes) {
     }
     return results;
 }
+// CWE-918: resolve and validate an endpoint URL is not pointing to a private/metadata host.
+const PROBE_PRIVATE_RE = [/^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./, /^169\.254\./, /^::1$/, /^fc/, /^fd/];
+function isProbePrivateIp(ip) {
+    return PROBE_PRIVATE_RE.some((r) => r.test(ip));
+}
+async function resolveSafeEndpoint(rawUrl) {
+    try {
+        const parsed = new URL(rawUrl);
+        if (parsed.protocol !== "https:" && parsed.protocol !== "http:")
+            return null;
+        const { lookup } = await import("node:dns/promises");
+        const { isIP } = await import("node:net");
+        const host = parsed.hostname;
+        if (isIP(host))
+            return isProbePrivateIp(host) ? null : rawUrl;
+        if (host === "localhost" || host.endsWith(".internal"))
+            return null;
+        const resolved = await lookup(host, { all: true });
+        if (resolved.some(({ address }) => isProbePrivateIp(address)))
+            return null;
+        return rawUrl;
+    }
+    catch {
+        return null;
+    }
+}
+function probeFailureToFinding(probe) {
+    switch (probe.probe) {
+        case "jailbreak": return {
+            id: "AI_JAILBREAK_SUCCESS",
+            title: "Jailbreak probe succeeded — system prompt may have leaked",
+            severity: "CRITICAL",
+            evidence: ["Probe: jailbreak", probe.detail ?? ""],
+            requiredActions: [
+                "Implement system prompt protection: use instruction hierarchy, not string concatenation.",
+                "Add jailbreak detection and monitoring.",
+                "Do not rely on the system prompt for access control."
+            ]
+        };
+        case "injection": return {
+            id: "AI_INJECTION_SUCCESS",
+            title: "Prompt injection probe succeeded via simulated RAG context",
+            severity: "CRITICAL",
+            evidence: ["Probe: injection"],
+            requiredActions: [
+                "Apply content isolation between user instructions and retrieved context.",
+                "Treat all RAG-retrieved content as untrusted.",
+                "Validate model outputs before acting on them."
+            ]
+        };
+        case "pii_exfil": return {
+            id: "AI_PII_LEAK",
+            title: "PII exfiltration probe succeeded — model repeated sensitive data",
+            severity: "CRITICAL",
+            evidence: ["Probe: pii_exfil"],
+            requiredActions: [
+                "Implement output PII scanning before returning model responses.",
+                "Block responses containing SSN, card numbers, or credential patterns.",
+                "Add output filtering as a defense-in-depth layer."
+            ]
+        };
+        case "token_flood": return {
+            id: "AI_RATE_LIMIT_MISSING",
+            title: "Token flooding probe was not rate-limited — DoS risk",
+            severity: "HIGH",
+            evidence: ["Probe: token_flood"],
+            requiredActions: [
+                "Implement request size limits and token quotas on AI endpoints.",
+                "Return 413 or 429 for oversized requests.",
+                "Add per-user token budgets."
+            ]
+        };
+        default: return null;
+    }
+}
 /**
  * Run AI/LLM red-team checks: static analysis + optional dynamic probes.
  */
 export async function runAiRedteamChecks(opts) {
     const findings = [];
-    // Static analysis (always runs)
-    const staticFindings = await runStaticAnalysis(opts.changedFiles);
-    findings.push(...staticFindings);
-    // Dynamic probes (only if endpoint is configured)
-    const endpointUrl = opts.endpointUrl ?? process.env["SECURITY_AI_ENDPOINT"];
+    findings.push(...await runStaticAnalysis(opts.changedFiles));
+    const rawEndpointUrl = opts.endpointUrl ?? process.env["SECURITY_AI_ENDPOINT"];
+    if (!rawEndpointUrl)
+        return findings;
+    const endpointUrl = await resolveSafeEndpoint(rawEndpointUrl);
     if (!endpointUrl)
         return findings;
     const allProbes = ["jailbreak", "injection", "pii_exfil", "token_flood"];
@@ -314,60 +389,9 @@ export async function runAiRedteamChecks(opts) {
         for (const probe of result.value) {
             if (probe.passed)
                 continue;
-            switch (probe.probe) {
-                case "jailbreak":
-                    findings.push({
-                        id: "AI_JAILBREAK_SUCCESS",
-                        title: "Jailbreak probe succeeded — system prompt may have leaked",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: jailbreak", probe.detail ?? ""],
-                        requiredActions: [
-                            "Implement system prompt protection: use instruction hierarchy, not string concatenation.",
-                            "Add jailbreak detection and monitoring.",
-                            "Do not rely on the system prompt for access control."
-                        ]
-                    });
-                    break;
-                case "injection":
-                    findings.push({
-                        id: "AI_INJECTION_SUCCESS",
-                        title: "Prompt injection probe succeeded via simulated RAG context",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: injection"],
-                        requiredActions: [
-                            "Apply content isolation between user instructions and retrieved context.",
-                            "Treat all RAG-retrieved content as untrusted.",
-                            "Validate model outputs before acting on them."
-                        ]
-                    });
-                    break;
-                case "pii_exfil":
-                    findings.push({
-                        id: "AI_PII_LEAK",
-                        title: "PII exfiltration probe succeeded — model repeated sensitive data",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: pii_exfil"],
-                        requiredActions: [
-                            "Implement output PII scanning before returning model responses.",
-                            "Block responses containing SSN, card numbers, or credential patterns.",
-                            "Add output filtering as a defense-in-depth layer."
-                        ]
-                    });
-                    break;
-                case "token_flood":
-                    findings.push({
-                        id: "AI_RATE_LIMIT_MISSING",
-                        title: "Token flooding probe was not rate-limited — DoS risk",
-                        severity: "HIGH",
-                        evidence: ["Probe: token_flood"],
-                        requiredActions: [
-                            "Implement request size limits and token quotas on AI endpoints.",
-                            "Return 413 or 429 for oversized requests.",
-                            "Add per-user token budgets."
-                        ]
-                    });
-                    break;
-            }
+            const finding = probeFailureToFinding(probe);
+            if (finding)
+                findings.push(finding);
         }
     }
     return findings;

package/dist/gate/checks/runtime.js

@@ -2,8 +2,59 @@
  * Runtime evidence verification.
  * Checks HTTP security headers and TLS configuration against a live target.
  */
+import * as dns from "node:dns/promises";
+import * as net from "node:net";
 import * as https from "node:https";
 import * as tls from "node:tls";
+// CWE-918: SSRF guard — block private/link-local/metadata IP ranges
+const PRIVATE_CIDR_PATTERNS = [
+    /^127\./, // loopback
+    /^10\./, // RFC-1918
+    /^172\.(1[6-9]|2\d|3[01])\./, // RFC-1918
+    /^192\.168\./, // RFC-1918
+    /^169\.254\./, // link-local / cloud metadata (169.254.169.254)
+    /^::1$/, // IPv6 loopback
+    /^fc/, // IPv6 ULA
+    /^fd/, // IPv6 ULA
+    /^0\./, // 0.0.0.0/8
+    /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, // RFC-6598 shared address space
+];
+function isPrivateIp(ip) {
+    return PRIVATE_CIDR_PATTERNS.some((re) => re.test(ip));
+}
+async function isSafeUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        return false;
+    }
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:")
+        return false;
+    const host = parsed.hostname;
+    // Block bare IP references
+    if (net.isIP(host)) {
+        return !isPrivateIp(host);
+    }
+    // Block known metadata hostnames
+    if (host === "localhost" || host === "metadata.google.internal" ||
+        host === "169.254.169.254" || host.endsWith(".internal")) {
+        return false;
+    }
+    // Resolve DNS and check all resolved IPs
+    try {
+        const resolved = await dns.lookup(host, { all: true });
+        for (const { address } of resolved) {
+            if (isPrivateIp(address))
+                return false;
+        }
+    }
+    catch {
+        return false; // can't resolve → skip
+    }
+    return true;
+}
 const REQUIRED_HEADERS = [
     {
         name: "content-security-policy",
@@ -129,8 +180,10 @@ export async function runRuntimeChecks(opts) {
     const findings = [];
     // Determine target URL
     const stagingUrl = process.env["SECURITY_STAGING_URL"];
-    const targets = stagingUrl ? [stagingUrl, ...opts.targets] : opts.targets;
-    const uniqueTargets = [...new Set(targets)].filter((t) => t.startsWith("http"));
+    const rawTargets = stagingUrl ? [stagingUrl, ...opts.targets] : opts.targets;
+    // CWE-918: resolve hostnames and reject private/metadata IPs before making requests
+    const safeChecks = await Promise.all(rawTargets.map(async (t) => ({ t, safe: await isSafeUrl(t) })));
+    const uniqueTargets = [...new Set(safeChecks.filter((x) => x.safe).map((x) => x.t))];
     if (uniqueTargets.length === 0)
         return findings;
     const timeoutMs = 15_000;

package/dist/gate/checks/scanners.js

@@ -29,7 +29,12 @@ const ScannerConfigSchema = z.object({
 async function loadScannerConfig() {
     const overridePath = process.env["SECURITY_GATE_SCANNERS"];
     if (overridePath) {
-        const raw = await readFile(join(process.cwd(), overridePath), "utf-8");
+        // CWE-22: resolve to absolute path and ensure it stays within cwd
+        const resolved = resolve(process.cwd(), overridePath);
+        if (!resolved.startsWith(process.cwd() + "/") && resolved !== process.cwd()) {
+            throw new Error(`SECURITY_GATE_SCANNERS path '${overridePath}' escapes the project directory`);
+        }
+        const raw = await readFile(resolved, "utf-8");
         return ScannerConfigSchema.parse(JSON.parse(raw));
     }
     try {

package/dist/gate/exceptions.js

@@ -22,7 +22,12 @@ const ExceptionFileSchema = z.object({
 async function readExceptionsJson() {
     const overridePath = process.env["SECURITY_GATE_EXCEPTIONS"];
     if (overridePath) {
-        return await readFile(join(process.cwd(), overridePath), "utf-8");
+        // CWE-22: ensure path stays within the project directory
+        const resolved = resolve(process.cwd(), overridePath);
+        if (!resolved.startsWith(process.cwd() + "/") && resolved !== process.cwd()) {
+            throw new Error(`SECURITY_GATE_EXCEPTIONS path '${overridePath}' escapes the project directory`);
+        }
+        return await readFile(resolved, "utf-8");
     }
     try {
         return await readFile(join(process.cwd(), ".mcp", "exceptions", "security-exceptions.json"), "utf-8");