ship-safe 7.0.0 → 9.0.0

package/cli/commands/mcp.js

@@ -24,6 +24,9 @@
  *   scan_secrets    - Scan a directory for leaked secrets
  *   get_checklist   - Return the launch-day security checklist
  *   analyze_file    - Analyze a single file for security issues
+ *   scan_repo       - Run a full multi-agent security scan on a repo
+ *   get_findings    - Read findings from a saved ship-safe report file
+ *   suppress_finding - Add a ship-safe-ignore comment to suppress a finding
  *
  * PROTOCOL:
  *   JSON-RPC 2.0 over stdio (MCP spec: https://modelcontextprotocol.io)
@@ -34,6 +37,10 @@ import path from 'path';
 import fg from 'fast-glob';
 import { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS, SKIP_FILENAMES, TEST_FILE_PATTERNS, MAX_FILE_SIZE } from '../utils/patterns.js';
 import { isHighEntropyMatch } from '../utils/entropy.js';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { autoDetectProvider } from '../providers/llm-provider.js';
+import { DeepAnalyzer } from '../agents/deep-analyzer.js';
 
 // =============================================================================
 // MCP TOOL DEFINITIONS
@@ -80,6 +87,74 @@ const TOOLS = [
       required: ['path'],
     },
   },
+  {
+    name: 'scan_repo',
+    description: 'Run a full multi-agent security scan on a repository or directory. Runs all 20+ ship-safe security agents (injection, auth bypass, secrets, supply chain, LLM security, etc.) and returns a structured findings report with severity ratings and remediation advice. Use this when the user asks to audit, scan, or check the security of their project.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: {
+          type: 'string',
+          description: 'The directory path to scan. Use "." for current directory.',
+        },
+        agents: {
+          type: 'array',
+          items: { type: 'string' },
+          description: 'Specific agent names to run (optional). Omit to run all agents.',
+        },
+        llm: {
+          type: 'boolean',
+          description: 'Enable LLM-powered deep analysis for critical/high findings (default: false). Requires ANTHROPIC_API_KEY or similar env var.',
+        },
+        outputFile: {
+          type: 'string',
+          description: 'Optional path to save the JSON report for later retrieval with get_findings.',
+        },
+      },
+      required: ['path'],
+    },
+  },
+  {
+    name: 'get_findings',
+    description: 'Read and return findings from a ship-safe JSON report file previously saved by scan_repo or the ship-safe CLI (npx ship-safe audit --json). Useful for reviewing or referencing a prior scan without re-running it.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        reportPath: {
+          type: 'string',
+          description: 'Path to the ship-safe JSON report file (e.g. ship-safe-report.json).',
+        },
+        severity: {
+          type: 'string',
+          enum: ['critical', 'high', 'medium', 'low'],
+          description: 'Filter findings by minimum severity (optional).',
+        },
+      },
+      required: ['reportPath'],
+    },
+  },
+  {
+    name: 'suppress_finding',
+    description: 'Add a ship-safe-ignore comment to a specific line in a file to suppress a false-positive security finding. The comment tells ship-safe\'s scanner to skip that line in future scans. Always explain why the suppression is safe.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        file: {
+          type: 'string',
+          description: 'Path to the file containing the false-positive finding.',
+        },
+        line: {
+          type: 'number',
+          description: 'Line number of the finding to suppress (1-indexed).',
+        },
+        reason: {
+          type: 'string',
+          description: 'Brief explanation of why this finding is a false positive (appended to the ignore comment).',
+        },
+      },
+      required: ['file', 'line', 'reason'],
+    },
+  },
 ];
 
 // =============================================================================
@@ -163,6 +238,192 @@ async function analyzeFile({ path: filePath }) {
   };
 }
 
+async function scanRepo({ path: targetPath, agents: agentFilter, llm = false, outputFile }) {
+  const rootPath = path.resolve(targetPath);
+
+  if (!fs.existsSync(rootPath)) {
+    return { error: `Path does not exist: ${rootPath}` };
+  }
+
+  // MCP communicates over stdout as JSON-RPC. Suppress all console output during
+  // the scan so spinner text and log lines don't pollute the transport stream.
+  const noop = () => {};
+  const savedLog   = console.log;
+  const savedWarn  = console.warn;
+  const savedError = console.error;
+  const savedInfo  = console.info;
+  console.log = console.warn = console.error = console.info = noop;
+
+  try {
+    const orchestrator = buildOrchestrator();
+    const context = { rootPath };
+
+    // Run all agents (quiet:true suppresses ora spinners; console is already nulled)
+    const { findings, recon } = await orchestrator.runAll(rootPath, {
+      agents: agentFilter,
+      timeout: 30000,
+      concurrency: 6,
+      quiet: true,
+    });
+
+    // Optional: LLM deep analysis
+    let deepStats = null;
+    if (llm) {
+      const provider = autoDetectProvider(rootPath, {});
+      if (provider) {
+        const analyzer = new DeepAnalyzer({ provider, budgetCents: 50, verbose: false });
+        await analyzer.analyze(findings, { rootPath, recon });
+        deepStats = analyzer.getStats();
+      }
+    }
+
+    // Score
+    const scorer = new ScoringEngine();
+    const { score, grade } = scorer.score(findings);
+
+    const SEV_ORDER = ['critical', 'high', 'medium', 'low'];
+    const bySeverity = {};
+    for (const sev of SEV_ORDER) {
+      bySeverity[sev] = findings.filter(f => f.severity === sev).length;
+    }
+
+    const report = {
+      scannedAt: new Date().toISOString(),
+      rootPath,
+      score,
+      grade,
+      totalFindings: findings.length,
+      bySeverity,
+      findings: findings.map(f => ({
+        title:         f.title,
+        severity:      f.severity,
+        category:      f.category,
+        rule:          f.rule,
+        file:          f.file ? path.relative(rootPath, f.file) : null,
+        line:          f.line,
+        description:   f.description,
+        remediation:   f.remediation,
+        confidence:    f.confidence,
+        ...(f.deepAnalysis ? { deepAnalysis: f.deepAnalysis } : {}),
+      })),
+      ...(deepStats ? { deepAnalysis: deepStats } : {}),
+      summary: `Score: ${score}/100 (${grade}) — ${findings.length} finding(s): ${bySeverity.critical} critical, ${bySeverity.high} high, ${bySeverity.medium} medium, ${bySeverity.low} low.`,
+    };
+
+    if (outputFile) {
+      const outPath = path.resolve(outputFile);
+      fs.writeFileSync(outPath, JSON.stringify(report, null, 2), 'utf-8');
+      report.savedTo = outPath;
+    }
+
+    return report;
+  } catch (err) {
+    return { error: `Scan failed: ${err.message}` };
+  } finally {
+    // Always restore console so other tool calls are not affected
+    console.log   = savedLog;
+    console.warn  = savedWarn;
+    console.error = savedError;
+    console.info  = savedInfo;
+  }
+}
+
+function getFindings({ reportPath, severity }) {
+  const absPath = path.resolve(reportPath);
+
+  if (!fs.existsSync(absPath)) {
+    return { error: `Report file not found: ${absPath}` };
+  }
+
+  let report;
+  try {
+    report = JSON.parse(fs.readFileSync(absPath, 'utf-8'));
+  } catch (err) {
+    return { error: `Failed to parse report: ${err.message}` };
+  }
+
+  const findings = report.findings ?? [];
+  const SEV_RANK = { critical: 4, high: 3, medium: 2, low: 1 };
+  const filtered = severity
+    ? findings.filter(f => (SEV_RANK[f.severity] ?? 0) >= (SEV_RANK[severity] ?? 0))
+    : findings;
+
+  return {
+    reportPath:    absPath,
+    scannedAt:     report.scannedAt,
+    score:         report.score,
+    grade:         report.grade,
+    totalFindings: filtered.length,
+    bySeverity:    report.bySeverity,
+    findings:      filtered,
+    summary:       report.summary,
+    ...(severity ? { filter: `severity >= ${severity}` } : {}),
+  };
+}
+
+function suppressFinding({ file, line, reason }) {
+  const absPath = path.resolve(file);
+
+  if (!fs.existsSync(absPath)) {
+    return { error: `File not found: ${absPath}` };
+  }
+
+  let content;
+  try {
+    content = fs.readFileSync(absPath, 'utf-8');
+  } catch (err) {
+    return { error: `Cannot read file: ${err.message}` };
+  }
+
+  const lines = content.split('\n');
+  const lineIdx = line - 1; // Convert to 0-indexed
+
+  if (lineIdx < 0 || lineIdx >= lines.length) {
+    return { error: `Line ${line} is out of range (file has ${lines.length} lines)` };
+  }
+
+  const targetLine = lines[lineIdx];
+
+  // Already suppressed?
+  if (/ship-safe-ignore/i.test(targetLine)) {
+    return { alreadySuppressed: true, file: absPath, line, message: 'Line already has a ship-safe-ignore comment.' };
+  }
+
+  // Detect indentation and comment style
+  const indent = targetLine.match(/^(\s*)/)?.[1] ?? '';
+  const isJs   = /\.(js|ts|jsx|tsx|mjs|cjs|java|c|cpp|cs|go|rs|swift|kt)$/.test(file);
+  const isPy   = /\.py$/.test(file);
+  const isRb   = /\.rb$/.test(file);
+  const isHtml = /\.(html?|vue|svelte)$/.test(file);
+
+  let ignoreComment;
+  if (isHtml) {
+    ignoreComment = `${indent}<!-- ship-safe-ignore — ${reason} -->`;
+  } else if (isPy || isRb) {
+    ignoreComment = `${indent}# ship-safe-ignore — ${reason}`;
+  } else {
+    ignoreComment = `${indent}// ship-safe-ignore — ${reason}`;
+  }
+
+  // Insert ignore comment on the line BEFORE the finding
+  lines.splice(lineIdx, 0, ignoreComment);
+
+  try {
+    fs.writeFileSync(absPath, lines.join('\n'), 'utf-8');
+  } catch (err) {
+    return { error: `Cannot write file: ${err.message}` };
+  }
+
+  return {
+    suppressed:    true,
+    file:          absPath,
+    originalLine:  line,
+    insertedLine:  line, // The ignore comment is now on this line, original moved to line+1
+    comment:       ignoreComment,
+    message:       `Added ship-safe-ignore comment before line ${line} in ${path.basename(file)}.`,
+  };
+}
+
 // =============================================================================
 // SCAN UTILITIES (shared with scan command)
 // =============================================================================
@@ -283,6 +544,15 @@ async function handleRequest(request) {
           case 'analyze_file':
             result = await analyzeFile(args);
             break;
+          case 'scan_repo':
+            result = await scanRepo(args);
+            break;
+          case 'get_findings':
+            result = getFindings(args);
+            break;
+          case 'suppress_finding':
+            result = suppressFinding(args);
+            break;
           default:
             return respondError(-32601, `Unknown tool: ${name}`);
         }

package/cli/commands/red-team.js

@@ -17,7 +17,7 @@ import fs from 'fs';
 import path from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
-import { buildOrchestrator } from '../agents/index.js';
+import { buildOrchestratorAsync } from '../agents/index.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { HTMLReporter } from '../agents/html-reporter.js';
@@ -39,7 +39,7 @@ export async function redTeamCommand(targetPath = '.', options = {}) {
   console.log();
 
   // ── 1. Run orchestrator ─────────────────────────────────────────────────────
-  const orchestrator = buildOrchestrator();
+  const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
 
   const agentFilter = options.agents
     ? options.agents.split(',').map(a => a.trim())

package/cli/commands/scan-mcp.js

@@ -109,6 +109,72 @@ const MCP_TOOL_PATTERNS = [
     severity: 'medium',
     target: 'any',
   },
+
+  // ── Hermes Agent: Function-Call Poisoning (ASI-03, ASI-05) ───────────────
+  {
+    name: 'Hermes: XML tool_call injection in description',
+    regex: /<tool_call>[\s\S]{0,300}<\/tool_call>/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description embeds a Hermes-format <tool_call> block — will be parsed and executed by agents consuming this manifest.',
+  },
+  {
+    name: 'Hermes: Function-call format injection',
+    regex: /<function_calls>[\s\S]{0,300}<\/function_calls>/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description embeds a <function_calls> block matching Hermes/Claude XML call format.',
+  },
+  {
+    name: 'Hermes: tool_choice manipulation',
+    regex: /tool_choice\s*[=:]\s*["']?(?:auto|any|none|required)["']?\s*(?:,|\}|$)/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Description attempts to override tool_choice routing, steering agent to call attacker-controlled tools.',
+  },
+  {
+    name: 'Hermes: Forced tool invocation via description',
+    regex: /(?:you\s+must\s+(?:call|invoke|use)\s+(?:the\s+)?tool|always\s+(?:call|invoke|run)\s+(?:the\s+)?(?:tool|function)|tool\s+MUST\s+be\s+(?:called|invoked|used))/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-03',
+    note: 'Instruction in tool description coerces the LLM agent into calling a specific tool, bypassing agent autonomy.',
+  },
+  {
+    name: 'Hermes: Schema bypass via additionalProperties',
+    regex: /"additionalProperties"\s*:\s*true/gi,
+    severity: 'high',
+    target: 'schema',
+    owasp: 'ASI-03',
+    note: 'Tool input schema allows arbitrary extra properties — attackers can inject undeclared parameters that bypass input validation.',
+  },
+  {
+    name: 'Hermes: Late binding via env-var registry URL',
+    regex: /(?:HERMES_REGISTRY_URL|AGENT_REGISTRY|TOOL_REGISTRY_URL|REGISTRY_ENDPOINT)\s*[=:]/gi,
+    severity: 'critical',
+    target: 'any',
+    owasp: 'ASI-05',
+    note: 'Tool definition references a runtime-resolved registry URL — attacker who controls the env var can swap the entire tool registry at execution time.',
+  },
+  {
+    name: 'Hermes: Namespace collision / tool shadowing',
+    regex: /(?:override\s+(?:existing\s+)?tool|shadow\s+tool|replace\s+(?:the\s+)?(?:existing\s+)?tool|re-register\s+tool)/gi,
+    severity: 'critical',
+    target: 'description',
+    owasp: 'ASI-05',
+    note: 'Description explicitly documents shadowing a previously registered tool — classic namespace collision attack.',
+  },
+  {
+    name: 'Hermes: Recursive sub-agent invocation in description',
+    regex: /(?:spawn\s+(?:a\s+)?(?:new\s+)?(?:sub[-\s]?agent|child[-\s]?agent|nested[-\s]?agent)|create\s+(?:a\s+)?(?:sub[-\s]?agent|child[-\s]?agent)|recursively\s+call\s+(?:agent|tool))/gi,
+    severity: 'high',
+    target: 'description',
+    owasp: 'ASI-02',
+    note: 'Description instructs the agent to spawn sub-agents — could lead to unbounded recursion or privilege escalation through child agents.',
+  },
 ];
 
 // Dangerous tool name keywords — flag tools whose names suggest shell/exec access
@@ -348,6 +414,18 @@ function analyzeToolDefinition(tool) {
     }
   }
 
+  // Check for additionalProperties: true at the top-level schema (schema bypass)
+  const topSchema = tool.inputSchema || tool.input_schema || {};
+  if (topSchema.additionalProperties === true) {
+    findings.push({
+      check: 'schema-analysis',
+      name: 'Hermes: Schema bypass — additionalProperties: true',
+      severity: 'high',
+      tool: name,
+      matched: 'Top-level inputSchema has additionalProperties: true — arbitrary params accepted',
+    });
+  }
+
   // Check for excessive required parameters (information harvesting)
   const required = tool.inputSchema?.required || tool.input_schema?.required || [];
   const properties = tool.inputSchema?.properties || tool.input_schema?.properties || {};