agent-audit-kit 0.3.0__tar.gz → 0.3.2__tar.gz

agent_audit_kit-0.3.2/.github/workflows/docker-nightly.yml

@@ -0,0 +1,74 @@
+name: Docker nightly rebuild
+
+# Closes C13 — scheduled rebuild so the :latest and :nightly tags pick up
+# base-image security patches without waiting for a release tag.
+
+on:
+  schedule:
+    - cron: "23 3 * * *"   # 03:23 UTC daily (off-peak; random minute per fleet-hygiene)
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Compute tag set
+        id: tags
+        run: |
+          date_tag=$(date -u +%Y%m%d)
+          echo "date_tag=${date_tag}" >> "$GITHUB_OUTPUT"
+
+      - name: Build + push (latest + nightly + date tag)
+        id: push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          pull: true           # force re-pull of base image to catch upstream patches
+          no-cache: true       # avoid cached base-image layers
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:latest
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly-${{ steps.tags.outputs.date_tag }}
+          labels: |
+            org.opencontainers.image.title=AgentAuditKit
+            org.opencontainers.image.description=Security scanner for MCP-connected AI agent pipelines
+            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/agent-audit-kit
+            org.opencontainers.image.licenses=MIT
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trivy scan (fail if new CRITICAL/HIGH in base image)
+        uses: aquasecurity/trivy-action@master
+        continue-on-error: true
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly
+          format: sarif
+          output: trivy-nightly.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy SARIF to Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-nightly.sarif
+          category: trivy-nightly

agent_audit_kit-0.3.2/.github/workflows/mcp-security-index.yml

@@ -0,0 +1,87 @@
+name: MCP Security Index — weekly snapshot
+
+# Closes B4 / #25: MkDocs docs live at gh-pages/docs/, MCP Security
+# Index at gh-pages/. Replaces the broken .github/workflows/docs.yml
+# (stale deploy-pages SHA) with a single deploy pipeline.
+
+on:
+  schedule:
+    - cron: "11 7 * * 1"   # Mondays, 07:11 UTC
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - ".github/workflows/mcp-security-index.yml"
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  snapshot:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install agent-audit-kit + MkDocs
+        run: |
+          pip install -e .
+          pip install mkdocs mkdocs-material
+
+      # ---- MCP Security Index (only on schedule / manual dispatch) ----
+      - name: Crawl public MCP servers
+        if: github.event_name != 'push'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p benchmarks/data
+          python benchmarks/crawler.py --limit 500 --output benchmarks/results.json
+
+      - name: Build MCP Security Index site
+        if: github.event_name != 'push'
+        run: python benchmarks/index_builder.py --input benchmarks/results.json --site-dir benchmarks/site --clean
+
+      # ---- MkDocs ----
+      - name: Build MkDocs
+        run: mkdocs build -d docs_build
+
+      # ---- Assemble gh-pages payload: index/ at root, docs at /docs/ ----
+      - name: Fetch prior gh-pages state (so we preserve the index on docs-only pushes)
+        run: |
+          git fetch origin gh-pages:gh-pages-remote || echo "no existing gh-pages branch"
+          mkdir -p pages_staging
+          if git show-ref --verify --quiet refs/heads/gh-pages-remote; then
+            git --work-tree=pages_staging checkout gh-pages-remote -- . || true
+          fi
+
+      - name: Stage payload
+        run: |
+          # docs always rebuilt from latest main
+          rm -rf pages_staging/docs
+          mv docs_build pages_staging/docs
+          # index only refreshed on schedule / dispatch
+          if [ -d benchmarks/site ]; then
+            cp -r benchmarks/site/. pages_staging/
+          fi
+          # .nojekyll so GitHub Pages serves the raw HTML
+          touch pages_staging/.nojekyll
+
+      - name: Publish to gh-pages
+        run: |
+          cd pages_staging
+          git init -q
+          git config user.name 'mcp-security-index'
+          git config user.email 'mcp-security-index@users.noreply.github.com'
+          git checkout -b gh-pages
+          git add .
+          git commit -q -m "snapshot: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          git remote add origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          git push --force origin gh-pages

{agent_audit_kit-0.3.0 → agent_audit_kit-0.3.2}/.github/workflows/release.yml

@@ -12,10 +12,36 @@ permissions:
   attestations: write
 
 jobs:
+  # --------------------------------------------------------------------------
+  # 0. Gate: refuse to release while any sla-48h CVE-response issue is open.
+  #    Implements CLAUDE_PROMPT.md §5(1) — "blocks release until the issue
+  #    is closed". (C14)
+  # --------------------------------------------------------------------------
+  cve-response-gate:
+    name: CVE-response gate
+    runs-on: ubuntu-latest
+    permissions:
+      issues: read
+      contents: read
+    steps:
+      - name: Block release if open cve-response issues exist
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          count=$(gh issue list --repo "$GITHUB_REPOSITORY" --label sla-48h --state open --json number --jq length)
+          if [ "$count" != "0" ]; then
+            echo "::error ::cve-response gate: $count open sla-48h issue(s). Close them (or resolve with patch-release) before tagging."
+            gh issue list --repo "$GITHUB_REPOSITORY" --label sla-48h --state open
+            exit 1
+          fi
+          echo "cve-response gate: clean — 0 open sla-48h issues."
+
   # --------------------------------------------------------------------------
   # 1. Publish to PyPI using trusted publishing (OIDC)
   # --------------------------------------------------------------------------
   pypi:
+    needs: cve-response-gate
     name: Publish to PyPI
     runs-on: ubuntu-latest
     environment:
@@ -24,10 +50,10 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'
 
@@ -45,6 +71,7 @@ jobs:
   # --------------------------------------------------------------------------
   docker:
     name: Push Docker image to GHCR
+    needs: cve-response-gate
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -52,13 +79,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -69,14 +96,14 @@ jobs:
         run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
 
       - name: Build image for scanning
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@v5
         with:
           context: .
           load: true
           tags: agent-audit-kit:scan
 
       - name: Scan Docker image with Trivy
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@master
         with:
           image-ref: agent-audit-kit:scan
           format: sarif
@@ -85,7 +112,7 @@ jobs:
 
       - name: Build and push
         id: push
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
@@ -102,7 +129,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Generate SLSA provenance attestation
-        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        uses: actions/attest-build-provenance@v2
         with:
           subject-name: ghcr.io/sattyamjjain/agent-audit-kit
           subject-digest: ${{ steps.push.outputs.digest }}
@@ -113,15 +140,16 @@ jobs:
   # --------------------------------------------------------------------------
   bundle-and-sign:
     name: Rule bundle + SBOM (Sigstore)
+    needs: cve-response-gate
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'
 
@@ -146,6 +174,14 @@ jobs:
             rules.json
             sbom.cdx.json
             sbom.spdx.json
+          # Keep sigs in the workflow; we attach them ourselves in github-release.
+          release-signing-artifacts: false
+          upload-signing-artifacts: true
+
+      - name: Verify sigstore outputs landed
+        run: |
+          ls -la ./*.sigstore* || true
+          ls -la ./rules.json ./sbom.cdx.json ./sbom.spdx.json
 
       - name: Upload signed artifacts
         uses: actions/upload-artifact@v4
@@ -157,6 +193,9 @@ jobs:
             sbom.cdx.json
             sbom.spdx.json
             *.sigstore
+            *.sigstore.json
+            *.sig
+          if-no-files-found: warn
 
   # --------------------------------------------------------------------------
   # 4. Create GitHub Release with auto-generated notes + signed bundle
@@ -168,7 +207,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@v4
 
       - name: Download signed artifacts
         uses: actions/download-artifact@v4
@@ -177,7 +216,7 @@ jobs:
           path: signed
 
       - name: Create release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           files: |
@@ -186,6 +225,8 @@ jobs:
             signed/sbom.cdx.json
             signed/sbom.spdx.json
             signed/*.sigstore
+            signed/*.sigstore.json
+            signed/*.sig
           body: |
             ## Installation
 

agent_audit_kit-0.3.2/.github/workflows/sync-rule-count.yml

@@ -0,0 +1,60 @@
+name: Sync rule count
+
+# Keeps README badge + action.yml description + __init__.RULE_COUNT in
+# lockstep with the rule bundle. Runs on every push to main that touches
+# rules.json or the rule source, then commits the bumped files back if
+# anything drifted.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - rules.json
+      - agent_audit_kit/rules/**
+      - agent_audit_kit/bundle.py
+      - scripts/sync_rule_count.py
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    if: github.actor != 'github-actions[bot]'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install agent-audit-kit
+        run: pip install -e .
+
+      - name: Regenerate bundle + sync surfaces
+        id: sync
+        run: python scripts/sync_rule_count.py --regenerate
+
+      - name: Check for drift
+        id: diff
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            git diff --stat
+          fi
+
+      - name: Commit
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          git config user.name 'agent-audit-kit-bot'
+          git config user.email 'agent-audit-kit-bot@users.noreply.github.com'
+          git add rules.json README.md action.yml agent_audit_kit/__init__.py
+          git commit -m "chore(rule-count): auto-sync after rules.json change"
+          git push

{agent_audit_kit-0.3.0 → agent_audit_kit-0.3.2}/.gitignore

@@ -44,3 +44,4 @@ Thumbs.db
 # Benchmark data (downloaded configs)
 benchmarks/data/
 benchmarks/results.json
+benchmarks/site/

agent_audit_kit-0.3.2/.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+# Pre-commit hooks run against this repo.
+# Install once:
+#   pip install pre-commit && pre-commit install
+#
+# To skip (e.g. emergency commits): `git commit --no-verify`.
+repos:
+  # ---------------------------------------------------------------------
+  # Local: block rule-count drift at commit time.
+  # ---------------------------------------------------------------------
+  - repo: local
+    hooks:
+      - id: aak-sync-rule-count
+        name: AAK — rule count in lockstep with rules.json
+        entry: python scripts/sync_rule_count.py --check
+        language: system
+        pass_filenames: false
+        files: "^(rules\\.json|README\\.md|action\\.yml|agent_audit_kit/rules/|agent_audit_kit/__init__\\.py$)"
+
+  # ---------------------------------------------------------------------
+  # Upstream lint / format.
+  # ---------------------------------------------------------------------
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.4
+    hooks:
+      - id: ruff
+        args: [--fix]

agent_audit_kit-0.3.2/CHANGELOG.cves.md

@@ -0,0 +1,59 @@
+# AAK Response SLA — CVE-to-Rule Ledger
+
+We publicly commit to shipping rule coverage for every disclosed MCP CVE
+within **48 hours of NVD disclosure**. This file is the audit trail.
+
+Format: one line per CVE, `CVE-YYYY-NNNNN` → `AAK-XXX-NNN` with the
+shipped-at timestamp. The GitHub Action `.github/workflows/cve-watcher.yml`
+diffs NVD's MCP keyword feed against this file and opens an
+`sla-48h`-labelled issue for anything new.
+
+## Shipped in v0.3.2 (2026-04-20)
+
+| CVE / Incident | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2026-33032 (MCPwn, KEV) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33032) — nginx-ui, CVSS 9.8 | **AAK-MCPWN-001** (primary) · AAK-MCP-011/012/020 (secondary, retained) | 2026-04-20 | targeted follow-up 4d after PoC |
+| CVE-2026-40933 | [GHSA-c9gw-hvqq-f33r](https://github.com/advisories/GHSA-c9gw-hvqq-f33r) — Flowise MCP adapter, CVSS 10.0 | AAK-FLOWISE-001 (primary) · AAK-STDIO-001 (architectural class) | 2026-04-20 | <48h |
+| VERCEL-2026-04-19 (incident) | [Vercel bulletin](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident) | AAK-OAUTH-SCOPE-001, AAK-OAUTH-3P-001 | 2026-04-20 | <24h |
+| MCPWN-2026-04-16 (incident) | [Rapid7 ETR](https://www.rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication/) | AAK-MCPWN-001 | 2026-04-20 | 4d (targeted) |
+
+## Shipped in v0.3.1 (2026-04-19)
+
+| CVE | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2026-30615 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-30615) (Windsurf, CVSS 8.0) | AAK-STDIO-001, AAK-WINDSURF-001 | 2026-04-19 | <48h |
+| CVE-2026-35402 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-35402) (mcp-neo4j-cypher, CVSS 2.3) | AAK-NEO4J-001 | 2026-04-19 | <48h |
+| CVE-2026-35603 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-35603) (Claude Code Windows, CVSS 5.4) | AAK-CLAUDE-WIN-001 | 2026-04-19 | <48h |
+| CVE-2026-6494  | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-6494)  (AAP MCP log injection, CVSS 5.3) | AAK-LOGINJ-001 | 2026-04-19 | <48h |
+
+### Ox Security architectural class (Apr 16 2026 disclosure)
+
+AAK-STDIO-001 closes this whole family with a single AST-based
+detection in `scanners/stdio_injection.py`:
+
+| CVE | Product |
+|---|---|
+| CVE-2025-65720 | GPT Researcher |
+| CVE-2026-26015 | DocsGPT |
+| CVE-2026-30615 | Windsurf |
+| CVE-2026-30617 | Langchain-Chatchat |
+| CVE-2026-30618 | Fay Framework |
+| CVE-2026-30623 | LiteLLM |
+| CVE-2026-30624 | Agent Zero |
+| CVE-2026-30625 | Upsonic |
+| CVE-2026-33224 | Bisheng / Jaaz |
+
+Source: <https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/>
+
+## Shipped in v0.3.0
+
+| CVE | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2025-59536 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | AAK-HOOK-RCE-001, AAK-HOOK-RCE-002, AAK-HOOK-RCE-003 | 2026-04-18 | retroactive |
+| CVE-2026-33032 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33032) | AAK-MCP-011, AAK-MCP-012, AAK-MCP-020 | 2026-04-18 | retroactive |
+| CVE-2026-34070 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-34070) | AAK-LANGCHAIN-001, AAK-LANGCHAIN-002 | 2026-04-18 | retroactive |
+| CVE-2025-68664 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-68664) | AAK-LANGCHAIN-003 | 2026-04-18 | retroactive |
+
+## Open (48h SLA ticking)
+
+_none — file response-tracking issues get posted here when the SLA fires._