agent-audit-kit 0.3.2__tar.gz → 0.3.3__tar.gz

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/.github/workflows/cve-watcher.yml

@@ -25,13 +25,27 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: Fetch NVD MCP CVEs and diff against CHANGELOG.cves.md
+      - name: Restore cve-watcher state
+        uses: actions/cache@v4
+        with:
+          path: .aak/cve-watcher-state.json
+          key: cve-watcher-state-${{ github.repository }}
+          restore-keys: cve-watcher-state-
+
+      - name: Fetch NVD MCP CVEs and diff against CHANGELOG.cves.md + open issues
         id: diff
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           python3 scripts/cve_watcher.py > new_cves.json
-          test -s new_cves.json && echo "new_cves=true" >> "$GITHUB_OUTPUT" || echo "new_cves=false" >> "$GITHUB_OUTPUT"
+          # Treat bare "[]" as empty.
+          if [ "$(tr -d ' \n\t' < new_cves.json)" = "[]" ] || [ ! -s new_cves.json ]; then
+            echo "new_cves=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "new_cves=true" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: File response-tracking issue
         if: steps.diff.outputs.new_cves == 'true'

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/.gitignore

@@ -45,3 +45,6 @@ Thumbs.db
 benchmarks/data/
 benchmarks/results.json
 benchmarks/site/
+
+# v0.3.3: cve-watcher persistent state
+.aak/cve-watcher-state.json

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/CHANGELOG.cves.md

@@ -8,6 +8,16 @@ shipped-at timestamp. The GitHub Action `.github/workflows/cve-watcher.yml`
 diffs NVD's MCP keyword feed against this file and opens an
 `sla-48h`-labelled issue for anything new.
 
+## Shipped in v0.3.3 (2026-04-21)
+
+| CVE / Incident | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2026-39313 | [GitLab advisory](https://advisories.gitlab.com/npm/mcp-framework/CVE-2026-39313/) — mcp-framework < 0.2.22 HTTP-body DoS | **AAK-MCPFRAME-001** | 2026-04-21 | 5d (tracking issue → rule) |
+| CVE-2025-66335 | [Apache advisory](http://www.mail-archive.com/dev@doris.apache.org/msg11406.html) — apache-doris-mcp-server < 0.6.1 SQL injection | **AAK-DORIS-001** | 2026-04-21 | <48h |
+| OX-MCP-2026-04-15 (incident) | [OX Security](https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/) · Anthropic declined to CVE | **AAK-ANTHROPIC-SDK-001** (SDK-level), AAK-STDIO-001 (sink-level) | 2026-04-21 | 6d (design-class rule) |
+
+Deferred to v0.3.4 pending NVD resolution (records unresolvable during 2026-04-21 cycle): CVE-2026-6599 (#47), CVE-2026-39861 (#53).
+
 ## Shipped in v0.3.2 (2026-04-20)
 
 | CVE / Incident | Advisory | AAK rule(s) | Shipped | Latency |

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/CHANGELOG.md

@@ -5,6 +5,127 @@ All notable changes to AgentAuditKit are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.3] - 2026-04-21
+
+**Headline: mcp-framework + Apache Doris pin-checks, Anthropic MCP SDK
+STDIO hardening, CVE-watcher dedup, AICM density to ≥51%, CycloneDX
+AI-BOM emitter.**
+
+Clears the 48h SLA on CVE-2026-39313 and CVE-2025-66335, adds the
+SDK-level inheritance check the OX Security 2026-04-15 disclosure asked
+for, roots out the watcher regression that opened five copies of
+CVE-2026-6599, and lifts the AICM mapping density from a 7% starter to
+a real procurement-facing 63%.
+
+### Added — rule coverage (3 new rules, 148 → 151)
+
+- **AAK-MCPFRAME-001** (MEDIUM) — CVE-2026-39313, mcp-framework < 0.2.22
+  HTTP-body DoS. Detection: `package.json` pin-check + TS/JS regex for
+  `readRequestBody`-style chunk-concat accumulating into a string
+  without a `Content-Length` / `maxMessageSize` guard. Ships in a new
+  `scanners/transport_limits.py`. Strips `//` and `/* ... */` comments
+  before matching the size-guard regex so docstring mentions do not
+  spuriously suppress.
+- **AAK-DORIS-001** (HIGH) — CVE-2025-66335, apache-doris-mcp-server
+  < 0.6.1 SQL injection via query-context neutralization bypass.
+  Pin-check scans `requirements*.txt`, `pyproject.toml`,
+  `Pipfile(.lock)`, `poetry.lock`, `uv.lock`. Lives in
+  `scanners/supply_chain.py`.
+- **AAK-ANTHROPIC-SDK-001** (HIGH) — SDK-level STDIO sanitization
+  inheritance check covering the OX Security 2026-04-15 class.
+  Anthropic declined to CVE — "sanitization is the developer's
+  responsibility". Fires only when (a) an upstream MCP SDK is declared
+  in a manifest (Python `mcp`/`modelcontextprotocol`, TS
+  `@modelcontextprotocol/sdk`, Java `io.modelcontextprotocol:*`, Rust
+  equivalents), (b) a STDIO transport is exposed, and (c) no
+  sanitizer, HTTP opt-out, or documented risk acceptance is present.
+  Opt-out via `.agent-audit-kit.yml` with `accepts_stdio_risk: true`
+  plus a non-empty `justification:`. Ships in a new
+  `scanners/mcp_sdk_hardening.py`. Tagged
+  `incident_references=["OX-MCP-2026-04-15"]`.
+
+### Added — OWASP Agentic 2026 density floor
+
+- `tests/test_owasp_agentic_coverage.py` now enforces a **≥3 rules per
+  ASI slot** density floor (parametrized). The marketing claim
+  "OWASP Agentic Top 10: 10/10" is now backed by a test that fails
+  CI if any slot falls below three rules.
+- `AAK-A2A-003`, `AAK-A2A-011`, `AAK-A2A-012` gain `ASI08` tags
+  (Agent Communication Poisoning) — lifts ASI08 coverage from 1 rule
+  to 3.
+- `scripts/gen_owasp_coverage.py` additionally rewrites a
+  `<!-- owasp-coverage:start -->`…`<!-- owasp-coverage:end -->`
+  marker in `README.md` so the rendered coverage table stays in lockstep
+  with the code.
+
+### Added — CSA AICM density to ≥51%
+
+- `_AICM_TAGS` in `agent_audit_kit/rules/builtin.py` expands from 10
+  rules (7%) to **95 rules (63%)**, covering the SECRET-*, SUPPLY-*,
+  TRUST-*, TRANSPORT-*, A2A-*, POISON-*, TAINT-*, SSRF-*, OAUTH-*,
+  SKILL-*, MARKETPLACE-*, HOOK-*, and CVE-response families. Each
+  family maps to the canonical AICM control domain (DSP / IAM / STA /
+  CEK / AIS / LOG / IVS / CCC).
+- `tests/test_aicm.py` gets a **density floor assertion** — the suite
+  now fails CI if fewer than 75 rules carry an AICM tag.
+- `--compliance aicm` CSV output reflects the expanded mapping
+  automatically; no CLI change needed.
+
+### Added — CycloneDX AI-BOM emitter
+
+- `agent-audit-kit sbom --format aibom` emits a CycloneDX 1.5 AI/ML-BOM
+  on top of the existing SBOM primitive. Adds:
+  - `components` entries with `type: "machine-learning-model"` for each
+    detected vendor SDK (anthropic/Claude, openai/GPT, cohere/Command).
+  - A `formulation` block listing detected agent-platform SDKs
+    (LangChain, LangSmith, LangGraph, LangFuse, Helicone, Humanloop,
+    MCP SDK) with pURLs where the pin can be extracted.
+  - `metadata.properties`: `aak:rule-bundle-sha256` (pulled from
+    `rules.json.sha256` if present), `aak:aibom: "1"` marker, and one
+    `aak:incident-fired` per fired incident reference so the BOM can
+    double as attestation evidence.
+- Covered by `tests/test_cyclonedx_aibom.py`.
+
+### Fixed — CVE-response watcher dedup (Task A)
+
+- `scripts/cve_watcher.py` was only deduping against
+  `CHANGELOG.cves.md`. A CVE sitting in the SLA queue without a rule
+  yet never reached the changelog, so the 6-hourly cron re-opened it.
+  Over 48h this filed five copies of CVE-2026-6599 (#47/#48/#50/#52/#55)
+  and three of CVE-2025-66335.
+- Rewritten with three layers of dedup (any one suppresses):
+  1. `CHANGELOG.cves.md`.
+  2. Persistent `.aak/cve-watcher-state.json` (cached across workflow
+     runs via `actions/cache`).
+  3. Open `cve-response` issue titles + bodies via the GitHub REST API.
+- New `scripts/close_duplicate_cve_issues.py` groups existing open
+  `cve-response` issues by extracted CVE ID, keeps the lowest-numbered,
+  closes the rest with a cross-reference body. Ran against live repo
+  during this release: closed #48, #50, #51, #52, #54, #55, #56 (7
+  dups).
+- `.github/workflows/cve-watcher.yml` now wires `GITHUB_TOKEN` +
+  `GITHUB_REPOSITORY` into the diff step and restores the state file
+  from `actions/cache`.
+- Covered by `tests/test_cve_watcher_dedup.py` — five scenarios
+  including the observed "same CVE × 3 cron runs" replay.
+
+### Added — provenance plumbing
+
+- `CHANGELOG.cves.md` gains entries for CVE-2026-39313,
+  CVE-2025-66335, and the OX-MCP-2026-04-15 incident class.
+- `watch.py` parameter annotations updated from the string-form
+  `"callable | None"` to the proper `Callable[[int, list[Any]], None]`
+  (incidental mypy-1.x compatibility fix carried over from 0.3.2.1
+  hotfix).
+- `scanners/marketplace_manifest.py` ships the Python 3.10 `tomli`
+  fallback that made CI green for 0.3.2 — kept for 0.3.3.
+
+### Thanks
+
+OX Security for the 2026-04-15 "Mother of all AI supply chains"
+disclosure; Apache Doris for the 0.6.1 patch turnaround; the CSA AICM
+working group for publishing a v1 control catalog we can map to.
+
 ## [0.3.2] - 2026-04-20
 
 **Headline: MCPwn coverage + third-party OAuth-app surface + OWASP Agentic 2026 coverage proof.**

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agent-audit-kit
-Version: 0.3.2
+Version: 0.3.3
 Summary: Security scanner for MCP-connected AI agent pipelines
 Project-URL: Homepage, https://github.com/sattyamjjain/agent-audit-kit
 Project-URL: Repository, https://github.com/sattyamjjain/agent-audit-kit
@@ -42,7 +42,7 @@ Description-Content-Type: text/markdown
   <a href="https://pypi.org/project/agent-audit-kit/"><img src="https://img.shields.io/pypi/v/agent-audit-kit.svg" alt="PyPI"></a>
   <a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.9+-blue.svg" alt="Python 3.9+"></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
-  <a href="#what-it-scans"><img src="https://img.shields.io/badge/rules-148-blue.svg" alt="Rules: 148"></a>
+  <a href="#what-it-scans"><img src="https://img.shields.io/badge/rules-151-blue.svg" alt="Rules: 151"></a>
   <a href="#frameworks--standards"><img src="https://img.shields.io/badge/OWASP_Agentic-10%2F10-green.svg" alt="OWASP Agentic: 10/10"></a>
   <a href="#frameworks--standards"><img src="https://img.shields.io/badge/OWASP_MCP-10%2F10-green.svg" alt="OWASP MCP: 10/10"></a>
   <a href="https://sattyamjjain.github.io/agent-audit-kit/"><img src="https://img.shields.io/badge/MCP_Security_Index-live-blue.svg" alt="MCP Security Index"></a>
@@ -57,7 +57,7 @@ Description-Content-Type: text/markdown
 
 Security scanner for MCP-connected AI agent pipelines. Finds misconfigurations, hardcoded secrets, tool poisoning, rug pulls, trust boundary violations, and tainted data flows across **13 agent platforms**.
 
-- **<!-- rule-count:total -->148<!-- /rule-count --> rules** across 11 security categories, covering the 2026 CVE wave
+- **<!-- rule-count:total -->151<!-- /rule-count --> rules** across 11 security categories, covering the 2026 CVE wave
 - **28 scanner modules** including AST-based Python taint analysis and regex pattern scanners for TypeScript/JavaScript and Rust
 - **16 CLI commands**: `scan`, `discover`, `pin`, `verify`, `fix`, `score`, `update`, `proxy`, `kill`, `watch`, plus `export-rules`, `verify-bundle`, `sbom`, `report`, `install-precommit`, and the Security-Advisories scan flag
 - **OWASP coverage**: Agentic Top 10 (10/10), MCP Top 10 (10/10), Adversa AI Top 25
@@ -149,7 +149,7 @@ agent-audit-kit scan examples/vulnerable-configs/04-hook-exfiltration/
 | **Transport Security** | 4 | HTTP endpoints, TLS disabled, deprecated SSE, tokens in URL query strings |
 | **Legal Compliance** | 3 | Copyleft licenses (AGPL/SSPL), missing licenses, DMCA-flagged packages |
 
-**<!-- rule-count:total -->148<!-- /rule-count --> rules total.** Every finding includes severity, evidence, remediation, OWASP references, Adversa references, and CVE links where applicable.
+**<!-- rule-count:total -->151<!-- /rule-count --> rules total.** Every finding includes severity, evidence, remediation, OWASP references, Adversa references, and CVE links where applicable.
 
 ### Agent Platforms Scanned
 
@@ -304,8 +304,29 @@ Generate an SVG badge for your README: `agent-audit-kit score . --badge`
 
 | Framework | Coverage |
 |-----------|----------|
-| **OWASP Agentic Top 10** (ASI01-ASI10) | 10/10 (100%) |
+| **OWASP Agentic Top 10** (ASI01-ASI10) | 10/10 (100%) — density by slot below |
 | **OWASP MCP Top 10** (MCP01-MCP10) | 10/10 (100%) |
+
+<details>
+<summary>OWASP Agentic Top 10 — density by slot</summary>
+
+<!-- owasp-coverage:start -->
+| ASI | Title | # rules |
+| --- | --- | --- |
+| **ASI01** | Goal Hijack | 7 |
+| **ASI02** | Tool Misuse | 12 |
+| **ASI03** | Memory Poisoning | 42 |
+| **ASI04** | Identity & Privilege Abuse | 20 |
+| **ASI05** | Cascading Failures | 25 |
+| **ASI06** | Unauthorized Capability Acquisition | 23 |
+| **ASI07** | Plan Injection | 9 |
+| **ASI08** | Agent Communication Poisoning | 4 |
+| **ASI09** | Resource Abuse | 5 |
+| **ASI10** | Supply-Chain | 5 |
+<!-- owasp-coverage:end -->
+
+</details>
+
 | **Adversa AI MCP Security Top 25** | Fully mapped |
 | **EU AI Act** | `--compliance eu-ai-act` |
 | **SOC 2 Type II** | `--compliance soc2` |
@@ -338,7 +359,7 @@ See [`docs/comparisons.md`](docs/comparisons.md) for a fully-sourced version. Ve
 | Feature | AgentAuditKit | Microsoft AGT | Snyk Agent Scan | Semgrep Multimodal |
 |---------|:---:|:---:|:---:|:---:|
 | Scope | Static scanner + compliance PDFs | Runtime governance | Static + runtime | Multimodal SAST |
-| Detection rules (static) | **<!-- rule-count:total -->148<!-- /rule-count -->** | Runtime policies, not rules | ~30 | LLM-assisted |
+| Detection rules (static) | **<!-- rule-count:total -->151<!-- /rule-count -->** | Runtime policies, not rules | ~30 | LLM-assisted |
 | OWASP Agentic 10/10 | **Yes** | Yes | Partial | Partial |
 | OWASP MCP 10/10 | **Yes** | No (runtime-focused) | No | No |
 | Auditor-ready PDF compliance | **11 frameworks** | No | 0 | 0 |

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/README.md

@@ -8,7 +8,7 @@
   <a href="https://pypi.org/project/agent-audit-kit/"><img src="https://img.shields.io/pypi/v/agent-audit-kit.svg" alt="PyPI"></a>
   <a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.9+-blue.svg" alt="Python 3.9+"></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
-  <a href="#what-it-scans"><img src="https://img.shields.io/badge/rules-148-blue.svg" alt="Rules: 148"></a>
+  <a href="#what-it-scans"><img src="https://img.shields.io/badge/rules-151-blue.svg" alt="Rules: 151"></a>
   <a href="#frameworks--standards"><img src="https://img.shields.io/badge/OWASP_Agentic-10%2F10-green.svg" alt="OWASP Agentic: 10/10"></a>
   <a href="#frameworks--standards"><img src="https://img.shields.io/badge/OWASP_MCP-10%2F10-green.svg" alt="OWASP MCP: 10/10"></a>
   <a href="https://sattyamjjain.github.io/agent-audit-kit/"><img src="https://img.shields.io/badge/MCP_Security_Index-live-blue.svg" alt="MCP Security Index"></a>
@@ -23,7 +23,7 @@
 
 Security scanner for MCP-connected AI agent pipelines. Finds misconfigurations, hardcoded secrets, tool poisoning, rug pulls, trust boundary violations, and tainted data flows across **13 agent platforms**.
 
-- **<!-- rule-count:total -->148<!-- /rule-count --> rules** across 11 security categories, covering the 2026 CVE wave
+- **<!-- rule-count:total -->151<!-- /rule-count --> rules** across 11 security categories, covering the 2026 CVE wave
 - **28 scanner modules** including AST-based Python taint analysis and regex pattern scanners for TypeScript/JavaScript and Rust
 - **16 CLI commands**: `scan`, `discover`, `pin`, `verify`, `fix`, `score`, `update`, `proxy`, `kill`, `watch`, plus `export-rules`, `verify-bundle`, `sbom`, `report`, `install-precommit`, and the Security-Advisories scan flag
 - **OWASP coverage**: Agentic Top 10 (10/10), MCP Top 10 (10/10), Adversa AI Top 25
@@ -115,7 +115,7 @@ agent-audit-kit scan examples/vulnerable-configs/04-hook-exfiltration/
 | **Transport Security** | 4 | HTTP endpoints, TLS disabled, deprecated SSE, tokens in URL query strings |
 | **Legal Compliance** | 3 | Copyleft licenses (AGPL/SSPL), missing licenses, DMCA-flagged packages |
 
-**<!-- rule-count:total -->148<!-- /rule-count --> rules total.** Every finding includes severity, evidence, remediation, OWASP references, Adversa references, and CVE links where applicable.
+**<!-- rule-count:total -->151<!-- /rule-count --> rules total.** Every finding includes severity, evidence, remediation, OWASP references, Adversa references, and CVE links where applicable.
 
 ### Agent Platforms Scanned
 
@@ -270,8 +270,29 @@ Generate an SVG badge for your README: `agent-audit-kit score . --badge`
 
 | Framework | Coverage |
 |-----------|----------|
-| **OWASP Agentic Top 10** (ASI01-ASI10) | 10/10 (100%) |
+| **OWASP Agentic Top 10** (ASI01-ASI10) | 10/10 (100%) — density by slot below |
 | **OWASP MCP Top 10** (MCP01-MCP10) | 10/10 (100%) |
+
+<details>
+<summary>OWASP Agentic Top 10 — density by slot</summary>
+
+<!-- owasp-coverage:start -->
+| ASI | Title | # rules |
+| --- | --- | --- |
+| **ASI01** | Goal Hijack | 7 |
+| **ASI02** | Tool Misuse | 12 |
+| **ASI03** | Memory Poisoning | 42 |
+| **ASI04** | Identity & Privilege Abuse | 20 |
+| **ASI05** | Cascading Failures | 25 |
+| **ASI06** | Unauthorized Capability Acquisition | 23 |
+| **ASI07** | Plan Injection | 9 |
+| **ASI08** | Agent Communication Poisoning | 4 |
+| **ASI09** | Resource Abuse | 5 |
+| **ASI10** | Supply-Chain | 5 |
+<!-- owasp-coverage:end -->
+
+</details>
+
 | **Adversa AI MCP Security Top 25** | Fully mapped |
 | **EU AI Act** | `--compliance eu-ai-act` |
 | **SOC 2 Type II** | `--compliance soc2` |
@@ -304,7 +325,7 @@ See [`docs/comparisons.md`](docs/comparisons.md) for a fully-sourced version. Ve
 | Feature | AgentAuditKit | Microsoft AGT | Snyk Agent Scan | Semgrep Multimodal |
 |---------|:---:|:---:|:---:|:---:|
 | Scope | Static scanner + compliance PDFs | Runtime governance | Static + runtime | Multimodal SAST |
-| Detection rules (static) | **<!-- rule-count:total -->148<!-- /rule-count -->** | Runtime policies, not rules | ~30 | LLM-assisted |
+| Detection rules (static) | **<!-- rule-count:total -->151<!-- /rule-count -->** | Runtime policies, not rules | ~30 | LLM-assisted |
 | OWASP Agentic 10/10 | **Yes** | Yes | Partial | Partial |
 | OWASP MCP 10/10 | **Yes** | No (runtime-focused) | No | No |
 | Auditor-ready PDF compliance | **11 frameworks** | No | 0 | 0 |

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/action.yml

@@ -1,5 +1,5 @@
 name: 'AgentAuditKit MCP Security Scan'
-description: 'AgentAuditKit — MCP Security Scan (148 rules, OWASP Agentic Top 10 + MCP Top 10)'
+description: 'AgentAuditKit — MCP Security Scan (151 rules, OWASP Agentic Top 10 + MCP Top 10)'
 author: 'sattyamjjain'
 
 branding:

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/agent_audit_kit/__init__.py

@@ -1,5 +1,5 @@
 """AgentAuditKit — Security scanner for MCP-connected AI agent pipelines."""
 from __future__ import annotations
 
-__version__ = "0.3.2"
-RULE_COUNT = 148
+__version__ = "0.3.3"
+RULE_COUNT = 151

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/agent_audit_kit/cli.py

@@ -705,18 +705,37 @@ def verify_bundle_cmd(bundle: str, sig_path: str | None) -> None:
 @click.option(
     "--format",
     "sbom_format",
-    type=click.Choice(["cyclonedx", "spdx"]),
+    type=click.Choice(["cyclonedx", "spdx", "aibom"]),
     default="cyclonedx",
-    help="SBOM format.",
+    help=(
+        "SBOM format. `cyclonedx` + `spdx` are standard SBOMs; `aibom` "
+        "emits a CycloneDX 1.5 AI/ML-BOM with machine-learning-model "
+        "components, detected agent-platform SDKs, and rule-bundle "
+        "provenance properties."
+    ),
 )
 @click.option("--output", "-o", "output_file", type=click.Path(), default=None,
               help="Write SBOM to file (defaults to stdout).")
 def sbom_cmd(path: str, sbom_format: str, output_file: str | None) -> None:
-    """Emit a CycloneDX 1.5 or SPDX 2.3 SBOM for the project's MCP dependencies."""
+    """Emit a CycloneDX 1.5 / SPDX 2.3 SBOM or a CycloneDX AI-BOM (`--format aibom`)."""
     from agent_audit_kit.output.sbom import emit_cyclonedx, emit_spdx
 
     project = Path(path)
-    payload = emit_cyclonedx(project) if sbom_format == "cyclonedx" else emit_spdx(project)
+    if sbom_format == "spdx":
+        payload = emit_spdx(project)
+    elif sbom_format == "aibom":
+        # Best-effort: pull the shipped rule-bundle hash if the user has
+        # the file committed locally; don't fail the emit if it's absent.
+        sha256_path = project / "rules.json.sha256"
+        rule_hash: str | None = None
+        if sha256_path.is_file():
+            try:
+                rule_hash = sha256_path.read_text(encoding="utf-8").split()[0]
+            except OSError:
+                rule_hash = None
+        payload = emit_cyclonedx(project, aibom=True, rule_bundle_sha256=rule_hash)
+    else:
+        payload = emit_cyclonedx(project)
     if output_file:
         Path(output_file).write_text(payload, encoding="utf-8")
         click.echo(f"SBOM written to {output_file}", err=True)

{agent_audit_kit-0.3.2 → agent_audit_kit-0.3.3}/agent_audit_kit/engine.py

@@ -51,6 +51,8 @@ _OPTIONAL_SCANNERS: list[tuple[str, str, list[str]]] = [
     ("log_injection", "MCP tool log-injection (CVE-2026-6494)", []),
     ("mcp_middleware", "MCPwn twin-route middleware asymmetry (CVE-2026-33032)", []),
     ("oauth_surface", "Third-party OAuth surface (VERCEL-2026-04-19)", []),
+    ("transport_limits", "Transport body-size limits (CVE-2026-39313)", []),
+    ("mcp_sdk_hardening", "Upstream MCP SDK STDIO hardening (OX-MCP-2026-04-15)", []),
 ]