agentsentinel-cli 0.9.2__tar.gz → 0.9.3__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51)
  1. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/.gitignore +4 -0
  2. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/PKG-INFO +20 -8
  3. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/README.md +19 -7
  4. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/cli.py +625 -0
  5. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/__init__.py +0 -0
  6. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_auth.py +214 -0
  7. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_fuzz.py +183 -0
  8. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_inject.py +164 -0
  9. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_poison.py +215 -0
  10. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/mcp_recon.py +112 -0
  11. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/models.py +112 -0
  12. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/payloads.py +388 -0
  13. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/report.py +212 -0
  14. agentsentinel_cli-0.9.3/agentsentinel_cli/redteam/transport.py +493 -0
  15. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/pyproject.toml +9 -1
  16. agentsentinel_cli-0.9.2/publish.sh +0 -31
  17. agentsentinel_cli-0.9.2/tmp/note.md +0 -16
  18. agentsentinel_cli-0.9.2/tmp/publish.sh +0 -31
  19. agentsentinel_cli-0.9.2/tmp/pypi.md +0 -53
  20. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/README.md +0 -134
  21. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/langchain_agent.py +0 -178
  22. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/mcp_server.py +0 -245
  23. agentsentinel_cli-0.9.2/tmp/test-mcp-agent/requirements.txt +0 -16
  24. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/DOCUMENTATION.md +0 -0
  25. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/LICENSE +0 -0
  26. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/__init__.py +0 -0
  27. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_report.py +0 -0
  28. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_rules.py +0 -0
  29. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/a2a_scanner.py +0 -0
  30. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/discover.py +0 -0
  31. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/discover_report.py +0 -0
  32. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/fingerprint.py +0 -0
  33. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/frameworks.py +0 -0
  34. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_report.py +0 -0
  35. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_rules.py +0 -0
  36. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/host_scanner.py +0 -0
  37. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/inspect.py +0 -0
  38. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/inspect_report.py +0 -0
  39. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_client.py +0 -0
  40. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_report.py +0 -0
  41. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/mcp_rules.py +0 -0
  42. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/report.py +0 -0
  43. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/rules.py +0 -0
  44. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/scanner.py +0 -0
  45. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets.py +0 -0
  46. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets_report.py +0 -0
  47. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/secrets_rules.py +0 -0
  48. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_ai.py +0 -0
  49. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_report.py +0 -0
  50. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/supply_chain_rules.py +0 -0
  51. {agentsentinel_cli-0.9.2 → agentsentinel_cli-0.9.3}/agentsentinel_cli/suppress.py +0 -0
@@ -27,6 +27,10 @@ htmlcov/
27
27
  .env
28
28
  .env.*
29
29
 
30
+ # Publish scripts contain credentials — never commit
31
+ publish.sh
32
+ tmp/
33
+
30
34
  # Sentinel analyst memory (local state, not for commit)
31
35
  .sentinel/
32
36
 
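Review bot: ignoring `publish.sh` and `tmp/` going forward does not undo the earlier exposure: the file list shows `publish.sh` (31 lines) and `tmp/publish.sh` were shipped inside the 0.9.2 sdist, and the new comment states that publish scripts contain credentials, so any token those scripts held should be treated as public and rotated rather than just removed. A `.gitignore` entry also only keeps the files out of the sdist if the build backend honours it; confirm the `pyproject.toml` change adds an explicit sdist exclude for `publish.sh` and `tmp/` so a stray local copy cannot be packaged again.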
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: agentsentinel-cli
3
- Version: 0.9.2
3
+ Version: 0.9.3
4
4
  Summary: AI agent and MCP server security scanner — discovery, static analysis, supply chain audit, and multi-agent trust analysis
5
5
  Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel-cli
6
6
  Project-URL: Repository, https://github.com/jaydenaung/agentsentinel-cli
@@ -59,7 +59,7 @@ pipx install agentsentinel-cli
59
59
  | `sentinel secrets` | Are credentials or PII exposed in these files? |
60
60
  | `sentinel inspect` | What framework, model, and role is this agent? |
61
61
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
62
- | `sentinel host-scan` | What is my local AI security posture? |
62
+ | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
63
63
 
64
64
  ---
65
65
 
@@ -325,7 +325,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
325
325
 
326
326
  ### `sentinel host-scan` — local AI security posture audit
327
327
 
328
- Audits your machine's AI security posture without any network calls. Reads Claude Code and Claude Desktop configurations, shell credential files, macOS privacy permissions (TCC), system security settings, and running AI processes.
328
+ Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
329
+
330
+ Works on macOS, Linux, and Windows. No API key required.
329
331
 
330
332
  ```bash
331
333
  sentinel host-scan
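Review bot: the new line `Works on macOS, Linux, and Windows.` overstates coverage without a caveat: the checks documented further down (TCC permissions, SIP, FileVault, Gatekeeper) are macOS-specific, so on Linux and Windows only the config and shell-credential checks can run. Suggest `Works on macOS, Linux, and Windows (TCC and system-security checks are macOS-only).` so a clean report on another platform is not read as a full audit.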
@@ -335,9 +337,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
335
337
  ```
336
338
 
337
339
  **What it checks:**
338
- - **Claude Code** — `allowedTools` (Bash bypass), MCP server configs, shell hooks
340
+
341
+ *Anthropic tools*
342
+ - **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
339
343
  - **Claude Desktop** — MCP server configs
340
- - **Third-party AI tools** — Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.codeium/windsurf/mcp_config.json`), Continue.dev (`~/.continue/config.json`), Gemini CLI (`~/.gemini/settings.json`), VS Code (`mcp.servers` in `settings.json`) — all MCP server configs audited with the same rules
344
+
345
+ *Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
346
+ - **Cursor** — `~/.cursor/mcp.json`
347
+ - **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
348
+ - **Continue.dev** — `~/.continue/config.json`
349
+ - **Gemini CLI** — `~/.gemini/settings.json`
350
+ - **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
351
+
352
+ *Host security*
341
353
  - **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
342
354
  - **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
343
355
  - **macOS system security** — SIP, FileVault, Gatekeeper status
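Review bot: the tool list gives only home-directory config locations (`~/.cursor/mcp.json`, `~/.continue/config.json`, and so on); if any of these tools also reads a project-scoped MCP config from the current repository, this section should say whether the scanner looks there, because a workspace-level server with broad filesystem access would otherwise pass the audit unnoticed. Minor: the trailing `— MCP server configs audited with the same ... rules as Claude tools` clause turns the `*Third-party AI tools*` sub-heading into a run-on; move it to a sentence under the heading, matching `*Anthropic tools*` and `*Host security*`.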
@@ -351,15 +363,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
351
363
  | `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
352
364
  | `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
353
365
  | `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
354
- | `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
366
+ | `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
355
367
  | `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
356
368
  | `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
357
369
  | `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
358
370
  | `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
359
371
  | `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
360
372
  | `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
361
- | `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
362
- | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
373
+ | `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
374
+ | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
363
375
  | `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
364
376
  | `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
365
377
  | `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
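Review bot: `HOST_MANY_MCP_SERVERS` now counts `8+ MCP servers across all detected AI tools`, but the same server (same command and args) is commonly configured in several tools at once, so the count should be de-duplicated by command plus args before comparing against the threshold; otherwise three tools sharing three servers trip the rule as nine, and the "attack surface" figure in the finding overstates the real number of distinct servers. The row should state whether the threshold applies to distinct or to configured entries.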
@@ -25,7 +25,7 @@ pipx install agentsentinel-cli
25
25
  | `sentinel secrets` | Are credentials or PII exposed in these files? |
26
26
  | `sentinel inspect` | What framework, model, and role is this agent? |
27
27
  | `sentinel a2a` | Are multi-agent trust boundaries safe? |
28
- | `sentinel host-scan` | What is my local AI security posture? |
28
+ | `sentinel host-scan` | What is my local AI security posture across all AI tools? |
29
29
 
30
30
  ---
31
31
 
@@ -291,7 +291,9 @@ Covers **ASI07** (Insecure Inter-Agent Communication).
291
291
 
292
292
  ### `sentinel host-scan` — local AI security posture audit
293
293
 
294
- Audits your machine's AI security posture without any network calls. Reads Claude Code and Claude Desktop configurations, shell credential files, macOS privacy permissions (TCC), system security settings, and running AI processes.
294
+ Audits your machine's AI security posture without any network calls. Discovers and audits MCP server configurations across every major AI coding tool on the host — Claude Code, Claude Desktop, Cursor, Windsurf, Continue.dev, Gemini CLI, and VS Code — then checks shell credentials, macOS privacy permissions, system security settings, and running AI processes.
295
+
296
+ Works on macOS, Linux, and Windows. No API key required.
295
297
 
296
298
  ```bash
297
299
  sentinel host-scan
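Review bot: `Works on macOS, Linux, and Windows.` needs a note on how the config paths are resolved on Windows: every location documented in this section is written in POSIX home-directory form (`~/.cursor/mcp.json`, `~/.gemini/settings.json`, `.zshrc`/`.bashrc`), so a Windows user cannot tell whether the scanner expands `~` to the user profile, checks `%APPDATA%`-style locations, or simply finds nothing. State the per-OS paths, or say that Windows support currently covers only the listed `~`-relative files.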
@@ -301,9 +303,19 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
301
303
  ```
302
304
 
303
305
  **What it checks:**
304
- - **Claude Code** — `allowedTools` (Bash bypass), MCP server configs, shell hooks
306
+
307
+ *Anthropic tools*
308
+ - **Claude Code** — `allowedTools` (shell bypass), MCP server configs, shell hooks
305
309
  - **Claude Desktop** — MCP server configs
306
- - **Third-party AI tools** — Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.codeium/windsurf/mcp_config.json`), Continue.dev (`~/.continue/config.json`), Gemini CLI (`~/.gemini/settings.json`), VS Code (`mcp.servers` in `settings.json`) — all MCP server configs audited with the same rules
310
+
311
+ *Third-party AI tools* — MCP server configs audited with the same exfiltration, broad-filesystem, sensitive-path, and sprawl rules as Claude tools
312
+ - **Cursor** — `~/.cursor/mcp.json`
313
+ - **Windsurf** — `~/.codeium/windsurf/mcp_config.json`
314
+ - **Continue.dev** — `~/.continue/config.json`
315
+ - **Gemini CLI** — `~/.gemini/settings.json`
316
+ - **VS Code** — `mcp.servers` in `settings.json` (MCP support added in VS Code 1.99)
317
+
318
+ *Host security*
307
319
  - **Shell configs** — hardcoded AI API keys in `.zshrc`, `.bashrc`, `.zprofile`, etc.
308
320
  - **macOS TCC permissions** — Full Disk Access, Screen Recording, Accessibility granted to AI apps
309
321
  - **macOS system security** — SIP, FileVault, Gatekeeper status
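Review bot: the `(Bash bypass)` → `(shell bypass)` rename in the Claude Code bullet makes this list inconsistent with the rule table below, which still keys `HOST_SHELL_UNRESTRICTED` on the literal `Bash` in `allowedTools`; since the rule matches a specific tool name, keep `Bash` visible here too (for example `allowedTools` containing `Bash`, i.e. shell bypass) so users can grep their settings for it. The `MCP support added in VS Code 1.99` hint is useful; consider stating for all tools that a missing config file is reported as "not installed" rather than as a finding.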
@@ -317,15 +329,15 @@ sentinel host-scan --ignore-rule HOST_LARGE_MEMORY
317
329
  | `HOST_SHELL_UNRESTRICTED` | CRITICAL | config | `Bash` in `allowedTools` — shell runs without confirmation prompt |
318
330
  | `HOST_SIP_DISABLED` | CRITICAL | system | macOS System Integrity Protection is off |
319
331
  | `HOST_API_KEY_IN_SHELL` | HIGH | data_exposure | AI API keys hardcoded in shell config files |
320
- | `HOST_MCP_EXFIL_PATH` | HIGH | config | MCP server has both filesystem access and network capability |
332
+ | `HOST_MCP_EXFIL_PATH` | HIGH | config | Any AI tool's MCP server has both filesystem access and network capability |
321
333
  | `HOST_FDA_AI_APP` | HIGH | permissions | Full Disk Access granted to an AI app or its terminal |
322
334
  | `HOST_SCREEN_RECORDING_AI` | HIGH | permissions | Screen Recording permission granted to an AI app |
323
335
  | `HOST_AI_PROCESS_EXPOSED` | HIGH | network | AI-related process listening on a non-localhost interface |
324
336
  | `HOST_FILEVAULT_OFF` | HIGH | system | FileVault disk encryption is disabled |
325
337
  | `HOST_ACCESSIBILITY_AI` | MEDIUM | permissions | Accessibility permission granted to an AI app |
326
338
  | `HOST_HOOKS_SHELL` | MEDIUM | config | Claude Code shell hooks that could interpolate AI output |
327
- | `HOST_MCP_BROAD_FS` | MEDIUM | config | MCP server configured with home-dir or root-level path |
328
- | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
339
+ | `HOST_MCP_BROAD_FS` | MEDIUM | config | Any AI tool's MCP server configured with home-dir or root-level path |
340
+ | `HOST_MCP_SENSITIVE_PATH` | MEDIUM | config | Any AI tool's MCP server has access to `~/.ssh`, `~/.aws`, `~/.kube`, or Keychain |
329
341
  | `HOST_MANY_MCP_SERVERS` | MEDIUM | config | 8+ MCP servers across all detected AI tools — large prompt injection attack surface |
330
342
  | `HOST_GATEKEEPER_OFF` | MEDIUM | system | Gatekeeper disabled — unsigned binaries run without warning |
331
343
  | `HOST_LARGE_MEMORY` | LOW | data_exposure | Claude Code memory files exceed 50 MB of accumulated conversation data |
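Review bot: the three `Any AI tool's MCP server ...` rows do not say how "filesystem access" and "network capability" are inferred from a config entry (presumably from the server's command, args and env, since the scan makes no network calls); document the heuristic next to the table and note that servers launched through a generic runner such as `npx`, `uvx` or `docker` can only be classified by their arguments, so a reviewer knows these findings are static-config inferences and should expect some false positives and misses. `HOST_MANY_MCP_SERVERS` also reads as if it counted running servers; say "configured" explicitly.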