apm-cli 0.8.0__tar.gz → 0.8.1__tar.gz

{apm_cli-0.8.0/src/apm_cli.egg-info → apm_cli-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: apm-cli
-Version: 0.8.0
+Version: 0.8.1
 Summary: MCP configuration tool
 Author-email: Daniel Meppiel <user@example.com>
 License: MIT License
@@ -88,7 +88,7 @@ dependencies:
     # Specific agent primitives from any repository
     - github/awesome-copilot/agents/api-architect.agent.md
     # A full APM package with instructions, skills, prompts, hooks...
-    - microsoft/apm-sample-package
+    - microsoft/apm-sample-package#v1.0.0
 ```
 
 ```bash
@@ -149,7 +149,7 @@ pip install apm-cli
 Then start adding packages:
 
 ```bash
-apm install microsoft/apm-sample-package
+apm install microsoft/apm-sample-package#v1.0.0
 ```
 
 See the **[Getting Started guide](https://microsoft.github.io/apm/getting-started/quick-start/)** for the full walkthrough.

{apm_cli-0.8.0 → apm_cli-0.8.1}/README.md

@@ -27,7 +27,7 @@ dependencies:
     # Specific agent primitives from any repository
     - github/awesome-copilot/agents/api-architect.agent.md
     # A full APM package with instructions, skills, prompts, hooks...
-    - microsoft/apm-sample-package
+    - microsoft/apm-sample-package#v1.0.0
 ```
 
 ```bash
@@ -88,7 +88,7 @@ pip install apm-cli
 Then start adding packages:
 
 ```bash
-apm install microsoft/apm-sample-package
+apm install microsoft/apm-sample-package#v1.0.0
 ```
 
 See the **[Getting Started guide](https://microsoft.github.io/apm/getting-started/quick-start/)** for the full walkthrough.

{apm_cli-0.8.0 → apm_cli-0.8.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "apm-cli"
-version = "0.8.0"
+version = "0.8.1"
 description = "MCP configuration tool"
 readme = "README.md"
 requires-python = ">=3.10"

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/adapters/client/base.py

@@ -1,7 +1,10 @@
 """Base adapter interface for MCP clients."""
 
+import re
 from abc import ABC, abstractmethod
 
+_INPUT_VAR_RE = re.compile(r"\$\{input:([^}]+)\}")
+
 
 class MCPClientAdapter(ABC):
     """Base adapter for MCP clients."""
@@ -84,3 +87,33 @@ class MCPClientAdapter(ABC):
             return "nuget"
 
         return ""
+
+    @staticmethod
+    def _warn_input_variables(mapping, server_name, runtime_label):
+        """Emit a warning for each ``${input:...}`` reference found in *mapping*.
+
+        Runtimes that do not support VS Code-style input prompts (Copilot CLI,
+        Codex CLI, etc.) should call this so users know their placeholders
+        will not be resolved at runtime.
+
+        Args:
+            mapping (dict): Header or env dict to scan.
+            server_name (str): Server name for the warning message.
+            runtime_label (str): Human-readable runtime name (e.g. "Copilot CLI").
+        """
+        if not mapping:
+            return
+        seen: set = set()
+        for value in mapping.values():
+            if not isinstance(value, str):
+                continue
+            for match in _INPUT_VAR_RE.finditer(value):
+                var_id = match.group(1)
+                if var_id in seen:
+                    continue
+                seen.add(var_id)
+                print(
+                    f"[!]  Warning: ${{input:{var_id}}} in server "
+                    f"'{server_name}' will not be resolved \u2014 "
+                    f"{runtime_label} does not support input variable prompts"
+                )

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/adapters/client/codex.py

@@ -181,6 +181,7 @@ class CodexClientAdapter(MCPClientAdapter):
             config["args"] = raw["args"]
             if raw.get("env"):
                 config["env"] = raw["env"]
+                self._warn_input_variables(raw["env"], server_info.get("name", ""), "Codex CLI")
             return config
         
         # Note: Remote servers (SSE type) are handled in configure_mcp_server and rejected early
@@ -218,10 +219,24 @@ class CodexClientAdapter(MCPClientAdapter):
                 # Generate command and args based on package type
                 if registry_name == "npm":
                     config["command"] = runtime_hint or "npx"
-                    # Always include package name; filter duplicates from legacy runtime_arguments
                     all_args = processed_runtime_args + processed_package_args
-                    extra_args = [a for a in all_args if a != package_name] if all_args else []
-                    config["args"] = ["-y", package_name] + extra_args
+                    if all_args:
+                        # If runtime_arguments already include the package (bare or
+                        # versioned), use them as-is — they are authoritative from
+                        # the registry and may carry a version pin.
+                        has_pkg = any(
+                            a == package_name or a.startswith(f"{package_name}@")
+                            for a in all_args
+                        )
+                        if has_pkg:
+                            config["args"] = all_args
+                        else:
+                            # Legacy: runtime_arguments don't mention the package,
+                            # prepend -y + bare name ourselves.
+                            extra_args = [a for a in all_args if a != "-y"]
+                            config["args"] = ["-y", package_name] + extra_args
+                    else:
+                        config["args"] = ["-y", package_name]
                     # For NPM packages, also use env block for environment variables
                     if resolved_env:
                         config["env"] = resolved_env

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/adapters/client/copilot.py

@@ -173,6 +173,7 @@ class CopilotClientAdapter(MCPClientAdapter):
             config["args"] = raw["args"]
             if raw.get("env"):
                 config["env"] = raw["env"]
+                self._warn_input_variables(raw["env"], server_info.get("name", ""), "Copilot CLI")
             # Apply tools override if present
             tools_override = server_info.get("_apm_tools_override")
             if tools_override:
@@ -218,6 +219,10 @@ class CopilotClientAdapter(MCPClientAdapter):
                         resolved_value = self._resolve_env_variable(header_name, header_value, env_overrides)
                         config["headers"][header_name] = resolved_value
 
+            # Warn about unresolvable ${input:...} references in headers
+            if config.get("headers"):
+                self._warn_input_variables(config["headers"], server_info.get("name", ""), "Copilot CLI")
+
             # Apply tools override from MCP dependency overlay if present
             tools_override = server_info.get("_apm_tools_override")
             if tools_override:

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/adapters/client/vscode.py

@@ -8,7 +8,7 @@ https://code.visualstudio.com/docs/copilot/chat/mcp-servers
 import json
 import os
 from pathlib import Path
-from .base import MCPClientAdapter
+from .base import MCPClientAdapter, _INPUT_VAR_RE
 from ...registry.client import SimpleRegistryClient
 from ...registry.integration import RegistryIntegration
 
@@ -197,6 +197,9 @@ class VSCodeClientAdapter(MCPClientAdapter):
             }
             if raw.get("env"):
                 server_config["env"] = raw["env"]
+                input_vars.extend(
+                    self._extract_input_variables(raw["env"], server_info.get("name", ""))
+                )
             return server_config, input_vars
         
         # Check for packages information
@@ -308,6 +311,9 @@ class VSCodeClientAdapter(MCPClientAdapter):
                         "url": remote.get("url", ""),
                         "headers": headers,
                     }
+                    input_vars.extend(
+                        self._extract_input_variables(headers, server_info.get("name", ""))
+                    )
             # If no packages AND no endpoints/remotes, fail with clear error
             else:
                 packages = server_info.get("packages", [])
@@ -323,6 +329,36 @@ class VSCodeClientAdapter(MCPClientAdapter):
         
         return server_config, input_vars
 
+    def _extract_input_variables(self, mapping, server_name):
+        """Scan dict values for ${input:...} references and return input variable definitions.
+
+        Args:
+            mapping (dict): Header or env dict whose values may contain
+                ``${input:<id>}`` placeholders.
+            server_name (str): Server name used in the description field.
+
+        Returns:
+            list[dict]: Input variable definitions (``promptString``, ``password: true``).
+                Duplicates within *mapping* are already deduplicated.
+        """
+        seen: set = set()
+        result: list = []
+        for value in (mapping or {}).values():
+            if not isinstance(value, str):
+                continue
+            for match in _INPUT_VAR_RE.finditer(value):
+                var_id = match.group(1)
+                if var_id in seen:
+                    continue
+                seen.add(var_id)
+                result.append({
+                    "type": "promptString",
+                    "id": var_id,
+                    "description": f"{var_id} for MCP server {server_name}",
+                    "password": True,
+                })
+        return result
+
     @staticmethod
     def _extract_package_args(package):
         """Extract positional arguments from a package entry.

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/bundle/packer.py

@@ -156,8 +156,13 @@ def pack_bundle(
             lockfile_enriched=True,
         )
 
-    # 5b. Scan files for hidden characters before bundling
-    from ..security.content_scanner import ContentScanner
+    # 5b. Scan files for hidden characters before bundling.
+    # Intentionally non-blocking (warn only) — pack is an authoring tool.
+    # Critical findings here mean the author's own source files contain
+    # hidden characters. We surface them so the author can fix before
+    # publishing, but don't block the bundle. Consumers are protected by
+    # install/unpack which block on critical.
+    from ..security.gate import WARN_POLICY, SecurityGate
     from ..utils.console import _rich_warning
 
     _scan_findings_total = 0
@@ -165,19 +170,15 @@ def pack_bundle(
         src = project_root / rel_path
         if src.is_symlink():
             continue
-        if src.is_file():
-            findings = ContentScanner.scan_file(src)
-            if findings:
-                _scan_findings_total += len(findings)
-        elif src.is_dir():
-            for dirpath, _dirnames, filenames in os.walk(src, followlinks=False):
-                for fname in filenames:
-                    fpath = Path(dirpath) / fname
-                    if fpath.is_symlink():
-                        continue
-                    findings = ContentScanner.scan_file(fpath)
-                    if findings:
-                        _scan_findings_total += len(findings)
+        if src.is_dir():
+            verdict = SecurityGate.scan_files(src, policy=WARN_POLICY)
+            _scan_findings_total += len(verdict.all_findings)
+        elif src.is_file():
+            verdict = SecurityGate.scan_text(
+                src.read_text(encoding="utf-8", errors="replace"),
+                str(src), policy=WARN_POLICY,
+            )
+            _scan_findings_total += len(verdict.all_findings)
     if _scan_findings_total:
         _rich_warning(
             f"Bundle contains {_scan_findings_total} hidden character(s) across source files "
@@ -191,12 +192,15 @@ def pack_bundle(
     # 7. Copy files preserving directory structure
     for rel_path in unique_files:
         src = project_root / rel_path
+        if src.is_symlink():
+            continue  # Never bundle symlinks
         dest = bundle_dir / rel_path
         if src.is_dir():
-            shutil.copytree(src, dest, dirs_exist_ok=True)
+            from ..security.gate import ignore_symlinks
+            shutil.copytree(src, dest, dirs_exist_ok=True, ignore=ignore_symlinks)
         else:
             dest.parent.mkdir(parents=True, exist_ok=True)
-            shutil.copy2(src, dest)
+            shutil.copy2(src, dest, follow_symlinks=False)
 
     # 8. Enrich lockfile copy and write to bundle
     enriched_yaml = enrich_lockfile_for_pack(lockfile, fmt, effective_target)

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/bundle/unpacker.py

@@ -20,6 +20,8 @@ class UnpackResult:
     verified: bool = False
     dependency_files: Dict[str, List[str]] = field(default_factory=dict)
     skipped_count: int = 0
+    security_warnings: int = 0
+    security_critical: int = 0
 
 
 def unpack_bundle(
@@ -27,6 +29,7 @@ def unpack_bundle(
     output_dir: Path = Path("."),
     skip_verify: bool = False,
     dry_run: bool = False,
+    force: bool = False,
 ) -> UnpackResult:
     """Extract and apply an APM bundle to a project directory.
 
@@ -39,6 +42,7 @@ def unpack_bundle(
         output_dir: Target project directory to copy files into.
         skip_verify: If *True*, skip completeness verification against the lockfile.
         dry_run: If *True*, resolve the file list but write nothing to disk.
+        force: If *True*, deploy even when critical hidden characters are found.
 
     Returns:
         :class:`UnpackResult` describing what was (or would be) extracted.
@@ -55,12 +59,16 @@ def unpack_bundle(
         cleanup_temp = True
         try:
             with tarfile.open(bundle_path, "r:gz") as tar:
-                # Security: prevent path traversal
+                # Security: prevent path traversal and special entries
                 for member in tar.getmembers():
                     if member.name.startswith("/") or ".." in member.name:
                         raise ValueError(
                             f"Refusing to extract path-traversal entry: {member.name}"
                         )
+                    if member.issym() or member.islnk():
+                        raise ValueError(
+                            f"Refusing to extract symlink/hardlink: {member.name}"
+                        )
                 # filter="data" was added in Python 3.12; use it when available
                 if sys.version_info >= (3, 12):
                     tar.extractall(temp_dir, filter="data")
@@ -131,6 +139,34 @@ def unpack_bundle(
         if skip_verify:
             verified = False
 
+        # 3b. Security scan: check bundle contents for hidden Unicode characters
+        from ..security.gate import BLOCK_POLICY, SecurityGate
+
+        # Scan all files under source_dir (SecurityGate handles symlink
+        # skipping, directory recursion, and OSError resilience)
+        verdict = SecurityGate.scan_files(
+            source_dir, policy=BLOCK_POLICY, force=force
+        )
+        security_warnings = verdict.warning_count
+        security_critical = verdict.critical_count
+
+        if verdict.should_block:
+            affected = []
+            for path, findings in verdict.findings_by_file.items():
+                c = sum(1 for f in findings if f.severity == "critical")
+                if c > 0:
+                    affected.append(f"  {path}  ({c} critical)")
+            raise ValueError(
+                f"Blocked: bundle contains {len(affected)} file(s) "
+                f"with critical hidden characters\n\n"
+                f"Affected files:\n" + "\n".join(affected) + "\n\n"
+                "Next steps:\n"
+                "  - Extract the bundle and run: apm audit --file <path> to inspect\n"
+                "  - Run: apm unpack --force to deploy anyway "
+                "(not recommended)\n\n"
+                "Learn more: https://apm.github.io/apm/enterprise/security/"
+            )
+
         # Dry-run: return file list without writing
         if dry_run:
             return UnpackResult(
@@ -138,6 +174,8 @@ def unpack_bundle(
                 files=unique_files,
                 verified=verified,
                 dependency_files=dep_file_map,
+                security_warnings=security_warnings,
+                security_critical=security_critical,
             )
 
         # 4. Copy target files to output_dir (additive, no deletes)
@@ -157,14 +195,21 @@ def unpack_bundle(
                     f"Refusing to unpack path that escapes output directory: {rel_path!r}"
                 )
             src = source_dir / rel_path
+            if src.is_symlink():
+                # Security: skip symlinks to prevent scanning bypass
+                skipped += 1
+                continue
             if not src.exists():
                 skipped += 1
                 continue  # skip_verify may allow missing files
             if src.is_dir():
-                shutil.copytree(src, dest, dirs_exist_ok=True)
+                from ..security.gate import ignore_symlinks
+                shutil.copytree(
+                    src, dest, dirs_exist_ok=True, ignore=ignore_symlinks
+                )
             else:
                 dest.parent.mkdir(parents=True, exist_ok=True)
-                shutil.copy2(src, dest)
+                shutil.copy2(src, dest, follow_symlinks=False)
 
         return UnpackResult(
             extracted_dir=bundle_path,
@@ -172,6 +217,8 @@ def unpack_bundle(
             verified=verified,
             dependency_files=dep_file_map,
             skipped_count=skipped,
+            security_warnings=security_warnings,
+            security_critical=security_critical,
         )
     finally:
         # Clean up temp dir if we created one

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/commands/audit.py

@@ -47,28 +47,19 @@ def _scan_files_in_dir(
     dir_path: Path,
     base_label: str,
 ) -> Tuple[Dict[str, List[ScanFinding]], int]:
-    """Recursively scan all files under a directory.
-
-    Uses ``os.walk(followlinks=False)`` to avoid following symlinked
-    directories outside the intended package tree.
+    """Recursively scan all files under a directory via SecurityGate.
 
     Returns (findings_by_file, files_scanned).
     """
-    import os
+    from ..security.gate import REPORT_POLICY, SecurityGate
 
+    verdict = SecurityGate.scan_files(dir_path, policy=REPORT_POLICY)
+    # Re-key findings with the base_label prefix for display
     findings: Dict[str, List[ScanFinding]] = {}
-    count = 0
-    for dirpath, _dirs, filenames in os.walk(dir_path, followlinks=False):
-        for fname in filenames:
-            f = Path(dirpath) / fname
-            if f.is_symlink():
-                continue
-            count += 1
-            result = ContentScanner.scan_file(f)
-            if result:
-                label = f"{base_label}/{f.relative_to(dir_path).as_posix()}"
-                findings[label] = result
-    return findings, count
+    for rel_path, file_findings in verdict.findings_by_file.items():
+        label = f"{base_label}/{rel_path}"
+        findings[label] = file_findings
+    return findings, verdict.files_scanned
 
 
 def _scan_lockfile_packages(
@@ -173,6 +164,7 @@ def _render_findings_table(
     if console:
         try:
             from rich.table import Table
+            from ..security.audit_report import relative_path_for_report
 
             table = Table(
                 title=f"{STATUS_SYMBOLS['search']} Content Scan Findings",
@@ -193,7 +185,7 @@ def _render_findings_table(
             for f in rows:
                 table.add_row(
                     f.severity.upper(),
-                    f.file,
+                    relative_path_for_report(f.file),
                     f"{f.line}:{f.column}",
                     f.codepoint,
                     f.description,
@@ -411,8 +403,24 @@ def _preview_strip(
     is_flag=True,
     help="Preview what --strip would remove without modifying files",
 )
+@click.option(
+    "--format",
+    "-f",
+    "output_format",
+    type=click.Choice(["text", "json", "sarif", "markdown"], case_sensitive=False),
+    default="text",
+    help="Output format: text (default), json, sarif (GitHub Code Scanning), markdown (step summaries).",
+)
+@click.option(
+    "--output",
+    "-o",
+    "output_path",
+    type=click.Path(),
+    default=None,
+    help="Write output to file (auto-detects format from extension: .sarif, .json, .md).",
+)
 @click.pass_context
-def audit(ctx, package, file_path, strip, verbose, dry_run):
+def audit(ctx, package, file_path, strip, verbose, dry_run, output_format, output_path):
     """Scan deployed prompt files for hidden Unicode characters.
 
     Detects invisible characters that could embed hidden instructions in
@@ -431,7 +439,25 @@ def audit(ctx, package, file_path, strip, verbose, dry_run):
         apm audit my-package           # Scan a specific package
         apm audit --file .cursorrules  # Scan any file
         apm audit --strip              # Remove dangerous/suspicious chars
+        apm audit -f sarif             # SARIF output to stdout
+        apm audit -f markdown          # Markdown to stdout
+        apm audit -o report.sarif      # Write SARIF to file
+        apm audit -f json -o out.json  # JSON report to file
     """
+    # Resolve effective format (auto-detect from extension when needed)
+    effective_format = output_format
+    if output_path and effective_format == "text":
+        from ..security.audit_report import detect_format_from_extension
+
+        effective_format = detect_format_from_extension(Path(output_path))
+
+    # --format json/sarif/markdown is incompatible with --strip / --dry-run
+    if effective_format != "text" and (strip or dry_run):
+        _rich_error(
+            f"--format {effective_format} cannot be combined with --strip or --dry-run"
+        )
+        sys.exit(1)
+
     project_root = Path.cwd()
 
     if file_path:
@@ -488,17 +514,57 @@ def audit(ctx, package, file_path, strip, verbose, dry_run):
         sys.exit(0)
 
     # -- Display findings --
-    if findings_by_file:
-        _render_findings_table(findings_by_file, verbose=verbose)
+    # Determine exit code first (shared by all formats)
+    if not findings_by_file or not _has_actionable_findings(findings_by_file):
+        exit_code = 0
+    else:
+        all_findings = [f for ff in findings_by_file.values() for f in ff]
+        exit_code = 1 if ContentScanner.has_critical(all_findings) else 2
+
+    if effective_format == "text":
+        if output_path:
+            _rich_error(
+                "Text format does not support --output. "
+                "Use --format json, sarif, or markdown to write to a file."
+            )
+            sys.exit(1)
+        if findings_by_file:
+            _render_findings_table(findings_by_file, verbose=verbose)
+        _render_summary(findings_by_file, files_scanned)
+    elif effective_format == "markdown":
+        from ..security.audit_report import findings_to_markdown
+
+        md_report = findings_to_markdown(findings_by_file, files_scanned=files_scanned)
+        if output_path:
+            Path(output_path).parent.mkdir(parents=True, exist_ok=True)
+            Path(output_path).write_text(md_report, encoding="utf-8")
+            _rich_success(f"Audit report written to {output_path}")
+        else:
+            click.echo(md_report)
+    else:
+        from ..security.audit_report import (
+            findings_to_json,
+            findings_to_sarif,
+            serialize_report,
+            write_report,
+        )
 
-    _render_summary(findings_by_file, files_scanned)
+        if effective_format == "sarif":
+            report = findings_to_sarif(
+                findings_by_file, files_scanned=files_scanned
+            )
+        else:
+            report = findings_to_json(
+                findings_by_file,
+                files_scanned=files_scanned,
+                exit_code=exit_code,
+            )
 
-    # -- Exit code --
-    # Info-only findings are informational → exit 0
-    if not findings_by_file or not _has_actionable_findings(findings_by_file):
-        sys.exit(0)
+        if output_path:
+            write_report(report, Path(output_path))
+            _rich_success(f"Audit report written to {output_path}")
+        else:
+            click.echo(serialize_report(report))
 
-    all_findings = [f for ff in findings_by_file.values() for f in ff]
-    if ContentScanner.has_critical(all_findings):
-        sys.exit(1)
-    sys.exit(2)
+    # -- Exit code --
+    sys.exit(exit_code)

{apm_cli-0.8.0 → apm_cli-0.8.1}/src/apm_cli/commands/compile.py

@@ -7,7 +7,7 @@ import click
 
 from ..compilation import AgentsCompiler, CompilationConfig
 from ..primitives.discovery import discover_primitives
-from ..security.content_scanner import ContentScanner
+
 from ..utils.console import (
     STATUS_SYMBOLS,
     _rich_echo,
@@ -491,6 +491,7 @@ def compile(
         # Perform compilation
         compiler = AgentsCompiler(".")
         result = compiler.compile(config)
+        compile_has_critical = result.has_critical_security
 
         if result.success:
             # Handle different compilation modes
@@ -553,12 +554,15 @@ def compile(
                         # Only rewrite when content materially changes (creation, update, missing constitution case)
                         if c_status in ("CREATED", "UPDATED", "MISSING"):
                             # Defense-in-depth: scan compiled output before writing
-                            findings = ContentScanner.scan_text(
-                                final_content, filename=str(output_path)
+                            from ..security.gate import WARN_POLICY, SecurityGate
+
+                            verdict = SecurityGate.scan_text(
+                                final_content, str(output_path), policy=WARN_POLICY
                             )
-                            if findings:
-                                _, summary = ContentScanner.classify(findings)
-                                actionable = summary.get("critical", 0) + summary.get("warning", 0)
+                            if verdict.has_findings:
+                                actionable = verdict.critical_count + verdict.warning_count
+                                if verdict.has_critical:
+                                    compile_has_critical = True
                                 if actionable:
                                     _rich_warning(
                                         f"Compiled output contains {actionable} hidden character(s) "
@@ -743,6 +747,15 @@ def compile(
         except Exception:
             pass  # Continue if orphan check fails
 
+        # Hard-fail when critical security findings were detected in compiled
+        # output. Consistent with apm install and apm unpack behavior.
+        if compile_has_critical:
+            _rich_error(
+                "Compiled output contains critical hidden characters"
+                " — run 'apm audit' to inspect, 'apm audit --strip' to clean"
+            )
+            sys.exit(1)
+
     except ImportError as e:
         _rich_error(f"Compilation module not available: {e}")
         _rich_info("This might be a development environment issue.")