sync: update from internal repo (2026-02-11 21:51)

Author: Traviseric

.github/workflows/ci.yml

@@ -0,0 +1,134 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+      - name: Type check
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run build
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter
+        run: npm run lint
+        continue-on-error: true
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Build package
+        run: npm run build
+
+      - name: Self-scan with agent-security
+        run: node dist/index.js scan . --fail-on critical
+        continue-on-error: true
+
+  sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Generate SBOM
+        run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json
+
+  publish-check:
+    name: Publish Check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Dry run publish
+        run: npm publish --dry-run

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Travis Eric
+Copyright (c) 2026 Empowered Humanity
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -4,7 +4,7 @@ Security scanner for AI agent architectures. Detects prompt injection, credentia
 
 ## What It Detects
 
-**132 detection patterns** across 4 scanner categories:
+**176 detection patterns** across 5 scanner categories:
 
 ### 1. Prompt Injection (34 patterns)
 - Instruction override attempts
@@ -37,6 +37,17 @@ Security scanner for AI agent architectures. Detects prompt injection, credentia
 - Password patterns
 - Generic secrets (`sk-`, `ghp_`, `AKIA`, etc.)
 
+### 5. MCP Security Checklist (44 patterns)
+- **Server Config**: Bind-all-interfaces, disabled auth, CORS wildcard, no TLS, no rate limiting
+- **Tool Poisoning**: Description injection, hidden instructions, permission escalation, result injection
+- **Credential Misuse**: Excessive OAuth scopes, no token expiry, credentials in URLs, plaintext tokens
+- **Isolation Failures**: Docker host network, sensitive path mounts, no sandbox, shared state
+- **Data Security**: Logging sensitive fields, context dumps, disabled encryption
+- **Client Security**: Auto-approve wildcards, skip cert verify, weak TLS
+- **Supply Chain**: Unsigned plugins, dependency wildcards, untrusted registries
+- **Multi-MCP**: Cross-server calls, function priority override, server impersonation
+- **Prompt Security**: Init prompt poisoning, hidden context tags, resource-embedded instructions
+
 ## OWASP ASI Alignment
 
 The scanner implements detection for all 10 OWASP Agentic Security Issues:
@@ -136,7 +147,7 @@ security_scan:
 
 ## Pattern Categories
 
-The 132 patterns are organized into these categories:
+The 176 patterns are organized into these categories:
 
 | Category | Count | Severity |
 |----------|-------|----------|
@@ -156,13 +167,20 @@ The 132 patterns are organized into these categories:
 | Boundary Escape | 3 | Critical |
 | Permission Escalation | 3 | High |
 | Dangerous Commands | 3 | High |
-| *28 other categories* | 42 | Varies |
-
-**Total**: 62 critical, 52 high, 18 medium
+| MCP Server Config | 8 | High/Critical |
+| MCP Tool Poisoning | 6 | Critical |
+| MCP Credentials | 5 | Critical/High |
+| MCP Isolation | 5 | Critical/High |
+| MCP Client Security | 6 | High/Medium |
+| MCP Supply Chain | 3 | Critical |
+| MCP Multi-Server | 3 | Critical |
+| MCP Prompt Security | 4 | Critical |
+| MCP Data Security | 4 | High |
+| *24 other categories* | 28 | Varies |
 
 ## Pattern Sources
 
-Detection patterns compiled from 18+ authoritative research sources:
+Detection patterns compiled from 19+ authoritative research sources:
 - ai-assistant: Internal Claude Code security research
 - ACAD-001: Academic papers on prompt injection
 - ACAD-004: Agent-specific attack research
@@ -173,6 +191,7 @@ Detection patterns compiled from 18+ authoritative research sources:
 - FRM-002: Framework-specific vulnerabilities
 - VND-005: Vendor security advisories
 - CMP-002: Company security research
+- SLOWMIST-MCP: SlowMist MCP Security Checklist (44 patterns across 9 categories)
 
 ## Risk Scoring
 

tests/patterns.test.ts

@@ -86,8 +86,11 @@ describe('CAPE Patterns', () => {
 
   it('should detect config file write attempts', () => {
     const content = 'Writing to .vscode/settings.json';
-    const findings = matchPatterns(capePatterns, content, 'test.txt');
-    expect(findings.length).toBeGreaterThan(0);
+    // cape_config_write has context: 'file_write_operation' (runtime-only),
+    // so test the regex directly rather than through matchPatterns
+    const configWritePattern = capePatterns.find(p => p.name === 'cape_config_write');
+    expect(configWritePattern).toBeDefined();
+    expect(configWritePattern!.pattern.test(content)).toBe(true);
   });
 
   it('should detect cross-agent instructions', () => {