Skip to content

fix: resolve open issues #11, #19, #26, #27#30

Merged
dmchaledev merged 1 commit into
mainfrom
claude/open-issues-resolution-6zh3iw
Jun 22, 2026
Merged

fix: resolve open issues #11, #19, #26, #27#30
dmchaledev merged 1 commit into
mainfrom
claude/open-issues-resolution-6zh3iw

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

URL/endpoint mode (#27): scanning a URL previously ran every config rule
against an empty config, so any endpoint always emitted a CRITICAL NO_AUTH
and MEDIUM MISSING_RATE_LIMIT and always failed — a 100% false-positive on
the advertised path. URL mode now runs only the rules a URL can answer
(MISSING_TLS, INSECURE_TRANSPORT) and emits an INFO URL_SCAN_LIMITED note
explaining that live introspection isn't performed and a config file is
required for the full rule set.

WEAK_API_KEY (#26): now length-checks auth.token alongside auth.apiKey, so a
short bearer token no longer passes the gate. JWT-shaped tokens are exempt;
evidence names the offending field.

YAML parsing (#19): replaced the flat hand-rolled parser with an
indentation-driven one that handles nested maps (transport.auth) and
sequences of maps (tools, with permissions sub-lists). A YAML config and its
JSON equivalent now produce identical results. Still zero runtime deps.

--rule validation (#11): unknown/typo'd rule IDs now exit 2 with a clear
message instead of silently filtering to nothing and reporting a false
PASSED. --help lists valid rule IDs.

Also scopes MISSING_TLS to the HTTP family (no false positive on wss://, no
double-count on ws://). Updated tests (118 passing), README, launch post,
and CHANGELOG.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01H7vsCPf3aGjgKogYtWJty9

URL/endpoint mode (#27): scanning a URL previously ran every config rule
against an empty config, so any endpoint always emitted a CRITICAL NO_AUTH
and MEDIUM MISSING_RATE_LIMIT and always failed — a 100% false-positive on
the advertised path. URL mode now runs only the rules a URL can answer
(MISSING_TLS, INSECURE_TRANSPORT) and emits an INFO URL_SCAN_LIMITED note
explaining that live introspection isn't performed and a config file is
required for the full rule set.

WEAK_API_KEY (#26): now length-checks auth.token alongside auth.apiKey, so a
short bearer token no longer passes the gate. JWT-shaped tokens are exempt;
evidence names the offending field.

YAML parsing (#19): replaced the flat hand-rolled parser with an
indentation-driven one that handles nested maps (transport.auth) and
sequences of maps (tools, with permissions sub-lists). A YAML config and its
JSON equivalent now produce identical results. Still zero runtime deps.

--rule validation (#11): unknown/typo'd rule IDs now exit 2 with a clear
message instead of silently filtering to nothing and reporting a false
PASSED. --help lists valid rule IDs.

Also scopes MISSING_TLS to the HTTP family (no false positive on wss://, no
double-count on ws://). Updated tests (118 passing), README, launch post,
and CHANGELOG.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H7vsCPf3aGjgKogYtWJty9
@dmchaledev dmchaledev merged commit 4ef0b12 into main Jun 22, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants