fix: resolve open issues #11, #19, #26, #27#30
Merged
Conversation
URL/endpoint mode (#27): scanning a URL previously ran every config rule against an empty config, so any endpoint always emitted a CRITICAL NO_AUTH and MEDIUM MISSING_RATE_LIMIT and always failed — a 100% false-positive on the advertised path. URL mode now runs only the rules a URL can answer (MISSING_TLS, INSECURE_TRANSPORT) and emits an INFO URL_SCAN_LIMITED note explaining that live introspection isn't performed and a config file is required for the full rule set. WEAK_API_KEY (#26): now length-checks auth.token alongside auth.apiKey, so a short bearer token no longer passes the gate. JWT-shaped tokens are exempt; evidence names the offending field. YAML parsing (#19): replaced the flat hand-rolled parser with an indentation-driven one that handles nested maps (transport.auth) and sequences of maps (tools, with permissions sub-lists). A YAML config and its JSON equivalent now produce identical results. Still zero runtime deps. --rule validation (#11): unknown/typo'd rule IDs now exit 2 with a clear message instead of silently filtering to nothing and reporting a false PASSED. --help lists valid rule IDs. Also scopes MISSING_TLS to the HTTP family (no false positive on wss://, no double-count on ws://). Updated tests (118 passing), README, launch post, and CHANGELOG. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01H7vsCPf3aGjgKogYtWJty9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
URL/endpoint mode (#27): scanning a URL previously ran every config rule
against an empty config, so any endpoint always emitted a CRITICAL NO_AUTH
and MEDIUM MISSING_RATE_LIMIT and always failed — a 100% false-positive on
the advertised path. URL mode now runs only the rules a URL can answer
(MISSING_TLS, INSECURE_TRANSPORT) and emits an INFO URL_SCAN_LIMITED note
explaining that live introspection isn't performed and a config file is
required for the full rule set.
WEAK_API_KEY (#26): now length-checks auth.token alongside auth.apiKey, so a
short bearer token no longer passes the gate. JWT-shaped tokens are exempt;
evidence names the offending field.
YAML parsing (#19): replaced the flat hand-rolled parser with an
indentation-driven one that handles nested maps (transport.auth) and
sequences of maps (tools, with permissions sub-lists). A YAML config and its
JSON equivalent now produce identical results. Still zero runtime deps.
--rule validation (#11): unknown/typo'd rule IDs now exit 2 with a clear
message instead of silently filtering to nothing and reporting a false
PASSED. --help lists valid rule IDs.
Also scopes MISSING_TLS to the HTTP family (no false positive on wss://, no
double-count on ws://). Updated tests (118 passing), README, launch post,
and CHANGELOG.
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01H7vsCPf3aGjgKogYtWJty9