feat: v0.6.0 — MCP security suite, detection benchmark, ReDoS hardening

- MCP tool-poisoning scanner + rug-pull detection + /scan-mcp (stdio + remote HTTP)
- customRules config extension point
- detection benchmark (bench/, npm run bench) with CI regression gate
- ReDoS audit + fixes (splitCommands, zh_mixed_lang_injection)
- default injectionThreshold 60->40 (benchmark-calibrated, revertible)
- PII false-positive fixes; L5/L7 DLP merge; SECURITY.md accuracy

Full granular history on branch feat/mcp-security-suite.

Author: jnMetaCode

.github/workflows/ci.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  test:
+    name: Test (Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [18, 20, 22]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node ${{ matrix.node }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+
+      # package-lock.json is gitignored, so use `npm install` (not `npm ci`).
+      - name: Install dependencies
+        run: npm install
+
+      - name: Typecheck
+        run: npx tsc --noEmit
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm test
+
+      - name: Detection benchmark (precision/recall regression gate)
+        run: npm run bench -- --ci

.github/workflows/release.yml

@@ -0,0 +1,57 @@
+name: Release
+
+# Publishes to npm with provenance (SLSA build attestation) when a version tag
+# is pushed (e.g. `git tag v0.5.12 && git push --tags`).
+# Requires an NPM_TOKEN repo secret (automation token, publish scope).
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write # required for npm provenance
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Typecheck
+        run: npx tsc --noEmit
+
+      - name: Test
+        run: npm test
+
+      - name: Detection benchmark gate
+        run: npm run bench -- --ci
+
+      - name: Build
+        run: npm run build
+
+      # Idempotent: skip if this version is already on npm (e.g. published locally).
+      - name: Check if version already published
+        id: check
+        run: |
+          V=$(node -p "require('./package.json').version")
+          if npm view "shellward@$V" version >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish with provenance
+        if: steps.check.outputs.exists == 'false'
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/test.yml

@@ -21,6 +21,10 @@ Thumbs.db
 .env
 .env.*
 
+# Secrets / registry publish tokens (never commit)
+.mcpregistry_*
+*_token
+
 # npm
 .npm/
 package-lock.json
@@ -41,3 +45,6 @@ promo/
 awesome-llm-security/
 *.mp4
 docs/
+
+# Agent worktrees
+.claude/

.gitignore

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.6.0] - 2026-06-05
+
+### Added
+- **MCP tool-poisoning scanner** (`scanToolDefinition` / `scan_mcp_tool` MCP tool): detects hidden instructions, invisible characters, concealment ("don't tell the user"), sensitive-file access and exfiltration hints in an MCP tool's description/parameters
+- **MCP rug-pull detection** (`McpBaseline`): fingerprints each tool's description+schema and flags silent changes across runs (`SHELLWARD_BASELINE_PATH` to relocate the store)
+- **`/scan-mcp` command + MCP client** (`mcp-client.ts`): discovers configured MCP servers and scans them live — **stdio and remote Streamable-HTTP** (incl. SSE responses + session headers), zero dependencies
+- **Custom rules** (`customRules` in `ShellWardConfig`): additive `blockedTools` / `sensitiveTools` / `outboundTools` / `honeypotPaths` / `sensitivePatterns` / `dangerousCommands` / `injectionRules`, plus `allowedTools` that always wins; invalid user regexes are skipped, never throw
+- **Detection benchmark** (`bench/`, `npm run bench`): labeled corpus (attacks + hard negatives + documented bypasses) reporting precision/recall/F1; CI regression gate (`--ci`)
+- **ReDoS audit** (`test-redos.ts`, in CI): adversarial-input timing budget for every detector
+- Unicode tag-character and variation-selector detection in hidden-char scanning
+- Startup nudge to run `/scan-mcp` when MCP servers are configured
+
+### Changed
+- **Default `injectionThreshold` 60 → 40** — the benchmark showed 60 missed most single-signal attacks (injection recall 37.5% → 100%). More aggressive blocking; revert via config or `SHELLWARD_THRESHOLD`
+- Injection rules 32 → 37 (20 ZH + 17 EN); fixed several intervening-word / reversed-order / word-boundary bugs
+- Command + injection inputs are normalized before matching (empty-quote de-obfuscation, zero-width stripping)
+- L5 Security Gate now delegates outbound DLP to the single L7 path (no divergence)
+
+### Fixed
+- **ReDoS**: `splitCommands` (catastrophic backtracking on whitespace floods) and `zh_mixed_lang_injection` (unbounded `.*`)
+- **PII false positives**: `phone_cn` restricted to real carrier segments; `bank_card_cn` narrowed to UnionPay (no longer mislabels Visa/Mastercard)
+- `SECURITY.md` corrected (no false "no network calls" claim; supported versions; ReDoS claim now CI-verified)
+
 ## [0.5.16] - 2026-04-15
 
 ### Added