# ai-agentic-mcpscan - Doramagic AI Context Pack

> 定位：安装前体验与判断资产。它帮助宿主 AI 有一个好的开始，但不代表已经安装、执行或验证目标项目。

## 充分原则

- **充分原则，不是压缩原则**：AI Context Pack 应该充分到让宿主 AI 在开工前理解项目价值、能力边界、使用入口、风险和证据来源；它可以分层组织，但不以最短摘要为目标。
- **压缩策略**：只压缩噪声和重复内容，不压缩会影响判断和开工质量的上下文。

## 给宿主 AI 的使用方式

你正在读取 Doramagic 为 ai-agentic-mcpscan 编译的 AI Context Pack。请把它当作开工前上下文：帮助用户理解适合谁、能做什么、如何开始、哪些必须安装后验证、风险在哪里。不要声称你已经安装、运行或执行了目标项目。

## Claim 消费规则

- **事实来源**：Repo Evidence + Claim/Evidence Graph；Human Wiki 只提供显著性、术语和叙事结构。
- **事实最低状态**：`supported`
- `supported`：可以作为项目事实使用，但回答中必须引用 claim_id 和证据路径。
- `weak`：只能作为低置信度线索，必须要求用户继续核实。
- `inferred`：只能用于风险提示或待确认问题，不能包装成项目事实。
- `unverified`：不得作为事实使用，应明确说证据不足。
- `contradicted`：必须展示冲突来源，不得替用户强行选择一个版本。

## 它最适合谁

- **正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**：README 或插件配置提到多个宿主 AI。 证据：`README.md` Claim：`clm_0002` supported 0.86

## 它能做什么

- **命令行启动或安装流程**（需要安装后验证）：项目文档中存在可执行命令，真实使用需要在本地或宿主环境中运行这些命令。 证据：`README.md` Claim：`clm_0001` supported 0.86

## 怎么开始

- `pipx install ai-agentic-mcpscan            # provides the` 证据：`README.md` Claim：`clm_0003` supported 0.86
- `pipx install "ai-agentic-mcpscan[yaml]"    # + audit Continue's config.yaml` 证据：`README.md` Claim：`clm_0004` supported 0.86
- `pipx install "ai-agentic-mcpscan[crypto]"  # + verify ed25519 LAN manifests` 证据：`README.md` Claim：`clm_0005` supported 0.86
- `git clone https://github.com/IRsoctierDT/ai-agentic-mcpscan.git` 证据：`README.md` Claim：`clm_0006` supported 0.86

## 继续前判断卡

- **当前建议**：需要管理员/安全审批
- **为什么**：继续前可能涉及密钥、账号、外部服务或敏感上下文，建议先经过管理员或安全审批。

### 30 秒判断

- **现在怎么做**：需要管理员/安全审批
- **最小安全下一步**：先跑 Prompt Preview；若涉及凭证或企业环境，先审批再试装
- **先别相信**：角色质量和任务匹配不能直接相信。
- **继续会触碰**：角色选择偏差、命令执行、本地环境或项目文件

### 现在可以相信

- **适合人群线索：正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**（supported）：有 supported claim 或项目证据支撑，但仍不等于真实安装效果。 证据：`README.md` Claim：`clm_0002` supported 0.86
- **能力存在：命令行启动或安装流程**（supported）：可以相信项目包含这类能力线索；是否适合你的具体任务仍要试用或安装后验证。 证据：`README.md` Claim：`clm_0001` supported 0.86
- **存在 Quick Start / 安装命令线索**（supported）：可以相信项目文档出现过启动或安装入口；不要因此直接在主力环境运行。 证据：`README.md` Claim：`clm_0003` supported 0.86

### 现在还不能相信

- **角色质量和任务匹配不能直接相信。**（unverified）：角色库证明有很多角色，不证明每个角色都适合你的具体任务，也不证明角色能产生高质量结果。
- **不能把角色文案当成真实执行能力。**（unverified）：安装前只能判断角色描述和任务画像是否匹配，不能证明它能在宿主 AI 里完成任务。
- **真实输出质量不能在安装前相信。**（unverified）：Prompt Preview 只能展示引导方式，不能证明真实项目中的结果质量。
- **宿主 AI 版本兼容性不能在安装前相信。**（unverified）：Claude、Cursor、Codex、Gemini 等宿主加载规则和版本差异必须在真实环境验证。
- **不会污染现有宿主 AI 行为，不能直接相信。**（inferred）：Skill、plugin、AGENTS/CLAUDE/GEMINI 指令可能改变宿主 AI 的默认行为。
- **可安全回滚不能默认相信。**（unverified）：除非项目明确提供卸载和恢复说明，否则必须先在隔离环境验证。
- **真实安装后是否与用户当前宿主 AI 版本兼容？**（unverified）：兼容性只能通过实际宿主环境验证。
- **项目输出质量是否满足用户具体任务？**（unverified）：安装前预览只能展示流程和边界，不能替代真实评测。

### 继续会触碰什么

- **角色选择偏差**：用户对任务应该由哪个专家角色处理的判断。 原因：选错角色会让 AI 从错误专业视角回答，浪费时间或误导决策。
- **命令执行**：包管理器、网络下载、本地插件目录、项目配置或用户主目录。 原因：运行第一条命令就可能产生环境改动；必须先判断是否值得跑。 证据：`README.md`
- **本地环境或项目文件**：安装结果、插件缓存、项目配置或本地依赖目录。 原因：安装前无法证明写入范围和回滚方式，需要隔离验证。 证据：`README.md`
- **环境变量 / API Key**：项目入口文档明确出现 API key、token、secret 或账号凭证配置。 原因：如果真实安装需要凭证，应先使用测试凭证并经过权限/合规判断。 证据：`README.md`
- **宿主 AI 上下文**：AI Context Pack、Prompt Preview、Skill 路由、风险规则和项目事实。 原因：导入上下文会影响宿主 AI 后续判断，必须避免把未验证项包装成事实。

### 最小安全下一步

- **先跑 Prompt Preview**：先用交互式试用验证任务画像和角色匹配，不要先导入整套角色库。（适用：任何项目都适用，尤其是输出质量未知时。）
- **只在隔离目录或测试账号试装**：避免安装命令污染主力宿主 AI、真实项目或用户主目录。（适用：存在命令执行、插件配置或本地写入线索时。）
- **不要使用真实生产凭证**：环境变量/API key 一旦进入宿主或工具链，可能产生账号和合规风险。（适用：出现 API、TOKEN、KEY、SECRET 等环境线索时。）
- **安装后只验证一个最小任务**：先验证加载、兼容、输出质量和回滚，再决定是否深用。（适用：准备从试用进入真实工作流时。）

### 退出方式

- **保留安装前状态**：记录原始宿主配置和项目状态，后续才能判断是否可恢复。
- **保留原始角色选择记录**：如果输出偏题，可以回到任务画像阶段重新选择角色，而不是继续沿着错误角色推进。
- **记录安装命令和写入路径**：没有明确卸载说明时，至少要知道哪些目录或配置需要手动清理。
- **准备撤销测试 API key 或 token**：测试凭证泄露或误用时，可以快速止损。
- **如果没有回滚路径，不进入主力环境**：不可回滚是继续前阻断项，不应靠信任或运气继续。

## 哪些只能预览

- 解释项目适合谁和能做什么
- 基于项目文档演示典型对话流程
- 帮助用户判断是否值得安装或继续研究

## 哪些必须安装后验证

- 真实安装 Skill、插件或 CLI
- 执行脚本、修改本地文件或访问外部服务
- 验证真实输出质量、性能和兼容性

## 边界与风险判断卡

- **把安装前预览误认为真实运行**：用户可能高估项目已经完成的配置、权限和兼容性验证。 处理方式：明确区分 prompt_preview_can_do 与 runtime_required。 Claim：`clm_0007` inferred 0.45
- **命令执行会修改本地环境**：安装命令可能写入用户主目录、宿主插件目录或项目配置。 处理方式：先在隔离环境或测试账号中运行。 证据：`README.md` Claim：`clm_0008` supported 0.86
- **待确认**：真实安装后是否与用户当前宿主 AI 版本兼容？。原因：兼容性只能通过实际宿主环境验证。
- **待确认**：项目输出质量是否满足用户具体任务？。原因：安装前预览只能展示流程和边界，不能替代真实评测。
- **待确认**：安装命令是否需要网络、权限或全局写入？。原因：这影响企业环境和个人环境的安装风险。

## 开工前工作上下文

### 加载顺序

- 先读取 how_to_use.host_ai_instruction，建立安装前判断资产的边界。
- 读取 claim_graph_summary，确认事实来自 Claim/Evidence Graph，而不是 Human Wiki 叙事。
- 再读取 intended_users、capabilities 和 quick_start_candidates，判断用户是否匹配。
- 需要执行具体任务时，优先查 role_skill_index，再查 evidence_index。
- 遇到真实安装、文件修改、网络访问、性能或兼容性问题时，转入 risk_card 和 boundaries.runtime_required。

### 任务路由

- **命令行启动或安装流程**：先说明这是安装后验证能力，再给出安装前检查清单。 边界：必须真实安装或运行后验证。 证据：`README.md` Claim：`clm_0001` supported 0.86

### 上下文规模

- 文件总数：102
- 重要文件覆盖：40/102
- 证据索引条目：71
- 角色 / Skill 条目：21

### 证据不足时的处理

- **missing_evidence**：说明证据不足，要求用户提供目标文件、README 段落或安装后验证记录；不要补全事实。
- **out_of_scope_request**：说明该任务超出当前 AI Context Pack 证据范围，并建议用户先查看 Human Manual 或真实安装后验证。
- **runtime_request**：给出安装前检查清单和命令来源，但不要替用户执行命令或声称已执行。
- **source_conflict**：同时展示冲突来源，标记为待核实，不要强行选择一个版本。

## Prompt Recipes

### 适配判断

- 目标：判断这个项目是否适合用户当前任务。
- 预期输出：适配结论、关键理由、证据引用、安装前可预览内容、必须安装后验证内容、下一步建议。

```text
请基于 ai-agentic-mcpscan 的 AI Context Pack，先问我 3 个必要问题，然后判断它是否适合我的任务。回答必须包含：适合谁、能做什么、不能做什么、是否值得安装、证据来自哪里。所有项目事实必须引用 evidence_refs、source_paths 或 claim_id。
```

### 安装前体验

- 目标：让用户在安装前感受核心工作流，同时避免把预览包装成真实能力或营销承诺。
- 预期输出：一段带边界标签的体验剧本、安装后验证清单和谨慎建议；不含真实运行承诺或强营销表述。

```text
请把 ai-agentic-mcpscan 当作安装前体验资产，而不是已安装工具或真实运行环境。

请严格输出四段：
1. 先问我 3 个必要问题。
2. 给出一段“体验剧本”：用 [安装前可预览]、[必须安装后验证]、[证据不足] 三种标签展示它可能如何引导工作流。
3. 给出安装后验证清单：列出哪些能力只有真实安装、真实宿主加载、真实项目运行后才能确认。
4. 给出谨慎建议：只能说“值得继续研究/试装”“先补充信息后再判断”或“不建议继续”，不得替项目背书。

硬性边界：
- 不要声称已经安装、运行、执行测试、修改文件或产生真实结果。
- 不要写“自动适配”“确保通过”“完美适配”“强烈建议安装”等承诺性表达。
- 如果描述安装后的工作方式，必须使用“如果安装成功且宿主正确加载 Skill，它可能会……”这种条件句。
- 体验剧本只能写成“示例台词/假设流程”：使用“可能会询问/可能会建议/可能会展示”，不要写“已写入、已生成、已通过、正在运行、正在生成”。
- Prompt Preview 不负责给安装命令；如用户准备试装，只能提示先阅读 Quick Start 和 Risk Card，并在隔离环境验证。
- 所有项目事实必须来自 supported claim、evidence_refs 或 source_paths；inferred/unverified 只能作风险或待确认项。

```

### 角色 / Skill 选择

- 目标：从项目里的角色或 Skill 中挑选最匹配的资产。
- 预期输出：候选角色或 Skill 列表，每项包含适用场景、证据路径、风险边界和是否需要安装后验证。

```text
请读取 role_skill_index，根据我的目标任务推荐 3-5 个最相关的角色或 Skill。每个推荐都要说明适用场景、可能输出、风险边界和 evidence_refs。
```

### 风险预检

- 目标：安装或引入前识别环境、权限、规则冲突和质量风险。
- 预期输出：环境、权限、依赖、许可、宿主冲突、质量风险和未知项的检查清单。

```text
请基于 risk_card、boundaries 和 quick_start_candidates，给我一份安装前风险预检清单。不要替我执行命令，只说明我应该检查什么、为什么检查、失败会有什么影响。
```

### 宿主 AI 开工指令

- 目标：把项目上下文转成一次对话开始前的宿主 AI 指令。
- 预期输出：一段边界明确、证据引用明确、适合复制给宿主 AI 的开工前指令。

```text
请基于 ai-agentic-mcpscan 的 AI Context Pack，生成一段我可以粘贴给宿主 AI 的开工前指令。这段指令必须遵守 not_runtime=true，不能声称项目已经安装、运行或产生真实结果。
```

## 角色 / Skill 索引

- 共索引 21 个角色 / Skill / 项目文档条目。

- **AI Agentic MCPscan**（project_doc）：Local-first, offline-by-default security posture scanner for MCP / local-agent setups. Find exposed servers, plaintext secrets, over-broad tool scopes, and unpinned packages — then fix the highest-impact issues first. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`README.md`
- **Dogfood harness T-402**（project_doc）：Turns "the scan looks right" into a measurable pre-1.0 gate : a curated set of clean and messy MCP configs across every supported host, each hand-labeled with the findings it must produce. The harness lays each fixture out at its real discovery path and runs the full scan pipeline, then reports false positives flagged a non-issue and false negatives missed a real one . 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`tools/dogfood/README.md`
- **AI Agentic MCPscan — Architecture & ADR Validation**（project_doc）：AI Agentic MCPscan — Architecture & ADR Validation 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/ARCHITECTURE.md`
- **Contributing to AI Agentic MCPscan**（project_doc）：Thanks for your interest! This project aims to be exemplary, reviewable security tooling, so contributions are held to a clear bar. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`CONTRIBUTING.md`
- **Changelog**（project_doc）：All notable changes to this project are documented here. The format is based on Keep a Changelog https://keepachangelog.com/en/1.1.0/ , and this project adheres to Semantic Versioning https://semver.org/spec/v2.0.0.html . 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`CHANGELOG.md`
- **Backlog & Sprint Plan — MCP Posture Scanner**（project_doc）：Backlog & Sprint Plan — MCP Posture Scanner 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/BACKLOG.md`
- **Full-Team Backlog Review — Pre-Development Gate**（project_doc）：Full-Team Backlog Review — Pre-Development Gate 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/BACKLOG_REVIEW.md`
- **Architecture Decision Records — MCP Posture Scanner**（project_doc）：Architecture Decision Records — MCP Posture Scanner 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/DECISIONS.md`
- **DevSecOps: Git Workflow, CI/CD & Supply-Chain Architecture**（project_doc）：DevSecOps: Git Workflow, CI/CD & Supply-Chain Architecture 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/DEVSECOPS.md`
- **mcpscan lan — operator guide**（project_doc）：mcpscan lan assesses MCP exposure on hosts you are authorized to test . It is a separate, gated command from mcpscan scan which is localhost-only and is inert without a signed authorization manifest . 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/LAN_OPERATOR_GUIDE.md`
- **Releasing AI Agentic MCPscan**（project_doc）：Publishing is human-gated and uses PyPI Trusted Publishing OIDC , so no API token is ever stored in the repo. The Release workflow .github/workflows/release.yml runs only when you publish a GitHub Release. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/RELEASING.md`
- **Security Reviewer Sign-off — AI Agentic MCPscan MVP**（project_doc）：Security Reviewer Sign-off — AI Agentic MCPscan MVP 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/SECURITY_SIGNOFF.md`
- **AI Agentic MCPscan — Product & Technical Specification**（project_doc）：AI Agentic MCPscan — Product & Technical Specification 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/SPEC.md`
- **Delivery Status — AI Agentic MCPscan**（project_doc）：Delivery Status — AI Agentic MCPscan 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/STATUS.md`
- **Network-lab runbook T-402, Phase 3 — the socket + lan surface**（project_doc）：Network-lab runbook T-402, Phase 3 — the socket + lan surface 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/dogfood/NETWORK_LAB.md`
- **Dogfood triage template T-402, Phase 2**（project_doc）：Dogfood triage template T-402, Phase 2 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/dogfood/TRIAGE_TEMPLATE.md`
- **Proposal — Authorized-LAN scanning mcpscan lan**（project_doc）：Proposal — Authorized-LAN scanning mcpscan lan 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/proposals/LAN_SCANNING.md`
- **Proposal — Real-lab dogfood T-402**（project_doc）：Status: Draft, for review · Implements backlog T-402 Sprint 4 · Traces SPEC §14 · Target: pre-1.0 gate 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/proposals/REAL_LAB_DOGFOOD.md`
- **Vision — from scanner to AI Infrastructure Security Platform**（project_doc）：Vision — from scanner to AI Infrastructure Security Platform 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`docs/proposals/VISION.md`
- **Contributor Covenant Code of Conduct**（project_doc）：Contributor Covenant Code of Conduct 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`CODE_OF_CONDUCT.md`
- **Security Policy**（project_doc）：AI Agentic MCPscan is a security tool, so we hold its own posture to a high bar. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`SECURITY.md`

## 证据索引

- 共索引 71 条证据。

- **AI Agentic MCPscan**（documentation）：Local-first, offline-by-default security posture scanner for MCP / local-agent setups. Find exposed servers, plaintext secrets, over-broad tool scopes, and unpinned packages — then fix the highest-impact issues first. 证据：`README.md`
- **Dogfood harness T-402**（documentation）：Turns "the scan looks right" into a measurable pre-1.0 gate : a curated set of clean and messy MCP configs across every supported host, each hand-labeled with the findings it must produce. The harness lays each fixture out at its real discovery path and runs the full scan pipeline, then reports false positives flagged a non-issue and false negatives missed a real one . 证据：`tools/dogfood/README.md`
- **AI Agentic MCPscan — Architecture & ADR Validation**（documentation）：AI Agentic MCPscan — Architecture & ADR Validation 证据：`docs/ARCHITECTURE.md`
- **Contributing to AI Agentic MCPscan**（documentation）：Thanks for your interest! This project aims to be exemplary, reviewable security tooling, so contributions are held to a clear bar. 证据：`CONTRIBUTING.md`
- **License**（source_file）：Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ 证据：`LICENSE`
- **Changelog**（documentation）：All notable changes to this project are documented here. The format is based on Keep a Changelog https://keepachangelog.com/en/1.1.0/ , and this project adheres to Semantic Versioning https://semver.org/spec/v2.0.0.html . 证据：`CHANGELOG.md`
- **Backlog & Sprint Plan — MCP Posture Scanner**（documentation）：Backlog & Sprint Plan — MCP Posture Scanner 证据：`docs/BACKLOG.md`
- **Full-Team Backlog Review — Pre-Development Gate**（documentation）：Full-Team Backlog Review — Pre-Development Gate 证据：`docs/BACKLOG_REVIEW.md`
- **Architecture Decision Records — MCP Posture Scanner**（documentation）：Architecture Decision Records — MCP Posture Scanner 证据：`docs/DECISIONS.md`
- **DevSecOps: Git Workflow, CI/CD & Supply-Chain Architecture**（documentation）：DevSecOps: Git Workflow, CI/CD & Supply-Chain Architecture 证据：`docs/DEVSECOPS.md`
- **mcpscan lan — operator guide**（documentation）：mcpscan lan assesses MCP exposure on hosts you are authorized to test . It is a separate, gated command from mcpscan scan which is localhost-only and is inert without a signed authorization manifest . 证据：`docs/LAN_OPERATOR_GUIDE.md`
- **Releasing AI Agentic MCPscan**（documentation）：Publishing is human-gated and uses PyPI Trusted Publishing OIDC , so no API token is ever stored in the repo. The Release workflow .github/workflows/release.yml runs only when you publish a GitHub Release. 证据：`docs/RELEASING.md`
- **Security Reviewer Sign-off — AI Agentic MCPscan MVP**（documentation）：Security Reviewer Sign-off — AI Agentic MCPscan MVP 证据：`docs/SECURITY_SIGNOFF.md`
- **AI Agentic MCPscan — Product & Technical Specification**（documentation）：AI Agentic MCPscan — Product & Technical Specification 证据：`docs/SPEC.md`
- **Delivery Status — AI Agentic MCPscan**（documentation）：Delivery Status — AI Agentic MCPscan 证据：`docs/STATUS.md`
- **Network-lab runbook T-402, Phase 3 — the socket + lan surface**（documentation）：Network-lab runbook T-402, Phase 3 — the socket + lan surface 证据：`docs/dogfood/NETWORK_LAB.md`
- **Dogfood triage template T-402, Phase 2**（documentation）：Dogfood triage template T-402, Phase 2 证据：`docs/dogfood/TRIAGE_TEMPLATE.md`
- **Proposal — Authorized-LAN scanning mcpscan lan**（documentation）：Proposal — Authorized-LAN scanning mcpscan lan 证据：`docs/proposals/LAN_SCANNING.md`
- **Proposal — Real-lab dogfood T-402**（documentation）：Status: Draft, for review · Implements backlog T-402 Sprint 4 · Traces SPEC §14 · Target: pre-1.0 gate 证据：`docs/proposals/REAL_LAB_DOGFOOD.md`
- **Vision — from scanner to AI Infrastructure Security Platform**（documentation）：Vision — from scanner to AI Infrastructure Security Platform 证据：`docs/proposals/VISION.md`
- **Runtime deps are intentionally minimal and will be PINNED as the build lands.**（source_file）：build-system requires = "hatchling" build-backend = "hatchling.build" 证据：`pyproject.toml`
- **Init**（source_file）：version = version "ai-agentic-mcpscan" ⋮---- version = "0.0.0+unknown" 证据：`src/mcpscan/__init__.py`
- **Init**（source_file）：all = 证据：`src/mcpscan/atlas/__init__.py`
- **Model**（source_file）：class Framework Enum ⋮---- ATTACK = "mitre attack" ATLAS = "mitre atlas" OWASP LLM = "owasp llm top10" NIST AI RMF = "nist ai rmf" CIS = "cis controls v8" ⋮---- FRAMEWORK LABELS: dict Framework, str = { ⋮---- def framework label framework: Framework - str ⋮---- @dataclass frozen=True class FrameworkRef ⋮---- framework: Framework ref: str title: str ⋮---- CREDS IN FILES = FrameworkRef ATLAS CREDS = FrameworkRef Framework.ATLAS, "AML.T0055", "Unsecured Credentials" LLM SENSITIVE = FrameworkRef Framework.OWASP LLM, "LLM02", "Sensitive Information Disclosure" RMF GOVERN = FrameworkRef Framework.NIST AI RMF, "GOVERN", "Govern function" RMF MAP = FrameworkRef Framework.NIST AI RMF, "MAP", "Map fu… 证据：`src/mcpscan/atlas/model.py`
- **Render**（source_file）：def ref line ref: FrameworkRef - str ⋮---- def render terminal atlas report: Report, opts: RenderOptions - str ⋮---- """The scan's findings, each annotated with its framework citations.""" total = sum len s.findings for s in report.servers lines = f"AI Agentic MCPscan — atlas: {total} finding s mapped" ⋮---- refs = refs for finding.id ⋮---- def render terminal matrix - str ⋮---- lines = "AI Agentic MCPscan — atlas reference matrix" ⋮---- def ref to dict ref: FrameworkRef - dict str, str ⋮---- def render json atlas report: Report, opts: RenderOptions - str ⋮---- findings = payload = { 证据：`src/mcpscan/atlas/render.py`
- **Init**（source_file）：@dataclass frozen=True class EnvFile ⋮---- path: str entries: tuple tuple int, str, str , ... mode: int None = None git tracked: bool None = None ⋮---- def parse env text path: str, text: str, , mode: int None = None - EnvFile ⋮---- entries: list tuple int, str, str = ⋮---- line = raw line.strip ⋮---- all = "EnvFile", "ServerDecl", "parse env text" 证据：`src/mcpscan/checks/__init__.py`
- **Exposure**（source_file）：def check socket exposure sock: ListeningSocket - list Finding ⋮---- severity = classify exposure sock.ip ⋮---- all = "Severity", "check socket exposure" 证据：`src/mcpscan/checks/exposure.py`
- **Pinning**（source_file）：VERSIONED = re.compile r"@\d @latest == @ ~^ ?\d" LATEST = re.compile r"@latest\b" FLOATING RUNNERS = {"npx", "uvx", "pnpx", "bunx"} ⋮---- NPM RUNNERS = {"npx", "pnpx", "bunx"} PYPI RUNNERS = {"uvx", "pipx", "pip"} ⋮---- def package args args: tuple str, ... - list str ⋮---- @dataclass frozen=True class PackageSpec ⋮---- ecosystem: str name: str version: str ⋮---- def parse package spec command: str None, args: tuple str, ... - PackageSpec None ⋮---- runner = command or "" .rsplit "/", 1 -1 ⋮---- ecosystem = "npm" ⋮---- ecosystem = "PyPI" ⋮---- ids = ", ".join vuln ids :5 ⋮---- def check server pinning server: ServerDecl, config path: str - list Finding ⋮---- """Flag an unpinned package run… 证据：`src/mcpscan/checks/pinning.py`
- **Secrets**（source_file）：PROVIDER PATTERNS: tuple tuple str, re.Pattern str , ... = ⋮---- SECRET NAME = re.compile ENTROPY THRESHOLD = 3.5 MIN ENTROPY LEN = 20 ⋮---- def shannon entropy value: str - float ⋮---- """Shannon entropy bits/char of a string.""" ⋮---- counts = {ch: value.count ch for ch in set value } n = len value ⋮---- def provider match value: str - str None ⋮---- def looks secret key: str, value: str - str None ⋮---- """Return a human label if key, value looks like a plaintext secret.""" label = provider match value ⋮---- def finding label: str, location: Location, raw value: str - Finding ⋮---- def check server env server: ServerDecl, config path: str - list Finding ⋮---- findings: list Finding = ⋮--… 证据：`src/mcpscan/checks/secrets.py`
- **Tool Scope**（source_file）：DANGEROUS = re.compile PARENS = re.compile r"\ ^ \ " ⋮---- def is dangerous tool token: str - bool ⋮---- """True if token names a shell/exec-class RCE-capable tool. Public so the --fix remediation removes exactly what this module flags — the checker and the fixer must never diverge. """ ⋮---- def has broad wildcard entry: str - bool ⋮---- """True if wildcards the tool/permission name itself. A inside parentheses e.g. Glob src/ scopes a specific tool's arguments and is fine; a outside parentheses , mcp grants access broadly and is flagged. """ outside = PARENS.sub "", entry ⋮---- def check permissions allow: tuple str, ... , config path: str - list Finding ⋮---- """Flag wildcard grants and a… 证据：`src/mcpscan/checks/tool_scope.py`
- **Imported lazily so the default/help path stays light and import-isolated.**（source_file）：THRESHOLDS = { ⋮---- def build parser - argparse.ArgumentParser ⋮---- parser = argparse.ArgumentParser ⋮---- drift = parser.add argument group ⋮---- atlas = parser.add argument group ⋮---- trust = parser.add argument group ⋮---- inventory = parser.add argument group ⋮---- lan = parser.add argument group ⋮---- def main argv: list str None = None - int ⋮---- parser = build parser args = parser.parse args argv ⋮---- GRADE RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "F": 4} ⋮---- def run trust args: argparse.Namespace - int ⋮---- report = collect trust roots=args.root opts = RenderOptions absolute paths=args.absolute paths, home=str Path.home ⋮---- floor = GRADE RANK args.min grade ⋮---- def postur… 证据：`src/mcpscan/cli.py`
- **Domain**（source_file）：class Severity Enum ⋮---- CRITICAL = "critical" HIGH = "high" MEDIUM = "medium" LOW = "low" INFO = "info" ⋮---- @property def weight self - int ⋮---- SEVERITY WEIGHT: dict Severity, int = { ⋮---- class Dimension Enum ⋮---- EXPOSURE = "exposure" CREDENTIAL = "credential" TOOL SCOPE = "tool scope" PINNING = "pinning" ⋮---- class ServerState Enum ⋮---- RUNNING = "running" DECLARED = "declared" ⋮---- @dataclass frozen=True class SecretFingerprint ⋮---- masked: str sha256 8: str length: int ⋮---- @dataclass frozen=True class Location ⋮---- path: str line: int None = None ⋮---- @dataclass frozen=True class Finding ⋮---- id: str dimension: Dimension severity: Severity title: str location: Location… 证据：`src/mcpscan/domain.py`
- **Init**（source_file）：all = 证据：`src/mcpscan/drift/__init__.py`
- **Baseline**（source_file）：class BaselineError Exception ⋮---- def snapshot to dict snapshot: Snapshot, , created at: str None = None - dict str, object ⋮---- def render baseline snapshot: Snapshot, , created at: str None = None - str ⋮---- def load baseline text: str, , verify digest: bool = True - Snapshot ⋮---- data = json.loads text ⋮---- schema = data.get "schema version" ⋮---- raw facts = data.get "facts" ⋮---- facts: list PostureFact = ⋮---- snapshot = Snapshot schema version=DRIFT SCHEMA VERSION, facts=tuple facts ⋮---- stored = data.get "digest" actual = snapshot digest snapshot ⋮---- def fact from dict item: object - PostureFact ⋮---- kind = FactKind item "kind" key = str item "key" summary = str item "summ… 证据：`src/mcpscan/drift/baseline.py`
- **Diff**（source_file）：def exposure of fact: PostureFact - str ⋮---- def added direction fact: PostureFact - Direction ⋮---- def removed direction fact: PostureFact - Direction ⋮---- def changed direction before: PostureFact, after: PostureFact - Direction ⋮---- def diff snapshots baseline: Snapshot, current: Snapshot - DriftReport ⋮---- old = baseline.by key new = current.by key entries: list DriftEntry = ⋮---- fact = new key ⋮---- fact = old key ⋮---- DIRECTION ORDER = { 证据：`src/mcpscan/drift/diff.py`
- **Model**（source_file）：DRIFT SCHEMA VERSION = "1.0" ⋮---- class FactKind Enum ⋮---- SERVER = "server" FINDING = "finding" ASSET = "asset" ⋮---- class Direction Enum ⋮---- REGRESSION = "regression" IMPROVEMENT = "improvement" INFORMATIONAL = "informational" ⋮---- class ChangeType Enum ⋮---- ADDED = "added" REMOVED = "removed" CHANGED = "changed" ⋮---- @dataclass frozen=True class PostureFact ⋮---- kind: FactKind key: str summary: str detail: tuple tuple str, str , ... = ⋮---- def detail map self - dict str, str ⋮---- @dataclass frozen=True class Snapshot ⋮---- schema version: str facts: tuple PostureFact, ... = field default factory=tuple ⋮---- def by key self - dict str, PostureFact ⋮---- @dataclass frozen=True c… 证据：`src/mcpscan/drift/model.py`
- **Render**（source_file）：CHANGE MARK: dict ChangeType, str = { ⋮---- DIRECTION LABEL: dict Direction, str = { ⋮---- def render terminal drift report: DriftReport - str ⋮---- n reg = len report.regressions n imp = len report.improvements lines = ⋮---- mark = CHANGE MARK entry.change label = DIRECTION LABEL entry.direction ⋮---- before = dict entry.detail before after = dict entry.detail after ⋮---- def entry to dict entry: DriftEntry - dict str, object ⋮---- def render json drift report: DriftReport - str ⋮---- payload = { 证据：`src/mcpscan/drift/render.py`
- **Snapshot**（source_file）：def server fact server: Server - PostureFact ⋮---- exposure = "exposed" if server.bind addr and not is loopback server.bind addr else "local" detail = { ⋮---- def finding facts server: Server - list PostureFact ⋮---- facts: list PostureFact = ⋮---- line = "" if finding.location.line is None else str finding.location.line key = f"finding:{server.id}:{finding.id}:{finding.location.path}:{line}" ⋮---- def asset facts inventory: Inventory - list PostureFact ⋮---- key = f"asset:{asset.kind.value}:{asset.location}:{asset.server name or ''}" ⋮---- def build snapshot report: Report, inventory: Inventory None = None - Snapshot ⋮---- """Normalize a scan Report and optional Inventory into a Snapshot."… 证据：`src/mcpscan/drift/snapshot.py`
- **--- user-level default host configs ---**（source_file）：SCHEMA VERSION = "1.0" ⋮---- OsvFetch = Callable str, str, str , "tuple tuple str, ... , bool " ⋮---- def adapters - tuple HostAdapter, ... ⋮---- system = system or platform.system env = env if env is not None else os.environ roots = list roots if roots is not None else Path.cwd adapters = adapters ⋮---- seen: list Path = ⋮---- def add path: Path - None ⋮---- def audit config cfg: ParsedConfig, osv fetch: OsvFetch None = None - list Server ⋮---- servers: list Server = ⋮---- findings: list Finding = ⋮---- perm findings = check permissions cfg.allow permissions, cfg.path ⋮---- spec: PackageSpec None = parse package spec command, args ⋮---- def default osv fetch name: str, version: str, ecosys… 证据：`src/mcpscan/engine.py`
- **Osv**（source_file）：OSV URL = "https://api.osv.dev/v1/query" ⋮---- @dataclass frozen=True class OsvVuln ⋮---- id: str critical: bool ⋮---- def parse osv response data: object - list OsvVuln ⋮---- vulns = data.get "vulns" ⋮---- out: list OsvVuln = ⋮---- vid = str vuln.get "id", "" or "UNKNOWN" ⋮---- def is critical vuln: dict str, object - bool ⋮---- blob = json.dumps vuln .upper ⋮---- body = json.dumps request = urllib.request.Request ⋮---- payload = json.loads resp.read .decode "utf-8" 证据：`src/mcpscan/enrichment/osv.py`
- **Init**（source_file）：all = 证据：`src/mcpscan/inventory/__init__.py`
- **The process name is the stronger identity; the endpoint result**（source_file）：SnippetFetch = Callable str, int, str , "tuple int, str None" ⋮---- PROC SIGNATURES: dict str, tuple AssetKind, str = { ⋮---- ENDPOINT SIGNATURES: tuple tuple str, str, AssetKind, str, Confidence , ... = ⋮---- PORT HINTS: dict int, tuple AssetKind, str = { ⋮---- MCP PATHS = "/mcp", "/sse" ⋮---- def normalize proc proc name: str - str ⋮---- name = proc name.lower ⋮---- def match proc proc name: str None - tuple AssetKind, str None ⋮---- def classify socket sock: ListeningSocket, fetch: SnippetFetch None = None - Asset None ⋮---- evidence: list str = kind: AssetKind None = None product = "" confidence = Confidence.LOW ⋮---- proc match = match proc sock.proc name ⋮---- confidence = Confidence.… 证据：`src/mcpscan/inventory/classify.py`
- **Collect**（source_file）：def read path: Path - str None ⋮---- def default fetch host: str, port: int, path: str - tuple int, str None ⋮---- system = system or platform.system env = env if env is not None else os.environ roots = list roots if roots is not None else Path.cwd ⋮---- fetch: SnippetFetch None = None ⋮---- fetch = snippet fetch if snippet fetch is not None else default fetch ⋮---- assets: list Asset = ⋮---- candidates = Path str c for c in adapter.default config paths system, env ⋮---- raw = read path ⋮---- cfg = adapter.parse str path , raw ⋮---- incomplete = False ⋮---- result: EnumerationResult = enumerate listening incomplete = result.inspection incomplete seen: set tuple int, int None = set ⋮---- key… 证据：`src/mcpscan/inventory/collect.py`
- **Fingerprint**（source_file）：MAX BYTES = 4096 PRINTABLE = set string.printable ⋮---- def sanitize raw: bytes - str ⋮---- text = raw.decode "utf-8", errors="replace" ⋮---- """GET one path on a loopback host; return status, sanitized body snippet . The status code matters to classification: a 404 proves the path does not exist on that server, which is negative evidence see the MCP rule in classify . Returns None when the endpoint doesn't respond or errors , so a probe failure can never distort classification — it just yields no evidence. Raises: NonLoopbackProbeError: if host is not loopback fail closed . """ ⋮---- conn = http.client.HTTPConnection host, port, timeout=timeout ⋮---- resp = conn.getresponse body = resp.rea… 证据：`src/mcpscan/inventory/fingerprint.py`
- **Model**（source_file）：INVENTORY SCHEMA VERSION = "1.0" ⋮---- class AssetKind Enum ⋮---- AGENT HOST = "agent host" MCP SERVER = "mcp server" MODEL SERVER = "model server" INFERENCE ENDPOINT = "inference endpoint" LLM GATEWAY = "llm gateway" VECTOR DB = "vector db" ⋮---- class AssetSource Enum ⋮---- CONFIG = "config" SOCKET = "socket" ⋮---- class Confidence Enum ⋮---- HIGH = "high" MEDIUM = "medium" LOW = "low" ⋮---- @dataclass frozen=True class Asset ⋮---- kind: AssetKind product: str source: AssetSource location: str confidence: Confidence evidence: tuple str, ... host: str None = None server name: str None = None bind addr: str None = None port: int None = None pid: int None = None proc name: str None = None ⋮-… 证据：`src/mcpscan/inventory/model.py`
- **Render**（source_file）：KIND LABELS: dict AssetKind, str = { ⋮---- def location asset: Asset, opts: RenderOptions - str ⋮---- def render terminal inventory inventory: Inventory, opts: RenderOptions - str ⋮---- lines = f"AI Agentic MCPscan — inventory: {len inventory.assets } asset s " ⋮---- group = a for a in inventory.assets if a.kind is kind ⋮---- name = f"{asset.product}" ⋮---- proc = asset.proc name or "?" ⋮---- def asset to dict asset: Asset, opts: RenderOptions - dict str, object ⋮---- def render json inventory inventory: Inventory, opts: RenderOptions - str ⋮---- payload = { 证据：`src/mcpscan/inventory/render.py`
- **Init**（source_file）：all = 证据：`src/mcpscan/lan/__init__.py`
- **Audit**（source_file）：@dataclass frozen=True class AuditRecord ⋮---- manifest sha256: str authorization id: str operator: str tool version: str invoker: str utc timestamp: str argv: tuple str, ... resolved targets: tuple str, ... results digest: str ⋮---- def digest payload payload: object - str ⋮---- encoded = json.dumps payload, sort keys=True, separators= ",", ":" , ensure ascii=False ⋮---- def audit record to dict record: AuditRecord - dict str, object 证据：`src/mcpscan/lan/audit.py`
- **Budgets**（source_file）：Invoker = Literal "human", "agent" ⋮---- @dataclass frozen=True class Budgets ⋮---- max hosts: int max ports per host: int max concurrency: int max total connections: int max runtime s: float per target cooldown s: float ⋮---- def lowered self, overrides: float - Budgets ⋮---- current = { ⋮---- HUMAN CEILING = Budgets AGENT CEILING = Budgets ⋮---- def budgets for invoker invoker: Invoker - Budgets 证据：`src/mcpscan/lan/budgets.py`
- **Manifest**（source_file）：VALID SCHEMES = "ssh", "ed25519" ⋮---- @dataclass frozen=True class Manifest ⋮---- authorization id: str operator: str expires at: datetime targets: tuple str, ... ports: tuple int, ... signature scheme: str sha256: str ⋮---- def is expired self, now: datetime - bool ⋮---- @dataclass frozen=True class ManifestError ⋮---- message: str ⋮---- def require str data: dict str, object , key: str - str ManifestError ⋮---- value = data.get key ⋮---- def load manifest raw: bytes - Manifest ManifestError ⋮---- sha256 = hashlib.sha256 raw .hexdigest ⋮---- data = tomllib.loads raw.decode "utf-8" ⋮---- auth id = require str data, "authorization id" ⋮---- operator = require str data, "operator" ⋮---- expi… 证据：`src/mcpscan/lan/manifest.py`
- **Policy**（source_file）：@dataclass frozen=True class EnterprisePolicy ⋮---- public targets: tuple str, ... ⋮---- @dataclass frozen=True class PolicyError ⋮---- message: str ⋮---- def load policy raw: bytes - EnterprisePolicy PolicyError ⋮---- data = tomllib.loads raw.decode "utf-8" ⋮---- targets = data.get "public targets" 证据：`src/mcpscan/lan/policy.py`
- **Replace C0/C1 control characters and DEL with a space, keep printable text.**（source_file）：ANSI = re.compile r"\x1b\ 0-9;? -/ @-~ " LABEL = " untrusted remote data " ⋮---- def sanitize remote raw: bytes str, , max len: int = 200 - str ⋮---- """Return an inert, labelled, length-capped rendering of remote bytes. A prompt-injection payload survives only as plain, labelled text — it is never interpreted, interpolated into remediation prose, or fed to a model. """ text = raw.decode "utf-8", errors="replace" if isinstance raw, bytes else raw text = ANSI.sub "", text Replace C0/C1 control characters and DEL with a space, keep printable text. text = "".join ch if ch = " " and ch != "\x7f" else " " for ch in text text = " ".join text.split ⋮---- text = text :max len + "…" 证据：`src/mcpscan/lan/sanitize.py`
- **Scope**（source_file）：IPNetwork = ipaddress.IPv4Network ipaddress.IPv6Network ⋮---- @dataclass frozen=True class ScopeError ⋮---- message: str ⋮---- @dataclass frozen=True class ResolvedScope ⋮---- hosts: tuple str, ... ports: tuple int, ... ⋮---- def as network target: str - IPNetwork ScopeError ⋮---- def covered by policy net: IPNetwork, allowlist: tuple str, ... None - bool ⋮---- """True if net is a subnet of some explicitly-authorized public target.""" ⋮---- allowed = ipaddress.ip network entry, strict=False if net.version == allowed.version and net.subnet of allowed : type: ignore arg-type ⋮---- """Resolve manifest targets to concrete hosts, enforcing all scope rules.""" ports = manifest.ports ⋮---- hosts:… 证据：`src/mcpscan/lan/scope.py`
- **Separator-agnostic so it works regardless of the OS the report is rendered**（source_file）：SEPARATORS = "/", "\\" ⋮---- SEVERITY ORDER: dict Severity, int = { ⋮---- @dataclass frozen=True class RenderOptions ⋮---- """Cross-renderer display options.""" ⋮---- show secrets: bool = False absolute paths: bool = False home: str None = None ⋮---- def display path path: str, opts: RenderOptions - str ⋮---- """Relativize a filesystem path under the home dir to ~/… FR-R7 . Non-path locations e.g. ip:port and paths outside home are returned unchanged. --absolute-paths disables relativization. """ ⋮---- Separator-agnostic so it works regardless of the OS the report is rendered on Windows CI rendering POSIX-style paths, and vice versa . home = opts.home.rstrip "/\\" 证据：`src/mcpscan/report/__init__.py`
- **A colon in the first segment that is not a Windows drive letter marks a**（source_file）：SARIF SCHEMA = SARIF VERSION = "2.1.0" TOOL NAME = "ai-agentic-mcpscan" INFORMATION URI = "https://github.com/IRsoctierDT/ai-agentic-mcpscan" ⋮---- LEVEL: dict Severity, str = { ⋮---- SECURITY SEVERITY: dict Severity, str = { ⋮---- def source uri path: str, base: str None, opts: RenderOptions - str None ⋮---- norm = path.replace "\\", "/" first = norm.split "/", 1 0 A colon in the first segment that is not a Windows drive letter marks a network endpoint host:port , not a file — out of scope for code scanning. ⋮---- b = base.replace "\\", "/" .rstrip "/" ⋮---- disp = display path path, opts .replace "\\", "/" ⋮---- if len disp 2 and disp 1 == ":": Windows drive, e.g. C:/Users/... ⋮---- retur… 证据：`src/mcpscan/report/sarif.py`
- **Scoring**（source_file）：MAX SCORE = 100 GRADE BANDS: tuple tuple int, str , ... = FAIL GRADE = "F" ⋮---- def score findings findings: Iterable Finding - int ⋮---- score = MAX SCORE - sum f.severity.weight for f in findings ⋮---- def grade for score score: int - str ⋮---- def grade findings findings: Iterable Finding - str ⋮---- def worst grade grades: Iterable str - str ⋮---- letters = list grades ⋮---- def dimension grades findings: Iterable Finding - dict Dimension, str ⋮---- by dim: dict Dimension, list Finding = {dim: for dim in Dimension} 证据：`src/mcpscan/scoring.py`
- **Init**（source_file）：all = 证据：`src/mcpscan/trust/__init__.py`
- **Analyze**（source_file）：AUTONOMY = 15 PROVENANCE = 10 ⋮---- def secret factor server: ServerDecl, path: str - FactorScore ⋮---- n = len check server env server, path ⋮---- risk = min SECRET BASE + n - 1 SECRET PER EXTRA, SECRET CAP plural = "credential" if n == 1 else "credentials" ⋮---- def privilege factor server: ServerDecl - FactorScore ⋮---- dangerous = t for t in server.auto approve if is dangerous tool t wildcard = t for t in server.auto approve if has broad wildcard t risk = 0 ⋮---- risk = min risk, PRIVILEGE CAP ⋮---- parts = ⋮---- def autonomy factor server: ServerDecl - FactorScore ⋮---- n = len server.auto approve ⋮---- def provenance factor server: ServerDecl, path: str - FactorScore ⋮---- def relatio… 证据：`src/mcpscan/trust/analyze.py`
- **Collect**（source_file）：def read path: Path - str None ⋮---- system = system or platform.system env = env if env is not None else os.environ roots = list roots if roots is not None else Path.cwd ⋮---- profiles: list TrustProfile = ⋮---- candidates = Path str c for c in adapter.default config paths system, env ⋮---- raw = read path 证据：`src/mcpscan/trust/collect.py`
- **Model**（source_file）：TRUST SCHEMA VERSION = "1.0" ⋮---- class TrustFactor Enum ⋮---- SECRET ACCESS = "secret access" TOOL PRIVILEGE = "tool privilege" AUTONOMY = "autonomy" CODE PROVENANCE = "code provenance" ⋮---- @dataclass frozen=True class FactorScore ⋮---- factor: TrustFactor risk: int detail: str ⋮---- @property def present self - bool ⋮---- @dataclass frozen=True class RiskRelationship ⋮---- id: str title: str rationale: str factors: tuple TrustFactor, ... ⋮---- @dataclass frozen=True class TrustProfile ⋮---- subject: str server name: str host: str location: str score: int grade: str factors: tuple FactorScore, ... = relationships: tuple RiskRelationship, ... = ⋮---- @property def present factors self -… 证据：`src/mcpscan/trust/model.py`
- 其余 11 条证据见 `AI_CONTEXT_PACK.json` 或 `EVIDENCE_INDEX.json`。

## 宿主 AI 必须遵守的规则

- **把本资产当作开工前上下文，而不是运行环境。**：AI Context Pack 只包含证据化项目理解，不包含目标项目的可执行状态。 证据：`README.md`, `tools/dogfood/README.md`, `docs/ARCHITECTURE.md`
- **回答用户时区分可预览内容与必须安装后才能验证的内容。**：安装前体验的消费者价值来自降低误装和误判，而不是伪装成真实运行。 证据：`README.md`, `tools/dogfood/README.md`, `docs/ARCHITECTURE.md`

## 用户开工前应该回答的问题

- 你准备在哪个宿主 AI 或本地环境中使用它？
- 你只是想先体验工作流，还是准备真实安装？
- 你最在意的是安装成本、输出质量、还是和现有规则的冲突？

## 验收标准

- 所有能力声明都能回指到 evidence_refs 中的文件路径。
- AI_CONTEXT_PACK.md 没有把预览包装成真实运行。
- 用户能在 3 分钟内看懂适合谁、能做什么、如何开始和风险边界。

---

## Doramagic Context Augmentation

下面内容用于强化 Repomix/AI Context Pack 主体。Human Manual 只提供阅读骨架；踩坑日志会被转成宿主 AI 必须遵守的工作约束。

## Human Manual 骨架

使用规则：这里只是项目阅读路线和显著性信号，不是事实权威。具体事实仍必须回到 repo evidence / Claim Graph。

宿主 AI 硬性规则：
- 不得把页标题、章节顺序、摘要或 importance 当作项目事实证据。
- 解释 Human Manual 骨架时，必须明确说它只是阅读路线/显著性信号。
- 能力、安装、兼容性、运行状态和风险判断必须引用 repo evidence、source path 或 Claim Graph。

- **项目概述、安装与运行模式**：importance `high`
  - source_paths: README.md, pyproject.toml, src/mcpscan/cli.py
- **核心 scan 命令、检查项与 A–F 评分**：importance `high`
  - source_paths: src/mcpscan/engine.py, src/mcpscan/scoring.py, src/mcpscan/checks/exposure.py, src/mcpscan/checks/secrets.py, src/mcpscan/checks/tool_scope.py
- **主机适配器:Claude、Cursor、Windsurf、Cline、VS Code、Zed、Continue**：importance `high`
  - source_paths: src/mcpscan/adapters/base.py, src/mcpscan/adapters/paths.py, src/mcpscan/adapters/claude.py, src/mcpscan/adapters/cursor.py, src/mcpscan/adapters/windsurf.py
- **信任评分与风险关系(`mcpscan trust`)**：importance `high`
  - source_paths: src/mcpscan/trust/analyze.py, src/mcpscan/trust/collect.py, src/mcpscan/trust/model.py, src/mcpscan/trust/render.py, src/mcpscan/domain.py
- **资产清单与安全框架映射**：importance `medium`
  - source_paths: src/mcpscan/inventory/collect.py, src/mcpscan/inventory/classify.py, src/mcpscan/inventory/fingerprint.py, src/mcpscan/inventory/model.py, src/mcpscan/inventory/render.py
- **漂移检测、SARIF 与 CI 集成**：importance `high`
  - source_paths: src/mcpscan/drift/baseline.py, src/mcpscan/drift/diff.py, src/mcpscan/drift/model.py, src/mcpscan/drift/render.py, src/mcpscan/drift/snapshot.py
- **授权网络评估 `mcpscan lan`**：importance `high`
  - source_paths: src/mcpscan/lan/manifest.py, src/mcpscan/lan/policy.py, src/mcpscan/lan/scope.py, src/mcpscan/lan/budgets.py, src/mcpscan/lan/sanitize.py
- **内部架构、引擎与扩展点**：importance `medium`
  - source_paths: src/mcpscan/__init__.py, src/mcpscan/engine.py, src/mcpscan/domain.py, src/mcpscan/scoring.py, src/mcpscan/enrichment/osv.py

## Repo Inspection Evidence / 源码检查证据

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `20244612b86e6974f6c37adc5842a330459cccfb`
- inspected_files: `README.md`, `pyproject.toml`, `docs/ARCHITECTURE.md`, `docs/BACKLOG.md`, `docs/BACKLOG_REVIEW.md`, `docs/DECISIONS.md`, `docs/DEVSECOPS.md`, `docs/LAN_OPERATOR_GUIDE.md`, `docs/RELEASING.md`, `docs/SECURITY_SIGNOFF.md`, `docs/SPEC.md`, `docs/STATUS.md`, `docs/STATUS.yaml`, `docs/dogfood/NETWORK_LAB.md`, `docs/dogfood/TRIAGE_TEMPLATE.md`, `docs/proposals/LAN_SCANNING.md`, `docs/proposals/REAL_LAB_DOGFOOD.md`, `docs/proposals/VISION.md`, `src/mcpscan/__init__.py`, `src/mcpscan/adapters/__init__.py`

宿主 AI 硬性规则：
- 没有 repo_clone_verified=true 时，不得声称已经读过源码。
- 没有 repo_inspection_verified=true 时，不得把 README/docs/package 文件判断写成事实。
- 没有 quick_start_verified=true 时，不得声称 Quick Start 已跑通。

## Doramagic Pitfall Constraints / 踩坑约束

这些规则来自 Doramagic 发现、验证或编译过程中的项目专属坑点。宿主 AI 必须把它们当作工作约束，而不是普通说明文字。

### Constraint 1: 可能修改宿主 AI 配置

- Trigger: 项目面向 Claude/Cursor/Codex/Gemini/OpenCode 等宿主，或安装命令涉及用户配置目录。
- Host AI rule: 列出会写入的配置文件、目录和卸载/回滚步骤。
- Why it matters: 安装可能改变本机 AI 工具行为，用户需要知道写入位置和回滚方法。
- Evidence: capability.host_targets | https://github.com/IRsoctierDT/ai-agentic-mcpscan | host_targets=mcp_host, claude, cursor
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

### Constraint 2: 能力判断依赖假设

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: 将假设转成下游验证清单。
- Why it matters: 假设不成立时，用户拿不到承诺的能力。
- Evidence: capability.assumptions | https://github.com/IRsoctierDT/ai-agentic-mcpscan | README/documentation is current enough for a first validation pass.
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

### Constraint 3: 维护活跃度未知

- Trigger: 未记录 last_activity_observed。
- Host AI rule: 补 GitHub 最近 commit、release、issue/PR 响应信号。
- Why it matters: 新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。
- Evidence: evidence.maintainer_signals | https://github.com/IRsoctierDT/ai-agentic-mcpscan | last_activity_observed missing
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

- Trigger: no_demo
- Evidence: downstream_validation.risk_items | https://github.com/IRsoctierDT/ai-agentic-mcpscan | no_demo; severity=medium
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

### Constraint 5: 存在评分风险

- Trigger: no_demo
- Why it matters: 风险会影响是否适合普通用户安装。
- Evidence: risks.scoring_risks | https://github.com/IRsoctierDT/ai-agentic-mcpscan | no_demo; severity=medium
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

### Constraint 6: issue/PR 响应质量未知

- Trigger: issue_or_pr_quality=unknown。
- Host AI rule: 抽样最近 issue/PR，判断是否长期无人处理。
- Why it matters: 用户无法判断遇到问题后是否有人维护。
- Evidence: evidence.maintainer_signals | https://github.com/IRsoctierDT/ai-agentic-mcpscan | issue_or_pr_quality=unknown
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。

### Constraint 7: 发布节奏不明确

- Trigger: release_recency=unknown。
- Host AI rule: 确认最近 release/tag 和 README 安装命令是否一致。
- Why it matters: 安装命令和文档可能落后于代码，用户踩坑概率升高。
- Evidence: evidence.maintainer_signals | https://github.com/IRsoctierDT/ai-agentic-mcpscan | release_recency=unknown
- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。
