{ "schema_version": 1, "generated_at": "2026-04-30T18:00:00Z", "hostname": "nightward-fixture", "home": "/tmp/nightward-fixture-home", "scan_mode": "home", "summary": { "total_items": 1, "total_findings": 4, "items_by_classification": { "portable": 1 }, "items_by_risk": { "info": 1 }, "items_by_tool": { "Codex": 1 }, "findings_by_severity": { "info": 1, "medium": 2, "high": 1 }, "findings_by_rule": { "mcp_broad_filesystem": 1, "mcp_secret_env": 1, "mcp_server_review": 1, "mcp_unpinned_package": 1 }, "findings_by_tool": { "Codex": 4 } }, "items": [ { "id": "d02aa351e661", "tool": "Codex", "path": "/tmp/nightward-fixture-home/.codex/config.toml", "kind": "file", "classification": "portable", "risk": "info", "reason": "Path is a portable-looking configuration file.", "recommended_action": "Review generated findings before syncing.", "exists": true, "size_bytes": 152, "mod_time": "2026-04-30T18:00:00Z" } ], "findings": [ { "id": "mcp_unpinned_package-23f4e5dd9f16", "tool": "Codex", "path": "/tmp/nightward-fixture-home/.codex/config.toml", "server": "demo", "severity": "high", "rule": "mcp_unpinned_package", "message": "MCP server \"demo\" runs a package executor without an obvious pinned package version.", "evidence": "command=npx args=-y @modelcontextprotocol/server-filesystem $HOME url=", "recommended_action": "Replace unversioned or @latest package references with a reviewed explicit version.", "impact": "Unsafe portable config can expose secrets, stale local state, or unexpected agent capabilities.", "why_this_matters": "AI agent and MCP configuration often sits in dotfiles and sync folders, so local-only values can leak or break on another machine.", "docs_url": "https://nightward.aethereal.dev/guide/mcp-security", "fix_available": true, "fix_kind": "pin-package", "confidence": "medium", "risk": "high", "requires_review": true, "fix_summary": "Replace unversioned or @latest package references with a reviewed explicit version.", "fix_steps": [ "Inspect the redacted evidence.", "Replace unversioned or @latest package references with a reviewed explicit version.", "Re-run Nightward and compare the next report." ], "patch_hint": { "kind": "pin-package", "package": "@modelcontextprotocol/server-filesystem" } }, { "id": "mcp_secret_env-2b536e661bca", "tool": "Codex", "path": "/tmp/nightward-fixture-home/.codex/config.toml", "server": "demo", "severity": "medium", "rule": "mcp_secret_env", "message": "MCP server \"demo\" references a sensitive environment key.", "evidence": "env.API_TOKEN=${API_TOKEN}", "recommended_action": "Keep secret values outside dotfiles and document required env names only.", "impact": "Unsafe portable config can expose secrets, stale local state, or unexpected agent capabilities.", "why_this_matters": "AI agent and MCP configuration often sits in dotfiles and sync folders, so local-only values can leak or break on another machine.", "docs_url": "https://nightward.aethereal.dev/guide/remediation", "fix_available": true, "fix_kind": "externalize-secret", "confidence": "medium", "risk": "medium", "requires_review": true, "fix_summary": "Keep secret values outside dotfiles and document required env names only.", "fix_steps": [ "Inspect the redacted evidence.", "Keep secret values outside dotfiles and document required env names only.", "Re-run Nightward and compare the next report." ], "patch_hint": { "kind": "externalize-secret", "env_key": "API_TOKEN" } }, { "id": "mcp_broad_filesystem-8dca8b68a5eb", "tool": "Codex", "path": "/tmp/nightward-fixture-home/.codex/config.toml", "server": "demo", "severity": "medium", "rule": "mcp_broad_filesystem", "message": "MCP server \"demo\" appears to reference broad filesystem access.", "evidence": "npx -y @modelcontextprotocol/server-filesystem $HOME ", "recommended_action": "Narrow filesystem arguments to explicit project or vault directories.", "impact": "Unsafe portable config can expose secrets, stale local state, or unexpected agent capabilities.", "why_this_matters": "AI agent and MCP configuration often sits in dotfiles and sync folders, so local-only values can leak or break on another machine.", "docs_url": "https://nightward.aethereal.dev/guide/mcp-security", "fix_available": true, "fix_kind": "narrow-filesystem", "confidence": "medium", "risk": "medium", "requires_review": true, "fix_summary": "Narrow filesystem arguments to explicit project or vault directories.", "fix_steps": [ "Inspect the redacted evidence.", "Narrow filesystem arguments to explicit project or vault directories.", "Re-run Nightward and compare the next report." ] }, { "id": "mcp_server_review-b836ab7c82bf", "tool": "Codex", "path": "/tmp/nightward-fixture-home/.codex/config.toml", "server": "demo", "severity": "info", "rule": "mcp_server_review", "message": "Review MCP server \"demo\" before syncing this config.", "evidence": "npx -y @modelcontextprotocol/server-filesystem $HOME ", "recommended_action": "Confirm this server is intentional and safe for the target machine before syncing.", "impact": "Unsafe portable config can expose secrets, stale local state, or unexpected agent capabilities.", "why_this_matters": "AI agent and MCP configuration often sits in dotfiles and sync folders, so local-only values can leak or break on another machine.", "docs_url": "https://nightward.aethereal.dev/reference/rules", "fix_available": true, "fix_kind": "manual-review", "confidence": "medium", "risk": "info", "requires_review": true, "fix_summary": "Confirm this server is intentional and safe for the target machine before syncing.", "fix_steps": [ "Inspect the redacted evidence.", "Confirm this server is intentional and safe for the target machine before syncing.", "Re-run Nightward and compare the next report." ] } ], "adapters": [ { "name": "Codex", "description": "OpenAI Codex CLI and agent configuration", "available": true, "checked": [ ".codex/config.toml", ".codex/auth.json" ], "found": [ "/tmp/nightward-fixture-home/.codex/config.toml" ] }, { "name": "Claude", "description": "Claude Code and Claude Desktop MCP configuration", "available": false, "checked": [ ".claude.json", "Library/Application Support/Claude/claude_desktop_config.json" ] }, { "name": "Cursor", "description": "Cursor MCP configuration", "available": false, "checked": [ ".cursor/mcp.json" ] }, { "name": "Windsurf", "description": "Windsurf MCP configuration", "available": false, "checked": [ ".codeium/windsurf/mcp_config.json", ".windsurf/mcp_config.json" ] }, { "name": "VS Code", "description": "VS Code and compatible MCP settings", "available": false, "checked": [ "Library/Application Support/Code/User/mcp.json", "Library/Application Support/Code/User/settings.json", ".config/Code/User/mcp.json", ".config/Code/User/settings.json" ] }, { "name": "Cline/Roo", "description": "Cline and Roo Code MCP settings", "available": false, "checked": [ "Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json", "Library/Application Support/Code/User/globalStorage/rooveterinaryinc.roo-cline/settings/mcp_settings.json", ".cline/mcp_settings.json", ".roo/mcp_settings.json" ] }, { "name": "OpenCode", "description": "OpenCode local MCP configuration", "available": false, "checked": [ ".opencode/config.json", ".config/opencode/opencode.json" ] }, { "name": "Goose", "description": "Goose agent and MCP configuration", "available": false, "checked": [ ".config/goose/config.yaml" ] }, { "name": "Ollama/Open WebUI", "description": "Local model identity and app-owned runtime state", "available": false, "checked": [ ".ollama/id_ed25519", ".open-webui" ] } ] }