[codex] fail closed on unsafe live scans and restore scanner fidelity #12

Draft
alexyorke wants to merge 18 commits into AgentSafe-AI:main from alexyorke:codex/fix-high-impact-review-findings

Conversation

@alexyorke (Contributor) commented Apr 22, 2026

What changed

  • fail closed on scan --server, gate, tooltrust_scan_server, and tooltrust_scan_config unless an unsafe live scan opt-in is set
  • preserve nested MCP metadata and schema, and walk nested properties in the analyzers
  • stop live scan dependency enrichment from using the caller cwd as an unrelated project root
  • build the GitHub Action from the checked-out ref and pin the npm wrapper to the package release tag
  • use per-dependency lookup timeouts and add Yarn Berry lockfile parsing
  • normalize home-directory resolution for config and model paths
  • fix live local dependency parsing for PNPM peer-suffixed keys and requirements.txt inline comments / environment markers
  • strip Python requirement extras from exact pins before dependency lookup
  • parse Python === exact pins without corrupting the version
  • strip pip hash options and line-continuation backslashes from exact-pinned requirement versions
  • parse CVSS v3 vector strings from OSV so Critical vulnerabilities are not downgraded to High
  • validate repo_url hosts before remote lockfile fetches and normalize trailing .git/ GitHub URLs
  • tolerate boolean npm bundleDependencies / bundledDependencies registry fields so package scripts and IOC metadata are still inspected
  • keep scan-repo source detection capped per language without hiding other languages
  • expand scan-repo detection to cover mark3labs Go MCP servers and CommonJS / JSX MCP SDK files
  • populate and render dependency visibility context in MCP scan reports using the same helper as the CLI
  • preserve dependency source metadata from MCP metadata.dependencies entries
  • preserve dependency source provenance in supply-chain issue evidence
  • stop AS-014 from warning when an MCP tool exposes a usable repo_url
  • parse JSON-RPC wrapped MCP tools/list responses instead of silently scanning zero tools
  • preserve standard MCP _meta fields alongside legacy metadata fields
  • merge current main into the PR branch so the PR is up to date

Why

The scanner had several high-impact fidelity and safety bugs at once:

  • live scans executed the target command on the host before ToolTrust could score it
  • MCP adapters dropped nested schema and metadata
  • live dependency enrichment could import unrelated lockfiles from the caller repo
  • packaging paths fetched mutable latest binaries
  • local lockfile parsing missed common dependency formats
  • Python requirement pins with extras, ===, hashes, or continuation backslashes produced package/version strings OSV would not match
  • OSV vector severities could be under-classified
  • remote lockfile fetches trusted malformed GitHub-looking URLs
  • npm registry decoding could drop package evidence on common field shapes
  • source-repo detection could miss embedded MCP servers depending on language ordering or SDK style
  • MCP report generation dropped dependency visibility fields that the CLI already surfaced
  • MCP dependency parsing discarded per-dependency provenance needed to label verified lockfile evidence correctly
  • supply-chain issue generation overwrote dependency provenance back to plain metadata
  • the dependency-inventory checker used dependency collection instead of checking visibility fields directly
  • valid JSON-RPC tools/list payloads were treated as empty
  • standard MCP _meta fields were ignored

Impact

  • live scanning is explicit and fail-closed by default across the CLI and MCP tool surfaces
  • MCP live-scan tools now require allow_unsafe_live_scan=true before launching target commands or configured servers
  • AS-005, AS-010, AS-011, context inference, and input-surface checks now see nested schema and metadata
  • local lockfiles no longer pollute unrelated live scans
  • PNPM peer dependency suffixes and Python requirement markers/comments no longer break local dependency evidence
  • Python requirement extras, triple-equals exact pins, hashes, and continuation backslashes now map to package/version values OSV can query
  • CVSS v3 vector severities are scored instead of falling back to High
  • remote lockfile enrichment no longer fetches attacker-controlled non-GitHub hosts that merely contain github.com/ in the path
  • npm lifecycle-script and IOC checks keep working when registry metadata uses boolean bundle dependency fields
  • Action and npm installs are version-pinned instead of following latest
  • dependency lookups no longer silently stop after one slow package
  • Windows config lookup honors HOME-style test sandboxes
  • scan-repo reports matches across multiple languages and recognizes more common embedded MCP server implementations
  • MCP scan output no longer loses dependency inventory visibility and explanatory notes
  • MCP adapter output keeps dependency provenance such as local_lockfile, so visibility labels stay accurate
  • AS-004/AS-008/AS-015/AS-016 evidence can now distinguish declared metadata from verified lockfile-derived dependency entries
  • AS-014 no longer emits a misleading “no metadata.dependencies or repo_url” warning when repo_url is present
  • pasted JSON-RPC tools/list responses and live mcp-go _meta metadata now retain tool definitions and analyzer inputs

Validation

  • go test ./... -count=1
  • go vet ./...
  • targeted repros for unsafe live scan opt-in in CLI and MCP tools, nested metadata/schema findings, cwd lockfile pollution, Yarn Berry parsing, HOME fallback behavior, PNPM peer key parsing, requirements marker/comment parsing, Python requirement extras, Python === pins, pip hash/continuation requirements, CVSS vector severity, GitHub repo URL host validation, trailing .git/ repo URL normalization, boolean npm bundle dependency fields, scan-repo per-language caps, mark3labs Go detection, CommonJS MCP SDK detection, MCP dependency visibility propagation, MCP dependency visibility text rendering, MCP dependency source preservation, supply-chain evidence source preservation, AS-014 repo URL false-positive prevention, JSON-RPC tools/list parsing, and MCP _meta preservation
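The requirements.txt shapes the PR lists (extras, `===` pins, inline comments, environment markers, `--hash` options, continuation backslashes) all have to collapse to a plain name/version pair before an OSV lookup can match. The following is an added illustration, not ToolTrust's own parser: `ParseExactPins` and the constructed `sampleRequirements` input are hypothetical, and only exact pins are returned (ranges, wildcards and `-r`/`--index-url` lines are skipped).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pin is one exactly pinned requirement, in the name/version shape an OSV query needs.
type Pin struct{ Name, Version string }

// Matches "name[extras]==version" or "name===version" and nothing else on the line,
// so "pkg==1.0,<2" and "pkg==1.0.*" are not mistaken for exact pins.
var exactPinRe = regexp.MustCompile(
	`^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*===?\s*([A-Za-z0-9.+!-]+)\s*$`)

// ParseExactPins joins backslash-continued lines, then strips inline comments,
// environment markers, per-requirement pip options (--hash, ...) and extras
// before matching, so the version string is never corrupted by trailing data.
func ParseExactPins(text string) []Pin {
	joined := strings.ReplaceAll(strings.ReplaceAll(text, "\r\n", "\n"), "\\\n", " ")
	var pins []Pin
	for _, line := range strings.Split(joined, "\n") {
		if i := strings.Index(line, "#"); i >= 0 { // inline comment
			line = line[:i]
		}
		if i := strings.Index(line, ";"); i >= 0 { // environment marker
			line = line[:i]
		}
		if i := strings.Index(line, " --"); i >= 0 { // pip options such as --hash
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-") { // blank, -r, --index-url, ...
			continue
		}
		if m := exactPinRe.FindStringSubmatch(line); m != nil {
			pins = append(pins, Pin{Name: strings.ToLower(m[1]), Version: m[3]})
		}
	}
	return pins
}

// sampleRequirements is a constructed input covering each shape the PR describes.
const sampleRequirements = "requests[security]==2.31.0 \\\n    --hash=sha256:aaaa \\\n    --hash=sha256:bbbb\n" +
	"urllib3===1.26.18  # transitive\n" +
	"cryptography==41.0.7; python_version < \"3.12\"\n" +
	"flask>=2.0\n-r base.txt\n"

func main() {
	for _, p := range ParseExactPins(sampleRequirements) {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```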

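The repo_url host check is the security-relevant piece: a substring test for `github.com/` would accept `https://evil.example/github.com/owner/repo` and let a lockfile fetch be steered to an attacker-controlled host. As an added example (hypothetical `CanonicalGitHubRepoURL`, not ToolTrust's own code), this validates the parsed hostname, rejects userinfo and non-https schemes, and normalizes a trailing `.git/` to the canonical owner/repo form; the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CanonicalGitHubRepoURL accepts a repo_url only when the parsed host is github.com
// and the path is owner/repo, and returns https://github.com/owner/repo with any
// trailing ".git" or "/" removed. Other hosts, credentials in the URL, non-https
// schemes and malformed paths are rejected before any remote fetch is attempted.
func CanonicalGitHubRepoURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("repo_url scheme %q is not https", u.Scheme)
	}
	if u.User != nil { // "https://github.com@evil.example/..." parses with host evil.example
		return "", errors.New("repo_url must not carry userinfo")
	}
	// Compare the parsed hostname, never a substring of the raw string.
	host := strings.ToLower(u.Hostname())
	if host != "github.com" && host != "www.github.com" {
		return "", fmt.Errorf("repo_url host %q is not github.com", host)
	}
	path := strings.TrimSuffix(strings.Trim(u.Path, "/"), ".git")
	parts := strings.Split(path, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("repo_url path %q is not owner/repo", u.Path)
	}
	return "https://github.com/" + parts[0] + "/" + parts[1], nil
}

func main() {
	// Constructed inputs: one valid URL with a trailing ".git/", then look-alikes that must fail.
	for _, raw := range []string{
		"https://github.com/example-owner/example-repo.git/",
		"https://evil.example/github.com/example-owner/example-repo",
		"https://github.com@evil.example/example-owner/example-repo",
		"http://github.com/example-owner/example-repo",
	} {
		canon, err := CanonicalGitHubRepoURL(raw)
		fmt.Printf("%-62s -> %q err=%v\n", raw, canon, err)
	}
}
```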