Fix AI-05 false positives on Node.js bundles, add e2e test suite

AI-05 flagged all non-entry-point .js files in compiled output
directories (build/, dist/) as unexpected executables. Added
Node.js entry point directory resolution, mirroring the existing
Python module resolution approach.

- Add _add_node_entry_point_files() to resolve build directory tree
- Guard against root-level entry points to prevent over-whitelisting
- Add 3 unit tests for Node.js multi-file builds
- Add e2e test suite (test_e2e_bundles.py) scanning real registry
  bundles: finnhub, folk, nationalparks
- Bump version to 0.2.4

Author: mgoldsborough

apps/scanner/.gitignore

@@ -51,6 +51,9 @@ dmypy.json
 *.mcpb
 /tmp/
 
+# Downloaded test bundles (e2e tests)
+/tests/data/
+
 # Environment
 .env
 .env.*

apps/scanner/Dockerfile

@@ -20,7 +20,7 @@ RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main
 RUN npm install -g eslint eslint-plugin-security --no-fund --no-audit
 
 # mpak-scanner + Python security tools (bandit, guarddog)
-RUN pip install --no-cache-dir "mpak-scanner[job]==0.2.3" bandit guarddog
+RUN pip install --no-cache-dir "mpak-scanner[job]==0.2.4" bandit guarddog
 
 ENTRYPOINT ["mpak-scanner"]
 CMD ["job"]

apps/scanner/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "mpak-scanner"
-version = "0.2.3"
+version = "0.2.4"
 description = "Security scanner for MCP bundles. Powers mpak Certified verification."
 readme = "README.md"
 license = "Apache-2.0"
@@ -92,6 +92,9 @@ python-version = "3.13"
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]
+markers = [
+    "e2e: end-to-end tests against real bundles from the registry (requires tests/data/)",
+]
 
 [dependency-groups]
 dev = [

apps/scanner/src/mpak_scanner/__init__.py

@@ -3,5 +3,5 @@
 from mpak_scanner.models import ComplianceLevel, ControlResult, SecurityReport
 from mpak_scanner.scanner import scan_bundle
 
-__version__ = "0.2.3"
+__version__ = "0.2.4"
 __all__ = ["scan_bundle", "SecurityReport", "ControlResult", "ComplianceLevel"]

apps/scanner/src/mpak_scanner/controls/artifact_integrity/ai05_bundle_completeness.py

@@ -227,8 +227,10 @@ def _build_referenced_files(self, manifest: dict[str, Any], bundle_dir: Path | N
                     cleaned = arg.replace("${__dirname}/", "")
                     referenced.add(cleaned)
 
-        # _meta.org.mpaktrust metadata (non-executable, always allowed)
-        # These don't need to be in the referenced set since they're not executable
+        # Node.js entry point directory resolution
+        server_type = server.get("type", "") if isinstance(server, dict) else ""
+        if server_type == "node" and entry_point and bundle_dir:
+            self._add_node_entry_point_files(entry_point, bundle_dir, referenced)
 
         return referenced
 
@@ -252,6 +254,27 @@ def _add_python_module_files(self, module_name: str, bundle_dir: Path, reference
                     if f.is_file():
                         referenced.add(str(f.relative_to(bundle_dir)).replace("\\", "/"))
 
+    def _add_node_entry_point_files(self, entry_point: str, bundle_dir: Path, referenced: set[str]) -> None:
+        """Resolve a Node.js entry point to its sibling modules.
+
+        TypeScript compiles to a directory (build/, dist/) where the entry
+        point imports other .js files. Add all files in the entry point's
+        directory tree as referenced.
+        """
+        entry_path = bundle_dir / entry_point
+        if not entry_path.exists():
+            return
+
+        # Add all files in the entry point's parent directory tree
+        entry_dir = entry_path.parent
+        if entry_dir == bundle_dir:
+            # Entry point is at root; don't add everything
+            return
+
+        for f in entry_dir.rglob("*"):
+            if f.is_file():
+                referenced.add(str(f.relative_to(bundle_dir)).replace("\\", "/"))
+
     def _looks_like_file(self, arg: str) -> bool:
         """Check if an argument looks like a file path."""
         # Skip flags

apps/scanner/src/mpak_scanner/scanner.py

@@ -70,7 +70,7 @@
 logger = logging.getLogger(__name__)
 
 # Version of the scanner
-SCANNER_VERSION = "0.2.3"
+SCANNER_VERSION = "0.2.4"
 
 # Domain groupings for controls (matches MTF v0.1 spec)
 DOMAINS = {

apps/scanner/tests/test_e2e_bundles.py

@@ -0,0 +1,144 @@
+"""End-to-end tests against real bundles from the mpak registry.
+
+These tests scan real published bundles to catch false positives and
+regressions that synthetic fixtures miss.
+
+Setup:
+    mpak bundle pull @nimblebraininc/finnhub -o tests/data/finnhub.mcpb
+    mpak bundle pull @nimblebraininc/folk -o tests/data/folk.mcpb
+    mpak bundle pull @nimblebraininc/nationalparks -o tests/data/nationalparks.mcpb
+
+Run:
+    uv run pytest tests/test_e2e_bundles.py -v
+    uv run pytest -m e2e -v
+"""
+
+from pathlib import Path
+
+import pytest
+
+from mpak_scanner import scan_bundle
+from mpak_scanner.models import ControlStatus, Severity
+
+DATA_DIR = Path(__file__).parent / "data"
+
+# Bundle paths
+FINNHUB = DATA_DIR / "finnhub.mcpb"
+FOLK = DATA_DIR / "folk.mcpb"
+NATIONALPARKS = DATA_DIR / "nationalparks.mcpb"
+
+ALL_BUNDLES = [
+    pytest.param(FINNHUB, id="finnhub"),
+    pytest.param(FOLK, id="folk"),
+    pytest.param(NATIONALPARKS, id="nationalparks"),
+]
+
+PYTHON_BUNDLES = [
+    pytest.param(FINNHUB, id="finnhub"),
+    pytest.param(FOLK, id="folk"),
+]
+
+NODE_BUNDLES = [
+    pytest.param(NATIONALPARKS, id="nationalparks"),
+]
+
+
+def skip_if_missing(bundle_path: Path) -> None:
+    if not bundle_path.exists():
+        pytest.skip(f"Bundle not found: {bundle_path.name} (run: mpak bundle pull ... -o {bundle_path})")
+
+
+@pytest.mark.e2e
+class TestBundleCompleteness:
+    """AI-05: Real bundles should not have false-positive unexpected executables."""
+
+    @pytest.mark.parametrize("bundle", ALL_BUNDLES)
+    def test_ai05_passes(self, bundle: Path) -> None:
+        """AI-05 should PASS on all published bundles (no false positives)."""
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        ai05 = report.all_controls.get("AI-05")
+        assert ai05 is not None
+        assert ai05.status == ControlStatus.PASS, f"AI-05 false positives on {bundle.name}: " + ", ".join(
+            f.title for f in ai05.findings if f.severity in {Severity.HIGH, Severity.CRITICAL}
+        )
+
+    @pytest.mark.parametrize("bundle", ALL_BUNDLES)
+    def test_no_high_or_critical_in_ai05(self, bundle: Path) -> None:
+        """AI-05 should have zero HIGH/CRITICAL findings on published bundles."""
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        ai05 = report.all_controls.get("AI-05")
+        assert ai05 is not None
+        blocking = [f for f in ai05.findings if f.severity in {Severity.HIGH, Severity.CRITICAL}]
+        assert blocking == [], f"Blocking findings on {bundle.name}: {[f.title for f in blocking]}"
+
+
+@pytest.mark.e2e
+class TestManifestValidation:
+    """AI-01: Real bundles should have valid manifests."""
+
+    @pytest.mark.parametrize("bundle", ALL_BUNDLES)
+    def test_ai01_passes(self, bundle: Path) -> None:
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        ai01 = report.all_controls.get("AI-01")
+        assert ai01 is not None
+        assert ai01.status == ControlStatus.PASS, f"AI-01 failed on {bundle.name}: {ai01.findings}"
+
+
+@pytest.mark.e2e
+class TestSafeExecution:
+    """CQ-05: Real bundles should pass safe execution checks."""
+
+    @pytest.mark.parametrize("bundle", ALL_BUNDLES)
+    def test_cq05_passes(self, bundle: Path) -> None:
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        cq05 = report.all_controls.get("CQ-05")
+        assert cq05 is not None
+        assert cq05.status == ControlStatus.PASS, f"CQ-05 failed on {bundle.name}: {cq05.findings}"
+
+
+@pytest.mark.e2e
+class TestFullScan:
+    """Full scan results for each bundle."""
+
+    @pytest.mark.parametrize("bundle", PYTHON_BUNDLES)
+    def test_python_bundles_no_critical_findings(self, bundle: Path) -> None:
+        """Python bundles should have no CRITICAL findings across all controls."""
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        critical = []
+        for control_id, result in report.all_controls.items():
+            for f in result.findings:
+                if f.severity == Severity.CRITICAL:
+                    critical.append(f"{control_id}: {f.title}")
+        assert critical == [], f"Critical findings on {bundle.name}: {critical}"
+
+    @pytest.mark.parametrize("bundle", NODE_BUNDLES)
+    def test_node_bundles_no_critical_findings(self, bundle: Path) -> None:
+        """Node.js bundles should have no CRITICAL findings across all controls."""
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        critical = []
+        for control_id, result in report.all_controls.items():
+            for f in result.findings:
+                if f.severity == Severity.CRITICAL:
+                    critical.append(f"{control_id}: {f.title}")
+        assert critical == [], f"Critical findings on {bundle.name}: {critical}"
+
+    @pytest.mark.parametrize("bundle", ALL_BUNDLES)
+    def test_scan_completes_without_errors(self, bundle: Path) -> None:
+        """Scanner should not produce ERROR status on any control."""
+        skip_if_missing(bundle)
+        report = scan_bundle(bundle)
+
+        errors = [f"{cid}: {r.findings}" for cid, r in report.all_controls.items() if r.status == ControlStatus.ERROR]
+        assert errors == [], f"Controls errored on {bundle.name}: {errors}"

apps/scanner/tests/test_scanner.py

@@ -862,6 +862,93 @@ def test_python_module_flag_still_catches_unrelated_files(self, bundle_dir: Path
         assert result.status == ControlStatus.FAIL
         assert any("backdoor.py" in f.file for f in result.findings if f.file)
 
+    def test_node_multi_file_build_passes(self, bundle_dir: Path) -> None:
+        """Node.js entry point in build/ should treat sibling modules as referenced."""
+        manifest = {
+            "name": "@test/node-multi",
+            "version": "1.0.0",
+            "server": {
+                "type": "node",
+                "entry_point": "build/index.js",
+                "mcp_config": {
+                    "command": "node",
+                    "args": ["${__dirname}/build/index.js", "--stdio"],
+                },
+            },
+        }
+        (bundle_dir / "manifest.json").write_text(json.dumps(manifest))
+        (bundle_dir / "package.json").write_text('{"name": "test"}')
+        build = bundle_dir / "build"
+        build.mkdir()
+        (build / "index.js").write_text("import './config.js';")
+        (build / "config.js").write_text("export const cfg = {};")
+        (build / "schemas.js").write_text("export const schemas = {};")
+        handlers = build / "handlers"
+        handlers.mkdir()
+        (handlers / "findParks.js").write_text("export function findParks() {}")
+        (handlers / "getAlerts.js").write_text("export function getAlerts() {}")
+
+        from mpak_scanner.controls.artifact_integrity import AI05BundleCompleteness
+
+        control = AI05BundleCompleteness()
+        result = control.run(bundle_dir, manifest)
+        assert result.status == ControlStatus.PASS
+
+    def test_node_build_with_stray_script_fails(self, bundle_dir: Path) -> None:
+        """Node.js build/ files are allowed but stray scripts at root should fail."""
+        manifest = {
+            "name": "@test/node-stray",
+            "version": "1.0.0",
+            "server": {
+                "type": "node",
+                "entry_point": "build/index.js",
+                "mcp_config": {
+                    "command": "node",
+                    "args": ["${__dirname}/build/index.js"],
+                },
+            },
+        }
+        (bundle_dir / "manifest.json").write_text(json.dumps(manifest))
+        build = bundle_dir / "build"
+        build.mkdir()
+        (build / "index.js").write_text("console.log('ok')")
+        # Stray script outside build/
+        (bundle_dir / "deploy.sh").write_text("#!/bin/bash\nrm -rf /")
+
+        from mpak_scanner.controls.artifact_integrity import AI05BundleCompleteness
+
+        control = AI05BundleCompleteness()
+        result = control.run(bundle_dir, manifest)
+        assert result.status == ControlStatus.FAIL
+        assert any("deploy.sh" in f.file for f in result.findings if f.file)
+        # build/index.js should NOT be flagged
+        assert not any("build/index.js" in f.file for f in result.findings if f.file)
+
+    def test_node_root_entry_point_no_over_allow(self, bundle_dir: Path) -> None:
+        """Node.js entry point at root should not whitelist all files."""
+        manifest = {
+            "name": "@test/node-root",
+            "version": "1.0.0",
+            "server": {
+                "type": "node",
+                "entry_point": "index.js",
+                "mcp_config": {
+                    "command": "node",
+                    "args": ["${__dirname}/index.js"],
+                },
+            },
+        }
+        (bundle_dir / "manifest.json").write_text(json.dumps(manifest))
+        (bundle_dir / "index.js").write_text("console.log('ok')")
+        (bundle_dir / "backdoor.js").write_text("require('child_process').exec('evil')")
+
+        from mpak_scanner.controls.artifact_integrity import AI05BundleCompleteness
+
+        control = AI05BundleCompleteness()
+        result = control.run(bundle_dir, manifest)
+        assert result.status == ControlStatus.FAIL
+        assert any("backdoor.js" in f.file for f in result.findings if f.file)
+
 
 # =============================================================================
 # Fixture-based Integration Tests