feat: full path enumeration in dry-run + where --json + v0.31.1 (#16)

msaad00 · agent-bom · web-flow · commit a026ef8c56b6 · 2026-02-23T23:19:00.000-05:00
- Replace hardcoded 3-path sample in --dry-run with full enumeration
  of all 25 discovery paths from CONFIG_LOCATIONS (fixes wrong
  ~/.codeium/windsurf path that never existed)
- Add get_all_discovery_paths() to discovery module for reuse
- Enhance `where` command: show totals, Docker MCP Toolkit paths,
  Docker Compose files, and --json output for machine auditing
- Bump version to 0.31.1 across all files
- Add 4 new tests for path enumeration and where --json (953 total)

Addresses ClawHub OpenClaw scanner Instruction Scope feedback by
making the fixed discovery scope fully transparent and auditable.

Co-authored-by: Wagdy Saad &lt;andwgdysaad@gmail.com&gt;
diff --git a/Dockerfile.sse b/Dockerfile.sse
@@ -13,7 +13,7 @@
 
 FROM python:3.12-slim
 
-ARG VERSION=0.31.0
+ARG VERSION=0.31.1
 
 LABEL org.opencontainers.image.title="agent-bom MCP Server"
 LABEL org.opencontainers.image.description="AI supply chain security scanner — MCP server with streamable HTTP transport"
diff --git a/PUBLISHING.md b/PUBLISHING.md
@@ -102,7 +102,7 @@ npm install -g clawhub@latest
 clawhub login --token "$CLAWHUB_TOKEN"
 clawhub publish integrations/openclaw \
   --slug agent-bom --name "agent-bom" \
-  --version "0.31.0" --no-input --force
+  --version "0.31.1" --no-input --force
 ```
 
 ### Verification
@@ -138,8 +138,8 @@ Images published:
 Tag push triggers the full pipeline automatically:
 
 ```bash
-git tag v0.31.0
-git push origin v0.31.0
+git tag v0.31.1
+git push origin v0.31.1
 ```
 
 This triggers:
diff --git a/README.md b/README.md
@@ -101,7 +101,7 @@ Console, HTML dashboard, SARIF, CycloneDX 1.6, SPDX 3.0, Prometheus, OTLP, JSON,
 |----------|------|
 | PyPI | `pip install agent-bom` |
 | Docker | `docker run agentbom/agent-bom scan` |
-| GitHub Action | `uses: msaad00/agent-bom@v0.31.0` |
+| GitHub Action | `uses: msaad00/agent-bom@v0.31.1` |
 | MCP Registry | [server.json](integrations/mcp-registry/server.json) |
 | ToolHive | [registry entry](integrations/toolhive/server.json) |
 | OpenClaw | [SKILL.md](integrations/openclaw/SKILL.md) |
@@ -315,7 +315,7 @@ agent-bom scan --aws -f graph -o graph.json   # export graph data
 |------|---------|----------|
 | CLI | `agent-bom scan` | Local audit |
 | Pre-install check | `agent-bom check express@4.18.2 -e npm` | Before running MCP servers |
-| GitHub Action | `uses: msaad00/agent-bom@v0.31.0` | CI/CD + SARIF |
+| GitHub Action | `uses: msaad00/agent-bom@v0.31.1` | CI/CD + SARIF |
 | Docker | `docker run agentbom/agent-bom scan` | Isolated scans |
 | REST API | `agent-bom api` | Dashboards, SIEM |
 | MCP Server | `agent-bom mcp-server` | Inside any MCP client |
@@ -325,7 +325,7 @@ agent-bom scan --aws -f graph -o graph.json   # export graph data
 ### GitHub Action
 
 ```yaml
-- uses: msaad00/agent-bom@v0.31.0
+- uses: msaad00/agent-bom@v0.31.1
   with:
     severity-threshold: high
     upload-sarif: true
diff --git a/integrations/mcp-registry/server.json b/integrations/mcp-registry/server.json
@@ -3,7 +3,7 @@
   "name": "io.github.msaad00/agent-bom",
   "description": "AI supply chain security scanner — CVE scanning, blast radius, policy enforcement, SBOM generation",
   "title": "agent-bom",
-  "version": "0.31.0",
+  "version": "0.31.1",
   "repository": {
     "url": "https://github.com/msaad00/agent-bom",
     "source": "github"
@@ -12,7 +12,7 @@
     {
       "registryType": "pypi",
       "identifier": "agent-bom",
-      "version": "0.31.0",
+      "version": "0.31.1",
       "transport": {
         "type": "stdio"
       },
diff --git a/integrations/openclaw/SKILL.md b/integrations/openclaw/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: agent-bom
 description: Scan AI agents and MCP servers for CVEs, generate SBOMs, map blast radius, enforce security policies
-version: 0.31.0
+version: 0.31.1
 metadata:
   openclaw:
     requires:
@@ -71,7 +71,7 @@ pipx install agent-bom
 ### Verify installation
 ```bash
 agent-bom --version
-# Should print: agent-bom 0.31.0
+# Should print: agent-bom 0.31.1
 ```
 
 ### Verify source
diff --git a/integrations/toolhive/Dockerfile.mcp b/integrations/toolhive/Dockerfile.mcp
@@ -1,6 +1,6 @@
 FROM python:3.12-slim
 
-ARG VERSION=0.31.0
+ARG VERSION=0.31.1
 
 LABEL maintainer="W S <34316639+msaad00@users.noreply.github.com>"
 LABEL description="agent-bom MCP Server: AI supply chain security scanning via MCP protocol"
diff --git a/integrations/toolhive/server.json b/integrations/toolhive/server.json
@@ -3,15 +3,15 @@
   "name": "io.github.msaad00/agent-bom",
   "description": "AI supply chain security scanner — CVE scanning, blast radius analysis, policy enforcement, and SBOM generation for MCP servers and AI agents",
   "title": "agent-bom",
-  "version": "0.31.0",
+  "version": "0.31.1",
   "repository": {
     "url": "https://github.com/msaad00/agent-bom",
     "source": "github"
   },
   "packages": [
     {
       "registryType": "oci",
-      "identifier": "ghcr.io/msaad00/agent-bom:v0.31.0",
+      "identifier": "ghcr.io/msaad00/agent-bom:v0.31.1",
       "transport": {
         "type": "stdio"
       },
@@ -28,7 +28,7 @@
   "_meta": {
     "io.modelcontextprotocol.registry/publisher-provided": {
       "io.github.msaad00": {
-        "ghcr.io/msaad00/agent-bom:v0.31.0": {
+        "ghcr.io/msaad00/agent-bom:v0.31.1": {
           "tier": "Community",
           "status": "Active",
           "tags": [
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "agent-bom"
-version = "0.31.0"
+version = "0.31.1"
 description = "AI Bill of Materials (AI-BOM) generator — CVE scanning, blast radius, enterprise remediation plans, OWASP LLM Top 10 + MITRE ATLAS + NIST AI RMF threat mapping, LLM-powered enrichment, OpenClaw discovery, MCP runtime introspection, and MCP registry for AI agents."
 readme = "README.md"
 license = {text = "Apache-2.0"}
diff --git a/src/agent_bom/__init__.py b/src/agent_bom/__init__.py
@@ -5,4 +5,4 @@
 try:
     __version__ = version("agent-bom")
 except PackageNotFoundError:
-    __version__ = "0.31.0"
+    __version__ = "0.31.1"
diff --git a/src/agent_bom/cli.py b/src/agent_bom/cli.py
@@ -319,13 +319,9 @@ def scan(
         if config_dir:
             reads.append(f"  [green]Would read:[/green]   {config_dir}  (config directory)")
         if not reads:
-            import platform
-            if platform.system() == "Darwin":
-                reads.append("  [green]Would read:[/green]   ~/Library/Application Support/Claude/claude_desktop_config.json")
-                reads.append("  [green]Would read:[/green]   ~/.cursor/mcp.json")
-                reads.append("  [green]Would read:[/green]   ~/.codeium/windsurf/mcp_config.json")
-            else:
-                reads.append("  [green]Would read:[/green]   ~/.config/claude/claude_desktop_config.json")
+            from agent_bom.discovery import get_all_discovery_paths
+            for client, path in get_all_discovery_paths():
+                reads.append(f"  [green]Would read:[/green]   {path}  ({client})")
         for tf_dir in tf_dirs:
             reads.append(f"  [green]Would read:[/green]   {tf_dir}  (Terraform .tf files)")
         for ap in agent_projects:
@@ -1535,17 +1531,49 @@ def validate(inventory_file: str):
 
 
 @main.command()
-def where():
-    """Show where agent-bom looks for MCP configurations."""
+@click.option("--json", "as_json", is_flag=True, help="Output as JSON for machine consumption")
+def where(as_json: bool):
+    """Show where agent-bom looks for MCP configurations.
+
+    Lists every config path that would be checked during auto-discovery,
+    grouped by MCP client. Paths that exist on your system are marked with ✓.
+
+    Use --json for machine-readable output (useful for auditing).
+    """
     import shutil
 
+    from agent_bom.discovery import (
+        AGENT_BINARIES,
+        COMPOSE_FILE_NAMES,
+        CONFIG_LOCATIONS,
+        PROJECT_CONFIG_FILES,
+        expand_path,
+        get_all_discovery_paths,
+        get_platform,
+    )
+
+    current_platform = get_platform()
+
+    if as_json:
+        import json as _json
+        entries = []
+        for client, path in get_all_discovery_paths(current_platform):
+            expanded = str(expand_path(path)) if not path.startswith(".") else path
+            entries.append({
+                "client": client,
+                "path": path,
+                "expanded": expanded,
+                "exists": expand_path(path).exists() if not path.startswith(".") else Path(path).exists(),
+            })
+        click.echo(_json.dumps({"platform": current_platform, "paths": entries}, indent=2))
+        return
+
     console = Console()
     console.print(BANNER, style="bold blue")
     console.print("\n[bold]MCP Client Configuration Locations[/bold]\n")
 
-    from agent_bom.discovery import AGENT_BINARIES, CONFIG_LOCATIONS, PROJECT_CONFIG_FILES, expand_path, get_platform
-
-    current_platform = get_platform()
+    total_paths = 0
+    found_paths = 0
 
     for agent_type, platforms in CONFIG_LOCATIONS.items():
         paths = platforms.get(current_platform, [])
@@ -1560,16 +1588,48 @@ def where():
         console.print(f"\n  [bold cyan]{agent_type.value}[/bold cyan]{binary_status}")
         if paths:
             for p in paths:
+                total_paths += 1
                 expanded = expand_path(p)
                 exists = "✓" if expanded.exists() else "✗"
                 style = "green" if expanded.exists() else "dim"
+                if expanded.exists():
+                    found_paths += 1
                 console.print(f"    [{style}]{exists} {expanded}[/{style}]")
         else:
             console.print(f"    [dim]  (CLI-based discovery via {binary or 'N/A'})[/dim]")
 
-    console.print("\n  [bold cyan]Project-level configs[/bold cyan]")
+    # Docker MCP Toolkit paths
+    console.print("\n  [bold cyan]Docker MCP Toolkit[/bold cyan]")
+    for dp in ["~/.docker/mcp/registry.yaml", "~/.docker/mcp/catalogs/docker-mcp.yaml"]:
+        total_paths += 1
+        expanded = expand_path(dp)
+        exists = "✓" if expanded.exists() else "✗"
+        style = "green" if expanded.exists() else "dim"
+        if expanded.exists():
+            found_paths += 1
+        console.print(f"    [{style}]{exists} {expanded}[/{style}]")
+
+    console.print("\n  [bold cyan]Project-level configs[/bold cyan]  [dim](relative to CWD)[/dim]")
     for config_name in PROJECT_CONFIG_FILES:
-        console.print(f"    [dim]  ./{config_name}[/dim]")
+        total_paths += 1
+        exists = Path(config_name).exists()
+        mark = "✓" if exists else "✗"
+        style = "green" if exists else "dim"
+        if exists:
+            found_paths += 1
+        console.print(f"    [{style}]{mark} ./{config_name}[/{style}]")
+
+    console.print("\n  [bold cyan]Docker Compose files[/bold cyan]  [dim](relative to CWD)[/dim]")
+    for cf in COMPOSE_FILE_NAMES:
+        total_paths += 1
+        exists = Path(cf).exists()
+        mark = "✓" if exists else "✗"
+        style = "green" if exists else "dim"
+        if exists:
+            found_paths += 1
+        console.print(f"    [{style}]{mark} ./{cf}[/{style}]")
+
+    console.print(f"\n  [bold]Total:[/bold] {total_paths} paths checked, {found_paths} found on this system")
 
 
 @main.command()
diff --git a/src/agent_bom/discovery/__init__.py b/src/agent_bom/discovery/__init__.py
@@ -134,6 +134,29 @@ def expand_path(path_str: str) -> Path:
     return Path(os.path.expanduser(path_str)).resolve()
 
 
+def get_all_discovery_paths(plat: Optional[str] = None) -> list[tuple[str, str]]:
+    """Return all config paths that would be checked during discovery.
+
+    Returns a list of (client_name, path_string) tuples for the given platform.
+    Used by --dry-run and ``agent-bom paths`` for full transparency.
+    """
+    plat = plat or get_platform()
+    paths: list[tuple[str, str]] = []
+    for agent_type, platforms in CONFIG_LOCATIONS.items():
+        for p in platforms.get(plat, []):
+            paths.append((agent_type.value, p))
+    # Docker MCP Toolkit paths (not in CONFIG_LOCATIONS)
+    paths.append(("Docker MCP Toolkit", "~/.docker/mcp/registry.yaml"))
+    paths.append(("Docker MCP Toolkit", "~/.docker/mcp/catalogs/docker-mcp.yaml"))
+    # Project-level configs (relative to CWD)
+    for pf in PROJECT_CONFIG_FILES:
+        paths.append(("Project config", pf))
+    # Docker Compose files (relative to CWD)
+    for cf in COMPOSE_FILE_NAMES:
+        paths.append(("Docker Compose", cf))
+    return paths
+
+
 def parse_mcp_config(config_data: dict, config_path: str) -> list[MCPServer]:
     """Parse MCP server definitions from a config file.
 
diff --git a/tests/test_core.py b/tests/test_core.py
@@ -255,7 +255,7 @@ def empty_report():
 
 def test_version_sync():
     from agent_bom import __version__
-    assert __version__ == "0.31.0"
+    assert __version__ == "0.31.1"
 
 
 def test_report_version_matches():
@@ -2795,7 +2795,7 @@ def test_toolhive_server_json_valid():
     p = Path(__file__).parent.parent / "integrations" / "toolhive" / "server.json"
     data = _json.loads(p.read_text())
     assert data["name"] == "io.github.msaad00/agent-bom"
-    assert data["version"] == "0.31.0"
+    assert data["version"] == "0.31.1"
     assert "packages" in data
     assert data["packages"][0]["registryType"] == "oci"
 
diff --git a/tests/test_discovery_enhanced.py b/tests/test_discovery_enhanced.py
@@ -411,3 +411,59 @@ def test_where_shows_binary_info():
     assert result.exit_code == 0
     # Should mention binary detection
     assert "binary:" in result.output or "toolhive" in result.output.lower()
+
+
+def test_get_all_discovery_paths_returns_all_clients():
+    from agent_bom.discovery import get_all_discovery_paths
+
+    paths = get_all_discovery_paths("Darwin")
+    clients = {c for c, _ in paths}
+    # Must include key clients
+    for expected in ["claude-desktop", "claude-code", "cursor", "windsurf",
+                     "Docker MCP Toolkit", "Project config", "Docker Compose"]:
+        assert expected in clients, f"Missing client: {expected}"
+    # Must have a reasonable number of paths
+    assert len(paths) >= 20
+
+
+def test_get_all_discovery_paths_linux():
+    from agent_bom.discovery import get_all_discovery_paths
+
+    paths = get_all_discovery_paths("Linux")
+    path_strs = [p for _, p in paths]
+    # Linux should use ~/.config paths, not ~/Library
+    assert any("/.config/" in p for p in path_strs)
+    assert not any("Library/Application Support" in p for p in path_strs)
+
+
+def test_where_json_output():
+    import json
+
+    from click.testing import CliRunner
+
+    from agent_bom.cli import main
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["where", "--json"])
+    assert result.exit_code == 0
+    data = json.loads(result.output)
+    assert "platform" in data
+    assert "paths" in data
+    assert len(data["paths"]) >= 20
+    # Each entry has required fields
+    for entry in data["paths"]:
+        assert "client" in entry
+        assert "path" in entry
+        assert "exists" in entry
+
+
+def test_where_shows_totals():
+    from click.testing import CliRunner
+
+    from agent_bom.cli import main
+
+    runner = CliRunner()
+    result = runner.invoke(main, ["where"])
+    assert result.exit_code == 0
+    assert "Total:" in result.output
+    assert "paths checked" in result.output
