From 0e6211f42516bab06fa1f5fa40eab019f11e3b44 Mon Sep 17 00:00:00 2001
From: Joe Cardoso
Date: Sat, 7 Mar 2026 16:11:03 -0300
Subject: [PATCH 1/2] fix(ci): use uv pip install for mpak-scanner in scan.yml

The workflow installs Python 3.13 via uv, but the scanner was installed with bare pip (system Python, likely 3.12). The fallback silently faked a clean scan report. Switch to uv pip install so mpak-scanner runs under the correct Python.
---
 .github/workflows/scan.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 07bd736..5d2965d 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -28,12 +28,8 @@ jobs:
 - name: Run MTF scanner
 run: |
- if pip install mpak-scanner 2>/dev/null; then
- mpak-scanner scan *.mcpb --json > scan-results.json
- else
- echo "mpak-scanner not yet available — skipping client-side scan"
- echo '{"findings": []}' > scan-results.json
- fi
+ uv pip install mpak-scanner
+ mpak-scanner scan *.mcpb --json > scan-results.json
 - name: Check for critical/high findings
 run: |

From 4b3e468a745037f38f7585b9c05e36342da58e73 Mon Sep 17 00:00:00 2001
From: Joe Cardoso
Date: Sat, 7 Mar 2026 16:27:18 -0300
Subject: [PATCH 2/2] fix(ci): use uvx for mpak-scanner in scan.yml

uvx runs mpak-scanner in an isolated environment with the correct Python, avoiding PATH issues from uv pip install.
---
 .github/workflows/scan.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 5d2965d..60808b1 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -27,9 +27,7 @@ jobs:
 run: npx @anthropic-ai/mcpb pack
 - name: Run MTF scanner
- run: |
- uv pip install mpak-scanner
- mpak-scanner scan *.mcpb --json > scan-results.json
+ run: uvx mpak-scanner scan *.mcpb --json > scan-results.json
 - name: Check for critical/high findings
 run: |
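Review bot: The final `run: uvx mpak-scanner scan *.mcpb --json > scan-results.json` line in the second patch (and the `uv pip install mpak-scanner` it supersedes in the first) resolves mpak-scanner from the package index without a version or hash constraint on every run, so the tool that gates the release on its findings is itself an unpinned dependency whose behaviour can change silently between runs. Pinning it, e.g. `run: uvx mpak-scanner@<PINNED_VERSION> scan *.mcpb --json > scan-results.json`, keeps the scan reproducible and turns an upstream change into a visible, reviewable bump rather than a quiet shift in what the scanner reports. The commit message notes the old fallback faked a clean report; the new single-line form has no fallback, which is right, but it now relies on the runner's default `run` shell exiting on a failed `uvx` resolution, so a short comment on the step stating that an install or scan failure must fail the job would record that intent. The surrounding steps (`mcpb pack`, the findings check) lie outside the hunk.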