According to the Invariant Labs documentation, the --local-only flag can be used with the scan command to run local LLM-based checks without sending data to the Invariant cloud API.
You can run MCP-scan locally by using the --local-only flag. This will only run local checks and will not invoke the Invariant Guardrailing API; however, it will not provide results that are as accurate, as it just runs a local LLM-based policy check. This option requires an OPENAI_API_KEY environment variable to be set.
However, in the current codebase, the --local-only flag is not available for the scan command. When I try to run:
uvx mcp-scan scan mcp.json --local-only
I get:
error: unrecognized arguments: --local-only
Expected behavior:
The scan command should support the --local-only flag as described in the documentation, allowing users to run local LLM-based vulnerability checks.