@atlashub/smartstack-mcp 1.14.0 → 1.15.0

package/dist/index.js

@@ -82,10 +82,10 @@ import { stat, mkdir, readFile, writeFile, cp, rm } from "fs/promises";
 import path from "path";
 import { glob } from "glob";
 var FileSystemError = class extends Error {
-  constructor(message, operation, path24, cause) {
+  constructor(message, operation, path26, cause) {
     super(message);
     this.operation = operation;
-    this.path = path24;
+    this.path = path26;
     this.cause = cause;
     this.name = "FileSystemError";
   }
@@ -648,6 +648,39 @@ var SuggestTestScenariosInputSchema = z.object({
   name: z.string().min(1).describe("Component name or file path"),
   depth: z.enum(["basic", "comprehensive", "security-focused"]).default("comprehensive").describe("Depth of analysis")
 });
+var SecurityCheckSchema = z.enum([
+  "hardcoded-secrets",
+  "sql-injection",
+  "tenant-isolation",
+  "authorization",
+  "dangerous-functions",
+  "input-validation",
+  "xss",
+  "csrf",
+  "logging-sensitive",
+  "all"
+]);
+var ValidateSecurityInputSchema = z.object({
+  path: z.string().optional().describe("Project path to validate (default: SmartStack.app path)"),
+  checks: z.array(SecurityCheckSchema).default(["all"]).describe("Security checks to run"),
+  severity: z.enum(["blocking", "all"]).optional().describe("Filter results by severity")
+});
+var QualityMetricSchema = z.enum([
+  "cognitive-complexity",
+  "cyclomatic-complexity",
+  "function-size",
+  "nesting-depth",
+  "parameter-count",
+  "code-duplication",
+  "file-size",
+  "all"
+]);
+var AnalyzeCodeQualityInputSchema = z.object({
+  path: z.string().optional().describe("Project path to analyze (default: SmartStack.app path)"),
+  metrics: z.array(QualityMetricSchema).default(["all"]).describe("Metrics to analyze"),
+  threshold: z.enum(["strict", "normal", "lenient"]).default("normal").describe("Threshold level for violations"),
+  scope: z.enum(["changed", "all"]).default("all").describe("Analyze only changed files or all")
+});
 var ScaffoldApiClientInputSchema = z.object({
   path: z.string().optional().describe("Path to SmartStack project root (defaults to configured project path)"),
   navRoute: z.string().min(1).describe('NavRoute path (e.g., "platform.administration.users")'),
@@ -9735,6 +9768,919 @@ function generateRecommendations3(analyzed) {
   return recommendations;
 }
 
+// src/tools/validate-security.ts
+import path20 from "path";
+var validateSecurityTool = {
+  name: "validate_security",
+  description: "Validate SmartStack security patterns: multi-tenant isolation, authorization, input validation, secrets exposure, injection vulnerabilities, and OWASP Top 10 compliance.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "Project path to validate (default: SmartStack.app path from config)"
+      },
+      checks: {
+        type: "array",
+        items: {
+          type: "string",
+          enum: [
+            "hardcoded-secrets",
+            "sql-injection",
+            "tenant-isolation",
+            "authorization",
+            "dangerous-functions",
+            "input-validation",
+            "xss",
+            "csrf",
+            "logging-sensitive",
+            "all"
+          ]
+        },
+        description: "Security checks to run",
+        default: ["all"]
+      },
+      severity: {
+        type: "string",
+        enum: ["blocking", "all"],
+        description: "Filter results by severity"
+      }
+    }
+  }
+};
+async function handleValidateSecurity(args, config) {
+  const input = ValidateSecurityInputSchema.parse(args);
+  const projectPath = input.path || config.smartstack.projectPath;
+  const checksToRun = input.checks.includes("all") ? [
+    "hardcoded-secrets",
+    "sql-injection",
+    "tenant-isolation",
+    "authorization",
+    "dangerous-functions",
+    "input-validation"
+  ] : input.checks;
+  logger.info("Validating security", { projectPath, checks: checksToRun });
+  const result = {
+    valid: true,
+    summary: "",
+    findings: [],
+    stats: {
+      blocking: 0,
+      critical: 0,
+      warning: 0,
+      filesScanned: 0
+    }
+  };
+  const structure = await findSmartStackStructure(projectPath);
+  if (checksToRun.includes("hardcoded-secrets")) {
+    await checkHardcodedSecrets(structure, result);
+  }
+  if (checksToRun.includes("sql-injection")) {
+    await checkSqlInjection(structure, result);
+  }
+  if (checksToRun.includes("tenant-isolation")) {
+    await checkTenantIsolation(structure, result);
+  }
+  if (checksToRun.includes("authorization")) {
+    await checkAuthorization(structure, result);
+  }
+  if (checksToRun.includes("dangerous-functions")) {
+    await checkDangerousFunctions(structure, result);
+  }
+  if (checksToRun.includes("input-validation")) {
+    await checkInputValidation(structure, result);
+  }
+  result.stats.blocking = result.findings.filter((f) => f.severity === "blocking").length;
+  result.stats.critical = result.findings.filter((f) => f.severity === "critical").length;
+  result.stats.warning = result.findings.filter((f) => f.severity === "warning").length;
+  if (input.severity === "blocking") {
+    result.findings = result.findings.filter((f) => f.severity === "blocking");
+  }
+  result.valid = result.stats.blocking === 0;
+  result.summary = result.valid ? `Security validation passed. ${result.stats.warning} warning(s) found.` : `Security validation FAILED. ${result.stats.blocking} blocking issue(s) found.`;
+  return formatSecurityReport(result);
+}
+async function checkHardcodedSecrets(structure, result) {
+  const secretPatterns = [
+    // Credentials
+    { pattern: /(?:password|passwd|pwd)\s*[=:]\s*["'][^"']{4,}["']/gi, name: "password" },
+    { pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["'][^"']{8,}["']/gi, name: "API key" },
+    { pattern: /(?:secret|token)\s*[=:]\s*["'][^"']{8,}["']/gi, name: "secret/token" },
+    // Connection strings with embedded passwords
+    { pattern: /Server=.+;.*Password=[^;]+/gi, name: "connection string with password" },
+    { pattern: /Data Source=.+;.*Password=[^;]+/gi, name: "connection string with password" },
+    // Private keys
+    { pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/g, name: "private key" }
+  ];
+  const filesToScan = await getFilesToScan(structure, ["**/*.cs", "**/*.ts", "**/*.tsx", "**/*.json"]);
+  result.stats.filesScanned += filesToScan.length;
+  for (const file of filesToScan) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    const lines = content.split("\n");
+    for (const { pattern, name } of secretPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        if (isPlaceholderValue(lineContent)) continue;
+        result.findings.push({
+          severity: "blocking",
+          category: "hardcoded-secrets",
+          message: `Hardcoded ${name} detected`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: `Move ${name} to configuration or environment variables`,
+          cweId: "CWE-798"
+        });
+      }
+    }
+  }
+}
+async function checkSqlInjection(structure, result) {
+  const sqlInjectionPatterns = [
+    // Raw SQL with string concatenation (the most dangerous pattern)
+    { pattern: /\.(?:FromSqlRaw|ExecuteSqlRaw)\s*\([^)]*\s*\+\s*/g, name: "concatenated SQL in FromSqlRaw/ExecuteSqlRaw" },
+    // ADO.NET without parameters
+    { pattern: /new SqlCommand\s*\([^)]*\+/g, name: "concatenated SQL in SqlCommand" },
+    { pattern: /CommandText\s*=\s*[^;]*\+/g, name: "concatenated SQL in CommandText" }
+    // Note: FromSqlInterpolated with $"" is safe and not flagged
+  ];
+  const csFiles = await getFilesToScan(structure, ["**/*.cs"]);
+  result.stats.filesScanned += csFiles.length;
+  for (const file of csFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    const lines = content.split("\n");
+    for (const { pattern, name } of sqlInjectionPatterns) {
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const lineNumber = getLineNumber(content, match.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        result.findings.push({
+          severity: "blocking",
+          category: "sql-injection",
+          message: `Potential SQL injection: ${name}`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: 'Use parameterized queries: FromSqlRaw("SELECT * FROM x WHERE id = {0}", id) or FromSqlInterpolated',
+          cweId: "CWE-89"
+        });
+      }
+    }
+  }
+}
+async function checkTenantIsolation(structure, result) {
+  if (!structure.domain) {
+    result.findings.push({
+      severity: "warning",
+      category: "tenant-isolation",
+      message: "Domain project not found, skipping tenant isolation validation",
+      file: "",
+      suggestion: "Ensure project structure follows SmartStack conventions"
+    });
+    return;
+  }
+  const entityFiles = await findFiles("**/Entities/**/*.cs", { cwd: structure.domain });
+  const tenantEntities = [];
+  for (const file of entityFiles) {
+    const content = await readText(file);
+    if (content.includes("ITenantEntity") || content.includes(": TenantEntity")) {
+      const entityMatch = content.match(/class\s+(\w+)/);
+      if (entityMatch) {
+        tenantEntities.push(entityMatch[1]);
+      }
+    }
+    const createMethodMatches = content.matchAll(/public\s+static\s+\w+\s+Create\s*\(([^)]*)\)/g);
+    for (const match of createMethodMatches) {
+      const params = match[1];
+      if ((content.includes("ITenantEntity") || content.includes(": TenantEntity")) && !params.includes("tenantId") && !params.includes("TenantId")) {
+        const lineNumber = getLineNumber(content, match.index);
+        result.findings.push({
+          severity: "blocking",
+          category: "tenant-isolation",
+          message: "Create method missing tenantId parameter for tenant entity",
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(match[0]),
+          suggestion: "Add Guid tenantId as first parameter: Create(Guid tenantId, ...)",
+          cweId: "CWE-639"
+        });
+      }
+    }
+  }
+  if (structure.application) {
+    const serviceFiles = await findFiles("**/*Service.cs", { cwd: structure.application });
+    for (const file of serviceFiles) {
+      const content = await readText(file);
+      const directAccessPattern = /_context\.\w+\.(?:First|Single|Find|ToList)\s*\(/g;
+      let match;
+      while ((match = directAccessPattern.exec(content)) !== null) {
+        const surroundingCode = content.substring(Math.max(0, match.index - 100), match.index + 100);
+        if (!surroundingCode.includes(".Where(") && !surroundingCode.includes("TenantId")) {
+          const lineNumber = getLineNumber(content, match.index);
+          result.findings.push({
+            severity: "critical",
+            category: "tenant-isolation",
+            message: "Direct DbContext access without tenant filtering",
+            file: path20.relative(structure.root, file),
+            line: lineNumber,
+            code: truncateCode(match[0]),
+            suggestion: "Use repository with global tenant filter or add explicit TenantId filter",
+            cweId: "CWE-639"
+          });
+        }
+      }
+    }
+  }
+}
+async function checkAuthorization(structure, result) {
+  const apiPath = structure.api || structure.apiCore;
+  if (!apiPath) {
+    result.findings.push({
+      severity: "warning",
+      category: "authorization",
+      message: "API project not found, skipping authorization validation",
+      file: "",
+      suggestion: "Ensure project structure follows SmartStack conventions"
+    });
+    return;
+  }
+  const controllerFiles = await findFiles("**/Controllers/**/*.cs", { cwd: apiPath });
+  result.stats.filesScanned += controllerFiles.length;
+  for (const file of controllerFiles) {
+    const content = await readText(file);
+    if (content.includes("[ApiController]")) {
+      const hasClassLevelAuth = content.includes("[Authorize]") || content.includes("[NavRoute(") || content.includes("[AllowAnonymous]");
+      if (!hasClassLevelAuth) {
+        const controllerMatch = content.match(/class\s+(\w+Controller)/);
+        const controllerName = controllerMatch ? controllerMatch[1] : "Unknown";
+        const lineNumber = controllerMatch ? getLineNumber(content, controllerMatch.index) : 1;
+        result.findings.push({
+          severity: "blocking",
+          category: "authorization",
+          message: `Controller ${controllerName} missing authorization attribute`,
+          file: path20.relative(structure.root, file),
+          line: lineNumber,
+          suggestion: 'Add [NavRoute("context.application.module")] or [Authorize] attribute to the controller class',
+          cweId: "CWE-862"
+        });
+      }
+    }
+  }
+}
+async function checkDangerousFunctions(structure, result) {
+  const csharpPatterns = [
+    { pattern: /Process\.Start\s*\([^)]*(?:user|input|param|request)/gi, name: "Process.Start with user input" },
+    { pattern: /Assembly\.Load(?:From|File)?\s*\(/g, name: "Dynamic assembly loading" },
+    { pattern: /Type\.GetType\s*\([^)]*(?:user|input|param|request)/gi, name: "Type.GetType with user input" },
+    { pattern: /Activator\.CreateInstance\s*\([^)]*(?:user|input|param|request)/gi, name: "Activator.CreateInstance with user input" }
+  ];
+  const typescriptPatterns = [
+    { pattern: /\beval\s*\(/g, name: "eval() usage" },
+    { pattern: /new\s+Function\s*\(/g, name: "new Function() usage" },
+    { pattern: /child_process\.exec\s*\(/g, name: "child_process.exec usage" },
+    { pattern: /\.innerHTML\s*=/g, name: "innerHTML assignment" },
+    { pattern: /dangerouslySetInnerHTML/g, name: "dangerouslySetInnerHTML usage" }
+  ];
+  const csFiles = await getFilesToScan(structure, ["**/*.cs"]);
+  for (const file of csFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    await checkPatterns(file, content, csharpPatterns, structure, result);
+  }
+  const tsFiles = await getFilesToScan(structure, ["**/*.ts", "**/*.tsx"]);
+  for (const file of tsFiles) {
+    if (isExcludedFile(file)) continue;
+    const content = await readText(file);
+    await checkPatterns(file, content, typescriptPatterns, structure, result);
+  }
+}
+async function checkPatterns(file, content, patterns, structure, result) {
+  const lines = content.split("\n");
+  for (const { pattern, name } of patterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const lineNumber = getLineNumber(content, match.index);
+      const lineContent = lines[lineNumber - 1]?.trim() || "";
+      result.findings.push({
+        severity: "critical",
+        category: "dangerous-functions",
+        message: `Dangerous function: ${name}`,
+        file: path20.relative(structure.root, file),
+        line: lineNumber,
+        code: truncateCode(lineContent),
+        suggestion: "Avoid using dangerous functions with user-controlled input. Use safe alternatives.",
+        cweId: "CWE-78"
+      });
+    }
+  }
+}
+async function checkInputValidation(structure, result) {
+  if (!structure.application) {
+    return;
+  }
+  const dtoFiles = await findFiles("**/*Dto.cs", { cwd: structure.application });
+  const dtos = [];
+  for (const file of dtoFiles) {
+    const content = await readText(file);
+    const dtoMatch = content.match(/class\s+(\w+Dto)/);
+    if (dtoMatch) {
+      dtos.push(dtoMatch[1]);
+    }
+  }
+  const validatorFiles = await findFiles("**/*Validator.cs", { cwd: structure.application });
+  const validators = [];
+  for (const file of validatorFiles) {
+    const content = await readText(file);
+    const validatorMatch = content.match(/class\s+(\w+Validator)/);
+    if (validatorMatch) {
+      validators.push(validatorMatch[1]);
+    }
+  }
+  for (const dto of dtos) {
+    const expectedValidator = dto.replace(/Dto$/, "DtoValidator");
+    const hasValidator = validators.some((v) => v === expectedValidator || v === `${dto}Validator`);
+    if (!hasValidator) {
+      result.findings.push({
+        severity: "warning",
+        category: "input-validation",
+        message: `DTO ${dto} has no FluentValidation validator`,
+        file: `Application/DTOs/${dto}.cs`,
+        suggestion: `Create ${expectedValidator} class with FluentValidation rules`,
+        cweId: "CWE-20"
+      });
+    }
+  }
+}
+async function getFilesToScan(structure, patterns) {
+  const allFiles = [];
+  for (const pattern of patterns) {
+    const files = await findFiles(pattern, { cwd: structure.root });
+    for (const file of files) {
+      try {
+        validatePathSecurity(file, structure.root);
+        allFiles.push(file);
+      } catch {
+        logger.warn("Skipping file outside project root", { file });
+      }
+    }
+  }
+  return [...new Set(allFiles)];
+}
+function isExcludedFile(filePath) {
+  const exclusions = [
+    /[/\\]bin[/\\]/,
+    /[/\\]obj[/\\]/,
+    /[/\\]node_modules[/\\]/,
+    /\.example\./,
+    /\.template\./,
+    /\.test\./,
+    /\.spec\./,
+    /Tests[/\\]/,
+    /appsettings\.Development\.json$/,
+    /appsettings\.Template\.json$/
+  ];
+  return exclusions.some((pattern) => pattern.test(filePath));
+}
+function isPlaceholderValue(line) {
+  const placeholderPatterns = [
+    /\${[A-Z_][A-Z0-9_]*}/,
+    // ${VAR_NAME} - env var syntax
+    /%[A-Z_][A-Z0-9_]*%/,
+    // %VAR_NAME% - Windows env var
+    /\{\{[A-Za-z_][A-Za-z0-9_]*\}\}/,
+    // {{varName}} - template syntax
+    /["']your[_-]?(?:password|secret|key|token)["']/i,
+    // "your_password" placeholders
+    /["']changeme["']/i,
+    /["']<[A-Z_]+>["']/,
+    // "<REPLACE_ME>" syntax
+    /["']xxx+["']/i,
+    // "xxx" or "XXXX" placeholders
+    /=\s*["']["']/
+    // Empty string assignments
+  ];
+  return placeholderPatterns.some((pattern) => pattern.test(line));
+}
+function getLineNumber(content, index) {
+  const normalizedContent = content.substring(0, index).replace(/\r\n/g, "\n");
+  return normalizedContent.split("\n").length;
+}
+function truncateCode(code, maxLength = 80) {
+  return code.length > maxLength ? code.substring(0, maxLength) + "..." : code;
+}
+function formatSecurityReport(result) {
+  const lines = [];
+  lines.push("# Security Validation Report");
+  lines.push("");
+  lines.push("## Summary");
+  lines.push(`- **Status**: ${result.valid ? "\u2705 PASSED" : "\u274C FAILED"}`);
+  lines.push(`- **Blocking**: ${result.stats.blocking}`);
+  lines.push(`- **Critical**: ${result.stats.critical}`);
+  lines.push(`- **Warnings**: ${result.stats.warning}`);
+  lines.push(`- **Files Scanned**: ${result.stats.filesScanned}`);
+  lines.push("");
+  if (result.findings.length === 0) {
+    lines.push("No security issues found.");
+    return lines.join("\n");
+  }
+  const blocking = result.findings.filter((f) => f.severity === "blocking");
+  const critical = result.findings.filter((f) => f.severity === "critical");
+  const warnings = result.findings.filter((f) => f.severity === "warning");
+  if (blocking.length > 0) {
+    lines.push("## Blocking Issues");
+    lines.push("");
+    for (const finding of blocking) {
+      formatFinding(finding, lines);
+    }
+  }
+  if (critical.length > 0) {
+    lines.push("## Critical Issues");
+    lines.push("");
+    for (const finding of critical) {
+      formatFinding(finding, lines);
+    }
+  }
+  if (warnings.length > 0) {
+    lines.push("## Warnings");
+    lines.push("");
+    for (const finding of warnings) {
+      formatFinding(finding, lines);
+    }
+  }
+  return lines.join("\n");
+}
+function formatFinding(finding, lines) {
+  lines.push(`### ${finding.category}: ${finding.message}`);
+  if (finding.file) {
+    lines.push(`- **File**: \`${finding.file}${finding.line ? `:${finding.line}` : ""}\``);
+  }
+  if (finding.code) {
+    lines.push(`- **Code**: \`${finding.code}\``);
+  }
+  if (finding.cweId) {
+    lines.push(`- **CWE**: ${finding.cweId}`);
+  }
+  lines.push(`- **Fix**: ${finding.suggestion}`);
+  lines.push("");
+}
+
+// src/tools/analyze-code-quality.ts
+import path21 from "path";
+var analyzeCodeQualityTool = {
+  name: "analyze_code_quality",
+  description: "Analyze code quality metrics for SmartStack projects: cognitive complexity, cyclomatic complexity, function size, nesting depth, and maintainability indicators.",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "Project path to analyze (default: SmartStack.app path from config)"
+      },
+      metrics: {
+        type: "array",
+        items: {
+          type: "string",
+          enum: [
+            "cognitive-complexity",
+            "cyclomatic-complexity",
+            "function-size",
+            "nesting-depth",
+            "parameter-count",
+            "code-duplication",
+            "file-size",
+            "all"
+          ]
+        },
+        description: "Metrics to analyze",
+        default: ["all"]
+      },
+      threshold: {
+        type: "string",
+        enum: ["strict", "normal", "lenient"],
+        description: "Threshold level for violations",
+        default: "normal"
+      },
+      scope: {
+        type: "string",
+        enum: ["changed", "all"],
+        description: "Analyze only changed files or all",
+        default: "all"
+      }
+    }
+  }
+};
+var THRESHOLDS = {
+  strict: {
+    cognitiveComplexity: 10,
+    cyclomaticComplexity: 8,
+    functionSize: 30,
+    nestingDepth: 2,
+    parameterCount: 3,
+    fileSize: 300
+  },
+  normal: {
+    cognitiveComplexity: 15,
+    cyclomaticComplexity: 10,
+    functionSize: 50,
+    nestingDepth: 3,
+    parameterCount: 4,
+    fileSize: 500
+  },
+  lenient: {
+    cognitiveComplexity: 25,
+    cyclomaticComplexity: 15,
+    functionSize: 80,
+    nestingDepth: 4,
+    parameterCount: 5,
+    fileSize: 800
+  }
+};
+async function handleAnalyzeCodeQuality(args, config) {
+  const input = AnalyzeCodeQualityInputSchema.parse(args);
+  const projectPath = input.path || config.smartstack.projectPath;
+  const thresholdLevel = input.threshold;
+  const thresholds = THRESHOLDS[thresholdLevel];
+  logger.info("Analyzing code quality", { projectPath, threshold: thresholdLevel });
+  const structure = await findSmartStackStructure(projectPath);
+  const allFunctionMetrics = [];
+  const fileMetrics = /* @__PURE__ */ new Map();
+  const csFiles = await findFiles("**/*.cs", { cwd: structure.root });
+  const filteredCsFiles = csFiles.filter((f) => !isExcludedPath(f));
+  for (const file of filteredCsFiles) {
+    const content = await readText(file);
+    const relPath = path21.relative(structure.root, file);
+    const lineCount = content.split("\n").length;
+    const functions = extractCSharpFunctions(content, relPath);
+    allFunctionMetrics.push(...functions);
+    fileMetrics.set(relPath, { lineCount, functions: functions.length });
+  }
+  const tsFiles = await findFiles("**/*.{ts,tsx}", { cwd: structure.root });
+  const filteredTsFiles = tsFiles.filter((f) => !isExcludedPath(f));
+  for (const file of filteredTsFiles) {
+    const content = await readText(file);
+    const relPath = path21.relative(structure.root, file);
+    const lineCount = content.split("\n").length;
+    const functions = extractTypeScriptFunctions(content, relPath);
+    allFunctionMetrics.push(...functions);
+    fileMetrics.set(relPath, { lineCount, functions: functions.length });
+  }
+  const metrics = calculateMetrics(allFunctionMetrics, fileMetrics, thresholds);
+  const hotspots = identifyHotspots(allFunctionMetrics, fileMetrics, thresholds);
+  const summary = calculateSummary(allFunctionMetrics, fileMetrics, metrics, hotspots);
+  const result = {
+    summary,
+    metrics,
+    hotspots
+  };
+  return formatQualityReport(result, thresholds);
+}
+function extractCSharpFunctions(content, file) {
+  const functions = [];
+  const lines = content.split("\n");
+  const methodPattern = /\b(public|private|protected|internal)\s+(?:async\s+)?(?:static\s+)?(?:virtual\s+)?(?:override\s+)?(?:[\w<>,\s\[\]]+)\s+(\w+)\s*\(([^)]*)\)/gm;
+  let match;
+  while ((match = methodPattern.exec(content)) !== null) {
+    const methodName = match[2];
+    const params = match[3];
+    const startLine = getLineNumber2(content, match.index);
+    const endLine = findMethodEnd(lines, startLine - 1);
+    const lineCount = endLine - startLine + 1;
+    const parameterCount = params.trim() ? params.split(",").length : 0;
+    const methodBody = lines.slice(startLine - 1, endLine).join("\n");
+    const cognitiveComplexity = calculateCognitiveComplexity(methodBody);
+    const cyclomaticComplexity = calculateCyclomaticComplexity(methodBody);
+    const maxNestingDepth = calculateNestingDepth(methodBody);
+    functions.push({
+      name: methodName,
+      file,
+      startLine,
+      endLine,
+      lineCount,
+      parameterCount,
+      maxNestingDepth,
+      cognitiveComplexity,
+      cyclomaticComplexity
+    });
+  }
+  return functions;
+}
+function extractTypeScriptFunctions(content, file) {
+  const functions = [];
+  const lines = content.split("\n");
+  const processedFunctions = /* @__PURE__ */ new Set();
+  const patterns = [
+    // Arrow functions assigned to const/let
+    /(?:const|let)\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w+)?\s*=>/g,
+    // Function declarations
+    /(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/g,
+    // Class methods (removed ^ anchor for consistency)
+    /\b(?:async\s+)?(\w+)\s*\(([^)]*)\)\s*(?::\s*[\w<>,\s\[\]]+)?\s*\{/gm
+  ];
+  for (const pattern of patterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const funcName = match[1];
+      const params = match[2] || "";
+      const startLine = getLineNumber2(content, match.index);
+      if (["if", "for", "while", "switch", "catch", "constructor"].includes(funcName)) continue;
+      const funcKey = `${file}:${startLine}:${funcName}`;
+      if (processedFunctions.has(funcKey)) continue;
+      processedFunctions.add(funcKey);
+      const endLine = findMethodEnd(lines, startLine - 1);
+      const lineCount = endLine - startLine + 1;
+      const parameterCount = params.trim() ? params.split(",").length : 0;
+      const methodBody = lines.slice(startLine - 1, endLine).join("\n");
+      const cognitiveComplexity = calculateCognitiveComplexity(methodBody);
+      const cyclomaticComplexity = calculateCyclomaticComplexity(methodBody);
+      const maxNestingDepth = calculateNestingDepth(methodBody);
+      functions.push({
+        name: funcName,
+        file,
+        startLine,
+        endLine,
+        lineCount,
+        parameterCount,
+        maxNestingDepth,
+        cognitiveComplexity,
+        cyclomaticComplexity
+      });
+    }
+  }
+  return functions;
+}
+function findMethodEnd(lines, startIndex) {
+  let braceCount = 0;
+  let foundFirstBrace = false;
+  for (let i = startIndex; i < lines.length; i++) {
+    const line = stripStringsAndComments(lines[i]);
+    for (const char of line) {
+      if (char === "{") {
+        braceCount++;
+        foundFirstBrace = true;
+      } else if (char === "}") {
+        braceCount--;
+        if (foundFirstBrace && braceCount === 0) {
+          return i + 1;
+        }
+      }
+    }
+  }
+  return startIndex + 1;
+}
+function stripStringsAndComments(line) {
+  let result = line.replace(/\/\/.*$/, "");
+  result = result.replace(/"(?:[^"\\]|\\.)*"/g, '""');
+  result = result.replace(/'(?:[^'\\]|\\.)*'/g, "''");
+  result = result.replace(/`(?:[^`\\]|\\.)*`/g, "``");
+  return result;
+}
+function calculateCognitiveComplexity(code) {
+  let complexity = 0;
+  let nestingLevel = 0;
+  const lines = code.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    const controlFlowPatterns = [
+      /\bif\s*\(/g,
+      /\belse\s+if\s*\(/g,
+      /\bfor\s*\(/g,
+      /\bforeach\s*\(/g,
+      /\bwhile\s*\(/g,
+      /\bdo\s*\{/g,
+      /\bswitch\s*\(/g,
+      /\bcatch\s*\(/g
+    ];
+    for (const pattern of controlFlowPatterns) {
+      const matches = trimmed.match(pattern) || [];
+      complexity += matches.length * (1 + nestingLevel);
+    }
+    const logicalPatterns = [/&&/g, /\|\|/g, /\?\?/g, /\?\./g];
+    for (const pattern of logicalPatterns) {
+      const matches = trimmed.match(pattern) || [];
+      complexity += matches.length;
+    }
+    const ternaryMatches = trimmed.match(/\?[^?:]+:/g) || [];
+    complexity += ternaryMatches.length;
+    const openBraces = (trimmed.match(/\{/g) || []).length;
+    const closeBraces = (trimmed.match(/\}/g) || []).length;
+    nestingLevel += openBraces - closeBraces;
+    nestingLevel = Math.max(0, nestingLevel);
+  }
+  return complexity;
+}
+function calculateCyclomaticComplexity(code) {
+  let complexity = 1;
+  const patterns = [
+    /\bif\b/g,
+    /\belse\s+if\b/g,
+    /\bwhile\b/g,
+    /\bfor\b/g,
+    /\bforeach\b/g,
+    /\bcase\b/g,
+    /\bcatch\b/g,
+    /\?\?/g,
+    /\?\./g,
+    /&&/g,
+    /\|\|/g
+  ];
+  for (const pattern of patterns) {
+    const matches = code.match(pattern) || [];
+    complexity += matches.length;
+  }
+  return complexity;
+}
+function calculateNestingDepth(code) {
+  let maxDepth = 0;
+  let currentDepth = 0;
+  for (const char of code) {
+    if (char === "{") {
+      currentDepth++;
+      maxDepth = Math.max(maxDepth, currentDepth);
+    } else if (char === "}") {
+      currentDepth = Math.max(0, currentDepth - 1);
+    }
+  }
+  return maxDepth;
+}
+function calculateMetrics(functions, fileMetrics, thresholds) {
+  const createStat = (values, threshold) => {
+    const filtered = values.filter((v) => v > 0);
+    const avg = filtered.length > 0 ? filtered.reduce((a, b) => a + b, 0) / filtered.length : 0;
+    const max = filtered.length > 0 ? Math.max(...filtered) : 0;
+    const violations = filtered.filter((v) => v > threshold).length;
+    return {
+      average: Math.round(avg * 10) / 10,
+      max,
+      threshold,
+      violations
+    };
+  };
+  const fileSizes = Array.from(fileMetrics.values()).map((f) => f.lineCount);
+  return {
+    cognitiveComplexity: createStat(
+      functions.map((f) => f.cognitiveComplexity),
+      thresholds.cognitiveComplexity
+    ),
+    cyclomaticComplexity: createStat(
+      functions.map((f) => f.cyclomaticComplexity),
+      thresholds.cyclomaticComplexity
+    ),
+    functionSize: createStat(
+      functions.map((f) => f.lineCount),
+      thresholds.functionSize
+    ),
+    nestingDepth: createStat(
+      functions.map((f) => f.maxNestingDepth),
+      thresholds.nestingDepth
+    ),
+    fileSize: createStat(fileSizes, thresholds.fileSize)
+  };
+}
+function identifyHotspots(functions, fileMetrics, thresholds) {
+  const hotspots = [];
+  for (const func of functions) {
+    const issues = [];
+    if (func.cognitiveComplexity > thresholds.cognitiveComplexity) {
+      issues.push(`Cognitive complexity: ${func.cognitiveComplexity} (threshold: ${thresholds.cognitiveComplexity})`);
+    }
+    if (func.cyclomaticComplexity > thresholds.cyclomaticComplexity) {
+      issues.push(`Cyclomatic complexity: ${func.cyclomaticComplexity} (threshold: ${thresholds.cyclomaticComplexity})`);
+    }
+    if (func.lineCount > thresholds.functionSize) {
+      issues.push(`Lines: ${func.lineCount} (threshold: ${thresholds.functionSize})`);
+    }
+    if (func.maxNestingDepth > thresholds.nestingDepth) {
+      issues.push(`Nesting depth: ${func.maxNestingDepth} (threshold: ${thresholds.nestingDepth})`);
+    }
+    if (issues.length > 0) {
+      const severity = issues.length >= 3 ? "high" : issues.length === 2 ? "medium" : "low";
+      hotspots.push({
+        file: func.file,
+        function: func.name,
+        issues,
+        severity,
+        metrics: {
+          cognitiveComplexity: func.cognitiveComplexity,
+          cyclomaticComplexity: func.cyclomaticComplexity,
+          lineCount: func.lineCount,
+          nestingDepth: func.maxNestingDepth
+        }
+      });
+    }
+  }
+  for (const [file, metrics] of fileMetrics) {
+    if (metrics.lineCount > thresholds.fileSize) {
+      hotspots.push({
+        file,
+        issues: [`File size: ${metrics.lineCount} lines (threshold: ${thresholds.fileSize})`],
+        severity: "medium",
+        metrics: {
+          lineCount: metrics.lineCount
+        }
+      });
+    }
+  }
+  const severityOrder = { high: 0, medium: 1, low: 2 };
+  hotspots.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return hotspots.slice(0, 20);
+}
+function calculateSummary(functions, fileMetrics, metrics, hotspots) {
+  const totalViolations = metrics.cognitiveComplexity.violations + metrics.cyclomaticComplexity.violations + metrics.functionSize.violations + metrics.nestingDepth.violations + metrics.fileSize.violations;
+  const totalFunctions = functions.length;
+  const totalFiles = fileMetrics.size;
+  const violationRate = totalFunctions > 0 ? totalViolations / totalFunctions : 0;
+  const score = Math.max(0, Math.round(100 - violationRate * 100));
+  let grade;
+  if (score >= 90) grade = "A";
+  else if (score >= 80) grade = "B";
+  else if (score >= 70) grade = "C";
+  else if (score >= 60) grade = "D";
+  else grade = "F";
+  return {
+    score,
+    grade,
+    filesAnalyzed: totalFiles,
+    functionsAnalyzed: totalFunctions,
+    issuesFound: hotspots.length
+  };
+}
+function isExcludedPath(filePath) {
+  const exclusions = [
+    /[/\\]bin[/\\]/,
+    /[/\\]obj[/\\]/,
+    /[/\\]node_modules[/\\]/,
+    /[/\\]Migrations[/\\]/,
+    /\.test\./,
+    /\.spec\./,
+    /Tests[/\\]/,
+    /\.d\.ts$/,
+    /\.min\./
+  ];
+  return exclusions.some((pattern) => pattern.test(filePath));
+}
+function getLineNumber2(content, index) {
+  const normalizedContent = content.substring(0, index).replace(/\r\n/g, "\n");
+  return normalizedContent.split("\n").length;
+}
+function formatQualityReport(result, thresholds) {
+  const lines = [];
+  lines.push("# Code Quality Report");
+  lines.push("");
+  lines.push("## Summary");
+  lines.push(`- **Score**: ${result.summary.score}/100 (Grade: ${result.summary.grade})`);
+  lines.push(`- **Files analyzed**: ${result.summary.filesAnalyzed}`);
+  lines.push(`- **Functions analyzed**: ${result.summary.functionsAnalyzed}`);
+  lines.push(`- **Issues found**: ${result.summary.issuesFound}`);
+  lines.push("");
+  lines.push("## Metrics Overview");
+  lines.push("");
+  lines.push("| Metric | Average | Max | Threshold | Status |");
+  lines.push("|--------|---------|-----|-----------|--------|");
+  const formatMetricRow = (name, stat2) => {
+    const status = stat2.violations > 0 ? `${stat2.violations} violations` : "\u2705 OK";
+    return `| ${name} | ${stat2.average} | ${stat2.max} | ${stat2.threshold} | ${status} |`;
+  };
+  lines.push(formatMetricRow("Cognitive Complexity", result.metrics.cognitiveComplexity));
+  lines.push(formatMetricRow("Cyclomatic Complexity", result.metrics.cyclomaticComplexity));
+  lines.push(formatMetricRow("Function Size", result.metrics.functionSize));
+  lines.push(formatMetricRow("Nesting Depth", result.metrics.nestingDepth));
+  lines.push(formatMetricRow("File Size", result.metrics.fileSize));
+  lines.push("");
+  if (result.hotspots.length > 0) {
+    lines.push("## Hotspots (Needs Attention)");
+    lines.push("");
+    for (const hotspot of result.hotspots) {
+      const severityEmoji = hotspot.severity === "high" ? "\u{1F534}" : hotspot.severity === "medium" ? "\u{1F7E1}" : "\u{1F7E2}";
+      const location = hotspot.function ? `\`${hotspot.function}\` (${hotspot.file})` : `\`${hotspot.file}\``;
+      lines.push(`### ${severityEmoji} ${hotspot.severity.toUpperCase()}: ${location}`);
+      for (const issue of hotspot.issues) {
+        lines.push(`- ${issue}`);
+      }
+      if (hotspot.function) {
+        if (hotspot.metrics.cognitiveComplexity && hotspot.metrics.cognitiveComplexity > thresholds.cognitiveComplexity) {
+          lines.push(`- **Recommendation**: Extract logic into smaller, focused methods`);
+        } else if (hotspot.metrics.lineCount && hotspot.metrics.lineCount > thresholds.functionSize) {
+          lines.push(`- **Recommendation**: Split into multiple functions with single responsibilities`);
+        }
+      } else {
+        lines.push(`- **Recommendation**: Consider splitting this file into smaller modules`);
+      }
+      lines.push("");
+    }
+  } else {
+    lines.push("No hotspots found. Code quality is within acceptable thresholds.");
+  }
+  return lines.join("\n");
+}
+
 // src/resources/conventions.ts
 var conventionsResourceTemplate = {
   uri: "smartstack://conventions",
@@ -10870,7 +11816,7 @@ Run specific or all checks:
 }
 
 // src/resources/project-info.ts
-import path20 from "path";
+import path22 from "path";
 var projectInfoResourceTemplate = {
   uri: "smartstack://project",
   name: "SmartStack Project Info",
@@ -10907,16 +11853,16 @@ async function getProjectInfoResource(config) {
   lines.push("```");
   lines.push(`${projectInfo.name}/`);
   if (structure.domain) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.domain)}/          # Domain layer (entities)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.domain)}/          # Domain layer (entities)`);
   }
   if (structure.application) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.application)}/     # Application layer (services)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.application)}/     # Application layer (services)`);
   }
   if (structure.infrastructure) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.infrastructure)}/  # Infrastructure (EF Core)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.infrastructure)}/  # Infrastructure (EF Core)`);
   }
   if (structure.api) {
-    lines.push(`\u251C\u2500\u2500 ${path20.basename(structure.api)}/             # API layer (controllers)`);
+    lines.push(`\u251C\u2500\u2500 ${path22.basename(structure.api)}/             # API layer (controllers)`);
   }
   if (structure.web) {
     lines.push(`\u2514\u2500\u2500 web/smartstack-web/      # React frontend`);
@@ -10929,8 +11875,8 @@ async function getProjectInfoResource(config) {
     lines.push("| Project | Path |");
     lines.push("|---------|------|");
     for (const csproj of projectInfo.csprojFiles) {
-      const name = path20.basename(csproj, ".csproj");
-      const relativePath = path20.relative(projectPath, csproj);
+      const name = path22.basename(csproj, ".csproj");
+      const relativePath = path22.relative(projectPath, csproj);
       lines.push(`| ${name} | \`${relativePath}\` |`);
     }
     lines.push("");
@@ -10940,10 +11886,10 @@ async function getProjectInfoResource(config) {
       cwd: structure.migrations,
       ignore: ["*.Designer.cs"]
     });
-    const migrations = migrationFiles.map((f) => path20.basename(f)).filter((f) => !f.includes("ModelSnapshot") && !f.includes(".Designer.")).sort();
+    const migrations = migrationFiles.map((f) => path22.basename(f)).filter((f) => !f.includes("ModelSnapshot") && !f.includes(".Designer.")).sort();
     lines.push("## EF Core Migrations");
     lines.push("");
-    lines.push(`**Location**: \`${path20.relative(projectPath, structure.migrations)}\``);
+    lines.push(`**Location**: \`${path22.relative(projectPath, structure.migrations)}\``);
     lines.push(`**Total Migrations**: ${migrations.length}`);
     lines.push("");
     if (migrations.length > 0) {
@@ -10978,11 +11924,11 @@ async function getProjectInfoResource(config) {
   lines.push("dotnet build");
   lines.push("");
   lines.push("# Run API");
-  lines.push(`cd ${structure.api ? path20.relative(projectPath, structure.api) : "src/Api"}`);
+  lines.push(`cd ${structure.api ? path22.relative(projectPath, structure.api) : "src/Api"}`);
   lines.push("dotnet run");
   lines.push("");
   lines.push("# Run frontend");
-  lines.push(`cd ${structure.web ? path20.relative(projectPath, structure.web) : "web"}`);
+  lines.push(`cd ${structure.web ? path22.relative(projectPath, structure.web) : "web"}`);
   lines.push("npm run dev");
   lines.push("");
   lines.push("# Create migration");
@@ -11005,7 +11951,7 @@ async function getProjectInfoResource(config) {
 }
 
 // src/resources/api-endpoints.ts
-import path21 from "path";
+import path23 from "path";
 var apiEndpointsResourceTemplate = {
   uri: "smartstack://api/",
   name: "SmartStack API Endpoints",
@@ -11030,7 +11976,7 @@ async function getApiEndpointsResource(config, endpointFilter) {
 }
 async function parseController(filePath, _rootPath) {
   const content = await readText(filePath);
-  const fileName = path21.basename(filePath, ".cs");
+  const fileName = path23.basename(filePath, ".cs");
   const controllerName = fileName.replace("Controller", "");
   const endpoints = [];
   const routeMatch = content.match(/\[Route\s*\(\s*"([^"]+)"\s*\)\]/);
@@ -11177,7 +12123,7 @@ function getMethodEmoji(method) {
 }
 
 // src/resources/db-schema.ts
-import path22 from "path";
+import path24 from "path";
 var dbSchemaResourceTemplate = {
   uri: "smartstack://schema/",
   name: "SmartStack Database Schema",
@@ -11267,7 +12213,7 @@ async function parseEntity(filePath, rootPath, _config) {
     tableName,
     properties,
     relationships,
-    file: path22.relative(rootPath, filePath)
+    file: path24.relative(rootPath, filePath)
   };
 }
 async function enrichFromConfigurations(entities, infrastructurePath, _config) {
@@ -11413,7 +12359,7 @@ function formatSchema(entities, filter, _config) {
 }
 
 // src/resources/entities.ts
-import path23 from "path";
+import path25 from "path";
 var entitiesResourceTemplate = {
   uri: "smartstack://entities/",
   name: "SmartStack Entities",
@@ -11473,7 +12419,7 @@ async function parseEntitySummary(filePath, rootPath, config) {
     hasSoftDelete,
     hasRowVersion,
     file: filePath,
-    relativePath: path23.relative(rootPath, filePath)
+    relativePath: path25.relative(rootPath, filePath)
   };
 }
 function inferTableInfo(entityName, config) {
@@ -11673,7 +12619,10 @@ async function createServer() {
         validateFrontendRoutesTool,
         // Frontend Extension Tools
         scaffoldFrontendExtensionTool,
-        analyzeExtensionPointsTool
+        analyzeExtensionPointsTool,
+        // Security & Code Quality Tools
+        validateSecurityTool,
+        analyzeCodeQualityTool
       ]
     };
   });
@@ -11732,6 +12681,13 @@ async function createServer() {
         case "analyze_extension_points":
           result = await handleAnalyzeExtensionPoints(args ?? {}, config);
           break;
+        // Security & Code Quality Tools
+        case "validate_security":
+          result = await handleValidateSecurity(args ?? {}, config);
+          break;
+        case "analyze_code_quality":
+          result = await handleAnalyzeCodeQuality(args ?? {}, config);
+          break;
         default:
           throw new Error(`Unknown tool: ${name}`);
       }