@clear-capabilities/agentic-security-scanner 0.75.0 → 0.76.1

package/src/mcp/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-ac345bff3df871eaa40a4f27cfd6ba4edfec6a76eae2638630ec37f1d0f1808c
+5631e63f07a8029565c2084b53ff72e102e06e44a49d89f8a5f9e18b59c0a2cd

package/src/mcp/.agentic-security/scan-history.json

@@ -1,85 +1,4 @@
 [
-  {
-    "timestamp": "2026-05-18T21:08:19.904Z",
-    "label": "scan",
-    "total": 14,
-    "critical": 0,
-    "high": 0,
-    "medium": 14,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "struct:audit.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:server.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:140:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:148:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:403:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:83:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:99:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T00:08:13.198Z",
-    "label": "scan",
-    "total": 14,
-    "critical": 0,
-    "high": 0,
-    "medium": 14,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "struct:audit.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:server.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:140:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:148:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:404:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:83:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:99:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T20:18:42.254Z",
-    "label": "scan",
-    "total": 17,
-    "critical": 0,
-    "high": 0,
-    "medium": 17,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "struct:audit.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:audit.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:server.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:143:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:144:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:185:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:193:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:334:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "struct:tools.js:449:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
-      "toctou-fs:audit.js:34",
-      "toctou-fs:audit.js:66",
-      "toctou-fs:tools.js:113"
-    ]
-  },
   {
     "timestamp": "2026-05-19T20:18:51.483Z",
     "label": "scan",
@@ -1121,5 +1040,143 @@
       "toctou-fs:tools.js:723",
       "toctou-fs:tools.js:805"
     ]
+  },
+  {
+    "timestamp": "2026-05-24T15:10:27.373Z",
+    "label": "scan",
+    "total": 34,
+    "critical": 0,
+    "high": 0,
+    "medium": 34,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:122:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:97:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:519:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:654:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:729:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:731:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:736:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:739:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:818:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:827:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:856:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:858:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:122",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:318",
+      "toctou-fs:tools.js:736",
+      "toctou-fs:tools.js:818"
+    ]
+  },
+  {
+    "timestamp": "2026-05-24T15:10:37.152Z",
+    "label": "scan",
+    "total": 34,
+    "critical": 0,
+    "high": 0,
+    "medium": 34,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:122:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:97:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:520:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:655:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:730:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:732:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:737:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:740:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:819:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:828:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:857:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:859:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:122",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:318",
+      "toctou-fs:tools.js:737",
+      "toctou-fs:tools.js:819"
+    ]
+  },
+  {
+    "timestamp": "2026-05-24T15:10:46.492Z",
+    "label": "scan",
+    "total": 34,
+    "critical": 0,
+    "high": 0,
+    "medium": 34,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:122:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:97:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:520:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:656:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:731:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:733:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:738:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:741:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:820:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:829:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:858:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:860:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:122",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:318",
+      "toctou-fs:tools.js:738",
+      "toctou-fs:tools.js:820"
+    ]
   }
 ]

package/src/mcp/.agentic-security/streak.json

@@ -1,9 +1,9 @@
 {
   "firstScanDate": "2026-05-18T16:19:09.478Z",
-  "lastScanDate": "2026-05-19T23:06:35.158Z",
-  "totalScans": 48,
-  "daysCleanCritical": 2,
-  "lastCleanDate": "2026-05-19",
+  "lastScanDate": "2026-05-24T15:10:46.517Z",
+  "totalScans": 51,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-24",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
   "bestDaysCleanCritical": 2,

package/src/mcp/tools.js

@@ -16,11 +16,24 @@ import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-import { runScan } from '../runScan.js';
 import { applyFix as applyFixHistory } from '../posture/fix-history.js';
 import { verifyLastScan } from '../posture/integrity.js';
 import { redactString, redactFinding } from './redact.js';
-import { verifyFix as verifyFixCore } from '../posture/fix-verify.js';
+
+// Lazy-loaded: these transitively pull in npm packages (fast-glob,
+// @babel/core) that aren't available in the plugin-cache install path
+// (no node_modules). Deferring keeps the MCP server bootable everywhere;
+// the import only runs when a tool that needs them is actually called.
+let _runScan;
+async function getRunScan() {
+  if (!_runScan) _runScan = (await import('../runScan.js')).runScan;
+  return _runScan;
+}
+let _verifyFixCore;
+async function getVerifyFixCore() {
+  if (!_verifyFixCore) _verifyFixCore = (await import('../posture/fix-verify.js')).verifyFix;
+  return _verifyFixCore;
+}
 
 const MAX_FILES_PER_SCAN = 1024;
 const MAX_FILE_BYTES = 500_000;
@@ -315,6 +328,7 @@ export const scan_diff = {
       fileContents[rel] = content;
     }
 
+    const runScan = await getRunScan();
     const result = await runScan(sessionRoot, { network: false, fileContents });
     const wantSet = new Set(Object.keys(fileContents));
     const sevRank = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
@@ -588,6 +602,7 @@ export const verify_fix = {
       confined[relPath] = String(content);
     }
     try {
+      const verifyFixCore = await getVerifyFixCore();
       const r = await verifyFixCore({
         scanRoot: ctx.sessionRoot,
         originalFindingStableId: stable_id,