@clear-capabilities/agentic-security-scanner 0.75.0 → 0.77.0

package/dist/601.index.js

@@ -1,1038 +0,0 @@
-export const id = 601;
-export const ids = [601];
-export const modules = {
-
-/***/ 3601:
-/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
-
-
-// EXPORTS
-__webpack_require__.d(__webpack_exports__, {
-  runStdio: () => (/* binding */ runStdio)
-});
-
-// EXTERNAL MODULE: external "node:fs"
-var external_node_fs_ = __webpack_require__(3024);
-// EXTERNAL MODULE: external "node:crypto"
-var external_node_crypto_ = __webpack_require__(7598);
-// EXTERNAL MODULE: external "node:path"
-var external_node_path_ = __webpack_require__(6760);
-// EXTERNAL MODULE: external "node:url"
-var external_node_url_ = __webpack_require__(3136);
-// EXTERNAL MODULE: external "node:fs/promises"
-var promises_ = __webpack_require__(1455);
-// EXTERNAL MODULE: ./src/runScan.js + 2 modules
-var runScan = __webpack_require__(9099);
-// EXTERNAL MODULE: ./src/posture/fix-history.js
-var fix_history = __webpack_require__(4407);
-// EXTERNAL MODULE: ./src/posture/integrity.js
-var integrity = __webpack_require__(1130);
-;// CONCATENATED MODULE: ./src/mcp/redact.js
-// Secret redactor for MCP tool outputs and audit log argument summaries.
-//
-// OWASP MCP01 + MCP10: the scanner reads source code, and findings carry
-// `snippet` / `description` / `trace` strings that may contain hardcoded
-// credentials, API keys, JWTs, private keys, etc. When those flow back to
-// the agent through tools/call responses they land in the agent's context
-// — exposing the secret to model logs, transcripts, and any downstream tool
-// the agent passes them to.
-//
-// We replace high-confidence secret shapes with [REDACTED:<kind>] before
-// emitting them. The original full content is still on disk (scanner
-// findings); the MCP surface is the bottleneck we control.
-//
-// Patterns deliberately stay narrow: high-precision so we don't garble
-// non-secret long strings (UUIDs, SHAs, base64-encoded scan IDs).
-
-const PATTERNS = [
-  // Provider-specific high-entropy keys (anchored prefixes give very low FP)
-  [/AKIA[0-9A-Z]{16}/g, 'aws-access-key'],
-  [/ASIA[0-9A-Z]{16}/g, 'aws-temp-key'],
-  [/gh[pousr]_[A-Za-z0-9]{36,255}/g, 'github-token'],
-  [/xox[abprs]-[A-Za-z0-9-]{10,}/g, 'slack-token'],
-  [/sk-ant-[A-Za-z0-9_-]{20,}/g, 'anthropic-key'],
-  [/sk-proj-[A-Za-z0-9_-]{20,}/g, 'openai-project-key'],
-  [/sk-[A-Za-z0-9]{32,}/g, 'openai-or-stripe-key'],
-  [/sk_(?:live|test)_[A-Za-z0-9]{20,}/g, 'stripe-key'],
-  [/rk_(?:live|test)_[A-Za-z0-9]{20,}/g, 'stripe-restricted-key'],
-  [/SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, 'sendgrid-key'],
-  [/AIza[0-9A-Za-z_-]{35}/g, 'google-api-key'],
-  // JWT — three dot-separated b64url segments starting with eyJ
-  [/eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g, 'jwt'],
-  // PEM-encoded private keys
-  [/-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----/g, 'private-key-block'],
-  // Authorization headers — common copy-paste shape
-  [/(?:Authorization|authorization)\s*:\s*Bearer\s+[A-Za-z0-9._~+/-]{20,}={0,2}/g, 'bearer-token'],
-  // Hardcoded password literals — assignment shape with quoted value
-  [/(password|passwd|secret|api[_-]?key|access[_-]?token)\s*[:=]\s*["'][^"'\n]{6,}["']/gi, 'hardcoded-credential'],
-];
-
-const SNIPPET_MAX = 2000;
-// OWASP A03 — cap input before running 14 regex patterns over it. A forged
-// last-scan.json could plant a 50MB description string; without this cap a
-// single explain_finding/query_taint call would peg CPU. After truncation
-// the snippet still gets the final SNIPPET_MAX trim downstream.
-const INPUT_MAX = 100_000;
-
-function redactString(s) {
-  if (typeof s !== 'string') return s;
-  let out = s;
-  if (out.length > INPUT_MAX) out = out.slice(0, INPUT_MAX) + `…(+${out.length - INPUT_MAX})`;
-  for (const [re, kind] of PATTERNS) {
-    out = out.replace(re, `[REDACTED:${kind}]`);
-  }
-  if (out.length > SNIPPET_MAX) out = out.slice(0, SNIPPET_MAX) + `…(+${out.length - SNIPPET_MAX})`;
-  return out;
-}
-
-// Deep-redact every string in a finding-like object (mutates returned copy).
-function redactFinding(f) {
-  if (!f || typeof f !== 'object') return f;
-  const out = { ...f };
-  for (const k of ['snippet', 'description', 'remediation', 'title', 'vuln', 'message']) {
-    if (typeof out[k] === 'string') out[k] = redactString(out[k]);
-  }
-  if (out.trace) {
-    try { out.trace = JSON.parse(redactString(JSON.stringify(out.trace))); }
-    catch { /* keep as-is if not round-trippable */ }
-  }
-  return out;
-}
-
-// Redact a freeform JSON-stringified argument blob (used by audit log).
-function redactArgsBlob(s) {
-  return redactString(s);
-}
-
-// EXTERNAL MODULE: external "node:child_process"
-var external_node_child_process_ = __webpack_require__(1421);
-// EXTERNAL MODULE: ./src/engine.js + 422 modules
-var engine = __webpack_require__(3209);
-;// CONCATENATED MODULE: ./src/posture/fix-verify.js
-// Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
-//
-// Given a candidate patch (the new file content + the finding stableId being
-// fixed), verify it:
-//
-//   1. The original finding's stableId no longer fires on the patched file.
-//   2. No new findings at severity ≥ medium were introduced by the patch.
-//   3. The project's existing linter (when present) passes on the patched file.
-//
-// If any of those fail, the caller is expected to NOT apply the patch and
-// instead surface a "fix plan" — a numbered list of steps the engineer can
-// follow — rather than dump a broken patch on the user.
-
-
-
-
-
-
-const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
-
-// Run a focused re-scan over just the patched file(s) using the in-memory
-// engine. No filesystem write needed — we hand the new content in via the
-// fileContents map.
-async function verifyPatch({
-  scanRoot,
-  originalFindingStableId,
-  files,   // { [relPath]: newContent }
-  depFileContents = {},
-} = {}) {
-  if (!files || typeof files !== 'object') return { ok: false, reason: 'no-files-provided' };
-  const fileContents = { ...files };
-  let scan;
-  try {
-    scan = await (0,engine/* runFullScan */.wW)({ fileContents, depFileContents, scanRoot }, () => {});
-  } catch (e) {
-    return { ok: false, reason: 'rescan-failed', error: e.message };
-  }
-  const findings = (scan && scan.findings) || [];
-  const stillHasOriginal = !!originalFindingStableId &&
-    findings.some(f => f.stableId === originalFindingStableId);
-  if (stillHasOriginal) {
-    return { ok: false, reason: 'original-finding-still-present', stableId: originalFindingStableId };
-  }
-  const introducedHighOrAbove = findings.filter(f =>
-    (SEVERITY_RANK[f.severity] ?? 9) <= SEVERITY_RANK.medium);
-  // Don't count findings on lines outside the patched files — but our
-  // fileContents map IS the patched files, so every finding is in-scope.
-  return {
-    ok: introducedHighOrAbove.length === 0,
-    reason: introducedHighOrAbove.length === 0 ? 'verified' : 'introduced-new-findings',
-    introduced: introducedHighOrAbove.map(f => ({
-      vuln: f.vuln, file: f.file, line: f.line, severity: f.severity,
-      stableId: f.stableId,
-    })),
-  };
-}
-
-// Detect which linter the project uses and run it on the patched files.
-// Returns { ok, runner, output } or { ok: true, runner: 'none' } when no
-// linter is configured (silent pass).
-function runProjectLinter(scanRoot, filePaths) {
-  if (!scanRoot || !Array.isArray(filePaths) || filePaths.length === 0) {
-    return { ok: true, runner: 'none' };
-  }
-  const has = (p) => { try { return external_node_fs_.existsSync(external_node_path_.join(scanRoot, p)); } catch { return false; } };
-  // Pick the linter by config file present in the repo root.
-  const jsFiles = filePaths.filter(f => /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(f));
-  const pyFiles = filePaths.filter(f => /\.py$/i.test(f));
-  const goFiles = filePaths.filter(f => /\.go$/i.test(f));
-  const javaFiles = filePaths.filter(f => /\.java$/i.test(f));
-
-  if (jsFiles.length && (has('.eslintrc') || has('.eslintrc.json') || has('.eslintrc.js') || has('eslint.config.js') || has('eslint.config.mjs'))) {
-    return runLinter(scanRoot, 'eslint', ['--no-error-on-unmatched-pattern', ...jsFiles]);
-  }
-  if (pyFiles.length && (has('pyproject.toml') || has('ruff.toml') || has('.ruff.toml'))) {
-    return runLinter(scanRoot, 'ruff', ['check', ...pyFiles]);
-  }
-  if (pyFiles.length && has('.flake8')) {
-    return runLinter(scanRoot, 'flake8', pyFiles);
-  }
-  if (goFiles.length && (has('.golangci.yml') || has('.golangci.yaml'))) {
-    return runLinter(scanRoot, 'golangci-lint', ['run', ...goFiles]);
-  }
-  if (javaFiles.length && has('checkstyle.xml')) {
-    return runLinter(scanRoot, 'checkstyle', ['-c', 'checkstyle.xml', ...javaFiles]);
-  }
-  return { ok: true, runner: 'none' };
-}
-
-function runLinter(cwd, cmd, args) {
-  let r;
-  try {
-    r = (0,external_node_child_process_.spawnSync)(cmd, args, { cwd, encoding: 'utf8', timeout: 60_000 });
-  } catch (e) {
-    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing', error: e.message };
-  }
-  if (r.error && r.error.code === 'ENOENT') {
-    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing' };
-  }
-  if (r.status === null) {
-    return { ok: false, runner: cmd, reason: 'timed-out', output: (r.stderr || r.stdout || '').slice(-2000) };
-  }
-  return {
-    ok: r.status === 0,
-    runner: cmd,
-    exitCode: r.status,
-    output: ((r.stderr || '') + (r.stdout || '')).slice(-2000),
-  };
-}
-
-// Top-level verify: re-scan + lint. Returns the combined verdict + a
-// human-readable summary string suitable for surfacing to the user.
-async function verifyFix({
-  scanRoot,
-  originalFindingStableId,
-  files,
-  depFileContents,
-} = {}) {
-  const rescan = await verifyPatch({ scanRoot, originalFindingStableId, files, depFileContents });
-  const lint = runProjectLinter(scanRoot, Object.keys(files || {}));
-  const ok = rescan.ok && (lint.ok || lint.skipped);
-  const summary = [
-    `re-scan: ${rescan.ok ? 'PASS' : 'FAIL — ' + rescan.reason}`,
-    `linter:  ${lint.runner === 'none' ? 'skipped (no linter config)'
-              : lint.skipped ? `${lint.runner} not installed`
-              : lint.ok ? `${lint.runner} PASS`
-              : `${lint.runner} FAIL (exit ${lint.exitCode})`}`,
-  ].join('\n');
-  return { ok, rescan, lint, summary };
-}
-
-;// CONCATENATED MODULE: ./src/mcp/tools.js
-// MCP tool implementations — PRD Feature 2, hardened against the OWASP MCP
-// Top 10 (see ./redact.js, ./audit.js, ./server.js for sibling controls).
-//
-// Trust model:
-//   - Session root fixed at server boot. No per-call retargeting.
-//   - Path arguments lstat-checked (symlinks refused, OWASP MCP05) and
-//     realpath-confined to session root.
-//   - Tool outputs marked _meta.untrusted_excerpts:true (OWASP MCP03/MCP06)
-//     because they may contain text from scanned files, which is adversary-
-//     controlled in any context where the agent might read malicious code.
-//   - Secret-shaped strings redacted on the way out (OWASP MCP01/MCP10).
-//   - `apply_fix` requires confirm:true, valid HMAC signature on
-//     last-scan.json, non-shadow finding, and confined file path.
-
-
-
-
-
-
-
-
-
-
-const MAX_FILES_PER_SCAN = 1024;
-const MAX_FILE_BYTES = 500_000;
-const MAX_TOTAL_SCAN_BYTES = 50_000_000;
-const META = { source: 'agentic-security-mcp', untrusted_excerpts: true };
-
-// OWASP A01 — refuse writes to paths that could subvert the security tool
-// itself or the host's source-control / dependency state. A forged finding
-// could otherwise tell apply_fix to overwrite our own rules.yml, our audit
-// log, a .git/hooks/post-commit payload, or a node_modules package.
-const RESERVED_WRITE_PREFIXES = [
-  '.git/',
-  '.agentic-security/',
-  'node_modules/',
-];
-function _isReservedWritePath(sessionRoot, absFile) {
-  // Resolve sessionRoot symlinks so the relative path is computed against
-  // the same canonical root as `absFile` (which _confine already realpath'd).
-  // On macOS /tmp → /private/tmp; without this normalization the relative
-  // would contain "../" and the prefix check would miss the reserved path.
-  const rootReal = external_node_fs_.realpathSync(external_node_path_.resolve(sessionRoot));
-  const rel = external_node_path_.relative(rootReal, absFile).replace(/\\/g, '/');
-  return RESERVED_WRITE_PREFIXES.some(p => rel === p.replace(/\/$/, '') || rel.startsWith(p));
-}
-
-// ─── Path confinement ────────────────────────────────────────────────────────
-// Lexical check + lstat symlink reject + realpath re-check. OWASP MCP05.
-//
-// For non-existent paths (apply_fix to a new file is a possible legitimate
-// case; in practice we re-check existence at the use-site) we walk up the
-// deepest existing ancestor and realpath that, so a parent-symlink can't
-// silently relocate writes.
-function _confine(sessionRoot, candidate, label) {
-  if (typeof candidate !== 'string' || !candidate) throw new Error(`${label}: not a string`);
-  const rootReal = external_node_fs_.realpathSync(external_node_path_.resolve(sessionRoot));
-  const abs = external_node_path_.isAbsolute(candidate) ? candidate : external_node_path_.resolve(rootReal, candidate);
-
-  // Lexical pre-check: rejects "../../etc/passwd" before any fs call.
-  const relLex = external_node_path_.relative(rootReal, external_node_path_.resolve(abs));
-  if (relLex === '' || relLex.startsWith('..') || external_node_path_.isAbsolute(relLex)) {
-    throw new Error(`${label}: path "${candidate}" escapes session root`);
-  }
-
-  // If the path exists, the leaf must not be a symlink and its realpath
-  // must still be under rootReal.
-  if (external_node_fs_.existsSync(abs)) {
-    if (external_node_fs_.lstatSync(abs).isSymbolicLink()) {
-      throw new Error(`${label}: path "${candidate}" is a symbolic link (refused)`);
-    }
-    const real = external_node_fs_.realpathSync(abs);
-    if (external_node_path_.relative(rootReal, real).startsWith('..')) {
-      throw new Error(`${label}: path "${candidate}" resolves outside session root via symlink`);
-    }
-    return real;
-  }
-
-  // Path doesn't exist — walk up to the deepest existing ancestor and
-  // realpath that. If a parent dir is a symlink pointing outside rootReal
-  // we catch it here.
-  let parent = external_node_path_.dirname(abs);
-  while (parent !== external_node_path_.dirname(parent) && !external_node_fs_.existsSync(parent)) {
-    parent = external_node_path_.dirname(parent);
-  }
-  const parentReal = external_node_fs_.realpathSync(parent);
-  if (external_node_path_.relative(rootReal, parentReal).startsWith('..')) {
-    throw new Error(`${label}: path "${candidate}" parent resolves outside session root`);
-  }
-  const suffix = external_node_path_.relative(parent, abs);
-  return external_node_path_.resolve(parentReal, suffix);
-}
-
-function _readLastScanVerified(sessionRoot, { allowUnsigned = false } = {}) {
-  const stateDir = external_node_path_.join(sessionRoot, '.agentic-security');
-  const scanFile = external_node_path_.join(stateDir, 'last-scan.json');
-  const sigFile = scanFile + '.sig';
-  if (!external_node_fs_.existsSync(scanFile)) return { scan: null, status: 'missing' };
-  const body = external_node_fs_.readFileSync(scanFile, 'utf8');
-  const ok = (0,integrity/* verifyLastScan */.E)(body, sigFile);
-  if (ok === false) return { scan: null, status: 'tampered' };
-  if (ok === null && !allowUnsigned) return { scan: null, status: 'unsigned' };
-  let parsed;
-  try { parsed = JSON.parse(body); }
-  catch { return { scan: null, status: 'unparseable' }; }
-  return { scan: parsed, status: ok ? 'verified' : 'unsigned' };
-}
-
-function _findById(scan, id) {
-  if (!scan) return null;
-  return (scan.findings || []).find(f => f.id === id)
-      || (scan.secrets || []).find(f => f.id === id)
-      || null;
-}
-
-// ─── scan_diff ───────────────────────────────────────────────────────────────
-const scan_diff = {
-  name: 'scan_diff',
-  description: 'Scan a list of files for security findings. Use BEFORE writing a Write/Edit to disk so the agent can self-correct. Returns findings with severity, file:line, title, remediation. Snippets are redacted of obvious secret patterns. Paths confined to the session root; symlinks are refused.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      files: {
-        type: 'array', minItems: 1, maxItems: MAX_FILES_PER_SCAN,
-        items: { type: 'string', minLength: 1, maxLength: 4096 },
-      },
-      severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low', 'info'] },
-    },
-    required: ['files'],
-  },
-  async handler({ files, severity }, ctx) {
-    const sessionRoot = ctx.sessionRoot;
-    const abs = files.map(f => _confine(sessionRoot, f, 'files[]'));
-
-    const fileContents = {};
-    let totalBytes = 0;
-    for (const a of abs) {
-      let stat;
-      try { stat = external_node_fs_.statSync(a); } catch { continue; }
-      if (!stat.isFile()) continue;
-      if (stat.size > MAX_FILE_BYTES) continue;
-      totalBytes += stat.size;
-      if (totalBytes > MAX_TOTAL_SCAN_BYTES) {
-        throw new Error(`scan_diff: total scan size exceeds ${MAX_TOTAL_SCAN_BYTES} bytes`);
-      }
-      let content;
-      try { content = external_node_fs_.readFileSync(a, 'utf8'); } catch { continue; }
-      const rel = external_node_path_.relative(sessionRoot, a).replace(/\\/g, '/');
-      fileContents[rel] = content;
-    }
-
-    const result = await (0,runScan.runScan)(sessionRoot, { network: false, fileContents });
-    const wantSet = new Set(Object.keys(fileContents));
-    const sevRank = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
-    const min = sevRank[severity] ?? 0;
-    const findings = (result.scan.findings || [])
-      .filter(f => wantSet.has(String(f.file || '').replace(/\\/g, '/')) && (sevRank[f.severity] ?? 0) >= min)
-      .map(f => redactFinding({
-        id: f.id, severity: f.severity, file: f.file, line: f.line,
-        title: f.title || f.vuln, cwe: f.cwe,
-        description: f.description, remediation: f.remediation,
-      }));
-    return {
-      _meta: META,
-      scannedFiles: Object.keys(fileContents).length,
-      findingCount: findings.length,
-      findings,
-    };
-  },
-};
-
-// ─── query_taint ─────────────────────────────────────────────────────────────
-const query_taint = {
-  name: 'query_taint',
-  description: 'Query whether the last verified scan found a taint path involving a given source and sink.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      source: { type: 'string', minLength: 1, maxLength: 256 },
-      sink: { type: 'string', minLength: 1, maxLength: 256 },
-    },
-    required: ['source', 'sink'],
-  },
-  async handler({ source, sink }, ctx) {
-    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: true });
-    if (!scan) {
-      return { _meta: META, hasResult: false, status, message: `No usable scan state (${status}).` };
-    }
-    const srcL = String(source).toLowerCase();
-    const sinkL = String(sink).toLowerCase();
-    const matches = (scan.findings || []).filter(f => {
-      const hay = [f.description, f.title, f.vuln, f.snippet, JSON.stringify(f.trace || '')].join(' ').toLowerCase();
-      return hay.includes(srcL) && hay.includes(sinkL);
-    }).map(f => redactFinding({
-      id: f.id, severity: f.severity, file: f.file, line: f.line,
-      title: f.title || f.vuln, description: f.description,
-      trace: f.trace || null,
-    }));
-    return {
-      _meta: META,
-      hasResult: true,
-      integrity: status,
-      scanStartedAt: scan.startedAt || scan.meta?.startedAt || null,
-      matchCount: matches.length,
-      matches,
-    };
-  },
-};
-
-// ─── explain_finding ─────────────────────────────────────────────────────────
-const explain_finding = {
-  name: 'explain_finding',
-  description: 'Return full details for a single finding from the last verified scan. Snippet/description redacted of secret patterns.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      finding_id: { type: 'string', minLength: 1, maxLength: 256 },
-    },
-    required: ['finding_id'],
-  },
-  async handler({ finding_id }, ctx) {
-    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: true });
-    if (!scan) throw new Error(`No usable scan state (${status}).`);
-    const f = _findById(scan, finding_id);
-    if (!f) throw new Error(`Finding not found: ${finding_id}`);
-    const redacted = redactFinding({
-      id: f.id, severity: f.severity, file: f.file, line: f.line,
-      title: f.title || f.vuln, cwe: f.cwe,
-      description: f.description, remediation: f.remediation,
-      snippet: f.snippet || null,
-      trace: f.trace || null,
-    });
-    return {
-      _meta: META,
-      ...redacted,
-      confidence: f.confidence ?? null,
-      hasReplacementFix: typeof f.fix?.replacement === 'string',
-      integrity: status,
-    };
-  },
-};
-
-// ─── apply_fix ───────────────────────────────────────────────────────────────
-const apply_fix = {
-  name: 'apply_fix',
-  description: 'Apply the stored replacement fix for a finding. Refuses if last-scan.json fails its HMAC check, if the finding is shadow-marked, or if its file path escapes the session root via lexical traversal OR a symlink. Requires confirm:true. Supports dry_run:true to preview without writing.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      finding_id: { type: 'string', minLength: 1, maxLength: 256 },
-      confirm: { type: 'boolean' },
-      dry_run: { type: 'boolean' },
-    },
-    required: ['finding_id', 'confirm'],
-  },
-  async handler({ finding_id, confirm, dry_run = false }, ctx) {
-    if (confirm !== true) {
-      return { _meta: META, applied: false, reason: 'apply_fix requires confirm: true.' };
-    }
-    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: false });
-    if (!scan) {
-      return { _meta: META, applied: false, reason: `last-scan.json failed integrity check: ${status}. Run a fresh scan.` };
-    }
-    const f = _findById(scan, finding_id);
-    if (!f) return { _meta: META, applied: false, reason: `Finding not found: ${finding_id}` };
-    if (f._shadow === true) {
-      return { _meta: META, applied: false, reason: 'shadow findings cannot be auto-applied' };
-    }
-    if (typeof f.fix?.replacement !== 'string') {
-      return {
-        _meta: META, applied: false,
-        reason: 'No full replacement available — only a template. Apply the template manually.',
-        template: redactString(f.fix?.code || ''),
-        file: f.file, line: f.line,
-      };
-    }
-    let absFile;
-    try { absFile = _confine(ctx.sessionRoot, f.file, 'finding.file'); }
-    catch (e) {
-      return { _meta: META, applied: false, reason: `path-escape refused: ${e.message}` };
-    }
-    if (_isReservedWritePath(ctx.sessionRoot, absFile)) {
-      return { _meta: META, applied: false, reason: `reserved path refused: writes to .git/, .agentic-security/, or node_modules/ are not permitted via apply_fix` };
-    }
-    if (!external_node_fs_.existsSync(absFile)) {
-      return { _meta: META, applied: false, reason: `File not found: ${absFile}` };
-    }
-    const originalContent = await promises_.readFile(absFile, 'utf8');
-
-    if (dry_run) {
-      return {
-        _meta: META,
-        applied: false, dryRun: true,
-        file: f.file,
-        originalSize: originalContent.length,
-        newSize: f.fix.replacement.length,
-        diffSummary: `${originalContent.length} → ${f.fix.replacement.length} bytes`,
-      };
-    }
-
-    const entry = await (0,fix_history/* applyFix */.oM)({
-      scanRoot: ctx.sessionRoot,
-      file: f.file,
-      originalContent,
-      newContent: f.fix.replacement,
-      findingId: f.id,
-      stableId: f.stableId || null,   // premortem 4R-8
-      ruleId: f.rule || null,
-      vuln: f.vuln || f.title || null,
-    });
-    return { _meta: META, applied: true, historyId: entry.id, file: f.file, backupPath: entry.backupPath, integrity: status };
-  },
-};
-
-// ─── verify_fix ──────────────────────────────────────────────────────────────
-// Closed-loop verification of a proposed patch BEFORE the agent applies it.
-// Re-scans the patched files in-memory (no disk write), confirms the original
-// stableId is gone, and runs the project's existing linter on the patched
-// files. Returns a structured verdict the agent can use to decide whether to
-// proceed with apply_fix.
-const verify_fix = {
-  name: 'verify_fix',
-  description: 'Verify a proposed patch before applying. Re-scans the patched files in memory and runs the project linter. Returns { ok, rescan, lint, summary }. No filesystem writes.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      stable_id: { type: 'string', minLength: 8, maxLength: 64 },
-      files: {
-        type: 'object',
-        additionalProperties: { type: 'string', maxLength: 500_000 },
-        minProperties: 1,
-        maxProperties: 8,
-      },
-    },
-    required: ['stable_id', 'files'],
-  },
-  async handler({ stable_id, files }, ctx) {
-    // Confine every file path before passing to the verifier.
-    const confined = {};
-    for (const [relPath, content] of Object.entries(files || {})) {
-      try {
-        _confine(ctx.sessionRoot, relPath, 'files key');
-      } catch (e) {
-        return { _meta: META, ok: false, reason: `path-escape refused: ${e.message}` };
-      }
-      confined[relPath] = String(content);
-    }
-    try {
-      const r = await verifyFix({
-        scanRoot: ctx.sessionRoot,
-        originalFindingStableId: stable_id,
-        files: confined,
-      });
-      return {
-        _meta: META,
-        ok: r.ok,
-        rescan: { ok: r.rescan.ok, reason: r.rescan.reason, introduced: r.rescan.introduced || [] },
-        lint: { runner: r.lint.runner, ok: r.lint.ok, skipped: r.lint.skipped || false, output: redactString(r.lint.output || '').slice(0, 1500) },
-        summary: r.summary,
-      };
-    } catch (e) {
-      return { _meta: META, ok: false, reason: `verify_fix failed: ${e.message}` };
-    }
-  },
-};
-
-// ─── synthesize_fix ──────────────────────────────────────────────────────────
-// Return the stored fix replacement + regression-test scaffold for a finding,
-// WITHOUT applying anything. The agent can call verify_fix → apply_fix in
-// sequence with the returned blob.
-const synthesize_fix = {
-  name: 'synthesize_fix',
-  description: 'Return the stored fix replacement for a finding (replacement text + remediation + plan if the patch is too large). Read-only; never writes to disk. Use verify_fix → apply_fix to deploy.',
-  inputSchema: {
-    type: 'object',
-    additionalProperties: false,
-    properties: {
-      finding_id: { type: 'string', minLength: 1, maxLength: 256 },
-    },
-    required: ['finding_id'],
-  },
-  async handler({ finding_id }, ctx) {
-    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: false });
-    if (!scan) {
-      return { _meta: META, ok: false, reason: `last-scan.json failed integrity check: ${status}` };
-    }
-    const f = _findById(scan, finding_id);
-    if (!f) return { _meta: META, ok: false, reason: `Finding not found: ${finding_id}` };
-    if (f._shadow === true) return { _meta: META, ok: false, reason: 'shadow findings have no synthesized fix' };
-    const fix = f.fix || {};
-    const hasReplacement = typeof fix.replacement === 'string' && fix.replacement.length > 0;
-    // Patch bounds: count files touched + LoC delta.
-    let touchedFiles = 1;
-    let locDelta = 0;
-    if (hasReplacement) {
-      let orig = '';
-      try {
-        const abs = _confine(ctx.sessionRoot, f.file, 'finding.file');
-        orig = external_node_fs_.readFileSync(abs, 'utf8');
-      } catch { /* ignore — counts will reflect new-only LoC */ }
-      locDelta = Math.abs(fix.replacement.split('\n').length - orig.split('\n').length);
-    }
-    const oversized = touchedFiles > 3 || locDelta > 100;
-    return {
-      _meta: META,
-      ok: true,
-      stable_id: f.stableId || null,
-      file: f.file, line: f.line,
-      vuln: f.vuln,
-      severity: f.severity,
-      hasReplacement,
-      replacement: hasReplacement ? redactString(fix.replacement) : null,
-      template: fix.code ? redactString(fix.code) : null,
-      remediation: typeof fix.description === 'string' ? fix.description : (typeof fix === 'string' ? fix : null),
-      patchBounds: { touchedFiles, locDelta, oversized },
-      recommendsFixPlan: oversized && !hasReplacement,
-    };
-  },
-};
-
-const ALL_TOOLS = [scan_diff, query_taint, explain_finding, apply_fix, verify_fix, synthesize_fix];
-
-;// CONCATENATED MODULE: ./src/mcp/validate.js
-// Minimal JSON Schema validator — just the subset our tool schemas use.
-// No deps. Throws on invalid input with a path-prefixed error message.
-//
-// Supported keywords: type (object/array/string/boolean/number),
-// required, properties, items, enum, minItems, maxItems, maxLength,
-// minLength, additionalProperties (only as `false` — strict).
-
-const TYPE_OF = (v) => {
-  if (v === null) return 'null';
-  if (Array.isArray(v)) return 'array';
-  return typeof v;
-};
-
-function validate(schema, value, path = 'arguments') {
-  if (!schema) return;
-  const t = schema.type;
-  if (t === 'object') {
-    if (TYPE_OF(value) !== 'object') throw new Error(`${path}: expected object, got ${TYPE_OF(value)}`);
-    for (const req of schema.required || []) {
-      if (!(req in value)) throw new Error(`${path}: missing required property "${req}"`);
-    }
-    if (schema.additionalProperties === false) {
-      const allowed = new Set(Object.keys(schema.properties || {}));
-      for (const k of Object.keys(value)) {
-        if (!allowed.has(k)) throw new Error(`${path}: unexpected property "${k}"`);
-      }
-    }
-    for (const [k, sub] of Object.entries(schema.properties || {})) {
-      if (k in value) validate(sub, value[k], `${path}.${k}`);
-    }
-  } else if (t === 'array') {
-    if (!Array.isArray(value)) throw new Error(`${path}: expected array, got ${TYPE_OF(value)}`);
-    if (schema.minItems != null && value.length < schema.minItems) throw new Error(`${path}: minItems=${schema.minItems}, got length=${value.length}`);
-    if (schema.maxItems != null && value.length > schema.maxItems) throw new Error(`${path}: maxItems=${schema.maxItems}, got length=${value.length}`);
-    if (schema.items) for (let i = 0; i < value.length; i++) validate(schema.items, value[i], `${path}[${i}]`);
-  } else if (t === 'string') {
-    if (typeof value !== 'string') throw new Error(`${path}: expected string, got ${TYPE_OF(value)}`);
-    if (schema.enum && !schema.enum.includes(value)) throw new Error(`${path}: must be one of [${schema.enum.join(', ')}]`);
-    if (schema.maxLength != null && value.length > schema.maxLength) throw new Error(`${path}: maxLength=${schema.maxLength}, got length=${value.length}`);
-    if (schema.minLength != null && value.length < schema.minLength) throw new Error(`${path}: minLength=${schema.minLength}, got length=${value.length}`);
-  } else if (t === 'boolean') {
-    if (typeof value !== 'boolean') throw new Error(`${path}: expected boolean, got ${TYPE_OF(value)}`);
-  } else if (t === 'number' || t === 'integer') {
-    if (typeof value !== 'number') throw new Error(`${path}: expected number, got ${TYPE_OF(value)}`);
-    if (t === 'integer' && !Number.isInteger(value)) throw new Error(`${path}: expected integer`);
-    if (schema.minimum != null && value < schema.minimum) throw new Error(`${path}: < minimum (${schema.minimum})`);
-    if (schema.maximum != null && value > schema.maximum) throw new Error(`${path}: > maximum (${schema.maximum})`);
-  }
-}
-
-;// CONCATENATED MODULE: ./src/mcp/audit.js
-// Append-only audit log of MCP tool calls — OWASP MCP08.
-//
-// Format: one JSON object per line (NDJSON) at
-//   <sessionRoot>/.agentic-security/mcp-audit.log
-//
-// Each entry carries `prev` — the SHA-256 of the previous entry's serialized
-// form. The first entry's prev is "GENESIS". Tampering with any line breaks
-// the chain from that point forward; a reader can detect partial truncation
-// or in-place edits. (Cannot prevent total deletion of the file — for that
-// you need write-once storage or a remote sink, out of scope for v1.)
-//
-// Argument blobs are redacted (OWASP MCP01/MCP10) so credentials passed in
-// arguments cannot leak via the audit trail.
-
-
-
-
-
-
-const MAX_ARG_BYTES = 1024;
-const GENESIS = 'GENESIS';
-
-function _summarize(args) {
-  let s;
-  try { s = JSON.stringify(args); } catch { s = '<unserializable>'; }
-  s = redactArgsBlob(s);
-  if (s.length > MAX_ARG_BYTES) s = s.slice(0, MAX_ARG_BYTES) + `…(+${s.length - MAX_ARG_BYTES})`;
-  return s;
-}
-
-function _sha(s) { return external_node_crypto_.createHash('sha256').update(s).digest('hex'); }
-
-function _readLastEntryHash(logFile) {
-  if (!external_node_fs_.existsSync(logFile)) return GENESIS;
-  try {
-    const all = external_node_fs_.readFileSync(logFile, 'utf8');
-    const lines = all.split('\n').filter(Boolean);
-    if (!lines.length) return GENESIS;
-    return _sha(lines[lines.length - 1]);
-  } catch { return GENESIS; }
-}
-
-function auditCall({ sessionRoot, tool, args, outcome, reason }) {
-  if (!sessionRoot) return;
-  try {
-    const dir = external_node_path_.join(sessionRoot, '.agentic-security');
-    external_node_fs_.mkdirSync(dir, { recursive: true });
-    const logFile = external_node_path_.join(dir, 'mcp-audit.log');
-    const entry = {
-      ts: new Date().toISOString(),
-      tool,
-      outcome,
-      ...(reason ? { reason } : {}),
-      args: _summarize(args),
-      prev: _readLastEntryHash(logFile),
-    };
-    external_node_fs_.appendFileSync(logFile, JSON.stringify(entry) + '\n');
-  } catch { /* audit failure must never break a tool call */ }
-}
-
-// Verify the chain from start to end. Returns
-//   { ok: true, entries: N } if intact
-//   { ok: false, brokenAt: <line-index>, expected, got } if any link breaks
-// Reader/operator-facing tool.
-function verifyAuditLog(logFile) {
-  if (!fs.existsSync(logFile)) return { ok: true, entries: 0 };
-  const text = fs.readFileSync(logFile, 'utf8');
-  const lines = text.split('\n').filter(Boolean);
-  let expectedPrev = GENESIS;
-  for (let i = 0; i < lines.length; i++) {
-    let entry;
-    try { entry = JSON.parse(lines[i]); }
-    catch { return { ok: false, brokenAt: i, reason: 'not JSON' }; }
-    if (entry.prev !== expectedPrev) {
-      return { ok: false, brokenAt: i, expected: expectedPrev, got: entry.prev };
-    }
-    expectedPrev = _sha(lines[i]);
-  }
-  return { ok: true, entries: lines.length };
-}
-
-;// CONCATENATED MODULE: ./src/mcp/server.js
-// MCP server core — JSON-RPC 2.0 handler for the Model Context Protocol.
-//
-// Hardening posture (mapped to OWASP MCP Top 10):
-//   - Session root chosen at server boot, no per-call retargeting (MCP02)
-//   - Every tools/call argument validated against the tool's inputSchema (MCP02/MCP05)
-//   - Every tools/call audited with a hash-chained log (MCP08)
-//   - serverInfo.codeFingerprint = SHA-256 of MCP source files (MCP04/MCP09)
-//     so a fleet can detect tampered or unauthorized server deployments
-//   - AGENTIC_SECURITY_MCP_DISABLED=1 hard-disables all tool calls (MCP09)
-//   - Stdio transport caps line/buffer size (./stdio.js) (MCP05 DoS)
-
-
-
-
-
-
-
-
-
-const PROTOCOL_VERSION = '2025-03-26';
-const SERVER_NAME = 'agentic-security';
-const SERVER_VERSION = '0.39.2';
-
-const TOOLS_BY_NAME = Object.fromEntries(ALL_TOOLS.map(t => [t.name, t]));
-
-// Code fingerprint — SHA-256 of the MCP source files concatenated in a
-// stable order. Embedded in `initialize` response so a fleet operator can
-// detect when an unapproved build is running (OWASP MCP04/MCP09).
-function _codeFingerprint() {
-  try {
-    const here = external_node_path_.dirname((0,external_node_url_.fileURLToPath)(import.meta.url));
-    const files = ['server.js', 'tools.js', 'stdio.js', 'audit.js', 'validate.js', 'redact.js'];
-    const h = external_node_crypto_.createHash('sha256');
-    for (const f of files) {
-      try { h.update(f); h.update(external_node_fs_.readFileSync(external_node_path_.join(here, f))); } catch {}
-    }
-    return h.digest('hex');
-  } catch { return null; }
-}
-const CODE_FINGERPRINT = _codeFingerprint();
-
-function _err(id, code, message, data) {
-  const out = { jsonrpc: '2.0', id, error: { code, message } };
-  if (data !== undefined) out.error.data = data;
-  return out;
-}
-
-function _ok(id, result) {
-  return { jsonrpc: '2.0', id, result };
-}
-
-function createServer({ sessionRoot = process.cwd() } = {}) {
-  const ctx = { sessionRoot };
-
-  async function handleRequest(msg) {
-    if (!msg || typeof msg !== 'object') return _err(null, -32600, 'Invalid Request');
-    if (msg.jsonrpc !== '2.0') return _err(msg.id ?? null, -32600, 'Invalid Request: jsonrpc must be "2.0"');
-
-    const isNotification = msg.id === undefined || msg.id === null;
-    const id = msg.id ?? null;
-    const disabled = process.env.AGENTIC_SECURITY_MCP_DISABLED === '1';
-
-    switch (msg.method) {
-      case 'initialize':
-        return _ok(id, {
-          protocolVersion: PROTOCOL_VERSION,
-          capabilities: { tools: {} },
-          serverInfo: {
-            name: SERVER_NAME,
-            version: SERVER_VERSION,
-            codeFingerprint: CODE_FINGERPRINT,
-            disabled,
-          },
-        });
-
-      case 'notifications/initialized':
-        return null;
-
-      case 'ping':
-        return _ok(id, {});
-
-      case 'tools/list':
-        return _ok(id, {
-          tools: ALL_TOOLS.map(t => ({
-            name: t.name,
-            description: t.description,
-            inputSchema: t.inputSchema,
-          })),
-        });
-
-      case 'tools/call': {
-        const name = msg.params?.name;
-        const args = msg.params?.arguments ?? {};
-        if (disabled) {
-          auditCall({ sessionRoot, tool: name, args, outcome: 'rejected', reason: 'server-disabled' });
-          return _ok(id, {
-            content: [{ type: 'text', text: 'MCP server is disabled (AGENTIC_SECURITY_MCP_DISABLED=1).' }],
-            isError: true,
-          });
-        }
-        const tool = TOOLS_BY_NAME[name];
-        if (!tool) {
-          auditCall({ sessionRoot, tool: name, args, outcome: 'rejected', reason: 'unknown-tool' });
-          return _err(id, -32602, `Unknown tool: ${name}`);
-        }
-        try { validate(tool.inputSchema, args); }
-        catch (e) {
-          auditCall({ sessionRoot, tool: name, args, outcome: 'rejected', reason: `invalid-args: ${e.message}` });
-          return _ok(id, {
-            content: [{ type: 'text', text: `Invalid arguments: ${e.message}` }],
-            isError: true,
-          });
-        }
-        try {
-          const result = await tool.handler(args, ctx);
-          auditCall({ sessionRoot, tool: name, args, outcome: 'ok' });
-          return _ok(id, {
-            content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
-            isError: false,
-          });
-        } catch (e) {
-          auditCall({ sessionRoot, tool: name, args, outcome: 'error', reason: e.message });
-          return _ok(id, {
-            content: [{ type: 'text', text: `Error: ${e.message}` }],
-            isError: true,
-          });
-        }
-      }
-
-      default:
-        if (isNotification) return null;
-        return _err(id, -32601, `Method not found: ${msg.method}`);
-    }
-  }
-
-  return { handleRequest, sessionRoot };
-}
-
-// NOTE: no default-singleton export. Callers must use createServer({...})
-// with an explicit sessionRoot. Removed because the prior default was bound
-// to process.cwd() at module-load time — a footgun for any caller that
-// imported `handleRequest` directly (OWASP A05).
-
-
-
-;// CONCATENATED MODULE: ./src/mcp/stdio.js
-// Stdio transport for the MCP server — newline-delimited JSON in/out.
-//
-// MCP's stdio transport is NDJSON: one JSON-RPC message per line on stdin,
-// one response per line on stdout. stderr is reserved for logging.
-//
-// Hardening:
-//   - Per-message line cap (MAX_LINE_BYTES). A line over the cap is dropped
-//     and the buffer state is reset so a long oversize payload can't peg
-//     the parser via `buf += chunk` growth.
-//   - Buffer hard cap (MAX_BUFFER_BYTES). Reached if input arrives with no
-//     newlines (e.g., a peer streaming a 4GB stream of `a`). On overflow we
-//     emit a parse-error response and reset.
-
-
-
-const MAX_LINE_BYTES = 4 * 1024 * 1024;        // 4 MB per JSON-RPC message
-const MAX_BUFFER_BYTES = 8 * 1024 * 1024;      // 8 MB sliding buffer
-
-function runStdio({
-  stdin = process.stdin,
-  stdout = process.stdout,
-  stderr = process.stderr,
-  sessionRoot = process.cwd(),
-} = {}) {
-  const server = createServer({ sessionRoot });
-  let buf = '';
-  let overflowSkip = false; // true while we are dropping bytes until the next newline
-
-  stdin.setEncoding('utf8');
-
-  stdin.on('data', async (chunk) => {
-    if (overflowSkip) {
-      const nl = chunk.indexOf('\n');
-      if (nl === -1) return;
-      // Resume after the next newline.
-      chunk = chunk.slice(nl + 1);
-      overflowSkip = false;
-    }
-
-    buf += chunk;
-
-    // Hard buffer cap — only triggers if a peer is streaming without newlines.
-    if (buf.length > MAX_BUFFER_BYTES) {
-      stderr.write(`mcp: input buffer exceeded ${MAX_BUFFER_BYTES} bytes — dropping until next newline\n`);
-      const errResponse = { jsonrpc: '2.0', id: null, error: { code: -32700, message: 'Parse error: input too large' } };
-      stdout.write(JSON.stringify(errResponse) + '\n');
-      buf = '';
-      overflowSkip = true;
-      return;
-    }
-
-    let nl;
-    while ((nl = buf.indexOf('\n')) !== -1) {
-      const line = buf.slice(0, nl).trim();
-      buf = buf.slice(nl + 1);
-      if (!line) continue;
-      if (line.length > MAX_LINE_BYTES) {
-        stderr.write(`mcp: dropped oversize line (${line.length} > ${MAX_LINE_BYTES} bytes)\n`);
-        const errResponse = { jsonrpc: '2.0', id: null, error: { code: -32700, message: 'Parse error: line too large' } };
-        stdout.write(JSON.stringify(errResponse) + '\n');
-        continue;
-      }
-      let msg;
-      try { msg = JSON.parse(line); }
-      catch (e) {
-        stderr.write(`mcp: failed to parse line as JSON: ${e.message}\n`);
-        const errResponse = { jsonrpc: '2.0', id: null, error: { code: -32700, message: 'Parse error' } };
-        stdout.write(JSON.stringify(errResponse) + '\n');
-        continue;
-      }
-      try {
-        const response = await server.handleRequest(msg);
-        if (response !== null) stdout.write(JSON.stringify(response) + '\n');
-      } catch (e) {
-        stderr.write(`mcp: handler threw: ${e.message}\n`);
-        const errResponse = { jsonrpc: '2.0', id: msg.id ?? null, error: { code: -32603, message: 'Internal error', data: e.message } };
-        stdout.write(JSON.stringify(errResponse) + '\n');
-      }
-    }
-  });
-
-  stdin.on('end', () => { process.exit(0); });
-}
-
-
-/***/ })
-
-};