@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/src/mcp/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+45066aa2e5bc1eff0060249590f9b659f87ee1b5bf259c508d585c75d5be346a

package/src/mcp/.agentic-security/scan-history.json

@@ -0,0 +1,143 @@
+[
+  {
+    "timestamp": "2026-05-28T17:48:43.152Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:533:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:669:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:744:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:751:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:754:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:833:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:842:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:871:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:318",
+      "toctou-fs:tools.js:751",
+      "toctou-fs:tools.js:833"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T18:12:31.102Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:533:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:669:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:744:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:751:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:754:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:833:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:842:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:871:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:318",
+      "toctou-fs:tools.js:751",
+      "toctou-fs:tools.js:833"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T18:14:00.048Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:320:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:328:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:535:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:671:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:748:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:753:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:756:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:835:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:844:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:875:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:320",
+      "toctou-fs:tools.js:753",
+      "toctou-fs:tools.js:835"
+    ]
+  }
+]

package/src/mcp/.agentic-security/streak.json

@@ -0,0 +1,20 @@
+{
+  "firstScanDate": "2026-05-28T17:48:43.176Z",
+  "lastScanDate": "2026-05-28T18:14:00.070Z",
+  "totalScans": 3,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-28",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 1,
+  "totalFindingsAtFirstScan": 40,
+  "totalFindingsAtLastScan": 40,
+  "totalFixesInferred": 0,
+  "lastGrade": "A-",
+  "bestGrade": "A-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan"
+  ],
+  "previousGrade": "A-"
+}

package/src/mcp/audit.js

@@ -82,6 +82,11 @@ async function _postRemote(url, entry) {
 export function auditCall({ sessionRoot, tool, args, outcome, reason }) {
   if (!sessionRoot) return;
   try {
+    // Safety: only write audit log if sessionRoot looks like a project root
+    const MARKERS = ['.git', 'package.json', 'pyproject.toml', 'go.mod', 'Cargo.toml', 'pom.xml', 'composer.json', 'Gemfile'];
+    let hasMarker = false;
+    for (const m of MARKERS) { try { if (fs.existsSync(path.join(sessionRoot, m))) { hasMarker = true; break; } } catch {} }
+    if (!hasMarker) return;
     const dir = path.join(sessionRoot, '.agentic-security');
     fs.mkdirSync(dir, { recursive: true });
     const logFile = path.join(dir, 'mcp-audit.log');

package/src/mcp/tools.js

@@ -238,6 +238,8 @@ function _findById(scan, id) {
   if (!scan) return null;
   return (scan.findings || []).find(f => f.id === id)
       || (scan.secrets || []).find(f => f.id === id)
+      || (scan.supplyChain || []).find(f => f.id === id)
+      || (scan.logicVulns || []).find(f => f.id === id)
       || null;
 }
 
@@ -468,6 +470,19 @@ export const explain_finding = {
       confidence: f.confidence ?? null,
       hasReplacementFix: typeof f.fix?.replacement === 'string',
       integrity: status,
+      // Risk-signal passthrough so agents can decide priority without
+      // re-reading last-scan.json or re-fetching OSV/KEV/EPSS. compositeRisk
+      // is the canonical sort key; the other fields are its provenance.
+      compositeRisk: f.compositeRisk ?? null,
+      compositeRiskTier: f.compositeRiskTier ?? null,
+      compositeRiskFactors: Array.isArray(f.compositeRiskFactors) ? f.compositeRiskFactors : [],
+      exploitability: f.exploitability ?? null,
+      exploitabilityTier: f.exploitabilityTier ?? null,
+      mitigationVerdict: f.mitigationVerdict ?? null,
+      kev: !!(f.kev || f.kevListed || f.weaponized),
+      epssScore: typeof f.epssScore === 'number' ? f.epssScore : null,
+      epssPercentile: typeof f.epssPercentile === 'number' ? f.epssPercentile : null,
+      exploitedNow: !!f.exploitedNow,
     };
   },
 };
@@ -952,4 +967,78 @@ export const lookup_cve = {
   },
 };
 
-export const ALL_TOOLS = [scan_diff, query_taint, explain_finding, apply_fix, verify_fix, synthesize_fix, find_rule_module, append_scratchpad, read_scratchpad, append_agents_memory, read_agents_memory, lookup_cve];
+// ─── synthesize_sca_upgrade ───────────────────────────────────────────────
+// Phase 3 / Item 5 of the SCA improvement plan. Read-only counterpart to
+// apply_sca_upgrade — produces a structured upgrade plan via the
+// ecosystem's native --dry-run command. Safe to call any number of times.
+let _scaUpgrade;
+async function _getScaUpgrade() {
+  if (!_scaUpgrade) _scaUpgrade = await import('../posture/sca-upgrade.js');
+  return _scaUpgrade;
+}
+export const synthesize_sca_upgrade = {
+  name: 'synthesize_sca_upgrade',
+  description: 'Generate an upgrade plan for a single SCA finding. Runs the ecosystem dry-run (npm install --dry-run, pip install --dry-run, cargo update --dry-run). Returns { ecosystem, package, currentVersion, targetVersion, isBreaking, command, manifestFiles, dryRun, testCommand }. No writes.',
+  inputSchema: {
+    type: 'object',
+    additionalProperties: false,
+    properties: {
+      finding_id: { type: 'string', minLength: 1, maxLength: 256 },
+    },
+    required: ['finding_id'],
+  },
+  async handler({ finding_id }, ctx) {
+    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: true });
+    if (!scan) throw new Error(`No usable scan state (${status}).`);
+    const f = _findById(scan, finding_id);
+    if (!f) throw new Error(`Finding not found: ${finding_id}`);
+    if (f.type !== 'vulnerable_dep') {
+      return { _meta: META, ok: false, reason: 'finding is not an SCA vulnerable_dep — use synthesize_fix for SAST findings' };
+    }
+    const { planScaUpgrade } = await _getScaUpgrade();
+    const plan = await planScaUpgrade({ scanRoot: ctx.sessionRoot, finding: f });
+    return { _meta: META, ...plan };
+  },
+};
+
+// ─── apply_sca_upgrade ────────────────────────────────────────────────────
+// Phase 3 / Item 5 of the SCA improvement plan. The MCP `apply_fix` path
+// refuses every package-manager manifest by design. This tool bypasses
+// that ONLY for the install pathway — it shells out to the ecosystem's
+// native package manager (npm / pip / cargo / go) which is the right
+// surface for safely modifying manifests + lockfiles. Backs up affected
+// manifests before the install; runs the project's test command (if
+// detected); rolls back manifests if tests fail.
+export const apply_sca_upgrade = {
+  name: 'apply_sca_upgrade',
+  description: 'Apply a vulnerable_dep upgrade. Backs up manifests, runs the package manager, runs the project test command, restores manifests on test failure. Requires confirm:true. Set run_tests:false to skip the test gate (NOT recommended).',
+  inputSchema: {
+    type: 'object',
+    additionalProperties: false,
+    properties: {
+      finding_id: { type: 'string', minLength: 1, maxLength: 256 },
+      confirm: { type: 'boolean' },
+      run_tests: { type: 'boolean' },
+    },
+    required: ['finding_id', 'confirm'],
+  },
+  async handler({ finding_id, confirm, run_tests = true }, ctx) {
+    if (confirm !== true) {
+      return { _meta: META, applied: false, reason: 'apply_sca_upgrade requires confirm: true.' };
+    }
+    const { scan, status } = _readLastScanVerified(ctx.sessionRoot, { allowUnsigned: false });
+    if (!scan) {
+      return { _meta: META, applied: false, reason: `last-scan.json failed integrity check: ${status}. Run a fresh scan.` };
+    }
+    const f = _findById(scan, finding_id);
+    if (!f) return { _meta: META, applied: false, reason: `Finding not found: ${finding_id}` };
+    if (f.type !== 'vulnerable_dep') {
+      return { _meta: META, applied: false, reason: 'finding is not an SCA vulnerable_dep — use apply_fix for SAST findings' };
+    }
+    const { applyScaUpgrade } = await _getScaUpgrade();
+    const result = await applyScaUpgrade({ scanRoot: ctx.sessionRoot, finding: f, runTests: run_tests });
+    return { _meta: META, ...result };
+  },
+};
+
+export const ALL_TOOLS = [scan_diff, query_taint, explain_finding, apply_fix, verify_fix, synthesize_fix, find_rule_module, append_scratchpad, read_scratchpad, append_agents_memory, read_agents_memory, lookup_cve, synthesize_sca_upgrade, apply_sca_upgrade];