@cognium-ai/mcp-server 0.1.1 → 0.2.1

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAKpE,wBAAgB,WAAW,IAAI,SAAS,CAWvC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAOpE,wBAAgB,WAAW,IAAI,SAAS,CAavC"}

package/dist/server.js

@@ -5,14 +5,18 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { registerVerifySpecConformance } from './tools/verify-spec-conformance.js';
 import { registerFindSpecDrift } from './tools/find-spec-drift.js';
 import { registerFindPattern } from './tools/find-pattern.js';
+import { registerFindCredentialExposure } from './tools/find-credential-exposure.js';
+import { registerCheckLicenseCompliance } from './tools/check-license-compliance.js';
 export function buildServer() {
     const server = new McpServer({
         name: 'cognium-mcp',
-        version: '0.1.1',
+        version: '0.2.1',
     });
     registerVerifySpecConformance(server);
     registerFindSpecDrift(server);
     registerFindPattern(server);
+    registerFindCredentialExposure(server);
+    registerCheckLicenseCompliance(server);
     return server;
 }
 //# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAE9D,MAAM,UAAU,WAAW;IACzB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9B,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAE5B,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF,MAAM,UAAU,WAAW;IACzB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9B,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC5B,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACvC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/check-license-compliance.d.ts

@@ -0,0 +1,11 @@
+/**
+ * check_license_compliance MCP tool (Pillar I, Workflow #2).
+ *
+ * Scans a code root for copyleft/restrictive license issues in dependencies.
+ * Supports Node.js (package.json) and Rust (Cargo.toml) ecosystems.
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/79
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerCheckLicenseCompliance(server: McpServer): void;
+//# sourceMappingURL=check-license-compliance.d.ts.map

package/dist/tools/check-license-compliance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-license-compliance.d.ts","sourceRoot":"","sources":["../../src/tools/check-license-compliance.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA0HzE,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAsDtE"}

package/dist/tools/check-license-compliance.js

@@ -0,0 +1,125 @@
+/**
+ * check_license_compliance MCP tool (Pillar I, Workflow #2).
+ *
+ * Scans a code root for copyleft/restrictive license issues in dependencies.
+ * Supports Node.js (package.json) and Rust (Cargo.toml) ecosystems.
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/79
+ */
+import { z } from 'zod';
+import { scanLicenseCompliance, COPYLEFT_SEVERITY, } from 'circle-ir-ai';
+const MAX_FINDINGS = 500;
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    include_dev_deps: z.boolean().optional().default(false).describe('Include devDependencies (default: false)'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+};
+const findingSchema = z.object({
+    kind: z.literal('LICENSE_VIOLATION'),
+    severity: z.enum(['low', 'medium', 'high', 'critical']),
+    location: z.object({
+        file: z.string(),
+        span: z.tuple([z.number(), z.number()]),
+    }),
+    evidence: z.object({
+        rule_id: z.string(),
+        dependency: z.string(),
+        license: z.string(),
+        confidence: z.number(),
+    }),
+    suggested_action: z.string(),
+});
+const outputSchema = {
+    findings: z.array(findingSchema),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        by_ecosystem: z.object({
+            nodejs: z.number(),
+            rust: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+    copyleft_reference: z.record(z.string(), z.string()).describe('Reference table: license to severity'),
+};
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+function licenseToFinding(finding) {
+    return {
+        kind: 'LICENSE_VIOLATION',
+        severity: finding.severity === 'info' ? 'low' : finding.severity,
+        location: {
+            file: finding.file,
+            span: [finding.line ?? 1, finding.line ?? 1],
+        },
+        evidence: {
+            rule_id: finding.ruleId,
+            dependency: finding.dependency,
+            license: finding.license,
+            confidence: finding.confidence,
+        },
+        suggested_action: finding.suggestedAction,
+    };
+}
+function buildCopyleftReference() {
+    const ref = {};
+    for (const [license, severity] of Object.entries(COPYLEFT_SEVERITY)) {
+        ref[license] = severity;
+    }
+    return ref;
+}
+export function registerCheckLicenseCompliance(server) {
+    server.registerTool('check_license_compliance', {
+        title: 'Check License Compliance',
+        description: 'Scan a code root for copyleft/restrictive license issues in dependencies. ' +
+            'Supports Node.js (package.json) and Rust (Cargo.toml). ' +
+            'Flags AGPL, GPL, LGPL, MPL, and other copyleft licenses with severity classification. ' +
+            'Returns findings with dependency info, license SPDX, and remediation guidance.',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, include_dev_deps, severity_floor }) => {
+        const scanResult = await scanLicenseCompliance(code_root, {
+            includeDevDeps: include_dev_deps,
+            minSeverity: severity_floor,
+        });
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filteredFindings = scanResult.findings.filter((f) => SEVERITY_ORDER[f.severity] >= floorValue);
+        const truncated = filteredFindings.length > MAX_FINDINGS;
+        const findings = filteredFindings
+            .slice(0, MAX_FINDINGS)
+            .map(licenseToFinding);
+        const result = {
+            findings,
+            summary: {
+                total: filteredFindings.length,
+                by_severity: {
+                    critical: filteredFindings.filter((f) => f.severity === 'critical').length,
+                    high: filteredFindings.filter((f) => f.severity === 'high').length,
+                    medium: filteredFindings.filter((f) => f.severity === 'medium').length,
+                    low: filteredFindings.filter((f) => f.severity === 'low').length,
+                },
+                by_ecosystem: {
+                    nodejs: filteredFindings.filter((f) => f.ecosystem === 'nodejs').length,
+                    rust: filteredFindings.filter((f) => f.ecosystem === 'rust').length,
+                },
+                truncated,
+            },
+            copyleft_reference: buildCopyleftReference(),
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(result) }],
+            structuredContent: result,
+        };
+    });
+}
+//# sourceMappingURL=check-license-compliance.js.map

package/dist/tools/check-license-compliance.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-license-compliance.js","sourceRoot":"","sources":["../../src/tools/check-license-compliance.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EACL,qBAAqB,EACrB,iBAAiB,GAGlB,MAAM,cAAc,CAAC;AAEtB,MAAM,YAAY,GAAG,GAAG,CAAC;AAIzB,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,0CAA0C,CAAC;IAC5G,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;CACtJ,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC;IACpC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;KACxC,CAAC;IACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB,CAAC;IACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;CAC7B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC;YACrB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;SACjB,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;IACF,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;CACtG,CAAC;AAqCF,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,SAAS,gBAAgB,CAAC,OAAuB;IAC/C,OAAO;QACL,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ;QAChE,QAAQ,EAAE;YACR,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;SAC7C;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,OAAO,CAAC,MAAM;YACvB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B;QACD,gBAAgB,EAAE,OAAO,CAAC,eAAe;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB;IAC7B,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,MAAiB;IAC9D,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,4EAA4E;YAC5E,yDAAyD;YACzD,wFAAwF;YACxF,gFAAgF;QAClF,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,gBAAgB,EAAE,cAAc,EAAE,EAAE,EAAE;QACxD,MAAM,UAAU,GAAG,MAAM,qBAAqB,CAAC,SAAS,EAAE;YACxD,cAAc,EAAE,gBAAgB;YAChC,WAAW,EAAE,cAA+B;SAC7C,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,gBAAgB,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CACjD,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjE,CAAC;QAEF,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,GAAG,YAAY,CAAC;QACzD,MAAM,QAAQ,GAAG,gBAAgB;aAC9B,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC;aACtB,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAEzB,MAAM,MAAM,GAAiC;YAC3C,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,gBAAgB,CAAC,MAAM;gBAC9B,WAAW,EAAE;oBACX,QAAQ,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBAC1E,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAClE,MAAM,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBACtE,GAAG,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBACjE;gBACD,YAAY,EAAE;oBACZ,MAAM,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,MAAM;oBACvE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,MAAM;iBACpE;gBACD,SAAS;aACV;YACD,kBAAkB,EAAE,sBAAsB,EAAE;SAC7C,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/find-credential-exposure.d.ts

@@ -0,0 +1,17 @@
+/**
+ * `find_credential_exposure` MCP tool (Pillar I, Workflow #1).
+ *
+ * Scans a code root for hardcoded credentials (API keys, tokens, passwords,
+ * private keys) using circle-ir's ScanSecretsPass for SAST detection and
+ * circle-ir-ai's secret scanner for git history scanning.
+ *
+ * Architecture:
+ * - SAST detection: Delegated to circle-ir's ScanSecretsPass (no duplication)
+ * - Git history: circle-ir-ai scans commits (cross-commit analysis)
+ * - Output: Common Pillar I findings envelope for cognium-code integration
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/78
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerFindCredentialExposure(server: McpServer): void;
+//# sourceMappingURL=find-credential-exposure.d.ts.map

package/dist/tools/find-credential-exposure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-credential-exposure.d.ts","sourceRoot":"","sources":["../../src/tools/find-credential-exposure.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAuJzE,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA4DtE"}

package/dist/tools/find-credential-exposure.js

@@ -0,0 +1,172 @@
+/**
+ * `find_credential_exposure` MCP tool (Pillar I, Workflow #1).
+ *
+ * Scans a code root for hardcoded credentials (API keys, tokens, passwords,
+ * private keys) using circle-ir's ScanSecretsPass for SAST detection and
+ * circle-ir-ai's secret scanner for git history scanning.
+ *
+ * Architecture:
+ * - SAST detection: Delegated to circle-ir's ScanSecretsPass (no duplication)
+ * - Git history: circle-ir-ai scans commits (cross-commit analysis)
+ * - Output: Common Pillar I findings envelope for cognium-code integration
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/78
+ */
+import { z } from 'zod';
+import { scanForSecrets } from 'circle-ir-ai';
+/** Hard cap on findings returned. */
+const MAX_FINDINGS = 500;
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    include_git_history: z.boolean().optional().default(false).describe('Scan git history for secrets (default: false)'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+};
+const findingSchema = z.object({
+    kind: z.literal('CREDENTIAL_EXPOSURE'),
+    severity: z.enum(['low', 'medium', 'high', 'critical']),
+    location: z.object({
+        file: z.string(),
+        span: z.tuple([z.number(), z.number()]),
+    }),
+    evidence: z.object({
+        rule_id: z.string(),
+        match_snippet: z.string(),
+        confidence: z.number(),
+    }),
+    suggested_action: z.string(),
+});
+const outputSchema = {
+    findings: z.array(findingSchema),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+};
+/**
+ * Map severity to suggested action
+ */
+function getSuggestedAction(secret) {
+    const category = secret.category.toLowerCase();
+    const isActive = secret.presentInHead;
+    if (!isActive) {
+        return 'Secret found in git history only. Consider rotating and cleaning history with git-filter-repo or BFG.';
+    }
+    switch (category) {
+        case 'aws':
+            return 'Rotate the AWS access key immediately via IAM console and move to AWS Secrets Manager or environment variables.';
+        case 'github':
+            return 'Revoke the token at https://github.com/settings/tokens and use GITHUB_TOKEN or repository secrets instead.';
+        case 'openai':
+            return 'Revoke the key at https://platform.openai.com/api-keys and load from environment variables.';
+        case 'anthropic':
+            return 'Revoke the key in the Anthropic Console and load from environment variables.';
+        case 'stripe':
+            return 'Rotate in the Stripe Dashboard and use environment variables or a secrets manager.';
+        case 'slack':
+            return 'Revoke the token in Slack workspace settings and use environment variables.';
+        case 'gcp':
+            return 'Restrict or revoke in Google Cloud Console and use service account keys or Workload Identity.';
+        case 'private-key':
+            return 'Remove immediately, rotate the keypair, and never commit private keys to source control.';
+        case 'jwt':
+            return 'JWTs carry whatever scope they were minted with. Rotate signing keys and remove the token.';
+        case 'npm':
+            return 'Revoke at https://www.npmjs.com/settings/<user>/tokens and use NPM_TOKEN environment variable.';
+        case 'high-entropy':
+            return 'If this is a credential, move to environment variables or a secrets manager. If sample data, add to .gitignore.';
+        default:
+            return 'Rotate this credential immediately and move to environment variables or a secrets manager.';
+    }
+}
+/**
+ * Map severity order for filtering
+ */
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+/**
+ * Convert DetectedSecret to CredentialFinding
+ */
+function secretToFinding(secret, codeRoot) {
+    // Make file path relative to code_root
+    let relativePath = secret.file;
+    if (relativePath.startsWith(codeRoot)) {
+        relativePath = relativePath.slice(codeRoot.length);
+        if (relativePath.startsWith('/')) {
+            relativePath = relativePath.slice(1);
+        }
+    }
+    return {
+        kind: 'CREDENTIAL_EXPOSURE',
+        severity: secret.severity === 'low' ? 'low' : secret.severity,
+        location: {
+            file: relativePath,
+            span: [secret.line, secret.line], // Single line span
+        },
+        evidence: {
+            rule_id: secret.patternId,
+            match_snippet: secret.match, // Already redacted by scanner
+            confidence: secret.llmConfidence ?? (secret.category === 'high-entropy' ? 0.7 : 0.95),
+        },
+        suggested_action: getSuggestedAction(secret),
+    };
+}
+export function registerFindCredentialExposure(server) {
+    server.registerTool('find_credential_exposure', {
+        title: 'Find Credential Exposure',
+        description: 'Scan a code root for hardcoded credentials (API keys, tokens, passwords, ' +
+            'private keys). Uses SAST pattern matching and optional git history scanning. ' +
+            'Returns findings with severity, location, and remediation guidance.',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, include_git_history, severity_floor }) => {
+        // Map severity_floor to scanner's minSeverity
+        const minSeverity = severity_floor === 'info' ? undefined :
+            severity_floor === 'low' ? 'low' :
+                severity_floor === 'medium' ? 'medium' :
+                    severity_floor === 'high' ? 'high' :
+                        severity_floor === 'critical' ? 'critical' :
+                            'low';
+        const scanResult = await scanForSecrets(code_root, {
+            scanHistory: include_git_history,
+            minSeverity,
+            maxCommits: 100, // Reasonable limit for git history
+        });
+        // Filter by severity floor and convert to findings
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filteredSecrets = scanResult.secrets.filter((s) => SEVERITY_ORDER[s.severity] >= floorValue);
+        // Convert to findings format, respecting MAX_FINDINGS
+        const truncated = filteredSecrets.length > MAX_FINDINGS;
+        const findings = filteredSecrets
+            .slice(0, MAX_FINDINGS)
+            .map((s) => secretToFinding(s, code_root));
+        const result = {
+            findings,
+            summary: {
+                total: filteredSecrets.length,
+                by_severity: {
+                    critical: filteredSecrets.filter((s) => s.severity === 'critical').length,
+                    high: filteredSecrets.filter((s) => s.severity === 'high').length,
+                    medium: filteredSecrets.filter((s) => s.severity === 'medium').length,
+                    low: filteredSecrets.filter((s) => s.severity === 'low').length,
+                },
+                truncated,
+            },
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(result) }],
+            structuredContent: result,
+        };
+    });
+}
+//# sourceMappingURL=find-credential-exposure.js.map

package/dist/tools/find-credential-exposure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-credential-exposure.js","sourceRoot":"","sources":["../../src/tools/find-credential-exposure.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAA4C,MAAM,cAAc,CAAC;AAExF,qCAAqC;AACrC,MAAM,YAAY,GAAG,GAAG,CAAC;AAIzB,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,mBAAmB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,+CAA+C,CAAC;IACpH,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;CACtJ,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC;IACtC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;KACxC,CAAC;IACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;QACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB,CAAC;IACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;CAC7B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;CACH,CAAC;AA+BF;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAsB;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,CAAC;IAEtC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,uGAAuG,CAAC;IACjH,CAAC;IAED,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,iHAAiH,CAAC;QAC3H,KAAK,QAAQ;YACX,OAAO,4GAA4G,CAAC;QACtH,KAAK,QAAQ;YACX,OAAO,6FAA6F,CAAC;QACvG,KAAK,WAAW;YACd,OAAO,8EAA8E,CAAC;QACxF,KAAK,QAAQ;YACX,OAAO,oFAAoF,CAAC;QAC9F,KAAK,OAAO;YACV,OAAO,6EAA6E,CAAC;QACvF,KAAK,KAAK;YACR,OAAO,+FAA+F,CAAC;QACzG,KAAK,aAAa;YAChB,OAAO,0FAA0F,CAAC;QACpG,KAAK,KAAK;YACR,OAAO,4FAA4F,CAAC;QACtG,KAAK,KAAK;YACR,OAAO,gGAAgG,CAAC;QAC1G,KAAK,cAAc;YACjB,OAAO,iHAAiH,CAAC;QAC3H;YACE,OAAO,4FAA4F,CAAC;IACxG,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF;;GAEG;AACH,SAAS,eAAe,CAAC,MAAsB,EAAE,QAAgB;IAC/D,uCAAuC;IACvC,IAAI,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC;IAC/B,IAAI,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnD,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,QAA0C;QAC/F,QAAQ,EAAE;YACR,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,mBAAmB;SACtD;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,MAAM,CAAC,SAAS;YACzB,aAAa,EAAE,MAAM,CAAC,KAAK,EAAE,8BAA8B;YAC3D,UAAU,EAAE,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;SACtF;QACD,gBAAgB,EAAE,kBAAkB,CAAC,MAAM,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,MAAiB;IAC9D,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,2EAA2E;YAC3E,+EAA+E;YAC/E,qEAAqE;QACvE,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,mBAAmB,EAAE,cAAc,EAAE,EAAE,EAAE;QAC3D,8CAA8C;QAC9C,MAAM,WAAW,GACf,cAAc,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YACvC,cAAc,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;gBAClC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;oBACxC,cAAc,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;wBACpC,cAAc,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;4BAC5C,KAAK,CAAC;QAER,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE;YACjD,WAAW,EAAE,mBAAmB;YAChC,WAAW;YACX,UAAU,EAAE,GAAG,EAAE,mCAAmC;SACrD,CAAC,CAAC;QAEH,mDAAmD;QACnD,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAC/C,CAAC,CAAiB,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjF,CAAC;QAEF,sDAAsD;QACtD,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,GAAG,YAAY,CAAC;QACxD,MAAM,QAAQ,GAAG,eAAe;aAC7B,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC;aACtB,GAAG,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAiC;YAC3C,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,eAAe,CAAC,MAAM;gBAC7B,WAAW,EAAE;oBACX,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBACzF,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBACjF,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBACrF,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBAChF;gBACD,SAAS;aACV;SACF,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cognium-ai/mcp-server",
-  "version": "0.1.1",
+  "version": "0.2.1",
   "description": "MCP server exposing Cognium spec-conformance, spec-drift, and pattern-search tools over stdio",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -46,7 +46,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "circle-ir": "^3.23.3",
-    "circle-ir-ai": "^2.7.19",
+    "circle-ir-ai": "^2.8.0",
     "minimatch": "^10.2.5",
     "zod": "^3.25.0"
   },