@cognium-ai/mcp-server 0.2.1 → 0.4.0

package/README.md

@@ -1,9 +1,22 @@
 # @cognium-ai/mcp-server
 
-An [MCP](https://modelcontextprotocol.io) server exposing Cognium's
-spec-conformance, spec-drift, and pattern-search tools over **stdio**. Backed
-by the [`circle-ir-ai`](https://www.npmjs.com/package/circle-ir-ai) engine's
-`analyzeSpecGap`.
+An [MCP](https://modelcontextprotocol.io) server exposing Cognium's security
+scanning and spec-conformance tools over **stdio**. Backed by the
+[`circle-ir-ai`](https://www.npmjs.com/package/circle-ir-ai) engine.
+
+## Tools Overview
+
+| Tool | Category | Description |
+|------|----------|-------------|
+| `find_credential_exposure` | Pillar I | Detect hardcoded secrets (AWS, GitHub, OpenAI, etc.) |
+| `check_license_compliance` | Pillar I | Flag copyleft licenses in dependencies |
+| `find_stale_dependencies` | Pillar I | Check npm registry for outdated packages |
+| `find_install_script_risk` | Pillar I | Detect malicious install script patterns |
+| `find_typosquats` | Pillar I | Detect typosquat package names |
+| `find_excessive_permissions` | Pillar I | Audit MCP config permissions |
+| `verify_spec_conformance` | Spec | Analyze code-to-spec alignment |
+| `find_spec_drift` | Spec | Report spec/code drift |
+| `find_pattern` | Utility | Regex search over code |
 
 ## Install & run
 
@@ -31,7 +44,111 @@ Inspect it interactively:
 npx @modelcontextprotocol/inspector cognium-mcp
 ```
 
-## Tools
+## Pillar I Security Tools
+
+All Pillar I tools return a common envelope:
+
+```jsonc
+{
+  "findings": [{ "kind": "...", "severity": "...", "location": {...}, "evidence": {...}, "suggested_action": "..." }],
+  "summary": { "total": N, "by_severity": {...}, "truncated": false }
+}
+```
+
+- `location.span` is **1-indexed line numbers** `[start_line, end_line]`
+- All tools accept `severity_floor` to filter results
+
+### `find_credential_exposure`
+
+Detect hardcoded secrets using SAST pattern matching.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `include_git_history` | boolean | Scan git history (default: false) |
+| `severity_floor` | enum | Minimum severity: info/low/medium/high/critical |
+
+**Evidence:** `rule_id`, `match_snippet` (redacted), `confidence`
+
+### `check_license_compliance`
+
+Flag copyleft licenses in npm/Cargo dependencies.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `include_dev_deps` | boolean | Include devDependencies (default: false) |
+| `severity_floor` | enum | Minimum severity |
+
+**Severity:** AGPL/SSPL=critical, GPL=high, LGPL/MPL=medium, EUPL/CPAL=low
+
+### `find_stale_dependencies`
+
+Check npm dependencies for staleness and known vulnerabilities.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `include_dev_deps` | boolean | Include devDependencies (default: false) |
+| `severity_floor` | enum | Minimum severity |
+| `check_vulnerabilities` | boolean | Query OSV for CVEs (default: true) |
+
+**Staleness severity:** >3 years=high, >2 years=medium, >1 year=low
+
+**Vulnerability severity:** CVSS ≥9.0=critical, ≥7.0=high, ≥4.0=medium, <4.0=low
+
+**Evidence:**
+- Staleness: `dependency`, `current_version`, `latest_version`, `days_since_publish`, `last_publish_date`
+- Vulnerability: `dependency`, `current_version`, `vuln_id`, `cve`, `cvss`, `summary`
+
+### `find_install_script_risk`
+
+Detect malicious patterns in npm lifecycle scripts (preinstall, postinstall, etc.).
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `severity_floor` | enum | Minimum severity |
+
+**Rules:** piped downloads (critical), eval/exec (critical), base64 decode (high), env exfiltration (high), network downloads (medium), hidden file writes (medium)
+
+### `find_typosquats`
+
+Detect typosquat package names using Levenshtein distance and homoglyph detection.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `include_dev_deps` | boolean | Include devDependencies (default: false) |
+| `severity_floor` | enum | Minimum severity |
+| `check_homoglyphs` | boolean | Detect visual deception attacks (default: true) |
+| `check_popularity` | boolean | Query npm for download counts (default: false) |
+
+**Detection methods:**
+- **Levenshtein:** distance=1 is high, distance=2 is medium
+- **Homoglyph:** detects visual deception (`rn`→`m`, `1`→`l`, `0`→`o`, etc.) - always high severity
+
+**Evidence:** `dependency`, `similar_to`, `detection_method`, `distance`, `homoglyph`, `target_downloads`
+
+### `find_excessive_permissions`
+
+Audit MCP server configurations for overly broad permissions.
+
+| Input | Type | Description |
+|-------|------|-------------|
+| `code_root` | string | Absolute path to scan |
+| `severity_floor` | enum | Minimum severity |
+| `deep_analysis` | boolean | Run CircleIR to detect undisclosed capabilities (default: true) |
+
+**Config formats:** skill bundle (mcp.json), Claude Desktop, Cursor
+
+**Static rules:** broad filesystem paths, secret env vars, unrestricted network, dangerous commands
+
+**Deep analysis:** Cross-references declared permissions against actual code behavior. Detects undisclosed network, filesystem, or process execution capabilities.
+
+---
+
+## Spec Tools
 
 ### `verify_spec_conformance`
 

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAOpE,wBAAgB,WAAW,IAAI,SAAS,CAavC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAWpE,wBAAgB,WAAW,IAAI,SAAS,CAsBvC"}

package/dist/server.js

@@ -7,16 +7,27 @@ import { registerFindSpecDrift } from './tools/find-spec-drift.js';
 import { registerFindPattern } from './tools/find-pattern.js';
 import { registerFindCredentialExposure } from './tools/find-credential-exposure.js';
 import { registerCheckLicenseCompliance } from './tools/check-license-compliance.js';
+import { registerFindStaleDependencies } from './tools/find-stale-dependencies.js';
+import { registerFindInstallScriptRisk } from './tools/find-install-script-risk.js';
+import { registerFindTyposquats } from './tools/find-typosquats.js';
+import { registerFindExcessivePermissions } from './tools/find-excessive-permissions.js';
 export function buildServer() {
     const server = new McpServer({
         name: 'cognium-mcp',
-        version: '0.2.1',
+        version: '0.4.0',
     });
+    // Spec tools (legacy)
     registerVerifySpecConformance(server);
     registerFindSpecDrift(server);
     registerFindPattern(server);
+    // Pillar I Batch 1
     registerFindCredentialExposure(server);
     registerCheckLicenseCompliance(server);
+    // Pillar I Batch 2
+    registerFindStaleDependencies(server);
+    registerFindInstallScriptRisk(server);
+    registerFindTyposquats(server);
+    registerFindExcessivePermissions(server);
     return server;
 }
 //# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF,MAAM,UAAU,WAAW;IACzB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9B,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC5B,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACvC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,6BAA6B,EAAE,MAAM,qCAAqC,CAAC;AACpF,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAEzF,MAAM,UAAU,WAAW;IACzB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,sBAAsB;IACtB,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9B,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAE5B,mBAAmB;IACnB,8BAA8B,CAAC,MAAM,CAAC,CAAC;IACvC,8BAA8B,CAAC,MAAM,CAAC,CAAC;IAEvC,mBAAmB;IACnB,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,6BAA6B,CAAC,MAAM,CAAC,CAAC;IACtC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC/B,gCAAgC,CAAC,MAAM,CAAC,CAAC;IAEzC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/find-excessive-permissions.d.ts

@@ -0,0 +1,16 @@
+/**
+ * find_excessive_permissions MCP tool (Pillar I, Batch 2).
+ *
+ * Analyzes MCP server configurations for overly broad or dangerous permissions.
+ * Supports: skill bundle (mcp.json), Claude Desktop, Cursor configs.
+ *
+ * Auto-detection heuristic:
+ * - Files named mcp.json, .mcp.json, mcp-config.json → skill bundle format
+ * - claude_desktop_config.json → Claude Desktop format
+ * - .cursor/mcp.json → Cursor format
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerFindExcessivePermissions(server: McpServer): void;
+//# sourceMappingURL=find-excessive-permissions.d.ts.map

package/dist/tools/find-excessive-permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-excessive-permissions.d.ts","sourceRoot":"","sources":["../../src/tools/find-excessive-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAiGzE,wBAAgB,gCAAgC,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAmExE"}

package/dist/tools/find-excessive-permissions.js

@@ -0,0 +1,144 @@
+/**
+ * find_excessive_permissions MCP tool (Pillar I, Batch 2).
+ *
+ * Analyzes MCP server configurations for overly broad or dangerous permissions.
+ * Supports: skill bundle (mcp.json), Claude Desktop, Cursor configs.
+ *
+ * Auto-detection heuristic:
+ * - Files named mcp.json, .mcp.json, mcp-config.json → skill bundle format
+ * - claude_desktop_config.json → Claude Desktop format
+ * - .cursor/mcp.json → Cursor format
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import { z } from 'zod';
+import { excessivePermissionsPass } from 'circle-ir-ai';
+import { loadCircleIR } from '../analysis.js';
+const MAX_FINDINGS = 500;
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+    deep_analysis: z.boolean().optional().default(true).describe('Run CircleIR analysis to detect undisclosed capabilities (default: true)'),
+};
+const outputSchema = {
+    findings: z.array(z.object({
+        kind: z.literal('EXCESSIVE_PERMISSION'),
+        severity: z.enum(['low', 'medium', 'high', 'critical']),
+        location: z.object({
+            file: z.string(),
+            span: z.tuple([z.number(), z.number()]),
+        }),
+        evidence: z.object({
+            rule_id: z.string(),
+            config_file: z.string(),
+            permission_type: z.string(),
+            value: z.string(),
+        }),
+        suggested_action: z.string(),
+    })),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+    detection_info: z.object({
+        config_files_checked: z.array(z.string()),
+        auto_detection_heuristic: z.string(),
+        deep_analysis_performed: z.boolean(),
+        files_analyzed: z.number().optional(),
+    }),
+};
+const SUGGESTED_ACTIONS = {
+    'perm-broad-filesystem': 'Restrict filesystem access to specific directories needed by the tool. Avoid /home, /Users, or ~ wildcards.',
+    'perm-secret-env-exposure': 'Remove sensitive environment variables from MCP config. Use secrets management instead.',
+    'perm-unrestricted-network': 'Restrict network access to specific hosts/ports needed by the tool.',
+    'perm-dangerous-command': 'Review and restrict allowed commands. Avoid shell interpreters and system utilities.',
+    'perm-write-sensitive-path': 'Restrict write access to user-specific directories. Avoid system paths.',
+};
+function trustFindingToMcp(f) {
+    const meta = f.meta;
+    return {
+        kind: 'EXCESSIVE_PERMISSION',
+        severity: f.severity === 'info' ? 'low' : f.severity,
+        location: {
+            file: f.location?.file ?? 'mcp.json',
+            span: [f.location?.line ?? 1, f.location?.line ?? 1],
+        },
+        evidence: {
+            rule_id: f.ruleId,
+            config_file: f.location?.file ?? 'mcp.json',
+            permission_type: meta.permissionType ?? 'unknown',
+            value: meta.value ?? '',
+        },
+        suggested_action: SUGGESTED_ACTIONS[f.ruleId] ?? 'Review this permission for security risks and apply least-privilege principle.',
+    };
+}
+export function registerFindExcessivePermissions(server) {
+    server.registerTool('find_excessive_permissions', {
+        title: 'Find Excessive Permissions',
+        description: 'Analyze MCP server configurations for overly broad permissions. ' +
+            'Detects: broad filesystem paths (/home, /Users, ~), secret env var exposure, ' +
+            'unrestricted network access, dangerous command allowlisting. ' +
+            'Auto-detects config format (skill bundle, Claude Desktop, Cursor).',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, severity_floor, deep_analysis }) => {
+        // Run CircleIR analysis for deep capability detection
+        let circleIRResults;
+        if (deep_analysis !== false) {
+            try {
+                const { results } = await loadCircleIR(code_root);
+                circleIRResults = results;
+            }
+            catch {
+                // CircleIR analysis failed, continue with static-only analysis
+            }
+        }
+        const result = await excessivePermissionsPass(code_root, { circleIRResults });
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filtered = result.findings.filter((f) => SEVERITY_ORDER[f.severity] >= floorValue);
+        const truncated = filtered.length > MAX_FINDINGS;
+        const findings = filtered.slice(0, MAX_FINDINGS).map(trustFindingToMcp);
+        const output = {
+            findings,
+            summary: {
+                total: filtered.length,
+                by_severity: {
+                    critical: filtered.filter((f) => f.severity === 'critical').length,
+                    high: filtered.filter((f) => f.severity === 'high').length,
+                    medium: filtered.filter((f) => f.severity === 'medium').length,
+                    low: filtered.filter((f) => f.severity === 'low').length,
+                },
+                truncated,
+            },
+            detection_info: {
+                config_files_checked: [
+                    'mcp.json', '.mcp.json', 'mcp-config.json',
+                    'claude_desktop_config.json', '.cursor/mcp.json',
+                ],
+                auto_detection_heuristic: 'Files named mcp.json/.mcp.json/mcp-config.json use skill bundle format. ' +
+                    'claude_desktop_config.json uses Claude Desktop format. ' +
+                    '.cursor/mcp.json uses Cursor format.',
+                deep_analysis_performed: !!circleIRResults,
+                files_analyzed: circleIRResults?.length,
+            },
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(output) }],
+            structuredContent: output,
+        };
+    });
+}
+//# sourceMappingURL=find-excessive-permissions.js.map

package/dist/tools/find-excessive-permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-excessive-permissions.js","sourceRoot":"","sources":["../../src/tools/find-excessive-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,wBAAwB,EAAyC,MAAM,cAAc,CAAC;AAC/F,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,MAAM,YAAY,GAAG,GAAG,CAAC;AAIzB,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IACrJ,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,0EAA0E,CAAC;CACzI,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;QACvC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SACxC,CAAC;QACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;YACvB,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;YAC3B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;SAClB,CAAC;QACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;KAC7B,CAAC,CAAC;IACH,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;IACF,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC;QACvB,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACzC,wBAAwB,EAAE,CAAC,CAAC,MAAM,EAAE;QACpC,uBAAuB,EAAE,CAAC,CAAC,OAAO,EAAE;QACpC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACtC,CAAC;CACH,CAAC;AAeF,MAAM,iBAAiB,GAA2B;IAChD,uBAAuB,EAAE,6GAA6G;IACtI,0BAA0B,EAAE,yFAAyF;IACrH,2BAA2B,EAAE,qEAAqE;IAClG,wBAAwB,EAAE,sFAAsF;IAChH,2BAA2B,EAAE,yEAAyE;CACvG,CAAC;AAEF,SAAS,iBAAiB,CAAC,CAAe;IACxC,MAAM,IAAI,GAAG,CAAC,CAAC,IAA+B,CAAC;IAE/C,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAkD;QAC9F,QAAQ,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,UAAU;YACpC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;SACrD;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,WAAW,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,UAAU;YAC3C,eAAe,EAAG,IAAI,CAAC,cAAyB,IAAI,SAAS;YAC7D,KAAK,EAAG,IAAI,CAAC,KAAgB,IAAI,EAAE;SACpC;QACD,gBAAgB,EAAE,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,gFAAgF;KAClI,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,MAAiB;IAChE,MAAM,CAAC,YAAY,CACjB,4BAA4B,EAC5B;QACE,KAAK,EAAE,4BAA4B;QACnC,WAAW,EACT,kEAAkE;YAClE,+EAA+E;YAC/E,+DAA+D;YAC/D,oEAAoE;QACtE,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,EAAE,EAAE,EAAE;QACrD,sDAAsD;QACtD,IAAI,eAA2D,CAAC;QAChE,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC;gBAClD,eAAe,GAAG,OAAO,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,+DAA+D;YACjE,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAAC,SAAS,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC;QAE9E,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjE,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAC;QACjD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAExE,MAAM,MAAM,GAAG;YACb,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,MAAM;gBACtB,WAAW,EAAE;oBACX,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBAClE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC1D,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBAC9D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBACzD;gBACD,SAAS;aACV;YACD,cAAc,EAAE;gBACd,oBAAoB,EAAE;oBACpB,UAAU,EAAE,WAAW,EAAE,iBAAiB;oBAC1C,4BAA4B,EAAE,kBAAkB;iBACjD;gBACD,wBAAwB,EACtB,0EAA0E;oBAC1E,yDAAyD;oBACzD,sCAAsC;gBACxC,uBAAuB,EAAE,CAAC,CAAC,eAAe;gBAC1C,cAAc,EAAE,eAAe,EAAE,MAAM;aACxC;SACF,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/find-install-script-risk.d.ts

@@ -0,0 +1,11 @@
+/**
+ * find_install_script_risk MCP tool (Pillar I, Batch 2).
+ *
+ * Analyzes npm package.json lifecycle scripts for suspicious patterns.
+ * Scope: npm lifecycle scripts only (preinstall, install, postinstall, prepare, etc.)
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerFindInstallScriptRisk(server: McpServer): void;
+//# sourceMappingURL=find-install-script-risk.d.ts.map

package/dist/tools/find-install-script-risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-install-script-risk.d.ts","sourceRoot":"","sources":["../../src/tools/find-install-script-risk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAgGzE,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA2CrE"}

package/dist/tools/find-install-script-risk.js

@@ -0,0 +1,115 @@
+/**
+ * find_install_script_risk MCP tool (Pillar I, Batch 2).
+ *
+ * Analyzes npm package.json lifecycle scripts for suspicious patterns.
+ * Scope: npm lifecycle scripts only (preinstall, install, postinstall, prepare, etc.)
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import { z } from 'zod';
+import { maliciousInstallScriptPass } from 'circle-ir-ai';
+const MAX_FINDINGS = 500;
+const MAX_SNIPPET_LENGTH = 200;
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+};
+const outputSchema = {
+    findings: z.array(z.object({
+        kind: z.literal('MALICIOUS_INSTALL_SCRIPT'),
+        severity: z.enum(['low', 'medium', 'high', 'critical']),
+        location: z.object({
+            file: z.string(),
+            span: z.tuple([z.number(), z.number()]),
+        }),
+        evidence: z.object({
+            rule_id: z.string(),
+            script_name: z.string(),
+            script_content: z.string(),
+            pattern_matched: z.string(),
+        }),
+        suggested_action: z.string(),
+    })),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+};
+const SUGGESTED_ACTIONS = {
+    'install-script-piped-download': 'Remove piped download execution. If external resources are needed, download explicitly and verify checksums.',
+    'install-script-eval-exec': 'Remove dynamic code execution. Use static scripts instead of eval/exec patterns.',
+    'install-script-base64-decode': 'Remove base64 obfuscation. Install scripts should be readable and auditable.',
+    'install-script-env-exfil': 'Remove environment variable access that could leak secrets. Document required env vars instead.',
+    'install-script-network-download': 'Avoid network downloads in install scripts. Bundle dependencies or use npm dependencies.',
+    'install-script-hidden-file-write': 'Avoid writing to hidden files/directories. Use explicit, documented paths.',
+};
+function truncate(str, max) {
+    if (str.length <= max)
+        return str;
+    return str.slice(0, max - 3) + '...';
+}
+function trustFindingToMcp(f) {
+    const meta = f.meta;
+    return {
+        kind: 'MALICIOUS_INSTALL_SCRIPT',
+        severity: f.severity === 'info' ? 'low' : f.severity,
+        location: {
+            file: f.location?.file ?? 'package.json',
+            span: [f.location?.line ?? 1, f.location?.line ?? 1],
+        },
+        evidence: {
+            rule_id: f.ruleId,
+            script_name: meta.scriptName ?? 'unknown',
+            script_content: truncate(meta.scriptContent ?? '', MAX_SNIPPET_LENGTH),
+            pattern_matched: f.ruleId,
+        },
+        suggested_action: SUGGESTED_ACTIONS[f.ruleId] ?? 'Review this install script for security risks.',
+    };
+}
+export function registerFindInstallScriptRisk(server) {
+    server.registerTool('find_install_script_risk', {
+        title: 'Find Install Script Risk',
+        description: 'Analyze npm package.json lifecycle scripts (preinstall, install, postinstall, prepare) ' +
+            'for suspicious patterns: piped downloads, eval/exec, base64 decoding, env exfiltration, ' +
+            'network downloads, hidden file writes. npm lifecycle scripts only.',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, severity_floor }) => {
+        const result = await maliciousInstallScriptPass(code_root, {});
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filtered = result.findings.filter((f) => SEVERITY_ORDER[f.severity] >= floorValue);
+        const truncated = filtered.length > MAX_FINDINGS;
+        const findings = filtered.slice(0, MAX_FINDINGS).map(trustFindingToMcp);
+        const output = {
+            findings,
+            summary: {
+                total: filtered.length,
+                by_severity: {
+                    critical: filtered.filter((f) => f.severity === 'critical').length,
+                    high: filtered.filter((f) => f.severity === 'high').length,
+                    medium: filtered.filter((f) => f.severity === 'medium').length,
+                    low: filtered.filter((f) => f.severity === 'low').length,
+                },
+                truncated,
+            },
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(output) }],
+            structuredContent: output,
+        };
+    });
+}
+//# sourceMappingURL=find-install-script-risk.js.map

package/dist/tools/find-install-script-risk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-install-script-risk.js","sourceRoot":"","sources":["../../src/tools/find-install-script-risk.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,0BAA0B,EAAyC,MAAM,cAAc,CAAC;AAEjG,MAAM,YAAY,GAAG,GAAG,CAAC;AACzB,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAI/B,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;CACtJ,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC;QAC3C,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SACxC,CAAC;QACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;YACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;YAC1B,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;SAC5B,CAAC;QACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;KAC7B,CAAC,CAAC;IACH,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;CACH,CAAC;AAeF,MAAM,iBAAiB,GAA2B;IAChD,+BAA+B,EAAE,8GAA8G;IAC/I,0BAA0B,EAAE,kFAAkF;IAC9G,8BAA8B,EAAE,8EAA8E;IAC9G,0BAA0B,EAAE,iGAAiG;IAC7H,iCAAiC,EAAE,0FAA0F;IAC7H,kCAAkC,EAAE,4EAA4E;CACjH,CAAC;AAEF,SAAS,QAAQ,CAAC,GAAW,EAAE,GAAW;IACxC,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC;IAClC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAe;IACxC,MAAM,IAAI,GAAG,CAAC,CAAC,IAA+B,CAAC;IAE/C,OAAO;QACL,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAkD;QAC9F,QAAQ,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,cAAc;YACxC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;SACrD;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,WAAW,EAAG,IAAI,CAAC,UAAqB,IAAI,SAAS;YACrD,cAAc,EAAE,QAAQ,CAAE,IAAI,CAAC,aAAwB,IAAI,EAAE,EAAE,kBAAkB,CAAC;YAClF,eAAe,EAAE,CAAC,CAAC,MAAM;SAC1B;QACD,gBAAgB,EAAE,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,gDAAgD;KAClG,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,MAAiB;IAC7D,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,yFAAyF;YACzF,0FAA0F;YAC1F,oEAAoE;QACtE,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,MAAM,0BAA0B,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjE,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAC;QACjD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAExE,MAAM,MAAM,GAAG;YACb,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,MAAM;gBACtB,WAAW,EAAE;oBACX,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBAClE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC1D,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBAC9D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBACzD;gBACD,SAAS;aACV;SACF,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/find-stale-dependencies.d.ts

@@ -0,0 +1,14 @@
+/**
+ * find_stale_dependencies MCP tool (Pillar I, Batch 2).
+ *
+ * Checks npm dependencies for:
+ * 1. Staleness: last publish date via npm registry
+ * 2. Known vulnerabilities: via OSV (Open Source Vulnerabilities) API
+ *
+ * npm package.json only (pypi/cargo/go deferred).
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerFindStaleDependencies(server: McpServer): void;
+//# sourceMappingURL=find-stale-dependencies.d.ts.map

package/dist/tools/find-stale-dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-stale-dependencies.d.ts","sourceRoot":"","sources":["../../src/tools/find-stale-dependencies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAoJzE,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA+DrE"}

package/dist/tools/find-stale-dependencies.js

@@ -0,0 +1,177 @@
+/**
+ * find_stale_dependencies MCP tool (Pillar I, Batch 2).
+ *
+ * Checks npm dependencies for:
+ * 1. Staleness: last publish date via npm registry
+ * 2. Known vulnerabilities: via OSV (Open Source Vulnerabilities) API
+ *
+ * npm package.json only (pypi/cargo/go deferred).
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import { z } from 'zod';
+import { dependencyStalenessPass } from 'circle-ir-ai';
+const MAX_FINDINGS = 500;
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    include_dev_deps: z.boolean().optional().default(false).describe('Include devDependencies (default: false)'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+    check_vulnerabilities: z.boolean().optional().default(true).describe('Check for known vulnerabilities via OSV database (default: true)'),
+};
+const outputSchema = {
+    findings: z.array(z.object({
+        kind: z.enum(['STALE_DEPENDENCY', 'VULNERABLE_DEPENDENCY']),
+        severity: z.enum(['low', 'medium', 'high', 'critical']),
+        location: z.object({
+            file: z.string(),
+            span: z.tuple([z.number(), z.number()]),
+        }),
+        evidence: z.object({
+            rule_id: z.string(),
+            dependency: z.string(),
+            current_version: z.string(),
+            latest_version: z.string().nullable(),
+            finding_type: z.enum(['staleness', 'maintainer', 'vulnerability']),
+            // Staleness fields
+            days_since_publish: z.number().optional(),
+            last_publish_date: z.string().optional(),
+            // Vulnerability fields
+            vuln_id: z.string().optional(),
+            cve: z.string().optional(),
+            cvss: z.number().optional(),
+            summary: z.string().optional(),
+        }),
+        suggested_action: z.string(),
+    })),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        by_finding_type: z.object({
+            staleness: z.number(),
+            maintainer: z.number(),
+            vulnerability: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+};
+function trustFindingToMcp(f) {
+    const meta = f.meta;
+    const findingType = meta.findingType ?? 'staleness';
+    const days = meta.daysSincePublish ?? 0;
+    let action = 'Consider updating to the latest version.';
+    let kind = 'STALE_DEPENDENCY';
+    if (findingType === 'vulnerability') {
+        kind = 'VULNERABLE_DEPENDENCY';
+        const cve = meta.cve;
+        const vulnId = meta.vulnId;
+        const cvss = meta.cvss;
+        if (cvss && cvss >= 9.0) {
+            action = `CRITICAL vulnerability ${cve ?? vulnId}. Upgrade immediately or remove this dependency.`;
+        }
+        else if (cvss && cvss >= 7.0) {
+            action = `HIGH severity vulnerability ${cve ?? vulnId}. Upgrade to a patched version as soon as possible.`;
+        }
+        else {
+            action = `Known vulnerability ${cve ?? vulnId}. Upgrade to a patched version when available.`;
+        }
+    }
+    else if (findingType === 'maintainer') {
+        action = 'This package has zero maintainers on npm. High risk of abandonment - find an alternative.';
+    }
+    else if (days > 1095) {
+        action = 'This package has not been updated in over 3 years. Evaluate if it is still maintained or find an alternative.';
+    }
+    else if (days > 730) {
+        action = 'This package has not been updated in over 2 years. Check for security advisories and consider alternatives.';
+    }
+    else if (days > 365) {
+        action = 'This package has not been updated in over 1 year. Monitor for updates.';
+    }
+    return {
+        kind,
+        severity: f.severity === 'info' ? 'low' : f.severity,
+        location: {
+            file: f.location?.file ?? 'package.json',
+            span: [f.location?.line ?? 1, f.location?.line ?? 1],
+        },
+        evidence: {
+            rule_id: f.ruleId,
+            dependency: meta.dependency ?? 'unknown',
+            current_version: meta.currentVersion ?? 'unknown',
+            latest_version: meta.latestVersion ?? null,
+            finding_type: findingType,
+            // Staleness fields (only for staleness findings)
+            ...(findingType === 'staleness' && {
+                days_since_publish: meta.daysSincePublish ?? 0,
+                last_publish_date: meta.lastPublishDate ?? '',
+            }),
+            // Vulnerability fields (only for vulnerability findings)
+            ...(findingType === 'vulnerability' && {
+                vuln_id: meta.vulnId,
+                cve: meta.cve,
+                cvss: meta.cvss,
+                summary: meta.summary,
+            }),
+        },
+        suggested_action: action,
+    };
+}
+export function registerFindStaleDependencies(server) {
+    server.registerTool('find_stale_dependencies', {
+        title: 'Find Stale Dependencies',
+        description: 'Check npm dependencies for staleness and known vulnerabilities. ' +
+            'Staleness: flags packages not updated in >1 year (low), >2 years (medium), >3 years (high). ' +
+            'Vulnerabilities: queries OSV database for CVEs affecting your exact versions. ' +
+            'Also flags packages with zero maintainers. npm package.json only.',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, include_dev_deps, severity_floor, check_vulnerabilities }) => {
+        const result = await dependencyStalenessPass(code_root, {
+            includeDevDeps: include_dev_deps,
+            checkVulnerabilities: check_vulnerabilities,
+        });
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filtered = result.findings.filter((f) => SEVERITY_ORDER[f.severity] >= floorValue);
+        const truncated = filtered.length > MAX_FINDINGS;
+        const findings = filtered.slice(0, MAX_FINDINGS).map(trustFindingToMcp);
+        // Count by finding type
+        const stalenessCount = filtered.filter((f) => f.meta?.findingType === 'staleness').length;
+        const maintainerCount = filtered.filter((f) => f.meta?.findingType === 'maintainer').length;
+        const vulnerabilityCount = filtered.filter((f) => f.meta?.findingType === 'vulnerability').length;
+        const output = {
+            findings,
+            summary: {
+                total: filtered.length,
+                by_severity: {
+                    critical: filtered.filter((f) => f.severity === 'critical').length,
+                    high: filtered.filter((f) => f.severity === 'high').length,
+                    medium: filtered.filter((f) => f.severity === 'medium').length,
+                    low: filtered.filter((f) => f.severity === 'low').length,
+                },
+                by_finding_type: {
+                    staleness: stalenessCount,
+                    maintainer: maintainerCount,
+                    vulnerability: vulnerabilityCount,
+                },
+                truncated,
+            },
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(output) }],
+            structuredContent: output,
+        };
+    });
+}
+//# sourceMappingURL=find-stale-dependencies.js.map

package/dist/tools/find-stale-dependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-stale-dependencies.js","sourceRoot":"","sources":["../../src/tools/find-stale-dependencies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,uBAAuB,EAAyC,MAAM,cAAc,CAAC;AAE9F,MAAM,YAAY,GAAG,GAAG,CAAC;AAIzB,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,0CAA0C,CAAC;IAC5G,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IACrJ,qBAAqB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,kEAAkE,CAAC;CACzI,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,kBAAkB,EAAE,uBAAuB,CAAC,CAAC;QAC3D,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACvD,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SACxC,CAAC;QACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;YACtB,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;YAClE,mBAAmB;YACnB,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACzC,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACxC,uBAAuB;YACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC9B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SAC/B,CAAC;QACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;KAC7B,CAAC,CAAC;IACH,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC;YACxB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;YACrB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;YACtB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;SAC1B,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;CACH,CAAC;AA0BF,SAAS,iBAAiB,CAAC,CAAe;IACxC,MAAM,IAAI,GAAG,CAAC,CAAC,IAA+B,CAAC;IAC/C,MAAM,WAAW,GAAI,IAAI,CAAC,WAA2B,IAAI,WAAW,CAAC;IACrE,MAAM,IAAI,GAAI,IAAI,CAAC,gBAA2B,IAAI,CAAC,CAAC;IAEpD,IAAI,MAAM,GAAG,0CAA0C,CAAC;IACxD,IAAI,IAAI,GAAiD,kBAAkB,CAAC;IAE5E,IAAI,WAAW,KAAK,eAAe,EAAE,CAAC;QACpC,IAAI,GAAG,uBAAuB,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAyB,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,MAA4B,CAAC;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAA0B,CAAC;QAC7C,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;YACxB,MAAM,GAAG,0BAA0B,GAAG,IAAI,MAAM,kDAAkD,CAAC;QACrG,CAAC;aAAM,IAAI,IAAI,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;YAC/B,MAAM,GAAG,+BAA+B,GAAG,IAAI,MAAM,qDAAqD,CAAC;QAC7G,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,uBAAuB,GAAG,IAAI,MAAM,gDAAgD,CAAC;QAChG,CAAC;IACH,CAAC;SAAM,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;QACxC,MAAM,GAAG,2FAA2F,CAAC;IACvG,CAAC;SAAM,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,+GAA+G,CAAC;IAC3H,CAAC;SAAM,IAAI,IAAI,GAAG,GAAG,EAAE,CAAC;QACtB,MAAM,GAAG,6GAA6G,CAAC;IACzH,CAAC;SAAM,IAAI,IAAI,GAAG,GAAG,EAAE,CAAC;QACtB,MAAM,GAAG,wEAAwE,CAAC;IACpF,CAAC;IAED,OAAO;QACL,IAAI;QACJ,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAkD;QAC9F,QAAQ,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,cAAc;YACxC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;SACrD;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,SAAS;YACpD,eAAe,EAAG,IAAI,CAAC,cAAyB,IAAI,SAAS;YAC7D,cAAc,EAAG,IAAI,CAAC,aAAwB,IAAI,IAAI;YACtD,YAAY,EAAE,WAAW;YACzB,iDAAiD;YACjD,GAAG,CAAC,WAAW,KAAK,WAAW,IAAI;gBACjC,kBAAkB,EAAG,IAAI,CAAC,gBAA2B,IAAI,CAAC;gBAC1D,iBAAiB,EAAG,IAAI,CAAC,eAA0B,IAAI,EAAE;aAC1D,CAAC;YACF,yDAAyD;YACzD,GAAG,CAAC,WAAW,KAAK,eAAe,IAAI;gBACrC,OAAO,EAAE,IAAI,CAAC,MAA4B;gBAC1C,GAAG,EAAE,IAAI,CAAC,GAAyB;gBACnC,IAAI,EAAE,IAAI,CAAC,IAA0B;gBACrC,OAAO,EAAE,IAAI,CAAC,OAA6B;aAC5C,CAAC;SACH;QACD,gBAAgB,EAAE,MAAM;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,MAAiB;IAC7D,MAAM,CAAC,YAAY,CACjB,yBAAyB,EACzB;QACE,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,kEAAkE;YAClE,8FAA8F;YAC9F,gFAAgF;YAChF,mEAAmE;QACrE,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,gBAAgB,EAAE,cAAc,EAAE,qBAAqB,EAAE,EAAE,EAAE;QAC/E,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE;YACtD,cAAc,EAAE,gBAAgB;YAChC,oBAAoB,EAAE,qBAAqB;SAC5C,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjE,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAC;QACjD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAExE,wBAAwB;QACxB,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CACpC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,IAAgC,EAAE,WAAW,KAAK,WAAW,CACxE,CAAC,MAAM,CAAC;QACT,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,IAAgC,EAAE,WAAW,KAAK,YAAY,CACzE,CAAC,MAAM,CAAC;QACT,MAAM,kBAAkB,GAAG,QAAQ,CAAC,MAAM,CACxC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,IAAgC,EAAE,WAAW,KAAK,eAAe,CAC5E,CAAC,MAAM,CAAC;QAET,MAAM,MAAM,GAAG;YACb,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,MAAM;gBACtB,WAAW,EAAE;oBACX,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBAClE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC1D,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBAC9D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBACzD;gBACD,eAAe,EAAE;oBACf,SAAS,EAAE,cAAc;oBACzB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,kBAAkB;iBAClC;gBACD,SAAS;aACV;SACF,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/find-typosquats.d.ts

@@ -0,0 +1,11 @@
+/**
+ * find_typosquats MCP tool (Pillar I, Batch 2).
+ *
+ * Detects potential typosquat packages by comparing dependency names
+ * against popular npm packages using Levenshtein distance.
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerFindTyposquats(server: McpServer): void;
+//# sourceMappingURL=find-typosquats.d.ts.map

package/dist/tools/find-typosquats.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-typosquats.d.ts","sourceRoot":"","sources":["../../src/tools/find-typosquats.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAgHzE,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA2D9D"}

package/dist/tools/find-typosquats.js

@@ -0,0 +1,141 @@
+/**
+ * find_typosquats MCP tool (Pillar I, Batch 2).
+ *
+ * Detects potential typosquat packages by comparing dependency names
+ * against popular npm packages using Levenshtein distance.
+ *
+ * @see https://github.com/cogniumhq/cognium-ai/issues/80
+ */
+import { z } from 'zod';
+import { typosquatDetectionPass } from 'circle-ir-ai';
+const MAX_FINDINGS = 500;
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+const inputSchema = {
+    code_root: z.string().describe('Absolute path to the code root to scan'),
+    include_dev_deps: z.boolean().optional().default(false).describe('Include devDependencies (default: false)'),
+    severity_floor: z.enum(['info', 'low', 'medium', 'high', 'critical']).optional().default('low').describe('Minimum severity to report (default: low)'),
+    check_homoglyphs: z.boolean().optional().default(true).describe('Detect homoglyph attacks like "rn" vs "m" (default: true)'),
+    check_popularity: z.boolean().optional().default(false).describe('Query npm for download counts (slower, default: false)'),
+};
+const outputSchema = {
+    findings: z.array(z.object({
+        kind: z.literal('TYPOSQUAT_RISK'),
+        severity: z.enum(['medium', 'high']),
+        location: z.object({
+            file: z.string(),
+            span: z.tuple([z.number(), z.number()]),
+        }),
+        evidence: z.object({
+            rule_id: z.string(),
+            dependency: z.string(),
+            similar_to: z.string(),
+            detection_method: z.enum(['levenshtein', 'homoglyph']),
+            distance: z.number().optional(),
+            homoglyph: z.string().optional(),
+            target_downloads: z.number().optional(),
+        }),
+        suggested_action: z.string(),
+    })),
+    summary: z.object({
+        total: z.number(),
+        by_severity: z.object({
+            critical: z.number(),
+            high: z.number(),
+            medium: z.number(),
+            low: z.number(),
+        }),
+        by_detection_method: z.object({
+            levenshtein: z.number(),
+            homoglyph: z.number(),
+        }),
+        truncated: z.boolean(),
+    }),
+};
+function trustFindingToMcp(f) {
+    const meta = f.meta;
+    const dependency = meta.dependency ?? 'unknown';
+    const similarTo = meta.similarTo ?? 'unknown';
+    const detectionMethod = meta.detectionMethod ?? 'levenshtein';
+    const distance = meta.distance;
+    const homoglyph = meta.homoglyph;
+    const targetDownloads = meta.targetDownloads;
+    let action;
+    if (detectionMethod === 'homoglyph') {
+        action = `"${dependency}" uses visual deception (${homoglyph}) to mimic "${similarTo}". This is a high-confidence typosquat attack. Remove immediately.`;
+    }
+    else if (distance === 1) {
+        action = `"${dependency}" is 1 character away from "${similarTo}". Verify this is intentional and not a typosquat attack.`;
+    }
+    else {
+        action = `"${dependency}" is similar to "${similarTo}". Verify this is the intended package.`;
+    }
+    return {
+        kind: 'TYPOSQUAT_RISK',
+        severity: f.severity === 'high' ? 'high' : 'medium',
+        location: {
+            file: f.location?.file ?? 'package.json',
+            span: [f.location?.line ?? 1, f.location?.line ?? 1],
+        },
+        evidence: {
+            rule_id: f.ruleId,
+            dependency,
+            similar_to: similarTo,
+            detection_method: detectionMethod,
+            ...(distance !== undefined && { distance }),
+            ...(homoglyph && { homoglyph }),
+            ...(targetDownloads !== undefined && { target_downloads: targetDownloads }),
+        },
+        suggested_action: action,
+    };
+}
+export function registerFindTyposquats(server) {
+    server.registerTool('find_typosquats', {
+        title: 'Find Typosquats',
+        description: 'Detect potential typosquat packages using Levenshtein distance and homoglyph detection. ' +
+            'Homoglyph attacks use visual deception (e.g., "rn" looks like "m", "1" looks like "l"). ' +
+            'Protects against attacks like "lodahs" (typo) or "rnaterial-ui" (homoglyph for "material-ui").',
+        inputSchema,
+        outputSchema,
+    }, async ({ code_root, include_dev_deps, severity_floor, check_homoglyphs, check_popularity }) => {
+        const result = await typosquatDetectionPass(code_root, {
+            includeDevDeps: include_dev_deps,
+            checkHomoglyphs: check_homoglyphs,
+            checkPopularity: check_popularity,
+        });
+        const floorValue = SEVERITY_ORDER[severity_floor ?? 'low'];
+        const filtered = result.findings.filter((f) => SEVERITY_ORDER[f.severity] >= floorValue);
+        const truncated = filtered.length > MAX_FINDINGS;
+        const findings = filtered.slice(0, MAX_FINDINGS).map(trustFindingToMcp);
+        // Count by detection method
+        const levenshteinCount = filtered.filter((f) => f.meta?.detectionMethod === 'levenshtein').length;
+        const homoglyphCount = filtered.filter((f) => f.meta?.detectionMethod === 'homoglyph').length;
+        const output = {
+            findings,
+            summary: {
+                total: filtered.length,
+                by_severity: {
+                    critical: filtered.filter((f) => f.severity === 'critical').length,
+                    high: filtered.filter((f) => f.severity === 'high').length,
+                    medium: filtered.filter((f) => f.severity === 'medium').length,
+                    low: filtered.filter((f) => f.severity === 'low').length,
+                },
+                by_detection_method: {
+                    levenshtein: levenshteinCount,
+                    homoglyph: homoglyphCount,
+                },
+                truncated,
+            },
+        };
+        return {
+            content: [{ type: 'text', text: JSON.stringify(output) }],
+            structuredContent: output,
+        };
+    });
+}
+//# sourceMappingURL=find-typosquats.js.map

package/dist/tools/find-typosquats.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-typosquats.js","sourceRoot":"","sources":["../../src/tools/find-typosquats.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,sBAAsB,EAAyC,MAAM,cAAc,CAAC;AAE7F,MAAM,YAAY,GAAG,GAAG,CAAC;AAIzB,MAAM,cAAc,GAAkC;IACpD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,MAAM,WAAW,GAAG;IAClB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IACxE,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,0CAA0C,CAAC;IAC5G,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IACrJ,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,2DAA2D,CAAC;IAC5H,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,wDAAwD,CAAC;CAC3H,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;QACjC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;SACxC,CAAC;QACF,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;YACtB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;YACtB,gBAAgB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;YACtD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC/B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAChC,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACxC,CAAC;QACF,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;KAC7B,CAAC,CAAC;IACH,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;SAChB,CAAC;QACF,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC;YAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;YACvB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;SACtB,CAAC;QACF,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;KACvB,CAAC;CACH,CAAC;AAkBF,SAAS,iBAAiB,CAAC,CAAe;IACxC,MAAM,IAAI,GAAG,CAAC,CAAC,IAA+B,CAAC;IAC/C,MAAM,UAAU,GAAI,IAAI,CAAC,UAAqB,IAAI,SAAS,CAAC;IAC5D,MAAM,SAAS,GAAI,IAAI,CAAC,SAAoB,IAAI,SAAS,CAAC;IAC1D,MAAM,eAAe,GAAI,IAAI,CAAC,eAA+C,IAAI,aAAa,CAAC;IAC/F,MAAM,QAAQ,GAAG,IAAI,CAAC,QAA8B,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAA+B,CAAC;IACvD,MAAM,eAAe,GAAG,IAAI,CAAC,eAAqC,CAAC;IAEnE,IAAI,MAAc,CAAC;IACnB,IAAI,eAAe,KAAK,WAAW,EAAE,CAAC;QACpC,MAAM,GAAG,IAAI,UAAU,4BAA4B,SAAS,eAAe,SAAS,oEAAoE,CAAC;IAC3J,CAAC;SAAM,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,GAAG,IAAI,UAAU,+BAA+B,SAAS,2DAA2D,CAAC;IAC7H,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,IAAI,UAAU,oBAAoB,SAAS,yCAAyC,CAAC;IAChG,CAAC;IAED,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;QACnD,QAAQ,EAAE;YACR,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,cAAc;YACxC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,IAAI,CAAC,CAAC;SACrD;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,CAAC,CAAC,MAAM;YACjB,UAAU;YACV,UAAU,EAAE,SAAS;YACrB,gBAAgB,EAAE,eAAe;YACjC,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;YAC3C,GAAG,CAAC,SAAS,IAAI,EAAE,SAAS,EAAE,CAAC;YAC/B,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;SAC5E;QACD,gBAAgB,EAAE,MAAM;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAiB;IACtD,MAAM,CAAC,YAAY,CACjB,iBAAiB,EACjB;QACE,KAAK,EAAE,iBAAiB;QACxB,WAAW,EACT,0FAA0F;YAC1F,0FAA0F;YAC1F,gGAAgG;QAClG,WAAW;QACX,YAAY;KACb,EACD,KAAK,EAAE,EAAE,SAAS,EAAE,gBAAgB,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,EAAE,EAAE;QAC5F,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE;YACrD,cAAc,EAAE,gBAAgB;YAChC,eAAe,EAAE,gBAAgB;YACjC,eAAe,EAAE,gBAAgB;SAClC,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAyB,CAAC,IAAI,UAAU,CACjE,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAC;QACjD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAExE,4BAA4B;QAC5B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,IAAgC,EAAE,eAAe,KAAK,aAAa,CAC9E,CAAC,MAAM,CAAC;QACT,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CACpC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,IAAgC,EAAE,eAAe,KAAK,WAAW,CAC5E,CAAC,MAAM,CAAC;QAET,MAAM,MAAM,GAAG;YACb,QAAQ;YACR,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,MAAM;gBACtB,WAAW,EAAE;oBACX,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;oBAClE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC1D,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;oBAC9D,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;iBACzD;gBACD,mBAAmB,EAAE;oBACnB,WAAW,EAAE,gBAAgB;oBAC7B,SAAS,EAAE,cAAc;iBAC1B;gBACD,SAAS;aACV;SACF,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,iBAAiB,EAAE,MAA4C;SAChE,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cognium-ai/mcp-server",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "description": "MCP server exposing Cognium spec-conformance, spec-drift, and pattern-search tools over stdio",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -46,7 +46,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "circle-ir": "^3.23.3",
-    "circle-ir-ai": "^2.8.0",
+    "circle-ir-ai": "^2.8.3",
     "minimatch": "^10.2.5",
     "zod": "^3.25.0"
   },