@getdebug/mcp 0.2.0

package/README.md

@@ -0,0 +1,95 @@
+# @getdebug/mcp
+
+Model Context Protocol server for [getdebug](https://www.getdebug.dev). Lets Claude, Cursor, and any MCP-compatible AI client read your projects, findings, and proposed fixes through the same bearer token `getdebug login` already creates.
+
+## Tools (v0.2)
+
+- **`list_projects`** — projects in your active org, with last-run status + finding counts.
+- **`list_findings`** — findings for a project, filterable by severity, with id / file / line / CWE / OWASP.
+- **`get_finding`** — full details of one finding: explanation, snippet, CWE/OWASP refs, and the proposed-fix diff when one exists.
+- **`list_fixes`** — proposed/applied fixes (optionally scoped to a project or status), with finding link + PR URL.
+- **`start_scan`** — enqueue a fresh hosted analyze run on a project. Findings appear in ~1-2 min; re-call `list_findings` to fetch.
+
+`apply_fix` lands in a future release. Today: when `get_finding` shows a proposed-fix diff, applying it still happens via the PR review flow on the dashboard.
+
+## Auth
+
+The server reads `~/.getdebug/config.json`, the same file `getdebug login` writes. You must:
+
+1. Install the CLI: `npm i -g @getdebug/cli`
+2. Run `getdebug login` once.
+3. The config file must be `chmod 600` — the server refuses to load with looser perms, matching the CLI.
+
+No new credentials, no extra OAuth, no `MCP_TOKEN` env var to manage.
+
+## Setup — Claude Desktop
+
+Add this to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or the equivalent on your OS:
+
+```json
+{
+  "mcpServers": {
+    "getdebug": {
+      "command": "npx",
+      "args": ["-y", "@getdebug/mcp"]
+    }
+  }
+}
+```
+
+Restart Claude Desktop. The three tools appear under the 🔧 menu in any chat.
+
+## Setup — Cursor
+
+Cursor's MCP config lives at `~/.cursor/mcp.json` (or per-workspace at `.cursor/mcp.json`):
+
+```json
+{
+  "mcpServers": {
+    "getdebug": {
+      "command": "npx",
+      "args": ["-y", "@getdebug/mcp"]
+    }
+  }
+}
+```
+
+## Setup — any other MCP client
+
+Transport is stdio. Spawn `getdebug-mcp` (or `npx @getdebug/mcp`); the server speaks MCP over the child's stdin/stdout. Stderr is for logs only.
+
+## Local development
+
+```bash
+pnpm install --filter @getdebug/mcp...
+cd mcp
+pnpm dev        # tsx, hot-reload
+pnpm typecheck
+pnpm build && node dist/index.js
+```
+
+Override the API base for staging or local dev:
+
+```bash
+GETDEBUG_API_URL=http://localhost:3001 node dist/index.js
+```
+
+(The CLI honors the same env var — see `cli/internal/cmd/login.go`.)
+
+## What the agent will see
+
+Example: an agent asks *"any high-severity findings in my debug project?"* The tool flow:
+
+1. `list_projects` → picks the project id matching "debug".
+2. `list_findings({projectId, severity: "high", limit: 25})` → returns a list of HIGH findings with file paths + line numbers.
+3. `get_finding({findingId})` for any the agent wants to drill into → returns explanation + snippet + proposed-fix diff.
+
+The agent can now reference *your actual security findings* by file and line while answering questions or writing code — without you copying anything in.
+
+## Privacy
+
+This server is a thin client. It never touches your source files directly; it only reads what's already in your getdebug org via the same API the CLI and dashboard use. Run `getdebug login --logout` (or just delete `~/.getdebug/config.json`) to revoke access.
+
+## License
+
+MIT.

package/dist/api.js

@@ -0,0 +1,66 @@
+// Thin fetch wrapper. Matches the api's `{ok,data} | {ok:false,error}`
+// envelope (see CLAUDE.md "Errors are values"). The MCP tools surface
+// the error message back to the agent verbatim so the user sees the
+// real failure mode (not-signed-in, 404, etc) instead of a generic
+// "tool failed" string.
+export async function apiFetch(auth, path, init) {
+    const url = `${auth.apiBase}${path}`;
+    let res;
+    try {
+        res = await fetch(url, {
+            ...init,
+            headers: {
+                Authorization: `Bearer ${auth.token}`,
+                Accept: "application/json",
+                ...(init?.body ? { "Content-Type": "application/json" } : {}),
+                ...init?.headers,
+            },
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: {
+                code: "network_error",
+                message: err instanceof Error ? err.message : String(err),
+            },
+        };
+    }
+    if (res.status === 401) {
+        return {
+            ok: false,
+            error: {
+                code: "unauthorized",
+                message: "Token rejected. Run `getdebug login` again to mint a fresh one.",
+            },
+        };
+    }
+    const text = await res.text();
+    let parsed;
+    try {
+        parsed = text ? JSON.parse(text) : null;
+    }
+    catch {
+        return {
+            ok: false,
+            error: {
+                code: "malformed_response",
+                message: `${res.status} ${res.statusText}: non-JSON response`,
+            },
+        };
+    }
+    if (parsed &&
+        typeof parsed === "object" &&
+        "ok" in parsed &&
+        typeof parsed.ok === "boolean") {
+        return parsed;
+    }
+    return {
+        ok: false,
+        error: {
+            code: "unexpected_shape",
+            message: `${res.status}: response did not match {ok,data}|{ok,error} envelope`,
+        },
+    };
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAYA,uEAAuE;AACvE,sEAAsE;AACtE,oEAAoE;AACpE,mEAAmE;AACnE,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,IAAkB,EAClB,IAAY,EACZ,IAAkB;IAElB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;IACrC,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YACrB,GAAG,IAAI;YACP,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;gBACrC,MAAM,EAAE,kBAAkB;gBAC1B,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7D,GAAG,IAAI,EAAE,OAAO;aACjB;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,iEAAiE;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,qBAAqB;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,IACE,MAAM;QACN,OAAO,MAAM,KAAK,QAAQ;QAC1B,IAAI,IAAI,MAAM;QACd,OAAQ,MAA0B,CAAC,EAAE,KAAK,SAAS,EACnD,CAAC;QACD,OAAO,MAAsB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,EAAE,EAAE,KAAK;QACT,KAAK,EAAE;YACL,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,wDAAwD;SAC/E;KACF,CAAC;AACJ,CAAC"}

package/dist/auth.js

@@ -0,0 +1,63 @@
+import { readFileSync, statSync } from "node:fs";
+import { homedir, platform } from "node:os";
+import { join } from "node:path";
+const CONFIG_RELATIVE = ".getdebug/config.json";
+const DEFAULT_API_BASE = "https://api.getdebug.dev";
+export class AuthError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = "AuthError";
+    }
+}
+// Read ~/.getdebug/config.json. Mirrors cli/internal/config/config.go:
+//   - Token + apiBaseUrl + userEmail JSON shape
+//   - On Unix, refuses to load if the file isn't 0600 (matches Go's
+//     ErrInsecurePerms — the token is a long-lived bearer credential)
+//   - Returns an AuthError the caller can surface verbatim to the user
+export function loadAuth() {
+    const path = join(homedir(), CONFIG_RELATIVE);
+    let raw;
+    try {
+        if (platform() !== "win32") {
+            const st = statSync(path);
+            const mode = st.mode & 0o777;
+            if ((mode & 0o077) !== 0) {
+                throw new AuthError(`~/.getdebug/config.json has insecure permissions (${mode.toString(8)}). Run \`chmod 600 ~/.getdebug/config.json\` and retry.`, "insecure_perms");
+            }
+        }
+        raw = readFileSync(path, "utf8");
+    }
+    catch (err) {
+        if (err instanceof AuthError)
+            throw err;
+        if (err &&
+            typeof err === "object" &&
+            "code" in err &&
+            err.code === "ENOENT") {
+            throw new AuthError("Not signed in. Run `getdebug login` first — see https://www.getdebug.dev/docs.", "no_config");
+        }
+        throw err;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new AuthError("~/.getdebug/config.json is not valid JSON. Delete it and run `getdebug login` again.", "malformed_config");
+    }
+    const token = typeof parsed.token === "string" ? parsed.token : "";
+    if (!token) {
+        throw new AuthError("~/.getdebug/config.json has no token. Run `getdebug login` again.", "no_token");
+    }
+    const apiBase = typeof parsed.apiBaseUrl === "string" && parsed.apiBaseUrl
+        ? parsed.apiBaseUrl
+        : (process.env.GETDEBUG_API_URL ?? DEFAULT_API_BASE);
+    return {
+        apiBase: apiBase.replace(/\/+$/, ""),
+        token,
+        userEmail: typeof parsed.userEmail === "string" ? parsed.userEmail : undefined,
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,eAAe,GAAG,uBAAuB,CAAC;AAChD,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAQpD,MAAM,OAAO,SAAU,SAAQ,KAAK;IAGhB;IAFlB,YACE,OAAe,EACC,IAIF;QAEd,KAAK,CAAC,OAAO,CAAC,CAAC;QANC,SAAI,GAAJ,IAAI,CAIN;QAGd,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED,uEAAuE;AACvE,gDAAgD;AAChD,oEAAoE;AACpE,sEAAsE;AACtE,uEAAuE;AACvE,MAAM,UAAU,QAAQ;IACtB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;IAE9C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,IAAI,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC1B,MAAM,IAAI,GAAG,EAAE,CAAC,IAAI,GAAG,KAAK,CAAC;YAC7B,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,SAAS,CACjB,qDAAqD,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,yDAAyD,EAC9H,gBAAgB,CACjB,CAAC;YACJ,CAAC;QACH,CAAC;QACD,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS;YAAE,MAAM,GAAG,CAAC;QACxC,IACE,GAAG;YACH,OAAO,GAAG,KAAK,QAAQ;YACvB,MAAM,IAAI,GAAG;YACZ,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAChD,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,gFAAgF,EAChF,WAAW,CACZ,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,MAAsE,CAAC;IAC3E,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,SAAS,CACjB,sFAAsF,EACtF,kBAAkB,CACnB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,SAAS,CACjB,mEAAmE,EACnE,UAAU,CACX,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GACX,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU;QACxD,CAAC,CAAC,MAAM,CAAC,UAAU;QACnB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,CAAC;IAEzD,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACpC,KAAK;QACL,SAAS,EAAE,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;KAC/E,CAAC;AACJ,CAAC"}

package/dist/index.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+// getdebug MCP server. Exposes a small set of tools so Claude, Cursor,
+// or any MCP-compatible client can read getdebug projects, findings,
+// and fix proposals over the authenticated bearer token stored at
+// ~/.getdebug/config.json by `getdebug login`.
+//
+// Transport: stdio. The host process spawns this binary and talks JSON-RPC
+// over the child's stdin/stdout. Logs go to stderr only — anything written
+// to stdout that isn't a valid MCP message corrupts the protocol.
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { zodToJsonSchema } from "zod-to-json-schema";
+import { AuthError, loadAuth } from "./auth.js";
+import { listProjects } from "./tools/list-projects.js";
+import { ListFindingsInput, listFindings } from "./tools/list-findings.js";
+import { GetFindingInput, getFinding } from "./tools/get-finding.js";
+import { ListFixesInput, listFixes } from "./tools/list-fixes.js";
+import { StartScanInput, startScan } from "./tools/start-scan.js";
+const SERVER_NAME = "getdebug";
+const SERVER_VERSION = "0.2.0";
+const server = new Server({ name: SERVER_NAME, version: SERVER_VERSION }, { capabilities: { tools: {} } });
+const tools = [
+    {
+        name: "list_projects",
+        description: "List the projects connected to the user's active getdebug org. Returns project ids, names, last-run status, and finding counts.",
+        inputSchema: { type: "object", properties: {} },
+    },
+    {
+        name: "list_findings",
+        description: "List security findings for a given project. Supports severity + limit filters. Returns id, severity, category, file path + line, and whether a fix is available.",
+        inputSchema: zodToJsonSchema(ListFindingsInput),
+    },
+    {
+        name: "get_finding",
+        description: "Fetch the full details of a single finding by id, including explanation, code snippet, CWE/OWASP refs, and the proposed-fix diff if one exists.",
+        inputSchema: zodToJsonSchema(GetFindingInput),
+    },
+    {
+        name: "list_fixes",
+        description: "List proposed/applied fixes, optionally scoped to a project or filtered by status. Each fix links back to its finding and the open pull request URL (if one was created).",
+        inputSchema: zodToJsonSchema(ListFixesInput),
+    },
+    {
+        name: "start_scan",
+        description: "Enqueue a fresh hosted analyze run on the given project. Returns the run id; new findings appear within ~1-2 minutes (re-call list_findings to fetch them).",
+        inputSchema: zodToJsonSchema(StartScanInput),
+    },
+];
+server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools }));
+server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    try {
+        const auth = loadAuth();
+        const name = req.params.name;
+        const args = req.params.arguments ?? {};
+        if (name === "list_projects") {
+            const text = await listProjects(auth);
+            return { content: [{ type: "text", text }] };
+        }
+        if (name === "list_findings") {
+            const parsed = ListFindingsInput.parse(args);
+            const text = await listFindings(auth, parsed);
+            return { content: [{ type: "text", text }] };
+        }
+        if (name === "get_finding") {
+            const parsed = GetFindingInput.parse(args);
+            const text = await getFinding(auth, parsed);
+            return { content: [{ type: "text", text }] };
+        }
+        if (name === "list_fixes") {
+            const parsed = ListFixesInput.parse(args);
+            const text = await listFixes(auth, parsed);
+            return { content: [{ type: "text", text }] };
+        }
+        if (name === "start_scan") {
+            const parsed = StartScanInput.parse(args);
+            const text = await startScan(auth, parsed);
+            return { content: [{ type: "text", text }] };
+        }
+        return {
+            content: [{ type: "text", text: `Unknown tool: ${name}` }],
+            isError: true,
+        };
+    }
+    catch (err) {
+        if (err instanceof AuthError) {
+            return {
+                content: [{ type: "text", text: err.message }],
+                isError: true,
+            };
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            content: [{ type: "text", text: `Error: ${message}` }],
+            isError: true,
+        };
+    }
+});
+const transport = new StdioServerTransport();
+await server.connect(transport);
+// Stderr-only log; stdout is reserved for protocol messages.
+process.stderr.write(`${SERVER_NAME} mcp server v${SERVER_VERSION} ready\n`);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,uEAAuE;AACvE,qEAAqE;AACrE,kEAAkE;AAClE,+CAA+C;AAC/C,EAAE;AACF,2EAA2E;AAC3E,2EAA2E;AAC3E,kEAAkE;AAElE,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElE,MAAM,WAAW,GAAG,UAAU,CAAC;AAC/B,MAAM,cAAc,GAAG,OAAO,CAAC;AAE/B,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,EAAE,EAC9C,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;AAEF,MAAM,KAAK,GAAG;IACZ;QACE,IAAI,EAAE,eAAe;QACrB,WAAW,EACT,iIAAiI;QACnI,WAAW,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE;KAChD;IACD;QACE,IAAI,EAAE,eAAe;QACrB,WAAW,EACT,kKAAkK;QACpK,WAAW,EAAE,eAAe,CAAC,iBAAiB,CAAC;KAChD;IACD;QACE,IAAI,EAAE,aAAa;QACnB,WAAW,EACT,iJAAiJ;QACnJ,WAAW,EAAE,eAAe,CAAC,eAAe,CAAC;KAC9C;IACD;QACE,IAAI,EAAE,YAAY;QAClB,WAAW,EACT,2KAA2K;QAC7K,WAAW,EAAE,eAAe,CAAC,cAAc,CAAC;KAC7C;IACD;QACE,IAAI,EAAE,YAAY;QAClB,WAAW,EACT,6JAA6J;QAC/J,WAAW,EAAE,eAAe,CAAC,cAAc,CAAC;KAC7C;CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;AAE1E,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;IAC5D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;QAExC,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC5C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;YAC1D,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;YAC7B,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;gBAC9C,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QACD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,OAAO,EAAE,EAAE,CAAC;YACtD,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAChC,6DAA6D;AAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,WAAW,gBAAgB,cAAc,UAAU,CAAC,CAAC"}

package/dist/tools/get-finding.js

@@ -0,0 +1,37 @@
+import { z } from "zod";
+import { apiFetch } from "../api.js";
+export const GetFindingInput = z.object({
+    findingId: z.string().min(1).describe("Finding id (from list_findings)."),
+});
+export async function getFinding(auth, args) {
+    const res = await apiFetch(auth, `/v1/findings/${encodeURIComponent(args.findingId)}`);
+    if (!res.ok) {
+        return `Error (${res.error.code}): ${res.error.message}`;
+    }
+    const f = res.data.finding;
+    const refs = [f.cwe, f.owasp].filter(Boolean).join(" · ");
+    const sections = [
+        `# ${f.title}`,
+        `**Severity:** ${f.severity} · **Category:** ${f.category}${refs ? ` · ${refs}` : ""}`,
+        `**Location:** ${f.filePath}:${f.lineStart}${f.lineEnd !== f.lineStart ? `-${f.lineEnd}` : ""}`,
+        "",
+        f.explanation,
+    ];
+    if (f.snippet) {
+        sections.push("", "```", f.snippet, "```");
+    }
+    if (f.fix) {
+        sections.push("", `## Proposed fix (id=${f.fix.id}, status=${f.fix.status})`);
+        if (f.fix.diff) {
+            sections.push("```diff", f.fix.diff, "```");
+        }
+        else {
+            sections.push("_(no diff inline — fetch via /v1/fixes/:id for the patch)_");
+        }
+    }
+    if (typeof f.confidence === "number") {
+        sections.push("", `_confidence: ${f.confidence.toFixed(2)}_`);
+    }
+    return sections.join("\n");
+}
+//# sourceMappingURL=get-finding.js.map

package/dist/tools/get-finding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-finding.js","sourceRoot":"","sources":["../../src/tools/get-finding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,kCAAkC,CAAC;CAC1E,CAAC,CAAC;AA4BH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAkB,EAClB,IAAoB;IAEpB,MAAM,GAAG,GAAG,MAAM,QAAQ,CACxB,IAAI,EACJ,gBAAgB,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CACrD,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,UAAU,GAAG,CAAC,KAAK,CAAC,IAAI,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC;IAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAa;QACzB,KAAK,CAAC,CAAC,KAAK,EAAE;QACd,iBAAiB,CAAC,CAAC,QAAQ,oBAAoB,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;QACtF,iBAAiB,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/F,EAAE;QACF,CAAC,CAAC,WAAW;KACd,CAAC;IACF,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;QACd,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;QACV,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,uBAAuB,CAAC,CAAC,GAAG,CAAC,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;QAC9E,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACrC,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,gBAAgB,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC"}

package/dist/tools/list-findings.js

@@ -0,0 +1,52 @@
+import { z } from "zod";
+import { apiFetch } from "../api.js";
+export const ListFindingsInput = z.object({
+    projectId: z.string().min(1).describe("Project id (from list_projects)."),
+    severity: z
+        .enum(["critical", "high", "medium", "low", "info"])
+        .optional()
+        .describe("Filter to a single severity. Omit for all severities."),
+    limit: z
+        .number()
+        .int()
+        .min(1)
+        .max(100)
+        .default(25)
+        .describe("Max number of findings to return (1-100)."),
+});
+export async function listFindings(auth, args) {
+    const params = new URLSearchParams({
+        projectId: args.projectId,
+        limit: String(args.limit),
+    });
+    if (args.severity)
+        params.set("severity", args.severity);
+    const res = await apiFetch(auth, `/v1/findings?${params.toString()}`);
+    if (!res.ok) {
+        return `Error (${res.error.code}): ${res.error.message}`;
+    }
+    const rows = res.data.findings;
+    if (rows.length === 0) {
+        return `No findings for project ${args.projectId}${args.severity ? ` at severity ${args.severity}` : ""}.`;
+    }
+    const header = `Showing ${rows.length}${typeof res.data.total === "number" ? ` of ${res.data.total}` : ""} findings for project ${args.projectId}.`;
+    const lines = rows.map((f) => {
+        const refs = [f.cwe, f.owasp].filter(Boolean).join(" · ");
+        const tail = [
+            f.hasFix ? "fix available" : null,
+            f.suppressed ? "suppressed" : null,
+        ]
+            .filter(Boolean)
+            .join(" · ");
+        return [
+            `- [${f.severity.toUpperCase()}] ${f.title}`,
+            `  id=${f.id} · ${f.filePath}:${f.lineStart}${f.lineEnd !== f.lineStart ? `-${f.lineEnd}` : ""}`,
+            refs ? `  ${refs}` : null,
+            tail ? `  ${tail}` : null,
+        ]
+            .filter(Boolean)
+            .join("\n");
+    });
+    return [header, "", ...lines].join("\n");
+}
+//# sourceMappingURL=list-findings.js.map

package/dist/tools/list-findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-findings.js","sourceRoot":"","sources":["../../src/tools/list-findings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,kCAAkC,CAAC;IACzE,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;SACnD,QAAQ,EAAE;SACV,QAAQ,CAAC,uDAAuD,CAAC;IACpE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,OAAO,CAAC,EAAE,CAAC;SACX,QAAQ,CAAC,2CAA2C,CAAC;CACzD,CAAC,CAAC;AAsBH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAkB,EAClB,IAAsB;IAEtB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;KAC1B,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEzD,MAAM,GAAG,GAAG,MAAM,QAAQ,CACxB,IAAI,EACJ,gBAAgB,MAAM,CAAC,QAAQ,EAAE,EAAE,CACpC,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,UAAU,GAAG,CAAC,KAAK,CAAC,IAAI,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;IAC/B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,2BAA2B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;IAC7G,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,IAAI,CAAC,MAAM,GAAG,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,yBAAyB,IAAI,CAAC,SAAS,GAAG,CAAC;IACpJ,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1D,MAAM,IAAI,GAAG;YACX,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI;YACjC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;SACnC;aACE,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,KAAK,CAAC,CAAC;QACf,OAAO;YACL,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE;YAC5C,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;YAChG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;YACzB,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;SAC1B;aACE,MAAM,CAAC,OAAO,CAAC;aACf,IAAI,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC"}

package/dist/tools/list-fixes.js

@@ -0,0 +1,47 @@
+import { z } from "zod";
+import { apiFetch } from "../api.js";
+export const ListFixesInput = z.object({
+    projectId: z
+        .string()
+        .min(1)
+        .optional()
+        .describe("Project id (from list_projects). Omit to list fixes across the whole org."),
+    status: z
+        .enum(["proposed", "applied", "rejected", "superseded", "manual"])
+        .optional()
+        .describe("Filter to a single fix status. Omit for all statuses."),
+    limit: z
+        .number()
+        .int()
+        .min(1)
+        .max(100)
+        .default(25)
+        .describe("Max number of fixes to return (1-100)."),
+});
+export async function listFixes(auth, args) {
+    const params = new URLSearchParams({ limit: String(args.limit) });
+    if (args.projectId)
+        params.set("projectId", args.projectId);
+    if (args.status)
+        params.set("status", args.status);
+    const res = await apiFetch(auth, `/v1/fixes?${params.toString()}`);
+    if (!res.ok) {
+        return `Error (${res.error.code}): ${res.error.message}`;
+    }
+    const rows = res.data.fixes;
+    if (rows.length === 0) {
+        const scope = args.projectId ? `project ${args.projectId}` : "your org";
+        return `No fixes for ${scope}${args.status ? ` with status ${args.status}` : ""}.`;
+    }
+    const header = `Showing ${rows.length} fix${rows.length === 1 ? "" : "es"}.`;
+    const lines = rows.map((f) => {
+        const pr = f.pullRequest ? `\n  PR: ${f.pullRequest.url} (${f.pullRequest.status ?? "open"})` : "";
+        return [
+            `- [${f.finding.severity.toUpperCase()} · ${f.status}] ${f.finding.title}`,
+            `  fix=${f.id} · finding=${f.finding.id}`,
+            `  ${f.project.name} · ${f.finding.filePath}:${f.finding.lineStart}${pr}`,
+        ].join("\n");
+    });
+    return [header, "", ...lines].join("\n");
+}
+//# sourceMappingURL=list-fixes.js.map

package/dist/tools/list-fixes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-fixes.js","sourceRoot":"","sources":["../../src/tools/list-fixes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,EAAE;SACV,QAAQ,CAAC,2EAA2E,CAAC;IACxF,MAAM,EAAE,CAAC;SACN,IAAI,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;SACjE,QAAQ,EAAE;SACV,QAAQ,CAAC,uDAAuD,CAAC;IACpE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,OAAO,CAAC,EAAE,CAAC;SACX,QAAQ,CAAC,wCAAwC,CAAC;CACtD,CAAC,CAAC;AA8BH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAkB,EAClB,IAAmB;IAEnB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClE,IAAI,IAAI,CAAC,SAAS;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC5D,IAAI,IAAI,CAAC,MAAM;QAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAEnD,MAAM,GAAG,GAAG,MAAM,QAAQ,CACxB,IAAI,EACJ,aAAa,MAAM,CAAC,QAAQ,EAAE,EAAE,CACjC,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,UAAU,GAAG,CAAC,KAAK,CAAC,IAAI,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;IAC5B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;QACxE,OAAO,gBAAgB,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;IACrF,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,IAAI,CAAC,MAAM,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;IAC7E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,CAAC,WAAW,CAAC,MAAM,IAAI,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACnG,OAAO;YACL,MAAM,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE;YAC1E,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE;YACzC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,EAAE,EAAE;SAC1E,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC"}

package/dist/tools/list-projects.js

@@ -0,0 +1,20 @@
+import { z } from "zod";
+import { apiFetch } from "../api.js";
+export const listProjectsInputSchema = {};
+export const ListProjectsInput = z.object({});
+export async function listProjects(auth) {
+    const res = await apiFetch(auth, "/v1/projects");
+    if (!res.ok) {
+        return `Error (${res.error.code}): ${res.error.message}`;
+    }
+    if (res.data.projects.length === 0) {
+        return "No projects connected yet. Visit https://www.getdebug.dev/projects/new to connect a repo.";
+    }
+    const lines = res.data.projects.map((p) => {
+        const status = p.lastRunStatus ? ` · last run: ${p.lastRunStatus}` : "";
+        const findings = typeof p.findingsCount === "number" ? ` · ${p.findingsCount} findings` : "";
+        return `- ${p.name} (id=${p.id})${status}${findings}`;
+    });
+    return lines.join("\n");
+}
+//# sourceMappingURL=list-projects.js.map

package/dist/tools/list-projects.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-projects.js","sourceRoot":"","sources":["../../src/tools/list-projects.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,CAAC,MAAM,uBAAuB,GAAG,EAAW,CAAC;AACnD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAe9C,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAkB;IACnD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAuB,IAAI,EAAE,cAAc,CAAC,CAAC;IACvE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,UAAU,GAAG,CAAC,KAAK,CAAC,IAAI,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,2FAA2F,CAAC;IACrG,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxE,MAAM,QAAQ,GACZ,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,aAAa,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,OAAO,KAAK,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,EAAE,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;IACxD,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/tools/start-scan.js

@@ -0,0 +1,29 @@
+import { z } from "zod";
+import { apiFetch } from "../api.js";
+export const StartScanInput = z.object({
+    projectId: z
+        .string()
+        .min(1)
+        .describe("Project id (from list_projects). Use the id, not the project name."),
+});
+// Enqueues an analyze run on the hosted worker. Returns the run id; the
+// caller (or the user via the dashboard) can poll the run for progress.
+// MCP-side this is intentionally fire-and-forget: streaming progress over
+// a stdio transport adds complexity and most clients don't render it.
+// The agent can re-call list_findings after a minute or so to see the
+// new results.
+export async function startScan(auth, args) {
+    const res = await apiFetch(auth, `/v1/projects/${encodeURIComponent(args.projectId)}/runs`, { method: "POST", body: "{}" });
+    if (!res.ok) {
+        return `Error (${res.error.code}): ${res.error.message}`;
+    }
+    return [
+        `Run ${res.data.id} enqueued (status: ${res.data.status}).`,
+        "",
+        "The worker is now cloning, parsing, and analyzing the repo.",
+        "Findings typically appear within 1-2 minutes. Re-call list_findings",
+        `(projectId="${args.projectId}") to fetch the new results, or watch`,
+        `the dashboard at https://www.getdebug.dev/projects/${args.projectId}.`,
+    ].join("\n");
+}
+//# sourceMappingURL=start-scan.js.map

package/dist/tools/start-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"start-scan.js","sourceRoot":"","sources":["../../src/tools/start-scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAErC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,CAAC,oEAAoE,CAAC;CAClF,CAAC,CAAC;AAQH,wEAAwE;AACxE,wEAAwE;AACxE,0EAA0E;AAC1E,sEAAsE;AACtE,sEAAsE;AACtE,eAAe;AACf,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAkB,EAClB,IAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,QAAQ,CACxB,IAAI,EACJ,gBAAgB,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EACzD,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAC/B,CAAC;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,UAAU,GAAG,CAAC,KAAK,CAAC,IAAI,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;IACD,OAAO;QACL,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,sBAAsB,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI;QAC3D,EAAE;QACF,6DAA6D;QAC7D,qEAAqE;QACrE,eAAe,IAAI,CAAC,SAAS,uCAAuC;QACpE,sDAAsD,IAAI,CAAC,SAAS,GAAG;KACxE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@getdebug/mcp",
+  "version": "0.2.0",
+  "description": "Model Context Protocol server for getdebug. Lets Claude, Cursor, and any MCP-compatible AI client read your projects, findings, and fixes.",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "getdebug-mcp": "./dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json && chmod +x dist/index.js",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "start": "node dist/index.js"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "zod": "^3.23.8",
+    "zod-to-json-schema": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}