@opentriologue/depsight-mcp 0.2.0

package/README.md

@@ -0,0 +1,137 @@
+# depsight-mcp
+
+Model Context Protocol server for [depsight](https://github.com/LanNguyenSi/depsight) — query CVE scans, license reports, dependency age, policy evaluation, and CI analytics from Claude (or any MCP-capable agent).
+
+This is a thin wrapper around depsight's existing Next.js REST API. It does not talk to the database directly.
+
+## Tools
+
+| Name | Purpose |
+|---|---|
+| `depsight_list_repos` | List the user's GitHub repos (source of `repoId` values) |
+| `depsight_get_overview` | Team-health dashboard summary across all tracked repos |
+| `depsight_get_cves` | Get the latest CVE scan for a repo, with optional min-severity / since-date filters |
+| `depsight_get_license_report` | Per-package license compatibility + policy violations |
+| `depsight_get_deps` | Dependency-age analysis (up-to-date / outdated / major-behind / deprecated) |
+| `depsight_get_history` | Time series of CVE scan results for a repo |
+| `depsight_evaluate_policy` | Run enabled policies against a specific scan (read-only) |
+| `depsight_ci_analytics` | GitHub Actions CI insights — per-repo (with `repoId`) or cross-repo (without) |
+
+All tools are **read-only** in v1. Scan triggers, webhook management, and policy mutation are not exposed.
+
+## Prerequisites
+
+1. **A running depsight instance.** Either local (`npm run dev`, default `http://localhost:3000`) or hosted.
+2. **A depsight API token (`dsat_…`).** See [minting a token](#minting-a-token) below.
+
+## Install + run
+
+```bash
+# One-off via npx (published on npm via the release workflow; see Releasing below)
+npx -y @opentriologue/depsight-mcp
+
+# Or locally from this repo after `npm run build`
+node /path/to/depsight/mcp/dist/index.js
+```
+
+The server speaks MCP over stdio — launch it via your agent's MCP client config, not directly from a terminal.
+
+### Claude Desktop / Claude Code config
+
+```json
+{
+  "mcpServers": {
+    "depsight": {
+      "command": "npx",
+      "args": ["-y", "@opentriologue/depsight-mcp"],
+      "env": {
+        "DEPSIGHT_URL": "https://depsight.opentriologue.ai",
+        "DEPSIGHT_API_TOKEN": "dsat_..."
+      }
+    }
+  }
+}
+```
+
+Both env vars are **required**; the server aborts on startup otherwise.
+
+## Minting a token
+
+API tokens live in the `ApiToken` Prisma model and are scoped to a single depsight user. Inside the depsight repo:
+
+```bash
+# ensure DATABASE_URL is set in your shell
+npx tsx scripts/mint-api-token.ts --user <userId> --name claude-desktop
+```
+
+The raw `dsat_…` value is printed **once**. Store it in your agent config (env var, secret manager) — there is no retrieve-existing endpoint. To rotate, mint a new one and `UPDATE "ApiToken" SET "revokedAt" = NOW() WHERE id = '…';` on the old row.
+
+All data is scoped to the minting user: tools only see repos that user owns.
+
+## Smoke test
+
+After setting env vars:
+
+```bash
+# From the mcp/ directory
+npm run build
+
+# 1) Discover tools (handshake + tools/list)
+printf '%s\n' \
+  '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0"}}}' \
+  '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' \
+  | DEPSIGHT_URL=http://localhost:3000 DEPSIGHT_API_TOKEN=dsat_... node dist/index.js
+
+# 2) Real round-trip against the depsight API — lists repos
+printf '%s\n' \
+  '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0"}}}' \
+  '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"depsight_list_repos","arguments":{}}}' \
+  | DEPSIGHT_URL=http://localhost:3000 DEPSIGHT_API_TOKEN=dsat_... node dist/index.js
+```
+
+Should print a JSON-RPC response listing the 8 tools, then a second response with the user's GitHub repos. In Claude Code, ask *"list my depsight repos with critical CVEs"* — the agent should call `depsight_list_repos` then `depsight_get_cves` with `minSeverity: "CRITICAL"` per repo.
+
+## Error handling
+
+Tool handlers never throw. On any failure (network, HTTP non-2xx, parse error), they return:
+
+```json
+{
+  "content": [{ "type": "text", "text": "{\"success\":false,\"error\":\"…\"}" }],
+  "isError": true
+}
+```
+
+HTTP errors carry the upstream status code and response body so you can tell a 401 (bad token) apart from a 404 (wrong `repoId`).
+
+## Scope / limitations
+
+- Read-only. v1 intentionally omits write operations (scan triggers, policy mutation, Slack config).
+- No per-tool ACL. A token with the `dsat_` prefix can call any read tool for its user's data.
+- No pagination beyond what the underlying REST endpoints already expose. Very large repos may produce large JSON responses.
+- Tokens never expire automatically. Operators must rotate manually.
+
+## Development
+
+```bash
+npm install
+npm run dev        # runs against DEPSIGHT_URL + DEPSIGHT_API_TOKEN via tsx
+npm test           # vitest
+npm run build      # emits dist/
+```
+
+## Releasing
+
+Publishing is tag-driven via [`.github/workflows/publish-npm.yml`](../.github/workflows/publish-npm.yml),
+kept separate from the app's `v*` releases so the two never collide.
+
+```bash
+# 1. Bump the version in mcp/package.json (e.g. 0.2.0 -> 0.2.1)
+# 2. Commit, then push a tag whose suffix matches that version:
+git tag depsight-mcp-v0.2.1
+git push origin depsight-mcp-v0.2.1
+```
+
+The workflow checks `mcp/package.json` version against the tag, builds, and runs
+`npm publish --access public --provenance`. It requires a repo secret `NPM_TOKEN`
+with publish rights to the `@opentriologue` npm org (operator one-time setup).

package/dist/client.d.ts

@@ -0,0 +1,27 @@
+import type { Config } from "./config.js";
+export declare class HttpError extends Error {
+    readonly status: number;
+    readonly path: string;
+    readonly body: unknown;
+    constructor(status: number, path: string, body: unknown);
+}
+/**
+ * Thin HTTP client around depsight's Next.js API. Every request
+ * carries `Authorization: Bearer <dsat_...>` — the token is minted
+ * per user and scopes every tool call to that user's repos.
+ */
+export declare class DepsightClient {
+    private readonly config;
+    constructor(config: Config);
+    private request;
+    listRepos(): Promise<unknown>;
+    getOverview(): Promise<unknown>;
+    getScan(repoId: string): Promise<unknown>;
+    getDeps(repoId: string): Promise<unknown>;
+    getLicense(repoId: string): Promise<unknown>;
+    getHistory(repoId: string, limit?: number): Promise<unknown>;
+    evaluatePolicy(scanId: string): Promise<unknown>;
+    getCiAnalytics(repoId: string, type: "fail-rate" | "build-times" | "flaky" | "bottleneck", period: 1 | 7 | 30): Promise<unknown>;
+    getCiAnalyticsCrossRepo(period: 1 | 7 | 30): Promise<unknown>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAE1C,qBAAa,SAAU,SAAQ,KAAK;aAEhB,MAAM,EAAE,MAAM;aACd,IAAI,EAAE,MAAM;aACZ,IAAI,EAAE,OAAO;gBAFb,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,OAAO;CAIhC;AAED;;;;GAIG;AACH,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;YAE7B,OAAO;IAwCrB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAI7B,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAI/B,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzC,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzC,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5C,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5D,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhD,cAAc,CACZ,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,WAAW,GAAG,aAAa,GAAG,OAAO,GAAG,YAAY,EAC1D,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GACjB,OAAO,CAAC,OAAO,CAAC;IAMnB,uBAAuB,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAK9D"}

package/dist/client.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DepsightClient = exports.HttpError = void 0;
+class HttpError extends Error {
+    constructor(status, path, body) {
+        super(`Depsight ${path} → HTTP ${status}: ${JSON.stringify(body)}`);
+        this.status = status;
+        this.path = path;
+        this.body = body;
+    }
+}
+exports.HttpError = HttpError;
+/**
+ * Thin HTTP client around depsight's Next.js API. Every request
+ * carries `Authorization: Bearer <dsat_...>` — the token is minted
+ * per user and scopes every tool call to that user's repos.
+ */
+class DepsightClient {
+    constructor(config) {
+        this.config = config;
+    }
+    async request(method, path, init) {
+        const url = new URL(this.config.gatewayUrl + path);
+        if (init?.query) {
+            for (const [k, v] of Object.entries(init.query)) {
+                if (v === undefined || v === null || v === "")
+                    continue;
+                url.searchParams.set(k, String(v));
+            }
+        }
+        const res = await fetch(url.toString(), {
+            method,
+            headers: {
+                "Content-Type": "application/json",
+                Accept: "application/json",
+                Authorization: `Bearer ${this.config.apiToken}`,
+            },
+            body: init?.body !== undefined ? JSON.stringify(init.body) : undefined,
+        });
+        const text = await res.text();
+        let parsed = null;
+        if (text.length > 0) {
+            try {
+                parsed = JSON.parse(text);
+            }
+            catch {
+                parsed = text;
+            }
+        }
+        if (!res.ok) {
+            throw new HttpError(res.status, path, parsed);
+        }
+        return parsed;
+    }
+    // ── Read tools (v1) ─────────────────────────────────────────
+    listRepos() {
+        return this.request("GET", "/api/repos");
+    }
+    getOverview() {
+        return this.request("GET", "/api/overview");
+    }
+    getScan(repoId) {
+        return this.request("GET", "/api/scan", { query: { repoId } });
+    }
+    getDeps(repoId) {
+        return this.request("GET", "/api/deps", { query: { repoId } });
+    }
+    getLicense(repoId) {
+        return this.request("GET", "/api/license", { query: { repoId } });
+    }
+    getHistory(repoId, limit) {
+        return this.request("GET", "/api/history", { query: { repoId, limit } });
+    }
+    evaluatePolicy(scanId) {
+        return this.request("POST", "/api/policies/evaluate", { body: { scanId } });
+    }
+    getCiAnalytics(repoId, type, period) {
+        return this.request("GET", `/api/ci/analytics/${encodeURIComponent(repoId)}`, {
+            query: { type, period },
+        });
+    }
+    getCiAnalyticsCrossRepo(period) {
+        return this.request("GET", "/api/ci/analytics/cross-repo", {
+            query: { period },
+        });
+    }
+}
+exports.DepsightClient = DepsightClient;
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":";;;AAEA,MAAa,SAAU,SAAQ,KAAK;IAClC,YACkB,MAAc,EACd,IAAY,EACZ,IAAa;QAE7B,KAAK,CAAC,YAAY,IAAI,WAAW,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAJpD,WAAM,GAAN,MAAM,CAAQ;QACd,SAAI,GAAJ,IAAI,CAAQ;QACZ,SAAI,GAAJ,IAAI,CAAS;IAG/B,CAAC;CACF;AARD,8BAQC;AAED;;;;GAIG;AACH,MAAa,cAAc;IACzB,YAA6B,MAAc;QAAd,WAAM,GAAN,MAAM,CAAQ;IAAG,CAAC;IAEvC,KAAK,CAAC,OAAO,CACnB,MAAsB,EACtB,IAAY,EACZ,IAA8E;QAE9E,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;QACnD,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;YAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE;oBAAE,SAAS;gBACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YACtC,MAAM;YACN,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;aAChD;YACD,IAAI,EAAE,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SACvE,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,MAAM,GAAY,IAAI,CAAC;QAC3B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,GAAG,IAAI,CAAC;YAChB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,MAAW,CAAC;IACrB,CAAC;IAED,+DAA+D;IAE/D,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAC3C,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,UAAU,CAAC,MAAc;QACvB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,UAAU,CAAC,MAAc,EAAE,KAAc;QACvC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,cAAc,CAAC,MAAc;QAC3B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,wBAAwB,EAAE,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,cAAc,CACZ,MAAc,EACd,IAA0D,EAC1D,MAAkB;QAElB,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,qBAAqB,kBAAkB,CAAC,MAAM,CAAC,EAAE,EAAE;YAC5E,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;SACxB,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB,CAAC,MAAkB;QACxC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,8BAA8B,EAAE;YACzD,KAAK,EAAE,EAAE,MAAM,EAAE;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAtFD,wCAsFC"}

package/dist/config.d.ts

@@ -0,0 +1,16 @@
+export interface Config {
+    gatewayUrl: string;
+    apiToken: string;
+}
+/**
+ * Load runtime config from env vars.
+ *
+ * `DEPSIGHT_URL` — base URL of the depsight Next.js app (e.g.
+ *   `https://depsight.opentriologue.ai` or `http://localhost:3000`).
+ *   Required. Trailing slashes are stripped.
+ * `DEPSIGHT_API_TOKEN` — `dsat_` prefixed API token minted via
+ *   `scripts/mint-api-token.ts`. Required. Scopes to the user who
+ *   minted it; depsight has no per-tool ACL today.
+ */
+export declare function loadConfig(): Config;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,MAAM;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAqBnC"}

package/dist/config.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+/**
+ * Load runtime config from env vars.
+ *
+ * `DEPSIGHT_URL` — base URL of the depsight Next.js app (e.g.
+ *   `https://depsight.opentriologue.ai` or `http://localhost:3000`).
+ *   Required. Trailing slashes are stripped.
+ * `DEPSIGHT_API_TOKEN` — `dsat_` prefixed API token minted via
+ *   `scripts/mint-api-token.ts`. Required. Scopes to the user who
+ *   minted it; depsight has no per-tool ACL today.
+ */
+function loadConfig() {
+    const gatewayUrl = process.env.DEPSIGHT_URL;
+    if (!gatewayUrl) {
+        throw new Error("DEPSIGHT_URL environment variable is required.\n" +
+            "Set it to the URL of your depsight instance, e.g. https://depsight.opentriologue.ai");
+    }
+    const apiToken = process.env.DEPSIGHT_API_TOKEN;
+    if (!apiToken) {
+        throw new Error("DEPSIGHT_API_TOKEN environment variable is required.\n" +
+            "Mint one with `npx tsx scripts/mint-api-token.ts --user <id>` inside the depsight repo.");
+    }
+    return {
+        gatewayUrl: gatewayUrl.replace(/\/$/, ""),
+        apiToken,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";;AAeA,gCAqBC;AA/BD;;;;;;;;;GASG;AACH,SAAgB,UAAU;IACxB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,kDAAkD;YAChD,qFAAqF,CACxF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,wDAAwD;YACtD,yFAAyF,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO;QACL,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACzC,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_js_1 = require("./config.js");
+const server_js_1 = require("./server.js");
+async function main() {
+    try {
+        const config = (0, config_js_1.loadConfig)();
+        await (0, server_js_1.startServer)(config);
+    }
+    catch (err) {
+        console.error("[depsight-mcp] Fatal error:", err);
+        process.exit(1);
+    }
+}
+main();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAEA,2CAAyC;AACzC,2CAA0C;AAE1C,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,sBAAU,GAAE,CAAC;QAC5B,MAAM,IAAA,uBAAW,EAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,5 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { Config } from "./config.js";
+export declare function createServer(config: Config): McpServer;
+export declare function startServer(config: Config): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAU1C,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAiBtD;AAED,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAI/D"}

package/dist/server.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createServer = createServer;
+exports.startServer = startServer;
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const client_js_1 = require("./client.js");
+const repos_js_1 = require("./tools/repos.js");
+const cves_js_1 = require("./tools/cves.js");
+const deps_js_1 = require("./tools/deps.js");
+const license_js_1 = require("./tools/license.js");
+const history_js_1 = require("./tools/history.js");
+const policy_js_1 = require("./tools/policy.js");
+const ci_js_1 = require("./tools/ci.js");
+function createServer(config) {
+    const server = new mcp_js_1.McpServer({
+        name: "depsight",
+        version: "0.1.0",
+    });
+    const client = new client_js_1.DepsightClient(config);
+    (0, repos_js_1.registerRepoTools)(server, client);
+    (0, cves_js_1.registerCveTools)(server, client);
+    (0, deps_js_1.registerDepsTools)(server, client);
+    (0, license_js_1.registerLicenseTools)(server, client);
+    (0, history_js_1.registerHistoryTools)(server, client);
+    (0, policy_js_1.registerPolicyTools)(server, client);
+    (0, ci_js_1.registerCiTools)(server, client);
+    return server;
+}
+async function startServer(config) {
+    const server = createServer(config);
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";;AAYA,oCAiBC;AAED,kCAIC;AAnCD,oEAAoE;AACpE,wEAAiF;AAEjF,2CAA6C;AAC7C,+CAAqD;AACrD,6CAAmD;AACnD,6CAAoD;AACpD,mDAA0D;AAC1D,mDAA0D;AAC1D,iDAAwD;AACxD,yCAAgD;AAEhD,SAAgB,YAAY,CAAC,MAAc;IACzC,MAAM,MAAM,GAAG,IAAI,kBAAS,CAAC;QAC3B,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,0BAAc,CAAC,MAAM,CAAC,CAAC;IAE1C,IAAA,4BAAiB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,IAAA,0BAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAA,2BAAiB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,IAAA,iCAAoB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,IAAA,iCAAoB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,IAAA,+BAAmB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,IAAA,uBAAe,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEhC,OAAO,MAAM,CAAC;AAChB,CAAC;AAEM,KAAK,UAAU,WAAW,CAAC,MAAc;IAC9C,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}

package/dist/tools/ci.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerCiTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=ci.d.ts.map

package/dist/tools/ci.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci.d.ts","sourceRoot":"","sources":["../../src/tools/ci.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAKnD,wBAAgB,eAAe,CAC7B,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CAkDN"}

package/dist/tools/ci.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCiTools = registerCiTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+const PERIODS = [1, 7, 30];
+function registerCiTools(server, client) {
+    server.tool("depsight_ci_analytics", "GitHub Actions CI insights. When `repoId` is provided, returns per-repo data for the chosen analytics `type` (fail-rate / build-times / flaky / bottleneck). When `repoId` is omitted, returns cross-repo health summaries across all tracked repos.", {
+        repoId: zod_1.z
+            .string()
+            .optional()
+            .describe("Optional: the depsight repo ID. Omit to get cross-repo summaries."),
+        type: zod_1.z
+            .enum(["fail-rate", "build-times", "flaky", "bottleneck"])
+            .optional()
+            .describe("Analytics type (repo-scoped only, default fail-rate). Ignored for cross-repo queries."),
+        period: zod_1.z
+            .enum(["1", "7", "30"])
+            .optional()
+            .describe("Lookback window in days. Default 30."),
+    }, async ({ repoId, type, period }) => {
+        try {
+            const parsedPeriod = (period ? Number(period) : 30);
+            const validPeriod = PERIODS.includes(parsedPeriod)
+                ? parsedPeriod
+                : 30;
+            if (!repoId) {
+                const data = await client.getCiAnalyticsCrossRepo(validPeriod);
+                return (0, shared_js_1.ok)(data);
+            }
+            const data = await client.getCiAnalytics(repoId, type ?? "fail-rate", validPeriod);
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=ci.js.map

package/dist/tools/ci.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci.js","sourceRoot":"","sources":["../../src/tools/ci.ts"],"names":[],"mappings":";;AAOA,0CAqDC;AA3DD,6BAAwB;AAExB,2CAA4C;AAE5C,MAAM,OAAO,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAU,CAAC;AAEpC,SAAgB,eAAe,CAC7B,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,uBAAuB,EACvB,sPAAsP,EACtP;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CACP,mEAAmE,CACpE;QACH,IAAI,EAAE,OAAC;aACJ,IAAI,CAAC,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;aACzD,QAAQ,EAAE;aACV,QAAQ,CACP,uFAAuF,CACxF;QACH,MAAM,EAAE,OAAC;aACN,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;aACtB,QAAQ,EAAE;aACV,QAAQ,CAAC,sCAAsC,CAAC;KACpD,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;QACjC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAG5C,CAAC;YACP,MAAM,WAAW,GAAI,OAA6B,CAAC,QAAQ,CACzD,YAAY,CACb;gBACC,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,EAAE,CAAC;YAEP,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,WAAW,CAAC,CAAC;gBAC/D,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;YAClB,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CACtC,MAAM,EACN,IAAI,IAAI,WAAW,EACnB,WAAW,CACZ,CAAC;YACF,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/cves.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerCveTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=cves.d.ts.map

package/dist/tools/cves.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cves.d.ts","sourceRoot":"","sources":["../../src/tools/cves.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAWnD,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CA4EN"}

package/dist/tools/cves.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCveTools = registerCveTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+const SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+function severityRank(s) {
+    const idx = SEVERITIES.indexOf(s.toUpperCase());
+    return idx === -1 ? 99 : idx;
+}
+function registerCveTools(server, client) {
+    server.tool("depsight_get_cves", "Get CVE advisories from the most recent completed CVE scan for a repo. Optionally filter by minimum severity and/or a publish-after cutoff. Returns the full scan envelope (counts, risk score) plus the filtered advisory list.", {
+        repoId: zod_1.z
+            .string()
+            .min(1)
+            .describe("The depsight repo ID. Get it from depsight_list_repos."),
+        minSeverity: zod_1.z
+            .enum(SEVERITIES)
+            .optional()
+            .describe("Only include advisories at or above this severity."),
+        publishedAfter: zod_1.z
+            .string()
+            .optional()
+            .describe("ISO 8601 date/time. Only include advisories published at or after this instant."),
+    }, async ({ repoId, minSeverity, publishedAfter }) => {
+        try {
+            const data = (await client.getScan(repoId));
+            if (!data || !data.scan) {
+                return (0, shared_js_1.ok)({
+                    success: true,
+                    scan: null,
+                    advisories: [],
+                    message: "No completed CVE scan found for this repo yet.",
+                });
+            }
+            const minRank = minSeverity !== undefined ? severityRank(minSeverity) : Infinity;
+            const cutoff = publishedAfter ? Date.parse(publishedAfter) : null;
+            if (publishedAfter && cutoff !== null && Number.isNaN(cutoff)) {
+                return (0, shared_js_1.errResult)(new Error(`publishedAfter is not a valid ISO 8601 date: "${publishedAfter}"`));
+            }
+            const advisories = data.scan.advisories.filter((a) => {
+                const sev = typeof a.severity === "string" ? a.severity : "";
+                if (minSeverity !== undefined && severityRank(sev) > minRank) {
+                    return false;
+                }
+                if (cutoff !== null) {
+                    const published = typeof a.publishedAt === "string"
+                        ? Date.parse(a.publishedAt)
+                        : NaN;
+                    // An advisory with a missing or un-parseable publishedAt
+                    // is excluded when a cutoff is active — the caller asked
+                    // for "after this date" and we cannot prove it satisfies
+                    // that condition.
+                    if (Number.isNaN(published) || published < cutoff)
+                        return false;
+                }
+                return true;
+            });
+            return (0, shared_js_1.ok)({
+                success: true,
+                scan: { ...data.scan, advisories },
+                filterApplied: { minSeverity, publishedAfter },
+            });
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=cves.js.map

package/dist/tools/cves.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cves.js","sourceRoot":"","sources":["../../src/tools/cves.ts"],"names":[],"mappings":";;AAaA,4CA+EC;AA3FD,6BAAwB;AAExB,2CAA4C;AAE5C,MAAM,UAAU,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAU,CAAC;AAGlE,SAAS,YAAY,CAAC,CAAS;IAC7B,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAc,CAAC,CAAC;IAC5D,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;AAC/B,CAAC;AAED,SAAgB,gBAAgB,CAC9B,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,kOAAkO,EAClO;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,QAAQ,CAAC,wDAAwD,CAAC;QACrE,WAAW,EAAE,OAAC;aACX,IAAI,CAAC,UAAU,CAAC;aAChB,QAAQ,EAAE;aACV,QAAQ,CAAC,oDAAoD,CAAC;QACjE,cAAc,EAAE,OAAC;aACd,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CACP,iFAAiF,CAClF;KACJ,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,EAAE,EAAE;QAChD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAG7B,CAAC;YAEd,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACxB,OAAO,IAAA,cAAE,EAAC;oBACR,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,IAAI;oBACV,UAAU,EAAE,EAAE;oBACd,OAAO,EAAE,gDAAgD;iBAC1D,CAAC,CAAC;YACL,CAAC;YAED,MAAM,OAAO,GACX,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YACnE,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAClE,IAAI,cAAc,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9D,OAAO,IAAA,qBAAS,EACd,IAAI,KAAK,CACP,iDAAiD,cAAc,GAAG,CACnE,CACF,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACnD,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7D,IAAI,WAAW,KAAK,SAAS,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC;oBAC7D,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBACpB,MAAM,SAAS,GACb,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ;wBAC/B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC;wBAC3B,CAAC,CAAC,GAAG,CAAC;oBACV,yDAAyD;oBACzD,yDAAyD;oBACzD,yDAAyD;oBACzD,kBAAkB;oBAClB,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,MAAM;wBAAE,OAAO,KAAK,CAAC;gBAClE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YAEH,OAAO,IAAA,cAAE,EAAC;gBACR,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE;gBAClC,aAAa,EAAE,EAAE,WAAW,EAAE,cAAc,EAAE;aAC/C,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/deps.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerDepsTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=deps.d.ts.map

package/dist/tools/deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../../src/tools/deps.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CAmBN"}

package/dist/tools/deps.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerDepsTools = registerDepsTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+function registerDepsTools(server, client) {
+    server.tool("depsight_get_deps", "Get the dependency-age report for a repo: which packages are up-to-date, outdated, major-behind, or deprecated, based on the latest dependency scan.", {
+        repoId: zod_1.z
+            .string()
+            .min(1)
+            .describe("The depsight repo ID. Get it from depsight_list_repos."),
+    }, async ({ repoId }) => {
+        try {
+            const data = await client.getDeps(repoId);
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=deps.js.map

package/dist/tools/deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.js","sourceRoot":"","sources":["../../src/tools/deps.ts"],"names":[],"mappings":";;AAKA,8CAsBC;AA1BD,6BAAwB;AAExB,2CAA4C;AAE5C,SAAgB,iBAAiB,CAC/B,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,sJAAsJ,EACtJ;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,QAAQ,CAAC,wDAAwD,CAAC;KACtE,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC1C,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/history.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerHistoryTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=history.d.ts.map

package/dist/tools/history.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.d.ts","sourceRoot":"","sources":["../../src/tools/history.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CA0BN"}

package/dist/tools/history.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerHistoryTools = registerHistoryTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+function registerHistoryTools(server, client) {
+    server.tool("depsight_get_history", "Get the CVE-scan history (time series of risk scores and CVE counts) for a repo. Useful for trend analysis.", {
+        repoId: zod_1.z
+            .string()
+            .min(1)
+            .describe("The depsight repo ID. Get it from depsight_list_repos."),
+        limit: zod_1.z
+            .number()
+            .int()
+            .min(1)
+            .max(100)
+            .optional()
+            .describe("Number of past scans to return (default 30, max 100)."),
+    }, async ({ repoId, limit }) => {
+        try {
+            const data = await client.getHistory(repoId, limit);
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=history.js.map

package/dist/tools/history.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.js","sourceRoot":"","sources":["../../src/tools/history.ts"],"names":[],"mappings":";;AAKA,oDA6BC;AAjCD,6BAAwB;AAExB,2CAA4C;AAE5C,SAAgB,oBAAoB,CAClC,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,6GAA6G,EAC7G;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,QAAQ,CAAC,wDAAwD,CAAC;QACrE,KAAK,EAAE,OAAC;aACL,MAAM,EAAE;aACR,GAAG,EAAE;aACL,GAAG,CAAC,CAAC,CAAC;aACN,GAAG,CAAC,GAAG,CAAC;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,uDAAuD,CAAC;KACrE,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE;QAC1B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACpD,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/license.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerLicenseTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=license.d.ts.map

package/dist/tools/license.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.d.ts","sourceRoot":"","sources":["../../src/tools/license.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CAmBN"}

package/dist/tools/license.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerLicenseTools = registerLicenseTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+function registerLicenseTools(server, client) {
+    server.tool("depsight_get_license_report", "Get the license-compatibility report for a repo: per-package licenses, compatibility flags, policy violations, and totals.", {
+        repoId: zod_1.z
+            .string()
+            .min(1)
+            .describe("The depsight repo ID. Get it from depsight_list_repos."),
+    }, async ({ repoId }) => {
+        try {
+            const data = await client.getLicense(repoId);
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=license.js.map

package/dist/tools/license.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.js","sourceRoot":"","sources":["../../src/tools/license.ts"],"names":[],"mappings":";;AAKA,oDAsBC;AA1BD,6BAAwB;AAExB,2CAA4C;AAE5C,SAAgB,oBAAoB,CAClC,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,6BAA6B,EAC7B,4HAA4H,EAC5H;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,QAAQ,CAAC,wDAAwD,CAAC;KACtE,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/policy.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerPolicyTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=policy.d.ts.map

package/dist/tools/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/tools/policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CAqBN"}

package/dist/tools/policy.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerPolicyTools = registerPolicyTools;
+const zod_1 = require("zod");
+const shared_js_1 = require("./shared.js");
+function registerPolicyTools(server, client) {
+    server.tool("depsight_evaluate_policy", "Evaluate the user's enabled policies (LICENSE_DENY, LICENSE_ALLOW_ONLY, CVE_MIN_SEVERITY, DEPENDENCY_MAX_AGE) against a specific scan. Read-only — does not mutate state. Returns the violations with affected packages.", {
+        scanId: zod_1.z
+            .string()
+            .min(1)
+            .describe("The scan ID to evaluate. Get it from depsight_get_cves (scan.id) or depsight_get_deps (scanId)."),
+    }, async ({ scanId }) => {
+        try {
+            const data = await client.evaluatePolicy(scanId);
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=policy.js.map

package/dist/tools/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/tools/policy.ts"],"names":[],"mappings":";;AAKA,kDAwBC;AA5BD,6BAAwB;AAExB,2CAA4C;AAE5C,SAAgB,mBAAmB,CACjC,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,0BAA0B,EAC1B,0NAA0N,EAC1N;QACE,MAAM,EAAE,OAAC;aACN,MAAM,EAAE;aACR,GAAG,CAAC,CAAC,CAAC;aACN,QAAQ,CACP,iGAAiG,CAClG;KACJ,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YACjD,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/repos.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { DepsightClient } from "../client.js";
+export declare function registerRepoTools(server: McpServer, client: DepsightClient): void;
+//# sourceMappingURL=repos.d.ts.map

package/dist/tools/repos.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repos.d.ts","sourceRoot":"","sources":["../../src/tools/repos.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,cAAc,GACrB,IAAI,CA4BN"}

package/dist/tools/repos.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerRepoTools = registerRepoTools;
+const shared_js_1 = require("./shared.js");
+function registerRepoTools(server, client) {
+    server.tool("depsight_list_repos", "List the GitHub repositories the authenticated user has access to (via their GitHub token). Use this to discover `repoId` values that other depsight_* tools accept.", {}, async () => {
+        try {
+            const data = await client.listRepos();
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+    server.tool("depsight_get_overview", "Team-health dashboard summary across all tracked repos: aggregate CVE counts, risk scores, license issues, and the top riskiest repos. No arguments.", {}, async () => {
+        try {
+            const data = await client.getOverview();
+            return (0, shared_js_1.ok)(data);
+        }
+        catch (e) {
+            return (0, shared_js_1.errResult)(e);
+        }
+    });
+}
+//# sourceMappingURL=repos.js.map

package/dist/tools/repos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repos.js","sourceRoot":"","sources":["../../src/tools/repos.ts"],"names":[],"mappings":";;AAIA,8CA+BC;AAjCD,2CAA4C;AAE5C,SAAgB,iBAAiB,CAC/B,MAAiB,EACjB,MAAsB;IAEtB,MAAM,CAAC,IAAI,CACT,qBAAqB,EACrB,sKAAsK,EACtK,EAAE,EACF,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;YACtC,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,uBAAuB,EACvB,sJAAsJ,EACtJ,EAAE,EACF,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YACxC,OAAO,IAAA,cAAE,EAAC,IAAI,CAAC,CAAC;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,qBAAS,EAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/shared.d.ts

@@ -0,0 +1,10 @@
+export type ToolResult = {
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+    isError?: true;
+};
+export declare function ok(data: unknown): ToolResult;
+export declare function errResult(error: unknown): ToolResult;
+//# sourceMappingURL=shared.d.ts.map

package/dist/tools/shared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../src/tools/shared.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,UAAU,GAAG;IACvB,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,EAAE,IAAI,CAAC;CAChB,CAAC;AAEF,wBAAgB,EAAE,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,CAI5C;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAWpD"}

package/dist/tools/shared.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ok = ok;
+exports.errResult = errResult;
+function ok(data) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+    };
+}
+function errResult(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify({ success: false, error: message }, null, 2),
+            },
+        ],
+        isError: true,
+    };
+}
+//# sourceMappingURL=shared.js.map

package/dist/tools/shared.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.js","sourceRoot":"","sources":["../../src/tools/shared.ts"],"names":[],"mappings":";;AAKA,gBAIC;AAED,8BAWC;AAjBD,SAAgB,EAAE,CAAC,IAAa;IAC9B,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;KACjE,CAAC;AACJ,CAAC;AAED,SAAgB,SAAS,CAAC,KAAc;IACtC,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;aAClE;SACF;QACD,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@opentriologue/depsight-mcp",
+  "version": "0.2.0",
+  "description": "MCP server for depsight — query CVE, license, dependency and CI data from Claude / other agents",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "depsight-mcp": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "npm run build"
+  },
+  "files": [
+    "dist/**/*",
+    "README.md"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "zod": "^3.22.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.3.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "mcp",
+    "depsight",
+    "security",
+    "cve",
+    "sbom",
+    "license",
+    "ai-agents",
+    "model-context-protocol"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/LanNguyenSi/depsight.git",
+    "directory": "mcp"
+  }
+}