npm - @rigour-labs/mcp - Versions diffs - 4.3.1 → 4.3.3 - Mend

@rigour-labs/mcp 4.3.1 → 4.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/tools/deep-handlers.js +1 -1
package/dist/tools/deep-handlers.test.js +1 -1
package/dist/tools/definitions.js +5 -5
package/dist/tools/quality-handlers.test.js +1 -1
package/dist/utils/config.d.ts +11 -0
package/package.json +2 -2

package/dist/tools/deep-handlers.js CHANGED Viewed

@@ -40,7 +40,7 @@ export async function handleCheckDeep(runner, cwd, config, args) {
             if (db) {
                 const repoName = path.basename(cwd);
                 const scanId = insertScan(db, repoName, report, {
-                    deepTier: args.pro ? 'pro' : (execution.isLocal ? 'deep' : 'cloud'),
+                    deepTier: args.pro ? 'deep' : (execution.isLocal ? 'lite' : 'cloud'),
                     deepModel: report.stats.deep?.model,
                 });
                 insertFindings(db, scanId, report.failures);

package/dist/tools/deep-handlers.test.js CHANGED Viewed

@@ -10,7 +10,7 @@ describe('handleCheckDeep privacy routing', () => {
             score: 100,
             ai_health_score: 100,
             structural_score: 100,
-            deep: { enabled: true, tier: 'deep', model: 'Qwen2.5-Coder-0.5B', total_ms: 1000 },
+            deep: { enabled: true, tier: 'lite', model: 'Qwen3.5-0.8B', total_ms: 1000 },
         },
     };
     it('reports local execution by default', async () => {

package/dist/tools/definitions.js CHANGED Viewed

@@ -27,14 +27,14 @@ export const TOOL_DEFINITIONS = [
     // ─── Core Quality Gates ───────────────────────────────
     {
         name: "rigour_check",
-        description: "Run quality gate checks on the project. Deep modes: off (fast deterministic gates only), quick (deep enabled with standard local tier unless cloud provider is configured), full (deep enabled, optional pro model).",
+        description: "Run quality gate checks on the project. Deep modes: off (fast deterministic gates only), quick (deep enabled with lite local model unless cloud provider is configured), full (deep enabled, optional pro flag for full deep model).",
         inputSchema: {
             type: "object",
             properties: {
                 ...cwdParam(),
                 files: { type: "array", items: { type: "string" }, description: "Optional file paths (relative to cwd) to limit scan scope for both deterministic and deep checks." },
-                deep: { type: "string", enum: ["off", "quick", "full"], description: "Deep mode: 'off' (default), 'quick' (deep enabled with standard model), 'full' (deep enabled, combine with pro=true for larger local model)." },
-                pro: { type: "boolean", description: "Use larger local deep model tier when deep is enabled." },
+                deep: { type: "string", enum: ["off", "quick", "full"], description: "Deep mode: 'off' (default), 'quick' (deep enabled with lite model), 'full' (deep enabled, combine with pro=true for full deep model)." },
+                pro: { type: "boolean", description: "Use full deep model (Qwen2.5-Coder-1.5B) instead of lite (Qwen3.5-0.8B) when deep is enabled." },
                 apiKey: { type: "string", description: "Optional cloud API key for deep analysis." },
                 provider: { type: "string", description: "Cloud provider for deep analysis (claude, openai, gemini, groq, mistral, together, deepseek, ollama, etc.)." },
                 apiBaseUrl: { type: "string", description: "Custom API base URL for self-hosted/proxy deep endpoints." },
@@ -461,12 +461,12 @@ export const TOOL_DEFINITIONS = [
     // ─── Deep Analysis (v4.0+) ──────────────────────────────
     {
         name: "rigour_check_deep",
-        description: "Run quality gates WITH deep LLM-powered analysis. Three-step pipeline: AST extracts facts → LLM interprets → AST verifies. Local-first by default (Qwen2.5-Coder), or bring your own API key for any cloud provider.",
+        description: "Run quality gates WITH deep LLM-powered analysis. Three-step pipeline: AST extracts facts → LLM interprets → AST verifies. Local-first by default (Qwen3.5-0.8B lite sidecar), or bring your own API key for any cloud provider.",
         inputSchema: {
             type: "object",
             properties: {
                 ...cwdParam(),
-                pro: { type: "boolean", description: "Use the larger 1.5B model (--pro tier). Default: false (0.5B model)." },
+                pro: { type: "boolean", description: "Use full deep model (Qwen2.5-Coder-1.5B) instead of default lite model (Qwen3.5-0.8B)." },
                 apiKey: { type: "string", description: "API key for cloud LLM provider. If provided, uses cloud instead of local sidecar." },
                 provider: { type: "string", description: "Cloud provider name (e.g., 'claude', 'openai', 'gemini', 'groq', 'mistral', 'together', 'fireworks', 'deepseek', 'perplexity', 'ollama', 'lmstudio'). Default: 'claude' when apiKey is provided." },
                 apiBaseUrl: { type: "string", description: "Custom API base URL for self-hosted or proxy endpoints." },

package/dist/tools/quality-handlers.test.js CHANGED Viewed

@@ -23,7 +23,7 @@ describe('handleCheck deep routing', () => {
             ...baseReport,
             stats: {
                 ...baseReport.stats,
-                deep: { enabled: true, tier: 'deep', model: 'Qwen2.5-Coder-0.5B' },
+                deep: { enabled: true, tier: 'lite', model: 'Qwen3.5-0.8B' },
             },
         });
         const runner = { run };

package/dist/utils/config.d.ts CHANGED Viewed

@@ -110,6 +110,17 @@ export declare function loadConfig(cwd: string): Promise<{
             command_injection: boolean;
             block_on_severity: "critical" | "high" | "medium" | "low";
         };
+        frontend_secret_exposure: {
+            enabled: boolean;
+            block_on_severity: "critical" | "high" | "medium" | "low";
+            check_process_env: boolean;
+            check_import_meta_env: boolean;
+            secret_env_name_patterns: string[];
+            safe_public_prefixes: string[];
+            frontend_path_patterns: string[];
+            server_path_patterns: string[];
+            allowlist_env_names: string[];
+        };
         adaptive: {
             enabled: boolean;
             base_coverage_threshold: number;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/mcp",
-  "version": "4.3.1",
+  "version": "4.3.3",
   "description": "MCP server for AI code governance — OWASP LLM Top 10 (10/10), real-time hooks, 25+ security patterns, hallucinated import detection, multi-agent governance. Works with Claude, Cursor, Cline, Windsurf, Gemini. Industry presets for HIPAA, SOC2, FedRAMP.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -48,7 +48,7 @@
     "execa": "^8.0.1",
     "fs-extra": "^11.2.0",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "4.3.1"
+    "@rigour-labs/core": "4.3.3"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",