@runsec/mcp 1.0.26 → 1.0.28

package/dist/data/semgrep-rules/README-taint-overlays.md

@@ -18,4 +18,4 @@ rules:
       - pattern: child_process.exec($X, ...)
 ```
 
-Map to MITRE **T1059.007** (JavaScript) / **T1204** where applicable; combine with `server/cognitive_engine.py` to downgrade confidence when matches are constant-only.
+Map to MITRE **T1059.007** (JavaScript) / **T1204** where applicable; combine with RunSec cognitive scoring in the Hub pipeline when matches are constant-only.

package/dist/index.js

@@ -29,6 +29,7 @@ var import_types = require("@modelcontextprotocol/sdk/types.js");
 
 // src/engine/ruleEngine.ts
 var import_node_fs2 = require("fs");
+var import_node_fs3 = require("fs");
 var import_node_path2 = __toESM(require("path"));
 var import_ignore = __toESM(require("ignore"));
 
@@ -250,7 +251,7 @@ async function buildIgnoreMatcher(workspaceRoot) {
   ]);
   const runsecIgnorePath = import_node_path2.default.join(workspaceRoot, RUNSEC_IGNORE_FILE);
   try {
-    const content = await import_node_fs2.promises.readFile(runsecIgnorePath, "utf-8");
+    const content = await import_node_fs3.promises.readFile(runsecIgnorePath, "utf-8");
     matcher.add(content);
   } catch {
   }
@@ -265,7 +266,7 @@ async function collectFilesWithStats(workspacePath, targetFiles) {
   let skippedByIgnore = 0;
   let stat;
   try {
-    stat = await import_node_fs2.promises.stat(root);
+    stat = await import_node_fs3.promises.stat(root);
   } catch {
     stat = null;
   }
@@ -282,7 +283,7 @@ async function collectFilesWithStats(workspacePath, targetFiles) {
         continue;
       }
       try {
-        const s = await import_node_fs2.promises.stat(candidate);
+        const s = await import_node_fs3.promises.stat(candidate);
         if (s.isFile()) out.push(candidate);
       } catch {
       }
@@ -293,7 +294,7 @@ async function collectFilesWithStats(workspacePath, targetFiles) {
   const stack = [root];
   while (stack.length) {
     const dir = stack.pop();
-    const entries = await import_node_fs2.promises.readdir(dir, { withFileTypes: true });
+    const entries = await import_node_fs3.promises.readdir(dir, { withFileTypes: true });
     for (const entry of entries) {
       const full = import_node_path2.default.join(dir, entry.name);
       const relative = normalizeRelativePath(import_node_path2.default.relative(root, full));
@@ -329,14 +330,16 @@ function findLineByOffset(content, offset) {
   }
   return line;
 }
-function extractSnippetByLine(fileContent, line) {
+function extractSnippetFromDisk(absoluteFilePath, line) {
   try {
-    const lines = fileContent.split("\n");
+    const actualContent = (0, import_node_fs2.readFileSync)(absoluteFilePath, "utf-8");
+    const lines = actualContent.split("\n");
     const start = Math.max(0, line - 2);
     const end = Math.min(lines.length, line + 2);
-    return lines.slice(start, end).join("\n").trim() || "// Snippet extraction failed";
-  } catch {
-    return "// Error reading code snippet";
+    return lines.slice(start, end).join("\n").trim() || "SNIPPET_IS_EMPTY";
+  } catch (error) {
+    console.error(`Failed to read snippet for ${absoluteFilePath}`, error);
+    return "ERROR_READING_FILE";
   }
 }
 function scanContentWithRules(content, file, workspacePath, rules) {
@@ -353,7 +356,7 @@ function scanContentWithRules(content, file, workspacePath, rules) {
       while ((match = regex.exec(content)) !== null) {
         const line = findLineByOffset(content, match.index);
         const snippetMatch = match[0] || "";
-        const snippet = extractSnippetByLine(content, line);
+        const snippet = extractSnippetFromDisk(file, line);
         localFindings.push({
           rule_id: rule.id,
           cwe: rule.cwe,
@@ -384,7 +387,7 @@ async function executeAudit(toolName, args) {
       fileBatch.map(async (file) => {
         let fileStat;
         try {
-          fileStat = await import_node_fs2.promises.stat(file);
+          fileStat = await import_node_fs3.promises.stat(file);
         } catch {
           return [];
         }
@@ -394,7 +397,7 @@ async function executeAudit(toolName, args) {
         }
         let content = "";
         try {
-          content = await import_node_fs2.promises.readFile(file, "utf-8");
+          content = await import_node_fs3.promises.readFile(file, "utf-8");
         } catch {
           return [];
         }
@@ -426,17 +429,19 @@ async function executeAudit(toolName, args) {
 }
 
 // src/engine/reportFormatter.ts
-var import_node_fs3 = __toESM(require("fs"));
+var import_node_fs4 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 function safeText(value) {
   return String(value ?? "").replace(/`/g, "'");
 }
-function shouldExcludeFindingFilePath(filePath) {
-  const n = filePath.replace(/\\/g, "/");
-  const u = n.toUpperCase();
-  if (u.includes("SECURITY_AUDIT")) return true;
-  if (n.includes("/tests/") || n.startsWith("tests/")) return true;
-  return false;
+function cleanReportFindings(findings) {
+  return findings.filter((f) => {
+    const ruleId = String(f.rule_id || "").toLowerCase();
+    const fp = String(f.file_path || "").replace(/\\/g, "/");
+    const isK8sInPython = ruleId.includes("k8s") && fp.toLowerCase().endsWith(".py");
+    const isTestOrDoc = fp.includes("SECURITY_AUDIT") || fp.includes("tests/");
+    return !isK8sInPython && !isTestOrDoc;
+  });
 }
 function tierCriticalHighLow(severity) {
   const x = (severity || "HIGH").toUpperCase();
@@ -448,7 +453,7 @@ function escapeSnippetForBlockquoteFenced(snippet) {
   return snippet.replace(/```/g, "```");
 }
 function buildServerSideReportMarkdown(standard, findings, metrics) {
-  const rows = findings.filter((f) => !shouldExcludeFindingFilePath(String(f.file_path || "")));
+  const rows = cleanReportFindings(findings);
   let critical = 0;
   let high = 0;
   let low = 0;
@@ -467,7 +472,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   out.push("---");
   out.push("### Compliance Matrix");
   out.push(`- **CRITICAL:** ${critical} | **HIGH:** ${high} | **LOW:** ${low}`);
-  out.push(`- **Reported findings (after excluding SECURITY_AUDIT* paths and tests/):** ${rows.length}`);
+  out.push(`- **Reported findings (after excluding K8s-on-.py, SECURITY_AUDIT, tests/):** ${rows.length}`);
   out.push("");
   out.push("---");
   out.push("### Findings");
@@ -481,7 +486,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
       const sev = safeText(finding.severity || "HIGH");
       const cwe = safeText(finding.cwe || "UNKNOWN");
       const desc = String(finding.description || "").trim();
-      const rawSnippet = String(finding.snippet || "").trim() || "// (empty snippet)";
+      const rawSnippet = String(finding.snippet ?? "").trim() || "SNIPPET_IS_EMPTY";
       const sn = escapeSnippetForBlockquoteFenced(rawSnippet);
       out.push(`#### \`${fp}:${line}\` \u2014 ${rule}`);
       if (desc) out.push(safeText(desc));
@@ -520,7 +525,7 @@ function generateMarkdownReport(standard, findings, metrics, workspacePath) {
   const rows = Array.isArray(findings) ? findings : [];
   const reportContent = buildServerSideReportMarkdown(standard, rows, m);
   const reportPath = import_node_path3.default.join(process.cwd(), "runsec-report.md");
-  import_node_fs3.default.writeFileSync(reportPath, reportContent, "utf-8");
+  import_node_fs4.default.writeFileSync(reportPath, reportContent, "utf-8");
   console.error(`[runsec] wrote server-side report to: ${reportPath}`);
   return `
 <system_directive>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.26",
+  "version": "1.0.28",
   "main": "dist/index.js",
   "files": [
     "dist",