@runsec/mcp 1.0.70 → 1.0.71

package/dist/index.js

@@ -401,16 +401,38 @@ async function ignoreFinding(args) {
 
 // src/engine/ruleEngine.ts
 var import_node_fs8 = require("fs");
-var import_node_path13 = __toESM(require("path"));
+var import_node_path14 = __toESM(require("path"));
 var import_ignore = __toESM(require("ignore"));
 
 // src/engine/unifiedScanPipeline.ts
-var import_node_path12 = __toESM(require("path"));
+var import_node_path13 = __toESM(require("path"));
 
 // src/engine/cognitiveEngine.ts
 var import_node_crypto2 = require("crypto");
 var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
+
+// src/engine/secretHeuristics.ts
+var ENV_INTERP_RE = /\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[/i;
+var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
+function hasEnvironmentInterpolation(text) {
+  return ENV_INTERP_RE.test(text);
+}
+function isLockfileOrModulesPath(relPath) {
+  const normalized = relPath.replace(/\\/g, "/").toLowerCase();
+  if (!normalized || normalized === ".") return false;
+  if (normalized.includes("/node_modules/") || normalized.startsWith("node_modules/")) return true;
+  const base = normalized.split("/").pop() ?? normalized;
+  if (LOCKFILE_BASENAMES.test(base)) return true;
+  if (base.endsWith(".lock")) return true;
+  if (/-lock\.json$/i.test(base)) return true;
+  return false;
+}
+function isTrufflehogVerified(verifiedFlag, description) {
+  return verifiedFlag || /\(verified\)/i.test(description);
+}
+
+// src/engine/cognitiveEngine.ts
 var PRIMARY_LOG_THRESHOLD = 0.8;
 var CONFIDENCE_THRESHOLD = PRIMARY_LOG_THRESHOLD;
 var ELITE_LOW_CONFIDENCE_CAP = 0.28;
@@ -479,11 +501,20 @@ function looksLikeStaticLiteralMatch(finding) {
   if (snippet.length < 3) return false;
   return /^["'][^"']{0,200}["']\s*$/u.test(snippet);
 }
+function isUnverifiedTrufflehogSecret(finding) {
+  return finding.category === "secrets" && !/\(verified\)/i.test(finding.description);
+}
 function envOrConfigOnly(title, finding) {
   const t = title.toLowerCase();
   if (/\b(env var|environment|os\.getenv|process\.env|feature flag)\b/i.test(t)) return true;
-  const blob = `${finding.description} ${finding.match_text}`.toLowerCase();
-  return blob.includes("getenv") || blob.includes("process.env");
+  const blob = `${finding.description} ${finding.match_text} ${finding.snippet ?? ""}`;
+  if (hasEnvironmentInterpolation(blob)) return true;
+  const lowered = blob.toLowerCase();
+  return lowered.includes("getenv") || lowered.includes("process.env");
+}
+function precedentEnvironmentInterpolation(title, msg, snippet, description) {
+  if (/\(verified\)/i.test(description)) return false;
+  return hasEnvironmentInterpolation(`${title} ${msg} ${snippet}`);
 }
 function isSqlInjectionFinding(finding) {
   const blob = combinedTitleAndMessage(finding).toLowerCase();
@@ -728,6 +759,14 @@ function elitePrecedents(score, finding, relPath) {
     s = Math.min(s, 0.12);
     reasons.push("precedent:shell_no_untrusted_input_attack_path");
   }
+  if (precedentEnvironmentInterpolation(title, msg, snippet, finding.description)) {
+    s = Math.min(s, 0.15);
+    reasons.push("precedent:environment_interpolation");
+  }
+  if (finding.category === "secrets" && isUnverifiedTrufflehogSecret(finding) && isLockfileOrModulesPath(relPath)) {
+    s = Math.min(s, 0.1);
+    reasons.push("precedent:lockfile_or_modules_path");
+  }
   return [Math.max(0.05, s), reasons];
 }
 function comparativeAnalysisBoost(repoRoot, relPath, apply) {
@@ -795,6 +834,22 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
   } else if (category === "secrets") {
     if (sev === "CRITICAL") score = 0.95;
     else if (finding.match_text.includes("(verified)")) score = 0.93;
+    if (/pii\s+email/i.test(title) || finding.rule_id.includes("pii-email")) {
+      const piiVerified = /\(verified\)/i.test(finding.description);
+      score = Math.min(score, piiVerified ? 0.45 : 0.32);
+      reasons.push("pii_email_deprioritized");
+    }
+    if (isUnverifiedTrufflehogSecret(finding)) {
+      const secretBlob = `${finding.match_text} ${finding.snippet ?? ""}`;
+      if (hasEnvironmentInterpolation(secretBlob)) {
+        score = Math.min(score, 0.15);
+        reasons.push("environment_interpolation_placeholder");
+      }
+      if (isLockfileOrModulesPath(relPath)) {
+        score = Math.min(score, 0.1);
+        reasons.push("lockfile_or_modules_path");
+      }
+    }
   }
   const libs = phase1.protection_libs_detected ?? [];
   if (libs.length && protectionMatchesMetric(title, libs)) {
@@ -1618,6 +1673,9 @@ function trufflehogFileAndLine(raw) {
 }
 function severityForSecret(detectorName, verified) {
   const name = detectorName.toLowerCase();
+  if (name.includes("pii email")) {
+    return verified ? "LOW" : "INFO";
+  }
   if (CRITICAL_SECRET_DETECTORS.test(name) || verified === true) {
     return "CRITICAL";
   }
@@ -1634,6 +1692,12 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const redacted = String(raw.Redacted ?? "").trim();
     const rawSecret = String(raw.Raw ?? "").trim();
     const display = redacted || rawSecret || "[secret redacted]";
+    const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
+    if (!isTrufflehogVerified(verified, description)) {
+      if (isLockfileOrModulesPath(rel)) continue;
+      const blob = `${display} ${rawSecret}`;
+      if (hasEnvironmentInterpolation(blob)) continue;
+    }
     const severity = severityForSecret(detector, verified);
     findings.push({
       category: "secrets",
@@ -1643,7 +1707,7 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
       asvsLevel: "L1",
       asvsTrace: "V6.4.1",
       severity,
-      description: `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`,
+      description,
       file_path: rel,
       line,
       match_text: display.slice(0, 200),
@@ -2321,7 +2385,38 @@ async function runSemgrepScan(opts) {
 // src/engine/supplyChainRunner.ts
 var import_node_child_process2 = require("child_process");
 var import_node_util2 = require("util");
+var import_node_path12 = __toESM(require("path"));
+
+// src/engine/trufflehogExclude.ts
+var import_promises = __toESM(require("fs/promises"));
+var import_node_os = __toESM(require("os"));
 var import_node_path11 = __toESM(require("path"));
+var TRUFFLEHOG_EXCLUDE_PATTERNS = [
+  "**/*.lock",
+  "**/package-lock.json",
+  "**/pnpm-lock.yaml",
+  "**/yarn.lock",
+  "**/poetry.lock",
+  "**/Cargo.lock",
+  "**/composer.lock",
+  "**/Gemfile.lock",
+  "**/*-lock.json",
+  "**/node_modules/**"
+];
+async function createTrufflehogExcludeFile() {
+  const tmpDir = await import_promises.default.mkdtemp(import_node_path11.default.join(import_node_os.default.tmpdir(), "runsec-th-exclude-"));
+  const excludeFilePath = import_node_path11.default.join(tmpDir, "exclude-paths.txt");
+  await import_promises.default.writeFile(excludeFilePath, `${TRUFFLEHOG_EXCLUDE_PATTERNS.join("\n")}
+`, "utf-8");
+  return {
+    excludeFilePath,
+    cleanup: async () => {
+      await import_promises.default.rm(tmpDir, { recursive: true, force: true }).catch(() => void 0);
+    }
+  };
+}
+
+// src/engine/supplyChainRunner.ts
 var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process2.execFile);
 var MAX_BUFFER_BYTES2 = 64 * 1024 * 1024;
 var TRUFFLEHOG_DOCKER = "trufflesecurity/trufflehog:latest";
@@ -2416,12 +2511,12 @@ async function runExec(bin, argv, cwd, engineLabel) {
   }
 }
 function getTrufflehogConfigPath() {
-  return import_node_path11.default.join(getDataDirectory(), "trufflehog-config.yaml");
+  return import_node_path12.default.join(getDataDirectory(), "trufflehog-config.yaml");
 }
 function resolveScanTarget(workspaceRoot, scanTargets) {
-  const root = import_node_path11.default.resolve(workspaceRoot);
-  const abs = scanTargets.length === 1 ? import_node_path11.default.resolve(scanTargets[0]) : root;
-  const relRaw = import_node_path11.default.relative(root, abs);
+  const root = import_node_path12.default.resolve(workspaceRoot);
+  const abs = scanTargets.length === 1 ? import_node_path12.default.resolve(scanTargets[0]) : root;
+  const relRaw = import_node_path12.default.relative(root, abs);
   const rel = relRaw && !relRaw.startsWith("..") ? relRaw.replace(/\\/g, "/") : ".";
   return { abs, rel };
 }
@@ -2437,25 +2532,98 @@ function parseTrufflehogStdout(stdout) {
   }
   return out;
 }
+function trufflehogArgvWithExcludes(targetArg, configPath, excludeFilePath, dockerConfigPath) {
+  const config = dockerConfigPath ?? configPath;
+  return [
+    "filesystem",
+    targetArg,
+    "--json",
+    "--config",
+    config,
+    "--exclude-paths",
+    excludeFilePath
+  ];
+}
 async function runTrufflehogScan(opts) {
-  const root = import_node_path11.default.resolve(opts.workspaceRoot);
+  const root = import_node_path12.default.resolve(opts.workspaceRoot);
   const { rel } = resolveScanTarget(root, opts.scanTargets);
   const configPath = getTrufflehogConfigPath();
   const targetArg = rel === "." ? "." : rel;
-  const localArgv = ["filesystem", targetArg, "--json", "--config", configPath];
-  const trufflehogBin = resolveEngineCommand("trufflehog");
+  const excludeArtifacts = await createTrufflehogExcludeFile();
   try {
-    const { stdout, stderr, exitCode } = await runExec(trufflehogBin, localArgv, root, "trufflehog");
-    const findings = parseTrufflehogStdout(stdout);
-    if (exitCode !== 0 && findings.length === 0) {
-      const error = resolveSupplyChainErrorMessage("trufflehog", { stderr, exitCode });
-      logEngineExecFailure("trufflehog", trufflehogBin, exitCode, stderr, error);
-      logSupplyChainErrorStatus("trufflehog", { stderr, error, exitCode });
-      return { engine: "trufflehog", status: "error", findings: [], stderr: stderr.trim() || error, error };
-    }
-    return { engine: "trufflehog", status: "ok", findings, stderr };
-  } catch (error) {
-    if (!isENOENTError(error)) {
+    const localArgv = trufflehogArgvWithExcludes(targetArg, configPath, excludeArtifacts.excludeFilePath);
+    const trufflehogBin = resolveEngineCommand("trufflehog");
+    try {
+      const { stdout, stderr, exitCode } = await runExec(trufflehogBin, localArgv, root, "trufflehog");
+      const findings = parseTrufflehogStdout(stdout);
+      if (exitCode !== 0 && findings.length === 0) {
+        const error = resolveSupplyChainErrorMessage("trufflehog", { stderr, exitCode });
+        logEngineExecFailure("trufflehog", trufflehogBin, exitCode, stderr, error);
+        logSupplyChainErrorStatus("trufflehog", { stderr, error, exitCode });
+        return { engine: "trufflehog", status: "error", findings: [], stderr: stderr.trim() || error, error };
+      }
+      return { engine: "trufflehog", status: "ok", findings, stderr };
+    } catch (error) {
+      if (!isENOENTError(error)) {
+        logScanCatchFailure("trufflehog", error);
+        const message = error instanceof Error ? error.message : String(error);
+        const captured = readExecError2(error);
+        const resolved = resolveSupplyChainErrorMessage("trufflehog", {
+          stderr: captured?.stderr,
+          error: message,
+          exitCode: captured?.exitCode
+        });
+        logSupplyChainErrorStatus("trufflehog", {
+          stderr: captured?.stderr,
+          error: resolved,
+          exitCode: captured?.exitCode
+        });
+        return {
+          engine: "trufflehog",
+          status: "error",
+          findings: [],
+          stderr: captured?.stderr?.trim() || resolved,
+          error: resolved
+        };
+      }
+    }
+    const dockerRel = rel === "." ? "/src" : `/src/${rel}`;
+    const dataDir = getDataDirectory();
+    const dockerExcludePath = "/runsec-exclude/exclude-paths.txt";
+    const dockerArgv = [
+      "run",
+      "--rm",
+      "-v",
+      `${root}:/src`,
+      "-v",
+      `${dataDir}:/runsec-data:ro`,
+      "-v",
+      `${import_node_path12.default.dirname(excludeArtifacts.excludeFilePath)}:/runsec-exclude:ro`,
+      TRUFFLEHOG_DOCKER,
+      ...trufflehogArgvWithExcludes(
+        dockerRel,
+        configPath,
+        dockerExcludePath,
+        "/runsec-data/trufflehog-config.yaml"
+      )
+    ];
+    try {
+      const { stdout, stderr, exitCode } = await runExec("docker", dockerArgv, void 0, "docker-trufflehog");
+      const findings = parseTrufflehogStdout(stdout);
+      if (exitCode !== 0 && findings.length === 0) {
+        const error = resolveSupplyChainErrorMessage("trufflehog", { stderr, error: stderr.trim(), exitCode });
+        logEngineExecFailure("docker-trufflehog", "docker", exitCode, stderr, error);
+        logSupplyChainErrorStatus("docker-trufflehog", { stderr, error, exitCode });
+        return {
+          engine: "docker-trufflehog",
+          status: "error",
+          findings: [],
+          stderr: stderr.trim() || error,
+          error
+        };
+      }
+      return { engine: "docker-trufflehog", status: "ok", findings, stderr };
+    } catch (error) {
       logScanCatchFailure("trufflehog", error);
       const message = error instanceof Error ? error.message : String(error);
       const captured = readExecError2(error);
@@ -2464,70 +2632,18 @@ async function runTrufflehogScan(opts) {
         error: message,
         exitCode: captured?.exitCode
       });
-      logSupplyChainErrorStatus("trufflehog", {
-        stderr: captured?.stderr,
-        error: resolved,
-        exitCode: captured?.exitCode
-      });
+      const fullError = isENOENTError(error) ? `${resolved} ${engineSetupHint("trufflehog")}` : `trufflehog not available: ${resolved}. ${engineSetupHint("trufflehog")}`;
+      logSupplyChainErrorStatus("trufflehog", { stderr: captured?.stderr, error: fullError, exitCode: captured?.exitCode });
       return {
         engine: "trufflehog",
         status: "error",
         findings: [],
-        stderr: captured?.stderr?.trim() || resolved,
-        error: resolved
+        stderr: captured?.stderr?.trim() || fullError,
+        error: fullError
       };
     }
-  }
-  const dockerRel = rel === "." ? "/src" : `/src/${rel}`;
-  const dataDir = getDataDirectory();
-  const dockerArgv = [
-    "run",
-    "--rm",
-    "-v",
-    `${root}:/src`,
-    "-v",
-    `${dataDir}:/runsec-data:ro`,
-    TRUFFLEHOG_DOCKER,
-    "filesystem",
-    dockerRel,
-    "--json",
-    "--config",
-    "/runsec-data/trufflehog-config.yaml"
-  ];
-  try {
-    const { stdout, stderr, exitCode } = await runExec("docker", dockerArgv, void 0, "docker-trufflehog");
-    const findings = parseTrufflehogStdout(stdout);
-    if (exitCode !== 0 && findings.length === 0) {
-      const error = resolveSupplyChainErrorMessage("trufflehog", { stderr, error: stderr.trim(), exitCode });
-      logEngineExecFailure("docker-trufflehog", "docker", exitCode, stderr, error);
-      logSupplyChainErrorStatus("docker-trufflehog", { stderr, error, exitCode });
-      return {
-        engine: "docker-trufflehog",
-        status: "error",
-        findings: [],
-        stderr: stderr.trim() || error,
-        error
-      };
-    }
-    return { engine: "docker-trufflehog", status: "ok", findings, stderr };
-  } catch (error) {
-    logScanCatchFailure("trufflehog", error);
-    const message = error instanceof Error ? error.message : String(error);
-    const captured = readExecError2(error);
-    const resolved = resolveSupplyChainErrorMessage("trufflehog", {
-      stderr: captured?.stderr,
-      error: message,
-      exitCode: captured?.exitCode
-    });
-    const fullError = isENOENTError(error) ? `${resolved} ${engineSetupHint("trufflehog")}` : `trufflehog not available: ${resolved}. ${engineSetupHint("trufflehog")}`;
-    logSupplyChainErrorStatus("trufflehog", { stderr: captured?.stderr, error: fullError, exitCode: captured?.exitCode });
-    return {
-      engine: "trufflehog",
-      status: "error",
-      findings: [],
-      stderr: captured?.stderr?.trim() || fullError,
-      error: fullError
-    };
+  } finally {
+    await excludeArtifacts.cleanup();
   }
 }
 function parseSyftStdout(stdout) {
@@ -2540,7 +2656,7 @@ function parseSyftStdout(stdout) {
   }
 }
 async function runSyftScan(opts) {
-  const root = import_node_path11.default.resolve(opts.workspaceRoot);
+  const root = import_node_path12.default.resolve(opts.workspaceRoot);
   const { abs } = resolveScanTarget(root, opts.scanTargets);
   const scanPath = abs;
   const syftBin = resolveEngineCommand("syft");
@@ -2596,7 +2712,7 @@ async function runSyftScan(opts) {
       };
     }
   }
-  const rel = import_node_path11.default.relative(root, scanPath).replace(/\\/g, "/") || ".";
+  const rel = import_node_path12.default.relative(root, scanPath).replace(/\\/g, "/") || ".";
   const dockerTarget = rel === "." ? "/src" : `/src/${rel}`;
   const dockerArgv = ["run", "--rm", "-v", `${root}:/src`, SYFT_DOCKER, dockerTarget, "-o", "json"];
   try {
@@ -2776,7 +2892,7 @@ function applyCognitiveFilter(workspaceRoot, findings) {
 async function runUnifiedScanPipeline(opts) {
   const startedAt = Date.now();
   const { standard, workspace_path, scan_targets, skipped_by_ignore } = opts;
-  const workspaceRoot = import_node_path12.default.resolve(workspace_path);
+  const workspaceRoot = import_node_path13.default.resolve(workspace_path);
   const rules = getRulesRegistry()[standard];
   const fpIgnoreEntries = await loadIgnoreEntries(workspaceRoot);
   const { semgrepOutcome, trufflehogOutcome, syftOutcome, concurrent_duration_ms } = await runScanEnginesConcurrent(
@@ -2940,7 +3056,7 @@ async function buildIgnoreMatcher(workspaceRoot) {
     "**/coverage/**",
     "**/vendor/**"
   ]);
-  const runsecIgnorePath = import_node_path13.default.join(workspaceRoot, RUNSEC_IGNORE_FILE);
+  const runsecIgnorePath = import_node_path14.default.join(workspaceRoot, RUNSEC_IGNORE_FILE);
   try {
     const content = await import_node_fs8.promises.readFile(runsecIgnorePath, "utf-8");
     matcher.add(content);
@@ -2949,7 +3065,7 @@ async function buildIgnoreMatcher(workspaceRoot) {
   return matcher;
 }
 async function collectFilesWithStats(workspacePath, targetFiles) {
-  const root = import_node_path13.default.resolve(workspacePath);
+  const root = import_node_path14.default.resolve(workspacePath);
   const ignoreMatcher = await buildIgnoreMatcher(root);
   let skippedByIgnore = 0;
   let stat;
@@ -2964,8 +3080,8 @@ async function collectFilesWithStats(workspacePath, targetFiles) {
   if (targetFiles?.length) {
     const out = [];
     for (const f of targetFiles) {
-      const candidate = import_node_path13.default.resolve(root, f);
-      const relativeCandidate = normalizeRelativePath3(import_node_path13.default.relative(root, candidate));
+      const candidate = import_node_path14.default.resolve(root, f);
+      const relativeCandidate = normalizeRelativePath3(import_node_path14.default.relative(root, candidate));
       if (!relativeCandidate || ignoreMatcher.ignores(relativeCandidate) || shouldIgnoreByDefault(relativeCandidate)) {
         skippedByIgnore += 1;
         continue;
@@ -3005,7 +3121,7 @@ function buildAuditReportMetrics(result) {
 async function executeAudit(toolName, args) {
   const standard = STANDARD_TOOL_MAP[toolName];
   if (!standard) throw new Error(`Unknown audit tool: ${toolName}`);
-  const workspaceRoot = import_node_path13.default.resolve(args.workspace_path);
+  const workspaceRoot = import_node_path14.default.resolve(args.workspace_path);
   const { files: scanTargets, skipped_by_ignore } = await collectFilesWithStats(workspaceRoot, args.target_files);
   const result = await runUnifiedScanPipeline({
     standard,
@@ -3019,7 +3135,7 @@ async function executeAudit(toolName, args) {
 
 // src/engine/reportFormatter.ts
 var import_node_fs9 = __toESM(require("fs"));
-var import_node_path14 = __toESM(require("path"));
+var import_node_path15 = __toESM(require("path"));
 var REPORT_SECTION_TITLES = {
   code: "Code Vulnerabilities",
   secrets: "Exposed Secrets",
@@ -3112,7 +3228,7 @@ function shortRuleLabel(ruleId) {
   return parts[parts.length - 1] || ruleId;
 }
 function snippetLanguage(filePath) {
-  const ext = import_node_path14.default.extname(filePath).replace(/^\./, "").toLowerCase();
+  const ext = import_node_path15.default.extname(filePath).replace(/^\./, "").toLowerCase();
   const map = {
     yml: "yaml",
     yaml: "yaml",
@@ -3214,9 +3330,9 @@ var TECH_STACK_BY_EXT = {
 };
 function techStackFromFilePath(filePath) {
   const normalized = String(filePath ?? "").replace(/\\/g, "/");
-  const base = import_node_path14.default.basename(normalized).toLowerCase();
+  const base = import_node_path15.default.basename(normalized).toLowerCase();
   if (base === "dockerfile" || base.startsWith("dockerfile.")) return "Docker";
-  const ext = import_node_path14.default.extname(normalized).toLowerCase();
+  const ext = import_node_path15.default.extname(normalized).toLowerCase();
   return TECH_STACK_BY_EXT[ext] ?? "Other";
 }
 function countFindingsByTechStack(findings) {
@@ -3478,8 +3594,8 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   return finalizeReportMarkdown(out.join("\n"));
 }
 function resolveReportPath(workspacePath) {
-  const base = workspacePath?.trim() ? import_node_path14.default.resolve(workspacePath) : process.cwd();
-  return import_node_path14.default.join(base, "runsec-report.md");
+  const base = workspacePath?.trim() ? import_node_path15.default.resolve(workspacePath) : process.cwd();
+  return import_node_path15.default.join(base, "runsec-report.md");
 }
 function generateMarkdownReport(standard, findings, metrics, workspacePath) {
   const m = metrics || {};
@@ -3502,16 +3618,16 @@ Simply confirm that the scan is complete and the report is saved at the path abo
 
 // src/engine/reviewFormatter.ts
 var import_node_fs14 = __toESM(require("fs"));
-var import_node_path20 = __toESM(require("path"));
+var import_node_path21 = __toESM(require("path"));
 
 // src/engine/threatModelEngine.ts
 var import_node_crypto4 = require("crypto");
 var import_node_fs13 = __toESM(require("fs"));
-var import_node_path19 = __toESM(require("path"));
+var import_node_path20 = __toESM(require("path"));
 
 // src/skills/skillsApi.ts
 var import_node_fs12 = __toESM(require("fs"));
-var import_node_path18 = __toESM(require("path"));
+var import_node_path19 = __toESM(require("path"));
 
 // src/skills/patternParser.ts
 var METRIC_ID_RE = /^[A-Z0-9]{2,4}-[0-9A-Za-z.\-]+$/;
@@ -3584,25 +3700,25 @@ function parsePatternRows(patternsText) {
 }
 
 // src/skills/paths.ts
-var import_node_path15 = __toESM(require("path"));
+var import_node_path16 = __toESM(require("path"));
 var RUNSEC_RELEASE_VERSION = "v1.0";
 var RAG_CACHE_SCHEMA_VERSION = 3;
 var ANTI_HALLUCINATION_PROMPT = "You MUST re-run a RunSec audit tool (runsec_audit_general or a scoped runsec_audit_*) after every remediation. Security claims without a fresh scanner PASS are invalid.";
 function getSkillsDirectory() {
-  return import_node_path15.default.join(getDataDirectory(), "skills");
+  return import_node_path16.default.join(getDataDirectory(), "skills");
 }
 function getRagCachePath() {
-  return import_node_path15.default.join(getDataDirectory(), ".rag-cache.json");
+  return import_node_path16.default.join(getDataDirectory(), ".rag-cache.json");
 }
 
 // src/skills/ragIndex.ts
 var import_node_crypto3 = require("crypto");
 var import_node_fs11 = __toESM(require("fs"));
-var import_node_path17 = __toESM(require("path"));
+var import_node_path18 = __toESM(require("path"));
 
 // src/skills/skillLoader.ts
 var import_node_fs10 = __toESM(require("fs"));
-var import_node_path16 = __toESM(require("path"));
+var import_node_path17 = __toESM(require("path"));
 function loadSkillManifests() {
   const skillsDir = getSkillsDirectory();
   const manifests = {};
@@ -3611,7 +3727,7 @@ function loadSkillManifests() {
   }
   for (const entry of import_node_fs10.default.readdirSync(skillsDir, { withFileTypes: true })) {
     if (!entry.isDirectory()) continue;
-    const skillJson = import_node_path16.default.join(skillsDir, entry.name, "skill.json");
+    const skillJson = import_node_path17.default.join(skillsDir, entry.name, "skill.json");
     if (!import_node_fs10.default.existsSync(skillJson)) continue;
     const data = JSON.parse(import_node_fs10.default.readFileSync(skillJson, "utf-8"));
     const sid = String(data.skill_id ?? entry.name);
@@ -3620,7 +3736,7 @@ function loadSkillManifests() {
   return manifests;
 }
 function skillDirectory(manifest) {
-  return import_node_path16.default.join(getSkillsDirectory(), manifest.__dir_name);
+  return import_node_path17.default.join(getSkillsDirectory(), manifest.__dir_name);
 }
 
 // src/skills/ragIndex.ts
@@ -3674,7 +3790,7 @@ function listSkillSourceFiles() {
   const files = [];
   const walk = (dir) => {
     for (const entry of import_node_fs11.default.readdirSync(dir, { withFileTypes: true })) {
-      const full = import_node_path17.default.join(dir, entry.name);
+      const full = import_node_path18.default.join(dir, entry.name);
       if (entry.isDirectory()) walk(full);
       else if (entry.isFile()) files.push(full);
     }
@@ -3687,7 +3803,7 @@ function computeFilesChecksum() {
   const entries = [];
   for (const full of files) {
     const st = import_node_fs11.default.statSync(full);
-    const rel = import_node_path17.default.relative(getSkillsDirectory(), full).replace(/\\/g, "/");
+    const rel = import_node_path18.default.relative(getSkillsDirectory(), full).replace(/\\/g, "/");
     const mtimeNs = typeof st.mtimeNs === "bigint" ? Number(st.mtimeNs) : Math.round(st.mtimeMs * 1e6);
     entries.push({
       path: rel,
@@ -3718,8 +3834,8 @@ function buildRagIndex() {
   const manifests = loadSkillManifests();
   for (const [skill_id, manifest] of Object.entries(manifests)) {
     const dir = skillDirectory(manifest);
-    const indexPath = import_node_path17.default.join(dir, "index.md");
-    const patternsPath = import_node_path17.default.join(dir, "patterns.md");
+    const indexPath = import_node_path18.default.join(dir, "index.md");
+    const patternsPath = import_node_path18.default.join(dir, "patterns.md");
     if (!import_node_fs11.default.existsSync(indexPath) || !import_node_fs11.default.existsSync(patternsPath)) continue;
     const indexText = import_node_fs11.default.readFileSync(indexPath, "utf-8");
     const patternsText = import_node_fs11.default.readFileSync(patternsPath, "utf-8");
@@ -3944,7 +4060,7 @@ function selectSkillsForContext(opts) {
   const query = [opts.question ?? "", opts.file_path ?? "", opts.file_content ?? ""].filter(Boolean).join("\n");
   const semScores = query ? semanticSkillScores(query) : {};
   const keywordBoosts = query ? skillBoosts(query) : {};
-  const suffix = import_node_path17.default.extname(opts.file_path ?? "").toLowerCase();
+  const suffix = import_node_path18.default.extname(opts.file_path ?? "").toLowerCase();
   const hay = query.toLowerCase();
   const ranked = [];
   for (const [sid, manifest] of Object.entries(manifests)) {
@@ -3981,7 +4097,7 @@ function findPatternChunkByMetric(metricId) {
 
 // src/skills/skillsApi.ts
 function loadComplianceSnapshot() {
-  const p = import_node_path18.default.join(getDataDirectory(), "rule-compliance-map.json");
+  const p = import_node_path19.default.join(getDataDirectory(), "rule-compliance-map.json");
   if (!import_node_fs12.default.existsSync(p)) return {};
   try {
     return JSON.parse(import_node_fs12.default.readFileSync(p, "utf-8"));
@@ -3991,8 +4107,8 @@ function loadComplianceSnapshot() {
 }
 function extractTestbedExample(metricId, examplePath, skillsRoot) {
   if (!examplePath) return "";
-  const p = import_node_path18.default.isAbsolute(examplePath) ? examplePath : import_node_path18.default.join(import_node_path18.default.dirname(skillsRoot), "..", "..", examplePath);
-  const resolved = import_node_fs12.default.existsSync(p) ? p : import_node_path18.default.join(getDataDirectory(), "..", "..", examplePath);
+  const p = import_node_path19.default.isAbsolute(examplePath) ? examplePath : import_node_path19.default.join(import_node_path19.default.dirname(skillsRoot), "..", "..", examplePath);
+  const resolved = import_node_fs12.default.existsSync(p) ? p : import_node_path19.default.join(getDataDirectory(), "..", "..", examplePath);
   if (!import_node_fs12.default.existsSync(resolved)) return "";
   const lines = import_node_fs12.default.readFileSync(resolved, "utf-8").split(/\r?\n/);
   const needle = `Vulnerable: ${metricId}`;
@@ -4046,8 +4162,8 @@ function getSkillContext(args) {
   }
   const manifest = manifests[skill_id];
   const dir = skillDirectory(manifest);
-  const indexPath = import_node_path18.default.join(dir, "index.md");
-  const patternsPath = import_node_path18.default.join(dir, "patterns.md");
+  const indexPath = import_node_path19.default.join(dir, "index.md");
+  const patternsPath = import_node_path19.default.join(dir, "patterns.md");
   if (!import_node_fs12.default.existsSync(indexPath) || !import_node_fs12.default.existsSync(patternsPath)) {
     return {
       error: `incomplete skill data for ${skill_id}`,
@@ -4068,11 +4184,11 @@ function getSkillContext(args) {
       source: row.source
     });
   }
-  const skillsRoot = import_node_path18.default.dirname(dir);
+  const skillsRoot = import_node_path19.default.dirname(dir);
   const response = {
     skill_id,
-    index_path: import_node_path18.default.relative(getDataDirectory(), indexPath).replace(/\\/g, "/"),
-    patterns_path: import_node_path18.default.relative(getDataDirectory(), patternsPath).replace(/\\/g, "/"),
+    index_path: import_node_path19.default.relative(getDataDirectory(), indexPath).replace(/\\/g, "/"),
+    patterns_path: import_node_path19.default.relative(getDataDirectory(), patternsPath).replace(/\\/g, "/"),
     index_md: import_node_fs12.default.readFileSync(indexPath, "utf-8"),
     patterns_md: import_node_fs12.default.readFileSync(patternsPath, "utf-8"),
     patterns_by_stack: Object.fromEntries(Object.keys(grouped).sort().map((k) => [k, grouped[k]])),
@@ -4114,7 +4230,7 @@ function askGuidance(question) {
   if (!q) return { error: "question is required" };
   const best = semanticSearch(q, 50, "pattern", true);
   const manifests = loadSkillManifests();
-  const skillsRoot = import_node_path18.default.join(getDataDirectory(), "skills");
+  const skillsRoot = import_node_path19.default.join(getDataDirectory(), "skills");
   const required = requiredMetricIds(q);
   const out = [];
   const seen = /* @__PURE__ */ new Set();
@@ -4220,10 +4336,10 @@ function walkFiles2(root, opts) {
       const entries = import_node_fs13.default.readdirSync(dir, { withFileTypes: true });
       for (const ent of entries) {
         if (out.length >= max) break;
-        const full = import_node_path19.default.join(dir, ent.name);
+        const full = import_node_path20.default.join(dir, ent.name);
         if (ent.isDirectory()) {
           if (!skip.has(ent.name)) stack.push(full);
-        } else if (ent.isFile() && exts.has(import_node_path19.default.extname(ent.name).toLowerCase())) {
+        } else if (ent.isFile() && exts.has(import_node_path20.default.extname(ent.name).toLowerCase())) {
           out.push(full);
         }
       }
@@ -4264,7 +4380,7 @@ function syftPackages(payload) {
   return out.sort((a, b) => a.name.localeCompare(b.name));
 }
 function collectRepoThreatSignals(scanRoot, syftPayload) {
-  const root = import_node_path19.default.resolve(scanRoot);
+  const root = import_node_path20.default.resolve(scanRoot);
   const scanRel = ".";
   const signals = {
     scan_root: scanRel,
@@ -4310,11 +4426,11 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
         continue;
       }
       for (const ent of entries) {
-        const full = import_node_path19.default.join(dir, ent.name);
+        const full = import_node_path20.default.join(dir, ent.name);
         if (ent.isDirectory()) {
           if (!skip.has(ent.name) && !ent.name.startsWith(".")) stack.push(full);
         } else if (ent.isFile() && patternNames.includes(ent.name)) {
-          const rel = import_node_path19.default.relative(root, full).replace(/\\/g, "/");
+          const rel = import_node_path20.default.relative(root, full).replace(/\\/g, "/");
           if (!rel.startsWith("..")) handler(full, rel);
         }
       }
@@ -4326,15 +4442,15 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
   });
   globWalk(["requirements.txt", "pyproject.toml", "go.mod"], (full, rel) => {
     addKey(rel);
-    if (import_node_path19.default.basename(full) === "requirements.txt") {
+    if (import_node_path20.default.basename(full) === "requirements.txt") {
       for (const d of parseRequirementsDeps(full)) deps.add(d);
-    } else if (import_node_path19.default.basename(full) === "pyproject.toml") {
+    } else if (import_node_path20.default.basename(full) === "pyproject.toml") {
       const txt = readTextSafe(full, 8e4).toLowerCase();
       for (const m of txt.matchAll(/['"]([a-zA-Z0-9_.\-]+)['"]/g)) deps.add(m[1].toLowerCase());
     }
   });
   for (const name of ["Dockerfile", "docker-compose.yml", "docker-compose.yaml"]) {
-    const fp = import_node_path19.default.join(root, name);
+    const fp = import_node_path20.default.join(root, name);
     if (import_node_fs13.default.existsSync(fp)) {
       addKey(name);
       if (name === "Dockerfile") signals.flags.has_dockerfile = true;
@@ -4342,14 +4458,14 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
     }
   }
   for (const full of walkFiles2(root, { maxFiles: 80, extensions: /* @__PURE__ */ new Set([".yaml", ".yml"]) })) {
-    const base = import_node_path19.default.basename(full).toLowerCase();
+    const base = import_node_path20.default.basename(full).toLowerCase();
     if (base.includes("deploy") || base.includes("helm") || base.includes("k8s") || base.includes("values")) {
       signals.flags.has_k8s_yaml = true;
-      addKey(import_node_path19.default.relative(root, full).replace(/\\/g, "/"));
+      addKey(import_node_path20.default.relative(root, full).replace(/\\/g, "/"));
       break;
     }
   }
-  if (import_node_fs13.default.existsSync(import_node_path19.default.join(root, ".github", "workflows"))) {
+  if (import_node_fs13.default.existsSync(import_node_path20.default.join(root, ".github", "workflows"))) {
     signals.flags.has_github_workflows = true;
   }
   for (const pkg of signals.syft_packages) {
@@ -4381,7 +4497,7 @@ ${context}
 ${repoFp}`).digest("hex");
 }
 function loadThreatModelCache(workspaceRoot) {
-  const p = import_node_path19.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
+  const p = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
   if (!import_node_fs13.default.existsSync(p)) {
     return { schema_version: THREAT_MODEL_CACHE_SCHEMA_VERSION, entries: {} };
   }
@@ -4397,7 +4513,7 @@ function loadThreatModelCache(workspaceRoot) {
   }
 }
 function saveThreatModelCache(workspaceRoot, cacheKey, markdown, baseline) {
-  const p = import_node_path19.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
+  const p = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
   const payload = loadThreatModelCache(workspaceRoot);
   payload.entries[cacheKey] = {
     markdown,
@@ -4610,7 +4726,7 @@ function loadRepoCrosscheckHaystack(scanRoot, maxChars = 35e4) {
   let total = 0;
   const files = walkFiles2(scanRoot, { maxFiles: 220 });
   for (const full of files) {
-    const rel = import_node_path19.default.relative(scanRoot, full).replace(/\\/g, "/");
+    const rel = import_node_path20.default.relative(scanRoot, full).replace(/\\/g, "/");
     const snippet = readTextSafe(full, 14e3);
     const block = `
 --- ${rel} ---
@@ -4820,8 +4936,8 @@ function generateThreatModelMarkdown(profile, baseline, signals, ragKeywords, ca
 `;
 }
 async function runThreatModelEngine(opts) {
-  const workspaceRoot = import_node_path19.default.resolve(opts.workspace_path);
-  const projectName = (opts.project_name ?? import_node_path19.default.basename(workspaceRoot)).trim() || "project";
+  const workspaceRoot = import_node_path20.default.resolve(opts.workspace_path);
+  const projectName = (opts.project_name ?? import_node_path20.default.basename(workspaceRoot)).trim() || "project";
   const userContext = (opts.context ?? "").trim();
   const profile = detectSecurityProfile(projectName, userContext);
   const baseline = ARCHITECTURE_BASELINES[profile];
@@ -4836,13 +4952,13 @@ Project: ${projectName}`;
   const cache = loadThreatModelCache(workspaceRoot);
   const cached = cache.entries[cacheKey];
   if (cached?.markdown) {
-    const reportPath2 = import_node_path19.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
+    const reportPath2 = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
     import_node_fs13.default.writeFileSync(reportPath2, cached.markdown, "utf-8");
     return {
       profile,
       markdown: cached.markdown,
       report_path: reportPath2,
-      cache_path: import_node_path19.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE),
+      cache_path: import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE),
       cache_hit: true,
       cache_key: cacheKey,
       repo_fingerprint: repoFp,
@@ -4874,7 +4990,7 @@ Project: ${projectName}`;
     rag_keywords: [...ragKeywords].sort().slice(0, 40)
   };
   const cachePath = saveThreatModelCache(workspaceRoot, cacheKey, markdown, baselinePayload);
-  const reportPath = import_node_path19.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
+  const reportPath = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
   import_node_fs13.default.writeFileSync(reportPath, markdown, "utf-8");
   return {
     profile,
@@ -5090,8 +5206,8 @@ function buildSecurityReviewMarkdown(opts) {
   return out.join("\n");
 }
 function resolveSecurityReviewPath(workspacePath) {
-  const base = workspacePath?.trim() ? import_node_path20.default.resolve(workspacePath) : process.cwd();
-  return import_node_path20.default.join(base, SECURITY_REVIEW_REPORT_FILE);
+  const base = workspacePath?.trim() ? import_node_path21.default.resolve(workspacePath) : process.cwd();
+  return import_node_path21.default.join(base, SECURITY_REVIEW_REPORT_FILE);
 }
 function writeSecurityReviewReport(markdown, workspacePath) {
   const reportPath = resolveSecurityReviewPath(workspacePath);
@@ -5100,8 +5216,8 @@ function writeSecurityReviewReport(markdown, workspacePath) {
   return reportPath;
 }
 async function executeSecurityReview(opts) {
-  const workspaceRoot = import_node_path20.default.resolve(opts.workspace_path);
-  const projectName = (opts.project_name ?? import_node_path20.default.basename(workspaceRoot)).trim() || import_node_path20.default.basename(workspaceRoot);
+  const workspaceRoot = import_node_path21.default.resolve(opts.workspace_path);
+  const projectName = (opts.project_name ?? import_node_path21.default.basename(workspaceRoot)).trim() || import_node_path21.default.basename(workspaceRoot);
   console.error("[runsec] security review: starting unified scan + STRIDE threat model");
   const [audit, threatModel] = await Promise.all([
     executeAudit("runsec_audit_general", {
@@ -5135,17 +5251,17 @@ async function executeSecurityReview(opts) {
 
 // src/engine/remediation.ts
 var import_node_fs16 = __toESM(require("fs"));
-var import_node_path22 = __toESM(require("path"));
+var import_node_path23 = __toESM(require("path"));
 
 // src/skills/metricLookup.ts
 var import_node_fs15 = __toESM(require("fs"));
-var import_node_path21 = __toESM(require("path"));
+var import_node_path22 = __toESM(require("path"));
 function findMetricRow(metricId) {
   const mid = metricId.trim().toUpperCase();
   if (!mid) return null;
   const manifests = loadSkillManifests();
   for (const [, manifest] of Object.entries(manifests)) {
-    const patternsPath = import_node_path21.default.join(skillDirectory(manifest), "patterns.md");
+    const patternsPath = import_node_path22.default.join(skillDirectory(manifest), "patterns.md");
     if (!import_node_fs15.default.existsSync(patternsPath)) continue;
     const rows = parsePatternRows(import_node_fs15.default.readFileSync(patternsPath, "utf-8"));
     const row = rows.find((r) => r.metric_id.toUpperCase() === mid);
@@ -5160,12 +5276,12 @@ function normalizeRelPath2(p) {
   return p.replace(/\\/g, "/").replace(/^\.\/+/, "");
 }
 function resolveTargetFile(workspaceRoot, filePath) {
-  const root = import_node_path22.default.resolve(workspaceRoot);
+  const root = import_node_path23.default.resolve(workspaceRoot);
   const rel = normalizeRelPath2(filePath.trim());
   if (!rel) return { error: "file_path is required" };
-  const abs = import_node_path22.default.resolve(root, rel);
-  const relFromRoot = import_node_path22.default.relative(root, abs).replace(/\\/g, "/");
-  if (relFromRoot.startsWith("..") || import_node_path22.default.isAbsolute(relFromRoot)) {
+  const abs = import_node_path23.default.resolve(root, rel);
+  const relFromRoot = import_node_path23.default.relative(root, abs).replace(/\\/g, "/");
+  if (relFromRoot.startsWith("..") || import_node_path23.default.isAbsolute(relFromRoot)) {
     return { error: `file_path must be inside workspace: ${root}` };
   }
   for (const seg of BLOCKED_PATH_SEGMENTS) {
@@ -5245,7 +5361,7 @@ function writeBackup(absPath) {
   return backupPath;
 }
 function applyDvs001Fix(absPath) {
-  const rel = import_node_path22.default.basename(absPath);
+  const rel = import_node_path23.default.basename(absPath);
   const lines = import_node_fs16.default.readFileSync(absPath, "utf-8").split(/\r?\n/);
   const newLines = lines.filter((ln) => !/^\s*user\s+root\s*$/i.test(ln.trim()));
   const hasNonRootUser = newLines.some(
@@ -5577,6 +5693,47 @@ function isRemediationTool(name) {
   return REMEDIATION_TOOL_NAMES.includes(name);
 }
 
+// src/complianceScores.ts
+var SEVERITY_PENALTY = {
+  CRITICAL: 15,
+  HIGH: 10,
+  MEDIUM: 5,
+  LOW: 2,
+  INFO: 1
+};
+var STANDARD_FRAMEWORK_KEY = {
+  "PCI-DSS": "pciDss",
+  SOC2: "soc2",
+  HIPAA: "hipaa"
+};
+function compliancePctFromFindings(findings, scannedFiles) {
+  if (findings.length === 0) return 100;
+  let penalty = 0;
+  for (const f of findings) {
+    const sev = String(f.severity ?? "MEDIUM").toUpperCase();
+    penalty += SEVERITY_PENALTY[sev] ?? 5;
+  }
+  const files = Math.max(1, scannedFiles);
+  const densityPenalty = findings.length / files * 8;
+  const raw = 100 - penalty - densityPenalty;
+  return Math.max(0, Math.min(100, Math.round(raw * 10) / 10));
+}
+function buildHubComplianceBlock(result) {
+  const scanned = result.scanned_files_count > 0 ? result.scanned_files_count : result.files_scanned;
+  const asvs = compliancePctFromFindings(result.findings, scanned);
+  const compliance = {
+    asvs,
+    pciDss: null,
+    soc2: null,
+    hipaa: null
+  };
+  const frameworkKey = STANDARD_FRAMEWORK_KEY[result.standard];
+  if (frameworkKey) {
+    compliance[frameworkKey] = asvs;
+  }
+  return { compliance, complianceASVS: asvs };
+}
+
 // src/telemetryClient.ts
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
@@ -5600,12 +5757,15 @@ function resolveScanVerdict(result) {
 function buildHubUploadPayload(result, reportMetrics, workspacePath, projectId) {
   const metrics = countSeverityMetrics(result.findings);
   const verdict = resolveScanVerdict(result);
+  const { compliance, complianceASVS } = buildHubComplianceBlock(result);
   const runsecJson = {
     source: "runsec_mcp",
     standard: result.standard,
     workspace_path: workspacePath,
     verdict,
     metrics,
+    compliance,
+    complianceASVS,
     audit: result,
     report_metrics: reportMetrics,
     findings: result.findings,