@runsec/mcp 1.0.74 → 1.0.76

package/dist/index.js

@@ -413,7 +413,7 @@ var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 
 // src/engine/secretHeuristics.ts
-var ENV_INTERP_RE = /\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[/i;
+var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\()/i;
 var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
 function hasEnvironmentInterpolation(text) {
   return ENV_INTERP_RE.test(text);
@@ -431,8 +431,54 @@ function isLockfileOrModulesPath(relPath) {
 function isTrufflehogVerified(verifiedFlag, description) {
   return verifiedFlag || /\(verified\)/i.test(description);
 }
+var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|\.xib|\.storyboard|\.docx)/i;
+function isLockfileLayoutArtifactPath(relPath) {
+  return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
+}
 
 // src/engine/cognitiveEngine.ts
+var NUCLEAR_HARD_DROP_CONFIDENCE = 0.01;
+var CUSTOMREGEX_UNVERIFIED_CAP = 0.1;
+function findingIsVerified(finding) {
+  if (finding.verified === true) return true;
+  return isTrufflehogVerified(false, finding.description) || /\(verified\)/i.test(finding.match_text ?? "");
+}
+function applyNuclearHardDrop(finding, relPath) {
+  const matchText = finding.match_text ?? "";
+  const snippet = finding.snippet ?? "";
+  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
+  }
+  if (!findingIsVerified(finding) && LOCKFILE_LAYOUT_RE.test(relPath)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
+  }
+  return null;
+}
+function isCustomRegexFinding(finding) {
+  const detector = String(finding.detector_name ?? "").trim().toLowerCase();
+  if (detector === "customregex") return true;
+  const title = String(finding.title ?? finding.description ?? "");
+  if (/customregex/i.test(title)) return true;
+  return /(?:^|\.)customregex$/i.test(finding.rule_id) || finding.rule_id.includes("trufflehog.customregex");
+}
+function looksLikeHighEntropyRawToken(finding) {
+  const blob = `${finding.match_text ?? ""} ${finding.snippet ?? ""}`.trim();
+  if (blob.length < 24 || ENV_INTERP_RE.test(blob)) return false;
+  if (/^(?:ghp_|gho_|github_pat_|glpat-|sk-[a-zA-Z0-9]{10,}|AKIA[0-9A-Z]{16}|xox[baprs]-|eyJ[A-Za-z0-9_-]{10,}\.)/i.test(
+    blob
+  )) {
+    return true;
+  }
+  const compact = blob.replace(/\s+/g, "");
+  if (compact.length >= 40 && /^[A-Za-z0-9+/=_-]+$/.test(compact)) return true;
+  return false;
+}
+function customRegexNeedsBaseClamp(finding) {
+  if (!isCustomRegexFinding(finding)) return false;
+  if (findingIsVerified(finding)) return false;
+  if (looksLikeHighEntropyRawToken(finding)) return false;
+  return true;
+}
 var PRIMARY_LOG_THRESHOLD = 0.8;
 var CONFIDENCE_THRESHOLD = PRIMARY_LOG_THRESHOLD;
 var ELITE_LOW_CONFIDENCE_CAP = 0.28;
@@ -823,9 +869,13 @@ function attackPathConcrete(finding, confidence, eliteHard, allReasons, snippet)
   return confidence >= PRIMARY_LOG_THRESHOLD;
 }
 function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot) {
+  const nuclear = applyNuclearHardDrop(finding, relPath);
+  if (nuclear) {
+    return [nuclear.cap, [nuclear.reason]];
+  }
   const reasons = [];
   let score = category === "secrets" ? 0.9 : category === "dependencies" ? 0.78 : 0.82;
-  const title = finding.description;
+  const title = finding.title ?? finding.description;
   const sev = (finding.severity || "").toUpperCase();
   if (category === "code") {
     if (sev === "CRITICAL" || sev === "ERROR") score = 0.92;
@@ -833,23 +883,27 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
     else score = 0.55;
   } else if (category === "secrets") {
     if (sev === "CRITICAL") score = 0.95;
-    else if (finding.match_text.includes("(verified)")) score = 0.93;
+    else if (findingIsVerified(finding) || finding.match_text.includes("(verified)")) score = 0.93;
     if (/pii\s+email/i.test(title) || finding.rule_id.includes("pii-email")) {
-      const piiVerified = /\(verified\)/i.test(finding.description);
+      const piiVerified = findingIsVerified(finding);
       score = Math.min(score, piiVerified ? 0.45 : 0.32);
       reasons.push("pii_email_deprioritized");
     }
     if (isUnverifiedTrufflehogSecret(finding)) {
       const secretBlob = `${finding.match_text} ${finding.snippet ?? ""}`;
       if (hasEnvironmentInterpolation(secretBlob)) {
-        score = Math.min(score, 0.15);
-        reasons.push("environment_interpolation_placeholder");
+        score = Math.min(score, NUCLEAR_HARD_DROP_CONFIDENCE);
+        reasons.push("env_variable_interpolation");
       }
-      if (isLockfileOrModulesPath(relPath)) {
-        score = Math.min(score, 0.1);
-        reasons.push("lockfile_or_modules_path");
+      if (isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath)) {
+        score = Math.min(score, NUCLEAR_HARD_DROP_CONFIDENCE);
+        reasons.push("lockfile_or_layout_artifact");
       }
     }
+    if (customRegexNeedsBaseClamp(finding)) {
+      score = Math.min(score, CUSTOMREGEX_UNVERIFIED_CAP);
+      reasons.push("customregex_unverified_clamped");
+    }
   }
   const libs = phase1.protection_libs_detected ?? [];
   if (libs.length && protectionMatchesMetric(title, libs)) {
@@ -923,6 +977,19 @@ function downgradeSeverity(severity, cap) {
 function enrichAuditFinding(repoRoot, finding, opts) {
   const applyFp = opts?.applyFalsePositiveFilter ?? !isCalibrationTestbedPath(finding.file_path);
   const relPath = finding.file_path.replace(/\\/g, "/");
+  const nuclearDrop = applyNuclearHardDrop(finding, relPath);
+  if (nuclearDrop) {
+    return {
+      ...finding,
+      severity: downgradeSeverity(finding.severity, "LOW"),
+      confidence_score: nuclearDrop.cap,
+      confidence_reasons: [nuclearDrop.reason],
+      primary_log_eligible: false,
+      suppressed: true,
+      suppression_reason: nuclearDrop.reason,
+      attack_path_concrete: false
+    };
+  }
   const phase1 = phase1ContextResearch(repoRoot, relPath);
   let [conf, reasons] = baseConfidenceForFinding(finding, phase1, relPath, finding.category, repoRoot);
   const [boost, boostReason] = comparativeAnalysisBoost(repoRoot, relPath, applyFp);
@@ -947,11 +1014,18 @@ function enrichAuditFinding(repoRoot, finding, opts) {
       }
     }
   }
-  conf = Math.max(0.05, Math.min(1, conf));
+  const postNuclear = applyNuclearHardDrop(finding, relPath);
+  if (postNuclear) {
+    conf = Math.min(conf, postNuclear.cap);
+    if (!reasons.includes(postNuclear.reason)) reasons.push(postNuclear.reason);
+  } else {
+    conf = Math.max(0.05, Math.min(1, conf));
+  }
   const snippetL = snippetLower(finding);
   const attackConcrete = attackPathConcrete(finding, conf, eliteHard, reasons, snippetL);
   const critique = selfCritique(finding, conf, phase1);
-  const primaryOk = conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
+  const hardDropped = Boolean(postNuclear);
+  const primaryOk = !hardDropped && conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
   let severity = finding.severity;
   const originalSeverity = finding.original_severity ?? finding.severity;
   if (reasons.includes("phase1_protection_lib_present") && conf <= 0.25) {
@@ -959,6 +1033,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
   } else if (!primaryOk && conf < PRIMARY_LOG_THRESHOLD) {
     severity = downgradeSeverity(severity, critique.suggested_severity_cap);
   }
+  const forceSuppressed = hardDropped;
   return {
     ...finding,
     severity,
@@ -966,6 +1041,10 @@ function enrichAuditFinding(repoRoot, finding, opts) {
     confidence_score: Math.round(conf * 1e3) / 1e3,
     confidence_reasons: reasons,
     primary_log_eligible: primaryOk,
+    ...forceSuppressed ? {
+      suppressed: true,
+      suppression_reason: postNuclear.reason
+    } : {},
     attack_path_concrete: attackConcrete,
     cognitive: {
       phase1_context_research: phase1,
@@ -1063,8 +1142,8 @@ function buildVerdict(primaryFindings) {
 function applyCognitivePipeline(workspaceRoot, findings) {
   const enriched = findings.map((f) => enrichAuditFinding(workspaceRoot, f));
   const { kept, duplicates } = deduplicateSameLineFindings(enriched);
-  const primary = kept.filter((f) => f.primary_log_eligible);
-  const suppressed = kept.filter((f) => !f.primary_log_eligible).concat(duplicates);
+  const primary = kept.filter((f) => f.primary_log_eligible && !f.suppressed);
+  const suppressed = kept.filter((f) => !f.primary_log_eligible || f.suppressed).concat(duplicates);
   return {
     primary,
     suppressed,
@@ -1708,6 +1787,9 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
       asvsTrace: "V6.4.1",
       severity,
       description,
+      title: description,
+      detector_name: detector,
+      verified,
       file_path: rel,
       line,
       match_text: display.slice(0, 200),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.74",
+  "version": "1.0.76",
   "main": "dist/index.js",
   "files": [
     "dist",