@runsec/mcp 1.0.75 → 1.0.77

package/dist/index.js

@@ -413,8 +413,7 @@ var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 
 // src/engine/secretHeuristics.ts
-var STRICT_ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[)/i;
-var ENV_INTERP_RE = STRICT_ENV_INTERP_RE;
+var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\()/i;
 var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
 function hasEnvironmentInterpolation(text) {
   return ENV_INTERP_RE.test(text);
@@ -432,37 +431,54 @@ function isLockfileOrModulesPath(relPath) {
 function isTrufflehogVerified(verifiedFlag, description) {
   return verifiedFlag || /\(verified\)/i.test(description);
 }
-function isStaticLayoutDumpPath(relPath) {
-  const normalized = relPath.replace(/\\/g, "/").toLowerCase();
-  const base = normalized.split("/").pop() ?? normalized;
-  if (base.endsWith(".storyboard") || base.endsWith(".xib") || base.endsWith(".docx")) return true;
-  if (base.endsWith(".lock") || /\.lock$/i.test(base)) return true;
-  return false;
-}
-function matchTextHasStrictEnvInterpolation(matchText, snippet) {
-  const m = (matchText ?? "").trim();
-  const s = (snippet ?? "").trim();
-  if (m && STRICT_ENV_INTERP_RE.test(m)) return true;
-  if (s && STRICT_ENV_INTERP_RE.test(s)) return true;
-  return false;
+var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|\.xib|\.storyboard|\.docx)/i;
+function isLockfileLayoutArtifactPath(relPath) {
+  return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
 
 // src/engine/cognitiveEngine.ts
-var ABSOLUTE_ENV_INTERP_CAP = 0.05;
-var ABSOLUTE_STATIC_DUMP_CAP = 0.01;
-function resolveAbsoluteSuppression(finding, relPath) {
-  if (matchTextHasStrictEnvInterpolation(finding.match_text ?? "", finding.snippet ?? "")) {
-    return { cap: ABSOLUTE_ENV_INTERP_CAP, reason: "environment_variable_interpolation" };
-  }
-  const verified = isTrufflehogVerified(
-    /\(verified\)/i.test(finding.description) || /\(verified\)/i.test(finding.match_text ?? ""),
-    finding.description
-  );
-  if (!verified && isStaticLayoutDumpPath(relPath)) {
-    return { cap: ABSOLUTE_STATIC_DUMP_CAP, reason: "static_layout_or_lockfile_unverified" };
+var NUCLEAR_HARD_DROP_CONFIDENCE = 0.01;
+var CUSTOMREGEX_UNVERIFIED_CAP = 0.1;
+function findingIsVerified(finding) {
+  if (finding.verified === true) return true;
+  return isTrufflehogVerified(false, finding.description) || /\(verified\)/i.test(finding.match_text ?? "");
+}
+function applyNuclearHardDrop(finding, relPath) {
+  const matchText = finding.match_text ?? "";
+  const snippet = finding.snippet ?? "";
+  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
+  }
+  if (!findingIsVerified(finding) && LOCKFILE_LAYOUT_RE.test(relPath)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
   return null;
 }
+function isCustomRegexFinding(finding) {
+  const detector = String(finding.detector_name ?? "").trim().toLowerCase();
+  if (detector === "customregex") return true;
+  const title = String(finding.title ?? finding.description ?? "");
+  if (/customregex/i.test(title)) return true;
+  return /(?:^|\.)customregex$/i.test(finding.rule_id) || finding.rule_id.includes("trufflehog.customregex");
+}
+function looksLikeHighEntropyRawToken(finding) {
+  const blob = `${finding.match_text ?? ""} ${finding.snippet ?? ""}`.trim();
+  if (blob.length < 24 || ENV_INTERP_RE.test(blob)) return false;
+  if (/^(?:ghp_|gho_|github_pat_|glpat-|sk-[a-zA-Z0-9]{10,}|AKIA[0-9A-Z]{16}|xox[baprs]-|eyJ[A-Za-z0-9_-]{10,}\.)/i.test(
+    blob
+  )) {
+    return true;
+  }
+  const compact = blob.replace(/\s+/g, "");
+  if (compact.length >= 40 && /^[A-Za-z0-9+/=_-]+$/.test(compact)) return true;
+  return false;
+}
+function customRegexNeedsBaseClamp(finding) {
+  if (!isCustomRegexFinding(finding)) return false;
+  if (findingIsVerified(finding)) return false;
+  if (looksLikeHighEntropyRawToken(finding)) return false;
+  return true;
+}
 var PRIMARY_LOG_THRESHOLD = 0.8;
 var CONFIDENCE_THRESHOLD = PRIMARY_LOG_THRESHOLD;
 var ELITE_LOW_CONFIDENCE_CAP = 0.28;
@@ -853,13 +869,13 @@ function attackPathConcrete(finding, confidence, eliteHard, allReasons, snippet)
   return confidence >= PRIMARY_LOG_THRESHOLD;
 }
 function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot) {
-  const absolute = resolveAbsoluteSuppression(finding, relPath);
-  if (absolute) {
-    return [absolute.cap, [absolute.reason]];
+  const nuclear = applyNuclearHardDrop(finding, relPath);
+  if (nuclear) {
+    return [nuclear.cap, [nuclear.reason]];
   }
   const reasons = [];
   let score = category === "secrets" ? 0.9 : category === "dependencies" ? 0.78 : 0.82;
-  const title = finding.description;
+  const title = finding.title ?? finding.description;
   const sev = (finding.severity || "").toUpperCase();
   if (category === "code") {
     if (sev === "CRITICAL" || sev === "ERROR") score = 0.92;
@@ -867,23 +883,27 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
     else score = 0.55;
   } else if (category === "secrets") {
     if (sev === "CRITICAL") score = 0.95;
-    else if (finding.match_text.includes("(verified)")) score = 0.93;
+    else if (findingIsVerified(finding) || finding.match_text.includes("(verified)")) score = 0.93;
     if (/pii\s+email/i.test(title) || finding.rule_id.includes("pii-email")) {
-      const piiVerified = /\(verified\)/i.test(finding.description);
+      const piiVerified = findingIsVerified(finding);
       score = Math.min(score, piiVerified ? 0.45 : 0.32);
       reasons.push("pii_email_deprioritized");
     }
     if (isUnverifiedTrufflehogSecret(finding)) {
       const secretBlob = `${finding.match_text} ${finding.snippet ?? ""}`;
       if (hasEnvironmentInterpolation(secretBlob)) {
-        score = Math.min(score, ABSOLUTE_ENV_INTERP_CAP);
-        reasons.push("environment_variable_interpolation");
+        score = Math.min(score, NUCLEAR_HARD_DROP_CONFIDENCE);
+        reasons.push("env_variable_interpolation");
       }
-      if (isLockfileOrModulesPath(relPath)) {
-        score = Math.min(score, 0.1);
-        reasons.push("lockfile_or_modules_path");
+      if (isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath)) {
+        score = Math.min(score, NUCLEAR_HARD_DROP_CONFIDENCE);
+        reasons.push("lockfile_or_layout_artifact");
       }
     }
+    if (customRegexNeedsBaseClamp(finding)) {
+      score = Math.min(score, CUSTOMREGEX_UNVERIFIED_CAP);
+      reasons.push("customregex_unverified_clamped");
+    }
   }
   const libs = phase1.protection_libs_detected ?? [];
   if (libs.length && protectionMatchesMetric(title, libs)) {
@@ -957,7 +977,19 @@ function downgradeSeverity(severity, cap) {
 function enrichAuditFinding(repoRoot, finding, opts) {
   const applyFp = opts?.applyFalsePositiveFilter ?? !isCalibrationTestbedPath(finding.file_path);
   const relPath = finding.file_path.replace(/\\/g, "/");
-  const absoluteSuppress = resolveAbsoluteSuppression(finding, relPath);
+  const nuclearDrop = applyNuclearHardDrop(finding, relPath);
+  if (nuclearDrop) {
+    return {
+      ...finding,
+      severity: downgradeSeverity(finding.severity, "LOW"),
+      confidence_score: nuclearDrop.cap,
+      confidence_reasons: [nuclearDrop.reason],
+      primary_log_eligible: false,
+      suppressed: true,
+      suppression_reason: nuclearDrop.reason,
+      attack_path_concrete: false
+    };
+  }
   const phase1 = phase1ContextResearch(repoRoot, relPath);
   let [conf, reasons] = baseConfidenceForFinding(finding, phase1, relPath, finding.category, repoRoot);
   const [boost, boostReason] = comparativeAnalysisBoost(repoRoot, relPath, applyFp);
@@ -982,18 +1014,18 @@ function enrichAuditFinding(repoRoot, finding, opts) {
       }
     }
   }
-  if (absoluteSuppress) {
-    conf = Math.min(conf, absoluteSuppress.cap);
-    if (!reasons.includes(absoluteSuppress.reason)) {
-      reasons.push(absoluteSuppress.reason);
-    }
+  const postNuclear = applyNuclearHardDrop(finding, relPath);
+  if (postNuclear) {
+    conf = Math.min(conf, postNuclear.cap);
+    if (!reasons.includes(postNuclear.reason)) reasons.push(postNuclear.reason);
   } else {
     conf = Math.max(0.05, Math.min(1, conf));
   }
   const snippetL = snippetLower(finding);
   const attackConcrete = attackPathConcrete(finding, conf, eliteHard, reasons, snippetL);
   const critique = selfCritique(finding, conf, phase1);
-  const primaryOk = !absoluteSuppress && conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
+  const hardDropped = Boolean(postNuclear);
+  const primaryOk = !hardDropped && conf >= PRIMARY_LOG_THRESHOLD && !hardExcludeFromPrimaryLog(relPath, finding.description, conf, eliteHard);
   let severity = finding.severity;
   const originalSeverity = finding.original_severity ?? finding.severity;
   if (reasons.includes("phase1_protection_lib_present") && conf <= 0.25) {
@@ -1001,7 +1033,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
   } else if (!primaryOk && conf < PRIMARY_LOG_THRESHOLD) {
     severity = downgradeSeverity(severity, critique.suggested_severity_cap);
   }
-  const forceSuppressed = Boolean(absoluteSuppress);
+  const forceSuppressed = hardDropped;
   return {
     ...finding,
     severity,
@@ -1011,7 +1043,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
     primary_log_eligible: primaryOk,
     ...forceSuppressed ? {
       suppressed: true,
-      suppression_reason: absoluteSuppress.reason
+      suppression_reason: postNuclear.reason
     } : {},
     attack_path_concrete: attackConcrete,
     cognitive: {
@@ -1755,6 +1787,9 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
       asvsTrace: "V6.4.1",
       severity,
       description,
+      title: description,
+      detector_name: detector,
+      verified,
       file_path: rel,
       line,
       match_text: display.slice(0, 200),
@@ -5740,6 +5775,45 @@ function isRemediationTool(name) {
   return REMEDIATION_TOOL_NAMES.includes(name);
 }
 
+// src/hubUploadUrl.ts
+var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
+var LEGACY_TELEMETRY_INGEST_PATH = "/api/v1/telemetry/ingest";
+function stripTrailingSlash(url) {
+  return url.replace(/\/$/, "");
+}
+function migrateLegacyIngestUrl(url) {
+  if (!url.includes(LEGACY_TELEMETRY_INGEST_PATH)) return url;
+  console.warn(
+    `[runsec] Legacy telemetry ingest URL detected (${LEGACY_TELEMETRY_INGEST_PATH}); using ${HUB_UPLOAD_REPORT_PATH} instead`
+  );
+  return url.replace(LEGACY_TELEMETRY_INGEST_PATH, HUB_UPLOAD_REPORT_PATH);
+}
+function resolveHubUploadUrl() {
+  const explicit = [
+    process.env.RUNSEC_HUB_INGEST_URL,
+    process.env.RUNSEC_HUB_UPLOAD_URL,
+    process.env.RUNSEC_TELEMETRY_URL
+  ].map((v) => v?.trim()).find(Boolean);
+  if (explicit) {
+    const migrated = migrateLegacyIngestUrl(explicit);
+    if (migrated.includes(HUB_UPLOAD_REPORT_PATH)) {
+      return stripTrailingSlash(migrated);
+    }
+    if (/^https?:\/\//i.test(migrated)) {
+      return `${stripTrailingSlash(migrated)}${HUB_UPLOAD_REPORT_PATH}`;
+    }
+    return stripTrailingSlash(migrated);
+  }
+  const base = stripTrailingSlash(
+    process.env.RUNSEC_HUB_URL?.trim() || process.env.RUNSEC_API_URL?.trim() || "https://runsec.io"
+  );
+  const migratedBase = migrateLegacyIngestUrl(base);
+  if (migratedBase.includes(HUB_UPLOAD_REPORT_PATH)) {
+    return migratedBase;
+  }
+  return `${migratedBase}${HUB_UPLOAD_REPORT_PATH}`;
+}
+
 // src/complianceScores.ts
 var SEVERITY_PENALTY = {
   CRITICAL: 15,
@@ -5782,6 +5856,26 @@ function buildHubComplianceBlock(result) {
 }
 
 // src/telemetryClient.ts
+var HUB_UPLOAD_TIMEOUT_MS = 12e4;
+function hubAuthHeaders(apiKey) {
+  return {
+    Authorization: `Bearer ${apiKey}`,
+    // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
+    "X-RunSec-Api-Key": apiKey,
+    "Content-Type": "application/json",
+    Accept: "application/json"
+  };
+}
+function formatHubSyncErrorMessage(error, targetUrl, response) {
+  const status = response?.status != null ? String(response.status) : error?.response?.status != null ? String(error.response.status) : "n/a";
+  const err = error instanceof Error ? error : new Error(String(error));
+  const cause = err.cause instanceof Error ? err.cause.message : err.cause != null ? String(err.cause) : "";
+  let message = `Sync failed: ${err.message}. Target URL: ${targetUrl}. Status: ${status}`;
+  if (cause && !message.includes(cause)) {
+    message += `. Cause: ${cause}`;
+  }
+  return message;
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -5837,30 +5931,29 @@ async function uploadScanResultsToHub(payload, apiKey) {
     console.warn("[runsec] Hub telemetry skipped: API key missing");
     return { success: false, message: "Sync failed: API key missing" };
   }
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
-  const url = `${baseUrl}/api/mcp/upload-report`;
+  const url = resolveHubUploadUrl();
+  console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
   try {
     const response = await fetch(url, {
       method: "POST",
-      headers: {
-        Authorization: `Bearer ${trimmedKey}`,
-        // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
-        "X-RunSec-Api-Key": trimmedKey,
-        "Content-Type": "application/json",
-        Accept: "application/json"
-      },
-      body: JSON.stringify(payload)
+      headers: hubAuthHeaders(trimmedKey),
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
     });
     if (!response.ok) {
       const detail = await response.text().catch(() => "");
       const detailSnippet = detail.slice(0, 500).trim();
       const statusLabel = response.statusText || String(response.status);
-      console.warn(
-        `[runsec] Hub telemetry upload failed (${response.status}): ${detailSnippet || statusLabel}`
+      const httpMessage = detailSnippet || statusLabel;
+      const message = formatHubSyncErrorMessage(
+        new Error(httpMessage),
+        url,
+        response
       );
+      console.warn(`[runsec] Hub telemetry upload failed: ${message}`);
       return {
         success: false,
-        message: `Sync failed: ${detailSnippet || statusLabel}`
+        message
       };
     }
     const body = await response.json().catch(() => ({}));
@@ -5876,9 +5969,9 @@ async function uploadScanResultsToHub(payload, apiKey) {
       projectId
     };
   } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
+    const message = formatHubSyncErrorMessage(error, url);
     console.warn(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
-    return { success: false, message: `Sync failed: ${message}` };
+    return { success: false, message };
   }
 }
 
@@ -5920,10 +6013,13 @@ function appendCloudSyncToDirective(directive, syncResult) {
 ${lines}`;
 }
 async function verifyApiKey(apiKey) {
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
+  const verifyUrl = resolveHubUploadUrl().replace(/\/upload-report\/?$/, "/verify-key");
   try {
-    const response = await fetch(`${baseUrl}/api/mcp/verify-key`, {
-      headers: { Authorization: `Bearer ${apiKey}` }
+    const response = await fetch(verifyUrl, {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "X-RunSec-Api-Key": apiKey
+      }
     });
     if (response.status === 401 || response.status === 403) {
       console.error("\u274C FATAL: Invalid RunSec API Key.");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.75",
+  "version": "1.0.77",
   "main": "dist/index.js",
   "files": [
     "dist",