@runsec/mcp 1.0.76 → 1.0.77

package/dist/index.js

@@ -5775,6 +5775,45 @@ function isRemediationTool(name) {
   return REMEDIATION_TOOL_NAMES.includes(name);
 }
 
+// src/hubUploadUrl.ts
+var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
+var LEGACY_TELEMETRY_INGEST_PATH = "/api/v1/telemetry/ingest";
+function stripTrailingSlash(url) {
+  return url.replace(/\/$/, "");
+}
+function migrateLegacyIngestUrl(url) {
+  if (!url.includes(LEGACY_TELEMETRY_INGEST_PATH)) return url;
+  console.warn(
+    `[runsec] Legacy telemetry ingest URL detected (${LEGACY_TELEMETRY_INGEST_PATH}); using ${HUB_UPLOAD_REPORT_PATH} instead`
+  );
+  return url.replace(LEGACY_TELEMETRY_INGEST_PATH, HUB_UPLOAD_REPORT_PATH);
+}
+function resolveHubUploadUrl() {
+  const explicit = [
+    process.env.RUNSEC_HUB_INGEST_URL,
+    process.env.RUNSEC_HUB_UPLOAD_URL,
+    process.env.RUNSEC_TELEMETRY_URL
+  ].map((v) => v?.trim()).find(Boolean);
+  if (explicit) {
+    const migrated = migrateLegacyIngestUrl(explicit);
+    if (migrated.includes(HUB_UPLOAD_REPORT_PATH)) {
+      return stripTrailingSlash(migrated);
+    }
+    if (/^https?:\/\//i.test(migrated)) {
+      return `${stripTrailingSlash(migrated)}${HUB_UPLOAD_REPORT_PATH}`;
+    }
+    return stripTrailingSlash(migrated);
+  }
+  const base = stripTrailingSlash(
+    process.env.RUNSEC_HUB_URL?.trim() || process.env.RUNSEC_API_URL?.trim() || "https://runsec.io"
+  );
+  const migratedBase = migrateLegacyIngestUrl(base);
+  if (migratedBase.includes(HUB_UPLOAD_REPORT_PATH)) {
+    return migratedBase;
+  }
+  return `${migratedBase}${HUB_UPLOAD_REPORT_PATH}`;
+}
+
 // src/complianceScores.ts
 var SEVERITY_PENALTY = {
   CRITICAL: 15,
@@ -5817,6 +5856,26 @@ function buildHubComplianceBlock(result) {
 }
 
 // src/telemetryClient.ts
+var HUB_UPLOAD_TIMEOUT_MS = 12e4;
+function hubAuthHeaders(apiKey) {
+  return {
+    Authorization: `Bearer ${apiKey}`,
+    // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
+    "X-RunSec-Api-Key": apiKey,
+    "Content-Type": "application/json",
+    Accept: "application/json"
+  };
+}
+function formatHubSyncErrorMessage(error, targetUrl, response) {
+  const status = response?.status != null ? String(response.status) : error?.response?.status != null ? String(error.response.status) : "n/a";
+  const err = error instanceof Error ? error : new Error(String(error));
+  const cause = err.cause instanceof Error ? err.cause.message : err.cause != null ? String(err.cause) : "";
+  let message = `Sync failed: ${err.message}. Target URL: ${targetUrl}. Status: ${status}`;
+  if (cause && !message.includes(cause)) {
+    message += `. Cause: ${cause}`;
+  }
+  return message;
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -5872,30 +5931,29 @@ async function uploadScanResultsToHub(payload, apiKey) {
     console.warn("[runsec] Hub telemetry skipped: API key missing");
     return { success: false, message: "Sync failed: API key missing" };
   }
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
-  const url = `${baseUrl}/api/mcp/upload-report`;
+  const url = resolveHubUploadUrl();
+  console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
   try {
     const response = await fetch(url, {
       method: "POST",
-      headers: {
-        Authorization: `Bearer ${trimmedKey}`,
-        // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
-        "X-RunSec-Api-Key": trimmedKey,
-        "Content-Type": "application/json",
-        Accept: "application/json"
-      },
-      body: JSON.stringify(payload)
+      headers: hubAuthHeaders(trimmedKey),
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
     });
     if (!response.ok) {
       const detail = await response.text().catch(() => "");
       const detailSnippet = detail.slice(0, 500).trim();
       const statusLabel = response.statusText || String(response.status);
-      console.warn(
-        `[runsec] Hub telemetry upload failed (${response.status}): ${detailSnippet || statusLabel}`
+      const httpMessage = detailSnippet || statusLabel;
+      const message = formatHubSyncErrorMessage(
+        new Error(httpMessage),
+        url,
+        response
       );
+      console.warn(`[runsec] Hub telemetry upload failed: ${message}`);
       return {
         success: false,
-        message: `Sync failed: ${detailSnippet || statusLabel}`
+        message
       };
     }
     const body = await response.json().catch(() => ({}));
@@ -5911,9 +5969,9 @@ async function uploadScanResultsToHub(payload, apiKey) {
       projectId
     };
   } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
+    const message = formatHubSyncErrorMessage(error, url);
     console.warn(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
-    return { success: false, message: `Sync failed: ${message}` };
+    return { success: false, message };
   }
 }
 
@@ -5955,10 +6013,13 @@ function appendCloudSyncToDirective(directive, syncResult) {
 ${lines}`;
 }
 async function verifyApiKey(apiKey) {
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
+  const verifyUrl = resolveHubUploadUrl().replace(/\/upload-report\/?$/, "/verify-key");
   try {
-    const response = await fetch(`${baseUrl}/api/mcp/verify-key`, {
-      headers: { Authorization: `Bearer ${apiKey}` }
+    const response = await fetch(verifyUrl, {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "X-RunSec-Api-Key": apiKey
+      }
     });
     if (response.status === 401 || response.status === 403) {
       console.error("\u274C FATAL: Invalid RunSec API Key.");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.76",
+  "version": "1.0.77",
   "main": "dist/index.js",
   "files": [
     "dist",