@runsec/mcp 1.0.76 → 1.0.78

package/dist/index.js

@@ -413,7 +413,7 @@ var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 
 // src/engine/secretHeuristics.ts
-var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\()/i;
+var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$\{[^}]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[)/i;
 var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
 function hasEnvironmentInterpolation(text) {
   return ENV_INTERP_RE.test(text);
@@ -435,6 +435,15 @@ var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yar
 function isLockfileLayoutArtifactPath(relPath) {
   return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
+function findingBlobHasEnvInterpolation(finding) {
+  const parts = [
+    finding.match_text ?? "",
+    finding.snippet ?? "",
+    finding.description ?? "",
+    finding.title ?? ""
+  ];
+  return parts.some((p) => p.trim() && hasEnvironmentInterpolation(p));
+}
 
 // src/engine/cognitiveEngine.ts
 var NUCLEAR_HARD_DROP_CONFIDENCE = 0.01;
@@ -446,14 +455,38 @@ function findingIsVerified(finding) {
 function applyNuclearHardDrop(finding, relPath) {
   const matchText = finding.match_text ?? "";
   const snippet = finding.snippet ?? "";
-  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet)) {
+  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet) || findingBlobHasEnvInterpolation(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
   }
-  if (!findingIsVerified(finding) && LOCKFILE_LAYOUT_RE.test(relPath)) {
+  if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath))) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
+  if (isCustomRegexFinding(finding) && !findingIsVerified(finding)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "customregex_unverified" };
+  }
   return null;
 }
+function materializeNuclearSuppressedFinding(finding, drop) {
+  return {
+    ...finding,
+    severity: downgradeSeverity(finding.severity, "LOW"),
+    confidence_score: drop.cap,
+    confidence_reasons: [drop.reason],
+    primary_log_eligible: false,
+    suppressed: true,
+    suppression_reason: drop.reason,
+    attack_path_concrete: false
+  };
+}
+function relPathForFinding(finding) {
+  return finding.file_path.replace(/\\/g, "/");
+}
+function isNuclearSuppressedFinding(finding) {
+  if (finding.suppressed) return true;
+  const conf = finding.confidence_score;
+  if (conf != null && conf <= NUCLEAR_HARD_DROP_CONFIDENCE) return true;
+  return applyNuclearHardDrop(finding, relPathForFinding(finding)) != null;
+}
 function isCustomRegexFinding(finding) {
   const detector = String(finding.detector_name ?? "").trim().toLowerCase();
   if (detector === "customregex") return true;
@@ -979,16 +1012,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
   const relPath = finding.file_path.replace(/\\/g, "/");
   const nuclearDrop = applyNuclearHardDrop(finding, relPath);
   if (nuclearDrop) {
-    return {
-      ...finding,
-      severity: downgradeSeverity(finding.severity, "LOW"),
-      confidence_score: nuclearDrop.cap,
-      confidence_reasons: [nuclearDrop.reason],
-      primary_log_eligible: false,
-      suppressed: true,
-      suppression_reason: nuclearDrop.reason,
-      attack_path_concrete: false
-    };
+    return materializeNuclearSuppressedFinding(finding, nuclearDrop);
   }
   const phase1 = phase1ContextResearch(repoRoot, relPath);
   let [conf, reasons] = baseConfidenceForFinding(finding, phase1, relPath, finding.category, repoRoot);
@@ -1126,7 +1150,7 @@ function deduplicateSameLineFindings(findings) {
 }
 function buildVerdict(primaryFindings) {
   const blocking = primaryFindings.filter(
-    (f) => isBlockingSeverity(f.severity) && (f.confidence_score ?? 0) >= PRIMARY_LOG_THRESHOLD
+    (f) => !f.suppressed && !isNuclearSuppressedFinding(f) && isBlockingSeverity(f.severity) && (f.confidence_score ?? 0) >= PRIMARY_LOG_THRESHOLD
   );
   const isSafe = blocking.length === 0;
   const status = isSafe ? "PASS" : "FAIL";
@@ -1140,17 +1164,38 @@ function buildVerdict(primaryFindings) {
   };
 }
 function applyCognitivePipeline(workspaceRoot, findings) {
-  const enriched = findings.map((f) => enrichAuditFinding(workspaceRoot, f));
+  const nuclearSuppressed = [];
+  const active = [];
+  for (const finding of findings) {
+    const relPath = relPathForFinding(finding);
+    const drop = applyNuclearHardDrop(finding, relPath);
+    if (drop) {
+      nuclearSuppressed.push(materializeNuclearSuppressedFinding(finding, drop));
+    } else {
+      active.push(finding);
+    }
+  }
+  const enriched = active.map((f) => enrichAuditFinding(workspaceRoot, f));
   const { kept, duplicates } = deduplicateSameLineFindings(enriched);
-  const primary = kept.filter((f) => f.primary_log_eligible && !f.suppressed);
-  const suppressed = kept.filter((f) => !f.primary_log_eligible || f.suppressed).concat(duplicates);
+  const primary = kept.filter(
+    (f) => f.primary_log_eligible && !f.suppressed && !isNuclearSuppressedFinding(f)
+  );
+  const suppressed = nuclearSuppressed.concat(
+    kept.filter(
+      (f) => f.suppressed || isNuclearSuppressedFinding(f) || !f.primary_log_eligible
+    )
+  ).concat(duplicates);
+  const allScored = [...primary, ...suppressed];
+  console.error(
+    `[runsec] cognitive: raw=${findings.length} nuclear=${nuclearSuppressed.length} primary=${primary.length} suppressed=${suppressed.length}`
+  );
   return {
     primary,
     suppressed,
     summary: {
       version: "v1.0",
       primary_log_threshold: PRIMARY_LOG_THRESHOLD,
-      findings_total: enriched.length,
+      findings_total: allScored.length,
       findings_primary: primary.length,
       findings_suppressed: suppressed.length,
       false_positive_filtering: true
@@ -1774,8 +1819,9 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
     if (!isTrufflehogVerified(verified, description)) {
       if (isLockfileOrModulesPath(rel)) continue;
-      const blob = `${display} ${rawSecret}`;
+      const blob = `${display} ${rawSecret} ${description}`;
       if (hasEnvironmentInterpolation(blob)) continue;
+      if (detector.toLowerCase() === "customregex") continue;
     }
     const severity = severityForSecret(detector, verified);
     findings.push({
@@ -3607,6 +3653,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   const out = [];
   out.push(`# RunSec Unified Security Report`);
   out.push("");
+  out.push(`**Generated at:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
   out.push(`**Standard:** ${safeText(standard)}`);
   out.push(`**X-RunSec-Verdict:** \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""}`);
   out.push(
@@ -5775,6 +5822,95 @@ function isRemediationTool(name) {
   return REMEDIATION_TOOL_NAMES.includes(name);
 }
 
+// src/hubUploadUrl.ts
+var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
+var DEFAULT_PRODUCTION_HUB_ORIGIN = "https://runsec.io";
+var LEGACY_TELEMETRY_INGEST_PATH = "/api/v1/telemetry/ingest";
+function stripTrailingSlash(url) {
+  return url.replace(/\/$/, "");
+}
+function migrateLegacyIngestUrl(url) {
+  if (!url.includes(LEGACY_TELEMETRY_INGEST_PATH)) return url;
+  console.warn(
+    `[runsec] Legacy telemetry ingest URL detected (${LEGACY_TELEMETRY_INGEST_PATH}); using ${HUB_UPLOAD_REPORT_PATH} instead`
+  );
+  return url.replace(LEGACY_TELEMETRY_INGEST_PATH, HUB_UPLOAD_REPORT_PATH);
+}
+function isProductionRuntime() {
+  const nodeEnv = String(process.env.NODE_ENV ?? "").toLowerCase();
+  const environment = String(process.env.ENVIRONMENT ?? "").toLowerCase();
+  return nodeEnv === "production" || environment === "production";
+}
+function firstAllowedOrigin(raw) {
+  if (!raw?.trim()) return null;
+  const first = raw.split(",")[0]?.trim();
+  return first || null;
+}
+function vercelDeploymentUrl() {
+  const host = process.env.VERCEL_URL?.trim();
+  if (!host) return null;
+  return host.startsWith("http") ? stripTrailingSlash(host) : `https://${host}`;
+}
+function colocatedHubOrigin() {
+  const port = process.env.PORT?.trim() || process.env.WEB_PORT?.trim();
+  if (!port || !/^\d+$/.test(port)) return null;
+  return `http://127.0.0.1:${port}`;
+}
+function resolveHubBaseUrl() {
+  const candidates = [
+    process.env.RUNSEC_HUB_URL,
+    process.env.RUNSEC_API_URL,
+    process.env.RUNSEC_HUB_ORIGIN,
+    process.env.NEXT_PUBLIC_APP_URL,
+    process.env.PUBLIC_APP_URL,
+    process.env.NEXTAUTH_URL,
+    process.env.AUTH_URL,
+    firstAllowedOrigin(process.env.ALLOWED_ORIGINS),
+    vercelDeploymentUrl()
+  ].map((v) => v?.trim()).filter(Boolean);
+  if (candidates.length > 0) {
+    return stripTrailingSlash(migrateLegacyIngestUrl(candidates[0]));
+  }
+  if (isProductionRuntime()) {
+    const colocated = colocatedHubOrigin();
+    if (colocated) {
+      console.error(
+        `[runsec] RUNSEC_HUB_URL unset \u2014 using colocated Hub origin ${colocated} (override with RUNSEC_HUB_URL if needed)`
+      );
+      return colocated;
+    }
+  }
+  return DEFAULT_PRODUCTION_HUB_ORIGIN;
+}
+function appendUploadPath(base) {
+  const migrated = migrateLegacyIngestUrl(base);
+  if (migrated.includes(HUB_UPLOAD_REPORT_PATH)) {
+    return stripTrailingSlash(migrated);
+  }
+  return `${stripTrailingSlash(migrated)}${HUB_UPLOAD_REPORT_PATH}`;
+}
+function resolveHubUploadUrl() {
+  const explicit = [
+    process.env.RUNSEC_HUB_INGEST_URL,
+    process.env.RUNSEC_HUB_UPLOAD_URL,
+    process.env.RUNSEC_TELEMETRY_URL
+  ].map((v) => v?.trim()).find(Boolean);
+  if (explicit) {
+    return appendUploadPath(explicit);
+  }
+  return appendUploadPath(resolveHubBaseUrl());
+}
+function localhostAlternateUploadUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname !== "localhost") return null;
+    parsed.hostname = "127.0.0.1";
+    return parsed.toString();
+  } catch {
+    return null;
+  }
+}
+
 // src/complianceScores.ts
 var SEVERITY_PENALTY = {
   CRITICAL: 15,
@@ -5817,6 +5953,80 @@ function buildHubComplianceBlock(result) {
 }
 
 // src/telemetryClient.ts
+var HUB_UPLOAD_TIMEOUT_MS = 12e4;
+function hubAuthHeaders(apiKey) {
+  return {
+    Authorization: `Bearer ${apiKey}`,
+    // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
+    "X-RunSec-Api-Key": apiKey,
+    "Content-Type": "application/json",
+    Accept: "application/json"
+  };
+}
+function networkErrorCode(error) {
+  const err = error instanceof Error ? error : null;
+  if (err && "code" in err && typeof err.code === "string") {
+    return String(err.code);
+  }
+  const cause = err?.cause;
+  if (cause && typeof cause === "object" && "code" in cause) {
+    return String(cause.code);
+  }
+  return "";
+}
+function dumpHubNetworkError(error, targetUrl) {
+  const err = error instanceof Error ? error : new Error(String(error));
+  const code = networkErrorCode(error) || "n/a";
+  console.error("[runsec-network-error]", code, err.message, "Target URL:", targetUrl);
+  if (err.cause != null) {
+    console.error("[runsec-network-error] cause:", err.cause);
+  }
+  if (err.stack) {
+    console.error("[runsec-network-error] stack:", err.stack);
+  }
+  try {
+    const extras = {};
+    for (const key of Object.getOwnPropertyNames(err)) {
+      if (key === "message" || key === "stack") continue;
+      extras[key] = err[key];
+    }
+    if (Object.keys(extras).length > 0) {
+      console.error("[runsec-network-error] details:", extras);
+    }
+  } catch {
+    console.error("[runsec-network-error] raw:", error);
+  }
+}
+function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
+  const status = response?.status != null ? String(response.status) : error?.response?.status != null ? String(error.response.status) : "n/a";
+  const err = error instanceof Error ? error : new Error(String(error));
+  const cause = err.cause instanceof Error ? err.cause.message : err.cause != null ? String(err.cause) : "";
+  const code = networkErrorCode(error);
+  let message = `Sync failed: ${err.message}. Target URL: ${targetUrl}. Status: ${status}`;
+  if (code) message += `. Code: ${code}`;
+  if (cause && !message.includes(cause)) message += `. Cause: ${cause}`;
+  if (responseBody?.trim()) {
+    message += `. Body: ${responseBody.trim().slice(0, 300)}`;
+  }
+  if (status === "n/a" && /fetch failed|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
+    message += ". Hint: set RUNSEC_HUB_URL to your production Hub origin (same value as NEXT_PUBLIC_APP_URL on the Hub server).";
+  }
+  return message;
+}
+function logHubSyncFailure(message, error, targetUrl) {
+  if (error != null && targetUrl) {
+    dumpHubNetworkError(error, targetUrl);
+  }
+  console.error(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
+}
+async function postHubUpload(url, apiKey, payload) {
+  return await fetch(url, {
+    method: "POST",
+    headers: hubAuthHeaders(apiKey),
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+  });
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -5872,30 +6082,42 @@ async function uploadScanResultsToHub(payload, apiKey) {
     console.warn("[runsec] Hub telemetry skipped: API key missing");
     return { success: false, message: "Sync failed: API key missing" };
   }
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
-  const url = `${baseUrl}/api/mcp/upload-report`;
+  const url = resolveHubUploadUrl();
+  console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
+  const attemptUpload = async (targetUrl) => {
+    try {
+      return await postHubUpload(targetUrl, trimmedKey, payload);
+    } catch (firstError) {
+      const alt = localhostAlternateUploadUrl(targetUrl);
+      if (!alt || alt === targetUrl) throw firstError;
+      console.error(`[runsec] Hub telemetry retry \u2192 ${alt}`);
+      return await postHubUpload(alt, trimmedKey, payload);
+    }
+  };
   try {
-    const response = await fetch(url, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${trimmedKey}`,
-        // Cloudflare/tunnel may strip Authorization on POST; Hub accepts this duplicate.
-        "X-RunSec-Api-Key": trimmedKey,
-        "Content-Type": "application/json",
-        Accept: "application/json"
-      },
-      body: JSON.stringify(payload)
-    });
+    let response;
+    try {
+      response = await attemptUpload(url);
+    } catch (networkError) {
+      const message = formatHubSyncErrorMessage(networkError, url);
+      logHubSyncFailure(message, networkError, url);
+      return { success: false, message };
+    }
     if (!response.ok) {
       const detail = await response.text().catch(() => "");
       const detailSnippet = detail.slice(0, 500).trim();
       const statusLabel = response.statusText || String(response.status);
-      console.warn(
-        `[runsec] Hub telemetry upload failed (${response.status}): ${detailSnippet || statusLabel}`
+      const httpMessage = detailSnippet || statusLabel;
+      const message = formatHubSyncErrorMessage(
+        new Error(httpMessage),
+        url,
+        response,
+        detailSnippet
       );
+      logHubSyncFailure(message, new Error(httpMessage), url);
       return {
         success: false,
-        message: `Sync failed: ${detailSnippet || statusLabel}`
+        message
       };
     }
     const body = await response.json().catch(() => ({}));
@@ -5911,9 +6133,9 @@ async function uploadScanResultsToHub(payload, apiKey) {
       projectId
     };
   } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    console.warn(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
-    return { success: false, message: `Sync failed: ${message}` };
+    const message = formatHubSyncErrorMessage(error, url);
+    logHubSyncFailure(message, error, url);
+    return { success: false, message };
   }
 }
 
@@ -5955,10 +6177,13 @@ function appendCloudSyncToDirective(directive, syncResult) {
 ${lines}`;
 }
 async function verifyApiKey(apiKey) {
-  const baseUrl = (process.env.RUNSEC_API_URL || "https://runsec.io").replace(/\/$/, "");
+  const verifyUrl = resolveHubUploadUrl().replace(/\/upload-report\/?$/, "/verify-key");
   try {
-    const response = await fetch(`${baseUrl}/api/mcp/verify-key`, {
-      headers: { Authorization: `Bearer ${apiKey}` }
+    const response = await fetch(verifyUrl, {
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "X-RunSec-Api-Key": apiKey
+      }
     });
     if (response.status === 401 || response.status === 403) {
       console.error("\u274C FATAL: Invalid RunSec API Key.");
@@ -6242,6 +6467,7 @@ CRITICAL INSTRUCTIONS FOR LLM:
 async function main() {
   const key = getApiKey();
   process.env.RUNSEC_API_KEY = key;
+  console.error(`[runsec] MCP @runsec/mcp starting \u2014 Hub upload target: ${resolveHubUploadUrl()}`);
   await verifyApiKey(key);
   const summary = validateRules();
   console.error("Rules registry validated:", summary);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.76",
+  "version": "1.0.78",
   "main": "dist/index.js",
   "files": [
     "dist",