npm - @runsec/mcp - Versions diffs - 1.0.77 → 1.0.79 - Mend

@runsec/mcp 1.0.77 → 1.0.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +261 -47
package/package.json +4 -2

package/dist/index.js CHANGED Viewed

@@ -413,7 +413,7 @@ var import_node_fs3 = __toESM(require("fs"));
 var import_node_path3 = __toESM(require("path"));
 // src/engine/secretHeuristics.ts
-var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\()/i;
+var ENV_INTERP_RE = /(?:\$\{[A-Z0-9_]+\}|\$\{[^}]+\}|\$[A-Z][A-Z0-9_]{2,}|%\([A-Za-z0-9_.]+\)s|process\.env\.|os\.getenv\(|getenv\(|environ\[)/i;
 var LOCKFILE_BASENAMES = /^(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|cargo\.lock|composer\.lock|gemfile\.lock)$/i;
 function hasEnvironmentInterpolation(text) {
   return ENV_INTERP_RE.test(text);
@@ -435,6 +435,15 @@ var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yar
 function isLockfileLayoutArtifactPath(relPath) {
   return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
+function findingBlobHasEnvInterpolation(finding) {
+  const parts = [
+    finding.match_text ?? "",
+    finding.snippet ?? "",
+    finding.description ?? "",
+    finding.title ?? ""
+  ];
+  return parts.some((p) => p.trim() && hasEnvironmentInterpolation(p));
+}
 // src/engine/cognitiveEngine.ts
 var NUCLEAR_HARD_DROP_CONFIDENCE = 0.01;
@@ -446,14 +455,38 @@ function findingIsVerified(finding) {
 function applyNuclearHardDrop(finding, relPath) {
   const matchText = finding.match_text ?? "";
   const snippet = finding.snippet ?? "";
-  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet)) {
+  if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet) || findingBlobHasEnvInterpolation(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
   }
-  if (!findingIsVerified(finding) && LOCKFILE_LAYOUT_RE.test(relPath)) {
+  if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath))) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
+  if (isCustomRegexFinding(finding) && !findingIsVerified(finding)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "customregex_unverified" };
+  }
   return null;
 }
+function materializeNuclearSuppressedFinding(finding, drop) {
+  return {
+    ...finding,
+    severity: downgradeSeverity(finding.severity, "LOW"),
+    confidence_score: drop.cap,
+    confidence_reasons: [drop.reason],
+    primary_log_eligible: false,
+    suppressed: true,
+    suppression_reason: drop.reason,
+    attack_path_concrete: false
+  };
+}
+function relPathForFinding(finding) {
+  return finding.file_path.replace(/\\/g, "/");
+}
+function isNuclearSuppressedFinding(finding) {
+  if (finding.suppressed) return true;
+  const conf = finding.confidence_score;
+  if (conf != null && conf <= NUCLEAR_HARD_DROP_CONFIDENCE) return true;
+  return applyNuclearHardDrop(finding, relPathForFinding(finding)) != null;
+}
 function isCustomRegexFinding(finding) {
   const detector = String(finding.detector_name ?? "").trim().toLowerCase();
   if (detector === "customregex") return true;
@@ -979,16 +1012,7 @@ function enrichAuditFinding(repoRoot, finding, opts) {
   const relPath = finding.file_path.replace(/\\/g, "/");
   const nuclearDrop = applyNuclearHardDrop(finding, relPath);
   if (nuclearDrop) {
-    return {
-      ...finding,
-      severity: downgradeSeverity(finding.severity, "LOW"),
-      confidence_score: nuclearDrop.cap,
-      confidence_reasons: [nuclearDrop.reason],
-      primary_log_eligible: false,
-      suppressed: true,
-      suppression_reason: nuclearDrop.reason,
-      attack_path_concrete: false
-    };
+    return materializeNuclearSuppressedFinding(finding, nuclearDrop);
   }
   const phase1 = phase1ContextResearch(repoRoot, relPath);
   let [conf, reasons] = baseConfidenceForFinding(finding, phase1, relPath, finding.category, repoRoot);
@@ -1126,7 +1150,7 @@ function deduplicateSameLineFindings(findings) {
 }
 function buildVerdict(primaryFindings) {
   const blocking = primaryFindings.filter(
-    (f) => isBlockingSeverity(f.severity) && (f.confidence_score ?? 0) >= PRIMARY_LOG_THRESHOLD
+    (f) => !f.suppressed && !isNuclearSuppressedFinding(f) && isBlockingSeverity(f.severity) && (f.confidence_score ?? 0) >= PRIMARY_LOG_THRESHOLD
   );
   const isSafe = blocking.length === 0;
   const status = isSafe ? "PASS" : "FAIL";
@@ -1140,17 +1164,38 @@ function buildVerdict(primaryFindings) {
   };
 }
 function applyCognitivePipeline(workspaceRoot, findings) {
-  const enriched = findings.map((f) => enrichAuditFinding(workspaceRoot, f));
+  const nuclearSuppressed = [];
+  const active = [];
+  for (const finding of findings) {
+    const relPath = relPathForFinding(finding);
+    const drop = applyNuclearHardDrop(finding, relPath);
+    if (drop) {
+      nuclearSuppressed.push(materializeNuclearSuppressedFinding(finding, drop));
+    } else {
+      active.push(finding);
+    }
+  }
+  const enriched = active.map((f) => enrichAuditFinding(workspaceRoot, f));
   const { kept, duplicates } = deduplicateSameLineFindings(enriched);
-  const primary = kept.filter((f) => f.primary_log_eligible && !f.suppressed);
-  const suppressed = kept.filter((f) => !f.primary_log_eligible || f.suppressed).concat(duplicates);
+  const primary = kept.filter(
+    (f) => f.primary_log_eligible && !f.suppressed && !isNuclearSuppressedFinding(f)
+  );
+  const suppressed = nuclearSuppressed.concat(
+    kept.filter(
+      (f) => f.suppressed || isNuclearSuppressedFinding(f) || !f.primary_log_eligible
+    )
+  ).concat(duplicates);
+  const allScored = [...primary, ...suppressed];
+  console.error(
+    `[runsec] cognitive: raw=${findings.length} nuclear=${nuclearSuppressed.length} primary=${primary.length} suppressed=${suppressed.length}`
+  );
   return {
     primary,
     suppressed,
     summary: {
       version: "v1.0",
       primary_log_threshold: PRIMARY_LOG_THRESHOLD,
-      findings_total: enriched.length,
+      findings_total: allScored.length,
       findings_primary: primary.length,
       findings_suppressed: suppressed.length,
       false_positive_filtering: true
@@ -1774,8 +1819,9 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
     if (!isTrufflehogVerified(verified, description)) {
       if (isLockfileOrModulesPath(rel)) continue;
-      const blob = `${display} ${rawSecret}`;
+      const blob = `${display} ${rawSecret} ${description}`;
       if (hasEnvironmentInterpolation(blob)) continue;
+      if (detector.toLowerCase() === "customregex") continue;
     }
     const severity = severityForSecret(detector, verified);
     findings.push({
@@ -3047,7 +3093,7 @@ async function runUnifiedScanPipeline(opts) {
     `[runsec] unified scan: engines=${concurrent_duration_ms}ms merge+cognitive=${merge_duration_ms}ms | raw=${allRaw.length} primary=${findings.length} suppressed_cognitive=${findings_suppressed.length}`
   );
   console.error(
-    `[runsec] X-RunSec-Verdict: ${cognitiveResult.verdict.http_headers["X-RunSec-Verdict"]} (blocking=${cognitiveResult.verdict.blocking_findings_count})`
+    `[runsec] @runsec/mcp cognitive complete | X-RunSec-Verdict: ${cognitiveResult.verdict.http_headers["X-RunSec-Verdict"]} | primary=${findings.length} suppressed=${findings_suppressed.length} blocking=${cognitiveResult.verdict.blocking_findings_count}`
   );
   return {
     standard,
@@ -3607,6 +3653,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   const out = [];
   out.push(`# RunSec Unified Security Report`);
   out.push("");
+  out.push(`**Generated at:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
   out.push(`**Standard:** ${safeText(standard)}`);
   out.push(`**X-RunSec-Verdict:** \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""}`);
   out.push(
@@ -5776,7 +5823,10 @@ function isRemediationTool(name) {
 }
 // src/hubUploadUrl.ts
+var import_node_fs17 = __toESM(require("fs"));
 var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
+var DEFAULT_PRODUCTION_HUB_ORIGIN = "https://runsec.io";
+var DEFAULT_DOCKER_INTERNAL_HUB_ORIGIN = "http://frontend:3000";
 var LEGACY_TELEMETRY_INGEST_PATH = "/api/v1/telemetry/ingest";
 function stripTrailingSlash(url) {
   return url.replace(/\/$/, "");
@@ -5788,6 +5838,79 @@ function migrateLegacyIngestUrl(url) {
   );
   return url.replace(LEGACY_TELEMETRY_INGEST_PATH, HUB_UPLOAD_REPORT_PATH);
 }
+function isProductionRuntime() {
+  const nodeEnv = String(process.env.NODE_ENV ?? "").toLowerCase();
+  const environment = String(process.env.ENVIRONMENT ?? "").toLowerCase();
+  return nodeEnv === "production" || environment === "production";
+}
+function firstAllowedOrigin(raw) {
+  if (!raw?.trim()) return null;
+  const first = raw.split(",")[0]?.trim();
+  return first || null;
+}
+function vercelDeploymentUrl() {
+  const host = process.env.VERCEL_URL?.trim();
+  if (!host) return null;
+  return host.startsWith("http") ? stripTrailingSlash(host) : `https://${host}`;
+}
+function colocatedHubOrigin() {
+  const port = process.env.PORT?.trim() || process.env.WEB_PORT?.trim();
+  if (!port || !/^\d+$/.test(port)) return null;
+  return `http://127.0.0.1:${port}`;
+}
+function isDockerRuntime() {
+  try {
+    return import_node_fs17.default.existsSync("/.dockerenv");
+  } catch {
+    return false;
+  }
+}
+function resolveDockerInternalHubOrigin() {
+  return stripTrailingSlash(
+    process.env.RUNSEC_HUB_INTERNAL_URL?.trim() || process.env.FRONTEND_INTERNAL_URL?.trim() || DEFAULT_DOCKER_INTERNAL_HUB_ORIGIN
+  );
+}
+function resolveHubBaseUrl() {
+  const candidates = [
+    process.env.RUNSEC_HUB_URL,
+    process.env.RUNSEC_API_URL,
+    process.env.RUNSEC_HUB_ORIGIN,
+    process.env.RUNSEC_HUB_INTERNAL_URL,
+    process.env.NEXT_PUBLIC_APP_URL,
+    process.env.PUBLIC_APP_URL,
+    process.env.NEXTAUTH_URL,
+    process.env.AUTH_URL,
+    firstAllowedOrigin(process.env.ALLOWED_ORIGINS),
+    vercelDeploymentUrl()
+  ].map((v) => v?.trim()).filter(Boolean);
+  if (candidates.length > 0) {
+    return stripTrailingSlash(migrateLegacyIngestUrl(candidates[0]));
+  }
+  if (isDockerRuntime()) {
+    const internal = resolveDockerInternalHubOrigin();
+    console.error(
+      `[runsec] Docker runtime \u2014 Hub upload via internal origin ${internal} (set RUNSEC_HUB_URL to override)`
+    );
+    return internal;
+  }
+  if (isProductionRuntime()) {
+    const colocated = colocatedHubOrigin();
+    if (colocated) {
+      console.error(
+        `[runsec] RUNSEC_HUB_URL unset \u2014 using colocated Hub origin ${colocated} (override with RUNSEC_HUB_URL if needed)`
+      );
+      return colocated;
+    }
+  }
+  return DEFAULT_PRODUCTION_HUB_ORIGIN;
+}
+function appendUploadPath(base) {
+  const migrated = migrateLegacyIngestUrl(base);
+  if (migrated.includes(HUB_UPLOAD_REPORT_PATH)) {
+    return stripTrailingSlash(migrated);
+  }
+  return `${stripTrailingSlash(migrated)}${HUB_UPLOAD_REPORT_PATH}`;
+}
 function resolveHubUploadUrl() {
   const explicit = [
     process.env.RUNSEC_HUB_INGEST_URL,
@@ -5795,23 +5918,33 @@ function resolveHubUploadUrl() {
     process.env.RUNSEC_TELEMETRY_URL
   ].map((v) => v?.trim()).find(Boolean);
   if (explicit) {
-    const migrated = migrateLegacyIngestUrl(explicit);
-    if (migrated.includes(HUB_UPLOAD_REPORT_PATH)) {
-      return stripTrailingSlash(migrated);
-    }
-    if (/^https?:\/\//i.test(migrated)) {
-      return `${stripTrailingSlash(migrated)}${HUB_UPLOAD_REPORT_PATH}`;
-    }
-    return stripTrailingSlash(migrated);
+    return appendUploadPath(explicit);
   }
-  const base = stripTrailingSlash(
-    process.env.RUNSEC_HUB_URL?.trim() || process.env.RUNSEC_API_URL?.trim() || "https://runsec.io"
-  );
-  const migratedBase = migrateLegacyIngestUrl(base);
-  if (migratedBase.includes(HUB_UPLOAD_REPORT_PATH)) {
-    return migratedBase;
+  return appendUploadPath(resolveHubBaseUrl());
+}
+function localhostAlternateUploadUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.hostname !== "localhost") return null;
+    parsed.hostname = "127.0.0.1";
+    return parsed.toString();
+  } catch {
+    return null;
+  }
+}
+function dockerInternalAlternateUploadUrl(url) {
+  if (!isDockerRuntime()) return null;
+  try {
+    const parsed = new URL(url);
+    const internal = new URL(resolveDockerInternalHubOrigin());
+    if (parsed.origin === internal.origin) return null;
+    internal.pathname = HUB_UPLOAD_REPORT_PATH;
+    internal.search = "";
+    internal.hash = "";
+    return internal.toString();
+  } catch {
+    return appendUploadPath(resolveDockerInternalHubOrigin());
   }
-  return `${migratedBase}${HUB_UPLOAD_REPORT_PATH}`;
 }
 // src/complianceScores.ts
@@ -5866,16 +5999,70 @@ function hubAuthHeaders(apiKey) {
     Accept: "application/json"
   };
 }
-function formatHubSyncErrorMessage(error, targetUrl, response) {
+function networkErrorCode(error) {
+  const err = error instanceof Error ? error : null;
+  if (err && "code" in err && typeof err.code === "string") {
+    return String(err.code);
+  }
+  const cause = err?.cause;
+  if (cause && typeof cause === "object" && "code" in cause) {
+    return String(cause.code);
+  }
+  return "";
+}
+function dumpHubNetworkError(error, targetUrl) {
+  const err = error instanceof Error ? error : new Error(String(error));
+  const code = networkErrorCode(error) || "n/a";
+  console.error("[runsec-network-error]", code, err.message, "Target URL:", targetUrl);
+  if (err.cause != null) {
+    console.error("[runsec-network-error] cause:", err.cause);
+  }
+  if (err.stack) {
+    console.error("[runsec-network-error] stack:", err.stack);
+  }
+  try {
+    const extras = {};
+    for (const key of Object.getOwnPropertyNames(err)) {
+      if (key === "message" || key === "stack") continue;
+      extras[key] = err[key];
+    }
+    if (Object.keys(extras).length > 0) {
+      console.error("[runsec-network-error] details:", extras);
+    }
+  } catch {
+    console.error("[runsec-network-error] raw:", error);
+  }
+}
+function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
   const status = response?.status != null ? String(response.status) : error?.response?.status != null ? String(error.response.status) : "n/a";
   const err = error instanceof Error ? error : new Error(String(error));
   const cause = err.cause instanceof Error ? err.cause.message : err.cause != null ? String(err.cause) : "";
+  const code = networkErrorCode(error);
   let message = `Sync failed: ${err.message}. Target URL: ${targetUrl}. Status: ${status}`;
-  if (cause && !message.includes(cause)) {
-    message += `. Cause: ${cause}`;
+  if (code) message += `. Code: ${code}`;
+  if (cause && !message.includes(cause)) message += `. Cause: ${cause}`;
+  if (responseBody?.trim()) {
+    message += `. Body: ${responseBody.trim().slice(0, 300)}`;
+  }
+  if (status === "n/a" && /fetch failed|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
+    message += ". Hint: set RUNSEC_HUB_URL to your production Hub origin (same value as NEXT_PUBLIC_APP_URL on the Hub server).";
   }
   return message;
 }
+function logHubSyncFailure(message, error, targetUrl) {
+  if (error != null && targetUrl) {
+    dumpHubNetworkError(error, targetUrl);
+  }
+  console.error(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
+}
+async function postHubUpload(url, apiKey, payload) {
+  return await fetch(url, {
+    method: "POST",
+    headers: hubAuthHeaders(apiKey),
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+  });
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -5933,13 +6120,38 @@ async function uploadScanResultsToHub(payload, apiKey) {
   }
   const url = resolveHubUploadUrl();
   console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
+  const attemptUpload = async (targetUrl) => {
+    const errors = [];
+    const urls = [targetUrl];
+    const localhostAlt = localhostAlternateUploadUrl(targetUrl);
+    if (localhostAlt && localhostAlt !== targetUrl) urls.push(localhostAlt);
+    const dockerAlt = dockerInternalAlternateUploadUrl(targetUrl);
+    if (dockerAlt && !urls.includes(dockerAlt)) urls.push(dockerAlt);
+    let lastError = new Error("No upload attempts made");
+    for (let i = 0; i < urls.length; i++) {
+      const tryUrl = urls[i];
+      if (i > 0) {
+        console.error(`[runsec] Hub telemetry retry \u2192 ${tryUrl}`);
+      }
+      try {
+        return await postHubUpload(tryUrl, trimmedKey, payload);
+      } catch (err) {
+        lastError = err;
+        errors.push(err);
+        dumpHubNetworkError(err, tryUrl);
+      }
+    }
+    throw lastError;
+  };
   try {
-    const response = await fetch(url, {
-      method: "POST",
-      headers: hubAuthHeaders(trimmedKey),
-      body: JSON.stringify(payload),
-      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
-    });
+    let response;
+    try {
+      response = await attemptUpload(url);
+    } catch (networkError) {
+      const message = formatHubSyncErrorMessage(networkError, url);
+      logHubSyncFailure(message, networkError, url);
+      return { success: false, message };
+    }
     if (!response.ok) {
       const detail = await response.text().catch(() => "");
       const detailSnippet = detail.slice(0, 500).trim();
@@ -5948,9 +6160,10 @@ async function uploadScanResultsToHub(payload, apiKey) {
       const message = formatHubSyncErrorMessage(
         new Error(httpMessage),
         url,
-        response
+        response,
+        detailSnippet
       );
-      console.warn(`[runsec] Hub telemetry upload failed: ${message}`);
+      logHubSyncFailure(message, new Error(httpMessage), url);
       return {
         success: false,
         message
@@ -5970,7 +6183,7 @@ async function uploadScanResultsToHub(payload, apiKey) {
     };
   } catch (error) {
     const message = formatHubSyncErrorMessage(error, url);
-    console.warn(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
+    logHubSyncFailure(message, error, url);
     return { success: false, message };
   }
 }
@@ -6303,6 +6516,7 @@ CRITICAL INSTRUCTIONS FOR LLM:
 async function main() {
   const key = getApiKey();
   process.env.RUNSEC_API_KEY = key;
+  console.error(`[runsec] MCP @runsec/mcp starting \u2014 Hub upload target: ${resolveHubUploadUrl()}`);
   await verifyApiKey(key);
   const summary = validateRules();
   console.error("Rules registry validated:", summary);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.77",
+  "version": "1.0.79",
   "main": "dist/index.js",
   "files": [
     "dist",
@@ -30,7 +30,9 @@
     "test": "vitest run",
     "test:gold": "tsx scripts/qaValidationReport.ts",
     "test:gold:parse": "tsx scripts/qaValidationReport.ts --parse-only",
-    "simulate:output": "tsx scripts/simulate_output.ts"
+    "simulate:output": "tsx scripts/simulate_output.ts",
+    "debug:pipeline": "tsx scripts/debug-pipeline.ts",
+    "test:e2e": "npm run build && tsx scripts/debug-pipeline.ts"
   },
   "keywords": [
     "mcp",