npm - @runsec/mcp - Versions diffs - 1.0.78 → 1.0.80 - Mend

@runsec/mcp 1.0.78 → 1.0.80

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +149 -15
package/package.json +4 -2

package/dist/index.js CHANGED Viewed

@@ -435,6 +435,26 @@ var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yar
 function isLockfileLayoutArtifactPath(relPath) {
   return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
+var DEV_GENERIC_CREDENTIAL_RE = /(?:postgres:postgres|root:root|root:password|admin:admin|user:password|test:test|guest:guest|changeme:changeme)/i;
+var DEV_DB_HOST_RE = /@(?:dev_db|dev-db|localhost|127\.0\.0\.1|0\.0\.0\.0|host\.docker\.internal|\.local\b|docker\.internal)(?::|\/|$)/i;
+var DEV_DATABASE_URI_RE = /(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/(?:[^:@\s]+:[^@\s]+@)?(?:dev_db|dev-db|localhost|127\.0\.0\.1|host\.docker\.internal)/i;
+function blobHasDevDatabaseSecret(text) {
+  const blob = (text ?? "").trim();
+  if (!blob) return false;
+  if (DEV_GENERIC_CREDENTIAL_RE.test(blob)) return true;
+  if (DEV_DB_HOST_RE.test(blob)) return true;
+  if (DEV_DATABASE_URI_RE.test(blob)) return true;
+  return false;
+}
+function findingHasDevDatabaseSecret(finding) {
+  const parts = [
+    finding.match_text ?? "",
+    finding.snippet ?? "",
+    finding.description ?? "",
+    finding.title ?? ""
+  ];
+  return parts.some((p) => blobHasDevDatabaseSecret(p));
+}
 function findingBlobHasEnvInterpolation(finding) {
   const parts = [
     finding.match_text ?? "",
@@ -458,6 +478,9 @@ function applyNuclearHardDrop(finding, relPath) {
   if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet) || findingBlobHasEnvInterpolation(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
   }
+  if (findingHasDevDatabaseSecret(finding)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "dev_database_placeholder" };
+  }
   if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath))) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
@@ -496,7 +519,8 @@ function isCustomRegexFinding(finding) {
 }
 function looksLikeHighEntropyRawToken(finding) {
   const blob = `${finding.match_text ?? ""} ${finding.snippet ?? ""}`.trim();
-  if (blob.length < 24 || ENV_INTERP_RE.test(blob)) return false;
+  if (blob.length < 24 || ENV_INTERP_RE.test(blob) || findingHasDevDatabaseSecret(finding)) return false;
+  if (/^(?:postgres(?:ql)?|mysql|mongodb|redis):\/\//i.test(blob)) return false;
   if (/^(?:ghp_|gho_|github_pat_|glpat-|sk-[a-zA-Z0-9]{10,}|AKIA[0-9A-Z]{16}|xox[baprs]-|eyJ[A-Za-z0-9_-]{10,}\.)/i.test(
     blob
   )) {
@@ -1821,6 +1845,7 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
       if (isLockfileOrModulesPath(rel)) continue;
       const blob = `${display} ${rawSecret} ${description}`;
       if (hasEnvironmentInterpolation(blob)) continue;
+      if (blobHasDevDatabaseSecret(blob)) continue;
       if (detector.toLowerCase() === "customregex") continue;
     }
     const severity = severityForSecret(detector, verified);
@@ -3093,7 +3118,7 @@ async function runUnifiedScanPipeline(opts) {
     `[runsec] unified scan: engines=${concurrent_duration_ms}ms merge+cognitive=${merge_duration_ms}ms | raw=${allRaw.length} primary=${findings.length} suppressed_cognitive=${findings_suppressed.length}`
   );
   console.error(
-    `[runsec] X-RunSec-Verdict: ${cognitiveResult.verdict.http_headers["X-RunSec-Verdict"]} (blocking=${cognitiveResult.verdict.blocking_findings_count})`
+    `[runsec] @runsec/mcp cognitive complete | X-RunSec-Verdict: ${cognitiveResult.verdict.http_headers["X-RunSec-Verdict"]} | primary=${findings.length} suppressed=${findings_suppressed.length} blocking=${cognitiveResult.verdict.blocking_findings_count}`
   );
   return {
     standard,
@@ -5823,8 +5848,10 @@ function isRemediationTool(name) {
 }
 // src/hubUploadUrl.ts
+var import_node_fs17 = __toESM(require("fs"));
 var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
 var DEFAULT_PRODUCTION_HUB_ORIGIN = "https://runsec.io";
+var DEFAULT_DOCKER_INTERNAL_HUB_ORIGIN = "http://frontend:3000";
 var LEGACY_TELEMETRY_INGEST_PATH = "/api/v1/telemetry/ingest";
 function stripTrailingSlash(url) {
   return url.replace(/\/$/, "");
@@ -5856,11 +5883,24 @@ function colocatedHubOrigin() {
   if (!port || !/^\d+$/.test(port)) return null;
   return `http://127.0.0.1:${port}`;
 }
+function isDockerRuntime() {
+  try {
+    return import_node_fs17.default.existsSync("/.dockerenv");
+  } catch {
+    return false;
+  }
+}
+function resolveDockerInternalHubOrigin() {
+  return stripTrailingSlash(
+    process.env.RUNSEC_HUB_INTERNAL_URL?.trim() || process.env.FRONTEND_INTERNAL_URL?.trim() || DEFAULT_DOCKER_INTERNAL_HUB_ORIGIN
+  );
+}
 function resolveHubBaseUrl() {
   const candidates = [
     process.env.RUNSEC_HUB_URL,
     process.env.RUNSEC_API_URL,
     process.env.RUNSEC_HUB_ORIGIN,
+    process.env.RUNSEC_HUB_INTERNAL_URL,
     process.env.NEXT_PUBLIC_APP_URL,
     process.env.PUBLIC_APP_URL,
     process.env.NEXTAUTH_URL,
@@ -5871,6 +5911,13 @@ function resolveHubBaseUrl() {
   if (candidates.length > 0) {
     return stripTrailingSlash(migrateLegacyIngestUrl(candidates[0]));
   }
+  if (isDockerRuntime()) {
+    const internal = resolveDockerInternalHubOrigin();
+    console.error(
+      `[runsec] Docker runtime \u2014 Hub upload via internal origin ${internal} (set RUNSEC_HUB_URL to override)`
+    );
+    return internal;
+  }
   if (isProductionRuntime()) {
     const colocated = colocatedHubOrigin();
     if (colocated) {
@@ -5910,6 +5957,24 @@ function localhostAlternateUploadUrl(url) {
     return null;
   }
 }
+function dockerInternalAlternateUploadUrl(url) {
+  if (!isDockerRuntime()) return null;
+  try {
+    const parsed = new URL(url);
+    const internal = new URL(resolveDockerInternalHubOrigin());
+    if (parsed.origin === internal.origin) return null;
+    internal.pathname = HUB_UPLOAD_REPORT_PATH;
+    internal.search = "";
+    internal.hash = "";
+    return internal.toString();
+  } catch {
+    return appendUploadPath(resolveDockerInternalHubOrigin());
+  }
+}
+// src/telemetryClient.ts
+var import_node_http = __toESM(require("http"));
+var import_node_https = __toESM(require("https"));
 // src/complianceScores.ts
 var SEVERITY_PENALTY = {
@@ -6019,14 +6084,70 @@ function logHubSyncFailure(message, error, targetUrl) {
   }
   console.error(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
 }
-async function postHubUpload(url, apiKey, payload) {
-  return await fetch(url, {
-    method: "POST",
-    headers: hubAuthHeaders(apiKey),
-    body: JSON.stringify(payload),
-    signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+function postHubUploadNodeHttp(url, apiKey, payload) {
+  return new Promise((resolve, reject) => {
+    const body = JSON.stringify(payload);
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    const headers = {
+      ...hubAuthHeaders(apiKey),
+      "Content-Length": String(Buffer.byteLength(body))
+    };
+    const lib = parsed.protocol === "https:" ? import_node_https.default : import_node_http.default;
+    const port = parsed.port !== "" ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
+    const req = lib.request(
+      {
+        hostname: parsed.hostname,
+        port,
+        path: `${parsed.pathname}${parsed.search}`,
+        method: "POST",
+        headers,
+        timeout: HUB_UPLOAD_TIMEOUT_MS
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const text = Buffer.concat(chunks).toString("utf8");
+          const status = res.statusCode ?? 0;
+          resolve({
+            ok: status >= 200 && status < 300,
+            status,
+            statusText: res.statusMessage ?? "",
+            text: async () => text,
+            json: async () => JSON.parse(text || "{}")
+          });
+        });
+      }
+    );
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(Object.assign(new Error("Hub upload request timeout"), { code: "ETIMEDOUT" }));
+    });
+    req.write(body);
+    req.end();
   });
 }
+async function postHubUpload(url, apiKey, payload) {
+  try {
+    return await fetch(url, {
+      method: "POST",
+      headers: hubAuthHeaders(apiKey),
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+    });
+  } catch (fetchError) {
+    console.error("[runsec] fetch() failed \u2014 retrying Hub upload via node:http(s)");
+    dumpHubNetworkError(fetchError, url);
+    return postHubUploadNodeHttp(url, apiKey, payload);
+  }
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -6085,14 +6206,27 @@ async function uploadScanResultsToHub(payload, apiKey) {
   const url = resolveHubUploadUrl();
   console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
   const attemptUpload = async (targetUrl) => {
-    try {
-      return await postHubUpload(targetUrl, trimmedKey, payload);
-    } catch (firstError) {
-      const alt = localhostAlternateUploadUrl(targetUrl);
-      if (!alt || alt === targetUrl) throw firstError;
-      console.error(`[runsec] Hub telemetry retry \u2192 ${alt}`);
-      return await postHubUpload(alt, trimmedKey, payload);
+    const errors = [];
+    const urls = [targetUrl];
+    const localhostAlt = localhostAlternateUploadUrl(targetUrl);
+    if (localhostAlt && localhostAlt !== targetUrl) urls.push(localhostAlt);
+    const dockerAlt = dockerInternalAlternateUploadUrl(targetUrl);
+    if (dockerAlt && !urls.includes(dockerAlt)) urls.push(dockerAlt);
+    let lastError = new Error("No upload attempts made");
+    for (let i = 0; i < urls.length; i++) {
+      const tryUrl = urls[i];
+      if (i > 0) {
+        console.error(`[runsec] Hub telemetry retry \u2192 ${tryUrl}`);
+      }
+      try {
+        return await postHubUpload(tryUrl, trimmedKey, payload);
+      } catch (err) {
+        lastError = err;
+        errors.push(err);
+        dumpHubNetworkError(err, tryUrl);
+      }
     }
+    throw lastError;
   };
   try {
     let response;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.78",
+  "version": "1.0.80",
   "main": "dist/index.js",
   "files": [
     "dist",
@@ -30,7 +30,9 @@
     "test": "vitest run",
     "test:gold": "tsx scripts/qaValidationReport.ts",
     "test:gold:parse": "tsx scripts/qaValidationReport.ts --parse-only",
-    "simulate:output": "tsx scripts/simulate_output.ts"
+    "simulate:output": "tsx scripts/simulate_output.ts",
+    "debug:pipeline": "tsx scripts/debug-pipeline.ts",
+    "test:e2e": "npm run build && tsx scripts/debug-pipeline.ts"
   },
   "keywords": [
     "mcp",