@runsec/mcp 1.0.79 → 1.0.80

package/dist/index.js

@@ -435,6 +435,26 @@ var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yar
 function isLockfileLayoutArtifactPath(relPath) {
   return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
+var DEV_GENERIC_CREDENTIAL_RE = /(?:postgres:postgres|root:root|root:password|admin:admin|user:password|test:test|guest:guest|changeme:changeme)/i;
+var DEV_DB_HOST_RE = /@(?:dev_db|dev-db|localhost|127\.0\.0\.1|0\.0\.0\.0|host\.docker\.internal|\.local\b|docker\.internal)(?::|\/|$)/i;
+var DEV_DATABASE_URI_RE = /(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/(?:[^:@\s]+:[^@\s]+@)?(?:dev_db|dev-db|localhost|127\.0\.0\.1|host\.docker\.internal)/i;
+function blobHasDevDatabaseSecret(text) {
+  const blob = (text ?? "").trim();
+  if (!blob) return false;
+  if (DEV_GENERIC_CREDENTIAL_RE.test(blob)) return true;
+  if (DEV_DB_HOST_RE.test(blob)) return true;
+  if (DEV_DATABASE_URI_RE.test(blob)) return true;
+  return false;
+}
+function findingHasDevDatabaseSecret(finding) {
+  const parts = [
+    finding.match_text ?? "",
+    finding.snippet ?? "",
+    finding.description ?? "",
+    finding.title ?? ""
+  ];
+  return parts.some((p) => blobHasDevDatabaseSecret(p));
+}
 function findingBlobHasEnvInterpolation(finding) {
   const parts = [
     finding.match_text ?? "",
@@ -458,6 +478,9 @@ function applyNuclearHardDrop(finding, relPath) {
   if (ENV_INTERP_RE.test(matchText) || ENV_INTERP_RE.test(snippet) || findingBlobHasEnvInterpolation(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "env_variable_interpolation" };
   }
+  if (findingHasDevDatabaseSecret(finding)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "dev_database_placeholder" };
+  }
   if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath))) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
@@ -496,7 +519,8 @@ function isCustomRegexFinding(finding) {
 }
 function looksLikeHighEntropyRawToken(finding) {
   const blob = `${finding.match_text ?? ""} ${finding.snippet ?? ""}`.trim();
-  if (blob.length < 24 || ENV_INTERP_RE.test(blob)) return false;
+  if (blob.length < 24 || ENV_INTERP_RE.test(blob) || findingHasDevDatabaseSecret(finding)) return false;
+  if (/^(?:postgres(?:ql)?|mysql|mongodb|redis):\/\//i.test(blob)) return false;
   if (/^(?:ghp_|gho_|github_pat_|glpat-|sk-[a-zA-Z0-9]{10,}|AKIA[0-9A-Z]{16}|xox[baprs]-|eyJ[A-Za-z0-9_-]{10,}\.)/i.test(
     blob
   )) {
@@ -1821,6 +1845,7 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
       if (isLockfileOrModulesPath(rel)) continue;
       const blob = `${display} ${rawSecret} ${description}`;
       if (hasEnvironmentInterpolation(blob)) continue;
+      if (blobHasDevDatabaseSecret(blob)) continue;
       if (detector.toLowerCase() === "customregex") continue;
     }
     const severity = severityForSecret(detector, verified);
@@ -5947,6 +5972,10 @@ function dockerInternalAlternateUploadUrl(url) {
   }
 }
 
+// src/telemetryClient.ts
+var import_node_http = __toESM(require("http"));
+var import_node_https = __toESM(require("https"));
+
 // src/complianceScores.ts
 var SEVERITY_PENALTY = {
   CRITICAL: 15,
@@ -6055,14 +6084,70 @@ function logHubSyncFailure(message, error, targetUrl) {
   }
   console.error(`[runsec] Hub telemetry upload error (scan saved locally): ${message}`);
 }
-async function postHubUpload(url, apiKey, payload) {
-  return await fetch(url, {
-    method: "POST",
-    headers: hubAuthHeaders(apiKey),
-    body: JSON.stringify(payload),
-    signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+function postHubUploadNodeHttp(url, apiKey, payload) {
+  return new Promise((resolve, reject) => {
+    const body = JSON.stringify(payload);
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    const headers = {
+      ...hubAuthHeaders(apiKey),
+      "Content-Length": String(Buffer.byteLength(body))
+    };
+    const lib = parsed.protocol === "https:" ? import_node_https.default : import_node_http.default;
+    const port = parsed.port !== "" ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
+    const req = lib.request(
+      {
+        hostname: parsed.hostname,
+        port,
+        path: `${parsed.pathname}${parsed.search}`,
+        method: "POST",
+        headers,
+        timeout: HUB_UPLOAD_TIMEOUT_MS
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const text = Buffer.concat(chunks).toString("utf8");
+          const status = res.statusCode ?? 0;
+          resolve({
+            ok: status >= 200 && status < 300,
+            status,
+            statusText: res.statusMessage ?? "",
+            text: async () => text,
+            json: async () => JSON.parse(text || "{}")
+          });
+        });
+      }
+    );
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(Object.assign(new Error("Hub upload request timeout"), { code: "ETIMEDOUT" }));
+    });
+    req.write(body);
+    req.end();
   });
 }
+async function postHubUpload(url, apiKey, payload) {
+  try {
+    return await fetch(url, {
+      method: "POST",
+      headers: hubAuthHeaders(apiKey),
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+    });
+  } catch (fetchError) {
+    console.error("[runsec] fetch() failed \u2014 retrying Hub upload via node:http(s)");
+    dumpHubNetworkError(fetchError, url);
+    return postHubUploadNodeHttp(url, apiKey, payload);
+  }
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.79",
+  "version": "1.0.80",
   "main": "dist/index.js",
   "files": [
     "dist",