npm - @runsec/mcp - Versions diffs - 1.0.80 → 1.0.83 - Mend

@runsec/mcp 1.0.80 → 1.0.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/runsec-mcp.cjs CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 "use strict";
 const fs = require("node:fs");

package/dist/index.js CHANGED Viewed

@@ -435,6 +435,25 @@ var LOCKFILE_LAYOUT_RE = /(?:poetry\.lock|package-lock\.json|pnpm-lock\.yaml|yar
 function isLockfileLayoutArtifactPath(relPath) {
   return LOCKFILE_LAYOUT_RE.test(relPath.replace(/\\/g, "/"));
 }
+function isStaticLayoutDumpPath(relPath) {
+  return isLockfileLayoutArtifactPath(relPath);
+}
+function isHexChecksumBlob(text) {
+  const compact = (text ?? "").replace(/\s+/g, "").trim();
+  if (compact.length < 40 || compact.length > 128) return false;
+  return /^[0-9a-f]+$/i.test(compact);
+}
+var UNVERIFIED_NOISE_DETECTORS = /* @__PURE__ */ new Set([
+  "customregex",
+  "sentrytoken",
+  "hashicorpvault"
+]);
+function isUnverifiedTrufflehogNoiseDetector(detectorName) {
+  const d = detectorName.trim().toLowerCase().replace(/\s+/g, "");
+  if (UNVERIFIED_NOISE_DETECTORS.has(d)) return true;
+  if (d === "sentry" || d === "sentrytoken") return true;
+  return false;
+}
 var DEV_GENERIC_CREDENTIAL_RE = /(?:postgres:postgres|root:root|root:password|admin:admin|user:password|test:test|guest:guest|changeme:changeme)/i;
 var DEV_DB_HOST_RE = /@(?:dev_db|dev-db|localhost|127\.0\.0\.1|0\.0\.0\.0|host\.docker\.internal|\.local\b|docker\.internal)(?::|\/|$)/i;
 var DEV_DATABASE_URI_RE = /(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/(?:[^:@\s]+:[^@\s]+@)?(?:dev_db|dev-db|localhost|127\.0\.0\.1|host\.docker\.internal)/i;
@@ -481,9 +500,17 @@ function applyNuclearHardDrop(finding, relPath) {
   if (findingHasDevDatabaseSecret(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "dev_database_placeholder" };
   }
-  if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath))) {
+  const secretBlob = `${matchText} ${snippet}`.trim();
+  if (!findingIsVerified(finding) && isHexChecksumBlob(secretBlob)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "package_checksum_hex" };
+  }
+  if (!findingIsVerified(finding) && (LOCKFILE_LAYOUT_RE.test(relPath) || isLockfileOrModulesPath(relPath) || isLockfileLayoutArtifactPath(relPath) || isStaticLayoutDumpPath(relPath))) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "lockfile_or_layout_artifact" };
   }
+  const detector = String(finding.detector_name ?? "").trim();
+  if (!findingIsVerified(finding) && isUnverifiedTrufflehogNoiseDetector(detector)) {
+    return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "unverified_trufflehog_noise_detector" };
+  }
   if (isCustomRegexFinding(finding) && !findingIsVerified(finding)) {
     return { cap: NUCLEAR_HARD_DROP_CONFIDENCE, reason: "customregex_unverified" };
   }
@@ -527,7 +554,10 @@ function looksLikeHighEntropyRawToken(finding) {
     return true;
   }
   const compact = blob.replace(/\s+/g, "");
-  if (compact.length >= 40 && /^[A-Za-z0-9+/=_-]+$/.test(compact)) return true;
+  if (isHexChecksumBlob(compact)) return false;
+  if (compact.length >= 40 && /^[A-Za-z0-9+/=_-]+$/.test(compact) && /[A-Z]/.test(compact) && /[a-z]/.test(compact)) {
+    return true;
+  }
   return false;
 }
 function customRegexNeedsBaseClamp(finding) {
@@ -1842,11 +1872,12 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const display = redacted || rawSecret || "[secret redacted]";
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
     if (!isTrufflehogVerified(verified, description)) {
-      if (isLockfileOrModulesPath(rel)) continue;
       const blob = `${display} ${rawSecret} ${description}`;
+      if (isLockfileOrModulesPath(rel) || isStaticLayoutDumpPath(rel)) continue;
       if (hasEnvironmentInterpolation(blob)) continue;
       if (blobHasDevDatabaseSecret(blob)) continue;
-      if (detector.toLowerCase() === "customregex") continue;
+      if (isHexChecksumBlob(display) || isHexChecksumBlob(rawSecret)) continue;
+      if (isUnverifiedTrufflehogNoiseDetector(detector)) continue;
     }
     const severity = severityForSecret(detector, verified);
     findings.push({
@@ -2545,16 +2576,11 @@ var import_promises = __toESM(require("fs/promises"));
 var import_node_os = __toESM(require("os"));
 var import_node_path11 = __toESM(require("path"));
 var TRUFFLEHOG_EXCLUDE_PATTERNS = [
-  "**/*.lock",
-  "**/package-lock.json",
-  "**/pnpm-lock.yaml",
-  "**/yarn.lock",
-  "**/poetry.lock",
-  "**/Cargo.lock",
-  "**/composer.lock",
-  "**/Gemfile.lock",
-  "**/*-lock.json",
-  "**/node_modules/**"
+  String.raw`\.lock$`,
+  String.raw`package-lock\.json$`,
+  String.raw`pnpm-lock\.yaml$`,
+  String.raw`-lock\.json$`,
+  String.raw`(^|[\\/])node_modules([\\/]|$)`
 ];
 async function createTrufflehogExcludeFile() {
   const tmpDir = await import_promises.default.mkdtemp(import_node_path11.default.join(import_node_os.default.tmpdir(), "runsec-th-exclude-"));
@@ -3287,8 +3313,29 @@ async function executeAudit(toolName, args) {
 }
 // src/engine/reportFormatter.ts
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path16 = __toESM(require("path"));
+// src/version.ts
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path15 = __toESM(require("path"));
+function loadVersion() {
+  const candidates = [
+    import_node_path15.default.join(__dirname, "..", "package.json"),
+    import_node_path15.default.join(__dirname, "package.json")
+  ];
+  for (const candidate of candidates) {
+    try {
+      const raw = JSON.parse(import_node_fs9.default.readFileSync(candidate, "utf8"));
+      if (raw.version?.trim()) return raw.version.trim();
+    } catch {
+    }
+  }
+  return "unknown";
+}
+var RUNSEC_MCP_VERSION = loadVersion();
+// src/engine/reportFormatter.ts
 var REPORT_SECTION_TITLES = {
   code: "Code Vulnerabilities",
   secrets: "Exposed Secrets",
@@ -3381,7 +3428,7 @@ function shortRuleLabel(ruleId) {
   return parts[parts.length - 1] || ruleId;
 }
 function snippetLanguage(filePath) {
-  const ext = import_node_path15.default.extname(filePath).replace(/^\./, "").toLowerCase();
+  const ext = import_node_path16.default.extname(filePath).replace(/^\./, "").toLowerCase();
   const map = {
     yml: "yaml",
     yaml: "yaml",
@@ -3483,9 +3530,9 @@ var TECH_STACK_BY_EXT = {
 };
 function techStackFromFilePath(filePath) {
   const normalized = String(filePath ?? "").replace(/\\/g, "/");
-  const base = import_node_path15.default.basename(normalized).toLowerCase();
+  const base = import_node_path16.default.basename(normalized).toLowerCase();
   if (base === "dockerfile" || base.startsWith("dockerfile.")) return "Docker";
-  const ext = import_node_path15.default.extname(normalized).toLowerCase();
+  const ext = import_node_path16.default.extname(normalized).toLowerCase();
   return TECH_STACK_BY_EXT[ext] ?? "Other";
 }
 function countFindingsByTechStack(findings) {
@@ -3679,6 +3726,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   out.push(`# RunSec Unified Security Report`);
   out.push("");
   out.push(`**Generated at:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
+  out.push(`**MCP package:** \`@runsec/mcp@${safeText(RUNSEC_MCP_VERSION)}\``);
   out.push(`**Standard:** ${safeText(standard)}`);
   out.push(`**X-RunSec-Verdict:** \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""}`);
   out.push(
@@ -3748,15 +3796,15 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   return finalizeReportMarkdown(out.join("\n"));
 }
 function resolveReportPath(workspacePath) {
-  const base = workspacePath?.trim() ? import_node_path15.default.resolve(workspacePath) : process.cwd();
-  return import_node_path15.default.join(base, "runsec-report.md");
+  const base = workspacePath?.trim() ? import_node_path16.default.resolve(workspacePath) : process.cwd();
+  return import_node_path16.default.join(base, "runsec-report.md");
 }
 function generateMarkdownReport(standard, findings, metrics, workspacePath) {
   const m = metrics || {};
   const rows = Array.isArray(findings) ? findings : [];
   const reportContent = finalizeReportMarkdown(buildServerSideReportMarkdown(standard, rows, m));
   const reportPath = resolveReportPath(workspacePath);
-  import_node_fs9.default.writeFileSync(reportPath, reportContent, "utf-8");
+  import_node_fs10.default.writeFileSync(reportPath, reportContent, "utf-8");
   console.error(`[runsec] wrote unified report to: ${reportPath}`);
   console.error(`[runsec] X-RunSec-Verdict: ${m.verdict?.http_headers?.["X-RunSec-Verdict"] ?? m.verdict?.status ?? "PASS"}`);
   return `
@@ -3771,17 +3819,17 @@ Simply confirm that the scan is complete and the report is saved at the path abo
 }
 // src/engine/reviewFormatter.ts
-var import_node_fs14 = __toESM(require("fs"));
-var import_node_path21 = __toESM(require("path"));
+var import_node_fs15 = __toESM(require("fs"));
+var import_node_path22 = __toESM(require("path"));
 // src/engine/threatModelEngine.ts
 var import_node_crypto4 = require("crypto");
-var import_node_fs13 = __toESM(require("fs"));
-var import_node_path20 = __toESM(require("path"));
+var import_node_fs14 = __toESM(require("fs"));
+var import_node_path21 = __toESM(require("path"));
 // src/skills/skillsApi.ts
-var import_node_fs12 = __toESM(require("fs"));
-var import_node_path19 = __toESM(require("path"));
+var import_node_fs13 = __toESM(require("fs"));
+var import_node_path20 = __toESM(require("path"));
 // src/skills/patternParser.ts
 var METRIC_ID_RE = /^[A-Z0-9]{2,4}-[0-9A-Za-z.\-]+$/;
@@ -3854,43 +3902,43 @@ function parsePatternRows(patternsText) {
 }
 // src/skills/paths.ts
-var import_node_path16 = __toESM(require("path"));
+var import_node_path17 = __toESM(require("path"));
 var RUNSEC_RELEASE_VERSION = "v1.0";
 var RAG_CACHE_SCHEMA_VERSION = 3;
 var ANTI_HALLUCINATION_PROMPT = "You MUST re-run a RunSec audit tool (runsec_audit_general or a scoped runsec_audit_*) after every remediation. Security claims without a fresh scanner PASS are invalid.";
 function getSkillsDirectory() {
-  return import_node_path16.default.join(getDataDirectory(), "skills");
+  return import_node_path17.default.join(getDataDirectory(), "skills");
 }
 function getRagCachePath() {
-  return import_node_path16.default.join(getDataDirectory(), ".rag-cache.json");
+  return import_node_path17.default.join(getDataDirectory(), ".rag-cache.json");
 }
 // src/skills/ragIndex.ts
 var import_node_crypto3 = require("crypto");
-var import_node_fs11 = __toESM(require("fs"));
-var import_node_path18 = __toESM(require("path"));
+var import_node_fs12 = __toESM(require("fs"));
+var import_node_path19 = __toESM(require("path"));
 // src/skills/skillLoader.ts
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_path17 = __toESM(require("path"));
+var import_node_fs11 = __toESM(require("fs"));
+var import_node_path18 = __toESM(require("path"));
 function loadSkillManifests() {
   const skillsDir = getSkillsDirectory();
   const manifests = {};
-  if (!import_node_fs10.default.existsSync(skillsDir)) {
+  if (!import_node_fs11.default.existsSync(skillsDir)) {
     return manifests;
   }
-  for (const entry of import_node_fs10.default.readdirSync(skillsDir, { withFileTypes: true })) {
+  for (const entry of import_node_fs11.default.readdirSync(skillsDir, { withFileTypes: true })) {
     if (!entry.isDirectory()) continue;
-    const skillJson = import_node_path17.default.join(skillsDir, entry.name, "skill.json");
-    if (!import_node_fs10.default.existsSync(skillJson)) continue;
-    const data = JSON.parse(import_node_fs10.default.readFileSync(skillJson, "utf-8"));
+    const skillJson = import_node_path18.default.join(skillsDir, entry.name, "skill.json");
+    if (!import_node_fs11.default.existsSync(skillJson)) continue;
+    const data = JSON.parse(import_node_fs11.default.readFileSync(skillJson, "utf-8"));
     const sid = String(data.skill_id ?? entry.name);
     manifests[sid] = { ...data, skill_id: sid, __dir_name: entry.name };
   }
   return manifests;
 }
 function skillDirectory(manifest) {
-  return import_node_path17.default.join(getSkillsDirectory(), manifest.__dir_name);
+  return import_node_path18.default.join(getSkillsDirectory(), manifest.__dir_name);
 }
 // src/skills/ragIndex.ts
@@ -3936,28 +3984,28 @@ function cosine(a, b) {
 }
 function hashFile(filePath) {
   const h = (0, import_node_crypto3.createHash)("sha256");
-  h.update(import_node_fs11.default.readFileSync(filePath));
+  h.update(import_node_fs12.default.readFileSync(filePath));
   return h.digest("hex");
 }
 function listSkillSourceFiles() {
   const skillsDir = getSkillsDirectory();
   const files = [];
   const walk = (dir) => {
-    for (const entry of import_node_fs11.default.readdirSync(dir, { withFileTypes: true })) {
-      const full = import_node_path18.default.join(dir, entry.name);
+    for (const entry of import_node_fs12.default.readdirSync(dir, { withFileTypes: true })) {
+      const full = import_node_path19.default.join(dir, entry.name);
       if (entry.isDirectory()) walk(full);
       else if (entry.isFile()) files.push(full);
     }
   };
-  if (import_node_fs11.default.existsSync(skillsDir)) walk(skillsDir);
+  if (import_node_fs12.default.existsSync(skillsDir)) walk(skillsDir);
   return files.sort();
 }
 function computeFilesChecksum() {
   const files = listSkillSourceFiles();
   const entries = [];
   for (const full of files) {
-    const st = import_node_fs11.default.statSync(full);
-    const rel = import_node_path18.default.relative(getSkillsDirectory(), full).replace(/\\/g, "/");
+    const st = import_node_fs12.default.statSync(full);
+    const rel = import_node_path19.default.relative(getSkillsDirectory(), full).replace(/\\/g, "/");
     const mtimeNs = typeof st.mtimeNs === "bigint" ? Number(st.mtimeNs) : Math.round(st.mtimeMs * 1e6);
     entries.push({
       path: rel,
@@ -3988,11 +4036,11 @@ function buildRagIndex() {
   const manifests = loadSkillManifests();
   for (const [skill_id, manifest] of Object.entries(manifests)) {
     const dir = skillDirectory(manifest);
-    const indexPath = import_node_path18.default.join(dir, "index.md");
-    const patternsPath = import_node_path18.default.join(dir, "patterns.md");
-    if (!import_node_fs11.default.existsSync(indexPath) || !import_node_fs11.default.existsSync(patternsPath)) continue;
-    const indexText = import_node_fs11.default.readFileSync(indexPath, "utf-8");
-    const patternsText = import_node_fs11.default.readFileSync(patternsPath, "utf-8");
+    const indexPath = import_node_path19.default.join(dir, "index.md");
+    const patternsPath = import_node_path19.default.join(dir, "patterns.md");
+    if (!import_node_fs12.default.existsSync(indexPath) || !import_node_fs12.default.existsSync(patternsPath)) continue;
+    const indexText = import_node_fs12.default.readFileSync(indexPath, "utf-8");
+    const patternsText = import_node_fs12.default.readFileSync(patternsPath, "utf-8");
     const example_path = String(manifest.few_shot_examples ?? "");
     for (const paragraph of indexText.split(/\n\n+/).map((p) => p.trim()).filter(Boolean)) {
       chunks.push({
@@ -4033,9 +4081,9 @@ function buildRagIndex() {
 }
 function loadRagCache(current) {
   const cachePath = getRagCachePath();
-  if (!import_node_fs11.default.existsSync(cachePath)) return null;
+  if (!import_node_fs12.default.existsSync(cachePath)) return null;
   try {
-    const payload = JSON.parse(import_node_fs11.default.readFileSync(cachePath, "utf-8"));
+    const payload = JSON.parse(import_node_fs12.default.readFileSync(cachePath, "utf-8"));
     if (payload.schema_version !== RAG_CACHE_SCHEMA_VERSION) return null;
     if (JSON.stringify(payload.files_checksum) !== JSON.stringify(current)) return null;
     return deserializeChunks(payload.chunks ?? []);
@@ -4050,7 +4098,7 @@ function saveRagCache(chunks, filesChecksum) {
       files_checksum: filesChecksum,
       chunks: serializeChunks(chunks)
     };
-    import_node_fs11.default.writeFileSync(getRagCachePath(), JSON.stringify(payload), "utf-8");
+    import_node_fs12.default.writeFileSync(getRagCachePath(), JSON.stringify(payload), "utf-8");
   } catch {
     console.error("[runsec] RAG cache write failed; continuing in-memory only");
   }
@@ -4214,7 +4262,7 @@ function selectSkillsForContext(opts) {
   const query = [opts.question ?? "", opts.file_path ?? "", opts.file_content ?? ""].filter(Boolean).join("\n");
   const semScores = query ? semanticSkillScores(query) : {};
   const keywordBoosts = query ? skillBoosts(query) : {};
-  const suffix = import_node_path18.default.extname(opts.file_path ?? "").toLowerCase();
+  const suffix = import_node_path19.default.extname(opts.file_path ?? "").toLowerCase();
   const hay = query.toLowerCase();
   const ranked = [];
   for (const [sid, manifest] of Object.entries(manifests)) {
@@ -4251,20 +4299,20 @@ function findPatternChunkByMetric(metricId) {
 // src/skills/skillsApi.ts
 function loadComplianceSnapshot() {
-  const p = import_node_path19.default.join(getDataDirectory(), "rule-compliance-map.json");
-  if (!import_node_fs12.default.existsSync(p)) return {};
+  const p = import_node_path20.default.join(getDataDirectory(), "rule-compliance-map.json");
+  if (!import_node_fs13.default.existsSync(p)) return {};
   try {
-    return JSON.parse(import_node_fs12.default.readFileSync(p, "utf-8"));
+    return JSON.parse(import_node_fs13.default.readFileSync(p, "utf-8"));
   } catch {
     return {};
   }
 }
 function extractTestbedExample(metricId, examplePath, skillsRoot) {
   if (!examplePath) return "";
-  const p = import_node_path19.default.isAbsolute(examplePath) ? examplePath : import_node_path19.default.join(import_node_path19.default.dirname(skillsRoot), "..", "..", examplePath);
-  const resolved = import_node_fs12.default.existsSync(p) ? p : import_node_path19.default.join(getDataDirectory(), "..", "..", examplePath);
-  if (!import_node_fs12.default.existsSync(resolved)) return "";
-  const lines = import_node_fs12.default.readFileSync(resolved, "utf-8").split(/\r?\n/);
+  const p = import_node_path20.default.isAbsolute(examplePath) ? examplePath : import_node_path20.default.join(import_node_path20.default.dirname(skillsRoot), "..", "..", examplePath);
+  const resolved = import_node_fs13.default.existsSync(p) ? p : import_node_path20.default.join(getDataDirectory(), "..", "..", examplePath);
+  if (!import_node_fs13.default.existsSync(resolved)) return "";
+  const lines = import_node_fs13.default.readFileSync(resolved, "utf-8").split(/\r?\n/);
   const needle = `Vulnerable: ${metricId}`;
   for (let idx = 0; idx < lines.length; idx += 1) {
     if (lines[idx].includes(needle)) {
@@ -4316,16 +4364,16 @@ function getSkillContext(args) {
   }
   const manifest = manifests[skill_id];
   const dir = skillDirectory(manifest);
-  const indexPath = import_node_path19.default.join(dir, "index.md");
-  const patternsPath = import_node_path19.default.join(dir, "patterns.md");
-  if (!import_node_fs12.default.existsSync(indexPath) || !import_node_fs12.default.existsSync(patternsPath)) {
+  const indexPath = import_node_path20.default.join(dir, "index.md");
+  const patternsPath = import_node_path20.default.join(dir, "patterns.md");
+  if (!import_node_fs13.default.existsSync(indexPath) || !import_node_fs13.default.existsSync(patternsPath)) {
     return {
       error: `incomplete skill data for ${skill_id}`,
-      index_exists: import_node_fs12.default.existsSync(indexPath),
-      patterns_exists: import_node_fs12.default.existsSync(patternsPath)
+      index_exists: import_node_fs13.default.existsSync(indexPath),
+      patterns_exists: import_node_fs13.default.existsSync(patternsPath)
     };
   }
-  const parsedRows = parsePatternRows(import_node_fs12.default.readFileSync(patternsPath, "utf-8"));
+  const parsedRows = parsePatternRows(import_node_fs13.default.readFileSync(patternsPath, "utf-8"));
   const grouped = {};
   for (const row of parsedRows) {
     const stack = row.stack.trim() || "Generic";
@@ -4338,13 +4386,13 @@ function getSkillContext(args) {
       source: row.source
     });
   }
-  const skillsRoot = import_node_path19.default.dirname(dir);
+  const skillsRoot = import_node_path20.default.dirname(dir);
   const response = {
     skill_id,
-    index_path: import_node_path19.default.relative(getDataDirectory(), indexPath).replace(/\\/g, "/"),
-    patterns_path: import_node_path19.default.relative(getDataDirectory(), patternsPath).replace(/\\/g, "/"),
-    index_md: import_node_fs12.default.readFileSync(indexPath, "utf-8"),
-    patterns_md: import_node_fs12.default.readFileSync(patternsPath, "utf-8"),
+    index_path: import_node_path20.default.relative(getDataDirectory(), indexPath).replace(/\\/g, "/"),
+    patterns_path: import_node_path20.default.relative(getDataDirectory(), patternsPath).replace(/\\/g, "/"),
+    index_md: import_node_fs13.default.readFileSync(indexPath, "utf-8"),
+    patterns_md: import_node_fs13.default.readFileSync(patternsPath, "utf-8"),
     patterns_by_stack: Object.fromEntries(Object.keys(grouped).sort().map((k) => [k, grouped[k]])),
     agent_system_insert: ANTI_HALLUCINATION_PROMPT,
     compliance_snapshot: loadComplianceSnapshot()
@@ -4384,7 +4432,7 @@ function askGuidance(question) {
   if (!q) return { error: "question is required" };
   const best = semanticSearch(q, 50, "pattern", true);
   const manifests = loadSkillManifests();
-  const skillsRoot = import_node_path19.default.join(getDataDirectory(), "skills");
+  const skillsRoot = import_node_path20.default.join(getDataDirectory(), "skills");
   const required = requiredMetricIds(q);
   const out = [];
   const seen = /* @__PURE__ */ new Set();
@@ -4447,7 +4495,7 @@ var STRIDE_LABELS = {
 };
 function readTextSafe(filePath, limit = 4e5) {
   try {
-    const data = import_node_fs13.default.readFileSync(filePath, "utf-8");
+    const data = import_node_fs14.default.readFileSync(filePath, "utf-8");
     return data.length > limit ? data.slice(0, limit) : data;
   } catch {
     return "";
@@ -4487,13 +4535,13 @@ function walkFiles2(root, opts) {
     let dir;
     try {
       dir = stack.pop();
-      const entries = import_node_fs13.default.readdirSync(dir, { withFileTypes: true });
+      const entries = import_node_fs14.default.readdirSync(dir, { withFileTypes: true });
       for (const ent of entries) {
         if (out.length >= max) break;
-        const full = import_node_path20.default.join(dir, ent.name);
+        const full = import_node_path21.default.join(dir, ent.name);
         if (ent.isDirectory()) {
           if (!skip.has(ent.name)) stack.push(full);
-        } else if (ent.isFile() && exts.has(import_node_path20.default.extname(ent.name).toLowerCase())) {
+        } else if (ent.isFile() && exts.has(import_node_path21.default.extname(ent.name).toLowerCase())) {
           out.push(full);
         }
       }
@@ -4534,7 +4582,7 @@ function syftPackages(payload) {
   return out.sort((a, b) => a.name.localeCompare(b.name));
 }
 function collectRepoThreatSignals(scanRoot, syftPayload) {
-  const root = import_node_path20.default.resolve(scanRoot);
+  const root = import_node_path21.default.resolve(scanRoot);
   const scanRel = ".";
   const signals = {
     scan_root: scanRel,
@@ -4556,7 +4604,7 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
     }
   };
   try {
-    for (const ent of import_node_fs13.default.readdirSync(root, { withFileTypes: true })) {
+    for (const ent of import_node_fs14.default.readdirSync(root, { withFileTypes: true })) {
       if (ent.isDirectory() && !ent.name.startsWith(".")) {
         signals.top_level_dirs.push(ent.name);
         if (signals.top_level_dirs.length >= 40) break;
@@ -4575,16 +4623,16 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
       const dir = stack.pop();
       let entries;
       try {
-        entries = import_node_fs13.default.readdirSync(dir, { withFileTypes: true });
+        entries = import_node_fs14.default.readdirSync(dir, { withFileTypes: true });
       } catch {
         continue;
       }
       for (const ent of entries) {
-        const full = import_node_path20.default.join(dir, ent.name);
+        const full = import_node_path21.default.join(dir, ent.name);
         if (ent.isDirectory()) {
           if (!skip.has(ent.name) && !ent.name.startsWith(".")) stack.push(full);
         } else if (ent.isFile() && patternNames.includes(ent.name)) {
-          const rel = import_node_path20.default.relative(root, full).replace(/\\/g, "/");
+          const rel = import_node_path21.default.relative(root, full).replace(/\\/g, "/");
           if (!rel.startsWith("..")) handler(full, rel);
         }
       }
@@ -4596,30 +4644,30 @@ function collectRepoThreatSignals(scanRoot, syftPayload) {
   });
   globWalk(["requirements.txt", "pyproject.toml", "go.mod"], (full, rel) => {
     addKey(rel);
-    if (import_node_path20.default.basename(full) === "requirements.txt") {
+    if (import_node_path21.default.basename(full) === "requirements.txt") {
       for (const d of parseRequirementsDeps(full)) deps.add(d);
-    } else if (import_node_path20.default.basename(full) === "pyproject.toml") {
+    } else if (import_node_path21.default.basename(full) === "pyproject.toml") {
       const txt = readTextSafe(full, 8e4).toLowerCase();
       for (const m of txt.matchAll(/['"]([a-zA-Z0-9_.\-]+)['"]/g)) deps.add(m[1].toLowerCase());
     }
   });
   for (const name of ["Dockerfile", "docker-compose.yml", "docker-compose.yaml"]) {
-    const fp = import_node_path20.default.join(root, name);
-    if (import_node_fs13.default.existsSync(fp)) {
+    const fp = import_node_path21.default.join(root, name);
+    if (import_node_fs14.default.existsSync(fp)) {
       addKey(name);
       if (name === "Dockerfile") signals.flags.has_dockerfile = true;
       else signals.flags.has_compose = true;
     }
   }
   for (const full of walkFiles2(root, { maxFiles: 80, extensions: /* @__PURE__ */ new Set([".yaml", ".yml"]) })) {
-    const base = import_node_path20.default.basename(full).toLowerCase();
+    const base = import_node_path21.default.basename(full).toLowerCase();
     if (base.includes("deploy") || base.includes("helm") || base.includes("k8s") || base.includes("values")) {
       signals.flags.has_k8s_yaml = true;
-      addKey(import_node_path20.default.relative(root, full).replace(/\\/g, "/"));
+      addKey(import_node_path21.default.relative(root, full).replace(/\\/g, "/"));
       break;
     }
   }
-  if (import_node_fs13.default.existsSync(import_node_path20.default.join(root, ".github", "workflows"))) {
+  if (import_node_fs14.default.existsSync(import_node_path21.default.join(root, ".github", "workflows"))) {
     signals.flags.has_github_workflows = true;
   }
   for (const pkg of signals.syft_packages) {
@@ -4651,12 +4699,12 @@ ${context}
 ${repoFp}`).digest("hex");
 }
 function loadThreatModelCache(workspaceRoot) {
-  const p = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
-  if (!import_node_fs13.default.existsSync(p)) {
+  const p = import_node_path21.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
+  if (!import_node_fs14.default.existsSync(p)) {
     return { schema_version: THREAT_MODEL_CACHE_SCHEMA_VERSION, entries: {} };
   }
   try {
-    const data = JSON.parse(import_node_fs13.default.readFileSync(p, "utf-8"));
+    const data = JSON.parse(import_node_fs14.default.readFileSync(p, "utf-8"));
     if (data.schema_version !== THREAT_MODEL_CACHE_SCHEMA_VERSION) {
       return { schema_version: THREAT_MODEL_CACHE_SCHEMA_VERSION, entries: {} };
     }
@@ -4667,7 +4715,7 @@ function loadThreatModelCache(workspaceRoot) {
   }
 }
 function saveThreatModelCache(workspaceRoot, cacheKey, markdown, baseline) {
-  const p = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
+  const p = import_node_path21.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE);
   const payload = loadThreatModelCache(workspaceRoot);
   payload.entries[cacheKey] = {
     markdown,
@@ -4676,7 +4724,7 @@ function saveThreatModelCache(workspaceRoot, cacheKey, markdown, baseline) {
     repo_fingerprint: String(baseline.repo_fingerprint ?? "")
   };
   payload.baseline = baseline;
-  import_node_fs13.default.writeFileSync(p, JSON.stringify(payload, null, 2), "utf-8");
+  import_node_fs14.default.writeFileSync(p, JSON.stringify(payload, null, 2), "utf-8");
   return p;
 }
 function strideClassifyClause(clause) {
@@ -4880,7 +4928,7 @@ function loadRepoCrosscheckHaystack(scanRoot, maxChars = 35e4) {
   let total = 0;
   const files = walkFiles2(scanRoot, { maxFiles: 220 });
   for (const full of files) {
-    const rel = import_node_path20.default.relative(scanRoot, full).replace(/\\/g, "/");
+    const rel = import_node_path21.default.relative(scanRoot, full).replace(/\\/g, "/");
     const snippet = readTextSafe(full, 14e3);
     const block = `
 --- ${rel} ---
@@ -5090,8 +5138,8 @@ function generateThreatModelMarkdown(profile, baseline, signals, ragKeywords, ca
 `;
 }
 async function runThreatModelEngine(opts) {
-  const workspaceRoot = import_node_path20.default.resolve(opts.workspace_path);
-  const projectName = (opts.project_name ?? import_node_path20.default.basename(workspaceRoot)).trim() || "project";
+  const workspaceRoot = import_node_path21.default.resolve(opts.workspace_path);
+  const projectName = (opts.project_name ?? import_node_path21.default.basename(workspaceRoot)).trim() || "project";
   const userContext = (opts.context ?? "").trim();
   const profile = detectSecurityProfile(projectName, userContext);
   const baseline = ARCHITECTURE_BASELINES[profile];
@@ -5106,13 +5154,13 @@ Project: ${projectName}`;
   const cache = loadThreatModelCache(workspaceRoot);
   const cached = cache.entries[cacheKey];
   if (cached?.markdown) {
-    const reportPath2 = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
-    import_node_fs13.default.writeFileSync(reportPath2, cached.markdown, "utf-8");
+    const reportPath2 = import_node_path21.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
+    import_node_fs14.default.writeFileSync(reportPath2, cached.markdown, "utf-8");
     return {
       profile,
       markdown: cached.markdown,
       report_path: reportPath2,
-      cache_path: import_node_path20.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE),
+      cache_path: import_node_path21.default.join(workspaceRoot, THREAT_MODEL_CACHE_FILE),
       cache_hit: true,
       cache_key: cacheKey,
       repo_fingerprint: repoFp,
@@ -5144,8 +5192,8 @@ Project: ${projectName}`;
     rag_keywords: [...ragKeywords].sort().slice(0, 40)
   };
   const cachePath = saveThreatModelCache(workspaceRoot, cacheKey, markdown, baselinePayload);
-  const reportPath = import_node_path20.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
-  import_node_fs13.default.writeFileSync(reportPath, markdown, "utf-8");
+  const reportPath = import_node_path21.default.join(workspaceRoot, THREAT_MODEL_REPORT_FILE);
+  import_node_fs14.default.writeFileSync(reportPath, markdown, "utf-8");
   return {
     profile,
     markdown,
@@ -5360,18 +5408,18 @@ function buildSecurityReviewMarkdown(opts) {
   return out.join("\n");
 }
 function resolveSecurityReviewPath(workspacePath) {
-  const base = workspacePath?.trim() ? import_node_path21.default.resolve(workspacePath) : process.cwd();
-  return import_node_path21.default.join(base, SECURITY_REVIEW_REPORT_FILE);
+  const base = workspacePath?.trim() ? import_node_path22.default.resolve(workspacePath) : process.cwd();
+  return import_node_path22.default.join(base, SECURITY_REVIEW_REPORT_FILE);
 }
 function writeSecurityReviewReport(markdown, workspacePath) {
   const reportPath = resolveSecurityReviewPath(workspacePath);
-  import_node_fs14.default.writeFileSync(reportPath, markdown, "utf-8");
+  import_node_fs15.default.writeFileSync(reportPath, markdown, "utf-8");
   console.error(`[runsec] wrote security review to: ${reportPath}`);
   return reportPath;
 }
 async function executeSecurityReview(opts) {
-  const workspaceRoot = import_node_path21.default.resolve(opts.workspace_path);
-  const projectName = (opts.project_name ?? import_node_path21.default.basename(workspaceRoot)).trim() || import_node_path21.default.basename(workspaceRoot);
+  const workspaceRoot = import_node_path22.default.resolve(opts.workspace_path);
+  const projectName = (opts.project_name ?? import_node_path22.default.basename(workspaceRoot)).trim() || import_node_path22.default.basename(workspaceRoot);
   console.error("[runsec] security review: starting unified scan + STRIDE threat model");
   const [audit, threatModel] = await Promise.all([
     executeAudit("runsec_audit_general", {
@@ -5404,20 +5452,20 @@ async function executeSecurityReview(opts) {
 }
 // src/engine/remediation.ts
-var import_node_fs16 = __toESM(require("fs"));
-var import_node_path23 = __toESM(require("path"));
+var import_node_fs17 = __toESM(require("fs"));
+var import_node_path24 = __toESM(require("path"));
 // src/skills/metricLookup.ts
-var import_node_fs15 = __toESM(require("fs"));
-var import_node_path22 = __toESM(require("path"));
+var import_node_fs16 = __toESM(require("fs"));
+var import_node_path23 = __toESM(require("path"));
 function findMetricRow(metricId) {
   const mid = metricId.trim().toUpperCase();
   if (!mid) return null;
   const manifests = loadSkillManifests();
   for (const [, manifest] of Object.entries(manifests)) {
-    const patternsPath = import_node_path22.default.join(skillDirectory(manifest), "patterns.md");
-    if (!import_node_fs15.default.existsSync(patternsPath)) continue;
-    const rows = parsePatternRows(import_node_fs15.default.readFileSync(patternsPath, "utf-8"));
+    const patternsPath = import_node_path23.default.join(skillDirectory(manifest), "patterns.md");
+    if (!import_node_fs16.default.existsSync(patternsPath)) continue;
+    const rows = parsePatternRows(import_node_fs16.default.readFileSync(patternsPath, "utf-8"));
     const row = rows.find((r) => r.metric_id.toUpperCase() === mid);
     if (row) return row;
   }
@@ -5430,12 +5478,12 @@ function normalizeRelPath2(p) {
   return p.replace(/\\/g, "/").replace(/^\.\/+/, "");
 }
 function resolveTargetFile(workspaceRoot, filePath) {
-  const root = import_node_path23.default.resolve(workspaceRoot);
+  const root = import_node_path24.default.resolve(workspaceRoot);
   const rel = normalizeRelPath2(filePath.trim());
   if (!rel) return { error: "file_path is required" };
-  const abs = import_node_path23.default.resolve(root, rel);
-  const relFromRoot = import_node_path23.default.relative(root, abs).replace(/\\/g, "/");
-  if (relFromRoot.startsWith("..") || import_node_path23.default.isAbsolute(relFromRoot)) {
+  const abs = import_node_path24.default.resolve(root, rel);
+  const relFromRoot = import_node_path24.default.relative(root, abs).replace(/\\/g, "/");
+  if (relFromRoot.startsWith("..") || import_node_path24.default.isAbsolute(relFromRoot)) {
     return { error: `file_path must be inside workspace: ${root}` };
   }
   for (const seg of BLOCKED_PATH_SEGMENTS) {
@@ -5443,8 +5491,8 @@ function resolveTargetFile(workspaceRoot, filePath) {
       return { error: `refusing to modify path under blocked segment: ${seg}` };
     }
   }
-  if (!import_node_fs16.default.existsSync(abs)) return { error: `path does not exist: ${relFromRoot}` };
-  if (!import_node_fs16.default.statSync(abs).isFile()) return { error: `path is not a file: ${relFromRoot}` };
+  if (!import_node_fs17.default.existsSync(abs)) return { error: `path does not exist: ${relFromRoot}` };
+  if (!import_node_fs17.default.statSync(abs).isFile()) return { error: `path is not a file: ${relFromRoot}` };
   return { abs, rel: relFromRoot };
 }
 function normalizeNewlines(text) {
@@ -5511,12 +5559,12 @@ function locateTargetInFile(content, target) {
 }
 function writeBackup(absPath) {
   const backupPath = `${absPath}.bak`;
-  import_node_fs16.default.copyFileSync(absPath, backupPath);
+  import_node_fs17.default.copyFileSync(absPath, backupPath);
   return backupPath;
 }
 function applyDvs001Fix(absPath) {
-  const rel = import_node_path23.default.basename(absPath);
-  const lines = import_node_fs16.default.readFileSync(absPath, "utf-8").split(/\r?\n/);
+  const rel = import_node_path24.default.basename(absPath);
+  const lines = import_node_fs17.default.readFileSync(absPath, "utf-8").split(/\r?\n/);
   const newLines = lines.filter((ln) => !/^\s*user\s+root\s*$/i.test(ln.trim()));
   const hasNonRootUser = newLines.some(
     (ln) => /^\s*user\s+\S+\s*$/i.test(ln.trim()) && !/^\s*user\s+root\s*$/i.test(ln.trim())
@@ -5542,7 +5590,7 @@ function applyDvs001Fix(absPath) {
     };
   }
   const backupPath = writeBackup(absPath);
-  import_node_fs16.default.writeFileSync(absPath, `${newLines.join("\n")}
+  import_node_fs17.default.writeFileSync(absPath, `${newLines.join("\n")}
 `, "utf-8");
   return {
     status: "fixed",
@@ -5619,7 +5667,7 @@ function applyRemediation(args) {
       fix_template: row.fix_template
     };
   }
-  const original = import_node_fs16.default.readFileSync(resolved.abs, "utf-8");
+  const original = import_node_fs17.default.readFileSync(resolved.abs, "utf-8");
   const { index, count } = locateTargetInFile(original, target);
   if (count === 0) {
     return {
@@ -5646,7 +5694,7 @@ function applyRemediation(args) {
   const backupPath = writeBackup(resolved.abs);
   const ending = original.includes("\r\n") ? "\r\n" : "\n";
   const outText = updated.split("\n").join(ending);
-  import_node_fs16.default.writeFileSync(resolved.abs, outText.endsWith(ending) || !original.endsWith(ending) ? outText : outText + ending, "utf-8");
+  import_node_fs17.default.writeFileSync(resolved.abs, outText.endsWith(ending) || !original.endsWith(ending) ? outText : outText + ending, "utf-8");
   return {
     status: "fixed",
     message: "Remediation applied after exact target verification; backup created",
@@ -5848,7 +5896,7 @@ function isRemediationTool(name) {
 }
 // src/hubUploadUrl.ts
-var import_node_fs17 = __toESM(require("fs"));
+var import_node_fs18 = __toESM(require("fs"));
 var HUB_UPLOAD_REPORT_PATH = "/api/mcp/upload-report";
 var DEFAULT_PRODUCTION_HUB_ORIGIN = "https://runsec.io";
 var DEFAULT_DOCKER_INTERNAL_HUB_ORIGIN = "http://frontend:3000";
@@ -5885,7 +5933,7 @@ function colocatedHubOrigin() {
 }
 function isDockerRuntime() {
   try {
-    return import_node_fs17.default.existsSync("/.dockerenv");
+    return import_node_fs18.default.existsSync("/.dockerenv");
   } catch {
     return false;
   }
@@ -6134,7 +6182,15 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
     req.end();
   });
 }
+function preferNodeHttpUpload() {
+  if (process.platform === "win32") return true;
+  if (process.env.RUNSEC_HUB_USE_NODE_HTTP === "1") return true;
+  return false;
+}
 async function postHubUpload(url, apiKey, payload) {
+  if (preferNodeHttpUpload()) {
+    return postHubUploadNodeHttp(url, apiKey, payload);
+  }
   try {
     return await fetch(url, {
       method: "POST",
@@ -6601,7 +6657,9 @@ CRITICAL INSTRUCTIONS FOR LLM:
 async function main() {
   const key = getApiKey();
   process.env.RUNSEC_API_KEY = key;
-  console.error(`[runsec] MCP @runsec/mcp starting \u2014 Hub upload target: ${resolveHubUploadUrl()}`);
+  console.error(
+    `[runsec] MCP @runsec/mcp v${RUNSEC_MCP_VERSION} starting \u2014 Hub upload target: ${resolveHubUploadUrl()}`
+  );
   await verifyApiKey(key);
   const summary = validateRules();
   console.error("Rules registry validated:", summary);

package/package.json CHANGED Viewed

@@ -1,8 +1,9 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.80",
+  "version": "1.0.83",
   "main": "dist/index.js",
   "files": [
+    "package.json",
     "dist",
     "bin/runsec-mcp.cjs",
     "bin/ensure-binaries.cjs",