@runsec/mcp 1.0.84 → 1.0.85

package/dist/index.js

@@ -3285,7 +3285,8 @@ function buildAuditReportMetrics(result) {
     raw_engines: result.raw_engines,
     cwe_counts: cweCounts,
     verdict: result.verdict,
-    cognitive: result.cognitive
+    cognitive: result.cognitive,
+    findings_suppressed: result.findings_suppressed
   };
 }
 async function executeAudit(toolName, args) {
@@ -3534,6 +3535,67 @@ function countFindingsByTechStack(findings) {
   }
   return Array.from(counts.entries()).map(([tag, count]) => ({ tag, count })).sort((a, b) => b.count - a.count || a.tag.localeCompare(b.tag));
 }
+function suppressionReasonLabel(finding) {
+  const reason = String(finding.suppression_reason ?? "").trim();
+  if (reason) return reason;
+  const conf = finding.confidence_score;
+  if (typeof conf === "number" && conf <= 0.01) return "nuclear_hard_drop";
+  if (typeof conf === "number" && conf < 0.8) return "cognitive_below_threshold";
+  return "cognitive_suppressed";
+}
+function renderSuppressedFindingsSection(suppressed) {
+  const out = [];
+  if (suppressed.length === 0) return out;
+  const byReason = /* @__PURE__ */ new Map();
+  for (const row of suppressed) {
+    const key = suppressionReasonLabel(row);
+    const bucket = byReason.get(key);
+    if (bucket) bucket.push(row);
+    else byReason.set(key, [row]);
+  }
+  out.push("---");
+  out.push(`## Appendix: Cognitively suppressed findings (${suppressed.length})`);
+  out.push("");
+  out.push(
+    "These TruffleHog/Semgrep hits were processed by the cognitive engine and scored below the primary report threshold (0.8). They do **not** change `X-RunSec-Verdict`."
+  );
+  out.push("");
+  out.push("| Suppression reason | Count |");
+  out.push("|---|---:|");
+  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1].length - a[1].length);
+  for (const [reason, rows] of sortedReasons) {
+    out.push(`| \`${safeText(reason)}\` | ${rows.length} |`);
+  }
+  const maxFilesPerReason = 40;
+  for (const [reason, rows] of sortedReasons) {
+    out.push("");
+    out.push(`### ${safeText(reason)} (${rows.length})`);
+    out.push("");
+    out.push("**Affected files:**");
+    const locations = [
+      ...new Set(
+        rows.map((row) => `${String(row.file_path || "unknown")}:${Number(row.line ?? 0)}`)
+      )
+    ].sort();
+    for (const loc of locations.slice(0, maxFilesPerReason)) {
+      out.push(`- \`${safeText(loc)}\``);
+    }
+    if (locations.length > maxFilesPerReason) {
+      out.push(`- _+${locations.length - maxFilesPerReason} additional locations omitted._`);
+    }
+    const sample = rows.find((r) => String(r.snippet ?? r.match_text ?? "").trim());
+    const sampleText = String(sample?.snippet ?? sample?.match_text ?? "").trim();
+    if (sampleText) {
+      out.push("");
+      out.push("**Example snippet:**");
+      out.push("");
+      out.push("```text");
+      out.push(safeText(sampleText.slice(0, 400)));
+      out.push("```");
+    }
+  }
+  return out;
+}
 function renderTechStackSummary(findings) {
   const rows = countFindingsByTechStack(findings);
   const out = [];
@@ -3742,11 +3804,18 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
   out.push(
     `- **Code Vulnerabilities:** ${byCategory.code.length} | **Exposed Secrets:** ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} | **Vulnerable Dependencies:** ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
   );
+  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
+  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   out.push(
-    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count || 0)}`
+    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count ?? suppressedRows.length)}`
   );
+  if (Number(rawSecrets) > 0 && findings.length === 0 && suppressedRows.length > 0) {
+    out.push(
+      `- **Raw TruffleHog hits:** ${rawSecrets} \u2014 see **Appendix: Cognitively suppressed findings** below.`
+    );
+  }
   out.push("");
-  out.push(...renderTechStackSummary(findings));
+  out.push(...renderTechStackSummary([...findings, ...suppressedRows]));
   out.push("");
   let sectionNum = 1;
   for (const category of CATEGORY_ORDER) {
@@ -3759,6 +3828,7 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
     out.push(...renderFindingRows(rows));
     sectionNum += 1;
   }
+  out.push(...renderSuppressedFindingsSection(suppressedRows));
   out.push("---");
   out.push("<details><summary>Telemetry (machine)</summary>\n");
   out.push("```json");
@@ -6058,6 +6128,17 @@ function buildHubComplianceBlock(result) {
 
 // src/telemetryClient.ts
 var HUB_UPLOAD_TIMEOUT_MS = 12e4;
+var HUB_UPLOAD_MAX_RETRIES = 4;
+var HUB_HTTPS_AGENT = new import_node_https.default.Agent({ keepAlive: true, maxSockets: 4, timeout: HUB_UPLOAD_TIMEOUT_MS });
+function sleepMs(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isRetryableHubNetworkError(error) {
+  const code = networkErrorCode(error);
+  const message = error instanceof Error ? error.message : String(error);
+  const blob = `${code} ${message}`;
+  return /ECONNRESET|ECONNREFUSED|ETIMEDOUT|EPIPE|ENOTFOUND|ECONNABORTED|socket hang up|network/i.test(blob);
+}
 function hubAuthHeaders(apiKey) {
   return {
     Authorization: `Bearer ${apiKey}`,
@@ -6112,11 +6193,47 @@ function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
   if (responseBody?.trim()) {
     message += `. Body: ${responseBody.trim().slice(0, 300)}`;
   }
-  if (status === "n/a" && /fetch failed|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
-    message += ". Hint: set RUNSEC_HUB_URL to your production Hub origin (same value as NEXT_PUBLIC_APP_URL on the Hub server).";
+  if (status === "n/a" && /fetch failed|ECONNRESET|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
+    message += ". Hint: check network/VPN/firewall, retry the scan, or set RUNSEC_HUB_URL to your Hub origin (NEXT_PUBLIC_APP_URL).";
   }
   return message;
 }
+function slimFindingForHubUpload(finding) {
+  return {
+    category: finding.category,
+    rule_id: finding.rule_id,
+    severity: finding.severity,
+    file_path: finding.file_path,
+    line: finding.line,
+    detector_name: finding.detector_name,
+    description: finding.description?.slice(0, 240),
+    match_text: finding.match_text?.slice(0, 120),
+    confidence_score: finding.confidence_score,
+    suppressed: finding.suppressed,
+    suppression_reason: finding.suppression_reason
+  };
+}
+function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  return {
+    source: "runsec_mcp",
+    standard: result.standard,
+    workspace_path: workspacePath,
+    verdict,
+    metrics,
+    compliance,
+    complianceASVS,
+    report_metrics: reportMetrics,
+    findings: result.findings.map(slimFindingForHubUpload),
+    findings_suppressed: result.findings_suppressed.map(slimFindingForHubUpload),
+    duration_ms: result.duration_ms,
+    findings_count: result.findings_count,
+    cognitive_suppressed_count: result.cognitive_suppressed_count,
+    engines: result.engines,
+    engine_summary: result.engine_summary,
+    cognitive: result.cognitive,
+    verdict_detail: result.verdict
+  };
+}
 function logHubSyncFailure(message, error, targetUrl) {
   if (error != null && targetUrl) {
     dumpHubNetworkError(error, targetUrl);
@@ -6146,7 +6263,8 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
         path: `${parsed.pathname}${parsed.search}`,
         method: "POST",
         headers,
-        timeout: HUB_UPLOAD_TIMEOUT_MS
+        timeout: HUB_UPLOAD_TIMEOUT_MS,
+        agent: lib === import_node_https.default ? HUB_HTTPS_AGENT : void 0
       },
       (res) => {
         const chunks = [];
@@ -6174,11 +6292,12 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
   });
 }
 function preferNodeHttpUpload() {
-  if (process.platform === "win32") return true;
+  if (process.env.VITEST === "true" || process.env.RUNSEC_HUB_USE_FETCH === "1") return false;
   if (process.env.RUNSEC_HUB_USE_NODE_HTTP === "1") return true;
+  if (process.platform === "win32") return true;
   return false;
 }
-async function postHubUpload(url, apiKey, payload) {
+async function postHubUploadOnce(url, apiKey, payload) {
   if (preferNodeHttpUpload()) {
     return postHubUploadNodeHttp(url, apiKey, payload);
   }
@@ -6195,6 +6314,25 @@ async function postHubUpload(url, apiKey, payload) {
     return postHubUploadNodeHttp(url, apiKey, payload);
   }
 }
+async function postHubUpload(url, apiKey, payload) {
+  let lastError = new Error("Hub upload failed");
+  for (let attempt = 0; attempt < HUB_UPLOAD_MAX_RETRIES; attempt++) {
+    try {
+      return await postHubUploadOnce(url, apiKey, payload);
+    } catch (error) {
+      lastError = error;
+      if (attempt >= HUB_UPLOAD_MAX_RETRIES - 1 || !isRetryableHubNetworkError(error)) {
+        throw error;
+      }
+      const delayMs = 1e3 * 2 ** attempt;
+      console.error(
+        `[runsec] Hub upload retry ${attempt + 2}/${HUB_UPLOAD_MAX_RETRIES} in ${delayMs}ms (${networkErrorCode(error) || "network"})`
+      );
+      await sleepMs(delayMs);
+    }
+  }
+  throw lastError;
+}
 function countSeverityMetrics(findings) {
   const metrics = { critical: 0, high: 0, medium: 0, low: 0, total: 0 };
   for (const f of findings) {
@@ -6218,24 +6356,15 @@ function buildHubUploadPayload(result, reportMetrics, workspacePath, projectId)
   const metrics = countSeverityMetrics(result.findings);
   const verdict = resolveScanVerdict(result);
   const { compliance, complianceASVS } = buildHubComplianceBlock(result);
-  const runsecJson = {
-    source: "runsec_mcp",
-    standard: result.standard,
-    workspace_path: workspacePath,
+  const runsecJson = slimRunsecJsonForHubUpload(
+    result,
+    reportMetrics,
+    workspacePath,
     verdict,
     metrics,
     compliance,
-    complianceASVS,
-    audit: result,
-    report_metrics: reportMetrics,
-    findings: result.findings,
-    findings_suppressed: result.findings_suppressed,
-    duration_ms: result.duration_ms,
-    findings_count: result.findings_count,
-    engines: result.engines,
-    engine_summary: result.engine_summary,
-    cognitive: result.cognitive
-  };
+    complianceASVS
+  );
   const resolvedProjectId = projectId?.trim() || process.env.RUNSEC_PROJECT_ID?.trim() || void 0;
   return {
     projectId: resolvedProjectId,
@@ -6251,7 +6380,8 @@ async function uploadScanResultsToHub(payload, apiKey) {
     return { success: false, message: "Sync failed: API key missing" };
   }
   const url = resolveHubUploadUrl();
-  console.error(`[runsec] Hub telemetry upload \u2192 ${url}`);
+  const payloadBytes = Buffer.byteLength(JSON.stringify(payload), "utf8");
+  console.error(`[runsec] Hub telemetry upload \u2192 ${url} (${payloadBytes} bytes)`);
   const attemptUpload = async (targetUrl) => {
     const errors = [];
     const urls = [targetUrl];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.84",
+  "version": "1.0.85",
   "main": "dist/index.js",
   "files": [
     "package.json",