@runsec/mcp 1.0.85 → 1.0.88

package/dist/index.js

@@ -6066,6 +6066,19 @@ function localhostAlternateUploadUrl(url) {
     return null;
   }
 }
+function hubUploadUrlCandidates(primaryUrl) {
+  const urls = [];
+  const add = (candidate) => {
+    const trimmed = candidate?.trim();
+    if (trimmed && !urls.includes(trimmed)) urls.push(trimmed);
+  };
+  add(primaryUrl);
+  const direct = process.env.RUNSEC_HUB_DIRECT_ORIGIN?.trim();
+  if (direct) add(appendUploadPath(direct));
+  add(localhostAlternateUploadUrl(primaryUrl));
+  add(dockerInternalAlternateUploadUrl(primaryUrl));
+  return urls;
+}
 function dockerInternalAlternateUploadUrl(url) {
   if (!isDockerRuntime()) return null;
   try {
@@ -6129,7 +6142,8 @@ function buildHubComplianceBlock(result) {
 // src/telemetryClient.ts
 var HUB_UPLOAD_TIMEOUT_MS = 12e4;
 var HUB_UPLOAD_MAX_RETRIES = 4;
-var HUB_HTTPS_AGENT = new import_node_https.default.Agent({ keepAlive: true, maxSockets: 4, timeout: HUB_UPLOAD_TIMEOUT_MS });
+var HUB_WRITE_CHUNK_BYTES = 16 * 1024;
+var HUB_HTTPS_AGENT = new import_node_https.default.Agent({ keepAlive: false, maxSockets: 2, timeout: HUB_UPLOAD_TIMEOUT_MS });
 function sleepMs(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
@@ -6194,7 +6208,7 @@ function formatHubSyncErrorMessage(error, targetUrl, response, responseBody) {
     message += `. Body: ${responseBody.trim().slice(0, 300)}`;
   }
   if (status === "n/a" && /fetch failed|ECONNRESET|ECONNREFUSED|ENOTFOUND|ETIMEDOUT|CERT|SSL|TLS/i.test(err.message + code)) {
-    message += ". Hint: check network/VPN/firewall, retry the scan, or set RUNSEC_HUB_URL to your Hub origin (NEXT_PUBLIC_APP_URL).";
+    message += ". Hint: if Hub uses Cloudflare Tunnel, set HTTP Host Header to runsec.io (not localhost:3000) in the tunnel public hostname settings, or set RUNSEC_HUB_DIRECT_ORIGIN=http://YOUR_SERVER_IP:3000 in MCP env to bypass the tunnel.";
   }
   return message;
 }
@@ -6206,34 +6220,139 @@ function slimFindingForHubUpload(finding) {
     file_path: finding.file_path,
     line: finding.line,
     detector_name: finding.detector_name,
-    description: finding.description?.slice(0, 240),
-    match_text: finding.match_text?.slice(0, 120),
+    description: finding.description?.slice(0, 160),
     confidence_score: finding.confidence_score,
     suppressed: finding.suppressed,
     suppression_reason: finding.suppression_reason
   };
 }
+function buildSuppressedSummaryForHub(findings, includeLocations) {
+  const byReason = {};
+  for (const f of findings) {
+    const reason = String(f.suppression_reason ?? "cognitive_suppressed");
+    byReason[reason] = (byReason[reason] ?? 0) + 1;
+  }
+  const summary = { total: findings.length, by_reason: byReason };
+  if (!includeLocations) return summary;
+  const locations = [];
+  for (const f of findings) {
+    const reason = String(f.suppression_reason ?? "cognitive_suppressed");
+    locations.push({
+      file_path: f.file_path,
+      line: f.line ?? 0,
+      rule_id: f.rule_id,
+      detector_name: f.detector_name,
+      suppression_reason: reason,
+      severity: f.severity
+    });
+  }
+  summary.locations = locations;
+  return summary;
+}
+function slimEngineSummaryForHub(engineSummary) {
+  if (!engineSummary) return void 0;
+  const pick = (row) => row ? {
+    engine: row.engine,
+    status: row.status,
+    finding_count: row.finding_count,
+    duration_ms: row.duration_ms
+  } : void 0;
+  return {
+    concurrent_duration_ms: engineSummary.concurrent_duration_ms,
+    semgrep: pick(engineSummary.semgrep),
+    trufflehog: pick(engineSummary.trufflehog),
+    syft: pick(engineSummary.syft)
+  };
+}
+function slimReportMetricsForHub(reportMetrics) {
+  const { findings_suppressed: _fs, raw_engines: _raw, engine_summary, ...rest } = reportMetrics;
+  return {
+    ...rest,
+    engine_summary: slimEngineSummaryForHub(engine_summary)
+  };
+}
+function minimalRunsecJsonForHubUpload(result, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  return {
+    source: "runsec_mcp",
+    transport: "minimal",
+    standard: result.standard,
+    workspace_path: workspacePath,
+    verdict,
+    metrics,
+    compliance,
+    complianceASVS,
+    duration_ms: result.duration_ms,
+    findings_count: result.findings_count,
+    cognitive_suppressed_count: result.cognitive_suppressed_count,
+    findings_suppressed_summary: buildSuppressedSummaryForHub(result.findings_suppressed, false),
+    cognitive: result.cognitive,
+    engine_summary: slimEngineSummaryForHub(result.engine_summary),
+    verdict_detail: {
+      status: result.verdict?.status,
+      blocking_findings_count: result.verdict?.blocking_findings_count,
+      primary_findings_count: result.verdict?.primary_findings_count
+    }
+  };
+}
 function slimRunsecJsonForHubUpload(result, reportMetrics, workspacePath, verdict, metrics, compliance, complianceASVS) {
+  if (process.env.RUNSEC_HUB_FULL_UPLOAD !== "1") {
+    return minimalRunsecJsonForHubUpload(
+      result,
+      workspacePath,
+      verdict,
+      metrics,
+      compliance,
+      complianceASVS
+    );
+  }
   return {
     source: "runsec_mcp",
+    transport: "full",
     standard: result.standard,
     workspace_path: workspacePath,
     verdict,
     metrics,
     compliance,
     complianceASVS,
-    report_metrics: reportMetrics,
+    report_metrics: slimReportMetricsForHub(reportMetrics),
     findings: result.findings.map(slimFindingForHubUpload),
-    findings_suppressed: result.findings_suppressed.map(slimFindingForHubUpload),
+    findings_suppressed_summary: buildSuppressedSummaryForHub(result.findings_suppressed, true),
+    findings_suppressed_count: result.findings_suppressed.length,
     duration_ms: result.duration_ms,
     findings_count: result.findings_count,
     cognitive_suppressed_count: result.cognitive_suppressed_count,
     engines: result.engines,
-    engine_summary: result.engine_summary,
+    engine_summary: slimEngineSummaryForHub(result.engine_summary),
     cognitive: result.cognitive,
     verdict_detail: result.verdict
   };
 }
+function toMinimalHubPayload(payload) {
+  const runsecJson = payload.runsecJson ?? {};
+  const minimalJson = {
+    source: "runsec_mcp",
+    transport: "minimal",
+    workspace_path: runsecJson.workspace_path,
+    standard: runsecJson.standard,
+    verdict: payload.verdict,
+    metrics: payload.metrics,
+    compliance: runsecJson.compliance,
+    complianceASVS: runsecJson.complianceASVS,
+    cognitive: runsecJson.cognitive,
+    findings_suppressed_summary: runsecJson.findings_suppressed_summary,
+    findings_suppressed_count: runsecJson.findings_suppressed_count,
+    duration_ms: runsecJson.duration_ms,
+    findings_count: runsecJson.findings_count,
+    engine_summary: runsecJson.engine_summary,
+    verdict_detail: runsecJson.verdict_detail
+  };
+  return {
+    projectId: payload.projectId,
+    verdict: payload.verdict,
+    metrics: payload.metrics,
+    runsecJson: minimalJson
+  };
+}
 function logHubSyncFailure(message, error, targetUrl) {
   if (error != null && targetUrl) {
     dumpHubNetworkError(error, targetUrl);
@@ -6250,9 +6369,11 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
       reject(err);
       return;
     }
+    const bodyBuffer = Buffer.from(body, "utf8");
     const headers = {
       ...hubAuthHeaders(apiKey),
-      "Content-Length": String(Buffer.byteLength(body))
+      "Content-Length": String(bodyBuffer.length),
+      Connection: "close"
     };
     const lib = parsed.protocol === "https:" ? import_node_https.default : import_node_http.default;
     const port = parsed.port !== "" ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
@@ -6287,27 +6408,33 @@ function postHubUploadNodeHttp(url, apiKey, payload) {
       req.destroy();
       reject(Object.assign(new Error("Hub upload request timeout"), { code: "ETIMEDOUT" }));
     });
-    req.write(body);
+    for (let offset = 0; offset < bodyBuffer.length; offset += HUB_WRITE_CHUNK_BYTES) {
+      req.write(bodyBuffer.subarray(offset, offset + HUB_WRITE_CHUNK_BYTES));
+    }
     req.end();
   });
 }
-function preferNodeHttpUpload() {
-  if (process.env.VITEST === "true" || process.env.RUNSEC_HUB_USE_FETCH === "1") return false;
-  if (process.env.RUNSEC_HUB_USE_NODE_HTTP === "1") return true;
-  if (process.platform === "win32") return true;
-  return false;
+async function postHubUploadFetch(url, apiKey, payload) {
+  return await fetch(url, {
+    method: "POST",
+    headers: hubAuthHeaders(apiKey),
+    body: JSON.stringify(payload),
+    signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
+  });
 }
 async function postHubUploadOnce(url, apiKey, payload) {
-  if (preferNodeHttpUpload()) {
-    return postHubUploadNodeHttp(url, apiKey, payload);
+  const useNodeFirst = process.env.RUNSEC_HUB_USE_NODE_HTTP === "1";
+  if (useNodeFirst) {
+    try {
+      return await postHubUploadNodeHttp(url, apiKey, payload);
+    } catch (nodeError) {
+      console.error("[runsec] node:http(s) upload failed \u2014 retrying with fetch()");
+      dumpHubNetworkError(nodeError, url);
+      return postHubUploadFetch(url, apiKey, payload);
+    }
   }
   try {
-    return await fetch(url, {
-      method: "POST",
-      headers: hubAuthHeaders(apiKey),
-      body: JSON.stringify(payload),
-      signal: AbortSignal.timeout(HUB_UPLOAD_TIMEOUT_MS)
-    });
+    return await postHubUploadFetch(url, apiKey, payload);
   } catch (fetchError) {
     console.error("[runsec] fetch() failed \u2014 retrying Hub upload via node:http(s)");
     dumpHubNetworkError(fetchError, url);
@@ -6379,39 +6506,44 @@ async function uploadScanResultsToHub(payload, apiKey) {
     console.warn("[runsec] Hub telemetry skipped: API key missing");
     return { success: false, message: "Sync failed: API key missing" };
   }
-  const url = resolveHubUploadUrl();
-  const payloadBytes = Buffer.byteLength(JSON.stringify(payload), "utf8");
-  console.error(`[runsec] Hub telemetry upload \u2192 ${url} (${payloadBytes} bytes)`);
-  const attemptUpload = async (targetUrl) => {
-    const errors = [];
-    const urls = [targetUrl];
-    const localhostAlt = localhostAlternateUploadUrl(targetUrl);
-    if (localhostAlt && localhostAlt !== targetUrl) urls.push(localhostAlt);
-    const dockerAlt = dockerInternalAlternateUploadUrl(targetUrl);
-    if (dockerAlt && !urls.includes(dockerAlt)) urls.push(dockerAlt);
-    let lastError = new Error("No upload attempts made");
-    for (let i = 0; i < urls.length; i++) {
-      const tryUrl = urls[i];
-      if (i > 0) {
-        console.error(`[runsec] Hub telemetry retry \u2192 ${tryUrl}`);
-      }
-      try {
-        return await postHubUpload(tryUrl, trimmedKey, payload);
-      } catch (err) {
-        lastError = err;
-        errors.push(err);
-        dumpHubNetworkError(err, tryUrl);
-      }
-    }
-    throw lastError;
-  };
+  const primaryUrl = resolveHubUploadUrl();
+  const uploadUrls = hubUploadUrlCandidates(primaryUrl);
+  const payloadVariants = [
+    { label: "minimal", body: payload },
+    { label: "minimal-fallback", body: toMinimalHubPayload(payload) }
+  ];
+  const seenPayloads = /* @__PURE__ */ new Set();
+  const uniqueVariants = payloadVariants.filter((variant) => {
+    const key = JSON.stringify(variant.body);
+    if (seenPayloads.has(key)) return false;
+    seenPayloads.add(key);
+    return true;
+  });
+  console.error(
+    `[runsec] Hub telemetry upload targets: ${uploadUrls.join(" \u2192 ")} (${uniqueVariants[0] ? Buffer.byteLength(JSON.stringify(uniqueVariants[0].body), "utf8") : 0} bytes, mode=${String(uniqueVariants[0]?.body.runsecJson.transport ?? "minimal")})`
+  );
+  let lastNetworkError = new Error("No upload attempts made");
+  let lastTryUrl = primaryUrl;
   try {
     let response;
-    try {
-      response = await attemptUpload(url);
-    } catch (networkError) {
-      const message = formatHubSyncErrorMessage(networkError, url);
-      logHubSyncFailure(message, networkError, url);
+    outer: for (const variant of uniqueVariants) {
+      for (const tryUrl of uploadUrls) {
+        lastTryUrl = tryUrl;
+        const bytes = Buffer.byteLength(JSON.stringify(variant.body), "utf8");
+        console.error(`[runsec] Hub upload attempt (${variant.label}, ${bytes} bytes) \u2192 ${tryUrl}`);
+        try {
+          response = await postHubUpload(tryUrl, trimmedKey, variant.body);
+          break outer;
+        } catch (err) {
+          lastNetworkError = err;
+          dumpHubNetworkError(err, tryUrl);
+          if (!isRetryableHubNetworkError(err)) break;
+        }
+      }
+    }
+    if (!response) {
+      const message = formatHubSyncErrorMessage(lastNetworkError, lastTryUrl);
+      logHubSyncFailure(message, lastNetworkError, lastTryUrl);
       return { success: false, message };
     }
     if (!response.ok) {
@@ -6421,11 +6553,11 @@ async function uploadScanResultsToHub(payload, apiKey) {
       const httpMessage = detailSnippet || statusLabel;
       const message = formatHubSyncErrorMessage(
         new Error(httpMessage),
-        url,
+        lastTryUrl,
         response,
         detailSnippet
       );
-      logHubSyncFailure(message, new Error(httpMessage), url);
+      logHubSyncFailure(message, new Error(httpMessage), lastTryUrl);
       return {
         success: false,
         message
@@ -6444,8 +6576,8 @@ async function uploadScanResultsToHub(payload, apiKey) {
       projectId
     };
   } catch (error) {
-    const message = formatHubSyncErrorMessage(error, url);
-    logHubSyncFailure(message, error, url);
+    const message = formatHubSyncErrorMessage(error, lastTryUrl);
+    logHubSyncFailure(message, error, lastTryUrl);
     return { success: false, message };
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.85",
+  "version": "1.0.88",
   "main": "dist/index.js",
   "files": [
     "package.json",