npm - @runsec/mcp - Versions diffs - 1.0.88 → 1.0.89 - Mend

@runsec/mcp 1.0.88 → 1.0.89

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +377 -181
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -623,6 +623,49 @@ function isTestOnlyPath(relPath) {
   if (base.includes("conftest.py") || base === "pytest.ini" || base.includes("jest.config")) return true;
   return false;
 }
+function isDevOrLocalConfigPath(relPath) {
+  const r = relPath.toLowerCase().replace(/\\/g, "/");
+  const base = import_node_path3.default.posix.basename(r);
+  if (isTestOnlyPath(relPath)) return true;
+  if (/-dev\b|\.dev\.|\/dev\/|docker-compose-dev|compose\.dev|local\.|\.local\.|\.env\.example|\.env\.sample|\.env\.template/.test(r)) {
+    return true;
+  }
+  if (base.startsWith("test_") || base.includes(".test.") || base.includes(".spec.")) return true;
+  return false;
+}
+function isProductionCoreConfigPath(relPath) {
+  const r = relPath.toLowerCase().replace(/\\/g, "/");
+  const base = import_node_path3.default.posix.basename(r);
+  if (isDevOrLocalConfigPath(relPath)) return false;
+  if (base === "settings.py" || base === "production.py" || base === "prod.py") return true;
+  if (/\/settings\/production\.py$/.test(r) || /\/config\/production\./.test(r)) return true;
+  if (base.includes("production") && !base.includes("non-production")) return true;
+  return false;
+}
+var ALLOWED_HOSTS_WILDCARD_RE = /allowed_hosts\s*=\s*\[\s*['"]\*['"]\s*\]|allowed_hosts\s*=\s*\{\s*['"]\*['"]\s*\}/i;
+function isHighImpactProductionMisconfig(finding, relPath) {
+  if (finding.category !== "code") return false;
+  if (!isProductionCoreConfigPath(relPath)) return false;
+  const blob = `${finding.snippet ?? ""} ${finding.match_text ?? ""} ${finding.description ?? ""}`;
+  return ALLOWED_HOSTS_WILDCARD_RE.test(blob);
+}
+function computeDynamicCodeConfidence(finding, relPath, sev) {
+  const reasons = [];
+  let score;
+  if (sev === "CRITICAL" || sev === "ERROR") score = 0.9;
+  else if (sev === "WARNING" || sev === "HIGH") score = 0.78;
+  else if (sev === "MEDIUM") score = 0.62;
+  else score = 0.48;
+  if (isHighImpactProductionMisconfig(finding, relPath)) {
+    score = Math.max(score, 0.94);
+    reasons.push("production_core_misconfig_elevated");
+  }
+  if (isDevOrLocalConfigPath(relPath)) {
+    score = Math.min(score, 0.1);
+    reasons.push("dev_or_local_config_clamped");
+  }
+  return { score, reasons };
+}
 function combinedTitleAndMessage(finding) {
   return `${finding.description} ${finding.match_text}`.trim();
 }
@@ -965,9 +1008,9 @@ function baseConfidenceForFinding(finding, phase1, relPath, category, repoRoot)
   const title = finding.title ?? finding.description;
   const sev = (finding.severity || "").toUpperCase();
   if (category === "code") {
-    if (sev === "CRITICAL" || sev === "ERROR") score = 0.92;
-    else if (sev === "WARNING" || sev === "HIGH") score = 0.84;
-    else score = 0.55;
+    const dynamic = computeDynamicCodeConfidence(finding, relPath, sev);
+    score = dynamic.score;
+    reasons.push(...dynamic.reasons);
   } else if (category === "secrets") {
     if (sev === "CRITICAL") score = 0.95;
     else if (findingIsVerified(finding) || finding.match_text.includes("(verified)")) score = 0.93;
@@ -1287,9 +1330,13 @@ var CWE_NAMES = {
   "CWE-639": "Authorization Bypass Through User-Controlled Key",
   "CWE-770": "Allocation of Resources Without Limits or Throttling",
   "CWE-798": "Use of Hard-coded Credentials",
+  "CWE-312": "Cleartext Storage of Sensitive Information",
+  "CWE-494": "Download of Code Without Integrity Check",
+  "CWE-1188": "Insecure Default Initialization of Resource",
   "CWE-915": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
   "CWE-918": "Server-Side Request Forgery",
-  "CWE-1336": "Improper Neutralization of Special Elements in Template Engine"
+  "CWE-1336": "Improper Neutralization of Special Elements in Template Engine",
+  "CWE-1104": "Use of Unmaintained Third Party Components"
 };
 var CVSS_MAP = {
   "CWE-89": [9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"],
@@ -1324,12 +1371,13 @@ function extractCweDeepFallback(result) {
   const match = blob.match(CWE_RE);
   return match ? match[0].toUpperCase() : null;
 }
-var UNKNOWN_CWE_TYPE_LABEL = "Unknown Vulnerability Type";
 function formatCweDisplay(cweId) {
   const normalized = cweId.match(CWE_RE)?.[0]?.toUpperCase();
-  if (!normalized || normalized === "UNKNOWN") return "Unknown CWE";
+  if (!normalized || normalized === "UNKNOWN") {
+    return "CWE-494: Download of Code Without Integrity Check";
+  }
   const name = CWE_NAMES[normalized];
-  return name ? `${normalized}: ${name}` : `${normalized}: ${UNKNOWN_CWE_TYPE_LABEL}`;
+  return name ? `${normalized}: ${name}` : `${normalized}: Security Weakness (Unmapped CWE)`;
 }
 function calculateCvss(cweId, semgrepSeverity = "WARNING") {
   const normalized = cweId.match(CWE_RE)?.[0]?.toUpperCase();
@@ -1662,6 +1710,59 @@ function formatAsvsLevelDisplay(level) {
   return `Level ${normalized.replace(/^L/i, "")}`;
 }
+// src/rules/cweMapper.ts
+var CWE_RE2 = /CWE-\d+/i;
+var SECRET_RULE_RE = /trufflehog|(?:^|\.)secrets\.|cloud-secrets|sec-\d{3}|hard[-_]?coded|credential|api[-_]?key|token|password|vault|customregex/i;
+var INPUT_RULE_RE = /domain[-_]?input|validation|allowed_hosts|host[-_]?header|ssrf|xss|sqli|sql[-_]?injection|csrf|injection|sanitize|origin|dja-|div-|fas-016|nst-014|ruby-017|aac-001/i;
+var INFRA_RULE_RE = /infra|k8s|helm|docker|compose|terraform|tf-|deployment|hardening|cis-|kube|container|image:|pinned|sbom|syft/i;
+function normalizeCweToken(value) {
+  if (typeof value !== "string") return null;
+  const match = value.trim().match(CWE_RE2);
+  return match ? match[0].toUpperCase() : null;
+}
+function classifyRuleForCweFallback(ruleId, category, description) {
+  if (category === "secrets") return "secret";
+  if (category === "dependencies") return "infra";
+  const blob = `${ruleId} ${description ?? ""}`.toLowerCase();
+  if (SECRET_RULE_RE.test(blob)) return "secret";
+  if (INPUT_RULE_RE.test(blob)) return "input";
+  if (INFRA_RULE_RE.test(blob)) return "infra";
+  return "generic";
+}
+function fallbackCweForKind(kind) {
+  switch (kind) {
+    case "secret":
+      return "CWE-798";
+    case "input":
+      return "CWE-20";
+    case "infra":
+      return "CWE-1188";
+    default:
+      return "CWE-494";
+  }
+}
+function resolveCweId(input) {
+  const fromField = normalizeCweToken(input.cwe);
+  if (fromField) return fromField;
+  const fromName = normalizeCweToken(input.cwe_name);
+  if (fromName) return fromName;
+  const kind = classifyRuleForCweFallback(
+    String(input.rule_id ?? ""),
+    input.category,
+    input.description
+  );
+  return fallbackCweForKind(kind);
+}
+function resolveCweDisplay(input) {
+  const existing = String(input.cwe_name ?? "").trim();
+  const existingId = normalizeCweToken(existing);
+  if (existingId && !/unknown/i.test(existing)) {
+    return formatCweDisplay(existingId);
+  }
+  const cweId = resolveCweId(input);
+  return formatCweDisplay(cweId);
+}
 // src/engine/semgrepMapping.ts
 function normalizeRelativePath(value) {
   return value.replace(/\\/g, "/");
@@ -1756,7 +1857,13 @@ function mapSemgrepResultToFinding(result, workspaceRoot) {
     metadata: result.extra?.metadata,
     message
   });
-  const cwe = semgrepCwe !== "UNKNOWN" ? semgrepCwe : registryRule?.cwe && registryRule.cwe !== "UNKNOWN" ? registryRule.cwe : fallbackMeta.cwe;
+  const rawCwe = semgrepCwe !== "UNKNOWN" ? semgrepCwe : registryRule?.cwe && registryRule.cwe !== "UNKNOWN" ? registryRule.cwe : fallbackMeta.cwe;
+  const cwe = resolveCweId({
+    cwe: rawCwe,
+    rule_id: registryRule?.id ?? checkId,
+    category: "code",
+    description: message
+  });
   const metadata = result.extra?.metadata;
   const remediation = extractRemediationFromMetadata(metadata);
   const remediation_lang = extractRemediationLangFromMetadata(metadata);
@@ -1775,7 +1882,7 @@ function mapSemgrepResultToFinding(result, workspaceRoot) {
     category: "code",
     rule_id: registryRule?.id ?? checkId,
     cwe,
-    cwe_name: formatCweDisplay(cwe),
+    cwe_name: resolveCweDisplay({ cwe, rule_id: registryRule?.id ?? checkId, category: "code", description: message }),
     severity: contextSeverity.severity,
     original_severity,
     description: message || registryRule?.description || checkId,
@@ -1871,10 +1978,13 @@ function mapTrufflehogFindings(rows, workspaceRoot) {
     const display = redacted || rawSecret || "[secret redacted]";
     const description = `TruffleHog: exposed ${detector}${verified ? " (verified)" : ""}`;
     const severity = severityForSecret(detector, verified);
+    const rule_id = `runsec.secrets.trufflehog.${detector.toLowerCase().replace(/\s+/g, "-")}`;
+    const cwe = resolveCweId({ cwe: "CWE-798", rule_id, category: "secrets", description, detector_name: detector });
     findings.push({
       category: "secrets",
-      rule_id: `runsec.secrets.trufflehog.${detector.toLowerCase().replace(/\s+/g, "-")}`,
-      cwe: "CWE-798",
+      rule_id,
+      cwe,
+      cwe_name: resolveCweDisplay({ cwe, rule_id, category: "secrets", description, detector_name: detector }),
       stackTags: ["Secrets"],
       asvsLevel: "L1",
       asvsTrace: "V6.4.1",
@@ -3328,6 +3438,7 @@ function loadVersion() {
 var RUNSEC_MCP_VERSION = loadVersion();
 // src/engine/reportFormatter.ts
+var ALLOWED_HOSTS_WILDCARD_RE2 = /allowed_hosts\s*=\s*\[\s*['"]\*['"]\s*\]|allowed_hosts\s*=\s*\{\s*['"]\*['"]\s*\}/i;
 var REPORT_SECTION_TITLES = {
   code: "Code Vulnerabilities",
   secrets: "Exposed Secrets",
@@ -3386,10 +3497,103 @@ function normalizeCategory(row) {
   const c = row.category;
   if (c === "secrets" || c === "dependencies" || c === "code") return c;
   const rule = String(row.rule_id ?? "").toLowerCase();
-  if (rule.includes("trufflehog") || rule.includes("secrets")) return "secrets";
-  if (rule.includes("syft") || rule.includes("dependencies")) return "dependencies";
+  if (rule.includes("trufflehog") || row.detector_name) return "secrets";
+  if (rule.includes("syft") || rule.includes("sbom")) return "dependencies";
   return "code";
 }
+function serviceComponentFromPath(filePath) {
+  const normalized = String(filePath ?? "").replace(/\\/g, "/");
+  const parts = normalized.split("/").filter(Boolean);
+  if (parts.length === 0) return "workspace";
+  if (parts[0] === "src" && parts[1]) return parts[1];
+  if (["app", "apps", "services", "packages", "deploy", "infra", "config"].includes(parts[0]) && parts[1]) {
+    return `${parts[0]}/${parts[1]}`;
+  }
+  return parts[0];
+}
+function buildComponentMatrix(primary, suppressed) {
+  const map = /* @__PURE__ */ new Map();
+  const touch = (filePath) => {
+    const key = serviceComponentFromPath(filePath);
+    let row = map.get(key);
+    if (!row) {
+      row = { component: key, critical: 0, high: 0, medium: 0, suppressed: 0 };
+      map.set(key, row);
+    }
+    return row;
+  };
+  for (const f of primary) {
+    const row = touch(String(f.file_path ?? "workspace"));
+    const sev = normalizeSeverity(f.severity);
+    if (sev === "CRITICAL") row.critical += 1;
+    else if (sev === "HIGH") row.high += 1;
+    else if (sev === "MEDIUM") row.medium += 1;
+  }
+  for (const f of suppressed) {
+    touch(String(f.file_path ?? "workspace")).suppressed += 1;
+  }
+  return Array.from(map.values()).sort(
+    (a, b) => b.critical + b.high + b.medium + b.suppressed - (a.critical + a.high + a.medium + a.suppressed) || a.component.localeCompare(b.component)
+  );
+}
+function buildDeveloperTopActions(findings, limit = 3) {
+  const ranked = [...findings].sort((a, b) => {
+    const sev = severityRank(a.severity) - severityRank(b.severity);
+    if (sev !== 0) return sev;
+    const confA = typeof a.confidence_score === "number" ? a.confidence_score : 0;
+    const confB = typeof b.confidence_score === "number" ? b.confidence_score : 0;
+    return confB - confA;
+  });
+  const out = [];
+  for (const f of ranked) {
+    if (out.length >= limit) break;
+    out.push({
+      file_path: String(f.file_path ?? "unknown"),
+      line: Number(f.line ?? 0),
+      severity: normalizeSeverity(f.severity),
+      rule_id: String(f.rule_id ?? "unknown_rule"),
+      description: String(f.description ?? f.rule_id ?? "Security finding")
+    });
+  }
+  return out;
+}
+function buildProofOfConcept(group, example) {
+  const blob = `${group.description} ${example?.snippet ?? ""} ${group.rule_id}`;
+  if (ALLOWED_HOSTS_WILDCARD_RE2.test(blob) || /dja-005|insecure allowed_hosts/i.test(blob)) {
+    return {
+      bash: [
+        "# Host header poisoning \u2014 run only against systems you are authorized to test",
+        'curl -i -H "Host: evil-attacker.com" "https://<your-production-domain>/"'
+      ].join("\n")
+    };
+  }
+  if (/\bssrf\b|cwe-918|aac-001|nst-014|ruby-017|fas-016/i.test(blob)) {
+    return {
+      bash: [
+        "# SSRF/metadata probe \u2014 should be blocked by egress controls",
+        'curl -i --max-time 3 "http://169.254.169.254/latest/meta-data/"'
+      ].join("\n")
+    };
+  }
+  if (/csrf|cwe-352/i.test(blob)) {
+    return {
+      bash: [
+        "# CSRF check \u2014 confirm state-changing routes require anti-CSRF token",
+        'curl -i -X POST "https://<your-production-domain>/api/state-changing" -H "Cookie: session=<value>"'
+      ].join("\n")
+    };
+  }
+  return null;
+}
+function formatRemediationAsDiff(remediation, example, description) {
+  const fix = remediation.trim();
+  if (!fix || !example?.snippet?.trim() || example.snippet === NO_CODE_SNIPPET) return fix;
+  if (description && fix === description.trim()) return fix;
+  const bad = example.snippet.trim();
+  if (bad.includes("\n") || fix.includes("\n")) return fix;
+  if (bad === fix) return fix;
+  return ["--- vulnerable", "+++ recommended", `-${bad}`, `+${fix}`].join("\n");
+}
 var SEVERITY_RANK = {
   CRITICAL: 0,
   ERROR: 0,
@@ -3478,63 +3682,6 @@ function formatStackTagsInline(tags) {
   if (!tags.length) return "";
   return tags.map((t) => `**[${safeText(t)}]**`).join(" ");
 }
-var TECH_STACK_BY_EXT = {
-  ".py": "Python",
-  ".js": "JavaScript/TypeScript",
-  ".jsx": "JavaScript/TypeScript",
-  ".mjs": "JavaScript/TypeScript",
-  ".cjs": "JavaScript/TypeScript",
-  ".ts": "JavaScript/TypeScript",
-  ".tsx": "JavaScript/TypeScript",
-  ".java": "Java",
-  ".kt": "Kotlin",
-  ".kts": "Kotlin",
-  ".go": "Go",
-  ".dart": "Dart",
-  ".rb": "Ruby",
-  ".php": "PHP",
-  ".rs": "Rust",
-  ".cs": "C#",
-  ".cpp": "C++",
-  ".cc": "C++",
-  ".c": "C",
-  ".h": "C/C++ Header",
-  ".swift": "Swift",
-  ".scala": "Scala",
-  ".yaml": "YAML",
-  ".yml": "YAML",
-  ".json": "JSON",
-  ".xml": "XML",
-  ".tf": "Terraform",
-  ".vue": "Vue",
-  ".svelte": "Svelte",
-  ".sql": "SQL",
-  ".sh": "Shell",
-  ".bash": "Shell",
-  ".zsh": "Shell",
-  ".ps1": "PowerShell",
-  ".gradle": "Gradle",
-  ".properties": "Properties",
-  ".toml": "TOML",
-  ".ini": "INI",
-  ".conf": "Config",
-  ".md": "Markdown"
-};
-function techStackFromFilePath(filePath) {
-  const normalized = String(filePath ?? "").replace(/\\/g, "/");
-  const base = import_node_path16.default.basename(normalized).toLowerCase();
-  if (base === "dockerfile" || base.startsWith("dockerfile.")) return "Docker";
-  const ext = import_node_path16.default.extname(normalized).toLowerCase();
-  return TECH_STACK_BY_EXT[ext] ?? "Other";
-}
-function countFindingsByTechStack(findings) {
-  const counts = /* @__PURE__ */ new Map();
-  for (const row of findings) {
-    const stack = techStackFromFilePath(String(row.file_path ?? ""));
-    counts.set(stack, (counts.get(stack) ?? 0) + 1);
-  }
-  return Array.from(counts.entries()).map(([tag, count]) => ({ tag, count })).sort((a, b) => b.count - a.count || a.tag.localeCompare(b.tag));
-}
 function suppressionReasonLabel(finding) {
   const reason = String(finding.suppression_reason ?? "").trim();
   if (reason) return reason;
@@ -3544,76 +3691,32 @@ function suppressionReasonLabel(finding) {
   return "cognitive_suppressed";
 }
 function renderSuppressedFindingsSection(suppressed) {
-  const out = [];
-  if (suppressed.length === 0) return out;
+  if (suppressed.length === 0) return [];
   const byReason = /* @__PURE__ */ new Map();
   for (const row of suppressed) {
     const key = suppressionReasonLabel(row);
-    const bucket = byReason.get(key);
-    if (bucket) bucket.push(row);
-    else byReason.set(key, [row]);
+    byReason.set(key, (byReason.get(key) ?? 0) + 1);
   }
+  const out = [];
   out.push("---");
-  out.push(`## Appendix: Cognitively suppressed findings (${suppressed.length})`);
+  out.push("<details>");
+  out.push(`<summary>Appendix: Cognitive suppression summary (${suppressed.length} items)</summary>`);
   out.push("");
   out.push(
-    "These TruffleHog/Semgrep hits were processed by the cognitive engine and scored below the primary report threshold (0.8). They do **not** change `X-RunSec-Verdict`."
+    "Findings below the primary confidence threshold (0.8) or nuclear-hard-dropped. They do not affect `X-RunSec-Verdict`."
   );
   out.push("");
   out.push("| Suppression reason | Count |");
   out.push("|---|---:|");
-  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1].length - a[1].length);
-  for (const [reason, rows] of sortedReasons) {
-    out.push(`| \`${safeText(reason)}\` | ${rows.length} |`);
+  const sortedReasons = Array.from(byReason.entries()).sort((a, b) => b[1] - a[1]);
+  for (const [reason, count] of sortedReasons) {
+    out.push(`| \`${safeText(reason)}\` | ${count} |`);
   }
-  const maxFilesPerReason = 40;
-  for (const [reason, rows] of sortedReasons) {
-    out.push("");
-    out.push(`### ${safeText(reason)} (${rows.length})`);
-    out.push("");
-    out.push("**Affected files:**");
-    const locations = [
-      ...new Set(
-        rows.map((row) => `${String(row.file_path || "unknown")}:${Number(row.line ?? 0)}`)
-      )
-    ].sort();
-    for (const loc of locations.slice(0, maxFilesPerReason)) {
-      out.push(`- \`${safeText(loc)}\``);
-    }
-    if (locations.length > maxFilesPerReason) {
-      out.push(`- _+${locations.length - maxFilesPerReason} additional locations omitted._`);
-    }
-    const sample = rows.find((r) => String(r.snippet ?? r.match_text ?? "").trim());
-    const sampleText = String(sample?.snippet ?? sample?.match_text ?? "").trim();
-    if (sampleText) {
-      out.push("");
-      out.push("**Example snippet:**");
-      out.push("");
-      out.push("```text");
-      out.push(safeText(sampleText.slice(0, 400)));
-      out.push("```");
-    }
-  }
-  return out;
-}
-function renderTechStackSummary(findings) {
-  const rows = countFindingsByTechStack(findings);
-  const out = [];
-  out.push("### Findings by tech stack");
   out.push("");
-  if (rows.length === 0) {
-    out.push("_No findings to summarize by file type._");
-    return out;
-  }
-  out.push("| Tech stack | Findings |");
-  out.push("|---|---:|");
-  for (const { tag, count } of rows.slice(0, 20)) {
-    out.push(`| ${safeText(tag)} | ${count} |`);
-  }
-  if (rows.length > 20) {
-    out.push("");
-    out.push(`_+${rows.length - 20} additional stacks omitted._`);
-  }
+  out.push(
+    "_Per-file listings omitted to reduce noise. Re-run with verbose telemetry or inspect engine JSON for full paths._"
+  );
+  out.push("</details>");
   return out;
 }
 function groupFindingsByRule(findings) {
@@ -3626,8 +3729,22 @@ function groupFindingsByRule(findings) {
         rule_id: ruleId,
         description: String(f.description || ruleId),
         severity: normalizeSeverity(f.severity),
-        cwe: f.cwe != null && String(f.cwe).trim() !== "" ? String(f.cwe) : "UNKNOWN",
-        cwe_name: String(f.cwe_name || f.cwe || "Unknown CWE"),
+        cwe: resolveCweId({
+          cwe: f.cwe,
+          cwe_name: f.cwe_name,
+          rule_id: ruleId,
+          category: normalizeCategory(f),
+          description: f.description,
+          detector_name: f.detector_name
+        }),
+        cwe_name: resolveCweDisplay({
+          cwe: f.cwe,
+          cwe_name: f.cwe_name,
+          rule_id: ruleId,
+          category: normalizeCategory(f),
+          description: f.description,
+          detector_name: f.detector_name
+        }),
         remediation: String(f.remediation || "").trim(),
         metadata: {
           remediation_lang: f.metadata?.remediation_lang?.trim() || void 0
@@ -3705,7 +3822,7 @@ function countSeverity(findings) {
   }
   return { critical, high, medium, low };
 }
-function renderFindingRows(findings) {
+function renderFindingRows(findings, category) {
   const out = [];
   if (findings.length === 0) {
     out.push("_No findings in this category._");
@@ -3713,56 +3830,101 @@ function renderFindingRows(findings) {
   }
   for (const group of groupFindingsByRule(findings)) {
     const metric = shortRuleLabel(group.rule_id);
-    const conf = typeof group.confidence_score === "number" ? `Confidence: ${group.confidence_score.toFixed(2)} | ` : "";
+    const conf = typeof group.confidence_score === "number" ? ` (confidence ${group.confidence_score.toFixed(2)})` : "";
     const cweLabel = safeText(group.cwe_name || group.cwe);
-    const stackInline = formatStackTagsInline(group.stackTags);
-    const cvssLine = typeof group.cvss_score === "number" ? `**CVSS:** ${group.cvss_score.toFixed(1)}${group.cvss_vector ? ` (\`${safeText(group.cvss_vector)}\`)` : ""}` : "";
-    const asvsLevelText = formatAsvsLevelDisplay(group.asvsLevel);
-    const asvsLine = asvsLevelText && group.asvsTrace ? `**ASVS:** ${asvsLevelText} (${safeText(group.asvsTrace)})` : asvsLevelText ? `**ASVS:** ${asvsLevelText}` : group.asvsTrace ? `**ASVS:** ${safeText(group.asvsTrace)}` : "";
-    out.push(
-      `**[${normalizeSeverity(group.severity)}]** \`${safeText(group.rule_id)}\` (${metric})`
-    );
-    if (group.description.trim()) {
+    const example = group.exampleOccurrence ?? group.occurrences[0];
+    const primaryLoc = example ? `\`${safeText(example.file_path)}:${example.line}\`` : "`unknown:0`";
+    out.push(`### ${normalizeSeverity(group.severity)} \u2014 \`${safeText(group.rule_id)}\` (${metric})${conf}`);
+    out.push("");
+    out.push(`**Target location:** ${primaryLoc}`);
+    if (group.occurrences.length > 1) {
       out.push("");
-      out.push(safeText(group.description));
+      out.push("**Additional locations:**");
+      for (const occ of group.occurrences.slice(0, 12)) {
+        out.push(`- \`${safeText(occ.file_path)}:${occ.line}\``);
+      }
+      if (group.occurrences.length > 12) {
+        out.push(`- _+${group.occurrences.length - 12} more omitted_`);
+      }
     }
     out.push("");
-    out.push(
-      `${conf}**CWE:** ${cweLabel}${stackInline ? ` ${stackInline}` : ""}`
-    );
-    if (cvssLine) {
-      out.push(cvssLine);
-    }
-    if (asvsLine) {
-      out.push(asvsLine);
-    }
+    out.push("**Problem description:**");
     out.push("");
-    out.push("**Affected Files:**");
-    for (const occ of group.occurrences) {
-      out.push(`- \`${safeText(occ.file_path)}:${occ.line}\``);
+    out.push(safeText(group.description.trim() || group.rule_id));
+    out.push("");
+    out.push(`**CWE:** ${cweLabel}`);
+    const stackInline = formatStackTagsInline(group.stackTags);
+    if (stackInline) out.push(stackInline);
+    if (typeof group.cvss_score === "number") {
+      out.push(
+        `**CVSS:** ${group.cvss_score.toFixed(1)}${group.cvss_vector ? ` (\`${safeText(group.cvss_vector)}\`)` : ""}`
+      );
+    }
+    const asvsLevelText = formatAsvsLevelDisplay(group.asvsLevel);
+    if (asvsLevelText) {
+      out.push(
+        `**ASVS:** ${asvsLevelText}${group.asvsTrace ? ` (${safeText(group.asvsTrace)})` : ""}`
+      );
     }
     out.push("");
-    const example = group.exampleOccurrence;
-    if (example) {
+    if (example && isUsableSnippet(example.snippet)) {
       const lang = snippetLanguage(example.file_path);
-      out.push(`**Example Snippet** (from \`${safeText(example.file_path)}:${example.line}\`):`);
+      out.push("**Code snippet:**");
       out.push("");
       out.push("```" + lang);
       out.push(example.snippet);
       out.push("```");
       out.push("");
     }
+    if (category === "code") {
+      const poc = buildProofOfConcept(group, example);
+      if (poc) {
+        out.push("**Proof of Concept (Instant Verification):**");
+        out.push("");
+        out.push("```bash");
+        out.push(poc.bash);
+        out.push("```");
+        out.push("");
+      }
+    }
     const remediationText = remediationForGroup(group);
     const remediationLang = remediationFenceLanguage(group);
-    out.push("### Remediation");
+    const diffText = formatRemediationAsDiff(remediationText, example, group.description);
+    out.push("**Contextual remediation:**");
     out.push("");
     out.push("```" + remediationLang);
-    out.push(remediationText);
+    out.push(diffText);
     out.push("```");
     out.push("");
   }
   return out;
 }
+function renderComplianceAuditorSection(standard, findings) {
+  const out = [];
+  out.push("### For Compliance Auditors");
+  out.push("");
+  const cweSet = new Set(findings.map((f) => resolveCweId({ cwe: f.cwe, rule_id: f.rule_id, category: f.category, description: f.description })));
+  const hasSecrets = findings.some((f) => normalizeCategory(f) === "secrets");
+  const hasInput = [...cweSet].some((c) => /CWE-(20|79|89|346|352|918)/.test(c));
+  const hasCrypto = [...cweSet].some((c) => /CWE-(327|295|347)/.test(c));
+  out.push("| Baseline | Applicable controls | Scan signal |");
+  out.push("|---|---|---|");
+  out.push(
+    `| SOC 2 Trust Services Criteria (Security) | CC6.1 Logical access, CC7.2 System monitoring | ${hasSecrets ? "Secret exposure patterns detected" : "No primary secret findings"} |`
+  );
+  out.push(
+    `| PCI-DSS v4.0 | Req. 6.2 Secure development, Req. 6.4 Public-facing vulnerabilities | ${hasInput ? "Input validation / injection class findings present" : "No primary injection-class findings"} |`
+  );
+  out.push(
+    `| OWASP ASVS (mapped) | V5 Validation / V13 API / V14 Config | ${findings.length ? `${findings.length} primary finding(s) with ASVS traces where available` : "Clean primary log"} |`
+  );
+  if (hasCrypto) {
+    out.push(`| Cryptographic controls | ASVS V13.2 / PCI 3.5 | Weak crypto or TLS findings in primary log |`);
+  }
+  out.push("");
+  out.push(`_Audit standard selected for this run: **${safeText(standard)}**._`);
+  return out;
+}
 function buildServerSideReportMarkdown(standard, findings, metrics) {
   const verdictLabel = metrics.verdict?.http_headers?.["X-RunSec-Verdict"] ?? metrics.verdict?.status ?? "PASS";
   const allSev = countSeverity(findings);
@@ -3775,62 +3937,96 @@ function buildServerSideReportMarkdown(standard, findings, metrics) {
     byCategory[normalizeCategory(row)].push(row);
   }
   const es = metrics.engine_summary;
+  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
+  const cognitiveSuppressed = Number(metrics.cognitive_suppressed_count ?? suppressedRows.length);
+  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   const out = [];
-  out.push(`# RunSec Unified Security Report`);
+  out.push(`# RunSec Security Report`);
   out.push("");
-  out.push(`**Generated at:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
-  out.push(`**MCP package:** \`@runsec/mcp@${safeText(RUNSEC_MCP_VERSION)}\``);
-  out.push(`**Standard:** ${safeText(standard)}`);
-  out.push(`**X-RunSec-Verdict:** \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""}`);
+  out.push("| | |");
+  out.push("|---|---|");
+  out.push(`| **X-RunSec-Verdict** | \`${safeText(verdictLabel)}\`${metrics.verdict?.is_safe === false && metrics.verdict.fail_reason ? ` \u2014 ${safeText(metrics.verdict.fail_reason)}` : ""} |`);
+  out.push(`| **Generated at** | ${(/* @__PURE__ */ new Date()).toISOString()} |`);
+  out.push(`| **MCP package** | \`@runsec/mcp@${safeText(RUNSEC_MCP_VERSION)}\` |`);
+  out.push(`| **AI cognitive noise suppressed** | ${cognitiveSuppressed} |`);
+  out.push(`| **Standard** | ${safeText(standard)} |`);
   out.push(
-    `**Scan time:** ${Number(metrics.duration_ms || 0)}ms | **Files scanned:** ${Number(metrics.scanned_files_count || 0)} | **Rules:** ${Number(metrics.total_rules || 0)}`
+    `| **Scan** | ${Number(metrics.duration_ms || 0)}ms \xB7 ${Number(metrics.scanned_files_count || 0)} files \xB7 ${Number(metrics.total_rules || 0)} rules |`
   );
   if (metrics.engines) {
     out.push(
-      `**Engines (concurrent):** Semgrep \`${safeText(metrics.engines.semgrep ?? "n/a")}\` | TruffleHog \`${safeText(metrics.engines.trufflehog ?? "n/a")}\` | Syft \`${safeText(metrics.engines.syft ?? "n/a")}\`${es?.concurrent_duration_ms != null ? ` | **Wall time:** ${es.concurrent_duration_ms}ms` : ""}`
+      `| **Engines** | Semgrep \`${safeText(metrics.engines.semgrep ?? "n/a")}\` \xB7 TruffleHog \`${safeText(metrics.engines.trufflehog ?? "n/a")}\` \xB7 Syft \`${safeText(metrics.engines.syft ?? "n/a")}\`${es?.concurrent_duration_ms != null ? ` \xB7 ${es.concurrent_duration_ms}ms wall` : ""} |`
     );
   }
   if (es) {
     out.push(
-      `**Raw engine counts (pre-cognitive):** Code ${es.semgrep?.finding_count ?? 0} | Secrets ${rawEngineCountLabel("trufflehog", es)} | Dependencies ${rawEngineCountLabel("syft", es)}`
+      `| **Raw engine counts** | Code ${es.semgrep?.finding_count ?? 0} \xB7 Secrets ${rawEngineCountLabel("trufflehog", es)} \xB7 Dependencies ${rawEngineCountLabel("syft", es)} |`
     );
   }
   out.push("");
   out.push("---");
-  out.push("## Executive summary");
-  out.push(
-    `- **CRITICAL:** ${allSev.critical} | **HIGH:** ${allSev.high} | **MEDIUM:** ${allSev.medium} | **LOW:** ${allSev.low}`
-  );
+  out.push("## Executive Summary");
+  out.push("");
   out.push(
-    `- **Code Vulnerabilities:** ${byCategory.code.length} | **Exposed Secrets:** ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} | **Vulnerable Dependencies:** ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
+    `**Primary severity:** CRITICAL ${allSev.critical} \xB7 HIGH ${allSev.high} \xB7 MEDIUM ${allSev.medium} \xB7 LOW ${allSev.low} \xB7 Primary findings ${findings.length}`
   );
-  const suppressedRows = Array.isArray(metrics.findings_suppressed) ? metrics.findings_suppressed : [];
-  const rawSecrets = es?.trufflehog?.finding_count ?? metrics.cognitive?.findings_total ?? 0;
   out.push(
-    `- **Primary findings (cognitive-filtered):** ${findings.length} | **Suppressed (.runsecignore):** ${Number(metrics.suppressed_fp_count || 0)} | **Suppressed (cognitive):** ${Number(metrics.cognitive_suppressed_count ?? suppressedRows.length)}`
+    `**By engine (primary log):** Code (Semgrep) ${byCategory.code.length} \xB7 Secrets (TruffleHog) ${executiveCategoryLabel("secrets", byCategory.secrets.length, es)} \xB7 Dependencies (Syft) ${executiveCategoryLabel("dependencies", byCategory.dependencies.length, es)}`
   );
   if (Number(rawSecrets) > 0 && findings.length === 0 && suppressedRows.length > 0) {
-    out.push(
-      `- **Raw TruffleHog hits:** ${rawSecrets} \u2014 see **Appendix: Cognitively suppressed findings** below.`
-    );
+    out.push(`**Note:** ${rawSecrets} raw TruffleHog hits were cognitively suppressed \u2014 see appendix.`);
   }
   out.push("");
-  out.push(...renderTechStackSummary([...findings, ...suppressedRows]));
+  out.push("### For Developers (Actionable Top 3)");
+  out.push("");
+  const topActions = buildDeveloperTopActions(findings, 3);
+  if (topActions.length === 0) {
+    out.push("- No blocking primary findings \u2014 maintain secure defaults on the next change set.");
+  } else {
+    for (const item of topActions) {
+      out.push(
+        `- **[${item.severity}]** \`${safeText(item.file_path)}:${item.line}\` \u2014 ${safeText(item.description)} (\`${safeText(item.rule_id)}\`)`
+      );
+    }
+  }
+  out.push("");
+  out.push("### For Tech Leads (Component Vulnerability Matrix)");
+  out.push("");
+  const matrix = buildComponentMatrix(findings, suppressedRows);
+  if (matrix.length === 0) {
+    out.push("_No component-level signal in the primary or suppressed logs._");
+  } else {
+    out.push("| Service/Component | CRITICAL | HIGH | MEDIUM | Suppressed Noise |");
+    out.push("|---|---:|---:|---:|---:|");
+    for (const row of matrix.slice(0, 24)) {
+      out.push(
+        `| ${safeText(row.component)} | ${row.critical} | ${row.high} | ${row.medium} | ${row.suppressed} |`
+      );
+    }
+    if (matrix.length > 24) {
+      out.push(`| _+${matrix.length - 24} components omitted_ | | | | |`);
+    }
+  }
+  out.push("");
+  out.push(...renderComplianceAuditorSection(standard, findings));
+  out.push("");
+  out.push("---");
+  out.push("## Detailed Findings");
   out.push("");
   let sectionNum = 1;
   for (const category of CATEGORY_ORDER) {
     const rows = byCategory[category];
     const engineTag = category === "code" ? "Semgrep" : category === "secrets" ? "TruffleHog" : "Syft SBOM";
-    out.push("---");
-    out.push(`## ${sectionNum}. ${REPORT_SECTION_TITLES[category]} (${engineTag})`);
+    out.push(`### ${sectionNum}. ${REPORT_SECTION_TITLES[category]} (${engineTag})`);
     out.push(...renderCategorySectionSummary(category, rows, es, metrics));
     out.push("");
-    out.push(...renderFindingRows(rows));
+    out.push(...renderFindingRows(rows, category));
     sectionNum += 1;
   }
   out.push(...renderSuppressedFindingsSection(suppressedRows));
   out.push("---");
-  out.push("<details><summary>Telemetry (machine)</summary>\n");
+  out.push("<details><summary>Telemetry (machine-readable)</summary>");
+  out.push("");
   out.push("```json");
   out.push(
     JSON.stringify(

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@runsec/mcp",
-  "version": "1.0.88",
+  "version": "1.0.89",
   "main": "dist/index.js",
   "files": [
     "package.json",