@saiteja1123/mcp-server 1.1.3 → 1.1.5

package/src/server.js

@@ -10,29 +10,44 @@ import {
 } from './rule-engine/index.js';
 import {
   DEFAULT_INCLUDE, DEFAULT_EXCLUDE,
-  inferLang, normalizeRootPath, ensureDirectory,
+  normalizeRootPath, ensureDirectory,
   gatherRepoScan, readGitignoreChecks,
   detectWorkspacePath, isHomePath,
 } from './repo-scan.mjs';
-import { postRemoteLocalScan } from './api-scan.mjs';
-import { validateScanPath, diagnosticLock } from './lock.mjs';
+import { diagnosticLock } from './lock.mjs';
+import { persistRepoScanLog } from './api-scan.mjs';
+import { createBindingGuard, formatGuardError } from './security/pathGuard.js';
+import { registerLocalScanTool } from './tools/localScan.js';
+import { registerScanFileTool } from './tools/scanFile.js';
+import { registerDeepScanTools } from './tools/deepScan.js';
+import { registerProjectTools } from './tools/projects.js';
 
 const require = createRequire(import.meta.url);
 const mcpPkg = require('../package.json');
 
 const INSTALL_TOKEN = process.env.VIBESECUR_INSTALL_TOKEN || null;
+const AUTH_TOKEN = process.env.VIBESECUR_AUTH_TOKEN || process.env.VIBESECUR_TOKEN || null;
 const BOUND_ROOT = process.env.VIBESECUR_BOUND_ROOT
   ? path.resolve(process.env.VIBESECUR_BOUND_ROOT)
   : null;
+const API_BASE = process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '';
+const UNIVERSAL_MODE = !!AUTH_TOKEN && !BOUND_ROOT;
 
-if (!INSTALL_TOKEN || !BOUND_ROOT) {
-  process.stderr.write(
-    '[vibesecur] WARNING: VIBESECUR_INSTALL_TOKEN and VIBESECUR_BOUND_ROOT are not set.\n' +
-    '[vibesecur] Run: vibesecur-mcp bind <folder> then vibesecur-mcp config <folder>\n' +
-    '[vibesecur] Scans will be restricted to process.cwd() as fallback.\n',
-  );
+function debugLog(message, payload) {
+  if (process.env.VIBESECUR_DEBUG !== '1') return;
+  process.stderr.write(`[vibesecur-debug] ${message}: ${JSON.stringify(payload)}\n`);
 }
 
+const guardPath = createBindingGuard({
+  boundRoot: BOUND_ROOT,
+  installToken: INSTALL_TOKEN,
+  authToken: AUTH_TOKEN,
+  apiBase: API_BASE,
+  universalMode: UNIVERSAL_MODE,
+  normalizePath: normalizeRootPath,
+  debugLog,
+});
+
 const server = new McpServer({
   name: 'vibesecur-mcp-server',
   version: mcpPkg.version || '2.0.0',
@@ -40,52 +55,7 @@ const server = new McpServer({
 
 const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
 
-async function guardPath(requestedPath) {
-  const target = normalizeRootPath(requestedPath);
-  if (!BOUND_ROOT) {
-    const cwd = path.resolve(process.cwd());
-    if (!target.startsWith(cwd + path.sep) && target !== cwd) {
-      return {
-        ok: false,
-        httpStatus: 403,
-        code: 'NO_LOCK_OUT_OF_CWD',
-        message:
-          `No lock configured and "${target}" is outside process.cwd() "${cwd}". ` +
-          'Run vibesecur-mcp bind <folder> and add VIBESECUR_BOUND_ROOT to your MCP config.',
-      };
-    }
-    return { ok: true, resolvedRoot: target };
-  }
-  if (!target.startsWith(BOUND_ROOT + path.sep) && target !== BOUND_ROOT) {
-    return {
-      ok: false,
-      httpStatus: 403,
-      code: 'OUT_OF_FOLDER',
-      message:
-        `Path "${target}" is outside the locked project folder "${BOUND_ROOT}". ` +
-        'Vibesecur MCP is bound to one folder per install. ' +
-        'To scan a different folder, run "vibesecur-mcp rebind <new-folder>".',
-      rebindHint: `vibesecur-mcp rebind ${target}`,
-    };
-  }
-  const result = await validateScanPath(target, INSTALL_TOKEN);
-  if (!result.ok) return result;
-  return { ok: true, resolvedRoot: target, lock: result.lock };
-}
-
-function guardError(guard) {
-  const status = guard.httpStatus ? ` (${guard.httpStatus})` : '';
-  const text = JSON.stringify({
-    error: guard.code || 'SCAN_BLOCKED',
-    message: guard.message,
-    rebindHint: guard.rebindHint || null,
-    docs: 'https://vibesecur.com/docs/mcp-setup',
-  }, null, 2);
-  return {
-    content: [{ type: 'text', text: `Security Lock Error${status}:\n${text}` }],
-    isError: true,
-  };
-}
+const guardError = formatGuardError;
 
 function buildScanMeta(resolvedRoot, includeGlobs, excludeGlobs, maxFiles, matchedLen, scannedLen) {
   return {
@@ -96,7 +66,8 @@ function buildScanMeta(resolvedRoot, includeGlobs, excludeGlobs, maxFiles, match
     matchedFiles: matchedLen,
     scannedFiles: scannedLen,
     cappedByMaxFiles: matchedLen > maxFiles,
-    boundRoot: BOUND_ROOT || 'unconfigured',
+    boundRoot: BOUND_ROOT || (UNIVERSAL_MODE ? 'account-wide' : 'unconfigured'),
+    mode: UNIVERSAL_MODE ? 'universal' : (BOUND_ROOT ? 'single-folder' : 'unconfigured'),
   };
 }
 
@@ -108,9 +79,40 @@ function humanRepoSummary(meta, agg) {
   return parts.join(' ');
 }
 
+async function syncRepoScanToDashboard({ aggregate, findings, projectRoot, guard }) {
+  const installToken = guard.installToken || INSTALL_TOKEN;
+  const lockedRootHash = guard.lockedRootHash || guard.lock?.lockedRootHash || guard.lock?.rootHash;
+  if (!installToken || !lockedRootHash) {
+    return { ok: false, reason: 'missing install token or locked root hash' };
+  }
+  try {
+    const logRes = await persistRepoScanLog({
+      aggregate,
+      findings,
+      projectRoot,
+      installToken,
+      lockedRootHash,
+    });
+    if (logRes?.ok && logRes.json?.success) {
+      return { ok: true, scanId: logRes.json?.data?.scanId || null };
+    }
+    return {
+      ok: false,
+      reason: logRes?.reason || logRes?.error || logRes?.json?.error || `status ${logRes?.status || 'unknown'}`,
+    };
+  } catch (err) {
+    process.stderr.write(`[vibesecur] scan log failed (non-fatal): ${err.message}\n`);
+    return { ok: false, reason: err.message };
+  }
+}
+
 function flattenFindings(fileResults) {
   return fileResults.flatMap((fr) =>
-    (fr.result.findings || []).map((f) => ({ ...f, filePath: fr.filePath })),
+    (fr.result.findings || []).map((f) => ({
+      ...f,
+      filePath: fr.filePath,
+      snippetPreview: f.snippetPreview || f.snippet || '',
+    })),
   );
 }
 
@@ -124,10 +126,11 @@ function pickTopFindings(fileResults, n) {
   return flat.slice(0, n).map((f) => ({
     filePath: f.filePath,
     lineNumber: f.lineNumber,
+    endLineNumber: f.endLineNumber || f.lineNumber,
     ruleId: f.ruleId,
     ruleName: f.ruleName,
     severity: f.severity,
-    snippetPreview: (f.snippet || '').slice(0, 120),
+    snippetPreview: (f.snippetPreview || '').slice(0, 120),
   }));
 }
 
@@ -144,9 +147,13 @@ server.registerTool('health', {
     ok: true,
     server: { name: 'vibesecur-mcp-server', version: mcpPkg.version },
     lock: {
-      configured: !!(INSTALL_TOKEN && BOUND_ROOT),
+      configured: UNIVERSAL_MODE || !!(INSTALL_TOKEN && BOUND_ROOT),
+      mode: UNIVERSAL_MODE ? 'universal' : 'single-folder',
       boundRoot: BOUND_ROOT || null,
+      accountWide: UNIVERSAL_MODE,
       healthy: diag.healthy,
+      runtimeCompatible: diag.runtimeCompatible || false,
+      source: diag.source || null,
       issues: diag.issues || [],
     },
     rules: {
@@ -165,9 +172,11 @@ server.registerTool('health', {
 
   if (detail === 'full') {
     payload.envHints = {
+      VIBESECUR_AUTH_TOKEN: AUTH_TOKEN ? '***set***' : 'NOT SET',
       VIBESECUR_INSTALL_TOKEN: INSTALL_TOKEN ? '***set***' : 'NOT SET',
       VIBESECUR_BOUND_ROOT: BOUND_ROOT || 'NOT SET',
-      VIBESECUR_API_BASE: process.env.VIBESECUR_API_BASE || 'NOT SET',
+      VIBESECUR_API_BASE: API_BASE || 'NOT SET',
+      universalMode: UNIVERSAL_MODE,
       CURSOR_WORKSPACE_PATH: process.env.CURSOR_WORKSPACE_PATH ?? null,
       WORKSPACE_PATH: process.env.WORKSPACE_PATH ?? null,
     };
@@ -178,7 +187,9 @@ server.registerTool('health', {
     ok: true,
     version: mcpPkg.version,
     lockConfigured: payload.lock.configured,
+    lockMode: payload.lock.mode,
     lockHealthy: payload.lock.healthy,
+    runtimeCompatible: payload.lock.runtimeCompatible,
     boundRoot: BOUND_ROOT || null,
     totalRules: JS_RULES.length + PY_RULES.length,
     processCwd: cwd,
@@ -218,92 +229,29 @@ server.registerTool('installDiagnostic', {
   };
 });
 
-server.registerTool('localScan', {
-  title: 'Local Security Scan',
-  description: 'Run Vibesecur rule-engine on code. Restricted to bound project folder.',
-  inputSchema: {
-    code: z.string().min(1).max(50000).describe('Source code to scan'),
-    lang: z.enum(['js', 'ts', 'py', 'json', 'auto']).default('auto'),
-    projectRoot: z.string().default('.').describe('Must be inside bound folder'),
-  },
-}, async ({ code, lang = 'auto', projectRoot = '.' }) => {
-  const guard = await guardPath(projectRoot);
-  if (!guard.ok) return guardError(guard);
-  const remote = await postRemoteLocalScan({
-    code,
-    lang,
-    projectRoot: guard.resolvedRoot,
-    platform: 'mcp',
-    token: INSTALL_TOKEN,
-  });
-  if (!remote.skipped && remote.status === 402) {
-    return {
-      content: [{ type: 'text', text: JSON.stringify({ ...remote.json, upgradeUrl: 'https://vibesecur.com/#pricing' }, null, 2) }],
-      isError: true,
-    };
-  }
-  if (!remote.skipped && remote.ok && remote.json?.success && remote.json?.data) {
-    const data = remote.json.data;
-    const humanSummary = `${data.verdict || ''} Score ${data.score} (${data.grade}) - ${(data.findings || []).length} finding(s).`;
-    const enriched = { ...data, humanSummary, engineVersion: mcpPkg.version, quota: remote.json.quota };
-    return { content: [{ type: 'text', text: JSON.stringify(enriched, null, 2) }], structuredContent: enriched };
-  }
-  const result = localScan(code, lang);
-  const humanSummary = `${result.verdict} Score ${result.score} (${result.grade}) - ${result.findings.length} finding(s).`;
-  const enriched = { ...result, humanSummary, engineVersion: mcpPkg.version, mode: 'offline' };
-  return { content: [{ type: 'text', text: JSON.stringify(enriched, null, 2) }], structuredContent: enriched };
+registerProjectTools(server, {
+  authToken: AUTH_TOKEN,
+  apiBase: API_BASE,
+  normalizeRootPath,
 });
 
-server.registerTool('scanFile', {
-  title: 'Scan File',
-  description: 'Scan a single file. Must be inside the bound project folder.',
-  inputSchema: {
-    filePath: z.string().min(1).describe('Absolute or relative file path (must be inside bound folder)'),
-    lang: z.enum(['js', 'ts', 'py', 'json', 'auto']).default('auto'),
-  },
-}, async ({ filePath, lang = 'auto' }) => {
-  try {
-    const resolvedPath = path.resolve(filePath);
-    const guard = await guardPath(path.dirname(resolvedPath));
-    if (!guard.ok) return guardError(guard);
-    const code = await fs.readFile(resolvedPath, 'utf8');
-    const useLang = lang === 'auto' ? inferLang(resolvedPath) : lang;
-    const remote = await postRemoteLocalScan({
-      code,
-      lang: useLang,
-      projectRoot: guard.resolvedRoot,
-      platform: 'mcp',
-      token: INSTALL_TOKEN,
-    });
-    let result;
-    if (!remote.skipped && remote.ok && remote.json?.success && remote.json?.data) {
-      result = remote.json.data;
-    } else if (!remote.skipped && remote.status === 402) {
-      return { content: [{ type: 'text', text: JSON.stringify(remote.json, null, 2) }], isError: true };
-    } else {
-      result = localScan(code, useLang);
-    }
-    const findings = result.findings || [];
-    const bySev = findings.reduce((a, f) => {
-      a[f.severity] = (a[f.severity] || 0) + 1;
-      return a;
-    }, { critical: 0, high: 0, medium: 0, low: 0 });
-    const humanSummary = `File "${resolvedPath}": score ${result.score} (${result.grade}), ${findings.length} issue(s).`;
-    const body = {
-      humanSummary,
-      filePath: resolvedPath,
-      lang: useLang,
-      score: result.score,
-      grade: result.grade,
-      findings: findings.length,
-      bySeverity: bySev,
-      checklist: result.checklist,
-      result,
-    };
-    return { content: [{ type: 'text', text: JSON.stringify(body, null, 2) }], structuredContent: body };
-  } catch (e) {
-    return { content: [{ type: 'text', text: `scanFile failed: ${e.message}` }], isError: true };
-  }
+registerLocalScanTool(server, {
+  guardPath,
+  guardError,
+  installToken: INSTALL_TOKEN,
+  engineVersion: mcpPkg.version,
+});
+
+registerScanFileTool(server, {
+  guardPath,
+  guardError,
+  installToken: INSTALL_TOKEN,
+  engineVersion: mcpPkg.version,
+});
+
+registerDeepScanTools(server, {
+  guardPath,
+  guardError,
 });
 
 server.registerTool('scanRepo', {
@@ -323,7 +271,24 @@ server.registerTool('scanRepo', {
     await ensureDirectory(resolvedRoot);
     const { matchedFiles, limitedFiles, fileResults, aggregate, topRiskFiles } =
       await gatherRepoScan(resolvedRoot, includeGlobs, excludeGlobs, maxFiles);
+    const allFindings = flattenFindings(fileResults).map((f) => ({
+      filePath: f.filePath,
+      lineNumber: f.lineNumber,
+      endLineNumber: f.endLineNumber || f.lineNumber,
+      ruleId: f.ruleId,
+      ruleName: f.ruleName,
+      severity: f.severity,
+      category: f.category,
+      snippetPreview: (f.snippetPreview || '').slice(0, 120),
+      fix: f.fix,
+    }));
     const meta = buildScanMeta(resolvedRoot, includeGlobs, excludeGlobs, maxFiles, matchedFiles.length, limitedFiles.length);
+    const logged = await syncRepoScanToDashboard({
+      aggregate,
+      findings: allFindings,
+      projectRoot: resolvedRoot,
+      guard,
+    });
     const body = {
       meta,
       humanSummary: humanRepoSummary(meta, aggregate),
@@ -334,6 +299,8 @@ server.registerTool('scanRepo', {
       summary: aggregate.summary,
       checklist: aggregate.checklist,
       topRiskFiles,
+      allFindings,
+      logged,
     };
     return { content: [{ type: 'text', text: JSON.stringify(body, null, 2) }], structuredContent: { ...body, fileResults } };
   } catch (e) {
@@ -350,8 +317,16 @@ server.registerTool('scanSummary', {
     excludeGlobs: z.array(z.string()).default(DEFAULT_EXCLUDE),
     maxFiles: z.number().int().min(1).max(5000).default(200),
     topFindings: z.number().int().min(1).max(50).default(20),
+    maxFindings: z.number().int().min(20).max(500).default(200),
   },
-}, async ({ rootPath, includeGlobs = DEFAULT_INCLUDE, excludeGlobs = DEFAULT_EXCLUDE, maxFiles = 200, topFindings = 20 }) => {
+}, async ({
+  rootPath,
+  includeGlobs = DEFAULT_INCLUDE,
+  excludeGlobs = DEFAULT_EXCLUDE,
+  maxFiles = 200,
+  topFindings = 20,
+  maxFindings = 200,
+}) => {
   try {
     const guard = await guardPath(rootPath);
     if (!guard.ok) return guardError(guard);
@@ -361,12 +336,24 @@ server.registerTool('scanSummary', {
       await gatherRepoScan(resolvedRoot, includeGlobs, excludeGlobs, maxFiles);
     const meta = buildScanMeta(resolvedRoot, includeGlobs, excludeGlobs, maxFiles, matchedFiles.length, limitedFiles.length);
     const top = pickTopFindings(fileResults, topFindings);
+    const allFindings = flattenFindings(fileResults).slice(0, maxFindings).map((f) => ({
+      filePath: f.filePath,
+      lineNumber: f.lineNumber,
+      endLineNumber: f.endLineNumber || f.lineNumber,
+      ruleId: f.ruleId,
+      ruleName: f.ruleName,
+      severity: f.severity,
+      category: f.category,
+      snippetPreview: (f.snippetPreview || '').slice(0, 120),
+      fix: f.fix,
+    }));
     const payload = {
       meta,
       humanSummary: humanRepoSummary(meta, aggregate),
       summary: aggregate.summary,
       checklist: { passed: aggregate.checklist.filter((c) => c.pass).length, total: aggregate.checklist.length },
       topFindings: top,
+      allFindings,
     };
     return { content: [{ type: 'text', text: JSON.stringify(payload, null, 2) }], structuredContent: payload };
   } catch (e) {
@@ -396,7 +383,24 @@ server.registerTool('scanCurrentWorkspace', {
     await ensureDirectory(guard.resolvedRoot);
     const { matchedFiles, limitedFiles, fileResults, aggregate, topRiskFiles } =
       await gatherRepoScan(guard.resolvedRoot, includeGlobs, excludeGlobs, maxFiles);
+    const allFindings = flattenFindings(fileResults).map((f) => ({
+      filePath: f.filePath,
+      lineNumber: f.lineNumber,
+      endLineNumber: f.endLineNumber || f.lineNumber,
+      ruleId: f.ruleId,
+      ruleName: f.ruleName,
+      severity: f.severity,
+      category: f.category,
+      snippetPreview: (f.snippetPreview || '').slice(0, 120),
+      fix: f.fix,
+    }));
     const meta = buildScanMeta(guard.resolvedRoot, includeGlobs, excludeGlobs, maxFiles, matchedFiles.length, limitedFiles.length);
+    const logged = await syncRepoScanToDashboard({
+      aggregate,
+      findings: allFindings,
+      projectRoot: guard.resolvedRoot,
+      guard,
+    });
     const body = {
       meta,
       humanSummary: humanRepoSummary(meta, aggregate),
@@ -407,6 +411,8 @@ server.registerTool('scanCurrentWorkspace', {
       summary: aggregate.summary,
       checklist: aggregate.checklist,
       topRiskFiles,
+      allFindings,
+      logged,
     };
     return { content: [{ type: 'text', text: JSON.stringify(body, null, 2) }], structuredContent: { ...body, fileResults } };
   } catch (e) {
@@ -476,6 +482,16 @@ server.registerTool('buildClaudePrompt', {
 });
 
 async function main() {
+  if (!INSTALL_TOKEN || !BOUND_ROOT) {
+    throw new Error(
+      'VIBESECUR_INSTALL_TOKEN and VIBESECUR_BOUND_ROOT are required. ' +
+      'Run "vibesecur-mcp bind <folder>" and update your MCP config env.',
+    );
+  }
+  const startupGuard = await guardPath(BOUND_ROOT);
+  if (!startupGuard.ok) {
+    throw new Error(`${startupGuard.code}: ${startupGuard.message}`);
+  }
   const transport = new StdioServerTransport();
   await server.connect(transport);
   process.stderr.write(