@saiteja1123/mcp-server 1.1.4 → 1.1.5

package/src/tools/localScan.js

@@ -0,0 +1,85 @@
+/**
+ * src/tools/localScan.js
+ *
+ * MCP tool: 'localScan'
+ *
+ * Registers the localScan tool against a McpServer instance.
+ * All server-level dependencies (guard, token, version) are injected
+ * by the caller — this file never imports from server.js.
+ *
+ * Dependency injection contract:
+ *   registerLocalScanTool(server, deps)
+ *     server       — McpServer instance
+ *     deps.guardPath     — async (path: string) => GuardResult
+ *     deps.guardError    — (guard: GuardResult) => McpErrorResponse
+ *     deps.INSTALL_TOKEN — string | null
+ *     deps.engineVersion — string (mcpPkg.version)
+ *
+ * DOES NOT OWN:
+ *   - Path guard implementation (server.js)
+ *   - Install token / bound root resolution (server.js)
+ *   - Scan orchestration (orchestrator/runScan.js)
+ *   - Governance middleware (middleware/governance.js — called inside runScan)
+ */
+
+import * as z from 'zod';
+import { runScan } from '../orchestrator/runScan.js';
+
+/**
+ * Register the 'localScan' MCP tool on the provided server instance.
+ *
+ * @param {import('@modelcontextprotocol/sdk/server/mcp.js').McpServer} server
+ * @param {Object} deps
+ * @param {Function} deps.guardPath     - Bound-folder + lock validation
+ * @param {Function} deps.guardError    - Guard failure → MCP error response
+ * @param {string|null} deps.INSTALL_TOKEN
+ * @param {string} deps.engineVersion
+ */
+export function registerLocalScanTool(server, { guardPath, guardError, installToken, engineVersion }) {
+  server.registerTool('localScan', {
+    title: 'Local Security Scan',
+    description: 'Run Vibesecur rule-engine on code. Restricted to bound project folder.',
+    inputSchema: {
+      code: z.string().min(1).max(50000).describe('Source code to scan'),
+      lang: z.enum(['js', 'ts', 'py', 'json', 'auto']).default('auto'),
+      projectRoot: z.string().default('.').describe('Must be inside bound folder'),
+    },
+  }, async ({ code, lang = 'auto', projectRoot = '.' }) => {
+    // ── Binding / path guard ──────────────────────────────────────────────
+    const guard = await guardPath(projectRoot);
+    if (!guard.ok) return guardError(guard);
+
+    // ── Scan orchestration (remote → governance → local fallback) ─────────
+    const outcome = await runScan({
+      code,
+      lang,
+      projectRoot: guard.resolvedRoot,
+      installToken: guard.installToken || installToken,
+      lockedRootHash: guard.lockedRootHash || guard.lock?.lockedRootHash || guard.lock?.rootHash,
+      engineVersion,
+    });
+
+    // ── Error outcome (REMOTE_VERIFICATION_REQUIRED / UPGRADE_REQUIRED /
+    //    GOVERNANCE_BLOCKED) ─────────────────────────────────────────────
+    if (!outcome.ok) {
+      return {
+        content: [{ type: 'text', text: JSON.stringify(outcome.errorPayload, null, 2) }],
+        isError: true,
+      };
+    }
+
+    // ── Remote success ────────────────────────────────────────────────────
+    if (outcome.mode === 'remote') {
+      const data = outcome.result;
+      const humanSummary = `${data.verdict || ''} Score ${data.score} (${data.grade}) - ${(data.findings || []).length} finding(s).`;
+      const enriched = { ...data, humanSummary, engineVersion: outcome.engineVersion, quota: outcome.quota };
+      return { content: [{ type: 'text', text: JSON.stringify(enriched, null, 2) }], structuredContent: enriched };
+    }
+
+    // ── Offline fallback ──────────────────────────────────────────────────
+    const result = outcome.result;
+    const humanSummary = `${result.verdict} Score ${result.score} (${result.grade}) - ${result.findings.length} finding(s).`;
+    const enriched = { ...result, humanSummary, engineVersion: outcome.engineVersion, mode: 'offline' };
+    return { content: [{ type: 'text', text: JSON.stringify(enriched, null, 2) }], structuredContent: enriched };
+  });
+}

package/src/tools/projects.js

@@ -0,0 +1,124 @@
+import * as z from 'zod';
+
+import { listProjects } from '../api-scan.mjs';
+import { ensureProjectBinding, invalidateProjectsListCache } from '../project-bindings.mjs';
+
+function resolveAuthToken(authToken) {
+  return (
+    authToken
+    || process.env.VIBESECUR_AUTH_TOKEN
+    || process.env.VIBESECUR_TOKEN
+    || ''
+  ).trim();
+}
+
+function formatApiError(res, fallback) {
+  return res.json?.error || res.error || fallback || `Request failed (${res.status || 'unknown'})`;
+}
+
+/**
+ * Register project management tools (CRU — create/read/update, never delete).
+ */
+export function registerProjectTools(server, { authToken, apiBase, normalizeRootPath }) {
+  const token = () => resolveAuthToken(authToken);
+
+  server.registerTool('projectList', {
+    title: 'List Projects',
+    description: 'List all projects in your Vibesecur account. Read-only.',
+    inputSchema: {},
+  }, async () => {
+    if (!token()) {
+      return {
+        content: [{ type: 'text', text: JSON.stringify({
+          error: 'AUTH_REQUIRED',
+          message: 'Set VIBESECUR_AUTH_TOKEN in MCP config (login JWT from dashboard).',
+        }, null, 2) }],
+        isError: true,
+      };
+    }
+    const res = await listProjects({ authToken: token() });
+    if (!res.ok || !res.json?.success) {
+      return {
+        content: [{ type: 'text', text: JSON.stringify({
+          error: 'PROJECT_LIST_FAILED',
+          message: formatApiError(res, 'Unable to list projects'),
+        }, null, 2) }],
+        isError: true,
+      };
+    }
+    const projects = res.json.data?.projects || [];
+    const body = {
+      count: projects.length,
+      projects: projects.map((p) => ({
+        id: p.id,
+        name: p.name,
+        lockedRootHint: p.lockedRootHint,
+        mcpBound: p.mcpBound,
+        latestScan: p.latestScan,
+      })),
+    };
+    return {
+      content: [{ type: 'text', text: JSON.stringify(body, null, 2) }],
+      structuredContent: body,
+    };
+  });
+
+  server.registerTool('projectUpsert', {
+    title: 'Create or Update Project',
+    description:
+      'Register a codebase folder as a project, or update an existing one. ' +
+      'Never deletes projects. Creates install credentials for scans in that folder.',
+    inputSchema: {
+      rootPath: z.string().min(1).describe('Absolute or relative codebase root folder'),
+      name: z.string().min(1).max(200).optional().describe('Display name (optional)'),
+      projectId: z.string().uuid().optional().describe('Existing project id to update/rebind'),
+    },
+  }, async ({ rootPath, name, projectId }) => {
+    if (!token()) {
+      return {
+        content: [{ type: 'text', text: JSON.stringify({
+          error: 'AUTH_REQUIRED',
+          message: 'Set VIBESECUR_AUTH_TOKEN in MCP config (login JWT from dashboard).',
+        }, null, 2) }],
+        isError: true,
+      };
+    }
+
+    const resolvedRoot = normalizeRootPath(rootPath);
+    const binding = await ensureProjectBinding({
+      lockedRootPath: resolvedRoot,
+      name,
+      projectId,
+      authToken: token(),
+      apiBase,
+    });
+
+    if (!binding.ok) {
+      return {
+        content: [{ type: 'text', text: JSON.stringify({
+          error: binding.code || 'PROJECT_UPSERT_FAILED',
+          message: binding.message,
+        }, null, 2) }],
+        isError: true,
+      };
+    }
+
+    invalidateProjectsListCache();
+    const body = {
+      action: binding.action,
+      project: {
+        id: binding.projectId,
+        projectHash: binding.projectHash,
+        lockedRootPath: binding.projectRoot,
+        lockedRootHash: binding.lockedRootHash,
+      },
+      message:
+        'Project registered. Scans under this folder will sync metadata to the dashboard. ' +
+        'Install token is cached for this MCP session (not returned for security).',
+    };
+    return {
+      content: [{ type: 'text', text: JSON.stringify(body, null, 2) }],
+      structuredContent: body,
+    };
+  });
+}

package/src/tools/scanFile.js

@@ -0,0 +1,131 @@
+/**
+ * src/tools/scanFile.js
+ *
+ * MCP tool: 'scanFile'
+ *
+ * Registers the scanFile tool against a McpServer instance.
+ * All server-level dependencies (guard, token, version) are injected
+ * by the caller — this file never imports from server.js.
+ *
+ * Dependency injection contract:
+ *   registerScanFileTool(server, deps)
+ *     server                  — McpServer instance
+ *     deps.guardPath          — async (path: string) => GuardResult
+ *     deps.guardError         — (guard: GuardResult) => McpErrorResponse
+ *     deps.INSTALL_TOKEN      — string | null
+ *     deps.engineVersion      — string (mcpPkg.version)
+ *
+ * Tool-owned responsibilities:
+ *   - path.resolve() / fs.realpath()  — symlink resolution + existence check
+ *   - fs.readFile()                   — file content loading
+ *   - inferLang()                     — language detection from file extension
+ *   - File-report response formatting — findingsWithLocation, bySev, body shape
+ *   - Top-level try/catch             — wraps all I/O so ENOENT etc. are caught
+ *
+ * DOES NOT OWN:
+ *   - Path guard implementation        (server.js — injected)
+ *   - Install token / bound root       (server.js — injected)
+ *   - Scan orchestration               (orchestrator/runScan.js — direct import)
+ *   - Governance middleware            (middleware/governance.js — called inside runScan)
+ *
+ * NOTE: guardPath is called with path.dirname(realPath) — the containing
+ * directory of the resolved real file — not the raw filePath argument.
+ * This is intentional: symlinks may point outside the apparent directory.
+ */
+
+import * as z from 'zod';
+import fs from 'fs/promises';
+import path from 'path';
+import { inferLang } from '../repo-scan.mjs';
+import { runScan } from '../orchestrator/runScan.js';
+
+/**
+ * Register the 'scanFile' MCP tool on the provided server instance.
+ *
+ * @param {import('@modelcontextprotocol/sdk/server/mcp.js').McpServer} server
+ * @param {Object} deps
+ * @param {Function}    deps.guardPath      - Bound-folder + lock validation
+ * @param {Function}    deps.guardError     - Guard failure → MCP error response
+ * @param {string|null} deps.INSTALL_TOKEN
+ * @param {string}      deps.engineVersion
+ */
+export function registerScanFileTool(server, { guardPath, guardError, installToken, engineVersion }) {
+  server.registerTool('scanFile', {
+    title: 'Scan File',
+    description: 'Scan a single file. Must be inside the bound project folder.',
+    inputSchema: {
+      filePath: z.string().min(1).describe('Absolute or relative file path (must be inside bound folder)'),
+      lang: z.enum(['js', 'ts', 'py', 'json', 'auto']).default('auto'),
+    },
+  }, async ({ filePath, lang = 'auto' }) => {
+    try {
+      // ── File I/O + symlink resolution ───────────────────────────────────
+      const resolvedPath = path.resolve(filePath);
+      const realPath = await fs.realpath(resolvedPath);
+
+      // ── Binding / path guard ─────────────────────────────────────────────
+      // Guard receives dirname(realPath) — the directory of the resolved real
+      // file. Using realPath prevents symlinks from bypassing the bound folder.
+      const guard = await guardPath(path.dirname(realPath));
+      if (!guard.ok) return guardError(guard);
+
+      // ── Read file content + resolve language ────────────────────────────
+      const code = await fs.readFile(realPath, 'utf8');
+      const useLang = lang === 'auto' ? inferLang(realPath) : lang;
+
+      // ── Scan orchestration (remote → governance → local fallback) ────────
+      const outcome = await runScan({
+        code,
+        lang: useLang,
+        projectRoot: guard.resolvedRoot,
+        installToken: guard.installToken || installToken,
+        lockedRootHash: guard.lockedRootHash || guard.lock?.lockedRootHash || guard.lock?.rootHash,
+        engineVersion,
+      });
+
+      // ── Error outcome (REMOTE_VERIFICATION_REQUIRED / UPGRADE_REQUIRED /
+      //    GOVERNANCE_BLOCKED) ──────────────────────────────────────────────
+      if (!outcome.ok) {
+        return {
+          content: [{ type: 'text', text: JSON.stringify(outcome.errorPayload, null, 2) }],
+          isError: true,
+        };
+      }
+
+      // ── File-report response formatting ─────────────────────────────────
+      // NOTE: findings field is the COUNT (number), not the array.
+      // The full findings array lives inside result.findings.
+      const result = outcome.result;
+      const findings = result.findings || [];
+      const findingsWithLocation = findings.map((f) => ({
+        ...f,
+        filePath: realPath,
+        snippetPreview: f.snippetPreview || f.snippet || '',
+      }));
+      const bySev = findings.reduce((a, f) => {
+        a[f.severity] = (a[f.severity] || 0) + 1;
+        return a;
+      }, { critical: 0, high: 0, medium: 0, low: 0 });
+      const humanSummary = `File "${realPath}": score ${result.score} (${result.grade}), ${findings.length} issue(s).`;
+      const body = {
+        humanSummary,
+        filePath: realPath,
+        lang: useLang,
+        score: result.score,
+        grade: result.grade,
+        findings: findingsWithLocation.length,   // count — not array
+        bySeverity: bySev,
+        checklist: result.checklist,
+        result: {
+          ...result,
+          findings: findingsWithLocation,
+        },
+      };
+      return { content: [{ type: 'text', text: JSON.stringify(body, null, 2) }], structuredContent: body };
+
+    } catch (e) {
+      // Catches: ENOENT from realpath, EACCES from readFile, unexpected throws
+      return { content: [{ type: 'text', text: `scanFile failed: ${e.message}` }], isError: true };
+    }
+  });
+}