@saiteja1123/mcp-server 1.1.4 → 1.1.6

package/package.json

@@ -1,55 +1,59 @@
-{
-  "name": "@saiteja1123/mcp-server",
-  "version": "1.1.4",
-  "private": false,
-  "license": "MIT",
-  "description": "Vibesecur MCP security scanner - one-folder locking, cross-IDE, Cursor/VSCode/Windsurf",
-  "type": "module",
-  "main": "./src/index.js",
-  "bin": {
-    "vibesecur-mcp": "./src/cli.js"
-  },
-  "files": [
-    "src",
-    "README.md"
-  ],
-  "scripts": {
-    "start": "node ./src/server.js",
-    "dev": "node --watch ./src/server.js",
-    "bind": "node ./src/cli.js bind",
-    "init": "node ./src/cli.js init",
-    "doctor": "node ./src/cli.js doctor",
-    "test": "node --input-type=module --eval \"import('./src/server.js')\""
-  },
-  "exports": {
-    ".": "./src/index.js",
-    "./server": "./src/server.js",
-    "./lock": "./src/lock.mjs"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.29.0",
-    "fast-glob": "^3.3.3",
-    "zod": "^4.3.6"
-  },
-  "bundledDependencies": [],
-  "publishConfig": {
-    "access": "public"
-  },
-  "engines": {
-    "node": ">=20.0.0"
-  },
-  "keywords": [
-    "mcp",
-    "security",
-    "vibesecur",
-    "cursor",
-    "windsurf",
-    "scanner",
-    "supabase-rls"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/vibesecur/vibesecur"
-  },
-  "homepage": "https://vibesecur.com/docs/mcp-setup"
-}
+{
+  "name": "@saiteja1123/mcp-server",
+  "version": "1.1.6",
+  "private": false,
+  "license": "MIT",
+  "description": "Vibesecur MCP security scanner — universal account config, multi-project CRU, folder locking, cross-IDE",
+  "type": "module",
+  "main": "./src/index.js",
+  "bin": {
+    "vibesecur-mcp": "./src/cli.js"
+  },
+  "files": [
+    "src",
+    "README.md"
+  ],
+  "scripts": {
+    "start": "node --env-file=.env ./src/server.js",
+    "dev": "node --env-file=.env --watch ./src/server.js",
+    "bind": "node ./src/cli.js bind",
+    "init": "node ./src/cli.js init",
+    "doctor": "node ./src/cli.js doctor",
+    "test": "node ./src/selftest.js",
+    "benchmark": "node ../../tests/security/benchmark-runner.js",
+    "benchmark:ci": "node ../../tests/security/benchmark-runner.js --ci",
+    "benchmark:json": "node ../../tests/security/benchmark-runner.js --json",
+    "benchmark:verbose": "node ../../tests/security/benchmark-runner.js --verbose"
+  },
+  "exports": {
+    ".": "./src/index.js",
+    "./server": "./src/server.js",
+    "./lock": "./src/lock.mjs"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "fast-glob": "^3.3.3",
+    "zod": "^4.3.6"
+  },
+  "bundledDependencies": [],
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "keywords": [
+    "mcp",
+    "security",
+    "vibesecur",
+    "cursor",
+    "windsurf",
+    "scanner",
+    "supabase-rls"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vibesecur/vibesecur"
+  },
+  "homepage": "https://vibesecur.com/docs/mcp-setup"
+}

package/src/api-scan.mjs

@@ -1,93 +1,362 @@
-import crypto from 'crypto';
-import path from 'path';
-
-function sha256Hex(input) {
-  return crypto.createHash('sha256').update(input, 'utf8').digest('hex');
-}
-
-export function getMcpSessionId() {
-  const fromEnv = process.env.VIBESECUR_SESSION_ID;
-  if (typeof fromEnv === 'string' && fromEnv.trim().length > 0) {
-    return fromEnv.trim().slice(0, 64);
-  }
-  const basis = `mcp:${process.env.USER || process.env.USERNAME || 'anon'}:${process.cwd()}`;
-  return sha256Hex(basis);
-}
-
-export function getProjectHashForPath(rootPath) {
-  const resolved = path.resolve(rootPath || '.');
-  return sha256Hex(`vibesecur:mcp:${resolved}`);
-}
-
-export function normalizeApiBase(raw) {
-  if (!raw || typeof raw !== 'string') return '';
-  const u = raw.trim().replace(/\/$/, '');
-  return u.endsWith('/api/v1') ? u : `${u}/api/v1`;
-}
-
-/** GET origin (no /api/v1) for lightweight health checks. */
-export function getApiOriginFromBase(raw) {
-  const normalized = normalizeApiBase(raw);
-  if (!normalized) return '';
-  return normalized.replace(/\/api\/v1\/?$/, '') || normalized;
-}
-
-/**
- * Quick reachability check (GET app root). Does not run a scan.
- * @param {string} [baseUrl] - e.g. https://vibesecur.onrender.com (optional /api/v1 ok)
- */
-export async function pingBackend(baseUrl) {
-  const raw = (
-    baseUrl
-    || process.env.VIBESECUR_API_BASE
-    || process.env.VIBESECUR_API_URL
-    || 'https://vibesecur.onrender.com'
-  ).trim();
-  const origin = getApiOriginFromBase(raw);
-  if (!origin) {
-    return { ok: false, skipped: true, message: 'No API base URL' };
-  }
-  const url = origin.endsWith('/') ? origin.slice(0, -1) : origin;
-  try {
-    const ctrl = typeof AbortSignal !== 'undefined' && AbortSignal.timeout
-      ? AbortSignal.timeout(12000)
-      : undefined;
-    const res = await fetch(`${url}/`, { method: 'GET', signal: ctrl });
-    const ok = true;
-    return { ok, status: res.status, url: `${url}/` };
-  } catch (e) {
-    return { ok: false, error: e.message };
-  }
-}
-
-export async function postRemoteLocalScan({
-  code,
-  lang = 'auto',
-  projectRoot = '.',
-  platform = 'mcp',
-  token,
-} = {}) {
-  const apiBase = normalizeApiBase(process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '');
-  if (!apiBase) {
-    return { skipped: true, reason: 'VIBESECUR_API_BASE not set' };
-  }
-
-  const projectHash = getProjectHashForPath(projectRoot);
-  const headers = {
-    'Content-Type': 'application/json',
-    'x-session-id': getMcpSessionId(),
-  };
-  const bearer = token || process.env.VIBESECUR_AUTH_TOKEN || process.env.VIBESECUR_TOKEN;
-  if (bearer) {
-    headers.Authorization = bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`;
-  }
-
-  const res = await fetch(`${apiBase}/scan/local`, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify({ code, lang, platform, projectHash }),
-  });
-
-  const json = await res.json().catch(() => ({}));
-  return { apiBase, status: res.status, ok: res.ok, json };
-}
+import crypto from 'crypto';
+import path from 'path';
+
+function sha256Hex(input) {
+  return crypto.createHash('sha256').update(input, 'utf8').digest('hex');
+}
+
+export function getMcpSessionId() {
+  const fromEnv = process.env.VIBESECUR_SESSION_ID;
+  if (typeof fromEnv === 'string' && fromEnv.trim().length > 0) {
+    return fromEnv.trim().slice(0, 64);
+  }
+  const basis = `mcp:${process.env.USER || process.env.USERNAME || 'anon'}:${process.cwd()}`;
+  return sha256Hex(basis);
+}
+
+export function getProjectHashForPath(rootPath) {
+  const resolved = path.resolve(rootPath || '.');
+  return sha256Hex(`vibesecur:mcp:${resolved}`);
+}
+
+export function normalizeLockedRoot(rawPath = '') {
+  if (typeof rawPath !== 'string') return '';
+  const trimmed = rawPath.trim();
+  if (!trimmed) return '';
+  const slashed = trimmed.replace(/\\/g, '/').replace(/\/{2,}/g, '/');
+  const withoutTrailing = slashed.replace(/\/+$/, '');
+  return withoutTrailing.toLowerCase();
+}
+
+export function buildLockedRootHash(lockedRootPath) {
+  return sha256Hex(`vibesecur:mcp:root:${normalizeLockedRoot(lockedRootPath)}`);
+}
+
+export function buildLockedProjectHash(lockedRootHash) {
+  return sha256Hex(`vibesecur:mcp:project:${String(lockedRootHash || '').toLowerCase()}`);
+}
+
+export function normalizeApiBase(raw) {
+  if (!raw || typeof raw !== 'string') return '';
+  const u = raw.trim().replace(/\/$/, '');
+  return u.endsWith('/api/v1') ? u : `${u}/api/v1`;
+}
+
+/** GET origin (no /api/v1) for lightweight health checks. */
+export function getApiOriginFromBase(raw) {
+  const normalized = normalizeApiBase(raw);
+  if (!normalized) return '';
+  return normalized.replace(/\/api\/v1\/?$/, '') || normalized;
+}
+
+/**
+ * Quick reachability check (GET app root). Does not run a scan.
+ * @param {string} [baseUrl] - e.g. https://vibesecur.onrender.com (optional /api/v1 ok)
+ */
+export async function pingBackend(baseUrl) {
+  const raw = (
+    baseUrl
+    || process.env.VIBESECUR_API_BASE
+    || process.env.VIBESECUR_API_URL
+    || 'https://vibesecur.onrender.com'
+  ).trim();
+  const origin = getApiOriginFromBase(raw);
+  if (!origin) {
+    return { ok: false, skipped: true, message: 'No API base URL' };
+  }
+  const url = origin.endsWith('/') ? origin.slice(0, -1) : origin;
+  try {
+    const ctrl = typeof AbortSignal !== 'undefined' && AbortSignal.timeout
+      ? AbortSignal.timeout(12000)
+      : undefined;
+    const res = await fetch(`${url}/`, { method: 'GET', signal: ctrl });
+    const ok = true;
+    return { ok, status: res.status, url: `${url}/` };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  }
+}
+
+function resolveAuthToken(authToken) {
+  const token = (
+    authToken
+    || process.env.VIBESECUR_AUTH_TOKEN
+    || process.env.VIBESECUR_TOKEN
+  );
+  if (!token || typeof token !== 'string') return '';
+  return token.trim();
+}
+
+function debugLog(message, payload) {
+  if (process.env.VIBESECUR_DEBUG !== '1') return;
+  process.stderr.write(`[vibesecur-debug] ${message}: ${JSON.stringify(payload)}\n`);
+}
+
+export async function requestServerBind({
+  lockedRootPath,
+  authToken,
+  apiBase,
+} = {}) {
+  const normalizedApiBase = normalizeApiBase(
+    apiBase || process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '',
+  );
+  if (!normalizedApiBase) {
+    return { ok: false, skipped: true, error: 'VIBESECUR_API_BASE not set' };
+  }
+  const bearer = resolveAuthToken(authToken);
+  if (!bearer) {
+    return { ok: false, skipped: true, error: 'Missing auth token (set VIBESECUR_AUTH_TOKEN)' };
+  }
+  try {
+    const res = await fetch(`${normalizedApiBase}/mcp/bind`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`,
+      },
+      body: JSON.stringify({ lockedRootPath }),
+    });
+    const json = await res.json().catch(() => ({}));
+    return { apiBase: normalizedApiBase, status: res.status, ok: res.ok, json };
+  } catch (e) {
+    return { apiBase: normalizedApiBase, ok: false, error: e.message };
+  }
+}
+
+export async function verifyInstallBinding({
+  installToken,
+  lockedRootHash,
+  apiBase,
+} = {}) {
+  const normalizedApiBase = normalizeApiBase(
+    apiBase || process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '',
+  );
+  if (!normalizedApiBase) {
+    return { ok: false, skipped: true, error: 'VIBESECUR_API_BASE not set' };
+  }
+  debugLog('verifyInstallBinding payload', {
+    apiBase: normalizedApiBase,
+    lockedRootHash,
+    installTokenHashPrefix: installToken ? sha256Hex(installToken).slice(0, 12) : null,
+  });
+  try {
+    const res = await fetch(`${normalizedApiBase}/mcp/verify-install`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ installToken, lockedRootHash }),
+    });
+    const json = await res.json().catch(() => ({}));
+    debugLog('verifyInstallBinding response', {
+      apiBase: normalizedApiBase,
+      status: res.status,
+      ok: res.ok,
+      body: json,
+    });
+    return { apiBase: normalizedApiBase, status: res.status, ok: res.ok, json };
+  } catch (e) {
+    return { apiBase: normalizedApiBase, ok: false, error: e.message };
+  }
+}
+
+/**
+ * Persist scan metadata to /scan/log so the Projects dashboard reflects the
+ * latest MCP scan. Metadata only — never sends raw source. Best-effort: the
+ * caller treats failures as non-fatal because the scan itself already ran.
+ *
+ * Reuses the codeHash + scanReceipt from the preceding /scan/local response so
+ * the backend skips a second quota increment (same project + code within the
+ * receipt window).
+ */
+export async function postScanLog({
+  result,
+  lang = 'auto',
+  projectRoot = '.',
+  platform = 'mcp',
+  installToken,
+  lockedRootHash,
+  authToken,
+} = {}) {
+  const apiBase = normalizeApiBase(process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '');
+  if (!apiBase) {
+    return { skipped: true, reason: 'VIBESECUR_API_BASE not set' };
+  }
+  if (!result || typeof result !== 'object') {
+    return { skipped: true, reason: 'no scan result to log' };
+  }
+
+  const projectHash = /^[a-f0-9]{64}$/i.test(String(lockedRootHash || ''))
+    ? buildLockedProjectHash(String(lockedRootHash).toLowerCase())
+    : getProjectHashForPath(projectRoot);
+
+  const findings = Array.isArray(result.findings) ? result.findings : [];
+  const countSeverity = (sev) => findings.filter((f) => f && f.severity === sev).length;
+
+  const body = {
+    score: result.score,
+    grade: result.grade,
+    platform,
+    lang,
+    engine: result.engine === 'claude_ai' ? 'claude_ai' : 'local',
+    source: 'mcp',
+    projectHash,
+    installToken,
+    lockedRootHash,
+    criticalCount: countSeverity('critical'),
+    highCount: countSeverity('high'),
+    mediumCount: countSeverity('medium'),
+    findings,
+  };
+  if (/^[a-f0-9]{64}$/i.test(String(result.codeHash || ''))) {
+    body.codeHash = String(result.codeHash).toLowerCase();
+  }
+  if (typeof result.scanReceipt === 'string' && result.scanReceipt.length === 64) {
+    body.scanReceipt = result.scanReceipt;
+  }
+
+  const headers = {
+    'Content-Type': 'application/json',
+    'x-session-id': getMcpSessionId(),
+  };
+  const bearer = resolveAuthToken(authToken);
+  if (bearer) {
+    headers.Authorization = bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`;
+  }
+
+  try {
+    const res = await fetch(`${apiBase}/scan/log`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify(body),
+    });
+    const json = await res.json().catch(() => ({}));
+    return { apiBase, status: res.status, ok: res.ok, json };
+  } catch (e) {
+    return { apiBase, ok: false, error: e.message };
+  }
+}
+
+/**
+ * Persist aggregated repo/workspace scan metadata to /scan/log for the
+ * Projects dashboard. Used by scanRepo and scanCurrentWorkspace (not localScan).
+ */
+export async function persistRepoScanLog({
+  aggregate,
+  findings = [],
+  projectRoot,
+  installToken,
+  lockedRootHash,
+  lang = 'auto',
+  authToken,
+} = {}) {
+  const { getGrade } = await import('./rule-engine/index.js');
+  const score = aggregate?.summary?.score ?? 0;
+  return postScanLog({
+    result: {
+      score,
+      grade: getGrade(score),
+      findings,
+    },
+    lang,
+    projectRoot,
+    platform: 'mcp',
+    installToken,
+    lockedRootHash,
+    authToken,
+  });
+}
+
+export async function postRemoteLocalScan({
+  code,
+  lang = 'auto',
+  projectRoot = '.',
+  platform = 'mcp',
+  installToken,
+  lockedRootHash,
+  authToken,
+} = {}) {
+  const apiBase = normalizeApiBase(process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '');
+  if (!apiBase) {
+    return { skipped: true, reason: 'VIBESECUR_API_BASE not set' };
+  }
+
+  const projectHash = /^[a-f0-9]{64}$/i.test(String(lockedRootHash || ''))
+    ? buildLockedProjectHash(String(lockedRootHash).toLowerCase())
+    : getProjectHashForPath(projectRoot);
+  const headers = {
+    'Content-Type': 'application/json',
+    'x-session-id': getMcpSessionId(),
+  };
+  const bearer = resolveAuthToken(authToken);
+  if (bearer) {
+    headers.Authorization = bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`;
+  }
+
+  try {
+    const res = await fetch(`${apiBase}/scan/local`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        code,
+        lang,
+        platform,
+        projectHash,
+        installToken,
+        lockedRootHash,
+      }),
+    });
+
+    const json = await res.json().catch(() => ({}));
+    return { apiBase, status: res.status, ok: res.ok, json };
+  } catch (e) {
+    return { apiBase, ok: false, error: e.message };
+  }
+}
+
+async function authedFetch(path, { method = 'GET', authToken, body } = {}) {
+  const normalizedApiBase = normalizeApiBase(
+    process.env.VIBESECUR_API_BASE || process.env.VIBESECUR_API_URL || '',
+  );
+  if (!normalizedApiBase) {
+    return { ok: false, skipped: true, error: 'VIBESECUR_API_BASE not set' };
+  }
+  const bearer = resolveAuthToken(authToken);
+  if (!bearer) {
+    return { ok: false, skipped: true, error: 'Missing auth token (set VIBESECUR_AUTH_TOKEN)' };
+  }
+  try {
+    const res = await fetch(`${normalizedApiBase}${path}`, {
+      method,
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: bearer.startsWith('Bearer ') ? bearer : `Bearer ${bearer}`,
+      },
+      ...(body !== undefined ? { body: JSON.stringify(body) } : {}),
+    });
+    const json = await res.json().catch(() => ({}));
+    return { apiBase: normalizedApiBase, status: res.status, ok: res.ok, json };
+  } catch (e) {
+    return { apiBase: normalizedApiBase, ok: false, error: e.message };
+  }
+}
+
+/** List account projects (read). */
+export async function listProjects({ authToken } = {}) {
+  return authedFetch('/projects', { authToken });
+}
+
+/**
+ * Create or update a project for a codebase folder (CRU — never delete).
+ * Used by MCP projectUpsert and universal scan binding resolution.
+ */
+export async function upsertProject({
+  lockedRootPath,
+  name,
+  projectId,
+  authToken,
+} = {}) {
+  return authedFetch('/projects/upsert', {
+    method: 'POST',
+    authToken,
+    body: { lockedRootPath, name, projectId },
+  });
+}