@saiteja1123/mcp-server 1.1.4 → 1.1.6

package/src/deep-scan/project-map.js

@@ -0,0 +1,507 @@
+import crypto from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+import fg from 'fast-glob';
+import { createArtifactRef, validateRunIdSegment } from './contracts.js';
+import { assertSourceSafePayload, cloneSourceSafe } from './sourceSafe.js';
+
+export const PROJECT_MAP_SCHEMA_VERSION = 'project_map.v1';
+export const PROJECT_MAP_STEPPER_ID = 'project.map';
+export const PROJECT_MAP_STEPPER_VERSION = '1.0.0';
+
+const DEFAULT_IGNORE = [
+  '**/node_modules/**',
+  '**/.git/**',
+  '**/dist/**',
+  '**/build/**',
+  '**/.next/**',
+  '**/.nuxt/**',
+  '**/.svelte-kit/**',
+  '**/.venv/**',
+  '**/venv/**',
+  '**/.vibesecur/**',
+  '**/coverage/**',
+];
+
+const DEPLOYMENT_FILES = new Map([
+  ['render.yaml', 'render'],
+  ['render.yml', 'render'],
+  ['vercel.json', 'vercel'],
+  ['netlify.toml', 'netlify'],
+  ['railway.json', 'railway'],
+  ['fly.toml', 'fly'],
+  ['dockerfile', 'docker'],
+  ['docker-compose.yml', 'docker_compose'],
+  ['docker-compose.yaml', 'docker_compose'],
+  ['procfile', 'procfile'],
+  ['app.yaml', 'google_app_engine'],
+  ['cloudbuild.yaml', 'google_cloud_build'],
+  ['cloudbuild.yml', 'google_cloud_build'],
+  ['serverless.yml', 'serverless'],
+  ['serverless.yaml', 'serverless'],
+]);
+
+const LANGUAGE_BY_EXTENSION = new Map([
+  ['.js', 'JavaScript/TypeScript'],
+  ['.jsx', 'JavaScript/TypeScript'],
+  ['.mjs', 'JavaScript/TypeScript'],
+  ['.cjs', 'JavaScript/TypeScript'],
+  ['.ts', 'JavaScript/TypeScript'],
+  ['.tsx', 'JavaScript/TypeScript'],
+  ['.py', 'Python'],
+  ['.go', 'Go'],
+  ['.rs', 'Rust'],
+  ['.rb', 'Ruby'],
+  ['.php', 'PHP'],
+  ['.java', 'Java'],
+  ['.kt', 'Kotlin'],
+  ['.kts', 'Kotlin'],
+  ['.cs', 'C#'],
+  ['.swift', 'Swift'],
+  ['.scala', 'Scala'],
+  ['.sh', 'Shell'],
+  ['.bash', 'Shell'],
+  ['.zsh', 'Shell'],
+  ['.sql', 'SQL'],
+  ['.html', 'HTML'],
+  ['.css', 'CSS'],
+  ['.md', 'Markdown'],
+  ['.yml', 'YAML'],
+  ['.yaml', 'YAML'],
+  ['.toml', 'TOML'],
+]);
+
+const FRAMEWORK_DETECTORS = [
+  { name: 'express', packages: ['express'], runtime: 'node', category: 'api' },
+  { name: 'fastify', packages: ['fastify'], runtime: 'node', category: 'api' },
+  { name: 'koa', packages: ['koa'], runtime: 'node', category: 'api' },
+  { name: 'nestjs', packages: ['@nestjs/core'], runtime: 'node', category: 'api' },
+  { name: 'next', packages: ['next'], runtime: 'node', category: 'web' },
+  { name: 'remix', packages: ['@remix-run/react', '@remix-run/node'], runtime: 'node', category: 'web' },
+  { name: 'vite', packages: ['vite', '@vitejs/plugin-react'], runtime: 'node', category: 'web' },
+  { name: 'react', packages: ['react'], runtime: 'browser', category: 'web' },
+  { name: 'vue', packages: ['vue'], runtime: 'browser', category: 'web' },
+  { name: 'svelte', packages: ['svelte', '@sveltejs/kit'], runtime: 'browser', category: 'web' },
+  { name: 'astro', packages: ['astro'], runtime: 'node', category: 'web' },
+  { name: 'angular', packages: ['@angular/core'], runtime: 'browser', category: 'web' },
+  { name: 'mcp', packages: ['@modelcontextprotocol/sdk'], runtime: 'node', category: 'tooling' },
+  { name: 'stripe', packages: ['stripe'], runtime: 'node', category: 'payments' },
+  { name: 'supabase', packages: ['@supabase/supabase-js'], runtime: 'node', category: 'data' },
+];
+
+const SECRETISH_PATTERNS = [
+  /\b(?:sk|pk)_(?:live|test)_[a-zA-Z0-9_=-]{6,}\b/gi,
+  /\bgh[pousr]_[a-zA-Z0-9_]{10,}\b/g,
+  /\bAKIA[0-9A-Z]{12,}\b/g,
+  /\bxox[baprs]-[a-zA-Z0-9-]{10,}\b/gi,
+  /-----BEGIN [A-Z ]*(?:PRIVATE KEY|SECRET|TOKEN|CERTIFICATE)-----[\s\S]*?-----END [A-Z ]*-----/gi,
+];
+
+const nowIso = () => new Date().toISOString();
+
+const toPosix = (value) => String(value || '').replace(/\\/g, '/');
+
+const sortByPath = (items) => [...items].sort((a, b) => String(a.path).localeCompare(String(b.path)));
+
+function stableSort(value) {
+  if (Array.isArray(value)) return value.map(stableSort);
+  if (!value || typeof value !== 'object') return value;
+  return Object.keys(value)
+    .sort()
+    .reduce((acc, key) => {
+      acc[key] = stableSort(value[key]);
+      return acc;
+    }, {});
+}
+
+function stableStringify(value) {
+  return JSON.stringify(stableSort(value));
+}
+
+function redactString(value) {
+  if (typeof value !== 'string') return value;
+  let redacted = value;
+  for (const pattern of SECRETISH_PATTERNS) redacted = redacted.replace(pattern, '[redacted]');
+  redacted = redacted.replace(
+    /\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)=("[^"]*"|'[^']*'|\S+)/gi,
+    '$1=[redacted]',
+  );
+  return redacted;
+}
+
+function redactCommand(value) {
+  return redactString(value)
+    .replace(
+      /(Authorization:\s*(?:Bearer|Basic)\s+)([^"'\s]+)/gi,
+      '$1[redacted]',
+    )
+    .replace(
+      /\b([a-z][a-z0-9+.-]*:\/\/)([^/\s:@]+):([^@\s/]+)@/gi,
+      '$1[redacted]@',
+    )
+    .replace(
+      /(\s--(?:token|api-key|apikey|password|secret|client-secret|access-token|auth-token)(?:=|\s+))(?:"[^"]*"|'[^']*'|[^\s]+)/gi,
+      '$1[redacted]',
+    );
+}
+
+function redactJson(value) {
+  if (typeof value === 'string') return redactString(value);
+  if (Array.isArray(value)) return value.map(redactJson);
+  if (!value || typeof value !== 'object') return value;
+  return Object.entries(value).reduce((acc, [key, child]) => {
+    acc[key] = redactJson(child);
+    return acc;
+  }, {});
+}
+
+async function readJsonFile(filePath) {
+  const raw = await fs.readFile(filePath, 'utf8');
+  return redactJson(JSON.parse(raw));
+}
+
+function collectDependencyNames(manifest) {
+  const groups = [
+    manifest.dependencies,
+    manifest.devDependencies,
+    manifest.peerDependencies,
+    manifest.optionalDependencies,
+  ];
+  return [...new Set(groups.flatMap((group) => Object.keys(group || {})))].sort();
+}
+
+function safePackageName(value) {
+  return typeof value === 'string' && value.trim() ? redactString(value.trim()).slice(0, 180) : undefined;
+}
+
+function scriptCommands(manifestPath, manifest) {
+  return Object.entries(manifest.scripts || {})
+    .filter(([name]) => /(^|:)(test|spec|check|lint|verify|e2e|integration|unit)(:|$)/i.test(name))
+    .map(([name, command]) => ({
+      source: manifestPath,
+      name: redactString(name),
+      command: redactCommand(String(command || '')).slice(0, 300),
+    }))
+    .sort((a, b) => `${a.source}:${a.name}`.localeCompare(`${b.source}:${b.name}`));
+}
+
+function packageManagerFromFiles(files, packageJsons) {
+  const names = new Set();
+  const basenames = new Set(files.map((file) => path.basename(file).toLowerCase()));
+  if (basenames.has('pnpm-lock.yaml') || basenames.has('pnpm-workspace.yaml')) names.add('pnpm');
+  if (basenames.has('yarn.lock')) names.add('yarn');
+  if (basenames.has('bun.lockb') || basenames.has('bun.lock')) names.add('bun');
+  if (basenames.has('package-lock.json') || packageJsons.length > 0) names.add('npm');
+  if (basenames.has('requirements.txt') || basenames.has('pyproject.toml')) names.add('pip');
+  if (basenames.has('poetry.lock')) names.add('poetry');
+  if (basenames.has('cargo.lock') || basenames.has('cargo.toml')) names.add('cargo');
+  if (basenames.has('go.mod')) names.add('go');
+  return [...names].sort();
+}
+
+function detectFrameworks(manifests) {
+  const packageNames = new Set(manifests.flatMap((manifest) => manifest.dependencyNames || []));
+  return FRAMEWORK_DETECTORS
+    .filter((detector) => detector.packages.some((packageName) => packageNames.has(packageName)))
+    .map((detector) => ({
+      name: detector.name,
+      category: detector.category,
+      runtime: detector.runtime,
+      evidence: detector.packages.filter((packageName) => packageNames.has(packageName)).sort(),
+    }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+}
+
+function detectRuntimes(files, manifests, frameworks) {
+  const runtimes = new Set(frameworks.map((framework) => framework.runtime).filter(Boolean));
+  if (manifests.some((manifest) => manifest.type === 'node')) runtimes.add('node');
+  const lowerFiles = files.map((file) => file.toLowerCase());
+  if (lowerFiles.some((file) => file.endsWith('requirements.txt') || file.endsWith('pyproject.toml') || path.extname(file) === '.py')) {
+    runtimes.add('python');
+  }
+  if (lowerFiles.some((file) => file.endsWith('go.mod') || path.extname(file) === '.go')) runtimes.add('go');
+  if (lowerFiles.some((file) => file.endsWith('cargo.toml') || path.extname(file) === '.rs')) runtimes.add('rust');
+  if (runtimes.has('browser')) runtimes.add('browser');
+  return [...runtimes].sort();
+}
+
+function detectLanguages(files) {
+  const counts = new Map();
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase();
+    if (path.basename(file).startsWith('.env')) continue;
+    const language = LANGUAGE_BY_EXTENSION.get(ext);
+    if (!language) continue;
+    const current = counts.get(language) || { language, files: 0, extensions: new Set() };
+    current.files += 1;
+    current.extensions.add(ext);
+    counts.set(language, current);
+  }
+  return [...counts.values()]
+    .map((item) => ({
+      language: item.language,
+      files: item.files,
+      extensions: [...item.extensions].sort(),
+    }))
+    .sort((a, b) => b.files - a.files || a.language.localeCompare(b.language));
+}
+
+function isRouteLike(relativePath) {
+  const normalized = toPosix(relativePath).toLowerCase();
+  const ext = path.extname(normalized);
+  if (!['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.php', '.go'].includes(ext)) return false;
+  return (
+    /(^|\/)(routes?|controllers?|handlers?|endpoints?)(\/|$)/.test(normalized)
+    || /(^|\/)(pages\/api|app\/api|api)(\/|$)/.test(normalized)
+    || /(^|\/)(route|router|controller|server)\.[a-z0-9]+$/.test(normalized)
+    || /(^|\/)app\.(js|ts|mjs|cjs|py|rb|php|go)$/.test(normalized)
+  );
+}
+
+function routeKind(relativePath) {
+  const normalized = toPosix(relativePath).toLowerCase();
+  if (normalized.includes('/pages/api/')) return 'pages_api';
+  if (normalized.includes('/app/api/')) return 'app_api';
+  if (normalized.includes('/routes/') || normalized.includes('/route.')) return 'route_file';
+  if (normalized.includes('/controllers/') || normalized.includes('/controller.')) return 'controller_file';
+  if (/(^|\/)(server|app)\.(js|ts|mjs|cjs|py|rb|php|go)$/.test(normalized)) return 'server_entry';
+  return 'route_like';
+}
+
+function detectDeploymentFiles(files) {
+  return files
+    .map((file) => {
+      const base = path.basename(file).toLowerCase();
+      const type = DEPLOYMENT_FILES.get(base);
+      return type ? { path: file, type } : null;
+    })
+    .filter(Boolean)
+    .sort((a, b) => a.path.localeCompare(b.path));
+}
+
+function detectEnvFiles(files) {
+  return files
+    .filter((file) => {
+      const base = path.basename(file).toLowerCase();
+      return base === '.env' || base.startsWith('.env.') || base.endsWith('.env') || base.includes('.env.');
+    })
+    .map((file) => ({
+      path: file,
+      kind: path.basename(file).toLowerCase().includes('example') ? 'example' : 'env',
+      valuesCaptured: false,
+    }))
+    .sort((a, b) => a.path.localeCompare(b.path));
+}
+
+async function collectFiles(rootPath) {
+  const files = await fg(['**/*', '**/.env*'], {
+    cwd: rootPath,
+    onlyFiles: true,
+    dot: true,
+    absolute: false,
+    ignore: DEFAULT_IGNORE,
+    suppressErrors: true,
+    followSymbolicLinks: false,
+  });
+  return [...new Set(files.map(toPosix))].sort();
+}
+
+async function collectPackageManifests(rootPath, files) {
+  const packageJsons = files.filter((file) => path.basename(file) === 'package.json');
+  const manifests = [];
+  for (const relativePath of packageJsons) {
+    const absolutePath = path.join(rootPath, relativePath);
+    const manifest = await readJsonFile(absolutePath);
+    const dependencyNames = collectDependencyNames(manifest);
+    const workspaces = Array.isArray(manifest.workspaces)
+      ? manifest.workspaces
+      : manifest.workspaces?.packages;
+    manifests.push({
+      path: relativePath,
+      type: 'node',
+      packageName: safePackageName(manifest.name),
+      private: manifest.private === true,
+      scriptNames: Object.keys(manifest.scripts || {}).sort().map(redactString),
+      dependencyNames,
+      workspaces: Array.isArray(workspaces) ? workspaces.map(redactString).sort() : [],
+      packageManager: typeof manifest.packageManager === 'string' ? redactString(manifest.packageManager) : undefined,
+      scripts: scriptCommands(relativePath, manifest),
+    });
+  }
+  return sortByPath(manifests);
+}
+
+async function collectOtherManifests(files) {
+  const manifestNames = new Set([
+    'requirements.txt',
+    'pyproject.toml',
+    'go.mod',
+    'cargo.toml',
+    'gemfile',
+    'composer.json',
+  ]);
+  return files
+    .filter((file) => manifestNames.has(path.basename(file).toLowerCase()))
+    .map((file) => ({
+      path: file,
+      type: path.basename(file).replace(/\..*$/, '').toLowerCase(),
+      scriptNames: [],
+      dependencyNames: [],
+      workspaces: [],
+      scripts: [],
+    }))
+    .sort((a, b) => a.path.localeCompare(b.path));
+}
+
+function buildWorkspaceSummary(manifests, files) {
+  const workspaceManifests = manifests.filter((manifest) => manifest.workspaces?.length);
+  const hasPnpmWorkspace = files.includes('pnpm-workspace.yaml');
+  return {
+    detected: workspaceManifests.length > 0 || hasPnpmWorkspace,
+    manifests: workspaceManifests.map((manifest) => manifest.path),
+    patterns: [...new Set(workspaceManifests.flatMap((manifest) => manifest.workspaces || []))].sort(),
+  };
+}
+
+export function hashProjectMapArtifact(artifact) {
+  assertSourceSafePayload(artifact, 'projectMapArtifact');
+  return crypto.createHash('sha256').update(stableStringify(artifact)).digest('hex');
+}
+
+export async function buildProjectMapArtifact({
+  rootPath,
+  generatedAt = nowIso(),
+  maxFiles = 5000,
+} = {}) {
+  if (!rootPath || typeof rootPath !== 'string') throw new Error('Project Map requires rootPath');
+  const resolvedRoot = path.resolve(rootPath);
+  const stat = await fs.stat(resolvedRoot);
+  if (!stat.isDirectory()) throw new Error(`Project Map rootPath is not a directory: ${resolvedRoot}`);
+
+  const discoveredFiles = await collectFiles(resolvedRoot);
+  const files = discoveredFiles.slice(0, maxFiles);
+  const nodeManifests = await collectPackageManifests(resolvedRoot, files);
+  const otherManifests = await collectOtherManifests(files);
+  const manifests = sortByPath([...nodeManifests, ...otherManifests]);
+  const frameworks = detectFrameworks(manifests);
+  const artifact = {
+    schemaVersion: PROJECT_MAP_SCHEMA_VERSION,
+    generatedAt,
+    root: {
+      name: path.basename(resolvedRoot),
+      pathHash: crypto.createHash('sha256').update(resolvedRoot.toLowerCase()).digest('hex'),
+    },
+    limits: {
+      maxFiles,
+      filesObserved: files.length,
+      filesDiscovered: discoveredFiles.length,
+      truncated: discoveredFiles.length > maxFiles,
+    },
+    packageManagers: packageManagerFromFiles(files, nodeManifests),
+    workspace: buildWorkspaceSummary(manifests, files),
+    manifests: manifests.map(({ scripts, ...manifest }) => manifest),
+    frameworks,
+    runtimes: detectRuntimes(files, manifests, frameworks),
+    languages: detectLanguages(files),
+    routeFiles: files
+      .filter(isRouteLike)
+      .map((file) => ({ path: file, kind: routeKind(file) }))
+      .sort((a, b) => a.path.localeCompare(b.path)),
+    testCommands: nodeManifests.flatMap((manifest) => manifest.scripts || [])
+      .sort((a, b) => `${a.source}:${a.name}`.localeCompare(`${b.source}:${b.name}`)),
+    deploymentFiles: detectDeploymentFiles(files),
+    envFiles: detectEnvFiles(files),
+    privacy: {
+      envValuesCaptured: false,
+      sourceBodiesCaptured: false,
+      rawSourceStored: false,
+      artifactStorage: 'local_metadata_and_hash_refs',
+      redactionStatus: 'manifest_commands_redacted_env_values_unread',
+    },
+  };
+
+  assertSourceSafePayload(artifact, 'projectMapArtifact');
+  return cloneSourceSafe(artifact, 'projectMapArtifact');
+}
+
+export async function writeProjectMapArtifact({ rootPath, runId, artifact }) {
+  assertSourceSafePayload(artifact, 'projectMapArtifact');
+  const safeRunId = validateRunIdSegment(runId, 'runId');
+  const relativeUri = `.vibesecur/deep-scans/${safeRunId}/project-map.json`;
+  const target = path.join(path.resolve(rootPath), relativeUri);
+  await fs.mkdir(path.dirname(target), { recursive: true });
+  const serialized = `${JSON.stringify(stableSort(artifact), null, 2)}\n`;
+  const tmp = `${target}.${process.pid}.${Date.now()}.tmp`;
+  await fs.writeFile(tmp, serialized, 'utf8');
+  await fs.rename(tmp, target);
+  return {
+    uri: relativeUri,
+    hash: crypto.createHash('sha256').update(serialized).digest('hex'),
+  };
+}
+
+export function projectMapStepper() {
+  return {
+    id: PROJECT_MAP_STEPPER_ID,
+    version: PROJECT_MAP_STEPPER_VERSION,
+    title: 'Project Map Stepper',
+    category: 'project_map',
+    requiredInputs: ['bound_project_root'],
+    producedArtifacts: ['project_map'],
+    defaultTimeoutMs: 30000,
+    async run({ runId, config = {}, tools = {} }) {
+      const rootPath = tools.rootPath || config.rootPath || '.';
+      const startedAt = nowIso();
+      const artifact = await buildProjectMapArtifact({
+        rootPath,
+        generatedAt: config.generatedAt || startedAt,
+        maxFiles: Number.isFinite(Number(config.maxFiles)) ? Number(config.maxFiles) : 5000,
+      });
+      const contentHash = hashProjectMapArtifact(artifact);
+      const written = await writeProjectMapArtifact({ rootPath, runId, artifact });
+      const safeRunId = validateRunIdSegment(runId, 'runId');
+      const ref = createArtifactRef({
+        id: `artifact-${safeRunId}-project-map`,
+        type: 'project_map',
+        storage: 'local',
+        uri: written.uri,
+        hash: written.hash,
+        preview: 'Project Map metadata: manifests, frameworks, languages, route/deploy/env filenames only.',
+        metadata: {
+          schemaVersion: PROJECT_MAP_SCHEMA_VERSION,
+          contentHash,
+          generatedBy: PROJECT_MAP_STEPPER_ID,
+          redactionStatus: artifact.privacy.redactionStatus,
+          packageManagers: artifact.packageManagers,
+          frameworkCount: artifact.frameworks.length,
+          routeFileCount: artifact.routeFiles.length,
+          envFileCount: artifact.envFiles.length,
+        },
+      });
+
+      return {
+        stepperId: PROJECT_MAP_STEPPER_ID,
+        version: PROJECT_MAP_STEPPER_VERSION,
+        status: 'passed',
+        startedAt,
+        finishedAt: nowIso(),
+        evidence: [{
+          type: 'hash',
+          label: 'Project Map artifact hash',
+          hash: ref.hash,
+          preview: 'Metadata-only Project Map artifact written locally.',
+          summary: `${artifact.manifests.length} manifest(s), ${artifact.frameworks.length} framework signal(s), ${artifact.routeFiles.length} route-like file(s).`,
+          metadata: {
+            contentHash,
+            envValuesCaptured: false,
+            sourceBodiesCaptured: false,
+          },
+        }],
+        findings: [],
+        artifacts: [ref],
+        summary: 'Project Map artifact generated with manifest, framework, route, test command, deployment, and env filename metadata.',
+        nextActions: ['Use the Project Map artifact to target deterministic scan, test planning, report, and passport steppers.'],
+      };
+    },
+  };
+}