@triedotdev/mcp 1.0.4 → 1.0.5

package/dist/{chunk-6INDJQPJ.js → chunk-77JFVVWF.js}

@@ -670,10 +670,9 @@ import { basename as basename3 } from "path";
 var PRIVACY_INDICATORS = {
   high: [
     { pattern: /email|phone|ssn|social.*security|passport|driver.*license/i, reason: "PII fields" },
-    { pattern: /patient|medical|diagnosis|medication|treatment|symptom/i, reason: "PHI/health data" },
     { pattern: /credit.*card|card.*number|cvv|expiry/i, reason: "payment data" },
     { pattern: /password|credential|secret|token/i, reason: "credentials" },
-    { pattern: /gdpr|hipaa|ccpa|coppa|consent/i, reason: "compliance mentions" }
+    { pattern: /gdpr|ccpa|coppa|consent/i, reason: "compliance mentions" }
   ],
   medium: [
     { pattern: /user.*data|personal.*info|profile/i, reason: "user data" },
@@ -713,17 +712,16 @@ var CRITICAL_PRIVACY_PATTERNS = [
 ];
 var PrivacyAgent = class extends BaseAgent {
   name = "privacy";
-  description = "AI-powered privacy analysis: GDPR, HIPAA, CCPA, COPPA compliance";
+  description = "AI-powered privacy analysis: GDPR, CCPA, PCI-DSS compliance";
   version = "2.0.0";
   shouldActivate(context) {
-    const hasHealthSignals = context.touchesHealthData;
     const hasUserDataSignals = context.touchesUserData && (context.touchesDatabase || context.touchesAuth || context.patterns?.hasFormHandling || context.patterns?.hasEmailHandling || context.touchesThirdPartyAPI);
     const fileNameSignals = context.filePatterns.some(
-      (pattern) => ["profile", "account", "customer", "member", "identity", "patient"].some(
+      (pattern) => ["profile", "account", "customer", "member", "identity"].some(
         (keyword) => pattern.includes(keyword)
       )
     );
-    return hasHealthSignals || hasUserDataSignals || fileNameSignals && context.touchesDatabase;
+    return hasUserDataSignals || fileNameSignals && context.touchesDatabase;
   }
   /**
    * Check file relevance for privacy analysis
@@ -771,8 +769,6 @@ Analyze code for privacy violations and data protection issues.
 KEY REGULATIONS:
 - **GDPR**: EU data protection (consent, data minimization, right to erasure)
 - **CCPA**: California privacy (disclosure, opt-out, data access)
-- **HIPAA**: Health data protection (PHI encryption, access controls)
-- **COPPA**: Children's privacy (parental consent for under 13)
 - **PCI DSS**: Payment card data security
 
 FOCUS ON:
@@ -820,15 +816,6 @@ ${content}
 - Is PII encrypted in transit?
 - Is there data minimization (only collecting what's needed)?
 - Are there proper access controls?`;
-    }
-    if (relevance.indicators.includes("PHI/health data")) {
-      prompt += `
-
-### HIPAA Compliance (Health Data)
-- Is PHI encrypted with AES-256 or equivalent?
-- Are there audit logs for PHI access?
-- Is there access control based on roles?
-- Is there a breach notification mechanism?`;
     }
     if (relevance.indicators.includes("payment data")) {
       prompt += `
@@ -838,14 +825,6 @@ ${content}
 - Is CVV NOT being stored?
 - Are there access controls?
 - Is data properly tokenized?`;
-    }
-    if (relevance.indicators.includes("age data (COPPA)")) {
-      prompt += `
-
-### COPPA Compliance (Children's Data)
-- Is age verified before data collection?
-- Is parental consent obtained for under 13?
-- Is data from children handled specially?`;
     }
     if (relevance.indicators.includes("tracking") || relevance.indicators.includes("client storage")) {
       prompt += `
@@ -1377,7 +1356,7 @@ var LegalAgent = class extends BaseAgent {
   description = "Compliance with GDPR, CCPA, data protection laws, and legal requirements";
   version = "1.0.0";
   shouldActivate(context) {
-    return context.touchesUserData || context.touchesHealthData || context.touchesPayments || context.touchesAuth;
+    return context.touchesUserData || context.touchesPayments || context.touchesAuth;
   }
   async analyzeFiles(files, _context) {
     const issues = [];
@@ -2752,6 +2731,182 @@ var TrieCleanAgent = class extends BaseAgent {
   }
 };
 
+// src/agents/soc2.ts
+var SOC2_PATTERNS = {
+  // CC6 - Logical Access Controls
+  hardcodedSecrets: [
+    { pattern: /['"]sk_live_[A-Za-z0-9]{20,}['"]/, issue: "Hardcoded Stripe live key", regulation: "CC6.1" },
+    { pattern: /['"]AKIA[A-Z0-9]{16}['"]/, issue: "Hardcoded AWS access key", regulation: "CC6.1" },
+    { pattern: /['"]ghp_[A-Za-z0-9]{36}['"]/, issue: "Hardcoded GitHub token", regulation: "CC6.1" },
+    { pattern: /password\s*[:=]\s*['"][^'"]{8,}['"](?!.*example|test|placeholder)/i, issue: "Hardcoded password", regulation: "CC6.1" },
+    { pattern: /api[_-]?key\s*[:=]\s*['"][A-Za-z0-9]{20,}['"]/i, issue: "Hardcoded API key", regulation: "CC6.1" },
+    { pattern: /secret\s*[:=]\s*['"][^'"]{16,}['"]/i, issue: "Hardcoded secret value", regulation: "CC6.1" }
+  ],
+  // Missing access control
+  accessControl: [
+    { pattern: /\/\/\s*TODO:?\s*(add|implement)?\s*(auth|access|permission)/i, issue: "Missing access control (TODO)", regulation: "CC6.2" },
+    { pattern: /isAdmin\s*[:=]\s*true|role\s*[:=]\s*['"]admin['"]/i, issue: "Hardcoded admin privilege", regulation: "CC6.3" }
+  ],
+  // CC7 - System Operations (Logging & Monitoring)
+  logging: [
+    { pattern: /console\.(log|error|warn)\s*\([^)]*password/i, issue: "Password logged to console", regulation: "CC7.2" },
+    { pattern: /console\.(log|error|warn)\s*\([^)]*token/i, issue: "Token logged to console", regulation: "CC7.2" },
+    { pattern: /console\.(log|error|warn)\s*\([^)]*secret/i, issue: "Secret logged to console", regulation: "CC7.2" },
+    { pattern: /console\.(log|error|warn)\s*\([^)]*apiKey/i, issue: "API key logged to console", regulation: "CC7.2" }
+  ],
+  // Error handling
+  errorHandling: [
+    { pattern: /catch\s*\([^)]*\)\s*\{\s*\}/, issue: "Empty catch block - errors silently swallowed", regulation: "CC7.3" },
+    { pattern: /catch\s*\([^)]*\)\s*\{\s*\/\//, issue: "Catch block only has comments", regulation: "CC7.3" },
+    { pattern: /\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)/, issue: "Empty .catch() handler", regulation: "CC7.3" }
+  ],
+  // CC8 - Change Management (implicit through code patterns)
+  changeManagement: [
+    { pattern: /\/\/\s*HACK|\/\/\s*FIXME.*security|\/\/\s*XXX/i, issue: "Security-related HACK/FIXME comment", regulation: "CC8.1" },
+    { pattern: /\/\/\s*temporary|\/\/\s*remove\s*(before|in)\s*prod/i, issue: "Temporary code flagged for removal", regulation: "CC8.1" }
+  ],
+  // Security - Encryption
+  encryption: [
+    { pattern: /md5\s*\(|crypto\.createHash\s*\(\s*['"]md5['"]\s*\)/i, issue: "MD5 is cryptographically broken", regulation: "CC6.7" },
+    { pattern: /sha1\s*\(|crypto\.createHash\s*\(\s*['"]sha1['"]\s*\)/i, issue: "SHA1 is deprecated for security use", regulation: "CC6.7" },
+    { pattern: /DES|3DES|RC4|Blowfish/i, issue: "Weak/deprecated encryption algorithm", regulation: "CC6.7" },
+    { pattern: /Math\.random\s*\(\s*\).*(?:token|key|secret|password|id)/i, issue: "Math.random() used for security-sensitive value", regulation: "CC6.7" }
+  ],
+  // Security - Input validation
+  inputValidation: [
+    { pattern: /eval\s*\(\s*(?:req\.|request\.|params\.|query\.)/i, issue: "eval() with user input - code injection risk", regulation: "CC6.6" },
+    { pattern: /innerHTML\s*=\s*(?:req\.|request\.|params\.|data\.)/i, issue: "innerHTML with unescaped user input - XSS risk", regulation: "CC6.6" },
+    { pattern: /exec\s*\(\s*(?:req\.|request\.|params\.|`)/i, issue: "Command execution with user input", regulation: "CC6.6" },
+    { pattern: /\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)/i, issue: "SQL query with string interpolation", regulation: "CC6.6" }
+  ],
+  // Security - Authentication
+  authentication: [
+    { pattern: /jwt\.sign\s*\([^)]*expiresIn:\s*['"]?\d{6,}['"]?/i, issue: "JWT with very long expiration", regulation: "CC6.1" },
+    { pattern: /verify\s*[:=]\s*false|rejectUnauthorized\s*[:=]\s*false/i, issue: "TLS/SSL verification disabled", regulation: "CC6.7" },
+    { pattern: /sameSite\s*[:=]\s*['"]none['"]/i, issue: "Cookie SameSite=None may enable CSRF", regulation: "CC6.1" },
+    { pattern: /httpOnly\s*[:=]\s*false/i, issue: "Cookie httpOnly disabled - XSS risk", regulation: "CC6.1" },
+    { pattern: /secure\s*[:=]\s*false.*cookie/i, issue: "Cookie secure flag disabled", regulation: "CC6.1" }
+  ]
+};
+var REGULATION_DESCRIPTIONS = {
+  "CC6.1": "Logical Access Security - Access controls and authentication",
+  "CC6.2": "Role-Based Access Control - Segregation of duties",
+  "CC6.3": "Least Privilege - Minimal necessary access rights",
+  "CC6.6": "Protection Against Threats - Input validation and injection prevention",
+  "CC6.7": "Data Protection - Encryption and secure transmission",
+  "CC7.2": "Monitoring - Security event logging without sensitive data exposure",
+  "CC7.3": "Incident Detection - Proper error handling and alerting",
+  "CC8.1": "Change Management - Controlled changes with proper review"
+};
+var SOC2Agent = class extends BaseAgent {
+  name = "soc2";
+  description = "SOC 2 Type II compliance: access controls, encryption, logging, change management";
+  version = "1.0.0";
+  shouldActivate(context) {
+    return context.touchesAuth || context.touchesAPI || context.touchesDatabase || context.touchesUserData || context.touchesSecurityConfig || context.touchesLogging;
+  }
+  async analyzeFiles(files, _context) {
+    const issues = [];
+    for (const file of files) {
+      if (/node_modules|\.d\.ts$|\.min\.|dist\/|build\/|\.test\.|\.spec\./i.test(file)) {
+        continue;
+      }
+      try {
+        const content = await this.readFile(file);
+        const lines = content.split("\n");
+        for (const [category, patterns] of Object.entries(SOC2_PATTERNS)) {
+          for (const { pattern, issue, regulation } of patterns) {
+            for (let i = 0; i < lines.length; i++) {
+              const line = lines[i] || "";
+              if (pattern.test(line)) {
+                if (this.isTestOrExample(line, content)) {
+                  continue;
+                }
+                const severity = this.getSeverity(category, regulation);
+                const regulationDesc = REGULATION_DESCRIPTIONS[regulation] || regulation;
+                issues.push(this.createIssue(
+                  this.generateIssueId(),
+                  severity,
+                  `[SOC 2 ${regulation}] ${issue}`,
+                  this.getFix(category, issue),
+                  file,
+                  i + 1,
+                  this.getConfidence(category),
+                  `SOC 2 ${regulation}: ${regulationDesc}`,
+                  this.isAutoFixable(category)
+                ));
+                break;
+              }
+            }
+          }
+        }
+      } catch (error) {
+        console.error(`SOC2 Agent: Error reading file ${file}:`, error);
+      }
+    }
+    return issues;
+  }
+  isTestOrExample(line, content) {
+    if (/example|test|mock|fake|dummy|placeholder|sample/i.test(line)) {
+      return true;
+    }
+    if (/describe\s*\(|it\s*\(|test\s*\(|jest|mocha|vitest/i.test(content.slice(0, 500))) {
+      return true;
+    }
+    return false;
+  }
+  getSeverity(category, regulation) {
+    if (category === "hardcodedSecrets" || regulation === "CC6.6") {
+      return "critical";
+    }
+    if (category === "encryption" || category === "logging" || category === "authentication") {
+      return "serious";
+    }
+    if (category === "accessControl" || category === "errorHandling") {
+      return "moderate";
+    }
+    return "low";
+  }
+  getConfidence(category) {
+    switch (category) {
+      case "hardcodedSecrets":
+        return 0.95;
+      case "logging":
+        return 0.9;
+      case "encryption":
+        return 0.85;
+      case "inputValidation":
+        return 0.85;
+      case "authentication":
+        return 0.8;
+      case "errorHandling":
+        return 0.75;
+      case "accessControl":
+        return 0.7;
+      case "changeManagement":
+        return 0.6;
+      default:
+        return 0.7;
+    }
+  }
+  isAutoFixable(category) {
+    return category === "errorHandling";
+  }
+  getFix(category, issue) {
+    const fixes = {
+      hardcodedSecrets: "Move secrets to environment variables or a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager)",
+      accessControl: "Implement proper RBAC with dynamic role checking. Never hardcode admin privileges.",
+      logging: "Remove sensitive data from logs. Use structured logging with PII filtering.",
+      errorHandling: "Add proper error handling: log the error, notify monitoring, and return safe error messages.",
+      encryption: "Use strong algorithms: AES-256-GCM for encryption, SHA-256+ for hashing, crypto.randomBytes() for random values.",
+      inputValidation: "Validate and sanitize all user input. Use parameterized queries for SQL. Escape HTML output.",
+      authentication: "Use secure cookie settings (httpOnly, secure, sameSite). Set reasonable JWT expiration (15min-24h).",
+      changeManagement: "Address security-related TODOs before deployment. Document in issue tracker if deferring."
+    };
+    return fixes[category] || "Review and fix according to SOC 2 requirements.";
+  }
+};
+
 // src/agents/custom-agent.ts
 var CustomAgent = class extends BaseAgent {
   name;
@@ -2983,7 +3138,8 @@ var AgentRegistry = class {
       new DevOpsAgent(),
       new BugFindingAgent(),
       new UserTestingAgent(),
-      new TrieCleanAgent()
+      new TrieCleanAgent(),
+      new SOC2Agent()
     ];
     console.error(`Loaded config for ${builtinAgents.length} built-in agents`);
     for (const agent of builtinAgents) {
@@ -3870,10 +4026,6 @@ var Triager = class {
         confidence += 0.5;
         reasons.push("PII handling");
       }
-      if (context.touchesHealthData) {
-        confidence += 0.6;
-        reasons.push("PHI/HIPAA");
-      }
       if (context.touchesAuth) {
         confidence += 0.3;
         reasons.push("credentials");
@@ -3893,10 +4045,6 @@ var Triager = class {
     }
     if (agent.name === "legal") {
       tier = 2;
-      if (context.touchesHealthData) {
-        confidence += 0.6;
-        reasons.push("HIPAA compliance");
-      }
       if (context.touchesUserData) {
         confidence += 0.4;
         reasons.push("GDPR/CCPA");
@@ -4059,6 +4207,29 @@ var Triager = class {
         reasons.push("React code");
       }
     }
+    if (agent.name === "soc2") {
+      tier = 2;
+      if (context.touchesAuth) {
+        confidence += 0.4;
+        reasons.push("authentication");
+      }
+      if (context.touchesSecurityConfig) {
+        confidence += 0.4;
+        reasons.push("security config");
+      }
+      if (context.touchesLogging) {
+        confidence += 0.3;
+        reasons.push("logging");
+      }
+      if (context.touchesAPI) {
+        confidence += 0.25;
+        reasons.push("API endpoints");
+      }
+      if (context.touchesDatabase) {
+        confidence += 0.2;
+        reasons.push("data access");
+      }
+    }
     confidence = Math.min(1, confidence);
     return { agent, confidence, reasons, tier, isCustom: false };
   }
@@ -4121,7 +4292,6 @@ var Triager = class {
     if (context.touchesPayments) reasons.push("payments");
     if (context.touchesDatabase) reasons.push("database");
     if (context.touchesUserData) reasons.push("user data");
-    if (context.touchesHealthData) reasons.push("PHI");
     if (context.touchesUI) reasons.push("UI");
     if (context.touchesAPI) reasons.push("API");
     if (context.isNewFeature) reasons.push("new feature");
@@ -7623,4 +7793,4 @@ export {
   getSystemPrompt,
   TrieFixTool
 };
-//# sourceMappingURL=chunk-6INDJQPJ.js.map
+//# sourceMappingURL=chunk-77JFVVWF.js.map