agent-security-scanner-mcp 3.20.0 → 4.0.0

package/code-review-agent/src/graph/resolver.ts

@@ -0,0 +1,138 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+export interface ImportInfo {
+  specifier: string;
+  isLocal: boolean;
+  resolved: string | null;
+}
+
+const JS_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs'];
+const PY_EXTENSIONS = ['.py'];
+
+export function extractImports(content: string, language: string): ImportInfo[] {
+  const imports: ImportInfo[] = [];
+
+  if (['javascript', 'typescript'].includes(language)) {
+    // ES imports
+    for (const m of content.matchAll(/import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]/g)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+    // Re-exports: export { ... } from '...', export * from '...', export { default } from '...'
+    for (const m of content.matchAll(/export\s+(?:\*|{[^}]*})\s+from\s+['"]([^'"]+)['"]/g)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+    // require
+    for (const m of content.matchAll(/require\s*\(\s*['"]([^'"]+)['"]\s*\)/g)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+    // dynamic import
+    for (const m of content.matchAll(/import\s*\(\s*['"]([^'"]+)['"]\s*\)/g)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+  } else if (language === 'python') {
+    // from .module import ... (relative) and from package import ... (absolute)
+    for (const m of content.matchAll(/from\s+(\S+)\s+import/g)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+    // import module
+    for (const m of content.matchAll(/^import\s+(\S+)/gm)) {
+      const spec = m[1];
+      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    }
+  } else if (language === 'go') {
+    for (const m of content.matchAll(/["']([^"']+)["']/g)) {
+      const spec = m[1];
+      if (spec.includes('/')) {
+        imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+      }
+    }
+  }
+
+  return imports;
+}
+
+export function resolveImportPath(
+  specifier: string,
+  fromFile: string,
+  language: string,
+): string | null {
+  if (!isLocalImport(specifier, language)) return null;
+
+  const fromDir = path.dirname(fromFile);
+
+  if (['javascript', 'typescript'].includes(language)) {
+    // Try exact path first, then with extensions, then index files
+    const candidates: string[] = [];
+    const base = path.resolve(fromDir, specifier);
+
+    candidates.push(base);
+    for (const ext of JS_EXTENSIONS) {
+      candidates.push(base + ext);
+    }
+    for (const ext of JS_EXTENSIONS) {
+      candidates.push(path.join(base, `index${ext}`));
+    }
+
+    for (const candidate of candidates) {
+      try {
+        if (fs.statSync(candidate).isFile()) return candidate;
+      } catch { /* not found */ }
+    }
+  } else if (language === 'python') {
+    // Handle relative imports: .utils, ..models, .sub.module
+    let resolveDir = fromDir;
+    let moduleSpec = specifier;
+
+    if (specifier.startsWith('.')) {
+      // Count leading dots for parent traversal
+      const dotMatch = specifier.match(/^(\.+)(.*)/);
+      if (dotMatch) {
+        const dots = dotMatch[1].length;
+        moduleSpec = dotMatch[2]; // remainder after dots (may be empty for bare ".")
+        // Each dot beyond the first goes up one directory
+        resolveDir = fromDir;
+        for (let i = 1; i < dots; i++) {
+          resolveDir = path.dirname(resolveDir);
+        }
+      }
+    }
+
+    // Convert module.path to filesystem path
+    const modulePath = moduleSpec ? moduleSpec.replace(/\./g, path.sep) : '';
+    const base = modulePath ? path.resolve(resolveDir, modulePath) : resolveDir;
+
+    for (const ext of PY_EXTENSIONS) {
+      try {
+        const candidate = base + ext;
+        if (fs.statSync(candidate).isFile()) return candidate;
+      } catch { /* not found */ }
+    }
+
+    // Try as package (directory with __init__.py)
+    try {
+      const initFile = path.join(base, '__init__.py');
+      if (fs.statSync(initFile).isFile()) return initFile;
+    } catch { /* not found */ }
+  }
+
+  return null;
+}
+
+export function isLocalImport(specifier: string, language: string): boolean {
+  if (['javascript', 'typescript'].includes(language)) {
+    return specifier.startsWith('./') || specifier.startsWith('../');
+  }
+  if (language === 'python') {
+    return specifier.startsWith('.');
+  }
+  if (language === 'go') {
+    return !specifier.includes('.');
+  }
+  return false;
+}

package/code-review-agent/src/index.ts

@@ -0,0 +1,58 @@
+// Core engine
+export { AnalysisEngine, type ProgressCallback } from './analyzer/engine.js';
+export { IntentProfiler } from './analyzer/intent.js';
+export { SemanticAnalyzer } from './analyzer/semantic.js';
+
+// LLM providers
+export { AnthropicProvider } from './llm/anthropic.js';
+export { ClaudeCliProvider } from './llm/claude-cli.js';
+export { OpenAIProvider } from './llm/openai.js';
+export { ModelRouter } from './llm/router.js';
+export type { LLMProvider, ChatMessage } from './llm/provider.js';
+export { SchemaValidationError } from './llm/provider.js';
+export { zodToJsonSchema, zodToAnthropicTool, zodToOpenAIResponseFormat } from './llm/schemas.js';
+
+// Context
+export { buildProjectContext, formatProjectContextForLLM } from './context/project.js';
+export { buildFileContext, isTestFile, isConfigFile, isGeneratedFile } from './context/file.js';
+export { ContextAssembler } from './context/assembler.js';
+
+// Graph
+export { DependencyGraphBuilder } from './graph/dependency.js';
+export { resolveImportPath, extractImports, isLocalImport } from './graph/resolver.js';
+
+// Types
+export type {
+  AnalysisResult,
+  AnalysisStats,
+  FileAnalysisResult,
+  ProjectContext,
+  FileContext,
+  DependencyNode,
+  DependencyGraph,
+} from './types/analysis.js';
+export type {
+  AnalysisOptions,
+  CRAgentConfig,
+} from './types/config.js';
+export { loadConfig, resolveOptions } from './types/config.js';
+export {
+  FindingSchema,
+  FileAnalysisResponseSchema,
+  IntentProfileSchema,
+  TriageDecisionSchema,
+  SeveritySchema,
+  CategorySchema,
+  IntentAlignmentSchema,
+  RiskDomainSchema,
+} from './types/findings.js';
+export type {
+  Finding,
+  FileAnalysisResponse,
+  IntentProfile,
+  TriageDecision,
+  Severity,
+  Category,
+  IntentAlignment,
+  RiskDomain,
+} from './types/findings.js';

package/code-review-agent/src/llm/anthropic.ts

@@ -0,0 +1,106 @@
+import Anthropic from '@anthropic-ai/sdk';
+import { countTokens } from '@anthropic-ai/tokenizer';
+import type { z } from 'zod';
+import { type ChatMessage, type LLMProvider, SchemaValidationError } from './provider.js';
+import { zodToAnthropicTool } from './schemas.js';
+
+const MAX_RETRIES = 3;
+
+export class AnthropicProvider implements LLMProvider {
+  private client: Anthropic;
+  readonly modelId: string;
+  readonly providerName = 'anthropic';
+
+  constructor(apiKey: string, model?: string) {
+    this.client = new Anthropic({ apiKey });
+    this.modelId = model ?? 'claude-sonnet-4-20250514';
+  }
+
+  async chat(messages: ChatMessage[]): Promise<string> {
+    const { system, userMessages } = this.splitMessages(messages);
+
+    const response = await this.client.messages.create({
+      model: this.modelId,
+      max_tokens: 4096,
+      system: system ?? undefined,
+      messages: userMessages,
+    });
+
+    const textBlock = response.content.find((b) => b.type === 'text');
+    return textBlock?.text ?? '';
+  }
+
+  async chatStructured<T>(
+    messages: ChatMessage[],
+    schema: z.ZodType<T>,
+    schemaName: string,
+  ): Promise<T> {
+    const tool = zodToAnthropicTool(schema, schemaName, `Respond with ${schemaName}`);
+    const { system, userMessages } = this.splitMessages(messages);
+
+    let lastError: Error | null = null;
+    const conversationMessages = [...userMessages];
+
+    for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+      const response = await this.client.messages.create({
+        model: this.modelId,
+        max_tokens: 8192,
+        system: system ?? undefined,
+        messages: conversationMessages,
+        tools: [tool as Anthropic.Tool],
+        tool_choice: { type: 'tool' as const, name: schemaName },
+      });
+
+      const toolBlock = response.content.find((b) => b.type === 'tool_use');
+      if (!toolBlock || toolBlock.type !== 'tool_use') {
+        lastError = new Error('No tool_use block in response');
+        continue;
+      }
+
+      const result = schema.safeParse(toolBlock.input);
+      if (result.success) {
+        return result.data;
+      }
+
+      lastError = new Error(result.error.message);
+
+      // Append error feedback for retry
+      conversationMessages.push({
+        role: 'assistant',
+        content: JSON.stringify(toolBlock.input),
+      });
+      conversationMessages.push({
+        role: 'user',
+        content: `Schema validation error: ${result.error.message}. Please fix and respond again.`,
+      });
+    }
+
+    throw new SchemaValidationError(MAX_RETRIES, lastError!);
+  }
+
+  countTokens(text: string): number {
+    try {
+      return countTokens(text);
+    } catch {
+      return Math.ceil(text.length / 4);
+    }
+  }
+
+  private splitMessages(messages: ChatMessage[]): {
+    system: string | null;
+    userMessages: Array<{ role: 'user' | 'assistant'; content: string }>;
+  } {
+    let system: string | null = null;
+    const userMessages: Array<{ role: 'user' | 'assistant'; content: string }> = [];
+
+    for (const msg of messages) {
+      if (msg.role === 'system') {
+        system = msg.content;
+      } else {
+        userMessages.push({ role: msg.role, content: msg.content });
+      }
+    }
+
+    return { system, userMessages };
+  }
+}

package/code-review-agent/src/llm/claude-cli.ts

@@ -0,0 +1,188 @@
+import { spawn } from 'node:child_process';
+import type { z } from 'zod';
+import { type ChatMessage, type LLMProvider, SchemaValidationError } from './provider.js';
+import { zodToJsonSchema } from './schemas.js';
+
+const MAX_RETRIES = 3;
+
+interface ClaudeCliResult {
+  type: string;
+  result: string;
+  is_error: boolean;
+  usage?: {
+    input_tokens?: number;
+    output_tokens?: number;
+  };
+}
+
+export class ClaudeCliProvider implements LLMProvider {
+  readonly modelId: string;
+  readonly providerName = 'claude-cli';
+
+  constructor(model?: string) {
+    this.modelId = model ?? 'sonnet';
+  }
+
+  async chat(messages: ChatMessage[]): Promise<string> {
+    const prompt = this.formatMessages(messages);
+    return this.runClaude(prompt);
+  }
+
+  async chatStructured<T>(
+    messages: ChatMessage[],
+    schema: z.ZodType<T>,
+    schemaName: string,
+  ): Promise<T> {
+    const jsonSchema = zodToJsonSchema(schema);
+    const schemaInstruction = [
+      `You MUST respond with ONLY a valid JSON object matching this schema (no markdown, no explanation, no wrapping):`,
+      `Schema name: ${schemaName}`,
+      '```json',
+      JSON.stringify(jsonSchema, null, 2),
+      '```',
+      'Respond with ONLY the JSON object. No other text.',
+    ].join('\n');
+
+    let lastError: Error | null = null;
+    const conversationParts = [...messages];
+
+    for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+      const prompt = this.formatMessages([
+        ...conversationParts,
+        { role: 'user', content: schemaInstruction },
+      ]);
+
+      const raw = await this.runClaude(prompt);
+
+      // Extract JSON from response (handle markdown code blocks)
+      const jsonStr = extractJson(raw);
+
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(jsonStr);
+      } catch (e) {
+        lastError = e instanceof Error ? e : new Error(String(e));
+        conversationParts.push(
+          { role: 'assistant', content: raw },
+          { role: 'user', content: `That was not valid JSON. Parse error: ${lastError.message}. Respond with ONLY a valid JSON object.` },
+        );
+        continue;
+      }
+
+      const result = schema.safeParse(parsed);
+      if (result.success) {
+        return result.data;
+      }
+
+      lastError = new Error(result.error.message);
+      conversationParts.push(
+        { role: 'assistant', content: raw },
+        { role: 'user', content: `Schema validation error: ${result.error.message}. Fix the JSON and respond with ONLY the corrected JSON object.` },
+      );
+    }
+
+    throw new SchemaValidationError(MAX_RETRIES, lastError!);
+  }
+
+  countTokens(text: string): number {
+    // Approximate — Claude CLI doesn't expose a token counter
+    return Math.ceil(text.length / 4);
+  }
+
+  private formatMessages(messages: ChatMessage[]): string {
+    const parts: string[] = [];
+
+    for (const msg of messages) {
+      if (msg.role === 'system') {
+        parts.push(`[System Instructions]\n${msg.content}\n`);
+      } else if (msg.role === 'user') {
+        parts.push(`${msg.content}`);
+      } else if (msg.role === 'assistant') {
+        parts.push(`[Previous response]\n${msg.content}\n`);
+      }
+    }
+
+    return parts.join('\n\n');
+  }
+
+  private runClaude(prompt: string): Promise<string> {
+    return new Promise((resolve, reject) => {
+      const args = [
+        '-p', '-',
+        '--output-format', 'json',
+        '--model', this.modelId,
+        '--no-session-persistence',
+      ];
+
+      const child = spawn('claude', args, {
+        stdio: ['pipe', 'pipe', 'pipe'],
+        timeout: 180_000,
+      });
+
+      let stdout = '';
+      let stderr = '';
+
+      child.stdout.on('data', (data: Buffer) => { stdout += data.toString(); });
+      child.stderr.on('data', (data: Buffer) => { stderr += data.toString(); });
+
+      child.on('close', (code) => {
+        if (code !== 0 && !stdout) {
+          // Sanitize stderr — only show first 200 chars, never leak prompt content
+          const safeStderr = stderr ? sanitizeError(stderr) : '';
+          reject(new Error(`claude CLI exited with code ${code}${safeStderr ? `: ${safeStderr}` : ''}`));
+          return;
+        }
+
+        try {
+          const result = JSON.parse(stdout) as ClaudeCliResult;
+          if (result.is_error) {
+            reject(new Error(`claude CLI error: ${sanitizeError(result.result)}`));
+            return;
+          }
+          resolve(result.result);
+        } catch {
+          resolve(stdout.trim());
+        }
+      });
+
+      child.on('error', (err) => {
+        reject(new Error(`claude CLI failed to start: ${sanitizeError(err.message)}`));
+      });
+
+      // Handle stdin write errors (e.g., broken pipe if child exits early)
+      child.stdin.on('error', (err) => {
+        // Ignore EPIPE — child may have already exited, close handler will deal with it
+        if ((err as NodeJS.ErrnoException).code !== 'EPIPE') {
+          reject(new Error(`Failed to write prompt to claude CLI: ${sanitizeError(err.message)}`));
+        }
+      });
+
+      // Write prompt to stdin and close it
+      child.stdin.write(prompt);
+      child.stdin.end();
+    });
+  }
+}
+
+function sanitizeError(msg: string): string {
+  // Never leak prompt content in errors — truncate and strip anything
+  // that looks like it could be prompt/code/schema content
+  const firstLine = msg.split('\n')[0].trim();
+  return firstLine.length > 200 ? firstLine.slice(0, 200) + '...' : firstLine;
+}
+
+function extractJson(text: string): string {
+  // Try to extract JSON from markdown code blocks
+  const codeBlockMatch = text.match(/```(?:json)?\s*\n?([\s\S]*?)\n?```/);
+  if (codeBlockMatch) {
+    return codeBlockMatch[1].trim();
+  }
+
+  // Try to find a JSON object directly
+  const objectMatch = text.match(/\{[\s\S]*\}/);
+  if (objectMatch) {
+    return objectMatch[0];
+  }
+
+  return text.trim();
+}

package/code-review-agent/src/llm/openai.ts

@@ -0,0 +1,95 @@
+import OpenAI from 'openai';
+import { type Tiktoken, encoding_for_model } from 'tiktoken';
+import type { z } from 'zod';
+import { type ChatMessage, type LLMProvider, SchemaValidationError } from './provider.js';
+import { zodToOpenAIResponseFormat } from './schemas.js';
+
+const MAX_RETRIES = 3;
+
+export class OpenAIProvider implements LLMProvider {
+  private client: OpenAI;
+  private encoder: Tiktoken | null = null;
+  readonly modelId: string;
+  readonly providerName = 'openai';
+
+  constructor(apiKey: string, model?: string) {
+    this.client = new OpenAI({ apiKey });
+    this.modelId = model ?? 'gpt-4o';
+  }
+
+  async chat(messages: ChatMessage[]): Promise<string> {
+    const response = await this.client.chat.completions.create({
+      model: this.modelId,
+      messages: messages.map((m) => ({ role: m.role, content: m.content })),
+      max_tokens: 4096,
+    });
+
+    return response.choices[0]?.message?.content ?? '';
+  }
+
+  async chatStructured<T>(
+    messages: ChatMessage[],
+    schema: z.ZodType<T>,
+    schemaName: string,
+  ): Promise<T> {
+    const responseFormat = zodToOpenAIResponseFormat(schema, schemaName);
+
+    let lastError: Error | null = null;
+    const conversationMessages = messages.map((m) => ({
+      role: m.role,
+      content: m.content,
+    }));
+
+    for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+      const response = await this.client.chat.completions.create({
+        model: this.modelId,
+        messages: conversationMessages,
+        max_tokens: 8192,
+        response_format: responseFormat,
+      });
+
+      const content = response.choices[0]?.message?.content;
+      if (!content) {
+        lastError = new Error('Empty response from OpenAI');
+        continue;
+      }
+
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(content);
+      } catch (e) {
+        lastError = e instanceof Error ? e : new Error(String(e));
+        continue;
+      }
+
+      const result = schema.safeParse(parsed);
+      if (result.success) {
+        return result.data;
+      }
+
+      lastError = new Error(result.error.message);
+
+      conversationMessages.push({
+        role: 'assistant' as const,
+        content,
+      });
+      conversationMessages.push({
+        role: 'user' as const,
+        content: `Schema validation error: ${result.error.message}. Please fix and respond again.`,
+      });
+    }
+
+    throw new SchemaValidationError(MAX_RETRIES, lastError!);
+  }
+
+  countTokens(text: string): number {
+    try {
+      if (!this.encoder) {
+        this.encoder = encoding_for_model(this.modelId as Parameters<typeof encoding_for_model>[0]);
+      }
+      return this.encoder.encode(text).length;
+    } catch {
+      return Math.ceil(text.length / 4);
+    }
+  }
+}

package/code-review-agent/src/llm/provider.ts

@@ -0,0 +1,33 @@
+import type { z } from 'zod';
+
+export interface ChatMessage {
+  role: 'system' | 'user' | 'assistant';
+  content: string;
+}
+
+export interface LLMProvider {
+  readonly modelId: string;
+  readonly providerName: string;
+
+  chat(messages: ChatMessage[]): Promise<string>;
+
+  chatStructured<T>(
+    messages: ChatMessage[],
+    schema: z.ZodType<T>,
+    schemaName: string,
+  ): Promise<T>;
+
+  countTokens(text: string): number;
+}
+
+export class SchemaValidationError extends Error {
+  constructor(
+    public readonly attempts: number,
+    public readonly lastError: Error,
+  ) {
+    super(
+      `Schema validation failed after ${attempts} attempts: ${lastError.message}`,
+    );
+    this.name = 'SchemaValidationError';
+  }
+}