agent-security-scanner-mcp 3.20.0 → 4.0.0

package/code-review-agent/src/context/assembler.ts

@@ -0,0 +1,165 @@
+import type { FileContext, ProjectContext } from '../types/analysis.js';
+import type { IntentProfile } from '../types/findings.js';
+import type { LLMProvider } from '../llm/provider.js';
+import { formatProjectContextForLLM } from './project.js';
+
+const TOKEN_BUDGETS: Record<string, number> = {
+  anthropic: 100_000,
+  openai: 60_000,
+  'claude-cli': 100_000,
+};
+
+const TRUNCATION_MARKER = '\n[TRUNCATED — file too large for context window]\n';
+
+// Reserve 20% of budget for LLM output tokens
+const OUTPUT_RESERVE = 0.2;
+
+export class ContextAssembler {
+  constructor(private provider: LLMProvider) {}
+
+  /**
+   * Calculate how many lines of source code fit in the remaining
+   * token budget after system prompt, intent, project context, and
+   * metadata are accounted for.
+   */
+  calculateMaxLines(
+    intent: IntentProfile,
+    project: ProjectContext,
+    file: FileContext,
+    systemPrompt: string,
+  ): number {
+    const budget = TOKEN_BUDGETS[this.provider.providerName] ?? 60_000;
+    const usableBudget = budget * (1 - OUTPUT_RESERVE);
+
+    // Measure fixed overhead
+    const overheadParts = [
+      systemPrompt,
+      formatIntent(intent),
+      formatProjectContextForLLM(project),
+      formatFileMetadata(file),
+      // Framing text around file content
+      `\n## File Content\nFile: ${file.filePath} (${file.language})\n\`\`\`\n\`\`\`\n`,
+    ];
+    const overheadTokens = this.provider.countTokens(overheadParts.join('\n'));
+
+    const remainingTokens = usableBudget - overheadTokens;
+    if (remainingTokens <= 0) return 100; // absolute minimum
+
+    // Estimate chars per line from actual file content (avg line length)
+    const lines = file.content.split('\n');
+    const avgCharsPerLine = lines.length > 0
+      ? file.content.length / lines.length
+      : 40;
+    // ~4 chars per token + line number prefix ("1234: ")
+    const charsPerToken = 4;
+    const lineNumberOverhead = 6;
+    const tokensPerLine = (avgCharsPerLine + lineNumberOverhead) / charsPerToken;
+
+    const maxLines = Math.floor(remainingTokens / tokensPerLine);
+    return Math.max(maxLines, 100); // never go below 100 lines
+  }
+
+  assembleAnalysisContext(
+    intent: IntentProfile,
+    project: ProjectContext,
+    file: FileContext,
+  ): string {
+    const budget = TOKEN_BUDGETS[this.provider.providerName] ?? 60_000;
+
+    // Priority order: intent > file content > project context
+    const sections: Array<{ label: string; content: string; priority: number }> = [
+      {
+        label: 'Intent Profile',
+        content: formatIntent(intent),
+        priority: 1,
+      },
+      {
+        label: 'File Content',
+        content: formatFileContent(file),
+        priority: 2,
+      },
+      {
+        label: 'Project Context',
+        content: formatProjectContextForLLM(project),
+        priority: 3,
+      },
+      {
+        label: 'File Metadata',
+        content: formatFileMetadata(file),
+        priority: 4,
+      },
+    ];
+
+    // Sort by priority and assemble within budget
+    sections.sort((a, b) => a.priority - b.priority);
+
+    let assembled = '';
+    let usedTokens = 0;
+
+    for (const section of sections) {
+      const sectionText = `\n## ${section.label}\n${section.content}\n`;
+      const sectionTokens = this.provider.countTokens(sectionText);
+
+      if (usedTokens + sectionTokens > budget * 0.8) {
+        // Truncate this section to fit
+        const remainingBudget = Math.floor((budget * 0.8 - usedTokens) * 4); // rough chars
+        if (remainingBudget > 200) {
+          assembled += `\n## ${section.label}\n${section.content.slice(0, remainingBudget)}${TRUNCATION_MARKER}`;
+        }
+        break;
+      }
+
+      assembled += sectionText;
+      usedTokens += sectionTokens;
+    }
+
+    return assembled;
+  }
+
+  assembleTriageContext(project: ProjectContext, file: FileContext): string {
+    // Triage needs less context — just file overview + project summary
+    const sections = [
+      `## File: ${file.filePath}`,
+      `Language: ${file.language} | Lines: ${file.lineCount}`,
+      `Test: ${file.isTestFile} | Config: ${file.isConfigFile} | Generated: ${file.isGenerated}`,
+      `Imports: ${file.imports.slice(0, 10).join(', ')}`,
+      '',
+      `## Project`,
+      `Language: ${project.language} | Framework: ${project.framework}`,
+      project.readme ? `README excerpt: ${project.readme.slice(0, 500)}` : 'No README',
+    ];
+
+    // Include first 100 lines of file content for triage
+    const preview = file.content.split('\n').slice(0, 100).join('\n');
+    sections.push('', '## File Preview (first 100 lines)', '```', preview, '```');
+
+    return sections.join('\n');
+  }
+}
+
+function formatIntent(intent: IntentProfile): string {
+  return [
+    `Purpose: ${intent.purpose}`,
+    `Risk Domain: ${intent.riskDomain}`,
+    `Framework: ${intent.framework}`,
+    `Expected Behaviors: ${intent.expectedBehaviors.join('; ')}`,
+    `Unexpected Behaviors: ${intent.unexpectedBehaviors.join('; ')}`,
+  ].join('\n');
+}
+
+function formatFileContent(file: FileContext): string {
+  const numbered = file.content
+    .split('\n')
+    .map((line, i) => `${i + 1}: ${line}`)
+    .join('\n');
+  return `File: ${file.filePath} (${file.language})\n\`\`\`\n${numbered}\n\`\`\``;
+}
+
+function formatFileMetadata(file: FileContext): string {
+  const parts = [
+    `Imports: ${file.imports.join(', ') || 'none'}`,
+    `Imported by: ${file.importedBy.join(', ') || 'none'}`,
+    `Siblings: ${file.siblingFiles.join(', ') || 'none'}`,
+  ];
+  return parts.join('\n');
+}

package/code-review-agent/src/context/file.ts

@@ -0,0 +1,145 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { DependencyGraph, FileContext } from '../types/analysis.js';
+
+const LANGUAGE_MAP: Record<string, string> = {
+  '.js': 'javascript',
+  '.mjs': 'javascript',
+  '.cjs': 'javascript',
+  '.jsx': 'javascript',
+  '.ts': 'typescript',
+  '.tsx': 'typescript',
+  '.py': 'python',
+  '.go': 'go',
+  '.rs': 'rust',
+  '.java': 'java',
+  '.rb': 'ruby',
+  '.php': 'php',
+  '.c': 'c',
+  '.cpp': 'cpp',
+  '.cs': 'csharp',
+  '.swift': 'swift',
+  '.kt': 'kotlin',
+};
+
+const TEST_PATTERNS = [
+  /\.test\.[jt]sx?$/,
+  /\.spec\.[jt]sx?$/,
+  /_test\.go$/,
+  /test_.*\.py$/,
+  /.*_test\.py$/,
+  /\.test\.py$/,
+  /Test\.java$/,
+  /\.test\.rb$/,
+];
+
+const CONFIG_PATTERNS = [
+  /\.config\.[jt]s$/,
+  /\.rc$/,
+  /\.json$/,
+  /\.ya?ml$/,
+  /\.toml$/,
+  /\.ini$/,
+  /\.env/,
+  /Makefile$/,
+  /Dockerfile$/,
+];
+
+const GENERATED_MARKERS = [
+  '// Code generated',
+  '# Generated by',
+  '// AUTO-GENERATED',
+  '/* eslint-disable */',
+  '// @generated',
+];
+
+export function buildFileContext(
+  filePath: string,
+  projectRoot: string,
+  graph?: DependencyGraph,
+): FileContext {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const ext = path.extname(filePath);
+  const language = LANGUAGE_MAP[ext] ?? 'unknown';
+  const lines = content.split('\n');
+
+  const relativePath = path.relative(projectRoot, filePath);
+  const dirName = path.dirname(filePath);
+
+  let siblingFiles: string[] = [];
+  try {
+    siblingFiles = fs
+      .readdirSync(dirName)
+      .filter((f) => {
+        const full = path.join(dirName, f);
+        try { return fs.statSync(full).isFile(); } catch { return false; }
+      })
+      .filter((f) => f !== path.basename(filePath))
+      .slice(0, 20);
+  } catch { /* dir read error */ }
+
+  const imports = extractImports(content, language);
+
+  let importedBy: string[] = [];
+  if (graph) {
+    const node = graph.nodes.get(relativePath) ?? graph.nodes.get(filePath);
+    if (node) {
+      importedBy = node.importedBy;
+    }
+  }
+
+  return {
+    filePath: relativePath,
+    content,
+    language,
+    lineCount: lines.length,
+    imports,
+    importedBy,
+    siblingFiles,
+    isTestFile: isTestFile(relativePath),
+    isConfigFile: isConfigFile(relativePath),
+    isGenerated: isGeneratedFile(content),
+  };
+}
+
+export function isTestFile(filePath: string): boolean {
+  const name = path.basename(filePath);
+  // Normalize separators for cross-platform matching
+  const normalized = filePath.replace(/\\/g, '/');
+  return TEST_PATTERNS.some((p) => p.test(name)) ||
+    /(^|\/)(test|tests|__tests__)\//.test(normalized);
+}
+
+export function isConfigFile(filePath: string): boolean {
+  const name = path.basename(filePath);
+  return CONFIG_PATTERNS.some((p) => p.test(name));
+}
+
+export function isGeneratedFile(content: string): boolean {
+  const header = content.slice(0, 500);
+  return GENERATED_MARKERS.some((m) => header.includes(m));
+}
+
+function extractImports(content: string, language: string): string[] {
+  const imports: string[] = [];
+
+  if (['javascript', 'typescript'].includes(language)) {
+    // ES imports
+    const esImports = content.matchAll(/import\s+(?:.*?\s+from\s+)?['"]([^'"]+)['"]/g);
+    for (const m of esImports) imports.push(m[1]);
+    // require
+    const requires = content.matchAll(/require\s*\(\s*['"]([^'"]+)['"]\s*\)/g);
+    for (const m of requires) imports.push(m[1]);
+  } else if (language === 'python') {
+    const pyImports = content.matchAll(/(?:from\s+(\S+)\s+import|import\s+(\S+))/g);
+    for (const m of pyImports) imports.push(m[1] ?? m[2]);
+  } else if (language === 'go') {
+    const goImports = content.matchAll(/import\s+(?:\(\s*)?["']([^"']+)["']/g);
+    for (const m of goImports) imports.push(m[1]);
+  } else if (language === 'java') {
+    const javaImports = content.matchAll(/import\s+([\w.]+);/g);
+    for (const m of javaImports) imports.push(m[1]);
+  }
+
+  return [...new Set(imports)];
+}

package/code-review-agent/src/context/project.ts

@@ -0,0 +1,253 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { ProjectContext } from '../types/analysis.js';
+
+const README_MAX_CHARS = 2000;
+const TREE_MAX_DEPTH = 2;
+const LANGUAGE_CENSUS_MAX_FILES = 200;
+
+export function buildProjectContext(projectRoot: string): ProjectContext {
+  return {
+    readme: readReadme(projectRoot),
+    packageMeta: readPackageMeta(projectRoot),
+    directoryTree: buildDirectoryTree(projectRoot, TREE_MAX_DEPTH),
+    envVars: readEnvVarNames(projectRoot),
+    hasDockerfile: fileExists(projectRoot, 'Dockerfile'),
+    hasCI:
+      dirExists(projectRoot, '.github/workflows') ||
+      fileExists(projectRoot, '.gitlab-ci.yml') ||
+      fileExists(projectRoot, 'Jenkinsfile'),
+    language: detectLanguage(projectRoot),
+    framework: detectFramework(projectRoot),
+  };
+}
+
+export function formatProjectContextForLLM(ctx: ProjectContext): string {
+  const sections: string[] = [];
+
+  if (ctx.readme) {
+    sections.push(`## Project README\n${ctx.readme}`);
+  }
+
+  if (ctx.packageMeta) {
+    const meta = ctx.packageMeta;
+    const parts: string[] = [];
+    if (meta.name) parts.push(`Name: ${meta.name}`);
+    if (meta.description) parts.push(`Description: ${meta.description}`);
+    if (meta.dependencies) {
+      const deps = Object.keys(meta.dependencies as Record<string, string>);
+      parts.push(`Dependencies: ${deps.join(', ')}`);
+    }
+    sections.push(`## Package Metadata\n${parts.join('\n')}`);
+  }
+
+  sections.push(`## Directory Structure\n\`\`\`\n${ctx.directoryTree}\n\`\`\``);
+
+  if (ctx.envVars.length > 0) {
+    sections.push(`## Environment Variables\n${ctx.envVars.join(', ')}`);
+  }
+
+  const infra: string[] = [];
+  if (ctx.hasDockerfile) infra.push('Dockerfile');
+  if (ctx.hasCI) infra.push('CI/CD');
+  if (infra.length > 0) {
+    sections.push(`## Infrastructure\n${infra.join(', ')}`);
+  }
+
+  sections.push(`## Language: ${ctx.language}\n## Framework: ${ctx.framework}`);
+
+  return sections.join('\n\n');
+}
+
+function readReadme(root: string): string {
+  for (const name of ['README.md', 'README.txt', 'README', 'readme.md']) {
+    const filePath = path.join(root, name);
+    try {
+      const content = fs.readFileSync(filePath, 'utf-8');
+      return content.slice(0, README_MAX_CHARS);
+    } catch {
+      continue;
+    }
+  }
+  return '';
+}
+
+function readPackageMeta(root: string): Record<string, unknown> | null {
+  for (const name of ['package.json', 'pyproject.toml', 'go.mod', 'Cargo.toml']) {
+    const filePath = path.join(root, name);
+    try {
+      const content = fs.readFileSync(filePath, 'utf-8');
+      if (name === 'package.json') {
+        return JSON.parse(content);
+      }
+      return { _raw: content.slice(0, 500), _type: name };
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+function readEnvVarNames(root: string): string[] {
+  const envPath = path.join(root, '.env.example');
+  try {
+    const content = fs.readFileSync(envPath, 'utf-8');
+    return content
+      .split('\n')
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith('#'))
+      .map((line) => line.split('=')[0].trim())
+      .filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+function buildDirectoryTree(root: string, maxDepth: number, prefix = '', depth = 0): string {
+  if (depth >= maxDepth) return '';
+
+  const EXCLUDE = new Set([
+    'node_modules', 'dist', 'build', '.git', 'vendor', '__pycache__',
+    '.venv', '.next', 'coverage', '.nyc_output',
+  ]);
+
+  let entries: fs.Dirent[];
+  try {
+    entries = fs.readdirSync(root, { withFileTypes: true });
+  } catch {
+    return '';
+  }
+
+  const filtered = entries
+    .filter((e) => !EXCLUDE.has(e.name) && !e.name.startsWith('.'))
+    .sort((a, b) => {
+      if (a.isDirectory() && !b.isDirectory()) return -1;
+      if (!a.isDirectory() && b.isDirectory()) return 1;
+      return a.name.localeCompare(b.name);
+    });
+
+  const lines: string[] = [];
+  for (let i = 0; i < filtered.length; i++) {
+    const entry = filtered[i];
+    const isLast = i === filtered.length - 1;
+    const connector = isLast ? '└── ' : '├── ';
+    const childPrefix = isLast ? '    ' : '│   ';
+
+    lines.push(`${prefix}${connector}${entry.name}${entry.isDirectory() ? '/' : ''}`);
+
+    if (entry.isDirectory()) {
+      const subtree = buildDirectoryTree(
+        path.join(root, entry.name),
+        maxDepth,
+        `${prefix}${childPrefix}`,
+        depth + 1,
+      );
+      if (subtree) lines.push(subtree);
+    }
+  }
+
+  return lines.join('\n');
+}
+
+function detectLanguage(root: string): string {
+  // Check manifest files first
+  if (fileExists(root, 'package.json') || fileExists(root, 'tsconfig.json')) return 'javascript/typescript';
+  if (fileExists(root, 'requirements.txt') || fileExists(root, 'setup.py') || fileExists(root, 'pyproject.toml')) return 'python';
+  if (fileExists(root, 'go.mod')) return 'go';
+  if (fileExists(root, 'Cargo.toml')) return 'rust';
+  if (fileExists(root, 'pom.xml') || fileExists(root, 'build.gradle')) return 'java';
+
+  // Fallback: recursive census of file extensions across the project
+  try {
+    const extCounts: Record<string, number> = {};
+    let countedFiles = 0;
+    const exclude = new Set([
+      'node_modules', 'dist', 'build', '.git', 'vendor', '__pycache__',
+      '.venv', 'venv', 'env', '.next', 'coverage', '.nyc_output',
+    ]);
+
+    const walk = (dir: string): void => {
+      if (countedFiles >= LANGUAGE_CENSUS_MAX_FILES) return;
+
+      let entries: fs.Dirent[];
+      try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+      } catch {
+        return;
+      }
+
+      for (const entry of entries) {
+        if (countedFiles >= LANGUAGE_CENSUS_MAX_FILES) return;
+        if (exclude.has(entry.name) || entry.name.startsWith('.')) continue;
+
+        const fullPath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+          walk(fullPath);
+          continue;
+        }
+
+        if (!entry.isFile()) continue;
+        const ext = path.extname(entry.name);
+        if (!ext) continue;
+        extCounts[ext] = (extCounts[ext] ?? 0) + 1;
+        countedFiles++;
+      }
+    };
+
+    walk(root);
+
+    if (countedFiles === 0) {
+      return 'unknown';
+    }
+
+    const jsExts = ['.js', '.mjs', '.cjs', '.jsx', '.ts', '.tsx'];
+    const pyExts = ['.py'];
+    const jsCount = jsExts.reduce((n, e) => n + (extCounts[e] ?? 0), 0);
+    const pyCount = pyExts.reduce((n, e) => n + (extCounts[e] ?? 0), 0);
+    if (jsCount > 0 && jsCount >= pyCount) return 'javascript/typescript';
+    if (pyCount > 0) return 'python';
+    if (extCounts['.go']) return 'go';
+    if (extCounts['.rs']) return 'rust';
+    if (extCounts['.java']) return 'java';
+  } catch { /* can't read directory */ }
+
+  return 'unknown';
+}
+
+function detectFramework(root: string): string {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf-8'));
+    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+    if (deps.next) return 'next.js';
+    if (deps.express) return 'express';
+    if (deps.fastify) return 'fastify';
+    if (deps.react) return 'react';
+    if (deps.vue) return 'vue';
+    if (deps.hono) return 'hono';
+  } catch { /* no package.json */ }
+
+  try {
+    const req = fs.readFileSync(path.join(root, 'requirements.txt'), 'utf-8');
+    if (req.includes('django')) return 'django';
+    if (req.includes('flask')) return 'flask';
+    if (req.includes('fastapi')) return 'fastapi';
+  } catch { /* no requirements.txt */ }
+
+  return 'none';
+}
+
+function fileExists(root: string, name: string): boolean {
+  try {
+    return fs.statSync(path.join(root, name)).isFile();
+  } catch {
+    return false;
+  }
+}
+
+function dirExists(root: string, name: string): boolean {
+  try {
+    return fs.statSync(path.join(root, name)).isDirectory();
+  } catch {
+    return false;
+  }
+}

package/code-review-agent/src/graph/dependency.ts

@@ -0,0 +1,116 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { DependencyGraph, DependencyNode } from '../types/analysis.js';
+import { extractImports, resolveImportPath } from './resolver.js';
+
+const MAX_DEPTH = 4;
+const MAX_FILES = 200;
+
+const LANGUAGE_MAP: Record<string, string> = {
+  '.js': 'javascript', '.mjs': 'javascript', '.cjs': 'javascript', '.jsx': 'javascript',
+  '.ts': 'typescript', '.tsx': 'typescript',
+  '.py': 'python',
+  '.go': 'go',
+  '.rs': 'rust',
+  '.java': 'java',
+  '.rb': 'ruby',
+  '.php': 'php',
+  '.c': 'c',
+  '.cpp': 'cpp',
+  '.h': 'c',
+  '.hpp': 'cpp',
+  '.cs': 'csharp',
+  '.swift': 'swift',
+  '.kt': 'kotlin',
+};
+
+export class DependencyGraphBuilder {
+  private nodes = new Map<string, DependencyNode>();
+  private visited = new Set<string>();
+  private projectRoot: string;
+
+  constructor(projectRoot: string) {
+    this.projectRoot = projectRoot;
+  }
+
+  build(entryFiles: string[]): DependencyGraph {
+    const queue: Array<{ file: string; depth: number }> = entryFiles.map((f) => ({
+      file: path.resolve(this.projectRoot, f),
+      depth: 0,
+    }));
+
+    while (queue.length > 0 && this.nodes.size < MAX_FILES) {
+      const item = queue.shift()!;
+      const { file, depth } = item;
+
+      if (this.visited.has(file) || depth > MAX_DEPTH) continue;
+      this.visited.add(file);
+
+      const relPath = path.relative(this.projectRoot, file);
+      const ext = path.extname(file);
+      const language = LANGUAGE_MAP[ext];
+      if (!language) continue;
+
+      let content: string;
+      try {
+        content = fs.readFileSync(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      const imports = extractImports(content, language);
+      const resolvedImports: string[] = [];
+
+      for (const imp of imports) {
+        if (!imp.isLocal) continue;
+
+        const resolved = resolveImportPath(imp.specifier, file, language);
+        if (resolved) {
+          const resolvedRel = path.relative(this.projectRoot, resolved);
+          resolvedImports.push(resolvedRel);
+
+          // Ensure the target node exists
+          if (!this.nodes.has(resolvedRel)) {
+            this.nodes.set(resolvedRel, {
+              file: resolvedRel,
+              imports: [],
+              importedBy: [],
+            });
+          }
+
+          // Add reverse edge
+          this.nodes.get(resolvedRel)!.importedBy.push(relPath);
+
+          // Queue for traversal
+          if (!this.visited.has(resolved)) {
+            queue.push({ file: resolved, depth: depth + 1 });
+          }
+        }
+      }
+
+      const existing = this.nodes.get(relPath);
+      if (existing) {
+        existing.imports = resolvedImports;
+      } else {
+        this.nodes.set(relPath, {
+          file: relPath,
+          imports: resolvedImports,
+          importedBy: [],
+        });
+      }
+    }
+
+    return {
+      nodes: this.nodes,
+      entryPoints: entryFiles.map((f) => path.relative(this.projectRoot, path.resolve(this.projectRoot, f))),
+    };
+  }
+
+  getImporters(file: string): string[] {
+    return this.nodes.get(file)?.importedBy ?? [];
+  }
+
+  getImportees(file: string): string[] {
+    return this.nodes.get(file)?.imports ?? [];
+  }
+}