appsec-agent 2.1.7 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +35 -0
- package/conf/appsec_agent.yaml +6 -0
- package/dist/bin/agent-run.js +16 -0
- package/dist/bin/agent-run.js.map +1 -1
- package/dist/conf/appsec_agent.yaml +6 -0
- package/dist/src/agent_actions.d.ts +10 -0
- package/dist/src/agent_actions.d.ts.map +1 -1
- package/dist/src/agent_actions.js +63 -1
- package/dist/src/agent_actions.js.map +1 -1
- package/dist/src/agent_options.d.ts +6 -1
- package/dist/src/agent_options.d.ts.map +1 -1
- package/dist/src/agent_options.js +42 -1
- package/dist/src/agent_options.js.map +1 -1
- package/dist/src/index.d.ts +2 -0
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +9 -1
- package/dist/src/index.js.map +1 -1
- package/dist/src/main.d.ts.map +1 -1
- package/dist/src/main.js +127 -3
- package/dist/src/main.js.map +1 -1
- package/dist/src/schemas/adversarial_pass.d.ts +47 -0
- package/dist/src/schemas/adversarial_pass.d.ts.map +1 -0
- package/dist/src/schemas/adversarial_pass.js +139 -0
- package/dist/src/schemas/adversarial_pass.js.map +1 -0
- package/dist/src/schemas/import_graph.d.ts +40 -0
- package/dist/src/schemas/import_graph.d.ts.map +1 -0
- package/dist/src/schemas/import_graph.js +107 -0
- package/dist/src/schemas/import_graph.js.map +1 -0
- package/package.json +2 -2
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Import-graph context input (v2.2.0 / plan §3.1 Stage B) — per-file reachability
|
|
4
|
+
* summary passed to `pr_reviewer` so the LLM can factor inbound-caller counts
|
|
5
|
+
* into its confidence calls.
|
|
6
|
+
*
|
|
7
|
+
* The authoritative post-LLM confidence downrank lives in the parent app
|
|
8
|
+
* (`sast-ai-app/backend/src/services/importGraphDecision.ts`). The context
|
|
9
|
+
* here is advisory — it lets the LLM see what the post-pass will see and
|
|
10
|
+
* avoid raising a HIGH-confidence finding on an unreachable helper file.
|
|
11
|
+
*
|
|
12
|
+
* Shape mirrors the existing adversarial/diff-context pattern: the backend
|
|
13
|
+
* composes a JSON file, the agent parses + formats into the user prompt,
|
|
14
|
+
* no HTTP call at agent runtime.
|
|
15
|
+
*/
|
|
16
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
+
exports.parseImportGraphContext = parseImportGraphContext;
|
|
18
|
+
exports.formatImportGraphContextForPrompt = formatImportGraphContextForPrompt;
|
|
19
|
+
const MAX_FILES = 500;
|
|
20
|
+
const MAX_CALLERS_PER_FILE = 20;
|
|
21
|
+
/**
|
|
22
|
+
* Parse and validate an import-graph context JSON payload (throws on structural error).
|
|
23
|
+
*/
|
|
24
|
+
function parseImportGraphContext(data) {
|
|
25
|
+
if (!data || typeof data !== 'object') {
|
|
26
|
+
throw new Error('Import-graph context must be a JSON object');
|
|
27
|
+
}
|
|
28
|
+
const o = data;
|
|
29
|
+
if (!Array.isArray(o.files)) {
|
|
30
|
+
throw new Error('Import-graph context must include a "files" array');
|
|
31
|
+
}
|
|
32
|
+
if (o.files.length > MAX_FILES) {
|
|
33
|
+
throw new Error(`Import-graph context supports at most ${MAX_FILES} files per run`);
|
|
34
|
+
}
|
|
35
|
+
const files = [];
|
|
36
|
+
for (const item of o.files) {
|
|
37
|
+
if (!item || typeof item !== 'object') {
|
|
38
|
+
throw new Error('Each import-graph file entry must be an object');
|
|
39
|
+
}
|
|
40
|
+
const f = item;
|
|
41
|
+
if (typeof f.file !== 'string' || !f.file.trim()) {
|
|
42
|
+
throw new Error('Each import-graph file entry must have a non-empty string "file"');
|
|
43
|
+
}
|
|
44
|
+
if (typeof f.inbound_prod_import_count !== 'number' || !Number.isFinite(f.inbound_prod_import_count)) {
|
|
45
|
+
throw new Error('Each import-graph file entry must have a numeric "inbound_prod_import_count"');
|
|
46
|
+
}
|
|
47
|
+
const callers = Array.isArray(f.callers)
|
|
48
|
+
? f.callers
|
|
49
|
+
.filter((c) => typeof c === 'string' && c.length > 0)
|
|
50
|
+
.slice(0, MAX_CALLERS_PER_FILE)
|
|
51
|
+
: undefined;
|
|
52
|
+
const graphStatus = f.graph_status === 'ok' || f.graph_status === 'missing' || f.graph_status === 'partial'
|
|
53
|
+
? f.graph_status
|
|
54
|
+
: undefined;
|
|
55
|
+
files.push({
|
|
56
|
+
file: String(f.file),
|
|
57
|
+
inbound_prod_import_count: Math.max(0, Math.trunc(f.inbound_prod_import_count)),
|
|
58
|
+
callers,
|
|
59
|
+
is_entry_point: typeof f.is_entry_point === 'boolean' ? f.is_entry_point : undefined,
|
|
60
|
+
graph_status: graphStatus,
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
const coverage = o.coverage === 'full' || o.coverage === 'partial' || o.coverage === 'none' ? o.coverage : undefined;
|
|
64
|
+
return {
|
|
65
|
+
default_branch_sha: typeof o.default_branch_sha === 'string' ? o.default_branch_sha : undefined,
|
|
66
|
+
parsed_at: typeof o.parsed_at === 'string' ? o.parsed_at : undefined,
|
|
67
|
+
coverage,
|
|
68
|
+
files,
|
|
69
|
+
metadata: o.metadata && typeof o.metadata === 'object'
|
|
70
|
+
? {
|
|
71
|
+
project_name: typeof o.metadata.project_name === 'string'
|
|
72
|
+
? o.metadata.project_name
|
|
73
|
+
: undefined,
|
|
74
|
+
}
|
|
75
|
+
: undefined,
|
|
76
|
+
};
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Format the context for inclusion in a PR-reviewer user prompt. Compact by
|
|
80
|
+
* design — we want this to consume far less prompt budget than the diff itself.
|
|
81
|
+
*/
|
|
82
|
+
function formatImportGraphContextForPrompt(ctx) {
|
|
83
|
+
if (ctx.files.length === 0) {
|
|
84
|
+
return '';
|
|
85
|
+
}
|
|
86
|
+
const lines = [];
|
|
87
|
+
lines.push('### File reachability summary (import-graph, Stage B)');
|
|
88
|
+
lines.push('The post-LLM scorer will multiply confidence by 0.3 for findings on files with `inbound_prod_import_count == 0` and not marked as entry points. Factor this in when assigning confidence — do not raise HIGH on unreachable helpers.');
|
|
89
|
+
if (ctx.default_branch_sha) {
|
|
90
|
+
lines.push(`Graph built from default-branch SHA \`${ctx.default_branch_sha.slice(0, 12)}\`.`);
|
|
91
|
+
}
|
|
92
|
+
if (ctx.coverage && ctx.coverage !== 'full') {
|
|
93
|
+
lines.push(`_Coverage: **${ctx.coverage}** — missing files are scored as \`graph_status=missing\` and will **not** be downranked (fail-open)._`);
|
|
94
|
+
}
|
|
95
|
+
lines.push('');
|
|
96
|
+
lines.push('| File | Inbound | Entry point | Status | Top callers |');
|
|
97
|
+
lines.push('|---|---:|:---:|:---:|---|');
|
|
98
|
+
for (const f of ctx.files) {
|
|
99
|
+
const entry = f.is_entry_point ? 'yes' : 'no';
|
|
100
|
+
const status = f.graph_status ?? 'ok';
|
|
101
|
+
const callers = f.callers && f.callers.length > 0 ? f.callers.slice(0, 3).map((c) => `\`${c}\``).join(', ') : '—';
|
|
102
|
+
lines.push(`| \`${f.file}\` | ${f.inbound_prod_import_count} | ${entry} | ${status} | ${callers} |`);
|
|
103
|
+
}
|
|
104
|
+
lines.push('');
|
|
105
|
+
return lines.join('\n');
|
|
106
|
+
}
|
|
107
|
+
//# sourceMappingURL=import_graph.js.map
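Review bot: `formatImportGraphContextForPrompt` interpolates `f.file` and each caller string straight into a markdown table row (the `lines.push(\`| \\\`${f.file}\\\` | …\`)` line), while `parseImportGraphContext` only checks that `file` is a non-empty string and that callers are non-empty strings, so a path containing a newline, backtick or `|` can break out of the row and land as free text in the LLM prompt, and neither field has a length cap. The header comment says these paths come from the reviewed repository's import graph, so they are presumably PR-author-controlled input and worth treating as prompt-injection surface rather than trusted backend data. I would normalise both at parse time with a small helper that strips those characters and truncates, and tighten `default_branch_sha` to a hex check before it is sliced into the prompt, as sketched below. `metadata.project_name` and `parsed_at` are not emitted by the formatter, so they can stay as they are.
```javascript
const MAX_STRING_LEN = 512;
// Strip characters that would let a repo-controlled path break out of the
// markdown table row (or onto a new prompt line) and cap its length.
function sanitizePromptCell(s) {
    return s.replace(/[\r\n\t|`]/g, ' ').trim().slice(0, MAX_STRING_LEN);
}
// … unchanged: parseImportGraphContext validation of data / files / file / inbound_prod_import_count …
        const callers = Array.isArray(f.callers)
            ? f.callers
                .filter((c) => typeof c === 'string' && c.length > 0)
                .map(sanitizePromptCell)
                .filter((c) => c.length > 0)
                .slice(0, MAX_CALLERS_PER_FILE)
            : undefined;
// … unchanged: graphStatus …
        files.push({
            file: sanitizePromptCell(f.file),
// … unchanged: remaining file fields …
    return {
        default_branch_sha: typeof o.default_branch_sha === 'string' && /^[0-9a-f]{7,64}$/i.test(o.default_branch_sha)
            ? o.default_branch_sha
            : undefined,
// … unchanged: parsed_at, coverage, files, metadata …
```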
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"import_graph.js","sourceRoot":"","sources":["../../../src/schemas/import_graph.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAwBH,0DAyDC;AAMD,8EA6BC;AAlGD,MAAM,SAAS,GAAG,GAAG,CAAC;AACtB,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAEhC;;GAEG;AACH,SAAgB,uBAAuB,CAAC,IAAa;IACnD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,yCAAyC,SAAS,gBAAgB,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,CAAC,GAAG,IAA+B,CAAC;QAC1C,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACtF,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,yBAAyB,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,yBAAyB,CAAC,EAAE,CAAC;YACrG,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;QAClG,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;YACtC,CAAC,CAAE,CAAC,CAAC,OAAqB;iBACrB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;iBACjE,KAAK,CAAC,CAAC,EAAE,oBAAoB,CAAC;YACnC,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,WAAW,GACf,CAAC,CAAC,YAAY,KAAK,IAAI,IAAI,CAAC,CAAC,YAAY,KAAK,SAAS,IAAI,CAAC,CAAC,YAAY,KAAK,SAAS;YACrF,CAAC,CAAC,CAAC,CAAC,YAAY;YAChB,CAAC,CAAC,SAAS,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,yBAAyB,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;YAC/E,OAAO;YACP,cAAc,EAAE,OAAO,CAAC,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;YACpF,YAAY,EAAE,WAAW;SAC1B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,QAAQ,GACZ,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,I
AAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IACtG,OAAO;QACL,kBAAkB,EAAE,OAAO,CAAC,CAAC,kBAAkB,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,SAAS;QAC/F,SAAS,EAAE,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACpE,QAAQ;QACR,KAAK;QACL,QAAQ,EACN,CAAC,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;YAC1C,CAAC,CAAC;gBACE,YAAY,EACV,OAAQ,CAAC,CAAC,QAAsC,CAAC,YAAY,KAAK,QAAQ;oBACxE,CAAC,CAAE,CAAC,CAAC,QAAqC,CAAC,YAAY;oBACvD,CAAC,CAAC,SAAS;aAChB;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,iCAAiC,CAAC,GAAuB;IACvE,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CACR,sOAAsO,CACvO,CAAC;IACF,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,yCAAyC,GAAG,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC5C,KAAK,CAAC,IAAI,CACR,gBAAgB,GAAG,CAAC,QAAQ,wGAAwG,CACrI,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;IACtE,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9C,MAAM,MAAM,GAAG,CAAC,CAAC,YAAY,IAAI,IAAI,CAAC;QACtC,MAAM,OAAO,GACX,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACpG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,yBAAyB,MAAM,KAAK,MAAM,MAAM,MAAM,OAAO,IAAI,CAAC,CAAC;IACvG,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
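--- a/package/package.json
+++ b/package/package.json
@@ -1,9 +1,9 @@
 {
 "name": "appsec-agent",
-"version": "2.
+"version": "2.2.0",
 "description": "TypeScript package for AppSec AI Agent management",
 "author": "Sam Li",
-"date": "Apr
+"date": "Apr 24 2026",
 "license": "MIT",
 "main": "dist/src/index.js",
 "types": "dist/src/index.d.ts",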