autoremediator 0.1.1 → 0.1.2

package/dist/chunk-H4ICCI3K.js

@@ -0,0 +1,1847 @@
+// src/remediation/pipeline.ts
+import { generateText as generateText2 } from "ai";
+import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
+import { join as join7 } from "path";
+import semver4 from "semver";
+
+// src/platform/config.ts
+function resolveProvider(options = {}) {
+  const raw = options.llmProvider ?? process.env.AUTOREMEDIATOR_LLM_PROVIDER ?? "openai";
+  if (raw !== "openai" && raw !== "anthropic" && raw !== "local") {
+    throw new Error(
+      `Unsupported LLM provider "${raw}". Set AUTOREMEDIATOR_LLM_PROVIDER to "openai", "anthropic", or "local".`
+    );
+  }
+  return raw;
+}
+function resolveModelName(provider, options = {}) {
+  if (options.model) return options.model;
+  if (process.env.AUTOREMEDIATOR_MODEL) return process.env.AUTOREMEDIATOR_MODEL;
+  const defaults = {
+    openai: "gpt-4o",
+    anthropic: "claude-sonnet-4-5",
+    local: "local"
+  };
+  return defaults[provider];
+}
+async function createModel(options = {}) {
+  const provider = resolveProvider(options);
+  if (provider === "local") {
+    throw new Error(
+      "Local provider does not create a language model. Use the deterministic pipeline path instead."
+    );
+  }
+  const modelName = resolveModelName(provider, options);
+  if (provider === "openai") {
+    const apiKey = process.env.OPENAI_API_KEY;
+    if (!apiKey) {
+      throw new Error(
+        "OPENAI_API_KEY environment variable is required when using the openai provider."
+      );
+    }
+    const { createOpenAI } = await import("@ai-sdk/openai");
+    const openai = createOpenAI({ apiKey });
+    return openai(modelName);
+  }
+  if (provider === "anthropic") {
+    const apiKey = process.env.ANTHROPIC_API_KEY;
+    if (!apiKey) {
+      throw new Error(
+        "ANTHROPIC_API_KEY environment variable is required when using the anthropic provider."
+      );
+    }
+    const { createAnthropic } = await import("@ai-sdk/anthropic");
+    const anthropic = createAnthropic({ apiKey });
+    return anthropic(modelName);
+  }
+  throw new Error(`Unhandled provider: ${provider}`);
+}
+function getNvdConfig() {
+  return {
+    apiKey: process.env.AUTOREMEDIATOR_NVD_API_KEY
+  };
+}
+function getGitHubToken() {
+  return process.env.GITHUB_TOKEN;
+}
+
+// src/platform/package-manager.ts
+import { existsSync } from "fs";
+import { join } from "path";
+function detectPackageManager(cwd) {
+  if (existsSync(join(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync(join(cwd, "yarn.lock"))) return "yarn";
+  return "npm";
+}
+function getPackageManagerCommands(pm) {
+  if (pm === "pnpm") {
+    return {
+      install: ["pnpm", "install"],
+      installPreferOffline: ["pnpm", "install", "--prefer-offline"],
+      installDev: (pkg) => ["pnpm", "add", "-D", pkg],
+      test: ["pnpm", "test"],
+      list: ["pnpm", "list", "--json", "--depth=0"],
+      lockfileName: "pnpm-lock.yaml"
+    };
+  }
+  if (pm === "yarn") {
+    return {
+      install: ["yarn", "install"],
+      installPreferOffline: ["yarn", "install"],
+      installDev: (pkg) => ["yarn", "add", "--dev", pkg],
+      test: ["yarn", "test"],
+      list: ["yarn", "list", "--json", "--depth=0"],
+      lockfileName: "yarn.lock"
+    };
+  }
+  return {
+    install: ["npm", "install"],
+    installPreferOffline: ["npm", "install", "--prefer-offline"],
+    installDev: (pkg) => ["npm", "install", "--save-dev", pkg],
+    test: ["npm", "test"],
+    list: ["npm", "list", "--json", "--depth=0"],
+    lockfileName: "package-lock.json"
+  };
+}
+function parseListOutput(pm, stdout) {
+  const versions = /* @__PURE__ */ new Map();
+  if (!stdout.trim()) return versions;
+  if (pm === "yarn") {
+    const lines = stdout.split("\n").map((l) => l.trim()).filter(Boolean);
+    for (const line of lines) {
+      try {
+        const obj = JSON.parse(line);
+        if (obj.type !== "tree") continue;
+        for (const tree of obj.data?.trees ?? []) {
+          const raw = tree.name ?? "";
+          const at = raw.lastIndexOf("@");
+          if (at <= 0) continue;
+          const name = raw.slice(0, at);
+          const version = raw.slice(at + 1);
+          if (name && version) {
+            versions.set(name, version);
+          }
+        }
+      } catch {
+      }
+    }
+    return versions;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(stdout);
+  } catch {
+    return versions;
+  }
+  const root = Array.isArray(parsed) ? parsed[0] : parsed;
+  const dependencies = root?.dependencies;
+  for (const [name, entry] of Object.entries(dependencies ?? {})) {
+    const version = entry?.version;
+    if (typeof version === "string" && version) {
+      versions.set(name, version);
+    }
+  }
+  return versions;
+}
+
+// src/remediation/tools/lookup-cve.ts
+import { tool } from "ai";
+import { z } from "zod";
+
+// src/intelligence/sources/osv.ts
+var OSV_BASE = "https://api.osv.dev/v1";
+async function fetchOsvVuln(cveId) {
+  const url = `${OSV_BASE}/vulns/${encodeURIComponent(cveId)}`;
+  const res = await fetch(url, {
+    headers: { Accept: "application/json" }
+  });
+  if (res.status === 404) return null;
+  if (!res.ok) {
+    throw new Error(`OSV API error ${res.status} for ${cveId}: ${await res.text()}`);
+  }
+  return res.json();
+}
+function osvEventsToSemverRange(events) {
+  const parts = [];
+  for (const event of events) {
+    if (event.introduced !== void 0) {
+      const v = event.introduced === "0" ? "0.0.0" : event.introduced;
+      parts.push(`>=${v}`);
+    }
+    if (event.fixed !== void 0) {
+      parts.push(`<${event.fixed}`);
+    }
+    if (event.last_affected !== void 0) {
+      parts.push(`<=${event.last_affected}`);
+    }
+  }
+  return parts.join(" ") || ">=0.0.0";
+}
+function parseOsvVuln(vuln) {
+  const npmAffected = [];
+  for (const affected of vuln.affected ?? []) {
+    const ecosystem = affected.package?.ecosystem;
+    const packageName = affected.package?.name;
+    if (!ecosystem || typeof ecosystem !== "string") continue;
+    if (!packageName || typeof packageName !== "string") continue;
+    if (ecosystem.toLowerCase() !== "npm") continue;
+    const semverRange = affected.ranges?.find((r) => r.type === "SEMVER");
+    const vulnerableRange = semverRange ? osvEventsToSemverRange(semverRange.events) : ">=0.0.0";
+    const fixedEvent = semverRange?.events.find((e) => e.fixed !== void 0);
+    npmAffected.push({
+      name: packageName,
+      ecosystem: "npm",
+      vulnerableRange,
+      firstPatchedVersion: fixedEvent?.fixed,
+      source: "osv"
+    });
+  }
+  const severity = deriveSeverity(vuln.severity);
+  return {
+    id: vuln.id,
+    summary: vuln.summary ?? vuln.details ?? "No summary available.",
+    severity,
+    references: vuln.references?.map((r) => r.url) ?? [],
+    affectedPackages: npmAffected
+  };
+}
+function deriveSeverity(severityEntries) {
+  if (!severityEntries?.length) return "UNKNOWN";
+  const cvssEntry = severityEntries.find((s) => s.type === "CVSS_V3") ?? severityEntries[0];
+  const scoreMatch = cvssEntry.score.match(/(\d+\.\d+)$/);
+  if (scoreMatch) {
+    const score = parseFloat(scoreMatch[1]);
+    if (score >= 9) return "CRITICAL";
+    if (score >= 7) return "HIGH";
+    if (score >= 4) return "MEDIUM";
+    return "LOW";
+  }
+  return "UNKNOWN";
+}
+async function lookupCveOsv(cveId) {
+  const vuln = await fetchOsvVuln(cveId);
+  if (!vuln) return null;
+  return parseOsvVuln(vuln);
+}
+
+// src/intelligence/sources/github-advisory.ts
+var GH_ADVISORY_BASE = "https://api.github.com/advisories";
+function buildHeaders() {
+  const headers = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28"
+  };
+  const token = getGitHubToken();
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+  return headers;
+}
+async function fetchGhAdvisories(cveId) {
+  const url = new URL(GH_ADVISORY_BASE);
+  url.searchParams.set("cve_id", cveId);
+  url.searchParams.set("ecosystem", "npm");
+  url.searchParams.set("type", "reviewed");
+  url.searchParams.set("per_page", "10");
+  const res = await fetch(url.toString(), { headers: buildHeaders() });
+  if (res.status === 404) return [];
+  if (!res.ok) {
+    console.warn(
+      `[autoremediator] GitHub Advisory API returned ${res.status} for ${cveId} \u2014 skipping.`
+    );
+    return [];
+  }
+  return res.json();
+}
+function parseGhAdvisories(advisories) {
+  const packages = [];
+  for (const advisory of advisories) {
+    for (const vuln of advisory.vulnerabilities) {
+      if (vuln.package.ecosystem.toLowerCase() !== "npm") continue;
+      packages.push({
+        name: vuln.package.name,
+        ecosystem: "npm",
+        vulnerableRange: vuln.vulnerable_version_range ?? ">=0.0.0",
+        firstPatchedVersion: vuln.first_patched_version ?? void 0,
+        source: "github-advisory"
+      });
+    }
+  }
+  return packages;
+}
+function mergeGhDataIntoCveDetails(details, ghPackages) {
+  const enriched = { ...details };
+  for (const ghPkg of ghPackages) {
+    const existing = enriched.affectedPackages.find(
+      (p) => p.name === ghPkg.name
+    );
+    if (existing) {
+      if (!existing.firstPatchedVersion && ghPkg.firstPatchedVersion) {
+        existing.firstPatchedVersion = ghPkg.firstPatchedVersion;
+      }
+    } else {
+      enriched.affectedPackages.push(ghPkg);
+    }
+  }
+  return enriched;
+}
+async function lookupCveGitHub(cveId) {
+  const advisories = await fetchGhAdvisories(cveId);
+  return parseGhAdvisories(advisories);
+}
+
+// src/intelligence/sources/nvd.ts
+var NVD_BASE = "https://services.nvd.nist.gov/rest/json/cves/2.0";
+function buildNvdHeaders() {
+  const { apiKey } = getNvdConfig();
+  const headers = { Accept: "application/json" };
+  if (apiKey) {
+    headers.apiKey = apiKey;
+  }
+  return headers;
+}
+async function fetchNvdCvss(cveId) {
+  const url = `${NVD_BASE}?cveId=${encodeURIComponent(cveId)}`;
+  try {
+    const res = await fetch(url, { headers: buildNvdHeaders() });
+    if (!res.ok) return void 0;
+    const data = await res.json();
+    const vuln = data.vulnerabilities?.[0];
+    if (!vuln) return void 0;
+    const metrics = vuln.cve.metrics;
+    const metric = metrics?.cvssMetricV31?.[0] ?? metrics?.cvssMetricV30?.[0] ?? metrics?.cvssMetricV2?.[0];
+    if (!metric) return void 0;
+    const score = metric.cvssData.baseScore;
+    const rawSeverity = metric.cvssData.baseSeverity.toUpperCase();
+    const severityMap = {
+      CRITICAL: "CRITICAL",
+      HIGH: "HIGH",
+      MEDIUM: "MEDIUM",
+      LOW: "LOW"
+    };
+    return {
+      score,
+      severity: severityMap[rawSeverity] ?? "UNKNOWN"
+    };
+  } catch {
+    return void 0;
+  }
+}
+async function enrichWithNvd(details) {
+  const cvss = await fetchNvdCvss(details.id);
+  if (cvss) {
+    details.cvssScore = cvss.score;
+    if (details.severity === "UNKNOWN") {
+      details.severity = cvss.severity;
+    }
+  }
+  return details;
+}
+
+// src/remediation/tools/lookup-cve.ts
+var lookupCveTool = tool({
+  description: "Look up a CVE ID and return the list of affected npm packages, their vulnerable version ranges, and the first patched version. Always call this first.",
+  parameters: z.object({
+    cveId: z.string().regex(/^CVE-\d{4}-\d+$/i, "Must be a valid CVE ID like CVE-2021-23337")
+  }),
+  execute: async ({ cveId }) => {
+    const normalizedId = cveId.toUpperCase();
+    const [osvDetails, ghPackages] = await Promise.all([
+      lookupCveOsv(normalizedId),
+      lookupCveGitHub(normalizedId)
+    ]);
+    if (!osvDetails && ghPackages.length === 0) {
+      return {
+        success: false,
+        error: `CVE "${normalizedId}" was not found in OSV or GitHub Advisory databases. It may be too new, or not affect npm packages.`
+      };
+    }
+    let details = osvDetails ?? {
+      id: normalizedId,
+      summary: "Details sourced from GitHub Advisory Database.",
+      severity: "UNKNOWN",
+      references: [],
+      affectedPackages: []
+    };
+    if (ghPackages.length > 0) {
+      details = mergeGhDataIntoCveDetails(details, ghPackages);
+    }
+    details = await enrichWithNvd(details);
+    if (details.affectedPackages.length === 0) {
+      return {
+        success: false,
+        error: `CVE "${normalizedId}" was found but has no npm-specific affected packages listed. It may affect a different ecosystem.`
+      };
+    }
+    return { success: true, data: details };
+  }
+});
+
+// src/remediation/tools/check-inventory.ts
+import { tool as tool2 } from "ai";
+import { z as z2 } from "zod";
+import { readFileSync } from "fs";
+import { join as join2 } from "path";
+import { execa } from "execa";
+var checkInventoryTool = tool2({
+  description: "Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.",
+  parameters: z2.object({
+    cwd: z2.string().describe("Absolute path to the consumer project's root directory"),
+    packageManager: z2.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)")
+  }),
+  execute: async ({ cwd, packageManager }) => {
+    let pkgJson;
+    try {
+      pkgJson = JSON.parse(readFileSync(join2(cwd, "package.json"), "utf8"));
+    } catch {
+      return {
+        packages: [],
+        error: `Could not read package.json in "${cwd}". Is this a Node.js project?`
+      };
+    }
+    const pm = packageManager ?? detectPackageManager(cwd);
+    const commands = getPackageManagerCommands(pm);
+    let installedVersions = /* @__PURE__ */ new Map();
+    try {
+      const [cmd, ...args] = commands.list;
+      const listResult = await execa(cmd, args, {
+        cwd,
+        stdio: "pipe",
+        reject: false
+      });
+      installedVersions = parseListOutput(pm, listResult.stdout || "");
+    } catch {
+    }
+    const packages = [];
+    for (const [name, version] of installedVersions.entries()) {
+      const isDirect = Boolean(pkgJson.dependencies?.[name]) || Boolean(pkgJson.devDependencies?.[name]) || Boolean(pkgJson.peerDependencies?.[name]);
+      packages.push({
+        name,
+        version,
+        type: isDirect ? "direct" : "indirect"
+      });
+    }
+    if (packages.length === 0) {
+      const allDeps = {
+        ...pkgJson.dependencies,
+        ...pkgJson.devDependencies
+      };
+      for (const [name, version] of Object.entries(allDeps)) {
+        const cleaned = version.replace(/^[\^~>=<]+/, "").trim();
+        packages.push({ name, version: cleaned, type: "direct" });
+      }
+    }
+    return { packages };
+  }
+});
+
+// src/remediation/tools/check-version-match.ts
+import { tool as tool3 } from "ai";
+import { z as z3 } from "zod";
+import semver from "semver";
+var affectedPackageSchema = z3.object({
+  name: z3.string(),
+  ecosystem: z3.literal("npm"),
+  vulnerableRange: z3.string(),
+  firstPatchedVersion: z3.string().optional(),
+  source: z3.enum(["osv", "github-advisory"])
+});
+var inventoryPackageSchema = z3.object({
+  name: z3.string(),
+  version: z3.string(),
+  type: z3.enum(["direct", "indirect"])
+});
+var checkVersionMatchTool = tool3({
+  description: "Check which of the project's installed packages fall within the CVE's vulnerable version ranges. Returns only the packages that are actually vulnerable.",
+  parameters: z3.object({
+    installedPackages: z3.array(inventoryPackageSchema).describe("Output from the check-inventory tool"),
+    affectedPackages: z3.array(affectedPackageSchema).describe("affectedPackages array from the lookup-cve tool result")
+  }),
+  execute: async ({ installedPackages, affectedPackages }) => {
+    const vulnerable = [];
+    for (const affected of affectedPackages) {
+      const matches = installedPackages.filter(
+        (p) => p.name === affected.name
+      );
+      for (const installed of matches) {
+        if (!semver.valid(installed.version)) continue;
+        let isVulnerable = false;
+        try {
+          isVulnerable = semver.satisfies(installed.version, affected.vulnerableRange, {
+            includePrerelease: false
+          });
+        } catch {
+          continue;
+        }
+        if (isVulnerable) {
+          vulnerable.push({ installed, affected });
+        }
+      }
+    }
+    return {
+      vulnerablePackages: vulnerable,
+      checkedCount: installedPackages.length
+    };
+  }
+});
+
+// src/remediation/tools/find-fixed-version.ts
+import { tool as tool4 } from "ai";
+import { z as z4 } from "zod";
+
+// src/intelligence/sources/registry.ts
+import semver2 from "semver";
+var NPM_REGISTRY = "https://registry.npmjs.org";
+async function fetchPackageVersions(packageName) {
+  const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}`;
+  const res = await fetch(url, {
+    headers: { Accept: "application/json" }
+  });
+  if (res.status === 404) return [];
+  if (!res.ok) {
+    throw new Error(
+      `npm registry error ${res.status} for "${packageName}": ${await res.text()}`
+    );
+  }
+  const data = await res.json();
+  return Object.keys(data.versions);
+}
+async function findSafeUpgradeVersion(packageName, installedVersion, firstPatchedVersion) {
+  const versions = await fetchPackageVersions(packageName);
+  if (!versions.length) return void 0;
+  const installedMajor = semver2.major(installedVersion);
+  const candidates = versions.filter((v) => semver2.valid(v) && semver2.gte(v, firstPatchedVersion)).sort(semver2.compare);
+  if (!candidates.length) return void 0;
+  const sameMajor = candidates.find(
+    (v) => semver2.major(v) === installedMajor
+  );
+  if (sameMajor) return sameMajor;
+  return candidates[0];
+}
+
+// src/remediation/tools/find-fixed-version.ts
+var findFixedVersionTool = tool4({
+  description: "Query the npm registry to find the lowest published version of a package that is >= the first patched version. Prefer same-major upgrades. Returns undefined if no safe version exists.",
+  parameters: z4.object({
+    packageName: z4.string().describe("The npm package name"),
+    installedVersion: z4.string().describe("The currently installed version (exact semver)"),
+    firstPatchedVersion: z4.string().describe(
+      "The first version that is NOT vulnerable (from lookup-cve). Use this as the floor."
+    )
+  }),
+  execute: async ({
+    packageName,
+    installedVersion,
+    firstPatchedVersion
+  }) => {
+    const safeVersion = await findSafeUpgradeVersion(
+      packageName,
+      installedVersion,
+      firstPatchedVersion
+    );
+    if (!safeVersion) {
+      return {
+        isMajorBump: false,
+        message: `No safe upgrade version found for "${packageName}". The patch-file path will be needed.`
+      };
+    }
+    const installedMajor = parseInt(installedVersion.split(".")[0] ?? "0", 10);
+    const safeMajor = parseInt(safeVersion.split(".")[0] ?? "0", 10);
+    const isMajorBump = safeMajor > installedMajor;
+    return {
+      safeVersion,
+      isMajorBump,
+      message: isMajorBump ? `Found safe version ${safeVersion} for "${packageName}", but it is a major bump from ${installedVersion}. Applying anyway \u2014 consumer should review for breaking changes.` : `Found safe version ${safeVersion} for "${packageName}" (from ${installedVersion}).`
+    };
+  }
+});
+
+// src/remediation/tools/apply-version-bump.ts
+import { tool as tool5 } from "ai";
+import { z as z5 } from "zod";
+import { join as join4 } from "path";
+import { readFileSync as readFileSync3, writeFileSync } from "fs";
+import { execa as execa2 } from "execa";
+import semver3 from "semver";
+
+// src/platform/policy.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { join as join3 } from "path";
+var DEFAULT_POLICY = {
+  allowMajorBumps: false,
+  denyPackages: [],
+  allowPackages: [],
+  autoApply: true
+};
+function loadPolicy(cwd, explicitPath) {
+  const candidate = explicitPath ?? join3(cwd, ".autoremediator.json");
+  if (!existsSync2(candidate)) return DEFAULT_POLICY;
+  try {
+    const parsed = JSON.parse(readFileSync2(candidate, "utf8"));
+    return {
+      allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
+      denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
+      allowPackages: parsed.allowPackages ?? DEFAULT_POLICY.allowPackages,
+      autoApply: parsed.autoApply ?? DEFAULT_POLICY.autoApply
+    };
+  } catch {
+    return DEFAULT_POLICY;
+  }
+}
+function isPackageAllowed(policy, packageName) {
+  if (policy.denyPackages.includes(packageName)) return false;
+  if (policy.allowPackages.length > 0 && !policy.allowPackages.includes(packageName)) {
+    return false;
+  }
+  return true;
+}
+
+// src/remediation/tools/apply-version-bump.ts
+var applyVersionBumpTool = tool5({
+  description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
+  parameters: z5.object({
+    cwd: z5.string().describe("Absolute path to the consumer project root"),
+    packageManager: z5.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageName: z5.string().describe("The npm package to upgrade"),
+    fromVersion: z5.string().describe("The currently installed vulnerable version"),
+    toVersion: z5.string().describe("The safe target version to upgrade to"),
+    dryRun: z5.boolean().default(false).describe("If true, report changes but do not write"),
+    policyPath: z5.string().optional().describe("Optional path to .autoremediator policy file"),
+    skipTests: z5.boolean().default(true).describe("If true, skip test validation after applying the fix")
+  }),
+  execute: async ({
+    cwd,
+    packageManager,
+    packageName,
+    fromVersion,
+    toVersion,
+    dryRun,
+    policyPath,
+    skipTests
+  }) => {
+    const pm = packageManager ?? detectPackageManager(cwd);
+    const commands = getPackageManagerCommands(pm);
+    const pkgPath = join4(cwd, "package.json");
+    const policy = loadPolicy(cwd, policyPath);
+    if (!isPackageAllowed(policy, packageName)) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        message: `Policy blocked changes for package "${packageName}".`
+      };
+    }
+    const isMajorBump = semver3.valid(fromVersion) && semver3.valid(toVersion) && semver3.major(toVersion) > semver3.major(fromVersion);
+    if (isMajorBump && !policy.allowMajorBumps) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun,
+        message: `Policy blocked major bump for "${packageName}" (${fromVersion} -> ${toVersion}).`
+      };
+    }
+    let pkgJson;
+    try {
+      pkgJson = JSON.parse(readFileSync3(pkgPath, "utf8"));
+    } catch {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        applied: false,
+        dryRun,
+        message: `Could not read package.json at "${pkgPath}".`
+      };
+    }
+    const depField = ["dependencies", "devDependencies", "peerDependencies"].find(
+      (f) => pkgJson[f]?.[packageName] !== void 0
+    );
+    if (!depField) {
+      return {
+        packageName,
+        strategy: "none",
+        fromVersion,
+        applied: false,
+        dryRun,
+        message: `"${packageName}" was not found in package.json dependencies (it may be a transitive dep). Cannot auto-bump.`
+      };
+    }
+    const currentRange = pkgJson[depField][packageName];
+    const prefixMatch = currentRange.match(/^([~^]?)/);
+    const prefix = prefixMatch?.[1] ?? "";
+    const newRange = `${prefix}${toVersion}`;
+    if (dryRun) {
+      const installCmd = commands.installPreferOffline.join(" ");
+      const testCmd = commands.test.join(" ");
+      return {
+        packageName,
+        strategy: "version-bump",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun: true,
+        message: `[DRY RUN] Would update ${depField}.${packageName}: "${currentRange}" \u2192 "${newRange}", then run ${installCmd}${skipTests ? "" : ` and ${testCmd}`}.`
+      };
+    }
+    pkgJson[depField][packageName] = newRange;
+    writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+    try {
+      const [installCmd, ...installArgs] = commands.installPreferOffline;
+      await execa2(installCmd, installArgs, {
+        cwd,
+        stdio: "pipe"
+      });
+    } catch (err) {
+      pkgJson[depField][packageName] = currentRange;
+      writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        packageName,
+        strategy: "version-bump",
+        fromVersion,
+        toVersion,
+        applied: false,
+        dryRun: false,
+        message: `${commands.installPreferOffline.join(" ")} failed after updating "${packageName}" to ${toVersion}. Reverted. Error: ${message}`
+      };
+    }
+    if (!skipTests) {
+      try {
+        const [testCmd, ...testArgs] = commands.test;
+        await execa2(testCmd, testArgs, {
+          cwd,
+          stdio: "pipe"
+        });
+      } catch (err) {
+        pkgJson[depField][packageName] = currentRange;
+        writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+        try {
+          const [rollbackCmd, ...rollbackArgs] = commands.installPreferOffline;
+          await execa2(rollbackCmd, rollbackArgs, {
+            cwd,
+            stdio: "pipe"
+          });
+        } catch {
+        }
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          packageName,
+          strategy: "version-bump",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun: false,
+          message: `${commands.test.join(" ")} failed after upgrading "${packageName}" to ${toVersion}. Rolled back to ${currentRange}. Error: ${message}`
+        };
+      }
+    }
+    return {
+      packageName,
+      strategy: "version-bump",
+      fromVersion,
+      toVersion,
+      applied: true,
+      dryRun: false,
+      message: `Successfully upgraded "${packageName}" from ${fromVersion} to ${toVersion}, ran ${commands.installPreferOffline.join(" ")}${skipTests ? "" : `, and passed ${commands.test.join(" ")}`}.`
+    };
+  }
+});
+
+// src/remediation/tools/fetch-package-source.ts
+import { tool as tool6 } from "ai";
+import { z as z6 } from "zod";
+import { mkdir, readdir, readFile } from "fs/promises";
+import { join as join5 } from "path";
+import { execa as execa3 } from "execa";
+var fetchPackageSourceTool = tool6({
+  description: "Download package tarball from npm and extract source files for CVE analysis. Supports custom file patterns (default: *.js, *.ts).",
+  parameters: z6.object({
+    packageName: z6.string().min(1).describe("The npm package name (e.g., 'lodash', '@scope/package')"),
+    version: z6.string().regex(/^\d+\.\d+\.\d+/, "Must be a valid semver version").describe("Exact package version to download"),
+    filePatterns: z6.array(z6.string()).optional().default(["*.js", "*.ts"]).describe(
+      "File patterns to extract (glob patterns, default: *.js, *.ts)"
+    )
+  }),
+  execute: async ({
+    packageName,
+    version,
+    filePatterns
+  }) => {
+    const tempBaseDir = `/tmp/autoremediator-pkg-${Date.now()}`;
+    const extractDir = join5(tempBaseDir, "out");
+    try {
+      const npmUrl = `https://registry.npmjs.org/${packageName}/-/${packageName.split("/").pop()}-${version}.tgz`;
+      await mkdir(tempBaseDir, { recursive: true });
+      const tarballPath = join5(tempBaseDir, "package.tgz");
+      await execa3("curl", ["-L", "-o", tarballPath, npmUrl]);
+      await mkdir(extractDir, { recursive: true });
+      await execa3("tar", ["-xzf", tarballPath, "-C", extractDir]);
+      const extractedContents = await readdir(extractDir);
+      const packageRootDir = extractedContents.includes("package") ? join5(extractDir, "package") : extractDir;
+      const sourceCode = {};
+      async function walkDir(dir, relativeBase) {
+        try {
+          const files = await readdir(dir, { withFileTypes: true });
+          for (const file of files) {
+            const fullPath = join5(dir, file.name);
+            const relPath = join5(relativeBase, file.name);
+            if (file.isDirectory()) {
+              if (![
+                "node_modules",
+                ".git",
+                "dist",
+                "build",
+                "coverage",
+                ".next",
+                "out"
+              ].includes(file.name)) {
+                await walkDir(fullPath, relPath);
+              }
+            } else if (file.isFile()) {
+              const matches = filePatterns.some((pattern) => {
+                const regex = new RegExp(
+                  `^${pattern.replace(/\*/g, ".*").replace(/\./g, "\\.")}$`
+                );
+                return regex.test(file.name);
+              });
+              if (matches) {
+                try {
+                  const content = await readFile(fullPath, "utf8");
+                  sourceCode[relPath] = content;
+                } catch {
+                }
+              }
+            }
+          }
+        } catch {
+        }
+      }
+      await walkDir(packageRootDir, "");
+      if (Object.keys(sourceCode).length === 0) {
+        return {
+          success: false,
+          error: `No source files matching patterns [${filePatterns.join(", ")}] found in ${packageName}@${version}. Download succeeded but extraction yielded no matching files.`
+        };
+      }
+      return {
+        success: true,
+        sourceCode,
+        packageDir: packageRootDir
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (message.includes("404") || message.includes("not found")) {
+        return {
+          success: false,
+          error: `Package ${packageName}@${version} not found on npm registry. It may not exist or the version may be incorrect.`
+        };
+      }
+      return {
+        success: false,
+        error: `Failed to fetch and extract package ${packageName}@${version}: ${message}`
+      };
+    }
+  }
+});
+
+// src/remediation/tools/generate-patch.ts
+import { tool as tool7 } from "ai";
+import { z as z7 } from "zod";
+import { generateText } from "ai";
+var VULNERABILITY_DESCRIPTIONS = {
+  redos: "Regular Expression Denial of Service (ReDoS): The vulnerability is caused by poorly constructed regular expressions that cause excessive backtracking when processing certain inputs. The fix should optimize the regex to avoid catastrophic backtracking or replace it with a safer alternative.",
+  "code-injection": "Code Injection: The vulnerability allows injected code to be executed. The fix must properly sanitize/validate inputs and prevent dynamic code execution, or use safe alternatives like template literals with proper escaping.",
+  "path-traversal": "Path Traversal: The vulnerability allows access to files outside intended directories through path traversal sequences (../, etc.). The fix must validate and normalize file paths, use path.resolve() and path.relative() checks.",
+  unknown: "Unknown vulnerability type: Analyze the CVE summary carefully and implement the most appropriate fix for the security issue described."
+};
+var generatePatchTool = tool7({
+  description: "Generate a unified diff patch for a CVE using LLM analysis of vulnerable source code.",
+  parameters: z7.object({
+    packageName: z7.string().min(1).describe("The npm package name"),
+    vulnerableVersion: z7.string().describe("The vulnerable version string"),
+    cveId: z7.string().regex(/^CVE-\d{4}-\d+$/i).describe("CVE ID (e.g., CVE-2021-23337)"),
+    cveSummary: z7.string().min(10).describe("CVE description and impact"),
+    sourceFiles: z7.record(z7.string()).describe(
+      "Map of file paths to source code contents from fetch-package-source"
+    ),
+    vulnerabilityCategory: z7.enum(["redos", "code-injection", "path-traversal", "unknown"]).optional().default("unknown").describe("Category of the vulnerability for better context"),
+    dryRun: z7.boolean().optional().default(false).describe("If true, return analysis without generating patches")
+  }),
+  execute: async ({
+    packageName,
+    vulnerableVersion,
+    cveId,
+    cveSummary,
+    sourceFiles,
+    vulnerabilityCategory,
+    dryRun
+  }) => {
+    try {
+      const model = await createModel();
+      const modelName = model.modelId || "unknown-model";
+      const sourceContext = Object.entries(sourceFiles).map(([filePath, content]) => `
+### File: ${filePath}
+\`\`\`typescript
+${content}
+\`\`\``).join("\n");
+      const vulnerabilityContext = VULNERABILITY_DESCRIPTIONS[vulnerabilityCategory] || VULNERABILITY_DESCRIPTIONS.unknown;
+      const prompt = `You are a security expert tasked with analyzing a CVE vulnerability and generating a secure patch.
+
+## CVE Information
+- CVE ID: ${cveId}
+- Package: ${packageName}@${vulnerableVersion}
+- Category: ${vulnerabilityCategory}
+
+## Vulnerability Summary
+${cveSummary}
+
+## Vulnerability Type Context
+${vulnerabilityContext}
+
+## Vulnerable Source Code
+${sourceContext}
+
+## Your Task
+Analyze the source code to:
+1. Identify the exact code location causing the vulnerability
+2. Explain the root cause of the security issue
+3. Propose a secure fix that addresses the vulnerability
+4. Provide the complete fixed version of affected files
+
+## Response Format
+Respond ONLY with valid JSON (no markdown, no extra text):
+{
+  "analysis": "Detailed explanation of the vulnerability root cause and why it's a security issue",
+  "fixedCode": {
+    "path/to/file.js": "Complete fixed source code for this file",
+    "path/to/other.ts": "Complete fixed source code for this file"
+  },
+  "confidence": 0.95,
+  "riskLevel": "medium"
+}
+
+Important:
+- confidence: number between 0 and 1 indicating how confident you are in the fix
+- riskLevel: "low", "medium", or "high" - assess the risk of the proposed fix breaking functionality
+- fixedCode: must contain the COMPLETE file contents (not just diffs), with the vulnerability addressed
+- Only include files that need modification`;
+      const { text } = await generateText({
+        model,
+        prompt,
+        temperature: 0.3
+        // Lower temperature for more consistent code generation
+      });
+      let analysis;
+      try {
+        const jsonMatch = text.match(/\{[\s\S]*\}/);
+        if (!jsonMatch) {
+          throw new Error("No JSON found in LLM response");
+        }
+        analysis = JSON.parse(jsonMatch[0]);
+      } catch (err) {
+        return {
+          success: false,
+          llmModel: modelName,
+          confidence: 0,
+          riskLevel: "high",
+          error: `Failed to parse LLM response: ${err instanceof Error ? err.message : "unknown error"}`
+        };
+      }
+      if (!analysis.analysis || !analysis.fixedCode || typeof analysis.confidence !== "number" || !["low", "medium", "high"].includes(analysis.riskLevel)) {
+        return {
+          success: false,
+          llmModel: modelName,
+          confidence: 0,
+          riskLevel: "high",
+          error: "LLM response missing required fields (analysis, fixedCode, confidence, riskLevel)"
+        };
+      }
+      if (dryRun) {
+        return {
+          success: true,
+          llmModel: modelName,
+          confidence: analysis.confidence,
+          riskLevel: analysis.riskLevel
+        };
+      }
+      const patches = [];
+      for (const [filePath, fixedCode] of Object.entries(
+        analysis.fixedCode
+      )) {
+        const originalCode = sourceFiles[filePath];
+        if (!originalCode) {
+          continue;
+        }
+        const unifiedDiff = generateUnifiedDiff(
+          originalCode,
+          fixedCode,
+          filePath
+        );
+        if (unifiedDiff) {
+          patches.push({
+            filePath,
+            unifiedDiff
+          });
+        }
+      }
+      if (patches.length === 0) {
+        return {
+          success: false,
+          llmModel: modelName,
+          confidence: analysis.confidence,
+          riskLevel: analysis.riskLevel,
+          error: "No valid patches could be generated from LLM response"
+        };
+      }
+      return {
+        success: true,
+        patches,
+        llmModel: modelName,
+        confidence: analysis.confidence,
+        riskLevel: analysis.riskLevel
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        llmModel: "unknown",
+        confidence: 0,
+        riskLevel: "high",
+        error: `Patch generation failed: ${message}`
+      };
+    }
+  }
+});
+function generateUnifiedDiff(original, fixed, filePath) {
+  if (original === fixed) {
+    return null;
+  }
+  const originalLines = original.split("\n");
+  const fixedLines = fixed.split("\n");
+  const diff = [];
+  diff.push(`--- a/${filePath}`);
+  diff.push(`+++ b/${filePath}`);
+  diff.push("@@ -1," + originalLines.length + " +1," + fixedLines.length + " @@");
+  const maxLen = Math.max(originalLines.length, fixedLines.length);
+  for (let i = 0; i < maxLen; i++) {
+    const origLine = originalLines[i] || "";
+    const fixedLine = fixedLines[i] || "";
+    if (origLine !== fixedLine) {
+      if (origLine) {
+        diff.push("-" + origLine);
+      }
+      if (fixedLine) {
+        diff.push("+" + fixedLine);
+      }
+    } else if (origLine) {
+      diff.push(" " + origLine);
+    }
+  }
+  return diff.join("\n");
+}
+
+// src/remediation/tools/apply-patch-file.ts
+import { tool as tool8 } from "ai";
+import { z as z8 } from "zod";
+import { existsSync as existsSync3 } from "fs";
+import { mkdir as mkdir2, mkdtemp, readFile as readFile2, rm, writeFile } from "fs/promises";
+import { tmpdir } from "os";
+import { join as join6 } from "path";
+import { execa as execa4 } from "execa";
+var applyPatchFileTool = tool8({
+  description: "Write generated patch file and apply it using package-manager-native patch flow when available, falling back to patch-package when needed.",
+  parameters: z8.object({
+    packageName: z8.string().min(1).describe("The npm package name"),
+    vulnerableVersion: z8.string().describe("The vulnerable version string"),
+    patchContent: z8.string().min(10).describe("Unified diff patch content from generate-patch"),
+    patchesDir: z8.string().optional().default("./patches").describe("Directory to store patch files"),
+    cwd: z8.string().describe("Project root directory (for package.json)"),
+    packageManager: z8.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    validateWithTests: z8.boolean().optional().default(true).describe("Run package manager test command to validate patch doesn't break anything")
+  }),
+  execute: async ({
+    packageName,
+    vulnerableVersion,
+    patchContent,
+    patchesDir,
+    cwd,
+    packageManager,
+    validateWithTests
+  }) => {
+    try {
+      const pm = packageManager ?? detectPackageManager(cwd);
+      const patchesDirPath = join6(cwd, patchesDir);
+      await mkdir2(patchesDirPath, { recursive: true });
+      const patchFileName = `${packageName}+${vulnerableVersion}.patch`;
+      const patchFilePath = join6(patchesDirPath, patchFileName);
+      await writeFile(patchFilePath, patchContent, "utf8");
+      let validationResult;
+      const patchMode = await resolvePatchMode(pm, cwd);
+      const applyResult = patchMode === "patch-package" ? await configurePatchPackagePostinstall(cwd) : await applyNativePatch({
+        cwd,
+        packageName,
+        vulnerableVersion,
+        patchContent,
+        patchMode
+      });
+      if (!applyResult.success) {
+        return {
+          success: false,
+          patchPath: patchFilePath,
+          patchMode,
+          postinstallConfigured: patchMode === "patch-package" ? false : void 0,
+          error: applyResult.error
+        };
+      }
+      if (validateWithTests) {
+        validationResult = await validatePatchWithTests(cwd, pm);
+      }
+      return {
+        success: true,
+        patchPath: patchFilePath,
+        patchMode,
+        postinstallConfigured: patchMode === "patch-package",
+        validation: validationResult
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: `Failed to apply patch file: ${message}`
+      };
+    }
+  }
+});
+async function resolvePatchMode(packageManager, cwd) {
+  if (packageManager === "npm") return "patch-package";
+  if (packageManager === "pnpm") return "native-pnpm";
+  try {
+    const result = await execa4("yarn", ["--version"], {
+      cwd,
+      stdio: "pipe"
+    });
+    const version = result.stdout.trim();
+    const major = Number.parseInt(version.split(".")[0] || "0", 10);
+    return major >= 2 ? "native-yarn" : "patch-package";
+  } catch {
+    return "patch-package";
+  }
+}
+async function configurePatchPackagePostinstall(cwd) {
+  const pkgJsonPath = join6(cwd, "package.json");
+  let pkgJson;
+  try {
+    pkgJson = JSON.parse(await readFile2(pkgJsonPath, "utf8"));
+  } catch {
+    return {
+      success: false,
+      error: `Could not read package.json at ${pkgJsonPath}`
+    };
+  }
+  if (!pkgJson.scripts) {
+    pkgJson.scripts = {};
+  }
+  const patchApplyCmd = "patch-package";
+  const currentPostinstall = pkgJson.scripts.postinstall || "";
+  if (currentPostinstall && !currentPostinstall.includes("patch-package")) {
+    pkgJson.scripts.postinstall = `${currentPostinstall} && ${patchApplyCmd}`;
+  } else if (!currentPostinstall) {
+    pkgJson.scripts.postinstall = patchApplyCmd;
+  }
+  await writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2) + "\n", "utf8");
+  return { success: true };
+}
+async function applyNativePatch(params) {
+  const { cwd, packageName, vulnerableVersion, patchContent, patchMode } = params;
+  const packageSpec = `${packageName}@${vulnerableVersion}`;
+  const createArgs = patchMode === "native-pnpm" ? ["pnpm", ["patch", packageSpec]] : ["yarn", ["patch", packageSpec]];
+  let patchDir;
+  try {
+    const createResult = await execa4(createArgs[0], createArgs[1], {
+      cwd,
+      stdio: "pipe"
+    });
+    patchDir = extractPatchDirectory(`${createResult.stdout}
+${createResult.stderr}`);
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to create native patch workspace for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  if (!patchDir) {
+    return {
+      success: false,
+      error: `Could not determine native patch directory for ${packageSpec}.`
+    };
+  }
+  const tempPatchDir = await mkdtemp(join6(tmpdir(), "autoremediator-native-patch-"));
+  const tempPatchFile = join6(tempPatchDir, "change.patch");
+  try {
+    await writeFile(tempPatchFile, patchContent, "utf8");
+    await execa4("patch", ["-p1", "-i", tempPatchFile], {
+      cwd: patchDir,
+      stdio: "pipe"
+    });
+    const commitArgs = patchMode === "native-pnpm" ? ["pnpm", ["patch-commit", patchDir]] : ["yarn", ["patch-commit", "-s", patchDir]];
+    await execa4(commitArgs[0], commitArgs[1], {
+      cwd,
+      stdio: "pipe"
+    });
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to apply native patch for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
+    };
+  } finally {
+    await rm(tempPatchDir, { recursive: true, force: true });
+  }
+  return { success: true };
+}
+function extractPatchDirectory(output) {
+  const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  for (const line of lines) {
+    if (existsSync3(line)) {
+      return line;
+    }
+    const tokens = line.split(/\s+/).map((token) => token.replace(/^['"]|['"]$/g, ""));
+    for (const token of tokens) {
+      if (token.startsWith("/") && existsSync3(token)) {
+        return token;
+      }
+    }
+  }
+  return "";
+}
+async function validatePatchWithTests(cwd, packageManager) {
+  try {
+    const commands = getPackageManagerCommands(packageManager);
+    const [cmd, ...args] = commands.test;
+    const result = await execa4(cmd, args, {
+      cwd,
+      timeout: 6e4,
+      // 60 second timeout
+      stdio: "pipe"
+    });
+    return {
+      passed: true,
+      output: result.stdout
+    };
+  } catch (err) {
+    const errorOutput = err instanceof Error && "stdout" in err ? err.stdout : "";
+    const failedTests = extractFailedTests(errorOutput);
+    return {
+      passed: false,
+      output: errorOutput,
+      failedTests
+    };
+  }
+}
+function extractFailedTests(output) {
+  const failedTests = [];
+  const patterns = [
+    /✖\s+(.+?)(?:\n|$)/g,
+    // Mocha style
+    /●\s+(.+)(?:\n|$)/g,
+    // Jest style
+    /FAIL.*?(.+?)(?:\n|$)/g
+    // Generic FAIL
+  ];
+  for (const pattern of patterns) {
+    let match;
+    while ((match = pattern.exec(output)) !== null) {
+      if (match[1]) {
+        failedTests.push(match[1].trim());
+      }
+    }
+  }
+  return failedTests.slice(0, 5);
+}
+
+// src/remediation/pipeline.ts
+async function runHealAgent(cveId, options = {}) {
+  const provider = resolveProvider(options);
+  if (provider === "local") {
+    return runLocalHealPipeline(cveId, options);
+  }
+  const cwd = options.cwd ?? process.cwd();
+  const packageManager = options.packageManager ?? detectPackageManager(cwd);
+  const dryRun = options.dryRun ?? false;
+  const skipTests = options.skipTests ?? true;
+  const policyPath = options.policyPath ?? "";
+  const patchesDir = options.patchesDir || "./patches";
+  const model = await createModel(options);
+  const systemPrompt = loadOrchestrationPrompt({
+    cveId,
+    cwd,
+    dryRun,
+    skipTests,
+    policyPath,
+    patchesDir,
+    packageManager
+  });
+  const prompt = `Patch vulnerable dependencies affected by ${cveId} in the project at: ${cwd}. Package manager: ${packageManager}.`;
+  const collectedResults = [];
+  const vulnerablePackages = [];
+  let cveDetails = null;
+  let agentSteps = 0;
+  let lastGeneratedPatches = null;
+  const result = await generateText2({
+    model,
+    system: systemPrompt,
+    prompt,
+    tools: {
+      "lookup-cve": lookupCveTool,
+      "check-inventory": checkInventoryTool,
+      "check-version-match": checkVersionMatchTool,
+      "find-fixed-version": findFixedVersionTool,
+      "apply-version-bump": applyVersionBumpTool,
+      "fetch-package-source": fetchPackageSourceTool,
+      "generate-patch": generatePatchTool,
+      "apply-patch-file": applyPatchFileTool
+    },
+    maxSteps: 25,
+    onStepFinish(stepResult) {
+      agentSteps += 1;
+      const { toolResults } = stepResult;
+      for (const tr of toolResults ?? []) {
+        const toolResult = tr.result;
+        if (tr.toolName === "lookup-cve" && toolResult?.data) {
+          cveDetails = toolResult.data;
+        }
+        if (tr.toolName === "check-version-match" && toolResult?.vulnerablePackages) {
+          vulnerablePackages.push(...toolResult.vulnerablePackages);
+        }
+        if (tr.toolName === "apply-version-bump") {
+          collectedResults.push(toolResult);
+        }
+        if (tr.toolName === "fetch-package-source" && toolResult?.success) {
+          const sourceData = {
+            success: toolResult.success,
+            sourceFiles: toolResult.sourceFiles,
+            packageDir: toolResult.packageDir
+          };
+        }
+        if (tr.toolName === "generate-patch" && toolResult?.success) {
+          const patchData = {
+            success: toolResult.success,
+            patches: toolResult.patches,
+            confidence: toolResult.confidence,
+            riskLevel: toolResult.riskLevel
+          };
+          lastGeneratedPatches = patchData.patches || null;
+        }
+        if (tr.toolName === "apply-patch-file" && toolResult) {
+          const patchFileResult = {
+            success: toolResult.success,
+            patchPath: toolResult.patchPath,
+            postinstallConfigured: toolResult.postinstallConfigured,
+            validation: toolResult.validation
+          };
+          if (patchFileResult.success) {
+            collectedResults.push({
+              ...toolResult,
+              strategy: "patch-file"
+            });
+          }
+        }
+      }
+    }
+  });
+  return {
+    cveId,
+    cveDetails,
+    vulnerablePackages,
+    results: collectedResults,
+    agentSteps,
+    summary: result.text
+  };
+}
+async function runLocalHealPipeline(cveId, options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const packageManager = options.packageManager ?? detectPackageManager(cwd);
+  const dryRun = options.dryRun ?? false;
+  const skipTests = options.skipTests ?? true;
+  const policyPath = options.policyPath ?? "";
+  const collectedResults = [];
+  const vulnerablePackages = [];
+  let cveDetails = null;
+  let agentSteps = 0;
+  const normalizedId = cveId.toUpperCase();
+  const [osvDetails, ghPackages] = await Promise.all([
+    lookupCveOsv(normalizedId),
+    lookupCveGitHub(normalizedId).catch(() => [])
+  ]);
+  agentSteps += 2;
+  if (!osvDetails && ghPackages.length === 0) {
+    return {
+      cveId,
+      cveDetails: null,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode failed at lookup-cve: ${normalizedId} not found in OSV or GitHub advisory data.`
+    };
+  }
+  cveDetails = osvDetails ?? {
+    id: normalizedId,
+    summary: "Details sourced from GitHub Advisory Database.",
+    severity: "UNKNOWN",
+    references: [],
+    affectedPackages: []
+  };
+  if (ghPackages.length > 0) {
+    cveDetails = mergeGhDataIntoCveDetails(cveDetails, ghPackages);
+  }
+  cveDetails = await enrichWithNvd(cveDetails);
+  if (cveDetails.affectedPackages.length === 0) {
+    return {
+      cveId,
+      cveDetails,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode lookup succeeded but no npm affected packages were found for ${normalizedId}.`
+    };
+  }
+  const inventory = await checkInventoryTool.execute({ cwd, packageManager });
+  agentSteps += 1;
+  if (inventory?.error) {
+    return {
+      cveId,
+      cveDetails,
+      vulnerablePackages,
+      results: collectedResults,
+      agentSteps,
+      summary: `Local mode failed at check-inventory: ${inventory.error}`
+    };
+  }
+  const installedPackages = inventory.packages ?? [];
+  for (const affected of cveDetails.affectedPackages) {
+    if (!affected || typeof affected !== "object") continue;
+    if (!affected.name || !affected.vulnerableRange) continue;
+    if (affected.ecosystem !== "npm") continue;
+    const matches = installedPackages.filter((p) => p.name === affected.name);
+    for (const installed of matches) {
+      if (!semver4.valid(installed.version)) continue;
+      let isVulnerable = false;
+      try {
+        isVulnerable = semver4.satisfies(installed.version, affected.vulnerableRange, {
+          includePrerelease: false
+        });
+      } catch {
+        continue;
+      }
+      if (isVulnerable) {
+        vulnerablePackages.push({ installed, affected });
+      }
+    }
+  }
+  agentSteps += 1;
+  for (const vulnerable of vulnerablePackages) {
+    const pkg = vulnerable.installed;
+    const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;
+    if (!firstPatchedVersion) {
+      collectedResults.push({
+        packageName: pkg.name,
+        strategy: "none",
+        fromVersion: pkg.version,
+        applied: false,
+        dryRun,
+        message: `No firstPatchedVersion available for ${pkg.name}; cannot resolve deterministic upgrade in local mode.`
+      });
+      continue;
+    }
+    const safeVersion = await findSafeUpgradeVersion(
+      pkg.name,
+      pkg.version,
+      firstPatchedVersion
+    );
+    agentSteps += 1;
+    if (!safeVersion) {
+      collectedResults.push({
+        packageName: pkg.name,
+        strategy: "none",
+        fromVersion: pkg.version,
+        applied: false,
+        dryRun,
+        message: `No safe upgrade version found for ${pkg.name}.`
+      });
+      continue;
+    }
+    const applyResult = await applyVersionBumpTool.execute({
+      cwd,
+      packageManager,
+      packageName: pkg.name,
+      fromVersion: pkg.version,
+      toVersion: safeVersion,
+      dryRun,
+      policyPath,
+      skipTests
+    });
+    agentSteps += 1;
+    collectedResults.push(applyResult);
+  }
+  const appliedCount = collectedResults.filter((r) => r.applied).length;
+  const unresolvedCount = collectedResults.filter((r) => !r.applied && !r.dryRun).length;
+  const dryRunCount = collectedResults.filter((r) => r.dryRun).length;
+  return {
+    cveId,
+    cveDetails,
+    vulnerablePackages,
+    results: collectedResults,
+    agentSteps,
+    summary: `Local mode completed: vulnerable=${vulnerablePackages.length}, applied=${appliedCount}, dryRun=${dryRunCount}, unresolved=${unresolvedCount}`
+  };
+}
+function loadOrchestrationPrompt(ctx) {
+  const promptPath = join7(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
+  if (!existsSync4(promptPath)) {
+    return `You are autoremediator, an agentic security remediation system for Node.js package dependencies.
+Working directory: ${ctx.cwd}
+  Package manager: ${ctx.packageManager}
+Dry run: ${ctx.dryRun}
+Skip tests: ${ctx.skipTests}
+Policy path: ${ctx.policyPath || "undefined"}
+Patches dir: ${ctx.patchesDir}
+
+Required sequence:
+1. lookup-cve
+2. check-inventory
+3. check-version-match
+4. find-fixed-version
+5. apply-version-bump
+
+Fallback sequence (when strategy="none"):
+1. fetch-package-source
+2. generate-patch
+3. apply-patch-file
+
+Always respect dryRun and policy constraints.`;
+  }
+  const template = readFileSync4(promptPath, "utf8");
+  return template.replaceAll("{{cveId}}", ctx.cveId).replaceAll("{{cwd}}", ctx.cwd).replaceAll("{{packageManager}}", ctx.packageManager).replaceAll("{{dryRun}}", String(ctx.dryRun)).replaceAll("{{skipTests}}", String(ctx.skipTests)).replaceAll("{{policyPath}}", ctx.policyPath || "undefined").replaceAll("{{patchesDir}}", ctx.patchesDir);
+}
+
+// src/scanner/index.ts
+import { extname } from "path";
+import { readFileSync as readFileSync8 } from "fs";
+
+// src/scanner/adapters/npm-audit.ts
+import { readFileSync as readFileSync5 } from "fs";
+var CVE_REGEX = /CVE-\d{4}-\d+/gi;
+function normalizeSeverity(raw) {
+  if (!raw) return "UNKNOWN";
+  const up = raw.toUpperCase();
+  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
+    return up;
+  }
+  return "UNKNOWN";
+}
+function parseNpmAuditJsonFromString(content) {
+  const report = JSON.parse(content);
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
+    for (const viaEntry of vuln.via ?? []) {
+      const text = typeof viaEntry === "string" ? viaEntry : `${viaEntry.url ?? ""} ${viaEntry.name ?? ""}`;
+      const matches = text.match(CVE_REGEX) ?? [];
+      for (const match of matches) {
+        const cveId = match.toUpperCase();
+        const key = `${cveId}:${vuln.name}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        findings.push({
+          cveId,
+          source: "npm-audit",
+          packageName: vuln.name,
+          severity: normalizeSeverity(vuln.severity)
+        });
+      }
+    }
+  }
+  return findings;
+}
+function parseNpmAuditJsonFile(filePath) {
+  const content = readFileSync5(filePath, "utf8");
+  return parseNpmAuditJsonFromString(content);
+}
+
+// src/scanner/adapters/yarn-audit.ts
+import { readFileSync as readFileSync6 } from "fs";
+var CVE_REGEX2 = /CVE-\d{4}-\d+/gi;
+function normalizeSeverity2(raw) {
+  if (!raw) return "UNKNOWN";
+  const up = raw.toUpperCase();
+  if (up === "CRITICAL" || up === "HIGH" || up === "MEDIUM" || up === "LOW") {
+    return up;
+  }
+  return "UNKNOWN";
+}
+function parseYarnAuditJsonFromString(content) {
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  const lines = content.split("\n").map((line) => line.trim()).filter(Boolean);
+  for (const line of lines) {
+    let parsed;
+    try {
+      parsed = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    const event = parsed;
+    if (event.type !== "auditAdvisory") continue;
+    const advisory = event.data?.advisory;
+    const packageName = advisory?.module_name;
+    const severity = normalizeSeverity2(advisory?.severity);
+    const text = `${advisory?.url ?? ""} ${(advisory?.cves ?? []).join(" ")}`;
+    const matches = text.match(CVE_REGEX2) ?? [];
+    for (const match of matches) {
+      const cveId = match.toUpperCase();
+      const key = `${cveId}:${packageName ?? ""}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      findings.push({
+        cveId,
+        source: "yarn-audit",
+        packageName,
+        severity
+      });
+    }
+  }
+  return findings;
+}
+function parseYarnAuditJsonFile(filePath) {
+  const content = readFileSync6(filePath, "utf8");
+  return parseYarnAuditJsonFromString(content);
+}
+
+// src/scanner/adapters/sarif.ts
+import { readFileSync as readFileSync7 } from "fs";
+var CVE_REGEX3 = /CVE-\d{4}-\d+/gi;
+function extractPackageName(result) {
+  const pkg = result.properties?.["packageName"];
+  return typeof pkg === "string" ? pkg : void 0;
+}
+function parseSarifFromString(content) {
+  const report = JSON.parse(content);
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const run of report.runs ?? []) {
+    for (const result of run.results ?? []) {
+      const combined = `${result.ruleId ?? ""} ${result.message?.text ?? ""}`;
+      const matches = combined.match(CVE_REGEX3) ?? [];
+      for (const match of matches) {
+        const cveId = match.toUpperCase();
+        const pkg = extractPackageName(result);
+        const key = `${cveId}:${pkg ?? ""}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        findings.push({
+          cveId,
+          source: "sarif",
+          packageName: pkg,
+          severity: "UNKNOWN"
+        });
+      }
+    }
+  }
+  return findings;
+}
+function parseSarifFile(filePath) {
+  const content = readFileSync7(filePath, "utf8");
+  return parseSarifFromString(content);
+}
+
+// src/scanner/index.ts
+function parseScanInput(filePath, format) {
+  const resolved = format === "auto" ? inferFormat(filePath) : format;
+  if (resolved === "npm-audit") {
+    return parseNpmAuditJsonFile(filePath);
+  }
+  if (resolved === "yarn-audit") {
+    return parseYarnAuditJsonFile(filePath);
+  }
+  if (resolved === "sarif") {
+    return parseSarifFile(filePath);
+  }
+  throw new Error(`Unsupported input format: ${resolved}`);
+}
+function inferFormat(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  if (ext === ".sarif") return "sarif";
+  try {
+    const content = readFileSync8(filePath, "utf8");
+    const firstLine = content.split("\n").find((line) => line.trim().startsWith("{"));
+    if (firstLine) {
+      const parsed = JSON.parse(firstLine);
+      if (parsed.type === "auditAdvisory" || parsed.type === "auditSummary") {
+        return "yarn-audit";
+      }
+    }
+  } catch {
+  }
+  return "npm-audit";
+}
+function uniqueCveIds(findings) {
+  return [...new Set(findings.map((f) => f.cveId.toUpperCase()))];
+}
+
+// src/platform/evidence.ts
+import { mkdirSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join8 } from "path";
+function createEvidenceLog(cwd, cveIds) {
+  return {
+    runId: `${Date.now()}`,
+    cveIds,
+    cwd,
+    startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    steps: []
+  };
+}
+function addEvidenceStep(log, action, input, output, error) {
+  log.steps.push({
+    at: (/* @__PURE__ */ new Date()).toISOString(),
+    action,
+    input,
+    output,
+    error
+  });
+}
+function finalizeEvidence(log) {
+  log.finishedAt = (/* @__PURE__ */ new Date()).toISOString();
+  return log;
+}
+function writeEvidenceLog(cwd, log) {
+  const dir = join8(cwd, ".autoremediator", "evidence");
+  mkdirSync(dir, { recursive: true });
+  const filePath = join8(dir, `${log.runId}.json`);
+  writeFileSync2(filePath, JSON.stringify(log, null, 2) + "\n", "utf8");
+  return filePath;
+}
+
+// src/api.ts
+var runRemediationPipeline = runHealAgent;
+async function remediate(cveId, options = {}) {
+  if (!/^CVE-\d{4}-\d+$/i.test(cveId)) {
+    throw new Error(
+      `Invalid CVE ID: "${cveId}". Expected format: CVE-YYYY-NNNNN (e.g. CVE-2021-23337).`
+    );
+  }
+  return runHealAgent(cveId.toUpperCase(), options);
+}
+async function remediateFromScan(inputPath, options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const format = options.format ?? "auto";
+  const patchesDir = options.patchesDir ?? "./patches";
+  const findings = parseScanInput(inputPath, format);
+  const cveIds = uniqueCveIds(findings);
+  const policy = loadPolicy(cwd, options.policyPath);
+  const evidence = createEvidenceLog(cwd, cveIds);
+  addEvidenceStep(evidence, "scan.parse", { inputPath, format }, { findingCount: findings.length, cveCount: cveIds.length });
+  const reports = [];
+  const errors = [];
+  const patchValidationFailures = [];
+  let patchFileCount = 0;
+  for (const cveId of cveIds) {
+    try {
+      addEvidenceStep(evidence, "heal.start", { cveId });
+      const report = await remediate(cveId, {
+        ...options,
+        patchesDir
+      });
+      report.results = report.results.filter((r) => isPackageAllowed(policy, r.packageName));
+      for (const result of report.results) {
+        if (result.strategy === "patch-file") {
+          patchFileCount += 1;
+        }
+        if (result.validation?.passed === false && result.validation?.error) {
+          patchValidationFailures.push({
+            packageName: result.packageName,
+            cveId,
+            error: result.validation.error
+          });
+        }
+      }
+      reports.push(report);
+      addEvidenceStep(evidence, "heal.finish", { cveId }, { results: report.results.length });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      errors.push({ cveId, message });
+      addEvidenceStep(evidence, "heal.error", { cveId }, void 0, message);
+    }
+  }
+  let successCount = 0;
+  let failedCount = 0;
+  for (const report of reports) {
+    for (const result of report.results) {
+      if (result.applied || result.dryRun) {
+        successCount += 1;
+      } else {
+        failedCount += 1;
+      }
+    }
+  }
+  failedCount += errors.length;
+  let status = "ok";
+  if (failedCount > 0 && successCount > 0) {
+    status = "partial";
+  } else if (failedCount > 0 && successCount === 0) {
+    status = "failed";
+  }
+  finalizeEvidence(evidence);
+  const evidenceFile = options.writeEvidence === false ? void 0 : writeEvidenceLog(cwd, evidence);
+  return {
+    schemaVersion: "1.0",
+    status,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    cveIds,
+    reports,
+    successCount,
+    failedCount,
+    errors,
+    evidenceFile,
+    patchFileCount,
+    patchValidationFailures: patchValidationFailures.length > 0 ? patchValidationFailures : void 0,
+    patchStorageDir: patchFileCount > 0 ? patchesDir : void 0
+  };
+}
+function toCiSummary(report) {
+  let remediationCount = 0;
+  for (const cveReport of report.reports) {
+    remediationCount += cveReport.results.length;
+  }
+  return {
+    schemaVersion: report.schemaVersion,
+    status: report.status,
+    generatedAt: report.generatedAt,
+    cveCount: report.cveIds.length,
+    remediationCount,
+    successCount: report.successCount,
+    failedCount: report.failedCount,
+    errors: report.errors,
+    evidenceFile: report.evidenceFile,
+    patchFileCount: report.patchFileCount || 0,
+    patchValidationFailures: report.patchValidationFailures,
+    patchStorageDir: report.patchStorageDir
+  };
+}
+function ciExitCode(summary) {
+  return summary.failedCount > 0 ? 1 : 0;
+}
+
+export {
+  runHealAgent,
+  runRemediationPipeline,
+  remediate,
+  remediateFromScan,
+  toCiSummary,
+  ciExitCode
+};
+//# sourceMappingURL=chunk-H4ICCI3K.js.map