autoremediator 0.1.2 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -5,104 +5,81 @@
  [![license](https://img.shields.io/npm/l/autoremediator.svg)](https://github.com/Rawlings/autoremediator/blob/master/LICENSE)
  [![node](https://img.shields.io/node/v/autoremediator.svg)](https://www.npmjs.com/package/autoremediator)
 
- Autoremediator is an agentic Node.js CVE remediation tool.
+ > [!WARNING]
+ > Automated dependency remediation is a controversial practice.
+ > It can reduce exposure windows, but it can also introduce operational and supply-chain risk if used without policy controls.
+ > Autoremediator is designed for automation-first teams, and should be paired with explicit policy, CI safeguards, and repository protection rules.
 
- It can remediate from either a single CVE ID or scanner output, then apply safe dependency updates with package-manager-aware validation and fallback strategies.
+ Autoremediator is an automation-first Node.js CVE remediation platform package.
 
- - Scanner-first workflow with CVE fallback
- - Package manager support: npm, pnpm, yarn
- - Policy-driven safety controls
- - Evidence logging and CI summary support
+ This package is designed for teams that want remediation integrated into GitHub workflows and CI pipelines.
 
- ## For AI Agents
+ It exposes stable SDK and CLI surfaces for direct CVE remediation and scanner-driven automation.
 
- Autoremediator is useful in practical dependency-security workflows where teams need fixes, evidence, and CI-friendly behavior.
+ ## Why Teams Use It
 
- Common scenarios:
+ - Continuous remediation in CI and scheduled GitHub workflows
+ - Scanner-to-fix pipelines from npm audit, yarn audit, and SARIF inputs
+ - Policy-aware upgrade behavior for controlled automation at scale
+ - Structured evidence and summary outputs for security operations
+ - Multiple integration surfaces for platform engineering and automation agents
 
- - Cleaning up npm audit or yarn audit results in active services.
- - Triage and remediation of a specific CVE across one or many Node.js projects.
- - Converting scanner outputs (including SARIF) into actionable dependency updates.
- - Running non-interactive remediation in CI with deterministic summaries and exit codes.
- - Powering internal security assistants through CLI, SDK, or MCP tool integration.
+ ## Primary Use Cases
 
- Primary surfaces:
+ - Scheduled GitHub Actions remediation jobs with auto-generated pull requests
+ - CI enforcement gates that fail on unresolved remediation outcomes
+ - Scanner-to-fix automation from npm audit, yarn audit, and SARIF outputs
+ - Platform-level remediation orchestration across many services
+ - Agentic integration via CLI, SDK, MCP, and OpenAPI
 
- - CLI: `autoremediator`
- - MCP server: `autoremediator-mcp`
- - SDK: `import { remediate, remediateFromScan } from "autoremediator"`
+ ## How Remediation Works
 
- ## Use Cases
+ Core pipeline behavior:
 
- - Auto-remediate npm audit findings in CI with deterministic exit codes.
- - Process SARIF security scan output and apply safe dependency upgrades.
- - Build an internal security bot on top of the MCP server tool surface.
- - Integrate CVE-to-fix workflows into custom Node.js platform tooling.
- - Run scanner-to-remediation pipelines across npm, pnpm, and yarn projects.
+ 1. CVE lookup and enrichment
+ 2. installed dependency inventory detection
+ 3. vulnerable version matching
+ 4. safe version bump attempt
+ 5. controlled fallback patch flow when no safe bump exists
 
- ## Installation
+ Safety and policy controls are applied through each stage.
 
- Global:
+ ## Surfaces
 
- ```bash
- pnpm add -g autoremediator
- # or
- npm install -g autoremediator
- # or
- yarn global add autoremediator
- ```
+ - CLI: workflow and CI execution
+ - SDK: custom automation programs
+ - MCP: AI host integrations
+ - OpenAPI: service-based automation
 
- Project-local:
-
- ```bash
- pnpm add -D autoremediator
- pnpm exec autoremediator --help
- ```
-
- ## Environment
-
- Set one provider key:
-
- ```bash
- export OPENAI_API_KEY=...
- # or
- export ANTHROPIC_API_KEY=...
- ```
-
- ## Quick Start
-
- Single CVE:
-
- ```bash
- autoremediator CVE-2021-23337
- autoremediator CVE-2021-23337 --dry-run
- autoremediator CVE-2021-23337 --run-tests
- autoremediator CVE-2021-23337 --llm-provider anthropic
- ```
+ ## Documentation
 
- Scanner input:
+ - [Docs Home](https://rawlings.github.io/autoremediator/)
+ - [Getting Started](https://rawlings.github.io/autoremediator/docs/getting-started): install and first remediation runs
+ - [CLI Reference](https://rawlings.github.io/autoremediator/docs/cli): command and option semantics
+ - [Scanner Inputs](https://rawlings.github.io/autoremediator/docs/scanner-inputs): scanner adapters and format constraints
+ - [Policy and Safety](https://rawlings.github.io/autoremediator/docs/policy-and-safety): policy precedence and operational guardrails
+ - [API and SDK](https://rawlings.github.io/autoremediator/docs/api-sdk): public programmatic entry points
+ - [Integrations](https://rawlings.github.io/autoremediator/docs/integrations): CI workflows and service integrations
+ - [Contributor Guide](https://rawlings.github.io/autoremediator/docs/contributor-guide): architecture and extension guidance
 
- ```bash
- autoremediator ./audit.json
- autoremediator ./report.sarif --format sarif
- autoremediator --input ./scan.json --format auto
- ```
+ ## Product Direction
 
- CI mode:
+ - Prioritize automation workflows over one-off manual runs
+ - Configure policy and branch protection before broad rollout
+ - Use CI summaries and evidence outputs for operational governance
 
- ```bash
- autoremediator ./scan.json --ci --summary-file ./summary.json
- ```
+ ## Getting Started Fast
 
- ## Documentation
+ Start from the live guides instead of repo markdown:
 
- - Live docs site: https://rawlings.github.io/autoremediator/
- - Repository: https://github.com/Rawlings/autoremediator
+ - [Quick setup](https://rawlings.github.io/autoremediator/docs/getting-started)
+ - [Automation workflows](https://rawlings.github.io/autoremediator/docs/integrations)
+ - [Safety controls](https://rawlings.github.io/autoremediator/docs/policy-and-safety)
 
- ## Exit Codes (CI)
+ ## Package
 
- - `0` when failedCount is 0
- - `1` when failedCount is greater than 0
+ - [npm package](https://www.npmjs.com/package/autoremediator)
+ - [repository](https://github.com/Rawlings/autoremediator)
 
  ## License
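Review bot: this rewrite removes three pieces of operational contract that CI consumers and security reviewers rely on and replaces them only with links to an external docs site: the `## Exit Codes (CI)` section (`0` when failedCount is 0, `1` when failedCount is greater than 0), the `## Environment` section stating that one of `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` must be set, and the `autoremediator ./scan.json --ci --summary-file ./summary.json` invocation. The new bullets "CI enforcement gates that fail on unresolved remediation outcomes" and "Use CI summaries and evidence outputs for operational governance" now assert behaviour the README itself no longer documents, and the requirement for an LLM provider credential is exactly what a team assessing an automated dependency-patching tool needs to see before installing it, so keep at least the exit-code list and the provider-key note inline and let the docs links carry the detail. Smaller points: the scanner-to-fix bullet (npm audit, yarn audit, SARIF) appears almost verbatim under both `## Why Teams Use It` and `## Primary Use Cases`, so one of the two lists could be dropped; items 2 to 5 of the numbered pipeline list are lowercase while item 1 is capitalised; and the concrete entry points that were removed (`autoremediator-mcp` and `import { remediate, remediateFromScan } from "autoremediator"`) have no replacement, so the new `## Surfaces` list names four surfaces without telling the reader how to invoke any of them.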