autoremediator 0.1.2 → 0.2.1

package/dist/{chunk-H4ICCI3K.js → chunk-DQKT2CUG.js}

@@ -80,7 +80,7 @@ function getPackageManagerCommands(pm) {
       installPreferOffline: ["pnpm", "install", "--prefer-offline"],
       installDev: (pkg) => ["pnpm", "add", "-D", pkg],
       test: ["pnpm", "test"],
-      list: ["pnpm", "list", "--json", "--depth=0"],
+      list: ["pnpm", "list", "--json", "--depth", "99"],
       lockfileName: "pnpm-lock.yaml"
     };
   }
@@ -90,7 +90,7 @@ function getPackageManagerCommands(pm) {
       installPreferOffline: ["yarn", "install"],
       installDev: (pkg) => ["yarn", "add", "--dev", pkg],
       test: ["yarn", "test"],
-      list: ["yarn", "list", "--json", "--depth=0"],
+      list: ["yarn", "list", "--json"],
       lockfileName: "yarn.lock"
     };
   }
@@ -99,7 +99,7 @@ function getPackageManagerCommands(pm) {
     installPreferOffline: ["npm", "install", "--prefer-offline"],
     installDev: (pkg) => ["npm", "install", "--save-dev", pkg],
     test: ["npm", "test"],
-    list: ["npm", "list", "--json", "--depth=0"],
+    list: ["npm", "list", "--json", "--all"],
     lockfileName: "package-lock.json"
   };
 }
@@ -134,13 +134,18 @@ function parseListOutput(pm, stdout) {
     return versions;
   }
   const root = Array.isArray(parsed) ? parsed[0] : parsed;
-  const dependencies = root?.dependencies;
-  for (const [name, entry] of Object.entries(dependencies ?? {})) {
-    const version = entry?.version;
-    if (typeof version === "string" && version) {
-      versions.set(name, version);
+  function collectDependencies(tree) {
+    if (!tree) return;
+    for (const [name, entry] of Object.entries(tree)) {
+      if (!entry || typeof entry !== "object") continue;
+      const version = entry.version;
+      if (typeof version === "string" && version) {
+        versions.set(name, version);
+      }
+      collectDependencies(entry.dependencies);
     }
   }
+  collectDependencies(root?.dependencies);
   return versions;
 }
 
@@ -506,11 +511,18 @@ async function fetchPackageVersions(packageName) {
   const data = await res.json();
   return Object.keys(data.versions);
 }
-async function findSafeUpgradeVersion(packageName, installedVersion, firstPatchedVersion) {
+async function findSafeUpgradeVersion(packageName, installedVersion, firstPatchedVersion, vulnerableRange) {
   const versions = await fetchPackageVersions(packageName);
   if (!versions.length) return void 0;
   const installedMajor = semver2.major(installedVersion);
-  const candidates = versions.filter((v) => semver2.valid(v) && semver2.gte(v, firstPatchedVersion)).sort(semver2.compare);
+  const candidates = versions.filter((v) => semver2.valid(v) && semver2.gte(v, firstPatchedVersion)).filter((v) => {
+    if (!vulnerableRange) return true;
+    try {
+      return !semver2.satisfies(v, vulnerableRange, { includePrerelease: false });
+    } catch {
+      return true;
+    }
+  }).sort(semver2.compare);
   if (!candidates.length) return void 0;
   const sameMajor = candidates.find(
     (v) => semver2.major(v) === installedMajor
@@ -527,17 +539,20 @@ var findFixedVersionTool = tool4({
     installedVersion: z4.string().describe("The currently installed version (exact semver)"),
     firstPatchedVersion: z4.string().describe(
       "The first version that is NOT vulnerable (from lookup-cve). Use this as the floor."
-    )
+    ),
+    vulnerableRange: z4.string().optional().describe("Optional vulnerable semver range used to exclude still-vulnerable versions")
   }),
   execute: async ({
     packageName,
     installedVersion,
-    firstPatchedVersion
+    firstPatchedVersion,
+    vulnerableRange
   }) => {
     const safeVersion = await findSafeUpgradeVersion(
       packageName,
       installedVersion,
-      firstPatchedVersion
+      firstPatchedVersion,
+      vulnerableRange
     );
     if (!safeVersion) {
       return {
@@ -570,8 +585,7 @@ import { join as join3 } from "path";
 var DEFAULT_POLICY = {
   allowMajorBumps: false,
   denyPackages: [],
-  allowPackages: [],
-  autoApply: true
+  allowPackages: []
 };
 function loadPolicy(cwd, explicitPath) {
   const candidate = explicitPath ?? join3(cwd, ".autoremediator.json");
@@ -581,8 +595,7 @@ function loadPolicy(cwd, explicitPath) {
     return {
       allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
       denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
-      allowPackages: parsed.allowPackages ?? DEFAULT_POLICY.allowPackages,
-      autoApply: parsed.autoApply ?? DEFAULT_POLICY.autoApply
+      allowPackages: parsed.allowPackages ?? DEFAULT_POLICY.allowPackages
     };
   } catch {
     return DEFAULT_POLICY;
@@ -756,7 +769,7 @@ var applyVersionBumpTool = tool5({
 // src/remediation/tools/fetch-package-source.ts
 import { tool as tool6 } from "ai";
 import { z as z6 } from "zod";
-import { mkdir, readdir, readFile } from "fs/promises";
+import { mkdir, readdir, readFile, rm } from "fs/promises";
 import { join as join5 } from "path";
 import { execa as execa3 } from "execa";
 var fetchPackageSourceTool = tool6({
@@ -831,7 +844,7 @@ var fetchPackageSourceTool = tool6({
       }
       return {
         success: true,
-        sourceCode,
+        sourceFiles: sourceCode,
         packageDir: packageRootDir
       };
     } catch (err) {
@@ -846,6 +859,8 @@ var fetchPackageSourceTool = tool6({
         success: false,
         error: `Failed to fetch and extract package ${packageName}@${version}: ${message}`
       };
+    } finally {
+      await rm(tempBaseDir, { recursive: true, force: true });
     }
   }
 });
@@ -883,9 +898,19 @@ var generatePatchTool = tool7({
     dryRun
   }) => {
     try {
+      const resolvedSourceFiles = sourceFiles;
+      if (Object.keys(resolvedSourceFiles).length === 0) {
+        return {
+          success: false,
+          llmModel: "unknown",
+          confidence: 0,
+          riskLevel: "high",
+          error: "No source files were provided. Call fetch-package-source first and pass sourceFiles."
+        };
+      }
       const model = await createModel();
       const modelName = model.modelId || "unknown-model";
-      const sourceContext = Object.entries(sourceFiles).map(([filePath, content]) => `
+      const sourceContext = Object.entries(resolvedSourceFiles).map(([filePath, content]) => `
 ### File: ${filePath}
 \`\`\`typescript
 ${content}
@@ -974,12 +999,12 @@ Important:
       for (const [filePath, fixedCode] of Object.entries(
         analysis.fixedCode
       )) {
-        const originalCode = sourceFiles[filePath];
-        if (!originalCode) {
+        const sourceFile = resolvedSourceFiles[filePath];
+        if (!sourceFile) {
           continue;
         }
         const unifiedDiff = generateUnifiedDiff(
-          originalCode,
+          sourceFile,
           fixedCode,
           filePath
         );
@@ -1002,6 +1027,7 @@ Important:
       return {
         success: true,
         patches,
+        patchContent: patches[0]?.unifiedDiff,
         llmModel: modelName,
         confidence: analysis.confidence,
         riskLevel: analysis.riskLevel
@@ -1050,7 +1076,7 @@ function generateUnifiedDiff(original, fixed, filePath) {
 import { tool as tool8 } from "ai";
 import { z as z8 } from "zod";
 import { existsSync as existsSync3 } from "fs";
-import { mkdir as mkdir2, mkdtemp, readFile as readFile2, rm, writeFile } from "fs/promises";
+import { mkdir as mkdir2, mkdtemp, readFile as readFile2, rm as rm2, writeFile } from "fs/promises";
 import { tmpdir } from "os";
 import { join as join6 } from "path";
 import { execa as execa4 } from "execa";
@@ -1059,40 +1085,81 @@ var applyPatchFileTool = tool8({
   parameters: z8.object({
     packageName: z8.string().min(1).describe("The npm package name"),
     vulnerableVersion: z8.string().describe("The vulnerable version string"),
-    patchContent: z8.string().min(10).describe("Unified diff patch content from generate-patch"),
+    patchContent: z8.string().min(10).optional().describe("Unified diff patch content from generate-patch"),
+    patches: z8.array(
+      z8.object({
+        filePath: z8.string().min(1),
+        unifiedDiff: z8.string().min(10)
+      })
+    ).optional().describe("Patch list from generate-patch; first patch is applied"),
     patchesDir: z8.string().optional().default("./patches").describe("Directory to store patch files"),
     cwd: z8.string().describe("Project root directory (for package.json)"),
     packageManager: z8.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
-    validateWithTests: z8.boolean().optional().default(true).describe("Run package manager test command to validate patch doesn't break anything")
+    validateWithTests: z8.boolean().optional().default(true).describe("Run package manager test command to validate patch doesn't break anything"),
+    dryRun: z8.boolean().optional().default(false).describe("If true, report but do not mutate files")
+  }).refine((value) => Boolean(value.patchContent || value.patches && value.patches.length > 0), {
+    message: "Either patchContent or patches must be provided"
   }),
   execute: async ({
     packageName,
     vulnerableVersion,
     patchContent,
+    patches,
     patchesDir,
     cwd,
     packageManager,
-    validateWithTests
+    validateWithTests,
+    dryRun
   }) => {
     try {
       const pm = packageManager ?? detectPackageManager(cwd);
+      const selectedPatch = patchContent ?? patches?.[0]?.unifiedDiff;
+      if (!selectedPatch) {
+        return {
+          success: false,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun,
+          message: "No patch content provided.",
+          error: "No patch content provided."
+        };
+      }
+      const patchFileName = buildPatchFileName(packageName, vulnerableVersion);
+      const patchFilePath = join6(cwd, patchesDir, patchFileName);
+      if (dryRun) {
+        return {
+          success: true,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun: true,
+          message: `[DRY RUN] Would write and configure patch at ${patchFilePath}.`,
+          patchFilePath,
+          patchPath: patchFilePath
+        };
+      }
       const patchesDirPath = join6(cwd, patchesDir);
       await mkdir2(patchesDirPath, { recursive: true });
-      const patchFileName = `${packageName}+${vulnerableVersion}.patch`;
-      const patchFilePath = join6(patchesDirPath, patchFileName);
-      await writeFile(patchFilePath, patchContent, "utf8");
+      await writeFile(patchFilePath, selectedPatch, "utf8");
       let validationResult;
       const patchMode = await resolvePatchMode(pm, cwd);
-      const applyResult = patchMode === "patch-package" ? await configurePatchPackagePostinstall(cwd) : await applyNativePatch({
+      const applyResult = patchMode === "patch-package" ? await configurePatchPackagePostinstall(cwd, pm) : await applyNativePatch({
         cwd,
         packageName,
         vulnerableVersion,
-        patchContent,
+        patchContent: selectedPatch,
         patchMode
       });
       if (!applyResult.success) {
         return {
           success: false,
+          packageName,
+          vulnerableVersion,
+          applied: false,
+          dryRun: false,
+          message: applyResult.error,
+          patchFilePath,
           patchPath: patchFilePath,
           patchMode,
           postinstallConfigured: patchMode === "patch-package" ? false : void 0,
@@ -1101,9 +1168,32 @@ var applyPatchFileTool = tool8({
       }
       if (validateWithTests) {
         validationResult = await validatePatchWithTests(cwd, pm);
+        if (!validationResult.passed) {
+          const validationError = "Patch validation failed after apply; patch marked unresolved.";
+          return {
+            success: false,
+            packageName,
+            vulnerableVersion,
+            applied: false,
+            dryRun: false,
+            message: validationError,
+            patchFilePath,
+            patchPath: patchFilePath,
+            patchMode,
+            postinstallConfigured: patchMode === "patch-package",
+            validation: validationResult,
+            error: validationError
+          };
+        }
       }
       return {
         success: true,
+        packageName,
+        vulnerableVersion,
+        applied: true,
+        dryRun: false,
+        message: `Patch applied successfully for ${packageName}@${vulnerableVersion}.`,
+        patchFilePath,
         patchPath: patchFilePath,
         patchMode,
         postinstallConfigured: patchMode === "patch-package",
@@ -1113,6 +1203,11 @@ var applyPatchFileTool = tool8({
       const message = err instanceof Error ? err.message : String(err);
       return {
         success: false,
+        packageName,
+        vulnerableVersion,
+        applied: false,
+        dryRun,
+        message: `Failed to apply patch file: ${message}`,
         error: `Failed to apply patch file: ${message}`
       };
     }
@@ -1133,7 +1228,11 @@ async function resolvePatchMode(packageManager, cwd) {
     return "patch-package";
   }
 }
-async function configurePatchPackagePostinstall(cwd) {
+function buildPatchFileName(packageName, vulnerableVersion) {
+  const safeName = packageName.replace(/^@/, "").replace(/\//g, "+");
+  return `${safeName}+${vulnerableVersion}.patch`;
+}
+async function configurePatchPackagePostinstall(cwd, packageManager) {
   const pkgJsonPath = join6(cwd, "package.json");
   let pkgJson;
   try {
@@ -1144,6 +1243,22 @@ async function configurePatchPackagePostinstall(cwd) {
       error: `Could not read package.json at ${pkgJsonPath}`
     };
   }
+  const devDependencies = pkgJson.devDependencies ?? {};
+  if (!devDependencies["patch-package"]) {
+    try {
+      const commands = getPackageManagerCommands(packageManager);
+      const [cmd, ...args] = commands.installDev("patch-package");
+      await execa4(cmd, args, {
+        cwd,
+        stdio: "pipe"
+      });
+    } catch (err) {
+      return {
+        success: false,
+        error: `Failed to install patch-package: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
   if (!pkgJson.scripts) {
     pkgJson.scripts = {};
   }
@@ -1160,10 +1275,11 @@ async function configurePatchPackagePostinstall(cwd) {
 async function applyNativePatch(params) {
   const { cwd, packageName, vulnerableVersion, patchContent, patchMode } = params;
   const packageSpec = `${packageName}@${vulnerableVersion}`;
-  const createArgs = patchMode === "native-pnpm" ? ["pnpm", ["patch", packageSpec]] : ["yarn", ["patch", packageSpec]];
+  const createCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
+  const createArgs = ["patch", packageSpec];
   let patchDir;
   try {
-    const createResult = await execa4(createArgs[0], createArgs[1], {
+    const createResult = await execa4(createCommand, createArgs, {
       cwd,
       stdio: "pipe"
     });
@@ -1189,8 +1305,9 @@ ${createResult.stderr}`);
       cwd: patchDir,
       stdio: "pipe"
     });
-    const commitArgs = patchMode === "native-pnpm" ? ["pnpm", ["patch-commit", patchDir]] : ["yarn", ["patch-commit", "-s", patchDir]];
-    await execa4(commitArgs[0], commitArgs[1], {
+    const commitCommand = patchMode === "native-pnpm" ? "pnpm" : "yarn";
+    const commitArgs = patchMode === "native-pnpm" ? ["patch-commit", patchDir] : ["patch-commit", "-s", patchDir];
+    await execa4(commitCommand, commitArgs, {
       cwd,
       stdio: "pipe"
     });
@@ -1200,7 +1317,7 @@ ${createResult.stderr}`);
       error: `Failed to apply native patch for ${packageSpec}: ${err instanceof Error ? err.message : String(err)}`
     };
   } finally {
-    await rm(tempPatchDir, { recursive: true, force: true });
+    await rm2(tempPatchDir, { recursive: true, force: true });
   }
   return { success: true };
 }
@@ -1265,10 +1382,10 @@ function extractFailedTests(output) {
 }
 
 // src/remediation/pipeline.ts
-async function runHealAgent(cveId, options = {}) {
+async function runRemediationPipeline(cveId, options = {}) {
   const provider = resolveProvider(options);
   if (provider === "local") {
-    return runLocalHealPipeline(cveId, options);
+    return runLocalRemediationPipeline(cveId, options);
   }
   const cwd = options.cwd ?? process.cwd();
   const packageManager = options.packageManager ?? detectPackageManager(cwd);
@@ -1291,7 +1408,6 @@ async function runHealAgent(cveId, options = {}) {
   const vulnerablePackages = [];
   let cveDetails = null;
   let agentSteps = 0;
-  let lastGeneratedPatches = null;
   const result = await generateText2({
     model,
     system: systemPrompt,
@@ -1321,35 +1437,22 @@ async function runHealAgent(cveId, options = {}) {
         if (tr.toolName === "apply-version-bump") {
           collectedResults.push(toolResult);
         }
-        if (tr.toolName === "fetch-package-source" && toolResult?.success) {
-          const sourceData = {
-            success: toolResult.success,
-            sourceFiles: toolResult.sourceFiles,
-            packageDir: toolResult.packageDir
-          };
-        }
-        if (tr.toolName === "generate-patch" && toolResult?.success) {
-          const patchData = {
-            success: toolResult.success,
-            patches: toolResult.patches,
-            confidence: toolResult.confidence,
-            riskLevel: toolResult.riskLevel
-          };
-          lastGeneratedPatches = patchData.patches || null;
-        }
         if (tr.toolName === "apply-patch-file" && toolResult) {
-          const patchFileResult = {
-            success: toolResult.success,
-            patchPath: toolResult.patchPath,
-            postinstallConfigured: toolResult.postinstallConfigured,
-            validation: toolResult.validation
-          };
-          if (patchFileResult.success) {
-            collectedResults.push({
-              ...toolResult,
-              strategy: "patch-file"
-            });
-          }
+          const validation = toolResult.validation;
+          const message = typeof toolResult.message === "string" ? toolResult.message : typeof toolResult.error === "string" ? toolResult.error : "Patch-file strategy finished.";
+          collectedResults.push({
+            packageName: typeof toolResult.packageName === "string" ? toolResult.packageName : "unknown-package",
+            strategy: "patch-file",
+            fromVersion: typeof toolResult.vulnerableVersion === "string" ? toolResult.vulnerableVersion : "unknown",
+            patchFilePath: typeof toolResult.patchFilePath === "string" ? toolResult.patchFilePath : typeof toolResult.patchPath === "string" ? toolResult.patchPath : void 0,
+            applied: Boolean(toolResult.applied),
+            dryRun: Boolean(toolResult.dryRun),
+            message,
+            validation: validation && typeof validation.passed === "boolean" ? {
+              passed: validation.passed,
+              error: typeof validation.error === "string" ? validation.error : void 0
+            } : void 0
+          });
         }
       }
     }
@@ -1363,7 +1466,7 @@ async function runHealAgent(cveId, options = {}) {
     summary: result.text
   };
 }
-async function runLocalHealPipeline(cveId, options = {}) {
+async function runLocalRemediationPipeline(cveId, options = {}) {
   const cwd = options.cwd ?? process.cwd();
   const packageManager = options.packageManager ?? detectPackageManager(cwd);
   const dryRun = options.dryRun ?? false;
@@ -1447,6 +1550,17 @@ async function runLocalHealPipeline(cveId, options = {}) {
   for (const vulnerable of vulnerablePackages) {
     const pkg = vulnerable.installed;
     const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;
+    if (pkg.type === "indirect") {
+      collectedResults.push({
+        packageName: pkg.name,
+        strategy: "none",
+        fromVersion: pkg.version,
+        applied: false,
+        dryRun,
+        message: `"${pkg.name}" is an indirect dependency; automatic version bump is limited to direct dependencies in local mode.`
+      });
+      continue;
+    }
     if (!firstPatchedVersion) {
       collectedResults.push({
         packageName: pkg.name,
@@ -1461,7 +1575,8 @@ async function runLocalHealPipeline(cveId, options = {}) {
     const safeVersion = await findSafeUpgradeVersion(
       pkg.name,
       pkg.version,
-      firstPatchedVersion
+      firstPatchedVersion,
+      vulnerable.affected.vulnerableRange
     );
     agentSteps += 1;
     if (!safeVersion) {
@@ -1727,14 +1842,13 @@ function writeEvidenceLog(cwd, log) {
 }
 
 // src/api.ts
-var runRemediationPipeline = runHealAgent;
 async function remediate(cveId, options = {}) {
   if (!/^CVE-\d{4}-\d+$/i.test(cveId)) {
     throw new Error(
       `Invalid CVE ID: "${cveId}". Expected format: CVE-YYYY-NNNNN (e.g. CVE-2021-23337).`
     );
   }
-  return runHealAgent(cveId.toUpperCase(), options);
+  return runRemediationPipeline(cveId.toUpperCase(), options);
 }
 async function remediateFromScan(inputPath, options = {}) {
   const cwd = options.cwd ?? process.cwd();
@@ -1751,7 +1865,7 @@ async function remediateFromScan(inputPath, options = {}) {
   let patchFileCount = 0;
   for (const cveId of cveIds) {
     try {
-      addEvidenceStep(evidence, "heal.start", { cveId });
+      addEvidenceStep(evidence, "remediate.start", { cveId });
       const report = await remediate(cveId, {
         ...options,
         patchesDir
@@ -1770,11 +1884,11 @@ async function remediateFromScan(inputPath, options = {}) {
         }
       }
       reports.push(report);
-      addEvidenceStep(evidence, "heal.finish", { cveId }, { results: report.results.length });
+      addEvidenceStep(evidence, "remediate.finish", { cveId }, { results: report.results.length });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       errors.push({ cveId, message });
-      addEvidenceStep(evidence, "heal.error", { cveId }, void 0, message);
+      addEvidenceStep(evidence, "remediate.error", { cveId }, void 0, message);
     }
   }
   let successCount = 0;
@@ -1837,11 +1951,10 @@ function ciExitCode(summary) {
 }
 
 export {
-  runHealAgent,
   runRemediationPipeline,
   remediate,
   remediateFromScan,
   toCiSummary,
   ciExitCode
 };
-//# sourceMappingURL=chunk-H4ICCI3K.js.map
+//# sourceMappingURL=chunk-DQKT2CUG.js.map