autoremediator 0.2.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/README.md +16 -1
  2. package/dist/{chunk-DQKT2CUG.js → chunk-GBOD3DV6.js} +739 -159
  3. package/dist/chunk-GBOD3DV6.js.map +1 -0
  4. package/dist/cli.d.ts +5 -0
  5. package/dist/cli.js +55 -17
  6. package/dist/cli.js.map +1 -1
  7. package/dist/index.d.ts +77 -11
  8. package/dist/index.js +3 -1
  9. package/dist/mcp/server.d.ts +292 -0
  10. package/dist/mcp/server.js +120 -16
  11. package/dist/mcp/server.js.map +1 -1
  12. package/dist/openapi/server.d.ts +445 -1
  13. package/dist/openapi/server.js +215 -54
  14. package/dist/openapi/server.js.map +1 -1
  15. package/package.json +1 -1
  16. package/dist/chunk-DQKT2CUG.js.map +0 -1
package/dist/cli.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/cli.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { Command } from \"commander\";\nimport { ciExitCode, remediate, remediateFromScan, toCiSummary } from \"./api.js\";\nimport { existsSync, writeFileSync } from \"node:fs\";\n\ntype ScanFormat = \"auto\" | \"npm-audit\" | \"yarn-audit\" | \"sarif\";\n\ninterface CommandOptions {\n cwd: string;\n packageManager?: \"npm\" | \"pnpm\" | \"yarn\";\n dryRun: boolean;\n runTests: boolean;\n json: boolean;\n llmProvider?: \"openai\" | \"anthropic\" | \"local\";\n input?: string;\n format: ScanFormat;\n policy?: string;\n evidence: boolean;\n ci: boolean;\n summaryFile?: string;\n}\n\nfunction logJson(value: unknown): void {\n process.stdout.write(`${JSON.stringify(value, null, 2)}\\n`);\n}\n\nfunction isCveId(value: string): boolean {\n return /^CVE-\\d{4}-\\d+$/i.test(value);\n}\n\nasync function runSingleCve(cveId: string, opts: CommandOptions): Promise<void> {\n const report = await remediate(cveId, {\n cwd: opts.cwd,\n packageManager: opts.packageManager,\n dryRun: opts.dryRun,\n skipTests: !opts.runTests,\n policyPath: opts.policy,\n llmProvider: opts.llmProvider,\n });\n\n if (opts.json) {\n logJson(report);\n return;\n }\n\n process.stdout.write(`${report.summary}\\n`);\n process.stdout.write(`Results: ${report.results.length}\\n`);\n}\n\nasync function runScanInput(inputPath: string, opts: CommandOptions): Promise<void> {\n const report = await remediateFromScan(inputPath, {\n cwd: opts.cwd,\n packageManager: opts.packageManager,\n format: opts.format,\n policyPath: opts.policy,\n dryRun: opts.dryRun,\n skipTests: !opts.runTests,\n llmProvider: opts.llmProvider,\n writeEvidence: opts.evidence,\n });\n\n if (opts.summaryFile) {\n const summary = toCiSummary(report);\n writeFileSync(opts.summaryFile, JSON.stringify(summary, null, 2) + \"\\n\", \"utf8\");\n }\n\n if (opts.json) {\n logJson(report);\n if (opts.ci) {\n process.exitCode = ciExitCode(toCiSummary(report));\n }\n return;\n }\n\n process.stdout.write(`CVEs found: ${report.cveIds.length}\\n`);\n process.stdout.write(`Remediation reports: ${report.reports.length}\\n`);\n process.stdout.write(`Successful remediations: ${report.successCount}\\n`);\n process.stdout.write(`Failed remediations: ${report.failedCount}\\n`);\n if (report.evidenceFile) {\n process.stdout.write(`Evidence: ${report.evidenceFile}\\n`);\n }\n\n if (report.errors.length > 0) {\n for (const error of report.errors) {\n process.stdout.write(`Error ${error.cveId}: ${error.message}\\n`);\n }\n }\n\n if (opts.ci) {\n process.exitCode = ciExitCode(toCiSummary(report));\n }\n}\n\nasync function main(): Promise<void> {\n const program = new Command();\n\n program\n .name(\"autoremediator\")\n .description(\"Scanner-first Node.js vulnerability auto-remediation tool\")\n .version(\"0.1.2\")\n .showHelpAfterError();\n\n program\n .command(\"cve\")\n .description(\"Remediate a single CVE ID\")\n .argument(\"<cveId>\", \"CVE ID, e.g. CVE-2021-23337\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (cveId: string, opts: CommandOptions) => {\n await runSingleCve(cveId, opts);\n });\n\n program\n .command(\"scan\")\n .description(\"Remediate vulnerabilities from scanner output (npm/pnpm/yarn audit JSON or SARIF)\")\n .requiredOption(\"--input <path>\", \"Path to scanner output file\")\n .option(\"--format <type>\", \"Input format: auto|npm-audit|yarn-audit|sarif\", \"auto\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--policy <path>\", \"Path to policy file (.autoremediator.json)\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--no-evidence\", \"Disable evidence file output\")\n .option(\"--ci\", \"Enable CI behavior (non-zero exit on failed remediations)\", false)\n .option(\"--summary-file <path>\", \"Write machine-readable scan summary JSON to path\")\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (opts: CommandOptions) => {\n await runScanInput(opts.input!, opts);\n });\n\n // Scanner-first top-level mode (default):\n // autoremediator --input audit.json\n // autoremediator audit.json\n program\n .argument(\"[target]\", \"Scanner output file path (or CVE ID fallback)\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--input <path>\", \"Path to scanner output file (scanner-first mode)\")\n .option(\"--format <type>\", \"Input format: auto|npm-audit|yarn-audit|sarif\", \"auto\")\n .option(\"--policy <path>\", \"Path to policy file (.autoremediator.json)\")\n .option(\"--no-evidence\", \"Disable evidence file output\")\n .option(\"--ci\", \"Enable CI behavior (non-zero exit on failed remediations)\", false)\n .option(\"--summary-file <path>\", \"Write machine-readable scan summary JSON to path\")\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (target: string | undefined, opts: CommandOptions) => {\n if (opts.input) {\n await runScanInput(opts.input, opts);\n return;\n }\n\n if (!target) {\n program.outputHelp();\n return;\n }\n\n if (isCveId(target)) {\n await runSingleCve(target, opts);\n return;\n }\n\n if (existsSync(target)) {\n await runScanInput(target, opts);\n return;\n }\n\n throw new Error(\n `Target \"${target}\" is neither a valid CVE ID nor an existing scan file path.`\n );\n });\n\n await program.parseAsync(process.argv);\n}\n\nmain().catch((error) => {\n const message = error instanceof Error ? error.message : String(error);\n process.stderr.write(`[autoremediator] ${message}\\n`);\n process.exit(1);\n});\n"],"mappings":";;;;;;;;;AAEA,SAAS,eAAe;AAExB,SAAS,YAAY,qBAAqB;AAmB1C,SAAS,QAAQ,OAAsB;AACrC,UAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,OAAO,MAAM,CAAC,CAAC;AAAA,CAAI;AAC5D;AAEA,SAAS,QAAQ,OAAwB;AACvC,SAAO,mBAAmB,KAAK,KAAK;AACtC;AAEA,eAAe,aAAa,OAAe,MAAqC;AAC9E,QAAM,SAAS,MAAM,UAAU,OAAO;AAAA,IACpC,KAAK,KAAK;AAAA,IACV,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,WAAW,CAAC,KAAK;AAAA,IACjB,YAAY,KAAK;AAAA,IACjB,aAAa,KAAK;AAAA,EACpB,CAAC;AAED,MAAI,KAAK,MAAM;AACb,YAAQ,MAAM;AACd;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,GAAG,OAAO,OAAO;AAAA,CAAI;AAC1C,UAAQ,OAAO,MAAM,YAAY,OAAO,QAAQ,MAAM;AAAA,CAAI;AAC5D;AAEA,eAAe,aAAa,WAAmB,MAAqC;AAClF,QAAM,SAAS,MAAM,kBAAkB,WAAW;AAAA,IAChD,KAAK,KAAK;AAAA,IACV,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,YAAY,KAAK;AAAA,IACjB,QAAQ,KAAK;AAAA,IACb,WAAW,CAAC,KAAK;AAAA,IACjB,aAAa,KAAK;AAAA,IAClB,eAAe,KAAK;AAAA,EACtB,CAAC;AAED,MAAI,KAAK,aAAa;AACpB,UAAM,UAAU,YAAY,MAAM;AAClC,kBAAc,KAAK,aAAa,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAAA,EACjF;AAEA,MAAI,KAAK,MAAM;AACb,YAAQ,MAAM;AACd,QAAI,KAAK,IAAI;AACX,cAAQ,WAAW,WAAW,YAAY,MAAM,CAAC;AAAA,IACnD;AACA;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,eAAe,OAAO,OAAO,MAAM;AAAA,CAAI;AAC5D,UAAQ,OAAO,MAAM,wBAAwB,OAAO,QAAQ,MAAM;AAAA,CAAI;AACtE,UAAQ,OAAO,MAAM,4BAA4B,OAAO,YAAY;AAAA,CAAI;AACxE,UAAQ,OAAO,MAAM,wBAAwB,OAAO,WAAW;AAAA,CAAI;AACnE,MAAI,OAAO,cAAc;AACvB,YAAQ,OAAO,MAAM,aAAa,OAAO,YAAY;AAAA,CAAI;AAAA,EAC3D;AAEA,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,eAAW,SAAS,OAAO,QAAQ;AACjC,cAAQ,OAAO,MAAM,SAAS,MAAM,KAAK,KAAK,MAAM,OAAO;AAAA,CAAI;AAAA,IACjE;AAAA,EACF;AAEA,MAAI,KAAK,IAAI;AACX,YAAQ,WAAW,WAAW,YAAY,MAAM,CAAC;AAAA,EACnD;AACF;AAEA,eAAe,OAAsB;AACnC,QAAM,UAAU,IAAI,QAAQ;AAE5B,UACG,KAAK,gBAAgB,EACrB,YAAY,2DAA2D,EACvE,QAAQ,OAAO,EACf,mBAAmB;AAEtB,UACG,QAAQ,KAAK,EACb,YAAY,2BAA2B,EACvC,SAAS,WAAW,6BAA6B,EACjD,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,OAAe,SAAyB;AACrD,UAAM,aAAa,OAAO,IAAI;AAAA,EAChC,CAAC;AAEH,UACG,QAAQ,MAAM,EACd,YAAY,mFAAmF,EAC/F,eAAe,kBAAkB,6BAA6B,EAC9D,OAAO,mBAAmB,iDAAiD,MAAM,EACjF,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,mBAAmB,4CAA4C,EACtE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,iBAAiB,8BAA8B,EACtD,OAAO,QAAQ,6DAA6D,KAAK,EACjF,OAAO,yBAAyB,kDAAkD,EAClF,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,SAAyB;AACtC,UAAM,aAAa,KAAK,OAAQ,IAAI;AAAA,EACtC,CAAC;AAKH,UACG,SAAS,YAAY,+CAA+C,EACpE,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,kBAAkB,kDAAkD,EAC3E,OAAO,mBAAmB,iDAAiD,MAAM,EACjF,OAAO,mBAAmB,4CAA4C,EACtE,OAAO,iBAAiB,8BAA8B,EACtD,OAAO,QAAQ,6DAA6D,KAAK,EACjF,OAAO,yBAAyB,kDAAkD,EAClF,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,QAA4B,SAAyB;AAClE,QAAI,KAAK,OAAO;AACd,YAAM,aAAa,KAAK,OAAO,IAAI;AACnC;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ;AACX,cAAQ,WAAW;AACnB;AAAA,IACF;AAEA,QAAI,QAAQ,MAAM,GAAG;AACnB,YAAM,aAAa,QAAQ,IAAI;AAC/B;AAAA,IACF;AAEA,QAAI,WAAW,MAAM,GAAG;AACtB,YAAM,aAAa,QAAQ,IAAI;AAC/B;AAAA,IACF;AAEA,UAAM,IAAI;AAAA,MACR,WAAW,MAAM;AAAA,IACnB;AAAA,EACF,CAAC;AAEH,QAAM,QAAQ,WAAW,QAAQ,IAAI;AACvC;AAEA,KAAK,EAAE,MAAM,CAAC,UAAU;AACtB,QAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,UAAQ,OAAO,MAAM,oBAAoB,OAAO;AAAA,CAAI;AACpD,UAAQ,KAAK,CAAC;AAChB,CAAC;","names":[]}
1
+ {"version":3,"sources":["../src/cli.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { Command } from \"commander\";\nimport { ciExitCode, remediate, remediateFromScan, toCiSummary } from \"./api.js\";\nimport { existsSync, writeFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\n\ntype ScanFormat = \"auto\" | \"npm-audit\" | \"yarn-audit\" | \"sarif\";\n\ninterface CommandOptions {\n cwd: string;\n packageManager?: \"npm\" | \"pnpm\" | \"yarn\";\n dryRun: boolean;\n preview: boolean;\n runTests: boolean;\n json: boolean;\n llmProvider?: \"openai\" | \"anthropic\" | \"local\";\n requestId?: string;\n sessionId?: string;\n parentRunId?: string;\n idempotencyKey?: string;\n resume: boolean;\n actor?: string;\n source?: \"cli\" | \"sdk\" | \"mcp\" | \"openapi\" | \"unknown\";\n directDependenciesOnly: boolean;\n preferVersionBump: boolean;\n input?: string;\n format: ScanFormat;\n policy?: string;\n evidence: boolean;\n ci: boolean;\n summaryFile?: string;\n}\n\nfunction logJson(value: unknown): void {\n process.stdout.write(`${JSON.stringify(value, null, 2)}\\n`);\n}\n\nfunction isCveId(value: string): boolean {\n return /^CVE-\\d{4}-\\d+$/i.test(value);\n}\n\nasync function runSingleCve(cveId: string, opts: CommandOptions): Promise<void> {\n const report = await remediate(cveId, {\n cwd: opts.cwd,\n packageManager: opts.packageManager,\n dryRun: opts.dryRun,\n preview: opts.preview,\n runTests: opts.runTests,\n policy: opts.policy,\n llmProvider: opts.llmProvider,\n requestId: opts.requestId,\n sessionId: opts.sessionId,\n parentRunId: opts.parentRunId,\n idempotencyKey: opts.idempotencyKey,\n resume: opts.resume,\n actor: opts.actor,\n source: opts.source ?? \"cli\",\n constraints: {\n directDependenciesOnly: opts.directDependenciesOnly,\n preferVersionBump: opts.preferVersionBump,\n },\n });\n\n if (opts.json) {\n logJson(report);\n return;\n }\n\n process.stdout.write(`${report.summary}\\n`);\n process.stdout.write(`Results: ${report.results.length}\\n`);\n}\n\nasync function runScanInput(inputPath: string, opts: CommandOptions): Promise<void> {\n const report = await remediateFromScan(inputPath, {\n cwd: opts.cwd,\n packageManager: opts.packageManager,\n format: opts.format,\n policy: opts.policy,\n dryRun: opts.dryRun,\n preview: opts.preview,\n runTests: opts.runTests,\n llmProvider: opts.llmProvider,\n evidence: opts.evidence,\n requestId: opts.requestId,\n sessionId: opts.sessionId,\n parentRunId: opts.parentRunId,\n idempotencyKey: opts.idempotencyKey,\n resume: opts.resume,\n actor: opts.actor,\n source: opts.source ?? \"cli\",\n constraints: {\n directDependenciesOnly: opts.directDependenciesOnly,\n preferVersionBump: opts.preferVersionBump,\n },\n });\n\n if (opts.summaryFile) {\n const summary = toCiSummary(report);\n writeFileSync(opts.summaryFile, JSON.stringify(summary, null, 2) + \"\\n\", \"utf8\");\n }\n\n if (opts.json) {\n logJson(report);\n if (opts.ci) {\n process.exitCode = ciExitCode(toCiSummary(report));\n }\n return;\n }\n\n process.stdout.write(`CVEs found: ${report.cveIds.length}\\n`);\n process.stdout.write(`Remediation reports: ${report.reports.length}\\n`);\n process.stdout.write(`Successful remediations: ${report.successCount}\\n`);\n process.stdout.write(`Failed remediations: ${report.failedCount}\\n`);\n if (report.evidenceFile) {\n process.stdout.write(`Evidence: ${report.evidenceFile}\\n`);\n }\n\n if (report.errors.length > 0) {\n for (const error of report.errors) {\n process.stdout.write(`Error ${error.cveId}: ${error.message}\\n`);\n }\n }\n\n if (opts.ci) {\n process.exitCode = ciExitCode(toCiSummary(report));\n }\n}\n\nexport function createProgram(): Command {\n const program = new Command();\n\n program\n .name(\"autoremediator\")\n .description(\"Scanner-first Node.js vulnerability auto-remediation tool\")\n .version(\"0.1.2\")\n .showHelpAfterError();\n\n program\n .command(\"cve\")\n .description(\"Remediate a single CVE ID\")\n .argument(\"<cveId>\", \"CVE ID, e.g. CVE-2021-23337\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--preview\", \"Run non-mutating remediation preview mode\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--request-id <id>\", \"Request correlation ID\")\n .option(\"--session-id <id>\", \"Session correlation ID\")\n .option(\"--parent-run-id <id>\", \"Parent run correlation ID\")\n .option(\"--idempotency-key <key>\", \"Idempotency key for replay-safe execution\")\n .option(\"--resume\", \"Resume by returning cached result for matching idempotency key\", false)\n .option(\"--actor <name>\", \"Actor identity for evidence provenance\")\n .option(\"--source <src>\", \"Source system: cli|sdk|mcp|openapi|unknown\")\n .option(\"--direct-dependencies-only\", \"Enforce direct-dependency-only remediation constraint\", false)\n .option(\"--prefer-version-bump\", \"Reject patch-file outcomes when version-bump is preferred\", false)\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (cveId: string, opts: CommandOptions) => {\n await runSingleCve(cveId, opts);\n });\n\n program\n .command(\"scan\")\n .description(\"Remediate vulnerabilities from scanner output (npm/pnpm/yarn audit JSON or SARIF)\")\n .requiredOption(\"--input <path>\", \"Path to scanner output file\")\n .option(\"--format <type>\", \"Input format: auto|npm-audit|yarn-audit|sarif\", \"auto\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--policy <path>\", \"Path to policy file (.autoremediator.json)\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--preview\", \"Run non-mutating remediation preview mode\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--request-id <id>\", \"Request correlation ID\")\n .option(\"--session-id <id>\", \"Session correlation ID\")\n .option(\"--parent-run-id <id>\", \"Parent run correlation ID\")\n .option(\"--idempotency-key <key>\", \"Idempotency key for replay-safe execution\")\n .option(\"--resume\", \"Resume by returning cached result for matching idempotency key\", false)\n .option(\"--actor <name>\", \"Actor identity for evidence provenance\")\n .option(\"--source <src>\", \"Source system: cli|sdk|mcp|openapi|unknown\")\n .option(\"--direct-dependencies-only\", \"Enforce direct-dependency-only remediation constraint\", false)\n .option(\"--prefer-version-bump\", \"Reject patch-file outcomes when version-bump is preferred\", false)\n .option(\"--evidence\", \"Enable evidence file output\", true)\n .option(\"--no-evidence\", \"Disable evidence file output\")\n .option(\"--ci\", \"Enable CI behavior (non-zero exit on failed remediations)\", false)\n .option(\"--summary-file <path>\", \"Write machine-readable scan summary JSON to path\")\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (opts: CommandOptions) => {\n await runScanInput(opts.input!, opts);\n });\n\n // Scanner-first top-level mode (default):\n // autoremediator --input audit.json\n // autoremediator audit.json\n program\n .argument(\"[target]\", \"Scanner output file path (or CVE ID fallback)\")\n .option(\"--cwd <path>\", \"Target project directory\", process.cwd())\n .option(\"--package-manager <name>\", \"Package manager: npm|pnpm|yarn\")\n .option(\"--dry-run\", \"Plan changes only without mutating files\", false)\n .option(\"--preview\", \"Run non-mutating remediation preview mode\", false)\n .option(\"--run-tests\", \"Run package-manager test validation after apply\", false)\n .option(\"--llm-provider <provider>\", \"LLM provider: openai|anthropic|local\")\n .option(\"--request-id <id>\", \"Request correlation ID\")\n .option(\"--session-id <id>\", \"Session correlation ID\")\n .option(\"--parent-run-id <id>\", \"Parent run correlation ID\")\n .option(\"--idempotency-key <key>\", \"Idempotency key for replay-safe execution\")\n .option(\"--resume\", \"Resume by returning cached result for matching idempotency key\", false)\n .option(\"--actor <name>\", \"Actor identity for evidence provenance\")\n .option(\"--source <src>\", \"Source system: cli|sdk|mcp|openapi|unknown\")\n .option(\"--direct-dependencies-only\", \"Enforce direct-dependency-only remediation constraint\", false)\n .option(\"--prefer-version-bump\", \"Reject patch-file outcomes when version-bump is preferred\", false)\n .option(\"--input <path>\", \"Path to scanner output file (scanner-first mode)\")\n .option(\"--format <type>\", \"Input format: auto|npm-audit|yarn-audit|sarif\", \"auto\")\n .option(\"--policy <path>\", \"Path to policy file (.autoremediator.json)\")\n .option(\"--evidence\", \"Enable evidence file output\", true)\n .option(\"--no-evidence\", \"Disable evidence file output\")\n .option(\"--ci\", \"Enable CI behavior (non-zero exit on failed remediations)\", false)\n .option(\"--summary-file <path>\", \"Write machine-readable scan summary JSON to path\")\n .option(\"--json\", \"Print JSON output\", false)\n .action(async (target: string | undefined, opts: CommandOptions) => {\n if (opts.input) {\n await runScanInput(opts.input, opts);\n return;\n }\n\n if (!target) {\n program.outputHelp();\n return;\n }\n\n if (isCveId(target)) {\n await runSingleCve(target, opts);\n return;\n }\n\n if (existsSync(target)) {\n await runScanInput(target, opts);\n return;\n }\n\n throw new Error(\n `Target \"${target}\" is neither a valid CVE ID nor an existing scan file path.`\n );\n });\n\n return program;\n}\n\nasync function main(argv = process.argv): Promise<void> {\n const program = createProgram();\n await program.parseAsync(argv);\n}\n\nfunction isMainModule(): boolean {\n if (!process.argv[1]) return false;\n return fileURLToPath(import.meta.url) === process.argv[1];\n}\n\nif (isMainModule()) {\n main().catch((error) => {\n const message = error instanceof Error ? error.message : String(error);\n process.stderr.write(`[autoremediator] ${message}\\n`);\n process.exit(1);\n });\n}\n"],"mappings":";;;;;;;;;AAEA,SAAS,eAAe;AAExB,SAAS,YAAY,qBAAqB;AAC1C,SAAS,qBAAqB;AA6B9B,SAAS,QAAQ,OAAsB;AACrC,UAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,OAAO,MAAM,CAAC,CAAC;AAAA,CAAI;AAC5D;AAEA,SAAS,QAAQ,OAAwB;AACvC,SAAO,mBAAmB,KAAK,KAAK;AACtC;AAEA,eAAe,aAAa,OAAe,MAAqC;AAC9E,QAAM,SAAS,MAAM,UAAU,OAAO;AAAA,IACpC,KAAK,KAAK;AAAA,IACV,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,SAAS,KAAK;AAAA,IACd,UAAU,KAAK;AAAA,IACf,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK;AAAA,IAChB,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK;AAAA,IACZ,QAAQ,KAAK,UAAU;AAAA,IACvB,aAAa;AAAA,MACX,wBAAwB,KAAK;AAAA,MAC7B,mBAAmB,KAAK;AAAA,IAC1B;AAAA,EACF,CAAC;AAED,MAAI,KAAK,MAAM;AACb,YAAQ,MAAM;AACd;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,GAAG,OAAO,OAAO;AAAA,CAAI;AAC1C,UAAQ,OAAO,MAAM,YAAY,OAAO,QAAQ,MAAM;AAAA,CAAI;AAC5D;AAEA,eAAe,aAAa,WAAmB,MAAqC;AAClF,QAAM,SAAS,MAAM,kBAAkB,WAAW;AAAA,IAChD,KAAK,KAAK;AAAA,IACV,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,QAAQ,KAAK;AAAA,IACb,QAAQ,KAAK;AAAA,IACb,SAAS,KAAK;AAAA,IACd,UAAU,KAAK;AAAA,IACf,aAAa,KAAK;AAAA,IAClB,UAAU,KAAK;AAAA,IACf,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK;AAAA,IAChB,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK;AAAA,IACZ,QAAQ,KAAK,UAAU;AAAA,IACvB,aAAa;AAAA,MACX,wBAAwB,KAAK;AAAA,MAC7B,mBAAmB,KAAK;AAAA,IAC1B;AAAA,EACF,CAAC;AAED,MAAI,KAAK,aAAa;AACpB,UAAM,UAAU,YAAY,MAAM;AAClC,kBAAc,KAAK,aAAa,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAAA,EACjF;AAEA,MAAI,KAAK,MAAM;AACb,YAAQ,MAAM;AACd,QAAI,KAAK,IAAI;AACX,cAAQ,WAAW,WAAW,YAAY,MAAM,CAAC;AAAA,IACnD;AACA;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,eAAe,OAAO,OAAO,MAAM;AAAA,CAAI;AAC5D,UAAQ,OAAO,MAAM,wBAAwB,OAAO,QAAQ,MAAM;AAAA,CAAI;AACtE,UAAQ,OAAO,MAAM,4BAA4B,OAAO,YAAY;AAAA,CAAI;AACxE,UAAQ,OAAO,MAAM,wBAAwB,OAAO,WAAW;AAAA,CAAI;AACnE,MAAI,OAAO,cAAc;AACvB,YAAQ,OAAO,MAAM,aAAa,OAAO,YAAY;AAAA,CAAI;AAAA,EAC3D;AAEA,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,eAAW,SAAS,OAAO,QAAQ;AACjC,cAAQ,OAAO,MAAM,SAAS,MAAM,KAAK,KAAK,MAAM,OAAO;AAAA,CAAI;AAAA,IACjE;AAAA,EACF;AAEA,MAAI,KAAK,IAAI;AACX,YAAQ,WAAW,WAAW,YAAY,MAAM,CAAC;AAAA,EACnD;AACF;AAEO,SAAS,gBAAyB;AACvC,QAAM,UAAU,IAAI,QAAQ;AAE5B,UACG,KAAK,gBAAgB,EACrB,YAAY,2DAA2D,EACvE,QAAQ,OAAO,EACf,mBAAmB;AAEtB,UACG,QAAQ,KAAK,EACb,YAAY,2BAA2B,EACvC,SAAS,WAAW,6BAA6B,EACjD,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,aAAa,6CAA6C,KAAK,EACtE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,wBAAwB,2BAA2B,EAC1D,OAAO,2BAA2B,2CAA2C,EAC7E,OAAO,YAAY,kEAAkE,KAAK,EAC1F,OAAO,kBAAkB,wCAAwC,EACjE,OAAO,kBAAkB,4CAA4C,EACrE,OAAO,8BAA8B,yDAAyD,KAAK,EACnG,OAAO,yBAAyB,6DAA6D,KAAK,EAClG,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,OAAe,SAAyB;AACrD,UAAM,aAAa,OAAO,IAAI;AAAA,EAChC,CAAC;AAEH,UACG,QAAQ,MAAM,EACd,YAAY,mFAAmF,EAC/F,eAAe,kBAAkB,6BAA6B,EAC9D,OAAO,mBAAmB,iDAAiD,MAAM,EACjF,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,mBAAmB,4CAA4C,EACtE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,aAAa,6CAA6C,KAAK,EACtE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,wBAAwB,2BAA2B,EAC1D,OAAO,2BAA2B,2CAA2C,EAC7E,OAAO,YAAY,kEAAkE,KAAK,EAC1F,OAAO,kBAAkB,wCAAwC,EACjE,OAAO,kBAAkB,4CAA4C,EACrE,OAAO,8BAA8B,yDAAyD,KAAK,EACnG,OAAO,yBAAyB,6DAA6D,KAAK,EAClG,OAAO,cAAc,+BAA+B,IAAI,EACxD,OAAO,iBAAiB,8BAA8B,EACtD,OAAO,QAAQ,6DAA6D,KAAK,EACjF,OAAO,yBAAyB,kDAAkD,EAClF,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,SAAyB;AACtC,UAAM,aAAa,KAAK,OAAQ,IAAI;AAAA,EACtC,CAAC;AAKH,UACG,SAAS,YAAY,+CAA+C,EACpE,OAAO,gBAAgB,4BAA4B,QAAQ,IAAI,CAAC,EAChE,OAAO,4BAA4B,gCAAgC,EACnE,OAAO,aAAa,4CAA4C,KAAK,EACrE,OAAO,aAAa,6CAA6C,KAAK,EACtE,OAAO,eAAe,mDAAmD,KAAK,EAC9E,OAAO,6BAA6B,sCAAsC,EAC1E,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,qBAAqB,wBAAwB,EACpD,OAAO,wBAAwB,2BAA2B,EAC1D,OAAO,2BAA2B,2CAA2C,EAC7E,OAAO,YAAY,kEAAkE,KAAK,EAC1F,OAAO,kBAAkB,wCAAwC,EACjE,OAAO,kBAAkB,4CAA4C,EACrE,OAAO,8BAA8B,yDAAyD,KAAK,EACnG,OAAO,yBAAyB,6DAA6D,KAAK,EAClG,OAAO,kBAAkB,kDAAkD,EAC3E,OAAO,mBAAmB,iDAAiD,MAAM,EACjF,OAAO,mBAAmB,4CAA4C,EACtE,OAAO,cAAc,+BAA+B,IAAI,EACxD,OAAO,iBAAiB,8BAA8B,EACtD,OAAO,QAAQ,6DAA6D,KAAK,EACjF,OAAO,yBAAyB,kDAAkD,EAClF,OAAO,UAAU,qBAAqB,KAAK,EAC3C,OAAO,OAAO,QAA4B,SAAyB;AAClE,QAAI,KAAK,OAAO;AACd,YAAM,aAAa,KAAK,OAAO,IAAI;AACnC;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ;AACX,cAAQ,WAAW;AACnB;AAAA,IACF;AAEA,QAAI,QAAQ,MAAM,GAAG;AACnB,YAAM,aAAa,QAAQ,IAAI;AAC/B;AAAA,IACF;AAEA,QAAI,WAAW,MAAM,GAAG;AACtB,YAAM,aAAa,QAAQ,IAAI;AAC/B;AAAA,IACF;AAEA,UAAM,IAAI;AAAA,MACR,WAAW,MAAM;AAAA,IACnB;AAAA,EACF,CAAC;AAEH,SAAO;AACT;AAEA,eAAe,KAAK,OAAO,QAAQ,MAAqB;AACtD,QAAM,UAAU,cAAc;AAC9B,QAAM,QAAQ,WAAW,IAAI;AAC/B;AAEA,SAAS,eAAwB;AAC/B,MAAI,CAAC,QAAQ,KAAK,CAAC,EAAG,QAAO;AAC7B,SAAO,cAAc,YAAY,GAAG,MAAM,QAAQ,KAAK,CAAC;AAC1D;AAEA,IAAI,aAAa,GAAG;AAClB,OAAK,EAAE,MAAM,CAAC,UAAU;AACtB,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,YAAQ,OAAO,MAAM,oBAAoB,OAAO;AAAA,CAAI;AACpD,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;","names":[]}
package/dist/index.d.ts CHANGED
@@ -4,6 +4,32 @@ interface CveDetails {
4
4
  summary: string;
5
5
  severity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "UNKNOWN";
6
6
  cvssScore?: number;
7
+ epss?: {
8
+ score: number;
9
+ percentile: number;
10
+ date?: string;
11
+ };
12
+ kev?: {
13
+ knownExploited: boolean;
14
+ dateAdded?: string;
15
+ dueDate?: string;
16
+ requiredAction?: string;
17
+ knownRansomwareCampaignUse?: string;
18
+ };
19
+ intelligence?: {
20
+ cveServicesEnriched?: boolean;
21
+ gitlabAdvisoryMatched?: boolean;
22
+ certCcMatched?: boolean;
23
+ depsDevEnrichedPackages?: number;
24
+ scorecardProjects?: number;
25
+ vendorAdvisories?: string[];
26
+ commercialFeeds?: string[];
27
+ sourceHealth?: Record<string, {
28
+ attempted: boolean;
29
+ changed: boolean;
30
+ error?: string;
31
+ }>;
32
+ };
7
33
  references: string[];
8
34
  affectedPackages: AffectedPackage[];
9
35
  }
@@ -48,24 +74,48 @@ interface PatchResult {
48
74
  error?: string;
49
75
  };
50
76
  }
77
+ interface CorrelationContext {
78
+ requestId?: string;
79
+ sessionId?: string;
80
+ parentRunId?: string;
81
+ }
82
+ interface RemediationConstraints {
83
+ directDependenciesOnly?: boolean;
84
+ preferVersionBump?: boolean;
85
+ }
86
+ interface ProvenanceContext {
87
+ actor?: string;
88
+ source?: "cli" | "sdk" | "mcp" | "openapi" | "unknown";
89
+ }
51
90
  /** Top-level options for the remediate() API and CLI */
52
- interface RemediateOptions {
91
+ interface RemediateOptions extends CorrelationContext {
53
92
  /** Working directory of the consumer's project (defaults to process.cwd()) */
54
93
  cwd?: string;
55
94
  /** Package manager to use (defaults to auto-detect from lockfile) */
56
95
  packageManager?: "npm" | "pnpm" | "yarn";
57
96
  /** If true, plan and report changes but do not write anything */
58
97
  dryRun?: boolean;
59
- /** If true, skip running npm test after patching */
60
- skipTests?: boolean;
98
+ /** If true, run package-manager tests after patching */
99
+ runTests?: boolean;
61
100
  /** Override the LLM provider (falls back to env AUTOREMEDIATOR_LLM_PROVIDER) */
62
101
  llmProvider?: "openai" | "anthropic" | "local";
63
102
  /** Override the model name */
64
103
  model?: string;
65
104
  /** Optional path to a policy file (.autoremediator.json) */
66
- policyPath?: string;
105
+ policy?: string;
67
106
  /** Directory to write .patch files (default: ./patches) */
68
107
  patchesDir?: string;
108
+ /** If true, run a non-mutating remediation preview (forces dryRun behavior for mutation tools). */
109
+ preview?: boolean;
110
+ /** Optional deterministic idempotency key for request replay handling. */
111
+ idempotencyKey?: string;
112
+ /** If true, return cached report for matching idempotency key + CVE when available. */
113
+ resume?: boolean;
114
+ /** Optional caller provenance fields for evidence and reporting. */
115
+ actor?: string;
116
+ source?: "cli" | "sdk" | "mcp" | "openapi" | "unknown";
117
+ /** Optional orchestration constraints for result enforcement. */
118
+ constraints?: RemediationConstraints;
69
119
  }
70
120
  /** Final report returned by the remediation pipeline */
71
121
  interface RemediationReport {
@@ -75,6 +125,10 @@ interface RemediationReport {
75
125
  results: PatchResult[];
76
126
  agentSteps: number;
77
127
  summary: string;
128
+ correlation?: CorrelationContext;
129
+ provenance?: ProvenanceContext;
130
+ constraints?: RemediationConstraints;
131
+ resumedFromCache?: boolean;
78
132
  }
79
133
 
80
134
  type ScanInputFormat = "npm-audit" | "yarn-audit" | "sarif" | "auto";
@@ -83,8 +137,8 @@ declare function runRemediationPipeline(cveId: string, options?: RemediateOption
83
137
 
84
138
  interface ScanOptions extends RemediateOptions {
85
139
  format?: ScanInputFormat;
86
- policyPath?: string;
87
- writeEvidence?: boolean;
140
+ policy?: string;
141
+ evidence?: boolean;
88
142
  }
89
143
  interface ScanReport {
90
144
  schemaVersion: "1.0";
@@ -99,13 +153,17 @@ interface ScanReport {
99
153
  message: string;
100
154
  }>;
101
155
  evidenceFile?: string;
102
- patchFileCount: number;
156
+ patchCount: number;
103
157
  patchValidationFailures?: Array<{
104
158
  packageName: string;
105
159
  cveId: string;
106
160
  error: string;
107
161
  }>;
108
- patchStorageDir?: string;
162
+ patchesDir?: string;
163
+ correlation?: CorrelationContext;
164
+ provenance?: ProvenanceContext;
165
+ constraints?: RemediationConstraints;
166
+ idempotencyKey?: string;
109
167
  }
110
168
  interface CiSummary {
111
169
  schemaVersion: "1.0";
@@ -120,13 +178,17 @@ interface CiSummary {
120
178
  message: string;
121
179
  }>;
122
180
  evidenceFile?: string;
123
- patchFileCount?: number;
181
+ patchCount?: number;
124
182
  patchValidationFailures?: Array<{
125
183
  packageName: string;
126
184
  cveId: string;
127
185
  error: string;
128
186
  }>;
129
- patchStorageDir?: string;
187
+ patchesDir?: string;
188
+ correlation?: CorrelationContext;
189
+ provenance?: ProvenanceContext;
190
+ constraints?: RemediationConstraints;
191
+ idempotencyKey?: string;
130
192
  }
131
193
  /**
132
194
  * Main entry point for programmatic use.
@@ -136,6 +198,10 @@ interface CiSummary {
136
198
  * @returns A RemediationReport describing what was found and done
137
199
  */
138
200
  declare function remediate(cveId: string, options?: RemediateOptions): Promise<RemediationReport>;
201
+ /**
202
+ * Non-mutating preview entrypoint for planning and orchestration.
203
+ */
204
+ declare function planRemediation(cveId: string, options?: RemediateOptions): Promise<RemediationReport>;
139
205
  /**
140
206
  * Scanner-first entrypoint: parse a scanner output file (npm audit JSON or SARIF),
141
207
  * extract CVEs, and run remediations one-by-one.
@@ -144,4 +210,4 @@ declare function remediateFromScan(inputPath: string, options?: ScanOptions): Pr
144
210
  declare function toCiSummary(report: ScanReport): CiSummary;
145
211
  declare function ciExitCode(summary: CiSummary): number;
146
212
 
147
- export { type AffectedPackage, type CiSummary, type CveDetails, type InventoryPackage, type PatchResult, type PatchStrategy, type RemediateOptions, type RemediationReport, type ScanInputFormat, type ScanOptions, type ScanReport, type VulnerablePackage, ciExitCode, remediate, remediateFromScan, runRemediationPipeline, toCiSummary };
213
+ export { type AffectedPackage, type CiSummary, type CorrelationContext, type CveDetails, type InventoryPackage, type PatchResult, type PatchStrategy, type ProvenanceContext, type RemediateOptions, type RemediationConstraints, type RemediationReport, type ScanInputFormat, type ScanOptions, type ScanReport, type VulnerablePackage, ciExitCode, planRemediation, remediate, remediateFromScan, runRemediationPipeline, toCiSummary };
package/dist/index.js CHANGED
@@ -1,12 +1,14 @@
1
1
  import {
2
2
  ciExitCode,
3
+ planRemediation,
3
4
  remediate,
4
5
  remediateFromScan,
5
6
  runRemediationPipeline,
6
7
  toCiSummary
7
- } from "./chunk-DQKT2CUG.js";
8
+ } from "./chunk-GBOD3DV6.js";
8
9
  export {
9
10
  ciExitCode,
11
+ planRemediation,
10
12
  remediate,
11
13
  remediateFromScan,
12
14
  runRemediationPipeline,
package/dist/mcp/server.d.ts CHANGED
@@ -1 +1,293 @@
1
1
  #!/usr/bin/env node
2
+ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
3
+ import { remediate, planRemediation, remediateFromScan } from '../index.js';
4
+
5
+ /**
6
+ * autoremediator MCP server
7
+ *
8
+ * Exposes all autoremediator tools via the Model Context Protocol so LLM hosts
9
+ * (Claude Desktop, Cursor, Copilot, etc.) can invoke them directly.
10
+ *
11
+ * Start: autoremediator-mcp (stdio transport)
12
+ */
13
+
14
+ interface McpApiDeps {
15
+ remediateFn: typeof remediate;
16
+ planRemediationFn: typeof planRemediation;
17
+ remediateFromScanFn: typeof remediateFromScan;
18
+ }
19
+ declare const TOOLS: ({
20
+ name: string;
21
+ description: string;
22
+ inputSchema: {
23
+ type: string;
24
+ required: string[];
25
+ properties: {
26
+ cveId: {
27
+ type: string;
28
+ description: string;
29
+ };
30
+ cwd: {
31
+ type: string;
32
+ description: string;
33
+ };
34
+ packageManager: {
35
+ type: string;
36
+ enum: string[];
37
+ description: string;
38
+ };
39
+ dryRun: {
40
+ type: string;
41
+ description: string;
42
+ };
43
+ preview: {
44
+ type: string;
45
+ description: string;
46
+ };
47
+ runTests: {
48
+ type: string;
49
+ description: string;
50
+ };
51
+ llmProvider: {
52
+ type: string;
53
+ enum: string[];
54
+ description: string;
55
+ };
56
+ patchesDir: {
57
+ type: string;
58
+ description: string;
59
+ };
60
+ policy: {
61
+ type: string;
62
+ description: string;
63
+ };
64
+ requestId: {
65
+ type: string;
66
+ description: string;
67
+ };
68
+ sessionId: {
69
+ type: string;
70
+ description: string;
71
+ };
72
+ parentRunId: {
73
+ type: string;
74
+ description: string;
75
+ };
76
+ idempotencyKey: {
77
+ type: string;
78
+ description: string;
79
+ };
80
+ resume: {
81
+ type: string;
82
+ description: string;
83
+ };
84
+ actor: {
85
+ type: string;
86
+ description: string;
87
+ };
88
+ source: {
89
+ type: string;
90
+ enum: string[];
91
+ description: string;
92
+ };
93
+ constraints: {
94
+ type: string;
95
+ properties: {
96
+ directDependenciesOnly: {
97
+ type: string;
98
+ };
99
+ preferVersionBump: {
100
+ type: string;
101
+ };
102
+ };
103
+ };
104
+ inputPath?: undefined;
105
+ format?: undefined;
106
+ evidence?: undefined;
107
+ };
108
+ };
109
+ } | {
110
+ name: string;
111
+ description: string;
112
+ inputSchema: {
113
+ type: string;
114
+ required: string[];
115
+ properties: {
116
+ cveId: {
117
+ type: string;
118
+ description: string;
119
+ };
120
+ cwd: {
121
+ type: string;
122
+ description: string;
123
+ };
124
+ packageManager: {
125
+ type: string;
126
+ enum: string[];
127
+ description: string;
128
+ };
129
+ runTests: {
130
+ type: string;
131
+ description: string;
132
+ };
133
+ llmProvider: {
134
+ type: string;
135
+ enum: string[];
136
+ description: string;
137
+ };
138
+ patchesDir: {
139
+ type: string;
140
+ description: string;
141
+ };
142
+ policy: {
143
+ type: string;
144
+ description: string;
145
+ };
146
+ requestId: {
147
+ type: string;
148
+ description: string;
149
+ };
150
+ sessionId: {
151
+ type: string;
152
+ description: string;
153
+ };
154
+ parentRunId: {
155
+ type: string;
156
+ description: string;
157
+ };
158
+ idempotencyKey: {
159
+ type: string;
160
+ description: string;
161
+ };
162
+ resume: {
163
+ type: string;
164
+ description: string;
165
+ };
166
+ actor: {
167
+ type: string;
168
+ description: string;
169
+ };
170
+ source: {
171
+ type: string;
172
+ enum: string[];
173
+ description: string;
174
+ };
175
+ constraints: {
176
+ type: string;
177
+ properties: {
178
+ directDependenciesOnly: {
179
+ type: string;
180
+ };
181
+ preferVersionBump: {
182
+ type: string;
183
+ };
184
+ };
185
+ };
186
+ dryRun?: undefined;
187
+ preview?: undefined;
188
+ inputPath?: undefined;
189
+ format?: undefined;
190
+ evidence?: undefined;
191
+ };
192
+ };
193
+ } | {
194
+ name: string;
195
+ description: string;
196
+ inputSchema: {
197
+ type: string;
198
+ required: string[];
199
+ properties: {
200
+ inputPath: {
201
+ type: string;
202
+ description: string;
203
+ };
204
+ cwd: {
205
+ type: string;
206
+ description: string;
207
+ };
208
+ packageManager: {
209
+ type: string;
210
+ enum: string[];
211
+ description: string;
212
+ };
213
+ format: {
214
+ type: string;
215
+ enum: string[];
216
+ description: string;
217
+ };
218
+ dryRun: {
219
+ type: string;
220
+ description: string;
221
+ };
222
+ preview: {
223
+ type: string;
224
+ description: string;
225
+ };
226
+ evidence: {
227
+ type: string;
228
+ description: string;
229
+ };
230
+ runTests: {
231
+ type: string;
232
+ description: string;
233
+ };
234
+ policy: {
235
+ type: string;
236
+ description: string;
237
+ };
238
+ requestId: {
239
+ type: string;
240
+ description: string;
241
+ };
242
+ sessionId: {
243
+ type: string;
244
+ description: string;
245
+ };
246
+ parentRunId: {
247
+ type: string;
248
+ description: string;
249
+ };
250
+ idempotencyKey: {
251
+ type: string;
252
+ description: string;
253
+ };
254
+ resume: {
255
+ type: string;
256
+ description: string;
257
+ };
258
+ actor: {
259
+ type: string;
260
+ description: string;
261
+ };
262
+ source: {
263
+ type: string;
264
+ enum: string[];
265
+ description: string;
266
+ };
267
+ constraints: {
268
+ type: string;
269
+ properties: {
270
+ directDependenciesOnly: {
271
+ type: string;
272
+ };
273
+ preferVersionBump: {
274
+ type: string;
275
+ };
276
+ };
277
+ };
278
+ cveId?: undefined;
279
+ llmProvider?: undefined;
280
+ patchesDir?: undefined;
281
+ };
282
+ };
283
+ })[];
284
+ declare function handleToolCall(name: string, args?: Record<string, unknown>, deps?: McpApiDeps): Promise<{
285
+ content: Array<{
286
+ type: "text";
287
+ text: string;
288
+ }>;
289
+ isError?: boolean;
290
+ }>;
291
+ declare function createMcpServer(): Server;
292
+
293
+ export { TOOLS, createMcpServer, handleToolCall };