autoremediator 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,211 @@
1
+ /** A resolved CVE entry with affected npm package info */
2
+ interface CveDetails {
3
+ id: string;
4
+ summary: string;
5
+ severity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "UNKNOWN";
6
+ cvssScore?: number;
7
+ epss?: {
8
+ score: number;
9
+ percentile: number;
10
+ date?: string;
11
+ };
12
+ kev?: {
13
+ knownExploited: boolean;
14
+ dateAdded?: string;
15
+ dueDate?: string;
16
+ requiredAction?: string;
17
+ knownRansomwareCampaignUse?: string;
18
+ };
19
+ intelligence?: {
20
+ cveServicesEnriched?: boolean;
21
+ gitlabAdvisoryMatched?: boolean;
22
+ certCcMatched?: boolean;
23
+ depsDevEnrichedPackages?: number;
24
+ scorecardProjects?: number;
25
+ vendorAdvisories?: string[];
26
+ commercialFeeds?: string[];
27
+ sourceHealth?: Record<string, {
28
+ attempted: boolean;
29
+ changed: boolean;
30
+ error?: string;
31
+ }>;
32
+ };
33
+ references: string[];
34
+ affectedPackages: AffectedPackage[];
35
+ }
36
+ /** A single npm package affected by a CVE */
37
+ interface AffectedPackage {
38
+ name: string;
39
+ ecosystem: "npm";
40
+ /** Semver range string for the vulnerable version window, e.g. ">=0.0.0 <4.17.21" */
41
+ vulnerableRange: string;
42
+ /** The first version that is NOT vulnerable (the safe upgrade target) */
43
+ firstPatchedVersion?: string;
44
+ /** Source that provided this entry */
45
+ source: "osv" | "github-advisory";
46
+ }
47
+ /** A package found in the consumer's project */
48
+ interface InventoryPackage {
49
+ name: string;
50
+ version: string;
51
+ /** "direct" = listed in package.json; "indirect" = transitive dep */
52
+ type: "direct" | "indirect";
53
+ }
54
+ /** A package that is both installed and matches a vulnerable range */
55
+ interface VulnerablePackage {
56
+ installed: InventoryPackage;
57
+ affected: AffectedPackage;
58
+ /** The resolved safe upgrade version, if one exists on npm */
59
+ safeUpgradeVersion?: string;
60
+ }
61
+ /** The outcome of a single patch operation */
62
+ type PatchStrategy = "version-bump" | "override" | "patch-file" | "none";
63
+ type DependencyScope = "direct" | "transitive";
64
+ type UnresolvedReason = "constraint-blocked" | "indirect-dependency" | "install-failed" | "major-bump-required" | "no-safe-version" | "override-apply-failed" | "package-json-not-found" | "patch-apply-failed" | "patch-confidence-too-low" | "patch-generation-failed" | "patch-validation-failed" | "policy-blocked" | "requires-llm-fallback" | "source-fetch-failed" | "validation-failed";
65
+ type PatchStrategyCounts = Partial<Record<PatchStrategy, number>>;
66
+ type DependencyScopeCounts = Partial<Record<DependencyScope, number>>;
67
+ type UnresolvedReasonCounts = Partial<Record<UnresolvedReason, number>>;
68
+ interface PatchResult {
69
+ packageName: string;
70
+ strategy: PatchStrategy;
71
+ fromVersion: string;
72
+ toVersion?: string;
73
+ patchFilePath?: string;
74
+ applied: boolean;
75
+ dryRun: boolean;
76
+ message: string;
77
+ unresolvedReason?: UnresolvedReason;
78
+ validation?: {
79
+ passed: boolean;
80
+ error?: string;
81
+ };
82
+ }
83
+ interface CorrelationContext {
84
+ requestId?: string;
85
+ sessionId?: string;
86
+ parentRunId?: string;
87
+ }
88
+ interface RemediationConstraints {
89
+ directDependenciesOnly?: boolean;
90
+ preferVersionBump?: boolean;
91
+ }
92
+ interface ProvenanceContext {
93
+ actor?: string;
94
+ source?: "cli" | "sdk" | "mcp" | "openapi" | "unknown";
95
+ }
96
+ /** Top-level options for the remediate() API and CLI */
97
+ interface RemediateOptions extends CorrelationContext {
98
+ /** Working directory of the consumer's project (defaults to process.cwd()) */
99
+ cwd?: string;
100
+ /** Package manager to use (defaults to auto-detect from lockfile) */
101
+ packageManager?: "npm" | "pnpm" | "yarn";
102
+ /** If true, plan and report changes but do not write anything */
103
+ dryRun?: boolean;
104
+ /** If true, run package-manager tests after patching */
105
+ runTests?: boolean;
106
+ /** Override the LLM provider (falls back to env AUTOREMEDIATOR_LLM_PROVIDER) */
107
+ llmProvider?: "openai" | "anthropic" | "local";
108
+ /** Override the model name */
109
+ model?: string;
110
+ /** Optional path to a policy file (.autoremediator.json) */
111
+ policy?: string;
112
+ /** If false, do not write evidence JSON for this run (default: true). */
113
+ evidence?: boolean;
114
+ /** Directory to write .patch files (default: ./patches) */
115
+ patchesDir?: string;
116
+ /** If true, run a non-mutating remediation preview (forces dryRun behavior for mutation tools). */
117
+ preview?: boolean;
118
+ /** Optional deterministic idempotency key for request replay handling. */
119
+ idempotencyKey?: string;
120
+ /** If true, return cached report for matching idempotency key + CVE when available. */
121
+ resume?: boolean;
122
+ /** Optional caller provenance fields for evidence and reporting. */
123
+ actor?: string;
124
+ source?: "cli" | "sdk" | "mcp" | "openapi" | "unknown";
125
+ /** Optional orchestration constraints for result enforcement. */
126
+ constraints?: RemediationConstraints;
127
+ }
128
+ /** Final report returned by the remediation pipeline */
129
+ interface RemediationReport {
130
+ cveId: string;
131
+ cveDetails: CveDetails | null;
132
+ vulnerablePackages: VulnerablePackage[];
133
+ results: PatchResult[];
134
+ agentSteps: number;
135
+ summary: string;
136
+ evidenceFile?: string;
137
+ correlation?: CorrelationContext;
138
+ provenance?: ProvenanceContext;
139
+ constraints?: RemediationConstraints;
140
+ resumedFromCache?: boolean;
141
+ }
142
+
143
+ type ScanInputFormat = "npm-audit" | "yarn-audit" | "sarif" | "auto";
144
+
145
+ interface ScanOptions extends RemediateOptions {
146
+ format?: ScanInputFormat;
147
+ policy?: string;
148
+ }
149
+ interface ScanReport {
150
+ schemaVersion: "1.0";
151
+ status: "ok" | "partial" | "failed";
152
+ generatedAt: string;
153
+ cveIds: string[];
154
+ reports: RemediationReport[];
155
+ successCount: number;
156
+ failedCount: number;
157
+ errors: Array<{
158
+ cveId: string;
159
+ message: string;
160
+ }>;
161
+ evidenceFile?: string;
162
+ patchCount: number;
163
+ patchValidationFailures?: Array<{
164
+ packageName: string;
165
+ cveId: string;
166
+ error: string;
167
+ }>;
168
+ strategyCounts?: PatchStrategyCounts;
169
+ dependencyScopeCounts?: DependencyScopeCounts;
170
+ unresolvedByReason?: UnresolvedReasonCounts;
171
+ patchesDir?: string;
172
+ correlation?: CorrelationContext;
173
+ provenance?: ProvenanceContext;
174
+ constraints?: RemediationConstraints;
175
+ idempotencyKey?: string;
176
+ }
177
+ interface CiSummary {
178
+ schemaVersion: "1.0";
179
+ status: "ok" | "partial" | "failed";
180
+ generatedAt: string;
181
+ cveCount: number;
182
+ remediationCount: number;
183
+ successCount: number;
184
+ failedCount: number;
185
+ errors: Array<{
186
+ cveId: string;
187
+ message: string;
188
+ }>;
189
+ evidenceFile?: string;
190
+ patchCount?: number;
191
+ patchValidationFailures?: Array<{
192
+ packageName: string;
193
+ cveId: string;
194
+ error: string;
195
+ }>;
196
+ strategyCounts?: PatchStrategyCounts;
197
+ dependencyScopeCounts?: DependencyScopeCounts;
198
+ unresolvedByReason?: UnresolvedReasonCounts;
199
+ patchesDir?: string;
200
+ correlation?: CorrelationContext;
201
+ provenance?: ProvenanceContext;
202
+ constraints?: RemediationConstraints;
203
+ idempotencyKey?: string;
204
+ }
205
+
206
+ declare function remediate(cveId: string, options?: RemediateOptions): Promise<RemediationReport>;
207
+ declare function planRemediation(cveId: string, options?: RemediateOptions): Promise<RemediationReport>;
208
+
209
+ declare function remediateFromScan(inputPath: string, options?: ScanOptions): Promise<ScanReport>;
210
+
211
+ export { type AffectedPackage as A, type CiSummary as C, type DependencyScope as D, type InventoryPackage as I, type PatchResult as P, type RemediateOptions as R, type ScanReport as S, type UnresolvedReason as U, type VulnerablePackage as V, type RemediationReport as a, type CorrelationContext as b, type CveDetails as c, type DependencyScopeCounts as d, type PatchStrategy as e, type PatchStrategyCounts as f, type ProvenanceContext as g, type RemediationConstraints as h, type ScanInputFormat as i, type ScanOptions as j, type UnresolvedReasonCounts as k, remediateFromScan as l, planRemediation as p, remediate as r };
package/llms.txt CHANGED
@@ -44,7 +44,7 @@ autoremediator ./npm-audit.json --cwd ./my-project --ci
44
44
  autoremediator-mcp # stdio transport — register with any MCP host
45
45
  ```
46
46
 
47
- Available MCP tools: `remediate`, `remediateFromScan`
47
+ Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`
48
48
 
49
49
  ## Tools (agent / MCP)
50
50
 
@@ -55,6 +55,7 @@ Available MCP tools: `remediate`, `remediateFromScan`
55
55
  | `check-version-match` | Cross-reference inventory against vulnerable ranges |
56
56
  | `find-fixed-version` | Query npm registry for lowest safe upgrade |
57
57
  | `apply-version-bump` | Update package.json and run package-manager install |
58
+ | `apply-package-override` | Apply package-manager-native override for vulnerable transitive dependencies |
58
59
  | `fetch-package-source`| Download package tarball for patch generation |
59
60
  | `generate-patch` | Generate unified diff patch via LLM |
60
61
  | `apply-patch-file` | Write/apply patch file via native or compatibility patch flow |
@@ -63,6 +64,7 @@ Available MCP tools: `remediate`, `remediateFromScan`
63
64
 
64
65
  ```
65
66
  lookup-cve → check-inventory → check-version-match → find-fixed-version → apply-version-bump
67
+ └─ transitive path: apply-package-override
66
68
  └─ fallback: fetch-package-source → generate-patch → apply-patch-file
67
69
  ```
68
70
 
@@ -72,11 +74,20 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
72
74
  |--------|------|---------|-------------|
73
75
  | `cwd` | string | `process.cwd()` | Project root |
74
76
  | `dryRun` | boolean | `false` | Plan only, write nothing |
75
- | `skipTests` | boolean | `true` | Skip package-manager test command after fix |
77
+ | `runTests` | boolean | `false` | Run package-manager test command after fix |
76
78
  | `packageManager` | `npm\|pnpm\|yarn` | auto-detect | Override package manager selection |
77
- | `llmProvider` | `openai\|anthropic\|local` | `openai` | LLM backend (`local` = deterministic, no API key needed) |
79
+ | `llmProvider` | `openai\|anthropic\|local` | `openai` | LLM backend (`local` = deterministic primary path; fallback patch generation may require model credentials) |
78
80
  | `patchesDir` | string | `./patches` | Directory for .patch files |
79
- | `policyPath` | string | `.autoremediator.json` | Policy file path |
81
+ | `policy` | string | `.autoremediator.json` | Policy file path |
82
+ | `preview` | boolean | `false` | Non-mutating remediation preview (forces dry-run behavior) |
83
+ | `evidence` | boolean | `true` | Write evidence JSON output |
84
+ | `requestId` | string | auto-generated | Request correlation ID |
85
+ | `sessionId` | string | unset | Session correlation ID |
86
+ | `parentRunId` | string | unset | Parent run correlation ID |
87
+ | `idempotencyKey` | string | unset | Replay-safe idempotency key |
88
+ | `resume` | boolean | `false` | Return cached result for matching idempotency key when available |
89
+ | `constraints.directDependenciesOnly` | boolean | `false` | Restrict remediation to direct dependencies |
90
+ | `constraints.preferVersionBump` | boolean | `false` | Reject override and patch remediation |
80
91
 
81
92
  ## Policy File (`.autoremediator.json`)
82
93
 
@@ -114,6 +125,7 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
114
125
  results: PatchResult[]; // strategy: "version-bump" | "patch-file" | "none"
115
126
  agentSteps: number;
116
127
  summary: string;
128
+ evidenceFile?: string;
117
129
  }
118
130
  ```
119
131
 
@@ -129,8 +141,11 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
129
141
  failedCount: number;
130
142
  errors: Array<{ cveId: string; message: string }>;
131
143
  evidenceFile?: string; // path to .autoremediator/evidence/<runId>.json
132
- patchFileCount: number;
144
+ patchCount: number;
133
145
  patchValidationFailures?: Array<{ packageName: string; cveId: string; error: string }>;
134
- patchStorageDir?: string;
146
+ strategyCounts?: Record<string, number>;
147
+ dependencyScopeCounts?: Record<string, number>;
148
+ unresolvedByReason?: Record<string, number>;
149
+ patchesDir?: string;
135
150
  }
136
151
  ```
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "name": "autoremediator",
3
3
  "private": false,
4
- "version": "0.5.0",
5
- "description": "Automated CVE remediation for Node.js dependencies with CLI, SDK, MCP, and scanner-to-fix workflows.",
4
+ "version": "0.7.0",
5
+ "description": "Risk-aware, agentic CVE remediation for Node.js using OSV, CISA KEV, and FIRST EPSS intelligence with policy and evidence controls.",
6
6
  "keywords": [
7
7
  "security-remediation",
8
8
  "dependency-security",