autoremediator 0.7.0 → 0.9.0
- package/README.md +92 -69
- package/dist/{chunk-MUFP2DQX.js → chunk-EDPCMRUW.js} +3510 -2170
- package/dist/chunk-EDPCMRUW.js.map +1 -0
- package/dist/cli.js +195 -8
- package/dist/cli.js.map +1 -1
- package/dist/index-Di8lB6CG.d.ts +401 -0
- package/dist/index.d.ts +4 -6
- package/dist/index.js +9 -5
- package/dist/mcp/server.d.ts +75 -2
- package/dist/mcp/server.js +72 -3
- package/dist/mcp/server.js.map +1 -1
- package/dist/openapi/server.d.ts +444 -137
- package/dist/openapi/server.js +358 -147
- package/dist/openapi/server.js.map +1 -1
- package/dist/{options-schema-DfLBOsPI.d.ts → options-schema-CH5GjZY1.d.ts} +18 -2
- package/llms.txt +36 -7
- package/package.json +10 -5
- package/dist/chunk-MUFP2DQX.js.map +0 -1
- package/dist/remediate-from-scan-C-E7gqxF.d.ts +0 -211
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
type JsonSchemaProperty = Record<string, unknown>;
|
|
2
2
|
declare const PACKAGE_MANAGER_VALUES: readonly ["npm", "pnpm", "yarn"];
|
|
3
|
-
declare const LLM_PROVIDER_VALUES: readonly ["
|
|
3
|
+
declare const LLM_PROVIDER_VALUES: readonly ["remote", "local"];
|
|
4
4
|
declare const PROVENANCE_SOURCE_VALUES: readonly ["cli", "sdk", "mcp", "openapi", "unknown"];
|
|
5
5
|
declare const OPTION_DESCRIPTIONS: {
|
|
6
6
|
readonly cveId: "CVE ID, e.g. CVE-2021-23337";
|
|
@@ -10,7 +10,18 @@ declare const OPTION_DESCRIPTIONS: {
|
|
|
10
10
|
readonly dryRun: "If true, plan changes but write nothing";
|
|
11
11
|
readonly preview: "If true, enforce non-mutating preview mode";
|
|
12
12
|
readonly runTests: "Run package-manager test command after applying fix";
|
|
13
|
-
readonly llmProvider: "LLM provider override";
|
|
13
|
+
readonly llmProvider: "LLM provider override (remote|local)";
|
|
14
|
+
readonly model: "LLM model override";
|
|
15
|
+
readonly modelPersonality: "Prompt behavior profile: analytical|pragmatic|balanced";
|
|
16
|
+
readonly providerSafetyProfile: "Safety posture profile for confidence gates: strict|relaxed";
|
|
17
|
+
readonly requireConsensusForHighRisk: "Require second-provider agreement for high-risk generated patches";
|
|
18
|
+
readonly consensusProvider: "Provider override for high-risk consensus verification (remote|local)";
|
|
19
|
+
readonly consensusModel: "Model override for high-risk consensus verification";
|
|
20
|
+
readonly patchConfidenceThresholdLow: "Patch acceptance confidence threshold for low-risk patches (0..1)";
|
|
21
|
+
readonly patchConfidenceThresholdMedium: "Patch acceptance confidence threshold for medium-risk patches (0..1)";
|
|
22
|
+
readonly patchConfidenceThresholdHigh: "Patch acceptance confidence threshold for high-risk patches (0..1)";
|
|
23
|
+
readonly dynamicModelRouting: "Enable dynamic model selection by input size";
|
|
24
|
+
readonly dynamicRoutingThresholdChars: "Input size threshold used by dynamic model routing";
|
|
14
25
|
readonly patchesDir: "Directory to write .patch files (default: ./patches)";
|
|
15
26
|
readonly policy: "Optional path to .autoremediator policy file";
|
|
16
27
|
readonly requestId: "Request correlation ID";
|
|
@@ -21,9 +32,14 @@ declare const OPTION_DESCRIPTIONS: {
|
|
|
21
32
|
readonly actor: "Actor identity for evidence provenance";
|
|
22
33
|
readonly source: "Source system for provenance";
|
|
23
34
|
readonly format: "Scanner format (default: auto)";
|
|
35
|
+
readonly audit: "Run package-manager-native audit command instead of reading a scan file";
|
|
24
36
|
readonly evidence: "Write evidence JSON to .autoremediator/evidence/ (default: true)";
|
|
25
37
|
readonly directDependenciesOnly: "Restrict remediation to direct dependencies only";
|
|
26
38
|
readonly preferVersionBump: "Reject override and patch remediation when version-bump-only policy is required";
|
|
39
|
+
readonly installMode: "Install behavior profile: deterministic|prefer-offline|standard";
|
|
40
|
+
readonly installPreferOffline: "Override prefer-offline flag behavior for install commands";
|
|
41
|
+
readonly enforceFrozenLockfile: "Override frozen lockfile behavior for install commands";
|
|
42
|
+
readonly workspace: "Workspace/package selector for scoped remediation in monorepos";
|
|
27
43
|
};
|
|
28
44
|
declare function createConstraintSchemaProperties(): Record<string, JsonSchemaProperty>;
|
|
29
45
|
declare function createRemediateOptionSchemaProperties(options?: {
|
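Review bot: The safety-gate descriptions added in the `@@ -10,7 +10,18 @@` hunk (`providerSafetyProfile`, `requireConsensusForHighRisk`, `patchConfidenceThresholdLow`/`Medium`/`High`) give no default, although neighbouring entries such as `patchesDir` and `evidence` do, so a caller cannot tell from this text whether omitting an option leaves the strict posture in force. Because these options decide when a generated patch is accepted, each string should carry its default, e.g. `readonly providerSafetyProfile: "Safety posture profile for confidence gates: strict|relaxed (default: <DEFAULT>)";` and `readonly requireConsensusForHighRisk: "Require second-provider agreement for high-risk generated patches (default: <DEFAULT>)";`. The real defaults are not visible on this page, hence the placeholders. The same gap applies to `installMode` and `enforceFrozenLockfile` in the `@@ -21,9 +32,14 @@` hunk. `OPTION_DESCRIPTIONS` begins above the hunk and this looks like a bundled declaration file, so the wording has to change in the source these strings are built from.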
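--- a/package/llms.txt
+++ b/package/llms.txt
@@ -1,6 +1,6 @@
 # autoremediator
 
-> Agentic CVE remediation for Node.js projects — MCP tool server, OpenAPI HTTP API, and
+> Agentic CVE remediation for Node.js projects — MCP tool server, OpenAPI HTTP API, CLI, patch lifecycle workflows, portfolio orchestration, and native review creation.
 
 ## What it does
 
@@ -10,6 +10,7 @@ autoremediator takes a CVE ID (or a scanner output file) and autonomously:
 3. Finds the lowest safe upgrade version from the npm registry
 4. Applies a `package.json` version bump and runs the resolved package manager install command
 5. Falls back to generating and applying a unified diff `.patch` file when no safe upgrade exists
+6. Supports patch artifact listing, inspection, and validation with patch manifest sidecars
 
 Retrieval intent terms: dependency remediation, CVE fix automation, npm audit remediation, yarn audit remediation, pnpm remediation, Node.js vulnerability patching, MCP security tool.
 
@@ -22,13 +23,28 @@ Documentation site:
 ### SDK
 
 ```ts
-import {
+import {
+inspectPatchArtifact,
+listPatchArtifacts,
+remediate,
+remediatePortfolio,
+remediateFromScan,
+validatePatchArtifact,
+} from "autoremediator";
 
 // Single CVE
 const report = await remediate("CVE-2021-23337", { cwd: "/my/project" });
 
 // From scanner output
 const scanReport = await remediateFromScan("./npm-audit.json", { cwd: "/my/project" });
+
+const portfolioReport = await remediatePortfolio({
+targets: [{ cwd: "/my/project", cveId: "CVE-2021-23337" }],
+});
+
+const patches = await listPatchArtifacts({ cwd: "/my/project" });
+const inspection = await inspectPatchArtifact("./patches/lodash+4.17.0.patch", { cwd: "/my/project" });
+const validation = await validatePatchArtifact("./patches/lodash+4.17.0.patch", { cwd: "/my/project" });
 ```
 
 ### CLI
@@ -36,6 +52,10 @@ const scanReport = await remediateFromScan("./npm-audit.json", { cwd: "/my/proje
 ```
 autoremediator CVE-2021-23337 --cwd ./my-project [--dry-run] [--llm-provider local]
 autoremediator ./npm-audit.json --cwd ./my-project --ci
+autoremediator portfolio --targets-file ./targets.json
+autoremediator patches list --cwd ./my-project
+autoremediator patches inspect ./my-project/patches/lodash+4.17.0.patch
+autoremediator patches validate ./my-project/patches/lodash+4.17.0.patch
 ```
 
 ### MCP Tool Server
@@ -44,7 +64,7 @@ autoremediator ./npm-audit.json --cwd ./my-project --ci
 autoremediator-mcp # stdio transport — register with any MCP host
 ```
 
-Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`
+Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`, `remediatePortfolio`, `listPatchArtifacts`, `inspectPatchArtifact`, `validatePatchArtifact`
 
 ## Tools (agent / MCP)
 
@@ -60,6 +80,14 @@ Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`
 | `generate-patch` | Generate unified diff patch via LLM |
 | `apply-patch-file` | Write/apply patch file via native or compatibility patch flow |
 
+Patch lifecycle operations:
+
+| Operation | Description |
+|-----------|-------------|
+| `listPatchArtifacts` | Enumerate stored patch artifacts and manifest metadata |
+| `inspectPatchArtifact` | Inspect a patch artifact and unified-diff validity |
+| `validatePatchArtifact` | Validate manifest presence and dependency-version drift |
+
 ## Remediation Order
 
 ```
@@ -76,7 +104,7 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
 | `dryRun` | boolean | `false` | Plan only, write nothing |
 | `runTests` | boolean | `false` | Run package-manager test command after fix |
 | `packageManager` | `npm\|pnpm\|yarn` | auto-detect | Override package manager selection |
-| `llmProvider` | `
+| `llmProvider` | `remote\|local` | `remote` | Provider model (`local` = deterministic primary path; `remote` = model-backed patch generation) |
 | `patchesDir` | string | `./patches` | Directory for .patch files |
 | `policy` | string | `.autoremediator.json` | Policy file path |
 | `preview` | boolean | `false` | Non-mutating remediation preview (forces dry-run behavior) |
@@ -103,9 +131,10 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
 
 | Variable | Description |
 |----------|-------------|
-| `
-| `
-| `
+| `AUTOREMEDIATOR_REMOTE_API_KEY` | Required for `llmProvider: remote` |
+| `AUTOREMEDIATOR_REMOTE_CLIENT_MODULE` | Module name exporting the remote model client factory |
+| `AUTOREMEDIATOR_REMOTE_CLIENT_FACTORY` | Export name for remote model client factory (default: `createRemoteClient`) |
+| `AUTOREMEDIATOR_LLM_PROVIDER` | Default provider (`remote`, `local`) |
 | `GITHUB_TOKEN` | GitHub token for higher advisory API rate limits |
 | `AUTOREMEDIATOR_NVD_API_KEY` | NVD API key for higher CVSS rate limits |
 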
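--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
 {
 "name": "autoremediator",
 "private": false,
-"version": "0.
-"description": "Risk-aware
+"version": "0.9.0",
+"description": "Risk-aware CVE remediation for Node.js with agentic MCP/OpenAPI integrations, safe upgrade and patch fallback, policy controls, and evidence outputs.",
 "keywords": [
 "security-remediation",
 "dependency-security",
@@ -24,6 +24,10 @@
 "ai",
 "llm",
 "mcp",
+"claude",
+"claude-mythos",
+"claude-mcp",
+"agent-tooling",
 "openapi",
 "osv",
 "ghsa",
@@ -90,7 +94,8 @@
 "test:watch": "vitest"
 },
 "dependencies": {
-"@modelcontextprotocol/sdk": "^1.
+"@modelcontextprotocol/sdk": "^1.29.0",
+"@octokit/rest": "^22.0.1",
 "ai": "^4.3.19",
 "chalk": "^5.6.2",
 "commander": "^13.1.0",
@@ -113,10 +118,10 @@
 "devDependencies": {
 "@ai-sdk/anthropic": "^1.2.12",
 "@ai-sdk/openai": "^1.3.24",
-"@types/node": "^24.12.
+"@types/node": "^24.12.2",
 "@types/semver": "^7.7.1",
 "tsup": "^8.5.1",
-"typescript": "^
+"typescript": "^6.0.2",
 "vitest": "^3.2.4"
 },
 "engines": {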
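Review bot: Nothing in this release says which `GITHUB_TOKEN` scope the new runtime dependency `"@octokit/rest": "^22.0.1"` (hunk `@@ -90,7 +94,8 @@`) requires. The environment table in `package/llms.txt` still describes the token only as `GitHub token for higher advisory API rate limits`; if the client backs the "native review creation" named in the new summary line (an inference, the calling code is not on this page), operators who already export a token for rate limits cannot tell that it may now be used for writes. package.json cannot carry a comment, so the place to fix this is that table row, with a description along the lines of `GitHub token for advisory API rate limits; review creation additionally requires <SCOPE>`, plus a statement that a read-only token is sufficient when review creation is not used.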