autoremediator 0.7.0 → 0.9.0

@@ -1,6 +1,6 @@
1
1
  type JsonSchemaProperty = Record<string, unknown>;
2
2
  declare const PACKAGE_MANAGER_VALUES: readonly ["npm", "pnpm", "yarn"];
3
- declare const LLM_PROVIDER_VALUES: readonly ["openai", "anthropic", "local"];
3
+ declare const LLM_PROVIDER_VALUES: readonly ["remote", "local"];
4
4
  declare const PROVENANCE_SOURCE_VALUES: readonly ["cli", "sdk", "mcp", "openapi", "unknown"];
5
5
  declare const OPTION_DESCRIPTIONS: {
6
6
  readonly cveId: "CVE ID, e.g. CVE-2021-23337";
@@ -10,7 +10,18 @@ declare const OPTION_DESCRIPTIONS: {
10
10
  readonly dryRun: "If true, plan changes but write nothing";
11
11
  readonly preview: "If true, enforce non-mutating preview mode";
12
12
  readonly runTests: "Run package-manager test command after applying fix";
13
- readonly llmProvider: "LLM provider override";
13
+ readonly llmProvider: "LLM provider override (remote|local)";
14
+ readonly model: "LLM model override";
15
+ readonly modelPersonality: "Prompt behavior profile: analytical|pragmatic|balanced";
16
+ readonly providerSafetyProfile: "Safety posture profile for confidence gates: strict|relaxed";
17
+ readonly requireConsensusForHighRisk: "Require second-provider agreement for high-risk generated patches";
18
+ readonly consensusProvider: "Provider override for high-risk consensus verification (remote|local)";
19
+ readonly consensusModel: "Model override for high-risk consensus verification";
20
+ readonly patchConfidenceThresholdLow: "Patch acceptance confidence threshold for low-risk patches (0..1)";
21
+ readonly patchConfidenceThresholdMedium: "Patch acceptance confidence threshold for medium-risk patches (0..1)";
22
+ readonly patchConfidenceThresholdHigh: "Patch acceptance confidence threshold for high-risk patches (0..1)";
23
+ readonly dynamicModelRouting: "Enable dynamic model selection by input size";
24
+ readonly dynamicRoutingThresholdChars: "Input size threshold used by dynamic model routing";
14
25
  readonly patchesDir: "Directory to write .patch files (default: ./patches)";
15
26
  readonly policy: "Optional path to .autoremediator policy file";
16
27
  readonly requestId: "Request correlation ID";
@@ -21,9 +32,14 @@ declare const OPTION_DESCRIPTIONS: {
21
32
  readonly actor: "Actor identity for evidence provenance";
22
33
  readonly source: "Source system for provenance";
23
34
  readonly format: "Scanner format (default: auto)";
35
+ readonly audit: "Run package-manager-native audit command instead of reading a scan file";
24
36
  readonly evidence: "Write evidence JSON to .autoremediator/evidence/ (default: true)";
25
37
  readonly directDependenciesOnly: "Restrict remediation to direct dependencies only";
26
38
  readonly preferVersionBump: "Reject override and patch remediation when version-bump-only policy is required";
39
+ readonly installMode: "Install behavior profile: deterministic|prefer-offline|standard";
40
+ readonly installPreferOffline: "Override prefer-offline flag behavior for install commands";
41
+ readonly enforceFrozenLockfile: "Override frozen lockfile behavior for install commands";
42
+ readonly workspace: "Workspace/package selector for scoped remediation in monorepos";
27
43
  };
28
44
  declare function createConstraintSchemaProperties(): Record<string, JsonSchemaProperty>;
29
45
  declare function createRemediateOptionSchemaProperties(options?: {
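--- a/package/llms.txt
+++ b/package/llms.txt
@@ -1,6 +1,6 @@
  # autoremediator
 
- > Agentic CVE remediation for Node.js projects — MCP tool server, OpenAPI HTTP API, and CLI.
+ > Agentic CVE remediation for Node.js projects — MCP tool server, OpenAPI HTTP API, CLI, patch lifecycle workflows, portfolio orchestration, and native review creation.
 
  ## What it does
 
@@ -10,6 +10,7 @@ autoremediator takes a CVE ID (or a scanner output file) and autonomously:
  3. Finds the lowest safe upgrade version from the npm registry
  4. Applies a `package.json` version bump and runs the resolved package manager install command
  5. Falls back to generating and applying a unified diff `.patch` file when no safe upgrade exists
+ 6. Supports patch artifact listing, inspection, and validation with patch manifest sidecars
 
  Retrieval intent terms: dependency remediation, CVE fix automation, npm audit remediation, yarn audit remediation, pnpm remediation, Node.js vulnerability patching, MCP security tool.
 
@@ -22,13 +23,28 @@ Documentation site:
  ### SDK
 
  ```ts
- import { remediate, remediateFromScan } from "autoremediator";
+ import {
+ inspectPatchArtifact,
+ listPatchArtifacts,
+ remediate,
+ remediatePortfolio,
+ remediateFromScan,
+ validatePatchArtifact,
+ } from "autoremediator";
 
  // Single CVE
  const report = await remediate("CVE-2021-23337", { cwd: "/my/project" });
 
  // From scanner output
  const scanReport = await remediateFromScan("./npm-audit.json", { cwd: "/my/project" });
+
+ const portfolioReport = await remediatePortfolio({
+ targets: [{ cwd: "/my/project", cveId: "CVE-2021-23337" }],
+ });
+
+ const patches = await listPatchArtifacts({ cwd: "/my/project" });
+ const inspection = await inspectPatchArtifact("./patches/lodash+4.17.0.patch", { cwd: "/my/project" });
+ const validation = await validatePatchArtifact("./patches/lodash+4.17.0.patch", { cwd: "/my/project" });
  ```
 
  ### CLI
@@ -36,6 +52,10 @@ const scanReport = await remediateFromScan("./npm-audit.json", { cwd: "/my/proje
  ```
  autoremediator CVE-2021-23337 --cwd ./my-project [--dry-run] [--llm-provider local]
  autoremediator ./npm-audit.json --cwd ./my-project --ci
+ autoremediator portfolio --targets-file ./targets.json
+ autoremediator patches list --cwd ./my-project
+ autoremediator patches inspect ./my-project/patches/lodash+4.17.0.patch
+ autoremediator patches validate ./my-project/patches/lodash+4.17.0.patch
  ```
 
  ### MCP Tool Server
@@ -44,7 +64,7 @@ autoremediator ./npm-audit.json --cwd ./my-project --ci
  autoremediator-mcp # stdio transport — register with any MCP host
  ```
 
- Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`
+ Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`, `remediatePortfolio`, `listPatchArtifacts`, `inspectPatchArtifact`, `validatePatchArtifact`
 
  ## Tools (agent / MCP)
 
@@ -60,6 +80,14 @@ Available MCP tools: `remediate`, `planRemediation`, `remediateFromScan`
  | `generate-patch` | Generate unified diff patch via LLM |
  | `apply-patch-file` | Write/apply patch file via native or compatibility patch flow |
 
+ Patch lifecycle operations:
+
+ | Operation | Description |
+ |-----------|-------------|
+ | `listPatchArtifacts` | Enumerate stored patch artifacts and manifest metadata |
+ | `inspectPatchArtifact` | Inspect a patch artifact and unified-diff validity |
+ | `validatePatchArtifact` | Validate manifest presence and dependency-version drift |
+
  ## Remediation Order
 
  ```
@@ -76,7 +104,7 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
  | `dryRun` | boolean | `false` | Plan only, write nothing |
  | `runTests` | boolean | `false` | Run package-manager test command after fix |
  | `packageManager` | `npm\|pnpm\|yarn` | auto-detect | Override package manager selection |
- | `llmProvider` | `openai\|anthropic\|local` | `openai` | LLM backend (`local` = deterministic primary path; fallback patch generation may require model credentials) |
+ | `llmProvider` | `remote\|local` | `remote` | Provider model (`local` = deterministic primary path; `remote` = model-backed patch generation) |
  | `patchesDir` | string | `./patches` | Directory for .patch files |
  | `policy` | string | `.autoremediator.json` | Policy file path |
  | `preview` | boolean | `false` | Non-mutating remediation preview (forces dry-run behavior) |
@@ -103,9 +131,10 @@ lookup-cve → check-inventory → check-version-match → find-fixed-version
 
  | Variable | Description |
  |----------|-------------|
- | `OPENAI_API_KEY` | Required for `llmProvider: openai` |
- | `ANTHROPIC_API_KEY` | Required for `llmProvider: anthropic` |
- | `AUTOREMEDIATOR_LLM_PROVIDER` | Default provider (`openai`, `anthropic`, `local`) |
+ | `AUTOREMEDIATOR_REMOTE_API_KEY` | Required for `llmProvider: remote` |
+ | `AUTOREMEDIATOR_REMOTE_CLIENT_MODULE` | Module name exporting the remote model client factory |
+ | `AUTOREMEDIATOR_REMOTE_CLIENT_FACTORY` | Export name for remote model client factory (default: `createRemoteClient`) |
+ | `AUTOREMEDIATOR_LLM_PROVIDER` | Default provider (`remote`, `local`) |
  | `GITHUB_TOKEN` | GitHub token for higher advisory API rate limits |
  | `AUTOREMEDIATOR_NVD_API_KEY` | NVD API key for higher CVSS rate limits |
 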
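--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,8 @@
  {
  "name": "autoremediator",
  "private": false,
- "version": "0.7.0",
- "description": "Risk-aware, agentic CVE remediation for Node.js using OSV, CISA KEV, and FIRST EPSS intelligence with policy and evidence controls.",
+ "version": "0.9.0",
+ "description": "Risk-aware CVE remediation for Node.js with agentic MCP/OpenAPI integrations, safe upgrade and patch fallback, policy controls, and evidence outputs.",
  "keywords": [
  "security-remediation",
  "dependency-security",
@@ -24,6 +24,10 @@
  "ai",
  "llm",
  "mcp",
+ "claude",
+ "claude-mythos",
+ "claude-mcp",
+ "agent-tooling",
  "openapi",
  "osv",
  "ghsa",
@@ -90,7 +94,8 @@
  "test:watch": "vitest"
  },
  "dependencies": {
- "@modelcontextprotocol/sdk": "^1.27.1",
+ "@modelcontextprotocol/sdk": "^1.29.0",
+ "@octokit/rest": "^22.0.1",
  "ai": "^4.3.19",
  "chalk": "^5.6.2",
  "commander": "^13.1.0",
@@ -113,10 +118,10 @@
  "devDependencies": {
  "@ai-sdk/anthropic": "^1.2.12",
  "@ai-sdk/openai": "^1.3.24",
- "@types/node": "^24.12.0",
+ "@types/node": "^24.12.2",
  "@types/semver": "^7.7.1",
  "tsup": "^8.5.1",
- "typescript": "^5.9.3",
+ "typescript": "^6.0.2",
  "vitest": "^3.2.4"
  },
  "engines": {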
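Review bot: The `dependencies` hunk adds `"@octokit/rest": "^22.0.1"` as a hard runtime dependency, so every install of the CLI, SDK and MCP server now pulls the GitHub client and its transitive tree, whether or not a review is ever created. For a tool that rewrites manifests and runs install commands inside other projects, that surface is better kept opt-in: declare it under `optionalDependencies` (or as an optional peer via `peerDependenciesMeta`) and load it only on the review-creation path. That the package serves only review creation is inferred from the description change in `llms.txt`, not shown in this section. The same release moves `typescript` from `^5.9.3` to `^6.0.2` in `devDependencies`; a major compiler bump can change the emitted declaration files, so it deserves its own changelog line.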