brainblast 0.5.3 → 0.6.0

package/dist/cli.js

@@ -2,11 +2,9 @@
 import {
   analyzeCosts,
   applyDiffToFile,
-  audit,
   buildTrustGraph,
   cacheSize,
   defaultCachePath,
-  getChangedRanges,
   initPack,
   isTelemetryEnabled,
   isValidSolanaAddress,
@@ -15,12 +13,16 @@ import {
   recordGraduationEvents,
   renderCostReportMd,
   renderTrustGraphMd,
-  resolveRules,
   startWatch,
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-LHP6HFMS.js";
+} from "./chunk-ZZ6LBZV5.js";
+import {
+  audit,
+  getChangedRanges,
+  resolveRules
+} from "./chunk-A56IF3UX.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
@@ -107,6 +109,15 @@ function parsePackDirs(argv) {
   if (!value || value.startsWith("--")) return [];
   return value.split(",").map((s) => s.trim()).filter(Boolean);
 }
+if (args[0] === "diff") {
+  await runDiff(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "mcp") {
+  const { startMcpServer } = await import("./mcp-RUVILE2Y.js");
+  await startMcpServer();
+  process.exit(0);
+}
 if (args[0] === "trust-graph") {
   await runTrustGraph(args.slice(1));
   process.exit(0);
@@ -418,3 +429,87 @@ Warning: could not create branch/commit: ${e.message ?? e}`);
     }
   }
 }
+function splitPkgVersion(arg) {
+  if (arg.startsWith("@")) {
+    const rest = arg.slice(1);
+    const at2 = rest.lastIndexOf("@");
+    if (at2 < 0) return [arg, ""];
+    return [`@${rest.slice(0, at2)}`, rest.slice(at2 + 1)];
+  }
+  const at = arg.lastIndexOf("@");
+  if (at <= 0) return [arg, ""];
+  return [arg.slice(0, at), arg.slice(at + 1)];
+}
+function guessEcosystem(name) {
+  if (name.includes("/") && !name.startsWith("@")) return "Go";
+  return "npm";
+}
+async function runDiff(argv) {
+  const flag = (n) => {
+    const i = argv.indexOf(`--${n}`);
+    return i >= 0 ? argv[i + 1] : void 0;
+  };
+  const ecoFlag = flag("ecosystem");
+  const fromFlag = flag("from");
+  const toFlag = flag("to");
+  const jsonOut = argv.includes("--json");
+  const skipValues = new Set([ecoFlag, fromFlag, toFlag].filter(Boolean));
+  const positional = argv.filter((a) => !a.startsWith("--") && !skipValues.has(a));
+  let pkgName;
+  let fromVersion;
+  let toVersion;
+  let ecosystem;
+  if (positional.length === 2 && positional[0].includes("@") && positional[1].includes("@")) {
+    const [n1, v1] = splitPkgVersion(positional[0]);
+    const [n2, v2] = splitPkgVersion(positional[1]);
+    if (n1 !== n2) {
+      console.error(`error: package names must match ('${n1}' vs '${n2}')`);
+      process.exit(2);
+    }
+    if (!v1 || !v2) {
+      console.error("error: could not parse versions from arguments");
+      process.exit(2);
+    }
+    pkgName = n1;
+    fromVersion = v1;
+    toVersion = v2;
+    ecosystem = ecoFlag ?? guessEcosystem(pkgName);
+  } else if (positional.length >= 1 && fromFlag && toFlag) {
+    pkgName = positional[0];
+    fromVersion = fromFlag;
+    toVersion = toFlag;
+    ecosystem = ecoFlag ?? guessEcosystem(pkgName);
+  } else {
+    console.error("usage: brainblast diff <pkg>@<from> <pkg>@<to> [--ecosystem <eco>]");
+    console.error("   or: brainblast diff <pkg> --from <v1> --to <v2> [--ecosystem <eco>]");
+    console.error("  e.g.: brainblast diff lodash@4.17.20 lodash@4.17.21");
+    process.exit(2);
+  }
+  const { diffVersions, renderDiffText, renderDiffMd, riskScore } = await import("./diff-PZKZYBKF.js");
+  let result;
+  try {
+    result = await diffVersions(ecosystem, pkgName, fromVersion, toVersion);
+  } catch (e) {
+    console.error(`brainblast diff: ${e.message ?? String(e)}`);
+    process.exit(1);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+  console.log(renderDiffText(result));
+  const score = riskScore(result);
+  if (score > 0) {
+    console.error(`
+Upgrade INCREASES risk (score: +${score}). Review introduced advisories before bumping.`);
+    process.exit(1);
+  } else if (score < 0) {
+    console.log(`
+Upgrade DECREASES risk (score: ${score}). Upgrade recommended.`);
+  } else if (result.unchanged.length > 0) {
+    console.log(`
+Risk profile unchanged (${result.unchanged.length} advisory${result.unchanged.length !== 1 ? "ies" : ""} persist in both versions).`);
+  } else {
+    console.log("\nNo known advisories for either version.");
+  }
+}

package/dist/diff-PZKZYBKF.js

@@ -0,0 +1,12 @@
+import {
+  diffVersions,
+  renderDiffMd,
+  renderDiffText,
+  riskScore
+} from "./chunk-SC6RNNDW.js";
+export {
+  diffVersions,
+  renderDiffMd,
+  renderDiffText,
+  riskScore
+};

package/dist/index.d.ts

@@ -495,4 +495,29 @@ declare function isEntryExpired(entry: ProgramCacheEntry, ttlHoursOverride?: num
  */
 declare function cacheSize(cache: ProgramCache, ttlHoursOverride?: number): number;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type GraduationEvent, type OnChainProgram, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, rangeChanged, recordGraduationEvents, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, runIncrementalScan, saveProgramCache, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest };
+interface OsvAdvisory {
+    id: string;
+    severity: "critical" | "high" | "medium" | "low";
+    summary: string;
+    url: string;
+}
+declare function queryOsv(ecosystem: string, name: string, version: string): Promise<OsvAdvisory[]>;
+
+interface DiffResult {
+    package: string;
+    ecosystem: string;
+    fromVersion: string;
+    toVersion: string;
+    /** Advisories present in fromVersion that are gone in toVersion. */
+    resolved: OsvAdvisory[];
+    /** Advisories that appear in toVersion but were not in fromVersion. */
+    introduced: OsvAdvisory[];
+    /** Advisories present in both versions. */
+    unchanged: OsvAdvisory[];
+}
+declare function diffVersions(ecosystem: string, packageName: string, fromVersion: string, toVersion: string): Promise<DiffResult>;
+declare function riskScore(result: DiffResult): number;
+declare function renderDiffText(result: DiffResult): string;
+declare function renderDiffMd(result: DiffResult): string;
+
+export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type GraduationEvent, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest };

package/dist/index.js

@@ -1,56 +1,65 @@
 import {
   DEFAULT_REGISTRY_URL,
   DEFAULT_TTL_HOURS,
-  PACK_MANIFEST_FILE,
   analyzeCosts,
   applyDiffToFile,
-  audit,
-  auditWithRule,
   base58Decode,
   base58Encode,
   buildTrustGraph,
   cacheSize,
-  checkerKinds,
   defaultCachePath,
-  fileChanged,
-  findCandidates,
-  findConfigCandidates,
   getCacheEntry,
   getCacheEntryMeta,
-  getChangedRanges,
   getRepoHash,
   getUserHash,
-  getWorkingTreeChanges,
   initPack,
   isEntryExpired,
   isTelemetryEnabled,
   isValidSolanaAddress,
   lamportsToSol,
   loadDirectory,
-  loadPack,
-  loadPacksFromDir,
   loadProgramCache,
-  loadRules,
   parseDiff,
   putCacheEntry,
-  rangeChanged,
   recordGraduationEvents,
   renderCostReportMd,
-  renderTest,
   renderTrustGraphMd,
   rentExemptMinimum,
-  resolveRules,
-  rules,
-  runChecker,
   runIncrementalScan,
   saveProgramCache,
   startWatch,
   submitTelemetry,
   telemetryFilePath,
+  validatePack
+} from "./chunk-ZZ6LBZV5.js";
+import {
+  PACK_MANIFEST_FILE,
+  audit,
+  auditWithRule,
+  checkerKinds,
+  fileChanged,
+  findCandidates,
+  findConfigCandidates,
+  getChangedRanges,
+  getWorkingTreeChanges,
+  loadPack,
+  loadPacksFromDir,
+  loadRules,
+  rangeChanged,
+  renderTest,
+  resolveRules,
+  rules,
+  runChecker,
   testKinds,
-  validatePack,
   validatePackManifest
-} from "./chunk-LHP6HFMS.js";
+} from "./chunk-A56IF3UX.js";
+import {
+  diffVersions,
+  queryOsv,
+  renderDiffMd,
+  renderDiffText,
+  riskScore
+} from "./chunk-SC6RNNDW.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";
@@ -80,6 +89,7 @@ export {
   cacheSize,
   checkerKinds,
   defaultCachePath,
+  diffVersions,
   fileChanged,
   findCandidates,
   findConfigCandidates,
@@ -102,13 +112,17 @@ export {
   loadRules,
   parseDiff,
   putCacheEntry,
+  queryOsv,
   rangeChanged,
   recordGraduationEvents,
   renderCostReportMd,
+  renderDiffMd,
+  renderDiffText,
   renderTest,
   renderTrustGraphMd,
   rentExemptMinimum,
   resolveRules,
+  riskScore,
   runChecker,
   runIncrementalScan,
   saveProgramCache,

package/dist/mcp-RUVILE2Y.js

@@ -0,0 +1,172 @@
+import {
+  audit,
+  resolveRules
+} from "./chunk-A56IF3UX.js";
+import {
+  diffVersions,
+  queryOsv
+} from "./chunk-SC6RNNDW.js";
+
+// src/mcp.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+var VERSION = "0.6.0";
+var TOOLS = [
+  {
+    name: "brainblast_audit",
+    description: "Run the brainblast deterministic static auditor on a local project directory. Returns per-rule check results (pass / fail / cant_tell) and severity totals. Catches catastrophic AI-integration traps: Stripe raw-body signing, JWT audience/issuer, SPL token-program identity, command-injection sinks, committed secrets, and more.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        dir: {
+          type: "string",
+          description: "Absolute path to the project directory to audit. Defaults to the current working directory if omitted."
+        },
+        packs: {
+          type: "array",
+          items: { type: "string" },
+          description: "Optional list of absolute paths to pluggable rule-pack directories (each must contain a brainblast-pack.yaml manifest)."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "brainblast_diff",
+    description: "Compare the OSV security-advisory risk profile between two versions of a package. Shows which advisories were introduced by the upgrade, which were resolved, and which are present in both versions. Returns a risk score: positive means the upgrade increases risk, negative means it decreases risk.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        ecosystem: {
+          type: "string",
+          description: "OSV ecosystem name \u2014 e.g. npm, PyPI, crates.io, Go, RubyGems, Packagist, Maven, NuGet."
+        },
+        package: { type: "string", description: "Package / module name." },
+        from_version: { type: "string", description: "The version currently in use (upgrading from)." },
+        to_version: { type: "string", description: "The candidate version (upgrading to)." }
+      },
+      required: ["ecosystem", "package", "from_version", "to_version"]
+    }
+  },
+  {
+    name: "brainblast_osv_check",
+    description: "Query OSV.dev for all known security advisories affecting a specific package at a specific version. Returns severity (critical/high/medium/low), advisory ID, human-readable summary, and advisory URL. An empty array means no advisories found \u2014 not that the package is safe.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        ecosystem: {
+          type: "string",
+          description: "OSV ecosystem \u2014 e.g. npm, PyPI, crates.io, Go, RubyGems."
+        },
+        package: { type: "string", description: "Package name." },
+        version: { type: "string", description: "Exact version string to check." }
+      },
+      required: ["ecosystem", "package", "version"]
+    }
+  }
+];
+async function startMcpServer() {
+  const server = new Server(
+    { name: "brainblast", version: VERSION },
+    { capabilities: { tools: {} } }
+  );
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const { name, arguments: args = {} } = req.params;
+    if (name === "brainblast_audit") {
+      const { dir = process.cwd(), packs = [] } = args;
+      try {
+        const rules = resolveRules(dir, packs);
+        const { checks, report } = audit(dir, rules);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(
+                {
+                  dir,
+                  rulesLoaded: rules.length,
+                  checks,
+                  riskTotals: report.riskTotals
+                },
+                null,
+                2
+              )
+            }
+          ]
+        };
+      } catch (e) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Error running audit: ${e.message ?? String(e)}`
+            }
+          ],
+          isError: true
+        };
+      }
+    }
+    if (name === "brainblast_osv_check") {
+      const { ecosystem, package: pkg, version } = args;
+      try {
+        const advisories = await queryOsv(ecosystem, pkg, version);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(advisories, null, 2)
+            }
+          ]
+        };
+      } catch (e) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `OSV query failed: ${e.message ?? String(e)}`
+            }
+          ],
+          isError: true
+        };
+      }
+    }
+    if (name === "brainblast_diff") {
+      const { ecosystem, package: pkg, from_version, to_version } = args;
+      try {
+        const result = await diffVersions(ecosystem, pkg, from_version, to_version);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (e) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Diff failed: ${e.message ?? String(e)}`
+            }
+          ],
+          isError: true
+        };
+      }
+    }
+    return {
+      content: [{ type: "text", text: `Unknown tool: ${name}` }],
+      isError: true
+    };
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+export {
+  startMcpServer
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [
@@ -63,6 +63,7 @@
     "typecheck": "tsc --noEmit -p tsconfig.json"
   },
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "tree-sitter": "^0.22.4",
     "tree-sitter-rust": "^0.24.0",
     "ts-morph": "^23",