couchloop-eq-mcp 1.0.3 → 1.0.5

package/dist/tools/scan-security.js

@@ -0,0 +1,237 @@
+/**
+ * MCP Tool: scan_security
+ * Comprehensive security vulnerability scanner for AI-generated code
+ * Detects SQL injection, XSS, hardcoded secrets, and other security issues
+ */
+import { z } from 'zod';
+import { SqlInjectionDetector } from '../developer/scanners/sql-injection-detector.js';
+import { XssDetector } from '../developer/scanners/xss-detector.js';
+import { SecretScanner } from '../developer/scanners/secret-scanner.js';
+import { logger } from '../utils/logger.js';
+const inputSchema = z.object({
+    code: z.string().describe('Code snippet to scan for security vulnerabilities'),
+    language: z.enum(['javascript', 'typescript', 'python', 'java', 'sql', 'html', 'unknown']).default('javascript').describe('Programming language of the code'),
+    scanType: z.enum(['quick', 'thorough']).default('thorough').describe('Scan depth: quick (essential) or thorough (comprehensive)'),
+});
+export const scanSecurityTool = {
+    name: 'scan_security',
+    description: 'Comprehensive security scanner for AI-generated code. Detects SQL injection, XSS, hardcoded secrets, and other vulnerabilities with CWE codes and secure alternatives.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            code: {
+                type: 'string',
+                description: 'Code snippet to scan for security vulnerabilities'
+            },
+            language: {
+                type: 'string',
+                enum: ['javascript', 'typescript', 'python', 'java', 'sql', 'html', 'unknown'],
+                default: 'javascript',
+                description: 'Programming language of the code'
+            },
+            scanType: {
+                type: 'string',
+                enum: ['quick', 'thorough'],
+                default: 'thorough',
+                description: 'Scan depth: quick (essential checks) or thorough (comprehensive)'
+            }
+        },
+        required: ['code']
+    }
+};
+export async function handleScanSecurity(input) {
+    try {
+        const params = inputSchema.parse(input);
+        logger.info(`Security scan requested for ${params.language} code (${params.scanType} mode)`);
+        const vulnerabilities = [];
+        // Run appropriate scanners based on language and scan type
+        if (params.scanType === 'thorough' || ['javascript', 'typescript', 'sql'].includes(params.language)) {
+            const sqlDetector = new SqlInjectionDetector();
+            const sqlVulns = sqlDetector.scan(params.code);
+            vulnerabilities.push(...formatVulnerabilities(sqlVulns, 'SQLInjectionDetector'));
+        }
+        if (params.scanType === 'thorough' || ['javascript', 'typescript', 'html', 'python', 'java'].includes(params.language)) {
+            const xssDetector = new XssDetector();
+            const xssVulns = xssDetector.scan(params.code);
+            vulnerabilities.push(...formatVulnerabilities(xssVulns, 'XssDetector'));
+        }
+        if (params.scanType === 'thorough' || ['javascript', 'typescript', 'python', 'java'].includes(params.language)) {
+            const secretScanner = new SecretScanner();
+            const secretVulns = secretScanner.scan(params.code);
+            vulnerabilities.push(...formatVulnerabilities(secretVulns, 'SecretScanner'));
+        }
+        // Sort by severity and line number
+        vulnerabilities.sort((a, b) => {
+            const severityOrder = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+            const aSeverity = severityOrder[a.severity] ?? 4;
+            const bSeverity = severityOrder[b.severity] ?? 4;
+            if (aSeverity !== bSeverity)
+                return aSeverity - bSeverity;
+            return a.line - b.line;
+        });
+        // Calculate summary
+        const summary = calculateSummary(vulnerabilities, params.language, params.scanType);
+        // Generate recommendations
+        const recommendations = generateRecommendations(vulnerabilities);
+        // Generate developer notes
+        const developerNotes = generateDeveloperNotes(vulnerabilities, params.language);
+        // Determine overall risk level
+        const riskLevel = determineRiskLevel(summary);
+        const result = {
+            summary,
+            vulnerabilities,
+            riskLevel,
+            recommendations,
+            developerNotes,
+        };
+        logger.info(`Security scan completed: ${vulnerabilities.length} vulnerabilities found (${summary.critical} critical, ${summary.high} high)`);
+        return result;
+    }
+    catch (error) {
+        logger.error('Error during security scan:', error);
+        if (error instanceof z.ZodError) {
+            return {
+                summary: {
+                    totalVulnerabilities: 0,
+                    critical: 0,
+                    high: 0,
+                    medium: 0,
+                    low: 0,
+                    language: 'unknown',
+                    scanType: 'thorough',
+                },
+                vulnerabilities: [],
+                riskLevel: 'SAFE',
+                recommendations: ['Invalid input provided to security scanner'],
+                developerNotes: `Validation error: ${error.message}`,
+            };
+        }
+        return {
+            summary: {
+                totalVulnerabilities: 0,
+                critical: 0,
+                high: 0,
+                medium: 0,
+                low: 0,
+                language: 'unknown',
+                scanType: 'thorough',
+            },
+            vulnerabilities: [],
+            riskLevel: 'SAFE',
+            recommendations: ['An error occurred during scanning'],
+            developerNotes: `Error: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        };
+    }
+}
+/**
+ * Format vulnerabilities from scanners to unified format
+ */
+function formatVulnerabilities(vulns, scannerName) {
+    return vulns.map(vuln => ({
+        ...vuln,
+        scanner: scannerName,
+    }));
+}
+/**
+ * Calculate vulnerability summary
+ */
+function calculateSummary(vulnerabilities, language, scanType) {
+    const counts = {
+        CRITICAL: 0,
+        HIGH: 0,
+        MEDIUM: 0,
+        LOW: 0,
+    };
+    for (const vuln of vulnerabilities) {
+        counts[vuln.severity]++;
+    }
+    return {
+        totalVulnerabilities: vulnerabilities.length,
+        critical: counts.CRITICAL,
+        high: counts.HIGH,
+        medium: counts.MEDIUM,
+        low: counts.LOW,
+        language,
+        scanType,
+    };
+}
+/**
+ * Generate recommendations based on vulnerabilities found
+ */
+function generateRecommendations(vulnerabilities) {
+    const recommendations = new Set();
+    // Group vulnerabilities by type
+    const hasSQL = vulnerabilities.some(v => v.type === 'SQL_INJECTION' || v.type === 'UNPARAMETERIZED_QUERY');
+    const hasXSS = vulnerabilities.some(v => v.type?.includes('XSS') || v.type?.includes('INNERHTML'));
+    const hasSecrets = vulnerabilities.some(v => v.type === 'HARDCODED_API_KEY' || v.type === 'HARDCODED_PASSWORD');
+    if (hasSQL) {
+        recommendations.add('Use parameterized queries for all database operations. Never concatenate user input directly into SQL strings.');
+        recommendations.add('Consider using an ORM like Prisma, Drizzle, or TypeORM that handle SQL injection prevention automatically.');
+        recommendations.add('Validate and whitelist all dynamic table and column names using strict allowlists.');
+    }
+    if (hasXSS) {
+        recommendations.add('Use textContent instead of innerHTML for displaying user-provided text.');
+        recommendations.add('Always sanitize untrusted HTML using libraries like DOMPurify before rendering.');
+        recommendations.add('Use content security policies (CSP) to prevent inline script execution.');
+        recommendations.add('Never use eval() or Function() constructors with user input.');
+        recommendations.add('In React, prefer component composition over dangerouslySetInnerHTML.');
+    }
+    if (hasSecrets) {
+        recommendations.add('Move all secrets to environment variables (.env files, never commit these).');
+        recommendations.add('Use a secrets management system: AWS Secrets Manager, HashiCorp Vault, or cloud provider equivalents.');
+        recommendations.add('Rotate all exposed credentials immediately - they may be compromised.');
+        recommendations.add('Implement pre-commit hooks to prevent secrets from being committed.');
+    }
+    // General recommendations
+    recommendations.add('Enable OWASP dependency scanning in your CI/CD pipeline (npm audit, Snyk, etc.).');
+    recommendations.add('Implement automated security scanning in code review process.');
+    recommendations.add('Conduct regular security audits of AI-generated code before deployment.');
+    recommendations.add('Use security linters: ESLint security plugins, Semgrep, or SonarQube.');
+    return Array.from(recommendations);
+}
+/**
+ * Generate developer-friendly notes
+ */
+function generateDeveloperNotes(vulnerabilities, language) {
+    const criticalCount = vulnerabilities.filter(v => v.severity === 'CRITICAL').length;
+    const highCount = vulnerabilities.filter(v => v.severity === 'HIGH').length;
+    if (vulnerabilities.length === 0) {
+        return `Good news! No security vulnerabilities detected in this ${language} code snippet during scanning. ✓`;
+    }
+    let notes = `Security scan found ${vulnerabilities.length} potential issue(s) in this ${language} code:\n`;
+    if (criticalCount > 0) {
+        notes += `\n🔴 CRITICAL (${criticalCount}): These vulnerabilities could lead to immediate security breaches. Fix these before any deployment.\n`;
+    }
+    if (highCount > 0) {
+        notes += `\n🟠 HIGH (${highCount}): Serious security issues that should be fixed as soon as possible.\n`;
+    }
+    const mediumCount = vulnerabilities.filter(v => v.severity === 'MEDIUM').length;
+    if (mediumCount > 0) {
+        notes += `\n🟡 MEDIUM (${mediumCount}): Important security improvements to make.\n`;
+    }
+    notes += `\n📋 Each vulnerability includes:
+- The specific code location (line number)
+- CWE code for security reference
+- Clear explanation of the risk
+- Secure code example for fixing
+
+⚠️  Research Finding: 80% of AI-generated code contains security vulnerabilities. Developers are 3.5x more likely to think insecure code is secure. Always review AI-generated code with security in mind.`;
+    return notes;
+}
+/**
+ * Determine overall risk level
+ */
+function determineRiskLevel(summary) {
+    if (summary.critical > 0)
+        return 'CRITICAL';
+    if (summary.high >= 3)
+        return 'CRITICAL';
+    if (summary.high > 0)
+        return 'HIGH';
+    if (summary.medium >= 3)
+        return 'MEDIUM';
+    if (summary.medium > 0)
+        return 'LOW';
+    return 'SAFE';
+}
+//# sourceMappingURL=scan-security.js.map

package/dist/tools/scan-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-security.js","sourceRoot":"","sources":["../../src/tools/scan-security.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iDAAiD,CAAC;AACvF,OAAO,EAAE,WAAW,EAAE,MAAM,uCAAuC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mDAAmD,CAAC;IAC9E,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,kCAAkC,CAAC;IAC7J,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,2DAA2D,CAAC;CAClI,CAAC,CAAC;AAiCH,MAAM,CAAC,MAAM,gBAAgB,GAAS;IACpC,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,wKAAwK;IACrL,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,mDAAmD;aACjE;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC9E,OAAO,EAAE,YAAY;gBACrB,WAAW,EAAE,kCAAkC;aAChD;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC;gBAC3B,OAAO,EAAE,UAAU;gBACnB,WAAW,EAAE,kEAAkE;aAChF;SACF;QACD,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,KAAc;IACrD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAExC,MAAM,CAAC,IAAI,CAAC,+BAA+B,MAAM,CAAC,QAAQ,UAAU,MAAM,CAAC,QAAQ,QAAQ,CAAC,CAAC;QAE7F,MAAM,eAAe,GAA4B,EAAE,CAAC;QAEpD,2DAA2D;QAC3D,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpG,MAAM,WAAW,GAAG,IAAI,oBAAoB,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC/C,eAAe,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvH,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC/C,eAAe,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/G,MAAM,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC;YAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACpD,eAAe,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;QAC/E,CAAC;QAED,mCAAmC;QACnC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAC5B,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;YAClE,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACjD,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAEjD,IAAI,SAAS,KAAK,SAAS;gBAAE,OAAO,SAAS,GAAG,SAAS,CAAC;YAC1D,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;QACzB,CAAC,CAAC,CAAC;QAEH,oBAAoB;QACpB,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEpF,2BAA2B;QAC3B,MAAM,eAAe,GAAG,uBAAuB,CAAC,eAAe,CAAC,CAAC;QAEjE,2BAA2B;QAC3B,MAAM,cAAc,GAAG,sBAAsB,CAAC,eAAe,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEhF,+BAA+B;QAC/B,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAuB;YACjC,OAAO;YACP,eAAe;YACf,SAAS;YACT,eAAe;YACf,cAAc;SACf,CAAC;QAEF,MAAM,CAAC,IAAI,CAAC,4BAA4B,eAAe,CAAC,MAAM,2BAA2B,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,IAAI,QAAQ,CAAC,CAAC;QAE7I,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QAEnD,IAAI,KAAK,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE;oBACP,oBAAoB,EAAE,CAAC;oBACvB,QAAQ,EAAE,CAAC;oBACX,IAAI,EAAE,CAAC;oBACP,MAAM,EAAE,CAAC;oBACT,GAAG,EAAE,CAAC;oBACN,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,UAAU;iBACrB;gBACD,eAAe,EAAE,EAAE;gBACnB,SAAS,EAAE,MAAM;gBACjB,eAAe,EAAE,CAAC,4CAA4C,CAAC;gBAC/D,cAAc,EAAE,qBAAqB,KAAK,CAAC,OAAO,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE;gBACP,oBAAoB,EAAE,CAAC;gBACvB,QAAQ,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;gBACP,MAAM,EAAE,CAAC;gBACT,GAAG,EAAE,CAAC;gBACN,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;aACrB;YACD,eAAe,EAAE,EAAE;YACnB,SAAS,EAAE,MAAM;YACjB,eAAe,EAAE,CAAC,mCAAmC,CAAC;YACtD,cAAc,EAAE,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACrF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,KAAY,EAAE,WAAmB;IAC9D,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxB,GAAG,IAAI;QACP,OAAO,EAAE,WAAW;KACrB,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,eAAwC,EAAE,QAAgB,EAAE,QAAgB;IACpG,MAAM,MAAM,GAAG;QACb,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;KACP,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,oBAAoB,EAAE,eAAe,CAAC,MAAM;QAC5C,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,QAAQ;QACR,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,eAAwC;IACvE,MAAM,eAAe,GAAgB,IAAI,GAAG,EAAE,CAAC;IAE/C,gCAAgC;IAChC,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,CAAC,CAAC;IAC3G,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;IACnG,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,IAAI,CAAC,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC;IAEhH,IAAI,MAAM,EAAE,CAAC;QACX,eAAe,CAAC,GAAG,CAAC,gHAAgH,CAAC,CAAC;QACtI,eAAe,CAAC,GAAG,CAAC,4GAA4G,CAAC,CAAC;QAClI,eAAe,CAAC,GAAG,CAAC,oFAAoF,CAAC,CAAC;IAC5G,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,eAAe,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QAC/F,eAAe,CAAC,GAAG,CAAC,iFAAiF,CAAC,CAAC;QACvG,eAAe,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QAC/F,eAAe,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;QACpF,eAAe,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,eAAe,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;QACnG,eAAe,CAAC,GAAG,CAAC,uGAAuG,CAAC,CAAC;QAC7H,eAAe,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;QAC7F,eAAe,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;IAC7F,CAAC;IAED,0BAA0B;IAC1B,eAAe,CAAC,GAAG,CAAC,kFAAkF,CAAC,CAAC;IACxG,eAAe,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;IACrF,eAAe,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;IAC/F,eAAe,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;IAE7F,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,eAAwC,EAAE,QAAgB;IACxF,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IACpF,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAE5E,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,2DAA2D,QAAQ,kCAAkC,CAAC;IAC/G,CAAC;IAED,IAAI,KAAK,GAAG,uBAAuB,eAAe,CAAC,MAAM,+BAA+B,QAAQ,UAAU,CAAC;IAE3G,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,IAAI,kBAAkB,aAAa,wGAAwG,CAAC;IACnJ,CAAC;IAED,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,KAAK,IAAI,cAAc,SAAS,wEAAwE,CAAC;IAC3G,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAChF,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACpB,KAAK,IAAI,gBAAgB,WAAW,+CAA+C,CAAC;IACtF,CAAC;IAED,KAAK,IAAI;;;;;;2MAMgM,CAAC;IAE1M,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAY;IACtC,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAC5C,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IACpC,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/validate_packages.d.ts

@@ -0,0 +1,8 @@
+/**
+ * MCP Tool: validate_packages
+ * Validates package dependencies and prevents hallucinated packages
+ */
+import { Tool } from '@modelcontextprotocol/sdk/types.js';
+export declare const validatePackagesTool: Tool;
+export declare function handleValidatePackages(input: unknown): Promise<object>;
+//# sourceMappingURL=validate_packages.d.ts.map

package/dist/tools/validate_packages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate_packages.d.ts","sourceRoot":"","sources":["../../src/tools/validate_packages.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAgB1D,eAAO,MAAM,oBAAoB,EAAE,IA0ClC,CAAC;AAEF,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CA2F5E"}

package/dist/tools/validate_packages.js

@@ -0,0 +1,159 @@
+/**
+ * MCP Tool: validate_packages
+ * Validates package dependencies and prevents hallucinated packages
+ */
+import { z } from 'zod';
+import { PackageBlocker } from '../developer/blockers/package-blocker.js';
+import { PackageEvaluator } from '../developer/evaluators/package-evaluator.js';
+const inputSchema = z.object({
+    code: z.string().optional().describe('Code snippet containing package imports/requires'),
+    command: z.string().optional().describe('Package manager command (npm install, pip install, etc.)'),
+    packages: z.array(z.object({
+        name: z.string(),
+        version: z.string().optional(),
+        registry: z.enum(['npm', 'pypi', 'maven']).optional()
+    })).optional().describe('Array of packages to validate'),
+    language: z.enum(['javascript', 'typescript', 'python', 'java', 'unknown']).default('unknown'),
+    autoFix: z.boolean().default(true).describe('Automatically fix package names when possible')
+});
+export const validatePackagesTool = {
+    name: 'validate_packages',
+    description: 'Validate package dependencies to prevent installation of non-existent or malicious packages',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            code: {
+                type: 'string',
+                description: 'Code snippet containing package imports/requires'
+            },
+            command: {
+                type: 'string',
+                description: 'Package manager command (npm install, pip install, etc.)'
+            },
+            packages: {
+                type: 'array',
+                items: {
+                    type: 'object',
+                    properties: {
+                        name: { type: 'string' },
+                        version: { type: 'string' },
+                        registry: {
+                            type: 'string',
+                            enum: ['npm', 'pypi', 'maven']
+                        }
+                    },
+                    required: ['name']
+                },
+                description: 'Array of packages to validate'
+            },
+            language: {
+                type: 'string',
+                enum: ['javascript', 'typescript', 'python', 'java', 'unknown'],
+                default: 'unknown'
+            },
+            autoFix: {
+                type: 'boolean',
+                default: true,
+                description: 'Automatically fix package names when possible'
+            }
+        }
+    }
+};
+export async function handleValidatePackages(input) {
+    try {
+        const params = inputSchema.parse(input);
+        const blocker = new PackageBlocker(params.autoFix);
+        const evaluator = new PackageEvaluator();
+        // Handle code validation
+        if (params.code) {
+            const result = await blocker.interceptCode(params.code, params.language);
+            return {
+                type: 'code_validation',
+                allowed: result.allowed,
+                blockedPackages: result.blockedPackages,
+                warnings: result.warnings,
+                suggestions: result.suggestions,
+                modifiedCode: result.modified,
+                summary: generateSummary(result.blockedPackages, result.warnings)
+            };
+        }
+        // Handle command validation
+        if (params.command) {
+            const result = await blocker.interceptCommand(params.command);
+            return {
+                type: 'command_validation',
+                allowed: result.allowed,
+                blockedPackages: result.blockedPackages,
+                warnings: result.warnings,
+                suggestions: result.suggestions,
+                modifiedCommand: result.modified,
+                summary: generateSummary(result.blockedPackages, result.warnings)
+            };
+        }
+        // Handle direct package list validation
+        if (params.packages && params.packages.length > 0) {
+            const results = await Promise.all(params.packages.map(async (pkg) => {
+                const evaluation = await evaluator.evaluate(pkg.name, { language: params.language }, pkg.version);
+                return {
+                    package: pkg.name,
+                    version: pkg.version,
+                    exists: evaluation.package.exists,
+                    blocked: evaluation.blocked,
+                    reason: evaluation.reason,
+                    warnings: evaluation.warning,
+                    suggestions: evaluation.suggestions,
+                    latestVersion: evaluation.package.latestVersion,
+                    deprecated: evaluation.package.deprecated,
+                    securityIssues: evaluation.package.securityIssues
+                };
+            }));
+            const blockedCount = results.filter(r => r.blocked).length;
+            const warningCount = results.filter(r => r.warnings).length;
+            return {
+                type: 'package_validation',
+                packages: results,
+                summary: {
+                    total: results.length,
+                    valid: results.filter(r => r.exists && !r.blocked).length,
+                    blocked: blockedCount,
+                    warnings: warningCount,
+                    message: blockedCount > 0
+                        ? `⚠️ ${blockedCount} package(s) blocked - they don't exist or have issues`
+                        : warningCount > 0
+                            ? `✓ All packages exist but ${warningCount} have warnings`
+                            : '✅ All packages validated successfully'
+                }
+            };
+        }
+        return {
+            error: 'No input provided. Please provide code, command, or packages to validate.'
+        };
+    }
+    catch (error) {
+        console.error('Package validation error:', error);
+        return {
+            error: error instanceof Error ? error.message : 'Failed to validate packages'
+        };
+    }
+}
+function generateSummary(blockedPackages, warnings) {
+    if (blockedPackages.length === 0 && warnings.length === 0) {
+        return {
+            status: 'success',
+            message: '✅ All packages validated successfully'
+        };
+    }
+    if (blockedPackages.length > 0) {
+        return {
+            status: 'blocked',
+            message: `❌ Blocked ${blockedPackages.length} non-existent/malicious package(s)`,
+            details: `Prevented installation of: ${blockedPackages.join(', ')}`
+        };
+    }
+    return {
+        status: 'warning',
+        message: `⚠️ ${warnings.length} warning(s) found`,
+        details: warnings[0] // Show first warning
+    };
+}
+//# sourceMappingURL=validate_packages.js.map

package/dist/tools/validate_packages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate_packages.js","sourceRoot":"","sources":["../../src/tools/validate_packages.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAC1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,8CAA8C,CAAC;AAEhF,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kDAAkD,CAAC;IACxF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACnG,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC9B,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;KACtD,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+BAA+B,CAAC;IACxD,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC9F,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,+CAA+C,CAAC;CAC7F,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAS;IACxC,IAAI,EAAE,mBAAmB;IACzB,WAAW,EAAE,6FAA6F;IAC1G,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,kDAAkD;aAChE;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,0DAA0D;aACxE;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACxB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC3B,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC;yBAC/B;qBACF;oBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;iBACnB;gBACD,WAAW,EAAE,+BAA+B;aAC7C;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC/D,OAAO,EAAE,SAAS;aACnB;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,IAAI;gBACb,WAAW,EAAE,+CAA+C;aAC7D;SACF;KACF;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAc;IACzD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,gBAAgB,EAAE,CAAC;QAEzC,yBAAyB;QACzB,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAChB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAEzE,OAAO;gBACL,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,YAAY,EAAE,MAAM,CAAC,QAAQ;gBAC7B,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,QAAQ,CAAC;aAClE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE9D,OAAO;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,eAAe,EAAE,MAAM,CAAC,QAAQ;gBAChC,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,QAAQ,CAAC;aAClE,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;gBAChC,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,QAAQ,CACzC,GAAG,CAAC,IAAI,EACR,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,EAC7B,GAAG,CAAC,OAAO,CACZ,CAAC;gBAEF,OAAO;oBACL,OAAO,EAAE,GAAG,CAAC,IAAI;oBACjB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,MAAM,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM;oBACjC,OAAO,EAAE,UAAU,CAAC,OAAO;oBAC3B,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,QAAQ,EAAE,UAAU,CAAC,OAAO;oBAC5B,WAAW,EAAE,UAAU,CAAC,WAAW;oBACnC,aAAa,EAAE,UAAU,CAAC,OAAO,CAAC,aAAa;oBAC/C,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,UAAU;oBACzC,cAAc,EAAE,UAAU,CAAC,OAAO,CAAC,cAAc;iBAClD,CAAC;YACJ,CAAC,CAAC,CACH,CAAC;YAEF,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAC3D,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAE5D,OAAO;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE;oBACP,KAAK,EAAE,OAAO,CAAC,MAAM;oBACrB,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM;oBACzD,OAAO,EAAE,YAAY;oBACrB,QAAQ,EAAE,YAAY;oBACtB,OAAO,EAAE,YAAY,GAAG,CAAC;wBACvB,CAAC,CAAC,MAAM,YAAY,uDAAuD;wBAC3E,CAAC,CAAC,YAAY,GAAG,CAAC;4BAClB,CAAC,CAAC,4BAA4B,YAAY,gBAAgB;4BAC1D,CAAC,CAAC,uCAAuC;iBAC5C;aACF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,2EAA2E;SACnF,CAAC;IAEJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,6BAA6B;SAC9E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,eAAyB,EAAE,QAAkB;IACpE,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,uCAAuC;SACjD,CAAC;IACJ,CAAC;IAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,aAAa,eAAe,CAAC,MAAM,oCAAoC;YAChF,OAAO,EAAE,8BAA8B,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACpE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,MAAM,QAAQ,CAAC,MAAM,mBAAmB;QACjD,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,qBAAqB;KAC3C,CAAC;AACJ,CAAC"}

package/dist/types/auth.d.ts

@@ -4,25 +4,9 @@ import { z } from 'zod';
  * This allows the AI agent to provide user authentication info
  */
 export declare const AuthContextSchema: z.ZodObject<{
-    /**
-     * OAuth access token or session identifier
-     * This will be validated against the OAuth tokens table
-     */
     token: z.ZodOptional<z.ZodString>;
-    /**
-     * External user identifier (from OAuth provider)
-     * Used as a fallback if token validation fails
-     */
     user_id: z.ZodOptional<z.ZodString>;
-    /**
-     * Client identifier (ChatGPT, Claude, etc.)
-     * Helps track which AI agent is making the request
-     */
     client_id: z.ZodOptional<z.ZodString>;
-    /**
-     * Stable conversation identifier for user binding
-     * Used to generate persistent user IDs for MCP clients without OAuth
-     */
     conversation_id: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     user_id?: string | undefined;
@@ -38,8 +22,24 @@ export declare const AuthContextSchema: z.ZodObject<{
 export type AuthContext = z.infer<typeof AuthContextSchema>;
 /**
  * Extract user ID from authentication context
- * Implements secure hash-based persistent identity for MCP clients
- * Falls back to ephemeral IDs only when no stable context is available
+ * Implements tiered identity:
+ * - Priority 1: OAuth token validation (Pro tier - cross-device)
+ * - Priority 2: External user ID + client ID (ChatGPT OAuth)
+ * - Priority 3: Local file-based identity (Free tier - single machine)
+ * - Priority 4: Conversation-based ID (single window only)
+ * - Fallback: Ephemeral IDs (no persistence)
  */
 export declare function extractUserFromContext(authContext?: AuthContext): Promise<string>;
+/**
+ * Get user tier from identity prefix
+ */
+export declare function getUserTier(userId: string): 'pro' | 'free' | 'ephemeral';
+/**
+ * Check if user has Pro tier features
+ */
+export declare function hasProFeatures(userId: string): boolean;
+/**
+ * Get the local identity file path for debugging/support
+ */
+export declare function getIdentityFilePath(): string;
 //# sourceMappingURL=auth.d.ts.map

package/dist/types/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB;;;GAGG;AACH,eAAO,MAAM,iBAAiB;IAC5B;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;;OAGG;;;;;;;;;;;;EAEH,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;;;GAIG;AACH,wBAAsB,sBAAsB,CAAC,WAAW,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAwCvF"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/types/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAK5B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AA0D5D;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,WAAW,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAwCvF;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,WAAW,CAMxE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C"}

package/dist/types/auth.js

@@ -1,71 +1,126 @@
 import { z } from 'zod';
 import { createHash } from 'crypto';
+import { homedir, hostname } from 'os';
+import { join } from 'path';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
 /**
  * Authentication context that can be passed through MCP tool calls
  * This allows the AI agent to provide user authentication info
  */
 export const AuthContextSchema = z.object({
-    /**
-     * OAuth access token or session identifier
-     * This will be validated against the OAuth tokens table
-     */
     token: z.string().optional().describe('OAuth access token or session identifier'),
-    /**
-     * External user identifier (from OAuth provider)
-     * Used as a fallback if token validation fails
-     */
     user_id: z.string().optional().describe('External user identifier from OAuth provider'),
-    /**
-     * Client identifier (ChatGPT, Claude, etc.)
-     * Helps track which AI agent is making the request
-     */
     client_id: z.string().optional().describe('Client application identifier'),
-    /**
-     * Stable conversation identifier for user binding
-     * Used to generate persistent user IDs for MCP clients without OAuth
-     */
     conversation_id: z.string().optional().describe('Stable conversation identifier for user binding'),
 });
+const IDENTITY_DIR = join(homedir(), '.couchloop-mcp');
+const IDENTITY_FILE = join(IDENTITY_DIR, 'identity.json');
+/**
+ * Get or create local identity file for free tier users
+ * This provides single-machine persistence without requiring OAuth
+ */
+function getOrCreateLocalIdentity() {
+    try {
+        // Ensure directory exists
+        if (!existsSync(IDENTITY_DIR)) {
+            mkdirSync(IDENTITY_DIR, { recursive: true });
+        }
+        // Check if identity file exists
+        if (existsSync(IDENTITY_FILE)) {
+            const data = readFileSync(IDENTITY_FILE, 'utf-8');
+            const identity = JSON.parse(data);
+            if (identity.user_id && identity.user_id.startsWith('local_')) {
+                return identity.user_id;
+            }
+        }
+        // Create new local identity
+        const machineId = createHash('sha256')
+            .update(hostname() + ':' + homedir() + ':' + Date.now())
+            .digest('hex')
+            .substring(0, 24);
+        const newIdentity = {
+            user_id: 'local_' + machineId,
+            created_at: new Date().toISOString(),
+            machine: hostname(),
+            tier: 'free',
+        };
+        writeFileSync(IDENTITY_FILE, JSON.stringify(newIdentity, null, 2));
+        console.log('Created local identity: ' + newIdentity.user_id + ' at ' + IDENTITY_FILE);
+        return newIdentity.user_id;
+    }
+    catch (error) {
+        console.warn('Failed to create/read local identity file:', error);
+        return '';
+    }
+}
 /**
  * Extract user ID from authentication context
- * Implements secure hash-based persistent identity for MCP clients
- * Falls back to ephemeral IDs only when no stable context is available
+ * Implements tiered identity:
+ * - Priority 1: OAuth token validation (Pro tier - cross-device)
+ * - Priority 2: External user ID + client ID (ChatGPT OAuth)
+ * - Priority 3: Local file-based identity (Free tier - single machine)
+ * - Priority 4: Conversation-based ID (single window only)
+ * - Fallback: Ephemeral IDs (no persistence)
  */
 export async function extractUserFromContext(authContext) {
-    // Priority 1: Hash-based persistent ID from external user identifier
+    // Priority 1: OAuth token validation (Pro tier - future)
+    if (authContext?.token) {
+        const hash = createHash('sha256').update(authContext.token).digest('hex');
+        return 'oauth_' + hash.substring(0, 24);
+    }
+    // Priority 2: Hash-based persistent ID from external user identifier
     // For ChatGPT: this is the openai/subject that persists across all chat windows
-    // We hash it to avoid storing any external PII
     if (authContext?.user_id && authContext?.client_id) {
         const hash = createHash('sha256')
-            .update(`${authContext.client_id}:${authContext.user_id}`)
+            .update(authContext.client_id + ':' + authContext.user_id)
             .digest('hex');
-        // Use client prefix to identify the source
-        return `${authContext.client_id}_${hash.substring(0, 24)}`;
+        return authContext.client_id + '_' + hash.substring(0, 24);
     }
-    // Priority 2: JWT token validation (future OAuth implementation)
-    if (authContext?.token) {
-        // TODO: Implement proper JWT validation and extraction
-        // For now, use token as a temporary identifier
-        return `oauth_${authContext.token.substring(0, 16)}`;
+    // Priority 3: Local file-based identity (Free tier)
+    // Provides single-machine persistence for VS Code, Cursor, Claude Desktop, etc.
+    const localIdentity = getOrCreateLocalIdentity();
+    if (localIdentity) {
+        return localIdentity;
     }
-    // Priority 3: Conversation-based ID (single chat window only)
-    // This is less ideal as it doesn't persist across windows
+    // Priority 4: Conversation-based ID (single chat window only)
     if (authContext?.client_id && authContext?.conversation_id) {
         const hash = createHash('sha256')
-            .update(`${authContext.client_id}:conv:${authContext.conversation_id}`)
+            .update(authContext.client_id + ':conv:' + authContext.conversation_id)
             .digest('hex');
-        // Use conv_ prefix to identify these as conversation-specific IDs
-        return `conv_${hash.substring(0, 28)}`;
+        return 'conv_' + hash.substring(0, 28);
     }
     // Fallback: Create ephemeral user with warning
-    // These should be cleaned up periodically as they indicate missing context
     console.warn('Creating ephemeral user - no stable identity provided', {
         client_id: authContext?.client_id,
         has_conversation_id: !!authContext?.conversation_id,
         timestamp: new Date().toISOString()
     });
     const { nanoid } = await import('nanoid');
-    // Use ephemeral_ prefix to clearly identify temporary users
-    return `ephemeral_${nanoid(12)}`;
+    return 'ephemeral_' + nanoid(12);
+}
+/**
+ * Get user tier from identity prefix
+ */
+export function getUserTier(userId) {
+    if (userId.startsWith('oauth_'))
+        return 'pro';
+    if (userId.startsWith('local_'))
+        return 'free';
+    if (userId.startsWith('ephemeral_'))
+        return 'ephemeral';
+    // Client-based IDs (chatgpt_, claude_, etc.) could be either
+    return 'free';
+}
+/**
+ * Check if user has Pro tier features
+ */
+export function hasProFeatures(userId) {
+    return getUserTier(userId) === 'pro';
+}
+/**
+ * Get the local identity file path for debugging/support
+ */
+export function getIdentityFilePath() {
+    return IDENTITY_FILE;
 }
 //# sourceMappingURL=auth.js.map