npm - dep-oracle - Versions diffs - 1.1.0 → 1.1.1 - Mend

dep-oracle 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -1,13 +1,31 @@
-🌍 **English** | [Turkce](README.tr.md)
-# dep-oracle 🔮
-> Your dependencies have dependencies. Who's watching them?
+<p align="center">
+  <h1 align="center">dep-oracle</h1>
+  <p align="center"><strong>Predictive Dependency Security Engine</strong></p>
+  <p align="center">
+    <a href="https://www.npmjs.com/package/dep-oracle"><img src="https://img.shields.io/npm/v/dep-oracle.svg" alt="npm version"></a>
+    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
+    <a href="https://www.npmjs.com/package/dep-oracle"><img src="https://img.shields.io/npm/dm/dep-oracle.svg" alt="npm downloads"></a>
+    <a href="https://github.com/ertugrulakben/dep-oracle"><img src="https://img.shields.io/github/stars/ertugrulakben/dep-oracle.svg?style=social" alt="GitHub stars"></a>
+  </p>
+  <p align="center">
+    <a href="#quick-start">Quick Start</a> &middot;
+    <a href="#features">Features</a> &middot;
+    <a href="#trust-score-algorithm">Algorithm</a> &middot;
+    <a href="#claude-code-integration-mcp">MCP</a> &middot;
+    <a href="#comparison">Comparison</a>
+  </p>
+  <p align="center">
+    <strong>English</strong> | <a href="README.tr.md">Turkce</a>
+  </p>
+</p>
+---
+> **Your dependencies have dependencies. Who's watching them?**
 **dep-oracle** is a predictive dependency security engine that calculates **Trust Scores** (0-100) for every package in your dependency tree. It detects zombie dependencies, measures blast radius, catches typosquatting attempts, and predicts future risks — before they become vulnerabilities.
-[![npm version](https://img.shields.io/npm/v/dep-oracle.svg)](https://www.npmjs.com/package/dep-oracle)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+**Claude Code Security** scans YOUR code. **dep-oracle** scans everything your code **depends on**.
 ## Why?
@@ -16,8 +34,6 @@
 - `npm audit` only catches **known** CVEs — dep-oracle **predicts** future risks
 - You audit your code. But do you audit your **trust**?
-**Claude Code Security** scans YOUR code. **dep-oracle** scans everything your code **depends on**.
 ## Quick Start
 ```bash
@@ -27,19 +43,25 @@ npx dep-oracle
 # Or install globally
 npm install -g dep-oracle
 dep-oracle scan
+# Check a single package
+dep-oracle check express
 ```
-## What It Does
+## Features
 | Feature | Description |
 |---------|-------------|
-| **Trust Score** | 0-100 weighted score per package (maintainer health, security, activity, popularity, funding, license) |
+| **Trust Score** | 0-100 weighted score per package (security, maintainer health, activity, popularity, funding, license) |
 | **Zombie Detection** | Finds unmaintained but critical packages (no commits in 12+ months) |
 | **Blast Radius** | Shows how many files are affected if a dependency is compromised |
-| **Typosquat Detection** | Catches suspicious package names similar to popular packages |
-| **Trend Prediction** | 3-month risk projection based on download/commit trends |
-| **Migration Advisor** | Suggests safer alternatives for risky dependencies |
+| **Typosquat Detection** | 1,847+ known packages + live npm registry lookup to catch suspicious names |
+| **Trend Prediction** | 3-month risk projection based on download/commit/release trends |
+| **Migration Advisor** | 131 package mappings with 192 safer alternatives for risky dependencies |
 | **Offline Mode** | Works from cache without internet (`--offline`) |
+| **MCP Server** | Native Claude Code integration — ask about your dependencies in natural language |
+| **Multi-Format Output** | Terminal (colored tree), HTML, JSON, and SARIF |
+| **GitHub Action** | Automate trust checks in your CI/CD pipeline |
 ## Usage
@@ -47,28 +69,32 @@ dep-oracle scan
 # Scan current project
 dep-oracle scan
-# Scan with specific output
+# Scan with specific output format
 dep-oracle scan --format json
 dep-oracle scan --format html
 dep-oracle scan --format sarif
 # Check a single package
 dep-oracle check lodash
+dep-oracle check express@4.18.2
-# Offline mode (uses cached data)
+# Offline mode (uses cached data only)
 dep-oracle scan --offline
-# Set minimum score threshold (CI/CD)
+# Set minimum score threshold (exit code 1 if below)
 dep-oracle scan --threshold 60
 # Ignore specific packages
 dep-oracle scan --ignore deprecated-but-needed,legacy-pkg
+# Verbose logging
+dep-oracle scan --verbose
 ```
 ## Output Example
 ```
-🔮 dep-oracle v1.0.0
+dep-oracle v1.1.0
 Scanning package.json...
 Found 47 direct dependencies, 683 transitive
 Collecting data... [=============================] 100% (2.3s)
@@ -76,19 +102,19 @@ Collecting data... [=============================] 100% (2.3s)
 DEPENDENCY TRUST REPORT
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🚫 CRITICAL (score < 50)
+  CRITICAL (score < 50)
-  ■ event-stream@3.3.6         Score: 12  💀 ZOMBIE
+  ■ event-stream@3.3.6         Score: 12  ZOMBIE
     Last commit: 2018 | 0 maintainers active
     Blast radius: 14 files | Alternative: highland
-⚠  WARNING (score 50-79)
+  WARNING (score 50-79)
-  ■ moment@2.29.4              Score: 58  💀 ZOMBIE
+  ■ moment@2.29.4              Score: 58  ZOMBIE
     Maintenance mode | No new features
-    Blast radius: 23 files | Alternative: dayjs
+    Blast radius: 23 files | Alternative: dayjs, date-fns, luxon
-✅ SAFE (score 80+): 679 packages
+  SAFE (score 80+): 679 packages
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 SUMMARY
@@ -103,14 +129,63 @@ Each package is scored 0-100 based on six weighted metrics:
 | Metric | Weight | What It Measures |
 |--------|--------|------------------|
-| Security History | 25% | CVE count, average patch time, vulnerability density |
+| Security History | 25% | CVE count with diminishing penalty, average patch time, fast-patch bonus |
 | Maintainer Health | 25% | Active maintainers (bus factor), issue response time, PR merge speed |
-| Activity | 20% | Commit frequency trend, release cadence, last publish date |
+| Activity | 20% | Commit frequency trend, release cadence, last publish recency |
 | Popularity | 15% | Weekly downloads, dependent count, GitHub stars |
 | Funding | 10% | GitHub Sponsors, OpenCollective, corporate backing |
 | License | 5% | MIT/Apache = safe, GPL = risk, Unknown = red flag |
-**Score Ranges:** 80-100 ✅ Safe | 50-79 ⚠️ Warning | 0-49 🚫 Critical
+**Score Ranges:** 80-100 Safe | 50-79 Warning | 0-49 Critical
+### Security Scoring (v1.1.0)
+The security metric uses a **diminishing penalty** model — the first vulnerability has the highest impact, and each additional one has progressively less effect:
+| Vulnerabilities | Security Score |
+|-----------------|---------------|
+| 0 | 100 |
+| 1 | 85 |
+| 2 | 72 |
+| 3 | 60 |
+| 4 | 50 |
+| 5+ | max(20, 100 - n*12) |
+Packages that patch vulnerabilities quickly (within 7 days) receive a **+10 bonus**. Slower patches (within 30 days) receive **+5**.
+### Graceful Degradation
+If an API is unreachable (GitHub down, no internet, rate limited), dep-oracle doesn't crash. The missing metric weight is redistributed across available metrics. If 3+ metrics are unavailable, a reliability warning is shown.
+## Typosquat Detection
+dep-oracle uses a multi-layer approach to catch typosquatting:
+1. **Static registry** — 1,847+ known popular package names across 40+ categories (React, Vue, Angular, Express, testing, CLI tools, etc.)
+2. **Dynamic npm lookup** — Fetches the top 5,000 most-downloaded packages from npm and caches them for 7 days
+3. **Pattern matching** — Levenshtein distance, prefix/suffix manipulation, character swap, missing/extra letter detection
+```bash
+dep-oracle check expresss    # Catches: similar to "express" (distance: 1)
+dep-oracle check lodashe     # Catches: similar to "lodash" (distance: 1)
+dep-oracle check react-js    # Catches: suffix pattern of "react"
+```
+## Migration Advisor
+When a package scores low or is flagged as a zombie, dep-oracle suggests safer alternatives from a curated database of **131 package mappings** with **192 alternatives**:
+```
+moment     → dayjs, date-fns, luxon
+request    → axios, got, node-fetch, undici
+lodash     → lodash-es, radash, just (native alternatives)
+express    → fastify, koa, hono
+gulp       → esbuild, tsup, vite
+mocha      → vitest, jest, node:test
+...and 125 more
+```
+Each suggestion includes difficulty rating (easy/moderate/hard) and migration context.
 ## Claude Code Integration (MCP)
@@ -129,9 +204,20 @@ dep-oracle works as an MCP server for Claude Code:
 ```
 Then in Claude Code, just ask:
-- "What's the riskiest dependency in this project?"
-- "Is lodash safe to use?"
-- "Show me zombie dependencies"
+- *"What's the riskiest dependency in this project?"*
+- *"Is lodash safe to use?"*
+- *"Show me zombie dependencies"*
+- *"Suggest alternatives for moment.js"*
+**Available MCP Tools:**
+| Tool | Description |
+|------|-------------|
+| `dep_oracle_scan` | Full project dependency scan |
+| `dep_oracle_trust_score` | Trust score for a single package |
+| `dep_oracle_blast_radius` | Impact analysis for a package |
+| `dep_oracle_zombies` | List all zombie dependencies |
+| `dep_oracle_suggest_migration` | Get alternative package suggestions |
 ## GitHub Action
@@ -176,35 +262,112 @@ Or add to `package.json`:
 }
 ```
+### Configuration Options
+| Option | Default | Description |
+|--------|---------|-------------|
+| `threshold` | `60` | Minimum trust score. Packages below trigger warnings and non-zero exit |
+| `ignore` | `[]` | Packages to skip during scanning |
+| `format` | `"terminal"` | Output format: `terminal`, `json`, `html`, `sarif` |
+| `offline` | `false` | Use only cached data, skip all API calls |
+| `githubToken` | `null` | GitHub token for higher API rate limits (5000/hr vs 60/hr) |
+| `cacheTtl` | `86400` | Cache TTL in seconds (default: 24 hours) |
 ## Supported Package Managers
 | Manager | Manifest | Lock File | Status |
 |---------|----------|-----------|--------|
-| npm | `package.json` | `package-lock.json` | ✅ Supported |
-| yarn | `package.json` | `yarn.lock` | ✅ Supported |
-| pnpm | `package.json` | `pnpm-lock.yaml` | ✅ Supported |
-| pip | `requirements.txt` | `Pipfile.lock` | ✅ Supported |
-| poetry | `pyproject.toml` | `poetry.lock` | ✅ Supported |
+| npm | `package.json` | `package-lock.json` | Supported |
+| yarn | `package.json` | `yarn.lock` | Supported |
+| pnpm | `package.json` | `pnpm-lock.yaml` | Supported |
+| pip | `requirements.txt` | `Pipfile.lock` | Supported |
+| poetry | `pyproject.toml` | `poetry.lock` | Supported |
 ## Comparison
 | Feature | npm audit | Dependabot | Socket.dev | Snyk | **dep-oracle** |
 |---------|-----------|------------|------------|------|----------------|
-| Known CVE scan | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Predictive risk | ❌ | ❌ | Partial | ❌ | **✅** |
-| Trust Score (0-100) | ❌ | ❌ | ❌ | ❌ | **✅** |
-| Zombie detection | ❌ | ❌ | ❌ | ❌ | **✅** |
-| Blast radius | ❌ | ❌ | ❌ | ❌ | **✅** |
-| Typosquat detection | ❌ | ❌ | ✅ | ❌ | **✅** |
-| Trend prediction | ❌ | ❌ | ❌ | ❌ | **✅** |
-| MCP integration | ❌ | ❌ | ✅ | ✅ | **✅** |
-| Zero install (npx) | ✅ | ❌ | ❌ | ❌ | **✅** |
-| Free | ✅ | ✅ | Freemium | Freemium | **✅** |
+| Known CVE scan | Yes | Yes | Yes | Yes | **Yes** |
+| Predictive risk | No | No | Partial | No | **Yes** |
+| Trust Score (0-100) | No | No | No | No | **Yes** |
+| Zombie detection | No | No | No | No | **Yes** |
+| Blast radius | No | No | No | No | **Yes** |
+| Typosquat detection | No | No | Yes | No | **Yes** |
+| Trend prediction | No | No | No | No | **Yes** |
+| Migration advisor | No | Partial | No | Partial | **Yes (131 pkgs)** |
+| MCP integration | No | No | Yes | Yes | **Yes** |
+| Zero install (npx) | Yes | No | No | No | **Yes** |
+| Free & open source | Yes | Yes | Freemium | Freemium | **Yes** |
+## Programmatic API
+```typescript
+import { scan, checkPackage } from 'dep-oracle';
+// Scan a project
+const report = await scan({ dir: './my-project', format: 'json' });
+// Check a single package
+const result = await checkPackage('express');
+console.log(result.trustScore); // 74
+console.log(result.isZombie);   // false
+```
+## Test Suite
+dep-oracle has comprehensive test coverage:
+```
+10 test files | 144 tests | 100% passing
+  trust-score.test.ts     34 tests   Scoring engine, metrics, edge cases
+  zombie-detector.test.ts 10 tests   Zombie detection logic
+  typosquat.test.ts       15 tests   Typosquat pattern matching
+  migration-advisor.test.ts 12 tests Migration suggestions
+  trend-predictor.test.ts 10 tests   Trend prediction engine
+  parsers.test.ts         17 tests   npm + Python parsers
+  cache.test.ts           15 tests   Cache store operations
+  logger.test.ts          17 tests   Logger utility
+  rate-limiter.test.ts    6 tests    Rate limiter
+  schema.test.ts          8 tests    Zod schema validation
+```
+```bash
+npm test          # Run all tests
+npm run lint      # TypeScript type checking
+```
+## Changelog
+### v1.1.0 (2025-02-22)
+- **Typosquat Detection**: Expanded to 1,847+ known packages across 40+ categories, plus dynamic npm registry fetch (top 5,000 packages, 7-day cache)
+- **Migration Advisor**: Expanded to 131 package mappings with 192 safer alternatives
+- **Trust Score Calibration**: Diminishing vulnerability penalty (first CVE has highest impact), fast-patch bonus (+10 for <=7 days)
+- **Poetry.lock Support**: Full poetry.lock parsing for Python projects
+- **Comprehensive Test Suite**: 10 test files, 144 tests covering all analyzers, parsers, cache, and utilities
+- **Turkish README**: Full Turkish documentation (README.tr.md)
+- **Dynamic CLI Version**: Version automatically synced from package.json
+### v1.0.0 (2025-02-22)
+- Initial release
+- Trust Score engine with 6 weighted metrics
+- npm + Python (pip, poetry, pyproject.toml) parsers
+- Zombie detection, blast radius analysis
+- Typosquat detection with Levenshtein distance
+- Trend prediction (3-month risk projection)
+- Migration advisor with curated alternatives
+- Terminal, HTML, JSON, SARIF output formats
+- MCP server for Claude Code integration
+- GitHub Action support
+- Offline mode with SQLite-compatible cache
+- Badge generator (SVG)
 ## Contributing
-See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, coding standards, and how to add new collectors/parsers.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, coding standards, and how to add new collectors, parsers, or analyzers.
 ## License
-[MIT](LICENSE) — Ertugrul Akben
+[MIT](LICENSE) — [Ertugrul Akben](https://ertugrulakben.com)

package/README.tr.md CHANGED Viewed

@@ -1,138 +1,212 @@
-# dep-oracle
-> Bagimliklarinin bagimliliklari var. Kim kontrol ediyor?
-**dep-oracle**, bagimlilik agacindaki her paket icin **Guven Skoru** (0-100) hesaplayan prediktif bir bagimlilik guvenlik motorudur. Zombi bagimliliklari tespit eder, patlama yaricapini olcer, typosquatting girisimlerini yakalar ve gelecekteki riskleri -- daha guvenlik acigina donusmeden -- onceden tahmin eder.
-[![npm version](https://img.shields.io/npm/v/dep-oracle.svg)](https://www.npmjs.com/package/dep-oracle)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+<p align="center">
+  <h1 align="center">dep-oracle</h1>
+  <p align="center"><strong>Prediktif Bağımlılık Güvenlik Motoru</strong></p>
+  <p align="center">
+    <a href="https://www.npmjs.com/package/dep-oracle"><img src="https://img.shields.io/npm/v/dep-oracle.svg" alt="npm version"></a>
+    <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
+    <a href="https://www.npmjs.com/package/dep-oracle"><img src="https://img.shields.io/npm/dm/dep-oracle.svg" alt="npm downloads"></a>
+    <a href="https://github.com/ertugrulakben/dep-oracle"><img src="https://img.shields.io/github/stars/ertugrulakben/dep-oracle.svg?style=social" alt="GitHub stars"></a>
+  </p>
+  <p align="center">
+    <a href="#hızlı-başlangıç">Hızlı Başlangıç</a> &middot;
+    <a href="#özellikler">Özellikler</a> &middot;
+    <a href="#güven-skoru-algoritması">Algoritma</a> &middot;
+    <a href="#claude-code-entegrasyonu-mcp">MCP</a> &middot;
+    <a href="#karşılaştırma">Karşılaştırma</a>
+  </p>
+  <p align="center">
+    <a href="README.md">English</a> | <strong>Türkçe</strong>
+  </p>
+</p>
+---
+> **Bağımlılıklarının bağımlılıkları var. Kim kontrol ediyor?**
+**dep-oracle**, bağımlılık ağacındaki her paket için **Güven Skoru** (0-100) hesaplayan prediktif bir bağımlılık güvenlik motorudur. Zombi bağımlılıkları tespit eder, patlama yarıçapını ölçer, typosquatting girişimlerini yakalar ve gelecekteki riskleri — daha güvenlik açığına dönüşmeden — önceden tahmin eder.
+**Claude Code Security** sizin kodunuzu tarar. **dep-oracle** ise kodunuzun **bağımlı olduğu her şeyi** tarar.
 ## Neden dep-oracle?
-Tedarik zinciri saldirilari (supply chain attacks) her yil daha buyuk bir tehdit haline geliyor. Rakamlar net:
+Tedarik zinciri saldırıları (supply chain attacks) her yıl daha büyük bir tehdit haline geliyor:
-- **2025'teki guvenlik ihlallerinin %62'si** tedarik zinciri saldirilari kaynakli
-- Ortalama bir projede **683 gecisli (transitive) bagimlilik** bulunuyor
-- `npm audit` yalnizca **bilinen** CVE'leri yakalayabiliyor -- dep-oracle gelecekteki riskleri **tahmin ediyor**
-- Kendi kodunuzu denetliyorsunuz. Peki bagimlilik zincirinizi de denetliyor musunuz?
+- **2025'teki güvenlik ihlallerinin %62'si** tedarik zinciri saldırıları kaynaklı
+- Ortalama bir projede **683 geçişli (transitive) bağımlılık** bulunuyor
+- `npm audit` yalnızca **bilinen** CVE'leri yakalayabiliyor — dep-oracle gelecekteki riskleri **tahmin ediyor**
+- Kendi kodunuzu denetliyorsunuz. Peki bağımlılık zincirinizi de denetliyor musunuz?
-Turkiye'deki yazilim ekosistemi hizla buyuyor. Startuplardan kurumsallara, e-ticaret projelerinden fintech uygulamalarina kadar her yerde npm, pip ve yarn paketleri kullaniliyor. Ancak `node_modules` klasorunun icinde ne oldugunu kac kisi gercekten biliyor? Bir paket maintainer'i hesabini birakirsa, bir bagimlilik yillardir guncellenmiyorsa ya da ismini populer bir paketten degistirip kotu amacli kod enjekte eden biri varsa -- dep-oracle tam da bu noktalarda devreye giriyor.
+Türkiye'deki yazılım ekosistemi hızla büyüyor. Startup'lardan kurumsallara, e-ticaret projelerinden fintech uygulamalarına kadar her yerde npm, pip ve yarn paketleri kullanılıyor. Ancak `node_modules` klasörünün içinde ne olduğunu kaç kişi gerçekten biliyor? Bir paket maintainer'ı hesabını bırakırsa, bir bağımlılık yıllardır güncellenmiyorsa ya da ismini popüler bir paketten değiştirip kötü amaçlı kod enjekte eden biri varsa — dep-oracle tam da bu noktalarda devreye giriyor.
-**Claude Code Security** sizin kodunuzu tarar. **dep-oracle** ise kodunuzun **bagimli oldugu her seyi** tarar.
-## Hizli Baslangic
+## Hızlı Başlangıç
 ```bash
-# Kurulum gerektirmez -- dogrudan calistirin
+# Kurulum gerektirmez — doğrudan çalıştırın
 npx dep-oracle
-# Ya da global olarak yukleyin
+# Ya da global olarak yükleyin
 npm install -g dep-oracle
 dep-oracle scan
-```
-Tek bir komutla projenizin tam bagimlilik guven raporunu alin. Kurulum, konfigürasyon, hesap acma derdi yok.
+# Tek bir paketi kontrol edin
+dep-oracle check express
+```
-## Ozellikler
+## Özellikler
-| Ozellik | Aciklama |
+| Özellik | Açıklama |
 |---------|----------|
-| **Guven Skoru** | Her paket icin 0-100 arasi agirlikli skor (maintainer sagligi, guvenlik, aktivite, popularite, fonlama, lisans) |
-| **Zombi Tespiti** | Kritik ama bakimsiz paketleri bulur (12+ aydir commit yok) |
-| **Patlama Yaricapi** | Bir bagimlilik ele gecirilirse kac dosyanin etkilenecegini gosterir |
-| **Typosquat Tespiti** | Populer paketlere benzer suphelı paket adlarini yakalar |
-| **Trend Tahmini** | Indirme/commit trendlerine dayali 3 aylik risk projeksiyonu |
-| **Goc Danismani** | Riskli bagimliklar icin daha guvenli alternatifler onerir |
-| **Cevrimdisi Mod** | Internet olmadan onbellekten calisir (`--offline`) |
-| **MCP Entegrasyonu** | Claude Code ile dogrudan entegrasyon |
-| **GitHub Action** | CI/CD pipeline'ina dogrudan entegre edin |
-| **Coklu Format** | Terminal, HTML, JSON ve SARIF ciktisi destegi |
-## Kullanim Ornekleri
+| **Güven Skoru** | Her paket için 0-100 arası ağırlıklı skor (güvenlik, maintainer sağlığı, aktivite, popülarite, fonlama, lisans) |
+| **Zombi Tespiti** | Kritik ama bakımsız paketleri bulur (12+ aydır commit yok) |
+| **Patlama Yarıçapı** | Bir bağımlılık ele geçirilirse kaç dosyanın etkileneceğini gösterir |
+| **Typosquat Tespiti** | 1.847+ bilinen paket + canlı npm registry sorgusu ile şüpheli isimleri yakalar |
+| **Trend Tahmini** | İndirme/commit/release trendlerine dayalı 3 aylık risk projeksiyonu |
+| **Göç Danışmanı** | 131 paket eşleşmesi ve 192 daha güvenli alternatif önerisi |
+| **Çevrimdışı Mod** | İnternet olmadan önbellekten çalışır (`--offline`) |
+| **MCP Sunucusu** | Claude Code ile doğal dilde bağımlılık sorgulama |
+| **Çoklu Format** | Terminal (renkli ağaç), HTML, JSON ve SARIF çıktısı |
+| **GitHub Action** | CI/CD pipeline'ında otomatik güven kontrolü |
+## Kullanım
 ```bash
 # Mevcut projeyi tara
 dep-oracle scan
-# Farkli formatlarda cikti al
+# Farklı formatlarda çıktı al
 dep-oracle scan --format json
 dep-oracle scan --format html
 dep-oracle scan --format sarif
 # Tek bir paketi kontrol et
 dep-oracle check lodash
+dep-oracle check express@4.18.2
-# Cevrimdisi mod (onbellekteki verileri kullanir)
+# Çevrimdışı mod (yalnızca önbellek kullanılır)
 dep-oracle scan --offline
-# Minimum skor esigi belirle (CI/CD icin ideal)
+# Minimum skor eşiği belirle (altındaysa çıkış kodu 1)
 dep-oracle scan --threshold 60
 # Belirli paketleri yoksay
 dep-oracle scan --ignore deprecated-but-needed,legacy-pkg
+# Ayrıntılı loglama
+dep-oracle scan --verbose
 ```
-## Cikti Ornegi
+## Çıktı Örneği
 ```
-dep-oracle v1.0.0
-package.json taraniyor...
-47 dogrudan bagimlilik, 683 gecisli bagimlilik bulundu
-Veri toplaniyor... [=============================] 100% (2.3s)
+dep-oracle v1.1.0
+package.json taranıyor...
+47 doğrudan bağımlılık, 683 geçişli bağımlılık bulundu
+Veri toplanıyor... [=============================] 100% (2.3s)
-BAGIMLILIK GUVEN RAPORU
+BAĞIMLILIK GÜVEN RAPORU
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-KRITIK (skor < 50)
+  KRİTİK (skor < 50)
-  event-stream@3.3.6         Skor: 12  ZOMBI
+  ■ event-stream@3.3.6         Skor: 12  ZOMBİ
     Son commit: 2018 | 0 aktif maintainer
-    Patlama yaricapi: 14 dosya | Alternatif: highland
+    Patlama yarıçapı: 14 dosya | Alternatif: highland
-UYARI (skor 50-79)
+  UYARI (skor 50-79)
-  moment@2.29.4              Skor: 58  ZOMBI
-    Bakim modunda | Yeni ozellik yok
-    Patlama yaricapi: 23 dosya | Alternatif: dayjs
+  ■ moment@2.29.4              Skor: 58  ZOMBİ
+    Bakım modunda | Yeni özellik yok
+    Patlama yarıçapı: 23 dosya | Alternatif: dayjs, date-fns, luxon
-GUVENLI (skor 80+): 679 paket
+  GÜVENLİ (skor 80+): 679 paket
-OZET
-  Genel Guven Skoru: 74/100
-  Kritik: 2 | Uyari: 3 | Guvenli: 679
-  Zombi: 2 | Kaldirilmis: 1
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ÖZET
+  Genel Güven Skoru: 74/100
+  Kritik: 2 | Uyarı: 3 | Güvenli: 679
+  Zombi: 2 | Kaldırılmış: 1
 ```
-## Guven Skoru Algoritmasi
+## Güven Skoru Algoritması
-Her paket, alti agirlikli metrige gore 0-100 arasi puanlanir:
+Her paket, altı ağırlıklı metriğe göre 0-100 arası puanlanır:
-| Metrik | Agirlik | Neyi Olcer |
+| Metrik | Ağırlık | Neyi Ölçer |
 |--------|---------|------------|
-| Guvenlik Gecmisi | %25 | CVE sayisi, ortalama yama suresi, guvenlik acigi yogunlugu |
-| Maintainer Sagligi | %25 | Aktif maintainer sayisi (bus factor), issue yanit suresi, PR merge hizi |
-| Aktivite | %20 | Commit frekans trendi, surum kadansi, son yayinlama tarihi |
-| Popularite | %15 | Haftalik indirme, bagimli paket sayisi, GitHub yildizlari |
+| Güvenlik Geçmişi | %25 | CVE sayısı (azalan ceza modeli), ortalama yama süresi, hızlı yama bonusu |
+| Maintainer Sağlığı | %25 | Aktif maintainer sayısı (bus factor), issue yanıt süresi, PR merge hızı |
+| Aktivite | %20 | Commit frekans trendi, sürüm kadansı, son yayınlama tarihi |
+| Popülarite | %15 | Haftalık indirme, bağımlı paket sayısı, GitHub yıldızları |
 | Fonlama | %10 | GitHub Sponsors, OpenCollective, kurumsal destek |
-| Lisans | %5 | MIT/Apache = guvenli, GPL = risk, Bilinmeyen = kirmizi bayrak |
+| Lisans | %5 | MIT/Apache = güvenli, GPL = risk, Bilinmeyen = kırmızı bayrak |
+**Skor Aralıkları:** 80-100 Güvenli | 50-79 Uyarı | 0-49 Kritik
+### Güvenlik Puanlaması (v1.1.0)
+Güvenlik metriği **azalan ceza** modeli kullanır — ilk güvenlik açığı en yüksek etkiye sahiptir, sonrakiler giderek azalan etkiye sahip olur:
+| Güvenlik Açığı Sayısı | Güvenlik Puanı |
+|-----------------------|----------------|
+| 0 | 100 |
+| 1 | 85 |
+| 2 | 72 |
+| 3 | 60 |
+| 4 | 50 |
+| 5+ | max(20, 100 - n*12) |
-**Skor Araliklari:** 80-100 Guvenli | 50-79 Uyari | 0-49 Kritik
+Güvenlik açıklarını hızlıca yamayan paketler (7 gün içinde) **+10 bonus** alır. Daha yavaş yamalar (30 gün içinde) **+5 bonus** alır.
+### Skor Nasıl Hesaplanıyor?
+Örneğin lodash paketini ele alalım:
+- Güvenlik Geçmişi: Bilinen CVE'ler az, yamalar hızlı → 85 puan (x0.25 = 21.25)
+- Maintainer Sağlığı: Aktif maintainer'lar var ama sınırlı → 70 puan (x0.25 = 17.5)
+- Aktivite: Son sürüm yakın tarihli → 80 puan (x0.20 = 16)
+- Popülarite: Milyonlarca haftalık indirme → 95 puan (x0.15 = 14.25)
+- Fonlama: OpenCollective desteği var → 60 puan (x0.10 = 6)
+- Lisans: MIT → 100 puan (x0.05 = 5)
+**Toplam: 80/100 — Güvenli**
+### Zarif Bozulma (Graceful Degradation)
+Bir API erişilemediyse (GitHub kapalı, internet yok, rate limit), dep-oracle çökmez. Eksik metrik ağırlığı diğer mevcut metriklere dağılır. 3+ metrik kullanılamaz durumda ise güvenilirlik uyarısı gösterilir.
+## Typosquat Tespiti
+dep-oracle, typosquatting'i yakalamak için çok katmanlı bir yaklaşım kullanır:
+1. **Statik kayıt** — 40+ kategoride 1.847+ bilinen popüler paket adı (React, Vue, Angular, Express, test araçları, CLI araçları vb.)
+2. **Dinamik npm sorgusu** — npm'den en çok indirilen 5.000 paketi çeker ve 7 gün boyunca önbelleğine alır
+3. **Örüntü eşleştirme** — Levenshtein mesafesi, önek/sonek manipülasyonu, karakter değişimi, eksik/fazla harf tespiti
+```bash
+dep-oracle check expresss    # Yakalar: "express"e benzer (mesafe: 1)
+dep-oracle check lodashe     # Yakalar: "lodash"a benzer (mesafe: 1)
+dep-oracle check react-js    # Yakalar: "react" sonek örüntüsü
+```
-### Skor nasil hesaplaniyor?
+## Göç Danışmanı
-Ornegin lodash paketini ele alalim:
+Bir paket düşük skor aldığında veya zombi olarak işaretlendiğinde, dep-oracle **131 paket eşleşmesi** ve **192 alternatif** içeren küratörlü bir veritabanından daha güvenli seçenekler önerir:
-- Guvenlik Gecmisi: Bilinen CVE'ler az, yamalar hizli -> 85 puan (x0.25 = 21.25)
-- Maintainer Sagligi: Aktif maintainer'lar var ama sinirli -> 70 puan (x0.25 = 17.5)
-- Aktivite: Son surum yakin tarihli -> 80 puan (x0.20 = 16)
-- Popularite: Milyonlarca haftalik indirme -> 95 puan (x0.15 = 14.25)
-- Fonlama: OpenCollective destegi var -> 60 puan (x0.10 = 6)
-- Lisans: MIT -> 100 puan (x0.05 = 5)
+```
+moment     → dayjs, date-fns, luxon
+request    → axios, got, node-fetch, undici
+lodash     → lodash-es, radash, just (native alternatifler)
+express    → fastify, koa, hono
+gulp       → esbuild, tsup, vite
+mocha      → vitest, jest, node:test
+...ve 125 paket daha
+```
-**Toplam: 80/100 -- Guvenli**
+Her öneri zorluk derecesi (kolay/orta/zor) ve göç bağlamı içerir.
 ## Claude Code Entegrasyonu (MCP)
-dep-oracle, Claude Code icin bir MCP sunucusu olarak calisir. Ayarlamaniz cok basit:
+dep-oracle, Claude Code için bir MCP sunucusu olarak çalışır:
 ```json
 // .claude/settings.json
@@ -146,22 +220,28 @@ dep-oracle, Claude Code icin bir MCP sunucusu olarak calisir. Ayarlamaniz cok ba
 }
 ```
-Ayarladiktan sonra Claude Code icinde dogrudan sorabilirsiniz:
+Ayarladıktan sonra Claude Code içinde doğrudan sorabilirsiniz:
-- "Bu projedeki en riskli bagimlilik hangisi?"
-- "lodash kullanmak guvenli mi?"
-- "Zombi bagimliliklari goster"
-- "Guven skoru 50'nin altindaki paketleri listele"
-- "moment.js icin alternatif oner"
+- *"Bu projedeki en riskli bağımlılık hangisi?"*
+- *"lodash kullanmak güvenli mi?"*
+- *"Zombi bağımlılıkları göster"*
+- *"moment.js için alternatif öner"*
+- *"Güven skoru 50'nin altındaki paketleri listele"*
-Claude Code, dep-oracle'in verdigi verileri kullanarak size anlamli ve baglamsal yanıtlar verir.
+**Mevcut MCP Araçları:**
-## GitHub Action
+| Araç | Açıklama |
+|------|----------|
+| `dep_oracle_scan` | Tam proje bağımlılık taraması |
+| `dep_oracle_trust_score` | Tek paket güven skoru |
+| `dep_oracle_blast_radius` | Paket etki analizi |
+| `dep_oracle_zombies` | Tüm zombi bağımlılıkları listele |
+| `dep_oracle_suggest_migration` | Alternatif paket önerileri |
-dep-oracle'i CI/CD pipeline'iniza entegre ederek her pull request'te otomatik bagimlilik guven kontrolu yapabilirsiniz:
+## GitHub Action
 ```yaml
-name: Bagimlilik Guven Kontrolu
+name: Bağımlılık Güven Kontrolü
 on: [pull_request]
 jobs:
@@ -175,14 +255,14 @@ jobs:
           format: sarif
 ```
-Bu konfigurasyonla:
-- Her PR'da otomatik bagimlilik taramasi yapilir
-- Guven skoru 60'in altindaki paketler icin uyari verilir
-- SARIF formatinda cikti uretilir ve GitHub Security sekmesinde goruntulenir
+Bu konfigürasyonla:
+- Her PR'da otomatik bağımlılık taraması yapılır
+- Güven skoru 60'ın altındaki paketler için uyarı verilir
+- SARIF formatında çıktı üretilir ve GitHub Security sekmesinde görüntülenir
-## Konfigurasyon
+## Konfigürasyon
-Proje kokunde `.dep-oraclerc.json` dosyasi olusturun:
+Proje kökünde `.dep-oraclerc.json` dosyası oluşturun:
 ```json
 {
@@ -195,7 +275,7 @@ Proje kokunde `.dep-oraclerc.json` dosyasi olusturun:
 }
 ```
-Ya da `package.json` icinde tanimlayabilirsiniz:
+Ya da `package.json` içinde tanımlayabilirsiniz:
 ```json
 {
@@ -206,20 +286,20 @@ Ya da `package.json` icinde tanimlayabilirsiniz:
 }
 ```
-### Konfigurasyon Secenekleri
+### Konfigürasyon Seçenekleri
-| Secenek | Varsayilan | Aciklama |
+| Seçenek | Varsayılan | Açıklama |
 |---------|-----------|----------|
-| `threshold` | `60` | Minimum guven skoru esigi. Altindaki paketler uyari verir |
-| `ignore` | `[]` | Tarama disinda tutulacak paket listesi |
-| `format` | `"terminal"` | Cikti formati: `terminal`, `json`, `html`, `sarif` |
-| `offline` | `false` | Cevrimdisi mod. `true` olursa yalnizca onbellek kullanilir |
-| `githubToken` | `null` | GitHub API rate limit'i artirmak icin token |
-| `cacheTtl` | `86400` | Onbellek gecerlilik suresi (saniye cinsinden, varsayilan: 24 saat) |
+| `threshold` | `60` | Minimum güven skoru eşiği. Altındaki paketler uyarı verir ve sıfır olmayan çıkış kodu döndürür |
+| `ignore` | `[]` | Tarama dışında tutulacak paket listesi |
+| `format` | `"terminal"` | Çıktı formatı: `terminal`, `json`, `html`, `sarif` |
+| `offline` | `false` | Çevrimdışı mod. Yalnızca önbellek kullanılır, API çağrısı yapılmaz |
+| `githubToken` | `null` | GitHub API rate limit'i artırmak için token (5000/saat vs 60/saat) |
+| `cacheTtl` | `86400` | Önbellek geçerlilik süresi (saniye cinsinden, varsayılan: 24 saat) |
-## Desteklenen Paket Yoneticileri
+## Desteklenen Paket Yöneticileri
-| Yonetici | Manifest Dosyasi | Kilit Dosyasi | Durum |
+| Yönetici | Manifest Dosyası | Kilit Dosyası | Durum |
 |----------|-------------------|---------------|-------|
 | npm | `package.json` | `package-lock.json` | Destekleniyor |
 | yarn | `package.json` | `yarn.lock` | Destekleniyor |
@@ -227,29 +307,93 @@ Ya da `package.json` icinde tanimlayabilirsiniz:
 | pip | `requirements.txt` | `Pipfile.lock` | Destekleniyor |
 | poetry | `pyproject.toml` | `poetry.lock` | Destekleniyor |
-## Karsilastirma
+## Karşılaştırma
-| Ozellik | npm audit | Dependabot | Socket.dev | Snyk | **dep-oracle** |
+| Özellik | npm audit | Dependabot | Socket.dev | Snyk | **dep-oracle** |
 |---------|-----------|------------|------------|------|----------------|
-| Bilinen CVE taramasi | Var | Var | Var | Var | **Var** |
-| Prediktif risk analizi | Yok | Yok | Kismi | Yok | **Var** |
-| Guven Skoru (0-100) | Yok | Yok | Yok | Yok | **Var** |
+| Bilinen CVE taraması | Var | Var | Var | Var | **Var** |
+| Prediktif risk analizi | Yok | Yok | Kısmi | Yok | **Var** |
+| Güven Skoru (0-100) | Yok | Yok | Yok | Yok | **Var** |
 | Zombi tespiti | Yok | Yok | Yok | Yok | **Var** |
-| Patlama yaricapi | Yok | Yok | Yok | Yok | **Var** |
+| Patlama yarıçapı | Yok | Yok | Yok | Yok | **Var** |
 | Typosquat tespiti | Yok | Yok | Var | Yok | **Var** |
 | Trend tahmini | Yok | Yok | Yok | Yok | **Var** |
+| Göç danışmanı | Yok | Kısmi | Yok | Kısmi | **Var (131 paket)** |
 | MCP entegrasyonu | Yok | Yok | Var | Var | **Var** |
-| Sifir kurulum (npx) | Var | Yok | Yok | Yok | **Var** |
-| Ucretsiz | Var | Var | Freemium | Freemium | **Var** |
+| Sıfır kurulum (npx) | Var | Yok | Yok | Yok | **Var** |
+| Ücretsiz ve açık kaynak | Var | Var | Freemium | Freemium | **Var** |
+## Programatik API
+```typescript
+import { scan, checkPackage } from 'dep-oracle';
+// Projeyi tara
+const report = await scan({ dir: './benim-projem', format: 'json' });
+// Tek paket kontrol et
+const result = await checkPackage('express');
+console.log(result.trustScore); // 74
+console.log(result.isZombie);   // false
+```
+## Test Suite
+dep-oracle kapsamlı test kapsamına sahiptir:
+```
+10 test dosyası | 144 test | %100 başarılı
+  trust-score.test.ts     34 test   Puanlama motoru, metrikler, kenar durumlar
+  zombie-detector.test.ts 10 test   Zombi tespit mantığı
+  typosquat.test.ts       15 test   Typosquat örüntü eşleştirme
+  migration-advisor.test.ts 12 test Göç önerileri
+  trend-predictor.test.ts 10 test   Trend tahmin motoru
+  parsers.test.ts         17 test   npm + Python parser'ları
+  cache.test.ts           15 test   Önbellek işlemleri
+  logger.test.ts          17 test   Logger yardımcı aracı
+  rate-limiter.test.ts    6 test    Rate limiter
+  schema.test.ts          8 test    Zod şema doğrulama
+```
+```bash
+npm test          # Tüm testleri çalıştır
+npm run lint      # TypeScript tip kontrolü
+```
+## Değişiklik Günlüğü
+### v1.1.0 (2025-02-22)
+- **Typosquat Tespiti**: 40+ kategoride 1.847+ bilinen pakete genişletildi, ayrıca dinamik npm registry sorgusu eklendi (en popüler 5.000 paket, 7 günlük önbellek)
+- **Göç Danışmanı**: 131 paket eşleşmesi ve 192 daha güvenli alternatife genişletildi
+- **Güven Skoru Kalibrasyonu**: Azalan güvenlik açığı cezası (ilk CVE en yüksek etki), hızlı yama bonusu (<=7 gün için +10)
+- **Poetry.lock Desteği**: Python projeleri için tam poetry.lock ayrıştırma
+- **Kapsamlı Test Suite**: 10 test dosyası, 144 test — tüm analizörler, parser'lar, önbellek ve yardımcı araçları kapsar
+- **Türkçe README**: Tam Türkçe dokümantasyon
+- **Dinamik CLI Versiyonu**: Versiyon otomatik olarak package.json'dan senkronize edilir
+### v1.0.0 (2025-02-22)
-dep-oracle, mevcut araclarin yerini almak icin degil, onlarin biraktigi boslugu doldurmak icin tasarlandi. `npm audit` bilinen aciklari yakaliyorsa, dep-oracle henuz bildirilmemis ama olusmak uzere olan riskleri gosterir.
+- İlk sürüm
+- 6 ağırlıklı metrikli Güven Skoru motoru
+- npm + Python (pip, poetry, pyproject.toml) parser'ları
+- Zombi tespiti, patlama yarıçapı analizi
+- Levenshtein mesafesi ile typosquat tespiti
+- Trend tahmini (3 aylık risk projeksiyonu)
+- Küratörlü alternatiflerle göç danışmanı
+- Terminal, HTML, JSON, SARIF çıktı formatları
+- Claude Code entegrasyonu için MCP sunucusu
+- GitHub Action desteği
+- SQLite uyumlu önbellek ile çevrimdışı mod
+- Rozet üreticisi (SVG)
-## Katkida Bulunma
+## Katkıda Bulunma
-Katkida bulunmak istiyorsaniz [CONTRIBUTING.md](CONTRIBUTING.md) dosyasina goz atin. Gelistirme ortami kurulumu, kodlama standartlari ve yeni collector/parser ekleme rehberi orada.
+Katkıda bulunmak istiyorsanız [CONTRIBUTING.md](CONTRIBUTING.md) dosyasına göz atın. Geliştirme ortamı kurulumu, kodlama standartları ve yeni collector/parser/analyzer ekleme rehberi orada.
-Her turlu katki degerlidir: hata bildirimi, dokumantasyon iyilestirmesi, yeni ozellik onerisi veya kod katkisi.
+Her türlü katkı değerlidir: hata bildirimi, dokümantasyon iyileştirmesi, yeni özellik önerisi veya kod katkısı.
 ## Lisans
-[MIT](LICENSE) -- Ertugrul Akben
+[MIT](LICENSE) — [Ertuğrul Akben](https://ertugrulakben.com)

package/dist/mcp/server.js CHANGED Viewed

@@ -15,6 +15,9 @@ import {
 // src/mcp/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
 // src/mcp/tools.ts
 import { resolve } from "path";
@@ -462,8 +465,18 @@ async function handleReport(args) {
 }
 // src/mcp/server.ts
+var __filename2 = fileURLToPath(import.meta.url);
+var __dirname2 = dirname(__filename2);
+var pkgPath = join(__dirname2, "..", "..", "package.json");
+var pkgVersion = (() => {
+  try {
+    return JSON.parse(readFileSync(pkgPath, "utf-8")).version;
+  } catch {
+    return "1.1.0";
+  }
+})();
 var server = new Server(
-  { name: "dep-oracle", version: "1.0.0" },
+  { name: "dep-oracle", version: pkgVersion },
   { capabilities: { tools: {} } }
 );
 registerTools(server);

package/dist/mcp/server.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/mcp/server.ts","../../src/mcp/tools.ts","../../src/reporters/json.ts"],"sourcesContent":["/*\n MCP stdio server entry point for dep-oracle.\n \n Exposes the full dep-oracle analysis engine as MCP tools so that\n * Claude (and other MCP clients) can scan projects, evaluate trust\n * scores, detect zombies, and more -- all through the standard\n * Model Context Protocol.\n /\n\nimport { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport { registerTools } from './tools.js';\n\nconst server = new Server(\n { name: 'dep-oracle', version: '1.0.0' },\n { capabilities: { tools: {} } },\n);\n\nregisterTools(server);\n\nconst transport = new StdioServerTransport();\nawait server.connect(transport);\n","/\n MCP tool definitions for dep-oracle.\n \n Registers 8 tools that expose the full analysis pipeline:\n * 1. dep_oracle_scan -- full project scan\n * 2. dep_oracle_trust_score -- single package trust score\n * 3. dep_oracle_blast_radius -- import impact analysis\n * 4. dep_oracle_zombies -- list zombie dependencies\n * 5. dep_oracle_suggest_migration -- migration suggestions\n * 6. dep_oracle_typosquat_check -- typosquat risk check\n * 7. dep_oracle_compare -- side-by-side package comparison\n * 8. dep_oracle_report -- generate HTML report\n \n All tools share the same core engine (parsers, collectors, analyzers)\n * as the CLI.\n /\n\nimport { resolve } from 'node:path';\nimport type { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n} from '@modelcontextprotocol/sdk/types.js';\n\nimport { CacheManager } from '../cache/store.js';\nimport { NpmParser } from '../parsers/npm.js';\nimport { PythonParser } from '../parsers/python.js';\nimport type { DependencyTree, TrustReport, ScanResult } from '../parsers/schema.js';\nimport { CollectorOrchestrator } from '../collectors/orchestrator.js';\nimport { TrustScoreEngine } from '../analyzers/trust-score.js';\nimport { ZombieDetector } from '../analyzers/zombie-detector.js';\nimport { BlastRadiusCalculator } from '../analyzers/blast-radius.js';\nimport { MigrationAdvisor } from '../analyzers/migration-advisor.js';\nimport { TyposquatDetector } from '../analyzers/typosquat.js';\nimport { buildImportGraph, getBlastRadius } from '../utils/graph.js';\nimport { JsonReporter } from '../reporters/json.js';\n\n// ---------------------------------------------------------------------------\n// Shared instances (created once per MCP server lifetime)\n// ---------------------------------------------------------------------------\n\nconst cache = new CacheManager();\nconst orchestrator = new CollectorOrchestrator(cache, {\n githubToken: process.env.GITHUB_TOKEN,\n});\nconst trustEngine = new TrustScoreEngine();\nconst zombieDetector = new ZombieDetector();\nconst blastRadiusCalc = new BlastRadiusCalculator();\nconst migrationAdvisor = new MigrationAdvisor();\nconst typosquatDetector = new TyposquatDetector();\nconst jsonReporter = new JsonReporter();\nconst parsers = [new NpmParser(), new PythonParser()];\n\n// ---------------------------------------------------------------------------\n// Tool definitions\n// ---------------------------------------------------------------------------\n\nconst TOOLS = [\n {\n name: 'dep_oracle_scan',\n description:\n 'Perform a full dependency security scan on a project directory. ' +\n 'Parses the manifest (package.json, requirements.txt, etc.), collects data ' +\n 'from registries and GitHub, computes trust scores for every dependency, ' +\n 'detects zombies, typosquats, and calculates blast radius. Returns a complete ' +\n 'ScanResult JSON with per-package trust reports and an overall project score.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory to scan. ' +\n 'Defaults to the current working directory if omitted.',\n },\n },\n required: [] as string[],\n },\n },\n {\n name: 'dep_oracle_trust_score',\n description:\n 'Calculate the trust score for a single npm package. Queries the npm registry, ' +\n 'GitHub, OSV vulnerability database, and other sources to produce a weighted ' +\n 'score (0-100) across 6 dimensions: security, maintainer, activity, popularity, ' +\n 'funding, and license. Returns a TrustReport JSON with the overall score, ' +\n 'per-dimension metrics, zombie status, and alternative suggestions.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'npm package name (e.g. \"express\", \"@scope/pkg\").',\n },\n version: {\n type: 'string',\n description:\n 'Specific version to analyze (e.g. \"4.18.2\"). If omitted, the latest version is used.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_blast_radius',\n description:\n 'Analyze the blast radius (import impact) of a package within a project. ' +\n 'Scans all JS/TS source files to find how many files import the given package. ' +\n 'Returns the count of affected files, their paths, and the percentage of the ' +\n 'codebase impacted. Useful for understanding the risk if a dependency is ' +\n 'compromised or needs replacement.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to check import usage for.',\n },\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_zombies',\n description:\n 'Detect zombie (abandoned/unmaintained) dependencies in a project. ' +\n 'Parses the manifest, queries registry and GitHub for each dependency, and ' +\n 'flags packages that show signs of abandonment: deprecated, no commits in 12+ months, ' +\n 'no active maintainers, etc. Returns an array of zombie packages with severity ' +\n 'levels and reasons.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n },\n required: [] as string[],\n },\n },\n {\n name: 'dep_oracle_suggest_migration',\n description:\n 'Get migration suggestions for a given package. Looks up the package in a ' +\n 'curated knowledge base of common replacements and returns alternatives with ' +\n 'descriptions and difficulty ratings. Useful for replacing deprecated, abandoned, ' +\n 'or low-trust packages (e.g. moment -> dayjs, request -> got, lodash -> es-toolkit).',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to find migration alternatives for.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_typosquat_check',\n description:\n 'Check whether a package name is a potential typosquat of a popular package. ' +\n 'Uses Levenshtein distance, homoglyph detection, and pattern analysis to identify ' +\n 'suspicious package names that closely resemble well-known packages. Returns a ' +\n 'risk assessment with similar package names and the edit distance.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to check for typosquatting risk.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_compare',\n description:\n 'Compare two packages side-by-side by computing trust scores for both. ' +\n 'Returns the full trust report for each package including scores, metrics, ' +\n 'zombie status, and trend direction. Useful for evaluating alternatives ' +\n 'or choosing between competing libraries.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n packageA: {\n type: 'string',\n description: 'First package name to compare.',\n },\n packageB: {\n type: 'string',\n description: 'Second package name to compare.',\n },\n },\n required: ['packageA', 'packageB'],\n },\n },\n {\n name: 'dep_oracle_report',\n description:\n 'Generate a JSON report for a project. Runs a full scan and outputs the results ' +\n 'as formatted JSON. Optionally writes the report to a file. Returns the JSON ' +\n 'content or the path to the generated file.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n output: {\n type: 'string',\n description:\n 'Absolute path to write the report file. If omitted, the report content is returned directly.',\n },\n },\n required: [] as string[],\n },\n },\n];\n\n// ---------------------------------------------------------------------------\n// Tool registration\n// ---------------------------------------------------------------------------\n\nexport function registerTools(server: Server): void {\n // List all available tools\n server.setRequestHandler(ListToolsRequestSchema, async () => ({\n tools: TOOLS,\n }));\n\n // Handle tool invocations\n server.setRequestHandler(CallToolRequestSchema, async (request) => {\n const { name, arguments: args } = request.params;\n\n try {\n switch (name) {\n case 'dep_oracle_scan':\n return await handleScan(args);\n case 'dep_oracle_trust_score':\n return await handleTrustScore(args);\n case 'dep_oracle_blast_radius':\n return await handleBlastRadius(args);\n case 'dep_oracle_zombies':\n return await handleZombies(args);\n case 'dep_oracle_suggest_migration':\n return await handleSuggestMigration(args);\n case 'dep_oracle_typosquat_check':\n return await handleTyposquatCheck(args);\n case 'dep_oracle_compare':\n return await handleCompare(args);\n case 'dep_oracle_report':\n return await handleReport(args);\n default:\n return errorResponse(`Unknown tool: ${name}`);\n }\n } catch (err) {\n const message = err instanceof Error ? err.message : String(err);\n return errorResponse(`Tool \"${name}\" failed: ${message}`);\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Helper: build a successful text content response\n// ---------------------------------------------------------------------------\n\nfunction successResponse(data: unknown) {\n const text = typeof data === 'string' ? data : JSON.stringify(data, null, 2);\n return {\n content: [{ type: 'text' as const, text }],\n };\n}\n\nfunction errorResponse(message: string) {\n return {\n content: [{ type: 'text' as const, text: message }],\n isError: true,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Shared: parse project dependencies\n// ---------------------------------------------------------------------------\n\nasync function parseProject(dir: string): Promise<DependencyTree \| null> {\n for (const parser of parsers) {\n if (await parser.detect(dir)) {\n return parser.parse(dir);\n }\n }\n return null;\n}\n\n// ---------------------------------------------------------------------------\n// Shared: build a full trust report for a single package\n// ---------------------------------------------------------------------------\n\nasync function buildTrustReport(\n packageName: string,\n version: string,\n blastRadius: number = 0,\n): Promise<TrustReport> {\n const results = await orchestrator.collectAll(packageName, version);\n const trustResult = trustEngine.calculate(results);\n const zombie = zombieDetector.detect(\n results.registry.data,\n results.github.data,\n );\n const typosquat = typosquatDetector.check(packageName);\n const alternatives = migrationAdvisor.suggest(\n packageName,\n zombie.isZombie ? 'zombie dependency' : 'low trust score',\n );\n\n // Determine trend from popularity data\n const trend = results.popularity.data?.trend ?? 'stable';\n\n return {\n package: packageName,\n version,\n trustScore: trustResult.trustScore,\n metrics: trustResult.metrics,\n isZombie: zombie.isZombie,\n blastRadius,\n alternatives: alternatives.map((a) => a.alternative),\n trend,\n typosquatRisk: typosquat.isRisky ? 1.0 : 0.0,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Tool handlers\n// ---------------------------------------------------------------------------\n\nasync function handleScan(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\". ` +\n 'Supported: package.json, requirements.txt, pyproject.toml, Pipfile.',\n );\n }\n\n // Build import graph for blast radius\n const importGraph = await buildImportGraph(dir);\n\n // Collect trust reports for all direct dependencies\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const reports: TrustReport[] = [];\n\n for (const node of directNodes) {\n const blastRadius = getBlastRadius(node.name, importGraph);\n const report = await buildTrustReport(node.name, node.version, blastRadius);\n reports.push(report);\n }\n\n // Overall score: weighted average\n const overallScore =\n reports.length > 0\n ? Math.round(\n reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length,\n )\n : 0;\n\n // Summary\n const zombieCount = reports.filter((r) => r.isZombie).length;\n const criticalCount = reports.filter((r) => r.trustScore < 50).length;\n const summary =\n `Scanned ${reports.length} direct dependencies. ` +\n `Overall trust score: ${overallScore}/100. ` +\n `${zombieCount} zombie(s) detected. ` +\n `${criticalCount} package(s) below trust threshold.`;\n\n const scanResult: ScanResult = {\n tree,\n reports,\n overallScore,\n summary,\n };\n\n // Serialize (handles Map objects)\n const serialized = jsonReporter.report(scanResult);\n return successResponse(serialized);\n}\n\nasync function handleTrustScore(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const version = String(args?.version ?? 'latest');\n const report = await buildTrustReport(packageName, version);\n return successResponse(report);\n}\n\nasync function handleBlastRadius(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const dir = resolve(String(args?.dir ?? process.cwd()));\n const result = await blastRadiusCalc.calculate(packageName, dir);\n return successResponse(result);\n}\n\nasync function handleZombies(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\".`,\n );\n }\n\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const zombies: Array<{\n package: string;\n version: string;\n severity: string;\n reason: string;\n lastActivity: string \| null;\n }> = [];\n\n for (const node of directNodes) {\n const results = await orchestrator.collectAll(node.name, node.version);\n const zombie = zombieDetector.detect(\n results.registry.data,\n results.github.data,\n );\n\n if (zombie.isZombie) {\n zombies.push({\n package: node.name,\n version: node.version,\n severity: zombie.severity,\n reason: zombie.reason,\n lastActivity: zombie.lastActivity?.toISOString() ?? null,\n });\n }\n }\n\n if (zombies.length === 0) {\n return successResponse({\n message: 'No zombie dependencies detected.',\n zombies: [],\n });\n }\n\n return successResponse({\n message: `Found ${zombies.length} zombie dependency(ies).`,\n zombies,\n });\n}\n\nasync function handleSuggestMigration(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const suggestions = migrationAdvisor.suggest(packageName, 'manual query');\n\n if (suggestions.length === 0) {\n return successResponse({\n package: packageName,\n message: `No migration suggestions found for \"${packageName}\". ` +\n 'This package may not have known alternatives in our database.',\n suggestions: [],\n });\n }\n\n return successResponse({\n package: packageName,\n suggestions,\n });\n}\n\nasync function handleTyposquatCheck(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const result = typosquatDetector.check(packageName);\n return successResponse({\n package: packageName,\n ...result,\n });\n}\n\nasync function handleCompare(args: Record<string, unknown> \| undefined) {\n const packageA = String(args?.packageA ?? '');\n const packageB = String(args?.packageB ?? '');\n\n if (!packageA \|\| !packageB) {\n return errorResponse('Missing required parameters: \"packageA\" and \"packageB\".');\n }\n\n const [reportA, reportB] = await Promise.all([\n buildTrustReport(packageA, 'latest'),\n buildTrustReport(packageB, 'latest'),\n ]);\n\n return successResponse({\n comparison: {\n packageA: reportA,\n packageB: reportB,\n winner:\n reportA.trustScore > reportB.trustScore\n ? packageA\n : reportA.trustScore < reportB.trustScore\n ? packageB\n : 'tie',\n scoreDifference: Math.abs(reportA.trustScore - reportB.trustScore),\n },\n });\n}\n\nasync function handleReport(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n const output = args?.output ? resolve(String(args.output)) : null;\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\".`,\n );\n }\n\n // Build import graph for blast radius\n const importGraph = await buildImportGraph(dir);\n\n // Collect trust reports for direct dependencies\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const reports: TrustReport[] = [];\n\n for (const node of directNodes) {\n const blastRadius = getBlastRadius(node.name, importGraph);\n const report = await buildTrustReport(node.name, node.version, blastRadius);\n reports.push(report);\n }\n\n const overallScore =\n reports.length > 0\n ? Math.round(\n reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length,\n )\n : 0;\n\n const zombieCount = reports.filter((r) => r.isZombie).length;\n const criticalCount = reports.filter((r) => r.trustScore < 50).length;\n const summary =\n `Scanned ${reports.length} direct dependencies. ` +\n `Overall trust score: ${overallScore}/100. ` +\n `${zombieCount} zombie(s) detected. ` +\n `${criticalCount} package(s) below trust threshold.`;\n\n const scanResult: ScanResult = {\n tree,\n reports,\n overallScore,\n summary,\n };\n\n const jsonContent = jsonReporter.report(scanResult);\n\n if (output) {\n const { writeFile } = await import('node:fs/promises');\n await writeFile(output, jsonContent, 'utf-8');\n return successResponse({\n message: `Report written to ${output}`,\n path: output,\n });\n }\n\n return successResponse(jsonContent);\n}\n","import type { ScanResult } from \"../parsers/schema.js\";\n\n// ---------------------------------------------------------------------------\n// JsonReporter\n// ---------------------------------------------------------------------------\n\n/\n Serialize a ScanResult as formatted JSON.\n \n The output is a self-contained JSON string suitable for piping into jq,\n * saving to a file, or passing to downstream tooling.\n /\nexport class JsonReporter {\n /\n Convert the scan result into a pretty-printed JSON string.\n \n Map objects (e.g. DependencyTree.nodes) are converted to plain\n * objects so that they survive JSON serialization.\n /\n report(result: ScanResult): string {\n return JSON.stringify(this.toSerializable(result), null, 2);\n }\n\n // -------------------------------------------------------------------------\n // Internals\n // -------------------------------------------------------------------------\n\n /\n Walk the value recursively and convert Map instances into plain objects\n * so JSON.stringify can handle them.\n */\n private toSerializable(value: unknown): unknown {\n if (value === null \|\| value === undefined) {\n return value;\n }\n\n if (value instanceof Map) {\n const obj: Record<string, unknown> = {};\n for (const [k, v] of value.entries()) {\n obj[String(k)] = this.toSerializable(v);\n }\n return obj;\n }\n\n if (Array.isArray(value)) {\n return value.map((item) => this.toSerializable(item));\n }\n\n if (typeof value === \"object\") {\n const result: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value)) {\n result[k] = this.toSerializable(v);\n }\n return result;\n }\n\n return value;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AASA,SAAS,cAAc;AACvB,SAAS,4BAA4B;;;ACOrC,SAAS,eAAe;AAExB;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACVA,IAAM,eAAN,MAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOxB,OAAO,QAA4B;AACjC,WAAO,KAAK,UAAU,KAAK,eAAe,MAAM,GAAG,MAAM,CAAC;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,eAAe,OAAyB;AAC9C,QAAI,UAAU,QAAQ,UAAU,QAAW;AACzC,aAAO;AAAA,IACT;AAEA,QAAI,iBAAiB,KAAK;AACxB,YAAM,MAA+B,CAAC;AACtC,iBAAW,CAAC,GAAG,CAAC,KAAK,MAAM,QAAQ,GAAG;AACpC,YAAI,OAAO,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC;AAAA,MACxC;AACA,aAAO;AAAA,IACT;AAEA,QAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,aAAO,MAAM,IAAI,CAAC,SAAS,KAAK,eAAe,IAAI,CAAC;AAAA,IACtD;AAEA,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,SAAkC,CAAC;AACzC,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,GAAG;AAC1C,eAAO,CAAC,IAAI,KAAK,eAAe,CAAC;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AACF;;;ADjBA,IAAM,QAAQ,IAAI,aAAa;AAC/B,IAAM,eAAe,IAAI,sBAAsB,OAAO;AAAA,EACpD,aAAa,QAAQ,IAAI;AAC3B,CAAC;AACD,IAAM,cAAc,IAAI,iBAAiB;AACzC,IAAM,iBAAiB,IAAI,eAAe;AAC1C,IAAM,kBAAkB,IAAI,sBAAsB;AAClD,IAAM,mBAAmB,IAAI,iBAAiB;AAC9C,IAAM,oBAAoB,IAAI,kBAAkB;AAChD,IAAM,eAAe,IAAI,aAAa;AACtC,IAAM,UAAU,CAAC,IAAI,UAAU,GAAG,IAAI,aAAa,CAAC;AAMpD,IAAM,QAAQ;AAAA,EACZ;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QAEJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,UAAU;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,UAAU;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,YAAY,UAAU;AAAA,IACnC;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAGF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,QACA,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AACF;AAMO,SAAS,cAAcA,SAAsB;AAElD,EAAAA,QAAO,kBAAkB,wBAAwB,aAAa;AAAA,IAC5D,OAAO;AAAA,EACT,EAAE;AAGF,EAAAA,QAAO,kBAAkB,uBAAuB,OAAO,YAAY;AACjE,UAAM,EAAE,MAAM,WAAW,KAAK,IAAI,QAAQ;AAE1C,QAAI;AACF,cAAQ,MAAM;AAAA,QACZ,KAAK;AACH,iBAAO,MAAM,WAAW,IAAI;AAAA,QAC9B,KAAK;AACH,iBAAO,MAAM,iBAAiB,IAAI;AAAA,QACpC,KAAK;AACH,iBAAO,MAAM,kBAAkB,IAAI;AAAA,QACrC,KAAK;AACH,iBAAO,MAAM,cAAc,IAAI;AAAA,QACjC,KAAK;AACH,iBAAO,MAAM,uBAAuB,IAAI;AAAA,QAC1C,KAAK;AACH,iBAAO,MAAM,qBAAqB,IAAI;AAAA,QACxC,KAAK;AACH,iBAAO,MAAM,cAAc,IAAI;AAAA,QACjC,KAAK;AACH,iBAAO,MAAM,aAAa,IAAI;AAAA,QAChC;AACE,iBAAO,cAAc,iBAAiB,IAAI,EAAE;AAAA,MAChD;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,aAAO,cAAc,SAAS,IAAI,aAAa,OAAO,EAAE;AAAA,IAC1D;AAAA,EACF,CAAC;AACH;AAMA,SAAS,gBAAgB,MAAe;AACtC,QAAM,OAAO,OAAO,SAAS,WAAW,OAAO,KAAK,UAAU,MAAM,MAAM,CAAC;AAC3E,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAiB,KAAK,CAAC;AAAA,EAC3C;AACF;AAEA,SAAS,cAAc,SAAiB;AACtC,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,QAAQ,CAAC;AAAA,IAClD,SAAS;AAAA,EACX;AACF;AAMA,eAAe,aAAa,KAA6C;AACvE,aAAW,UAAU,SAAS;AAC5B,QAAI,MAAM,OAAO,OAAO,GAAG,GAAG;AAC5B,aAAO,OAAO,MAAM,GAAG;AAAA,IACzB;AAAA,EACF;AACA,SAAO;AACT;AAMA,eAAe,iBACb,aACA,SACA,cAAsB,GACA;AACtB,QAAM,UAAU,MAAM,aAAa,WAAW,aAAa,OAAO;AAClE,QAAM,cAAc,YAAY,UAAU,OAAO;AACjD,QAAM,SAAS,eAAe;AAAA,IAC5B,QAAQ,SAAS;AAAA,IACjB,QAAQ,OAAO;AAAA,EACjB;AACA,QAAM,YAAY,kBAAkB,MAAM,WAAW;AACrD,QAAM,eAAe,iBAAiB;AAAA,IACpC;AAAA,IACA,OAAO,WAAW,sBAAsB;AAAA,EAC1C;AAGA,QAAM,QAAQ,QAAQ,WAAW,MAAM,SAAS;AAEhD,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,YAAY,YAAY;AAAA,IACxB,SAAS,YAAY;AAAA,IACrB,UAAU,OAAO;AAAA,IACjB;AAAA,IACA,cAAc,aAAa,IAAI,CAAC,MAAM,EAAE,WAAW;AAAA,IACnD;AAAA,IACA,eAAe,UAAU,UAAU,IAAM;AAAA,EAC3C;AACF;AAMA,eAAe,WAAW,MAA2C;AACnE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AAEtD,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAE7C;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,iBAAiB,GAAG;AAG9C,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAAyB,CAAC;AAEhC,aAAW,QAAQ,aAAa;AAC9B,UAAM,cAAc,eAAe,KAAK,MAAM,WAAW;AACzD,UAAM,SAAS,MAAM,iBAAiB,KAAK,MAAM,KAAK,SAAS,WAAW;AAC1E,YAAQ,KAAK,MAAM;AAAA,EACrB;AAGA,QAAM,eACJ,QAAQ,SAAS,IACb,KAAK;AAAA,IACH,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,YAAY,CAAC,IAAI,QAAQ;AAAA,EAC9D,IACA;AAGN,QAAM,cAAc,QAAQ,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE;AACtD,QAAM,gBAAgB,QAAQ,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE;AAC/D,QAAM,UACJ,WAAW,QAAQ,MAAM,8CACD,YAAY,SACjC,WAAW,wBACX,aAAa;AAElB,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAGA,QAAM,aAAa,aAAa,OAAO,UAAU;AACjD,SAAO,gBAAgB,UAAU;AACnC;AAEA,eAAe,iBAAiB,MAA2C;AACzE,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,UAAU,OAAO,MAAM,WAAW,QAAQ;AAChD,QAAM,SAAS,MAAM,iBAAiB,aAAa,OAAO;AAC1D,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAe,kBAAkB,MAA2C;AAC1E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AACtD,QAAM,SAAS,MAAM,gBAAgB,UAAU,aAAa,GAAG;AAC/D,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAe,cAAc,MAA2C;AACtE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AAEtD,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAMD,CAAC;AAEN,aAAW,QAAQ,aAAa;AAC9B,UAAM,UAAU,MAAM,aAAa,WAAW,KAAK,MAAM,KAAK,OAAO;AACrE,UAAM,SAAS,eAAe;AAAA,MAC5B,QAAQ,SAAS;AAAA,MACjB,QAAQ,OAAO;AAAA,IACjB;AAEA,QAAI,OAAO,UAAU;AACnB,cAAQ,KAAK;AAAA,QACX,SAAS,KAAK;AAAA,QACd,SAAS,KAAK;AAAA,QACd,UAAU,OAAO;AAAA,QACjB,QAAQ,OAAO;AAAA,QACf,cAAc,OAAO,cAAc,YAAY,KAAK;AAAA,MACtD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,QAAQ,WAAW,GAAG;AACxB,WAAO,gBAAgB;AAAA,MACrB,SAAS;AAAA,MACT,SAAS,CAAC;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB;AAAA,IACrB,SAAS,SAAS,QAAQ,MAAM;AAAA,IAChC;AAAA,EACF,CAAC;AACH;AAEA,eAAe,uBAAuB,MAA2C;AAC/E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,cAAc,iBAAiB,QAAQ,aAAa,cAAc;AAExE,MAAI,YAAY,WAAW,GAAG;AAC5B,WAAO,gBAAgB;AAAA,MACrB,SAAS;AAAA,MACT,SAAS,uCAAuC,WAAW;AAAA,MAE3D,aAAa,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB;AAAA,IACrB,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAEA,eAAe,qBAAqB,MAA2C;AAC7E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,SAAS,kBAAkB,MAAM,WAAW;AAClD,SAAO,gBAAgB;AAAA,IACrB,SAAS;AAAA,IACT,GAAG;AAAA,EACL,CAAC;AACH;AAEA,eAAe,cAAc,MAA2C;AACtE,QAAM,WAAW,OAAO,MAAM,YAAY,EAAE;AAC5C,QAAM,WAAW,OAAO,MAAM,YAAY,EAAE;AAE5C,MAAI,CAAC,YAAY,CAAC,UAAU;AAC1B,WAAO,cAAc,yDAAyD;AAAA,EAChF;AAEA,QAAM,CAAC,SAAS,OAAO,IAAI,MAAM,QAAQ,IAAI;AAAA,IAC3C,iBAAiB,UAAU,QAAQ;AAAA,IACnC,iBAAiB,UAAU,QAAQ;AAAA,EACrC,CAAC;AAED,SAAO,gBAAgB;AAAA,IACrB,YAAY;AAAA,MACV,UAAU;AAAA,MACV,UAAU;AAAA,MACV,QACE,QAAQ,aAAa,QAAQ,aACzB,WACA,QAAQ,aAAa,QAAQ,aAC3B,WACA;AAAA,MACR,iBAAiB,KAAK,IAAI,QAAQ,aAAa,QAAQ,UAAU;AAAA,IACnE;AAAA,EACF,CAAC;AACH;AAEA,eAAe,aAAa,MAA2C;AACrE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AACtD,QAAM,SAAS,MAAM,SAAS,QAAQ,OAAO,KAAK,MAAM,CAAC,IAAI;AAE7D,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAC7C;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,iBAAiB,GAAG;AAG9C,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAAyB,CAAC;AAEhC,aAAW,QAAQ,aAAa;AAC9B,UAAM,cAAc,eAAe,KAAK,MAAM,WAAW;AACzD,UAAM,SAAS,MAAM,iBAAiB,KAAK,MAAM,KAAK,SAAS,WAAW;AAC1E,YAAQ,KAAK,MAAM;AAAA,EACrB;AAEA,QAAM,eACJ,QAAQ,SAAS,IACb,KAAK;AAAA,IACH,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,YAAY,CAAC,IAAI,QAAQ;AAAA,EAC9D,IACA;AAEN,QAAM,cAAc,QAAQ,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE;AACtD,QAAM,gBAAgB,QAAQ,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE;AAC/D,QAAM,UACJ,WAAW,QAAQ,MAAM,8CACD,YAAY,SACjC,WAAW,wBACX,aAAa;AAElB,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,aAAa,OAAO,UAAU;AAElD,MAAI,QAAQ;AACV,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,aAAkB;AACrD,UAAM,UAAU,QAAQ,aAAa,OAAO;AAC5C,WAAO,gBAAgB;AAAA,MACrB,SAAS,qBAAqB,MAAM;AAAA,MACpC,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB,WAAW;AACpC;;;ADlkBA,IAAM,SAAS,IAAI;AAAA,EACjB,EAAE,MAAM,cAAc,SAAS,QAAQ;AAAA,EACvC,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,EAAE;AAChC;AAEA,cAAc,MAAM;AAEpB,IAAM,YAAY,IAAI,qBAAqB;AAC3C,MAAM,OAAO,QAAQ,SAAS;","names":["server"]}
1	+ {"version":3,"sources":["../../src/mcp/server.ts","../../src/mcp/tools.ts","../../src/reporters/json.ts"],"sourcesContent":["/*\n MCP stdio server entry point for dep-oracle.\n \n Exposes the full dep-oracle analysis engine as MCP tools so that\n * Claude (and other MCP clients) can scan projects, evaluate trust\n * scores, detect zombies, and more -- all through the standard\n * Model Context Protocol.\n /\n\nimport { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport { readFileSync } from 'node:fs';\nimport { fileURLToPath } from 'node:url';\nimport { dirname, join } from 'node:path';\nimport { registerTools } from './tools.js';\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = dirname(__filename);\nconst pkgPath = join(__dirname, '..', '..', 'package.json');\nconst pkgVersion = (() => {\n try {\n return JSON.parse(readFileSync(pkgPath, 'utf-8')).version as string;\n } catch {\n return '1.1.0';\n }\n})();\n\nconst server = new Server(\n { name: 'dep-oracle', version: pkgVersion },\n { capabilities: { tools: {} } },\n);\n\nregisterTools(server);\n\nconst transport = new StdioServerTransport();\nawait server.connect(transport);\n","/\n MCP tool definitions for dep-oracle.\n \n Registers 8 tools that expose the full analysis pipeline:\n * 1. dep_oracle_scan -- full project scan\n * 2. dep_oracle_trust_score -- single package trust score\n * 3. dep_oracle_blast_radius -- import impact analysis\n * 4. dep_oracle_zombies -- list zombie dependencies\n * 5. dep_oracle_suggest_migration -- migration suggestions\n * 6. dep_oracle_typosquat_check -- typosquat risk check\n * 7. dep_oracle_compare -- side-by-side package comparison\n * 8. dep_oracle_report -- generate HTML report\n \n All tools share the same core engine (parsers, collectors, analyzers)\n * as the CLI.\n /\n\nimport { resolve } from 'node:path';\nimport type { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport {\n ListToolsRequestSchema,\n CallToolRequestSchema,\n} from '@modelcontextprotocol/sdk/types.js';\n\nimport { CacheManager } from '../cache/store.js';\nimport { NpmParser } from '../parsers/npm.js';\nimport { PythonParser } from '../parsers/python.js';\nimport type { DependencyTree, TrustReport, ScanResult } from '../parsers/schema.js';\nimport { CollectorOrchestrator } from '../collectors/orchestrator.js';\nimport { TrustScoreEngine } from '../analyzers/trust-score.js';\nimport { ZombieDetector } from '../analyzers/zombie-detector.js';\nimport { BlastRadiusCalculator } from '../analyzers/blast-radius.js';\nimport { MigrationAdvisor } from '../analyzers/migration-advisor.js';\nimport { TyposquatDetector } from '../analyzers/typosquat.js';\nimport { buildImportGraph, getBlastRadius } from '../utils/graph.js';\nimport { JsonReporter } from '../reporters/json.js';\n\n// ---------------------------------------------------------------------------\n// Shared instances (created once per MCP server lifetime)\n// ---------------------------------------------------------------------------\n\nconst cache = new CacheManager();\nconst orchestrator = new CollectorOrchestrator(cache, {\n githubToken: process.env.GITHUB_TOKEN,\n});\nconst trustEngine = new TrustScoreEngine();\nconst zombieDetector = new ZombieDetector();\nconst blastRadiusCalc = new BlastRadiusCalculator();\nconst migrationAdvisor = new MigrationAdvisor();\nconst typosquatDetector = new TyposquatDetector();\nconst jsonReporter = new JsonReporter();\nconst parsers = [new NpmParser(), new PythonParser()];\n\n// ---------------------------------------------------------------------------\n// Tool definitions\n// ---------------------------------------------------------------------------\n\nconst TOOLS = [\n {\n name: 'dep_oracle_scan',\n description:\n 'Perform a full dependency security scan on a project directory. ' +\n 'Parses the manifest (package.json, requirements.txt, etc.), collects data ' +\n 'from registries and GitHub, computes trust scores for every dependency, ' +\n 'detects zombies, typosquats, and calculates blast radius. Returns a complete ' +\n 'ScanResult JSON with per-package trust reports and an overall project score.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory to scan. ' +\n 'Defaults to the current working directory if omitted.',\n },\n },\n required: [] as string[],\n },\n },\n {\n name: 'dep_oracle_trust_score',\n description:\n 'Calculate the trust score for a single npm package. Queries the npm registry, ' +\n 'GitHub, OSV vulnerability database, and other sources to produce a weighted ' +\n 'score (0-100) across 6 dimensions: security, maintainer, activity, popularity, ' +\n 'funding, and license. Returns a TrustReport JSON with the overall score, ' +\n 'per-dimension metrics, zombie status, and alternative suggestions.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'npm package name (e.g. \"express\", \"@scope/pkg\").',\n },\n version: {\n type: 'string',\n description:\n 'Specific version to analyze (e.g. \"4.18.2\"). If omitted, the latest version is used.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_blast_radius',\n description:\n 'Analyze the blast radius (import impact) of a package within a project. ' +\n 'Scans all JS/TS source files to find how many files import the given package. ' +\n 'Returns the count of affected files, their paths, and the percentage of the ' +\n 'codebase impacted. Useful for understanding the risk if a dependency is ' +\n 'compromised or needs replacement.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to check import usage for.',\n },\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_zombies',\n description:\n 'Detect zombie (abandoned/unmaintained) dependencies in a project. ' +\n 'Parses the manifest, queries registry and GitHub for each dependency, and ' +\n 'flags packages that show signs of abandonment: deprecated, no commits in 12+ months, ' +\n 'no active maintainers, etc. Returns an array of zombie packages with severity ' +\n 'levels and reasons.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n },\n required: [] as string[],\n },\n },\n {\n name: 'dep_oracle_suggest_migration',\n description:\n 'Get migration suggestions for a given package. Looks up the package in a ' +\n 'curated knowledge base of common replacements and returns alternatives with ' +\n 'descriptions and difficulty ratings. Useful for replacing deprecated, abandoned, ' +\n 'or low-trust packages (e.g. moment -> dayjs, request -> got, lodash -> es-toolkit).',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to find migration alternatives for.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_typosquat_check',\n description:\n 'Check whether a package name is a potential typosquat of a popular package. ' +\n 'Uses Levenshtein distance, homoglyph detection, and pattern analysis to identify ' +\n 'suspicious package names that closely resemble well-known packages. Returns a ' +\n 'risk assessment with similar package names and the edit distance.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n package: {\n type: 'string',\n description: 'Package name to check for typosquatting risk.',\n },\n },\n required: ['package'],\n },\n },\n {\n name: 'dep_oracle_compare',\n description:\n 'Compare two packages side-by-side by computing trust scores for both. ' +\n 'Returns the full trust report for each package including scores, metrics, ' +\n 'zombie status, and trend direction. Useful for evaluating alternatives ' +\n 'or choosing between competing libraries.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n packageA: {\n type: 'string',\n description: 'First package name to compare.',\n },\n packageB: {\n type: 'string',\n description: 'Second package name to compare.',\n },\n },\n required: ['packageA', 'packageB'],\n },\n },\n {\n name: 'dep_oracle_report',\n description:\n 'Generate a JSON report for a project. Runs a full scan and outputs the results ' +\n 'as formatted JSON. Optionally writes the report to a file. Returns the JSON ' +\n 'content or the path to the generated file.',\n inputSchema: {\n type: 'object' as const,\n properties: {\n dir: {\n type: 'string',\n description:\n 'Absolute path to the project directory. Defaults to cwd if omitted.',\n },\n output: {\n type: 'string',\n description:\n 'Absolute path to write the report file. If omitted, the report content is returned directly.',\n },\n },\n required: [] as string[],\n },\n },\n];\n\n// ---------------------------------------------------------------------------\n// Tool registration\n// ---------------------------------------------------------------------------\n\nexport function registerTools(server: Server): void {\n // List all available tools\n server.setRequestHandler(ListToolsRequestSchema, async () => ({\n tools: TOOLS,\n }));\n\n // Handle tool invocations\n server.setRequestHandler(CallToolRequestSchema, async (request) => {\n const { name, arguments: args } = request.params;\n\n try {\n switch (name) {\n case 'dep_oracle_scan':\n return await handleScan(args);\n case 'dep_oracle_trust_score':\n return await handleTrustScore(args);\n case 'dep_oracle_blast_radius':\n return await handleBlastRadius(args);\n case 'dep_oracle_zombies':\n return await handleZombies(args);\n case 'dep_oracle_suggest_migration':\n return await handleSuggestMigration(args);\n case 'dep_oracle_typosquat_check':\n return await handleTyposquatCheck(args);\n case 'dep_oracle_compare':\n return await handleCompare(args);\n case 'dep_oracle_report':\n return await handleReport(args);\n default:\n return errorResponse(`Unknown tool: ${name}`);\n }\n } catch (err) {\n const message = err instanceof Error ? err.message : String(err);\n return errorResponse(`Tool \"${name}\" failed: ${message}`);\n }\n });\n}\n\n// ---------------------------------------------------------------------------\n// Helper: build a successful text content response\n// ---------------------------------------------------------------------------\n\nfunction successResponse(data: unknown) {\n const text = typeof data === 'string' ? data : JSON.stringify(data, null, 2);\n return {\n content: [{ type: 'text' as const, text }],\n };\n}\n\nfunction errorResponse(message: string) {\n return {\n content: [{ type: 'text' as const, text: message }],\n isError: true,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Shared: parse project dependencies\n// ---------------------------------------------------------------------------\n\nasync function parseProject(dir: string): Promise<DependencyTree \| null> {\n for (const parser of parsers) {\n if (await parser.detect(dir)) {\n return parser.parse(dir);\n }\n }\n return null;\n}\n\n// ---------------------------------------------------------------------------\n// Shared: build a full trust report for a single package\n// ---------------------------------------------------------------------------\n\nasync function buildTrustReport(\n packageName: string,\n version: string,\n blastRadius: number = 0,\n): Promise<TrustReport> {\n const results = await orchestrator.collectAll(packageName, version);\n const trustResult = trustEngine.calculate(results);\n const zombie = zombieDetector.detect(\n results.registry.data,\n results.github.data,\n );\n const typosquat = typosquatDetector.check(packageName);\n const alternatives = migrationAdvisor.suggest(\n packageName,\n zombie.isZombie ? 'zombie dependency' : 'low trust score',\n );\n\n // Determine trend from popularity data\n const trend = results.popularity.data?.trend ?? 'stable';\n\n return {\n package: packageName,\n version,\n trustScore: trustResult.trustScore,\n metrics: trustResult.metrics,\n isZombie: zombie.isZombie,\n blastRadius,\n alternatives: alternatives.map((a) => a.alternative),\n trend,\n typosquatRisk: typosquat.isRisky ? 1.0 : 0.0,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Tool handlers\n// ---------------------------------------------------------------------------\n\nasync function handleScan(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\". ` +\n 'Supported: package.json, requirements.txt, pyproject.toml, Pipfile.',\n );\n }\n\n // Build import graph for blast radius\n const importGraph = await buildImportGraph(dir);\n\n // Collect trust reports for all direct dependencies\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const reports: TrustReport[] = [];\n\n for (const node of directNodes) {\n const blastRadius = getBlastRadius(node.name, importGraph);\n const report = await buildTrustReport(node.name, node.version, blastRadius);\n reports.push(report);\n }\n\n // Overall score: weighted average\n const overallScore =\n reports.length > 0\n ? Math.round(\n reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length,\n )\n : 0;\n\n // Summary\n const zombieCount = reports.filter((r) => r.isZombie).length;\n const criticalCount = reports.filter((r) => r.trustScore < 50).length;\n const summary =\n `Scanned ${reports.length} direct dependencies. ` +\n `Overall trust score: ${overallScore}/100. ` +\n `${zombieCount} zombie(s) detected. ` +\n `${criticalCount} package(s) below trust threshold.`;\n\n const scanResult: ScanResult = {\n tree,\n reports,\n overallScore,\n summary,\n };\n\n // Serialize (handles Map objects)\n const serialized = jsonReporter.report(scanResult);\n return successResponse(serialized);\n}\n\nasync function handleTrustScore(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const version = String(args?.version ?? 'latest');\n const report = await buildTrustReport(packageName, version);\n return successResponse(report);\n}\n\nasync function handleBlastRadius(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const dir = resolve(String(args?.dir ?? process.cwd()));\n const result = await blastRadiusCalc.calculate(packageName, dir);\n return successResponse(result);\n}\n\nasync function handleZombies(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\".`,\n );\n }\n\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const zombies: Array<{\n package: string;\n version: string;\n severity: string;\n reason: string;\n lastActivity: string \| null;\n }> = [];\n\n for (const node of directNodes) {\n const results = await orchestrator.collectAll(node.name, node.version);\n const zombie = zombieDetector.detect(\n results.registry.data,\n results.github.data,\n );\n\n if (zombie.isZombie) {\n zombies.push({\n package: node.name,\n version: node.version,\n severity: zombie.severity,\n reason: zombie.reason,\n lastActivity: zombie.lastActivity?.toISOString() ?? null,\n });\n }\n }\n\n if (zombies.length === 0) {\n return successResponse({\n message: 'No zombie dependencies detected.',\n zombies: [],\n });\n }\n\n return successResponse({\n message: `Found ${zombies.length} zombie dependency(ies).`,\n zombies,\n });\n}\n\nasync function handleSuggestMigration(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const suggestions = migrationAdvisor.suggest(packageName, 'manual query');\n\n if (suggestions.length === 0) {\n return successResponse({\n package: packageName,\n message: `No migration suggestions found for \"${packageName}\". ` +\n 'This package may not have known alternatives in our database.',\n suggestions: [],\n });\n }\n\n return successResponse({\n package: packageName,\n suggestions,\n });\n}\n\nasync function handleTyposquatCheck(args: Record<string, unknown> \| undefined) {\n const packageName = String(args?.package ?? '');\n if (!packageName) {\n return errorResponse('Missing required parameter: \"package\".');\n }\n\n const result = typosquatDetector.check(packageName);\n return successResponse({\n package: packageName,\n ...result,\n });\n}\n\nasync function handleCompare(args: Record<string, unknown> \| undefined) {\n const packageA = String(args?.packageA ?? '');\n const packageB = String(args?.packageB ?? '');\n\n if (!packageA \|\| !packageB) {\n return errorResponse('Missing required parameters: \"packageA\" and \"packageB\".');\n }\n\n const [reportA, reportB] = await Promise.all([\n buildTrustReport(packageA, 'latest'),\n buildTrustReport(packageB, 'latest'),\n ]);\n\n return successResponse({\n comparison: {\n packageA: reportA,\n packageB: reportB,\n winner:\n reportA.trustScore > reportB.trustScore\n ? packageA\n : reportA.trustScore < reportB.trustScore\n ? packageB\n : 'tie',\n scoreDifference: Math.abs(reportA.trustScore - reportB.trustScore),\n },\n });\n}\n\nasync function handleReport(args: Record<string, unknown> \| undefined) {\n const dir = resolve(String(args?.dir ?? process.cwd()));\n const output = args?.output ? resolve(String(args.output)) : null;\n\n const tree = await parseProject(dir);\n if (!tree) {\n return errorResponse(\n `No supported manifest file found in \"${dir}\".`,\n );\n }\n\n // Build import graph for blast radius\n const importGraph = await buildImportGraph(dir);\n\n // Collect trust reports for direct dependencies\n const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);\n const reports: TrustReport[] = [];\n\n for (const node of directNodes) {\n const blastRadius = getBlastRadius(node.name, importGraph);\n const report = await buildTrustReport(node.name, node.version, blastRadius);\n reports.push(report);\n }\n\n const overallScore =\n reports.length > 0\n ? Math.round(\n reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length,\n )\n : 0;\n\n const zombieCount = reports.filter((r) => r.isZombie).length;\n const criticalCount = reports.filter((r) => r.trustScore < 50).length;\n const summary =\n `Scanned ${reports.length} direct dependencies. ` +\n `Overall trust score: ${overallScore}/100. ` +\n `${zombieCount} zombie(s) detected. ` +\n `${criticalCount} package(s) below trust threshold.`;\n\n const scanResult: ScanResult = {\n tree,\n reports,\n overallScore,\n summary,\n };\n\n const jsonContent = jsonReporter.report(scanResult);\n\n if (output) {\n const { writeFile } = await import('node:fs/promises');\n await writeFile(output, jsonContent, 'utf-8');\n return successResponse({\n message: `Report written to ${output}`,\n path: output,\n });\n }\n\n return successResponse(jsonContent);\n}\n","import type { ScanResult } from \"../parsers/schema.js\";\n\n// ---------------------------------------------------------------------------\n// JsonReporter\n// ---------------------------------------------------------------------------\n\n/\n Serialize a ScanResult as formatted JSON.\n \n The output is a self-contained JSON string suitable for piping into jq,\n * saving to a file, or passing to downstream tooling.\n /\nexport class JsonReporter {\n /\n Convert the scan result into a pretty-printed JSON string.\n \n Map objects (e.g. DependencyTree.nodes) are converted to plain\n * objects so that they survive JSON serialization.\n /\n report(result: ScanResult): string {\n return JSON.stringify(this.toSerializable(result), null, 2);\n }\n\n // -------------------------------------------------------------------------\n // Internals\n // -------------------------------------------------------------------------\n\n /\n Walk the value recursively and convert Map instances into plain objects\n * so JSON.stringify can handle them.\n */\n private toSerializable(value: unknown): unknown {\n if (value === null \|\| value === undefined) {\n return value;\n }\n\n if (value instanceof Map) {\n const obj: Record<string, unknown> = {};\n for (const [k, v] of value.entries()) {\n obj[String(k)] = this.toSerializable(v);\n }\n return obj;\n }\n\n if (Array.isArray(value)) {\n return value.map((item) => this.toSerializable(item));\n }\n\n if (typeof value === \"object\") {\n const result: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value)) {\n result[k] = this.toSerializable(v);\n }\n return result;\n }\n\n return value;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AASA,SAAS,cAAc;AACvB,SAAS,4BAA4B;AACrC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,YAAY;;;ACI9B,SAAS,eAAe;AAExB;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACVA,IAAM,eAAN,MAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOxB,OAAO,QAA4B;AACjC,WAAO,KAAK,UAAU,KAAK,eAAe,MAAM,GAAG,MAAM,CAAC;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,eAAe,OAAyB;AAC9C,QAAI,UAAU,QAAQ,UAAU,QAAW;AACzC,aAAO;AAAA,IACT;AAEA,QAAI,iBAAiB,KAAK;AACxB,YAAM,MAA+B,CAAC;AACtC,iBAAW,CAAC,GAAG,CAAC,KAAK,MAAM,QAAQ,GAAG;AACpC,YAAI,OAAO,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC;AAAA,MACxC;AACA,aAAO;AAAA,IACT;AAEA,QAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,aAAO,MAAM,IAAI,CAAC,SAAS,KAAK,eAAe,IAAI,CAAC;AAAA,IACtD;AAEA,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,SAAkC,CAAC;AACzC,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAK,GAAG;AAC1C,eAAO,CAAC,IAAI,KAAK,eAAe,CAAC;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AACF;;;ADjBA,IAAM,QAAQ,IAAI,aAAa;AAC/B,IAAM,eAAe,IAAI,sBAAsB,OAAO;AAAA,EACpD,aAAa,QAAQ,IAAI;AAC3B,CAAC;AACD,IAAM,cAAc,IAAI,iBAAiB;AACzC,IAAM,iBAAiB,IAAI,eAAe;AAC1C,IAAM,kBAAkB,IAAI,sBAAsB;AAClD,IAAM,mBAAmB,IAAI,iBAAiB;AAC9C,IAAM,oBAAoB,IAAI,kBAAkB;AAChD,IAAM,eAAe,IAAI,aAAa;AACtC,IAAM,UAAU,CAAC,IAAI,UAAU,GAAG,IAAI,aAAa,CAAC;AAMpD,IAAM,QAAQ;AAAA,EACZ;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QAEJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAKF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,SAAS;AAAA,UACP,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,SAAS;AAAA,IACtB;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAIF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,UAAU;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,QACA,UAAU;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAAA,MACA,UAAU,CAAC,YAAY,UAAU;AAAA,IACnC;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aACE;AAAA,IAGF,aAAa;AAAA,MACX,MAAM;AAAA,MACN,YAAY;AAAA,QACV,KAAK;AAAA,UACH,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,QACA,QAAQ;AAAA,UACN,MAAM;AAAA,UACN,aACE;AAAA,QACJ;AAAA,MACF;AAAA,MACA,UAAU,CAAC;AAAA,IACb;AAAA,EACF;AACF;AAMO,SAAS,cAAcA,SAAsB;AAElD,EAAAA,QAAO,kBAAkB,wBAAwB,aAAa;AAAA,IAC5D,OAAO;AAAA,EACT,EAAE;AAGF,EAAAA,QAAO,kBAAkB,uBAAuB,OAAO,YAAY;AACjE,UAAM,EAAE,MAAM,WAAW,KAAK,IAAI,QAAQ;AAE1C,QAAI;AACF,cAAQ,MAAM;AAAA,QACZ,KAAK;AACH,iBAAO,MAAM,WAAW,IAAI;AAAA,QAC9B,KAAK;AACH,iBAAO,MAAM,iBAAiB,IAAI;AAAA,QACpC,KAAK;AACH,iBAAO,MAAM,kBAAkB,IAAI;AAAA,QACrC,KAAK;AACH,iBAAO,MAAM,cAAc,IAAI;AAAA,QACjC,KAAK;AACH,iBAAO,MAAM,uBAAuB,IAAI;AAAA,QAC1C,KAAK;AACH,iBAAO,MAAM,qBAAqB,IAAI;AAAA,QACxC,KAAK;AACH,iBAAO,MAAM,cAAc,IAAI;AAAA,QACjC,KAAK;AACH,iBAAO,MAAM,aAAa,IAAI;AAAA,QAChC;AACE,iBAAO,cAAc,iBAAiB,IAAI,EAAE;AAAA,MAChD;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,aAAO,cAAc,SAAS,IAAI,aAAa,OAAO,EAAE;AAAA,IAC1D;AAAA,EACF,CAAC;AACH;AAMA,SAAS,gBAAgB,MAAe;AACtC,QAAM,OAAO,OAAO,SAAS,WAAW,OAAO,KAAK,UAAU,MAAM,MAAM,CAAC;AAC3E,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAiB,KAAK,CAAC;AAAA,EAC3C;AACF;AAEA,SAAS,cAAc,SAAiB;AACtC,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,QAAQ,CAAC;AAAA,IAClD,SAAS;AAAA,EACX;AACF;AAMA,eAAe,aAAa,KAA6C;AACvE,aAAW,UAAU,SAAS;AAC5B,QAAI,MAAM,OAAO,OAAO,GAAG,GAAG;AAC5B,aAAO,OAAO,MAAM,GAAG;AAAA,IACzB;AAAA,EACF;AACA,SAAO;AACT;AAMA,eAAe,iBACb,aACA,SACA,cAAsB,GACA;AACtB,QAAM,UAAU,MAAM,aAAa,WAAW,aAAa,OAAO;AAClE,QAAM,cAAc,YAAY,UAAU,OAAO;AACjD,QAAM,SAAS,eAAe;AAAA,IAC5B,QAAQ,SAAS;AAAA,IACjB,QAAQ,OAAO;AAAA,EACjB;AACA,QAAM,YAAY,kBAAkB,MAAM,WAAW;AACrD,QAAM,eAAe,iBAAiB;AAAA,IACpC;AAAA,IACA,OAAO,WAAW,sBAAsB;AAAA,EAC1C;AAGA,QAAM,QAAQ,QAAQ,WAAW,MAAM,SAAS;AAEhD,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,YAAY,YAAY;AAAA,IACxB,SAAS,YAAY;AAAA,IACrB,UAAU,OAAO;AAAA,IACjB;AAAA,IACA,cAAc,aAAa,IAAI,CAAC,MAAM,EAAE,WAAW;AAAA,IACnD;AAAA,IACA,eAAe,UAAU,UAAU,IAAM;AAAA,EAC3C;AACF;AAMA,eAAe,WAAW,MAA2C;AACnE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AAEtD,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAE7C;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,iBAAiB,GAAG;AAG9C,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAAyB,CAAC;AAEhC,aAAW,QAAQ,aAAa;AAC9B,UAAM,cAAc,eAAe,KAAK,MAAM,WAAW;AACzD,UAAM,SAAS,MAAM,iBAAiB,KAAK,MAAM,KAAK,SAAS,WAAW;AAC1E,YAAQ,KAAK,MAAM;AAAA,EACrB;AAGA,QAAM,eACJ,QAAQ,SAAS,IACb,KAAK;AAAA,IACH,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,YAAY,CAAC,IAAI,QAAQ;AAAA,EAC9D,IACA;AAGN,QAAM,cAAc,QAAQ,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE;AACtD,QAAM,gBAAgB,QAAQ,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE;AAC/D,QAAM,UACJ,WAAW,QAAQ,MAAM,8CACD,YAAY,SACjC,WAAW,wBACX,aAAa;AAElB,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAGA,QAAM,aAAa,aAAa,OAAO,UAAU;AACjD,SAAO,gBAAgB,UAAU;AACnC;AAEA,eAAe,iBAAiB,MAA2C;AACzE,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,UAAU,OAAO,MAAM,WAAW,QAAQ;AAChD,QAAM,SAAS,MAAM,iBAAiB,aAAa,OAAO;AAC1D,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAe,kBAAkB,MAA2C;AAC1E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AACtD,QAAM,SAAS,MAAM,gBAAgB,UAAU,aAAa,GAAG;AAC/D,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAe,cAAc,MAA2C;AACtE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AAEtD,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAMD,CAAC;AAEN,aAAW,QAAQ,aAAa;AAC9B,UAAM,UAAU,MAAM,aAAa,WAAW,KAAK,MAAM,KAAK,OAAO;AACrE,UAAM,SAAS,eAAe;AAAA,MAC5B,QAAQ,SAAS;AAAA,MACjB,QAAQ,OAAO;AAAA,IACjB;AAEA,QAAI,OAAO,UAAU;AACnB,cAAQ,KAAK;AAAA,QACX,SAAS,KAAK;AAAA,QACd,SAAS,KAAK;AAAA,QACd,UAAU,OAAO;AAAA,QACjB,QAAQ,OAAO;AAAA,QACf,cAAc,OAAO,cAAc,YAAY,KAAK;AAAA,MACtD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,QAAQ,WAAW,GAAG;AACxB,WAAO,gBAAgB;AAAA,MACrB,SAAS;AAAA,MACT,SAAS,CAAC;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB;AAAA,IACrB,SAAS,SAAS,QAAQ,MAAM;AAAA,IAChC;AAAA,EACF,CAAC;AACH;AAEA,eAAe,uBAAuB,MAA2C;AAC/E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,cAAc,iBAAiB,QAAQ,aAAa,cAAc;AAExE,MAAI,YAAY,WAAW,GAAG;AAC5B,WAAO,gBAAgB;AAAA,MACrB,SAAS;AAAA,MACT,SAAS,uCAAuC,WAAW;AAAA,MAE3D,aAAa,CAAC;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB;AAAA,IACrB,SAAS;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAEA,eAAe,qBAAqB,MAA2C;AAC7E,QAAM,cAAc,OAAO,MAAM,WAAW,EAAE;AAC9C,MAAI,CAAC,aAAa;AAChB,WAAO,cAAc,wCAAwC;AAAA,EAC/D;AAEA,QAAM,SAAS,kBAAkB,MAAM,WAAW;AAClD,SAAO,gBAAgB;AAAA,IACrB,SAAS;AAAA,IACT,GAAG;AAAA,EACL,CAAC;AACH;AAEA,eAAe,cAAc,MAA2C;AACtE,QAAM,WAAW,OAAO,MAAM,YAAY,EAAE;AAC5C,QAAM,WAAW,OAAO,MAAM,YAAY,EAAE;AAE5C,MAAI,CAAC,YAAY,CAAC,UAAU;AAC1B,WAAO,cAAc,yDAAyD;AAAA,EAChF;AAEA,QAAM,CAAC,SAAS,OAAO,IAAI,MAAM,QAAQ,IAAI;AAAA,IAC3C,iBAAiB,UAAU,QAAQ;AAAA,IACnC,iBAAiB,UAAU,QAAQ;AAAA,EACrC,CAAC;AAED,SAAO,gBAAgB;AAAA,IACrB,YAAY;AAAA,MACV,UAAU;AAAA,MACV,UAAU;AAAA,MACV,QACE,QAAQ,aAAa,QAAQ,aACzB,WACA,QAAQ,aAAa,QAAQ,aAC3B,WACA;AAAA,MACR,iBAAiB,KAAK,IAAI,QAAQ,aAAa,QAAQ,UAAU;AAAA,IACnE;AAAA,EACF,CAAC;AACH;AAEA,eAAe,aAAa,MAA2C;AACrE,QAAM,MAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,IAAI,CAAC,CAAC;AACtD,QAAM,SAAS,MAAM,SAAS,QAAQ,OAAO,KAAK,MAAM,CAAC,IAAI;AAE7D,QAAM,OAAO,MAAM,aAAa,GAAG;AACnC,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL,wCAAwC,GAAG;AAAA,IAC7C;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,iBAAiB,GAAG;AAG9C,QAAM,cAAc,MAAM,KAAK,KAAK,MAAM,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAC5E,QAAM,UAAyB,CAAC;AAEhC,aAAW,QAAQ,aAAa;AAC9B,UAAM,cAAc,eAAe,KAAK,MAAM,WAAW;AACzD,UAAM,SAAS,MAAM,iBAAiB,KAAK,MAAM,KAAK,SAAS,WAAW;AAC1E,YAAQ,KAAK,MAAM;AAAA,EACrB;AAEA,QAAM,eACJ,QAAQ,SAAS,IACb,KAAK;AAAA,IACH,QAAQ,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,YAAY,CAAC,IAAI,QAAQ;AAAA,EAC9D,IACA;AAEN,QAAM,cAAc,QAAQ,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE;AACtD,QAAM,gBAAgB,QAAQ,OAAO,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE;AAC/D,QAAM,UACJ,WAAW,QAAQ,MAAM,8CACD,YAAY,SACjC,WAAW,wBACX,aAAa;AAElB,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,aAAa,OAAO,UAAU;AAElD,MAAI,QAAQ;AACV,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,aAAkB;AACrD,UAAM,UAAU,QAAQ,aAAa,OAAO;AAC5C,WAAO,gBAAgB;AAAA,MACrB,SAAS,qBAAqB,MAAM;AAAA,MACpC,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,SAAO,gBAAgB,WAAW;AACpC;;;AD/jBA,IAAMC,cAAa,cAAc,YAAY,GAAG;AAChD,IAAMC,aAAY,QAAQD,WAAU;AACpC,IAAM,UAAU,KAAKC,YAAW,MAAM,MAAM,cAAc;AAC1D,IAAM,cAAc,MAAM;AACxB,MAAI;AACF,WAAO,KAAK,MAAM,aAAa,SAAS,OAAO,CAAC,EAAE;AAAA,EACpD,QAAQ;AACN,WAAO;AAAA,EACT;AACF,GAAG;AAEH,IAAM,SAAS,IAAI;AAAA,EACjB,EAAE,MAAM,cAAc,SAAS,WAAW;AAAA,EAC1C,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,EAAE;AAChC;AAEA,cAAc,MAAM;AAEpB,IAAM,YAAY,IAAI,qBAAqB;AAC3C,MAAM,OAAO,QAAQ,SAAS;","names":["server","__filename","__dirname"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "name": "dep-oracle",
-  "version": "1.1.0",
+  "version": "1.1.1",
+  "mcpName": "io.github.ertugrulakben/dep-oracle",
   "description": "Predictive dependency security engine. Trust scores, zombie detection, blast radius analysis for your supply chain.",
   "type": "module",
   "bin": {