dep-oracle 1.2.0 → 1.2.1

package/dist/server-TKLM7YIF.js

@@ -0,0 +1,608 @@
+#!/usr/bin/env node
+import {
+  BlastRadiusCalculator,
+  CacheManager,
+  CollectorOrchestrator,
+  MigrationAdvisor,
+  NpmParser,
+  PythonParser,
+  TrustScoreEngine,
+  TyposquatDetector,
+  ZombieDetector
+} from "./chunk-VHQCTVCZ.js";
+
+// src/mcp/server.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join as join2 } from "path";
+
+// src/mcp/tools.ts
+import { resolve } from "path";
+import {
+  ListToolsRequestSchema,
+  CallToolRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+
+// src/utils/graph.ts
+import { readFile, readdir, stat } from "fs/promises";
+import { join, extname } from "path";
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".mts", ".cts"]);
+var IGNORED_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  "out",
+  ".next",
+  ".nuxt",
+  "coverage",
+  "__pycache__",
+  ".venv",
+  "venv"
+]);
+var IMPORT_PATTERNS = [
+  // ESM: import ... from "pkg"  /  export ... from "pkg"
+  /(?:import|export)\s+.*?\s+from\s+["']([^"']+)["']/g,
+  // ESM: import "pkg" (side-effect import)
+  /import\s+["']([^"']+)["']/g,
+  // CJS: require("pkg")
+  /require\s*\(\s*["']([^"']+)["']\s*\)/g,
+  // Dynamic: import("pkg")
+  /import\s*\(\s*["']([^"']+)["']\s*\)/g
+];
+function extractPackageName(specifier) {
+  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
+  if (specifier.startsWith("node:")) return null;
+  if (specifier.startsWith("@")) {
+    const parts = specifier.split("/");
+    if (parts.length < 2) return null;
+    return `${parts[0]}/${parts[1]}`;
+  }
+  return specifier.split("/")[0];
+}
+function extractImports(content) {
+  const packages = /* @__PURE__ */ new Set();
+  for (const pattern of IMPORT_PATTERNS) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const specifier = match[1];
+      const pkg = extractPackageName(specifier);
+      if (pkg) {
+        packages.add(pkg);
+      }
+    }
+  }
+  return packages;
+}
+async function collectSourceFiles(dir) {
+  const files = [];
+  let entries;
+  try {
+    entries = await readdir(dir);
+  } catch {
+    return files;
+  }
+  const tasks = [];
+  for (const entry of entries) {
+    if (IGNORED_DIRS.has(entry)) continue;
+    const fullPath = join(dir, entry);
+    tasks.push(
+      (async () => {
+        try {
+          const info = await stat(fullPath);
+          if (info.isDirectory()) {
+            const nested = await collectSourceFiles(fullPath);
+            files.push(...nested);
+          } else if (info.isFile() && SCANNABLE_EXTENSIONS.has(extname(entry))) {
+            files.push(fullPath);
+          }
+        } catch {
+        }
+      })()
+    );
+  }
+  await Promise.all(tasks);
+  return files;
+}
+async function buildImportGraph(dir) {
+  const graph = /* @__PURE__ */ new Map();
+  const sourceFiles = await collectSourceFiles(dir);
+  const results = await Promise.all(
+    sourceFiles.map(async (filePath) => {
+      try {
+        const content = await readFile(filePath, "utf-8");
+        const packages = extractImports(content);
+        return { filePath, packages };
+      } catch {
+        return { filePath, packages: /* @__PURE__ */ new Set() };
+      }
+    })
+  );
+  for (const { filePath, packages } of results) {
+    for (const pkg of packages) {
+      let fileSet = graph.get(pkg);
+      if (!fileSet) {
+        fileSet = /* @__PURE__ */ new Set();
+        graph.set(pkg, fileSet);
+      }
+      fileSet.add(filePath);
+    }
+  }
+  return graph;
+}
+function getBlastRadius(packageName, graph) {
+  const files = graph.get(packageName);
+  return files ? files.size : 0;
+}
+
+// src/reporters/json.ts
+var JsonReporter = class {
+  /**
+   * Convert the scan result into a pretty-printed JSON string.
+   *
+   * Map objects (e.g. DependencyTree.nodes) are converted to plain
+   * objects so that they survive JSON serialization.
+   */
+  report(result) {
+    return JSON.stringify(this.toSerializable(result), null, 2);
+  }
+  // -------------------------------------------------------------------------
+  // Internals
+  // -------------------------------------------------------------------------
+  /**
+   * Walk the value recursively and convert Map instances into plain objects
+   * so JSON.stringify can handle them.
+   */
+  toSerializable(value) {
+    if (value === null || value === void 0) {
+      return value;
+    }
+    if (value instanceof Map) {
+      const obj = {};
+      for (const [k, v] of value.entries()) {
+        obj[String(k)] = this.toSerializable(v);
+      }
+      return obj;
+    }
+    if (Array.isArray(value)) {
+      return value.map((item) => this.toSerializable(item));
+    }
+    if (typeof value === "object") {
+      const result = {};
+      for (const [k, v] of Object.entries(value)) {
+        result[k] = this.toSerializable(v);
+      }
+      return result;
+    }
+    return value;
+  }
+};
+
+// src/mcp/tools.ts
+var VALID_PACKAGE_NAME = /^(@[a-z0-9-~][a-z0-9._-~]*\/)?[a-z0-9-~][a-z0-9._-~]*$/i;
+function validateDir(input) {
+  const dir = resolve(String(input ?? process.cwd()));
+  const normalized = dir.replace(/\\/g, "/");
+  if (normalized.includes("/../") || normalized.endsWith("/..")) {
+    throw new Error("Path traversal not allowed");
+  }
+  return dir;
+}
+function validateOutputPath(output, baseDir) {
+  const resolved = resolve(output);
+  const base = resolve(baseDir);
+  if (!resolved.startsWith(base)) {
+    throw new Error("Output path must be within the project directory");
+  }
+  return resolved;
+}
+function validatePackageName(name) {
+  const trimmed = name.trim();
+  if (!trimmed) throw new Error("Package name is required");
+  if (trimmed.length > 214) throw new Error("Package name too long");
+  if (!VALID_PACKAGE_NAME.test(trimmed)) {
+    throw new Error(`Invalid package name: "${trimmed}"`);
+  }
+  return trimmed;
+}
+var cache = new CacheManager();
+var orchestrator = new CollectorOrchestrator(cache, {
+  githubToken: process.env.GITHUB_TOKEN
+});
+var trustEngine = new TrustScoreEngine();
+var zombieDetector = new ZombieDetector();
+var blastRadiusCalc = new BlastRadiusCalculator();
+var migrationAdvisor = new MigrationAdvisor();
+var typosquatDetector = new TyposquatDetector();
+var jsonReporter = new JsonReporter();
+var parsers = [new NpmParser(), new PythonParser()];
+var TOOLS = [
+  {
+    name: "dep_oracle_scan",
+    description: "Perform a full dependency security scan on a project directory. Parses the manifest (package.json, requirements.txt, etc.), collects data from registries and GitHub, computes trust scores for every dependency, detects zombies, typosquats, and calculates blast radius. Returns a complete ScanResult JSON with per-package trust reports and an overall project score.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        dir: {
+          type: "string",
+          description: "Absolute path to the project directory to scan. Defaults to the current working directory if omitted."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "dep_oracle_trust_score",
+    description: "Calculate the trust score for a single npm package. Queries the npm registry, GitHub, OSV vulnerability database, and other sources to produce a weighted score (0-100) across 6 dimensions: security, maintainer, activity, popularity, funding, and license. Returns a TrustReport JSON with the overall score, per-dimension metrics, zombie status, and alternative suggestions.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        package: {
+          type: "string",
+          description: 'npm package name (e.g. "express", "@scope/pkg").'
+        },
+        version: {
+          type: "string",
+          description: 'Specific version to analyze (e.g. "4.18.2"). If omitted, the latest version is used.'
+        }
+      },
+      required: ["package"]
+    }
+  },
+  {
+    name: "dep_oracle_blast_radius",
+    description: "Analyze the blast radius (import impact) of a package within a project. Scans all JS/TS source files to find how many files import the given package. Returns the count of affected files, their paths, and the percentage of the codebase impacted. Useful for understanding the risk if a dependency is compromised or needs replacement.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        package: {
+          type: "string",
+          description: "Package name to check import usage for."
+        },
+        dir: {
+          type: "string",
+          description: "Absolute path to the project directory. Defaults to cwd if omitted."
+        }
+      },
+      required: ["package"]
+    }
+  },
+  {
+    name: "dep_oracle_zombies",
+    description: "Detect zombie (abandoned/unmaintained) dependencies in a project. Parses the manifest, queries registry and GitHub for each dependency, and flags packages that show signs of abandonment: deprecated, no commits in 12+ months, no active maintainers, etc. Returns an array of zombie packages with severity levels and reasons.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        dir: {
+          type: "string",
+          description: "Absolute path to the project directory. Defaults to cwd if omitted."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "dep_oracle_suggest_migration",
+    description: "Get migration suggestions for a given package. Looks up the package in a curated knowledge base of common replacements and returns alternatives with descriptions and difficulty ratings. Useful for replacing deprecated, abandoned, or low-trust packages (e.g. moment -> dayjs, request -> got, lodash -> es-toolkit).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        package: {
+          type: "string",
+          description: "Package name to find migration alternatives for."
+        }
+      },
+      required: ["package"]
+    }
+  },
+  {
+    name: "dep_oracle_typosquat_check",
+    description: "Check whether a package name is a potential typosquat of a popular package. Uses Levenshtein distance, homoglyph detection, and pattern analysis to identify suspicious package names that closely resemble well-known packages. Returns a risk assessment with similar package names and the edit distance.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        package: {
+          type: "string",
+          description: "Package name to check for typosquatting risk."
+        }
+      },
+      required: ["package"]
+    }
+  },
+  {
+    name: "dep_oracle_compare",
+    description: "Compare two packages side-by-side by computing trust scores for both. Returns the full trust report for each package including scores, metrics, zombie status, and trend direction. Useful for evaluating alternatives or choosing between competing libraries.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        packageA: {
+          type: "string",
+          description: "First package name to compare."
+        },
+        packageB: {
+          type: "string",
+          description: "Second package name to compare."
+        }
+      },
+      required: ["packageA", "packageB"]
+    }
+  },
+  {
+    name: "dep_oracle_report",
+    description: "Generate a JSON report for a project. Runs a full scan and outputs the results as formatted JSON. Optionally writes the report to a file. Returns the JSON content or the path to the generated file.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        dir: {
+          type: "string",
+          description: "Absolute path to the project directory. Defaults to cwd if omitted."
+        },
+        output: {
+          type: "string",
+          description: "Absolute path to write the report file. If omitted, the report content is returned directly."
+        }
+      },
+      required: []
+    }
+  }
+];
+function registerTools(server2) {
+  server2.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: TOOLS
+  }));
+  server2.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    try {
+      switch (name) {
+        case "dep_oracle_scan":
+          return await handleScan(args);
+        case "dep_oracle_trust_score":
+          return await handleTrustScore(args);
+        case "dep_oracle_blast_radius":
+          return await handleBlastRadius(args);
+        case "dep_oracle_zombies":
+          return await handleZombies(args);
+        case "dep_oracle_suggest_migration":
+          return await handleSuggestMigration(args);
+        case "dep_oracle_typosquat_check":
+          return await handleTyposquatCheck(args);
+        case "dep_oracle_compare":
+          return await handleCompare(args);
+        case "dep_oracle_report":
+          return await handleReport(args);
+        default:
+          return errorResponse(`Unknown tool: ${name}`);
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return errorResponse(`Tool "${name}" failed: ${message}`);
+    }
+  });
+}
+function successResponse(data) {
+  const text = typeof data === "string" ? data : JSON.stringify(data, null, 2);
+  return {
+    content: [{ type: "text", text }]
+  };
+}
+function errorResponse(message) {
+  return {
+    content: [{ type: "text", text: message }],
+    isError: true
+  };
+}
+async function parseProject(dir) {
+  for (const parser of parsers) {
+    if (await parser.detect(dir)) {
+      return parser.parse(dir);
+    }
+  }
+  return null;
+}
+async function buildTrustReport(packageName, version, blastRadius = 0) {
+  const results = await orchestrator.collectAll(packageName, version);
+  const trustResult = trustEngine.calculate(results);
+  const zombie = zombieDetector.detect(
+    results.registry.data,
+    results.github.data
+  );
+  const typosquat = typosquatDetector.check(packageName);
+  const alternatives = migrationAdvisor.suggest(
+    packageName,
+    zombie.isZombie ? "zombie dependency" : "low trust score"
+  );
+  const trend = results.popularity.data?.trend ?? "stable";
+  return {
+    package: packageName,
+    version,
+    trustScore: trustResult.trustScore,
+    metrics: trustResult.metrics,
+    isZombie: zombie.isZombie,
+    blastRadius,
+    alternatives: alternatives.map((a) => a.alternative),
+    trend,
+    typosquatRisk: typosquat.isRisky ? 1 : 0
+  };
+}
+async function handleScan(args) {
+  const dir = validateDir(args?.dir);
+  const tree = await parseProject(dir);
+  if (!tree) {
+    return errorResponse(
+      `No supported manifest file found in "${dir}". Supported: package.json, requirements.txt, pyproject.toml, Pipfile.`
+    );
+  }
+  const importGraph = await buildImportGraph(dir);
+  const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);
+  const reports = [];
+  for (const node of directNodes) {
+    const blastRadius = getBlastRadius(node.name, importGraph);
+    const report = await buildTrustReport(node.name, node.version, blastRadius);
+    reports.push(report);
+  }
+  const overallScore = reports.length > 0 ? Math.round(
+    reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length
+  ) : 0;
+  const zombieCount = reports.filter((r) => r.isZombie).length;
+  const criticalCount = reports.filter((r) => r.trustScore < 50).length;
+  const summary = `Scanned ${reports.length} direct dependencies. Overall trust score: ${overallScore}/100. ${zombieCount} zombie(s) detected. ${criticalCount} package(s) below trust threshold.`;
+  const scanResult = {
+    tree,
+    reports,
+    overallScore,
+    summary
+  };
+  const serialized = jsonReporter.report(scanResult);
+  return successResponse(serialized);
+}
+async function handleTrustScore(args) {
+  const packageName = validatePackageName(String(args?.package ?? ""));
+  const version = String(args?.version ?? "latest");
+  const report = await buildTrustReport(packageName, version);
+  return successResponse(report);
+}
+async function handleBlastRadius(args) {
+  const packageName = validatePackageName(String(args?.package ?? ""));
+  const dir = validateDir(args?.dir);
+  const result = await blastRadiusCalc.calculate(packageName, dir);
+  return successResponse(result);
+}
+async function handleZombies(args) {
+  const dir = validateDir(args?.dir);
+  const tree = await parseProject(dir);
+  if (!tree) {
+    return errorResponse(
+      `No supported manifest file found in "${dir}".`
+    );
+  }
+  const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);
+  const zombies = [];
+  for (const node of directNodes) {
+    const results = await orchestrator.collectAll(node.name, node.version);
+    const zombie = zombieDetector.detect(
+      results.registry.data,
+      results.github.data
+    );
+    if (zombie.isZombie) {
+      zombies.push({
+        package: node.name,
+        version: node.version,
+        severity: zombie.severity,
+        reason: zombie.reason,
+        lastActivity: zombie.lastActivity?.toISOString() ?? null
+      });
+    }
+  }
+  if (zombies.length === 0) {
+    return successResponse({
+      message: "No zombie dependencies detected.",
+      zombies: []
+    });
+  }
+  return successResponse({
+    message: `Found ${zombies.length} zombie dependency(ies).`,
+    zombies
+  });
+}
+async function handleSuggestMigration(args) {
+  const packageName = validatePackageName(String(args?.package ?? ""));
+  const suggestions = migrationAdvisor.suggest(packageName, "manual query");
+  if (suggestions.length === 0) {
+    return successResponse({
+      package: packageName,
+      message: `No migration suggestions found for "${packageName}". This package may not have known alternatives in our database.`,
+      suggestions: []
+    });
+  }
+  return successResponse({
+    package: packageName,
+    suggestions
+  });
+}
+async function handleTyposquatCheck(args) {
+  const packageName = validatePackageName(String(args?.package ?? ""));
+  const result = typosquatDetector.check(packageName);
+  return successResponse({
+    package: packageName,
+    ...result
+  });
+}
+async function handleCompare(args) {
+  const packageA = validatePackageName(String(args?.packageA ?? ""));
+  const packageB = validatePackageName(String(args?.packageB ?? ""));
+  const [reportA, reportB] = await Promise.all([
+    buildTrustReport(packageA, "latest"),
+    buildTrustReport(packageB, "latest")
+  ]);
+  return successResponse({
+    comparison: {
+      packageA: reportA,
+      packageB: reportB,
+      winner: reportA.trustScore > reportB.trustScore ? packageA : reportA.trustScore < reportB.trustScore ? packageB : "tie",
+      scoreDifference: Math.abs(reportA.trustScore - reportB.trustScore)
+    }
+  });
+}
+async function handleReport(args) {
+  const dir = validateDir(args?.dir);
+  const output = args?.output ? validateOutputPath(String(args.output), dir) : null;
+  const tree = await parseProject(dir);
+  if (!tree) {
+    return errorResponse(
+      `No supported manifest file found in "${dir}".`
+    );
+  }
+  const importGraph = await buildImportGraph(dir);
+  const directNodes = Array.from(tree.nodes.values()).filter((n) => n.isDirect);
+  const reports = [];
+  for (const node of directNodes) {
+    const blastRadius = getBlastRadius(node.name, importGraph);
+    const report = await buildTrustReport(node.name, node.version, blastRadius);
+    reports.push(report);
+  }
+  const overallScore = reports.length > 0 ? Math.round(
+    reports.reduce((sum, r) => sum + r.trustScore, 0) / reports.length
+  ) : 0;
+  const zombieCount = reports.filter((r) => r.isZombie).length;
+  const criticalCount = reports.filter((r) => r.trustScore < 50).length;
+  const summary = `Scanned ${reports.length} direct dependencies. Overall trust score: ${overallScore}/100. ${zombieCount} zombie(s) detected. ${criticalCount} package(s) below trust threshold.`;
+  const scanResult = {
+    tree,
+    reports,
+    overallScore,
+    summary
+  };
+  const jsonContent = jsonReporter.report(scanResult);
+  if (output) {
+    const { writeFile } = await import("fs/promises");
+    await writeFile(output, jsonContent, "utf-8");
+    return successResponse({
+      message: `Report written to ${output}`,
+      path: output
+    });
+  }
+  return successResponse(jsonContent);
+}
+
+// src/mcp/server.ts
+var __filename2 = fileURLToPath(import.meta.url);
+var __dirname2 = dirname(__filename2);
+var pkgPath = join2(__dirname2, "..", "..", "package.json");
+var pkgVersion = (() => {
+  try {
+    return JSON.parse(readFileSync(pkgPath, "utf-8")).version;
+  } catch {
+    return "1.2.1";
+  }
+})();
+var server = new Server(
+  { name: "dep-oracle", version: pkgVersion },
+  { capabilities: { tools: {} } }
+);
+registerTools(server);
+var transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=server-TKLM7YIF.js.map