depwire-cli 0.9.25 → 0.9.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-ORGAO3HT.js → chunk-B2KGFBZL.js} +59 -1
- package/dist/{chunk-QHVWDUSX.js → chunk-YYY5TNG7.js} +1446 -1
- package/dist/index.js +220 -30
- package/dist/mcpb-entry.js +2 -2
- package/dist/sdk.d.ts +49 -1
- package/dist/sdk.js +3 -1
- package/package.json +1 -1
|
@@ -14,8 +14,9 @@ import {
|
|
|
14
14
|
loadMetadata,
|
|
15
15
|
parseProject,
|
|
16
16
|
parseTypeScriptFile,
|
|
17
|
+
scanSecurity,
|
|
17
18
|
searchSymbols
|
|
18
|
-
} from "./chunk-
|
|
19
|
+
} from "./chunk-YYY5TNG7.js";
|
|
19
20
|
|
|
20
21
|
// src/viz/data.ts
|
|
21
22
|
import { basename } from "path";
|
|
@@ -1127,6 +1128,50 @@ Always run this before any refactor that touches file structure.`,
|
|
|
1127
1128
|
},
|
|
1128
1129
|
required: ["operation", "target"]
|
|
1129
1130
|
}
|
|
1131
|
+
},
|
|
1132
|
+
{
|
|
1133
|
+
name: "security_scan",
|
|
1134
|
+
description: `Scan the codebase for security vulnerabilities using deterministic checks + graph-aware severity scoring. No API key required.
|
|
1135
|
+
|
|
1136
|
+
Checks: dependency CVEs, shell injection, hardcoded secrets, path traversal, auth bypass, input validation, information disclosure, cryptography weaknesses, frontend XSS, architecture-level risks.
|
|
1137
|
+
|
|
1138
|
+
Graph-aware severity: vulnerabilities reachable from MCP tools or HTTP routes are automatically elevated. A medium shell injection reachable from connect_repo becomes Critical.
|
|
1139
|
+
|
|
1140
|
+
Returns ranked findings (Critical \u2192 Low) with attack scenarios and suggested fixes. Use --target for single-file scan.`,
|
|
1141
|
+
inputSchema: {
|
|
1142
|
+
type: "object",
|
|
1143
|
+
properties: {
|
|
1144
|
+
target: {
|
|
1145
|
+
type: "string",
|
|
1146
|
+
description: "Relative file path to scan. Omit to scan entire repo."
|
|
1147
|
+
},
|
|
1148
|
+
classes: {
|
|
1149
|
+
type: "array",
|
|
1150
|
+
items: {
|
|
1151
|
+
type: "string",
|
|
1152
|
+
enum: [
|
|
1153
|
+
"dependency-cve",
|
|
1154
|
+
"shell-injection",
|
|
1155
|
+
"code-injection",
|
|
1156
|
+
"secrets",
|
|
1157
|
+
"path-traversal",
|
|
1158
|
+
"auth",
|
|
1159
|
+
"input-validation",
|
|
1160
|
+
"information-disclosure",
|
|
1161
|
+
"architecture",
|
|
1162
|
+
"cryptography",
|
|
1163
|
+
"supply-chain",
|
|
1164
|
+
"frontend-xss"
|
|
1165
|
+
]
|
|
1166
|
+
},
|
|
1167
|
+
description: "Vulnerability classes to check. Omit for all."
|
|
1168
|
+
},
|
|
1169
|
+
graphAware: {
|
|
1170
|
+
type: "boolean",
|
|
1171
|
+
description: "Enable graph-aware severity elevation (recommended). Default: true."
|
|
1172
|
+
}
|
|
1173
|
+
}
|
|
1174
|
+
}
|
|
1130
1175
|
}
|
|
1131
1176
|
];
|
|
1132
1177
|
}
|
|
@@ -1209,6 +1254,19 @@ async function handleToolCall(name, args, state) {
|
|
|
1209
1254
|
} else {
|
|
1210
1255
|
result = handleSimulateChange(args, state);
|
|
1211
1256
|
}
|
|
1257
|
+
} else if (name === "security_scan") {
|
|
1258
|
+
if (!isProjectLoaded(state)) {
|
|
1259
|
+
result = {
|
|
1260
|
+
error: "No project loaded",
|
|
1261
|
+
message: "Use connect_repo to connect to a codebase first"
|
|
1262
|
+
};
|
|
1263
|
+
} else {
|
|
1264
|
+
result = await scanSecurity(state.projectRoot, state.graph, {
|
|
1265
|
+
target: args.target,
|
|
1266
|
+
classes: args.classes,
|
|
1267
|
+
graphAware: args.graphAware !== false
|
|
1268
|
+
});
|
|
1269
|
+
}
|
|
1212
1270
|
} else {
|
|
1213
1271
|
if (!isProjectLoaded(state)) {
|
|
1214
1272
|
result = {
|