dravix-agent 0.1.0

package/dist/learning/suppressions.js

@@ -0,0 +1,179 @@
+/**
+ * Suppression learning — append-only per-project store of dismissed findings.
+ *
+ * Layout: ``<project_root>/.aegis/suppressions.jsonl`` — one JSON line per
+ * suppression event. We keep history (rather than overwriting) so the user
+ * can audit who-suppressed-what-and-when via simple text tools.
+ *
+ * Operations:
+ *   suppress(finding_id, reason, expires_at?)  → append an `add` entry
+ *   unsuppress(finding_id)                      → append a `remove` entry
+ *   list()                                      → fold the log into the
+ *                                                 currently-active set
+ *   isActive(finding_id)                        → fast check
+ *
+ * The log is folded each time `list()` is called; for the realtime gate
+ * we cache the active set in `_activeCache` keyed by project root +
+ * mtime. The cache invalidates as soon as the file changes.
+ *
+ * Expiry: an entry's ``expires_at`` is an ISO timestamp; when the wall
+ * clock passes it, the suppression is treated as removed automatically
+ * (no log rewrite needed). Useful for "snooze this finding for 7 days".
+ *
+ * What this is NOT (yet): an ML / pattern-based suppression learner.
+ * Phase 4 (out of V2-13 scope) will learn "the team always dismisses
+ * SECRET-AWS-X in test files" and auto-suppress. v1 is manual via the
+ * `aegis suppress` CLI.
+ */
+import { appendFileSync, existsSync, mkdirSync, readFileSync, statSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { z } from "zod";
+import { getLogger } from "../util/logger.js";
+const log = getLogger("aegis.suppressions");
+const FINDING_ID_RE = /^[0-9a-f]{16}$/;
+const MAX_REASON_CHARS = 500;
+// ── Schema ────────────────────────────────────────────────────────────────
+const SuppressionEntry = z.object({
+    op: z.enum(["add", "remove"]),
+    id: z.string().regex(FINDING_ID_RE),
+    ts: z.string(), // ISO 8601
+    reason: z.string().max(MAX_REASON_CHARS).optional(),
+    expires_at: z.string().optional(), // ISO 8601
+    who: z.string().max(120).optional(), // OS user, for audit
+});
+const _activeCache = new Map();
+// ── Paths ─────────────────────────────────────────────────────────────────
+export function suppressionsPath(projectRoot) {
+    return join(projectRoot, ".aegis", "suppressions.jsonl");
+}
+function ensureDir(p) {
+    const d = dirname(p);
+    if (!existsSync(d))
+        mkdirSync(d, { recursive: true });
+}
+/** Add an `add` event to the log. Idempotent — adding an already-active
+ * suppression is a no-op log entry (we still append for audit). */
+export function suppress(projectRoot, findingId, opts) {
+    if (!FINDING_ID_RE.test(findingId)) {
+        return { ok: false, reason: `invalid finding id (expected 16 hex chars): ${findingId}` };
+    }
+    const entry = {
+        op: "add",
+        id: findingId,
+        ts: new Date().toISOString(),
+        ...(opts?.reason ? { reason: opts.reason.slice(0, MAX_REASON_CHARS) } : {}),
+        ...(opts?.expiresAt ? { expires_at: opts.expiresAt } : {}),
+        ...(opts?.who ? { who: opts.who.slice(0, 120) } : {}),
+    };
+    return writeEntry(projectRoot, entry);
+}
+/** Add a `remove` event — the finding will be ALLOWED through again on
+ * the next gate run. */
+export function unsuppress(projectRoot, findingId, opts) {
+    if (!FINDING_ID_RE.test(findingId)) {
+        return { ok: false, reason: `invalid finding id: ${findingId}` };
+    }
+    const entry = {
+        op: "remove",
+        id: findingId,
+        ts: new Date().toISOString(),
+        ...(opts?.reason ? { reason: opts.reason.slice(0, MAX_REASON_CHARS) } : {}),
+        ...(opts?.who ? { who: opts.who.slice(0, 120) } : {}),
+    };
+    return writeEntry(projectRoot, entry);
+}
+function writeEntry(projectRoot, entry) {
+    const p = suppressionsPath(projectRoot);
+    ensureDir(p);
+    try {
+        appendFileSync(p, JSON.stringify(entry) + "\n", "utf8");
+        // Invalidate the cache for this project — next list() call re-reads.
+        _activeCache.delete(projectRoot);
+        return { ok: true, entry };
+    }
+    catch (err) {
+        return { ok: false, reason: `write failed: ${String(err)}` };
+    }
+}
+// ── Fold the log into the active set ─────────────────────────────────────
+/** Return the currently-active suppressions (folded from the append log,
+ * with expired entries dropped). O(1) hit on the per-project cache when
+ * the log mtime hasn't changed since the last call. */
+export function listActive(projectRoot) {
+    return [...activeMap(projectRoot).values()];
+}
+/** Fast O(1) check used by the orchestrator. Returns true iff the finding
+ * id is currently suppressed (added + not removed + not expired). */
+export function isSuppressed(projectRoot, findingId) {
+    return activeMap(projectRoot).has(findingId);
+}
+function activeMap(projectRoot) {
+    const p = suppressionsPath(projectRoot);
+    if (!existsSync(p)) {
+        _activeCache.delete(projectRoot);
+        return new Map();
+    }
+    let mtimeMs = 0;
+    try {
+        mtimeMs = statSync(p).mtimeMs;
+    }
+    catch {
+        return new Map();
+    }
+    const cached = _activeCache.get(projectRoot);
+    if (cached && cached.mtimeMs === mtimeMs) {
+        return cached.active;
+    }
+    // Re-fold the log.
+    const active = new Map();
+    let raw;
+    try {
+        raw = readFileSync(p, "utf8");
+    }
+    catch (err) {
+        log.warn("suppressions: read failed", { path: p, err: String(err) });
+        return new Map();
+    }
+    const now = Date.now();
+    for (const line of raw.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let parsed;
+        try {
+            const candidate = JSON.parse(trimmed);
+            const res = SuppressionEntry.safeParse(candidate);
+            if (!res.success)
+                continue;
+            parsed = res.data;
+        }
+        catch {
+            continue; // skip malformed lines silently
+        }
+        if (parsed.op === "remove") {
+            active.delete(parsed.id);
+            continue;
+        }
+        // op === "add"
+        if (parsed.expires_at) {
+            const exp = Date.parse(parsed.expires_at);
+            if (Number.isFinite(exp) && exp <= now)
+                continue; // already expired
+        }
+        active.set(parsed.id, {
+            id: parsed.id,
+            added_at: parsed.ts,
+            ...(parsed.reason ? { reason: parsed.reason } : {}),
+            ...(parsed.expires_at ? { expires_at: parsed.expires_at } : {}),
+            ...(parsed.who ? { who: parsed.who } : {}),
+        });
+    }
+    _activeCache.set(projectRoot, { mtimeMs, active });
+    return active;
+}
+/** Test-only — wipe the in-memory cache so a test can re-read after
+ * writing fresh entries. */
+export function _resetActiveCacheForTests() {
+    _activeCache.clear();
+}
+//# sourceMappingURL=suppressions.js.map

package/dist/learning/suppressions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suppressions.js","sourceRoot":"","sources":["../../src/learning/suppressions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C,MAAM,GAAG,GAAG,SAAS,CAAC,oBAAoB,CAAC,CAAC;AAE5C,MAAM,aAAa,GAAG,gBAAgB,CAAC;AACvC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAE7B,6EAA6E;AAE7E,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC7B,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC;IACnC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,WAAW;IAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IACnD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,WAAW;IAC9C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,qBAAqB;CAC3D,CAAC,CAAC;AAiBH,MAAM,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEnD,6EAA6E;AAE7E,MAAM,UAAU,gBAAgB,CAAC,WAAmB;IAClD,OAAO,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,oBAAoB,CAAC,CAAC;AAC3D,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,SAAS,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAUD;mEACmE;AACnE,MAAM,UAAU,QAAQ,CACtB,WAAmB,EACnB,SAAiB,EACjB,IAAsB;IAEtB,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,+CAA+C,SAAS,EAAE,EAAE,CAAC;IAC3F,CAAC;IACD,MAAM,KAAK,GAAqB;QAC9B,EAAE,EAAE,KAAK;QACT,EAAE,EAAE,SAAS;QACb,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;IACF,OAAO,UAAU,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;wBACwB;AACxB,MAAM,UAAU,UAAU,CACxB,WAAmB,EACnB,SAAiB,EACjB,IAAwC;IAExC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,SAAS,EAAE,EAAE,CAAC;IACnE,CAAC;IACD,MAAM,KAAK,GAAqB;QAC9B,EAAE,EAAE,QAAQ;QACZ,EAAE,EAAE,SAAS;QACb,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;IACF,OAAO,UAAU,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,UAAU,CACjB,WAAmB,EACnB,KAAuB;IAEvB,MAAM,CAAC,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACxC,SAAS,CAAC,CAAC,CAAC,CAAC;IACb,IAAI,CAAC;QACH,cAAc,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACxD,qEAAqE;QACrE,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;IAC/D,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E;;uDAEuD;AACvD,MAAM,UAAU,UAAU,CAAC,WAAmB;IAC5C,OAAO,CAAC,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;qEACqE;AACrE,MAAM,UAAU,YAAY,CAAC,WAAmB,EAAE,SAAiB;IACjE,OAAO,SAAS,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,SAAS,CAAC,WAAmB;IACpC,MAAM,CAAC,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;QACnB,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACjC,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,CAAC;QACH,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IACD,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QACzC,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,mBAAmB;IACnB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA6B,CAAC;IACpD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrE,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,MAAwB,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACtC,MAAM,GAAG,GAAG,gBAAgB,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,GAAG,CAAC,OAAO;gBAAE,SAAS;YAC3B,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,gCAAgC;QAC5C,CAAC;QACD,IAAI,MAAM,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC3B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACzB,SAAS;QACX,CAAC;QACD,eAAe;QACf,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC1C,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG;gBAAE,SAAS,CAAC,kBAAkB;QACtE,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE;YACpB,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3C,CAAC,CAAC;IACL,CAAC;IACD,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;4BAC4B;AAC5B,MAAM,UAAU,yBAAyB;IACvC,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC"}

package/dist/mcp/server.d.ts

@@ -0,0 +1,2 @@
+export declare function startServer(): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/mcp/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AA0FA,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CAyGjD"}

package/dist/mcp/server.js

@@ -0,0 +1,187 @@
+/**
+ * Aegis MCP server (stdio transport).
+ *
+ * Exposes four tools to the agent (Claude Code / Cursor / Codex / opencode):
+ *   - precheck_change : fast advisory before the write
+ *   - validate_edit   : authoritative gate after the write
+ *   - explain_risk    : look up a prior decision
+ *   - aegis_health    : warm state + cache hit/miss + availability snapshot
+ *
+ * The server WARMS at boot (Vul-RAG embed + engine availability probe +
+ * SCIP indexer + claude binary discovery) BEFORE announcing itself ready
+ * over stdio, so the very first tool call lands on hot caches.
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { precheckChangeInputSchema, runPrecheckChange } from "./tools/precheck.js";
+import { validateEditInputSchema, runValidateEdit } from "./tools/validate.js";
+import { explainRiskInputSchema, runExplainRisk } from "./tools/explain.js";
+import { warmAtBoot, warmMetrics, refreshAvailability } from "./warm.js";
+import { getLogger } from "../util/logger.js";
+const log = getLogger("aegis.mcp.server");
+const TOOLS = [
+    {
+        name: "precheck_change",
+        description: "Fast (<200 ms) advisory check for a proposed file write. Returns warn/allow; never blocks. Call from PreToolUse.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                file_path: { type: "string", description: "Absolute path of the file the agent is about to write." },
+                content: { type: "string", description: "Full proposed file content (UTF-8)." },
+                project_root: { type: "string", description: "Optional project root for path safety + caching." },
+            },
+            required: ["file_path", "content"],
+        },
+    },
+    {
+        name: "validate_edit",
+        description: "Authoritative validation of a file write. Runs all available engines (Semgrep, Pyright/tsc, ESLint, tree-sitter, secret-scan, Joern, Pysa) plus the LLM critic + property test in parallel + sequenced stages. Warm path: in-mem LRU + single-flight dedup. Returns verdict allow|warn|block and a remediation prompt the agent can act on.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                file_path: { type: "string", description: "Absolute path of the file (written or about to be written)." },
+                content: { type: "string", description: "Full file content (UTF-8)." },
+                project_root: { type: "string", description: "Optional project root." },
+            },
+            required: ["file_path", "content"],
+        },
+    },
+    {
+        name: "explain_risk",
+        description: "Retrieve prior gate decisions for a file or finding from the local audit log (.aegis/audit.jsonl).",
+        inputSchema: {
+            type: "object",
+            properties: {
+                finding_id: {
+                    type: "string",
+                    pattern: "^[0-9a-f]{16}$",
+                    description: "16-hex finding id from a prior validate_edit response.",
+                },
+                file: { type: "string", description: "Filter audit rows by file path (suffix match)." },
+                line: { type: "number", description: "Filter by line number." },
+                project_root: { type: "string", description: "Optional project root." },
+                limit: { type: "number", description: "Max audit rows returned (default 10)." },
+            },
+        },
+    },
+    {
+        name: "aegis_health",
+        description: "Return the server's warm state, in-mem cache stats, and engine availability snapshot. Optionally refresh availability (`refresh: true`) to re-probe engines installed mid-session.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                refresh: { type: "boolean", description: "Re-probe engine availability." },
+            },
+        },
+    },
+];
+export async function startServer() {
+    const tBoot0 = Date.now();
+    // Warm BEFORE we even create the server so a fast client probe lands
+    // on a hot pipeline. The MCP SDK doesn't expose a "wait for ready" hook
+    // pre-connect; doing it here is the closest equivalent.
+    let warmState = null;
+    try {
+        warmState = await warmAtBoot();
+    }
+    catch (err) {
+        log.warn("warm-at-boot failed; server starts cold", { err: String(err) });
+    }
+    const bootDurationMs = Date.now() - tBoot0;
+    log.info("server boot complete", {
+        bootDurationMs,
+        warmDurationMs: warmState?.durationMs,
+        vulRagEntries: warmState?.vulRagEntries,
+        engineAvailable: warmState?.engineAvailable,
+        claudeBin: warmState?.claudeBin ?? "not_found",
+    });
+    const server = new Server({ name: "aegis-v2", version: "0.2.0" }, { capabilities: { tools: {} } });
+    server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+    server.setRequestHandler(CallToolRequestSchema, async (req) => {
+        const { name, arguments: args } = req.params;
+        const t0 = Date.now();
+        try {
+            switch (name) {
+                case "precheck_change": {
+                    const input = precheckChangeInputSchema.parse(args ?? {});
+                    const out = await runPrecheckChange(input);
+                    log.debug("tool call ok", { name, ms: Date.now() - t0, verdict: out.verdict });
+                    return { content: [{ type: "text", text: JSON.stringify(out) }] };
+                }
+                case "validate_edit": {
+                    const input = validateEditInputSchema.parse(args ?? {});
+                    const out = await runValidateEdit(input);
+                    log.debug("tool call ok", { name, ms: Date.now() - t0, verdict: out.verdict });
+                    return { content: [{ type: "text", text: JSON.stringify(out) }] };
+                }
+                case "explain_risk": {
+                    const input = explainRiskInputSchema.parse(args ?? {});
+                    const out = runExplainRisk(input);
+                    return { content: [{ type: "text", text: JSON.stringify(out) }] };
+                }
+                case "aegis_health": {
+                    const refresh = args?.refresh === true;
+                    if (refresh)
+                        await refreshAvailability();
+                    const metrics = warmMetrics();
+                    return {
+                        content: [
+                            {
+                                type: "text",
+                                text: JSON.stringify({ boot_ms: bootDurationMs, ...metrics }),
+                            },
+                        ],
+                    };
+                }
+                default:
+                    return {
+                        isError: true,
+                        content: [{ type: "text", text: `unknown tool: ${name}` }],
+                    };
+            }
+        }
+        catch (err) {
+            log.error("tool call failed", { name, err: String(err) });
+            return {
+                isError: true,
+                content: [
+                    {
+                        type: "text",
+                        text: JSON.stringify({
+                            error: err instanceof Error ? err.message : String(err),
+                        }),
+                    },
+                ],
+            };
+        }
+    });
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    log.info("aegis MCP server ready (stdio)", { warmedMs: bootDurationMs });
+    // The stdio transport's stdin listener pins the event loop while the
+    // client keeps the connection open. We MUST NOT let the caller's
+    // top-level main() return immediately — that would trigger
+    // ``process.exit(0)`` and kill the long-running server. Block on a
+    // promise that only resolves when stdin closes (client disconnect or
+    // EOF) or the transport itself signals close.
+    await new Promise((resolve) => {
+        const done = () => {
+            resolve();
+        };
+        process.stdin.once("end", done);
+        process.stdin.once("close", done);
+        // The MCP SDK exposes ``onclose`` on the transport; wire it too in
+        // case the client cleanly disconnects without closing the pipe.
+        transport.onclose = done;
+    });
+    log.info("aegis MCP server stopped (stdin closed)");
+}
+// Top-level when invoked via `node ./dist/mcp/server.js`.
+if (import.meta.url === `file://${process.argv[1]}`) {
+    startServer().catch((err) => {
+        log.error("server crashed", { err: String(err) });
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=server.js.map

package/dist/mcp/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACnF,OAAO,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC/E,OAAO,EAAE,sBAAsB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACzE,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE9C,MAAM,GAAG,GAAG,SAAS,CAAC,kBAAkB,CAAC,CAAC;AAE1C,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,iBAAiB;QACvB,WAAW,EACT,kHAAkH;QACpH,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wDAAwD,EAAE;gBACpG,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,qCAAqC,EAAE;gBAC/E,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kDAAkD,EAAE;aAClG;YACD,QAAQ,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC;SACnC;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,WAAW,EACT,6UAA6U;QAC/U,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,SAAS,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,6DAA6D,EAAE;gBACzG,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,4BAA4B,EAAE;gBACtE,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE;aACxE;YACD,QAAQ,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC;SACnC;KACF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,WAAW,EACT,oGAAoG;QACtG,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,UAAU,EAAE;oBACV,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,gBAAgB;oBACzB,WAAW,EAAE,wDAAwD;iBACtE;gBACD,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,gDAAgD,EAAE;gBACvF,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE;gBAC/D,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE;gBACvE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,uCAAuC,EAAE;aAChF;SACF;KACF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,WAAW,EACT,oLAAoL;QACtL,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,+BAA+B,EAAE;aAC3E;SACF;KACF;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC1B,qEAAqE;IACrE,wEAAwE;IACxE,wDAAwD;IACxD,IAAI,SAAS,GAAkD,IAAI,CAAC;IACpE,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,UAAU,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IAC3C,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE;QAC/B,cAAc;QACd,cAAc,EAAE,SAAS,EAAE,UAAU;QACrC,aAAa,EAAE,SAAS,EAAE,aAAa;QACvC,eAAe,EAAE,SAAS,EAAE,eAAe;QAC3C,SAAS,EAAE,SAAS,EAAE,SAAS,IAAI,WAAW;KAC/C,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,EACtC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;IAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAEjF,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QAC5D,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC7C,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,QAAQ,IAAI,EAAE,CAAC;gBACb,KAAK,iBAAiB,CAAC,CAAC,CAAC;oBACvB,MAAM,KAAK,GAAG,yBAAyB,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;oBAC1D,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;oBAC3C,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC/E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBACpE,CAAC;gBACD,KAAK,eAAe,CAAC,CAAC,CAAC;oBACrB,MAAM,KAAK,GAAG,uBAAuB,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;oBACxD,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;oBACzC,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;oBAC/E,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBACpE,CAAC;gBACD,KAAK,cAAc,CAAC,CAAC,CAAC;oBACpB,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;oBACvD,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;oBAClC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBACpE,CAAC;gBACD,KAAK,cAAc,CAAC,CAAC,CAAC;oBACpB,MAAM,OAAO,GAAI,IAA0C,EAAE,OAAO,KAAK,IAAI,CAAC;oBAC9E,IAAI,OAAO;wBAAE,MAAM,mBAAmB,EAAE,CAAC;oBACzC,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC9B,OAAO;wBACL,OAAO,EAAE;4BACP;gCACE,IAAI,EAAE,MAAM;gCACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;6BAC9D;yBACF;qBACF,CAAC;gBACJ,CAAC;gBACD;oBACE,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;qBAC3D,CAAC;YACN,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;yBACxD,CAAC;qBACH;iBACF;aACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC,CAAC;IAEzE,qEAAqE;IACrE,iEAAiE;IACjE,2DAA2D;IAC3D,mEAAmE;IACnE,qEAAqE;IACrE,8CAA8C;IAC9C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,GAAS,EAAE;YACtB,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC;QACF,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAChC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAClC,mEAAmE;QACnE,gEAAgE;QAC/D,SAAiD,CAAC,OAAO,GAAG,IAAI,CAAC;IACpE,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;AACtD,CAAC;AAED,0DAA0D;AAC1D,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACpD,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1B,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/mcp/tools/explain.d.ts

@@ -0,0 +1,58 @@
+import { z } from "zod";
+export declare const explainRiskInputSchema: z.ZodEffects<z.ZodObject<{
+    finding_id: z.ZodOptional<z.ZodString>;
+    file: z.ZodOptional<z.ZodString>;
+    line: z.ZodOptional<z.ZodNumber>;
+    project_root: z.ZodOptional<z.ZodString>;
+    limit: z.ZodDefault<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    limit: number;
+    file?: string | undefined;
+    line?: number | undefined;
+    project_root?: string | undefined;
+    finding_id?: string | undefined;
+}, {
+    file?: string | undefined;
+    line?: number | undefined;
+    limit?: number | undefined;
+    project_root?: string | undefined;
+    finding_id?: string | undefined;
+}>, {
+    limit: number;
+    file?: string | undefined;
+    line?: number | undefined;
+    project_root?: string | undefined;
+    finding_id?: string | undefined;
+}, {
+    file?: string | undefined;
+    line?: number | undefined;
+    limit?: number | undefined;
+    project_root?: string | undefined;
+    finding_id?: string | undefined;
+}>;
+export type ExplainRiskInput = z.infer<typeof explainRiskInputSchema>;
+export interface AuditRow {
+    ts: string;
+    file: string;
+    lang: string;
+    action: "allow" | "warn" | "block";
+    duration_ms: number;
+    truncated: boolean;
+    n_findings: number;
+    n_block: number;
+    n_warn: number;
+    driving: {
+        engine: string;
+        rule_id: string;
+        severity: string;
+        confidence: number;
+        cwe?: string;
+    } | null;
+}
+export interface ExplainRiskOutput {
+    matches: AuditRow[];
+    total_scanned: number;
+    audit_path: string;
+}
+export declare function runExplainRisk(input: ExplainRiskInput): ExplainRiskOutput;
+//# sourceMappingURL=explain.d.ts.map

package/dist/mcp/tools/explain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../../src/mcp/tools/explain.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWhC,CAAC;AAEJ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EACH;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,GACvF,IAAI,CAAC;CACV;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,gBAAgB,GAAG,iBAAiB,CAmCzE"}

package/dist/mcp/tools/explain.js

@@ -0,0 +1,60 @@
+/**
+ * `explain_risk` — read-only retrieval against the local audit log.
+ *
+ * Looks up a finding by id (engine+file+line+rule sha) and returns the
+ * decision context that surrounded it. Useful for the agent to follow up
+ * ("why was this blocked?") or for a human to debug.
+ */
+import { readFileSync, existsSync } from "node:fs";
+import { resolve } from "node:path";
+import { z } from "zod";
+export const explainRiskInputSchema = z
+    .object({
+    finding_id: z.string().regex(/^[0-9a-f]{16}$/).optional(),
+    file: z.string().optional(),
+    line: z.number().int().positive().optional(),
+    project_root: z.string().optional(),
+    limit: z.number().int().positive().max(50).default(10),
+})
+    .refine((v) => v.finding_id !== undefined || v.file !== undefined, "either finding_id or file must be provided");
+export function runExplainRisk(input) {
+    const root = input.project_root ?? process.cwd();
+    const auditPath = resolve(root, ".aegis", "audit.jsonl");
+    if (!existsSync(auditPath)) {
+        return { matches: [], total_scanned: 0, audit_path: auditPath };
+    }
+    const text = readFileSync(auditPath, "utf8");
+    const lines = text.split(/\r?\n/).filter(Boolean);
+    const matches = [];
+    let scanned = 0;
+    // Read most-recent first.
+    for (let i = lines.length - 1; i >= 0; i--) {
+        scanned++;
+        let row;
+        try {
+            row = JSON.parse(lines[i]);
+        }
+        catch {
+            continue;
+        }
+        if (input.finding_id) {
+            // We don't index findings individually in audit.jsonl (we only log the
+            // driving one); approximate match against the driving finding's id-shape
+            // via engine+rule. The full per-finding index is Phase 1.
+            if (row.driving) {
+                const synthId = `${row.driving.engine}/${row.driving.rule_id}`;
+                if (synthId.includes(input.finding_id))
+                    matches.push(row);
+            }
+        }
+        else if (input.file) {
+            if (row.file === input.file || row.file.endsWith(input.file)) {
+                matches.push(row);
+            }
+        }
+        if (matches.length >= input.limit)
+            break;
+    }
+    return { matches, total_scanned: scanned, audit_path: auditPath };
+}
+//# sourceMappingURL=explain.js.map

package/dist/mcp/tools/explain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../../src/mcp/tools/explain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAQ,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,CAAC;IACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IACzD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC5C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACvD,CAAC;KACD,MAAM,CACL,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EACzD,4CAA4C,CAC7C,CAAC;AAyBJ,MAAM,UAAU,cAAc,CAAC,KAAuB;IACpD,MAAM,IAAI,GAAG,KAAK,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;IACzD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IAClE,CAAC;IACD,MAAM,IAAI,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,0BAA0B;IAC1B,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,OAAO,EAAE,CAAC;QACV,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAE,CAAa,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;YACrB,uEAAuE;YACvE,yEAAyE;YACzE,0DAA0D;YAC1D,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAC/D,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC;oBAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YACtB,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QACD,IAAI,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK;YAAE,MAAM;IAC3C,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACpE,CAAC"}

package/dist/mcp/tools/precheck.d.ts

@@ -0,0 +1,29 @@
+/**
+ * `precheck_change` — fast advisory (PreToolUse). Never blocks.
+ *
+ * Runs ONLY the cheap, in-process engines: tree-sitter parse + secret scan +
+ * ESLint (if installed and lang matches). No subprocess work — keep it ≤ 50 ms.
+ */
+import { z } from "zod";
+export declare const precheckChangeInputSchema: z.ZodObject<{
+    file_path: z.ZodString;
+    content: z.ZodString;
+    project_root: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    file_path: string;
+    content: string;
+    project_root?: string | undefined;
+}, {
+    file_path: string;
+    content: string;
+    project_root?: string | undefined;
+}>;
+export type PrecheckChangeInput = z.infer<typeof precheckChangeInputSchema>;
+export interface PrecheckChangeOutput {
+    verdict: "allow" | "warn";
+    summary: string;
+    duration_ms: number;
+    reasons: string[];
+}
+export declare function runPrecheckChange(input: PrecheckChangeInput): Promise<PrecheckChangeOutput>;
+//# sourceMappingURL=precheck.d.ts.map

package/dist/mcp/tools/precheck.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"precheck.d.ts","sourceRoot":"","sources":["../../../src/mcp/tools/precheck.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;EAIpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAKD,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAyBjG"}

package/dist/mcp/tools/precheck.js

@@ -0,0 +1,42 @@
+/**
+ * `precheck_change` — fast advisory (PreToolUse). Never blocks.
+ *
+ * Runs ONLY the cheap, in-process engines: tree-sitter parse + secret scan +
+ * ESLint (if installed and lang matches). No subprocess work — keep it ≤ 50 ms.
+ */
+import { z } from "zod";
+import { ENGINES } from "../../engines/registry.js";
+import { runGateFast } from "../warm.js";
+export const precheckChangeInputSchema = z.object({
+    file_path: z.string().min(1),
+    content: z.string(),
+    project_root: z.string().optional(),
+});
+// In-process engines only (no subprocess).
+const CHEAP_ENGINE_NAMES = new Set(["secret-scan", "treesitter", "eslint"]);
+export async function runPrecheckChange(input) {
+    const cheap = ENGINES.filter((e) => CHEAP_ENGINE_NAMES.has(e.name));
+    // Precheck deliberately bypasses the LRU (`noCache: true`) — it's
+    // advisory and the user expects "live" feedback even on unchanged
+    // content. The warm path still benefits from the availability override.
+    const { report } = await runGateFast({
+        filePath: input.file_path,
+        content: input.content,
+        ...(input.project_root !== undefined ? { projectRoot: input.project_root } : {}),
+        totalTimeoutMs: 200,
+        engines: cheap,
+        noCache: true,
+    });
+    // Precheck is advisory: even a block decision degrades to warn so the agent
+    // can choose. `validate_edit` is the authoritative blocker.
+    const verdict = report.decision.action === "allow" ? "allow" : "warn";
+    return {
+        verdict,
+        summary: report.decision.summary,
+        duration_ms: report.durationMs,
+        reasons: report.findings
+            .slice(0, 3)
+            .map((f) => `${f.engine}/${f.rule_id}: ${f.message.slice(0, 120)}`),
+    };
+}
+//# sourceMappingURL=precheck.js.map

package/dist/mcp/tools/precheck.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"precheck.js","sourceRoot":"","sources":["../../../src/mcp/tools/precheck.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACpC,CAAC,CAAC;AAWH,2CAA2C;AAC3C,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;AAE5E,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAA0B;IAChE,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACpE,kEAAkE;IAClE,kEAAkE;IAClE,wEAAwE;IACxE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC;QACnC,QAAQ,EAAE,KAAK,CAAC,SAAS;QACzB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,GAAG,CAAC,KAAK,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,cAAc,EAAE,GAAG;QACnB,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;IACH,4EAA4E;IAC5E,4DAA4D;IAC5D,MAAM,OAAO,GACX,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IACxD,OAAO;QACL,OAAO;QACP,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;QAChC,WAAW,EAAE,MAAM,CAAC,UAAU;QAC9B,OAAO,EAAE,MAAM,CAAC,QAAQ;aACrB,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;KACtE,CAAC;AACJ,CAAC"}