dravix-agent 0.1.0

package/dist/telemetry/uploader.js

@@ -0,0 +1,92 @@
+// HTTPS uploader with retry + exponential backoff.
+import { platform, arch } from "node:os";
+import { isTelemetryEnabled } from "./consent.js";
+import { getInstallationId } from "./installation.js";
+import { SCHEMA_VERSION } from "./types.js";
+const API_BASE = process.env.AEGIS_TELEMETRY_ENDPOINT ?? "https://aegis-api.fixme-now.com";
+const CLIENT_VERSION = process.env.AEGIS_CLIENT_VERSION ?? "0.2.0";
+const MAX_RETRIES = 3;
+export async function uploadBatch(findings, feedback, durations) {
+    if (!isTelemetryEnabled())
+        return { ok: false, reason: "disabled" };
+    if (findings.length === 0 && feedback.length === 0)
+        return { ok: true };
+    const body = {
+        schema_version: SCHEMA_VERSION,
+        installation_id: getInstallationId(),
+        client_version: CLIENT_VERSION,
+        platform: `${platform()}-${arch()}`,
+        sent_at: Date.now(),
+        findings,
+        ...(feedback.length > 0 ? { feedback } : {}),
+        stats: {
+            durations_ms: durations,
+            lang_counts: _count(findings, (f) => f.lang),
+            engine_counts: _count(findings, (f) => f.engine),
+            verdict_counts: _count(findings, (f) => f.verdict),
+        },
+    };
+    const json = JSON.stringify(body);
+    let attempt = 0;
+    let lastErr = "";
+    while (attempt < MAX_RETRIES) {
+        try {
+            const res = await fetch(`${API_BASE}/v1/findings`, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: json,
+            });
+            if (res.ok)
+                return { ok: true };
+            if (res.status === 429) {
+                const retry_after = Number(res.headers.get("retry-after") ?? "60");
+                await _sleep(retry_after * 1000);
+            }
+            else if (res.status >= 500) {
+                await _sleep(2 ** attempt * 1000);
+            }
+            else {
+                lastErr = `http ${res.status}`;
+                break;
+            }
+        }
+        catch (err) {
+            lastErr = err instanceof Error ? err.message : String(err);
+            await _sleep(2 ** attempt * 1000);
+        }
+        attempt++;
+    }
+    return { ok: false, reason: lastErr || "max_retries" };
+}
+function _count(xs, key) {
+    const r = {};
+    for (const x of xs)
+        r[key(x)] = (r[key(x)] ?? 0) + 1;
+    return r;
+}
+function _sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+export async function postOptOut(reason) {
+    try {
+        const res = await fetch(`${API_BASE}/v1/optout`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ installation_id: getInstallationId(), reason }),
+        });
+        return { ok: res.ok };
+    }
+    catch {
+        return { ok: false };
+    }
+}
+export async function deleteAllData() {
+    try {
+        const res = await fetch(`${API_BASE}/v1/installations/${getInstallationId()}`, { method: "DELETE" });
+        return { ok: res.ok };
+    }
+    catch {
+        return { ok: false };
+    }
+}
+//# sourceMappingURL=uploader.js.map

package/dist/telemetry/uploader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uploader.js","sourceRoot":"","sources":["../../src/telemetry/uploader.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAG5C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,iCAAiC,CAAC;AAC3F,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,OAAO,CAAC;AACnE,MAAM,WAAW,GAAG,CAAC,CAAC;AAEtB,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAA2B,EAC3B,QAA4B,EAC5B,SAAmB;IAEnB,IAAI,CAAC,kBAAkB,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACxE,MAAM,IAAI,GAAgB;QACxB,cAAc,EAAE,cAAc;QAC9B,eAAe,EAAE,iBAAiB,EAAE;QACpC,cAAc,EAAE,cAAc;QAC9B,QAAQ,EAAE,GAAG,QAAQ,EAAE,IAAI,IAAI,EAAE,EAAE;QACnC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE;QACnB,QAAQ;QACR,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,KAAK,EAAE;YACL,YAAY,EAAE,SAAS;YACvB,WAAW,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YAC5C,aAAa,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAChD,cAAc,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;SACnD;KACF,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,OAAO,OAAO,GAAG,WAAW,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,cAAc,EAAE;gBACjD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI;aACX,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,EAAE;gBAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;YAChC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC;gBACnE,MAAM,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBAC7B,MAAM,MAAM,CAAC,CAAC,IAAI,OAAO,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;gBAC/B,MAAM;YACR,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3D,MAAM,MAAM,CAAC,CAAC,IAAI,OAAO,GAAG,IAAI,CAAC,CAAC;QACpC,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,IAAI,aAAa,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,MAAM,CAAI,EAAO,EAAE,GAAqB;IAC/C,MAAM,CAAC,GAA2B,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,EAAE;QAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,MAAM,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAe;IAC9C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,YAAY,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,iBAAiB,EAAE,EAAE,MAAM,EAAE,CAAC;SACvE,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,QAAQ,qBAAqB,iBAAiB,EAAE,EAAE,EACrD,EAAE,MAAM,EAAE,QAAQ,EAAE,CACrB,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;AACH,CAAC"}

package/dist/util/logger.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Minimal structured logger.
+ *
+ * Writes JSON lines to stderr (so it does NOT interfere with MCP stdio on stdout).
+ * Level via `AEGIS_LOG_LEVEL` (debug|info|warn|error), default info.
+ */
+export type LogLevel = "debug" | "info" | "warn" | "error";
+export declare class Logger {
+    private readonly name;
+    constructor(name: string);
+    child(suffix: string): Logger;
+    private emit;
+    debug(msg: string, fields?: Record<string, unknown>): void;
+    info(msg: string, fields?: Record<string, unknown>): void;
+    warn(msg: string, fields?: Record<string, unknown>): void;
+    error(msg: string, fields?: Record<string, unknown>): void;
+}
+export declare function getLogger(name: string): Logger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/util/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/util/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAc3D,qBAAa,MAAM;IACL,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,MAAM;IAEzC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAI7B,OAAO,CAAC,IAAI;IAgBZ,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAI1D,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAIzD,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAIzD,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;CAG3D;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE9C"}

package/dist/util/logger.js

@@ -0,0 +1,58 @@
+/**
+ * Minimal structured logger.
+ *
+ * Writes JSON lines to stderr (so it does NOT interfere with MCP stdio on stdout).
+ * Level via `AEGIS_LOG_LEVEL` (debug|info|warn|error), default info.
+ */
+const LEVELS = {
+    debug: 10,
+    info: 20,
+    warn: 30,
+    error: 40,
+};
+function currentLevel() {
+    const env = (process.env.AEGIS_LOG_LEVEL ?? "info").toLowerCase();
+    return LEVELS[env] ?? LEVELS.info;
+}
+export class Logger {
+    name;
+    constructor(name) {
+        this.name = name;
+    }
+    child(suffix) {
+        return new Logger(`${this.name}.${suffix}`);
+    }
+    emit(level, msg, fields) {
+        if (LEVELS[level] < currentLevel())
+            return;
+        const line = {
+            ts: new Date().toISOString(),
+            level,
+            logger: this.name,
+            msg,
+            ...(fields ?? {}),
+        };
+        try {
+            process.stderr.write(JSON.stringify(line) + "\n");
+        }
+        catch {
+            // never let logging crash the gate
+        }
+    }
+    debug(msg, fields) {
+        this.emit("debug", msg, fields);
+    }
+    info(msg, fields) {
+        this.emit("info", msg, fields);
+    }
+    warn(msg, fields) {
+        this.emit("warn", msg, fields);
+    }
+    error(msg, fields) {
+        this.emit("error", msg, fields);
+    }
+}
+export function getLogger(name) {
+    return new Logger(name);
+}
+//# sourceMappingURL=logger.js.map

package/dist/util/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/util/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,GAA6B;IACvC,KAAK,EAAE,EAAE;IACT,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,EAAE;IACR,KAAK,EAAE,EAAE;CACV,CAAC;AAEF,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,CAAC,CAAC,WAAW,EAAc,CAAC;IAC9E,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,OAAO,MAAM;IACY;IAA7B,YAA6B,IAAY;QAAZ,SAAI,GAAJ,IAAI,CAAQ;IAAG,CAAC;IAE7C,KAAK,CAAC,MAAc;QAClB,OAAO,IAAI,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;IAEO,IAAI,CAAC,KAAe,EAAE,GAAW,EAAE,MAAgC;QACzE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,EAAE;YAAE,OAAO;QAC3C,MAAM,IAAI,GAAG;YACX,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,IAAI;YACjB,GAAG;YACH,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;SAClB,CAAC;QACF,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAW,EAAE,MAAgC;QACjD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,GAAW,EAAE,MAAgC;QAChD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,IAAI,CAAC,GAAW,EAAE,MAAgC;QAChD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,GAAW,EAAE,MAAgC;QACjD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC;CACF;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/util/safe-paths.d.ts

@@ -0,0 +1,8 @@
+export interface PathCheck {
+    ok: boolean;
+    reason?: "denied_system" | "denied_home_secret" | "outside_root" | "not_found" | "symlink_escape";
+    resolved?: string;
+}
+export declare function safeResolve(filePath: string, projectRoot?: string): PathCheck;
+export declare function isReadableFile(absPath: string): boolean;
+//# sourceMappingURL=safe-paths.d.ts.map

package/dist/util/safe-paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-paths.d.ts","sourceRoot":"","sources":["../../src/util/safe-paths.ts"],"names":[],"mappings":"AAwCA,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EAAE,eAAe,GAAG,oBAAoB,GAAG,cAAc,GAAG,WAAW,GAAG,gBAAgB,CAAC;IAClG,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAwD7E;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAOvD"}

package/dist/util/safe-paths.js

@@ -0,0 +1,102 @@
+/**
+ * Path safety — prevent the gate from being tricked into reading sensitive
+ * locations outside the project.
+ *
+ * Rules:
+ *  1. The path must resolve to an absolute file (no `..` after normalization
+ *     can escape the project root, if a root is provided).
+ *  2. The path must NOT be in the denylist of sensitive system locations.
+ *  3. Reparse-points / symlinks that point outside the root are rejected.
+ */
+import { realpathSync, statSync } from "node:fs";
+import { homedir, platform } from "node:os";
+import { resolve, sep } from "node:path";
+const DENY_PREFIXES_POSIX = [
+    "/etc",
+    "/root",
+    "/var/run",
+    "/proc",
+    "/sys",
+    "/private/etc",
+];
+const DENY_HOME_SUBDIRS = [
+    ".ssh",
+    ".aws",
+    ".gnupg",
+    ".kube",
+    ".docker",
+    ".npmrc",
+    ".pgpass",
+];
+const DENY_WIN_PREFIXES = [
+    "C:\\Windows",
+    "C:\\Program Files",
+    "C:\\Program Files (x86)",
+    "C:\\ProgramData",
+];
+export function safeResolve(filePath, projectRoot) {
+    let resolved;
+    try {
+        resolved = resolve(filePath);
+    }
+    catch {
+        return { ok: false, reason: "not_found" };
+    }
+    // existence + symlink check
+    let real;
+    try {
+        real = realpathSync(resolved);
+    }
+    catch {
+        // Path doesn't exist or we can't follow it — that's OK for some flows
+        // (the agent may be writing a NEW file), so fall back to resolved.
+        real = resolved;
+    }
+    // home-secret denylist
+    const home = homedir();
+    for (const sub of DENY_HOME_SUBDIRS) {
+        const denied = resolve(home, sub);
+        if (real === denied || real.startsWith(denied + sep)) {
+            return { ok: false, reason: "denied_home_secret", resolved: real };
+        }
+    }
+    // system denylist
+    if (platform() === "win32") {
+        for (const pfx of DENY_WIN_PREFIXES) {
+            if (real.toLowerCase().startsWith(pfx.toLowerCase() + sep) || real.toLowerCase() === pfx.toLowerCase()) {
+                return { ok: false, reason: "denied_system", resolved: real };
+            }
+        }
+    }
+    else {
+        for (const pfx of DENY_PREFIXES_POSIX) {
+            if (real === pfx || real.startsWith(pfx + sep)) {
+                return { ok: false, reason: "denied_system", resolved: real };
+            }
+        }
+    }
+    // root containment
+    if (projectRoot) {
+        let realRoot;
+        try {
+            realRoot = realpathSync(resolve(projectRoot));
+        }
+        catch {
+            realRoot = resolve(projectRoot);
+        }
+        if (real !== realRoot && !real.startsWith(realRoot + sep)) {
+            return { ok: false, reason: "outside_root", resolved: real };
+        }
+    }
+    return { ok: true, resolved: real };
+}
+export function isReadableFile(absPath) {
+    try {
+        const st = statSync(absPath);
+        return st.isFile();
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=safe-paths.js.map

package/dist/util/safe-paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-paths.js","sourceRoot":"","sources":["../../src/util/safe-paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,mBAAmB,GAA0B;IACjD,MAAM;IACN,OAAO;IACP,UAAU;IACV,OAAO;IACP,MAAM;IACN,cAAc;CACf,CAAC;AAEF,MAAM,iBAAiB,GAA0B;IAC/C,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IACP,SAAS;IACT,QAAQ;IACR,SAAS;CACV,CAAC;AAEF,MAAM,iBAAiB,GAA0B;IAC/C,aAAa;IACb,mBAAmB;IACnB,yBAAyB;IACzB,iBAAiB;CAClB,CAAC;AAQF,MAAM,UAAU,WAAW,CAAC,QAAgB,EAAE,WAAoB;IAChE,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED,4BAA4B;IAC5B,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,mEAAmE;QACnE,IAAI,GAAG,QAAQ,CAAC;IAClB,CAAC;IAED,uBAAuB;IACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IACvB,KAAK,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAClC,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QACrE,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;gBACvG,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,GAAG,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC7B,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/util/subprocess.d.ts

@@ -0,0 +1,32 @@
+export interface RunOptions {
+    /** Command-line args; NOT shell-interpreted. */
+    args: ReadonlyArray<string>;
+    /** Working directory. Defaults to `process.cwd()`. */
+    cwd?: string;
+    /** Hard kill after this many ms. Default 10_000. */
+    timeoutMs?: number;
+    /** Optional stdin payload. */
+    stdin?: string | Buffer;
+    /** Environment overrides — added ON TOP OF process.env. */
+    env?: Readonly<Record<string, string>>;
+    /** Cap on captured output, per stream (bytes). Default 5 MB. */
+    maxBufferBytes?: number;
+}
+export interface RunResult {
+    command: string;
+    args: ReadonlyArray<string>;
+    exitCode: number | null;
+    signal: NodeJS.Signals | null;
+    stdout: string;
+    stderr: string;
+    durationMs: number;
+    timedOut: boolean;
+}
+/**
+ * Spawn a command and resolve to a result. Never throws on non-zero exit;
+ * the caller inspects ``exitCode`` / ``timedOut``.
+ */
+export declare function run(command: string, opts: RunOptions): Promise<RunResult>;
+/** True if the binary is found on PATH and executable. */
+export declare function which(binary: string): Promise<string | null>;
+//# sourceMappingURL=subprocess.d.ts.map

package/dist/util/subprocess.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subprocess.d.ts","sourceRoot":"","sources":["../../src/util/subprocess.ts"],"names":[],"mappings":"AAeA,MAAM,WAAW,UAAU;IACzB,gDAAgD;IAChD,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5B,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,2DAA2D;IAC3D,GAAG,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACvC,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAKD;;;GAGG;AACH,wBAAsB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAqH/E;AAED,0DAA0D;AAC1D,wBAAsB,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAMlE"}

package/dist/util/subprocess.js

@@ -0,0 +1,137 @@
+/**
+ * Safe subprocess wrapper.
+ *
+ * - Hard timeout (kills the process tree, not just the parent).
+ * - Captures stdout/stderr separately.
+ * - No shell expansion (args go directly).
+ * - Returns a structured result; never throws on non-zero exit.
+ */
+import { spawn } from "node:child_process";
+import { setTimeout as delay } from "node:timers/promises";
+import { getLogger } from "./logger.js";
+const log = getLogger("aegis.subprocess");
+const DEFAULT_TIMEOUT_MS = 10_000;
+const DEFAULT_MAX_BYTES = 5 * 1024 * 1024;
+/**
+ * Spawn a command and resolve to a result. Never throws on non-zero exit;
+ * the caller inspects ``exitCode`` / ``timedOut``.
+ */
+export async function run(command, opts) {
+    const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const maxBytes = opts.maxBufferBytes ?? DEFAULT_MAX_BYTES;
+    const t0 = Date.now();
+    // Merge env: process.env first, opts.env wins.
+    const env = { ...process.env, ...(opts.env ?? {}) };
+    // Windows + Node 20+: spawning a .cmd / .bat directly throws EINVAL since
+    // CVE-2024-27980; the documented fix is `shell: true`. We bound the security
+    // impact by NEVER letting user-controlled strings reach this path — args
+    // here come from typed config / our own engines, not from agent payloads.
+    const isWindowsBatch = process.platform === "win32" && /\.(cmd|bat)$/i.test(command);
+    const child = spawn(command, [...opts.args], {
+        cwd: opts.cwd,
+        env,
+        stdio: ["pipe", "pipe", "pipe"],
+        windowsHide: true,
+        ...(isWindowsBatch ? { shell: true } : {}),
+    });
+    let stdout = "";
+    let stderr = "";
+    let stdoutBytes = 0;
+    let stderrBytes = 0;
+    let outTruncated = false;
+    let errTruncated = false;
+    child.stdout?.setEncoding("utf8");
+    child.stderr?.setEncoding("utf8");
+    child.stdout?.on("data", (chunk) => {
+        const n = Buffer.byteLength(chunk, "utf8");
+        if (stdoutBytes + n > maxBytes) {
+            if (!outTruncated) {
+                outTruncated = true;
+                log.warn("stdout truncated", { command, limit: maxBytes });
+            }
+            return;
+        }
+        stdoutBytes += n;
+        stdout += chunk;
+    });
+    child.stderr?.on("data", (chunk) => {
+        const n = Buffer.byteLength(chunk, "utf8");
+        if (stderrBytes + n > maxBytes) {
+            if (!errTruncated) {
+                errTruncated = true;
+                log.warn("stderr truncated", { command, limit: maxBytes });
+            }
+            return;
+        }
+        stderrBytes += n;
+        stderr += chunk;
+    });
+    if (opts.stdin !== undefined && child.stdin) {
+        try {
+            child.stdin.end(opts.stdin);
+        }
+        catch (e) {
+            log.debug("stdin write failed", { err: String(e) });
+        }
+    }
+    else {
+        try {
+            child.stdin?.end();
+        }
+        catch {
+            // ignore
+        }
+    }
+    let timedOut = false;
+    const timeoutHandle = setTimeout(() => {
+        timedOut = true;
+        try {
+            // SIGTERM first, then SIGKILL if it survives 1s
+            child.kill("SIGTERM");
+        }
+        catch {
+            // ignore
+        }
+        void delay(1000).then(() => {
+            if (child.exitCode === null && child.signalCode === null) {
+                try {
+                    child.kill("SIGKILL");
+                }
+                catch {
+                    // ignore
+                }
+            }
+        });
+    }, timeoutMs);
+    const { exitCode, signal } = await new Promise((resolve) => {
+        child.once("close", (code, sig) => {
+            clearTimeout(timeoutHandle);
+            resolve({ exitCode: code, signal: sig });
+        });
+        child.once("error", (err) => {
+            clearTimeout(timeoutHandle);
+            log.debug("spawn error", { command, err: String(err) });
+            resolve({ exitCode: null, signal: null });
+        });
+    });
+    return {
+        command,
+        args: opts.args,
+        exitCode,
+        signal,
+        stdout,
+        stderr,
+        durationMs: Date.now() - t0,
+        timedOut,
+    };
+}
+/** True if the binary is found on PATH and executable. */
+export async function which(binary) {
+    const cmd = process.platform === "win32" ? "where" : "which";
+    const r = await run(cmd, { args: [binary], timeoutMs: 2000 });
+    if (r.exitCode !== 0 || !r.stdout.trim())
+        return null;
+    // `where` may return multiple lines on Windows — take the first.
+    return r.stdout.split(/\r?\n/)[0].trim();
+}
+//# sourceMappingURL=subprocess.js.map

package/dist/util/subprocess.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subprocess.js","sourceRoot":"","sources":["../../src/util/subprocess.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,UAAU,IAAI,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,MAAM,GAAG,GAAG,SAAS,CAAC,kBAAkB,CAAC,CAAC;AA4B1C,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,iBAAiB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAE1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,GAAG,CAAC,OAAe,EAAE,IAAgB;IACzD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,IAAI,iBAAiB,CAAC;IAC1D,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEtB,+CAA+C;IAC/C,MAAM,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,CAAC;IAEpD,0EAA0E;IAC1E,6EAA6E;IAC7E,yEAAyE;IACzE,0EAA0E;IAC1E,MAAM,cAAc,GAClB,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEhE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE;QAC3C,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG;QACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;QAC/B,WAAW,EAAE,IAAI;QACjB,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3C,CAAC,CAAC;IAEH,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAClC,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAElC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3C,IAAI,WAAW,GAAG,CAAC,GAAG,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,YAAY,GAAG,IAAI,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,OAAO;QACT,CAAC;QACD,WAAW,IAAI,CAAC,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC;IAClB,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3C,IAAI,WAAW,GAAG,CAAC,GAAG,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,YAAY,GAAG,IAAI,CAAC;gBACpB,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,OAAO;QACT,CAAC;QACD,WAAW,IAAI,CAAC,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAC5C,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;QACpC,QAAQ,GAAG,IAAI,CAAC;QAChB,IAAI,CAAC;YACH,gDAAgD;YAChD,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACzB,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,IAAI,KAAK,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;gBACzD,IAAI,CAAC;oBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxB,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,EAAE,SAAS,CAAC,CAAC;IAEd,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,OAAO,CAG3C,CAAC,OAAO,EAAE,EAAE;QACb,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAChC,YAAY,CAAC,aAAa,CAAC,CAAC;YAC5B,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC1B,YAAY,CAAC,aAAa,CAAC,CAAC;YAC5B,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACxD,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,QAAQ;QACR,MAAM;QACN,MAAM;QACN,MAAM;QACN,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;QAC3B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,MAAc;IACxC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7D,MAAM,CAAC,GAAG,MAAM,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9D,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACtD,iEAAiE;IACjE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC;AAC5C,CAAC"}

package/package.json

@@ -0,0 +1,93 @@
+{
+  "name": "dravix-agent",
+  "version": "0.1.0",
+  "description": "Real-time code-quality gate for AI coding agents (Claude Code) — multi-engine SAST + LLM critic + cross-file taint, OSS, self-hosted.",
+  "license": "MIT",
+  "type": "module",
+  "engines": {
+    "node": ">=18.0.0 <25.0.0"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "aegis": "./dist/bin/aegis.js",
+    "dravix-agent": "./dist/bin/aegis.js"
+  },
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./mcp": {
+      "import": "./dist/mcp/server.js",
+      "types": "./dist/mcp/server.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json && node scripts/copy-assets.mjs",
+    "watch": "tsc -p tsconfig.json --watch",
+    "clean": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true})\"",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "mcp": "node ./dist/mcp/server.js",
+    "doctor": "node ./dist/bin/aegis.js doctor",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "claude-code",
+    "ai-agent",
+    "code-review",
+    "sast",
+    "security",
+    "static-analysis",
+    "llm-critic",
+    "joern",
+    "pysa",
+    "semgrep",
+    "vulnerability-scanner",
+    "ai-safety",
+    "code-gate"
+  ],
+  "author": "rotem1230",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/rotem1230/dravix-agent"
+  },
+  "homepage": "https://github.com/rotem1230/dravix-agent",
+  "bugs": {
+    "url": "https://github.com/rotem1230/dravix-agent/issues"
+  },
+  "dependencies": {
+    "@huggingface/transformers": "^3.7.6",
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "@sourcegraph/scip-python": "^0.6.6",
+    "@sourcegraph/scip-typescript": "^0.4.0",
+    "@typescript-eslint/eslint-plugin": "^8.21.0",
+    "@typescript-eslint/parser": "^8.21.0",
+    "eslint": "^9.18.0",
+    "hnswlib-node": "^3.0.0",
+    "lmdb": "^3.2.6",
+    "protobufjs": "^7.4.0",
+    "tree-sitter": "^0.22.4",
+    "tree-sitter-javascript": "^0.23.1",
+    "tree-sitter-python": "^0.23.6",
+    "tree-sitter-typescript": "^0.23.2",
+    "yaml": "^2.9.0",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.5",
+    "typescript": "^5.7.3",
+    "vitest": "^2.1.8"
+  },
+  "files": [
+    "dist",
+    "data",
+    "README.md",
+    "ARCHITECTURE.md",
+    "ROADMAP.md",
+    "LICENSE",
+    ".claude"
+  ]
+}