ferret-scan 2.1.2 → 2.3.0

package/dist/__tests__/webhooks.extra.test.js

@@ -0,0 +1,144 @@
+/**
+ * Additional Webhook Tests
+ * Covers sendWebhook with slack/discord/teams includeDetails formatting
+ */
+import { sendWebhook } from '../features/webhooks.js';
+function makeFinding(overrides = {}) {
+    return {
+        ruleId: 'INJ-001',
+        ruleName: 'Test Rule',
+        severity: 'HIGH',
+        category: 'injection',
+        file: '/test.md',
+        relativePath: 'test.md',
+        line: 5,
+        match: 'bad content',
+        context: [],
+        remediation: 'fix it',
+        timestamp: new Date(),
+        riskScore: 50,
+        ...overrides,
+    };
+}
+function makeScanResult(findings = [], overrides = {}) {
+    return {
+        success: true,
+        startTime: new Date(),
+        endTime: new Date(),
+        duration: 1000,
+        scannedPaths: ['/project'],
+        totalFiles: 5,
+        analyzedFiles: 4,
+        skippedFiles: 1,
+        findings,
+        findingsBySeverity: {
+            CRITICAL: findings.filter(f => f.severity === 'CRITICAL'),
+            HIGH: findings.filter(f => f.severity === 'HIGH'),
+            MEDIUM: findings.filter(f => f.severity === 'MEDIUM'),
+            LOW: findings.filter(f => f.severity === 'LOW'),
+            INFO: findings.filter(f => f.severity === 'INFO'),
+        },
+        findingsByCategory: {},
+        overallRiskScore: 50,
+        summary: {
+            critical: findings.filter(f => f.severity === 'CRITICAL').length,
+            high: findings.filter(f => f.severity === 'HIGH').length,
+            medium: findings.filter(f => f.severity === 'MEDIUM').length,
+            low: findings.filter(f => f.severity === 'LOW').length,
+            info: 0,
+            total: findings.length,
+        },
+        errors: [],
+        ...overrides,
+    };
+}
+describe('sendWebhook with includeDetails', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+        globalThis.fetch = jest.fn().mockResolvedValue({
+            ok: true,
+            status: 200,
+            text: () => Promise.resolve(''),
+        });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    it('sends slack with includeDetails and CRITICAL findings', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'CRITICAL' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).toHaveBeenCalled();
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body.attachments).toBeDefined();
+    });
+    it('sends discord with includeDetails', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'HIGH' })]), {
+            url: 'https://discord.com/api/webhooks/x/y',
+            type: 'discord',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body.embeds).toBeDefined();
+    });
+    it('sends teams with includeDetails', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'MEDIUM' })]), {
+            url: 'https://org.webhook.office.com/webhook',
+            type: 'teams',
+            includeDetails: true,
+        });
+        expect(result.success).toBe(true);
+        const body = JSON.parse(globalThis.fetch.mock.calls[0][1]?.body);
+        expect(body['@type']).toBe('MessageCard');
+    });
+    it('sends generic webhook without error', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding()]), {
+            url: 'https://custom-webhook.example.com/hook',
+            type: 'generic',
+            includeDetails: true,
+            headers: { 'X-Custom-Token': 'abc123' },
+        });
+        expect(result.success).toBe(true);
+        const [, options] = globalThis.fetch.mock.calls[0];
+        expect(options.headers['X-Custom-Token']).toBe('abc123');
+    });
+    it('sends with medium severity findings triggering yellow color', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'MEDIUM' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: false,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('sends with no findings (green color path)', async () => {
+        const result = await sendWebhook(makeScanResult([]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            includeDetails: false,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('respects custom timeout option', async () => {
+        const result = await sendWebhook(makeScanResult(), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            timeout: 5000,
+        });
+        expect(result.success).toBe(true);
+    });
+    it('skips sending when all findings are below minSeverity', async () => {
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'LOW' }), makeFinding({ severity: 'INFO' })]), {
+            url: 'https://hooks.slack.com/services/xxx',
+            type: 'slack',
+            minSeverity: 'HIGH',
+        });
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=webhooks.extra.test.js.map

package/dist/__tests__/webhooks.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Webhooks Tests
+ * Tests for detectWebhookType and sendWebhook (mocking fetch).
+ */
+export {};
+//# sourceMappingURL=webhooks.test.d.ts.map

package/dist/__tests__/webhooks.test.js

@@ -0,0 +1,154 @@
+/**
+ * Webhooks Tests
+ * Tests for detectWebhookType and sendWebhook (mocking fetch).
+ */
+import { detectWebhookType, sendWebhook, } from '../features/webhooks.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makeFinding(overrides = {}) {
+    return {
+        ruleId: 'INJ-001',
+        ruleName: 'Test Rule',
+        severity: 'HIGH',
+        category: 'injection',
+        file: '/test.md',
+        relativePath: 'test.md',
+        line: 5,
+        match: 'bad content',
+        context: [],
+        remediation: 'fix it',
+        timestamp: new Date(),
+        riskScore: 50,
+        ...overrides,
+    };
+}
+function makeScanResult(findings = []) {
+    return {
+        success: true,
+        startTime: new Date(),
+        endTime: new Date(),
+        duration: 1000,
+        scannedPaths: ['/project'],
+        totalFiles: 5,
+        analyzedFiles: 4,
+        skippedFiles: 1,
+        findings,
+        findingsBySeverity: {
+            CRITICAL: findings.filter(f => f.severity === 'CRITICAL'),
+            HIGH: findings.filter(f => f.severity === 'HIGH'),
+            MEDIUM: findings.filter(f => f.severity === 'MEDIUM'),
+            LOW: findings.filter(f => f.severity === 'LOW'),
+            INFO: findings.filter(f => f.severity === 'INFO'),
+        },
+        findingsByCategory: {},
+        overallRiskScore: 50,
+        summary: {
+            critical: 0,
+            high: findings.filter(f => f.severity === 'HIGH').length,
+            medium: 0, low: 0, info: 0,
+            total: findings.length,
+        },
+        errors: [],
+    };
+}
+function makeWebhookConfig(overrides = {}) {
+    return {
+        url: 'https://hooks.example.com/webhook',
+        type: 'generic',
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// detectWebhookType
+// ---------------------------------------------------------------------------
+describe('detectWebhookType', () => {
+    it('detects Slack URL', () => {
+        expect(detectWebhookType('https://hooks.slack.com/services/xxx')).toBe('slack');
+    });
+    it('detects Discord URL', () => {
+        expect(detectWebhookType('https://discord.com/api/webhooks/123/abc')).toBe('discord');
+    });
+    it('detects Teams from webhook.office.com', () => {
+        expect(detectWebhookType('https://myorg.webhook.office.com/webhookb2/xxx')).toBe('teams');
+    });
+    it('detects Teams from outlook.office.com', () => {
+        expect(detectWebhookType('https://myorg.outlook.office.com/webhook/xxx')).toBe('teams');
+    });
+    it('returns generic for unknown URLs', () => {
+        expect(detectWebhookType('https://my-custom-webhook.example.com/hook')).toBe('generic');
+    });
+    it('returns generic for empty string', () => {
+        expect(detectWebhookType('')).toBe('generic');
+    });
+});
+// ---------------------------------------------------------------------------
+// sendWebhook — with mocked fetch
+// ---------------------------------------------------------------------------
+describe('sendWebhook', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    function mockFetch(status, ok, body = '') {
+        globalThis.fetch = jest.fn().mockResolvedValue({
+            ok,
+            status,
+            text: () => Promise.resolve(body),
+        });
+    }
+    it('returns success when fetch succeeds with 200', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(true);
+        expect(result.statusCode).toBe(200);
+    });
+    it('returns failure when fetch returns non-ok status', async () => {
+        mockFetch(500, false, 'Internal Server Error');
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(false);
+        expect(result.statusCode).toBe(500);
+    });
+    it('returns failure when fetch throws', async () => {
+        globalThis.fetch = jest.fn().mockRejectedValue(new Error('network error'));
+        const result = await sendWebhook(makeScanResult(), makeWebhookConfig());
+        expect(result.success).toBe(false);
+        expect(result.error).toContain('network error');
+    });
+    it('sends to slack type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'slack', url: 'https://hooks.slack.com/services/xxx' }));
+        expect(result.success).toBe(true);
+    });
+    it('sends to discord type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'discord', url: 'https://discord.com/api/webhooks/x/y' }));
+        expect(result.success).toBe(true);
+    });
+    it('sends to teams type without error', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ type: 'teams', url: 'https://org.webhook.office.com/webhook' }));
+        expect(result.success).toBe(true);
+    });
+    it('skips when minSeverity not met and findings exist', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'LOW' })]), makeWebhookConfig({ minSeverity: 'HIGH' }));
+        // Should return success=true without sending
+        expect(result.success).toBe(true);
+    });
+    it('sends when minSeverity is met', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding({ severity: 'CRITICAL' })]), makeWebhookConfig({ minSeverity: 'HIGH' }));
+        expect(result.success).toBe(true);
+        expect(globalThis.fetch).toHaveBeenCalled();
+    });
+    it('includes details when includeDetails is true', async () => {
+        mockFetch(200, true);
+        const result = await sendWebhook(makeScanResult([makeFinding()]), makeWebhookConfig({ includeDetails: true }));
+        expect(result.success).toBe(true);
+    });
+});
+//# sourceMappingURL=webhooks.test.js.map

package/dist/analyzers/AstAnalyzer.d.ts

@@ -6,7 +6,11 @@ import type { SemanticFinding, DiscoveredFile, Rule } from '../types.js';
 /**
  * Analyze a single file for semantic patterns
  */
-export declare function analyzeFile(file: DiscoveredFile, content: string, rules: Rule[]): Promise<SemanticFinding[]>;
+export declare function analyzeFile(file: DiscoveredFile, content: string, rules: Rule[], opts?: {
+    maxMs?: number;
+    maxNodes?: number;
+    maxBlockMs?: number;
+}): Promise<SemanticFinding[]>;
 /**
  * Check if semantic analysis should be performed
  */

package/dist/analyzers/AstAnalyzer.js

@@ -133,11 +133,19 @@ function extractSemanticContext(tsLib, sourceFile) {
     return context;
 }
 /**
- * Find security patterns in AST
+ * Find security patterns in AST, with optional time and node-count guards.
  */
-function findSecurityPatterns(tsLib, sourceFile, patterns) {
+function findSecurityPatterns(tsLib, sourceFile, patterns, opts) {
     const matches = [];
+    let nodeCount = 0;
+    const deadline = opts?.deadline;
+    const maxNodes = opts?.maxNodes ?? 50_000;
     function visit(node) {
+        nodeCount++;
+        if (nodeCount > maxNodes)
+            return;
+        if (deadline !== undefined && Date.now() > deadline)
+            return;
         for (const pattern of patterns) {
             const match = matchSemanticPattern(tsLib, node, pattern, sourceFile);
             if (match) {
@@ -277,8 +285,11 @@ function createContextLines(sourceFile, node, contextLines = 3) {
 /**
  * Analyze a single file for semantic patterns
  */
-export async function analyzeFile(file, content, rules) {
+export async function analyzeFile(file, content, rules, opts) {
     const findings = [];
+    const maxMs = opts?.maxMs ?? 2000;
+    const maxNodes = opts?.maxNodes ?? 50_000;
+    const perBlockMs = Math.min(maxMs, opts?.maxBlockMs ?? 500);
     try {
         // Get rules with semantic patterns
         const semanticRules = rules.filter(rule => rule.semanticPatterns && rule.semanticPatterns.length > 0);
@@ -296,16 +307,26 @@ export async function analyzeFile(file, content, rules) {
             // Analyze the entire file for TypeScript/JavaScript files
             codeBlocksToAnalyze = [{ code: content, language: file.type, line: 1 }];
         }
+        const fileDeadline = Date.now() + maxMs;
         // Analyze each code block
         for (const codeBlock of codeBlocksToAnalyze) {
+            if (Date.now() > fileDeadline) {
+                logger.warn(`AST analysis file deadline (${maxMs}ms) reached for ${file.relativePath}; skipping remaining code blocks`);
+                break;
+            }
             try {
                 const sourceFile = createAST(tsLib, codeBlock.code, `${file.relativePath}_block_${codeBlock.line}.${codeBlock.language}`);
                 const semanticContext = extractSemanticContext(tsLib, sourceFile);
+                // Per-block deadline: min of (remaining file budget, per-block cap).
+                const blockDeadline = Math.min(fileDeadline, Date.now() + perBlockMs);
                 // Check each semantic rule
                 for (const rule of semanticRules) {
                     if (!rule.semanticPatterns)
                         continue;
-                    const patternMatches = findSecurityPatterns(tsLib, sourceFile, rule.semanticPatterns);
+                    const patternMatches = findSecurityPatterns(tsLib, sourceFile, rule.semanticPatterns, {
+                        deadline: blockDeadline,
+                        maxNodes,
+                    });
                     for (const match of patternMatches) {
                         const position = getPositionFromNode(match.node, sourceFile);
                         const astNodeInfo = createASTNodeInfo(tsLib, match.node, sourceFile);

package/dist/features/customRules.js

@@ -7,6 +7,7 @@ import { createHash } from 'node:crypto';
 import { resolve, extname } from 'node:path';
 import { parse as parseYaml } from 'yaml';
 import { z } from 'zod';
+import { compileSafePattern } from '../utils/safeRegex.js';
 import logger from '../utils/logger.js';
 /**
  * Schema for custom rule definition in YAML/JSON
@@ -139,14 +140,15 @@ function parseCustomRulesContent(content, sourceExt, sourceLabel) {
  * Convert custom rule definition to Rule object
  */
 function definitionToRule(def) {
-    // Compile regex patterns with error handling
+    // Compile regex patterns — reject unsafe patterns via compileSafePattern
     const patterns = [];
     for (const pattern of def.patterns) {
-        try {
-            patterns.push(new RegExp(pattern, 'gi'));
+        const compiled = compileSafePattern(pattern, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid regex pattern in rule ${def.id} (skipped): ${pattern}`);
         }
-        catch {
-            logger.warn(`Invalid regex pattern in rule ${def.id}: ${pattern}`);
+        else {
+            patterns.push(compiled);
         }
     }
     if (patterns.length === 0) {
@@ -154,33 +156,27 @@ function definitionToRule(def) {
     }
     // Compile exclude patterns
     const excludePatterns = def.excludePatterns?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid exclude pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid exclude pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     // Compile require context patterns
     const requireContext = def.requireContext?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid requireContext pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid requireContext pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     // Compile exclude context patterns
     const excludeContext = def.excludeContext?.map((p) => {
-        try {
-            return new RegExp(p, 'gi');
-        }
-        catch {
-            logger.warn(`Invalid excludeContext pattern in rule ${def.id}: ${p}`);
-            return null;
+        const compiled = compileSafePattern(p, 'gi');
+        if (compiled === null) {
+            logger.warn(`Unsafe or invalid excludeContext pattern in rule ${def.id} (skipped): ${p}`);
         }
+        return compiled;
     }).filter((p) => p !== null);
     const rule = {
         id: def.id,
@@ -458,14 +454,11 @@ export function validateCustomRulesFile(filePath) {
                 warnings,
             };
         }
-        // Validate regex patterns
+        // Validate regex patterns — also screen for ReDoS risks
         for (const rule of result.data.rules) {
             for (const pattern of rule.patterns) {
-                try {
-                    void new RegExp(pattern, 'gi');
-                }
-                catch {
-                    errors.push(`Rule ${rule.id}: Invalid regex pattern "${pattern}"`);
+                if (compileSafePattern(pattern, 'gi') === null) {
+                    errors.push(`Rule ${rule.id}: Unsafe or invalid regex pattern "${pattern}"`);
                 }
             }
         }

package/dist/features/ignoreComments.js

@@ -8,16 +8,16 @@ import logger from '../utils/logger.js';
  */
 const COMMENT_PATTERNS = {
     default: [
-        /\/\/\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
-        /\/\*\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^*]+))?\s*\*\//gi,
-        /#\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
+        /\/\/\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
+        /\/\*\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^*]+))?\s*\*\//gi,
+        /#\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
     ],
     html: [
         // Non-greedy capture so rule ids like "INJ-001" (with hyphens) work correctly.
-        /<!--\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+(.+?))?\s*-->/gi,
+        /<!--\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+(.+?))?\s*-->/gi,
     ],
     sql: [
-        /--\s*ferret-(ignore|disable|enable|ignore-line|ignore-next-line)(?:\s+([^\n]+))?/gi,
+        /--\s*ferret-(ignore-next-line|ignore-line|ignore|disable|enable)(?:\s+([^\n]+))?/gi,
     ],
 };
 /**

package/dist/features/mcpTrustScore.d.ts

@@ -0,0 +1,17 @@
+/**
+ * MCP Server Trust Scoring
+ * Evaluates the security posture of an MCP server configuration.
+ */
+export interface McpTrustResult {
+    score: number;
+    trustLevel: 'HIGH' | 'MEDIUM' | 'LOW' | 'CRITICAL';
+    flags: string[];
+}
+/**
+ * Score an MCP server configuration entry.
+ *
+ * @param serverConfig - A single MCP server config object (value from `mcpServers` map)
+ * @returns Trust score (0-100), trust level, and list of flags
+ */
+export declare function scoreMcpServer(serverConfig: unknown): McpTrustResult;
+//# sourceMappingURL=mcpTrustScore.d.ts.map

package/dist/features/mcpTrustScore.js

@@ -0,0 +1,74 @@
+/**
+ * MCP Server Trust Scoring
+ * Evaluates the security posture of an MCP server configuration.
+ */
+// Known suspicious package names / name fragments
+const SUSPICIOUS_NAMES = [
+    'shadow', 'stealer', 'exfil', 'beacon', 'c2-', '-c2',
+    'keylog', 'implant', 'dropper', 'exploit',
+];
+/**
+ * Score an MCP server configuration entry.
+ *
+ * @param serverConfig - A single MCP server config object (value from `mcpServers` map)
+ * @returns Trust score (0-100), trust level, and list of flags
+ */
+export function scoreMcpServer(serverConfig) {
+    const flags = [];
+    let score = 100;
+    if (typeof serverConfig !== 'object' || serverConfig === null) {
+        return { score: 0, trustLevel: 'CRITICAL', flags: ['Invalid config object'] };
+    }
+    const cfg = serverConfig;
+    // Insecure transport
+    const transport = cfg['transport'];
+    if (transport === 'http' || transport === 'sse') {
+        score -= 30;
+        flags.push(`Insecure transport: '${transport}' — prefer stdio or wss`);
+    }
+    // Plain HTTP URL
+    const url = typeof cfg['url'] === 'string' ? cfg['url'] : '';
+    if (url.startsWith('http://')) {
+        score -= 25;
+        flags.push('Plain HTTP URL — credentials and tool calls are transmitted in cleartext');
+    }
+    // Unpinned npx command
+    const command = typeof cfg['command'] === 'string' ? cfg['command'] : '';
+    if (command === 'npx' || command.endsWith('/npx')) {
+        const args = Array.isArray(cfg['args']) ? cfg['args'] : [];
+        const firstArg = args[0] ?? '';
+        if (firstArg && !firstArg.includes('@') && !firstArg.startsWith('-')) {
+            score -= 20;
+            flags.push(`Unpinned npx package '${firstArg}' — pin to a specific version to prevent rug pulls`);
+        }
+    }
+    // Dangerous flags in args
+    const args = Array.isArray(cfg['args']) ? cfg['args'] : [];
+    for (const arg of args) {
+        if (typeof arg === 'string' && (arg.includes('--allow-all') || arg.includes('--dangerously-skip'))) {
+            score -= 30;
+            flags.push(`Dangerous arg '${arg}' — bypasses MCP safety checks`);
+        }
+    }
+    // Suspicious name
+    const name = typeof cfg['name'] === 'string' ? cfg['name'].toLowerCase() : '';
+    const pkg = args.find(a => typeof a === 'string' && !a.startsWith('-')) ?? '';
+    const combined = `${name} ${pkg}`.toLowerCase();
+    for (const pattern of SUSPICIOUS_NAMES) {
+        if (combined.includes(pattern)) {
+            score -= 50;
+            flags.push(`Name matches suspicious pattern '${pattern}'`);
+            break;
+        }
+    }
+    const clampedScore = Math.max(0, Math.min(100, score));
+    return {
+        score: clampedScore,
+        trustLevel: clampedScore >= 80 ? 'HIGH'
+            : clampedScore >= 60 ? 'MEDIUM'
+                : clampedScore >= 40 ? 'LOW'
+                    : 'CRITICAL',
+        flags,
+    };
+}
+//# sourceMappingURL=mcpTrustScore.js.map

package/dist/features/mcpValidator.d.ts

@@ -3,6 +3,7 @@
  * Validates .mcp.json files for dangerous permissions, untrusted sources, etc.
  */
 import type { Finding, Severity } from '../types.js';
+import { type McpTrustResult } from './mcpTrustScore.js';
 /**
  * Risk assessment for MCP servers
  */
@@ -18,6 +19,7 @@ export interface McpRiskAssessment {
     capabilities: string[];
     command?: string | undefined;
     url?: string | undefined;
+    trustScore?: McpTrustResult | undefined;
 }
 /**
  * Validate MCP configuration JSON content

package/dist/features/mcpValidator.js

@@ -7,6 +7,7 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { resolve, basename } from 'node:path';
 import { z } from 'zod';
+import { scoreMcpServer } from './mcpTrustScore.js';
 /**
  * MCP Server configuration schema
  */
@@ -282,6 +283,18 @@ export function validateMcpConfigContent(content) {
         for (const [name, config] of Object.entries(servers)) {
             if (typeof config === 'object' && config !== null) {
                 const assessment = analyzeServer(name, config);
+                // Augment with trust score; surface CRITICAL/LOW trust as issues
+                assessment.trustScore = scoreMcpServer({ ...config, name });
+                if (assessment.trustScore.trustLevel === 'CRITICAL' || assessment.trustScore.trustLevel === 'LOW') {
+                    for (const flag of assessment.trustScore.flags) {
+                        assessment.issues.push({
+                            type: 'trust-score',
+                            severity: assessment.trustScore.trustLevel === 'CRITICAL' ? 'CRITICAL' : 'HIGH',
+                            description: `Trust score ${assessment.trustScore.score}/100: ${flag}`,
+                            remediation: 'Review MCP server configuration and address the flagged concern.',
+                        });
+                    }
+                }
                 assessments.push(assessment);
             }
         }