hound-mcp 0.1.0

package/dist/index.js

@@ -0,0 +1,928 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/server.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// src/prompts/index.ts
+import { z } from "zod/v4";
+function registerPrompts(server) {
+  server.registerPrompt(
+    "security_audit",
+    {
+      description: "Run a full security audit on the current project's dependencies. Scans for vulnerabilities, license issues, and typosquat risks across your entire dependency tree.",
+      argsSchema: {
+        ecosystem: z.string().optional().describe("Package ecosystem (npm, pypi, cargo, etc). Auto-detected if omitted.")
+      }
+    },
+    ({ ecosystem }) => {
+      const ecoNote = ecosystem ? ` The project uses ${ecosystem}.` : "";
+      return {
+        messages: [
+          {
+            role: "user",
+            content: {
+              type: "text",
+              text: `Please run a comprehensive security audit on this project's dependencies.${ecoNote}
+
+Follow these steps:
+1. Use \`hound_popular\` to check the most commonly used packages in this ecosystem for known vulnerabilities \u2014 this gives a quick baseline.
+2. For any specific packages you can identify in the project, use \`hound_vulns\` to check each one for CVEs and advisories.
+3. Use \`hound_inspect\` on the 3-5 most critical dependencies to check their licenses, OpenSSF Scorecard, and GitHub health.
+4. For any package names that look unusual or unfamiliar, use \`hound_typosquat\` to check for potential typosquatting.
+5. If any vulnerabilities are found, use \`hound_advisories\` to get full details and fix guidance.
+
+Summarize findings as:
+- **Critical / High** vulnerabilities that need immediate attention
+- **License risks** (copyleft licenses, unknown licenses)
+- **Health concerns** (abandoned packages, low Scorecard scores)
+- **Recommended actions** with specific version upgrades where available`
+            }
+          }
+        ]
+      };
+    }
+  );
+  server.registerPrompt(
+    "package_evaluation",
+    {
+      description: "Evaluate a package before adding it as a dependency. Returns a go/no-go recommendation with security, license, and health analysis.",
+      argsSchema: {
+        package: z.string().describe("Package name to evaluate (e.g. express, requests, serde)"),
+        version: z.string().optional().describe("Specific version to evaluate. Uses latest stable if omitted."),
+        ecosystem: z.string().optional().describe("Package ecosystem. Defaults to npm if omitted.")
+      }
+    },
+    ({ package: pkg, version, ecosystem }) => {
+      const eco = ecosystem ?? "npm";
+      const versionNote = version ? `version ${version} of ` : "";
+      return {
+        messages: [
+          {
+            role: "user",
+            content: {
+              type: "text",
+              text: `I'm considering adding ${versionNote}\`${pkg}\` (${eco}) as a dependency. Please evaluate it thoroughly.
+
+Steps:
+1. Use \`hound_inspect\` on \`${pkg}\`${version ? `@${version}` : ""} (ecosystem: ${eco}) to get the full health profile \u2014 licenses, vulnerabilities, OpenSSF Scorecard, GitHub stats.
+2. Use \`hound_vulns\` to get the full vulnerability list with fix versions.
+3. Use \`hound_typosquat\` to confirm this is the legitimate package and not a typosquat.
+4. Use \`hound_tree\` to check the transitive dependency count \u2014 packages with hundreds of transitive deps carry more supply chain risk.
+5. If any advisories are listed, use \`hound_advisories\` to get the details.
+
+Give me a clear **GO / NO-GO / CONDITIONAL** recommendation with reasoning. If conditional, state exactly what version or conditions would make it acceptable.`
+            }
+          }
+        ]
+      };
+    }
+  );
+  server.registerPrompt(
+    "pre_release_check",
+    {
+      description: "Run a pre-release dependency scan before shipping. Checks for vulnerabilities and license issues that could block a release.",
+      argsSchema: {
+        version: z.string().optional().describe("The version you are about to release, e.g. 1.2.0")
+      }
+    },
+    ({ version }) => {
+      const versionNote = version ? ` (version ${version})` : "";
+      return {
+        messages: [
+          {
+            role: "user",
+            content: {
+              type: "text",
+              text: `I'm about to release this project${versionNote}. Run a pre-release dependency check.
+
+Steps:
+1. Use \`hound_popular\` to scan all key packages in this project's ecosystem for known vulnerabilities.
+2. For any packages identified as critical to this project, use \`hound_vulns\` to check for vulnerabilities.
+3. Use \`hound_inspect\` on the top 5 dependencies by importance to verify licenses are compatible and no advisories are outstanding.
+4. Flag any HIGH or CRITICAL severity vulnerabilities as **release blockers**.
+5. Flag any copyleft licenses (GPL, AGPL, LGPL) that may conflict with the project's MIT license as **license blockers**.
+
+Output a release checklist:
+- \u2705 or \u274C Vulnerabilities (CRITICAL/HIGH)
+- \u2705 or \u274C License compatibility
+- \u2705 or \u274C No abandoned dependencies (last published >2 years ago)
+
+End with a clear **SAFE TO RELEASE** or **BLOCKED \u2014 fix these issues first** verdict.`
+            }
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/tools/advisories.ts
+import { z as z2 } from "zod/v4";
+
+// src/api/depsdev.ts
+var BASE_URL = "https://api.deps.dev/v3";
+var ECOSYSTEM_MAP = {
+  npm: "npm",
+  pypi: "pypi",
+  go: "go",
+  maven: "maven",
+  cargo: "cargo",
+  nuget: "nuget",
+  rubygems: "rubygems"
+};
+async function get(path) {
+  const url = `${BASE_URL}${path}`;
+  const res = await fetch(url, {
+    headers: { "User-Agent": "hound-mcp/0.1.0" }
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new DepsDevError(res.status, url, body);
+  }
+  return res.json();
+}
+var DepsDevError = class extends Error {
+  constructor(status, url, body) {
+    super(`deps.dev API error ${status} for ${url}`);
+    this.status = status;
+    this.url = url;
+    this.body = body;
+    this.name = "DepsDevError";
+  }
+};
+async function getVersion(ecosystem, name, version) {
+  const sys = ECOSYSTEM_MAP[ecosystem];
+  return get(
+    `/systems/${sys}/packages/${encodeURIComponent(name)}/versions/${encodeURIComponent(version)}`
+  );
+}
+async function getPackage(ecosystem, name) {
+  const sys = ECOSYSTEM_MAP[ecosystem];
+  return get(`/systems/${sys}/packages/${encodeURIComponent(name)}`);
+}
+async function getDependencies(ecosystem, name, version) {
+  const sys = ECOSYSTEM_MAP[ecosystem];
+  return get(
+    `/systems/${sys}/packages/${encodeURIComponent(name)}/versions/${encodeURIComponent(version)}:dependencies`
+  );
+}
+async function getProject(projectId) {
+  const encoded = projectId.replaceAll("/", "%2F");
+  return get(`/projects/${encoded}`);
+}
+async function getAdvisory(advisoryId) {
+  return get(`/advisories/${encodeURIComponent(advisoryId)}`);
+}
+function extractProjectId(version) {
+  const related = version.relatedProjects ?? [];
+  const sourceRepo = related.find(
+    (r) => r.relationType === "SOURCE_REPO" || r.relationType === "ISSUE_TRACKER"
+  );
+  return sourceRepo?.projectKey.id ?? null;
+}
+
+// src/api/osv.ts
+var BASE_URL2 = "https://api.osv.dev/v1";
+var ECOSYSTEM_MAP2 = {
+  npm: "npm",
+  pypi: "PyPI",
+  go: "Go",
+  maven: "Maven",
+  cargo: "crates.io",
+  nuget: "NuGet",
+  rubygems: "RubyGems"
+};
+async function post(path, body) {
+  const url = `${BASE_URL2}${path}`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "hound-mcp/0.1.0"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new OsvError(res.status, url, text);
+  }
+  return res.json();
+}
+var OsvError = class extends Error {
+  constructor(status, url, body) {
+    super(`OSV API error ${status} for ${url}`);
+    this.status = status;
+    this.url = url;
+    this.body = body;
+    this.name = "OsvError";
+  }
+};
+async function queryVulns(ecosystem, name, version) {
+  const response = await post("/query", {
+    version,
+    package: {
+      name,
+      ecosystem: ECOSYSTEM_MAP2[ecosystem]
+    }
+  });
+  return response.vulns ?? [];
+}
+async function queryVulnsBatch(packages) {
+  if (packages.length === 0) return [];
+  const response = await post("/querybatch", {
+    queries: packages.map((pkg) => ({
+      version: pkg.version,
+      package: {
+        name: pkg.name,
+        ecosystem: ECOSYSTEM_MAP2[pkg.ecosystem]
+      }
+    }))
+  });
+  return response.results.map((result) => result.vulns ?? []);
+}
+async function getVuln(vulnId) {
+  const url = `${BASE_URL2}/vulns/${encodeURIComponent(vulnId)}`;
+  const res = await fetch(url, {
+    headers: { "User-Agent": "hound-mcp/0.1.0" }
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new OsvError(res.status, url, text);
+  }
+  return res.json();
+}
+function extractSeverity(vuln) {
+  const dbSeverity = vuln.database_specific?.severity?.toUpperCase();
+  if (dbSeverity === "CRITICAL") return "CRITICAL";
+  if (dbSeverity === "HIGH") return "HIGH";
+  if (dbSeverity === "MODERATE") return "MODERATE";
+  if (dbSeverity === "LOW") return "LOW";
+  const cvssScore = extractCvssScore(vuln);
+  if (cvssScore === null) return "UNKNOWN";
+  if (cvssScore >= 9) return "CRITICAL";
+  if (cvssScore >= 7) return "HIGH";
+  if (cvssScore >= 4) return "MODERATE";
+  return "LOW";
+}
+function extractCvssScore(vuln) {
+  const entries = vuln.severity ?? [];
+  const preferred = ["CVSS_V3", "CVSS_V4", "CVSS_V2"];
+  for (const type of preferred) {
+    const entry = entries.find((e) => e.type === type);
+    if (entry) {
+      return parseCvssScore(entry.score);
+    }
+  }
+  return null;
+}
+function extractFixVersions(vuln, ecosystem) {
+  const osvEcosystem = ECOSYSTEM_MAP2[ecosystem];
+  const fixed = /* @__PURE__ */ new Set();
+  for (const affected of vuln.affected) {
+    if (affected.package.ecosystem.toLowerCase() !== osvEcosystem.toLowerCase()) {
+      continue;
+    }
+    for (const range of affected.ranges) {
+      for (const event of range.events) {
+        if ("fixed" in event && event.fixed) {
+          fixed.add(event.fixed);
+        }
+      }
+    }
+  }
+  return [...fixed];
+}
+function parseCvssScore(vector) {
+  void vector;
+  return null;
+}
+
+// src/tools/advisories.ts
+function register(server) {
+  return server.registerTool(
+    "hound_advisories",
+    {
+      description: "Get full details for a security advisory by ID (GHSA, CVE, or OSV ID). Returns title, severity, affected versions, fix versions, and references.",
+      inputSchema: {
+        id: z2.string().describe("Advisory ID \u2014 e.g. GHSA-rv95-896h-c2vc, CVE-2024-29041, or any OSV ID")
+      }
+    },
+    async ({ id }) => {
+      const [osvResult, depsdevResult] = await Promise.allSettled([getVuln(id), getAdvisory(id)]);
+      const lines = [];
+      if (osvResult.status === "fulfilled") {
+        const vuln = osvResult.value;
+        lines.push(`\u{1F514} Advisory: ${vuln.id}`);
+        lines.push("\u2550".repeat(50));
+        lines.push("");
+        lines.push(`\u{1F4CB} Summary: ${vuln.summary}`);
+        lines.push(`\u{1F4C5} Published: ${vuln.published.slice(0, 10)}`);
+        lines.push(`\u{1F504} Last modified: ${vuln.modified.slice(0, 10)}`);
+        if (vuln.aliases && vuln.aliases.length > 0) {
+          lines.push(`\u{1F517} Also known as: ${vuln.aliases.join(", ")}`);
+        }
+        const dbSeverity = vuln.database_specific?.severity;
+        if (dbSeverity) {
+          lines.push(`\u26A0\uFE0F  Severity: ${dbSeverity}`);
+        }
+        if (vuln.database_specific?.cwe_ids && vuln.database_specific.cwe_ids.length > 0) {
+          lines.push(`\u{1F3F7}\uFE0F  CWE: ${vuln.database_specific.cwe_ids.join(", ")}`);
+        }
+        if (vuln.affected.length > 0) {
+          lines.push("");
+          lines.push("\u{1F4E6} Affected packages");
+          lines.push("\u2500".repeat(30));
+          for (const affected of vuln.affected) {
+            lines.push(`  ${affected.package.ecosystem}: ${affected.package.name}`);
+            for (const range of affected.ranges) {
+              if (range.type === "SEMVER") {
+                const introduced = range.events.find((e) => "introduced" in e);
+                const fixed = range.events.find((e) => "fixed" in e);
+                const introStr = introduced && "introduced" in introduced ? introduced.introduced : "0";
+                if (fixed && "fixed" in fixed) {
+                  lines.push(`  Affected: >= ${introStr}, fixed in ${fixed.fixed}`);
+                } else {
+                  lines.push(`  Affected: >= ${introStr} (no fix available)`);
+                }
+              }
+            }
+          }
+        }
+        if (vuln.details) {
+          lines.push("");
+          lines.push("\u{1F4DD} Details");
+          lines.push("\u2500".repeat(30));
+          const details = vuln.details.length > 500 ? `${vuln.details.slice(0, 500)}...` : vuln.details;
+          lines.push(details);
+        }
+        if (vuln.references && vuln.references.length > 0) {
+          lines.push("");
+          lines.push("\u{1F517} References");
+          lines.push("\u2500".repeat(30));
+          for (const ref of vuln.references.slice(0, 5)) {
+            lines.push(`  ${ref.url}`);
+          }
+          if (vuln.references.length > 5) {
+            lines.push(`  ... and ${vuln.references.length - 5} more`);
+          }
+        }
+        lines.push("");
+        lines.push(`Source: https://osv.dev/vulnerability/${id}`);
+      } else if (depsdevResult.status === "fulfilled") {
+        const advisory = depsdevResult.value;
+        lines.push(`\u{1F514} Advisory: ${advisory.advisoryKey.id}`);
+        lines.push("\u2550".repeat(50));
+        lines.push("");
+        lines.push(`\u{1F4CB} Title: ${advisory.title}`);
+        if (advisory.aliases.length > 0) {
+          lines.push(`\u{1F517} Also known as: ${advisory.aliases.join(", ")}`);
+        }
+        lines.push(`\u26A0\uFE0F  CVSS v3 Score: ${advisory.cvss3Score}`);
+        lines.push(`\u{1F4D0} CVSS Vector: ${advisory.cvss3Vector}`);
+        lines.push("");
+        lines.push(`Source: ${advisory.url}`);
+      } else {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Could not find advisory "${id}". Check the ID format (e.g. GHSA-xxxx-xxxx-xxxx or CVE-YYYY-NNNNN).`
+            }
+          ]
+        };
+      }
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+
+// src/tools/inspect.ts
+import { z as z3 } from "zod/v4";
+var ECOSYSTEM_VALUES = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+function register2(server) {
+  return server.registerTool(
+    "hound_inspect",
+    {
+      description: "Get a comprehensive profile of a package version: licenses, vulnerabilities, OpenSSF scorecard, GitHub stats, and dependency count \u2014 all in one call.",
+      inputSchema: {
+        name: z3.string().describe("Package name"),
+        version: z3.string().describe("Package version"),
+        ecosystem: z3.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
+      }
+    },
+    async ({ name, version, ecosystem }) => {
+      const eco = ecosystem;
+      const [versionData, vulns] = await Promise.allSettled([
+        getVersion(eco, name, version),
+        queryVulns(eco, name, version)
+      ]);
+      if (versionData.status === "rejected") {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Could not find ${name}@${version} in ${ecosystem}. Check the package name and version.`
+            }
+          ]
+        };
+      }
+      const pkg = versionData.value;
+      const vulnList = vulns.status === "fulfilled" ? vulns.value : [];
+      const projectId = extractProjectId(pkg);
+      const projectData = projectId !== null ? await getProject(projectId).catch(() => null) : null;
+      const lines = [`\u{1F4E6} ${name}@${version} (${ecosystem})`, "\u2550".repeat(50), ""];
+      const published = pkg.publishedAt.slice(0, 10);
+      const daysSince = Math.floor(
+        (Date.now() - new Date(pkg.publishedAt).getTime()) / (1e3 * 60 * 60 * 24)
+      );
+      lines.push(`\u{1F4C5} Published: ${published} (${daysSince} days ago)`);
+      const licenses = pkg.licenses && pkg.licenses.length > 0 ? pkg.licenses.join(", ") : "Unknown";
+      lines.push(`\u{1F4C4} License: ${licenses}`);
+      if (vulnList.length === 0) {
+        lines.push(`\u{1F6E1}\uFE0F  Vulnerabilities: None known`);
+      } else {
+        const counts = {};
+        for (const v of vulnList) {
+          const sev = extractSeverity(v);
+          counts[sev] = (counts[sev] ?? 0) + 1;
+        }
+        const summary = Object.entries(counts).map(([s, n]) => `${n} ${s.toLowerCase()}`).join(", ");
+        lines.push(`\u26A0\uFE0F  Vulnerabilities: ${vulnList.length} (${summary})`);
+      }
+      const advisoryCount = pkg.advisoryKeys?.length ?? 0;
+      if (advisoryCount > 0) {
+        const ids = pkg.advisoryKeys?.map((a) => a.id).join(", ");
+        lines.push(`\u{1F514} Advisories: ${ids}`);
+      }
+      if (projectData !== null) {
+        lines.push("");
+        lines.push("\u{1F4CA} Project Health");
+        lines.push("\u2500".repeat(30));
+        lines.push(`\u2B50 Stars: ${projectData.starsCount.toLocaleString()}`);
+        lines.push(`\u{1F374} Forks: ${projectData.forksCount.toLocaleString()}`);
+        lines.push(`\u{1F41B} Open issues: ${projectData.openIssuesCount.toLocaleString()}`);
+        if (projectData.scorecard !== null) {
+          const score = projectData.scorecard.overallScore.toFixed(1);
+          const grade = scorecardGrade(projectData.scorecard.overallScore);
+          lines.push(`\u{1F3C6} OpenSSF Scorecard: ${score}/10 (${grade})`);
+          const weak = [...projectData.scorecard.checks].sort((a, b) => a.score - b.score).slice(0, 3);
+          if (weak.length > 0) {
+            lines.push(
+              `   Lowest checks: ${weak.map((c) => `${c.name} (${c.score}/10)`).join(", ")}`
+            );
+          }
+        }
+      }
+      const homepage = pkg.links?.find((l) => l.label === "HOMEPAGE");
+      const sourceRepo = pkg.links?.find((l) => l.label === "SOURCE_REPO");
+      if (homepage ?? sourceRepo) {
+        lines.push("");
+        if (homepage) lines.push(`\u{1F310} Homepage: ${homepage.url}`);
+        if (sourceRepo) lines.push(`\u{1F4BB} Source: ${sourceRepo.url}`);
+      }
+      lines.push("");
+      lines.push(
+        `\u{1F517} deps.dev: https://deps.dev/${ecosystem}/packages/${encodeURIComponent(name)}/versions/${encodeURIComponent(version)}`
+      );
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+function scorecardGrade(score) {
+  if (score >= 9) return "A";
+  if (score >= 7) return "B";
+  if (score >= 5) return "C";
+  if (score >= 3) return "D";
+  return "F";
+}
+
+// src/tools/popular.ts
+import { z as z4 } from "zod/v4";
+var ECOSYSTEM_VALUES2 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+var POPULAR_DEFAULTS = {
+  npm: [
+    "express",
+    "lodash",
+    "axios",
+    "react",
+    "typescript",
+    "webpack",
+    "eslint",
+    "jest",
+    "next",
+    "vue"
+  ],
+  pypi: [
+    "requests",
+    "numpy",
+    "pandas",
+    "flask",
+    "django",
+    "fastapi",
+    "sqlalchemy",
+    "pytest",
+    "boto3",
+    "pydantic"
+  ],
+  go: [
+    "github.com/gin-gonic/gin",
+    "github.com/gorilla/mux",
+    "github.com/stretchr/testify",
+    "github.com/spf13/cobra",
+    "go.uber.org/zap"
+  ],
+  maven: [
+    "com.google.guava:guava",
+    "org.springframework:spring-core",
+    "org.apache.commons:commons-lang3",
+    "com.fasterxml.jackson.core:jackson-databind",
+    "org.slf4j:slf4j-api"
+  ],
+  cargo: ["serde", "tokio", "reqwest", "clap", "anyhow", "log", "rand", "regex"],
+  nuget: [
+    "Newtonsoft.Json",
+    "Microsoft.Extensions.Logging",
+    "Serilog",
+    "AutoMapper",
+    "FluentValidation"
+  ],
+  rubygems: ["rails", "devise", "rspec-core", "activerecord", "sidekiq"]
+};
+function register3(server) {
+  return server.registerTool(
+    "hound_popular",
+    {
+      description: "Scan a list of popular (or user-specified) packages for known vulnerabilities. Quickly surface which widely-used packages in an ecosystem have open security issues.",
+      inputSchema: {
+        ecosystem: z4.enum(ECOSYSTEM_VALUES2).default("npm").describe("Package ecosystem (default: npm)"),
+        packages: z4.array(z4.string()).optional().describe(
+          "Specific package names to check. If omitted, uses a curated list of popular packages for the ecosystem."
+        )
+      }
+    },
+    async ({ ecosystem, packages }) => {
+      const eco = ecosystem;
+      const names = packages ?? POPULAR_DEFAULTS[ecosystem] ?? [];
+      if (names.length === 0) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `No packages specified and no defaults available for ${ecosystem}.`
+            }
+          ]
+        };
+      }
+      const packageResults = await Promise.allSettled(
+        names.map(async (name) => {
+          const pkg = await getPackage(eco, name);
+          const defaultVersion = pkg.versions.find((v) => v.isDefault) ?? pkg.versions[0];
+          return {
+            name,
+            version: defaultVersion?.versionKey.version ?? "unknown"
+          };
+        })
+      );
+      const resolved = packageResults.map((r, i) => ({
+        name: names[i] ?? "",
+        version: r.status === "fulfilled" ? r.value.version : null
+      })).filter((p) => p.version !== null);
+      const failed = packageResults.filter((r) => r.status === "rejected").length;
+      const vulnResults = await queryVulnsBatch(
+        resolved.map((p) => ({ ecosystem: eco, name: p.name, version: p.version }))
+      );
+      const lines = [
+        `\u{1F50D} Vulnerability scan: ${ecosystem} popular packages`,
+        "\u2550".repeat(50),
+        `Checked ${resolved.length} packages`,
+        ""
+      ];
+      const withVulns = resolved.map((pkg, i) => ({ ...pkg, vulns: vulnResults[i] ?? [] })).sort((a, b) => b.vulns.length - a.vulns.length);
+      const vulnerableCount = withVulns.filter((p) => p.vulns.length > 0).length;
+      if (vulnerableCount === 0) {
+        lines.push(`\u2705 All ${resolved.length} packages are clean \u2014 no known vulnerabilities.`);
+        lines.push("");
+      } else {
+        lines.push(`\u26A0\uFE0F  ${vulnerableCount} of ${resolved.length} packages have vulnerabilities:`);
+        lines.push("");
+      }
+      for (const pkg of withVulns) {
+        if (pkg.vulns.length === 0) {
+          lines.push(`  \u2705 ${pkg.name}@${pkg.version}`);
+        } else {
+          lines.push(`  \u26A0\uFE0F  ${pkg.name}@${pkg.version} \u2014 ${pkg.vulns.length} vuln(s)`);
+          for (const v of pkg.vulns.slice(0, 3)) {
+            lines.push(`      ${v.id}: ${v.summary}`);
+          }
+          if (pkg.vulns.length > 3) {
+            lines.push(`      ... and ${pkg.vulns.length - 3} more`);
+          }
+        }
+      }
+      if (failed > 0) {
+        lines.push("");
+        lines.push(`\u2139\uFE0F  ${failed} package(s) could not be resolved in ${ecosystem}.`);
+      }
+      lines.push("");
+      lines.push("Source: OSV.dev + deps.dev");
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+
+// src/tools/tree.ts
+import { z as z5 } from "zod/v4";
+var ECOSYSTEM_VALUES3 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+function register4(server) {
+  return server.registerTool(
+    "hound_tree",
+    {
+      description: "Show the full resolved dependency tree for a package version, including all transitive dependencies with their depth and relation type.",
+      inputSchema: {
+        name: z5.string().describe("Package name"),
+        version: z5.string().describe("Package version"),
+        ecosystem: z5.enum(ECOSYSTEM_VALUES3).default("npm").describe("Package ecosystem (default: npm)"),
+        maxDepth: z5.number().int().min(1).max(10).default(3).describe("Maximum depth to display (default: 3, max: 10)")
+      }
+    },
+    async ({ name, version, ecosystem, maxDepth }) => {
+      let deps;
+      try {
+        deps = await getDependencies(ecosystem, name, version);
+      } catch {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Could not fetch dependency tree for ${name}@${version}. Check the package name and version.`
+            }
+          ]
+        };
+      }
+      const nodes = deps.nodes;
+      const edges = deps.edges;
+      const directCount = nodes.filter((n) => n.relationType === "DIRECT").length;
+      const indirectCount = nodes.filter((n) => n.relationType === "INDIRECT").length;
+      const totalCount = directCount + indirectCount;
+      const children = /* @__PURE__ */ new Map();
+      for (const edge of edges) {
+        if (!children.has(edge.fromNode)) children.set(edge.fromNode, []);
+        children.get(edge.fromNode)?.push(edge.toNode);
+      }
+      const lines = [
+        `\u{1F333} Dependency tree for ${name}@${version} (${ecosystem})`,
+        "\u2550".repeat(50),
+        `${totalCount} total dependencies (${directCount} direct, ${indirectCount} transitive)`,
+        ""
+      ];
+      const rootNode = nodes[0];
+      if (rootNode) {
+        renderNode(lines, nodes, children, 0, 0, maxDepth, /* @__PURE__ */ new Set());
+      }
+      if (maxDepth < 10 && indirectCount > 0) {
+        lines.push("");
+        lines.push(`\u2139\uFE0F  Showing up to depth ${maxDepth}. Use maxDepth to see deeper.`);
+      }
+      lines.push("");
+      lines.push(`Source: deps.dev`);
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+function renderNode(lines, nodes, children, nodeIndex, depth, maxDepth, visited) {
+  if (visited.has(nodeIndex)) return;
+  visited.add(nodeIndex);
+  const node = nodes[nodeIndex];
+  if (!node) return;
+  const indent = "  ".repeat(depth);
+  const isRoot = depth === 0;
+  const prefix = isRoot ? "" : "\u251C\u2500\u2500 ";
+  const errorSuffix = node.errors.length > 0 ? " \u26A0\uFE0F" : "";
+  lines.push(`${indent}${prefix}${node.key.name}@${node.key.version}${errorSuffix}`);
+  if (depth >= maxDepth) {
+    const childCount = children.get(nodeIndex)?.length ?? 0;
+    if (childCount > 0) {
+      lines.push(`${indent}  \u2514\u2500\u2500 ... (${childCount} more)`);
+    }
+    return;
+  }
+  for (const childIdx of children.get(nodeIndex) ?? []) {
+    renderNode(lines, nodes, children, childIdx, depth + 1, maxDepth, visited);
+  }
+}
+
+// src/tools/typosquat.ts
+import { z as z6 } from "zod/v4";
+var ECOSYSTEM_VALUES4 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+function generateTypos(name) {
+  const variants = /* @__PURE__ */ new Set();
+  for (let i = 0; i < name.length; i++) {
+    variants.add(name.slice(0, i) + name.slice(i + 1));
+  }
+  for (let i = 0; i < name.length - 1; i++) {
+    const a = name.charAt(i);
+    const b = name.charAt(i + 1);
+    variants.add(name.slice(0, i) + b + a + name.slice(i + 2));
+  }
+  if (name.includes("-")) {
+    variants.add(name.replaceAll("-", "_"));
+    variants.add(name.replaceAll("-", ""));
+  }
+  if (name.includes("_")) {
+    variants.add(name.replaceAll("_", "-"));
+    variants.add(name.replaceAll("_", ""));
+  }
+  variants.add(`node-${name}`);
+  variants.add(`${name}-js`);
+  variants.add(`${name}js`);
+  variants.add(`${name}-node`);
+  variants.delete(name);
+  return [...variants];
+}
+function register5(server) {
+  return server.registerTool(
+    "hound_typosquat",
+    {
+      description: "Check if a package name looks like a typosquat of a popular package. Generates likely typo variants and checks which ones exist in the registry.",
+      inputSchema: {
+        name: z6.string().describe("Package name to check"),
+        ecosystem: z6.enum(ECOSYSTEM_VALUES4).default("npm").describe("Package ecosystem (default: npm)")
+      }
+    },
+    async ({ name, ecosystem }) => {
+      const eco = ecosystem;
+      const variants = generateTypos(name);
+      const results = await Promise.allSettled(
+        variants.map(async (variant) => {
+          const pkg = await getPackage(eco, variant);
+          return { name: variant, versionCount: pkg.versions.length };
+        })
+      );
+      const existing = results.filter((r) => r.status === "fulfilled").map((r) => r.value).sort((a, b) => b.versionCount - a.versionCount);
+      const targetExists = await getPackage(eco, name).then((p) => p.versions.length).catch(() => null);
+      const lines = [`\u{1F50D} Typosquat check: ${name} (${ecosystem})`, "\u2550".repeat(50), ""];
+      if (targetExists === null) {
+        lines.push(`\u26A0\uFE0F  "${name}" does not exist in ${ecosystem}.`);
+        lines.push(`This package name itself may be available \u2014 or it could be a typo.`);
+      } else {
+        lines.push(`\u2705 "${name}" exists (${targetExists} published versions)`);
+      }
+      lines.push("");
+      if (existing.length === 0) {
+        lines.push(`\u2705 No typosquat variants found in ${ecosystem}.`);
+        lines.push(`None of the ${variants.length} generated variants exist.`);
+      } else {
+        lines.push(`\u26A0\uFE0F  Found ${existing.length} similar package(s) that exist in ${ecosystem}:`);
+        lines.push("");
+        for (const pkg of existing) {
+          lines.push(`  \u{1F4E6} ${pkg.name} (${pkg.versionCount} versions)`);
+        }
+        lines.push("");
+        lines.push(`If you meant to install "${name}", double-check you typed it correctly.`);
+        lines.push(`If you are the author of "${name}", consider reserving these names.`);
+      }
+      lines.push("");
+      lines.push(
+        `\u2139\uFE0F  Checked ${variants.length} typo variants (omission, transposition, hyphen, affixes)`
+      );
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+
+// src/tools/vulns.ts
+import { z as z7 } from "zod/v4";
+var ECOSYSTEM_VALUES5 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+var SEVERITY_ICON = {
+  CRITICAL: "\u{1F534}",
+  HIGH: "\u{1F7E0}",
+  MODERATE: "\u{1F7E1}",
+  LOW: "\u{1F535}",
+  UNKNOWN: "\u26AA"
+};
+function register6(server) {
+  return server.registerTool(
+    "hound_vulns",
+    {
+      description: "List all known vulnerabilities for a specific package version, grouped by severity with fix versions and advisory links.",
+      inputSchema: {
+        name: z7.string().describe("Package name (e.g. express, lodash)"),
+        version: z7.string().describe("Package version (e.g. 4.18.2)"),
+        ecosystem: z7.enum(ECOSYSTEM_VALUES5).default("npm").describe("Package ecosystem (default: npm)")
+      }
+    },
+    async ({ name, version, ecosystem }) => {
+      let vulns;
+      try {
+        vulns = await queryVulns(ecosystem, name, version);
+      } catch {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Failed to query vulnerabilities for ${name}@${version}. The OSV API may be temporarily unavailable.`
+            }
+          ]
+        };
+      }
+      if (vulns.length === 0) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `\u2705 No known vulnerabilities found for ${name}@${version} (${ecosystem}).
+
+This checks the OSV database which covers GitHub Advisory Database, NVD, and more.`
+            }
+          ]
+        };
+      }
+      const bySeverity = {
+        CRITICAL: [],
+        HIGH: [],
+        MODERATE: [],
+        LOW: [],
+        UNKNOWN: []
+      };
+      for (const vuln of vulns) {
+        const sev = extractSeverity(vuln);
+        bySeverity[sev]?.push(vuln);
+      }
+      const lines = [
+        `\u{1F50D} Vulnerabilities in ${name}@${version} (${ecosystem})`,
+        "\u2500".repeat(50),
+        `Found ${vulns.length} vulnerability${vulns.length === 1 ? "" : "ies"}`,
+        ""
+      ];
+      for (const severity of ["CRITICAL", "HIGH", "MODERATE", "LOW", "UNKNOWN"]) {
+        const group = bySeverity[severity] ?? [];
+        if (group.length === 0) continue;
+        const icon = SEVERITY_ICON[severity] ?? "\u26AA";
+        lines.push(`${icon} ${severity} (${group.length})`);
+        lines.push("\u2500".repeat(30));
+        for (const vuln of group) {
+          lines.push(`  ${vuln.id}`);
+          lines.push(`  ${vuln.summary}`);
+          const fixes = extractFixVersions(vuln, ecosystem);
+          if (fixes.length > 0) {
+            lines.push(`  Fix: upgrade to ${fixes.join(" or ")}`);
+          } else {
+            lines.push(`  Fix: no patched version available`);
+          }
+          if (vuln.aliases && vuln.aliases.length > 0) {
+            lines.push(`  Also known as: ${vuln.aliases.join(", ")}`);
+          }
+          lines.push(`  Published: ${vuln.published.slice(0, 10)}`);
+          lines.push("");
+        }
+      }
+      lines.push(`Source: https://osv.dev`);
+      return {
+        content: [{ type: "text", text: lines.join("\n") }]
+      };
+    }
+  );
+}
+
+// src/server.ts
+var SERVER_NAME = "hound-mcp";
+var SERVER_VERSION = "0.1.0";
+function createServer() {
+  const server = new McpServer({
+    name: SERVER_NAME,
+    version: SERVER_VERSION
+  });
+  register6(server);
+  register2(server);
+  register4(server);
+  register5(server);
+  register(server);
+  register3(server);
+  registerPrompts(server);
+  return server;
+}
+
+// src/index.ts
+async function main() {
+  const server = createServer();
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+main().catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});
+//# sourceMappingURL=index.js.map