hound-mcp 0.2.1 → 0.2.3

package/dist/index.js

@@ -6,45 +6,9 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 // src/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-// src/prompts/index.ts
+// src/prompts/package_evaluation.ts
 import { z } from "zod/v4";
-function registerPrompts(server) {
-  server.registerPrompt(
-    "security_audit",
-    {
-      description: "Run a full security audit on the current project's dependencies. Scans for vulnerabilities, license issues, and typosquat risks across your entire dependency tree.",
-      argsSchema: {
-        ecosystem: z.string().optional().describe("Package ecosystem (npm, pypi, cargo, etc). Auto-detected if omitted.")
-      }
-    },
-    ({ ecosystem }) => {
-      const ecoNote = ecosystem ? ` The project uses ${ecosystem}.` : "";
-      return {
-        messages: [
-          {
-            role: "user",
-            content: {
-              type: "text",
-              text: `Please run a comprehensive security audit on this project's dependencies.${ecoNote}
-
-Follow these steps:
-1. Use \`hound_popular\` to check the most commonly used packages in this ecosystem for known vulnerabilities \u2014 this gives a quick baseline.
-2. For any specific packages you can identify in the project, use \`hound_vulns\` to check each one for CVEs and advisories.
-3. Use \`hound_inspect\` on the 3-5 most critical dependencies to check their licenses, OpenSSF Scorecard, and GitHub health.
-4. For any package names that look unusual or unfamiliar, use \`hound_typosquat\` to check for potential typosquatting.
-5. If any vulnerabilities are found, use \`hound_advisories\` to get full details and fix guidance.
-
-Summarize findings as:
-- **Critical / High** vulnerabilities that need immediate attention
-- **License risks** (copyleft licenses, unknown licenses)
-- **Health concerns** (abandoned packages, low Scorecard scores)
-- **Recommended actions** with specific version upgrades where available`
-            }
-          }
-        ]
-      };
-    }
-  );
+function packageEvaluationRegisterPrompt(server) {
   server.registerPrompt(
     "package_evaluation",
     {
@@ -80,12 +44,17 @@ Give me a clear **GO / NO-GO / CONDITIONAL** recommendation with reasoning. If c
       };
     }
   );
+}
+
+// src/prompts/pre_release_check.ts
+import { z as z2 } from "zod/v4";
+function preReleaseCheckRegisterPrompt(server) {
   server.registerPrompt(
     "pre_release_check",
     {
       description: "Run a pre-release dependency scan before shipping. Checks for vulnerabilities and license issues that could block a release.",
       argsSchema: {
-        version: z.string().optional().describe("The version you are about to release, e.g. 1.2.0")
+        version: z2.string().optional().describe("The version you are about to release, e.g. 1.2.0")
       }
     },
     ({ version }) => {
@@ -119,8 +88,56 @@ End with a clear **SAFE TO RELEASE** or **BLOCKED \u2014 fix these issues first*
   );
 }
 
+// src/prompts/security_audit.ts
+import { z as z3 } from "zod/v4";
+function securityAuditRegisterPrompt(server) {
+  server.registerPrompt(
+    "security_audit",
+    {
+      description: "Run a full security audit on the current project's dependencies. Scans for vulnerabilities, license issues, and typosquat risks across your entire dependency tree.",
+      argsSchema: {
+        ecosystem: z3.string().optional().describe("Package ecosystem (npm, pypi, cargo, etc). Auto-detected if omitted.")
+      }
+    },
+    ({ ecosystem }) => {
+      const ecoNote = ecosystem ? ` The project uses ${ecosystem}.` : "";
+      return {
+        messages: [
+          {
+            role: "user",
+            content: {
+              type: "text",
+              text: `Please run a comprehensive security audit on this project's dependencies.${ecoNote}
+
+Follow these steps:
+1. Use \`hound_popular\` to check the most commonly used packages in this ecosystem for known vulnerabilities \u2014 this gives a quick baseline.
+2. For any specific packages you can identify in the project, use \`hound_vulns\` to check each one for CVEs and advisories.
+3. Use \`hound_inspect\` on the 3-5 most critical dependencies to check their licenses, OpenSSF Scorecard, and GitHub health.
+4. For any package names that look unusual or unfamiliar, use \`hound_typosquat\` to check for potential typosquatting.
+5. If any vulnerabilities are found, use \`hound_advisories\` to get full details and fix guidance.
+
+Summarize findings as:
+- **Critical / High** vulnerabilities that need immediate attention
+- **License risks** (copyleft licenses, unknown licenses)
+- **Health concerns** (abandoned packages, low Scorecard scores)
+- **Recommended actions** with specific version upgrades where available`
+            }
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/prompts/index.ts
+function registerPrompts(server) {
+  securityAuditRegisterPrompt(server);
+  packageEvaluationRegisterPrompt(server);
+  preReleaseCheckRegisterPrompt(server);
+}
+
 // src/tools/advisories.ts
-import { z as z2 } from "zod/v4";
+import { z as z4 } from "zod/v4";
 
 // src/api/depsdev.ts
 var BASE_URL = "https://api.deps.dev/v3";
@@ -136,7 +153,7 @@ var ECOSYSTEM_MAP = {
 async function get(path) {
   const url = `${BASE_URL}${path}`;
   const res = await fetch(url, {
-    headers: { "User-Agent": "hound-mcp/0.1.0" }
+    headers: { "User-Agent": `hound-mcp/${"0.2.3"}` }
   });
   if (!res.ok) {
     const body = await res.text().catch(() => "");
@@ -201,7 +218,7 @@ async function post(path, body) {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
-      "User-Agent": "hound-mcp/0.1.0"
+      "User-Agent": `hound-mcp/${"0.2.3"}`
     },
     body: JSON.stringify(body)
   });
@@ -246,7 +263,7 @@ async function queryVulnsBatch(packages) {
 async function getVuln(vulnId) {
   const url = `${BASE_URL2}/vulns/${encodeURIComponent(vulnId)}`;
   const res = await fetch(url, {
-    headers: { "User-Agent": "hound-mcp/0.1.0" }
+    headers: { "User-Agent": `hound-mcp/${"0.2.3"}` }
   });
   if (!res.ok) {
     const text = await res.text().catch(() => "");
@@ -307,7 +324,7 @@ function register(server) {
     {
       description: "Get full details for a security advisory by ID (GHSA, CVE, or OSV ID). Returns title, severity, affected versions, fix versions, and references.",
       inputSchema: {
-        id: z2.string().describe("Advisory ID \u2014 e.g. GHSA-rv95-896h-c2vc, CVE-2024-29041, or any OSV ID")
+        id: z4.string().describe("Advisory ID \u2014 e.g. GHSA-rv95-896h-c2vc, CVE-2024-29041, or any OSV ID")
       }
     },
     async ({ id }) => {
@@ -402,17 +419,21 @@ function register(server) {
 }
 
 // src/tools/inspect.ts
-import { z as z3 } from "zod/v4";
+import { z as z5 } from "zod/v4";
+
+// src/constants/ecosystems.ts
 var ECOSYSTEM_VALUES = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+
+// src/tools/inspect.ts
 function register2(server) {
   return server.registerTool(
     "hound_inspect",
     {
       description: "Get a comprehensive profile of a package version: licenses, vulnerabilities, OpenSSF scorecard, GitHub stats, and dependency count \u2014 all in one call.",
       inputSchema: {
-        name: z3.string().describe("Package name"),
-        version: z3.string().describe("Package version"),
-        ecosystem: z3.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
+        name: z5.string().describe("Package name"),
+        version: z5.string().describe("Package version"),
+        ecosystem: z5.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, version, ecosystem }) => {
@@ -504,8 +525,14 @@ function scorecardGrade(score) {
 }
 
 // src/tools/popular.ts
-import { z as z4 } from "zod/v4";
-var ECOSYSTEM_VALUES2 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z6 } from "zod/v4";
+
+// src/utils/getDefaultVersion.ts
+function getDefaultVersion(versions) {
+  return versions.find((v) => v.isDefault) ?? versions.at(-1);
+}
+
+// src/tools/popular.ts
 var POPULAR_DEFAULTS = {
   npm: [
     "express",
@@ -561,8 +588,8 @@ function register3(server) {
     {
       description: "Scan a list of popular (or user-specified) packages for known vulnerabilities. Quickly surface which widely-used packages in an ecosystem have open security issues.",
       inputSchema: {
-        ecosystem: z4.enum(ECOSYSTEM_VALUES2).default("npm").describe("Package ecosystem (default: npm)"),
-        packages: z4.array(z4.string()).optional().describe(
+        ecosystem: z6.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)"),
+        packages: z6.array(z6.string()).optional().describe(
           "Specific package names to check. If omitted, uses a curated list of popular packages for the ecosystem."
         )
       }
@@ -583,7 +610,7 @@ function register3(server) {
       const packageResults = await Promise.allSettled(
         names.map(async (name) => {
           const pkg = await getPackage(eco, name);
-          const defaultVersion = pkg.versions.find((v) => v.isDefault) ?? pkg.versions[0];
+          const defaultVersion = getDefaultVersion(pkg.versions);
           return {
             name,
             version: defaultVersion?.versionKey.version ?? "unknown"
@@ -640,18 +667,17 @@ function register3(server) {
 }
 
 // src/tools/tree.ts
-import { z as z5 } from "zod/v4";
-var ECOSYSTEM_VALUES3 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z7 } from "zod/v4";
 function register4(server) {
   return server.registerTool(
     "hound_tree",
     {
       description: "Show the full resolved dependency tree for a package version, including all transitive dependencies with their depth and relation type.",
       inputSchema: {
-        name: z5.string().describe("Package name"),
-        version: z5.string().describe("Package version"),
-        ecosystem: z5.enum(ECOSYSTEM_VALUES3).default("npm").describe("Package ecosystem (default: npm)"),
-        maxDepth: z5.number().int().min(1).max(10).default(3).describe("Maximum depth to display (default: 3, max: 10)")
+        name: z7.string().describe("Package name"),
+        version: z7.string().describe("Package version"),
+        ecosystem: z7.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)"),
+        maxDepth: z7.number().int().min(1).max(10).default(3).describe("Maximum depth to display (default: 3, max: 10)")
       }
     },
     async ({ name, version, ecosystem, maxDepth }) => {
@@ -670,8 +696,8 @@ function register4(server) {
       }
       const nodes = deps.nodes;
       const edges = deps.edges;
-      const directCount = nodes.filter((n) => n.relationType === "DIRECT").length;
-      const indirectCount = nodes.filter((n) => n.relationType === "INDIRECT").length;
+      const directCount = nodes.filter((n) => n.relation === "DIRECT").length;
+      const indirectCount = nodes.filter((n) => n.relation === "INDIRECT").length;
       const totalCount = directCount + indirectCount;
       const children = /* @__PURE__ */ new Map();
       for (const edge of edges) {
@@ -709,7 +735,7 @@ function renderNode(lines, nodes, children, nodeIndex, depth, maxDepth, visited)
   const isRoot = depth === 0;
   const prefix = isRoot ? "" : "\u251C\u2500\u2500 ";
   const errorSuffix = node.errors.length > 0 ? " \u26A0\uFE0F" : "";
-  lines.push(`${indent}${prefix}${node.key.name}@${node.key.version}${errorSuffix}`);
+  lines.push(`${indent}${prefix}${node.versionKey.name}@${node.versionKey.version}${errorSuffix}`);
   if (depth >= maxDepth) {
     const childCount = children.get(nodeIndex)?.length ?? 0;
     if (childCount > 0) {
@@ -723,8 +749,7 @@ function renderNode(lines, nodes, children, nodeIndex, depth, maxDepth, visited)
 }
 
 // src/tools/typosquat.ts
-import { z as z6 } from "zod/v4";
-var ECOSYSTEM_VALUES4 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z8 } from "zod/v4";
 function generateTypos(name) {
   const variants = /* @__PURE__ */ new Set();
   for (let i = 0; i < name.length; i++) {
@@ -756,8 +781,8 @@ function register5(server) {
     {
       description: "Check if a package name looks like a typosquat of a popular package. Generates likely typo variants and checks which ones exist in the registry.",
       inputSchema: {
-        name: z6.string().describe("Package name to check"),
-        ecosystem: z6.enum(ECOSYSTEM_VALUES4).default("npm").describe("Package ecosystem (default: npm)")
+        name: z8.string().describe("Package name to check"),
+        ecosystem: z8.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, ecosystem }) => {
@@ -804,7 +829,7 @@ function register5(server) {
 }
 
 // src/tools/audit.ts
-import { z as z7 } from "zod/v4";
+import { z as z9 } from "zod/v4";
 
 // src/parsers/index.ts
 function parseLockfile(filename, content) {
@@ -958,8 +983,8 @@ function register6(server) {
     {
       description: "Scan a project's lockfile for dependency risks. Parses package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.lock, or go.sum and batch-queries OSV for vulnerabilities across all dependencies.",
       inputSchema: {
-        lockfile_content: z7.string().describe("Full text content of the lockfile"),
-        lockfile_name: z7.string().describe(
+        lockfile_content: z9.string().describe("Full text content of the lockfile"),
+        lockfile_name: z9.string().describe(
           "Filename to determine format: package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.lock, go.sum"
         )
       }
@@ -1081,8 +1106,9 @@ ${icon} ${sev} (${group.length})`);
 }
 
 // src/tools/compare.ts
-import { z as z8 } from "zod/v4";
-var ECOSYSTEM_VALUES5 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z10 } from "zod/v4";
+
+// src/constants/licenses.ts
 var COPYLEFT_LICENSES = /* @__PURE__ */ new Set([
   "GPL-2.0",
   "GPL-2.0-only",
@@ -1104,11 +1130,20 @@ var COPYLEFT_LICENSES = /* @__PURE__ */ new Set([
   "EPL-1.0",
   "EPL-2.0"
 ]);
+var NETWORK_COPYLEFT = /* @__PURE__ */ new Set([
+  "AGPL-3.0",
+  "AGPL-3.0-only",
+  "AGPL-3.0-or-later",
+  "EUPL-1.1",
+  "EUPL-1.2"
+]);
+
+// src/tools/compare.ts
 async function gatherPackageData(eco, name) {
   let defaultVersion;
   try {
     const pkg = await getPackage(eco, name);
-    const defaultV = pkg.versions.find((v) => v.isDefault) ?? pkg.versions[pkg.versions.length - 1];
+    const defaultV = getDefaultVersion(pkg.versions);
     if (!defaultV) return null;
     defaultVersion = defaultV.versionKey.version;
   } catch {
@@ -1162,9 +1197,9 @@ function register7(server) {
     {
       description: "Side-by-side comparison of two packages: vulnerabilities, OpenSSF Scorecard, GitHub stars, release recency, and license. Returns a recommendation.",
       inputSchema: {
-        package_a: z8.string().describe("First package name"),
-        package_b: z8.string().describe("Second package name"),
-        ecosystem: z8.enum(ECOSYSTEM_VALUES5).default("npm").describe("Package ecosystem (default: npm)")
+        package_a: z10.string().describe("First package name"),
+        package_b: z10.string().describe("Second package name"),
+        ecosystem: z10.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ package_a, package_b, ecosystem }) => {
@@ -1272,29 +1307,7 @@ function register7(server) {
 }
 
 // src/tools/license-check.ts
-import { z as z9 } from "zod/v4";
-var COPYLEFT_LICENSES2 = /* @__PURE__ */ new Set([
-  "GPL-2.0",
-  "GPL-2.0-only",
-  "GPL-2.0-or-later",
-  "GPL-3.0",
-  "GPL-3.0-only",
-  "GPL-3.0-or-later",
-  "AGPL-3.0",
-  "AGPL-3.0-only",
-  "AGPL-3.0-or-later",
-  "LGPL-2.0",
-  "LGPL-2.1",
-  "LGPL-3.0",
-  "EUPL-1.1",
-  "EUPL-1.2",
-  "MPL-2.0",
-  "OSL-3.0",
-  "CDDL-1.0",
-  "EPL-1.0",
-  "EPL-2.0"
-]);
-var NETWORK_COPYLEFT = /* @__PURE__ */ new Set(["AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later", "EUPL-1.1", "EUPL-1.2"]);
+import { z as z11 } from "zod/v4";
 var POLICY_ALLOWLISTS = {
   permissive: /* @__PURE__ */ new Set([
     "MIT",
@@ -1337,7 +1350,7 @@ var POLICY_ALLOWLISTS = {
 };
 function classifyLicense(license) {
   if (NETWORK_COPYLEFT.has(license)) return "network-copyleft";
-  if (COPYLEFT_LICENSES2.has(license)) {
+  if (COPYLEFT_LICENSES.has(license)) {
     if (license.startsWith("LGPL") || license === "MPL-2.0" || license === "EPL-1.0" || license === "EPL-2.0" || license === "CDDL-1.0") {
       return "weak-copyleft";
     }
@@ -1353,9 +1366,9 @@ function register8(server) {
     {
       description: "Scan a lockfile for license compliance. Resolves licenses for every dependency and flags packages that violate the chosen policy (permissive, copyleft, or none).",
       inputSchema: {
-        lockfile_content: z9.string().describe("Full text content of the lockfile"),
-        lockfile_name: z9.string().describe("Filename: package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.lock, go.sum"),
-        policy: z9.enum(["permissive", "copyleft", "none"]).default("permissive").describe(
+        lockfile_content: z11.string().describe("Full text content of the lockfile"),
+        lockfile_name: z11.string().describe("Filename: package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo.lock, go.sum"),
+        policy: z11.enum(["permissive", "copyleft", "none"]).default("permissive").describe(
           "License policy to enforce: 'permissive' (MIT/Apache/BSD only), 'copyleft' (allows GPL but not AGPL), 'none' (report only, no violations)"
         )
       }
@@ -1472,38 +1485,16 @@ Supported: package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Cargo
 }
 
 // src/tools/preinstall.ts
-import { z as z10 } from "zod/v4";
-var ECOSYSTEM_VALUES6 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
-var COPYLEFT_LICENSES3 = /* @__PURE__ */ new Set([
-  "GPL-2.0",
-  "GPL-2.0-only",
-  "GPL-2.0-or-later",
-  "GPL-3.0",
-  "GPL-3.0-only",
-  "GPL-3.0-or-later",
-  "AGPL-3.0",
-  "AGPL-3.0-only",
-  "AGPL-3.0-or-later",
-  "LGPL-2.0",
-  "LGPL-2.1",
-  "LGPL-3.0",
-  "EUPL-1.1",
-  "EUPL-1.2",
-  "MPL-2.0",
-  "OSL-3.0",
-  "CDDL-1.0",
-  "EPL-1.0",
-  "EPL-2.0"
-]);
+import { z as z12 } from "zod/v4";
 function register9(server) {
   return server.registerTool(
     "hound_preinstall",
     {
       description: "Safety check before installing a package. Checks known vulnerabilities, typosquatting risk, abandonment, and license concerns. Returns a go/no-go verdict.",
       inputSchema: {
-        name: z10.string().describe("Package name"),
-        version: z10.string().optional().describe("Package version (defaults to latest)"),
-        ecosystem: z10.enum(ECOSYSTEM_VALUES6).default("npm").describe("Package ecosystem (default: npm)")
+        name: z12.string().describe("Package name"),
+        version: z12.string().optional().describe("Package version (defaults to latest)"),
+        ecosystem: z12.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, version, ecosystem }) => {
@@ -1512,7 +1503,7 @@ function register9(server) {
       if (!resolvedVersion) {
         try {
           const pkg2 = await getPackage(eco, name);
-          const defaultV = pkg2.versions.find((v) => v.isDefault) ?? pkg2.versions[pkg2.versions.length - 1];
+          const defaultV = getDefaultVersion(pkg2.versions);
           resolvedVersion = defaultV?.versionKey.version ?? "";
         } catch {
           return {
@@ -1600,7 +1591,7 @@ function register9(server) {
       const licenses = pkg.licenses ?? [];
       if (licenses.length === 0) {
         issues.push({ level: "warn", message: "License unknown" });
-      } else if (licenses.some((l) => COPYLEFT_LICENSES3.has(l))) {
+      } else if (licenses.some((l) => COPYLEFT_LICENSES.has(l))) {
         issues.push({
           level: "warn",
           message: `Copyleft license detected: ${licenses.join(", ")}`
@@ -1661,29 +1652,7 @@ function register9(server) {
 }
 
 // src/tools/score.ts
-import { z as z11 } from "zod/v4";
-var ECOSYSTEM_VALUES7 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
-var COPYLEFT_LICENSES4 = /* @__PURE__ */ new Set([
-  "GPL-2.0",
-  "GPL-2.0-only",
-  "GPL-2.0-or-later",
-  "GPL-3.0",
-  "GPL-3.0-only",
-  "GPL-3.0-or-later",
-  "AGPL-3.0",
-  "AGPL-3.0-only",
-  "AGPL-3.0-or-later",
-  "LGPL-2.0",
-  "LGPL-2.1",
-  "LGPL-3.0",
-  "EUPL-1.1",
-  "EUPL-1.2",
-  "MPL-2.0",
-  "OSL-3.0",
-  "CDDL-1.0",
-  "EPL-1.0",
-  "EPL-2.0"
-]);
+import { z as z13 } from "zod/v4";
 function letterGrade(score) {
   if (score >= 90) return "A";
   if (score >= 75) return "B";
@@ -1711,9 +1680,9 @@ function register10(server) {
     {
       description: "Compute a 0-100 Hound Score for a package version combining vulnerability severity, OpenSSF Scorecard, release recency, and license risk. Returns a letter grade (A-F) with a breakdown.",
       inputSchema: {
-        name: z11.string().describe("Package name"),
-        version: z11.string().describe("Package version"),
-        ecosystem: z11.enum(ECOSYSTEM_VALUES7).default("npm").describe("Package ecosystem (default: npm)")
+        name: z13.string().describe("Package name"),
+        version: z13.string().describe("Package version"),
+        ecosystem: z13.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, version, ecosystem }) => {
@@ -1772,7 +1741,7 @@ function register10(server) {
       const licenses = pkg.licenses ?? [];
       if (licenses.length === 0) {
         licenseScore = 5;
-      } else if (licenses.some((l) => COPYLEFT_LICENSES4.has(l))) {
+      } else if (licenses.some((l) => COPYLEFT_LICENSES.has(l))) {
         licenseScore = 8;
       }
       const total = vulnScore + scorecardScore + recencyScore + licenseScore;
@@ -1812,7 +1781,7 @@ function register10(server) {
       lines.push(`\u{1F4C5} Published ${daysSince} days ago`);
       if (licenses.length === 0) {
         lines.push("\u26A0\uFE0F  License unknown");
-      } else if (licenses.some((l) => COPYLEFT_LICENSES4.has(l))) {
+      } else if (licenses.some((l) => COPYLEFT_LICENSES.has(l))) {
         lines.push(`\u26A0\uFE0F  Copyleft license: ${licenses.join(", ")}`);
       } else {
         lines.push(`\u2705 License: ${licenses.join(", ")}`);
@@ -1827,8 +1796,7 @@ function register10(server) {
 }
 
 // src/tools/upgrade.ts
-import { z as z12 } from "zod/v4";
-var ECOSYSTEM_VALUES8 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z14 } from "zod/v4";
 function parseVersion(v) {
   return v.split(".").map((p) => parseInt(p.replace(/[^0-9]/g, ""), 10) || 0);
 }
@@ -1847,9 +1815,9 @@ function register11(server) {
     {
       description: "Find the minimum version upgrade that resolves all known vulnerabilities for a package. Checks every published version and returns the nearest safe one.",
       inputSchema: {
-        name: z12.string().describe("Package name (e.g. express, lodash)"),
-        version: z12.string().describe("Current vulnerable version (e.g. 4.17.20)"),
-        ecosystem: z12.enum(ECOSYSTEM_VALUES8).default("npm").describe("Package ecosystem (default: npm)")
+        name: z14.string().describe("Package name (e.g. express, lodash)"),
+        version: z14.string().describe("Current vulnerable version (e.g. 4.17.20)"),
+        ecosystem: z14.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, version, ecosystem }) => {
@@ -1886,7 +1854,7 @@ This may be the latest version already.`
         toCheck.map((v) => ({ ecosystem: eco, name, version: v }))
       );
       const safeVersions = toCheck.filter((_, i) => (vulnResults[i]?.length ?? 0) === 0);
-      const latestVersion = candidates[candidates.length - 1] ?? version;
+      const latestVersion = candidates.at(-1) ?? version;
       const latestVulns = vulnResults[toCheck.indexOf(latestVersion)] ?? [];
       const lines = [
         `\u{1F50D} Safe upgrade finder: ${name} (${ecosystem})`,
@@ -1903,7 +1871,7 @@ This may be the latest version already.`
         lines.push("  \u2022 Evaluating an alternative package via hound_compare");
       } else {
         const minimum = safeVersions[0] ?? "";
-        const latest = safeVersions[safeVersions.length - 1] ?? "";
+        const latest = safeVersions.at(-1) ?? "";
         lines.push(`\u2705 Safe upgrade available`);
         lines.push("");
         lines.push(`  Minimum safe version: ${minimum}`);
@@ -1911,7 +1879,7 @@ This may be the latest version already.`
           lines.push(`  Latest safe version:  ${latest}`);
         }
         lines.push("");
-        if (latestVulns.length > 0 && safeVersions[safeVersions.length - 1] !== latestVersion) {
+        if (latestVulns.length > 0 && safeVersions.at(-1) !== latestVersion) {
           lines.push(`\u26A0\uFE0F  Latest version (${latestVersion}) still has ${latestVulns.length} known vuln(s).`);
           lines.push(`   Recommended: upgrade to ${latest}`);
         } else {
@@ -1932,8 +1900,7 @@ This may be the latest version already.`
 }
 
 // src/tools/vulns.ts
-import { z as z13 } from "zod/v4";
-var ECOSYSTEM_VALUES9 = ["npm", "pypi", "go", "maven", "cargo", "nuget", "rubygems"];
+import { z as z15 } from "zod/v4";
 var SEVERITY_ICON2 = {
   CRITICAL: "\u{1F534}",
   HIGH: "\u{1F7E0}",
@@ -1947,9 +1914,9 @@ function register12(server) {
     {
       description: "List all known vulnerabilities for a specific package version, grouped by severity with fix versions and advisory links.",
       inputSchema: {
-        name: z13.string().describe("Package name (e.g. express, lodash)"),
-        version: z13.string().describe("Package version (e.g. 4.18.2)"),
-        ecosystem: z13.enum(ECOSYSTEM_VALUES9).default("npm").describe("Package ecosystem (default: npm)")
+        name: z15.string().describe("Package name (e.g. express, lodash)"),
+        version: z15.string().describe("Package version (e.g. 4.18.2)"),
+        ecosystem: z15.enum(ECOSYSTEM_VALUES).default("npm").describe("Package ecosystem (default: npm)")
       }
     },
     async ({ name, version, ecosystem }) => {
@@ -2027,7 +1994,7 @@ This checks the OSV database which covers GitHub Advisory Database, NVD, and mor
 
 // src/server.ts
 var SERVER_NAME = "hound-mcp";
-var SERVER_VERSION = "0.2.0";
+var SERVER_VERSION = "0.2.3";
 function createServer() {
   const server = new McpServer({
     name: SERVER_NAME,