luvv-mcp-server 1.1.0

package/README.md

@@ -0,0 +1,283 @@
+# Luvv MCPServer — 生产级安全审计 MCP 工具
+
+封装 **semgrep** (SAST) + **gitleaks** (密钥检测)，通过 **MCP stdio 协议** 为 Claude Desktop 提供一键代码安全扫描能力。
+
+## 功能特性
+
+- `run_security_scan` 工具：传入目标目录路径，自动并行执行 semgrep + gitleaks
+- 返回合并的结构化 JSON 审计报告（含摘要统计）
+- 依赖工具未安装时，报告中自动附带各平台的安装指引
+- 所有异常/日志通过 stderr 输出，绝不污染 MCP 协议通道（stdout）
+- 内置路径安全校验，拒绝扫描系统敏感目录
+- Docker 环境隔离支持，预装全部依赖
+
+## 快速开始
+
+### 1. 环境要求
+
+| 组件 | 版本要求 |
+|------|---------|
+| Node.js | >= 20.0.0 LTS |
+| npm | >= 10.0.0 |
+| semgrep | >= 1.0（可选，未安装在报告中提示） |
+| gitleaks | >= 8.0（可选，未安装在报告中提示） |
+
+### 2. 安装依赖与编译
+
+```bash
+# 克隆项目（或直接进入目录）
+cd luvv-mcp-server
+
+# 安装 npm 依赖
+npm install
+
+# 编译 TypeScript
+npm run build
+```
+
+编译产物输出到 `dist/` 目录，入口文件 `dist/main.js`。
+
+### 3. 安装扫描工具（推荐）
+
+```bash
+# --- semgrep ---
+# macOS
+brew install semgrep
+
+# Linux
+pipx install semgrep
+# 或: pip install semgrep
+
+# --- gitleaks ---
+# macOS
+brew install gitleaks
+
+# Linux
+wget https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.18.4_linux_x64.tar.gz
+tar -xzf gitleaks_*.tar.gz -C /usr/local/bin/ gitleaks
+chmod +x /usr/local/bin/gitleaks
+
+# --- 验证安装 ---
+semgrep --version
+gitleaks version
+```
+
+> 如果未安装 semgrep 或 gitleaks，扫描仍可运行，但对应工具的结果中会包含 `available: false` 及安装提示。
+
+### 4. 在 Claude Desktop 中配置
+
+打开 Claude Desktop 配置文件：
+
+- **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- **Windows**: `%APPDATA%\Claude\claude_desktop_config.json`
+- **Linux**: `~/.config/Claude/claude_desktop_config.json`
+
+添加以下配置块：
+
+```json
+{
+  "mcpServers": {
+    "luvv-security-scanner": {
+      "command": "node",
+      "args": [
+        "/Users/你的用户名/luvv-mcp-server/dist/main.js"
+      ]
+    }
+  }
+}
+```
+
+**实际路径示例**（macOS 用户 `zhangsan`）：
+
+```json
+{
+  "mcpServers": {
+    "luvv-security-scanner": {
+      "command": "node",
+      "args": [
+        "/Users/zhangsan/luvv-mcp-server/dist/main.js"
+      ]
+    }
+  }
+}
+```
+
+**实际路径示例**（Windows 用户 `Administrator`）：
+
+```json
+{
+  "mcpServers": {
+    "luvv-security-scanner": {
+      "command": "node",
+      "args": [
+        "C:\\Users\\Administrator\\luvv-mcp-server\\dist\\main.js"
+      ]
+    }
+  }
+}
+```
+
+配置完成后，**重启 Claude Desktop**。在对话中输入"帮我扫描 /path/to/project 的安全问题"，Claude 会自动调用 `run_security_scan` 工具。
+
+### 5. 验证 MCP 连接
+
+启动 Claude Desktop 后，检查工具栏是否出现新工具图标（锤子），或在对话中尝试：
+
+```
+请列出你当前可用的 MCP 工具
+```
+
+如果看到 `run_security_scan`，说明连接成功。
+
+---
+
+## Docker 运行方式
+
+Docker 镜像已预装 semgrep + gitleaks，适合环境隔离或 CI/CD 集成。
+
+### 构建镜像
+
+```bash
+docker compose build
+```
+
+### 交互式运行（手动测试）
+
+```bash
+# 启动容器并进入交互式 stdio 模式
+echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | \
+  docker compose run --rm -T mcp
+```
+
+### 通过管道发送扫描请求
+
+```bash
+# 构造一个扫描请求的 MCP 消息
+cat <<'JSONRPC' | docker compose run --rm -T mcp
+{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"run_security_scan","arguments":{"target_path":"/scan"}}}
+JSONRPC
+```
+
+### 扫描本地代码
+
+```bash
+# 将本地项目挂载为 /scan
+SCAN_TARGET=$(pwd) docker compose run --rm mcp
+```
+
+---
+
+## 输出示例
+
+```json
+{
+  "target_path": "/home/user/my-project",
+  "resolved_path": "/home/user/my-project",
+  "scan_time": "2026-06-13T12:00:00.000Z",
+  "duration_ms": 12345,
+  "tools": {
+    "semgrep": {
+      "available": true,
+      "results": {
+        "results": [
+          {
+            "check_id": "python.lang.security.audit.dangerous-subprocess-use",
+            "path": "src/utils.py",
+            "start": { "line": 42 },
+            "end": { "line": 42 },
+            "extra": {
+              "severity": "ERROR",
+              "message": "Detected subprocess function without a static string"
+            }
+          }
+        ]
+      }
+    },
+    "gitleaks": {
+      "available": true,
+      "results": [
+        {
+          "RuleID": "generic-api-key",
+          "Description": "Generic API Key",
+          "File": "config.py",
+          "StartLine": 15,
+          "Secret": "***REDACTED***",
+          "Match": "sk_live_xxxxxxxxxxxx"
+        }
+      ]
+    }
+  },
+  "summary": {
+    "total_findings": 2,
+    "semgrep_findings": 1,
+    "gitleaks_findings": 1
+  },
+  "environment": {
+    "node_version": "v20.14.0",
+    "platform": "linux",
+    "hostname": "dev-machine"
+  }
+}
+```
+
+当工具未安装时：
+
+```json
+{
+  "tools": {
+    "semgrep": {
+      "available": false,
+      "error": "semgrep 未安装或不在 PATH 中",
+      "install_hint": "# macOS\nbrew install semgrep\n\n# Linux (pip)\npip install semgrep"
+    }
+  }
+}
+```
+
+---
+
+## 环境变量
+
+参见 `.env.example`，可复制为 `.env` 后修改：
+
+| 变量 | 默认值 | 说明 |
+|------|--------|------|
+| `SEMGREP_CONFIG` | `auto` | semgrep 规则集（`p/security-audit`、`p/owasp-top-ten` 等） |
+| `SEMGREP_TIMEOUT` | `300` | semgrep 超时时间（秒） |
+| `GITLEAKS_TIMEOUT` | `120` | gitleaks 超时时间（秒） |
+| `LOG_LEVEL` | `info` | 日志级别（debug/info/warn/error） |
+| `INCLUDE_RAW_OUTPUT` | `false` | 是否返回完整原始输出 |
+
+---
+
+## 项目结构
+
+```
+luvv-mcp-server/
+├── src/
+│   ├── main.ts               # CLI 入口，按参数路由传输模式
+│   ├── server.ts              # createServer() 工厂函数
+│   ├── tools/
+│   │   ├── index.ts           # registerAllTools() 汇总
+│   │   └── run-security-scan.ts  # 安全扫描工具定义与处理器
+│   ├── transports/
+│   │   └── stdio.ts           # stdio 传输启动器（+ 信号处理）
+│   └── lib/
+│       ├── logger.ts          # 结构化 stderr 日志
+│       ├── executor.ts        # spawn 封装 + 路径校验
+│       └── scanner.ts         # semgrep + gitleaks 编排
+├── tests/
+│   └── run-security-scan.test.ts  # 单元测试
+├── dist/                      # 编译产物（npm run build）
+├── vitest.config.ts
+├── package.json
+├── tsconfig.json
+├── Dockerfile
+├── docker-compose.yml
+├── .env.example
+└── README.md
+```
+
+## License
+
+MIT

package/dist/lib/executor.d.ts

@@ -0,0 +1,48 @@
+/**
+ * 外部命令执行工具 — 提供子进程 spawn、二进制检测、超时控制等基础能力。
+ */
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number | null;
+    killed: boolean;
+}
+export interface BinaryInfo {
+    found: boolean;
+    version: string;
+}
+/**
+ * 检查可执行文件是否在 PATH 中，并捕获其 --version 输出的首行。
+ * semgrep 和部分工具有时将版本信息写入 stderr，因此合并两者。
+ */
+export declare function detectBinary(name: string, timeoutMs?: number): Promise<BinaryInfo>;
+/**
+ * 执行命令，超时后发送 SIGKILL 强制终止。
+ * 返回 stdout、stderr、退出码以及是否因超时而被 kill。
+ */
+export declare function runCommand(command: string, args: string[], timeoutMs: number): Promise<ExecResult>;
+export interface PathCheck {
+    ok: boolean;
+    resolved: string;
+    reason?: string;
+}
+/**
+ * 验证路径存在、为目录、且可读。
+ */
+export declare function verifyDirectory(raw: string): Promise<PathCheck>;
+/**
+ * 拒绝扫描系统敏感路径，避免误操作。
+ */
+export declare function isSensitivePath(target: string): boolean;
+export interface DependencyStatus {
+    semgrep: {
+        installed: boolean;
+        version: string;
+    };
+    gitleaks: {
+        installed: boolean;
+        version: string;
+    };
+}
+export declare function checkDependencies(): Promise<DependencyStatus>;
+//# sourceMappingURL=executor.d.ts.map

package/dist/lib/executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/lib/executor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAWH,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAMD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CA2BlF;AAMD;;;GAGG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,CAAC,CAqCrB;AAMD,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAYrE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAYvD;AAMD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,QAAQ,EAAE;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CACnD;AAED,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAcnE"}

package/dist/lib/executor.js

@@ -0,0 +1,123 @@
+/**
+ * 外部命令执行工具 — 提供子进程 spawn、二进制检测、超时控制等基础能力。
+ */
+import { spawn } from "node:child_process";
+import { stat } from "node:fs/promises";
+import { resolve } from "node:path";
+import { logger } from "./logger.js";
+// ---------------------------------------------------------------------------
+// 二进制可用性检测
+// ---------------------------------------------------------------------------
+/**
+ * 检查可执行文件是否在 PATH 中，并捕获其 --version 输出的首行。
+ * semgrep 和部分工具有时将版本信息写入 stderr，因此合并两者。
+ */
+export function detectBinary(name, timeoutMs = 10_000) {
+    return new Promise((resolve) => {
+        const child = spawn(name, ["--version"], {
+            stdio: ["ignore", "pipe", "pipe"],
+            timeout: timeoutMs,
+        });
+        let merged = "";
+        child.stdout?.on("data", (chunk) => {
+            merged += chunk.toString();
+        });
+        child.stderr?.on("data", (chunk) => {
+            merged += chunk.toString();
+        });
+        child.on("close", (code) => {
+            resolve({
+                found: code === 0,
+                version: merged.trim().split("\n")[0] ?? "",
+            });
+        });
+        child.on("error", () => {
+            resolve({ found: false, version: "" });
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// 带超时的命令执行
+// ---------------------------------------------------------------------------
+/**
+ * 执行命令，超时后发送 SIGKILL 强制终止。
+ * 返回 stdout、stderr、退出码以及是否因超时而被 kill。
+ */
+export function runCommand(command, args, timeoutMs) {
+    return new Promise((resolve) => {
+        const child = spawn(command, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        let killed = false;
+        const timer = setTimeout(() => {
+            killed = true;
+            child.kill("SIGKILL");
+        }, timeoutMs);
+        child.stdout?.on("data", (chunk) => {
+            stdout += chunk.toString();
+        });
+        child.stderr?.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("close", (code) => {
+            clearTimeout(timer);
+            resolve({ stdout, stderr, exitCode: code, killed });
+        });
+        child.on("error", (err) => {
+            clearTimeout(timer);
+            resolve({
+                stdout: "",
+                stderr: `spawn(${command}) 失败: ${err.message}`,
+                exitCode: null,
+                killed: false,
+            });
+        });
+    });
+}
+/**
+ * 验证路径存在、为目录、且可读。
+ */
+export async function verifyDirectory(raw) {
+    const resolvedPath = resolve(raw);
+    try {
+        const info = await stat(resolvedPath);
+        if (!info.isDirectory()) {
+            return { ok: false, resolved: resolvedPath, reason: "路径不是目录" };
+        }
+        return { ok: true, resolved: resolvedPath };
+    }
+    catch (err) {
+        const detail = err instanceof Error ? err.message : String(err);
+        return { ok: false, resolved: resolvedPath, reason: `无法访问: ${detail}` };
+    }
+}
+/**
+ * 拒绝扫描系统敏感路径，避免误操作。
+ */
+export function isSensitivePath(target) {
+    const denyList = [
+        "/etc/passwd",
+        "/etc/shadow",
+        "/proc",
+        "/sys",
+        "/root",
+        "C:\\Windows\\System32",
+        "~/.ssh",
+    ];
+    const lower = target.toLowerCase();
+    return denyList.some((entry) => lower.includes(entry.toLowerCase()));
+}
+export async function checkDependencies() {
+    const [semgrep, gitleaks] = await Promise.all([
+        detectBinary("semgrep"),
+        detectBinary("gitleaks"),
+    ]);
+    logger.info(`依赖检测: semgrep=${semgrep.found ? semgrep.version || "✓" : "✗"}, gitleaks=${gitleaks.found ? gitleaks.version || "✓" : "✗"}`);
+    return {
+        semgrep: { installed: semgrep.found, version: semgrep.version },
+        gitleaks: { installed: gitleaks.found, version: gitleaks.version },
+    };
+}
+//# sourceMappingURL=executor.js.map

package/dist/lib/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../src/lib/executor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAkBrC,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,SAAS,GAAG,MAAM;IAC3D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAiB,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE;YACrD,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,OAAO,CAAC;gBACN,KAAK,EAAE,IAAI,KAAK,CAAC;gBACjB,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACrB,OAAO,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,OAAe,EACf,IAAc,EACd,SAAiB;IAEjB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAiB,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YAC/C,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,GAAG,IAAI,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC;gBACN,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,SAAS,OAAO,SAAS,GAAG,CAAC,OAAO,EAAE;gBAC9C,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAYD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAW;IAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;IAC1E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,QAAQ,GAAG;QACf,aAAa;QACb,aAAa;QACb,OAAO;QACP,MAAM;QACN,OAAO;QACP,uBAAuB;QACvB,QAAQ;KACT,CAAC;IACF,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACvE,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,YAAY,CAAC,SAAS,CAAC;QACvB,YAAY,CAAC,UAAU,CAAC;KACzB,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CACT,iBAAiB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,cAAc,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAC5H,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;QAC/D,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE;KACnE,CAAC;AACJ,CAAC"}

package/dist/lib/logger.d.ts

@@ -0,0 +1,13 @@
+/**
+ * 结构化日志模块 — 所有日志写入 stderr，确保 MCP 协议通道（stdout）不受污染。
+ *
+ * 输出格式为单行 JSON，便于日志聚合工具解析：
+ * {"ts":"2026-06-13T...","level":"info","msg":"...","ctx":{}}
+ */
+export declare const logger: {
+    debug: (msg: string, ctx?: unknown) => void;
+    info: (msg: string, ctx?: unknown) => void;
+    warn: (msg: string, ctx?: unknown) => void;
+    error: (msg: string, ctx?: unknown) => void;
+};
+//# sourceMappingURL=logger.d.ts.map

package/dist/lib/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA+BH,eAAO,MAAM,MAAM;iBACJ,MAAM,QAAQ,OAAO;gBACtB,MAAM,QAAQ,OAAO;gBACrB,MAAM,QAAQ,OAAO;iBACpB,MAAM,QAAQ,OAAO;CACnC,CAAC"}

package/dist/lib/logger.js

@@ -0,0 +1,36 @@
+/**
+ * 结构化日志模块 — 所有日志写入 stderr，确保 MCP 协议通道（stdout）不受污染。
+ *
+ * 输出格式为单行 JSON，便于日志聚合工具解析：
+ * {"ts":"2026-06-13T...","level":"info","msg":"...","ctx":{}}
+ */
+const SEVERITY_RANK = {
+    debug: 0,
+    info: 1,
+    warn: 2,
+    error: 3,
+};
+/** 从 LOG_LEVEL 环境变量读取阈值，默认 "info" */
+function threshold() {
+    const raw = (process.env.LOG_LEVEL ?? "info").toLowerCase();
+    return raw in SEVERITY_RANK ? raw : "info";
+}
+function emit(level, message, context) {
+    const current = threshold();
+    if (SEVERITY_RANK[level] < SEVERITY_RANK[current])
+        return;
+    const record = {
+        ts: new Date().toISOString(),
+        level,
+        msg: message,
+        ...(context !== undefined ? { ctx: context } : {}),
+    };
+    process.stderr.write(JSON.stringify(record) + "\n");
+}
+export const logger = {
+    debug: (msg, ctx) => emit("debug", msg, ctx),
+    info: (msg, ctx) => emit("info", msg, ctx),
+    warn: (msg, ctx) => emit("warn", msg, ctx),
+    error: (msg, ctx) => emit("error", msg, ctx),
+};
+//# sourceMappingURL=logger.js.map

package/dist/lib/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,aAAa,GAAgC;IACjD,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,qCAAqC;AACrC,SAAS,SAAS;IAChB,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5D,OAAO,GAAG,IAAI,aAAa,CAAC,CAAC,CAAE,GAAmB,CAAC,CAAC,CAAC,MAAM,CAAC;AAC9D,CAAC;AAED,SAAS,IAAI,CAAC,KAAkB,EAAE,OAAe,EAAE,OAAiB;IAClE,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;IAC5B,IAAI,aAAa,CAAC,KAAK,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC;QAAE,OAAO;IAE1D,MAAM,MAAM,GAAG;QACb,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAC5B,KAAK;QACL,GAAG,EAAE,OAAO;QACZ,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACnD,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG;IACpB,KAAK,EAAE,CAAC,GAAW,EAAE,GAAa,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC;IAC9D,IAAI,EAAE,CAAC,GAAW,EAAE,GAAa,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC;IAC5D,IAAI,EAAE,CAAC,GAAW,EAAE,GAAa,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC;IAC5D,KAAK,EAAE,CAAC,GAAW,EAAE,GAAa,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC;CAC/D,CAAC"}

package/dist/lib/scanner.d.ts

@@ -0,0 +1,26 @@
+/**
+ * 扫描编排模块 — 封装 semgrep SAST 和 gitleaks 密钥检测的调用逻辑。
+ *
+ * 设计原则：
+ * - 每个扫描器返回统一结构的 ToolResult（含 available / error / install_hint / results）
+ * - 工具未安装时不报错，而是在结果中嵌入各平台安装指引
+ * - 所有运行时异常在此层兜底，上层（tool handler）只关心组装报告
+ */
+export interface ToolResult {
+    available: boolean;
+    error?: string;
+    installGuide?: string;
+    findings?: unknown;
+}
+interface ScanOutcome {
+    semgrep: ToolResult;
+    gitleaks: ToolResult;
+    elapsedMs: number;
+}
+/**
+ * 并行执行 semgrep 和 gitleaks，返回合并结果及耗时。
+ * 单个扫描器失败不影响另一方，所有错误封装在 ToolResult 中。
+ */
+export declare function executeScan(target: string): Promise<ScanOutcome>;
+export {};
+//# sourceMappingURL=scanner.d.ts.map

package/dist/lib/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/lib/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,UAAU,WAAW;IACnB,OAAO,EAAE,UAAU,CAAC;IACpB,QAAQ,EAAE,UAAU,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAuKD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAOtE"}

package/dist/lib/scanner.js

@@ -0,0 +1,161 @@
+/**
+ * 扫描编排模块 — 封装 semgrep SAST 和 gitleaks 密钥检测的调用逻辑。
+ *
+ * 设计原则：
+ * - 每个扫描器返回统一结构的 ToolResult（含 available / error / install_hint / results）
+ * - 工具未安装时不报错，而是在结果中嵌入各平台安装指引
+ * - 所有运行时异常在此层兜底，上层（tool handler）只关心组装报告
+ */
+import { detectBinary, runCommand } from "./executor.js";
+import { logger } from "./logger.js";
+// ---------------------------------------------------------------------------
+// 常量
+// ---------------------------------------------------------------------------
+const TIMEOUT_SEMGREP = (Number(process.env.SEMGREP_TIMEOUT) || 300) * 1000;
+const TIMEOUT_GITLEAKS = (Number(process.env.GITLEAKS_TIMEOUT) || 120) * 1000;
+const RULESET = process.env.SEMGREP_CONFIG || "auto";
+// ---------------------------------------------------------------------------
+// 安装指引（纯文本，多平台）
+// ---------------------------------------------------------------------------
+const INSTALL_SEMGREP = [
+    "# macOS",
+    "brew install semgrep",
+    "",
+    "# Linux",
+    "pipx install semgrep",
+    "",
+    "# 或通过 pip",
+    "pip3 install semgrep",
+    "",
+    "# Docker（无需本地安装）",
+    "docker run --rm -v \"$(pwd):/src\" returntocorp/semgrep semgrep --config=auto /src",
+].join("\n");
+const INSTALL_GITLEAKS = [
+    "# macOS",
+    "brew install gitleaks",
+    "",
+    "# Linux (预编译二进制)",
+    "curl -fsSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.18.4_linux_x64.tar.gz | tar -xz -C /usr/local/bin/ gitleaks",
+    "chmod +x /usr/local/bin/gitleaks",
+    "",
+    "# 或使用 Go 安装",
+    "go install github.com/gitleaks/gitleaks/v8@latest",
+].join("\n");
+// ---------------------------------------------------------------------------
+// 扫描器实现
+// ---------------------------------------------------------------------------
+async function scanSemgrep(target) {
+    const bin = await detectBinary("semgrep");
+    if (!bin.found) {
+        return {
+            available: false,
+            error: "semgrep 未安装或不在 PATH 中",
+            installGuide: INSTALL_SEMGREP,
+        };
+    }
+    logger.info(`semgrep 扫描启动: ${target} (ruleset=${RULESET})`);
+    try {
+        const { stdout, stderr, exitCode, killed } = await runCommand("semgrep", ["--config", RULESET, "--json", "--quiet", target], TIMEOUT_SEMGREP);
+        if (killed) {
+            return {
+                available: true,
+                error: `扫描超时（>${TIMEOUT_SEMGREP / 1000}s），建议缩小扫描范围`,
+            };
+        }
+        if (stderr) {
+            logger.warn(`semgrep stderr: ${stderr.slice(0, 400)}`);
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(stdout || "{}");
+        }
+        catch {
+            // 尝试从混合输出中截取 JSON 段
+            const start = stdout.indexOf("{");
+            if (start >= 0) {
+                try {
+                    parsed = JSON.parse(stdout.slice(start));
+                }
+                catch {
+                    parsed = { _raw: stdout.slice(0, 2000), _parseError: true };
+                }
+            }
+            else {
+                parsed = { _raw: stdout.slice(0, 2000), _parseError: true };
+            }
+        }
+        const results = parsed?.results;
+        const count = Array.isArray(results) ? results.length : 0;
+        logger.info(`semgrep 完成: ${count} 个发现 (exit=${exitCode})`);
+        return { available: true, findings: parsed };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error(`semgrep 异常: ${msg}`);
+        return { available: true, error: `semgrep 执行失败: ${msg}` };
+    }
+}
+async function scanGitleaks(target) {
+    const bin = await detectBinary("gitleaks");
+    if (!bin.found) {
+        return {
+            available: false,
+            error: "gitleaks 未安装或不在 PATH 中",
+            installGuide: INSTALL_GITLEAKS,
+        };
+    }
+    logger.info(`gitleaks 扫描启动: ${target}`);
+    try {
+        const { stdout, stderr, exitCode, killed } = await runCommand("gitleaks", [
+            "detect",
+            "--no-git",
+            "--source",
+            target,
+            "--format",
+            "json",
+            "--exit-code",
+            "0",
+            "--verbose",
+        ], TIMEOUT_GITLEAKS);
+        if (killed) {
+            return {
+                available: true,
+                error: `扫描超时（>${TIMEOUT_GITLEAKS / 1000}s）`,
+            };
+        }
+        if (stderr) {
+            logger.warn(`gitleaks stderr: ${stderr.slice(0, 400)}`);
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(stdout || "[]");
+        }
+        catch {
+            parsed = { _raw: stdout.slice(0, 2000), _parseError: true };
+        }
+        const count = Array.isArray(parsed) ? parsed.length : 0;
+        logger.info(`gitleaks 完成: ${count} 个发现 (exit=${exitCode})`);
+        return { available: true, findings: parsed };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error(`gitleaks 异常: ${msg}`);
+        return { available: true, error: `gitleaks 执行失败: ${msg}` };
+    }
+}
+// ---------------------------------------------------------------------------
+// 并行编排入口
+// ---------------------------------------------------------------------------
+/**
+ * 并行执行 semgrep 和 gitleaks，返回合并结果及耗时。
+ * 单个扫描器失败不影响另一方，所有错误封装在 ToolResult 中。
+ */
+export async function executeScan(target) {
+    const start = Date.now();
+    const [semgrep, gitleaks] = await Promise.all([
+        scanSemgrep(target),
+        scanGitleaks(target),
+    ]);
+    return { semgrep, gitleaks, elapsedMs: Date.now() - start };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/lib/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/lib/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAmBrC,8EAA8E;AAC9E,KAAK;AACL,8EAA8E;AAE9E,MAAM,eAAe,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC;AAC5E,MAAM,gBAAgB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC;AAC9E,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC;AAErD,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,MAAM,eAAe,GAAG;IACtB,SAAS;IACT,sBAAsB;IACtB,EAAE;IACF,SAAS;IACT,sBAAsB;IACtB,EAAE;IACF,WAAW;IACX,sBAAsB;IACtB,EAAE;IACF,kBAAkB;IAClB,oFAAoF;CACrF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb,MAAM,gBAAgB,GAAG;IACvB,SAAS;IACT,uBAAuB;IACvB,EAAE;IACF,kBAAkB;IAClB,iJAAiJ;IACjJ,kCAAkC;IAClC,EAAE;IACF,aAAa;IACb,mDAAmD;CACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,KAAK,UAAU,WAAW,CAAC,MAAc;IACvC,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC;IAE1C,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACf,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,uBAAuB;YAC9B,YAAY,EAAE,eAAe;SAC9B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,aAAa,OAAO,GAAG,CAAC,CAAC;IAE5D,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAC3D,SAAS,EACT,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,EAClD,eAAe,CAChB,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,SAAS,eAAe,GAAG,IAAI,aAAa;aACpD,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;YACpB,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;gBAC9D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAI,MAAkC,EAAE,OAAO,CAAC;QAC7D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,eAAe,KAAK,cAAc,QAAQ,GAAG,CAAC,CAAC;QAE3D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,eAAe,GAAG,EAAE,CAAC,CAAC;QACnC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,iBAAiB,GAAG,EAAE,EAAE,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,MAAc;IACxC,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,UAAU,CAAC,CAAC;IAE3C,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACf,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,wBAAwB;YAC/B,YAAY,EAAE,gBAAgB;SAC/B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,UAAU,CAC3D,UAAU,EACV;YACE,QAAQ;YACR,UAAU;YACV,UAAU;YACV,MAAM;YACN,UAAU;YACV,MAAM;YACN,aAAa;YACb,GAAG;YACH,WAAW;SACZ,EACD,gBAAgB,CACjB,CAAC;QAEF,IAAI,MAAM,EAAE,CAAC;YACX,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,SAAS,gBAAgB,GAAG,IAAI,IAAI;aAC5C,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QAC9D,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAE,MAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,gBAAgB,KAAK,cAAc,QAAQ,GAAG,CAAC,CAAC;QAE5D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAC;QACpC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,kBAAkB,GAAG,EAAE,EAAE,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAAc;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC5C,WAAW,CAAC,MAAM,CAAC;QACnB,YAAY,CAAC,MAAM,CAAC;KACrB,CAAC,CAAC;IACH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC;AAC9D,CAAC"}

package/dist/main.d.ts

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+/**
+ * Luvv MCPServer — 入口路由器
+ *
+ * 用法：
+ *   node dist/main.js           # 默认 stdio 模式
+ *   node dist/main.js stdio     # 显式 stdio
+ *
+ * 未来可扩展：
+ *   node dist/main.js sse       # Server-Sent Events
+ *   node dist/main.js http      # Streamable HTTP
+ */
+export {};
+//# sourceMappingURL=main.d.ts.map

package/dist/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AACA;;;;;;;;;;GAUG"}

package/dist/main.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+/**
+ * Luvv MCPServer — 入口路由器
+ *
+ * 用法：
+ *   node dist/main.js           # 默认 stdio 模式
+ *   node dist/main.js stdio     # 显式 stdio
+ *
+ * 未来可扩展：
+ *   node dist/main.js sse       # Server-Sent Events
+ *   node dist/main.js http      # Streamable HTTP
+ */
+import { logger } from "./lib/logger.js";
+const transport = process.argv[2] || "stdio";
+async function main() {
+    switch (transport) {
+        case "stdio": {
+            const { launchStdio } = await import("./transports/stdio.js");
+            await launchStdio();
+            break;
+        }
+        default:
+            logger.error(`未知传输模式: ${transport}`);
+            process.stderr.write(`用法: node dist/main.js [stdio]\n`);
+            process.stderr.write(`可用模式: stdio\n`);
+            process.exit(1);
+    }
+}
+main().catch((err) => {
+    logger.error("启动失败", {
+        detail: err instanceof Error ? err.message : String(err),
+    });
+    process.exit(1);
+});
+//# sourceMappingURL=main.js.map

package/dist/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AACA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAEzC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;AAE7C,KAAK,UAAU,IAAI;IACjB,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YAC9D,MAAM,WAAW,EAAE,CAAC;YACpB,MAAM;QACR,CAAC;QACD;YACE,MAAM,CAAC,KAAK,CAAC,WAAW,SAAS,EAAE,CAAC,CAAC;YACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE;QACnB,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;KACzD,CAAC,CAAC;IACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,21 @@
+/**
+ * MCP Server 工厂 — 负责创建和配置 McpServer 实例。
+ *
+ * 此模块不关心传输层协议（stdio/SSE/HTTP），只负责：
+ * 1. 创建服务器实例（name + version）
+ * 2. 注册所有工具 / 资源 / 提示
+ * 3. 返回 server 实例及清理函数
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export interface ServerContext {
+    server: McpServer;
+    /** 优雅关闭：依次关闭 server 并执行清理回调 */
+    shutdown: () => Promise<void>;
+}
+/**
+ * 创建并配置一个完整的 MCP Server。
+ *
+ * 调用方负责将 server 连接到具体传输层（如 StdioServerTransport）。
+ */
+export declare function createServer(): ServerContext;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAQpE,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/B;AAMD;;;;GAIG;AACH,wBAAgB,YAAY,IAAI,aAAa,CA8B5C"}

package/dist/server.js

@@ -0,0 +1,46 @@
+/**
+ * MCP Server 工厂 — 负责创建和配置 McpServer 实例。
+ *
+ * 此模块不关心传输层协议（stdio/SSE/HTTP），只负责：
+ * 1. 创建服务器实例（name + version）
+ * 2. 注册所有工具 / 资源 / 提示
+ * 3. 返回 server 实例及清理函数
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { registerAllTools } from "./tools/index.js";
+import { logger } from "./lib/logger.js";
+// ---------------------------------------------------------------------------
+// 工厂函数
+// ---------------------------------------------------------------------------
+/**
+ * 创建并配置一个完整的 MCP Server。
+ *
+ * 调用方负责将 server 连接到具体传输层（如 StdioServerTransport）。
+ */
+export function createServer() {
+    logger.info("正在初始化 Luvv MCPServer...");
+    const server = new McpServer({
+        name: "luvv-security-scanner",
+        version: "1.1.0",
+    });
+    // --- 注册能力 ---
+    registerAllTools(server);
+    // --- 构造清理函数 ---
+    const cleanupTasks = [];
+    const shutdown = async () => {
+        logger.info("正在关闭服务器...");
+        for (const task of cleanupTasks) {
+            try {
+                await task();
+            }
+            catch (err) {
+                logger.error("清理任务失败", { detail: String(err) });
+            }
+        }
+        await server.close();
+        logger.info("服务器已关闭");
+    };
+    logger.info("MCP Server 实例创建完成");
+    return { server, shutdown };
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAYzC,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,eAAe;IACf,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEzB,iBAAiB;IACjB,MAAM,YAAY,GAA+B,EAAE,CAAC;IAEpD,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1B,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,IAAI,EAAE,CAAC;YACf,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxB,CAAC,CAAC;IAEF,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC"}

package/dist/tools/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * 工具注册汇总 — 所有 MCP 工具的集中注册入口。
+ *
+ * 新增工具时：
+ * 1. 在 tools/ 下创建独立文件
+ * 2. 导出 registerXxx(server) 函数
+ * 3. 在此文件中导入并调用
+ */
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+/**
+ * 向 McpServer 实例注册所有工具。
+ * 被 server.ts 的 createServer() 工厂调用。
+ */
+export declare function registerAllTools(server: McpServer): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/tools/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAGzE;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAExD"}

package/dist/tools/index.js

@@ -0,0 +1,17 @@
+/**
+ * 工具注册汇总 — 所有 MCP 工具的集中注册入口。
+ *
+ * 新增工具时：
+ * 1. 在 tools/ 下创建独立文件
+ * 2. 导出 registerXxx(server) 函数
+ * 3. 在此文件中导入并调用
+ */
+import { registerRunSecurityScan } from "./run-security-scan.js";
+/**
+ * 向 McpServer 实例注册所有工具。
+ * 被 server.ts 的 createServer() 工厂调用。
+ */
+export function registerAllTools(server) {
+    registerRunSecurityScan(server);
+}
+//# sourceMappingURL=index.js.map

package/dist/tools/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAEjE;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAChD,uBAAuB,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC"}

package/dist/tools/run-security-scan.d.ts

@@ -0,0 +1,40 @@
+/**
+ * run_security_scan 工具定义与处理器。
+ *
+ * 接收 target_path，内部编排 semgrep + gitleaks 并行扫描，
+ * 返回结构化的安全审计报告。
+ */
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+export declare const SecurityScanInput: z.ZodObject<{
+    target_path: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    target_path: string;
+}, {
+    target_path: string;
+}>;
+export type SecurityScanArgs = z.infer<typeof SecurityScanInput>;
+export declare const TOOL_NAME = "run_security_scan";
+export declare const TOOL_CONFIG: {
+    title: string;
+    description: string;
+    inputSchema: z.ZodObject<{
+        target_path: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        target_path: string;
+    }, {
+        target_path: string;
+    }>;
+    annotations: {
+        readOnlyHint: boolean;
+        destructiveHint: boolean;
+        idempotentHint: boolean;
+        openWorldHint: boolean;
+    };
+};
+/**
+ * 向 McpServer 实例注册 run_security_scan 工具。
+ * 采用 server.tool() 高层 API，与官方 server.registerTool() 等价但更简洁。
+ */
+export declare function registerRunSecurityScan(server: McpServer): void;
+//# sourceMappingURL=run-security-scan.d.ts.map

package/dist/tools/run-security-scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-security-scan.d.ts","sourceRoot":"","sources":["../../src/tools/run-security-scan.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AASxB,eAAO,MAAM,iBAAiB;;;;;;EAK5B,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAMjE,eAAO,MAAM,SAAS,sBAAsB,CAAC;AAE7C,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;CAYvB,CAAC;AAqGF;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA4E/D"}

package/dist/tools/run-security-scan.js

@@ -0,0 +1,172 @@
+/**
+ * run_security_scan 工具定义与处理器。
+ *
+ * 接收 target_path，内部编排 semgrep + gitleaks 并行扫描，
+ * 返回结构化的安全审计报告。
+ */
+import { z } from "zod";
+import { executeScan } from "../lib/scanner.js";
+import { verifyDirectory, isSensitivePath } from "../lib/executor.js";
+import { logger } from "../lib/logger.js";
+// ---------------------------------------------------------------------------
+// 输入 Schema（Zod）
+// ---------------------------------------------------------------------------
+export const SecurityScanInput = z.object({
+    target_path: z
+        .string()
+        .min(1, "target_path 不能为空")
+        .describe("要扫描的目标目录的绝对路径，如 /home/user/project"),
+});
+// ---------------------------------------------------------------------------
+// 工具元数据
+// ---------------------------------------------------------------------------
+export const TOOL_NAME = "run_security_scan";
+export const TOOL_CONFIG = {
+    title: "安全审计扫描",
+    description: "对目标目录执行安全扫描，内部自动并行调用 semgrep（SAST 静态分析）和 gitleaks（硬编码密钥检测），" +
+        "返回合并的结构化 JSON 审计报告。若依赖工具未安装，报告中会附带各平台的安装指引。",
+    inputSchema: SecurityScanInput,
+    annotations: {
+        readOnlyHint: true, // 只读操作，不修改任何文件
+        destructiveHint: false, // 非破坏性
+        idempotentHint: true, // 对同一目录多次扫描结果一致（幂等）
+        openWorldHint: false, // 不依赖外部世界状态
+    },
+};
+// ---------------------------------------------------------------------------
+// 结果裁剪（缩减大型输出，保护敏感数据）
+// ---------------------------------------------------------------------------
+/** 对 semgrep 输出只保留摘要字段 */
+function trimSemgrep(findings) {
+    const data = findings;
+    if (!data || !Array.isArray(data.results))
+        return findings;
+    return {
+        ...data,
+        results: data.results.map((r) => ({
+            check_id: r.check_id,
+            path: r.path,
+            start: r.start,
+            end: r.end,
+            extra: {
+                severity: r.extra?.severity,
+                message: r.extra?.message,
+            },
+        })),
+    };
+}
+/** 对 gitleaks 输出做密钥掩码处理 */
+function trimGitleaks(findings) {
+    if (!Array.isArray(findings))
+        return findings;
+    return findings.map((f) => ({
+        RuleID: f.RuleID,
+        Description: f.Description,
+        File: f.File,
+        StartLine: f.StartLine,
+        Secret: f.Secret ? "***MASKED***" : undefined,
+        Match: f.Match,
+    }));
+}
+function buildReport(targetRaw, resolved, elapsed, semgrepResult, gitleaksResult) {
+    const semFindings = semgrepResult.findings?.results?.length ?? 0;
+    const glFindings = Array.isArray(gitleaksResult.findings)
+        ? gitleaksResult.findings.length
+        : 0;
+    return {
+        target_path: targetRaw,
+        resolved_path: resolved,
+        scan_time: new Date().toISOString(),
+        duration_ms: elapsed,
+        tools: {
+            semgrep: semgrepResult,
+            gitleaks: gitleaksResult,
+        },
+        summary: {
+            total_findings: semFindings + glFindings,
+            semgrep_findings: semFindings,
+            gitleaks_findings: glFindings,
+        },
+        environment: {
+            node_version: process.version,
+            platform: process.platform,
+            hostname: process.env.COMPUTERNAME || process.env.HOSTNAME || "unknown",
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// 注册入口
+// ---------------------------------------------------------------------------
+/**
+ * 向 McpServer 实例注册 run_security_scan 工具。
+ * 采用 server.tool() 高层 API，与官方 server.registerTool() 等价但更简洁。
+ */
+export function registerRunSecurityScan(server) {
+    server.registerTool(TOOL_NAME, TOOL_CONFIG, async (args) => {
+        const { target_path } = SecurityScanInput.parse(args);
+        // --- 1. 敏感路径拦截 ---
+        if (isSensitivePath(target_path)) {
+            logger.warn(`拒绝敏感路径扫描请求: ${target_path}`);
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: JSON.stringify({
+                            target_path,
+                            scan_time: new Date().toISOString(),
+                            error: "出于安全原因，拒绝扫描系统敏感目录",
+                            tools: { semgrep: { available: false }, gitleaks: { available: false } },
+                        }, null, 2),
+                    },
+                ],
+            };
+        }
+        // --- 2. 路径验证 ---
+        const verified = await verifyDirectory(target_path);
+        if (!verified.ok) {
+            logger.warn(`路径验证失败: ${verified.reason}`);
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: JSON.stringify({
+                            target_path,
+                            scan_time: new Date().toISOString(),
+                            error: verified.reason ?? "路径不可访问",
+                            tools: { semgrep: { available: false }, gitleaks: { available: false } },
+                        }, null, 2),
+                    },
+                ],
+            };
+        }
+        // --- 3. 执行扫描 ---
+        logger.info(`开始安全扫描: ${verified.resolved}`);
+        const { semgrep, gitleaks, elapsedMs } = await executeScan(verified.resolved);
+        // --- 4. 裁剪输出（非原始模式） ---
+        const wantRaw = process.env.INCLUDE_RAW_OUTPUT === "true";
+        const semgrepOut = {
+            available: semgrep.available,
+            ...(semgrep.error ? { error: semgrep.error } : {}),
+            ...(semgrep.installGuide ? { install_guide: semgrep.installGuide } : {}),
+            findings: wantRaw ? semgrep.findings : trimSemgrep(semgrep.findings),
+        };
+        const gitleaksOut = {
+            available: gitleaks.available,
+            ...(gitleaks.error ? { error: gitleaks.error } : {}),
+            ...(gitleaks.installGuide ? { install_guide: gitleaks.installGuide } : {}),
+            findings: wantRaw ? gitleaks.findings : trimGitleaks(gitleaks.findings),
+        };
+        // --- 5. 组装报告 ---
+        const report = buildReport(target_path, verified.resolved, elapsedMs, semgrepOut, gitleaksOut);
+        logger.info(`扫描完成: ${report.summary.total_findings} 个发现, 耗时 ${elapsedMs}ms`);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(report, null, 2),
+                },
+            ],
+        };
+    });
+}
+//# sourceMappingURL=run-security-scan.js.map

package/dist/tools/run-security-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-security-scan.js","sourceRoot":"","sources":["../../src/tools/run-security-scan.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE1C,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,CAAC;SACX,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,EAAE,kBAAkB,CAAC;SAC1B,QAAQ,CAAC,oCAAoC,CAAC;CAClD,CAAC,CAAC;AAIH,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,MAAM,CAAC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAE7C,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,KAAK,EAAE,QAAQ;IACf,WAAW,EACT,6DAA6D;QAC7D,6CAA6C;IAC/C,WAAW,EAAE,iBAAiB;IAC9B,WAAW,EAAE;QACX,YAAY,EAAE,IAAI,EAAQ,eAAe;QACzC,eAAe,EAAE,KAAK,EAAI,OAAO;QACjC,cAAc,EAAE,IAAI,EAAM,oBAAoB;QAC9C,aAAa,EAAE,KAAK,EAAM,YAAY;KACvC;CACF,CAAC;AAEF,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,0BAA0B;AAC1B,SAAS,WAAW,CAAC,QAAiB;IACpC,MAAM,IAAI,GAAG,QAAsD,CAAC;IACpE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC3D,OAAO;QACL,GAAG,IAAI;QACP,OAAO,EAAG,IAAI,CAAC,OAA0C,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpE,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,KAAK,EAAE;gBACL,QAAQ,EAAG,CAAC,CAAC,KAAiC,EAAE,QAAQ;gBACxD,OAAO,EAAG,CAAC,CAAC,KAAiC,EAAE,OAAO;aACvD;SACF,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED,2BAA2B;AAC3B,SAAS,YAAY,CAAC,QAAiB;IACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC9C,OAAQ,QAA2C,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9D,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS;QAC7C,KAAK,EAAE,CAAC,CAAC,KAAK;KACf,CAAC,CAAC,CAAC;AACN,CAAC;AA2BD,SAAS,WAAW,CAClB,SAAiB,EACjB,QAAgB,EAChB,OAAe,EACf,aAAsC,EACtC,cAAuC;IAEvC,MAAM,WAAW,GAAI,aAAa,CAAC,QAAoC,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC;IAC9F,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC;QACvD,CAAC,CAAE,cAAc,CAAC,QAAsB,CAAC,MAAM;QAC/C,CAAC,CAAC,CAAC,CAAC;IAEN,OAAO;QACL,WAAW,EAAE,SAAS;QACtB,aAAa,EAAE,QAAQ;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE;YACL,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,cAAc;SACzB;QACD,OAAO,EAAE;YACP,cAAc,EAAE,WAAW,GAAG,UAAU;YACxC,gBAAgB,EAAE,WAAW;YAC7B,iBAAiB,EAAE,UAAU;SAC9B;QACD,WAAW,EAAE;YACX,YAAY,EAAE,OAAO,CAAC,OAAO;YAC7B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;SACxE;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAiB;IACvD,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,IAAI,EAA2B,EAAE;QAClF,MAAM,EAAE,WAAW,EAAE,GAAG,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEtD,oBAAoB;QACpB,IAAI,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,eAAe,WAAW,EAAE,CAAC,CAAC;YAC1C,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,WAAW;4BACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;4BACnC,KAAK,EAAE,mBAAmB;4BAC1B,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE;yBACzE,EAAE,IAAI,EAAE,CAAC,CAAC;qBACZ;iBACF;aACF,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAC1C,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,WAAW;4BACX,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;4BACnC,KAAK,EAAE,QAAQ,CAAC,MAAM,IAAI,QAAQ;4BAClC,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE;yBACzE,EAAE,IAAI,EAAE,CAAC,CAAC;qBACZ;iBACF;aACF,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,MAAM,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC5C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE9E,yBAAyB;QACzB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,MAAM,CAAC;QAC1D,MAAM,UAAU,GAA4B;YAC1C,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC;SACrE,CAAC;QACF,MAAM,WAAW,GAA4B;YAC3C,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1E,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;SACxE,CAAC;QAEF,kBAAkB;QAClB,MAAM,MAAM,GAAG,WAAW,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QAE/F,MAAM,CAAC,IAAI,CACT,SAAS,MAAM,CAAC,OAAO,CAAC,cAAc,YAAY,SAAS,IAAI,CAChE,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;iBACtC;aACF;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/transports/stdio.d.ts

@@ -0,0 +1,17 @@
+/**
+ * stdio 传输启动器 — 通过标准输入/输出运行 MCP 服务器。
+ *
+ * 这是默认的传输模式，适用于 Claude Desktop 本地集成。
+ * 进程 stdout 承载 MCP 协议 JSON-RPC 消息，stderr 承载日志。
+ */
+/**
+ * 启动 stdio 模式服务器。
+ *
+ * 流程：
+ * 1. 预热检测 semgrep / gitleaks 可用性（仅日志，不阻塞）
+ * 2. 创建 McpServer 实例并注册工具
+ * 3. 连接到 StdioServerTransport
+ * 4. 注册 SIGINT / SIGTERM 优雅退出
+ */
+export declare function launchStdio(): Promise<void>;
+//# sourceMappingURL=stdio.d.ts.map

package/dist/transports/stdio.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../../src/transports/stdio.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;;;;;;;GAQG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC,CAwCjD"}

package/dist/transports/stdio.js

@@ -0,0 +1,54 @@
+/**
+ * stdio 传输启动器 — 通过标准输入/输出运行 MCP 服务器。
+ *
+ * 这是默认的传输模式，适用于 Claude Desktop 本地集成。
+ * 进程 stdout 承载 MCP 协议 JSON-RPC 消息，stderr 承载日志。
+ */
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { createServer } from "../server.js";
+import { checkDependencies } from "../lib/executor.js";
+import { logger } from "../lib/logger.js";
+/**
+ * 启动 stdio 模式服务器。
+ *
+ * 流程：
+ * 1. 预热检测 semgrep / gitleaks 可用性（仅日志，不阻塞）
+ * 2. 创建 McpServer 实例并注册工具
+ * 3. 连接到 StdioServerTransport
+ * 4. 注册 SIGINT / SIGTERM 优雅退出
+ */
+export async function launchStdio() {
+    logger.info("启动 stdio 传输模式...");
+    // --- 1. 预热检测 ---
+    const deps = await checkDependencies();
+    if (!deps.semgrep.installed || !deps.gitleaks.installed) {
+        logger.warn("部分依赖工具未安装，扫描时将在报告中附带安装指引", {
+            semgrep: deps.semgrep.installed,
+            gitleaks: deps.gitleaks.installed,
+        });
+    }
+    // --- 2. 创建服务器 ---
+    const { server, shutdown } = createServer();
+    // --- 3. 连接传输 ---
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    logger.info("服务器已就绪，等待客户端请求...");
+    // --- 4. 信号处理 ---
+    const handleSignal = async (signal) => {
+        logger.info(`收到 ${signal} 信号，准备退出`);
+        await shutdown();
+        process.exit(0);
+    };
+    // 阻止重复注册（防止多次信号触发重复清理）
+    process.once("SIGINT", () => handleSignal("SIGINT"));
+    process.once("SIGTERM", () => handleSignal("SIGTERM"));
+    // 未捕获异常兜底
+    process.on("unhandledRejection", (reason) => {
+        logger.error("未处理的 Promise 拒绝", { detail: String(reason) });
+    });
+    process.on("uncaughtException", (err) => {
+        logger.error("未捕获的异常", { detail: err.message });
+        shutdown().finally(() => process.exit(1));
+    });
+}
+//# sourceMappingURL=stdio.js.map

package/dist/transports/stdio.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/transports/stdio.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE1C;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAEhC,kBAAkB;IAClB,MAAM,IAAI,GAAG,MAAM,iBAAiB,EAAE,CAAC;IACvC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;YACtC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS;SAClC,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,EAAE,CAAC;IAE5C,kBAAkB;IAClB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjC,kBAAkB;IAClB,MAAM,YAAY,GAAG,KAAK,EAAE,MAAc,EAAE,EAAE;QAC5C,MAAM,CAAC,IAAI,CAAC,MAAM,MAAM,UAAU,CAAC,CAAC;QACpC,MAAM,QAAQ,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,uBAAuB;IACvB,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;IAEvD,UAAU;IACV,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,EAAE;QACtC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "luvv-mcp-server",
+  "version": "1.1.0",
+  "description": "生产级安全审计 MCP Server — 封装 semgrep + gitleaks，通过 stdio 协议为 Claude Desktop 提供自动化代码扫描能力",
+  "type": "module",
+  "main": "dist/main.js",
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/main.js",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "prestart": "npm run build"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.6.1",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.1.0",
+    "@vitest/coverage-v8": "^2.1.0"
+  },
+  "keywords": [
+    "mcp",
+    "security",
+    "audit",
+    "semgrep",
+    "gitleaks",
+    "claude",
+    "sast"
+  ],
+  "license": "MIT",
+  "author": "Luvv"
+}