nexus-agents 2.28.0 → 2.29.1

package/dist/chunk-2UR7YN6T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/mcp/tools/scanner-registry-fetcher.ts","../src/mcp/tools/repo-security-plan-fallback.ts","../src/mcp/tools/repo-security-plan.ts"],"sourcesContent":["/**\n * nexus-agents/mcp - Scanner Registry Fetcher\n *\n * Fetches the scanner-registry.json manifest from the\n * vulnerability-scanner-registry GitHub Releases at runtime.\n * Uses a TTL cache and falls back to embedded data on failure.\n *\n * @module mcp/tools/scanner-registry-fetcher\n * (Source: Consensus vote — externalize scanner registry, 6-0 unanimous)\n */\n\nimport { z } from 'zod';\nimport { createLogger } from '../../core/index.js';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A scanner entry from the registry manifest. */\nexport interface RegistryScanner {\n  readonly name: string;\n  readonly displayName: string;\n  readonly categories: readonly string[];\n  readonly license: string;\n  readonly pricingModel: string;\n  readonly relationships?: readonly RegistryRelationship[] | undefined;\n}\n\n/** A relationship edge between scanners. */\nexport interface RegistryRelationship {\n  readonly target: string;\n  readonly type: 'uses' | 'supersedes' | 'bundles' | 'competes-with';\n}\n\n/** Language matrix: category → scanner names. */\nexport interface LanguageMatrixEntry {\n  readonly sast?: readonly string[] | undefined;\n  readonly sca?: readonly string[] | undefined;\n  readonly secrets?: readonly string[] | undefined;\n  readonly container?: readonly string[] | undefined;\n  readonly iac?: readonly string[] | undefined;\n  readonly dast?: readonly string[] | undefined;\n}\n\n/** The full registry manifest shape. */\nexport interface ScannerRegistryManifest {\n  readonly version: string;\n  readonly generatedAt: string;\n  readonly scanners: readonly RegistryScanner[];\n  readonly languageMatrix: Readonly<Record<string, LanguageMatrixEntry>>;\n}\n\n// ============================================================================\n// Zod Schema for Validation\n// ============================================================================\n\nconst RelationshipSchema = z.object({\n  target: z.string().min(1),\n  type: z.enum(['uses', 'supersedes', 'bundles', 'competes-with']),\n});\n\nconst ScannerSchema = z.object({\n  name: z.string().min(1),\n  displayName: z.string().min(1),\n  categories: z.array(z.string().min(1)),\n  license: z.string().min(1),\n  pricingModel: z.string().min(1),\n  relationships: z.array(RelationshipSchema).optional(),\n});\n\nconst LanguageMatrixEntrySchema = z\n  .object({\n    sast: z.array(z.string()).optional(),\n    sca: z.array(z.string()).optional(),\n    secrets: z.array(z.string()).optional(),\n    container: z.array(z.string()).optional(),\n    iac: z.array(z.string()).optional(),\n    dast: z.array(z.string()).optional(),\n  })\n  .loose();\n\nconst ManifestSchema = z.object({\n  version: z.string().min(1),\n  generatedAt: z.string().min(1),\n  scanners: z.array(ScannerSchema),\n  languageMatrix: z.record(z.string().max(50), LanguageMatrixEntrySchema),\n});\n\n// ============================================================================\n// Cache\n// ============================================================================\n\ninterface CacheEntry {\n  manifest: ScannerRegistryManifest;\n  fetchedAt: number;\n  releaseTag: string;\n}\n\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\nlet cachedEntry: CacheEntry | null = null;\n\n/** Inflight fetch promise for probe coalescing (#1448). */\nlet inflightFetch: Promise<ScannerRegistryManifest | null> | undefined;\n\n/** Clear the cache and inflight state (for testing). */\nexport function clearRegistryCache(): void {\n  cachedEntry = null;\n  inflightFetch = undefined;\n}\n\n// ============================================================================\n// Fetcher\n// ============================================================================\n\nconst REGISTRY_REPO = 'williamzujkowski/vulnerability-scanner-registry';\nconst FETCH_TIMEOUT_MS = 10_000;\n\n/** Promisified execFile signature used by fetcher helpers. */\ntype ExecFileAsync = (\n  file: string,\n  args: readonly string[],\n  options: { timeout?: number; maxBuffer?: number }\n) => Promise<{ stdout: string; stderr: string }>;\n\nconst logger = createLogger({ component: 'scanner-registry-fetcher' });\n\n/** Get the latest release tag name (lightweight check, no download). */\nasync function getLatestReleaseTag(execFileAsync: ExecFileAsync): Promise<string | null> {\n  const { stdout } = await execFileAsync(\n    'gh',\n    ['release', 'view', '--repo', REGISTRY_REPO, '--json', 'tagName', '--jq', '.tagName'],\n    { timeout: FETCH_TIMEOUT_MS }\n  );\n  return stdout.trim() || null;\n}\n\n/** Download and parse the full manifest. */\nasync function downloadManifest(\n  execFileAsync: ExecFileAsync\n): Promise<ScannerRegistryManifest | null> {\n  const { stdout } = await execFileAsync(\n    'gh',\n    [\n      'release',\n      'download',\n      '--repo',\n      REGISTRY_REPO,\n      '--pattern',\n      'scanner-registry.json',\n      '--output',\n      '-',\n    ],\n    { timeout: FETCH_TIMEOUT_MS, maxBuffer: 1024 * 1024 }\n  );\n\n  let jsonData: unknown;\n  try {\n    jsonData = JSON.parse(stdout);\n  } catch {\n    logger.warn('Registry manifest is not valid JSON', {\n      stdoutLength: stdout.length,\n      preview: stdout.slice(0, 100),\n    });\n    return null;\n  }\n\n  const parsed = ManifestSchema.safeParse(jsonData);\n  if (!parsed.success) {\n    logger.warn('Registry manifest failed schema validation', {\n      errors: parsed.error.issues.slice(0, 3),\n    });\n    return null;\n  }\n\n  logger.info('Fetched scanner registry manifest', {\n    version: parsed.data.version,\n    scanners: parsed.data.scanners.length,\n    languages: Object.keys(parsed.data.languageMatrix).length,\n  });\n  return parsed.data;\n}\n\n/**\n * Fetch the scanner registry manifest from GitHub Releases.\n * If we have a cached version and the release tag hasn't changed,\n * just refreshes the cache timer (no download).\n */\nasync function fetchManifestFromGitHub(): Promise<ScannerRegistryManifest | null> {\n  try {\n    const { execFile } = await import('node:child_process');\n    const { promisify } = await import('node:util');\n    const execFileAsync = promisify(execFile);\n\n    const tag = await getLatestReleaseTag(execFileAsync);\n    if (tag === null) {\n      logger.warn('No releases found in scanner registry');\n      return null;\n    }\n\n    // If cached version matches the latest tag, refresh timer only\n    if (cachedEntry !== null && cachedEntry.releaseTag === tag) {\n      logger.debug('Scanner registry unchanged, refreshing cache timer', { tag });\n      cachedEntry = { ...cachedEntry, fetchedAt: Date.now() };\n      return cachedEntry.manifest;\n    }\n\n    // New release — download full manifest\n    const manifest = await downloadManifest(execFileAsync);\n    if (manifest !== null) {\n      cachedEntry = { manifest, fetchedAt: Date.now(), releaseTag: tag };\n    }\n    return manifest;\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    logger.debug('Failed to fetch scanner registry', { error: msg });\n    return null;\n  }\n}\n\n/**\n * Get the scanner registry, fetching from GitHub if cache is stale.\n * Returns null if no cached data and fetch fails.\n */\nexport async function getRegistryManifest(): Promise<ScannerRegistryManifest | null> {\n  // Check cache\n  if (cachedEntry !== null) {\n    const age = Date.now() - cachedEntry.fetchedAt;\n    if (age < CACHE_TTL_MS) {\n      return cachedEntry.manifest;\n    }\n  }\n\n  // Coalesce concurrent fetches — only one inflight request at a time (#1448)\n  inflightFetch ??= fetchManifestFromGitHub().finally(() => {\n    inflightFetch = undefined;\n  });\n  const manifest = await inflightFetch;\n  if (manifest !== null) {\n    return manifest;\n  }\n\n  // Return stale cache if available\n  if (cachedEntry !== null) {\n    logger.warn('Using stale cached registry manifest');\n    return cachedEntry.manifest;\n  }\n\n  return null;\n}\n\n/**\n * Extract scanners from manifest into the format expected by plan builder.\n */\nexport function extractScannerEntries(\n  manifest: ScannerRegistryManifest\n): readonly RegistryScanner[] {\n  return manifest.scanners;\n}\n\n/**\n * Extract language matrix, normalizing to consistent category keys.\n */\nexport function extractLanguageMatrix(\n  manifest: ScannerRegistryManifest\n): Readonly<Record<string, LanguageMatrixEntry>> {\n  return manifest.languageMatrix;\n}\n","/**\n * nexus-agents/mcp - Fallback Scanner Data\n *\n * Embedded snapshot of the vulnerability-scanner-registry manifest.\n * Used when the live registry fetch fails (network issues, gh CLI\n * unavailable, etc.). Updated periodically from the canonical\n * registry at github.com/williamzujkowski/vulnerability-scanner-registry.\n *\n * @module mcp/tools/repo-security-plan-fallback\n * (Source: Consensus vote — externalize scanner registry, 6-0 unanimous)\n */\n\nimport type { ScannerData } from './repo-security-plan.js';\n\n// ============================================================================\n// Fallback Scanner Entries (27 scanners)\n// ============================================================================\n\nconst FALLBACK_SCANNERS: ScannerData['scanners'] = [\n  {\n    name: 'semgrep',\n    displayName: 'Semgrep',\n    categories: ['sast', 'secrets'],\n    license: 'LGPL-2.1',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'codeql',\n    displayName: 'CodeQL',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'bandit',\n    displayName: 'Bandit',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'gosec',\n    displayName: 'Gosec',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'brakeman',\n    displayName: 'Brakeman',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'phpstan',\n    displayName: 'PHPStan',\n    categories: ['sast'],\n    license: 'MIT',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'shellcheck',\n    displayName: 'ShellCheck',\n    categories: ['sast'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'cppcheck',\n    displayName: 'Cppcheck',\n    categories: ['sast'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'detekt',\n    displayName: 'detekt',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'spotbugs',\n    displayName: 'SpotBugs',\n    categories: ['sast'],\n    license: 'LGPL-2.1',\n    pricingModel: 'free',\n  },\n  {\n    name: 'eslint-security',\n    displayName: 'eslint-plugin-security',\n    categories: ['sast'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'sonarqube',\n    displayName: 'SonarQube',\n    categories: ['sast', 'sca'],\n    license: 'LGPL-3.0',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'osv-scanner',\n    displayName: 'OSV-Scanner',\n    categories: ['sca', 'container', 'iac', 'sbom'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'grype',\n    displayName: 'Grype',\n    categories: ['sca', 'container'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'snyk',\n    displayName: 'Snyk',\n    categories: ['sca', 'sast', 'container'],\n    license: 'Proprietary',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'npm-audit',\n    displayName: 'npm audit',\n    categories: ['sca'],\n    license: 'Artistic-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'pip-audit',\n    displayName: 'pip-audit',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'cargo-audit',\n    displayName: 'cargo-audit',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'bundler-audit',\n    displayName: 'bundler-audit',\n    categories: ['sca'],\n    license: 'GPL-3.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'govulncheck',\n    displayName: 'govulncheck',\n    categories: ['sca'],\n    license: 'BSD-3-Clause',\n    pricingModel: 'free',\n  },\n  {\n    name: 'owasp-dependency-check',\n    displayName: 'OWASP Dependency-Check',\n    categories: ['sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'gitleaks',\n    displayName: 'Gitleaks',\n    categories: ['secrets'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'trufflehog',\n    displayName: 'TruffleHog',\n    categories: ['secrets'],\n    license: 'AGPL-3.0',\n    pricingModel: 'freemium',\n  },\n  {\n    name: 'checkov',\n    displayName: 'Checkov',\n    categories: ['iac', 'sca'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'tfsec',\n    displayName: 'tfsec',\n    categories: ['iac'],\n    license: 'MIT',\n    pricingModel: 'free',\n  },\n  {\n    name: 'owasp-zap',\n    displayName: 'OWASP ZAP',\n    categories: ['dast', 'api'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'syft',\n    displayName: 'Syft',\n    categories: ['sbom'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n  {\n    name: 'grype-image',\n    displayName: 'Grype (image scan)',\n    categories: ['image-currency', 'container'],\n    license: 'Apache-2.0',\n    pricingModel: 'free',\n  },\n];\n\n// ============================================================================\n// Fallback Language Map (16 languages)\n// ============================================================================\n\nconst FALLBACK_LANGUAGE_MAP: ScannerData['languageMap'] = {\n  TypeScript: {\n    sast: ['semgrep', 'eslint-security', 'codeql'],\n    sca: ['npm-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  JavaScript: {\n    sast: ['semgrep', 'eslint-security', 'codeql'],\n    sca: ['npm-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Python: {\n    sast: ['bandit', 'semgrep', 'codeql'],\n    sca: ['pip-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Java: {\n    sast: ['codeql', 'semgrep', 'spotbugs'],\n    sca: ['owasp-dependency-check', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Go: {\n    sast: ['gosec', 'semgrep', 'codeql'],\n    sca: ['govulncheck', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Ruby: {\n    sast: ['brakeman', 'semgrep', 'codeql'],\n    sca: ['bundler-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  PHP: {\n    sast: ['phpstan', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  'C#': {\n    sast: ['codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  C: {\n    sast: ['cppcheck', 'codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  'C++': {\n    sast: ['cppcheck', 'codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Rust: {\n    sast: ['semgrep'],\n    sca: ['cargo-audit', 'osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Kotlin: {\n    sast: ['detekt', 'semgrep', 'codeql'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Swift: {\n    sast: ['codeql', 'semgrep'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Scala: {\n    sast: ['semgrep', 'spotbugs'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n  Shell: {\n    sast: ['shellcheck', 'semgrep'],\n    sca: [],\n    secrets: ['gitleaks'],\n  },\n  HCL: {\n    sast: ['checkov', 'tfsec'],\n    sca: ['osv-scanner'],\n    secrets: ['gitleaks'],\n  },\n};\n\n// ============================================================================\n// Exported Fallback\n// ============================================================================\n\n/** Embedded scanner data snapshot used when live registry is unavailable. */\nexport const FALLBACK_SCANNER_DATA: ScannerData = {\n  scanners: FALLBACK_SCANNERS,\n  languageMap: FALLBACK_LANGUAGE_MAP,\n  source: 'fallback',\n};\n","/**\n * nexus-agents/mcp - Repository Security Plan Logic\n *\n * Generates a language-aware security scanning pipeline recommendation\n * by composing repo_analyze output with scanner registry data.\n * Fetches fresh data from vulnerability-scanner-registry GitHub Releases;\n * falls back to embedded snapshot if fetch fails.\n *\n * @module mcp/tools/repo-security-plan\n * (Source: Issue #1079, externalization vote 6-0 unanimous)\n */\n\nimport type { RepoAnalysis } from './repo-analyze-types.js';\nimport type {\n  RepoSecurityPlanInput,\n  RepoSecurityPlan,\n  ScannerRecommendation,\n  ConflictWarning,\n  CoverageAnalysis,\n} from './repo-security-plan-types.js';\nimport { analyzeGitHubRepo } from './repo-analyze.js';\nimport { getRegistryManifest } from './scanner-registry-fetcher.js';\nimport type { RegistryScanner, LanguageMatrixEntry } from './scanner-registry-fetcher.js';\nimport { FALLBACK_SCANNER_DATA } from './repo-security-plan-fallback.js';\nimport { createLogger } from '../../core/index.js';\n\nconst logger = createLogger({ component: 'repo-security-plan' });\n\n// ============================================================================\n// Scanner Data Interface (common shape for fetched + fallback)\n// ============================================================================\n\n/** Internal scanner entry used by plan builder. */\nexport interface ScannerEntry {\n  readonly name: string;\n  readonly displayName: string;\n  readonly categories: readonly string[];\n  readonly license: string;\n  readonly pricingModel: string;\n  readonly supersedes?: readonly string[];\n}\n\n/** Language mapping: category → scanner names. */\ninterface LanguageMapping {\n  readonly sast: readonly string[];\n  readonly sca: readonly string[];\n  readonly secrets: readonly string[];\n}\n\n/** Resolved scanner data for plan building. */\nexport interface ScannerData {\n  readonly scanners: readonly ScannerEntry[];\n  readonly languageMap: Readonly<Record<string, LanguageMapping>>;\n  readonly source: 'registry' | 'fallback';\n}\n\n// Re-export for consumers\nexport { FALLBACK_SCANNER_DATA } from './repo-security-plan-fallback.js';\n\n// ============================================================================\n// Registry → ScannerData Conversion\n// ============================================================================\n\nfunction convertRegistryScanner(s: RegistryScanner): ScannerEntry {\n  const supersedes = s.relationships?.filter((r) => r.type === 'supersedes').map((r) => r.target);\n  return {\n    name: s.name,\n    displayName: s.displayName,\n    categories: s.categories,\n    license: s.license,\n    pricingModel: s.pricingModel,\n    ...(supersedes !== undefined && supersedes.length > 0 ? { supersedes } : {}),\n  };\n}\n\n/** Known PascalCase language names from GitHub API. Handles registry keys like \"typescript\" → \"TypeScript\". */\nconst LANGUAGE_PASCAL_MAP: Readonly<Record<string, string>> = {\n  typescript: 'TypeScript',\n  javascript: 'JavaScript',\n  python: 'Python',\n  java: 'Java',\n  csharp: 'C#',\n  'c#': 'C#',\n  cpp: 'C++',\n  'c++': 'C++',\n  go: 'Go',\n  rust: 'Rust',\n  ruby: 'Ruby',\n  php: 'PHP',\n  swift: 'Swift',\n  kotlin: 'Kotlin',\n  scala: 'Scala',\n  hcl: 'HCL',\n  shell: 'Shell',\n  dockerfile: 'Dockerfile',\n};\n\nfunction normalizeLangName(lang: string): string {\n  const lower = lang.toLowerCase();\n  return LANGUAGE_PASCAL_MAP[lower] ?? lang.charAt(0).toUpperCase() + lang.slice(1);\n}\n\nfunction convertLanguageMatrix(\n  matrix: Readonly<Record<string, LanguageMatrixEntry>>\n): Record<string, LanguageMapping> {\n  const result: Record<string, LanguageMapping> = {};\n  for (const [lang, entry] of Object.entries(matrix)) {\n    // Normalize language name to PascalCase (GitHub API returns PascalCase like \"TypeScript\")\n    const normalized = normalizeLangName(lang);\n    result[normalized] = {\n      sast: entry.sast ?? [],\n      sca: entry.sca ?? [],\n      secrets: entry.secrets ?? [],\n    };\n  }\n  return result;\n}\n\n/** Resolve scanner data: fetch from registry, fall back to embedded. */\nexport async function resolveScannerData(): Promise<ScannerData> {\n  const manifest = await getRegistryManifest();\n  if (manifest !== null) {\n    logger.info('Using live scanner registry', {\n      version: manifest.version,\n      scanners: manifest.scanners.length,\n    });\n    return {\n      scanners: manifest.scanners.map(convertRegistryScanner),\n      languageMap: convertLanguageMatrix(manifest.languageMatrix),\n      source: 'registry',\n    };\n  }\n\n  logger.info('Using fallback scanner data');\n  return FALLBACK_SCANNER_DATA;\n}\n\n// ============================================================================\n// CI Snippet Generation (GitHub Actions only for v1)\n// ============================================================================\n\nconst CI_SNIPPETS: Readonly<Record<string, string>> = {\n  semgrep: '- uses: semgrep/semgrep-action@v1\\n  with:\\n    config: auto',\n  codeql: '- uses: github/codeql-action/analyze@v3',\n  grype: '- uses: anchore/scan-action@v4\\n  with:\\n    path: .',\n  'grype-image':\n    '- uses: anchore/scan-action@v4\\n  with:\\n    image: ${{ env.IMAGE_TAG }}\\n    severity: CRITICAL,HIGH\\n    exit-code: 1',\n  gitleaks: '- uses: gitleaks/gitleaks-action@v2',\n  bandit: '- run: pip install bandit && bandit -r . -f json',\n  gosec: '- uses: securego/gosec@master\\n  with:\\n    args: ./...',\n  checkov: '- uses: bridgecrewio/checkov-action@master',\n  'osv-scanner': '- uses: google/osv-scanner-action@v1',\n  snyk: '- uses: snyk/actions/node@master # adjust for language',\n  shellcheck: '- uses: ludeeus/action-shellcheck@master',\n};\n\nfunction generateCiSnippet(name: string, ci: string | null): string | null {\n  if (ci !== 'github-actions') return null;\n  return CI_SNIPPETS[name] ?? null;\n}\n\n// ============================================================================\n// Helper Functions\n// ============================================================================\n\nfunction findScanner(name: string, scanners: readonly ScannerEntry[]): ScannerEntry | undefined {\n  return scanners.find((s) => s.name === name);\n}\n\nfunction isAlreadyUsed(name: string, existing: readonly string[]): boolean {\n  return existing.some((t) => t.toLowerCase().includes(name.toLowerCase()));\n}\n\n/** Context passed to recommendation collectors. */\ninterface RecContext {\n  readonly existing: readonly string[];\n  readonly ciProvider: string | null;\n  readonly language: string | null;\n  readonly categoryFilter: ReadonlySet<string> | null;\n  readonly maxScanners: number;\n  readonly scanners: readonly ScannerEntry[];\n}\n\n/** Options for collecting recommendations in a single category. */\ninterface CategoryRecOptions {\n  readonly names: readonly string[];\n  readonly category: string;\n  readonly rationale: (entry: ScannerEntry) => string;\n  readonly priority: 'critical' | 'recommended';\n  readonly ctx: RecContext;\n}\n\n/** Collect recommendations for a single category. */\nfunction collectCategoryRecs(recs: ScannerRecommendation[], opts: CategoryRecOptions): void {\n  for (const name of opts.names) {\n    if (recs.length >= opts.ctx.maxScanners) break;\n    if (isAlreadyUsed(name, opts.ctx.existing)) continue;\n    const entry = findScanner(name, opts.ctx.scanners);\n    if (!entry) continue;\n    if (opts.ctx.categoryFilter && !opts.ctx.categoryFilter.has(opts.category)) continue;\n    const isFirst = opts.category === 'sast' && recs.length === 0;\n    recs.push({\n      name,\n      displayName: entry.displayName,\n      category: opts.category,\n      license: entry.license,\n      pricingModel: entry.pricingModel,\n      rationale: opts.rationale(entry),\n      priority: isFirst ? 'critical' : opts.priority,\n      ciSnippet: generateCiSnippet(name, opts.ctx.ciProvider),\n    });\n  }\n}\n\n/** Collect language-specific recommendations (SAST + SCA + secrets). */\nfunction collectLanguageRecs(\n  langMap: LanguageMapping,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  const lang = ctx.language ?? 'unknown';\n  collectCategoryRecs(recs, {\n    names: langMap.sast,\n    category: 'sast',\n    rationale: (e) => `${e.displayName} provides SAST for ${lang}`,\n    priority: 'recommended',\n    ctx,\n  });\n  collectCategoryRecs(recs, {\n    names: langMap.sca,\n    category: 'sca',\n    rationale: (e) => `${e.displayName} provides SCA for ${lang} dependencies`,\n    priority: 'critical',\n    ctx,\n  });\n  collectCategoryRecs(recs, {\n    names: langMap.secrets,\n    category: 'secrets',\n    rationale: () => 'Detects leaked credentials and API keys in source code',\n    priority: 'critical',\n    ctx,\n  });\n}\n\n/** Try to add a single scanner if not already present. */\nfunction tryAddScanner(\n  scannerName: string,\n  category: string,\n  rationale: string,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  if (recs.length >= ctx.maxScanners) return;\n  if (ctx.categoryFilter && !ctx.categoryFilter.has(category)) return;\n  if (isAlreadyUsed(scannerName, ctx.existing)) return;\n  if (recs.some((r) => r.name === scannerName)) return;\n  const entry = findScanner(scannerName, ctx.scanners);\n  if (!entry) return;\n  recs.push({\n    name: scannerName,\n    displayName: entry.displayName,\n    category,\n    license: entry.license,\n    pricingModel: entry.pricingModel,\n    rationale,\n    priority: 'recommended',\n    ciSnippet: generateCiSnippet(scannerName, ctx.ciProvider),\n  });\n}\n\n// ============================================================================\n// Conflict Detection\n// ============================================================================\n\nfunction detectConflicts(\n  recs: readonly ScannerRecommendation[],\n  scanners: readonly ScannerEntry[]\n): readonly ConflictWarning[] {\n  const warnings: ConflictWarning[] = [];\n  const names = new Set(recs.map((r) => r.name));\n  detectSuperseded(names, scanners, warnings);\n  detectRedundant(recs, warnings);\n  return warnings;\n}\n\nfunction detectSuperseded(\n  names: ReadonlySet<string>,\n  scanners: readonly ScannerEntry[],\n  warnings: ConflictWarning[]\n): void {\n  for (const scanner of scanners) {\n    if (!names.has(scanner.name)) continue;\n    if (!scanner.supersedes) continue;\n    for (const old of scanner.supersedes) {\n      if (names.has(old)) {\n        warnings.push({\n          scanners: [old, scanner.name],\n          type: 'superseded',\n          recommendation: `${scanner.displayName} supersedes ${old}. Remove ${old}.`,\n        });\n      }\n    }\n  }\n}\n\nfunction detectRedundant(\n  recs: readonly ScannerRecommendation[],\n  warnings: ConflictWarning[]\n): void {\n  const catMap = new Map<string, string[]>();\n  for (const rec of recs) {\n    const arr = catMap.get(rec.category) ?? [];\n    arr.push(rec.name);\n    catMap.set(rec.category, arr);\n  }\n  for (const [cat, scanners] of catMap) {\n    if (scanners.length > 2) {\n      const count = String(scanners.length);\n      warnings.push({\n        scanners,\n        type: 'redundant',\n        recommendation: `${count} scanners for ${cat}. Consider keeping top 2.`,\n      });\n    }\n  }\n}\n\n// ============================================================================\n// Coverage Analysis\n// ============================================================================\n\nconst ALL_CATEGORIES = ['sast', 'dast', 'sca', 'secrets', 'container', 'iac', 'image-currency'];\n\nfunction buildCoverage(\n  recs: readonly ScannerRecommendation[],\n  existing: readonly string[],\n  scanners: readonly ScannerEntry[]\n): readonly CoverageAnalysis[] {\n  return ALL_CATEGORIES.map((cat) => {\n    const found = recs.filter((r) => r.category === cat).map((r) => r.name);\n    const existingMatch = existing.some((t) =>\n      scanners.some((s) => s.categories.includes(cat) && t.toLowerCase().includes(s.name))\n    );\n    return { category: cat, covered: found.length > 0 || existingMatch, scanners: found };\n  });\n}\n\n// ============================================================================\n// Plan Assembly\n// ============================================================================\n\n/** Options for buildPlanFromAnalysis (allows optional fields for testability). */\ninterface BuildPlanOptions {\n  readonly repo: string;\n  readonly categories?: readonly string[] | undefined;\n  readonly maxScanners?: number | undefined;\n}\n\n/** Generate a security scanning plan for a repository (fetches live data). */\nexport async function generateSecurityPlan(\n  input: RepoSecurityPlanInput\n): Promise<RepoSecurityPlan> {\n  const [analysis, data] = await Promise.all([\n    analyzeGitHubRepo({ repo: input.repo, depth: 'deep' }),\n    resolveScannerData(),\n  ]);\n  return buildPlanFromAnalysis(analysis, input, data);\n}\n\n/** Collect infrastructure-specific scanner recommendations. */\nfunction collectInfraRecs(\n  analysis: RepoAnalysis,\n  recs: ScannerRecommendation[],\n  ctx: RecContext\n): void {\n  if (analysis.hasDockerfile) {\n    tryAddScanner(\n      'grype',\n      'container',\n      'Dockerfile detected — scan container images for vulnerabilities',\n      recs,\n      ctx\n    );\n    tryAddScanner('grype-image', 'image-currency', buildImageCurrencyRationale(), recs, ctx);\n  }\n  if (analysis.hasHelmCharts) {\n    tryAddScanner(\n      'checkov',\n      'iac',\n      'Helm charts detected — scan IaC for misconfigurations',\n      recs,\n      ctx\n    );\n  }\n}\n\n/**\n * Build the rationale string for periodic container base image CVE scanning.\n * Extracted to keep collectInfraRecs within the 50-line function limit.\n */\nfunction buildImageCurrencyRationale(): string {\n  return (\n    'Dockerfile detected — periodically scan built images with ' +\n    '`grype image --severity CRITICAL,HIGH` to detect CVEs introduced by stale base images. ' +\n    'Pin base images to specific version tags (e.g., node:22.4.0-alpine3.20) rather than ' +\n    ':latest to get reproducible scans and predictable CVE surface area. ' +\n    'Alpine-based images typically have a smaller CVE surface than Debian/Ubuntu equivalents ' +\n    'due to musl libc and a minimal package set, but verify with grype before assuming.'\n  );\n}\n\n/** Pure function: build plan from analysis + scanner data (testable). */\nexport function buildPlanFromAnalysis(\n  analysis: RepoAnalysis,\n  input: BuildPlanOptions,\n  data?: ScannerData\n): RepoSecurityPlan {\n  const resolved = data ?? FALLBACK_SCANNER_DATA;\n  const ctx: RecContext = {\n    existing: analysis.securityTooling,\n    ciProvider: analysis.ciProvider,\n    language: analysis.language,\n    categoryFilter: input.categories ? new Set(input.categories) : null,\n    maxScanners: input.maxScanners ?? 10,\n    scanners: resolved.scanners,\n  };\n\n  const recs: ScannerRecommendation[] = [];\n  const normalizedLang = analysis.language !== null ? normalizeLangName(analysis.language) : null;\n  const langMap = normalizedLang !== null ? resolved.languageMap[normalizedLang] : undefined;\n  if (langMap) collectLanguageRecs(langMap, recs, ctx);\n  collectInfraRecs(analysis, recs, ctx);\n\n  const conflicts = detectConflicts(recs, resolved.scanners);\n  const coverage = buildCoverage(recs, analysis.securityTooling, resolved.scanners);\n  const uncovered = coverage.filter((c) => !c.covered).map((c) => c.category);\n\n  return {\n    repo: analysis.name,\n    language: analysis.language,\n    framework: analysis.framework,\n    ciProvider: analysis.ciProvider,\n    existingTooling: analysis.securityTooling,\n    recommendations: recs,\n    conflicts,\n    coverage,\n    gapsSummary: [\n      ...analysis.gaps,\n      ...(uncovered.length > 0 ? [`Uncovered categories: ${uncovered.join(', ')}`] : []),\n    ],\n  };\n}\n"],"mappings":";;;;;;;;AAWA,SAAS,SAAS;AA6ClB,IAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACxB,MAAM,EAAE,KAAK,CAAC,QAAQ,cAAc,WAAW,eAAe,CAAC;AACjE,CAAC;AAED,IAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACzB,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC9B,eAAe,EAAE,MAAM,kBAAkB,EAAE,SAAS;AACtD,CAAC;AAED,IAAM,4BAA4B,EAC/B,OAAO;AAAA,EACN,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACnC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAClC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACtC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACxC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAClC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACrC,CAAC,EACA,MAAM;AAET,IAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACzB,aAAa,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,UAAU,EAAE,MAAM,aAAa;AAAA,EAC/B,gBAAgB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,yBAAyB;AACxE,CAAC;AAYD,IAAM,eAAe,KAAK,KAAK;AAC/B,IAAI,cAAiC;AAGrC,IAAI;AAGG,SAAS,qBAA2B;AACzC,gBAAc;AACd,kBAAgB;AAClB;AAMA,IAAM,gBAAgB;AACtB,IAAM,mBAAmB;AASzB,IAAM,SAAS,aAAa,EAAE,WAAW,2BAA2B,CAAC;AAGrE,eAAe,oBAAoB,eAAsD;AACvF,QAAM,EAAE,OAAO,IAAI,MAAM;AAAA,IACvB;AAAA,IACA,CAAC,WAAW,QAAQ,UAAU,eAAe,UAAU,WAAW,QAAQ,UAAU;AAAA,IACpF,EAAE,SAAS,iBAAiB;AAAA,EAC9B;AACA,SAAO,OAAO,KAAK,KAAK;AAC1B;AAGA,eAAe,iBACb,eACyC;AACzC,QAAM,EAAE,OAAO,IAAI,MAAM;AAAA,IACvB;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,EAAE,SAAS,kBAAkB,WAAW,OAAO,KAAK;AAAA,EACtD;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,KAAK,MAAM,MAAM;AAAA,EAC9B,QAAQ;AACN,WAAO,KAAK,uCAAuC;AAAA,MACjD,cAAc,OAAO;AAAA,MACrB,SAAS,OAAO,MAAM,GAAG,GAAG;AAAA,IAC9B,CAAC;AACD,WAAO;AAAA,EACT;AAEA,QAAM,SAAS,eAAe,UAAU,QAAQ;AAChD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,KAAK,8CAA8C;AAAA,MACxD,QAAQ,OAAO,MAAM,OAAO,MAAM,GAAG,CAAC;AAAA,IACxC,CAAC;AACD,WAAO;AAAA,EACT;AAEA,SAAO,KAAK,qCAAqC;AAAA,IAC/C,SAAS,OAAO,KAAK;AAAA,IACrB,UAAU,OAAO,KAAK,SAAS;AAAA,IAC/B,WAAW,OAAO,KAAK,OAAO,KAAK,cAAc,EAAE;AAAA,EACrD,CAAC;AACD,SAAO,OAAO;AAChB;AAOA,eAAe,0BAAmE;AAChF,MAAI;AACF,UAAM,EAAE,SAAS,IAAI,MAAM,OAAO,eAAoB;AACtD,UAAM,EAAE,UAAU,IAAI,MAAM,OAAO,MAAW;AAC9C,UAAM,gBAAgB,UAAU,QAAQ;AAExC,UAAM,MAAM,MAAM,oBAAoB,aAAa;AACnD,QAAI,QAAQ,MAAM;AAChB,aAAO,KAAK,uCAAuC;AACnD,aAAO;AAAA,IACT;AAGA,QAAI,gBAAgB,QAAQ,YAAY,eAAe,KAAK;AAC1D,aAAO,MAAM,sDAAsD,EAAE,IAAI,CAAC;AAC1E,oBAAc,EAAE,GAAG,aAAa,WAAW,KAAK,IAAI,EAAE;AACtD,aAAO,YAAY;AAAA,IACrB;AAGA,UAAM,WAAW,MAAM,iBAAiB,aAAa;AACrD,QAAI,aAAa,MAAM;AACrB,oBAAc,EAAE,UAAU,WAAW,KAAK,IAAI,GAAG,YAAY,IAAI;AAAA,IACnE;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,WAAO,MAAM,oCAAoC,EAAE,OAAO,IAAI,CAAC;AAC/D,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,sBAA+D;AAEnF,MAAI,gBAAgB,MAAM;AACxB,UAAM,MAAM,KAAK,IAAI,IAAI,YAAY;AACrC,QAAI,MAAM,cAAc;AACtB,aAAO,YAAY;AAAA,IACrB;AAAA,EACF;AAGA,oBAAkB,wBAAwB,EAAE,QAAQ,MAAM;AACxD,oBAAgB;AAAA,EAClB,CAAC;AACD,QAAM,WAAW,MAAM;AACvB,MAAI,aAAa,MAAM;AACrB,WAAO;AAAA,EACT;AAGA,MAAI,gBAAgB,MAAM;AACxB,WAAO,KAAK,sCAAsC;AAClD,WAAO,YAAY;AAAA,EACrB;AAEA,SAAO;AACT;;;ACtOA,IAAM,oBAA6C;AAAA,EACjD;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,SAAS;AAAA,IAC9B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,aAAa,OAAO,MAAM;AAAA,IAC9C,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,WAAW;AAAA,IAC/B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,QAAQ,WAAW;AAAA,IACvC,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,SAAS;AAAA,IACtB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,SAAS;AAAA,IACtB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,OAAO,KAAK;AAAA,IACzB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,KAAK;AAAA,IAClB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,QAAQ,KAAK;AAAA,IAC1B,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,MAAM;AAAA,IACnB,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,aAAa;AAAA,IACb,YAAY,CAAC,kBAAkB,WAAW;AAAA,IAC1C,SAAS;AAAA,IACT,cAAc;AAAA,EAChB;AACF;AAMA,IAAM,wBAAoD;AAAA,EACxD,YAAY;AAAA,IACV,MAAM,CAAC,WAAW,mBAAmB,QAAQ;AAAA,IAC7C,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,YAAY;AAAA,IACV,MAAM,CAAC,WAAW,mBAAmB,QAAQ;AAAA,IAC7C,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,UAAU,WAAW,QAAQ;AAAA,IACpC,KAAK,CAAC,aAAa,aAAa;AAAA,IAChC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,UAAU,WAAW,UAAU;AAAA,IACtC,KAAK,CAAC,0BAA0B,aAAa;AAAA,IAC7C,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,IAAI;AAAA,IACF,MAAM,CAAC,SAAS,WAAW,QAAQ;AAAA,IACnC,KAAK,CAAC,eAAe,aAAa;AAAA,IAClC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,YAAY,WAAW,QAAQ;AAAA,IACtC,KAAK,CAAC,iBAAiB,aAAa;AAAA,IACpC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,WAAW,SAAS;AAAA,IAC3B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,UAAU,SAAS;AAAA,IAC1B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,GAAG;AAAA,IACD,MAAM,CAAC,YAAY,UAAU,SAAS;AAAA,IACtC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,YAAY,UAAU,SAAS;AAAA,IACtC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,CAAC,SAAS;AAAA,IAChB,KAAK,CAAC,eAAe,aAAa;AAAA,IAClC,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM,CAAC,UAAU,WAAW,QAAQ;AAAA,IACpC,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,UAAU,SAAS;AAAA,IAC1B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,WAAW,UAAU;AAAA,IAC5B,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,OAAO;AAAA,IACL,MAAM,CAAC,cAAc,SAAS;AAAA,IAC9B,KAAK,CAAC;AAAA,IACN,SAAS,CAAC,UAAU;AAAA,EACtB;AAAA,EACA,KAAK;AAAA,IACH,MAAM,CAAC,WAAW,OAAO;AAAA,IACzB,KAAK,CAAC,aAAa;AAAA,IACnB,SAAS,CAAC,UAAU;AAAA,EACtB;AACF;AAOO,IAAM,wBAAqC;AAAA,EAChD,UAAU;AAAA,EACV,aAAa;AAAA,EACb,QAAQ;AACV;;;AC/RA,IAAMA,UAAS,aAAa,EAAE,WAAW,qBAAqB,CAAC;AAqC/D,SAAS,uBAAuB,GAAkC;AAChE,QAAM,aAAa,EAAE,eAAe,OAAO,CAAC,MAAM,EAAE,SAAS,YAAY,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM;AAC9F,SAAO;AAAA,IACL,MAAM,EAAE;AAAA,IACR,aAAa,EAAE;AAAA,IACf,YAAY,EAAE;AAAA,IACd,SAAS,EAAE;AAAA,IACX,cAAc,EAAE;AAAA,IAChB,GAAI,eAAe,UAAa,WAAW,SAAS,IAAI,EAAE,WAAW,IAAI,CAAC;AAAA,EAC5E;AACF;AAGA,IAAM,sBAAwD;AAAA,EAC5D,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO;AAAA,EACP,IAAI;AAAA,EACJ,MAAM;AAAA,EACN,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,KAAK;AAAA,EACL,OAAO;AAAA,EACP,YAAY;AACd;AAEA,SAAS,kBAAkB,MAAsB;AAC/C,QAAM,QAAQ,KAAK,YAAY;AAC/B,SAAO,oBAAoB,KAAK,KAAK,KAAK,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,MAAM,CAAC;AAClF;AAEA,SAAS,sBACP,QACiC;AACjC,QAAM,SAA0C,CAAC;AACjD,aAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AAElD,UAAM,aAAa,kBAAkB,IAAI;AACzC,WAAO,UAAU,IAAI;AAAA,MACnB,MAAM,MAAM,QAAQ,CAAC;AAAA,MACrB,KAAK,MAAM,OAAO,CAAC;AAAA,MACnB,SAAS,MAAM,WAAW,CAAC;AAAA,IAC7B;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,qBAA2C;AAC/D,QAAM,WAAW,MAAM,oBAAoB;AAC3C,MAAI,aAAa,MAAM;AACrB,IAAAA,QAAO,KAAK,+BAA+B;AAAA,MACzC,SAAS,SAAS;AAAA,MAClB,UAAU,SAAS,SAAS;AAAA,IAC9B,CAAC;AACD,WAAO;AAAA,MACL,UAAU,SAAS,SAAS,IAAI,sBAAsB;AAAA,MACtD,aAAa,sBAAsB,SAAS,cAAc;AAAA,MAC1D,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,EAAAA,QAAO,KAAK,6BAA6B;AACzC,SAAO;AACT;AAMA,IAAM,cAAgD;AAAA,EACpD,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,eACE;AAAA,EACF,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,OAAO;AAAA,EACP,SAAS;AAAA,EACT,eAAe;AAAA,EACf,MAAM;AAAA,EACN,YAAY;AACd;AAEA,SAAS,kBAAkB,MAAc,IAAkC;AACzE,MAAI,OAAO,iBAAkB,QAAO;AACpC,SAAO,YAAY,IAAI,KAAK;AAC9B;AAMA,SAAS,YAAY,MAAc,UAA6D;AAC9F,SAAO,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AAC7C;AAEA,SAAS,cAAc,MAAc,UAAsC;AACzE,SAAO,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,KAAK,YAAY,CAAC,CAAC;AAC1E;AAsBA,SAAS,oBAAoB,MAA+B,MAAgC;AAC1F,aAAW,QAAQ,KAAK,OAAO;AAC7B,QAAI,KAAK,UAAU,KAAK,IAAI,YAAa;AACzC,QAAI,cAAc,MAAM,KAAK,IAAI,QAAQ,EAAG;AAC5C,UAAM,QAAQ,YAAY,MAAM,KAAK,IAAI,QAAQ;AACjD,QAAI,CAAC,MAAO;AACZ,QAAI,KAAK,IAAI,kBAAkB,CAAC,KAAK,IAAI,eAAe,IAAI,KAAK,QAAQ,EAAG;AAC5E,UAAM,UAAU,KAAK,aAAa,UAAU,KAAK,WAAW;AAC5D,SAAK,KAAK;AAAA,MACR;AAAA,MACA,aAAa,MAAM;AAAA,MACnB,UAAU,KAAK;AAAA,MACf,SAAS,MAAM;AAAA,MACf,cAAc,MAAM;AAAA,MACpB,WAAW,KAAK,UAAU,KAAK;AAAA,MAC/B,UAAU,UAAU,aAAa,KAAK;AAAA,MACtC,WAAW,kBAAkB,MAAM,KAAK,IAAI,UAAU;AAAA,IACxD,CAAC;AAAA,EACH;AACF;AAGA,SAAS,oBACP,SACA,MACA,KACM;AACN,QAAM,OAAO,IAAI,YAAY;AAC7B,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,CAAC,MAAM,GAAG,EAAE,WAAW,sBAAsB,IAAI;AAAA,IAC5D,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACD,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,CAAC,MAAM,GAAG,EAAE,WAAW,qBAAqB,IAAI;AAAA,IAC3D,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACD,sBAAoB,MAAM;AAAA,IACxB,OAAO,QAAQ;AAAA,IACf,UAAU;AAAA,IACV,WAAW,MAAM;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AACH;AAGA,SAAS,cACP,aACA,UACA,WACA,MACA,KACM;AACN,MAAI,KAAK,UAAU,IAAI,YAAa;AACpC,MAAI,IAAI,kBAAkB,CAAC,IAAI,eAAe,IAAI,QAAQ,EAAG;AAC7D,MAAI,cAAc,aAAa,IAAI,QAAQ,EAAG;AAC9C,MAAI,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,WAAW,EAAG;AAC9C,QAAM,QAAQ,YAAY,aAAa,IAAI,QAAQ;AACnD,MAAI,CAAC,MAAO;AACZ,OAAK,KAAK;AAAA,IACR,MAAM;AAAA,IACN,aAAa,MAAM;AAAA,IACnB;AAAA,IACA,SAAS,MAAM;AAAA,IACf,cAAc,MAAM;AAAA,IACpB;AAAA,IACA,UAAU;AAAA,IACV,WAAW,kBAAkB,aAAa,IAAI,UAAU;AAAA,EAC1D,CAAC;AACH;AAMA,SAAS,gBACP,MACA,UAC4B;AAC5B,QAAM,WAA8B,CAAC;AACrC,QAAM,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;AAC7C,mBAAiB,OAAO,UAAU,QAAQ;AAC1C,kBAAgB,MAAM,QAAQ;AAC9B,SAAO;AACT;AAEA,SAAS,iBACP,OACA,UACA,UACM;AACN,aAAW,WAAW,UAAU;AAC9B,QAAI,CAAC,MAAM,IAAI,QAAQ,IAAI,EAAG;AAC9B,QAAI,CAAC,QAAQ,WAAY;AACzB,eAAW,OAAO,QAAQ,YAAY;AACpC,UAAI,MAAM,IAAI,GAAG,GAAG;AAClB,iBAAS,KAAK;AAAA,UACZ,UAAU,CAAC,KAAK,QAAQ,IAAI;AAAA,UAC5B,MAAM;AAAA,UACN,gBAAgB,GAAG,QAAQ,WAAW,eAAe,GAAG,YAAY,GAAG;AAAA,QACzE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,gBACP,MACA,UACM;AACN,QAAM,SAAS,oBAAI,IAAsB;AACzC,aAAW,OAAO,MAAM;AACtB,UAAM,MAAM,OAAO,IAAI,IAAI,QAAQ,KAAK,CAAC;AACzC,QAAI,KAAK,IAAI,IAAI;AACjB,WAAO,IAAI,IAAI,UAAU,GAAG;AAAA,EAC9B;AACA,aAAW,CAAC,KAAK,QAAQ,KAAK,QAAQ;AACpC,QAAI,SAAS,SAAS,GAAG;AACvB,YAAM,QAAQ,OAAO,SAAS,MAAM;AACpC,eAAS,KAAK;AAAA,QACZ;AAAA,QACA,MAAM;AAAA,QACN,gBAAgB,GAAG,KAAK,iBAAiB,GAAG;AAAA,MAC9C,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAMA,IAAM,iBAAiB,CAAC,QAAQ,QAAQ,OAAO,WAAW,aAAa,OAAO,gBAAgB;AAE9F,SAAS,cACP,MACA,UACA,UAC6B;AAC7B,SAAO,eAAe,IAAI,CAAC,QAAQ;AACjC,UAAM,QAAQ,KAAK,OAAO,CAAC,MAAM,EAAE,aAAa,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI;AACtE,UAAM,gBAAgB,SAAS;AAAA,MAAK,CAAC,MACnC,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,SAAS,GAAG,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC;AAAA,IACrF;AACA,WAAO,EAAE,UAAU,KAAK,SAAS,MAAM,SAAS,KAAK,eAAe,UAAU,MAAM;AAAA,EACtF,CAAC;AACH;AAcA,eAAsB,qBACpB,OAC2B;AAC3B,QAAM,CAAC,UAAU,IAAI,IAAI,MAAM,QAAQ,IAAI;AAAA,IACzC,kBAAkB,EAAE,MAAM,MAAM,MAAM,OAAO,OAAO,CAAC;AAAA,IACrD,mBAAmB;AAAA,EACrB,CAAC;AACD,SAAO,sBAAsB,UAAU,OAAO,IAAI;AACpD;AAGA,SAAS,iBACP,UACA,MACA,KACM;AACN,MAAI,SAAS,eAAe;AAC1B;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,kBAAc,eAAe,kBAAkB,4BAA4B,GAAG,MAAM,GAAG;AAAA,EACzF;AACA,MAAI,SAAS,eAAe;AAC1B;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAMA,SAAS,8BAAsC;AAC7C,SACE;AAOJ;AAGO,SAAS,sBACd,UACA,OACA,MACkB;AAClB,QAAM,WAAW,QAAQ;AACzB,QAAM,MAAkB;AAAA,IACtB,UAAU,SAAS;AAAA,IACnB,YAAY,SAAS;AAAA,IACrB,UAAU,SAAS;AAAA,IACnB,gBAAgB,MAAM,aAAa,IAAI,IAAI,MAAM,UAAU,IAAI;AAAA,IAC/D,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,SAAS;AAAA,EACrB;AAEA,QAAM,OAAgC,CAAC;AACvC,QAAM,iBAAiB,SAAS,aAAa,OAAO,kBAAkB,SAAS,QAAQ,IAAI;AAC3F,QAAM,UAAU,mBAAmB,OAAO,SAAS,YAAY,cAAc,IAAI;AACjF,MAAI,QAAS,qBAAoB,SAAS,MAAM,GAAG;AACnD,mBAAiB,UAAU,MAAM,GAAG;AAEpC,QAAM,YAAY,gBAAgB,MAAM,SAAS,QAAQ;AACzD,QAAM,WAAW,cAAc,MAAM,SAAS,iBAAiB,SAAS,QAAQ;AAChF,QAAM,YAAY,SAAS,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ;AAE1E,SAAO;AAAA,IACL,MAAM,SAAS;AAAA,IACf,UAAU,SAAS;AAAA,IACnB,WAAW,SAAS;AAAA,IACpB,YAAY,SAAS;AAAA,IACrB,iBAAiB,SAAS;AAAA,IAC1B,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,IACA,aAAa;AAAA,MACX,GAAG,SAAS;AAAA,MACZ,GAAI,UAAU,SAAS,IAAI,CAAC,yBAAyB,UAAU,KAAK,IAAI,CAAC,EAAE,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AACF;","names":["logger"]}

package/dist/chunk-2UUUKVNR.js

@@ -0,0 +1,61 @@
+import {
+  createLogger
+} from "./chunk-ELIFTCYM.js";
+
+// src/swe-bench/mcp-config.ts
+import { writeFile, mkdtemp, rm } from "fs/promises";
+import { join } from "path";
+import { tmpdir } from "os";
+var logger = createLogger({ component: "swe-bench-mcp-config" });
+var DEFAULT_ALLOWED_TOOLS = [
+  "memory_query",
+  "memory_stats",
+  "research_query",
+  "research_discover",
+  "weather_report",
+  "delegate_to_model"
+];
+function resolveCliPath(override) {
+  if (override !== void 0) return override;
+  const distDir = join(__dirname, "..");
+  return join(distDir, "cli.js");
+}
+function buildConfig(options) {
+  const cliPath = resolveCliPath(options?.cliPath);
+  const tools = options?.allowedTools ?? DEFAULT_ALLOWED_TOOLS;
+  const entry = {
+    command: "node",
+    args: [cliPath, "--mode=server"],
+    ...options?.env !== void 0 ? { env: options.env } : {}
+  };
+  return {
+    mcpServers: {
+      "nexus-agents": entry
+    }
+  };
+  void tools;
+}
+async function generateMcpConfig(options) {
+  const config = buildConfig(options);
+  const tools = options?.allowedTools ?? DEFAULT_ALLOWED_TOOLS;
+  const tempDir = await mkdtemp(join(tmpdir(), "nexus-mcp-"));
+  const configPath = join(tempDir, "mcp-config.json");
+  await writeFile(configPath, JSON.stringify(config, null, 2), "utf-8");
+  const cleanup = async () => {
+    await rm(tempDir, { recursive: true, force: true }).catch((e) => {
+      logger.debug("Best-effort cleanup failed", {
+        error: e instanceof Error ? e.message : String(e)
+      });
+    });
+  };
+  return { configPath, cleanup, allowedTools: tools };
+}
+function getDefaultAllowedTools() {
+  return DEFAULT_ALLOWED_TOOLS;
+}
+
+export {
+  generateMcpConfig,
+  getDefaultAllowedTools
+};
+//# sourceMappingURL=chunk-2UUUKVNR.js.map

package/dist/chunk-2UUUKVNR.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/swe-bench/mcp-config.ts"],"sourcesContent":["/**\n * nexus-agents/swe-bench - MCP Config Generator\n *\n * Generates MCP server configuration for child Claude CLI sessions.\n * Enables SWE-bench agents to access nexus-agents tools (memory, research).\n *\n * @module swe-bench/mcp-config\n * (Source: Issue #1413 - MCP tools in SWE-bench CLI sessions)\n */\n\nimport { writeFile, mkdtemp, rm } from 'node:fs/promises';\nimport { join } from 'node:path';\nimport { tmpdir } from 'node:os';\nimport { createLogger } from '../core/index.js';\n\nconst logger = createLogger({ component: 'swe-bench-mcp-config' });\n\n/**\n * MCP server entry in Claude CLI config format.\n */\ninterface McpServerEntry {\n  readonly command: string;\n  readonly args: readonly string[];\n  readonly env?: Readonly<Record<string, string>>;\n}\n\n/**\n * MCP config file format for Claude CLI (--mcp-config).\n */\ninterface McpConfigFile {\n  readonly mcpServers: Readonly<Record<string, McpServerEntry>>;\n}\n\n/**\n * Options for generating MCP config.\n */\nexport interface McpConfigOptions {\n  /** Path to nexus-agents CLI entry point. */\n  readonly cliPath?: string;\n  /** Additional environment variables for the MCP server. */\n  readonly env?: Readonly<Record<string, string>>;\n  /** Custom allowed tools (default: read-only subset). */\n  readonly allowedTools?: readonly string[];\n}\n\n/** Default read-only tools available to SWE-bench child sessions. */\nconst DEFAULT_ALLOWED_TOOLS: readonly string[] = [\n  'memory_query',\n  'memory_stats',\n  'research_query',\n  'research_discover',\n  'weather_report',\n  'delegate_to_model',\n];\n\n/**\n * Resolves the nexus-agents CLI path.\n * Uses the built dist/cli.js relative to this package.\n */\nfunction resolveCliPath(override?: string): string {\n  if (override !== undefined) return override;\n  // Resolve relative to this file: src/swe-bench/ → dist/cli.js\n  // At runtime we're in dist/swe-bench/, so go up one level\n  const distDir = join(__dirname, '..');\n  return join(distDir, 'cli.js');\n}\n\n/**\n * Builds the MCP config object for a nexus-agents server.\n */\nfunction buildConfig(options?: McpConfigOptions): McpConfigFile {\n  const cliPath = resolveCliPath(options?.cliPath);\n  const tools = options?.allowedTools ?? DEFAULT_ALLOWED_TOOLS;\n\n  const entry: McpServerEntry = {\n    command: 'node',\n    args: [cliPath, '--mode=server'],\n    ...(options?.env !== undefined ? { env: options.env } : {}),\n  };\n\n  return {\n    mcpServers: {\n      'nexus-agents': entry,\n    },\n  };\n\n  // Note: tool allowlisting is handled by Claude CLI's --allowedTools flag,\n  // not in the MCP config itself. The caller should pass tools separately.\n  void tools;\n}\n\n/**\n * Generated MCP config with path and cleanup function.\n */\nexport interface GeneratedMcpConfig {\n  /** Path to the generated config file. */\n  readonly configPath: string;\n  /** Cleanup function to remove temp files. */\n  readonly cleanup: () => Promise<void>;\n  /** Allowed tools list for --allowedTools flag. */\n  readonly allowedTools: readonly string[];\n}\n\n/**\n * Generates an MCP config file for Claude CLI child sessions.\n *\n * Creates a temporary JSON file that can be passed to `claude --mcp-config`.\n * Returns the file path and a cleanup function.\n */\nexport async function generateMcpConfig(options?: McpConfigOptions): Promise<GeneratedMcpConfig> {\n  const config = buildConfig(options);\n  const tools = options?.allowedTools ?? DEFAULT_ALLOWED_TOOLS;\n\n  const tempDir = await mkdtemp(join(tmpdir(), 'nexus-mcp-'));\n  const configPath = join(tempDir, 'mcp-config.json');\n\n  await writeFile(configPath, JSON.stringify(config, null, 2), 'utf-8');\n\n  const cleanup = async (): Promise<void> => {\n    await rm(tempDir, { recursive: true, force: true }).catch((e: unknown) => {\n      logger.debug('Best-effort cleanup failed', {\n        error: e instanceof Error ? e.message : String(e),\n      });\n    });\n  };\n\n  return { configPath, cleanup, allowedTools: tools };\n}\n\n/**\n * Gets the default allowed tools for SWE-bench MCP sessions.\n */\nexport function getDefaultAllowedTools(): readonly string[] {\n  return DEFAULT_ALLOWED_TOOLS;\n}\n"],"mappings":";;;;;AAUA,SAAS,WAAW,SAAS,UAAU;AACvC,SAAS,YAAY;AACrB,SAAS,cAAc;AAGvB,IAAM,SAAS,aAAa,EAAE,WAAW,uBAAuB,CAAC;AA+BjE,IAAM,wBAA2C;AAAA,EAC/C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAMA,SAAS,eAAe,UAA2B;AACjD,MAAI,aAAa,OAAW,QAAO;AAGnC,QAAM,UAAU,KAAK,WAAW,IAAI;AACpC,SAAO,KAAK,SAAS,QAAQ;AAC/B;AAKA,SAAS,YAAY,SAA2C;AAC9D,QAAM,UAAU,eAAe,SAAS,OAAO;AAC/C,QAAM,QAAQ,SAAS,gBAAgB;AAEvC,QAAM,QAAwB;AAAA,IAC5B,SAAS;AAAA,IACT,MAAM,CAAC,SAAS,eAAe;AAAA,IAC/B,GAAI,SAAS,QAAQ,SAAY,EAAE,KAAK,QAAQ,IAAI,IAAI,CAAC;AAAA,EAC3D;AAEA,SAAO;AAAA,IACL,YAAY;AAAA,MACV,gBAAgB;AAAA,IAClB;AAAA,EACF;AAIA,OAAK;AACP;AAoBA,eAAsB,kBAAkB,SAAyD;AAC/F,QAAM,SAAS,YAAY,OAAO;AAClC,QAAM,QAAQ,SAAS,gBAAgB;AAEvC,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,GAAG,YAAY,CAAC;AAC1D,QAAM,aAAa,KAAK,SAAS,iBAAiB;AAElD,QAAM,UAAU,YAAY,KAAK,UAAU,QAAQ,MAAM,CAAC,GAAG,OAAO;AAEpE,QAAM,UAAU,YAA2B;AACzC,UAAM,GAAG,SAAS,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC,EAAE,MAAM,CAAC,MAAe;AACxE,aAAO,MAAM,8BAA8B;AAAA,QACzC,OAAO,aAAa,QAAQ,EAAE,UAAU,OAAO,CAAC;AAAA,MAClD,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAEA,SAAO,EAAE,YAAY,SAAS,cAAc,MAAM;AACpD;AAKO,SAAS,yBAA4C;AAC1D,SAAO;AACT;","names":[]}