nexus-agents 2.29.0 → 2.29.1

package/dist/adaptive-memory-RST6DZYR.js

@@ -0,0 +1,15 @@
+import {
+  AdaptiveMemoryBackend,
+  DEFAULT_SCORING_CONFIG,
+  createAdaptiveMemory
+} from "./chunk-FYJVXQHX.js";
+import "./chunk-633WH2ML.js";
+import "./chunk-ELIFTCYM.js";
+import "./chunk-CLYZ7FWP.js";
+import "./chunk-UP2VWCW5.js";
+export {
+  AdaptiveMemoryBackend,
+  DEFAULT_SCORING_CONFIG,
+  createAdaptiveMemory
+};
+//# sourceMappingURL=adaptive-memory-RST6DZYR.js.map

package/dist/chunk-2UR7YN6T.js

@@ -0,0 +1,700 @@
+import {
+  analyzeGitHubRepo
+} from "./chunk-BC3M4VLP.js";
+import {
+  createLogger
+} from "./chunk-ELIFTCYM.js";
+
+// src/mcp/tools/scanner-registry-fetcher.ts
+import { z } from "zod";
+var RelationshipSchema = z.object({
+  target: z.string().min(1),
+  type: z.enum(["uses", "supersedes", "bundles", "competes-with"])
+});
+var ScannerSchema = z.object({
+  name: z.string().min(1),
+  displayName: z.string().min(1),
+  categories: z.array(z.string().min(1)),
+  license: z.string().min(1),
+  pricingModel: z.string().min(1),
+  relationships: z.array(RelationshipSchema).optional()
+});
+var LanguageMatrixEntrySchema = z.object({
+  sast: z.array(z.string()).optional(),
+  sca: z.array(z.string()).optional(),
+  secrets: z.array(z.string()).optional(),
+  container: z.array(z.string()).optional(),
+  iac: z.array(z.string()).optional(),
+  dast: z.array(z.string()).optional()
+}).loose();
+var ManifestSchema = z.object({
+  version: z.string().min(1),
+  generatedAt: z.string().min(1),
+  scanners: z.array(ScannerSchema),
+  languageMatrix: z.record(z.string().max(50), LanguageMatrixEntrySchema)
+});
+var CACHE_TTL_MS = 60 * 60 * 1e3;
+var cachedEntry = null;
+var inflightFetch;
+function clearRegistryCache() {
+  cachedEntry = null;
+  inflightFetch = void 0;
+}
+var REGISTRY_REPO = "williamzujkowski/vulnerability-scanner-registry";
+var FETCH_TIMEOUT_MS = 1e4;
+var logger = createLogger({ component: "scanner-registry-fetcher" });
+async function getLatestReleaseTag(execFileAsync) {
+  const { stdout } = await execFileAsync(
+    "gh",
+    ["release", "view", "--repo", REGISTRY_REPO, "--json", "tagName", "--jq", ".tagName"],
+    { timeout: FETCH_TIMEOUT_MS }
+  );
+  return stdout.trim() || null;
+}
+async function downloadManifest(execFileAsync) {
+  const { stdout } = await execFileAsync(
+    "gh",
+    [
+      "release",
+      "download",
+      "--repo",
+      REGISTRY_REPO,
+      "--pattern",
+      "scanner-registry.json",
+      "--output",
+      "-"
+    ],
+    { timeout: FETCH_TIMEOUT_MS, maxBuffer: 1024 * 1024 }
+  );
+  let jsonData;
+  try {
+    jsonData = JSON.parse(stdout);
+  } catch {
+    logger.warn("Registry manifest is not valid JSON", {
+      stdoutLength: stdout.length,
+      preview: stdout.slice(0, 100)
+    });
+    return null;
+  }
+  const parsed = ManifestSchema.safeParse(jsonData);
+  if (!parsed.success) {
+    logger.warn("Registry manifest failed schema validation", {
+      errors: parsed.error.issues.slice(0, 3)
+    });
+    return null;
+  }
+  logger.info("Fetched scanner registry manifest", {
+    version: parsed.data.version,
+    scanners: parsed.data.scanners.length,
+    languages: Object.keys(parsed.data.languageMatrix).length
+  });
+  return parsed.data;
+}
+async function fetchManifestFromGitHub() {
+  try {
+    const { execFile } = await import("child_process");
+    const { promisify } = await import("util");
+    const execFileAsync = promisify(execFile);
+    const tag = await getLatestReleaseTag(execFileAsync);
+    if (tag === null) {
+      logger.warn("No releases found in scanner registry");
+      return null;
+    }
+    if (cachedEntry !== null && cachedEntry.releaseTag === tag) {
+      logger.debug("Scanner registry unchanged, refreshing cache timer", { tag });
+      cachedEntry = { ...cachedEntry, fetchedAt: Date.now() };
+      return cachedEntry.manifest;
+    }
+    const manifest = await downloadManifest(execFileAsync);
+    if (manifest !== null) {
+      cachedEntry = { manifest, fetchedAt: Date.now(), releaseTag: tag };
+    }
+    return manifest;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.debug("Failed to fetch scanner registry", { error: msg });
+    return null;
+  }
+}
+async function getRegistryManifest() {
+  if (cachedEntry !== null) {
+    const age = Date.now() - cachedEntry.fetchedAt;
+    if (age < CACHE_TTL_MS) {
+      return cachedEntry.manifest;
+    }
+  }
+  inflightFetch ??= fetchManifestFromGitHub().finally(() => {
+    inflightFetch = void 0;
+  });
+  const manifest = await inflightFetch;
+  if (manifest !== null) {
+    return manifest;
+  }
+  if (cachedEntry !== null) {
+    logger.warn("Using stale cached registry manifest");
+    return cachedEntry.manifest;
+  }
+  return null;
+}
+
+// src/mcp/tools/repo-security-plan-fallback.ts
+var FALLBACK_SCANNERS = [
+  {
+    name: "semgrep",
+    displayName: "Semgrep",
+    categories: ["sast", "secrets"],
+    license: "LGPL-2.1",
+    pricingModel: "freemium"
+  },
+  {
+    name: "codeql",
+    displayName: "CodeQL",
+    categories: ["sast"],
+    license: "MIT",
+    pricingModel: "freemium"
+  },
+  {
+    name: "bandit",
+    displayName: "Bandit",
+    categories: ["sast"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "gosec",
+    displayName: "Gosec",
+    categories: ["sast"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "brakeman",
+    displayName: "Brakeman",
+    categories: ["sast"],
+    license: "MIT",
+    pricingModel: "free"
+  },
+  {
+    name: "phpstan",
+    displayName: "PHPStan",
+    categories: ["sast"],
+    license: "MIT",
+    pricingModel: "freemium"
+  },
+  {
+    name: "shellcheck",
+    displayName: "ShellCheck",
+    categories: ["sast"],
+    license: "GPL-3.0",
+    pricingModel: "free"
+  },
+  {
+    name: "cppcheck",
+    displayName: "Cppcheck",
+    categories: ["sast"],
+    license: "GPL-3.0",
+    pricingModel: "free"
+  },
+  {
+    name: "detekt",
+    displayName: "detekt",
+    categories: ["sast"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "spotbugs",
+    displayName: "SpotBugs",
+    categories: ["sast"],
+    license: "LGPL-2.1",
+    pricingModel: "free"
+  },
+  {
+    name: "eslint-security",
+    displayName: "eslint-plugin-security",
+    categories: ["sast"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "sonarqube",
+    displayName: "SonarQube",
+    categories: ["sast", "sca"],
+    license: "LGPL-3.0",
+    pricingModel: "freemium"
+  },
+  {
+    name: "osv-scanner",
+    displayName: "OSV-Scanner",
+    categories: ["sca", "container", "iac", "sbom"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "grype",
+    displayName: "Grype",
+    categories: ["sca", "container"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "snyk",
+    displayName: "Snyk",
+    categories: ["sca", "sast", "container"],
+    license: "Proprietary",
+    pricingModel: "freemium"
+  },
+  {
+    name: "npm-audit",
+    displayName: "npm audit",
+    categories: ["sca"],
+    license: "Artistic-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "pip-audit",
+    displayName: "pip-audit",
+    categories: ["sca"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "cargo-audit",
+    displayName: "cargo-audit",
+    categories: ["sca"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "bundler-audit",
+    displayName: "bundler-audit",
+    categories: ["sca"],
+    license: "GPL-3.0",
+    pricingModel: "free"
+  },
+  {
+    name: "govulncheck",
+    displayName: "govulncheck",
+    categories: ["sca"],
+    license: "BSD-3-Clause",
+    pricingModel: "free"
+  },
+  {
+    name: "owasp-dependency-check",
+    displayName: "OWASP Dependency-Check",
+    categories: ["sca"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "gitleaks",
+    displayName: "Gitleaks",
+    categories: ["secrets"],
+    license: "MIT",
+    pricingModel: "free"
+  },
+  {
+    name: "trufflehog",
+    displayName: "TruffleHog",
+    categories: ["secrets"],
+    license: "AGPL-3.0",
+    pricingModel: "freemium"
+  },
+  {
+    name: "checkov",
+    displayName: "Checkov",
+    categories: ["iac", "sca"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "tfsec",
+    displayName: "tfsec",
+    categories: ["iac"],
+    license: "MIT",
+    pricingModel: "free"
+  },
+  {
+    name: "owasp-zap",
+    displayName: "OWASP ZAP",
+    categories: ["dast", "api"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "syft",
+    displayName: "Syft",
+    categories: ["sbom"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  },
+  {
+    name: "grype-image",
+    displayName: "Grype (image scan)",
+    categories: ["image-currency", "container"],
+    license: "Apache-2.0",
+    pricingModel: "free"
+  }
+];
+var FALLBACK_LANGUAGE_MAP = {
+  TypeScript: {
+    sast: ["semgrep", "eslint-security", "codeql"],
+    sca: ["npm-audit", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  JavaScript: {
+    sast: ["semgrep", "eslint-security", "codeql"],
+    sca: ["npm-audit", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Python: {
+    sast: ["bandit", "semgrep", "codeql"],
+    sca: ["pip-audit", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Java: {
+    sast: ["codeql", "semgrep", "spotbugs"],
+    sca: ["owasp-dependency-check", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Go: {
+    sast: ["gosec", "semgrep", "codeql"],
+    sca: ["govulncheck", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Ruby: {
+    sast: ["brakeman", "semgrep", "codeql"],
+    sca: ["bundler-audit", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  PHP: {
+    sast: ["phpstan", "semgrep"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  "C#": {
+    sast: ["codeql", "semgrep"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  C: {
+    sast: ["cppcheck", "codeql", "semgrep"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  "C++": {
+    sast: ["cppcheck", "codeql", "semgrep"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Rust: {
+    sast: ["semgrep"],
+    sca: ["cargo-audit", "osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Kotlin: {
+    sast: ["detekt", "semgrep", "codeql"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Swift: {
+    sast: ["codeql", "semgrep"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Scala: {
+    sast: ["semgrep", "spotbugs"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  },
+  Shell: {
+    sast: ["shellcheck", "semgrep"],
+    sca: [],
+    secrets: ["gitleaks"]
+  },
+  HCL: {
+    sast: ["checkov", "tfsec"],
+    sca: ["osv-scanner"],
+    secrets: ["gitleaks"]
+  }
+};
+var FALLBACK_SCANNER_DATA = {
+  scanners: FALLBACK_SCANNERS,
+  languageMap: FALLBACK_LANGUAGE_MAP,
+  source: "fallback"
+};
+
+// src/mcp/tools/repo-security-plan.ts
+var logger2 = createLogger({ component: "repo-security-plan" });
+function convertRegistryScanner(s) {
+  const supersedes = s.relationships?.filter((r) => r.type === "supersedes").map((r) => r.target);
+  return {
+    name: s.name,
+    displayName: s.displayName,
+    categories: s.categories,
+    license: s.license,
+    pricingModel: s.pricingModel,
+    ...supersedes !== void 0 && supersedes.length > 0 ? { supersedes } : {}
+  };
+}
+var LANGUAGE_PASCAL_MAP = {
+  typescript: "TypeScript",
+  javascript: "JavaScript",
+  python: "Python",
+  java: "Java",
+  csharp: "C#",
+  "c#": "C#",
+  cpp: "C++",
+  "c++": "C++",
+  go: "Go",
+  rust: "Rust",
+  ruby: "Ruby",
+  php: "PHP",
+  swift: "Swift",
+  kotlin: "Kotlin",
+  scala: "Scala",
+  hcl: "HCL",
+  shell: "Shell",
+  dockerfile: "Dockerfile"
+};
+function normalizeLangName(lang) {
+  const lower = lang.toLowerCase();
+  return LANGUAGE_PASCAL_MAP[lower] ?? lang.charAt(0).toUpperCase() + lang.slice(1);
+}
+function convertLanguageMatrix(matrix) {
+  const result = {};
+  for (const [lang, entry] of Object.entries(matrix)) {
+    const normalized = normalizeLangName(lang);
+    result[normalized] = {
+      sast: entry.sast ?? [],
+      sca: entry.sca ?? [],
+      secrets: entry.secrets ?? []
+    };
+  }
+  return result;
+}
+async function resolveScannerData() {
+  const manifest = await getRegistryManifest();
+  if (manifest !== null) {
+    logger2.info("Using live scanner registry", {
+      version: manifest.version,
+      scanners: manifest.scanners.length
+    });
+    return {
+      scanners: manifest.scanners.map(convertRegistryScanner),
+      languageMap: convertLanguageMatrix(manifest.languageMatrix),
+      source: "registry"
+    };
+  }
+  logger2.info("Using fallback scanner data");
+  return FALLBACK_SCANNER_DATA;
+}
+var CI_SNIPPETS = {
+  semgrep: "- uses: semgrep/semgrep-action@v1\n  with:\n    config: auto",
+  codeql: "- uses: github/codeql-action/analyze@v3",
+  grype: "- uses: anchore/scan-action@v4\n  with:\n    path: .",
+  "grype-image": "- uses: anchore/scan-action@v4\n  with:\n    image: ${{ env.IMAGE_TAG }}\n    severity: CRITICAL,HIGH\n    exit-code: 1",
+  gitleaks: "- uses: gitleaks/gitleaks-action@v2",
+  bandit: "- run: pip install bandit && bandit -r . -f json",
+  gosec: "- uses: securego/gosec@master\n  with:\n    args: ./...",
+  checkov: "- uses: bridgecrewio/checkov-action@master",
+  "osv-scanner": "- uses: google/osv-scanner-action@v1",
+  snyk: "- uses: snyk/actions/node@master # adjust for language",
+  shellcheck: "- uses: ludeeus/action-shellcheck@master"
+};
+function generateCiSnippet(name, ci) {
+  if (ci !== "github-actions") return null;
+  return CI_SNIPPETS[name] ?? null;
+}
+function findScanner(name, scanners) {
+  return scanners.find((s) => s.name === name);
+}
+function isAlreadyUsed(name, existing) {
+  return existing.some((t) => t.toLowerCase().includes(name.toLowerCase()));
+}
+function collectCategoryRecs(recs, opts) {
+  for (const name of opts.names) {
+    if (recs.length >= opts.ctx.maxScanners) break;
+    if (isAlreadyUsed(name, opts.ctx.existing)) continue;
+    const entry = findScanner(name, opts.ctx.scanners);
+    if (!entry) continue;
+    if (opts.ctx.categoryFilter && !opts.ctx.categoryFilter.has(opts.category)) continue;
+    const isFirst = opts.category === "sast" && recs.length === 0;
+    recs.push({
+      name,
+      displayName: entry.displayName,
+      category: opts.category,
+      license: entry.license,
+      pricingModel: entry.pricingModel,
+      rationale: opts.rationale(entry),
+      priority: isFirst ? "critical" : opts.priority,
+      ciSnippet: generateCiSnippet(name, opts.ctx.ciProvider)
+    });
+  }
+}
+function collectLanguageRecs(langMap, recs, ctx) {
+  const lang = ctx.language ?? "unknown";
+  collectCategoryRecs(recs, {
+    names: langMap.sast,
+    category: "sast",
+    rationale: (e) => `${e.displayName} provides SAST for ${lang}`,
+    priority: "recommended",
+    ctx
+  });
+  collectCategoryRecs(recs, {
+    names: langMap.sca,
+    category: "sca",
+    rationale: (e) => `${e.displayName} provides SCA for ${lang} dependencies`,
+    priority: "critical",
+    ctx
+  });
+  collectCategoryRecs(recs, {
+    names: langMap.secrets,
+    category: "secrets",
+    rationale: () => "Detects leaked credentials and API keys in source code",
+    priority: "critical",
+    ctx
+  });
+}
+function tryAddScanner(scannerName, category, rationale, recs, ctx) {
+  if (recs.length >= ctx.maxScanners) return;
+  if (ctx.categoryFilter && !ctx.categoryFilter.has(category)) return;
+  if (isAlreadyUsed(scannerName, ctx.existing)) return;
+  if (recs.some((r) => r.name === scannerName)) return;
+  const entry = findScanner(scannerName, ctx.scanners);
+  if (!entry) return;
+  recs.push({
+    name: scannerName,
+    displayName: entry.displayName,
+    category,
+    license: entry.license,
+    pricingModel: entry.pricingModel,
+    rationale,
+    priority: "recommended",
+    ciSnippet: generateCiSnippet(scannerName, ctx.ciProvider)
+  });
+}
+function detectConflicts(recs, scanners) {
+  const warnings = [];
+  const names = new Set(recs.map((r) => r.name));
+  detectSuperseded(names, scanners, warnings);
+  detectRedundant(recs, warnings);
+  return warnings;
+}
+function detectSuperseded(names, scanners, warnings) {
+  for (const scanner of scanners) {
+    if (!names.has(scanner.name)) continue;
+    if (!scanner.supersedes) continue;
+    for (const old of scanner.supersedes) {
+      if (names.has(old)) {
+        warnings.push({
+          scanners: [old, scanner.name],
+          type: "superseded",
+          recommendation: `${scanner.displayName} supersedes ${old}. Remove ${old}.`
+        });
+      }
+    }
+  }
+}
+function detectRedundant(recs, warnings) {
+  const catMap = /* @__PURE__ */ new Map();
+  for (const rec of recs) {
+    const arr = catMap.get(rec.category) ?? [];
+    arr.push(rec.name);
+    catMap.set(rec.category, arr);
+  }
+  for (const [cat, scanners] of catMap) {
+    if (scanners.length > 2) {
+      const count = String(scanners.length);
+      warnings.push({
+        scanners,
+        type: "redundant",
+        recommendation: `${count} scanners for ${cat}. Consider keeping top 2.`
+      });
+    }
+  }
+}
+var ALL_CATEGORIES = ["sast", "dast", "sca", "secrets", "container", "iac", "image-currency"];
+function buildCoverage(recs, existing, scanners) {
+  return ALL_CATEGORIES.map((cat) => {
+    const found = recs.filter((r) => r.category === cat).map((r) => r.name);
+    const existingMatch = existing.some(
+      (t) => scanners.some((s) => s.categories.includes(cat) && t.toLowerCase().includes(s.name))
+    );
+    return { category: cat, covered: found.length > 0 || existingMatch, scanners: found };
+  });
+}
+async function generateSecurityPlan(input) {
+  const [analysis, data] = await Promise.all([
+    analyzeGitHubRepo({ repo: input.repo, depth: "deep" }),
+    resolveScannerData()
+  ]);
+  return buildPlanFromAnalysis(analysis, input, data);
+}
+function collectInfraRecs(analysis, recs, ctx) {
+  if (analysis.hasDockerfile) {
+    tryAddScanner(
+      "grype",
+      "container",
+      "Dockerfile detected \u2014 scan container images for vulnerabilities",
+      recs,
+      ctx
+    );
+    tryAddScanner("grype-image", "image-currency", buildImageCurrencyRationale(), recs, ctx);
+  }
+  if (analysis.hasHelmCharts) {
+    tryAddScanner(
+      "checkov",
+      "iac",
+      "Helm charts detected \u2014 scan IaC for misconfigurations",
+      recs,
+      ctx
+    );
+  }
+}
+function buildImageCurrencyRationale() {
+  return "Dockerfile detected \u2014 periodically scan built images with `grype image --severity CRITICAL,HIGH` to detect CVEs introduced by stale base images. Pin base images to specific version tags (e.g., node:22.4.0-alpine3.20) rather than :latest to get reproducible scans and predictable CVE surface area. Alpine-based images typically have a smaller CVE surface than Debian/Ubuntu equivalents due to musl libc and a minimal package set, but verify with grype before assuming.";
+}
+function buildPlanFromAnalysis(analysis, input, data) {
+  const resolved = data ?? FALLBACK_SCANNER_DATA;
+  const ctx = {
+    existing: analysis.securityTooling,
+    ciProvider: analysis.ciProvider,
+    language: analysis.language,
+    categoryFilter: input.categories ? new Set(input.categories) : null,
+    maxScanners: input.maxScanners ?? 10,
+    scanners: resolved.scanners
+  };
+  const recs = [];
+  const normalizedLang = analysis.language !== null ? normalizeLangName(analysis.language) : null;
+  const langMap = normalizedLang !== null ? resolved.languageMap[normalizedLang] : void 0;
+  if (langMap) collectLanguageRecs(langMap, recs, ctx);
+  collectInfraRecs(analysis, recs, ctx);
+  const conflicts = detectConflicts(recs, resolved.scanners);
+  const coverage = buildCoverage(recs, analysis.securityTooling, resolved.scanners);
+  const uncovered = coverage.filter((c) => !c.covered).map((c) => c.category);
+  return {
+    repo: analysis.name,
+    language: analysis.language,
+    framework: analysis.framework,
+    ciProvider: analysis.ciProvider,
+    existingTooling: analysis.securityTooling,
+    recommendations: recs,
+    conflicts,
+    coverage,
+    gapsSummary: [
+      ...analysis.gaps,
+      ...uncovered.length > 0 ? [`Uncovered categories: ${uncovered.join(", ")}`] : []
+    ]
+  };
+}
+
+export {
+  clearRegistryCache,
+  getRegistryManifest,
+  FALLBACK_SCANNER_DATA,
+  resolveScannerData,
+  generateSecurityPlan,
+  buildPlanFromAnalysis
+};
+//# sourceMappingURL=chunk-2UR7YN6T.js.map