projscan 3.0.2 → 3.0.3
- package/dist/cli/commands/dataflow.js +2 -0
- package/dist/cli/commands/dataflow.js.map +1 -1
- package/dist/cli/commands/review.js +5 -23
- package/dist/cli/commands/review.js.map +1 -1
- package/dist/core/ast.d.ts +8 -0
- package/dist/core/ast.js +69 -4
- package/dist/core/ast.js.map +1 -1
- package/dist/core/dataflow.d.ts +2 -0
- package/dist/core/dataflow.js +3 -1
- package/dist/core/dataflow.js.map +1 -1
- package/dist/core/dataflowFilters.d.ts +1 -0
- package/dist/core/dataflowFilters.js +8 -9
- package/dist/core/dataflowFilters.js.map +1 -1
- package/dist/core/frameworkSources.d.ts +2 -0
- package/dist/core/frameworkSources.js +33 -0
- package/dist/core/frameworkSources.js.map +1 -0
- package/dist/core/indexCache.js +4 -1
- package/dist/core/indexCache.js.map +1 -1
- package/dist/core/ownership.js +58 -0
- package/dist/core/ownership.js.map +1 -1
- package/dist/core/pathClassifiers.d.ts +2 -0
- package/dist/core/pathClassifiers.js +23 -0
- package/dist/core/pathClassifiers.js.map +1 -0
- package/dist/core/review.d.ts +2 -0
- package/dist/core/review.js +90 -16
- package/dist/core/review.js.map +1 -1
- package/dist/core/reviewDataflow.d.ts +10 -2
- package/dist/core/reviewDataflow.js +15 -11
- package/dist/core/reviewDataflow.js.map +1 -1
- package/dist/core/taint.js +3 -1
- package/dist/core/taint.js.map +1 -1
- package/dist/mcp/tools/dataflow.js +5 -0
- package/dist/mcp/tools/dataflow.js.map +1 -1
- package/dist/mcp/tools/review.js +3 -23
- package/dist/mcp/tools/review.js.map +1 -1
- package/dist/projscan-sbom.cdx.json +6 -6
- package/dist/tool-manifest.json +6 -2
- package/package.json +1 -1
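--- a/package/dist/mcp/tools/review.js
+++ b/package/dist/mcp/tools/review.js
@@ -1,5 +1,4 @@
 import { computeReview, selectReviewTier, shapeReviewForTier } from '../../core/review.js';
-import { detectWorkspaces, filterFilesByPackage } from '../../core/monorepo.js';
 import { emitProgress } from '../progress.js';
 export const reviewTool = {
 name: 'projscan_review',
@@ -36,29 +35,10 @@ export const reviewTool = {
 const head = typeof args.head === 'string' ? args.head : undefined;
 const intent = typeof args.intent === 'string' ? args.intent : undefined;
 emitProgress(1, 4, 'building base + head graphs');
-const
-if (
+const packageName = typeof args.package === 'string' && args.package.length > 0 ? args.package : undefined;
+if (packageName)
 emitProgress(2, 4, 'scoping to workspace');
-
-const target = args.package;
-const allChangedPaths = [
-...report.prDiff.filesAdded,
-...report.prDiff.filesRemoved,
-...report.prDiff.filesModified.map((f) => f.relativePath),
-];
-const allowed = new Set(filterFilesByPackage(ws, target, allChangedPaths));
-report.prDiff.filesAdded = report.prDiff.filesAdded.filter((f) => allowed.has(f));
-report.prDiff.filesRemoved = report.prDiff.filesRemoved.filter((f) => allowed.has(f));
-report.prDiff.filesModified = report.prDiff.filesModified.filter((f) => allowed.has(f.relativePath));
-report.prDiff.totalFilesChanged =
-report.prDiff.filesAdded.length +
-report.prDiff.filesRemoved.length +
-report.prDiff.filesModified.length;
-report.changedFiles = report.changedFiles.filter((f) => allowed.has(f.relativePath));
-report.newCycles = report.newCycles.filter((c) => c.files.some((f) => allowed.has(f)));
-report.riskyFunctions = report.riskyFunctions.filter((f) => allowed.has(f.file));
-report.dependencyChanges = report.dependencyChanges.filter((d) => d.workspace === target);
-}
+const report = await computeReview(rootPath, { base, head, intent, package: packageName });
 emitProgress(4, 4, 'done');
 // 1.5 — adaptive shape based on max_cost_tokens. With no budget,
 // returns the full report unchanged. With a budget, picks a tier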
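Review bot: The progress sequence in the second hunk no longer tracks the work: steps 1 and (when a package is given) 2 are both emitted before the single `await computeReview(...)` that now does the graph building and the scoping, and step 3 of 4 is never reported, so a client sees 1, optionally 2, then 4. Adding `emitProgress(3, 4, 'computing review');` immediately before the `await` would keep the step count honest now that workspace scoping happens inside `computeReview`. Separately, the removed block only filtered after resolving the package through `filterFilesByPackage(ws, target, …)` (with `ws` presumably from the dropped `detectWorkspaces` import), whereas the new code forwards the raw client-supplied string as `package: packageName`; whether `computeReview` rejects a name that matches no workspace cannot be seen from this hunk, so it is worth confirming that an unknown package yields an explicit error rather than a silently empty report. The enclosing handler starts and ends outside the hunk.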
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"review.js","sourceRoot":"","sources":["../../../src/mcp/tools/review.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"review.js","sourceRoot":"","sources":["../../../src/mcp/tools/review.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAG9C,MAAM,CAAC,MAAM,UAAU,GAAY;IACjC,IAAI,EAAE,iBAAiB;IACvB,WAAW,EACT,+wBAA+wB;IACjxB,WAAW,EAAE;QACX,IAAI,EAAE,QAAQ;QACd,UAAU,EAAE;YACV,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,wFAAwF;aACtG;YACD,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE;YACjE,UAAU,EAAE;gBACV,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,+CAA+C;aAC7D;YACD,eAAe,EAAE;gBACf,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,yTAAyT;aAC5T;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,QAAQ;gBACd,WAAW,EAAE,2FAA2F;aACzG;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,WAAW,EACT,ggBAAggB;aACngB;SACF;KACF;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE;QAChC,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,6BAA6B,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3G,IAAI,WAAW;YAAE,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;QAE3F,YAAY,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;QAE3B,iEAAiE;QACjE,iEAAiE;QACjE,8DAA8D;QAC9D,iEAAiE;QACjE,MAAM,aAAa,GACjB,OAAO,IAAI,CAAC,eAAe,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC;YAC/E,CAAC,CAAC,IAAI,CAAC,eAAe;YACtB,CAAC,CAAC,SAAS,CAAC;QAChB,MAAM,IAAI,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;QAC7C,IAAI,IAAI,KAAK,MAAM,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YACnD,iEAAiE;YACjE,iEAAiE;YACjE,6CAA6C;YAC7C,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,
kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;CACF,CAAC"}
|
|
@@ -1,23 +1,23 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.5",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:d0175b29-5bae-42dd-846b-ff89ac180c1b",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "2026-05-
|
|
7
|
+
"timestamp": "2026-05-27T17:24:30.602Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"vendor": "projscan",
|
|
11
11
|
"name": "projscan-sbom-generator",
|
|
12
|
-
"version": "3.0.
|
|
12
|
+
"version": "3.0.3"
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
16
|
"type": "application",
|
|
17
|
-
"bom-ref": "pkg:npm/projscan@3.0.
|
|
17
|
+
"bom-ref": "pkg:npm/projscan@3.0.3",
|
|
18
18
|
"name": "projscan",
|
|
19
|
-
"version": "3.0.
|
|
20
|
-
"purl": "pkg:npm/projscan@3.0.
|
|
19
|
+
"version": "3.0.3",
|
|
20
|
+
"purl": "pkg:npm/projscan@3.0.3"
|
|
21
21
|
}
|
|
22
22
|
},
|
|
23
23
|
"components": [
|
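--- a/package/dist/tool-manifest.json
+++ b/package/dist/tool-manifest.json
@@ -1,8 +1,8 @@
 {
 "name": "projscan",
-"version": "3.0.
+"version": "3.0.3",
 "mcpProtocolVersion": "2025-03-26",
-"generatedAt": "2026-05-
+"generatedAt": "2026-05-27T17:24:35.773Z",
 "toolCount": 39,
 "tools": [
 {
@@ -700,6 +700,10 @@
 "type": "boolean",
 "description": "Include broad readFile/writeFile-style default risks. Default false."
 },
+"include_generated": {
+"type": "boolean",
+"description": "Include default risks that touch generated/codegen files. Default false."
+},
 "max_tokens": {
 "type": "number",
 "description": "Cap the response to roughly this many tokens."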
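--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "projscan",
 "mcpName": "io.github.abhiyoheswaran1/projscan",
-"version": "3.0.
+"version": "3.0.3",
 "description": "Agent-first code intelligence. MCP server (2025-03-26) with AST parsing for JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
 "type": "module",
 "main": "./dist/index.js",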