feat(mcp): add file analysis, alerts, organizations, and threat feed tools#179
Open
annextuckner wants to merge 4 commits into
…tools
Six new MCP tools on top of `depscore`, each following main's
`lib/<tool>-tool.ts` registration pattern:
- `organizations` — list orgs the authenticated user belongs to
- `alerts` — paginated org alerts with severity/category/artifact filters
- `threat_feed` — paginated org threat feed (GET /v0/orgs/{slug}/threat-feed)
- `package_files` — file tree for any package on a supported ecosystem
- `package_file_contents` — read one published file by content hash
- `package_file_grep` — regex search a single file by hash
Adds a process-wide LRU blob cache (default 64 MB, tunable via
SOCKET_BLOB_CACHE_BYTES) so repeated reads/greps of the same hash skip
the socketusercontent fetch across stateless HTTP requests.
Extends `buildPurl` with optional qualifiers, an `openvsx` → `vscode`
rewrite with auto-added `repository_url`, and a placeholder-version
check that only treats `1.0.0` as stale for ecosystems where the model
historically defaults to it (npm/pypi) — not for ecosystems that
genuinely publish 1.0.0 (chrome, openvsx).
pnpm 11.x no longer reads the package.json "pnpm.overrides" field. Move the five overrides not already in pnpm-workspace.yaml (@hono/node-server, fast-uri, hono, zod, zod-to-json-schema) into its overrides: block and drop the dead pnpm field. Refresh the lockfile for the plugin-patch-format-guard hook's catalog deps. Repoint three scripts (test, check, lint) off the stale lib-stable/spawn/spawn export onto process/spawn/child, matching every other script after the lib 6.0.3 restructure.
The lib 6.0.3 restructure dropped the bare "logger" subpath's getDefaultLogger export; it now lives at logger/default. Repoint the three mock-client entrypoints and two scripts. The scripts also move off the bare "lib" name onto the lib-stable self-import alias, matching the rest of scripts/.
# Conflicts:
# lib/depscore-tool.ts
# lib/purl.ts
# package.json
# pnpm-lock.yaml
# scripts/check-versions.ts
# scripts/lint.mts
What

Six new MCP tools on top of `depscore`, each following the `lib/<tool>-tool.ts` registration pattern:
- `organizations` — list orgs the authenticated user belongs to
- `alerts` — paginated org alerts with severity/category/artifact filters
- `threat_feed` — paginated org threat feed (GET /v0/orgs/{slug}/threat-feed)
- `package_files` — file tree for any package on a supported ecosystem
- `package_file_contents` — read one published file by content hash
- `package_file_grep` — regex search a single file by hash

Adds a process-wide LRU blob cache (default 64 MB, tunable via `SOCKET_BLOB_CACHE_BYTES`) so repeated reads/greps of the same hash skip the `socketusercontent` fetch across stateless HTTP requests.

Extends `buildPurl` with optional qualifiers, an `openvsx` → `vscode` rewrite with auto-added `repository_url`, and a placeholder-version check that treats `1.0.0` as stale only for ecosystems where the model historically defaults to it (npm/pypi), not for ecosystems that genuinely publish `1.0.0` (chrome, openvsx).

Test

`pnpm run test:node-test` — 77 tests pass
- `blob.test.ts`, `files.test.ts`, `purl.test.ts`
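The process-wide LRU blob cache that both the first commit message and the "What" section describe is a byte-bounded cache keyed by content hash. The following is an added example written for this page, not code from the PR or the project: the names `BlobCache`, `readCacheBudget` and `getOrFetch` are assumptions, while the 64 MB default and the `SOCKET_BLOB_CACHE_BYTES` variable come from the PR description. It shows the two properties a reviewer would check in such a cache: memory stays under the configured bound across requests, and a malformed environment value cannot silently remove that bound.

```typescript
// Added example, not the project's own code: a byte-bounded LRU blob cache keyed
// by content hash, illustrating the process-wide cache the PR describes. The names
// BlobCache, readCacheBudget and getOrFetch are assumptions; the 64 MB default and
// the SOCKET_BLOB_CACHE_BYTES variable come from the PR description.

export const DEFAULT_BLOB_CACHE_BYTES = 64 * 1024 * 1024;

// Parse the byte budget from the environment. Any value that is not a non-negative
// safe integer falls back to the default, so a malformed setting cannot remove the bound.
export function readCacheBudget(
  env: Record<string, string | undefined> = process.env,
): number {
  const raw = env.SOCKET_BLOB_CACHE_BYTES;
  if (raw === undefined || raw.trim() === '') return DEFAULT_BLOB_CACHE_BYTES;
  const n = Number(raw);
  return Number.isSafeInteger(n) && n >= 0 ? n : DEFAULT_BLOB_CACHE_BYTES;
}

export class BlobCache {
  // Map iterates in insertion order, so the first key is always the least recently used.
  private readonly entries = new Map<string, Uint8Array>();
  private usedBytes = 0;

  constructor(readonly maxBytes: number = readCacheBudget()) {}

  get size(): number { return this.entries.size; }
  get bytes(): number { return this.usedBytes; }
  has(hash: string): boolean { return this.entries.has(hash); }

  // A hit re-inserts the entry so it becomes the most recently used.
  get(hash: string): Uint8Array | undefined {
    const blob = this.entries.get(hash);
    if (blob === undefined) return undefined;
    this.entries.delete(hash);
    this.entries.set(hash, blob);
    return blob;
  }

  // Returns false when the blob alone exceeds the budget: caching it would evict
  // every other entry for a single oversized file.
  set(hash: string, blob: Uint8Array): boolean {
    if (blob.byteLength > this.maxBytes) return false;
    const previous = this.entries.get(hash);
    if (previous !== undefined) {
      this.entries.delete(hash);
      this.usedBytes -= previous.byteLength;
    }
    // Evict from the least-recently-used end until the new blob fits.
    while (this.usedBytes + blob.byteLength > this.maxBytes) {
      const oldestHash = this.entries.keys().next().value as string;
      this.usedBytes -= this.entries.get(oldestHash)!.byteLength;
      this.entries.delete(oldestHash);
    }
    this.entries.set(hash, blob);
    this.usedBytes += blob.byteLength;
    return true;
  }
}

// Read-through helper: stateless HTTP handlers share one cache instance, so the
// loader (the caller's fetch of the blob by hash, assumed here) runs at most once
// per hash while the entry survives eviction.
export async function getOrFetch(
  cache: BlobCache,
  hash: string,
  loadBlob: (hash: string) => Promise<Uint8Array>,
): Promise<Uint8Array> {
  const hit = cache.get(hash);
  if (hit !== undefined) return hit;
  const blob = await loadBlob(hash);
  cache.set(hash, blob);
  return blob;
}
```

A single `BlobCache` instance created at module load and passed to every `package_file_contents` and `package_file_grep` handler gives the cross-request reuse the PR is after; the `maxBytes` bound is what keeps a burst of distinct hashes from growing the process without limit.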
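The `buildPurl` changes, described in both the first commit message and the "What" section, combine three things: optional qualifiers, an `openvsx` to `vscode` type rewrite that adds `repository_url`, and a placeholder-version check scoped to the ecosystems where `1.0.0` is a model default. The block below is an added example, not the project's `buildPurl`. Its assumptions are the `OPENVSX_REPOSITORY_URL` value (the project's actual value is not on the page) and that a placeholder version is omitted from the purl rather than kept; the npm/pypi scoping and the chrome/openvsx exemption come from the PR text.

```typescript
// Added example, not the project's own buildPurl: builds package URLs with optional
// qualifiers, applies the openvsx -> vscode type rewrite with an auto-added
// repository_url, and applies the ecosystem-aware placeholder-version check the PR
// describes. Assumptions: the OPENVSX_REPOSITORY_URL value and that a placeholder
// version is dropped from the purl rather than kept.

export type Qualifiers = Record<string, string | undefined>;

const PLACEHOLDER_VERSION = '1.0.0';
// From the PR description: ecosystems where the model historically defaults to 1.0.0.
const PLACEHOLDER_VERSION_ECOSYSTEMS: ReadonlySet<string> = new Set(['npm', 'pypi']);
// Assumed value for the rewrite; not taken from the project.
const OPENVSX_REPOSITORY_URL = 'https://open-vsx.org';

// 1.0.0 is only a placeholder where the model defaults to it; chrome and openvsx
// genuinely publish 1.0.0, so the check must not fire there.
export function isPlaceholderVersion(ecosystem: string, version: string | undefined): boolean {
  return version === PLACEHOLDER_VERSION
    && PLACEHOLDER_VERSION_ECOSYSTEMS.has(ecosystem.toLowerCase());
}

// Percent-encode one name or version segment ('/' has already been split out).
function encodeSegment(s: string): string {
  return encodeURIComponent(s);
}

// Qualifier values are percent-encoded, but ':' and '/' are kept readable, as in the
// purl spec's repository_url examples.
function encodeQualifierValue(v: string): string {
  return encodeURIComponent(v).replace(/%2F/gi, '/').replace(/%3A/gi, ':');
}

export function buildPurl(
  ecosystem: string,
  name: string,
  version?: string,
  qualifiers: Qualifiers = {},
): string {
  let type = ecosystem.toLowerCase();
  const quals: Qualifiers = { ...qualifiers };

  if (type === 'openvsx') {
    type = 'vscode';
    quals.repository_url ??= OPENVSX_REPOSITORY_URL;
  }

  // A placeholder version is omitted so the purl names the package, not a stale 1.0.0.
  const effectiveVersion = isPlaceholderVersion(ecosystem, version) ? undefined : version;

  // Namespace and name are separated by '/', e.g. npm's '@scope/pkg'; each piece is
  // encoded on its own so the separator survives while '@' becomes %40.
  const namePart = name.split('/').map(encodeSegment).join('/');
  let purl = `pkg:${type}/${namePart}`;
  if (effectiveVersion) purl += `@${encodeSegment(effectiveVersion)}`;

  // Qualifier keys are lowercased and sorted; empty or undefined values are dropped.
  const pairs = Object.keys(quals)
    .filter((k) => quals[k] !== undefined && quals[k] !== '')
    .map((k) => [k.toLowerCase(), quals[k]!] as const)
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
  if (pairs.length > 0) {
    purl += '?' + pairs.map(([k, v]) => `${k}=${encodeQualifierValue(v)}`).join('&');
  }
  return purl;
}
```

The scoping of the placeholder check to a fixed allow-list is the part worth testing explicitly: a check that treated `1.0.0` as stale everywhere would silently redirect lookups for chrome and openvsx packages that really are at 1.0.0.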