-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathserver.js
More file actions
477 lines (450 loc) · 19.7 KB
/
server.js
File metadata and controls
477 lines (450 loc) · 19.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
import { z } from 'zod';
import { createRequire } from 'module';
import { runOrgs } from '../commands/scans/orgs.js';
import { runRepos } from '../commands/scans/repos.js';
import { runHistory } from '../commands/scans/history.js';
import { runGet } from '../commands/scans/get.js';
import { runResults } from '../commands/scans/results.js';
import { runDismissed } from '../commands/scans/dismissed.js';
import { runStartScan } from '../commands/scans/start-scan.js';
import { runReviewHeadless } from '../reviewHeadless.js';
import * as scm from '../scm/index.js';
import { isAlreadyLoggedIn, runLoginFlow } from '../utils/loginFlow.js';
import { getConfigValue } from '../utils/config.js';
const require = createRequire(import.meta.url);
const pkg = require('../../package.json');
const READ = { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true };
const WRITE_NON_DESTRUCTIVE = { readOnlyHint: false, destructiveHint: false, idempotentHint: false, openWorldHint: true };
// Write-side tools are gated behind CODEANT_READ_ONLY. Default = read-only.
function isReadOnly() {
const v = process.env.CODEANT_READ_ONLY;
if (v === undefined) return true;
return v !== '0' && v.toLowerCase() !== 'false';
}
function ok(value) {
return { content: [{ type: 'text', text: JSON.stringify(value, null, 2) }] };
}
function fail(err) {
const message = err instanceof Error ? err.message : String(err);
return {
isError: true,
content: [{ type: 'text', text: JSON.stringify({ error: message }, null, 2) }],
};
}
function resolveRepoOpts(input) {
const remote = input.remote || scm.detectRemote();
const name = input.name || scm.detectRepoName();
const defaultBranch = input.defaultBranch || scm.detectDefaultBranch();
if (!remote) throw new Error('Could not detect remote. Pass `remote` (github|gitlab|bitbucket|azure).');
if (!name) throw new Error('Could not detect repo name. Pass `name` (owner/repo).');
return { ...input, remote, name, defaultBranch };
}
// Capture stdout from a function that writes JSON to stdout (used for `scans results` and `scans start-scan`).
async function captureStdout(fn) {
const chunks = [];
const origWrite = process.stdout.write.bind(process.stdout);
process.stdout.write = (chunk) => {
chunks.push(typeof chunk === 'string' ? chunk : chunk.toString('utf8'));
return true;
};
try {
await fn();
} finally {
process.stdout.write = origWrite;
}
return chunks.join('');
}
async function ensureAuthenticated() {
const envToken = process.env.CODEANT_API_TOKEN;
if (envToken && envToken.trim()) return;
if (isAlreadyLoggedIn()) {
process.env.CODEANT_API_TOKEN = getConfigValue('apiKeyV2');
return;
}
console.error('[codeant-mcp] No API token configured — opening browser for sign-in.');
try {
await runLoginFlow();
console.error('[codeant-mcp] Login complete.');
} catch (err) {
console.error(`[codeant-mcp] Login failed: ${err.message}. The server will start anyway; call the codeant_login tool to retry.`);
}
}
export async function startMcpServer() {
await ensureAuthenticated();
const server = new McpServer({ name: 'codeant', version: pkg.version });
const readOnly = isReadOnly();
// ─── Scans: discovery ────────────────────────────────────────────────────
server.registerTool(
'codeant_scans_orgs',
{
title: 'List CodeAnt organizations',
description: 'List the CodeAnt organizations the current user is authenticated to. Use this first when the user has not specified an org.',
inputSchema: {},
annotations: READ,
},
async () => {
try { return ok(await runOrgs()); } catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_scans_repos',
{
title: 'List repositories in a CodeAnt org',
description: 'List repositories connected to CodeAnt for a given organization. Use this to enumerate repos before fanning out org-wide queries (e.g. "secrets across all repos"). If `org` is omitted and the user has exactly one org, it is auto-picked.',
inputSchema: {
org: z.string().optional().describe('Organization name. Optional when only one org is authenticated.'),
},
annotations: READ,
},
async ({ org }) => {
try { return ok(await runRepos({ org })); } catch (err) { return fail(err); }
}
);
// ─── Scans: history + metadata ───────────────────────────────────────────
server.registerTool(
'codeant_scans_history',
{
title: 'List scan history for a repo',
description: 'Show recent scan runs for a single repository. Use this to find a scan ID/commit SHA to drill into, or to answer "when did this repo last get scanned".',
inputSchema: {
repo: z.string().describe('Repository in owner/repo form.'),
branch: z.string().optional().describe('Filter by branch name.'),
since: z.string().optional().describe('ISO 8601 date; only return scans newer than this.'),
limit: z.number().int().positive().max(100).optional().describe('Max scans returned (default 20).'),
},
annotations: READ,
},
async ({ repo, branch, since, limit }) => {
try { return ok(await runHistory({ repo, branch, since, limit: limit ?? 20 })); } catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_scans_get',
{
title: 'Get scan metadata summary',
description: 'Get summary metadata for a single scan (severity + category counts only — no findings). Use this to size up a scan before pulling full results.',
inputSchema: {
repo: z.string().describe('Repository in owner/repo form.'),
scan: z.string().optional().describe('Specific commit SHA. Either `scan` or `branch` should be provided.'),
branch: z.string().optional().describe('Resolve the latest scan on this branch.'),
types: z.string().optional().describe('Comma-separated scan types (default "all"). e.g. "sast,secrets".'),
},
annotations: READ,
},
async ({ repo, scan, branch, types }) => {
try { return ok(await runGet({ repo, scan, branch, types: types ?? 'all' })); } catch (err) { return fail(err); }
}
);
// ─── Scans: findings ─────────────────────────────────────────────────────
server.registerTool(
'codeant_scans_results',
{
title: 'Fetch scan findings',
description: 'Fetch full findings (SAST, SCA, secrets, IaC, dead code, anti-patterns, etc.) for a single scan on a single repository. Returns the raw findings as JSON. For org-wide queries, call `codeant_scans_repos` first and fan out per-repo.',
inputSchema: {
repo: z.string().describe('Repository in owner/repo form.'),
scan: z.string().optional().describe('Specific commit SHA.'),
branch: z.string().optional().describe('Resolve the latest scan on this branch.'),
types: z.string().optional().describe('Comma-separated types: sast,sca,secrets,iac,dead_code,sbom,anti_patterns,docstring,complex_functions,all (default "all").'),
severity: z.string().optional().describe('Comma-separated severities (e.g. "critical,high").'),
path: z.string().optional().describe('File path glob filter.'),
check: z.string().optional().describe('Filter by check ID or name (regex).'),
filterDismissed: z.boolean().optional().describe('Exclude dismissed findings (default false).'),
includeFalsePositives: z.boolean().optional().describe('Include false positives (default true).'),
fields: z.string().optional().describe('Project findings to a subset of fields (comma-separated).'),
limit: z.number().int().positive().max(500).optional().describe('Max findings per page (default 100).'),
offset: z.number().int().nonnegative().optional().describe('Pagination offset (default 0).'),
},
annotations: READ,
},
async (input) => {
try {
const text = await captureStdout(() =>
runResults({
repo: input.repo,
scan: input.scan,
branch: input.branch,
types: input.types ?? 'all',
severity: input.severity,
path: input.path,
check: input.check,
filterDismissed: input.filterDismissed ?? false,
includeFalsePositives: input.includeFalsePositives ?? true,
format: 'json',
output: undefined,
fields: input.fields,
limit: input.limit ?? 100,
offset: input.offset ?? 0,
failFast: false,
})
);
// runResults already emits JSON; pass it through unparsed to preserve shape.
return { content: [{ type: 'text', text: text || '{}' }] };
} catch (err) {
return fail(err);
}
}
);
server.registerTool(
'codeant_scans_dismissed',
{
title: 'List dismissed alerts',
description: 'List dismissed alerts (false positives, accepted risk, etc.) for a repository. Useful when triaging to avoid re-surfacing already-handled findings.',
inputSchema: {
repo: z.string().describe('Repository in owner/repo form.'),
analysisType: z.enum(['security', 'secrets']).optional().describe('Analysis type (default "security").'),
},
annotations: READ,
},
async ({ repo, analysisType }) => {
try { return ok(await runDismissed({ repo, analysisType: analysisType ?? 'security' })); } catch (err) { return fail(err); }
}
);
// ─── Pull requests (SCM, read-only) ──────────────────────────────────────
server.registerTool(
'codeant_pr_list',
{
title: 'List pull requests',
description: 'List pull requests / merge requests on the current repo (auto-detected from git remote unless `name`+`remote` are provided).',
inputSchema: {
name: z.string().optional().describe('Repository in owner/repo form. Auto-detected if omitted.'),
remote: z.enum(['github', 'gitlab', 'bitbucket', 'azure']).optional().describe('Auto-detected if omitted.'),
defaultBranch: z.string().optional(),
sourceBranch: z.string().optional(),
author: z.string().optional().describe('Filter by author login (fuzzy).'),
state: z.enum(['open', 'closed']).optional().describe('Default "open".'),
limit: z.number().int().positive().max(100).optional(),
offset: z.number().int().nonnegative().optional(),
},
annotations: READ,
},
async (input) => {
try {
const opts = resolveRepoOpts(input);
return ok(
await scm.listPullRequests({
name: opts.name,
remote: opts.remote,
defaultBranch: opts.defaultBranch,
sourceBranch: opts.sourceBranch,
authorLogin: opts.author,
state: opts.state ?? 'open',
limit: opts.limit ?? 20,
offset: opts.offset ?? 0,
})
);
} catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_pr_get',
{
title: 'Get pull request details',
description: 'Fetch detailed information for a single PR/MR including review analysis.',
inputSchema: {
prNumber: z.number().int().positive(),
name: z.string().optional(),
remote: z.enum(['github', 'gitlab', 'bitbucket', 'azure']).optional(),
defaultBranch: z.string().optional(),
},
annotations: READ,
},
async (input) => {
try {
const opts = resolveRepoOpts(input);
return ok(
await scm.getPullRequest({
name: opts.name,
remote: opts.remote,
defaultBranch: opts.defaultBranch,
prNumber: input.prNumber,
})
);
} catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_pr_comments',
{
title: 'List PR comments',
description: 'List comments on a PR/MR with optional filters (CodeAnt-authored only, resolved/unresolved, date range).',
inputSchema: {
prNumber: z.number().int().positive(),
name: z.string().optional(),
remote: z.enum(['github', 'gitlab', 'bitbucket', 'azure']).optional(),
defaultBranch: z.string().optional(),
codeantGenerated: z.boolean().optional().describe('Only return comments authored by CodeAnt.'),
addressed: z.boolean().optional().describe('Filter by addressed/resolved status.'),
createdAfter: z.string().optional().describe('ISO 8601.'),
createdBefore: z.string().optional().describe('ISO 8601.'),
},
annotations: READ,
},
async (input) => {
try {
const opts = resolveRepoOpts(input);
return ok(
await scm.listPullRequestComments({
name: opts.name,
remote: opts.remote,
defaultBranch: opts.defaultBranch,
prNumber: input.prNumber,
codeantGenerated: input.codeantGenerated,
addressed: input.addressed,
createdAfter: input.createdAfter,
createdBefore: input.createdBefore,
})
);
} catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_comments_search',
{
title: 'Search CodeAnt review comments',
description: 'Search across CodeAnt review comments by free-text query. Returns matching comments with repo, PR, and file context.',
inputSchema: {
query: z.string(),
name: z.string().optional(),
remote: z.enum(['github', 'gitlab', 'bitbucket', 'azure']).optional(),
limit: z.number().int().positive().max(50).optional(),
includeAddressed: z.boolean().optional(),
createdAfter: z.string().optional().describe('ISO 8601.'),
},
annotations: READ,
},
async (input) => {
try {
const opts = resolveRepoOpts(input);
return ok(
await scm.searchComments({
name: opts.name,
remote: opts.remote,
query: input.query,
limit: input.limit ?? 10,
includeAddressed: input.includeAddressed ?? false,
createdAfter: input.createdAfter,
})
);
} catch (err) { return fail(err); }
}
);
// ─── Local review (read-only — does not modify files) ────────────────────
server.registerTool(
'codeant_review_local',
{
title: 'Review local working-copy changes',
description: 'Run a CodeAnt AI review on local working-copy changes and return the findings as JSON. Does not modify files — pair with editor tools to apply fixes. Use this for "review my changes" / "check my staged files" prompts.',
inputSchema: {
scope: z
.enum(['all', 'uncommitted', 'staged-only', 'committed', 'last-commit', 'last-n-commits', 'base-branch', 'base-commit'])
.optional()
.describe('Review scope. Default "uncommitted".'),
lastNCommits: z.number().int().positive().max(5).optional(),
baseBranch: z.string().optional(),
baseCommit: z.string().optional(),
include: z.array(z.string()).optional().describe('Glob patterns to include.'),
exclude: z.array(z.string()).optional().describe('Glob patterns to exclude.'),
},
annotations: READ,
},
async (input) => {
try {
const result = await runReviewHeadless({
workspacePath: process.cwd(),
scanType: input.scope ?? 'uncommitted',
lastNCommits: input.lastNCommits ?? 1,
include: input.include ?? [],
exclude: input.exclude ?? [],
baseBranch: input.baseBranch ?? null,
baseCommit: input.baseCommit ?? null,
onProgress: () => {},
onFilesReady: () => {},
});
return ok(result);
} catch (err) { return fail(err); }
}
);
// ─── Auth (always registered — login is needed even in read-only mode) ───
server.registerTool(
'codeant_login',
{
title: 'Sign in to CodeAnt AI',
description: 'Opens app.codeant.ai in the user\'s browser and waits up to 10 minutes for them to complete sign-in. Tell the user to check their browser and finish the flow there. On success the API token is saved to ~/.codeant/config.json (apiKeyV2) and set on the running MCP process, so subsequent tool calls are authenticated without restart. Returns { alreadyLoggedIn: true } immediately if a token is already configured, unless `force` is true.',
inputSchema: {
force: z.boolean().optional().describe('Re-authenticate even if a token is already configured. Default false.'),
},
annotations: { ...WRITE_NON_DESTRUCTIVE, idempotentHint: true },
},
async ({ force }) => {
try {
const envToken = process.env.CODEANT_API_TOKEN;
if (!force && ((envToken && envToken.trim()) || isAlreadyLoggedIn())) {
return ok({ alreadyLoggedIn: true });
}
const { token, loginUrl } = await runLoginFlow();
const masked = token ? `${token.slice(0, 8)}…` : null;
return ok({ status: 'success', loginUrl, token: masked });
} catch (err) { return fail(err); }
}
);
// ─── Write-side tools (gated behind CODEANT_READ_ONLY=0) ─────────────────
if (!readOnly) {
server.registerTool(
'codeant_scans_start',
{
title: 'Trigger a new scan',
description: 'Trigger a new scan run for a repository. WRITE OPERATION — only enabled when CODEANT_READ_ONLY=0.',
inputSchema: {
repo: z.string().optional().describe('owner/repo (auto-detected from git remote if omitted).'),
branch: z.string().optional(),
commit: z.string().optional(),
include: z.string().optional().describe('Comma-separated globs.'),
exclude: z.string().optional().describe('Comma-separated globs.'),
},
annotations: WRITE_NON_DESTRUCTIVE,
},
async (input) => {
try {
const text = await captureStdout(() => runStartScan(input));
return { content: [{ type: 'text', text: text || '{}' }] };
} catch (err) { return fail(err); }
}
);
server.registerTool(
'codeant_pr_resolve',
{
title: 'Resolve a PR conversation',
description: 'Resolve a conversation/comment thread on a PR. WRITE OPERATION — only enabled when CODEANT_READ_ONLY=0.',
inputSchema: {
prNumber: z.number().int().positive(),
name: z.string().optional(),
remote: z.enum(['github', 'gitlab', 'bitbucket', 'azure']).optional(),
commentId: z.number().int().optional(),
threadId: z.string().optional(),
discussionId: z.string().optional(),
},
annotations: { ...WRITE_NON_DESTRUCTIVE, idempotentHint: true },
},
async (input) => {
try {
const opts = resolveRepoOpts(input);
return ok(
await scm.resolveConversation({
name: opts.name,
remote: opts.remote,
prNumber: input.prNumber,
commentId: input.commentId,
threadId: input.threadId,
discussionId: input.discussionId,
})
);
} catch (err) { return fail(err); }
}
);
}
const transport = new StdioServerTransport();
await server.connect(transport);
}