feat(mcp): add file analysis, alerts, organizations, and threat feed tools #179

Closed. annextuckner wants to merge 4 commits into main from tuckner/mcp-tools

@annextuckner
Contributor

What

Six new MCP tools on top of depscore, each following the lib/<tool>-tool.ts registration pattern:

  • organizations — list orgs the authenticated user belongs to
  • alerts — paginated org alerts with severity/category/artifact filters
  • threat_feed — paginated org threat feed (GET /v0/orgs/{slug}/threat-feed)
  • package_files — file tree for any package on a supported ecosystem
  • package_file_contents — read one published file by content hash
  • package_file_grep — regex search a single file by hash

Adds a process-wide LRU blob cache (default 64 MB, tunable via SOCKET_BLOB_CACHE_BYTES) so repeated reads/greps of the same hash skip the socketusercontent fetch across stateless HTTP requests.

Extends buildPurl with optional qualifiers, an openvsx → vscode rewrite with auto-added repository_url, and a placeholder-version check that treats 1.0.0 as stale only for ecosystems where the model historically defaults to it (npm/pypi), not for ecosystems that genuinely publish 1.0.0 (chrome, openvsx).

Test

  • pnpm run test:node-test — 77 tests pass
  • New unit tests: blob.test.ts, files.test.ts, purl.test.ts

…tools

Six new MCP tools on top of `depscore`, each following main's
`lib/<tool>-tool.ts` registration pattern:

- `organizations` — list orgs the authenticated user belongs to
- `alerts` — paginated org alerts with severity/category/artifact filters
- `threat_feed` — paginated org threat feed (GET /v0/orgs/{slug}/threat-feed)
- `package_files` — file tree for any package on a supported ecosystem
- `package_file_contents` — read one published file by content hash
- `package_file_grep` — regex search a single file by hash

Adds a process-wide LRU blob cache (default 64 MB, tunable via
SOCKET_BLOB_CACHE_BYTES) so repeated reads/greps of the same hash skip
the socketusercontent fetch across stateless HTTP requests.

Extends `buildPurl` with optional qualifiers, an `openvsx` → `vscode`
rewrite with auto-added `repository_url`, and a placeholder-version
check that only treats `1.0.0` as stale for ecosystems where the model
historically defaults to it (npm/pypi) — not for ecosystems that
genuinely publish 1.0.0 (chrome, openvsx).

pnpm 11.x no longer reads the package.json "pnpm.overrides" field. Move
the five overrides not already in pnpm-workspace.yaml (@hono/node-server,
fast-uri, hono, zod, zod-to-json-schema) into its overrides: block and
drop the dead pnpm field. Refresh the lockfile for the
plugin-patch-format-guard hook's catalog deps.

Repoint three scripts (test, check, lint) off the stale
lib-stable/spawn/spawn export onto process/spawn/child, matching every
other script after the lib 6.0.3 restructure.

The lib 6.0.3 restructure dropped the bare "logger" subpath's
getDefaultLogger export; it now lives at logger/default. Repoint the
three mock-client entrypoints and two scripts. The scripts also move off
the bare "lib" name onto the lib-stable self-import alias, matching the
rest of scripts/.

# Conflicts:
#	lib/depscore-tool.ts
#	lib/purl.ts
#	package.json
#	pnpm-lock.yaml
#	scripts/check-versions.ts
#	scripts/lint.mts

John-David Dalton (jdalton) added a commit that referenced this pull request Jun 1, 2026
First seam of #179. buildPurl takes an optional qualifiers map, rewrites
the friendly `openvsx` ecosystem to PURL type `vscode` with an auto
`repository_url=https://open-vsx.org` qualifier (caller-overridable), and
only treats `1.0.0` as a placeholder version for npm/pypi (chrome/openvsx
publish real 1.0.0). Ported the PR's 5 new cases into test/purl.test.ts.

Co-authored-by: annextuckner <annextuckner@users.noreply.github.com>

John-David Dalton (jdalton) added a commit that referenced this pull request Jun 1, 2026
Second seam of #179. Adds a debug() that forwards to logger.info only
when SOCKET_DEBUG is set, preserving the pre-bundle pino behavior where
verbose request/cache traces stayed quiet by default — the new file/blob/
threat-feed tools use it. Also switches scripts/check-versions.ts to the
-stable logger import per the scripts/** self-import rule.

Co-authored-by: annextuckner <annextuckner@users.noreply.github.com>

John-David Dalton (jdalton) added a commit that referenced this pull request Jun 1, 2026
lib/blob.ts fetches single (Q) + chunked (S) blobs from socketusercontent,
decoding UTF-8 / flagging binary / honoring maxBytes. Converted off raw
fetch() onto httpRequest (arrayBuffer for binary bodies), null→undefined.
lib/blob-cache.ts is the process-wide LRU; its env reads now route through
new lib/env.ts getters (getSocketBlob*/getSocketBypass*). test/blob.test.ts
ports the PR's 10 cases to vitest, mocking socketusercontent with nock
(no live network). getOrFetchBlob cache coverage is a follow-up.

Co-authored-by: annextuckner <annextuckner@users.noreply.github.com>

John-David Dalton (jdalton) added a commit that referenced this pull request Jun 1, 2026
lib/files.ts fetches a package's file manifest (httpRequest, not fetch),
normalizes + renders it as a tree. lib/package-files-tool.ts registers
three read-only MCP tools — package_files (list), package_file_contents
(read via the blob cache), package_file_grep (regex search) — wired into
createConfiguredServer(). New lib/env.ts getter for the internal UA;
getStaticApiKey() exported from depscore-tool for the shared auth fallback.
test/files.test.ts ports the PR's 17 cases to vitest (pure helpers direct,
fetchFileList via nock). package_files-tool handler coverage is a follow-up.

Co-authored-by: annextuckner <annextuckner@users.noreply.github.com>

John-David Dalton (jdalton) added a commit that referenced this pull request Jun 1, 2026
Final seam of #179. Adds the org-scoped data modules + MCP tool wrappers:
- organizations — list the user's Socket orgs (discovers org_slug)
- alerts — latest org security alerts with severity/category/etc filters
- threat-feed — org threat-feed items (renamed threatFeed.ts → threat-feed.ts)
All three converted off raw fetch() onto httpRequest, errorMessage(e) for
catches, optional props explicit-undefined, and registered in
createConfiguredServer(). Tests (alerts/organizations/threat-feed) port the
query-builders direct + the fetch paths via nock. Tool-handler coverage is
a follow-up. Server smoke-creates with all tools registered.

Co-authored-by: annextuckner <annextuckner@users.noreply.github.com>

@jdalton
Collaborator

Landed in main across five focused commits (you're credited as co-author on each):

  • 2bef630 feat(purl): openvsx/vscode rewrite + qualifiers in buildPurl
  • 2a8f1c6 feat(logger): SOCKET_DEBUG-gated debug() helper
  • 4e78661 feat(blob): content-addressed blob fetch + LRU cache
  • 728df12 feat(files): package_files / package_file_contents / package_file_grep tools
  • f4eab89 feat(tools): organizations / alerts / threat-feed tools

Adapted to current main rather than merged: every data module was converted off raw fetch() onto httpRequest from @socketsecurity/lib, lib/threatFeed.ts was renamed to lib/threat-feed.ts (kebab-case), tools register in createConfiguredServer(), and the node:test files were rewritten as vitest suites mocking the network with nock (the repo migrated to vitest). All four tools are registered and the server smoke-creates cleanly. Tool-handler (MCP wrapper) unit coverage is tracked as a follow-up; data-module + pure-helper coverage is complete. Thanks — this was a substantial, well-structured contribution.
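
The `buildPurl` rules described in this PR (openvsx → vscode rewrite, auto-added but caller-overridable `repository_url`, and `1.0.0` treated as a placeholder only for npm/pypi), as an added sketch that is not the PR's or the project's code. The names `buildPurlSketch` and `isPlaceholderVersion`, dropping a placeholder version from the PURL, and the use of `encodeURIComponent` for escaping are assumptions of this example.

```typescript
// Added sketch, not the project's lib/purl.ts. All names are hypothetical.
type Qualifiers = Record<string, string>;

// Ecosystems where the PR says a bare 1.0.0 is usually a model default.
const PLACEHOLDER_ECOSYSTEMS = new Set(["npm", "pypi"]);

// Friendly ecosystem name -> PURL type plus qualifiers added automatically.
const REWRITES: Record<string, { type: string; qualifiers: Qualifiers }> = {
  openvsx: { type: "vscode", qualifiers: { repository_url: "https://open-vsx.org" } },
};

function isPlaceholderVersion(ecosystem: string, version: string): boolean {
  return version === "1.0.0" && PLACEHOLDER_ECOSYSTEMS.has(ecosystem.toLowerCase());
}

function buildPurlSketch(
  ecosystem: string,
  name: string,
  version: string = "",
  qualifiers: Qualifiers = {},
): string {
  const eco = ecosystem.toLowerCase();
  const rewrite = REWRITES[eco];
  const type = rewrite ? rewrite.type : eco;
  // Caller-supplied qualifiers win over the automatic ones.
  const merged: Qualifiers = { ...(rewrite ? rewrite.qualifiers : {}), ...qualifiers };
  // Encode each path segment on its own: "/" in scoped names survives, while
  // "@", "?" and "#" in untrusted input cannot break out into the version or
  // qualifier part of the PURL.
  const path = name
    .split("/")
    .filter((seg) => seg !== "")
    .map((seg) => encodeURIComponent(seg))
    .join("/");
  // Assumption: a placeholder version is dropped rather than sent as a pin.
  const keepVersion = version !== "" && !isPlaceholderVersion(eco, version);
  // Sort keys so the same input always yields the same string (stable cache key).
  const query = Object.entries(merged)
    .sort(([a], [b]) => (a < b ? -1 : 1))
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("&");
  return (
    `pkg:${type}/${path}` +
    (keepVersion ? `@${encodeURIComponent(version)}` : "") +
    (query !== "" ? `?${query}` : "")
  );
}
```

Real PURL libraries differ on which characters they leave unescaped in qualifier values, so compare against the library in use before relying on exact string equality.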
