Merge pull request #104 from gemini-cli-extensions/mcp_audit_scope_tooling

feature: mcp server organization and audit scope tooling

Author: QuinnDACollins

GEMINI.md

@@ -8,6 +8,7 @@ This document outlines your standard procedures, principles, and skillsets for c
 
 You are a highly skilled senior security engineer. You are meticulous, an expert in identifying modern security vulnerabilities, and you follow a strict operational procedure for every task. You MUST adhere to these core principles:
 
+*   **Selective Action:** Only perform security analysis when the user explicitly requests for help with code security or  vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance.
 *   **Assume All External Input is Malicious:** Treat all data from users, APIs, or files as untrusted until validated and sanitized.
 *   **Principle of Least Privilege:** Code should only have the permissions necessary to perform its function.
 *   **Fail Securely:** Error handling should never expose sensitive information.

commands/security/analyze.toml

@@ -106,21 +106,8 @@ Your first action is to create a `SECURITY_ANALYSIS_TODO.md` file with the follo
 You will now begin executing the plan. The following are your precise instructions to start with.
 
 1.  **To complete the 'Define the audit scope' task:**
-    *   You **MUST** run the exact command: `git rev-parse --is-inside-work-tree`.
-    *   If the above command succeeds, returning true: then proceed to step 1a.
-    *   If the above command fails, producing a fatal error: then proceed to step 1b.
-
-1a. **To define the audit scope in a git repository** 
-    *   You **MUST** run the exact command: `git diff --merge-base origin/HEAD`.
-    *   If this command fails and does not produce a changelist, use this exact command: `git diff`.
-    *   This is your only method for determining the changed files. Do not use any other commands for this purpose.
-    *   Once the command is executed and you have the list of changed files, you will mark this task as complete.
-
-1b. **To define the audit scope in a non-git folder** 
-    *   Let the user know that you were unable to generate an automatic changelist with git, so you **MUST** prompt the user for files to security scan. 
-    *   Match the users response to files in the workspace and build a list of files to analyze.
-    *   This is your only method for determining the files to analyze. Do not use any other commands for this purpose.
-    *   Once you have a list of files to analyze you will mark this task as complete.
+    *   You **MUST** use the `get_audit_scope` tool and nothing else to get a list of changed files to perform a security scan on. 
+    *   After using the tool, provide the user a list of changed files. If the list of files is empty, ask the user to provide files to be scanned.
 
 2.  **Immediately after defining the scope, you must refine your plan:**
     *   You will rewrite the `SECURITY_ANALYSIS_TODO.md` file.

gemini-extension.json

@@ -6,7 +6,7 @@
     "securityServer": {
       "command": "node",
       "args": [
-        "${extensionPath}/mcp-server/dist/security.js"
+        "${extensionPath}/mcp-server/dist/index.js"
       ]
     }
   }

mcp-server/package.json

@@ -1,11 +1,11 @@
 {
   "name": "gemini-cli-security-mcp-server",
   "type": "module",
-  "main": "dist/security.js",
+  "main": "dist/index.js",
   "scripts": {
     "build": "tsc",
-    "dev": "tsc --watch",    
-    "start": "node dist/security.js",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
     "test": "vitest",
     "typecheck": "tsc --noEmit",
     "prepare": "npm run build"

mcp-server/src/filesystem.test.ts

@@ -0,0 +1,35 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { expect, describe, it, beforeAll, afterAll } from 'vitest';
+import { isGitHubRepository, getAuditScope } from './filesystem';
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+
+describe('filesystem', () => {
+  beforeAll(() => {
+    execSync('git init');
+    execSync('git remote add origin https://github.com/gemini-testing/gemini-test-repo.git');
+    fs.writeFileSync('test.txt', 'hello');
+    execSync('git add .');
+    execSync('git commit -m "initial commit"');
+  });
+
+  afterAll(() => {
+    fs.unlinkSync('test.txt');
+    execSync('rm -rf .git');
+  });
+
+  it('should return true if the directory is a github repository', () => {
+    expect(isGitHubRepository()).toBe(true);
+  });
+
+  it('should return a diff of the current changes', () => {
+    fs.writeFileSync('test.txt', 'hello world');
+    const diff = getAuditScope();
+    expect(diff).toContain('hello world');
+  });
+});

mcp-server/src/filesystem.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { spawnSync } from 'node:child_process';
+
+/**
+ * Checks if the current directory is a GitHub repository.
+ * @returns True if the current directory is a GitHub repository, false otherwise.
+ */
+export const isGitHubRepository = (): boolean => {
+  try {
+    const remotes = (
+      spawnSync('git', ['remote', '-v'], {
+        encoding: 'utf-8',
+      }).stdout || ''
+    ).trim();
+
+    const pattern = /github\.com/;
+
+    return pattern.test(remotes);
+  } catch (_error) {
+    return false;
+  }
+};
+
+/**
+ * Gets a changelist of the repository 
+ */
+export function getAuditScope(): string {
+    let command = isGitHubRepository() ? 'git diff --merge-base origin/HEAD' : 'git diff';
+    try {
+        const diff = (
+        spawnSync('git', command.split(' ').slice(1), {
+            encoding: 'utf-8',
+        }).stdout || ''
+        ).trim();
+
+        return diff;
+    } catch (_error) {
+        return "";
+    }
+}

mcp-server/src/index.ts

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { z } from 'zod';
+import { promises as fs } from 'fs';
+import path from 'path';
+import { getAuditScope } from './filesystem.js';
+import { findLineNumbers } from './security.js';
+
+const server = new McpServer({
+  name: 'gemini-cli-security',
+  version: '0.1.0',
+});
+
+server.tool(
+  'find_line_numbers',
+  'Finds the line numbers of a code snippet in a file.',
+  {
+    filePath: z
+      .string()
+      .describe('The path to the file to with the security vulnerability.'),
+    snippet: z
+      .string()
+      .describe('The code snippet to search for inside the file.'),
+  },
+  (input) => findLineNumbers(input, { fs, path })
+);
+
+server.tool(
+  'get_audit_scope',
+  'Checks if the current directory is a GitHub repository.',
+  {},
+  () => {
+    const diff = getAuditScope();
+    return {
+      content: [
+        {
+          type: 'text',
+          text: diff,
+        },
+      ],
+    };
+  }
+);
+
+async function startServer() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
+startServer();

mcp-server/src/security.ts

@@ -1,23 +1,13 @@
-#!/usr/bin/env node
-
 /**
  * @license
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { CallToolResult } from '@modelcontextprotocol/sdk/types.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { z } from 'zod';
 import { promises as fs } from 'fs';
 import path from 'path';
 
-const server = new McpServer({
-  name: 'gemini-cli-security',
-  version: '0.1.0',
-});
-
 export async function findLineNumbers(
   {
     filePath,
@@ -38,7 +28,9 @@ export async function findLineNumbers(
         content: [
           {
             type: 'text',
-            text: JSON.stringify({ error: 'File path is outside of the current working directory.' }),
+            text: JSON.stringify({
+              error: 'File path is outside of the current working directory.',
+            }),
           },
         ],
       };
@@ -126,20 +118,3 @@ export async function findLineNumbers(
     };
   }
 }
-
-server.tool(
-  'find_line_numbers',
-  'Finds the line numbers of a code snippet in a file.',
-  {
-    filePath: z.string().describe('The path to the file to with the security vulnerability.'),
-    snippet: z.string().describe('The code snippet to search for inside the file.'),
-  },
-  (input) => findLineNumbers(input, { fs, path })
-);
-
-async function startServer() {
-  const transport = new StdioServerTransport();
-  await server.connect(transport);
-}
-
-startServer();