feat(mcp): add depsight_rescan tool to trigger a repo scan from MCP #83
Merged
The depsight MCP server was read-only, so an agent could not close the
fix -> rescan -> verify loop without the web UI. Add depsight_rescan({repoId})
which POSTs to the existing /api/scan endpoint with the same dsat_ Bearer
token the read tools use (resolveRequestUser already accepts it server-side,
and scanRepository scopes the scan to the token user's own repos), returning
scanId + status so the caller can then poll depsight_get_cves.
Tests cover the client (path/method/Bearer/body + 401/400/500 -> HttpError)
and the tool wrapper (success envelope, status/dependabotDisabled defaulting,
and HttpError -> isError mapping).
Out of scope, filed as follow-up (task 5e9a27bc): access-denied currently
returns 500 instead of 403/404, and there is no already-running scan guard.
Refs: task bbbc70b1
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

The depsight MCP server was read-only — an agent couldn't close the fix → rescan → verify loop without the web UI. Adds `depsight_rescan({ repoId })` that POSTs to the existing `/api/scan` endpoint and returns `scanId` + `status`, so the caller can then poll `depsight_get_cves`.

- `mcp/src/client.ts`: `rescan(repoId)` → POST `/api/scan` with the same `dsat_` Bearer token the read tools use.
- `mcp/src/tools/rescan.ts`: `depsight_rescan` tool (zod `repoId` `min(1)`; per-repo only — no all-repos mode).
- `mcp/src/server.ts`: registers the tool.

Auth / safety (verified by reviewer)

- `/api/scan` authenticates via `resolveRequestUser()`, which already accepts the `dsat_` Bearer token identically to the read routes — zero endpoint changes needed.
- `scanRepository` scopes the scan to repos owned + tracked by the token's user → no cross-user IDOR.

Tests

- Client: path/method/Bearer/body + 401/400/500 → `HttpError`.
- Tool: success envelope, `status`/`dependabotDisabled` defaulting, and `HttpError` → `isError` result.
- `tsc` build clean, 28/28 mcp tests green.

Out of scope → follow-up (task 5e9a27bc)

Reviewer noted two pre-existing backend behaviors the tool merely relays: access-denied returns 500 (not 403/404), and there's no already-running scan guard. Both filed as a follow-up; not touched here.

Note: a version bump/publish of `@opentriologue/depsight-mcp` is left to the release process (the running MCP server picks up the new tool on restart).

Refs: task bbbc70b1
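The client/tool split described above, as an added example that is not the depsight project's code: a `rescan` client that POSTs to `/api/scan` with a Bearer token and raises `HttpError` on non-2xx, and a tool wrapper that validates `repoId` (the equivalent of the zod `min(1)` rule, written by hand so the block has no dependencies), defaults `status`/`dependabotDisabled`, and maps `HttpError` to an `isError` envelope instead of throwing. The transport is a synchronous function so it runs offline against a constructed stand-in server; the endpoint path, the `dsat_` prefix, the `HttpError` name and the response shape are assumptions taken from the description, and the stand-in returns 403 on access denial, which the description notes the real backend does not yet do.

```typescript
// Added illustration, not the depsight project's code. Assumed: /api/scan,
// the dsat_ token prefix, HttpError, and a { scanId, status?, dependabotDisabled? }
// response. Transport is synchronous here; a real client would await fetch().

export interface HttpRequest {
  method: string;
  path: string;
  headers: Record<string, string>;
  body: string;
}
export interface HttpResponse {
  status: number;
  body: string;
}
export type Transport = (req: HttpRequest) => HttpResponse;

// Non-2xx responses surface as HttpError so the tool layer can map them to isError.
export class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.name = "HttpError";
    this.status = status;
  }
}

export interface RescanResponse {
  scanId: string;
  status?: string;
  dependabotDisabled?: boolean;
}

// Client side: POST /api/scan with the same Bearer token the read tools use.
export function rescan(transport: Transport, token: string, repoId: string): RescanResponse {
  const res = transport({
    method: "POST",
    path: "/api/scan",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ repoId }),
  });
  if (res.status < 200 || res.status >= 300) {
    throw new HttpError(res.status, `POST /api/scan -> ${res.status}: ${res.body}`);
  }
  return JSON.parse(res.body) as RescanResponse;
}

// MCP-style tool result envelope: text content plus an isError flag.
export interface ToolResult {
  content: { type: "text"; text: string }[];
  isError: boolean;
}

// Tool side: validate input (hand-written equivalent of zod repoId min(1)),
// default the optional fields, and turn HttpError into an isError result.
export function depsightRescan(transport: Transport, token: string, args: { repoId?: unknown }): ToolResult {
  const repoId = args.repoId;
  if (typeof repoId !== "string" || repoId.length < 1) {
    return { content: [{ type: "text", text: "repoId must be a non-empty string" }], isError: true };
  }
  try {
    const r = rescan(transport, token, repoId);
    const out = {
      scanId: r.scanId,
      status: r.status ?? "queued",
      dependabotDisabled: r.dependabotDisabled ?? false,
    };
    return { content: [{ type: "text", text: JSON.stringify(out) }], isError: false };
  } catch (e) {
    if (e instanceof HttpError) {
      return { content: [{ type: "text", text: `scan request failed (${e.status}): ${e.message}` }], isError: true };
    }
    throw e; // programming errors still propagate to the MCP runtime
  }
}

// Constructed stand-in for the server so the example runs offline. It checks
// method, path, Bearer token and body, and scopes the scan to the repos the
// token's user may see (the per-user scoping the description attributes to
// scanRepository). Access denial returns 403 here.
export function fakeServer(tokenRepos: Record<string, string[]>): Transport {
  return (req) => {
    if (req.method !== "POST" || req.path !== "/api/scan") return { status: 404, body: "not found" };
    const auth = req.headers["Authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    const repos = tokenRepos[token];
    if (!token.startsWith("dsat_") || !repos) return { status: 401, body: "unauthorized" };
    let repoId: unknown;
    try {
      repoId = JSON.parse(req.body).repoId;
    } catch {
      return { status: 400, body: "bad json" };
    }
    if (typeof repoId !== "string" || repoId.length === 0) return { status: 400, body: "repoId required" };
    if (!repos.includes(repoId)) return { status: 403, body: "forbidden" };
    // status is deliberately omitted so the tool's defaulting is exercised.
    return { status: 200, body: JSON.stringify({ scanId: `scan_${repoId}` }) };
  };
}
```

The design point worth noticing is the boundary: the client throws, the tool never does for server-side outcomes. An agent reading an `isError` envelope can decide to retry, report, or stop, whereas an uncaught exception would surface as a protocol-level failure and hide the HTTP status the description says the tests assert on.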