@agentutility/mcp-prooflayer 0.1.8 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -7
- package/dist/tools.generated.js +84 -12
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -22,7 +22,7 @@ Edit `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) o
|
|
|
22
22
|
}
|
|
23
23
|
```
|
|
24
24
|
|
|
25
|
-
Restart Claude Desktop.
|
|
25
|
+
Restart Claude Desktop. 15 tools appear in the tool palette.
|
|
26
26
|
|
|
27
27
|
## Install — Cursor
|
|
28
28
|
|
|
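Review bot: the tool count in the added line `Restart Claude Desktop. 15 tools appear in the tool palette.` is hard-coded, and the same number is repeated in the `## Tools (15)` heading in the next hunk. `dist/tools.generated.js` is produced by a script, so either generate the README count from the same source or drop the number here. Otherwise the next tool addition leaves the install instructions telling users to expect the wrong palette size.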
@@ -46,23 +46,25 @@ Send any amount of **USDC on Base mainnet** to the address derived from your `X4
|
|
|
46
46
|
|
|
47
47
|
USDC on Base contract: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`
|
|
48
48
|
|
|
49
|
-
## Tools (
|
|
49
|
+
## Tools (15)
|
|
50
50
|
|
|
51
51
|
| Tool | Description |
|
|
52
52
|
|---|---|
|
|
53
53
|
| `ai-content-detector` | (0.03 USDC/call) AI content detector / GPT detector / ChatGPT plagiarism checker. Calibrated probability (0-1), verdict, suspicious phrases, per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). |
|
|
54
|
+
| `app-store-rejection-explain` | (0.02 USDC/call) App Store rejection explainer / Google Play rejection triage / mobile app review policy checklist. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. |
|
|
54
55
|
| `brand-clearance` | (0.25 USDC/call) Brand clearance aggregator / name screening / product-name vetting / startup-brand pre-flight. Given a candidate brand name, returns a single composite clearance signal an agent can act on. Calls four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project / product / startup names before committing. Screening tool only — not legal advice. |
|
|
55
|
-
| `cve` | (0.005 USDC/call) CVE lookup / vulnerability
|
|
56
|
-
| `cve-lookup` | (0.005 USDC/call) CVE lookup / vulnerability database. NIST NVD-
|
|
56
|
+
| `cve` | (0.005 USDC/call) CVE lookup / vulnerability lookup / NVD record / CVSS scorer / vuln advisory fetch / exploit-known check / CWE class / patch-priority triage / Log4Shell-style record. Short alias of cve-lookup. Returns NIST NVD record with CVSS v3.1 + v2 vectors, severity, CWE, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. |
|
|
57
|
+
| `cve-lookup` | (0.005 USDC/call) CVE lookup / vulnerability database / NVD record fetcher / CVSS scorer / Log4Shell-style advisory inspector / known-exploit checker / CISA KEV adjacent / patch-priority triage / CWE classifier. Pulls the canonical NIST NVD record for a CVE-YYYY-NNNNN identifier and returns description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Includes a bounded plain-English exploitability summary. Federal public data. |
|
|
57
58
|
| `db-migration-risk` | (0.02 USDC/call) DB migration risk audit / SQL migration safety check / DROP COLUMN detector / unsafe ALTER TABLE detector / Postgres CREATE INDEX CONCURRENTLY check / Alembic op.drop_* detector / TRUNCATE/DELETE WHERE detector / foreign key NOT VALID check / pre-deploy DB gate. Walks `migrations/`, `prisma/migrations/`, `db/migrate/`, `supabase/migrations/`, `alembic/versions/` and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, …]} for private / agent-workspace use. |
|
|
58
59
|
| `dep-risk-summary` | (0.03 USDC/call) repo dependency risk audit / package.json + lockfile vetter / unpinned dep detector / transitive dep counter / requirements.txt audit / pyproject dep risk / repo-level supply-chain risk score / Snyk-adjacent / deprecated dep detector / install-script dep detector. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, …]}. |
|
|
59
60
|
| `deploy-config-risk` | (0.02 USDC/call) deploy config audit / Dockerfile lint / vercel.json hardening / wrangler.toml review / docker-compose.yml safety / fly.toml secrets check / netlify deploy gate / open CORS detector / exposed admin port detector / plaintext secret in env detector / production-readiness deploy gate. Fetches deploy config files (Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, serverless.yml) and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, …]} for private / agent-workspace use. |
|
|
60
61
|
| `github-repo-health` | (0.03 USDC/call) GitHub repo health score / open-source maintainability checker. 0-100 score + grade (abandoned/stale/okay/healthy/thriving). Commit activity, contributors, license, CI, tests. Plus LLM verdict. |
|
|
61
|
-
| `package-risk-npm` | (0.03 USDC/call) npm package risk score / supply-chain scanner / typosquat detector.
|
|
62
|
+
| `package-risk-npm` | (0.03 USDC/call) npm package risk score / npm supply-chain scanner / typosquat detector / postinstall-script flagger / npm install pre-flight audit / package.json + pnpm-lock.yaml vetter / Snyk-adjacent / Socket.dev-adjacent / pre-install safety gate. Pulls registry metadata + download stats for an npm package (and optional version), checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. |
|
|
62
63
|
| `production-readiness-score` | (0.10 USDC/call) production readiness score / AI app deploy gate / Prooflayer cluster aggregator / repo prod-risk composite / one-call audit / unified production readiness API / vibe-coded app safety scan. Calls all 5 Prooflayer component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, …]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). |
|
|
63
64
|
| `prompt-injection-surface` | (0.03 USDC/call) AI prompt injection surface scanner / LLM call-site audit / unsanitized user input in prompts detector / system-message mixing flag / unbounded completion detector / AI app safety scan / pre-deploy AI risk gate. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, …]}. |
|
|
64
|
-
| `pypi-package-risk` | (0.01 USDC/call) PyPI package risk score / Python supply-chain scanner
|
|
65
|
+
| `pypi-package-risk` | (0.01 USDC/call) PyPI package risk score / Python supply-chain scanner / pip dependency vetter / typosquat detector / pre-install audit / Python-package safety check / pyproject.toml / requirements.txt vetter / poetry + uv pre-install gate. Pulls metadata + release history from pypi.org for a package (and optional version), evaluates age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and a Venice-LLM plain-English risk summary. |
|
|
65
66
|
| `secrets-exposure-check` | (0.02 USDC/call) secrets exposure scan / hardcoded API key detector / .env-committed-key audit / Next.js client env leak detector / pre-deploy secret gate. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, …]} for private / agent-workspace use. |
|
|
67
|
+
| `vendor-questionnaire-draft` | (0.08 USDC/call) Vendor security questionnaire draft API / security questionnaire answerer / SOC 2 evidence answer helper / vendor due diligence response builder. Takes questionnaire text plus supplied evidence snippets and drafts only evidence-supported answers. Unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. |
|
|
66
68
|
|
|
67
69
|
## How it works
|
|
68
70
|
|
|
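Review bot: the rewritten `package-risk-npm` and `pypi-package-risk` rows state a 0-10 score, while the repo scanners in the same table (`db-migration-risk`, `dep-risk-summary`, `deploy-config-risk`, `secrets-exposure-check`) state 0-100, and none of these rows says which end of the range means risky. An agent that gates an install or a deploy on these numbers needs the scale and direction spelled out per tool. Add that to each row, and consider trimming the slash-separated keyword chains so the behaviour description is not buried behind them.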
@@ -83,4 +85,4 @@ The agent never sees the payment flow — it just gets the result.
|
|
|
83
85
|
|
|
84
86
|
---
|
|
85
87
|
|
|
86
|
-
**Version:** 0.1
|
|
88
|
+
**Version:** 0.2.1 · **License:** MIT
|
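Review bot: the added `**License:** MIT` in the footer line needs a matching `license` field in package.json, and the file list shows package.json changing by a single line, which is presumably the version bump. Confirm the field already reads MIT before publishing this claim. The version string is also now maintained by hand here in addition to the `VERSION` constant in `dist/tools.generated.js`; have the generator write this footer too.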
package/dist/tools.generated.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/** Auto-generated by scripts/generate-mcp-clusters.mjs. Do not edit by hand. */
|
|
2
2
|
export const CLUSTER_SLUG = "prooflayer";
|
|
3
|
-
export const VERSION = "0.1
|
|
3
|
+
export const VERSION = "0.2.1";
|
|
4
4
|
export const TOOLS = [
|
|
5
5
|
{
|
|
6
6
|
"name": "ai-content-detector",
|
|
@@ -11,8 +11,7 @@ export const TOOLS = [
|
|
|
11
11
|
"type": "object",
|
|
12
12
|
"properties": {
|
|
13
13
|
"text": {
|
|
14
|
-
"type": "string"
|
|
15
|
-
"description": "100-20,000 chars."
|
|
14
|
+
"type": "string"
|
|
16
15
|
}
|
|
17
16
|
},
|
|
18
17
|
"required": [
|
|
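Review bot: removing `"description": "100-20,000 chars."` from `text` leaves the property as a bare `"type": "string"`, so the input bounds are no longer stated anywhere in the schema. If the server still enforces them, express them as `minLength` and `maxLength` on `text` so an MCP client can reject an out-of-range input before a paid call is attempted. If the limits were dropped on the server, record that in the release notes.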
@@ -20,6 +19,36 @@ export const TOOLS = [
|
|
|
20
19
|
]
|
|
21
20
|
}
|
|
22
21
|
},
|
|
22
|
+
{
|
|
23
|
+
"name": "app-store-rejection-explain",
|
|
24
|
+
"http_name": "app-store-rejection-explain",
|
|
25
|
+
"description": "(0.02 USDC/call) App Store rejection explainer / Google Play rejection triage / mobile app review policy checklist. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion.",
|
|
26
|
+
"method": "POST",
|
|
27
|
+
"input_schema": {
|
|
28
|
+
"type": "object",
|
|
29
|
+
"properties": {
|
|
30
|
+
"rejection_text": {
|
|
31
|
+
"type": "string",
|
|
32
|
+
"description": "Apple App Review or Google Play rejection text. Max 30k chars."
|
|
33
|
+
},
|
|
34
|
+
"platform": {
|
|
35
|
+
"type": "string",
|
|
36
|
+
"enum": [
|
|
37
|
+
"apple",
|
|
38
|
+
"google"
|
|
39
|
+
],
|
|
40
|
+
"description": "Optional platform hint."
|
|
41
|
+
},
|
|
42
|
+
"app_metadata": {
|
|
43
|
+
"type": "string",
|
|
44
|
+
"description": "Optional app description, screenshots notes, release notes, or metadata excerpt."
|
|
45
|
+
}
|
|
46
|
+
},
|
|
47
|
+
"required": [
|
|
48
|
+
"rejection_text"
|
|
49
|
+
]
|
|
50
|
+
}
|
|
51
|
+
},
|
|
23
52
|
{
|
|
24
53
|
"name": "brand-clearance",
|
|
25
54
|
"http_name": "brand-clearance",
|
|
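Review bot: `rejection_text` states its limit only in prose (`Max 30k chars.`) and `app_metadata` states none, so nothing in the schema bounds the size of either string. Add `"maxLength": 30000` to `rejection_text` and an explicit cap to `app_metadata`, and consider `"additionalProperties": false` on the object so unexpected keys fail validation instead of reaching the backend.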
@@ -49,14 +78,14 @@ export const TOOLS = [
|
|
|
49
78
|
{
|
|
50
79
|
"name": "cve",
|
|
51
80
|
"http_name": "cve",
|
|
52
|
-
"description": "(0.005 USDC/call) CVE lookup / vulnerability
|
|
81
|
+
"description": "(0.005 USDC/call) CVE lookup / vulnerability lookup / NVD record / CVSS scorer / vuln advisory fetch / exploit-known check / CWE class / patch-priority triage / Log4Shell-style record. Short alias of cve-lookup. Returns NIST NVD record with CVSS v3.1 + v2 vectors, severity, CWE, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data.",
|
|
53
82
|
"method": "POST",
|
|
54
83
|
"input_schema": {
|
|
55
84
|
"type": "object",
|
|
56
85
|
"properties": {
|
|
57
86
|
"cve_id": {
|
|
58
87
|
"type": "string",
|
|
59
|
-
"description": "
|
|
88
|
+
"description": "CVE identifier in 'CVE-YYYY-NNNN[N...]' format. Case-insensitive."
|
|
60
89
|
}
|
|
61
90
|
},
|
|
62
91
|
"required": [
|
|
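Review bot: the new `cve_id` description gives the format `CVE-YYYY-NNNN[N...]` only as text, and the property remains an unconstrained string. A `pattern` on `cve_id` would let clients validate before calling; because the description says the value is case-insensitive, the pattern has to accept lower case as well, or the text should say the server normalises it. The tool description also puts nine slash-separated labels ahead of the sentence `Short alias of cve-lookup.`; move the alias statement to the front so a model choosing between `cve` and `cve-lookup` sees it first.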
@@ -67,14 +96,14 @@ export const TOOLS = [
|
|
|
67
96
|
{
|
|
68
97
|
"name": "cve-lookup",
|
|
69
98
|
"http_name": "cve-lookup",
|
|
70
|
-
"description": "(0.005 USDC/call) CVE lookup / vulnerability database. NIST NVD-
|
|
99
|
+
"description": "(0.005 USDC/call) CVE lookup / vulnerability database / NVD record fetcher / CVSS scorer / Log4Shell-style advisory inspector / known-exploit checker / CISA KEV adjacent / patch-priority triage / CWE classifier. Pulls the canonical NIST NVD record for a CVE-YYYY-NNNNN identifier and returns description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Includes a bounded plain-English exploitability summary. Federal public data.",
|
|
71
100
|
"method": "POST",
|
|
72
101
|
"input_schema": {
|
|
73
102
|
"type": "object",
|
|
74
103
|
"properties": {
|
|
75
104
|
"cve_id": {
|
|
76
105
|
"type": "string",
|
|
77
|
-
"description": "
|
|
106
|
+
"description": "CVE identifier in 'CVE-YYYY-NNNN[N...]' format. Case-insensitive. Example 'CVE-2021-44228' (Log4Shell)."
|
|
78
107
|
}
|
|
79
108
|
},
|
|
80
109
|
"required": [
|
|
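Review bot: the tool description says `CVE-YYYY-NNNNN identifier` (a five-digit sequence) while the `cve_id` description in the same entry says `CVE-YYYY-NNNN[N...]` (four or more digits). Use the second form in both places so a model reading only the tool description does not pad or refuse four-digit IDs.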
@@ -121,8 +150,7 @@ export const TOOLS = [
|
|
|
121
150
|
"type": "object",
|
|
122
151
|
"properties": {
|
|
123
152
|
"repo": {
|
|
124
|
-
"type": "string"
|
|
125
|
-
"description": "owner/name."
|
|
153
|
+
"type": "string"
|
|
126
154
|
}
|
|
127
155
|
},
|
|
128
156
|
"required": [
|
|
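Review bot: dropping `"description": "owner/name."` from `repo` removes the only format hint on this property and leaves a bare `"type": "string"`. The README rows in this release still describe the input as `{repo: 'owner/name'}`, so keep the description or replace it with a `pattern` that enforces the owner/name shape, so callers do not pass full URLs or other forms.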
@@ -133,14 +161,14 @@ export const TOOLS = [
|
|
|
133
161
|
{
|
|
134
162
|
"name": "package-risk-npm",
|
|
135
163
|
"http_name": "package-risk-npm",
|
|
136
|
-
"description": "(0.03 USDC/call) npm package risk score / supply-chain scanner / typosquat detector.
|
|
164
|
+
"description": "(0.03 USDC/call) npm package risk score / npm supply-chain scanner / typosquat detector / postinstall-script flagger / npm install pre-flight audit / package.json + pnpm-lock.yaml vetter / Snyk-adjacent / Socket.dev-adjacent / pre-install safety gate. Pulls registry metadata + download stats for an npm package (and optional version), checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary.",
|
|
137
165
|
"method": "POST",
|
|
138
166
|
"input_schema": {
|
|
139
167
|
"type": "object",
|
|
140
168
|
"properties": {
|
|
141
169
|
"package_name": {
|
|
142
170
|
"type": "string",
|
|
143
|
-
"description": "e.g. '
|
|
171
|
+
"description": "npm package name. Supports scoped names (e.g. '@types/node', '@vercel/next')."
|
|
144
172
|
},
|
|
145
173
|
"version": {
|
|
146
174
|
"type": "string",
|
|
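Review bot: the `package-risk-npm` description now names third-party products (`Snyk-adjacent / Socket.dev-adjacent`) and includes the label `package.json + pnpm-lock.yaml vetter`, although the schema lines shown here take a `package_name` and a `version`, not files. This string is what an MCP client passes to the model for tool selection, so it should say what the tool accepts, checks and returns, which the second and third sentences already do. Drop the keyword chain and the vendor names.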
@@ -175,7 +203,7 @@ export const TOOLS = [
|
|
|
175
203
|
{
|
|
176
204
|
"name": "pypi-package-risk",
|
|
177
205
|
"http_name": "pypi-package-risk",
|
|
178
|
-
"description": "(0.01 USDC/call) PyPI package risk score / Python supply-chain scanner
|
|
206
|
+
"description": "(0.01 USDC/call) PyPI package risk score / Python supply-chain scanner / pip dependency vetter / typosquat detector / pre-install audit / Python-package safety check / pyproject.toml / requirements.txt vetter / poetry + uv pre-install gate. Pulls metadata + release history from pypi.org for a package (and optional version), evaluates age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and a Venice-LLM plain-English risk summary.",
|
|
179
207
|
"method": "POST",
|
|
180
208
|
"input_schema": {
|
|
181
209
|
"type": "object",
|
|
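Review bot: `post-install hook presence` in the new description does not correspond to a defined PyPI mechanism the way install / postinstall scripts do for npm, so a reader cannot tell what signal is being scored. State what is actually inspected, for example whether a release ships only an sdist whose build step runs code at install time, and use the same wording in the README row.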
@@ -203,5 +231,49 @@ export const TOOLS = [
|
|
|
203
231
|
"type": "object",
|
|
204
232
|
"properties": {}
|
|
205
233
|
}
|
|
234
|
+
},
|
|
235
|
+
{
|
|
236
|
+
"name": "vendor-questionnaire-draft",
|
|
237
|
+
"http_name": "vendor-questionnaire-draft",
|
|
238
|
+
"description": "(0.08 USDC/call) Vendor security questionnaire draft API / security questionnaire answerer / SOC 2 evidence answer helper / vendor due diligence response builder. Takes questionnaire text plus supplied evidence snippets and drafts only evidence-supported answers. Unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims.",
|
|
239
|
+
"method": "POST",
|
|
240
|
+
"input_schema": {
|
|
241
|
+
"type": "object",
|
|
242
|
+
"properties": {
|
|
243
|
+
"questionnaire_text": {
|
|
244
|
+
"type": "string",
|
|
245
|
+
"description": "Questionnaire questions or pasted security review text. Max 30k chars."
|
|
246
|
+
},
|
|
247
|
+
"evidence": {
|
|
248
|
+
"type": "array",
|
|
249
|
+
"description": "Optional supporting snippets. Answers are drafted only from these items.",
|
|
250
|
+
"items": {
|
|
251
|
+
"type": "object",
|
|
252
|
+
"properties": {
|
|
253
|
+
"label": {
|
|
254
|
+
"type": "string"
|
|
255
|
+
},
|
|
256
|
+
"text": {
|
|
257
|
+
"type": "string"
|
|
258
|
+
},
|
|
259
|
+
"url": {
|
|
260
|
+
"type": "string"
|
|
261
|
+
}
|
|
262
|
+
},
|
|
263
|
+
"required": [
|
|
264
|
+
"label",
|
|
265
|
+
"text"
|
|
266
|
+
]
|
|
267
|
+
}
|
|
268
|
+
},
|
|
269
|
+
"company_name": {
|
|
270
|
+
"type": "string",
|
|
271
|
+
"description": "Optional company/product name for answer wording."
|
|
272
|
+
}
|
|
273
|
+
},
|
|
274
|
+
"required": [
|
|
275
|
+
"questionnaire_text"
|
|
276
|
+
]
|
|
277
|
+
}
|
|
206
278
|
}
|
|
207
279
|
];
|
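Review bot: the `evidence` array has no `maxItems` and its `label`, `text` and `url` strings have no `maxLength`, while `questionnaire_text` gives its 30k limit only in prose, so the schema as written accepts arbitrarily large inputs. Add explicit bounds, and for `url` add `"format": "uri"` together with a sentence stating whether the server dereferences the URL or treats it purely as a citation, since callers supplying links to internal evidence need to know that. Note also that `evidence` is optional although the description says `Answers are drafted only from these items`, so a call without it would presumably return only needs_evidence; consider making it required.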
package/package.json
CHANGED