@blacksandscyber/mcp-server-bursar 0.5.0

package/build/shield/types.d.ts

@@ -0,0 +1,261 @@
+/** Type definitions for Shield API resources and discovery results. */
+export interface Organization {
+    id: string;
+    name: string;
+    plan: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface App {
+    id: string;
+    orgId: string;
+    name: string;
+    status: "active" | "provisioning" | "locked" | "suspended";
+    createdAt: string;
+    updatedAt: string;
+}
+export interface Certificate {
+    id: string;
+    appId: string;
+    type: "mtls" | "server" | "client";
+    fingerprint: string;
+    expiresAt: string;
+    issuedAt: string;
+    status: "active" | "revoked" | "expired";
+}
+export interface Endpoint {
+    id: string;
+    appId: string;
+    host: string;
+    port: number;
+    protocol: "tcp" | "udp" | "http" | "https";
+    status: "active" | "inactive";
+}
+export interface Policy {
+    id: string;
+    appId: string;
+    name: string;
+    type: "network" | "dns" | "access" | "compliance";
+    rules: PolicyRule[];
+    enabled: boolean;
+}
+export interface PolicyRule {
+    action: "allow" | "deny" | "log";
+    target: string;
+    conditions?: Record<string, unknown>;
+}
+export interface Manifest {
+    id: string;
+    orgId: string;
+    appName: string;
+    services: ManifestService[];
+    status: "pending" | "validated" | "provisioned" | "failed";
+    createdAt: string;
+}
+export interface ManifestService {
+    name: string;
+    port: number;
+    protocol: string;
+    allowedDomains?: string[];
+}
+export interface VerifyResult {
+    id: string;
+    appId: string;
+    score: number;
+    grade: "A" | "B" | "C" | "D" | "F";
+    checks: VerifyCheck[];
+    scannedAt: string;
+    dimensions?: Record<string, number>;
+}
+export interface VerifyCheck {
+    name: string;
+    passed: boolean;
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    details?: string;
+}
+export interface ComplianceReport {
+    id: string;
+    appId: string;
+    framework: ComplianceFramework;
+    score: number;
+    controls: ComplianceControl[];
+    generatedAt: string;
+}
+export interface ComplianceControl {
+    id: string;
+    name: string;
+    status: "pass" | "fail" | "partial" | "not_applicable";
+    evidence?: string;
+}
+export interface DnsRule {
+    id: string;
+    appId: string;
+    domain: string;
+    action: "allow" | "block";
+    reason?: string;
+    createdAt: string;
+}
+export interface Operation {
+    id: string;
+    type: string;
+    status: "pending" | "running" | "completed" | "failed";
+    result?: Record<string, unknown>;
+    error?: string;
+    createdAt: string;
+    completedAt?: string;
+}
+export interface Session {
+    id: string;
+    appId: string;
+    userId: string;
+    status: "active" | "expired" | "revoked";
+    createdAt: string;
+    expiresAt: string;
+}
+export interface ListResponse<T> {
+    data: T[];
+    total: number;
+    page: number;
+    pageSize: number;
+}
+export type ComplianceFramework = "SOC2" | "HIPAA" | "PCI-DSS" | "ISO27001";
+export interface FrameworkInfo {
+    framework: string;
+    runtime: string;
+    version: string | null;
+    packageManager: string | null;
+    runtimeVersion?: string;
+    dockerImage?: string;
+}
+/** Finding severity enum (Workstream-1 #13g). Applied uniformly across all scan findings. */
+export type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";
+export interface EndpointInfo {
+    type: "api" | "web";
+    method: string;
+    path: string;
+    protocol: string;
+    file: string;
+    auth_method: string;
+    /** 1-based line number where the route was declared (Workstream-1 context). */
+    line?: number;
+    /** How the method was determined: "decorator" | "named-export" | "router-call" | "url-conf" | "page-file" | "fallback". */
+    detected_via?: string;
+    /** Confidence the route was identified correctly. */
+    confidence?: "high" | "medium" | "low";
+    /** Confidence the auth_method classification is correct. "low" generally means file-level inference, not per-route. */
+    auth_confidence?: "high" | "medium" | "low";
+    /** Risk severity for this route (Workstream-1 #13g). */
+    severity?: Severity;
+    /** Plain-English reason the severity was assigned. */
+    severity_rationale?: string;
+}
+export interface PiiField {
+    type: string;
+    sensitivity: "critical" | "high" | "medium" | "low";
+    field: string;
+    file: string;
+    /** 1-based line number where the match was found (Workstream-1 explanation context). */
+    line?: number;
+    /** Trimmed source line the match occurred on, for human review. */
+    snippet?: string;
+    /** Detection confidence — "high" = structural evidence (schema/object key/quoted field),
+     *  "medium" = bare identifier in code, "low" = comment/prose (filtered out by default). */
+    confidence?: "high" | "medium" | "low";
+    /** Plain-English remediation guidance for this PII type. */
+    remediation?: string;
+    /** Risk severity for this finding (Workstream-1 #13g). */
+    severity?: Severity;
+    /** Plain-English reason the severity was assigned. */
+    severity_rationale?: string;
+}
+export interface ExternalService {
+    name: string;
+    domain: string;
+    port: number;
+    protocol: string;
+    purpose: string;
+    detectedFrom: string;
+}
+export interface DataStore {
+    type: string;
+    host: string;
+    port: number | null;
+    encrypted: boolean | null;
+    contains_pii: boolean | null;
+    detectedFrom: string;
+}
+export interface SecurityManifest {
+    application: {
+        name: string;
+        version: string;
+        framework: string;
+        runtime: string;
+        runtimeVersion?: string;
+    };
+    endpoints: Array<{
+        type: string;
+        protocol: string;
+        port: number;
+        path: string;
+        auth_method: string;
+    }>;
+    external_services: Array<{
+        name: string;
+        domain: string;
+        port: number;
+        protocol: string;
+        purpose: string;
+    }>;
+    data_stores: Array<{
+        type: string;
+        host: string;
+        port: number | null;
+        encrypted: boolean | null;
+        contains_pii: boolean;
+    }>;
+    data_flows: Array<{
+        source: string;
+        destination: string;
+        data_types: string[];
+        sensitivity: string;
+    }>;
+    compliance: {
+        frameworks: string[];
+        data_residency: string;
+        audit_required: boolean;
+    };
+    security_preferences: {
+        session_ttl: number;
+        mfa_required: boolean;
+        ip_binding: boolean;
+        auto_rotate_certs: boolean;
+    };
+    _metadata: {
+        generated_by: string;
+        generated_at: string;
+        confidence: number;
+        pii_summary: {
+            total_fields: number;
+            sensitivity_level: string;
+            types: string[];
+        };
+    };
+}
+export interface DiscoveryResult {
+    framework: FrameworkInfo;
+    endpoints: EndpointInfo[];
+    piiFields: PiiField[];
+    externalServices: ExternalService[];
+    dataStores: DataStore[];
+    manifest: SecurityManifest;
+}
+export interface PostureReport {
+    score: number;
+    grade: string;
+    status: "SECURE" | "NEEDS_ATTENTION" | "AT_RISK";
+    summary: string;
+    dimensions: Record<string, number>;
+    recommendations: string[];
+    timestamp: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/build/shield/types.js

@@ -0,0 +1,4 @@
+"use strict";
+/** Type definitions for Shield API resources and discovery results. */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/build/shield/verify/postureReporter.d.ts

@@ -0,0 +1,4 @@
+/** Format verification results into posture reports with grades and recommendations. */
+import type { PostureReport } from "../types";
+export declare function formatPosture(result: Record<string, unknown> | null): PostureReport;
+//# sourceMappingURL=postureReporter.d.ts.map

package/build/shield/verify/postureReporter.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatPosture = formatPosture;
+function formatPosture(result) {
+    if (!result) {
+        return { score: 0, grade: "F", status: "AT_RISK", summary: "No verification data available", dimensions: {}, recommendations: ["Run a posture scan to establish baseline"], timestamp: new Date().toISOString() };
+    }
+    const score = result.score || 0;
+    const grade = score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
+    const status = score >= 80 ? "SECURE" : score >= 50 ? "NEEDS_ATTENTION" : "AT_RISK";
+    const dims = result.dimensions || {};
+    const recommendations = [];
+    if ((dims.certFreshness ?? 100) < 80)
+        recommendations.push("Rotate certificates that are approaching expiry");
+    if ((dims.policyCompliance ?? 100) < 80)
+        recommendations.push("Review and sync pending policy changes");
+    if ((dims.sessionHygiene ?? 100) < 80)
+        recommendations.push("Terminate stale sessions and review session TTL settings");
+    if ((dims.threatBlockRatio ?? 100) < 80)
+        recommendations.push("Review threat activity and update DNS block lists");
+    if (recommendations.length === 0)
+        recommendations.push("All security dimensions are healthy");
+    return {
+        score, grade, status,
+        summary: `Security Posture: ${grade} (${score}/100) - ${status}`,
+        dimensions: dims,
+        recommendations,
+        timestamp: result.timestamp || new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=postureReporter.js.map

package/dxt/blacksands-ca.crt

@@ -0,0 +1,67 @@
+-----BEGIN CERTIFICATE-----
+MIIF/DCCA+SgAwIBAgIJAPADND1aMtKrMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzEcMBoGA1UECgwTQmxhY2tzYW5kcyBTZWN1cml0eTEeMBwGA1UECwwVQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDDBJCbGFja3NhbmRzIFJvb3QgQ0Ew
+HhcNMjYwNDAxMTM0MzI0WhcNMzYwMzI5MTM0MzI0WjCBnTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xHDAa
+BgNVBAoME0JsYWNrc2FuZHMgU2VjdXJpdHkxHjAcBgNVBAsMFUNlcnRpZmljYXRl
+IEF1dGhvcml0eTEjMCEGA1UEAwwaQmxhY2tzYW5kcyBJbnRlcm1lZGlhdGUgQ0Ew
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDrOJB5g8HyB30BvuQ1rokW
+o9vduPvYnvXESYIN5+OvJDYpgCb4cxoc7oUySMtcwKMAX8/UdvQ3JxmglBSsQXGf
+i0C2V8qftVtuqWdLwPhp8xQa07M+lZ3ZtM0AXI5y7FLxg7t5zx4cVcQDLSGNnmYY
+fctuWIm+Ga4wtHGMPrG6PRwDG5K3RJOII2XjGqxtiex02mVcdIC4lZ+zA9svewbg
+11yLZEl+bxQdCDeY8Eo/uyxe+69AoM1ExZ0YoURq8lINkI4OtS6QGHug8eOWSwGU
+NvhujNm9fnjDz5+9U91JbCeWBB6mvdlNqR28sSvECpqmQ4UCiCABHluP9TWlBjmy
+CRYv4EBBpUeNSTzsYs3TQNSChgt+PsopUaIgiCEgSz6ioDf9BkFsOKDTsjsXcxiJ
+8UCYi8P5vMhwKeNDYVl/OO8Wp8s+/Z+1upCWVFGpreYfr4Q7iIh1RfA5HnO3R5N0
+hJpuGeG45zQ2cCEV4N2lU1eUcxJHA/q61Uchlqb3kw81HlHCdy9pVQmSmhWRd7fL
+hJqgiEp/4QRtlWi/rXncU5XYH2Hc3QXNDRvnEccwHexZAfcBEXdQN7m0NdGVn/e1
+l+0BA3635P6IPhETkgDjGgDbKyY2MxHPtsfun4+Acrvaqxb0rdG/GS7NdMIbUArD
+7GK0h5AE9mHr1RHApPwGTwIDAQABo0UwQzAdBgNVHQ4EFgQU1rlRozoYooNirPVT
+N18NqY0u3kQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggIBAE3LitbXdghElOnnNOfK9fxX5l81STzxtj6LfpoyB1iF
+AIdetbC3RBVaeLU1KmNxUGZG99SMywbJcRLdfkDb27UE8K/2vBiiehgnf8oMrNQh
+vTQTPqZmFVUzAM4tOzVtigFFUzFvAiy4Dg/2/92Pqjmr/upMWiA83DndTAM1Zqiy
+6QKT8WwLnYuaPy/CJW2fiT0Ibkr6MR+70pqrqvNZNU5rP6wm2jNspyHop/IIEoXp
+AMKsu4s2yn2WLgVIerumLqN3sZ0jJCTctLvehaE6xF6AE2OkQj3RPI6VjGrfthPg
+pkMEiJ/R/wP4Z3+XBqzK8WHKg0p5xosViUgcNici7NSKXH1PeSn0QKkCkXMT1nEw
+QcM4oudsP6PmSMsSW2Lez98TQH2yDepI9gMuCoWJZqXE/my9Qm7qApmSOfYpZKSe
++waA6O/SVf/pvUkkIL6xurbQ2YfQpyFPvxI++jTf1Fc3tr4Y1xbbhbp6YKwKjeub
+mhiQ2TzDDnLKEWjSVFrcv1d1t2rs5UcF4gvFklKKVClUu+fc2fA1Y8tcY+V8yahb
+6yGH6+zdCKZKBmjuty7NE32SZo7JVMKSHXqQQY40OK7ME/gRbUGCgloeFSy93XgB
+C2i4DhPrCsVvwq82ML2uN9ZRwtSj+0/AlMzPzOuCRA82ivOZvHApXY6MkPs3FJdY
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFqDCCA5ACCQCYE/o6EZKxzTANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
+VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
+HDAaBgNVBAoME0JsYWNrc2FuZHMgU2VjdXJpdHkxHjAcBgNVBAsMFUNlcnRpZmlj
+YXRlIEF1dGhvcml0eTEbMBkGA1UEAwwSQmxhY2tzYW5kcyBSb290IENBMB4XDTI2
+MDIxNzIwMDAzMloXDTM2MDIxNTIwMDAzMlowgZUxCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRwwGgYDVQQK
+DBNCbGFja3NhbmRzIFNlY3VyaXR5MR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRo
+b3JpdHkxGzAZBgNVBAMMEkJsYWNrc2FuZHMgUm9vdCBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALqgx6j/C5hHfLOl22OvtdHRe5wyhWci+oCrNej4
+eWEsK7VcNWgSjErRg/xa3hf9Fd7cul5xEcBb0Rrpx23f6ej4GOz9wzdDvQK5/cGE
+eHgTxNjcnTA+0xOQd8bHwur48H69Byj2l41WnMTdwUlQQY7baqPtyPKmj/TnXQ1x
+rYjpi968jCjV1wQQlCGxoHFR9poZKxAJOZ1yQgDXI9npn5OcX0zYVPXHxUeTi5l4
+Um7BTSFgkbMtd1AVjnDlYGWYU3//Mp279b9or/8UMIfcZm+DhKo3IYA4tOvSMsqP
+F+Zq/VRqJItSKVXppZHb4h0Qb85vhHhJXuxLyjYU1WFLvvWrQqf2EO8wq+PR0bto
+0a2HRQLRml1K2nYwcYGxj/QwHjdtzwq8g3mNToMFLPQjabluVj3ZD5JtZ9XVynMb
+IGrRNpq8LiPW1rWFoypHsYlmv7dIGghtI4aSKVDuX/KFhpTD8zNeRxeOQi3b1p0k
+EdUP+IGga4vBxoR+hEhvHkXdTJ9VGGPiqbQsD5wgnbA8sDXy/7A4TSD+bZjGqgTW
+vP2+NLH+kQqH2UJk4k2jZAfvfU4nKFlq0MYs42FJyrh1ot6gBudakCe4hyS9SFtN
+6iErFjDfDpc2jwUAbTngRanCZ9WpiVXdkaVznRg0ftok/KCi27EthQo2tfkA4uGy
+/x+LAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAHDz3xNfZld3u3bbcmvVX+vSmSnF
+ZJR6dlMEPLmtQ77pf/P735j2DXM3j6eyWzXHKwMdmnaeRxOOGU/wrpvAcyCtEChH
+bfXa/lAoN1AJu9ZIKze8uSISvQrY5hEjjs42vQ5U+hJbocvVB9WwL7wTkK6ctdbu
+ZrgJVEht7OHUWRsKzXecb4EMWRrm8/TAD2bmrDve2FaPMQACsiBQ3XgXxgsnyCFp
+agLxf6h33QndCrlzMh53S1nkjEhen3ffBrWP6DzdAVUIDUnXvPdnxP2sSqZqd6vf
+hd556FCIhQ97KNVc0rlUMm1RKHTSOUeopESfzMtacXNEhXdXPVIh/3HFjZSQKFGx
+NyIAG3wPKjtxE903MNvezyJROtdNLYI0LF3Gbyc780i197lsoM412BiF/w/36Vs7
+90hP2+D6THtkVLKPIoS6LfgPL8tabjOVu0TDMwuFXJC+W3TtWpWQmKja/YzoNdvQ
+yootcAzVkClk7/H53z49yfIvFgDnuNaDVHlNJs8P7lMVBin5WwBLBs98TyT8As1F
+6/juZuKTiw02jGr0diMx/lsF/eUOxHlsI3carTthRr4kpmuOvEITagoBaxH7VqAo
+FLmvS7Ztop/JI8vk/YFrsbI4Nje8A4MGwwBrfknZ3vSDGU+aXhYAObjD8d4ljNUq
+X5sIz6zv2K6bxt5+
+-----END CERTIFICATE-----