@boldsec/mcp 0.1.0 → 0.2.0

package/dist/guide.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"guide.d.ts","sourceRoot":"","sources":["../src/guide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAkDlD"}
+{"version":3,"file":"guide.d.ts","sourceRoot":"","sources":["../src/guide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CA6DlD"}

package/dist/guide.js

@@ -51,8 +51,15 @@ export function wiringGuide(stack) {
         "a) Find how the app authenticates a request (read the repo):",
         "   look for next-auth/@auth, @supabase/ssr or supabase-js, a jwt/jose verify, or a session cookie",
         "   that maps to a user. Identify the call that yields the current user's id.",
-        "b) Find the owner field's VALUE SHAPE: open an example object route's response (or its DB model)",
-        "   and note what the owner id looks like (e.g. usr_101, a bare number, a uuid).",
+        "b) Find the owner field's NAME and VALUE SHAPE: open an example object route's response (or its",
+        "   DB model) and note BOTH (i) the exact field name that identifies the owner (e.g. ownerUserId,",
+        "   owner_id, accountHolderId) and (ii) what the value looks like (e.g. usr_101, a number, a uuid).",
+        "b2) MAKE SURE BoLD CAN READ THAT OWNER FIELD. BoLD auto-detects common names (ownerId, ownerUserId,",
+        "   user_id, owner_user_id, createdBy, authorId, belongsTo, tenantId, ...). If the app's owner field",
+        "   is NOT one of these, you MUST set BOLD_OWNER_FIELDS to it in the app's environment, e.g.",
+        "   BOLD_OWNER_FIELDS=accountHolderId  (comma-separate multiple). If you skip this, BoLD cannot see",
+        "   the owner and a real cross-user leak becomes INVISIBLE (it shows as a blind-spot needs-review,",
+        "   NOT a catch). This is the single most common reason a real BOLA is missed, do not skip it.",
         "c) Write a resolver returning the caller id in THAT shape. Common patterns:",
         ...RESOLVER_PATTERNS,
         "",
@@ -67,10 +74,14 @@ export function wiringGuide(stack) {
         "which can cause a FALSE alarm or hide a real one. A left-in TODO is safe (BoLD holds cross-reads",
         "for review); a wrong resolver is not. When unsure: stop and ask, never ship a confident guess.",
         "",
-        "## After wiring",
-        "Tell the user to make one authenticated request, then call bold_coverage to confirm BoLD has",
-        "started seeing routes. bold_coverage reports ONLY routes BoLD has actually observed; it never",
-        "implies coverage of an unwired route.",
+        "## After wiring -- VERIFY, do not assume it worked",
+        "1. Tell the user to make one authenticated request to a wrapped object route.",
+        "2. Call bold_coverage to confirm BoLD is seeing the route (it reports ONLY observed routes and",
+        "   never implies coverage of an unwired one).",
+        "3. Have the user do a real cross-user read (user A reads user B's object), then check the BoLD",
+        "   findings. If the finding says BLIND SPOT / 'cannot see the owner', BoLD could not read the owner",
+        "   field, go back to step b2 and set BOLD_OWNER_FIELDS, then redeploy. A blind-spot needs-review is",
+        "   NOT a pass; treat it as unfinished wiring and tell the user plainly it is not an all-clear.",
     ].join("\n");
 }
 //# sourceMappingURL=guide.js.map

package/dist/guide.js.map

@@ -1 +1 @@
-{"version":3,"file":"guide.js","sourceRoot":"","sources":["../src/guide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,iBAAiB,GAAG;IACxB,yBAAyB;IACzB,wCAAwC;IACxC,6EAA6E;IAC7E,6BAA6B;IAC7B,uDAAuD;IACvD,kEAAkE;IAClE,sCAAsC;IACtC,gDAAgD;IAChD,mFAAmF;IACnF,oEAAoE;IACpE,UAAU;IACV,6BAA6B;IAC7B,2CAA2C;IAC3C,4FAA4F;CAC7F,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,MAAM,SAAS,GACb,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,KAAK,YAAY;QAC3C,CAAC,CAAC,kJAAkJ;QACpJ,CAAC,CAAC,+KAA+K,CAAC;IAEtL,OAAO;QACL,iEAAiE;QACjE,EAAE;QACF,iGAAiG;QACjG,gGAAgG;QAChG,wFAAwF;QACxF,EAAE;QACF,UAAU;QACV,gDAAgD;QAChD,yGAAyG;QACzG,MAAM,SAAS,EAAE;QACjB,sGAAsG;QACtG,kGAAkG;QAClG,4DAA4D;QAC5D,EAAE;QACF,uEAAuE;QACvE,kGAAkG;QAClG,mGAAmG;QACnG,sCAAsC;QACtC,EAAE;QACF,8DAA8D;QAC9D,mGAAmG;QACnG,8EAA8E;QAC9E,kGAAkG;QAClG,iFAAiF;QACjF,6EAA6E;QAC7E,GAAG,iBAAiB;QACpB,EAAE;QACF,8FAA8F;QAC9F,+FAA+F;QAC/F,+FAA+F;QAC/F,EAAE;QACF,wCAAwC;QACxC,iGAAiG;QACjG,kGAAkG;QAClG,gGAAgG;QAChG,kGAAkG;QAClG,gGAAgG;QAChG,EAAE;QACF,iBAAiB;QACjB,8FAA8F;QAC9F,+FAA+F;QAC/F,uCAAuC;KACxC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}
+{"version":3,"file":"guide.js","sourceRoot":"","sources":["../src/guide.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,iBAAiB,GAAG;IACxB,yBAAyB;IACzB,wCAAwC;IACxC,6EAA6E;IAC7E,6BAA6B;IAC7B,uDAAuD;IACvD,kEAAkE;IAClE,sCAAsC;IACtC,gDAAgD;IAChD,mFAAmF;IACnF,oEAAoE;IACpE,UAAU;IACV,6BAA6B;IAC7B,2CAA2C;IAC3C,4FAA4F;CAC7F,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,MAAM,SAAS,GACb,KAAK,IAAI,KAAK,CAAC,WAAW,EAAE,KAAK,YAAY;QAC3C,CAAC,CAAC,kJAAkJ;QACpJ,CAAC,CAAC,+KAA+K,CAAC;IAEtL,OAAO;QACL,iEAAiE;QACjE,EAAE;QACF,iGAAiG;QACjG,gGAAgG;QAChG,wFAAwF;QACxF,EAAE;QACF,UAAU;QACV,gDAAgD;QAChD,yGAAyG;QACzG,MAAM,SAAS,EAAE;QACjB,sGAAsG;QACtG,kGAAkG;QAClG,4DAA4D;QAC5D,EAAE;QACF,uEAAuE;QACvE,kGAAkG;QAClG,mGAAmG;QACnG,sCAAsC;QACtC,EAAE;QACF,8DAA8D;QAC9D,mGAAmG;QACnG,8EAA8E;QAC9E,iGAAiG;QACjG,kGAAkG;QAClG,oGAAoG;QACpG,qGAAqG;QACrG,qGAAqG;QACrG,6FAA6F;QAC7F,oGAAoG;QACpG,mGAAmG;QACnG,+FAA+F;QAC/F,6EAA6E;QAC7E,GAAG,iBAAiB;QACpB,EAAE;QACF,8FAA8F;QAC9F,+FAA+F;QAC/F,+FAA+F;QAC/F,EAAE;QACF,wCAAwC;QACxC,iGAAiG;QACjG,kGAAkG;QAClG,gGAAgG;QAChG,kGAAkG;QAClG,gGAAgG;QAChG,EAAE;QACF,oDAAoD;QACpD,+EAA+E;QAC/E,gGAAgG;QAChG,+CAA+C;QAC/C,gGAAgG;QAChG,qGAAqG;QACrG,qGAAqG;QACrG,gGAAgG;KACjG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boldsec/mcp",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "BoLD MCP server: connect, wire, and verify BoLD live BOLA/IDOR monitoring from your AI editor (Claude, Cursor, Codex). Metadata only; never reaches a verdict.",
   "type": "module",
   "bin": {