@certscore/mcp 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +5 -0
- package/README.md +261 -0
- package/dist/certscore-mcp.mjs +23023 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +129 -0
- package/dist/server.d.ts +8 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +148 -0
- package/dist/tools.d.ts +77 -0
- package/dist/tools.d.ts.map +1 -0
- package/dist/tools.js +329 -0
- package/dist/version.d.ts +2 -0
- package/dist/version.d.ts.map +1 -0
- package/dist/version.js +3 -0
- package/package.json +65 -0
- package/server.json +37 -0
package/LICENSE
ADDED
package/README.md
ADDED
|
@@ -0,0 +1,261 @@
|
|
|
1
|
+
# CertScore MCP
|
|
2
|
+
|
|
3
|
+
CertScore MCP exposes a focused Model Context Protocol server for CertScore Pulse workflows.
|
|
4
|
+
|
|
5
|
+
Status: public developer preview. The server is distributed for external MCP clients through npm and Homebrew. Local WC01 development uses `pnpm mcp:certscore`.
|
|
6
|
+
|
|
7
|
+
<!-- mcp-name: ai.certscore/mcp -->
|
|
8
|
+
|
|
9
|
+
Public docs:
|
|
10
|
+
|
|
11
|
+
- https://certscore.ai/developers/mcp
|
|
12
|
+
- https://certscore.ai/developers/quickstart
|
|
13
|
+
- https://certscore.ai/developers/reference
|
|
14
|
+
- https://certscore.ai/api-pulse
|
|
15
|
+
|
|
16
|
+
## Tools
|
|
17
|
+
|
|
18
|
+
- `scan_site` - Start or reuse a CertScore public-web scan for a public URL.
|
|
19
|
+
- `get_scan` - Retrieve the API v2 public-safe scan resource for a stable scan ID.
|
|
20
|
+
- `get_scan_status` - Pass scanId (preferred, API v2). Pass jobId only for a just-created scan that has not yet returned a scanId.
|
|
21
|
+
- `get_report` - Retrieve a summary CertScore Pulse report by stable scan ID. Use get_evidence for the larger bounded evidence packet.
|
|
22
|
+
- `get_evidence` - Retrieve the bounded structured Evidence JSON packet for a stable scan ID. Excludes raw cookie values, raw bodies, sensitive payloads, full DOM, and unredacted query values.
|
|
23
|
+
- `export_findings` - Return structured findings from a CertScore Pulse report for downstream review or ticketing workflows.
|
|
24
|
+
- `list_findings` - List API v2 public-safe findings already projected for a scan.
|
|
25
|
+
- `get_pre_consent_cookies_trackers` - Retrieve the public-safe Cookies & Trackers (Pre-consent) report table as compact JSON for a scan.
|
|
26
|
+
- `explain_finding` - Explain a single CertScore finding with public evidence, caveats, and reviewer next steps.
|
|
27
|
+
- `get_latest_domain_scan` - Retrieve the latest eligible API v2 public-safe scan for a domain.
|
|
28
|
+
- `get_latest_domain_pre_consent_cookies_trackers` - Retrieve the public-safe Cookies & Trackers (Pre-consent) table from the latest eligible scan for a domain.
|
|
29
|
+
|
|
30
|
+
The initial MCP surface intentionally does not include account scan browsing or scan comparison tools.
|
|
31
|
+
|
|
32
|
+
## Configuration
|
|
33
|
+
|
|
34
|
+
Recommended MCP client config:
|
|
35
|
+
|
|
36
|
+
```json
|
|
37
|
+
{
|
|
38
|
+
"mcpServers": {
|
|
39
|
+
"certscore": {
|
|
40
|
+
"command": "npx",
|
|
41
|
+
"args": ["-y", "@certscore/mcp"],
|
|
42
|
+
"env": {
|
|
43
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
44
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
Install globally with npm if your MCP client requires a persistent command:
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
npm install -g @certscore/mcp
|
|
55
|
+
certscore-mcp --version
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
Install with Homebrew on macOS:
|
|
59
|
+
|
|
60
|
+
```bash
|
|
61
|
+
brew tap ergoveritas1-alt/certscore https://github.com/ergoveritas1-alt/certscore.ai
|
|
62
|
+
brew install --cask certscore-mcp
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
The cask installs the prebuilt MCP command for users who prefer a persistent local binary.
|
|
66
|
+
|
|
67
|
+
Use the installed command from an MCP client:
|
|
68
|
+
|
|
69
|
+
```json
|
|
70
|
+
{
|
|
71
|
+
"mcpServers": {
|
|
72
|
+
"certscore": {
|
|
73
|
+
"command": "certscore-mcp",
|
|
74
|
+
"env": {
|
|
75
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
76
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
Run from this monorepo for local development:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
CERTSCORE_API_KEY=... pnpm mcp:certscore
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
Generate a scoped preview key after applying DB migrations:
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
pnpm db:migrate
|
|
93
|
+
pnpm mcp:certscore:generate-key -- --name "CertScore MCP preview"
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
Run the built package directly after local build:
|
|
97
|
+
|
|
98
|
+
```bash
|
|
99
|
+
CERTSCORE_API_KEY=... certscore-mcp
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
Optional:
|
|
103
|
+
|
|
104
|
+
```bash
|
|
105
|
+
CERTSCORE_BASE_URL=https://certscore.ai
|
|
106
|
+
CERTSCORE_REQUEST_TIMEOUT_MS=300000
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
`CERTSCORE_API_KEY` should be a scoped CertScore API token for the workspace or preview user. The MCP server passes it to Pulse as a bearer token and does not persist it.
|
|
110
|
+
|
|
111
|
+
## API Key Access
|
|
112
|
+
|
|
113
|
+
MCP clients usually need `scan:read`, `scan:create`, and `mcp` scopes. Sign in to CertScore, verify your email, then request a self-serve `cs_mcp_` key from `POST /api/v2/keys/request`. Self-serve keys include scan creation within the published rate limits. Email `support@certscore.ai` for higher limits or custom access.
|
|
114
|
+
|
|
115
|
+
## Verify Install
|
|
116
|
+
|
|
117
|
+
```bash
|
|
118
|
+
certscore-mcp --version
|
|
119
|
+
certscore-mcp --help
|
|
120
|
+
CERTSCORE_API_KEY=... certscore-mcp doctor
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
The doctor command checks binary startup, version output, Node.js runtime compatibility, the configured CertScore base URL, API v2 health, and API key presence. It does not print secrets, create scans, or inspect raw scanner artifacts. There is no dedicated public auth-check endpoint; verify credentials with a real MCP tool call such as `scan_site` after the client is connected.
|
|
124
|
+
|
|
125
|
+
## MCP Client Examples
|
|
126
|
+
|
|
127
|
+
Claude Desktop-style config:
|
|
128
|
+
|
|
129
|
+
```json
|
|
130
|
+
{
|
|
131
|
+
"mcpServers": {
|
|
132
|
+
"certscore": {
|
|
133
|
+
"command": "certscore-mcp",
|
|
134
|
+
"env": {
|
|
135
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
136
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
Cursor config:
|
|
144
|
+
|
|
145
|
+
```json
|
|
146
|
+
{
|
|
147
|
+
"mcpServers": {
|
|
148
|
+
"certscore": {
|
|
149
|
+
"command": "npx",
|
|
150
|
+
"args": ["-y", "@certscore/mcp"],
|
|
151
|
+
"env": {
|
|
152
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
153
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
}
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
Windsurf or generic stdio MCP client config:
|
|
161
|
+
|
|
162
|
+
```json
|
|
163
|
+
{
|
|
164
|
+
"mcpServers": {
|
|
165
|
+
"certscore": {
|
|
166
|
+
"command": "npx",
|
|
167
|
+
"args": ["-y", "@certscore/mcp"],
|
|
168
|
+
"env": {
|
|
169
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
170
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
171
|
+
}
|
|
172
|
+
}
|
|
173
|
+
}
|
|
174
|
+
}
|
|
175
|
+
```
|
|
176
|
+
|
|
177
|
+
Local repo config for contributors:
|
|
178
|
+
|
|
179
|
+
```json
|
|
180
|
+
{
|
|
181
|
+
"mcpServers": {
|
|
182
|
+
"certscore": {
|
|
183
|
+
"command": "pnpm",
|
|
184
|
+
"args": ["mcp:certscore"],
|
|
185
|
+
"cwd": "/path/to/WC01",
|
|
186
|
+
"env": {
|
|
187
|
+
"CERTSCORE_API_KEY": "YOUR_TOKEN",
|
|
188
|
+
"CERTSCORE_BASE_URL": "https://certscore.ai"
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
## Agent Workflow
|
|
196
|
+
|
|
197
|
+
1. Call `scan_site` with a public URL.
|
|
198
|
+
2. If it returns a `jobId`, call `get_scan_status` until the scan completes.
|
|
199
|
+
3. Call `get_scan` with the stable `scanId`.
|
|
200
|
+
4. Call `list_findings` to route structured findings into review workflows.
|
|
201
|
+
5. Call `get_evidence` when a reviewer or agent needs the larger bounded evidence packet.
|
|
202
|
+
6. Call `get_pre_consent_cookies_trackers` when the user asks for Cookies & Trackers (Pre-consent) table data as JSON.
|
|
203
|
+
7. Call `explain_finding` when a reviewer needs evidence and caveats for a specific finding.
|
|
204
|
+
8. Call `get_latest_domain_scan` or `get_latest_domain_pre_consent_cookies_trackers` when the user asks for latest eligible public data for a domain.
|
|
205
|
+
|
|
206
|
+
```json
|
|
207
|
+
{
|
|
208
|
+
"tool": "get_pre_consent_cookies_trackers",
|
|
209
|
+
"arguments": {
|
|
210
|
+
"scanId": "00000000-0000-4000-8000-000000000123"
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
```json
|
|
216
|
+
{
|
|
217
|
+
"tool": "get_latest_domain_pre_consent_cookies_trackers",
|
|
218
|
+
"arguments": {
|
|
219
|
+
"domain": "example.com",
|
|
220
|
+
"scanFrom": "eu_ie"
|
|
221
|
+
}
|
|
222
|
+
}
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
When summarizing table data, group rows by `vendor`, `purpose`, and `host` unless the user asks for row-level JSON.
|
|
226
|
+
Treat MCP outputs as automated public-web observations for review. They are not legal advice, certification, or a compliance determination. MCP tools must not infer findings from raw labels, raw network events, missing data, or display-only context.
|
|
227
|
+
|
|
228
|
+
## Live Smoke
|
|
229
|
+
|
|
230
|
+
```bash
|
|
231
|
+
CERTSCORE_API_KEY=... pnpm mcp:certscore:smoke
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
Optional:
|
|
235
|
+
|
|
236
|
+
```bash
|
|
237
|
+
CERTSCORE_MCP_SMOKE_URL=https://example.com
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
Without `CERTSCORE_API_KEY`, the smoke script exits successfully with a skip message.
|
|
241
|
+
|
|
242
|
+
For the full production operator smoke, run from the WC01 repo:
|
|
243
|
+
|
|
244
|
+
```bash
|
|
245
|
+
pnpm ops:smoke:mcp-production
|
|
246
|
+
```
|
|
247
|
+
|
|
248
|
+
This verifies the Homebrew-installed `certscore-mcp` command against live `https://certscore.ai`. It creates a short-lived preview key, stores only the hash in production through the approved ECS/Fargate path, checks required tools, requests a fresh EU-IR scan with `freshness: "refresh"` and `scanFrom: "eu_ie"`, requires non-empty findings and pre-consent cookies/trackers rows, runs `explain_finding`, and revokes the temporary key afterward. It exercises existing public-safe API/MCP projections only.
|
|
249
|
+
|
|
250
|
+
## Troubleshooting
|
|
251
|
+
|
|
252
|
+
- Command not found: run the Homebrew install again and confirm Homebrew's bin directory is on `PATH`.
|
|
253
|
+
- Missing API key: set `CERTSCORE_API_KEY` in the MCP client environment and rerun `certscore-mcp doctor`.
|
|
254
|
+
- Bad token: rotate the key or request a fresh scoped API/MCP key.
|
|
255
|
+
- API unreachable: check `CERTSCORE_BASE_URL` and verify `https://certscore.ai/api/v2/health`.
|
|
256
|
+
- Homebrew tap stale: run `brew update` and reinstall `certscore-mcp`.
|
|
257
|
+
- Old cached release: run `brew reinstall --cask certscore-mcp` after updating the tap.
|
|
258
|
+
|
|
259
|
+
## Runbook
|
|
260
|
+
|
|
261
|
+
See `docs/certscore-mcp-homebrew-release.md` for Homebrew release steps and `docs/certscore-mcp-preview-runbook.md` for key issuance, smoke testing, deploy verification, and scan-to-report guardrails.
|