@certscore/mcp 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,5 @@
1
+ Proprietary. All rights reserved.
2
+
3
+ Copyright (c) ErgoVeritas, LLC.
4
+
5
+ All rights reserved. This package is distributed for CertScore developer-preview integration use only.
package/README.md ADDED
@@ -0,0 +1,261 @@
1
+ # CertScore MCP
2
+
3
+ CertScore MCP exposes a focused Model Context Protocol server for CertScore Pulse workflows.
4
+
5
+ Status: public developer preview. The server is distributed for external MCP clients through npm and Homebrew. Local WC01 development uses `pnpm mcp:certscore`.
6
+
7
+ <!-- mcp-name: ai.certscore/mcp -->
8
+
9
+ Public docs:
10
+
11
+ - https://certscore.ai/developers/mcp
12
+ - https://certscore.ai/developers/quickstart
13
+ - https://certscore.ai/developers/reference
14
+ - https://certscore.ai/api-pulse
15
+
16
+ ## Tools
17
+
18
+ - `scan_site` - Start or reuse a CertScore public-web scan for a public URL.
19
+ - `get_scan` - Retrieve the API v2 public-safe scan resource for a stable scan ID.
20
+ - `get_scan_status` - Pass scanId (preferred, API v2). Pass jobId only for a just-created scan that has not yet returned a scanId.
21
+ - `get_report` - Retrieve a summary CertScore Pulse report by stable scan ID. Use get_evidence for the larger bounded evidence packet.
22
+ - `get_evidence` - Retrieve the bounded structured Evidence JSON packet for a stable scan ID. Excludes raw cookie values, raw bodies, sensitive payloads, full DOM, and unredacted query values.
23
+ - `export_findings` - Return structured findings from a CertScore Pulse report for downstream review or ticketing workflows.
24
+ - `list_findings` - List API v2 public-safe findings already projected for a scan.
25
+ - `get_pre_consent_cookies_trackers` - Retrieve the public-safe Cookies & Trackers (Pre-consent) report table as compact JSON for a scan.
26
+ - `explain_finding` - Explain a single CertScore finding with public evidence, caveats, and reviewer next steps.
27
+ - `get_latest_domain_scan` - Retrieve the latest eligible API v2 public-safe scan for a domain.
28
+ - `get_latest_domain_pre_consent_cookies_trackers` - Retrieve the public-safe Cookies & Trackers (Pre-consent) table from the latest eligible scan for a domain.
29
+
30
+ The initial MCP surface intentionally does not include account scan browsing or scan comparison tools.
31
+
32
+ ## Configuration
33
+
34
+ Recommended MCP client config:
35
+
36
+ ```json
37
+ {
38
+ "mcpServers": {
39
+ "certscore": {
40
+ "command": "npx",
41
+ "args": ["-y", "@certscore/mcp"],
42
+ "env": {
43
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
44
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
45
+ }
46
+ }
47
+ }
48
+ }
49
+ ```
50
+
51
+ Install globally with npm if your MCP client requires a persistent command:
52
+
53
+ ```bash
54
+ npm install -g @certscore/mcp
55
+ certscore-mcp --version
56
+ ```
57
+
58
+ Install with Homebrew on macOS:
59
+
60
+ ```bash
61
+ brew tap ergoveritas1-alt/certscore https://github.com/ergoveritas1-alt/certscore.ai
62
+ brew install --cask certscore-mcp
63
+ ```
64
+
65
+ The cask installs the prebuilt MCP command for users who prefer a persistent local binary.
66
+
67
+ Use the installed command from an MCP client:
68
+
69
+ ```json
70
+ {
71
+ "mcpServers": {
72
+ "certscore": {
73
+ "command": "certscore-mcp",
74
+ "env": {
75
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
76
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
77
+ }
78
+ }
79
+ }
80
+ }
81
+ ```
82
+
83
+ Run from this monorepo for local development:
84
+
85
+ ```bash
86
+ CERTSCORE_API_KEY=... pnpm mcp:certscore
87
+ ```
88
+
89
+ Generate a scoped preview key after applying DB migrations:
90
+
91
+ ```bash
92
+ pnpm db:migrate
93
+ pnpm mcp:certscore:generate-key -- --name "CertScore MCP preview"
94
+ ```
95
+
96
+ Run the built package directly after local build:
97
+
98
+ ```bash
99
+ CERTSCORE_API_KEY=... certscore-mcp
100
+ ```
101
+
102
+ Optional:
103
+
104
+ ```bash
105
+ CERTSCORE_BASE_URL=https://certscore.ai
106
+ CERTSCORE_REQUEST_TIMEOUT_MS=300000
107
+ ```
108
+
109
+ `CERTSCORE_API_KEY` should be a scoped CertScore API token for the workspace or preview user. The MCP server passes it to Pulse as a bearer token and does not persist it.
110
+
111
+ ## API Key Access
112
+
113
+ MCP clients usually need `scan:read`, `scan:create`, and `mcp` scopes. Sign in to CertScore, verify your email, then request a self-serve `cs_mcp_` key from `POST /api/v2/keys/request`. Self-serve keys include scan creation within the published rate limits. Email `support@certscore.ai` for higher limits or custom access.
114
+
115
+ ## Verify Install
116
+
117
+ ```bash
118
+ certscore-mcp --version
119
+ certscore-mcp --help
120
+ CERTSCORE_API_KEY=... certscore-mcp doctor
121
+ ```
122
+
123
+ The doctor command checks binary startup, version output, Node.js runtime compatibility, the configured CertScore base URL, API v2 health, and API key presence. It does not print secrets, create scans, or inspect raw scanner artifacts. There is no dedicated public auth-check endpoint; verify credentials with a real MCP tool call such as `scan_site` after the client is connected.
124
+
125
+ ## MCP Client Examples
126
+
127
+ Claude Desktop-style config:
128
+
129
+ ```json
130
+ {
131
+ "mcpServers": {
132
+ "certscore": {
133
+ "command": "certscore-mcp",
134
+ "env": {
135
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
136
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
137
+ }
138
+ }
139
+ }
140
+ }
141
+ ```
142
+
143
+ Cursor config:
144
+
145
+ ```json
146
+ {
147
+ "mcpServers": {
148
+ "certscore": {
149
+ "command": "npx",
150
+ "args": ["-y", "@certscore/mcp"],
151
+ "env": {
152
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
153
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
154
+ }
155
+ }
156
+ }
157
+ }
158
+ ```
159
+
160
+ Windsurf or generic stdio MCP client config:
161
+
162
+ ```json
163
+ {
164
+ "mcpServers": {
165
+ "certscore": {
166
+ "command": "npx",
167
+ "args": ["-y", "@certscore/mcp"],
168
+ "env": {
169
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
170
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
171
+ }
172
+ }
173
+ }
174
+ }
175
+ ```
176
+
177
+ Local repo config for contributors:
178
+
179
+ ```json
180
+ {
181
+ "mcpServers": {
182
+ "certscore": {
183
+ "command": "pnpm",
184
+ "args": ["mcp:certscore"],
185
+ "cwd": "/path/to/WC01",
186
+ "env": {
187
+ "CERTSCORE_API_KEY": "YOUR_TOKEN",
188
+ "CERTSCORE_BASE_URL": "https://certscore.ai"
189
+ }
190
+ }
191
+ }
192
+ }
193
+ ```
194
+
195
+ ## Agent Workflow
196
+
197
+ 1. Call `scan_site` with a public URL.
198
+ 2. If it returns a `jobId`, call `get_scan_status` until the scan completes.
199
+ 3. Call `get_scan` with the stable `scanId`.
200
+ 4. Call `list_findings` to route structured findings into review workflows.
201
+ 5. Call `get_evidence` when a reviewer or agent needs the larger bounded evidence packet.
202
+ 6. Call `get_pre_consent_cookies_trackers` when the user asks for Cookies & Trackers (Pre-consent) table data as JSON.
203
+ 7. Call `explain_finding` when a reviewer needs evidence and caveats for a specific finding.
204
+ 8. Call `get_latest_domain_scan` or `get_latest_domain_pre_consent_cookies_trackers` when the user asks for latest eligible public data for a domain.
205
+
206
+ ```json
207
+ {
208
+ "tool": "get_pre_consent_cookies_trackers",
209
+ "arguments": {
210
+ "scanId": "00000000-0000-4000-8000-000000000123"
211
+ }
212
+ }
213
+ ```
214
+
215
+ ```json
216
+ {
217
+ "tool": "get_latest_domain_pre_consent_cookies_trackers",
218
+ "arguments": {
219
+ "domain": "example.com",
220
+ "scanFrom": "eu_ie"
221
+ }
222
+ }
223
+ ```
224
+
225
+ When summarizing table data, group rows by `vendor`, `purpose`, and `host` unless the user asks for row-level JSON.
226
+ Treat MCP outputs as automated public-web observations for review. They are not legal advice, certification, or a compliance determination. MCP tools must not infer findings from raw labels, raw network events, missing data, or display-only context.
227
+
228
+ ## Live Smoke
229
+
230
+ ```bash
231
+ CERTSCORE_API_KEY=... pnpm mcp:certscore:smoke
232
+ ```
233
+
234
+ Optional:
235
+
236
+ ```bash
237
+ CERTSCORE_MCP_SMOKE_URL=https://example.com
238
+ ```
239
+
240
+ Without `CERTSCORE_API_KEY`, the smoke script exits successfully with a skip message.
241
+
242
+ For the full production operator smoke, run from the WC01 repo:
243
+
244
+ ```bash
245
+ pnpm ops:smoke:mcp-production
246
+ ```
247
+
248
+ This verifies the Homebrew-installed `certscore-mcp` command against live `https://certscore.ai`. It creates a short-lived preview key, stores only the hash in production through the approved ECS/Fargate path, checks required tools, requests a fresh EU-IR scan with `freshness: "refresh"` and `scanFrom: "eu_ie"`, requires non-empty findings and pre-consent cookies/trackers rows, runs `explain_finding`, and revokes the temporary key afterward. It exercises existing public-safe API/MCP projections only.
249
+
250
+ ## Troubleshooting
251
+
252
+ - Command not found: run the Homebrew install again and confirm Homebrew's bin directory is on `PATH`.
253
+ - Missing API key: set `CERTSCORE_API_KEY` in the MCP client environment and rerun `certscore-mcp doctor`.
254
+ - Bad token: rotate the key or request a fresh scoped API/MCP key.
255
+ - API unreachable: check `CERTSCORE_BASE_URL` and verify `https://certscore.ai/api/v2/health`.
256
+ - Homebrew tap stale: run `brew update` and reinstall `certscore-mcp`.
257
+ - Old cached release: run `brew reinstall --cask certscore-mcp` after updating the tap.
258
+
259
+ ## Runbook
260
+
261
+ See `docs/certscore-mcp-homebrew-release.md` for Homebrew release steps and `docs/certscore-mcp-preview-runbook.md` for key issuance, smoke testing, deploy verification, and scan-to-report guardrails.