@certynix/mcp 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,49 @@
+# Changelog
+
+All notable changes to `@certynix/mcp` will be documented in this file.
+
+The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [1.0.0] - 2026-03-15
+
+### Added
+
+- Initial release of `@certynix/mcp` — Official Certynix MCP Server
+- **14 Tools:**
+  - `register_asset` — Register digital assets via SHA-256 hash, URL, or base64 file
+  - `verify_asset` — Public asset authenticity verification (no quota consumed)
+  - `list_assets` — List organization assets with filters and cursor-based pagination
+  - `get_asset` — Fetch a specific asset by ID with full metadata
+  - `delete_asset` — Soft delete an asset (requires `confirm: true`)
+  - `list_alerts` — List Exposure Alerts with severity and resolved filters
+  - `get_trust_score` — Fetch Trust Score V2 with all 4 pillar components and penalties
+  - `list_audit_logs` — List audit trail with action type and date range filters
+  - `create_api_key` — Create a new API Key (full key shown only once)
+  - `list_api_keys` — List API Keys (prefix only, never full value)
+  - `revoke_api_key` — Revoke an API Key immediately (requires `confirm: true`)
+  - `create_webhook` — Create webhook endpoint (signing_secret shown only once)
+  - `list_webhooks` — List webhooks (signing_secret never returned)
+  - `verify_webhook_signature` — Local HMAC-SHA256 webhook signature verification
+- **4 Resources:**
+  - `certynix://organization/info` — Authenticated organization info
+  - `certynix://organization/trust-score` — Trust Score V2 with components and penalties
+  - `certynix://assets/{asset_id}` — Full asset metadata (URI template)
+  - `certynix://alerts/active` — Active (unresolved) Exposure Alerts
+- **2 Prompts:**
+  - `certynix_audit_report` — Structured audit report for a specified period
+  - `certynix_security_review` — Complete organization security analysis with recommendations
+- **Transports:**
+  - `stdio` transport — for Claude Desktop, Cursor, Windsurf and local tools
+  - `sse` transport — for remote agents, cloud platforms and web integrations
+- **Security features:**
+  - Automatic sandbox detection via API key prefix (`cnx_test_sk_*`)
+  - API key masking (`maskApiKey()`) in all logs and error messages
+  - `sanitizeForOutput()` removes sensitive fields recursively from all outputs
+  - Destructive action confirmation (`confirm: true` required for `delete_asset` and `revoke_api_key`)
+  - Local HMAC-SHA256 webhook signature verification with constant-time comparison
+  - Anti-replay protection: timestamps older than 5 minutes are rejected
+  - Future timestamp detection: timestamps > 60s in the future are rejected
+  - `organization_id` never accepted as a tool parameter (always resolved via API Key)

package/README.md

@@ -0,0 +1,209 @@
+# @certynix/mcp — Official Certynix MCP Server
+
+> **Expose the Certynix Trust Infrastructure to AI agents via Model Context Protocol.**
+> Connect Claude Desktop, Cursor, Windsurf, LangChain, CrewAI, and any MCP-compatible system to the Certynix API.
+
+---
+
+## What is this?
+
+`@certynix/mcp` is an MCP (Model Context Protocol) server that acts as a bridge between AI agents and the Certynix API. It exposes the Trust Infrastructure capabilities as **tools**, **resources**, and **prompts** that any MCP client can consume.
+
+**Use cases:**
+
+- AI agent that automatically registers assets in a CI/CD pipeline
+- Claude verifying the authenticity of a contract before analyzing it
+- Agent monitoring Exposure Alerts and taking corrective actions
+- Audit automation: audit log listing and analysis via prompt
+- Document approval workflow integration
+
+---
+
+## Installation
+
+```bash
+npm install -g @certynix/mcp
+```
+
+---
+
+## Configuration
+
+### Environment variables
+
+```bash
+# REQUIRED
+CERTYNIX_API_KEY=cnx_live_sk_...   # Production key
+# or
+CERTYNIX_API_KEY=cnx_test_sk_...   # Sandbox key (auto-detected)
+
+# OPTIONAL
+CERTYNIX_BASE_URL=https://api.certynix.com  # Auto-detected from key prefix
+CERTYNIX_TIMEOUT=30000                       # Request timeout in ms (default: 30000)
+MCP_TRANSPORT=stdio                          # stdio | sse (default: stdio)
+MCP_PORT=3100                                # SSE port (default: 3100, sse only)
+MCP_LOG_LEVEL=info                           # debug | info | warn | error
+```
+
+### Sandbox mode
+
+API keys prefixed with `cnx_test_sk_` automatically connect to the sandbox environment (`https://sandbox.certynix.com`). No configuration needed.
+
+---
+
+## Claude Desktop
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "certynix": {
+      "command": "npx",
+      "args": ["-y", "@certynix/mcp"],
+      "env": {
+        "CERTYNIX_API_KEY": "cnx_live_sk_..."
+      }
+    }
+  }
+}
+```
+
+Or if installed globally:
+
+```json
+{
+  "mcpServers": {
+    "certynix": {
+      "command": "certynix-mcp",
+      "env": {
+        "CERTYNIX_API_KEY": "cnx_live_sk_..."
+      }
+    }
+  }
+}
+```
+
+---
+
+## Cursor / Windsurf
+
+Add to `~/.cursor/mcp.json` (Cursor) or the equivalent Windsurf config:
+
+```json
+{
+  "mcpServers": {
+    "certynix": {
+      "command": "certynix-mcp",
+      "env": {
+        "CERTYNIX_API_KEY": "cnx_live_sk_..."
+      }
+    }
+  }
+}
+```
+
+---
+
+## SSE Transport (remote agents)
+
+```bash
+# Start SSE server
+CERTYNIX_API_KEY=cnx_live_sk_... MCP_TRANSPORT=sse MCP_PORT=3100 certynix-mcp
+
+# Endpoints:
+# SSE:          http://localhost:3100/sse
+# Messages:     http://localhost:3100/message
+# Health check: http://localhost:3100/health
+```
+
+### Docker
+
+```dockerfile
+FROM node:20-alpine
+RUN npm install -g @certynix/mcp
+ENV MCP_TRANSPORT=sse
+ENV MCP_PORT=3100
+EXPOSE 3100
+CMD ["certynix-mcp"]
+```
+
+---
+
+## Tools (14)
+
+| Tool | Description |
+|------|-------------|
+| `register_asset` | Register a digital asset via SHA-256 hash, public URL, or base64 file content |
+| `verify_asset` | Publicly verify asset authenticity — no auth required, no quota consumed |
+| `list_assets` | List organization assets with status and date filters, cursor pagination |
+| `get_asset` | Fetch a specific asset by ID with full metadata and event history |
+| `delete_asset` | Soft delete an asset — irreversible, requires `confirm: true` |
+| `list_alerts` | List Exposure Alerts with severity and resolved status filters |
+| `get_trust_score` | Get Trust Score V2: score 0-100, 4-pillar breakdown, active penalties |
+| `list_audit_logs` | List complete audit trail with action type and date range filters |
+| `create_api_key` | Create a new API Key — full key shown only once, store immediately |
+| `list_api_keys` | List API Keys — prefix only, full key never returned |
+| `revoke_api_key` | Revoke an API Key immediately — irreversible, requires `confirm: true` |
+| `create_webhook` | Create a webhook endpoint — signing_secret shown only at creation |
+| `list_webhooks` | List webhooks — signing_secret never returned in listings |
+| `verify_webhook_signature` | Local HMAC-SHA256 webhook signature verification (no API call) |
+
+### Usage examples with Claude
+
+```
+"Register this document on Certynix:
+ SHA-256 hash: a3f4b2c1d8e9f0123456789abcdef0123456789abcdef0123456789abcdef01
+ filename: service-contract-2026.pdf"
+
+"Verify if the file with hash e3b0c44298fc1c149afbf4c8996fb924...
+ has been certified by anyone"
+
+"List the last 10 high-severity Exposure Alerts"
+
+"Generate a security review of our organization"
+
+"Create an API Key called 'CI/CD Pipeline - GitHub Actions'"
+
+"Show me all active Exposure Alerts"
+
+"What is our current Trust Score?"
+```
+
+---
+
+## Resources (4)
+
+| URI | Description |
+|-----|-------------|
+| `certynix://organization/info` | Authenticated organization info: name, plan, Trust Score |
+| `certynix://organization/trust-score` | Trust Score V2 with component breakdown and active penalties |
+| `certynix://assets/{asset_id}` | Full asset metadata by ID (URI template) |
+| `certynix://alerts/active` | Active (unresolved) Exposure Alerts |
+
+---
+
+## Prompts (2)
+
+| Prompt | Description |
+|--------|-------------|
+| `certynix_audit_report` | Generate a structured audit report for a period (`last_7_days`, `last_30_days`, `custom`) |
+| `certynix_security_review` | Complete organization security analysis: Trust Score, penalties, API Keys, alerts, recommendations |
+
+---
+
+## Security
+
+- **API Key never exposed**: masked in all logs as `cnx_live_sk_***`
+- **Sensitive fields sanitized**: `api_key`, `secret`, `token`, `password`, `signing_secret` replaced with `***` in all outputs
+- **Destructive actions require confirmation**: `delete_asset` and `revoke_api_key` require `confirm: true`
+- **`organization_id` never accepted as parameter**: always resolved server-side via API Key
+- **Webhook verification is constant-time**: prevents HMAC timing attacks
+- **Anti-replay protection**: webhook timestamps older than 5 minutes are rejected
+- **Signing secret shown only once**: at webhook creation — never returned in listings
+
+---
+
+## Changelog
+
+See [CHANGELOG.md](./CHANGELOG.md) for release history.

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * Certynix MCP Server — Entrypoint
+ *
+ * Expõe a Certynix Trust Infrastructure para agentes de IA via Model Context Protocol.
+ * Suporta transporte stdio (Claude Desktop) e SSE (integrações remotas).
+ *
+ * Variáveis de ambiente:
+ *   CERTYNIX_API_KEY  — obrigatório (cnx_live_sk_* ou cnx_test_sk_*)
+ *   CERTYNIX_BASE_URL — opcional (auto-detectado via prefixo da key)
+ *   CERTYNIX_TIMEOUT  — opcional (ms, padrão: 30000)
+ *   MCP_TRANSPORT     — opcional (stdio | sse, padrão: stdio)
+ *   MCP_PORT          — opcional (apenas para sse, padrão: 3100)
+ *   MCP_LOG_LEVEL     — opcional (debug | info | warn | error, padrão: info)
+ */
+export {};

package/dist/index.js

@@ -0,0 +1,119 @@
+#!/usr/bin/env node
+/**
+ * Certynix MCP Server — Entrypoint
+ *
+ * Expõe a Certynix Trust Infrastructure para agentes de IA via Model Context Protocol.
+ * Suporta transporte stdio (Claude Desktop) e SSE (integrações remotas).
+ *
+ * Variáveis de ambiente:
+ *   CERTYNIX_API_KEY  — obrigatório (cnx_live_sk_* ou cnx_test_sk_*)
+ *   CERTYNIX_BASE_URL — opcional (auto-detectado via prefixo da key)
+ *   CERTYNIX_TIMEOUT  — opcional (ms, padrão: 30000)
+ *   MCP_TRANSPORT     — opcional (stdio | sse, padrão: stdio)
+ *   MCP_PORT          — opcional (apenas para sse, padrão: 3100)
+ *   MCP_LOG_LEVEL     — opcional (debug | info | warn | error, padrão: info)
+ */
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { createServer } from './server.js';
+import { maskApiKey } from './utils/mask.js';
+async function main() {
+    const apiKey = process.env['CERTYNIX_API_KEY'];
+    if (!apiKey) {
+        console.error('Error: CERTYNIX_API_KEY environment variable is required.\n' +
+            'Set it to your Certynix API Key (cnx_live_sk_... for production, cnx_test_sk_... for sandbox).');
+        process.exit(1);
+    }
+    // Validar formato básico sem expor a key
+    if (!apiKey.startsWith('cnx_live_sk_') && !apiKey.startsWith('cnx_test_sk_')) {
+        console.error('Error: Invalid CERTYNIX_API_KEY format.\n' +
+            'Expected: cnx_live_sk_... (production) or cnx_test_sk_... (sandbox).');
+        process.exit(1);
+    }
+    const transport = process.env['MCP_TRANSPORT'] ?? 'stdio';
+    const baseUrl = process.env['CERTYNIX_BASE_URL'];
+    const timeoutRaw = process.env['CERTYNIX_TIMEOUT'];
+    const timeout = timeoutRaw !== undefined ? parseInt(timeoutRaw, 10) : undefined;
+    const isSandbox = apiKey.startsWith('cnx_test_sk_');
+    let server;
+    try {
+        server = createServer(apiKey, {
+            ...(baseUrl !== undefined ? { baseUrl } : {}),
+            ...(timeout !== undefined ? { timeout } : {}),
+        });
+    }
+    catch (err) {
+        // Nunca logar a API key, mesmo em erro de inicialização
+        console.error('Failed to initialize Certynix MCP Server. Check your API key format and network connectivity.');
+        if (err instanceof Error) {
+            // Sanitizar mensagem de erro para garantir que a key não vaze
+            const sanitized = err.message.replace(apiKey, maskApiKey(apiKey));
+            console.error(`Details: ${sanitized}`);
+        }
+        process.exit(1);
+    }
+    if (transport === 'stdio') {
+        const stdioTransport = new StdioServerTransport();
+        await server.connect(stdioTransport);
+        // Log para stderr (não interfere com stdio MCP) — API key mascarada
+        console.error(`Certynix MCP Server running (stdio) — ` +
+            `API key: ${maskApiKey(apiKey)} — ` +
+            `Environment: ${isSandbox ? 'sandbox' : 'production'}`);
+    }
+    else if (transport === 'sse') {
+        const port = parseInt(process.env['MCP_PORT'] ?? '3100', 10);
+        // SSE transport via HTTP server
+        // Importação dinâmica para evitar dependência quando não for necessário
+        const { createServer: createHttpServer } = await import('node:http');
+        const { SSEServerTransport } = await import('@modelcontextprotocol/sdk/server/sse.js');
+        const httpServer = createHttpServer();
+        let sseTransport = null;
+        // eslint-disable-next-line @typescript-eslint/no-misused-promises
+        httpServer.on('request', async (req, res) => {
+            if (req.method === 'GET' && req.url === '/sse') {
+                sseTransport = new SSEServerTransport('/message', res);
+                await server.connect(sseTransport);
+                console.error(`Certynix MCP SSE client connected from ${req.socket.remoteAddress ?? 'unknown'}`);
+            }
+            else if (req.method === 'POST' && req.url === '/message') {
+                if (!sseTransport) {
+                    res.writeHead(503, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'SSE connection not established yet' }));
+                    return;
+                }
+                await sseTransport.handlePostMessage(req, res);
+            }
+            else if (req.method === 'GET' && req.url === '/health') {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({
+                    status: 'ok',
+                    server: 'certynix-mcp',
+                    version: '1.0.0',
+                    environment: isSandbox ? 'sandbox' : 'production',
+                }));
+            }
+            else {
+                res.writeHead(404, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Not found' }));
+            }
+        });
+        await new Promise((resolve, reject) => {
+            httpServer.listen(port, () => {
+                console.error(`Certynix MCP Server running on port ${port} (SSE) — ` +
+                    `API key: ${maskApiKey(apiKey)} — ` +
+                    `Environment: ${isSandbox ? 'sandbox' : 'production'}\n` +
+                    `  SSE endpoint: http://localhost:${port}/sse\n` +
+                    `  Health check: http://localhost:${port}/health`);
+                resolve();
+            });
+            httpServer.on('error', reject);
+        });
+    }
+    else {
+        console.error(`Error: Invalid MCP_TRANSPORT value: "${transport}". Expected "stdio" or "sse".`);
+        process.exit(1);
+    }
+}
+main().catch((err) => {
+    console.error('Fatal error:', err instanceof Error ? err.message : String(err));
+    process.exit(1);
+});

package/dist/prompts/audit-report.d.ts

@@ -0,0 +1,6 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+/**
+ * Prompt: certynix_audit_report
+ * Gera um relatório de auditoria estruturado a partir dos audit logs da organização.
+ */
+export declare function registerAuditReportPrompt(server: McpServer): void;

package/dist/prompts/audit-report.js

@@ -0,0 +1,117 @@
+import { z } from 'zod';
+/**
+ * Prompt: certynix_audit_report
+ * Gera um relatório de auditoria estruturado a partir dos audit logs da organização.
+ */
+export function registerAuditReportPrompt(server) {
+    server.prompt('certynix_audit_report', 'Gera um relatório de auditoria estruturado para um período específico, analisando ações críticas, padrões de acesso e eventos de segurança.', {
+        period: z
+            .enum(['last_7_days', 'last_30_days', 'custom'])
+            .describe("Período do relatório: 'last_7_days' (últimos 7 dias), 'last_30_days' (últimos 30 dias), 'custom' (usar start_date e end_date)."),
+        start_date: z
+            .string()
+            .optional()
+            .describe("Data de início no formato ISO 8601 (ex: 2026-01-01T00:00:00Z). Necessário apenas quando period='custom'."),
+        end_date: z
+            .string()
+            .optional()
+            .describe("Data de fim no formato ISO 8601 (ex: 2026-01-31T23:59:59Z). Necessário apenas quando period='custom'."),
+    }, (args) => {
+        const period = args['period'] ?? 'last_30_days';
+        const startDate = args['start_date'];
+        const endDate = args['end_date'];
+        let periodDescription;
+        let dateInstructions;
+        if (period === 'last_7_days') {
+            const now = new Date();
+            const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+            periodDescription = 'últimos 7 dias';
+            dateInstructions = `Use created_after="${weekAgo.toISOString()}" e created_before="${now.toISOString()}" ao chamar list_audit_logs.`;
+        }
+        else if (period === 'last_30_days') {
+            const now = new Date();
+            const monthAgo = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
+            periodDescription = 'últimos 30 dias';
+            dateInstructions = `Use created_after="${monthAgo.toISOString()}" e created_before="${now.toISOString()}" ao chamar list_audit_logs.`;
+        }
+        else if (period === 'custom' && startDate && endDate) {
+            periodDescription = `${startDate} até ${endDate}`;
+            dateInstructions = `Use created_after="${startDate}" e created_before="${endDate}" ao chamar list_audit_logs.`;
+        }
+        else {
+            periodDescription = 'período especificado';
+            dateInstructions =
+                "Peça ao usuário para especificar start_date e end_date quando period='custom'.";
+        }
+        return {
+            messages: [
+                {
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `Gere um Relatório de Auditoria Certynix completo para o período: ${periodDescription}.
+
+## Instruções de execução
+
+1. **Chame a tool list_audit_logs** com os seguintes parâmetros:
+   - ${dateInstructions}
+   - limit: 100
+   - Se houver has_more=true na resposta, continue paginando com o next_cursor até obter todos os registros do período.
+
+2. **Chame a tool get_trust_score** para incluir o Trust Score atual no relatório.
+
+3. **Chame a tool list_alerts** com resolved=false para incluir alertas ativos.
+
+## Estrutura do relatório a gerar
+
+Após coletar os dados, gere um relatório em Markdown com esta estrutura:
+
+---
+
+# Relatório de Auditoria Certynix
+**Período:** ${periodDescription}
+**Gerado em:** [data atual]
+
+## Resumo Executivo
+- Total de ações no período: [N]
+- Trust Score atual: [score]/100
+- Alertas ativos: [N]
+- Eventos críticos: [N]
+
+## Trust Score
+- Score: [N]/100 ([label])
+- Identidade: [N]/35
+- Segurança: [N]/25
+- Comportamento: [N]/20
+- Assets: [N]/20
+- Penalidades ativas: [lista ou "Nenhuma"]
+
+## Atividade por Tipo de Ação
+| Ação | Quantidade |
+|------|-----------|
+| asset.created | N |
+| api_key.created | N |
+| ... | ... |
+
+## Eventos Críticos de Segurança
+[Lista de eventos relacionados a api_key.created, api_key.revoked, member.invited, plan.changed, etc.]
+
+## Assets Registrados no Período
+[Sumário de assets registrados: total, status breakdown, first_registrant count]
+
+## Alertas de Exposição Ativos
+[Lista de alertas não resolvidos com severidade]
+
+## Recomendações
+[Com base nos dados coletados, liste 3-5 recomendações priorizadas]
+
+---
+
+**IMPORTANTE:** Nunca inclua valores de API Keys, tokens, ou outros dados sensíveis no relatório.
+`,
+                    },
+                },
+            ],
+        };
+    });
+}

package/dist/prompts/security-review.d.ts

@@ -0,0 +1,6 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+/**
+ * Prompt: certynix_security_review
+ * Analisa o estado de segurança da Organization e gera recomendações.
+ */
+export declare function registerSecurityReviewPrompt(server: McpServer): void;

package/dist/prompts/security-review.js

@@ -0,0 +1,95 @@
+/**
+ * Prompt: certynix_security_review
+ * Analisa o estado de segurança da Organization e gera recomendações.
+ */
+export function registerSecurityReviewPrompt(server) {
+    server.prompt('certynix_security_review', 'Gera uma análise de segurança completa da Organization: Trust Score, penalidades ativas, status de API Keys, alertas abertos e recomendações priorizadas.', {}, (_args) => {
+        return {
+            messages: [
+                {
+                    role: 'user',
+                    content: {
+                        type: 'text',
+                        text: `Realize uma Revisão de Segurança completa da organização Certynix.
+
+## Instruções de execução
+
+Execute as seguintes tools em ordem para coletar dados:
+
+1. **get_trust_score** — Trust Score atual com componentes e penalidades
+2. **list_alerts** com resolved=false, limit=50 — Alertas de exposição ativos
+3. **list_api_keys** com limit=100 — Inventário de API Keys ativas
+4. **list_audit_logs** com limit=50, action="api_key.created" — Criações recentes de API Keys
+5. **list_audit_logs** com limit=20, action="member.invited" — Membros adicionados recentemente
+6. **list_assets** com limit=20, status="failed" — Assets com falha de verificação
+
+## Estrutura da análise a gerar
+
+Após coletar todos os dados, gere uma Revisão de Segurança em Markdown:
+
+---
+
+# Revisão de Segurança Certynix
+**Data:** [data atual]
+**Status Geral:** [Critico / Atenção / Bom / Excelente com base no score]
+
+## Trust Score: [N]/100
+
+### Componentes
+| Pilar | Pontuação | Máximo | Status |
+|-------|-----------|--------|--------|
+| Identidade | N | 35 | [OK/Atenção/Crítico] |
+| Segurança | N | 25 | [OK/Atenção/Crítico] |
+| Comportamento | N | 20 | [OK/Atenção/Crítico] |
+| Assets | N | 20 | [OK/Atenção/Crítico] |
+
+### Penalidades Ativas
+[Lista de penalidades ou "Nenhuma penalidade ativa"]
+
+## Alertas de Exposição ([N] ativos)
+
+### Alta Severidade ([N])
+[Lista de alertas high com descrição]
+
+### Média Severidade ([N])
+[Lista de alertas medium]
+
+### Baixa Severidade ([N])
+[Lista de alertas low]
+
+## API Keys ([N] ativas)
+[Listar todas as API Keys com nome e data de criação]
+[Identificar keys não utilizadas recentemente]
+[Identificar keys criadas há mais de 90 dias sem rotação]
+
+## Observações de Acesso
+[Membros adicionados recentemente]
+[API Keys criadas recentemente]
+
+## Assets com Falha ([N])
+[Lista de assets com status=failed]
+
+## Recomendações Priorizadas
+
+### Críticas (ação imediata)
+1. [recomendação baseada nos dados]
+
+### Altas (próxima semana)
+1. [recomendação baseada nos dados]
+
+### Médias (próximo mês)
+1. [recomendação baseada nos dados]
+
+## Score de Maturidade de Segurança
+[Avaliação qualitativa de 1-5 com justificativa baseada nos dados coletados]
+
+---
+
+**IMPORTANTE:** Nunca inclua valores de API Keys, tokens, signing secrets ou outros dados sensíveis na análise.
+`,
+                    },
+                },
+            ],
+        };
+    });
+}

package/dist/resources/alerts-active.d.ts

@@ -0,0 +1,7 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { CertynixClient } from '@certynix/sdk';
+/**
+ * Resource: certynix://alerts/active
+ * Lista todos os Exposure Alerts ativos não resolvidos.
+ */
+export declare function registerActiveAlertsResource(server: McpServer, client: CertynixClient): void;

package/dist/resources/alerts-active.js

@@ -0,0 +1,43 @@
+import { formatError } from '../utils/format.js';
+/**
+ * Resource: certynix://alerts/active
+ * Lista todos os Exposure Alerts ativos não resolvidos.
+ */
+export function registerActiveAlertsResource(server, client) {
+    server.resource('alerts-active', 'certynix://alerts/active', {
+        description: 'Lista de Exposure Alerts ativos não resolvidos: anomalias de integridade detectadas automaticamente (surtos de verificação, versões conflitantes, assets não verificados).',
+        mimeType: 'application/json',
+    }, async (_uri) => {
+        try {
+            const page = await client.alerts.listPage({ resolved: false, limit: 50 });
+            return {
+                contents: [
+                    {
+                        uri: 'certynix://alerts/active',
+                        mimeType: 'application/json',
+                        text: JSON.stringify({
+                            data: page.data,
+                            total_active: page.data.length,
+                            has_more: page.pagination.has_more,
+                            next_cursor: page.pagination.next_cursor,
+                            note: page.pagination.has_more
+                                ? 'Use a tool list_alerts com cursor para ver mais alertas.'
+                                : undefined,
+                        }, null, 2),
+                    },
+                ],
+            };
+        }
+        catch (err) {
+            return {
+                contents: [
+                    {
+                        uri: 'certynix://alerts/active',
+                        mimeType: 'application/json',
+                        text: JSON.stringify({ error: formatError(err) }, null, 2),
+                    },
+                ],
+            };
+        }
+    });
+}

package/dist/resources/asset.d.ts

@@ -0,0 +1,7 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import type { CertynixClient } from '@certynix/sdk';
+/**
+ * Resource template: certynix://assets/{asset_id}
+ * Retorna metadados completos de um asset específico.
+ */
+export declare function registerAssetResource(server: McpServer, client: CertynixClient): void;