@cyanheads/whois-mcp-server 0.1.1

package/README.md

@@ -0,0 +1,316 @@
+<div align="center">
+  <h1>@cyanheads/whois-mcp-server</h1>
+  <p><b>Look up domain registration, check availability, fetch DNS records, and resolve IPs and ASNs via RDAP and DNS-over-HTTPS via MCP. STDIO or Streamable HTTP.</b>
+  <div>6 Tools</div>
+  </p>
+</div>
+
+<div align="center">
+
+[![Version](https://img.shields.io/badge/Version-0.1.1-blue.svg?style=flat-square)](./CHANGELOG.md) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Docker](https://img.shields.io/badge/Docker-ghcr.io-2496ED?style=flat-square&logo=docker&logoColor=white)](https://github.com/users/cyanheads/packages/container/package/whois-mcp-server) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![npm](https://img.shields.io/npm/v/@cyanheads/whois-mcp-server?style=flat-square&logo=npm&logoColor=white)](https://www.npmjs.com/package/@cyanheads/whois-mcp-server) [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.11-blueviolet.svg?style=flat-square)](https://bun.sh/)
+
+</div>
+
+<div align="center">
+
+[![Install in Claude Desktop](https://img.shields.io/badge/Install_in-Claude_Desktop-D97757?style=for-the-badge&logo=anthropic&logoColor=white)](https://github.com/cyanheads/whois-mcp-server/releases/latest/download/whois-mcp-server.mcpb) [![Install in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=whois-mcp-server&config=eyJjb21tYW5kIjoibnB4IiwiYXJncyI6WyIteSIsIkBjeWFuaGVhZHMvd2hvaXMtbWNwLXNlcnZlciJdfQ==) [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=for-the-badge&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode:mcp/install?%7B%22name%22%3A%22whois-mcp-server%22%2C%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40cyanheads%2Fwhois-mcp-server%22%5D%7D)
+
+[![Framework](https://img.shields.io/badge/Built%20on-@cyanheads/mcp--ts--core-67E8F9?style=flat-square)](https://www.npmjs.com/package/@cyanheads/mcp-ts-core)
+
+</div>
+
+---
+
+## Tools
+
+Six tools covering domain intelligence, DNS, and IP/ASN resolution:
+
+| Tool | Description |
+|:-----|:------------|
+| `whois_lookup_domain` | Full domain registration record — registrar, created/expiry dates, nameservers, EPP status, DNSSEC, registrant org |
+| `whois_check_availability` | Check whether a domain is registered or available for registration |
+| `whois_get_dns` | DNS records for any hostname via DNS-over-HTTPS (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR) |
+| `whois_lookup_ip` | IP or CIDR netblock, org, country, abuse contact, and reverse DNS via RIR RDAP |
+| `whois_lookup_asn` | Resolve an ASN to its org name, country, and RIR source |
+| `whois_get_dossier` | One-call domain triage — registration + DNS in parallel, normalized into a single record with factual signals |
+
+### `whois_lookup_domain`
+
+Look up a domain's full RDAP registration record.
+
+- RDAP-first via IANA auto-bootstrap — automatically selects the correct registry RDAP server per TLD
+- Returns registrar, creation/expiry dates, nameservers, EPP status codes, DNSSEC delegation flag
+- Surfaces `registrant_redacted: true` explicitly when privacy redaction is in effect (standard post-GDPR for gTLDs)
+- Returns `rdap_coverage: false` for TLDs without RDAP coverage rather than silently failing
+- Includes `last_update_of_rdap_db` event timestamp for data freshness transparency
+
+---
+
+### `whois_check_availability`
+
+Check whether a domain name is registered or available to register.
+
+- RDAP 404 = available (`available: true`) — exploits the RDAP spec's intended behavior
+- Returns `available: false` with `registrar` and `expiry_date` when registered
+- Returns `available: null` with `rdap_coverage: false` for TLDs without RDAP — cannot determine availability
+- Optimized for bulk name sweeps — thin response, no unnecessary fields
+
+---
+
+### `whois_get_dns`
+
+Fetch DNS records via DNS-over-HTTPS.
+
+- Cloudflare `1.1.1.1` primary, Google `8.8.8.8` fallback (used for CAA records where Cloudflare returns raw hex)
+- Supports A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR — multiple types in one call
+- Returns records with TTLs and the resolving source (`cloudflare` or `google`)
+- `nxdomain: true` in result (not an error) when the domain doesn't exist in DNS
+
+---
+
+### `whois_lookup_ip`
+
+Look up an IP address or CIDR block via RIR RDAP.
+
+- Auto-routes to the correct RIR (ARIN, RIPE, APNIC, LACNIC, AFRINIC) via IANA IP bootstrap
+- Returns netblock CIDR, org name, country, abuse contact email
+- Fetches PTR (reverse DNS) via DoH as a best-effort step — `ptr: null` on failure, not an error
+- Validates and rejects private/reserved ranges (RFC 1918, loopback, link-local) with a clear error
+
+---
+
+### `whois_lookup_asn`
+
+Resolve an ASN to its org name, country, and RIR.
+
+- Accepts `AS15169` or bare integer `15169` format
+- Routes to the correct RIR RDAP endpoint via IANA ASN bootstrap
+- Returns `name`, `org`, `country`, `rir`, `start_autnum`, `end_autnum`
+
+---
+
+### `whois_get_dossier`
+
+One-call domain triage aggregating registration and DNS data in parallel.
+
+- Runs RDAP domain lookup and DoH (A, MX, NS, TXT) in parallel via `Promise.allSettled`
+- Inferred signals: `age_days`, `privacy_redacted`, `registrar`, `ns_provider` (from NS records), `mx_provider` (from MX records)
+- No synthesized risk scores — factual signals only; the agent decides the verdict
+- Partial results surfaced when one leg fails (`source_error` on the failed leg)
+- Both-legs-fail throws `ServiceUnavailable`; individual leg failures are data, not errors
+
+---
+
+## Features
+
+Built on [`@cyanheads/mcp-ts-core`](https://www.npmjs.com/package/@cyanheads/mcp-ts-core):
+
+- Declarative tool definitions — single file per tool, framework handles registration and validation
+- Unified error handling — handlers throw, framework catches, classifies, and formats
+- Pluggable auth: `none`, `jwt`, `oauth`
+- Swappable storage backends: `in-memory`, `filesystem`, `Supabase`, `Cloudflare KV/R2/D1`
+- Structured logging with optional OpenTelemetry tracing
+- STDIO and Streamable HTTP transports
+
+Domain and network intelligence:
+
+- RDAP over HTTPS — no port-43 TCP dependency, runs on Node, Bun, and Cloudflare Workers
+- IANA bootstrap auto-selection — correct registry RDAP server picked per TLD, RIR, or ASN range; bootstrap JSON cached (TTL 24h) in tenant state
+- DNS-over-HTTPS via Cloudflare and Google — resilient dual-provider with per-type routing (Google for CAA; Cloudflare for all others)
+- No API keys required — all sources (IANA, registry RDAP endpoints, RIR RDAP, Cloudflare DoH, Google DoH) are public and keyless
+
+Agent-friendly output:
+
+- Explicit coverage signals — `rdap_coverage: false` tells the agent the TLD lacks RDAP rather than returning a confusing error
+- Privacy redaction surfaced as a field — `registrant_redacted: true` rather than silently absent contact data
+- Partial failure model — `whois_get_dossier` marks individual legs with `source_error` and continues; only both-legs-fail escalates to an error
+- Factual signals, not scores — `age_days`, `privacy_redacted`, `ns_provider`, `mx_provider` are real data; agents chain into threat-intel or risk servers for enrichment
+
+---
+
+## Getting started
+
+No API keys or accounts required. Add the following to your MCP client configuration file.
+
+```json
+{
+  "mcpServers": {
+    "whois-mcp-server": {
+      "type": "stdio",
+      "command": "bunx",
+      "args": ["@cyanheads/whois-mcp-server@latest"],
+      "env": {
+        "MCP_TRANSPORT_TYPE": "stdio",
+        "MCP_LOG_LEVEL": "info"
+      }
+    }
+  }
+}
+```
+
+Or with npx (no Bun required):
+
+```json
+{
+  "mcpServers": {
+    "whois-mcp-server": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@cyanheads/whois-mcp-server@latest"],
+      "env": {
+        "MCP_TRANSPORT_TYPE": "stdio",
+        "MCP_LOG_LEVEL": "info"
+      }
+    }
+  }
+}
+```
+
+Or with Docker:
+
+```json
+{
+  "mcpServers": {
+    "whois-mcp-server": {
+      "type": "stdio",
+      "command": "docker",
+      "args": [
+        "run", "-i", "--rm",
+        "-e", "MCP_TRANSPORT_TYPE=stdio",
+        "ghcr.io/cyanheads/whois-mcp-server:latest"
+      ]
+    }
+  }
+}
+```
+
+For Streamable HTTP, set the transport and start the server:
+
+```sh
+MCP_TRANSPORT_TYPE=http MCP_HTTP_PORT=3010 bun run start:http
+# Server listens at http://localhost:3010/mcp
+```
+
+### Prerequisites
+
+- [Bun v1.3.0](https://bun.sh/) or higher (or Node.js v24+).
+- No API keys required — all data sources are public.
+
+### Installation
+
+1. **Clone the repository:**
+
+```sh
+git clone https://github.com/cyanheads/whois-mcp-server.git
+```
+
+2. **Navigate into the directory:**
+
+```sh
+cd whois-mcp-server
+```
+
+3. **Install dependencies:**
+
+```sh
+bun install
+```
+
+4. **Configure environment:**
+
+```sh
+cp .env.example .env
+# All vars are optional — defaults work for most use cases
+```
+
+---
+
+## Configuration
+
+| Variable | Description | Default |
+|:---------|:------------|:--------|
+| `RDAP_TIMEOUT_MS` | HTTP timeout for RDAP requests in milliseconds. | `5000` |
+| `DOH_TIMEOUT_MS` | HTTP timeout for DNS-over-HTTPS requests in milliseconds. | `3000` |
+| `RDAP_MAX_RETRIES` | Max retry attempts on transient RDAP failures. | `2` |
+| `DOH_MAX_RETRIES` | Max retry attempts on transient DoH failures. | `2` |
+| `MCP_TRANSPORT_TYPE` | Transport: `stdio` or `http`. | `stdio` |
+| `MCP_HTTP_PORT` | Port for HTTP server. | `3010` |
+| `MCP_AUTH_MODE` | Auth mode: `none`, `jwt`, or `oauth`. | `none` |
+| `MCP_LOG_LEVEL` | Log level (RFC 5424). | `info` |
+| `OTEL_ENABLED` | Enable [OpenTelemetry instrumentation](https://github.com/cyanheads/mcp-ts-core/tree/main/docs/telemetry). | `false` |
+
+See [`.env.example`](./.env.example) for the full list of optional overrides.
+
+---
+
+## Running the server
+
+### Local development
+
+- **Build and run:**
+
+  ```sh
+  bun run rebuild
+  bun run start:stdio
+  # or
+  bun run start:http
+  ```
+
+- **Run checks and tests:**
+
+  ```sh
+  bun run devcheck   # Lint, format, typecheck, security
+  bun run test       # Vitest test suite
+  bun run lint:mcp   # Validate MCP definitions against spec
+  ```
+
+### Docker
+
+```sh
+docker build -t whois-mcp-server .
+docker run --rm -p 3010:3010 whois-mcp-server
+```
+
+The Dockerfile defaults to HTTP transport, stateless session mode, and logs to `/var/log/whois-mcp-server`. OpenTelemetry peer dependencies are installed by default — build with `--build-arg OTEL_ENABLED=false` to omit them.
+
+---
+
+## Project structure
+
+| Path | Purpose |
+|:-----|:--------|
+| `src/index.ts` | `createApp()` entry point — registers tools and inits services. |
+| `src/config/` | Server-specific environment variable parsing and validation (Zod). |
+| `src/services/rdap/` | RDAP client — IANA bootstrap cache, domain/IP/ASN lookup, retry. |
+| `src/services/doh/` | DNS-over-HTTPS client — Cloudflare primary, Google fallback. |
+| `src/mcp-server/tools/` | Tool definitions (`*.tool.ts`). |
+| `tests/` | Vitest tests mirroring `src/`. |
+| `docs/` | Design and API reference documents. |
+
+---
+
+## Development guide
+
+See [`CLAUDE.md`](./CLAUDE.md) for development guidelines and architectural rules. The short version:
+
+- Handlers throw, framework catches — no `try/catch` in tool logic
+- Use `ctx.log` for request-scoped logging, `ctx.state` for tenant-scoped storage (IANA bootstrap cache)
+- Register new tools via `src/index.ts` tools array
+- Wrap external API calls: validate raw → normalize to domain type → return output schema; never fabricate missing fields
+
+---
+
+## Contributing
+
+Issues and pull requests are welcome. Run checks and tests before submitting:
+
+```sh
+bun run devcheck
+bun run test
+```
+
+---
+
+## License
+
+Apache-2.0 — see [LICENSE](LICENSE) for details.

package/changelog/0.1.x/0.1.1.md

@@ -0,0 +1,32 @@
+---
+summary: "Initial public release — 6 RDAP + DoH tools for domain registration, availability, DNS records, IP netblock, ASN, and domain dossier; TXT record prompt-injection hardening"
+breaking: false
+security: true
+---
+
+# 0.1.1 — 2026-06-05
+
+Initial public release of `@cyanheads/whois-mcp-server`. Provides 6 MCP tools over [RDAP](https://www.iana.org/rdap) (via IANA bootstrap) and [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) (Cloudflare primary, Google fallback):
+
+- **`whois_lookup_domain`** — domain registration record: registrar, created/expiry dates, nameservers, EPP status codes, DNSSEC flag, registrant org
+- **`whois_check_availability`** — domain availability check via RDAP 404 signal
+- **`whois_get_dns`** — DNS records via DoH (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR)
+- **`whois_lookup_ip`** — IP/CIDR netblock, org, abuse contact via RIR RDAP
+- **`whois_lookup_asn`** — ASN to org/RIR resolution via RIR RDAP
+- **`whois_get_dossier`** — one-call domain triage: registration + DNS records fetched in parallel
+
+## Added
+
+- **`whois_lookup_domain`** — RDAP domain lookup with IANA auto-bootstrap; returns registrar, dates, nameservers, EPP status, DNSSEC, and registrant org (where not privacy-redacted)
+- **`whois_check_availability`** — checks domain availability by interpreting RDAP 404 as unregistered; falls back to a registration hint when RDAP coverage is absent for the TLD
+- **`whois_get_dns`** — DNS record fetch via Cloudflare DoH (primary) / Google DoH (fallback); supports A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR record types
+- **`whois_lookup_ip`** — resolves any IPv4/IPv6 address or CIDR prefix to its RIR netblock record (org, country, abuse contact) via the appropriate RIR's RDAP endpoint
+- **`whois_lookup_asn`** — resolves an AS number to org name, country, and RIR via RIR RDAP
+- **`whois_get_dossier`** — parallel domain triage tool combining `whois_lookup_domain` + `whois_get_dns` in a single call; includes derived signals (hosting provider guess, SPF/DMARC/DKIM presence, registrar-lock status)
+- **RDAP service** (`src/services/rdap/`) — IANA bootstrap cache (TTL via `ctx.state`), domain/IP/ASN lookup, RIR routing, normalized types
+- **DoH service** (`src/services/doh/`) — Cloudflare-primary / Google-fallback DNS-over-HTTPS client, all record types, normalized types
+- **Server config** (`src/config/server-config.ts`) — `RDAP_TIMEOUT_MS`, `DOH_TIMEOUT_MS`, `RDAP_MAX_RETRIES`, `DOH_MAX_RETRIES` env vars
+
+## Security
+
+- **TXT record prompt-injection hardening** — DNS TXT record values are attacker-controlled free-text; `whois_get_dns` and `whois_get_dossier` now backtick-fence every TXT value in `format()` output before it reaches the LLM context, preventing embedded instructions from executing as prompt content

package/changelog/template.md

@@ -0,0 +1,127 @@
+---
+# FORMAT REFERENCE — do not edit. Copy this file to
+# `changelog/<major.minor>.x/<version>.md` (e.g. `changelog/0.8.x/0.8.6.md`)
+# to author a new release. Set that file's H1 to `# <version> — YYYY-MM-DD`
+# with a concrete date.
+
+# Required. One-line GitHub Release-style headline. 350 character cap.
+# Default short and scannable. Don't pad, don't stitch unrelated changes with
+# semicolons — pick the headline. Quotes required: unquoted YAML treats `: `
+# inside the value as a key separator and fails GitHub's strict parser.
+summary: ""
+
+# Set `true` when consumers must change code to upgrade: API removals,
+# signature changes, config renames, behavior changes that break existing
+# usage. Flagged as `Breaking` in the rollup.
+breaking: false
+
+# Set `true` if this release contains any security fix. Pairs with the
+# `## Security` section below. Flagged as `Security` in the rollup so
+# users can triage upgrade urgency at a glance.
+security: false
+
+# Optional free-form notes for maintenance agents processing this release.
+# Not rendered in CHANGELOG — consumed by agents running `maintenance` on
+# downstream servers. Use for adoption instructions that don't fit the
+# human-facing sections: new files to create, fields to populate, one-time
+# migration steps. Omit the field entirely when there's nothing to say.
+# agent-notes: |
+#   <instructions for downstream maintenance agents>
+---
+
+# <version> — YYYY-MM-DD
+
+<!--
+  AUTHORING GUIDE — applies to the new per-version file you create from this
+  template.
+
+  Audience: someone scanning release notes to decide what affects them. Lead
+  each bullet with the symbol or concept name in **bold** so they can skip
+  what's irrelevant and zoom in on what's not.
+
+  Tone: terse, fact-dense, not verbose. Default to one sentence per bullet —
+  name the symbol, state what changed, stop. Use a second sentence only when
+  it carries weight. If a bullet feels long, it is.
+
+  Cut: mechanism walkthroughs (those belong in JSDoc, CLAUDE.md/AGENTS.md, or the
+  relevant skill), ceremonial framings ("This release introduces…",
+  backwards-compat paragraphs), file-by-file test enumerations, internal
+  implementation notes. Prefer code/symbol names over English re-explanations.
+
+  Narrative intro: skip by default. Add one short sentence only when the
+  release theme genuinely needs framing the bullets can't carry.
+
+  Sections: Keep a Changelog order — Added, Changed, Deprecated, Removed,
+  Fixed, Security. Include only sections with entries; delete the rest
+  (including the commented-out scaffolding below). Don't ship empty headers.
+
+  Include: every distinct fact a reader needs to adopt or audit the release —
+  new exports, signatures, lint rule IDs, env vars, breaking changes, version
+  bumps on shipped skills. Nothing more.
+
+  Links: link issues, PRs, docs, or skills where they help a reader jump to
+  context. Once per item per entry — don't re-link the same issue in summary,
+  narrative, and bullet. Skip links for inline symbol names; code spans speak
+  for themselves.
+
+  Issue/PR URLs: use full URLs. GitHub's bare `#NN` auto-link only resolves
+  inside its own UI, not in npm reads or local editors.
+
+      [#38](https://github.com/cyanheads/mcp-ts-core/issues/38)   ← issue
+      [#42](https://github.com/cyanheads/mcp-ts-core/pull/42)     ← PR
+
+  Verify numbers exist before linking (`gh issue view NN`, `gh pr view NN`).
+  Never speculate on a future number — `#42` for an upcoming PR silently
+  resolves to whatever real item already owns 42, and timeline previews pull
+  in that unrelated item's metadata.
+
+  TAG ANNOTATIONS — the annotated tag body renders as the GitHub Release body
+  via `gh release create --notes-from-tag`. The tag is a derivative of this
+  changelog entry — a condensed, scannable version, not a copy. Format:
+
+    <theme — omit version number, GitHub prepends it>
+                                                          ← blank line
+    <1-2 sentence context: what this release does>
+                                                          ← blank line
+    Dependency bumps:                                     ← section header
+                                                          ← blank line
+    - `@cyanheads/mcp-ts-core` ^0.9.1 → ^0.9.6          ← bullet
+                                                          ← blank line
+    Changed:                                              ← only sections with entries
+                                                          ← blank line
+    - `format()` output includes `query` in text mode
+                                                          ← blank line
+    Added:
+                                                          ← blank line
+    - `manifest.json` scaffolded for MCPB bundle support
+    - Install badges (Claude Desktop, Cursor, VS Code)
+                                                          ← blank line
+    <N> tests pass; `bun run devcheck` clean.             ← footer
+
+  Never a flat comma-separated string. Always structured markdown with
+  sections. The tag must scan well as a rendered GitHub Release page.
+-->
+
+## Added
+
+-
+
+## Changed
+
+-
+
+<!-- ## Deprecated
+
+- -->
+
+<!-- ## Removed
+
+- -->
+
+## Fixed
+
+-
+
+<!-- ## Security
+
+- -->

package/dist/config/server-config.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @fileoverview Server-specific environment configuration for whois-mcp-server.
+ * @module config/server-config
+ */
+import { z } from '@cyanheads/mcp-ts-core';
+declare const ServerConfigSchema: z.ZodObject<{
+    rdapTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+    dohTimeoutMs: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+    rdapMaxRetries: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+    dohMaxRetries: z.ZodDefault<z.ZodCoercedNumber<unknown>>;
+}, z.core.$strip>;
+export type ServerConfig = z.infer<typeof ServerConfigSchema>;
+/** Returns the parsed server config, lazy-initialized on first call. */
+export declare function getServerConfig(): ServerConfig;
+export {};
+//# sourceMappingURL=server-config.d.ts.map

package/dist/config/server-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-config.d.ts","sourceRoot":"","sources":["../../src/config/server-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAG3C,QAAA,MAAM,kBAAkB;;;;;iBAWtB,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAI9D,wEAAwE;AACxE,wBAAgB,eAAe,IAAI,YAAY,CAQ9C"}

package/dist/config/server-config.js

@@ -0,0 +1,30 @@
+/**
+ * @fileoverview Server-specific environment configuration for whois-mcp-server.
+ * @module config/server-config
+ */
+import { z } from '@cyanheads/mcp-ts-core';
+import { parseEnvConfig } from '@cyanheads/mcp-ts-core/config';
+const ServerConfigSchema = z.object({
+    rdapTimeoutMs: z.coerce.number().default(5000).describe('HTTP timeout for RDAP requests in ms.'),
+    dohTimeoutMs: z.coerce.number().default(3000).describe('HTTP timeout for DoH requests in ms.'),
+    rdapMaxRetries: z.coerce
+        .number()
+        .default(2)
+        .describe('Max retry attempts on transient RDAP failures.'),
+    dohMaxRetries: z.coerce
+        .number()
+        .default(2)
+        .describe('Max retry attempts on transient DoH failures.'),
+});
+let _config;
+/** Returns the parsed server config, lazy-initialized on first call. */
+export function getServerConfig() {
+    _config ??= parseEnvConfig(ServerConfigSchema, {
+        rdapTimeoutMs: 'RDAP_TIMEOUT_MS',
+        dohTimeoutMs: 'DOH_TIMEOUT_MS',
+        rdapMaxRetries: 'RDAP_MAX_RETRIES',
+        dohMaxRetries: 'DOH_MAX_RETRIES',
+    });
+    return _config;
+}
+//# sourceMappingURL=server-config.js.map

package/dist/config/server-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-config.js","sourceRoot":"","sources":["../../src/config/server-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAE/D,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IAChG,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IAC9F,cAAc,EAAE,CAAC,CAAC,MAAM;SACrB,MAAM,EAAE;SACR,OAAO,CAAC,CAAC,CAAC;SACV,QAAQ,CAAC,gDAAgD,CAAC;IAC7D,aAAa,EAAE,CAAC,CAAC,MAAM;SACpB,MAAM,EAAE;SACR,OAAO,CAAC,CAAC,CAAC;SACV,QAAQ,CAAC,+CAA+C,CAAC;CAC7D,CAAC,CAAC;AAIH,IAAI,OAAiC,CAAC;AAEtC,wEAAwE;AACxE,MAAM,UAAU,eAAe;IAC7B,OAAO,KAAK,cAAc,CAAC,kBAAkB,EAAE;QAC7C,aAAa,EAAE,iBAAiB;QAChC,YAAY,EAAE,gBAAgB;QAC9B,cAAc,EAAE,kBAAkB;QAClC,aAAa,EAAE,iBAAiB;KACjC,CAAC,CAAC;IACH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * @fileoverview whois-mcp-server MCP server entry point.
+ * @module index
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG"}

package/dist/index.js

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+/**
+ * @fileoverview whois-mcp-server MCP server entry point.
+ * @module index
+ */
+import { createApp } from '@cyanheads/mcp-ts-core';
+import { whoisCheckAvailability } from './mcp-server/tools/definitions/whois-check-availability.tool.js';
+import { whoisGetDns } from './mcp-server/tools/definitions/whois-get-dns.tool.js';
+import { whoisGetDossier } from './mcp-server/tools/definitions/whois-get-dossier.tool.js';
+import { whoisLookupAsn } from './mcp-server/tools/definitions/whois-lookup-asn.tool.js';
+import { whoisLookupDomain } from './mcp-server/tools/definitions/whois-lookup-domain.tool.js';
+import { whoisLookupIp } from './mcp-server/tools/definitions/whois-lookup-ip.tool.js';
+import { initDohService } from './services/doh/doh-service.js';
+import { initRdapService } from './services/rdap/rdap-service.js';
+await createApp({
+    tools: [
+        whoisLookupDomain,
+        whoisCheckAvailability,
+        whoisGetDns,
+        whoisLookupIp,
+        whoisLookupAsn,
+        whoisGetDossier,
+    ],
+    resources: [],
+    prompts: [],
+    instructions: 'whois-mcp-server: domain and IP intelligence via RDAP and DNS-over-HTTPS. No API keys required.\n' +
+        '- whois_lookup_domain: full registration record (registrar, dates, status, nameservers)\n' +
+        '- whois_check_availability: is a domain available to register? (RDAP 404 = available)\n' +
+        '- whois_get_dns: DNS records for any hostname (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, PTR)\n' +
+        '- whois_lookup_ip: IP/CIDR netblock, org, abuse contact, and PTR via RIR RDAP\n' +
+        '- whois_lookup_asn: ASN to org/RIR resolution\n' +
+        '- whois_get_dossier: one-call domain triage — registration + DNS in parallel with inferred signals',
+    setup(core) {
+        initRdapService(core.config, core.storage);
+        initDohService(core.config, core.storage);
+    },
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,iEAAiE,CAAC;AACzG,OAAO,EAAE,WAAW,EAAE,MAAM,sDAAsD,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,MAAM,0DAA0D,CAAC;AAC3F,OAAO,EAAE,cAAc,EAAE,MAAM,yDAAyD,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,4DAA4D,CAAC;AAC/F,OAAO,EAAE,aAAa,EAAE,MAAM,wDAAwD,CAAC;AACvF,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAElE,MAAM,SAAS,CAAC;IACd,KAAK,EAAE;QACL,iBAAiB;QACjB,sBAAsB;QACtB,WAAW;QACX,aAAa;QACb,cAAc;QACd,eAAe;KAChB;IACD,SAAS,EAAE,EAAE;IACb,OAAO,EAAE,EAAE;IACX,YAAY,EACV,mGAAmG;QACnG,2FAA2F;QAC3F,yFAAyF;QACzF,8FAA8F;QAC9F,iFAAiF;QACjF,iDAAiD;QACjD,oGAAoG;IACtG,KAAK,CAAC,IAAI;QACR,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3C,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;CACF,CAAC,CAAC"}

package/dist/mcp-server/tools/definitions/_fqdn.d.ts

@@ -0,0 +1,7 @@
+/**
+ * @fileoverview Shared FQDN validation used across tool handlers.
+ * @module mcp-server/tools/definitions/_fqdn
+ */
+/** Simple FQDN validation: labels separated by dots, no consecutive dots, length limits */
+export declare function isValidFqdn(domain: string): boolean;
+//# sourceMappingURL=_fqdn.d.ts.map

package/dist/mcp-server/tools/definitions/_fqdn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_fqdn.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/tools/definitions/_fqdn.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,2FAA2F;AAC3F,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAQnD"}

package/dist/mcp-server/tools/definitions/_fqdn.js

@@ -0,0 +1,18 @@
+/**
+ * @fileoverview Shared FQDN validation used across tool handlers.
+ * @module mcp-server/tools/definitions/_fqdn
+ */
+/** Simple FQDN validation: labels separated by dots, no consecutive dots, length limits */
+export function isValidFqdn(domain) {
+    if (!domain || domain.length > 253)
+        return false;
+    const labels = domain.split('.');
+    if (labels.length < 2)
+        return false;
+    return labels.every((label) => {
+        if (!label || label.length > 63)
+            return false;
+        return /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/.test(label);
+    });
+}
+//# sourceMappingURL=_fqdn.js.map

package/dist/mcp-server/tools/definitions/_fqdn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_fqdn.js","sourceRoot":"","sources":["../../../../src/mcp-server/tools/definitions/_fqdn.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,2FAA2F;AAC3F,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QAC5B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,KAAK,CAAC;QAC9C,OAAO,wDAAwD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/mcp-server/tools/definitions/whois-check-availability.tool.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @fileoverview whois_check_availability tool — domain availability check via RDAP 404 semantics.
+ * @module mcp-server/tools/definitions/whois-check-availability.tool
+ */
+import { z } from '@cyanheads/mcp-ts-core';
+import { JsonRpcErrorCode } from '@cyanheads/mcp-ts-core/errors';
+export declare const whoisCheckAvailability: import("@cyanheads/mcp-ts-core").ToolDefinition<z.ZodObject<{
+    domain: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    domain: z.ZodString;
+    available: z.ZodNullable<z.ZodBoolean>;
+    rdap_coverage: z.ZodBoolean;
+    registrar: z.ZodOptional<z.ZodString>;
+    expiry_date: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, readonly [{
+    readonly reason: "invalid_domain";
+    readonly code: JsonRpcErrorCode.InvalidParams;
+    readonly when: "Input is not a valid FQDN.";
+    readonly recovery: "Provide a valid fully-qualified domain name like \"example.com\" or \"sub.example.org\".";
+}, {
+    readonly reason: "rdap_no_coverage";
+    readonly code: JsonRpcErrorCode.NotFound;
+    readonly when: "TLD has no RDAP server — available is null, cannot determine registration status.";
+    readonly recovery: "This TLD has no RDAP coverage; availability cannot be determined programmatically.";
+}], undefined>;
+//# sourceMappingURL=whois-check-availability.tool.d.ts.map

package/dist/mcp-server/tools/definitions/whois-check-availability.tool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"whois-check-availability.tool.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/tools/definitions/whois-check-availability.tool.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAQ,CAAC,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAIjE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;cA4GjC,CAAC"}