@elytrasec/mcp 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 ElytraSec
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,56 @@
+# @elytrasec/mcp
+
+Elytra Security as a Model Context Protocol server. Give your AI coding agent the ability to scan smart contracts and code, replay famous exploit patterns, and look up onchain attestations — without leaving the IDE.
+
+## Install
+
+### Claude Desktop
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
+
+```json
+{
+  "mcpServers": {
+    "elytra": {
+      "command": "npx",
+      "args": ["-y", "@elytrasec/mcp"]
+    }
+  }
+}
+```
+
+Restart Claude Desktop. The 4 Elytra tools appear in the MCP indicator.
+
+### Cursor
+
+Settings → MCP → Add server:
+
+```json
+{ "command": "npx", "args": ["-y", "@elytrasec/mcp"] }
+```
+
+### Cline / Continue / any MCP-compatible client
+
+Same one-liner — install as a stdio server with the npx command above.
+
+## Tools
+
+| Tool | What it does |
+|---|---|
+| `elytra_scan` | Scan a code snippet for security vulnerabilities |
+| `elytra_scan_address` | Scan a deployed contract by 0x address (Ethereum / Base / Arbitrum / Optimism / Polygon) |
+| `elytra_replay_hacks` | Test code against 8 famous-exploit patterns (Bybit, Ronin, Euler, Beanstalk, Multichain, Curve, Radiant, zkSync) |
+| `elytra_agent_identity` | Return Elytra's onchain agent card (ERC-8004, pricing, capabilities) |
+
+## Optional env vars
+
+- `ELYTRA_API_KEY` — Bearer key for the paid `/api/v1/scan` endpoint (bypasses x402 micropayment for higher throughput). Contact hello@elytrasec.io.
+- `ELYTRA_BASE_URL` — Override the default `https://elytrasec.io` (for self-hosting).
+
+## Pricing
+
+All tools above hit Elytra's free public endpoints. For higher rate limits or AI-powered deep review, the underlying API supports x402 pay-per-call in USDC on Base or Solana (1¢ per scan, 2¢ per review).
+
+## License
+
+MIT

package/dist/index.js

@@ -0,0 +1,219 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+var BASE_URL = process.env.ELYTRA_BASE_URL ?? "https://elytrasec.io";
+var API_KEY = process.env.ELYTRA_API_KEY ?? "";
+async function postJSON(path, body, opts = {}) {
+  const headers = { "Content-Type": "application/json" };
+  if (opts.auth && API_KEY) headers.Authorization = `Bearer ${API_KEY}`;
+  let res;
+  try {
+    res = await fetch(`${BASE_URL}${path}`, { method: "POST", headers, body: JSON.stringify(body) });
+  } catch (e) {
+    return { error: `Network error reaching Elytra: ${e instanceof Error ? e.message : "unknown"}`, status: 0 };
+  }
+  let data;
+  try {
+    data = await res.json();
+  } catch {
+    data = null;
+  }
+  if (!res.ok) {
+    const errMsg = data?.error ?? `HTTP ${res.status}`;
+    return { error: errMsg, status: res.status };
+  }
+  return { ok: true, data };
+}
+async function getJSON(path) {
+  let res;
+  try {
+    res = await fetch(`${BASE_URL}${path}`);
+  } catch (e) {
+    return { error: `Network error reaching Elytra: ${e instanceof Error ? e.message : "unknown"}`, status: 0 };
+  }
+  let data;
+  try {
+    data = await res.json();
+  } catch {
+    data = null;
+  }
+  if (!res.ok) {
+    const errMsg = data?.error ?? `HTTP ${res.status}`;
+    return { error: errMsg, status: res.status };
+  }
+  return { ok: true, data };
+}
+function formatScan(r, label) {
+  const lines = [];
+  if (r.contract) {
+    lines.push(`# ${label}: ${r.contract.name} on ${r.contract.chainName}`);
+    lines.push(`Compiler: ${r.contract.compiler.replace(/^v/, "")}  \xB7  Explorer: ${r.contract.explorerUrl}`);
+  } else {
+    lines.push(`# ${label}`);
+  }
+  if (r.warning) {
+    lines.push("");
+    lines.push(`\u26A0 ${r.warning}`);
+    return lines.join("\n");
+  }
+  lines.push("");
+  lines.push(`Score: ${r.score ?? "n/a"}/100  \xB7  Grade: ${r.grade ?? "n/a"}`);
+  lines.push(`Findings: ${r.findings.length}`);
+  if (r.findings.length === 0) {
+    lines.push("");
+    lines.push("No issues found.");
+    return lines.join("\n");
+  }
+  const order = ["critical", "high", "medium", "low", "info"];
+  const grouped = {};
+  for (const f of r.findings) (grouped[f.severity.toLowerCase()] ||= []).push(f);
+  for (const sev of order) {
+    const group = grouped[sev];
+    if (!group?.length) continue;
+    lines.push("");
+    lines.push(`## ${sev.toUpperCase()} (${group.length})`);
+    for (const f of group) {
+      const where = f.filePath ? `${f.filePath}:${f.startLine}` : `L${f.startLine}`;
+      lines.push(`- [${f.ruleId}] ${f.title.replace(/^\[Pattern\] /, "")}  \xB7  ${where}`);
+      if (f.suggestion) lines.push(`  \u2192 ${f.suggestion}`);
+    }
+  }
+  return lines.join("\n");
+}
+var TOOLS = [
+  {
+    name: "elytra_scan",
+    description: "Scan a code snippet for security vulnerabilities. Supports Solidity, Vyper, JS/TS, Python, Go, Rust, Java, Ruby, PHP, plus IaC (Terraform, Kubernetes, Dockerfile, GitHub Actions). Returns findings with severity, fix suggestions, and a 0-100 score. Use this for security-focused code review.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        code: { type: "string", description: "The source code to scan" },
+        language: { type: "string", description: "Language hint: javascript | typescript | python | go | java | ruby | php | solidity | rust", default: "javascript" }
+      },
+      required: ["code"]
+    }
+  },
+  {
+    name: "elytra_scan_address",
+    description: "Scan a DEPLOYED smart contract by its onchain address. Elytra fetches the verified source from the block explorer (Etherscan / Basescan / etc.) and scans every source file. Use this when the user gives you a 0x... address and asks about its security.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        address: { type: "string", description: "Contract address (0x... 40 hex chars)" },
+        chain: { type: "string", description: "ethereum | base | arbitrum | optimism | polygon", default: "ethereum" }
+      },
+      required: ["address"]
+    }
+  },
+  {
+    name: "elytra_replay_hacks",
+    description: "Run the 8 famous-exploit pattern detectors against submitted source code. Encodes patterns from $3B+ in losses: Bybit ($1.46B), Ronin ($625M), Euler ($197M), Beanstalk ($182M), Multichain ($126M), Curve ($73M), Radiant ($53M), zkSync ($5M). Returns only matches against these specific historic attack vectors. Use this when you want to check 'have I made any of the famous mistakes?'",
+    inputSchema: {
+      type: "object",
+      properties: {
+        code: { type: "string", description: "The source code to test against hack-replay patterns" },
+        language: { type: "string", description: "Language hint", default: "solidity" }
+      },
+      required: ["code"]
+    }
+  },
+  {
+    name: "elytra_agent_identity",
+    description: "Return Elytra's onchain agent identity card \u2014 ERC-8004 registry data, capabilities, pricing on Base and Solana, attestation count, and discovery endpoints. Use this when the user wants to verify or learn about the Elytra agent itself, integrate it programmatically, or compare it to other agents.",
+    inputSchema: { type: "object", properties: {} }
+  }
+];
+function errOut(msg) {
+  return { content: [{ type: "text", text: `Error: ${msg}` }], isError: true };
+}
+async function runScan(args) {
+  if (!args.code) return errOut("Missing required field: code");
+  const r = await postJSON("/api/playground", {
+    code: args.code,
+    language: args.language ?? "javascript"
+  });
+  if (!("ok" in r)) return errOut(r.error);
+  return { content: [{ type: "text", text: formatScan(r.data, "Scan result") }] };
+}
+async function runScanAddress(args) {
+  if (!args.address) return errOut("Missing required field: address");
+  const r = await postJSON("/api/playground/scan-address", {
+    address: args.address,
+    chain: args.chain ?? "ethereum"
+  });
+  if (!("ok" in r)) return errOut(r.error);
+  return { content: [{ type: "text", text: formatScan(r.data, "Contract scan") }] };
+}
+async function runReplayHacks(args) {
+  if (!args.code) return errOut("Missing required field: code");
+  const r = await postJSON("/api/playground", {
+    code: args.code,
+    language: args.language ?? "solidity"
+  });
+  if (!("ok" in r)) return errOut(r.error);
+  const onlyHacks = {
+    ...r.data,
+    findings: r.data.findings.filter((f) => f.ruleId.startsWith("cp-hack-"))
+  };
+  const text = onlyHacks.findings.length === 0 ? "No famous-hack patterns matched against this code. \u2713\n\nThis means none of: Bybit \xB7 Ronin \xB7 Euler \xB7 Beanstalk \xB7 Multichain \xB7 Curve \xB7 Radiant \xB7 zkSync fingerprints fired.\n\nNote: hack-replay is a narrow pattern check \u2014 run elytra_scan for the full 130+ rule set." : formatScan(onlyHacks, "Famous-hack pattern matches");
+  return { content: [{ type: "text", text }] };
+}
+async function runAgentIdentity() {
+  const r = await getJSON("/.well-known/agent-card.json");
+  if (!("ok" in r)) return errOut(r.error);
+  const c = r.data;
+  const lines = [];
+  lines.push(`# ${c.name}`);
+  lines.push("");
+  lines.push(c.description);
+  lines.push("");
+  lines.push(`## Identity`);
+  lines.push(`- ERC-8004 agent ID: ${c.identity.erc8004.agentId ?? "(pending registration)"}`);
+  lines.push(`- Registry: ${c.identity.erc8004.registryExplorer}`);
+  lines.push(`- Wallet:   ${c.identity.wallet ?? "(unconfigured)"}`);
+  lines.push(`- Attestation service: ${c.identity.attestation.service}`);
+  lines.push(`- Confirmed attestations onchain: ${c.attestation_count}`);
+  lines.push("");
+  lines.push(`## Capabilities`);
+  for (const cap of c.capabilities) {
+    const priceLines = cap.pricing.filter((p) => p.available).map((p) => `${p.human} on ${p.chain}`).join("  \xB7  ");
+    lines.push(`- **${cap.name}**  \u2192  ${cap.endpoint}`);
+    if (priceLines) lines.push(`  Pricing: ${priceLines}`);
+  }
+  lines.push("");
+  lines.push(`## Discovery`);
+  for (const [k, v] of Object.entries(c.discovery)) lines.push(`- ${k}: ${v}`);
+  return { content: [{ type: "text", text: lines.join("\n") }] };
+}
+var server = new Server(
+  { name: "elytrasec", version: "0.1.0" },
+  { capabilities: { tools: {} } }
+);
+server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+server.setRequestHandler(CallToolRequestSchema, async (req) => {
+  const { name, arguments: args = {} } = req.params;
+  try {
+    switch (name) {
+      case "elytra_scan":
+        return await runScan(args);
+      case "elytra_scan_address":
+        return await runScanAddress(args);
+      case "elytra_replay_hacks":
+        return await runReplayHacks(args);
+      case "elytra_agent_identity":
+        return await runAgentIdentity();
+      default:
+        return errOut(`Unknown tool: ${name}`);
+    }
+  } catch (e) {
+    return errOut(e instanceof Error ? e.message : "Internal MCP server error");
+  }
+});
+var transport = new StdioServerTransport();
+await server.connect(transport);

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@elytrasec/mcp",
+  "version": "0.1.0",
+  "description": "Elytra Security as a Model Context Protocol server — give your AI agent (Claude Desktop, Cursor, Cline) the ability to scan smart contracts and code, replay famous exploit patterns, and post onchain attestations.",
+  "license": "MIT",
+  "author": "ElytraSec <hello@elytrasec.io>",
+  "homepage": "https://elytrasec.io/agents",
+  "bugs": "https://github.com/ElytraSec/elytrasec/issues",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "security",
+    "scanner",
+    "solidity",
+    "defi",
+    "ai-agent",
+    "claude",
+    "cursor"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ElytraSec/elytrasec.git",
+    "directory": "packages/mcp"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "bin": {
+    "elytrasec-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.4",
+    "tsup": "^8.5.1",
+    "typescript": "^5.7.3"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup src/index.ts --format esm --watch",
+    "start": "node dist/index.js"
+  }
+}