@elytrasec/mcp 0.1.0 → 0.2.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 ElytraSec
+Copyright (c) 2026 ElytraSec
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,6 +1,8 @@
 # @elytrasec/mcp
 
-Elytra Security as a Model Context Protocol server. Give your AI coding agent the ability to scan smart contracts and code, replay famous exploit patterns, and look up onchain attestations — without leaving the IDE.
+Elytra Security as a Model Context Protocol server. Give your AI coding agent (Claude Desktop, Cursor, Cline, Zed) the ability to scan smart contracts and code, check 12 famous-hack patterns, and return public Elytra security receipts — without leaving the IDE.
+
+173 detection rules. ERC-8004 verified agent. x402 pay-per-call in USDC on Base + Solana.
 
 ## Install
 
@@ -13,7 +15,7 @@ Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS)
   "mcpServers": {
     "elytra": {
       "command": "npx",
-      "args": ["-y", "@elytrasec/mcp"]
+      "args": ["-y", "@elytrasec/mcp@latest"]
     }
   }
 }
@@ -26,7 +28,7 @@ Restart Claude Desktop. The 4 Elytra tools appear in the MCP indicator.
 Settings → MCP → Add server:
 
 ```json
-{ "command": "npx", "args": ["-y", "@elytrasec/mcp"] }
+{ "command": "npx", "args": ["-y", "@elytrasec/mcp@latest"] }
 ```
 
 ### Cline / Continue / any MCP-compatible client
@@ -39,9 +41,20 @@ Same one-liner — install as a stdio server with the npx command above.
 |---|---|
 | `elytra_scan` | Scan a code snippet for security vulnerabilities |
 | `elytra_scan_address` | Scan a deployed contract by 0x address (Ethereum / Base / Arbitrum / Optimism / Polygon) |
-| `elytra_replay_hacks` | Test code against 8 famous-exploit patterns (Bybit, Ronin, Euler, Beanstalk, Multichain, Curve, Radiant, zkSync) |
+| `elytra_replay_hacks` | Test code against 12 famous-exploit patterns ($3.04B combined losses): Bybit, Ronin, Euler, Beanstalk, Multichain, Curve, Radiant, zkSync, Cream, Wormhole, Nomad, Mango |
 | `elytra_agent_identity` | Return Elytra's onchain agent card (ERC-8004, pricing, capabilities) |
 
+## Privacy & safety
+
+This MCP server is a thin, read-only client over Elytra's public HTTP API. Specifically:
+
+- **No shell execution.** The server never spawns child processes or executes shell commands.
+- **No file writes.** The server reads nothing from disk and writes nothing to disk.
+- **No private keys.** The server never reads, requests, generates, or stores private keys.
+- **No wallet signing.** The server never signs transactions or messages. Any onchain payments (x402) are settled by Elytra's facilitators, not by this server.
+- **Sends only what you ask it to.** Each tool call forwards exactly the code, address, or query the AI agent passed in — nothing more. No telemetry, no ambient file reads, no background uploads.
+- **May return public receipt URLs.** Depending on Elytra's API mode, a scan can produce a public receipt page at `https://elytrasec.io/r/<id>`. The URL is returned to you; you decide whether to share it.
+
 ## Optional env vars
 
 - `ELYTRA_API_KEY` — Bearer key for the paid `/api/v1/scan` endpoint (bypasses x402 micropayment for higher throughput). Contact hello@elytrasec.io.

package/dist/index.js

@@ -113,7 +113,7 @@ var TOOLS = [
   },
   {
     name: "elytra_replay_hacks",
-    description: "Run the 8 famous-exploit pattern detectors against submitted source code. Encodes patterns from $3B+ in losses: Bybit ($1.46B), Ronin ($625M), Euler ($197M), Beanstalk ($182M), Multichain ($126M), Curve ($73M), Radiant ($53M), zkSync ($5M). Returns only matches against these specific historic attack vectors. Use this when you want to check 'have I made any of the famous mistakes?'",
+    description: "Run the 12 famous-exploit pattern detectors against submitted source code. Encodes patterns from $3.04B in losses: Bybit ($1.46B), Ronin ($625M), Wormhole ($325M), Euler ($197M), Nomad ($190M), Beanstalk ($182M), Cream ($130M), Multichain ($126M), Mango ($114M), Curve ($73M), Radiant ($53M), zkSync ($5M). Returns only matches against these specific historic attack vectors. Use this when you want to check 'have I made any of the famous mistakes?'",
     inputSchema: {
       type: "object",
       properties: {
@@ -161,7 +161,7 @@ async function runReplayHacks(args) {
     ...r.data,
     findings: r.data.findings.filter((f) => f.ruleId.startsWith("cp-hack-"))
   };
-  const text = onlyHacks.findings.length === 0 ? "No famous-hack patterns matched against this code. \u2713\n\nThis means none of: Bybit \xB7 Ronin \xB7 Euler \xB7 Beanstalk \xB7 Multichain \xB7 Curve \xB7 Radiant \xB7 zkSync fingerprints fired.\n\nNote: hack-replay is a narrow pattern check \u2014 run elytra_scan for the full 130+ rule set." : formatScan(onlyHacks, "Famous-hack pattern matches");
+  const text = onlyHacks.findings.length === 0 ? "No famous-hack patterns matched against this code. \u2713\n\nThis means none of: Bybit \xB7 Ronin \xB7 Wormhole \xB7 Euler \xB7 Nomad \xB7 Beanstalk \xB7 Cream \xB7 Multichain \xB7 Mango \xB7 Curve \xB7 Radiant \xB7 zkSync fingerprints fired.\n\nNote: hack-replay is a narrow pattern check \u2014 run elytra_scan for the full 173-rule set." : formatScan(onlyHacks, "Famous-hack pattern matches");
   return { content: [{ type: "text", text }] };
 }
 async function runAgentIdentity() {
@@ -192,7 +192,7 @@ async function runAgentIdentity() {
   return { content: [{ type: "text", text: lines.join("\n") }] };
 }
 var server = new Server(
-  { name: "elytrasec", version: "0.1.0" },
+  { name: "elytrasec", version: "0.2.0" },
   { capabilities: { tools: {} } }
 );
 server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));

package/package.json

@@ -1,29 +1,18 @@
 {
   "name": "@elytrasec/mcp",
-  "version": "0.1.0",
-  "description": "Elytra Security as a Model Context Protocol server — give your AI agent (Claude Desktop, Cursor, Cline) the ability to scan smart contracts and code, replay famous exploit patterns, and post onchain attestations.",
+  "version": "0.2.0",
+  "description": "Elytra Security as a Model Context Protocol server — give your AI agent the ability to scan smart contracts and code, check 12 famous-hack patterns, and return public Elytra security receipts.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io/agents",
-  "bugs": "https://github.com/ElytraSec/elytrasec/issues",
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "security",
-    "scanner",
-    "solidity",
-    "defi",
-    "ai-agent",
-    "claude",
-    "cursor"
-  ],
+  "bugs": "https://github.com/ElytraSec/mcp/issues",
+  "keywords": ["mcp", "model-context-protocol", "security", "scanner", "solidity", "defi", "ai-agent", "claude", "cursor"],
   "engines": {
     "node": ">=20"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/ElytraSec/elytrasec.git",
-    "directory": "packages/mcp"
+    "url": "https://github.com/ElytraSec/mcp.git"
   },
   "publishConfig": {
     "access": "public"
@@ -34,8 +23,14 @@
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
+  "scripts": {
+    "build": "tsup",
+    "dev":   "tsup src/index.ts --format esm --watch",
+    "start": "node dist/index.js"
+  },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.4",
     "zod": "^3.23.8"
@@ -44,10 +39,5 @@
     "@types/node": "^22.13.4",
     "tsup": "^8.5.1",
     "typescript": "^5.7.3"
-  },
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup src/index.ts --format esm --watch",
-    "start": "node dist/index.js"
   }
-}
+}