@hasna/mcps 0.0.16 → 0.0.17

package/README.md

@@ -27,6 +27,9 @@ mcps --help
 - `mcps call`
 - `mcps info`
 - `mcps doctor`
+- `mcps providers list`
+- `mcps providers search github`
+- `mcps providers install github`
 - `mcps env list <server-id>`
 - `mcps env ref <server-id> API_KEY=UPSTREAM_API_KEY --source env`
 - `mcps machines list`
@@ -55,6 +58,23 @@ Notes:
 - Targets need SSH access plus `node` and either `bun` or `npm` available remotely.
 - Use `-j` or `--json` on the new `machines` and `fleet` commands for scriptable output.
 
+## Curated Provider Profiles
+
+`mcps providers` exposes a curated catalog of common MCP providers with source,
+auth, transport, and install metadata. The default catalog includes Notion,
+Linear, GitHub, Slack, Gmail, Google Drive, Google Calendar, Stripe, Cloudflare,
+PostgreSQL, filesystem, and browser automation profiles.
+
+```bash
+mcps providers list
+mcps providers info github --json
+mcps providers install github
+```
+
+Direct remote providers install as HTTP/SSE entries. Local stdio fallbacks such
+as PostgreSQL, filesystem, and Playwright browser automation require explicit
+local command consent before registration.
+
 ## Credential References
 
 Secret-like environment keys and values are rejected from plain server env storage.

package/bin/index.js

@@ -11985,7 +11985,7 @@ var init_provider_profile_seeds = __esm(() => {
       provenance: {
         source: "curated",
         sourceUrl: "https://developers.notion.com/guides/mcp/build-mcp-client",
-        verifiedAt: "2026-05-10"
+        verifiedAt: "2026-05-11"
       }
     },
     {
@@ -12017,7 +12017,384 @@ var init_provider_profile_seeds = __esm(() => {
       provenance: {
         source: "curated",
         sourceUrl: "https://linear.app/docs/mcp",
-        verifiedAt: "2026-05-10"
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "github",
+      displayName: "GitHub",
+      description: "Connect GitHub so agents can inspect repositories, manage issues and pull requests, analyze Actions runs, and work with project metadata.",
+      endpoint: "https://api.githubcopilot.com/mcp/",
+      transport: "streamable-http",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.0",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "optional",
+        notes: "GitHub hosts the remote server. OAuth requires host-side GitHub App/OAuth App setup; clients that cannot complete OAuth can use an Authorization bearer GitHub PAT."
+      },
+      scopes: ["repo", "read:org", "read:user", "user:email", "workflow", "notifications", "project"],
+      tokenMode: "user",
+      installFallback: {
+        command: "docker",
+        args: ["run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN", "ghcr.io/github/github-mcp-server"],
+        env: { GITHUB_PERSONAL_ACCESS_TOKEN: "GITHUB_PERSONAL_ACCESS_TOKEN" },
+        packageName: "ghcr.io/github/github-mcp-server",
+        url: "https://api.githubcopilot.com/mcp/"
+      },
+      docsUrl: "https://github.com/github/github-mcp-server",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: ["repo", "workflow", "project"],
+        dataClasses: ["repositories", "issues", "pull_requests", "actions", "security_alerts", "organization_members"],
+        notes: "GitHub tools can read private source and mutate repository objects. Prefer least-privilege OAuth scopes or fine-grained PATs and approval-gate write operations."
+      },
+      provenance: {
+        source: "curated",
+        sourceUrl: "https://github.com/github/github-mcp-server",
+        repositoryUrl: "https://github.com/github/github-mcp-server",
+        packageName: "ghcr.io/github/github-mcp-server",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "slack",
+      displayName: "Slack",
+      description: "Connect Slack so agents can search workspace messages and files, inspect conversations, read user context, and draft or send approved messages.",
+      endpoint: "https://mcp.slack.com/mcp",
+      transport: "streamable-http",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.0",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "none",
+        notes: "Slack's remote MCP endpoint uses Streamable HTTP, requires a registered Slack app identity, and does not support SSE or dynamic client registration."
+      },
+      scopes: [
+        "search:read.public",
+        "search:read.private",
+        "search:read.mpim",
+        "search:read.im",
+        "search:read.files",
+        "search:read.users",
+        "channels:history",
+        "groups:history",
+        "mpim:history",
+        "im:history",
+        "chat:write",
+        "canvases:read",
+        "canvases:write",
+        "users:read",
+        "users:read.email"
+      ],
+      tokenMode: "user",
+      docsUrl: "https://docs.slack.dev/ai/slack-mcp-server/",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: ["chat:write", "canvases:write", "users:read.email"],
+        dataClasses: ["messages", "files", "channels", "users", "canvases"],
+        notes: "Slack data often includes confidential team communication. Search/read access should stay tenant-scoped and message/canvas writes should require explicit approval."
+      },
+      provenance: {
+        source: "curated",
+        sourceUrl: "https://docs.slack.dev/ai/slack-mcp-server/",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "gmail",
+      displayName: "Gmail",
+      description: "Connect Gmail through the open Workspace MCP server for mail search, message retrieval, drafts, labels, filters, and approved send workflows.",
+      transport: "stdio",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.1",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "optional",
+        notes: "Workspace MCP is an independent open-source Google Workspace server. Configure your own Google OAuth client and storage backend for Gmail access."
+      },
+      scopes: [
+        "https://www.googleapis.com/auth/gmail.readonly",
+        "https://www.googleapis.com/auth/gmail.modify",
+        "https://www.googleapis.com/auth/gmail.compose",
+        "https://www.googleapis.com/auth/gmail.send"
+      ],
+      tokenMode: "user",
+      installFallback: {
+        command: "uvx",
+        args: ["workspace-mcp"],
+        env: { WORKSPACE_MCP_PERMISSIONS: "gmail:send" },
+        packageName: "workspace-mcp",
+        url: "http://127.0.0.1:8000/mcp"
+      },
+      docsUrl: "https://workspacemcp.com/docs",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: [
+          "https://www.googleapis.com/auth/gmail.modify",
+          "https://www.googleapis.com/auth/gmail.compose",
+          "https://www.googleapis.com/auth/gmail.send"
+        ],
+        dataClasses: ["email_messages", "threads", "attachments", "labels", "contacts"],
+        notes: "Email content and sending are high-impact actions. Prefer read-only permissions until a user intentionally enables drafts or sends."
+      },
+      provenance: {
+        source: "github",
+        sourceUrl: "https://workspacemcp.com/docs",
+        repositoryUrl: "https://github.com/taylorwilsdon/google_workspace_mcp",
+        packageName: "workspace-mcp",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "google-drive",
+      displayName: "Google Drive",
+      description: "Connect Google Drive through the open Workspace MCP server for file search, folder navigation, content reads, and approved file operations.",
+      transport: "stdio",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.1",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "optional",
+        notes: "Workspace MCP is an independent open-source Google Workspace server. Configure your own Google OAuth client and storage backend for Drive access."
+      },
+      scopes: [
+        "https://www.googleapis.com/auth/drive.readonly",
+        "https://www.googleapis.com/auth/drive.file",
+        "https://www.googleapis.com/auth/drive"
+      ],
+      tokenMode: "user",
+      installFallback: {
+        command: "uvx",
+        args: ["workspace-mcp"],
+        env: { WORKSPACE_MCP_PERMISSIONS: "drive:readonly" },
+        packageName: "workspace-mcp",
+        url: "http://127.0.0.1:8000/mcp"
+      },
+      docsUrl: "https://workspacemcp.com/docs",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: [
+          "https://www.googleapis.com/auth/drive.file",
+          "https://www.googleapis.com/auth/drive"
+        ],
+        dataClasses: ["drive_files", "folders", "documents", "spreadsheets", "attachments", "sharing_permissions"],
+        notes: "Drive access can expose broad business documents. Keep tenant allowlists and approval-gate creation, movement, and permission changes."
+      },
+      provenance: {
+        source: "github",
+        sourceUrl: "https://workspacemcp.com/docs",
+        repositoryUrl: "https://github.com/taylorwilsdon/google_workspace_mcp",
+        packageName: "workspace-mcp",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "google-calendar",
+      displayName: "Google Calendar",
+      description: "Connect Google Calendar through the open Workspace MCP server for calendar discovery, event reads, and approved scheduling changes.",
+      transport: "stdio",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.1",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "optional",
+        notes: "Workspace MCP is an independent open-source Google Workspace server. Configure your own Google OAuth client and storage backend for Calendar access."
+      },
+      scopes: [
+        "https://www.googleapis.com/auth/calendar.readonly",
+        "https://www.googleapis.com/auth/calendar.events",
+        "https://www.googleapis.com/auth/calendar"
+      ],
+      tokenMode: "user",
+      installFallback: {
+        command: "uvx",
+        args: ["workspace-mcp"],
+        env: { WORKSPACE_MCP_PERMISSIONS: "calendar:readonly" },
+        packageName: "workspace-mcp",
+        url: "http://127.0.0.1:8000/mcp"
+      },
+      docsUrl: "https://workspacemcp.com/docs",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: [
+          "https://www.googleapis.com/auth/calendar.events",
+          "https://www.googleapis.com/auth/calendar"
+        ],
+        dataClasses: ["calendars", "events", "attendees", "attachments", "availability"],
+        notes: "Calendar writes can invite people, reveal availability, and alter operational schedules. Gate creates, updates, and deletes with user approval."
+      },
+      provenance: {
+        source: "github",
+        sourceUrl: "https://workspacemcp.com/docs",
+        repositoryUrl: "https://github.com/taylorwilsdon/google_workspace_mcp",
+        packageName: "workspace-mcp",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "stripe",
+      displayName: "Stripe",
+      description: "Connect Stripe so agents can inspect accounts, balances, customers, prices, subscriptions, invoices, disputes, and perform approved Stripe API operations.",
+      endpoint: "https://mcp.stripe.com",
+      transport: "streamable-http",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.0",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "optional",
+        notes: "Stripe supports OAuth MCP sessions and restricted API keys as Authorization bearer tokens for clients that do not support OAuth."
+      },
+      tokenMode: "workspace",
+      installFallback: {
+        command: "npx",
+        args: ["-y", "@stripe/mcp"],
+        env: { STRIPE_SECRET_KEY: "STRIPE_SECRET_KEY" },
+        packageName: "@stripe/mcp",
+        url: "https://mcp.stripe.com"
+      },
+      docsUrl: "https://docs.stripe.com/mcp",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: ["restricted_api_key", "live_mode"],
+        dataClasses: ["payments", "customers", "subscriptions", "invoices", "disputes", "account_balances"],
+        notes: "Use restricted keys, separate sandbox/live mode, and require approval for any operation that creates, updates, refunds, cancels, or exposes customer data."
+      },
+      provenance: {
+        source: "curated",
+        sourceUrl: "https://docs.stripe.com/mcp",
+        repositoryUrl: "https://github.com/stripe/ai",
+        packageName: "@stripe/mcp",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "cloudflare",
+      displayName: "Cloudflare",
+      description: "Connect Cloudflare's remote MCP server for account, zone, developer platform, logs, analytics, and approved infrastructure operations.",
+      endpoint: "https://mcp.cloudflare.com/mcp",
+      transport: "streamable-http",
+      authType: "oauth2",
+      authMetadata: {
+        oauthVersion: "2.0",
+        pkce: true,
+        dynamicClientRegistration: false,
+        bearerToken: "none",
+        notes: "Cloudflare's remote MCP server redirects users through Cloudflare authorization and permission selection."
+      },
+      tokenMode: "workspace",
+      docsUrl: "https://developers.cloudflare.com/agents/model-context-protocol/mcp-servers-for-cloudflare/",
+      safety: {
+        requiresApproval: true,
+        sensitiveScopes: ["account_admin", "zone_write", "workers_write", "dns_write"],
+        dataClasses: ["accounts", "zones", "dns_records", "workers", "logs", "analytics", "security_events"],
+        notes: "Cloudflare tools can affect live infrastructure. Require account scoping, least-privilege permissions, and approval for write operations."
+      },
+      provenance: {
+        source: "curated",
+        sourceUrl: "https://github.com/cloudflare/mcp",
+        repositoryUrl: "https://github.com/cloudflare/mcp",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "postgres",
+      displayName: "PostgreSQL",
+      description: "Connect a PostgreSQL database through the reference read-only MCP server for schema inspection and SQL query analysis.",
+      transport: "stdio",
+      authType: "api_key",
+      authMetadata: {
+        bearerToken: "none",
+        notes: "The stdio server takes a PostgreSQL connection URL argument. Store the URL in a secret manager or environment variable and grant read-only database credentials."
+      },
+      tokenMode: "service",
+      installFallback: {
+        command: "npx",
+        args: ["-y", "@modelcontextprotocol/server-postgres", "${POSTGRES_URL}"],
+        packageName: "@modelcontextprotocol/server-postgres"
+      },
+      docsUrl: "https://www.npmjs.com/package/@modelcontextprotocol/server-postgres",
+      safety: {
+        readOnly: true,
+        requiresApproval: false,
+        sensitiveScopes: ["database_connection_url"],
+        dataClasses: ["database_schema", "table_rows", "query_results"],
+        notes: "Use read-only database users and network allowlists. Treat query results as sensitive even when the server enforces read-only transactions."
+      },
+      provenance: {
+        source: "npm",
+        sourceUrl: "https://www.npmjs.com/package/@modelcontextprotocol/server-postgres",
+        repositoryUrl: "https://github.com/modelcontextprotocol/servers",
+        packageName: "@modelcontextprotocol/server-postgres",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "filesystem",
+      displayName: "Filesystem",
+      description: "Connect the reference filesystem MCP server for scoped local file and directory reads, writes, searches, metadata, and move operations.",
+      transport: "stdio",
+      authType: "none",
+      authMetadata: {
+        bearerToken: "none",
+        notes: "Filesystem access is bounded by explicit root directories passed to the local stdio server."
+      },
+      tokenMode: "none",
+      installFallback: {
+        command: "npx",
+        args: ["-y", "@modelcontextprotocol/server-filesystem", "${workspaceFolder}"],
+        packageName: "@modelcontextprotocol/server-filesystem"
+      },
+      docsUrl: "https://www.npmjs.com/package/@modelcontextprotocol/server-filesystem",
+      safety: {
+        requiresApproval: true,
+        destructiveTools: ["write_file", "delete_file", "move_file", "create_directory"],
+        dataClasses: ["local_files", "source_code", "documents", "directory_metadata"],
+        notes: "Always constrain roots to intended project directories and approval-gate write, delete, and move operations."
+      },
+      provenance: {
+        source: "npm",
+        sourceUrl: "https://www.npmjs.com/package/@modelcontextprotocol/server-filesystem",
+        repositoryUrl: "https://github.com/modelcontextprotocol/servers",
+        packageName: "@modelcontextprotocol/server-filesystem",
+        verifiedAt: "2026-05-11"
+      }
+    },
+    {
+      id: "browser",
+      displayName: "Browser Automation",
+      description: "Connect Playwright MCP so agents can navigate pages, inspect accessibility snapshots, fill forms, capture screenshots, and run browser automation.",
+      transport: "stdio",
+      authType: "none",
+      authMetadata: {
+        bearerToken: "none",
+        notes: "Playwright MCP runs browser automation locally and may reuse browser profile state unless configured for isolation."
+      },
+      tokenMode: "none",
+      installFallback: {
+        command: "npx",
+        args: ["-y", "@playwright/mcp"],
+        packageName: "@playwright/mcp"
+      },
+      docsUrl: "https://playwright.dev/docs/getting-started-mcp",
+      safety: {
+        requiresApproval: true,
+        destructiveTools: ["browser_click", "browser_type", "browser_file_upload", "browser_run_code"],
+        dataClasses: ["web_pages", "forms", "cookies", "local_storage", "screenshots", "browser_profiles"],
+        notes: "Browser automation can submit forms, alter accounts, and expose logged-in sessions. Prefer isolated profiles and require approval for side-effecting actions."
+      },
+      provenance: {
+        source: "curated",
+        sourceUrl: "https://playwright.dev/docs/getting-started-mcp",
+        repositoryUrl: "https://github.com/microsoft/playwright-mcp",
+        packageName: "@playwright/mcp",
+        verifiedAt: "2026-05-11"
       }
     }
   ];
@@ -12140,22 +12517,19 @@ function getDb() {
     db.exec("ALTER TABLE provider_profiles ADD COLUMN auth_metadata TEXT NOT NULL DEFAULT '{}'");
   } catch {}
   db.exec("CREATE INDEX IF NOT EXISTS idx_provider_profiles_enabled ON provider_profiles(enabled)");
-  const providerProfileCount = db.query("SELECT COUNT(*) as c FROM provider_profiles").get().c;
-  if (providerProfileCount === 0) {
-    const insertProviderProfile = db.prepare(`
-      INSERT OR IGNORE INTO provider_profiles (
-        id, display_name, description, endpoint, transport, fallback_endpoints,
-        auth_type, auth_metadata, scopes, token_mode, install_fallback,
-        docs_url, safety, provenance, enabled
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-    `);
-    const run = db.transaction(() => {
-      for (const profile of DEFAULT_PROVIDER_PROFILE_SEEDS) {
-        insertProviderProfile.run(profile.id, profile.displayName, profile.description ?? null, profile.endpoint ?? null, profile.transport, JSON.stringify(profile.fallbackEndpoints ?? []), profile.authType, JSON.stringify(profile.authMetadata ?? {}), JSON.stringify(profile.scopes ?? []), profile.tokenMode ?? "none", JSON.stringify(profile.installFallback ?? null), profile.docsUrl ?? null, JSON.stringify(profile.safety ?? {}), JSON.stringify(profile.provenance), profile.enabled === false ? 0 : 1);
-      }
-    });
-    run();
-  }
+  const insertProviderProfile = db.prepare(`
+    INSERT OR IGNORE INTO provider_profiles (
+      id, display_name, description, endpoint, transport, fallback_endpoints,
+      auth_type, auth_metadata, scopes, token_mode, install_fallback,
+      docs_url, safety, provenance, enabled
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  const seedProviderProfiles = db.transaction(() => {
+    for (const profile of DEFAULT_PROVIDER_PROFILE_SEEDS) {
+      insertProviderProfile.run(profile.id, profile.displayName, profile.description ?? null, profile.endpoint ?? null, profile.transport, JSON.stringify(profile.fallbackEndpoints ?? []), profile.authType, JSON.stringify(profile.authMetadata ?? {}), JSON.stringify(profile.scopes ?? []), profile.tokenMode ?? "none", JSON.stringify(profile.installFallback ?? null), profile.docsUrl ?? null, JSON.stringify(profile.safety ?? {}), JSON.stringify(profile.provenance), profile.enabled === false ? 0 : 1);
+    }
+  });
+  seedProviderProfiles();
   db.exec(`
     CREATE TABLE IF NOT EXISTS feedback (
       id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
@@ -19416,7 +19790,7 @@ var init_sources = __esm(() => {
 var require_package = __commonJS((exports, module) => {
   module.exports = {
     name: "@hasna/mcps",
-    version: "0.0.16",
+    version: "0.0.17",
     description: "Meta-MCP registry & CLI \u2014 discover, manage, and proxy MCP servers",
     type: "module",
     repository: {
@@ -38936,7 +39310,7 @@ function buildMcpTools() {
     },
     {
       name: "list_provider_profiles",
-      description: "List curated provider profiles for hosted/common MCP integrations such as Notion and Linear.",
+      description: "List curated provider profiles for hosted/common MCP integrations such as GitHub, Slack, Google Workspace, Stripe, Cloudflare, Postgres, filesystem, and browser automation.",
       paramsSchema: {
         enabled_only: exports_external2.boolean().optional().describe("Only include enabled provider profiles")
       },
@@ -38946,7 +39320,7 @@ function buildMcpTools() {
       name: "search_provider_profiles",
       description: "Search curated provider profiles separately from raw MCP registry/source search.",
       paramsSchema: {
-        query: exports_external2.string().describe("Search query such as 'notion', 'linear', or an endpoint URL"),
+        query: exports_external2.string().describe("Search query such as 'github', 'slack', 'postgres', or an endpoint URL"),
         enabled_only: exports_external2.boolean().optional().describe("Only include enabled provider profiles")
       },
       run: ({ query, enabled_only }) => jsonContent(searchProviderProfiles(String(query), { enabledOnly: enabled_only === true }))