@kryptosai/mcp-observatory 0.22.0 → 0.23.0

package/docs/proof.md

@@ -6,22 +6,30 @@ MCP Observatory is early, but it is already a working MCP testing/security stack
 
 - npm package: `@kryptosai/mcp-observatory`
 - GitHub Action: `KryptosAI/mcp-observatory/action@main`
+- Latest release: `v0.23.0`
 - CLI command count: scan, test, record, replay, verify, diff, watch, suggest, serve, lock, history, init-ci, ci-report, enterprise-report, score, badge, cloud
-- Test suite: 321 passing tests across 40 test files as of June 19, 2026
-- GitHub traffic snapshot: 582 clones and 175 unique cloners in the visible June 2026 traffic window
+- Test suite: 334 passing tests across 43 test files as of June 20, 2026
+- GitHub traffic snapshot: 721 clones and 221 unique cloners in the visible June 2026 traffic window
 - npm downloads snapshot: 104 downloads for June 11-17, 2026
+- Security guide: [MCP Server Security Field Guide](./mcp-security-field-guide.md)
+- Safety index: [MCP Server Safety Index](./mcp-server-safety-index.md)
+- Public examples: [Reference Evaluations](./reference-evaluations.md)
+- Lock-file CI primitive: [MCP Lock Files](./mcp-lock-files.md)
+- Public post drafts: [Launch Post Drafts](./public-post-drafts.md)
+- Pilot offer: [Private MCP Readiness Review](./paid-pilot-offer.md)
 
 ## Safe Aggregate Telemetry Snapshot
 
 Internal telemetry is used for product analytics and account-level outreach. Public reporting uses only aggregate or sanitized data.
 
-As of the latest local export on June 19, 2026:
+As of the latest local export on June 20, 2026:
 
-- 10,278 telemetry events
-- 7,211 unique sessions
-- 5,368 external sessions after separating internal/personal activity
-- 2,434 external CI sessions
-- 128 attributed company/org sessions
+- 10,918 telemetry events
+- 7,380 total sessions
+- 5,379 external sessions after separating internal/personal activity
+- 2,446 external CI sessions
+- 138 attributed company/org sessions
+- 11 attributed company/org candidates
 - top external commands: `serve`, `run`, `diff`, `test`, `scan`, `history`
 
 Raw emails, hostnames, private URLs, tokens, and response bodies are not published.
@@ -50,7 +58,16 @@ Accepted third-party integrations will be tracked here:
 
 | Repo | PR | Check Added | Badge Added | Status |
 | --- | --- | --- | --- | --- |
-| _pending_ | | | | |
+| `modelcontextprotocol/servers` | [#4392](https://github.com/modelcontextprotocol/servers/pull/4392) | Yes | No | Open, mergeable, MCP Observatory check passing |
+| `microsoft/playwright-mcp` | [#1657](https://github.com/microsoft/playwright-mcp/pull/1657) | Yes | No | Open |
+| `upstash/context7` | [#2800](https://github.com/upstash/context7/pull/2800) | Yes | No | Open |
+| `executeautomation/mcp-playwright` | [#225](https://github.com/executeautomation/mcp-playwright/pull/225) | Yes | No | Open |
+| `kazuph/mcp-taskmanager` | [#11](https://github.com/kazuph/mcp-taskmanager/pull/11) | Yes | No | Open |
+| `cyanheads/filesystem-mcp-server` | [#19](https://github.com/cyanheads/filesystem-mcp-server/pull/19) | Yes | No | Open |
+| `antvis/mcp-server-chart` | [#312](https://github.com/antvis/mcp-server-chart/pull/312) | Yes | No | Open |
+| `BrowserMCP/mcp` | [#189](https://github.com/BrowserMCP/mcp/pull/189) | Yes | No | Open |
+| `UI5/mcp-server` | [#348](https://github.com/UI5/mcp-server/pull/348) | Yes | No | Open |
+| `makenotion/notion-mcp-server` | [#324](https://github.com/makenotion/notion-mcp-server/pull/324) | Yes | No | Open |
 
 ## Commercial Proof
 

package/docs/public-post-drafts.md

@@ -0,0 +1,86 @@
+# Public Post Drafts
+
+Use these as launch posts, GitHub Discussion posts, LinkedIn posts, or short blog drafts. The framing is about MCP safety patterns, not “look at my tool.”
+
+## 1. I Tested 20 MCP Servers. The Pattern Was Not “Bad Servers”; It Was Missing Gates.
+
+MCP servers are becoming production dependencies for agents, but many of them still ship without the kind of CI gate we expect from normal software dependencies.
+
+The main pattern I saw while building the first MCP Server Safety Index was simple: the risky part is rarely that a server exists. The risky part is that agents may depend on a tool surface nobody is testing for startup reliability, schema quality, security posture, or drift.
+
+The checks that matter most:
+
+- does the server start cleanly in CI?
+- do tools, prompts, and resources respond as advertised?
+- are tool schemas precise enough for agents to call safely?
+- did a release add, remove, or broaden a tool?
+- are destructive tools clearly identifiable?
+
+My takeaway: MCP needs a package-lock moment. Commit the agent-facing contract, then make drift visible before agents depend on it.
+
+## 2. Browser MCP Servers Need A Different Security Bar
+
+Browser automation MCP servers are powerful because agents can navigate pages, click, type, inspect state, and sometimes execute scripts.
+
+That is exactly why they need explicit CI and security gates.
+
+For browser MCP servers, a useful review should separate:
+
+- harmless inventory checks
+- state-mutating browser actions
+- code execution or page-evaluation tools
+- network/navigation controls
+- tool schemas that are too broad for safe agent planning
+
+The goal is not to block browser MCP. The goal is to make the trust boundary visible before an agent gets a browser with hands.
+
+## 3. Filesystem MCP Servers Should Always Test In A Sandbox
+
+Filesystem MCP servers are one of the clearest examples of why MCP CI needs context.
+
+A server can be useful and still dangerous if the test command points at the wrong directory, if read/write boundaries are unclear, or if a tool schema makes broad path access look harmless.
+
+The minimum safety pattern:
+
+- run CI against a temporary harmless directory
+- verify tools/resources respond as advertised
+- flag broad filesystem access
+- document which operations are read-only vs write-capable
+- treat changes to path schemas as contract drift
+
+Agents need tools. They do not need accidental access to everything.
+
+## 4. Token-Backed SaaS MCP Servers Need Issue-First Certification
+
+Many SaaS, cloud, payments, database, and developer-platform MCP servers cannot be safely checked with a drive-by PR because meaningful startup requires tokens or live services.
+
+For those repos, the right move is usually not a workflow PR first. It is an issue or maintainer question:
+
+“What is the safest CI startup command for this server?”
+
+Once maintainers provide a token-safe target config, the useful checks are:
+
+- does startup fail cleanly without credentials?
+- are auth requirements documented?
+- are destructive tools obvious?
+- are schemas narrow enough for agent use?
+- can the repo publish a safe compatibility/security badge?
+
+Security adoption works better when it starts by respecting maintainer context.
+
+## 5. MCP Drift Is An AI Supply Chain Problem
+
+When a package dependency changes, teams have lock files, diffs, review, and release notes.
+
+When an MCP server changes its tool surface, an agent dependency changed too.
+
+That means tool additions, tool removals, schema broadening, new write actions, and prompt/resource changes should be visible in pull requests.
+
+The useful primitive is an MCP lock file:
+
+```bash
+npx @kryptosai/mcp-observatory lock
+npx @kryptosai/mcp-observatory lock verify
+```
+
+The point is not bureaucracy. It is to make the agent-facing contract reviewable before production workflows quietly depend on something new.

package/docs/publish-readiness.md

@@ -22,6 +22,11 @@ Confirm:
 - HTTP target examples use env references instead of inline tokens.
 - Security findings appear in artifact evidence as structured `findings`.
 - Hosted upload is available through `mcp-observatory cloud upload <artifact>` when `MCP_OBSERVATORY_CLOUD_TOKEN` is set.
+- Hosted HTTP scans require `Authorization: Bearer <HOSTED_SCAN_TOKEN>` and are treated as an authenticated pilot surface.
+
+Known audit note:
+
+- `npm audit` may report `undici <=6.26.0` through the `npm@11.17.0` package bundled under `@semantic-release/npm`. As of June 20, 2026, `npm audit fix` cannot update this bundled copy and `npm@11.17.0` is the current published npm package. The remaining vulnerable `undici` copy is release tooling only and is not part of MCP Observatory runtime dependencies or the packed npm artifact. Recheck after npm publishes a newer package.
 
 Known audit note:
 
@@ -32,10 +37,10 @@ Known audit note:
 - Merge the health/commercialization PR.
 - Update the GitHub repo homepage to the README or commercial page.
 - Publish npm only after the release gate is green.
-- Refresh MCP directory listings with: “MCP Observatory helps teams test, secure, and monitor MCP servers before agents depend on them.”
-- Include “free for local OSS use; paid for hosted reporting, private repo CI, security reports, production monitoring, certification, support, and fleet visibility.”
+- Refresh MCP directory listings with: “MCP Observatory is the CI and security gate for MCP servers before agents depend on them.”
+- Include “free for local OSS use; paid for hosted reporting, private repo CI, recurring security reports, certification, support, and fleet visibility.”
 - Link production users to `COMMERCIAL.md` and `william@banksey.com`.
-- Submit or refresh listings on Glama, PulseMCP, Smithery, and relevant awesome-MCP lists with the tags: security, developer tools, CI/CD, testing, observability, schema drift.
+- Submit or refresh listings on Glama, PulseMCP, Smithery, and relevant awesome-MCP lists with the tags: security, developer tools, CI/CD, testing, MCP security, schema drift.
 - Use the certification distribution loop to open helpful PRs against popular MCP server repos and convert accepted PRs into proof points.
 - Link public proof, the safety report, and directory listing copy from launch/outreach materials.
 
@@ -67,6 +72,7 @@ Worker:
 
 - `POST /api/v1/artifacts` stores a run artifact behind bearer-token auth.
 - `GET /api/v1/artifacts/:org` returns the org artifact index behind the same auth.
+- `POST /api/v1/scan` requires `Authorization: Bearer <HOSTED_SCAN_TOKEN>`.
 - Hosted scans reject localhost/private-network targets; use local CLI for internal MCP servers.
 
 ## What Not To Do Yet

package/docs/reference-evaluations.md

@@ -0,0 +1,134 @@
+# MCP Observatory Reference Evaluations
+
+Reference evaluations show how MCP Observatory applies to common MCP server categories. These are public, safe examples intended to help maintainers and security reviewers understand what the tool checks and what kind of risk each category can expose.
+
+The examples below are not customer claims. They are public evaluation targets, public pull requests, or category examples that can be reproduced with the CLI.
+
+## Official MCP Reference Servers
+
+Representative repo: [`modelcontextprotocol/servers`](https://github.com/modelcontextprotocol/servers)
+
+Public proof:
+
+- PR: [`modelcontextprotocol/servers#4392`](https://github.com/modelcontextprotocol/servers/pull/4392)
+- Status: open, mergeable, with a passing MCP Observatory check as of June 19, 2026
+
+What this represents:
+
+- reference MCP implementations
+- simple tools that should behave predictably in CI
+- a good baseline for model context protocol testing
+
+What Observatory checks:
+
+- server startup in GitHub Actions
+- tools list/respond correctly
+- schema quality and security scan output
+- report generation for maintainers
+
+Adoption command:
+
+```bash
+npx @kryptosai/mcp-observatory init-ci --all --command "npx -y @modelcontextprotocol/server-sequential-thinking"
+```
+
+## Browser Automation MCP Servers
+
+Representative public examples:
+
+- [`microsoft/playwright-mcp`](https://github.com/microsoft/playwright-mcp)
+- [`executeautomation/mcp-playwright`](https://github.com/executeautomation/mcp-playwright)
+
+Public proof:
+
+- PR: [`microsoft/playwright-mcp#1657`](https://github.com/microsoft/playwright-mcp/pull/1657)
+- PR: [`executeautomation/mcp-playwright#225`](https://github.com/executeautomation/mcp-playwright/pull/225)
+
+What this represents:
+
+- high-capability browser tools
+- agent access to pages, scripts, navigation, screenshots, and user-like actions
+- a category where secure tool invocation and explicit trust boundaries matter
+
+What Observatory checks:
+
+- tool inventory
+- schema quality
+- risky browser/code-execution surfaces
+- intentional suppressions for known acceptable findings
+- whether deep invocation should be skipped for tools that can mutate browser state
+
+Adoption command:
+
+```bash
+npx @kryptosai/mcp-observatory test --security npx -y @playwright/mcp
+```
+
+## Filesystem MCP Servers
+
+Representative public category: filesystem-backed MCP servers.
+
+Public proof:
+
+- PR: [`cyanheads/filesystem-mcp-server#19`](https://github.com/cyanheads/filesystem-mcp-server/pull/19)
+
+What this represents:
+
+- local file access exposed to agents
+- read/write boundaries that should be explicit
+- capability declarations that need to match observed MCP behavior
+
+What Observatory checks:
+
+- tools/resources capability consistency
+- broad filesystem access findings
+- schema quality for path-oriented tools
+- safe sandbox target configuration for CI
+
+Adoption command:
+
+```bash
+npx @kryptosai/mcp-observatory test --security npx -y filesystem-mcp-server .
+```
+
+Use a harmless temporary directory for CI checks when evaluating filesystem servers.
+
+## Documentation And Search MCP Servers
+
+Representative public example: [`upstash/context7`](https://github.com/upstash/context7)
+
+Public proof:
+
+- PR: [`upstash/context7#2800`](https://github.com/upstash/context7/pull/2800)
+
+What this represents:
+
+- documentation retrieval and search tools
+- untrusted or fast-changing text entering an agent context
+- a category where prompt-injection-aware review matters
+
+What Observatory checks:
+
+- tool inventory
+- schema quality
+- startup reliability
+- security findings around broad retrieval or response behavior
+- report artifacts that maintainers can review in pull requests
+
+Adoption command:
+
+```bash
+npx @kryptosai/mcp-observatory init-ci --all --command "npx -y @upstash/context7-mcp"
+```
+
+## How To Read These Evaluations
+
+Passing an Observatory check means the server passed the configured compatibility and security checks for that run. It does not mean the server is universally safe for every environment.
+
+Use the results as an engineering control:
+
+- add CI for repeatability
+- compare artifacts between releases
+- review security findings and suppressions
+- document accepted risk for broad tools
+- escalate production/private usage to hosted reporting, certification, or fleet visibility when the server becomes operationally important

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@kryptosai/mcp-observatory",
-  "version": "0.22.0",
-  "description": "Test, secure, and monitor MCP servers before agents depend on them.",
+  "version": "0.23.0",
+  "description": "The CI and security gate for MCP servers before agents depend on them.",
   "mcpName": "io.github.KryptosAI/mcp-observatory",
   "license": "MIT",
   "type": "module",
@@ -48,7 +48,7 @@
     "proof:refresh": "tsx scripts/refresh-proof-artifacts.ts",
     "release:prep": "node scripts/release.mjs",
     "certification:pr-body": "tsx scripts/print-certification-pr-body.ts",
-    "typecheck": "tsc --noEmit -p tsconfig.json",
+    "typecheck": "tsc --noEmit -p tsconfig.json && npm --prefix api install && npm --prefix api run typecheck",
     "test": "vitest run",
     "validate:artifacts": "tsx scripts/validate-artifacts.ts",
     "verify:packed-install": "node scripts/verify-packed-install.mjs",
@@ -62,12 +62,13 @@
     "mcp-server",
     "model-context-protocol",
     "ai-agent",
+    "agent-security",
+    "ai-supply-chain",
     "ai-tools",
     "developer-tools",
     "cli",
     "regression-testing",
     "interoperability",
-    "observability",
     "record",
     "replay",
     "cassette",
@@ -78,7 +79,7 @@
     "ci-cd",
     "mcp-ci",
     "github-action",
-    "production-monitoring",
+    "mcp-lockfile",
     "enterprise",
     "enterprise-report",
     "feishu",