@mcp-guardian/server 0.3.0

package/dist/proxy/proxy-manager.d.ts

@@ -0,0 +1,12 @@
+import { HistoryDatabase } from '../database/history-db.js';
+import { McpProxyServer } from './proxy-server.js';
+import { McpServerConfig } from '../types.js';
+export declare class ProxyManager {
+    private db;
+    private proxies;
+    constructor(db: HistoryDatabase);
+    getProxies(): McpProxyServer[];
+    startAll(configs: McpServerConfig[]): Promise<void>;
+    stopAll(): void;
+}
+//# sourceMappingURL=proxy-manager.d.ts.map

package/dist/proxy/proxy-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-manager.d.ts","sourceRoot":"","sources":["../../src/proxy/proxy-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9C,qBAAa,YAAY;IAGX,OAAO,CAAC,EAAE;IAFtB,OAAO,CAAC,OAAO,CAAwB;gBAEnB,EAAE,EAAE,eAAe;IAEvC,UAAU,IAAI,cAAc,EAAE;IAIxB,QAAQ,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBzD,OAAO,IAAI,IAAI;CAOhB"}

package/dist/proxy/proxy-manager.js

@@ -0,0 +1,37 @@
+import { McpProxyServer } from './proxy-server.js';
+import { Logger } from '../utils/logger.js';
+export class ProxyManager {
+    db;
+    proxies = [];
+    constructor(db) {
+        this.db = db;
+    }
+    getProxies() {
+        return this.proxies;
+    }
+    async startAll(configs) {
+        for (const config of configs) {
+            if (config.transport === 'stdio' && config.command) {
+                try {
+                    const proxy = new McpProxyServer(config.command, config.args || [], config.env || {}, this.db, config.name);
+                    this.proxies.push(proxy);
+                    Logger.info(`Proxy started for ${config.name} (${config.command})`);
+                }
+                catch (err) {
+                    Logger.error(`Failed to start proxy for ${config.name}: ${err?.message}`);
+                }
+            }
+            else if (config.url) {
+                Logger.info(`SSE proxy for ${config.name} not yet supported — skipping`);
+            }
+        }
+    }
+    stopAll() {
+        for (const proxy of this.proxies) {
+            proxy.kill();
+        }
+        this.proxies = [];
+        Logger.info('All proxies stopped');
+    }
+}
+//# sourceMappingURL=proxy-manager.js.map

package/dist/proxy/proxy-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-manager.js","sourceRoot":"","sources":["../../src/proxy/proxy-manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,MAAM,OAAO,YAAY;IAGH;IAFZ,OAAO,GAAqB,EAAE,CAAC;IAEvC,YAAoB,EAAmB;QAAnB,OAAE,GAAF,EAAE,CAAiB;IAAG,CAAC;IAE3C,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAA0B;QACvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,MAAM,CAAC,SAAS,KAAK,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,cAAc,CAC9B,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,IAAI,IAAI,EAAE,EACjB,MAAM,CAAC,GAAG,IAAI,EAAE,EAChB,IAAI,CAAC,EAAE,EACP,MAAM,CAAC,IAAI,CACZ,CAAC;oBACF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACzB,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;gBACtE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,CAAC,KAAK,CAAC,6BAA6B,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;gBAC5E,CAAC;YACH,CAAC;iBAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,+BAA+B,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACrC,CAAC;CACF"}

package/dist/proxy/proxy-server.d.ts

@@ -0,0 +1,26 @@
+import { HistoryDatabase } from '../database/history-db.js';
+/**
+ * MCP Proxy Interceptor — sits between the AI client and an MCP server,
+ * capturing every JSON-RPC call's token usage for real cost auditing.
+ */
+export declare class McpProxyServer {
+    private child;
+    private tokenCounter;
+    private db;
+    private currentRequestId;
+    private requestStartTime;
+    private requestToolName;
+    private requestTokens;
+    private serverName;
+    constructor(command: string, args: string[], env: Record<string, string>, db: HistoryDatabase, serverName?: string);
+    get stdin(): NodeJS.WritableStream | null;
+    private setupStdout;
+    private setupStderr;
+    /**
+     * Called when the AI client writes a request to be proxied.
+     * Tracks tools/call requests for token counting.
+     */
+    handleClientInput(raw: string): void;
+    kill(): void;
+}
+//# sourceMappingURL=proxy-server.d.ts.map

package/dist/proxy/proxy-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-server.d.ts","sourceRoot":"","sources":["../../src/proxy/proxy-server.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG5D;;;GAGG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,EAAE,CAAkB;IAC5B,OAAO,CAAC,gBAAgB,CAAuB;IAC/C,OAAO,CAAC,gBAAgB,CAAa;IACrC,OAAO,CAAC,eAAe,CAAuB;IAC9C,OAAO,CAAC,aAAa,CAAa;IAClC,OAAO,CAAC,UAAU,CAAS;gBAGzB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EAAE,EACd,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,EAAE,EAAE,eAAe,EACnB,UAAU,CAAC,EAAE,MAAM;IAarB,IAAI,KAAK,IAAI,MAAM,CAAC,cAAc,GAAG,IAAI,CAExC;IAED,OAAO,CAAC,WAAW;IAqCnB,OAAO,CAAC,WAAW;IAMnB;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAepC,IAAI,IAAI,IAAI;CAOb"}

package/dist/proxy/proxy-server.js

@@ -0,0 +1,99 @@
+import { spawn } from 'child_process';
+import { createInterface } from 'readline';
+import { TokenCounter } from '../utils/token-counter.js';
+import { Logger } from '../utils/logger.js';
+/**
+ * MCP Proxy Interceptor — sits between the AI client and an MCP server,
+ * capturing every JSON-RPC call's token usage for real cost auditing.
+ */
+export class McpProxyServer {
+    child;
+    tokenCounter;
+    db;
+    currentRequestId = null;
+    requestStartTime = 0;
+    requestToolName = null;
+    requestTokens = 0;
+    serverName;
+    constructor(command, args, env, db, serverName) {
+        this.serverName = serverName || command.split('/').pop() || command;
+        this.child = spawn(command, args, {
+            env: { ...process.env, ...env },
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        this.tokenCounter = new TokenCounter();
+        this.db = db;
+        this.setupStdout();
+        this.setupStderr();
+    }
+    get stdin() {
+        return this.child.stdin;
+    }
+    setupStdout() {
+        const rl = createInterface({ input: this.child.stdout });
+        rl.on('line', (line) => {
+            try {
+                const msg = JSON.parse(line);
+                if (msg.id && msg.id === this.currentRequestId) {
+                    // Response to our tracked tools/call request
+                    const responseTokens = this.tokenCounter.count(line);
+                    const record = {
+                        serverName: this.serverName,
+                        toolName: this.requestToolName || 'unknown',
+                        requestTokens: this.requestTokens,
+                        responseTokens,
+                        totalTokens: this.requestTokens + responseTokens,
+                        durationMs: Date.now() - this.requestStartTime,
+                        timestamp: new Date().toISOString(),
+                    };
+                    // Await the DB write so tests can read immediately
+                    this.db.addCallRecord(record).then(() => this.db.flush()).catch((err) => Logger.debug(`Proxy: failed to store call record: ${err?.message}`));
+                    this.currentRequestId = null;
+                    this.requestToolName = null;
+                }
+                // Forward response to client
+                process.stdout.write(line + '\n');
+            }
+            catch {
+                // Non-JSON line — forward as-is
+                process.stdout.write(line + '\n');
+            }
+        });
+        rl.on('close', () => {
+            Logger.debug(`[proxy:${this.serverName}] stdout closed`);
+        });
+    }
+    setupStderr() {
+        this.child.stderr?.on('data', (data) => {
+            process.stderr.write(data);
+        });
+    }
+    /**
+     * Called when the AI client writes a request to be proxied.
+     * Tracks tools/call requests for token counting.
+     */
+    handleClientInput(raw) {
+        try {
+            const msg = JSON.parse(raw);
+            if (msg.method === 'tools/call' && msg.id) {
+                this.requestStartTime = Date.now();
+                this.currentRequestId = msg.id;
+                this.requestToolName = msg.params?.name || 'unknown';
+                this.requestTokens = this.tokenCounter.count(raw);
+            }
+        }
+        catch {
+            // Non-JSON input — forward as-is
+        }
+        this.child.stdin?.write(raw + '\n');
+    }
+    kill() {
+        try {
+            this.child.kill();
+        }
+        catch {
+            // Already dead
+        }
+    }
+}
+//# sourceMappingURL=proxy-server.js.map

package/dist/proxy/proxy-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-server.js","sourceRoot":"","sources":["../../src/proxy/proxy-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAgB,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGzD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,KAAK,CAAe;IACpB,YAAY,CAAe;IAC3B,EAAE,CAAkB;IACpB,gBAAgB,GAAkB,IAAI,CAAC;IACvC,gBAAgB,GAAW,CAAC,CAAC;IAC7B,eAAe,GAAkB,IAAI,CAAC;IACtC,aAAa,GAAW,CAAC,CAAC;IAC1B,UAAU,CAAS;IAE3B,YACE,OAAe,EACf,IAAc,EACd,GAA2B,EAC3B,EAAmB,EACnB,UAAmB;QAEnB,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;QACpE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YAChC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE;YAC/B,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;IAC1B,CAAC;IAEO,WAAW;QACjB,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAO,EAAE,CAAC,CAAC;QAC1D,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAC/C,6CAA6C;oBAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrD,MAAM,MAAM,GAAoB;wBAC9B,UAAU,EAAE,IAAI,CAAC,UAAU;wBAC3B,QAAQ,EAAE,IAAI,CAAC,eAAe,IAAI,SAAS;wBAC3C,aAAa,EAAE,IAAI,CAAC,aAAa;wBACjC,cAAc;wBACd,WAAW,EAAE,IAAI,CAAC,aAAa,GAAG,cAAc;wBAChD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB;wBAC9C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;qBACpC,CAAC;oBACF,mDAAmD;oBACnD,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CACtE,MAAM,CAAC,KAAK,CAAC,uCAAuC,GAAG,EAAE,OAAO,EAAE,CAAC,CACpE,CAAC;oBACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;oBAC7B,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;gBAC9B,CAAC;gBACD,6BAA6B;gBAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;gBAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;YACpC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,MAAM,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,UAAU,iBAAiB,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW;QACjB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,GAAW;QAC3B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBAC1C,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACnC,IAAI,CAAC,gBAAgB,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/B,IAAI,CAAC,eAAe,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;gBACrD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI;QACF,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;CACF"}

package/dist/reporter/report-generator.d.ts

@@ -0,0 +1,9 @@
+import { FullReport, SecurityReport, CostReport, HealthReport } from '../types.js';
+export declare class ReportGenerator {
+    formatSecurityReports(reports: SecurityReport[]): string;
+    formatCostReports(reports: CostReport[]): string;
+    formatHealthReports(reports: HealthReport[]): string;
+    formatFullReport(report: FullReport): string;
+    toMarkdown(report: FullReport): string;
+}
+//# sourceMappingURL=report-generator.d.ts.map

package/dist/reporter/report-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report-generator.d.ts","sourceRoot":"","sources":["../../src/reporter/report-generator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEnF,qBAAa,eAAe;IAC1B,qBAAqB,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,MAAM;IA0CxD,iBAAiB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM;IAehD,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,MAAM;IAepD,gBAAgB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM;IAc5C,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM;CA2DvC"}

package/dist/reporter/report-generator.js

@@ -0,0 +1,145 @@
+import chalk from 'chalk';
+export class ReportGenerator {
+    formatSecurityReports(reports) {
+        let out = chalk.bold.underline('\n🔒 Security Scan Results\n');
+        for (const r of reports) {
+            const grade = r.score >= 80 ? 'A' : r.score >= 60 ? 'B' : r.score >= 40 ? 'C' : 'D';
+            const gradeColor = r.score >= 80 ? chalk.green : r.score >= 60 ? chalk.yellow : chalk.red;
+            out += `\n${chalk.bold(r.serverName)} - Score: ${gradeColor(grade)} (${r.score})\n`;
+            if (r.cves.length > 0) {
+                out += `  CVEs: ${chalk.red(String(r.cves.length))} found\n`;
+                for (const c of r.cves) {
+                    const sevColor = c.severity === 'CRITICAL' ? chalk.red : c.severity === 'HIGH' ? chalk.yellow : chalk.gray;
+                    out += `    ${sevColor(`[${c.severity}]`)} ${c.id}: ${c.summary.substring(0, 80)}\n`;
+                }
+            }
+            else {
+                out += `  CVEs: ${chalk.green('None')}\n`;
+            }
+            if (!r.authStatus.hasAuthentication)
+                out += `  ${chalk.red('⚠ No authentication detected')}\n`;
+            if (!r.authStatus.isTransportEncrypted)
+                out += `  ${chalk.yellow('⚠ Transport not encrypted')}\n`;
+            if (r.typoSquatRisk.length > 0) {
+                out += `  ${chalk.red('⚠ Possible typo-squatting detected:')}\n`;
+                for (const t of r.typoSquatRisk) {
+                    out += `    "${t.suspiciousName}" → similar to "${t.similarityTo}" (distance: ${t.distance})\n`;
+                }
+            }
+            if (r.secretsFound.length > 0) {
+                out += `  ${chalk.red(`⚠ ${r.secretsFound.length} hardcoded secret(s) detected`)}\n`;
+                for (const s of r.secretsFound) {
+                    out += `    ${chalk.yellow(s.type)} in ${s.location}\n`;
+                }
+            }
+            if (r.recommendations.length > 0) {
+                out += `  ${chalk.cyan('Recommendations:')}\n`;
+                for (const rec of r.recommendations) {
+                    out += `    - ${rec}\n`;
+                }
+            }
+        }
+        return out;
+    }
+    formatCostReports(reports) {
+        let out = chalk.bold.underline('\n💰 Cost Audit\n');
+        for (const r of reports) {
+            out += `\n${chalk.bold(r.serverName)}: ${chalk.yellow(String(r.tokensUsed))} tokens, ${chalk.green(`$${r.estimatedCostUSD.toFixed(4)}`)} (${r.pricingModel})\n`;
+            out += `  Input: ${r.inputTokens} tokens, Output: ${r.outputTokens} tokens\n`;
+            for (const t of r.toolBreakdown) {
+                out += `  ${chalk.dim(t.toolName)}: ${t.tokens} tokens, ${t.calls} calls, $${t.cost.toFixed(4)}\n`;
+            }
+            if (r.note)
+                out += `  ${chalk.dim('ℹ️ ' + r.note)}\n`;
+        }
+        const grandTotal = reports.reduce((sum, r) => sum + r.estimatedCostUSD, 0);
+        out += `\n${chalk.bold(`Total estimated cost: $${grandTotal.toFixed(4)}`)}\n`;
+        return out;
+    }
+    formatHealthReports(reports) {
+        let out = chalk.bold.underline('\n❤️ Health Check\n');
+        for (const r of reports) {
+            const latencyColor = r.latencyMs > 2000 ? chalk.red : r.latencyMs > 500 ? chalk.yellow : chalk.green;
+            const successColor = r.successRate >= 0.9 ? chalk.green : r.successRate >= 0.7 ? chalk.yellow : chalk.red;
+            out += `\n${chalk.bold(r.serverName)}: ${latencyColor(`${r.latencyMs}ms`)} latency, ${successColor(`${(r.successRate * 100).toFixed(0)}%`)} success\n`;
+            out += `  Tools: ${r.toolCount}, Context Pressure: ${(r.contextPressure * 100).toFixed(0)}%\n`;
+            if (r.overloadWarning)
+                out += `  ${chalk.yellow(`⚠ Tool overload: ${r.toolCount} tools may confuse agents`)}\n`;
+            for (const rec of r.recommendations) {
+                out += `  - ${rec}\n`;
+            }
+        }
+        return out;
+    }
+    formatFullReport(report) {
+        return (chalk.bold.cyan(`\n═══════════════════════════════════════════\n`) +
+            chalk.bold.cyan(`  MCP Guardian Report\n`) +
+            chalk.bold.cyan(`  ${report.timestamp}\n`) +
+            chalk.bold.cyan(`  Config: ${report.configPath}\n`) +
+            chalk.bold.cyan(`═══════════════════════════════════════════\n`) +
+            this.formatSecurityReports(report.security) +
+            this.formatCostReports(report.costs) +
+            this.formatHealthReports(report.health) +
+            `\n${chalk.bold.cyan('Overall Score: ')}${chalk.bold.white(`${report.overallScore}/100`)}\n`);
+    }
+    toMarkdown(report) {
+        let md = `# MCP Guardian Report\n\n**Timestamp:** ${report.timestamp}  \n**Overall Score:** ${report.overallScore}/100\n\n`;
+        md += `## 🔒 Security\n\n`;
+        for (const s of report.security) {
+            md += `### ${s.serverName} — Score: ${s.score}\n\n`;
+            if (s.cves.length > 0) {
+                md += `| CVE | Severity | Summary |\n|-----|----------|--------|\n`;
+                for (const cve of s.cves) {
+                    md += `| ${cve.id} | ${cve.severity} | ${cve.summary.substring(0, 100)} |\n`;
+                }
+                md += '\n';
+            }
+            if (!s.authStatus.hasAuthentication)
+                md += `⚠️ No authentication detected\n\n`;
+            if (!s.authStatus.isTransportEncrypted)
+                md += `⚠️ Transport not encrypted\n\n`;
+            if (s.typoSquatRisk.length > 0) {
+                md += `⚠️ **Typo-squat risks:**\n`;
+                for (const t of s.typoSquatRisk) {
+                    md += `- \`${t.suspiciousName}\` similar to \`${t.similarityTo}\` (distance ${t.distance})\n`;
+                }
+                md += '\n';
+            }
+            if (s.secretsFound.length > 0) {
+                md += `⚠️ **Secrets found:**\n`;
+                for (const sec of s.secretsFound) {
+                    md += `- \`${sec.type}\` in \`${sec.location}\`\n`;
+                }
+                md += '\n';
+            }
+            if (s.recommendations.length > 0) {
+                md += `**Recommendations:**\n`;
+                for (const rec of s.recommendations)
+                    md += `- ${rec}\n`;
+                md += '\n';
+            }
+        }
+        md += `## 💰 Costs\n\n`;
+        for (const c of report.costs) {
+            md += `### ${c.serverName} — ${c.tokensUsed} tokens → $${c.estimatedCostUSD.toFixed(4)}\n\n`;
+            md += `| Tool | Calls | Tokens | Cost |\n|------|-------|--------|------|\n`;
+            for (const t of c.toolBreakdown) {
+                md += `| ${t.toolName} | ${t.calls} | ${t.tokens} | $${t.cost.toFixed(4)} |\n`;
+            }
+            md += '\n';
+        }
+        md += `## ❤️ Health\n\n`;
+        for (const h of report.health) {
+            md += `### ${h.serverName}\n\n`;
+            md += `- Latency: ${h.latencyMs}ms\n`;
+            md += `- Success rate: ${(h.successRate * 100).toFixed(0)}%\n`;
+            md += `- Tools: ${h.toolCount}\n`;
+            md += `- Context pressure: ${(h.contextPressure * 100).toFixed(0)}%\n`;
+            if (h.overloadWarning)
+                md += `⚠️ Tool overload warning (>15 tools)\n`;
+            md += '\n';
+        }
+        return md;
+    }
+}
+//# sourceMappingURL=report-generator.js.map

package/dist/reporter/report-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report-generator.js","sourceRoot":"","sources":["../../src/reporter/report-generator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,MAAM,OAAO,eAAe;IAC1B,qBAAqB,CAAC,OAAyB;QAC7C,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACpF,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;YAC1F,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,KAAK,CAAC;YAEpF,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,GAAG,IAAI,WAAW,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC;gBAC7D,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;oBACvB,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;oBAC3G,GAAG,IAAI,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;gBACvF,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,GAAG,IAAI,WAAW,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC;YAC5C,CAAC;YAED,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB;gBAAE,GAAG,IAAI,KAAK,KAAK,CAAC,GAAG,CAAC,8BAA8B,CAAC,IAAI,CAAC;YAC/F,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,oBAAoB;gBAAE,GAAG,IAAI,KAAK,KAAK,CAAC,MAAM,CAAC,2BAA2B,CAAC,IAAI,CAAC;YAClG,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,GAAG,IAAI,KAAK,KAAK,CAAC,GAAG,CAAC,qCAAqC,CAAC,IAAI,CAAC;gBACjE,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;oBAChC,GAAG,IAAI,QAAQ,CAAC,CAAC,cAAc,mBAAmB,CAAC,CAAC,YAAY,gBAAgB,CAAC,CAAC,QAAQ,KAAK,CAAC;gBAClG,CAAC;YACH,CAAC;YACD,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,GAAG,IAAI,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,MAAM,+BAA+B,CAAC,IAAI,CAAC;gBACrF,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;oBAC/B,GAAG,IAAI,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,IAAI,CAAC;gBAC1D,CAAC;YACH,CAAC;YAED,IAAI,CAAC,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC;gBAC/C,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,eAAe,EAAE,CAAC;oBACpC,GAAG,IAAI,SAAS,GAAG,IAAI,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,iBAAiB,CAAC,OAAqB;QACrC,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACpD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,YAAY,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,YAAY,KAAK,CAAC;YAChK,GAAG,IAAI,YAAY,CAAC,CAAC,WAAW,oBAAoB,CAAC,CAAC,YAAY,WAAW,CAAC;YAC9E,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;gBAChC,GAAG,IAAI,KAAK,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,MAAM,YAAY,CAAC,CAAC,KAAK,YAAY,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;YACrG,CAAC;YACD,IAAI,CAAC,CAAC,IAAI;gBAAE,GAAG,IAAI,KAAK,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QACxD,CAAC;QACD,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC;QAC3E,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,0BAA0B,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC;QAC9E,OAAO,GAAG,CAAC;IACb,CAAC;IAED,mBAAmB,CAAC,OAAuB;QACzC,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QACtD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,YAAY,GAAG,CAAC,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC;YACrG,MAAM,YAAY,GAAG,CAAC,CAAC,WAAW,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;YAC1G,GAAG,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,YAAY,CAAC,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,aAAa,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;YACvJ,GAAG,IAAI,YAAY,CAAC,CAAC,SAAS,uBAAuB,CAAC,CAAC,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;YAC/F,IAAI,CAAC,CAAC,eAAe;gBAAE,GAAG,IAAI,KAAK,KAAK,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,SAAS,2BAA2B,CAAC,IAAI,CAAC;YAChH,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,eAAe,EAAE,CAAC;gBACpC,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC;YACxB,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,gBAAgB,CAAC,MAAkB;QACjC,OAAO,CACL,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,iDAAiD,CAAC;YAClE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,SAAS,IAAI,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,IAAI,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,+CAA+C,CAAC;YAChE,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,QAAQ,CAAC;YAC3C,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC;YACvC,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,YAAY,MAAM,CAAC,IAAI,CAC7F,CAAC;IACJ,CAAC;IAED,UAAU,CAAC,MAAkB;QAC3B,IAAI,EAAE,GAAG,2CAA2C,MAAM,CAAC,SAAS,0BAA0B,MAAM,CAAC,YAAY,UAAU,CAAC;QAE5H,EAAE,IAAI,oBAAoB,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChC,EAAE,IAAI,OAAO,CAAC,CAAC,UAAU,aAAa,CAAC,CAAC,KAAK,MAAM,CAAC;YACpD,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,EAAE,IAAI,6DAA6D,CAAC;gBACpE,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;oBACzB,EAAE,IAAI,KAAK,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;gBAC/E,CAAC;gBACD,EAAE,IAAI,IAAI,CAAC;YACb,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB;gBAAE,EAAE,IAAI,mCAAmC,CAAC;YAC/E,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,oBAAoB;gBAAE,EAAE,IAAI,gCAAgC,CAAC;YAC/E,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,EAAE,IAAI,4BAA4B,CAAC;gBACnC,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;oBAChC,EAAE,IAAI,OAAO,CAAC,CAAC,cAAc,mBAAmB,CAAC,CAAC,YAAY,gBAAgB,CAAC,CAAC,QAAQ,KAAK,CAAC;gBAChG,CAAC;gBACD,EAAE,IAAI,IAAI,CAAC;YACb,CAAC;YACD,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,EAAE,IAAI,yBAAyB,CAAC;gBAChC,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;oBACjC,EAAE,IAAI,OAAO,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,QAAQ,MAAM,CAAC;gBACrD,CAAC;gBACD,EAAE,IAAI,IAAI,CAAC;YACb,CAAC;YACD,IAAI,CAAC,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,EAAE,IAAI,wBAAwB,CAAC;gBAC/B,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC,eAAe;oBAAE,EAAE,IAAI,KAAK,GAAG,IAAI,CAAC;gBACxD,EAAE,IAAI,IAAI,CAAC;YACb,CAAC;QACH,CAAC;QAED,EAAE,IAAI,iBAAiB,CAAC;QACxB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAC7B,EAAE,IAAI,OAAO,CAAC,CAAC,UAAU,MAAM,CAAC,CAAC,UAAU,cAAc,CAAC,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;YAC7F,EAAE,IAAI,sEAAsE,CAAC;YAC7E,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;gBAChC,EAAE,IAAI,KAAK,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;YACjF,CAAC;YACD,EAAE,IAAI,IAAI,CAAC;QACb,CAAC;QAED,EAAE,IAAI,kBAAkB,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC9B,EAAE,IAAI,OAAO,CAAC,CAAC,UAAU,MAAM,CAAC;YAChC,EAAE,IAAI,cAAc,CAAC,CAAC,SAAS,MAAM,CAAC;YACtC,EAAE,IAAI,mBAAmB,CAAC,CAAC,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;YAC/D,EAAE,IAAI,YAAY,CAAC,CAAC,SAAS,IAAI,CAAC;YAClC,EAAE,IAAI,uBAAuB,CAAC,CAAC,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;YACvE,IAAI,CAAC,CAAC,eAAe;gBAAE,EAAE,IAAI,wCAAwC,CAAC;YACtE,EAAE,IAAI,IAAI,CAAC;QACb,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/scanners/auth-prober.d.ts

@@ -0,0 +1,13 @@
+import { McpServerConfig, AuthStatus } from '../types.js';
+/**
+ * Probes MCP server configurations for authentication and transport security.
+ * Checks for API keys in environment variables, auth tokens in URLs, and
+ * whether the transport is encrypted (HTTPS/WSS vs plain HTTP/WS).
+ */
+export declare class AuthProber {
+    /**
+     * Probe a server config for authentication and transport security status.
+     */
+    probe(server: McpServerConfig): AuthStatus;
+}
+//# sourceMappingURL=auth-prober.d.ts.map

package/dist/scanners/auth-prober.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-prober.d.ts","sourceRoot":"","sources":["../../src/scanners/auth-prober.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE1D;;;;GAIG;AACH,qBAAa,UAAU;IACrB;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,eAAe,GAAG,UAAU;CAmD3C"}

package/dist/scanners/auth-prober.js

@@ -0,0 +1,59 @@
+/**
+ * Probes MCP server configurations for authentication and transport security.
+ * Checks for API keys in environment variables, auth tokens in URLs, and
+ * whether the transport is encrypted (HTTPS/WSS vs plain HTTP/WS).
+ */
+export class AuthProber {
+    /**
+     * Probe a server config for authentication and transport security status.
+     */
+    probe(server) {
+        // Check for auth tokens in environment variables
+        const authKeys = ['API_KEY', 'AUTH_TOKEN', 'MCP_API_KEY', 'SECRET', 'ACCESS_TOKEN', 'BEARER_TOKEN'];
+        let hasAuth = false;
+        let method;
+        if (server.env) {
+            for (const key of authKeys) {
+                const value = server.env[key] ?? server.env[key.toLowerCase()] ?? server.env[key.toUpperCase()];
+                if (typeof value === 'string' && value.trim().length > 0) {
+                    hasAuth = true;
+                    method = 'environment_variable';
+                    break;
+                }
+            }
+        }
+        // Check for credentials in URL
+        if (!hasAuth && server.url) {
+            try {
+                const parsed = new URL(server.url);
+                if (parsed.username || parsed.password) {
+                    hasAuth = true;
+                    method = 'url_credentials';
+                }
+                // Check for auth query params
+                const authParams = ['api_key', 'apikey', 'token', 'auth', 'key'];
+                for (const param of authParams) {
+                    if (parsed.searchParams.has(param)) {
+                        hasAuth = true;
+                        method = 'query_parameter';
+                        break;
+                    }
+                }
+            }
+            catch {
+                // Invalid URL — skip
+            }
+        }
+        // Check transport encryption
+        const isEncrypted = server.transport === 'stdio' // local pipe is fine
+            || server.url?.startsWith('https://')
+            || server.url?.startsWith('wss://')
+            || false;
+        return {
+            hasAuthentication: hasAuth,
+            method,
+            isTransportEncrypted: isEncrypted,
+        };
+    }
+}
+//# sourceMappingURL=auth-prober.js.map

package/dist/scanners/auth-prober.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-prober.js","sourceRoot":"","sources":["../../src/scanners/auth-prober.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,UAAU;IACrB;;OAEG;IACH,KAAK,CAAC,MAAuB;QAC3B,iDAAiD;QACjD,MAAM,QAAQ,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;QACpG,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,MAA0B,CAAC;QAE/B,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YACf,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;gBAChG,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACzD,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,GAAG,sBAAsB,CAAC;oBAChC,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACnC,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBACvC,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM,GAAG,iBAAiB,CAAC;gBAC7B,CAAC;gBACD,8BAA8B;gBAC9B,MAAM,UAAU,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;gBACjE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;oBAC/B,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;wBACnC,OAAO,GAAG,IAAI,CAAC;wBACf,MAAM,GAAG,iBAAiB,CAAC;wBAC3B,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,KAAK,OAAO,CAAC,qBAAqB;eACjE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,UAAU,CAAC;eAClC,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC;eAChC,KAAK,CAAC;QAEX,OAAO;YACL,iBAAiB,EAAE,OAAO;YAC1B,MAAM;YACN,oBAAoB,EAAE,WAAW;SAClC,CAAC;IACJ,CAAC;CACF"}

package/dist/scanners/command-validator.d.ts

@@ -0,0 +1,15 @@
+import { McpServerConfig } from '../types.js';
+/**
+ * Detects potentially dangerous commands in MCP server configs.
+ * Flags: path traversal, shell metacharacters, non-standard executables.
+ */
+export interface CommandWarning {
+    serverName: string;
+    field: 'command' | 'args';
+    issue: string;
+    severity: 'HIGH' | 'MEDIUM' | 'LOW';
+}
+export declare class CommandValidator {
+    validate(server: McpServerConfig): CommandWarning[];
+}
+//# sourceMappingURL=command-validator.d.ts.map

package/dist/scanners/command-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-validator.d.ts","sourceRoot":"","sources":["../../src/scanners/command-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,SAAS,GAAG,MAAM,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACrC;AAoBD,qBAAa,gBAAgB;IAC3B,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,EAAE;CAmCpD"}

package/dist/scanners/command-validator.js

@@ -0,0 +1,50 @@
+const ALLOWED_EXECUTABLES = [
+    'npx', 'node', 'python', 'python3', 'uvx', 'deno', 'bun',
+    'docker', 'kubectl', 'aws', 'gcloud',
+];
+const SUSPICIOUS_PATTERNS = [
+    { pattern: /\.\.\//, issue: 'Path traversal (../) detected', severity: 'HIGH' },
+    { pattern: /;\s*\w/, issue: 'Shell command chaining (;) detected', severity: 'HIGH' },
+    { pattern: /\|\s*\w/, issue: 'Pipe character (|) detected — possible command chaining', severity: 'HIGH' },
+    { pattern: /\$\{/, issue: 'Shell variable expansion (${}) detected', severity: 'MEDIUM' },
+    { pattern: /`[^`]+`/, issue: 'Backtick command substitution detected', severity: 'HIGH' },
+    { pattern: /&&|\|\|/, issue: 'Shell logical operators (&&/||) detected', severity: 'HIGH' },
+    { pattern: />\s*\//, issue: 'Output redirection (>) to absolute path detected', severity: 'MEDIUM' },
+    { pattern: /\/etc\/passwd|\/etc\/shadow/, issue: 'Reference to sensitive system file detected', severity: 'HIGH' },
+    { pattern: /rm\s+-rf/, issue: 'Destructive command (rm -rf) detected', severity: 'HIGH' },
+    { pattern: /curl\s|wget\s/, issue: 'Network download tool detected in command', severity: 'MEDIUM' },
+];
+export class CommandValidator {
+    validate(server) {
+        const warnings = [];
+        // Check the command field
+        if (server.command) {
+            const cmdName = server.command.split('/').pop()?.split(' ')[0] || server.command;
+            if (!ALLOWED_EXECUTABLES.includes(cmdName) && !cmdName.startsWith('.')) {
+                warnings.push({
+                    serverName: server.name,
+                    field: 'command',
+                    issue: `Unrecognized executable: ${cmdName}. Consider using npx or node.`,
+                    severity: 'MEDIUM',
+                });
+            }
+            // Check for suspicious patterns
+            for (const { pattern, issue, severity } of SUSPICIOUS_PATTERNS) {
+                if (pattern.test(server.command)) {
+                    warnings.push({ serverName: server.name, field: 'command', issue, severity });
+                }
+            }
+        }
+        // Check args
+        if (server.args) {
+            const argsStr = server.args.join(' ');
+            for (const { pattern, issue, severity } of SUSPICIOUS_PATTERNS) {
+                if (pattern.test(argsStr)) {
+                    warnings.push({ serverName: server.name, field: 'args', issue, severity });
+                }
+            }
+        }
+        return warnings;
+    }
+}
+//# sourceMappingURL=command-validator.js.map

package/dist/scanners/command-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-validator.js","sourceRoot":"","sources":["../../src/scanners/command-validator.ts"],"names":[],"mappings":"AAaA,MAAM,mBAAmB,GAAG;IAC1B,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK;IACxD,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ;CACrC,CAAC;AAEF,MAAM,mBAAmB,GAAG;IAC1B,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,+BAA+B,EAAE,QAAQ,EAAE,MAAe,EAAE;IACxF,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,qCAAqC,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC9F,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,yDAAyD,EAAE,QAAQ,EAAE,MAAe,EAAE;IACnH,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,yCAAyC,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAClG,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,wCAAwC,EAAE,QAAQ,EAAE,MAAe,EAAE;IAClG,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,0CAA0C,EAAE,QAAQ,EAAE,MAAe,EAAE;IACpG,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,kDAAkD,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC7G,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,6CAA6C,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC3H,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,uCAAuC,EAAE,QAAQ,EAAE,MAAe,EAAE;IAClG,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,2CAA2C,EAAE,QAAQ,EAAE,QAAiB,EAAE;CAC9G,CAAC;AAEF,MAAM,OAAO,gBAAgB;IAC3B,QAAQ,CAAC,MAAuB;QAC9B,MAAM,QAAQ,GAAqB,EAAE,CAAC;QAEtC,0BAA0B;QAC1B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC;YACjF,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC;oBACZ,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,KAAK,EAAE,SAAS;oBAChB,KAAK,EAAE,4BAA4B,OAAO,+BAA+B;oBACzE,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;gBAC/D,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;oBACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAChF,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa;QACb,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,mBAAmB,EAAE,CAAC;gBAC/D,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,QAAQ,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/scanners/cve-checker.d.ts

@@ -0,0 +1,15 @@
+import { CveFinding } from '../types.js';
+/**
+ * Checks packages for known CVEs using OSV.dev and (optionally) NVD.
+ */
+export declare class CveChecker {
+    private osv;
+    private nvd;
+    constructor();
+    /**
+     * Check a package for known vulnerabilities.
+     * Tries OSV.dev first (purl-based), falls back to NVD keyword search.
+     */
+    check(packageName: string, version?: string): Promise<CveFinding[]>;
+}
+//# sourceMappingURL=cve-checker.d.ts.map

package/dist/scanners/cve-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cve-checker.d.ts","sourceRoot":"","sources":["../../src/scanners/cve-checker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAIzC;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,GAAG,CAAY;IACvB,OAAO,CAAC,GAAG,CAAY;;IAOvB;;;OAGG;IACG,KAAK,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;CAW1E"}

package/dist/scanners/cve-checker.js

@@ -0,0 +1,28 @@
+import { OsvClient } from '../clients/osv-client.js';
+import { NvdClient } from '../clients/nvd-client.js';
+/**
+ * Checks packages for known CVEs using OSV.dev and (optionally) NVD.
+ */
+export class CveChecker {
+    osv;
+    nvd;
+    constructor() {
+        this.osv = new OsvClient();
+        this.nvd = new NvdClient();
+    }
+    /**
+     * Check a package for known vulnerabilities.
+     * Tries OSV.dev first (purl-based), falls back to NVD keyword search.
+     */
+    async check(packageName, version) {
+        // Try OSV first — it's faster and more accurate for npm packages
+        const osvResults = await this.osv.check(packageName, version);
+        if (osvResults.length > 0) {
+            return osvResults;
+        }
+        // Fall back to NVD keyword search
+        const nvdResults = await this.nvd.search(packageName);
+        return nvdResults;
+    }
+}
+//# sourceMappingURL=cve-checker.js.map

package/dist/scanners/cve-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cve-checker.js","sourceRoot":"","sources":["../../src/scanners/cve-checker.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAErD;;GAEG;AACH,MAAM,OAAO,UAAU;IACb,GAAG,CAAY;IACf,GAAG,CAAY;IAEvB;QACE,IAAI,CAAC,GAAG,GAAG,IAAI,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,GAAG,IAAI,SAAS,EAAE,CAAC;IAC7B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK,CAAC,WAAmB,EAAE,OAAgB;QAC/C,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAC9D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,kCAAkC;QAClC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACtD,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}

package/dist/scanners/secret-scanner.d.ts

@@ -0,0 +1,12 @@
+import { McpServerConfig, SecretFinding } from '../types.js';
+/**
+ * Scans MCP server configs for hardcoded secrets in environment variables
+ * and command-line arguments.
+ */
+export declare class SecretScanner {
+    /**
+     * Scan a server config for hardcoded secrets.
+     */
+    scan(server: McpServerConfig): SecretFinding[];
+}
+//# sourceMappingURL=secret-scanner.d.ts.map

package/dist/scanners/secret-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanner.d.ts","sourceRoot":"","sources":["../../src/scanners/secret-scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAgC7D;;;GAGG;AACH,qBAAa,aAAa;IACxB;;OAEG;IACH,IAAI,CAAC,MAAM,EAAE,eAAe,GAAG,aAAa,EAAE;CAmC/C"}