@mcp-shark/mcp-shark 1.5.13 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (100) hide show
  1. package/README.md +396 -59
  2. package/bin/mcp-shark.js +146 -52
  3. package/core/cli/AutoFixEngine.js +93 -0
  4. package/core/cli/ConfigScanner.js +193 -0
  5. package/core/cli/DataLoader.js +200 -0
  6. package/core/cli/DeclarativeRuleEngine.js +363 -0
  7. package/core/cli/DoctorCommand.js +218 -0
  8. package/core/cli/FixHandlers.js +222 -0
  9. package/core/cli/HtmlReportGenerator.js +203 -0
  10. package/core/cli/IdeConfigPaths.js +175 -0
  11. package/core/cli/ListCommand.js +224 -0
  12. package/core/cli/LockCommand.js +164 -0
  13. package/core/cli/LockDiffEngine.js +152 -0
  14. package/core/cli/RuleRegistryConfig.js +131 -0
  15. package/core/cli/ScanCommand.js +244 -0
  16. package/core/cli/ScanService.js +200 -0
  17. package/core/cli/SecretDetector.js +92 -0
  18. package/core/cli/SharkScoreCalculator.js +109 -0
  19. package/core/cli/ToolClassifications.js +51 -0
  20. package/core/cli/ToxicFlowAnalyzer.js +212 -0
  21. package/core/cli/UpdateCommand.js +188 -0
  22. package/core/cli/WalkthroughGenerator.js +195 -0
  23. package/core/cli/WatchCommand.js +129 -0
  24. package/core/cli/YamlRuleEngine.js +197 -0
  25. package/core/cli/data/rule-packs/agentic-security-2026.json +180 -0
  26. package/core/cli/data/rule-packs/general-security.json +173 -0
  27. package/core/cli/data/rule-packs/owasp-mcp-2026.json +244 -0
  28. package/core/cli/data/rule-packs/toxic-flow-heuristics.json +21 -0
  29. package/core/cli/data/rule-sources.json +5 -0
  30. package/core/cli/data/secret-patterns.json +18 -0
  31. package/core/cli/data/tool-classifications.json +111 -0
  32. package/core/cli/data/toxic-flow-rules.json +47 -0
  33. package/core/cli/index.js +23 -0
  34. package/core/cli/output/Banner.js +52 -0
  35. package/core/cli/output/Formatter.js +183 -0
  36. package/core/cli/output/JsonFormatter.js +106 -0
  37. package/core/cli/output/index.js +16 -0
  38. package/core/cli/secureRegistryFetch.js +157 -0
  39. package/core/cli/symbols.js +16 -0
  40. package/core/container/DependencyContainer.js +4 -1
  41. package/core/repositories/PacketRepository.js +16 -0
  42. package/core/services/AuditService.js +2 -0
  43. package/core/services/security/StaticRulesService.js +69 -13
  44. package/core/services/security/TrafficAnalysisService.js +19 -1
  45. package/core/services/security/TrafficToxicFlowService.js +154 -0
  46. package/core/services/security/index.js +2 -1
  47. package/core/services/security/rules/index.js +25 -59
  48. package/core/services/security/rules/scans/configPermissions.js +91 -0
  49. package/core/services/security/rules/scans/duplicateToolNames.js +85 -0
  50. package/core/services/security/rules/scans/insecureTransport.js +148 -0
  51. package/core/services/security/rules/scans/missingContainment.js +123 -0
  52. package/core/services/security/rules/scans/shellEnvInjection.js +101 -0
  53. package/core/services/security/rules/scans/unsafeDefaults.js +99 -0
  54. package/core/services/security/toolsListFromTrafficParser.js +70 -0
  55. package/core/tui/App.js +144 -0
  56. package/core/tui/FindingsPanel.js +115 -0
  57. package/core/tui/FixPanel.js +132 -0
  58. package/core/tui/Header.js +51 -0
  59. package/core/tui/HelpBar.js +42 -0
  60. package/core/tui/ServersPanel.js +109 -0
  61. package/core/tui/ToxicFlowsPanel.js +100 -0
  62. package/core/tui/h.js +8 -0
  63. package/core/tui/index.js +11 -0
  64. package/core/tui/render.js +22 -0
  65. package/package.json +24 -16
  66. package/ui/dist/assets/{index-CiCSDYf-.js → index-Buah4fNS.js} +32 -32
  67. package/ui/dist/index.html +1 -1
  68. package/ui/server/controllers/RequestController.js +9 -1
  69. package/ui/server/controllers/SecurityFindingsController.js +46 -1
  70. package/ui/server/routes/requests.js +8 -1
  71. package/ui/server/routes/security.js +5 -1
  72. package/ui/server/setup.js +2 -0
  73. package/ui/server/swagger/paths/components.js +55 -0
  74. package/ui/server/swagger/paths/securityTrafficFlows.js +59 -0
  75. package/ui/server/swagger/paths.js +2 -0
  76. package/ui/server/swagger/swagger.js +5 -1
  77. package/ui/src/Security.jsx +10 -0
  78. package/ui/src/components/Security/ScannerContent.jsx +30 -1
  79. package/ui/src/components/Security/TrafficToxicFlowsPanel.jsx +253 -0
  80. package/ui/src/components/Security/securityApi.js +15 -0
  81. package/ui/src/components/Security/useSecurity.js +60 -3
  82. package/core/services/security/rules/scans/agentic01GoalHijack.js +0 -130
  83. package/core/services/security/rules/scans/agentic02ToolMisuse.js +0 -129
  84. package/core/services/security/rules/scans/agentic03IdentityAbuse.js +0 -130
  85. package/core/services/security/rules/scans/agentic04SupplyChain.js +0 -130
  86. package/core/services/security/rules/scans/agentic06MemoryPoisoning.js +0 -130
  87. package/core/services/security/rules/scans/agentic07InsecureCommunication.js +0 -135
  88. package/core/services/security/rules/scans/agentic08CascadingFailures.js +0 -135
  89. package/core/services/security/rules/scans/agentic09TrustExploitation.js +0 -135
  90. package/core/services/security/rules/scans/agentic10RogueAgent.js +0 -130
  91. package/core/services/security/rules/scans/hardcodedSecrets.js +0 -130
  92. package/core/services/security/rules/scans/mcp01TokenMismanagement.js +0 -127
  93. package/core/services/security/rules/scans/mcp02ScopeCreep.js +0 -130
  94. package/core/services/security/rules/scans/mcp03ToolPoisoning.js +0 -132
  95. package/core/services/security/rules/scans/mcp04SupplyChain.js +0 -131
  96. package/core/services/security/rules/scans/mcp06PromptInjection.js +0 -200
  97. package/core/services/security/rules/scans/mcp07InsufficientAuth.js +0 -130
  98. package/core/services/security/rules/scans/mcp08LackAudit.js +0 -129
  99. package/core/services/security/rules/scans/mcp09ShadowServers.js +0 -129
  100. package/core/services/security/rules/scans/mcp10ContextInjection.js +0 -130
@@ -0,0 +1,11 @@
1
+ /**
2
+ * TUI module barrel file
3
+ */
4
+ export { App } from './App.js';
5
+ export { Header } from './Header.js';
6
+ export { FindingsPanel } from './FindingsPanel.js';
7
+ export { ServersPanel } from './ServersPanel.js';
8
+ export { ToxicFlowsPanel } from './ToxicFlowsPanel.js';
9
+ export { FixPanel } from './FixPanel.js';
10
+ export { HelpBar } from './HelpBar.js';
11
+ export { launchTui } from './render.js';
@@ -0,0 +1,22 @@
1
+ import { render } from 'ink';
2
+ /**
3
+ * TUI Renderer — Entry point for the interactive terminal UI
4
+ * Called by `mcp-shark tui` command
5
+ */
6
+ import { createElement } from 'react';
7
+ import { bootstrapLogger as logger } from '#core/libraries/index.js';
8
+ import { App } from './App.js';
9
+
10
+ /**
11
+ * Launch the interactive TUI
12
+ * @returns {Promise<void>}
13
+ */
14
+ export async function launchTui() {
15
+ try {
16
+ const { waitUntilExit } = render(createElement(App));
17
+ await waitUntilExit();
18
+ } catch (err) {
19
+ logger.error({ err: err.message }, 'TUI failed to start');
20
+ throw err;
21
+ }
22
+ }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@mcp-shark/mcp-shark",
3
- "version": "1.5.13",
4
- "description": "Aggregate multiple Model Context Protocol (MCP) servers into a single unified interface with a powerful monitoring UI. Prov deep visibility into every request and response.",
3
+ "version": "1.6.0",
4
+ "description": "Security scanner for AI agent tools. Scans MCP IDE configs locally (35 rules, toxic flow heuristics, auto-fix, tool pinning). Rule registry fetch is opt-in.",
5
5
  "type": "module",
6
6
  "main": "./bin/mcp-shark.js",
7
7
  "exports": {
@@ -45,12 +45,13 @@
45
45
  "test": "c8 node --test --test-name-pattern='.*' --test-reporter spec $(find core ui/server -path '*/__tests__/*.test.js' -type f)",
46
46
  "test:ui": "vitest run --coverage",
47
47
  "test:all": "npm run test:coverage && npm run test:ui",
48
+ "generate:rules": "node scripts/generate-rule-index.js",
48
49
  "lint": "biome lint .",
49
50
  "lint:fix": "biome lint --write .",
50
51
  "format": "biome format --write .",
51
52
  "check": "biome check .",
52
53
  "check:fix": "biome check --write .",
53
- "prepare": "husky install || true",
54
+ "prepare": "husky || true",
54
55
  "prepublishOnly": "npm run check:fix && npm run build:ui",
55
56
  "pack:inspect": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz | head -50 && echo '...' && tar -tzf mcp-shark-mcp-shark-*.tgz | wc -l && echo 'files total'",
56
57
  "pack:list": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz",
@@ -64,20 +65,19 @@
64
65
  "keywords": [
65
66
  "mcp",
66
67
  "model-context-protocol",
67
- "aggregator",
68
- "server",
69
- "ui",
70
- "monitoring",
71
- "debugging",
72
- "wireshark",
73
- "traffic-capture",
74
- "mcp-server",
75
- "mcp-client",
76
68
  "security",
77
- "audit",
78
- "logging",
79
- "playground",
80
- "smart-scan"
69
+ "scanner",
70
+ "vulnerability",
71
+ "owasp",
72
+ "ai-agent",
73
+ "mcp-server",
74
+ "static-analysis",
75
+ "toxic-flow",
76
+ "auto-fix",
77
+ "lockfile",
78
+ "sarif",
79
+ "cli",
80
+ "devtools"
81
81
  ],
82
82
  "author": "",
83
83
  "license": "SEE LICENSE IN LICENSE",
@@ -85,18 +85,26 @@
85
85
  "node": ">=20.0.0"
86
86
  },
87
87
  "dependencies": {
88
+ "@clack/prompts": "^1.2.0",
88
89
  "@iarna/toml": "^2.2.5",
89
90
  "@modelcontextprotocol/sdk": "^1.20.2",
90
91
  "@tabler/icons-react": "^3.0.0",
91
92
  "animejs": "^3.2.2",
92
93
  "better-sqlite3": "^12.4.1",
94
+ "boxen": "^8.0.1",
95
+ "cli-table3": "^0.6.5",
93
96
  "commander": "^14.0.2",
94
97
  "consola": "^3.4.2",
95
98
  "cors": "^2.8.5",
96
99
  "echarts": "^6.0.0",
97
100
  "echarts-for-react": "^3.0.6",
98
101
  "express": "^4.18.2",
102
+ "ink": "^5.2.1",
103
+ "ink-select-input": "^6.2.0",
104
+ "ink-spinner": "^5.0.0",
105
+ "ink-text-input": "^6.0.0",
99
106
  "jsonrpc-lite": "^2.2.0",
107
+ "kleur": "^4.1.5",
100
108
  "open": "^11.0.0",
101
109
  "react": "^18.2.0",
102
110
  "react-dom": "^18.2.0",