@mcp-shark/mcp-shark 1.5.13 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +396 -59
- package/bin/mcp-shark.js +146 -52
- package/core/cli/AutoFixEngine.js +93 -0
- package/core/cli/ConfigScanner.js +193 -0
- package/core/cli/DataLoader.js +200 -0
- package/core/cli/DeclarativeRuleEngine.js +363 -0
- package/core/cli/DoctorCommand.js +218 -0
- package/core/cli/FixHandlers.js +222 -0
- package/core/cli/HtmlReportGenerator.js +203 -0
- package/core/cli/IdeConfigPaths.js +175 -0
- package/core/cli/ListCommand.js +224 -0
- package/core/cli/LockCommand.js +164 -0
- package/core/cli/LockDiffEngine.js +152 -0
- package/core/cli/RuleRegistryConfig.js +131 -0
- package/core/cli/ScanCommand.js +244 -0
- package/core/cli/ScanService.js +200 -0
- package/core/cli/SecretDetector.js +92 -0
- package/core/cli/SharkScoreCalculator.js +109 -0
- package/core/cli/ToolClassifications.js +51 -0
- package/core/cli/ToxicFlowAnalyzer.js +212 -0
- package/core/cli/UpdateCommand.js +188 -0
- package/core/cli/WalkthroughGenerator.js +195 -0
- package/core/cli/WatchCommand.js +129 -0
- package/core/cli/YamlRuleEngine.js +197 -0
- package/core/cli/data/rule-packs/agentic-security-2026.json +180 -0
- package/core/cli/data/rule-packs/general-security.json +173 -0
- package/core/cli/data/rule-packs/owasp-mcp-2026.json +244 -0
- package/core/cli/data/rule-packs/toxic-flow-heuristics.json +21 -0
- package/core/cli/data/rule-sources.json +5 -0
- package/core/cli/data/secret-patterns.json +18 -0
- package/core/cli/data/tool-classifications.json +111 -0
- package/core/cli/data/toxic-flow-rules.json +47 -0
- package/core/cli/index.js +23 -0
- package/core/cli/output/Banner.js +52 -0
- package/core/cli/output/Formatter.js +183 -0
- package/core/cli/output/JsonFormatter.js +106 -0
- package/core/cli/output/index.js +16 -0
- package/core/cli/secureRegistryFetch.js +157 -0
- package/core/cli/symbols.js +16 -0
- package/core/container/DependencyContainer.js +4 -1
- package/core/repositories/PacketRepository.js +16 -0
- package/core/services/AuditService.js +2 -0
- package/core/services/security/StaticRulesService.js +69 -13
- package/core/services/security/TrafficAnalysisService.js +19 -1
- package/core/services/security/TrafficToxicFlowService.js +154 -0
- package/core/services/security/index.js +2 -1
- package/core/services/security/rules/index.js +25 -59
- package/core/services/security/rules/scans/configPermissions.js +91 -0
- package/core/services/security/rules/scans/duplicateToolNames.js +85 -0
- package/core/services/security/rules/scans/insecureTransport.js +148 -0
- package/core/services/security/rules/scans/missingContainment.js +123 -0
- package/core/services/security/rules/scans/shellEnvInjection.js +101 -0
- package/core/services/security/rules/scans/unsafeDefaults.js +99 -0
- package/core/services/security/toolsListFromTrafficParser.js +70 -0
- package/core/tui/App.js +144 -0
- package/core/tui/FindingsPanel.js +115 -0
- package/core/tui/FixPanel.js +132 -0
- package/core/tui/Header.js +51 -0
- package/core/tui/HelpBar.js +42 -0
- package/core/tui/ServersPanel.js +109 -0
- package/core/tui/ToxicFlowsPanel.js +100 -0
- package/core/tui/h.js +8 -0
- package/core/tui/index.js +11 -0
- package/core/tui/render.js +22 -0
- package/package.json +24 -16
- package/ui/dist/assets/{index-CiCSDYf-.js → index-Buah4fNS.js} +32 -32
- package/ui/dist/index.html +1 -1
- package/ui/server/controllers/RequestController.js +9 -1
- package/ui/server/controllers/SecurityFindingsController.js +46 -1
- package/ui/server/routes/requests.js +8 -1
- package/ui/server/routes/security.js +5 -1
- package/ui/server/setup.js +2 -0
- package/ui/server/swagger/paths/components.js +55 -0
- package/ui/server/swagger/paths/securityTrafficFlows.js +59 -0
- package/ui/server/swagger/paths.js +2 -0
- package/ui/server/swagger/swagger.js +5 -1
- package/ui/src/Security.jsx +10 -0
- package/ui/src/components/Security/ScannerContent.jsx +30 -1
- package/ui/src/components/Security/TrafficToxicFlowsPanel.jsx +253 -0
- package/ui/src/components/Security/securityApi.js +15 -0
- package/ui/src/components/Security/useSecurity.js +60 -3
- package/core/services/security/rules/scans/agentic01GoalHijack.js +0 -130
- package/core/services/security/rules/scans/agentic02ToolMisuse.js +0 -129
- package/core/services/security/rules/scans/agentic03IdentityAbuse.js +0 -130
- package/core/services/security/rules/scans/agentic04SupplyChain.js +0 -130
- package/core/services/security/rules/scans/agentic06MemoryPoisoning.js +0 -130
- package/core/services/security/rules/scans/agentic07InsecureCommunication.js +0 -135
- package/core/services/security/rules/scans/agentic08CascadingFailures.js +0 -135
- package/core/services/security/rules/scans/agentic09TrustExploitation.js +0 -135
- package/core/services/security/rules/scans/agentic10RogueAgent.js +0 -130
- package/core/services/security/rules/scans/hardcodedSecrets.js +0 -130
- package/core/services/security/rules/scans/mcp01TokenMismanagement.js +0 -127
- package/core/services/security/rules/scans/mcp02ScopeCreep.js +0 -130
- package/core/services/security/rules/scans/mcp03ToolPoisoning.js +0 -132
- package/core/services/security/rules/scans/mcp04SupplyChain.js +0 -131
- package/core/services/security/rules/scans/mcp06PromptInjection.js +0 -200
- package/core/services/security/rules/scans/mcp07InsufficientAuth.js +0 -130
- package/core/services/security/rules/scans/mcp08LackAudit.js +0 -129
- package/core/services/security/rules/scans/mcp09ShadowServers.js +0 -129
- package/core/services/security/rules/scans/mcp10ContextInjection.js +0 -130
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* TUI module barrel file
|
|
3
|
+
*/
|
|
4
|
+
export { App } from './App.js';
|
|
5
|
+
export { Header } from './Header.js';
|
|
6
|
+
export { FindingsPanel } from './FindingsPanel.js';
|
|
7
|
+
export { ServersPanel } from './ServersPanel.js';
|
|
8
|
+
export { ToxicFlowsPanel } from './ToxicFlowsPanel.js';
|
|
9
|
+
export { FixPanel } from './FixPanel.js';
|
|
10
|
+
export { HelpBar } from './HelpBar.js';
|
|
11
|
+
export { launchTui } from './render.js';
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import { render } from 'ink';
|
|
2
|
+
/**
|
|
3
|
+
* TUI Renderer — Entry point for the interactive terminal UI
|
|
4
|
+
* Called by `mcp-shark tui` command
|
|
5
|
+
*/
|
|
6
|
+
import { createElement } from 'react';
|
|
7
|
+
import { bootstrapLogger as logger } from '#core/libraries/index.js';
|
|
8
|
+
import { App } from './App.js';
|
|
9
|
+
|
|
10
|
+
/**
|
|
11
|
+
* Launch the interactive TUI
|
|
12
|
+
* @returns {Promise<void>}
|
|
13
|
+
*/
|
|
14
|
+
export async function launchTui() {
|
|
15
|
+
try {
|
|
16
|
+
const { waitUntilExit } = render(createElement(App));
|
|
17
|
+
await waitUntilExit();
|
|
18
|
+
} catch (err) {
|
|
19
|
+
logger.error({ err: err.message }, 'TUI failed to start');
|
|
20
|
+
throw err;
|
|
21
|
+
}
|
|
22
|
+
}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@mcp-shark/mcp-shark",
|
|
3
|
-
"version": "1.
|
|
4
|
-
"description": "
|
|
3
|
+
"version": "1.6.0",
|
|
4
|
+
"description": "Security scanner for AI agent tools. Scans MCP IDE configs locally (35 rules, toxic flow heuristics, auto-fix, tool pinning). Rule registry fetch is opt-in.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./bin/mcp-shark.js",
|
|
7
7
|
"exports": {
|
|
@@ -45,12 +45,13 @@
|
|
|
45
45
|
"test": "c8 node --test --test-name-pattern='.*' --test-reporter spec $(find core ui/server -path '*/__tests__/*.test.js' -type f)",
|
|
46
46
|
"test:ui": "vitest run --coverage",
|
|
47
47
|
"test:all": "npm run test:coverage && npm run test:ui",
|
|
48
|
+
"generate:rules": "node scripts/generate-rule-index.js",
|
|
48
49
|
"lint": "biome lint .",
|
|
49
50
|
"lint:fix": "biome lint --write .",
|
|
50
51
|
"format": "biome format --write .",
|
|
51
52
|
"check": "biome check .",
|
|
52
53
|
"check:fix": "biome check --write .",
|
|
53
|
-
"prepare": "husky
|
|
54
|
+
"prepare": "husky || true",
|
|
54
55
|
"prepublishOnly": "npm run check:fix && npm run build:ui",
|
|
55
56
|
"pack:inspect": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz | head -50 && echo '...' && tar -tzf mcp-shark-mcp-shark-*.tgz | wc -l && echo 'files total'",
|
|
56
57
|
"pack:list": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz",
|
|
@@ -64,20 +65,19 @@
|
|
|
64
65
|
"keywords": [
|
|
65
66
|
"mcp",
|
|
66
67
|
"model-context-protocol",
|
|
67
|
-
"aggregator",
|
|
68
|
-
"server",
|
|
69
|
-
"ui",
|
|
70
|
-
"monitoring",
|
|
71
|
-
"debugging",
|
|
72
|
-
"wireshark",
|
|
73
|
-
"traffic-capture",
|
|
74
|
-
"mcp-server",
|
|
75
|
-
"mcp-client",
|
|
76
68
|
"security",
|
|
77
|
-
"
|
|
78
|
-
"
|
|
79
|
-
"
|
|
80
|
-
"
|
|
69
|
+
"scanner",
|
|
70
|
+
"vulnerability",
|
|
71
|
+
"owasp",
|
|
72
|
+
"ai-agent",
|
|
73
|
+
"mcp-server",
|
|
74
|
+
"static-analysis",
|
|
75
|
+
"toxic-flow",
|
|
76
|
+
"auto-fix",
|
|
77
|
+
"lockfile",
|
|
78
|
+
"sarif",
|
|
79
|
+
"cli",
|
|
80
|
+
"devtools"
|
|
81
81
|
],
|
|
82
82
|
"author": "",
|
|
83
83
|
"license": "SEE LICENSE IN LICENSE",
|
|
@@ -85,18 +85,26 @@
|
|
|
85
85
|
"node": ">=20.0.0"
|
|
86
86
|
},
|
|
87
87
|
"dependencies": {
|
|
88
|
+
"@clack/prompts": "^1.2.0",
|
|
88
89
|
"@iarna/toml": "^2.2.5",
|
|
89
90
|
"@modelcontextprotocol/sdk": "^1.20.2",
|
|
90
91
|
"@tabler/icons-react": "^3.0.0",
|
|
91
92
|
"animejs": "^3.2.2",
|
|
92
93
|
"better-sqlite3": "^12.4.1",
|
|
94
|
+
"boxen": "^8.0.1",
|
|
95
|
+
"cli-table3": "^0.6.5",
|
|
93
96
|
"commander": "^14.0.2",
|
|
94
97
|
"consola": "^3.4.2",
|
|
95
98
|
"cors": "^2.8.5",
|
|
96
99
|
"echarts": "^6.0.0",
|
|
97
100
|
"echarts-for-react": "^3.0.6",
|
|
98
101
|
"express": "^4.18.2",
|
|
102
|
+
"ink": "^5.2.1",
|
|
103
|
+
"ink-select-input": "^6.2.0",
|
|
104
|
+
"ink-spinner": "^5.0.0",
|
|
105
|
+
"ink-text-input": "^6.0.0",
|
|
99
106
|
"jsonrpc-lite": "^2.2.0",
|
|
107
|
+
"kleur": "^4.1.5",
|
|
100
108
|
"open": "^11.0.0",
|
|
101
109
|
"react": "^18.2.0",
|
|
102
110
|
"react-dom": "^18.2.0",
|