@mcp-shark/mcp-shark 1.5.13 → 1.7.2

package/core/tui/FindingsPanel.js

@@ -0,0 +1,115 @@
+/**
+ * TUI Findings Panel — Scrollable list of security findings with detail view
+ */
+import { Box, Text } from 'ink';
+import { h } from './h.js';
+
+const SEVERITY_COLORS = { critical: 'red', high: 'yellow', medium: 'blue', low: 'gray' };
+const SEVERITY_ICONS = { critical: '✖', high: '▲', medium: '●', low: '○' };
+const VISIBLE_ROWS = 15;
+
+export function FindingsPanel({ findings, selectedIndex }) {
+  if (findings.length === 0) {
+    return h(
+      Box,
+      { padding: 1 },
+      h(Text, { color: 'green' }, '✔ No security issues found. Your MCP setup looks clean.')
+    );
+  }
+
+  const clamped = Math.min(selectedIndex, findings.length - 1);
+  const scrollOffset = Math.max(0, clamped - VISIBLE_ROWS + 3);
+  const visible = findings.slice(scrollOffset, scrollOffset + VISIBLE_ROWS);
+  const selected = findings[clamped];
+
+  const rows = visible.map((finding, idx) => {
+    const actualIdx = scrollOffset + idx;
+    const isSelected = actualIdx === clamped;
+    const sev = (finding.severity || 'medium').toLowerCase();
+    const color = SEVERITY_COLORS[sev] || 'white';
+    const icon = SEVERITY_ICONS[sev] || '●';
+
+    return h(
+      Box,
+      { key: finding.rule_id + finding.title + actualIdx },
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'cyan' : color },
+        `${isSelected ? '▸' : ' '} ${icon} ${sev.toUpperCase().padEnd(8)}`
+      ),
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'white' : 'gray' },
+        ` ${truncate(finding.title, 70)}`
+      )
+    );
+  });
+
+  const scrollInfo =
+    findings.length > VISIBLE_ROWS
+      ? h(
+          Text,
+          { color: 'gray', dimColor: true },
+          `${scrollOffset > 0 ? '↑ ' : '  '}${scrollOffset + VISIBLE_ROWS < findings.length ? '↓ scroll' : '  end'} (${clamped + 1}/${findings.length})`
+        )
+      : null;
+
+  const detail = selected
+    ? h(
+        Box,
+        { flexDirection: 'column', borderStyle: 'single', borderColor: 'cyan', paddingX: 1 },
+        h(Text, { bold: true, color: 'white' }, ' Detail '),
+        h(Text, null, h(Text, { bold: true }, 'Rule:'), ` ${selected.rule_id || '—'}`),
+        h(
+          Text,
+          null,
+          h(Text, { bold: true }, 'Severity:'),
+          ' ',
+          h(
+            Text,
+            { color: SEVERITY_COLORS[(selected.severity || '').toLowerCase()] },
+            selected.severity
+          )
+        ),
+        h(Text, null, h(Text, { bold: true }, 'Server:'), ` ${selected.server_name || '—'}`),
+        h(Text, null, h(Text, { bold: true }, 'IDE:'), ` ${selected.ide || '—'}`),
+        h(
+          Text,
+          { wrap: 'wrap' },
+          h(Text, { bold: true }, 'Description:'),
+          ` ${selected.description || '—'}`
+        ),
+        selected.recommendation
+          ? h(
+              Text,
+              { wrap: 'wrap' },
+              h(Text, { bold: true }, 'Fix:'),
+              ` ${selected.recommendation}`
+            )
+          : null,
+        selected.fixable
+          ? h(Text, { color: 'green' }, '✔ Auto-fixable — press 4 to go to Fix panel')
+          : null
+      )
+    : null;
+
+  return h(
+    Box,
+    { flexDirection: 'column' },
+    h(
+      Box,
+      { flexDirection: 'column', borderStyle: 'single', borderColor: 'gray', paddingX: 1 },
+      h(Text, { bold: true, color: 'white' }, ` Findings (${findings.length}) `),
+      ...rows,
+      scrollInfo
+    ),
+    detail
+  );
+}
+
+function truncate(str, maxLen) {
+  if (!str) {
+    return '';
+  }
+  return str.length > maxLen ? `${str.slice(0, maxLen - 1)}…` : str;
+}

package/core/tui/FixPanel.js

@@ -0,0 +1,132 @@
+import { Box, Text, useInput } from 'ink';
+/**
+ * TUI Fix Panel — Auto-fix interface with interactive selection
+ */
+import { useState } from 'react';
+import { applyFixes } from '#core/cli/AutoFixEngine.js';
+import { h } from './h.js';
+
+export function FixPanel({ findings, onRescan }) {
+  const fixable = findings.filter((f) => f.fixable);
+  const [fixResult, setFixResult] = useState(null);
+  const [confirming, setConfirming] = useState(false);
+
+  useInput((input) => {
+    if (confirming) {
+      if (input === 'y') {
+        try {
+          setFixResult(applyFixes(findings));
+        } catch (err) {
+          setFixResult({
+            fixed: [],
+            skipped: [],
+            errors: [{ success: false, error: err.message, finding: { title: 'Apply fixes' } }],
+          });
+        }
+        setConfirming(false);
+      }
+      if (input === 'n') {
+        setConfirming(false);
+      }
+      return;
+    }
+
+    if (input === 'f' && fixable.length > 0) {
+      setConfirming(true);
+    }
+    if (input === 'u') {
+      try {
+        setFixResult(applyFixes(findings, { undo: true }));
+      } catch (err) {
+        setFixResult({
+          fixed: [],
+          skipped: [],
+          errors: [{ success: false, error: err.message, finding: { title: 'Undo fixes' } }],
+        });
+      }
+    }
+    if (input === 'r') {
+      setFixResult(null);
+      onRescan();
+    }
+  });
+
+  if (fixable.length === 0 && !fixResult) {
+    return h(
+      Box,
+      { padding: 1, flexDirection: 'column' },
+      h(Text, { color: 'green' }, '✔ No auto-fixable issues found.'),
+      h(Text, { color: 'gray' }, 'All findings require manual remediation.')
+    );
+  }
+
+  const fixRows = fixable.map((finding) =>
+    h(
+      Box,
+      { key: `${finding.rule_id}-${finding.title}` },
+      h(Text, { color: 'green' }, '  ● '),
+      h(Text, { color: 'white' }, `${finding.fix_type} — `),
+      h(Text, { color: 'gray' }, truncate(finding.title, 60))
+    )
+  );
+
+  const prompt = confirming
+    ? h(
+        Text,
+        { bold: true, color: 'yellow' },
+        `Apply ${fixable.length} fixes? Backups will be created. (y/n)`
+      )
+    : h(
+        Text,
+        { color: 'gray' },
+        'Press ',
+        h(Text, { bold: true, color: 'cyan' }, 'f'),
+        ' to fix all · ',
+        h(Text, { bold: true, color: 'cyan' }, 'u'),
+        ' to undo · ',
+        h(Text, { bold: true, color: 'cyan' }, 'r'),
+        ' to rescan'
+      );
+
+  const resultPanel = fixResult
+    ? h(
+        Box,
+        { flexDirection: 'column', borderStyle: 'single', borderColor: 'cyan', paddingX: 1 },
+        h(Text, { bold: true, color: 'white' }, ' Results '),
+        ...fixResult.fixed.map((fx) =>
+          h(Text, { key: `fix-${fx.message}`, color: 'green' }, `  ✔ ${fx.message}`)
+        ),
+        ...fixResult.errors.map((err) =>
+          h(Text, { key: `err-${err.error}`, color: 'red' }, `  ✖ ${err.error || err.reason}`)
+        ),
+        ...fixResult.skipped.map((sk) =>
+          h(Text, { key: `skip-${sk.reason}`, color: 'gray' }, `  ○ Skipped: ${sk.reason}`)
+        ),
+        h(
+          Text,
+          { bold: true },
+          `  ${fixResult.fixed.length} fixed · ${fixResult.errors.length} errors · ${fixResult.skipped.length} skipped`
+        )
+      )
+    : null;
+
+  return h(
+    Box,
+    { flexDirection: 'column' },
+    h(
+      Box,
+      { flexDirection: 'column', borderStyle: 'single', borderColor: 'green', paddingX: 1 },
+      h(Text, { bold: true, color: 'white' }, ` Auto-Fix (${fixable.length} fixable) `),
+      ...fixRows,
+      h(Box, { marginTop: 1 }, prompt)
+    ),
+    resultPanel
+  );
+}
+
+function truncate(str, maxLen) {
+  if (!str) {
+    return '';
+  }
+  return str.length > maxLen ? `${str.slice(0, maxLen - 1)}…` : str;
+}

package/core/tui/Header.js

@@ -0,0 +1,51 @@
+/**
+ * TUI Header — Score display and scan summary
+ */
+import { Box, Text } from 'ink';
+import { h } from './h.js';
+
+const GRADE_COLORS = { A: 'green', B: 'green', C: 'yellow', D: 'yellow', F: 'red' };
+
+export function Header({
+  score,
+  grade,
+  serverCount,
+  findingCount,
+  flowCount,
+  ruleCount,
+  elapsedMs,
+}) {
+  const gradeColor = GRADE_COLORS[grade] || 'white';
+
+  const scoreDisplay =
+    score !== null
+      ? h(
+          '',
+          null,
+          h(Text, { bold: true }, 'Score: '),
+          h(Text, { bold: true, color: gradeColor }, `${score}/100 (${grade})`)
+        )
+      : h(Text, { color: 'gray' }, 'Scanning...');
+
+  const statsDisplay =
+    score !== null
+      ? h(
+          Text,
+          { color: 'gray' },
+          `${findingCount} findings · ${flowCount} flows · ${serverCount} servers · ${ruleCount} rules · ${elapsedMs}ms`
+        )
+      : null;
+
+  return h(
+    Box,
+    { flexDirection: 'row', paddingX: 1, justifyContent: 'space-between' },
+    h(
+      Box,
+      null,
+      h(Text, { bold: true, color: 'cyan' }, 'mcp-shark'),
+      h(Text, { color: 'gray' }, ' │ '),
+      scoreDisplay
+    ),
+    statsDisplay
+  );
+}

package/core/tui/HelpBar.js

@@ -0,0 +1,42 @@
+/**
+ * TUI Help Bar — Keyboard shortcuts displayed at the bottom
+ */
+import { Box, Text } from 'ink';
+import { h } from './h.js';
+
+const COMMON_KEYS = [
+  { key: 'j/k', desc: 'navigate' },
+  { key: 'Tab', desc: 'next panel' },
+  { key: '1-4', desc: 'panel' },
+  { key: 'r', desc: 'rescan' },
+  { key: 'q', desc: 'quit' },
+];
+
+const PANEL_KEYS = {
+  findings: [],
+  servers: [],
+  flows: [],
+  fix: [
+    { key: 'f', desc: 'fix all' },
+    { key: 'u', desc: 'undo' },
+  ],
+};
+
+export function HelpBar({ activePanel }) {
+  const panelSpecific = PANEL_KEYS[activePanel] || [];
+  const allKeys = [...panelSpecific, ...COMMON_KEYS];
+
+  return h(
+    Box,
+    { paddingX: 1 },
+    ...allKeys.map(({ key, desc }, idx) =>
+      h(
+        Box,
+        { key, marginRight: 1 },
+        h(Text, { bold: true, color: 'cyan' }, key),
+        h(Text, { color: 'gray' }, ` ${desc}`),
+        idx < allKeys.length - 1 ? h(Text, { color: 'gray' }, ' │') : null
+      )
+    )
+  );
+}

package/core/tui/ServersPanel.js

@@ -0,0 +1,109 @@
+/**
+ * TUI Servers Panel — Server inventory with finding counts
+ */
+import { Box, Text } from 'ink';
+import { h } from './h.js';
+
+export function ServersPanel({ servers, findings, selectedIndex }) {
+  if (servers.length === 0) {
+    return h(
+      Box,
+      { padding: 1 },
+      h(Text, { color: 'yellow' }, '\u25B2 No MCP servers detected across 15 IDEs.')
+    );
+  }
+
+  const clamped = Math.min(selectedIndex, servers.length - 1);
+  const selected = servers[clamped];
+  const selectedFindings = findings.filter((f) => f.server_name === selected?.name);
+
+  const rows = servers.map((server, idx) => {
+    const isSelected = idx === clamped;
+    const count = findings.filter((f) => f.server_name === server.name).length;
+    const countColor = count === 0 ? 'green' : count > 3 ? 'red' : 'yellow';
+
+    return h(
+      Box,
+      { key: `${server.name}-${server.ide}` },
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'cyan' : 'white' },
+        `${isSelected ? '▸' : ' '} ${server.name.padEnd(25)}`
+      ),
+      h(Text, { inverse: isSelected, color: isSelected ? 'white' : 'gray' }, server.ide.padEnd(15)),
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'white' : countColor },
+        count === 0 ? '✔ clean' : `${count} issues`
+      )
+    );
+  });
+
+  const findingRows = selectedFindings.slice(0, 5).map((f) =>
+    h(
+      Text,
+      {
+        key: `${f.rule_id}-${f.title}`,
+        color: (f.severity || '').toLowerCase() === 'critical' ? 'red' : 'yellow',
+      },
+      `  ${f.severity?.toUpperCase()} — ${f.title}`
+    )
+  );
+
+  const moreText =
+    selectedFindings.length > 5
+      ? h(Text, { color: 'gray' }, `  ... and ${selectedFindings.length - 5} more`)
+      : null;
+
+  const detail = selected
+    ? h(
+        Box,
+        { flexDirection: 'column', borderStyle: 'single', borderColor: 'cyan', paddingX: 1 },
+        h(Text, { bold: true, color: 'white' }, ` ${selected.name} `),
+        h(Text, null, h(Text, { bold: true }, 'IDE:'), ` ${selected.ide}`),
+        h(Text, null, h(Text, { bold: true }, 'Config:'), ` ${selected.configPath || '—'}`),
+        h(
+          Text,
+          null,
+          h(Text, { bold: true }, 'Transport:'),
+          ` ${detectTransport(selected.config)}`
+        ),
+        h(Text, null, h(Text, { bold: true }, 'Command:'), ` ${selected.config?.command || '—'}`),
+        h(
+          Text,
+          null,
+          h(Text, { bold: true }, 'Tools:'),
+          ` ${Array.isArray(selected.tools) ? selected.tools.length : '?'}`
+        ),
+        h(Text, null, h(Text, { bold: true }, 'Findings:'), ` ${selectedFindings.length}`),
+        selectedFindings.length > 0
+          ? h(Box, { flexDirection: 'column' }, ...findingRows, moreText)
+          : null
+      )
+    : null;
+
+  return h(
+    Box,
+    { flexDirection: 'column' },
+    h(
+      Box,
+      { flexDirection: 'column', borderStyle: 'single', borderColor: 'gray', paddingX: 1 },
+      h(Text, { bold: true, color: 'white' }, ` Servers (${servers.length}) `),
+      ...rows
+    ),
+    detail
+  );
+}
+
+function detectTransport(config) {
+  if (!config) {
+    return 'unknown';
+  }
+  if (config.command) {
+    return 'stdio';
+  }
+  if (config.url) {
+    return config.transport || 'http';
+  }
+  return config.transport || 'unknown';
+}

package/core/tui/ToxicFlowsPanel.js

@@ -0,0 +1,100 @@
+/**
+ * TUI Toxic Flows Panel — Cross-server attack path visualization
+ */
+import { Box, Text } from 'ink';
+import { h } from './h.js';
+
+export function ToxicFlowsPanel({ toxicFlows, selectedIndex }) {
+  if (toxicFlows.length === 0) {
+    return h(
+      Box,
+      { padding: 1 },
+      h(Text, { color: 'green' }, '✔ No toxic cross-server flows detected.')
+    );
+  }
+
+  const clamped = Math.min(selectedIndex, toxicFlows.length - 1);
+  const selected = toxicFlows[clamped];
+
+  const rows = toxicFlows.map((flow, idx) => {
+    const isSelected = idx === clamped;
+    const riskColor = (flow.risk || '').toLowerCase() === 'high' ? 'red' : 'yellow';
+    const flowKey = `${flow.source}-${flow.sink}-${flow.rule || idx}`;
+
+    return h(
+      Box,
+      { key: flowKey },
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'magenta' : riskColor },
+        `${isSelected ? '▸' : ' '} ${(flow.risk || 'MED').toUpperCase().padEnd(6)}`
+      ),
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'white' : 'gray' },
+        ` ${flow.source || '?'} → ${flow.sink || '?'}`
+      ),
+      h(
+        Text,
+        { inverse: isSelected, color: isSelected ? 'white' : 'gray', dimColor: !isSelected },
+        ` — ${truncate(flow.scenario || '', 50)}`
+      )
+    );
+  });
+
+  const caps = selected?.capabilities
+    ? Object.entries(selected.capabilities)
+        .filter(([, v]) => v)
+        .map(([k]) => k)
+        .join(', ')
+    : '—';
+
+  const detail = selected
+    ? h(
+        Box,
+        { flexDirection: 'column', borderStyle: 'single', borderColor: 'magenta', paddingX: 1 },
+        h(Text, { bold: true, color: 'magenta' }, ' Flow Detail '),
+        h(
+          Text,
+          null,
+          h(Text, { bold: true, color: 'red' }, selected.source),
+          h(Text, { color: 'gray' }, ' → '),
+          h(Text, { bold: true, color: 'red' }, selected.sink)
+        ),
+        h(
+          Text,
+          null,
+          h(Text, { bold: true }, 'Risk:'),
+          ' ',
+          h(Text, { color: selected.risk === 'high' ? 'red' : 'yellow' }, selected.risk)
+        ),
+        h(Text, null, h(Text, { bold: true }, 'Rule:'), ` ${selected.rule || '—'}`),
+        h(
+          Text,
+          { wrap: 'wrap' },
+          h(Text, { bold: true }, 'Scenario:'),
+          ` ${selected.scenario || '—'}`
+        ),
+        h(Text, { wrap: 'wrap' }, h(Text, { bold: true }, 'Capabilities:'), ` ${caps}`)
+      )
+    : null;
+
+  return h(
+    Box,
+    { flexDirection: 'column' },
+    h(
+      Box,
+      { flexDirection: 'column', borderStyle: 'single', borderColor: 'magenta', paddingX: 1 },
+      h(Text, { bold: true, color: 'white' }, ` Toxic Flows (${toxicFlows.length}) `),
+      ...rows
+    ),
+    detail
+  );
+}
+
+function truncate(str, maxLen) {
+  if (!str) {
+    return '';
+  }
+  return str.length > maxLen ? `${str.slice(0, maxLen - 1)}…` : str;
+}

package/core/tui/h.js

@@ -0,0 +1,8 @@
+/**
+ * JSX-free helper for React.createElement
+ * Keeps TUI code readable without requiring a build step.
+ */
+import { Fragment, createElement } from 'react';
+
+export const h = createElement;
+export const F = Fragment;

package/core/tui/index.js

@@ -0,0 +1,11 @@
+/**
+ * TUI module barrel file
+ */
+export { App } from './App.js';
+export { Header } from './Header.js';
+export { FindingsPanel } from './FindingsPanel.js';
+export { ServersPanel } from './ServersPanel.js';
+export { ToxicFlowsPanel } from './ToxicFlowsPanel.js';
+export { FixPanel } from './FixPanel.js';
+export { HelpBar } from './HelpBar.js';
+export { launchTui } from './render.js';

package/core/tui/render.js

@@ -0,0 +1,22 @@
+import { render } from 'ink';
+/**
+ * TUI Renderer — Entry point for the interactive terminal UI
+ * Called by `mcp-shark tui` command
+ */
+import { createElement } from 'react';
+import { bootstrapLogger as logger } from '#core/libraries/index.js';
+import { App } from './App.js';
+
+/**
+ * Launch the interactive TUI
+ * @returns {Promise<void>}
+ */
+export async function launchTui() {
+  try {
+    const { waitUntilExit } = render(createElement(App));
+    await waitUntilExit();
+  } catch (err) {
+    logger.error({ err: err.message }, 'TUI failed to start');
+    throw err;
+  }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mcp-shark/mcp-shark",
-  "version": "1.5.13",
-  "description": "Aggregate multiple Model Context Protocol (MCP) servers into a single unified interface with a powerful monitoring UI. Prov deep visibility into every request and response.",
+  "version": "1.7.2",
+  "description": "Security scanner for AI agent tools. Local static scan of MCP IDE configs (41 rules, toxic flow heuristics, AAuth visibility, auto-fix, tool pinning). Optional proxy + in-browser dashboard: traffic, findings, AAuth Explorer, YARA, Playground. Smart Scan optional (your API token). Rule registry fetch is opt-in.",
   "type": "module",
   "main": "./bin/mcp-shark.js",
   "exports": {
@@ -45,12 +45,13 @@
     "test": "c8 node --test --test-name-pattern='.*' --test-reporter spec $(find core ui/server -path '*/__tests__/*.test.js' -type f)",
     "test:ui": "vitest run --coverage",
     "test:all": "npm run test:coverage && npm run test:ui",
+    "generate:rules": "node scripts/generate-rule-index.js",
     "lint": "biome lint .",
     "lint:fix": "biome lint --write .",
     "format": "biome format --write .",
     "check": "biome check .",
     "check:fix": "biome check --write .",
-    "prepare": "husky install || true",
+    "prepare": "husky || true",
     "prepublishOnly": "npm run check:fix && npm run build:ui",
     "pack:inspect": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz | head -50 && echo '...' && tar -tzf mcp-shark-mcp-shark-*.tgz | wc -l && echo 'files total'",
     "pack:list": "npm run prepublishOnly && npm pack && tar -tzf mcp-shark-mcp-shark-*.tgz",
@@ -64,20 +65,19 @@
   "keywords": [
     "mcp",
     "model-context-protocol",
-    "aggregator",
-    "server",
-    "ui",
-    "monitoring",
-    "debugging",
-    "wireshark",
-    "traffic-capture",
-    "mcp-server",
-    "mcp-client",
     "security",
-    "audit",
-    "logging",
-    "playground",
-    "smart-scan"
+    "scanner",
+    "vulnerability",
+    "owasp",
+    "ai-agent",
+    "mcp-server",
+    "static-analysis",
+    "toxic-flow",
+    "auto-fix",
+    "lockfile",
+    "sarif",
+    "cli",
+    "devtools"
   ],
   "author": "",
   "license": "SEE LICENSE IN LICENSE",
@@ -85,18 +85,26 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
+    "@clack/prompts": "^1.2.0",
     "@iarna/toml": "^2.2.5",
     "@modelcontextprotocol/sdk": "^1.20.2",
     "@tabler/icons-react": "^3.0.0",
     "animejs": "^3.2.2",
     "better-sqlite3": "^12.4.1",
+    "boxen": "^8.0.1",
+    "cli-table3": "^0.6.5",
     "commander": "^14.0.2",
     "consola": "^3.4.2",
     "cors": "^2.8.5",
     "echarts": "^6.0.0",
     "echarts-for-react": "^3.0.6",
     "express": "^4.18.2",
+    "ink": "^5.2.1",
+    "ink-select-input": "^6.2.0",
+    "ink-spinner": "^5.0.0",
+    "ink-text-input": "^6.0.0",
     "jsonrpc-lite": "^2.2.0",
+    "kleur": "^4.1.5",
     "open": "^11.0.0",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",