@mcp-shark/mcp-shark 1.5.13 → 1.7.2

package/bin/mcp-shark.js

@@ -1,12 +1,23 @@
 #!/usr/bin/env node
 
+/**
+ * MCP Shark CLI Entry Point
+ */
 import { spawn } from 'node:child_process';
 import { existsSync, readFileSync } from 'node:fs';
 import { dirname, join, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { Command } from 'commander';
 import open from 'open';
+import { executeDoctor } from '#core/cli/DoctorCommand.js';
+import { executeList } from '#core/cli/ListCommand.js';
+import { executeDiff, executeLock, executeLockVerify } from '#core/cli/LockCommand.js';
+import { executeScan } from '#core/cli/ScanCommand.js';
+import { executeUpdateRules } from '#core/cli/UpdateCommand.js';
+import { executeWatch } from '#core/cli/WatchCommand.js';
+import { displayServeBanner } from '#core/cli/output/Banner.js';
 import { bootstrapLogger as logger } from '#core/libraries/index.js';
+import { launchTui } from '#core/tui/render.js';
 
 const SERVER_URL = 'http://localhost:9853';
 const BROWSER_OPEN_DELAY = 1000;
@@ -15,35 +26,19 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const rootDir = resolve(__dirname, '..');
 
-/**
- * Display welcome banner
- */
-function displayWelcomeBanner() {
-  const pkgPath = join(rootDir, 'package.json');
-  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
-  const version = pkg.version;
-
-  const banner = `
-   ███╗   ███╗ ██████╗ ██████╗      ███████╗██╗  ██╗ █████╗ ██████╗ ██╗  ██╗
-   ████╗ ████║██╔════╝██╔══██╗     ██╔════╝██║  ██║██╔══██╗██╔══██╗██║ ██╔╝
-   ██╔████╔██║██║     ██████╔╝     ███████╗███████║███████║██████╔╝█████╔╝ 
-   ██║╚██╔╝██║██║     ██╔═══╝      ╚════██║██╔══██║██╔══██║██╔══██╗██╔═██╗ 
-   ██║ ╚═╝ ██║╚██████╗██║          ███████║██║  ██║██║  ██║██║  ██║██║  ██╗
-   ╚═╝     ╚═╝ ╚═════╝╚═╝          ╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝
-   
-   Aggregate multiple MCP servers into a unified interface
-   Version: ${version} | Homepage: https://mcpshark.sh
-`;
-
-  logger.log(banner);
+function getVersion() {
+  try {
+    const pkgPath = join(rootDir, 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version;
+  } catch (_err) {
+    return '0.0.0';
+  }
 }
 
 const uiDir = join(rootDir, 'ui');
 const distDir = join(uiDir, 'dist');
 
-/**
- * Validate that UI dist directory exists
- */
 function validateUIBuilt() {
   if (!existsSync(distDir)) {
     logger.error(
@@ -54,17 +49,11 @@ function validateUIBuilt() {
   }
 }
 
-/**
- * Open the browser after a short delay
- */
 async function openBrowser() {
-  await new Promise((resolve) => setTimeout(resolve, BROWSER_OPEN_DELAY));
+  await new Promise((r) => setTimeout(r, BROWSER_OPEN_DELAY));
   open(SERVER_URL);
 }
 
-/**
- * Start the UI server
- */
 async function startServer(shouldOpenBrowser = false) {
   logger.info('Starting MCP Shark UI server...');
   logger.info(`Open ${SERVER_URL} in your browser`);
@@ -93,19 +82,14 @@ async function startServer(shouldOpenBrowser = false) {
     }
   });
 
-  // Handle process termination
   const shutdown = async (signal) => {
     if (shutdownState.isShuttingDown) {
       return;
     }
     shutdownState.isShuttingDown = true;
-
     logger.info('Shutting down...');
-
-    // Send signal to child process
     serverProcess.kill(signal);
 
-    // Wait for child process to exit, with timeout
     const timeout = setTimeout(() => {
       logger.info('Forcefully terminating server process...');
       serverProcess.kill('SIGKILL');
@@ -122,37 +106,147 @@ async function startServer(shouldOpenBrowser = false) {
   process.on('SIGTERM', () => shutdown('SIGTERM'));
 }
 
-/**
- * Validate that required directories exist
- */
 function validateDirectories() {
   if (!existsSync(uiDir)) {
-    logger.error('Error: UI directory not found. Please ensure you are in the correct directory.');
+    logger.error('Error: UI directory not found.');
     process.exit(1);
   }
 }
 
 /**
- * Main execution function
+ * Legacy: `npx mcp-shark --open` / `-o` → `serve --open` (before Commander parses argv).
+ * Skipped when the first argument is a subcommand (e.g. `serve`, `scan`).
  */
+function applyLegacyOpenAlias() {
+  const argv = process.argv.slice(2);
+  if (argv.length === 0) {
+    return;
+  }
+  const first = argv[0];
+  if (!first.startsWith('-')) {
+    return;
+  }
+  if (!argv.includes('--open') && !argv.includes('-o')) {
+    return;
+  }
+  const filtered = argv.filter((x) => x !== '--open' && x !== '-o');
+  process.argv = [process.argv[0], process.argv[1], 'serve', '--open', ...filtered];
+}
+
 async function main() {
-  // Display welcome banner
-  displayWelcomeBanner();
+  applyLegacyOpenAlias();
+
+  const version = getVersion();
 
-  // Parse command line options
   const program = new Command();
-  program.option('-o, --open', 'Open the browser', false).parse(process.argv);
+  program.name('mcp-shark').description('Security scanner for AI agent tools').version(version);
+
+  program
+    .command('scan', { isDefault: true })
+    .description('Scan MCP configurations for security issues (default)')
+    .option('--fix', 'Auto-fix fixable issues')
+    .option('--undo', 'Undo previous --fix changes (use with --fix)')
+    .option('--yes', 'Skip confirmation prompt for --fix')
+    .option('--walkthrough', 'Show full attack chain narratives')
+    .option('--ci', 'CI mode: exit code 1 on critical/high findings')
+    .option('--format <format>', 'Output format: terminal, json, sarif, html', 'terminal')
+    .option('--output <path>', 'Write report to file (for html format)')
+    .option('--strict', 'Count advisory findings in score')
+    .option('--ide <name>', 'Scan specific IDE only')
+    .option('--rules <path>', 'Load custom YAML rules from directory')
+    .option(
+      '--refresh-rules',
+      'Download rule packs from registry before scan (HTTPS; configure via env or .mcp-shark/rule-registry.json)'
+    )
+    .action(async (options) => {
+      const exitCode = await executeScan(options);
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
 
-  const options = program.opts();
+  program
+    .command('lock')
+    .description('Create or update .mcp-shark.lock (pin tool definitions)')
+    .option('--verify', 'Verify current state matches lockfile')
+    .action((options) => {
+      const exitCode = options.verify ? executeLockVerify() : executeLock(options);
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
 
-  // Validate environment
-  validateDirectories();
+  program
+    .command('diff')
+    .description('Show tool definition changes since last lock')
+    .action(() => {
+      const exitCode = executeDiff();
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
 
-  // Validate UI is built (pre-built files should be included in package)
-  validateUIBuilt();
+  program
+    .command('doctor')
+    .description('Run environment health checks')
+    .action(() => {
+      const exitCode = executeDoctor();
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
+
+  program
+    .command('tui')
+    .description('Launch interactive terminal UI (lazygit-style)')
+    .action(async () => {
+      await launchTui();
+    });
+
+  program
+    .command('watch')
+    .description('Watch config files and re-scan on changes')
+    .action(() => {
+      const exitCode = executeWatch();
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
+
+  program
+    .command('list')
+    .description('Show inventory of all detected MCP servers')
+    .option('--format <format>', 'Output format: terminal, json', 'terminal')
+    .action((options) => {
+      const exitCode = executeList(options);
+      if (exitCode !== 0) {
+        process.exit(exitCode);
+      }
+    });
+
+  program
+    .command('update-rules')
+    .description('Download latest rule packs from remote registry')
+    .option('--source <url>', 'Custom manifest URL (enterprise registries)')
+    .action(async (options) => {
+      const code = await executeUpdateRules(options);
+      if (code !== 0) {
+        process.exit(code);
+      }
+    });
+
+  program
+    .command('serve')
+    .description('Start the web UI on localhost:9853')
+    .option('-o, --open', 'Open the browser', false)
+    .action(async (options) => {
+      displayServeBanner();
+      validateDirectories();
+      validateUIBuilt();
+      await startServer(options.open);
+    });
 
-  // Start the server
-  await startServer(options.open);
+  await program.parseAsync(process.argv);
 }
 
 main().catch((error) => {

package/core/cli/AutoFixEngine.js

@@ -0,0 +1,93 @@
+/**
+ * Auto-Fix Engine
+ * Orchestrates fix application and renders results.
+ * Delegates actual fix logic to FixHandlers.
+ */
+import kleur from 'kleur';
+import { applyFix, createEnvExample, undoFixes } from './FixHandlers.js';
+import { S } from './symbols.js';
+
+/**
+ * Apply fixes for all fixable findings
+ * @param {Array} findings - Findings from ScanService
+ * @param {object} options
+ * @param {boolean} [options.undo] - Undo previous fixes
+ * @returns {{ fixed: Array, skipped: Array, errors: Array }}
+ */
+export function applyFixes(findings, options = {}) {
+  if (options.undo) {
+    return undoFixes(findings);
+  }
+
+  const fixable = findings.filter((f) => f.fixable);
+  const result = { fixed: [], skipped: [], errors: [] };
+
+  const envVarsCollected = [];
+
+  for (const finding of fixable) {
+    const fixResult = applyFix(finding, envVarsCollected);
+    if (fixResult.success) {
+      result.fixed.push(fixResult);
+    } else if (fixResult.error) {
+      result.errors.push(fixResult);
+    } else {
+      result.skipped.push(fixResult);
+    }
+  }
+
+  if (envVarsCollected.length > 0) {
+    createEnvExample(envVarsCollected, result);
+  }
+
+  return result;
+}
+
+/**
+ * Render fix results to terminal
+ */
+export function renderFixResults(fixResult, scoreBefore, scoreAfter) {
+  const total = fixResult.fixed.length;
+  const attempted = fixResult.fixed.length + fixResult.skipped.length + fixResult.errors.length;
+
+  if (attempted === 0) {
+    console.log(`  ${kleur.dim('No auto-fixable issues found')}`);
+    return;
+  }
+
+  console.log('');
+  console.log(kleur.bold('  Applying fixes...'));
+  console.log('');
+
+  fixResult.fixed.forEach((fix, index) => {
+    console.log(`  ${kleur.green(S.pass)} [${index + 1}/${total}] ${fix.message}`);
+    if (fix.backupPath) {
+      console.log(`          ${kleur.dim(`Backup: ${fix.backupPath}`)}`);
+    }
+  });
+
+  for (const err of fixResult.errors) {
+    console.log(`  ${kleur.red(S.fail)} ${err.finding?.title || 'Fix'}: ${err.error}`);
+  }
+
+  const remaining = fixResult.skipped.length + fixResult.errors.length;
+  console.log('');
+  console.log(`  ${total} fixed · ${remaining} remaining (manual fix needed)`);
+
+  if (scoreBefore !== null && scoreAfter !== null) {
+    const diff = scoreAfter - scoreBefore;
+    const bar = renderProgressBar(scoreAfter);
+    console.log(`  Shark Score: ${scoreBefore} → ${scoreAfter} (+${diff} points) ${bar}`);
+  }
+
+  console.log('');
+  console.log(kleur.dim('  Undo all: npx mcp-shark scan --fix --undo'));
+}
+
+/**
+ * Render a simple progress bar
+ */
+function renderProgressBar(score) {
+  const filled = Math.round((score / 100) * 30);
+  const empty = 30 - filled;
+  return kleur.green('█'.repeat(filled)) + kleur.dim('░'.repeat(empty));
+}

package/core/cli/ConfigScanner.js

@@ -0,0 +1,193 @@
+/**
+ * Scans IDE config files and extracts MCP server definitions
+ * Supports JSON, TOML, and embedded JSON (settings files with mcpServers key)
+ */
+import { existsSync, readFileSync, statSync } from 'node:fs';
+import { basename } from 'node:path';
+import TOML from '@iarna/toml';
+import { IDE_CONFIGS } from './IdeConfigPaths.js';
+
+/**
+ * Parse a JSON config file for MCP servers
+ * @returns {{ servers: object, raw: object } | null}
+ */
+function parseJsonConfig(filePath) {
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const parsed = JSON.parse(content);
+    const servers = parsed.mcpServers || parsed.servers || {};
+    return { servers, raw: parsed };
+  } catch (_err) {
+    return null;
+  }
+}
+
+/**
+ * Parse a TOML config file (Codex) for MCP servers
+ * @returns {{ servers: object, raw: object } | null}
+ */
+function parseTOMLConfig(filePath) {
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const parsed = TOML.parse(content);
+    const servers = parsed.mcpServers || parsed.mcp_servers || {};
+    return { servers, raw: parsed };
+  } catch (_err) {
+    return null;
+  }
+}
+
+/**
+ * Parse a JSON settings file that embeds MCP config under a key
+ * (Gemini CLI, Continue, Zed)
+ * @returns {{ servers: object, raw: object } | null}
+ */
+function parseEmbeddedJsonConfig(filePath) {
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const parsed = JSON.parse(content);
+    const servers = parsed.mcpServers || parsed.mcp_servers || parsed.mcp?.servers || {};
+    return { servers, raw: parsed };
+  } catch (_err) {
+    return null;
+  }
+}
+
+/**
+ * Get file permissions as octal string (Unix only)
+ */
+function getFilePermissions(filePath) {
+  try {
+    const stats = statSync(filePath);
+    return (stats.mode & 0o777).toString(8);
+  } catch (_err) {
+    return null;
+  }
+}
+
+/**
+ * Extract tool definitions from a server config entry
+ */
+function extractToolsFromServer(serverConfig) {
+  if (!serverConfig || typeof serverConfig !== 'object') {
+    return [];
+  }
+  if (serverConfig.tools) {
+    return serverConfig.tools;
+  }
+  return [];
+}
+
+/**
+ * Scan all IDEs and return discovered MCP configurations
+ * @param {object} options
+ * @param {string} [options.ide] - Filter to specific IDE name
+ * @returns {Array<object>} Array of discovered IDE configs with servers
+ */
+export function scanIdeConfigs(options = {}) {
+  const results = [];
+  const ideFilter = options.ide ? options.ide.toLowerCase() : null;
+
+  for (const ideConfig of IDE_CONFIGS) {
+    if (ideFilter && ideConfig.name.toLowerCase() !== ideFilter) {
+      continue;
+    }
+
+    const detected = detectIdeConfig(ideConfig);
+    results.push(detected);
+  }
+
+  return results;
+}
+
+/**
+ * Detect and parse a single IDE config
+ */
+function detectIdeConfig(ideConfig) {
+  const result = {
+    name: ideConfig.name,
+    found: false,
+    configPath: null,
+    displayPath: null,
+    permissions: null,
+    servers: {},
+    serverCount: 0,
+    toolCount: 0,
+    error: null,
+  };
+
+  for (const configPath of ideConfig.paths) {
+    if (!existsSync(configPath)) {
+      continue;
+    }
+
+    result.found = true;
+    result.configPath = configPath;
+    result.displayPath = configPath.replace(process.env.HOME || '', '~');
+    result.permissions = getFilePermissions(configPath);
+
+    const parsed = parseConfigByType(ideConfig.parser, configPath);
+    if (!parsed) {
+      result.error = `Failed to parse ${basename(configPath)}`;
+      break;
+    }
+
+    result.servers = parsed.servers;
+    result.serverCount = Object.keys(parsed.servers).length;
+
+    const toolCount = countTools(parsed.servers);
+    result.toolCount = toolCount;
+    break;
+  }
+
+  return result;
+}
+
+/**
+ * Route to the correct parser based on config type
+ */
+function parseConfigByType(parser, filePath) {
+  if (parser === 'json') {
+    return parseJsonConfig(filePath);
+  }
+  if (parser === 'toml') {
+    return parseTOMLConfig(filePath);
+  }
+  if (parser === 'jsonEmbedded') {
+    return parseEmbeddedJsonConfig(filePath);
+  }
+  return null;
+}
+
+/**
+ * Count total tools across all servers
+ */
+function countTools(servers) {
+  const total = Object.values(servers).reduce((sum, server) => {
+    const tools = extractToolsFromServer(server);
+    return sum + (Array.isArray(tools) ? tools.length : Object.keys(tools).length);
+  }, 0);
+  return total;
+}
+
+/**
+ * Get a flat list of all servers across all IDEs
+ */
+export function getAllServers(ideResults) {
+  const servers = [];
+  for (const ide of ideResults) {
+    if (!ide.found) {
+      continue;
+    }
+    for (const [serverName, serverConfig] of Object.entries(ide.servers)) {
+      servers.push({
+        name: serverName,
+        ide: ide.name,
+        configPath: ide.configPath,
+        config: serverConfig,
+        tools: extractToolsFromServer(serverConfig),
+      });
+    }
+  }
+  return servers;
+}