@mcp-shark/mcp-shark 1.5.13 → 1.7.2

package/core/cli/IdeConfigPaths.js

@@ -0,0 +1,175 @@
+/**
+ * IDE configuration paths for MCP server detection
+ * Maps IDE names to their known config file locations across platforms
+ */
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { Environment } from '#core/configs/environment.js';
+
+const HOME = homedir();
+const PLATFORM = process.platform;
+
+function macAppSupport(appName) {
+  return join(HOME, 'Library', 'Application Support', appName);
+}
+
+function winAppData(appName) {
+  const appData = process.env.APPDATA || join(Environment.getUserProfile(), 'AppData', 'Roaming');
+  return join(appData, appName);
+}
+
+function linuxConfig(appName) {
+  const xdgConfig = process.env.XDG_CONFIG_HOME || join(HOME, '.config');
+  return join(xdgConfig, appName);
+}
+
+/**
+ * Build platform-aware config paths for an IDE
+ */
+function buildPaths(mac, win, linux) {
+  const paths = [];
+  if (PLATFORM === 'darwin' && mac) {
+    paths.push(...(Array.isArray(mac) ? mac : [mac]));
+  }
+  if (PLATFORM === 'win32' && win) {
+    paths.push(...(Array.isArray(win) ? win : [win]));
+  }
+  if (PLATFORM === 'linux' && linux) {
+    paths.push(...(Array.isArray(linux) ? linux : [linux]));
+  }
+  return paths;
+}
+
+/**
+ * All known IDE config definitions
+ * Each entry: { name, paths: string[], parser: 'json' | 'toml' | 'jsonEmbedded' }
+ */
+export const IDE_CONFIGS = [
+  {
+    name: 'Cursor',
+    parser: 'json',
+    paths: [
+      join(HOME, '.cursor', 'mcp.json'),
+      join(process.cwd(), '.cursor', 'mcp.json'),
+      ...buildPaths(null, join(Environment.getUserProfile(), '.cursor', 'mcp.json'), null),
+    ],
+  },
+  {
+    name: 'Claude Desktop',
+    parser: 'json',
+    paths: buildPaths(
+      join(macAppSupport('Claude'), 'claude_desktop_config.json'),
+      join(winAppData('Claude'), 'claude_desktop_config.json'),
+      join(linuxConfig('Claude'), 'claude_desktop_config.json')
+    ),
+  },
+  {
+    name: 'Claude Code',
+    parser: 'json',
+    paths: [join(HOME, '.claude.json'), join(HOME, '.claude', 'settings.json')],
+  },
+  {
+    name: 'VS Code',
+    parser: 'json',
+    paths: [join(process.cwd(), '.vscode', 'mcp.json'), join(HOME, '.vscode', 'mcp.json')],
+  },
+  {
+    name: 'Windsurf',
+    parser: 'json',
+    paths: [
+      join(HOME, '.codeium', 'windsurf', 'mcp_config.json'),
+      ...buildPaths(
+        null,
+        join(Environment.getUserProfile(), '.codeium', 'windsurf', 'mcp_config.json'),
+        null
+      ),
+    ],
+  },
+  {
+    name: 'Codex',
+    parser: 'toml',
+    paths: [
+      join(Environment.getCodexHome(), 'config.toml'),
+      join(HOME, '.codex', 'config.toml'),
+      ...buildPaths(null, join(Environment.getUserProfile(), '.codex', 'config.toml'), null),
+    ],
+  },
+  {
+    name: 'Gemini CLI',
+    parser: 'jsonEmbedded',
+    paths: [join(HOME, '.gemini', 'settings.json')],
+  },
+  {
+    name: 'Continue',
+    parser: 'jsonEmbedded',
+    paths: [join(HOME, '.continue', 'config.json')],
+  },
+  {
+    name: 'Cline',
+    parser: 'json',
+    paths: buildPaths(
+      join(
+        macAppSupport('Code'),
+        'User',
+        'globalStorage',
+        'saoudrizwan.claude-dev',
+        'settings',
+        'cline_mcp_settings.json'
+      ),
+      join(
+        winAppData('Code'),
+        'User',
+        'globalStorage',
+        'saoudrizwan.claude-dev',
+        'settings',
+        'cline_mcp_settings.json'
+      ),
+      join(
+        linuxConfig('Code'),
+        'User',
+        'globalStorage',
+        'saoudrizwan.claude-dev',
+        'settings',
+        'cline_mcp_settings.json'
+      )
+    ),
+  },
+  {
+    name: 'Amp',
+    parser: 'json',
+    paths: [join(HOME, '.amp', 'mcp.json')],
+  },
+  {
+    name: 'Kiro',
+    parser: 'json',
+    paths: [join(HOME, '.kiro', 'mcp.json')],
+  },
+  {
+    name: 'Zed',
+    parser: 'jsonEmbedded',
+    paths: buildPaths(
+      join(HOME, '.config', 'zed', 'settings.json'),
+      null,
+      join(linuxConfig('zed'), 'settings.json')
+    ),
+  },
+  {
+    name: 'Augment',
+    parser: 'json',
+    paths: [join(HOME, '.augment', 'mcp.json')],
+  },
+  {
+    name: 'Roo Code',
+    parser: 'json',
+    paths: [join(HOME, '.roo-code', 'mcp.json')],
+  },
+  {
+    name: 'Project',
+    parser: 'json',
+    paths: [
+      join(process.cwd(), 'mcp.json'),
+      join(process.cwd(), '.mcp.json'),
+      join(process.cwd(), '.mcp', 'config.json'),
+    ],
+  },
+];

package/core/cli/ListCommand.js

@@ -0,0 +1,255 @@
+/**
+ * List Command
+ * Displays a beautiful inventory of all detected MCP servers,
+ * their transport type, tool count, and config source.
+ */
+import Table from 'cli-table3';
+import kleur from 'kleur';
+import { inspectServerConfigForAauth } from '#core/services/security/aauthParser.js';
+import { getAllServers, scanIdeConfigs } from './ConfigScanner.js';
+import { TOOL_CLASSIFICATIONS } from './ToolClassifications.js';
+import { S } from './symbols.js';
+
+const TRANSPORT_LABELS = {
+  stdio: kleur.cyan('stdio'),
+  sse: kleur.magenta('sse'),
+  http: kleur.yellow('http'),
+  streamable: kleur.green('streamable'),
+  unknown: kleur.dim('unknown'),
+};
+
+/**
+ * Execute the list command — server inventory
+ * @param {object} options
+ * @param {string} [options.format] - Output format: terminal, json
+ * @returns {number} Exit code
+ */
+export function executeList(options = {}) {
+  const ideResults = scanIdeConfigs();
+  const servers = getAllServers(ideResults);
+
+  if (servers.length === 0) {
+    console.log(`\n  ${kleur.yellow(S.warn)} No MCP servers found\n`);
+    console.log(kleur.dim('  Searched 15 IDEs. Install an MCP server to get started.'));
+    console.log('');
+    return 0;
+  }
+
+  if (options.format === 'json') {
+    return renderJsonInventory(servers, ideResults);
+  }
+
+  return renderTerminalInventory(servers, ideResults);
+}
+
+/**
+ * Render server inventory as a beautiful terminal table
+ */
+function renderTerminalInventory(servers, ideResults) {
+  const foundIdes = ideResults.filter((r) => r.found);
+
+  console.log('');
+  console.log(kleur.bold('  MCP Server Inventory'));
+  console.log(kleur.dim(`  Found ${servers.length} servers across ${foundIdes.length} IDEs`));
+  console.log('');
+
+  const table = new Table({
+    head: ['Server', 'IDE', 'Transport', 'Tools', 'Capabilities'].map((h) => kleur.bold(h)),
+    chars: {
+      top: '─',
+      'top-mid': '┬',
+      'top-left': '┌',
+      'top-right': '┐',
+      bottom: '─',
+      'bottom-mid': '┴',
+      'bottom-left': '└',
+      'bottom-right': '┘',
+      left: '│',
+      'left-mid': '├',
+      mid: '─',
+      'mid-mid': '┼',
+      right: '│',
+      'right-mid': '┤',
+      middle: '│',
+    },
+    style: { head: [], border: [] },
+  });
+
+  for (const server of servers) {
+    const transport = detectTransport(server.config);
+    const toolCount = getToolCount(server);
+    const capabilities = getServerCapabilities(server.name);
+
+    table.push([
+      kleur.white(server.name),
+      kleur.dim(server.ide),
+      TRANSPORT_LABELS[transport] || TRANSPORT_LABELS.unknown,
+      toolCount > 0 ? kleur.bold(String(toolCount)) : kleur.dim('?'),
+      capabilities || kleur.dim('—'),
+    ]);
+  }
+
+  console.log(table.toString());
+  console.log('');
+
+  renderAauthSummary(servers);
+  renderIdeSummary(ideResults);
+
+  return 0;
+}
+
+/**
+ * Print a single-line AAuth advertisement summary across all detected servers.
+ * Visibility-only: this only checks for AAuth-shaped fields in the static config
+ * (agent IDs, JWKS URLs, .well-known/aauth references). It does not connect.
+ */
+function renderAauthSummary(servers) {
+  let advertised = 0;
+  for (const server of servers) {
+    if (inspectServerConfigForAauth(server.config)) {
+      advertised += 1;
+    }
+  }
+  const remaining = servers.length - advertised;
+  if (servers.length === 0) {
+    return;
+  }
+  console.log(kleur.bold('  AAuth Visibility'));
+  console.log(
+    `  ${kleur.green(S.pass)} ${advertised} server${advertised === 1 ? '' : 's'} advertise AAuth · ${kleur.dim(`${remaining} do not`)}`
+  );
+  console.log(
+    kleur.dim(
+      '  Observed only — mcp-shark does not verify AAuth identity. See https://www.aauth.dev'
+    )
+  );
+  console.log('');
+}
+
+/**
+ * Render a summary of which IDEs were detected
+ */
+function renderIdeSummary(ideResults) {
+  const found = ideResults.filter((r) => r.found);
+  const notFound = ideResults.filter((r) => !r.found);
+
+  console.log(kleur.bold('  IDE Detection'));
+  for (const ide of found) {
+    console.log(`  ${kleur.green(S.pass)} ${ide.name} (${ide.serverCount} servers)`);
+  }
+  if (notFound.length > 0) {
+    console.log(`  ${kleur.dim(`${notFound.length} IDEs not installed`)}`);
+  }
+  console.log('');
+}
+
+/**
+ * Render inventory as JSON
+ */
+function renderJsonInventory(servers, ideResults) {
+  const output = {
+    total_servers: servers.length,
+    ides_found: ideResults.filter((r) => r.found).length,
+    servers: servers.map((s) => ({
+      name: s.name,
+      ide: s.ide,
+      config_path: s.configPath,
+      transport: detectTransport(s.config),
+      tool_count: getToolCount(s),
+      command: s.config?.command || null,
+      args_present: hasArgsPresent(s.config),
+      aauth: inspectServerConfigForAauth(s.config),
+    })),
+  };
+  console.log(JSON.stringify(output, null, 2));
+  return 0;
+}
+
+/**
+ * Detect transport type from server config
+ */
+function detectTransport(config) {
+  if (!config) {
+    return 'unknown';
+  }
+  if (config.command) {
+    return 'stdio';
+  }
+  if (config.url?.includes('/sse')) {
+    return 'sse';
+  }
+  if (config.url) {
+    return config.transport || 'http';
+  }
+  if (config.transport) {
+    return config.transport;
+  }
+  return 'unknown';
+}
+
+/**
+ * Get number of tools for a server
+ */
+function getToolCount(server) {
+  if (Array.isArray(server.tools)) {
+    return server.tools.length;
+  }
+  if (server.tools && typeof server.tools === 'object') {
+    return Object.keys(server.tools).length;
+  }
+  return 0;
+}
+
+/**
+ * Whether server config includes non-empty args (boolean only for JSON output — avoids leaking secrets).
+ */
+export function hasArgsPresent(config) {
+  const args = config?.args;
+  if (args == null) {
+    return false;
+  }
+  if (Array.isArray(args)) {
+    return args.length > 0;
+  }
+  if (typeof args === 'object') {
+    return Object.keys(args).length > 0;
+  }
+  return String(args).length > 0;
+}
+
+/**
+ * Get known capabilities from the classification database
+ * (values are per-tool capability strings, not flat boolean flags)
+ */
+export function getServerCapabilities(serverName) {
+  const classification = TOOL_CLASSIFICATIONS[serverName];
+  if (!classification || typeof classification !== 'object') {
+    return null;
+  }
+
+  const capSet = new Set();
+  for (const cap of Object.values(classification)) {
+    if (typeof cap === 'string' && cap) {
+      capSet.add(cap);
+    }
+  }
+
+  const caps = [];
+  if (capSet.has('reads_secrets')) {
+    caps.push(kleur.red('secrets'));
+  }
+  if (capSet.has('writes_code')) {
+    caps.push(kleur.yellow('code'));
+  }
+  if (capSet.has('sends_external')) {
+    caps.push(kleur.magenta('network'));
+  }
+  if (capSet.has('modifies_infra')) {
+    caps.push(kleur.red('infra'));
+  }
+  if (capSet.has('ingests_untrusted')) {
+    caps.push(kleur.cyan('untrusted'));
+  }
+
+  return caps.length > 0 ? caps.join(', ') : null;
+}

package/core/cli/LockCommand.js

@@ -0,0 +1,164 @@
+/**
+ * Lock / Diff Commands
+ * Creates and verifies .mcp-shark.lock — SHA-256 hashes of tool definitions
+ * Detects rug pull attacks (Catalog §1.5)
+ */
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import kleur from 'kleur';
+import { getAllServers, scanIdeConfigs } from './ConfigScanner.js';
+import { computeDiff, countParameters, hashToolDefinition, renderDiff } from './LockDiffEngine.js';
+import { S } from './symbols.js';
+
+const LOCKFILE_NAME = '.mcp-shark.lock';
+
+/**
+ * Execute the lock command — create or update lockfile
+ */
+export function executeLock(options = {}) {
+  const ideResults = scanIdeConfigs();
+  const servers = getAllServers(ideResults);
+
+  if (servers.length === 0) {
+    console.log(`  ${kleur.yellow(S.warn)} No MCP servers found to lock`);
+    return 1;
+  }
+
+  const lockData = buildLockData(servers);
+  const lockfilePath = join(process.cwd(), LOCKFILE_NAME);
+  const content = JSON.stringify(lockData, null, 2);
+
+  writeFileSync(lockfilePath, content, 'utf-8');
+  console.log('');
+  console.log(`  ${kleur.green(S.pass)} Lockfile created: ${LOCKFILE_NAME}`);
+  console.log(`  ${kleur.dim(`${Object.keys(lockData.servers).length} servers locked`)}`);
+
+  if (options.verify) {
+    return verifyLockfile(lockData);
+  }
+
+  console.log('');
+  console.log(kleur.dim('  Commit this file to detect future tool definition changes.'));
+  console.log(kleur.dim('  Verify: npx mcp-shark lock --verify'));
+  console.log('');
+
+  return 0;
+}
+
+/**
+ * Execute lock --verify — compare current state against lockfile
+ */
+export function executeLockVerify() {
+  const lockfilePath = join(process.cwd(), LOCKFILE_NAME);
+
+  if (!existsSync(lockfilePath)) {
+    console.log(`  ${kleur.red(S.fail)} No ${LOCKFILE_NAME} found`);
+    console.log(kleur.dim('  Run: npx mcp-shark lock'));
+    return 1;
+  }
+
+  const lockData = JSON.parse(readFileSync(lockfilePath, 'utf-8'));
+  return verifyLockfile(lockData);
+}
+
+/**
+ * Execute the diff command — show changes since last lock
+ */
+export function executeDiff() {
+  const lockfilePath = join(process.cwd(), LOCKFILE_NAME);
+
+  if (!existsSync(lockfilePath)) {
+    console.log(`  ${kleur.yellow(S.warn)} No ${LOCKFILE_NAME} found`);
+    console.log(kleur.dim('  Run: npx mcp-shark lock'));
+    return 1;
+  }
+
+  const lockData = JSON.parse(readFileSync(lockfilePath, 'utf-8'));
+  const ideResults = scanIdeConfigs();
+  const currentServers = getAllServers(ideResults);
+
+  const changes = computeDiff(lockData, currentServers);
+  renderDiff(changes);
+
+  return changes.length > 0 ? 1 : 0;
+}
+
+/**
+ * Build lockfile data structure
+ */
+function buildLockData(servers) {
+  const now = new Date().toISOString();
+  const serverEntries = {};
+
+  for (const server of servers) {
+    const toolHashes = buildToolHashes(server, now);
+
+    serverEntries[server.name] = {
+      source: server.ide,
+      config_path: server.configPath,
+      tools: toolHashes,
+      tool_count: (Array.isArray(server.tools) ? server.tools : []).length,
+      locked_at: now,
+    };
+  }
+
+  return {
+    version: 1,
+    created: now,
+    updated: now,
+    shark_version: getSharkVersion(),
+    servers: serverEntries,
+  };
+}
+
+/**
+ * Build tool hash entries for a server
+ */
+function buildToolHashes(server, now) {
+  const toolHashes = {};
+  const tools = Array.isArray(server.tools) ? server.tools : [];
+
+  for (const tool of tools) {
+    const toolObj = typeof tool === 'string' ? { name: tool } : tool;
+    const hash = hashToolDefinition(toolObj);
+    toolHashes[toolObj.name || 'unknown'] = {
+      hash: `sha256:${hash}`,
+      description_length: (toolObj.description || '').length,
+      parameter_count: countParameters(toolObj),
+      pinned_at: now,
+    };
+  }
+
+  return toolHashes;
+}
+
+/**
+ * Verify current state matches lockfile
+ */
+function verifyLockfile(lockData) {
+  const ideResults = scanIdeConfigs();
+  const currentServers = getAllServers(ideResults);
+  const changes = computeDiff(lockData, currentServers);
+
+  if (changes.length === 0) {
+    console.log(`  ${kleur.green(S.pass)} All definitions match lockfile`);
+    return 0;
+  }
+
+  console.log(`  ${kleur.red(S.fail)} ${changes.length} changes detected`);
+  renderDiff(changes);
+  return 1;
+}
+
+/**
+ * Get shark version from package.json
+ */
+function getSharkVersion() {
+  try {
+    const pkgPath = join(import.meta.dirname, '..', '..', 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version;
+  } catch (_err) {
+    return '1.0.0';
+  }
+}