npm - @mcpassure/mcp-anvisa-bulario - Versions diffs - 2.0.0 → 2.1.0 - Mend

@mcpassure/mcp-anvisa-bulario 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.en.md +34 -8
package/README.md +34 -8
package/dist/index.js +0 -0
package/package.json +23 -21
package/dist/utils/playwright-http.d.ts +0 -2
package/dist/utils/playwright-http.d.ts.map +0 -1
package/dist/utils/playwright-http.js +0 -4
package/dist/utils/playwright-http.js.map +0 -1

package/README.en.md CHANGED Viewed

@@ -8,9 +8,10 @@
 Enables AI agents (Claude, GPT, Copilot) to query drug leaflets (bulas), active ingredients, therapeutic classes, and other metadata for medications registered in Brazil, with structured responses and efficient caching.
-[![CI](https://github.com/mcpassure/mcp-anvisa-bulario/actions/workflows/ci.yml/badge.svg)](https://github.com/mcpassure/mcp-anvisa-bulario/actions)
 [![npm](https://img.shields.io/npm/v/@mcpassure/mcp-anvisa-bulario)](https://www.npmjs.com/package/@mcpassure/mcp-anvisa-bulario)
 [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+[![OSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/mcpassure/monorepo/badge)](https://securityscorecards.dev/viewer/?uri=github.com/mcpassure/monorepo)
+[![SAFE-MCP](https://img.shields.io/badge/SAFE--MCP-mapped-green)](#safe-mcp-mapping)
 ---
@@ -89,13 +90,7 @@ Add to `claude_desktop_config.json`:
 ## Demo
-![Demo](./.github/assets/demo.gif)
-To run locally:
-```bash
-npm run demo
-```
+🚧 Demo GIF coming soon.
 ---
@@ -194,3 +189,34 @@ Maintained by [MCPAssure Brasil](https://github.com/mcpassure). See [CONTRIBUTIN
 ---
 Part of the [MCPAssure](https://github.com/mcpassure) catalog — curated MCP examples for Brazilian healthcare.
+---
+## SAFE-MCP Mapping
+Assessment against the SAFE-MCP framework (OpenSSF + LF + OpenID Foundation).
+### Mitigated attacks
+| ID | Attack | Status | How we mitigate it |
+|----|--------|--------|-------------------|
+| SAFE-T001 | Tool Poisoning | ✓ Mitigated | Strict Zod schema; drug names validated before querying the database |
+| SAFE-T002 | Indirect Prompt Injection | ✓ Mitigated | Structured output (`structuredContent`); ANVISA content is tabular, no executable markup |
+| SAFE-T003 | Credential exposure | ✓ Mitigated | Public ANVISA data with no authentication; R2 only in server-side Worker |
+| SAFE-T004 | Data exfiltration | ✓ Mitigated | Read-only on public drug data; no access to user data |
+| SAFE-T005 | Resource exhaustion | ✓ Mitigated | Local SQLite cache (18MB); canary uses HEAD request or single header download |
+### NOT mitigated (honest declaration)
+| ID | Attack | Why not mitigated |
+|----|--------|------------------|
+| SAFE-T010 | Supply-chain attack via npm | `pnpm audit` + Renovate; no SBOM generated yet |
+| SAFE-T015 | Side-channel timing analysis | Not relevant for public tabular drug data |
+### Lethal Trifecta Declaration (Willison, 2025)
+1. **Private data access** — ✗ **Absent.** ANVISA Bulário is entirely public; no patient data is accessed.
+2. **Untrusted content exposure** — ⚠ **Partial.** Inputs validated by Zod; ANVISA data is governmental.
+3. **External communication capability** — ✗ **Absent.** MCP operates on local SQLite cache; no runtime external calls.
+**Conclusion:** this MCP **does not combine all 3 factors simultaneously**. Local-first architecture eliminates the external communication factor.

package/README.md CHANGED Viewed

@@ -8,9 +8,10 @@
 Permite que agentes de IA (Claude, GPT, Copilot) consultem bulas, princípios ativos, classes terapêuticas e demais metadados de medicamentos registrados no Brasil com resposta estruturada e cache eficiente.
-[![CI](https://github.com/mcpassure/mcp-anvisa-bulario/actions/workflows/ci.yml/badge.svg)](https://github.com/mcpassure/mcp-anvisa-bulario/actions)
 [![npm](https://img.shields.io/npm/v/@mcpassure/mcp-anvisa-bulario)](https://www.npmjs.com/package/@mcpassure/mcp-anvisa-bulario)
 [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+[![OSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/mcpassure/monorepo/badge)](https://securityscorecards.dev/viewer/?uri=github.com/mcpassure/monorepo)
+[![SAFE-MCP](https://img.shields.io/badge/SAFE--MCP-mapped-green)](#safe-mcp-mapping)
 ---
@@ -90,13 +91,7 @@ Adicione ao `claude_desktop_config.json`:
 ## Demo
-![Demo](./.github/assets/demo.gif)
-Para rodar localmente:
-```bash
-npm run demo
-```
+🚧 Demo GIF em breve.
 ---
@@ -190,3 +185,34 @@ Mantido pela [MCPAssure Brasil](https://github.com/mcpassure). Consulte [CONTRIB
 ---
 Parte do catálogo [MCPAssure](https://github.com/mcpassure) — exemplos de curadoria de MCPs para saúde brasileira.
+---
+## SAFE-MCP Mapping
+Avaliação contra o framework SAFE-MCP (OpenSSF + LF + OpenID Foundation).
+### Ataques mitigados
+| ID | Ataque | Status | Como mitigamos |
+|----|--------|--------|----------------|
+| SAFE-T001 | Tool Poisoning | ✓ Mitigado | Schema Zod estrito; nomes de medicamentos validados antes de consultar banco |
+| SAFE-T002 | Indirect Prompt Injection | ✓ Mitigado | Output estruturado (`structuredContent`); conteúdo ANVISA é tabular, sem markup executável |
+| SAFE-T003 | Credential exposure | ✓ Mitigado | Dados públicos ANVISA sem autenticação; R2 apenas em Worker server-side |
+| SAFE-T004 | Data exfiltration | ✓ Mitigado | Read-only sobre dados públicos de medicamentos; sem acesso a dados de usuário |
+| SAFE-T005 | Resource exhaustion | ✓ Mitigado | Cache SQLite local (18MB); canary usa HEAD request ou download único de header |
+### Ataques NÃO mitigados (declaração honesta)
+| ID | Ataque | Por que não mitigado |
+|----|--------|---------------------|
+| SAFE-T010 | Supply-chain attack via npm | `pnpm audit` + Renovate; sem SBOM gerado ainda |
+| SAFE-T015 | Side-channel timing analysis | Não relevante para dados públicos tabelados de medicamentos |
+### Lethal Trifecta Declaration (Willison, 2025)
+1. **Acesso a dados privados** — ✗ **Ausente.** Bulário ANVISA é integralmente público; nenhum dado de paciente é acessado.
+2. **Exposição a conteúdo não-confiável** — ⚠ **Parcial.** Inputs validados por Zod; dados ANVISA são governamentais.
+3. **Capacidade de comunicação externa** — ✗ **Ausente.** MCP opera sobre banco SQLite local; sem chamadas em runtime.
+**Conclusão:** este MCP **não combina os 3 fatores simultaneamente**. Arquitetura local-first elimina o fator de comunicação externa.

package/dist/index.js CHANGED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mcpassure/mcp-anvisa-bulario",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "mcpName": "io.github.mcpassure/mcp-anvisa-bulario",
   "description": "MCP server para consulta do Bulário Eletrônico da ANVISA via CSV oficial",
   "license": "MIT",
@@ -32,24 +32,6 @@
     "README.md",
     "LICENSE"
   ],
-  "scripts": {
-    "build": "tsc -p tsconfig.build.json",
-    "start": "node dist/index.js",
-    "dev": "tsx src/index.ts",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:integration": "tsx integration-tests/bin/run-all.ts",
-    "test:integration:offline": "tsx integration-tests/bin/run-all.ts --offline",
-    "lint": "biome check src tests evals integration-tests test-utils",
-    "lint:fix": "biome check --write src tests evals integration-tests test-utils",
-    "format": "biome format --write src tests evals integration-tests test-utils",
-    "typecheck": "tsc --noEmit",
-    "sync": "tsx src/scripts/sync.ts",
-    "evals": "tsx evals/runner.ts",
-    "canary": "tsx src/scripts/canary.ts",
-    "demo": "tsx scripts/demo.ts",
-    "prepublishOnly": "npm run lint && npm run typecheck && npm run test && npm run build"
-  },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "aws4fetch": "^1.0.20",
@@ -62,9 +44,29 @@
     "@types/node": "^22.10.0",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vitest": "^4.1.6"
+    "vitest": "^4.1.6",
+    "@mcpassure/test-utils": "0.1.0"
   },
   "engines": {
     "node": ">=22.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "start": "node dist/index.js",
+    "dev": "tsx src/index.ts",
+    "test": "vitest run --exclude tests/e2e",
+    "test:e2e": "vitest run tests/e2e",
+    "test:watch": "vitest",
+    "test:integration": "tsx integration-tests/bin/run-all.ts",
+    "test:integration:offline": "tsx integration-tests/bin/run-all.ts --offline",
+    "lint": "biome check src tests evals integration-tests test-utils",
+    "lint:fix": "biome check --write src tests evals integration-tests test-utils",
+    "format": "biome format --write src tests evals integration-tests test-utils",
+    "typecheck": "tsc --noEmit",
+    "sync": "tsx src/scripts/sync.ts",
+    "evals": "tsx evals/runner.ts",
+    "canary": "tsx src/scripts/canary.ts",
+    "schema:check": "tsx scripts/schema-check.ts",
+    "demo": "tsx scripts/demo.ts"
   }
-}
+}

package/dist/utils/playwright-http.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export { HttpClient } from "./http.js";
2	- //# sourceMappingURL=playwright-http.d.ts.map

package/dist/utils/playwright-http.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"playwright-http.d.ts","sourceRoot":"","sources":["../../src/utils/playwright-http.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC"}

package/dist/utils/playwright-http.js DELETED Viewed

@@ -1,4 +0,0 @@
-// Consolidado em ./http.ts — este arquivo será removido na próxima limpeza.
-// Re-export pra manter qualquer import legacy funcionando temporariamente.
-export { HttpClient } from "./http.js";
-//# sourceMappingURL=playwright-http.js.map

package/dist/utils/playwright-http.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"playwright-http.js","sourceRoot":"","sources":["../../src/utils/playwright-http.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,2EAA2E;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC"}