@perfai/mcp 1.0.24 → 1.0.25

package/README.md

@@ -1,352 +1,339 @@
-# PerfAI MCP Server
+# @perfai/mcp
 
-A specialized Model Context Protocol (MCP) server for **PerfAI Security Analysis** with Auth0 authentication.
+A Model Context Protocol (MCP) server that brings **PerfAI Security, Design & Quality Analysis** directly into your AI coding assistant. Authenticate once, then list and triage API security issues, generate AI-powered fix prompts, and view detailed dashboards — all from within Claude, Cursor, VS Code, Windsurf, Zed, or any MCP-compatible client.
 
-## 📦 Installation (from npm)
-
-Install globally (CLI):
-
-```bash
-npm install -g perfai-mcp-server
-```
-
-Or add as a project dependency:
-
-```bash
-npm install perfai-mcp-server --save-dev
-```
-
-## ⚙️ Quick Setup
+---
 
-Generate MCP configuration files with placeholders:
+## 📦 Installation
 
 ```bash
-perfai-mcp-setup
+npx -y @perfai/mcp@latest
 ```
 
-This creates `cursor_mcp_config.json` and `vscode_mcp_config.json` in your current directory with placeholder credentials that you can edit.
-
-## 🚀 Run (CLI)
+Or install globally:
 
 ```bash
-perfai-mcp-server
+npm install -g @perfai/mcp
 ```
 
-This starts the MCP server over stdio. Use with an MCP client (Cursor, VS Code, MCP Inspector).
+---
 
-### Required Environment Variables
+## ⚡ Quick Start — One-Line Setup
 
-You only need to provide your PerfAI credentials:
+### Claude (Desktop or CLI)
 
 ```bash
-set PERFAI_USERNAME=your-username
-set PERFAI_PASSWORD=your-password
+claude mcp add perfai-mcp -e PERFAI_USERNAME=your@email.com -e PERFAI_PASSWORD=yourpassword -- npx -y @perfai/mcp@latest
 ```
 
-**Note:** Auth0 domain and client ID are pre-configured and don't need to be set.
-
-### Kubernetes (K8s Secrets)
-
-Store credentials in a Kubernetes `Secret` and inject them as environment variables (recommended for clusters).
+That single command registers the server, sets credentials, and connects it to Claude. No config file editing needed.
 
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: perfai-mcp-secrets
-type: Opaque
-stringData:
-  PERFAI_USERNAME: "<perfai-username>"
-  PERFAI_PASSWORD: "<perfai-password>"
-  # Optional (only if used in your deployment)
-  PERFAI_DASHBOARD_API_AUTH: "Authorization: Basic <base64(user:pass)>"
-  PERFAI_AUTH0_CLIENT_SECRET: "<auth0-client-secret>"
 ---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: perfai-mcp
-spec:
-  template:
-    spec:
-      containers:
-        - name: perfai-mcp
-          envFrom:
-            - secretRef:
-                name: perfai-mcp-secrets
-```
-
-## 🧩 Programmatic Usage
-
-```ts
-import { startServer, authManager, AuthenticationManager } from '@perfai/mcp-server';
-
-// Start server (returns a promise)
-await startServer();
-```
-
-All logging is written to stderr to remain MCP-compatible.
-
-## 🔐 Authentication & Security
 
-**🎯 Universal Device Code Authentication** - Works with ANY MCP client without configuration!
+## 🔧 MCP Client Configuration
 
-- **🔑 Auth0 Integration**: Seamless integration with `auth.perfai.ai`
-- **🌐 Zero Configuration**: No redirect URLs needed - works everywhere
-- **📱 Device Code Flow**: Simple browser authentication like Netflix/GitHub
-- **🛡️ Session Management**: Secure token storage and automatic validation
-- **🔄 Auto-Detection**: Server automatically detects authentication completion
-- **👥 Multi-User Support**: Isolated sessions for different users
+### Claude Desktop
 
-## 🛠️ Available Tools
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
 
-### 🔓 **Public Tools** (No authentication required)
-- **🔐 `login`**: Authenticate with PerfAI using OAuth2 Device Code flow
-- **📊 `auth_status`**: Check current authentication status and user information
-
-### 🔒 **Protected Tools** (Authentication required)
-
-#### 👤 **User Management**
-- **👤 `user_info`**: Get detailed authenticated user information
-- **🚪 `logout`**: Clear authentication session and logout
-
-#### 🏢 **Organization Management**
-- **🏢 `manage_organizations`**: List, select, and refresh organizations
-  - Actions: `list`, `select`, `refresh`
-- **📋 `list_apps`**: List all APPs in table format (Seq, App Name, Label) - shows unique instances
-- **🎯 `select_app`**: Select an APP by sequence number from list_apps table
-
-#### 🔒 **Security Analysis**
-- **🔒 `show_security_issues`**: List security vulnerabilities by organization
-  - Shows 20 issues at a time with pagination
-  - Sorted by severity (Critical → High → Medium → Low)
-  - Displays CVSS scores for each issue
-  - Supports pagination, search, and severity filtering
-- **🤖 `ai_fix_security_issue`**: Generate AI-powered remediation prompts
-  - Works with sequence numbers, issue IDs, or descriptive text
-- **📋 `show_fixed_issues`**: View all AI-fixed security issues in current session
-
-#### 🚀 **Security Testing**
-- **🚀 `run_security_test`**: Execute comprehensive security analysis using Docker
-  - Requires OpenAPI spec URL and local API base path
-  - Uses PerfAI's Docker-based security testing engine
-  - Waits 40 seconds for system to process security issues
-- **🔍 `check_security_fixes`**: Check which previously fixed security issues were actually resolved
-  - Independent tool that can be run anytime
-  - Shows comparison table of fixed vs still existing issues
-  - Clears fixed issues from session after comparison
-
-## 🚀 Quick Start (Local Development)
-
-### 1. Install Dependencies
-```bash
-npm install
-```
-
-### 2. Build the Project
-```bash
-npm run build
+```json
+{
+  "mcpServers": {
+    "perfai-mcp": {
+      "command": "npx",
+      "args": ["-y", "@perfai/mcp@latest"],
+      "env": {
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
+      }
+    }
+  }
+}
 ```
 
-### 3. Start the Server (built output)
-```bash
-npm start
-```
+### Cursor
 
-Or directly via ts-node (optional):
+**Project-level** — create `.cursor/mcp.json` in your project root:
 
-```bash
-npx ts-node src/index.ts
+```json
+{
+  "mcpServers": {
+    "perfai-mcp": {
+      "command": "npx",
+      "args": ["-y", "@perfai/mcp@latest"],
+      "env": {
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
+      }
+    }
+  }
+}
 ```
 
-### 4. Test with MCP Inspector (Optional)
-```bash
-npm run mcp:inspect
-```
+**Global** — add the same block to `~/.cursor/mcp.json`.
 
-## 🔧 MCP Client Configuration
+### VS Code (Copilot Agent Mode)
+
+Create `.vscode/mcp.json` in your workspace:
 
-### For Cursor
-Add to your `cursor_mcp_config.json`:
 ```json
 {
-  "mcpServers": {
+  "servers": {
     "perfai-mcp": {
       "type": "stdio",
       "command": "npx",
-      "args": ["perfai-mcp-server"],
+      "args": ["-y", "@perfai/mcp@latest"],
       "env": {
-        "PERFAI_USERNAME": "your-username",
-        "PERFAI_PASSWORD": "your-password"
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
       }
     }
   }
 }
 ```
 
-### For VS Code
-Add to your `vscode_mcp_config.json`:
+> Note: VS Code uses the `"servers"` key (not `"mcpServers"`).
+
+### Windsurf
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
+
 ```json
 {
   "mcpServers": {
     "perfai-mcp": {
-      "type": "stdio",
       "command": "npx",
-      "args": ["perfai-mcp-server"],
+      "args": ["-y", "@perfai/mcp@latest"],
       "env": {
-        "PERFAI_USERNAME": "your-username",
-        "PERFAI_PASSWORD": "your-password"
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
       }
     }
   }
 }
 ```
 
-## 🧪 Authentication Flow
+### Zed
+
+Add to your Zed `settings.json`:
 
-### Step-by-Step Authentication
+```json
+{
+  "context_servers": {
+    "perfai-mcp": {
+      "command": {
+        "path": "npx",
+        "args": ["-y", "@perfai/mcp@latest"],
+        "env": {
+          "PERFAI_USERNAME": "your@email.com",
+          "PERFAI_PASSWORD": "yourpassword"
+        }
+      },
+      "settings": {}
+    }
+  }
+}
+```
 
-1. **Check Initial Status**: Run `auth_status` → Shows "Not Authenticated"
-2. **Login**: Run `login` tool:
-   - ✅ Browser automatically opens to PerfAI Auth0 device page
-   - 📱 You'll see a simple code (e.g., `BDJK-WHNZ`)
-   - 🔐 Enter the code in browser and complete authentication
-   - 🔄 Server automatically detects completion
-3. **Verify**: Run `auth_status` → Shows user info and "Authenticated"
-4. **Use Protected Tools**: All 9 protected tools now available
-5. **Logout**: Run `logout` → Returns to 2 public tools only
+### Any other MCP client
 
-### Security Features
-- **🔒 Zero Configuration**: No Auth0 redirect URL setup required
-- **🌐 Universal Compatibility**: Works with any MCP client
-- **⏰ Auto-Expiry**: Tokens automatically expire for security
-- **🔄 Session Isolation**: Each user session is completely isolated
+```json
+{
+  "command": "npx",
+  "args": ["-y", "@perfai/mcp@latest"],
+  "env": {
+    "PERFAI_USERNAME": "your@email.com",
+    "PERFAI_PASSWORD": "yourpassword"
+  }
+}
+```
 
-## 📋 Tool Usage Examples
+---
 
-### Organization Management
-```bash
-# List available organizations
-manage_organizations {"action": "list"}
+## 🔐 Authentication
 
-# Select an organization
-manage_organizations {"action": "select", "org_id": "your-org-id"}
+Run the `login` tool from your AI assistant to open a browser-based Auth0 login. After authenticating, all protected tools become available automatically.
 
-# Refresh organization list
-manage_organizations {"action": "refresh"}
+```
+login                  # opens browser → authenticate → done
+auth_status            # verify you're authenticated
+logout                 # clear session
 ```
 
-### Security Analysis
-```bash
-# List security issues
-show_security_issues {"limit": 20}
+---
 
-# Search for specific app issues
-show_security_issues {"search": "myapp", "limit": 10}
+## 🛠️ Available Tools
 
-# Generate AI fix for an issue by sequence number
-ai_fix_security_issue {"issue_id": "14"}
+### 🔓 Public (no authentication required)
+
+| Tool | Description |
+|------|-------------|
+| `login` | Authenticate with PerfAI via Auth0 OAuth. Opens browser. |
+| `auth_status` | Check current authentication status and user info. |
+
+### 🔒 Protected (authentication required)
+
+#### User & Session
+| Tool | Description |
+|------|-------------|
+| `user_info` | Get detailed information about the authenticated user. |
+| `logout` | Clear authentication session. |
+| `setup` | Auto-configure org and app with default values. |
+
+#### Organization & App Management
+| Tool | Parameters | Description |
+|------|------------|-------------|
+| `manage_organizations` | `action` (list/select/refresh), `sequence`, `org_id` | List orgs with sequence numbers, select by number or ID. |
+| `list_apps` | `search`, `environment`, `page`, `limit` | List all APPs with optional filters and pagination. |
+| `select_app` | `sequence`, `name_or_label`, `app_id` | Select an APP by sequence number, partial name/label, or exact ID. |
+
+#### Issue Summary
+| Tool | Description |
+|------|-------------|
+| `summarize_issues` | Full dashboard for the selected APP — security risk, design issues, quality issues, attack surface, bug bounty savings, and coverage. |
+
+#### Security Issues
+| Tool | Parameters | Description |
+|------|------------|-------------|
+| `show_security_issues` | `limit`, `severities[]`, `status`, `sort_by`, `sort_order`, `search`, `cursor` | List security vulnerabilities with filters. |
+| `ai_fix_security_issue` | `issue_id` (sequence #, ID, or description) | Generate an AI-powered fix prompt for a security issue. |
+| `check_security_fixes` | `wait_seconds` | Check which previously fixed issues were actually resolved. |
+
+#### Design Issues
+| Tool | Parameters | Description |
+|------|------------|-------------|
+| `show_design_issues` | `limit`, `status`, `sort_by`, `sort_order`, `search`, `cursor` | List API design issues with filters. |
+| `ai_fix_design_issue` | `issue_id` | Generate an AI-powered fix prompt for a design issue. |
+| `check_design_fixes` | `wait_seconds` | Check which design fixes were actually resolved. |
+
+#### Quality / Spec Validation Issues
+| Tool | Parameters | Description |
+|------|------------|-------------|
+| `show_quality_issues` | `limit`, `sort_by`, `sort_order`, `search`, `cursor` | List spec validation issues. |
+| `ai_fix_quality_issue` | `issue_id` | Generate an AI-powered fix prompt for a quality issue. |
+| `check_quality_fixes` | `wait_seconds` | Check which quality fixes were actually resolved. |
+
+#### Session State
+| Tool | Description |
+|------|-------------|
+| `show_fixed_issues` | Show all AI-fixed issues from the current session. |
 
-# Generate AI fix for an issue by ID
-ai_fix_security_issue {"issue_id": "issue-id-here"}
+---
 
-# Generate AI fix for an issue by description
-ai_fix_security_issue {"issue_id": "System Design Issues/Enumerable Resource ID • MULTIPLE /store"}
+## 💡 Typical Workflow
 
-# Show all fixed issues
-show_fixed_issues {}
+```
+1. login                                                          # authenticate
+2. manage_organizations {"action": "list"}                        # see your orgs
+3. manage_organizations {"action": "select", "sequence": 1}
+4. list_apps {"search": "payments"}                               # find your app
+5. select_app {"sequence": 2}                                     # or by name: {"name_or_label": "payments"}
+6. summarize_issues                                               # dashboard overview
+7. show_security_issues {"severities": ["Critical", "High"]}
+8. ai_fix_security_issue {"issue_id": "3"}                        # fix issue #3
+9. show_design_issues {"status": "Open"}
+10. show_quality_issues {}
 ```
 
-### APP Management
-```bash
-# List available APPs (shows table with sequence numbers)
-list_apps {}
+---
 
-# Select an APP by sequence number from list_apps table
-select_app {"sequence": 1}
-```
+## 📋 Tool Examples
 
-### Security Testing
-```bash
-# Run comprehensive security test (waits 40 seconds for processing)
-run_security_test {
-  "spec_url": "http://localhost:3000/swagger.json",
-  "local_base_path": "http://localhost:3000"
-}
+### Organization & App Selection
 
-# Check which previously fixed issues were actually resolved
-check_security_fixes {"wait_seconds": 15}
-```
+```jsonc
+// List organizations with sequence numbers
+manage_organizations {"action": "list"}
 
-## 🏗️ Development
+// Select org by sequence number (preferred)
+manage_organizations {"action": "select", "sequence": 2}
 
-### Watch Mode
-```bash
-npm run dev
-```
+// List apps — filter by name or environment
+list_apps {"search": "checkout", "environment": "production", "page": 1, "limit": 50}
 
-### Available Scripts
-- `npm run build` – Compile TypeScript to JavaScript
-- `npm run dev` – Watch mode for development
-- `npm start` – Start the MCP server
-- `npm run mcp:inspect` – Start MCP Inspector for testing
+// Select app by partial name
+select_app {"name_or_label": "checkout"}
 
-### Project Structure
+// Select app by sequence number from list_apps
+select_app {"sequence": 4}
 ```
-├── src/
-│   └── index.ts              # Main MCP server implementation
-├── dist/                     # Compiled JavaScript output
-├── package.json              # Dependencies and scripts
-├── tsconfig.json             # TypeScript configuration
-├── cursor_mcp_config.json    # Cursor MCP client config
-├── vscode_mcp_config.json    # VS Code MCP client config
-└── README.md                 # This file
+
+### Summary Dashboard
+
+```jsonc
+// Full dashboard: security + design + quality + attack surface
+summarize_issues {}
 ```
 
-## 🔍 Troubleshooting
+### Security Issues
 
-### Publishing (Maintainers)
+```jsonc
+// Show only Critical and High issues
+show_security_issues {"severities": ["Critical", "High"], "limit": 20}
 
-```bash
-# Bump version (choose patch|minor|major)
-npm version patch
+// Show dismissed issues
+show_security_issues {"status": "Dismissed"}
+
+// Fix issue #5
+ai_fix_security_issue {"issue_id": "5"}
 
-# Publish (scoped public)
-npm publish --access public
+// Fix by description
+ai_fix_security_issue {"issue_id": "System Design Issues/Enumerable Resource ID • GET /users"}
 ```
 
-If you see 403 errors ensure: (1) You're logged in (`npm whoami`), (2) The `@perfai` scope exists and you have publish rights, (3) Version not already published.
+### Design & Quality Issues
 
-### Common Issues
+```jsonc
+show_design_issues {"status": "Open", "sort_by": "createdOn", "sort_order": "DESC"}
+show_quality_issues {"limit": 50}
+ai_fix_design_issue {"issue_id": "2"}
+ai_fix_quality_issue {"issue_id": "7"}
+```
 
-#### Authentication Problems
-- **Browser doesn't open**: Manually visit the URL shown in the login response
-- **Code expired**: Run `login` again to get a new device code
-- **Stuck on authentication**: Check browser for any error messages
+---
 
-#### Organization Issues
-- **No organizations found**: Run `manage_organizations {"action": "refresh"}`
-- **Permission denied**: Ensure your PerfAI account has organization access
+## 🚀 Local Development
 
-#### API Testing Issues
-- **Docker errors**: Ensure Docker Desktop is running
-- **Invalid URLs**: Verify your APP is accessible and spec URL is valid
-- **Timeout**: Large APIs may take longer; check Docker logs
+```bash
+git clone https://github.com/perfai/mcp-server.git
+cd mcp-server
+npm install
+npm run build        # compile TS → dist/
+npm start            # start MCP server
+npm run dev          # watch mode
+npm run mcp:inspect  # MCP Inspector UI at http://localhost:6274
+```
 
-### Debug Mode
-The server logs all activity to stderr, making debugging easier:
+---
+
+## 🔍 Troubleshooting
+
+| Problem | Fix |
+|---------|-----|
+| Browser doesn't open on `login` | Manually visit the URL shown in the tool response |
+| `No organizations found` | Run `manage_organizations {"action": "refresh"}` |
+| App not found by name | Run `list_apps {}` first and use the exact sequence number |
+| Protected tool says "Authentication required" | Run `login` first |
+| Stale issues after a fix | Wait a moment and re-run `show_*_issues` |
+
+Debug logs go to stderr:
 ```bash
-npm start 2> debug.log  # Capture debug logs
+npm start 2> debug.log
 ```
 
-## 🌟 Features
+---
+
+## 🌟 Key Features
+
+- **Auth0 OAuth2** — secure browser-based login, no plaintext credentials in config
+- **Org & App selection** — by sequence number, name/label partial match, or ID
+- **Issue filters** — severity, status (Open/Dismissed), sort field & direction, keyword search, pagination
+- **Summary dashboard** — single-call overview of security, design, quality, attack surface, and bug bounty savings
+- **AI fix prompts** — generate actionable fix instructions for any issue by number, ID, or description
+- **Fix tracking** — compare AI-fixed issues against post-run results to confirm resolution
 
-- **🎯 PerfAI-Focused**: Built specifically for PerfAI security workflows
-- **🔐 Secure Authentication**: OAuth2 Device Code flow with session management
-- **📊 Comprehensive Analysis**: Full security issue management and AI-powered fixes
-- **🐳 Docker Integration**: Containerized security testing engine
-- **🔄 Real-time Updates**: Live tool list updates based on authentication state
-- **📱 Universal Client Support**: Works with Cursor, VS Code, and any MCP client
+---
 
+## 📄 License
 
-**🚀 Ready to secure your APIs with PerfAI's MCP integration!**
+MIT — see [LICENSE](LICENSE)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@perfai/mcp",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "description": "PerfAI MCP Server - Security, Design & Quality Analysis with Auth0 Authentication",
   "main": "dist/server.js",
   "bin": {