@perfai/mcp 1.0.24 → 1.0.26

package/README.md

@@ -1,352 +1,348 @@
-# PerfAI MCP Server
+# @perfai/mcp
 
-A specialized Model Context Protocol (MCP) server for **PerfAI Security Analysis** with Auth0 authentication.
+A Model Context Protocol (MCP) server that brings **PerfAI Security, Design & Quality Analysis** directly into your AI coding assistant. Authenticate once, then list and triage API security issues, generate AI-powered fix prompts, and view detailed dashboards — all from within Claude, Cursor, VS Code, Windsurf, Zed, or any MCP-compatible client.
 
-## 📦 Installation (from npm)
+---
 
-Install globally (CLI):
+## 📦 Installation
 
 ```bash
-npm install -g perfai-mcp-server
+npx -y @perfai/mcp@latest
 ```
 
-Or add as a project dependency:
+Or install globally:
 
 ```bash
-npm install perfai-mcp-server --save-dev
+npm install -g @perfai/mcp
 ```
 
-## ⚙️ Quick Setup
-
-Generate MCP configuration files with placeholders:
-
-```bash
-perfai-mcp-setup
-```
+---
 
-This creates `cursor_mcp_config.json` and `vscode_mcp_config.json` in your current directory with placeholder credentials that you can edit.
+## ⚡ Quick Start — One-Line Setup
 
-## 🚀 Run (CLI)
+### Claude (Desktop or CLI)
 
 ```bash
-perfai-mcp-server
-```
-
-This starts the MCP server over stdio. Use with an MCP client (Cursor, VS Code, MCP Inspector).
+claude mcp add perfai-mcp --scope user -e PERFAI_USERNAME=your@email.com -e PERFAI_PASSWORD=yourpassword -- npx -y @perfai/mcp@latest
 
-### Required Environment Variables
-
-You only need to provide your PerfAI credentials:
-
-```bash
-set PERFAI_USERNAME=your-username
-set PERFAI_PASSWORD=your-password
 ```
 
-**Note:** Auth0 domain and client ID are pre-configured and don't need to be set.
-
-### Kubernetes (K8s Secrets)
+That single command registers the server, sets credentials, and connects it to Claude. No config file editing needed.
 
-Store credentials in a Kubernetes `Secret` and inject them as environment variables (recommended for clusters).
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: perfai-mcp-secrets
-type: Opaque
-stringData:
-  PERFAI_USERNAME: "<perfai-username>"
-  PERFAI_PASSWORD: "<perfai-password>"
-  # Optional (only if used in your deployment)
-  PERFAI_DASHBOARD_API_AUTH: "Authorization: Basic <base64(user:pass)>"
-  PERFAI_AUTH0_CLIENT_SECRET: "<auth0-client-secret>"
 ---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: perfai-mcp
-spec:
-  template:
-    spec:
-      containers:
-        - name: perfai-mcp
-          envFrom:
-            - secretRef:
-                name: perfai-mcp-secrets
-```
-
-## 🧩 Programmatic Usage
-
-```ts
-import { startServer, authManager, AuthenticationManager } from '@perfai/mcp-server';
 
-// Start server (returns a promise)
-await startServer();
-```
-
-All logging is written to stderr to remain MCP-compatible.
-
-## 🔐 Authentication & Security
-
-**🎯 Universal Device Code Authentication** - Works with ANY MCP client without configuration!
+## 🔧 MCP Client Configuration
 
-- **🔑 Auth0 Integration**: Seamless integration with `auth.perfai.ai`
-- **🌐 Zero Configuration**: No redirect URLs needed - works everywhere
-- **📱 Device Code Flow**: Simple browser authentication like Netflix/GitHub
-- **🛡️ Session Management**: Secure token storage and automatic validation
-- **🔄 Auto-Detection**: Server automatically detects authentication completion
-- **👥 Multi-User Support**: Isolated sessions for different users
+### Claude Desktop
 
-## 🛠️ Available Tools
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\Claude\claude_desktop_config.json` (Windows):
 
-### 🔓 **Public Tools** (No authentication required)
-- **🔐 `login`**: Authenticate with PerfAI using OAuth2 Device Code flow
-- **📊 `auth_status`**: Check current authentication status and user information
-
-### 🔒 **Protected Tools** (Authentication required)
-
-#### 👤 **User Management**
-- **👤 `user_info`**: Get detailed authenticated user information
-- **🚪 `logout`**: Clear authentication session and logout
-
-#### 🏢 **Organization Management**
-- **🏢 `manage_organizations`**: List, select, and refresh organizations
-  - Actions: `list`, `select`, `refresh`
-- **📋 `list_apps`**: List all APPs in table format (Seq, App Name, Label) - shows unique instances
-- **🎯 `select_app`**: Select an APP by sequence number from list_apps table
-
-#### 🔒 **Security Analysis**
-- **🔒 `show_security_issues`**: List security vulnerabilities by organization
-  - Shows 20 issues at a time with pagination
-  - Sorted by severity (Critical → High → Medium → Low)
-  - Displays CVSS scores for each issue
-  - Supports pagination, search, and severity filtering
-- **🤖 `ai_fix_security_issue`**: Generate AI-powered remediation prompts
-  - Works with sequence numbers, issue IDs, or descriptive text
-- **📋 `show_fixed_issues`**: View all AI-fixed security issues in current session
-
-#### 🚀 **Security Testing**
-- **🚀 `run_security_test`**: Execute comprehensive security analysis using Docker
-  - Requires OpenAPI spec URL and local API base path
-  - Uses PerfAI's Docker-based security testing engine
-  - Waits 40 seconds for system to process security issues
-- **🔍 `check_security_fixes`**: Check which previously fixed security issues were actually resolved
-  - Independent tool that can be run anytime
-  - Shows comparison table of fixed vs still existing issues
-  - Clears fixed issues from session after comparison
-
-## 🚀 Quick Start (Local Development)
-
-### 1. Install Dependencies
-```bash
-npm install
-```
-
-### 2. Build the Project
-```bash
-npm run build
+```json
+{
+  "mcpServers": {
+    "perfai-mcp": {
+      "command": "npx",
+      "args": ["-y", "@perfai/mcp@latest"],
+      "env": {
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
+      }
+    }
+  }
+}
 ```
 
-### 3. Start the Server (built output)
-```bash
-npm start
-```
+### Cursor
 
-Or directly via ts-node (optional):
+**Project-level** — create `.cursor/mcp.json` in your project root:
 
-```bash
-npx ts-node src/index.ts
+```json
+{
+  "mcpServers": {
+    "perfai-mcp": {
+      "command": "npx",
+      "args": ["-y", "@perfai/mcp@latest"],
+      "env": {
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
+      }
+    }
+  }
+}
 ```
 
-### 4. Test with MCP Inspector (Optional)
-```bash
-npm run mcp:inspect
-```
+**Global** — add the same block to `~/.cursor/mcp.json`.
 
-## 🔧 MCP Client Configuration
+### VS Code (Copilot Agent Mode)
+
+Create `.vscode/mcp.json` in your workspace:
 
-### For Cursor
-Add to your `cursor_mcp_config.json`:
 ```json
 {
-  "mcpServers": {
+  "servers": {
     "perfai-mcp": {
       "type": "stdio",
       "command": "npx",
-      "args": ["perfai-mcp-server"],
+      "args": ["-y", "@perfai/mcp@latest"],
       "env": {
-        "PERFAI_USERNAME": "your-username",
-        "PERFAI_PASSWORD": "your-password"
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
       }
     }
   }
 }
 ```
 
-### For VS Code
-Add to your `vscode_mcp_config.json`:
+> Note: VS Code uses the `"servers"` key (not `"mcpServers"`).
+
+### Windsurf
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
+
 ```json
 {
   "mcpServers": {
     "perfai-mcp": {
-      "type": "stdio",
       "command": "npx",
-      "args": ["perfai-mcp-server"],
+      "args": ["-y", "@perfai/mcp@latest"],
       "env": {
-        "PERFAI_USERNAME": "your-username",
-        "PERFAI_PASSWORD": "your-password"
+        "PERFAI_USERNAME": "your@email.com",
+        "PERFAI_PASSWORD": "yourpassword"
       }
     }
   }
 }
 ```
 
-## 🧪 Authentication Flow
+### Zed
 
-### Step-by-Step Authentication
+Add to your Zed `settings.json`:
+
+```json
+{
+  "context_servers": {
+    "perfai-mcp": {
+      "command": {
+        "path": "npx",
+        "args": ["-y", "@perfai/mcp@latest"],
+        "env": {
+          "PERFAI_USERNAME": "your@email.com",
+          "PERFAI_PASSWORD": "yourpassword"
+        }
+      },
+      "settings": {}
+    }
+  }
+}
+```
 
-1. **Check Initial Status**: Run `auth_status` → Shows "Not Authenticated"
-2. **Login**: Run `login` tool:
-   - ✅ Browser automatically opens to PerfAI Auth0 device page
-   - 📱 You'll see a simple code (e.g., `BDJK-WHNZ`)
-   - 🔐 Enter the code in browser and complete authentication
-   - 🔄 Server automatically detects completion
-3. **Verify**: Run `auth_status` → Shows user info and "Authenticated"
-4. **Use Protected Tools**: All 9 protected tools now available
-5. **Logout**: Run `logout` → Returns to 2 public tools only
+### Any other MCP client
 
-### Security Features
-- **🔒 Zero Configuration**: No Auth0 redirect URL setup required
-- **🌐 Universal Compatibility**: Works with any MCP client
-- **⏰ Auto-Expiry**: Tokens automatically expire for security
-- **🔄 Session Isolation**: Each user session is completely isolated
+```json
+{
+  "command": "npx",
+  "args": ["-y", "@perfai/mcp@latest"],
+  "env": {
+    "PERFAI_USERNAME": "your@email.com",
+    "PERFAI_PASSWORD": "yourpassword"
+  }
+}
+```
 
-## 📋 Tool Usage Examples
+---
 
-### Organization Management
-```bash
-# List available organizations
-manage_organizations {"action": "list"}
+## 🔐 Authentication
 
-# Select an organization
-manage_organizations {"action": "select", "org_id": "your-org-id"}
+Run the `login` tool from your AI assistant to open a browser-based Auth0 login. After authenticating, all protected tools become available automatically.
 
-# Refresh organization list
-manage_organizations {"action": "refresh"}
+```
+login                  # opens browser → authenticate → done
+auth_status            # verify you're authenticated
+logout                 # clear session
 ```
 
-### Security Analysis
-```bash
-# List security issues
-show_security_issues {"limit": 20}
+---
 
-# Search for specific app issues
-show_security_issues {"search": "myapp", "limit": 10}
+## 🛠️ Available Tools
 
-# Generate AI fix for an issue by sequence number
-ai_fix_security_issue {"issue_id": "14"}
+### 🔓 Public (no authentication required)
 
-# Generate AI fix for an issue by ID
-ai_fix_security_issue {"issue_id": "issue-id-here"}
+| Tool          | Description                                              |
+| ------------- | -------------------------------------------------------- |
+| `login`       | Authenticate with PerfAI via Auth0 OAuth. Opens browser. |
+| `auth_status` | Check current authentication status and user info.       |
 
-# Generate AI fix for an issue by description
-ai_fix_security_issue {"issue_id": "System Design Issues/Enumerable Resource ID • MULTIPLE /store"}
+### 🔒 Protected (authentication required)
 
-# Show all fixed issues
-show_fixed_issues {}
-```
+#### User & Session
 
-### APP Management
-```bash
-# List available APPs (shows table with sequence numbers)
-list_apps {}
+| Tool        | Description                                            |
+| ----------- | ------------------------------------------------------ |
+| `user_info` | Get detailed information about the authenticated user. |
+| `logout`    | Clear authentication session.                          |
+| `setup`     | Auto-configure org and app with default values.        |
+
+#### Organization & App Management
+
+| Tool                   | Parameters                                           | Description                                                        |
+| ---------------------- | ---------------------------------------------------- | ------------------------------------------------------------------ |
+| `manage_organizations` | `action` (list/select/refresh), `sequence`, `org_id` | List orgs with sequence numbers, select by number or ID.           |
+| `list_apps`            | `search`, `environment`, `page`, `limit`             | List all APPs with optional filters and pagination.                |
+| `select_app`           | `sequence`, `name_or_label`, `app_id`                | Select an APP by sequence number, partial name/label, or exact ID. |
+
+#### Issue Summary
+
+| Tool               | Description                                                                                                                           |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
+| `summarize_issues` | Full dashboard for the selected APP — security risk, design issues, quality issues, attack surface, bug bounty savings, and coverage. |
+
+#### Security Issues
+
+| Tool                    | Parameters                                                                     | Description                                                 |
+| ----------------------- | ------------------------------------------------------------------------------ | ----------------------------------------------------------- |
+| `show_security_issues`  | `limit`, `severities[]`, `status`, `sort_by`, `sort_order`, `search`, `cursor` | List security vulnerabilities with filters.                 |
+| `ai_fix_security_issue` | `issue_id` (sequence #, ID, or description)                                    | Generate an AI-powered fix prompt for a security issue.     |
+| `check_security_fixes`  | `wait_seconds`                                                                 | Check which previously fixed issues were actually resolved. |
+
+#### Design Issues
+
+| Tool                  | Parameters                                                     | Description                                           |
+| --------------------- | -------------------------------------------------------------- | ----------------------------------------------------- |
+| `show_design_issues`  | `limit`, `status`, `sort_by`, `sort_order`, `search`, `cursor` | List API design issues with filters.                  |
+| `ai_fix_design_issue` | `issue_id`                                                     | Generate an AI-powered fix prompt for a design issue. |
+| `check_design_fixes`  | `wait_seconds`                                                 | Check which design fixes were actually resolved.      |
+
+#### Quality / Spec Validation Issues
+
+| Tool                   | Parameters                                           | Description                                            |
+| ---------------------- | ---------------------------------------------------- | ------------------------------------------------------ |
+| `show_quality_issues`  | `limit`, `sort_by`, `sort_order`, `search`, `cursor` | List spec validation issues.                           |
+| `ai_fix_quality_issue` | `issue_id`                                           | Generate an AI-powered fix prompt for a quality issue. |
+| `check_quality_fixes`  | `wait_seconds`                                       | Check which quality fixes were actually resolved.      |
+
+#### Session State
+
+| Tool                | Description                                        |
+| ------------------- | -------------------------------------------------- |
+| `show_fixed_issues` | Show all AI-fixed issues from the current session. |
 
-# Select an APP by sequence number from list_apps table
-select_app {"sequence": 1}
+---
+
+## 💡 Typical Workflow
+
+```
+1. login                                                          # authenticate
+2. manage_organizations {"action": "list"}                        # see your orgs
+3. manage_organizations {"action": "select", "sequence": 1}
+4. list_apps {"search": "payments"}                               # find your app
+5. select_app {"sequence": 2}                                     # or by name: {"name_or_label": "payments"}
+6. summarize_issues                                               # dashboard overview
+7. show_security_issues {"severities": ["Critical", "High"]}
+8. ai_fix_security_issue {"issue_id": "3"}                        # fix issue #3
+9. show_design_issues {"status": "Open"}
+10. show_quality_issues {}
 ```
 
-### Security Testing
-```bash
-# Run comprehensive security test (waits 40 seconds for processing)
-run_security_test {
-  "spec_url": "http://localhost:3000/swagger.json",
-  "local_base_path": "http://localhost:3000"
-}
+---
+
+## 📋 Tool Examples
 
-# Check which previously fixed issues were actually resolved
-check_security_fixes {"wait_seconds": 15}
+### Organization & App Selection
+
+```jsonc
+// List organizations with sequence numbers
+manage_organizations {"action": "list"}
+
+// Select org by sequence number (preferred)
+manage_organizations {"action": "select", "sequence": 2}
+
+// List apps — filter by name or environment
+list_apps {"search": "checkout", "environment": "production", "page": 1, "limit": 50}
+
+// Select app by partial name
+select_app {"name_or_label": "checkout"}
+
+// Select app by sequence number from list_apps
+select_app {"sequence": 4}
 ```
 
-## 🏗️ Development
+### Summary Dashboard
 
-### Watch Mode
-```bash
-npm run dev
+```jsonc
+// Full dashboard: security + design + quality + attack surface
+summarize_issues {}
 ```
 
-### Available Scripts
-- `npm run build` – Compile TypeScript to JavaScript
-- `npm run dev` – Watch mode for development
-- `npm start` – Start the MCP server
-- `npm run mcp:inspect` – Start MCP Inspector for testing
+### Security Issues
+
+```jsonc
+// Show only Critical and High issues
+show_security_issues {"severities": ["Critical", "High"], "limit": 20}
 
-### Project Structure
+// Show dismissed issues
+show_security_issues {"status": "Dismissed"}
+
+// Fix issue #5
+ai_fix_security_issue {"issue_id": "5"}
+
+// Fix by description
+ai_fix_security_issue {"issue_id": "System Design Issues/Enumerable Resource ID • GET /users"}
 ```
-├── src/
-│   └── index.ts              # Main MCP server implementation
-├── dist/                     # Compiled JavaScript output
-├── package.json              # Dependencies and scripts
-├── tsconfig.json             # TypeScript configuration
-├── cursor_mcp_config.json    # Cursor MCP client config
-├── vscode_mcp_config.json    # VS Code MCP client config
-└── README.md                 # This file
+
+### Design & Quality Issues
+
+```jsonc
+show_design_issues {"status": "Open", "sort_by": "createdOn", "sort_order": "DESC"}
+show_quality_issues {"limit": 50}
+ai_fix_design_issue {"issue_id": "2"}
+ai_fix_quality_issue {"issue_id": "7"}
 ```
 
-## 🔍 Troubleshooting
+---
 
-### Publishing (Maintainers)
+## 🚀 Local Development
 
 ```bash
-# Bump version (choose patch|minor|major)
-npm version patch
-
-# Publish (scoped public)
-npm publish --access public
+git clone https://github.com/perfai/mcp-server.git
+cd mcp-server
+npm install
+npm run build        # compile TS → dist/
+npm start            # start MCP server
+npm run dev          # watch mode
+npm run mcp:inspect  # MCP Inspector UI at http://localhost:6274
 ```
 
-If you see 403 errors ensure: (1) You're logged in (`npm whoami`), (2) The `@perfai` scope exists and you have publish rights, (3) Version not already published.
-
-### Common Issues
+---
 
-#### Authentication Problems
-- **Browser doesn't open**: Manually visit the URL shown in the login response
-- **Code expired**: Run `login` again to get a new device code
-- **Stuck on authentication**: Check browser for any error messages
+## 🔍 Troubleshooting
 
-#### Organization Issues
-- **No organizations found**: Run `manage_organizations {"action": "refresh"}`
-- **Permission denied**: Ensure your PerfAI account has organization access
+| Problem                                       | Fix                                                        |
+| --------------------------------------------- | ---------------------------------------------------------- |
+| Browser doesn't open on `login`               | Manually visit the URL shown in the tool response          |
+| `No organizations found`                      | Run `manage_organizations {"action": "refresh"}`           |
+| App not found by name                         | Run `list_apps {}` first and use the exact sequence number |
+| Protected tool says "Authentication required" | Run `login` first                                          |
+| Stale issues after a fix                      | Wait a moment and re-run `show_*_issues`                   |
 
-#### API Testing Issues
-- **Docker errors**: Ensure Docker Desktop is running
-- **Invalid URLs**: Verify your APP is accessible and spec URL is valid
-- **Timeout**: Large APIs may take longer; check Docker logs
+Debug logs go to stderr:
 
-### Debug Mode
-The server logs all activity to stderr, making debugging easier:
 ```bash
-npm start 2> debug.log  # Capture debug logs
+npm start 2> debug.log
 ```
 
-## 🌟 Features
+---
 
-- **🎯 PerfAI-Focused**: Built specifically for PerfAI security workflows
-- **🔐 Secure Authentication**: OAuth2 Device Code flow with session management
-- **📊 Comprehensive Analysis**: Full security issue management and AI-powered fixes
-- **🐳 Docker Integration**: Containerized security testing engine
-- **🔄 Real-time Updates**: Live tool list updates based on authentication state
-- **📱 Universal Client Support**: Works with Cursor, VS Code, and any MCP client
+## 🌟 Key Features
+
+- **Auth0 OAuth2** — secure browser-based login, no plaintext credentials in config
+- **Org & App selection** — by sequence number, name/label partial match, or ID
+- **Issue filters** — severity, status (Open/Dismissed), sort field & direction, keyword search, pagination
+- **Summary dashboard** — single-call overview of security, design, quality, attack surface, and bug bounty savings
+- **AI fix prompts** — generate actionable fix instructions for any issue by number, ID, or description
+- **Fix tracking** — compare AI-fixed issues against post-run results to confirm resolution
+
+---
 
+## 📄 License
 
-**🚀 Ready to secure your APIs with PerfAI's MCP integration!**
+MIT — see [LICENSE](LICENSE)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@perfai/mcp",
-  "version": "1.0.24",
+  "version": "1.0.26",
   "description": "PerfAI MCP Server - Security, Design & Quality Analysis with Auth0 Authentication",
   "main": "dist/server.js",
   "bin": {