npm - @raghulm/aegis-mcp - Versions diffs - 1.0.0 - Mend

@raghulm/aegis-mcp 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,340 @@
+<div align="center">
+  <h1>🛡️ Aegis MCP Server</h1>
+  <p><b>Aegis MCP is an open-source, DevSecOps-focused Model Context Protocol server that allows AI agents to safely interact with cloud infrastructure, CI/CD systems, and security tooling.</b></p>
+  [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+  [![Python version](https://img.shields.io/badge/python-3.12+-blue.svg)](https://www.python.org/downloads/)
+  [![MCP Protocol](https://img.shields.io/badge/MCP-Server-green.svg)](https://modelcontextprotocol.io/)
+  [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://www.docker.com/)
+</div>
+---
+**Aegis MCP Server** empowers AI assistants (like Claude, Cursor, and GitHub Copilot) to perform cloud architecture administration, security scanning, and network analyses directly from their execution environments. It wraps powerful underlying tools and SDKs into secure, audited MCP tool sets.
+---
+## 📸 Demo in Action
+```text
+AI Agent: "Check if any S3 bucket is publicly accessible"
+Tool call → aws_check_s3_public_access
+Result → bucket audit report
+```
+<p align="center">
+  <img src="docs/demo-aegis.gif" width="900"/>
+</p>
+---
+## 🌟 Key Features
+- 🚀 **FastMCP Server** — Exposes domain-specific tools for AWS, Kubernetes, security scanning, Git, network analysis, and CI/CD pipelines.
+- 🔐 **Flexible Authorization** — JWT-based RBAC for production deployments; automatically disabled for local stdio sessions (Claude Desktop, Agent IDEs).
+- 📜 **Structured Audit Logging** — Emits clean JSON audit logs for every invocation, suitable for SIEM integrations.
+- 🛠 **Expandable Tooling** — Easily add new integrations. Includes ready-to-use scanners for dependencies, secrets, SSL/TLS certs, Semgrep, Trivy, and more.
+- 📦 **Docker Ready** — Containerized deployment using a non-root runtime with built-in health checks.
+- 🌐 **ASGI Integration** — FastAPI health endpoint alongside MCP streamable-http transport.
+---
+## 📐 Architecture
+```mermaid
+flowchart TD
+    Client[MCP Client / AI Agent] -->|Tool Call| AuthZ[Auth & RBAC Layer]
+    subgraph aegis-mcp["Aegis MCP Server"]
+        AuthZ --> Audit[Audit Logger]
+        Audit --> ToolsLayer[Tool Dispatch Layer]
+    end
+    ToolsLayer --> AWS[AWS SDK]
+    ToolsLayer --> K8s[kubectl / K8s SDK]
+    ToolsLayer --> Sec[Trivy / Semgrep]
+    ToolsLayer --> Net[Nmap / SSL]
+    ToolsLayer --> Git[Git CLI]
+```
+The server receives MCP tool-call requests over **streamable HTTP** or **stdio** transport. In HTTP mode, each request requires a JWT bearer token for authorization. In stdio mode (local usage), authorization is automatically disabled.
+---
+## 📂 Repository Structure
+```text
+aegis-mcp/
+│
+├── server/
+│   ├── main.py
+│   ├── health.py
+│   ├── auth.py
+│   └── tools/
+│       ├── aws/
+│       ├── kubernetes/
+│       ├── security/
+│       └── network/
+│
+├── policies/
+├── tests/
+├── Dockerfile
+└── run_stdio.py
+```
+---
+## 🧰 Available Tools
+### Example Tool Invocation
+```text
+Tool: security_run_trivy_scan
+Input:
+image=nginx:latest
+Output:
+CRITICAL: 2
+HIGH: 4
+MEDIUM: 7
+```
+### Cloud & DevOps
+| Tool | Description |
+|------|-------------|
+| `aws_list_ec2_instances` | List EC2 instances in a specific AWS region |
+| `aws_check_s3_public_access` | Audit S3 buckets for public access settings |
+| `k8s_list_pods` | List Kubernetes pods in a given namespace |
+| `cicd_pipeline_status` | Fetch CI/CD pipeline execution status |
+| `git_recent_commits` | Fetch recent commit history from the active Git repo |
+### Application Security & SAST
+| Tool | Description |
+|------|-------------|
+| `security_semgrep_scan` | Run Semgrep SAST scan on a local directory or file |
+| `security_run_trivy_scan` | Run Trivy vulnerability scan on a container image |
+| `security_scan_secrets` | Scan files/directories for exposed secrets |
+| `security_check_dependencies` | Check dependency files for known CVEs via OSV.dev |
+### Network & Infrastructure Security
+| Tool | Description |
+|------|-------------|
+| `k8s_security_audit` | Audit Kubernetes clusters (privileged containers, wildcard RBAC, etc.) |
+| `network_port_scan` | TCP port scan to detect exposed services |
+| `security_check_ssl_certificate` | Validate SSL/TLS certificate details and expiry |
+| `security_check_http_headers` | Audit URLs for security headers (HSTS, CSP, etc.) |
+> [!IMPORTANT]
+> **SAST (Semgrep scan) works only on Agent IDEs (e.g., Antigravity, Cursor) or Claude Co-work.**
+> It does **not** work on Claude Desktop due to Windows subprocess pipe limitations with `semgrep-core.exe`. All other tools (secrets scan, SSL check, port scan, etc.) work on all platforms including Claude Desktop.
+---
+## 🚀 Getting Started
+### One-Command Install (NPX)
+```bash
+npx @raghulm/aegis-mcp
+```
+That's it. Aegis will:
+1. ✅ Check your Python version (3.12+ required)
+2. 📥 Clone and install the server into `~/.aegis-mcp`
+3. 🖨️ Print your ready-to-paste MCP config
+4. 🚀 Start the server
+**Additional commands:**
+```bash
+npx @raghulm/aegis-mcp --install   # Force reinstall / update
+npx @raghulm/aegis-mcp --config    # Print MCP config JSON only
+npx @raghulm/aegis-mcp --help      # Show all options
+```
+---
+### Prerequisites
+- **Node.js 16+** (for NPX install)
+- **Python 3.12+**
+- **Git**
+- **Semgrep** — `pip install semgrep` (for SAST scanning)
+- Optional: AWS CLI / `boto3`, `kubectl`, Trivy (for their respective tools)
+### Manual Installation
+```bash
+git clone https://github.com/raghulvj01/aegis-mcp.git
+cd aegis-mcp
+# Create virtual environment
+python -m venv .venv
+# Activate it
+# Linux/Mac:
+source .venv/bin/activate
+# Windows:
+.venv\Scripts\activate
+# Install dependencies
+pip install -r requirements.txt
+```
+---
+## 🤖 Usage with AI Agents
+### Agent IDE / Antigravity (Recommended)
+Add to your MCP config (e.g., `mcp_config.json`):
+```json
+{
+  "mcpServers": {
+    "aegis": {
+      "command": "c:\\path\\to\\aegis-mcp\\.venv\\Scripts\\python.exe",
+      "args": ["c:\\path\\to\\aegis-mcp\\run_stdio.py"]
+    }
+  }
+}
+```
+> ✅ **All 12 tools work**, including Semgrep SAST.
+### Claude Desktop
+Add to `claude_desktop_config.json`:
+- **Windows**: `%LOCALAPPDATA%\Packages\Claude_...\LocalCache\Roaming\Claude\`
+- **Mac**: `~/Library/Application Support/Claude/`
+```json
+{
+  "mcpServers": {
+    "aegis": {
+      "command": "c:\\path\\to\\aegis-mcp\\.venv\\Scripts\\python.exe",
+      "args": ["c:\\path\\to\\aegis-mcp\\run_stdio.py"]
+    }
+  }
+}
+```
+> ⚠️ **11 of 12 tools work.** Semgrep SAST does not work due to Windows pipe limitations.
+### Cursor / Windsurf (HTTP Mode)
+Start the server, then add to `.cursor/mcp.json`:
+```bash
+uvicorn server.health:app --host 0.0.0.0 --port 8000
+```
+```json
+{
+  "mcpServers": {
+    "aegis": {
+      "url": "http://localhost:8000/mcp"
+    }
+  }
+}
+```
+### Docker Deployment
+```bash
+docker build -t aegis-mcp .
+docker run -p 8000:8000 aegis-mcp
+```
+---
+## ⚙️ Configuration
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `MCP_AUTH_DISABLED` | Disable JWT auth (auto-set for stdio) | `false` |
+| `MCP_SERVICE_NAME` | Name of the MCP service | `aegis` |
+| `MCP_ENV` | Environment (`dev`, `staging`, `prod`) | `dev` |
+| `MCP_ROLES_FILE` | Path to roles policy YAML | `policies/roles.yaml` |
+| `MCP_SCOPES_FILE` | Path to scopes policy YAML | `policies/scope_rules.yaml` |
+| `OIDC_ISSUER` | Expected JWT `iss` claim | *None* |
+| `OIDC_AUDIENCE` | Expected JWT `aud` claim | *None* |
+---
+## 🗝 Access Control
+In **HTTP mode**, every tool requires a `token` argument containing a JWT. The authorization layer checks roles and scopes defined in `policies/roles.yaml` and `policies/scope_rules.yaml`.
+In **stdio mode** (local usage via `run_stdio.py`), authorization is **automatically disabled** — no token required.
+### Policy Example (`policies/roles.yaml`)
+```yaml
+roles:
+  viewer:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+  security:
+    - security_run_trivy_scan
+    - security_semgrep_scan
+  admin:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - security_run_trivy_scan
+    - security_semgrep_scan
+    # ... all tools
+```
+---
+## 📝 Audit Logging
+The `@audit_tool_call` decorator emits structured JSON logs for every invocation:
+```json
+{
+  "timestamp": "2026-03-06T08:00:01+00:00",
+  "level": "INFO",
+  "event": "tool_call_succeeded",
+  "tool": "security_run_trivy_scan",
+  "duration_ms": 1204
+}
+```
+---
+## 🛡️ Security Best Practices
+1. **Enforce JWT Signature Validation** — Update `server/auth.py` to verify RS256 JWTs using your IdP's JWKS endpoint for production.
+2. **Least-Privilege Credentials** — Assign ReadOnly IAM / K8s roles to the server environment.
+3. **Monitor Audit Logs** — Forward JSON logs to a SIEM. Set up anomaly detection for aggressive looping.
+---
+## 🛣️ Roadmap
+- [ ] Terraform security scanner
+- [ ] IAM policy risk detection
+- [ ] Kubernetes misconfiguration scanner (Basic `k8s_security_audit` implemented!)
+- [ ] GitHub Actions security audit
+- [ ] Cloud cost analysis tools
+---
+## 🤝 Contributing
+1. Fork the project
+2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
+3. Add your tool into `tools/<domain>/`
+4. Register it via `@mcp.tool()` in `server/main.py` with `@audit_tool_call` and auth check
+5. Add tests in `tests/`
+6. Open a Pull Request
+---
+## 📄 License
+Distributed under the MIT License. See `LICENSE` for more information.

package/bin/aegis-mcp.js ADDED Viewed

@@ -0,0 +1,164 @@
+#!/usr/bin/env node
+const { execSync, spawn } = require("child_process");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const REPO_URL = "https://github.com/raghulvj01/aegis-mcp.git";
+const INSTALL_DIR = path.join(os.homedir(), ".aegis-mcp");
+const VERSION = require("../package.json").version;
+const colors = {
+  reset: "\x1b[0m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  bold: "\x1b[1m",
+};
+function log(msg, color = "reset") {
+  console.error(`${colors[color]}${msg}${colors.reset}`);
+}
+function banner() {
+  console.error(`
+${colors.cyan}${colors.bold}
+  🛡️  Aegis MCP Server v${VERSION}
+  Open-source DevSecOps MCP for AI Agents
+${colors.reset}`);
+}
+function checkPython() {
+  const candidates = ["python3", "python"];
+  for (const cmd of candidates) {
+    try {
+      const version = execSync(`${cmd} --version 2>&1`, { encoding: "utf8" }).trim();
+      const match = version.match(/Python (\d+)\.(\d+)/);
+      if (match && (parseInt(match[1]) > 3 || (parseInt(match[1]) === 3 && parseInt(match[2]) >= 12))) {
+        log(`✅ Found ${version}`, "green");
+        return cmd;
+      } else if (match) {
+        log(`⚠️  Found ${version} but Python 3.12+ is required.`, "yellow");
+      }
+    } catch {}
+  }
+  log("❌ Python 3.12+ not found. Please install it from https://python.org", "red");
+  process.exit(1);
+}
+function isInstalled() {
+  return (
+    fs.existsSync(INSTALL_DIR) &&
+    fs.existsSync(path.join(INSTALL_DIR, "run_stdio.py"))
+  );
+}
+function install(pythonCmd) {
+  log("📦 Installing Aegis MCP...", "cyan");
+  if (fs.existsSync(INSTALL_DIR)) {
+    log("🔄 Updating existing installation...", "yellow");
+    execSync("git pull", { cwd: INSTALL_DIR, stdio: "inherit" });
+  } else {
+    log(`📥 Cloning from ${REPO_URL}...`, "cyan");
+    execSync(`git clone ${REPO_URL} "${INSTALL_DIR}"`, { stdio: "inherit" });
+  }
+  log("📦 Creating virtual environment...", "cyan");
+  execSync(`${pythonCmd} -m venv .venv`, { cwd: INSTALL_DIR, stdio: "inherit" });
+  const pip = process.platform === "win32"
+    ? path.join(INSTALL_DIR, ".venv", "Scripts", "pip.exe")
+    : path.join(INSTALL_DIR, ".venv", "bin", "pip");
+  log("📦 Installing Python dependencies...", "cyan");
+  execSync(`"${pip}" install -r requirements.txt`, { cwd: INSTALL_DIR, stdio: "inherit" });
+  log("✅ Aegis MCP installed successfully!", "green");
+}
+function run() {
+  const pythonExe = process.platform === "win32"
+    ? path.join(INSTALL_DIR, ".venv", "Scripts", "python.exe")
+    : path.join(INSTALL_DIR, ".venv", "bin", "python");
+  const scriptPath = path.join(INSTALL_DIR, "run_stdio.py");
+  log("🚀 Starting Aegis MCP Server...\n", "green");
+  const child = spawn(pythonExe, [scriptPath], {
+    stdio: "inherit",
+    env: { ...process.env, MCP_AUTH_DISABLED: "true" },
+  });
+  child.on("error", (err) => {
+    log(`\n❌ Failed to start Aegis MCP: ${err.message}`, "red");
+    process.exit(1);
+  });
+  child.on("exit", (code) => {
+    process.exit(code || 0);
+  });
+  process.on("SIGINT", () => child.kill("SIGINT"));
+  process.on("SIGTERM", () => child.kill("SIGTERM"));
+}
+function printMCPConfig() {
+  const pythonExe = process.platform === "win32"
+    ? path.join(INSTALL_DIR, ".venv", "Scripts", "python.exe")
+    : path.join(INSTALL_DIR, ".venv", "bin", "python");
+  const scriptPath = path.join(INSTALL_DIR, "run_stdio.py");
+  log("\n📋 Add this to your MCP config (claude_desktop_config.json / mcp_config.json):\n", "cyan");
+  console.error(JSON.stringify({
+    mcpServers: {
+      aegis: {
+        command: pythonExe,
+        args: [scriptPath],
+      },
+    },
+  }, null, 2));
+  console.error();
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+banner();
+if (args.includes("--help") || args.includes("-h")) {
+  console.error(`Usage: npx aegis-mcp [options]
+Options:
+  (no args)        Install (if needed) and start the MCP server
+  --install        Force reinstall
+  --config         Print MCP config JSON and exit
+  --version, -v    Show version
+  --help, -h       Show this help
+`);
+  process.exit(0);
+}
+if (args.includes("--version") || args.includes("-v")) {
+  console.log(VERSION);
+  process.exit(0);
+}
+const pythonCmd = checkPython();
+if (args.includes("--install") || !isInstalled()) {
+  install(pythonCmd);
+}
+if (args.includes("--config")) {
+  printMCPConfig();
+  process.exit(0);
+}
+printMCPConfig();
+run();

package/package.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "@raghulm/aegis-mcp",
+  "version": "1.0.0",
+  "description": "🛡️ Open-source DevSecOps MCP server — gives AI agents real hands in your cloud infrastructure",
+  "homepage": "https://github.com/raghulvj01/aegis-mcp",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/raghulvj01/aegis-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/raghulvj01/aegis-mcp/issues"
+  },
+  "author": "Raghul VJ <raghulvj01@gmail.com>",
+  "license": "MIT",
+  "keywords": [
+    "mcp",
+    "devsecops",
+    "aws",
+    "kubernetes",
+    "security",
+    "ai-agents",
+    "claude",
+    "trivy",
+    "semgrep",
+    "open-source",
+    "fastmcp",
+    "docker",
+    "cloud-security"
+  ],
+  "bin": {
+    "aegis-mcp": "bin/aegis-mcp.js"
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "files": [
+    "bin/"
+  ]
+}