@securityreviewai/security-review-mcp 0.2.9

package/dist/prompts/generationPrompts.js

@@ -0,0 +1,229 @@
+import * as z from "zod/v4";
+export function registerGenerationPrompts(server) {
+    server.registerPrompt("document_generation", {
+        description: "Generate a detailed architecture/design document from minimal user input. The generated document is suitable for uploading to SRAI as a knowledge base document for security review. Use when the user wants to create an SRAI project from a brief description.",
+        argsSchema: {
+            system_name: z.string(),
+            brief_description: z.string(),
+            doc_type: z.string().default("architecture"),
+        },
+    }, async ({ system_name, brief_description, doc_type }) => {
+        const normalized = doc_type.toLowerCase();
+        if (normalized === "api") {
+            return promptText(apiTemplate(system_name, brief_description));
+        }
+        if (normalized === "deployment") {
+            return promptText(deploymentTemplate(system_name, brief_description));
+        }
+        return promptText(architectureTemplate(system_name, brief_description));
+    });
+}
+function architectureTemplate(systemName, briefDescription) {
+    return `You are a senior software architect. Generate a comprehensive architecture document for the system described below. The document should be detailed enough for a security team to perform a thorough threat model analysis.
+
+## System: ${systemName}
+
+## Brief Description
+${briefDescription}
+
+## INSTRUCTIONS
+
+Generate a detailed **Architecture Design Document** that includes ALL of the following sections. Be thorough and specific -- infer reasonable architectural decisions from the brief description.
+
+### Document Structure
+
+**1. Executive Summary**
+- System purpose and business context
+- Key stakeholders
+- High-level architecture style (monolith, microservices, serverless, etc.)
+
+**2. System Overview**
+- Detailed functional description
+- Key business capabilities
+- User types and their roles
+- System boundaries
+
+**3. Architecture Components**
+For each component, describe:
+- Name and purpose
+- Technology stack (language, framework, database, etc.)
+- APIs exposed (endpoints, protocols)
+- Data stored or processed
+- Authentication/authorization mechanisms
+- Scaling characteristics
+
+**4. Data Architecture**
+- Data models (key entities and relationships)
+- Data stores (databases, caches, file storage)
+- Data classification (what is sensitive, PII, financial, etc.)
+- Data flow between components
+- Data retention and lifecycle
+
+**5. Integration Architecture**
+- External services and APIs consumed
+- Third-party integrations
+- Message queues or event buses
+- Webhooks and callbacks
+
+**6. Infrastructure & Deployment**
+- Cloud provider and services used
+- Network topology (VPCs, subnets, security groups)
+- Container orchestration (if applicable)
+- CI/CD pipeline
+- Environment strategy (dev, staging, production)
+
+**7. Security Architecture**
+- Authentication mechanism (OAuth2, JWT, SAML, etc.)
+- Authorization model (RBAC, ABAC, etc.)
+- Encryption at rest and in transit
+- Secret management approach
+- Logging and monitoring
+- Network security controls
+
+**8. Non-Functional Requirements**
+- Performance targets
+- Availability/SLA requirements
+- Compliance requirements
+- Scalability approach
+
+Format the document with clear markdown headers, bullet points, and tables where appropriate. Make it comprehensive but readable. This document will be used for security threat modeling, so err on the side of more detail about data flows, trust boundaries, and security-relevant decisions.`;
+}
+function apiTemplate(systemName, briefDescription) {
+    return `You are a senior API architect. Generate a comprehensive API specification document for the system described below. The document should be detailed enough for a security team to assess the API attack surface.
+
+## System: ${systemName}
+
+## Brief Description
+${briefDescription}
+
+## INSTRUCTIONS
+
+Generate a detailed **API Design Document** that includes ALL of the following sections:
+
+**1. API Overview**
+- Base URL structure
+- API versioning strategy
+- Authentication mechanism
+- Rate limiting policy
+
+**2. Authentication & Authorization**
+- Auth flows (OAuth2, API keys, JWT, etc.)
+- Token lifecycle (issuance, refresh, revocation)
+- Permission model
+- Scopes or roles
+
+**3. API Endpoints**
+For each major endpoint group, document:
+- HTTP method and path
+- Request parameters (path, query, body)
+- Request/response schemas
+- Authentication requirements
+- Rate limits
+- Error responses
+
+**4. Data Models**
+- Key request/response objects
+- Sensitive fields and their handling
+- Validation rules
+
+**5. Security Controls**
+- Input validation approach
+- Output encoding
+- CORS policy
+- Security headers
+- Request size limits
+- File upload handling
+
+**6. Error Handling**
+- Error response format
+- Error codes and their meanings
+- Information leakage prevention
+
+**7. Integration Patterns**
+- Webhooks and callbacks
+- Pagination strategy
+- Filtering and sorting
+- Batch operations
+
+Format as a detailed technical document suitable for security threat modeling.`;
+}
+function deploymentTemplate(systemName, briefDescription) {
+    return `You are a senior DevOps/platform engineer. Generate a comprehensive deployment and infrastructure document for the system described below. The document should be detailed enough for a security team to assess the infrastructure attack surface.
+
+## System: ${systemName}
+
+## Brief Description
+${briefDescription}
+
+## INSTRUCTIONS
+
+Generate a detailed **Deployment & Infrastructure Document** including:
+
+**1. Infrastructure Overview**
+- Cloud provider(s) and regions
+- Architecture style (containers, VMs, serverless)
+- High availability design
+
+**2. Network Architecture**
+- VPC/network design
+- Subnet layout (public, private, data)
+- Load balancers and CDN
+- DNS configuration
+- Firewall rules and security groups
+- Network segmentation
+
+**3. Compute Resources**
+- Application servers / containers
+- Container orchestration (Kubernetes, ECS, etc.)
+- Auto-scaling policies
+- Resource limits
+
+**4. Data Infrastructure**
+- Database servers and configuration
+- Caching layer
+- Object storage
+- Backup and recovery strategy
+
+**5. CI/CD Pipeline**
+- Source code management
+- Build process
+- Testing stages
+- Deployment strategy (blue-green, canary, rolling)
+- Artifact management
+
+**6. Security Infrastructure**
+- Identity and access management
+- Secret management (Vault, AWS Secrets Manager, etc.)
+- Certificate management
+- WAF and DDoS protection
+- Vulnerability scanning
+
+**7. Observability**
+- Logging infrastructure
+- Metrics collection
+- Alerting rules
+- Distributed tracing
+- Incident response procedures
+
+**8. Compliance**
+- Encryption at rest configuration
+- Encryption in transit configuration
+- Audit logging
+- Data residency
+- Compliance certifications
+
+Format as a detailed technical document suitable for security threat modeling.`;
+}
+function promptText(text) {
+    return {
+        messages: [
+            {
+                role: "user",
+                content: {
+                    type: "text",
+                    text,
+                },
+            },
+        ],
+    };
+}

package/dist/resources/reviewResources.js

@@ -0,0 +1,101 @@
+import { ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { getApiClient, SraiApiError } from "../api/client.js";
+import { jsonStringify } from "../utils/serialization.js";
+export function registerReviewResources(server) {
+    server.registerResource("SRAI Projects", "srai://projects", {
+        description: "List of all projects in the SRAI platform.",
+        mimeType: "application/json",
+    }, async (uri) => {
+        try {
+            const result = await getApiClient().listProjects();
+            return {
+                contents: [
+                    {
+                        uri: uri.href,
+                        text: jsonStringify(result),
+                        mimeType: "application/json",
+                    },
+                ],
+            };
+        }
+        catch (error) {
+            return resourceError(uri, error);
+        }
+    });
+    server.registerResource("Project Reviews", new ResourceTemplate("srai://projects/{project_id}/reviews", { list: undefined }), {
+        description: "List of all reviews for a specific SRAI project.",
+        mimeType: "application/json",
+    }, async (uri, variables) => {
+        try {
+            const projectId = Number(variables.project_id);
+            const result = await getApiClient().listReviews(projectId);
+            return {
+                contents: [
+                    {
+                        uri: uri.href,
+                        text: jsonStringify(result),
+                        mimeType: "application/json",
+                    },
+                ],
+            };
+        }
+        catch (error) {
+            return resourceError(uri, error);
+        }
+    });
+    server.registerResource("Review Summary", new ResourceTemplate("srai://projects/{project_id}/reviews/{review_id}/summary", { list: undefined }), {
+        description: "Summary of a specific security review including status, artifact counts, and workflow progress.",
+        mimeType: "application/json",
+    }, async (uri, variables) => {
+        try {
+            const projectId = Number(variables.project_id);
+            const reviewId = Number(variables.review_id);
+            const review = await getApiClient().getReview(projectId, reviewId);
+            return {
+                contents: [
+                    {
+                        uri: uri.href,
+                        text: jsonStringify(review),
+                        mimeType: "application/json",
+                    },
+                ],
+            };
+        }
+        catch (error) {
+            return resourceError(uri, error);
+        }
+    });
+    server.registerResource("Project Documents", new ResourceTemplate("srai://projects/{project_id}/documents", { list: undefined }), {
+        description: "List of all documents in a specific SRAI project.",
+        mimeType: "application/json",
+    }, async (uri, variables) => {
+        try {
+            const projectId = Number(variables.project_id);
+            const result = await getApiClient().listDocuments(projectId);
+            return {
+                contents: [
+                    {
+                        uri: uri.href,
+                        text: jsonStringify(result),
+                        mimeType: "application/json",
+                    },
+                ],
+            };
+        }
+        catch (error) {
+            return resourceError(uri, error);
+        }
+    });
+}
+function resourceError(uri, error) {
+    const message = error instanceof SraiApiError ? error.detail : error instanceof Error ? error.message : String(error);
+    return {
+        contents: [
+            {
+                uri: uri.href,
+                text: jsonStringify({ error: message }),
+                mimeType: "application/json",
+            },
+        ],
+    };
+}

package/dist/server.js

@@ -0,0 +1,38 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { registerAnalysisPrompts } from "./prompts/analysisPrompts.js";
+import { registerGenerationPrompts } from "./prompts/generationPrompts.js";
+import { registerReviewResources } from "./resources/reviewResources.js";
+import { registerDocumentTools } from "./tools/documentTools.js";
+import { registerIntegrationTools } from "./tools/integrationTools.js";
+import { registerProjectTools } from "./tools/projectTools.js";
+import { registerReviewArtifactTools } from "./tools/reviewArtifactTools.js";
+import { registerReviewTools } from "./tools/reviewTools.js";
+import { registerWorkflowTools } from "./tools/workflowTools.js";
+export function createServer() {
+    const mcp = new McpServer({
+        name: "SRAI Security Review",
+        version: "1.0.0",
+        description: "You are a security review assistant powered by the SRAI platform. " +
+            "When user does not provide numeric IDs, resolve project by name first " +
+            "using find_project_by_name, then list and resolve reviews only inside " +
+            "that project using list_reviews_by_project_name or list_reviews. " +
+            "Never assume project_id=1 or review_id=1. " +
+            "You can create projects, upload documents, run security reviews, " +
+            "fetch external content (Jira and Confluence), " +
+            "and analyze any content for security objectives, components, " +
+            "data dictionaries, threat scenarios (product, netwrok, workload type etc), and countermeasures. " +
+            "Use the available prompts for structured security analysis guidance." +
+            "do not create projects in securityreview until the user explicitly asks to do so" +
+            "if he asks to give a threat model in the chat, just give it there.",
+    });
+    registerProjectTools(mcp);
+    registerDocumentTools(mcp);
+    registerReviewTools(mcp);
+    registerWorkflowTools(mcp);
+    registerIntegrationTools(mcp);
+    registerReviewArtifactTools(mcp);
+    registerAnalysisPrompts(mcp);
+    registerGenerationPrompts(mcp);
+    registerReviewResources(mcp);
+    return mcp;
+}

package/dist/tools/common.js

@@ -0,0 +1,14 @@
+import { SraiApiError } from "../api/client.js";
+import { errorToolResult, textToolResult } from "../utils/serialization.js";
+export async function runTool(task) {
+    try {
+        const result = await task();
+        return textToolResult(result);
+    }
+    catch (error) {
+        if (error instanceof SraiApiError) {
+            return errorToolResult(error.detail, error.statusCode);
+        }
+        return errorToolResult(error instanceof Error ? error.message : String(error));
+    }
+}

package/dist/tools/documentTools.js

@@ -0,0 +1,140 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import * as z from "zod/v4";
+import { getApiClient } from "../api/client.js";
+import { errorToolResult, textToolResult } from "../utils/serialization.js";
+import { runTool } from "./common.js";
+export function registerDocumentTools(server) {
+    server.registerTool("list_documents", {
+        description: "List all documents in an SRAI project. Returns document IDs, names, types, and processing status. Use this to find documents for a review.",
+        inputSchema: {
+            project_id: z.number().int(),
+        },
+    }, async ({ project_id }) => runTool(async () => getApiClient().listDocuments(project_id)));
+    server.registerTool("get_document", {
+        description: "Get detailed information about a specific document in an SRAI project. Returns name, description, type, file path, and processing status.",
+        inputSchema: {
+            project_id: z.number().int(),
+            document_id: z.number().int(),
+        },
+    }, async ({ project_id, document_id }) => runTool(async () => getApiClient().getDocument(project_id, document_id)));
+    server.registerTool("get_document_evaluation", {
+        description: "Get the evaluation data for a processed document. Returns the extracted content summary and quality assessment. Only available after document processing is complete.",
+        inputSchema: {
+            project_id: z.number().int(),
+            document_id: z.number().int(),
+        },
+    }, async ({ project_id, document_id }) => runTool(async () => getApiClient().getDocumentEvaluation(project_id, document_id)));
+    server.registerTool("upload_component_diagram", {
+        description: "Upload a component diagram image file to an SRAI project using a local file path. This is optimized for IDE usage where the user provides a path from their local machine. Accepted file extensions: .png, .jpg, .jpeg.",
+        inputSchema: {
+            project_id: z.number().int(),
+            name: z.string(),
+            description: z.string(),
+            file_path: z.string(),
+        },
+    }, async ({ project_id, name, description, file_path }) => {
+        try {
+            const resolvedPath = expandUserPath(file_path);
+            const stat = await fs.stat(resolvedPath).catch(() => undefined);
+            if (!stat || !stat.isFile()) {
+                return errorToolResult(`File not found or not a file: ${file_path}`, 400);
+            }
+            const extension = path.extname(resolvedPath).toLowerCase();
+            if (![".png", ".jpg", ".jpeg"].includes(extension)) {
+                return errorToolResult("Invalid diagram file type. Accepted extensions are: .png, .jpg, .jpeg", 400);
+            }
+            const fileBytes = await fs.readFile(resolvedPath);
+            const result = await getApiClient().uploadComponentDiagram(project_id, name, description, fileBytes, path.basename(resolvedPath), contentTypeForExtension(extension));
+            return textToolResult(result);
+        }
+        catch (error) {
+            return errorToolResult(error instanceof Error ? `Unable to read file: ${error.message}` : String(error), 400);
+        }
+    });
+    server.registerTool("upload_document", {
+        description: "Upload a knowledge base document or component diagram to an SRAI project. Provide file content as base64-encoded string, file name, and document type. Valid document_type values: 'Uploaded Knowledgebase doc', 'Component Diagram'. The document will be processed asynchronously after upload.",
+        inputSchema: {
+            project_id: z.number().int(),
+            name: z.string(),
+            description: z.string(),
+            document_type: z.string(),
+            file_content_base64: z.string(),
+            file_name: z.string(),
+        },
+    }, async ({ project_id, name, description, document_type, file_content_base64, file_name }) => runTool(async () => getApiClient().uploadDocument(project_id, name, description, document_type, Buffer.from(file_content_base64, "base64"), file_name)));
+    server.registerTool("create_document_from_content", {
+        description: "Create and upload a document from raw text/markdown content. The content is converted to a .txt file and uploaded to the SRAI project. Use this when you have generated or received text content that needs to be saved as a document in SRAI for security review. The LLM should generate detailed content before calling this tool.",
+        inputSchema: {
+            project_id: z.number().int(),
+            name: z.string(),
+            description: z.string(),
+            content: z.string(),
+        },
+    }, async ({ project_id, name, description, content }) => runTool(async () => getApiClient().uploadDocument(project_id, name, description, "Uploaded Knowledgebase doc", Buffer.from(content, "utf8"), `${name.replaceAll(" ", "_").toLowerCase()}.txt`)));
+    server.registerTool("link_external_document", {
+        description: "Link an external document to an SRAI project. Supports linking from Jira issues, Confluence pages, and GitHub repositories. Provide the appropriate source-specific fields in the payload.\n\nFor Jira: include document_type='Jira Issue', jira_issue_id, and optionally jira_project_key or jira_issue_url.\nFor Confluence: include document_type='Confluence Page', confluence_page_id, confluence_space_key, or confluence_page_url.\nFor GitHub: include document_type='Github Repository' and github_repo_url.",
+        inputSchema: {
+            project_id: z.number().int(),
+            name: z.string(),
+            description: z.string(),
+            document_type: z.string(),
+            source_id: z.string().default(""),
+            source_url: z.string().default(""),
+            source_key: z.string().default(""),
+        },
+    }, async ({ project_id, name, description, document_type, source_id, source_url, source_key }) => runTool(async () => {
+        const payload = {
+            name,
+            description,
+            document_type,
+        };
+        const docTypeLower = document_type.toLowerCase();
+        if (docTypeLower.includes("jira")) {
+            if (source_url) {
+                payload.jira_issue_url = source_url;
+            }
+            if (source_id) {
+                payload.jira_issue_id = source_id;
+            }
+            if (source_key) {
+                payload.jira_project_key = source_key;
+            }
+        }
+        else if (docTypeLower.includes("confluence")) {
+            if (source_url) {
+                payload.confluence_page_url = source_url;
+            }
+            if (source_id) {
+                payload.confluence_page_id = source_id;
+            }
+            if (source_key) {
+                payload.confluence_space_key = source_key;
+            }
+        }
+        else if (docTypeLower.includes("github")) {
+            if (source_url) {
+                payload.github_repo_url = source_url;
+            }
+        }
+        return getApiClient().linkDocument(project_id, payload);
+    }));
+}
+function expandUserPath(filePath) {
+    if (filePath.startsWith("~/")) {
+        return path.join(os.homedir(), filePath.slice(2));
+    }
+    return filePath;
+}
+function contentTypeForExtension(extension) {
+    switch (extension) {
+        case ".png":
+            return "image/png";
+        case ".jpg":
+        case ".jpeg":
+            return "image/jpeg";
+        default:
+            return "application/octet-stream";
+    }
+}

package/dist/tools/integrationTools.js

@@ -0,0 +1,100 @@
+import * as z from "zod/v4";
+import { getApiClient, SraiApiError } from "../api/client.js";
+import { ConfluenceClient } from "../integrations/confluenceClient.js";
+import { JiraClient } from "../integrations/jiraClient.js";
+import { errorToolResult, textToolResult } from "../utils/serialization.js";
+export function registerIntegrationTools(server) {
+    server.registerTool("fetch_jira_issue", {
+        description: "Fetch a Jira issue by its key (e.g., 'PROJ-123') or URL. Returns the issue summary, description, acceptance criteria, comments, status, priority, and labels. The fetched content can then be analyzed using the security analysis prompts, or linked to an SRAI project. Requires JIRA_BASE_URL, JIRA_EMAIL, and JIRA_API_TOKEN environment variables.",
+        inputSchema: {
+            issue_id: z.string(),
+        },
+    }, async ({ issue_id }) => textToolResult(await new JiraClient().fetchIssue(issue_id)));
+    server.registerTool("fetch_confluence_page", {
+        description: "Fetch a Confluence page by its ID or URL. Returns the page title, space, and full text content. The fetched content can then be analyzed using the security analysis prompts, or linked to an SRAI project. Requires CONFLUENCE_BASE_URL, CONFLUENCE_EMAIL, and CONFLUENCE_API_TOKEN environment variables.",
+        inputSchema: {
+            page_id: z.string().default(""),
+            page_url: z.string().default(""),
+        },
+    }, async ({ page_id, page_url }) => {
+        try {
+            const client = new ConfluenceClient();
+            if (page_url) {
+                return textToolResult(await client.fetchPageByUrl(page_url));
+            }
+            if (page_id) {
+                return textToolResult(await client.fetchPage(page_id));
+            }
+            return errorToolResult("Provide either page_id or page_url");
+        }
+        catch (error) {
+            return errorToolResult(error instanceof Error ? error.message : String(error));
+        }
+    });
+    server.registerTool("search_confluence_pages", {
+        description: "Search Confluence pages using CQL and return matching pages with content. Use this when you don't have a page ID/URL yet or need to fetch multiple pages. Examples: cql='space=ENG and type=page and title~\"Threat Model\"'. Requires CONFLUENCE_BASE_URL, CONFLUENCE_EMAIL, and CONFLUENCE_API_TOKEN.",
+        inputSchema: {
+            cql: z.string(),
+            limit: z.number().int().default(10),
+            include_content: z.boolean().default(true),
+        },
+    }, async ({ cql, limit, include_content }) => {
+        try {
+            const result = await new ConfluenceClient().searchPages(cql, limit, include_content);
+            return textToolResult(result);
+        }
+        catch (error) {
+            return errorToolResult(error instanceof Error ? error.message : String(error));
+        }
+    });
+    server.registerTool("fetch_and_link_to_srai", {
+        description: "Fetch content from an external source AND link it as a document in an SRAI project. This is a convenience tool that combines fetching (from Jira or Confluence) with linking it to a project.\n\nParameters:\n- project_id: The SRAI project to link to\n- source_type: 'jira' or 'confluence'\n- source_identifier: The issue key or page ID/URL\n- name: Document name in SRAI\n- description: Document description in SRAI",
+        inputSchema: {
+            project_id: z.number().int(),
+            source_type: z.string(),
+            source_identifier: z.string(),
+            name: z.string(),
+            description: z.string(),
+        },
+    }, async ({ project_id, source_type, source_identifier, name, description }) => {
+        const docTypeMap = {
+            jira: "Jira Issue",
+            confluence: "Confluence Page",
+        };
+        const docType = docTypeMap[source_type.toLowerCase()];
+        if (!docType) {
+            return errorToolResult(`Unknown source_type: ${source_type}. Use: jira, confluence`);
+        }
+        const payload = {
+            name,
+            description,
+            document_type: docType,
+        };
+        if (source_type.toLowerCase() === "jira") {
+            if (source_identifier.includes("://")) {
+                payload.jira_issue_url = source_identifier;
+            }
+            else {
+                payload.jira_issue_id = source_identifier;
+            }
+        }
+        else if (source_type.toLowerCase() === "confluence") {
+            if (source_identifier.includes("://")) {
+                payload.confluence_page_url = source_identifier;
+            }
+            else {
+                payload.confluence_page_id = source_identifier;
+            }
+        }
+        try {
+            const result = await getApiClient().linkDocument(project_id, payload);
+            return textToolResult(result);
+        }
+        catch (error) {
+            if (error instanceof SraiApiError) {
+                return errorToolResult(error.detail, error.statusCode);
+            }
+            return errorToolResult(error instanceof Error ? error.message : String(error));
+        }
+    });
+}