@ship-safe/mcp 0.2.0

package/README.md

@@ -0,0 +1,90 @@
+# @ship-safe/mcp
+
+A [Model Context Protocol](https://modelcontextprotocol.io) server that lets your AI coding agent (Cursor, Claude Code, Claude Desktop, Windsurf, …) scan the code it writes for security vulnerabilities — **in-loop, without leaving the editor**.
+
+It runs ShipSafe's fast local pattern scan for free (secrets, injection, broken auth/IDOR, misconfig) plus a **dependency CVE scan** of your lockfiles (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `requirements.txt`, `go.sum`, `Gemfile.lock`) via the OSV database. With a Growth or Shield login it also runs **AI deep analysis** and can generate a one‑paste fix prompt. Your code is never stored.
+
+## Tools
+
+| Tool | What it does | Auth |
+|------|--------------|------|
+| `shipsafe_scan` | Scan a directory; returns plain‑English findings with the exact fix for each, plus structured output (see below). | Free (local). AI analysis needs Growth/Shield. |
+| `shipsafe_fix_prompt` | Scan, then return one paste‑ready prompt that fixes everything, tailored to the detected AI builder. | Growth / Shield |
+| `shipsafe_status` | Show login state, plan, and remaining AI scan quota. | — |
+
+### `shipsafe_scan` inputs
+
+| Input | Type | Purpose |
+|-------|------|---------|
+| `path` | string | Directory to scan (defaults to cwd). |
+| `severity` | `critical`\|`high`\|`medium`\|`low` | Only return findings at or above this severity. |
+| `ai` | boolean | Run AI deep analysis (needs Growth/Shield). On by default for paid users. |
+| `paths` | string[] | Scan only these files/dirs (inside the project) — e.g. the files you just edited. Fast inner loop. |
+| `changedOnly` | boolean | Scan only files changed vs git HEAD + new untracked files. Falls back to a full scan if not a git repo. |
+
+### Structured output
+
+Alongside the human‑readable report, `shipsafe_scan` returns machine‑readable `structuredContent` an agent can branch on:
+
+- `clean` (boolean) and `counts` (by severity) — a greppable pass/fail, so you never have to parse prose.
+- `findings[]` — each with `key`, `severity`, `file`, `line`, `cwe`, `plainEnglish`, `fixDescription`, `fixSuggestion`.
+- `scanned` — `{ mode: "full" | "targeted", sourceFiles, dependencyFiles }`.
+- `diff` (full‑project scans only) — `{ resolved, stillOpen, introduced }` vs your previous scan of the same directory, so a `scan → fix → re-scan` loop can confirm a fix actually worked. The diff state is kept locally under `~/.shipsafe/mcp-history` and never leaves your machine.
+
+Failures (no source files, generation errors, not logged in) are returned with `isError: true`, so "couldn't run" is never mistaken for "ran clean".
+
+## Login (for AI analysis)
+
+The server reuses the ShipSafe CLI's session. Once, in a terminal:
+
+```bash
+npx @ship-safe/cli login
+```
+
+That writes `~/.shipsafe/token.json`, which this MCP server reads. The free local scan works without it.
+
+## Setup
+
+### Cursor — `.cursor/mcp.json` (project) or `~/.cursor/mcp.json` (global)
+
+```json
+{
+  "mcpServers": {
+    "shipsafe": { "command": "npx", "args": ["-y", "@ship-safe/mcp"] }
+  }
+}
+```
+
+### Claude Code
+
+```bash
+claude mcp add shipsafe -- npx -y @ship-safe/mcp
+```
+
+### Claude Desktop — `claude_desktop_config.json`
+
+```json
+{
+  "mcpServers": {
+    "shipsafe": { "command": "npx", "args": ["-y", "@ship-safe/mcp"] }
+  }
+}
+```
+
+Then ask the agent: *"scan this project with ShipSafe and fix what it finds."*
+
+## Configuration
+
+| Env var | Default | Purpose |
+|---------|---------|---------|
+| `SHIPSAFE_API_URL` | `https://ship-safe.co` | Point at a local/staging backend (e.g. `http://localhost:3000`). |
+
+## Local development
+
+```bash
+pnpm install
+pnpm --filter @shipsafe/shared --filter @shipsafe/scanner build
+pnpm --filter @ship-safe/mcp build
+# run the built server directly (stdio):
+node apps/mcp/dist/index.js
+```