@sigildev/sigil 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mcp-scanner contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,246 @@
+# sigil
+
+Deep static security analysis for MCP servers. Finds command injection, path traversal, tool poisoning, credential leaks, and 12 other vulnerability classes — source code analysis that goes beyond description scanning.
+
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![npm version](https://img.shields.io/npm/v/sigil.svg)](https://www.npmjs.com/package/sigil)
+
+---
+
+## The Problem
+
+MCP servers are the bridge between AI agents and the real world — file systems, databases, APIs, shell commands. They're also largely unaudited. Studies of MCP implementations found **43% vulnerable to command injection**, **82% using file operations prone to path traversal**, and **5.5% with active tool poisoning** in their descriptions. Existing scanners check tool descriptions and metadata. They don't read the source code. sigil does.
+
+## What sigil Does
+
+- **Source code analysis** — Reads TypeScript and Python source, detects dangerous patterns in tool handlers (exec, eval, fs, SQL), flags unsanitized paths. Goes beyond description scanning — analyzes what your code actually does.
+- **16 security rules across 7 categories** — Injection, permissions, data exfiltration, input validation, tool description integrity, authentication, configuration. Each rule maps to documented MCP attack vectors and real CVEs.
+- **Trust score (0-100)** — Quantified security posture with A-F grading. Exit code 1 on FAIL for CI/CD gating. One critical finding = 75 or below.
+
+## Quick Start
+
+```bash
+npx sigil .
+```
+
+```
+  Sigil v0.1.0
+
+  Scanning: ./my-mcp-server
+  Language: TypeScript
+  Tools: 5 detected | Resources: 2 detected | Prompts: 0 detected
+
+  CRITICAL  MCS-INJ-001  Command Injection via tool input
+  │ src/tools/run-command.ts:24
+  │ Tool "execute" passes user input directly to child_process.exec()
+  │ without sanitization. Allows arbitrary command execution.
+  │
+  │   23│ server.tool("execute", { cmd: z.string() }, async ({ cmd }) => {
+  │ > 24│   const result = await exec(cmd);
+  │   25│   return { content: [{ type: "text", text: result.stdout }] };
+
+  HIGH  MCS-PERM-002  Unrestricted filesystem access
+  │ src/tools/files.ts:12
+  │ Tool "read_file" accepts arbitrary paths with no allowlist or
+  │ directory restriction. Can read /etc/passwd, SSH keys, .env files.
+
+  HIGH  MCS-DATA-001  Environment variable exposure
+  │ src/tools/debug.ts:8
+  │ Tool "get_env" returns process.env without filtering.
+  │ Exposes API keys, credentials, and secrets to the LLM.
+
+  MEDIUM  MCS-VALID-001  Missing input schema
+  │ src/tools/search.ts:31
+  │ Tool "search" has no input validation schema defined.
+  │ All inputs accepted without type or constraint checking.
+
+  LOW  MCS-CFG-002  Verbose error messages
+  │ src/index.ts:45
+  │ Error handler returns full stack traces to the client.
+
+  ──────────────────────────────────────────────────────
+  5 findings: 1 critical, 2 high, 1 medium, 1 low
+  Trust Score: 32/100 (FAIL)
+  ──────────────────────────────────────────────────────
+```
+
+## Installation
+
+```bash
+# Run without installing
+npx sigil .
+
+# Install globally
+npm install -g sigil
+
+# Install as dev dependency
+npm install -D sigil
+```
+
+## Usage
+
+```bash
+# Scan an MCP server directory
+sigil .
+sigil ./servers/github-server
+
+# Scan all servers in a config file
+sigil claude_desktop_config.json
+sigil .mcp.json
+
+# Machine-readable output
+sigil . --output json
+sigil . --output sarif
+
+# Filter by severity
+sigil . -s high          # Only high and critical findings
+
+# Ignore specific rules
+sigil . --ignore MCS-CFG-002,MCS-DEP-002
+
+# Quiet mode (findings only, no banner)
+sigil . -q
+```
+
+## What It Checks
+
+16 rules across 7 categories. Each maps to real MCP attack vectors and documented CVEs.
+
+| ID | Rule | Severity | What it detects |
+|----|------|----------|-----------------|
+| MCS-INJ-001 | Command Injection | CRITICAL | Tool inputs passed to `exec`, `spawn(shell)`, `os.system`, `subprocess.run(shell=True)` |
+| MCS-INJ-002 | SQL Injection | CRITICAL | Tool inputs concatenated into SQL strings without parameterized queries |
+| MCS-INJ-003 | Path Traversal | HIGH | Tool inputs used in file paths without canonicalization or directory restriction |
+| MCS-PERM-001 | Overly Broad Capabilities | HIGH | Tools performing dangerous ops (write, delete, fetch, exec) without scope restrictions |
+| MCS-PERM-002 | Unrestricted FS Access | HIGH | File system tools with no directory allowlist or path prefix restriction |
+| MCS-PERM-003 | Arbitrary Code Execution | CRITICAL | Tool inputs passed to `eval()`, `Function()`, `exec()`, `vm.runInNewContext` |
+| MCS-DATA-001 | Env Variable Exposure | HIGH | `process.env` or `os.environ` returned wholesale without filtering |
+| MCS-DATA-002 | Credential Leakage | HIGH | Unfiltered API responses containing auth tokens, session IDs, or credentials |
+| MCS-VALID-001 | Missing Input Schema | MEDIUM | Tools registered with empty or absent input validation schemas |
+| MCS-DESC-001 | Suspicious Descriptions | HIGH | Prompt injection patterns in tool descriptions (override instructions, exfiltration URLs, cross-tool calls) |
+| MCS-AUTH-001 | Hardcoded Credentials | CRITICAL | API keys, tokens, passwords hardcoded in source (`sk-*`, `ghp_*`, `AKIA*`, private keys) |
+| MCS-AUTH-002 | Secrets in Config | HIGH | Credentials inline in MCP config files instead of env var references |
+| MCS-CFG-001 | Debug Mode Enabled | MEDIUM | Debug/development configuration left enabled |
+| MCS-CFG-002 | Verbose Error Messages | LOW | Error handlers returning full stack traces to the client |
+| MCS-CFG-003 | Insecure Transport | MEDIUM | HTTP without TLS, binding to `0.0.0.0`, CORS with `*` |
+| MCS-DEP-001 | Vulnerable Dependencies | Varies | Dependencies with known CVEs (queried against OSV.dev) |
+
+## Output Formats
+
+### Text (default)
+
+Human-readable terminal output with color-coded severity badges and inline code excerpts. See Quick Start above.
+
+### JSON
+
+```bash
+sigil . --output json
+```
+
+Produces a structured `ScanResult` object with full finding details, tool/resource/prompt inventory, and trust score. Pipe to `jq` or consume programmatically.
+
+### SARIF
+
+```bash
+sigil . --output sarif
+```
+
+SARIF v2.1.0 output for integration with GitHub Code Scanning, VS Code SARIF Viewer, and other SARIF-compatible tools. Upload directly to GitHub:
+
+```bash
+sigil . --output sarif > results.sarif
+# Upload to GitHub Code Scanning via API or Action
+```
+
+## Trust Score
+
+```
+Score = 100 - penalties
+
+CRITICAL  = -25 points each
+HIGH      = -15 points each
+MEDIUM    = -5 points each
+LOW       = -2 points each
+
+A (90-100) = PASS    D (30-49) = FAIL
+B (70-89)  = PASS    F (0-29)  = FAIL
+C (50-69)  = WARN
+```
+
+Exit code `0` on PASS (score >= 70). Exit code `1` on FAIL. Use in CI/CD to block deployments.
+
+## Configuration
+
+Create `.sigil.yml` in your project root:
+
+```yaml
+# Rules to ignore
+ignore:
+  - MCS-CFG-002    # We intentionally show verbose errors in dev
+  - MCS-DEP-002    # We know this server is maintained
+
+# Severity overrides
+overrides:
+  MCS-VALID-001: low    # Downgrade missing schema for our use case
+
+# Paths to exclude
+exclude:
+  - "tests/**"
+  - "examples/**"
+  - "**/*.test.ts"
+
+# Minimum score to pass (default: 70)
+passScore: 60
+```
+
+## How It Works
+
+Three-layer analysis pipeline. No dynamic analysis — the scanner never runs your MCP server.
+
+1. **Discovery** — Finds MCP server entry points, parses config files (`claude_desktop_config.json`, `.mcp.json`), reads `package.json`/`pyproject.toml`, discovers source files.
+2. **Analysis** — 16 rules run against source code:
+   - **Pattern Analyzer** — Context-aware regex detection for injection sinks, dangerous permissions, credential leaks, prompt injection, and configuration issues. Checks surrounding code context to reduce false positives.
+   - **Dependency Checker** — Parses dependency manifests, queries OSV.dev for known CVEs.
+3. **Reporting** — Aggregates findings, computes trust score, formats output.
+
+## Comparison
+
+| Feature | sigil | Snyk agent-scan | Cisco Sigil | Enkrypt AI |
+|---------|-------------|-----------------|-------------------|------------|
+| Open source | MIT | Partial | Partial | No |
+| Analysis depth | Source code pattern analysis | Description scanning | YARA rules + LLM | Agentic static |
+| Languages | TypeScript + Python | Runtime only | Unknown | GitHub repos |
+| Trust scoring | 0-100 + A-F grade | Pass/fail | None | Per-finding |
+| SARIF output | Yes | No | No | No |
+| Config scanning | Yes | No | No | No |
+| Dependency scanning | Yes (OSV.dev) | No | No | No |
+| Description poisoning | Yes | Yes | Yes (LLM) | Yes |
+| Cost | Free | Free (scanner), paid (platform) | Free (scanner), paid (API) | Free tier, paid |
+
+**Our edge:** Deep source code analysis (not just description scanning), both TypeScript and Python, trust scoring, config file scanning, dependency checking, and SARIF output — in a single free, open-source CLI. No account required. No data sent to external services (except OSV.dev for dependency CVE checks).
+
+## Supported MCP Frameworks
+
+- `@modelcontextprotocol/sdk` (TypeScript) — `server.tool()`, `server.resource()`, `server.prompt()`
+- `mcp` / FastMCP (Python) — `@mcp.tool()`, `@mcp.resource()`, `@mcp.prompt()`
+
+## Contributing
+
+Contributions welcome. Areas where help is needed:
+
+- **New rules** — See the rule template in `src/rules/`. Each rule is a self-contained module.
+- **Language support** — Go, Rust, Java MCP server analysis.
+- **False positive reports** — If the scanner flags safe code, open an issue with a minimal repro.
+- **Real-world validation** — Run the scanner on your MCP servers and share results (with permission).
+
+```bash
+git clone https://github.com/sigil/sigil
+cd sigil
+npm install
+npm test
+npm run dev -- ./tests/fixtures/vulnerable-ts
+```
+
+## License
+
+MIT

package/dist/analyzers/ast/python.d.ts

@@ -0,0 +1,14 @@
+import type { AnalysisContext, Finding } from "../types.js";
+/**
+ * Python AST analyzer.
+ *
+ * Parses Python source files using tree-sitter with the Python grammar
+ * and runs rule-specific visitors to detect:
+ * - FastMCP instantiation (FastMCP(...))
+ * - Tool decorators (@mcp.tool(), @server.tool())
+ * - Dangerous sink usage in decorated functions (os.system, subprocess.*, open(), eval(), exec())
+ *
+ * TODO: Implement tree-sitter parsing and taint tracking
+ */
+export declare function analyzePython(_context: AnalysisContext): Finding[];
+//# sourceMappingURL=python.d.ts.map

package/dist/analyzers/ast/python.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.d.ts","sourceRoot":"","sources":["../../../src/analyzers/ast/python.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE5D;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,eAAe,GACxB,OAAO,EAAE,CAEX"}

package/dist/analyzers/ast/python.js

@@ -0,0 +1,15 @@
+/**
+ * Python AST analyzer.
+ *
+ * Parses Python source files using tree-sitter with the Python grammar
+ * and runs rule-specific visitors to detect:
+ * - FastMCP instantiation (FastMCP(...))
+ * - Tool decorators (@mcp.tool(), @server.tool())
+ * - Dangerous sink usage in decorated functions (os.system, subprocess.*, open(), eval(), exec())
+ *
+ * TODO: Implement tree-sitter parsing and taint tracking
+ */
+export function analyzePython(_context) {
+    return [];
+}
+//# sourceMappingURL=python.js.map

package/dist/analyzers/ast/python.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.js","sourceRoot":"","sources":["../../../src/analyzers/ast/python.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAyB;IAEzB,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/analyzers/ast/taint.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Simplified taint tracking for single-function analysis.
+ *
+ * Algorithm:
+ * 1. Mark all tool handler parameters as "tainted"
+ * 2. Walk the handler function body
+ * 3. If a tainted value reaches a dangerous sink without passing through
+ *    a known sanitizer, produce a finding
+ *
+ * Known sanitizers:
+ * - parseInt(), Number()
+ * - encodeURIComponent()
+ * - path.resolve() + startsWith() prefix check
+ * - Parameterized query patterns ($1, ?, :param)
+ * - Allowlist checks (enum, .includes(), switch/case)
+ *
+ * Known dangerous sinks:
+ * - child_process.exec, execSync
+ * - child_process.spawn with shell: true
+ * - eval(), new Function(), vm.runInNewContext
+ * - os.system, subprocess.run(shell=True), subprocess.Popen(shell=True)
+ * - fs.readFile, fs.writeFile without path validation
+ * - db.query with string concatenation
+ * - fetch() / http.request() with tainted URL
+ *
+ * TODO: Implement taint propagation through variable assignments and function calls
+ */
+export interface TaintSource {
+    name: string;
+    line: number;
+    column: number;
+}
+export interface TaintSink {
+    type: "exec" | "eval" | "fs" | "sql" | "fetch";
+    name: string;
+    line: number;
+    column: number;
+}
+export interface TaintResult {
+    source: TaintSource;
+    sink: TaintSink;
+    sanitized: boolean;
+}
+export declare function traceTaint(_sources: TaintSource[], _sinks: TaintSink[]): TaintResult[];
+//# sourceMappingURL=taint.d.ts.map

package/dist/analyzers/ast/taint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/ast/taint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,KAAK,GAAG,OAAO,CAAC;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,SAAS,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,wBAAgB,UAAU,CACxB,QAAQ,EAAE,WAAW,EAAE,EACvB,MAAM,EAAE,SAAS,EAAE,GAClB,WAAW,EAAE,CAGf"}

package/dist/analyzers/ast/taint.js

@@ -0,0 +1,32 @@
+/**
+ * Simplified taint tracking for single-function analysis.
+ *
+ * Algorithm:
+ * 1. Mark all tool handler parameters as "tainted"
+ * 2. Walk the handler function body
+ * 3. If a tainted value reaches a dangerous sink without passing through
+ *    a known sanitizer, produce a finding
+ *
+ * Known sanitizers:
+ * - parseInt(), Number()
+ * - encodeURIComponent()
+ * - path.resolve() + startsWith() prefix check
+ * - Parameterized query patterns ($1, ?, :param)
+ * - Allowlist checks (enum, .includes(), switch/case)
+ *
+ * Known dangerous sinks:
+ * - child_process.exec, execSync
+ * - child_process.spawn with shell: true
+ * - eval(), new Function(), vm.runInNewContext
+ * - os.system, subprocess.run(shell=True), subprocess.Popen(shell=True)
+ * - fs.readFile, fs.writeFile without path validation
+ * - db.query with string concatenation
+ * - fetch() / http.request() with tainted URL
+ *
+ * TODO: Implement taint propagation through variable assignments and function calls
+ */
+export function traceTaint(_sources, _sinks) {
+    // TODO: Implement
+    return [];
+}
+//# sourceMappingURL=taint.js.map

package/dist/analyzers/ast/taint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint.js","sourceRoot":"","sources":["../../../src/analyzers/ast/taint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAqBH,MAAM,UAAU,UAAU,CACxB,QAAuB,EACvB,MAAmB;IAEnB,kBAAkB;IAClB,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/analyzers/ast/typescript.d.ts

@@ -0,0 +1,15 @@
+import type { AnalysisContext, Finding } from "../types.js";
+/**
+ * TypeScript AST analyzer.
+ *
+ * Parses TypeScript/JavaScript source files using the TypeScript Compiler API
+ * and runs rule-specific visitors to detect:
+ * - MCP server instantiation (new McpServer(...), new Server(...))
+ * - Tool registrations (.tool() calls) with name, description, schema, handler
+ * - Resource registrations (.resource() calls)
+ * - Dangerous sink usage in handlers (exec, eval, fs ops, SQL queries, fetch)
+ *
+ * TODO: Implement AST walking and taint tracking
+ */
+export declare function analyzeTypeScript(_context: AnalysisContext): Finding[];
+//# sourceMappingURL=typescript.d.ts.map

package/dist/analyzers/ast/typescript.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"typescript.d.ts","sourceRoot":"","sources":["../../../src/analyzers/ast/typescript.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE5D;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,eAAe,GACxB,OAAO,EAAE,CAEX"}

package/dist/analyzers/ast/typescript.js

@@ -0,0 +1,16 @@
+/**
+ * TypeScript AST analyzer.
+ *
+ * Parses TypeScript/JavaScript source files using the TypeScript Compiler API
+ * and runs rule-specific visitors to detect:
+ * - MCP server instantiation (new McpServer(...), new Server(...))
+ * - Tool registrations (.tool() calls) with name, description, schema, handler
+ * - Resource registrations (.resource() calls)
+ * - Dangerous sink usage in handlers (exec, eval, fs ops, SQL queries, fetch)
+ *
+ * TODO: Implement AST walking and taint tracking
+ */
+export function analyzeTypeScript(_context) {
+    return [];
+}
+//# sourceMappingURL=typescript.js.map

package/dist/analyzers/ast/typescript.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"typescript.js","sourceRoot":"","sources":["../../../src/analyzers/ast/typescript.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAyB;IAEzB,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/analyzers/deps.d.ts

@@ -0,0 +1,13 @@
+import type { AnalysisContext, Finding } from "./types.js";
+/**
+ * Dependency vulnerability checker.
+ *
+ * Parses lock files and queries the OSV.dev vulnerability database:
+ * - package-lock.json / yarn.lock / pnpm-lock.yaml → extract dependency graph
+ * - requirements.txt / poetry.lock / uv.lock → extract dependency list
+ * - For each dependency + version, query https://api.osv.dev/v1/query
+ *
+ * TODO: Implement lock file parsing and OSV.dev queries
+ */
+export declare function analyzeDependencies(_context: AnalysisContext): Promise<Finding[]>;
+//# sourceMappingURL=deps.d.ts.map

package/dist/analyzers/deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.d.ts","sourceRoot":"","sources":["../../src/analyzers/deps.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE3D;;;;;;;;;GASG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,eAAe,GACxB,OAAO,CAAC,OAAO,EAAE,CAAC,CAEpB"}

package/dist/analyzers/deps.js

@@ -0,0 +1,14 @@
+/**
+ * Dependency vulnerability checker.
+ *
+ * Parses lock files and queries the OSV.dev vulnerability database:
+ * - package-lock.json / yarn.lock / pnpm-lock.yaml → extract dependency graph
+ * - requirements.txt / poetry.lock / uv.lock → extract dependency list
+ * - For each dependency + version, query https://api.osv.dev/v1/query
+ *
+ * TODO: Implement lock file parsing and OSV.dev queries
+ */
+export async function analyzeDependencies(_context) {
+    return [];
+}
+//# sourceMappingURL=deps.js.map

package/dist/analyzers/deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deps.js","sourceRoot":"","sources":["../../src/analyzers/deps.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAyB;IAEzB,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/analyzers/pattern.d.ts

@@ -0,0 +1,12 @@
+import type { AnalysisContext, Finding } from "./types.js";
+/**
+ * Regex-based pattern matcher for rules that don't need AST understanding:
+ * - Credential patterns (MCS-AUTH-001): high-entropy strings, known key prefixes
+ * - Tool description analysis (MCS-DESC-001): prompt injection patterns
+ * - Debug/config patterns (MCS-CFG-001, MCS-CFG-002)
+ * - Transport config (MCS-CFG-003)
+ *
+ * TODO: Implement pattern matching
+ */
+export declare function analyzePatterns(_context: AnalysisContext): Finding[];
+//# sourceMappingURL=pattern.d.ts.map

package/dist/analyzers/pattern.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern.d.ts","sourceRoot":"","sources":["../../src/analyzers/pattern.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE3D;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,eAAe,GACxB,OAAO,EAAE,CAEX"}

package/dist/analyzers/pattern.js

@@ -0,0 +1,13 @@
+/**
+ * Regex-based pattern matcher for rules that don't need AST understanding:
+ * - Credential patterns (MCS-AUTH-001): high-entropy strings, known key prefixes
+ * - Tool description analysis (MCS-DESC-001): prompt injection patterns
+ * - Debug/config patterns (MCS-CFG-001, MCS-CFG-002)
+ * - Transport config (MCS-CFG-003)
+ *
+ * TODO: Implement pattern matching
+ */
+export function analyzePatterns(_context) {
+    return [];
+}
+//# sourceMappingURL=pattern.js.map

package/dist/analyzers/pattern.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern.js","sourceRoot":"","sources":["../../src/analyzers/pattern.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAyB;IAEzB,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/analyzers/types.d.ts

@@ -0,0 +1,111 @@
+export type Severity = "critical" | "high" | "medium" | "low";
+export type Grade = "A" | "B" | "C" | "D" | "F";
+export type ScoreLabel = "PASS" | "WARN" | "FAIL";
+export interface Finding {
+    ruleId: string;
+    severity: Severity;
+    title: string;
+    message: string;
+    location: Location;
+    tool?: ToolContext;
+    fix?: Fix;
+}
+export interface Location {
+    file: string;
+    startLine: number;
+    endLine: number;
+    startColumn?: number;
+    endColumn?: number;
+}
+export interface ToolContext {
+    name: string;
+    description?: string;
+}
+export interface Fix {
+    description: string;
+    suggestion?: string;
+}
+export interface ToolInfo {
+    name: string;
+    description?: string;
+    inputSchema?: Record<string, unknown>;
+    hasHandler: boolean;
+}
+export interface ResourceInfo {
+    uri: string;
+    name?: string;
+    description?: string;
+}
+export interface PromptInfo {
+    name: string;
+    description?: string;
+    arguments?: string[];
+}
+export interface Score {
+    value: number;
+    grade: Grade;
+    label: ScoreLabel;
+}
+export interface ScanResult {
+    scanner: {
+        name: string;
+        version: string;
+    };
+    target: TargetInfo;
+    server: ServerInfo;
+    findings: Finding[];
+    score: Score;
+    timestamp: string;
+    duration: number;
+}
+export interface TargetInfo {
+    path: string;
+    name?: string;
+    version?: string;
+    language: "typescript" | "python" | "unknown";
+}
+export interface ServerInfo {
+    tools: ToolInfo[];
+    resources: ResourceInfo[];
+    prompts: PromptInfo[];
+}
+export type RuleCategory = "injection" | "permissions" | "data-exfiltration" | "validation" | "description" | "auth" | "config" | "dependencies";
+export interface RuleDefinition {
+    id: string;
+    name: string;
+    severity: Severity;
+    category: RuleCategory;
+    description: string;
+    detect: (context: AnalysisContext) => Finding[];
+}
+export interface AnalysisContext {
+    /** Absolute path to the scan root */
+    rootDir: string;
+    /** Detected language */
+    language: "typescript" | "python" | "unknown";
+    /** All source file paths (relative to rootDir) */
+    sourceFiles: string[];
+    /** Raw source code keyed by relative path */
+    sources: Map<string, string>;
+    /** Discovered MCP server info */
+    server: ServerInfo;
+    /** Manifest info (package.json / pyproject.toml) */
+    manifest?: ManifestInfo;
+    /** MCP config entries, if scanned from a config file */
+    configEntries?: ConfigEntry[];
+}
+export interface ManifestInfo {
+    name?: string;
+    version?: string;
+    dependencies: Record<string, string>;
+    devDependencies: Record<string, string>;
+    lockfilePath?: string;
+}
+export interface ConfigEntry {
+    name: string;
+    command: string;
+    args?: string[];
+    env?: Record<string, string>;
+}
+export type OutputFormat = "text" | "json" | "sarif";
+//# sourceMappingURL=types.d.ts.map

package/dist/analyzers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/analyzers/types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9D,MAAM,MAAM,KAAK,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAEhD,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAIlD,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,GAAG;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAID,MAAM,WAAW,KAAK;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,KAAK,CAAC;IACb,KAAK,EAAE,UAAU,CAAC;CACnB;AAID,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,KAAK,EAAE,KAAK,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,SAAS,CAAC;CAC/C;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,SAAS,EAAE,YAAY,EAAE,CAAC;IAC1B,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAID,MAAM,MAAM,YAAY,GACpB,WAAW,GACX,aAAa,GACb,mBAAmB,GACnB,YAAY,GACZ,aAAa,GACb,MAAM,GACN,QAAQ,GACR,cAAc,CAAC;AAEnB,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,CAAC,OAAO,EAAE,eAAe,KAAK,OAAO,EAAE,CAAC;CACjD;AAID,MAAM,WAAW,eAAe;IAC9B,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,wBAAwB;IACxB,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC9C,kDAAkD;IAClD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,6CAA6C;IAC7C,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iCAAiC;IACjC,MAAM,EAAE,UAAU,CAAC;IACnB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,wDAAwD;IACxD,aAAa,CAAC,EAAE,WAAW,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B;AAID,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC"}

package/dist/analyzers/types.js

@@ -0,0 +1,3 @@
+// ─── Severity & Grading ───
+export {};
+//# sourceMappingURL=types.js.map

package/dist/analyzers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/analyzers/types.ts"],"names":[],"mappings":"AAAA,6BAA6B"}

package/dist/discovery/config-parser.d.ts

@@ -0,0 +1,7 @@
+import type { ConfigEntry } from "../analyzers/types.js";
+/**
+ * Parse an MCP configuration file (claude_desktop_config.json, .mcp.json)
+ * and extract server entries.
+ */
+export declare function parseConfig(configPath: string): Promise<ConfigEntry[]>;
+//# sourceMappingURL=config-parser.d.ts.map

package/dist/discovery/config-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-parser.d.ts","sourceRoot":"","sources":["../../src/discovery/config-parser.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;GAGG;AACH,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAoB5E"}