@taplid/mcp 0.4.6 → 0.4.7

package/README.md

@@ -1,165 +1,171 @@
-# @taplid/mcp
-
-Local MCP (Model Context Protocol) server exposing Taplid's artifact audit as a single tool for AI coding agents.
-
-Use Taplid from Claude Desktop, Cursor, or any MCP-aware client to verify AI-generated artifacts (implementation plans, code reviews, PR reviews, generated technical reports, proposed code changes) against supplied context before trusting, applying, merging, sending, or acting on them.
-
-## What it does
-
-Registers one MCP tool, `taplid_audit`, that accepts three text fields and returns ALLOW / REVIEW / BLOCK with a 0-100 trust score and a structured summary.
-
-- One tool only. No file reading. No command execution. No repo scanning.
-- Stdio transport. Local process launched by the MCP client.
-- HTTP caller boundary to the existing Taplid API. No engine code is imported.
-
-## Install and configure
-
-The package is invoked as a local binary by an MCP-aware client (Claude Desktop, Cursor, others). It does not need to be globally installed; `npx` resolves it on first invocation.
-
-### Claude Desktop / Cursor (cross-platform)
-
-Add this block to your MCP client's `mcpServers` config and `npx` will resolve the package on first invocation:
-
-```json
-{
-  "mcpServers": {
-    "taplid": {
-      "command": "npx",
-      "args": ["-y", "@taplid/mcp"],
-      "env": {
-        "TAPLID_API_KEY": "tap_live_...",
-        "TAPLID_API_URL": "https://api.taplid.com"
-      }
-    }
-  }
-}
-```
-
-### Local development (Windows path)
-
-For local development against a Taplid API running on your machine:
-
-```json
-{
-  "mcpServers": {
-    "taplid-local": {
-      "command": "node",
-      "args": ["C:\\code\\taplid\\packages\\taplid-mcp\\dist\\server.js"],
-      "env": {
-        "TAPLID_API_KEY": "tap_live_...",
-        "TAPLID_API_URL": "http://127.0.0.1:7000"
-      }
-    }
-  }
-}
-```
-
-Compatible with MCP-aware clients such as Claude Desktop and Cursor where stdio MCP servers are supported. Specific clients may use their own config formats.
-
-## Environment variables
-
-| Variable | Default | Purpose |
-|---|---|---|
-| `TAPLID_API_KEY` | required | Bearer token for the Taplid API. Set this in your MCP client config block. Never passed as a tool input. |
-| `TAPLID_API_URL` | falls back to `TAPLID_PUBLIC_API_URL`, then `https://api.taplid.com` | Base URL for the Taplid API. |
-| `TAPLID_MCP_TIMEOUT_MS` | `60000` | AbortController deadline for each request. Range 1000-600000ms; out-of-range values revert to default. |
-| `TAPLID_MCP_DEBUG` | `false` | When `"true"`, successful responses include a `_debug` object with `{latencyMs, bytesIn, httpStatus}`. Bodies and secrets are never included. |
-| `TAPLID_MCP_LOG_LEVEL` | `info` | Pino log level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `silent`. |
-
-Logs go to stderr only. Stdout is reserved for the MCP protocol.
-
-## Tool: `taplid_audit`
-
-`MAX_REVIEW_FIELD_CHARS` characters (120,000). Oversize input is rejected before the network call.
-
-`TAPLID_API_KEY` is read from the MCP client env block.
-
-### Worked example
-
-Input:
-
-```json
-{
-  "context": "The number is 1.",
-  "prompt": "What is the number?",
-  "response": "The number is 2."
-}
-```
-
-Expected envelope:
-
-```json
-{
-  "auditId": "AUD-XXX...",
-  "decision": "BLOCK",
-  "trustScore": 0,
-  "summary": "This answer conflicts with the provided context.",
-  "issues": [
-    {
-      "message": "Contradicts the provided context.",
-      "snippet": "The number is 2.",
-      "reason": "The answer says the opposite of what the context says."
-    }
-  ],
-  "nextStep": "Do not use this yet. Adjust the answer to match the provided context, then re-run the check.",
-  "repairActions": [
-    {
-      "action": "Rewrite the answer so it aligns with the provided context.",
-      "priority": "high",
-      "target": "response"
-    }
-  ],
-  "claims": [
-    {
-      "status": "contradicted",
-      "text": "The number is 2."
-    }
-  ],
-  "details": {
-    "passThreshold": 80,
-    "reviewThreshold": 60
-  }
-}
-```
-
-### Response fields
-
-- **auditId** — unique identifier for this audit run
-- **decision** — `ALLOW`, `REVIEW`, or `BLOCK`
-- **trustScore** — 0 to 100 public trust signal
-- **summary** — short explanation for the verdict
-- **issues** — concrete problems found in the response
-- **nextStep** — practical guidance for what to do next
-- **repairActions** — prioritized steps to fix the response
-- **claims** — individual claims extracted and verified against the context
-- **details.passThreshold / details.reviewThreshold** — decision thresholds set on your account
-
-`repairActions` and `auditId` are present only when the API returns them.
-
-## Error codes
-
-The MCP tool returns structured errors with stable codes; no stack traces, no raw upstream bodies.
-
-| Code | When |
-|---|---|
-| `INVALID_INPUT` | A required field is missing or not a non-empty string. |
-| `INPUT_TOO_LARGE` | One of `context`, `prompt`, `response` exceeds 120,000 characters. Detected pre-network. |
-| `MISSING_API_KEY` | `TAPLID_API_KEY` is not set. Detected pre-network. |
-| `UPSTREAM_AUTH_FAILED` | The Taplid API returned 401 or 403. |
-| `UPSTREAM_RATE_LIMITED` | The Taplid API returned 429. |
-| `UPSTREAM_TIMEOUT` | The request did not complete within `TAPLID_MCP_TIMEOUT_MS`. |
-| `UPSTREAM_UNAVAILABLE` | The Taplid API returned 5xx or the host was unreachable. |
-| `UPSTREAM_BAD_RESPONSE` | The Taplid API returned a body that was not valid JSON or not the expected shape. |
-| `MCP_INTERNAL` | Unexpected internal error. |
-
-## Security model
-
-- One MCP tool. No file I/O, no shell, no process spawning, no inbound network listener.
-- Stdio transport launched by the MCP client. The threat model includes hostile tool input and hostile generated artifacts.
-- `TAPLID_API_KEY` is read from the environment only and is never accepted as a tool input.
-- Logs redact the API key, the `Authorization` header, and the bodies of `context`, `prompt`, `response`. Stdout is reserved for the MCP protocol.
-- The package never imports core Taplid engine code. The audit pipeline is reached via the public `/api/review` HTTP endpoint, which preserves all server-side guards.
-
-## License
-
-Same license as the parent Taplid workspace.
+# @taplid/mcp
+
+Official MCP for the hosted Taplid audit API.
+
+- Docs: https://taplid.com/docs
+- Audit page: https://taplid.com/audit
+
+
+Local MCP (Model Context Protocol) server exposing Taplid's artifact audit as a single tool for AI coding agents.
+
+Use Taplid from Claude Desktop, Cursor, or any MCP-aware client to verify AI-generated artifacts (implementation plans, code reviews, PR reviews, generated technical reports, proposed code changes) against supplied context before trusting, applying, merging, sending, or acting on them.
+
+## What it does
+
+Registers one MCP tool, `taplid_audit`, that accepts three text fields and returns ALLOW / REVIEW / BLOCK with a 0-100 trust score and a structured summary.
+
+- One tool only. No file reading. No command execution. No repo scanning.
+- Stdio transport. Local process launched by the MCP client.
+- HTTP caller boundary to the existing Taplid API. No engine code is imported.
+
+## Install and configure
+
+The package is invoked as a local binary by an MCP-aware client (Claude Desktop, Cursor, others). It does not need to be globally installed; `npx` resolves it on first invocation.
+
+### Claude Desktop / Cursor (cross-platform)
+
+Add this block to your MCP client's `mcpServers` config and `npx` will resolve the package on first invocation:
+
+```json
+{
+  "mcpServers": {
+    "taplid": {
+      "command": "npx",
+      "args": ["-y", "@taplid/mcp"],
+      "env": {
+        "TAPLID_API_KEY": "tap_live_...",
+        "TAPLID_API_URL": "https://api.taplid.com"
+      }
+    }
+  }
+}
+```
+
+### Local development (Windows path)
+
+For local development against a Taplid API running on your machine:
+
+```json
+{
+  "mcpServers": {
+    "taplid-local": {
+      "command": "node",
+      "args": ["C:\\code\\taplid\\packages\\taplid-mcp\\dist\\server.js"],
+      "env": {
+        "TAPLID_API_KEY": "tap_live_...",
+        "TAPLID_API_URL": "http://127.0.0.1:7000"
+      }
+    }
+  }
+}
+```
+
+Compatible with MCP-aware clients such as Claude Desktop and Cursor where stdio MCP servers are supported. Specific clients may use their own config formats.
+
+## Environment variables
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `TAPLID_API_KEY` | required | Bearer token for the Taplid API. Set this in your MCP client config block. Never passed as a tool input. |
+| `TAPLID_API_URL` | falls back to `TAPLID_PUBLIC_API_URL`, then `https://api.taplid.com` | Base URL for the Taplid API. |
+| `TAPLID_MCP_TIMEOUT_MS` | `60000` | AbortController deadline for each request. Range 1000-600000ms; out-of-range values revert to default. |
+| `TAPLID_MCP_DEBUG` | `false` | When `"true"`, successful responses include a `_debug` object with `{latencyMs, bytesIn, httpStatus}`. Bodies and secrets are never included. |
+| `TAPLID_MCP_LOG_LEVEL` | `info` | Pino log level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `silent`. |
+
+Logs go to stderr only. Stdout is reserved for the MCP protocol.
+
+## Tool: `taplid_audit`
+
+`MAX_REVIEW_FIELD_CHARS` characters (120,000). Oversize input is rejected before the network call.
+
+`TAPLID_API_KEY` is read from the MCP client env block.
+
+### Worked example
+
+Input:
+
+```json
+{
+  "context": "The number is 1.",
+  "prompt": "What is the number?",
+  "response": "The number is 2."
+}
+```
+
+Expected envelope:
+
+```json
+{
+  "auditId": "AUD-XXX...",
+  "decision": "BLOCK",
+  "trustScore": 0,
+  "summary": "This answer conflicts with the provided context.",
+  "issues": [
+    {
+      "message": "Contradicts the provided context.",
+      "snippet": "The number is 2.",
+      "reason": "The answer says the opposite of what the context says."
+    }
+  ],
+  "nextStep": "Do not use this yet. Adjust the answer to match the provided context, then re-run the check.",
+  "repairActions": [
+    {
+      "action": "Rewrite the answer so it aligns with the provided context.",
+      "priority": "high",
+      "target": "response"
+    }
+  ],
+  "claims": [
+    {
+      "status": "contradicted",
+      "text": "The number is 2."
+    }
+  ],
+  "details": {
+    "passThreshold": 80,
+    "reviewThreshold": 60
+  }
+}
+```
+
+### Response fields
+
+- **auditId** — unique identifier for this audit run
+- **decision** — `ALLOW`, `REVIEW`, or `BLOCK`
+- **trustScore** — 0 to 100 public trust signal
+- **summary** — short explanation for the verdict
+- **issues** — concrete problems found in the response
+- **nextStep** — practical guidance for what to do next
+- **repairActions** — prioritized steps to fix the response
+- **claims** — individual claims extracted and verified against the context
+- **details.passThreshold / details.reviewThreshold** — decision thresholds set on your account
+
+`repairActions` and `auditId` are present only when the API returns them.
+
+## Error codes
+
+The MCP tool returns structured errors with stable codes; no stack traces, no raw upstream bodies.
+
+| Code | When |
+|---|---|
+| `INVALID_INPUT` | A required field is missing or not a non-empty string. |
+| `INPUT_TOO_LARGE` | One of `context`, `prompt`, `response` exceeds 120,000 characters. Detected pre-network. |
+| `MISSING_API_KEY` | `TAPLID_API_KEY` is not set. Detected pre-network. |
+| `UPSTREAM_AUTH_FAILED` | The Taplid API returned 401 or 403. |
+| `UPSTREAM_RATE_LIMITED` | The Taplid API returned 429. |
+| `UPSTREAM_TIMEOUT` | The request did not complete within `TAPLID_MCP_TIMEOUT_MS`. |
+| `UPSTREAM_UNAVAILABLE` | The Taplid API returned 5xx or the host was unreachable. |
+| `UPSTREAM_BAD_RESPONSE` | The Taplid API returned a body that was not valid JSON or not the expected shape. |
+| `MCP_INTERNAL` | Unexpected internal error. |
+
+## Security model
+
+- One MCP tool. No file I/O, no shell, no process spawning, no inbound network listener.
+- Stdio transport launched by the MCP client. The threat model includes hostile tool input and hostile generated artifacts.
+- `TAPLID_API_KEY` is read from the environment only and is never accepted as a tool input.
+- Logs redact the API key, the `Authorization` header, and the bodies of `context`, `prompt`, `response`. Stdout is reserved for the MCP protocol.
+- The package never imports core Taplid engine code. The audit pipeline is reached via Taplid's public HTTP audit endpoint, which preserves all server-side guards.
+
+## License
+
+Same license as the parent Taplid workspace.

package/dist/mcp-output.js

@@ -3,7 +3,6 @@ export function buildMcpOutput(result, cfg) {
     if (!cfg.debug)
         return envelope;
     const debug = {
-        auditMode: 'artifact',
         latencyMs: result.latencyMs,
         bytesIn: result.bytesIn,
         httpStatus: result.httpStatus,

package/dist/server.js

@@ -9,7 +9,7 @@ import { handleTaplidAudit } from './tool.js';
 export function createServer() {
     const server = new McpServer({
         name: 'taplid-mcp',
-        version: '0.4.6',
+        version: '0.4.7',
     });
     server.registerTool(TOOL_NAME, {
         description: TOOL_DESCRIPTION,

package/dist/taplid-client.js

@@ -16,14 +16,13 @@ export async function postArtifactReview(req, cfg, deps = {}) {
     try {
         try {
             res = await Promise.race([
-                fetchImpl(`${cfg.baseUrl}/api/review`, {
+                fetchImpl(`${cfg.baseUrl}/review`, {
                     method: 'POST',
                     headers: {
                         'content-type': 'application/json',
                         authorization: `Bearer ${cfg.apiKey}`,
                     },
                     body: JSON.stringify({
-                        auditMode: 'artifact',
                         context: req.context,
                         prompt: req.prompt,
                         response: req.response,

package/dist/tool.js

@@ -32,7 +32,6 @@ export async function handleTaplidAudit(rawInput, deps = {}) {
             : null;
         logger.info({
             event: 'taplid_audit.ok',
-            auditMode: 'artifact',
             decision,
             trustScore,
             latencyMs: result.latencyMs,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@taplid/mcp",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "Local MCP (Model Context Protocol) server exposing Taplid artifact audit as a single tool for AI coding agents.",
   "keywords": [
     "taplid",
@@ -36,7 +36,7 @@
   ],
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "@taplid/contract": "0.4.6",
+    "@taplid/contract": "0.4.7",
     "pino": "^9.0.0",
     "zod": "^3.0.0"
   },