@tomsmart-ai/mcp-audit-claude-code 0.1.0

package/README.md

@@ -0,0 +1,85 @@
+# @tomsmart-ai/mcp-audit-claude-code
+
+> MCP server for auditing Claude Code configurations. Originally built for [AI Orchestration Audit-as-a-Service](https://smartflowproai.com/work-with-me) deliverables. Open-source under MIT.
+
+Drop this server into your own Claude Code setup and it gains three tools for self-auditing your `~/.claude/settings.json` + skills + hooks directories.
+
+## What it audits
+
+### audit_config_file
+
+Parses your Claude Code `settings.json` and flags:
+- **HIGH**: `bypassPermissions` defaultMode (security risk), hardcoded API keys leaked in config
+- **MED**: missing permissions block, empty allow lists
+- **LOW**: missing hooks block, no env vars set, excessive plugins enabled
+
+### audit_skills_dir
+
+Scans `~/.claude/skills/` and flags per-skill:
+- **MED**: missing SKILL.md, missing YAML frontmatter, missing description field
+- **LOW**: description shorter than 20 chars, body shorter than 100 chars
+
+### audit_hooks_dir
+
+Scans `~/.claude/hooks/` shell scripts and flags:
+- **HIGH**: hook not executable (`chmod +x` missing), leaked API keys in hook content
+- **MED**: missing `set -e` error handling in bash hooks
+- **LOW**: hardcoded `/Users/<name>/` paths (portability hit)
+
+## Install
+
+```bash
+npm install -g @tomsmart-ai/mcp-audit-claude-code
+```
+
+## Use with Claude Code
+
+Add to `~/.claude.json`:
+
+```json
+{
+  "mcpServers": {
+    "audit-claude-code": {
+      "command": "mcp-audit-claude-code"
+    }
+  }
+}
+```
+
+Restart Claude Code. Then ask:
+
+```
+Audit my Claude Code config at ~/.claude/settings.json
+```
+
+Claude calls `audit_config_file`, returns findings list with severity + fix hints.
+
+## Use case: AAA self-audit
+
+This server powers the AI Orchestration Audit-as-a-Service stack audits (Tier 1 $500 — Tier 3 $1,500). When you commission an audit, this MCP server runs against your stack first, then a human review applies cultural context and shipping pragmatism on top.
+
+If you want to skip the audit-as-a-service and run the same checks yourself, install this server and ask Claude to audit. The tools are the same; what you don't get is the cultural review layer + the implementation effort (audit-as-a-service includes one fix on Tier 2+).
+
+## Why open-source
+
+The audit logic itself is straightforward — read JSON, check patterns, return findings. Selling closed access to the tool would protect zero moat. The moat is the cultural-context review + the experience auditing many stacks + knowing which findings actually matter for which workflows.
+
+Open-source the tool, sell the judgment.
+
+## Roadmap
+
+- v0.1.0 (today, Wt 26.05.2026) — initial audit tools for config, skills, hooks
+- v0.2.0 — add `audit_memory_dir` for `~/.claude/projects/*/memory/` quality scan
+- v0.3.0 — add `audit_mcp_server_config` for inspecting MCP server registrations
+- v0.4.0 — add `recommend_hooks` returning suggested hook scaffolds for missing categories
+- v0.5.0 — cross-check `audit_config_file` against `audit_hooks_dir` (consistency: hooks referenced in config exist on disk)
+
+## License
+
+MIT
+
+## Author
+
+Tom Smart — [smartflowproai.com](https://smartflowproai.com) · [@TomSmart_ai](https://x.com/TomSmart_ai) · [github.com/smartflowproai-lang](https://github.com/smartflowproai-lang)
+
+Pair-built with Claude (Anthropic's coding agent). Tom scoped the tools, drafted findings categories, decided severity thresholds. Claude wrote the TypeScript. Tom reviewed each change and ran smoke tests before publish.

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * mcp-audit-claude-code v0.1.0
+ *
+ * MCP server exposing audit tools for Claude Code configurations.
+ * Primary use: AI Orchestration Audit-as-a-Service (AAA) deliverables.
+ * Secondary use: solo self-audit by anyone running Claude Code.
+ *
+ * Tools:
+ *   - audit_config_file(file_path)   — parses ~/.claude/settings.json, flags anti-patterns
+ *   - audit_skills_dir(dir_path)     — scans skill SKILL.md files for quality issues
+ *   - audit_hooks_dir(dir_path)      — checks hook scripts for safety + error handling
+ *
+ * Built Wt 26.05.2026 ~18:20 PL ja-side autonomous as Tom Smart's AAA primary new monetization project.
+ */
+export {};

package/dist/index.js

@@ -0,0 +1,368 @@
+#!/usr/bin/env node
+/**
+ * mcp-audit-claude-code v0.1.0
+ *
+ * MCP server exposing audit tools for Claude Code configurations.
+ * Primary use: AI Orchestration Audit-as-a-Service (AAA) deliverables.
+ * Secondary use: solo self-audit by anyone running Claude Code.
+ *
+ * Tools:
+ *   - audit_config_file(file_path)   — parses ~/.claude/settings.json, flags anti-patterns
+ *   - audit_skills_dir(dir_path)     — scans skill SKILL.md files for quality issues
+ *   - audit_hooks_dir(dir_path)      — checks hook scripts for safety + error handling
+ *
+ * Built Wt 26.05.2026 ~18:20 PL ja-side autonomous as Tom Smart's AAA primary new monetization project.
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import * as fs from "node:fs";
+import * as path from "node:path";
+const server = new Server({
+    name: "@tomsmart-ai/mcp-audit-claude-code",
+    version: "0.1.0",
+}, {
+    capabilities: {
+        tools: {},
+    },
+});
+function auditConfigFile(filePath) {
+    const findings = [];
+    if (!fs.existsSync(filePath)) {
+        return {
+            findings: [{ severity: "HIGH", category: "missing", message: `Config file not found at ${filePath}`, fix_hint: "Verify path; if Claude Code is installed, default location is ~/.claude/settings.json" }],
+            summary: "FAIL — config file not found",
+        };
+    }
+    let config;
+    try {
+        config = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    }
+    catch (e) {
+        return {
+            findings: [{ severity: "HIGH", category: "syntax", message: `JSON parse error: ${e.message}`, fix_hint: "Validate JSON syntax via `jq . settings.json`" }],
+            summary: "FAIL — syntax error",
+        };
+    }
+    // Check 1: permissions section structure
+    if (!config.permissions) {
+        findings.push({
+            severity: "MED",
+            category: "permissions",
+            message: "No permissions block. Claude Code will prompt on every tool call.",
+            fix_hint: "Add permissions section z allowlist of safe paths (Write/Edit) and tools (Bash command patterns).",
+        });
+    }
+    else if (config.permissions.defaultMode === "bypassPermissions") {
+        findings.push({
+            severity: "HIGH",
+            category: "security",
+            message: "defaultMode set to 'bypassPermissions' — Claude can execute arbitrary tools without confirmation.",
+            fix_hint: "Use 'acceptEdits' for most use cases. Reserve 'bypassPermissions' only for trusted automation contexts (CI, VPS overnight chains).",
+        });
+    }
+    // Check 2: hooks
+    if (!config.hooks || Object.keys(config.hooks).length === 0) {
+        findings.push({
+            severity: "LOW",
+            category: "hooks",
+            message: "No hooks configured. Missing opportunity for pre-prompt context injection / pre-tool-use safety / stop-hook gates.",
+            fix_hint: "Common hooks worth setting: UserPromptSubmit (memory grep / context injection), PreToolUse (audit / safety), PostToolUse (logging).",
+        });
+    }
+    // Check 3: env vars
+    if (!config.env) {
+        findings.push({
+            severity: "LOW",
+            category: "env",
+            message: "No env vars configured.",
+            fix_hint: "Consider setting CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING or other harness-level controls.",
+        });
+    }
+    // Check 4: hardcoded API keys
+    const configString = JSON.stringify(config);
+    const apiKeyPatterns = [
+        /sk_live_[a-zA-Z0-9_]{20,}/g,
+        /sk-ant-[a-zA-Z0-9_-]{20,}/g,
+        /sk-[a-zA-Z0-9_-]{20,}/g,
+        /AIza[a-zA-Z0-9_-]{30,}/g,
+        /ghp_[a-zA-Z0-9]{30,}/g,
+    ];
+    for (const pat of apiKeyPatterns) {
+        const m = configString.match(pat);
+        if (m) {
+            findings.push({
+                severity: "HIGH",
+                category: "secret_leak",
+                message: `Possible API key / token found in config: ${m[0].substring(0, 12)}…`,
+                fix_hint: "Move secrets to env vars OR external secret store (1Password CLI, age-encrypted file). Never commit raw secrets to settings.json.",
+            });
+        }
+    }
+    // Check 5: empty allow list
+    if (config.permissions?.allow && config.permissions.allow.length === 0) {
+        findings.push({
+            severity: "MED",
+            category: "permissions",
+            message: "permissions.allow is empty — every tool call will prompt.",
+            fix_hint: "Populate allow list z safe paths (e.g. Write(/path/to/safe-dir/**)) and Bash command patterns (e.g. Bash(ls *)).",
+        });
+    }
+    // Check 6: plugins enabled
+    if (config.enabledPlugins) {
+        const pluginCount = Object.keys(config.enabledPlugins).filter(k => config.enabledPlugins[k]).length;
+        if (pluginCount > 5) {
+            findings.push({
+                severity: "LOW",
+                category: "plugins",
+                message: `${pluginCount} plugins enabled. Each adds token overhead at startup.`,
+                fix_hint: "Disable unused plugins. Set value to false in enabledPlugins to keep config but skip load.",
+            });
+        }
+    }
+    const highCount = findings.filter(f => f.severity === "HIGH").length;
+    const medCount = findings.filter(f => f.severity === "MED").length;
+    const lowCount = findings.filter(f => f.severity === "LOW").length;
+    let summary;
+    if (highCount > 0)
+        summary = `BLOCK — ${highCount} HIGH, ${medCount} MED, ${lowCount} LOW`;
+    else if (medCount > 0)
+        summary = `WARN — ${medCount} MED, ${lowCount} LOW`;
+    else if (lowCount > 0)
+        summary = `POLISH — ${lowCount} LOW`;
+    else
+        summary = `PASS — no anti-patterns detected`;
+    return { findings, summary };
+}
+// =====================================================================
+// Tool: audit_skills_dir
+// =====================================================================
+function auditSkillsDir(dirPath) {
+    const findings = [];
+    if (!fs.existsSync(dirPath)) {
+        return {
+            findings: [{ severity: "HIGH", category: "missing", message: `Skills directory not found at ${dirPath}`, fix_hint: "Default Claude Code skills location is ~/.claude/skills/" }],
+            summary: "FAIL — skills dir not found",
+            skill_count: 0,
+        };
+    }
+    const skills = fs.readdirSync(dirPath).filter(name => {
+        const fullPath = path.join(dirPath, name);
+        return fs.statSync(fullPath).isDirectory();
+    });
+    if (skills.length === 0) {
+        findings.push({
+            severity: "LOW",
+            category: "empty",
+            message: "No skills installed.",
+            fix_hint: "Skills provide reusable workflows. Consider building skills for common multi-step tasks.",
+        });
+        return { findings, summary: "EMPTY — no skills", skill_count: 0 };
+    }
+    for (const skillName of skills) {
+        const skillDir = path.join(dirPath, skillName);
+        const skillMdPath = path.join(skillDir, "SKILL.md");
+        if (!fs.existsSync(skillMdPath)) {
+            findings.push({
+                severity: "MED",
+                category: "skill_structure",
+                message: `Skill '${skillName}' missing SKILL.md`,
+                fix_hint: "Every skill needs SKILL.md with frontmatter (name + description) and body instructions.",
+            });
+            continue;
+        }
+        const skillMd = fs.readFileSync(skillMdPath, "utf-8");
+        // Check frontmatter present
+        if (!skillMd.startsWith("---")) {
+            findings.push({
+                severity: "MED",
+                category: "skill_frontmatter",
+                message: `Skill '${skillName}' SKILL.md missing YAML frontmatter`,
+                fix_hint: "Add ---\\nname: skill-name\\ndescription: When to use\\n--- at top of SKILL.md",
+            });
+        }
+        // Check description quality
+        const descMatch = skillMd.match(/description:\s*(.+)/);
+        if (!descMatch) {
+            findings.push({
+                severity: "MED",
+                category: "skill_description",
+                message: `Skill '${skillName}' missing description field`,
+                fix_hint: "description field is what Claude uses to decide if skill matches user request. Be specific about when to invoke.",
+            });
+        }
+        else if (descMatch[1].trim().length < 20) {
+            findings.push({
+                severity: "LOW",
+                category: "skill_description",
+                message: `Skill '${skillName}' description is short (${descMatch[1].trim().length} chars)`,
+                fix_hint: "Aim for 50-150 chars in description. Include trigger keywords + use cases.",
+            });
+        }
+        // Check body length
+        const bodyAfterFrontmatter = skillMd.replace(/^---[\s\S]*?---\n/, "").trim();
+        if (bodyAfterFrontmatter.length < 100) {
+            findings.push({
+                severity: "MED",
+                category: "skill_body",
+                message: `Skill '${skillName}' body very short (${bodyAfterFrontmatter.length} chars)`,
+                fix_hint: "Skill body should provide step-by-step instructions Claude follows. Short skills often miss edge cases.",
+            });
+        }
+    }
+    const summary = findings.length === 0
+        ? `PASS — ${skills.length} skills, no anti-patterns`
+        : `${findings.filter(f => f.severity === "HIGH").length} HIGH / ${findings.filter(f => f.severity === "MED").length} MED / ${findings.filter(f => f.severity === "LOW").length} LOW across ${skills.length} skills`;
+    return { findings, summary, skill_count: skills.length };
+}
+// =====================================================================
+// Tool: audit_hooks_dir
+// =====================================================================
+function auditHooksDir(dirPath) {
+    const findings = [];
+    if (!fs.existsSync(dirPath)) {
+        return {
+            findings: [{ severity: "LOW", category: "missing", message: `Hooks directory not found at ${dirPath}`, fix_hint: "Default Claude Code hooks location is ~/.claude/hooks/" }],
+            summary: "EMPTY — no hooks dir",
+            hook_count: 0,
+        };
+    }
+    const hookFiles = fs.readdirSync(dirPath).filter(name => name.endsWith(".sh") || name.endsWith(".py") || name.endsWith(".js"));
+    if (hookFiles.length === 0) {
+        return { findings: [{ severity: "LOW", category: "empty", message: "No hook scripts found.", fix_hint: "Consider hooks for UserPromptSubmit (context injection), PreToolUse (audit), PostToolUse (logging)." }], summary: "EMPTY — no hooks", hook_count: 0 };
+    }
+    for (const hookFile of hookFiles) {
+        const fullPath = path.join(dirPath, hookFile);
+        const content = fs.readFileSync(fullPath, "utf-8");
+        const stats = fs.statSync(fullPath);
+        // Check executable bit (owner OR group OR world executable)
+        if (!(stats.mode & 0o111)) {
+            findings.push({
+                severity: "HIGH",
+                category: "permissions",
+                message: `Hook '${hookFile}' is not executable. Claude Code will NOT invoke it.`,
+                fix_hint: `Run: chmod +x ${fullPath}`,
+            });
+        }
+        // Check error handling for bash hooks
+        if (hookFile.endsWith(".sh")) {
+            if (!content.includes("set -e") && !content.includes("set -euo")) {
+                findings.push({
+                    severity: "MED",
+                    category: "error_handling",
+                    message: `Hook '${hookFile}' missing 'set -e' or 'set -euo pipefail'`,
+                    fix_hint: "Add 'set -euo pipefail' at top of bash hook to fail-fast on errors instead of silent corruption.",
+                });
+            }
+        }
+        // Check for hardcoded paths to current user
+        const userMatches = content.match(/\/Users\/[a-zA-Z0-9_-]+/g);
+        if (userMatches) {
+            findings.push({
+                severity: "LOW",
+                category: "portability",
+                message: `Hook '${hookFile}' has hardcoded user path (e.g. ${userMatches[0]})`,
+                fix_hint: "Use $HOME or ~/ instead of /Users/<name>/ for portability across machines.",
+            });
+        }
+        // Check for credentials in hook
+        const apiKeyPatterns = [/sk_live_[a-zA-Z0-9_]{20,}/, /sk-[a-zA-Z0-9_-]{20,}/];
+        for (const pat of apiKeyPatterns) {
+            if (content.match(pat)) {
+                findings.push({
+                    severity: "HIGH",
+                    category: "secret_leak",
+                    message: `Hook '${hookFile}' contains hardcoded API key.`,
+                    fix_hint: "Move secrets to env vars OR external secret store. Read via $VAR_NAME at hook runtime.",
+                });
+            }
+        }
+    }
+    const summary = findings.length === 0
+        ? `PASS — ${hookFiles.length} hooks, no anti-patterns`
+        : `${findings.filter(f => f.severity === "HIGH").length} HIGH / ${findings.filter(f => f.severity === "MED").length} MED / ${findings.filter(f => f.severity === "LOW").length} LOW across ${hookFiles.length} hooks`;
+    return { findings, summary, hook_count: hookFiles.length };
+}
+// =====================================================================
+// MCP server wiring
+// =====================================================================
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+        {
+            name: "audit_config_file",
+            description: "Audit a Claude Code settings.json configuration file for anti-patterns: missing permissions, bypassPermissions risk, hardcoded API keys, empty allow lists, excessive plugins. Returns findings with severity HIGH/MED/LOW and fix hints.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    file_path: {
+                        type: "string",
+                        description: "Absolute path to Claude Code settings.json (typical: ~/.claude/settings.json)",
+                    },
+                },
+                required: ["file_path"],
+            },
+        },
+        {
+            name: "audit_skills_dir",
+            description: "Audit a Claude Code skills directory for quality issues: missing SKILL.md, missing frontmatter, short descriptions, sparse body content. Returns findings + skill count.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    dir_path: {
+                        type: "string",
+                        description: "Absolute path to Claude Code skills directory (typical: ~/.claude/skills/)",
+                    },
+                },
+                required: ["dir_path"],
+            },
+        },
+        {
+            name: "audit_hooks_dir",
+            description: "Audit a Claude Code hooks directory: missing executable bit, missing 'set -e' error handling, hardcoded user paths, leaked credentials in hook scripts. Returns findings + hook count.",
+            inputSchema: {
+                type: "object",
+                properties: {
+                    dir_path: {
+                        type: "string",
+                        description: "Absolute path to Claude Code hooks directory (typical: ~/.claude/hooks/)",
+                    },
+                },
+                required: ["dir_path"],
+            },
+        },
+    ],
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    let result;
+    if (name === "audit_config_file") {
+        result = auditConfigFile(args.file_path);
+    }
+    else if (name === "audit_skills_dir") {
+        result = auditSkillsDir(args.dir_path);
+    }
+    else if (name === "audit_hooks_dir") {
+        result = auditHooksDir(args.dir_path);
+    }
+    else {
+        throw new Error(`Unknown tool: ${name}`);
+    }
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify(result, null, 2),
+            },
+        ],
+    };
+});
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error("mcp-audit-claude-code v0.1.0 listening on stdio");
+}
+main().catch((err) => {
+    console.error("Fatal error:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,oCAAoC;IAC1C,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAaF,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,4BAA4B,QAAQ,EAAE,EAAE,QAAQ,EAAE,uFAAuF,EAAE,CAAC;YACzM,OAAO,EAAE,8BAA8B;SACxC,CAAC;IACJ,CAAC;IAED,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,qBAAsB,CAAW,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,+CAA+C,EAAE,CAAC;YACrK,OAAO,EAAE,qBAAqB;SAC/B,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,aAAa;YACvB,OAAO,EAAE,mEAAmE;YAC5E,QAAQ,EAAE,mGAAmG;SAC9G,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,MAAM,CAAC,WAAW,CAAC,WAAW,KAAK,mBAAmB,EAAE,CAAC;QAClE,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,mGAAmG;YAC5G,QAAQ,EAAE,oIAAoI;SAC/I,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,oHAAoH;YAC7H,QAAQ,EAAE,qIAAqI;SAChJ,CAAC,CAAC;IACL,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,yBAAyB;YAClC,QAAQ,EAAE,yFAAyF;SACpG,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG;QACrB,4BAA4B;QAC5B,4BAA4B;QAC5B,wBAAwB;QACxB,yBAAyB;QACzB,uBAAuB;KACxB,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,EAAE,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,aAAa;gBACvB,OAAO,EAAE,6CAA6C,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;gBAC9E,QAAQ,EAAE,mIAAmI;aAC9I,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,aAAa;YACvB,OAAO,EAAE,2DAA2D;YACpE,QAAQ,EAAE,kHAAkH;SAC7H,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAC3B,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC1B,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACpG,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,GAAG,WAAW,wDAAwD;gBAC/E,QAAQ,EAAE,4FAA4F;aACvG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACrE,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IAEnE,IAAI,OAAe,CAAC;IACpB,IAAI,SAAS,GAAG,CAAC;QAAE,OAAO,GAAG,WAAW,SAAS,UAAU,QAAQ,SAAS,QAAQ,MAAM,CAAC;SACtF,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,GAAG,UAAU,QAAQ,SAAS,QAAQ,MAAM,CAAC;SACtE,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,GAAG,YAAY,QAAQ,MAAM,CAAC;;QACvD,OAAO,GAAG,kCAAkC,CAAC;IAElD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED,wEAAwE;AACxE,yBAAyB;AACzB,wEAAwE;AAExE,SAAS,cAAc,CAAC,OAAe;IACrC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,iCAAiC,OAAO,EAAE,EAAE,QAAQ,EAAE,0DAA0D,EAAE,CAAC;YAChL,OAAO,EAAE,6BAA6B;YACtC,WAAW,EAAE,CAAC;SACf,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC1C,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,sBAAsB;YAC/B,QAAQ,EAAE,0FAA0F;SACrG,CAAC,CAAC;QACH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;IACpE,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAEpD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE,UAAU,SAAS,oBAAoB;gBAChD,QAAQ,EAAE,yFAAyF;aACpG,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAEtD,4BAA4B;QAC5B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,mBAAmB;gBAC7B,OAAO,EAAE,UAAU,SAAS,qCAAqC;gBACjE,QAAQ,EAAE,gFAAgF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACvD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,mBAAmB;gBAC7B,OAAO,EAAE,UAAU,SAAS,6BAA6B;gBACzD,QAAQ,EAAE,kHAAkH;aAC7H,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,mBAAmB;gBAC7B,OAAO,EAAE,UAAU,SAAS,2BAA2B,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,SAAS;gBAC1F,QAAQ,EAAE,4EAA4E;aACvF,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,MAAM,oBAAoB,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7E,IAAI,oBAAoB,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACtC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,UAAU,SAAS,sBAAsB,oBAAoB,CAAC,MAAM,SAAS;gBACtF,QAAQ,EAAE,yGAAyG;aACpH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC;QACnC,CAAC,CAAC,UAAU,MAAM,CAAC,MAAM,2BAA2B;QACpD,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,WAAW,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,UAAU,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,eAAe,MAAM,CAAC,MAAM,SAAS,CAAC;IAEtN,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;AAC3D,CAAC;AAED,wEAAwE;AACxE,wBAAwB;AACxB,wEAAwE;AAExE,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gCAAgC,OAAO,EAAE,EAAE,QAAQ,EAAE,wDAAwD,EAAE,CAAC;YAC5K,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,CAAC;SACd,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAE/H,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,wBAAwB,EAAE,QAAQ,EAAE,qGAAqG,EAAE,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IAChQ,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEpC,4DAA4D;QAC5D,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,aAAa;gBACvB,OAAO,EAAE,SAAS,QAAQ,sDAAsD;gBAChF,QAAQ,EAAE,iBAAiB,QAAQ,EAAE;aACtC,CAAC,CAAC;QACL,CAAC;QAED,sCAAsC;QACtC,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBACjE,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,gBAAgB;oBAC1B,OAAO,EAAE,SAAS,QAAQ,2CAA2C;oBACrE,QAAQ,EAAE,kGAAkG;iBAC7G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9D,IAAI,WAAW,EAAE,CAAC;YAChB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,aAAa;gBACvB,OAAO,EAAE,SAAS,QAAQ,mCAAmC,WAAW,CAAC,CAAC,CAAC,GAAG;gBAC9E,QAAQ,EAAE,4EAA4E;aACvF,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,CAAC,2BAA2B,EAAE,uBAAuB,CAAC,CAAC;QAC9E,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,aAAa;oBACvB,OAAO,EAAE,SAAS,QAAQ,+BAA+B;oBACzD,QAAQ,EAAE,wFAAwF;iBACnG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC;QACnC,CAAC,CAAC,UAAU,SAAS,CAAC,MAAM,0BAA0B;QACtD,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,WAAW,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,UAAU,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,eAAe,SAAS,CAAC,MAAM,QAAQ,CAAC;IAExN,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC;AAC7D,CAAC;AAED,wEAAwE;AACxE,oBAAoB;AACpB,wEAAwE;AAExE,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK,EAAE;QACL;YACE,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,2OAA2O;YACxP,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,SAAS,EAAE;wBACT,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,+EAA+E;qBAC7F;iBACF;gBACD,QAAQ,EAAE,CAAC,WAAW,CAAC;aACxB;SACF;QACD;YACE,IAAI,EAAE,kBAAkB;YACxB,WAAW,EAAE,0KAA0K;YACvL,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,4EAA4E;qBAC1F;iBACF;gBACD,QAAQ,EAAE,CAAC,UAAU,CAAC;aACvB;SACF;QACD;YACE,IAAI,EAAE,iBAAiB;YACvB,WAAW,EAAE,wLAAwL;YACrM,WAAW,EAAE;gBACX,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,WAAW,EAAE,0EAA0E;qBACxF;iBACF;gBACD,QAAQ,EAAE,CAAC,UAAU,CAAC;aACvB;SACF;KACF;CACF,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAEjD,IAAI,MAAW,CAAC;IAChB,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACjC,MAAM,GAAG,eAAe,CAAC,IAAK,CAAC,SAAmB,CAAC,CAAC;IACtD,CAAC;SAAM,IAAI,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACvC,MAAM,GAAG,cAAc,CAAC,IAAK,CAAC,QAAkB,CAAC,CAAC;IACpD,CAAC;SAAM,IAAI,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACtC,MAAM,GAAG,aAAa,CAAC,IAAK,CAAC,QAAkB,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO;QACL,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;aACtC;SACF;KACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACnE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@tomsmart-ai/mcp-audit-claude-code",
+  "version": "0.1.0",
+  "description": "MCP server for auditing Claude Code configurations (~/.claude.json + skills + hooks). Used internally for AI Orchestration Audit-as-a-Service deliverables, also usable standalone for self-audit.",
+  "main": "dist/index.js",
+  "type": "module",
+  "bin": {
+    "mcp-audit-claude-code": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "tsx src/index.ts",
+    "test": "node test/smoke.js"
+  },
+  "keywords": [
+    "mcp",
+    "claude-code",
+    "audit",
+    "ai-orchestration",
+    "smartflow"
+  ],
+  "author": "Tom Smart <info@smartflowproai.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/smartflowproai-lang/mcp-audit-claude-code"
+  },
+  "homepage": "https://smartflowproai.com/work-with-me",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.0",
+    "tsx": "^4.0.0",
+    "@types/node": "^20.0.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/index.ts

@@ -0,0 +1,420 @@
+#!/usr/bin/env node
+/**
+ * mcp-audit-claude-code v0.1.0
+ *
+ * MCP server exposing audit tools for Claude Code configurations.
+ * Primary use: AI Orchestration Audit-as-a-Service (AAA) deliverables.
+ * Secondary use: solo self-audit by anyone running Claude Code.
+ *
+ * Tools:
+ *   - audit_config_file(file_path)   — parses ~/.claude/settings.json, flags anti-patterns
+ *   - audit_skills_dir(dir_path)     — scans skill SKILL.md files for quality issues
+ *   - audit_hooks_dir(dir_path)      — checks hook scripts for safety + error handling
+ *
+ * Built Wt 26.05.2026 ~18:20 PL ja-side autonomous as Tom Smart's AAA primary new monetization project.
+ */
+
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+import * as fs from "node:fs";
+import * as path from "node:path";
+
+const server = new Server(
+  {
+    name: "@tomsmart-ai/mcp-audit-claude-code",
+    version: "0.1.0",
+  },
+  {
+    capabilities: {
+      tools: {},
+    },
+  }
+);
+
+// =====================================================================
+// Tool: audit_config_file
+// =====================================================================
+
+interface ConfigFinding {
+  severity: "HIGH" | "MED" | "LOW";
+  category: string;
+  message: string;
+  fix_hint: string;
+}
+
+function auditConfigFile(filePath: string): { findings: ConfigFinding[]; summary: string } {
+  const findings: ConfigFinding[] = [];
+
+  if (!fs.existsSync(filePath)) {
+    return {
+      findings: [{ severity: "HIGH", category: "missing", message: `Config file not found at ${filePath}`, fix_hint: "Verify path; if Claude Code is installed, default location is ~/.claude/settings.json" }],
+      summary: "FAIL — config file not found",
+    };
+  }
+
+  let config: any;
+  try {
+    config = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch (e) {
+    return {
+      findings: [{ severity: "HIGH", category: "syntax", message: `JSON parse error: ${(e as Error).message}`, fix_hint: "Validate JSON syntax via `jq . settings.json`" }],
+      summary: "FAIL — syntax error",
+    };
+  }
+
+  // Check 1: permissions section structure
+  if (!config.permissions) {
+    findings.push({
+      severity: "MED",
+      category: "permissions",
+      message: "No permissions block. Claude Code will prompt on every tool call.",
+      fix_hint: "Add permissions section z allowlist of safe paths (Write/Edit) and tools (Bash command patterns).",
+    });
+  } else if (config.permissions.defaultMode === "bypassPermissions") {
+    findings.push({
+      severity: "HIGH",
+      category: "security",
+      message: "defaultMode set to 'bypassPermissions' — Claude can execute arbitrary tools without confirmation.",
+      fix_hint: "Use 'acceptEdits' for most use cases. Reserve 'bypassPermissions' only for trusted automation contexts (CI, VPS overnight chains).",
+    });
+  }
+
+  // Check 2: hooks
+  if (!config.hooks || Object.keys(config.hooks).length === 0) {
+    findings.push({
+      severity: "LOW",
+      category: "hooks",
+      message: "No hooks configured. Missing opportunity for pre-prompt context injection / pre-tool-use safety / stop-hook gates.",
+      fix_hint: "Common hooks worth setting: UserPromptSubmit (memory grep / context injection), PreToolUse (audit / safety), PostToolUse (logging).",
+    });
+  }
+
+  // Check 3: env vars
+  if (!config.env) {
+    findings.push({
+      severity: "LOW",
+      category: "env",
+      message: "No env vars configured.",
+      fix_hint: "Consider setting CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING or other harness-level controls.",
+    });
+  }
+
+  // Check 4: hardcoded API keys
+  const configString = JSON.stringify(config);
+  const apiKeyPatterns = [
+    /sk_live_[a-zA-Z0-9_]{20,}/g,
+    /sk-ant-[a-zA-Z0-9_-]{20,}/g,
+    /sk-[a-zA-Z0-9_-]{20,}/g,
+    /AIza[a-zA-Z0-9_-]{30,}/g,
+    /ghp_[a-zA-Z0-9]{30,}/g,
+  ];
+  for (const pat of apiKeyPatterns) {
+    const m = configString.match(pat);
+    if (m) {
+      findings.push({
+        severity: "HIGH",
+        category: "secret_leak",
+        message: `Possible API key / token found in config: ${m[0].substring(0, 12)}…`,
+        fix_hint: "Move secrets to env vars OR external secret store (1Password CLI, age-encrypted file). Never commit raw secrets to settings.json.",
+      });
+    }
+  }
+
+  // Check 5: empty allow list
+  if (config.permissions?.allow && config.permissions.allow.length === 0) {
+    findings.push({
+      severity: "MED",
+      category: "permissions",
+      message: "permissions.allow is empty — every tool call will prompt.",
+      fix_hint: "Populate allow list z safe paths (e.g. Write(/path/to/safe-dir/**)) and Bash command patterns (e.g. Bash(ls *)).",
+    });
+  }
+
+  // Check 6: plugins enabled
+  if (config.enabledPlugins) {
+    const pluginCount = Object.keys(config.enabledPlugins).filter(k => config.enabledPlugins[k]).length;
+    if (pluginCount > 5) {
+      findings.push({
+        severity: "LOW",
+        category: "plugins",
+        message: `${pluginCount} plugins enabled. Each adds token overhead at startup.`,
+        fix_hint: "Disable unused plugins. Set value to false in enabledPlugins to keep config but skip load.",
+      });
+    }
+  }
+
+  const highCount = findings.filter(f => f.severity === "HIGH").length;
+  const medCount = findings.filter(f => f.severity === "MED").length;
+  const lowCount = findings.filter(f => f.severity === "LOW").length;
+
+  let summary: string;
+  if (highCount > 0) summary = `BLOCK — ${highCount} HIGH, ${medCount} MED, ${lowCount} LOW`;
+  else if (medCount > 0) summary = `WARN — ${medCount} MED, ${lowCount} LOW`;
+  else if (lowCount > 0) summary = `POLISH — ${lowCount} LOW`;
+  else summary = `PASS — no anti-patterns detected`;
+
+  return { findings, summary };
+}
+
+// =====================================================================
+// Tool: audit_skills_dir
+// =====================================================================
+
+function auditSkillsDir(dirPath: string): { findings: ConfigFinding[]; summary: string; skill_count: number } {
+  const findings: ConfigFinding[] = [];
+
+  if (!fs.existsSync(dirPath)) {
+    return {
+      findings: [{ severity: "HIGH", category: "missing", message: `Skills directory not found at ${dirPath}`, fix_hint: "Default Claude Code skills location is ~/.claude/skills/" }],
+      summary: "FAIL — skills dir not found",
+      skill_count: 0,
+    };
+  }
+
+  const skills = fs.readdirSync(dirPath).filter(name => {
+    const fullPath = path.join(dirPath, name);
+    return fs.statSync(fullPath).isDirectory();
+  });
+
+  if (skills.length === 0) {
+    findings.push({
+      severity: "LOW",
+      category: "empty",
+      message: "No skills installed.",
+      fix_hint: "Skills provide reusable workflows. Consider building skills for common multi-step tasks.",
+    });
+    return { findings, summary: "EMPTY — no skills", skill_count: 0 };
+  }
+
+  for (const skillName of skills) {
+    const skillDir = path.join(dirPath, skillName);
+    const skillMdPath = path.join(skillDir, "SKILL.md");
+
+    if (!fs.existsSync(skillMdPath)) {
+      findings.push({
+        severity: "MED",
+        category: "skill_structure",
+        message: `Skill '${skillName}' missing SKILL.md`,
+        fix_hint: "Every skill needs SKILL.md with frontmatter (name + description) and body instructions.",
+      });
+      continue;
+    }
+
+    const skillMd = fs.readFileSync(skillMdPath, "utf-8");
+
+    // Check frontmatter present
+    if (!skillMd.startsWith("---")) {
+      findings.push({
+        severity: "MED",
+        category: "skill_frontmatter",
+        message: `Skill '${skillName}' SKILL.md missing YAML frontmatter`,
+        fix_hint: "Add ---\\nname: skill-name\\ndescription: When to use\\n--- at top of SKILL.md",
+      });
+    }
+
+    // Check description quality
+    const descMatch = skillMd.match(/description:\s*(.+)/);
+    if (!descMatch) {
+      findings.push({
+        severity: "MED",
+        category: "skill_description",
+        message: `Skill '${skillName}' missing description field`,
+        fix_hint: "description field is what Claude uses to decide if skill matches user request. Be specific about when to invoke.",
+      });
+    } else if (descMatch[1].trim().length < 20) {
+      findings.push({
+        severity: "LOW",
+        category: "skill_description",
+        message: `Skill '${skillName}' description is short (${descMatch[1].trim().length} chars)`,
+        fix_hint: "Aim for 50-150 chars in description. Include trigger keywords + use cases.",
+      });
+    }
+
+    // Check body length
+    const bodyAfterFrontmatter = skillMd.replace(/^---[\s\S]*?---\n/, "").trim();
+    if (bodyAfterFrontmatter.length < 100) {
+      findings.push({
+        severity: "MED",
+        category: "skill_body",
+        message: `Skill '${skillName}' body very short (${bodyAfterFrontmatter.length} chars)`,
+        fix_hint: "Skill body should provide step-by-step instructions Claude follows. Short skills often miss edge cases.",
+      });
+    }
+  }
+
+  const summary = findings.length === 0
+    ? `PASS — ${skills.length} skills, no anti-patterns`
+    : `${findings.filter(f => f.severity === "HIGH").length} HIGH / ${findings.filter(f => f.severity === "MED").length} MED / ${findings.filter(f => f.severity === "LOW").length} LOW across ${skills.length} skills`;
+
+  return { findings, summary, skill_count: skills.length };
+}
+
+// =====================================================================
+// Tool: audit_hooks_dir
+// =====================================================================
+
+function auditHooksDir(dirPath: string): { findings: ConfigFinding[]; summary: string; hook_count: number } {
+  const findings: ConfigFinding[] = [];
+
+  if (!fs.existsSync(dirPath)) {
+    return {
+      findings: [{ severity: "LOW", category: "missing", message: `Hooks directory not found at ${dirPath}`, fix_hint: "Default Claude Code hooks location is ~/.claude/hooks/" }],
+      summary: "EMPTY — no hooks dir",
+      hook_count: 0,
+    };
+  }
+
+  const hookFiles = fs.readdirSync(dirPath).filter(name => name.endsWith(".sh") || name.endsWith(".py") || name.endsWith(".js"));
+
+  if (hookFiles.length === 0) {
+    return { findings: [{ severity: "LOW", category: "empty", message: "No hook scripts found.", fix_hint: "Consider hooks for UserPromptSubmit (context injection), PreToolUse (audit), PostToolUse (logging)." }], summary: "EMPTY — no hooks", hook_count: 0 };
+  }
+
+  for (const hookFile of hookFiles) {
+    const fullPath = path.join(dirPath, hookFile);
+    const content = fs.readFileSync(fullPath, "utf-8");
+    const stats = fs.statSync(fullPath);
+
+    // Check executable bit (owner OR group OR world executable)
+    if (!(stats.mode & 0o111)) {
+      findings.push({
+        severity: "HIGH",
+        category: "permissions",
+        message: `Hook '${hookFile}' is not executable. Claude Code will NOT invoke it.`,
+        fix_hint: `Run: chmod +x ${fullPath}`,
+      });
+    }
+
+    // Check error handling for bash hooks
+    if (hookFile.endsWith(".sh")) {
+      if (!content.includes("set -e") && !content.includes("set -euo")) {
+        findings.push({
+          severity: "MED",
+          category: "error_handling",
+          message: `Hook '${hookFile}' missing 'set -e' or 'set -euo pipefail'`,
+          fix_hint: "Add 'set -euo pipefail' at top of bash hook to fail-fast on errors instead of silent corruption.",
+        });
+      }
+    }
+
+    // Check for hardcoded paths to current user
+    const userMatches = content.match(/\/Users\/[a-zA-Z0-9_-]+/g);
+    if (userMatches) {
+      findings.push({
+        severity: "LOW",
+        category: "portability",
+        message: `Hook '${hookFile}' has hardcoded user path (e.g. ${userMatches[0]})`,
+        fix_hint: "Use $HOME or ~/ instead of /Users/<name>/ for portability across machines.",
+      });
+    }
+
+    // Check for credentials in hook
+    const apiKeyPatterns = [/sk_live_[a-zA-Z0-9_]{20,}/, /sk-[a-zA-Z0-9_-]{20,}/];
+    for (const pat of apiKeyPatterns) {
+      if (content.match(pat)) {
+        findings.push({
+          severity: "HIGH",
+          category: "secret_leak",
+          message: `Hook '${hookFile}' contains hardcoded API key.`,
+          fix_hint: "Move secrets to env vars OR external secret store. Read via $VAR_NAME at hook runtime.",
+        });
+      }
+    }
+  }
+
+  const summary = findings.length === 0
+    ? `PASS — ${hookFiles.length} hooks, no anti-patterns`
+    : `${findings.filter(f => f.severity === "HIGH").length} HIGH / ${findings.filter(f => f.severity === "MED").length} MED / ${findings.filter(f => f.severity === "LOW").length} LOW across ${hookFiles.length} hooks`;
+
+  return { findings, summary, hook_count: hookFiles.length };
+}
+
+// =====================================================================
+// MCP server wiring
+// =====================================================================
+
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools: [
+    {
+      name: "audit_config_file",
+      description: "Audit a Claude Code settings.json configuration file for anti-patterns: missing permissions, bypassPermissions risk, hardcoded API keys, empty allow lists, excessive plugins. Returns findings with severity HIGH/MED/LOW and fix hints.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          file_path: {
+            type: "string",
+            description: "Absolute path to Claude Code settings.json (typical: ~/.claude/settings.json)",
+          },
+        },
+        required: ["file_path"],
+      },
+    },
+    {
+      name: "audit_skills_dir",
+      description: "Audit a Claude Code skills directory for quality issues: missing SKILL.md, missing frontmatter, short descriptions, sparse body content. Returns findings + skill count.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          dir_path: {
+            type: "string",
+            description: "Absolute path to Claude Code skills directory (typical: ~/.claude/skills/)",
+          },
+        },
+        required: ["dir_path"],
+      },
+    },
+    {
+      name: "audit_hooks_dir",
+      description: "Audit a Claude Code hooks directory: missing executable bit, missing 'set -e' error handling, hardcoded user paths, leaked credentials in hook scripts. Returns findings + hook count.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          dir_path: {
+            type: "string",
+            description: "Absolute path to Claude Code hooks directory (typical: ~/.claude/hooks/)",
+          },
+        },
+        required: ["dir_path"],
+      },
+    },
+  ],
+}));
+
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  const { name, arguments: args } = request.params;
+
+  let result: any;
+  if (name === "audit_config_file") {
+    result = auditConfigFile(args!.file_path as string);
+  } else if (name === "audit_skills_dir") {
+    result = auditSkillsDir(args!.dir_path as string);
+  } else if (name === "audit_hooks_dir") {
+    result = auditHooksDir(args!.dir_path as string);
+  } else {
+    throw new Error(`Unknown tool: ${name}`);
+  }
+
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(result, null, 2),
+      },
+    ],
+  };
+});
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error("mcp-audit-claude-code v0.1.0 listening on stdio");
+}
+
+main().catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});

package/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ES2020",
+    "moduleResolution": "node",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}