@turbopentest/mcp-server 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 IntegSec Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,106 @@
+# @turbopentest/mcp-server
+
+MCP server for [TurboPentest](https://turbopentest.com) — run AI-powered penetration tests and review findings from your coding assistant.
+
+## Setup
+
+### 1. Get your API key
+
+Create an API key at [turbopentest.com/settings/api-keys](https://turbopentest.com/settings/api-keys).
+
+### 2. Add to your MCP client
+
+**Claude Desktop** (`claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "turbopentest": {
+      "command": "npx",
+      "args": ["@turbopentest/mcp-server"],
+      "env": {
+        "TURBOPENTEST_API_KEY": "tp_live_..."
+      }
+    }
+  }
+}
+```
+
+**Claude Code** (`.mcp.json` in your project root):
+
+```json
+{
+  "mcpServers": {
+    "turbopentest": {
+      "command": "npx",
+      "args": ["@turbopentest/mcp-server"],
+      "env": {
+        "TURBOPENTEST_API_KEY": "tp_live_..."
+      }
+    }
+  }
+}
+```
+
+**Cursor** (Settings > MCP Servers > Add):
+
+```json
+{
+  "command": "npx",
+  "args": ["@turbopentest/mcp-server"],
+  "env": {
+    "TURBOPENTEST_API_KEY": "tp_live_..."
+  }
+}
+```
+
+## Tools
+
+| Tool                 | Description                                                                                                                           |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+| `start_pentest`      | Launch a pentest against a verified domain. Supports recon/standard/deep/blitz tiers and optional GitHub repo for white-box scanning. |
+| `get_pentest`        | Get full scan details: status, progress, findings summary, executive summary, attack surface map, STRIDE threat model.                |
+| `list_pentests`      | List all your pentests with status and finding counts. Filter by status, limit results.                                               |
+| `get_findings`       | Get structured vulnerability findings with severity, CVSS, CWE, PoC, remediation, and retest commands. Filter by severity.            |
+| `download_report`    | Download a pentest report as markdown (best for AI), JSON, or PDF.                                                                    |
+| `get_credits`        | Check your credit balance and available scan tiers with pricing.                                                                      |
+| `verify_attestation` | Verify a blockchain-anchored pentest attestation by hash (public, no API key required).                                               |
+| `list_domains`       | List your verified domains and their verification status.                                                                             |
+
+## Scan Tiers
+
+| Tier     | Agents | Duration | Price |
+| -------- | ------ | -------- | ----- |
+| Recon    | 1      | 30 min   | $49   |
+| Standard | 4      | 1 hour   | $99   |
+| Deep     | 10     | 2 hours  | $299  |
+| Blitz    | 20     | 4 hours  | $699  |
+
+## Example
+
+```
+You:    "Run a pentest on staging.example.com"
+Claude: Calls start_pentest → "Started pentest tp_abc123, 4 agents, ~1 hour"
+
+You:    "How's it going?"
+Claude: Calls get_pentest → "60% complete, 3 findings so far (1 high, 2 medium)"
+
+You:    "Show me the high severity findings"
+Claude: Calls get_findings(severity: "high") → Shows SQL injection details with PoC and remediation
+```
+
+## Configuration
+
+| Environment Variable   | Description                          | Default                        |
+| ---------------------- | ------------------------------------ | ------------------------------ |
+| `TURBOPENTEST_API_KEY` | Your TurboPentest API key (required) | —                              |
+| `TURBOPENTEST_API_URL` | Custom API base URL (for testing)    | `https://turbopentest.com/api` |
+
+## Requirements
+
+- Node.js 18+
+- A [TurboPentest](https://turbopentest.com) account with API access
+
+## License
+
+MIT

package/dist/client.d.ts

@@ -0,0 +1,24 @@
+import type { Scan, ScanSummary, CreditBalance, CreditTiersResponse, Attestation, Domain, MultiDomainResponse } from "./types.js";
+export declare class ApiError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}
+export declare class TurboPentestClient {
+    private baseUrl;
+    private apiKey;
+    constructor(apiKey: string, baseUrl?: string);
+    private request;
+    private requestText;
+    startPentest(params: {
+        targetUrl: string;
+        repoUrl?: string;
+        tier?: string;
+    }): Promise<Scan | MultiDomainResponse>;
+    getPentest(id: string): Promise<Scan>;
+    listPentests(): Promise<ScanSummary[]>;
+    getReport(id: string, format: string): Promise<string | Record<string, unknown>>;
+    getCreditBalance(): Promise<CreditBalance>;
+    getCreditTiers(): Promise<CreditTiersResponse>;
+    getAttestation(hash: string): Promise<Attestation>;
+    listDomains(): Promise<Domain[]>;
+}

package/dist/client.js

@@ -0,0 +1,95 @@
+export class ApiError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+        this.name = "ApiError";
+    }
+}
+export class TurboPentestClient {
+    baseUrl;
+    apiKey;
+    constructor(apiKey, baseUrl) {
+        this.apiKey = apiKey;
+        this.baseUrl = (baseUrl || "https://turbopentest.com/api").replace(/\/$/, "");
+    }
+    async request(path, options = {}) {
+        const url = `${this.baseUrl}${path}`;
+        const headers = {
+            "Content-Type": "application/json",
+            ...options.headers,
+        };
+        if (this.apiKey) {
+            headers["Authorization"] = `Bearer ${this.apiKey}`;
+        }
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 30_000);
+        try {
+            const response = await fetch(url, {
+                ...options,
+                headers,
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                const body = await response.json().catch(() => ({}));
+                const message = body.error || `API request failed with status ${response.status}`;
+                throw new ApiError(response.status, message);
+            }
+            return (await response.json());
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    async requestText(path) {
+        const url = `${this.baseUrl}${path}`;
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 30_000);
+        try {
+            const response = await fetch(url, {
+                headers: { Authorization: `Bearer ${this.apiKey}` },
+                signal: controller.signal,
+            });
+            if (!response.ok) {
+                const body = await response.text().catch(() => "");
+                throw new ApiError(response.status, body || `API request failed with status ${response.status}`);
+            }
+            return await response.text();
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    async startPentest(params) {
+        return this.request("/pentests", {
+            method: "POST",
+            body: JSON.stringify(params),
+        });
+    }
+    async getPentest(id) {
+        return this.request(`/pentests/${encodeURIComponent(id)}`);
+    }
+    async listPentests() {
+        return this.request("/pentests");
+    }
+    async getReport(id, format) {
+        const encodedId = encodeURIComponent(id);
+        if (format === "json") {
+            return this.request(`/pentests/${encodedId}/report?format=json`);
+        }
+        return this.requestText(`/pentests/${encodedId}/report?format=${encodeURIComponent(format)}`);
+    }
+    async getCreditBalance() {
+        return this.request("/credits/balance");
+    }
+    async getCreditTiers() {
+        return this.request("/credits/tiers");
+    }
+    async getAttestation(hash) {
+        return this.request(`/attestations/${encodeURIComponent(hash)}`);
+    }
+    async listDomains() {
+        return this.request("/domains");
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAUA,MAAM,OAAO,QAAS,SAAQ,KAAK;IAExB;IADT,YACS,MAAc,EACrB,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,WAAM,GAAN,MAAM,CAAQ;QAIrB,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACzB,CAAC;CACF;AAED,MAAM,OAAO,kBAAkB;IACrB,OAAO,CAAS;IAChB,MAAM,CAAS;IAEvB,YAAY,MAAc,EAAE,OAAgB;QAC1C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,CAAC,OAAO,IAAI,8BAA8B,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChF,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,IAAY,EAAE,UAAuB,EAAE;QAC9D,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;QACrC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,GAAI,OAAO,CAAC,OAAkC;SAC/C,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;QAE7D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,GAAG,OAAO;gBACV,OAAO;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBACrD,MAAM,OAAO,GACV,IAA2B,CAAC,KAAK,IAAI,kCAAkC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBAC5F,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,CAAC;YAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;QACtC,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,IAAY;QACpC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;QAE7D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE,EAAE;gBACnD,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;gBACnD,MAAM,IAAI,QAAQ,CAChB,QAAQ,CAAC,MAAM,EACf,IAAI,IAAI,kCAAkC,QAAQ,CAAC,MAAM,EAAE,CAC5D,CAAC;YACJ,CAAC;YAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC/B,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,MAIlB;QACC,OAAO,IAAI,CAAC,OAAO,CAA6B,WAAW,EAAE;YAC3D,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,OAAO,IAAI,CAAC,OAAO,CAAO,aAAa,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO,IAAI,CAAC,OAAO,CAAgB,WAAW,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,EAAU,EAAE,MAAc;QACxC,MAAM,SAAS,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAC;QACzC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,OAAO,CAA0B,aAAa,SAAS,qBAAqB,CAAC,CAAC;QAC5F,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,SAAS,kBAAkB,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,OAAO,IAAI,CAAC,OAAO,CAAgB,kBAAkB,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC,OAAO,CAAsB,gBAAgB,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,OAAO,IAAI,CAAC,OAAO,CAAc,iBAAiB,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,OAAO,CAAW,UAAU,CAAC,CAAC;IAC5C,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { TurboPentestClient } from "./client.js";
+import { createServer } from "./server.js";
+const apiKey = process.env.TURBOPENTEST_API_KEY;
+if (!apiKey) {
+    console.error("Error: TURBOPENTEST_API_KEY environment variable is required.\n" +
+        "Set it in your MCP client config:\n\n" +
+        '  "env": { "TURBOPENTEST_API_KEY": "tp_live_..." }\n\n' +
+        "Get your API key at https://turbopentest.com/settings/api-keys");
+    process.exit(1);
+}
+const baseUrl = process.env.TURBOPENTEST_API_URL;
+const client = new TurboPentestClient(apiKey, baseUrl);
+const server = createServer(client);
+const transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;AAEhD,IAAI,CAAC,MAAM,EAAE,CAAC;IACZ,OAAO,CAAC,KAAK,CACX,iEAAiE;QAC/D,uCAAuC;QACvC,wDAAwD;QACxD,gEAAgE,CACnE,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;AACjD,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACvD,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;AAEpC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { TurboPentestClient } from "./client.js";
+export declare function createServer(client: TurboPentestClient): McpServer;

package/dist/server.js

@@ -0,0 +1,25 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { registerStartPentest } from "./tools/start-pentest.js";
+import { registerGetPentest } from "./tools/get-pentest.js";
+import { registerListPentests } from "./tools/list-pentests.js";
+import { registerGetFindings } from "./tools/get-findings.js";
+import { registerDownloadReport } from "./tools/download-report.js";
+import { registerGetCredits } from "./tools/get-credits.js";
+import { registerVerifyAttestation } from "./tools/verify-attestation.js";
+import { registerListDomains } from "./tools/list-domains.js";
+export function createServer(client) {
+    const server = new McpServer({
+        name: "turbopentest",
+        version: "0.1.0",
+    });
+    registerStartPentest(server, client);
+    registerGetPentest(server, client);
+    registerListPentests(server, client);
+    registerGetFindings(server, client);
+    registerDownloadReport(server, client);
+    registerGetCredits(server, client);
+    registerVerifyAttestation(server, client);
+    registerListDomains(server, client);
+    return server;
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAE9D,MAAM,UAAU,YAAY,CAAC,MAA0B;IACrD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpC,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,yBAAyB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEpC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/tools/download-report.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerDownloadReport(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/download-report.js

@@ -0,0 +1,53 @@
+import { z } from "zod";
+export function registerDownloadReport(server, client) {
+    server.registerTool("download_report", {
+        title: "Download Report",
+        description: "Download a pentest report. Use format=markdown for AI-readable content, " +
+            "format=json for structured data, or format=pdf for the full formatted report. " +
+            "The scan must be complete.",
+        inputSchema: z.object({
+            pentest_id: z.string().uuid().describe("The pentest ID (UUID)"),
+            format: z
+                .enum(["json", "markdown", "pdf"])
+                .describe("Report format: markdown (best for AI reading), json (structured data), pdf (formatted document)"),
+        }),
+    }, async ({ pentest_id, format }) => {
+        try {
+            const result = await client.getReport(pentest_id, format);
+            if (format === "pdf") {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: `PDF report for pentest ${pentest_id} is available for download at:\n` +
+                                `https://turbopentest.com/api/pentests/${pentest_id}/report?format=pdf\n\n` +
+                                "Note: PDF content cannot be displayed inline. Use format=markdown for AI-readable content.",
+                        },
+                    ],
+                };
+            }
+            if (format === "json") {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: JSON.stringify(result, null, 2),
+                        },
+                    ],
+                };
+            }
+            // markdown
+            return {
+                content: [{ type: "text", text: result }],
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to download report: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=download-report.js.map

package/dist/tools/download-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"download-report.js","sourceRoot":"","sources":["../../src/tools/download-report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,sBAAsB,CAAC,MAAiB,EAAE,MAA0B;IAClF,MAAM,CAAC,YAAY,CACjB,iBAAiB,EACjB;QACE,KAAK,EAAE,iBAAiB;QACxB,WAAW,EACT,0EAA0E;YAC1E,gFAAgF;YAChF,4BAA4B;QAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YAC/D,MAAM,EAAE,CAAC;iBACN,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;iBACjC,QAAQ,CACP,iGAAiG,CAClG;SACJ,CAAC;KACH,EACD,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAE1D,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACrB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EACF,0BAA0B,UAAU,kCAAkC;gCACtE,yCAAyC,UAAU,wBAAwB;gCAC3E,4FAA4F;yBAC/F;qBACF;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;yBACtC;qBACF;iBACF,CAAC;YACJ,CAAC;YAED,WAAW;YACX,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAgB,EAAE,CAAC;aAC7D,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,8BAA8B,OAAO,EAAE,EAAE,CAAC;gBACnF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/get-credits.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerGetCredits(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/get-credits.js

@@ -0,0 +1,45 @@
+import { z } from "zod";
+export function registerGetCredits(server, client) {
+    server.registerTool("get_credits", {
+        title: "Get Credits",
+        description: "Check your credit balance and available scan tiers with pricing. " +
+            "Credits are required to launch pentests.",
+        inputSchema: z.object({}),
+    }, async () => {
+        try {
+            const [balance, tiersData] = await Promise.all([
+                client.getCreditBalance(),
+                client.getCreditTiers(),
+            ]);
+            const lines = [
+                "--- Credit Balance ---",
+                `  Available: ${balance.available}`,
+                `  Used:      ${balance.used}`,
+                `  Scheduled: ${balance.scheduled}`,
+                `  Expired:   ${balance.expired}`,
+            ];
+            if (balance.expiringSoon > 0) {
+                lines.push(`  Expiring soon (30 days): ${balance.expiringSoon}`);
+            }
+            lines.push("", "  Available by tier:", `    Recon:    ${balance.byTier.recon || 0}`, `    Standard: ${balance.byTier.standard || 0}`, `    Deep:     ${balance.byTier.deep || 0}`, `    Blitz:    ${balance.byTier.blitz || 0}`, "", "--- Available Tiers ---");
+            for (const tier of tiersData.tiers) {
+                lines.push(`  ${tier.label} ($${(tier.priceCents / 100).toFixed(0)})`, `    Agents: ${tier.agents}, Duration: ${tier.durationMin}min, Agent-hours: ${tier.agentHours}`);
+            }
+            if (tiersData.volumeDiscounts.length > 0) {
+                lines.push("", "  Volume discounts:");
+                for (const d of tiersData.volumeDiscounts) {
+                    lines.push(`    ${d.minQuantity}+ credits: ${d.discountPercent}% off`);
+                }
+            }
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to get credits: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=get-credits.js.map

package/dist/tools/get-credits.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-credits.js","sourceRoot":"","sources":["../../src/tools/get-credits.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,kBAAkB,CAAC,MAAiB,EAAE,MAA0B;IAC9E,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,aAAa;QACpB,WAAW,EACT,mEAAmE;YACnE,0CAA0C;QAC5C,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;KAC1B,EACD,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBAC7C,MAAM,CAAC,gBAAgB,EAAE;gBACzB,MAAM,CAAC,cAAc,EAAE;aACxB,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG;gBACZ,wBAAwB;gBACxB,gBAAgB,OAAO,CAAC,SAAS,EAAE;gBACnC,gBAAgB,OAAO,CAAC,IAAI,EAAE;gBAC9B,gBAAgB,OAAO,CAAC,SAAS,EAAE;gBACnC,gBAAgB,OAAO,CAAC,OAAO,EAAE;aAClC,CAAC;YAEF,IAAI,OAAO,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;gBAC7B,KAAK,CAAC,IAAI,CAAC,8BAA8B,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,sBAAsB,EACtB,iBAAiB,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,EAAE,EAC5C,iBAAiB,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,EAAE,EAC/C,iBAAiB,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,EAAE,EAC3C,iBAAiB,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,EAAE,EAC5C,EAAE,EACF,yBAAyB,CAC1B,CAAC;YAEF,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;gBACnC,KAAK,CAAC,IAAI,CACR,KAAK,IAAI,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAC1D,eAAe,IAAI,CAAC,MAAM,eAAe,IAAI,CAAC,WAAW,qBAAqB,IAAI,CAAC,UAAU,EAAE,CAChG,CAAC;YACJ,CAAC;YAED,IAAI,SAAS,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,qBAAqB,CAAC,CAAC;gBACtC,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;oBAC1C,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,WAAW,cAAc,CAAC,CAAC,eAAe,OAAO,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,0BAA0B,OAAO,EAAE,EAAE,CAAC;gBAC/E,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/get-findings.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerGetFindings(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/get-findings.js

@@ -0,0 +1,81 @@
+import { z } from "zod";
+function formatFinding(f, index) {
+    const lines = [
+        `[${index + 1}] ${f.severity.toUpperCase()}: ${f.title}`,
+        `    Tool: ${f.sourceTool}`,
+    ];
+    if (f.cvss !== null)
+        lines.push(`    CVSS: ${f.cvss}${f.cvssVector ? ` (${f.cvssVector})` : ""}`);
+    if (f.cweId)
+        lines.push(`    CWE: ${f.cweId}`);
+    if (f.owaspCategory)
+        lines.push(`    OWASP: ${f.owaspCategory}`);
+    if (f.affectedUrl)
+        lines.push(`    URL: ${f.affectedUrl}`);
+    if (f.cveIds.length > 0)
+        lines.push(`    CVEs: ${f.cveIds.join(", ")}`);
+    if (f.description)
+        lines.push(`    Description: ${f.description}`);
+    if (f.proofOfExploit)
+        lines.push(`    PoC: ${f.proofOfExploit}`);
+    if (f.remediation)
+        lines.push(`    Remediation: ${f.remediation}`);
+    if (f.retestCommand)
+        lines.push(`    Retest: ${f.retestCommand}`);
+    return lines.join("\n");
+}
+export function registerGetFindings(server, client) {
+    server.registerTool("get_findings", {
+        title: "Get Findings",
+        description: "Get structured vulnerability findings for a pentest. " +
+            "Each finding includes severity, CVSS, CWE, description, PoC, remediation, and retest command. " +
+            "Use the severity filter to narrow results.",
+        inputSchema: z.object({
+            pentest_id: z.string().uuid().describe("The pentest ID (UUID)"),
+            severity: z
+                .enum(["critical", "high", "medium", "low", "info"])
+                .optional()
+                .describe("Filter findings by severity level"),
+        }),
+    }, async ({ pentest_id, severity }) => {
+        try {
+            const scan = await client.getPentest(pentest_id);
+            let findings = scan.findings;
+            if (severity) {
+                findings = findings.filter((f) => f.severity === severity);
+            }
+            if (findings.length === 0) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: severity
+                                ? `No ${severity} findings for pentest ${pentest_id}.`
+                                : `No findings for pentest ${pentest_id}.`,
+                        },
+                    ],
+                };
+            }
+            const MAX_DISPLAY = 20;
+            const displayed = findings.slice(0, MAX_DISPLAY);
+            const lines = [
+                `Findings for pentest ${pentest_id}${severity ? ` (${severity} only)` : ""}:`,
+                `Total: ${findings.length}`,
+                "",
+                ...displayed.map((f, i) => formatFinding(f, i)),
+            ];
+            if (findings.length > MAX_DISPLAY) {
+                lines.push("", `... showing ${MAX_DISPLAY} of ${findings.length} findings. Use severity filter to narrow results.`);
+            }
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to get findings: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=get-findings.js.map

package/dist/tools/get-findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-findings.js","sourceRoot":"","sources":["../../src/tools/get-findings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,SAAS,aAAa,CAAC,CAAU,EAAE,KAAa;IAC9C,MAAM,KAAK,GAAG;QACZ,IAAI,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE;QACxD,aAAa,CAAC,CAAC,UAAU,EAAE;KAC5B,CAAC;IAEF,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClG,IAAI,CAAC,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IAC/C,IAAI,CAAC,CAAC,aAAa;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;IACjE,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC3D,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACnE,IAAI,CAAC,CAAC,cAAc;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC;IACjE,IAAI,CAAC,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACnE,IAAI,CAAC,CAAC,aAAa;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;IAElE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAiB,EAAE,MAA0B;IAC/E,MAAM,CAAC,YAAY,CACjB,cAAc,EACd;QACE,KAAK,EAAE,cAAc;QACrB,WAAW,EACT,uDAAuD;YACvD,gGAAgG;YAChG,4CAA4C;QAC9C,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YAC/D,QAAQ,EAAE,CAAC;iBACR,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;iBACnD,QAAQ,EAAE;iBACV,QAAQ,CAAC,mCAAmC,CAAC;SACjD,CAAC;KACH,EACD,KAAK,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YACjD,IAAI,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAE7B,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;YAC7D,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,QAAQ;gCACZ,CAAC,CAAC,MAAM,QAAQ,yBAAyB,UAAU,GAAG;gCACtD,CAAC,CAAC,2BAA2B,UAAU,GAAG;yBAC7C;qBACF;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,WAAW,GAAG,EAAE,CAAC;YACvB,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;YACjD,MAAM,KAAK,GAAG;gBACZ,wBAAwB,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG;gBAC7E,UAAU,QAAQ,CAAC,MAAM,EAAE;gBAC3B,EAAE;gBACF,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;aAChD,CAAC;YAEF,IAAI,QAAQ,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;gBAClC,KAAK,CAAC,IAAI,CACR,EAAE,EACF,eAAe,WAAW,OAAO,QAAQ,CAAC,MAAM,mDAAmD,CACpG,CAAC;YACJ,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,2BAA2B,OAAO,EAAE,EAAE,CAAC;gBAChF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/get-pentest.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerGetPentest(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/get-pentest.js

@@ -0,0 +1,72 @@
+import { z } from "zod";
+export function registerGetPentest(server, client) {
+    server.registerTool("get_pentest", {
+        title: "Get Pentest",
+        description: "Get full details for a pentest including status, progress, findings summary, " +
+            "executive summary, attack surface map, and STRIDE threat model.",
+        inputSchema: z.object({
+            pentest_id: z.string().uuid().describe("The pentest ID (UUID)"),
+        }),
+    }, async ({ pentest_id }) => {
+        try {
+            const scan = await client.getPentest(pentest_id);
+            const severityCounts = {
+                critical: 0,
+                high: 0,
+                medium: 0,
+                low: 0,
+                info: 0,
+            };
+            for (const f of scan.findings) {
+                severityCounts[f.severity] = (severityCounts[f.severity] || 0) + 1;
+            }
+            const toolsDone = scan.toolResults.filter((t) => t.status === "complete").length;
+            const toolsTotal = scan.toolResults.length;
+            const progress = toolsTotal > 0 ? Math.round((toolsDone / toolsTotal) * 100) : 0;
+            const lines = [
+                `Pentest: ${scan.id}`,
+                `Target:  ${scan.targetUrl}`,
+                `Status:  ${scan.status}`,
+            ];
+            if (scan.status === "scanning") {
+                lines.push(`Progress: ${progress}% (${toolsDone}/${toolsTotal} tools complete)`);
+            }
+            lines.push(`Started: ${scan.startedAt || "pending"}`, scan.completedAt ? `Completed: ${scan.completedAt}` : "", "", `--- Findings (${scan.findings.length} total) ---`, `  Critical: ${severityCounts.critical}`, `  High:     ${severityCounts.high}`, `  Medium:   ${severityCounts.medium}`, `  Low:      ${severityCounts.low}`, `  Info:     ${severityCounts.info}`);
+            if (scan.status === "scanning") {
+                const running = scan.toolResults
+                    .filter((t) => t.status === "running")
+                    .map((t) => t.toolName);
+                const pending = scan.toolResults
+                    .filter((t) => t.status === "pending")
+                    .map((t) => t.toolName);
+                if (running.length)
+                    lines.push("", `Running: ${running.join(", ")}`);
+                if (pending.length)
+                    lines.push(`Pending: ${pending.join(", ")}`);
+            }
+            if (scan.executiveSummary) {
+                lines.push("", "--- Executive Summary ---", scan.executiveSummary);
+            }
+            if (scan.attackSurface) {
+                lines.push("", "--- Attack Surface ---", JSON.stringify(scan.attackSurface, null, 2));
+            }
+            if (scan.threatModel) {
+                lines.push("", "--- STRIDE Threat Model ---", JSON.stringify(scan.threatModel, null, 2));
+            }
+            if (scan.failureReason) {
+                lines.push("", `Failure reason: ${scan.failureReason}`);
+            }
+            return {
+                content: [{ type: "text", text: lines.filter((l) => l !== "").join("\n") }],
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to get pentest: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=get-pentest.js.map

package/dist/tools/get-pentest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-pentest.js","sourceRoot":"","sources":["../../src/tools/get-pentest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,kBAAkB,CAAC,MAAiB,EAAE,MAA0B;IAC9E,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,aAAa;QACpB,WAAW,EACT,+EAA+E;YAC/E,iEAAiE;QACnE,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,uBAAuB,CAAC;SAChE,CAAC;KACH,EACD,KAAK,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;QACvB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YAEjD,MAAM,cAAc,GAA2B;gBAC7C,QAAQ,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;gBACP,MAAM,EAAE,CAAC;gBACT,GAAG,EAAE,CAAC;gBACN,IAAI,EAAE,CAAC;aACR,CAAC;YACF,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC9B,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACrE,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;YACjF,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;YAC3C,MAAM,QAAQ,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,UAAU,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAEjF,MAAM,KAAK,GAAa;gBACtB,YAAY,IAAI,CAAC,EAAE,EAAE;gBACrB,YAAY,IAAI,CAAC,SAAS,EAAE;gBAC5B,YAAY,IAAI,CAAC,MAAM,EAAE;aAC1B,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBAC/B,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,MAAM,SAAS,IAAI,UAAU,kBAAkB,CAAC,CAAC;YACnF,CAAC;YAED,KAAK,CAAC,IAAI,CACR,YAAY,IAAI,CAAC,SAAS,IAAI,SAAS,EAAE,EACzC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EACxD,EAAE,EACF,iBAAiB,IAAI,CAAC,QAAQ,CAAC,MAAM,aAAa,EAClD,eAAe,cAAc,CAAC,QAAQ,EAAE,EACxC,eAAe,cAAc,CAAC,IAAI,EAAE,EACpC,eAAe,cAAc,CAAC,MAAM,EAAE,EACtC,eAAe,cAAc,CAAC,GAAG,EAAE,EACnC,eAAe,cAAc,CAAC,IAAI,EAAE,CACrC,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW;qBAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;qBACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;gBAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW;qBAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;qBACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;gBAC1B,IAAI,OAAO,CAAC,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACrE,IAAI,OAAO,CAAC,MAAM;oBAAE,KAAK,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,2BAA2B,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrE,CAAC;YAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,wBAAwB,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACxF,CAAC;YAED,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,6BAA6B,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC3F,CAAC;YAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvB,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,mBAAmB,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aACrF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,0BAA0B,OAAO,EAAE,EAAE,CAAC;gBAC/E,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/list-domains.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerListDomains(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/list-domains.js

@@ -0,0 +1,46 @@
+import { z } from "zod";
+export function registerListDomains(server, client) {
+    server.registerTool("list_domains", {
+        title: "List Domains",
+        description: "List your verified domains and their verification status. " +
+            "Domains must be verified before you can run pentests against them.",
+        inputSchema: z.object({}),
+    }, async () => {
+        try {
+            const domains = await client.listDomains();
+            if (domains.length === 0) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: "No domains found.\n\n" +
+                                "To verify a domain, add a DNS TXT record at turbopentest.com/domains.",
+                        },
+                    ],
+                };
+            }
+            const lines = [`Domains (${domains.length})`, ""];
+            for (const d of domains) {
+                const verified = d.verifiedAt ? "Verified" : "Pending";
+                const expiry = d.expiresAt ? `Expires: ${d.expiresAt}` : "";
+                lines.push(`  ${d.domain}`, `    Status:  ${verified}`, `    Token:   ${d.token}`, expiry ? `    ${expiry}` : "", `    Added:   ${d.createdAt}`, "");
+            }
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: lines.filter((l) => l !== "").join("\n"),
+                    },
+                ],
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to list domains: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=list-domains.js.map

package/dist/tools/list-domains.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-domains.js","sourceRoot":"","sources":["../../src/tools/list-domains.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,mBAAmB,CAAC,MAAiB,EAAE,MAA0B;IAC/E,MAAM,CAAC,YAAY,CACjB,cAAc,EACd;QACE,KAAK,EAAE,cAAc;QACrB,WAAW,EACT,4DAA4D;YAC5D,oEAAoE;QACtE,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;KAC1B,EACD,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;YAE3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EACF,uBAAuB;gCACvB,uEAAuE;yBAC1E;qBACF;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,CAAC,YAAY,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC,CAAC;YAElD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,MAAM,QAAQ,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;gBACvD,MAAM,MAAM,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAE5D,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,CAAC,MAAM,EAAE,EACf,gBAAgB,QAAQ,EAAE,EAC1B,gBAAgB,CAAC,CAAC,KAAK,EAAE,EACzB,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,EAC7B,gBAAgB,CAAC,CAAC,SAAS,EAAE,EAC7B,EAAE,CACH,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;qBAC/C;iBACF;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,2BAA2B,OAAO,EAAE,EAAE,CAAC;gBAChF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/list-pentests.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerListPentests(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/list-pentests.js

@@ -0,0 +1,61 @@
+import { z } from "zod";
+export function registerListPentests(server, client) {
+    server.registerTool("list_pentests", {
+        title: "List Pentests",
+        description: "List all your pentests with status and finding counts. " +
+            "Results are ordered newest first.",
+        inputSchema: z.object({
+            limit: z
+                .number()
+                .int()
+                .min(1)
+                .max(100)
+                .default(10)
+                .describe("Maximum number of results to return"),
+            status: z
+                .enum(["queued", "scanning", "complete", "failed"])
+                .optional()
+                .describe("Filter by scan status"),
+        }),
+    }, async ({ limit, status }) => {
+        try {
+            let scans = await client.listPentests();
+            if (status) {
+                scans = scans.filter((s) => s.status === status);
+            }
+            scans = scans.slice(0, limit);
+            if (scans.length === 0) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: status
+                                ? `No pentests found with status "${status}".`
+                                : "No pentests found. Use start_pentest to launch one.",
+                        },
+                    ],
+                };
+            }
+            const lines = [`Pentests (showing ${scans.length})`, ""];
+            for (const scan of scans) {
+                const severityCounts = {};
+                for (const f of scan.findings) {
+                    severityCounts[f.severity] = (severityCounts[f.severity] || 0) + 1;
+                }
+                const findingSummary = Object.entries(severityCounts)
+                    .map(([sev, count]) => `${count} ${sev}`)
+                    .join(", ");
+                lines.push(`  ${scan.id}`, `    Target:   ${scan.targetUrl}`, `    Status:   ${scan.status}`, `    Created:  ${scan.createdAt}`, `    Findings: ${findingSummary || "none"}`, "");
+            }
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to list pentests: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=list-pentests.js.map

package/dist/tools/list-pentests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list-pentests.js","sourceRoot":"","sources":["../../src/tools/list-pentests.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,oBAAoB,CAAC,MAAiB,EAAE,MAA0B;IAChF,MAAM,CAAC,YAAY,CACjB,eAAe,EACf;QACE,KAAK,EAAE,eAAe;QACtB,WAAW,EACT,yDAAyD;YACzD,mCAAmC;QACrC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,KAAK,EAAE,CAAC;iBACL,MAAM,EAAE;iBACR,GAAG,EAAE;iBACL,GAAG,CAAC,CAAC,CAAC;iBACN,GAAG,CAAC,GAAG,CAAC;iBACR,OAAO,CAAC,EAAE,CAAC;iBACX,QAAQ,CAAC,qCAAqC,CAAC;YAClD,MAAM,EAAE,CAAC;iBACN,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;iBAClD,QAAQ,EAAE;iBACV,QAAQ,CAAC,uBAAuB,CAAC;SACrC,CAAC;KACH,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;QAC1B,IAAI,CAAC;YACH,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;YAExC,IAAI,MAAM,EAAE,CAAC;gBACX,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;YACnD,CAAC;YAED,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAe;4BACrB,IAAI,EAAE,MAAM;gCACV,CAAC,CAAC,kCAAkC,MAAM,IAAI;gCAC9C,CAAC,CAAC,qDAAqD;yBAC1D;qBACF;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,CAAC,qBAAqB,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC,CAAC;YAEzD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,cAAc,GAA2B,EAAE,CAAC;gBAClD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAC9B,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBACrE,CAAC;gBACD,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC;qBAClD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;qBACxC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEd,KAAK,CAAC,IAAI,CACR,KAAK,IAAI,CAAC,EAAE,EAAE,EACd,iBAAiB,IAAI,CAAC,SAAS,EAAE,EACjC,iBAAiB,IAAI,CAAC,MAAM,EAAE,EAC9B,iBAAiB,IAAI,CAAC,SAAS,EAAE,EACjC,iBAAiB,cAAc,IAAI,MAAM,EAAE,EAC3C,EAAE,CACH,CAAC;YACJ,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,4BAA4B,OAAO,EAAE,EAAE,CAAC;gBACjF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/start-pentest.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerStartPentest(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/start-pentest.js

@@ -0,0 +1,73 @@
+import { z } from "zod";
+export function registerStartPentest(server, client) {
+    server.registerTool("start_pentest", {
+        title: "Start Pentest",
+        description: "Launch an AI-powered penetration test against a target URL. " +
+            "The domain must be verified first (see list_domains). " +
+            "Requires an available credit matching the selected tier.",
+        inputSchema: z.object({
+            target_url: z.string().url().describe("The target URL to scan (must be a verified domain)"),
+            repo_url: z
+                .string()
+                .url()
+                .optional()
+                .describe("GitHub repository URL for white-box scanning (SAST, secrets, SCA)"),
+            tier: z
+                .enum(["recon", "standard", "deep", "blitz"])
+                .default("standard")
+                .describe("Scan tier: recon (1 agent, 30min), standard (4 agents, 1hr), deep (10 agents, 2hr), blitz (20 agents, 4hr)"),
+        }),
+    }, async ({ target_url, repo_url, tier }) => {
+        try {
+            const result = await client.startPentest({
+                targetUrl: target_url,
+                repoUrl: repo_url,
+                tier,
+            });
+            if ("groupId" in result) {
+                const multi = result;
+                const lines = [
+                    `Pentest group started: ${multi.groupId}`,
+                    `Scans launched: ${multi.scans.length}`,
+                    "",
+                    ...multi.scans.map((s) => `  - ${s.targetUrl} (ID: ${s.id})`),
+                    "",
+                    "Use get_pentest with each scan ID to check status.",
+                ];
+                return { content: [{ type: "text", text: lines.join("\n") }] };
+            }
+            const scan = result;
+            const tierInfo = {
+                recon: { agents: 1, duration: "~30 minutes" },
+                standard: { agents: 4, duration: "~1 hour" },
+                deep: { agents: 10, duration: "~2 hours" },
+                blitz: { agents: 20, duration: "~4 hours" },
+            };
+            const info = tierInfo[tier] || tierInfo.standard;
+            const lines = [
+                "Pentest started successfully",
+                "",
+                `  ID:       ${scan.id}`,
+                `  Target:   ${scan.targetUrl}`,
+                `  Status:   ${scan.status}`,
+                `  Tier:     ${tier}`,
+                `  Agents:   ${info.agents}`,
+                `  Duration: ${info.duration}`,
+                scan.repoUrl ? `  Repo:     ${scan.repoUrl}` : null,
+                "",
+                `Use get_pentest("${scan.id}") to check progress.`,
+            ];
+            return {
+                content: [{ type: "text", text: lines.filter(Boolean).join("\n") }],
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [{ type: "text", text: `Failed to start pentest: ${message}` }],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=start-pentest.js.map

package/dist/tools/start-pentest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"start-pentest.js","sourceRoot":"","sources":["../../src/tools/start-pentest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,MAAM,UAAU,oBAAoB,CAAC,MAAiB,EAAE,MAA0B;IAChF,MAAM,CAAC,YAAY,CACjB,eAAe,EACf;QACE,KAAK,EAAE,eAAe;QACtB,WAAW,EACT,8DAA8D;YAC9D,wDAAwD;YACxD,0DAA0D;QAC5D,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,oDAAoD,CAAC;YAC3F,QAAQ,EAAE,CAAC;iBACR,MAAM,EAAE;iBACR,GAAG,EAAE;iBACL,QAAQ,EAAE;iBACV,QAAQ,CAAC,mEAAmE,CAAC;YAChF,IAAI,EAAE,CAAC;iBACJ,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;iBAC5C,OAAO,CAAC,UAAU,CAAC;iBACnB,QAAQ,CACP,4GAA4G,CAC7G;SACJ,CAAC;KACH,EACD,KAAK,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC;gBACvC,SAAS,EAAE,UAAU;gBACrB,OAAO,EAAE,QAAQ;gBACjB,IAAI;aACL,CAAC,CAAC;YAEH,IAAI,SAAS,IAAI,MAAM,EAAE,CAAC;gBACxB,MAAM,KAAK,GAAG,MAA6B,CAAC;gBAC5C,MAAM,KAAK,GAAG;oBACZ,0BAA0B,KAAK,CAAC,OAAO,EAAE;oBACzC,mBAAmB,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE;oBACvC,EAAE;oBACF,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,SAAS,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC7D,EAAE;oBACF,oDAAoD;iBACrD,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1E,CAAC;YAED,MAAM,IAAI,GAAG,MAAc,CAAC;YAC5B,MAAM,QAAQ,GAAyD;gBACrE,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,aAAa,EAAE;gBAC7C,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE;gBAC5C,IAAI,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAC1C,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;aAC5C,CAAC;YACF,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC;YAEjD,MAAM,KAAK,GAAG;gBACZ,8BAA8B;gBAC9B,EAAE;gBACF,eAAe,IAAI,CAAC,EAAE,EAAE;gBACxB,eAAe,IAAI,CAAC,SAAS,EAAE;gBAC/B,eAAe,IAAI,CAAC,MAAM,EAAE;gBAC5B,eAAe,IAAI,EAAE;gBACrB,eAAe,IAAI,CAAC,MAAM,EAAE;gBAC5B,eAAe,IAAI,CAAC,QAAQ,EAAE;gBAC9B,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI;gBACnD,EAAE;gBACF,oBAAoB,IAAI,CAAC,EAAE,uBAAuB;aACnD,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aAC7E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,4BAA4B,OAAO,EAAE,EAAE,CAAC;gBACjF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tools/verify-attestation.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { TurboPentestClient } from "../client.js";
+export declare function registerVerifyAttestation(server: McpServer, client: TurboPentestClient): void;

package/dist/tools/verify-attestation.js

@@ -0,0 +1,51 @@
+import { z } from "zod";
+export function registerVerifyAttestation(server, client) {
+    server.registerTool("verify_attestation", {
+        title: "Verify Attestation",
+        description: "Verify a blockchain-anchored pentest attestation by its hash. " +
+            "This is a public endpoint — no API key required. " +
+            "Use this to confirm that a pentest was actually performed and its results are authentic.",
+        inputSchema: z.object({
+            hash: z.string().describe("The attestation hash to verify"),
+        }),
+    }, async ({ hash }) => {
+        try {
+            const data = await client.getAttestation(hash);
+            const a = data.attestation;
+            const lines = [
+                `Attestation: ${hash}`,
+                `Verified: ${data.verified ? "YES (blockchain-anchored)" : "PENDING (not yet anchored)"}`,
+                "",
+                "--- Scan Details ---",
+                `  Tier:         ${a.creditTier}`,
+                `  Agents:       ${a.agentCount}`,
+                `  Agent Hours:  ${a.agentHours}`,
+                `  Duration:     ${a.durationMin} minutes`,
+                `  Tools Run:    ${a.toolsRun}`,
+                `  Risk Score:   ${a.riskScore}`,
+                `  Completed:    ${a.completedAt}`,
+            ];
+            if (a.findingSummary) {
+                const summary = a.findingSummary;
+                lines.push("", "  Findings:", `    Critical: ${summary.critical || 0}`, `    High:     ${summary.high || 0}`, `    Medium:   ${summary.medium || 0}`, `    Low:      ${summary.low || 0}`, `    Info:     ${summary.info || 0}`);
+            }
+            if (data.anchor) {
+                lines.push("", "--- Blockchain Proof ---", `  Chain ID:     ${data.anchor.chainId}`, `  TX Hash:      ${data.anchor.txHash}`, `  Block:        ${data.anchor.blockNumber}`, `  Merkle Root:  ${data.anchor.rootHash}`);
+            }
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Failed to verify attestation: ${message}`,
+                    },
+                ],
+                isError: true,
+            };
+        }
+    });
+}
+//# sourceMappingURL=verify-attestation.js.map

package/dist/tools/verify-attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-attestation.js","sourceRoot":"","sources":["../../src/tools/verify-attestation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,MAAM,UAAU,yBAAyB,CAAC,MAAiB,EAAE,MAA0B;IACrF,MAAM,CAAC,YAAY,CACjB,oBAAoB,EACpB;QACE,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gEAAgE;YAChE,mDAAmD;YACnD,0FAA0F;QAC5F,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC;YACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;SAC5D,CAAC;KACH,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAE/C,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC;YAC3B,MAAM,KAAK,GAAG;gBACZ,gBAAgB,IAAI,EAAE;gBACtB,aAAa,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,4BAA4B,EAAE;gBACzF,EAAE;gBACF,sBAAsB;gBACtB,mBAAmB,CAAC,CAAC,UAAU,EAAE;gBACjC,mBAAmB,CAAC,CAAC,UAAU,EAAE;gBACjC,mBAAmB,CAAC,CAAC,UAAU,EAAE;gBACjC,mBAAmB,CAAC,CAAC,WAAW,UAAU;gBAC1C,mBAAmB,CAAC,CAAC,QAAQ,EAAE;gBAC/B,mBAAmB,CAAC,CAAC,SAAS,EAAE;gBAChC,mBAAmB,CAAC,CAAC,WAAW,EAAE;aACnC,CAAC;YAEF,IAAI,CAAC,CAAC,cAAc,EAAE,CAAC;gBACrB,MAAM,OAAO,GAAG,CAAC,CAAC,cAAwC,CAAC;gBAC3D,KAAK,CAAC,IAAI,CACR,EAAE,EACF,aAAa,EACb,iBAAiB,OAAO,CAAC,QAAQ,IAAI,CAAC,EAAE,EACxC,iBAAiB,OAAO,CAAC,IAAI,IAAI,CAAC,EAAE,EACpC,iBAAiB,OAAO,CAAC,MAAM,IAAI,CAAC,EAAE,EACtC,iBAAiB,OAAO,CAAC,GAAG,IAAI,CAAC,EAAE,EACnC,iBAAiB,OAAO,CAAC,IAAI,IAAI,CAAC,EAAE,CACrC,CAAC;YACJ,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CACR,EAAE,EACF,0BAA0B,EAC1B,mBAAmB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EACxC,mBAAmB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,EACvC,mBAAmB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,EAC5C,mBAAmB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAC1C,CAAC;YACJ,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,iCAAiC,OAAO,EAAE;qBACjD;iBACF;gBACD,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,136 @@
+export interface Scan {
+    id: string;
+    targetUrl: string;
+    repoUrl: string | null;
+    status: "queued" | "scanning" | "complete" | "failed";
+    isDemo: boolean;
+    failureReason: string | null;
+    executiveSummary: string | null;
+    aiSummary: string | null;
+    attackSurface: Record<string, unknown> | null;
+    threatModel: Record<string, unknown> | null;
+    startedAt: string | null;
+    completedAt: string | null;
+    createdAt: string;
+    groupId: string | null;
+    tier?: string | null;
+    findings: Finding[];
+    toolResults: ToolResult[];
+    retestResults?: RetestResult[];
+    groupSiblings?: GroupSibling[] | null;
+}
+export interface Finding {
+    id: string;
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    title: string;
+    description: string | null;
+    sourceTool: string;
+    vulnType: string | null;
+    proofOfExploit: string | null;
+    remediation: string | null;
+    retestCommand: string | null;
+    cvss: number | null;
+    cvssVector: string | null;
+    cveIds: string[];
+    cweId: string | null;
+    owaspCategory: string | null;
+    affectedUrl: string | null;
+    references: string[];
+    fingerprint: string | null;
+}
+export interface ToolResult {
+    id: string;
+    toolName: string;
+    status: "pending" | "running" | "complete" | "failed";
+    startedAt: string | null;
+    completedAt: string | null;
+}
+export interface RetestResult {
+    fingerprint: string;
+    retestCommand: string;
+    status: "confirmed" | "not_confirmed" | "error" | "timeout";
+    output: string | null;
+}
+export interface GroupSibling {
+    id: string;
+    targetUrl: string;
+    status: string;
+}
+export interface ScanSummary {
+    id: string;
+    targetUrl: string;
+    repoUrl: string | null;
+    status: "queued" | "scanning" | "complete" | "failed";
+    createdAt: string;
+    startedAt: string | null;
+    completedAt: string | null;
+    tier?: string | null;
+    findings: {
+        severity: string;
+        fingerprint: string | null;
+    }[];
+    toolResults: {
+        toolName: string;
+        status: string;
+    }[];
+}
+export interface CreditBalance {
+    available: number;
+    used: number;
+    expired: number;
+    scheduled: number;
+    total: number;
+    expiringSoon: number;
+    byTier: Record<string, number>;
+    tiersByStatus: Record<string, Record<string, number>>;
+}
+export interface CreditTier {
+    id: string;
+    label: string;
+    agentHours: number;
+    agents: number;
+    durationMin: number;
+    priceCents: number;
+}
+export interface CreditTiersResponse {
+    tiers: CreditTier[];
+    volumeDiscounts: {
+        minQuantity: number;
+        discountPercent: number;
+    }[];
+}
+export interface Attestation {
+    attestation: {
+        targetHash: string;
+        creditTier: string;
+        agentHours: number;
+        agentCount: number;
+        durationMin: number;
+        toolsRun: number;
+        findingSummary: Record<string, number>;
+        riskScore: number;
+        completedAt: string;
+    };
+    anchor: {
+        rootHash: string;
+        txHash: string;
+        chainId: number;
+        blockNumber: string;
+    } | null;
+    verified: boolean;
+}
+export interface Domain {
+    id: string;
+    domain: string;
+    token: string;
+    verifiedAt: string | null;
+    expiresAt: string | null;
+    createdAt: string;
+}
+export interface MultiDomainResponse {
+    groupId: string;
+    scans: {
+        id: string;
+        targetUrl: string;
+    }[];
+}

package/dist/types.js

@@ -0,0 +1,3 @@
+// API response types — derived from TurboPentest REST API
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,0DAA0D"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@turbopentest/mcp-server",
+  "version": "0.1.0",
+  "description": "MCP server for TurboPentest — AI-powered penetration testing from your coding assistant",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "turbopentest-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "pentest",
+    "security",
+    "turbopentest",
+    "ai"
+  ],
+  "author": "IntegSec Inc.",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "tsx": "^4.19.0",
+    "@types/node": "^22.0.0"
+  }
+}