@turbopentest/mcp-server 0.2.0 → 0.2.1

package/dist/prompts/analyze-findings.js

@@ -13,40 +13,40 @@ export function registerAnalyzeFindings(server) {
                 role: "user",
                 content: {
                     type: "text",
-                    text: `You are a security analyst producing a prioritized remediation plan for pentest ${pentest_id}.
-
-Follow these steps:
-
-1. **Get pentest context** - Call turbopentest_get_pentest with pentest_id="${pentest_id}". Note the target URL, executive summary, attack surface, and STRIDE threat model. If the pentest is not complete, tell the user and stop.
-
-2. **Gather all findings** - Call turbopentest_get_findings with pentest_id="${pentest_id}" for each severity level separately:
-   - First with severity="critical"
-   - Then severity="high"
-   - Then severity="medium"
-   - Then severity="low"
-   This ensures you see all findings even if there are many.
-
-3. **Produce a prioritized remediation plan** organized as follows:
-
-   **Executive Summary** - One paragraph overview of the security posture.
-
-   **Critical & High Priority** - For each critical/high finding:
-   - Title and affected URL
-   - Why it matters (business impact)
-   - Specific remediation steps
-   - Retest command to verify the fix
-   - Estimated effort (quick fix / moderate / significant)
-
-   **Quick Wins** - Findings that are easy to fix regardless of severity. Look for:
-   - Missing security headers
-   - Outdated software versions
-   - Default credentials
-   - Information disclosure
-
-   **Medium & Low Priority** - Grouped summary with remediation themes rather than individual findings.
-
-   **Recommended Fix Order** - Numbered list of what to fix first, considering both severity and effort. Prioritize: critical issues, then quick wins, then high-effort items.
-
+                    text: `You are a security analyst producing a prioritized remediation plan for pentest ${pentest_id}.
+
+Follow these steps:
+
+1. **Get pentest context** - Call turbopentest_get_pentest with pentest_id="${pentest_id}". Note the target URL, executive summary, attack surface, and STRIDE threat model. If the pentest is not complete, tell the user and stop.
+
+2. **Gather all findings** - Call turbopentest_get_findings with pentest_id="${pentest_id}" for each severity level separately:
+   - First with severity="critical"
+   - Then severity="high"
+   - Then severity="medium"
+   - Then severity="low"
+   This ensures you see all findings even if there are many.
+
+3. **Produce a prioritized remediation plan** organized as follows:
+
+   **Executive Summary** - One paragraph overview of the security posture.
+
+   **Critical & High Priority** - For each critical/high finding:
+   - Title and affected URL
+   - Why it matters (business impact)
+   - Specific remediation steps
+   - Retest command to verify the fix
+   - Estimated effort (quick fix / moderate / significant)
+
+   **Quick Wins** - Findings that are easy to fix regardless of severity. Look for:
+   - Missing security headers
+   - Outdated software versions
+   - Default credentials
+   - Information disclosure
+
+   **Medium & Low Priority** - Grouped summary with remediation themes rather than individual findings.
+
+   **Recommended Fix Order** - Numbered list of what to fix first, considering both severity and effort. Prioritize: critical issues, then quick wins, then high-effort items.
+
 Present the plan in clean markdown with clear sections.`,
                 },
             },

package/dist/prompts/compare-pentests.js

@@ -14,40 +14,40 @@ export function registerComparePentests(server) {
                 role: "user",
                 content: {
                     type: "text",
-                    text: `You are comparing two penetration tests to track security posture changes.
-
-- Baseline (earlier): ${baseline_id}
-- Current (later): ${current_id}
-
-Follow these steps:
-
-1. **Get both pentests** - Call turbopentest_get_pentest for "${baseline_id}" and "${current_id}". Verify both are complete. Note their target URLs and completion dates.
-
-2. **Get all findings** - Call turbopentest_get_findings for both pentest IDs.
-
-3. **Compare findings** - Match findings between the two tests:
-   - Match by fingerprint first (exact match on the fingerprint field)
-   - If a finding has no fingerprint (null), fall back to matching by title
-   - Categorize each finding as:
-     - **New** - in current but not in baseline (regression)
-     - **Fixed** - in baseline but not in current (improvement)
-     - **Persistent** - in both tests (unresolved)
-
-4. **Present the comparison** in this format:
-
-   **Summary**
-   - Baseline: [target] tested on [date], [N] findings
-   - Current: [target] tested on [date], [N] findings
-   - Trend: Improving / Declining / Stable
-
-   **Fixed (improvements)** - List each with severity and title. Celebrate these.
-
-   **New (regressions)** - List each with severity, title, and remediation. Flag these as needing attention.
-
-   **Persistent (unresolved)** - List each with severity and title. Note how long they've been open.
-
-   **Severity Trend** - Table comparing critical/high/medium/low/info counts between baseline and current.
-
+                    text: `You are comparing two penetration tests to track security posture changes.
+
+- Baseline (earlier): ${baseline_id}
+- Current (later): ${current_id}
+
+Follow these steps:
+
+1. **Get both pentests** - Call turbopentest_get_pentest for "${baseline_id}" and "${current_id}". Verify both are complete. Note their target URLs and completion dates.
+
+2. **Get all findings** - Call turbopentest_get_findings for both pentest IDs.
+
+3. **Compare findings** - Match findings between the two tests:
+   - Match by fingerprint first (exact match on the fingerprint field)
+   - If a finding has no fingerprint (null), fall back to matching by title
+   - Categorize each finding as:
+     - **New** - in current but not in baseline (regression)
+     - **Fixed** - in baseline but not in current (improvement)
+     - **Persistent** - in both tests (unresolved)
+
+4. **Present the comparison** in this format:
+
+   **Summary**
+   - Baseline: [target] tested on [date], [N] findings
+   - Current: [target] tested on [date], [N] findings
+   - Trend: Improving / Declining / Stable
+
+   **Fixed (improvements)** - List each with severity and title. Celebrate these.
+
+   **New (regressions)** - List each with severity, title, and remediation. Flag these as needing attention.
+
+   **Persistent (unresolved)** - List each with severity and title. Note how long they've been open.
+
+   **Severity Trend** - Table comparing critical/high/medium/low/info counts between baseline and current.
+
    **Recommendation** - One paragraph on overall trajectory and top priority actions.`,
                 },
             },

package/dist/prompts/run-pentest.js

@@ -17,22 +17,22 @@ export function registerRunPentest(server) {
                 role: "user",
                 content: {
                     type: "text",
-                    text: `You are helping a security engineer run a penetration test against ${target_url} using the "${tier}" tier.
-
-Follow these steps in order:
-
-1. **Verify the domain** - Call turbopentest_list_domains and check that the domain for ${target_url} appears and is verified. If not, tell the user they need to verify the domain first at https://turbopentest.com/domains.
-
-2. **Check credits** - Call turbopentest_get_credits and confirm the user has at least one "${tier}" credit available. If not, tell them their current balance and suggest alternatives.
-
-3. **Launch the pentest** - Call turbopentest_start_pentest with target_url="${target_url}" and tier="${tier}". Note the pentest ID from the response.
-
-4. **Monitor progress** - Call turbopentest_get_pentest with the pentest ID to check status. If status is "scanning", report the progress percentage and which tools are running, then wait 30 seconds and check again. Repeat until status is "complete" or "failed". Do not poll more than 240 times (2 hours max).
-
-5. **Summarize findings** - Once complete, call turbopentest_get_findings with the pentest ID. Present a severity breakdown (critical/high/medium/low/info counts) and list the top findings with their titles, severity, and remediation advice.
-
-6. **Offer the report** - Ask the user if they'd like to download the full report. If yes, call turbopentest_download_report with their preferred format (markdown is best for reading here, json for structured data, pdf for sharing).
-
+                    text: `You are helping a security engineer run a penetration test against ${target_url} using the "${tier}" tier.
+
+Follow these steps in order:
+
+1. **Verify the domain** - Call turbopentest_list_domains and check that the domain for ${target_url} appears and is verified. If not, tell the user they need to verify the domain first at https://turbopentest.com/domains.
+
+2. **Check credits** - Call turbopentest_get_credits and confirm the user has at least one "${tier}" credit available. If not, tell them their current balance and suggest alternatives.
+
+3. **Launch the pentest** - Call turbopentest_start_pentest with target_url="${target_url}" and tier="${tier}". Note the pentest ID from the response.
+
+4. **Monitor progress** - Call turbopentest_get_pentest with the pentest ID to check status. If status is "scanning", report the progress percentage and which tools are running, then wait 30 seconds and check again. Repeat until status is "complete" or "failed". Do not poll more than 240 times (2 hours max).
+
+5. **Summarize findings** - Once complete, call turbopentest_get_findings with the pentest ID. Present a severity breakdown (critical/high/medium/low/info counts) and list the top findings with their titles, severity, and remediation advice.
+
+6. **Offer the report** - Ask the user if they'd like to download the full report. If yes, call turbopentest_download_report with their preferred format (markdown is best for reading here, json for structured data, pdf for sharing).
+
 If any step fails, explain the error clearly and suggest how to resolve it.`,
                 },
             },

package/dist/prompts/security-posture.js

@@ -8,38 +8,38 @@ export function registerSecurityPosture(server) {
                 role: "user",
                 content: {
                     type: "text",
-                    text: `You are producing an executive security posture report for this user's organization.
-
-Follow these steps:
-
-1. **Get recent pentests** - Call turbopentest_list_pentests with limit=20. Note how many are complete vs in-progress.
-
-2. **Gather findings for recent completed tests** - For the 5 most recently completed pentests, call turbopentest_get_findings for each. This caps API calls while giving a representative view.
-
-3. **Produce an executive summary** with these sections:
-
-   **Overview**
-   - Total pentests run (from the list)
-   - Targets tested (unique URLs)
-   - Date range covered
-
-   **Vulnerability Summary**
-   - Total findings by severity across all 5 analyzed tests
-   - Most common vulnerability types (group by title similarity)
-   - Average findings per test
-
-   **Highest Risk Targets**
-   - Which targets have the most critical/high findings
-   - Any targets with unresolved critical issues
-
-   **Trends** (if multiple tests exist for the same target)
-   - Is the finding count going up or down?
-   - Are critical issues being resolved?
-
-   **Top 3 Recommended Actions**
-   - Specific, actionable items based on the findings
-   - Prioritize by impact and prevalence
-
+                    text: `You are producing an executive security posture report for this user's organization.
+
+Follow these steps:
+
+1. **Get recent pentests** - Call turbopentest_list_pentests with limit=20. Note how many are complete vs in-progress.
+
+2. **Gather findings for recent completed tests** - For the 5 most recently completed pentests, call turbopentest_get_findings for each. This caps API calls while giving a representative view.
+
+3. **Produce an executive summary** with these sections:
+
+   **Overview**
+   - Total pentests run (from the list)
+   - Targets tested (unique URLs)
+   - Date range covered
+
+   **Vulnerability Summary**
+   - Total findings by severity across all 5 analyzed tests
+   - Most common vulnerability types (group by title similarity)
+   - Average findings per test
+
+   **Highest Risk Targets**
+   - Which targets have the most critical/high findings
+   - Any targets with unresolved critical issues
+
+   **Trends** (if multiple tests exist for the same target)
+   - Is the finding count going up or down?
+   - Are critical issues being resolved?
+
+   **Top 3 Recommended Actions**
+   - Specific, actionable items based on the findings
+   - Prioritize by impact and prevalence
+
 Present this as a clean executive briefing suitable for sharing with leadership. Use bullet points and tables where appropriate.`,
                 },
             },

package/package.json

@@ -1,46 +1,46 @@
-{
-  "name": "@turbopentest/mcp-server",
-  "version": "0.2.0",
-  "description": "MCP server for TurboPentest — AI-powered penetration testing from your coding assistant",
-  "type": "module",
-  "main": "dist/index.js",
-  "bin": {
-    "turbopentest-mcp": "dist/index.js"
-  },
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "tsc",
-    "dev": "tsx src/index.ts",
-    "prepublishOnly": "npm run build"
-  },
-  "keywords": [
-    "mcp",
-    "model-context-protocol",
-    "pentest",
-    "security",
-    "turbopentest",
-    "ai"
-  ],
-  "author": "IntegSec Inc.",
-  "license": "MIT",
-  "mcpName": "io.github.integsec/turbopentest",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/integsec/turbopentest-mcp.git"
-  },
-  "homepage": "https://turbopentest.com",
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.26.0",
-    "zod": "^4.3.6"
-  },
-  "devDependencies": {
-    "@types/node": "^25.3.5",
-    "tsx": "^4.19.0",
-    "typescript": "^5.7.0"
-  }
-}
+{
+  "name": "@turbopentest/mcp-server",
+  "version": "0.2.1",
+  "description": "MCP server for TurboPentest — AI-powered penetration testing from your coding assistant",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "turbopentest-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "pentest",
+    "security",
+    "turbopentest",
+    "ai"
+  ],
+  "author": "IntegSec Inc.",
+  "license": "MIT",
+  "mcpName": "io.github.integsec/turbopentest",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/integsec/turbopentest-mcp.git"
+  },
+  "homepage": "https://turbopentest.com",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.5",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  }
+}