agent-mcp-guard 0.4.2 → 0.4.3

package/README.md

@@ -19,7 +19,7 @@ Live demo PR: [mcp-guard-demo#1](https://github.com/ChaoYue0307/mcp-guard-demo/p
   <a href="https://github.com/marketplace/actions/mcp-guard-mcp-security-scanner"><img alt="GitHub Marketplace" src="https://img.shields.io/badge/Marketplace-mcp--guard-0f766e?logo=github"></a>
   <a href="https://github.com/ChaoYue0307/mcp-guard/actions"><img alt="CI" src="https://github.com/ChaoYue0307/mcp-guard/actions/workflows/ci.yml/badge.svg"></a>
   <a href="LICENSE"><img alt="License" src="https://img.shields.io/badge/license-Apache--2.0-111827"></a>
-  <a href="https://github.com/ChaoYue0307/mcp-guard/releases/tag/v0.4.2"><img alt="Release" src="https://img.shields.io/github/v/release/ChaoYue0307/mcp-guard?color=7c2d12"></a>
+  <a href="https://github.com/ChaoYue0307/mcp-guard/releases/tag/v0.4.3"><img alt="Release" src="https://img.shields.io/github/v/release/ChaoYue0307/mcp-guard?color=7c2d12"></a>
 </p>
 
 ## Install
@@ -81,7 +81,7 @@ mcp-guard scan --config .mcp.json --baseline .mcp-guard-baseline.json --fail-on
 Use the GitHub Action:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json
@@ -206,6 +206,7 @@ Contact: [hechaoyue0307@gmail.com](mailto:hechaoyue0307@gmail.com)
 - [GitHub Action](docs/github-action.md)
 - [Marketplace publishing plan](docs/marketplace.md)
 - [Privacy and security](docs/privacy-and-security.md)
+- [Trusted publishing](docs/trusted-publishing.md)
 - [Roadmap](docs/roadmap.md)
 - [Operator runbook](docs/operator-runbook.md)
 

package/docs/baseline.md

@@ -30,7 +30,7 @@ If the scan finds only baseline-accepted findings, the exit code is `0`. If a ne
 ## GitHub Action
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json
@@ -45,7 +45,7 @@ The generated Markdown, HTML, JSON, and PR comment separate active findings from
 {
   "version": 1,
   "generatedAt": "2026-05-10T00:00:00.000Z",
-  "toolVersion": "0.4.2",
+  "toolVersion": "0.4.3",
   "findings": [
     {
       "fingerprint": "mcpg_a009b2c2",

package/docs/business-playbook.md

@@ -22,6 +22,8 @@ Deliverables:
 - document missing rule requests for future product work;
 - provide a short setup handoff note.
 
+For product operations, npm Trusted Publishing should be used after the package setting is configured. This avoids manual QR-code publish flows and makes small releases repeatable.
+
 ## Pricing
 
 | Customer | Price |

package/docs/github-action.md

@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.2
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.3
         with:
           config: .mcp.json
           fail-on: high
@@ -63,7 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.2
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.3
         with:
           config: .mcp.json
           fail-on: high
@@ -75,7 +75,7 @@ jobs:
 Use `fail-on: none` when you want artifacts and summaries without blocking a pull request.
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     fail-on: none
 ```
@@ -91,7 +91,7 @@ mcp-guard scan --config .mcp.json --write-baseline .mcp-guard-baseline.json
 Commit `.mcp-guard-baseline.json`, then reference it from the action:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json

package/docs/launch-checklist.md

@@ -31,7 +31,7 @@ mcp-guard scan --config .mcp.json --fail-on high
 ## GitHub Action Setup
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json

package/docs/marketplace-action-readme.md

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.2
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.3
         with:
           config: .mcp.json
           fail-on: high
@@ -42,7 +42,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: ChaoYue0307/mcp-guard-action@v0.4.2
+      - uses: ChaoYue0307/mcp-guard-action@v0.4.3
         with:
           config: .mcp.json
           fail-on: high
@@ -95,7 +95,7 @@ mcp-guard scan --config .mcp.json --write-baseline .mcp-guard-baseline.json
 Then enforce only new findings:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
   with:
     config: .mcp.json
     baseline: .mcp-guard-baseline.json

package/docs/marketplace.md

@@ -82,16 +82,16 @@ Code quality
 Current release title:
 
 ```text
-v0.4.2
+v0.4.3
 ```
 
 Release notes:
 
 ```text
-CI bootstrap release.
+Trusted Publishing readiness release.
 
-- Adds `mcp-guard init` for generating a GitHub Action workflow.
-- Can generate and reference an initial baseline.
+- Adds a GitHub Actions workflow for npm Trusted Publishing readiness.
+- Keeps `mcp-guard init` for generating a GitHub Action workflow and baseline.
 - Keeps Node.js 24, PR comments, artifacts, and SARIF upload support.
 ```
 
@@ -105,7 +105,7 @@ Completed:
 - README, docs, and website examples now use:
 
 ```yaml
-- uses: ChaoYue0307/mcp-guard-action@v0.4.2
+- uses: ChaoYue0307/mcp-guard-action@v0.4.3
 ```
 
 Remaining Marketplace web step:

package/docs/roadmap.md

@@ -12,6 +12,7 @@
 - Baseline/allowlist mode for accepting known findings and failing only on new risks.
 - Optional GitHub pull request comments from the Marketplace Action.
 - `mcp-guard init` for bootstrapping a GitHub Action workflow and optional baseline.
+- npm Trusted Publishing workflow prepared for tokenless release publishing.
 
 ## Next
 

package/docs/trusted-publishing.md

@@ -0,0 +1,61 @@
+# Trusted Publishing
+
+`mcp-guard` includes a GitHub Actions workflow for npm Trusted Publishing so future releases can publish without npm browser QR links, OTP prompts, or long-lived npm tokens.
+
+## Why
+
+npm browser authentication links can expire quickly and may open as 404. Trusted Publishing lets npm accept a publish from a specific GitHub Actions workflow through OIDC.
+
+The workflow is committed at:
+
+```text
+.github/workflows/publish-npm.yml
+```
+
+It uses:
+
+- `permissions: id-token: write`
+- `actions/checkout@v6`
+- `actions/setup-node@v6`
+- Node.js 24
+- `npm publish --access public`
+
+## npm Package Settings
+
+Configure this once on npmjs.com:
+
+| Field | Value |
+| --- | --- |
+| Package | `agent-mcp-guard` |
+| Publisher | GitHub Actions |
+| Organization or user | `ChaoYue0307` |
+| Repository | `mcp-guard` |
+| Workflow filename | `publish-npm.yml` |
+| Environment name | leave empty |
+
+After this is saved, run the workflow from GitHub Actions with the release tag, for example:
+
+```text
+v0.4.3
+```
+
+## Release Flow After Setup
+
+1. Update `package.json` and `src/cli.js`.
+2. Run `npm test` and `npm run release:check`.
+3. Commit and push to `main`.
+4. Create a GitHub release tag such as `v0.4.3`.
+5. Run the `Publish npm` workflow with the same tag.
+6. Verify npm:
+
+```bash
+npm view agent-mcp-guard version
+```
+
+## Troubleshooting
+
+- The workflow filename configured on npm must be exactly `publish-npm.yml`.
+- The package `repository.url` must match `https://github.com/ChaoYue0307/mcp-guard`.
+- The workflow must run on GitHub-hosted runners.
+- The workflow must keep `id-token: write`.
+- If npm says authentication failed, re-check the npm Trusted Publisher fields before retrying.

package/examples/sample-report.md

@@ -1,6 +1,6 @@
 # mcp-guard Scan Report
 
-Generated: 2026-05-10T13:31:24.377Z
+Generated: 2026-05-10T13:47:08.616Z
 
 ## Summary
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-mcp-guard",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Open-source CLI scanner for risky MCP server and AI agent tool configuration.",
   "type": "module",
   "homepage": "https://chaoyue0307.github.io/mcp-guard/",

package/site/e2e/report.html

@@ -297,7 +297,7 @@
           <div class="metric"><strong>1</strong><span>Scanned files</span></div>
           <div class="metric"><strong>3</strong><span>MCP servers</span></div>
           <div class="metric"><strong>9</strong><span>Active findings</span></div>
-          <div class="metric"><strong>2026-05-10 13:31 UTC</strong><span>Generated</span></div>
+          <div class="metric"><strong>2026-05-10 13:47 UTC</strong><span>Generated</span></div>
         </div>
       </div>
       <aside class="scorecard" aria-label="Risk score">

package/site/e2e/report.json

@@ -1,9 +1,9 @@
 {
   "metadata": {
-    "generatedAt": "2026-05-10T13:31:24.346Z",
+    "generatedAt": "2026-05-10T13:47:08.576Z",
     "cwd": ".",
     "home": "~",
-    "toolVersion": "0.4.2"
+    "toolVersion": "0.4.3"
   },
   "scannedFiles": [
     "site/e2e/claude_desktop_config.json"

package/site/e2e/report.md

@@ -1,6 +1,6 @@
 # mcp-guard Scan Report
 
-Generated: 2026-05-10T13:31:24.329Z
+Generated: 2026-05-10T13:47:08.555Z
 
 ## Summary
 

package/site/e2e/report.sarif

@@ -7,7 +7,7 @@
         "driver": {
           "name": "mcp-guard",
           "informationUri": "https://github.com/ChaoYue0307/mcp-guard",
-          "semanticVersion": "0.4.2",
+          "semanticVersion": "0.4.3",
           "rules": [
             {
               "id": "MCP010",

package/src/cli.js

@@ -6,7 +6,7 @@ import { scan } from "./scan.js";
 import { generateHtmlReport, generateJsonReport, generateMarkdownReport, generateSarifReport, generateTextReport } from "./report.js";
 import { compareSeverity, severityRank } from "./severity.js";
 
-const VERSION = "0.4.2";
+const VERSION = "0.4.3";
 
 export async function runCli(argv, io) {
   const args = argv.slice(2);