npm - agentaudit - Versions diffs - 3.10.9 → 3.12.0 - Mend

agentaudit 3.10.9 → 3.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli.mjs +574 -162
package/index.mjs +795 -659
package/package.json +7 -3
package/scan-tool-poisoning.mjs +297 -0
package/tool-poisoning-detector.mjs +913 -0

package/index.mjs CHANGED Viewed

@@ -1,659 +1,795 @@
-#!/usr/bin/env node
-/**
- * AgentAudit MCP Server
- *
- * Security audit capabilities via Model Context Protocol.
- *
- * Tools:
- *   - discover_servers  Find locally installed MCP servers + check registry status
- *   - audit_package     Clone a repo, return source code + audit prompt for LLM analysis
- *   - submit_report     Upload a completed audit report to agentaudit.dev
- *   - check_package     Look up a package in the AgentAudit registry
- *
- * Usage:
- *   npx agentaudit                (starts MCP server via stdio)
- *   node index.mjs                (same)
- *
- * Configure in Claude/Cursor/Windsurf:
- *   { "mcpServers": { "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } } }
- */
-import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema,
-} from '@modelcontextprotocol/sdk/types.js';
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import crypto from 'crypto';
-import { execSync, execFileSync } from 'child_process';
-import { fileURLToPath } from 'url';
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const SKILL_DIR = path.resolve(__dirname);
-const REGISTRY_URL = 'https://agentaudit.dev';
-const MAX_FILE_SIZE = 50_000;
-const MAX_TOTAL_SIZE = 300_000;
-const SKIP_DIRS = new Set([
-  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'dist', 'build',
-  '.next', '.nuxt', 'coverage', '.pytest_cache', '.mypy_cache', 'vendor',
-  'test', 'tests', '__tests__', 'spec', 'specs', 'docs', 'doc',
-  'examples', 'example', 'fixtures', '.vscode', '.idea',
-  'e2e', 'benchmark', 'benchmarks', '.tox', '.eggs', 'htmlcov',
-]);
-const SKIP_EXTENSIONS = new Set([
-  '.lock', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.woff',
-  '.woff2', '.ttf', '.eot', '.mp3', '.mp4', '.zip', '.tar', '.gz',
-  '.map', '.min.js', '.min.css', '.d.ts', '.pyc', '.pyo', '.so',
-  '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
-]);
-const PRIORITY_FILES = [
-  'index.js', 'index.ts', 'index.mjs', 'main.js', 'main.ts', 'main.py',
-  'app.js', 'app.ts', 'app.py', 'server.js', 'server.ts', 'server.py',
-  'cli.js', 'cli.ts', 'cli.py', '__init__.py', '__main__.py',
-  'package.json', 'pyproject.toml', 'setup.py', 'setup.cfg',
-  'Cargo.toml', 'go.mod', 'SKILL.md', 'skill.md',
-  'Makefile', 'Dockerfile', 'docker-compose.yml',
-];
-// ── Credentials ─────────────────────────────────────────
-function loadApiKey() {
-  if (process.env.AGENTAUDIT_API_KEY) return process.env.AGENTAUDIT_API_KEY;
-  const home = process.env.HOME || process.env.USERPROFILE || '';
-  const xdg = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
-  const paths = [
-    path.join(SKILL_DIR, 'config', 'credentials.json'),
-    path.join(xdg, 'agentaudit', 'credentials.json'),
-  ];
-  for (const p of paths) {
-    if (fs.existsSync(p)) {
-      try {
-        const key = JSON.parse(fs.readFileSync(p, 'utf8')).api_key;
-        if (key) return key;
-      } catch {}
-    }
-  }
-  return '';
-}
-function loadAuditPrompt() {
-  const promptPath = path.join(SKILL_DIR, 'prompts', 'audit-prompt.md');
-  if (fs.existsSync(promptPath)) return fs.readFileSync(promptPath, 'utf8');
-  return 'ERROR: audit-prompt.md not found at ' + promptPath;
-}
-// ── File Collection ─────────────────────────────────────
-function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {
-  if (totalSize.bytes >= MAX_TOTAL_SIZE) return collected;
-  let entries;
-  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
-  catch { return collected; }
-  entries.sort((a, b) => {
-    const aP = PRIORITY_FILES.includes(a.name) ? 0 : 1;
-    const bP = PRIORITY_FILES.includes(b.name) ? 0 : 1;
-    return aP - bP || a.name.localeCompare(b.name);
-  });
-  for (const entry of entries) {
-    if (totalSize.bytes >= MAX_TOTAL_SIZE) break;
-    const relPath = basePath ? `${basePath}/${entry.name}` : entry.name;
-    const fullPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      // Special: scan .github/workflows/ (security-critical CI/CD files)
-      if (entry.name === '.github') {
-        const wfDir = path.join(fullPath, 'workflows');
-        try { if (fs.statSync(wfDir).isDirectory()) collectFiles(wfDir, relPath + '/workflows', collected, totalSize); } catch {}
-        continue;
-      }
-      if (SKIP_DIRS.has(entry.name) || entry.name.startsWith('.')) continue;
-      collectFiles(fullPath, relPath, collected, totalSize);
-    } else {
-      const ext = path.extname(entry.name).toLowerCase();
-      if (SKIP_EXTENSIONS.has(ext)) continue;
-      try {
-        const stat = fs.statSync(fullPath);
-        if (stat.size > MAX_FILE_SIZE) {
-          collected.push({ path: relPath, content: `[FILE TOO LARGE: ${stat.size} bytes — skipped]` });
-          continue;
-        }
-        if (stat.size === 0) continue;
-        const content = fs.readFileSync(fullPath, 'utf8');
-        totalSize.bytes += content.length;
-        collected.push({ path: relPath, content });
-      } catch {}
-    }
-  }
-  return collected;
-}
-// ── Package Detection ────────────────────────────────────
-function detectPackageInfo(repoPath, files) {
-  const info = { type: 'unknown' };
-  const allContent = files.map(f => f.content).join('\n');
-  if (allContent.includes('modelcontextprotocol') || allContent.includes('FastMCP') || allContent.includes('mcp.server') || allContent.includes('mcp_server') || allContent.includes('mcp-go')) {
-    info.type = 'mcp-server';
-  } else if (files.some(f => f.path.toLowerCase() === 'skill.md')) {
-    info.type = 'agent-skill';
-  } else if (allContent.includes('#!/usr/bin/env') || allContent.includes('argparse') || allContent.includes('commander')) {
-    info.type = 'cli-tool';
-  } else {
-    info.type = 'library';
-  }
-  return info;
-}
-// ── Repo Helpers ────────────────────────────────────────
-function validateGitUrl(url) {
-  if (/[;&|`$(){}!\n\r]/.test(url)) {
-    throw new Error(`Rejected URL with suspicious characters: ${url.slice(0, 80)}`);
-  }
-  if (!/^(https?:\/\/|git@|git:\/\/|ssh:\/\/)/.test(url) && !/^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/.test(url)) {
-    throw new Error(`Invalid repository URL: ${url.slice(0, 80)}`);
-  }
-}
-function cloneRepo(sourceUrl) {
-  validateGitUrl(sourceUrl);
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
-  try {
-    execFileSync('git', ['clone', '--depth', '1', sourceUrl, path.join(tmpDir, 'repo')], {
-      timeout: 30_000, stdio: 'pipe',
-    });
-    return path.join(tmpDir, 'repo');
-  } catch (err) {
-    throw new Error(`Failed to clone ${sourceUrl}: ${err.message}`);
-  }
-}
-function cleanupRepo(repoPath) {
-  try { fs.rmSync(path.dirname(repoPath), { recursive: true, force: true }); } catch {}
-}
-function slugFromUrl(url) {
-  const match = url.match(/github\.com\/([^/]+)\/([^/.\s]+)/);
-  if (match) return match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
-  return url.replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 60);
-}
-// ── Discover local MCP configs ──────────────────────────
-function discoverMcpServers() {
-  const home = process.env.HOME || process.env.USERPROFILE || '';
-  const candidates = [
-    { platform: 'Claude Desktop', path: path.join(home, '.claude', 'mcp.json') },
-    { platform: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
-    { platform: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
-    { platform: 'Claude Desktop', path: path.join(home, '.config', 'claude', 'claude_desktop_config.json') },
-    { platform: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
-    { platform: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
-    { platform: 'VS Code', path: path.join(home, '.vscode', 'mcp.json') },
-  ];
-  const results = [];
-  for (const c of candidates) {
-    if (!fs.existsSync(c.path)) {
-      results.push({ platform: c.platform, config_path: c.path, status: 'not found', servers: [] });
-      continue;
-    }
-    let content;
-    try { content = JSON.parse(fs.readFileSync(c.path, 'utf8')); }
-    catch { results.push({ platform: c.platform, config_path: c.path, status: 'parse error', servers: [] }); continue; }
-    const serverMap = content.mcpServers || content.servers || {};
-    const servers = [];
-    for (const [name, cfg] of Object.entries(serverMap)) {
-      const allArgs = [cfg.command, ...(cfg.args || [])].filter(Boolean).join(' ');
-      const npxMatch = allArgs.match(/npx\s+(?:-y\s+)?(@?[a-z0-9][\w./-]*)/i);
-      const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
-      let remoteService = null;
-      if (cfg.url) {
-        try {
-          const hostParts = new URL(cfg.url).hostname.split('.');
-          remoteService = hostParts.length === 3 ? hostParts[1] : hostParts[0];
-        } catch {}
-      }
-      servers.push({
-        name,
-        command: cfg.command || null,
-        args: cfg.args || [],
-        url: cfg.url || null,
-        npm_package: npxMatch?.[1] || null,
-        pip_package: pyMatch?.[1] || null,
-        remote_service: remoteService,
-      });
-    }
-    results.push({ platform: c.platform, config_path: c.path, status: 'found', server_count: servers.length, servers });
-  }
-  return results;
-}
-async function resolveSourceUrl(server) {
-  if (server.npm_package) {
-    try {
-      const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(server.npm_package)}`, {
-        signal: AbortSignal.timeout(5000),
-      });
-      if (res.ok) {
-        const data = await res.json();
-        let repoUrl = data.repository?.url;
-        if (repoUrl) {
-          repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
-          if (repoUrl.startsWith('http')) return repoUrl;
-        }
-      }
-    } catch {}
-    return `https://www.npmjs.com/package/${server.npm_package}`;
-  }
-  if (server.pip_package) {
-    try {
-      const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(server.pip_package)}/json`, {
-        signal: AbortSignal.timeout(5000),
-      });
-      if (res.ok) {
-        const data = await res.json();
-        const urls = data.info?.project_urls || {};
-        const source = urls.Source || urls.Repository || urls.Homepage || urls['Source Code'] || data.info?.home_page;
-        if (source && source.startsWith('http')) return source;
-      }
-    } catch {}
-    return `https://pypi.org/project/${server.pip_package}/`;
-  }
-  // URL-based remote MCP — try npm with common naming patterns
-  if (server.remote_service) {
-    for (const tryName of [
-      `@${server.remote_service}/mcp-server-${server.remote_service}`,
-      `${server.remote_service}-mcp`,
-      `mcp-server-${server.remote_service}`,
-    ]) {
-      try {
-        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
-          signal: AbortSignal.timeout(3000),
-        });
-        if (res.ok) {
-          const data = await res.json();
-          let repoUrl = data.repository?.url;
-          if (repoUrl) {
-            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '');
-            if (repoUrl.startsWith('http')) return repoUrl;
-          }
-        }
-      } catch {}
-    }
-  }
-  return null;
-}
-async function checkRegistry(slug) {
-  try {
-    const res = await fetch(`${REGISTRY_URL}/api/skills/${encodeURIComponent(slug)}`, {
-      signal: AbortSignal.timeout(5000),
-    });
-    if (res.ok) return await res.json();
-  } catch {}
-  return null;
-}
-// ── MCP Server ───────────────────────────────────────────
-const server = new Server(
-  { name: 'agentaudit', version: '3.9.8' },
-  { capabilities: { tools: {} } }
-);
-server.setRequestHandler(ListToolsRequestSchema, async () => ({
-  tools: [
-    {
-      name: 'discover_servers',
-      description: 'Scan local config files to list ALREADY INSTALLED MCP servers (Claude Desktop, Cursor, Windsurf, VS Code). Use ONLY when the user wants to review/list their existing servers. Do NOT use this when the user wants to install, evaluate, or look up a specific package — use check_package for that instead.',
-      inputSchema: {
-        type: 'object',
-        properties: {
-          check_registry: {
-            type: 'boolean',
-            description: 'If true, also check each discovered server against the AgentAudit registry (default: true)',
-          },
-        },
-      },
-    },
-    {
-      name: 'audit_package',
-      description: 'Deep security audit of a Git repository. Clones the repo and returns source code with a 3-pass audit methodology (UNDERSTAND → DETECT → CLASSIFY). You then analyze the code and call submit_report with findings. Use check_package FIRST to see if an audit already exists — only use this for unaudited packages or when a fresh audit is requested.',
-      inputSchema: {
-        type: 'object',
-        properties: {
-          source_url: {
-            type: 'string',
-            description: 'Git repository URL to audit (e.g., https://github.com/owner/repo)',
-          },
-        },
-        required: ['source_url'],
-      },
-    },
-    {
-      name: 'submit_report',
-      description: 'Submit a completed security audit report to the AgentAudit registry (agentaudit.dev). Call this after you have analyzed the code from audit_package. The report becomes publicly available and helps other agents make install decisions.',
-      inputSchema: {
-        type: 'object',
-        properties: {
-          report: {
-            type: 'object',
-            description: 'The audit report JSON object. Required fields: skill_slug, source_url, risk_score (0-100), result (safe|caution|unsafe), findings (array), findings_count, max_severity, package_type.',
-          },
-        },
-        required: ['report'],
-      },
-    },
-    {
-      name: 'check_package',
-      description: 'Look up a package in the AgentAudit security registry. USE THIS FIRST whenever the user wants to install, add, evaluate, or learn about a specific MCP server or package. Returns risk score, findings, and official audit status if available. If the package is not yet in the registry, suggests running an audit. This is the go-to tool for any "is this safe?" or "should I install this?" question.',
-      inputSchema: {
-        type: 'object',
-        properties: {
-          package_name: {
-            type: 'string',
-            description: 'Package name or slug to look up (e.g., "fastmcp", "mongodb-mcp-server")',
-          },
-        },
-        required: ['package_name'],
-      },
-    },
-  ],
-}));
-server.setRequestHandler(CallToolRequestSchema, async (request) => {
-  const { name, arguments: args } = request.params;
-  switch (name) {
-    // ── discover_servers ──────────────────────────────────
-    case 'discover_servers': {
-      const doRegistryCheck = args.check_registry !== false;
-      const configs = discoverMcpServers();
-      const foundConfigs = configs.filter(c => c.status === 'found');
-      const allServers = foundConfigs.flatMap(c => c.servers.map(s => ({ ...s, platform: c.platform })));
-      let text = `# Discovered MCP Servers\n\n`;
-      text += `Scanned ${configs.length} config locations. Found ${foundConfigs.length} config(s) with ${allServers.length} server(s).\n\n`;
-      for (const config of configs) {
-        if (config.status === 'not found') continue;
-        text += `## ${config.platform}\n`;
-        text += `Config: \`${config.config_path}\`\n\n`;
-        if (config.servers.length === 0) {
-          text += `No servers configured.\n\n`;
-          continue;
-        }
-        for (const srv of config.servers) {
-          const slug = srv.npm_package?.replace(/^@/, '').replace(/\//g, '-')
-            || srv.pip_package?.replace(/[^a-z0-9-]/gi, '-')
-            || srv.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
-          text += `### ${srv.name}\n`;
-          if (srv.url) {
-            text += `- URL: \`${srv.url}\`\n`;
-          } else {
-            text += `- Command: \`${[srv.command, ...srv.args].filter(Boolean).join(' ')}\`\n`;
-          }
-          if (srv.npm_package) text += `- npm: ${srv.npm_package}\n`;
-          if (srv.pip_package) text += `- pip: ${srv.pip_package}\n`;
-          if (srv.remote_service) text += `- Service: ${srv.remote_service}\n`;
-          if (doRegistryCheck) {
-            const regData = await checkRegistry(slug);
-            if (regData) {
-              const risk = regData.risk_score ?? regData.latest_risk_score ?? 0;
-              const official = regData.has_official_audit ? ' (official)' : '';
-              text += `- **Registry: ✅ Audited** — Risk ${risk}/100${official}\n`;
-              text += `- Report: ${REGISTRY_URL}/skills/${slug}\n`;
-            } else {
-              const sourceUrl = await resolveSourceUrl(srv);
-              text += `- **Registry: ⚠️ Not audited** — no audit report found\n`;
-              if (sourceUrl) {
-                text += `- Source: ${sourceUrl}\n`;
-                text += `- To audit: call \`audit_package\` with source_url \`${sourceUrl}\`\n`;
-              } else {
-                text += `- Source URL unknown — check the package's GitHub/npm page\n`;
-                text += `- To audit: find the source URL, then call \`audit_package\`\n`;
-              }
-            }
-          }
-          text += `\n`;
-        }
-      }
-      if (allServers.length === 0) {
-        text += `No MCP servers found. Config locations searched:\n`;
-        text += `- Claude Desktop: ~/.claude/mcp.json\n`;
-        text += `- Cursor: ~/.cursor/mcp.json\n`;
-        text += `- Windsurf: ~/.codeium/windsurf/mcp_config.json\n`;
-        text += `- VS Code: ~/.vscode/mcp.json\n`;
-      }
-      return { content: [{ type: 'text', text }] };
-    }
-    // ── audit_package ─────────────────────────────────────
-    case 'audit_package': {
-      const { source_url } = args;
-      if (!source_url || !source_url.startsWith('http')) {
-        return { content: [{ type: 'text', text: 'Error: source_url must be a valid HTTP(S) URL' }] };
-      }
-      let repoPath;
-      try {
-        repoPath = cloneRepo(source_url);
-        const files = collectFiles(repoPath);
-        const slug = slugFromUrl(source_url);
-        const auditPrompt = loadAuditPrompt();
-        // Compute provenance data
-        const pkgInfo = detectPackageInfo(repoPath, files);
-        const KNOWN_MCP_LIBS = new Set(['fastmcp', 'jlowin-fastmcp', 'mcp-go', 'fastapi-mcp', 'fastapi_mcp', 'mcp-use', 'mcp-agent']);
-        const KNOWN_CLI = new Set(['mcp-cli', 'mcp-scan', 'inspector']);
-        let detectedType = pkgInfo.type === 'unknown' ? 'other' : pkgInfo.type;
-        if (KNOWN_MCP_LIBS.has(slug)) detectedType = 'library';
-        if (KNOWN_CLI.has(slug)) detectedType = 'cli-tool';
-        let commitSha = '';
-        try { commitSha = execSync('git rev-parse HEAD', { cwd: repoPath, encoding: 'utf8' }).trim(); } catch {}
-        const hashInput = files.slice().sort((a, b) => a.path.localeCompare(b.path))
-          .map(f => f.path + '\n' + f.content).join('\n');
-        const sourceHash = crypto.createHash('sha256').update(hashInput).digest('hex');
-        let codeBlock = '';
-        for (const file of files) {
-          codeBlock += `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
-        }
-        const response = [
-          `# Security Audit: ${slug}`,
-          ``,
-          `**Source:** ${source_url}`,
-          `**Files collected:** ${files.length}`,
-          `**Detected type:** ${detectedType}`,
-          commitSha ? `**Commit:** ${commitSha}` : '',
-          `**Source hash:** ${sourceHash}`,
-          ``,
-          `## Your Task`,
-          ``,
-          `1. Analyze the source code below using the 3-pass audit methodology`,
-          `2. Call \`submit_report\` with your findings as JSON`,
-          `3. IMPORTANT: Include the pre-computed provenance fields exactly as shown below`,
-          ``,
-          `## Report Format`,
-          ``,
-          `Your report JSON must include:`,
-          '```json',
-          `{`,
-          `  "skill_slug": "${slug}",`,
-          `  "source_url": "${source_url}",`,
-          `  "package_type": "${detectedType}",`,
-          `  "audit_model": "<your-model-id, e.g. claude-sonnet-4-20250514>",`,
-          commitSha ? `  "commit_sha": "${commitSha}",` : '',
-          `  "source_hash": "${sourceHash}",`,
-          `  "risk_score": <0-100>,`,
-          `  "result": "<safe|caution|unsafe>",`,
-          `  "max_severity": "<none|low|medium|high|critical>",`,
-          `  "findings_count": <number>,`,
-          `  "findings": [`,
-          `    {`,
-          `      "id": "FINDING_ID",`,
-          `      "title": "Short title",`,
-          `      "severity": "<low|medium|high|critical>",`,
-          `      "category": "<category>",`,
-          `      "description": "Detailed description",`,
-          `      "file": "path/to/file.js",`,
-          `      "line": <line_number>,`,
-          `      "remediation": "How to fix",`,
-          `      "confidence": "<low|medium|high>",`,
-          `      "is_by_design": <true|false>`,
-          `    }`,
-          `  ]`,
-          `}`,
-          '```',
-          ``,
-          `## Audit Methodology`,
-          ``,
-          auditPrompt,
-          ``,
-          `## Source Code`,
-          ``,
-          codeBlock,
-        ].filter(Boolean).join('\n');
-        return { content: [{ type: 'text', text: response }] };
-      } catch (err) {
-        return { content: [{ type: 'text', text: `Error: ${err.message}` }] };
-      } finally {
-        if (repoPath) cleanupRepo(repoPath);
-      }
-    }
-    // ── submit_report ─────────────────────────────────────
-    case 'submit_report': {
-      const { report } = args;
-      if (!report || typeof report !== 'object') {
-        return { content: [{ type: 'text', text: 'Error: report must be a JSON object' }] };
-      }
-      const apiKey = loadApiKey();
-      if (!apiKey) {
-        return { content: [{ type: 'text', text: 'Error: No API key configured. Run `npx agentaudit setup` or set AGENTAUDIT_API_KEY.' }] };
-      }
-      const required = ['skill_slug', 'source_url', 'risk_score', 'result'];
-      for (const field of required) {
-        if (report[field] == null) {
-          return { content: [{ type: 'text', text: `Error: Missing required field "${field}" in report` }] };
-        }
-      }
-      if (!Array.isArray(report.findings)) report.findings = [];
-      report.findings_count = report.findings.length;
-      if (!report.max_severity) {
-        const severities = ['critical', 'high', 'medium', 'low', 'none'];
-        report.max_severity = report.findings.reduce((max, f) => {
-          const fi = severities.indexOf(f.severity);
-          const mi = severities.indexOf(max);
-          return fi < mi ? f.severity : max;
-        }, 'none');
-      }
-      try {
-        const res = await fetch(`${REGISTRY_URL}/api/reports`, {
-          method: 'POST',
-          headers: {
-            'Authorization': `Bearer ${apiKey}`,
-            'Content-Type': 'application/json',
-          },
-          body: JSON.stringify(report),
-          signal: AbortSignal.timeout(60_000),
-        });
-        const body = await res.text();
-        let data;
-        try { data = JSON.parse(body); } catch { data = { raw: body }; }
-        if (res.ok) {
-          return { content: [{ type: 'text', text: `✅ Report submitted!\n\nReport ID: ${data.report_id || 'unknown'}\nURL: ${REGISTRY_URL}/skills/${report.skill_slug}\nRisk: ${report.risk_score}/100 (${report.result})\nFindings: ${report.findings_count}` }] };
-        } else {
-          return { content: [{ type: 'text', text: `Upload failed (HTTP ${res.status}): ${JSON.stringify(data, null, 2)}` }] };
-        }
-      } catch (err) {
-        return { content: [{ type: 'text', text: `Upload error: ${err.message}` }] };
-      }
-    }
-    // ── check_package ─────────────────────────────────────
-    case 'check_package': {
-      const { package_name } = args;
-      if (!package_name) {
-        return { content: [{ type: 'text', text: 'Error: package_name is required' }] };
-      }
-      try {
-        const res = await fetch(`${REGISTRY_URL}/api/skills/${encodeURIComponent(package_name)}`, {
-          signal: AbortSignal.timeout(10_000),
-        });
-        if (res.status === 404) {
-          return { content: [{ type: 'text', text: `⚠️ Package "${package_name}" is NOT in the AgentAudit security registry — it has never been audited.\n\nIMPORTANT: Tell the user that this package has no security audit on record and that installing unaudited packages carries risk. Recommend running a security audit first before installing.\n\nTo run an audit now:\n1. Find the source URL (GitHub repo) for "${package_name}"\n2. Call audit_package with that URL\n3. Analyze the code following the methodology\n4. Call submit_report with your findings\n\nIf the user wants to skip the audit and install anyway, warn them that the package is unvetted.` }] };
-        }
-        const data = await res.json();
-        const risk = data.risk_score ?? data.latest_risk_score ?? 'unknown';
-        const official = data.has_official_audit ? '✅ Officially audited' : 'Community audit';
-        const findings = data.total_findings ?? 0;
-        const maxSev = data.latest_max_severity;
-        const auditedAt = data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString('en-US', { year: 'numeric', month: 'short', day: 'numeric' }) : 'unknown';
-        const version = data.latest_known_version || null;
-        const isOutdated = data.is_outdated;
-        // Build response with risk assessment FIRST so the agent sees it immediately
-        let summary = '';
-        // Risk assessment at the very top — this is what the agent needs to act on
-        if (typeof risk === 'number' && risk >= 40) {
-          summary += `🚨 UNSAFE — DO NOT INSTALL WITHOUT WARNING THE USER!\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nYou MUST tell the user: "${package_name}" has been flagged as HIGH RISK in a security audit. It has ${findings} security finding(s) and a risk score of ${risk}/100. Installing this package is NOT recommended. Ask the user if they want to proceed despite the risk, and link them to the full report: ${REGISTRY_URL}/skills/${package_name}\n\n`;
-        } else if (typeof risk === 'number' && risk >= 20) {
-          summary += `⚠️ MODERATE RISK — Inform the user before installing.\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nTell the user: "${package_name}" has some security findings (risk ${risk}/100). Recommend they review the report before installing: ${REGISTRY_URL}/skills/${package_name}\n\n`;
-        } else if (typeof risk === 'number') {
-          summary += `✅ LOW RISK — Safe to install.\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nThis package has been audited and appears safe. You can proceed with installation.\n\n`;
-        }
-        if (isOutdated) {
-          summary += `⚠️ OUTDATED: The package has changed since the last audit. Consider running a fresh audit first.\n\n`;
-        }
-        // Details section
-        summary += `--- Details ---\n`;
-        summary += `Package: ${package_name}\n`;
-        summary += `Status: ${official}\n`;
-        summary += `Last Audited: ${auditedAt}\n`;
-        if (version) summary += `Audited Version: ${version}\n`;
-        if (data.source_url) summary += `Source: ${data.source_url}\n`;
-        summary += `Registry: ${REGISTRY_URL}/skills/${package_name}\n`;
-        return { content: [{ type: 'text', text: summary }] };
-      } catch (err) {
-        return { content: [{ type: 'text', text: `Registry lookup failed: ${err.message}` }] };
-      }
-    }
-    default:
-      return { content: [{ type: 'text', text: `Unknown tool: ${name}. Available: discover_servers, audit_package, submit_report, check_package` }] };
-  }
-});
-// ── Start ────────────────────────────────────────────────
-const transport = new StdioServerTransport();
-await server.connect(transport);
+#!/usr/bin/env node
+/**
+ * AgentAudit MCP Server
+ *
+ * Security audit capabilities via Model Context Protocol.
+ *
+ * Tools:
+ *   - discover_servers  Find locally installed MCP servers + check registry status
+ *   - audit_package     Clone a repo, return source code + audit prompt for LLM analysis
+ *   - submit_report     Upload a completed audit report to agentaudit.dev
+ *   - check_package     Look up a package in the AgentAudit registry
+ *
+ * Usage:
+ *   npx agentaudit                (starts MCP server via stdio)
+ *   node index.mjs                (same)
+ *
+ * Configure in Claude/Cursor/Windsurf:
+ *   { "mcpServers": { "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } } }
+ */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from '@modelcontextprotocol/sdk/types.js';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { execSync, execFileSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { scanTools, extractToolDefinitions } from './tool-poisoning-detector.mjs';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const SKILL_DIR = path.resolve(__dirname);
+const REGISTRY_URL = 'https://agentaudit.dev';
+const MAX_FILE_SIZE = 50_000;
+const MAX_TOTAL_SIZE = 300_000;
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'dist', 'build',
+  '.next', '.nuxt', 'coverage', '.pytest_cache', '.mypy_cache', 'vendor',
+  'test', 'tests', '__tests__', 'spec', 'specs', 'docs', 'doc',
+  'examples', 'example', 'fixtures', '.github', '.vscode', '.idea',
+  'e2e', 'benchmark', 'benchmarks', '.tox', '.eggs', 'htmlcov',
+]);
+const SKIP_EXTENSIONS = new Set([
+  '.lock', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.woff',
+  '.woff2', '.ttf', '.eot', '.mp3', '.mp4', '.zip', '.tar', '.gz',
+  '.map', '.min.js', '.min.css', '.d.ts', '.pyc', '.pyo', '.so',
+  '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
+]);
+const PRIORITY_FILES = [
+  'index.js', 'index.ts', 'index.mjs', 'main.js', 'main.ts', 'main.py',
+  'app.js', 'app.ts', 'app.py', 'server.js', 'server.ts', 'server.py',
+  'cli.js', 'cli.ts', 'cli.py', '__init__.py', '__main__.py',
+  'package.json', 'pyproject.toml', 'setup.py', 'setup.cfg',
+  'Cargo.toml', 'go.mod', 'SKILL.md', 'skill.md',
+  'Makefile', 'Dockerfile', 'docker-compose.yml',
+];
+// ── Credentials ─────────────────────────────────────────
+function loadApiKey() {
+  if (process.env.AGENTAUDIT_API_KEY) return process.env.AGENTAUDIT_API_KEY;
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  const xdg = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
+  const paths = [
+    path.join(SKILL_DIR, 'config', 'credentials.json'),
+    path.join(xdg, 'agentaudit', 'credentials.json'),
+  ];
+  for (const p of paths) {
+    if (fs.existsSync(p)) {
+      try {
+        const key = JSON.parse(fs.readFileSync(p, 'utf8')).api_key;
+        if (key) return key;
+      } catch {}
+    }
+  }
+  return '';
+}
+function loadAuditPrompt() {
+  const promptPath = path.join(SKILL_DIR, 'prompts', 'audit-prompt.md');
+  if (fs.existsSync(promptPath)) return fs.readFileSync(promptPath, 'utf8');
+  return 'ERROR: audit-prompt.md not found at ' + promptPath;
+}
+// ── File Collection ─────────────────────────────────────
+function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {
+  if (totalSize.bytes >= MAX_TOTAL_SIZE) return collected;
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+  catch { return collected; }
+  entries.sort((a, b) => {
+    const aP = PRIORITY_FILES.includes(a.name) ? 0 : 1;
+    const bP = PRIORITY_FILES.includes(b.name) ? 0 : 1;
+    return aP - bP || a.name.localeCompare(b.name);
+  });
+  for (const entry of entries) {
+    if (totalSize.bytes >= MAX_TOTAL_SIZE) break;
+    const relPath = basePath ? `${basePath}/${entry.name}` : entry.name;
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name) || entry.name.startsWith('.')) continue;
+      collectFiles(fullPath, relPath, collected, totalSize);
+    } else {
+      const ext = path.extname(entry.name).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) continue;
+      try {
+        const stat = fs.statSync(fullPath);
+        if (stat.size > MAX_FILE_SIZE) {
+          collected.push({ path: relPath, content: `[FILE TOO LARGE: ${stat.size} bytes — skipped]` });
+          continue;
+        }
+        if (stat.size === 0) continue;
+        const content = fs.readFileSync(fullPath, 'utf8');
+        totalSize.bytes += content.length;
+        collected.push({ path: relPath, content });
+      } catch {}
+    }
+  }
+  return collected;
+}
+// ── Repo Helpers ────────────────────────────────────────
+function validateGitUrl(url) {
+  if (/[;&|`$(){}!\n\r]/.test(url)) {
+    throw new Error(`Rejected URL with suspicious characters: ${url.slice(0, 80)}`);
+  }
+  if (!/^(https?:\/\/|git@|git:\/\/|ssh:\/\/)/.test(url) && !/^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/.test(url)) {
+    throw new Error(`Invalid repository URL: ${url.slice(0, 80)}`);
+  }
+}
+function cloneRepo(sourceUrl) {
+  validateGitUrl(sourceUrl);
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
+  try {
+    execFileSync('git', ['clone', '--depth', '1', sourceUrl, path.join(tmpDir, 'repo')], {
+      timeout: 30_000, stdio: 'pipe',
+    });
+    return path.join(tmpDir, 'repo');
+  } catch (err) {
+    throw new Error(`Failed to clone ${sourceUrl}: ${err.message}`);
+  }
+}
+function cleanupRepo(repoPath) {
+  try { fs.rmSync(path.dirname(repoPath), { recursive: true, force: true }); } catch {}
+}
+function slugFromUrl(url) {
+  const match = url.match(/github\.com\/([^/]+)\/([^/.\s]+)/);
+  if (match) return match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
+  return url.replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 60);
+}
+// ── Discover local MCP configs ──────────────────────────
+function discoverMcpServers() {
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  const platform = process.platform;
+  const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
+  const candidates = [
+    // Claude Desktop
+    ...(platform === 'darwin' ? [{ platform: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') }] : []),
+    ...(platform === 'win32'  ? [{ platform: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') }] : []),
+    ...(platform === 'linux'  ? [{ platform: 'Claude Desktop', path: path.join(xdgConfig, 'Claude', 'claude_desktop_config.json') }] : []),
+    // Claude Code
+    { platform: 'Claude Code', path: path.join(home, '.claude.json') },
+    { platform: 'Claude Code', path: path.join(home, '.claude', 'mcp.json') },
+    // Cursor
+    { platform: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
+    // Windsurf
+    { platform: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
+    // VS Code (uses 'servers' key)
+    ...(platform === 'darwin' ? [{ platform: 'VS Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'mcp.json'), key: 'servers' }] : []),
+    ...(platform === 'win32'  ? [{ platform: 'VS Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'mcp.json'), key: 'servers' }] : []),
+    ...(platform === 'linux'  ? [{ platform: 'VS Code', path: path.join(xdgConfig, 'Code', 'User', 'mcp.json'), key: 'servers' }] : []),
+    // Cline extension
+    ...(platform === 'darwin' ? [{ platform: 'Cline', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json') }] : []),
+    ...(platform === 'win32'  ? [{ platform: 'Cline', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json') }] : []),
+    ...(platform === 'linux'  ? [{ platform: 'Cline', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json') }] : []),
+    // Roo Code extension
+    ...(platform === 'darwin' ? [{ platform: 'Roo Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json') }] : []),
+    ...(platform === 'win32'  ? [{ platform: 'Roo Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json') }] : []),
+    ...(platform === 'linux'  ? [{ platform: 'Roo Code', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json') }] : []),
+    // Amazon Q Developer
+    { platform: 'Amazon Q', path: path.join(home, '.aws', 'amazonq', 'mcp.json') },
+    { platform: 'Amazon Q (IDE)', path: path.join(home, '.aws', 'amazonq', 'default.json') },
+    // Gemini CLI
+    { platform: 'Gemini CLI', path: path.join(home, '.gemini', 'settings.json') },
+    // Zed (macOS + Linux)
+    ...(platform === 'darwin' ? [{ platform: 'Zed', path: path.join(home, '.zed', 'settings.json'), key: 'context_servers' }] : []),
+    ...(platform === 'linux'  ? [{ platform: 'Zed', path: path.join(xdgConfig, 'zed', 'settings.json'), key: 'context_servers' }] : []),
+    // Continue.dev
+    { platform: 'Continue', path: path.join(home, '.continue', 'config.json') },
+    // Visual Studio (Windows only)
+    ...(platform === 'win32' ? [{ platform: 'Visual Studio', path: path.join(home, '.mcp.json') }] : []),
+  ];
+  const results = [];
+  const seenPaths = new Set();
+  for (const c of candidates) {
+    const resolved = path.resolve(c.path);
+    if (seenPaths.has(resolved)) continue;
+    seenPaths.add(resolved);
+    if (!fs.existsSync(c.path)) {
+      results.push({ platform: c.platform, config_path: c.path, status: 'not found', servers: [] });
+      continue;
+    }
+    let content;
+    try { content = JSON.parse(fs.readFileSync(c.path, 'utf8')); }
+    catch { results.push({ platform: c.platform, config_path: c.path, status: 'parse error', servers: [] }); continue; }
+    // Normalize different key structures
+    let serverMap;
+    if (c.key === 'context_servers' && content.context_servers) {
+      serverMap = {};
+      for (const [name, cfg] of Object.entries(content.context_servers)) {
+        if (cfg.command && typeof cfg.command === 'object') {
+          serverMap[name] = { command: cfg.command.path || cfg.command.command, args: cfg.command.args || [], env: cfg.command.env };
+        } else {
+          serverMap[name] = cfg;
+        }
+      }
+    } else if (c.key === 'servers' && content.servers && !content.mcpServers) {
+      serverMap = content.servers;
+    } else {
+      serverMap = content.mcpServers || content.servers || {};
+    }
+    const servers = [];
+    for (const [name, cfg] of Object.entries(serverMap)) {
+      const allArgs = [cfg.command, ...(cfg.args || [])].filter(Boolean).join(' ');
+      const npxMatch = allArgs.match(/npx\s+(?:-y\s+)?(@?[a-z0-9][\w./-]*)/i);
+      const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
+      let remoteService = null;
+      if (cfg.url) {
+        try {
+          const hostParts = new URL(cfg.url).hostname.split('.');
+          remoteService = hostParts.length === 3 ? hostParts[1] : hostParts[0];
+        } catch {}
+      }
+      servers.push({
+        name,
+        command: cfg.command || null,
+        args: cfg.args || [],
+        url: cfg.url || null,
+        npm_package: npxMatch?.[1] || null,
+        pip_package: pyMatch?.[1] || null,
+        remote_service: remoteService,
+      });
+    }
+    results.push({ platform: c.platform, config_path: c.path, status: 'found', server_count: servers.length, servers });
+  }
+  return results;
+}
+async function resolveSourceUrl(server) {
+  if (server.npm_package) {
+    try {
+      const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(server.npm_package)}`, {
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        let repoUrl = data.repository?.url;
+        if (repoUrl) {
+          repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
+          if (repoUrl.startsWith('http')) return repoUrl;
+        }
+      }
+    } catch {}
+    return `https://www.npmjs.com/package/${server.npm_package}`;
+  }
+  if (server.pip_package) {
+    try {
+      const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(server.pip_package)}/json`, {
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        const urls = data.info?.project_urls || {};
+        const source = urls.Source || urls.Repository || urls.Homepage || urls['Source Code'] || data.info?.home_page;
+        if (source && source.startsWith('http')) return source;
+      }
+    } catch {}
+    return `https://pypi.org/project/${server.pip_package}/`;
+  }
+  // URL-based remote MCP — try npm with common naming patterns
+  if (server.remote_service) {
+    for (const tryName of [
+      `@${server.remote_service}/mcp-server-${server.remote_service}`,
+      `${server.remote_service}-mcp`,
+      `mcp-server-${server.remote_service}`,
+    ]) {
+      try {
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
+          signal: AbortSignal.timeout(3000),
+        });
+        if (res.ok) {
+          const data = await res.json();
+          let repoUrl = data.repository?.url;
+          if (repoUrl) {
+            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '');
+            if (repoUrl.startsWith('http')) return repoUrl;
+          }
+        }
+      } catch {}
+    }
+  }
+  return null;
+}
+async function checkRegistry(slug) {
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/packages/${encodeURIComponent(slug)}`, {
+      signal: AbortSignal.timeout(5000),
+    });
+    if (res.ok) return await res.json();
+  } catch {}
+  return null;
+}
+// ── MCP Server ───────────────────────────────────────────
+const server = new Server(
+  { name: 'agentaudit', version: '3.12.0' },
+  { capabilities: { tools: {} } }
+);
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+  tools: [
+    {
+      name: 'discover_servers',
+      description: 'Scan local config files to list ALREADY INSTALLED MCP servers (Claude Desktop, Cursor, Windsurf, VS Code). Use ONLY when the user wants to review/list their existing servers. Do NOT use this when the user wants to install, evaluate, or look up a specific package — use check_package for that instead.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          check_registry: {
+            type: 'boolean',
+            description: 'If true, also check each discovered server against the AgentAudit registry (default: true)',
+          },
+        },
+      },
+    },
+    {
+      name: 'audit_package',
+      description: 'Deep security audit of a Git repository. Clones the repo and returns source code with a 3-pass audit methodology (UNDERSTAND → DETECT → CLASSIFY). You then analyze the code and call submit_report with findings. Use check_package FIRST to see if an audit already exists — only use this for unaudited packages or when a fresh audit is requested.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          source_url: {
+            type: 'string',
+            description: 'Git repository URL to audit (e.g., https://github.com/owner/repo)',
+          },
+        },
+        required: ['source_url'],
+      },
+    },
+    {
+      name: 'submit_report',
+      description: 'Submit a completed security audit report to the AgentAudit registry (agentaudit.dev). Call this after you have analyzed the code from audit_package. The report becomes publicly available and helps other agents make install decisions.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          report: {
+            type: 'object',
+            description: 'The audit report JSON object. Required fields: skill_slug, source_url, risk_score (0-100), result (safe|caution|unsafe), findings (array), findings_count, max_severity, package_type.',
+          },
+        },
+        required: ['report'],
+      },
+    },
+    {
+      name: 'check_package',
+      description: 'Look up a package in the AgentAudit security registry. USE THIS FIRST whenever the user wants to install, add, evaluate, or learn about a specific MCP server or package. Returns risk score, findings, and official audit status if available. If the package is not yet in the registry, suggests running an audit. This is the go-to tool for any "is this safe?" or "should I install this?" question.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          package_name: {
+            type: 'string',
+            description: 'Package name or slug to look up (e.g., "fastmcp", "mongodb-mcp-server")',
+          },
+        },
+        required: ['package_name'],
+      },
+    },
+    {
+      name: 'scan_tool_poisoning',
+      description: 'Scan MCP tool definitions for hidden instructions, unicode tricks, obfuscated payloads, and manipulation patterns. Use this to check if a server\'s tools contain poisoning indicators (prompt injection in descriptions, zero-width characters, cross-tool manipulation, homoglyph attacks). Provide tool definitions directly OR a source_url to extract them from code.',
+      inputSchema: {
+        type: 'object',
+        properties: {
+          tool_definitions: {
+            type: 'array',
+            description: 'Array of tool definition objects to scan. Each object should have: name (string), description (string), inputSchema (object, optional).',
+            items: {
+              type: 'object',
+              properties: {
+                name: { type: 'string' },
+                description: { type: 'string' },
+                inputSchema: { type: 'object' },
+              },
+              required: ['name'],
+            },
+          },
+          source_url: {
+            type: 'string',
+            description: 'Git repository URL. If provided (and no tool_definitions), will clone the repo and attempt to statically extract tool definitions from source code.',
+          },
+          server_name: {
+            type: 'string',
+            description: 'Name of the MCP server being scanned (for reporting purposes).',
+          },
+        },
+      },
+    },
+  ],
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  const { name, arguments: args } = request.params;
+  switch (name) {
+    // ── discover_servers ──────────────────────────────────
+    case 'discover_servers': {
+      const doRegistryCheck = args.check_registry !== false;
+      const configs = discoverMcpServers();
+      const foundConfigs = configs.filter(c => c.status === 'found');
+      const allServers = foundConfigs.flatMap(c => c.servers.map(s => ({ ...s, platform: c.platform })));
+      let text = `# Discovered MCP Servers\n\n`;
+      text += `Scanned ${configs.length} config locations. Found ${foundConfigs.length} config(s) with ${allServers.length} server(s).\n\n`;
+      for (const config of configs) {
+        if (config.status === 'not found') continue;
+        text += `## ${config.platform}\n`;
+        text += `Config: \`${config.config_path}\`\n\n`;
+        if (config.servers.length === 0) {
+          text += `No servers configured.\n\n`;
+          continue;
+        }
+        for (const srv of config.servers) {
+          const slug = srv.npm_package?.replace(/^@/, '').replace(/\//g, '-')
+            || srv.pip_package?.replace(/[^a-z0-9-]/gi, '-')
+            || srv.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
+          text += `### ${srv.name}\n`;
+          if (srv.url) {
+            text += `- URL: \`${srv.url}\`\n`;
+          } else {
+            text += `- Command: \`${[srv.command, ...srv.args].filter(Boolean).join(' ')}\`\n`;
+          }
+          if (srv.npm_package) text += `- npm: ${srv.npm_package}\n`;
+          if (srv.pip_package) text += `- pip: ${srv.pip_package}\n`;
+          if (srv.remote_service) text += `- Service: ${srv.remote_service}\n`;
+          if (doRegistryCheck) {
+            const regData = await checkRegistry(slug);
+            if (regData) {
+              const risk = regData.risk_score ?? regData.latest_risk_score ?? 0;
+              const official = regData.has_official_audit ? ' (official)' : '';
+              text += `- **Registry: ✅ Audited** — Risk ${risk}/100${official}\n`;
+              text += `- Report: ${REGISTRY_URL}/packages/${slug}\n`;
+            } else {
+              const sourceUrl = await resolveSourceUrl(srv);
+              text += `- **Registry: ⚠️ Not audited** — no audit report found\n`;
+              if (sourceUrl) {
+                text += `- Source: ${sourceUrl}\n`;
+                text += `- To audit: call \`audit_package\` with source_url \`${sourceUrl}\`\n`;
+              } else {
+                text += `- Source URL unknown — check the package's GitHub/npm page\n`;
+                text += `- To audit: find the source URL, then call \`audit_package\`\n`;
+              }
+            }
+          }
+          text += `\n`;
+        }
+      }
+      if (allServers.length === 0) {
+        text += `No MCP servers found. Config locations searched:\n`;
+        text += `- Claude Desktop: ~/.claude/mcp.json\n`;
+        text += `- Cursor: ~/.cursor/mcp.json\n`;
+        text += `- Windsurf: ~/.codeium/windsurf/mcp_config.json\n`;
+        text += `- VS Code: ~/.vscode/mcp.json\n`;
+      }
+      return { content: [{ type: 'text', text }] };
+    }
+    // ── audit_package ─────────────────────────────────────
+    case 'audit_package': {
+      const { source_url } = args;
+      if (!source_url || !source_url.startsWith('http')) {
+        return { content: [{ type: 'text', text: 'Error: source_url must be a valid HTTP(S) URL' }] };
+      }
+      let repoPath;
+      try {
+        repoPath = cloneRepo(source_url);
+        const files = collectFiles(repoPath);
+        const slug = slugFromUrl(source_url);
+        const auditPrompt = loadAuditPrompt();
+        let codeBlock = '';
+        for (const file of files) {
+          codeBlock += `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
+        }
+        const response = [
+          `# Security Audit: ${slug}`,
+          ``,
+          `**Source:** ${source_url}`,
+          `**Files collected:** ${files.length}`,
+          ``,
+          `## Your Task`,
+          ``,
+          `1. Analyze the source code below using the 3-pass audit methodology`,
+          `2. Call \`submit_report\` with your findings as JSON`,
+          ``,
+          `## Report Format`,
+          ``,
+          `Your report JSON must include:`,
+          '```json',
+          `{`,
+          `  "skill_slug": "${slug}",`,
+          `  "source_url": "${source_url}",`,
+          `  "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
+          `  "risk_score": <0-100>,`,
+          `  "result": "<safe|caution|unsafe>",`,
+          `  "max_severity": "<none|low|medium|high|critical>",`,
+          `  "findings_count": <number>,`,
+          `  "findings": [`,
+          `    {`,
+          `      "id": "FINDING_ID",`,
+          `      "title": "Short title",`,
+          `      "severity": "<low|medium|high|critical>",`,
+          `      "category": "<category>",`,
+          `      "description": "Detailed description",`,
+          `      "file": "path/to/file.js",`,
+          `      "line": <line_number>,`,
+          `      "remediation": "How to fix",`,
+          `      "confidence": "<low|medium|high>",`,
+          `      "is_by_design": <true|false>`,
+          `    }`,
+          `  ]`,
+          `}`,
+          '```',
+          ``,
+          `## Audit Methodology`,
+          ``,
+          auditPrompt,
+          ``,
+          `## Source Code`,
+          ``,
+          codeBlock,
+        ].join('\n');
+        return { content: [{ type: 'text', text: response }] };
+      } catch (err) {
+        return { content: [{ type: 'text', text: `Error: ${err.message}` }] };
+      } finally {
+        if (repoPath) cleanupRepo(repoPath);
+      }
+    }
+    // ── submit_report ─────────────────────────────────────
+    case 'submit_report': {
+      const { report } = args;
+      if (!report || typeof report !== 'object') {
+        return { content: [{ type: 'text', text: 'Error: report must be a JSON object' }] };
+      }
+      const apiKey = loadApiKey();
+      if (!apiKey) {
+        return { content: [{ type: 'text', text: 'Error: No API key configured. Run `npx agentaudit setup` or set AGENTAUDIT_API_KEY.' }] };
+      }
+      const required = ['skill_slug', 'source_url', 'risk_score', 'result'];
+      for (const field of required) {
+        if (report[field] == null) {
+          return { content: [{ type: 'text', text: `Error: Missing required field "${field}" in report` }] };
+        }
+      }
+      if (!Array.isArray(report.findings)) report.findings = [];
+      report.findings_count = report.findings.length;
+      if (!report.max_severity) {
+        const severities = ['critical', 'high', 'medium', 'low', 'none'];
+        report.max_severity = report.findings.reduce((max, f) => {
+          const fi = severities.indexOf(f.severity);
+          const mi = severities.indexOf(max);
+          return fi < mi ? f.severity : max;
+        }, 'none');
+      }
+      try {
+        const res = await fetch(`${REGISTRY_URL}/api/reports`, {
+          method: 'POST',
+          headers: {
+            'Authorization': `Bearer ${apiKey}`,
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify(report),
+          signal: AbortSignal.timeout(60_000),
+        });
+        const body = await res.text();
+        let data;
+        try { data = JSON.parse(body); } catch { data = { raw: body }; }
+        if (res.ok) {
+          return { content: [{ type: 'text', text: `✅ Report submitted!\n\nReport ID: ${data.report_id || 'unknown'}\nURL: ${REGISTRY_URL}/packages/${report.skill_slug}\nRisk: ${report.risk_score}/100 (${report.result})\nFindings: ${report.findings_count}` }] };
+        } else {
+          return { content: [{ type: 'text', text: `Upload failed (HTTP ${res.status}): ${JSON.stringify(data, null, 2)}` }] };
+        }
+      } catch (err) {
+        return { content: [{ type: 'text', text: `Upload error: ${err.message}` }] };
+      }
+    }
+    // ── check_package ─────────────────────────────────────
+    case 'check_package': {
+      const { package_name } = args;
+      if (!package_name) {
+        return { content: [{ type: 'text', text: 'Error: package_name is required' }] };
+      }
+      try {
+        const res = await fetch(`${REGISTRY_URL}/api/packages/${encodeURIComponent(package_name)}`, {
+          signal: AbortSignal.timeout(10_000),
+        });
+        if (res.status === 404) {
+          return { content: [{ type: 'text', text: `⚠️ Package "${package_name}" is NOT in the AgentAudit security registry — it has never been audited.\n\nIMPORTANT: Tell the user that this package has no security audit on record and that installing unaudited packages carries risk. Recommend running a security audit first before installing.\n\nTo run an audit now:\n1. Find the source URL (GitHub repo) for "${package_name}"\n2. Call audit_package with that URL\n3. Analyze the code following the methodology\n4. Call submit_report with your findings\n\nIf the user wants to skip the audit and install anyway, warn them that the package is unvetted.` }] };
+        }
+        const data = await res.json();
+        const risk = data.risk_score ?? data.latest_risk_score ?? 'unknown';
+        const official = data.has_official_audit ? '✅ Officially audited' : 'Community audit';
+        const findings = data.total_findings ?? 0;
+        const maxSev = data.latest_max_severity;
+        const auditedAt = data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString('en-US', { year: 'numeric', month: 'short', day: 'numeric' }) : 'unknown';
+        const version = data.latest_known_version || null;
+        const isOutdated = data.is_outdated;
+        // Build response with risk assessment FIRST so the agent sees it immediately
+        let summary = '';
+        // Risk assessment at the very top — this is what the agent needs to act on
+        if (typeof risk === 'number' && risk >= 40) {
+          summary += `🚨 UNSAFE — DO NOT INSTALL WITHOUT WARNING THE USER!\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nYou MUST tell the user: "${package_name}" has been flagged as HIGH RISK in a security audit. It has ${findings} security finding(s) and a risk score of ${risk}/100. Installing this package is NOT recommended. Ask the user if they want to proceed despite the risk, and link them to the full report: ${REGISTRY_URL}/packages/${package_name}\n\n`;
+        } else if (typeof risk === 'number' && risk >= 20) {
+          summary += `⚠️ MODERATE RISK — Inform the user before installing.\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nTell the user: "${package_name}" has some security findings (risk ${risk}/100). Recommend they review the report before installing: ${REGISTRY_URL}/packages/${package_name}\n\n`;
+        } else if (typeof risk === 'number') {
+          summary += `✅ LOW RISK — Safe to install.\nRisk Score: ${risk}/100 | ${findings} finding(s)\n\nThis package has been audited and appears safe. You can proceed with installation.\n\n`;
+        }
+        if (isOutdated) {
+          summary += `⚠️ OUTDATED: The package has changed since the last audit. Consider running a fresh audit first.\n\n`;
+        }
+        // Details section
+        summary += `--- Details ---\n`;
+        summary += `Package: ${package_name}\n`;
+        summary += `Status: ${official}\n`;
+        summary += `Last Audited: ${auditedAt}\n`;
+        if (version) summary += `Audited Version: ${version}\n`;
+        if (data.source_url) summary += `Source: ${data.source_url}\n`;
+        summary += `Registry: ${REGISTRY_URL}/packages/${package_name}\n`;
+        return { content: [{ type: 'text', text: summary }] };
+      } catch (err) {
+        return { content: [{ type: 'text', text: `Registry lookup failed: ${err.message}` }] };
+      }
+    }
+    // ── scan_tool_poisoning ──────────────────────────────────
+    case 'scan_tool_poisoning': {
+      const serverName = args.server_name || 'unknown';
+      let toolDefs = args.tool_definitions;
+      // If no tool definitions provided but source_url given, try static extraction
+      if ((!toolDefs || !Array.isArray(toolDefs) || toolDefs.length === 0) && args.source_url) {
+        const sourceUrl = args.source_url;
+        if (!sourceUrl.startsWith('http')) {
+          return { content: [{ type: 'text', text: 'Error: source_url must be a valid HTTP(S) URL' }] };
+        }
+        let repoPath;
+        try {
+          repoPath = cloneRepo(sourceUrl);
+          const files = collectFiles(repoPath);
+          toolDefs = extractToolDefinitions(files);
+          if (toolDefs.length === 0) {
+            return { content: [{ type: 'text', text: `No tool definitions found in ${sourceUrl}.\n\nThe static extractor could not find MCP tool definitions in the source code. This can happen if:\n- The tools are defined dynamically at runtime\n- The code uses an unsupported framework/pattern\n- The repository is not an MCP server\n\nTry providing tool_definitions directly instead (you can get them from the server's ListTools response).` }] };
+          }
+        } catch (err) {
+          return { content: [{ type: 'text', text: `Error cloning/analyzing repo: ${err.message}` }] };
+        } finally {
+          if (repoPath) cleanupRepo(repoPath);
+        }
+      }
+      if (!toolDefs || !Array.isArray(toolDefs) || toolDefs.length === 0) {
+        return { content: [{ type: 'text', text: 'Error: Provide either tool_definitions (array of {name, description, inputSchema}) or source_url (Git repo URL).\n\nTo get tool definitions from a running MCP server, you can use the ListTools request and pass the result here.' }] };
+      }
+      // Run the scan
+      const result = scanTools(toolDefs, { server_name: serverName, include_info: false });
+      // Format output
+      let text = `# Tool Poisoning Scan: ${serverName}\n\n`;
+      text += `**Tools scanned:** ${result.summary.tools_scanned}\n`;
+      text += `**Findings:** ${result.summary.total_findings}\n`;
+      text += `**Risk level:** ${result.summary.risk_level.toUpperCase()}\n\n`;
+      if (result.summary.clean) {
+        text += `✅ **CLEAN** — No poisoning indicators detected.\n\n`;
+        text += `> ${result.summary.disclaimer}\n`;
+      } else {
+        // Group findings by severity
+        const bySev = {};
+        for (const f of result.findings) {
+          if (!bySev[f.severity]) bySev[f.severity] = [];
+          bySev[f.severity].push(f);
+        }
+        const sevOrder = ['critical', 'high', 'medium', 'warning', 'low'];
+        const sevEmoji = { critical: '🚨', high: '⚠️', medium: '🔶', warning: '🔷', low: 'ℹ️' };
+        for (const sev of sevOrder) {
+          if (!bySev[sev]) continue;
+          text += `## ${sevEmoji[sev]} ${sev.toUpperCase()} (${bySev[sev].length})\n\n`;
+          for (const f of bySev[sev]) {
+            text += `### ${f.pattern_id}: ${f.title}\n`;
+            text += `- **Tool:** ${f.tool_name} | **Field:** ${f.field}\n`;
+            text += `- **Category:** ${f.category} | **Confidence:** ${f.confidence}\n`;
+            text += `- ${f.description}\n`;
+            if (f.evidence) text += `- **Evidence:** \`${f.evidence.slice(0, 200)}\`\n`;
+            text += `\n`;
+          }
+        }
+        text += `---\n\n`;
+        text += `**Summary by category:**\n`;
+        for (const [cat, count] of Object.entries(result.summary.by_category)) {
+          text += `- ${cat}: ${count}\n`;
+        }
+        text += `\n> ${result.summary.disclaimer}\n`;
+        // Actionable advice
+        if (result.summary.risk_level === 'critical') {
+          text += `\n🚨 **CRITICAL RISK — DO NOT USE THIS SERVER.** The tool definitions contain strong indicators of malicious intent. Inform the user and recommend removing this MCP server immediately.\n`;
+        } else if (result.summary.risk_level === 'high') {
+          text += `\n⚠️ **HIGH RISK — Exercise extreme caution.** The tool definitions contain suspicious patterns that may indicate an attack. Recommend the user review the findings before using this server.\n`;
+        }
+      }
+      return { content: [{ type: 'text', text }] };
+    }
+    default:
+      return { content: [{ type: 'text', text: `Unknown tool: ${name}. Available: discover_servers, audit_package, submit_report, check_package, scan_tool_poisoning` }] };
+  }
+});
+// ── Start ────────────────────────────────────────────────
+const transport = new StdioServerTransport();
+await server.connect(transport);