agentaudit 3.4.0 → 3.5.0

package/cli.mjs

@@ -702,6 +702,19 @@ function extractServersFromConfig(config) {
     const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
     if (pyMatch) info.pyPackage = pyMatch[1];
     
+    // URL-based MCP server (remote HTTP)
+    if (info.url && !info.npmPackage && !info.pyPackage) {
+      try {
+        const parsed = new URL(info.url);
+        // Extract service name from hostname: mcp.supabase.com → supabase
+        const hostParts = parsed.hostname.split('.');
+        if (hostParts.length >= 2) {
+          const serviceName = hostParts.length === 3 ? hostParts[1] : hostParts[0];
+          info.remoteService = serviceName;
+        }
+      } catch {}
+    }
+    
     result.push(info);
   }
   return result;
@@ -753,6 +766,39 @@ async function resolveSourceUrl(server) {
     return `https://pypi.org/project/${server.pyPackage}/`;
   }
   
+  // URL-based remote MCP server — try GitHub search by service name
+  if (server.remoteService) {
+    // Try npm registry with common MCP naming patterns
+    for (const tryName of [
+      `@${server.remoteService}/mcp-server-${server.remoteService}`,
+      `${server.remoteService}-mcp`,
+      `mcp-server-${server.remoteService}`,
+      server.remoteService,
+    ]) {
+      try {
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
+          signal: AbortSignal.timeout(3000),
+        });
+        if (res.ok) {
+          const data = await res.json();
+          let repoUrl = data.repository?.url;
+          if (repoUrl) {
+            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
+            if (repoUrl.startsWith('http')) return repoUrl;
+          }
+        }
+      } catch {}
+    }
+  }
+  
+  // Last resort: if server has a url, show it as context
+  if (server.url) {
+    try {
+      const parsed = new URL(server.url);
+      return `https://github.com/search?q=${encodeURIComponent(parsed.hostname + ' MCP')}&type=repositories`;
+    } catch {}
+  }
+  
   return null;
 }
 
@@ -821,6 +867,7 @@ async function discoverCommand() {
       let sourceLabel = '';
       if (server.npmPackage) sourceLabel = `${c.dim}npm:${server.npmPackage}${c.reset}`;
       else if (server.pyPackage) sourceLabel = `${c.dim}pip:${server.pyPackage}${c.reset}`;
+      else if (server.url) sourceLabel = `${c.dim}${server.url.length > 60 ? server.url.slice(0, 57) + '...' : server.url}${c.reset}`;
       else if (server.command) sourceLabel = `${c.dim}${[server.command, ...server.args.slice(0, 2)].join(' ')}${c.reset}`;
       
       if (regData) {

package/index.mjs

@@ -176,12 +176,21 @@ function discoverMcpServers() {
       const allArgs = [cfg.command, ...(cfg.args || [])].filter(Boolean).join(' ');
       const npxMatch = allArgs.match(/npx\s+(?:-y\s+)?(@?[a-z0-9][\w./-]*)/i);
       const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
+      let remoteService = null;
+      if (cfg.url) {
+        try {
+          const hostParts = new URL(cfg.url).hostname.split('.');
+          remoteService = hostParts.length === 3 ? hostParts[1] : hostParts[0];
+        } catch {}
+      }
       servers.push({
         name,
         command: cfg.command || null,
         args: cfg.args || [],
+        url: cfg.url || null,
         npm_package: npxMatch?.[1] || null,
         pip_package: pyMatch?.[1] || null,
+        remote_service: remoteService,
       });
     }
     results.push({ platform: c.platform, config_path: c.path, status: 'found', server_count: servers.length, servers });
@@ -221,6 +230,28 @@ async function resolveSourceUrl(server) {
     } catch {}
     return `https://pypi.org/project/${server.pip_package}/`;
   }
+  // URL-based remote MCP — try npm with common naming patterns
+  if (server.remote_service) {
+    for (const tryName of [
+      `@${server.remote_service}/mcp-server-${server.remote_service}`,
+      `${server.remote_service}-mcp`,
+      `mcp-server-${server.remote_service}`,
+    ]) {
+      try {
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
+          signal: AbortSignal.timeout(3000),
+        });
+        if (res.ok) {
+          const data = await res.json();
+          let repoUrl = data.repository?.url;
+          if (repoUrl) {
+            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '');
+            if (repoUrl.startsWith('http')) return repoUrl;
+          }
+        }
+      } catch {}
+    }
+  }
   return null;
 }
 
@@ -332,9 +363,14 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
             || srv.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
 
           text += `### ${srv.name}\n`;
-          text += `- Command: \`${[srv.command, ...srv.args].join(' ')}\`\n`;
+          if (srv.url) {
+            text += `- URL: \`${srv.url}\`\n`;
+          } else {
+            text += `- Command: \`${[srv.command, ...srv.args].filter(Boolean).join(' ')}\`\n`;
+          }
           if (srv.npm_package) text += `- npm: ${srv.npm_package}\n`;
           if (srv.pip_package) text += `- pip: ${srv.pip_package}\n`;
+          if (srv.remote_service) text += `- Service: ${srv.remote_service}\n`;
 
           if (doRegistryCheck) {
             const regData = await checkRegistry(slug);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.4.0",
+  "version": "3.5.0",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {