npm - auxiliar-mcp - Versions diffs - 0.7.0 → 0.7.1 - Mend

auxiliar-mcp 0.7.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/data/event-sources.d.ts +47 -0
package/dist/data/event-sources.js +126 -0
package/dist/data/risks.js +5 -2
package/dist/tools/recommend.d.ts +6 -0
package/dist/tools/recommend.js +40 -0
package/package.json +4 -1

package/dist/data/event-sources.d.ts ADDED Viewed

@@ -0,0 +1,47 @@
+/**
+ * Event-source feed URLs for the service-event scanner (Phase 1 pilot).
+ *
+ * One entry per pilot service. Each service lists zero-or-more
+ * machine-readable feeds we monitor daily. Source types:
+ *
+ *   - "status":    Statuspage.io (or equivalent) incident/history RSS
+ *   - "changelog": Vendor product changelog RSS/Atom
+ *   - "security":  Vendor security-bulletin RSS/Atom (rare but prized)
+ *   - "releases":  GitHub releases Atom (OSS projects)
+ *
+ * Phase 1 scope is detector-only — URLs here are data for the Python
+ * scanner (`src/auxiliar/scanner/`) to fetch daily. The config is
+ * intentionally versioned in-repo (not auto-discovered) so changes are
+ * reviewable and a noisy feed can be dropped with a single commit.
+ *
+ * Verification status: URLs below are the ones we expect each vendor
+ * publishes; they MUST be smoke-tested by the detector's first
+ * production run and any 404s/parse errors logged. A failing fetch is
+ * NOT a false positive — it's a missing positive, tracked separately in
+ * the scanner summary.
+ *
+ * Adding a service: add an entry, redeploy, wait 24h, confirm the
+ * source shows up in the next scanner-report.md. Removing is cheap
+ * (delete the entry; cursor rows become orphans and can be cleaned up
+ * later).
+ *
+ * This file is written by humans, read by the Python scanner via the
+ * build step (`scripts/build-service-api.py` will export it as JSON for
+ * Python — Phase 1 scanner reads the JSON snapshot so we don't need a
+ * TS runtime in the Lambda).
+ */
+export type EventSourceType = "status" | "changelog" | "security" | "releases";
+export interface EventSource {
+    type: EventSourceType;
+    url: string;
+    /** Human-readable note about the feed — why we picked it, caveats. */
+    note?: string;
+}
+export interface ServiceEventSources {
+    /** Slug matching content/service/<slug>.md and mcp/src/data/risks.ts keys. */
+    slug: string;
+    /** Human-readable service name. */
+    name: string;
+    sources: EventSource[];
+}
+export declare const eventSources: ServiceEventSources[];

package/dist/data/event-sources.js ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * Event-source feed URLs for the service-event scanner (Phase 1 pilot).
+ *
+ * One entry per pilot service. Each service lists zero-or-more
+ * machine-readable feeds we monitor daily. Source types:
+ *
+ *   - "status":    Statuspage.io (or equivalent) incident/history RSS
+ *   - "changelog": Vendor product changelog RSS/Atom
+ *   - "security":  Vendor security-bulletin RSS/Atom (rare but prized)
+ *   - "releases":  GitHub releases Atom (OSS projects)
+ *
+ * Phase 1 scope is detector-only — URLs here are data for the Python
+ * scanner (`src/auxiliar/scanner/`) to fetch daily. The config is
+ * intentionally versioned in-repo (not auto-discovered) so changes are
+ * reviewable and a noisy feed can be dropped with a single commit.
+ *
+ * Verification status: URLs below are the ones we expect each vendor
+ * publishes; they MUST be smoke-tested by the detector's first
+ * production run and any 404s/parse errors logged. A failing fetch is
+ * NOT a false positive — it's a missing positive, tracked separately in
+ * the scanner summary.
+ *
+ * Adding a service: add an entry, redeploy, wait 24h, confirm the
+ * source shows up in the next scanner-report.md. Removing is cheap
+ * (delete the entry; cursor rows become orphans and can be cleaned up
+ * later).
+ *
+ * This file is written by humans, read by the Python scanner via the
+ * build step (`scripts/build-service-api.py` will export it as JSON for
+ * Python — Phase 1 scanner reads the JSON snapshot so we don't need a
+ * TS runtime in the Lambda).
+ */
+export const eventSources = [
+    {
+        slug: "vercel",
+        name: "Vercel",
+        sources: [
+            { type: "status", url: "https://www.vercel-status.com/history.rss" },
+            { type: "changelog", url: "https://vercel.com/changelog/feed.xml" },
+            {
+                type: "security",
+                url: "https://vercel.com/kb/bulletin",
+                note: "Ground-truth fixture source (April 2026 incident). HTML page, not RSS — detector polls with low-frequency hash comparison.",
+            },
+        ],
+    },
+    {
+        slug: "stripe",
+        name: "Stripe",
+        sources: [
+            { type: "status", url: "https://status.stripe.com/history.rss" },
+            { type: "changelog", url: "https://stripe.com/blog/feed.rss" },
+        ],
+    },
+    {
+        slug: "supabase",
+        name: "Supabase",
+        sources: [
+            { type: "status", url: "https://status.supabase.com/history.rss" },
+            { type: "changelog", url: "https://supabase.com/changelog/feed.xml" },
+        ],
+    },
+    {
+        slug: "neon",
+        name: "Neon",
+        sources: [
+            { type: "status", url: "https://neonstatus.com/history.rss" },
+            { type: "changelog", url: "https://neon.tech/changelog/feed.xml" },
+        ],
+    },
+    {
+        slug: "clerk",
+        name: "Clerk",
+        sources: [
+            { type: "status", url: "https://status.clerk.com/history.rss" },
+            { type: "changelog", url: "https://clerk.com/changelog/feed.xml" },
+        ],
+    },
+    {
+        slug: "auth0",
+        name: "Auth0",
+        sources: [
+            { type: "status", url: "https://status.auth0.com/history.rss" },
+            {
+                type: "security",
+                url: "https://auth0.com/docs/secure/security-bulletins/rss",
+                note: "Auth0 maintains a dedicated security-bulletin feed — historically reliable.",
+            },
+        ],
+    },
+    {
+        slug: "railway",
+        name: "Railway",
+        sources: [
+            { type: "status", url: "https://status.railway.com/history.rss" },
+            { type: "changelog", url: "https://blog.railway.com/feed.xml" },
+        ],
+    },
+    {
+        slug: "render",
+        name: "Render",
+        sources: [
+            { type: "status", url: "https://status.render.com/history.rss" },
+            { type: "changelog", url: "https://render.com/changelog/rss.xml" },
+        ],
+    },
+    {
+        slug: "resend",
+        name: "Resend",
+        sources: [
+            { type: "status", url: "https://resend-status.com/history.rss" },
+            { type: "changelog", url: "https://resend.com/changelog/feed.xml" },
+        ],
+    },
+    {
+        slug: "authjs",
+        name: "Auth.js",
+        sources: [
+            {
+                type: "releases",
+                url: "https://github.com/nextauthjs/next-auth/releases.atom",
+                note: "OSS project — GitHub releases is the only structured feed. CVEs land here as security-labelled releases.",
+            },
+        ],
+    },
+];

package/dist/data/risks.js CHANGED Viewed

@@ -312,12 +312,15 @@ export const risks = {
     "vercel": {
         provider: "Vercel",
         risks: [
+            { severity: "CRITICAL", title: "Active security incident (April 2026)", detail: "Vercel disclosed on 2026-04-19 that a compromise of Context.ai (a third-party AI tool used by a Vercel employee) was escalated to their internal systems via the employee's Google Workspace. A limited subset of customers had credentials compromised; environment variables not marked 'sensitive' on affected accounts may have been accessed. Vercel recommends rotating non-sensitive env vars as a priority, enabling the 'sensitive env vars' feature, reviewing recent deployments, and rotating Deployment Protection tokens. Investigation ongoing; services remain operational. Full advisory: https://vercel.com/kb/bulletin/vercel-april-2026-security-incident" },
             { severity: "HIGH", title: "Bandwidth overage shock", detail: "Vercel charges starting at $0.15/GB for bandwidth beyond your plan's included usage. The Pro plan includes $20 of usage credit, but a viral post or product launch can still generate surprise charges. " },
             { severity: "MEDIUM", title: "Hobby tier is non-commercial", detail: "The free Hobby plan explicitly prohibits commercial use. Any revenue-generating app needs the $20/month Pro plan." },
             { severity: "MEDIUM", title: "Framework lock-in", detail: "Advanced features (ISR, edge middleware, image optimization) are deeply integrated with Next.js. Migrating to another platform means losing these optimizations." },
             { severity: "LOW", title: "Cold starts on serverless functions", detail: "Serverless functions can have cold starts of 200-500ms. Edge functions are faster but have runtime limitations (no Node.js APIs)." },
         ],
-        recent_changes: [],
-        verified_date: "2026-03-30",
+        recent_changes: [
+            { date: "2026-04-19", change: "Security incident disclosed — Context.ai supply-chain compromise pivoted into Vercel internal systems via employee Google Workspace. Limited-subset customer credentials affected. See: https://vercel.com/kb/bulletin/vercel-april-2026-security-incident" },
+        ],
+        verified_date: "2026-04-20",
     },
 };

package/dist/tools/recommend.d.ts CHANGED Viewed

@@ -30,6 +30,12 @@ interface Recommendation {
         reason: string;
         trade_off: string;
     }>;
+    community: {
+        total_reports: number;
+        success_rate: string;
+        avg_integration_time: string | null;
+        recommendation_rate: string | null;
+    } | null;
     data_source: string;
 }
 export declare function recommendService(params: RecommendParams): Promise<Recommendation>;

package/dist/tools/recommend.js CHANGED Viewed

@@ -72,12 +72,46 @@ export async function recommendService(params) {
             mcp_install: null,
             mcp_note: null,
             alternatives: [],
+            community: null,
             data_source: "auxiliar.ai bundled data",
         };
     }
+    // Fetch community feedback for all services in this category (non-blocking, best-effort)
+    const communityStats = {};
+    try {
+        const feedbackPromises = category.services.map(async (svc) => {
+            try {
+                const resp = await fetch(`https://auxiliar.ai/api/feedback?service=${svc.slug}`, { signal: AbortSignal.timeout(3000) });
+                const data = await resp.json();
+                if (data.stats)
+                    communityStats[svc.slug] = data.stats;
+            }
+            catch { }
+        });
+        await Promise.all(feedbackPromises);
+    }
+    catch { }
     // Score each service based on constraints
     const scored = category.services.map((svc) => {
         let score = svc.default_score || 5;
+        // Community feedback boost/penalty
+        // Verified reports have 1.5x weight, anonymous reports have 1.0x weight
+        const feedback = communityStats[svc.slug];
+        if (feedback) {
+            const verifiedReports = feedback.verified_reports || 0;
+            const anonymousReports = feedback.total_reports - verifiedReports;
+            const weightedReports = anonymousReports * 1.0 + verifiedReports * 1.5;
+            const successRate = feedback.total_reports > 0 ? (feedback.outcomes.success / feedback.total_reports) : 0;
+            if (weightedReports >= 3 && successRate >= 0.8)
+                score += 2;
+            if (weightedReports >= 3 && successRate < 0.5)
+                score -= 3;
+            if (weightedReports >= 5)
+                score += 1; // bonus for well-tested services
+            // Extra boost for verified credibility
+            if (verifiedReports >= 2 && successRate >= 0.8)
+                score += 1;
+        }
         // Budget filter
         if (params.budget === "free" && svc.has_free_tier)
             score += 3;
@@ -269,6 +303,12 @@ export async function recommendService(params) {
             reason: a.choose_if,
             trade_off: a.avoid_if,
         })),
+        community: communityStats[top.slug] ? {
+            total_reports: communityStats[top.slug].total_reports,
+            success_rate: communityStats[top.slug].success_rate,
+            avg_integration_time: communityStats[top.slug].avg_integration_time,
+            recommendation_rate: communityStats[top.slug].recommendation_rate,
+        } : null,
         data_source: `auxiliar.ai bundled data, last updated ${top.last_reviewed}`,
     };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auxiliar-mcp",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "MCP server that keeps your AI agent's infrastructure knowledge current. Chrome-verified pricing, risk flags, compatibility checks, and setup guides for 74 cloud services.",
   "type": "module",
   "main": "dist/server.js",
@@ -20,11 +20,14 @@
   },
   "keywords": [
     "mcp",
+    "mcp-server",
     "model-context-protocol",
     "ai-agent",
     "claude-code",
     "cursor",
+    "windsurf",
     "cloud-services",
+    "pricing",
     "developer-tools",
     "neon",
     "resend",