blackveil-dns 2.6.4 → 2.10.0

package/README.md

@@ -26,7 +26,7 @@ Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP cl
 
 **Claude Desktop** (one-click install):
 
-Download the [Blackveil DNS extension](https://github.com/MadaBurns/bv-claude-dns/releases/latest/download/bv-claude-dns.mcpb) and open it — all 44 tools available instantly. [Verify your download](https://blackveilsecurity.com/extensions/claude-dns#install).
+Download the [Blackveil DNS extension](https://github.com/MadaBurns/bv-claude-dns/releases/latest/download/bv-claude-dns.mcpb) and open it — all 51 tools available instantly. [Verify your download](https://blackveilsecurity.com/extensions/claude-dns#install).
 
 **Claude Code** (one command):
 
@@ -82,7 +82,7 @@ Transport support:
 ## Tools
 
 ```
-  44 MCP tools · 7 prompts · 6 resources
+  51 MCP tools · 7 prompts · 6 resources
 
   Email Auth           Infrastructure        Brand & Threats       Meta
  ────────────         ────────────────       ─────────────────    ──────────────────────
@@ -111,10 +111,12 @@ Transport support:
 
 ## Quality & Reliability
 
-The server is continuously validated using a **comprehensive chaos test suite** (ported from `claude-code-py`) that covers all 9 detected MCP client types:
+The server is continuously validated using a **comprehensive chaos test suite** that covers all detected MCP client types:
 
-- **Interactive clients**: `claude_code`, `cursor`, `vscode`, `claude_desktop`, `windsurf` (auto-format: `compact`)
-- **Non-interactive clients**: `mcp_remote`, `blackveil_dns_action`, `bv_claude_dns_proxy`, `unknown` (auto-format: `full`)
+- **Interactive clients**: `claude_mobile`, `claude_code`, `cursor`, `vscode`, `claude_desktop`, `windsurf` (auto-format: `compact`)
+- **Non-interactive clients**: `mcp_remote`, `blackveil_dns_action`, `bv_claude_dns_proxy`, `bv_load_test`, `unknown` (auto-format: `full`)
+
+The `bv_load_test` class identifies internal load/chaos/tranco-scan traffic so it stays out of real-client analytics segments.
 
 The test suite ensures session stability, authentication precedence, and transport-specific edge cases across Streamable HTTP and Legacy SSE.
 
@@ -154,7 +156,7 @@ Run the chaos tests locally: `python3 scripts/chaos/chaos-test-clients.py`
   └──────────────────────────┘
 ```
 
-- **Generic Scoring Engine**: Architectural core ported from `claude-code-py` for cross-language consistency
+- **Generic Scoring Engine**: Runtime-agnostic, string-keyed three-tier scoring with configurable weights
 - **WASM Policy Engine**: High-performance permission and token checks via `bv-wasm-core`
 - **Reliable Sessions**: Hardened tombstone logic prevents race-condition revival of terminated sessions
 - **Adaptive Scoring**: Durable Object telemetry adjusts weights based on real-world distributions
@@ -164,11 +166,13 @@ Run the chaos tests locally: `python3 scripts/chaos/chaos-test-clients.py`
 
 ## Client setup
 
-The free tier requires no authentication. If you have an API key, you can use either:
+The free tier requires no authentication. Authenticated requests bypass per-IP rate limits and follow your tier's daily quota. Three authentication methods are supported:
+
 - **Header**: `Authorization: Bearer <KEY>`
-- **Query Param**: `?api_key=<KEY>`
+- **Query Param**: `?api_key=<KEY>` (for clients that can't send custom headers — Smithery, Claude Code)
+- **OAuth 2.1**: authorization-code flow with PKCE, discovered via `/.well-known/oauth-authorization-server` — used by the Claude mobile custom connector.
 
-For full hosted setup examples, stdio usage, and legacy fallback endpoints, see [**docs/client-setup.md**](docs/client-setup.md).
+For full hosted setup examples, stdio usage, OAuth setup, and legacy fallback endpoints, see [**docs/client-setup.md**](docs/client-setup.md).
 
 ---
 
@@ -185,6 +189,28 @@ For full hosted setup examples, stdio usage, and legacy fallback endpoints, see
 
 ---
 
+## Example prompts
+
+These demonstrate core functionality — paste any of them into Claude with the Blackveil DNS connector enabled:
+
+| Prompt | What it does |
+|--------|-------------|
+| `Scan blackveilsecurity.com and tell me what needs fixing` | Full security audit — score, grade, prioritized findings |
+| `Compare the email security of google.com and microsoft.com` | Side-by-side comparison of two domains' postures |
+| `Generate a DMARC record for example.com with reject policy` | Produces a ready-to-publish DNS record |
+| `What attack paths exist for example.com?` | Enumerates spoofing, takeover, and hijack vectors |
+| `Map example.com's compliance against NIST 800-177` | Maps findings to compliance framework controls |
+
+---
+
+## Support
+
+- **Bug reports & feature requests:** [GitHub Issues](https://github.com/MadaBurns/bv-mcp/issues)
+- **Security vulnerabilities:** [security@blackveilsecurity.com](mailto:security@blackveilsecurity.com) (see [SECURITY.md](SECURITY.md))
+- **General questions:** [GitHub Discussions](https://github.com/MadaBurns/bv-mcp/discussions)
+
+---
+
 ## Responsible use
 
 This tool is intended for **authorized security assessments** of domains you own or have explicit permission to test. Do not use it for unauthorized reconnaissance, harassment, or any activity that violates applicable laws. Findings from attack simulation, spoofability, and subdomain discovery tools should be used to **improve your own security posture**, not to exploit others.
@@ -197,6 +223,6 @@ If you discover a vulnerability in a third-party domain, please follow [coordina
 
 Built and maintained by [**BLACKVEIL**](https://blackveilsecurity.com) — NZ-owned cybersecurity consultancy.
 
-BUSL-1.1 License (converts to MIT on 2030-03-17)
+[Privacy Policy](https://www.blackveilsecurity.com/privacy) · [License](LICENSE) (BUSL-1.1 → MIT on 2030-03-17)
 
 </div>

package/dist/index.d.ts

@@ -46,6 +46,7 @@ declare const RecordType: {
     readonly DNSKEY: 48;
     readonly DS: 43;
     readonly RRSIG: 46;
+    readonly NSEC3PARAM: 51;
     readonly PTR: 12;
     readonly SRV: 33;
     readonly HTTPS: 65;
@@ -191,7 +192,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.6.4";
+declare const SERVER_VERSION = "2.10.0";
 
 /**
  * Map of every tool name to its Zod argument schema.
@@ -257,6 +258,10 @@ declare function checkDmarc(domain: string, dnsOptions?: QueryDnsOptions): Promi
  * Verifies the AD (Authenticated Data) flag, checks for DNSKEY/DS records,
  * and audits algorithm and digest type security.
  * Augments results with dnssecSource metadata: 'domain_configured' or 'tld_inherited'.
+ *
+ * When the primary resolver reports AD=false but DNSKEY+DS records exist ("validation failing"),
+ * fires a confirmation probe to Google DoH. If Google says AD=true (edge flap), re-runs the
+ * check with the corrected flag to avoid score instability.
  */
 declare function checkDnssec(domain: string, dnsOptions?: QueryDnsOptions): Promise<CheckResult>;
 
@@ -291,6 +296,10 @@ declare function checkNs(domain: string, dnsOptions?: QueryDnsOptions): Promise<
  * Check SPF records for a domain.
  * Looks for v=spf1 TXT records and validates their configuration.
  * Recursively expands include chains to compute true DNS lookup count.
+ *
+ * Top-level DNS failures (timeout, DoH HTTP error, invalid response) are
+ * converted to a high-severity finding so callers receive a structured
+ * CheckResult instead of a thrown error.
  */
 declare function checkSpf(domain: string, dnsOptions?: QueryDnsOptions): Promise<CheckResult>;