blackveil-dns 2.9.2 → 2.10.0

package/README.md

@@ -82,7 +82,7 @@ Transport support:
 ## Tools
 
 ```
-  44 MCP tools · 7 prompts · 6 resources
+  51 MCP tools · 7 prompts · 6 resources
 
   Email Auth           Infrastructure        Brand & Threats       Meta
  ────────────         ────────────────       ─────────────────    ──────────────────────
@@ -111,10 +111,12 @@ Transport support:
 
 ## Quality & Reliability
 
-The server is continuously validated using a **comprehensive chaos test suite** that covers all 9 detected MCP client types:
+The server is continuously validated using a **comprehensive chaos test suite** that covers all detected MCP client types:
 
-- **Interactive clients**: `claude_code`, `cursor`, `vscode`, `claude_desktop`, `windsurf` (auto-format: `compact`)
-- **Non-interactive clients**: `mcp_remote`, `blackveil_dns_action`, `bv_claude_dns_proxy`, `unknown` (auto-format: `full`)
+- **Interactive clients**: `claude_mobile`, `claude_code`, `cursor`, `vscode`, `claude_desktop`, `windsurf` (auto-format: `compact`)
+- **Non-interactive clients**: `mcp_remote`, `blackveil_dns_action`, `bv_claude_dns_proxy`, `bv_load_test`, `unknown` (auto-format: `full`)
+
+The `bv_load_test` class identifies internal load/chaos/tranco-scan traffic so it stays out of real-client analytics segments.
 
 The test suite ensures session stability, authentication precedence, and transport-specific edge cases across Streamable HTTP and Legacy SSE.
 
@@ -187,6 +189,28 @@ For full hosted setup examples, stdio usage, OAuth setup, and legacy fallback en
 
 ---
 
+## Example prompts
+
+These demonstrate core functionality — paste any of them into Claude with the Blackveil DNS connector enabled:
+
+| Prompt | What it does |
+|--------|-------------|
+| `Scan blackveilsecurity.com and tell me what needs fixing` | Full security audit — score, grade, prioritized findings |
+| `Compare the email security of google.com and microsoft.com` | Side-by-side comparison of two domains' postures |
+| `Generate a DMARC record for example.com with reject policy` | Produces a ready-to-publish DNS record |
+| `What attack paths exist for example.com?` | Enumerates spoofing, takeover, and hijack vectors |
+| `Map example.com's compliance against NIST 800-177` | Maps findings to compliance framework controls |
+
+---
+
+## Support
+
+- **Bug reports & feature requests:** [GitHub Issues](https://github.com/MadaBurns/bv-mcp/issues)
+- **Security vulnerabilities:** [security@blackveilsecurity.com](mailto:security@blackveilsecurity.com) (see [SECURITY.md](SECURITY.md))
+- **General questions:** [GitHub Discussions](https://github.com/MadaBurns/bv-mcp/discussions)
+
+---
+
 ## Responsible use
 
 This tool is intended for **authorized security assessments** of domains you own or have explicit permission to test. Do not use it for unauthorized reconnaissance, harassment, or any activity that violates applicable laws. Findings from attack simulation, spoofability, and subdomain discovery tools should be used to **improve your own security posture**, not to exploit others.

package/dist/index.d.ts

@@ -192,7 +192,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.9.2";
+declare const SERVER_VERSION = "2.10.0";
 
 /**
  * Map of every tool name to its Zod argument schema.
@@ -296,6 +296,10 @@ declare function checkNs(domain: string, dnsOptions?: QueryDnsOptions): Promise<
  * Check SPF records for a domain.
  * Looks for v=spf1 TXT records and validates their configuration.
  * Recursively expands include chains to compute true DNS lookup count.
+ *
+ * Top-level DNS failures (timeout, DoH HTTP error, invalid response) are
+ * converted to a high-severity finding so callers receive a structured
+ * CheckResult instead of a thrown error.
  */
 declare function checkSpf(domain: string, dnsOptions?: QueryDnsOptions): Promise<CheckResult>;
 

package/dist/index.js

@@ -2,7 +2,7 @@ import { z } from 'zod';
 import { PROFILE_WEIGHTS, buildCheckResult, createFinding, detectDomainContext, getProfileWeights, computeScanScore, scoreToGrade } from '@blackveil/dns-checks/scoring';
 export { CATEGORY_DISPLAY_WEIGHTS, SEVERITY_PENALTIES, buildCheckResult, computeCategoryScore, computeScanScore, createFinding, detectDomainContext, getProfileWeights, inferFindingConfidence, scoreToGrade } from '@blackveil/dns-checks/scoring';
 import * as punycode from 'punycode/';
-import { checkBIMI, checkCAA, checkDKIM, checkDMARC, checkDNSSEC, checkMTASTS, checkMX, createFinding as createFinding$1, checkNS, checkSPF, checkSSL, checkSubdomainTakeover as checkSubdomainTakeover$1, checkTLSRPT, buildCheckResult as buildCheckResult$1, checkSubdomailing as checkSubdomailing$1, checkSVCBHTTPS, checkDANEHTTPS, checkDANE, checkHTTPSecurity, parseDmarcTags } from '@blackveil/dns-checks';
+import { checkBIMI, checkCAA, checkDKIM, checkDMARC, checkDNSSEC, checkMTASTS, checkMX, createFinding as createFinding$1, checkNS, checkSPF, checkSSL, checkSubdomainTakeover as checkSubdomainTakeover$1, checkTLSRPT, buildCheckResult as buildCheckResult$1, checkSubdomailing as checkSubdomailing$1, checkSVCBHTTPS, checkDANEHTTPS, checkDANE, parseDmarcTags, checkHTTPSecurity } from '@blackveil/dns-checks';
 export { parseDmarcTags } from '@blackveil/dns-checks';
 import 'cloudflare:workers';
 import 'drizzle-orm';
@@ -587,7 +587,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.9.2";
+var SERVER_VERSION = "2.10.0";
 var DomainSchema = z.string().min(1).max(253);
 z.string().regex(/^[0-9a-f]{64}$/);
 var DkimSelectorSchema = z.string().transform((s) => s.trim().toLowerCase()).pipe(z.string().max(63).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/));
@@ -2028,11 +2028,29 @@ async function checkNs(domain, dnsOptions) {
   );
 }
 async function checkSpf(domain, dnsOptions) {
-  return checkSPF(
-    domain,
-    makeQueryDNS(dnsOptions),
-    { timeout: dnsOptions?.timeoutMs ?? 5e3 }
-  );
+  try {
+    return await checkSPF(
+      domain,
+      makeQueryDNS(dnsOptions),
+      { timeout: dnsOptions?.timeoutMs ?? 5e3 }
+    );
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    const isTimeout = /timed? out|timeout/i.test(message);
+    return buildCheckResult("spf", [
+      createFinding(
+        "spf",
+        isTimeout ? "SPF check timed out" : "SPF check could not complete",
+        "high",
+        isTimeout ? `DNS lookup for the domain timed out before the SPF record could be resolved: ${message}` : `DNS lookup failed before the SPF record could be resolved: ${message}`,
+        {
+          errorKind: isTimeout ? "timeout" : "dns_error",
+          confidence: "heuristic",
+          missingControl: true
+        }
+      )
+    ]);
+  }
 }
 async function checkSsl(domain) {
   return checkSSL(domain, fetch, { timeout: HTTPS_TIMEOUT_MS });
@@ -3205,7 +3223,31 @@ async function fetchBodyForWafDetection(url, timeoutMs) {
     return "";
   }
 }
+var TOTAL_BUDGET_MS = 1e4;
 async function checkHttpSecurity(domain) {
+  let budgetTimeoutId;
+  const budgetExceeded = new Promise((resolve) => {
+    budgetTimeoutId = setTimeout(() => resolve("budget_exceeded"), TOTAL_BUDGET_MS);
+  });
+  try {
+    const raced = await Promise.race([checkHttpSecurityInner(domain), budgetExceeded]);
+    if (raced === "budget_exceeded") {
+      const finding = createFinding(
+        "http_security",
+        "HTTP security check timed out",
+        "high",
+        `Could not complete HTTP security header analysis for ${domain} within ${TOTAL_BUDGET_MS}ms. Host was likely unreachable or extremely slow.`,
+        { missingControl: true, confidence: "heuristic", errorKind: "timeout" }
+      );
+      const base = buildCheckResult("http_security", [finding]);
+      return { ...base, score: 0, passed: false, checkStatus: "timeout" };
+    }
+    return raced;
+  } finally {
+    if (budgetTimeoutId !== void 0) clearTimeout(budgetTimeoutId);
+  }
+}
+async function checkHttpSecurityInner(domain) {
   const dualResult = await dualFetchHeaders(domain, HTTPS_TIMEOUT_MS);
   if (dualResult) {
     const headersForWaf = dualResult.headers;