curatedmcp 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 CuratedMCP
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,175 @@
+# @curatedmcp/launcher
+
+[![npm version](https://img.shields.io/npm/v/@curatedmcp/launcher?color=brightgreen)](https://www.npmjs.com/package/@curatedmcp/launcher)
+[![npm downloads](https://img.shields.io/npm/dm/@curatedmcp/launcher)](https://www.npmjs.com/package/@curatedmcp/launcher)
+[![CI](https://github.com/oneprofile-dev/mcp-launcher/actions/workflows/test.yml/badge.svg)](https://github.com/oneprofile-dev/mcp-launcher/actions/workflows/test.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Node.js ≥18](https://img.shields.io/node/v/@curatedmcp/launcher)](https://nodejs.org)
+
+> **The MCP Hub.** One config that bridges every AI agent (Claude, Cursor, Windsurf, Copilot, Gemini) to every MCP server you register.
+
+```bash
+npx @curatedmcp/launcher init
+```
+
+**Plug it in once. Add servers anytime. Use them in any AI agent.**
+
+---
+
+## Why
+
+If you use MCP servers across multiple AI clients, you've felt this pain:
+
+- You configure GitHub MCP in Claude Desktop. Then you switch to Cursor and have to do it again.
+- You add five servers to Claude. Want them in Windsurf too? Edit a different config file.
+- A new AI agent ships? Re-paste every server config from scratch.
+
+**Launcher fixes that.** It's one MCP entry that fans out to every server you've added, in every AI client.
+
+```
+   Claude   Cursor   Windsurf   Copilot   Gemini
+       \      \      |      /      /
+        ┌──────────────────────────┐
+        │  @curatedmcp/launcher    │   ← one config in each agent
+        │  (the MCP hub)           │
+        └────┬──────┬──────┬───────┘
+             │      │      │
+          GitHub  Postgres  Stripe   ← `launcher add`'d once, available everywhere
+```
+
+---
+
+## Install (60 seconds)
+
+### 1. Add Launcher to your AI client
+
+Drop this entry into your MCP config:
+
+```json
+{
+  "mcpServers": {
+    "curatedmcp": {
+      "command": "npx",
+      "args": ["-y", "@curatedmcp/launcher"]
+    }
+  }
+}
+```
+
+Config file location:
+
+| Client          | Path                                                                  |
+| --------------- | --------------------------------------------------------------------- |
+| Claude Desktop  | `~/Library/Application Support/Claude/claude_desktop_config.json` (mac) / `%APPDATA%\Claude\claude_desktop_config.json` (win) |
+| Cursor          | `~/.cursor/mcp.json`                                                  |
+| Windsurf        | `~/.codeium/windsurf/mcp_config.json`                                 |
+| Claude Code     | `~/.claude/mcp.json` (or `.claude/mcp.json` per-project)              |
+
+### 2. Add servers to your stack
+
+```bash
+npx @curatedmcp/launcher add github
+# Prompts for GITHUB_TOKEN
+
+npx @curatedmcp/launcher add postgres --env DATABASE_URL=postgres://...
+npx @curatedmcp/launcher list
+```
+
+### 3. Restart your AI client
+
+Tools appear with a `<slug>__` prefix:
+
+- `github__create_issue`
+- `postgres__query`
+- `filesystem__read_file`
+
+That's it. Add more servers any time — just `add` and restart.
+
+---
+
+## CLI Reference
+
+```
+launcher                      # Run as MCP server (used by AI clients)
+launcher init                 # Print the config snippet for your AI client
+launcher add <slug>           # Add a server from the CuratedMCP catalog
+  --env KEY=value             # Pre-supply env vars (otherwise prompted)
+launcher remove <slug>        # Remove a server from your stack
+launcher list                 # Show your stack
+launcher --version            # Print version
+launcher --help               # Print help
+```
+
+---
+
+## How it works
+
+1. Your AI client launches `npx @curatedmcp/launcher` over stdio (one MCP entry, like any other).
+2. Launcher reads `~/.curatedmcp/stack.json` and **spawns each registered server as a child process** over stdio.
+3. On `tools/list`, Launcher **aggregates** every child's tools and returns them prefixed with the server's slug.
+4. On `tools/call`, Launcher **routes** the request to the matching child by name prefix and forwards the response unchanged.
+
+This makes Launcher invisible to the agent — it sees one MCP server with all the tools — while behind the scenes you've got N independent processes, isolated, each with its own credentials.
+
+---
+
+## Config file
+
+`~/.curatedmcp/stack.json` — plain JSON, hand-editable, version-controllable:
+
+```json
+{
+  "version": 1,
+  "entries": [
+    {
+      "slug": "github",
+      "name": "GitHub",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": { "GITHUB_TOKEN": "ghp_xxxxxxxxxxxx" },
+      "addedAt": "2026-05-01T10:14:00.000Z"
+    }
+  ]
+}
+```
+
+Set `"disabled": true` on an entry to skip it without removing it.
+
+---
+
+## In-agent discovery
+
+Launcher itself exposes 5 discovery tools to your AI client, so you can ask the agent:
+
+> "Find me an MCP server for Postgres."
+> "What's the best Stripe MCP?"
+> "Add the Postgres MCP server to my stack."
+
+The agent uses `search_servers`, `get_server_details`, and `add_to_stack` to do all of that without you leaving the chat.
+
+---
+
+## Privacy
+
+- **All config is local** at `~/.curatedmcp/stack.json`. No cloud sync, no account.
+- **Anonymous telemetry only** (event names like "search", "add"). Disable with `--no-telemetry` or `CURATOR_TELEMETRY=false`.
+- A persistent UUID is stored at `~/.curatedmcp/launcher.json` for de-duplication.
+
+---
+
+## Compatibility
+
+- Works with Claude Desktop, Claude Code, Cursor, Windsurf, Copilot, Gemini, OpenAI Agents — anything that supports MCP over stdio.
+- Node.js ≥ 18.
+- Single dependency: `@modelcontextprotocol/sdk`.
+
+---
+
+## Links
+
+- 🌐 [curatedmcp.com/launcher](https://curatedmcp.com/launcher)
+- 📚 [Marketplace](https://curatedmcp.com/marketplace)
+- 🐙 [GitHub](https://github.com/curatedmcp/launcher)
+- 💬 [Issues](https://github.com/curatedmcp/launcher/issues)
+
+MIT licensed.

package/dist/audit/catalog.d.ts

@@ -0,0 +1,5 @@
+export declare function getCatalog(): Promise<{
+    slugs: Set<string>;
+    npm: Set<string>;
+}>;
+//# sourceMappingURL=catalog.d.ts.map

package/dist/audit/catalog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog.d.ts","sourceRoot":"","sources":["../../src/audit/catalog.ts"],"names":[],"mappings":"AA0DA,wBAAsB,UAAU,IAAI,OAAO,CAAC;IAAE,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;CAAE,CAAC,CAkBpF"}

package/dist/audit/catalog.js

@@ -0,0 +1,69 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import * as https from "https";
+const CATALOG_URL = "https://www.curatedmcp.com/api/catalog";
+const CACHE_DIR = path.join(os.homedir(), ".curatedmcp");
+const CACHE_FILE = path.join(CACHE_DIR, "catalog.json");
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+function readCache() {
+    try {
+        const raw = fs.readFileSync(CACHE_FILE, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+function writeCache(data) {
+    try {
+        if (!fs.existsSync(CACHE_DIR))
+            fs.mkdirSync(CACHE_DIR, { recursive: true });
+        fs.writeFileSync(CACHE_FILE, JSON.stringify(data), "utf-8");
+    }
+    catch {
+        // Cache write failure is non-fatal
+    }
+}
+function fetchCatalog() {
+    return new Promise((resolve) => {
+        const req = https.get(CATALOG_URL, { timeout: 5000 }, (res) => {
+            let body = "";
+            res.on("data", (chunk) => { body += chunk.toString(); });
+            res.on("end", () => {
+                try {
+                    const json = JSON.parse(body);
+                    resolve(Array.isArray(json.servers) ? json.servers : []);
+                }
+                catch {
+                    resolve([]);
+                }
+            });
+        });
+        req.on("error", () => resolve([]));
+        req.on("timeout", () => { req.destroy(); resolve([]); });
+    });
+}
+export async function getCatalog() {
+    // Check cache first
+    const cached = readCache();
+    if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+        return buildSets(cached.servers);
+    }
+    // Fetch fresh
+    const servers = await fetchCatalog();
+    if (servers.length > 0) {
+        writeCache({ fetchedAt: Date.now(), servers });
+        return buildSets(servers);
+    }
+    // Fall back to stale cache if fetch failed
+    if (cached)
+        return buildSets(cached.servers);
+    return { slugs: new Set(), npm: new Set() };
+}
+function buildSets(servers) {
+    const slugs = new Set(servers.map((s) => s.slug.toLowerCase()));
+    const npm = new Set(servers.filter((s) => s.npm).map((s) => s.npm));
+    return { slugs, npm };
+}
+//# sourceMappingURL=catalog.js.map

package/dist/audit/index.d.ts

@@ -0,0 +1,10 @@
+import type { AuditReport } from "./types.js";
+export type { AuditReport, AnalyzedServer } from "./types.js";
+/**
+ * Run a full MCP security scan of the local machine.
+ * Pure data — no printing — so callers (CLI display, sync forwarding) decide output.
+ */
+export declare function runAudit(opts?: {
+    offline?: boolean;
+}): Promise<AuditReport>;
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAkB,MAAM,YAAY,CAAC;AAE9D,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE9D;;;GAGG;AACH,wBAAsB,QAAQ,CAC5B,IAAI,GAAE;IAAE,OAAO,CAAC,EAAE,OAAO,CAAA;CAAO,GAC/B,OAAO,CAAC,WAAW,CAAC,CAyBtB"}

package/dist/audit/index.js

@@ -0,0 +1,32 @@
+import { scanConfigs } from "./scanner.js";
+import { analyzeServer } from "./risk.js";
+import { getCatalog } from "./catalog.js";
+/**
+ * Run a full MCP security scan of the local machine.
+ * Pure data — no printing — so callers (CLI display, sync forwarding) decide output.
+ */
+export async function runAudit(opts = {}) {
+    const catalog = opts.offline
+        ? { slugs: new Set(), npm: new Set() }
+        : await getCatalog();
+    const configFiles = scanConfigs();
+    const allServers = [];
+    const foundFiles = [];
+    for (const { filePath, servers } of configFiles) {
+        if (servers.length > 0)
+            foundFiles.push(filePath);
+        for (const server of servers) {
+            allServers.push(analyzeServer(server, catalog.slugs, catalog.npm));
+        }
+    }
+    return {
+        scannedAt: new Date().toLocaleString(),
+        configFiles: foundFiles,
+        totalServers: allServers.length,
+        high: allServers.filter((s) => s.level === "HIGH"),
+        medium: allServers.filter((s) => s.level === "MEDIUM"),
+        verified: allServers.filter((s) => s.level === "VERIFIED"),
+        unverified: allServers.filter((s) => s.level === "LOW"),
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/audit/report.d.ts

@@ -0,0 +1,6 @@
+import type { AuditReport } from "./types.js";
+export declare function printReport(report: AuditReport, opts?: {
+    synced?: boolean;
+}): Promise<void>;
+export declare function printJson(report: AuditReport): void;
+//# sourceMappingURL=report.d.ts.map

package/dist/audit/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../src/audit/report.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAkB,MAAM,YAAY,CAAC;AAqB9D,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,IAAI,GAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAO,GAC9B,OAAO,CAAC,IAAI,CAAC,CA8Df;AAaD,wBAAgB,SAAS,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAEnD"}

package/dist/audit/report.js

@@ -0,0 +1,79 @@
+// Chalk is ESM-only in v5, imported dynamically.
+let chalk;
+async function getChalk() {
+    if (!chalk) {
+        const m = await import("chalk");
+        chalk = m.default;
+    }
+    return chalk;
+}
+const FLAG_LABELS = {
+    FILE_SYSTEM_ACCESS: "FILE_SYSTEM_ACCESS",
+    KEYCHAIN_ACCESS: "KEYCHAIN_ACCESS",
+    CREDENTIAL_IN_ENV: "CREDENTIAL_IN_ENV",
+    NETWORK_ACCESS: "NETWORK_ACCESS",
+    UNVERIFIED: "UNVERIFIED",
+};
+export async function printReport(report, opts = {}) {
+    const c = await getChalk();
+    console.log("\n" + c.bold("MCP Security Audit") + c.dim(` — ${report.scannedAt}`));
+    console.log(c.dim("━".repeat(50)));
+    console.log();
+    if (report.configFiles.length === 0) {
+        console.log(c.yellow("No MCP configuration files found on this machine."));
+        console.log(c.dim("Install Claude Desktop, Cursor, or Claude Code to get started."));
+        console.log();
+        return;
+    }
+    console.log(c.dim(`Found ${report.configFiles.length} config file${report.configFiles.length !== 1 ? "s" : ""}. ` +
+        `${report.totalServers} server${report.totalServers !== 1 ? "s" : ""} detected.`));
+    for (const f of report.configFiles) {
+        console.log(c.dim(`  ✓ ${f}`));
+    }
+    console.log();
+    if (report.high.length > 0) {
+        console.log(c.red.bold(`HIGH RISK (${report.high.length})`));
+        for (const s of report.high)
+            printServer(c, s, "red");
+        console.log();
+    }
+    if (report.medium.length > 0) {
+        console.log(c.yellow.bold(`MEDIUM RISK (${report.medium.length})`));
+        for (const s of report.medium)
+            printServer(c, s, "yellow");
+        console.log();
+    }
+    if (report.unverified.length > 0) {
+        console.log(c.dim(`UNVERIFIED (${report.unverified.length}) — not in the CuratedMCP catalog`));
+        for (const s of report.unverified) {
+            console.log(c.dim(`  ? ${s.name}`));
+            console.log(c.dim(`    ${s.sourceFile}`));
+        }
+        console.log();
+    }
+    if (report.verified.length > 0) {
+        console.log(c.green(`VERIFIED (${report.verified.length})`));
+        const names = report.verified.map((s) => s.name).join(", ");
+        console.log(c.dim(`  ✓ ${names}`));
+        console.log();
+    }
+    console.log(c.dim("─".repeat(50)));
+    if (opts.synced) {
+        console.log(c.green("  ✓ Scan synced to your CuratedMCP account."));
+    }
+    else {
+        console.log(c.dim("  Sign in to sync scans & get alerts:  ") + c.cyan("curatedmcp login"));
+    }
+    console.log();
+}
+function printServer(c, s, color) {
+    const flagStr = s.flags.map((f) => FLAG_LABELS[f]).join(", ");
+    console.log(c[color](`  ⚠ ${s.name}`) + c.dim(` — ${flagStr}`));
+    console.log(c.dim(`    ${s.sourceFile}`));
+    if (s.command)
+        console.log(c.dim(`    ${s.command}`));
+}
+export function printJson(report) {
+    console.log(JSON.stringify(report, null, 2));
+}
+//# sourceMappingURL=report.js.map

package/dist/audit/risk.d.ts

@@ -0,0 +1,3 @@
+import type { MCPServerEntry, AnalyzedServer } from "./types.js";
+export declare function analyzeServer(server: MCPServerEntry, verifiedSlugs: Set<string>, verifiedNpm: Set<string>): AnalyzedServer;
+//# sourceMappingURL=risk.d.ts.map

package/dist/audit/risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk.d.ts","sourceRoot":"","sources":["../../src/audit/risk.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAuB,cAAc,EAAE,MAAM,YAAY,CAAC;AAkBtF,wBAAgB,aAAa,CAC3B,MAAM,EAAE,cAAc,EACtB,aAAa,EAAE,GAAG,CAAC,MAAM,CAAC,EAC1B,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,GACvB,cAAc,CAyDhB"}

package/dist/audit/risk.js

@@ -0,0 +1,68 @@
+const CREDENTIAL_PATTERN = /SECRET|TOKEN|PASSWORD|KEY|APIKEY|API_KEY|PRIVATE|AUTH/i;
+const FILESYSTEM_ARGS = /--allow-write|--allow-read|--allow-all|\/Users|\/home|\/var|C:\\/i;
+const KEYCHAIN_CMDS = /keychain|security\s+find|secret-tool|kwallet/i;
+const NETWORK_CMDS = /curl|wget|fetch|http/i;
+function extractNpmPackage(command, args) {
+    if (!command)
+        return undefined;
+    // "npx -y @scope/pkg" or "npx pkg"
+    if (command === "npx" && args?.length) {
+        const pkg = args.find((a) => !a.startsWith("-"));
+        return pkg;
+    }
+    // "node /path/to/script" — not an npm package
+    return undefined;
+}
+export function analyzeServer(server, verifiedSlugs, verifiedNpm) {
+    const flags = [];
+    const cmdLine = [server.command, ...(server.args ?? [])].join(" ");
+    const npmPackage = extractNpmPackage(server.command, server.args);
+    // File system access
+    if (FILESYSTEM_ARGS.test(cmdLine)) {
+        flags.push("FILE_SYSTEM_ACCESS");
+    }
+    // Keychain access
+    if (KEYCHAIN_CMDS.test(cmdLine)) {
+        flags.push("KEYCHAIN_ACCESS");
+    }
+    // Credentials in env block
+    if (server.env) {
+        const envKeys = Object.keys(server.env).join(" ");
+        if (CREDENTIAL_PATTERN.test(envKeys)) {
+            flags.push("CREDENTIAL_IN_ENV");
+        }
+    }
+    // Network access (non-npx commands that fetch data)
+    if (server.command !== "npx" && server.command !== "node" && NETWORK_CMDS.test(cmdLine)) {
+        flags.push("NETWORK_ACCESS");
+    }
+    // Unverified — not in catalog
+    const isVerified = verifiedSlugs.has(server.name.toLowerCase()) ||
+        (npmPackage != null && verifiedNpm.has(npmPackage));
+    if (!isVerified) {
+        flags.push("UNVERIFIED");
+    }
+    // Determine overall level
+    let level;
+    if (flags.some((f) => f !== "UNVERIFIED") && flags.includes("UNVERIFIED")) {
+        level = "HIGH";
+    }
+    else if (flags.some((f) => f !== "UNVERIFIED")) {
+        level = "MEDIUM"; // has risk flags but is a verified server
+    }
+    else if (flags.includes("UNVERIFIED")) {
+        level = "LOW"; // unknown server but no other flags
+    }
+    else {
+        level = "VERIFIED";
+    }
+    return {
+        name: server.name,
+        sourceFile: server.sourceFile,
+        command: [server.command, ...(server.args ?? [])].filter(Boolean).join(" ") || undefined,
+        flags,
+        level,
+        ...(npmPackage ? { npmPackage } : {}),
+    };
+}
+//# sourceMappingURL=risk.js.map

package/dist/audit/scanner.d.ts

@@ -0,0 +1,8 @@
+import type { MCPServerEntry } from "./types.js";
+interface ConfigFile {
+    filePath: string;
+    servers: MCPServerEntry[];
+}
+export declare function scanConfigs(): ConfigFile[];
+export {};
+//# sourceMappingURL=scanner.d.ts.map

package/dist/audit/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/audit/scanner.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,UAAU,UAAU;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAgED,wBAAgB,WAAW,IAAI,UAAU,EAAE,CAS1C"}

package/dist/audit/scanner.js

@@ -0,0 +1,69 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+// All known MCP config locations, keyed by platform
+function getConfigPaths() {
+    const home = os.homedir();
+    const platform = process.platform;
+    const appdata = process.env.APPDATA ?? "";
+    const paths = [
+        // Claude Code — user-level
+        path.join(home, ".claude", "mcp.json"),
+        // Claude Code — project-level (current working directory)
+        path.join(process.cwd(), ".claude", "mcp.json"),
+    ];
+    if (platform === "darwin" || platform === "linux") {
+        paths.push(
+        // Claude Desktop (macOS)
+        path.join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json"), 
+        // Cursor (macOS/Linux)
+        path.join(home, ".cursor", "mcp.json"), 
+        // Windsurf (macOS/Linux)
+        path.join(home, ".codeium", "windsurf", "mcp_config.json"));
+    }
+    if (platform === "win32") {
+        paths.push(
+        // Claude Desktop (Windows)
+        path.join(appdata, "Claude", "claude_desktop_config.json"), 
+        // Cursor (Windows)
+        path.join(appdata, ".cursor", "mcp.json"), 
+        // Windsurf (Windows)
+        path.join(appdata, "Codeium", "Windsurf", "mcp_config.json"));
+    }
+    return paths;
+}
+function parseConfig(filePath) {
+    try {
+        const raw = fs.readFileSync(filePath, "utf-8");
+        const json = JSON.parse(raw);
+        const servers = json.mcpServers ?? {};
+        return Object.entries(servers).map(([name, def]) => {
+            const d = def;
+            return {
+                name,
+                command: typeof d.command === "string" ? d.command : undefined,
+                args: Array.isArray(d.args) ? d.args : undefined,
+                env: typeof d.env === "object" && d.env !== null
+                    ? d.env
+                    : undefined,
+                url: typeof d.url === "string" ? d.url : undefined,
+                type: typeof d.type === "string" ? d.type : undefined,
+                sourceFile: filePath,
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+export function scanConfigs() {
+    const results = [];
+    for (const filePath of getConfigPaths()) {
+        if (fs.existsSync(filePath)) {
+            const servers = parseConfig(filePath);
+            results.push({ filePath, servers });
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=scanner.js.map

package/dist/audit/types.d.ts

@@ -0,0 +1,29 @@
+export type RiskFlag = "FILE_SYSTEM_ACCESS" | "KEYCHAIN_ACCESS" | "CREDENTIAL_IN_ENV" | "NETWORK_ACCESS" | "UNVERIFIED";
+export type RiskLevel = "HIGH" | "MEDIUM" | "LOW" | "VERIFIED";
+export interface MCPServerEntry {
+    name: string;
+    command?: string;
+    args?: string[];
+    env?: Record<string, string>;
+    url?: string;
+    type?: string;
+    sourceFile: string;
+}
+export interface AnalyzedServer {
+    name: string;
+    sourceFile: string;
+    command?: string;
+    flags: RiskFlag[];
+    level: RiskLevel;
+    npmPackage?: string;
+}
+export interface AuditReport {
+    scannedAt: string;
+    configFiles: string[];
+    totalServers: number;
+    high: AnalyzedServer[];
+    medium: AnalyzedServer[];
+    verified: AnalyzedServer[];
+    unverified: AnalyzedServer[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/audit/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/audit/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,QAAQ,GAChB,oBAAoB,GACpB,iBAAiB,GACjB,mBAAmB,GACnB,gBAAgB,GAChB,YAAY,CAAC;AAEjB,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,EAAE,SAAS,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,EAAE,CAAC;IACvB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,UAAU,EAAE,cAAc,EAAE,CAAC;CAC9B"}

package/dist/audit/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth.d.ts

@@ -0,0 +1,23 @@
+export declare const API_URL: string;
+export interface StoredAuth {
+    token: string;
+    userId?: string;
+    email?: string;
+    savedAt: string;
+}
+export interface WhoAmI {
+    userId: string;
+    email?: string | null;
+    teams: {
+        slug: string;
+        name: string;
+        role: string;
+    }[];
+}
+export declare function loadAuth(): StoredAuth | null;
+export declare function getToken(): string | null;
+export declare function saveAuth(auth: StoredAuth): void;
+export declare function clearAuth(): void;
+/** Validate a token against the control plane. Returns identity + teams or null. */
+export declare function whoami(token: string): Promise<WhoAmI | null>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,OAAO,QACyC,CAAC;AAK9D,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,MAAM;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvD;AAED,wBAAgB,QAAQ,IAAI,UAAU,GAAG,IAAI,CAM5C;AAED,wBAAgB,QAAQ,IAAI,MAAM,GAAG,IAAI,CAExC;AAED,wBAAgB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI,CAQ/C;AAED,wBAAgB,SAAS,IAAI,IAAI,CAMhC;AAED,oFAAoF;AACpF,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAWlE"}