guardrail-mcp 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { registerScanTool } from "./tools/scan.js";
+import { registerStatusTool } from "./tools/status.js";
+import { registerIssuesTool } from "./tools/issues.js";
+import { registerFixTool } from "./tools/fix.js";
+const server = new McpServer({
+    name: "guardrail-mcp",
+    version: "0.1.0",
+});
+registerScanTool(server);
+registerStatusTool(server);
+registerIssuesTool(server);
+registerFixTool(server);
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/dist/lib/api-client.d.ts

@@ -0,0 +1,10 @@
+export declare class ApiClient {
+    private baseUrl;
+    private projectKey;
+    constructor();
+    isConfigured(): boolean;
+    getConfigError(): string;
+    post<T = unknown>(path: string, body: unknown): Promise<T>;
+    get<T = unknown>(path: string): Promise<T>;
+}
+export declare const apiClient: ApiClient;

package/dist/lib/api-client.js

@@ -0,0 +1,70 @@
+const API_URL = process.env.GUARDRAIL_API_URL || "https://guardrail-seven.vercel.app";
+const PROJECT_KEY = process.env.GUARDRAIL_PROJECT_KEY;
+export class ApiClient {
+    baseUrl;
+    projectKey;
+    constructor() {
+        this.baseUrl = API_URL;
+        this.projectKey = PROJECT_KEY;
+    }
+    isConfigured() {
+        return !!this.projectKey;
+    }
+    getConfigError() {
+        return [
+            "GUARDRAIL_PROJECT_KEY is not set.",
+            "",
+            "To configure, add this to your Claude Code MCP settings:",
+            "",
+            '{',
+            '  "mcpServers": {',
+            '    "guardrail": {',
+            '      "command": "npx",',
+            '      "args": ["-y", "guardrail-mcp@latest"],',
+            '      "env": {',
+            '        "GUARDRAIL_PROJECT_KEY": "gr_sk_your_key_here"',
+            "      }",
+            "    }",
+            "  }",
+            "}",
+            "",
+            "Get your project key from: https://guardrail-seven.vercel.app → Project Settings → MCP Connection",
+        ].join("\n");
+    }
+    async post(path, body) {
+        if (!this.projectKey) {
+            throw new Error(this.getConfigError());
+        }
+        const res = await fetch(`${this.baseUrl}${path}`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${this.projectKey}`,
+            },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+            const data = await res.json().catch(() => ({}));
+            throw new Error(data.error ||
+                `API error: ${res.status} ${res.statusText}`);
+        }
+        return res.json();
+    }
+    async get(path) {
+        if (!this.projectKey) {
+            throw new Error(this.getConfigError());
+        }
+        const res = await fetch(`${this.baseUrl}${path}`, {
+            headers: {
+                Authorization: `Bearer ${this.projectKey}`,
+            },
+        });
+        if (!res.ok) {
+            const data = await res.json().catch(() => ({}));
+            throw new Error(data.error ||
+                `API error: ${res.status} ${res.statusText}`);
+        }
+        return res.json();
+    }
+}
+export const apiClient = new ApiClient();

package/dist/lib/checks.d.ts

@@ -0,0 +1,8 @@
+import type { RepoFile } from "./local-scanner.js";
+export interface CheckResult {
+    check_key: string;
+    category: "payment" | "auth" | "secrets" | "infra" | "legal";
+    status: "pass" | "fail";
+    severity: "critical" | "warning";
+}
+export declare function runAllChecks(files: RepoFile[]): CheckResult[];

package/dist/lib/checks.js

@@ -0,0 +1,239 @@
+function isEnvFile(path) {
+    const name = path.split("/").pop() || "";
+    return name.startsWith(".env");
+}
+function isSourceFile(file) {
+    const ext = file.path.split(".").pop()?.toLowerCase();
+    return (!isEnvFile(file.path) &&
+        ["js", "ts", "tsx", "jsx", "mjs", "cjs", "py", "rb", "go"].includes(ext || ""));
+}
+function getSourceFiles(files) {
+    return files.filter(isSourceFile);
+}
+function anyFileMatches(files, pattern) {
+    return files.some((f) => pattern.test(f.content));
+}
+function allContent(files) {
+    return files.map((f) => f.content).join("\n");
+}
+const checkStripeKeyExposed = (files) => {
+    const result = {
+        check_key: "stripe_key_exposed",
+        category: "payment",
+        status: "pass",
+        severity: "critical",
+    };
+    const pattern = /(?:sk_live_|sk_test_|rk_live_|rk_test_)[a-zA-Z0-9]{20,}/;
+    const sourceFiles = getSourceFiles(files);
+    if (anyFileMatches(sourceFiles, pattern)) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkWebhookNoVerify = (files) => {
+    const result = {
+        check_key: "webhook_no_verify",
+        category: "payment",
+        status: "pass",
+        severity: "warning",
+    };
+    const sourceFiles = getSourceFiles(files);
+    const webhookPattern = /webhook/i;
+    const hasWebhook = sourceFiles.some((f) => webhookPattern.test(f.path)) ||
+        anyFileMatches(sourceFiles, webhookPattern);
+    if (!hasWebhook)
+        return result;
+    const verifyPatterns = [
+        /constructEvent/,
+        /verify.*signature/i,
+        /timingSafeEqual/,
+        /svix/i,
+        /hmac/i,
+        /webhook.*secret/i,
+    ];
+    const content = allContent(sourceFiles);
+    const hasVerify = verifyPatterns.some((p) => p.test(content));
+    if (!hasVerify) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkPasswordPlaintext = (files) => {
+    const result = {
+        check_key: "password_plaintext",
+        category: "auth",
+        status: "pass",
+        severity: "critical",
+    };
+    const sourceFiles = getSourceFiles(files);
+    const content = allContent(sourceFiles);
+    const plaintextPatterns = [
+        /password\s*[:=]\s*(?:req|request|body|input|data|params)\./i,
+        /\.create\([^)]*password:\s*(?:req|request|body|input|data|params)\./i,
+        /INSERT.*password.*VALUES.*\$\{/i,
+        /password\s*=\s*(?:req|request|body|input)\./i,
+    ];
+    const hashPatterns = [
+        /bcrypt/i,
+        /argon2/i,
+        /scrypt/i,
+        /pbkdf2/i,
+        /hashPassword/i,
+        /hash\s*\(/,
+        /createHash/,
+    ];
+    const hasPlaintext = plaintextPatterns.some((p) => p.test(content));
+    if (!hasPlaintext)
+        return result;
+    const hasHash = hashPatterns.some((p) => p.test(content));
+    if (!hasHash) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkNoRateLimit = (files) => {
+    const result = {
+        check_key: "no_rate_limit",
+        category: "auth",
+        status: "pass",
+        severity: "warning",
+    };
+    const authRoutePattern = /\/(api|pages\/api)\/.*(login|signin|sign-in|auth|register|signup)/i;
+    const hasAuthEndpoint = files.some((f) => authRoutePattern.test(f.path));
+    if (!hasAuthEndpoint)
+        return result;
+    const content = allContent(getSourceFiles(files));
+    const rateLimitPatterns = [
+        /ratelimit/i,
+        /rate[_-]?limit/i,
+        /throttle/i,
+        /RateLimiter/i,
+        /upstash.*ratelimit/i,
+        /status:\s*429/,
+        /too.many.requests/i,
+        /rate.limited/i,
+    ];
+    const hasRateLimit = rateLimitPatterns.some((p) => p.test(content));
+    if (!hasRateLimit) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkEnvNotGitignored = (files) => {
+    const result = {
+        check_key: "env_not_gitignored",
+        category: "secrets",
+        status: "pass",
+        severity: "critical",
+    };
+    const gitignore = files.find((f) => f.path === ".gitignore");
+    if (!gitignore) {
+        result.status = "fail";
+        return result;
+    }
+    const envPatterns = [/^\.env$/m, /^\.env\.local$/m, /^\.env\*$/m, /^\.env\.\*$/m];
+    const hasEnvRule = envPatterns.some((p) => p.test(gitignore.content));
+    if (!hasEnvRule) {
+        result.status = "fail";
+        return result;
+    }
+    const committedEnv = files.some((f) => isEnvFile(f.path) &&
+        !f.path.includes(".example") &&
+        !f.path.includes(".sample") &&
+        f.path !== ".gitignore");
+    if (committedEnv) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkApiKeyHardcoded = (files) => {
+    const result = {
+        check_key: "api_key_hardcoded",
+        category: "secrets",
+        status: "pass",
+        severity: "critical",
+    };
+    const sourceFiles = files.filter((f) => isSourceFile(f) &&
+        !f.path.includes(".example") &&
+        !f.path.includes(".test.") &&
+        !f.path.includes(".spec.") &&
+        !f.path.includes("__test__") &&
+        !f.path.includes("__tests__"));
+    const patterns = [
+        /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/i,
+        /AKIA[0-9A-Z]{16}/,
+        /sk-[a-zA-Z0-9]{32,}/,
+        /SG\.[a-zA-Z0-9_\-]{22}\.[a-zA-Z0-9_\-]{43}/,
+        /ghp_[a-zA-Z0-9]{36}/,
+        /glpat-[a-zA-Z0-9\-_]{20}/,
+        /re_[a-zA-Z0-9]{20,}/,
+    ];
+    for (const file of sourceFiles) {
+        for (const pattern of patterns) {
+            if (pattern.test(file.content)) {
+                result.status = "fail";
+                return result;
+            }
+        }
+    }
+    return result;
+};
+const checkNoHttps = (files) => {
+    const result = {
+        check_key: "no_https",
+        category: "infra",
+        status: "pass",
+        severity: "warning",
+    };
+    const hasVercel = files.some((f) => f.path === "vercel.json");
+    const hasNetlify = files.some((f) => f.path === "netlify.toml");
+    const pkgJson = files.find((f) => f.path === "package.json");
+    if (hasVercel || hasNetlify)
+        return result;
+    if (pkgJson) {
+        const content = pkgJson.content;
+        if (/vercel|netlify|railway/i.test(content) &&
+            (/"scripts"/.test(content) || /"dependencies"/.test(content))) {
+            return result;
+        }
+    }
+    const content = allContent(getSourceFiles(files));
+    if (/strict-transport-security/i.test(content))
+        return result;
+    const insecurePattern = /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0|::1)[a-zA-Z]/;
+    if (insecurePattern.test(content)) {
+        result.status = "fail";
+    }
+    return result;
+};
+const checkNoPrivacyPolicy = (files) => {
+    const result = {
+        check_key: "no_privacy_policy",
+        category: "legal",
+        status: "pass",
+        severity: "warning",
+    };
+    const hasPrivacyFile = files.some((f) => /privacy/i.test(f.path));
+    if (hasPrivacyFile)
+        return result;
+    const content = allContent(files);
+    if (/(?:href|to)=["'][^"']*privacy/i.test(content))
+        return result;
+    if (/privacy\s*policy/i.test(content))
+        return result;
+    result.status = "fail";
+    return result;
+};
+const ALL_CHECKS = [
+    checkStripeKeyExposed,
+    checkWebhookNoVerify,
+    checkPasswordPlaintext,
+    checkNoRateLimit,
+    checkEnvNotGitignored,
+    checkApiKeyHardcoded,
+    checkNoHttps,
+    checkNoPrivacyPolicy,
+];
+export function runAllChecks(files) {
+    return ALL_CHECKS.map((check) => check(files));
+}

package/dist/lib/grade.d.ts

@@ -0,0 +1,11 @@
+import type { CheckResult } from "./checks.js";
+export type ScanGrade = "A" | "B" | "C" | "D" | "F";
+export interface GradeResult {
+    grade: ScanGrade;
+    summary: string;
+    passCount: number;
+    failCount: number;
+    criticalCount: number;
+    warningCount: number;
+}
+export declare function calculateGrade(results: CheckResult[]): GradeResult;

package/dist/lib/grade.js

@@ -0,0 +1,40 @@
+const GRADE_SUMMARIES = {
+    A: "All clear — looking good!",
+    B: "Almost there — one thing to check",
+    C: "A few things need fixing",
+    D: "Several issues found",
+    F: "Critical issues need attention",
+};
+export function calculateGrade(results) {
+    const passCount = results.filter((r) => r.status === "pass").length;
+    const failCount = results.length - passCount;
+    const criticalCount = results.filter((r) => r.status === "fail" && r.severity === "critical").length;
+    const warningCount = results.filter((r) => r.status === "fail" && r.severity === "warning").length;
+    let grade;
+    if (criticalCount >= 2 || passCount <= 2) {
+        grade = "F";
+    }
+    else if (passCount <= 4) {
+        grade = "D";
+    }
+    else if (passCount <= 7 && criticalCount <= 1) {
+        grade = "C";
+    }
+    else if (passCount === 7 && criticalCount === 0) {
+        grade = "B";
+    }
+    else if (passCount === 8) {
+        grade = "A";
+    }
+    else {
+        grade = "C";
+    }
+    return {
+        grade,
+        summary: GRADE_SUMMARIES[grade],
+        passCount,
+        failCount,
+        criticalCount,
+        warningCount,
+    };
+}

package/dist/lib/local-scanner.d.ts

@@ -0,0 +1,5 @@
+export interface RepoFile {
+    path: string;
+    content: string;
+}
+export declare function scanLocalDirectory(dir: string): Promise<RepoFile[]>;

package/dist/lib/local-scanner.js

@@ -0,0 +1,88 @@
+import { readdir, readFile } from "node:fs/promises";
+import { join, relative, extname } from "node:path";
+const INCLUDE_EXTENSIONS = new Set([
+    ".js", ".ts", ".tsx", ".jsx", ".mjs", ".cjs",
+    ".py", ".rb", ".go", ".rs",
+    ".json", ".toml", ".yaml", ".yml",
+]);
+const INCLUDE_EXACT = new Set([
+    ".gitignore", ".env", ".env.local", ".env.production", ".env.development",
+    ".env.example", "package.json", "next.config.js", "next.config.ts",
+    "next.config.mjs", "vercel.json", "netlify.toml", "railway.json",
+    "Dockerfile", "docker-compose.yml", "docker-compose.yaml",
+]);
+const EXCLUDE_DIRS = new Set([
+    "node_modules", ".next", "dist", "build", "vendor", ".git",
+    "__pycache__", ".cache", "coverage", ".turbo", ".vercel",
+]);
+const MAX_FILES = 50;
+function shouldIncludeFile(filePath) {
+    const parts = filePath.split("/");
+    // Check exclusions
+    for (const part of parts) {
+        if (EXCLUDE_DIRS.has(part))
+            return false;
+    }
+    const fileName = parts[parts.length - 1];
+    // Exact match
+    if (INCLUDE_EXACT.has(fileName))
+        return true;
+    // .env files
+    if (fileName.startsWith(".env"))
+        return true;
+    // Extension match
+    const ext = extname(fileName);
+    if (ext && INCLUDE_EXTENSIONS.has(ext))
+        return true;
+    return false;
+}
+function priorityScore(filePath) {
+    if (filePath === ".gitignore" ||
+        filePath.startsWith(".env") ||
+        filePath === "package.json")
+        return 0;
+    if (filePath === "vercel.json" ||
+        filePath === "netlify.toml" ||
+        filePath.startsWith("next.config"))
+        return 1;
+    if (filePath.includes("/api/") || filePath.includes("/pages/api/"))
+        return 2;
+    if (filePath.includes("auth") ||
+        filePath.includes("login") ||
+        filePath.includes("signup"))
+        return 3;
+    if (filePath.startsWith("src/") ||
+        filePath.startsWith("app/") ||
+        filePath.startsWith("pages/"))
+        return 4;
+    return 5;
+}
+export async function scanLocalDirectory(dir) {
+    const entries = await readdir(dir, { recursive: true, withFileTypes: true });
+    const filePaths = [];
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const fullPath = join(entry.parentPath || entry.path, entry.name);
+        const relPath = relative(dir, fullPath).replace(/\\/g, "/");
+        if (shouldIncludeFile(relPath)) {
+            filePaths.push(relPath);
+        }
+    }
+    // Sort by priority and limit
+    const sorted = filePaths
+        .sort((a, b) => priorityScore(a) - priorityScore(b))
+        .slice(0, MAX_FILES);
+    // Read file contents
+    const files = [];
+    for (const relPath of sorted) {
+        try {
+            const content = await readFile(join(dir, relPath), "utf-8");
+            files.push({ path: relPath, content });
+        }
+        catch {
+            // Skip unreadable files
+        }
+    }
+    return files;
+}

package/dist/tools/fix.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerFixTool(server: McpServer): void;

package/dist/tools/fix.js

@@ -0,0 +1,55 @@
+import { z } from "zod";
+import { apiClient } from "../lib/api-client.js";
+export function registerFixTool(server) {
+    server.tool("guardrail_fix", "Get detailed fix instructions for a specific security issue. Includes step-by-step guide with code examples and AI prompts you can use.", {
+        check_key: z
+            .string()
+            .describe('The check_key of the issue to fix (e.g. "api_key_hardcoded", "stripe_key_exposed"). Get this from guardrail_issues.'),
+    }, async ({ check_key }) => {
+        if (!apiClient.isConfigured()) {
+            return {
+                content: [
+                    { type: "text", text: apiClient.getConfigError() },
+                ],
+            };
+        }
+        try {
+            const data = await apiClient.get(`/api/mcp/issues?check_key=${encodeURIComponent(check_key)}`);
+            const guide = data.guide;
+            const lines = [];
+            lines.push(`Fix: ${guide.title}`);
+            lines.push(`Severity: ${guide.severity}`);
+            lines.push("");
+            lines.push(`Why it matters: ${guide.why}`);
+            lines.push("");
+            lines.push("Steps:");
+            for (let i = 0; i < guide.steps.length; i++) {
+                const step = guide.steps[i];
+                lines.push(`${i + 1}. ${step.instruction}`);
+                if (step.code) {
+                    lines.push(`   ${step.code}`);
+                }
+                lines.push("");
+            }
+            if (guide.aiPrompts.length > 0) {
+                lines.push("AI Prompts (copy & paste to fix automatically):");
+                for (const prompt of guide.aiPrompts) {
+                    lines.push(`  "${prompt.text}"`);
+                }
+            }
+            return {
+                content: [{ type: "text", text: lines.join("\n") }],
+            };
+        }
+        catch (err) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Failed to get fix guide: ${err instanceof Error ? err.message : "Unknown error"}`,
+                    },
+                ],
+            };
+        }
+    });
+}

package/dist/tools/issues.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerIssuesTool(server: McpServer): void;

package/dist/tools/issues.js

@@ -0,0 +1,49 @@
+import { apiClient } from "../lib/api-client.js";
+export function registerIssuesTool(server) {
+    server.tool("guardrail_issues", "List all security issues found in the latest scan. Shows each issue's severity, category, and description.", {}, async () => {
+        if (!apiClient.isConfigured()) {
+            return {
+                content: [
+                    { type: "text", text: apiClient.getConfigError() },
+                ],
+            };
+        }
+        try {
+            const data = await apiClient.get("/api/mcp/issues");
+            if (data.issues.length === 0) {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: `No issues found! Your project has a grade of ${data.grade}.\n\nAll security checks passed.`,
+                        },
+                    ],
+                };
+            }
+            const lines = [];
+            lines.push(`${data.issues.length} issue${data.issues.length > 1 ? "s" : ""} found (Grade: ${data.grade}):`);
+            lines.push("");
+            for (let i = 0; i < data.issues.length; i++) {
+                const issue = data.issues[i];
+                lines.push(`${i + 1}. [${issue.severity}] ${issue.title}`);
+                lines.push(`   Category: ${issue.category}`);
+                lines.push(`   ${issue.description}`);
+                lines.push(`   Fix: use guardrail_fix with check_key="${issue.check_key}"`);
+                lines.push("");
+            }
+            return {
+                content: [{ type: "text", text: lines.join("\n") }],
+            };
+        }
+        catch (err) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Failed to get issues: ${err instanceof Error ? err.message : "Unknown error"}`,
+                    },
+                ],
+            };
+        }
+    });
+}

package/dist/tools/scan.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerScanTool(server: McpServer): void;

package/dist/tools/scan.js

@@ -0,0 +1,101 @@
+import { z } from "zod";
+import { scanLocalDirectory } from "../lib/local-scanner.js";
+import { runAllChecks } from "../lib/checks.js";
+import { calculateGrade } from "../lib/grade.js";
+import { apiClient } from "../lib/api-client.js";
+const CHECK_LABELS = {
+    stripe_key_exposed: "Stripe secret key exposed in code",
+    webhook_no_verify: "Webhook signature not verified",
+    password_plaintext: "Password stored in plaintext",
+    no_rate_limit: "No rate limiting on auth endpoints",
+    env_not_gitignored: ".env file not in .gitignore",
+    api_key_hardcoded: "API key hardcoded in source code",
+    no_https: "HTTPS not configured",
+    no_privacy_policy: "No privacy policy found",
+};
+export function registerScanTool(server) {
+    server.tool("guardrail_scan", "Scan your local project directory for security issues. Checks for exposed API keys, hardcoded secrets, missing rate limiting, and more. Results are saved to your GuardRail dashboard.", {
+        directory: z
+            .string()
+            .optional()
+            .describe("Directory to scan. Defaults to the current working directory."),
+    }, async ({ directory }) => {
+        const dir = directory || process.cwd();
+        // 1. Scan local files
+        const files = await scanLocalDirectory(dir);
+        if (files.length === 0) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `No scannable files found in ${dir}. Make sure you're in a project directory with source code files (.js, .ts, .py, etc.).`,
+                    },
+                ],
+            };
+        }
+        // 2. Run checks locally
+        const checkResults = runAllChecks(files);
+        const gradeResult = calculateGrade(checkResults);
+        // 3. Try to save to API (non-blocking)
+        let savedToCloud = false;
+        let sdkConnected = false;
+        try {
+            if (apiClient.isConfigured()) {
+                const result = await apiClient.post("/api/mcp/scan", {
+                    checkResults,
+                    grade: gradeResult.grade,
+                    passCount: gradeResult.passCount,
+                    failCount: gradeResult.failCount,
+                    criticalCount: gradeResult.criticalCount,
+                    warningCount: gradeResult.warningCount,
+                    summary: gradeResult.summary,
+                    filesScanned: files.length,
+                });
+                savedToCloud = true;
+                sdkConnected = result?.sdkConnected ?? false;
+            }
+        }
+        catch {
+            // API save failed, but local results are still valid
+        }
+        // 4. Format output
+        const failedChecks = checkResults.filter((r) => r.status === "fail");
+        const lines = [];
+        lines.push(`Scan complete! Grade: ${gradeResult.grade}`);
+        lines.push(`${gradeResult.passCount}/${checkResults.length} checks passed`);
+        lines.push("");
+        if (failedChecks.length === 0) {
+            lines.push("All checks passed! Your code looks secure.");
+        }
+        else {
+            lines.push(`${failedChecks.length} issue${failedChecks.length > 1 ? "s" : ""} found:`);
+            lines.push("");
+            for (const check of failedChecks) {
+                const label = CHECK_LABELS[check.check_key] || check.check_key;
+                lines.push(`- [${check.severity}] ${label}`);
+            }
+            lines.push("");
+            lines.push("Use guardrail_fix with check_key to get detailed fix steps.");
+        }
+        if (savedToCloud) {
+            lines.push("");
+            lines.push("Results saved to your GuardRail dashboard.");
+        }
+        else if (!apiClient.isConfigured()) {
+            lines.push("");
+            lines.push("Note: Set GUARDRAIL_PROJECT_KEY to save results to your dashboard.");
+        }
+        lines.push("");
+        lines.push(`Files scanned: ${files.length}`);
+        // SDK setup prompt (only when API saved and SDK not connected)
+        if (savedToCloud && !sdkConnected) {
+            lines.push("");
+            lines.push("---");
+            lines.push("Want real-time protection? Install the Guardrail SDK to detect brute force attacks, suspicious logins, and traffic spikes while your app runs.");
+            lines.push("  npm install guardrail-sdk");
+        }
+        return {
+            content: [{ type: "text", text: lines.join("\n") }],
+        };
+    });
+}

package/dist/tools/status.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerStatusTool(server: McpServer): void;

package/dist/tools/status.js

@@ -0,0 +1,49 @@
+import { apiClient } from "../lib/api-client.js";
+export function registerStatusTool(server) {
+    server.tool("guardrail_status", "Get the current security status of your GuardRail project including the latest scan grade, uptime, and SSL certificate status.", {}, async () => {
+        if (!apiClient.isConfigured()) {
+            return {
+                content: [
+                    { type: "text", text: apiClient.getConfigError() },
+                ],
+            };
+        }
+        try {
+            const data = await apiClient.get("/api/mcp/status");
+            const lines = [];
+            lines.push(`Project: ${data.project.name}`);
+            if (data.latestScan) {
+                lines.push("");
+                lines.push(`Grade: ${data.latestScan.grade} (${data.latestScan.summary})`);
+                lines.push(`Checks: ${data.latestScan.passedChecks}/${data.latestScan.totalChecks} passed`);
+                lines.push(`Last scan: ${data.latestScan.scannedAt} (${data.latestScan.source})`);
+            }
+            else {
+                lines.push("");
+                lines.push("No scans yet. Run guardrail_scan to scan your project.");
+            }
+            if (data.monitoring) {
+                lines.push("");
+                if (data.monitoring.uptimePercentage != null) {
+                    lines.push(`Uptime: ${data.monitoring.uptimePercentage}% (${data.monitoring.uptimeStatus})`);
+                }
+                if (data.monitoring.sslDaysRemaining != null) {
+                    lines.push(`SSL: ${data.monitoring.sslDaysRemaining}d remaining (${data.monitoring.sslStatus})`);
+                }
+            }
+            return {
+                content: [{ type: "text", text: lines.join("\n") }],
+            };
+        }
+        catch (err) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: `Failed to get status: ${err instanceof Error ? err.message : "Unknown error"}`,
+                    },
+                ],
+            };
+        }
+    });
+}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "guardrail-mcp",
+  "version": "0.1.0",
+  "description": "GuardRail MCP server for Claude Code — security scanning from your editor",
+  "type": "module",
+  "bin": "./dist/index.js",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.11.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.7.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "license": "MIT"
+}