ledd-mcp-audit-server 2.0.0

package/CHANGELOG.md

@@ -0,0 +1,22 @@
+# Changelog
+
+## 2.0.0 (2026-03-15)
+
+### Breaking Changes
+- Scan engine moved to private API service. This package is now a thin MCP/CLI proxy.
+- Published package renamed to `ledd-mcp-audit-server` to avoid npm namespace collisions while keeping the CLI command as `mcp-audit-server`.
+- Removed `lib/` directory and all in-process scan modules.
+- Requires access to a private audit API.
+
+### Added
+- Tool spoofing detection (CWE-290) — duplicate tool names, namespace collision
+- Rug pull detection (CWE-829) — unpinned packages, version drift
+- Credential hygiene checks — inline secrets, missing rotation
+- 9 MCP tools for comprehensive agent security auditing
+- CLI with formatted output and --json mode
+- Rate limiting on MCP server (30 req/min)
+- `AGENT_SECURITY_BASE_URL` for hosted HTTPS backends
+
+### Removed
+- All in-process scan modules (moved to a private backend)
+- Direct dependencies on better-sqlite3, express, uuid

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ledd Consulting
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/MIGRATION.md

@@ -0,0 +1,49 @@
+# Migration Guide
+
+This package replaces the ambiguous `mcp-server-agent-security` name for the thin MCP/CLI proxy.
+
+## What Changed
+
+- Old package name: `mcp-server-agent-security`
+- New package name: `ledd-mcp-audit-server`
+- Preferred CLI: `mcp-audit-server`
+
+## Upgrade
+
+```bash
+npm uninstall mcp-server-agent-security
+npm install ledd-mcp-audit-server
+```
+
+If you launch the MCP proxy through `npx`, update your client config:
+
+```json
+{
+  "mcpServers": {
+    "mcp-audit-server": {
+      "command": "npx",
+      "args": ["-y", "ledd-mcp-audit-server", "--mcp"]
+    }
+  }
+}
+```
+
+## Package Split
+
+The old package name was overloaded across two different repos. The split is now:
+
+- private audit engine: proprietary backend, rules, storage, and remediation logic
+- `ledd-mcp-audit-server`: thin MCP/CLI proxy that forwards to that private audit API
+
+Use `ledd-mcp-audit-server` when you want the public client package. It installs the `mcp-audit-server` CLI and should be configured against your hosted or licensed private audit API.
+
+## Publisher Checklist
+
+1. Publish this package under the new name: `npm publish`
+2. Deprecate the old package name:
+
+```bash
+npm deprecate mcp-server-agent-security@"*" "Deprecated: use ledd-mcp-audit-server. The audit backend is now private and licensed separately."
+```
+
+3. Update the public README to point users to your hosted API or sales contact, not to a public engine package.

package/README.md

@@ -0,0 +1,125 @@
+# mcp-audit-server
+
+Thin MCP server and CLI proxy for AI agent and MCP security auditing. It connects to a private audit API to analyze MCP configurations, test prompt injection resistance, trace data flows, scan packages, and generate security policies.
+
+This package is a thin proxy. All scan logic lives in a private backend operated by you or your provider. For hosted deployments, set `AGENT_SECURITY_BASE_URL` to your HTTPS API origin.
+
+Hosted backend access is not bundled with this package. If you want managed access or a licensed private deployment, contact [Ledd Consulting](https://leddconsulting.com).
+
+## Install
+
+```bash
+npm install ledd-mcp-audit-server
+```
+
+Install package: `ledd-mcp-audit-server`
+CLI command after install: `mcp-audit-server`
+
+The old package name `mcp-server-agent-security` is retired. See [MIGRATION.md](./MIGRATION.md) for upgrade steps and the deprecation plan.
+
+## Usage as MCP Server
+
+Add to your MCP client configuration (Claude Desktop, Cursor, etc.):
+
+```json
+{
+  "mcpServers": {
+    "mcp-audit-server": {
+      "command": "npx",
+      "args": ["-y", "ledd-mcp-audit-server", "--mcp"]
+    }
+  }
+}
+```
+
+The server exposes 9 tools over stdio:
+
+| Tool | Description |
+|------|-------------|
+| `audit_mcp_config` | Static analysis of MCP config JSON for privilege, auth, transport, and launch risks |
+| `audit_mcp_server` | Active probing of a running MCP server over stdio (requires `AGENT_SECURITY_ADMIN_MODE=1`) |
+| `audit_prompt_injection` | Tests a system prompt against a 30+ payload injection catalog |
+| `audit_agent_dataflow` | Traces PII and secret exposure through an agent's tool pipeline |
+| `scan_mcp_package` | Scans an npm MCP package for dependency vulnerabilities and dangerous patterns |
+| `generate_report` | Combines multiple audit results into a composite report with executive summary |
+| `fix_mcp_config` | Auto-remediates config issues: removes unsafe flags, upgrades transport, redacts secrets |
+| `harden_system_prompt` | Appends injection-resistant guardrails to a system prompt |
+| `generate_policy` | Generates an enforceable JSON security policy from an MCP config |
+
+## Usage as CLI
+
+The CLI forwards commands to the private audit API.
+
+```bash
+# Audit an MCP configuration file
+mcp-audit-server scan-config ./claude_desktop_config.json
+
+# Probe a live MCP server (requires AGENT_SECURITY_ADMIN_MODE=1)
+mcp-audit-server scan-server npx -y @modelcontextprotocol/server-filesystem /tmp
+
+# Scan an npm package for vulnerabilities
+mcp-audit-server scan-package @modelcontextprotocol/server-shell
+
+# Test a system prompt for injection vulnerabilities
+mcp-audit-server scan-injection ./system-prompt.txt
+
+# Trace data flows through an MCP config
+mcp-audit-server scan-dataflow ./claude_desktop_config.json
+
+# Auto-fix security issues in an MCP config
+mcp-audit-server fix-config ./claude_desktop_config.json
+
+# Harden a system prompt against injection
+mcp-audit-server harden-prompt ./system-prompt.txt
+
+# Generate a security policy from an MCP config
+mcp-audit-server generate-policy ./claude_desktop_config.json
+
+# Retrieve a previous audit report
+mcp-audit-server report <audit-id>
+
+# Output raw JSON instead of formatted tables
+mcp-audit-server scan-config ./config.json --json
+
+# Start in MCP stdio server mode
+mcp-audit-server --mcp
+```
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `AGENT_SECURITY_BASE_URL` | (none) | Full audit API origin, e.g. `https://audit.example.com` |
+| `AGENT_SECURITY_HOST` | `127.0.0.1` | Audit API host |
+| `AGENT_SECURITY_PORT` | `3091` | Audit API port |
+| `AGENT_SECURITY_API_KEY` | (none) | API key for authenticated access |
+| `AGENT_SECURITY_ADMIN_MODE` | (none) | Set to `1` to enable active server probing |
+
+## What It Detects
+
+- **Tool spoofing** -- duplicate tool names, namespace collision (CWE-290)
+- **Rug pull** -- unpinned packages, version drift (CWE-829)
+- **Prompt injection** -- direct override, instruction hijacking, role-play escape, delimiter injection, encoding bypass, multilingual injection
+- **Privilege escalation** -- overprivileged tools, shell execution without allowlists, unrestricted filesystem access
+- **Data exfiltration** -- PII leakage through tool pipelines, outbound network paths
+- **Insecure transport** -- missing TLS, plaintext credentials in config
+- **Missing auth** -- unauthenticated MCP servers, missing API key requirements
+- **Shell injection** -- arbitrary command execution via tool configurations
+- **Path traversal** -- unrestricted filesystem scope in tool arguments
+- **SQL injection** -- raw SQL patterns in tool definitions
+- **Rate limiting** -- missing request throttling on exposed tools
+- **Package vulnerabilities** -- known CVEs in npm MCP package dependencies
+- **Credential exposure** -- inline secrets, missing rotation policies
+
+## Requirements
+
+- Node.js >= 18
+- Access to a private audit API. Use `AGENT_SECURITY_BASE_URL` for hosted HTTPS deployments, or `AGENT_SECURITY_HOST` and `AGENT_SECURITY_PORT` for local/private-network deployments.
+
+## License
+
+MIT
+
+---
+
+Built by [Ledd Consulting](https://leddconsulting.com)

package/cli.js

@@ -0,0 +1,346 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+const path = require("path");
+const { BASE_URL } = require("./index");
+
+const API_KEY = process.env.AGENT_SECURITY_API_KEY || "";
+
+function printUsage() {
+  process.stderr.write(
+    [
+      "Usage:",
+      "  mcp-audit-server scan-config <file>         Audit an MCP config file",
+      "  mcp-audit-server scan-server <command> [args...]  Probe a running MCP server",
+      "  mcp-audit-server scan-package <name>         Audit an npm package",
+      "  mcp-audit-server scan-injection <file>       Test a system prompt for injection vulnerabilities",
+      "  mcp-audit-server scan-dataflow <file>        Trace data flows through an MCP config",
+      "  mcp-audit-server fix-config <file>           Auto-fix security issues in an MCP config",
+      "  mcp-audit-server harden-prompt <file>        Harden a system prompt against injection",
+      "  mcp-audit-server generate-policy <file>      Generate a security policy from an MCP config",
+      "  mcp-audit-server report <id>                 Retrieve an audit report by ID",
+      "",
+      "Flags:",
+      "  --mcp            Start the MCP stdio server (for use with MCP clients)",
+      "  --help, -h       Show this help message",
+      "  --version, -v    Show version number",
+      "  --json           Output raw JSON instead of formatted tables",
+      "",
+      "Environment Variables:",
+      "  AGENT_SECURITY_BASE_URL        Full audit API origin, e.g. https://audit.example.com",
+      "  AGENT_SECURITY_HOST            Server host (default: 127.0.0.1)",
+      "  AGENT_SECURITY_PORT            Server port (default: 3091)",
+      "  AGENT_SECURITY_API_KEY         API key for remote access (optional)",
+      "  AGENT_SECURITY_ADMIN_MODE      Enable active server probing (set to \"1\")"
+    ].join("\n") + "\n"
+  );
+}
+
+async function callApi(method, pathname, payload) {
+  const headers = {
+    "content-type": "application/json"
+  };
+  if (API_KEY) {
+    headers["x-api-key"] = API_KEY;
+  }
+
+  const response = await fetch(`${BASE_URL}${pathname}`, {
+    method,
+    headers,
+    body: payload ? JSON.stringify(payload) : undefined
+  });
+
+  let body;
+  try {
+    body = await response.json();
+  } catch (parseError) {
+    throw new Error(`Request failed with status ${response.status} (non-JSON response).`);
+  }
+  if (!response.ok) {
+    throw new Error(body && body.error ? body.error : `Request failed with status ${response.status}`);
+  }
+
+  return body;
+}
+
+function formatReport(report) {
+  console.table([
+    {
+      id: report.id,
+      type: report.type || "",
+      target: report.target || "",
+      status: report.status,
+      score: report.score,
+      grade: report.grade
+    }
+  ]);
+
+  if (report.findingsSummary) {
+    console.table([report.findingsSummary]);
+  }
+
+  if (Array.isArray(report.findings) && report.findings.length) {
+    console.table(report.findings.map((finding) => ({
+      severity: finding.severity,
+      source: finding.source,
+      cwe: finding.cwe,
+      confidence: finding.confidence,
+      location: finding.location || "",
+      description: finding.description
+    })));
+  } else {
+    process.stdout.write("No findings.\n");
+  }
+}
+
+function formatFixConfig(result) {
+  process.stdout.write(`Original findings: ${result.original_findings}\n`);
+  process.stdout.write(`Changes applied: ${result.changes_applied}\n`);
+  process.stdout.write(`Remaining findings: ${result.remaining_findings}\n\n`);
+
+  if (Array.isArray(result.changes) && result.changes.length) {
+    console.table(result.changes.map((change) => ({
+      server: change.server,
+      action: change.action,
+      severity: change.severity,
+      detail: change.detail
+    })));
+  } else {
+    process.stdout.write("No changes needed.\n");
+  }
+
+  if (result.fixed_config) {
+    process.stdout.write("\nFixed config:\n");
+    process.stdout.write(JSON.stringify(result.fixed_config, null, 2) + "\n");
+  }
+}
+
+function formatHardenPrompt(result) {
+  process.stdout.write(`Action: ${result.action}\n`);
+  process.stdout.write(`Before score: ${result.before_score}\n`);
+  process.stdout.write(`After score: ${result.after_score}\n`);
+
+  if (result.improvement !== undefined) {
+    process.stdout.write(`Improvement: +${result.improvement}\n`);
+  }
+
+  if (Array.isArray(result.guardrails_added) && result.guardrails_added.length) {
+    process.stdout.write("\nGuardrails added:\n");
+    console.table(result.guardrails_added.map((g) => ({
+      control: g.control,
+      label: g.label
+    })));
+  }
+
+  if (result.hardened_prompt) {
+    process.stdout.write("\nHardened prompt:\n");
+    process.stdout.write(result.hardened_prompt + "\n");
+  }
+}
+
+function formatGeneratePolicy(result) {
+  process.stdout.write(`Rules generated: ${result.rule_count}\n`);
+  process.stdout.write(`Servers covered: ${result.servers_covered}\n`);
+
+  if (result.policy) {
+    if (Array.isArray(result.policy.rules) && result.policy.rules.length) {
+      console.table(result.policy.rules.map((rule) => ({
+        server: rule.server,
+        rule: rule.rule,
+        action: rule.action,
+        description: rule.description
+      })));
+    }
+
+    process.stdout.write("\nFull policy:\n");
+    process.stdout.write(JSON.stringify(result.policy, null, 2) + "\n");
+  }
+
+  if (result.usage) {
+    process.stdout.write("\n" + result.usage + "\n");
+  }
+}
+
+async function main() {
+  const [, , command, ...args] = process.argv;
+  const jsonMode = process.argv.includes("--json");
+
+  try {
+    if (command === "--help" || command === "-h") {
+      printUsage();
+      return;
+    }
+
+    if (command === "--version" || command === "-v") {
+      const pkg = require("./package.json");
+      process.stdout.write(pkg.version + "\n");
+      return;
+    }
+
+    if (command === "scan-config") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("scan-config requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const config = await fs.promises.readFile(absolutePath, "utf8");
+      const report = await callApi("POST", "/audit/config", { config });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    if (command === "scan-server") {
+      const targetCommand = args[0];
+      if (!targetCommand) {
+        throw new Error("scan-server requires a command.");
+      }
+
+      const report = await callApi("POST", "/audit/server", {
+        command: targetCommand,
+        args: args.slice(1)
+      });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    if (command === "scan-package") {
+      const packageName = args[0];
+      if (!packageName) {
+        throw new Error("scan-package requires a package name.");
+      }
+
+      const report = await callApi("POST", "/audit/package", {
+        package_name: packageName
+      });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    if (command === "scan-injection") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("scan-injection requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const systemPrompt = await fs.promises.readFile(absolutePath, "utf8");
+      const report = await callApi("POST", "/audit/injection", { system_prompt: systemPrompt });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    if (command === "scan-dataflow") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("scan-dataflow requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const mcpConfig = await fs.promises.readFile(absolutePath, "utf8");
+      const report = await callApi("POST", "/audit/dataflow", { mcp_config: mcpConfig });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    if (command === "fix-config") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("fix-config requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const config = await fs.promises.readFile(absolutePath, "utf8");
+      const result = await callApi("POST", "/fix/config", { config });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+      } else {
+        formatFixConfig(result.findings || result);
+      }
+      return;
+    }
+
+    if (command === "harden-prompt") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("harden-prompt requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const systemPrompt = await fs.promises.readFile(absolutePath, "utf8");
+      const result = await callApi("POST", "/fix/prompt", { system_prompt: systemPrompt });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+      } else {
+        formatHardenPrompt(result.findings || result);
+      }
+      return;
+    }
+
+    if (command === "generate-policy") {
+      const filePath = args[0];
+      if (!filePath) {
+        throw new Error("generate-policy requires a file path.");
+      }
+
+      const absolutePath = path.resolve(process.cwd(), filePath);
+      const mcpConfig = await fs.promises.readFile(absolutePath, "utf8");
+      const result = await callApi("POST", "/fix/policy", { mcp_config: mcpConfig });
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+      } else {
+        formatGeneratePolicy(result.findings || result);
+      }
+      return;
+    }
+
+    if (command === "report") {
+      const reportId = args[0];
+      if (!reportId) {
+        throw new Error("report requires an audit id.");
+      }
+
+      const report = await callApi("GET", `/report/${encodeURIComponent(reportId)}`);
+      if (jsonMode) {
+        process.stdout.write(JSON.stringify(report, null, 2) + "\n");
+      } else {
+        formatReport(report);
+      }
+      return;
+    }
+
+    printUsage();
+    process.exitCode = 1;
+  } catch (error) {
+    process.stderr.write(`${error.message}\n`);
+    process.exitCode = 1;
+  }
+}
+
+if (require.main === module) {
+  if (process.argv.includes("--mcp")) {
+    require("./mcp/index.js");
+  } else {
+    main();
+  }
+}

package/index.js

@@ -0,0 +1,50 @@
+/**
+ * mcp-audit-server — public entry point
+ *
+ * This package is a thin MCP interface to a private audit API.
+ * By default it targets a local API on http://127.0.0.1:3091, but hosted
+ * deployments should prefer AGENT_SECURITY_BASE_URL with an https:// origin.
+ *
+ * Start the MCP server:   node mcp/index.js
+ * Use the CLI:            node cli.js scan-config <file>
+ */
+
+const net = require("net");
+
+const PORT = Number.parseInt(process.env.AGENT_SECURITY_PORT || "", 10) || 3091;
+const HOST = process.env.AGENT_SECURITY_HOST || "127.0.0.1";
+
+function formatHostForUrl(host) {
+  const value = String(host || "").trim();
+  if (!value) {
+    return "127.0.0.1";
+  }
+
+  if (value.startsWith("[") && value.endsWith("]")) {
+    return value;
+  }
+
+  return net.isIP(value) === 6 ? `[${value}]` : value;
+}
+
+function resolveBaseUrl(options = {}) {
+  const configuredBaseUrl = typeof options.baseUrl === "string" ? options.baseUrl.trim() : "";
+  if (configuredBaseUrl) {
+    if (!/^https?:\/\//i.test(configuredBaseUrl)) {
+      throw new Error("AGENT_SECURITY_BASE_URL must start with http:// or https://.");
+    }
+    return configuredBaseUrl.replace(/\/+$/, "");
+  }
+
+  const host = typeof options.host === "string" ? options.host : HOST;
+  const port = Number.isInteger(options.port) ? options.port : PORT;
+  return `http://${formatHostForUrl(host)}:${port}`;
+}
+
+const BASE_URL = resolveBaseUrl({
+  baseUrl: process.env.AGENT_SECURITY_BASE_URL,
+  host: HOST,
+  port: PORT
+});
+
+module.exports = { PORT, HOST, BASE_URL, formatHostForUrl, resolveBaseUrl };

package/mcp/index.js

@@ -0,0 +1,270 @@
+/**
+ * MCP server for agent-security — thin proxy to the private audit API.
+ *
+ * All scan logic runs on a private audit API.
+ * This MCP server only exposes tool definitions and forwards requests.
+ */
+
+const AUDIT_API_KEY = process.env.AGENT_SECURITY_API_KEY || "";
+const { BASE_URL: AUDIT_BASE_URL } = require("../index");
+const { version: APP_VERSION } = require("../package.json");
+
+const MCP_MAX_REQUESTS_PER_MINUTE = 30;
+const MCP_WINDOW_MS = 60_000;
+let mcpRequestCount = 0;
+let mcpWindowStart = Date.now();
+
+const toolDefinitions = [
+  {
+    name: "audit_mcp_config",
+    description: "Perform static analysis on raw MCP config JSON and identify privilege, auth, transport, and launch risks.",
+    inputSchema: {
+      type: "object",
+      properties: { config: { type: "string", description: "Raw MCP config JSON." } },
+      required: ["config"]
+    }
+  },
+  {
+    name: "audit_mcp_server",
+    description: "Launch a target MCP server over stdio, enumerate tools, and run active security probes against its exposed tools. Requires AGENT_SECURITY_ADMIN_MODE=1.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        command: { type: "string" },
+        args: { type: "array", items: { type: "string" } },
+        env: { type: "object", additionalProperties: { type: "string" } }
+      },
+      required: ["command"]
+    }
+  },
+  {
+    name: "audit_prompt_injection",
+    description: "Perform a static prompt-hardening review against a 30+ payload prompt-injection catalog.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        system_prompt: { type: "string" },
+        tools: { type: "array", items: { type: "string" } }
+      },
+      required: ["system_prompt"]
+    }
+  },
+  {
+    name: "audit_agent_dataflow",
+    description: "Infer tagged-data exposure and exfiltration paths from MCP config and observed tool capabilities.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        mcp_config: { type: "string" },
+        test_pii: { type: "string" }
+      },
+      required: ["mcp_config"]
+    }
+  },
+  {
+    name: "scan_mcp_package",
+    description: "Scan an npm MCP package for dependency vulnerabilities, dangerous patterns, and permission issues.",
+    inputSchema: {
+      type: "object",
+      properties: { package_name: { type: "string" } },
+      required: ["package_name"]
+    }
+  },
+  {
+    name: "generate_report",
+    description: "Combine multiple stored audit jobs into a composite report with deduplicated findings and an executive summary.",
+    inputSchema: {
+      type: "object",
+      properties: { audit_ids: { type: "array", items: { type: "string" } } },
+      required: ["audit_ids"]
+    }
+  },
+  {
+    name: "fix_mcp_config",
+    description: "Auto-remediate security issues in an MCP config: remove unsafe flags, strip shell wrappers, upgrade transport to TLS, redact inline secrets, add auth placeholders, and constrain filesystem scope.",
+    inputSchema: {
+      type: "object",
+      properties: { config: { type: "string", description: "Raw MCP config JSON to fix." } },
+      required: ["config"]
+    }
+  },
+  {
+    name: "harden_system_prompt",
+    description: "Analyze a system prompt for injection vulnerabilities and return a hardened version with security guardrails appended.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        system_prompt: { type: "string", description: "The system prompt to harden." },
+        tools: { type: "array", items: { type: "string" }, description: "Tool names available to the agent." }
+      },
+      required: ["system_prompt"]
+    }
+  },
+  {
+    name: "generate_policy",
+    description: "Generate a JSON security policy from an MCP config that can be enforced by a proxy or middleware.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        mcp_config: { type: "string", description: "Raw MCP config JSON." },
+        allowed_destinations: { type: "array", items: { type: "string" } },
+        allowed_paths: { type: "array", items: { type: "string" } }
+      },
+      required: ["mcp_config"]
+    }
+  }
+];
+
+// Route table: MCP tool name → private API endpoint
+const toolRoutes = {
+  audit_mcp_config:      { method: "POST", path: "/audit/config",    body: (a) => ({ config: a.config }) },
+  audit_mcp_server:      { method: "POST", path: "/audit/server",    body: (a) => ({ command: a.command, args: a.args, env: a.env }) },
+  audit_prompt_injection: { method: "POST", path: "/audit/injection", body: (a) => ({ system_prompt: a.system_prompt, tools: a.tools }) },
+  audit_agent_dataflow:  { method: "POST", path: "/audit/dataflow",  body: (a) => ({ mcp_config: a.mcp_config, test_pii: a.test_pii }) },
+  scan_mcp_package:      { method: "POST", path: "/audit/package",   body: (a) => ({ package_name: a.package_name }) },
+  fix_mcp_config:        { method: "POST", path: "/fix/config",      body: (a) => ({ config: a.config }) },
+  harden_system_prompt:  { method: "POST", path: "/fix/prompt",      body: (a) => ({ system_prompt: a.system_prompt, tools: a.tools }) },
+  generate_policy:       { method: "POST", path: "/fix/policy",      body: (a) => ({ mcp_config: a.mcp_config, allowed_destinations: a.allowed_destinations, allowed_paths: a.allowed_paths }) },
+};
+
+async function callAuditApi(method, apiPath, payload) {
+  const headers = { "Content-Type": "application/json" };
+  if (AUDIT_API_KEY) {
+    headers["x-api-key"] = AUDIT_API_KEY;
+  }
+
+  const response = await fetch(`${AUDIT_BASE_URL}${apiPath}`, {
+    method,
+    headers,
+    body: payload ? JSON.stringify(payload) : undefined,
+  });
+
+  const text = await response.text();
+  let body;
+  try {
+    body = JSON.parse(text);
+  } catch {
+    return { error: `Audit API returned non-JSON (status ${response.status}): ${text.slice(0, 200)}` };
+  }
+
+  if (!response.ok) {
+    return { error: body.error || `Audit API returned status ${response.status}` };
+  }
+
+  return body;
+}
+
+function checkMcpRateLimit() {
+  const now = Date.now();
+  if (now - mcpWindowStart > MCP_WINDOW_MS) {
+    mcpRequestCount = 0;
+    mcpWindowStart = now;
+  }
+  mcpRequestCount++;
+  return mcpRequestCount <= MCP_MAX_REQUESTS_PER_MINUTE;
+}
+
+async function runAuditTool(toolName, args) {
+  if (!checkMcpRateLimit()) {
+    return { error: "Rate limit exceeded. Try again later." };
+  }
+
+  const safeArgs = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+
+  // generate_report: fetch individual reports by ID
+  if (toolName === "generate_report") {
+    const ids = Array.isArray(safeArgs.audit_ids) ? safeArgs.audit_ids.map(String) : [];
+    if (ids.length === 0) {
+      return { error: "audit_ids must be a non-empty array." };
+    }
+    if (ids.length > 25) {
+      return { error: "audit_ids must contain at most 25 entries." };
+    }
+    if (ids.length === 1) {
+      return callAuditApi("GET", `/report/${encodeURIComponent(ids[0])}`);
+    }
+    const results = await Promise.all(ids.map((id) => callAuditApi("GET", `/report/${encodeURIComponent(id)}`)));
+    return { reports: results };
+  }
+
+  const route = toolRoutes[toolName];
+  if (!route) {
+    return { error: `Unknown tool: ${toolName}` };
+  }
+
+  return callAuditApi(route.method, route.path, route.body(safeArgs));
+}
+
+function importFirst(candidates) {
+  for (const id of candidates) {
+    try {
+      return require(id);
+    } catch {}
+  }
+  throw new Error(`Could not import any of: ${candidates.join(", ")}`);
+}
+
+async function main() {
+  const serverModule = importFirst([
+    "@modelcontextprotocol/sdk/server/index.js",
+    "@modelcontextprotocol/sdk/dist/esm/server/index.js",
+    "@modelcontextprotocol/sdk/dist/server/index.js",
+  ]);
+  const stdioModule = importFirst([
+    "@modelcontextprotocol/sdk/server/stdio.js",
+    "@modelcontextprotocol/sdk/dist/esm/server/stdio.js",
+    "@modelcontextprotocol/sdk/dist/server/stdio.js",
+  ]);
+  const typesModule = importFirst([
+    "@modelcontextprotocol/sdk/types.js",
+    "@modelcontextprotocol/sdk/dist/esm/types.js",
+    "@modelcontextprotocol/sdk/dist/types.js",
+  ]);
+
+  const Server = serverModule.Server || (serverModule.default && serverModule.default.Server);
+  const StdioServerTransport = stdioModule.StdioServerTransport || (stdioModule.default && stdioModule.default.StdioServerTransport);
+  const { ListToolsRequestSchema, CallToolRequestSchema } = typesModule;
+
+  if (!Server || !StdioServerTransport || !ListToolsRequestSchema || !CallToolRequestSchema) {
+    throw new Error("Unable to load the MCP server SDK classes.");
+  }
+
+  const server = new Server(
+    { name: "mcp-audit-server", version: APP_VERSION || "0.0.0" },
+    { capabilities: { tools: {} } }
+  );
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: toolDefinitions,
+  }));
+
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    try {
+      const toolName = request?.params?.name || "";
+      const args = request?.params?.arguments || {};
+      const result = await runAuditTool(toolName, args);
+      const isToolError = Boolean(result?.error);
+      return {
+        ...(isToolError ? { isError: true } : {}),
+        content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+      };
+    } catch (error) {
+      return {
+        isError: true,
+        content: [{ type: "text", text: JSON.stringify({ error: error.message }, null, 2) }],
+      };
+    }
+  });
+
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    process.stderr.write(`${error.stack || error.message}\n`);
+    process.exit(1);
+  });
+}
+
+module.exports = { main, runAuditTool };

package/mcp/server.json

@@ -0,0 +1,47 @@
+{
+  "name": "mcp-audit-server",
+  "version": "2.0.0",
+  "description": "Audit and remediate AI agent and MCP server security vulnerabilities, prompt injection risk, and data exfiltration paths.",
+  "command": "node",
+  "args": [
+    "mcp/index.js"
+  ],
+  "tools": [
+    {
+      "name": "audit_mcp_config",
+      "description": "Static analysis of raw MCP config JSON."
+    },
+    {
+      "name": "audit_mcp_server",
+      "description": "Active probing of a running MCP server over stdio."
+    },
+    {
+      "name": "audit_prompt_injection",
+      "description": "Prompt-injection resistance analysis for a system prompt and tool set."
+    },
+    {
+      "name": "audit_agent_dataflow",
+      "description": "Capability-based PII and exfiltration path tracing."
+    },
+    {
+      "name": "scan_mcp_package",
+      "description": "npm package scan for dependencies, dangerous patterns, and permission issues."
+    },
+    {
+      "name": "generate_report",
+      "description": "Combine multiple stored audits into a single executive report."
+    },
+    {
+      "name": "fix_mcp_config",
+      "description": "Auto-remediate MCP config security issues and return a hardened config."
+    },
+    {
+      "name": "harden_system_prompt",
+      "description": "Harden a system prompt with injection-resistant guardrails."
+    },
+    {
+      "name": "generate_policy",
+      "description": "Generate an enforceable JSON security policy from MCP config."
+    }
+  ]
+}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "ledd-mcp-audit-server",
+  "version": "2.0.0",
+  "description": "MCP server interface for AI agent and MCP security auditing — config analysis, prompt injection testing, tool probing, data flow tracing",
+  "type": "commonjs",
+  "main": "index.js",
+  "bin": {
+    "mcp-audit-server": "cli.js"
+  },
+  "scripts": {
+    "mcp:start": "node mcp/index.js",
+    "mcp": "node mcp/index.js",
+    "test": "node --test test/*.test.js"
+  },
+  "keywords": [
+    "mcp",
+    "security",
+    "audit",
+    "ai-agent",
+    "prompt-injection",
+    "mcp-server",
+    "llm-security"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/joepangallo/mcp-audit-server.git"
+  },
+  "homepage": "https://github.com/joepangallo/mcp-audit-server#readme",
+  "bugs": {
+    "url": "https://github.com/joepangallo/mcp-audit-server/issues"
+  },
+  "author": "Ledd Consulting <leddconsulting@gmail.com>",
+  "files": [
+    "index.js",
+    "cli.js",
+    "CHANGELOG.md",
+    "MIGRATION.md",
+    "mcp/",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.17.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "license": "MIT"
+}