ledd-mcp-audit-server 2.0.0 → 2.0.2

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 2.0.2 (2026-03-19)
+
+### Added
+- Added official MCP Registry metadata with `mcpName` and root `server.json`.
+- Added registry-ready environment variable metadata for `AGENT_SECURITY_API_KEY` and optional `AGENT_SECURITY_BASE_URL`.
+
+### Changed
+- Published package now includes `server.json` for registry/discovery tooling.
+
+## 2.0.1 (2026-03-19)
+
+### Added
+- Managed hosted flow now auto-targets `https://mcpaudit.metaltorque.dev` when `AGENT_SECURITY_API_KEY` is set and no explicit endpoint override is configured.
+- Clearer CLI and MCP auth guidance when the proxy receives a `401 Unauthorized` response.
+- MCP client and CLI docs now show the API-key based hosted setup directly.
+
+### Changed
+- Updated the recommended MCP configuration to pass `AGENT_SECURITY_API_KEY` via the client `env` block.
+
 ## 2.0.0 (2026-03-15)
 
 ### Breaking Changes

package/MIGRATION.md

@@ -22,12 +22,17 @@ If you launch the MCP proxy through `npx`, update your client config:
   "mcpServers": {
     "mcp-audit-server": {
       "command": "npx",
-      "args": ["-y", "ledd-mcp-audit-server", "--mcp"]
+      "args": ["-y", "ledd-mcp-audit-server", "--mcp"],
+      "env": {
+        "AGENT_SECURITY_API_KEY": "your-issued-api-key"
+      }
     }
   }
 }
 ```
 
+If `AGENT_SECURITY_API_KEY` is set and no endpoint override is provided, the proxy will automatically target `https://mcpaudit.metaltorque.dev`. For self-hosted backends, also set `AGENT_SECURITY_BASE_URL`.
+
 ## Package Split
 
 The old package name was overloaded across two different repos. The split is now:

package/README.md

@@ -2,7 +2,15 @@
 
 Thin MCP server and CLI proxy for AI agent and MCP security auditing. It connects to a private audit API to analyze MCP configurations, test prompt injection resistance, trace data flows, scan packages, and generate security policies.
 
-This package is a thin proxy. All scan logic lives in a private backend operated by you or your provider. For hosted deployments, set `AGENT_SECURITY_BASE_URL` to your HTTPS API origin.
+This package is a thin proxy. All scan logic lives in a private backend operated by you or your provider.
+
+Managed hosted flow:
+- set `AGENT_SECURITY_API_KEY`
+- the package will automatically target `https://mcpaudit.metaltorque.dev`
+
+Self-hosted or private-network flow:
+- set `AGENT_SECURITY_BASE_URL` to your HTTPS API origin
+- or set `AGENT_SECURITY_HOST` and `AGENT_SECURITY_PORT` for a loopback/private deployment
 
 Hosted backend access is not bundled with this package. If you want managed access or a licensed private deployment, contact [Ledd Consulting](https://leddconsulting.com).
 
@@ -26,12 +34,17 @@ Add to your MCP client configuration (Claude Desktop, Cursor, etc.):
   "mcpServers": {
     "mcp-audit-server": {
       "command": "npx",
-      "args": ["-y", "ledd-mcp-audit-server", "--mcp"]
+      "args": ["-y", "ledd-mcp-audit-server", "--mcp"],
+      "env": {
+        "AGENT_SECURITY_API_KEY": "your-issued-api-key"
+      }
     }
   }
 }
 ```
 
+For a self-hosted backend, add `AGENT_SECURITY_BASE_URL` to that same `env` block.
+
 The server exposes 9 tools over stdio:
 
 | Tool | Description |
@@ -51,6 +64,9 @@ The server exposes 9 tools over stdio:
 The CLI forwards commands to the private audit API.
 
 ```bash
+# Hosted quick start
+export AGENT_SECURITY_API_KEY=your-issued-api-key
+
 # Audit an MCP configuration file
 mcp-audit-server scan-config ./claude_desktop_config.json
 
@@ -85,14 +101,17 @@ mcp-audit-server scan-config ./config.json --json
 mcp-audit-server --mcp
 ```
 
+For a self-hosted backend, also set `AGENT_SECURITY_BASE_URL=https://your-audit-host`.
+
 ## Environment Variables
 
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `AGENT_SECURITY_BASE_URL` | (none) | Full audit API origin, e.g. `https://audit.example.com` |
-| `AGENT_SECURITY_HOST` | `127.0.0.1` | Audit API host |
-| `AGENT_SECURITY_PORT` | `3091` | Audit API port |
-| `AGENT_SECURITY_API_KEY` | (none) | API key for authenticated access |
+| `AGENT_SECURITY_HOST` | `127.0.0.1` | Self-hosted/private-network audit API host |
+| `AGENT_SECURITY_PORT` | `3091` | Self-hosted/private-network audit API port |
+| `AGENT_SECURITY_API_KEY` | (none) | API key for authenticated access. If set with no endpoint overrides, the package uses `https://mcpaudit.metaltorque.dev` |
+| `AGENT_SECURITY_REQUEST_TIMEOUT_MS` | `15000` | Request timeout for CLI and MCP proxy calls |
 | `AGENT_SECURITY_ADMIN_MODE` | (none) | Set to `1` to enable active server probing |
 
 ## What It Detects
@@ -114,7 +133,7 @@ mcp-audit-server --mcp
 ## Requirements
 
 - Node.js >= 18
-- Access to a private audit API. Use `AGENT_SECURITY_BASE_URL` for hosted HTTPS deployments, or `AGENT_SECURITY_HOST` and `AGENT_SECURITY_PORT` for local/private-network deployments.
+- Access to a private audit API. The managed hosted default is `https://mcpaudit.metaltorque.dev` when `AGENT_SECURITY_API_KEY` is set. Use `AGENT_SECURITY_BASE_URL` for other hosted HTTPS deployments, or `AGENT_SECURITY_HOST` and `AGENT_SECURITY_PORT` for local/private-network deployments.
 
 ## License
 

package/cli.js

@@ -2,9 +2,12 @@
 
 const fs = require("fs");
 const path = require("path");
-const { BASE_URL } = require("./index");
+const { BASE_URL, DEFAULT_HOSTED_BASE_URL } = require("./index");
 
 const API_KEY = process.env.AGENT_SECURITY_API_KEY || "";
+const ADMIN_MODE_ENABLED = process.env.AGENT_SECURITY_ADMIN_MODE === "1";
+const REQUEST_TIMEOUT_MS = Number.parseInt(process.env.AGENT_SECURITY_REQUEST_TIMEOUT_MS || "", 10) || 15_000;
+const SCAN_SERVER_REQUIRES_ADMIN_MESSAGE = "scan-server requires AGENT_SECURITY_ADMIN_MODE=1.";
 
 function printUsage() {
   process.stderr.write(
@@ -27,15 +30,29 @@ function printUsage() {
       "  --json           Output raw JSON instead of formatted tables",
       "",
       "Environment Variables:",
-      "  AGENT_SECURITY_BASE_URL        Full audit API origin, e.g. https://audit.example.com",
-      "  AGENT_SECURITY_HOST            Server host (default: 127.0.0.1)",
-      "  AGENT_SECURITY_PORT            Server port (default: 3091)",
-      "  AGENT_SECURITY_API_KEY         API key for remote access (optional)",
+      `  AGENT_SECURITY_BASE_URL        Full audit API origin, e.g. https://audit.example.com`,
+      "  AGENT_SECURITY_HOST            Self-hosted/private-network host (default: 127.0.0.1)",
+      "  AGENT_SECURITY_PORT            Self-hosted/private-network port (default: 3091)",
+      `  AGENT_SECURITY_API_KEY         API key; if set without endpoint overrides, ${DEFAULT_HOSTED_BASE_URL} is used`,
+      "  AGENT_SECURITY_REQUEST_TIMEOUT_MS  Request timeout in milliseconds (default: 15000)",
       "  AGENT_SECURITY_ADMIN_MODE      Enable active server probing (set to \"1\")"
     ].join("\n") + "\n"
   );
 }
 
+function buildUnauthorizedMessage(baseMessage) {
+  const message = typeof baseMessage === "string" && baseMessage.trim() ? baseMessage.trim() : "Unauthorized.";
+  if (API_KEY) {
+    return message;
+  }
+
+  if (BASE_URL === DEFAULT_HOSTED_BASE_URL) {
+    return `${message} Set AGENT_SECURITY_API_KEY to use the hosted audit API at ${DEFAULT_HOSTED_BASE_URL}.`;
+  }
+
+  return `${message} Set AGENT_SECURITY_API_KEY for ${BASE_URL} access.`;
+}
+
 async function callApi(method, pathname, payload) {
   const headers = {
     "content-type": "application/json"
@@ -44,11 +61,24 @@ async function callApi(method, pathname, payload) {
     headers["x-api-key"] = API_KEY;
   }
 
-  const response = await fetch(`${BASE_URL}${pathname}`, {
-    method,
-    headers,
-    body: payload ? JSON.stringify(payload) : undefined
-  });
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  let response;
+  try {
+    response = await fetch(`${BASE_URL}${pathname}`, {
+      method,
+      headers,
+      body: payload ? JSON.stringify(payload) : undefined,
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (error && error.name === "AbortError") {
+      throw new Error(`Request timed out after ${REQUEST_TIMEOUT_MS}ms.`);
+    }
+    throw new Error(error && error.message ? error.message : "Request failed.");
+  } finally {
+    clearTimeout(timer);
+  }
 
   let body;
   try {
@@ -57,12 +87,47 @@ async function callApi(method, pathname, payload) {
     throw new Error(`Request failed with status ${response.status} (non-JSON response).`);
   }
   if (!response.ok) {
+    if (response.status === 401) {
+      throw new Error(buildUnauthorizedMessage(body && body.error));
+    }
     throw new Error(body && body.error ? body.error : `Request failed with status ${response.status}`);
   }
 
   return body;
 }
 
+function parseCliArgs(argv) {
+  const input = Array.isArray(argv) ? argv : [];
+  let jsonMode = false;
+  let command = "";
+  const commandArgs = [];
+
+  for (const rawArg of input) {
+    const arg = String(rawArg || "");
+    if (!command) {
+      if (arg === "--json") {
+        jsonMode = true;
+        continue;
+      }
+      command = arg;
+      continue;
+    }
+
+    if (arg === "--json") {
+      jsonMode = true;
+      continue;
+    }
+
+    commandArgs.push(arg);
+  }
+
+  return {
+    command,
+    args: commandArgs,
+    jsonMode
+  };
+}
+
 function formatReport(report) {
   console.table([
     {
@@ -162,8 +227,8 @@ function formatGeneratePolicy(result) {
 }
 
 async function main() {
-  const [, , command, ...args] = process.argv;
-  const jsonMode = process.argv.includes("--json");
+  const parsedArgs = parseCliArgs(process.argv.slice(2));
+  const { command, args, jsonMode } = parsedArgs;
 
   try {
     if (command === "--help" || command === "-h") {
@@ -195,6 +260,10 @@ async function main() {
     }
 
     if (command === "scan-server") {
+      if (!ADMIN_MODE_ENABLED) {
+        throw new Error(SCAN_SERVER_REQUIRES_ADMIN_MESSAGE);
+      }
+
       const targetCommand = args[0];
       if (!targetCommand) {
         throw new Error("scan-server requires a command.");
@@ -339,8 +408,19 @@ async function main() {
 
 if (require.main === module) {
   if (process.argv.includes("--mcp")) {
-    require("./mcp/index.js");
+    require("./mcp/index.js").main().catch((error) => {
+      process.stderr.write(`${error.stack || error.message}\n`);
+      process.exit(1);
+    });
   } else {
     main();
   }
 }
+
+module.exports = {
+  main,
+  testOnly: {
+    buildUnauthorizedMessage,
+    parseCliArgs
+  }
+};

package/index.js

@@ -1,9 +1,10 @@
 /**
  * mcp-audit-server — public entry point
  *
- * This package is a thin MCP interface to a private audit API.
- * By default it targets a local API on http://127.0.0.1:3091, but hosted
- * deployments should prefer AGENT_SECURITY_BASE_URL with an https:// origin.
+ * This package is a thin MCP interface to a private audit API. Local/self-hosted
+ * deployments can target a loopback API on http://127.0.0.1:3091, while the
+ * managed hosted flow auto-targets https://mcpaudit.metaltorque.dev when an
+ * API key is present and no explicit endpoint override is set.
  *
  * Start the MCP server:   node mcp/index.js
  * Use the CLI:            node cli.js scan-config <file>
@@ -11,17 +12,55 @@
 
 const net = require("net");
 
-const PORT = Number.parseInt(process.env.AGENT_SECURITY_PORT || "", 10) || 3091;
-const HOST = process.env.AGENT_SECURITY_HOST || "127.0.0.1";
+const DEFAULT_HOSTED_BASE_URL = "https://mcpaudit.metaltorque.dev";
+const RAW_BASE_URL = process.env.AGENT_SECURITY_BASE_URL;
+const RAW_HOST = process.env.AGENT_SECURITY_HOST;
+const RAW_PORT = process.env.AGENT_SECURITY_PORT;
+const RAW_API_KEY = process.env.AGENT_SECURITY_API_KEY || "";
 
-function formatHostForUrl(host) {
+const PORT = Number.parseInt(RAW_PORT || "", 10) || 3091;
+const HOST = RAW_HOST || "127.0.0.1";
+
+function normalizeHostToken(host) {
   const value = String(host || "").trim();
   if (!value) {
-    return "127.0.0.1";
+    return "";
   }
 
   if (value.startsWith("[") && value.endsWith("]")) {
-    return value;
+    return value.slice(1, -1).trim();
+  }
+
+  return value;
+}
+
+function isLoopbackHost(host) {
+  const normalized = normalizeHostToken(host).toLowerCase();
+  if (!normalized) {
+    return false;
+  }
+
+  if (normalized === "localhost") {
+    return true;
+  }
+
+  if (net.isIP(normalized) === 4) {
+    return /^127(?:\.\d{1,3}){3}$/.test(normalized);
+  }
+
+  if (net.isIP(normalized) === 6) {
+    return normalized === "::1" ||
+      normalized === "0:0:0:0:0:0:0:1" ||
+      /^::ffff:127(?:\.\d{1,3}){3}$/.test(normalized);
+  }
+
+  return false;
+}
+
+function formatHostForUrl(host) {
+  const value = normalizeHostToken(host);
+  if (!value) {
+    return "127.0.0.1";
   }
 
   return net.isIP(value) === 6 ? `[${value}]` : value;
@@ -30,21 +69,53 @@ function formatHostForUrl(host) {
 function resolveBaseUrl(options = {}) {
   const configuredBaseUrl = typeof options.baseUrl === "string" ? options.baseUrl.trim() : "";
   if (configuredBaseUrl) {
-    if (!/^https?:\/\//i.test(configuredBaseUrl)) {
+    let parsed;
+    try {
+      parsed = new URL(configuredBaseUrl);
+    } catch (error) {
+      throw new Error("AGENT_SECURITY_BASE_URL must be a valid http:// or https:// URL.");
+    }
+
+    const protocol = parsed.protocol.toLowerCase();
+    if (protocol !== "http:" && protocol !== "https:") {
       throw new Error("AGENT_SECURITY_BASE_URL must start with http:// or https://.");
     }
+    if (protocol === "http:" && !isLoopbackHost(parsed.hostname)) {
+      throw new Error("AGENT_SECURITY_BASE_URL must use https:// for non-loopback hosts.");
+    }
     return configuredBaseUrl.replace(/\/+$/, "");
   }
 
-  const host = typeof options.host === "string" ? options.host : HOST;
+  if (options.useHostedDefault) {
+    return DEFAULT_HOSTED_BASE_URL;
+  }
+
+  const host = typeof options.host === "string" && options.host.trim()
+    ? options.host
+    : HOST;
   const port = Number.isInteger(options.port) ? options.port : PORT;
+  if (!isLoopbackHost(host)) {
+    throw new Error("Use AGENT_SECURITY_BASE_URL with an https:// origin for non-loopback audit hosts.");
+  }
   return `http://${formatHostForUrl(host)}:${port}`;
 }
 
 const BASE_URL = resolveBaseUrl({
-  baseUrl: process.env.AGENT_SECURITY_BASE_URL,
-  host: HOST,
-  port: PORT
+  baseUrl: RAW_BASE_URL,
+  host: RAW_HOST,
+  port: PORT,
+  useHostedDefault: !String(RAW_BASE_URL || "").trim() &&
+    RAW_HOST === undefined &&
+    RAW_PORT === undefined &&
+    Boolean(RAW_API_KEY)
 });
 
-module.exports = { PORT, HOST, BASE_URL, formatHostForUrl, resolveBaseUrl };
+module.exports = {
+  PORT,
+  HOST,
+  BASE_URL,
+  DEFAULT_HOSTED_BASE_URL,
+  formatHostForUrl,
+  isLoopbackHost,
+  resolveBaseUrl
+};

package/mcp/index.js

@@ -6,8 +6,10 @@
  */
 
 const AUDIT_API_KEY = process.env.AGENT_SECURITY_API_KEY || "";
-const { BASE_URL: AUDIT_BASE_URL } = require("../index");
+const { BASE_URL: AUDIT_BASE_URL, DEFAULT_HOSTED_BASE_URL } = require("../index");
 const { version: APP_VERSION } = require("../package.json");
+const REQUEST_TIMEOUT_MS = Number.parseInt(process.env.AGENT_SECURITY_REQUEST_TIMEOUT_MS || "", 10) || 15_000;
+const ACTIVE_SERVER_PROBING_DISABLED_MESSAGE = "Active server probing is disabled unless AGENT_SECURITY_ADMIN_MODE=1.";
 
 const MCP_MAX_REQUESTS_PER_MINUTE = 30;
 const MCP_WINDOW_MS = 60_000;
@@ -133,11 +135,24 @@ async function callAuditApi(method, apiPath, payload) {
     headers["x-api-key"] = AUDIT_API_KEY;
   }
 
-  const response = await fetch(`${AUDIT_BASE_URL}${apiPath}`, {
-    method,
-    headers,
-    body: payload ? JSON.stringify(payload) : undefined,
-  });
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+  let response;
+  try {
+    response = await fetch(`${AUDIT_BASE_URL}${apiPath}`, {
+      method,
+      headers,
+      body: payload ? JSON.stringify(payload) : undefined,
+      signal: controller.signal,
+    });
+  } catch (error) {
+    if (error && error.name === "AbortError") {
+      return { error: `Audit API request timed out after ${REQUEST_TIMEOUT_MS}ms.` };
+    }
+    return { error: error && error.message ? error.message : "Audit API request failed." };
+  } finally {
+    clearTimeout(timer);
+  }
 
   const text = await response.text();
   let body;
@@ -148,6 +163,19 @@ async function callAuditApi(method, apiPath, payload) {
   }
 
   if (!response.ok) {
+    if (response.status === 401) {
+      const baseMessage = body && body.error ? body.error : "Unauthorized.";
+      if (!AUDIT_API_KEY && AUDIT_BASE_URL === DEFAULT_HOSTED_BASE_URL) {
+        return {
+          error: `${baseMessage} Set AGENT_SECURITY_API_KEY to use the hosted audit API at ${DEFAULT_HOSTED_BASE_URL}.`
+        };
+      }
+      if (!AUDIT_API_KEY) {
+        return {
+          error: `${baseMessage} Set AGENT_SECURITY_API_KEY for ${AUDIT_BASE_URL} access.`
+        };
+      }
+    }
     return { error: body.error || `Audit API returned status ${response.status}` };
   }
 
@@ -164,6 +192,126 @@ function checkMcpRateLimit() {
   return mcpRequestCount <= MCP_MAX_REQUESTS_PER_MINUTE;
 }
 
+function isAdminModeEnabled() {
+  return process.env.AGENT_SECURITY_ADMIN_MODE === "1";
+}
+
+const severityPenalty = {
+  critical: 20,
+  high: 12,
+  medium: 6,
+  low: 2,
+  info: 0
+};
+
+function dedupeFindings(findings) {
+  const deduped = [];
+  const seen = new Set();
+
+  for (const finding of Array.isArray(findings) ? findings : []) {
+    if (!finding || typeof finding !== "object") {
+      continue;
+    }
+    const key = JSON.stringify([
+      finding.severity || "",
+      finding.source || "",
+      finding.cwe || "",
+      finding.location || "",
+      finding.description || ""
+    ]);
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    deduped.push(finding);
+  }
+
+  return deduped;
+}
+
+function summarizeFindings(findings) {
+  const summary = {
+    total: 0,
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+
+  for (const finding of findings) {
+    summary.total += 1;
+    if (Object.prototype.hasOwnProperty.call(summary, finding.severity)) {
+      summary[finding.severity] += 1;
+    }
+  }
+
+  return summary;
+}
+
+function calculateScore(findings) {
+  let score = 100;
+  for (const finding of findings) {
+    score -= severityPenalty[finding.severity] || 0;
+  }
+  return Math.max(0, Math.min(100, Math.round(score)));
+}
+
+function calculateGrade(score) {
+  if (score >= 97) return "A+";
+  if (score >= 93) return "A";
+  if (score >= 90) return "A-";
+  if (score >= 87) return "B+";
+  if (score >= 83) return "B";
+  if (score >= 80) return "B-";
+  if (score >= 77) return "C+";
+  if (score >= 73) return "C";
+  if (score >= 70) return "C-";
+  if (score >= 67) return "D+";
+  if (score >= 63) return "D";
+  if (score >= 60) return "D-";
+  return "F";
+}
+
+function buildExecutiveSummary(summary, score, grade, count) {
+  if (!summary.total) {
+    return `Composite report completed with no findings. Score ${score}/100 (${grade}).`;
+  }
+
+  const severityParts = [];
+  for (const severity of ["critical", "high", "medium", "low", "info"]) {
+    if (summary[severity]) {
+      severityParts.push(`${summary[severity]} ${severity}`);
+    }
+  }
+
+  return [
+    `Composite report generated from ${count} audit${count === 1 ? "" : "s"} with score ${score}/100 (${grade}).`,
+    `${summary.total} deduplicated finding${summary.total === 1 ? "" : "s"} identified${severityParts.length ? ` including ${severityParts.join(", ")}` : ""}.`
+  ].join(" ");
+}
+
+function combineReports(reports, sourceAuditIds) {
+  const findings = dedupeFindings(reports.flatMap((report) => Array.isArray(report.findings) ? report.findings : []));
+  const score = calculateScore(findings);
+  const grade = calculateGrade(score);
+  const findingsSummary = summarizeFindings(findings);
+
+  return {
+    id: sourceAuditIds.join(","),
+    type: "report",
+    target: sourceAuditIds.join(", "),
+    status: "completed",
+    score,
+    grade,
+    findings,
+    findingsSummary,
+    sourceAuditIds,
+    executiveSummary: buildExecutiveSummary(findingsSummary, score, grade, reports.length),
+    generatedAt: new Date().toISOString()
+  };
+}
+
 async function runAuditTool(toolName, args) {
   if (!checkMcpRateLimit()) {
     return { error: "Rate limit exceeded. Try again later." };
@@ -183,8 +331,16 @@ async function runAuditTool(toolName, args) {
     if (ids.length === 1) {
       return callAuditApi("GET", `/report/${encodeURIComponent(ids[0])}`);
     }
-    const results = await Promise.all(ids.map((id) => callAuditApi("GET", `/report/${encodeURIComponent(id)}`)));
-    return { reports: results };
+    const reports = await Promise.all(ids.map((id) => callAuditApi("GET", `/report/${encodeURIComponent(id)}`)));
+    const errors = reports.filter((report) => report && report.error);
+    if (errors.length) {
+      return { error: errors[0].error };
+    }
+    return combineReports(reports, ids);
+  }
+
+  if (toolName === "audit_mcp_server" && !isAdminModeEnabled()) {
+    return { error: ACTIVE_SERVER_PROBING_DISABLED_MESSAGE };
   }
 
   const route = toolRoutes[toolName];
@@ -267,4 +423,12 @@ if (require.main === module) {
   });
 }
 
-module.exports = { main, runAuditTool };
+module.exports = {
+  main,
+  runAuditTool,
+  testOnly: {
+    ACTIVE_SERVER_PROBING_DISABLED_MESSAGE,
+    combineReports,
+    toolDefinitions
+  }
+};

package/mcp/server.json

@@ -1,7 +1,7 @@
 {
   "name": "mcp-audit-server",
-  "version": "2.0.0",
-  "description": "Audit and remediate AI agent and MCP server security vulnerabilities, prompt injection risk, and data exfiltration paths.",
+  "version": "2.0.2",
+  "description": "Audit and remediate AI agent and MCP server security vulnerabilities, prompt injection risk, and data exfiltration paths through a hosted audit backend.",
   "command": "node",
   "args": [
     "mcp/index.js"

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "ledd-mcp-audit-server",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "MCP server interface for AI agent and MCP security auditing — config analysis, prompt injection testing, tool probing, data flow tracing",
+  "mcpName": "io.github.joepangallo/mcp-audit-server",
   "type": "commonjs",
   "main": "index.js",
   "bin": {
@@ -35,6 +36,7 @@
     "cli.js",
     "CHANGELOG.md",
     "MIGRATION.md",
+    "server.json",
     "mcp/",
     "README.md",
     "LICENSE"
@@ -42,6 +44,9 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.17.0"
   },
+  "overrides": {
+    "hono": "^4.12.7"
+  },
   "engines": {
     "node": ">=18"
   },

package/server.json

@@ -0,0 +1,36 @@
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.joepangallo/mcp-audit-server",
+  "description": "MCP server interface for AI agent and MCP security auditing — config analysis, prompt injection testing, tool probing, data flow tracing",
+  "repository": {
+    "url": "https://github.com/joepangallo/mcp-audit-server",
+    "source": "github"
+  },
+  "version": "2.0.2",
+  "packages": [
+    {
+      "registryType": "npm",
+      "identifier": "ledd-mcp-audit-server",
+      "version": "2.0.2",
+      "transport": {
+        "type": "stdio"
+      },
+      "environmentVariables": [
+        {
+          "description": "API key for the managed hosted audit backend",
+          "isRequired": true,
+          "format": "string",
+          "isSecret": true,
+          "name": "AGENT_SECURITY_API_KEY"
+        },
+        {
+          "description": "Optional HTTPS API origin for self-hosted or private deployments",
+          "isRequired": false,
+          "format": "string",
+          "isSecret": false,
+          "name": "AGENT_SECURITY_BASE_URL"
+        }
+      ]
+    }
+  ]
+}