mcp-security-scanner 1.0.0

package/dist/deps/typosquat-checker.js

@@ -0,0 +1,84 @@
+import { POPULAR_PACKAGES } from "../data/popular-packages.js";
+import { levenshtein, isKeyboardAdjacent, isVowelSwap, isSeparatorConfusion, isScopeSquatting } from "../utils/levenshtein.js";
+export function checkTyposquatting(depNames) {
+    const matches = [];
+    for (const dep of depNames) {
+        // Skip if it IS a popular package
+        if (POPULAR_PACKAGES.includes(dep))
+            continue;
+        // Strip scope for comparison
+        const depBase = dep.replace(/^@[^/]+\//, "");
+        for (const popular of POPULAR_PACKAGES) {
+            const popBase = popular.replace(/^@[^/]+\//, "");
+            // Skip exact match
+            if (depBase === popBase)
+                continue;
+            // Levenshtein distance <= 2
+            const dist = levenshtein(depBase.toLowerCase(), popBase.toLowerCase());
+            if (dist > 0 && dist <= 2) {
+                matches.push({
+                    dependency: dep,
+                    target: popular,
+                    method: `levenshtein (distance: ${dist})`,
+                    distance: dist,
+                });
+                continue;
+            }
+            // Keyboard adjacent
+            if (isKeyboardAdjacent(depBase.toLowerCase(), popBase.toLowerCase())) {
+                matches.push({
+                    dependency: dep,
+                    target: popular,
+                    method: "keyboard-adjacent substitution",
+                });
+                continue;
+            }
+            // Vowel swap
+            if (isVowelSwap(depBase.toLowerCase(), popBase.toLowerCase())) {
+                matches.push({
+                    dependency: dep,
+                    target: popular,
+                    method: "vowel swap",
+                });
+                continue;
+            }
+            // Separator confusion
+            if (isSeparatorConfusion(depBase.toLowerCase(), popBase.toLowerCase())) {
+                matches.push({
+                    dependency: dep,
+                    target: popular,
+                    method: "separator confusion",
+                });
+                continue;
+            }
+        }
+        // Scope squatting (check against all scoped popular packages)
+        if (dep.startsWith("@")) {
+            for (const popular of POPULAR_PACKAGES) {
+                if (popular.startsWith("@") && isScopeSquatting(dep, popular)) {
+                    matches.push({
+                        dependency: dep,
+                        target: popular,
+                        method: "scope squatting",
+                    });
+                }
+            }
+        }
+    }
+    return matches;
+}
+export function typosquatFindings(matches, filePath) {
+    return matches.map((m, i) => ({
+        id: `DEP-TYPO-${String(i + 1).padStart(3, "0")}`,
+        title: `Potential Typosquat: "${m.dependency}" → "${m.target}"`,
+        severity: "high",
+        owasp_mcp: "MCP04",
+        owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+        category: "deps",
+        file: filePath,
+        evidence: `"${m.dependency}" is similar to popular package "${m.target}" (method: ${m.method})`,
+        remediation: `Verify that "${m.dependency}" is the intended package. If not, replace with "${m.target}".`,
+        cwe: "CWE-1357",
+    }));
+}
+//# sourceMappingURL=typosquat-checker.js.map

package/dist/deps/typosquat-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"typosquat-checker.js","sourceRoot":"","sources":["../../src/deps/typosquat-checker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAU/H,MAAM,UAAU,kBAAkB,CAAC,QAAkB;IACnD,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,kCAAkC;QAClC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QAE7C,6BAA6B;QAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAE7C,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YAEjD,mBAAmB;YACnB,IAAI,OAAO,KAAK,OAAO;gBAAE,SAAS;YAElC,4BAA4B;YAC5B,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YACvE,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE,GAAG;oBACf,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,0BAA0B,IAAI,GAAG;oBACzC,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,oBAAoB;YACpB,IAAI,kBAAkB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACrE,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE,GAAG;oBACf,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,gCAAgC;iBACzC,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,aAAa;YACb,IAAI,WAAW,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE,GAAG;oBACf,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,YAAY;iBACrB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,sBAAsB;YACtB,IAAI,oBAAoB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACvE,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU,EAAE,GAAG;oBACf,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,qBAAqB;iBAC9B,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;gBACvC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,gBAAgB,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;oBAC9D,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU,EAAE,GAAG;wBACf,MAAM,EAAE,OAAO;wBACf,MAAM,EAAE,iBAAiB;qBAC1B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAyB,EAAE,QAAgB;IAC3E,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5B,EAAE,EAAE,YAAY,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;QAChD,KAAK,EAAE,yBAAyB,CAAC,CAAC,UAAU,QAAQ,CAAC,CAAC,MAAM,GAAG;QAC/D,QAAQ,EAAE,MAAe;QACzB,SAAS,EAAE,OAAgB;QAC3B,eAAe,EAAE,2CAA2C;QAC5D,QAAQ,EAAE,MAAe;QACzB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,IAAI,CAAC,CAAC,UAAU,oCAAoC,CAAC,CAAC,MAAM,cAAc,CAAC,CAAC,MAAM,GAAG;QAC/F,WAAW,EAAE,gBAAgB,CAAC,CAAC,UAAU,oDAAoD,CAAC,CAAC,MAAM,IAAI;QACzG,GAAG,EAAE,UAAU;KAChB,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,315 @@
+#!/usr/bin/env node
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+import { mkdir, writeFile } from "node:fs/promises";
+import { startMcpStdio } from "./protocol/mcp-server.js";
+import { allTools } from "./protocol/tools.js";
+import { discoverConfigs } from "./config/mcp-config-parser.js";
+// ─── Build ToolContext ───
+async function buildToolContext() {
+    const pinDir = join(homedir(), ".mcp-security-scanner", "pins");
+    await mkdir(pinDir, { recursive: true });
+    return {
+        config: {
+            pinDir,
+        },
+    };
+}
+// ─── Tool Categories for --list display ───
+const TOOL_CATEGORIES = [
+    { category: "Runtime Inspection", prefix: "rt_" },
+    { category: "Static Analysis", prefix: "sast_" },
+    { category: "Config Audit", prefix: "cfg_" },
+    { category: "Dependency Analysis", prefix: "dep_" },
+    { category: "Report & Compliance", prefix: "report_" },
+    { category: "Meta", prefix: "scanner_" },
+];
+function categorize(toolName) {
+    for (const { category, prefix } of TOOL_CATEGORIES) {
+        if (toolName.startsWith(prefix))
+            return category;
+    }
+    return "Other";
+}
+// ─── CLI: --help ───
+function printHelp() {
+    console.log(`mcp-security-scanner — MCP Server Security Scanner
+
+USAGE:
+  mcp-security-scanner                    Start MCP server on stdio
+  mcp-security-scanner --help             Show this help message
+  mcp-security-scanner --list             List all ${allTools.length} tools grouped by category
+  mcp-security-scanner --tool NAME '{}'   Run a single tool with JSON args
+
+SCAN SHORTCUTS:
+  mcp-security-scanner --scan-server "node server.js"     Runtime: 11 checks
+  mcp-security-scanner --scan-source ./src                SAST: 12 checks
+  mcp-security-scanner --scan-config ~/config.json        Config: 7 checks
+  mcp-security-scanner --scan-deps .                      Deps: 7 checks
+  mcp-security-scanner --full-audit ./my-mcp-server       ALL checks combined
+
+OUTPUT CONTROL:
+  --report json|markdown|sarif            Report format (default: json)
+  --output FILE                           Write to file (default: stdout)
+  --severity critical,high                Filter by minimum severity
+  --owasp MCP03,MCP05                     Filter by OWASP category
+
+TOOL PINNING:
+  --pin "node server.js" --pin-name NAME  Pin tool definitions
+  --verify-pin "node server.js" --pin-name NAME  Verify against pin
+
+CONFIG DISCOVERY:
+  --discover                              Find all MCP configs on system
+
+CATEGORIES:
+  rt_*      Runtime Inspection (11)  — Live server analysis
+  sast_*    Static Analysis (12)     — AST-based code scanning
+  cfg_*     Config Audit (7)         — MCP config file audit
+  dep_*     Dependency Analysis (7)  — Lockfile & supply chain
+  report_*  Report (4)               — Multi-format reports
+  scanner_* Meta (2)                 — Check listing & OWASP map
+
+OWASP MCP Top 10:
+  MCP01  Excessive Privilege & Token Mismanagement
+  MCP02  Tool & Scope Mismanagement
+  MCP03  Tool Poisoning via Description Injection
+  MCP04  Supply Chain & Dependency Vulnerabilities
+  MCP05  Command Injection & Code Execution
+  MCP06  Context & Tool Shadowing
+  MCP07  Insufficient Authentication & Transport Security
+  MCP08  Insufficient Logging & Error Handling
+  MCP09  Shadow Servers & Unauthorized MCP Endpoints
+  MCP10  Context Over-sharing & Data Exposure
+`);
+}
+// ─── CLI: --list ───
+function printToolList() {
+    const grouped = new Map();
+    for (const tool of allTools) {
+        const cat = categorize(tool.name);
+        if (!grouped.has(cat))
+            grouped.set(cat, []);
+        grouped.get(cat).push(tool);
+    }
+    console.log(`\nmcp-security-scanner — ${allTools.length} tools\n`);
+    for (const [category, tools] of grouped) {
+        console.log(`━━━ ${category} (${tools.length}) ━━━`);
+        for (const tool of tools) {
+            const schemaKeys = Object.keys(tool.schema);
+            const params = schemaKeys.length > 0 ? `(${schemaKeys.join(", ")})` : "()";
+            console.log(`  ${tool.name}${params}`);
+            console.log(`    ${tool.description.split(".")[0]}.`);
+        }
+        console.log();
+    }
+}
+// ─── CLI: --tool ───
+async function runSingleTool(toolName, argsJson) {
+    const tool = allTools.find((t) => t.name === toolName);
+    if (!tool) {
+        console.error(`Unknown tool: ${toolName}`);
+        console.error(`Run --list to see all ${allTools.length} available tools.`);
+        process.exit(1);
+    }
+    let parsedArgs;
+    try {
+        parsedArgs = JSON.parse(argsJson);
+    }
+    catch {
+        console.error(`Invalid JSON: ${argsJson}`);
+        process.exit(1);
+    }
+    const ctx = await buildToolContext();
+    try {
+        const result = await tool.execute(parsedArgs, ctx);
+        for (const item of result.content) {
+            console.log(item.text);
+        }
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+}
+// ─── CLI helpers ───
+function getArg(args, flag) {
+    const idx = args.indexOf(flag);
+    if (idx === -1 || idx + 1 >= args.length)
+        return undefined;
+    return args[idx + 1];
+}
+async function runToolAndOutput(toolName, toolArgs, outputPath) {
+    const tool = allTools.find((t) => t.name === toolName);
+    if (!tool) {
+        console.error(`Internal error: tool "${toolName}" not found.`);
+        process.exit(1);
+    }
+    const ctx = await buildToolContext();
+    const result = await tool.execute(toolArgs, ctx);
+    const output = result.content.map((c) => c.text).join("\n");
+    if (outputPath) {
+        await writeFile(outputPath, output, "utf8");
+        console.log(`Report written to ${outputPath}`);
+    }
+    else {
+        console.log(output);
+    }
+}
+// ─── Main ───
+async function main() {
+    const args = process.argv.slice(2);
+    if (args.includes("--help") || args.includes("-h")) {
+        printHelp();
+        return;
+    }
+    if (args.includes("--list") || args.includes("-l")) {
+        printToolList();
+        return;
+    }
+    // --tool NAME '{json}'
+    const toolIdx = args.indexOf("--tool");
+    if (toolIdx !== -1) {
+        const toolName = args[toolIdx + 1];
+        const toolArgs = args[toolIdx + 2] ?? "{}";
+        if (!toolName) {
+            console.error("--tool requires a tool name. Run --list to see available tools.");
+            process.exit(1);
+        }
+        await runSingleTool(toolName, toolArgs);
+        return;
+    }
+    // --discover
+    if (args.includes("--discover")) {
+        const configs = await discoverConfigs();
+        if (configs.length === 0) {
+            console.log("No MCP configuration files found.");
+            return;
+        }
+        console.log(`Found ${configs.length} MCP configuration file(s):\n`);
+        for (const cfg of configs) {
+            console.log(`${cfg.client}: ${cfg.path}`);
+            console.log(`  Servers: ${cfg.servers.length}`);
+            for (const s of cfg.servers) {
+                console.log(`    - ${s.name}: ${s.command ?? s.url ?? "unknown"}`);
+            }
+            console.log();
+        }
+        return;
+    }
+    const outputPath = getArg(args, "--output");
+    const reportFormat = getArg(args, "--report") ?? "json";
+    // --full-audit PATH [--command CMD] [--report FORMAT] [--output FILE]
+    const fullAuditIdx = args.indexOf("--full-audit");
+    if (fullAuditIdx !== -1) {
+        const path = args[fullAuditIdx + 1];
+        if (!path) {
+            console.error("--full-audit requires a project directory path.");
+            process.exit(1);
+        }
+        const command = getArg(args, "--command");
+        const cmdArgs = getArg(args, "--args");
+        const toolArgs = {
+            path: resolve(path),
+            report_format: reportFormat,
+        };
+        if (command) {
+            toolArgs.command = command;
+            if (cmdArgs)
+                toolArgs.args = cmdArgs.split(",");
+        }
+        await runToolAndOutput("report_full_audit", toolArgs, outputPath);
+        return;
+    }
+    // --scan-source PATH
+    const scanSourceIdx = args.indexOf("--scan-source");
+    if (scanSourceIdx !== -1) {
+        const path = args[scanSourceIdx + 1];
+        if (!path) {
+            console.error("--scan-source requires a directory path.");
+            process.exit(1);
+        }
+        await runToolAndOutput("sast_scan_directory", { path: resolve(path) }, outputPath);
+        return;
+    }
+    // --scan-deps PATH
+    const scanDepsIdx = args.indexOf("--scan-deps");
+    if (scanDepsIdx !== -1) {
+        const path = args[scanDepsIdx + 1];
+        if (!path) {
+            console.error("--scan-deps requires a directory path.");
+            process.exit(1);
+        }
+        // Run multiple dep checks
+        const ctx = await buildToolContext();
+        const results = [];
+        for (const name of ["dep_audit_lockfile", "dep_check_typosquatting", "dep_check_unpinned", "dep_check_install_scripts", "dep_check_mcp_sdk_version"]) {
+            const tool = allTools.find((t) => t.name === name);
+            try {
+                const r = await tool.execute({ path: resolve(path) }, ctx);
+                results.push(`── ${name} ──\n${r.content.map(c => c.text).join("\n")}\n`);
+            }
+            catch (err) {
+                results.push(`── ${name} ── ERROR: ${err.message}\n`);
+            }
+        }
+        const output = results.join("\n");
+        if (outputPath) {
+            await writeFile(outputPath, output, "utf8");
+            console.log(`Written to ${outputPath}`);
+        }
+        else
+            console.log(output);
+        return;
+    }
+    // --scan-config PATH
+    const scanConfigIdx = args.indexOf("--scan-config");
+    if (scanConfigIdx !== -1) {
+        const path = args[scanConfigIdx + 1];
+        if (!path) {
+            console.error("--scan-config requires a config file path.");
+            process.exit(1);
+        }
+        await runToolAndOutput("cfg_audit_mcp_config", { path: resolve(path) }, outputPath);
+        return;
+    }
+    // --scan-server "command args..."
+    const scanServerIdx = args.indexOf("--scan-server");
+    if (scanServerIdx !== -1) {
+        const cmdStr = args[scanServerIdx + 1];
+        if (!cmdStr) {
+            console.error("--scan-server requires a command string.");
+            process.exit(1);
+        }
+        const parts = cmdStr.split(/\s+/);
+        const command = parts[0];
+        const cmdArgs = parts.slice(1);
+        const ctx = await buildToolContext();
+        const results = [];
+        for (const name of ["rt_inspect_server", "rt_check_tool_poisoning", "rt_check_ansi_injection", "rt_check_unicode_steganography", "rt_check_scope_creep", "rt_check_tool_shadowing", "rt_check_cross_origin", "rt_check_resource_exposure"]) {
+            const tool = allTools.find((t) => t.name === name);
+            try {
+                const r = await tool.execute({ command, args: cmdArgs }, ctx);
+                results.push(`── ${name} ──\n${r.content.map(c => c.text).join("\n")}\n`);
+            }
+            catch (err) {
+                results.push(`── ${name} ── ERROR: ${err.message}\n`);
+            }
+        }
+        const output = results.join("\n");
+        if (outputPath) {
+            await writeFile(outputPath, output, "utf8");
+            console.log(`Written to ${outputPath}`);
+        }
+        else
+            console.log(output);
+        return;
+    }
+    // Default: start MCP server on stdio
+    const ctx = await buildToolContext();
+    await startMcpStdio(ctx);
+}
+main().catch((err) => {
+    console.error("Fatal error:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,4BAA4B;AAE5B,KAAK,UAAU,gBAAgB;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEzC,OAAO;QACL,MAAM,EAAE;YACN,MAAM;SACP;KACF,CAAC;AACJ,CAAC;AAED,6CAA6C;AAE7C,MAAM,eAAe,GAA2C;IAC9D,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,EAAE,KAAK,EAAE;IACjD,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE;IAChD,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE;IAC5C,EAAE,QAAQ,EAAE,qBAAqB,EAAE,MAAM,EAAE,MAAM,EAAE;IACnD,EAAE,QAAQ,EAAE,qBAAqB,EAAE,MAAM,EAAE,SAAS,EAAE;IACtD,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE;CACzC,CAAC;AAEF,SAAS,UAAU,CAAC,QAAgB;IAClC,KAAK,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACnD,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,QAAQ,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,sBAAsB;AAEtB,SAAS,SAAS;IAChB,OAAO,CAAC,GAAG,CAAC;;;;;qDAKuC,QAAQ,CAAC,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CnE,CAAC,CAAC;AACH,CAAC;AAED,sBAAsB;AAEtB,SAAS,aAAa;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAA2B,CAAC;IAEnD,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,CAAC,MAAM,UAAU,CAAC,CAAC;IAEnE,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,OAAO,QAAQ,KAAK,KAAK,CAAC,MAAM,OAAO,CAAC,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAC3E,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,IAAI,GAAG,MAAM,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;AACH,CAAC;AAED,sBAAsB;AAEtB,KAAK,UAAU,aAAa,CAAC,QAAgB,EAAE,QAAgB;IAC7D,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,mBAAmB,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,UAAmC,CAAC;IACxC,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;IAErC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAW,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,sBAAsB;AAEtB,SAAS,MAAM,CAAC,IAAc,EAAE,IAAY;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC3D,OAAO,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,QAAgB,EAChB,QAAiC,EACjC,UAAmB;IAEnB,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,yBAAyB,QAAQ,cAAc,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE5D,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC;IACjD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,eAAe;AAEf,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,SAAS,EAAE,CAAC;QACZ,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,aAAa,EAAE,CAAC;QAChB,OAAO;IACT,CAAC;IAED,uBAAuB;IACvB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,OAAO,KAAK,CAAC,CAAC,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,KAAK,CAAC,iEAAiE,CAAC,CAAC;YACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxC,OAAO;IACT,CAAC;IAED,aAAa;IACb,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;YACjD,OAAO;QACT,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,SAAS,OAAO,CAAC,MAAM,+BAA+B,CAAC,CAAC;QACpE,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YAChD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;gBAC5B,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC,CAAC;YACrE,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC;IAExD,sEAAsE;IACtE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAClD,IAAI,YAAY,KAAK,CAAC,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACvC,MAAM,QAAQ,GAA4B;YACxC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC;YACnB,aAAa,EAAE,YAAY;SAC5B,CAAC;QACF,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;YAC3B,IAAI,OAAO;gBAAE,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC;QACD,MAAM,gBAAgB,CAAC,mBAAmB,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QAClE,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAC1F,MAAM,gBAAgB,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IAED,mBAAmB;IACnB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAChD,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QACxF,0BAA0B;QAC1B,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACrC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,oBAAoB,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,2BAA2B,EAAE,2BAA2B,CAAC,EAAE,CAAC;YACrJ,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAE,CAAC;YACpD,IAAI,CAAC;gBACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5E,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,cAAe,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,UAAU,EAAE,CAAC;YAAC,MAAM,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAAC,OAAO,CAAC,GAAG,CAAC,cAAc,UAAU,EAAE,CAAC,CAAC;QAAC,CAAC;;YACpG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAC5F,MAAM,gBAAgB,CAAC,sBAAsB,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QACpF,OAAO;IACT,CAAC;IAED,kCAAkC;IAClC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACpD,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAC5F,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACrC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,mBAAmB,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,gCAAgC,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,4BAA4B,CAAC,EAAE,CAAC;YAC3O,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAE,CAAC;YACpD,IAAI,CAAC;gBACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5E,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,cAAe,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,UAAU,EAAE,CAAC;YAAC,MAAM,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAAC,OAAO,CAAC,GAAG,CAAC,cAAc,UAAU,EAAE,CAAC,CAAC;QAAC,CAAC;;YACpG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO;IACT,CAAC;IAED,qCAAqC;IACrC,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACrC,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/meta/sources.d.ts

@@ -0,0 +1,3 @@
+import type { ToolDef } from "../types/index.js";
+export declare const metaTools: ToolDef[];
+//# sourceMappingURL=sources.d.ts.map

package/dist/meta/sources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.d.ts","sourceRoot":"","sources":["../../src/meta/sources.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAoDjD,eAAO,MAAM,SAAS,EAAE,OAAO,EAA6C,CAAC"}

package/dist/meta/sources.js

@@ -0,0 +1,43 @@
+import { text } from "../types/index.js";
+import { OWASP_MCP_TOP10 } from "../data/owasp-mcp-top10.js";
+const scannerListChecks = {
+    name: "scanner_list_checks",
+    description: "List all security checks available in mcp-security-scanner with name, description, OWASP MCP Top 10 mapping, severity range, and category.",
+    schema: {},
+    async execute() {
+        const checks = [
+            { category: "Runtime Inspection (rt_)", count: 11, owasp: "MCP02,MCP03,MCP06,MCP07,MCP10", description: "Connect to live MCP servers, inspect tool definitions, detect poisoning, verify pins" },
+            { category: "Static Analysis (sast_)", count: 12, owasp: "MCP01,MCP05,MCP08", description: "AST-based code scanning: command injection, SSRF, path traversal, code execution, secrets, crypto" },
+            { category: "Config Audit (cfg_)", count: 7, owasp: "MCP01,MCP07,MCP09,MCP10", description: "Parse MCP configs, scan env files, detect shadow servers, check transport security" },
+            { category: "Dependency Analysis (dep_)", count: 7, owasp: "MCP04", description: "Lockfile audit, typosquatting detection, install scripts, SDK version check" },
+            { category: "Report & Compliance (report_)", count: 4, owasp: "ALL", description: "Generate markdown, SARIF, JSON reports. Full audit orchestrator." },
+            { category: "Meta (scanner_)", count: 2, owasp: "ALL", description: "Check listing, OWASP MCP mapping" },
+        ];
+        const total = checks.reduce((sum, c) => sum + c.count, 0);
+        let output = `mcp-security-scanner — ${total} security checks\n\n`;
+        for (const c of checks) {
+            output += `━━━ ${c.category} — ${c.count} tools ━━━\n`;
+            output += `  OWASP: ${c.owasp}\n`;
+            output += `  ${c.description}\n\n`;
+        }
+        return text(output.trim());
+    },
+};
+const scannerOwaspMapping = {
+    name: "scanner_owasp_mapping",
+    description: "Display the full OWASP MCP Top 10 with ID, title, description, remediation guidance, CWE mappings, and external references.",
+    schema: {},
+    async execute() {
+        let output = "OWASP MCP Top 10 — Security Categories\n\n";
+        for (const cat of OWASP_MCP_TOP10) {
+            output += `━━━ ${cat.id}: ${cat.title} ━━━\n`;
+            output += `  ${cat.description}\n`;
+            output += `  Remediation: ${cat.remediation}\n`;
+            output += `  CWE: ${cat.cwe.join(", ")}\n`;
+            output += `  References: ${cat.references.join(", ")}\n\n`;
+        }
+        return text(output.trim());
+    },
+};
+export const metaTools = [scannerListChecks, scannerOwaspMapping];
+//# sourceMappingURL=sources.js.map

package/dist/meta/sources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.js","sourceRoot":"","sources":["../../src/meta/sources.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAQ,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAE7D,MAAM,iBAAiB,GAAY;IACjC,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EACT,4IAA4I;IAC9I,MAAM,EAAE,EAAE;IACV,KAAK,CAAC,OAAO;QACX,MAAM,MAAM,GAAG;YACb,EAAE,QAAQ,EAAE,0BAA0B,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,+BAA+B,EAAE,WAAW,EAAE,sFAAsF,EAAE;YAChM,EAAE,QAAQ,EAAE,yBAAyB,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,WAAW,EAAE,mGAAmG,EAAE;YAChM,EAAE,QAAQ,EAAE,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,WAAW,EAAE,oFAAoF,EAAE;YAClL,EAAE,QAAQ,EAAE,4BAA4B,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,6EAA6E,EAAE;YAChK,EAAE,QAAQ,EAAE,+BAA+B,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,kEAAkE,EAAE;YACtJ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,kCAAkC,EAAE;SACzG,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC1D,IAAI,MAAM,GAAG,0BAA0B,KAAK,sBAAsB,CAAC;QAEnE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,OAAO,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,KAAK,cAAc,CAAC;YACvD,MAAM,IAAI,YAAY,CAAC,CAAC,KAAK,IAAI,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,MAAM,CAAC;QACrC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7B,CAAC;CACF,CAAC;AAEF,MAAM,mBAAmB,GAAY;IACnC,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EACT,6HAA6H;IAC/H,MAAM,EAAE,EAAE;IACV,KAAK,CAAC,OAAO;QACX,IAAI,MAAM,GAAG,4CAA4C,CAAC;QAE1D,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAClC,MAAM,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,KAAK,QAAQ,CAAC;YAC9C,MAAM,IAAI,KAAK,GAAG,CAAC,WAAW,IAAI,CAAC;YACnC,MAAM,IAAI,kBAAkB,GAAG,CAAC,WAAW,IAAI,CAAC;YAChD,MAAM,IAAI,UAAU,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;YAC3C,MAAM,IAAI,iBAAiB,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAc,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC"}

package/dist/protocol/mcp-server.d.ts

@@ -0,0 +1,4 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { ToolContext } from "../types/index.js";
+export declare function startMcpStdio(ctx: ToolContext): Promise<McpServer>;
+//# sourceMappingURL=mcp-server.d.ts.map

package/dist/protocol/mcp-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.d.ts","sourceRoot":"","sources":["../../src/protocol/mcp-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAGpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AA8BrD,wBAAsB,aAAa,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,CAMxE"}

package/dist/protocol/mcp-server.js

@@ -0,0 +1,32 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { allTools } from "./tools.js";
+function createMcpServer(ctx) {
+    const server = new McpServer({
+        name: "mcp-security-scanner",
+        version: "0.1.0",
+    });
+    for (const tool of allTools) {
+        server.tool(tool.name, tool.description, tool.schema, async (args) => {
+            try {
+                const result = await tool.execute(args, ctx);
+                return result;
+            }
+            catch (err) {
+                return {
+                    content: [{ type: "text", text: `Error: ${err.message}` }],
+                    isError: true,
+                };
+            }
+        });
+    }
+    return server;
+}
+export async function startMcpStdio(ctx) {
+    const server = createMcpServer(ctx);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error("[mcp-security-scanner] MCP server started on stdio");
+    return server;
+}
+//# sourceMappingURL=mcp-server.js.map

package/dist/protocol/mcp-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.js","sourceRoot":"","sources":["../../src/protocol/mcp-server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAGtC,SAAS,eAAe,CAAC,GAAgB;IACvC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAM,EACX,KAAK,EAAE,IAA6B,EAAE,EAAE;YACtC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC7C,OAAO,MAAa,CAAC;YACvB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAW,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC9E,OAAO,EAAE,IAAI;iBACP,CAAC;YACX,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAgB;IAClD,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACpE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/protocol/tools.d.ts

@@ -0,0 +1,3 @@
+import type { ToolDef } from "../types/index.js";
+export declare const allTools: ToolDef[];
+//# sourceMappingURL=tools.d.ts.map

package/dist/protocol/tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../../src/protocol/tools.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAQjD,eAAO,MAAM,QAAQ,EAAE,OAAO,EAa7B,CAAC"}

package/dist/protocol/tools.js

@@ -0,0 +1,21 @@
+import { metaTools } from "../meta/sources.js";
+import { runtimeTools } from "../runtime/index.js";
+import { staticTools } from "../static/index.js";
+import { configTools } from "../config/index.js";
+import { depsTools } from "../deps/index.js";
+import { reportTools } from "../report/index.js";
+export const allTools = [
+    // Runtime Inspection (11)
+    ...runtimeTools,
+    // Static Analysis (12)
+    ...staticTools,
+    // Config Audit (7)
+    ...configTools,
+    // Dependency Analysis (7)
+    ...depsTools,
+    // Report & Compliance (4)
+    ...reportTools,
+    // Meta (2)
+    ...metaTools,
+];
+//# sourceMappingURL=tools.js.map

package/dist/protocol/tools.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.js","sourceRoot":"","sources":["../../src/protocol/tools.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,CAAC,MAAM,QAAQ,GAAc;IACjC,0BAA0B;IAC1B,GAAG,YAAY;IACf,uBAAuB;IACvB,GAAG,WAAW;IACd,mBAAmB;IACnB,GAAG,WAAW;IACd,0BAA0B;IAC1B,GAAG,SAAS;IACZ,0BAA0B;IAC1B,GAAG,WAAW;IACd,WAAW;IACX,GAAG,SAAS;CACb,CAAC"}

package/dist/report/index.d.ts

@@ -0,0 +1,3 @@
+import type { ToolDef } from "../types/index.js";
+export declare const reportTools: ToolDef[];
+//# sourceMappingURL=index.d.ts.map

package/dist/report/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/report/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAgSjD,eAAO,MAAM,WAAW,EAAE,OAAO,EAKhC,CAAC"}