npm - mcpman - Versions diffs - 0.1.1 → 0.3.0 - Mend

mcpman 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +68 -2
package/dist/chunk-6X6Q6UZC.js +141 -0
package/dist/index.cjs +1769 -356
package/dist/index.js +1479 -308
package/dist/trust-scorer-LYC6KZCD.js +77 -0
package/dist/vault-service-UTZAV6N6.js +29 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,7 +1,9 @@
 # mcpman
-![npm version](https://img.shields.io/npm/v/mcpman)
-![license](https://img.shields.io/npm/l/mcpman)
+[![npm version](https://img.shields.io/npm/v/mcpman)](https://www.npmjs.com/package/mcpman)
+[![npm downloads](https://img.shields.io/npm/dm/mcpman)](https://www.npmjs.com/package/mcpman)
+[![GitHub stars](https://img.shields.io/github/stars/tranhoangtu-it/mcpman)](https://github.com/tranhoangtu-it/mcpman)
+[![license](https://img.shields.io/npm/l/mcpman)](https://github.com/tranhoangtu-it/mcpman/blob/main/LICENSE)
 ![node](https://img.shields.io/node/v/mcpman)
 **The package manager for MCP servers.**
@@ -33,6 +35,10 @@ mcpman install @modelcontextprotocol/server-filesystem
 - **Registry-aware** — resolves packages from npm, Smithery, or GitHub URLs
 - **Lockfile** — tracks installed servers in `mcpman.lock` for reproducible setups
 - **Health checks** — verifies runtimes, env vars, and server connectivity with `doctor`
+- **Encrypted secrets** — store API keys in an AES-256 encrypted vault instead of plaintext JSON; auto-loads during install
+- **Config sync** — keep server configs consistent across all your AI clients; `--remove` cleans extras
+- **Security audit** — scan servers for vulnerabilities with trust scoring; `--fix` auto-updates vulnerable packages
+- **Auto-update** — get notified when server updates are available
 - **Interactive prompts** — guided installation with env var configuration
 - **No extra daemon** — pure CLI, works anywhere Node ≥ 20 runs
@@ -92,6 +98,61 @@ Scaffold an `mcpman.lock` file in the current directory for project-scoped serve
 mcpman init
 ```
+### `secrets`
+Manage encrypted secrets for MCP servers (API keys, tokens, etc.).
+```sh
+mcpman secrets set my-server OPENAI_API_KEY=sk-...
+mcpman secrets list my-server
+mcpman secrets remove my-server OPENAI_API_KEY
+```
+Secrets are stored in `~/.mcpman/vault.enc` using AES-256-CBC encryption with PBKDF2 key derivation. During `install`, vault secrets are auto-loaded to pre-fill env vars, and new credentials can be saved after installation.
+### `sync`
+Sync MCP server configs across all detected AI clients.
+```sh
+mcpman sync              # sync all servers to all clients
+mcpman sync --dry-run    # preview changes without applying
+mcpman sync --source cursor  # use Cursor config as source of truth
+mcpman sync --remove     # remove servers not in lockfile from clients
+```
+**Options:**
+- `--dry-run` — preview changes without applying
+- `--source <client>` — use a specific client config as source of truth
+- `--remove` — remove extra servers from clients that aren't tracked in lockfile
+- `--yes` — skip confirmation prompts
+### `audit [server]`
+Scan installed servers for security vulnerabilities and compute trust scores.
+```sh
+mcpman audit             # audit all servers
+mcpman audit my-server   # audit specific server
+mcpman audit --json      # machine-readable output
+mcpman audit --fix       # auto-update vulnerable servers
+mcpman audit --fix --yes # auto-update without confirmation
+```
+Trust score (0–100) based on: vulnerability count, download velocity, package age, publish frequency, and maintainer signals.
+The `--fix` flag checks for newer versions of vulnerable npm packages, updates them, and re-scans to verify the fixes.
+### `update [server]`
+Check for and apply updates to installed MCP servers.
+```sh
+mcpman update            # update all servers
+mcpman update my-server  # update specific server
+mcpman update --check    # check only, don't apply
+```
 ---
 ## Comparison
@@ -101,6 +162,11 @@ mcpman init
 | Multi-client support | All 4 clients | Claude only | Limited |
 | Lockfile | `mcpman.lock` | None | None |
 | Health checks | Runtime + env + process | None | None |
+| Encrypted secrets | AES-256 vault | None | None |
+| Config sync | Cross-client + `--remove` | None | None |
+| Security audit | Trust scoring + auto-fix | None | None |
+| CI/CD | GitHub Actions | None | None |
+| Auto-update | Version check + notify | None | None |
 | Registry sources | npm + Smithery + GitHub | Smithery only | npm only |
 | Interactive setup | Yes | Partial | No |
 | Project-scoped | Yes (`init`) | No | No |

package/dist/chunk-6X6Q6UZC.js ADDED Viewed

@@ -0,0 +1,141 @@
+#!/usr/bin/env node
+// src/core/vault-service.ts
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import * as p from "@clack/prompts";
+var _cachedPassword = null;
+process.on("exit", () => {
+  _cachedPassword = null;
+});
+function getVaultPath() {
+  return path.join(os.homedir(), ".mcpman", "vault.enc");
+}
+function readVault(vaultPath = getVaultPath()) {
+  const empty = { version: 1, servers: {} };
+  try {
+    const raw = fs.readFileSync(vaultPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== 1 || typeof parsed.servers !== "object") return empty;
+    return parsed;
+  } catch {
+    return empty;
+  }
+}
+function writeVault(data, vaultPath = getVaultPath()) {
+  const dir = path.dirname(vaultPath);
+  fs.mkdirSync(dir, { recursive: true });
+  const tmp = `${vaultPath}.tmp`;
+  fs.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
+  if (process.platform !== "win32") {
+    fs.chmodSync(tmp, 384);
+  }
+  fs.renameSync(tmp, vaultPath);
+  if (process.platform !== "win32") {
+    fs.chmodSync(vaultPath, 384);
+  }
+}
+function encrypt(value, password2) {
+  const salt = crypto.randomBytes(16);
+  const key = crypto.pbkdf2Sync(password2, salt, 1e5, 32, "sha256");
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+  const encrypted = Buffer.concat([cipher.update(value, "utf-8"), cipher.final()]);
+  return {
+    salt: salt.toString("hex"),
+    iv: iv.toString("hex"),
+    data: encrypted.toString("hex")
+  };
+}
+function decrypt(entry, password2) {
+  const salt = Buffer.from(entry.salt, "hex");
+  const key = crypto.pbkdf2Sync(password2, salt, 1e5, 32, "sha256");
+  const iv = Buffer.from(entry.iv, "hex");
+  const decipher = crypto.createDecipheriv("aes-256-cbc", key, iv);
+  const decrypted = Buffer.concat([
+    decipher.update(Buffer.from(entry.data, "hex")),
+    decipher.final()
+    // throws ERR_OSSL_BAD_DECRYPT on wrong password
+  ]);
+  return decrypted.toString("utf-8");
+}
+async function getMasterPassword(confirm = false) {
+  if (_cachedPassword) return _cachedPassword;
+  const password2 = await p.password({
+    message: "Enter vault master password:",
+    validate: (v) => v.length < 8 ? "Password must be at least 8 characters" : void 0
+  });
+  if (p.isCancel(password2)) {
+    p.cancel("Vault access cancelled.");
+    process.exit(0);
+  }
+  if (confirm) {
+    const confirm2 = await p.password({ message: "Confirm master password:" });
+    if (p.isCancel(confirm2) || confirm2 !== password2) {
+      p.cancel("Passwords do not match.");
+      process.exit(1);
+    }
+  }
+  _cachedPassword = password2;
+  return _cachedPassword;
+}
+function clearPasswordCache() {
+  _cachedPassword = null;
+}
+function setSecret(server, key, value, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  if (!vault.servers[server]) vault.servers[server] = {};
+  vault.servers[server][key] = encrypt(value, password2);
+  writeVault(vault, vaultPath);
+}
+function getSecret(server, key, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entry = vault.servers[server]?.[key];
+  if (!entry) return null;
+  return decrypt(entry, password2);
+}
+function getSecretsForServer(server, password2, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entries = vault.servers[server];
+  if (!entries) return {};
+  const result = {};
+  for (const [k, entry] of Object.entries(entries)) {
+    result[k] = decrypt(entry, password2);
+  }
+  return result;
+}
+function removeSecret(server, key, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  if (vault.servers[server]) {
+    delete vault.servers[server][key];
+    if (Object.keys(vault.servers[server]).length === 0) {
+      delete vault.servers[server];
+    }
+    writeVault(vault, vaultPath);
+  }
+}
+function listSecrets(server, vaultPath = getVaultPath()) {
+  const vault = readVault(vaultPath);
+  const entries = server ? vault.servers[server] ? { [server]: vault.servers[server] } : {} : vault.servers;
+  return Object.entries(entries).map(([srv, keys]) => ({
+    server: srv,
+    keys: Object.keys(keys)
+  }));
+}
+export {
+  getVaultPath,
+  readVault,
+  writeVault,
+  encrypt,
+  decrypt,
+  getMasterPassword,
+  clearPasswordCache,
+  setSecret,
+  getSecret,
+  getSecretsForServer,
+  removeSecret,
+  listSecrets
+};