npm - mcpman - Versions diffs - 0.2.0 → 0.3.0 - Mend

mcpman 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -35,6 +35,10 @@ mcpman install @modelcontextprotocol/server-filesystem
 - **Registry-aware** — resolves packages from npm, Smithery, or GitHub URLs
 - **Lockfile** — tracks installed servers in `mcpman.lock` for reproducible setups
 - **Health checks** — verifies runtimes, env vars, and server connectivity with `doctor`
+- **Encrypted secrets** — store API keys in an AES-256 encrypted vault instead of plaintext JSON; auto-loads during install
+- **Config sync** — keep server configs consistent across all your AI clients; `--remove` cleans extras
+- **Security audit** — scan servers for vulnerabilities with trust scoring; `--fix` auto-updates vulnerable packages
+- **Auto-update** — get notified when server updates are available
 - **Interactive prompts** — guided installation with env var configuration
 - **No extra daemon** — pure CLI, works anywhere Node ≥ 20 runs
@@ -94,6 +98,61 @@ Scaffold an `mcpman.lock` file in the current directory for project-scoped serve
 mcpman init
 ```
+### `secrets`
+Manage encrypted secrets for MCP servers (API keys, tokens, etc.).
+```sh
+mcpman secrets set my-server OPENAI_API_KEY=sk-...
+mcpman secrets list my-server
+mcpman secrets remove my-server OPENAI_API_KEY
+```
+Secrets are stored in `~/.mcpman/vault.enc` using AES-256-CBC encryption with PBKDF2 key derivation. During `install`, vault secrets are auto-loaded to pre-fill env vars, and new credentials can be saved after installation.
+### `sync`
+Sync MCP server configs across all detected AI clients.
+```sh
+mcpman sync              # sync all servers to all clients
+mcpman sync --dry-run    # preview changes without applying
+mcpman sync --source cursor  # use Cursor config as source of truth
+mcpman sync --remove     # remove servers not in lockfile from clients
+```
+**Options:**
+- `--dry-run` — preview changes without applying
+- `--source <client>` — use a specific client config as source of truth
+- `--remove` — remove extra servers from clients that aren't tracked in lockfile
+- `--yes` — skip confirmation prompts
+### `audit [server]`
+Scan installed servers for security vulnerabilities and compute trust scores.
+```sh
+mcpman audit             # audit all servers
+mcpman audit my-server   # audit specific server
+mcpman audit --json      # machine-readable output
+mcpman audit --fix       # auto-update vulnerable servers
+mcpman audit --fix --yes # auto-update without confirmation
+```
+Trust score (0–100) based on: vulnerability count, download velocity, package age, publish frequency, and maintainer signals.
+The `--fix` flag checks for newer versions of vulnerable npm packages, updates them, and re-scans to verify the fixes.
+### `update [server]`
+Check for and apply updates to installed MCP servers.
+```sh
+mcpman update            # update all servers
+mcpman update my-server  # update specific server
+mcpman update --check    # check only, don't apply
+```
 ---
 ## Comparison
@@ -103,6 +162,11 @@ mcpman init
 | Multi-client support | All 4 clients | Claude only | Limited |
 | Lockfile | `mcpman.lock` | None | None |
 | Health checks | Runtime + env + process | None | None |
+| Encrypted secrets | AES-256 vault | None | None |
+| Config sync | Cross-client + `--remove` | None | None |
+| Security audit | Trust scoring + auto-fix | None | None |
+| CI/CD | GitHub Actions | None | None |
+| Auto-update | Version check + notify | None | None |
 | Registry sources | npm + Smithery + GitHub | Smithery only | npm only |
 | Interactive setup | Yes | Partial | No |
 | Project-scoped | Yes (`init`) | No | No |