policylayer 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +82 -0
- package/package.json +1 -1
package/README.md
ADDED
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
# policylayer
|
|
2
|
+
|
|
3
|
+
Scan your MCP config. See what your AI agent can do. Get a shareable report.
|
|
4
|
+
|
|
5
|
+
## Quick start
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
npx -y policylayer scan
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
That's it. The CLI finds your MCP config, analyses it against 115+ known servers, and prints a report URL.
|
|
12
|
+
|
|
13
|
+
## What it does
|
|
14
|
+
|
|
15
|
+
1. **Finds your config** -- checks `.mcp.json`, `~/.claude.json`, Claude Desktop, Cursor, VS Code, Windsurf, and Codex configs automatically
|
|
16
|
+
2. **Strips secrets** -- only server names and package identifiers are sent. API keys, tokens, env vars, and file paths are removed before anything leaves your machine
|
|
17
|
+
3. **Sends to the scan API** -- analyses your servers against a database of 2,500+ tools with severity classifications
|
|
18
|
+
4. **Prints a report URL** -- permanent, shareable, no login required
|
|
19
|
+
|
|
20
|
+
## Commands
|
|
21
|
+
|
|
22
|
+
### `policylayer scan`
|
|
23
|
+
|
|
24
|
+
Scan your MCP configuration.
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
npx -y policylayer scan
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
**Options:**
|
|
31
|
+
|
|
32
|
+
| Flag | Description |
|
|
33
|
+
|------|-------------|
|
|
34
|
+
| `--config <path>` | Path to a specific config file (skips auto-detection) |
|
|
35
|
+
| `--dry-run` | Show the stripped payload without sending it |
|
|
36
|
+
| `--api-url <url>` | Override the scan API URL (default: `https://policylayer.com/api/scan`) |
|
|
37
|
+
|
|
38
|
+
### Examples
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
# Auto-detect config and scan
|
|
42
|
+
npx -y policylayer scan
|
|
43
|
+
|
|
44
|
+
# Scan a specific config file
|
|
45
|
+
npx -y policylayer scan --config .mcp.json
|
|
46
|
+
|
|
47
|
+
# See what would be sent (nothing leaves your machine)
|
|
48
|
+
npx -y policylayer scan --dry-run
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
## Config detection
|
|
52
|
+
|
|
53
|
+
The CLI searches these paths in order and uses the first one found:
|
|
54
|
+
|
|
55
|
+
| Client | Path |
|
|
56
|
+
|--------|------|
|
|
57
|
+
| Claude Code (project) | `.mcp.json` |
|
|
58
|
+
| Claude Code (user) | `~/.claude.json` |
|
|
59
|
+
| Claude Desktop | `~/Library/Application Support/Claude/claude_desktop_config.json` |
|
|
60
|
+
| Cursor | `.cursor/mcp.json` |
|
|
61
|
+
| VS Code | `.vscode/settings.json` |
|
|
62
|
+
| Windsurf | `~/.codeium/windsurf/mcp_config.json` |
|
|
63
|
+
| Codex (project) | `.codex/config.toml` |
|
|
64
|
+
| Codex (user) | `~/.codex/config.toml` |
|
|
65
|
+
|
|
66
|
+
## Privacy
|
|
67
|
+
|
|
68
|
+
The CLI **never sends** your raw config. Before anything leaves your machine:
|
|
69
|
+
|
|
70
|
+
- Environment variables are stripped
|
|
71
|
+
- Auth tokens (`sk-`, `ghp_`, `ict_`, Bearer tokens, etc.) are removed
|
|
72
|
+
- Absolute file paths are removed
|
|
73
|
+
- Command flags are removed
|
|
74
|
+
- Only server names and npm package identifiers are sent
|
|
75
|
+
|
|
76
|
+
Use `--dry-run` to see exactly what would be sent.
|
|
77
|
+
|
|
78
|
+
## Links
|
|
79
|
+
|
|
80
|
+
- [Example report](https://policylayer.com/scan/report/65545482-5d1d-472f-9fca-472ff1181d0d)
|
|
81
|
+
- [Scan your config online](https://policylayer.com/scan)
|
|
82
|
+
- [Intercept](https://github.com/policylayer/intercept) -- enforce limits on every MCP tool call
|