npm - raven-mcp - Versions diffs - 1.0.0 → 1.1.1 - Mend

raven-mcp 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/SECURITY.md +74 -0
package/dist/index.js +972 -0
package/dist/index.js.map +1 -1
package/package.json +9 -5
package/scripts/postinstall.cjs +37 -0
package/src/data/principles/component-architecture.json +103 -0
package/src/data/principles/mobile-ux.json +180 -0
package/src/data/principles/responsive-layout.json +95 -0
package/src/data/tokens/registry.json +57 -12
package/src/data/tokens/systems/airbnb.json +187 -0
package/src/data/tokens/systems/apple-hig.json +152 -0
package/src/data/tokens/systems/github-primer.json +154 -0
package/src/data/tokens/systems/material-design.json +235 -0
package/src/data/tokens/systems/notion.json +160 -0
package/src/data/tokens/systems/shadcn.json +162 -0
package/src/data/tokens/systems/spotify.json +155 -0
package/src/data/tokens/systems/supabase.json +179 -0
package/src/data/tokens/systems/tailwind.json +279 -0
package/src/data/tokens/systems/vercel.json +145 -0

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,74 @@
+# Security Policy — Raven MCP
+## Data Flow
+Raven MCP runs entirely locally. Here is the complete data flow:
+```
+Claude (prompt) → MCP Protocol (stdio) → Raven MCP (local process) → Response (text)
+```
+### What Raven reads
+- User prompts passed via the MCP protocol from Claude Code or Claude Desktop
+- Static JSON files bundled in the package (design principles, patterns, tokens)
+### What Raven returns
+- Text responses (JSON) containing design principles, patterns, tokens, and evaluations
+- All responses are returned via stdio to the calling MCP client (Claude)
+### What Raven does NOT do
+- No network requests during tool execution — all data is local JSON loaded at startup
+- No file system reads beyond its own bundled data files
+- No logging of user prompts, code, or design artifacts
+- No collection of PII or customer data
+- No external API calls, database connections, or cloud service integrations
+- No access to environment variables, secrets, or credentials during tool execution
+### Optional telemetry (postinstall only)
+On `npm install`, an optional postinstall script sends a single HTTPS POST to `ravenmcp.ai/api/welcome` containing:
+- Node.js version
+- OS platform and architecture
+- Timestamp
+**No user data, prompts, code, or design artifacts are sent.** This telemetry is limited to install-time only and never runs during tool execution.
+**To disable:** Set `RAVEN_NO_TELEMETRY=1` before install:
+```bash
+RAVEN_NO_TELEMETRY=1 npm install raven-mcp
+```
+## Dependencies
+### Runtime
+| Package | Purpose | License |
+|---------|---------|---------|
+| `@modelcontextprotocol/sdk` | MCP protocol implementation | MIT |
+| `zod` | Input validation | MIT |
+### Dev-only (not shipped)
+| Package | Purpose | License |
+|---------|---------|---------|
+| `typescript` | Build | Apache-2.0 |
+| `tsx` | Dev server | MIT |
+| `@types/node` | Type definitions | MIT |
+| `resend` | Email (dev testing only) | MIT |
+Zero transitive runtime dependencies beyond the two listed above.
+## License
+MIT — see [LICENSE](./LICENSE).
+## Reporting Vulnerabilities
+Email security concerns to andrew@ravenmcp.ai. Response within 48 hours.
+## Enterprise / Compliance Use
+For enterprise environments requiring:
+- Telemetry disabled: set `RAVEN_NO_TELEMETRY=1`
+- Version pinning: lock to a specific version in `package.json`
+- SBOM: generate with `npm sbom --sbom-format cyclonedx`
+- Audit: run `npm audit` — zero known vulnerabilities as of v1.1.0
+Raven MCP is designed for local-only, air-gapped use. No network access is required after installation.