npm - shieldapi-mcp - Versions diffs - 1.0.0 → 1.0.2 - Mend

shieldapi-mcp 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -64,7 +64,6 @@ Add to `.cursor/mcp.json`:
 |----------|---------|-------------|
 | `SHIELDAPI_URL` | `https://shield.vainplex.dev` | API base URL |
 | `SHIELDAPI_WALLET_PRIVATE_KEY` | *(none)* | EVM private key for USDC payments. If not set, uses free demo mode. |
-| `SHIELDAPI_NETWORK` | `base` | Network for payments (Base mainnet) |
 ## Demo Mode

package/dist/index.js CHANGED Viewed

@@ -8,8 +8,46 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
-const { SHIELDAPI_URL = 'https://shield.vainplex.dev', SHIELDAPI_WALLET_PRIVATE_KEY, SHIELDAPI_NETWORK = 'base', } = process.env;
+const { SHIELDAPI_URL = 'https://shield.vainplex.dev', SHIELDAPI_WALLET_PRIVATE_KEY, } = process.env;
 const demoMode = !SHIELDAPI_WALLET_PRIVATE_KEY;
+const TOOLS = {
+    check_url: {
+        description: 'Check a URL for malware, phishing, and other threats. Uses URLhaus + heuristic analysis.',
+        param: 'url',
+        paramDesc: 'The URL to check (e.g. https://example.com)',
+        endpoint: 'check-url',
+    },
+    check_password: {
+        description: 'Check if a password hash (SHA-1) has been exposed in known data breaches via HIBP.',
+        param: 'hash',
+        paramDesc: 'SHA-1 hash of the password (40 hex chars)',
+        endpoint: 'check-password',
+    },
+    check_password_range: {
+        description: 'Look up a SHA-1 hash prefix in the HIBP k-Anonymity database.',
+        param: 'prefix',
+        paramDesc: 'First 5 characters of the SHA-1 password hash',
+        endpoint: 'check-password-range',
+    },
+    check_domain: {
+        description: 'Check domain reputation: DNS records, blacklists (Spamhaus, SpamCop, SORBS), SPF/DMARC, SSL.',
+        param: 'domain',
+        paramDesc: 'Domain name to check (e.g. example.com)',
+        endpoint: 'check-domain',
+    },
+    check_ip: {
+        description: 'Check IP reputation: blacklists, Tor exit node detection, reverse DNS.',
+        param: 'ip',
+        paramDesc: 'IPv4 address to check (e.g. 8.8.8.8)',
+        endpoint: 'check-ip',
+    },
+    check_email: {
+        description: 'Check if an email address has been exposed in known data breaches via HIBP.',
+        param: 'email',
+        paramDesc: 'Email address to check',
+        endpoint: 'check-email',
+    },
+};
 // --- x402 payment setup (lazy, only if wallet configured) ---
 let paymentFetch = fetch;
 async function initPaymentFetch() {
@@ -44,10 +82,19 @@ async function callShieldApi(endpoint, params) {
     const response = await paymentFetch(url.toString());
     if (!response.ok) {
         const body = await response.text();
-        throw new Error(`ShieldAPI ${endpoint} failed (${response.status}): ${body}`);
+        throw new Error(`ShieldAPI ${endpoint} failed (${response.status}): ${body.substring(0, 200)}`);
     }
     return response.json();
 }
+function detectTargetType(target) {
+    if (target.includes('@'))
+        return { email: target };
+    if (/^\d+\.\d+\.\d+\.\d+$/.test(target))
+        return { ip: target };
+    if (target.startsWith('http://') || target.startsWith('https://'))
+        return { url: target };
+    return { domain: target };
+}
 function formatResult(data) {
     return {
         content: [{ type: 'text', text: JSON.stringify(data, null, 2) }],
@@ -56,16 +103,14 @@ function formatResult(data) {
 // --- MCP Server ---
 const server = new McpServer({
     name: 'ShieldAPI',
-    version: '1.0.0',
+    version: '1.0.2',
 });
-// Tools
-server.tool('check_url', 'Check a URL for malware, phishing, and other threats. Uses URLhaus + heuristic analysis.', { url: z.string().describe('The URL to check (e.g. https://example.com)') }, async ({ url }) => formatResult(await callShieldApi('check-url', { url })));
-server.tool('check_password', 'Check if a password hash (SHA-1) has been exposed in known data breaches via HIBP.', { hash: z.string().describe('SHA-1 hash of the password (40 hex chars)') }, async ({ hash }) => formatResult(await callShieldApi('check-password', { hash })));
-server.tool('check_password_range', 'Look up a SHA-1 hash prefix in the HIBP k-Anonymity database.', { prefix: z.string().describe('First 5 characters of the SHA-1 password hash') }, async ({ prefix }) => formatResult(await callShieldApi('check-password-range', { prefix })));
-server.tool('check_domain', 'Check domain reputation: DNS records, blacklists (Spamhaus, SpamCop, SORBS), SPF/DMARC, SSL.', { domain: z.string().describe('Domain name to check (e.g. example.com)') }, async ({ domain }) => formatResult(await callShieldApi('check-domain', { domain })));
-server.tool('check_ip', 'Check IP reputation: blacklists, Tor exit node detection, reverse DNS.', { ip: z.string().describe('IPv4 address to check (e.g. 8.8.8.8)') }, async ({ ip }) => formatResult(await callShieldApi('check-ip', { ip })));
-server.tool('check_email', 'Check if an email address has been exposed in known data breaches via HIBP.', { email: z.string().describe('Email address to check') }, async ({ email }) => formatResult(await callShieldApi('check-email', { email })));
-server.tool('full_scan', 'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.', { target: z.string().describe('Target to scan — URL, domain, IP address, or email') }, async ({ target }) => formatResult(await callShieldApi('full-scan', { target })));
+// Register standard tools from config
+for (const [name, def] of Object.entries(TOOLS)) {
+    server.tool(name, def.description, { [def.param]: z.string().describe(def.paramDesc) }, async (params) => formatResult(await callShieldApi(def.endpoint, params)));
+}
+// full_scan is special — single 'target' param mapped to the correct server param
+server.tool('full_scan', 'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.', { target: z.string().describe('Target to scan — URL, domain, IP address, or email') }, async ({ target }) => formatResult(await callShieldApi('full-scan', detectTargetType(target))));
 // --- Start ---
 async function main() {
     await initPaymentFetch();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "shieldapi-mcp",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "MCP server for ShieldAPI",
   "main": "dist/index.js",
   "bin": {
@@ -8,6 +8,7 @@
   },
   "scripts": {
     "build": "tsc",
+    "test": "vitest run",
     "start": "node dist/index.js"
   },
   "keywords": [
@@ -31,7 +32,8 @@
   },
   "devDependencies": {
     "@types/node": "^20.11.24",
-    "typescript": "^5.3.3"
+    "typescript": "^5.3.3",
+    "vitest": "^4.0.18"
   },
   "type": "module"
 }

package/src/index.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 /**
  * ShieldAPI MCP Server
- *
+ *
  * Exposes ShieldAPI security intelligence as native MCP tools.
  * Handles x402 USDC micropayments automatically, with demo fallback.
  */
@@ -13,18 +13,65 @@ import { z } from 'zod';
 const {
   SHIELDAPI_URL = 'https://shield.vainplex.dev',
   SHIELDAPI_WALLET_PRIVATE_KEY,
-  SHIELDAPI_NETWORK = 'base',
 } = process.env;
 const demoMode = !SHIELDAPI_WALLET_PRIVATE_KEY;
+// --- Tool definitions (single source of truth) ---
+interface ToolDef {
+  description: string;
+  param: string;
+  paramDesc: string;
+  endpoint: string;
+}
+const TOOLS: Record<string, ToolDef> = {
+  check_url: {
+    description: 'Check a URL for malware, phishing, and other threats. Uses URLhaus + heuristic analysis.',
+    param: 'url',
+    paramDesc: 'The URL to check (e.g. https://example.com)',
+    endpoint: 'check-url',
+  },
+  check_password: {
+    description: 'Check if a password hash (SHA-1) has been exposed in known data breaches via HIBP.',
+    param: 'hash',
+    paramDesc: 'SHA-1 hash of the password (40 hex chars)',
+    endpoint: 'check-password',
+  },
+  check_password_range: {
+    description: 'Look up a SHA-1 hash prefix in the HIBP k-Anonymity database.',
+    param: 'prefix',
+    paramDesc: 'First 5 characters of the SHA-1 password hash',
+    endpoint: 'check-password-range',
+  },
+  check_domain: {
+    description: 'Check domain reputation: DNS records, blacklists (Spamhaus, SpamCop, SORBS), SPF/DMARC, SSL.',
+    param: 'domain',
+    paramDesc: 'Domain name to check (e.g. example.com)',
+    endpoint: 'check-domain',
+  },
+  check_ip: {
+    description: 'Check IP reputation: blacklists, Tor exit node detection, reverse DNS.',
+    param: 'ip',
+    paramDesc: 'IPv4 address to check (e.g. 8.8.8.8)',
+    endpoint: 'check-ip',
+  },
+  check_email: {
+    description: 'Check if an email address has been exposed in known data breaches via HIBP.',
+    param: 'email',
+    paramDesc: 'Email address to check',
+    endpoint: 'check-email',
+  },
+};
 // --- x402 payment setup (lazy, only if wallet configured) ---
 let paymentFetch: typeof fetch = fetch;
 async function initPaymentFetch(): Promise<void> {
   if (demoMode) return;
   const { wrapFetchWithPayment, x402Client } = await import('@x402/fetch');
   const { ExactEvmScheme, toClientEvmSigner } = await import('@x402/evm');
   const { createWalletClient, http, publicActions } = await import('viem');
@@ -63,11 +110,18 @@ async function callShieldApi(endpoint: string, params: Record<string, string>):
   const response = await paymentFetch(url.toString());
   if (!response.ok) {
     const body = await response.text();
-    throw new Error(`ShieldAPI ${endpoint} failed (${response.status}): ${body}`);
+    throw new Error(`ShieldAPI ${endpoint} failed (${response.status}): ${body.substring(0, 200)}`);
   }
   return response.json();
 }
+function detectTargetType(target: string): Record<string, string> {
+  if (target.includes('@')) return { email: target };
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(target)) return { ip: target };
+  if (target.startsWith('http://') || target.startsWith('https://')) return { url: target };
+  return { domain: target };
+}
 function formatResult(data: unknown): { content: Array<{ type: 'text'; text: string }> } {
   return {
     content: [{ type: 'text' as const, text: JSON.stringify(data, null, 2) }],
@@ -78,58 +132,25 @@ function formatResult(data: unknown): { content: Array<{ type: 'text'; text: str
 const server = new McpServer({
   name: 'ShieldAPI',
-  version: '1.0.0',
+  version: '1.0.2',
 });
-// Tools
-server.tool(
-  'check_url',
-  'Check a URL for malware, phishing, and other threats. Uses URLhaus + heuristic analysis.',
-  { url: z.string().describe('The URL to check (e.g. https://example.com)') },
-  async ({ url }) => formatResult(await callShieldApi('check-url', { url }))
-);
-server.tool(
-  'check_password',
-  'Check if a password hash (SHA-1) has been exposed in known data breaches via HIBP.',
-  { hash: z.string().describe('SHA-1 hash of the password (40 hex chars)') },
-  async ({ hash }) => formatResult(await callShieldApi('check-password', { hash }))
-);
-server.tool(
-  'check_password_range',
-  'Look up a SHA-1 hash prefix in the HIBP k-Anonymity database.',
-  { prefix: z.string().describe('First 5 characters of the SHA-1 password hash') },
-  async ({ prefix }) => formatResult(await callShieldApi('check-password-range', { prefix }))
-);
-server.tool(
-  'check_domain',
-  'Check domain reputation: DNS records, blacklists (Spamhaus, SpamCop, SORBS), SPF/DMARC, SSL.',
-  { domain: z.string().describe('Domain name to check (e.g. example.com)') },
-  async ({ domain }) => formatResult(await callShieldApi('check-domain', { domain }))
-);
-server.tool(
-  'check_ip',
-  'Check IP reputation: blacklists, Tor exit node detection, reverse DNS.',
-  { ip: z.string().describe('IPv4 address to check (e.g. 8.8.8.8)') },
-  async ({ ip }) => formatResult(await callShieldApi('check-ip', { ip }))
-);
-server.tool(
-  'check_email',
-  'Check if an email address has been exposed in known data breaches via HIBP.',
-  { email: z.string().describe('Email address to check') },
-  async ({ email }) => formatResult(await callShieldApi('check-email', { email }))
-);
+// Register standard tools from config
+for (const [name, def] of Object.entries(TOOLS)) {
+  server.tool(
+    name,
+    def.description,
+    { [def.param]: z.string().describe(def.paramDesc) },
+    async (params) => formatResult(await callShieldApi(def.endpoint, params as Record<string, string>))
+  );
+}
+// full_scan is special — single 'target' param mapped to the correct server param
 server.tool(
   'full_scan',
   'Run all security checks on a target (URL, domain, IP, or email). Most comprehensive scan.',
   { target: z.string().describe('Target to scan — URL, domain, IP address, or email') },
-  async ({ target }) => formatResult(await callShieldApi('full-scan', { target }))
+  async ({ target }) => formatResult(await callShieldApi('full-scan', detectTargetType(target)))
 );
 // --- Start ---

package/test/index.test.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { describe, it, expect } from 'vitest';
+// Import the helpers we need to test by re-implementing them here
+// (since they're not exported — we test the logic, not the module wiring)
+function detectTargetType(target: string): Record<string, string> {
+  if (target.includes('@')) return { email: target };
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(target)) return { ip: target };
+  if (target.startsWith('http://') || target.startsWith('https://')) return { url: target };
+  return { domain: target };
+}
+function formatResult(data: unknown): { content: Array<{ type: 'text'; text: string }> } {
+  return {
+    content: [{ type: 'text' as const, text: JSON.stringify(data, null, 2) }],
+  };
+}
+function buildUrl(base: string, endpoint: string, params: Record<string, string>, demo: boolean): string {
+  const url = new URL(`${base}/api/${endpoint}`);
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  if (demo) {
+    url.searchParams.set('demo', 'true');
+  }
+  return url.toString();
+}
+describe('detectTargetType', () => {
+  it('detects email addresses', () => {
+    expect(detectTargetType('user@example.com')).toEqual({ email: 'user@example.com' });
+  });
+  it('detects IPv4 addresses', () => {
+    expect(detectTargetType('8.8.8.8')).toEqual({ ip: '8.8.8.8' });
+    expect(detectTargetType('192.168.1.1')).toEqual({ ip: '192.168.1.1' });
+  });
+  it('detects HTTP URLs', () => {
+    expect(detectTargetType('https://example.com/path')).toEqual({ url: 'https://example.com/path' });
+    expect(detectTargetType('http://malware.site')).toEqual({ url: 'http://malware.site' });
+  });
+  it('falls back to domain for everything else', () => {
+    expect(detectTargetType('example.com')).toEqual({ domain: 'example.com' });
+    expect(detectTargetType('sub.domain.org')).toEqual({ domain: 'sub.domain.org' });
+  });
+  it('does not match partial IPs as IP', () => {
+    expect(detectTargetType('8.8.8')).toEqual({ domain: '8.8.8' });
+    expect(detectTargetType('999.999.999.999')).toEqual({ ip: '999.999.999.999' }); // regex matches format, validation is server-side
+  });
+});
+describe('formatResult', () => {
+  it('wraps data as MCP text content', () => {
+    const result = formatResult({ risk_score: 42 });
+    expect(result.content).toHaveLength(1);
+    expect(result.content[0].type).toBe('text');
+    expect(JSON.parse(result.content[0].text)).toEqual({ risk_score: 42 });
+  });
+  it('handles arrays', () => {
+    const result = formatResult([1, 2, 3]);
+    expect(JSON.parse(result.content[0].text)).toEqual([1, 2, 3]);
+  });
+  it('handles null', () => {
+    const result = formatResult(null);
+    expect(result.content[0].text).toBe('null');
+  });
+});
+describe('buildUrl', () => {
+  const base = 'https://shield.vainplex.dev';
+  it('constructs correct URL with params', () => {
+    const url = buildUrl(base, 'check-url', { url: 'https://evil.com' }, false);
+    expect(url).toBe('https://shield.vainplex.dev/api/check-url?url=https%3A%2F%2Fevil.com');
+  });
+  it('adds demo flag', () => {
+    const url = buildUrl(base, 'check-domain', { domain: 'example.com' }, true);
+    expect(url).toContain('domain=example.com');
+    expect(url).toContain('demo=true');
+  });
+  it('handles multiple params for full-scan', () => {
+    const url = buildUrl(base, 'full-scan', { email: 'a@b.com', domain: 'b.com' }, false);
+    expect(url).toContain('email=a%40b.com');
+    expect(url).toContain('domain=b.com');
+  });
+  it('encodes special characters', () => {
+    const url = buildUrl(base, 'check-password', { hash: 'AABBCC' }, false);
+    expect(url).toBe('https://shield.vainplex.dev/api/check-password?hash=AABBCC');
+  });
+});