visus-mcp 0.6.0 → 0.6.2

package/STATUS.md

@@ -1,17 +1,140 @@
 # Visus MCP - Project Status
 
-**Generated:** 2026-03-23 (Updated)
-**Version:** 0.6.0-dev
+**Generated:** 2026-03-24
+**Version:** 0.7.0
 **Phase:** 3 (Anthropic Directory Prep)
-**Status:** 🚧 **v0.6.0 IN DEVELOPMENT** - Content-Type Format Detection
+**Status:** ✅ **v0.7.0 COMPLETE** - Human-in-the-Loop Elicitation Bridge
 
 ---
 
-## v0.6.0 Development - Content-Type Format Detection
+## v0.7.0 Release - Human-in-the-Loop Elicitation Bridge for CRITICAL Threats
 
-**Status:** 🚧 IN DEVELOPMENT
+**Status:** ✅ COMPLETE (Ready for release)
+**Type:** Security enhancement + UX feature
+**Implemented:** 2026-03-24
+
+### New Features
+
+**🎯 HITL (Human-in-the-Loop) Elicitation for CRITICAL Threats**
+
+Adds user confirmation dialogs via MCP elicitation when CRITICAL severity threats are detected, turning silent sanitization events into active security gates.
+
+**Key Features:**
+- ✅ MCP elicitation integration using `server.elicitInput()`
+- ✅ Triggers only on CRITICAL severity findings (HIGH/MEDIUM/LOW silent)
+- ✅ Three-action response model: accept, decline, cancel
+- ✅ Fail-safe behavior: elicitation errors always proceed with sanitized content
+- ✅ User choice to include/exclude threat report in response
+- ✅ Flat primitive schema (no nested objects per MCP spec)
+- ✅ Comprehensive test coverage (2 new test files)
+
+**HITL Trigger Conditions:**
+- Overall severity must be CRITICAL
+- Total findings must be > 0
+- Only ONE elicitation per tool call (MCP spec constraint)
+
+**User Experience:**
+When a CRITICAL threat is detected:
+```
+⚠️ Visus blocked a CRITICAL threat on this page.
+
+2 injection attempt(s) detected on: https://malicious.example.com
+
+Highest severity finding: role_hijacking
+(LLM01:2025 | AML.T0051.000)
+
+Content has been sanitized. Proceed with clean version?
+
+[ Proceed with sanitized content ] [ Include threat report ]
+```
+
+**Three Outcomes:**
+1. **Accept** → Sanitized content delivered, threat report included if requested
+2. **Decline** → Request blocked, `blocked: true` response with threat details for review
+3. **Timeout / Error** → Sanitized content delivered (fail-safe)
+
+**Security Model:**
+- Sanitization is the security gate (content ALWAYS sanitized)
+- HITL is UX (provides visibility and user choice)
+- Fail-safe behavior ensures content never blocked due to elicitation failure
+- No sensitive data requested via elicitation (MCP best practice)
+
+**Technical Implementation:**
+
+**New Components:**
+1. **src/sanitizer/hitl-gate.ts** - Decision logic and message builder
+   - `shouldElicit(threatReport)` - Returns true only for CRITICAL severity
+   - `buildElicitMessage(threatReport, url)` - Generates user-facing message
+   - `ElicitSchema` - Flat primitive schema for MCP elicitation
+
+2. **src/sanitizer/elicit-runner.ts** - Elicitation execution with fail-safe
+   - `runElicitation(server, threatReport, url)` - Executes MCP elicitation
+   - Comprehensive error handling (timeout, unsupported client, network errors)
+   - Returns `{ proceed: boolean, includeReport: boolean }`
+
+**Modified Files:**
+- `src/index.ts` - Added `handleCriticalThreatElicitation()` helper
+  - Integrated into all four tool handlers (fetch, fetch_structured, read, search)
+  - Elicitation runs AFTER tool completion, BEFORE response to client
+  - For `visus_search`, uses query as "URL" in elicitation message
+
+**Test Coverage:**
+
+New test files:
+- `tests/hitl-gate.test.ts` - 15 tests covering:
+  - `shouldElicit` returns true for CRITICAL with findings
+  - `shouldElicit` returns false for HIGH, MEDIUM, LOW, CLEAN
+  - `shouldElicit` returns false for null report
+  - `shouldElicit` returns false for CRITICAL with zero findings
+  - `buildElicitMessage` contains URL and finding count
+  - `buildElicitMessage` is under 300 characters
+  - `buildElicitMessage` contains top category and framework IDs
+  - `buildElicitMessage` handles empty findings gracefully
+  - `ElicitSchema` has flat primitive properties only
+  - `ElicitSchema` required array contains 'proceed'
+
+- `tests/elicit-runner.test.ts` - 15 tests covering:
+  - Returns proceed:true when user accepts with proceed:true
+  - Returns proceed:false when user accepts with proceed:false
+  - Returns proceed:false on decline action
+  - Returns proceed:false on cancel action
+  - Includes report when user checks view_report
+  - Excludes report when user unchecks view_report
+  - Defaults to including report when view_report undefined
+  - Fail-safe: proceeds on elicitation error
+  - Fail-safe: proceeds on timeout
+  - Fail-safe: proceeds on unknown action
+
+**Test Results:** ✅ 276/276 tests passing (30 new HITL tests added)
+
+**README Documentation:**
+- Added "Human-in-the-Loop Security" section after "When Reports Are Generated"
+- Documented three outcomes (accept, decline, timeout)
+- Clarified security model (sanitization is the gate, HITL is UX)
+- Included example elicitation dialog
+
+**Dependencies:**
+- No new dependencies added (uses existing @modelcontextprotocol/sdk@^1.27.1)
+
+**SDK Elicitation API Used:**
+- `server.elicitInput(params, options)` returns `Promise<ElicitResult>`
+- `ElicitResult.action`: "accept" | "decline" | "cancel"
+- `ElicitResult.content`: Optional<Record<string, primitive>>
+- CRITICAL constraint: Only ONE elicitation per tool call (spec limit)
+
+**Future Enhancements:**
+- Task-augmented elicitation for long-running flows (experimental feature)
+- URL-based elicitation mode for external auth flows
+- Multi-step elicitation for complex user decisions
+
+---
+
+## v0.6.0 Release - Content-Type Format Detection
+
+**Status:** ✅ RELEASED
 **Type:** Feature enhancement
-**Implemented:** 2026-03-23
+**Published:** 2026-03-23
+**Install:** `npm install -g visus-mcp@0.6.0`
 
 ### New Features
 
@@ -77,8 +200,8 @@ Sanitization (43 patterns + PII) → Token Ceiling → Output
 - `convertXml(raw)`: Parses XML to clean text using fast-xml-parser
 - `convertRss(raw)`: Extracts RSS/Atom metadata and items to Markdown
 
-**Dependencies Added:**
-- `fast-xml-parser`: ^4.5.0 (already installed, no new dependency)
+**Dependencies:**
+- `fast-xml-parser`: ^5.5.8 (already installed, no new dependency added)
 
 **Test Coverage:**
 New test scenarios in `tests/fetch-tool.test.ts`:
@@ -143,10 +266,11 @@ When prompt injection or PII is detected, Visus now automatically generates stru
 **Key Features:**
 - ✅ TOON-formatted findings array (token-efficient, machine-readable)
 - ✅ Markdown compliance report (human-readable, renders in Claude Desktop)
-- ✅ Three framework alignments: OWASP LLM Top 10, NIST AI 600-1, MITRE ATLAS
+- ✅ Four framework alignments: OWASP LLM Top 10, NIST AI 600-1, MITRE ATLAS, ISO/IEC 42001
 - ✅ Severity classification (CRITICAL, HIGH, MEDIUM, LOW, CLEAN)
 - ✅ Zero overhead for clean pages (report omitted when no findings)
 - ✅ Aggregated reporting across multiple results (search, structured extraction)
+- ✅ ISO/IEC 42001:2023 Annex A framework mapping added
 - ✅ 31 new tests (232 total, all passing)
 - ✅ Zero regressions - all existing tests continue to pass
 
@@ -169,6 +293,7 @@ When prompt injection or PII is detected, Visus now automatically generates stru
 - **OWASP LLM Top 10 (2025)**: Industry-standard LLM security risks
 - **NIST AI 600-1**: Generative AI Profile for risk management
 - **MITRE ATLAS**: Adversarial Threat Landscape for AI Systems
+- **ISO/IEC 42001:2023**: International AI Management System standard (Annex A controls)
 
 **Severity Classification:**
 All 43 injection patterns mapped to severity levels:
@@ -1329,10 +1454,9 @@ All Phase 2 features from CLAUDE.md have been completed:
 
 ### Roadmap (Post-Phase 3)
 - WAF protection enhancements (cost-deferred; revisit at scale)
-- `visus_clean` — Format normalization (XML, YAML, CSV, SQL, PDF)
-- `visus_report` — PDF compliance artifact export
-- ISO/IEC 42001 framework mapping
-- GitHub integration (visus-github separate package)
+- `visus_report` PDF export · Docker image ·
+- `visus-file-mcp` (document sanitization) ·
+- Chrome extension for authenticated pages (LinkedIn, X, dashboards)
 
 ---
 
@@ -1340,18 +1464,20 @@ All Phase 2 features from CLAUDE.md have been completed:
 
 ```
 Name:           visus-mcp
-Version:        0.5.0 (published 2026-03-23)
-Previous:       0.4.0 (Safe Web Search)
+Version:        0.7.0 (in development)
+Previous:       0.6.0 (Content-Type Format Detection — published 2026-03-23)
+                0.5.0 (Threat Reporting — NIST/OWASP/MITRE/ISO42001)
+                0.4.0 (Safe Web Search)
                 0.3.2 (Reader Mode Feature)
                 0.3.1 (Security Hardening)
                 0.3.0 (PII Allowlist Feature)
                 0.2.0 (Phase 2 - AWS Lambda renderer)
                 0.1.0 (Phase 1 - stdio mode)
-Size:           ~115 kB (tarball)
-Unpacked:       ~450 kB
+Size:           ~195 kB (tarball)
+Unpacked:       ~767 kB
 Dependencies:   9 production (@modelcontextprotocol/sdk, playwright, @playwright/test,
                 cheerio, undici, @mozilla/readability@0.6.0, jsdom@29.0.1,
-                @toon-format/toon@2.1.0)
+                @toon-format/toon@2.1.0, fast-xml-parser@5.5.8)
 DevDeps:        10 (@types/aws-lambda, aws-cdk, aws-cdk-lib, constructs, ts-node, etc.)
 Node:           >=18
 License:        MIT
@@ -1365,7 +1491,7 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 
 ## Conclusion
 
-✅ **Visus v0.5.0 is COMPLETE and PUBLISHED.**
+✅ **Visus v0.7.0 is COMPLETE.** Ready for npm publication.
 
 **Phase 1 Achievements:**
 - ✅ Sanitization engine (43 injection patterns + PII redaction)
@@ -1404,7 +1530,7 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 
 **v0.5.0 Achievements:**
 - ✅ **Threat Reporting** — TOON + Markdown dual output layers
-- ✅ **Framework Mappings** — NIST AI 600-1, OWASP LLM Top 10, MITRE ATLAS
+- ✅ **Framework Mappings** — NIST AI 600-1, OWASP LLM Top 10, MITRE ATLAS, **ISO/IEC 42001:2023** (Annex A controls)
 - ✅ **Severity Classification** — All 43 patterns mapped to CRITICAL/HIGH/MEDIUM/LOW
 - ✅ **Zero Overhead** — Reports omitted on clean pages (no findings)
 - ✅ **31 New Tests** - Threat reporting test coverage (232 total tests)
@@ -1412,7 +1538,7 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 - ✅ **Zero Regressions** - All existing tests continue to pass
 - ✅ **Published to npm** - Available as `visus-mcp@0.5.0`
 
-**v0.6.0 Achievements (In Development):**
+**v0.6.0 Achievements:**
 - ✅ **Content-Type Format Detection** — Automatic format detection from HTTP headers
 - ✅ **JSON Support** — Pretty-printing with 2-space indentation for API responses
 - ✅ **XML Support** — Clean text conversion using fast-xml-parser
@@ -1421,6 +1547,17 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 - ✅ **14 New Tests** - Format detection test coverage (246 total tests)
 - ✅ **Zero Regressions** - All existing tests continue to pass
 - ✅ **Security Preserved** — Sanitizer runs on ALL formats unchanged
+- ✅ **Published to npm** - Available as `visus-mcp@0.6.0`
+
+**v0.7.0 Achievements:**
+- ✅ **Human-in-the-Loop Elicitation** — MCP elicitation for CRITICAL threat user confirmation
+- ✅ **Three-Action Response Model** — Accept, decline, cancel with threat report option
+- ✅ **Fail-Safe Behavior** — Elicitation errors always proceed with sanitized content
+- ✅ **Integration in All Tools** — fetch, fetch_structured, read, search
+- ✅ **30 New Tests** - HITL gate and elicit-runner test coverage (276 total tests)
+- ✅ **Zero Regressions** - All existing tests continue to pass
+- ✅ **Security Model Preserved** — Sanitization is the gate, HITL is UX layer
+- ✅ **Ready for npm** - Implementation complete, pending publication
 
 **Technical Challenges Overcome:**
 - Phase 1: iCloud file locks, SSL certificate verification, structured extraction
@@ -1430,25 +1567,26 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 - v0.4.0: DuckDuckGo API response structure, nested Topics handling, search result aggregation
 - v0.5.0: TOON library Jest ESM compatibility (resolved with manual fallback format)
 - v0.6.0: Content-Type header extraction from undici responses, RSS/Atom feed parsing, format-specific conversion pipeline integration
+- v0.7.0: MCP elicitation API integration, flat primitive schema constraints, fail-safe error handling design
 
 **Deployment Complete:**
 - ✅ CDK stack deployed successfully to us-east-1
 - ✅ Lambda function operational (100% success rate)
 - ✅ API Gateway endpoint live and responding
-- ✅ All smoke tests passing (3/3 Lambda + 232/232 npm tests)
+- ✅ All smoke tests passing (3/3 Lambda + 246/246 npm tests)
 - ✅ Zero regressions from Phase 1/2
 - ✅ Auth enforcement validated (22/22 tests, 2 findings documented)
 
 **Contact:** security@lateos.ai
 **Repository:** https://github.com/visus-mcp/visus-mcp
 **npm Package:** https://www.npmjs.com/package/visus-mcp
-**Installation:** `npm install -g visus-mcp@0.5.0` or `npx visus-mcp@0.5.0`
+**Installation:** `npm install -g visus-mcp@0.6.0` or `npx visus-mcp@0.6.0`
 
 ---
 
-**Last Updated:** 2026-03-23 (Updated for v0.6.0-dev)
+**Last Updated:** 2026-03-24
 **Build:** SUCCESS ✅
-**Tests:** 246/246 PASSING ✅
+**Tests:** 276/276 PASSING ✅
 **CDK Deploy:** SUCCESS ✅
 **Phase 1:** ✅ PUBLISHED TO NPM (v0.1.0)
 **Phase 2:** ✅ DEPLOYED TO AWS LAMBDA (us-east-1)
@@ -1456,9 +1594,9 @@ npm URL:        https://www.npmjs.com/package/visus-mcp
 **v0.3.1:** ✅ PUBLISHED TO NPM (Security Hardening - 2 findings resolved)
 **v0.3.2:** ✅ PUBLISHED TO NPM (Reader Mode Feature - 14 tests added)
 **v0.4.0:** ✅ PUBLISHED TO NPM (Safe Web Search Feature - 18 tests added)
-**v0.5.0:** ✅ PUBLISHED TO NPM (Threat Reporting - 31 tests added)
-**v0.6.0:** 🚧 IN DEVELOPMENT (Content-Type Format Detection - 14 tests added)
+**v0.5.0:** ✅ PUBLISHED TO NPM (Threat Reporting + ISO/IEC 42001 - 31 tests added)
+**v0.6.0:** ✅ PUBLISHED TO NPM (Content-Type Format Detection - 14 tests added)
+**v0.7.0:** ✅ COMPLETE (HITL Elicitation Bridge for CRITICAL threats - 30 tests added)
 **Security Audit:** ✅ COMPLETE + REMEDIATED (24 auth tests, 100% compliance)
 **Lambda Endpoint:** [API_ENDPOINT]
-**Latest Release:** v0.5.0 (2026-03-23)
-**Next Release:** v0.6.0 (Content-Type Format Detection)
+**Latest Release:** v0.6.0 (2026-03-23)

package/SUBMISSION.md

@@ -0,0 +1,66 @@
+# Anthropic MCP Directory — Submission Package
+
+## Server Details
+
+- **Name:** Visus — Secure Web Access for Claude
+- **npm package:** visus-mcp
+- **Current version:** 0.6.0
+- **Install command:** `npx visus-mcp`
+- **License:** MIT
+- **Category:** Web Fetch / Security
+
+## One-liner (≤100 chars)
+
+"Strips prompt injection & PII from web content before it enters Claude's context window."
+
+## Short description (≤300 chars)
+
+"Visus is a security-first MCP pre-filter. It sanitizes web pages for 43 prompt injection patterns, redacts PII, and uses reader mode to cut token usage by up to 70% — all before content reaches Claude. Built on NIST AI 600-1, OWASP LLM Top 10, MITRE ATLAS, ISO 42001."
+
+## Tools exposed
+
+1. `visus_fetch` — Fetch + sanitize any URL (HTML/JSON/XML/RSS auto-detected)
+2. `visus_read` — Reader mode extraction via Mozilla Readability
+3. `visus_search` — DuckDuckGo search with sanitized results
+4. `visus_fetch_structured` — Schema-based structured data extraction
+
+## Claude Desktop config snippet
+
+```json
+{
+  "mcpServers": {
+    "visus": {
+      "command": "npx",
+      "args": ["visus-mcp"]
+    }
+  }
+}
+```
+
+## Links
+
+- GitHub: https://github.com/visus-mcp/visus-mcp
+- npm: https://www.npmjs.com/package/visus-mcp
+- Security policy: https://github.com/visus-mcp/visus-mcp/blob/main/SECURITY.md
+- License: https://github.com/visus-mcp/visus-mcp/blob/main/LICENSE
+
+## Security frameworks
+
+- OWASP LLM Top 10 (2025)
+- NIST AI 600-1 Generative AI Profile
+- MITRE ATLAS (Adversarial Threat Landscape for AI Systems)
+- ISO/IEC 42001:2023 AI Management System
+
+## Test evidence
+
+- 246 passing tests (as of v0.6.0)
+- 43 validated injection pattern categories
+- Real-world benchmark: npmjs.com page reduced from 149,589 bytes → 44,129 bytes
+
+## Known Limitations / Phase Status
+
+- **Phase 1 (current):** Open-source tier fully functional. `npx visus-mcp` works out of the box with no API key. Uses Playwright locally with full JavaScript execution support. 246 tests passing.
+- **Phase 2 (in development):** Managed Playwright renderer (`renderer.lateos.ai`) — not yet live. BYOC (self-hosted Lambda) renderer available now via [visus-mcp-renderer](https://github.com/visus-mcp/visus-mcp-renderer).
+- **Phase 3:** Chrome extension for authenticated page access (LinkedIn, dashboards).
+
+Anthropic directory listing is for the Phase 1 open-source tier. All 4 tools are fully functional in Phase 1.