buzzberg-mcp 0.1.0b1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. buzzberg_mcp-0.1.0b1/.github/ISSUE_TEMPLATE/bug_report.md +20 -0
  2. buzzberg_mcp-0.1.0b1/.github/ISSUE_TEMPLATE/feature_request.md +10 -0
  3. buzzberg_mcp-0.1.0b1/.github/ISSUE_TEMPLATE/security.md +11 -0
  4. buzzberg_mcp-0.1.0b1/.github/workflows/ci.yml +55 -0
  5. buzzberg_mcp-0.1.0b1/.github/workflows/release.yml +34 -0
  6. buzzberg_mcp-0.1.0b1/.gitignore +11 -0
  7. buzzberg_mcp-0.1.0b1/CHANGELOG.md +13 -0
  8. buzzberg_mcp-0.1.0b1/INSTALL.md +164 -0
  9. buzzberg_mcp-0.1.0b1/LICENSE +21 -0
  10. buzzberg_mcp-0.1.0b1/PKG-INFO +105 -0
  11. buzzberg_mcp-0.1.0b1/README.md +80 -0
  12. buzzberg_mcp-0.1.0b1/SECURITY.md +75 -0
  13. buzzberg_mcp-0.1.0b1/TOOLS.md +302 -0
  14. buzzberg_mcp-0.1.0b1/buzzberg_mcp/__init__.py +5 -0
  15. buzzberg_mcp-0.1.0b1/buzzberg_mcp/__main__.py +4 -0
  16. buzzberg_mcp-0.1.0b1/buzzberg_mcp/cli.py +166 -0
  17. buzzberg_mcp-0.1.0b1/buzzberg_mcp/constants.py +19 -0
  18. buzzberg_mcp-0.1.0b1/buzzberg_mcp/installers.py +328 -0
  19. buzzberg_mcp-0.1.0b1/examples/add_to_watchlist.md +5 -0
  20. buzzberg_mcp-0.1.0b1/examples/compare_speakers.md +6 -0
  21. buzzberg_mcp-0.1.0b1/examples/get_portfolio.md +5 -0
  22. buzzberg_mcp-0.1.0b1/examples/get_price.md +5 -0
  23. buzzberg_mcp-0.1.0b1/examples/get_recent_content.md +5 -0
  24. buzzberg_mcp-0.1.0b1/examples/get_sentiment.md +5 -0
  25. buzzberg_mcp-0.1.0b1/examples/get_sentiment_divergence.md +5 -0
  26. buzzberg_mcp-0.1.0b1/examples/get_speaker_profile.md +5 -0
  27. buzzberg_mcp-0.1.0b1/examples/get_ticker_info.md +6 -0
  28. buzzberg_mcp-0.1.0b1/examples/get_ticker_mentions.md +5 -0
  29. buzzberg_mcp-0.1.0b1/examples/get_top_speaker_signals.md +6 -0
  30. buzzberg_mcp-0.1.0b1/examples/get_top_speakers.md +5 -0
  31. buzzberg_mcp-0.1.0b1/examples/read_ticker_content.md +5 -0
  32. buzzberg_mcp-0.1.0b1/examples/remove_from_watchlist.md +5 -0
  33. buzzberg_mcp-0.1.0b1/examples/save_trade_idea.md +5 -0
  34. buzzberg_mcp-0.1.0b1/examples/search_content.md +6 -0
  35. buzzberg_mcp-0.1.0b1/examples/search_trade_ideas.md +6 -0
  36. buzzberg_mcp-0.1.0b1/pyproject.toml +53 -0
  37. buzzberg_mcp-0.1.0b1/security-controls.json +21 -0
  38. buzzberg_mcp-0.1.0b1/sessions/contrarian-scan.md +6 -0
  39. buzzberg_mcp-0.1.0b1/sessions/crypto-vs-stocks-sentiment.md +5 -0
  40. buzzberg_mcp-0.1.0b1/sessions/morning-briefing.md +6 -0
  41. buzzberg_mcp-0.1.0b1/sessions/new-watchlist-from-signals.md +6 -0
  42. buzzberg_mcp-0.1.0b1/sessions/ticker-deep-dive.md +6 -0
  43. buzzberg_mcp-0.1.0b1/tests/test_atomic_write.py +19 -0
  44. buzzberg_mcp-0.1.0b1/tests/test_cli.py +60 -0
  45. buzzberg_mcp-0.1.0b1/tests/test_docs.py +32 -0
  46. buzzberg_mcp-0.1.0b1/tests/test_installers.py +99 -0
  47. buzzberg_mcp-0.1.0b1/tests/test_key_handling.py +54 -0
  48. buzzberg_mcp-0.1.0b1/tools_manifest.json +405 -0
@@ -0,0 +1,20 @@
1
+ ---
2
+ name: Bug report
3
+ about: Report an installer or documentation bug
4
+ title: "[bug] "
5
+ labels: bug
6
+ ---
7
+
8
+ ## What happened?
9
+
10
+ ## Client
11
+
12
+ Claude Desktop / Claude Code / Cursor / Cline / Continue.dev / other:
13
+
14
+ ## Installer version
15
+
16
+ `buzzberg-mcp version`:
17
+
18
+ ## Notes
19
+
20
+ Do not paste API keys or client config files containing Bearer tokens.
@@ -0,0 +1,10 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an installer or documentation improvement
4
+ title: "[feature] "
5
+ labels: enhancement
6
+ ---
7
+
8
+ ## What should change?
9
+
10
+ ## Why does it matter?
@@ -0,0 +1,11 @@
1
+ ---
2
+ name: Security report
3
+ about: Do not file public vulnerability reports
4
+ title: "[security] do not use public issues"
5
+ labels: security
6
+ ---
7
+
8
+ Please email security reports to security@buzzberg.ai.
9
+
10
+ Do not include secrets, API keys, exploit details, or vulnerability reports in a
11
+ public GitHub issue.
@@ -0,0 +1,55 @@
1
+ name: CI
2
+
3
+ on:
4
+ pull_request:
5
+ push:
6
+ branches: [main]
7
+
8
+ permissions:
9
+ contents: read
10
+
11
+ jobs:
12
+ test:
13
+ runs-on: ubuntu-latest
14
+ steps:
15
+ - name: Checkout
16
+ # actions/checkout v4.2.2
17
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
18
+ - name: Set up Python
19
+ # actions/setup-python v5.6.0
20
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
21
+ with:
22
+ python-version: "3.12"
23
+ - name: Install dev dependencies
24
+ run: python -m pip install --upgrade pip && python -m pip install -e ".[dev]"
25
+ - name: Ruff
26
+ run: ruff check .
27
+ - name: Mypy
28
+ run: mypy buzzberg_mcp
29
+ - name: Pytest
30
+ run: pytest
31
+ - name: Validate public docs
32
+ run: |
33
+ python - <<'PY'
34
+ import json, pathlib, re, sys
35
+ root = pathlib.Path(".")
36
+ manifest = json.loads((root / "tools_manifest.json").read_text())
37
+ expected = {tool["name"] for tool in manifest["tools"]}
38
+ headings = set(re.findall(r"^## ([a-z_]+)$", (root / "TOOLS.md").read_text(), re.M))
39
+ if headings != expected:
40
+ print("TOOLS.md mismatch")
41
+ print("missing:", sorted(expected - headings))
42
+ print("extra:", sorted(headings - expected))
43
+ sys.exit(1)
44
+ forbidden = re.compile("|".join(["n1" + "fan", r"github\.com/n1" + "fan", r"ghcr\.io/n1" + "fan"]))
45
+ bad = []
46
+ for path in root.rglob("*"):
47
+ if path.is_dir() or ".git" in path.parts or "__pycache__" in path.parts or ".pytest_cache" in path.parts:
48
+ continue
49
+ text = path.read_text(encoding="utf-8", errors="ignore")
50
+ if forbidden.search(text):
51
+ bad.append(str(path))
52
+ if bad:
53
+ print("Forbidden references:", bad)
54
+ sys.exit(1)
55
+ PY
@@ -0,0 +1,34 @@
1
+ name: Release
2
+
3
+ on:
4
+ push:
5
+ tags:
6
+ - "v*"
7
+
8
+ permissions:
9
+ contents: read
10
+ id-token: write
11
+
12
+ jobs:
13
+ publish:
14
+ runs-on: ubuntu-latest
15
+ environment:
16
+ name: pypi
17
+ steps:
18
+ - name: Checkout
19
+ # actions/checkout v4.2.2
20
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
21
+ - name: Set up Python
22
+ # actions/setup-python v5.6.0
23
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
24
+ with:
25
+ python-version: "3.12"
26
+ - name: Install build dependencies
27
+ run: python -m pip install --upgrade pip && python -m pip install build==1.2.2.post1 twine==6.1.0
28
+ - name: Build
29
+ run: python -m build
30
+ - name: Check distributions
31
+ run: python -m twine check dist/*
32
+ - name: Publish to PyPI
33
+ # pypa/gh-action-pypi-publish v1.13.0 peeled commit
34
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
@@ -0,0 +1,11 @@
1
+ .env
2
+ *.key
3
+ __pycache__/
4
+ *.py[cod]
5
+ .pytest_cache/
6
+ .mypy_cache/
7
+ .ruff_cache/
8
+ dist/
9
+ build/
10
+ *.egg-info/
11
+ *.buzzberg.bak.*
@@ -0,0 +1,13 @@
1
+ # Changelog
2
+
3
+ ## Beta Period
4
+
5
+ SemVer is not guaranteed before `1.0.0`. Breaking changes will be documented
6
+ here and announced to active beta users.
7
+
8
+ ## 0.1.0b1
9
+
10
+ - Initial private beta installer package.
11
+ - Adds stdlib-only client config writers for Claude Desktop, Claude Code,
12
+ Cursor, Cline, and Continue.dev.
13
+ - Adds public SECURITY.md, TOOLS.md, examples, and release workflow skeleton.
@@ -0,0 +1,164 @@
1
+ # Install Buzzberg MCP
2
+
3
+ ## Recommended Install
4
+
5
+ ```bash
6
+ pip install buzzberg-mcp
7
+ buzzberg-mcp setup
8
+ ```
9
+
10
+ For one client:
11
+
12
+ ```bash
13
+ buzzberg-mcp setup --client cursor
14
+ ```
15
+
16
+ For all detected clients:
17
+
18
+ ```bash
19
+ buzzberg-mcp setup --all
20
+ ```
21
+
22
+ The installer reads your key through a hidden prompt by default. For password
23
+ managers, use stdin:
24
+
25
+ ```bash
26
+ pass show buzzberg/mcp | buzzberg-mcp setup --key-stdin --client claude-desktop
27
+ ```
28
+
29
+ Dry-runs do not need a real key and never print a plaintext key:
30
+
31
+ ```bash
32
+ buzzberg-mcp setup --dry-run --client claude-desktop
33
+ ```
34
+
35
+ ## Paranoid Path
36
+
37
+ This path lets you inspect the wheel before installing it. It is the path for
38
+ "read before running"; a normal `pip install` may run package build/install code
39
+ by design.
40
+
41
+ ```bash
42
+ pip download --only-binary :all: --no-deps buzzberg-mcp -d /tmp/bz
43
+ python -m zipfile -l /tmp/bz/buzzberg_mcp-*.whl
44
+ python -m pip install /tmp/bz/buzzberg_mcp-*.whl
45
+ ```
46
+
47
+ Attestation verification is optional. The exact `pypi-attestations verify`
48
+ command will be copied here after it passes the Test PyPI smoke test.
49
+
50
+ ## Manual Install
51
+
52
+ Use this path if your security policy forbids installing packages. Add the
53
+ Buzzberg server to your client config manually.
54
+
55
+ Transport: `sse`
56
+ URL: `https://mcp.buzzberg.ai/sse`
57
+ Header: `Authorization: Bearer <key from Profile -> MCP Access>`
58
+
59
+ ### Claude Desktop
60
+
61
+ macOS:
62
+ `~/Library/Application Support/Claude/claude_desktop_config.json`
63
+
64
+ Windows:
65
+ `%APPDATA%/Claude/claude_desktop_config.json`
66
+
67
+ Linux:
68
+ `~/.config/Claude/claude_desktop_config.json`
69
+
70
+ ```json
71
+ {
72
+ "mcpServers": {
73
+ "buzzberg": {
74
+ "url": "https://mcp.buzzberg.ai/sse",
75
+ "headers": {
76
+ "Authorization": "Bearer <BUZZBERG_MCP_API_KEY>"
77
+ }
78
+ }
79
+ }
80
+ }
81
+ ```
82
+
83
+ ### Claude Code
84
+
85
+ ```bash
86
+ claude mcp add --transport sse buzzberg https://mcp.buzzberg.ai/sse \
87
+ --header "Authorization: Bearer $BUZZBERG_MCP_API_KEY"
88
+ ```
89
+
90
+ ### Claude Mobile
91
+
92
+ Use URL `https://mcp.buzzberg.ai/sse` and header
93
+ `Authorization: Bearer <BUZZBERG_MCP_API_KEY>` where the mobile integration UI
94
+ supports custom headers. If headers are unavailable, use Desktop, Code, Cursor,
95
+ or Cline during private beta.
96
+
97
+ ### Cursor
98
+
99
+ Settings -> MCP Servers -> Add new:
100
+
101
+ ```json
102
+ {
103
+ "mcpServers": {
104
+ "buzzberg": {
105
+ "url": "https://mcp.buzzberg.ai/sse",
106
+ "headers": {
107
+ "Authorization": "Bearer <BUZZBERG_MCP_API_KEY>"
108
+ }
109
+ }
110
+ }
111
+ }
112
+ ```
113
+
114
+ ### Cline
115
+
116
+ VS Code -> Cline -> Settings -> Edit MCP Settings. Add the same `mcpServers`
117
+ block used for Cursor.
118
+
119
+ ### Continue.dev
120
+
121
+ Edit `~/.continue/config.json`:
122
+
123
+ ```json
124
+ {
125
+ "experimental": {
126
+ "modelContextProtocolServers": [
127
+ {
128
+ "name": "buzzberg",
129
+ "transport": {
130
+ "type": "sse",
131
+ "url": "https://mcp.buzzberg.ai/sse",
132
+ "headers": {
133
+ "Authorization": "Bearer <BUZZBERG_MCP_API_KEY>"
134
+ }
135
+ }
136
+ }
137
+ ]
138
+ }
139
+ }
140
+ ```
141
+
142
+ ### Agent SDK
143
+
144
+ ```python
145
+ from claude_agent_sdk import ClaudeAgentOptions
146
+
147
+ options = ClaudeAgentOptions(
148
+ mcp_servers={
149
+ "buzzberg": {
150
+ "type": "sse",
151
+ "url": "https://mcp.buzzberg.ai/sse",
152
+ "headers": {"Authorization": f"Bearer {KEY}"},
153
+ }
154
+ },
155
+ allowed_tools=["mcp__buzzberg__*"],
156
+ )
157
+ ```
158
+
159
+ ## Troubleshooting
160
+
161
+ - Tools do not appear: fully quit and reopen the client, then validate JSON.
162
+ - 401 Unauthorized: revoke and recreate the key in Profile -> MCP Access.
163
+ - Connection timeout: corporate networks sometimes block SSE.
164
+ - Health check: `curl https://mcp.buzzberg.ai/health` should return `{"status":"ok"}`.
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Buzzberg
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,105 @@
1
+ Metadata-Version: 2.4
2
+ Name: buzzberg-mcp
3
+ Version: 0.1.0b1
4
+ Summary: Buzzberg MCP installer for Claude / Cursor / Cline / Continue.dev
5
+ Project-URL: Homepage, https://buzzberg.ai
6
+ Project-URL: Repository, https://github.com/buzzberg-ai/buzzberg-mcp
7
+ Project-URL: Issues, https://github.com/buzzberg-ai/buzzberg-mcp/issues
8
+ Author: Buzzberg
9
+ License-Expression: MIT
10
+ License-File: LICENSE
11
+ Classifier: Development Status :: 4 - Beta
12
+ Classifier: Environment :: Console
13
+ Classifier: Intended Audience :: Financial and Insurance Industry
14
+ Classifier: Programming Language :: Python :: 3
15
+ Classifier: Programming Language :: Python :: 3 :: Only
16
+ Classifier: Topic :: Utilities
17
+ Requires-Python: >=3.10
18
+ Provides-Extra: dev
19
+ Requires-Dist: build==1.2.2.post1; extra == 'dev'
20
+ Requires-Dist: mypy==1.15.0; extra == 'dev'
21
+ Requires-Dist: pytest==8.3.5; extra == 'dev'
22
+ Requires-Dist: ruff==0.11.2; extra == 'dev'
23
+ Requires-Dist: twine==6.1.0; extra == 'dev'
24
+ Description-Content-Type: text/markdown
25
+
26
+ # Buzzberg MCP
27
+
28
+ ![status](https://img.shields.io/badge/status-private--beta-orange)
29
+
30
+ > Private Beta: the MCP contract can change before broader beta. See
31
+ > [CHANGELOG.md](CHANGELOG.md) for breaking changes.
32
+
33
+ Buzzberg MCP connects Claude, Cursor, Cline, Continue.dev, and other MCP clients
34
+ to Buzzberg market intelligence: trade ideas, sentiment, speakers, prices, and
35
+ watchlist actions for your own Buzzberg account.
36
+
37
+ ## Quickstart
38
+
39
+ ```bash
40
+ pip install buzzberg-mcp
41
+ buzzberg-mcp setup
42
+ ```
43
+
44
+ The setup command uses an interactive hidden prompt for your key. Get a personal
45
+ key from `https://buzzberg.ai -> Profile -> MCP Access`.
46
+
47
+ ## What Your Key Can Do
48
+
49
+ | Action | Allowed? |
50
+ |---|---|
51
+ | Read public trade ideas, sentiment, and prices | Yes |
52
+ | Add/remove tickers in your watchlist | Yes |
53
+ | Save trade ideas to your account | Yes |
54
+ | Server sees tool-call arguments Claude sends | Yes* |
55
+ | See another user's watchlist or saved ideas | No |
56
+ | Change another user's watchlist or saved ideas | No |
57
+ | Place trades on an exchange | No |
58
+ | See your full Claude conversation | No |
59
+ | Access your X, broker, or other accounts | No |
60
+ | Download files from your computer | No |
61
+
62
+ *Buzzberg receives only MCP requests and tool arguments selected by your client,
63
+ not your full Claude transcript. Avoid putting sensitive private text into tool
64
+ arguments.
65
+
66
+ ## Supported Clients
67
+
68
+ | Client | Status |
69
+ |---|---|
70
+ | Claude Desktop | Supported |
71
+ | Claude Code | Supported via SSE beta transport |
72
+ | Cursor | Supported |
73
+ | Cline | Supported |
74
+ | Continue.dev | Supported |
75
+ | Claude Mobile | Works only where custom headers are available |
76
+ | Agent SDK | Manual config supported |
77
+
78
+ Private beta currently uses SSE at `https://mcp.buzzberg.ai/sse`. Streamable
79
+ HTTP `/mcp` ships before broader beta; `/sse` will remain for legacy clients for
80
+ a migration window.
81
+
82
+ ## Tools
83
+
84
+ Buzzberg exposes 17 tools. See [TOOLS.md](TOOLS.md) for signatures and examples.
85
+
86
+ ## Trust And Verification
87
+
88
+ The normal path is `pip install buzzberg-mcp`. pip uses HTTPS and package hashes
89
+ from the index for download integrity, but pip does not automatically verify
90
+ Sigstore attestations.
91
+
92
+ Buzzberg releases use PyPI Trusted Publishing through GitHub OIDC. Attestations
93
+ are available for manual verification; the exact command will be published after
94
+ the Test PyPI smoke test confirms the working `pypi-attestations` syntax.
95
+
96
+ Read more in [SECURITY.md](SECURITY.md).
97
+
98
+ ## Links
99
+
100
+ - [INSTALL.md](INSTALL.md)
101
+ - [SECURITY.md](SECURITY.md)
102
+ - [TOOLS.md](TOOLS.md)
103
+ - [examples](examples)
104
+ - [sessions](sessions)
105
+ - [CHANGELOG.md](CHANGELOG.md)
@@ -0,0 +1,80 @@
1
+ # Buzzberg MCP
2
+
3
+ ![status](https://img.shields.io/badge/status-private--beta-orange)
4
+
5
+ > Private Beta: the MCP contract can change before broader beta. See
6
+ > [CHANGELOG.md](CHANGELOG.md) for breaking changes.
7
+
8
+ Buzzberg MCP connects Claude, Cursor, Cline, Continue.dev, and other MCP clients
9
+ to Buzzberg market intelligence: trade ideas, sentiment, speakers, prices, and
10
+ watchlist actions for your own Buzzberg account.
11
+
12
+ ## Quickstart
13
+
14
+ ```bash
15
+ pip install buzzberg-mcp
16
+ buzzberg-mcp setup
17
+ ```
18
+
19
+ The setup command uses an interactive hidden prompt for your key. Get a personal
20
+ key from `https://buzzberg.ai -> Profile -> MCP Access`.
21
+
22
+ ## What Your Key Can Do
23
+
24
+ | Action | Allowed? |
25
+ |---|---|
26
+ | Read public trade ideas, sentiment, and prices | Yes |
27
+ | Add/remove tickers in your watchlist | Yes |
28
+ | Save trade ideas to your account | Yes |
29
+ | Server sees tool-call arguments Claude sends | Yes* |
30
+ | See another user's watchlist or saved ideas | No |
31
+ | Change another user's watchlist or saved ideas | No |
32
+ | Place trades on an exchange | No |
33
+ | See your full Claude conversation | No |
34
+ | Access your X, broker, or other accounts | No |
35
+ | Download files from your computer | No |
36
+
37
+ *Buzzberg receives only MCP requests and tool arguments selected by your client,
38
+ not your full Claude transcript. Avoid putting sensitive private text into tool
39
+ arguments.
40
+
41
+ ## Supported Clients
42
+
43
+ | Client | Status |
44
+ |---|---|
45
+ | Claude Desktop | Supported |
46
+ | Claude Code | Supported via SSE beta transport |
47
+ | Cursor | Supported |
48
+ | Cline | Supported |
49
+ | Continue.dev | Supported |
50
+ | Claude Mobile | Works only where custom headers are available |
51
+ | Agent SDK | Manual config supported |
52
+
53
+ Private beta currently uses SSE at `https://mcp.buzzberg.ai/sse`. Streamable
54
+ HTTP `/mcp` ships before broader beta; `/sse` will remain for legacy clients for
55
+ a migration window.
56
+
57
+ ## Tools
58
+
59
+ Buzzberg exposes 17 tools. See [TOOLS.md](TOOLS.md) for signatures and examples.
60
+
61
+ ## Trust And Verification
62
+
63
+ The normal path is `pip install buzzberg-mcp`. pip uses HTTPS and package hashes
64
+ from the index for download integrity, but pip does not automatically verify
65
+ Sigstore attestations.
66
+
67
+ Buzzberg releases use PyPI Trusted Publishing through GitHub OIDC. Attestations
68
+ are available for manual verification; the exact command will be published after
69
+ the Test PyPI smoke test confirms the working `pypi-attestations` syntax.
70
+
71
+ Read more in [SECURITY.md](SECURITY.md).
72
+
73
+ ## Links
74
+
75
+ - [INSTALL.md](INSTALL.md)
76
+ - [SECURITY.md](SECURITY.md)
77
+ - [TOOLS.md](TOOLS.md)
78
+ - [examples](examples)
79
+ - [sessions](sessions)
80
+ - [CHANGELOG.md](CHANGELOG.md)
@@ -0,0 +1,75 @@
1
+ # Security Policy
2
+
3
+ ## Reporting
4
+
5
+ Email security issues to `security@buzzberg.ai`. We acknowledge reports within
6
+ 72 hours. Please do not file public GitHub issues for vulnerabilities.
7
+
8
+ ## Threat Model
9
+
10
+ Buzzberg MCP is a hosted remote MCP server. The public package in this repo is
11
+ an installer and documentation package; it is not the server implementation.
12
+
13
+ - Confused deputy: the server resolves each Bearer key to a server-side user
14
+ context. Write tools use that context and do not accept user-id overrides.
15
+ - Token passthrough: Buzzberg MCP keys are not passed to downstream market-data
16
+ providers.
17
+ - Session hijacking: there is no server-side session cookie for MCP. Each request
18
+ authenticates with a Bearer key.
19
+ - SSRF: tool inputs are not arbitrary outbound HTTP URLs.
20
+ - Local installer compromise: installer code is public in this repo and releases
21
+ are published with PyPI Trusted Publishing through GitHub OIDC.
22
+
23
+ See [security-controls.json](security-controls.json) for the sanitized public
24
+ mapping of scope claims to enforcement mechanisms.
25
+
26
+ ## What Your Key Can And Cannot Do
27
+
28
+ | Action | Allowed? |
29
+ |---|---|
30
+ | Read public trade ideas, sentiment, and prices | Yes |
31
+ | Add/remove tickers in your watchlist | Yes |
32
+ | Save trade ideas to your account | Yes |
33
+ | Server sees tool-call arguments Claude sends | Yes |
34
+ | See another user's watchlist or saved ideas | No |
35
+ | Change another user's watchlist or saved ideas | No |
36
+ | Place trades on an exchange | No |
37
+ | See your full Claude conversation | No |
38
+ | Access your X, broker, or other accounts | No |
39
+ | Download files from your computer | No |
40
+
41
+ ## Key Storage
42
+
43
+ MCP keys are generated as `bzb_` plus a high-entropy random value from
44
+ `secrets.token_urlsafe(32)`. Buzzberg stores a SHA-256 hash of the key, not the
45
+ raw key. SHA-256 is appropriate here because the secret is random and high
46
+ entropy; this is not a low-entropy password.
47
+
48
+ ## Logging
49
+
50
+ Buzzberg stores `last_used_at` per key and standard HTTP access logs such as
51
+ path, status, IP, and response time. Buzzberg does not intentionally log request
52
+ bodies, tool arguments, or MCP response payloads. Per-tool audit logs are on the
53
+ roadmap but are not present in this beta.
54
+
55
+ ## What The Server Can See
56
+
57
+ The server receives MCP requests and tool arguments sent by your client. Tool
58
+ arguments are visible to Buzzberg. The server does not receive your full Claude
59
+ conversation unless your client chooses to include text from that conversation
60
+ inside a tool argument.
61
+
62
+ ## Key Lifecycle
63
+
64
+ Create keys in Buzzberg Profile -> MCP Access. Revoke keys from the same page.
65
+ Revoked keys stop authenticating once their `revoked_at` timestamp is set.
66
+
67
+ If the server is compromised, Buzzberg will revoke all active MCP keys, require
68
+ re-issue, and email active MCP users within 72 hours.
69
+
70
+ ## Attestation Verification
71
+
72
+ pip does not automatically verify Sigstore attestations. Buzzberg releases use
73
+ PyPI Trusted Publishing through GitHub OIDC, and attestations are available for
74
+ manual verification. The exact `pypi-attestations verify` command will be added
75
+ after the Test PyPI smoke test validates the working syntax.