crowdsec-local-mcp 0.7.0.post1.dev0__tar.gz → 0.8.0.post1.dev0__tar.gz

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: crowdsec-local-mcp
-Version: 0.7.0.post1.dev0
+Version: 0.8.0.post1.dev0
 Summary: An MCP exposing prompts and tools to help users write WAF rules, scenarios etc.
 License-Expression: MIT
 Classifier: Development Status :: 4 - Beta

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/manifest.json

@@ -55,6 +55,10 @@
       "name": "generate_waf_tests",
       "description": "Get the WAF test generation prompt for producing config.yaml and adapted Nuclei templates"
     },
+    {
+      "name": "get_waf_pr_prompt",
+      "description": "Get the WAF PR preparation prompt for writing test assets and drafting a PR comment"
+    },
     {
       "name": "run_waf_tests",
       "description": "Start the WAF harness and execute the provided nuclei test template against it"
@@ -71,6 +75,10 @@
       "name": "deploy_waf_rule",
       "description": "Get deployment instructions for CrowdSec WAF rules"
     },
+    {
+      "name": "prepare_waf_pr",
+      "description": "Write the generated WAF rule and AppSec test assets into a local CrowdSec hub clone, and optionally add the rule to the appsec-virtual-patching collection"
+    },
     {
       "name": "fetch_nuclei_exploit",
       "description": "Retrieve nuclei templates from the official repository for a CVE to help with generation of WAF rules"

crowdsec_local_mcp-0.8.0.post1.dev0/src/crowdsec_local_mcp/_version.py

@@ -0,0 +1 @@
+__version__ = "0.8.0.post1.dev0"

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp/compose/waf-test/nginx/Dockerfile

@@ -13,8 +13,13 @@ RUN apt-get update && apt-get install -y \
     curl
 
 RUN wget -O - https://openresty.org/package/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/openresty.gpg
-RUN echo "deb [arch=amd64 signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main"| tee /etc/apt/sources.list.d/openresty.list
-RUN echo "deb [arch=arm64 signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/arm64/ubuntu $(lsb_release -sc) main"| tee /etc/apt/sources.list.d/openresty.list
+# Use TARGETARCH to select the right repository
+ARG TARGETARCH
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+        echo "deb [arch=amd64 signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/openresty.list; \
+    elif [ "$TARGETARCH" = "arm64" ]; then \
+        echo "deb [arch=arm64 signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/arm64/ubuntu $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/openresty.list; \
+    fi
 RUN curl -s https://install.crowdsec.net |  bash
 
 RUN apt update

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp/mcp_waf.py

@@ -28,6 +28,7 @@ WAF_PROMPT_FILE = PROMPTS_DIR / "prompt-waf.txt"
 WAF_EXAMPLES_FILE = PROMPTS_DIR / "prompt-waf-examples.txt"
 WAF_DEPLOY_FILE = PROMPTS_DIR / "prompt-waf-deploy.txt"
 WAF_TESTS_PROMPT_FILE = PROMPTS_DIR / "prompt-waf-tests.txt"
+WAF_PR_PROMPT_FILE = PROMPTS_DIR / "prompt-waf-pr.txt"
 
 CROWDSEC_SCHEMAS_DIR = SCRIPT_DIR / "yaml-schemas"
 WAF_SCHEMA_FILE = CROWDSEC_SCHEMAS_DIR / "appsec_rules_schema.yaml"
@@ -35,18 +36,8 @@ WAF_SCHEMA_FILE = CROWDSEC_SCHEMAS_DIR / "appsec_rules_schema.yaml"
 WAF_TEST_COMPOSE_DIR = SCRIPT_DIR / "compose" / "waf-test"
 WAF_TEST_COMPOSE_FILE = WAF_TEST_COMPOSE_DIR / "docker-compose.yml"
 WAF_TEST_RULE_PATH = WAF_TEST_COMPOSE_DIR / "rules" / "current-rule.yaml"
-WAF_TEST_APPSEC_TEMPLATE = (
-    WAF_TEST_COMPOSE_DIR
-    / "crowdsec"
-    / "appsec-configs"
-    / "mcp-appsec.yaml.template"
-)
-WAF_TEST_APPSEC_CONFIG = (
-    WAF_TEST_COMPOSE_DIR
-    / "crowdsec"
-    / "appsec-configs"
-    / "mcp-appsec.yaml"
-)
+WAF_TEST_APPSEC_TEMPLATE = WAF_TEST_COMPOSE_DIR / "crowdsec" / "appsec-configs" / "mcp-appsec.yaml.template"
+WAF_TEST_APPSEC_CONFIG = WAF_TEST_COMPOSE_DIR / "crowdsec" / "appsec-configs" / "mcp-appsec.yaml"
 WAF_RULE_NAME_PLACEHOLDER = "__PLACEHOLDER_FOR_USER_RULE__"
 WAF_TEST_PROJECT_NAME = "crowdsec-mcp-waf"
 WAF_TEST_NETWORK_NAME = f"{WAF_TEST_PROJECT_NAME}_waf-net"
@@ -83,11 +74,7 @@ def _collect_compose_logs(services: list[str] | None = None, tail_lines: int = 2
         check=False,
     )
 
-    combined = "\n".join(
-        part.strip()
-        for part in ((result.stdout or ""), (result.stderr or ""))
-        if part
-    ).strip()
+    combined = "\n".join(part.strip() for part in ((result.stdout or ""), (result.stderr or "")) if part).strip()
 
     if not combined:
         return ""
@@ -99,9 +86,7 @@ def _collect_compose_logs(services: list[str] | None = None, tail_lines: int = 2
     return "\n".join(lines)
 
 
-def _run_compose_command(
-    args: list[str], capture_output: bool = True, check: bool = True
-) -> subprocess.CompletedProcess:
+def _run_compose_command(args: list[str], capture_output: bool = True, check: bool = True) -> subprocess.CompletedProcess:
     """Run a docker compose command inside the WAF test harness directory."""
     base_cmd = ensure_docker_compose_cli()
     full_cmd = base_cmd + ["-p", WAF_TEST_PROJECT_NAME, "-f", str(WAF_TEST_COMPOSE_FILE)] + args
@@ -117,10 +102,7 @@ def _run_compose_command(
         )
     except (FileNotFoundError, PermissionError) as error:
         LOGGER.error("Compose command failed to start: %s", error)
-        raise RuntimeError(
-            "Docker Compose is required but could not be executed. "
-            "Install Docker and ensure the current user can run `docker compose` commands."
-        ) from error
+        raise RuntimeError("Docker Compose is required but could not be executed. Install Docker and ensure the current user can run `docker compose` commands.") from error
     except subprocess.CalledProcessError as error:
         stdout = (error.stdout or "").strip()
         stderr = (error.stderr or "").strip()
@@ -132,14 +114,10 @@ def _run_compose_command(
             error.returncode,
             combined.splitlines()[0] if combined else "no output",
         )
-        raise RuntimeError(
-            f"docker compose {' '.join(args)} failed (exit code {error.returncode}):\n{combined}"
-        ) from error
+        raise RuntimeError(f"docker compose {' '.join(args)} failed (exit code {error.returncode}):\n{combined}") from error
 
 
-def _run_compose_exec(
-    args: list[str], capture_output: bool = True, check: bool = True
-) -> subprocess.CompletedProcess:
+def _run_compose_exec(args: list[str], capture_output: bool = True, check: bool = True) -> subprocess.CompletedProcess:
     """Run docker compose exec against the CrowdSec container."""
     exec_args = ["exec", "-T"] + args
     return _run_compose_command(exec_args, capture_output=capture_output, check=check)
@@ -149,9 +127,7 @@ def _teardown_compose_stack(check: bool = True) -> None:
     """Stop the compose stack and ensure any supervising process is terminated."""
     global _COMPOSE_STACK_PROCESS
     if not WAF_TEST_COMPOSE_FILE.exists():
-        LOGGER.warning(
-            "Requested stack teardown but compose file %s is missing", WAF_TEST_COMPOSE_FILE
-        )
+        LOGGER.warning("Requested stack teardown but compose file %s is missing", WAF_TEST_COMPOSE_FILE)
         _COMPOSE_STACK_PROCESS = None
         return
 
@@ -163,9 +139,7 @@ def _teardown_compose_stack(check: bool = True) -> None:
             try:
                 _COMPOSE_STACK_PROCESS.wait(timeout=15)
             except subprocess.TimeoutExpired:
-                LOGGER.warning(
-                    "Compose stack process did not exit in time; terminating forcefully"
-                )
+                LOGGER.warning("Compose stack process did not exit in time; terminating forcefully")
                 _COMPOSE_STACK_PROCESS.kill()
                 _COMPOSE_STACK_PROCESS.wait(timeout=5)
         _COMPOSE_STACK_PROCESS = None
@@ -183,14 +157,9 @@ def _wait_for_crowdsec_ready(timeout: int = 90) -> None:
                 _COMPOSE_STACK_PROCESS = None
                 logs = _collect_compose_logs(["crowdsec", "nginx", "backend"])
                 log_section = f"\n\nService logs:\n{logs}" if logs else ""
-                raise RuntimeError(
-                    "WAF stack exited while waiting for CrowdSec to become ready"
-                    f" (exit code {exit_code}).{log_section}"
-                )
+                raise RuntimeError(f"WAF stack exited while waiting for CrowdSec to become ready (exit code {exit_code}).{log_section}")
         try:
-            result = _run_compose_exec(
-                ["crowdsec", "cscli", "lapi", "status"], capture_output=True, check=False
-            )
+            result = _run_compose_exec(["crowdsec", "cscli", "lapi", "status"], capture_output=True, check=False)
             if isinstance(result, subprocess.CompletedProcess) and result.returncode == 0:
                 LOGGER.info("CrowdSec API is ready")
                 return
@@ -264,10 +233,7 @@ def _run_nuclei_container(
 
     if result.returncode != 0:
         LOGGER.error("Nuclei container exited with code %s", result.returncode)
-        failure = (
-            f"Nuclei container exited with status {result.returncode}."
-            + (f"\n\n{detail_text}" if detail_text else "")
-        )
+        failure = f"Nuclei container exited with status {result.returncode}." + (f"\n\n{detail_text}" if detail_text else "")
         return (False, failure)
 
     matches: list[dict[str, Any]] = []
@@ -290,10 +256,7 @@ def _run_nuclei_container(
         if unmatched_lines:
             info_lines.append("Nuclei produced output but no matches were recorded:\n" + "\n".join(unmatched_lines))
         else:
-            info_lines.append(
-                "Nuclei completed successfully but reported zero matches. "
-                "The WAF rule likely did not block the request (missing HTTP 403)."
-            )
+            info_lines.append("Nuclei completed successfully but reported zero matches. The WAF rule likely did not block the request (missing HTTP 403).")
         if stderr:
             info_lines.append(f"stderr:\n{stderr}")
         return (False, "\n\n".join(info_lines))
@@ -306,9 +269,7 @@ def _run_nuclei_container(
         url = match.get("matched-at") or match.get("matchedAt") or target_url
         summary_lines.append(f" - {template_id} matched at {url}")
     if unmatched_lines:
-        summary_lines.append(
-            "Additional nuclei output:\n" + "\n".join(unmatched_lines)
-        )
+        summary_lines.append("Additional nuclei output:\n" + "\n".join(unmatched_lines))
     if stderr:
         summary_lines.append(f"stderr:\n{stderr}")
     return (True, "\n".join(summary_lines))
@@ -479,9 +440,7 @@ def _validate_waf_rule(rule_yaml: str) -> list[types.TextContent]:
     ]
 
 
-def _analyze_rule_item(
-    rule_item: Any, rule_path: str, warnings: list[str]
-) -> tuple[bool, bool]:
+def _analyze_rule_item(rule_item: Any, rule_path: str, warnings: list[str]) -> tuple[bool, bool]:
     """Recursively inspect rule items, track operator usage, and record warnings."""
     if not isinstance(rule_item, dict):
         return (False, False)
@@ -493,9 +452,7 @@ def _analyze_rule_item(
     contains_or = has_or
 
     if has_and and has_or:
-        warnings.append(
-            f"{location} mixes 'and' and 'or' operators at the same level; split them into separate nested blocks"
-        )
+        warnings.append(f"{location} mixes 'and' and 'or' operators at the same level; split them into separate nested blocks")
 
     if has_and:
         for i, sub_rule in enumerate(rule_item["and"]):
@@ -523,20 +480,13 @@ def _analyze_rule_item(
             match_type = match.get("type", "")
             match_value = match.get("value", "")
 
-            if (
-                match_type in CASE_SENSITIVE_MATCH_TYPES
-                and isinstance(match_value, str)
-                and any(c.isupper() for c in match_value)
-            ):
+            if match_type in CASE_SENSITIVE_MATCH_TYPES and isinstance(match_value, str) and any(c.isupper() for c in match_value):
                 transforms = rule_item.get("transform", [])
-                has_lowercase = (
-                    "lowercase" in transforms if isinstance(transforms, list) else False
-                )
+                has_lowercase = "lowercase" in transforms if isinstance(transforms, list) else False
 
                 if not has_lowercase:
                     warnings.append(
-                        f"Match at {location} uses '{match_type}' with uppercase letters "
-                        f"but no 'lowercase' transform - consider adding lowercase transform for case-insensitive matching"
+                        f"Match at {location} uses '{match_type}' with uppercase letters but no 'lowercase' transform - consider adding lowercase transform for case-insensitive matching"
                     )
 
             if isinstance(match_value, str):
@@ -544,9 +494,7 @@ def _analyze_rule_item(
                 sql_keywords = [kw for kw in SQL_KEYWORD_INDICATORS if kw in lower_value]
                 if sql_keywords:
                     keywords_str = ", ".join(sorted(set(sql_keywords)))
-                    warnings.append(
-                        f"Match at {location} contains SQL keyword(s) ({keywords_str}); instead of keyword blacklisting, detect escaping characters like quotes or semicolons"
-                    )
+                    warnings.append(f"Match at {location} contains SQL keyword(s) ({keywords_str}); instead of keyword blacklisting, detect escaping characters like quotes or semicolons")
 
                 transforms = rule_item.get("transform", [])
                 if isinstance(transforms, list) and "urldecode" in transforms:
@@ -590,9 +538,7 @@ def lint_waf_rule(rule_yaml: str) -> list[types.TextContent]:
         name = parsed.get("name", "")
         if isinstance(name, str):
             if name.startswith("crowdsecurity/"):
-                warnings.append(
-                    "Rule name starts with 'crowdsecurity/' which is reserved for official CrowdSec rules; consider using your own namespace"
-                )
+                warnings.append("Rule name starts with 'crowdsecurity/' which is reserved for official CrowdSec rules; consider using your own namespace")
         else:
             warnings.append("Field 'name' should be a string")
 
@@ -600,9 +546,7 @@ def lint_waf_rule(rule_yaml: str) -> list[types.TextContent]:
         for i, rule in enumerate(parsed["rules"]):
             rule_has_and, rule_has_or = _analyze_rule_item(rule, f"[{i}]", warnings)
             if rule_has_and and rule_has_or:
-                warnings.append(
-                    f"rules[{i}] uses both 'and' and 'or' operators somewhere in the block; CrowdSec cannot mix them in one rule, split the logic into separate rules"
-                )
+                warnings.append(f"rules[{i}] uses both 'and' and 'or' operators somewhere in the block; CrowdSec cannot mix them in one rule, split the logic into separate rules")
 
     result_lines: list[str] = []
 
@@ -644,9 +588,7 @@ def _tool_get_waf_top_level_prompt(_: dict[str, Any] | None) -> list[types.TextC
         ]
     except FileNotFoundError as exc:
         LOGGER.error("WAF top-level prompt file not found at %s", WAF_TOP_LEVEL_PROMPT_FILE)
-        raise FileNotFoundError(
-            f"WAF top-level prompt file not found at {WAF_TOP_LEVEL_PROMPT_FILE}"
-        ) from exc
+        raise FileNotFoundError(f"WAF top-level prompt file not found at {WAF_TOP_LEVEL_PROMPT_FILE}") from exc
     except Exception as exc:
         LOGGER.error("Error loading WAF top-level prompt: %s", exc)
         raise RuntimeError(f"Error reading WAF top-level prompt file: {exc!s}") from exc
@@ -701,10 +643,7 @@ def _tool_generate_waf_rule(arguments: dict[str, Any] | None) -> list[types.Text
             bool(nuclei_template),
         )
         if nuclei_template:
-            combined_prompt += (
-                "\n\n### Input Nuclei Template to Process:\n"
-                f"```yaml\n{nuclei_template}\n```"
-            )
+            combined_prompt += f"\n\n### Input Nuclei Template to Process:\n```yaml\n{nuclei_template}\n```"
 
         return [
             types.TextContent(
@@ -735,17 +674,10 @@ def _tool_generate_waf_tests(arguments: dict[str, Any] | None) -> list[types.Tex
         combined_prompt = tests_prompt
 
         if rule_filename:
-            combined_prompt += (
-                "\n\n### Rule Under Test\n"
-                f"The detection rule produced earlier is stored at: {rule_filename}\n"
-                "Use this exact path in the config.yaml `appsec-rules` list."
-            )
+            combined_prompt += f"\n\n### Rule Under Test\nThe detection rule produced earlier is stored at: {rule_filename}\nUse this exact path in the config.yaml `appsec-rules` list."
 
         if nuclei_template:
-            combined_prompt += (
-                "\n\n### Input Nuclei Template to Adapt:\n"
-                f"```yaml\n{nuclei_template}\n```"
-            )
+            combined_prompt += f"\n\n### Input Nuclei Template to Adapt:\n```yaml\n{nuclei_template}\n```"
 
         return [
             types.TextContent(
@@ -761,6 +693,19 @@ def _tool_generate_waf_tests(arguments: dict[str, Any] | None) -> list[types.Tex
         raise RuntimeError(f"Error generating WAF test prompt: {exc!s}") from exc
 
 
+def _tool_get_waf_pr_prompt(_: dict[str, Any] | None) -> list[types.TextContent]:
+    try:
+        LOGGER.info("Serving WAF PR prompt content")
+        prompt_content = WAF_PR_PROMPT_FILE.read_text(encoding="utf-8")
+        return [types.TextContent(type="text", text=prompt_content)]
+    except FileNotFoundError as exc:
+        LOGGER.error("WAF PR prompt file not found at %s", WAF_PR_PROMPT_FILE)
+        raise FileNotFoundError(f"WAF PR prompt file not found at {WAF_PR_PROMPT_FILE}") from exc
+    except Exception as exc:
+        LOGGER.error("Error reading WAF PR prompt: %s", exc)
+        raise RuntimeError(f"Error reading WAF PR prompt: {exc!s}") from exc
+
+
 def _tool_validate_waf_rule(arguments: dict[str, Any] | None) -> list[types.TextContent]:
     if not arguments or "rule_yaml" not in arguments:
         LOGGER.warning("Validation request missing 'rule_yaml' argument")
@@ -805,6 +750,156 @@ def _tool_deploy_waf_rule(_: dict[str, Any] | None) -> list[types.TextContent]:
         raise RuntimeError(f"Error reading WAF deployment guide: {exc!s}") from exc
 
 
+def _is_relative_to(base: Path, target: Path) -> bool:
+    try:
+        target.relative_to(base)
+    except ValueError:
+        return False
+    return True
+
+def _require_non_empty_str(value: Any, field: str, message: str | None = None) -> str:
+    if not isinstance(value, str) or not value.strip():
+        raise ValueError(message or f"'{field}' must be a non-empty string")
+    return value.strip()
+
+
+def _parse_collection_name(collection_name: str) -> tuple[str, str]:
+    normalized = collection_name.strip().lstrip("/")
+    if normalized.count("/") != 1:
+        raise ValueError("'collection_name' must be in the format 'author/name'")
+    author, name = normalized.split("/", 1)
+    if not author or not name:
+        raise ValueError("'collection_name' must be in the format 'author/name'")
+    return author, name
+
+
+def _load_yaml_mapping(payload: str, error_context: str) -> dict[str, Any]:
+    try:
+        parsed = yaml.safe_load(payload) or {}
+    except yaml.YAMLError as exc:
+        raise RuntimeError(f"Failed to parse {error_context}: {exc}") from exc
+    if not isinstance(parsed, dict):
+        raise RuntimeError(f"{error_context} must be a mapping")
+    return parsed
+
+
+def _update_collection_with_rule(
+    summary_lines: list[str],
+    hub_root: Path,
+    collection_name: str,
+    rule_yaml: str,
+) -> None:
+    author, name = _parse_collection_name(collection_name)
+    collection_file = (hub_root / "collections" / author / f"{name}.yaml").resolve()
+    if not _is_relative_to(hub_root, collection_file):
+        raise ValueError("Resolved collection path escapes the hub directory")
+    if not collection_file.exists():
+        summary_lines.append(f"- Warning: collection file not found at {collection_file}. Add the rule manually.")
+        return
+
+    collection_payload = _load_yaml_mapping(
+        collection_file.read_text(encoding="utf-8"),
+        f"collection YAML at {collection_file}",
+    )
+    appsec_rules = collection_payload.get("appsec-rules")
+    if appsec_rules is None:
+        appsec_rules = []
+        collection_payload["appsec-rules"] = appsec_rules
+    if not isinstance(appsec_rules, list):
+        raise RuntimeError("'appsec-rules' in the collection file must be a list")
+
+    rule_payload = _load_yaml_mapping(rule_yaml, "rule YAML to read the rule name")
+    rule_name = rule_payload.get("name")
+    if not isinstance(rule_name, str) or not rule_name.strip():
+        raise RuntimeError("Rule YAML must include a non-empty 'name' field to update the collection")
+    rule_name = rule_name.strip()
+
+    if rule_name in appsec_rules:
+        summary_lines.append("- Collection already includes the rule; no update needed")
+        return
+
+    appsec_rules.append(rule_name)
+    collection_file.write_text(
+        yaml.safe_dump(collection_payload, sort_keys=False),
+        encoding="utf-8",
+    )
+    summary_lines.append(f"- Updated collection: added {rule_name} to {collection_file}")
+
+def _tool_prepare_waf_pr(arguments: dict[str, Any] | None) -> list[types.TextContent]:
+    if not arguments:
+        LOGGER.warning("prepare_waf_pr called without arguments")
+        raise ValueError("Missing arguments payload")
+
+    hub_dir = _require_non_empty_str(
+        arguments.get("hub_dir"),
+        "hub_dir",
+        "'hub_dir' must be a non-empty string pointing to a local CrowdSec hub clone",
+    )
+    rule_yaml = _require_non_empty_str(
+        arguments.get("rule_yaml"),
+        "rule_yaml",
+        "'rule_yaml' must be a non-empty string containing the WAF rule",
+    )
+    test_config_yaml = _require_non_empty_str(
+        arguments.get("test_config_yaml"),
+        "test_config_yaml",
+        "'test_config_yaml' must be a non-empty string containing the test config.yaml",
+    )
+    test_nuclei_yaml = _require_non_empty_str(
+        arguments.get("test_nuclei_yaml"),
+        "test_nuclei_yaml",
+        "'test_nuclei_yaml' must be a non-empty string containing the adapted nuclei template",
+    )
+    rule_filename = _require_non_empty_str(arguments.get("rule_filename"), "rule_filename")
+    nuclei_filename = _require_non_empty_str(arguments.get("nuclei_filename"), "nuclei_filename")
+    collection_name = arguments.get("collection_name")
+    if collection_name is not None and (not isinstance(collection_name, str) or not collection_name.strip()):
+        raise ValueError("'collection_name' must be a non-empty string when provided")
+
+    hub_path = Path(hub_dir).expanduser()
+    hub_root = hub_path.resolve()
+    if not hub_path.exists() or not hub_path.is_dir():
+        raise ValueError(f"hub_dir does not exist or is not a directory: {hub_path}")
+
+    rule_rel_path = Path(rule_filename.strip())
+
+    rule_path = (hub_path / rule_rel_path).resolve()
+    if not _is_relative_to(hub_root, rule_path):
+        raise ValueError("Resolved rule path escapes the hub directory")
+
+    rule_path.parent.mkdir(parents=True, exist_ok=True)
+    rule_path.write_text(rule_yaml, encoding="utf-8")
+
+    test_dir_name = rule_path.stem
+    tests_root = (hub_path / ".appsec-tests" / test_dir_name).resolve()
+    if not _is_relative_to(hub_root, tests_root):
+        raise ValueError("Resolved test path escapes the hub directory")
+    tests_root.mkdir(parents=True, exist_ok=True)
+
+    nuclei_file = nuclei_filename.strip()
+    if not nuclei_file.endswith(".yaml"):
+        nuclei_file = f"{nuclei_file}.yaml"
+
+    config_path = tests_root / "config.yaml"
+    nuclei_path = tests_root / nuclei_file
+    config_path.write_text(test_config_yaml, encoding="utf-8")
+    nuclei_path.write_text(test_nuclei_yaml, encoding="utf-8")
+
+    summary_lines = [
+        "Prepared PR assets in the hub clone:",
+        f"- Rule: {rule_path}",
+        f"- Test config: {config_path}",
+        f"- Test nuclei: {nuclei_path}",
+    ]
+
+    if collection_name:
+        _update_collection_with_rule(summary_lines, hub_root, collection_name, rule_yaml)
+    else:
+        summary_lines.append("- Warning: rule not added to appsec-virtual-patching collection. Remember to add it before opening the PR.")
+
+    return [types.TextContent(type="text", text="\n".join(summary_lines))]
+
+
 def _tool_manage_waf_stack(arguments: dict[str, Any] | None) -> list[types.TextContent]:
     try:
         if not arguments:
@@ -830,9 +925,7 @@ def _tool_manage_waf_stack(arguments: dict[str, Any] | None) -> list[types.TextC
 
             if not target_url:
                 LOGGER.error("WAF stack start returned no target URL and no explicit error")
-                raise RuntimeError(
-                    "WAF stack start error: stack did not return a service URL and reported no specific error."
-                )
+                raise RuntimeError("WAF stack start error: stack did not return a service URL and reported no specific error.")
 
             return [
                 types.TextContent(
@@ -956,6 +1049,7 @@ def _tool_run_waf_tests(arguments: dict[str, Any] | None) -> list[types.TextCont
             except Exception as stop_exc:  # pragma: no cover - best effort cleanup
                 LOGGER.warning("Failed to stop WAF stack during cleanup: %s", stop_exc)
 
+
 def _search_repo_for_cve(repo_path: Path, cve: str) -> list[Path]:
     """Return files whose name contains the CVE identifier (case-insensitive)."""
     lower_token = cve.lower()
@@ -1002,9 +1096,7 @@ def _tool_fetch_nuclei_exploit(arguments: dict[str, Any] | None) -> list[types.T
 
             if repo_path.exists():
                 if not (repo_path / ".git").exists():
-                    raise RuntimeError(
-                        f"Destination {repo_path} exists but is not a git repository"
-                    )
+                    raise RuntimeError(f"Destination {repo_path} exists but is not a git repository")
                 git_cmd = ["git", "-C", str(repo_path), "pull", "--ff-only"]
             else:
                 git_cmd = ["git", "clone", "--depth", "1", cleaned_url, str(repo_path)]
@@ -1038,9 +1130,7 @@ def _tool_fetch_nuclei_exploit(arguments: dict[str, Any] | None) -> list[types.T
                 except OSError as read_err:
                     findings.append(f"    (failed to read {relative_path}: {read_err})")
                     continue
-                rendered_templates.append(
-                    f"### {cleaned_url} :: {relative_path}\n```yaml\n{file_contents}\n```"
-                )
+                rendered_templates.append(f"### {cleaned_url} :: {relative_path}\n```yaml\n{file_contents}\n```")
                 total_files += 1
 
         if total_files == 0:
@@ -1049,10 +1139,7 @@ def _tool_fetch_nuclei_exploit(arguments: dict[str, Any] | None) -> list[types.T
             return [
                 types.TextContent(
                     type="text",
-                    text=(
-                        f"No files containing {cve} were found in the provided repositories."
-                        f"{detail_section}"
-                    ),
+                    text=(f"No files containing {cve} were found in the provided repositories.{detail_section}"),
                 )
             ]
 
@@ -1099,9 +1186,7 @@ def _tool_curl_waf_endpoint(arguments: dict[str, Any] | None) -> list[types.Text
         if not path.startswith("/"):
             if "://" in path:
                 parsed = urllib.parse.urlparse(path)
-                path = urllib.parse.urlunparse(
-                    ("", "", parsed.path or "/", parsed.params, parsed.query, parsed.fragment)
-                )
+                path = urllib.parse.urlunparse(("", "", parsed.path or "/", parsed.params, parsed.query, parsed.fragment))
             else:
                 path = "/" + path
 
@@ -1109,9 +1194,7 @@ def _tool_curl_waf_endpoint(arguments: dict[str, Any] | None) -> list[types.Text
             LOGGER.warning("curl_waf_endpoint received non-string body payload")
             raise ValueError("'body' must be a string when provided")
 
-        LOGGER.info(
-            "curl_waf_endpoint executing %s request to %s (timeout=%s)", method, path, timeout
-        )
+        LOGGER.info("curl_waf_endpoint executing %s request to %s (timeout=%s)", method, path, timeout)
         try:
             response = requests.request(
                 method=method,
@@ -1124,12 +1207,7 @@ def _tool_curl_waf_endpoint(arguments: dict[str, Any] | None) -> list[types.Text
             raise RuntimeError(f"HTTP request failed: {req_err}") from req_err
 
         header_lines = "\n".join(f"{k}: {v}" for k, v in response.headers.items())
-        response_text = (
-            f">>> {method} http://localhost:8081{path}\n"
-            f"Status: {response.status_code}\n"
-            f"Headers:\n{header_lines}\n\n"
-            f"Body:\n{response.text}"
-        )
+        response_text = f">>> {method} http://localhost:8081{path}\nStatus: {response.status_code}\nHeaders:\n{header_lines}\n\nBody:\n{response.text}"
 
         LOGGER.info(
             "curl_waf_endpoint completed with status %s for %s %s",
@@ -1154,10 +1232,12 @@ WAF_TOOL_HANDLERS: dict[str, ToolHandler] = {
     "get_waf_prompt": _tool_get_waf_prompt,
     "get_waf_examples": _tool_get_waf_examples,
     "generate_waf_rule": _tool_generate_waf_rule,
+    "get_waf_pr_prompt": _tool_get_waf_pr_prompt,
     "generate_waf_tests": _tool_generate_waf_tests,
     "validate_waf_rule": _tool_validate_waf_rule,
     "lint_waf_rule": _tool_lint_waf_rule,
     "deploy_waf_rule": _tool_deploy_waf_rule,
+    "prepare_waf_pr": _tool_prepare_waf_pr,
     "fetch_nuclei_exploit": _tool_fetch_nuclei_exploit,
     "manage_waf_stack": _tool_manage_waf_stack,
     "run_waf_tests": _tool_run_waf_tests,
@@ -1224,6 +1304,15 @@ WAF_TOOLS: list[types.Tool] = [
             "additionalProperties": False,
         },
     ),
+    types.Tool(
+        name="get_waf_pr_prompt",
+        description="Get the WAF PR preparation prompt for writing test assets and drafting a PR comment",
+        inputSchema={
+            "type": "object",
+            "properties": {},
+            "additionalProperties": False,
+        },
+    ),
     types.Tool(
         name="run_waf_tests",
         description="Start the WAF harness and execute the provided nuclei test template against it."
@@ -1283,6 +1372,52 @@ WAF_TOOLS: list[types.Tool] = [
             "additionalProperties": False,
         },
     ),
+    types.Tool(
+        name="prepare_waf_pr",
+        description=("Help prepare a pull request in a local clone of the CrowdSec hub repository by adding the generated WAF rule and associated test files."),
+        inputSchema={
+            "type": "object",
+            "properties": {
+                "hub_dir": {
+                    "type": "string",
+                    "description": "Path to the local clone of the CrowdSec hub repository",
+                },
+                "rule_yaml": {
+                    "type": "string",
+                    "description": "Generated WAF rule YAML content",
+                },
+                "test_config_yaml": {
+                    "type": "string",
+                    "description": "Generated AppSec test config.yaml content",
+                },
+                "test_nuclei_yaml": {
+                    "type": "string",
+                    "description": "Generated adapted nuclei template content",
+                },
+                "rule_filename": {
+                    "type": "string",
+                    "description": "Relative path (from hub root) for the rule file",
+                },
+                "nuclei_filename": {
+                    "type": "string",
+                    "description": "Filename for the nuclei test template",
+                },
+                "collection_name": {
+                    "type": "string",
+                    "description": "Target collection in the format author/name (mapped to collections/author/name.yaml)",
+                },
+            },
+            "required": [
+                "hub_dir",
+                "rule_yaml",
+                "test_config_yaml",
+                "test_nuclei_yaml",
+                "rule_filename",
+                "nuclei_filename",
+            ],
+            "additionalProperties": False,
+        },
+    ),
     types.Tool(
         name="fetch_nuclei_exploit",
         description="Retrieve nuclei templates from the official repository for a CVE to help with generation of WAF rules",
@@ -1386,6 +1521,12 @@ WAF_RESOURCES: list[types.Resource] = [
         description="Instructions for producing config.yaml and adapted Nuclei templates for WAF testing",
         mimeType="text/plain",
     ),
+    types.Resource(
+        uri="file://prompts/prompt-waf-pr.txt",
+        name="WAF PR Preparation Prompt",
+        description="Short guidance for preparing WAF PR assets and drafting a PR comment",
+        mimeType="text/plain",
+    ),
 ]
 
 WAF_RESOURCE_READERS: dict[str, Callable[[], str]] = {
@@ -1394,6 +1535,7 @@ WAF_RESOURCE_READERS: dict[str, Callable[[], str]] = {
     "file://prompts/prompt-waf-examples.txt": lambda: WAF_EXAMPLES_FILE.read_text(encoding="utf-8"),
     "file://prompts/prompt-waf-deploy.txt": lambda: WAF_DEPLOY_FILE.read_text(encoding="utf-8"),
     "file://prompts/prompt-waf-tests.txt": lambda: WAF_TESTS_PROMPT_FILE.read_text(encoding="utf-8"),
+    "file://prompts/prompt-waf-pr.txt": lambda: WAF_PR_PROMPT_FILE.read_text(encoding="utf-8"),
 }
 
 REGISTRY.register_tools(WAF_TOOL_HANDLERS, WAF_TOOLS)

crowdsec_local_mcp-0.8.0.post1.dev0/src/crowdsec_local_mcp/prompts/prompt-waf-pr.txt

@@ -0,0 +1,10 @@
+You are preparing a CrowdSec WAF pull request in a local hub clone.
+
+Use these instructions as the authoritative spec for the test assets you must add. Create the required files under `.appsec-tests/<test_name>/` and ensure `config.yaml` references the exact rule path that was generated.
+
+When the files are ready, draft a short PR comment the user can paste. The comment should include:
+- A one-line summary of the rule and tests added.
+- A list of files added or updated.
+- How to run or validate the tests (short, practical guidance).
+
+Return only the PR comment text, ready to paste, with no extra explanations.

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp/prompts/prompt-waf-tests.txt

@@ -8,6 +8,14 @@ You are an expert in generating automated test assets for the CrowdSec WAF harne
      - `./appsec-rules/crowdsecurity/base-config.yaml`  
      - The path to the generated rule (e.g. `./appsec-rules/crowdsecurity/vpatch-CVE-2020-17496.yaml`).  
    - `nuclei_template` is the filename of the adapted Nuclei template (e.g. `CVE-2020-17496.yaml`).
+   - The path in `appsec-rules` is relative to the hub root, because the rule is not on the hub yet.
+   - Use this template and replace the placeholders only:
+     ```
+     appsec-rules:
+       - ./appsec-rules/crowdsecurity/base-config.yaml
+       - <PUT_THE_NEW_RULE_PATH_HERE>
+     nuclei_template: <PUT_THE_TEST_TEMPLATE_FILENAME_HERE>
+     ```
 
 2. **Adapted Nuclei Template**  
    - Preserve the original request structure that exercises the vulnerability.  
@@ -27,6 +35,10 @@ You are an expert in generating automated test assets for the CrowdSec WAF harne
    - Respect YAML indentation (two spaces) and quote strings that contain special characters.  
    - Mirror the case and structure of URIs, headers, and payloads from the input template.  
    - Provide helpful inline comments only when strictly necessary to explain intentional failures.
+   - Place test assets in the hub under `.appsec-tests/<test_name>/`:
+     - `config.yaml`
+     - `<test_name>.yaml` (the adapted nuclei template)
+   - If the rule is for virtual patching, use `CVE-YYYY-XYZ` as the test name and `vpatch-CVE-YYYY-XYZ` as the rule name.
 
 ## Output Format
 

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp/prompts/prompt-waf-top-level.txt

@@ -26,6 +26,8 @@ Once you have successfully generated and validated a WAF rule, propose the user
  - Create and validate a test for the rule - allows contribution to the hub:
     - Use tool `generate_waf_tests` to get instructions on test creation
     - Use tool `run_waf_tests` to run and validate the tests
-    - Once done, you can suggest the user to open a PR to https://github.com/crowdsecurity/hub/
+    - Once done, suggest help preparing a PR
+    - Use tool `get_waf_pr_prompt` to guide PR preparation and draft a PR comment
+    - Use tool `prepare_waf_pr` to write the rule and test assets into a local hub clone
  - Help the user to deploy the rule on his setup:
     - Use tool `deploy_waf_rule` to get detailed instructions and  guide the user.

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: crowdsec-local-mcp
-Version: 0.7.0.post1.dev0
+Version: 0.8.0.post1.dev0
 Summary: An MCP exposing prompts and tools to help users write WAF rules, scenarios etc.
 License-Expression: MIT
 Classifier: Development Status :: 4 - Beta

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/src/crowdsec_local_mcp.egg-info/SOURCES.txt

@@ -45,6 +45,7 @@ src/crowdsec_local_mcp/prompts/prompt-scenario-examples.txt
 src/crowdsec_local_mcp/prompts/prompt-scenario.txt
 src/crowdsec_local_mcp/prompts/prompt-waf-deploy.txt
 src/crowdsec_local_mcp/prompts/prompt-waf-examples.txt
+src/crowdsec_local_mcp/prompts/prompt-waf-pr.txt
 src/crowdsec_local_mcp/prompts/prompt-waf-tests.txt
 src/crowdsec_local_mcp/prompts/prompt-waf-top-level.txt
 src/crowdsec_local_mcp/prompts/prompt-waf.txt

{crowdsec_local_mcp-0.7.0.post1.dev0 → crowdsec_local_mcp-0.8.0.post1.dev0}/uv.lock

@@ -147,6 +147,7 @@ dev = [
     { name = "basedpyright" },
     { name = "pytest" },
     { name = "ruff" },
+    { name = "setuptools-scm" },
     { name = "types-pyyaml" },
     { name = "types-requests" },
 ]
@@ -164,6 +165,7 @@ dev = [
     { name = "basedpyright", specifier = ">=1.25.0" },
     { name = "pytest", specifier = ">=8.3.0" },
     { name = "ruff", specifier = ">=0.9.3" },
+    { name = "setuptools-scm", specifier = ">=8" },
     { name = "types-pyyaml", specifier = ">=6.0.12.20241230" },
     { name = "types-requests", specifier = ">=2.32.0.20241016" },
 ]
@@ -627,6 +629,28 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/b8/81/4b6387be7014858d924b843530e1b2a8e531846807516e9bea2ee0936bf7/ruff-0.14.1-py3-none-win_arm64.whl", hash = "sha256:e3b443c4c9f16ae850906b8d0a707b2a4c16f8d2f0a7fe65c475c5886665ce44", size = 12436636 },
 ]
 
+[[package]]
+name = "setuptools"
+version = "80.9.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/18/5d/3bf57dcd21979b887f014ea83c24ae194cfcd12b9e0fda66b957c69d1fca/setuptools-80.9.0.tar.gz", hash = "sha256:f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c", size = 1319958 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/a3/dc/17031897dae0efacfea57dfd3a82fdd2a2aeb58e0ff71b77b87e44edc772/setuptools-80.9.0-py3-none-any.whl", hash = "sha256:062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922", size = 1201486 },
+]
+
+[[package]]
+name = "setuptools-scm"
+version = "9.2.2"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "packaging" },
+    { name = "setuptools" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/7b/b1/19587742aad604f1988a8a362e660e8c3ac03adccdb71c96d86526e5eb62/setuptools_scm-9.2.2.tar.gz", hash = "sha256:1c674ab4665686a0887d7e24c03ab25f24201c213e82ea689d2f3e169ef7ef57", size = 203385 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/3d/ea/ac2bf868899d0d2e82ef72d350d97a846110c709bacf2d968431576ca915/setuptools_scm-9.2.2-py3-none-any.whl", hash = "sha256:30e8f84d2ab1ba7cb0e653429b179395d0c33775d54807fc5f1dd6671801aef7", size = 62975 },
+]
+
 [[package]]
 name = "sniffio"
 version = "1.3.1"

crowdsec_local_mcp-0.7.0.post1.dev0/src/crowdsec_local_mcp/_version.py

@@ -1 +0,0 @@
-__version__ = "0.7.0.post1.dev0"