hvtracker-mcp 0.1.0__tar.gz

hvtracker_mcp-0.1.0/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2026 YugantM
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

hvtracker_mcp-0.1.0/PKG-INFO

@@ -0,0 +1,132 @@
+Metadata-Version: 2.4
+Name: hvtracker-mcp
+Version: 0.1.0
+Summary: MCP server for HVTracker trust checks.
+Author: YugantM
+License-Expression: MIT
+Project-URL: Homepage, https://hvtracker.net
+Project-URL: Repository, https://github.com/YugantM/hvtracker-mcp
+Project-URL: Issues, https://github.com/YugantM/hvtracker-mcp/issues
+Keywords: mcp,model-context-protocol,ai-agents,trust,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.27.2
+Requires-Dist: requests>=2.32.0
+Provides-Extra: dev
+Requires-Dist: build>=1.2.0; extra == "dev"
+Requires-Dist: pytest>=9.0.0; extra == "dev"
+Requires-Dist: ruff>=0.15.0; extra == "dev"
+Requires-Dist: twine>=6.0.0; extra == "dev"
+Dynamic: license-file
+
+# HVTracker MCP
+
+MCP server for checking supply-chain trust before connecting to AI agents,
+frameworks, or MCP servers.
+
+The hosted remote server is:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "url": "https://hvtracker.net/mcp"
+    }
+  }
+}
+```
+
+This repository also provides a local stdio package for clients that prefer
+package-based installation.
+
+<!-- mcp-name: io.github.yugantm/hvtracker-mcp -->
+
+## Tools
+
+- `verify_mcp_server`: pre-connect trust verdict for an MCP server, package, GitHub repo, or agent name.
+- `check_agent_trust`: compact trust profile for a tracked AI agent or framework.
+- `search_agents`: search the HVTracker registry by name, repo, description, or category.
+
+## Local Install
+
+With npm:
+
+```bash
+npm install -g hvtracker-mcp
+```
+
+With PyPI:
+
+```bash
+python3 -m pip install hvtracker-mcp
+```
+
+Example MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "command": "hvtracker-mcp"
+    }
+  }
+}
+```
+
+## Development
+
+```bash
+python3 -m pip install -e ".[dev]"
+python3 -m pytest
+hvtracker-mcp
+```
+
+Use a different HVTracker base URL while testing:
+
+```bash
+HVTRACKER_BASE_URL=http://localhost:8080 hvtracker-mcp
+```
+
+## Registry Publishing
+
+The official MCP Registry manifest is `server.json`.
+
+```bash
+mcp-publisher login github
+mcp-publisher publish
+```
+
+In GitHub Actions, run the "Publish MCP Registry" workflow after the npm,
+PyPI, and GHCR packages for the same version are live.
+
+The server name is:
+
+```text
+io.github.yugantm/hvtracker-mcp
+```
+
+## Claude Desktop Extension
+
+Tagged releases build an `.mcpb` bundle for Claude Desktop from `manifest.json`.
+To build it locally:
+
+```bash
+npm ci --omit=dev
+npx @anthropic-ai/mcpb@2.1.2 pack
+```
+
+## Privacy
+
+HVTracker MCP sends the user-supplied search string or server identifier to
+`https://hvtracker.net` to fetch public trust data. It does not require an API
+key and does not write to user systems. See the HVTracker site for current data
+and methodology, and see `PRIVACY.md` for the repository privacy note.

hvtracker_mcp-0.1.0/README.md

@@ -0,0 +1,102 @@
+# HVTracker MCP
+
+MCP server for checking supply-chain trust before connecting to AI agents,
+frameworks, or MCP servers.
+
+The hosted remote server is:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "url": "https://hvtracker.net/mcp"
+    }
+  }
+}
+```
+
+This repository also provides a local stdio package for clients that prefer
+package-based installation.
+
+<!-- mcp-name: io.github.yugantm/hvtracker-mcp -->
+
+## Tools
+
+- `verify_mcp_server`: pre-connect trust verdict for an MCP server, package, GitHub repo, or agent name.
+- `check_agent_trust`: compact trust profile for a tracked AI agent or framework.
+- `search_agents`: search the HVTracker registry by name, repo, description, or category.
+
+## Local Install
+
+With npm:
+
+```bash
+npm install -g hvtracker-mcp
+```
+
+With PyPI:
+
+```bash
+python3 -m pip install hvtracker-mcp
+```
+
+Example MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "command": "hvtracker-mcp"
+    }
+  }
+}
+```
+
+## Development
+
+```bash
+python3 -m pip install -e ".[dev]"
+python3 -m pytest
+hvtracker-mcp
+```
+
+Use a different HVTracker base URL while testing:
+
+```bash
+HVTRACKER_BASE_URL=http://localhost:8080 hvtracker-mcp
+```
+
+## Registry Publishing
+
+The official MCP Registry manifest is `server.json`.
+
+```bash
+mcp-publisher login github
+mcp-publisher publish
+```
+
+In GitHub Actions, run the "Publish MCP Registry" workflow after the npm,
+PyPI, and GHCR packages for the same version are live.
+
+The server name is:
+
+```text
+io.github.yugantm/hvtracker-mcp
+```
+
+## Claude Desktop Extension
+
+Tagged releases build an `.mcpb` bundle for Claude Desktop from `manifest.json`.
+To build it locally:
+
+```bash
+npm ci --omit=dev
+npx @anthropic-ai/mcpb@2.1.2 pack
+```
+
+## Privacy
+
+HVTracker MCP sends the user-supplied search string or server identifier to
+`https://hvtracker.net` to fetch public trust data. It does not require an API
+key and does not write to user systems. See the HVTracker site for current data
+and methodology, and see `PRIVACY.md` for the repository privacy note.

hvtracker_mcp-0.1.0/pyproject.toml

@@ -0,0 +1,54 @@
+[build-system]
+requires = ["setuptools>=69", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "hvtracker-mcp"
+version = "0.1.0"
+description = "MCP server for HVTracker trust checks."
+readme = "README.md"
+requires-python = ">=3.10"
+license = "MIT"
+authors = [
+  { name = "YugantM" }
+]
+keywords = ["mcp", "model-context-protocol", "ai-agents", "trust", "supply-chain"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: Security",
+  "Topic :: Software Development :: Libraries :: Python Modules"
+]
+dependencies = [
+  "mcp>=1.27.2",
+  "requests>=2.32.0"
+]
+
+[project.optional-dependencies]
+dev = [
+  "build>=1.2.0",
+  "pytest>=9.0.0",
+  "ruff>=0.15.0",
+  "twine>=6.0.0"
+]
+
+[project.scripts]
+hvtracker-mcp = "hvtracker_mcp.server:main"
+
+[project.urls]
+Homepage = "https://hvtracker.net"
+Repository = "https://github.com/YugantM/hvtracker-mcp"
+Issues = "https://github.com/YugantM/hvtracker-mcp/issues"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.ruff]
+line-length = 100
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

hvtracker_mcp-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

hvtracker_mcp-0.1.0/src/hvtracker_mcp/__init__.py

@@ -0,0 +1,4 @@
+"""HVTracker MCP package."""
+
+__version__ = "0.1.0"
+

hvtracker_mcp-0.1.0/src/hvtracker_mcp/__main__.py

@@ -0,0 +1,6 @@
+from .server import main
+
+
+if __name__ == "__main__":
+    main()
+

hvtracker_mcp-0.1.0/src/hvtracker_mcp/server.py

@@ -0,0 +1,150 @@
+"""Standalone HVTracker MCP server.
+
+The hosted production endpoint is https://hvtracker.net/mcp. This package is
+the local stdio distribution path: it exposes the same user-facing tools and
+delegates verdicts/searches to HVTracker's public HTTPS API.
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+from typing import Any
+
+import requests
+from mcp.server.fastmcp import FastMCP
+from mcp.types import ToolAnnotations
+
+from . import __version__
+
+DEFAULT_BASE_URL = "https://hvtracker.net"
+BASE_URL = os.environ.get("HVTRACKER_BASE_URL", DEFAULT_BASE_URL).rstrip("/")
+TIMEOUT_SECONDS = float(os.environ.get("HVTRACKER_TIMEOUT_SECONDS", "20"))
+
+mcp = FastMCP("hvtracker", instructions="Check trust signals for AI agents and MCP servers.")
+READ_ONLY = ToolAnnotations(readOnlyHint=True, destructiveHint=False, idempotentHint=True, openWorldHint=True)
+
+
+def _api_get(path: str, params: dict[str, Any] | None = None) -> dict[str, Any]:
+    url = f"{BASE_URL}{path}"
+    response = requests.get(
+        url,
+        params=params,
+        timeout=TIMEOUT_SECONDS,
+        headers={"User-Agent": f"hvtracker-mcp/{__version__}"},
+    )
+    response.raise_for_status()
+    payload = response.json()
+    if not isinstance(payload, dict):
+        raise ValueError(f"Unexpected response shape from {url}")
+    return payload
+
+
+def _agent_profile(agent: dict[str, Any]) -> dict[str, Any]:
+    slug = agent.get("slug")
+    return {
+        "tracked": True,
+        "name": agent.get("name"),
+        "repo": agent.get("repo"),
+        "trust_score": agent.get("trust_score"),
+        "evidence_grade": agent.get("evidence_grade"),
+        "rank": agent.get("rank"),
+        "category": agent.get("category"),
+        "has_provenance": agent.get("has_provenance"),
+        "scorecard_score": agent.get("scorecard_score"),
+        "mcp_server_support": (agent.get("mcp_server_support") or {}).get("status"),
+        "profile_url": f"{BASE_URL}/agents/{slug}/" if slug else None,
+    }
+
+
+@mcp.tool(title="Verify MCP Server", annotations=READ_ONLY)
+def verify_mcp_server(server: str) -> dict[str, Any]:
+    """Pre-connect trust verdict for an MCP server or AI agent.
+
+    Pass a GitHub owner/repo, GitHub URL, npm/PyPI package, display name, slug,
+    or MCP server URL. Unknown servers return trusted=false because HVTracker has
+    no independent evidence, not because harm is proven.
+    """
+    try:
+        return _api_get("/api/v1/mcp/verify", {"server": server})
+    except Exception as exc:
+        return {
+            "server": server,
+            "tracked": False,
+            "trusted": False,
+            "error": str(exc),
+            "reasons": ["HVTracker could not fetch a verdict right now."],
+        }
+
+
+@mcp.tool(title="Check Agent Trust", annotations=READ_ONLY)
+def check_agent_trust(name_or_repo: str) -> dict[str, Any]:
+    """Get the HVTracker trust profile for a tracked AI agent or framework."""
+    verdict = verify_mcp_server(name_or_repo)
+    if not verdict.get("tracked"):
+        return {
+            "query": name_or_repo,
+            "tracked": False,
+            "trusted": False,
+            "message": "Not in the HVTracker registry; treat as unverified.",
+            "submit_url": f"{BASE_URL}/submit",
+            "verdict": verdict,
+        }
+    slug = verdict.get("slug")
+    return {
+        "query": name_or_repo,
+        "tracked": True,
+        "trusted": verdict.get("trusted"),
+        "repo": verdict.get("resolved"),
+        "slug": slug,
+        "trust_score": verdict.get("trust_score"),
+        "evidence_grade": verdict.get("grade"),
+        "confidence": verdict.get("confidence"),
+        "mcp_server_support": verdict.get("mcp_server_support"),
+        "tool_permissions": verdict.get("tool_permissions") or [],
+        "profile_url": f"{BASE_URL}/agents/{slug}/" if slug else None,
+        "reasons": verdict.get("reasons") or [],
+    }
+
+
+@mcp.tool(title="Search Agents", annotations=READ_ONLY)
+def search_agents(query: str = "", category: str = "", limit: int = 10) -> dict[str, Any]:
+    """Search tracked AI agents and frameworks by name, repo, or description."""
+    try:
+        data = _api_get("/api/v1/agents")
+    except Exception as exc:
+        return {"count": 0, "results": [], "error": str(exc)}
+
+    ql = (query or "").strip().lower()
+    cl = (category or "").strip().lower()
+    matches = []
+    for agent in data.get("agents", []):
+        haystack = " ".join(
+            str(agent.get(key) or "") for key in ("name", "repo", "description", "slug")
+        ).lower()
+        if ql and ql not in haystack:
+            continue
+        if cl and (agent.get("category") or "").lower() != cl:
+            continue
+        matches.append(_agent_profile(agent))
+
+    matches.sort(key=lambda row: (row["trust_score"] is None, -(row["trust_score"] or 0)))
+    limit = max(1, min(int(limit or 10), 50))
+    return {"count": len(matches), "results": matches[:limit]}
+
+
+def main(argv: list[str] | None = None) -> None:
+    parser = argparse.ArgumentParser(description="Run the HVTracker MCP server.")
+    parser.add_argument(
+        "--transport",
+        choices=["stdio", "streamable-http"],
+        default=os.environ.get("HVTRACKER_MCP_TRANSPORT", "stdio"),
+        help="Transport to run. Use stdio for local MCP clients.",
+    )
+    args = parser.parse_args(argv)
+    mcp.run(transport=args.transport)
+
+
+if __name__ == "__main__":
+    main()
+

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/PKG-INFO

@@ -0,0 +1,132 @@
+Metadata-Version: 2.4
+Name: hvtracker-mcp
+Version: 0.1.0
+Summary: MCP server for HVTracker trust checks.
+Author: YugantM
+License-Expression: MIT
+Project-URL: Homepage, https://hvtracker.net
+Project-URL: Repository, https://github.com/YugantM/hvtracker-mcp
+Project-URL: Issues, https://github.com/YugantM/hvtracker-mcp/issues
+Keywords: mcp,model-context-protocol,ai-agents,trust,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.27.2
+Requires-Dist: requests>=2.32.0
+Provides-Extra: dev
+Requires-Dist: build>=1.2.0; extra == "dev"
+Requires-Dist: pytest>=9.0.0; extra == "dev"
+Requires-Dist: ruff>=0.15.0; extra == "dev"
+Requires-Dist: twine>=6.0.0; extra == "dev"
+Dynamic: license-file
+
+# HVTracker MCP
+
+MCP server for checking supply-chain trust before connecting to AI agents,
+frameworks, or MCP servers.
+
+The hosted remote server is:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "url": "https://hvtracker.net/mcp"
+    }
+  }
+}
+```
+
+This repository also provides a local stdio package for clients that prefer
+package-based installation.
+
+<!-- mcp-name: io.github.yugantm/hvtracker-mcp -->
+
+## Tools
+
+- `verify_mcp_server`: pre-connect trust verdict for an MCP server, package, GitHub repo, or agent name.
+- `check_agent_trust`: compact trust profile for a tracked AI agent or framework.
+- `search_agents`: search the HVTracker registry by name, repo, description, or category.
+
+## Local Install
+
+With npm:
+
+```bash
+npm install -g hvtracker-mcp
+```
+
+With PyPI:
+
+```bash
+python3 -m pip install hvtracker-mcp
+```
+
+Example MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "hvtracker": {
+      "command": "hvtracker-mcp"
+    }
+  }
+}
+```
+
+## Development
+
+```bash
+python3 -m pip install -e ".[dev]"
+python3 -m pytest
+hvtracker-mcp
+```
+
+Use a different HVTracker base URL while testing:
+
+```bash
+HVTRACKER_BASE_URL=http://localhost:8080 hvtracker-mcp
+```
+
+## Registry Publishing
+
+The official MCP Registry manifest is `server.json`.
+
+```bash
+mcp-publisher login github
+mcp-publisher publish
+```
+
+In GitHub Actions, run the "Publish MCP Registry" workflow after the npm,
+PyPI, and GHCR packages for the same version are live.
+
+The server name is:
+
+```text
+io.github.yugantm/hvtracker-mcp
+```
+
+## Claude Desktop Extension
+
+Tagged releases build an `.mcpb` bundle for Claude Desktop from `manifest.json`.
+To build it locally:
+
+```bash
+npm ci --omit=dev
+npx @anthropic-ai/mcpb@2.1.2 pack
+```
+
+## Privacy
+
+HVTracker MCP sends the user-supplied search string or server identifier to
+`https://hvtracker.net` to fetch public trust data. It does not require an API
+key and does not write to user systems. See the HVTracker site for current data
+and methodology, and see `PRIVACY.md` for the repository privacy note.

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/SOURCES.txt

@@ -0,0 +1,13 @@
+LICENSE
+README.md
+pyproject.toml
+src/hvtracker_mcp/__init__.py
+src/hvtracker_mcp/__main__.py
+src/hvtracker_mcp/server.py
+src/hvtracker_mcp.egg-info/PKG-INFO
+src/hvtracker_mcp.egg-info/SOURCES.txt
+src/hvtracker_mcp.egg-info/dependency_links.txt
+src/hvtracker_mcp.egg-info/entry_points.txt
+src/hvtracker_mcp.egg-info/requires.txt
+src/hvtracker_mcp.egg-info/top_level.txt
+tests/test_server.py

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+hvtracker-mcp = hvtracker_mcp.server:main

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/requires.txt

@@ -0,0 +1,8 @@
+mcp>=1.27.2
+requests>=2.32.0
+
+[dev]
+build>=1.2.0
+pytest>=9.0.0
+ruff>=0.15.0
+twine>=6.0.0

hvtracker_mcp-0.1.0/src/hvtracker_mcp.egg-info/top_level.txt

@@ -0,0 +1 @@
+hvtracker_mcp

hvtracker_mcp-0.1.0/tests/test_server.py

@@ -0,0 +1,74 @@
+import asyncio
+
+from hvtracker_mcp import server
+
+
+def test_verify_mcp_server_delegates_to_api(monkeypatch):
+    def fake_get(path, params=None):
+        assert path == "/api/v1/mcp/verify"
+        assert params == {"server": "langchain-ai/langgraph"}
+        return {"tracked": True, "trusted": True, "resolved": "langchain-ai/langgraph"}
+
+    monkeypatch.setattr(server, "_api_get", fake_get)
+    assert server.verify_mcp_server("langchain-ai/langgraph")["trusted"] is True
+
+
+def test_check_agent_trust_maps_verdict(monkeypatch):
+    monkeypatch.setattr(
+        server,
+        "verify_mcp_server",
+        lambda query: {
+            "tracked": True,
+            "trusted": True,
+            "resolved": "langchain-ai/langgraph",
+            "slug": "langgraph",
+            "trust_score": 92.8,
+            "grade": "A",
+            "confidence": 1.0,
+            "mcp_server_support": "none",
+            "tool_permissions": ["code"],
+            "reasons": ["Build provenance present."],
+        },
+    )
+    result = server.check_agent_trust("LangGraph")
+    assert result["repo"] == "langchain-ai/langgraph"
+    assert result["profile_url"].endswith("/agents/langgraph/")
+
+
+def test_search_agents_filters_and_sorts(monkeypatch):
+    monkeypatch.setattr(
+        server,
+        "_api_get",
+        lambda path: {
+            "agents": [
+                {
+                    "name": "Lower",
+                    "repo": "example/lower",
+                    "slug": "lower",
+                    "trust_score": 40,
+                    "evidence_grade": "C",
+                    "category": "Coding Agents",
+                    "description": "agent",
+                },
+                {
+                    "name": "Higher",
+                    "repo": "example/higher",
+                    "slug": "higher",
+                    "trust_score": 90,
+                    "evidence_grade": "A",
+                    "category": "Coding Agents",
+                    "description": "agent",
+                },
+            ]
+        },
+    )
+    result = server.search_agents(query="example", category="Coding Agents")
+    assert result["count"] == 2
+    assert [row["name"] for row in result["results"]] == ["Higher", "Lower"]
+
+
+def test_tools_have_read_only_annotations():
+    tools = {tool.name: tool for tool in asyncio.run(server.mcp.list_tools())}
+    assert set(tools) == {"verify_mcp_server", "check_agent_trust", "search_agents"}
+    assert tools["verify_mcp_server"].annotations.readOnlyHint is True
+