intercept-mcp 0.2.2__tar.gz

intercept_mcp-0.2.2/.gitignore

@@ -0,0 +1,260 @@
+# Custom
+.idea/
+.claude/settings.local.json
+.playwright-mcp/
+.superpowers/
+
+# Log directory (keep .gitkeep, ignore everything else)
+logs/*
+!logs/.gitkeep
+
+# Redis dump files
+*.rdb
+
+# UV lock file (each service manages its own dependencies)
+uv.lock
+
+# SQLite databases (catch-all — no .db files should be tracked)
+*.db
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Local data directories (cloned repos, reports, etc.)
+**/data/clones/
+**/data/reports/
+
+# Playwright
+playwright-report/
+test-results/
+**/e2e/screenshots/*.png
+
+# Node.js / Next.js
+node_modules/
+.pnp
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/versions
+.next/
+out/
+*.tsbuildinfo
+next-env.d.ts
+.vercel
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+/lib/
+/lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+coverage/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+.DS_Store
+**/.DS_Store

intercept_mcp-0.2.2/PKG-INFO

@@ -0,0 +1,119 @@
+Metadata-Version: 2.4
+Name: intercept-mcp
+Version: 0.2.2
+Summary: MCP server exposing Intercept supply chain security data to MCP-compatible clients.
+Project-URL: Homepage, https://intercept.hijacksecurity.com
+Project-URL: Documentation, https://intercept.hijacksecurity.com/docs
+Project-URL: Repository, https://github.com/hijacksecurity/Intercept
+Author-email: Hijack Security <support@hijacksecurity.com>
+License: Proprietary
+Keywords: intercept,mcp,model-context-protocol,sast,security
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Requires-Python: >=3.11
+Requires-Dist: ftfy>=6.2.0
+Requires-Dist: httpx>=0.28.0
+Requires-Dist: mcp>=1.27.0
+Requires-Dist: pydantic>=2.10.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.24.0; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0.0; extra == 'dev'
+Requires-Dist: pytest-xdist>=3.5.0; extra == 'dev'
+Requires-Dist: pytest>=8.3.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# intercept-mcp
+
+Model Context Protocol (MCP) server that exposes an [Intercept](https://intercept.hijacksecurity.com) tenant's repositories, findings, scans, and resolutions to MCP-compatible AI clients.
+
+## Installation
+
+```bash
+uvx intercept-mcp
+```
+
+## Configuration
+
+| Variable | Required | Default |
+|---|---|---|
+| `INTERCEPT_MCP_API_KEY` | yes | — |
+| `INTERCEPT_API_URL` | no | `https://intercept.hijacksecurity.com` |
+
+`INTERCEPT_MCP_API_KEY` is a personal-scope API key, generated from the Intercept web UI: **Settings → Integrations → Generate MCP API Key**. The value starts with `hsk_`.
+
+`INTERCEPT_API_URL` defaults to Intercept production. Override with the URL provided by your Intercept administrator for other environments.
+
+## Claude Code configuration
+
+Export the key from your shell profile (`~/.zshrc`, `~/.bashrc`):
+
+```bash
+export INTERCEPT_MCP_API_KEY=hsk_xxxxxxxx
+```
+
+Then add the server to your MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "intercept": {
+      "command": "uvx",
+      "args": ["intercept-mcp"]
+    }
+  }
+}
+```
+
+Restart the client. Verify with `claude mcp list`.
+
+If you prefer to keep the key in the client config instead of the shell:
+
+```json
+{
+  "mcpServers": {
+    "intercept": {
+      "command": "uvx",
+      "args": ["intercept-mcp"],
+      "env": {
+        "INTERCEPT_MCP_API_KEY": "hsk_xxxxxxxx"
+      }
+    }
+  }
+}
+```
+
+## Tools
+
+| Name | Description |
+|---|---|
+| `list_repositories` | List repositories in the current tenant. |
+| `get_repository` | Get a repository by ID. |
+| `get_repository_posture` | Get the posture evaluation for a repository. |
+| `list_findings` | List findings by type (sast, secrets, container, iac, pipeline, sbom_vuln), filtered by repository, severity, or open status. |
+| `get_sast_finding` | Get a SAST finding by ID. |
+| `get_finding` | Deprecated alias for `get_sast_finding`. Prefer `get_sast_finding`. |
+| `get_secrets_finding` | Get a secret finding by ID. |
+| `get_container_file` | Get a Dockerfile by ID with its nested security findings. |
+| `get_iac_file` | Get an IaC file by ID with its nested security findings. |
+| `get_pipeline` | Get a CI/CD pipeline by ID with its actions and findings. |
+| `get_sbom_vuln_finding` | Get an SBOM vulnerability (dependency) finding by ID. |
+| `list_scans` | List scans, optionally filtered by repository. |
+| `get_scan` | Get a scan by ID. |
+| `list_organizations` | List organizations in the current tenant. |
+| `get_organization` | Get an organization by slug. |
+| `get_tenant_posture_summary` | Get the tenant-wide posture summary (score, grade, category breakdown). |
+| `update_finding_status` | Update the status and optional note on a finding resolution. |
+| `bulk_update_finding_status` | Bulk-update the status and optional note on up to 500 finding resolutions. |
+| `comment_on_finding` | Attach a note to a finding resolution without changing its status. |
+| `trigger_scan` | Trigger a new scan for a repository. |
+
+## License
+
+Proprietary — Hijack Security.

intercept_mcp-0.2.2/README.md

@@ -0,0 +1,88 @@
+# intercept-mcp
+
+Model Context Protocol (MCP) server that exposes an [Intercept](https://intercept.hijacksecurity.com) tenant's repositories, findings, scans, and resolutions to MCP-compatible AI clients.
+
+## Installation
+
+```bash
+uvx intercept-mcp
+```
+
+## Configuration
+
+| Variable | Required | Default |
+|---|---|---|
+| `INTERCEPT_MCP_API_KEY` | yes | — |
+| `INTERCEPT_API_URL` | no | `https://intercept.hijacksecurity.com` |
+
+`INTERCEPT_MCP_API_KEY` is a personal-scope API key, generated from the Intercept web UI: **Settings → Integrations → Generate MCP API Key**. The value starts with `hsk_`.
+
+`INTERCEPT_API_URL` defaults to Intercept production. Override with the URL provided by your Intercept administrator for other environments.
+
+## Claude Code configuration
+
+Export the key from your shell profile (`~/.zshrc`, `~/.bashrc`):
+
+```bash
+export INTERCEPT_MCP_API_KEY=hsk_xxxxxxxx
+```
+
+Then add the server to your MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "intercept": {
+      "command": "uvx",
+      "args": ["intercept-mcp"]
+    }
+  }
+}
+```
+
+Restart the client. Verify with `claude mcp list`.
+
+If you prefer to keep the key in the client config instead of the shell:
+
+```json
+{
+  "mcpServers": {
+    "intercept": {
+      "command": "uvx",
+      "args": ["intercept-mcp"],
+      "env": {
+        "INTERCEPT_MCP_API_KEY": "hsk_xxxxxxxx"
+      }
+    }
+  }
+}
+```
+
+## Tools
+
+| Name | Description |
+|---|---|
+| `list_repositories` | List repositories in the current tenant. |
+| `get_repository` | Get a repository by ID. |
+| `get_repository_posture` | Get the posture evaluation for a repository. |
+| `list_findings` | List findings by type (sast, secrets, container, iac, pipeline, sbom_vuln), filtered by repository, severity, or open status. |
+| `get_sast_finding` | Get a SAST finding by ID. |
+| `get_finding` | Deprecated alias for `get_sast_finding`. Prefer `get_sast_finding`. |
+| `get_secrets_finding` | Get a secret finding by ID. |
+| `get_container_file` | Get a Dockerfile by ID with its nested security findings. |
+| `get_iac_file` | Get an IaC file by ID with its nested security findings. |
+| `get_pipeline` | Get a CI/CD pipeline by ID with its actions and findings. |
+| `get_sbom_vuln_finding` | Get an SBOM vulnerability (dependency) finding by ID. |
+| `list_scans` | List scans, optionally filtered by repository. |
+| `get_scan` | Get a scan by ID. |
+| `list_organizations` | List organizations in the current tenant. |
+| `get_organization` | Get an organization by slug. |
+| `get_tenant_posture_summary` | Get the tenant-wide posture summary (score, grade, category breakdown). |
+| `update_finding_status` | Update the status and optional note on a finding resolution. |
+| `bulk_update_finding_status` | Bulk-update the status and optional note on up to 500 finding resolutions. |
+| `comment_on_finding` | Attach a note to a finding resolution without changing its status. |
+| `trigger_scan` | Trigger a new scan for a repository. |
+
+## License
+
+Proprietary — Hijack Security.

intercept_mcp-0.2.2/VERSION

@@ -0,0 +1 @@
+0.2.2

intercept_mcp-0.2.2/intercept_mcp/__init__.py

@@ -0,0 +1,16 @@
+"""intercept-mcp: MCP server for the Intercept platform."""
+
+from pathlib import Path
+
+
+def _read_version() -> str:
+    here = Path(__file__).parent
+    for candidate in (here / "VERSION", here.parent / "VERSION"):
+        if candidate.exists():
+            return candidate.read_text(encoding="utf-8").strip()
+    return "0.0.0+unknown"
+
+
+__version__ = _read_version()
+
+__all__ = ["__version__"]

intercept_mcp-0.2.2/intercept_mcp/client.py

@@ -0,0 +1,175 @@
+"""HTTP client for the Intercept REST API."""
+
+from __future__ import annotations
+
+import asyncio
+from typing import Any
+
+import httpx
+
+from intercept_mcp import __version__
+
+DEFAULT_BASE_URL = "https://intercept.hijacksecurity.com"
+_CONNECT_TIMEOUT = 30.0
+_READ_TIMEOUT = 60.0
+_MAX_429_RETRIES = 3
+
+
+class InterceptApiError(Exception):
+    """Raised when the Intercept API returns a non-2xx response."""
+
+    def __init__(self, status_code: int, message: str) -> None:
+        super().__init__(message)
+        self.status_code = status_code
+        self.message = message
+
+
+def _redact_headers(headers: dict[str, str] | httpx.Headers) -> dict[str, str]:
+    """Return a copy of `headers` with credential-bearing values replaced by `[REDACTED]`."""
+    redacted: dict[str, str] = {}
+    for key, value in dict(headers).items():
+        lk = key.lower()
+        if lk in ("authorization", "x-api-key", "cookie", "set-cookie"):
+            redacted[key] = "[REDACTED]"
+        else:
+            redacted[key] = value
+    return redacted
+
+
+class InterceptApiClient:
+    """Async HTTP client for the Intercept API."""
+
+    def __init__(
+        self,
+        api_key: str,
+        base_url: str = DEFAULT_BASE_URL,
+        *,
+        transport: httpx.AsyncBaseTransport | None = None,
+    ) -> None:
+        if not api_key:
+            raise ValueError("api_key must be a non-empty string")
+        self._api_key = api_key
+        self._base_url = base_url.rstrip("/")
+        self._client = httpx.AsyncClient(
+            base_url=self._base_url,
+            timeout=httpx.Timeout(connect=_CONNECT_TIMEOUT, read=_READ_TIMEOUT, write=_READ_TIMEOUT, pool=_READ_TIMEOUT),
+            headers={
+                "X-API-Key": api_key,
+                "User-Agent": f"intercept-mcp/{__version__}",
+                "Accept": "application/json",
+            },
+            transport=transport,
+        )
+
+    @property
+    def base_url(self) -> str:
+        return self._base_url
+
+    async def aclose(self) -> None:
+        await self._client.aclose()
+
+    async def __aenter__(self) -> "InterceptApiClient":
+        return self
+
+    async def __aexit__(self, exc_type, exc, tb) -> None:
+        await self.aclose()
+
+    async def request(
+        self,
+        method: str,
+        path: str,
+        *,
+        params: dict[str, Any] | None = None,
+        json: dict[str, Any] | None = None,
+    ) -> Any:
+        """Issue an HTTP request and return the parsed JSON body.
+
+        Raises `InterceptApiError` on non-2xx responses. Retries up to
+        `_MAX_429_RETRIES` times on 429, honoring `Retry-After`.
+        """
+        clean_params = (
+            {k: v for k, v in params.items() if v is not None} if params else None
+        )
+
+        attempts = 0
+        while True:
+            response = await self._client.request(
+                method,
+                path,
+                params=clean_params,
+                json=json,
+            )
+
+            if response.status_code == 429 and attempts < _MAX_429_RETRIES:
+                retry_after = _parse_retry_after(response.headers.get("Retry-After"))
+                attempts += 1
+                await asyncio.sleep(retry_after)
+                continue
+
+            if response.is_success:
+                if response.status_code == 204 or not response.content:
+                    return None
+                try:
+                    return response.json()
+                except ValueError as exc:
+                    raise InterceptApiError(
+                        response.status_code,
+                        f"Intercept API returned non-JSON body: {exc}",
+                    ) from exc
+
+            raise InterceptApiError(
+                response.status_code,
+                _format_error(response),
+            )
+
+
+def _parse_retry_after(value: str | None) -> float:
+    """Parse a numeric `Retry-After` header into seconds. Falls back to 1.0s."""
+    if value is None:
+        return 1.0
+    try:
+        return max(0.0, float(value))
+    except (TypeError, ValueError):
+        return 1.0
+
+
+def _format_error(response: httpx.Response) -> str:
+    """Translate an HTTP error response into a short, readable message."""
+    code = response.status_code
+    detail = _extract_detail(response)
+    if code == 401:
+        return (
+            "authentication failed: INTERCEPT_MCP_API_KEY is missing or invalid. "
+            "Generate a personal-scope key from Settings -> Integrations."
+        )
+    if code == 403:
+        return f"permission denied{_suffix(detail)}"
+    if code == 404:
+        return f"not found{_suffix(detail)}"
+    if code == 422:
+        return f"validation error{_suffix(detail)}"
+    if code == 429:
+        retry = response.headers.get("Retry-After", "?")
+        return f"rate limited, retry after {retry}s"
+    if 500 <= code < 600:
+        return f"server error {code}{_suffix(detail)}"
+    return f"HTTP {code}{_suffix(detail)}"
+
+
+def _extract_detail(response: httpx.Response) -> str | None:
+    """Pull `detail` from a JSON error body, or return None."""
+    try:
+        body = response.json()
+    except ValueError:
+        return None
+    if isinstance(body, dict):
+        detail = body.get("detail")
+        if isinstance(detail, str):
+            return detail
+        if detail is not None:
+            return str(detail)
+    return None
+
+
+def _suffix(detail: str | None) -> str:
+    return f": {detail}" if detail else ""