prufa-mcp 0.1.0__tar.gz

prufa_mcp-0.1.0/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

prufa_mcp-0.1.0/PKG-INFO

@@ -0,0 +1,148 @@
+Metadata-Version: 2.4
+Name: prufa-mcp
+Version: 0.1.0
+Summary: The QA agent for your vibe-coded app. Apache-2.0 MCP server.
+Author-email: Prufa <team@prufa.dev>
+License: Apache-2.0
+Project-URL: Homepage, https://prufa.dev
+Project-URL: Repository, https://github.com/prufa-dev/prufa-mcp
+Project-URL: Issues, https://github.com/prufa-dev/prufa-mcp/issues
+Keywords: mcp,qa,testing,browser-automation,vibe-coding,ai-agents
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: httpx>=0.27.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == "dev"
+Requires-Dist: build>=1.0.0; extra == "dev"
+Requires-Dist: twine>=5.0.0; extra == "dev"
+Dynamic: license-file
+
+# prufa-mcp — the QA agent for your vibe-coded app
+
+> "Median 5 hours from vulnerability disclosure to mass automated exploitation."
+> — [Patchstack 2026 State of WordPress Security](https://www.propellermediaworks.com/blog/web-security-ai-hackers-risk-vibe-coding)
+
+Vibe-coded apps ship faster than humans can review. Prufa is the agent that
+audits them — tracking pixels, broken flows, consent violations, console errors —
+before the 5-hour window opens.
+
+## 30-second demo
+
+![Prufa running on a vibe-coded Next.js app](assets/demo.gif)
+
+> The demo GIF will land in v0.2. Until then, see "What you get" below for
+> the live call shape, and `examples/` for runnable scripts.
+
+## Quickstart
+
+```bash
+pip install prufa-mcp
+# or
+npm install -g prufa-mcp  # (npm mirror — not yet published, see Task 1.11)
+```
+
+Then in your `.mcp.json` (Claude Code, Cursor, Cline, Continue, etc.):
+
+```json
+{
+  "mcpServers": {
+    "prufa": {
+      "command": "prufa-mcp",
+      "env": {
+        "PRUFA_API_TOKEN": "your-prufa-api-key"
+      }
+    }
+  }
+}
+```
+
+Get a free API key at [prufa.dev](https://prufa.dev) — the first audit is free, no card required.
+
+Then in your agent:
+
+```
+> audit https://my-vibe-coded-app.com
+> run prufa on my staging deploy and show me the criticals
+> check my landing page for broken tracking pixels
+```
+
+## What you get (the OSS surface)
+
+| Tool | What it does |
+|---|---|
+| `prufa_run_audit` | One call → runs a public-page audit, returns findings JSON |
+| `prufa_get_report` | Fetches a shareable report for a completed audit |
+
+That's it. The audit primitive is small. The hosted product at
+[prufa.dev](https://prufa.dev) is where the value compounds — scheduling,
+alerting, team workflows, and the human-readable HTML report.
+
+## Why open source
+
+Same shape as [Stagehand](https://github.com/browserbase/stagehand) (free) →
+[Browserbase](https://www.browserbase.com) (paid). Open the primitive. The
+hosted tier earns the right to be paid by being the thing that scales.
+
+## Examples
+
+- `examples/nextjs-app/` — audit a deployed Next.js app
+- `examples/vite-spa/` — audit a Vite SPA
+- `examples/stripe-checkout/` — audit a Stripe-checkout page (focuses on payment-flow verification)
+
+Each example is a copy-pasteable demo. Clone, set `PRUFA_API_TOKEN`, run.
+
+## GitHub Action
+
+Add PR-time audits to any repo:
+
+```yaml
+# .github/workflows/prufa-scan.yml
+name: Prufa scan
+on: [pull_request]
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install prufa-mcp
+      - name: Run audit
+        env:
+          PRUFA_API_TOKEN: ${{ secrets.PRUFA_API_TOKEN }}
+        run: |
+          python -c "
+          import asyncio, json, sys
+          from prufa_mcp.audit import run_audit
+          result = asyncio.run(run_audit(url='${{ secrets.STAGING_URL }}', wait=True))
+          print(json.dumps(result, indent=2))
+          criticals = [f for f in result.get('findings', []) if f.get('severity') == 'critical']
+          if criticals:
+              print(f'::error::Prufa found {len(criticals)} critical finding(s)', file=sys.stderr)
+              sys.exit(1)
+          "
+```
+
+See `examples/prufa-scan.yml` for the full template.
+
+## SLO
+
+The hosted audit API targets a 30-second p95 for `wait=true` on public pages.
+The OSS server is a thin client — it does no audit work itself, so its only
+SLO is "responds to MCP `list_tools` and `call_tool` within 1 second."
+
+## License
+
+Apache-2.0. See [LICENSE](LICENSE).

prufa_mcp-0.1.0/README.md

@@ -0,0 +1,118 @@
+# prufa-mcp — the QA agent for your vibe-coded app
+
+> "Median 5 hours from vulnerability disclosure to mass automated exploitation."
+> — [Patchstack 2026 State of WordPress Security](https://www.propellermediaworks.com/blog/web-security-ai-hackers-risk-vibe-coding)
+
+Vibe-coded apps ship faster than humans can review. Prufa is the agent that
+audits them — tracking pixels, broken flows, consent violations, console errors —
+before the 5-hour window opens.
+
+## 30-second demo
+
+![Prufa running on a vibe-coded Next.js app](assets/demo.gif)
+
+> The demo GIF will land in v0.2. Until then, see "What you get" below for
+> the live call shape, and `examples/` for runnable scripts.
+
+## Quickstart
+
+```bash
+pip install prufa-mcp
+# or
+npm install -g prufa-mcp  # (npm mirror — not yet published, see Task 1.11)
+```
+
+Then in your `.mcp.json` (Claude Code, Cursor, Cline, Continue, etc.):
+
+```json
+{
+  "mcpServers": {
+    "prufa": {
+      "command": "prufa-mcp",
+      "env": {
+        "PRUFA_API_TOKEN": "your-prufa-api-key"
+      }
+    }
+  }
+}
+```
+
+Get a free API key at [prufa.dev](https://prufa.dev) — the first audit is free, no card required.
+
+Then in your agent:
+
+```
+> audit https://my-vibe-coded-app.com
+> run prufa on my staging deploy and show me the criticals
+> check my landing page for broken tracking pixels
+```
+
+## What you get (the OSS surface)
+
+| Tool | What it does |
+|---|---|
+| `prufa_run_audit` | One call → runs a public-page audit, returns findings JSON |
+| `prufa_get_report` | Fetches a shareable report for a completed audit |
+
+That's it. The audit primitive is small. The hosted product at
+[prufa.dev](https://prufa.dev) is where the value compounds — scheduling,
+alerting, team workflows, and the human-readable HTML report.
+
+## Why open source
+
+Same shape as [Stagehand](https://github.com/browserbase/stagehand) (free) →
+[Browserbase](https://www.browserbase.com) (paid). Open the primitive. The
+hosted tier earns the right to be paid by being the thing that scales.
+
+## Examples
+
+- `examples/nextjs-app/` — audit a deployed Next.js app
+- `examples/vite-spa/` — audit a Vite SPA
+- `examples/stripe-checkout/` — audit a Stripe-checkout page (focuses on payment-flow verification)
+
+Each example is a copy-pasteable demo. Clone, set `PRUFA_API_TOKEN`, run.
+
+## GitHub Action
+
+Add PR-time audits to any repo:
+
+```yaml
+# .github/workflows/prufa-scan.yml
+name: Prufa scan
+on: [pull_request]
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install prufa-mcp
+      - name: Run audit
+        env:
+          PRUFA_API_TOKEN: ${{ secrets.PRUFA_API_TOKEN }}
+        run: |
+          python -c "
+          import asyncio, json, sys
+          from prufa_mcp.audit import run_audit
+          result = asyncio.run(run_audit(url='${{ secrets.STAGING_URL }}', wait=True))
+          print(json.dumps(result, indent=2))
+          criticals = [f for f in result.get('findings', []) if f.get('severity') == 'critical']
+          if criticals:
+              print(f'::error::Prufa found {len(criticals)} critical finding(s)', file=sys.stderr)
+              sys.exit(1)
+          "
+```
+
+See `examples/prufa-scan.yml` for the full template.
+
+## SLO
+
+The hosted audit API targets a 30-second p95 for `wait=true` on public pages.
+The OSS server is a thin client — it does no audit work itself, so its only
+SLO is "responds to MCP `list_tools` and `call_tool` within 1 second."
+
+## License
+
+Apache-2.0. See [LICENSE](LICENSE).

prufa_mcp-0.1.0/prufa_mcp/__init__.py

@@ -0,0 +1,2 @@
+"""Prufa MCP — the QA agent for your vibe-coded app."""
+__version__ = "0.1.0"

prufa_mcp-0.1.0/prufa_mcp/audit.py

@@ -0,0 +1,57 @@
+"""Thin client for Prufa's hosted audit API.
+
+The OSS MCP server is a thin client. Real audit execution, deterministic
+checks (BeaconEvent analyzers, consent rules), Playwright orchestration,
+and the human-readable report live in the hosted product. This file
+proxies audit-trigger and report-fetch calls to that hosted API.
+"""
+from __future__ import annotations
+
+import os
+from typing import Any
+
+import httpx
+
+
+PRUFA_API_BASE = os.environ.get("PRUFA_API_BASE", "https://app.prufa.dev")
+PRUFA_API_TOKEN = os.environ.get("PRUFA_API_TOKEN", "")
+
+
+async def run_audit(*, url: str, wait: bool = True) -> dict[str, Any]:
+    """Trigger a public-page audit on a URL."""
+    if not PRUFA_API_TOKEN:
+        return {
+            "error": "missing_token",
+            "hint": "Set PRUFA_API_TOKEN to a Prufa API key. Run `prufa-mcp setup` for a guided flow.",
+            "docs": "https://prufa.dev/docs/mcp",
+        }
+
+    headers = {"Authorization": f"Bearer {PRUFA_API_TOKEN}", "Idempotency-Key": f"mcp-{url}"}
+    timeout = 120.0 if wait else 10.0
+    async with httpx.AsyncClient(timeout=timeout) as client:
+        response = await client.post(
+            f"{PRUFA_API_BASE}/api/v1/audits",
+            json={"url": url, "wait": wait},
+            headers=headers,
+        )
+        response.raise_for_status()
+        return response.json()
+
+
+async def get_report(*, report_id: str) -> dict[str, Any]:
+    """Fetch a shareable report for a completed audit."""
+    if not PRUFA_API_TOKEN:
+        return {
+            "error": "missing_token",
+            "hint": "Set PRUFA_API_TOKEN to a Prufa API key.",
+            "docs": "https://prufa.dev/docs/mcp",
+        }
+
+    headers = {"Authorization": f"Bearer {PRUFA_API_TOKEN}"}
+    async with httpx.AsyncClient(timeout=30.0) as client:
+        response = await client.get(
+            f"{PRUFA_API_BASE}/api/v1/reports/{report_id}",
+            headers=headers,
+        )
+        response.raise_for_status()
+        return response.json()

prufa_mcp-0.1.0/prufa_mcp/server.py

@@ -0,0 +1,115 @@
+"""Prufa MCP server — the QA agent for your vibe-coded app.
+
+Apache-2.0. See LICENSE in the repo root.
+"""
+from __future__ import annotations
+
+import argparse
+import asyncio
+import json
+import sys
+from typing import Any
+
+from mcp.server import Server
+from mcp.server.stdio import stdio_server
+from mcp.types import Tool, TextContent
+
+from prufa_mcp.audit import run_audit, get_report
+
+
+server = Server("prufa-mcp")
+
+
+OSS_TOOLS: list[Tool] = [
+    Tool(
+        name="prufa_run_audit",
+        description=(
+            "Run a public-page QA audit on a URL. Returns findings JSON: "
+            "tracking pixels, broken flows, consent violations, console errors, "
+            "compliance signals. Rate-limited; one call returns one audit."
+        ),
+        inputSchema={
+            "type": "object",
+            "properties": {
+                "url": {
+                    "type": "string",
+                    "description": "The public URL to audit. Must be authorized for the workspace.",
+                },
+                "wait": {
+                    "type": "boolean",
+                    "default": True,
+                    "description": "Block until the audit completes (recommended for agents).",
+                },
+            },
+            "required": ["url"],
+        },
+    ),
+    Tool(
+        name="prufa_get_report",
+        description=(
+            "Fetch a shareable report for a completed audit. Returns the report URL "
+            "and a summary of findings. Rate-limited."
+        ),
+        inputSchema={
+            "type": "object",
+            "properties": {
+                "report_id": {
+                    "type": "string",
+                    "description": "The report ID returned by prufa_run_audit.",
+                },
+            },
+            "required": ["report_id"],
+        },
+    ),
+]
+
+
+@server.list_tools()
+async def list_tools() -> list[Tool]:
+    return OSS_TOOLS
+
+
+@server.call_tool()
+async def call_tool(name: str, arguments: dict[str, Any]) -> list[TextContent]:
+    if name == "prufa_run_audit":
+        result = await run_audit(
+            url=arguments["url"],
+            wait=arguments.get("wait", True),
+        )
+    elif name == "prufa_get_report":
+        result = await get_report(report_id=arguments["report_id"])
+    else:
+        return [TextContent(type="text", text=json.dumps({"error": f"unknown tool: {name}"}))]
+
+    return [TextContent(type="text", text=json.dumps(result, indent=2))]
+
+
+def main() -> None:
+    """Sync entrypoint for the console_scripts system.
+
+    Wraps :func:`_amain` in :func:`asyncio.run` so the `prufa-mcp` console
+    script (which doesn't await coroutines) works correctly.
+    """
+    asyncio.run(_amain())
+
+
+async def _amain() -> None:
+    parser = argparse.ArgumentParser(description="Prufa MCP server (OSS)")
+    parser.add_argument(
+        "--transport",
+        choices=["stdio"],
+        default="stdio",
+        help="Transport. Only stdio is supported in the OSS build.",
+    )
+    args = parser.parse_args()
+
+    if args.transport != "stdio":
+        print("Only stdio transport is supported in the OSS build", file=sys.stderr)
+        sys.exit(2)
+
+    async with stdio_server() as (read_stream, write_stream):
+        await server.run(read_stream, write_stream, server.create_initialization_options())
+
+
+if __name__ == "__main__":
+    main()

prufa_mcp-0.1.0/prufa_mcp.egg-info/PKG-INFO

@@ -0,0 +1,148 @@
+Metadata-Version: 2.4
+Name: prufa-mcp
+Version: 0.1.0
+Summary: The QA agent for your vibe-coded app. Apache-2.0 MCP server.
+Author-email: Prufa <team@prufa.dev>
+License: Apache-2.0
+Project-URL: Homepage, https://prufa.dev
+Project-URL: Repository, https://github.com/prufa-dev/prufa-mcp
+Project-URL: Issues, https://github.com/prufa-dev/prufa-mcp/issues
+Keywords: mcp,qa,testing,browser-automation,vibe-coding,ai-agents
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: httpx>=0.27.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == "dev"
+Requires-Dist: build>=1.0.0; extra == "dev"
+Requires-Dist: twine>=5.0.0; extra == "dev"
+Dynamic: license-file
+
+# prufa-mcp — the QA agent for your vibe-coded app
+
+> "Median 5 hours from vulnerability disclosure to mass automated exploitation."
+> — [Patchstack 2026 State of WordPress Security](https://www.propellermediaworks.com/blog/web-security-ai-hackers-risk-vibe-coding)
+
+Vibe-coded apps ship faster than humans can review. Prufa is the agent that
+audits them — tracking pixels, broken flows, consent violations, console errors —
+before the 5-hour window opens.
+
+## 30-second demo
+
+![Prufa running on a vibe-coded Next.js app](assets/demo.gif)
+
+> The demo GIF will land in v0.2. Until then, see "What you get" below for
+> the live call shape, and `examples/` for runnable scripts.
+
+## Quickstart
+
+```bash
+pip install prufa-mcp
+# or
+npm install -g prufa-mcp  # (npm mirror — not yet published, see Task 1.11)
+```
+
+Then in your `.mcp.json` (Claude Code, Cursor, Cline, Continue, etc.):
+
+```json
+{
+  "mcpServers": {
+    "prufa": {
+      "command": "prufa-mcp",
+      "env": {
+        "PRUFA_API_TOKEN": "your-prufa-api-key"
+      }
+    }
+  }
+}
+```
+
+Get a free API key at [prufa.dev](https://prufa.dev) — the first audit is free, no card required.
+
+Then in your agent:
+
+```
+> audit https://my-vibe-coded-app.com
+> run prufa on my staging deploy and show me the criticals
+> check my landing page for broken tracking pixels
+```
+
+## What you get (the OSS surface)
+
+| Tool | What it does |
+|---|---|
+| `prufa_run_audit` | One call → runs a public-page audit, returns findings JSON |
+| `prufa_get_report` | Fetches a shareable report for a completed audit |
+
+That's it. The audit primitive is small. The hosted product at
+[prufa.dev](https://prufa.dev) is where the value compounds — scheduling,
+alerting, team workflows, and the human-readable HTML report.
+
+## Why open source
+
+Same shape as [Stagehand](https://github.com/browserbase/stagehand) (free) →
+[Browserbase](https://www.browserbase.com) (paid). Open the primitive. The
+hosted tier earns the right to be paid by being the thing that scales.
+
+## Examples
+
+- `examples/nextjs-app/` — audit a deployed Next.js app
+- `examples/vite-spa/` — audit a Vite SPA
+- `examples/stripe-checkout/` — audit a Stripe-checkout page (focuses on payment-flow verification)
+
+Each example is a copy-pasteable demo. Clone, set `PRUFA_API_TOKEN`, run.
+
+## GitHub Action
+
+Add PR-time audits to any repo:
+
+```yaml
+# .github/workflows/prufa-scan.yml
+name: Prufa scan
+on: [pull_request]
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install prufa-mcp
+      - name: Run audit
+        env:
+          PRUFA_API_TOKEN: ${{ secrets.PRUFA_API_TOKEN }}
+        run: |
+          python -c "
+          import asyncio, json, sys
+          from prufa_mcp.audit import run_audit
+          result = asyncio.run(run_audit(url='${{ secrets.STAGING_URL }}', wait=True))
+          print(json.dumps(result, indent=2))
+          criticals = [f for f in result.get('findings', []) if f.get('severity') == 'critical']
+          if criticals:
+              print(f'::error::Prufa found {len(criticals)} critical finding(s)', file=sys.stderr)
+              sys.exit(1)
+          "
+```
+
+See `examples/prufa-scan.yml` for the full template.
+
+## SLO
+
+The hosted audit API targets a 30-second p95 for `wait=true` on public pages.
+The OSS server is a thin client — it does no audit work itself, so its only
+SLO is "responds to MCP `list_tools` and `call_tool` within 1 second."
+
+## License
+
+Apache-2.0. See [LICENSE](LICENSE).

prufa_mcp-0.1.0/prufa_mcp.egg-info/SOURCES.txt

@@ -0,0 +1,13 @@
+LICENSE
+README.md
+pyproject.toml
+prufa_mcp/__init__.py
+prufa_mcp/audit.py
+prufa_mcp/server.py
+prufa_mcp.egg-info/PKG-INFO
+prufa_mcp.egg-info/SOURCES.txt
+prufa_mcp.egg-info/dependency_links.txt
+prufa_mcp.egg-info/entry_points.txt
+prufa_mcp.egg-info/requires.txt
+prufa_mcp.egg-info/top_level.txt
+tests/test_audit.py

prufa_mcp-0.1.0/prufa_mcp.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

prufa_mcp-0.1.0/prufa_mcp.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+prufa-mcp = prufa_mcp.server:main

prufa_mcp-0.1.0/prufa_mcp.egg-info/requires.txt

@@ -0,0 +1,7 @@
+mcp>=1.0.0
+httpx>=0.27.0
+
+[dev]
+pytest>=8.0.0
+build>=1.0.0
+twine>=5.0.0

prufa_mcp-0.1.0/prufa_mcp.egg-info/top_level.txt

@@ -0,0 +1 @@
+prufa_mcp

prufa_mcp-0.1.0/pyproject.toml

@@ -0,0 +1,52 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "prufa-mcp"
+version = "0.1.0"
+description = "The QA agent for your vibe-coded app. Apache-2.0 MCP server."
+readme = "README.md"
+license = { text = "Apache-2.0" }
+requires-python = ">=3.10"
+authors = [
+  { name = "Prufa", email = "team@prufa.dev" },
+]
+keywords = ["mcp", "qa", "testing", "browser-automation", "vibe-coding", "ai-agents"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: Apache Software License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: Software Development :: Quality Assurance",
+  "Topic :: Software Development :: Testing",
+]
+dependencies = [
+    "mcp>=1.0.0",
+    "httpx>=0.27.0",
+]
+
+[project.optional-dependencies]
+dev = [
+  "pytest>=8.0.0",
+  "build>=1.0.0",
+  "twine>=5.0.0",
+]
+
+[project.scripts]
+prufa-mcp = "prufa_mcp.server:main"
+
+[project.urls]
+Homepage = "https://prufa.dev"
+Repository = "https://github.com/prufa-dev/prufa-mcp"
+Issues = "https://github.com/prufa-dev/prufa-mcp/issues"
+
+[tool.setuptools]
+packages = ["prufa_mcp"]
+
+[tool.pytest.ini_options]
+addopts = "-q"
+testpaths = ["tests"]

prufa_mcp-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

prufa_mcp-0.1.0/tests/test_audit.py

@@ -0,0 +1,24 @@
+"""Smoke test: the server returns a clear missing_token error without a token."""
+from __future__ import annotations
+
+import asyncio
+
+import pytest
+
+from prufa_mcp.audit import get_report, run_audit
+
+
+def test_run_audit_missing_token(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Without PRUFA_API_TOKEN, run_audit returns a clear missing_token error."""
+    monkeypatch.delenv("PRUFA_API_TOKEN", raising=False)
+    result = asyncio.run(run_audit(url="https://example.com", wait=False))
+    assert result["error"] == "missing_token", f"Expected missing_token, got {result}"
+    assert "PRUFA_API_TOKEN" in result["hint"], "Hint should mention the env var"
+
+
+def test_get_report_missing_token(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Without PRUFA_API_TOKEN, get_report returns a clear missing_token error."""
+    monkeypatch.delenv("PRUFA_API_TOKEN", raising=False)
+    result = asyncio.run(get_report(report_id="rep_test123"))
+    assert result["error"] == "missing_token", f"Expected missing_token, got {result}"
+    assert "PRUFA_API_TOKEN" in result["hint"], "Hint should mention the env var"