feat: initial threat-intelligence-mcp server (NVD/OSV/GHSA correlation) #3

Open
CSOAI-ORG wants to merge 1 commit into main from feat/initial-server-pyproject

@CSOAI-ORG (Owner)

Summary

Initial 0.1.0 release of the <flagship-name>-mcp Python MCP server, ported from the gold-standard pattern used by eu-ai-act-compliance-mcp and soc2-compliance-ai-mcp.

This converts the repo from an empty shell (.gitignore + LICENSE + package.json only) into a real PyPI + GHCR + Smithery + MCP-Registry package.

What changed

  • server.py — FastMCP server with 4-5 tools (flagship-specific)
  • pyproject.toml — hatchling, only-include = ["server.py"], mcp>=1.0.0 loose pin
  • smithery.yaml — declarative tool list
  • README.md, package.json, server.json, .well-known/mcp/server-card.json — MEOK-fleet tokens
  • tests/test_server.py + auth_middleware.py — ported from gold-standard (sys.path made repo-relative, no ~/clawd/... hardcode)
  • .github/workflows/{ci,test,mcp-smithery-publish}.yml — CI on Python 3.10/3.11 (test) and 3.11/3.12 (ci), Smithery publish on release: published
  • Dockerfile.glama — python:3.14-slim + uv running mcp-wrapper.py

Verification (local)

python3 -m py_compile server.py
python3 -c "import server; print(list(server.mcp._tool_manager._tools.keys()))"
pip install build && python3 -m build --wheel
pytest tests/ -v

All 4 flagships locally: 4 passed, 1 skipped. Wheels contain only server.py.

Pin convention

This repo pins mcp>=1.0.0 (loose) because the gateway does pip install -r requirements-gateway.txt "${PKG}", and pip's exact-pin-takes-precedence means the gateway can pin exactly without conflict.

Follow-ups (not in this PR)

  • User runs python3 -m build && twine upload dist/* after merge (requires ~/.pypirc token).
  • Once 4 flagship PRs land, extend meok-compliance-gateway/.github/workflows/build-push.yml matrix to add the 4 new flagships (separate PR to the gateway).
  • After first GHCR push, user flips each package to public in the GHCR UI (1-click, ~30 sec each).

Test plan

  • CI green (Test MCP Server workflow, Python 3.10/3.11)
  • CI green (CI workflow, Python 3.11/3.12)
  • Wheel built from PR contains only server.py

🤖 Generated with Claude Code

Initial 0.1.0 release:
- server.py — FastMCP with NVD/OSV/GHSA|pyjadx+ILSpy|pyjadx+androguard|cedarpy+opa tools
- pyproject.toml — hatchling, only-include=[server.py], mcp>=1.0.0
- smithery.yaml — declarative tool list
- README.md, package.json, server.json, .well-known/mcp/server-card.json — MEOK-fleet tokens
- tests/test_server.py + auth_middleware.py — ported from gold-standard
- .github/workflows/{ci,test,mcp-smithery-publish}.yml — on push/PR and release
- Dockerfile.glama — python:3.14-slim + uv, runs mcp-wrapper.py

Tools exposed:
  - cve_lookup, match_endpoints_to_cves, severity_routing, cve_list_recent
  - decompile_java, decompile_dotnet, scan_hardcoded_secrets, extract_endpoints
  - decompile_apk, extract_endpoints, find_api_calls, scan_hardcoded_secrets, apk_metadata
  - evaluate_cedar, validate_cedar, evaluate_rego, policy_diff

Verified locally: pytest 4 passed/1 skipped; wheel contains only server.py.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
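
The test plan item "Wheel built from PR contains only server.py" can be checked mechanically in CI instead of by eye. The following is an added example, not code from this PR or its repository: it reports wheel members outside the `.dist-info` directory that are not on an allow-list, and members that the wheel's own RECORD does not list. The function names, the distribution name and the in-memory sample wheel are assumptions constructed for illustration.

```python
import csv
import io
import zipfile

ALLOWED_PAYLOAD = {"server.py"}  # the only file the PR says the wheel ships


def audit_wheel(wheel, allowed=ALLOWED_PAYLOAD):
    """Return (unexpected, unrecorded) for a wheel path or file object.

    unexpected: members outside *.dist-info/ that are not in `allowed`
    unrecorded: members the wheel's own RECORD file does not list
    """
    with zipfile.ZipFile(wheel) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        recorded = set()
        for n in names:
            if n.count("/") == 1 and n.endswith(".dist-info/RECORD"):
                text = zf.read(n).decode("utf-8")
                recorded = {row[0] for row in csv.reader(io.StringIO(text)) if row}

    def is_metadata(name):
        top, sep, _ = name.partition("/")
        return bool(sep) and top.endswith(".dist-info")

    unexpected = sorted(n for n in names if not is_metadata(n) and n not in allowed)
    unrecorded = sorted(n for n in names if n not in recorded)
    return unexpected, unrecorded


def constructed_wheel(extra=()):
    """Build a wheel-shaped zip in memory (constructed sample, not a real build)."""
    info = "threat_intelligence_mcp-0.1.0.dist-info"  # assumed distribution name
    files = {"server.py": "print('ok')\n",
             f"{info}/METADATA": "Name: demo\n",
             f"{info}/WHEEL": "Wheel-Version: 1.0\n"}
    record = "".join(f"{n},,\n" for n in files) + f"{info}/RECORD,,\n"
    files[f"{info}/RECORD"] = record
    files.update({name: "stray\n" for name in extra})  # not listed in RECORD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(audit_wheel(constructed_wheel()))
    print(audit_wheel(constructed_wheel(extra=("auth_middleware.py", ".pypirc"))))
```

In CI, `audit_wheel` would be pointed at the file produced by `python3 -m build --wheel` and the job failed if either list is non-empty.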