check_security_compliance
Analyzes code for security vulnerabilities, focusing on issues like secrets, injection, XSS, authentication, cryptography, and validation to ensure compliance with best practices.
Instructions
Check code for security vulnerabilities and compliance
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| checkTypes | No | Types of security checks to perform | |
| code | Yes | Code to check for security issues | |
Implementation Reference
- Main handler function that performs comprehensive security checks on code, including hardcoded secrets, injections, XSS, auth issues, data exposure, and more. Returns SecurityCheckResult with violations and recommendations.

  ```typescript
  export async function checkSecurityCompliance(
    code: string,
    sensitiveOperations?: string[]
  ): Promise<SecurityCheckResult> {
    const result: SecurityCheckResult = {
      secure: true,
      violations: [],
      recommendations: [],
    };

    // Check for hardcoded secrets
    checkHardcodedSecrets(code, result);

    // Check for injection vulnerabilities
    checkInjectionVulnerabilities(code, result);

    // Check for XSS vulnerabilities
    checkXSSVulnerabilities(code, result);

    // Check authentication/authorization
    checkAuthIssues(code, result);

    // Check for sensitive data exposure
    checkDataExposure(code, result);

    // Check specific sensitive operations if provided
    if (sensitiveOperations) {
      checkSensitiveOperations(code, sensitiveOperations, result);
    }

    // Additional security checks
    checkGeneralSecurity(code, result);

    // Determine if code is secure
    result.secure = result.violations.filter(v =>
      v.severity === 'critical' || v.severity === 'high'
    ).length === 0;

    return result;
  }
  ```
- src/tools/index.ts:102-120 (registration): Tool registration and dispatch handler in the MCP server. Parses input arguments using a Zod schema and calls the checkSecurityCompliance function.

  ```typescript
  case 'check_security_compliance': {
    const params = z.object({
      code: z.string(),
      sensitiveOperations: z.array(z.string()).optional(),
    }).parse(args);

    const result = await checkSecurityCompliance(
      params.code,
      params.sensitiveOperations
    );

    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify(result, null, 2),
        },
      ],
    };
  }
  ```
- src/tools/tool-definitions.ts:80-100 (schema): MCP tool definition including name, description, and input schema for listing and validation. The schema advertises `checkTypes`, whereas the dispatch handler in src/tools/index.ts parses `code` and `sensitiveOperations`.

  ```typescript
  {
    name: 'check_security_compliance',
    description: 'Check code for security vulnerabilities and compliance',
    inputSchema: {
      type: 'object',
      properties: {
        code: {
          type: 'string',
          description: 'Code to check for security issues',
        },
        checkTypes: {
          type: 'array',
          items: {
            type: 'string',
            enum: ['secrets', 'injection', 'xss', 'auth', 'crypto', 'validation'],
          },
          description: 'Types of security checks to perform',
        },
      },
      required: ['code'],
    },
  },
  ```
- Helper function to detect hardcoded secrets like API keys, passwords, and tokens using regex patterns.

  ```typescript
  function checkHardcodedSecrets(code: string, result: SecurityCheckResult) {
    const secretPatterns = [
      {
        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*["']([^"']+)["']/gi,
        message: 'Hardcoded API key detected',
        severity: 'critical' as const,
      },
      {
        pattern: /(?:password|passwd|pwd)\s*[:=]\s*["']([^"']+)["']/gi,
        message: 'Hardcoded password detected',
        severity: 'critical' as const,
      },
      {
        pattern: /(?:secret|token)\s*[:=]\s*["']([^"']+)["']/gi,
        message: 'Hardcoded secret/token detected',
        severity: 'critical' as const,
      },
      {
        pattern: /(?:private[_-]?key)\s*[:=]\s*["']([^"']+)["']/gi,
        message: 'Hardcoded private key detected',
        severity: 'critical' as const,
      },
      {
        pattern: /mongodb:\/\/[^/\s]+:[^@\s]+@/gi,
        message: 'Hardcoded database credentials in connection string',
        severity: 'critical' as const,
      },
    ];

    const lines = code.split('\n');

    secretPatterns.forEach(({ pattern, message, severity }) => {
      let match;
      while ((match = pattern.exec(code)) !== null) {
        const lineNumber = code.substring(0, match.index).split('\n').length;

        // Skip if it's clearly a placeholder or example
        const value = match[1] || match[0];
        if (value.includes('process.env') ||
            value.includes('YOUR_') ||
            value.includes('EXAMPLE_') ||
            value === 'xxxxxxxx') {
          continue;
        }

        result.violations.push({
          severity,
          type: 'hardcoded-secret',
          message,
          line: lineNumber,
          suggestion: 'Use environment variables: process.env.VARIABLE_NAME',
        });
      }
    });
  }
  ```
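
The patterns in the helper above only match values quoted with `"` or `'` and only `mongodb://` connection strings. The following added example, which is not the project's code, generalizes the same regex approach to backtick literals and to any `scheme://user:password@` URI, filters placeholders by Shannon entropy, and reports only a redacted prefix of each match. The names `scanSecrets`, `entropy`, `redact`, `Finding`, the 3.0-bit threshold and the sample input are assumptions made for this illustration.

```typescript
// Added example, not the project's code. All names here are hypothetical.
interface Finding { rule: string; line: number; redacted: string }
// Shannon entropy in bits per character; low values suggest a placeholder.
function entropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Keep a short prefix and the length so the report never carries the secret.
const redact = (v: string): string => v.slice(0, 4) + '...(' + v.length + ' chars)';

function scanSecrets(code: string, minEntropy = 3.0): Finding[] {
  const rules = [
    // Same keyword idea as the page's patterns, but backticks are accepted too.
    { rule: 'assigned-secret', group: 2,
      re: /(?:api[_-]?key|password|passwd|pwd|secret|token|private[_-]?key)\s*[:=]\s*(["'`])((?:(?!\1).)+)\1/gi },
    // Any scheme://user:password@host URI, not only mongodb://.
    { rule: 'uri-credentials', group: 1,
      re: /[a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:([^@\s]+)@/gi },
  ];
  const findings: Finding[] = [];
  for (const { rule, group, re } of rules) {
    let m: RegExpExecArray | null;
    while ((m = re.exec(code)) !== null) {
      const value = m[group];
      // Interpolated templates and env lookups are not literals.
      if (value.indexOf('${') !== -1 || value.indexOf('process.env') !== -1) continue;
      if (entropy(value) < minEntropy) continue; // drops 'xxxxxxxx', 'changeme'
      const line = code.substring(0, m.index).split('\n').length;
      findings.push({ rule, line, redacted: redact(value) });
    }
  }
  return findings;
}

// Constructed sample input; the values are made up for this example.
const SAMPLE = [
  "const apiKey = `Zx9fQ2xL7vB1mK8Rt4Wp`;",
  "const password = 'changeme';",
  "const token = process.env.API_TOKEN;",
  'const dbUrl = "postgres://app:N7q!vR2zLk9w@db.internal/app";',
  "const secret = `${vault.read('db')}`;",
].join('\n');
console.log(scanSecrets(SAMPLE));
```

An entropy threshold trades false positives for false negatives: a short or low-variety real password falls below it, so treat the threshold as a tuning parameter rather than a guarantee.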