Metadata-Version: 2.4
Name: xone-mcp-risk-index
Version: 0.3.0
Summary: Evidence-backed MCP server risk signal catalog and local CLI.
Author: X-One-AI
License-Expression: MIT
Project-URL: Homepage, https://github.com/X-One-AI/mcp-risk-index
Project-URL: Repository, https://github.com/X-One-AI/mcp-risk-index
Project-URL: Issues, https://github.com/X-One-AI/mcp-risk-index/issues
Keywords: mcp,security,ai,catalog,risk
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: PyYAML>=6.0.1
Provides-Extra: dev
Requires-Dist: build>=1.2.2; extra == "dev"
Requires-Dist: pytest>=8.0; extra == "dev"
Dynamic: license-file

# mcp-risk-index

Languages: English | [中文](./README.zh-CN.md)

An open risk index for common MCP servers, permissions, commands, and maintenance signals.

## Status

`v0.3.0` - local catalog validation, strict review checks, and rendering CLI.

## Purpose

Convert `mcp-audit` rule experience into a reusable public data asset without unsupported claims.

## First Production Surface

Versioned data catalog with evidence-backed entries and a deterministic local CLI.

After PyPI publication:

```bash
python3 -m pip install xone-mcp-risk-index
mcp-risk-index init --output mcp-risk-index.catalog.yml
mcp-risk-index validate --catalog mcp-risk-index.catalog.yml --strict
mcp-risk-index render --catalog mcp-risk-index.catalog.yml --format markdown --output mcp-risk-index.md
mcp-risk-index render --catalog mcp-risk-index.catalog.yml --format json --output mcp-risk-index.json
```

After Homebrew tap update:

```bash
brew install x-one-ai/tap/mcp-risk-index
mcp-risk-index --version
```

From a source checkout, you can also validate the bundled catalog:

```bash
mcp-risk-index validate --catalog data/catalog.yml --strict
mcp-risk-index render --catalog data/catalog.yml --format markdown --output mcp-risk-index.md
mcp-risk-index render --catalog data/catalog.yml --format json --output mcp-risk-index.json
```

For local development:

```bash
python3 -m pip install -e '.[dev]'
python3 -m pytest tests -q
```

## Catalog Contract

The bundled catalog uses `mcp-risk-index.catalog.v1`. Each entry records identity, package, launch command, permissions, maintenance facts, review-level risk signals, evidence, and limitations.

Review levels are prompts for human inspection:

- `info`: useful context
- `review`: inspect before adoption
- `high-review`: require explicit owner approval

They are not safety scores.

Strict validation requires production review governance fields such as `maintenance.source_checked_at` and a GitHub repository source.

## Required Evidence

- server identity
- permission profile
- command/package signals
- maintenance signals
- evidence links

## Non-Goals

- no subjective ranking without evidence
- no broad repo health clone
- no security claims without criteria
- no absolute safe/unsafe labels

## OPT Operating Model

This project references the shared One Person Team workflow through [ops/opt-overlay.md](./ops/opt-overlay.md). Project-specific constraints live under [ops/constraints](./ops/constraints), and evolvable local skills live under [ops/skills](./ops/skills).

## Blocked Inputs

Inputs that require user or real-world data are recorded in `../x-one-skipped-inputs.md` and should not block foundation work.

## Docs

- [Product Foundation](./docs/product-foundation.md)
- [Catalog Governance](./docs/catalog-governance.md)
- [Publishing](./docs/publishing.md)
- [Homebrew Packaging](./docs/homebrew.md)
- [Catalog Design](./docs/superpowers/specs/2026-06-13-catalog-design.md)
- [OPT Overlay](./ops/opt-overlay.md)
- [Production Constraints](./ops/constraints/production.md)
- [Main Entry Constraints](./ops/constraints/main-entry.md)
- [Skill Evolution](./ops/skills/evolution.md)
