Metadata-Version: 2.4
Name: plexicus-mcp
Version: 0.1.0
Summary: Plexicus ASPM MCP server — security findings, scans and AI remediations in your IDE
Project-URL: Homepage, https://plexicus.ai
Project-URL: Documentation, https://docs.plexicus.ai
Author-email: Plexicus <info@plexicus.com>
License-Expression: MIT
Keywords: aspm,claude,cursor,mcp,plexicus,sast,security
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.10
Requires-Dist: httpx>=0.27
Requires-Dist: mcp>=1.2.0
Provides-Extra: dev
Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: ruff>=0.6; extra == 'dev'
Description-Content-Type: text/markdown

# plexicus-mcp

MCP (Model Context Protocol) server for [Plexicus](https://plexicus.ai), the AI-powered
Application Security Posture Management (ASPM) platform. It brings your security findings,
scans and AI-generated remediations directly into Claude Code, Cursor, VS Code, Windsurf or
any MCP-compatible client — so your coding agent can find, understand and fix vulnerabilities
without leaving the IDE.

Unlike the rest of this monorepo, this directory is not a Docker service: it is a standalone
Python package published to PyPI that runs on the developer's machine and talks to the
Plexicus REST API.

## Quick start

1. Generate an API token in the Plexicus console: **Settings → API Tokens**.
2. Add the server to your client:

**Claude Code**

```bash
claude mcp add plexicus \
  -e PLEXICUS_API_TOKEN=<your-token> \
  -e PLEXICUS_API_URL=https://api.app.plexicus.ai \
  -- uvx plexicus-mcp
```

**Cursor / VS Code / Windsurf (JSON config)**

```json
{
  "mcpServers": {
    "plexicus": {
      "command": "uvx",
      "args": ["plexicus-mcp"],
      "env": {
        "PLEXICUS_API_TOKEN": "<your-token>",
        "PLEXICUS_API_URL": "https://api.app.plexicus.ai"
      }
    }
  }
}
```

No `uv`? Use `pipx run plexicus-mcp` or `pip install plexicus-mcp` + command `plexicus-mcp`.

## Configuration

| Variable | Required | Default | Description |
|---|---|---|---|
| `PLEXICUS_API_TOKEN` | yes | — | API token from Settings → API Tokens |
| `PLEXICUS_API_URL` | no | `https://api.app.plexicus.ai` | Base URL of your Plexicus API (self-hosted deployments) |

## What it exposes

**Tools**

| Tool | Description |
|---|---|
| `get_current_repository` | Map the workspace git remote to its Plexicus repository |
| `list_repositories` / `get_repository` | Browse registered repositories with severity counts |
| `list_findings` / `get_finding` | Query findings (severity, status, CWE, text search, pagination) |
| `request_scan` / `get_scan_status` | Launch a scan and follow its progress |
| `generate_remediation` / `get_remediation` | Ask the AI remediation engine for a fix and fetch it |
| `get_security_posture` | Account-wide severity totals and worst repositories |

**Prompts** — `fix_finding`, `triage_findings`, `security_review`: guided workflows the agent
can follow end-to-end (read finding → generate remediation → apply diff → verify).

**Resources** — `plexicus://repositories` and `plexicus://repositories/{id}/findings` as JSON.

Every tool returns `{"markdown": ..., "data": ...}`: a human-readable digest plus the raw API
payload for follow-up automation.

## Example session

> *"What critical security issues does this repo have?"* — the agent calls
> `get_current_repository`, then `list_findings(severity="critical")`.
>
> *"Fix the SQL injection one"* — the agent uses the `fix_finding` prompt: reads the finding,
> requests an AI remediation, applies the diff to your workspace and runs the tests.

## Development

```bash
cd mcp
pip install -e ".[dev]"
pytest
ruff check .
```

## Releasing

Releases are published to PyPI by the Forgejo workflow `.forgejo/workflows/publish-mcp.yml`
when a `mcp-v*` tag is pushed (e.g. `mcp-v0.1.0`). Bump `version` in `pyproject.toml` and
`__version__` in `src/plexicus_mcp/__init__.py` first.
