
mcpscan v0.1.0-alpha.2

Pre-release

@rakeshb114 released this 06 Jun 09:10

Validation-driven alpha patch for mcpscan.

This release tightens scanner behavior based on manual testing against real MCP servers and improves field-readiness ergonomics.

Fixed

  • Reduced MCP-030 false positives by requiring actual command/code execution semantics.
    • search_nodes(query) and generic memory/search tools no longer trigger command/code injection findings.
  • Fixed MCP-010 false negative for network fetch capability.
    • fetch(url) now reports outbound network request capability as dangerous capability exposure.
  • Improved CLI ergonomics:
    • clearer message when a local config file or path is passed for scanning (not yet supported)
    • rejects --header when combined with a stdio command instead of silently ignoring it
    • clearer errors when a remote URL is unreachable or refuses the connection
  • Added validation docs for:
    • stale/global install troubleshooting
    • memory/filesystem/fetch validation notes
    • safe validation workflow
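To make the MCP-030/MCP-010 tuning above concrete, here is an illustrative capability-triage rule set. It is an added example, not mcpscan's own code; the vocabularies, the exact check semantics and the sample tool definitions are constructed assumptions modelled on the memory, fetch and filesystem servers named in these notes.

```python
import re

# Heuristic vocabularies, constructed for this example (not mcpscan's rules).
EXEC_PARAMS = {"command", "cmd", "code", "script"}  # parameters that carry executable input
EXEC_WORDS = re.compile(r"\b(exec\w*|run\w*|shell|eval\w*)\b", re.I)
NETWORK_WORDS = re.compile(r"fetch|http|download|request", re.I)
FILE_WORDS = re.compile(r"\b(read|write|edit|delete)\b.*\bfiles?\b", re.I)


def classify_tool(tool: dict) -> set:
    """Return the check IDs an MCP tool definition triggers (empty == clean)."""
    name = tool.get("name", "").replace("_", " ")
    text = f"{name} {tool.get('description', '')}"
    params = set(tool.get("inputSchema", {}).get("properties", {}))
    findings = set()
    # MCP-030 needs real execution semantics: an execution verb AND a parameter
    # that carries the command/code. "Run a search" over a query parameter is
    # not enough, which is what removes the search_nodes false positive.
    if EXEC_WORDS.search(text) and params & EXEC_PARAMS:
        findings.add("MCP-030")
    # MCP-010: outbound network request capability, e.g. fetch(url).
    if "url" in params and NETWORK_WORDS.search(text):
        findings.add("MCP-010")
    # MCP-010: file read/write/edit capability, e.g. read_file(path).
    if "path" in params and FILE_WORDS.search(text):
        findings.add("MCP-010")
    return findings


def scan_tools(tools: list) -> dict:
    """Map each tool name to its findings."""
    return {t["name"]: classify_tool(t) for t in tools}


# Constructed definitions modelled on the memory, fetch and filesystem servers.
SAMPLE_TOOLS = [
    {"name": "search_nodes",
     "description": "Run a search for nodes in the knowledge graph",
     "inputSchema": {"properties": {"query": {"type": "string"}}}},
    {"name": "fetch",
     "description": "Fetches a URL from the internet and returns its contents",
     "inputSchema": {"properties": {"url": {"type": "string"}}}},
    {"name": "read_file",
     "description": "Read the complete contents of a file",
     "inputSchema": {"properties": {"path": {"type": "string"}}}},
    {"name": "run_command",
     "description": "Execute a shell command and return its output",
     "inputSchema": {"properties": {"command": {"type": "string"}}}},
]
```

Calling scan_tools(SAMPLE_TOOLS) leaves search_nodes clean, reports MCP-010 for fetch and read_file, and MCP-030 for run_command.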

Validated manually

  • Memory MCP server: Grade A, 0 findings after MCP-030 tuning
  • Filesystem MCP server: MCP-010 findings on file read/write/edit capability tools
  • Fetch MCP server: MCP-010 finding on outbound network request capability

Still deferred

  • MCP-002 baseline/tool definition drift
  • SSE integration testing
  • MCP config-file scanning
  • terminal inventory view

Verification

  • ruff check
  • pytest
  • bash scripts/validation_smoke.sh
  • python -m mcpscan --help
  • python -m mcpscan list-checks