@boldsec/mcp
v0.12.0
Published
BoLD MCP server: connect, wire, and verify BoLD authorization monitoring (BOLA/IDOR, BFLA, BOPLA mass-assignment, tenant isolation, missing-auth) from your AI editor (Claude, Cursor, Codex). Metadata only; never reaches a verdict.
Maintainers
Readme
@boldsec/mcp
The BoLD MCP server — connect, wire, and verify BoLD live BOLA/IDOR monitoring from your AI editor (Claude Desktop, Cursor, Codex). Your editor's AI assistant reads your repo and wires BoLD for you; you review every change.
- Metadata only. BoLD receives only request metadata, never your code or your users' data. This server reads nothing and uploads nothing; it just talks to the BoLD API on your behalf.
- Never reaches a verdict. The MCP only connects / lists / shows coverage / explains wiring. BoLD's engine owns every verdict; no tool here decides "vulnerable" or "safe".
- You stay in control. The assistant proposes diffs; you approve them. Nothing is committed for you.
Setup
One command signs you in and wires the editors you pick:
npx @boldsec/mcp@latest connectThe @latest matters: it always runs the newest published server, so your editor picks up new
authorization checks (BFLA, BOPLA, and beyond) instead of relaunching a stale cached build. The
wiring it writes launches the server the same way, so it stays current on its own.
It opens your browser to approve (no token to copy), then writes a secret-free entry into each
editor you choose (Claude Code, Cursor, Claude Desktop, VS Code, Codex, Windsurf). Your token is
stored privately at ~/.boldsec/credentials.json (mode 0600), never in the editor config, so a
committed config leaks nothing.
npx @boldsec/mcp@latest status— confirm you are connected and the token still works.npx @boldsec/mcp@latest wire— re-run just the editor wiring (e.g. to add another editor, or to refresh an editor that is still launching an older cached build).npx @boldsec/mcp@latest disconnect— revoke the token and remove the entry.
Manual / CI setup
Prefer to set it up by hand, or wiring a machine with no browser? Mint a personal access token
(starts with blt_) in BoLD under Settings, then add the server to your editor's MCP config:
{
"mcpServers": {
"bold": {
"command": "npx",
"args": ["-y", "@boldsec/mcp@latest"],
"env": { "BOLD_TOKEN": "blt_your_token_here" }
}
}
}BOLD_API_URL is optional (defaults to https://api.boldsec.io). The token is a secret: it is sent
only in the Authorization header and is never logged or echoed.
Tools
- bold_connect_app(name, base_url) — returns the steps to connect an app. The ingest key is a secret you copy from the BoLD web app and set yourself; this tool NEVER returns it, so the key never enters the assistant's context.
- bold_list_monitors() — your connected apps and whether each is watching or waiting.
- bold_coverage(monitor_id) — the routes BoLD has actually seen traffic on. Reports only observed routes; never implies coverage of an unwired route (not an all-clear).
- bold_wiring_guide(stack?) — step-by-step wiring instructions for the current repo, including how
to write
resolveCallerIdfor your auth, and the rule to leave theTODOif unsure. - bold_check_resolver(caller_id, owner_id) — a sanity check that the id your resolver returns has the same shape as your object's owner field. Flags a gross mismatch; never asserts a resolver is correct (a shape match is necessary, not sufficient).
- bold_bfla_guide() — how to declare privileged routes (function-level authorization / BFLA) with
the
privilegedflag and run a BFLA check. Relays information only; BoLD's engine reaches the verdict. - bold_bopla_guide() — how to declare write-protected fields (mass assignment / BOPLA) with
sensitiveFieldsso the live lead fires and the active check has something to confirm. Names only, never a value. Relays information only; BoLD's engine reaches the verdict. - bold_prepare_bfla_check(base_url, routes) — prepare a BFLA check; returns a one-time browser link where you paste two test sessions. Credentials never pass through the assistant.
- bold_bfla_status(pending_id) — read the sealed BFLA result; relays BoLD's summary verbatim.
- bold_prepare_bopla_check(base_url, routes) — prepare a BOPLA check of your declared write-protected fields; returns a one-time browser link where you paste one test session. BoLD escalates on its own throwaway object. Credentials never pass through the assistant.
- bold_bopla_status(pending_id) — read the sealed BOPLA result; relays BoLD's summary verbatim.
What a session looks like
"Connect this app to BoLD and wire it up."
The assistant calls bold_connect_app (which tells you to create the monitor and set the two env vars
yourself in the BoLD web app — the ingest key never touches the assistant), then bold_wiring_guide,
then wraps your routes with @boldsec/next, writes resolveCallerId from your repo's auth (or leaves
the TODO and asks you if it cannot tell), and finally calls bold_coverage so you can watch the
routes light up. You review and approve every diff, and you alone handle the ingest key.
