Agent/MCP Audit Sprint

Sample audit

jackjin1997/douban-mcp

A public example of the output included in the $1,000 Agent/MCP Audit Sprint. This sample is based on commit 452db35dc9a80742a3be243531beeb8edb88a080 dated 2026-05-10.

Scope: MCP server, CLI, auth, write tools, SSE
Primary risk: Remote exposure and operator write-mode assumptions
Output: Ranked findings with fix plan

Executive Summary

`douban-mcp` has a solid agent-facing shape: one tool registry feeds CLI and MCP surfaces, write tools are opt-in, write actions are marked destructive, and common cookie values are redacted in structured logs. The main launch risk is not a missing code primitive; it is operator exposure. Remote SSE mode, write enablement, and cookie readiness should be documented and tested as explicit deployment states before broader distribution.

Scope

Boundary Map

| Area | Evidence | Risk notes |
| --- | --- | --- |
| Tool registry | src/tools/registry.ts | Single source for CLI/MCP tools reduces schema drift. |
| MCP registration | src/server.ts | Zod object shape is passed to the SDK; handlers parse args before execution. |
| Write tools | src/tools/mutation.ts | `destructiveHint` is present; tools require auth and env-level enablement. |
| Cookie handling | src/auth/CookieManager.ts | `dbcl2` identifies login; the `ck` token is required before writes. |
| Remote transport | src/server-entry.ts | SSE mode starts an HTTP server on the requested port with no app-level auth. |
| Error handling | src/tools/_boundary.ts | Known domain errors are mapped; unknown errors are logged through pino redaction. |

Findings

High: Remote SSE deployment policy is underspecified

Evidence: src/server-entry.ts starts an HTTP server when `--transport sse` is selected and logs `SSE listening on http://localhost:${opts.port}/sse`.

Impact: In container, tunnel, or reverse-proxy deployments, the same command can become remotely reachable. If authenticated write tools are enabled, a connected client can mutate the account.

Fix: Bind explicitly to loopback in local mode, or document the current binding behavior. Add README deployment language and a transport/write-mode launch checklist.
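The launch check this finding asks for, written as an added TypeScript example (not douban-mcp's own server-entry code). It assumes a hypothetical `--host` option and a hypothetical `--allow-remote-write` acknowledgement flag; the audit only documents `--transport sse` and a port. The decision defaults to loopback, warns whenever the listener is reachable from other hosts, and refuses to start write tools on a non-loopback address unless the operator acknowledged it explicitly.

```typescript
// Launch-time exposure policy for an SSE transport. Added example, not
// douban-mcp's own code; the --host and --allow-remote-write options are
// hypothetical (the audit only mentions --transport sse and a port).

type Transport = "stdio" | "sse";

interface LaunchOptions {
  transport: Transport;
  port: number;
  host?: string;              // hypothetical --host flag; omitted means loopback
  enableWrite: boolean;       // write tools requested
  allowRemoteWrite?: boolean; // hypothetical explicit acknowledgement flag
}

interface ExposureDecision {
  host: string;                               // address to pass to listen()
  exposure: "none" | "loopback" | "remote";
  errors: string[];                           // non-empty: refuse to start
  warnings: string[];                         // printed at launch
}

const LOOPBACK_HOSTS = new Set(["127.0.0.1", "::1", "localhost"]);

function decideExposure(opts: LaunchOptions): ExposureDecision {
  const errors: string[] = [];
  const warnings: string[] = [];
  if (opts.transport === "stdio") {
    return { host: "", exposure: "none", errors, warnings };
  }
  // Default to loopback. Node's listen(port) without a host binds every
  // interface, which is exactly what a container or tunnel then exposes.
  const host = opts.host ?? "127.0.0.1";
  const exposure: "loopback" | "remote" = LOOPBACK_HOSTS.has(host) ? "loopback" : "remote";
  if (exposure === "remote") {
    warnings.push(`SSE on ${host}:${opts.port} is reachable from other hosts and has no app-level auth`);
    if (opts.enableWrite && !opts.allowRemoteWrite) {
      errors.push("write tools on a non-loopback SSE listener require --allow-remote-write");
    }
  } else if (opts.enableWrite) {
    warnings.push("write tools are enabled; any local client reaching /sse can mutate the account");
  }
  return { host, exposure, errors, warnings };
}

// Wires the decision to a listener. `listen` is injected so the example runs
// offline; in a real entry point it would be
//   (port, host) => http.createServer(handler).listen(port, host)
function launchSse(opts: LaunchOptions, listen: (port: number, host: string) => void): ExposureDecision {
  const decision = decideExposure(opts);
  if (decision.errors.length > 0) {
    throw new Error(`refusing to start: ${decision.errors.join("; ")}`);
  }
  for (const w of decision.warnings) console.warn(`[launch] ${w}`);
  if (decision.exposure !== "none") {
    listen(opts.port, decision.host);
    // Log the address actually bound, not a hard-coded "localhost".
    console.log(`SSE listening on http://${decision.host}:${opts.port}/sse (${decision.exposure})`);
  }
  return decision;
}
```

The log line reports the bound host rather than a fixed `localhost`, so an operator reading the console sees the real exposure state.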

Medium: Write enablement is safe by code path, but operator confirmation is too implicit

Evidence: Mutation tools are registered only when `enableWrite` is true, and `server-entry.ts` refuses write mode without a cookie.

Impact: Operators may not understand that enabling writes lets a connected MCP client mutate a real account.

Fix: Keep write mode omitted or explicitly false in examples. Add a short write-mode checklist to every MCP setup path.
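The gating described in this finding, as an added TypeScript example rather than douban-mcp's own registry; it also has the shape of the registry test that item 4 of the fix plan calls for. Tool names, the `RegistryEnv` type and the `registryInvariants` helper are assumptions; the behaviour mirrors what the audit reports: mutation tools appear only when `enableWrite` is true, carry `destructiveHint`, and write mode without a cookie is refused.

```typescript
// Tool registry gated by env state. Added example, not douban-mcp's own
// registry; tool names and helper names are constructed for illustration.

interface ToolSpec {
  name: string;
  description: string;
  annotations: { readOnlyHint?: boolean; destructiveHint?: boolean };
  requiresAuth: boolean;
}

interface RegistryEnv {
  enableWrite: boolean; // operator opted in to write tools
  hasCookie: boolean;   // a cookie is configured (required for write mode)
}

// Constructed read-only tools.
const READ_TOOLS: ToolSpec[] = [
  { name: "search_subjects", description: "Search subjects", annotations: { readOnlyHint: true }, requiresAuth: false },
  { name: "get_subject", description: "Fetch one subject", annotations: { readOnlyHint: true }, requiresAuth: false },
];

// Constructed mutation tools; every one is destructive and needs auth.
const MUTATION_TOOLS: ToolSpec[] = [
  { name: "mark_subject", description: "Mark a subject on the account", annotations: { destructiveHint: true }, requiresAuth: true },
  { name: "delete_mark", description: "Remove a mark from the account", annotations: { destructiveHint: true }, requiresAuth: true },
];

// Only the literal "true" (any case, trimmed) enables writes; "1", "yes"
// and an unset variable all stay read-only.
function readWriteFlag(raw: string | undefined): boolean {
  return (raw ?? "").trim().toLowerCase() === "true";
}

function buildRegistry(env: RegistryEnv): ToolSpec[] {
  if (env.enableWrite && !env.hasCookie) {
    throw new Error("write mode requires a cookie; refusing to register mutation tools");
  }
  return env.enableWrite ? [...READ_TOOLS, ...MUTATION_TOOLS] : [...READ_TOOLS];
}

// Invariants a registry test asserts on for a given env state. Returns a
// list of violations; empty means the registry matches the env.
function registryInvariants(tools: ToolSpec[], env: RegistryEnv): string[] {
  const problems: string[] = [];
  for (const t of tools) {
    const destructive = t.annotations.destructiveHint === true;
    if (destructive && !env.enableWrite) problems.push(`${t.name}: destructive tool registered in read-only mode`);
    if (destructive && !t.requiresAuth) problems.push(`${t.name}: destructive tool without auth requirement`);
    if (!destructive && t.annotations.readOnlyHint !== true) problems.push(`${t.name}: missing readOnlyHint`);
  }
  return problems;
}
```

Running `registryInvariants` against both env states in a unit test catches a mutation tool that leaks into read-only mode, which is the regression a setup example with writes omitted is meant to guard against.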

Low: Cookie readiness should distinguish login from write-token readiness

Evidence: `CookieManager.hasLogin()` checks `dbcl2`, while write methods separately require `ck`.

Impact: Diagnostics can report a cookie as valid even when write actions will fail due to a missing write token.

Fix: Add `hasWriteToken()` and update `doctor` output to show login readiness and write readiness separately.
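What the split diagnostic looks like, as an added TypeScript example (not douban-mcp's CookieManager). The key names `dbcl2` (login marker) and `ck` (write token) come from the audit; the cookie parser, the `doctorCookie` report shape and the sample cookie strings are constructed for illustration.

```typescript
// Cookie readiness split into login readiness and write-token readiness.
// Added example, not douban-mcp's own CookieManager; report shape assumed.

type CookieJar = Map<string, string>;

// Parses a Cookie header string ("a=1; b=2") into a map. Quoted values are
// unquoted; fragments without "=" are ignored.
function parseCookieHeader(raw: string): CookieJar {
  const jar: CookieJar = new Map();
  for (const part of raw.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name !== "") jar.set(name, value);
  }
  return jar;
}

// Login readiness: dbcl2 present and non-empty.
function hasLogin(jar: CookieJar): boolean {
  return (jar.get("dbcl2") ?? "") !== "";
}

// Write readiness: ck present and non-empty.
function hasWriteToken(jar: CookieJar): boolean {
  return (jar.get("ck") ?? "") !== "";
}

interface DoctorReport {
  loginReady: boolean;
  writeReady: boolean; // requires login as well as the write token
  message: string;
}

function doctorCookie(raw: string): DoctorReport {
  const jar = parseCookieHeader(raw);
  const loginReady = hasLogin(jar);
  const writeReady = loginReady && hasWriteToken(jar);
  let message: string;
  if (!loginReady) message = "cookie has no dbcl2: not logged in; write tools will fail";
  else if (!writeReady) message = "cookie has dbcl2 but no ck: login ready, write tools will fail";
  else message = "cookie has dbcl2 and ck: login and write ready";
  return { loginReady, writeReady, message };
}

// Log-safe rendering: key names are kept, the two sensitive values are hidden.
function redactCookie(raw: string): string {
  const jar = parseCookieHeader(raw);
  return Array.from(jar.entries())
    .map(([k, v]) => (k === "dbcl2" || k === "ck" ? `${k}=<redacted>` : `${k}=${v}`))
    .join("; ");
}
```

A `doctor` command that prints both flags lets an operator see "login ready, write not ready" instead of a single misleading "cookie valid".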

Positive Signals

Priority Fix Plan

  1. Document and test SSE exposure assumptions before promoting remote usage.
  2. Add write-mode checklist to all MCP client setup examples.
  3. Split doctor diagnostics into login readiness and write readiness.
  4. Add registry tests for mutation tool absence/presence by env state.
  5. Normalize top-level CLI bootstrap errors.

Example Validation Commands

pnpm test __tests__/unit/tools/registry.test.ts
pnpm test __tests__/integration/server-bootstrap.test.ts
pnpm test __tests__/e2e/stdio.test.ts
pnpm typecheck

What the Paid Sprint Adds

The paid sprint goes deeper than this public sample: live local reproduction where possible, a full threat/risk table, issue-ready fix text, test cases written to match the repository's stack, and a launch handoff for the owner.