Aigently MCP Server

Open-souSecurely feeds real security refreshed rules into Cursor, Claude Code, and Windsurf — zero config, no API key.

Documentation

The open-source CVE catalog, pipeline, and MCP server behind aigent.ly. Every day, CI ingests fresh CVEs from five public threat sources, enriches them with AI-generated coding patterns, and commits ready-to-use security rules directly into this repo — formatted for Cursor, Claude Code, Windsurf, GitHub Copilot, and Cline.

"We open-sourced everything the community needs — the data, the pipeline, the stack registry. The web app that runs aigent.ly is private. Because a security product should practice what it preaches."

How it works

CVE published  →  pipeline detects it  →  Claude generates safe-code patterns
    →  rule committed to this repo  →  your IDE enforces it while you type

AI coding assistants write production code fast. They don't know which CVEs affect your stack today, or how to write around them. Aigent.ly bridges that gap: it turns a live CVE feed into IDE rules that travel with your project, enforced at generation time — not discovered at audit time.

Repository layout

Path	Contents
`packages/catalog-data/`	Live threat snapshots — JSON committed daily by CI
`packages/mcp-server/`	MCP server (`@aigently/mcp-server`) — exposes catalog to AI agents
`packages/db/`	Drizzle schema shared between the pipeline and the web app
`packages/mvp-catalog/`	Stack registry — add a stack entry here to onboard it
`packages/api-client/`	TypeScript client generated from the OpenAPI spec
`pipeline/scripts/`	`sync`, `amplify`, `summarize`, `synthesize`, `export` — the full pipeline
`.github/workflows/sync-threats.yml`	Daily CI: ingest CVEs → AI guardrails → commit

Quick start

No API keys needed. CI commits fresh snapshots daily — just clone and use.

git clone https://github.com/aelbuni/aigently-catalog
cd aigently-catalog
npm install

cp pipeline/.env.example pipeline/.env   # default DATABASE_URL matches docker-compose
npm run db:setup                          # start Postgres, migrate, seed

Use via MCP (recommended)

Add to your IDE's MCP config — works with Claude Code, Cursor, Windsurf, Copilot, and Cline:

{
  "mcpServers": {
    "aigently": {
      "command": "npx",
      "args": ["-y", "@aigently/mcp-server@latest"]
    }
  }
}

The MCP server reads static JSON from packages/catalog-data/ — no database or API keys required.

Available tools

Tool	Description
`get_security_context`	Detect your stack and return relevant rules and top CVEs
`compose_guardrail`	Generate an IDE-ready rules file for your stack
`search_threats`	Full-text and faceted CVE search
`get_threat`	Full CVE detail with AI-generated safe-code patterns
`detect_project_stack`	Identify stack from a file list

Threat intelligence pipeline

Sources

The pipeline aggregates five public threat sources and normalizes them into a single schema:

Source	Contribution
NVD (NIST)	Authoritative CVE registry. Fills in CVSS scores and CWE IDs after deduplication.
CISA KEV	US government list of CVEs actively exploited in the wild. Sets `isActivelyExploited` as a hard prioritization signal.
GHSA (GitHub)	Advisory database across npm, pip, RubyGems, Maven, Go, Swift, and more.
OSV (Google)	Open-source vulnerability database. Queried per stack — scoped to packages your stacks use.
npm Audit	Direct package advisory scan per stack. Catches advisories not yet reflected in OSV or GHSA.

Pipeline stages

Daily CI run (GitHub Actions, 06:00 UTC)

  Ingest     npm Audit + OSV + GHSA → raw advisories
  Enrich     CISA KEV flags + NVD severity/CWE fill-in
  Filter     CVEs published after 2023-01-01 (CISA KEV always included)
  Persist    write threats + stack associations to Postgres

  Amplify    Claude: 2–4 ALWAYS/NEVER patterns per CVE
  Summarize  Claude: cluster CVEs into per-stack rule docs
  Synthesize Claude: merge into guardrail blocks (patterns + deps)
  Export     write JSON snapshots to packages/catalog-data/

  Commit     auto-push catalog-data/ to this repo

AI enrichment

Each new CVE goes through three Claude passes before it becomes an IDE rule:

Amplify — Generates 2–4 ALWAYS/NEVER statements specific to the CVE's attack vector, plus a one-sentence risk summary.
Summarize — Clusters CVEs by attack vector into per-stack rule documents with ALWAYS/NEVER/WARN/CONFIRM directives.
Synthesize — Merges rules per stack into two pre-built guardrail blocks: patterns (safe-coding directives) and deps (dependency advisories).

Supported stacks

Next.js · Express · NestJS · Nuxt · React SPA · FastAPI · Django · Ruby on Rails · Go · iOS · Android

To add a stack: open packages/mvp-catalog/src/stack-registry.ts, add a StackConfig entry, open a PR.

Run the pipeline locally

# pipeline/.env — add your keys:
ANTHROPIC_API_KEY=...   # required for amplify, summarize, synthesize
GITHUB_TOKEN=...        # required for GHSA source
NVD_API_KEY=...         # optional — increases NVD rate limit 10×

npm run sync:threats           # ingest CVEs from all five sources
npm run amplify:threats        # Claude: ALWAYS/NEVER patterns per CVE
npm run summarize:rules        # Claude: cluster into per-stack rule docs
npm run synthesize:guardrails  # Claude: pre-build guardrail blocks
npm run export:catalog         # write JSON to packages/catalog-data/

Reference

All scripts

Script	Purpose
`npm run db:up`	Start Postgres via Docker Compose
`npm run db:setup`	First-time setup: start Postgres + migrate + seed
`npm run db:migrate`	Apply Drizzle migrations
`npm run db:seed`	Full catalog seed
`npm run db:seed:upsert`	Non-destructive upsert
`npm run sync:threats`	Ingest CVEs from all five sources
`npm run amplify:threats`	AI-generate patterns for new threats
`npm run summarize:rules`	AI-cluster CVEs into rule summaries
`npm run synthesize:guardrails`	Pre-build per-stack guardrail blocks
`npm run export:catalog`	Export DB → `packages/catalog-data/` JSON

Environment variables

Variable	Required	Purpose
`DATABASE_URL`	Always	Postgres connection string
`ANTHROPIC_API_KEY`	AI steps	Claude API access
`GITHUB_TOKEN`	Sync	GitHub advisory source (GHSA)
`NVD_API_KEY`	Optional	10× NVD rate limit

Prerequisites

Node.js 22+
Docker (for local Postgres)
Anthropic API key (AI pipeline steps only)

Contributing

PRs are welcome. The highest-value contributions are:

New stacks — add to packages/mvp-catalog/src/stack-registry.ts
CVE curation — improve mustLines, ruleContext, or alwaysPin in packages/catalog-data/seed-master.json
Pattern quality — open an issue if an ALWAYS/NEVER line is wrong or too generic
New threat sources — add a module under pipeline/scripts/lib/sources/

See CONTRIBUTING.md for full guidelines.

License

Apache 2.0 — threat data sourced from public domain (NVD, CISA KEV, GHSA, OSV).

Aigent.ly and the Aigent.ly logo are trademarks of Aigently, Inc.