# bv-mcp

> Open-source DNS & email security scanner. One MCP endpoint, 57 checks, zero install. Cloudflare Workers.

- **URL**: https://www.freshcrate.ai/projects/bv-mcp
- **Author**: MadaBurns
- **Category**: MCP Servers
- **Latest version**: `v3.15.1` (2026-06-06)
- **License**: NOASSERTION
- **Source**: https://github.com/MadaBurns/bv-mcp
- **Homepage**: https://blackveilsecurity.com
- **Language**: TypeScript
- **GitHub**: 5 stars, 5 forks
- **Registry**: github (`MadaBurns/bv-mcp`)
- **Tags**: `agentic`, `ai`, `ai-tools`, `cloudflare-workers`, `cybersecurity`, `dkim`, `dmarc`, `dns-security`, `typescript`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v3.15.1` | 2026-06-06 | High | Patch release: six bug fixes from an adversarial bug-hunt sweep, each gated behind a failing-before / passing-after test (#376). No tools added or removed (still 79); `SCORING_MODEL_VERSION` stays `1.2.0`. One scoring change is RFC-correctness (first item) with narrow, documented impact.  ### Fixed  - **SPF `redirect=` now counts toward the RFC 7208 §4.6.4 10-lookup budget** (`packages/dns-checks` `analyzeSpfLookupBudget`). It was excluded (citing §6.1's modifier classification), undercounting |
| `v3.5.0` | 2026-05-30 | High | Scoring-contract recalibration aligning email-authentication and DNS-integrity severities with NIST SP 800-81r3, plus a new impersonation-aware DMARC escalation. Scores and finding severities shift for some domains — see notes below.  ### Changed  - **DMARC and SPF severities recalibrated down to reflect standalone risk.** "No DMARC record found" is now **high** (was critical) and "DMARC policy set to none" is now **medium** (was high); SPF "Too many DNS lookups" (>10 lookups → `PermError`) is |
| `v2.27.0` | 2026-05-23 | High | ### Added  - **Per-IP rate limit on `POST /oauth/register`** (#193) — DCR was publicly reachable (`ENABLE_OAUTH=true`) with no per-IP gate. 10 registrations/min, 30/hr per `cf-connecting-ip`; returns HTTP 429 + `retry-after` header (OAuth 2.1 convention — not MCP JSON-RPC `-32029`). KV fixed-window pattern mirrors `tokenRateExceeded` in `src/oauth/token.ts`. Legitimate first-time DCR usage is single-digit per IP per day, so 10/min absorbs retries without enabling enumeration. Resolves `TODO(pha |
| `v2.21.4` | 2026-05-16 | High | ### Security - Removed tracked internal tenant and commercial planning documents from the public repository. - Scrubbed customer-placeholder references from docs, comments, and chaos output. - Tightened gitleaks coverage for customer-name placeholders while allowing timestamp-shaped SQL seed values.  ### Changed - Restricted the root npm package publish surface to `dist`, `LICENSE`, and `README.md` so npm releases do not include repo internals, tests, scripts, workflows, docs, or build caches. |
| `v2.13.0` | 2026-05-12 | High | Release 2.13.0 |
| `v2.10.2` | 2026-05-06 | High | ### Fixed - **OAuth consent endpoint critical bug** — endpoint required authentication before rendering consent page, causing 100% registration failure (302 redirects to `/sign-in` instead of showing consent form). Fixed by switching from `requireUserWithTenants` (throwing) to optional `getAuthenticatedUser` (non-throwing), allowing public access with two-state UI rendering. Verified live: HTTP 200, all 9 MCP clients passing, chaos test 58/58 (100%). Expected registration success improvement: 0 |
| `v2.10.1` | 2026-04-25 | High | ### Fixed - **CI: Security workflow** — replaced `gitleaks/gitleaks-action@v2` with a self-installed pinned binary (`gitleaks 8.30.1`). The repo's Actions allowlist (`patterns_allowed: ["MadaBurns/*"]`) had been silently rejecting the third-party action since 2026-04-22, causing every Security run to `startup_failure` with 0 jobs created. Replicates the action's incremental scan behavior — PRs scan `base..head`, pushes scan `before..sha` (fallback `HEAD~1..HEAD` for fresh branches).  ### Securi |
| `v2.9.2` | 2026-04-21 | High | Release 2.9.2 |
| `v2.9.1` | 2026-04-19 | High | ### Changed - **Dev dependencies**: bumped `wrangler` to `^4.83.0`. - **Repo tooling**: added `.intent/` workspace config and new harness scripts (`scripts/context-usage-test.py`, `scripts/conversation-sim.py`, `scripts/output-usage-test.py`) plus tranco scan-result snapshots under `scripts/`. Dev-only; no runtime or published-package impact. - **`.gitignore`**: removed duplicate `.mcp.json` entry. |
| `v2.9.0` | 2026-04-19 | High | Release v2.9.0 |

## Dependency audit

- **Score**: 96/100
- **Total deps**: 21
- **Resolved**: 21
- **Unresolved**: 0
- **License conflicts**: 0
- **Warnings**: 2
- **Scanned**: 2026-05-25

## Citation

- HTML: https://www.freshcrate.ai/projects/bv-mcp
- Markdown: https://www.freshcrate.ai/projects/bv-mcp.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/bv-mcp/deps

_Generated by freshcrate.ai. Indexes GitHub releases for AI-agent ecosystem packages._
