Login

u/arananet

I built a free tool to audit your MCP servers for security issues (OWASP MCP Top 10 + A2A/UCP compliance)
▲ 3 r/OpenSourceeAI+1 crossposts

I built a free tool to audit your MCP servers for security issues (OWASP MCP Top 10 + A2A/UCP compliance)

Hey all,

If you're running MCP servers, A2A agents, or UCP endpoints, either locally or in production, you might want to know what you're inadvertently exposing.

I built Protocol Guard, an open-source web scanner for AI agent protocols.

Why it matters:

Most MCP servers are set up by devs who care about functionality, not security. The scanner catches things like:

Tools whose description fields contain hidden instructions that could manipulate the LLM using the server (tool poisoning, OWASP MCP03)

Servers that accept unauthenticated requests and expose all tools to anyone

Tool parameters that accept unconstrained shell command strings (command injection — MCP05)

Sensitive file path patterns in tool names/descriptions (.ssh, .env, id_rsa, passwd)

Framework/version fingerprinting in serverInfo fields

Missing TLS, HSTS, and other security headers

A2A agent cards with prompt injection patterns in their description fields

You just paste your server URL (or agent card URL), optionally add auth credentials, and get a structured report with OWASP and MSSS control mappings.

It's fully stateless, your server URL and credentials are never stored.

Repo: github.com/arananet/protocol-guard

Would love feedback from people running MCP setups, especially if you find false positives or detection gaps.

u/arananet — 2 days ago
▲ 16 r/Commodore

My extremely modded A1200

​

A few years back I built a customized A1200 by the time mechanical keyboard was just a dream for Amiga fans.

Built with mech kb, gotek and accelerator.

u/arananet — 3 days ago
▲ 2 r/u_arananet+1 crossposts

I built a free, open-source GEO auditor that tells you how visible your site is to AI agents (ChatGPT, Claude, Perplexity, Gemini)

Traditional SEO tools tell you how Google's classic crawler sees your site. But AI search is different, GPTBot, ClaudeBot, and Perplexity's crawler don't rank pages, they cite them. So I built a tool that audits the signals that actually matter for AI citability.

What it does:

It runs 14 parallel audit agents against any URL and scores it across three effort tiers:

Quick Win — robots.txt AI crawler access, llms.txt presence, sitemap freshness, canonical/hreflang

Editorial — AI citability (answer-block density, filler-phrase detection, E-E-A-T signals, PAA optimization, tone)

Development — Schema depth (20 priority types including SpeakableSpecification, QAPage, ClaimReview), entity authority, structural GEO

It also has an Oracle governance layer that cross-validates all 14 agent outputs after the fact, flags contradictions, and annotates results with confidence levels. Plus WAF detection/bypass for sites behind Cloudflare or Imperva.

What I learned building it:

The GEO research (Princeton KDD 2024) found that sourced statistics give a +37% citation lift, expert quotes +30%, and keyword stuffing actively hurts you by ~10%. Meanwhile Google's own AI optimization guide (just published) makes clear that llms.txt and special AI markup don't matter for Google, but they do matter for other agents and RAG pipelines, which the tool also checks.

Stack: Next.js 14, Playwright headless Chromium, Cheerio, Cloudflare Workers AI (free tier for semantic NLP). CLI batch auditor included for scanning multiple URLs to Markdown/PDF.

Repo: github.com/arananet/agentic-auditor

Happy to answer questions about the architecture or the GEO research backing each metric.

reddit.com
u/arananet — 4 days ago
▲ 2 r/u_arananet+1 crossposts

I built an offline-first PWA for perceptual vision training (the science kind, not eye-yoga)

A bit of background before the pitch: presbyopia (the "I need reading glasses at 45" problem) is mechanical, the crystalline lens stiffens. No app fixes that. But contrast sensitivity, crowding resistance, and reading speed are cortical, they live in the visual processing pipeline downstream of the lens, and there's a solid body of peer-reviewed research showing that pipeline is trainable in adults (Polat et al. 2012, Levi 2008, Calabrèse et al. 2014).

That's what Foveal Forge targets. Not the lens. The brain.

What it does:

A 12-minute adaptive daily session with four drills:

  • D1 — Fixation stability (1 min): attentional warm-up, fixation cross on neutral gray
  • D2 — Gabor contrast sensitivity (4 min): lateral-masking Gabor patches at 3, 6, and 12 cycles/degree with collinear flankers. 3-down-1-up staircase converging on your personal contrast threshold per spatial frequency
  • D3 — Saccade + crowding (3 min): Sloan letter triplets at random eccentricities up to 8°, 150ms exposure + mask. Adaptive crowding spacing staircase (Bouma's law baseline)
  • D4 — Reading fluency / RSVP (2.5 min): rapid serial visual presentation starting at 200 WPM, +5% on correct comprehension, −10% on failure, clamped to [80–600] WPM

Everything adapts to your performance in real time. Results are tracked over sessions so you can see threshold curves move.

Technical posture:

  • Fully offline-first PWA — no backend, no accounts, no telemetry. All data lives in IndexedDB on your device
  • Vite + React 18 + TypeScript (strict mode, noUncheckedIndexedAccessexactOptionalPropertyTypes)
  • Tailwind CSS v4, Zustand for session state
  • Gabor patches rendered via Canvas 2D with physical pixel precision for HiDPI displays
  • Web Audio API for auditory feedback (synthesised tones, no audio files)
  • 61 unit tests (Vitest), spec-driven development with a declarative SKILL.md protocol contract

Demo: https://foveal-forge-production.up.railway.app

Repo: https://github.com/arananet/foveal-forge

What I'm looking for:

This is a pre-alpha solo build and I'm genuinely open to collaborators, especially people with:

  • Background in psychophysics, vision science, or optometry who can validate/challenge the protocol
  • Experience with perceptual learning paradigms (staircase implementations, threshold estimation)
  • Interest in offline-first PWAs or Canvas-based stimulus rendering
  • Accessibility expertise (users have impaired near vision by definition — a11y is non-negotiable here)

The codebase has a strict CLAUDE.md contract and a declarative protocol spec (SKILL.md) — contributions go spec-first, then implementation.

One explicit non-goal: this will never claim to cure or reverse presbyopia. Every user-facing claim must trace to a citation. That's not changing.

Happy to answer questions about the psychophysics implementation, the staircase math, or the PWA architecture.

u/arananet — 6 days ago
▲ 9 r/u_arananet+2 crossposts

OpenSpec template — spec-driven dev for fork-and-go

GitHub repo:

https://github.com/arananet/openspec-template

Template I use for every new project. Core rule: every feature/bugfix needs a YAML spec (acceptance criteria + test plan) before code. Enforced by a pre-commit hook, a deterministic CI check, and an agentic spec-vs-code review.

Setup is one command (bash setup.sh).

When you open the fork in Claude Code, it reads CLAUDE.md, interviews you for project details, customizes the README, and scaffolds your first spec. Same instructions apply to Codex CLI and Copilot via AGENTS.md and .github/copilot-instructions.md.

What's in the box: CodeQL, gitleaks, dep-review, OSSF Scorecard, SBOM + cosign signing + SLSA provenance on releases, DCO, doc-drift check, lint stack, Dependabot auto-merge for patches, cost-capped AI workflows, optional CODEOWNER-gated issue auto-fix agent.

Local scripts/openspec CLI (pure bash) handles scaffold/check — no external dependency.

MIT, feedback welcome.

u/arananet — 14 days ago