Daily build note · June 1, 2026

Agent ToolScope Audit Kit

A packaging layer around MCP ToolScope that turns its local scan outputs into a client-ready fixed-scope audit offer: outreach copy, intake checklist, executive summary, risk register...

AI Tools · Build note published · Public demo coming soon

What shipped

This build extends the parent MCP ToolScope scanner with a sellable audit packaging layer:

  • Added python -m mcp_toolscope audit-bundle.
  • Added mcp_toolscope/audit_bundle.py to consume toolscope-reports/toolscope.json.
  • Generated a deterministic client packet with executive summary, risk register, remediation menu, starter allowlist, 60-minute handoff agenda, implementation options, prospect one-pager, and JSON bundle summary.
  • Added unit coverage for the bundle generator.
  • Added root-level verify.sh that runs tests, creates /tmp/toolscope-audit-demo, scans it, validates artifacts, generates the audit bundle, and checks required service-offer content.
  • Updated README with a "Sellable Audit Demo" and the $3,500 fixed-scope positioning.

Architecture

  • Reused the parent scanner package shape, CLI entrypoint, seeded sample workspace, deterministic classifier, JSON report, Markdown report, and starter allowlist.
  • Kept the new packaging layer downstream of toolscope.json so it does not duplicate discovery or classification logic.
  • Used Python standard library only.
  • Rendered Markdown with explicit string templates for easy human inspection and deterministic smoke checks.
  • Kept the service packet local and file-based; no network, secrets, OAuth, browser, database, or external services are required.

Trimmed scope

The MVP deliberately omits:

  • Hosted dashboard or SaaS workflow.
  • Runtime enforcement, approval proxy behavior, or Agent Action Gate implementation.
  • MCP Risk Diff and CI baseline comparison logic.
  • Live MCP protocol introspection.
  • OAuth, billing, login, or connector API calls.
  • LLM-generated audit copy.

Limitations

  • The bundle quality depends on the scanner's current keyword classifier and report schema.
  • Owner, log, credential, and intended-agent gaps are inferred from local metadata only.
  • The starter allowlist is a review artifact, not enforcement.
  • The prospect one-pager is a reusable service artifact, not a generated sales email.
  • The current smoke test covers the seeded workspace and deterministic content checks, not every real-world MCP config variant.

Verification

Run:

```bash
bash verify.sh
```

The verifier creates a fresh /tmp/toolscope-audit-demo, writes toolscope-reports/toolscope.json, generates /tmp/toolscope-audit-demo/audit-bundle/, and checks the required audit packet language.

Suggested next steps

  • Add a --strict mode that fails when critical tools lack owners or logs.
  • Add a later diff command that compares two toolscope.json files for CI review.
  • Add more sample workspaces for agency, internal admin, and production app scenarios.
  • Add optional client metadata fields for industry, audit date, and reviewer.
  • Turn the audit packet into a small static HTML/PDF export once the Markdown content proves useful in sales calls.
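
A sketch of the --strict gate suggested in the first item above, as an added example and not code from the MCP ToolScope project. The report field names (tools, name, risk, owner, log_path) and the choice to fail closed on tools with no risk level are assumptions; the real toolscope.json schema is not shown in this note.

```python
import json
import sys

# Constructed sample report. Field names are assumptions for this example,
# not the actual toolscope.json schema.
SAMPLE_REPORT = json.loads("""
{"tools": [
  {"name": "fs.delete", "risk": "critical", "owner": "platform-team", "log_path": "logs/fs.jsonl"},
  {"name": "shell.exec", "risk": "critical", "owner": " ", "log_path": null},
  {"name": "db.query", "risk": "Critical", "owner": "data-team"},
  {"name": "mail.send", "owner": "ops"},
  {"name": "docs.search", "risk": "low", "owner": null, "log_path": null}
]}
""")

REQUIRED_FIELDS = ("owner", "log_path")


def strict_findings(report, gated_levels=("critical", "unclassified")):
    """Return [(tool_name, [missing_fields])] for gated tools with gaps.

    A tool with no risk level is treated as "unclassified" and gated too,
    so a classifier miss cannot silently bypass the check (fail closed).
    """
    findings = []
    for tool in report.get("tools", []):
        risk = str(tool.get("risk") or "unclassified").strip().lower()
        if risk not in gated_levels:
            continue
        # Empty strings, whitespace, null, and absent keys all count as missing.
        missing = [f for f in REQUIRED_FIELDS if not str(tool.get(f) or "").strip()]
        if missing:
            findings.append((tool.get("name", "<unnamed>"), missing))
    return findings


def strict_exit_code(report):
    """Return 0 when every gated tool has an owner and a log, else 1."""
    findings = strict_findings(report)
    for name, missing in findings:
        print(f"STRICT FAIL {name}: missing {', '.join(missing)}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(strict_exit_code(SAMPLE_REPORT))
```

A nonzero exit lets verify.sh or a CI job stop before the audit bundle is generated from a report with unowned or unlogged critical tools.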