better readme

Author: StuMason

.cursor/mcp.json.bak renamed to .cursor/mcp.json

@@ -1,9 +1,9 @@
 {
     "mcpServers": {
         "firecrawl": {
-            "command": "node",
+            "command": "npx",
             "args": [
-                "/Users/stuartmason/Code/JeredBlu/get-mcp-keys.js",
+                "@masonator/get-mcp-keys",
                 "npx",
                 "-y",
                 "firecrawl-mcp"

.cursor/rules/coding-best-practices.md

@@ -3,10 +3,7 @@
     "node": true,
     "es2021": true
   },
-  "extends": [
-    "standard",
-    "plugin:security/recommended"
-  ],
+  "extends": ["standard"],
   "plugins": ["security"],
   "parserOptions": {
     "ecmaVersion": "latest"
@@ -18,14 +15,10 @@
     "indent": ["error", 2],
     "quotes": ["error", "single"],
     "object-curly-spacing": ["error", "always"],
-    "security/detect-object-injection": "warn",
-    "security/detect-non-literal-require": "warn",
-    "security/detect-non-literal-fs-filename": "warn",
     "security/detect-eval-with-expression": "error",
-    "security/detect-no-csrf-before-method-override": "error",
+    "security/detect-non-literal-fs-filename": "warn",
     "security/detect-buffer-noassert": "error",
-    "security/detect-child-process": "warn",
-    "security/detect-disable-mustache-escape": "error",
-    "security/detect-new-buffer": "error"
+    "security/detect-possible-timing-attacks": "warn",
+    "security/detect-no-csrf-before-method-override": "error"
   }
 } 

.cursor/rules/database-rules.md

@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for all branches and tags
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -61,9 +63,7 @@ jobs:
         uses: trufflesecurity/trufflehog@main
         with:
           path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
-          extra_args: --debug --only-verified
+          extra_args: --only-verified --no-git
 
       # OSSAR Scan
       - name: Run OSSAR
@@ -86,18 +86,11 @@ jobs:
         uses: actions/dependency-review-action@v3
         if: github.event_name == 'pull_request'
 
-      # Software Bill of Materials (SBOM) Generation
-      - name: Generate SBOM
-        uses: CycloneDX/gh-node-module-generatebom@master
-        with:
-          output: bom.xml
-          
-      # Results Processing
-      - name: Upload SBOM
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
-        with:
-          name: bom
-          path: bom.xml
+      # Generate and Upload SBOM
+      - name: Generate and Upload SBOM
+        run: |
+          npx @cyclonedx/bom -o bom.xml
+          echo "Generated SBOM at bom.xml"
           
   security-matrix:
     needs: security-checks

.cursor/rules/documentation-and-techstack.md

@@ -1,53 +1,61 @@
-# Get MCP Keys
+# 🔐 get-mcp-keys
 
-Cursor (perhaps other ai tools too?) allow you to create project specific MCP servers in the `./cursor/mcp.json` file.
+**Stop accidentally committing API keys to your repos!**
 
-However, that means it's in the repo, so likely will end up commiting your env variables...
+## The Problem
+
+When using Cursor AI (and other AI coding assistants) with MCP servers, you need API keys in your `./cursor/mcp.json` file:
 
 ```json
 {
-    "mcpServers": {
-        "firecrawl": {
-            "command": "npx",
-            "args": [
-                "-y",
-                "firecrawl-mcp"
-            ],
-            "env": {
-                "FIRECRAWL_API_KEY": "oops-this-shouldnt-be-in-the-repo"
-            }
-        }
+  "mcpServers": {
+    "firecrawl": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "firecrawl-mcp"
+      ],
+      "env": {
+        "FIRECRAWL_API_KEY": "sk_live_ohno-this-should-NOT-be-in-git" // 💀
+      }
     }
+  }
 }
 ```
 
-In an effort to stop this, what I want to do here is have an rc file in the users home directory that contains the MCP Server envs you use. 
+**This is a security nightmare waiting to happen.** One accidental commit and your keys are exposed in your Git history.
+
+## 💯 The Solution
 
-> The MCP Server envs your using are likely user specific, so it makes sense to have them in your home directory. Will need to look at this again for when different projects are using different environment variables
+`get-mcp-keys` loads your API keys from a secure file in your home directory, keeping them out of your repositories entirely.
 
-so something like:
+## ⚡ Quick Start
 
-create the .mcprc file in the users home directory:
+### 1. Create a `.mcprc` file in your home directory
 
 ```bash
 touch ~/.mcprc
+chmod 600 ~/.mcprc  # Make it readable only by you
 ```
 
-add the following to the .mcprc file:
+### 3. Add your API keys to the file
 
 ```bash
-FIRECRAWL_API_KEY="oops-this-shouldnt-be-in-the-repo"
+# ~/.mcprc
+FIRECRAWL_API_KEY="your_actual_api_key_here"
+BRAVE_API_KEY="another_secret_key_here"
+# Add any other MCP server keys you use
 ```
 
-Then run this command before you run the mcp server, it would look something like this:
+### 4. Update your MCP configuration to use get-mcp-keys
 
 ```json
 {
   "mcpServers": {
     "firecrawl": {
       "command": "npx",
       "args": [
-        "@masonator/get-mcp-keys",
+        "@masonator/get-mcp-keys", // 🔐
         "npx",
         "-y",
         "firecrawl-mcp"
@@ -57,4 +65,36 @@ Then run this command before you run the mcp server, it would look something lik
 }
 ```
 
-This would run the `get-mcp-keys` command first, grab the envs from the .mcprc file, and then run the `npx firecrawl-mcp` command with the envs it's grabbed.
+**That's it!** The `get-mcp-keys` utility will:
+
+- Load your API keys from `~/.mcprc`
+- Inject them as environment variables
+- Run your MCP server command with the keys available
+
+## 🛡️ Security
+
+- Your API keys stay in your home directory
+- Keys are never committed to repositories
+- Keys are loaded only when needed
+- Debug output shows only first/last few characters of keys
+
+## 🧰 Supported MCP Servers
+
+Works with any MCP server that needs environment variables, including:
+
+- FireCrawl
+- Brave Search
+- Supabase
+- And any other MCP servers you configure!
+
+## 🔍 How It Works
+
+`get-mcp-keys` reads your `.mcprc` file, adds those environment variables to the current environment, and then executes whatever command you specify after it in the args list. It's simple yet effective!
+
+## 📋 License
+
+MIT
+
+---
+
+⭐ If this saved you from committing your keys, star the repo!