Published May 23, 2026 | Version v1
Software Open

SbD MCP Server v0.9.0 — Software Bundle (npm package + GitHub source, ICSME 2026)

Description

Offline-reproducible software bundle for the SbD MCP Server (v0.9.0), an ontology-grounded retrieval tool that exposes the Security-by-Design Theory-of-Everything (SbD-ToE) knowledge graph to GenAI coding assistants through the Model Context Protocol (MCP). The server grounds model output in a curated, versioned ontology of AppSec Core-typed security requirements rather than relying on parametric memory alone.

This item archives the tool itself in two complementary forms — the canonical npm package tarball (runnable) and the full GitHub source bundle (inspectable) — so that the v0.9.0 demonstration state remains reproducible independently of the upstream registries.

FILES

sbd-toe-mcp-0.9.0.tgz                    4,183,175 bytes
  SHA-256: c0dc7b432007f4d1e0058183f2a85a1d06c4d5cfb640f8d2781dc3d749e912aa
  Role:    canonical npm package tarball (runtime distribution only).
  Install offline:
      npm install ./sbd-toe-mcp-0.9.0.tgz
  Or install from npm registry:
      npx @shiftleftpt/sbd-toe-mcp

sbd-toe-mcp-v0.9.0-bundle.tar.gz         4,376,388 bytes
  SHA-256: 533d8185d02356e68c06b395b0cc864dd318c176e27d202c45e6d5f82a4d0407
  Role:    full GitHub repository snapshot at tag v0.9.0, including
           TypeScript source, tests, build scripts, and CI configuration
           that are not shipped in the npm tarball.

MANIFEST.txt                             ~4 KB
  Role:    full provenance record — SHA-256 checksums, file sizes, origin
           URLs, and release metadata for every artefact referenced by
           this bundle and by the companion Media item.

SHASUMS.txt                              ~270 bytes
  Role:    shasum -c -a 256 compatible checksum file for the two software
           bundles above. Verify with:
               shasum -a 256 -c SHASUMS.txt

RUNTIME

Node.js >= 20.9.0

VERIFICATION

After download, the two software bundles listed in SHASUMS.txt can be verified in one shot:
    shasum -a 256 -c SHASUMS.txt
Expected output:
    sbd-toe-mcp-0.9.0.tgz: OK
    sbd-toe-mcp-v0.9.0-bundle.tar.gz: OK

RELATED MATERIALS

npm package (live registry, v0.9.0):
  https://www.npmjs.com/package/@shiftleftpt/sbd-toe-mcp

GitHub repository:
  https://github.com/Shiftleftpt/sbd-toe-mcp-poc

GitHub release v0.9.0 (immutable, 2026-05-21):
  https://github.com/Shiftleftpt/sbd-toe-mcp-poc/releases/tag/v0.9.0

Demonstration screencast (companion Figshare item, type Media — DOI to be added once minted):
  end-to-end walkthrough of installation, MCP client configuration, and a
  representative secure-coding session.

OSF registration (ICSME 2026 Tool Demonstration — DOI to be added once minted):
  contains the registered demonstration state including this software
  bundle and the screencast.

Companion paper:
  ICSME 2026 — Tool Demonstration submission (DOI to be added once accepted).

LICENCE

Code:    Apache-2.0
Content: CC-BY-SA-4.0

AUTHOR

Pedro Farinha — Shiftleft - Secure Software Engineering, Lda.
ORCID: 0009-0001-0569-9020
