Skip to content

docs(mcp): add Cursor and Codex setup#8

Merged
icloudza merged 2 commits into
icloudza:mainfrom
1494389516:cursor-codex-mcp-docs
May 12, 2026
Merged

docs(mcp): add Cursor and Codex setup#8
icloudza merged 2 commits into
icloudza:mainfrom
1494389516:cursor-codex-mcp-docs

Conversation

@1494389516

@1494389516 1494389516 commented May 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add a project-scoped Cursor MCP config at .cursor/mcp.json.
  • Add a Codex config.toml example at examples/mcp/codex.config.toml.
  • Document Cursor/Codex MCP-only usage, verification, and non-Claude prompting discipline.
  • Align stale marketplace, README, and CONTRIBUTING counts with v0.9.5: 25 tools, 95 fingerprints, 14 subcommands, 146 native assertions.

Tests

  • JSON validation for .cursor/mcp.json, .claude-plugin/marketplace.json, .claude-plugin/plugin.json, and .mcp.json.
  • TOML validation for examples/mcp/codex.config.toml.
  • MCP smoke test: initialize plus tools/list returns 25 tools.
  • python3 -m unittest discover -s tests/python -v: 83 tests passed.
  • ./tools/search/tests/run_tests.sh: PASS=146 FAIL=0.

qq and others added 2 commits May 12, 2026 12:50
docs(mcp): add Cursor and Codex setup
e9dfe10
@icloudza
docs(mcp): scrub 'X-Sign' from prompt example (v0.9.4 brand hygiene)
c72c6f7 
PR icloudza#8 introduced an example prompt that referenced 'X-Sign' as the target
header. X-Sign is from the same TikTok/ByteDance signing header family
(X-Gorgon / X-Khronos / X-Argus / X-Ladon) that v0.9.4 scrubbed across
SKILL docs, code comments, schemas, and test fixtures.

CHANGELOG v0.9.4 mandates going forward:
  "no new commit / SKILL / comment / schema description / test fixture
  may introduce specific app or product names."

Replaced with the generic 'request signing header' so the prompt example
stays algorithm-domain-agnostic. The rest of PR icloudza#8 (Cursor/Codex MCP
configs, mcp-clients.md, marketplace + README + CONTRIBUTING count
alignment) is unchanged and already passes 146 native + 83 python tests.

Background reference: CHANGELOG.md → [0.9.4] section, "Brand hygiene"
audit trail.
@icloudza

icloudza commented May 12, 2026

Copy link
Copy Markdown
Owner

@1494389516 PR 整体高质量,所有数字 / JSON / TOML 都核对过,native 146 + python 83 测试全绿。已直接在你 branch 上加了一个小 fixup commit (c72c6f7)。

唯一改动:docs/mcp-clients.md:102X-Sign 改成 the request signing header

原因:X-Sign 是 TikTok / ByteDance 签名头家族 (X-Gorgon / X-Khronos / X-Argus / X-Ladon) 同源命名。v0.9.4 brand hygiene 刚把这个 family 在 21 处 SKILL / code / fixture 里清洗干净,policy 明文要求:

Going forward, no new commit / SKILL / comment / schema description / test fixture may introduce specific app or product names. Use generic identifiers (app_main, lib_net, target_sign, production trace) in their place.

参考: CHANGELOG.md 的 [0.9.4] section。

这条规则适用于所有未来的贡献。你的 PR 其余部分(Cursor/Codex MCP 配置、mcp-clients.md 整体结构、marketplace + README + CONTRIBUTING 的 stale 数字对齐)我审过都没问题,等 CI 绿就 ready to merge

感谢提交 —— 双语 docs + 数字独立核校 + bilingual 中文说明 段的完整度都很到位。

@icloudza icloudza merged commit 084d683 into icloudza:main May 12, 2026
2 checks passed
icloudza added a commit that referenced this pull request May 13, 2026
@icloudza
feat(1.2.0): trace_function + trace_immseq + R9 + 5 gate refinements
db8af04 
Two new MCP tools (26 → 28) targeting OLLVM-flattened binary analysis:

- trace_function: PC-level invocation analyzer. Given a function entry
  PC, returns per-invocation (entry_line, caller_pc, args[x0..x7],
  ret_line, ret_x0/x1, subcall_sites, exit_kind). Call-depth counter
  handles nested subcalls; PC sanity guard catches tail-call exits.
  Replaces manual trace_search + trace_context loop for stripped
  helper functions (HMAC dispatcher, generate_nsig).

- trace_immseq: anchor-driven prev_reg sequence extraction. For
  OLLVM-flattened transforms, anchor on a per-iteration constant
  (e.g. mov w8, #0x1b) and read prev_val byte-by-byte to reconstruct
  consumed tables in execution order. XHS v2.2.13 retro: 128 anchor
  hits across two inlined generate_nsig copies recovered MAT_A → D
  byte-by-byte with mutual corroboration.

R9 (trace prev/new semantics): formalized in critical-rules.md and
discipline.py reminder pool. `regN=X -> regN=Y` means X is the OLD
value before the write, NOT what the instruction read. Single most
common LLM misread in obfuscated code.

FIX #8 (algorithm-name guard, server/hypothesis.py): conclude(>=medium)
on a statement naming a standard primitive (X25519/AES/HKDF/SHA-256/
MD5/SM4/...) now requires at least one supporting evidence item from
trace_cryptoinstr/trace_constscan/trace_immseq/trace_function. Catches
"I read 32B, therefore ECDH" failure mode.

Loosened five over-strict gates:
- trace_search limit 100 → 500
- B2 same-args rule exempts hint-driven fallback paths
- Cross-session [H<n>] references → non-blocking warning_unresolved_h_refs
- FIX #8 keyword tightened (HMAC/GMAC/CMAC removed — they're constructions)
- FIX #8 evidence tools widened to include immseq + function

Methodology updates:
- skills/trace-analysis: new "OLLVM extraction" + "trace_function" sections
- agents/binary-static-inspector: RVA 容错 + static-blocked-trace-pivot
  recommendation format + MikuCffHelper workflow integration note

Tests: 128 → 149 PASS (+21 new test_trace_function.py covering parse
helpers, R9-aware reg_state extraction, after-arrow ret reg capture,
bl/blr regex disambiguation).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@1494389516 @icloudza