> mcp / cursor

cursor supports streamable-http mcp servers natively, so no local bridge is needed — point it at the url and restart.

config

$ ~/.cursor/mcp.json
{
  "mcpServers": {
    "drwho.me": {
      "url": "https://drwho.me/mcp/mcp"
    }
  }
}

Cursor hot-reloads mcp.json changes on most platforms. If the tools don't appear, restart Cursor. Project-scoped configs can also live at .cursor/mcp.json inside the workspace root.

tools advertised (21)

  • ip_lookup: Resolve an IPv4 or IPv6 address to its geolocation, ASN, org name, and city/country. Use when you need network or location context for a raw IP address; prefer dns_lookup or dossier_dns for hostname resolution. Queries ipinfo.io with a server-side token — the token is never exposed to callers. Returns a JSON object with fields ip, city, region, country, org, loc, and timezone. On failure, returns an error string describing what went wrong.
  • dns_lookup: Resolve a single DNS record type (A, AAAA, MX, TXT, NS, CNAME, SOA, CAA, or SRV) and return the raw answers. Use for quick, targeted lookups of one record type; prefer dossier_dns for a full multi-type DNS audit in parallel, or dossier_full for a complete domain health check. Queries Cloudflare DoH (1.1.1.1/dns-query) over HTTPS, follows CNAME chains, 5 s timeout. Returns a JSON array of answer objects with name, type, and data fields. On error, returns a string describing the DNS failure.
  • dossier_dns: Fetch a domain's full DNS profile — A, AAAA, NS, SOA, CAA, and TXT records — all in parallel. Use as the first step of a domain audit or when you need a comprehensive DNS snapshot in one call; prefer dns_lookup for a single record type, or dossier_full for all 10 dossier checks at once. Fires six Cloudflare DoH (1.1.1.1) queries concurrently, each with a 5 s timeout. Returns a CheckResult discriminated union: on success, {status:"ok", records:{a, aaaa, ns, soa, caa, txt}}; on failure, {status:"error", reason}.
  • dossier_mx: Look up a domain's MX (mail exchanger) records and return them sorted ascending by priority. Use when verifying inbound-mail routing or as a precursor to SPF or DMARC checks; prefer dns_lookup with type=MX if you only need the raw DNS answer without the ranked view. Queries Cloudflare DoH (1.1.1.1), follows CNAME aliases, 5 s timeout. Returns a CheckResult discriminated union: on success, {status:"ok", records:[{exchange, priority},...]} sorted by priority; on failure, {status:"error", reason}.
  • dossier_spf: Retrieve and parse a domain's SPF record, decomposing it into mechanisms and qualifiers. Use to verify email sender policy, debug delivery failures, or check the 10-lookup limit; pair with dossier_dmarc for full email-auth coverage, or use dns_lookup with type=TXT for the raw record only. Fetches TXT records via Cloudflare DoH (1.1.1.1), 5 s timeout, locates the v=spf1 record and parses all mechanisms. Returns a CheckResult: on success, {status:"ok", raw, mechanisms:[{type, value, qualifier},...], lookupCount}; on failure, {status:"error", reason}.
  • dossier_dmarc: Retrieve and parse a domain's DMARC policy from its _dmarc.<domain> TXT record, returning all tags. Use to audit email authentication policy, verify the p (policy) and rua (reporting) settings, or confirm alignment mode; pair with dossier_spf and dossier_dkim for complete email-auth coverage. Queries _dmarc.<domain> via Cloudflare DoH (1.1.1.1), 5 s timeout; parses each tag=value pair. Returns a CheckResult: on success, {status:"ok", raw, tags:{p, rua, ruf, adkim, aspf,...}}; on failure, {status:"error", reason}.
  • dossier_dkim: Probe a domain's DKIM public keys by querying <selector>._domainkey.<domain> for each selector. Use to verify signing configuration or discover active selectors; supply selectors when you know the ESP's selector, or omit to probe six common selectors (default, google, k1, selector1, selector2, mxvault). Issues parallel Cloudflare DoH (1.1.1.1) TXT queries per selector, 5 s timeout each. Returns a CheckResult: {status:"ok", found:[{selector, publicKey, raw},...], notFound:[...]} or {status:"error", reason}.
  • dossier_tls: Fetch and inspect the TLS certificate presented by a domain on port 443, returning chain details and validity period. Use to verify certificate expiry, issuer, Subject Alternative Names, or detect mismatched or self-signed certs; not a full cipher-suite scanner. Performs a TLS handshake from the server edge, 5 s timeout; extracts the leaf certificate. Returns a CheckResult: on success, {status:"ok", subject, issuer, validFrom, validTo, daysRemaining, sans, fingerprint}; on failure, {status:"error", reason}.
  • dossier_redirects: Trace the full HTTP redirect chain starting from https://<domain>/, recording each hop's status code and destination URL. Use to debug redirect loops, verify HTTP→HTTPS upgrades, or audit link shorteners; stops at 10 hops to prevent infinite loops. Follows Location headers with fetch (no auto-redirect), 5 s per hop. Returns a CheckResult: on success, {status:"ok", hops:[{url, statusCode, redirectsTo},...], final}; on failure, {status:"error", reason}.
  • dossier_headers: Fetch https://<domain>/ and return all HTTP response headers, with an audit highlighting missing or misconfigured security headers. Use to review CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy; for redirect tracing use dossier_redirects instead. Single GET via fetch, 5 s timeout, captures raw response headers before any redirect is followed. Returns a CheckResult: on success, {status:"ok", headers:{...}, securityAudit:[{header, present, value},...]}; on failure, {status:"error", reason}.
  • dossier_cors: Send a CORS preflight OPTIONS request to https://<domain>/ and return the access-control-* response headers. Use to verify CORS policy for a specific origin-method pair, or to check whether a domain allows cross-origin requests; provide origin and method to simulate a precise preflight, or omit to use defaults (origin: https://drwho.me, method: GET). Single OPTIONS request via fetch, 5 s timeout. Returns a CheckResult: on success, {status:"ok", headers:{access-control-allow-origin,...}}; on failure, {status:"error", reason}.
  • dossier_web_surface: Snapshot a domain's public web surface: robots.txt, sitemap.xml, and the home-page <head> metadata (title, description, OpenGraph, Twitter cards). Use for SEO audits, content discovery, or verifying metadata before sharing; for HTTP headers use dossier_headers, for redirect behavior use dossier_redirects. Fetches /, /robots.txt, and /sitemap.xml concurrently via HTTPS, 5 s each; parses <head> with a lightweight HTML parser. Returns a composite CheckResult: {status:"ok", meta:{title, description, og, twitter}, robots, sitemapPresent} or {status:"error", reason}.
  • user_agent_parse: Parse a User-Agent header string into structured browser, OS, device type, and rendering-engine components. Use to identify client capabilities from a raw UA string, e.g. when analysing server logs or request headers; does not perform any network lookups — entirely local parsing. Runs synchronously using the ua-parser-js library with no external calls. Returns a JSON object with browser.name, browser.version, os.name, os.version, device.type, device.vendor, and engine.name fields; unknown fields are empty strings.
  • json_format: Validate and pretty-print a JSON string at a configurable indent width (2 or 4 spaces). Use to detect parse errors in raw JSON or to normalize minified JSON for readability; for schema validation or data transformation, apply your own logic. Runs JSON.parse + JSON.stringify locally with no network calls. On success, returns the formatted JSON string. On parse failure, returns an error message describing the position and nature of the syntax error.
  • base64_encode: Encode a UTF-8 plaintext string to standard Base64 (RFC 4648 §4, +/= alphabet). Use when you need to embed binary-safe text in HTTP headers, data URIs, or JSON payloads; note this tool uses the standard alphabet — replace + with - and / with _ manually if URL-safe Base64 is required. Pure local encoding with no network calls. Returns the Base64-encoded string as plain text. Always succeeds for valid UTF-8 input.
  • base64_decode: Decode a Base64 or Base64url string back to its original UTF-8 plaintext. Use to inspect encoded payloads, credentials, or embedded data; accepts both standard (+/) and URL-safe (-_) alphabets, with or without trailing = padding. Pure local decode with no network calls; validates that the result is valid UTF-8. Returns the decoded string on success. On failure (invalid Base64 or non-UTF-8 bytes), returns an error message describing what went wrong.
  • url_encode: Percent-encode an arbitrary string so it is safe to embed as a URL component (query value, path segment, or fragment). Use to escape characters like &, =, #, spaces, and non-ASCII before appending to a URL; uses encodeURIComponent semantics, so / is encoded — do not pass a full URL, only the component that needs escaping. Pure local transform with no network calls. Returns the percent-encoded string as plain text. Always succeeds.
  • url_decode: Decode a percent-encoded URL component back to its original string. Use to read query parameters, path segments, or form-encoded values containing %XX sequences; accepts both +-as-space (form encoding) and %20 representations. Pure local decode via decodeURIComponent with no network calls. Returns the decoded string on success. On failure (malformed %XX sequence or invalid UTF-8), returns an error message describing the problem.
  • jwt_decode: Decode a JWT (JSON Web Token) into its header, payload, and raw signature without verifying the cryptographic signature. Use to inspect token claims (sub, exp, iat, aud, etc.) or debug auth flows; do NOT use the decoded claims for access-control decisions since the signature is not validated. Splits on ".", base64url-decodes each segment, and JSON-parses header and payload — no network calls, no key lookup. Returns JSON with header, payload, and signature fields. On malformed input, returns an error message.
  • uuid_generate: Generate a single UUID in either v4 (random) or v7 (time-ordered, Unix-ms prefix) format. Use v4 for general-purpose identifiers; use v7 when UUIDs must sort chronologically by creation time (e.g. database primary keys or distributed tracing). Both versions use cryptographically random bits in their non-timestamp positions. Uses Node.js crypto.randomUUID() for v4 and a spec-compliant implementation for v7; no network calls. Returns a UUID string in canonical xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx format.
  • dossier_full: Run all 10 Domain Dossier checks — dns, mx, spf, dmarc, dkim, tls, redirects, headers, cors, web-surface — in parallel and return all results in a single response. Use when you need a comprehensive domain health snapshot in one call; counts as ONE paywall call regardless of how many checks run. For a single focused check, prefer the individual dossier_* tools to minimise latency. Fires all 10 checks concurrently via Cloudflare DoH or direct HTTPS, 5 s per-check timeout. Returns a JSON object keyed by check id (dns, mx, etc.), each value a CheckResult discriminated union ({status:"ok",...} or {status:"error", reason}).
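
The parsing step that dossier_spf describes, written out as an added example (not drwho.me's code): it splits a v=spf1 record into {type, value, qualifier} terms and counts the lookup-causing ones against the RFC 7208 limit of 10. parseSpf, the overLimit field and the sample records are assumptions made for illustration; the count covers only the record passed in and does not resolve include or redirect targets.

```javascript
// Added sketch, not drwho.me's implementation. Counts lookup-causing terms in
// the single record it is given; nested include/redirect targets are not
// resolved, so their lookups are not counted (assumption about scope).
const LOOKUP_MECHANISMS = new Set(["include", "a", "mx", "ptr", "exists"]);
const MECHANISMS = new Set([...LOOKUP_MECHANISMS, "all", "ip4", "ip6"]);
const SPF_LOOKUP_LIMIT = 10; // RFC 7208 section 4.6.4

function parseSpf(txtRecords) {
  // Exactly one TXT record may start with "v=spf1"; several is a permerror.
  const spf = txtRecords.map((r) => r.trim()).filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length !== 1) {
    const reason = spf.length === 0 ? "no v=spf1 record" : "multiple v=spf1 records";
    return { status: "error", reason };
  }
  const raw = spf[0];
  const mechanisms = [];
  for (const term of raw.split(/\s+/).slice(1)) {
    // Modifiers are name=value (redirect=, exp=); they carry no qualifier.
    const mod = /^([a-z][a-z0-9_.-]*)=(.*)$/i.exec(term);
    if (mod) {
      mechanisms.push({ type: mod[1].toLowerCase(), value: mod[2], qualifier: null });
      continue;
    }
    // Mechanisms are [qualifier]name[:value][/cidr]; no qualifier means "+".
    const mech = /^([+\-~?]?)([a-z0-9]+)([:/].*)?$/i.exec(term);
    const type = mech ? mech[2].toLowerCase() : null;
    if (!type || !MECHANISMS.has(type)) {
      return { status: "error", reason: `unknown mechanism: ${term}` };
    }
    const value = (mech[3] || "").replace(/^:/, "");
    mechanisms.push({ type, value, qualifier: mech[1] || "+" });
  }
  // The redirect modifier counts toward the limit; exp and ip4/ip6/all do not.
  const lookupCount = mechanisms.filter((m) =>
    m.qualifier === null ? m.type === "redirect" : LOOKUP_MECHANISMS.has(m.type)
  ).length;
  const overLimit = lookupCount > SPF_LOOKUP_LIMIT;
  return { status: "ok", raw, mechanisms, lookupCount, overLimit };
}

// Constructed sample TXT answers for a hypothetical domain.
const sample = [
  "google-site-verification=constructed-placeholder",
  "v=spf1 mx a:mail.example.com ip4:192.0.2.0/24 include:_spf.example.net ~all",
];
console.log(parseSpf(sample));
```

A record can pass this per-record count and still exceed the limit once its include targets are expanded, so treat a low number here as a lower bound.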

example prompts

  • “check the dns for the domain in this config file.”
  • “decode the base64 string on line 42 of this file.”
  • “what's the security-headers posture of the url in my env var?”