@ansvar/ch-farm-safety-mcp 0.1.0

package/.github/workflows/check-freshness.yml

@@ -0,0 +1,53 @@
+name: Check Data Freshness
+
+on:
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  freshness:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+
+      - name: Check freshness
+        id: check
+        run: |
+          OUTPUT=$(npm run freshness:check --silent 2>&1 || true)
+          echo "$OUTPUT"
+          if echo "$OUTPUT" | grep -q '"status":"stale"'; then
+            echo "stale=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "stale=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Open issue if stale
+        if: steps.check.outputs.stale == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const existing = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: 'data-freshness',
+              state: 'open',
+            });
+            if (existing.data.length === 0) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Data is stale — re-ingestion needed',
+                body: 'The `check_data_freshness` tool reports data is older than 90 days.\n\nRun `gh workflow run ingest.yml` or `npm run ingest:full` to refresh.',
+                labels: ['data-freshness'],
+              });
+            }

package/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+      - run: npm run typecheck
+      - run: npm run lint
+      - run: npm test

package/.github/workflows/codeql.yml

@@ -0,0 +1,30 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "30 4 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: [javascript-typescript]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

package/.github/workflows/ghcr-build.yml

@@ -0,0 +1,45 @@
+name: Build and Push to GHCR
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ch-farm-safety-mcp
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.REGISTRY }}/ansvar-systems/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=sha,prefix=sha-,format=short
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

package/.github/workflows/gitleaks.yml

@@ -0,0 +1,24 @@
+name: Gitleaks
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install gitleaks
+        run: |
+          curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.4/gitleaks_8.18.4_linux_x64.tar.gz | tar xz
+          sudo mv gitleaks /usr/local/bin/
+      - name: Run gitleaks
+        run: gitleaks detect --source . --verbose

package/.github/workflows/ingest.yml

@@ -0,0 +1,67 @@
+name: Ingest Data
+
+on:
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: "Ingestion mode"
+        required: true
+        default: "incremental"
+        type: choice
+        options:
+          - incremental
+          - full
+          - diff-only
+  schedule:
+    - cron: "0 3 1 * *"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  ingest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+
+      - name: Run ingestion
+        run: |
+          case "${{ inputs.mode || 'incremental' }}" in
+            full)      npm run ingest:full ;;
+            diff-only) npm run ingest:diff ;;
+            *)         npm run ingest ;;
+          esac
+
+      - name: Update coverage.json
+        run: npm run coverage:update
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --quiet data/; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create PR
+        if: steps.changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          branch: auto/ingest-update
+          title: "data: update Swiss farm safety data"
+          body: |
+            Automated data ingestion run.
+
+            Mode: `${{ inputs.mode || 'incremental' }}`
+            Date: `${{ github.event.repository.updated_at }}`
+
+            Review the data changes in `data/` before merging.
+          commit-message: "data: update Swiss farm safety data"
+          delete-branch: true

package/.github/workflows/publish.yml

@@ -0,0 +1,24 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci
+      - run: npm run build
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+Format based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [0.1.0] - 2026-04-05
+
+### Added
+
+- Initial release with 10 tools for Swiss farm workplace safety
+- `search_safety_rules` with tiered FTS5 search (phrase, AND, prefix, stemmed, OR, LIKE fallback)
+- `get_risk_assessment_requirements` for EKAS/VUV obligations by activity type
+- `get_machinery_safety` for ROPS, Gurtpflicht, MFK, PTO requirements
+- `get_chemical_safety` for MAK exposure limits, PPE, storage rules
+- `get_young_worker_rules` for Jugendarbeitsschutz restrictions (ArGV 5)
+- `get_accident_reporting` for deadlines, forms, insurer by severity
+- `search_bul_guidance` for BUL/SPAA documents and campaigns
+- `about`, `list_sources`, `check_data_freshness` metadata tools
+- Streamable HTTP transport for remote access
+- Docker image with non-root user and health check
+- CI/CD: GHCR build, npm publish, CodeQL, Gitleaks, freshness check
+- Data from BUL/SPAA, Suva, EKAS, Agriss, SECO

package/CODEOWNERS

@@ -0,0 +1 @@
+* @ansvar-systems/mcp-team

package/COVERAGE.md

@@ -0,0 +1,54 @@
+# Coverage — ch-farm-safety-mcp
+
+## Jurisdiction
+
+Switzerland (CH)
+
+## Data Summary
+
+| Table | Records | Description |
+|-------|---------|-------------|
+| safety_rules | 30 | BUL lebenswichtige Regeln, Suva requirements, EKAS guidelines |
+| risk_assessments | 7 | Risk assessment obligations per activity type (VUV/EKAS) |
+| machinery_safety | 10 | ROPS, Gurtpflicht, MFK, PTO guards by machine type |
+| chemical_safety | 7 | MAK exposure limits, PPE, storage rules by substance |
+| young_worker_rules | 5 | Jugendarbeitsschutz restrictions by age group (ArGV 5) |
+| accident_reporting | 5 | Reporting deadlines, forms, insurer by severity |
+| bul_guidance | 15 | BUL/SPAA guidance documents, fact sheets, campaigns |
+| **Total** | **79** | |
+
+## Safety Areas (search_safety_rules topics)
+
+- `maschinen` -- agricultural machinery (Traktor, Maehdrescher, Motorsaege)
+- `tiere` -- livestock handling (Rinder, Pferde, Schweine)
+- `wald` -- forestry work (Holzerei, Baumfaellen)
+- `hoehe` -- working at height (Silo, Dach, Leiter)
+- `chemie` -- chemical exposure (PSM, Duenger)
+- `silogas` -- silo gas hazards (CO2, NO2)
+- `allgemein` -- general farm safety
+
+## Legal Framework Covered
+
+| Law/Regulation | Abbreviation | Scope |
+|----------------|-------------|-------|
+| Arbeitsgesetz | ArG (SR 822.11) | Working conditions, young worker protection |
+| Verordnung ueber die Verhuetung von Unfaellen | VUV (SR 832.30) | Accident prevention obligations |
+| Unfallversicherungsgesetz | UVG (SR 832.20) | Accident insurance, reporting obligations |
+| Chemikalien-Risikoreduktions-Verordnung | ChemRRV (SR 814.81) | PSM application, chemical handling |
+| Maschinenverordnung | MaschV (SR 819.14) | Machinery safety certification |
+| Jugendarbeitsschutzverordnung | ArGV 5 (SR 822.115) | Young worker restrictions |
+| EKAS Richtlinie 6508 | ASA | Systematic safety work, Branchenloesung |
+
+## Data Sources
+
+- **BUL/SPAA** -- Beratungsstelle fuer Unfallverhuetung in der Landwirtschaft (bul.ch)
+- **Suva** -- Schweizerische Unfallversicherungsanstalt (suva.ch)
+- **EKAS** -- Eidg. Koordinationskommission fuer Arbeitssicherheit (ekas.admin.ch)
+- **Agriss** -- Unfallstatistik Schweizer Landwirtschaft (BUL/Agroscope)
+- **SECO** -- Staatssekretariat fuer Wirtschaft (Jugendarbeitsschutz)
+
+## Staleness Threshold
+
+90 days. Check with `check_data_freshness` tool or `npm run freshness:check`.
+
+Last ingest: 2026-04-05

package/DISCLAIMER.md

@@ -0,0 +1,51 @@
+# Haftungsausschluss / Disclaimer
+
+## Deutsch
+
+Die in diesem MCP-Server bereitgestellten Daten dienen ausschliesslich der Information und ersetzen keine professionelle Sicherheitsberatung.
+
+Die Inhalte basieren auf oeffentlich zugaenglichen Dokumenten der folgenden Stellen:
+
+- **BUL/SPAA** -- Beratungsstelle fuer Unfallverhuetung in der Landwirtschaft
+- **Suva** -- Schweizerische Unfallversicherungsanstalt
+- **EKAS** -- Eidgenoessische Koordinationskommission fuer Arbeitssicherheit
+- **Agriss** -- Unfallstatistik Schweizer Landwirtschaft (BUL / Agroscope)
+- **SECO** -- Staatssekretariat fuer Wirtschaft (Jugendarbeitsschutz)
+
+Die rechtlich verbindlichen Texte sind die amtlichen Publikationen in der Systematischen Rechtssammlung (SR), insbesondere:
+
+- Arbeitsgesetz (ArG, SR 822.11)
+- Verordnung ueber die Verhuetung von Unfaellen und Berufskrankheiten (VUV, SR 832.30)
+- Unfallversicherungsgesetz (UVG, SR 832.20)
+- Chemikalien-Risikoreduktions-Verordnung (ChemRRV, SR 814.81)
+- Jugendarbeitsschutzverordnung (ArGV 5, SR 822.115)
+
+Vor der Umsetzung von Sicherheitsmassnahmen ist stets die BUL/SPAA, die Suva oder eine qualifizierte Sicherheitsfachperson beizuziehen. Betriebsspezifische Risikobeurteilungen gemaess VUV Art. 3-10 und der EKAS Branchenloesung Landwirtschaft sind eigenstaendig durchzufuehren.
+
+Ansvar Systems uebernimmt keine Haftung fuer die Richtigkeit, Vollstaendigkeit oder Aktualitaet der bereitgestellten Daten.
+
+---
+
+## English
+
+The data provided by this MCP server is for informational purposes only and does not constitute professional safety advice.
+
+Content is derived from publicly available documents published by:
+
+- **BUL/SPAA** -- Swiss Advisory Service for Accident Prevention in Agriculture
+- **Suva** -- Swiss National Accident Insurance Fund
+- **EKAS** -- Federal Coordination Commission for Occupational Safety
+- **Agriss** -- Swiss Agricultural Accident Statistics (BUL / Agroscope)
+- **SECO** -- State Secretariat for Economic Affairs (Young Worker Protection)
+
+The legally binding texts are the official publications in the Swiss Systematic Collection of Federal Legislation (SR), including:
+
+- Employment Act (ArG, SR 822.11)
+- Ordinance on the Prevention of Accidents and Occupational Diseases (VUV, SR 832.30)
+- Accident Insurance Act (UVG, SR 832.20)
+- Chemical Risk Reduction Ordinance (ChemRRV, SR 814.81)
+- Young Workers Protection Ordinance (ArGV 5, SR 822.115)
+
+Always consult BUL/SPAA, Suva, or a qualified safety professional before implementing safety measures. Farm-specific risk assessments as required by VUV Art. 3-10 and the EKAS sector solution for agriculture must be conducted independently.
+
+Ansvar Systems accepts no liability for the accuracy, completeness, or currency of the data provided.

package/Dockerfile

@@ -0,0 +1,26 @@
+FROM node:20-slim AS builder
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY tsconfig.json ./
+COPY src/ src/
+RUN npm run build
+
+FROM node:20-slim
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser --system --uid 1001 nodejs
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --omit=dev && npm cache clean --force && apt-get purge -y python3 make g++ && apt-get autoremove -y
+COPY --from=builder /app/dist dist/
+COPY data/ data/
+RUN chown -R nodejs:nodejs /app/data
+USER nodejs
+ENV NODE_ENV=production
+ENV PORT=3000
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD node -e "require('http').get('http://localhost:' + process.env.PORT + '/health', (r) => { process.exit(r.statusCode === 200 ? 0 : 1) })"
+CMD ["node", "dist/http-server.js"]

package/LICENSE

@@ -0,0 +1,17 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   Copyright 2026 Ansvar Systems

package/PRIVACY.md

@@ -0,0 +1,25 @@
+# Privacy Policy
+
+## Data Processing
+
+This MCP server processes **no personal data**. It serves pre-ingested, publicly available Swiss farm safety information.
+
+## What This Server Does Not Do
+
+- Does not collect, store, or transmit user queries
+- Does not use cookies, tracking pixels, or analytics
+- Does not require authentication or user accounts
+- Does not log IP addresses or request metadata beyond standard HTTP server logs
+- Does not process any data subject to GDPR, nDSG (Swiss Data Protection Act), or any other privacy regulation
+
+## Data Sources
+
+All data is sourced from public-sector publications by BUL/SPAA, Suva, EKAS, Agriss, and SECO. No personal data is included in the dataset.
+
+## Remote Endpoint
+
+The Streamable HTTP endpoint at `mcp.ansvar.eu` is proxied through Cloudflare. Cloudflare may process connection metadata (IP, TLS fingerprint) according to their privacy policy. Ansvar Systems does not access or retain this metadata.
+
+## Contact
+
+For privacy questions: **privacy@ansvar.eu**

package/README.md

@@ -0,0 +1,129 @@
+# Switzerland Farm Safety MCP
+
+Machine-readable Swiss farm workplace safety data via the [Model Context Protocol](https://modelcontextprotocol.io).
+
+Covers BUL/SPAA safety rules (lebenswichtige Regeln), Suva occupational safety requirements, EKAS Branchenloesung Landwirtschaft, Agriss accident statistics, machinery safety (ROPS, MFK, PTO guards), chemical exposure (PSM, MAK values), young worker restrictions (Jugendarbeitsschutz), and accident reporting obligations.
+
+## Quick Start
+
+### npx (stdio — zero install)
+
+```bash
+npx -y @ansvar/ch-farm-safety-mcp
+```
+
+### Docker
+
+```bash
+docker run -p 3000:3000 ghcr.io/ansvar-systems/ch-farm-safety-mcp:latest
+```
+
+### Streamable HTTP (remote)
+
+```
+https://mcp.ansvar.eu/ch-farm-safety/mcp
+```
+
+No authentication required. Rate-limited to fair use.
+
+### Claude Desktop / Cursor
+
+Add to your MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "ch-farm-safety": {
+      "command": "npx",
+      "args": ["-y", "@ansvar/ch-farm-safety-mcp"]
+    }
+  }
+}
+```
+
+Or use the remote endpoint:
+
+```json
+{
+  "mcpServers": {
+    "ch-farm-safety": {
+      "url": "https://mcp.ansvar.eu/ch-farm-safety/mcp"
+    }
+  }
+}
+```
+
+## Tools
+
+10 tools covering Swiss farm workplace safety:
+
+| Tool | Description |
+|------|-------------|
+| `about` | Server metadata: name, version, coverage, data sources |
+| `list_sources` | All data sources with authority, URL, license, freshness |
+| `check_data_freshness` | Last ingest date, staleness status, refresh command |
+| `search_safety_rules` | FTS5 search across BUL/Suva/EKAS safety rules |
+| `get_risk_assessment_requirements` | Risk assessment obligations per farm activity (EKAS/VUV) |
+| `get_machinery_safety` | ROPS, Gurtpflicht, MFK, PTO guard requirements by machine type |
+| `get_chemical_safety` | MAK exposure limits, PPE, storage rules by substance |
+| `get_young_worker_rules` | Jugendarbeitsschutz restrictions by age group |
+| `get_accident_reporting` | Reporting deadlines, forms, insurer by severity |
+| `search_bul_guidance` | BUL/SPAA guidance documents, fact sheets, campaigns |
+
+Full tool documentation: [TOOLS.md](TOOLS.md)
+
+## Data Sources
+
+| Source | Authority | Coverage |
+|--------|-----------|----------|
+| [BUL/SPAA](https://www.bul.ch) | Beratungsstelle fuer Unfallverhuetung in der Landwirtschaft | Lebenswichtige Regeln, Merkblaetter, Safe@Work |
+| [Suva](https://www.suva.ch/de-ch/praevention/nach-branche/landwirtschaft) | Schweizerische Unfallversicherungsanstalt | MAK values, PPE, accident reporting |
+| [EKAS](https://www.ekas.admin.ch) | Eidg. Koordinationskommission fuer Arbeitssicherheit | Branchenloesung Landwirtschaft, ASA concept |
+| [Agriss](https://www.bul.ch/de/themen/unfallstatistik) | BUL / Agroscope | Farm accident statistics |
+| [SECO](https://www.seco.admin.ch/seco/de/home/Arbeit/Arbeitsbedingungen/jugendarbeitsschutz.html) | Staatssekretariat fuer Wirtschaft | Young worker protection (ArGV 5) |
+
+Coverage details: [COVERAGE.md](COVERAGE.md)
+
+## Development
+
+```bash
+npm install
+npm run build
+npm test
+npm run lint
+```
+
+### Ingestion
+
+```bash
+npm run ingest          # incremental update
+npm run ingest:full     # force full re-ingestion
+npm run ingest:fetch    # fetch sources only (no DB write)
+npm run ingest:diff     # show changes without applying
+```
+
+### Freshness
+
+```bash
+npm run freshness:check
+```
+
+Data staleness threshold: 90 days. The `check-freshness.yml` workflow runs weekly and opens an issue if data is stale.
+
+## Legal
+
+This server provides Swiss farm safety data for informational purposes only. It does not constitute professional safety advice. Always consult BUL/SPAA, Suva, or a qualified safety professional (Sicherheitsfachperson) before implementing safety measures.
+
+See [DISCLAIMER.md](DISCLAIMER.md) for the full bilingual disclaimer.
+
+## License
+
+Apache-2.0 -- see [LICENSE](LICENSE).
+
+Data sourced from BUL/SPAA, Suva, EKAS, Agriss, and SECO under Swiss public-sector information principles.
+
+## Links
+
+- [Ansvar Open Agriculture](https://ansvar.eu/open-agriculture)
+- [MCP Network](https://ansvar.ai/mcp)
+- [SECURITY.md](SECURITY.md) | [PRIVACY.md](PRIVACY.md) | [CHANGELOG.md](CHANGELOG.md)

package/SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.1.x   | Yes       |
+
+## Reporting a Vulnerability
+
+Report security vulnerabilities to **security@ansvar.eu**.
+
+Do **not** open a public GitHub issue for security vulnerabilities.
+
+We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
+
+## Security Measures
+
+- **Read-only database:** The SQLite database is mounted read-only in production containers.
+- **No client data:** This server does not store, process, or transmit client data. All data is pre-ingested public-sector information.
+- **No authentication secrets:** The server requires no API keys, tokens, or credentials.
+- **Container isolation:** Production runs as a non-root user (`nodejs`, UID 1001) with memory limits.
+- **Dependency scanning:** GitHub CodeQL and Gitleaks run on every push and pull request.
+- **GHCR image builds:** Images are built via CI/CD only, signed with GitHub Actions OIDC provenance.
+- **npm provenance:** Published packages include npm provenance attestation.