@ateam-ai/mcp 0.3.31 → 0.3.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ateam-ai/mcp",
-  "version": "0.3.31",
+  "version": "0.3.33",
   "mcpName": "io.github.ariekogan/ateam-mcp",
   "description": "A-Team MCP Server — build, validate, and deploy multi-agent solutions from any AI environment",
   "type": "module",

package/src/http.js

@@ -182,9 +182,24 @@ export function startHttpServer(port = 3100) {
   const mcpAuthOptional = [autoInjectToken, optionalBearerAuth];
 
   // ─── CORS — required for browser-based MCP clients ──────────────
+  // Origin allowlist (round 014 security hardening).
+  // ATEAM_CORS_ALLOWED_ORIGINS env = comma-separated list, or "*" / unset for
+  // wildcard (default — preserves compat with third-party MCP clients).
+  // When set, Origin must match exactly; otherwise no ACAO header is sent.
+  const CORS_ALLOWED_LIST = String(process.env.ATEAM_CORS_ALLOWED_ORIGINS || "*")
+    .split(",").map((s) => s.trim()).filter(Boolean);
+  const CORS_ALLOW_ANY = CORS_ALLOWED_LIST.includes("*");
+  function resolveOrigin(req) {
+    const o = req.headers?.origin;
+    if (CORS_ALLOW_ANY) return o || "*";
+    if (o && CORS_ALLOWED_LIST.includes(o)) return o;
+    return null;
+  }
   for (const path of MCP_PATHS) {
     app.use(path, (req, res, next) => {
-      res.setHeader("Access-Control-Allow-Origin", "*");
+      const origin = resolveOrigin(req);
+      if (origin) res.setHeader("Access-Control-Allow-Origin", origin);
+      if (!CORS_ALLOW_ANY) res.setHeader("Vary", "Origin");
       res.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE, OPTIONS");
       res.setHeader("Access-Control-Allow-Headers", "content-type, mcp-session-id, authorization");
       res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");

package/src/tools.js

@@ -2288,19 +2288,38 @@ const handlers = {
         }),
       };
     }
+    // Pull through the underlying error/message instead of fabricating "0/0/0
+    // success-shaped" output. Old wrapper hid backend errors (e.g. validator
+    // failures from sentinel files in user repos) and reported `total: 0` with
+    // no clue why — the agent was left thinking redeploy was a no-op when in
+    // fact it was a hard failure.
+    const failedCount = !result.ok
+      ? (result.failed ?? (result.skills?.length ? result.skills.filter(s => s.ok === false).length : 1))
+      : (result.failed || 0);
+    const deployedCount = result.deployed ?? (result.ok ? (skill_id ? 1 : (result.skills?.filter(s => s.ok !== false).length || 0)) : 0);
+    const totalCount = result.total ?? (deployedCount + failedCount);
+
     return {
       ok: result.ok,
       solution_id,
       ...(skill_id && { skill_id }),
-      deployed: result.deployed || (result.ok ? 1 : 0),
-      failed: result.failed || 0,
-      total: result.total || (result.ok ? 1 : 0),
+      deployed: deployedCount,
+      failed: failedCount,
+      total: totalCount,
       skills: result.skills || [],
+      // Surface the underlying error when the request failed — the most
+      // common cause is a validator failure (e.g. broken connector source
+      // in the GitHub repo), and hiding it makes diagnosis impossible.
+      ...(!result.ok && result.error && { error: result.error }),
+      ...(!result.ok && result.details && { details: result.details }),
+      ...(!result.ok && result.hint && { hint: result.hint }),
       message: result.ok
         ? skill_id
           ? `Re-deployed skill "${skill_id}" successfully.`
-          : `Re-deployed ${result.deployed || 0} skill(s) successfully.`
-        : `Re-deploy had ${result.failed || 0} failure(s). Check skills array for details.`,
+          : `Re-deployed ${deployedCount} skill(s) successfully.`
+        : (result.error
+            ? `Re-deploy failed: ${result.error}${result.hint ? ` — ${result.hint}` : ''}`
+            : `Re-deploy had ${failedCount} failure(s). Check skills array or call the underlying endpoint with verbose:true.`),
     };
   },