@atoms-tech/atoms-mcp 0.1.0

package/dist/middleware/rate-limiter.d.ts

@@ -0,0 +1,21 @@
+/**
+ * In-memory per-user rate limiting for MCP tool calls.
+ *
+ * Default: 60 requests/minute. Configurable via ATOMS_RATE_LIMIT_RPM env var.
+ * Uses sliding window algorithm.
+ */
+/**
+ * Check if a user has exceeded their rate limit.
+ * Returns { allowed: true } or { allowed: false, retryAfterSeconds }.
+ */
+export declare function checkRateLimit(userId: string): {
+    allowed: true;
+} | {
+    allowed: false;
+    retryAfterSeconds: number;
+};
+/**
+ * Clear rate limit state. Useful for testing.
+ */
+export declare function clearRateLimits(): void;
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/middleware/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,GACb;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CA0BnE;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}

package/dist/middleware/rate-limiter.js

@@ -0,0 +1,43 @@
+/**
+ * In-memory per-user rate limiting for MCP tool calls.
+ *
+ * Default: 60 requests/minute. Configurable via ATOMS_RATE_LIMIT_RPM env var.
+ * Uses sliding window algorithm.
+ */
+const DEFAULT_RPM = 60;
+const WINDOW_MS = 60_000; // 1 minute
+const windows = new Map();
+/**
+ * Check if a user has exceeded their rate limit.
+ * Returns { allowed: true } or { allowed: false, retryAfterSeconds }.
+ */
+export function checkRateLimit(userId) {
+    const rpm = parseInt(process.env.ATOMS_RATE_LIMIT_RPM ?? "", 10) || DEFAULT_RPM;
+    const now = Date.now();
+    const cutoff = now - WINDOW_MS;
+    let window = windows.get(userId);
+    if (!window) {
+        window = { timestamps: [] };
+        windows.set(userId, window);
+    }
+    // Prune old timestamps
+    window.timestamps = window.timestamps.filter((t) => t > cutoff);
+    if (window.timestamps.length >= rpm) {
+        // Calculate when the oldest request in the window expires
+        const oldestInWindow = window.timestamps[0];
+        const retryAfterMs = oldestInWindow + WINDOW_MS - now;
+        return {
+            allowed: false,
+            retryAfterSeconds: Math.ceil(retryAfterMs / 1000),
+        };
+    }
+    window.timestamps.push(now);
+    return { allowed: true };
+}
+/**
+ * Clear rate limit state. Useful for testing.
+ */
+export function clearRateLimits() {
+    windows.clear();
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/middleware/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,WAAW;AAMrC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;AAE9C;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,MAAc;IAEd,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,WAAW,CAAC;IAChF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,GAAG,GAAG,SAAS,CAAC;IAE/B,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,uBAAuB;IACvB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IAEhE,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACpC,0DAA0D;QAC1D,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAE,CAAC;QAC7C,MAAM,YAAY,GAAG,cAAc,GAAG,SAAS,GAAG,GAAG,CAAC;QACtD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,iBAAiB,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;SAClD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}

package/dist/middleware/validator.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Input validation for MCP tool parameters.
+ *
+ * All LLM-generated inputs are untrusted. Validate everything.
+ * Pattern ported from Polarion MCP middleware/input_validator.py.
+ */
+export declare function validateProjectId(id: string): string;
+export declare function validateItemId(id: string): string;
+export declare function validateQuery(query: string): string;
+export declare function validateLimit(limit: number, max: number): number;
+export declare function validateOffset(offset: number): number;
+export declare function validateTitle(title: string): string;
+export declare function validateItemType(type: string): string;
+export declare function validateRelationshipType(type: string): string;
+export declare function sanitizeText(text: string): string;
+/**
+ * Custom validation error with a clean message for LLM consumption.
+ */
+export declare class ValidationError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=validator.d.ts.map

package/dist/middleware/validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/middleware/validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAQpD;AAED,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAajD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQnD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAKhE;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAKrD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQnD;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQrD;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQ7D;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAMjD;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/middleware/validator.js

@@ -0,0 +1,91 @@
+/**
+ * Input validation for MCP tool parameters.
+ *
+ * All LLM-generated inputs are untrusted. Validate everything.
+ * Pattern ported from Polarion MCP middleware/input_validator.py.
+ */
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const ITEM_ID_REGEX = /^[A-Z]+-\d{5}$/;
+const SAFE_TEXT_REGEX = /^[^<>&;'"\\]+$/;
+export function validateProjectId(id) {
+    if (!id || typeof id !== "string") {
+        throw new ValidationError("project_id is required");
+    }
+    if (!UUID_REGEX.test(id)) {
+        throw new ValidationError("project_id must be a valid UUID");
+    }
+    return id;
+}
+export function validateItemId(id) {
+    if (!id || typeof id !== "string") {
+        throw new ValidationError("item_id is required");
+    }
+    if (id.length > 20) {
+        throw new ValidationError("item_id exceeds maximum length");
+    }
+    if (!ITEM_ID_REGEX.test(id)) {
+        throw new ValidationError("item_id must match format: PREFIX-NNNNN (e.g., REQ-00001, TC-00050)");
+    }
+    return id;
+}
+export function validateQuery(query) {
+    if (!query || typeof query !== "string") {
+        throw new ValidationError("query is required");
+    }
+    if (query.length > 1000) {
+        throw new ValidationError("query exceeds maximum length of 1000 characters");
+    }
+    return query.trim();
+}
+export function validateLimit(limit, max) {
+    if (typeof limit !== "number" || !Number.isInteger(limit)) {
+        throw new ValidationError("limit must be an integer");
+    }
+    return Math.max(1, Math.min(limit, max));
+}
+export function validateOffset(offset) {
+    if (typeof offset !== "number" || !Number.isInteger(offset)) {
+        throw new ValidationError("offset must be an integer");
+    }
+    return Math.max(0, offset);
+}
+export function validateTitle(title) {
+    if (!title || typeof title !== "string") {
+        throw new ValidationError("title is required");
+    }
+    if (title.length > 500) {
+        throw new ValidationError("title exceeds maximum length of 500 characters");
+    }
+    return title.trim();
+}
+export function validateItemType(type) {
+    const validTypes = ["requirement", "test-case", "note", "table"];
+    if (!validTypes.includes(type)) {
+        throw new ValidationError(`type must be one of: ${validTypes.join(", ")}. Got: '${type}'`);
+    }
+    return type;
+}
+export function validateRelationshipType(type) {
+    const validTypes = ["parent", "child", "related", "verifies", "verified_by"];
+    if (!validTypes.includes(type)) {
+        throw new ValidationError(`relationship type must be one of: ${validTypes.join(", ")}. Got: '${type}'`);
+    }
+    return type;
+}
+export function sanitizeText(text) {
+    // Strip potential XSS/injection characters from free-text fields
+    return text
+        .replace(/[<>&]/g, "")
+        .replace(/\\/g, "")
+        .trim();
+}
+/**
+ * Custom validation error with a clean message for LLM consumption.
+ */
+export class ValidationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ValidationError";
+    }
+}
+//# sourceMappingURL=validator.js.map

package/dist/middleware/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/middleware/validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,UAAU,GAAG,iEAAiE,CAAC;AACrF,MAAM,aAAa,GAAG,gBAAgB,CAAC;AACvC,MAAM,eAAe,GAAG,gBAAgB,CAAC;AAEzC,MAAM,UAAU,iBAAiB,CAAC,EAAU;IAC1C,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,eAAe,CAAC,wBAAwB,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,eAAe,CAAC,iCAAiC,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,eAAe,CAAC,qBAAqB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACnB,MAAM,IAAI,eAAe,CAAC,gCAAgC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,eAAe,CACvB,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,eAAe,CAAC,mBAAmB,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QACxB,MAAM,IAAI,eAAe,CAAC,iDAAiD,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,GAAW;IACtD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,eAAe,CAAC,0BAA0B,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,eAAe,CAAC,2BAA2B,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,eAAe,CAAC,mBAAmB,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACvB,MAAM,IAAI,eAAe,CAAC,gDAAgD,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,UAAU,GAAG,CAAC,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACjE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,eAAe,CACvB,wBAAwB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,GAAG,CAChE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,IAAY;IACnD,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAC7E,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,eAAe,CACvB,qCAAqC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,GAAG,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,iEAAiE;IACjE,OAAO,IAAI;SACR,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAClB,IAAI,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF"}

package/dist/server.d.ts

@@ -0,0 +1,14 @@
+/**
+ * ATOMS MCP Server — Tool registration and initialization.
+ *
+ * Registers all 10 tools with the MCP SDK using server.registerTool().
+ * Tools are implemented in separate files under src/tools/.
+ *
+ * Naming: atoms_{action}_{resource} (snake_case with service prefix)
+ * Server name: atoms-mcp-server (follows {service}-mcp-server convention)
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare const server: McpServer;
+/** Expose session ID for change_history writes */
+export declare function getMcpSessionId(): string;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAQpE,eAAO,MAAM,MAAM,WAGjB,CAAC;AA6EH,kDAAkD;AAClD,wBAAgB,eAAe,IAAI,MAAM,CAExC"}