npm - @cyanheads/cdc-health-mcp-server - Versions diffs - 0.6.4 → 0.6.5 - Mend

@cyanheads/cdc-health-mcp-server 0.6.4 → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.mcpbignore ADDED Viewed

@@ -0,0 +1,10 @@
+.env*
+.mcpregistry_*
+.claude/
+Dockerfile
+bun.lock
+bunfig.toml
+wrangler.toml
+biome.json
+tsconfig*.json
+vitest.config.ts

package/CLAUDE.md CHANGED Viewed

@@ -1,8 +1,9 @@
 # Agent Protocol
 **Server:** cdc-health-statistics-mcp-server
-**Version:** 0.6.4
-**Framework:** [@cyanheads/mcp-ts-core](https://www.npmjs.com/package/@cyanheads/mcp-ts-core)
+**Version:** 0.6.5
+**Framework:** [@cyanheads/mcp-ts-core](https://www.npmjs.com/package/@cyanheads/mcp-ts-core) `^0.9.6`
+**Engines:** Bun ≥1.3.2, Node ≥24.0.0
 > **Read the framework docs first:** `node_modules/@cyanheads/mcp-ts-core/CLAUDE.md` contains the full API reference — builders, Context, error codes, exports, patterns. This file covers server-specific conventions only.
@@ -64,8 +65,9 @@ When the user asks what to do next, what's left, or needs direction, suggest rel
 5. **Add tests** — scaffold tests for existing definitions using the `add-test` skill
 6. **Field-test definitions** — exercise tools/resources/prompts with real inputs using the `field-test` skill, get a report of issues and pain points
 7. **Run `devcheck`** — lint, format, typecheck, and security audit
-8. **Run the `polish-docs-meta` skill** — finalize README, CHANGELOG, metadata, and agent protocol for shipping
-9. **Run the `maintenance` skill** — sync skills and dependencies after framework updates
+8. **Run the `security-pass` skill** — audit handlers for MCP-specific security gaps: output injection, scope blast radius, input sinks, tenant isolation
+9. **Run the `polish-docs-meta` skill** — finalize README, CHANGELOG, metadata, and agent protocol for shipping
+10. **Run the `maintenance` skill** — investigate changelogs, adopt upstream changes, and sync skills after `bun update --latest`
 Tailor suggestions to what's actually missing or stale — don't recite the full list every time.
@@ -73,7 +75,7 @@ Tailor suggestions to what's actually missing or stale — don't recite the full
 ## Core Rules
-- **Logic throws, framework catches.** Tool/resource handlers are pure — throw on failure, no `try/catch`. The framework catches, classifies, and formats. Prefer typed error contracts (`errors[]` + `ctx.fail`) for declared failure modes; fall back to error factories (`notFound()`, `validationError()`, etc.) for ad-hoc throws.
+- **Logic throws, framework catches.** Tool/resource handlers are pure — throw on failure, no `try/catch`. Plain `Error` is fine; the framework catches, classifies, and formats. Use error factories (`notFound()`, `validationError()`, etc.) when the error code matters.
 - **Use `ctx.log`** for request-scoped logging. No `console` calls.
 - **Use `ctx.state`** for tenant-scoped storage. Never access persistence directly.
 - **Check `ctx.elicit` / `ctx.sample`** for presence before calling.
@@ -285,7 +287,7 @@ src/
 Skills are modular instructions in `skills/` at the project root. Read them directly when a task matches — e.g., `skills/add-tool/SKILL.md` when adding a tool.
-**Agent skill directory:** Copy skills into the directory your agent discovers (Claude Code: `.claude/skills/`, others: equivalent). This makes skills available as context without needing to reference `skills/` paths manually. After framework updates, re-copy to pick up changes.
+**Agent skill directory:** Copy skills into the directory your agent discovers (Claude Code: `.claude/skills/`, others: equivalent). Skills then load as context without referencing `skills/` paths. After framework updates, run the `maintenance` skill — Phase B re-syncs the agent directory.
 Available skills:
@@ -299,17 +301,17 @@ Available skills:
 | `add-prompt` | Scaffold a new prompt definition |
 | `add-service` | Scaffold a new service integration |
 | `add-test` | Scaffold test file for a tool, resource, or service |
-| `field-test` | Exercise tools/resources/prompts via live HTTP + JSON-RPC, report findings |
+| `field-test` | Exercise tools/resources/prompts with real inputs, verify behavior, report issues |
 | `tool-defs-analysis` | Read-only audit of definition language across the surface (10 categories) |
 | `polish-docs-meta` | Finalize docs, README, metadata, and agent protocol for shipping |
 | `security-pass` | Eight-axis security audit before release (injection, scope, input sinks, leakage, etc.) |
 | `release-and-publish` | Post-wrapup ship workflow — npm, MCP Registry, GHCR |
-| `maintenance` | Investigate, adopt, and verify dependency updates (framework changelog review + skill/script sync) |
+| `maintenance` | Investigate changelogs, adopt upstream changes, sync skills to agent dirs |
 | `migrate-mcp-ts-template` | Migrate a fork of mcp-ts-template to depend on the framework as a package |
 | `report-issue-framework` | File a bug or feature request against `@cyanheads/mcp-ts-core` via `gh` CLI |
 | `report-issue-local` | File a bug or feature request against this server's own repo via `gh` CLI |
 | `api-auth` | Auth modes, scopes, JWT/OAuth |
-| `api-canvas` | DataCanvas Tier 3 SQL/analytical workspace + `spillover()` helper (opt-in via CANVAS_PROVIDER_TYPE) |
+| `api-canvas` | DataCanvas: register tabular data, run SQL, export, plus the `spillover()` helper for big result sets — Tier 3 opt-in |
 | `api-config` | AppConfig, parseConfig, parseEnvConfig, env vars |
 | `api-context` | Context interface, logger, state, progress |
 | `api-errors` | McpError, JsonRpcErrorCode, typed error contracts, error patterns |
@@ -317,7 +319,7 @@ Available skills:
 | `api-services` | LLM, Speech, Graph services |
 | `api-telemetry` | OTel catalog: spans, metrics, completion logs, env config, cardinality rules |
 | `api-testing` | createMockContext, test patterns |
-| `api-utils` | Formatting, parsing, security, pagination, scheduling |
+| `api-utils` | Formatting, parsing, security, pagination, scheduling, telemetry helpers |
 | `api-workers` | Cloudflare Workers runtime |
 When you complete a skill's checklist, check the boxes and add a completion timestamp at the end (e.g., `Completed: 2026-03-11`).
@@ -331,15 +333,49 @@ When you complete a skill's checklist, check the boxes and add a completion time
 | `bun run build` | Compile TypeScript |
 | `bun run rebuild` | Clean + build |
 | `bun run clean` | Remove build artifacts |
-| `bun run devcheck` | Lint + format + typecheck + security |
+| `bun run devcheck` | Lint + format + typecheck + security + changelog sync |
+| `bun run audit:refresh` | Delete `bun.lock`, reinstall, and re-audit. Use when `devcheck` flags a transitive advisory — stale lockfile can mask already-patched deps. If advisory survives, it's real. |
 | `bun run tree` | Generate directory structure doc |
 | `bun run format` | Auto-fix formatting |
+| `bun run list-skills` | Print skill index from project `skills/` |
+| `bun run bundle` | Build and pack as `.mcpb` for one-click Claude Desktop install |
+| `bun run changelog:build` | Regenerate `CHANGELOG.md` from `changelog/*.md` |
+| `bun run changelog:check` | Verify `CHANGELOG.md` is in sync (used by devcheck) |
 | `bun run test` | Run tests |
 | `bun run start:stdio` | Production mode (stdio) — `bun run rebuild && bun run start:stdio` for dev smoke-tests |
 | `bun run start:http` | Production mode (HTTP) — `bun run rebuild && bun run start:http` for dev smoke-tests |
 ---
+## Bundling
+`bun run bundle` produces a `.mcpb` extension bundle for one-click install in Claude Desktop. MCPB is stdio-only — HTTP deployments are unaffected. Delete `manifest.json` and `.mcpbignore` to skip; `lint:packaging` skips cleanly when `manifest.json` is absent.
+**Adding an env var requires both files:** `server.json` (`environmentVariables[]`) and `manifest.json` (`mcp_config.env` + `user_config`). `lint:packaging` (wired into `devcheck`) verifies alignment.
+---
+## Changelog
+Directory-based, grouped by minor series. Source of truth: `changelog/<major.minor>.x/<version>.md` — one file per release. `changelog/template.md` is a pristine format reference — never edit or move it. `CHANGELOG.md` is a navigation index regenerated by `bun run changelog:build` — devcheck hard-fails on drift; never hand-edit it.
+Each per-version file opens with YAML frontmatter:
+```markdown
+---
+summary: "One-line headline, ≤350 chars"
+breaking: false
+security: false
+---
+# 0.7.0 — YYYY-MM-DD
+...
+```
+**Section order** (Keep a Changelog): Added, Changed, Deprecated, Removed, Fixed, Security. Include only sections with entries.
+---
 ## Imports
 ```ts
@@ -359,9 +395,11 @@ import { getSocrataService } from '@/services/socrata/socrata-service.js';
 - [ ] Optional nested objects: handler guards for empty inner values from form-based clients (`if (input.obj?.field && ...)`, not just `if (input.obj)`). When regex/length constraints matter, use `z.union([z.literal(''), z.string().regex(...).describe(...)])` — literal variants are exempt from `describe-on-fields`.
 - [ ] JSDoc `@fileoverview` + `@module` on every file
 - [ ] `ctx.log` for logging, `ctx.state` for storage
-- [ ] Handlers throw on failure — typed `errors[]` + `ctx.fail` for declared modes, factories or `Error` for ad-hoc; no try/catch
+- [ ] Handlers throw on failure — error factories or plain `Error`, no try/catch
 - [ ] `format()` renders all data the LLM needs — different clients forward different surfaces (Claude Code → `structuredContent`, Claude Desktop → `content[]`); both must carry the same data
-- [ ] Service-thrown errors carry contract `reason` via `data: { reason }` on factory calls when applicable
+- [ ] If wrapping external API: raw/domain/output schemas reviewed against real upstream sparsity/nullability before finalizing required vs optional fields
+- [ ] If wrapping external API: normalization and `format()` preserve uncertainty; do not fabricate facts from missing upstream data
+- [ ] If wrapping external API: tests include at least one sparse payload case with omitted upstream fields
 - [ ] Registered in `createApp()` arrays (directly or via barrel exports)
 - [ ] Tests use `createMockContext()` from `@cyanheads/mcp-ts-core/testing`
 - [ ] `bun run devcheck` passes

package/README.md CHANGED Viewed

@@ -1,15 +1,21 @@
 <div align="center">
   <h1>@cyanheads/cdc-health-mcp-server</h1>
-  <p><b>MCP server for the CDC Open Data portal. Search ~1,487 public health datasets, inspect schemas, and execute SoQL queries across disease surveillance, mortality, vaccinations, behavioral risk, and more. STDIO or Streamable HTTP.</b>
+  <p><b>Discover and query CDC public health datasets via the Socrata SODA API via MCP. STDIO or Streamable HTTP.</b>
   <div>3 Tools • 2 Resources • 1 Prompt</div>
   </p>
 </div>
 <div align="center">
-[![npm](https://img.shields.io/npm/v/@cyanheads/cdc-health-mcp-server?style=flat-square&logo=npm&logoColor=white)](https://www.npmjs.com/package/@cyanheads/cdc-health-mcp-server) [![Version](https://img.shields.io/badge/Version-0.6.4-blue.svg?style=flat-square)](./CHANGELOG.md) [![Framework](https://img.shields.io/badge/Built%20on-@cyanheads/mcp--ts--core-259?style=flat-square)](https://www.npmjs.com/package/@cyanheads/mcp-ts-core) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/)
+[![Version](https://img.shields.io/badge/Version-0.6.5-blue.svg?style=flat-square)](./CHANGELOG.md) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Docker](https://img.shields.io/badge/Docker-ghcr.io-2496ED?style=flat-square&logo=docker&logoColor=white)](https://github.com/users/cyanheads/packages/container/package/cdc-health-mcp-server) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![npm](https://img.shields.io/npm/v/@cyanheads/cdc-health-mcp-server?style=flat-square&logo=npm&logoColor=white)](https://www.npmjs.com/package/@cyanheads/cdc-health-mcp-server) [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.2-blueviolet.svg?style=flat-square)](https://bun.sh/)
-[![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.2-blueviolet.svg?style=flat-square)](https://bun.sh/)
+</div>
+<div align="center">
+[![Install in Claude Desktop](https://img.shields.io/badge/Install_in-Claude_Desktop-D97757?style=for-the-badge&logo=anthropic&logoColor=white)](https://github.com/cyanheads/cdc-health-mcp-server/releases/latest/download/cdc-health-mcp-server.mcpb) [![Install in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=cdc-health-mcp-server&config=eyJjb21tYW5kIjogIm5weCIsICJhcmdzIjogWyIteSIsICJAY3lhbmhlYWRzL2NkYy1oZWFsdGgtbWNwLXNlcnZlckBsYXRlc3QiXSwgImVudiI6IHsiTUNQX1RSQU5TUE9SVF9UWVBFIjogInN0ZGlvIiwgIk1DUF9MT0dfTEVWRUwiOiAiaW5mbyJ9fQ==) [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=for-the-badge&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode:mcp/install?%7B%22name%22%3A%20%22cdc-health-mcp-server%22%2C%20%22command%22%3A%20%22npx%22%2C%20%22args%22%3A%20%5B%22-y%22%2C%20%22%40cyanheads/cdc-health-mcp-server%40latest%22%5D%2C%20%22env%22%3A%20%7B%22MCP_TRANSPORT_TYPE%22%3A%20%22stdio%22%2C%20%22MCP_LOG_LEVEL%22%3A%20%22info%22%7D%7D)
+[![Framework](https://img.shields.io/badge/Built%20on-@cyanheads/mcp--ts--core-67E8F9?style=flat-square)](https://www.npmjs.com/package/@cyanheads/mcp-ts-core)
 </div>

package/manifest.json ADDED Viewed

@@ -0,0 +1,40 @@
+{
+  "manifest_version": "0.3",
+  "name": "cdc-health-mcp-server",
+  "version": "0.6.5",
+  "description": "Discover and query CDC public health datasets via the Socrata SODA API.",
+  "author": { "name": "cyanheads" },
+  "server": {
+    "type": "node",
+    "entry_point": "dist/index.js",
+    "mcp_config": {
+      "command": "node",
+      "args": ["${__dirname}/dist/index.js"],
+      "env": {
+        "MCP_TRANSPORT_TYPE": "stdio",
+        "MCP_AUTH_MODE": "none",
+        "NODE_ENV": "production"
+      }
+    }
+  },
+  "compatibility": {
+    "runtimes": { "node": ">=24.0.0" }
+  },
+  "tools_generated": true,
+  "prompts_generated": true,
+  "user_config": {
+    "CDC_APP_TOKEN": {
+      "title": "Socrata App Token",
+      "type": "string",
+      "description": "Optional app token for higher CDC Open Data rate limits.",
+      "required": false
+    },
+    "MCP_LOG_LEVEL": {
+      "title": "Log Level",
+      "type": "string",
+      "description": "Minimum log level for output (debug, info, warn, error).",
+      "required": false,
+      "default": "info"
+    }
+  }
+}

package/package.json CHANGED Viewed

@@ -1,14 +1,23 @@
 {
   "name": "@cyanheads/cdc-health-mcp-server",
-  "version": "0.6.4",
-  "description": "MCP server for discovering and querying CDC public health datasets via the Socrata SODA API.",
+  "version": "0.6.5",
+  "description": "Discover and query CDC public health datasets via the Socrata SODA API via MCP. STDIO or Streamable HTTP.",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {
     "cdc-health-mcp-server": "dist/index.js"
   },
-  "files": ["dist/", "README.md", "LICENSE", "CLAUDE.md", "Dockerfile", "server.json"],
+  "files": [
+    "dist/",
+    "README.md",
+    "LICENSE",
+    "CLAUDE.md",
+    "Dockerfile",
+    "server.json",
+    "manifest.json",
+    ".mcpbignore"
+  ],
   "scripts": {
     "build": "bun scripts/build.ts",
     "rebuild": "bun scripts/clean.ts && bun scripts/build.ts",
@@ -17,6 +26,13 @@
     "tree": "bun scripts/tree.ts",
     "format": "biome check --write --unsafe .",
     "lint:mcp": "bun scripts/lint-mcp.ts",
+    "lint:packaging": "bun scripts/lint-packaging.ts",
+    "list-skills": "bun scripts/list-skills.ts",
+    "audit:refresh": "rm -f bun.lock && bun install && bun audit",
+    "bundle": "bun run build && npx -y @anthropic-ai/mcpb pack . dist/cdc-health-mcp-server.mcpb",
+    "publish-mcp": "bun run build && npm publish --access public",
+    "changelog:build": "bun scripts/build-changelog.ts",
+    "changelog:check": "bun scripts/check-docs-sync.ts",
     "test": "vitest run",
     "start:stdio": "MCP_TRANSPORT_TYPE=stdio node dist/index.js",
     "start:http": "MCP_TRANSPORT_TYPE=http node dist/index.js"
@@ -61,18 +77,19 @@
     "access": "public"
   },
   "dependencies": {
-    "@cyanheads/mcp-ts-core": "^0.9.1",
-    "pino-pretty": "^13.1.3"
+    "@cyanheads/mcp-ts-core": "^0.9.6",
+    "pino-pretty": "^13.1.3",
+    "zod": "^4.4.3"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.15",
     "@opentelemetry/api": "^1.9.1",
-    "@types/node": "^25.8.0",
-    "@vitest/coverage-istanbul": "^4.1.6",
+    "@types/node": "^25.9.1",
+    "@vitest/coverage-istanbul": "^4.1.7",
     "depcheck": "^1.4.7",
     "ignore": "^7.0.5",
     "tsc-alias": "^1.8.17",
     "typescript": "^6.0.3",
-    "vitest": "^4.1.6"
+    "vitest": "^4.1.7"
   }
 }

package/server.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.cyanheads/cdc-health-mcp-server",
-  "description": "MCP server for discovering and querying CDC public health datasets via the Socrata SODA API.",
+  "description": "Discover and query CDC public health datasets via the Socrata SODA API.",
   "repository": {
     "url": "https://github.com/cyanheads/cdc-health-mcp-server",
     "source": "github"
   },
-  "version": "0.6.4",
+  "version": "0.6.5",
   "remotes": [
     {
       "type": "streamable-http",
@@ -19,7 +19,7 @@
       "registryBaseUrl": "https://registry.npmjs.org",
       "identifier": "@cyanheads/cdc-health-mcp-server",
       "runtimeHint": "node",
-      "version": "0.6.4",
+      "version": "0.6.5",
       "packageArguments": [
         {
           "type": "positional",
@@ -54,7 +54,7 @@
       "registryBaseUrl": "https://registry.npmjs.org",
       "identifier": "@cyanheads/cdc-health-mcp-server",
       "runtimeHint": "node",
-      "version": "0.6.4",
+      "version": "0.6.5",
       "packageArguments": [
         {
           "type": "positional",