@cyanheads/git-mcp-server 2.0.6 → 2.0.8

package/README.md

@@ -2,7 +2,7 @@
 
 [![TypeScript](https://img.shields.io/badge/TypeScript-^5.8.3-blue.svg)](https://www.typescriptlang.org/)
 [![Model Context Protocol](https://img.shields.io/badge/MCP%20SDK-^1.11.0-green.svg)](https://modelcontextprotocol.io/)
-[![Version](https://img.shields.io/badge/Version-2.0.6-blue.svg)](./CHANGELOG.md)
+[![Version](https://img.shields.io/badge/Version-2.0.8-blue.svg)](./CHANGELOG.md)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Status](https://img.shields.io/badge/Status-Stable-green.svg)](https://github.com/cyanheads/git-mcp-server/issues)
 [![GitHub](https://img.shields.io/github/stars/cyanheads/git-mcp-server?style=social)](https://github.com/cyanheads/git-mcp-server)
@@ -16,7 +16,9 @@ Built on the [`cyanheads/mcp-ts-template`](https://github.com/cyanheads/mcp-ts-t
 ## Table of Contents
 
 | [Overview](#overview) | [Features](#features) | [Installation](#installation) |
+
 | [Configuration](#configuration) | [Project Structure](#project-structure) |
+
 | [Tools](#tools) | [Resources](#resources) | [Development](#development) | [License](#license) |
 
 ## Overview
@@ -68,7 +70,7 @@ Leverages the robust utilities provided by the `mcp-ts-template`:
 
 1.  Install the package globally:
     ```bash
-    npm install git-mcp-server
+    npm install @cyanheads/git-mcp-server
     ```
 
 ### Install from Source
@@ -97,11 +99,12 @@ Configure the server using environment variables. Create a `.env` file in the pr
 | Variable              | Description                                                                                                                           | Default     |
 | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `MCP_TRANSPORT_TYPE`  | Transport mechanism: `stdio` or `http`.                                                                                               | `stdio`     |
-| `MCP_HTTP_PORT`       | Port for the HTTP server (if `MCP_TRANSPORT_TYPE=http`). Retries next ports if busy.                                                  | `3000`      |
+| `MCP_HTTP_PORT`       | Port for the HTTP server (if `MCP_TRANSPORT_TYPE=http`). Retries next ports if busy.                                                  | `3010`      |
 | `MCP_HTTP_HOST`       | Host address for the HTTP server (if `MCP_TRANSPORT_TYPE=http`).                                                                      | `127.0.0.1` |
 | `MCP_ALLOWED_ORIGINS` | Comma-separated list of allowed origins for CORS (if `MCP_TRANSPORT_TYPE=http`).                                                      | (none)      |
 | `MCP_LOG_LEVEL`       | Logging level (`debug`, `info`, `notice`, `warning`, `error`, `crit`, `alert`, `emerg`). Inherited from template.                     | `info`      |
 | `GIT_SIGN_COMMITS`    | Set to `"true"` to enable signing attempts for commits made by the `git_commit` tool. Requires server-side Git/key setup (see below). | `false`     |
+| `MCP_AUTH_SECRET_KEY` | Secret key for signing/verifying authentication tokens (required if auth is enabled in the future).                                   | `''`        |
 
 ### MCP Client Settings
 
@@ -176,7 +179,7 @@ The Git MCP Server provides a suite of tools for interacting with Git repositori
 | `git_status`            | Gets repository status (branch, staged, modified, untracked files).                                      | `path?`                                                                                                         |
 | `git_tag`               | Manages tags (list, create annotated/lightweight, delete).                                               | `path?`, `mode`, `tagName?`, `message?`, `commitRef?`, `annotate?`                                              |
 
-_Note: The `path` parameter for most tools defaults to the session's working directory if set via `git_set_working_dir`, otherwise it defaults to the server's CWD._
+_Note: The `path` parameter for most tools defaults to the session's working directory if set via `git_set_working_dir`._
 
 ## Resources
 

package/dist/mcp-server/tools/gitAdd/logic.js

@@ -44,7 +44,7 @@ export async function addGitFiles(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized repository path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitBranch/logic.js

@@ -56,7 +56,7 @@ export async function gitBranchLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitCheckout/logic.js

@@ -41,7 +41,7 @@ export async function checkoutGit(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitCherryPick/logic.js

@@ -47,7 +47,7 @@ export async function gitCherryPickLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitClean/logic.js

@@ -55,7 +55,7 @@ export async function gitCleanLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitClone/logic.js

@@ -33,7 +33,7 @@ export async function gitCloneLogic(input, context) {
     let sanitizedRepoUrl;
     try {
         // Sanitize the target path (must be absolute)
-        sanitizedTargetPath = sanitization.sanitizePath(input.targetPath);
+        sanitizedTargetPath = sanitization.sanitizePath(input.targetPath, { allowAbsolute: true });
         logger.debug('Sanitized target path', { ...context, operation, sanitizedTargetPath });
         // Basic sanitization/validation for URL (Zod already checks format)
         // Further sanitization might be needed depending on how it's used in the shell command

package/dist/mcp-server/tools/gitCommit/logic.js

@@ -50,7 +50,7 @@ export async function commitGitChanges(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitDiff/logic.js

@@ -48,7 +48,7 @@ export async function diffGitChanges(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitFetch/logic.js

@@ -41,7 +41,7 @@ export async function fetchGitRemote(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitInit/logic.js

@@ -31,7 +31,7 @@ export async function gitInitLogic(input, context) {
     let targetPath;
     try {
         // Sanitize the provided absolute path
-        targetPath = sanitization.sanitizePath(input.path);
+        targetPath = sanitization.sanitizePath(input.path, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
         // Ensure the target directory exists before trying to init inside it
         // git init creates the directory if it doesn't exist, but we might want to ensure the parent exists

package/dist/mcp-server/tools/gitInit/registration.js

@@ -55,11 +55,11 @@ export const registerGitInitTool = async (server) => {
                 let resolvedPath;
                 try {
                     if (path.isAbsolute(inputPath)) {
-                        resolvedPath = sanitization.sanitizePath(inputPath);
+                        resolvedPath = sanitization.sanitizePath(inputPath, { allowAbsolute: true });
                         logger.debug(`Using absolute path: ${resolvedPath}`, requestContext);
                     }
                     else if (sessionWorkingDirectory) {
-                        resolvedPath = sanitization.sanitizePath(path.resolve(sessionWorkingDirectory, inputPath));
+                        resolvedPath = sanitization.sanitizePath(path.resolve(sessionWorkingDirectory, inputPath), { allowAbsolute: true });
                         logger.debug(`Resolved relative path '${inputPath}' to absolute path: ${resolvedPath} using session CWD`, requestContext);
                     }
                     else {

package/dist/mcp-server/tools/gitLog/logic.js

@@ -56,7 +56,7 @@ export async function logGitHistory(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitPull/logic.js

@@ -44,7 +44,7 @@ export async function pullGitChanges(input, context) {
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitPush/logic.js

@@ -45,7 +45,7 @@ export async function pushGitChanges(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitRebase/logic.js

@@ -55,7 +55,7 @@ export async function gitRebaseLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitRemote/logic.js

@@ -42,7 +42,7 @@ export async function gitRemoteLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath); // Sanitize the final resolved path
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true }); // Sanitize the final resolved path
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitReset/logic.js

@@ -44,7 +44,7 @@ export async function resetGitState(input, context) {
             }
             targetPath = workingDir;
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitSetWorkingDir/logic.js

@@ -26,9 +26,9 @@ export async function gitSetWorkingDirLogic(input, context // Assuming context p
     logger.info('Executing git_set_working_dir logic', { ...context, operation, inputPath: input.path });
     let sanitizedPath;
     try {
-        // Sanitize the path. By default, sanitizePath allows absolute paths.
+        // Sanitize the path. Must explicitly allow absolute paths for this tool.
         // It normalizes and checks for traversal issues.
-        sanitizedPath = sanitization.sanitizePath(input.path);
+        sanitizedPath = sanitization.sanitizePath(input.path, { allowAbsolute: true });
         logger.debug(`Sanitized path: ${sanitizedPath}`, { ...context, operation });
     }
     catch (error) {

package/dist/mcp-server/tools/gitShow/logic.js

@@ -41,7 +41,7 @@ export async function gitShowLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitStash/logic.js

@@ -47,7 +47,7 @@ export async function gitStashLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/dist/mcp-server/tools/gitStatus/logic.js

@@ -160,7 +160,7 @@ export async function getGitStatus(input, context // Add getter to context
             logger.debug(`Using session working directory: ${targetPath}`, { ...context, operation, sessionId: context.sessionId });
         }
         // Sanitize the resolved path
-        const sanitizedPath = sanitization.sanitizePath(targetPath);
+        const sanitizedPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath });
         targetPath = sanitizedPath; // Use the sanitized path going forward
     }

package/dist/mcp-server/tools/gitTag/logic.js

@@ -55,7 +55,7 @@ export async function gitTagLogic(input, context) {
         else {
             logger.debug(`Using provided path: ${targetPath}`, { ...context, operation });
         }
-        targetPath = sanitization.sanitizePath(targetPath);
+        targetPath = sanitization.sanitizePath(targetPath, { allowAbsolute: true });
         logger.debug('Sanitized path', { ...context, operation, sanitizedPath: targetPath });
     }
     catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.0.6",
+  "version": "2.0.8",
   "description": "An MCP (Model Context Protocol) server providing tools to interact with Git repositories. Enables LLMs and AI agents to perform Git operations like clone, commit, push, pull, branch, diff, log, status, and more via the MCP standard.",
   "type": "module",
   "license": "Apache-2.0",
@@ -38,7 +38,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@types/jsonwebtoken": "^9.0.9",
-    "@types/node": "^22.15.9",
+    "@types/node": "^22.15.15",
     "@types/sanitize-html": "^2.16.0",
     "@types/validator": "^13.15.0",
     "chrono-node": "^2.8.0",