@cyanheads/mcp-ts-core 0.10.10 → 0.10.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -182,12 +182,14 @@ Handlers receive a unified `ctx` object. Key properties:
182
182
  | Property | Description |
183
183
  |:---------|:------------|
184
184
  | `ctx.log` | Request-scoped logger — `.debug()`, `.info()`, `.notice()`, `.warning()`, `.error()`. Auto-correlates requestId, traceId, tenantId. |
185
- | `ctx.state` | Tenant-scoped KV — `.get(key)`, `.set(key, value, { ttl? })`, `.delete(key)`, `.list(prefix, { cursor, limit })`. Accepts any serializable value. |
185
+ | `ctx.state` | Tenant-scoped KV — `.get(key)`, `.set(key, value, { ttl? })`, `.delete(key)`, `.getMany(keys)`, `.list(prefix, { cursor, limit })`. Accepts any serializable value. |
186
186
  | `ctx.elicit` | Ask user for structured input — form call `(message, schema)` or `.url(message, url)` for an external link. **Check for presence first:** `if (ctx.elicit) { ... }` |
187
+ | `ctx.enrich` | Success-path agent context (empty-result notices, query echo, pagination totals) — `ctx.enrich(...)` or `.notice()` / `.total()` / `.echo()` / `.truncated()`. Reaches `structuredContent` and `content[]`; lands only when the definition declares an `enrichment` block (no-op otherwise). |
188
+ | `ctx.content` | Non-text content blocks — `.image(data, mimeType)`, `.audio(data, mimeType)`, or `ctx.content(block)` for a raw block. Prepended to `content[]` after `format()`; never enters `structuredContent`. |
187
189
  | `ctx.signal` | `AbortSignal` for cancellation. |
188
190
  | `ctx.progress` | Task progress (present when `task: true`) — `.setTotal(n)`, `.increment()`, `.update(message)`. |
189
191
  | `ctx.requestId` | Unique request ID. |
190
- | `ctx.tenantId` | Tenant ID from JWT or `'default'` for stdio. |
192
+ | `ctx.tenantId` | Tenant ID from JWT; `'default'` for stdio or HTTP with auth off. |
191
193
 
192
194
  ---
193
195
 
@@ -195,7 +197,7 @@ Handlers receive a unified `ctx` object. Key properties:
195
197
 
196
198
  Handlers throw — the framework catches, classifies, and formats.
197
199
 
198
- **Recommended: typed error contract.** Declare `errors: [{ reason, code, when, recovery, retryable? }]` on `tool()` / `resource()` to receive `ctx.fail(reason, …)` typed against the reason union. TypeScript catches typos at compile time, `data.reason` is auto-populated for observability, linter enforces conformance against the handler body. `recovery` is required descriptive metadata for the agent's next move ( 5 words, lint-validated); for the wire `data.recovery.hint` (mirrored into `content[]` text), pass explicitly at the throw site when dynamic context matters: `ctx.fail('reason', msg, { recovery: { hint: '...' } })`. Baseline codes (`InternalError`, `ServiceUnavailable`, `Timeout`, `ValidationError`, `SerializationError`) bubble freely and don't need declaring.
200
+ **Recommended: typed error contract.** Declare `errors: [{ reason, code, when, recovery, retryable? }]` on `tool()` / `resource()` to receive `ctx.fail(reason, …)` typed against the reason union. TypeScript catches typos at compile time, `data.reason` is auto-populated for observability, linter enforces conformance against the handler body. `recovery` is required (≥ 5 words, lint-validated) — the single source of truth for the agent's next move. Pass `ctx.recoveryFor('reason')` as the throw's data to put it on the wire (`data.recovery.hint`, mirrored into `content[]` text); override with an explicit `{ recovery: { hint: '...' } }` when dynamic runtime context matters. Baseline codes (`InternalError`, `ServiceUnavailable`, `Timeout`, `ValidationError`, `SerializationError`) bubble freely and don't need declaring.
199
201
 
200
202
  ```ts
201
203
  import { JsonRpcErrorCode } from '@cyanheads/mcp-ts-core/errors';
@@ -207,7 +209,7 @@ errors: [
207
209
  ],
208
210
  async handler(input, ctx) {
209
211
  const item = await db.find(input.id);
210
- if (!item) throw ctx.fail('no_match', `No item ${input.id}`);
212
+ if (!item) throw ctx.fail('no_match', `No item ${input.id}`, ctx.recoveryFor('no_match'));
211
213
  return item;
212
214
  }
213
215
  ```
@@ -270,7 +272,7 @@ src/
270
272
 
271
273
  ## Skills
272
274
 
273
- Skills are modular instructions in `skills/` at the project root. Read them directly when a task matches — e.g., `skills/add-tool/SKILL.md` when adding a tool.
275
+ Skills are modular instructions in `skills/` at the project root. Read them directly when a task matches — e.g., `skills/add-tool/SKILL.md` when adding a tool. `bun run list-skills` prints the full registry.
274
276
 
275
277
  **Agent skill directory:** Copy skills into the directory your agent discovers (Claude Code: `.claude/skills/`, others: equivalent). Skills then load as context without referencing `skills/` paths. After framework updates, run the `maintenance` skill — Phase B re-syncs the agent directory.
276
278
 
@@ -290,7 +292,6 @@ Available skills:
290
292
  | `tool-defs-analysis` | Read-only audit of MCP definition language across the surface — voice, leaks, defaults, recovery hints, output descriptions |
291
293
  | `security-pass` | Audit server for MCP-flavored security gaps: output injection, scope blast radius, input sinks, tenant isolation |
292
294
  | `code-simplifier` | Post-session cleanup against `git diff` — modernize syntax, consolidate duplication, align with the codebase |
293
- | `devcheck` | Lint, format, typecheck, audit |
294
295
  | `polish-docs-meta` | Finalize docs, README, metadata, and agent protocol for shipping |
295
296
  | `git-wrapup` | Land working-tree changes as a versioned commit + annotated tag — version bump, changelog, verify, tag. Local only. |
296
297
  | `release-and-publish` | Push + npm + MCP Registry + GH Release + Docker. Picks up from `git-wrapup` |
@@ -298,12 +299,14 @@ Available skills:
298
299
  | `orchestrations` | Chain task skills into a gated multi-phase pipeline — build-out, QA-fix, update-ship — when you can spawn sub-agents |
299
300
  | `report-issue-framework` | File a bug or feature request against `@cyanheads/mcp-ts-core` via `gh` CLI |
300
301
  | `report-issue-local` | File a bug or feature request against this server's own repo via `gh` CLI |
302
+ | `techniques` | Catalog of response/data-shaping techniques — overflow handling, payload shaping, retrieval patterns |
301
303
  | `api-auth` | Auth modes, scopes, JWT/OAuth |
302
304
  | `api-canvas` | DataCanvas: register tabular data, run SQL, export, plus the `spillover()` helper for big result sets — Tier 3 opt-in |
303
305
  | `api-config` | AppConfig, parseConfig, env vars |
304
306
  | `api-context` | Context interface, logger, state, progress |
305
307
  | `api-errors` | McpError, JsonRpcErrorCode, error patterns |
306
308
  | `api-linter` | Definition linter rule catalog — invoked by `bun run lint:mcp` and `devcheck` |
309
+ | `api-mirror` | MirrorService: persistent self-refreshing local mirror (embedded SQLite + FTS5) of a bulk upstream dataset — Tier 3 opt-in |
307
310
  | `api-services` | LLM, Speech, Graph services |
308
311
  | `api-testing` | createMockContext, test patterns |
309
312
  | `api-utils` | Formatting, parsing, security, pagination, scheduling, telemetry helpers |
@@ -322,20 +325,23 @@ When you complete a skill's checklist, check the boxes and add a completion time
322
325
 
323
326
  | Command | Purpose |
324
327
  |:--------|:--------|
325
- | `npm run build` | Compile TypeScript |
326
- | `npm run rebuild` | Clean + build |
327
- | `npm run clean` | Remove build artifacts |
328
- | `npm run devcheck` | Lint + format + typecheck + security + changelog sync |
328
+ | `bun run build` | Compile TypeScript |
329
+ | `bun run rebuild` | Clean + build |
330
+ | `bun run clean` | Remove build artifacts |
331
+ | `bun run devcheck` | Lint + format + typecheck + security + changelog sync |
329
332
  | `bun run audit:refresh` | Delete `bun.lock`, reinstall, and re-run `bun audit`. Use when `devcheck` flags a transitive advisory — Bun's `update` is sticky on transitive resolutions, so the advisory may be a stale-lockfile false positive. If it survives the refresh, it's real. |
330
- | `npm run tree` | Generate directory structure doc |
331
- | `npm run format` | Auto-fix formatting (safe fixes only) |
332
- | `npm run format:unsafe` | Also apply Biome's unsafe autofixes — review the diff; they can change behavior |
333
- | `npm test` | Run tests |
334
- | `npm run start:stdio` | Production mode (stdio) |
335
- | `npm run start:http` | Production mode (HTTP) |
336
- | `npm run changelog:build` | Regenerate `CHANGELOG.md` from `changelog/*.md` |
337
- | `npm run changelog:check` | Verify `CHANGELOG.md` is in sync (used by devcheck) |
338
- | `npm run bundle` | Build, pack, and clean a `.mcpb` for one-click Claude Desktop install |
333
+ | `bun run lint:mcp` | Run the MCP definition linter standalone (rule catalog: `api-linter` skill) |
334
+ | `bun run lint:packaging` | Packaging surface checks — `server.json`/`manifest.json` env-var parity (run by devcheck) |
335
+ | `bun run list-skills` | Print the skill registry |
336
+ | `bun run tree` | Generate directory structure doc |
337
+ | `bun run format` | Auto-fix formatting (safe fixes only) |
338
+ | `bun run format:unsafe` | Also apply Biome's unsafe autofixes — review the diff; they can change behavior |
339
+ | `bun run test` | Run tests (Vitest — use `bun run test`, not `bun test`) |
340
+ | `bun run start:stdio` | Production mode (stdio) |
341
+ | `bun run start:http` | Production mode (HTTP) |
342
+ | `bun run changelog:build` | Regenerate `CHANGELOG.md` from `changelog/*.md` |
343
+ | `bun run changelog:check` | Verify `CHANGELOG.md` is in sync (used by devcheck) |
344
+ | `bun run bundle` | Build, pack, and clean a `.mcpb` for one-click Claude Desktop install |
339
345
 
340
346
  ---
341
347
 
@@ -359,14 +365,14 @@ Each per-version file opens with YAML frontmatter:
359
365
  ---
360
366
  summary: "One-line headline, ≤350 chars" # required — powers the rollup index
361
367
  breaking: false # optional — true flags breaking changes
362
- security: false # optional — true flags security fixes
368
+ security: false # optional — true ONLY for a source-code security fix, never a dependency CVE bump
363
369
  ---
364
370
 
365
371
  # 0.1.0 — YYYY-MM-DD
366
372
  ...
367
373
  ```
368
374
 
369
- `breaking: true` renders a `· ⚠️ Breaking` badge — use it when consumers must update code on upgrade (signature changes, removed APIs, config renames). `security: true` renders a `· 🛡️ Security` badge and pairs with a `## Security` body section. When both are set, badges render `· ⚠️ Breaking · 🛡️ Security`.
375
+ `breaking: true` renders a `· ⚠️ Breaking` badge — use it when consumers must update code on upgrade (signature changes, removed APIs, config renames). `security: true` renders a `· 🛡️ Security` badge and pairs with a `## Security` body section — set it only for a security fix in this server's *own source code*, never for a routine dependency or transitive CVE bump (record those under `## Dependencies`). When both are set, badges render `· ⚠️ Breaking · 🛡️ Security`.
370
376
 
371
377
  `agent-notes` is an optional free-form field for maintenance agents processing the release downstream. Content here won't appear in the rendered CHANGELOG — it's consumed by agents running the `maintenance` skill. Use it for adoption instructions that don't fit the human-facing sections: new files to create, fields to populate, one-time migration steps. Omit entirely when there's nothing to say.
372
378
 
@@ -15,9 +15,11 @@ summary: ""
15
15
  # usage. Flagged as `Breaking` in the rollup.
16
16
  breaking: false
17
17
 
18
- # Set `true` if this release contains any security fix. Pairs with the
19
- # `## Security` section below. Flagged as `Security` in the rollup so
20
- # users can triage upgrade urgency at a glance.
18
+ # Set `true` ONLY for a security fix in THIS project's own source code — a
19
+ # vulnerability or hardening in code you ship. A dependency or transitive CVE
20
+ # bump is routine maintenance, NOT a security release: record it under
21
+ # `## Dependencies` (with the advisory ID) and leave this `false`. When true,
22
+ # pairs with the `## Security` section below and flags `Security` in the rollup.
21
23
  security: false
22
24
 
23
25
  # Optional free-form notes for maintenance agents processing this release.
@@ -62,8 +62,8 @@
62
62
  "zod": "{{ZOD_VERSION}}"
63
63
  },
64
64
  "devDependencies": {
65
- "@biomejs/biome": "2.4.16",
66
- "@types/node": "25.9.3",
65
+ "@biomejs/biome": "2.5.2",
66
+ "@types/node": "26.1.0",
67
67
  "depcheck": "^1.4.7",
68
68
  "ignore": "^7.0.5",
69
69
  "tsc-alias": "^1.8.17",