@cyanheads/mcp-ts-core 0.10.5 → 0.10.6

package/AGENTS.md

@@ -1,7 +1,7 @@
 # Developer Protocol
 
 **Package:** `@cyanheads/mcp-ts-core`
-**Version:** 0.10.5
+**Version:** 0.10.6
 **Engines:** Bun ≥1.3.0, Node ≥24.0.0
 **MCP SDK:** `@modelcontextprotocol/sdk` ^1.29.0
 **Zod:** ^4.4.3

package/CLAUDE.md

@@ -1,7 +1,7 @@
 # Developer Protocol
 
 **Package:** `@cyanheads/mcp-ts-core`
-**Version:** 0.10.5
+**Version:** 0.10.6
 **Engines:** Bun ≥1.3.0, Node ≥24.0.0
 **MCP SDK:** `@modelcontextprotocol/sdk` ^1.29.0
 **Zod:** ^4.4.3

package/changelog/0.10.x/0.10.5.md

@@ -1,5 +1,5 @@
 ---
-summary: "mcpTest fixture-based Vitest subpath; platform-native utils sweep under Node≥24/Bun≥1.3 (AbortSignal.any, Uint8Array base64, Symbol.Dispose, performance.now); workerd R2/D1 storage suites; typecheck project with @ts-expect-error negative cases; R2 list cap fix"
+summary: "mcpTest fixture-based Vitest subpath; platform-native utils sweep under Node≥24/Bun≥1.3 (AbortSignal.any, Uint8Array base64, Symbol.dispose, performance.now); workerd R2/D1 storage suites; typecheck project with @ts-expect-error negative cases; R2 list cap fix"
 breaking: false
 security: false
 agent-notes: |
@@ -19,8 +19,8 @@ agent-notes: |
 - **`CanvasRegistry[Symbol.asyncDispose]`** — enables `await using registry = new CanvasRegistry(...)`. ([#216](https://github.com/cyanheads/mcp-ts-core/issues/216))
 - **Workerd R2 storage suite** (`tests/worker/storage-r2.worker.test.ts`) — set/get/delete/list/TTL exercised through the worker handler via miniflare `r2Buckets` binding. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
 - **Workerd D1 storage suite** (`tests/worker/storage-d1.worker.test.ts`) — set/get/delete/list/TTL exercised through the worker handler via miniflare `d1Databases` binding. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
-- **Encoding worker tests** (`tests/worker/encoding.worker.test.ts`) — `arrayBufferToBase64` / `base64ToString` verified in the workerd runtime. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
-- **`skills/api-workers` `v1.3`** — documents the `r2Buckets` / `d1Databases` miniflare binding pattern for workerd storage tests. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
+- **Encoding worker tests** (`tests/worker/encoding.worker.test.ts`) — `arrayBufferToBase64` / `base64ToString` verified in the workerd runtime. ([#216](https://github.com/cyanheads/mcp-ts-core/issues/216))
+- **`skills/api-workers` `v1.5`** — documents the `r2Buckets` / `d1Databases` miniflare binding pattern for workerd storage tests. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
 - **`skills/api-testing` `v1.5`** — documents `mcpTest`, `McpTestFixtures`, and the `./testing/vitest` subpath. ([#227](https://github.com/cyanheads/mcp-ts-core/issues/227))
 
 ## Changed
@@ -34,12 +34,12 @@ agent-notes: |
 - **`templates/tests/tools/echo.tool.test.ts`** — updated to use `mcpTest` from `@cyanheads/mcp-ts-core/testing/vitest`. ([#227](https://github.com/cyanheads/mcp-ts-core/issues/227))
 - **`export-map` allowlist test** — updated to include the `./testing/vitest` subpath. ([#227](https://github.com/cyanheads/mcp-ts-core/issues/227))
 - **`optional-peer-deps` test** — adds an integration-entrypoint exemption for `./testing/vitest` (its `vitest` peer is expected). ([#227](https://github.com/cyanheads/mcp-ts-core/issues/227))
-- **`worker-runtime.fixture`** — expanded with `r2Buckets` / `d1Databases` miniflare bindings for storage test suites. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
+- **`worker-runtime.fixture`** — adds `storage_set` / `storage_get` / `storage_delete` / `storage_list` probe tools backing the workerd storage suites; the miniflare `r2Buckets` / `d1Databases` bindings live in `vitest.worker.ts`. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
 
 ## Fixed
 
 - **R2 `list()` cap** — `limit + 1` page-probe clamped to `R2_MAX_LIST_LIMIT = 1000`; R2 rejects requests above this cap. At the limit, pagination falls back to `listed.truncated` for has-more detection. ([#228](https://github.com/cyanheads/mcp-ts-core/issues/228))
-- **`lintCappedListTruncation` allowlist check** — guarded with `Array.isArray()` before calling `.includes()`; previously crashed on non-array `truncationAllowlist` values.
+- **`lintCappedListTruncation` allowlist check** — truthiness guard replaced with `Array.isArray()` before calling `.includes()` (lint conformance; behavior unchanged).
 
 ## Deprecated
 

package/changelog/0.10.x/0.10.6.md

@@ -0,0 +1,37 @@
+---
+summary: "Post-pack bundle cleaner strips dependency-shipped agent docs; packaging linter adds post-bundle content and entrypoint identity checks; template scaffolds name/title pair"
+breaking: false
+security: false
+agent-notes: |
+  New file to sync: `scripts/clean-mcpb.ts` is now listed in `package.json` `files[]` and is invoked by the template `bundle` script after `mcpb pack`. Consumer servers that previously added the clean-mcpb script manually should verify their `bundle` script matches the template (`bun run build && npx -y @anthropic-ai/mcpb pack . dist/{{PACKAGE_NAME}}.mcpb && bun run scripts/clean-mcpb.ts dist/{{PACKAGE_NAME}}.mcpb`).
+
+  The `bundle` step for newly-scaffolded servers now includes the clean step automatically. Existing servers using the old `bundle` script (without `scripts/clean-mcpb.ts`) should update `package.json` to match the template.
+
+  Identity adoption (check 9): add explicit `name: '<unscoped-package-name>'` and `title: '<unscoped-package-name>'` to `createApp()` / `createWorkerHandler()` in `src/index.ts` (and `src/worker.ts` if present). `devcheck` now warns when the pair is partial and errors when a literal is set to the wrong value. Run `bun run lint:packaging` to confirm.
+
+  `templates/manifest.json` no longer includes an empty `repository` stub — `mcpb pack` rejects it on fresh scaffolds. Existing servers: remove `"repository": { "type": "git", "url": "" }` from `manifest.json` if present.
+
+  Re-sync the `skills/polish-docs-meta` skill (now v2.7) — it documents the `name`/`title` identity requirement and the updated `bundle` script description.
+---
+
+# 0.10.6 — 2026-06-11
+
+## Added
+
+- **`scripts/clean-mcpb.ts`** — post-pack bundle cleaner: runs `mcpb clean` (dev-dependency prune + manifest validation), then strips `node_modules/**` agent-doc entries (`skills/`, `.claude/`, `.agents/` trees and `SKILL.md` files) that root-anchored `.mcpbignore` patterns cannot reach. Batched `zip -d -nw` for literal matching; re-lists and asserts zero matches remain. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+- **`lint-packaging.ts` check 8** — post-bundle content guard: lists `.mcpb` files under `dist/` with `unzip -Z1` and flags any `node_modules/**` agent-doc entries, directing to `scripts/clean-mcpb.ts`. Cross-script regex `AGENT_DOC_ENTRY` is exported from both files; a unit test asserts they are identical. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+- **`lint-packaging.ts` check 9** — identity checks: `name`/`title` string literals in `createApp()` / `createWorkerHandler()` (`src/index.ts`, `src/worker.ts`) and `manifest.json` `display_name` must equal the unscoped `package.json` name; partial `name`/`title` pair warns without failing. Line-based brace-depth parser excludes nested object literals (setup bodies, extension configs) to avoid false positives. ([#231](https://github.com/cyanheads/mcp-ts-core/issues/231))
+- **`scripts/clean-mcpb.ts` added to `package.json` `files[]`** — exported in the npm package so consumer servers can reference it via the framework install. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+
+## Changed
+
+- **`templates/package.json` `bundle` script** — appended `&& bun run scripts/clean-mcpb.ts dist/{{PACKAGE_NAME}}.mcpb` after `mcpb pack`; newly-scaffolded servers get the clean step automatically. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+- **`templates/src/index.ts`** — scaffolded `createApp()` now includes an explicit `name: '{{PACKAGE_NAME}}'` / `title: '{{PACKAGE_NAME}}'` identity pair, so new servers pass check 9 out of the box. ([#231](https://github.com/cyanheads/mcp-ts-core/issues/231))
+- **`templates/manifest.json`** — removed empty `repository: { type: "git", url: "" }` stub; `mcpb pack` rejects a blank URL on fresh scaffolds. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+- **`skills/polish-docs-meta` v2.7** — adds the `name`/`title` identity requirement (`createApp()` / `createWorkerHandler()` must match the unscoped package name; `lint:packaging` enforces) and updates the `bundle` script description to reflect the clean step. ([#231](https://github.com/cyanheads/mcp-ts-core/issues/231))
+- **`skills/orchestrations` v1.3** — Phase 4 close-loop wording: each shipped issue gets exactly one what-landed comment (concrete changes + version), then a bare close; bare "Fixed in v\<version\>." trailer replaced by the fuller comment-then-close pattern that also covers enhancements. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))
+- **`templates/CLAUDE.md` / `templates/AGENTS.md`** — `bundle` command description updated to reflect the clean step.
+- **`lint-packaging.ts` `checkBundleContent`** — refactored to accept raw `.mcpbignore` content (string) instead of a file path, enabling direct unit testing without filesystem fixtures; `main()` still reads the file and passes the string.
+- **`lint-packaging.ts` `KNOWN_DEV_DIRS` / `CRITICAL_RUNTIME_PATHS`** — exported for cross-module use and unit test access.
+- **`tests/unit/scripts/lint-packaging.test.ts`** — rewritten to import `checkBundleContent`, `checkBundleEntries`, `checkEntrypointIdentity`, `checkManifestIdentity` from the real script; no inline logic mirror. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230), [#231](https://github.com/cyanheads/mcp-ts-core/issues/231))
+- **`tests/unit/scripts/clean-mcpb.test.ts`** (new) — imports `AGENT_DOC_ENTRY` and `filterAgentDocEntries` from the real `scripts/clean-mcpb.ts`; covers match/keep/near-miss/order cases plus the cross-script sync assertion. ([#230](https://github.com/cyanheads/mcp-ts-core/issues/230))

package/dist/logs/combined.log

@@ -0,0 +1,8 @@
+{"level":40,"time":1781209564918,"env":"testing","version":"0.10.6","pid":48621,"transport":"http","requestId":"LASBX-RIEWV","timestamp":"2026-06-11T20:26:04.918Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
+{"level":40,"time":1781209567046,"env":"testing","version":"0.10.6","pid":48621,"component":"HttpTransport","requestId":"OSGGV-UYTJ4","timestamp":"2026-06-11T20:26:07.046Z","operation":"HttpRpcRequest","sessionId":"not-a-real-session-1781209567045","msg":"Session validation failed - invalid or hijacked session"}
+{"level":50,"time":1781209571208,"env":"testing","version":"0.0.0-test","pid":48800,"requestId":"4QZIB-ASBOA","timestamp":"2026-06-11T20:26:11.207Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"87dfc0a1ba692591b1e5da5dabd7cdd49ce892c67e4c79bb8e96cb04679d7d3d","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"87dfc0a1ba692591b1e5da5dabd7cdd49ce892c67e4c79bb8e96cb04679d7d3d","toolName":"scoped_echo","requestId":"4QZIB-ASBOA","timestamp":"2026-06-11T20:26:11.207Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (file:///Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:54)\n    at withRequiredScopes (file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)"},"stack":"McpError: Insufficient permissions.\n    at ErrorHandler.handleError (file:///Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:19)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209571217,"env":"testing","version":"0.0.0-test","pid":48800,"requestId":"XO135-J8PA0","timestamp":"2026-06-11T20:26:11.216Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"a6686259851faf1c145f82876f3441bd48445a032e3048b878d7c630901a1777","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"a6686259851faf1c145f82876f3441bd48445a032e3048b878d7c630901a1777","toolName":"scoped_echo","requestId":"XO135-J8PA0","timestamp":"2026-06-11T20:26:11.216Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (file:///Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:54)\n    at withRequiredScopes (file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)"},"stack":"McpError: Insufficient permissions.\n    at ErrorHandler.handleError (file:///Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:19)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209584779,"env":"testing","version":"0.0.0-test","pid":49130,"requestId":"V3FOX-QXTR8","timestamp":"2026-06-11T20:26:24.778Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"b6231acc40fa0bfd377fd144250ade5c96a6f23385360c133635d0fd3ec6596b","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"b6231acc40fa0bfd377fd144250ade5c96a6f23385360c133635d0fd3ec6596b","toolName":"scoped_echo","requestId":"V3FOX-QXTR8","timestamp":"2026-06-11T20:26:24.778Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209584786,"env":"testing","version":"0.0.0-test","pid":49130,"requestId":"7G9CX-A4TMR","timestamp":"2026-06-11T20:26:24.786Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"0766a5d191de861c515f741834955c90f2761a08ac8dc84bdc1d70b1d7034134","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"0766a5d191de861c515f741834955c90f2761a08ac8dc84bdc1d70b1d7034134","toolName":"scoped_echo","requestId":"7G9CX-A4TMR","timestamp":"2026-06-11T20:26:24.786Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":40,"time":1781209585283,"env":"testing","version":"0.10.6","pid":49133,"transport":"http","requestId":"6YT5B-SCXYV","timestamp":"2026-06-11T20:26:25.282Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
+{"level":40,"time":1781209587210,"env":"testing","version":"0.10.6","pid":49133,"component":"HttpTransport","requestId":"WPW2S-K0V65","timestamp":"2026-06-11T20:26:27.210Z","operation":"HttpRpcRequest","sessionId":"not-a-real-session-1781209587210","msg":"Session validation failed - invalid or hijacked session"}

package/dist/logs/error.log

@@ -0,0 +1,4 @@
+{"level":50,"time":1781209571208,"env":"testing","version":"0.0.0-test","pid":48800,"requestId":"4QZIB-ASBOA","timestamp":"2026-06-11T20:26:11.207Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"87dfc0a1ba692591b1e5da5dabd7cdd49ce892c67e4c79bb8e96cb04679d7d3d","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"87dfc0a1ba692591b1e5da5dabd7cdd49ce892c67e4c79bb8e96cb04679d7d3d","toolName":"scoped_echo","requestId":"4QZIB-ASBOA","timestamp":"2026-06-11T20:26:11.207Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (file:///Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:54)\n    at withRequiredScopes (file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)"},"stack":"McpError: Insufficient permissions.\n    at ErrorHandler.handleError (file:///Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:19)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209571217,"env":"testing","version":"0.0.0-test","pid":48800,"requestId":"XO135-J8PA0","timestamp":"2026-06-11T20:26:11.216Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"a6686259851faf1c145f82876f3441bd48445a032e3048b878d7c630901a1777","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"a6686259851faf1c145f82876f3441bd48445a032e3048b878d7c630901a1777","toolName":"scoped_echo","requestId":"XO135-J8PA0","timestamp":"2026-06-11T20:26:11.216Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (file:///Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:54)\n    at withRequiredScopes (file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)"},"stack":"McpError: Insufficient permissions.\n    at ErrorHandler.handleError (file:///Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:19)\n    at file:///Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26\n    at McpServer.executeToolHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:233:42)\n    at file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43\n    at async wrappedHandler (file:///Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/index.js:125:32)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209584779,"env":"testing","version":"0.0.0-test","pid":49130,"requestId":"V3FOX-QXTR8","timestamp":"2026-06-11T20:26:24.778Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"b6231acc40fa0bfd377fd144250ade5c96a6f23385360c133635d0fd3ec6596b","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"b6231acc40fa0bfd377fd144250ade5c96a6f23385360c133635d0fd3ec6596b","toolName":"scoped_echo","requestId":"V3FOX-QXTR8","timestamp":"2026-06-11T20:26:24.778Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1781209584786,"env":"testing","version":"0.0.0-test","pid":49130,"requestId":"7G9CX-A4TMR","timestamp":"2026-06-11T20:26:24.786Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"0766a5d191de861c515f741834955c90f2761a08ac8dc84bdc1d70b1d7034134","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"0766a5d191de861c515f741834955c90f2761a08ac8dc84bdc1d70b1d7034134","toolName":"scoped_echo","requestId":"7G9CX-A4TMR","timestamp":"2026-06-11T20:26:24.786Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:283:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:324:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/mcp-ts-core",
-  "version": "0.10.5",
+  "version": "0.10.6",
   "mcpName": "io.github.cyanheads/mcp-ts-core",
   "description": "Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.",
   "main": "dist/core/index.js",
@@ -14,6 +14,7 @@
     "scripts/check-framework-antipatterns.ts",
     "scripts/check-skill-versions.ts",
     "scripts/check-skills-sync.ts",
+    "scripts/clean-mcpb.ts",
     "scripts/clean.ts",
     "scripts/devcheck.ts",
     "scripts/lint-mcp.ts",

package/scripts/clean-mcpb.ts

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+/**
+ * @fileoverview Post-pack MCPB bundle cleaner. Runs after `mcpb pack` (wired
+ * into the `bundle` package script) to remove bundle content the pack step
+ * cannot exclude:
+ *
+ *   1. `mcpb clean <bundle>` — official dev-dependency prune + manifest
+ *      validation (a measured real-world bundle dropped 61 MB → 12.9 MB).
+ *   2. Exact-name strip of agent-doc entries nested under `node_modules/` —
+ *      dependency-shipped `skills/`, `.claude/`, `.agents/` trees and stray
+ *      `SKILL.md` files. Root-anchored `.mcpbignore` patterns cannot reach
+ *      these by design (issues #146/#207); this is issue #230.
+ *   3. Re-list and assert zero matching entries remain.
+ *
+ * Entry names are passed to `zip -d` with `-nw` (no-wildcard) so they match
+ * literally — bracketed runtime filenames like `pages/[slug].js` exist in
+ * real packages and must not glob. Bundles are unsigned in this flow; if
+ * `mcpb sign` is ever adopted, this script must run before signing.
+ *
+ * Usage: `bun run scripts/clean-mcpb.ts dist/<name>.mcpb`
+ *
+ * @module scripts/clean-mcpb
+ */
+import { execFileSync } from 'node:child_process';
+import { existsSync, statSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+/**
+ * Agent-doc entries under `node_modules/` that must not ship in a bundle.
+ * KEEP IN SYNC with `AGENT_DOC_ENTRY` in `scripts/lint-packaging.ts`
+ * (post-bundle content check) — a unit test asserts the two are identical.
+ */
+export const AGENT_DOC_ENTRY =
+  /^node_modules\/.*(?:\/skills\/|\/\.claude\/|\/\.agents\/|\/SKILL\.md$)/;
+
+/** Filter a bundle entry listing down to the agent-doc entries to strip. */
+export function filterAgentDocEntries(entries: string[]): string[] {
+  return entries.filter((entry) => AGENT_DOC_ENTRY.test(entry));
+}
+
+/** Listing a 12k-entry bundle exceeds execFileSync's 1 MB default buffer. */
+const MAX_LIST_BUFFER = 64 * 1024 * 1024;
+
+/** `zip -d` argv batch size — stays clear of ARG_MAX with long entry names. */
+const DELETE_BATCH = 200;
+
+function listEntries(bundle: string): string[] {
+  return execFileSync('unzip', ['-Z1', bundle], { encoding: 'utf-8', maxBuffer: MAX_LIST_BUFFER })
+    .split('\n')
+    .filter((line) => line.length > 0);
+}
+
+function run(cmd: string, args: string[]): void {
+  execFileSync(cmd, args, { stdio: 'inherit' });
+}
+
+function mb(bytes: number): string {
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+function main(): void {
+  const bundleArg = process.argv[2];
+  if (!bundleArg) {
+    console.error('Usage: clean-mcpb.ts <bundle.mcpb> — run after `mcpb pack`.');
+    process.exit(1);
+  }
+  const bundle = resolve(bundleArg);
+  if (!existsSync(bundle)) {
+    console.error(`No bundle at ${bundle} — run \`mcpb pack\` first (see the \`bundle\` script).`);
+    process.exit(1);
+  }
+
+  const sizeBefore = statSync(bundle).size;
+
+  // 1. Official prune: removes dev dependencies, validates the manifest.
+  try {
+    run('npx', ['-y', '@anthropic-ai/mcpb', 'clean', bundle]);
+  } catch {
+    console.error('✗ `mcpb clean` failed — bundle left as packed.');
+    process.exit(1);
+  }
+
+  // 2. Exact-name strip of dependency-shipped agent docs.
+  let doomed: string[] = [];
+  try {
+    doomed = filterAgentDocEntries(listEntries(bundle));
+    for (let i = 0; i < doomed.length; i += DELETE_BATCH) {
+      run('zip', ['-q', '-d', '-nw', bundle, ...doomed.slice(i, i + DELETE_BATCH)]);
+    }
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT') {
+      console.error(
+        '✗ Info-ZIP `zip`/`unzip` not found on PATH — required for the agent-doc strip.',
+      );
+    } else {
+      console.error(`✗ Agent-doc strip failed: ${err instanceof Error ? err.message : err}`);
+    }
+    process.exit(1);
+  }
+
+  // 3. Verify: zero matching entries remain.
+  const remaining = filterAgentDocEntries(listEntries(bundle));
+  if (remaining.length > 0) {
+    console.error(`✗ ${remaining.length} agent-doc entries still present after strip, e.g.:`);
+    for (const entry of remaining.slice(0, 5)) console.error(`    ${entry}`);
+    process.exit(1);
+  }
+
+  const sizeAfter = statSync(bundle).size;
+  console.log(
+    `Bundle cleaned: ${mb(sizeBefore)} → ${mb(sizeAfter)} (${doomed.length} agent-doc entries stripped).`,
+  );
+}
+
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  main();
+}

package/scripts/lint-packaging.ts

@@ -2,7 +2,8 @@
 /**
  * @fileoverview MCPB packaging linter — validates env var alignment between
  * `manifest.json` (MCPB bundle install UX) and `server.json` (MCP Registry
- * discovery) for stdio packages, and guards against bundle-content mistakes.
+ * discovery) for stdio packages, and guards against bundle-content and
+ * identity mistakes.
  *
  * Used by devcheck and as a standalone script: `bun run lint:packaging` /
  * `npm run lint:packaging`.
@@ -22,17 +23,26 @@
  *      `node_modules/x/skills/` (runtime path bypass, issues #172/#207).
  *   7. Bundle-content guard: `.mcpbignore` patterns must not strip critical
  *      runtime package paths (e.g. `node_modules/@opentelemetry/api/build/src/`).
+ *   8. Post-bundle content: a built `.mcpb` under `dist/` must contain zero
+ *      `node_modules/**` agent-doc entries (dependency-shipped `skills/`,
+ *      `.claude/`, `.agents/`, `SKILL.md`) — unreachable by root-anchored
+ *      `.mcpbignore` patterns; `scripts/clean-mcpb.ts` strips them at bundle
+ *      time (issue #230).
+ *   9. Identity: `name`/`title` literals in `createApp()` /
+ *      `createWorkerHandler()` (src/index.ts, src/worker.ts) and manifest
+ *      `display_name` must equal the unscoped package name; a partial
+ *      `name`/`title` pair warns without failing (issue #231).
  *
- * Checks 1–2 run with `manifest.json` alone; 3–4 require `server.json`.
- * Checks 5–7 run when `.mcpbignore` is present (silently skip otherwise).
- *
- * Skips cleanly when `manifest.json` is absent — consumers who deleted it for
- * an HTTP-only deploy should not fail this check.
+ * Every check skips cleanly when its input is absent — consumers who deleted
+ * `manifest.json` for an HTTP-only deploy, or who haven't built a bundle,
+ * should not fail the checks that need those files.
  *
  * @module scripts/lint-packaging
  */
-import { existsSync, readFileSync } from 'node:fs';
-import { resolve } from 'node:path';
+import { execFileSync } from 'node:child_process';
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
 
 interface ServerJsonEnvVar {
   default?: string;
@@ -56,6 +66,7 @@ interface ManifestUserConfigEntry {
 }
 
 interface Manifest {
+  display_name?: unknown;
   name?: string;
   server?: { mcp_config?: { env?: Record<string, string> } };
   user_config?: Record<string, ManifestUserConfigEntry>;
@@ -69,20 +80,31 @@ const USER_CONFIG_REF = /^\$\{user_config\.([\w-]+)\}$/;
  * stripping nested runtime paths like `node_modules/x/skills/`. Keep in step
  * with the directory entries in `templates/_.mcpbignore`.
  */
-const KNOWN_DEV_DIRS = ['skills/', '.agents/', '.claude/'];
+export const KNOWN_DEV_DIRS = ['skills/', '.agents/', '.claude/'];
 
 /**
  * Critical runtime paths that must NOT be stripped by any `.mcpbignore` pattern.
  * These are sampled representative paths — enough to catch a bare `skills/`
  * pattern accidentally stripping `node_modules/…/skills/`.
  */
-const CRITICAL_RUNTIME_PATHS = [
+export const CRITICAL_RUNTIME_PATHS = [
   'node_modules/@opentelemetry/api/build/src/',
   'node_modules/@modelcontextprotocol/sdk/dist/',
   'node_modules/@cyanheads/mcp-ts-core/dist/',
   'dist/index.js',
 ];
 
+/**
+ * Agent-doc entries under `node_modules/` that must not ship in a bundle.
+ * KEEP IN SYNC with `AGENT_DOC_ENTRY` in `scripts/clean-mcpb.ts` (the strip
+ * step this check verifies) — a unit test asserts the two are identical.
+ */
+export const AGENT_DOC_ENTRY =
+  /^node_modules\/.*(?:\/skills\/|\/\.claude\/|\/\.agents\/|\/SKILL\.md$)/;
+
+/** The canonical in-code identity pair — both must equal the unscoped package name. */
+const IDENTITY_PAIR = ['name', 'title'] as const;
+
 function tryReadJson<T>(path: string): T | undefined {
   try {
     if (!existsSync(path)) return;
@@ -94,7 +116,7 @@ function tryReadJson<T>(path: string): T | undefined {
 }
 
 /**
- * Run bundle-content checks (5–7) against the .mcpbignore patterns.
+ * Run bundle-content checks (5–7) against raw `.mcpbignore` content.
  *
  * Uses the `ignore` package (already a devDependency in scaffolded servers)
  * to evaluate which paths survive the ignore rules. Returns an array of error
@@ -105,20 +127,32 @@ function tryReadJson<T>(path: string): T | undefined {
  * devDependencies (`^7.0.5`) and is therefore available in the server's
  * `node_modules` when `bun run lint:packaging` is invoked there.
  */
-async function checkBundleContent(mcpbignorePath: string): Promise<string[]> {
+interface IgnoreMatcher {
+  add(patterns: string[]): IgnoreMatcher;
+  ignores(path: string): boolean;
+}
+
+/**
+ * The `ignore` package's factory, typed structurally — the CJS interop shape
+ * of `import('ignore')` differs between the script and test tsconfig programs,
+ * so naming the module's own types breaks one or the other.
+ */
+type IgnoreFactory = (options?: unknown) => IgnoreMatcher;
+
+export async function checkBundleContent(raw: string): Promise<string[]> {
   const errors: string[] = [];
 
-  let createIgnore: typeof import('ignore')['default'];
+  let createIgnore: IgnoreFactory;
   try {
     // Dynamic import so the rest of the linter still runs when `ignore` is absent.
-    createIgnore = ((await import('ignore')) as typeof import('ignore')).default;
+    const mod: unknown = await import('ignore');
+    createIgnore = ((mod as { default?: unknown }).default ?? mod) as IgnoreFactory;
   } catch {
     // `ignore` not installed — skip the guard without failing (e.g. in a minimal
     // CI environment that omits devDependencies).
     return errors;
   }
 
-  const raw = readFileSync(mcpbignorePath, 'utf-8');
   const lines = raw
     .split('\n')
     .map((l) => l.trim())
@@ -180,81 +214,291 @@ async function checkBundleContent(mcpbignorePath: string): Promise<string[]> {
   return errors;
 }
 
-async function main(): Promise<void> {
-  const manifestPath = resolve('manifest.json');
-  if (!existsSync(manifestPath)) {
-    console.log('No manifest.json — skipping lint:packaging.');
-    process.exit(0);
-  }
+/**
+ * Check 8: a built bundle must contain zero `node_modules/**` agent-doc
+ * entries. `scripts/clean-mcpb.ts` (wired into the `bundle` script) strips
+ * them after `mcpb pack`.
+ */
+export function checkBundleEntries(entries: string[], bundleLabel: string): string[] {
+  const offending = entries.filter((entry) => AGENT_DOC_ENTRY.test(entry));
+  if (offending.length === 0) return [];
+  const sample = offending
+    .slice(0, 5)
+    .map((entry) => `\n      ${entry}`)
+    .join('');
+  return [
+    `${bundleLabel} contains ${offending.length} node_modules agent-doc entries ` +
+      `(dependency-shipped skills/, .claude/, .agents/, SKILL.md) — re-run the \`bundle\` ` +
+      `script (scripts/clean-mcpb.ts strips them):${sample}`,
+  ];
+}
+
+/**
+ * Collect the direct (depth-1) property lines of the options object passed to
+ * `createApp()` / `createWorkerHandler()`. Returns undefined when no call with
+ * an inline options object exists (e.g. the framework's bare `createApp()`
+ * dev entry).
+ *
+ * Line-based, no AST: nested object literals (a `setup(core) { … }` body,
+ * `extensions: { … }`) are excluded by brace-depth tracking so an inner
+ * `name:`/`title:` key can't false-positive the identity check. Reliable for
+ * the template-scaffolded entrypoint shape with single-line string literals.
+ */
+function identityCandidateLines(source: string): string[] | undefined {
+  const call = source.match(/\b(?:createApp|createWorkerHandler)\s*\(\s*\{/);
+  if (call?.index === undefined) return;
 
-  const manifest = tryReadJson<Manifest>(manifestPath);
-  if (!manifest) {
-    console.error('manifest.json is unreadable or malformed.');
-    process.exit(1);
+  const lines: string[] = [];
+  let depth = 0;
+  let lineStartDepth = 0;
+  let buf = '';
+  let inString: string | undefined;
+  let inBlockComment = false;
+
+  const flush = (): void => {
+    const trimmed = buf.trim();
+    if (
+      lineStartDepth === 1 &&
+      trimmed.length > 0 &&
+      !trimmed.startsWith('//') &&
+      !trimmed.startsWith('*')
+    ) {
+      lines.push(trimmed);
+    }
+    buf = '';
+  };
+
+  for (let i = call.index + call[0].length - 1; i < source.length; i++) {
+    const ch = source[i] as string;
+    if (ch === '\n') {
+      flush();
+      lineStartDepth = depth;
+      continue;
+    }
+    buf += ch;
+    if (inBlockComment) {
+      if (ch === '/' && source[i - 1] === '*') inBlockComment = false;
+      continue;
+    }
+    if (inString) {
+      if (ch === '\\') {
+        buf += source[i + 1] ?? '';
+        i++;
+        continue;
+      }
+      if (ch === inString) inString = undefined;
+      continue;
+    }
+    if (ch === '/' && source[i + 1] === '/') {
+      const nl = source.indexOf('\n', i);
+      const end = nl === -1 ? source.length : nl;
+      buf += source.slice(i + 1, end);
+      i = end - 1;
+      continue;
+    }
+    if (ch === '/' && source[i + 1] === '*') {
+      inBlockComment = true;
+      continue;
+    }
+    if (ch === "'" || ch === '"' || ch === '`') {
+      inString = ch;
+      continue;
+    }
+    if (ch === '{' || ch === '(' || ch === '[') {
+      depth++;
+    } else if (ch === '}' || ch === ')' || ch === ']') {
+      depth--;
+      if (depth === 0) {
+        flush();
+        return lines;
+      }
+    }
   }
+  flush();
+  return lines;
+}
 
+/**
+ * Check 9 (entrypoint surface): `name`/`title` literals passed to
+ * `createApp()` / `createWorkerHandler()` must equal the unscoped package
+ * name. A partial pair (one or both missing) warns without failing — explicit
+ * `name` also keeps scoped npm names out of the served `server_name`.
+ */
+export function checkEntrypointIdentity(
+  source: string,
+  unscopedName: string,
+  fileLabel: string,
+): { errors: string[]; warnings: string[] } {
   const errors: string[] = [];
+  const warnings: string[] = [];
 
-  if (manifest.name?.includes('/')) {
-    errors.push(
-      `manifest.json "name" contains a scope prefix ("${manifest.name}") — use the bare package name (e.g. "${manifest.name.split('/').pop()}")`,
-    );
+  const optionLines = identityCandidateLines(source);
+  if (!optionLines) return { errors, warnings };
+
+  const present = new Set<string>();
+  for (const field of IDENTITY_PAIR) {
+    const fieldRe = new RegExp(`^['"\`]?${field}['"\`]?\\s*:`);
+    const literalRe = new RegExp(`^['"\`]?${field}['"\`]?\\s*:\\s*(['"\`])((?:(?!\\1).)*)\\1`);
+    for (const line of optionLines) {
+      if (!fieldRe.test(line)) continue;
+      present.add(field);
+      const literal = line.match(literalRe)?.[2];
+      if (literal !== undefined && literal !== unscopedName) {
+        errors.push(
+          `${fileLabel} sets ${field}: "${literal}" — must equal the unscoped package name ` +
+            `"${unscopedName}" (display identity is the machine name on every surface)`,
+        );
+      }
+    }
   }
 
-  const userConfig = manifest.user_config ?? {};
-  for (const [key, entry] of Object.entries(userConfig)) {
-    if (typeof entry !== 'object' || entry === null) continue;
-    const missing = (['title', 'type'] as const).filter(
-      (f) => typeof entry[f] !== 'string' || (entry[f] as string).length === 0,
+  const missing = IDENTITY_PAIR.filter((field) => !present.has(field));
+  if (missing.length > 0) {
+    warnings.push(
+      `${fileLabel} identity pair is partial — missing: ${missing.join(', ')} ` +
+        `(set both name and title to the unscoped package name "${unscopedName}")`,
     );
-    if (missing.length > 0) {
-      errors.push(
-        `manifest.json user_config["${key}"] is missing required field(s): ${missing.join(', ')} — mcpb pack will reject this`,
-      );
-    }
   }
 
-  const serverJson = tryReadJson<ServerJson>(resolve('server.json'));
-  if (serverJson) {
-    const manifestEnv = manifest.server?.mcp_config?.env ?? {};
-    const manifestEnvKeys = new Set(Object.keys(manifestEnv));
+  return { errors, warnings };
+}
 
-    const manifestUserConfigKeys = new Set(
-      Object.entries(manifestEnv)
-        .filter(([, v]) => typeof v === 'string' && USER_CONFIG_REF.test(v))
-        .map(([k]) => k),
-    );
+/** Check 9 (manifest surface): `display_name`, when present, must be the unscoped package name. */
+export function checkManifestIdentity(manifest: Manifest, unscopedName: string): string[] {
+  if (typeof manifest.display_name === 'string' && manifest.display_name !== unscopedName) {
+    return [
+      `manifest.json "display_name" is "${manifest.display_name}" — must equal the unscoped ` +
+        `package name "${unscopedName}"`,
+    ];
+  }
+  return [];
+}
 
-    const stdioEnvVars = (serverJson.packages ?? [])
-      .filter((p) => p.transport?.type === 'stdio')
-      .flatMap((p) => p.environmentVariables ?? []);
-    const stdioEnvNames = new Set(stdioEnvVars.map((v) => v.name));
-    const requiredStdioEnvNames = new Set(
-      stdioEnvVars.filter((v) => v.isRequired === true && v.default == null).map((v) => v.name),
-    );
+async function main(): Promise<void> {
+  const errors: string[] = [];
+  const warnings: string[] = [];
+  const notes: string[] = [];
+
+  const pkg = tryReadJson<{ name?: string }>(resolve('package.json'));
+  const unscopedName = pkg?.name?.split('/').pop();
 
-    const missingInServerJson = [...manifestUserConfigKeys].filter((k) => !stdioEnvNames.has(k));
-    const missingInManifest = [...requiredStdioEnvNames].filter((k) => !manifestEnvKeys.has(k));
+  // ── Manifest-dependent checks (1–4 + manifest identity) ──
+  const manifestPath = resolve('manifest.json');
+  let manifest: Manifest | undefined;
+  if (existsSync(manifestPath)) {
+    manifest = tryReadJson<Manifest>(manifestPath);
+    if (!manifest) {
+      console.error('manifest.json is unreadable or malformed.');
+      process.exit(1);
+    }
 
-    if (missingInServerJson.length > 0) {
+    if (manifest.name?.includes('/')) {
       errors.push(
-        `manifest.json references user_config env var(s) not advertised in server.json stdio environmentVariables[]: ${missingInServerJson.join(', ')}`,
+        `manifest.json "name" contains a scope prefix ("${manifest.name}") — use the bare package name (e.g. "${manifest.name.split('/').pop()}")`,
       );
     }
-    if (missingInManifest.length > 0) {
-      errors.push(
-        `server.json declares required stdio env var(s) without default missing from manifest.json mcp_config.env: ${missingInManifest.join(', ')}`,
+
+    const userConfig = manifest.user_config ?? {};
+    for (const [key, entry] of Object.entries(userConfig)) {
+      if (typeof entry !== 'object' || entry === null) continue;
+      const missing = (['title', 'type'] as const).filter(
+        (f) => typeof entry[f] !== 'string' || (entry[f] as string).length === 0,
       );
+      if (missing.length > 0) {
+        errors.push(
+          `manifest.json user_config["${key}"] is missing required field(s): ${missing.join(', ')} — mcpb pack will reject this`,
+        );
+      }
     }
+
+    const serverJson = tryReadJson<ServerJson>(resolve('server.json'));
+    if (serverJson) {
+      const manifestEnv = manifest.server?.mcp_config?.env ?? {};
+      const manifestEnvKeys = new Set(Object.keys(manifestEnv));
+
+      const manifestUserConfigKeys = new Set(
+        Object.entries(manifestEnv)
+          .filter(([, v]) => typeof v === 'string' && USER_CONFIG_REF.test(v))
+          .map(([k]) => k),
+      );
+
+      const stdioEnvVars = (serverJson.packages ?? [])
+        .filter((p) => p.transport?.type === 'stdio')
+        .flatMap((p) => p.environmentVariables ?? []);
+      const stdioEnvNames = new Set(stdioEnvVars.map((v) => v.name));
+      const requiredStdioEnvNames = new Set(
+        stdioEnvVars.filter((v) => v.isRequired === true && v.default == null).map((v) => v.name),
+      );
+
+      const missingInServerJson = [...manifestUserConfigKeys].filter((k) => !stdioEnvNames.has(k));
+      const missingInManifest = [...requiredStdioEnvNames].filter((k) => !manifestEnvKeys.has(k));
+
+      if (missingInServerJson.length > 0) {
+        errors.push(
+          `manifest.json references user_config env var(s) not advertised in server.json stdio environmentVariables[]: ${missingInServerJson.join(', ')}`,
+        );
+      }
+      if (missingInManifest.length > 0) {
+        errors.push(
+          `server.json declares required stdio env var(s) without default missing from manifest.json mcp_config.env: ${missingInManifest.join(', ')}`,
+        );
+      }
+    }
+
+    if (unscopedName) {
+      errors.push(...checkManifestIdentity(manifest, unscopedName));
+    }
+  } else {
+    notes.push('No manifest.json — skipping manifest/server.json alignment checks.');
   }
 
-  // Bundle-content guard (checks 5–7).
+  // ── Bundle-content guard (checks 5–7) ──
   const mcpbignorePath = resolve('.mcpbignore');
   if (existsSync(mcpbignorePath)) {
-    const bundleErrors = await checkBundleContent(mcpbignorePath);
-    errors.push(...bundleErrors);
+    errors.push(...(await checkBundleContent(readFileSync(mcpbignorePath, 'utf-8'))));
   }
 
+  // ── Post-bundle content check (8) ──
+  const distDir = resolve('dist');
+  if (existsSync(distDir)) {
+    for (const file of readdirSync(distDir).filter((f) => f.endsWith('.mcpb'))) {
+      try {
+        const listing = execFileSync('unzip', ['-Z1', join(distDir, file)], {
+          encoding: 'utf-8',
+          maxBuffer: 64 * 1024 * 1024,
+        });
+        errors.push(
+          ...checkBundleEntries(
+            listing.split('\n').filter((line) => line.length > 0),
+            `dist/${file}`,
+          ),
+        );
+      } catch (err) {
+        if ((err as NodeJS.ErrnoException).code === 'ENOENT') {
+          notes.push(`unzip not available — skipping bundle content check for dist/${file}.`);
+        } else {
+          errors.push(
+            `failed to list entries of dist/${file}: ${err instanceof Error ? err.message : err}`,
+          );
+        }
+      }
+    }
+  }
+
+  // ── Entrypoint identity check (9) ──
+  if (unscopedName) {
+    for (const entry of ['src/index.ts', 'src/worker.ts']) {
+      const entryPath = resolve(entry);
+      if (!existsSync(entryPath)) continue;
+      const result = checkEntrypointIdentity(readFileSync(entryPath, 'utf-8'), unscopedName, entry);
+      errors.push(...result.errors);
+      warnings.push(...result.warnings);
+    }
+  }
+
+  for (const note of notes) console.log(note);
+  for (const warning of warnings) console.warn(`  ⚠ ${warning}`);
+
   if (errors.length === 0) {
     console.log('Packaging alignment OK.');
     process.exit(0);
@@ -263,4 +507,6 @@ async function main(): Promise<void> {
   process.exit(1);
 }
 
-await main();
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  await main();
+}

package/skills/orchestrations/SKILL.md

@@ -4,7 +4,7 @@ description: >
   Pick and run a multi-phase workflow that chains foundational task skills (`git-wrapup`, `release-and-publish`, `maintenance`, `field-test`, `setup`, etc.) end-to-end. Routes user intent to a workflow file under `workflows/` — greenfield builds, maintenance + release, field-test + fix, or known-work + release. Single source for the universal rules (no commits without authorization, no destructive git, no marketing language), the orchestrator posture (own the goal, ground sub-agents in primary sources, verify against the goal), and the sub-agent strategy (orient block, parallel fanout, isolation, normalization) that apply across every workflow. Sub-agents are an optional capability — workflows run linearly when fanout isn't available.
 metadata:
   author: cyanheads
-  version: "1.2"
+  version: "1.3"
   audience: external
   type: workflow
 ---

package/skills/orchestrations/workflows/fix-wrapup-release.md

@@ -63,7 +63,7 @@ Each phase's Objective column is the goal state per target — the verifiable en
 | 1b | Fix | Per target: targeted issues fixed in source, tests updated/added, `devcheck` + `rebuild` + `test` green, each fixed issue commented with fix details, working tree dirty for review | parallel fanout (one sub-agent per target — hard constraint) | **barrier** — orchestrator reviews diffs before verify (explicit gate in checklist) |
 | 2 | Verify | Per target: full diff cold-reviewed; simplified if warranted; each fix re-exercised against the running server with actual tool output in the summary | parallel fanout | **barrier** — orchestrator reviews simplified diff and verified outputs; release authorization required |
 | 3 | Wrap-up + release | Per target: fixes split into per-file commits with a release commit on top; annotated tag; published per repo visibility; tag annotation is structured markdown with issue backlinks | parallel fanout (Bash git only) | gate-free |
-| 4 | Issue cleanup | Every GH issue that shipped a fix closed with "Fixed in v\<version\>" comment | orchestrator (serial) | — |
+| 4 | Issue cleanup | Every shipped issue closed (reason: completed) carrying exactly one what-landed comment that cites the version | orchestrator (serial) | — |
 
 Phase 1a is conditional — only runs when the input is a handoff document or otherwise unvalidated. When the input is already tracked GH issues, skip directly to Phase 1b. The release portion of Phase 3 is conditional on user authorization to ship.
 
@@ -137,14 +137,18 @@ The tag annotation and changelog cover ALL fixes — the commit split is about g
 **Tag annotations** are for end users — internal dev cleanup (lockfile refreshes, linter fixes, build config) belongs in commit bodies, not the tag annotation.
 
 ### Phase 4: Issue cleanup
-Close issues that shipped fixes — only those. Skipped issues stay open.
+Close issues that shipped — only those. Skipped issues stay open.
+
+Each issue gets exactly ONE substantive comment recording what landed — concrete changes, file paths, and the version — written either by the fix sub-agent (Phase 1b) or by the orchestrator here. Then close without an additional comment:
 
 ```bash
-for n in <fixed-issue-numbers>; do
-  gh issue close "$n" -R "<owner>/<repo>" --reason completed --comment "Fixed in v<version>."
+for n in <shipped-issue-numbers>; do
+  gh issue close "$n" -R "<owner>/<repo>" --reason completed
 done
 ```
 
+If no what-landed comment exists yet, the version belongs in that one comment ("Shipped in v\<version\>: …"). Never stack a bare "Fixed in v\<version\>" trailer on top of an existing summary — it duplicates the record, and "fixed" misdescribes enhancements (enhancements ship/land; only bugs are fixed).
+
 ## Workflow-specific gotchas
 
 | # | Gotcha | Mitigation |
@@ -170,6 +174,6 @@ done
 - [ ] Orchestrator gate after Phase 2: simplified diff reviewed, field-test claims verified
 - [ ] Phase 3: version bumped, fix commits + release commit, annotated tag per target — scope matches private/public status
 - [ ] Phase 3: published per scope (push, npm if public, MCP Registry if applicable, GH release, Docker if applicable)
-- [ ] Phase 4: fixed issues closed; skipped issues remain open
+- [ ] Phase 4: shipped issues closed, one what-landed comment each; skipped issues remain open
 - [ ] Post-workflow verification: `git ls-remote --tags origin`, `npm view <pkg>@<version>` if public, GH release artifacts attached
 - [ ] Tag/release quality review: tag subject omits version number, structured markdown, no marketing adjectives, issue backlinks present

package/skills/polish-docs-meta/SKILL.md

@@ -4,7 +4,7 @@ description: >
   Finalize documentation and project metadata for a ship-ready MCP server. Use after implementation is complete, tests pass, and devcheck is clean. Safe to run at any stage — each step checks current state and only acts on what still needs work.
 metadata:
   author: cyanheads
-  version: "2.6"
+  version: "2.7"
   audience: external
   type: workflow
 ---
@@ -76,6 +76,8 @@ Key fields: `name`, `description`, `repository`, `author`, `homepage`, `bugs`, `
 
 **`name` must communicate the server's domain at a glance.** See `references/package-meta.md` for the naming convention — ambiguous abbreviations and acronym-only names fail the scannability test for humans and agents alike.
 
+**`name` and `title` in `createApp()` / `createWorkerHandler()` must match the unscoped `package.json` `name`** — display identity is the machine name on every surface; `lint:packaging` (run by `devcheck`) enforces the match and warns when the pair is partial. `description` is never duplicated into the entrypoint — `package.json` is the canonical source (the framework derives the served description from it).
+
 **`description` is the canonical source.** Every other surface (README header, `server.json`, Dockerfile OCI label, GitHub repo description) derives from it. Write it here first, then propagate.
 
 ### 6. `server.json`
@@ -193,7 +195,7 @@ If the project ships as an `.mcpb` bundle for Claude Desktop (check for `manifes
 
 **`package.json` scripts:**
 
-- `bundle` — builds the `.mcpb` (e.g., `mcpb pack --output dist/`)
+- `bundle` — builds the `.mcpb` (`mcpb pack`, then `scripts/clean-mcpb.ts` prunes dev deps and strips dependency-shipped agent docs)
 - `lint:packaging` — validates `manifest.json` ↔ `server.json` env var consistency (run by `devcheck`)
 
 **Cross-file consistency:**

package/templates/AGENTS.md

@@ -335,13 +335,13 @@ When you complete a skill's checklist, check the boxes and add a completion time
 | `npm run start:http` | Production mode (HTTP) |
 | `npm run changelog:build` | Regenerate `CHANGELOG.md` from `changelog/*.md` |
 | `npm run changelog:check` | Verify `CHANGELOG.md` is in sync (used by devcheck) |
-| `npm run bundle` | Build and pack as `.mcpb` for one-click Claude Desktop install |
+| `npm run bundle` | Build, pack, and clean a `.mcpb` for one-click Claude Desktop install |
 
 ---
 
 ## Bundling
 
-`npm run bundle` produces a `.mcpb` extension bundle for one-click install in Claude Desktop. MCPB is stdio-only — HTTP and Cloudflare Workers deployments are unaffected. Consumers who don't need it can delete `manifest.json` and `.mcpbignore`; `lint:packaging` skips cleanly.
+`npm run bundle` produces a `.mcpb` extension bundle for one-click install in Claude Desktop. The pack step is followed by `scripts/clean-mcpb.ts`, which prunes dev dependencies (`mcpb clean`) and strips dependency-shipped agent docs (`node_modules/**` `skills/`, `.claude/`, `.agents/`, `SKILL.md`) that root-anchored `.mcpbignore` patterns cannot reach. MCPB is stdio-only — HTTP and Cloudflare Workers deployments are unaffected. Consumers who don't need it can delete `manifest.json` and `.mcpbignore`; `lint:packaging` skips cleanly.
 
 **Adding an env var requires both files:** `server.json` (registry discovery, `environmentVariables[]`) and `manifest.json` (bundle install UX, `mcp_config.env` + `user_config`). `lint:packaging` (run by `devcheck`) verifies the env var names match.
 

package/templates/CLAUDE.md

@@ -335,13 +335,13 @@ When you complete a skill's checklist, check the boxes and add a completion time
 | `npm run start:http` | Production mode (HTTP) |
 | `npm run changelog:build` | Regenerate `CHANGELOG.md` from `changelog/*.md` |
 | `npm run changelog:check` | Verify `CHANGELOG.md` is in sync (used by devcheck) |
-| `npm run bundle` | Build and pack as `.mcpb` for one-click Claude Desktop install |
+| `npm run bundle` | Build, pack, and clean a `.mcpb` for one-click Claude Desktop install |
 
 ---
 
 ## Bundling
 
-`npm run bundle` produces a `.mcpb` extension bundle for one-click install in Claude Desktop. MCPB is stdio-only — HTTP and Cloudflare Workers deployments are unaffected. Consumers who don't need it can delete `manifest.json` and `.mcpbignore`; `lint:packaging` skips cleanly.
+`npm run bundle` produces a `.mcpb` extension bundle for one-click install in Claude Desktop. The pack step is followed by `scripts/clean-mcpb.ts`, which prunes dev dependencies (`mcpb clean`) and strips dependency-shipped agent docs (`node_modules/**` `skills/`, `.claude/`, `.agents/`, `SKILL.md`) that root-anchored `.mcpbignore` patterns cannot reach. MCPB is stdio-only — HTTP and Cloudflare Workers deployments are unaffected. Consumers who don't need it can delete `manifest.json` and `.mcpbignore`; `lint:packaging` skips cleanly.
 
 **Adding an env var requires both files:** `server.json` (registry discovery, `environmentVariables[]`) and `manifest.json` (bundle install UX, `mcp_config.env` + `user_config`). `lint:packaging` (run by `devcheck`) verifies the env var names match.
 

package/templates/manifest.json

@@ -22,6 +22,5 @@
   },
   "tools_generated": true,
   "prompts_generated": true,
-  "repository": { "type": "git", "url": "" },
   "user_config": {}
 }

package/templates/package.json

@@ -30,7 +30,7 @@
     "format:unsafe": "biome check --write --unsafe .",
     "lint:mcp": "bun run scripts/lint-mcp.ts",
     "lint:packaging": "bun run scripts/lint-packaging.ts",
-    "bundle": "bun run build && npx -y @anthropic-ai/mcpb pack . dist/{{PACKAGE_NAME}}.mcpb",
+    "bundle": "bun run build && npx -y @anthropic-ai/mcpb pack . dist/{{PACKAGE_NAME}}.mcpb && bun run scripts/clean-mcpb.ts dist/{{PACKAGE_NAME}}.mcpb",
     "changelog:build": "bun run scripts/build-changelog.ts",
     "changelog:check": "bun run scripts/build-changelog.ts --check",
     "release:github": "bun run scripts/release-github.ts",

package/templates/src/index.ts

@@ -12,6 +12,8 @@ import { echoAppUiResource } from './mcp-server/resources/definitions/echo-app-u
 import { echoPrompt } from './mcp-server/prompts/definitions/echo.prompt.js';
 
 await createApp({
+  name: '{{PACKAGE_NAME}}',
+  title: '{{PACKAGE_NAME}}',
   tools: [echoTool, echoAppTool],
   resources: [echoResource, echoAppUiResource],
   prompts: [echoPrompt],