npm - @cyanheads/mcp-ts-core - Versions diffs - 0.6.9 → 0.6.10 - Mend

@cyanheads/mcp-ts-core 0.6.9 → 0.6.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CLAUDE.md +3 -3
package/README.md +2 -2
package/changelog/0.6.x/0.6.10.md +21 -0
package/dist/logs/combined.log +4 -0
package/dist/logs/error.log +4 -0
package/dist/logs/interactions.log +0 -0
package/package.json +5 -5
package/skills/polish-docs-meta/references/package-meta.md +1 -1
package/skills/release-and-publish/SKILL.md +150 -0
package/skills/setup/SKILL.md +64 -14
package/skills/release/SKILL.md +0 -142

package/CLAUDE.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Agent Protocol
-**Package:** `@cyanheads/mcp-ts-core` · **Version:** 0.6.9
+**Package:** `@cyanheads/mcp-ts-core` · **Version:** 0.6.10
 **npm:** [@cyanheads/mcp-ts-core](https://www.npmjs.com/package/@cyanheads/mcp-ts-core) · **Docker:** [ghcr.io/cyanheads/mcp-ts-core](https://ghcr.io/cyanheads/mcp-ts-core)
 > **Developer note:** Never assume. Read related files and docs before making changes. Read full file content for context. Never edit a file before reading it.
@@ -468,7 +468,7 @@ Detailed method signatures, options, and examples live in skill files. Read the
 | `polish-docs-meta` | `skills/polish-docs-meta/SKILL.md` | Finalize docs, README, metadata, and agent protocol for shipping |
 | `report-issue-framework` | `skills/report-issue-framework/SKILL.md` | File a bug or feature request against `@cyanheads/mcp-ts-core` via `gh` CLI |
 | `report-issue-local` | `skills/report-issue-local/SKILL.md` | File a bug or feature request against this server's own repo via `gh` CLI |
-| `release` | `skills/release/SKILL.md` | Version bump, changelog, publish workflow |
+| `release-and-publish` | `skills/release-and-publish/SKILL.md` | Post-wrapup ship workflow: verification gate, push, publish to npm/MCP Registry/GHCR |
 | `maintenance` | `skills/maintenance/SKILL.md` | Dependency updates, housekeeping tasks |
 | `migrate-mcp-ts-template` | `skills/migrate-mcp-ts-template/SKILL.md` | Migrate legacy template fork to package dependency |
@@ -563,7 +563,7 @@ Pre-release versions (`0.6.0-beta.1`, `0.6.0-rc.1`, etc.) are consolidated as `#
 ## Publishing
-Run the `release` skill first — it verifies version consistency across all files, changelog completeness, skill version bumps, and runs the final check suite. It ends by presenting these irreversible publish commands:
+Run the `release-and-publish` skill — it runs the verification gate (`devcheck`, `rebuild`, `test:all`), pushes commits and tags, and publishes to every applicable destination. The full reference:
 ```bash
 bun publish --access public

package/README.md CHANGED Viewed

@@ -5,7 +5,7 @@
 <div align="center">
-[![Version](https://img.shields.io/badge/Version-0.6.9-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE)
+[![Version](https://img.shields.io/badge/Version-0.6.10-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE)
 [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.2-blueviolet.svg?style=flat-square)](https://bun.sh/)
@@ -43,7 +43,7 @@ bun install
 You get a scaffolded project with `CLAUDE.md`, Agent Skills, and a `src/` tree ready for your tools. Infrastructure — transports, auth, storage, telemetry, lifecycle, linting — lives in `node_modules`. What's left is domain: which APIs to wrap, which workflows to expose.
-Start your coding agent (Claude Code, Codex, Cursor), describe the system you want to expose, and it drives the build. The included skills cover the full cycle: `setup`, `design-mcp-server`, scaffolding, testing, release.
+Start your coding agent (Claude Code, Codex, Cursor), describe the system you want to expose, and it drives the build. The included skills cover the full cycle: `setup`, `design-mcp-server`, scaffolding, testing, `release-and-publish`.
 ### What you get

package/changelog/0.6.x/0.6.10.md ADDED Viewed

@@ -0,0 +1,21 @@
+---
+summary: Rename release skill to release-and-publish with an end-to-end ship workflow, expand setup skill scaffolding docs, and bump @cloudflare/workers-types, @supabase/supabase-js, and vite
+breaking: false
+---
+# 0.6.10 — 2026-04-23
+Rework the release workflow into a post-wrapup publisher and expand the setup skill to match what `init` actually scaffolds. No library API changes.
+## Changed
+- **`release` skill renamed to `release-and-publish`** and rewritten as a post-wrapup shipping workflow (version bumps, changelog, commits, and tagging are assumed done by the git wrapup protocol). The skill now runs the verification gate (`devcheck`, `rebuild`, `test:all`), pushes commits and tags, then publishes to npm, the MCP Registry, and GHCR — halting on the first non-zero exit and reporting partial state so the user can resume manually. Audience flipped from `internal` to `external`; version bumped to `2.0`.
+- **`setup` skill expanded** — project tree listing now reflects everything `init` actually creates (configs, Dockerfile, `.vscode/`, `server.json`, starter tests, app-tool + app-resource pair). Added a "Changelog Convention" section and a "Next Steps" progression through `design-mcp-server` → scaffolding skills → `add-test` → `field-test` → `polish-docs-meta` → `maintenance`. Version bumped to `1.5`.
+- **`publish-mcp` script** now logs into the MCP Publisher with a Keychain-stored GitHub PAT before publishing: `mcp-publisher login github -token "$(security find-generic-password -a "$USER" -s mcp-publisher-github-pat -w)" && mcp-publisher publish`. Matches the flow documented in the `release-and-publish` skill.
+- **Agent protocol references updated** — `CLAUDE.md`, `AGENTS.md`, `README.md`, and `skills/polish-docs-meta/references/package-meta.md` now point at `release-and-publish` instead of the old `release` skill.
+## Dependencies
+- `@cloudflare/workers-types` `^4.20260422.1` → `^4.20260423.1`
+- `@supabase/supabase-js` `^2.104.0` → `^2.104.1`
+- `vite` `8.0.9` → `8.0.10`

package/dist/logs/combined.log ADDED Viewed

@@ -0,0 +1,4 @@
+{"level":50,"time":1776955661645,"env":"testing","version":"0.0.0-test","pid":87698,"requestId":"H425Q-YZMFD","timestamp":"2026-04-23T14:47:41.643Z","operation":"HandleToolRequest","input":{"message":"blocked"},"critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"6d54688d1f715b37c579af1c10830fb526330c8eb39f929290a28bb4cebbc41e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant"},"errorData":{"sessionId":"6d54688d1f715b37c579af1c10830fb526330c8eb39f929290a28bb4cebbc41e","toolName":"scoped_echo","input":{"message":"blocked"},"requestId":"H425Q-YZMFD","timestamp":"2026-04-23T14:47:41.643Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:68:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:101:42)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1776955662508,"env":"testing","version":"0.6.10","pid":87732,"requestId":"RD7TQ-YRWS5","timestamp":"2026-04-23T14:47:42.507Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"RD7TQ-YRWS5","timestamp":"2026-04-23T14:47:42.507Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:119:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:82:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":50,"time":1776955662525,"env":"testing","version":"0.6.10","pid":87732,"requestId":"UHB72-SFY34","timestamp":"2026-04-23T14:47:42.524Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"UHB72-SFY34","timestamp":"2026-04-23T14:47:42.524Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
+{"level":50,"time":1776955662529,"env":"testing","version":"0.6.10","pid":87732,"requestId":"TCIU4-1PP9W","timestamp":"2026-04-23T14:47:42.529Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"TCIU4-1PP9W","timestamp":"2026-04-23T14:47:42.529Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:119:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:82:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}

package/dist/logs/error.log ADDED Viewed

@@ -0,0 +1,4 @@
+{"level":50,"time":1776955661645,"env":"testing","version":"0.0.0-test","pid":87698,"requestId":"H425Q-YZMFD","timestamp":"2026-04-23T14:47:41.643Z","operation":"HandleToolRequest","input":{"message":"blocked"},"critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"6d54688d1f715b37c579af1c10830fb526330c8eb39f929290a28bb4cebbc41e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant"},"errorData":{"sessionId":"6d54688d1f715b37c579af1c10830fb526330c8eb39f929290a28bb4cebbc41e","toolName":"scoped_echo","input":{"message":"blocked"},"requestId":"H425Q-YZMFD","timestamp":"2026-04-23T14:47:41.643Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:68:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:101:42)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1776955662508,"env":"testing","version":"0.6.10","pid":87732,"requestId":"RD7TQ-YRWS5","timestamp":"2026-04-23T14:47:42.507Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"RD7TQ-YRWS5","timestamp":"2026-04-23T14:47:42.507Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:119:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:82:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":50,"time":1776955662525,"env":"testing","version":"0.6.10","pid":87732,"requestId":"UHB72-SFY34","timestamp":"2026-04-23T14:47:42.524Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"UHB72-SFY34","timestamp":"2026-04-23T14:47:42.524Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
+{"level":50,"time":1776955662529,"env":"testing","version":"0.6.10","pid":87732,"requestId":"TCIU4-1PP9W","timestamp":"2026-04-23T14:47:42.529Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"TCIU4-1PP9W","timestamp":"2026-04-23T14:47:42.529Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:119:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:82:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:168:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}

package/dist/logs/interactions.log ADDED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/mcp-ts-core",
-  "version": "0.6.9",
+  "version": "0.6.10",
   "mcpName": "io.github.cyanheads/mcp-ts-core",
   "description": "Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.",
   "main": "dist/core/index.js",
@@ -146,7 +146,7 @@
     "audit:fix": "bun audit --fix",
     "changelog:build": "bun run scripts/build-changelog.ts",
     "changelog:check": "bun run scripts/build-changelog.ts --check",
-    "publish-mcp": "bunx mcp-publisher publish"
+    "publish-mcp": "mcp-publisher login github -token \"$(security find-generic-password -a \"$USER\" -s mcp-publisher-github-pat -w)\" && mcp-publisher publish"
   },
   "resolutions": {
     "brace-expansion": "1.1.14",
@@ -160,7 +160,7 @@
   },
   "devDependencies": {
     "@biomejs/biome": "2.4.12",
-    "@cloudflare/workers-types": "^4.20260422.1",
+    "@cloudflare/workers-types": "^4.20260423.1",
     "@hono/otel": "^1.1.1",
     "@opentelemetry/instrumentation-http": "^0.215.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.215.0",
@@ -171,7 +171,7 @@
     "@opentelemetry/sdk-node": "^0.215.0",
     "@opentelemetry/sdk-trace-node": "^2.7.0",
     "@opentelemetry/semantic-conventions": "^1.40.0",
-    "@supabase/supabase-js": "^2.104.0",
+    "@supabase/supabase-js": "^2.104.1",
     "@types/bun": "^1.3.13",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.6.0",
@@ -202,7 +202,7 @@
     "typescript": "^6.0.3",
     "unpdf": "^1.6.0",
     "validator": "^13.15.35",
-    "vite": "8.0.9",
+    "vite": "8.0.10",
     "vitest": "^4.1.5"
   },
   "keywords": [

package/skills/polish-docs-meta/references/package-meta.md CHANGED Viewed

@@ -7,7 +7,7 @@ Fields that may still be empty or generic from scaffolding. Check each one and f
 | Field | Default / Scaffolded | What It Should Be |
 |:------|:---------------------|:------------------|
 | `name` | `{{PACKAGE_NAME}}` (substituted by init) | Verify it's correct. Use scoped name if publishing (`@org/my-server`). |
-| `version` | `0.1.0` | Keep for initial development. Bump via the `release` skill. |
+| `version` | `0.1.0` | Keep for initial development. Bump via the `release-and-publish` skill. |
 | `mcpName` | _(often missing)_ | Reverse-domain identifier: `"io.github.{owner}/{repo}"`. Used in `server.json` `name` field and Dockerfile OCI labels. |
 | `description` | `""` (empty) | One sentence: what the server does and what it wraps. Appears on npm and in `npm search`. |
 | `repository` | _(often missing)_ | `{ "type": "git", "url": "git+https://github.com/org/repo.git" }` |

package/skills/release-and-publish/SKILL.md ADDED Viewed

@@ -0,0 +1,150 @@
+---
+name: release-and-publish
+description: >
+  Ship a release end-to-end across every registry the project targets (npm, MCP Registry, GHCR). Runs the final verification gate, pushes commits and tags, then publishes to each applicable destination. Assumes git wrapup (version bumps, changelog, commit, annotated tag) is already complete — this skill is the post-wrapup publish workflow. Halts and alerts the user on the first failure.
+metadata:
+  author: cyanheads
+  version: "2.0"
+  audience: external
+  type: workflow
+---
+## Preconditions
+This skill runs **after** git wrapup. By the time it's invoked:
+- `package.json` version is bumped
+- `changelog/<major.minor>.x/<version>.md` is authored
+- `CHANGELOG.md` is regenerated
+- README and every version-bearing file is in sync
+- Release commit (`chore: release v<version>`) exists
+- Annotated tag (`v<version>`) exists locally
+- Working tree is clean
+If any are missing, halt and tell the user to finish wrapup first. Do not attempt to redo wrapup work from inside this skill.
+## Failure Protocol
+**Stop on the first non-zero exit.** No retries, no remediation from inside the skill. Report to the user:
+1. Which step failed
+2. The exact error output
+3. Which destinations already received the release (npm published? tag pushed? etc.) so they know the partial state
+The user fixes locally and re-invokes, or runs the remaining steps manually. Publishes hard-fail with "version already exists" if replayed — that's the signal the step already succeeded.
+## Steps
+### 1. Sanity-check wrapup outputs
+Read `package.json` → capture `version`. Then verify:
+```bash
+git status --porcelain          # must be empty — clean working tree
+git describe --exact-match --tags HEAD 2>&1   # must equal v<version>
+git rev-parse --abbrev-ref HEAD  # note the branch name for step 3
+```
+If working tree is dirty or HEAD isn't on `v<version>`, halt.
+### 2. Run the verification gate
+All three must succeed. Use `test:all` if the script exists in `package.json`, otherwise fall back to `test`:
+```bash
+bun run devcheck
+bun run rebuild
+bun run test:all        # or `bun run test` if no test:all
+```
+Any non-zero exit → halt with the failing command's output.
+### 3. Push to origin
+```bash
+git push
+git push --tags
+```
+If the remote rejects either push, halt.
+### 4. Publish to npm
+```bash
+bun publish --access public
+```
+`bun publish` uses whatever npm auth the user has configured in `~/.npmrc`. If 2FA is enabled on the npm account, the command will prompt for an OTP or open a browser — that's expected; the user completes it interactively.
+**Friction reducers (optional, configure once):**
+| Option | How |
+|:--|:--|
+| **npm granular access token** with "Bypass 2FA for publish" | Generate at npmjs.com → replace `_authToken` in `~/.npmrc` → no OTP prompt at all |
+| **1Password CLI TOTP injection** (requires `brew install --cask 1password-cli` + signed-in `op`) | `bun publish --access public --otp="$(op item get 'npm' --otp)"` |
+Halt on publish error other than "version already exists" (which means this step already ran).
+### 5. Publish to MCP Registry
+Only if `server.json` exists at the repo root (otherwise skip).
+```bash
+bun run publish-mcp
+```
+If `publish-mcp` isn't defined in `package.json`, add it (macOS):
+```json
+"publish-mcp": "mcp-publisher login github -token \"$(security find-generic-password -a \"$USER\" -s mcp-publisher-github-pat -w)\" && mcp-publisher publish"
+```
+Prereq: a GitHub PAT with `read:org` + `read:user` scopes stored in Keychain under the service name `mcp-publisher-github-pat`:
+```bash
+security add-generic-password -a "$USER" -s mcp-publisher-github-pat -w
+# paste PAT at the silent prompt
+```
+Halt on any publisher error other than "cannot publish duplicate version".
+### 6. Publish Docker image
+Only if `Dockerfile` exists at the repo root (otherwise skip).
+Derive:
+- `OWNER/REPO` from `git remote get-url origin` (strip `.git`, handle both `https://github.com/<owner>/<repo>` and `git@github.com:<owner>/<repo>` forms)
+- `VERSION` from `package.json` (step 1)
+```bash
+docker buildx build --platform linux/amd64,linux/arm64 \
+  -t ghcr.io/<OWNER>/<REPO>:<VERSION> \
+  -t ghcr.io/<OWNER>/<REPO>:latest \
+  --push .
+```
+If the project uses a non-GHCR registry or a custom image name, respect the project's convention. Halt on build or push failure.
+### 7. Report the deployed artifacts
+Print clickable URLs for every destination that succeeded:
+- npm: `https://www.npmjs.com/package/<package.json#name>/v/<version>`
+- MCP Registry: `https://registry.modelcontextprotocol.io/v0/servers?search=<package.json#mcpName>`
+- GHCR: `ghcr.io/<OWNER>/<REPO>:<VERSION>`
+Skip any destination that was skipped in its step.
+## Checklist
+- [ ] Working tree clean; HEAD tagged `v<version>`
+- [ ] `bun run devcheck` passes
+- [ ] `bun run rebuild` succeeds
+- [ ] `bun run test:all` (or `test`) passes
+- [ ] `git push` succeeds
+- [ ] `git push --tags` succeeds
+- [ ] `bun publish --access public` succeeds
+- [ ] `bun run publish-mcp` succeeds (if `server.json` present)
+- [ ] Docker buildx multi-arch push succeeds (if `Dockerfile` present)
+- [ ] Deployed artifact URLs reported to the user

package/skills/setup/SKILL.md CHANGED Viewed

@@ -4,7 +4,7 @@ description: >
   Post-init orientation for an MCP server built on @cyanheads/mcp-ts-core. Use after running `@cyanheads/mcp-ts-core init` to understand the project structure, conventions, and skill sync model. Also use when onboarding to an existing project for the first time.
 metadata:
   author: cyanheads
-  version: "1.4"
+  version: "1.5"
   audience: external
   type: workflow
 ---
@@ -29,19 +29,39 @@ For the full framework API, read `node_modules/@cyanheads/mcp-ts-core/CLAUDE.md`
 What `init` actually creates:
 ```text
-CLAUDE.md                                       # Agent protocol (project-specific)
-AGENTS.md                                       # Alternate agent protocol file — keep the one your agent uses
-.github/ISSUE_TEMPLATE/                         # GitHub issue templates (bug report, feature request)
-skills/                                         # Project skills (source of truth)
+CLAUDE.md                                       # Agent protocol — Claude Code
+AGENTS.md                                       # Agent protocol — other agents (Codex, Cursor, etc.)
+package.json                                    # Starter deps + scripts (placeholders substituted on init)
+tsconfig.json                                   # TypeScript config
+tsconfig.build.json                             # Build-only TS config
+vitest.config.ts                                # Test runner config
+biome.json                                      # Lint + format config
+devcheck.config.json                            # Which devcheck steps to run
+Dockerfile                                      # Starter multi-stage image
+.dockerignore
+.env.example                                    # Copy to .env and fill in
+.gitignore
+.github/ISSUE_TEMPLATE/                         # Bug / feature-request issue forms
+.vscode/                                        # Recommended extensions + editor settings
+server.json                                     # MCP Registry publishing metadata
+changelog/template.md                           # Format reference for per-version changelog files
+scripts/                                        # build, clean, devcheck, lint-mcp, build-changelog, tree, check-docs-sync
+skills/                                         # External skills copied from the package (source of truth)
 src/
   index.ts                                      # createApp() entry point
   mcp-server/
     tools/definitions/
-      echo.tool.ts                              # Echo tool (starter — replace when ready)
+      echo.tool.ts                              # Standard tool starter
+      echo-app.app-tool.ts                      # UI-enabled app tool starter (pairs with echo-app-ui resource)
     resources/definitions/
-      echo.resource.ts                          # Echo resource (starter — replace when ready)
+      echo.resource.ts                          # Standard resource starter
+      echo-app-ui.app-resource.ts               # UI resource paired with echo-app app tool
     prompts/definitions/
-      echo.prompt.ts                            # Echo prompt (starter — replace when ready)
+      echo.prompt.ts                            # Prompt starter
+tests/
+  tools/echo.tool.test.ts                       # Starter tests (one per echo definition)
+  resources/echo.resource.test.ts
+  prompts/echo.prompt.test.ts
 ```
 Add these as needed:
@@ -59,11 +79,24 @@ src/
 ## Scaffolded Echo Definitions
-The init creates echo definitions for tools, resources, and prompts. They're functional examples with inline comments explaining conventions. After init:
+The init creates five echo definitions plus matching starter tests:
-1. Clean up what you don't need. If your server has no prompts, the echo prompt definition and its registration in `src/index.ts` can go. Same for resources.
-2. Rename and replace what you keep. The echo definitions show the pattern — swap them out for your real tools/resources/prompts.
-3. Definitions register directly in `src/index.ts`. No barrel files, just import and add to the arrays.
+| File | Demonstrates |
+|:--|:--|
+| `echo.tool.ts` | Standard MCP tool: input/output Zod schemas, `handler`, `format` |
+| `echo-app.app-tool.ts` | MCP App tool — same as a tool, but emits a UI (`ui_app://` link) for clients that render MCP Apps |
+| `echo.resource.ts` | Standard MCP resource with a parameterised URI template |
+| `echo-app-ui.app-resource.ts` | UI resource served to MCP App clients; paired with `echo-app.app-tool.ts` |
+| `echo.prompt.ts` | Prompt template (pure message generator) |
+| `tests/**/echo.*.test.ts` | Starter tests using `createMockContext` — edit alongside the definitions |
+After init:
+1. **Clean up what you don't need.** If your server has no prompts, delete the echo prompt and its registration in `src/index.ts`. Same for resources, or the app-tool pair if you're not targeting UI-capable clients.
+2. **Rename and replace what you keep.** The echo definitions and their tests show the pattern — swap them out for your real tools/resources/prompts.
+3. **Definitions register directly in `src/index.ts`.** No barrel files, just import and add to the `tools` / `resources` / `prompts` arrays.
+See the `add-tool`, `add-app-tool`, `add-resource`, `add-prompt`, and `add-test` skills for the scaffolding patterns when you start adding real definitions.
 ## Conventions
@@ -71,7 +104,7 @@ The init creates echo definitions for tools, resources, and prompts. They're fun
 |:-----------|:-----|
 | File names | kebab-case |
 | Tool/resource/prompt names | snake_case, prefixed with server name (e.g. `tasks_fetch_list`) |
-| File suffixes | `.tool.ts`, `.resource.ts`, `.prompt.ts` |
+| File suffixes | `.tool.ts`, `.resource.ts`, `.prompt.ts`, `.app-tool.ts` (UI-enabled), `.app-resource.ts` (paired UI resource) |
 | Imports (framework) | `@cyanheads/mcp-ts-core` and subpaths |
 | Imports (server code) | `@/` path alias for `src/` |
@@ -97,6 +130,23 @@ After `bun install`, complete these one-time setup tasks:
 2. **Initialize git** — `git init && git add -A && git commit -m "chore: scaffold from @cyanheads/mcp-ts-core"`
 3. **Verify agent protocol placeholders** — if the `init` CLI was run without a `[name]` argument, `{{PACKAGE_NAME}}` may remain as a literal in `CLAUDE.md`/`AGENTS.md` and `package.json`. Replace it with the actual server name.
+## Changelog Convention
+`changelog/template.md` ships as a **format reference** — never edit, rename, or move it. For each release, author a per-version file at `changelog/<major.minor>.x/<version>.md` (e.g. `changelog/0.1.x/0.1.0.md`) with YAML frontmatter (`summary:` + optional `breaking:`) and grouped sections (Added / Changed / Fixed / Removed). Then regenerate the rollup with `bun run changelog:build` — `CHANGELOG.md` is an auto-generated navigation index, never hand-edited. See the `release-and-publish` skill for the full release flow.
+## Next Steps
+The included skills form a rough progression — not a rigid sequence, but the typical flow through a new server:
+1. **`design-mcp-server`** — map the domain into tools, resources, and services before writing any definitions
+2. **`add-tool`** / **`add-app-tool`** / **`add-resource`** / **`add-prompt`** / **`add-service`** — scaffold each piece as you go
+3. **`add-test`** — pair tests with each definition (or retrofit later)
+4. **`field-test`** — exercise the built surface with real and adversarial inputs; produces a report of issues and pain points
+5. **`polish-docs-meta`** — finalize README, metadata, and agent protocol before shipping
+6. **`maintenance`** — after `bun update --latest`, investigate upstream changelogs and re-sync skills
+Skip or reorder as the project calls for it. The agent protocol's "What's Next?" section is the authoritative map once the first session is over.
 ## Checklist
 - [ ] Agent protocol file selected — keep one authoritative file (`CLAUDE.md` or `AGENTS.md`)
@@ -106,4 +156,4 @@ After `bun install`, complete these one-time setup tasks:
 - [ ] Skills copied to agent directory (`cp -R skills/* .claude/skills/` or equivalent)
 - [ ] Project structure understood (definitions directories, entry point)
 - [ ] `bun run devcheck` passes
-- [ ] If new server: proceed to `design-mcp-server` skill to plan the tool surface
+- [ ] Next: if new server, move on to `design-mcp-server` to plan the tool surface

package/skills/release/SKILL.md DELETED Viewed

@@ -1,142 +0,0 @@
----
-name: release
-description: >
-  Verify release readiness and publish. The git wrapup protocol handles version bumps, changelog, README, commits, and tagging during the coding session. This skill verifies nothing was missed, runs final checks, and presents the irreversible publish commands.
-metadata:
-  author: cyanheads
-  version: "1.5"
-  audience: internal
-  type: workflow
----
-## Context
-By the time this skill runs, the git wrapup protocol should have already handled: changelog entry, version bumps, README updates, atomic commits, and an annotated tag. This skill is the **final verification gate** before irreversible publish commands. Its job is to catch anything the wrapup missed or got wrong — not to redo the work.
-## Steps
-### 1. Confirm the Target Version
-Read `package.json` to get the version. This is the source of truth. If the user hasn't decided on the bump level yet (patch/minor/major), ask now — but usually this was already set during wrapup.
-### 2. Verify Version Consistency
-The wrapup protocol bumps versions, but sometimes a file gets missed. **Search for the old version string** across the repo and verify the new version appears in all required locations:
-| File | What to Verify |
-|:-----|:---------------|
-| `package.json` | `version` field |
-| `server.json` | Root `version` + `version` in each `packages[]` entry (3 total) |
-| `CLAUDE.md` | Version in the header (`**Version:** X.Y.Z`) |
-| `README.md` | Version badge (`Version-X.Y.Z-blue`) and any other version references |
-| `templates/CLAUDE.md` | `**Version:** X.Y.Z` in the header |
-| `templates/AGENTS.md` | Same — these files are identical |
-Fix any mismatches. A grep for the **old** version is the fastest way to find stragglers.
-### 3. Finalize the Per-Version Changelog File
-The changelog is directory-based, grouped by minor series using the `.x` semver-wildcard convention: per-version files live at `changelog/<major.minor>.x/<version>.md` (e.g. `changelog/0.5.x/0.5.4.md`), and `CHANGELOG.md` is an auto-generated rollup (`bun run changelog:build`). `changelog/template.md` is a **pristine format reference** — never edited, never moved, never renamed. At release time, you're authoring (or finalizing) the per-version file for the version being shipped.
-Create or finalize `changelog/<series>/<version>.md`:
-1. Determine the series: `0.5.5` → `0.5.x/`. Create the directory if it doesn't exist: `mkdir -p changelog/<series>`
-2. If the file doesn't exist yet, scaffold it by copying the structure of `changelog/template.md` into the new path. Do **not** `git mv` or otherwise rename `template.md` itself — it stays where it is.
-3. Set the H1: `# <version> — <date>` (em-dash, ISO date)
-4. **Fill in the frontmatter** at the top of the file:
-   - `summary:` — one-line headline, ≤250 chars, no markdown. Write it like a GitHub Release title. Required.
-   - `breaking:` — set to `true` if this release requires consumer code changes (API removal, signature change, config rename). Defaults to `false`. Renders `· ⚠️ Breaking` in the rollup when true.
-5. Verify content:
-   - Sections grouped correctly (Added / Changed / Fixed / Removed)
-   - Accurately reflects what shipped — cross-reference with `git log` since the last tag
-   - If this release absorbed pre-release versions (e.g., `0.6.0-beta.1`), consolidate their entries as `##`/`###` sub-headers inside this file (they share this version's frontmatter — no separate files)
-   - **Issue/PR references use full URLs**, not bare `#NN`. GitHub's auto-link only renders inside its own UI; these files are read from `node_modules` too, where bare `#NN` is dead text. Use `[#38](https://github.com/<owner>/<repo>/issues/38)` (or `/pull/NN` for PRs). Only link numbers verified via `gh issue view NN` / `gh pr view NN` — never speculate on future numbers, since GitHub will happily resolve `#42` to whatever unrelated item already owns 42 and pull its title into timeline previews.
-6. Regenerate the rollup: `bun run changelog:build` — warnings about missing summaries are expected during the legacy-file backfill period but should not include this release
-Never hand-edit `CHANGELOG.md` — it's a build artifact. Devcheck's `Changelog Sync` step will fail if it drifts. Never edit `changelog/template.md` — it's the format reference, not a worksheet.
-### 4. Verify README.md
-Beyond the version badge, confirm:
-- Feature counts (tool count, resource count, etc.) match reality if the surface area changed
-- Descriptions and capability lists reflect new features
-- MCP SDK version badge is current if the dependency was bumped
-- Code examples still match current APIs
-### 5. Verify Skill Versions
-For any skills whose `SKILL.md` was modified in this release cycle, confirm `metadata.version` in their YAML frontmatter was bumped. This is how the `maintenance` skill detects updates — if the version didn't bump, consumers won't get the new content on `bun update`.
-### 6. Verify `docs/tree.md`
-If the file structure changed, regenerate and confirm it's current:
-```bash
-bun run tree
-```
-Skip if no structural changes occurred.
-### 7. Run Final Checks
-All must pass:
-```bash
-bun run devcheck
-bun run test
-bun run build
-```
-### 8. Verify Commit and Tag
-Confirm a clean release commit and annotated tag exist:
-- Commit message: `chore: release v{{VERSION}}`
-- Annotated tag: `v{{VERSION}}` with a concise summary of key changes
-If the wrapup created the commit and tag already, verify they're correct. If not, create them now.
-Tag message examples:
-```text
-v0.2.0: Cloudflare Workers support, task tools, Graph service
-v0.1.7: OTel instrumentation refactor, lighter semconv
-v0.1.6: Error factory functions, auto-classification patterns
-```
-### 9. Stop and Present Publish Commands
-The following commands are irreversible. Present them to the user for manual execution:
-```bash
-# Push commit and tag
-git push && git push --tags
-# Publish to npm
-bun publish --access public
-# Build and push Docker image
-docker buildx build --platform linux/amd64,linux/arm64 \
-  -t ghcr.io/cyanheads/mcp-ts-core:{{VERSION}} \
-  -t ghcr.io/cyanheads/mcp-ts-core:latest \
-  --push .
-# Publish MCP listing (if applicable)
-mcp-publisher publish
-```
-## Pre-Publish Checklist
-- [ ] Version consistent across all files (package.json, server.json ×3, CLAUDE.md, README.md, templates)
-- [ ] No stale old-version references found in repo
-- [ ] `changelog/<major.minor>.x/<version>.md` created/finalized with concrete version, date, and frontmatter; `CHANGELOG.md` regenerated via `bun run changelog:build`; `changelog/template.md` untouched
-- [ ] README.md current — feature counts, badges, descriptions, examples
-- [ ] Modified skill versions bumped in YAML frontmatter
-- [ ] `docs/tree.md` current (if structure changed)
-- [ ] `bun run devcheck` passes
-- [ ] `bun run test` passes
-- [ ] `bun run build` succeeds
-- [ ] Clean release commit exists
-- [ ] Annotated git tag exists with summary message
-- [ ] User presented with publish commands (push, npm, Docker, mcp-publisher)