npm - @delega-dev/mcp - Versions diffs - 1.0.5 → 1.0.7 - Mend

@delega-dev/mcp 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -34,9 +34,16 @@ Add to your MCP client config (e.g. Claude Desktop `claude_desktop_config.json`)
 |----------|---------|-------------|
 | `DELEGA_API_URL` | `http://127.0.0.1:18890` | Delega API endpoint |
 | `DELEGA_AGENT_KEY` | (none) | Agent API key for authenticated requests |
+| `DELEGA_REVEAL_AGENT_KEYS` | `0` | Set to `1` only if you want MCP tool output to print full agent API keys |
 For the hosted tier, use `https://api.delega.dev` as the URL.
+## Security Notes
+- Non-local `DELEGA_API_URL` values must use `https://`.
+- Agent keys are passed through environment variables rather than command-line arguments, which avoids process-list leakage.
+- MCP tool output redacts full agent API keys by default. Set `DELEGA_REVEAL_AGENT_KEYS=1` only when you explicitly want them printed back to the client.
 ## Tools
 | Tool | Description |

package/dist/index.js CHANGED Viewed

@@ -7,14 +7,22 @@ import { z } from "zod";
 // src/delega-client.ts
 var DEFAULT_BASE_URL = "http://127.0.0.1:18890";
+var LOCAL_API_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1"]);
+function normalizeBaseUrl(rawUrl) {
+  const parsed = new URL(rawUrl);
+  if (parsed.protocol !== "https:" && !LOCAL_API_HOSTS.has(parsed.hostname)) {
+    throw new Error("Delega API URL must use HTTPS unless it points to localhost");
+  }
+  return rawUrl.replace(/\/+$/, "");
+}
 var DelegaClient = class {
   baseUrl;
   agentKey;
   pathPrefix;
   constructor(baseUrl, agentKey) {
-    this.baseUrl = (baseUrl || DEFAULT_BASE_URL).replace(/\/+$/, "");
+    this.baseUrl = normalizeBaseUrl(baseUrl || DEFAULT_BASE_URL);
     this.agentKey = agentKey;
-    this.pathPrefix = this.baseUrl.includes("api.delega.dev") ? "/v1" : "/api";
+    this.pathPrefix = new URL(this.baseUrl).hostname === "api.delega.dev" ? "/v1" : "/api";
   }
   async request(method, path, body, query) {
     const url = new URL(path, this.baseUrl);
@@ -130,11 +138,21 @@ function formatTask(t) {
 function formatProject(p) {
   return `[#${p.id}] ${p.name}`;
 }
+function maskApiKey(key) {
+  if (key.length <= 12) return key;
+  return `${key.slice(0, 8)}...${key.slice(-4)}`;
+}
 function formatAgent(a) {
   const lines = [];
   lines.push(`[#${a.id}] ${a.name}${a.display_name ? ` (${a.display_name})` : ""}`);
   if (a.description) lines.push(`  Description: ${a.description}`);
-  if (a.api_key) lines.push(`  API Key: ${a.api_key}`);
+  if (a.api_key) {
+    if (process.env.DELEGA_REVEAL_AGENT_KEYS === "1") {
+      lines.push(`  API Key: ${a.api_key}`);
+    } else {
+      lines.push(`  API Key Preview: ${maskApiKey(a.api_key)}`);
+    }
+  }
   if (a.permissions?.length) lines.push(`  Permissions: ${a.permissions.join(", ")}`);
   if (a.active !== void 0) lines.push(`  Active: ${a.active ? "yes" : "no"}`);
   return lines.join("\n");
@@ -169,7 +187,7 @@ server.tool(
   "get_task",
   "Get full details of a specific task including subtasks",
   {
-    task_id: z.number().int().describe("The task ID")
+    task_id: z.union([z.string(), z.number()]).describe("The task ID (use the ID from list_tasks, e.g. '3a7d...')")
   },
   async ({ task_id }) => {
     try {
@@ -208,7 +226,7 @@ server.tool(
   "update_task",
   "Update an existing task's fields",
   {
-    task_id: z.number().int().describe("The task ID to update"),
+    task_id: z.union([z.string(), z.number()]).describe("The task ID to update"),
     content: z.string().optional().describe("New task title / content"),
     description: z.string().optional().describe("New description"),
     labels: z.array(z.string()).optional().describe("New labels"),
@@ -233,7 +251,7 @@ server.tool(
   "complete_task",
   "Mark a task as completed",
   {
-    task_id: z.number().int().describe("The task ID to complete")
+    task_id: z.union([z.string(), z.number()]).describe("The task ID to complete")
   },
   async ({ task_id }) => {
     try {
@@ -253,7 +271,7 @@ server.tool(
   "delete_task",
   "Delete a task permanently",
   {
-    task_id: z.number().int().describe("The task ID to delete")
+    task_id: z.union([z.string(), z.number()]).describe("The task ID to delete")
   },
   async ({ task_id }) => {
     try {
@@ -270,7 +288,7 @@ server.tool(
   "add_comment",
   "Add a comment to a task",
   {
-    task_id: z.number().int().describe("The task ID to comment on"),
+    task_id: z.union([z.string(), z.number()]).describe("The task ID to comment on"),
     content: z.string().describe("Comment text"),
     author: z.string().optional().describe("Comment author name")
   },
@@ -361,12 +379,11 @@ server.tool(
   async (params) => {
     try {
       const agent = await client.registerAgent(params);
+      const warning = process.env.DELEGA_REVEAL_AGENT_KEYS === "1" ? "\n\n\u26A0\uFE0F Save the API key \u2014 it won't be shown again." : "\n\nAPI keys are redacted by default in MCP output. Set DELEGA_REVEAL_AGENT_KEYS=1 to reveal them.";
       return {
         content: [{ type: "text", text: `Agent registered:
-${formatAgent(agent)}
-\u26A0\uFE0F Save the API key \u2014 it won't be shown again.` }]
+${formatAgent(agent)}${warning}` }]
       };
     } catch (e) {
       return { content: [{ type: "text", text: `Error: ${e.message}` }], isError: true };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@delega-dev/mcp",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "mcpName": "io.github.delega-dev/delega",
   "description": "MCP server for Delega — task infrastructure for AI agents",
   "type": "module",