@geanatz/cortex-mcp 5.0.1 → 5.0.3

package/README.md

@@ -9,6 +9,7 @@ An MCP (Model Context Protocol) server for managing task-based workflows with ar
 - **File-Based Storage** - All data stored in `.cortex/` directory with no database required
 - **In-Memory Caching** - High-performance caching layer with TTL for frequently accessed tasks
 - **Structured Logging** - Comprehensive logging with configurable levels
+- **Production Ready** - Path traversal protection, input validation, size limits, error handling
 
 ## Installation
 
@@ -84,10 +85,10 @@ Or for global mode:
 ```
 Tool: create_task
 Parameters:
-  - workingDirectory: path where tasks are stored
-  - details: task description (generates task ID)
+  - workingDirectory: path where tasks are stored (absolute path, required)
+  - details: task description (generates task ID), max 2000 characters
   - status (optional): pending | in_progress | done
-  - tags (optional): categorization tags
+  - tags (optional): categorization tags, max 20 tags, max 50 chars each
 ```
 
 ### Managing Subtasks
@@ -101,6 +102,7 @@ Parameters:
   - addSubtask: { details: "Subtask description", status: "pending" }
   - updateSubtask: { id: "1", status: "done" }
   - removeSubtaskId: "1"
+  - actualHours (optional): number, max 10000 hours
 ```
 
 ### Managing Artifacts
@@ -115,11 +117,12 @@ Each task can have artifacts for 5 phases:
 ```
 Tools: create_{phase}, update_{phase}, delete_{phase}
 Parameters:
-  - workingDirectory: project directory
+  - workingDirectory: project directory (absolute path)
   - taskId: which task to attach artifact to
-  - content: markdown content
+  - content: markdown content, max 10MB
   - status: pending | in-progress | completed | failed | skipped
-  - retries, error: optional metadata
+  - retries (optional): integer, max 100
+  - error (optional): error message, max 10,000 characters
 ```
 
 ## Storage Format
@@ -166,12 +169,12 @@ Tasks are stored in `.cortex/tasks/{number}-{slug}/` directories:
 ```typescript
 interface Task {
   id: string;                    // Task ID (e.g., "001-implement-auth")
-  details: string;               // Full task description
+  details: string;               // Full task description (max 2000 chars)
   status: 'pending' | 'in_progress' | 'done';
   createdAt: string;             // ISO 8601 timestamp
   updatedAt: string;             // Last modification timestamp
-  tags?: string[];               // Categorization tags
-  actualHours?: number;          // Time tracking
+  tags?: string[];               // Categorization tags (max 20, max 50 chars each)
+  actualHours?: number;          // Time tracking (max 10000 hours)
   subtasks: Subtask[];           // Array of subtasks
 }
 ```
@@ -180,7 +183,7 @@ interface Task {
 ```typescript
 interface Subtask {
   id: string;                    // Simple ID ("1", "2", etc.)
-  details: string;               // Subtask description
+  details: string;               // Subtask description (max 1000 chars)
   status: 'pending' | 'in_progress' | 'done';
 }
 ```
@@ -193,10 +196,10 @@ interface Artifact {
     status: 'pending' | 'in-progress' | 'completed' | 'failed' | 'skipped';
     createdAt: string;            // ISO 8601
     updatedAt: string;            // ISO 8601
-    retries?: number;             // Attempt count
-    error?: string;               // Error message if status=failed
+    retries?: number;             // Attempt count (max 100)
+    error?: string;               // Error message (max 10000 chars)
   }
-  content: string;               // Markdown content
+  content: string;               // Markdown content (max 10MB)
 }
 ```
 
@@ -234,9 +237,41 @@ interface Artifact {
 ### Command-Line Flags
 - `--claude` - Use global directory mode (~/.cortex/)
 
+### Security Considerations
+
+This server implements several security measures:
+
+1. **Path Traversal Protection**: All paths are validated to prevent `../` sequences and directory escape
+2. **Input Validation**: All inputs are validated using Zod schemas with strict limits
+3. **Size Limits**: 
+   - Task details: max 2000 characters
+   - Artifact content: max 10MB
+   - Tags: max 20 tags, max 50 characters each
+   - Error messages: max 10,000 characters
+4. **Working Directory Validation**: Must be absolute paths without traversal sequences
+5. **Atomic File Writes**: Uses temp files and atomic rename to prevent data corruption
+6. **Safe Error Messages**: Internal paths are not exposed in error messages
+
+### Validation Limits
+
+| Field | Limit |
+|-------|-------|
+| Task ID | 100 characters |
+| Task details | 2000 characters |
+| Subtask details | 1000 characters |
+| Tags | 20 tags max, 50 chars each |
+| Actual hours | Max 10,000 |
+| Artifact content | 10MB max |
+| Error messages | 10,000 characters max |
+| Retries | Max 100 |
+| Working directory path | 4096 characters max |
+
 ## Development
 
 ```bash
+# Install dependencies
+npm install
+
 # Build TypeScript
 npm run build
 
@@ -258,15 +293,45 @@ npm start
 - **No circular dependencies** - Easy to understand data flow
 - **Abstract storage** - File-based implementation, easily extensible
 - **MCP-compliant** - Full compliance with Model Context Protocol specification
+- **Security-first** - Path validation, input sanitization, size limits
+
+## Error Handling
+
+The server uses a comprehensive error handling strategy:
+
+- **AppError hierarchy** - Typed errors with context
+- **Zod validation** - Schema validation at the boundary
+- **Graceful degradation** - Continues operating on non-fatal errors
+- **Structured logging** - All errors logged with context to stderr
+- **Safe shutdown** - SIGINT/SIGTERM handlers for graceful exit
+
+## Troubleshooting
+
+### Connection closed errors
+- Check that the working directory exists and is accessible
+- Verify the working directory is an absolute path
+- Ensure no path traversal sequences (../) in workingDirectory
+
+### Permission denied errors
+- Verify write permissions to the working directory
+- Check if the .cortex directory is owned by the current user
+
+### Storage not initializing
+- Ensure the path is an absolute path (not relative)
+- Check that parent directories exist and are writable
 
 ## Version
 
-Current version: **5.0.0**
+Current version: **5.0.2**
 
-- v5.0.0: Simplified model - subtasks stored inline, removed dependencies, removed move_task
-- v4.0.0: Complete refactor with artifact support and optimized build
-- v3.x: Legacy memory features (deprecated)
-- v1.x: Initial implementation
+### Changelog
+
+- **v5.0.2**: Security hardening - path traversal protection, input validation, size limits
+- **v5.0.1**: Added error handlers for connection stability
+- **v5.0.0**: Simplified model - subtasks stored inline, removed dependencies, removed move_task
+- **v4.0.0**: Complete refactor with artifact support and optimized build
+- **v3.x**: Legacy memory features (deprecated)
+- **v1.x**: Initial implementation
 
 ## License
 
@@ -278,4 +343,16 @@ Geanatz
 
 ## Contributing
 
-Contributions welcome!
+Contributions welcome! Please ensure:
+- Code follows existing patterns
+- All inputs are validated
+- Security considerations are addressed
+- Tests pass (when test suite is added)
+
+## Security
+
+For security issues, please email directly rather than opening a public issue.
+
+### Reporting Vulnerabilities
+
+If you discover a security vulnerability, please report it responsibly by contacting the maintainer directly.

package/dist/features/task-management/tools/artifacts/index.js

@@ -4,7 +4,7 @@ import { createErrorResponse } from '../../../../utils/response-builder.js';
 import { createLogger } from '../../../../utils/logger.js';
 import { ARTIFACT_PHASES, OPERATION_DESCRIPTIONS, PHASE_DESCRIPTIONS } from '../../models/artifact.js';
 import { withErrorHandling } from '../../tools/base/handlers.js';
-import { workingDirectorySchema, taskIdSchema } from '../../tools/base/schemas.js';
+import { createWorkingDirectorySchema, taskIdSchema, artifactContentSchema, artifactErrorSchema, retriesSchema } from '../../tools/base/schemas.js';
 const logger = createLogger('artifact-tools');
 function createCreateHandler(phase, config, createStorage) {
     return async (params) => {
@@ -131,7 +131,7 @@ function createDeleteHandler(phase, config, createStorage) {
 }
 export function createArtifactTools(config, createStorage) {
     const tools = [];
-    const wdSchema = workingDirectorySchema.describe(getWorkingDirectoryDescription(config));
+    const wdSchema = createWorkingDirectorySchema(getWorkingDirectoryDescription(config));
     for (const phase of ARTIFACT_PHASES) {
         tools.push({
             name: `create_${phase}`,
@@ -139,10 +139,10 @@ export function createArtifactTools(config, createStorage) {
             parameters: {
                 workingDirectory: wdSchema,
                 taskId: taskIdSchema.describe('The ID of the task to create the artifact for'),
-                content: z.string().describe(`Markdown content for the ${phase} artifact. ${PHASE_DESCRIPTIONS[phase]}`),
+                content: artifactContentSchema.describe(`Markdown content for the ${phase} artifact. ${PHASE_DESCRIPTIONS[phase]}`),
                 status: z.enum(['pending', 'in-progress', 'completed', 'failed', 'skipped']).optional().describe('Status of this phase (defaults to "completed")'),
-                retries: z.number().min(0).optional().describe('Number of retry attempts for this phase'),
-                error: z.string().optional().describe('Error message if status is "failed"')
+                retries: retriesSchema.optional().describe('Number of retry attempts for this phase'),
+                error: artifactErrorSchema.optional().describe('Error message if status is "failed"')
             },
             handler: withErrorHandling(createCreateHandler(phase, config, createStorage))
         });
@@ -152,10 +152,10 @@ export function createArtifactTools(config, createStorage) {
             parameters: {
                 workingDirectory: wdSchema,
                 taskId: taskIdSchema.describe('The ID of the task to update the artifact for'),
-                content: z.string().optional().describe(`Updated markdown content for the ${phase} artifact`),
+                content: artifactContentSchema.optional().describe(`Updated markdown content for the ${phase} artifact`),
                 status: z.enum(['pending', 'in-progress', 'completed', 'failed', 'skipped']).optional().describe('Updated status of this phase'),
-                retries: z.number().min(0).optional().describe('Updated number of retry attempts'),
-                error: z.string().optional().describe('Updated error message')
+                retries: retriesSchema.optional().describe('Updated number of retry attempts'),
+                error: artifactErrorSchema.optional().describe('Updated error message')
             },
             handler: withErrorHandling(createUpdateHandler(phase, config, createStorage))
         });

package/dist/features/task-management/tools/base/schemas.d.ts

@@ -1,3 +1,35 @@
 import { z } from 'zod';
-export declare const workingDirectorySchema: z.ZodString;
+export declare function createWorkingDirectorySchema(description?: string): z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+export declare const workingDirectorySchema: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
+/**
+ * Task ID schema
+ */
 export declare const taskIdSchema: z.ZodString;
+/**
+ * Task details schema
+ */
+export declare const taskDetailsSchema: z.ZodString;
+/**
+ * Subtask details schema
+ */
+export declare const subtaskDetailsSchema: z.ZodString;
+/**
+ * Tags schema
+ */
+export declare const tagsSchema: z.ZodArray<z.ZodString, "many">;
+/**
+ * Actual hours schema
+ */
+export declare const actualHoursSchema: z.ZodNumber;
+/**
+ * Artifact content schema
+ */
+export declare const artifactContentSchema: z.ZodEffects<z.ZodString, string, string>;
+/**
+ * Artifact error schema
+ */
+export declare const artifactErrorSchema: z.ZodString;
+/**
+ * Retries schema
+ */
+export declare const retriesSchema: z.ZodNumber;

package/dist/features/task-management/tools/base/schemas.js

@@ -1,6 +1,79 @@
 import { z } from 'zod';
 import { ValidationLimits } from '../../../../utils/validation.js';
-export const workingDirectorySchema = z.string().min(1, 'Working directory is required');
+import { validateWorkingDirectory, containsPathTraversal } from '../../../../utils/path-security.js';
+// Base schemas without descriptions (for internal use)
+const baseWorkingDirectorySchema = z.string()
+    .min(1, 'Working directory is required')
+    .max(ValidationLimits.MAX_WORKING_DIRECTORY_LENGTH, 'Working directory path is too long')
+    .refine((path) => !containsPathTraversal(path), 'Working directory cannot contain path traversal sequences (..)')
+    .refine((path) => {
+    try {
+        validateWorkingDirectory(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}, 'Working directory must be an absolute path without traversal sequences');
+// Export schema builder function
+export function createWorkingDirectorySchema(description) {
+    if (description) {
+        return baseWorkingDirectorySchema.describe(description);
+    }
+    return baseWorkingDirectorySchema;
+}
+// For backward compatibility
+export const workingDirectorySchema = baseWorkingDirectorySchema;
+/**
+ * Task ID schema
+ */
 export const taskIdSchema = z.string()
     .min(1, 'Task ID is required')
-    .max(ValidationLimits.TASK_ID_MAX_LENGTH);
+    .max(ValidationLimits.TASK_ID_MAX_LENGTH, `Task ID must be ${ValidationLimits.TASK_ID_MAX_LENGTH} characters or less`);
+/**
+ * Task details schema
+ */
+export const taskDetailsSchema = z.string()
+    .min(ValidationLimits.TASK_DETAILS_MIN_LENGTH, 'Task details cannot be empty')
+    .max(ValidationLimits.TASK_DETAILS_MAX_LENGTH, `Task details must be ${ValidationLimits.TASK_DETAILS_MAX_LENGTH} characters or less`);
+/**
+ * Subtask details schema
+ */
+export const subtaskDetailsSchema = z.string()
+    .min(1, 'Subtask details cannot be empty')
+    .max(ValidationLimits.SUBTASK_DETAILS_MAX_LENGTH, `Subtask details must be ${ValidationLimits.SUBTASK_DETAILS_MAX_LENGTH} characters or less`);
+/**
+ * Tags schema
+ */
+export const tagsSchema = z.array(z.string()
+    .min(ValidationLimits.TAG_MIN_LENGTH, 'Tag cannot be empty')
+    .max(ValidationLimits.TAG_MAX_LENGTH, `Tag must be ${ValidationLimits.TAG_MAX_LENGTH} characters or less`))
+    .max(ValidationLimits.MAX_TAGS, `Cannot have more than ${ValidationLimits.MAX_TAGS} tags`);
+/**
+ * Actual hours schema
+ */
+export const actualHoursSchema = z.number()
+    .min(0, 'Actual hours cannot be negative')
+    .max(ValidationLimits.MAX_ACTUAL_HOURS, `Actual hours cannot exceed ${ValidationLimits.MAX_ACTUAL_HOURS}`)
+    .finite('Actual hours must be a finite number');
+/**
+ * Artifact content schema
+ */
+export const artifactContentSchema = z.string()
+    .min(1, 'Content cannot be empty')
+    .refine((content) => {
+    const byteLength = Buffer.byteLength(content, 'utf-8');
+    return byteLength <= ValidationLimits.ARTIFACT_CONTENT_MAX_LENGTH;
+}, `Content exceeds maximum size of ${ValidationLimits.ARTIFACT_CONTENT_MAX_LENGTH} bytes (10MB)`);
+/**
+ * Artifact error schema
+ */
+export const artifactErrorSchema = z.string()
+    .max(ValidationLimits.ARTIFACT_ERROR_MAX_LENGTH, `Error message cannot exceed ${ValidationLimits.ARTIFACT_ERROR_MAX_LENGTH} characters`);
+/**
+ * Retries schema
+ */
+export const retriesSchema = z.number()
+    .int('Retries must be an integer')
+    .min(0, 'Retries cannot be negative')
+    .max(ValidationLimits.MAX_RETRIES, `Retries cannot exceed ${ValidationLimits.MAX_RETRIES}`);

package/dist/features/task-management/tools/tasks/index.js

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { ARTIFACT_PHASES } from '../../models/artifact.js';
 import { withErrorHandling } from '../base/handlers.js';
-import { workingDirectorySchema } from '../base/schemas.js';
+import { createWorkingDirectorySchema } from '../base/schemas.js';
 import { getWorkingDirectoryDescription } from '../../../../utils/storage-config.js';
 import { createLogger } from '../../../../utils/logger.js';
 const logger = createLogger('task-tools');
@@ -43,7 +43,7 @@ function countDoneSubtasks(task) {
  * Each tool creates its own storage instance per-call using the provided factory.
  */
 export function createTaskTools(config, createStorage) {
-    const wdSchema = workingDirectorySchema.describe(getWorkingDirectoryDescription(config));
+    const wdSchema = createWorkingDirectorySchema(getWorkingDirectoryDescription(config));
     return [
         createListTasksTool(wdSchema, config, createStorage),
         createCreateTaskTool(wdSchema, config, createStorage),

package/dist/utils/index.d.ts

@@ -10,3 +10,4 @@ export * from './response-builder.js';
 export * from './cache.js';
 export * from './logger.js';
 export * from './version.js';
+export * from './path-security.js';

package/dist/utils/index.js

@@ -10,3 +10,4 @@ export * from './response-builder.js';
 export * from './cache.js';
 export * from './logger.js';
 export * from './version.js';
+export * from './path-security.js';

package/dist/utils/path-security.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Secure path utilities to prevent path traversal attacks
+ */
+/**
+ * Validate that a path doesn't contain traversal sequences
+ * Blocks paths containing .. or null bytes
+ */
+export declare function containsPathTraversal(filePath: string): boolean;
+/**
+ * Securely resolve a path within a base directory
+ * Throws if the resolved path escapes the base directory
+ *
+ * @param baseDir - The allowed base directory
+ * @param targetPath - The path to resolve (can be relative)
+ * @returns The resolved path (guaranteed to be within baseDir)
+ * @throws Error if path escapes baseDir
+ */
+export declare function resolveSecurePath(baseDir: string, targetPath: string): string;
+/**
+ * Validate that a working directory path is safe
+ * - Must be absolute
+ * - Must not contain traversal sequences
+ * - Must not be empty
+ *
+ * @param workingDirectory - The path to validate
+ * @returns Normalized absolute path
+ * @throws Error if path is invalid
+ */
+export declare function validateWorkingDirectory(workingDirectory: string): string;

package/dist/utils/path-security.js

@@ -0,0 +1,74 @@
+/**
+ * Secure path utilities to prevent path traversal attacks
+ */
+import { resolve, normalize, sep } from 'path';
+/**
+ * Validate that a path doesn't contain traversal sequences
+ * Blocks paths containing .. or null bytes
+ */
+export function containsPathTraversal(filePath) {
+    // Check for null bytes (null byte injection)
+    if (filePath.includes('\0')) {
+        return true;
+    }
+    // Normalize the path and check if it contains parent directory references
+    const normalized = normalize(filePath);
+    // Check for .. components in the path
+    const parts = normalized.split(sep);
+    return parts.some(part => part === '..');
+}
+/**
+ * Securely resolve a path within a base directory
+ * Throws if the resolved path escapes the base directory
+ *
+ * @param baseDir - The allowed base directory
+ * @param targetPath - The path to resolve (can be relative)
+ * @returns The resolved path (guaranteed to be within baseDir)
+ * @throws Error if path escapes baseDir
+ */
+export function resolveSecurePath(baseDir, targetPath) {
+    // Reject paths with traversal attempts
+    if (containsPathTraversal(targetPath)) {
+        throw new Error(`Path traversal detected: ${targetPath}`);
+    }
+    // Resolve the path
+    const resolvedPath = resolve(baseDir, targetPath);
+    const resolvedBase = resolve(baseDir);
+    // Ensure the resolved path is within the base directory
+    // Add trailing separator to base to prevent partial matches
+    const baseWithSep = resolvedBase.endsWith(sep) ? resolvedBase : resolvedBase + sep;
+    if (!resolvedPath.startsWith(baseWithSep) && resolvedPath !== resolvedBase) {
+        throw new Error(`Path escapes base directory: ${targetPath}`);
+    }
+    return resolvedPath;
+}
+/**
+ * Validate that a working directory path is safe
+ * - Must be absolute
+ * - Must not contain traversal sequences
+ * - Must not be empty
+ *
+ * @param workingDirectory - The path to validate
+ * @returns Normalized absolute path
+ * @throws Error if path is invalid
+ */
+export function validateWorkingDirectory(workingDirectory) {
+    if (!workingDirectory || workingDirectory.trim().length === 0) {
+        throw new Error('Working directory is required');
+    }
+    // Check for traversal sequences
+    if (containsPathTraversal(workingDirectory)) {
+        throw new Error('Working directory cannot contain path traversal sequences (..)');
+    }
+    const normalized = normalize(workingDirectory);
+    // On Windows, check for absolute path (starts with drive letter or \\)
+    // On Unix, check for absolute path (starts with /)
+    const isWindows = process.platform === 'win32';
+    const isAbsolute = isWindows
+        ? /^[a-zA-Z]:[\\/]|^\\\\/.test(normalized)
+        : normalized.startsWith('/');
+    if (!isAbsolute) {
+        throw new Error('Working directory must be an absolute path');
+    }
+    return normalized;
+}

package/dist/utils/validation.d.ts

@@ -6,4 +6,23 @@ export declare const ValidationLimits: {
     readonly MAX_TAGS: 20;
     readonly MAX_DEPENDENCIES: 50;
     readonly TASK_ID_MAX_LENGTH: 100;
+    readonly ARTIFACT_CONTENT_MAX_LENGTH: number;
+    readonly ARTIFACT_ERROR_MAX_LENGTH: 10000;
+    readonly SUBTASK_DETAILS_MAX_LENGTH: 1000;
+    readonly MAX_ACTUAL_HOURS: 10000;
+    readonly MAX_RETRIES: 100;
+    readonly MAX_WORKING_DIRECTORY_LENGTH: 4096;
+    readonly MAX_CACHE_ENTRY_SIZE: number;
 };
+/**
+ * Validate that a number is within safe integer range
+ */
+export declare function isSafeNumber(value: number): boolean;
+/**
+ * Validate hours value
+ */
+export declare function validateHours(value: number): boolean;
+/**
+ * Validate content size
+ */
+export declare function validateContentSize(content: string, maxSize: number): boolean;

package/dist/utils/validation.js

@@ -1,9 +1,50 @@
 export const ValidationLimits = {
+    // Task fields
     TASK_DETAILS_MAX_LENGTH: 2000,
     TASK_DETAILS_MIN_LENGTH: 1,
+    // Tags
     TAG_MAX_LENGTH: 50,
     TAG_MIN_LENGTH: 1,
     MAX_TAGS: 20,
+    // Dependencies (not used in simplified model but kept for compatibility)
     MAX_DEPENDENCIES: 50,
+    // Task ID
     TASK_ID_MAX_LENGTH: 100,
+    // Artifact content - prevent DoS via huge content
+    ARTIFACT_CONTENT_MAX_LENGTH: 10 * 1024 * 1024, // 10MB max
+    ARTIFACT_ERROR_MAX_LENGTH: 10000, // 10KB max for error messages
+    // Subtask details
+    SUBTASK_DETAILS_MAX_LENGTH: 1000,
+    // Time tracking
+    MAX_ACTUAL_HOURS: 10000, // Max 10,000 hours (reasonable limit)
+    // Retry attempts
+    MAX_RETRIES: 100, // Reasonable max for retry attempts
+    // Working directory
+    MAX_WORKING_DIRECTORY_LENGTH: 4096, // Max path length on most systems
+    // Cache
+    MAX_CACHE_ENTRY_SIZE: 1024 * 1024, // 1MB max per cache entry
 };
+/**
+ * Validate that a number is within safe integer range
+ */
+export function isSafeNumber(value) {
+    return Number.isFinite(value) &&
+        value >= Number.MIN_SAFE_INTEGER &&
+        value <= Number.MAX_SAFE_INTEGER;
+}
+/**
+ * Validate hours value
+ */
+export function validateHours(value) {
+    return isSafeNumber(value) &&
+        value >= 0 &&
+        value <= ValidationLimits.MAX_ACTUAL_HOURS;
+}
+/**
+ * Validate content size
+ */
+export function validateContentSize(content, maxSize) {
+    // Use Buffer to get accurate byte length for unicode
+    const byteLength = Buffer.byteLength(content, 'utf-8');
+    return byteLength <= maxSize;
+}

package/dist/utils/version.js

@@ -26,10 +26,10 @@ export function getVersion() {
                 continue;
             }
         }
-        return '5.0.0'; // Fallback version — keep in sync with package.json
+        return '5.0.2'; // Fallback version — keep in sync with package.json
     }
     catch {
-        return '5.0.0'; // Fallback version — keep in sync with package.json
+        return '5.0.2'; // Fallback version — keep in sync with package.json
     }
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geanatz/cortex-mcp",
-  "version": "5.0.1",
+  "version": "5.0.3",
   "description": "An MCP server for task-based orchestration workflows with phase artifacts for agentic development",
   "main": "dist/index.js",
   "type": "module",
@@ -11,7 +11,9 @@
     "build": "tsc",
     "dev": "tsc --watch",
     "start": "node dist/index.js",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "test": "echo \"No tests specified\" && exit 0",
+    "lint": "echo \"No linter configured\" && exit 0"
   },
   "keywords": [
     "mcp",
@@ -22,7 +24,9 @@
     "file-storage",
     "productivity",
     "ai-tools",
-    "opencode"
+    "opencode",
+    "claude",
+    "cursor"
   ],
   "author": "Geanatz",
   "license": "MIT",
@@ -39,8 +43,12 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/geanatz/cortex-mcp.git"
+    "url": "git+https://github.com/geanatz/cortex-mcp.git"
   },
+  "bugs": {
+    "url": "https://github.com/geanatz/cortex-mcp/issues"
+  },
+  "homepage": "https://github.com/geanatz/cortex-mcp#readme",
   "files": [
     "dist/**/*",
     "!dist/.tsbuildinfo",