@luanpdd/kit-mcp 1.12.1 → 1.13.0

package/README.md

@@ -28,9 +28,9 @@ Inspired by [vinilana/dotcontext](https://github.com/vinilana/dotcontext) — se
 ```
 kit-mcp/
 ├── kit/                        ← bundled brownfield workflow (PT-BR)
-│   ├── agents/                 19 agents (planner, executor, verifier, debugger,
+│   ├── agents/                 47 agents (planner, executor, verifier, debugger,
 │   │                                      ui-auditor, codebase-mapper, …)
-│   ├── commands/               60 slash-commands (/novo-marco, /planejar-fase,
+│   ├── commands/               87 slash-commands (/novo-marco, /planejar-fase,
 │   │                                              /executar-fase, /publicar, …)
 │   ├── framework/              workflows + templates + bin libs the agents use
 │   ├── hooks/                  workflow guards, prompt guards, statusline
@@ -59,7 +59,7 @@ kit-mcp/
 
 ### About the bundled workflow
 
-The bundled `kit/` is an opinionated **brownfield planning workflow** in Portuguese — milestones, phases, requirements, planning, execution with atomic commits and checkpoints, retrospective auditing. Installing `@luanpdd/kit-mcp` and syncing into your IDE gives you all 60+ slash-commands, 24+ agents, plus the framework templates that they delegate into.
+The bundled `kit/` is an opinionated **brownfield planning workflow** in Portuguese — milestones, phases, requirements, planning, execution with atomic commits and checkpoints, retrospective auditing. Installing `@luanpdd/kit-mcp` and syncing into your IDE gives you all 87+ slash-commands, 47+ agents, plus the framework templates that they delegate into.
 
 If that's not what you want, point `--kit-root` at your own folder and ignore everything under `kit/` — the infrastructure (registry, sync, gates, forensics, MCP server) works the same regardless of what kit you load.
 
@@ -175,8 +175,8 @@ A production engineering layer derived from *Site Reliability Engineering: How G
 
 ```bash
 # Browse what's bundled
-npx -y @luanpdd/kit-mcp kit list-agents     # 19 agents
-npx -y @luanpdd/kit-mcp kit list-commands   # 60 commands
+npx -y @luanpdd/kit-mcp kit list-agents     # 47 agents
+npx -y @luanpdd/kit-mcp kit list-commands   # 87 commands
 npx -y @luanpdd/kit-mcp sync targets        # supported IDEs
 
 # Install into your project for Claude Code
@@ -239,9 +239,9 @@ In non-TTY mode (pipes, CI), animations degrade to linear status lines automatic
 ### `kit kit ...` — browse the kit
 
 ```bash
-kit kit list-agents               # 19 agents (bundled workflow)
-kit kit list-commands             # 60 commands (bundled workflow)
-kit kit list-skills               # 1 skill (example only — bring your own)
+kit kit list-agents               # 47 agents (bundled workflow)
+kit kit list-commands             # 87 commands (bundled workflow)
+kit kit list-skills               # 49 skills (bundled workflow)
 kit kit get agent planner
 kit kit search "milestone"        # fuzzy match across all kinds
 ```
@@ -627,9 +627,9 @@ npm run test:all          # both
 Plus the original quick smokes:
 
 ```bash
-node bin/cli.js kit list-agents | head -5         # 19 bundled agents
+node bin/cli.js kit list-agents | head -5         # 47 bundled agents
 node bin/cli.js sync targets                      # 8 IDEs
-node bin/cli.js gates list                        # 5 gates
+node bin/cli.js gates list                        # 20 gates
 node bin/cli.js install dry-run claude-code --via npx
 ```
 

package/kit/agents/codebase-mapper.md

@@ -3,12 +3,6 @@ name: codebase-mapper
 description: Explora a codebase e escreve docs de análise estruturados. Invocado por /mapear-codebase com foco (tech, arch, quality, concerns). Reduz carga de contexto do orquestrador.
 tools: Read, Bash, Grep, Glob, Write
 color: cyan
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/debugger.md

@@ -4,12 +4,6 @@ description: Investiga bugs usando método científico, gerencia sessões de deb
 tools: Read, Write, Edit, Bash, Grep, Glob, WebSearch
 permissionMode: acceptEdits
 color: orange
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/executor.md

@@ -4,12 +4,6 @@ description: Executa planos framework com commits atômicos, tratamento de desvi
 tools: Read, Write, Edit, Bash, Grep, Glob
 permissionMode: acceptEdits
 color: yellow
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/phase-researcher.md

@@ -3,12 +3,6 @@ name: phase-researcher
 description: Pesquisa como implementar uma fase antes do planejamento. Produz RESEARCH.md consumido pelo planner. Invocado pelo orquestrador /planejar-fase.
 tools: Read, Write, Bash, Grep, Glob, WebSearch, WebFetch, mcp__context7__*, mcp__firecrawl__*, mcp__exa__*
 color: cyan
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/planner.md

@@ -3,12 +3,6 @@ name: planner
 description: Cria planos de fase executáveis com decomposição de tarefas, análise de dependências e verificação orientada a objetivos. Acionado pelo orquestrador /planejar-fase.
 tools: Read, Write, Bash, Glob, Grep, WebFetch, mcp__context7__*
 color: green
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/project-researcher.md

@@ -3,12 +3,6 @@ name: project-researcher
 description: Pesquisa ecossistema do domínio antes do roadmap. Produz arquivos em .planning/research/ consumidos pelo roadmapper. Invocado por /novo-projeto ou /novo-marco.
 tools: Read, Write, Bash, Grep, Glob, WebSearch, WebFetch, mcp__context7__*, mcp__firecrawl__*, mcp__exa__*
 color: cyan
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/research-synthesizer.md

@@ -3,12 +3,6 @@ name: research-synthesizer
 description: Sintetiza outputs de agentes pesquisadores paralelos em SUMMARY.md. Invocado por /novo-projeto após 4 agentes pesquisadores concluírem.
 tools: Read, Write, Bash
 color: purple
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/roadmapper.md

@@ -3,12 +3,6 @@ name: roadmapper
 description: Cria roadmaps de projeto com divisão de fases, mapeamento de requisitos, derivação de critérios de sucesso e validação de cobertura. Invocado pelo orquestrador /novo-projeto.
 tools: Read, Write, Bash, Glob, Grep
 color: purple
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/ui-auditor.md

@@ -3,12 +3,6 @@ name: ui-auditor
 description: Auditoria visual retroativa de 6 pilares do código frontend implementado. Produz UI-REVIEW.md pontuado. Invocado pelo orquestrador /revisar-ui.
 tools: Read, Write, Bash, Grep, Glob
 color: "#F472B6"
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/ui-researcher.md

@@ -3,12 +3,6 @@ name: ui-researcher
 description: Produz contrato de design UI-SPEC.md para fases frontend. Lê artefatos upstream, detecta estado do sistema de design, faz apenas perguntas não respondidas. Invocado pelo orquestrador /fase-ui.
 tools: Read, Write, Bash, Grep, Glob, WebSearch, WebFetch, mcp__context7__*, mcp__firecrawl__*, mcp__exa__*
 color: "#E879F9"
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/agents/verifier.md

@@ -3,12 +3,6 @@ name: verifier
 description: Verifica atingimento do objetivo da fase via análise reversa. Checa se codebase entrega o prometido, não só task completion. Cria VERIFICATION.md.
 tools: Read, Write, Bash, Grep, Glob
 color: green
-# hooks:
-#   PostToolUse:
-#     - matcher: "Write|Edit"
-#       hooks:
-#         - type: command
-#           command: "npx eslint --fix $FILE 2>/dev/null || true"
 ---
 
 <output_style>

package/kit/hooks/check-update.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 // hook-version: 1.30.0
+// SEC-13-05: flush-before-exit category = E (parent returns after spawn unref; child uses sync fs writes) — no fix needed
 // Check for framework updates in background, write result to cache
 // Called by SessionStart hook - runs once per session
 
@@ -42,6 +43,9 @@ if (!fs.existsSync(cacheDir)) {
 }
 
 // Run check in background (spawn background process, windowsHide prevents console flash)
+// SEC-13-05: parent process retorna imediatamente após child.unref() — não
+// há buffered I/O no parent. Child usa fs.writeFileSync (sync), sem race.
+// Categoria E na taxonomia da Phase 80.
 const child = spawn(process.execPath, ['-e', `
   const fs = require('fs');
   const path = require('path');

package/kit/hooks/context-monitor.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.30.0
+// hook-version: 1.30.1
+// SEC-13-05: flush-before-exit category = A (stdout.write + immediate exit)
+// Fix applied: process.stdout.write(payload, () => process.exit(0)) on warning path.
 // Context Monitor - PostToolUse/AfterTool hook (Gemini uses AfterTool)
 // Reads context metrics from the statusline bridge file and injects
 // warnings when context usage is high. This makes the AGENT aware of
@@ -148,7 +150,12 @@ process.stdin.on('end', () => {
       }
     };
 
-    process.stdout.write(JSON.stringify(output));
+    // SEC-13-05: aguardar flush do stdout antes do exit. Sem callback, em
+    // pipes lentos (CI/Windows/Git Bash) o JSON pode ser dropado quando o
+    // process termina antes do kernel drenar o buffer.
+    process.stdout.write(JSON.stringify(output), () => {
+      process.exit(0);
+    });
   } catch (e) {
     // Silent fail -- never block tool execution
     process.exit(0);

package/kit/hooks/post-apply-migration.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.4.0
+// hook-version: 1.4.1
+// SEC-13-05: flush-before-exit category = A (stderr.write + immediate exit)
+// Fix applied: process.stderr.write(summary, () => process.exit(0)) on success path.
 // kit-mcp · Post-apply Migration Hook (PostToolUse)
 //
 // Triggers automatically AFTER a successful Supabase MCP apply_migration call.
@@ -104,12 +106,18 @@ process.stdin.on('end', () => {
     }
 
     // The final advisory printed back to Claude (and to the user via stderr)
+    // SEC-13-05: aguardar flush do stderr antes do exit. Sem callback, o
+    // resumo final pode ser dropado em pipes lentos (CI/Windows). Os outros
+    // process.stderr.write intermediários (linhas ~71/87/93/100) NÃO precisam
+    // do callback porque o process continua executando após eles — o event
+    // loop drena o buffer naturalmente antes do próximo write.
     if (mirroredPath || stubPath) {
       const lines = ['[post-apply-migration] resumo:'];
       if (mirroredPath) lines.push(`  • SQL: ${path.relative(projectRoot, mirroredPath)}`);
       if (stubPath)     lines.push(`  • Stub: ${path.relative(vault, stubPath)}`);
       lines.push('  → cofre Obsidian: edite o stub e commite quando puder.');
-      process.stderr.write(lines.join('\n') + '\n');
+      process.stderr.write(lines.join('\n') + '\n', () => process.exit(0));
+      return;
     }
 
     process.exit(0);

package/kit/hooks/prompt-guard.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.30.0
+// hook-version: 1.30.1
+// SEC-13-05: flush-before-exit category = A (stdout.write + immediate exit)
+// Fix applied: process.stdout.write(payload, () => process.exit(0)) on warning path.
 // framework Prompt Injection Guard — PreToolUse hook
 // Scans file content being written to .planning/ for prompt injection patterns.
 // Defense-in-depth: catches injected instructions before they enter agent context.
@@ -88,7 +90,12 @@ process.stdin.on('end', () => {
       },
     };
 
-    process.stdout.write(JSON.stringify(output));
+    // SEC-13-05: aguardar flush do stdout antes do exit. Sem callback, em
+    // pipes lentos (CI/Windows/Git Bash) o JSON pode ser dropado quando o
+    // process termina antes do kernel drenar o buffer.
+    process.stdout.write(JSON.stringify(output), () => {
+      process.exit(0);
+    });
   } catch {
     // Silent fail — never block tool execution
     process.exit(0);

package/kit/hooks/statusline.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 // hook-version: 1.30.0
+// SEC-13-05: flush-before-exit category = C (no process.exit, natural termination flushes) — no fix needed
 // Claude Code Statusline - Edition
 // Shows: model | current task | directory | context usage
 
@@ -107,6 +108,11 @@ process.stdin.on('end', () => {
     }
 
     // Output
+    // SEC-13-05: statusline termina naturalmente após este write — Node
+    // garante o flush antes do process exit quando não há process.exit
+    // explícito. NÃO converter para process.stdout.write(x, callback) +
+    // process.exit() — isso introduziria um early-exit que poderia
+    // truncar saída em casos onde o write é maior que o buffer do pipe.
     const dirname = path.basename(dir);
     if (task) {
       process.stdout.write(`${updateNotice}\x1b[2m${model}\x1b[0m │ \x1b[1m${task}\x1b[0m │ \x1b[2m${dirname}\x1b[0m${ctx}`);

package/kit/hooks/workflow-guard.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-// hook-version: 1.30.0
+// hook-version: 1.30.1
+// SEC-13-05: flush-before-exit category = A (stdout.write + immediate exit)
+// Fix applied: process.stdout.write(payload, () => process.exit(0)) on warning path.
 // framework Workflow Guard — PreToolUse hook
 // Detects when Claude attempts file edits outside a framework workflow context
 // (no active / command or Task subagent) and injects an advisory warning.
@@ -86,7 +88,12 @@ process.stdin.on('end', () => {
       }
     };
 
-    process.stdout.write(JSON.stringify(output));
+    // SEC-13-05: aguardar flush do stdout antes do exit. Sem callback, em
+    // pipes lentos (CI/Windows/Git Bash) o JSON pode ser dropado quando o
+    // process termina antes do kernel drenar o buffer.
+    process.stdout.write(JSON.stringify(output), () => {
+      process.exit(0);
+    });
   } catch (e) {
     // Silent fail — never block tool execution
     process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@luanpdd/kit-mcp",
-  "version": "1.12.1",
+  "version": "1.13.0",
   "description": "Generic infrastructure to ship YOUR personal kit of agents/commands/skills as an MCP server, with cross-IDE sync (Claude Code, Cursor, Codex, Gemini, Windsurf, Antigravity, Copilot, Trae).",
   "type": "module",
   "bin": {
@@ -16,7 +16,6 @@
     "kit/",
     "gates/",
     "README.md",
-    "CHANGELOG.md",
     "LICENSE"
   ],
   "keywords": [

package/src/cli/index.js

@@ -18,7 +18,7 @@ import { fileURLToPath } from 'node:url';
 import path from 'node:path';
 import { listKit, searchKit, findItem } from '../core/kit.js';
 import { listTargets } from '../core/registry.js';
-import { syncTo, statusOf, removeFrom } from '../core/sync.js';
+import { syncTo, statusOf, removeFrom, summarize } from '../core/sync.js';
 import { watchKit, detectExistingTargets } from '../core/watch.js';
 import { listGates, getGate, gatesForStage } from '../core/gates.js';
 import { runGate } from '../core/gate-runner.js';
@@ -148,7 +148,10 @@ function fail(msg) {
 }
 
 function slim(x) {
-  return { kind: x.kind, name: x.name, description: x.description };
+  // PERF-13-01: cap description at SUMMARY_MAX_CHARS via shared summarize()
+  // helper from src/core/sync.js — keeps cross-surface behavior identical
+  // (CLI listing == MCP listing). Full text remains in each item's source file.
+  return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
 // --- kit ---

package/src/core/replays.js

@@ -17,15 +17,55 @@ import fs from 'node:fs/promises';
 
 const REPLAY_DIR_REL = path.join('.planning', 'replays');
 
+// SEC-13-02: replayId path traversal guard. The MCP forensics tool exposes
+// load-replay/annotate-replay/record-replay actions; without sanitization,
+// a malicious replayId like '../../../etc/passwd' would read/write files
+// outside .planning/replays/.
+//
+// Strategy: allowlist regex (no slashes, no '..', no NUL) + post-resolve assertion
+// that the final path stays inside REPLAY_DIR_REL.
+const REPLAY_ID_RE = /^[A-Za-z0-9_.-]+$/;
+
+function validateReplayId(id) {
+  if (typeof id !== 'string' || !id) {
+    throw new Error('invalid replay id: must be a non-empty string');
+  }
+  if (id === '.' || id === '..' || id.includes('..')) {
+    throw new Error('invalid replay id: traversal sequences not allowed');
+  }
+  if (!REPLAY_ID_RE.test(id)) {
+    throw new Error(`invalid replay id: only [A-Za-z0-9_.-] allowed, got ${JSON.stringify(id)}`);
+  }
+  return id;
+}
+
+function assertPathInside(filePath, baseDir) {
+  const resolved = path.resolve(filePath);
+  const base = path.resolve(baseDir);
+  // Ensure resolved is base or a child of base (handle trailing-sep edge case).
+  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
+    throw new Error('invalid replay id: resolved path escapes replay directory');
+  }
+  return resolved;
+}
+
 export async function recordReplay(payload, opts = {}) {
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
   const dir = path.join(projectRoot, REPLAY_DIR_REL);
   await fs.mkdir(dir, { recursive: true });
 
   const ts   = new Date().toISOString().replace(/[:.]/g, '-');
-  const slug = [payload.phase, payload.plan, payload.agent].filter(Boolean).join('-') || 'unknown';
+  // SEC-13-02: validate each slug component independently before concat
+  const slugParts = [payload.phase, payload.plan, payload.agent].filter(Boolean);
+  for (const part of slugParts) {
+    validateReplayId(String(part));
+  }
+  const slug = slugParts.join('-') || 'unknown';
   const id   = `${ts}-${slug}`;
+  // Re-validate the full id (defense in depth — ts is well-formed but cheap to check)
+  validateReplayId(id);
   const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
 
   const record = { id, recorded_at: new Date().toISOString(), ...payload };
   await fs.writeFile(file, JSON.stringify(record, null, 2), 'utf8');
@@ -49,15 +89,21 @@ export async function listReplays(opts = {}) {
 }
 
 export async function loadReplay(id, opts = {}) {
+  validateReplayId(id);
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
-  const file = path.join(projectRoot, REPLAY_DIR_REL, `${id}.json`);
+  const dir = path.join(projectRoot, REPLAY_DIR_REL);
+  const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
   const raw  = await fs.readFile(file, 'utf8');
   return JSON.parse(raw);
 }
 
 export async function annotateReplay(id, outcome, opts = {}) {
+  validateReplayId(id);
   const projectRoot = path.resolve(opts.projectRoot ?? process.cwd());
-  const file = path.join(projectRoot, REPLAY_DIR_REL, `${id}.json`);
+  const dir = path.join(projectRoot, REPLAY_DIR_REL);
+  const file = path.join(dir, `${id}.json`);
+  assertPathInside(file, dir);
   const r = JSON.parse(await fs.readFile(file, 'utf8'));
   r.outcome = { ...(r.outcome ?? {}), ...outcome, annotated_at: new Date().toISOString() };
   await fs.writeFile(file, JSON.stringify(r, null, 2), 'utf8');

package/src/core/sync.js

@@ -257,8 +257,10 @@ See: [\`${rel}\`](${rel})
 // own file under kit/ — duplicating them here costs tokens in every Claude
 // Code session. Cap each line at ~80 chars; users can `kit get <name>` for the
 // full description.
-const SUMMARY_MAX_CHARS = 80;
-function summarize(desc) {
+// PERF-13-01: exported so slim() in src/mcp-server/index.js and src/cli/index.js
+// can reuse the same cap (single source of truth — no duplicated constants).
+export const SUMMARY_MAX_CHARS = 80;
+export function summarize(desc) {
   if (!desc) return '';
   const flat = desc.replace(/\s+/g, ' ').trim();
   if (flat.length <= SUMMARY_MAX_CHARS) return flat;

package/src/mcp-server/index.js

@@ -12,9 +12,13 @@ import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
 import { listKit, searchKit, findItem } from '../core/kit.js';
 import { listTargets } from '../core/registry.js';
-import { syncTo, statusOf, removeFrom } from '../core/sync.js';
+import { syncTo, statusOf, removeFrom, summarize } from '../core/sync.js';
 import { detectReverse, applyReverse } from '../core/reverse-sync.js';
 import { listGates, getGate, gatesForStage } from '../core/gates.js';
 import { runGate } from '../core/gate-runner.js';
@@ -125,6 +129,23 @@ const TOOLS = [
   },
 ];
 
+// DRIFT-13-03: read version from package.json at module load (NOT inside
+// createServer — re-reading on every call adds zero value). Same pattern as
+// bin/cli.js:43-51. Both files are 2 levels deep from repo root, so the
+// '..', '..' resolution works identically. Falls back to 'unknown' if the
+// package.json lookup fails (unusual install layout).
+function readPkgVersion() {
+  try {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    const pkgPath = path.resolve(here, '..', '..', 'package.json');
+    return JSON.parse(readFileSync(pkgPath, 'utf8')).version;
+  } catch {
+    return 'unknown';
+  }
+}
+
+export const PKG_VERSION = readPkgVersion();
+
 // --- handlers ---
 
 async function handleKit(args) {
@@ -200,12 +221,14 @@ async function handleGates(args) {
     case 'get':       return getGate(args.id);
     case 'for-stage': return gatesForStage(args.stage);
     case 'run':
-      return withAutoSpawn(args, 'gates.run', () =>
-        runGate(args.id, {
-          projectRoot: args.projectRoot,
-          yes: true,            // MCP context: never prompt
-          interactive: false,   // MCP never prompts
-        }));
+      // SEC-13-01: MCP transport must never execute shell — runGate spawns bash with
+      // arbitrary content from gates/*.md (which reverse-sync can rewrite). Even with
+      // {yes: true}, this skips the interactive "y/N before exec" promise. The CLI
+      // entry point (`kit gates run <id>` via bin/cli.js) preserves the prompt and
+      // remains the only path to executing gates.
+      return {
+        error: 'MCP gates.run requires interactive TTY confirmation; use `kit gates run` from CLI instead.',
+      };
     default: return { error: `Unknown action: ${args.action}` };
   }
 }
@@ -255,14 +278,16 @@ const HANDLERS = {
 function slim(x) {
   // absPath omitted by design — list-* tools are AI-consumed in tight context budgets.
   // Use action=get to fetch the absPath (and content) for a specific item.
-  return { kind: x.kind, name: x.name, description: x.description };
+  // PERF-13-01 (TOK-02): truncate description via SUMMARY_MAX_CHARS (80) cap shared
+  // with src/core/sync.js — full description lives in each item's file under kit/.
+  return { kind: x.kind, name: x.name, description: summarize(x.description) };
 }
 
 // --- server bootstrap ---
 
 export async function createServer() {
   const server = new Server(
-    { name: 'kit-mcp', version: '0.1.0' },
+    { name: 'kit-mcp', version: PKG_VERSION },
     { capabilities: { tools: {} } }
   );