npm - @mandujs/mcp - Versions diffs - 0.18.3 → 0.18.4 - Mend

@mandujs/mcp 0.18.3 → 0.18.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mandujs/mcp",
-  "version": "0.18.3",
+  "version": "0.18.4",
   "description": "Mandu MCP Server - Agent-native interface for Mandu framework operations",
   "type": "module",
   "main": "./src/index.ts",

package/src/activity-monitor.ts CHANGED Viewed

@@ -7,7 +7,7 @@
 import fs from "fs";
 import path from "path";
-import { spawn, type ChildProcess } from "child_process";
+import type { Subprocess } from "bun";
 const TOOL_ICONS: Record<string, string> = {
   // Spec
@@ -266,7 +266,7 @@ function writeDefaultConfig(projectRoot: string, config: Required<MonitorConfig>
 export class ActivityMonitor {
   private logFile = "";
   private logStream: fs.WriteStream | null = null;
-  private tailProcess: ChildProcess | null = null;
+  private tailProcess: Subprocess | null = null;
   private projectRoot: string;
   private config: Required<MonitorConfig>;
   private outputFormat: MonitorOutputFormat;
@@ -813,9 +813,9 @@ export class ActivityMonitor {
   private openTerminal(): void {
     try {
       if (process.platform === "win32") {
-        this.tailProcess = spawn(
-          "cmd",
+        this.tailProcess = Bun.spawn(
           [
+            "cmd",
             "/c",
             "start",
             "Mandu Activity Monitor",
@@ -824,22 +824,19 @@ export class ActivityMonitor {
             "-Command",
             `[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; chcp 65001 | Out-Null; Get-Content '${this.logFile}' -Wait -Encoding UTF8`,
           ],
-          { cwd: this.projectRoot, detached: true, stdio: "ignore" }
+          { cwd: this.projectRoot, stdio: ["ignore", "ignore", "ignore"] }
         );
       } else if (process.platform === "darwin") {
-        this.tailProcess = spawn(
-          "osascript",
-          ["-e", `tell application "Terminal" to do script "tail -f '${this.logFile}'"`],
-          { detached: true, stdio: "ignore" }
+        this.tailProcess = Bun.spawn(
+          ["osascript", "-e", `tell application "Terminal" to do script "tail -f '${this.logFile}'"`],
+          { stdio: ["ignore", "ignore", "ignore"] }
         );
       } else {
-        this.tailProcess = spawn(
-          "x-terminal-emulator",
-          ["-e", `tail -f '${this.logFile}'`],
-          { cwd: this.projectRoot, detached: true, stdio: "ignore" }
+        this.tailProcess = Bun.spawn(
+          ["x-terminal-emulator", "-e", `tail -f '${this.logFile}'`],
+          { cwd: this.projectRoot, stdio: ["ignore", "ignore", "ignore"] }
         );
       }
-      this.tailProcess?.unref();
     } catch {
       // Terminal auto-open failed silently
     }

package/src/server.ts CHANGED Viewed

@@ -322,7 +322,10 @@ export class ManduMcpServer {
  * 리소스 패턴 매칭
  */
 function matchResourcePattern(pattern: string, uri: string): boolean {
-  const regexPattern = pattern.replace(/\{[^}]+\}/g, "([^/]+)");
+  const regexPattern = pattern
+    .split(/\{[^}]+\}/)
+    .map(part => part.replace(/[.+*?^${}()|[\]\\]/g, "\\$&"))
+    .join("([^/]+)");
   const regex = new RegExp(`^${regexPattern}$`);
   return regex.test(uri);
 }
@@ -332,10 +335,16 @@ function matchResourcePattern(pattern: string, uri: string): boolean {
  */
 function extractResourceParams(pattern: string, uri: string): Record<string, string> {
   const paramNames: string[] = [];
-  const regexPattern = pattern.replace(/\{([^}]+)\}/g, (_, name) => {
-    paramNames.push(name);
-    return "([^/]+)";
-  });
+  const regexPattern = pattern
+    .split(/\{([^}]+)\}/)
+    .map((part, index) => {
+      if (index % 2 === 1) {
+        paramNames.push(part);
+        return "([^/]+)";
+      }
+      return part.replace(/[.+*?^${}()|[\]\\]/g, "\\$&");
+    })
+    .join("");
   const regex = new RegExp(`^${regexPattern}$`);
   const match = uri.match(regex);

package/src/tools/brain.ts CHANGED Viewed

@@ -26,7 +26,7 @@ import {
   generateJsonStatus,
   initializeArchitectureAnalyzer,
   getArchitectureAnalyzer,
-} from "../../../core/src/index.js";
+} from "@mandujs/core";
 import { getProjectPaths } from "../utils/project.js";
 export const brainToolDefinitions: Tool[] = [

package/src/tools/project.ts CHANGED Viewed

@@ -22,23 +22,36 @@ type DevServerState = {
 };
 let devServerState: DevServerState | null = null;
+let devServerStarting = false;
 function trimOutput(text: string, maxChars: number = 4000): string {
   if (text.length <= maxChars) return text;
   return text.slice(-maxChars);
 }
-async function runCommand(cmd: string[], cwd: string) {
+const COMMAND_TIMEOUT_MS = 120_000; // 2 minutes
+async function runCommand(cmd: string[], cwd: string, timeoutMs: number = COMMAND_TIMEOUT_MS) {
   const proc = spawn(cmd, {
     cwd,
     stdout: "pipe",
     stderr: "pipe",
   });
-  const [stdout, stderr, exitCode] = await Promise.all([
-    new Response(proc.stdout).text(),
-    new Response(proc.stderr).text(),
-    proc.exited,
+  const timeoutPromise = new Promise<never>((_, reject) =>
+    setTimeout(() => {
+      proc.kill();
+      reject(new Error(`Command timed out after ${timeoutMs}ms: ${cmd.join(" ")}`));
+    }, timeoutMs)
+  );
+  const [stdout, stderr, exitCode] = await Promise.race([
+    Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]),
+    timeoutPromise,
   ]);
   return {
@@ -192,6 +205,16 @@ export function projectTools(projectRoot: string, server?: Server, monitor?: Act
       await fs.mkdir(baseDir, { recursive: true });
+      // Runtime whitelist validation for spawn arguments
+      const VALID_CSS = ["tailwind", "panda", "none"];
+      const VALID_UI = ["shadcn", "ark", "none"];
+      if (css !== undefined && !VALID_CSS.includes(css)) {
+        return { success: false, error: `Invalid css value: ${css}. Must be one of: ${VALID_CSS.join(", ")}` };
+      }
+      if (ui !== undefined && !VALID_UI.includes(ui)) {
+        return { success: false, error: `Invalid ui value: ${ui}. Must be one of: ${VALID_UI.join(", ")}` };
+      }
       const initArgs = ["@mandujs/cli", "init", name];
       if (minimal) {
         initArgs.push("--minimal");
@@ -201,7 +224,16 @@ export function projectTools(projectRoot: string, server?: Server, monitor?: Act
         if (theme) initArgs.push("--theme");
       }
-      const initResult = await runCommand(["bunx", ...initArgs], baseDir);
+      let initResult: { exitCode: number | null; stdout: string; stderr: string };
+      try {
+        initResult = await runCommand(["bunx", ...initArgs], baseDir);
+      } catch (err) {
+        return {
+          success: false,
+          step: "init",
+          error: err instanceof Error ? err.message : String(err),
+        };
+      }
       if (initResult.exitCode !== 0) {
         return {
           success: false,
@@ -216,7 +248,16 @@ export function projectTools(projectRoot: string, server?: Server, monitor?: Act
       let installResult: { exitCode: number | null; stdout: string; stderr: string } | null = null;
       if (install !== false) {
-        installResult = await runCommand(["bun", "install"], projectDir);
+        try {
+          installResult = await runCommand(["bun", "install"], projectDir);
+        } catch (err) {
+          return {
+            success: false,
+            step: "install",
+            projectDir,
+            error: err instanceof Error ? err.message : String(err),
+          };
+        }
         if (installResult.exitCode !== 0) {
           return {
             success: false,
@@ -253,53 +294,60 @@ export function projectTools(projectRoot: string, server?: Server, monitor?: Act
     mandu_dev_start: async (args: Record<string, unknown>) => {
       const { cwd } = args as { cwd?: string };
-      if (devServerState) {
+      if (devServerState || devServerStarting) {
         return {
           success: false,
-          message: "Dev server is already running",
-          pid: devServerState.process.pid,
-          cwd: devServerState.cwd,
+          message: devServerStarting
+            ? "Dev server is starting up, please wait"
+            : "Dev server is already running",
+          pid: devServerState?.process.pid,
+          cwd: devServerState?.cwd,
         };
       }
-      const targetDir = cwd ? path.resolve(projectRoot, cwd) : projectRoot;
-      const proc = spawn(["bun", "run", "dev"], {
-        cwd: targetDir,
-        stdout: "pipe",
-        stderr: "pipe",
-        stdin: "ignore",
-      });
-      const state: DevServerState = {
-        process: proc,
-        cwd: targetDir,
-        startedAt: new Date(),
-        output: [],
-        maxLines: 50,
-      };
-      devServerState = state;
+      devServerStarting = true;
+      try {
+        const targetDir = cwd ? path.resolve(projectRoot, cwd) : projectRoot;
+        const proc = spawn(["bun", "run", "dev"], {
+          cwd: targetDir,
+          stdout: "pipe",
+          stderr: "pipe",
+          stdin: "ignore",
+        });
+        const state: DevServerState = {
+          process: proc,
+          cwd: targetDir,
+          startedAt: new Date(),
+          output: [],
+          maxLines: 50,
+        };
+        devServerState = state;
+        consumeStream(proc.stdout, state, "stdout", server).catch(() => {});
+        consumeStream(proc.stderr, state, "stderr", server).catch(() => {});
-      consumeStream(proc.stdout, state, "stdout", server).catch(() => {});
-      consumeStream(proc.stderr, state, "stderr", server).catch(() => {});
+        proc.exited.then(() => {
+          if (devServerState?.process === proc) {
+            devServerState = null;
+          }
+        }).catch(() => {});
-      proc.exited.then(() => {
-        if (devServerState?.process === proc) {
-          devServerState = null;
+        if (monitor) {
+          monitor.logEvent("dev", `Dev server started (${targetDir})`);
         }
-      }).catch(() => {});
-      if (monitor) {
-        monitor.logEvent("dev", `Dev server started (${targetDir})`);
+        return {
+          success: true,
+          pid: proc.pid,
+          cwd: targetDir,
+          startedAt: state.startedAt.toISOString(),
+          message: "Dev server started",
+        };
+      } finally {
+        devServerStarting = false;
       }
-      return {
-        success: true,
-        pid: proc.pid,
-        cwd: targetDir,
-        startedAt: state.startedAt.toISOString(),
-        message: "Dev server started",
-      };
     },
     mandu_dev_stop: async () => {

package/src/utils/project.ts CHANGED Viewed

@@ -54,7 +54,7 @@ export function getProjectPaths(rootDir: string) {
 export function isInsideProject(filePath: string, rootDir: string): boolean {
   const resolved = path.resolve(filePath);
   const root = path.resolve(rootDir);
-  return resolved.startsWith(root);
+  return resolved === root || resolved.startsWith(root + path.sep);
 }
 /**
@@ -73,7 +73,9 @@ export async function readJsonFile<T>(filePath: string): Promise<T | null> {
 }
 /**
- * Write JSON file safely
+ * Write JSON file safely.
+ * Note: Callers are responsible for ensuring filePath is within the project root.
+ * All internal callers use paths derived from getProjectPaths() which are scoped to projectRoot.
  */
 export async function writeJsonFile(filePath: string, data: unknown): Promise<void> {
   const dir = path.dirname(filePath);