@master4n/master-cli 3.0.4 → 3.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +11 -1
  2. package/SECURITY.md +1 -1
  3. package/bin/index.js +2 -2
  4. package/bin/index.js.map +1 -1
  5. package/bin/utility/mcp-server.d.ts +8 -1
  6. package/llms.txt +3 -2
  7. package/package.json +1 -1
package/README.md CHANGED
@@ -64,7 +64,7 @@ toolkit over the [Model Context Protocol](https://modelcontextprotocol.io)
64
64
  // e.g. .mcp.json / claude_desktop_config.json / any MCP client
65
65
  {
66
66
  "mcpServers": {
67
- "mfn": { "command": "npx", "args": ["-y", "@master4n/master-cli", "mcp"] }
67
+ "mfn": { "command": "npx", "args": ["-y", "@master4n/master-cli@latest", "mcp"] }
68
68
  }
69
69
  }
70
70
  ```
@@ -75,6 +75,16 @@ included), and `mfn_help` (per-command flags). `update` is deny-listed so an
75
75
  MCP-only client can never install packages. `mfn mcp --json` describes the
76
76
  server without starting it.
77
77
 
78
+ An [Agent Skill](./skills/mfn/SKILL.md) ships at `skills/mfn/SKILL.md` — a
79
+ portable SKILL.md (YAML frontmatter + usage guide) that teaches any coding
80
+ agent (Claude Code, Roo, Cline, …) the full command catalog, output contract,
81
+ recipes, and gotchas. `.claude/skills/mfn` symlinks to it so Claude Code
82
+ auto-discovers it in this repo; point other agents at the file directly.
83
+
84
+ This repo ships a [`.mcp.json`](./.mcp.json) with exactly this wiring, so
85
+ cloning it gives Claude Code (and any client honouring project-scope MCP
86
+ config) the `mfn` server automatically.
87
+
78
88
  ## Quick start
79
89
 
80
90
  ```sh
package/SECURITY.md CHANGED
@@ -40,7 +40,7 @@ use any flag that exists:
40
40
  | --------- | -------- | ---------------- |
41
41
  | **Sensitive-path refusal** (`SensitivePath`, exit 2) | `lines` `json` `schema` `diff` `freq` `regex -f` `hash -f` | Returning the CONTENT of credential stores: `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.kube`, `.env*`, `*.pem`, `*.key`, `id_rsa*`, `.npmrc`, `.netrc`, `shadow`, … An agent's context window is a log that never rotates. `hash -f` is included because a digest of a low-entropy secrets file can be brute-forced offline. |
42
42
  | **Clipboard secret redaction** | `clip` (read) | Passwords/tokens pasted through the clipboard (password managers). Secret-shaped content (private-key blocks, JWTs, AWS/GitHub/Slack/Google/npm/`sk-` tokens) is withheld with `redacted:true`. |
43
- | **Env value scanning** | `env` | Redacts by NAME pattern (key/token/secret/…) **and** by VALUE shape — an innocently named variable holding a JWT is still redacted. `mfn env` with no names lists names only. |
43
+ | **Env value scanning** | `env` | Redacts by NAME pattern (key/token/secret/…) **and** by VALUE shape — an innocently named variable holding a JWT is still redacted. The mask is uniform (`••••` + length): no prefix/suffix characters are ever revealed. `mfn env` with no names lists names only. |
44
44
  | **Dotenv never reads values** | `dotenv` | Compares KEY presence between `.env` and `.env.example`; values are never parsed, stored, or returned. |
45
45
  | **Cloud-metadata block** (`BlockedTarget`, exit 2) | `http` `wait -u` | SSRF credential theft via `169.254.169.254`, `metadata.google.internal`, Alibaba/AWS v6 endpoints. Localhost stays allowed — probing your own dev server is the point. |
46
46
  | **Session-cookie redaction** | `http` | `set-cookie` response headers are replaced with `[redacted: session cookie]`. |