@mcptoolshop/ai-loadout 1.0.0 → 1.0.1
- package/CHANGELOG.md +9 -0
- package/README.md +12 -1
- package/SECURITY.md +35 -0
- package/dist/types.d.ts +1 -0
- package/dist/validate.js +3 -0
- package/logo.png +0 -0
- package/package.json +4 -2
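--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.0.1 — 2026-03-06
+
+- Add `hint` field to `ValidationIssue` (Tier 1 error shape compliance)
+- Add hints to key validation issues (MISSING_ID, MISSING_PATH, EMPTY_KEYWORDS)
+- Add SECURITY.md with threat model
+- Expand README security section with threat model table
+- Add logo
+- Include SECURITY.md and logo.png in npm package
+
 ## 1.0.0 — 2026-03-06
 
 Initial release.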
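--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-<img src="
+<img src="logo.png" width="400" alt="ai-loadout">
 </p>
 
 <p align="center">
@@ -176,6 +176,17 @@ import type {
 
 This package is a pure data library. It does not access the filesystem, make network requests, or collect telemetry. All I/O is the consumer's responsibility.
 
+### Threat Model
+
+| Threat | Mitigation |
+|--------|------------|
+| Malformed frontmatter input | `parseFrontmatter()` returns `null` on invalid input — no exceptions, no eval |
+| Prototype pollution | Hand-rolled parser uses plain object literals, no `JSON.parse` of untrusted nested structures |
+| Index with bad data | `validateIndex()` catches structural issues before they propagate |
+| Regex DoS | No user-supplied regex — patterns are matched as plain string lookups |
+
+See [SECURITY.md](SECURITY.md) for the full security policy.
+
 ---
 
 Built by [MCP Tool Shop](https://mcp-tool-shop.github.io/)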
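--- a/package/SECURITY.md
+++ b/package/SECURITY.md
@@ -0,0 +1,35 @@
+# Security Policy
+
+## Attack Surface
+
+`@mcptoolshop/ai-loadout` is a **pure data library**. It has:
+
+- **No filesystem access** — does not read or write files
+- **No network access** — makes no HTTP requests, opens no sockets
+- **No code execution** — no `eval`, `Function()`, or dynamic imports
+- **No telemetry** — collects and transmits nothing
+- **No native dependencies** — pure TypeScript, zero production deps
+
+All I/O is the consumer's responsibility. This package only transforms data structures in memory.
+
+## Input Validation
+
+The `parseFrontmatter()` function processes untrusted text input. It uses simple string splitting — no YAML parser, no regex-based evaluation, no prototype pollution vectors.
+
+The `validateIndex()` function checks structural integrity of index objects. It does not execute or interpret any field values.
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 1.x | Yes |
+
+## Reporting a Vulnerability
+
+If you discover a security issue, please email **64996768+mcp-tool-shop@users.noreply.github.com** with:
+
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+
+We will respond within 7 days and aim to release a fix within 14 days for confirmed issues.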
package/dist/types.d.ts
CHANGED
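--- a/package/dist/validate.js
+++ b/package/dist/validate.js
@@ -51,6 +51,7 @@ export function validateIndex(index) {
 severity: "error",
 code: "MISSING_ID",
 message: "Entry is missing an id field",
+hint: "Every entry needs a unique kebab-case id",
 });
 continue;
 }
@@ -79,6 +80,7 @@ export function validateIndex(index) {
 severity: "error",
 code: "MISSING_PATH",
 message: `Entry "${entry.id}" has no path`,
+hint: "Set path to the relative file location (e.g. .claude/rules/my-rule.md)",
 entryId: entry.id,
 });
 }
@@ -114,6 +116,7 @@ export function validateIndex(index) {
 severity: "error",
 code: "EMPTY_KEYWORDS",
 message: `Domain entry "${entry.id}" has no keywords — cannot be routed`,
+hint: "Add keywords to frontmatter so the matcher can find this entry",
 entryId: entry.id,
 });
 }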
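Review bot: The new MISSING_PATH hint in the second hunk tells users that `path` should be a relative file location, but the visible lines only report a missing path; whether `validateIndex` also rejects absolute paths or `..` segments cannot be seen from here. Because the package leaves all file I/O to the consumer, an index from an untrusted source could carry a path that resolves outside the intended directory once the consumer reads it. If no such check exists elsewhere in the function, consider adding a warning-level issue for non-relative paths, or at least a comment above this issue object such as `// path is checked for presence only; callers must resolve it against a trusted base directory`. The MISSING_ID hint likewise states a "unique kebab-case" rule that these hunks do not show being enforced. `validateIndex` starts and ends outside all three hunks.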
package/logo.png
ADDED
|
Binary file
|
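--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@mcptoolshop/ai-loadout",
-"version": "1.0.
+"version": "1.0.1",
 "description": "Context-aware knowledge router for AI agents. Dispatch table, frontmatter spec, keyword matcher, token estimator.",
 "type": "module",
 "main": "dist/index.js",
@@ -21,7 +21,9 @@
 "dist",
 "README.md",
 "CHANGELOG.md",
-"LICENSE"
+"LICENSE",
+"SECURITY.md",
+"logo.png"
 ],
 "keywords": [
 "ai",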