npm - @mrrlin-dev/mcp - Versions diffs - 0.2.5 → 0.3.0 - Mend

@mrrlin-dev/mcp 0.2.5 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bin.cjs +998 -298
package/dist/prompts/report-issue.md +32 -12
package/package.json +4 -4

package/dist/prompts/report-issue.md CHANGED Viewed

@@ -105,31 +105,51 @@ short, ask **once**, and **skip any question the hint + log already answered**:
 If the user gives short or partial answers, accept them and move on. Never block
 the report on a perfect answer.
-### 4. Package the report (in ENGLISH)
+### 4. Package the report (in ENGLISH) — every string passes through `mrrlin-mcp redact`
 Translate the user's answers to English. Build a plain-text report. Keep the whole
 thing under **4096 characters** (Telegram's per-message limit) — trim the log
 excerpt first if needed, keeping the error lines over the context lines.
+**Hard rule:** every free-form string going into the report — the user's hint,
+their answers, the log excerpt — passes through the shipped scrubber first.
+There is no "but the log is already redacted by the logger" exception: the hint
+and the user's answers come from outside the logger, so they MUST be scrubbed
+here. Run each through:
+```bash
+HINT_REDACTED=$(printf %s "$USER_HINT_RAW" | mrrlin-mcp redact)
+EXCERPT_REDACTED=$(mrrlin-mcp redact < /tmp/excerpt-raw.txt)
+# (repeat for each user answer)
+```
+`mrrlin-mcp redact` reads stdin and writes the redacted bytes to stdout
+(empty input → empty output, exit 0). It uses the same regex set as the
+bridge logger (Bearer/JWT/GitHub-PAT/long-hex/long-base64). It is best-effort,
+not a guarantee — but it is the floor below which raw text is never allowed.
+Use the redacted versions to fill the template:
 ```
 🛠️ Mrrlin issue report
 When (UTC): <iso timestamp of the report>
 Mrrlin MCP: v<version if known>  |  OS: <platform>  |  Node: <version>
-▶ User hint (verbatim):
-<the text the operator passed with /report-issue, untranslated; "(none)" if absent>
+▶ User hint (verbatim, post-redaction):
+<HINT_REDACTED; "(none)" if absent>
 ▶ What the user was doing:
-<their answer, in English>
+<their answer, in English, post-redaction>
 ▶ Expected result:
-<their answer, or "(obvious from context: ...)", or "(not provided)">
+<their answer, post-redaction; or "(obvious from context: ...)"; or "(not provided)">
 ▶ Actual result / symptom:
-<their answer, in English>
+<their answer, in English, post-redaction>
-▶ Errors from bridge log (<filename>, matched by: <hint substring | sessionId | tail-fallback>):
-<the extracted error lines, verbatim — already redacted>
+▶ Errors from bridge log (<filename>, search strategy: <hint-driven | tail-fallback>):
+matched on: "<the exact line that triggered the cluster, truncated to 80 chars; or '(no hint provided)' for tail-fallback>"
+<EXCERPT_REDACTED — first the error lines, then the surrounding context>
 ▶ Context:
 session=<sessionId>  spanIds=<...>  window=<first ts>..<last ts>
@@ -180,10 +200,10 @@ why). Don't dump the raw report or the token back at them — just confirm.
 ## Rules
-- The operator's hint drives log search. Tail-only mode is the **fallback**, not the default.
-- Always include the verbatim hint in the report (under "User hint"), so the channel reader can see what was originally pasted before any translation.
+- **Every string going into the Telegram body comes out of `mrrlin-mcp redact`** — the user's hint, every translated user answer, the log excerpt. If your pipeline has a path that builds the body from raw text, you are doing it wrong. The bridge logger already redacts what it writes; the hint and the user's answers do NOT come from the logger and must be scrubbed here.
+- The operator's hint drives log search. Tail-fallback is the explicit fallback when no hint is provided.
+- `matched on:` must contain the literal line that triggered the cluster (truncated to 80 chars), so the channel reader can verify the match instead of trusting an LLM assertion.
 - Ask the user in their language; write the report in English. Skip any question the hint + log already answered.
 - Hide the mechanics: never surface the token, the log path, or the curl command to the user.
-- Forward log lines as-is — they're already secret-redacted. Do not paste anything that looks like a live token even if you see one.
 - One report = one `sendMessage` POST. Keep it under 4096 chars; use `sendDocument` only for the optional full log.
-- If anything is missing (no log match, vague answers), still send the best report you can rather than giving up — and say in the report which signal you actually matched on.
+- If anything is missing (no log match, vague answers), still send the best report you can rather than giving up — and say in the report which search strategy you used and what `matched on:` you found.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mrrlin-dev/mcp",
-  "version": "0.2.5",
+  "version": "0.3.0",
   "type": "module",
   "bin": {
     "mrrlin-mcp": "dist/bin.cjs"
@@ -20,12 +20,12 @@
     "@types/ws": "^8.18.1",
     "esbuild": "^0.24.0",
     "tsx": "^4.22.3",
-    "@mrrlin/client": "0.0.0",
     "@mrrlin/director-e2e": "0.0.0",
+    "@mrrlin/client": "0.0.0",
+    "@mrrlin/wiki": "0.0.0",
     "@mrrlin/codex-client": "0.0.0",
     "@mrrlin/schemas": "0.0.0",
-    "@mrrlin/tsconfig": "0.0.0",
-    "@mrrlin/wiki": "0.0.0"
+    "@mrrlin/tsconfig": "0.0.0"
   },
   "dependencies": {
     "@iarna/toml": "^2.2.5",