npm - @mtaap/mcp - Versions diffs - 0.2.7 → 0.2.10 - Mend

@mtaap/mcp 0.2.7 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -518,19 +518,6 @@ report_error -> abandon_task -> list_tasks -> assign_task (retry or pick differe
 3. Use the tools from your AI agent
-## Development
-```bash
-# Build
-pnpm build
-# Watch mode
-pnpm dev
-# Run locally
-COLLAB_API_KEY=your-key COLLAB_BASE_URL=https://collab.mtaap.de pnpm start
-```
 ## Troubleshooting
 ### "COLLAB_API_KEY is required"
@@ -553,16 +540,6 @@ Ensure your firewall allows outbound connections to your Collab instance. The se
 The MCP API is rate limited to 100 requests per minute. If you exceed this limit, you'll receive a 429 error with a `Retry-After` header indicating when you can retry.
-## Publishing
-This package is published as `@mtaap/mcp` to npm.
-```bash
-# Build and publish
-pnpm build
-npm publish
-```
 ## License
 Proprietary - See LICENSE file for details.

package/dist/cli.js CHANGED Viewed

@@ -162,12 +162,19 @@ var VALID_TRANSITIONS = {
   [TaskState.DONE]: []
 };
+// ../../packages/core/dist/config/deployment.js
+var config = {
+  deploymentMode: process.env.DEPLOYMENT_MODE || "saas"
+};
+var isSaas = config.deploymentMode === "saas";
+var isOnPrem = config.deploymentMode === "onprem";
 // ../../packages/core/dist/version.js
 var VERSION2 = "0.1.0";
 // ../../packages/core/dist/config/index.js
 var DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "saas";
-var config = {
+var config2 = {
   version: VERSION2,
   deploymentMode: DEPLOYMENT_MODE,
   billing: {
@@ -252,9 +259,9 @@ var config = {
   }
 };
 var DEFAULT_SEAT_LIMITS = {
-  [PricingTier.FREE]: config.pricing.defaultSeats.FREE,
-  [PricingTier.PRO]: config.pricing.defaultSeats.PRO,
-  [PricingTier.ENTERPRISE]: config.pricing.defaultSeats.ENTERPRISE
+  [PricingTier.FREE]: config2.pricing.defaultSeats.FREE,
+  [PricingTier.PRO]: config2.pricing.defaultSeats.PRO,
+  [PricingTier.ENTERPRISE]: config2.pricing.defaultSeats.ENTERPRISE
 };
 // ../../packages/core/dist/types/index.js
@@ -420,6 +427,7 @@ var ListTasksInputSchema = import_zod2.z.object({
   includeArchived: import_zod2.z.boolean().optional()
 });
 var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
 var GetTaskInputSchema = import_zod2.z.object({
   taskId: cuidOrPrefixedId
 });
@@ -634,7 +642,7 @@ var UpdateTaskMCPInputSchema = import_zod2.z.object({
 var ReportBranchInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  branchName: import_zod2.z.string().min(1).max(100)
+  branchName: gitBranchName
 });
 var ReportPRInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
@@ -941,6 +949,12 @@ var errorTrackerInstance = new NoOpErrorTracker();
 // src/api-client.ts
 var DEFAULT_TIMEOUT = 3e4;
+function sanitizeForLogging(str) {
+  let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
+  sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
+  sanitized = sanitized.replace(/([?&](api_?key|token|auth|key|secret)=)[^&\s]+/gi, "$1[REDACTED]");
+  return sanitized;
+}
 var ApiError = class extends Error {
   constructor(message, code, status, details) {
     super(message);
@@ -956,11 +970,11 @@ var MCPApiClient = class {
   timeout;
   debug;
   authContext = null;
-  constructor(config2) {
-    this.baseUrl = config2.baseUrl.replace(/\/$/, "");
-    this.apiKey = config2.apiKey;
-    this.timeout = config2.timeout ?? DEFAULT_TIMEOUT;
-    this.debug = config2.debug ?? false;
+  constructor(config3) {
+    this.baseUrl = config3.baseUrl.replace(/\/$/, "");
+    this.apiKey = config3.apiKey;
+    this.timeout = config3.timeout ?? DEFAULT_TIMEOUT;
+    this.debug = config3.debug ?? false;
   }
   /**
    * Make an HTTP request to the API
@@ -970,7 +984,7 @@ var MCPApiClient = class {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     if (this.debug) {
-      console.error(`[mcp-api] ${method} ${url}`);
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
       const response = await fetch(url, {
@@ -1005,8 +1019,9 @@ var MCPApiClient = class {
           408
         );
       }
+      const rawMessage = error instanceof Error ? error.message : "Unknown error";
       throw new ApiError(
-        error instanceof Error ? error.message : "Unknown error",
+        sanitizeForLogging(rawMessage),
         "NETWORK_ERROR",
         0
       );
@@ -2192,22 +2207,76 @@ function handleApiError(error) {
     isError: true
   };
 }
+var ActiveTaskSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  projectId: import_zod3.z.string().min(1),
+  branchName: import_zod3.z.string().optional(),
+  startedAt: import_zod3.z.string().optional()
+});
 async function checkActiveTask() {
   const fs = await import("fs");
   const path = await import("path");
-  const activeTaskPath = path.join(process.cwd(), ".collab", "active-task.json");
+  const cwd = process.cwd();
+  const collabDir = path.join(cwd, ".collab");
+  const activeTaskPath = path.join(collabDir, "active-task.json");
   try {
-    await fs.promises.access(activeTaskPath);
+    const resolvedPath = path.resolve(activeTaskPath);
+    const resolvedCollabDir = path.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid active task path"
+      };
+    }
+    const stats = await fs.promises.lstat(activeTaskPath);
+    if (stats.isSymbolicLink()) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Symlinks not allowed for active task file"
+      };
+    }
+    if (!stats.isFile()) {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     const content = await fs.promises.readFile(activeTaskPath, "utf-8");
-    const activeTask = JSON.parse(content);
+    let parsed;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid JSON in active task file"
+      };
+    }
+    const validationResult = ActiveTaskSchema.safeParse(parsed);
+    if (!validationResult.success) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Active task file has invalid structure"
+      };
+    }
     return {
       hasActiveTask: true,
-      task: activeTask
+      task: validationResult.data
     };
-  } catch {
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     return {
       hasActiveTask: false,
-      task: null
+      task: null,
+      error: "Failed to read active task file"
     };
   }
 }