@mtaap/mcp 0.2.7 → 0.2.8

package/README.md

@@ -518,19 +518,6 @@ report_error -> abandon_task -> list_tasks -> assign_task (retry or pick differe
 
 3. Use the tools from your AI agent
 
-## Development
-
-```bash
-# Build
-pnpm build
-
-# Watch mode
-pnpm dev
-
-# Run locally
-COLLAB_API_KEY=your-key COLLAB_BASE_URL=https://collab.mtaap.de pnpm start
-```
-
 ## Troubleshooting
 
 ### "COLLAB_API_KEY is required"
@@ -553,16 +540,6 @@ Ensure your firewall allows outbound connections to your Collab instance. The se
 
 The MCP API is rate limited to 100 requests per minute. If you exceed this limit, you'll receive a 429 error with a `Retry-After` header indicating when you can retry.
 
-## Publishing
-
-This package is published as `@mtaap/mcp` to npm.
-
-```bash
-# Build and publish
-pnpm build
-npm publish
-```
-
 ## License
 
 Proprietary - See LICENSE file for details.

package/dist/cli.js

@@ -420,6 +420,7 @@ var ListTasksInputSchema = import_zod2.z.object({
   includeArchived: import_zod2.z.boolean().optional()
 });
 var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
 var GetTaskInputSchema = import_zod2.z.object({
   taskId: cuidOrPrefixedId
 });
@@ -634,7 +635,7 @@ var UpdateTaskMCPInputSchema = import_zod2.z.object({
 var ReportBranchInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  branchName: import_zod2.z.string().min(1).max(100)
+  branchName: gitBranchName
 });
 var ReportPRInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
@@ -941,6 +942,12 @@ var errorTrackerInstance = new NoOpErrorTracker();
 
 // src/api-client.ts
 var DEFAULT_TIMEOUT = 3e4;
+function sanitizeForLogging(str) {
+  let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
+  sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
+  sanitized = sanitized.replace(/([?&](api_?key|token|auth|key|secret)=)[^&\s]+/gi, "$1[REDACTED]");
+  return sanitized;
+}
 var ApiError = class extends Error {
   constructor(message, code, status, details) {
     super(message);
@@ -970,7 +977,7 @@ var MCPApiClient = class {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     if (this.debug) {
-      console.error(`[mcp-api] ${method} ${url}`);
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
       const response = await fetch(url, {
@@ -1005,8 +1012,9 @@ var MCPApiClient = class {
           408
         );
       }
+      const rawMessage = error instanceof Error ? error.message : "Unknown error";
       throw new ApiError(
-        error instanceof Error ? error.message : "Unknown error",
+        sanitizeForLogging(rawMessage),
         "NETWORK_ERROR",
         0
       );
@@ -2192,22 +2200,76 @@ function handleApiError(error) {
     isError: true
   };
 }
+var ActiveTaskSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  projectId: import_zod3.z.string().min(1),
+  branchName: import_zod3.z.string().optional(),
+  startedAt: import_zod3.z.string().optional()
+});
 async function checkActiveTask() {
   const fs = await import("fs");
   const path = await import("path");
-  const activeTaskPath = path.join(process.cwd(), ".collab", "active-task.json");
+  const cwd = process.cwd();
+  const collabDir = path.join(cwd, ".collab");
+  const activeTaskPath = path.join(collabDir, "active-task.json");
   try {
-    await fs.promises.access(activeTaskPath);
+    const resolvedPath = path.resolve(activeTaskPath);
+    const resolvedCollabDir = path.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid active task path"
+      };
+    }
+    const stats = await fs.promises.lstat(activeTaskPath);
+    if (stats.isSymbolicLink()) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Symlinks not allowed for active task file"
+      };
+    }
+    if (!stats.isFile()) {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     const content = await fs.promises.readFile(activeTaskPath, "utf-8");
-    const activeTask = JSON.parse(content);
+    let parsed;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid JSON in active task file"
+      };
+    }
+    const validationResult = ActiveTaskSchema.safeParse(parsed);
+    if (!validationResult.success) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Active task file has invalid structure"
+      };
+    }
     return {
       hasActiveTask: true,
-      task: activeTask
+      task: validationResult.data
     };
-  } catch {
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     return {
       hasActiveTask: false,
-      task: null
+      task: null,
+      error: "Failed to read active task file"
     };
   }
 }