npm - @mtaap/mcp - Versions diffs - 0.2.7 → 0.2.8 - Mend

@mtaap/mcp 0.2.7 → 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -429,6 +429,7 @@ var ListTasksInputSchema = import_zod2.z.object({
   includeArchived: import_zod2.z.boolean().optional()
 });
 var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
 var GetTaskInputSchema = import_zod2.z.object({
   taskId: cuidOrPrefixedId
 });
@@ -643,7 +644,7 @@ var UpdateTaskMCPInputSchema = import_zod2.z.object({
 var ReportBranchInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  branchName: import_zod2.z.string().min(1).max(100)
+  branchName: gitBranchName
 });
 var ReportPRInputSchema = import_zod2.z.object({
   projectId: cuidOrPrefixedId,
@@ -950,6 +951,12 @@ var errorTrackerInstance = new NoOpErrorTracker();
 // src/api-client.ts
 var DEFAULT_TIMEOUT = 3e4;
+function sanitizeForLogging(str) {
+  let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
+  sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
+  sanitized = sanitized.replace(/([?&](api_?key|token|auth|key|secret)=)[^&\s]+/gi, "$1[REDACTED]");
+  return sanitized;
+}
 var ApiError = class extends Error {
   constructor(message, code, status, details) {
     super(message);
@@ -979,7 +986,7 @@ var MCPApiClient = class {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     if (this.debug) {
-      console.error(`[mcp-api] ${method} ${url}`);
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
       const response = await fetch(url, {
@@ -1014,8 +1021,9 @@ var MCPApiClient = class {
           408
         );
       }
+      const rawMessage = error instanceof Error ? error.message : "Unknown error";
       throw new ApiError(
-        error instanceof Error ? error.message : "Unknown error",
+        sanitizeForLogging(rawMessage),
         "NETWORK_ERROR",
         0
       );
@@ -2201,22 +2209,76 @@ function handleApiError(error) {
     isError: true
   };
 }
+var ActiveTaskSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  projectId: import_zod3.z.string().min(1),
+  branchName: import_zod3.z.string().optional(),
+  startedAt: import_zod3.z.string().optional()
+});
 async function checkActiveTask() {
   const fs = await import("fs");
   const path = await import("path");
-  const activeTaskPath = path.join(process.cwd(), ".collab", "active-task.json");
+  const cwd = process.cwd();
+  const collabDir = path.join(cwd, ".collab");
+  const activeTaskPath = path.join(collabDir, "active-task.json");
   try {
-    await fs.promises.access(activeTaskPath);
+    const resolvedPath = path.resolve(activeTaskPath);
+    const resolvedCollabDir = path.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid active task path"
+      };
+    }
+    const stats = await fs.promises.lstat(activeTaskPath);
+    if (stats.isSymbolicLink()) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Symlinks not allowed for active task file"
+      };
+    }
+    if (!stats.isFile()) {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     const content = await fs.promises.readFile(activeTaskPath, "utf-8");
-    const activeTask = JSON.parse(content);
+    let parsed;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid JSON in active task file"
+      };
+    }
+    const validationResult = ActiveTaskSchema.safeParse(parsed);
+    if (!validationResult.success) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Active task file has invalid structure"
+      };
+    }
     return {
       hasActiveTask: true,
-      task: activeTask
+      task: validationResult.data
     };
-  } catch {
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     return {
       hasActiveTask: false,
-      task: null
+      task: null,
+      error: "Failed to read active task file"
     };
   }
 }