npm - @rapay/mcp-server - Versions diffs - 1.2.0 → 1.2.1 - Mend

@rapay/mcp-server 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/handlers.js CHANGED Viewed

@@ -399,9 +399,33 @@ function parseCliError(error) {
  */
 async function executeCliCommand(args, timeoutMs = 30000) {
     return new Promise((resolve, reject) => {
+        // Security: Only pass necessary environment variables to CLI subprocess
+        // This prevents leaking secrets from MCP server environment to CLI
+        // CLI needs: PATH (to find executables), HOME/USERPROFILE (for config files),
+        // RAPAY_* (explicit Ra Pay configuration), and keyring-related vars
+        const safeEnv = {
+            PATH: process.env.PATH,
+            HOME: process.env.HOME,
+            USERPROFILE: process.env.USERPROFILE, // Windows equivalent of HOME
+            TMPDIR: process.env.TMPDIR,
+            TEMP: process.env.TEMP,
+            TMP: process.env.TMP,
+            // Allow explicit Ra Pay config overrides
+            RAPAY_API_URL: process.env.RAPAY_API_URL,
+            RAPAY_CONFIG_DIR: process.env.RAPAY_CONFIG_DIR,
+            // Keyring access (Linux)
+            DBUS_SESSION_BUS_ADDRESS: process.env.DBUS_SESSION_BUS_ADDRESS,
+            XDG_RUNTIME_DIR: process.env.XDG_RUNTIME_DIR,
+            // Windows credential manager
+            APPDATA: process.env.APPDATA,
+            LOCALAPPDATA: process.env.LOCALAPPDATA,
+            // Windows system variables (required by libuv for spawn)
+            SYSTEMROOT: process.env.SYSTEMROOT,
+            WINDIR: process.env.WINDIR,
+        };
         const child = spawn(CLI_PATH, args, {
             stdio: ["pipe", "pipe", "pipe"],
-            env: { ...process.env }, // Inherit environment for keyring access
+            env: safeEnv,
             // cross-spawn handles Windows .cmd wrappers automatically
         });
         let stdout = "";

package/dist/index.d.ts CHANGED Viewed

@@ -13,5 +13,5 @@
  * - Privacy preserved (dumb pipe model intact)
  * - No blockers
  */
-export declare const SERVER_VERSION = "1.2.0";
+export declare const SERVER_VERSION = "1.2.1";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.js CHANGED Viewed

@@ -23,7 +23,7 @@ import { checkForUpdates } from "./version-check.js";
  * Server metadata
  */
 const SERVER_NAME = "rapay-mcp";
-export const SERVER_VERSION = "1.2.0";
+export const SERVER_VERSION = "1.2.1";
 /**
  * Initialize MCP server
  */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rapay/mcp-server",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Ra Pay MCP Server for Claude Desktop and Claude Code - AI Agent Payment Infrastructure",
   "type": "module",
   "main": "dist/index.js",