@selfagency/beans-mcp 0.1.1 → 0.1.3

package/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

package/.github/workflows/test.yml

@@ -8,6 +8,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   test:
     runs-on: ubuntu-latest

package/CHANGELOG.md

@@ -7,6 +7,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.3] - 2026-02-27
+
+**Full Changelog**: https://github.com/selfagency/beans-mcp/compare/v0.1.2...v0.1.3
+
+_Source: changes from v0.1.2 to v0.1.3._
+
+
+## [0.1.2] - 2026-02-27
+
+## What's Changed
+* feat: support body updates and de-duplicate MCP results by @selfagency in https://github.com/selfagency/beans-mcp/pull/1
+
+## New Contributors
+* @selfagency made their first contribution in https://github.com/selfagency/beans-mcp/pull/1
+
+**Full Changelog**: https://github.com/selfagency/beans-mcp/compare/v0.1.1...v0.1.2
+
+_Source: changes from v0.1.1 to v0.1.2._
+
+
 ## [0.1.1] - 2026-02-25
 
 **Full Changelog**: https://github.com/selfagency/beans-mcp/compare/v0.1.0...v0.1.1

package/codeql/codeql-custom-queries-actions/README.md

@@ -0,0 +1,14 @@
+# Custom CodeQL Queries (GitHub Actions)
+
+This pack adds repository-specific hardening checks for workflow security.
+
+## Queries
+
+- `queries/strict-external-action-pinning.ql`
+  - Flags external `uses:` steps that are not pinned to a full 40-character commit SHA.
+- `queries/github-script-without-tojson.ql`
+  - Flags `actions/github-script` steps whose `script` argument does not appear to use `toJson(...)`.
+
+## Why these checks
+
+These checks focus on practical workflow hardening against supply-chain and interpolation risks while keeping alerts actionable.

package/codeql/codeql-custom-queries-actions/codeql-pack.lock.yml

@@ -0,0 +1,32 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/actions-all:
+    version: 0.4.27
+  codeql/concepts:
+    version: 0.0.15
+  codeql/controlflow:
+    version: 2.0.25
+  codeql/dataflow:
+    version: 2.0.25
+  codeql/javascript-all:
+    version: 2.6.21
+  codeql/mad:
+    version: 1.0.41
+  codeql/regex:
+    version: 1.0.41
+  codeql/ssa:
+    version: 2.0.17
+  codeql/threat-models:
+    version: 1.0.41
+  codeql/tutorial:
+    version: 1.0.41
+  codeql/typetracking:
+    version: 2.0.25
+  codeql/util:
+    version: 2.0.28
+  codeql/xml:
+    version: 1.0.41
+  codeql/yaml:
+    version: 1.0.41
+compiled: false

package/codeql/codeql-custom-queries-actions/codeql-pack.yml

@@ -0,0 +1,7 @@
+---
+library: false
+warnOnImplicitThis: false
+name: getting-started/codeql-extra-queries-actions
+version: 1.0.0
+dependencies:
+  codeql/actions-all: ^0.4.27

package/codeql/codeql-custom-queries-actions/qlpack.yml

@@ -0,0 +1,6 @@
+library: false
+warnOnImplicitThis: false
+name: selfagency/beans-vscode-codeql-extra-queries-actions
+version: 1.0.0
+dependencies:
+  codeql/actions-all: ^0.4.27

package/codeql/codeql-custom-queries-actions/queries/github-script-without-tojson.ql

@@ -0,0 +1,18 @@
+/**
+ * @name github-script step without toJson hardening
+ * @description Inline scripts passed to actions/github-script should use toJson when handling expression values.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision medium
+ * @id actions/custom/github-script-without-tojson
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-116
+ */
+
+import actions
+
+from UsesStep step
+where step.getCallee() = "actions/github-script"
+select step,
+  "Review this github-script step for safe interpolation, validation, and least-privilege token use."

package/codeql/codeql-custom-queries-actions/queries/strict-external-action-pinning.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Uses step not pinned to a full commit SHA
+ * @description Detects workflow/action `uses:` steps that are not pinned to a 40-character commit SHA.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id actions/custom/strict-external-action-pinning
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import actions
+
+from UsesStep uses
+where not uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
+select uses,
+  "Action version is not pinned to a full commit SHA; review and pin to an immutable revision."

package/codeql/codeql-custom-queries-javascript/README.md

@@ -0,0 +1,14 @@
+# Custom CodeQL Queries (JavaScript / TypeScript)
+
+This pack adds repository-specific hardening checks for Node.js/TypeScript code.
+
+## Queries
+
+- `queries/child-process-shell-apis.ql`
+  - Flags `exec`/`execSync` usage outside tests.
+- `queries/innerhtml-assignment.ql`
+  - Flags assignment to `innerHTML` outside tests.
+
+## Why these checks
+
+These checks focus on high-signal security hotspots that often benefit from stricter review in extensions and tooling codebases.

package/codeql/codeql-custom-queries-javascript/codeql-pack.lock.yml

@@ -0,0 +1,30 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.15
+  codeql/controlflow:
+    version: 2.0.25
+  codeql/dataflow:
+    version: 2.0.25
+  codeql/javascript-all:
+    version: 2.6.21
+  codeql/mad:
+    version: 1.0.41
+  codeql/regex:
+    version: 1.0.41
+  codeql/ssa:
+    version: 2.0.17
+  codeql/threat-models:
+    version: 1.0.41
+  codeql/tutorial:
+    version: 1.0.41
+  codeql/typetracking:
+    version: 2.0.25
+  codeql/util:
+    version: 2.0.28
+  codeql/xml:
+    version: 1.0.41
+  codeql/yaml:
+    version: 1.0.41
+compiled: false

package/codeql/codeql-custom-queries-javascript/codeql-pack.yml

@@ -0,0 +1,7 @@
+---
+library: false
+warnOnImplicitThis: false
+name: getting-started/codeql-extra-queries-javascript
+version: 1.0.0
+dependencies:
+  codeql/javascript-all: ^2.6.21

package/codeql/codeql-custom-queries-javascript/qlpack.yml

@@ -0,0 +1,6 @@
+library: false
+warnOnImplicitThis: false
+name: selfagency/beans-vscode-codeql-extra-queries-javascript
+version: 1.0.0
+dependencies:
+  codeql/javascript-all: ^2.6.21

package/codeql/codeql-custom-queries-javascript/queries/child-process-shell-apis.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Use of shell-based child_process APIs
+ * @description Calls to exec/execSync run through a shell and are riskier than argument-array alternatives.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/custom/child-process-shell-apis
+ * @tags security
+ *       external/cwe/cwe-078
+ */
+
+import javascript
+
+private predicate inUserSource(InvokeExpr call) {
+  not call.getTopLevel().getFile().getRelativePath().regexpMatch("(^|.*/)(test|tests|__tests__|mocks?)/.*")
+}
+
+from CallExpr call
+where
+  inUserSource(call) and
+  not call.getCallee() instanceof PropAccess and
+  call.getCalleeName() = ["exec", "execSync"]
+select call,
+  "Shell-based process execution ($@) is harder to secure. Prefer execFile/spawn with argument arrays and strict input validation.",
+  call,
+  call.getCalleeName()

package/codeql/codeql-custom-queries-javascript/queries/innerhtml-assignment.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Assignment to innerHTML
+ * @description Assigning to innerHTML can introduce XSS risk if any untrusted content reaches the sink.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id js/custom/innerhtml-assignment
+ * @tags security
+ *       external/cwe/cwe-079
+ */
+
+import javascript
+
+private predicate inUserSource(AssignExpr assign) {
+  not assign.getTopLevel().getFile().getRelativePath().regexpMatch("(^|.*/)(test|tests|__tests__|mocks?)/.*")
+}
+
+from AssignExpr assign, PropAccess lhs
+where
+  inUserSource(assign) and
+  lhs = assign.getLhs() and
+  lhs.getPropertyName() = "innerHTML"
+select assign,
+  "Assignment to innerHTML can be unsafe. Prefer textContent or sanitization before rendering HTML."

package/dist/beans-mcp-server.cjs

@@ -22735,8 +22735,7 @@ function isPathWithinRoot(root, target) {
 }
 function makeTextAndStructured(value) {
   return {
-    content: [{ type: "text", text: JSON.stringify(value, null, 2) }],
-    structuredContent: value
+    content: [{ type: "text", text: JSON.stringify(value, null, 2) }]
   };
 }
 var import_node_path;
@@ -22920,6 +22919,9 @@ Output: ${stdout.slice(0, 1e3)}`
         if (updates.blockedBy) {
           updateInput.addBlockedBy = updates.blockedBy;
         }
+        if (updates.body !== void 0) {
+          updateInput.body = updates.body;
+        }
         const { data, errors } = await this.executeGraphQL(UPDATE_BEAN_MUTATION, {
           id: beanId,
           input: updateInput
@@ -31197,6 +31199,91 @@ var MAX_PATH_LENGTH = 1024;
 
 // src/server/BeansMcpServer.ts
 init_utils();
+
+// package.json
+var package_default = {
+  name: "@selfagency/beans-mcp",
+  version: "0.1.3",
+  private: false,
+  description: "MCP (Model Context Protocol) server for Beans issue tracker",
+  author: {
+    name: "Daniel Sieradski",
+    email: "daniel@self.agency",
+    url: "https://self.agency"
+  },
+  homepage: "https://github.com/hmans/beans",
+  bugs: {
+    url: "https://github.com/selfagency/beans-mcp/issues"
+  },
+  repository: {
+    type: "git",
+    url: "git+https://github.com/selfagency/beans-mcp.git"
+  },
+  keywords: [
+    "beans",
+    "mcp",
+    "model-context-protocol",
+    "issue-tracker",
+    "ai"
+  ],
+  license: "MIT",
+  type: "module",
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js",
+      require: "./dist/index.cjs"
+    }
+  },
+  main: "./dist/index.cjs",
+  module: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  bin: {
+    "beans-mcp": "dist/beans-mcp-server.cjs"
+  },
+  scripts: {
+    build: "tsup",
+    format: "oxfmt",
+    "lint:fix": "oxlint --fix",
+    lint: "oxlint",
+    postbuild: "node ./scripts/write-dist-package.js",
+    prepare: "husky",
+    release: "zx ./scripts/release.js",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    test: "vitest run",
+    "type-check": "tsc --noEmit"
+  },
+  devDependencies: {
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@octokit/rest": "^22.0.1",
+    "@types/node": "^20.19.0",
+    "@vitest/coverage-v8": "^4.0.18",
+    "@vitest/ui": "4.0.18",
+    husky: "^9.1.7",
+    "lint-staged": "^16.2.7",
+    ora: "^9.3.0",
+    oxfmt: "^0.35.0",
+    oxlint: "^1.50.0",
+    "oxlint-tsgolint": "^0.15.0",
+    tsup: "8.5.1",
+    typescript: "^5.9.3",
+    vitest: "4.0.18",
+    zod: "4.3.6",
+    zx: "^8.8.5"
+  },
+  engines: {
+    node: ">=18"
+  },
+  "lint-staged": {
+    "src/**/*.ts": [
+      "pnpm run lint:fix",
+      "pnpm run format"
+    ]
+  }
+};
+
+// src/server/BeansMcpServer.ts
 async function getBeanById(backend, beanId) {
   try {
     const beans = await backend.list();
@@ -31251,7 +31338,8 @@ function updateHandler(backend) {
       parent: input.parent,
       clearParent: input.clearParent,
       blocking: input.blocking,
-      blockedBy: input.blockedBy
+      blockedBy: input.blockedBy,
+      body: input.body
     })
   });
 }
@@ -31410,7 +31498,8 @@ function registerTools(server, backend) {
         parent: external_exports3.string().max(MAX_ID_LENGTH).optional(),
         clearParent: external_exports3.boolean().optional(),
         blocking: external_exports3.array(external_exports3.string().max(MAX_ID_LENGTH)).optional(),
-        blockedBy: external_exports3.array(external_exports3.string().max(MAX_ID_LENGTH)).optional()
+        blockedBy: external_exports3.array(external_exports3.string().max(MAX_ID_LENGTH)).optional(),
+        body: external_exports3.string().max(MAX_DESCRIPTION_LENGTH).optional()
       }),
       annotations: {
         readOnlyHint: false,
@@ -31642,6 +31731,14 @@ async function startBeansMcpServer(argv, _resolveRoots) {
   const { workspaceRoot, workspaceExplicit, cliPath, port, logDir } = parseCliArgs(argv);
   process.env.BEANS_VSCODE_MCP_PORT = String(port);
   process.env.BEANS_MCP_PORT = String(port);
+  try {
+    const version2 = package_default.version ?? "0.0.0-dev";
+    const workspaceLabel = workspaceExplicit ? workspaceRoot : "(auto from roots)";
+    console.error(
+      `[beans-mcp] v${version2} starting (port=${port}, workspace=${workspaceLabel}, cli=${cliPath}, logDir=${logDir})`
+    );
+  } catch {
+  }
   const mutable = new MutableBackend(new BeansCliBackend2(workspaceRoot, cliPath, logDir));
   const { server } = await createBeansMcpServer({
     workspaceRoot,
@@ -31656,6 +31753,10 @@ async function startBeansMcpServer(argv, _resolveRoots) {
     const rootPath = await resolver(server);
     if (rootPath) {
       mutable.setInner(new BeansCliBackend2(rootPath, cliPath));
+      try {
+        console.error(`[beans-mcp] workspace resolved from roots: ${rootPath}`);
+      } catch {
+      }
     }
   }
 }