@skillsmith/mcp-server 0.1.0

package/dist/tests/webhooks/proxy-trust.security.test.js

@@ -0,0 +1,145 @@
+/**
+ * SMI-682: Security tests for X-Forwarded-For proxy trust validation
+ *
+ * These tests verify that the server only trusts X-Forwarded-For headers
+ * when explicitly configured and from trusted proxy sources.
+ */
+import { describe, it, expect } from 'vitest';
+// Import the getClientIp function directly from TypeScript source
+import { getClientIp } from '../../src/webhooks/webhook-endpoint.js';
+describe('X-Forwarded-For Proxy Trust (SMI-682)', () => {
+    function createMockRequest(headers, remoteAddress = '10.0.0.1') {
+        const socket = {
+            remoteAddress,
+        };
+        const req = {
+            headers,
+            socket,
+        };
+        return req;
+    }
+    describe('when trustProxy is false (default)', () => {
+        it('should ignore X-Forwarded-For header and use socket address', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: false,
+            };
+            const req = createMockRequest({ 'x-forwarded-for': '203.0.113.50' }, '10.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('10.0.0.1');
+        });
+        it('should use socket address when no X-Forwarded-For present', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: false,
+            };
+            const req = createMockRequest({}, '192.168.1.100');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('192.168.1.100');
+        });
+    });
+    describe('when trustProxy is true', () => {
+        it('should use X-Forwarded-For header value', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+            };
+            const req = createMockRequest({ 'x-forwarded-for': '203.0.113.50' }, '10.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('203.0.113.50');
+        });
+        it('should use first IP from comma-separated X-Forwarded-For', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+            };
+            const req = createMockRequest({ 'x-forwarded-for': '203.0.113.50, 10.0.0.1, 192.168.1.1' }, '127.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('203.0.113.50');
+        });
+        it('should fallback to socket address when no X-Forwarded-For', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+            };
+            const req = createMockRequest({}, '10.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('10.0.0.1');
+        });
+    });
+    describe('when trustedProxies is configured', () => {
+        it('should trust X-Forwarded-For only from trusted proxy IPs', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+                trustedProxies: ['10.0.0.1', '10.0.0.2'],
+            };
+            // Request comes from trusted proxy
+            const req = createMockRequest({ 'x-forwarded-for': '203.0.113.50' }, '10.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('203.0.113.50');
+        });
+        it('should NOT trust X-Forwarded-For from untrusted proxy IPs', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+                trustedProxies: ['10.0.0.1', '10.0.0.2'],
+            };
+            // Request comes from untrusted IP (potential attacker)
+            const req = createMockRequest({ 'x-forwarded-for': '203.0.113.50' }, '192.168.1.100' // Not in trusted list
+            );
+            const ip = getClientIp(req, config);
+            // Should use socket address, not spoofed header
+            expect(ip).toBe('192.168.1.100');
+        });
+        it('should prevent IP spoofing attacks from untrusted sources', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+                trustedProxies: ['10.0.0.1'],
+            };
+            // Attacker tries to spoof IP by setting X-Forwarded-For
+            const req = createMockRequest({ 'x-forwarded-for': '1.2.3.4' }, // Spoofed IP
+            '192.168.1.100' // Attacker's real IP (not trusted)
+            );
+            const ip = getClientIp(req, config);
+            // Attack should fail - use real socket address
+            expect(ip).toBe('192.168.1.100');
+            expect(ip).not.toBe('1.2.3.4');
+        });
+    });
+    describe('edge cases', () => {
+        it('should return "unknown" when socket has no remoteAddress', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: false,
+            };
+            const socket = {}; // No remoteAddress
+            const req = {
+                headers: {},
+                socket,
+            };
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('unknown');
+        });
+        it('should handle array X-Forwarded-For header', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+            };
+            const req = createMockRequest({ 'x-forwarded-for': ['203.0.113.50', '10.0.0.1'] }, '127.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('203.0.113.50');
+        });
+        it('should trim whitespace from X-Forwarded-For values', () => {
+            const config = {
+                secret: 'test-secret',
+                trustProxy: true,
+            };
+            const req = createMockRequest({ 'x-forwarded-for': '  203.0.113.50  , 10.0.0.1  ' }, '127.0.0.1');
+            const ip = getClientIp(req, config);
+            expect(ip).toBe('203.0.113.50');
+        });
+    });
+});
+//# sourceMappingURL=proxy-trust.security.test.js.map

package/dist/tests/webhooks/proxy-trust.security.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-trust.security.test.js","sourceRoot":"","sources":["../../../tests/webhooks/proxy-trust.security.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAM,MAAM,QAAQ,CAAA;AAIjD,kEAAkE;AAClE,OAAO,EAAE,WAAW,EAA4B,MAAM,wCAAwC,CAAA;AAE9F,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACrD,SAAS,iBAAiB,CACxB,OAAsD,EACtD,gBAAwB,UAAU;QAElC,MAAM,MAAM,GAAG;YACb,aAAa;SACJ,CAAA;QAEX,MAAM,GAAG,GAAG;YACV,OAAO;YACP,MAAM;SACY,CAAA;QAEpB,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAClD,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;YACrE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,KAAK;aAClB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,iBAAiB,EAAE,cAAc,EAAE,EAAE,UAAU,CAAC,CAAA;YAEhF,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,KAAK;aAClB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,EAAE,eAAe,CAAC,CAAA;YAElD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,iBAAiB,EAAE,cAAc,EAAE,EAAE,UAAU,CAAC,CAAA;YAEhF,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACjC,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAC3B,EAAE,iBAAiB,EAAE,qCAAqC,EAAE,EAC5D,WAAW,CACZ,CAAA;YAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACjC,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,EAAE,UAAU,CAAC,CAAA;YAE7C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;QACjD,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;gBAChB,cAAc,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;aACzC,CAAA;YAED,mCAAmC;YACnC,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,iBAAiB,EAAE,cAAc,EAAE,EAAE,UAAU,CAAC,CAAA;YAEhF,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACjC,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;gBAChB,cAAc,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;aACzC,CAAA;YAED,uDAAuD;YACvD,MAAM,GAAG,GAAG,iBAAiB,CAC3B,EAAE,iBAAiB,EAAE,cAAc,EAAE,EACrC,eAAe,CAAC,sBAAsB;aACvC,CAAA;YAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,gDAAgD;YAChD,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;gBAChB,cAAc,EAAE,CAAC,UAAU,CAAC;aAC7B,CAAA;YAED,wDAAwD;YACxD,MAAM,GAAG,GAAG,iBAAiB,CAC3B,EAAE,iBAAiB,EAAE,SAAS,EAAE,EAAE,aAAa;YAC/C,eAAe,CAAC,mCAAmC;aACpD,CAAA;YAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,+CAA+C;YAC/C,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAChC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAChC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,KAAK;aAClB,CAAA;YAED,MAAM,MAAM,GAAG,EAAY,CAAA,CAAC,mBAAmB;YAC/C,MAAM,GAAG,GAAG;gBACV,OAAO,EAAE,EAAE;gBACX,MAAM;aACY,CAAA;YAEpB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAC5B,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAC3B,EAAE,iBAAiB,EAAE,CAAC,cAAc,EAAE,UAAU,CAAsB,EAAE,EACxE,WAAW,CACZ,CAAA;YAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACjC,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,MAAM,GAAwB;gBAClC,MAAM,EAAE,aAAa;gBACrB,UAAU,EAAE,IAAI;aACjB,CAAA;YAED,MAAM,GAAG,GAAG,iBAAiB,CAC3B,EAAE,iBAAiB,EAAE,8BAA8B,EAAE,EACrD,WAAW,CACZ,CAAA;YAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAEnC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACjC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/tests/webhooks/rate-limiter.security.test.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SMI-681: Security tests for Rate Limiter memory leak prevention
+ *
+ * These tests verify that the rate limiter properly cleans up
+ * old entries to prevent memory leaks from storing stale IP data.
+ */
+export {};
+//# sourceMappingURL=rate-limiter.security.test.d.ts.map

package/dist/tests/webhooks/rate-limiter.security.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.security.test.d.ts","sourceRoot":"","sources":["../../../tests/webhooks/rate-limiter.security.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/tests/webhooks/rate-limiter.security.test.js

@@ -0,0 +1,122 @@
+/**
+ * SMI-681: Security tests for Rate Limiter memory leak prevention
+ *
+ * These tests verify that the rate limiter properly cleans up
+ * old entries to prevent memory leaks from storing stale IP data.
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+// Import rate limiter functions directly from the TypeScript source
+import { createRateLimiter, isRateLimited, destroyRateLimiter, } from '../../src/webhooks/webhook-endpoint.js';
+describe('Rate Limiter Memory Leak Prevention (SMI-681)', () => {
+    beforeEach(() => {
+        vi.useFakeTimers();
+    });
+    afterEach(() => {
+        vi.useRealTimers();
+    });
+    describe('createRateLimiter', () => {
+        it('should create a rate limiter with cleanup timer', () => {
+            const limiter = createRateLimiter(100, 60000);
+            expect(limiter.requests).toBeInstanceOf(Map);
+            expect(limiter.limit).toBe(100);
+            expect(limiter.window).toBe(60000);
+            expect(limiter.cleanupTimer).toBeDefined();
+            destroyRateLimiter(limiter);
+        });
+    });
+    describe('periodic cleanup', () => {
+        it('should clean up old IPs after window period expires', () => {
+            const windowMs = 60000; // 1 minute
+            const limiter = createRateLimiter(100, windowMs);
+            // Add some requests from different IPs
+            isRateLimited(limiter, '192.168.1.1');
+            isRateLimited(limiter, '192.168.1.2');
+            isRateLimited(limiter, '192.168.1.3');
+            expect(limiter.requests.size).toBe(3);
+            // Advance time past the window
+            vi.advanceTimersByTime(windowMs + 1);
+            // After cleanup runs, old entries should be removed
+            expect(limiter.requests.size).toBe(0);
+            destroyRateLimiter(limiter);
+        });
+        it('should NOT clean up IPs with recent activity', () => {
+            const windowMs = 60000;
+            const limiter = createRateLimiter(100, windowMs);
+            // Add initial request
+            isRateLimited(limiter, '192.168.1.1');
+            // Advance time but not past window
+            vi.advanceTimersByTime(windowMs / 2);
+            // Add another request from same IP (keeps it active)
+            isRateLimited(limiter, '192.168.1.1');
+            // Add request from new IP
+            isRateLimited(limiter, '192.168.1.2');
+            // Advance to trigger cleanup
+            vi.advanceTimersByTime(windowMs + 1);
+            // Old IP without recent activity should be cleaned
+            // IPs with activity within window should remain
+            // Note: Due to timing, both might have recent entries
+            expect(limiter.requests.has('192.168.1.2')).toBe(true);
+            destroyRateLimiter(limiter);
+        });
+        it('should continuously clean up over multiple windows', () => {
+            const windowMs = 60000;
+            const limiter = createRateLimiter(100, windowMs);
+            // First wave of IPs
+            for (let i = 0; i < 100; i++) {
+                isRateLimited(limiter, `192.168.1.${i}`);
+            }
+            expect(limiter.requests.size).toBe(100);
+            // Advance past window, cleanup should run
+            vi.advanceTimersByTime(windowMs + 1);
+            expect(limiter.requests.size).toBe(0);
+            // Second wave of IPs
+            for (let i = 0; i < 50; i++) {
+                isRateLimited(limiter, `10.0.0.${i}`);
+            }
+            expect(limiter.requests.size).toBe(50);
+            // Advance past TWO windows to ensure cleanup runs after entries expire
+            // (cleanup runs at intervals, so first run may still see entries in window)
+            vi.advanceTimersByTime(windowMs * 2);
+            expect(limiter.requests.size).toBe(0);
+            destroyRateLimiter(limiter);
+        });
+    });
+    describe('destroyRateLimiter', () => {
+        it('should clear all state and stop cleanup timer', () => {
+            const limiter = createRateLimiter(100, 60000);
+            // Add some data
+            isRateLimited(limiter, '192.168.1.1');
+            isRateLimited(limiter, '192.168.1.2');
+            expect(limiter.requests.size).toBe(2);
+            // Destroy the limiter
+            destroyRateLimiter(limiter);
+            // All state should be cleared
+            expect(limiter.requests.size).toBe(0);
+            expect(limiter.cleanupTimer).toBeUndefined();
+        });
+        it('should be safe to call multiple times', () => {
+            const limiter = createRateLimiter(100, 60000);
+            destroyRateLimiter(limiter);
+            destroyRateLimiter(limiter); // Should not throw
+            expect(limiter.requests.size).toBe(0);
+        });
+    });
+    describe('memory growth prevention', () => {
+        it('should not grow memory unboundedly with many unique IPs', () => {
+            const windowMs = 1000; // 1 second for faster testing
+            const limiter = createRateLimiter(100, windowMs);
+            // Simulate many unique IPs over time
+            for (let batch = 0; batch < 10; batch++) {
+                for (let i = 0; i < 100; i++) {
+                    isRateLimited(limiter, `${batch}.${i}.0.1`);
+                }
+                // Advance time past window to trigger cleanup
+                vi.advanceTimersByTime(windowMs + 100);
+            }
+            // After all cleanups, map should be empty (no recent activity)
+            expect(limiter.requests.size).toBeLessThanOrEqual(100);
+            destroyRateLimiter(limiter);
+        });
+    });
+});
+//# sourceMappingURL=rate-limiter.security.test.js.map

package/dist/tests/webhooks/rate-limiter.security.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.security.test.js","sourceRoot":"","sources":["../../../tests/webhooks/rate-limiter.security.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAExE,oEAAoE;AACpE,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,kBAAkB,GAEnB,MAAM,wCAAwC,CAAA;AAE/C,QAAQ,CAAC,+CAA+C,EAAE,GAAG,EAAE;IAC7D,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAA;IACpB,CAAC,CAAC,CAAA;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,aAAa,EAAE,CAAA;IACpB,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAE7C,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAA;YAC5C,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC/B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAClC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAA;YAE1C,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,MAAM,QAAQ,GAAG,KAAK,CAAA,CAAC,WAAW;YAClC,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YAEhD,uCAAuC;YACvC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YACrC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YACrC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YAErC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YAErC,+BAA+B;YAC/B,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;YAEpC,oDAAoD;YACpD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YAErC,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,QAAQ,GAAG,KAAK,CAAA;YACtB,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YAEhD,sBAAsB;YACtB,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YAErC,mCAAmC;YACnC,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;YAEpC,qDAAqD;YACrD,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YAErC,0BAA0B;YAC1B,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YAErC,6BAA6B;YAC7B,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;YAEpC,mDAAmD;YACnD,gDAAgD;YAChD,sDAAsD;YACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAEtD,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,QAAQ,GAAG,KAAK,CAAA;YACtB,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YAEhD,oBAAoB;YACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC7B,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,CAAC,CAAA;YAC1C,CAAC;YACD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAEvC,0CAA0C;YAC1C,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;YACpC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YAErC,qBAAqB;YACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC,CAAA;YACvC,CAAC;YACD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;YAEtC,uEAAuE;YACvE,4EAA4E;YAC5E,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAA;YACpC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YAErC,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAE7C,gBAAgB;YAChB,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YACrC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;YAErC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YAErC,sBAAsB;YACtB,kBAAkB,CAAC,OAAO,CAAC,CAAA;YAE3B,8BAA8B;YAC9B,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACrC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,aAAa,EAAE,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEF,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAE7C,kBAAkB,CAAC,OAAO,CAAC,CAAA;YAC3B,kBAAkB,CAAC,OAAO,CAAC,CAAA,CAAC,mBAAmB;YAE/C,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAA,CAAC,8BAA8B;YACpD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YAEhD,qCAAqC;YACrC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;gBACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC7B,aAAa,CAAC,OAAO,EAAE,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,CAAA;gBAC7C,CAAC;gBAED,8CAA8C;gBAC9C,EAAE,CAAC,mBAAmB,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAA;YACxC,CAAC;YAED,+DAA+D;YAC/D,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAA;YAEtD,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/vitest.config.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Vitest Configuration for Unit Tests
+ */
+declare const _default: import("vite").UserConfig;
+export default _default;
+//# sourceMappingURL=vitest.config.d.ts.map

package/dist/vitest.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vitest.config.d.ts","sourceRoot":"","sources":["../vitest.config.ts"],"names":[],"mappings":"AAAA;;GAEG;;AAIH,wBAOE"}

package/dist/vitest.config.js

@@ -0,0 +1,13 @@
+/**
+ * Vitest Configuration for Unit Tests
+ */
+import { defineConfig } from 'vitest/config';
+export default defineConfig({
+    test: {
+        globals: true,
+        environment: 'node',
+        include: ['tests/**/*.test.ts'],
+        exclude: ['tests/integration/**/*.integration.test.ts'],
+    },
+});
+//# sourceMappingURL=vitest.config.js.map

package/dist/vitest.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vitest.config.js","sourceRoot":"","sources":["../vitest.config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAE5C,eAAe,YAAY,CAAC;IAC1B,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM;QACnB,OAAO,EAAE,CAAC,oBAAoB,CAAC;QAC/B,OAAO,EAAE,CAAC,4CAA4C,CAAC;KACxD;CACF,CAAC,CAAA"}

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@skillsmith/mcp-server",
+  "version": "0.1.0",
+  "description": "MCP server for Skillsmith skill discovery",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "skillsmith-mcp": "./dist/index.js"
+  },
+  "scripts": {
+    "prepublishOnly": "npm run build && npm run test",
+    "build": "tsc",
+    "dev": "tsx watch src/index.ts",
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --config vitest.config.integration.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "@skillsmith/core": "*",
+    "esbuild": "0.27.2"
+  },
+  "devDependencies": {
+    "tsx": "^4.6.0",
+    "vitest": "4.0.16",
+    "zod": "^3.25.0"
+  },
+  "peerDependencies": {
+    "@skillsmith/enterprise": "*"
+  },
+  "peerDependenciesMeta": {
+    "@skillsmith/enterprise": {
+      "optional": true
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/smith-horn-group/skillsmith.git",
+    "directory": "packages/mcp-server"
+  },
+  "homepage": "https://github.com/smith-horn-group/skillsmith#readme",
+  "bugs": {
+    "url": "https://github.com/smith-horn-group/skillsmith/issues"
+  },
+  "keywords": [
+    "claude",
+    "ai",
+    "skills",
+    "mcp",
+    "llm",
+    "anthropic",
+    "model-context-protocol"
+  ],
+  "engines": {
+    "node": ">=22.0.0"
+  }
+}