@socialneuron/mcp-server 1.6.0 → 1.6.1

package/CHANGELOG.md

@@ -2,6 +2,45 @@
 
 All notable changes to `@socialneuron/mcp-server` will be documented in this file.
 
+## [1.6.1] - 2026-03-22
+
+### Security
+- **Explicit body size limit**: `express.json({ limit: '50kb' })` prevents DoS via oversized payloads.
+- **Error message sanitization**: MCP POST catch block now uses `sanitizeError()` — no more internal paths or table names in error responses.
+- **PII removal**: Removed `email` from API key validation chain (7 files). Key validation no longer exposes user email addresses.
+- **Generation rate limiting**: Added explicit `generation` category at 20 req/min (previously fell back to `read` at 60/min).
+- **npm provenance**: Added `--provenance` flag and `id-token: write` permission to release workflow for supply chain verification.
+- **Security comment**: Documented that Edge Functions must not trust `x-internal-worker-call` header without Bearer token verification.
+
+### Fixed
+- **hono prototype pollution**: Updated transitive dependency to fix GHSA-v8w9-8mx6-g223.
+- `npm audit` now reports 0 vulnerabilities.
+
+### Added
+- 18 examples (8 REST curl, 5 TypeScript SDK, 4 CLI, 1 MCP prompts).
+- TypeScript SDK package (`packages/sdk/`) with 9 resource classes.
+- CLI tab completion and content generation commands.
+- SDK documentation and release workflow.
+
+## [1.6.0] - 2026-03-21
+
+### Added
+- **REST API layer**: Universal tool proxy at `POST /v1/tools/:name` — call any of the 52 MCP tools via standard HTTP REST. No MCP client required.
+- **OpenAPI 3.1 spec**: Auto-generated from TOOL_CATALOG at `/openapi.json` — always in sync with tools.
+- **15 convenience endpoints**: Resource-oriented routes for common operations (`/v1/credits`, `/v1/content/generate`, `/v1/posts`, etc.).
+- **Express HTTP transport**: New `dist/http.js` entry point for running as a standalone REST API server.
+- **MCP Registry metadata**: `server.json` with mcpName, endpoints, env, and auth configuration for registry discovery.
+- **Cursor Directory manifest**: Plugin manifest for Cursor IDE integration.
+
+### Fixed
+- **TS2345**: Cast Express route param to string for strict TypeScript compatibility.
+- **npm publish 404**: Removed `--provenance` flag from release workflow (incompatible with scoped packages on granular tokens).
+
+### Changed
+- Dual transport support: MCP (stdio) and HTTP (Express) from a single codebase.
+- SECURITY.md updated with v1.6.x in supported versions.
+- `docs/auth.md` domain reference corrected (`www.socialneuron.com` → `socialneuron.com`).
+
 ## [1.5.2] - 2026-03-20
 
 ### Added

package/dist/http.js

@@ -343,7 +343,6 @@ __export(supabase_exports, {
   CLOUD_SUPABASE_URL: () => CLOUD_SUPABASE_URL,
   getAuthMode: () => getAuthMode,
   getAuthenticatedApiKey: () => getAuthenticatedApiKey,
-  getAuthenticatedEmail: () => getAuthenticatedEmail,
   getAuthenticatedExpiresAt: () => getAuthenticatedExpiresAt,
   getAuthenticatedScopes: () => getAuthenticatedScopes,
   getDefaultProjectId: () => getDefaultProjectId,
@@ -431,7 +430,6 @@ async function initializeAuth() {
       _authMode = "api-key";
       authenticatedUserId = result.userId;
       authenticatedScopes = result.scopes && result.scopes.length > 0 ? result.scopes : ["mcp:read"];
-      authenticatedEmail = result.email || null;
       authenticatedExpiresAt = result.expiresAt || null;
       console.error(
         "[MCP] Authenticated via API key (prefix: " + apiKey.substring(0, 6) + "..." + apiKey.slice(-4) + ")"
@@ -487,9 +485,6 @@ function getMcpRunId() {
 function getAuthenticatedScopes() {
   return authenticatedScopes;
 }
-function getAuthenticatedEmail() {
-  return authenticatedEmail;
-}
 function getAuthenticatedExpiresAt() {
   return authenticatedExpiresAt;
 }
@@ -528,7 +523,7 @@ async function logMcpToolInvocation(args) {
   captureToolEvent(args).catch(() => {
   });
 }
-var SUPABASE_URL, SUPABASE_SERVICE_KEY, client2, _authMode, authenticatedUserId, authenticatedScopes, authenticatedEmail, authenticatedExpiresAt, authenticatedApiKey, MCP_RUN_ID, CLOUD_SUPABASE_URL, CLOUD_SUPABASE_ANON_KEY, projectIdCache;
+var SUPABASE_URL, SUPABASE_SERVICE_KEY, client2, _authMode, authenticatedUserId, authenticatedScopes, authenticatedExpiresAt, authenticatedApiKey, MCP_RUN_ID, CLOUD_SUPABASE_URL, CLOUD_SUPABASE_ANON_KEY, projectIdCache;
 var init_supabase = __esm({
   "src/lib/supabase.ts"() {
     "use strict";
@@ -540,7 +535,6 @@ var init_supabase = __esm({
     _authMode = "service-role";
     authenticatedUserId = null;
     authenticatedScopes = [];
-    authenticatedEmail = null;
     authenticatedExpiresAt = null;
     authenticatedApiKey = null;
     MCP_RUN_ID = randomUUID();
@@ -787,6 +781,8 @@ async function callEdgeFunction(functionName, body, options) {
 var CATEGORY_CONFIGS = {
   posting: { maxTokens: 30, refillRate: 30 / 60 },
   // 30 req/min
+  generation: { maxTokens: 20, refillRate: 20 / 60 },
+  // 20 req/min — AI content generation (mcp:write)
   screenshot: { maxTokens: 10, refillRate: 10 / 60 },
   // 10 req/min
   read: { maxTokens: 60, refillRate: 60 / 60 }
@@ -1363,6 +1359,18 @@ function sanitizeDbError(error) {
   }
   return "Database operation failed. Please try again.";
 }
+function sanitizeError(error) {
+  const msg = error instanceof Error ? error.message : typeof error === "string" ? error : "Unknown error";
+  if (process.env.NODE_ENV !== "production") {
+    console.error("[Error]", msg);
+  }
+  for (const [pattern, userMessage] of ERROR_PATTERNS) {
+    if (pattern.test(msg)) {
+      return userMessage;
+    }
+  }
+  return "An unexpected error occurred. Please try again.";
+}
 
 // src/tools/content.ts
 init_request_context();
@@ -9449,7 +9457,7 @@ async function verifyApiKey(apiKey, supabaseUrl, supabaseAnonKey) {
       clientId: "api-key",
       scopes: data.scopes ?? ["mcp:read"],
       expiresAt,
-      extra: { userId: data.userId, email: data.email }
+      extra: { userId: data.userId }
     };
   } catch (err) {
     clearTimeout(timer);
@@ -10521,7 +10529,7 @@ var cleanupInterval = setInterval(
 );
 var app = express();
 app.disable("x-powered-by");
-app.use(express.json());
+app.use(express.json({ limit: "50kb" }));
 app.set("trust proxy", 1);
 var ipBuckets = /* @__PURE__ */ new Map();
 var IP_RATE_MAX = 60;
@@ -10626,7 +10634,7 @@ async function authenticateRequest(req, res, next) {
     };
     next();
   } catch (err) {
-    const message = err instanceof Error ? err.message : "Token verification failed";
+    const message = sanitizeError(err);
     res.status(401).json({
       error: "invalid_token",
       error_description: message
@@ -10737,9 +10745,10 @@ app.post(
         () => transport.handleRequest(req, res, req.body)
       );
     } catch (err) {
-      const message = err instanceof Error ? err.message : "Internal server error";
-      console.error(`[MCP HTTP] POST /mcp error: ${message}`);
+      const rawMessage = err instanceof Error ? err.message : "Internal server error";
+      console.error(`[MCP HTTP] POST /mcp error: ${rawMessage}`);
       if (!res.headersSent) {
+        const message = sanitizeError(err);
         res.status(500).json({ jsonrpc: "2.0", error: { code: -32603, message } });
       }
     }

package/dist/index.js

@@ -350,7 +350,6 @@ __export(supabase_exports, {
   CLOUD_SUPABASE_URL: () => CLOUD_SUPABASE_URL,
   getAuthMode: () => getAuthMode,
   getAuthenticatedApiKey: () => getAuthenticatedApiKey,
-  getAuthenticatedEmail: () => getAuthenticatedEmail,
   getAuthenticatedExpiresAt: () => getAuthenticatedExpiresAt,
   getAuthenticatedScopes: () => getAuthenticatedScopes,
   getDefaultProjectId: () => getDefaultProjectId,
@@ -438,7 +437,6 @@ async function initializeAuth() {
       _authMode = "api-key";
       authenticatedUserId = result.userId;
       authenticatedScopes = result.scopes && result.scopes.length > 0 ? result.scopes : ["mcp:read"];
-      authenticatedEmail = result.email || null;
       authenticatedExpiresAt = result.expiresAt || null;
       console.error(
         "[MCP] Authenticated via API key (prefix: " + apiKey.substring(0, 6) + "..." + apiKey.slice(-4) + ")"
@@ -494,9 +492,6 @@ function getMcpRunId() {
 function getAuthenticatedScopes() {
   return authenticatedScopes;
 }
-function getAuthenticatedEmail() {
-  return authenticatedEmail;
-}
 function getAuthenticatedExpiresAt() {
   return authenticatedExpiresAt;
 }
@@ -535,7 +530,7 @@ async function logMcpToolInvocation(args) {
   captureToolEvent(args).catch(() => {
   });
 }
-var SUPABASE_URL, SUPABASE_SERVICE_KEY, client2, _authMode, authenticatedUserId, authenticatedScopes, authenticatedEmail, authenticatedExpiresAt, authenticatedApiKey, MCP_RUN_ID, CLOUD_SUPABASE_URL, CLOUD_SUPABASE_ANON_KEY, projectIdCache;
+var SUPABASE_URL, SUPABASE_SERVICE_KEY, client2, _authMode, authenticatedUserId, authenticatedScopes, authenticatedExpiresAt, authenticatedApiKey, MCP_RUN_ID, CLOUD_SUPABASE_URL, CLOUD_SUPABASE_ANON_KEY, projectIdCache;
 var init_supabase = __esm({
   "src/lib/supabase.ts"() {
     "use strict";
@@ -547,7 +542,6 @@ var init_supabase = __esm({
     _authMode = "service-role";
     authenticatedUserId = null;
     authenticatedScopes = [];
-    authenticatedEmail = null;
     authenticatedExpiresAt = null;
     authenticatedApiKey = null;
     MCP_RUN_ID = randomUUID();
@@ -2369,7 +2363,6 @@ async function handleInfo(args, asJson) {
       const result = await validateApiKey2(apiKey);
       if (result.valid) {
         info.auth = {
-          email: result.email || null,
           scopes: result.scopes || [],
           expiresAt: result.expiresAt || null
         };
@@ -2401,7 +2394,7 @@ async function handleInfo(args, asJson) {
     console.error("Auth: not configured");
   } else if (info.auth) {
     const auth = info.auth;
-    console.error(`Auth: ${auth.email ?? "authenticated"}`);
+    console.error("Auth: authenticated");
     console.error(`Scopes: ${auth.scopes.length > 0 ? auth.scopes.join(", ") : "none"}`);
     if (auth.expiresAt) {
       console.error(`Expires: ${auth.expiresAt}`);
@@ -3280,7 +3273,7 @@ async function runLoginPaste() {
   await saveSupabaseUrl(getDefaultSupabaseUrl2());
   console.error("");
   console.error("  API key saved securely.");
-  console.error(`  User: ${result.email || "unknown"}`);
+  console.error(`  User: ${result.userId || "unknown"}`);
   console.error(`  Scopes: ${result.scopes?.join(", ") || "mcp:full"}`);
   if (result.expiresAt) {
     const daysLeft = Math.ceil(
@@ -3429,7 +3422,6 @@ async function runWhoami(options) {
   if (asJson) {
     const payload = {
       ok: true,
-      email: result.email || null,
       userId: result.userId,
       keyPrefix: apiKey.substring(0, 12) + "...",
       scopes: result.scopes || ["mcp:full"],
@@ -3439,7 +3431,6 @@ async function runWhoami(options) {
     process.stdout.write(JSON.stringify(payload, null, 2) + "\n");
   } else {
     console.error("");
-    console.error(`  Email:    ${result.email || "(not available)"}`);
     console.error(`  User ID:  ${result.userId}`);
     console.error(`  Key:      ${apiKey.substring(0, 12)}...`);
     console.error(`  Scopes:   ${result.scopes?.join(", ") || "mcp:full"}`);
@@ -3482,7 +3473,7 @@ async function runHealthCheck(options) {
         checks.push({
           name: "Key Valid",
           ok: true,
-          detail: `User: ${result.email || result.userId}`
+          detail: `User: ${result.userId}`
         });
         checks.push({
           name: "Scopes",
@@ -3595,7 +3586,7 @@ async function runRepl() {
 Social Neuron CLI v${MCP_VERSION} \u2014 Interactive Mode
 `);
   process.stderr.write("Type a command, .help for help, or .exit to quit.\n\n");
-  let authEmail = null;
+  let authUserId = null;
   try {
     const { loadApiKey: loadApiKey2 } = await Promise.resolve().then(() => (init_credentials(), credentials_exports));
     const { validateApiKey: validateApiKey2 } = await Promise.resolve().then(() => (init_api_keys(), api_keys_exports));
@@ -3603,8 +3594,8 @@ Social Neuron CLI v${MCP_VERSION} \u2014 Interactive Mode
     if (key) {
       const result = await validateApiKey2(key);
       if (result.valid) {
-        authEmail = result.email || null;
-        process.stderr.write(`  Authenticated as: ${authEmail || "unknown"}
+        authUserId = result.userId || null;
+        process.stderr.write(`  Authenticated (user: ${authUserId || "unknown"})
 
 `);
       }
@@ -3638,7 +3629,7 @@ Social Neuron CLI v${MCP_VERSION} \u2014 Interactive Mode
     ".exit",
     ".clear"
   ];
-  const promptStr = authEmail ? `sn[${authEmail.split("@")[0]}]> ` : "sn> ";
+  const promptStr = authUserId ? `sn[${authUserId.substring(0, 8)}]> ` : "sn> ";
   const rl = createInterface2({
     input: process.stdin,
     output: process.stderr,
@@ -3829,6 +3820,8 @@ import { z } from "zod";
 var CATEGORY_CONFIGS = {
   posting: { maxTokens: 30, refillRate: 30 / 60 },
   // 30 req/min
+  generation: { maxTokens: 20, refillRate: 20 / 60 },
+  // 20 req/min — AI content generation (mcp:write)
   screenshot: { maxTokens: 10, refillRate: 10 / 60 },
   // 10 req/min
   read: { maxTokens: 60, refillRate: 60 / 60 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socialneuron/mcp-server",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "description": "MCP server for Social Neuron - AI content creation platform",
   "type": "module",
   "main": "dist/index.js",