@socialneuron/mcp-server 1.6.0 → 1.7.0
- package/CHANGELOG.md +39 -0
- package/dist/http.js +2558 -160
- package/dist/index.js +2851 -175
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,45 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to `@socialneuron/mcp-server` will be documented in this file.
|
|
4
4
|
|
|
5
|
+
## [1.6.1] - 2026-03-22
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
- **Explicit body size limit**: `express.json({ limit: '50kb' })` prevents DoS via oversized payloads.
|
|
9
|
+
- **Error message sanitization**: MCP POST catch block now uses `sanitizeError()` — no more internal paths or table names in error responses.
|
|
10
|
+
- **PII removal**: Removed `email` from API key validation chain (7 files). Key validation no longer exposes user email addresses.
|
|
11
|
+
- **Generation rate limiting**: Added explicit `generation` category at 20 req/min (previously fell back to `read` at 60/min).
|
|
12
|
+
- **npm provenance**: Added `--provenance` flag and `id-token: write` permission to release workflow for supply chain verification.
|
|
13
|
+
- **Security comment**: Documented that Edge Functions must not trust `x-internal-worker-call` header without Bearer token verification.
|
|
14
|
+
|
|
15
|
+
### Fixed
|
|
16
|
+
- **hono prototype pollution**: Updated transitive dependency to fix GHSA-v8w9-8mx6-g223.
|
|
17
|
+
- `npm audit` now reports 0 vulnerabilities.
|
|
18
|
+
|
|
19
|
+
### Added
|
|
20
|
+
- 18 examples (8 REST curl, 5 TypeScript SDK, 4 CLI, 1 MCP prompts).
|
|
21
|
+
- TypeScript SDK package (`packages/sdk/`) with 9 resource classes.
|
|
22
|
+
- CLI tab completion and content generation commands.
|
|
23
|
+
- SDK documentation and release workflow.
|
|
24
|
+
|
|
25
|
+
## [1.6.0] - 2026-03-21
|
|
26
|
+
|
|
27
|
+
### Added
|
|
28
|
+
- **REST API layer**: Universal tool proxy at `POST /v1/tools/:name` — call any of the 52 MCP tools via standard HTTP REST. No MCP client required.
|
|
29
|
+
- **OpenAPI 3.1 spec**: Auto-generated from TOOL_CATALOG at `/openapi.json` — always in sync with tools.
|
|
30
|
+
- **15 convenience endpoints**: Resource-oriented routes for common operations (`/v1/credits`, `/v1/content/generate`, `/v1/posts`, etc.).
|
|
31
|
+
- **Express HTTP transport**: New `dist/http.js` entry point for running as a standalone REST API server.
|
|
32
|
+
- **MCP Registry metadata**: `server.json` with mcpName, endpoints, env, and auth configuration for registry discovery.
|
|
33
|
+
- **Cursor Directory manifest**: Plugin manifest for Cursor IDE integration.
|
|
34
|
+
|
|
35
|
+
### Fixed
|
|
36
|
+
- **TS2345**: Cast Express route param to string for strict TypeScript compatibility.
|
|
37
|
+
- **npm publish 404**: Removed `--provenance` flag from release workflow (incompatible with scoped packages on granular tokens).
|
|
38
|
+
|
|
39
|
+
### Changed
|
|
40
|
+
- Dual transport support: MCP (stdio) and HTTP (Express) from a single codebase.
|
|
41
|
+
- SECURITY.md updated with v1.6.x in supported versions.
|
|
42
|
+
- `docs/auth.md` domain reference corrected (`www.socialneuron.com` → `socialneuron.com`).
|
|
43
|
+
|
|
5
44
|
## [1.5.2] - 2026-03-20
|
|
6
45
|
|
|
7
46
|
### Added
|
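Review bot: The changelog shipped with 1.7.0 has no `## [1.7.0]` section. The newest heading this hunk adds, directly under the intro line, is `## [1.6.1] - 2026-03-22`, yet the same release changes package/dist/http.js by +2558 -160 and package/dist/index.js by +2851 -175, so a reader cannot tell which of those changes belong to 1.7.0 or whether any are security-relevant. Add a 1.7.0 entry that covers them. Two smaller points in the added lines: the 1.6.1 Security item adds `--provenance` with `id-token: write`, while the 1.6.0 Fixed item says the flag was removed as incompatible with scoped packages on granular tokens, so the 1.6.1 entry should say what changed in the release workflow to make provenance publishing work. The `x-internal-worker-call` item sits under Security but describes only a documented comment; it should state whether the Bearer token check is enforced in code or left to whoever writes the Edge Function.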