@thedecipherist/mdd 1.8.2 → 1.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +3 -1
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -864,6 +864,7 @@ Every `.mdd/docs/<NN>-<feature-name>.md` file uses this YAML frontmatter:
864
864
  | `tags` | 4–8 domain-concept keywords surfaced in `.startup.md` so Claude can detect when a prompt relates to this feature (e.g. `[auth, jwt, login, sessions]`) |
865
865
  | `path` | Slash-delimited breadcrumb showing where this feature lives in the product (e.g. `Auth/Login`, `E-commerce/Cart/Checkout`). Used by dashboards and listing tools to group docs into a human-readable tree. Distinct from `depends_on` — this is for navigation, not build order. |
866
866
  | `known_issues` | Issues discovered during audits or implementation |
867
+ | `security_read_sites` | Optional. List of `file:line` entries where user-supplied file paths are read. Phase A1 cross-checks each against path-confinement calls - a listed site with no guard is a P1 finding. Leave empty or omit if the feature has no file-read attack surface. |
867
868
 
868
869
  **`depends_on` rules:**
869
870
  - Feature docs only - never list task docs (one-off, frozen, no ongoing contract)
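Review bot: the `file:line` format for `security_read_sites` goes stale on every edit to the file, so the A1 cross-check will drift to the wrong line (or flag a guard as missing) as soon as code above the site moves; consider anchoring entries on a function or symbol name instead, or state in the row that the list must be refreshed after each implementation phase. Two more gaps in the same row: it does not say which calls count as "path-confinement" (a realpath-and-prefix check, a deny-list on `..`, or both), so authors cannot tell what satisfies the guard, and only read sites are covered although a user-supplied path on a write or delete is the same traversal surface. Note also that this release touches only README.md and package.json, so the Phase A1 cross-check described here is either behaviour that already shipped in 1.8.2 or behaviour that is documented before it exists; the row should not promise a P1 finding the rule files do not yet produce.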
@@ -1011,7 +1012,7 @@ MDD creates `.mdd/settings.json` on first run. It controls which rule files load
1011
1012
 
1012
1013
  **`phaseLogging: true` (default)** - Controls whether MDD writes phase timing data via `mdd-log-phase.sh`. Set to `false` to suppress all phase log output.
1013
1014
 
1014
- **`securityScan: false` (default)** - Enables the security rule generator. See the section below.
1015
+ **`securityScan: false` (default)** - Set to `true` to enable the security rule generator. See the section below.
1015
1016
 
1016
1017
  ### Stack-Specific Rule Files
1017
1018
 
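Review bot: the rewording fixes the contradiction between "Enables" and a `false` default, but the entry still does not say what enabling it changes, whereas the neighbouring `phaseLogging` entry names the script it drives (`mdd-log-phase.sh`). Add which phase or rule files the security rule generator feeds so a reader can confirm it is active after flipping the flag.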
@@ -1022,6 +1023,7 @@ mdd-rules-typescript.md # TypeScript-specific audit criteria and build checkli
1022
1023
  mdd-rules-express.md # Express error handling, middleware, route validation rules
1023
1024
  mdd-rules-jwt.md # JWT decode safety, expiry checks, secret validation
1024
1025
  mdd-rules-prisma.md # Prisma query safety, transaction patterns, migration checks
1026
+ mdd-rules-mcp.md # MCP tool input validation and rejection test enforcement
1025
1027
  ```
1026
1028
 
1027
1029
  Rules are additive - they append criteria to the existing phase rather than replacing anything. If a rule file doesn't exist for a stack entry, MDD warns once and continues. A misconfigured or missing `settings.json` never halts a session.
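Review bot: `mdd-rules-mcp.md` is added to the list of shipped rule files, but no such file is part of this diff (only README.md and package.json changed); if it is not already present in 1.8.2, an `mcp` stack entry will hit the "warns once and continues" path below and the MCP input-validation checks will silently never run. Please confirm the file exists in the published tarball. The description "rejection test enforcement" is also opaque next to the other entries; "requires a rejection test for each tool input" or similar would read better.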
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@thedecipherist/mdd",
3
- "version": "1.8.2",
3
+ "version": "1.8.3",
4
4
  "description": "MDD — Manual-Driven Development workflow for Claude Code",
5
5
  "type": "module",
6
6
  "bin": {
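Review bot: a new frontmatter key (`security_read_sites`) and a new rule-file entry (`mdd-rules-mcp.md`) are additive features, which under semver points to 1.9.0 rather than a patch bump to 1.8.3, unless both already shipped in 1.8.2 and this release only documents them; the version bump should say which of the two it is.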