@vibecodetown/mcp-server 2.1.0

package/build/local-mode/work-order.js

@@ -0,0 +1,41 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { CurrentWorkOrderFileSchema } from "../generated/current_work_order_file.js";
+export function readCurrentWorkOrder(filePath) {
+    if (!fs.existsSync(filePath))
+        return null;
+    const raw = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    return CurrentWorkOrderFileSchema.parse(raw);
+}
+export function createWorkOrderTemplate(topic) {
+    const now = new Date();
+    const ymd = now.toISOString().slice(0, 10).replace(/-/g, "");
+    const suffix = String(now.getTime() % 1000).padStart(3, "0");
+    return CurrentWorkOrderFileSchema.parse({
+        run_id: `wo-${ymd}-${suffix}`,
+        created_at: now.toISOString(),
+        topic: topic && topic.trim().length > 0 ? topic.trim() : "Work order created locally",
+        scope: {
+            include: ["src/**", "lib/**", "tests/**", "docs/**"],
+            exclude: [],
+        },
+        do_not_touch: ["config/**", ".env*", "secrets/**", "*.pem", "*.key"],
+        verify_criteria: [],
+    });
+}
+export function writeCurrentWorkOrder(filePath, workOrder, opts) {
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    if (fs.existsSync(filePath) && !opts?.overwrite) {
+        throw new Error(`Work order already exists: ${filePath} (use --force to overwrite)`);
+    }
+    fs.writeFileSync(filePath, JSON.stringify(workOrder, null, 2) + "\n", "utf-8");
+}
+export function archiveCurrentWorkOrder(workOrderFile, archiveDir) {
+    const wo = readCurrentWorkOrder(workOrderFile);
+    if (!wo)
+        return null;
+    fs.mkdirSync(archiveDir, { recursive: true });
+    const archivedPath = path.join(archiveDir, `${wo.run_id}.json`);
+    fs.renameSync(workOrderFile, archivedPath);
+    return { archivedPath };
+}

package/build/resources/index.js

@@ -0,0 +1,246 @@
+// adapters/mcp-ts/src/resources/index.ts
+// Resource templates for vibe:// URI scheme
+import { z } from "zod";
+import { existsSync, readFileSync, readdirSync } from "fs";
+import { join, resolve } from "path";
+// ============================================================
+// Resource URI Templates
+// ============================================================
+/**
+ * vibe://project/{runId} - Project state resource
+ * vibe://project/{runId}/intent - Intent document resource
+ * vibe://project/{runId}/bridge - Verification bridge resource
+ * vibe://project/{runId}/decisions - Decisions history resource
+ */
+// ============================================================
+// Path Resolution Utilities
+// ============================================================
+function getRunsDir() {
+    // Default to current working directory's runs folder
+    return resolve(process.cwd(), "runs");
+}
+function getRunPath(runId) {
+    return join(getRunsDir(), runId);
+}
+function readJsonFile(filePath) {
+    if (!existsSync(filePath)) {
+        return null;
+    }
+    const content = readFileSync(filePath, "utf-8");
+    return JSON.parse(content);
+}
+function readYamlOrJson(basePath, filename) {
+    const jsonPath = join(basePath, `${filename}.json`);
+    const yamlPath = join(basePath, `${filename}.yaml`);
+    if (existsSync(jsonPath)) {
+        return readJsonFile(jsonPath);
+    }
+    if (existsSync(yamlPath)) {
+        const content = readFileSync(yamlPath, "utf-8");
+        // Simple YAML parsing for our use case (key: value format)
+        // For complex YAML, would need yaml library
+        return { raw: content, format: "yaml" };
+    }
+    return null;
+}
+// ============================================================
+// Resource Content Schemas
+// ============================================================
+const projectStateSchema = z.object({
+    run_id: z.string(),
+    project_id: z.string(),
+    phase: z.string(),
+    mode: z.string(),
+    created_at: z.string(),
+    decisions_made: z.number(),
+    decisions_pending: z.number(),
+    last_review_status: z.enum(["GO", "FIX", "BLOCK"]).optional()
+});
+const intentDocumentSchema = z.object({
+    version: z.string(),
+    headline: z.string(),
+    scope: z.object({
+        include: z.array(z.string()),
+        exclude: z.array(z.string())
+    }),
+    verify_criteria: z.array(z.string()),
+    decisions: z.array(z.object({
+        decision_id: z.string(),
+        title: z.string(),
+        chosen: z.string()
+    }))
+});
+const bridgeSchema = z.object({
+    version: z.string().optional(),
+    intent: z.object({
+        headline: z.string(),
+        scope: z.object({
+            include: z.array(z.string()),
+            exclude: z.array(z.string())
+        }).optional()
+    }).optional(),
+    verify: z.object({
+        criteria: z.array(z.string()),
+        commands: z.array(z.string()).optional()
+    }).optional()
+});
+async function handleProjectState(runId) {
+    const runPath = getRunPath(runId);
+    const statePath = join(runPath, "state.json");
+    const state = readJsonFile(statePath);
+    if (!state) {
+        return {
+            contents: [{
+                    uri: `vibe://project/${runId}`,
+                    mimeType: "application/json",
+                    text: JSON.stringify({
+                        error: "NOT_FOUND",
+                        message: `Run "${runId}" not found`,
+                        run_id: runId
+                    }, null, 2)
+                }]
+        };
+    }
+    return {
+        contents: [{
+                uri: `vibe://project/${runId}`,
+                mimeType: "application/json",
+                text: JSON.stringify(state, null, 2)
+            }]
+    };
+}
+async function handleProjectIntent(runId) {
+    const runPath = getRunPath(runId);
+    const intentDir = join(runPath, "intent");
+    // Try to find intent document
+    const intent = readYamlOrJson(intentDir, "intent") ||
+        readYamlOrJson(runPath, "intent");
+    if (!intent) {
+        return {
+            contents: [{
+                    uri: `vibe://project/${runId}/intent`,
+                    mimeType: "application/json",
+                    text: JSON.stringify({
+                        error: "NOT_FOUND",
+                        message: `Intent document not found for run "${runId}"`,
+                        run_id: runId
+                    }, null, 2)
+                }]
+        };
+    }
+    return {
+        contents: [{
+                uri: `vibe://project/${runId}/intent`,
+                mimeType: "application/json",
+                text: JSON.stringify(intent, null, 2)
+            }]
+    };
+}
+async function handleProjectBridge(runId) {
+    const runPath = getRunPath(runId);
+    const handoffDir = join(runPath, "handoff");
+    const bridge = readYamlOrJson(handoffDir, "clinic_bridge") ||
+        readYamlOrJson(runPath, "clinic_bridge");
+    if (!bridge) {
+        return {
+            contents: [{
+                    uri: `vibe://project/${runId}/bridge`,
+                    mimeType: "application/json",
+                    text: JSON.stringify({
+                        error: "NOT_FOUND",
+                        message: `Bridge file not found for run "${runId}"`,
+                        run_id: runId,
+                        hint: "Run vibe_pm.create_work_order to generate bridge file"
+                    }, null, 2)
+                }]
+        };
+    }
+    return {
+        contents: [{
+                uri: `vibe://project/${runId}/bridge`,
+                mimeType: "application/json",
+                text: JSON.stringify(bridge, null, 2)
+            }]
+    };
+}
+async function handleProjectDecisions(runId) {
+    const runPath = getRunPath(runId);
+    const decisionsPath = join(runPath, "decisions.json");
+    const decisions = readJsonFile(decisionsPath);
+    if (!decisions) {
+        return {
+            contents: [{
+                    uri: `vibe://project/${runId}/decisions`,
+                    mimeType: "application/json",
+                    text: JSON.stringify({
+                        error: "NOT_FOUND",
+                        message: `Decisions not found for run "${runId}"`,
+                        run_id: runId,
+                        decisions: []
+                    }, null, 2)
+                }]
+        };
+    }
+    return {
+        contents: [{
+                uri: `vibe://project/${runId}/decisions`,
+                mimeType: "application/json",
+                text: JSON.stringify(decisions, null, 2)
+            }]
+    };
+}
+// ============================================================
+// Resource Registration
+// ============================================================
+/**
+ * Register all vibe:// resource templates
+ */
+export function registerVibeResources(server) {
+    // List available runs as resources
+    server.resource("vibe-projects", "vibe://projects", { mimeType: "application/json", description: "List all available Vibe PM runs" }, async () => {
+        const runsDir = getRunsDir();
+        let runs = [];
+        if (existsSync(runsDir)) {
+            runs = readdirSync(runsDir, { withFileTypes: true })
+                .filter(d => d.isDirectory())
+                .map(d => d.name)
+                .sort()
+                .reverse(); // Latest first
+        }
+        return {
+            contents: [{
+                    uri: "vibe://projects",
+                    mimeType: "application/json",
+                    text: JSON.stringify({
+                        runs_dir: runsDir,
+                        runs: runs.map(runId => ({
+                            run_id: runId,
+                            uri: `vibe://project/${runId}`,
+                            intent_uri: `vibe://project/${runId}/intent`,
+                            bridge_uri: `vibe://project/${runId}/bridge`
+                        }))
+                    }, null, 2)
+                }]
+        };
+    });
+}
+/**
+ * Register dynamic resources based on available runs
+ *
+ * Note: MCP SDK doesn't support resource templates directly.
+ * Resources are registered dynamically for each run found.
+ * Call this after runs are created to register new resources.
+ */
+export function registerVibeResourceTemplates(_server) {
+    // Resource templates are not supported in the current MCP SDK version.
+    // Dynamic resources should be registered using the resource() method
+    // when runs are discovered. This is a placeholder for future SDK support.
+    //
+    // To access run-specific resources, use:
+    // - vibe://projects to list all runs
+    // - Tools like vibe_pm.status to get run details
+}
+// ============================================================
+// Export
+// ============================================================
+export { projectStateSchema, intentDocumentSchema, bridgeSchema, getRunsDir, getRunPath };

package/build/security/input-validator.js

@@ -0,0 +1,119 @@
+// adapters/mcp-ts/src/security/input-validator.ts
+// Input validation for tool inputs
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Input size limits for various fields
+ */
+export const INPUT_LIMITS = {
+    projectBrief: 50_000,
+    additionalInstructions: 10_000,
+    targetPathsCount: 100,
+    singlePathLength: 500,
+    customInput: 5_000,
+    decisionNote: 2_000,
+    runIdLength: 128,
+    projectIdLength: 128,
+};
+/**
+ * Security-related error class
+ */
+export class SecurityError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "SecurityError";
+    }
+}
+/**
+ * Validate string length against limits
+ *
+ * @throws McpError if validation fails
+ */
+export function validateStringLength(value, field, fieldName) {
+    if (value === undefined)
+        return;
+    const limit = INPUT_LIMITS[field];
+    if (value.length > limit) {
+        throw inputTooLargeError(fieldName, limit, value.length);
+    }
+}
+/**
+ * Validate array size
+ *
+ * @throws McpError if validation fails
+ */
+export function validateArraySize(arr, maxSize, fieldName) {
+    if (arr === undefined)
+        return;
+    if (arr.length > maxSize) {
+        throw inputTooLargeError(fieldName, maxSize, arr.length);
+    }
+}
+/**
+ * Validate each string in an array for length
+ */
+export function validateStringArray(arr, maxLength, fieldName) {
+    if (arr === undefined)
+        return;
+    for (let i = 0; i < arr.length; i++) {
+        if (arr[i].length > maxLength) {
+            throw inputTooLargeError(`${fieldName}[${i}]`, maxLength, arr[i].length);
+        }
+    }
+}
+/**
+ * Validate common tool input fields
+ *
+ * @throws McpError if any validation fails
+ */
+export function validateToolInput(input) {
+    // Validate string fields
+    validateStringLength(input.project_brief, "projectBrief", "project_brief");
+    validateStringLength(input.additional_instructions, "additionalInstructions", "additional_instructions");
+    validateStringLength(input.note, "decisionNote", "note");
+    validateStringLength(input.run_id, "runIdLength", "run_id");
+    validateStringLength(input.project_id, "projectIdLength", "project_id");
+    validateStringLength(input.custom_input, "customInput", "custom_input");
+    // Validate target_paths array
+    if (input.target_paths) {
+        validateArraySize(input.target_paths, INPUT_LIMITS.targetPathsCount, "target_paths");
+        validateStringArray(input.target_paths, INPUT_LIMITS.singlePathLength, "target_paths");
+    }
+}
+/**
+ * Validate briefing-specific input
+ */
+export function validateBriefingInput(input) {
+    validateStringLength(input.project_brief, "projectBrief", "project_brief");
+    validateStringLength(input.project_id, "projectIdLength", "project_id");
+    // project_brief is required and must not be empty
+    if (!input.project_brief || input.project_brief.trim().length === 0) {
+        throw new McpError(ErrorCode.InvalidParams, "[VALIDATION] project_brief is required and must not be empty");
+    }
+}
+/**
+ * Validate inspect_code-specific input
+ */
+export function validateInspectCodeInput(input) {
+    if (input.target_paths) {
+        validateArraySize(input.target_paths, INPUT_LIMITS.targetPathsCount, "target_paths");
+        validateStringArray(input.target_paths, INPUT_LIMITS.singlePathLength, "target_paths");
+    }
+    if (input.bridge_path) {
+        validateStringLength(input.bridge_path, "singlePathLength", "bridge_path");
+    }
+    if (input.run_id) {
+        validateStringLength(input.run_id, "runIdLength", "run_id");
+    }
+}
+/**
+ * Create InputTooLarge error
+ */
+export function inputTooLargeError(field, limit, actual) {
+    return new McpError(ErrorCode.InvalidParams, `[SECURITY] Input too large: ${field} exceeds limit (${actual} > ${limit})`, {
+        vibeCode: -32_062,
+        category: "SECURITY",
+        context: { field, limit, actual },
+    });
+}

package/build/security/path-policy.js

@@ -0,0 +1,289 @@
+// adapters/mcp-ts/src/security/path-policy.ts
+// Path validation and do_not_touch policy enforcement
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+import { minimatch } from "minimatch";
+// ============================================================
+// Vibe-SDS Path Zones (Standard Directory Structure)
+// ============================================================
+/**
+ * Path zones for AI workspace control
+ * - BLACK: System only - AI cannot read or write
+ * - RED: Protected - AI cannot modify (auto do_not_touch)
+ * - YELLOW: Caution - AI can modify with warnings
+ * - GREEN: Free zone - AI workspace
+ */
+export const PATH_ZONES = {
+    /** System state - AI cannot access */
+    BLACK: [".vibe", ".vibe/**"],
+    /** Protected config - auto do_not_touch */
+    RED: ["config/**", ".env", ".env.*", "*.pem", "*.key", "credentials.*"],
+    /** Documentation - AI can modify with caution */
+    YELLOW: ["docs/**", "README.md", "*.md"],
+    /** AI workspace - free to modify */
+    GREEN: ["src/**", "tests/**", "lib/**", "scripts/**"],
+};
+const CONTROL_PLANE_BLACKLIST = [
+    "vibecoding_helper/**",
+    "adapters/**",
+    "engines/**",
+    "schemas/**",
+    "fixtures/**",
+    "policy/**",
+    "runs/**",
+    "config/semgrep/**",
+    "config/gitleaks/**",
+    "docs/ssot/**",
+    "docs/DEV_SPEC/implemented/**",
+    "scripts/generate-contracts.sh",
+    "scripts/generate-contract-lock.py",
+    "schemas/contracts.version.json",
+    "schemas/contracts.lock.json",
+];
+let cachedControlPlaneRepo = null;
+function isControlPlaneRepo() {
+    if (cachedControlPlaneRepo !== null)
+        return cachedControlPlaneRepo;
+    const cwd = process.cwd();
+    const hasSpec = fs.existsSync(path.join(cwd, "vibecoding_helper.spec"));
+    const hasLayout = fs.existsSync(path.join(cwd, "vibecoding_helper")) && fs.existsSync(path.join(cwd, "adapters", "mcp-ts"));
+    cachedControlPlaneRepo = hasSpec || hasLayout;
+    return cachedControlPlaneRepo;
+}
+/**
+ * Get the zone for a given path
+ */
+export function getPathZone(relativePath) {
+    const normalized = relativePath.replace(/\\/g, "/");
+    if (isControlPlaneRepo()) {
+        for (const pattern of CONTROL_PLANE_BLACKLIST) {
+            if (minimatch(normalized, pattern, { dot: true })) {
+                return "BLACK";
+            }
+        }
+    }
+    // Check zones in priority order: BLACK > RED > YELLOW > GREEN
+    for (const [zone, patterns] of Object.entries(PATH_ZONES)) {
+        for (const pattern of patterns) {
+            if (minimatch(normalized, pattern, { dot: true })) {
+                return zone;
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Check if a path is in a forbidden zone (BLACK or RED)
+ */
+export function isPathForbidden(relativePath) {
+    const zone = getPathZone(relativePath);
+    if (zone === "BLACK") {
+        return {
+            forbidden: true,
+            zone,
+            reason: "이 경로는 시스템 전용 영역입니다. AI가 접근할 수 없습니다.",
+        };
+    }
+    if (zone === "RED") {
+        return {
+            forbidden: true,
+            zone,
+            reason: "이 경로는 보호된 설정 파일입니다. 수정할 수 없습니다.",
+        };
+    }
+    return { forbidden: false, zone: zone ?? undefined };
+}
+export function validateWorkOrderPaths(relativePaths) {
+    const allowed = [];
+    const forbidden = [];
+    for (const p of relativePaths) {
+        const check = isPathForbidden(p);
+        if (check.forbidden && check.zone && check.reason) {
+            forbidden.push({ path: p, zone: check.zone, reason: check.reason });
+        }
+        else {
+            allowed.push(p);
+        }
+    }
+    return {
+        valid: forbidden.length === 0,
+        allowed,
+        forbidden,
+    };
+}
+// ============================================================
+// Dangerous Patterns (system-level protection)
+// ============================================================
+/**
+ * Dangerous path patterns that should always be blocked
+ */
+const DANGEROUS_PATTERNS = [
+    /\.\./, // Path traversal
+    /^\/etc\//, // System config
+    /^\/usr\//, // System binaries
+    /^\/bin\//, // Binaries
+    /^\/sbin\//, // System binaries
+    /^\/var\/log\//, // System logs
+    /^\/root\//, // Root home
+    /^\/home\/[^/]+\/\./, // Hidden files in home
+    /^C:\\Windows/i, // Windows system
+    /^C:\\Program Files/i, // Windows programs
+    /\.env$/i, // Environment files
+    /credentials\.json$/i, // Credential files
+    /\.pem$/i, // Private keys
+    /\.key$/i, // Key files
+    /id_rsa/i, // SSH keys
+];
+/**
+ * Normalize a path relative to a base path
+ *
+ * - Resolves relative paths
+ * - Prevents path traversal attacks
+ * - Returns normalized absolute path
+ *
+ * @throws McpError if path traversal is detected
+ */
+export function normalizePath(inputPath, basePath) {
+    const pathApi = getPathApi(basePath);
+    // Reject obvious path traversal
+    if (inputPath.includes("..")) {
+        throw pathTraversalError(inputPath);
+    }
+    // Resolve the path
+    const resolved = pathApi.isAbsolute(inputPath)
+        ? inputPath
+        : pathApi.resolve(basePath, inputPath);
+    // Normalize to remove any . or redundant separators
+    const normalized = pathApi.normalize(resolved);
+    // Verify the resolved path is within basePath
+    const normalizedBase = pathApi.resolve(basePath);
+    const relative = pathApi.relative(normalizedBase, normalized);
+    if (relative.startsWith("..") || pathApi.isAbsolute(relative)) {
+        throw pathTraversalError(inputPath);
+    }
+    // Check against dangerous patterns
+    for (const pattern of DANGEROUS_PATTERNS) {
+        if (pattern.test(normalized) || pattern.test(inputPath)) {
+            throw pathTraversalError(inputPath);
+        }
+    }
+    return normalized;
+}
+function getPathApi(basePath) {
+    // When tests pass POSIX-style base paths on Windows, path.resolve/relative will
+    // introduce drive letters (e.g., F:\home\...) and break determinism.
+    // Choose the path implementation based on the basePath style.
+    if (/^[A-Za-z]:[\\/]/.test(basePath) || basePath.includes("\\")) {
+        return path.win32;
+    }
+    if (basePath.startsWith("/")) {
+        return path.posix;
+    }
+    return path;
+}
+/**
+ * Check if a path matches any do_not_touch patterns
+ */
+export function matchesDoNotTouch(targetPath, patterns) {
+    for (const pattern of patterns) {
+        // Try minimatch glob matching
+        if (minimatch(targetPath, pattern, { dot: true, matchBase: true })) {
+            return pattern;
+        }
+        // Also check if pattern is a prefix (directory match)
+        const normalizedTarget = targetPath.replace(/\\/g, "/");
+        const normalizedPattern = pattern.replace(/\\/g, "/");
+        if (normalizedTarget.startsWith(normalizedPattern + "/") ||
+            normalizedTarget === normalizedPattern) {
+            return pattern;
+        }
+    }
+    return null;
+}
+/**
+ * Check multiple paths against do_not_touch patterns
+ *
+ * @returns Object with allowed paths and any violations
+ */
+export function checkDoNotTouch(targetPaths, doNotTouchPatterns, basePath) {
+    const allowed = [];
+    const violations = [];
+    const pathApi = getPathApi(basePath);
+    for (const targetPath of targetPaths) {
+        try {
+            const normalized = normalizePath(targetPath, basePath);
+            const relativePath = pathApi.relative(basePath, normalized);
+            const matchedPattern = matchesDoNotTouch(relativePath, doNotTouchPatterns);
+            if (matchedPattern) {
+                violations.push({
+                    path: targetPath,
+                    pattern: matchedPattern,
+                    normalizedPath: normalized,
+                });
+            }
+            else {
+                allowed.push(normalized);
+            }
+        }
+        catch (e) {
+            // Path normalization failed (traversal attack)
+            violations.push({
+                path: targetPath,
+                pattern: "PATH_TRAVERSAL",
+                normalizedPath: targetPath,
+            });
+        }
+    }
+    return { allowed, violations };
+}
+/**
+ * Pre-execution check that throws if any violations are found
+ *
+ * @throws McpError if any path violates do_not_touch or is a traversal attempt
+ */
+export function preExecutionCheck(targetPaths, doNotTouchPatterns, basePath) {
+    const { allowed, violations } = checkDoNotTouch(targetPaths, doNotTouchPatterns, basePath);
+    if (violations.length > 0) {
+        const firstViolation = violations[0];
+        if (firstViolation.pattern === "PATH_TRAVERSAL") {
+            throw pathTraversalError(firstViolation.path);
+        }
+        throw doNotTouchError(firstViolation.path, firstViolation.pattern);
+    }
+    return allowed;
+}
+/**
+ * Validate a single path without do_not_touch check (just traversal protection)
+ */
+export function validatePath(inputPath, basePath) {
+    return normalizePath(inputPath, basePath);
+}
+/**
+ * Validate multiple paths and return normalized versions
+ */
+export function validatePaths(inputPaths, basePath) {
+    return inputPaths.map((p) => normalizePath(p, basePath));
+}
+/**
+ * Create path traversal error
+ */
+export function pathTraversalError(inputPath) {
+    return new McpError(ErrorCode.InvalidParams, `[SECURITY] Path traversal detected: "${inputPath}"`, {
+        vibeCode: -32_061,
+        category: "SECURITY",
+        context: { path: inputPath },
+        recovery: "Use paths relative to the project directory without '..' sequences",
+    });
+}
+/**
+ * Create do_not_touch violation error
+ */
+export function doNotTouchError(inputPath, pattern) {
+    return new McpError(ErrorCode.InvalidParams, `[SECURITY] Path "${inputPath}" matches do_not_touch pattern "${pattern}"`, {
+        vibeCode: -32_063,
+        category: "SECURITY",
+        context: { path: inputPath, pattern },
+        recovery: "This path is protected and cannot be modified. Choose a different target.",
+    });
+}