npm - @vorim/mcp-server - Versions diffs - 1.1.4 → 1.1.6 - Mend

@vorim/mcp-server 1.1.4 → 1.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/build/index.js +89 -12
package/package.json +1 -1

package/build/index.js CHANGED Viewed

@@ -21,6 +21,18 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
+// SECURITY: The MCP server uses a single process-wide Vorim API key
+// taken from VORIM_API_KEY at startup. The stdio transport between
+// the MCP host (e.g. Claude Desktop) and this process carries NO
+// per-call auth — every tool call is attributed to the configured
+// key. Two consequences:
+//   1. Scope the key tightly. The key's scopes (audit:read,
+//      audit:write, agent:write, etc.) determine which MCP tools
+//      will actually work; a least-privilege scoped key reduces
+//      blast radius if the host environment is compromised.
+//   2. Do not share a key across MCP installations. Each user /
+//      machine should mint its own key so revocation surgically
+//      kills exactly one installation.
 const API_KEY = process.env.VORIM_API_KEY || "";
 const BASE_URL = (process.env.VORIM_BASE_URL || "https://api.vorim.ai").replace(/\/$/, "");
 if (!API_KEY) {
@@ -29,10 +41,25 @@ if (!API_KEY) {
 }
 // ─── HTTP Client ──────────────────────────────────────────────────────────
 // Read the package version once so the User-Agent string and the MCP
-// server's advertised version stay in sync with package.json.
-// require() works in the CommonJS build path; for the ESM-only build
-// we fall back to a constant that must match package.json.
-const MCP_VERSION = "1.1.4";
+// server's advertised version stay in sync with package.json. The
+// hardcoded fallback is the last-known version — operators see a
+// loud-fail if it ever drifts in CI because `npm test` re-reads
+// package.json and compares.
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+function readMcpVersion() {
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkgPath = join(here, "..", "package.json");
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+        if (typeof pkg.version === "string")
+            return pkg.version;
+    }
+    catch { /* fall through */ }
+    return "1.1.6"; // hardcoded fallback; bump alongside package.json
+}
+const MCP_VERSION = readMcpVersion();
 /**
  * URL-encode a user-supplied path segment. Agent ids, scopes, and
  * chain ids all reach the API via path interpolation; raw slashes or
@@ -52,7 +79,35 @@ async function vorimRequest(method, path, body) {
         },
         body: body ? JSON.stringify(body) : undefined,
     });
-    const json = await response.json();
+    // Hand out clearer error messages for the common cases an MCP user
+    // will see. Auth: the API key is wrong or revoked. Scope: the key
+    // is missing the scope this route requires (e.g. audit:write).
+    if (response.status === 401) {
+        throw new Error("Vorim API key is invalid, revoked, or expired. Check VORIM_API_KEY.");
+    }
+    if (response.status === 403) {
+        const j = await response.json().catch(() => ({}));
+        const err = j.error;
+        const code = err?.code;
+        if (code === "INSUFFICIENT_SCOPE") {
+            throw new Error(err?.message ||
+                "Vorim API key is missing the scope required for this operation. Mint a new key with the required scope and update VORIM_API_KEY.");
+        }
+        throw new Error(err?.message || "Vorim API rejected with 403");
+    }
+    // Be defensive about non-JSON 5xx bodies (nginx 502, gateway HTML).
+    // Without this, response.json() throws "Unexpected token <" and the
+    // user sees an unhelpful parser error.
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch {
+        if (!response.ok) {
+            throw new Error(`Vorim API returned HTTP ${response.status} (non-JSON response — check upstream gateway)`);
+        }
+        throw new Error("Vorim API returned a non-JSON success response");
+    }
     if (!response.ok) {
         const err = json.error;
         throw new Error(err?.message || `HTTP ${response.status}`);
@@ -84,12 +139,21 @@ const server = new McpServer({
 server.registerTool("vorim_ping", {
     description: "Check Vorim AI API health and connectivity. Returns status, version, and service health.",
     inputSchema: {},
+    annotations: { readOnlyHint: true },
 }, async () => {
     const response = await fetch(`${BASE_URL}/health`, {
-        headers: { "User-Agent": "vorim-mcp-server/1.0.0" },
+        headers: { "User-Agent": `vorim-mcp-server/${MCP_VERSION}` },
     });
-    const data = await response.json();
-    return text(data);
+    if (!response.ok) {
+        throw new Error(`Vorim API health endpoint returned HTTP ${response.status}`);
+    }
+    try {
+        const data = await response.json();
+        return text(data);
+    }
+    catch {
+        throw new Error(`Vorim API returned a non-JSON health response (status ${response.status}); check upstream gateway`);
+    }
 });
 // ─── Agent Identity ───────────────────────────────────────────────────────
 server.registerTool("vorim_register_agent", {
@@ -235,11 +299,12 @@ server.registerTool("vorim_emit_event", {
     return text(data);
 });
 server.registerTool("vorim_export_audit", {
-    description: "Export a signed audit bundle for a date range. Returns events with a SHA-256 manifest for tamper-proof verification.",
+    description: "Export a signed audit bundle for a date range. Returns events with a SHA-256 manifest for tamper-proof verification. Window must be <= 90 days; the server returns 400 if from > to or the range exceeds the cap. The returned bundle has up to 1,000,000 events; if truncated, the response carries `truncated: true` and the caller should re-export a narrower window.",
     inputSchema: {
-        from: z.string().describe("Start date (ISO 8601)"),
-        to: z.string().describe("End date (ISO 8601)"),
+        from: z.string().describe("Start date in ISO 8601 (e.g. 2026-06-01T00:00:00Z)"),
+        to: z.string().describe("End date in ISO 8601 (must be on or after `from`; window <= 90 days)"),
     },
+    annotations: { readOnlyHint: true },
 }, async ({ from, to }) => {
     const result = await vorimPost("/audit/export", { from, to });
     return text(result);
@@ -254,7 +319,19 @@ server.registerTool("vorim_verify_trust", {
     const response = await fetch(`${BASE_URL}/v1/trust/verify/${encId(agent_id)}`, {
         headers: { "User-Agent": `vorim-mcp-server/${MCP_VERSION}` },
     });
-    const json = await response.json();
+    if (!response.ok) {
+        if (response.status === 404) {
+            throw new Error(`Agent ${agent_id} is not registered with Vorim`);
+        }
+        throw new Error(`Vorim trust endpoint returned HTTP ${response.status}`);
+    }
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch {
+        throw new Error(`Vorim trust endpoint returned a non-JSON response (status ${response.status})`);
+    }
     return text(json.data || json);
 });
 // ─── Ephemeral Agents ────────────────────────────────────────────────────

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vorim/mcp-server",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "mcpName": "io.github.Kzino/vorim-mcp-server",
   "description": "MCP server for Vorim AI — AI agent identity, permissions, and audit trails",
   "type": "module",