@yawlabs/mcp 0.63.1 → 0.64.1

package/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to `@yawlabs/mcp` (formerly `@yawlabs/mcph`) are documented here. This project uses [semantic versioning](https://semver.org) and a script-gated release flow: `./release.sh <version>` runs lint + tests + build, bumps, tags, publishes to npm, and creates the GitHub release.
 
+## 0.63.2 -- release pipeline: publish npm from CI
+
+No changes to the package runtime or CLI -- this release exists to exercise the
+new CI-on-tag-push publish flow end to end. The published artifact is identical
+to 0.63.1 aside from the version bump.
+
+- **npm is now published from CI, not the workstation.** A new `publish-npm` job
+  in `release.yml` publishes `@yawlabs/mcp` on every `v*` tag using the org
+  `NPM_TOKEN` + `--provenance` (the repo and package are public), gated on the
+  binary build so npm and the GitHub Release stay in lockstep. It is idempotent:
+  a version already live is a clean skip, and an `EPUBLISHCONFLICT` from
+  registry read-replica lag is treated as success. `publish-registry` now
+  `needs: publish-npm`, so the MCP-registry verify can no longer race ahead of
+  the npm publish. `release.sh`'s hand-off detection was tightened to key on a
+  real `npm publish` / `NODE_AUTH_TOKEN` signal instead of the registry job's
+  `id-token: write` (the false positive that wedged the 0.63.0/0.63.1 runs).
+- **Registry job hardening.** `mcp-publisher` is pinned to a tagged release and
+  verified against its published sha256 before execution (was an unpinned
+  `curl .../latest | tar`), and the job pins its Node toolchain via `setup-node`.
+
 ## 0.63.1 -- CLI follow-ups: wire dead --dry-run/--stdin flags, fix completion drift, dedup probes
 
 Patch-level follow-ups on the 0.63.0 CLI hardening pass. All fixes; no behavior changes for callers who weren't already hitting the dead-flag bugs.

package/dist/{chunk-BTL5M3GN.js → chunk-SIMPWBWK.js}

@@ -2,17 +2,17 @@
 
 // src/team-sync.ts
 import { existsSync } from "fs";
-import { chmod, readFile, unlink as unlink2 } from "fs/promises";
+import { chmod as chmod2, readFile, unlink as unlink2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { join } from "path";
 
 // src/atomic-write.ts
-import { mkdir, rename, unlink, writeFile } from "fs/promises";
+import { chmod, mkdir, rename, stat, unlink, writeFile } from "fs/promises";
 import path from "path";
-async function atomicWriteFile(filePath, contents, encoding = "utf8", mode) {
+async function atomicWriteFile(filePath, contents, encoding = "utf8", mode, dirMode) {
   const dir = path.dirname(filePath);
   const tmp = `${filePath}.tmp-${process.pid}-${Date.now()}`;
-  await mkdir(dir, { recursive: true });
+  await mkdirpWithMode(dir, dirMode);
   try {
     await writeFile(tmp, contents, mode === void 0 ? { encoding } : { encoding, mode });
     await rename(tmp, filePath);
@@ -21,6 +21,36 @@ async function atomicWriteFile(filePath, contents, encoding = "utf8", mode) {
     throw err;
   }
 }
+async function mkdirpWithMode(dir, dirMode) {
+  if (dirMode === void 0 || process.platform === "win32") {
+    await mkdir(dir, { recursive: true });
+    return;
+  }
+  const resolved = path.resolve(dir);
+  const toCreate = [];
+  let cursor = resolved;
+  while (true) {
+    let exists = true;
+    try {
+      await stat(cursor);
+    } catch {
+      exists = false;
+    }
+    if (exists) break;
+    toCreate.unshift(cursor);
+    const parent = path.dirname(cursor);
+    if (parent === cursor) break;
+    cursor = parent;
+  }
+  if (toCreate.length === 0) return;
+  await mkdir(resolved, { recursive: true });
+  for (const created of toCreate) {
+    try {
+      await chmod(created, dirMode);
+    } catch {
+    }
+  }
+}
 
 // src/logger.ts
 var LOG_LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
@@ -52,12 +82,24 @@ var CONFIG_DIRNAME = ".yaw-mcp";
 function userConfigDir(home = homedir()) {
   return path2.join(home, CONFIG_DIRNAME);
 }
+function normalizeForCompare(p) {
+  return process.platform === "win32" ? p.toLowerCase() : p;
+}
+function isUnderHome(dir, homeResolved) {
+  const dirKey = normalizeForCompare(dir);
+  const homeKey = normalizeForCompare(homeResolved);
+  if (dirKey === homeKey) return false;
+  const rel = path2.relative(homeResolved, dir);
+  const relNorm = normalizeForCompare(rel);
+  return relNorm !== "" && !relNorm.startsWith("..") && !path2.isAbsolute(rel);
+}
 async function findProjectConfigDir(start, home = homedir()) {
-  const homeResolved = path2.resolve(home);
+  const homeFallback = home && home.length > 0 ? home : process.env.USERPROFILE || homedir();
+  const homeResolved = path2.resolve(homeFallback);
   let dir = path2.resolve(start);
   let prev = "";
   while (dir !== prev) {
-    if (dir === homeResolved) return null;
+    if (!isUnderHome(dir, homeResolved)) return null;
     const candidate = path2.join(dir, CONFIG_DIRNAME);
     try {
       await access(candidate);
@@ -108,7 +150,8 @@ function resolveBaseUrl(env = process.env) {
 }
 function expMs(session) {
   const e = session.exp;
-  return e > 0 && e < 1e12 ? e * 1e3 : e;
+  if (typeof e !== "number" || !Number.isFinite(e) || e <= 0) return 0;
+  return e < 1e12 ? e * 1e3 : e;
 }
 var cachedState = null;
 function invalidateState() {
@@ -117,7 +160,7 @@ function invalidateState() {
 async function loadStoredState(filePath) {
   if (cachedState && cachedState.filePath === filePath) {
     const s = cachedState.state;
-    if (s && expMs(s.session) < Date.now()) {
+    if (s && expMs(s.session) <= Date.now()) {
       cachedState = { filePath, state: null };
       return null;
     }
@@ -130,11 +173,12 @@ async function loadStoredState(filePath) {
     if (!obj || typeof obj !== "object") parsed = null;
     else if (typeof obj.cookie !== "string" || !obj.cookie) parsed = null;
     else if (!obj.session || typeof obj.session !== "object") parsed = null;
+    else if (typeof obj.session.exp !== "number" || !Number.isFinite(obj.session.exp)) parsed = null;
     else parsed = obj;
   } catch {
     parsed = null;
   }
-  if (parsed && expMs(parsed.session) < Date.now()) {
+  if (parsed && expMs(parsed.session) <= Date.now()) {
     cachedState = { filePath, state: null };
     return null;
   }
@@ -144,10 +188,10 @@ async function loadStoredState(filePath) {
 async function saveStoredState(filePath, state) {
   cachedState = { filePath, state };
   try {
-    await atomicWriteFile(filePath, JSON.stringify(state, null, 2), "utf8", 384);
+    await atomicWriteFile(filePath, JSON.stringify(state, null, 2), "utf8", 384, 448);
     if (process.platform !== "win32") {
       try {
-        await chmod(filePath, 384);
+        await chmod2(filePath, 384);
       } catch {
       }
     }
@@ -208,12 +252,18 @@ async function signIn(key, opts = {}) {
   const trimmed = key.trim();
   if (!trimmed) throw new Error("License key is required.");
   const baseUrl = opts.baseUrl;
-  const post = await httpJson({
-    method: "POST",
-    path: "/api/team/session",
-    body: { key: trimmed },
-    baseUrl
-  });
+  let post;
+  try {
+    post = await httpJson({
+      method: "POST",
+      path: "/api/team/session",
+      body: { key: trimmed },
+      baseUrl
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new TeamSyncAuthError(`Sign in request failed: ${msg.replace(trimmed, "[redacted]")}`);
+  }
   if (post.status !== 200 || !post.cookie || !post.body.email || !post.body.role || !post.body.order_id) {
     if (post.body.error) log("warn", "team sign-in failed", { status: post.status, error: post.body.error });
     throw new TeamSyncAuthError("Sign in failed. Check your license key and try again.");