cf-memory-mcp 3.9.7 → 3.9.8
- package/README.md +6 -0
- package/bin/cf-memory-mcp.js +18 -1
- package/package.json +1 -1
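--- a/package/README.md
+++ b/package/README.md
@@ -137,6 +137,12 @@ That deploys the active worker and applies the simplified D1 schema and required
 - [bin/cf-memory-mcp.js](/Users/johnlam/cf-memory-mcp/bin/cf-memory-mcp.js)
 - [bin/cf-memory-mcp-indexer.js](/Users/johnlam/cf-memory-mcp/bin/cf-memory-mcp-indexer.js)
 
+## Security
+
+The bridge (`bin/cf-memory-mcp.js`) reads local files for several tools — `get_file_content`, `refresh_files`, `find_stale_files`, `refresh_stale`, and the staleness annotation pass on `retrieve_context` results. Every one of those code paths confines file access to the resolved project root via `fs.realpathSync` + relative-path check, so absolute paths, `..` traversal, and in-root symlinks pointing outside are all rejected before any read. Locked in by the test suite under `tests/bridge.test.ts`.
+
+If you find a path that escapes the project root despite this, please open an issue with a reproduction.
+
 ## Notes
 
 - The simplified worker is the active product path.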
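--- a/package/bin/cf-memory-mcp.js
+++ b/package/bin/cf-memory-mcp.js
@@ -1168,7 +1168,24 @@ class CFMemoryMCP {
 }
 
 async handleIndexProject(message) {
-const
+const args = message.params?.arguments || {};
+const { project_path, project_name, include_patterns, exclude_patterns, force_reindex } = args;
+
+// Boundary validation: bad inputs were producing unhelpful Node errors
+// ("path must be string"). Return a clean MCP error with the hint
+// instead so the model can self-correct.
+if (typeof project_path !== 'string' || !project_path.trim()) {
+process.stdout.write(JSON.stringify({
+jsonrpc: '2.0',
+id: message.id,
+result: { content: [{ type: 'text', text: JSON.stringify({
+error: 'project_path is required',
+hint: 'Pass project_path as an absolute or relative filesystem path to the project root (e.g., "/Users/me/code/myrepo" or ".").',
+}, null, 2) }] },
+}) + '\n');
+return;
+}
+
 const resolvedPath = path.resolve(project_path);
 const name = project_name || path.basename(resolvedPath);
 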
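Review bot: The new guard in `handleIndexProject` only checks that `project_path` is a non-empty string, so `path.resolve(project_path)` on the context line below it still accepts any directory the calling model names, including `/` or a home directory. Since the argument is model-controlled and the bridge appears (from the package description) to send indexed content to a remote worker, consider also requiring that the resolved path is an existing directory, and ideally one under an operator-configured root, before indexing; whether later code already does this is not visible, because the function body continues past the hunk. Separately, the error reply is written as an ordinary `result`, so an MCP client reads it as a success; adding `isError: true` next to `content` marks it as a tool error. The trimmed value is used only for the emptiness test, so `const resolvedPath = path.resolve(project_path.trim());` would keep the check and the use consistent.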
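--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cf-memory-mcp",
-"version": "3.9.
+"version": "3.9.8",
 "description": "Cloudflare-hosted MCP server for code indexing, retrieval, and assistant memory with a direct remote MCP endpoint and local stdio bridge.",
 "main": "bin/cf-memory-mcp.js",
 "bin": {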