converse-mcp-server 2.9.5 → 2.9.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "converse-mcp-server",
-  "version": "2.9.5",
+  "version": "2.9.6",
   "description": "Converse MCP Server - Converse with other LLMs with chat and consensus tools",
   "type": "module",
   "main": "src/index.js",

package/src/async/fileCache.js

@@ -11,6 +11,7 @@ import { promises as fs } from 'fs';
 import path from 'path';
 import { debugLog, debugError } from '../utils/console.js';
 import { ConverseMCPError, ERROR_CODES } from '../utils/errorHandler.js';
+import { isSafeIdSegment } from '../utils/idValidation.js';
 
 /**
  * File cache specific error class
@@ -149,6 +150,14 @@ export class FileCache extends FileCacheInterface {
    * @private
    */
   getJobDir(jobId) {
+    if (!isSafeIdSegment(jobId)) {
+      throw new FileCacheError(
+        'Job ID contains unsafe characters',
+        ERROR_CODES.VALIDATION_ERROR,
+        { jobId },
+      );
+    }
+
     const today = new Date().toISOString().split('T')[0]; // yyyy-mm-dd
     return path.join(this.baseDir, today, jobId);
   }
@@ -201,7 +210,15 @@ export class FileCache extends FileCacheInterface {
     if (!jobId || typeof jobId !== 'string') {
       throw new FileCacheError(
         'Job ID must be a non-empty string',
-        ERROR_CODES.CACHE_WRITE_FAILED,
+        ERROR_CODES.VALIDATION_ERROR,
+        { jobId },
+      );
+    }
+
+    if (!isSafeIdSegment(jobId)) {
+      throw new FileCacheError(
+        'Job ID contains unsafe characters',
+        ERROR_CODES.VALIDATION_ERROR,
         { jobId },
       );
     }
@@ -265,7 +282,15 @@ export class FileCache extends FileCacheInterface {
     if (!jobId || typeof jobId !== 'string') {
       throw new FileCacheError(
         'Job ID must be a non-empty string',
-        ERROR_CODES.CACHE_WRITE_FAILED,
+        ERROR_CODES.VALIDATION_ERROR,
+        { jobId },
+      );
+    }
+
+    if (!isSafeIdSegment(jobId)) {
+      throw new FileCacheError(
+        'Job ID contains unsafe characters',
+        ERROR_CODES.VALIDATION_ERROR,
         { jobId },
       );
     }
@@ -324,7 +349,15 @@ export class FileCache extends FileCacheInterface {
     if (!jobId || typeof jobId !== 'string') {
       throw new FileCacheError(
         'Job ID must be a non-empty string',
-        ERROR_CODES.CACHE_READ_FAILED,
+        ERROR_CODES.VALIDATION_ERROR,
+        { jobId },
+      );
+    }
+
+    if (!isSafeIdSegment(jobId)) {
+      throw new FileCacheError(
+        'Job ID contains unsafe characters',
+        ERROR_CODES.VALIDATION_ERROR,
         { jobId },
       );
     }

package/src/providers/openai.js

@@ -79,9 +79,9 @@ const SUPPORTED_MODELS = {
       'Fastest, most cost-efficient GPT-5 (400K context, 128K output) - Summarization, classification',
     aliases: ['gpt5-nano', 'gpt-5nano', 'gpt 5 nano', 'gpt-5-nano-2025-08-07'],
   },
-  'gpt-5-pro': {
-    modelName: 'gpt-5-pro',
-    friendlyName: 'OpenAI (GPT-5 Pro)',
+  'gpt-5.2-pro': {
+    modelName: 'gpt-5.2-pro',
+    friendlyName: 'OpenAI (GPT-5.2 Pro)',
     contextWindow: 400000,
     maxOutputTokens: 272000,
     supportsStreaming: false, // GPT-5 Pro doesn't support streaming
@@ -94,11 +94,12 @@ const SUPPORTED_MODELS = {
     description:
       'Most advanced reasoning model (400K context, 272K output) - Hardest problems, extended compute time (EXPENSIVE)',
     aliases: [
+      'gpt-5-pro',
       'gpt5-pro',
       'gpt-5pro',
       'gpt 5 pro',
       'gpt-5 pro',
-      'gpt-5-pro-2025-10-06',
+      'gpt-5.2-pro-2025-12-11',
     ],
   },
   o3: {

package/src/tools/checkStatus.js

@@ -17,6 +17,7 @@ import {
   formatJobListHumanReadable,
   formatConversationHistory,
 } from '../utils/formatStatus.js';
+import { isSafeIdSegment } from '../utils/idValidation.js';
 
 const logger = createLogger('check-status');
 
@@ -36,8 +37,22 @@ export async function checkStatusTool(args, dependencies) {
     const { continuation_id, full_history = false } = args;
 
     // Validate arguments
-    if (continuation_id && typeof continuation_id !== 'string') {
-      return createToolError('continuation_id must be a string');
+    if (continuation_id !== undefined) {
+      if (typeof continuation_id !== 'string') {
+        return createToolError('continuation_id must be a string');
+      }
+
+      if (continuation_id.length === 0) {
+        return createToolError(
+          'Invalid continuation_id: must be a non-empty string',
+        );
+      }
+
+      if (!isSafeIdSegment(continuation_id)) {
+        return createToolError(
+          'Invalid continuation_id: contains unsafe characters',
+        );
+      }
     }
 
     const asyncJobStore = getAsyncJobStore();

package/src/utils/idValidation.js

@@ -0,0 +1,32 @@
+/**
+ * ID validation helpers
+ *
+ * These are intentionally conservative and are primarily used to ensure IDs that
+ * are used as filesystem path segments cannot escape their intended directory.
+ */
+
+/**
+ * Check whether an ID is safe to use as a single filesystem path segment.
+ *
+ * Allowed characters: A–Z a–z 0–9 _ -
+ * Disallowed: path separators, dots, whitespace, and other punctuation.
+ *
+ * @param {unknown} id
+ * @param {object} [options]
+ * @param {number} [options.maxLength]
+ * @returns {boolean}
+ */
+export function isSafeIdSegment(id, options = {}) {
+  const { maxLength = 128 } = options;
+
+  if (typeof id !== 'string') {
+    return false;
+  }
+
+  if (id.length === 0 || id.length > maxLength) {
+    return false;
+  }
+
+  return /^[A-Za-z0-9_-]+$/.test(id);
+}
+