faf-mcp 2.1.1 → 2.1.3

package/dist/src/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":";;;;;;AAAA,wEAAmE;AACnE,wEAAiF;AACjF,oEAA6E;AAC7E,iEAA0J;AAC1J,oDAA0D;AAC1D,4CAAkD;AAClD,8DAA6D;AAC7D,sDAA8B;AAC9B,gDAAwB;AACxB,2DAAiD;AACjD,uCAAoC;AAWpC,MAAa,YAAY;IACf,MAAM,CAAS;IACf,eAAe,CAAqB;IACpC,WAAW,CAAiB;IAC5B,MAAM,CAAqB;IAC3B,UAAU,CAAO;IAEzB,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,IAAI,EAAE,IAAI;YACV,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,IAAI;YACV,GAAG,MAAM;SACV,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG,IAAI,iBAAM,CACtB;YACE,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,iBAAO;SACjB,EACD;YACE,YAAY,EAAE;gBACZ,SAAS,EAAE;oBACT,SAAS,EAAE,IAAI;oBACf,WAAW,EAAE,IAAI;iBAClB;gBACD,KAAK,EAAE;oBACL,WAAW,EAAE,IAAI;iBAClB;aACF;SACF,CACF,CAAC;QAEF,4CAA4C;QAC5C,MAAM,aAAa,GAAG,IAAI,iCAAgB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,IAAI,CAAC,eAAe,GAAG,IAAI,8BAAkB,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,IAAI,sBAAc,CAAC,aAAa,CAAC,CAAC;QAErD,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;oDAEgD;IAChD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,aAAa;QACnB,oBAAoB;QACpB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,qCAA0B,EAAE,KAAK,IAAI,EAAE;YACnE,OAAO,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,oCAAyB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACzE,OAAO,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,gBAAgB;QAChB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,iCAAsB,EAAE,KAAK,IAAI,EAAE;YAC/D,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,gCAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACrE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAC5C,OAAO,CAAC,MAAM,CAAC,IAAI,EACnB,OAAO,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAC/B,CAAC;gBAEF,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBACxC,OAAO,CAAC,KAAK,CAAC,QAAQ,OAAO,CAAC,MAAM,CAAC,IAAI,gBAAgB,QAAQ,IAAI,CAAC,CAAC;gBACzE,CAAC;gBAED,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAc,EAAE,CAAC;gBACxB,MAAM,YAAY,GAAG,IAAA,wBAAO,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBACtE,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,YAAY,CAAC,CAAC;gBACtD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa;QACnB,MAAM,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;QAEtB,2BAA2B;QAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACrB,GAAG,CAAC,GAAG,CAAC,IAAA,cAAI,EAAC;gBACX,MAAM,EAAE,IAAI;gBACZ,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACnC,cAAc,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,QAAQ,CAAC;aAC5D,CAAC,CAAC,CAAC;QACN,CAAC;QAED,wBAAwB;QACxB,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC/B,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,iBAAO;gBAChB,SAAS,EAAE,UAAU;gBACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,YAAY,EAAE,iCAAiC;aAChD,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,uBAAuB;QACvB,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC7B,GAAG,CAAC,IAAI,CAAC;gBACP,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,iBAAO;gBAChB,WAAW,EAAE,qFAAqF;gBAClG,SAAS,EAAE,UAAU;gBACrB,YAAY,EAAE;oBACZ,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;oBACjD,KAAK,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE;iBAC7B;gBACD,KAAK,EAAE;oBACL,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW;oBAClD,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW;iBACnE;aACF,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;YAC7C,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACrC,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;YAChD,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YAEjC,0DAA0D;YAC1D,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;gBACjC,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBACtB,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;gBAClD,CAAC;gBAED,oDAAoD;gBACpD,MAAM,SAAS,GAAG,IAAI,2BAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;gBACtD,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAErC,2BAA2B;gBAC3B,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;oBACnB,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;oBACzC,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,uDAAuD;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;YACtC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,SAAS,CAAC;YAC3C,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;gBAC5C,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBACtB,OAAO,CAAC,KAAK,CAAC,8CAA8C,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;oBAC5E,OAAO,CAAC,KAAK,CAAC,wBAAwB,IAAI,IAAI,IAAI,MAAM,CAAC,CAAC;oBAC1D,OAAO,CAAC,KAAK,CAAC,wBAAwB,IAAI,IAAI,IAAI,SAAS,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,uBAAuB;YACvB,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;gBAC7C,MAAM,YAAY,GAAG,IAAA,wBAAO,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CAAC;gBAClF,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,YAAY,CAAC,CAAC;gBAClD,MAAM,KAAK,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE;oBACzB,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;oBACtD,CAAC;oBACD,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,aAAa;QACX,OAAO;YACL,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,iBAAO;YAChB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YACtB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YACtB,YAAY,EAAE,2BAA2B;SAC1C,CAAC;IACJ,CAAC;CACF;AA7MD,oCA6MC"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/server.ts"],"names":[],"mappings":";;;AAAA,wEAAmE;AACnE,wEAAiF;AACjF,iEAA8L;AAC9L,oDAA0D;AAC1D,4CAAkD;AAClD,8DAA6D;AAC7D,2DAAiD;AACjD,uCAAoC;AAWpC,MAAa,YAAY;IACf,MAAM,CAAS;IACf,eAAe,CAAqB;IACpC,WAAW,CAAiB;IAC5B,MAAM,CAAqB;IAEnC,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,IAAI,EAAE,IAAI;YACV,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,IAAI;YACV,GAAG,MAAM;SACV,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG,IAAI,iBAAM,CACtB;YACE,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,iBAAO;SACjB,EACD;YACE,YAAY,EAAE;gBACZ,sEAAsE;gBACtE,uEAAuE;gBACvE,0DAA0D;gBAC1D,SAAS,EAAE;oBACT,WAAW,EAAE,IAAI;iBAClB;gBACD,KAAK,EAAE;oBACL,WAAW,EAAE,IAAI;iBAClB;aACF;SACF,CACF,CAAC;QAEF,4CAA4C;QAC5C,MAAM,aAAa,GAAG,IAAI,iCAAgB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,IAAI,CAAC,eAAe,GAAG,IAAI,8BAAkB,CAAC,aAAa,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,IAAI,sBAAc,CAAC,aAAa,CAAC,CAAC;QAErD,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED;;oDAEgD;IAChD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,aAAa;QACnB,oBAAoB;QACpB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,qCAA0B,EAAE,KAAK,IAAI,EAAE;YACnE,OAAO,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,oCAAyB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACzE,OAAO,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,0EAA0E;QAC1E,yEAAyE;QACzE,8EAA8E;QAC9E,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,6CAAkC,EAAE,KAAK,IAAI,EAAE;YAC3E,OAAO,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,gBAAgB;QAChB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,iCAAsB,EAAE,KAAK,IAAI,EAAE;YAC/D,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,gCAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YACrE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAC5C,OAAO,CAAC,MAAM,CAAC,IAAI,EACnB,OAAO,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAC/B,CAAC;gBAEF,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;oBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBACxC,OAAO,CAAC,KAAK,CAAC,QAAQ,OAAO,CAAC,MAAM,CAAC,IAAI,gBAAgB,QAAQ,IAAI,CAAC,CAAC;gBACzE,CAAC;gBAED,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAc,EAAE,CAAC;gBACxB,MAAM,YAAY,GAAG,IAAA,wBAAO,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;gBACtE,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,YAAY,CAAC,CAAC;gBACtD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;YAC7C,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACrC,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,6DAA6D;IAC/D,CAAC;IAED,aAAa;QACX,OAAO;YACL,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,iBAAO;YAChB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YACtB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YACtB,YAAY,EAAE,2BAA2B;SAC1C,CAAC;IACJ,CAAC;CACF;AAxHD,oCAwHC"}

package/dist/src/utils/safe-path.d.ts

@@ -0,0 +1,66 @@
+/**
+ * safe-path.ts — confinement for caller-supplied `path` arguments.
+ *
+ * Several MCP tools (`refresh_faf`, `faf_score`, `faf_get_orchestration_policy`,
+ * `refresh_blend`, …) accept a `path` argument and read a `.faf` context file
+ * from it. Historically that path flowed straight through `path.resolve()` into
+ * `fs.readFileSync()` with no confinement, so an absolute path or `../` traversal
+ * could read ANY file the server uid can read (CWE-22 / CWE-73 / CWE-200) and
+ * have its contents echoed back — e.g. `refresh_faf({path:"~/.ssh/id_rsa"})`.
+ *
+ * This module is the single chokepoint that closes that. Two layers:
+ *
+ *   1. Context-file allow-list (ALWAYS ON) — this server's only job is reading
+ *      `.faf` / `.fafm` context files. When a caller path resolves to a *file*,
+ *      it must be one of those. That alone blocks the entire secret-disclosure
+ *      surface — `/etc/passwd`, `~/.ssh/id_rsa`, `~/.aws/credentials`, `.env`,
+ *      etc. are none of them `.faf` files — regardless of directory. A `.faf`
+ *      is a public project-context format, so reading one anywhere discloses no
+ *      secrets (a planted one only echoes what the attacker already wrote).
+ *
+ *   2. Root confinement (OPT-IN) — when `FAF_ALLOWED_ROOTS` is set (OS-path
+ *      delimited), the resolved path must additionally stay within one of those
+ *      roots. Off by default so legitimate `.faf` files outside $HOME (CI temp
+ *      fixtures, /opt, /srv, monorepos) keep working; operators who want a hard
+ *      directory boundary opt in.
+ *
+ * Layer 1 is the security boundary; layer 2 is defense-in-depth for locked-down
+ * deployments. Either way, `..` traversal and absolute paths can never reach a
+ * non-context file.
+ */
+export declare class PathConfinementError extends Error {
+    constructor(message: string);
+}
+/** True when `p`'s basename is a `.faf` / `.fafm` context file. */
+export declare function isFafContextFile(p: string): boolean;
+/** Opt-in allowed roots from `FAF_ALLOWED_ROOTS` (OS-delimited). Empty when
+ *  unset → root confinement is not enforced (the `.faf`-only rule still is). */
+export declare function allowedRoots(): string[];
+/**
+ * Roots for the general-purpose file tools (`faf_read` / `faf_write`). Unlike
+ * the `.faf` tools, these legitimately handle any file *type* — but they must
+ * still be confined to the project. Default root = the process cwd; override /
+ * extend with `FAF_ALLOWED_ROOTS`.
+ */
+export declare function fileOpRoots(): string[];
+/**
+ * Confine a general-purpose file read/write path: any file type, but it must
+ * stay within fileOpRoots(). Closes absolute-path escapes (`~/.ssh/id_rsa`),
+ * `..` traversal, and arbitrary writes outside the project. Throws
+ * PathConfinementError on violation. Returns the safe (symlink-canonical) path.
+ */
+export declare function confineFileOp(input: unknown): string;
+export interface ConfineOptions {
+    /** Override allowed roots (resolved internally). Defaults to allowedRoots()
+     *  (the opt-in `FAF_ALLOWED_ROOTS`). Empty = root confinement not enforced. */
+    roots?: string[];
+    /** When the resolved path is an existing file, require it be a `.faf`/`.fafm`
+     *  context file. Use for sinks that read the path verbatim. Default true. */
+    requireFafFile?: boolean;
+}
+/**
+ * Resolve and confine a caller-supplied path. Returns the safe absolute path,
+ * or throws PathConfinementError. Never reaches the filesystem read itself —
+ * callers do that with the returned value.
+ */
+export declare function confinePath(input: unknown, opts?: ConfineOptions): string;

package/dist/src/utils/safe-path.js

@@ -0,0 +1,203 @@
+"use strict";
+/**
+ * safe-path.ts — confinement for caller-supplied `path` arguments.
+ *
+ * Several MCP tools (`refresh_faf`, `faf_score`, `faf_get_orchestration_policy`,
+ * `refresh_blend`, …) accept a `path` argument and read a `.faf` context file
+ * from it. Historically that path flowed straight through `path.resolve()` into
+ * `fs.readFileSync()` with no confinement, so an absolute path or `../` traversal
+ * could read ANY file the server uid can read (CWE-22 / CWE-73 / CWE-200) and
+ * have its contents echoed back — e.g. `refresh_faf({path:"~/.ssh/id_rsa"})`.
+ *
+ * This module is the single chokepoint that closes that. Two layers:
+ *
+ *   1. Context-file allow-list (ALWAYS ON) — this server's only job is reading
+ *      `.faf` / `.fafm` context files. When a caller path resolves to a *file*,
+ *      it must be one of those. That alone blocks the entire secret-disclosure
+ *      surface — `/etc/passwd`, `~/.ssh/id_rsa`, `~/.aws/credentials`, `.env`,
+ *      etc. are none of them `.faf` files — regardless of directory. A `.faf`
+ *      is a public project-context format, so reading one anywhere discloses no
+ *      secrets (a planted one only echoes what the attacker already wrote).
+ *
+ *   2. Root confinement (OPT-IN) — when `FAF_ALLOWED_ROOTS` is set (OS-path
+ *      delimited), the resolved path must additionally stay within one of those
+ *      roots. Off by default so legitimate `.faf` files outside $HOME (CI temp
+ *      fixtures, /opt, /srv, monorepos) keep working; operators who want a hard
+ *      directory boundary opt in.
+ *
+ * Layer 1 is the security boundary; layer 2 is defense-in-depth for locked-down
+ * deployments. Either way, `..` traversal and absolute paths can never reach a
+ * non-context file.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PathConfinementError = void 0;
+exports.isFafContextFile = isFafContextFile;
+exports.allowedRoots = allowedRoots;
+exports.fileOpRoots = fileOpRoots;
+exports.confineFileOp = confineFileOp;
+exports.confinePath = confinePath;
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const fs = __importStar(require("fs"));
+class PathConfinementError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'PathConfinementError';
+    }
+}
+exports.PathConfinementError = PathConfinementError;
+/** True when `p`'s basename is a `.faf` / `.fafm` context file. */
+function isFafContextFile(p) {
+    const base = path.basename(p).toLowerCase();
+    return base === '.faf' || base.endsWith('.faf') || base.endsWith('.fafm');
+}
+/** Expand a leading `~` / `~/` for the CURRENT user only. `~otheruser` is left
+ *  literal (it will then fail the root check rather than reaching another home). */
+function expandTilde(p) {
+    if (p === '~')
+        return os.homedir();
+    if (p.startsWith('~/') || p.startsWith('~\\')) {
+        return path.join(os.homedir(), p.slice(2));
+    }
+    return p;
+}
+/** Opt-in allowed roots from `FAF_ALLOWED_ROOTS` (OS-delimited). Empty when
+ *  unset → root confinement is not enforced (the `.faf`-only rule still is). */
+function allowedRoots() {
+    const env = process.env.FAF_ALLOWED_ROOTS;
+    if (env && env.trim()) {
+        return env
+            .split(path.delimiter)
+            .map((r) => r.trim())
+            .filter(Boolean)
+            .map((r) => path.resolve(expandTilde(r)));
+    }
+    return [];
+}
+function withinRoots(resolved, roots) {
+    return roots.some((root) => resolved === root || resolved.startsWith(root + path.sep));
+}
+/**
+ * Symlink-canonical absolute path, tolerant of a not-yet-existing target
+ * (a `faf_write` to a new file). Resolves the nearest EXISTING ancestor through
+ * symlinks, then re-appends the missing tail — so a new file under /tmp matches
+ * a /private/tmp root on macOS instead of slipping past the confinement check.
+ */
+function canonicalize(input) {
+    let cur = path.resolve(input);
+    const tail = [];
+    for (;;) {
+        try {
+            const real = fs.realpathSync(cur);
+            return tail.length ? path.join(real, ...tail.reverse()) : real;
+        }
+        catch {
+            const parent = path.dirname(cur);
+            if (parent === cur)
+                return path.resolve(input); // hit filesystem root
+            tail.push(path.basename(cur));
+            cur = parent;
+        }
+    }
+}
+/**
+ * Roots for the general-purpose file tools (`faf_read` / `faf_write`). Unlike
+ * the `.faf` tools, these legitimately handle any file *type* — but they must
+ * still be confined to the project. Default root = the process cwd; override /
+ * extend with `FAF_ALLOWED_ROOTS`.
+ */
+function fileOpRoots() {
+    const opt = allowedRoots();
+    if (opt.length)
+        return opt;
+    // Default: the project (cwd) plus the OS temp dir(s) — legitimate scratch
+    // space for tools. Still blocks the high-value targets — $HOME secrets
+    // (~/.ssh, ~/.aws), /etc, and anything reached via ../ traversal.
+    const roots = [path.resolve(process.cwd()), os.tmpdir()];
+    // On macOS the canonical system temp (/tmp → /private/tmp) differs from
+    // os.tmpdir() (/var/folders/...); include it (roots are canonicalized later).
+    if (process.platform !== 'win32')
+        roots.push('/tmp');
+    return roots;
+}
+/**
+ * Confine a general-purpose file read/write path: any file type, but it must
+ * stay within fileOpRoots(). Closes absolute-path escapes (`~/.ssh/id_rsa`),
+ * `..` traversal, and arbitrary writes outside the project. Throws
+ * PathConfinementError on violation. Returns the safe (symlink-canonical) path.
+ */
+function confineFileOp(input) {
+    return confinePath(input, { requireFafFile: false, roots: fileOpRoots() });
+}
+/**
+ * Resolve and confine a caller-supplied path. Returns the safe absolute path,
+ * or throws PathConfinementError. Never reaches the filesystem read itself —
+ * callers do that with the returned value.
+ */
+function confinePath(input, opts = {}) {
+    if (typeof input !== 'string' || input.length === 0) {
+        throw new PathConfinementError('path must be a non-empty string');
+    }
+    if (input.includes('\0')) {
+        throw new PathConfinementError('path contains a null byte');
+    }
+    // Canonicalize THROUGH symlinks when the target exists. This closes the
+    // symlink bypass: a file named `project.faf` that is actually a symlink to
+    // `/etc/passwd` would pass a lexical name check but read the secret. We check
+    // the real target's name instead. Missing paths stay lexical (nothing to read
+    // yet — a directory walk or a downstream ENOENT handles them).
+    const resolved = canonicalize(expandTilde(input));
+    let isFile = false;
+    try {
+        isFile = fs.statSync(resolved).isFile();
+    }
+    catch {
+        isFile = false;
+    }
+    const roots = (opts.roots ?? allowedRoots()).map(canonicalize);
+    // Layer 2 (opt-in): enforce root confinement only when roots are configured.
+    if (roots.length > 0 && !withinRoots(resolved, roots)) {
+        throw new PathConfinementError(`path escapes FAF_ALLOWED_ROOTS: "${input}".`);
+    }
+    // Layer 1 (always on): a resolved *file* must be a `.faf`/`.fafm` context file.
+    const requireFaf = opts.requireFafFile ?? true;
+    if (requireFaf && isFile && !isFafContextFile(resolved)) {
+        throw new PathConfinementError(`refusing to read a non-context file via \`path\`: "${input}". ` +
+            `Only .faf / .fafm files (or a directory containing one) are allowed.`);
+    }
+    return resolved;
+}
+//# sourceMappingURL=safe-path.js.map

package/dist/src/utils/safe-path.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-path.js","sourceRoot":"","sources":["../../../src/utils/safe-path.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcH,4CAGC;AAcD,oCAUC;AAkCD,kCAWC;AAQD,sCAEC;AAgBD,kCAsCC;AApJD,2CAA6B;AAC7B,uCAAyB;AACzB,uCAAyB;AAEzB,MAAa,oBAAqB,SAAQ,KAAK;IAC7C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AALD,oDAKC;AAED,mEAAmE;AACnE,SAAgB,gBAAgB,CAAC,CAAS;IACxC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC5E,CAAC;AAED;oFACoF;AACpF,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC;IACnC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;gFACgF;AAChF,SAAgB,YAAY;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC1C,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QACtB,OAAO,GAAG;aACP,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;aACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;aACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB,EAAE,KAAe;IACpD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,KAAK,IAAI,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACzF,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,SAAS,CAAC;QACR,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAClC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,MAAM,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,sBAAsB;YACtE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,GAAG,GAAG,MAAM,CAAC;QACf,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,WAAW;IACzB,MAAM,GAAG,GAAG,YAAY,EAAE,CAAC;IAC3B,IAAI,GAAG,CAAC,MAAM;QAAE,OAAO,GAAG,CAAC;IAC3B,0EAA0E;IAC1E,uEAAuE;IACvE,kEAAkE;IAClE,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;IACzD,wEAAwE;IACxE,8EAA8E;IAC9E,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,KAAc;IAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;AAC7E,CAAC;AAWD;;;;GAIG;AACH,SAAgB,WAAW,CAAC,KAAc,EAAE,OAAuB,EAAE;IACnE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,oBAAoB,CAAC,iCAAiC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,oBAAoB,CAAC,2BAA2B,CAAC,CAAC;IAC9D,CAAC;IAED,wEAAwE;IACxE,2EAA2E;IAC3E,8EAA8E;IAC9E,8EAA8E;IAC9E,+DAA+D;IAC/D,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;IAClD,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,GAAG,KAAK,CAAC;IACjB,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAE/D,6EAA6E;IAC7E,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,KAAK,IAAI,CAAC,CAAC;IAChF,CAAC;IAED,gFAAgF;IAChF,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC;IAC/C,IAAI,UAAU,IAAI,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,oBAAoB,CAC5B,sDAAsD,KAAK,KAAK;YAC9D,sEAAsE,CACzE,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "faf-mcp",
-  "version": "2.1.1",
+  "version": "2.1.3",
   "mcpName": "io.github.Wolfe-Jam/faf-mcp",
   "description": "Persistent Project Context for Cursor, IDEs and VS Code. IANA-registered .faf format, 25 MCP tools, 309 tests.",
   "icon": "./assets/icons/faf-icon-256.png",
@@ -102,14 +102,11 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "cors": "^2.8.5",
-    "express": "^4.21.0",
     "faf-cli": "^6.7.1",
+    "faf-scoring-kernel": "^2.0.3",
     "yaml": "^2.4.1"
   },
   "devDependencies": {
-    "@types/cors": "^2.8.19",
-    "@types/express": "^5.0.3",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/node": "^20.11.0",
     "@typescript-eslint/eslint-plugin": "^7.0.0",

package/project.faf

@@ -11,11 +11,11 @@ stack:
   ui_library: slotignored
   state_management: slotignored
   backend: MCP SDK (TS)
-  api_type: MCP (stdio/HTTP-SSE)
+  api_type: MCP (stdio + Streamable HTTP)
   runtime: Node.js >=18
   database: slotignored
   connection: slotignored
-  hosting: Vercel
+  hosting: npm + Cloudflare edge
   build: TypeScript (tsc)
   cicd: GitHub Actions
   monorepo_tool: slotignored
@@ -29,7 +29,7 @@ human_context:
   who: Developers using Claude, Cursor, Windsurf, VS Code, Cline, and any MCP-compatible IDE
   what: Universal MCP server providing .faf context tools — 25 core + 36 advanced, interop with AGENTS.md, .cursorrules, GEMINI.md
   why: Eliminate the 20-minute AI context tax — give AI instant project understanding in 30 seconds
-  where: Vercel web (faf-mcp.vercel.app) · npm · MCP Registry · any MCP-compatible IDE — people get it how they wish
+  where: npm · MCP Registry · Cloudflare edge (ide.faf.one/mcp/v1) · any MCP-compatible IDE — people get it how they wish
   when: Production/Stable — v2.0.0 WJTTC certified (309/309 tests, 9 suites)
   how: npx faf-mcp or npm install -g faf-mcp, then add to your MCP config
 monorepo:

package/scripts/check-stylesheet-drift.mjs

@@ -21,7 +21,7 @@ import { dirname, join } from 'node:path';
 const ROOT = join(dirname(fileURLToPath(import.meta.url)), '..');
 
 const SOURCE = 'docs/style-source.html';
-const SURFACES = ['docs/index.html', 'api/index.ts'];
+const SURFACES = ['docs/index.html'];
 
 const OPEN = '/* === faf-mcp:stylesheet canonical';
 const CLOSE = '/* === /faf-mcp:stylesheet canonical === */';