npm - faf-mcp - Versions diffs - 2.1.2 → 2.1.3 - Mend

faf-mcp 2.1.2 → 2.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/CHANGELOG.md +14 -1
package/CLAUDE.md +3 -3
package/README.md +4 -4
package/dist/src/cli.js +2 -15
package/dist/src/cli.js.map +1 -1
package/dist/src/faf-core/commands/bi-sync.js +3 -2
package/dist/src/faf-core/commands/bi-sync.js.map +1 -1
package/dist/src/faf-core/inject.d.ts +19 -0
package/dist/src/faf-core/inject.js +57 -0
package/dist/src/faf-core/inject.js.map +1 -0
package/dist/src/faf-core/parsers/agents-parser.js +3 -2
package/dist/src/faf-core/parsers/agents-parser.js.map +1 -1
package/dist/src/faf-core/parsers/cursorrules-parser.js +6 -2
package/dist/src/faf-core/parsers/cursorrules-parser.js.map +1 -1
package/dist/src/faf-core/parsers/gemini-parser.js +3 -2
package/dist/src/faf-core/parsers/gemini-parser.js.map +1 -1
package/dist/src/handlers/championship-tools.js +11 -11
package/dist/src/handlers/championship-tools.js.map +1 -1
package/dist/src/handlers/fileHandler.js +31 -22
package/dist/src/handlers/fileHandler.js.map +1 -1
package/dist/src/handlers/tools.js +105 -127
package/dist/src/handlers/tools.js.map +1 -1
package/dist/src/server.d.ts +2 -4
package/dist/src/server.js +1 -92
package/dist/src/server.js.map +1 -1
package/dist/src/utils/safe-path.d.ts +66 -0
package/dist/src/utils/safe-path.js +203 -0
package/dist/src/utils/safe-path.js.map +1 -0
package/package.json +1 -5
package/project.faf +3 -3
package/scripts/check-stylesheet-drift.mjs +1 -1

package/dist/src/handlers/tools.js CHANGED Viewed

@@ -40,6 +40,7 @@ const os = __importStar(require("os"));
 const pathModule = __importStar(require("path"));
 const fuzzy_detector_1 = require("../utils/fuzzy-detector");
 const faf_file_finder_js_1 = require("../utils/faf-file-finder.js");
+const safe_path_1 = require("../utils/safe-path");
 const version_1 = require("../version");
 const path_resolver_1 = require("../utils/path-resolver");
 // v2.1.1: single-source scoring — same path the championship handler uses.
@@ -66,12 +67,10 @@ class FafToolHandler {
      */
     getProjectPath(explicitPath) {
         if (explicitPath) {
-            // Expand tilde
-            const expandedPath = explicitPath.startsWith('~')
-                ? pathModule.join(os.homedir(), explicitPath.slice(1))
-                : explicitPath;
-            // Resolve to absolute path
-            const resolvedPath = pathModule.resolve(expandedPath);
+            // Confine the caller-supplied path. A passed *file* must be a .faf/.fafm
+            // context file; absolute/`..` escapes to secrets are refused. Throws
+            // PathConfinementError, caught centrally in callTool() (CWE-22/73/200).
+            const resolvedPath = (0, safe_path_1.confinePath)(explicitPath);
             // If it's a file path, get the directory
             const projectDir = fs.existsSync(resolvedPath) && fs.statSync(resolvedPath).isFile()
                 ? pathModule.dirname(resolvedPath)
@@ -281,7 +280,7 @@ class FafToolHandler {
                 },
                 {
                     name: 'faf_read',
-                    description: 'Read content from any file on the local filesystem',
+                    description: 'Read a file within the project root (cwd / FAF_ALLOWED_ROOTS). Paths that escape the project are refused.',
                     annotations: {
                         title: 'Read .faf File',
                         readOnlyHint: true,
@@ -301,7 +300,7 @@ class FafToolHandler {
                 },
                 {
                     name: 'faf_write',
-                    description: 'Write content to any file on the local filesystem',
+                    description: 'Write a file within the project root (cwd / FAF_ALLOWED_ROOTS). Paths that escape the project are refused.',
                     annotations: {
                         title: 'Write .faf File',
                         readOnlyHint: false,
@@ -358,20 +357,9 @@ class FafToolHandler {
                         additionalProperties: false
                     }
                 },
-                {
-                    name: 'faf_chat',
-                    description: '🗣️ Natural language project.faf generation - Ask 6W questions (Who/What/Why/Where/When/How) to build complete human context 🧡⚡️',
-                    annotations: {
-                        title: 'Chat about FAF',
-                        readOnlyHint: true,
-                        openWorldHint: false
-                    },
-                    inputSchema: {
-                        type: 'object',
-                        properties: {},
-                        additionalProperties: false
-                    }
-                },
+                // faf_chat — DEPRECATED, un-advertised. The host IS the chat — a chat-shim
+                // tool is redundant. Dispatch keeps a deprecation stub (below). Fleet sweep —
+                // mirrors grok-faf-mcp + claude-faf-mcp's retire.
                 {
                     name: 'faf_friday',
                     description: '🎉 Friday Features - Chrome Extension detection, fuzzy matching & more! 🧡⚡️',
@@ -705,81 +693,91 @@ class FafToolHandler {
         if (!name || typeof name !== 'string') {
             throw new Error('Tool name must be a non-empty string');
         }
-        switch (name) {
-            case 'faf_status':
-                return await this.handleFafStatus(args);
-            case 'faf_score':
-                return await this.handleFafScore(args);
-            case 'faf_init':
-                return await this.handleFafInit(args);
-            case 'faf_trust':
-                return await this.handleFafTrust(args);
-            case 'faf_sync':
-                return await this.handleFafSync(args);
-            case 'faf_enhance':
-                return await this.handleFafEnhance(args);
-            case 'faf_bi_sync':
-                return await this.handleFafBiSync(args);
-            case 'faf_clear':
-                return await this.handleFafClear(args);
-            case 'faf_debug':
-                return await this.handleFafDebug(args);
-            case 'faf_about':
-                return await this.handleFafAbout(args);
-            case 'faf_what':
-                return await this.handleFafWhat(args);
-            case 'faf_read': {
-                // Handle faf_read specially to set context when reading project.faf files
-                const readResult = await fileHandler_1.fileHandlers.faf_read(args);
-                // If reading a project.faf file, set the session context
-                if (args?.path && (args.path.includes('project.faf') || args.path.endsWith('.faf'))) {
-                    this.getProjectPath(args.path);
+        try {
+            switch (name) {
+                case 'faf_status':
+                    return await this.handleFafStatus(args);
+                case 'faf_score':
+                    return await this.handleFafScore(args);
+                case 'faf_init':
+                    return await this.handleFafInit(args);
+                case 'faf_trust':
+                    return await this.handleFafTrust(args);
+                case 'faf_sync':
+                    return await this.handleFafSync(args);
+                case 'faf_enhance':
+                    return await this.handleFafEnhance(args);
+                case 'faf_bi_sync':
+                    return await this.handleFafBiSync(args);
+                case 'faf_clear':
+                    return await this.handleFafClear(args);
+                case 'faf_debug':
+                    return await this.handleFafDebug(args);
+                case 'faf_about':
+                    return await this.handleFafAbout(args);
+                case 'faf_what':
+                    return await this.handleFafWhat(args);
+                case 'faf_read': {
+                    // Handle faf_read specially to set context when reading project.faf files
+                    const readResult = await fileHandler_1.fileHandlers.faf_read(args);
+                    // If reading a project.faf file, set the session context
+                    if (args?.path && (args.path.includes('project.faf') || args.path.endsWith('.faf'))) {
+                        this.getProjectPath(args.path);
+                    }
+                    return readResult;
                 }
-                return readResult;
-            }
-            case 'faf_chat':
-                return await this.handleFafChat(args);
-            case 'faf_friday':
-                return await this.handleFafFriday(args);
-            case 'faf_write':
-                return await fileHandler_1.fileHandlers.faf_write(args);
-            case 'faf_list':
-                return await this.handleFafList(args);
-            case 'faf_guide':
-                return await this.handleFafGuide(args);
-            case 'faf_readme':
-                return await this.handleFafReadme(args);
-            case 'faf_human_add':
-                return await this.handleFafHumanAdd(args);
-            case 'faf_check':
-                return await this.handleFafCheck(args);
-            case 'faf_context':
-                return await this.handleFafContext(args);
-            case 'faf_go':
-                return await this.handleFafGo(args);
-            case 'faf_auto':
-                return await this.handleFafAuto(args);
-            case 'faf_dna':
-                return await this.handleFafDna(args);
-            case 'faf_formats':
-                return await this.handleFafFormats(args);
-            case 'faf_quick':
-                return await this.handleFafQuick(args);
-            case 'faf_doctor':
-                return await this.handleFafDoctor(args);
-            // v4.5.0 Interop tools
-            case 'faf_agents':
-                return await this.handleFafAgents(args);
-            case 'faf_cursor':
-                return await this.handleFafCursor(args);
-            case 'faf_gemini':
-                return await this.handleFafGemini(args);
-            case 'faf_conductor':
-                return await this.handleFafConductor(args);
-            case 'faf_git':
-                return await this.handleFafGit(args);
-            default:
-                throw new Error(`Unknown tool: ${name}`);
+                case 'faf_chat':
+                    return await this.handleFafChat(args);
+                case 'faf_friday':
+                    return await this.handleFafFriday(args);
+                case 'faf_write':
+                    return await fileHandler_1.fileHandlers.faf_write(args);
+                case 'faf_list':
+                    return await this.handleFafList(args);
+                case 'faf_guide':
+                    return await this.handleFafGuide(args);
+                case 'faf_readme':
+                    return await this.handleFafReadme(args);
+                case 'faf_human_add':
+                    return await this.handleFafHumanAdd(args);
+                case 'faf_check':
+                    return await this.handleFafCheck(args);
+                case 'faf_context':
+                    return await this.handleFafContext(args);
+                case 'faf_go':
+                    return await this.handleFafGo(args);
+                case 'faf_auto':
+                    return await this.handleFafAuto(args);
+                case 'faf_dna':
+                    return await this.handleFafDna(args);
+                case 'faf_formats':
+                    return await this.handleFafFormats(args);
+                case 'faf_quick':
+                    return await this.handleFafQuick(args);
+                case 'faf_doctor':
+                    return await this.handleFafDoctor(args);
+                // v4.5.0 Interop tools
+                case 'faf_agents':
+                    return await this.handleFafAgents(args);
+                case 'faf_cursor':
+                    return await this.handleFafCursor(args);
+                case 'faf_gemini':
+                    return await this.handleFafGemini(args);
+                case 'faf_conductor':
+                    return await this.handleFafConductor(args);
+                case 'faf_git':
+                    return await this.handleFafGit(args);
+                default:
+                    throw new Error(`Unknown tool: ${name}`);
+            }
+        }
+        catch (err) {
+            // Central catch for path-confinement violations from getProjectPath()
+            // (CWE-22/73/200). Anything else propagates unchanged.
+            if (err instanceof safe_path_1.PathConfinementError) {
+                return { content: [{ type: 'text', text: `PATH DENIED\n\n${err.message}` }], isError: true };
+            }
+            throw err;
         }
     }
     async handleFafStatus(args) {
@@ -1307,37 +1305,17 @@ ${debugInfo.permissions.fafError ? `   FAF Error: ${debugInfo.permissions.fafErr
         }
     }
     async handleFafChat(_args) {
-        try {
-            const result = await this.engineAdapter.callEngine('chat');
-            if (!result.success) {
-                return {
-                    content: [{
-                            type: 'text',
-                            text: `Error running faf chat: ${result.error || 'Unknown error'}`
-                        }],
-                    isError: true
-                };
-            }
-            // Format the response text
-            const responseText = typeof result.data === 'string'
-                ? result.data
-                : result.data?.output || JSON.stringify(result.data, null, 2);
-            return {
-                content: [{
-                        type: 'text',
-                        text: responseText
-                    }]
-            };
-        }
-        catch (error) {
-            return {
-                content: [{
-                        type: 'text',
-                        text: `Error running faf chat: ${error instanceof Error ? error.message : String(error)}`
-                    }],
-                isError: true
-            };
-        }
+        // DEPRECATED: the host IS the chat — a chat-shim MCP tool is redundant.
+        // Un-advertised in listTools; this stub stays so anyone still wired gets a
+        // clear signal, not a crash. The old body shelled `faf chat` via the engine
+        // subprocess (a command faf-cli no longer ships) — removing it ends that dead shell.
+        return {
+            content: [{
+                    type: 'text',
+                    text: 'faf_chat is retired — the host is your chat, just talk here. ' +
+                        'For FAF: faf_init / faf_score / faf_sync, or "ask questions" to build context.',
+                }],
+        };
     }
     async handleFafFriday(args) {
         const { test } = args || {};