general-coding-tools-mcp 1.0.0 → 1.0.1

package/dist/content.json.sha256

@@ -0,0 +1 @@
+3dd6626a96cf9447752a73c7ba0ce2c8fa696e640c3f55ebefb41e6788781af1

package/dist/index.js

@@ -7,16 +7,35 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { readFileSync, existsSync } from "fs";
+import { createHash } from "crypto";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
 const __dirname = dirname(fileURLToPath(import.meta.url));
-// Load bundled content (generated by scripts/bundle-content.cjs)
+/** Escape HTML special chars so embedded user input cannot inject script if client renders as HTML. */
+function escapeForEmbedding(s) {
+    return s
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+// Load bundled content (generated by scripts/bundle-content.cjs); verify integrity via SHA-256
 function loadContent() {
     const contentPath = join(__dirname, "content.json");
+    const hashPath = join(__dirname, "content.json.sha256");
     if (!existsSync(contentPath)) {
         throw new Error("content.json not found. Run 'npm run build' from mcp-server to bundle Skills and Subagents.");
     }
-    return JSON.parse(readFileSync(contentPath, "utf8"));
+    const raw = readFileSync(contentPath, "utf8");
+    if (existsSync(hashPath)) {
+        const expectedHash = readFileSync(hashPath, "utf8").trim();
+        const actualHash = createHash("sha256").update(raw, "utf8").digest("hex");
+        if (expectedHash !== actualHash) {
+            throw new Error("content.json integrity check failed (hash mismatch). Rebuild with 'npm run build' or ensure the file was not modified.");
+        }
+    }
+    return JSON.parse(raw);
 }
 const DATA = loadContent();
 const RESOURCE_PREFIX = "general-coding-tools-mcp://";
@@ -85,14 +104,14 @@ server.registerTool("get_skill", {
     title: "Get skill content",
     description: "Get the full content of a skill by name (id). Use list_skills to see available names.",
     inputSchema: z.object({
-        name: z.string().describe("Skill id (e.g. systematic-debugging, correctness-audit)"),
+        name: z.string().max(200).describe("Skill id (e.g. systematic-debugging, correctness-audit)"),
         include_reference: z.boolean().optional().default(false).describe("Include REFERENCE.md if present"),
     }),
 }, async ({ name, include_reference }) => {
     const skill = DATA.skills.find((s) => s.id === name || s.name === name);
     if (!skill) {
         return {
-            content: [{ type: "text", text: `Unknown skill: ${name}. Use list_skills to see available skills.` }],
+            content: [{ type: "text", text: `Unknown skill: ${escapeForEmbedding(name)}. Use list_skills to see available skills.` }],
             isError: true,
         };
     }
@@ -107,13 +126,13 @@ server.registerTool("get_subagent", {
     title: "Get subagent content",
     description: "Get the full content of a subagent by name (id). Use list_subagents to see available names.",
     inputSchema: z.object({
-        name: z.string().describe("Subagent id (e.g. deep-research, update-docs, verifier)"),
+        name: z.string().max(200).describe("Subagent id (e.g. deep-research, update-docs, verifier)"),
     }),
 }, async ({ name }) => {
     const subagent = DATA.subagents.find((a) => a.id === name || a.name === name);
     if (!subagent) {
         return {
-            content: [{ type: "text", text: `Unknown subagent: ${name}. Use list_subagents to see available subagents.` }],
+            content: [{ type: "text", text: `Unknown subagent: ${escapeForEmbedding(name)}. Use list_subagents to see available subagents.` }],
             isError: true,
         };
     }
@@ -131,7 +150,8 @@ for (const s of DATA.skills) {
         },
     }, async ({ user_message }) => {
         const entry = DATA.content.skills[s.name];
-        const text = `I will follow the **${s.name}** skill.\n\n---\n\n${entry.content}\n\n---\n\nUser request: ${user_message ?? "(no message provided)"}`;
+        const safeMessage = escapeForEmbedding(String(user_message ?? "(no message provided)"));
+        const text = `I will follow the **${s.name}** skill.\n\n---\n\n${entry.content}\n\n---\n\nUser request: ${safeMessage}`;
         return {
             messages: [
                 { role: "user", content: { type: "text", text: String(user_message ?? "") } },
@@ -150,7 +170,8 @@ for (const a of DATA.subagents) {
         },
     }, async ({ user_message }) => {
         const entry = DATA.content.subagents[a.name];
-        const text = `I will follow the **${a.name}** subagent.\n\n---\n\n${entry.content}\n\n---\n\nUser request: ${user_message ?? "(no message provided)"}`;
+        const safeMessage = escapeForEmbedding(String(user_message ?? "(no message provided)"));
+        const text = `I will follow the **${a.name}** subagent.\n\n---\n\n${entry.content}\n\n---\n\nUser request: ${safeMessage}`;
         return {
             messages: [
                 { role: "user", content: { type: "text", text: String(user_message ?? "") } },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "general-coding-tools-mcp",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MCP server exposing General Coding Tools (skills and subagents) for use in Cursor, Claude, and Smithery",
   "type": "module",
   "main": "dist/index.js",