isc-transforms-mcp 1.0.21 → 1.0.23

package/dist/allowlist.js

@@ -28,9 +28,16 @@ const RULES = [
     { method: "PATCH", pathPrefix: "/v2024/form-instances", modes: ["write"] } // patch-form-instance
 ];
 export function isAllowed(mode, method, path) {
-    return RULES.some(r => r.method === method &&
-        path.startsWith(r.pathPrefix) &&
-        r.modes.includes(mode));
+    return RULES.some(r => {
+        if (r.method !== method || !r.modes.includes(mode))
+            return false;
+        if (!path.startsWith(r.pathPrefix))
+            return false;
+        // Ensure prefix is followed by end-of-string, '/', or '?' to prevent
+        // matching unintended paths (e.g. /v3/transforms-evil matching /v3/transforms)
+        const rest = path.slice(r.pathPrefix.length);
+        return rest === "" || rest[0] === "/" || rest[0] === "?";
+    });
 }
 export function getAllowlist() {
     return RULES;

package/dist/redact.js

@@ -4,7 +4,14 @@ const SECRET_KEYS = new Set([
     "refresh_token",
     "client_secret",
     "secret",
-    "token"
+    "token",
+    "password",
+    "api_key",
+    "apikey",
+    "bearer",
+    "pat_client_secret",
+    "credential",
+    "credentials",
 ]);
 export function redactDeep(obj) {
     return redactAny(obj);

package/dist/transforms/lint.js

@@ -129,7 +129,8 @@ function checkRequired(spec, attrs) {
             continue;
         }
         const val = attrs?.[req];
-        if (val === undefined || val === null || (typeof val === "string" && val.length === 0)) {
+        // Empty string "" is intentional for fields like negativeCondition, positiveCondition, static.value
+        if (val === undefined || val === null) {
             push(msgs, "error", `Missing required attribute: ${req}.`, `attributes.${req}`);
         }
     }
@@ -276,25 +277,30 @@ function lintConditional(attrs) {
         return msgs;
     }
     // --- 2. Forbidden operators (using any of these throws IllegalArgumentException at runtime) ---
+    // If a forbidden operator is found, that is the root cause. Skip rules 3 and 4 to avoid
+    // duplicate errors (they would fire as consequences of the forbidden operator, not separate issues).
     const forbidden = /(!=|==|>=|<=|>|<|\bne\b|\bgt\b|\blt\b|\bge\b|\ble\b)/i;
-    if (forbidden.test(expr)) {
-        push(msgs, "error", `Unsupported operator in expression '${expr}'. ` +
-            "Only 'eq' is supported — using !=, ==, >, <, ne, gt, lt, ge, le throws IllegalArgumentException at runtime.", "attributes.expression");
+    const forbiddenOpFound = forbidden.test(expr);
+    if (forbiddenOpFound) {
+        push(msgs, "error", `Unsupported operator in expression: '${expr}'. Only 'eq' comparator is supported ` +
+            "(e.g., '$var eq value'). Using !=, ==, >, <, ne, gt, lt, ge, le throws IllegalArgumentException at runtime.", "attributes.expression");
     }
-    // --- 3. Must contain exactly one 'eq' ---
+    // --- 3. Must contain exactly one 'eq' (skip if forbidden operator already diagnosed) ---
     const eqMatches = expr.match(/\beq\b/gi) ?? [];
-    if (eqMatches.length === 0) {
-        push(msgs, "error", `Conditional expression must use the 'eq' comparator: '<ValueA> eq <ValueB>'. Got: '${expr}'.`, "attributes.expression");
-    }
-    else if (eqMatches.length > 1) {
-        push(msgs, "error", `Expression must contain exactly one 'eq'. Found ${eqMatches.length} occurrences in: '${expr}'. ` +
-            "Nest multiple conditions using separate conditional transforms if needed.", "attributes.expression");
+    if (!forbiddenOpFound) {
+        if (eqMatches.length === 0) {
+            push(msgs, "error", `Conditional expression must use the 'eq' comparator: '<ValueA> eq <ValueB>'. Got: '${expr}'.`, "attributes.expression");
+        }
+        else if (eqMatches.length > 1) {
+            push(msgs, "error", `Expression must contain exactly one 'eq'. Found ${eqMatches.length} occurrences in: '${expr}'. ` +
+                "Nest multiple conditions using separate conditional transforms if needed.", "attributes.expression");
+        }
     }
-    // --- 4. Both sides of 'eq' must be non-empty ---
+    // --- 4. Both sides of 'eq' must be non-empty (skip if forbidden operator already diagnosed) ---
     const parts = expr.split(/\beq\b/i);
     const valueA = parts[0]?.trim() ?? "";
     const valueB = parts[1]?.trim() ?? "";
-    if (parts.length !== 2 || valueA.length === 0 || valueB.length === 0) {
+    if (!forbiddenOpFound && (parts.length !== 2 || valueA.length === 0 || valueB.length === 0)) {
         push(msgs, "error", `Expression must follow '<ValueA> eq <ValueB>' with non-empty values on both sides. Got: '${expr}'.`, "attributes.expression");
     }
     // --- 5. Case-sensitivity info for literal operands ---
@@ -839,6 +845,13 @@ function lintDateFormat(attrs) {
                 "(expected tokens like y, M, d, H, h, m, s, S, Z). " +
                 `Valid named formats: ${Array.from(NAMED_FORMATS).join(", ")}.`, `attributes.${field}`);
         }
+        // Warn on uppercase Y (week-year) — a very common Java SimpleDateFormat mistake.
+        // YYYY = ISO 8601 week-based year (e.g. 2023-12-30 could become 2024); yyyy = calendar year.
+        if (/Y/.test(t) && !/^[A-Z][A-Z0-9_]+$/.test(t)) {
+            push(msgs, "warn", `${field} '${t}' contains uppercase 'Y' which is the ISO 8601 week-year in Java SimpleDateFormat, NOT the calendar year. ` +
+                "This is a common mistake: 'YYYY' for a December date can silently produce the following year's number. " +
+                "Use lowercase 'yyyy' for the calendar year (e.g., 'dd-MM-yyyy' instead of 'dd-MM-YYYY').", `attributes.${field}`);
+        }
     };
     checkFmt("inputFormat");
     checkFmt("outputFormat");
@@ -1313,9 +1326,20 @@ function lintStatic(attrs) {
         while ((m = refPattern.exec(value)) !== null) {
             vtlRefs.add(m[1]);
         }
+        // 3a. Detect VTL-local variables assigned via #set($var = ...) — these are internal
+        // VTL temporaries, NOT dynamic attributes that need to be defined in the attributes object.
+        const vtlLocalVars = new Set();
+        const setPattern = /#set\(\s*\$([A-Za-z_][A-Za-z0-9_]*)\s*[=\s]/g;
+        let sm;
+        while ((sm = setPattern.exec(value)) !== null) {
+            vtlLocalVars.add(sm[1]);
+        }
         if (vtlRefs.size > 0) {
-            // 4. Warn for each VTL reference that has no matching dynamic variable in attributes
+            // 4. Warn for each VTL reference that has no matching dynamic variable in attributes.
+            // Skip VTL-local variables (those assigned with #set inside the template itself).
             for (const varName of vtlRefs) {
+                if (vtlLocalVars.has(varName))
+                    continue; // #set local — not an attribute
                 if (!Object.prototype.hasOwnProperty.call(attrs, varName)) {
                     push(msgs, "warn", `VTL references $${varName} in value but no dynamic variable '${varName}' is defined in attributes. ` +
                         `Add a '${varName}' key to attributes with a static string or nested transform that supplies the value.`, `attributes.${varName}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isc-transforms-mcp",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "type": "module",
   "description": "MCP server for SailPoint Identity Security Cloud (ISC) Transform authoring — scaffold, strict lint, catalog, and safe upsert to live tenants.",
   "author": {
@@ -59,12 +59,15 @@
     "@modelcontextprotocol/sdk": "^1.0.0",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
+    "cors": "^2.8.6",
     "dotenv": "^16.4.5",
     "express": "^4.22.1",
+    "express-rate-limit": "^8.3.1",
     "fast-json-patch": "^3.1.1",
     "zod": "^3.23.8"
   },
   "devDependencies": {
+    "@types/cors": "^2.8.19",
     "@types/express": "^4.17.25",
     "@types/node": "^22.10.0",
     "tsx": "^4.19.2",