keystone-cli 2.1.6 → 2.1.7

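--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "keystone-cli",
- "version": "2.1.6",
+ "version": "2.1.7",
  "description": "A local-first, declarative, agentic workflow orchestrator built on Bun",
  "type": "module",
  "bin": {
@@ -16,7 +16,13 @@
  "format": "biome format --write .",
  "schema:generate": "bun run src/scripts/generate-schemas.ts"
  },
- "keywords": ["workflow", "orchestrator", "agentic", "automation", "bun"],
+ "keywords": [
+ "workflow",
+ "orchestrator",
+ "agentic",
+ "automation",
+ "bun"
+ ],
  "author": "Mark Hingston",
  "license": "MIT",
  "repository": {
@@ -24,7 +30,12 @@
  "url": "https://github.com/mhingston/keystone-cli.git"
  },
  "homepage": "https://github.com/mhingston/keystone-cli#readme",
- "files": ["src", "README.md", "LICENSE", "logo.png"],
+ "files": [
+ "src",
+ "README.md",
+ "LICENSE",
+ "logo.png"
+ ],
  "dependencies": {
  "@ast-grep/cli": "^0.40.3",
  "@ast-grep/napi": "^0.40.3",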
@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:te
2
2
  import * as child_process from 'node:child_process';
3
3
  import { MCPClient } from './mcp-client';
4
4
 
5
+ import * as dns from 'node:dns/promises';
5
6
  import { Readable, Writable } from 'node:stream';
6
7
 
7
8
  describe('MCPClient Audit Fixes', () => {
@@ -78,6 +79,24 @@ describe('MCPClient Audit Fixes', () => {
78
79
  });
79
80
 
80
81
  describe('MCPClient SSRF Protection', () => {
82
+ let lookupSpy: ReturnType<typeof spyOn>;
83
+ let fetchSpy: ReturnType<typeof spyOn>;
84
+
85
+ beforeEach(() => {
86
+ // Mock DNS lookup to return a public IP for api.example.com
87
+ lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
88
+ { address: '93.184.216.34', family: 4 }, // example.com's actual IP
89
+ ] as any);
90
+
91
+ // Mock fetch to prevent actual network calls
92
+ fetchSpy = spyOn(global, 'fetch').mockRejectedValue(new Error('Connection timeout'));
93
+ });
94
+
95
+ afterEach(() => {
96
+ lookupSpy.mockRestore();
97
+ fetchSpy.mockRestore();
98
+ });
99
+
81
100
  it('should reject localhost URLs', async () => {
82
101
  // Localhost is rejected regardless of protocol
83
102
  await expect(MCPClient.createRemote('http://localhost:8080/sse')).rejects.toThrow(
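Review bot: The `beforeEach` added to 'MCPClient SSRF Protection' resolves every hostname to the public address 93.184.216.34, so none of the tests visible here covers what the DNS check is for: a public-looking hostname that resolves to a loopback, private or link-local address. Add a case that overrides the spy, for example `lookupSpy.mockResolvedValueOnce([{ address: '127.0.0.1', family: 4 }] as any);` (constructed value), and expect `createRemote` to reject. Because `fetch` is also mocked to reject with 'Connection timeout', a loose `rejects.toThrow()` could pass even if validation let the URL through, so match the validation message and add `expect(fetchSpy).not.toHaveBeenCalled();` to the rejection tests. The same unconditional lookup mock is added to the 'SSE Transport' describe in the following file section. The describe body continues outside this hunk, so such cases may already exist further down.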
@@ -1,5 +1,6 @@
1
1
  import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:test';
2
2
  import * as child_process from 'node:child_process';
3
+ import * as dns from 'node:dns/promises';
3
4
  import { EventEmitter } from 'node:events';
4
5
  import { Readable, Writable } from 'node:stream';
5
6
  import { MCPClient } from './mcp-client';
@@ -123,6 +124,19 @@ describe('MCPClient', () => {
123
124
  });
124
125
 
125
126
  describe('SSE Transport', () => {
127
+ let lookupSpy: ReturnType<typeof spyOn>;
128
+
129
+ beforeEach(() => {
130
+ // Mock DNS lookup to return a public IP for api.example.com
131
+ lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
132
+ { address: '93.184.216.34', family: 4 }, // example.com's actual IP
133
+ ] as any);
134
+ });
135
+
136
+ afterEach(() => {
137
+ lookupSpy.mockRestore();
138
+ });
139
+
126
140
  it('should connect and receive endpoint', async () => {
127
141
  let controller: ReadableStreamDefaultController;
128
142
  const stream = new ReadableStream({