mcp-apply-patch 0.1.5 → 0.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-apply-patch",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "MCP server for structured file patching using V4A diffs. Create, update, and delete files in one atomic operation.",
   "license": "MIT",
   "repository": {

package/scripts/install.js

@@ -3,6 +3,7 @@ const fs = require("fs");
 const path = require("path");
 const { execSync } = require("child_process");
 const os = require("os");
+const crypto = require("crypto");
 
 const VERSION = require("../package.json").version;
 const REPO = "tuanhung303/apply-patch-mcp";
@@ -46,12 +47,25 @@ function download(url) {
   });
 }
 
+function verifySha256(filePath, expectedHex) {
+  const hash = crypto.createHash("sha256");
+  hash.update(fs.readFileSync(filePath));
+  const actual = hash.digest("hex");
+  if (actual !== expectedHex) {
+    throw new Error(
+      `SHA256 mismatch!\n  Expected: ${expectedHex}\n  Actual:   ${actual}\n  File: ${filePath}`
+    );
+  }
+}
+
 async function doInstall() {
   const platformKey = getPlatformKey();
   const isWindows = process.platform === "win32";
   const ext = isWindows ? ".zip" : ".tar.gz";
   const assetName = `apply-patch-mcp-v${VERSION}-${platformKey}${ext}`;
-  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${assetName}`;
+  const shaAssetName = `${assetName}.sha256`;
+  const assetUrl = `https://github.com/${REPO}/releases/download/v${VERSION}/${assetName}`;
+  const shaUrl = `https://github.com/${REPO}/releases/download/v${VERSION}/${shaAssetName}`;
 
   const cacheBinDir = path.join(os.homedir(), ".mcp-apply-patch", "bin");
   const binName = isWindows ? "apply-patch-mcp.exe" : "apply-patch-mcp";
@@ -66,14 +80,26 @@ async function doInstall() {
   console.error(`Downloading apply-patch-mcp v${VERSION} for ${platformKey}...`);
 
   try {
-    const data = await download(url);
+    // Download the binary and its SHA256 checksum in parallel
+    const [binaryData, shaData] = await Promise.all([
+      download(assetUrl),
+      download(shaUrl),
+    ]);
+
     const tmpFile = path.join(os.tmpdir(), assetName);
-    fs.writeFileSync(tmpFile, data);
+    const tmpShaFile = path.join(os.tmpdir(), shaAssetName);
+    fs.writeFileSync(tmpFile, binaryData);
+    fs.writeFileSync(tmpShaFile, shaData);
+
+    // Verify SHA256 checksum before extracting
+    const expectedSha256 = shaData.toString("utf-8").trim().split(/\s+/)[0];
+    console.error("Verifying SHA256 checksum...");
+    verifySha256(tmpFile, expectedSha256);
+    console.error("SHA256 checksum verified.");
 
     fs.mkdirSync(cacheBinDir, { recursive: true });
 
     if (isWindows) {
-      // For Windows, use PowerShell to extract zip
       execSync(`powershell -Command "Expand-Archive -Path '${tmpFile}' -DestinationPath '${cacheBinDir}' -Force"`, { stdio: "inherit" });
     } else {
       execSync(`tar xzf "${tmpFile}" -C "${cacheBinDir}"`, { stdio: "inherit" });
@@ -82,12 +108,17 @@ async function doInstall() {
     // Ensure executable permissions
     try { fs.chmodSync(binPath, 0o755); } catch (e) { /* ignore */ }
     try { fs.unlinkSync(tmpFile); } catch (e) { /* ignore */ }
+    try { fs.unlinkSync(tmpShaFile); } catch (e) { /* ignore */ }
 
     console.error(`apply-patch-mcp v${VERSION} installed to ${binPath}.`);
     return binPath;
   } catch (err) {
-    console.error(`Failed to download binary: ${err.message}`);
-    console.error(`URL: ${url}`);
+    if (err.message.includes("SHA256 mismatch")) {
+      console.error(`SECURITY: ${err.message}`);
+    } else {
+      console.error(`Failed to download binary: ${err.message}`);
+    }
+    console.error(`URL: ${assetUrl}`);
     console.error("You can build from source: cargo build --release");
     throw err;
   }