mcpick 0.0.7 → 0.0.8

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # mcpick
 
+## 0.0.8
+
+### Patch Changes
+
+- 219d5fd: Add scope support for MCP server installation with Claude
+  CLI integration and shell injection fixes
+
 ## 0.0.7
 
 ### Patch Changes

package/README.md

@@ -70,7 +70,7 @@ McPick provides an intuitive CLI menu to:
 ┌  McPick - MCP Server Configuration Manager
 │
 ◆  What would you like to do?
-│  ● Edit config (Toggle MCP servers on/off)
+│  ● Enable / Disable MCP servers (Toggle MCP servers on/off)
 │  ○ Backup config
 │  ○ Add MCP server
 │  ○ Restore from backup
@@ -80,6 +80,26 @@ McPick provides an intuitive CLI menu to:
 └
 ```
 
+### Scope Support
+
+MCPick supports the three MCP server scopes used by Claude Code:
+
+| Scope       | Description                          | Storage Location                              |
+| ----------- | ------------------------------------ | --------------------------------------------- |
+| **Local**   | Project-specific servers (default)   | `~/.claude.json` → `projects[cwd].mcpServers` |
+| **Project** | Shared via `.mcp.json` in repository | `.mcp.json` in project root                   |
+| **User**    | Global servers for all projects      | `~/.claude.json` → `mcpServers`               |
+
+When you select "Enable / Disable MCP servers", MCPick will:
+
+1. Ask which scope you want to edit
+2. Show servers already enabled for that scope (pre-checked)
+3. Use `claude mcp add/remove` CLI commands for Local and Project
+   scopes
+
+This integration ensures your changes are correctly applied to the
+right configuration location.
+
 ### Smart Server Management
 
 - **Auto-discovery**: Automatically imports servers from your existing
@@ -183,15 +203,25 @@ MCPick works with the standard Claude Code configuration format:
 
 - **Claude Config**: `~/.claude.json` (your main Claude Code
   configuration)
+- **Project Config**: `.mcp.json` (project-specific shared config,
+  committed to git)
 - **MCPick Registry**: `~/.claude/mcpick/servers.json` (MCPick's
   server database)
 - **Backups**: `~/.claude/mcpick/backups/` (MCP configuration backups)
 - **Profiles**: `~/.claude/mcpick/profiles/` (predefined server sets)
 
-> **Note**: If your MCP servers do not appear in MCPick, ensure they
-> are configured at the global level in Claude Code
-> (`~/.claude.json`), not at the project level (`.claude.json` in your
-> project directory). MCPick manages the global configuration file.
+#### MCP Server Storage by Scope
+
+| Scope   | Location                                                     | Use Case                           |
+| ------- | ------------------------------------------------------------ | ---------------------------------- |
+| Local   | `~/.claude.json` → `projects["/path/to/project"].mcpServers` | Personal project config            |
+| Project | `.mcp.json` in project root                                  | Shared team config (commit to git) |
+| User    | `~/.claude.json` → `mcpServers`                              | Global servers for all projects    |
+
+> **Note**: MCPick automatically detects servers in parent
+> directories. If you have local servers configured at
+> `/Users/you/projects` and run MCPick from
+> `/Users/you/projects/myapp`, it will find and display them.
 
 ## Safety Features
 

package/dist/commands/add-server.js

@@ -1,6 +1,7 @@
-import { confirm, note, select, text } from '@clack/prompts';
+import { confirm, log, note, select, text } from '@clack/prompts';
 import { add_server_to_registry } from '../core/registry.js';
 import { validate_mcp_server } from '../core/validation.js';
+import { add_mcp_via_cli, check_claude_cli, get_scope_options, get_scope_description, } from '../utils/claude-cli.js';
 function format_server_details(server) {
     const details = [`Name: ${server.name}`];
     if ('command' in server) {
@@ -23,7 +24,17 @@ function format_server_details(server) {
 }
 export async function add_server() {
     try {
-        // First, ask how they want to configure the server
+        // Check if Claude CLI is available
+        const cli_available = await check_claude_cli();
+        // First, ask where to install the server (scope)
+        const scope = await select({
+            message: 'Where should this server be installed?',
+            options: get_scope_options(),
+            initialValue: 'local',
+        });
+        if (typeof scope === 'symbol')
+            return;
+        // Then ask how they want to configure the server
         const config_method = await select({
             message: 'How would you like to add the server?',
             options: [
@@ -43,7 +54,7 @@ export async function add_server() {
         if (typeof config_method === 'symbol')
             return;
         if (config_method === 'json') {
-            return await add_server_from_json();
+            return await add_server_from_json(scope, cli_available);
         }
         const name = await text({
             message: 'Server name:',
@@ -181,21 +192,39 @@ export async function add_server() {
         }
         const validated_server = validate_mcp_server(server_data);
         const details = format_server_details(validated_server);
+        details.push(`Scope: ${get_scope_description(scope)}`);
         note(`Server to add:\n${details.join('\n')}`);
         const should_add = await confirm({
-            message: 'Add this server to the registry?',
+            message: 'Add this server?',
         });
         if (typeof should_add === 'symbol' || !should_add) {
             return;
         }
+        // Always add to registry for profile/backup management
         await add_server_to_registry(validated_server);
-        note(`Server "${validated_server.name}" added to registry successfully!`);
+        // Install via Claude CLI if available
+        if (cli_available) {
+            const result = await add_mcp_via_cli(validated_server, scope);
+            if (result.success) {
+                note(`Server "${validated_server.name}" installed successfully!\n` +
+                    `Scope: ${get_scope_description(scope)}\n` +
+                    `Also added to mcpick registry for profile management.`);
+            }
+            else {
+                log.warn(`CLI installation failed: ${result.error}\n` +
+                    `Server added to registry only. Use 'claude mcp add' manually.`);
+            }
+        }
+        else {
+            log.warn(`Claude CLI not found. Server added to registry only.\n` +
+                `Install Claude Code CLI and run 'claude mcp add' to activate.`);
+        }
     }
     catch (error) {
         throw new Error(`Failed to add server: ${error instanceof Error ? error.message : 'Unknown error'}`);
     }
 }
-async function add_server_from_json() {
+async function add_server_from_json(scope, cli_available) {
     const json_input = await text({
         message: 'Paste JSON configuration:',
         placeholder: '{ "name": "mcp-sqlite-tools", "command": "npx", "args": ["-y", "mcp-sqlite-tools"] }',
@@ -246,15 +275,33 @@ async function add_server_from_json() {
         }
         const validated_server = validate_mcp_server(server_data);
         const details = format_server_details(validated_server);
+        details.push(`Scope: ${get_scope_description(scope)}`);
         note(`Server to add:\n${details.join('\n')}`);
         const should_add = await confirm({
-            message: 'Add this server to the registry?',
+            message: 'Add this server?',
         });
         if (typeof should_add === 'symbol' || !should_add) {
             return;
         }
+        // Always add to registry for profile/backup management
         await add_server_to_registry(validated_server);
-        note(`Server "${validated_server.name}" added to registry successfully!`);
+        // Install via Claude CLI if available
+        if (cli_available) {
+            const result = await add_mcp_via_cli(validated_server, scope);
+            if (result.success) {
+                note(`Server "${validated_server.name}" installed successfully!\n` +
+                    `Scope: ${get_scope_description(scope)}\n` +
+                    `Also added to mcpick registry for profile management.`);
+            }
+            else {
+                log.warn(`CLI installation failed: ${result.error}\n` +
+                    `Server added to registry only. Use 'claude mcp add' manually.`);
+            }
+        }
+        else {
+            log.warn(`Claude CLI not found. Server added to registry only.\n` +
+                `Install Claude Code CLI and run 'claude mcp add' to activate.`);
+        }
     }
     catch (error) {
         throw new Error(`Failed to parse or validate JSON: ${error instanceof Error ? error.message : 'Unknown error'}`);

package/dist/commands/edit-config.js

@@ -1,8 +1,19 @@
-import { multiselect, note } from '@clack/prompts';
-import { create_config_from_servers, get_enabled_servers, read_claude_config, write_claude_config, } from '../core/config.js';
+import { log, multiselect, note, select } from '@clack/prompts';
+import { create_config_from_servers, get_enabled_servers, get_enabled_servers_for_scope, read_claude_config, write_claude_config, } from '../core/config.js';
 import { get_all_available_servers, sync_servers_to_registry, } from '../core/registry.js';
+import { add_mcp_via_cli, check_claude_cli, get_scope_description, get_scope_options, remove_mcp_via_cli, } from '../utils/claude-cli.js';
 export async function edit_config() {
     try {
+        // Check if Claude CLI is available
+        const cli_available = await check_claude_cli();
+        // Ask which scope to edit
+        const scope = await select({
+            message: 'Which configuration do you want to edit?',
+            options: get_scope_options(),
+            initialValue: 'local',
+        });
+        if (typeof scope === 'symbol')
+            return;
         const current_config = await read_claude_config();
         // If registry is empty but .claude.json has servers, populate registry from config
         let all_servers = await get_all_available_servers();
@@ -18,14 +29,15 @@ export async function edit_config() {
             note('No MCP servers found in .claude.json or registry. Add servers first.');
             return;
         }
-        const currently_enabled = Object.keys(current_config.mcpServers || {});
+        // Get currently enabled servers for the selected scope
+        const currently_enabled = await get_enabled_servers_for_scope(scope);
         const server_choices = all_servers.map((server) => ({
             value: server.name,
             label: server.name,
             hint: server.description || '',
         }));
         const selected_server_names = await multiselect({
-            message: 'Select MCP servers to enable (Toggle On/Off servers with spacebar):',
+            message: `Select MCP servers for ${get_scope_description(scope)}:`,
             options: server_choices,
             initialValues: currently_enabled,
             required: false,
@@ -34,11 +46,61 @@ export async function edit_config() {
             return;
         }
         const selected_servers = all_servers.filter((server) => selected_server_names.includes(server.name));
-        const new_config = create_config_from_servers(selected_servers);
-        await write_claude_config(new_config);
-        await sync_servers_to_registry(selected_servers);
-        note(`Configuration updated!\n` +
-            `Enabled servers: ${selected_servers.length}`);
+        // Determine which servers to add and remove
+        const servers_to_add = selected_server_names.filter((name) => !currently_enabled.includes(name));
+        const servers_to_remove = currently_enabled.filter((name) => !selected_server_names.includes(name));
+        // If CLI is available, use it for add/remove operations
+        if (cli_available && (scope === 'local' || scope === 'project')) {
+            let success_count = 0;
+            let error_count = 0;
+            // Add new servers
+            for (const name of servers_to_add) {
+                const server = all_servers.find((s) => s.name === name);
+                if (server) {
+                    const result = await add_mcp_via_cli(server, scope);
+                    if (result.success) {
+                        success_count++;
+                    }
+                    else {
+                        error_count++;
+                        log.warn(`Failed to add ${name}: ${result.error}`);
+                    }
+                }
+            }
+            // Remove servers
+            for (const name of servers_to_remove) {
+                const result = await remove_mcp_via_cli(name);
+                if (result.success) {
+                    success_count++;
+                }
+                else {
+                    error_count++;
+                    log.warn(`Failed to remove ${name}: ${result.error}`);
+                }
+            }
+            await sync_servers_to_registry(selected_servers);
+            if (error_count > 0) {
+                note(`Configuration updated with ${error_count} errors.\n` +
+                    `Scope: ${get_scope_description(scope)}\n` +
+                    `Added: ${servers_to_add.length}, Removed: ${servers_to_remove.length}`);
+            }
+            else {
+                note(`Configuration updated!\n` +
+                    `Scope: ${get_scope_description(scope)}\n` +
+                    `Enabled servers: ${selected_servers.length}`);
+            }
+        }
+        else {
+            // Fallback to direct file writing (user scope or no CLI)
+            const new_config = create_config_from_servers(selected_servers);
+            await write_claude_config(new_config);
+            await sync_servers_to_registry(selected_servers);
+            if (!cli_available && scope !== 'user') {
+                log.warn(`Claude CLI not available. Changes written to ~/.claude.json (user scope) instead of ${scope} scope.`);
+            }
+            note(`Configuration updated!\n` +
+                `Enabled servers: ${selected_servers.length}`);
+        }
     }
     catch (error) {
         throw new Error(`Failed to edit configuration: ${error instanceof Error ? error.message : 'Unknown error'}`);

package/dist/core/config.js

@@ -1,5 +1,5 @@
 import { access, readFile, writeFile } from 'node:fs/promises';
-import { get_claude_config_path } from '../utils/paths.js';
+import { get_claude_config_path, get_current_project_path, get_project_mcp_json_path, } from '../utils/paths.js';
 import { validate_claude_config } from './validation.js';
 export async function read_claude_config() {
     const config_path = get_claude_config_path();
@@ -51,4 +51,105 @@ export function create_config_from_servers(selected_servers) {
     });
     return { mcpServers: mcp_servers };
 }
+/**
+ * Read full Claude config including projects section
+ */
+async function read_claude_config_full() {
+    const config_path = get_claude_config_path();
+    try {
+        await access(config_path);
+        const config_content = await readFile(config_path, 'utf-8');
+        return JSON.parse(config_content);
+    }
+    catch (error) {
+        return { mcpServers: {}, projects: {} };
+    }
+}
+/**
+ * Read MCP servers for local scope (current project)
+ * Stored in ~/.claude.json -> projects[cwd].mcpServers
+ * Also searches parent directories since Claude CLI may store config at parent level
+ */
+async function read_local_mcp_servers() {
+    const { dirname } = await import('node:path');
+    const { homedir } = await import('node:os');
+    const full_config = await read_claude_config_full();
+    const home = homedir();
+    let current_dir = get_current_project_path();
+    // Search current directory and parents for local config
+    while (current_dir &&
+        current_dir !== '/' &&
+        current_dir.length >= home.length) {
+        const project_config = full_config.projects?.[current_dir];
+        if (project_config?.mcpServers &&
+            Object.keys(project_config.mcpServers).length > 0) {
+            return Object.keys(project_config.mcpServers);
+        }
+        current_dir = dirname(current_dir);
+    }
+    return [];
+}
+/**
+ * Read MCP servers from .mcp.json in current project (project scope)
+ */
+async function read_project_mcp_servers() {
+    const mcp_json_path = get_project_mcp_json_path();
+    try {
+        await access(mcp_json_path);
+        const content = await readFile(mcp_json_path, 'utf-8');
+        const parsed = JSON.parse(content);
+        const servers = parsed.mcpServers || {};
+        return Object.keys(servers);
+    }
+    catch (error) {
+        return [];
+    }
+}
+/**
+ * Read MCP servers from ~/.claude.json -> mcpServers (user scope)
+ */
+async function read_user_mcp_servers() {
+    const config = await read_claude_config();
+    return Object.keys(config.mcpServers || {});
+}
+/**
+ * Read MCP servers from .mcp.json files (project scope)
+ * Searches current directory and parents for .mcp.json
+ */
+async function find_and_read_project_mcp_json() {
+    const { dirname } = await import('node:path');
+    let current_dir = get_current_project_path();
+    const home = (await import('node:os')).homedir();
+    // Search upward for .mcp.json, stop at home or root
+    while (current_dir &&
+        current_dir !== '/' &&
+        current_dir.length >= home.length) {
+        const mcp_path = `${current_dir}/.mcp.json`;
+        try {
+            await access(mcp_path);
+            const content = await readFile(mcp_path, 'utf-8');
+            const parsed = JSON.parse(content);
+            const servers = parsed.mcpServers || {};
+            return Object.keys(servers);
+        }
+        catch {
+            // Not found, try parent
+        }
+        current_dir = dirname(current_dir);
+    }
+    return [];
+}
+/**
+ * Get currently enabled server names for a specific scope
+ */
+export async function get_enabled_servers_for_scope(scope) {
+    switch (scope) {
+        case 'local':
+            return read_local_mcp_servers();
+        case 'project':
+            return find_and_read_project_mcp_json();
+        case 'user':
+            return read_user_mcp_servers();
+    }
+}
 //# sourceMappingURL=config.js.map

package/dist/utils/claude-cli.js

@@ -0,0 +1,153 @@
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+const execAsync = promisify(exec);
+/**
+ * Check if Claude CLI is available
+ */
+export async function check_claude_cli() {
+    try {
+        await execAsync('claude --version');
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Escape a string for shell usage
+ */
+function shell_escape(str) {
+    // Replace single quotes with escaped version
+    return `'${str.replace(/'/g, "'\\''")}'`;
+}
+/**
+ * Validate environment variable key
+ * Must start with letter or underscore, contain only alphanumeric and underscores
+ */
+function is_valid_env_key(key) {
+    return /^[A-Za-z_][A-Za-z0-9_]*$/.test(key);
+}
+/**
+ * Build the claude mcp add command for a server
+ */
+function build_add_command(server, scope) {
+    const parts = ['claude', 'mcp', 'add'];
+    // Server name
+    parts.push(shell_escape(server.name));
+    // Transport type
+    const transport = server.type || 'stdio';
+    parts.push('--transport', transport);
+    // Scope
+    parts.push('--scope', scope);
+    // Handle different transport types
+    if (transport === 'stdio') {
+        // Environment variables (skip invalid keys to prevent injection)
+        if (server.env) {
+            for (const [key, value] of Object.entries(server.env)) {
+                if (is_valid_env_key(key)) {
+                    parts.push('-e', `${key}=${shell_escape(value)}`);
+                }
+            }
+        }
+        // Command and args (after --)
+        if ('command' in server && server.command) {
+            parts.push('--');
+            parts.push(shell_escape(server.command));
+            if (server.args && server.args.length > 0) {
+                parts.push(...server.args.map((arg) => shell_escape(arg)));
+            }
+        }
+    }
+    else {
+        // HTTP or SSE transport
+        if ('url' in server && server.url) {
+            parts.push(shell_escape(server.url));
+        }
+    }
+    return parts.join(' ');
+}
+/**
+ * Add an MCP server using Claude CLI
+ */
+export async function add_mcp_via_cli(server, scope) {
+    // Check if CLI is available
+    const cli_available = await check_claude_cli();
+    if (!cli_available) {
+        return {
+            success: false,
+            error: 'Claude CLI not found. Please install Claude Code CLI.',
+        };
+    }
+    const command = build_add_command(server, scope);
+    try {
+        await execAsync(command);
+        return { success: true };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        return {
+            success: false,
+            error: `Failed to add server via CLI: ${message}`,
+        };
+    }
+}
+/**
+ * Remove an MCP server using Claude CLI
+ */
+export async function remove_mcp_via_cli(name) {
+    // Check if CLI is available
+    const cli_available = await check_claude_cli();
+    if (!cli_available) {
+        return {
+            success: false,
+            error: 'Claude CLI not found. Please install Claude Code CLI.',
+        };
+    }
+    try {
+        await execAsync(`claude mcp remove ${shell_escape(name)}`);
+        return { success: true };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        return {
+            success: false,
+            error: `Failed to remove server via CLI: ${message}`,
+        };
+    }
+}
+/**
+ * Get the scope description for display
+ */
+export function get_scope_description(scope) {
+    switch (scope) {
+        case 'local':
+            return 'This project only (default)';
+        case 'project':
+            return 'Shared via .mcp.json (version controlled)';
+        case 'user':
+            return 'Global - all projects';
+    }
+}
+/**
+ * Get scope options for select prompt
+ */
+export function get_scope_options() {
+    return [
+        {
+            value: 'local',
+            label: 'Local',
+            hint: 'This project only (default)',
+        },
+        {
+            value: 'project',
+            label: 'Project',
+            hint: 'Shared via .mcp.json (git)',
+        },
+        {
+            value: 'user',
+            label: 'User (Global)',
+            hint: 'Available in all projects',
+        },
+    ];
+}
+//# sourceMappingURL=claude-cli.js.map

package/dist/utils/paths.js

@@ -60,4 +60,22 @@ export async function ensure_directory_exists(dir_path) {
         await mkdir(dir_path, { recursive: true });
     }
 }
+/**
+ * Get the current working directory (project path)
+ */
+export function get_current_project_path() {
+    return process.cwd();
+}
+/**
+ * Get the path to .mcp.json in the current project directory (project scope)
+ */
+export function get_project_mcp_json_path() {
+    return join(get_current_project_path(), '.mcp.json');
+}
+/**
+ * Get the path to the global .mcp.json in home directory (user scope)
+ */
+export function get_global_mcp_json_path() {
+    return join(homedir(), '.mcp.json');
+}
 //# sourceMappingURL=paths.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcpick",
-  "version": "0.0.7",
+  "version": "0.0.8",
   "description": "Dynamic MCP server configuration manager for Claude Code",
   "type": "module",
   "main": "./dist/index.js",