memory-journal-mcp 4.3.0 → 4.4.0

package/src/server/McpServer.ts

@@ -31,14 +31,22 @@ import { getPrompts, getPrompt } from '../handlers/prompts/index.js'
 import { generateInstructions } from '../constants/ServerInstructions.js'
 import pkg from '../../package.json' with { type: 'json' }
 
+/** Session timeout for stateful HTTP mode (30 minutes) */
+const SESSION_TIMEOUT_MS = 30 * 60 * 1000
+
+/** Session timeout sweep interval (5 minutes) */
+const SESSION_SWEEP_INTERVAL_MS = 5 * 60 * 1000
+
 export interface ServerOptions {
     transport: 'stdio' | 'http'
     port?: number
+    host?: string
     dbPath: string
     toolFilter?: string
     defaultProjectNumber?: number
     autoRebuildIndex?: boolean
     statelessHttp?: boolean
+    corsOrigin?: string
 }
 
 /**
@@ -107,14 +115,13 @@ export async function createServer(options: ServerOptions): Promise<void> {
           }
         : undefined
 
+    // Get all tools once (unfiltered) for both instruction generation and registration
+    const allTools = getTools(db, null, vectorManager, github, { defaultProjectNumber })
+    const allToolNames = new Set(allTools.map((t) => (t as { name: string }).name))
+
     // Generate dynamic instructions based on enabled tools, resources, prompts, and latest entry
     const instructions = generateInstructions(
-        filterConfig?.enabledTools ??
-            new Set(
-                getTools(db, null, vectorManager, github, { defaultProjectNumber }).map(
-                    (t) => (t as { name: string }).name
-                )
-            ),
+        filterConfig?.enabledTools ?? allToolNames,
         resources.map((r) => {
             const res = r as { uri: string; name: string; description?: string }
             return { uri: res.uri, name: res.name, description: res.description }
@@ -140,8 +147,10 @@ export async function createServer(options: ServerOptions): Promise<void> {
         }
     )
 
-    // Get filtered tools and register them dynamically
-    const tools = getTools(db, filterConfig, vectorManager, github, { defaultProjectNumber })
+    // Apply filter to get the set of tools to register
+    const tools = filterConfig
+        ? getTools(db, filterConfig, vectorManager, github, { defaultProjectNumber })
+        : allTools
     for (const tool of tools) {
         const toolDef = tool as {
             name: string
@@ -394,12 +403,21 @@ export async function createServer(options: ServerOptions): Promise<void> {
     } else {
         // HTTP transport with SSE support
         const port = options.port ?? 3000
+        const host = options.host ?? 'localhost'
+        const corsOrigin = options.corsOrigin ?? process.env['MCP_CORS_ORIGIN'] ?? '*'
         const app: Express = express()
 
-        // Manual CORS middleware for browser-based clients (e.g., MCP Inspector)
+        // Security headers middleware
+        app.use((_req: Request, res: Response, next: () => void) => {
+            res.setHeader('X-Content-Type-Options', 'nosniff')
+            res.setHeader('X-Frame-Options', 'DENY')
+            next()
+        })
+
+        // CORS middleware for browser-based clients (e.g., MCP Inspector)
+        // Origin is configurable via --cors-origin flag or MCP_CORS_ORIGIN env var
         app.use((req: Request, res: Response, next: () => void) => {
-            // Set CORS headers on all responses
-            res.setHeader('Access-Control-Allow-Origin', '*')
+            res.setHeader('Access-Control-Allow-Origin', corsOrigin)
             res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS')
             res.setHeader(
                 'Access-Control-Allow-Headers',
@@ -416,22 +434,14 @@ export async function createServer(options: ServerOptions): Promise<void> {
             next()
         })
 
-        // JSON body parser for MCP requests
-        app.use(express.json())
+        // JSON body parser with size limit to prevent memory exhaustion (DoS)
+        app.use(express.json({ limit: '1mb' }))
 
         // Explicit OPTIONS handler for /mcp - MUST be before other /mcp routes
         // Using app.all to intercept before Express 5's auto-OPTIONS
         app.all('/mcp', (req: Request, res: Response, next: () => void) => {
-            // Set CORS headers on ALL responses
-            res.setHeader('Access-Control-Allow-Origin', '*')
-            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS')
-            res.setHeader(
-                'Access-Control-Allow-Headers',
-                'Content-Type, Accept, mcp-session-id, Last-Event-ID, mcp-protocol-version'
-            )
-            res.setHeader('Access-Control-Expose-Headers', 'mcp-session-id')
-
-            // For OPTIONS, respond immediately with CORS headers
+            // CORS headers are already set by the middleware above.
+            // For OPTIONS, respond immediately.
             if (req.method === 'OPTIONS') {
                 res.status(204).end()
                 return
@@ -479,11 +489,12 @@ export async function createServer(options: ServerOptions): Promise<void> {
             })
 
             // Start HTTP server
-            const httpServer = app.listen(port, () => {
+            const httpServer = app.listen(port, host, () => {
                 logger.info('MCP server started on HTTP (stateless)', {
                     module: 'McpServer',
                     port,
-                    endpoint: `http://localhost:${port}/mcp`,
+                    host,
+                    endpoint: `http://${host}:${port}/mcp`,
                 })
             })
 
@@ -521,8 +532,37 @@ export async function createServer(options: ServerOptions): Promise<void> {
             // === STATEFUL MODE ===
             // Session-based transport with SSE support for notifications
 
-            // Session transport storage
+            // Session transport storage with last-activity timestamps
             const transports = new Map<string, StreamableHTTPServerTransport>()
+            const sessionLastActivity = new Map<string, number>()
+
+            /** Update the last-activity timestamp for a session */
+            const touchSession = (sid: string): void => {
+                sessionLastActivity.set(sid, Date.now())
+            }
+
+            /** Sweep expired sessions (called periodically) */
+            const sweepExpiredSessions = (): void => {
+                const now = Date.now()
+                for (const [sid, lastActivity] of sessionLastActivity) {
+                    if (now - lastActivity > SESSION_TIMEOUT_MS && transports.has(sid)) {
+                        logger.info('Expiring idle HTTP session', {
+                            module: 'McpServer',
+                            sessionId: sid,
+                            idleMinutes: Math.round((now - lastActivity) / 60_000),
+                        })
+                        const t = transports.get(sid)
+                        if (t) {
+                            void t.close()
+                        }
+                        transports.delete(sid)
+                        sessionLastActivity.delete(sid)
+                    }
+                }
+            }
+
+            // Start session timeout sweep (runs every 5 minutes)
+            const sessionSweepTimer = setInterval(sweepExpiredSessions, SESSION_SWEEP_INTERVAL_MS)
 
             // POST /mcp - Handle JSON-RPC requests
             app.post('/mcp', (req: Request, res: Response): void => {
@@ -533,7 +573,8 @@ export async function createServer(options: ServerOptions): Promise<void> {
                         let httpTransport: StreamableHTTPServerTransport | undefined
 
                         if (sessionId && transports.has(sessionId)) {
-                            // Reuse existing transport
+                            // Reuse existing transport and refresh session activity
+                            touchSession(sessionId)
                             httpTransport = transports.get(sessionId)
                         } else if (sessionId === undefined && isInitializeRequest(req.body)) {
                             // New initialization request - create transport
@@ -545,6 +586,7 @@ export async function createServer(options: ServerOptions): Promise<void> {
                                         sessionId: sid,
                                     })
                                     transports.set(sid, newTransport)
+                                    touchSession(sid)
                                 },
                             })
 
@@ -557,6 +599,7 @@ export async function createServer(options: ServerOptions): Promise<void> {
                                         sessionId: sid,
                                     })
                                     transports.delete(sid)
+                                    sessionLastActivity.delete(sid)
                                 }
                             }
 
@@ -614,6 +657,9 @@ export async function createServer(options: ServerOptions): Promise<void> {
                     return
                 }
 
+                // Refresh session activity on SSE reconnect
+                touchSession(sessionId)
+
                 const lastEventId = req.headers['last-event-id']
                 if (lastEventId !== undefined) {
                     logger.debug('Client reconnecting with Last-Event-ID', {
@@ -656,11 +702,12 @@ export async function createServer(options: ServerOptions): Promise<void> {
             })
 
             // Start HTTP server
-            const httpServer = app.listen(port, () => {
+            const httpServer = app.listen(port, host, () => {
                 logger.info('MCP server started on HTTP (stateful)', {
                     module: 'McpServer',
                     port,
-                    endpoint: `http://localhost:${port}/mcp`,
+                    host,
+                    endpoint: `http://${host}:${port}/mcp`,
                 })
             })
 
@@ -689,6 +736,8 @@ export async function createServer(options: ServerOptions): Promise<void> {
                         }
                     }
                     transports.clear()
+                    sessionLastActivity.clear()
+                    clearInterval(sessionSweepTimer)
 
                     httpServer.close()
                     db.close()
@@ -697,14 +746,7 @@ export async function createServer(options: ServerOptions): Promise<void> {
                 })()
             })
 
-            // Keep process alive with a heartbeat timer
-            // setInterval keeps the event loop active and prevents exit
-            setInterval(
-                () => {
-                    // Heartbeat - keeps event loop active
-                },
-                1000 * 60 * 60
-            ) // 1 hour interval (just needs to exist)
+            // sessionSweepTimer keeps the event loop active (no additional heartbeat needed)
         }
     }
 }

package/src/types/index.ts

@@ -266,6 +266,17 @@ export interface JournalEntry {
     autoContext: string | null
     deletedAt: string | null
     tags: string[]
+    // GitHub integration fields
+    projectNumber?: number | null
+    projectOwner?: string | null
+    issueNumber?: number | null
+    issueUrl?: string | null
+    prNumber?: number | null
+    prUrl?: string | null
+    prStatus?: string | null
+    workflowRunId?: number | null
+    workflowName?: string | null
+    workflowStatus?: string | null
 }
 
 /**
@@ -298,6 +309,30 @@ export interface Embedding {
     modelName: string
 }
 
+/**
+ * Importance scoring breakdown showing weighted component contributions
+ */
+export interface ImportanceBreakdown {
+    /** Significance type contribution (weight: 0.30) */
+    significance: number
+    /** Relationship count contribution (weight: 0.35) */
+    relationships: number
+    /** Causal relationship contribution (weight: 0.20) */
+    causal: number
+    /** Recency decay contribution (weight: 0.15) */
+    recency: number
+}
+
+/**
+ * Importance calculation result with total score and component breakdown
+ */
+export interface ImportanceResult {
+    /** Total importance score (0.0-1.0) */
+    score: number
+    /** Weighted component contributions */
+    breakdown: ImportanceBreakdown
+}
+
 // ============================================================================
 // GitHub Integration Types
 // ============================================================================
@@ -320,6 +355,7 @@ export interface GitHubIssue {
     title: string
     url: string
     state: 'OPEN' | 'CLOSED'
+    milestone?: { number: number; title: string } | null
 }
 
 /**
@@ -332,6 +368,23 @@ export interface GitHubPullRequest {
     state: 'OPEN' | 'CLOSED' | 'MERGED'
 }
 
+/**
+ * GitHub milestone information
+ */
+export interface GitHubMilestone {
+    number: number
+    title: string
+    description: string | null
+    state: 'open' | 'closed'
+    url: string
+    dueOn: string | null
+    openIssues: number
+    closedIssues: number
+    createdAt: string
+    updatedAt: string
+    creator: string | null
+}
+
 /**
  * GitHub workflow run information
  */
@@ -359,6 +412,51 @@ export interface ProjectContext {
     issues: GitHubIssue[]
     pullRequests: GitHubPullRequest[]
     workflowRuns: GitHubWorkflowRun[]
+    milestones: GitHubMilestone[]
+}
+
+// ============================================================================
+// Repository Insights/Traffic Types
+// ============================================================================
+
+/**
+ * Repository statistics (stars, forks, watchers)
+ */
+export interface RepoStats {
+    stars: number
+    forks: number
+    watchers: number
+    openIssues: number
+    size: number // KB
+    defaultBranch: string
+}
+
+/**
+ * Aggregated traffic data (14-day rolling)
+ */
+export interface TrafficData {
+    clones: { total: number; unique: number; dailyAvg: number }
+    views: { total: number; unique: number; dailyAvg: number }
+    period: string // e.g. "14 days"
+}
+
+/**
+ * Traffic referrer source
+ */
+export interface TrafficReferrer {
+    referrer: string
+    count: number
+    uniques: number
+}
+
+/**
+ * Popular repository path
+ */
+export interface PopularPath {
+    path: string
+    title: string
+    count: number
+    uniques: number
 }
 
 // ============================================================================

package/src/utils/logger.ts

@@ -3,8 +3,11 @@
  *
  * Centralized logging to stderr only (stdout reserved for MCP protocol).
  * Follows RFC 5424 severity levels.
+ * Automatically sanitizes error fields to prevent token leakage.
  */
 
+import { sanitizeErrorForLogging } from './security-utils.js'
+
 type LogLevel = 'debug' | 'info' | 'notice' | 'warning' | 'error' | 'critical'
 
 interface LogContext {
@@ -57,7 +60,13 @@ class Logger {
     private log(level: LogLevel, message: string, context?: LogContext): void {
         if (!this.shouldLog(level)) return
 
-        const formatted = this.formatMessage(level, message, context)
+        // Sanitize error fields to prevent token leakage in logs
+        let sanitizedContext = context
+        if (context?.['error'] != null && typeof context['error'] === 'string') {
+            sanitizedContext = { ...context, error: sanitizeErrorForLogging(context['error']) }
+        }
+
+        const formatted = this.formatMessage(level, message, sanitizedContext)
 
         // Always write to stderr (stdout is reserved for MCP protocol)
         console.error(formatted)

package/src/utils/progress-utils.ts

@@ -5,18 +5,29 @@
  * Follows MCP 2025-11-25 specification for notifications/progress.
  */
 
-// We intentionally use the lower-level Server class to access the notification method
-
-import type { Server } from '@modelcontextprotocol/sdk/server/index.js'
+/**
+ * Minimal interface for sending MCP notifications.
+ * Uses structural typing to avoid importing the deprecated Server class.
+ */
+interface NotificationSender {
+    notification(notification: {
+        method: 'notifications/progress'
+        params: {
+            progressToken: string | number
+            progress: number
+            total?: number
+            message?: string
+        }
+    }): Promise<void>
+}
 
 /** Progress token from client request _meta */
 export type ProgressToken = string | number
 
 /** Context required to send progress notifications */
 export interface ProgressContext {
-    /** MCP Server instance for sending notifications */
-    // eslint-disable-next-line @typescript-eslint/no-deprecated
-    server: Server
+    /** Object with notification method for sending progress updates */
+    server: NotificationSender
     /** Progress token from request _meta (if client requested progress) */
     progressToken?: ProgressToken
 }

package/src/utils/security-utils.ts

@@ -0,0 +1,205 @@
+/**
+ * Security Utilities for Memory Journal MCP Server
+ *
+ * Centralized security validation following MCP Security Patterns.
+ * Uses typed errors for consistent error handling across the codebase.
+ */
+
+// ============================================================================
+// Typed Security Errors
+// ============================================================================
+
+/**
+ * Base class for security-related errors
+ */
+export class SecurityError extends Error {
+    readonly code: string
+
+    constructor(message: string, code: string) {
+        super(message)
+        this.name = 'SecurityError'
+        this.code = code
+    }
+}
+
+/**
+ * Thrown when an invalid date format pattern is detected
+ */
+export class InvalidDateFormatError extends SecurityError {
+    constructor(value: string) {
+        super(`Invalid date format pattern: '${value}'`, 'INVALID_DATE_FORMAT')
+        this.name = 'InvalidDateFormatError'
+    }
+}
+
+/**
+ * Thrown when SQL injection patterns are detected in input
+ */
+export class SqlInjectionError extends SecurityError {
+    constructor(pattern: string) {
+        super(`Potential SQL injection detected: '${pattern}'`, 'SQL_INJECTION')
+        this.name = 'SqlInjectionError'
+    }
+}
+
+/**
+ * Thrown when path traversal is detected in input
+ */
+export class PathTraversalError extends SecurityError {
+    constructor(path: string) {
+        super(`Path traversal detected: '${path}'`, 'PATH_TRAVERSAL')
+        this.name = 'PathTraversalError'
+    }
+}
+
+// ============================================================================
+// Date Format Validation
+// ============================================================================
+
+/**
+ * Whitelist of allowed strftime format patterns for SQLite.
+ * These are the only patterns allowed to be interpolated into SQL.
+ */
+const ALLOWED_DATE_FORMATS: Record<string, string> = {
+    day: '%Y-%m-%d',
+    week: '%Y-W%W',
+    month: '%Y-%m',
+} as const
+
+export type DateGroupBy = 'day' | 'week' | 'month'
+
+/**
+ * Validates and returns a safe strftime format pattern.
+ *
+ * @param groupBy - The grouping period ('day', 'week', or 'month')
+ * @returns The validated strftime format pattern
+ * @throws InvalidDateFormatError if the groupBy value is invalid
+ *
+ * @example
+ * ```typescript
+ * const format = validateDateFormatPattern('day') // Returns '%Y-%m-%d'
+ * const format = validateDateFormatPattern('invalid') // Throws InvalidDateFormatError
+ * ```
+ */
+export function validateDateFormatPattern(groupBy: string): string {
+    const format = ALLOWED_DATE_FORMATS[groupBy]
+    if (!format) {
+        throw new InvalidDateFormatError(groupBy)
+    }
+    return format
+}
+
+// ============================================================================
+// Search Query Sanitization
+// ============================================================================
+
+/**
+ * Escapes special characters in LIKE patterns to prevent injection.
+ * SQLite LIKE uses % and _ as wildcards.
+ *
+ * @param query - The user-provided search query
+ * @returns Escaped query safe for use in LIKE patterns
+ *
+ * @example
+ * ```typescript
+ * sanitizeSearchQuery('100%') // Returns '100\\%'
+ * sanitizeSearchQuery('test_value') // Returns 'test\\_value'
+ * ```
+ */
+export function sanitizeSearchQuery(query: string): string {
+    // Escape backslashes first, then LIKE wildcards
+    return query.replace(/\\/g, '\\\\').replace(/%/g, '\\%').replace(/_/g, '\\_')
+}
+
+// ============================================================================
+// SQL Injection Detection
+// ============================================================================
+
+/**
+ * Patterns that indicate SQL injection attempts.
+ * Used for validation in edge cases where parameterized queries aren't possible.
+ */
+const SQL_INJECTION_PATTERNS = [
+    /;\s*(DROP|DELETE|INSERT|UPDATE|CREATE|ALTER|TRUNCATE)/i,
+    /--\s*/,
+    /\/\*[\s\S]*?\*\//,
+    /UNION\s+(ALL\s+)?SELECT/i,
+    /'\s*OR\s+['"]?1['"]?\s*=\s*['"]?1/i,
+    /ATTACH\s+DATABASE/i,
+    /DETACH\s+DATABASE/i,
+    /load_extension\s*\(/i,
+] as const
+
+/**
+ * Checks if a string contains potential SQL injection patterns.
+ * This is a secondary defense layer; parameterized queries are the primary defense.
+ *
+ * @param input - The string to check
+ * @returns true if injection patterns are detected, false otherwise
+ */
+export function containsSqlInjection(input: string): boolean {
+    return SQL_INJECTION_PATTERNS.some((pattern) => pattern.test(input))
+}
+
+/**
+ * Validates that input does not contain SQL injection patterns.
+ *
+ * @param input - The string to validate
+ * @throws SqlInjectionError if injection patterns are detected
+ */
+export function assertNoSqlInjection(input: string): void {
+    if (containsSqlInjection(input)) {
+        throw new SqlInjectionError(input.substring(0, 50))
+    }
+}
+
+// ============================================================================
+// Path Validation
+// ============================================================================
+
+/**
+ * Validates that a filename does not contain path traversal characters.
+ *
+ * @param filename - The filename to validate
+ * @throws PathTraversalError if path traversal is detected
+ */
+export function assertNoPathTraversal(filename: string): void {
+    if (filename.includes('/') || filename.includes('\\') || filename.includes('..')) {
+        throw new PathTraversalError(filename)
+    }
+}
+
+// ============================================================================
+// Error Message Sanitization
+// ============================================================================
+
+/**
+ * Patterns that may contain sensitive tokens in error messages.
+ * Used to scrub error output before logging.
+ */
+const TOKEN_PATTERNS = [
+    // GitHub personal access tokens (classic and fine-grained)
+    /ghp_[A-Za-z0-9_]{36,}/g,
+    /github_pat_[A-Za-z0-9_]{82,}/g,
+    // Authorization headers in error dumps
+    /Authorization:\s*(?:token|Bearer)\s+\S+/gi,
+    // Generic Bearer tokens
+    /Bearer\s+[A-Za-z0-9._\-~+/]+=*/gi,
+] as const
+
+/**
+ * Sanitizes an error message by replacing any detected tokens with '[REDACTED]'.
+ * This is a defense-in-depth measure for error logging paths.
+ *
+ * @param message - The error message to sanitize
+ * @returns The sanitized message with tokens replaced
+ */
+export function sanitizeErrorForLogging(message: string): string {
+    let sanitized = message
+    for (const pattern of TOKEN_PATTERNS) {
+        // Reset lastIndex for global regex patterns
+        pattern.lastIndex = 0
+        sanitized = sanitized.replace(pattern, '[REDACTED]')
+    }
+    return sanitized
+}