npm - midnight-mcp - Versions diffs - 0.2.19 → 0.2.20 - Mend

midnight-mcp 0.2.19 → 0.2.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin.js +3 -3
package/dist/{chunk-4CUN6SQZ.js → chunk-F4KM42XU.js} +41 -5
package/dist/{chunk-OYH7MAIC.js → chunk-RCQYFKD3.js} +4 -4
package/dist/db-VCUUBGDV.js +7 -0
package/dist/index.js +2 -2
package/package.json +1 -1
package/dist/db-3CCKZDB7.js +0 -7

package/dist/bin.js CHANGED Viewed

@@ -2,10 +2,10 @@
 import {
   startHttpServer,
   startServer
-} from "./chunk-4CUN6SQZ.js";
+} from "./chunk-F4KM42XU.js";
 import {
   setOutputFormat
-} from "./chunk-OYH7MAIC.js";
+} from "./chunk-RCQYFKD3.js";
 // src/bin.ts
 import { config } from "dotenv";
@@ -13,7 +13,7 @@ import { resolve } from "path";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 config({ path: resolve(process.cwd(), ".env") });
-var CURRENT_VERSION = "0.2.19";
+var CURRENT_VERSION = "0.2.20";
 process.on("uncaughtException", (error) => {
   console.error("Uncaught exception:", error);
   process.exit(1);

package/dist/{chunk-4CUN6SQZ.js → chunk-F4KM42XU.js} RENAMED Viewed

@@ -25,7 +25,7 @@ import {
   validateNumber,
   validateQuery,
   vectorStore
-} from "./chunk-OYH7MAIC.js";
+} from "./chunk-RCQYFKD3.js";
 // src/tools/search/schemas.ts
 import { z } from "zod";
@@ -1698,7 +1698,14 @@ var REPO_ALIASES = {
   lucentlabs: { owner: "statera-protocol", repo: "statera-protocol-midnight" },
   stablecoin: { owner: "statera-protocol", repo: "statera-protocol-midnight" },
   "midnight-bank": { owner: "nel349", repo: "midnight-bank" },
-  bank: { owner: "nel349", repo: "midnight-bank" }
+  bank: { owner: "nel349", repo: "midnight-bank" },
+  // Third-Party / Community (NOT official Midnight, not in midnight-awesome-dapps)
+  // effectstream is a multi-chain Web3 engine (EVM, Midnight, Bitcoin, Cardano,
+  // Avail, Celestia, NEAR). Only its Midnight pieces are relevant here:
+  // @effectstream/midnight-contracts and the evm-midnight-v2 / zswap-da templates.
+  // NOTE: repo currently has NO LICENSE — treat indexed content as reference only.
+  effectstream: { owner: "effectstream", repo: "effectstream" },
+  "effect-stream": { owner: "effectstream", repo: "effectstream" }
 };
 var EXAMPLES = [
   {
@@ -6930,6 +6937,19 @@ var transports = {
   streamable: {},
   sse: {}
 };
+function buildAllowlist(port) {
+  const hosts = [`127.0.0.1:${port}`, `localhost:${port}`];
+  const origins = hosts.flatMap((host) => [
+    `http://${host}`,
+    `https://${host}`
+  ]);
+  return { allowedHosts: hosts, allowedOrigins: origins };
+}
+function isRebindingBlocked(host, origin, allowedHosts, allowedOrigins) {
+  if (host && !allowedHosts.includes(host)) return true;
+  if (origin && !allowedOrigins.includes(origin)) return true;
+  return false;
+}
 async function closeTransports(transportMap) {
   const closePromises = Object.values(transportMap).map(
     (transport) => transport.close?.().catch(() => {
@@ -6940,6 +6960,7 @@ async function closeTransports(transportMap) {
 async function startHttpServer(port = 3e3) {
   const mcpServer = await initializeServer();
   const app = express();
+  const { allowedHosts, allowedOrigins } = buildAllowlist(port);
   app.use("/mcp", express.json());
   app.get("/health", (_req, res) => {
     res.json({
@@ -6956,6 +6977,10 @@ async function startHttpServer(port = 3e3) {
     } else if (!sessionId && isInitializeRequest(req.body)) {
       transport = new StreamableHTTPServerTransport({
         sessionIdGenerator: () => randomUUID(),
+        // Block DNS-rebinding attacks from browser pages (loopback allowlist).
+        enableDnsRebindingProtection: true,
+        allowedHosts,
+        allowedOrigins,
         onsessioninitialized: (newSessionId) => {
           transports.streamable[newSessionId] = transport;
           logger.debug(`New streamable session: ${newSessionId}`);
@@ -6993,9 +7018,20 @@ async function startHttpServer(port = 3e3) {
     }
     await transport.handleRequest(req, res, req.body);
   });
-  app.get("/sse", async (_req, res) => {
+  app.get("/sse", async (req, res) => {
+    const host = req.headers.host;
+    const origin = req.headers.origin;
+    if (isRebindingBlocked(host, origin, allowedHosts, allowedOrigins)) {
+      logger.warn(`Rejected SSE connection`, { host, origin });
+      res.status(403).send("Forbidden: invalid Host or Origin");
+      return;
+    }
     logger.debug("New SSE connection");
-    const transport = new SSEServerTransport("/messages", res);
+    const transport = new SSEServerTransport("/messages", res, {
+      enableDnsRebindingProtection: true,
+      allowedHosts,
+      allowedOrigins
+    });
     transports.sse[transport.sessionId] = transport;
     res.on("close", () => {
       delete transports.sse[transport.sessionId];
@@ -11253,4 +11289,4 @@ export {
   startServer,
   startHttpServer
 };
-//# sourceMappingURL=chunk-4CUN6SQZ.js.map
+//# sourceMappingURL=chunk-F4KM42XU.js.map

package/dist/{chunk-OYH7MAIC.js → chunk-RCQYFKD3.js} RENAMED Viewed

@@ -1624,7 +1624,7 @@ var releaseTracker = new ReleaseTracker();
 // src/utils/health.ts
 var startTime = Date.now();
-var VERSION = "0.2.19";
+var VERSION = "0.2.20";
 async function checkGitHubAPI() {
   const start = Date.now();
   try {
@@ -1652,7 +1652,7 @@ async function checkGitHubAPI() {
 }
 async function checkVectorStore() {
   try {
-    const { vectorStore: vectorStore2 } = await import("./db-3CCKZDB7.js");
+    const { vectorStore: vectorStore2 } = await import("./db-VCUUBGDV.js");
     if (vectorStore2) {
       return {
         status: "pass",
@@ -2128,7 +2128,7 @@ function serialize(data) {
 }
 // src/utils/version.ts
-var CURRENT_VERSION = "0.2.19";
+var CURRENT_VERSION = "0.2.20";
 // src/db/vectorStore.ts
 var VectorStore = class {
@@ -2351,4 +2351,4 @@ export {
   serialize,
   CURRENT_VERSION
 };
-//# sourceMappingURL=chunk-OYH7MAIC.js.map
+//# sourceMappingURL=chunk-RCQYFKD3.js.map

package/dist/db-VCUUBGDV.js ADDED Viewed

@@ -0,0 +1,7 @@
+import {
+  vectorStore
+} from "./chunk-RCQYFKD3.js";
+export {
+  vectorStore
+};
+//# sourceMappingURL=db-VCUUBGDV.js.map

package/dist/index.js CHANGED Viewed

@@ -9,10 +9,10 @@ import {
   promptDefinitions,
   startHttpServer,
   startServer
-} from "./chunk-4CUN6SQZ.js";
+} from "./chunk-F4KM42XU.js";
 import {
   logger
-} from "./chunk-OYH7MAIC.js";
+} from "./chunk-RCQYFKD3.js";
 export {
   allResources,
   allTools,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "midnight-mcp",
-  "version": "0.2.19",
+  "version": "0.2.20",
   "description": "Model Context Protocol Server for Midnight Blockchain Development",
   "type": "module",
   "main": "dist/index.js",

package/dist/db-3CCKZDB7.js DELETED Viewed

@@ -1,7 +0,0 @@
-import {
-  vectorStore
-} from "./chunk-OYH7MAIC.js";
-export {
-  vectorStore
-};
-//# sourceMappingURL=db-3CCKZDB7.js.map