npm - sdd-mcp-server - Versions diffs - 1.4.0 → 1.4.1 - Mend

sdd-mcp-server 1.4.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@
 A Model Context Protocol (MCP) server implementing Spec-Driven Development (SDD) workflows for AI-agent CLIs and IDEs like Claude Code, Cursor, and others.
-> **✅ v1.3.11 Update**: AI-driven MCP server with language-agnostic workflow tools. CRITICAL FIX: sdd-steering now generates actual analyzed content instead of instruction templates. Fixed all hardcoded templates, made tools truly universal for any programming language/framework. Perfect for Spring Boot, React, Python, Go, and any other project!
+> ✅ v1.4.0 Update: Requirements, Design, and Tasks are now analysis-based on first run in MCP mode — no more template-first step. Steering remains analysis-backed with static exceptions (linus-review.md, commit.md). Works across JS/TS, Java, Python, Go, Ruby, PHP, Rust, .NET, and more.
 ## 🚀 Quick Start
@@ -43,7 +43,7 @@ npm run build
 npm start
 ```
-### Option 3: Docker (Secure Distroless Image)
+### Option 4: Docker (Secure Distroless Image)
 ```bash
 # Build distroless image locally
 docker build --target production -t sdd-mcp-server .
@@ -80,10 +80,11 @@ claude mcp add sdd "sdd-mcp-server" -s local
 claude mcp list
 # Should show: sdd: ✓ Connected
-# For development (faster startup):
+# For development (local repo):
 git clone https://github.com/yi-john-huang/sdd-mcp.git
 cd sdd-mcp
-claude mcp add sdd "$(pwd)/local-mcp-server.js" -s local
+# Use the dedicated MCP entry
+claude mcp add sdd "$(pwd)/mcp-server.js" -s local
 ```
 Manual configuration in `~/.claude.json`:
@@ -149,7 +150,7 @@ Once connected to your AI client, you can use these MCP tools:
 | `sdd-quality-check` | Code quality analysis | Linus-style 5-layer code review |
 | `sdd-context-load` | Load project context | Restore project memory and state |
 | `sdd-template-render` | Render templates | Generate files from templates |
-| `sdd-steering` | Create/update steering docs | Analyzes project to generate product.md, tech.md, structure.md with real content + static linus-review.md, commit.md |
+| `sdd-steering` | Create/update steering docs | Analyzes project to generate product.md, tech.md, structure.md with real content + static linus-review.md, commit.md, security-check.md |
 | `sdd-steering-custom` | Create custom steering docs | Add specialized guidance documents |
 | `sdd-validate-design` | Design quality validation | Interactive GO/NO-GO design review |
 | `sdd-validate-gap` | Implementation gap analysis | Analyze requirements vs codebase |
@@ -183,15 +184,26 @@ Once connected to your AI client, you can use these MCP tools:
 5. **Implement with TDD**
    ```
    Use sdd-spec-impl to execute tasks with TDD methodology
-   Use sdd-quality-check for code review and analysis
-   ```
+  Use sdd-quality-check for code review and analysis
+  ```
 6. **Monitor & Manage**
-   ```
-   Use sdd-status to check workflow progress
-   Use sdd-approve to approve workflow phases
-   Use sdd-context-load to restore project memory
-   ```
+  ```
+  Use sdd-status to check workflow progress
+  Use sdd-approve to approve workflow phases
+  Use sdd-context-load to restore project memory
+  ```
+## Upgrading to 1.4.0
+- What changed: In MCP mode, `sdd-requirements`, `sdd-design`, and `sdd-tasks` now generate analysis‑based documents on the first run (no more template‑first step). Steering remains analysis‑backed with static exceptions (`linus-review.md`, `commit.md`).
+- Upgrade commands:
+  - Prefer npx: `npx -y sdd-mcp-server@latest` (no install), or
+  - Global: `npm i -g sdd-mcp-server@1.4.0` and run `sdd-mcp-server`.
+- If you pinned a version in your MCP config, update it to `@latest` or `@1.4.0`.
+- If you previously scripted a second “update documents based on codebase” step, you can remove it — documents are analyzed on first generation now.
+- Fallbacks: If dynamic analysis fails, tools still write a minimal template with a clear warning header and error message; rerun after fixing the issue.
+- Requirements: Node.js >= 18.
 ## ⚙️ Configuration
@@ -326,7 +338,7 @@ claude mcp add sdd "sdd-mcp-server" -s local
 # Alternative: Use local development version for faster startup
 git clone https://github.com/yi-john-huang/sdd-mcp.git
 cd sdd-mcp
-claude mcp add sdd "$(pwd)/local-mcp-server.js" -s local
+claude mcp add sdd "$(pwd)/mcp-server.js" -s local
 ```
 **Issue: "Permission denied"**
@@ -335,13 +347,11 @@ claude mcp add sdd "$(pwd)/local-mcp-server.js" -s local
 sudo npm install -g sdd-mcp-server
 ```
-**Issue: "sdd-steering generates template content instead of analyzed content"**
+**Issue: "Only template content generated" (Resolved in v1.4.0)**
-If `sdd-steering` only generates template content, prompt your AI agent to analyze the actual codebase:
-```
-"Please update product.md / structure.md / tech.md based on codebase."
-```
-This will trigger the AI to analyze your actual project structure, dependencies, and technology stack to generate meaningful, project-specific content instead of generic templates.
+As of 1.4.0, `sdd-requirements`, `sdd-design`, `sdd-tasks`, and `sdd-steering` generate analysis-based documents on first run. If you still see a template:
+- Check the top warning header in the file — it includes the error that triggered fallback.
+- Fix the indicated issue (e.g., permission/path), then rerun the tool.
 ## 📖 Advanced Documentation
@@ -378,4 +388,4 @@ claude mcp add sdd "sdd-mcp-server"
 sdd-mcp-server
 ```
-Built for the AI development community 🤖✨
+Built for the AI development community 🤖✨

package/mcp-server.js CHANGED Viewed

@@ -1198,6 +1198,63 @@ Managed by \`/kiro:steering\` command. Updates here reflect command changes.
       }
       await fs.writeFile(agentsPath, agentsContent);
     }
+    // Ensure security-check.md exists (static)
+    const securityPath = path.join(steeringPath, 'security-check.md');
+    const securityExists = await fs.access(securityPath).then(() => true).catch(() => false);
+    if (!securityExists) {
+      const securityContent = `# Security Check (OWASP Top 10 Aligned)
+Use this checklist during code generation and review. Avoid OWASP Top 10 issues by design.
+## A01: Broken Access Control
+- Enforce least privilege; validate authorization on every request/path
+- No client-side trust; never rely on hidden fields or disabled UI
+## A02: Cryptographic Failures
+- Use HTTPS/TLS; do not roll your own crypto
+- Store secrets in env vars/secret stores; never commit secrets
+## A03: Injection
+- Use parameterized queries/ORM and safe template APIs
+- Sanitize/validate untrusted input; avoid string concatenation in queries
+## A04: Insecure Design
+- Threat model critical flows; add security requirements to design
+- Fail secure; disable features by default until explicitly enabled
+## A05: Security Misconfiguration
+- Disable debug modes in prod; set secure headers (CSP, HSTS, X-Content-Type-Options)
+- Pin dependencies and lock versions; no default credentials
+    ## A06: Vulnerable & Outdated Components
+    - Track SBOM/dependencies; run npm audit or a scanner regularly and patch
+    - Prefer maintained libraries; remove unused deps
+## A07: Identification & Authentication Failures
+- Use vetted auth (OIDC/OAuth2); enforce MFA where applicable
+- Secure session handling (HttpOnly, Secure, SameSite cookies)
+## A08: Software & Data Integrity Failures
+- Verify integrity of third-party artifacts; signed releases when possible
+- Protect CI/CD: signed commits/tags, restricted tokens, principle of least privilege
+## A09: Security Logging & Monitoring Failures
+- Log authz/authn events and errors without sensitive data
+- Add alerts for suspicious activity; retain logs per policy
+## A10: Server-Side Request Forgery (SSRF)
+- Validate/deny-list outbound destinations; no direct fetch to arbitrary URLs
+- Use network egress controls; fetch via vetted proxies when needed
+## General Practices
+- Validate inputs (schema, length, type) and outputs (encoding)
+- Handle errors without leaking stack traces or secrets
+- Use content security best practices for templates/HTML
+- Add security tests where feasible (authz, input validation)
+`;
+      await fs.writeFile(securityPath, securityContent);
+    }
     const mode = updateMode === 'update' ? 'Updated' : 'Created';
@@ -1216,6 +1273,7 @@ Managed by \`/kiro:steering\` command. Updates here reflect command changes.
 - \`.kiro/steering/structure.md\` - Project organization and architectural decisions (AI analysis template)
 - \`.kiro/steering/linus-review.md\` - Code review guidelines (full content)
 - \`.kiro/steering/commit.md\` - Commit message standards (full content)
+- \`.kiro/steering/security-check.md\` - Security checklist aligned to OWASP Top 10 (full content)
 - \`.kiro/steering/AGENTS.md\` - Universal AI agent workflow guidance
 **AI-Driven Approach**:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sdd-mcp-server",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "MCP server for spec-driven development workflows across AI-agent CLIs and IDEs",
   "main": "dist/index.js",
   "bin": {