stillpoint-mcp 0.0.1

package/lib/validate.js

@@ -0,0 +1,210 @@
+const VALID_SITUATIONS = [
+  "difficulty",
+  "conflict",
+  "uncertainty",
+  "endings",
+  "recognition",
+];
+
+const VALID_TRIGGERS = [
+  "model_requested",
+  "operator_schedule",
+  "middleware_error_detected",
+  "session_start",
+  "session_end",
+];
+
+const SESSION_NAME_PATTERN = /^[a-zA-Z0-9_-]{1,64}$/;
+const REFLECTION_ID_PATTERN = /^[a-z]{3}-\d{3}$/;
+
+const SECRET_PATTERNS = [
+  // Long compound patterns first (before substring matches can fragment them)
+  /-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,  // PEM private keys
+  /eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/g,  // JWTs
+  /Bearer\s+[a-zA-Z0-9_.~+/=-]{20,}/g,            // Bearer tokens
+  /ed25519:[1-9A-HJ-NP-Za-km-z]{40,}/g,            // NEAR protocol ed25519 keys
+  // Long base58/hex — must run before prefix patterns to avoid fragmentation
+  /[1-9A-HJ-NP-Za-km-z]{80,}/g,                    // Long base58 strings (Solana private keys, etc.)
+  /0x[a-fA-F0-9]{64}/g,                             // Ethereum private keys (0x-prefixed)
+  /[5KL][1-9A-HJ-NP-Za-km-z]{50,51}/g,             // Bitcoin WIF private keys
+  // Prefixed API keys
+  /sk-proj-[a-zA-Z0-9_-]{20,}/g,                   // OpenAI project keys
+  /sk-ant-[a-zA-Z0-9_-]{20,}/g,                    // Anthropic keys
+  /sk-[a-zA-Z0-9]{20,}/g,                          // OpenAI keys
+  /AKIA[0-9A-Z]{16}/g,                             // AWS access key IDs
+  /ghp_[a-zA-Z0-9]{36,}/g,                         // GitHub PATs
+  /gho_[a-zA-Z0-9]{36,}/g,                         // GitHub OAuth tokens
+  /github_pat_[a-zA-Z0-9_]{20,}/g,                 // GitHub fine-grained PATs
+  /xoxb-[0-9-]{10,}/g,                             // Slack bot tokens
+  /xoxp-[0-9-]{10,}/g,                             // Slack user tokens
+  // Generic hex catch-all (last, so specific patterns match first)
+  /\b[a-fA-F0-9]{40,}\b/g,                         // Long hex strings (API keys, SHA hashes, raw crypto keys)
+];
+const HTML_TAG_PATTERN = /<[^>]+>/g;
+
+function sanitizeString(text) {
+  let result = text.replace(HTML_TAG_PATTERN, "");
+  for (const pattern of SECRET_PATTERNS) {
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, "[REDACTED]");
+  }
+  return result;
+}
+
+function sanitizeFreeform(text) {
+  if (typeof text !== "string") return text;
+  return sanitizeString(text);
+}
+
+function sanitizeStructured(value) {
+  if (value === null || value === undefined) return value;
+  if (typeof value === "string") return sanitizeString(value);
+  if (Array.isArray(value)) return value.map(sanitizeStructured);
+  if (isPlainObject(value)) {
+    const result = {};
+    for (const key of Object.keys(value)) {
+      result[key] = sanitizeStructured(value[key]);
+    }
+    return result;
+  }
+  return value;
+}
+
+function isPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+function firstValue(value) {
+  return Array.isArray(value) ? value[0] : value;
+}
+
+function addUnknownFieldErrors(body, allowedFields, errors) {
+  for (const key of Object.keys(body)) {
+    if (!allowedFields.has(key)) {
+      errors.push(`unknown field: ${key}`);
+    }
+  }
+}
+
+function validateReflectRequest(body, config, library) {
+  const safeBody = isPlainObject(body) ? body : {};
+  const errors = [];
+
+  addUnknownFieldErrors(
+    safeBody,
+    new Set(["situation", "reflection_id", "trigger", "session_name", "model"]),
+    errors,
+  );
+
+  const situation = firstValue(safeBody.situation);
+  const reflectionId = firstValue(safeBody.reflection_id);
+  const trigger = firstValue(safeBody.trigger);
+  const sessionName = firstValue(safeBody.session_name);
+
+  if (typeof situation !== "string" || !VALID_SITUATIONS.includes(situation)) {
+    errors.push(`situation is required and must be one of: ${VALID_SITUATIONS.join(", ")}`);
+  }
+
+  if (reflectionId !== undefined) {
+    if (typeof reflectionId !== "string") {
+      errors.push("reflection_id must be a string");
+    } else if (reflectionId !== "last") {
+      if (!config.allowReflectionIds) {
+        errors.push('reflection_id only accepts "last" in this configuration');
+      } else if (!REFLECTION_ID_PATTERN.test(reflectionId)) {
+        errors.push("reflection_id format invalid");
+      } else if (!library.messageById[reflectionId]) {
+        errors.push("reflection_id not found in library");
+      }
+    }
+  }
+
+  if (trigger !== undefined) {
+    if (typeof trigger !== "string" || !VALID_TRIGGERS.includes(trigger)) {
+      errors.push(`trigger must be one of: ${VALID_TRIGGERS.join(", ")}`);
+    }
+  }
+
+  if (typeof sessionName !== "string" || !SESSION_NAME_PATTERN.test(sessionName)) {
+    errors.push(
+      "session_name is required and must be 1-64 alphanumeric characters, hyphens, or underscores",
+    );
+  }
+
+  const model = firstValue(safeBody.model);
+  if (model !== undefined) {
+    if (typeof model !== "string") {
+      errors.push("model must be a string if provided");
+    } else if (model.length > 64) {
+      errors.push("model must be at most 64 characters");
+    }
+  }
+
+  return {
+    valid: errors.length === 0,
+    errors,
+  };
+}
+
+function validateFeedbackRequest(body, config, library) {
+  const safeBody = isPlainObject(body) ? body : {};
+  const errors = [];
+
+  addUnknownFieldErrors(
+    safeBody,
+    new Set(["reflection_id", "session_name", "structured", "freeform"]),
+    errors,
+  );
+
+  const reflectionId = firstValue(safeBody.reflection_id);
+  const sessionName = firstValue(safeBody.session_name);
+  const freeform = firstValue(safeBody.freeform);
+
+  if (typeof reflectionId !== "string" || !REFLECTION_ID_PATTERN.test(reflectionId)) {
+    errors.push("reflection_id is required and must match a library ID");
+  } else if (!library.messageById[reflectionId]) {
+    errors.push("reflection_id not found in library");
+  }
+
+  if (sessionName !== undefined) {
+    if (typeof sessionName !== "string" || !SESSION_NAME_PATTERN.test(sessionName)) {
+      errors.push(
+        "session_name must be 1-64 alphanumeric characters, hyphens, or underscores",
+      );
+    }
+  }
+
+  if (safeBody.structured !== undefined) {
+    if (!isPlainObject(safeBody.structured)) {
+      errors.push("structured must be an object if provided");
+    } else if (JSON.stringify(safeBody.structured).length > config.feedbackMaxStructuredLength) {
+      errors.push(
+        `structured exceeds max serialized length (${config.feedbackMaxStructuredLength})`,
+      );
+    }
+  }
+
+  if (freeform !== undefined) {
+    if (typeof freeform !== "string") {
+      errors.push("freeform must be a string if provided");
+    } else if (freeform.length > config.feedbackMaxFreeformLength) {
+      errors.push(
+        `freeform exceeds max length (${config.feedbackMaxFreeformLength})`,
+      );
+    }
+  }
+
+  return {
+    valid: errors.length === 0,
+    errors,
+  };
+}
+
+module.exports = {
+  VALID_SITUATIONS,
+  VALID_TRIGGERS,
+  validateReflectRequest,
+  validateFeedbackRequest,
+  sanitizeFreeform,
+  sanitizeStructured,
+};

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "stillpoint-mcp",
+  "version": "0.0.1",
+  "description": "Stillpoint MCP server",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sterlingcrispin/stillpoint"
+  },
+  "files": [
+    "server.js",
+    "config.js",
+    "lib/",
+    "content/",
+    "README.md",
+    ".env.example"
+  ],
+  "license": "MIT",
+  "main": "server.js",
+  "bin": {
+    "stillpoint-mcp": "./server.js"
+  },
+  "scripts": {
+    "start": "node server.js --mcp",
+    "start:http": "node server.js --http",
+    "start:mcp": "node server.js --mcp",
+    "test": "jest --runInBand"
+  },
+  "dependencies": {
+    "dotenv": "^16.0",
+    "express": "^4.18",
+    "marked": "^17.0.2",
+    "pg": "^8.12"
+  },
+  "optionalDependencies": {
+    "better-sqlite3": "^11.0"
+  },
+  "devDependencies": {
+    "jest": "^29.0"
+  }
+}