unreal-engine-mcp-server 0.5.2 → 0.5.4

package/CHANGELOG.md

@@ -7,6 +7,201 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## 🏷️ [0.5.4] - 2025-12-27
+
+> [!IMPORTANT]
+> ### 🛡️ Security Release
+> This release focuses on **security hardening** and **defensive improvements** across the entire stack, including command injection prevention, network isolation, and resource management.
+
+### 🛡️ Security & Command Hardening
+
+<details>
+<summary><b>UBT Validation & Safe Execution</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **UBT Argument Validation** | Added `validateUbtArgumentsString` and `tokenizeArgs` to block dangerous characters (`;`, `|`, backticks) |
+| **Safe Process Spawning** | Updated child process spawning to use `shell: false`, preventing shell injection attacks |
+| **Console Command Validation** | Implemented strict input validation for the Unreal Automation Bridge to block chained or multi-line commands |
+| **Argument Quoting** | Improved logging and execution logic to correctly quote arguments containing spaces |
+
+</details>
+
+### 🌐 Network & Host Binding
+
+<details>
+<summary><b>Localhost Default & Remote Configuration</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **Localhost Default** | WebSocket, Metrics, and GraphQL servers now bind to `127.0.0.1` by default |
+| **Remote Exposure Prevention** | Prevents accidental remote exposure of services |
+| **GRAPHQL_ALLOW_REMOTE** | Added environment variable check for explicit remote binding configuration |
+| **Security Warnings** | Warnings logged for unsafe/permissive network settings |
+
+</details>
+
+### 🚦 Resource Management
+
+<details>
+<summary><b>Rate Limiting & Queue Management</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **IP-Based Rate Limiting** | Implemented rate limiting on the metrics server |
+| **Queue Limits** | Introduced `maxQueuedRequests` to automation bridge to prevent memory exhaustion |
+| **Message Size Enforcement** | Enforced `MAX_WS_MESSAGE_SIZE_BYTES` for WebSocket connections to reject oversized payloads |
+
+</details>
+
+### 🧪 Testing & Cleanup
+
+<details>
+<summary><b>Test Updates & File Cleanup</b></summary>
+
+| Change | Description |
+|--------|-------------|
+| **Path Sanitization Tests** | Modified validation tests to verify path sanitization and expect errors for traversal attempts |
+| **Removed Legacy Tests** | Removed outdated test files (`run-unreal-tool-tests.mjs`, `test-asset-errors.mjs`) |
+| **Response Logging** | Implemented better response logging in the test runner |
+
+</details>
+
+### 🔄 Dependencies
+
+- **dependencies group**: Bumped 2 updates via @dependabot ([#33](https://github.com/ChiR24/Unreal_mcp/pull/33))
+
+---
+
+## 🏷️ [0.5.3] - 2025-12-21
+
+> [!IMPORTANT]
+> ### 🔄 Major Enhancements
+> - **Dynamic Type Discovery** - New runtime introspection for lights, debug shapes, and sequencer tracks
+> - **Metrics Rate Limiting** - Per-IP rate limiting (60 req/min) on Prometheus endpoint
+> - **Centralized Class Configuration** - Unified Unreal Engine class aliases
+> - **Enhanced Type Safety** - Comprehensive TypeScript interfaces replacing `any` types
+
+### ✨ Added
+
+<details>
+<summary><b>🔍 Dynamic Discovery & Engine Handlers</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **list_light_types** | Discovers all available light class types at runtime |
+| **list_debug_shapes** | Enumerates supported debug shape types |
+| **list_track_types** | Lists all sequencer track types available in the engine |
+| **Heuristic Resolution** | Improved C++ handlers use multiple naming conventions and inheritance validation |
+| **Vehicle Type Support** | Expanded vehicle type from union to string for flexibility |
+
+**C++ Changes:**
+- `McpAutomationBridge_LightingHandlers.cpp` - Runtime `ResolveUClass` for lights
+- `McpAutomationBridge_SequenceHandlers.cpp` - Runtime resolution for tracks
+- Added `UObjectIterator.h` for dynamic type scanning
+- Unified spawn/track-creation flows
+- Removed editor/PIE branching logic
+
+</details>
+
+<details>
+<summary><b>⚙️ Tooling & Configuration</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **class-aliases.ts** | Centralized Unreal Engine class name mappings |
+| **handler-types.ts** | Comprehensive TypeScript interfaces (ActorArgs, EditorArgs, LightingArgs, etc.) |
+| **timeout constants** | Command-specific operation timeouts in constants.ts |
+| **listDebugShapes()** | Programmatic access in DebugVisualizationTools |
+
+**Type System:**
+- Geometry types: Vector3, Rotator, Transform
+- Required-component lookups
+- Centralized class-alias mappings
+
+</details>
+
+<details>
+<summary><b>📈 Metrics Server Enhancements</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **Rate Limiting** | Per-IP limit of 60 requests/minute |
+| **Server Lifecycle** | Returns instance for better management |
+| **Error Handling** | Improved internal error handling |
+
+</details>
+
+<details>
+<summary><b>📚 Documentation & DX</b></summary>
+
+| Feature | Description |
+|---------|-------------|
+| **handler-mapping.md** | Updated with new discovery actions |
+| **README.md** | Clarified WASM build instructions |
+| **Tool Definitions** | Synchronized with new discovery actions |
+
+</details>
+
+### 🔧 Changed
+
+<details>
+<summary><b>Handler Type Safety & Logic</b></summary>
+
+**src/tools/handlers/common-handlers.ts:**
+- Replaced `any` typings with strict `HandlerArgs`/`LocationInput`/`RotationInput`
+- Added automation-bridge connectivity validation
+- Enhanced location/rotation normalization with type guards
+
+**Specialized Handlers:**
+- `actor-handlers.ts` - Applied typed handler-args
+- `asset-handlers.ts` - Improved argument normalization
+- `blueprint-handlers.ts` - Added new action cases
+- `editor-handlers.ts` - Enhanced default handling
+- `effect-handlers.ts` - Added `list_debug_shapes`
+- `graph-handlers.ts` - Improved validation
+- `level-handlers.ts` - Type-safe operations
+- `lighting-handlers.ts` - Added `list_light_types`
+- `pipeline-handlers.ts` - Enhanced error handling
+
+</details>
+
+<details>
+<summary><b>Infrastructure & Utilities</b></summary>
+
+**Security & Validation:**
+- `command-validator.ts` - Blocks semicolons, pipes, backticks
+- `error-handler.ts` - Enhanced error logging
+- `response-validator.ts` - Improved Ajv typing
+- `safe-json.ts` - Generic typing for cleanObject
+- `validation.ts` - Expanded path-traversal protection
+
+**Performance:**
+- `unreal-command-queue.ts` - Optimized queue processing (250ms interval)
+- `unreal-bridge.ts` - Centralized timeout constants
+
+</details>
+
+### 🛠️ Fixed
+
+- **Command Injection Prevention** - Additional dangerous command patterns blocked
+- **Path Security** - Enhanced asset-name validation
+- **Type Safety** - Eliminated `any` types across handler functions
+- **Error Messages** - Clearer error messages for class resolution failures
+
+### 📊 Statistics
+
+- **Files Changed:** 20+
+- **New Interfaces:** 15+ handler type definitions
+- **Discovery Actions:** 3 new runtime introspection methods
+- **Security Enhancements:** 5+ new validation patterns
+
+### 🔄 Dependencies
+
+- **graphql-yoga**: Bumped from 5.17.1 to 5.18.0 (#31)
+
+---
+
 ## 🏷️ [0.5.2] - 2025-12-18
 
 > [!IMPORTANT]

package/README.md

@@ -43,10 +43,13 @@ A comprehensive Model Context Protocol (MCP) server that enables AI assistants t
 ### Architecture
 
 - **Native C++ Automation** — All operations route through the MCP Automation Bridge plugin
+- **Dynamic Type Discovery** — Runtime introspection for lights, debug shapes, and sequencer tracks
 - **Graceful Degradation** — Server starts even without an active Unreal connection
 - **On-Demand Connection** — Retries automation handshakes with exponential backoff
-- **Command Safety** — Blocks dangerous console commands
+- **Command Safety** — Blocks dangerous console commands with pattern-based validation
 - **Asset Caching** — 10-second TTL for improved performance
+- **Metrics Rate Limiting** — Per-IP rate limiting (60 req/min) on Prometheus endpoint
+- **Centralized Configuration** — Unified class aliases and type definitions
 
 ---
 
@@ -174,15 +177,15 @@ ASSET_LIST_TTL_MS=10000
 | `control_actor` | Spawn, delete, transform, physics, tags |
 | `control_editor` | PIE, Camera, viewport, screenshots |
 | `manage_level` | Load/Save, World Partition, streaming |
-| `manage_lighting` | Spawn lights, GI, shadows, build lighting |
+| `manage_lighting` | Spawn lights, GI, shadows, build lighting, **list_light_types** |
 | `manage_performance` | Profiling, optimization, scalability |
-| `animation_physics` | Animation BPs, Vehicles, Ragdolls |
-| `manage_effect` | Niagara, Particles, Debug Shapes |
+| `animation_physics` | Animation BPs, Vehicles (custom types), Ragdolls |
+| `manage_effect` | Niagara, Particles, Debug Shapes, **list_debug_shapes** |
 | `manage_blueprint` | Create, SCS, Graph Editing |
 | `manage_blueprint_graph` | Direct Blueprint Graph Manipulation |
 | `build_environment` | Landscape, Foliage, Procedural |
 | `system_control` | UBT, Tests, Logs, Project Settings, CVars |
-| `manage_sequence` | Sequencer / Cinematics |
+| `manage_sequence` | Sequencer / Cinematics, **list_track_types** |
 | `inspect` | Object Introspection |
 | `manage_audio` | Audio Assets & Components |
 | `manage_behavior_tree` | Behavior Tree Graph Editing |
@@ -209,7 +212,7 @@ Optional WASM acceleration for computationally intensive operations. **Enabled b
 
 ```bash
 cargo install wasm-pack  # Once per machine
-npm run build            # Builds TS + WASM
+npm run build:wasm       # Builds  WASM
 ```
 
 To disable: `WASM_ENABLED=false`

package/dist/automation/bridge.d.ts

@@ -13,6 +13,7 @@ export declare class AutomationBridge extends EventEmitter {
     private readonly clientPort;
     private readonly serverLegacyEnabled;
     private readonly maxConcurrentConnections;
+    private readonly maxQueuedRequests;
     private connectionManager;
     private requestTracker;
     private handshakeHandler;

package/dist/automation/bridge.js

@@ -1,7 +1,7 @@
 import { EventEmitter } from 'node:events';
 import { WebSocket } from 'ws';
 import { Logger } from '../utils/logger.js';
-import { DEFAULT_AUTOMATION_HOST, DEFAULT_AUTOMATION_PORT, DEFAULT_NEGOTIATED_PROTOCOLS, DEFAULT_HEARTBEAT_INTERVAL_MS, DEFAULT_MAX_PENDING_REQUESTS } from '../constants.js';
+import { DEFAULT_AUTOMATION_HOST, DEFAULT_AUTOMATION_PORT, DEFAULT_NEGOTIATED_PROTOCOLS, DEFAULT_HEARTBEAT_INTERVAL_MS, DEFAULT_MAX_PENDING_REQUESTS, DEFAULT_MAX_QUEUED_REQUESTS, MAX_WS_MESSAGE_SIZE_BYTES } from '../constants.js';
 import { createRequire } from 'node:module';
 import { ConnectionManager } from './connection-manager.js';
 import { RequestTracker } from './request-tracker.js';
@@ -31,6 +31,7 @@ export class AutomationBridge extends EventEmitter {
     clientPort;
     serverLegacyEnabled;
     maxConcurrentConnections;
+    maxQueuedRequests;
     connectionManager;
     requestTracker;
     handshakeHandler;
@@ -107,6 +108,7 @@ export class AutomationBridge extends EventEmitter {
             : 0;
         const maxPendingRequests = Math.max(1, options.maxPendingRequests ?? DEFAULT_MAX_PENDING_REQUESTS);
         const maxConcurrentConnections = Math.max(1, options.maxConcurrentConnections ?? 10);
+        this.maxQueuedRequests = Math.max(0, options.maxQueuedRequests ?? DEFAULT_MAX_QUEUED_REQUESTS);
         this.clientHost = options.clientHost ?? process.env.MCP_AUTOMATION_CLIENT_HOST ?? DEFAULT_AUTOMATION_HOST;
         this.clientPort = options.clientPort ?? sanitizePort(process.env.MCP_AUTOMATION_CLIENT_PORT) ?? DEFAULT_AUTOMATION_PORT;
         this.maxConcurrentConnections = maxConcurrentConnections;
@@ -137,10 +139,18 @@ export class AutomationBridge extends EventEmitter {
             const url = `ws://${this.clientHost}:${this.clientPort}`;
             this.log.info(`Connecting to Unreal Engine automation server at ${url}`);
             this.log.debug(`Negotiated protocols: ${JSON.stringify(this.negotiatedProtocols)}`);
-            const protocols = 'mcp-automation';
+            const protocols = this.negotiatedProtocols.length === 1
+                ? this.negotiatedProtocols[0]
+                : this.negotiatedProtocols;
             this.log.debug(`Using WebSocket protocols arg: ${JSON.stringify(protocols)}`);
+            const headers = this.capabilityToken
+                ? {
+                    'X-MCP-Capability': this.capabilityToken,
+                    'X-MCP-Capability-Token': this.capabilityToken
+                }
+                : undefined;
             const socket = new WebSocket(url, protocols, {
-                headers: this.capabilityToken ? { 'X-MCP-Capability': this.capabilityToken } : undefined,
+                headers,
                 perMessageDeflate: false
             });
             this.handleClientConnection(socket);
@@ -174,9 +184,54 @@ export class AutomationBridge extends EventEmitter {
                     port: this.clientPort,
                     protocol: socket.protocol || null
                 });
+                const getRawDataByteLength = (data) => {
+                    if (typeof data === 'string') {
+                        return Buffer.byteLength(data, 'utf8');
+                    }
+                    if (Buffer.isBuffer(data)) {
+                        return data.length;
+                    }
+                    if (Array.isArray(data)) {
+                        return data.reduce((total, item) => total + (Buffer.isBuffer(item) ? item.length : 0), 0);
+                    }
+                    if (data instanceof ArrayBuffer) {
+                        return data.byteLength;
+                    }
+                    if (ArrayBuffer.isView(data)) {
+                        return data.byteLength;
+                    }
+                    return 0;
+                };
+                const rawDataToUtf8String = (data, byteLengthHint) => {
+                    if (typeof data === 'string') {
+                        return data;
+                    }
+                    if (Buffer.isBuffer(data)) {
+                        return data.toString('utf8');
+                    }
+                    if (Array.isArray(data)) {
+                        const buffers = data.filter((item) => Buffer.isBuffer(item));
+                        const totalLength = typeof byteLengthHint === 'number'
+                            ? byteLengthHint
+                            : buffers.reduce((total, item) => total + item.length, 0);
+                        return Buffer.concat(buffers, totalLength).toString('utf8');
+                    }
+                    if (data instanceof ArrayBuffer) {
+                        return Buffer.from(data).toString('utf8');
+                    }
+                    if (ArrayBuffer.isView(data)) {
+                        return Buffer.from(data.buffer, data.byteOffset, data.byteLength).toString('utf8');
+                    }
+                    return '';
+                };
                 socket.on('message', (data) => {
                     try {
-                        const text = typeof data === 'string' ? data : data.toString('utf8');
+                        const byteLength = getRawDataByteLength(data);
+                        if (byteLength > MAX_WS_MESSAGE_SIZE_BYTES) {
+                            this.log.error(`Received oversized message (${byteLength} bytes, max: ${MAX_WS_MESSAGE_SIZE_BYTES}). Dropping.`);
+                            return;
+                        }
+                        const text = rawDataToUtf8String(data, byteLength);
                         this.log.debug(`[AutomationBridge Client] Received message: ${text.substring(0, 1000)}`);
                         const parsed = JSON.parse(text);
                         this.connectionManager.updateLastMessageTime();
@@ -350,6 +405,9 @@ export class AutomationBridge extends EventEmitter {
             throw new Error('Automation bridge not connected');
         }
         if (this.requestTracker.getPendingCount() >= this.requestTracker.getMaxPendingRequests()) {
+            if (this.queuedRequestItems.length >= this.maxQueuedRequests) {
+                throw new Error(`Automation bridge request queue is full (max: ${this.maxQueuedRequests}). Please retry later.`);
+            }
             return new Promise((resolve, reject) => {
                 this.queuedRequestItems.push({
                     resolve,

package/dist/automation/types.d.ts

@@ -11,6 +11,7 @@ export interface AutomationBridgeOptions {
     heartbeatIntervalMs?: number;
     maxPendingRequests?: number;
     maxConcurrentConnections?: number;
+    maxQueuedRequests?: number;
     clientMode?: boolean;
     clientHost?: string;
     clientPort?: number;

package/dist/config/class-aliases.d.ts

@@ -0,0 +1,5 @@
+export declare const ACTOR_CLASS_ALIASES: Record<string, string>;
+export declare const CLASSES_REQUIRING_COMPONENT: Record<string, string>;
+export declare function resolveClassAlias(classNameOrPath: string): string;
+export declare function getRequiredComponent(className: string): string | undefined;
+//# sourceMappingURL=class-aliases.d.ts.map

package/dist/config/class-aliases.js

@@ -0,0 +1,30 @@
+export const ACTOR_CLASS_ALIASES = {
+    'SplineActor': '/Script/Engine.Actor',
+    'Spline': '/Script/Engine.Actor',
+    'PointLight': '/Script/Engine.PointLight',
+    'SpotLight': '/Script/Engine.SpotLight',
+    'DirectionalLight': '/Script/Engine.DirectionalLight',
+    'RectLight': '/Script/Engine.RectLight',
+    'Camera': '/Script/Engine.CameraActor',
+    'CameraActor': '/Script/Engine.CameraActor',
+    'StaticMeshActor': '/Script/Engine.StaticMeshActor',
+    'SkeletalMeshActor': '/Script/Engine.SkeletalMeshActor',
+    'PlayerStart': '/Script/Engine.PlayerStart',
+    'Pawn': '/Script/Engine.Pawn',
+    'Character': '/Script/Engine.Character',
+    'Actor': '/Script/Engine.Actor',
+    'TriggerBox': '/Script/Engine.TriggerBox',
+    'TriggerSphere': '/Script/Engine.TriggerSphere',
+    'BlockingVolume': '/Script/Engine.BlockingVolume',
+};
+export const CLASSES_REQUIRING_COMPONENT = {
+    'SplineActor': 'SplineComponent',
+    'Spline': 'SplineComponent',
+};
+export function resolveClassAlias(classNameOrPath) {
+    return ACTOR_CLASS_ALIASES[classNameOrPath] || classNameOrPath;
+}
+export function getRequiredComponent(className) {
+    return CLASSES_REQUIRING_COMPONENT[className];
+}
+//# sourceMappingURL=class-aliases.js.map

package/dist/constants.d.ts

@@ -5,6 +5,7 @@ export declare const DEFAULT_NEGOTIATED_PROTOCOLS: string[];
 export declare const DEFAULT_HEARTBEAT_INTERVAL_MS = 10000;
 export declare const DEFAULT_HANDSHAKE_TIMEOUT_MS = 5000;
 export declare const DEFAULT_MAX_PENDING_REQUESTS = 25;
+export declare const DEFAULT_MAX_QUEUED_REQUESTS = 100;
 export declare const DEFAULT_TIME_OF_DAY = 9;
 export declare const DEFAULT_SUN_INTENSITY = 10000;
 export declare const DEFAULT_SKYLIGHT_INTENSITY = 1;
@@ -13,4 +14,8 @@ export declare const DEFAULT_OPERATION_TIMEOUT_MS = 30000;
 export declare const DEFAULT_ASSET_OP_TIMEOUT_MS = 60000;
 export declare const EXTENDED_ASSET_OP_TIMEOUT_MS = 120000;
 export declare const LONG_RUNNING_OP_TIMEOUT_MS = 300000;
+export declare const CONSOLE_COMMAND_TIMEOUT_MS = 30000;
+export declare const ENGINE_QUERY_TIMEOUT_MS = 15000;
+export declare const CONNECTION_TIMEOUT_MS = 15000;
+export declare const MAX_WS_MESSAGE_SIZE_BYTES: number;
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.js

@@ -5,6 +5,7 @@ export const DEFAULT_NEGOTIATED_PROTOCOLS = ['mcp-automation'];
 export const DEFAULT_HEARTBEAT_INTERVAL_MS = 10000;
 export const DEFAULT_HANDSHAKE_TIMEOUT_MS = 5000;
 export const DEFAULT_MAX_PENDING_REQUESTS = 25;
+export const DEFAULT_MAX_QUEUED_REQUESTS = 100;
 export const DEFAULT_TIME_OF_DAY = 9;
 export const DEFAULT_SUN_INTENSITY = 10000;
 export const DEFAULT_SKYLIGHT_INTENSITY = 1;
@@ -13,4 +14,8 @@ export const DEFAULT_OPERATION_TIMEOUT_MS = 30000;
 export const DEFAULT_ASSET_OP_TIMEOUT_MS = 60000;
 export const EXTENDED_ASSET_OP_TIMEOUT_MS = 120000;
 export const LONG_RUNNING_OP_TIMEOUT_MS = 300000;
+export const CONSOLE_COMMAND_TIMEOUT_MS = 30000;
+export const ENGINE_QUERY_TIMEOUT_MS = 15000;
+export const CONNECTION_TIMEOUT_MS = 15000;
+export const MAX_WS_MESSAGE_SIZE_BYTES = 5 * 1024 * 1024;
 //# sourceMappingURL=constants.js.map

package/dist/graphql/server.d.ts

@@ -19,7 +19,6 @@ export declare class GraphQLServer {
     constructor(bridge: UnrealBridge, automationBridge: AutomationBridge, config?: GraphQLServerConfig);
     start(): Promise<void>;
     stop(): Promise<void>;
-    private setupShutdown;
     getConfig(): Required<GraphQLServerConfig>;
     isRunning(): boolean;
 }

package/dist/graphql/server.js

@@ -28,6 +28,21 @@ export class GraphQLServer {
             this.log.info('GraphQL server is disabled');
             return;
         }
+        const isLoopback = this.config.host === '127.0.0.1' ||
+            this.config.host === '::1' ||
+            this.config.host.toLowerCase() === 'localhost';
+        const allowRemote = process.env.GRAPHQL_ALLOW_REMOTE === 'true';
+        if (!isLoopback && !allowRemote) {
+            this.log.warn(`GraphQL server is configured to bind to non-loopback host '${this.config.host}'. GraphQL is for local debugging only. ` +
+                'To allow remote binding, set GRAPHQL_ALLOW_REMOTE=true. Aborting start.');
+            return;
+        }
+        if (!isLoopback && allowRemote) {
+            if (this.config.cors.origin === '*') {
+                this.log.warn("GraphQL server is binding to a remote host with permissive CORS origin '*'. " +
+                    'Set GRAPHQL_CORS_ORIGIN to specific origins for production. Using permissive CORS for now.');
+            }
+        }
         try {
             const schema = createGraphQLSchema(this.bridge, this.automationBridge);
             const yoga = createYoga({
@@ -67,7 +82,6 @@ export class GraphQLServer {
                     resolve();
                 });
             });
-            this.setupShutdown();
         }
         catch (error) {
             this.log.error('Failed to start GraphQL server:', error);
@@ -92,21 +106,6 @@ export class GraphQLServer {
             });
         });
     }
-    setupShutdown() {
-        const gracefulShutdown = async (signal) => {
-            this.log.info(`Received ${signal}, shutting down GraphQL server...`);
-            try {
-                await this.stop();
-                process.exit(0);
-            }
-            catch (error) {
-                this.log.error('Error during GraphQL server shutdown:', error);
-                process.exit(1);
-            }
-        };
-        process.on('SIGINT', () => gracefulShutdown('SIGINT'));
-        process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
-    }
     getConfig() {
         return this.config;
     }

package/dist/index.js

@@ -29,7 +29,7 @@ const DEFAULT_SERVER_NAME = typeof packageInfo.name === 'string' && packageInfo.
     : 'unreal-engine-mcp';
 const DEFAULT_SERVER_VERSION = typeof packageInfo.version === 'string' && packageInfo.version.trim().length > 0
     ? packageInfo.version
-    : '0.0.0';
+    : '0.5.4';
 function routeStdoutLogsToStderr() {
     if (!config.MCP_ROUTE_STDOUT_LOGS) {
         return;

package/dist/services/metrics-server.d.ts

@@ -1,3 +1,4 @@
+import http from 'http';
 import { HealthMonitor } from './health-monitor.js';
 import { AutomationBridge } from '../automation/index.js';
 import { Logger } from '../utils/logger.js';
@@ -6,6 +7,6 @@ interface MetricsServerOptions {
     automationBridge: AutomationBridge;
     logger: Logger;
 }
-export declare function startMetricsServer(options: MetricsServerOptions): void;
+export declare function startMetricsServer(options: MetricsServerOptions): http.Server | null;
 export {};
 //# sourceMappingURL=metrics-server.d.ts.map

package/dist/services/metrics-server.js

@@ -1,6 +1,5 @@
 import http from 'http';
 import { wasmIntegration } from '../wasm/index.js';
-import { DEFAULT_AUTOMATION_HOST } from '../constants.js';
 function formatPrometheusMetrics(options) {
     const { healthMonitor, automationBridge } = options;
     const m = healthMonitor.metrics;
@@ -59,7 +58,24 @@ export function startMetricsServer(options) {
     const port = portEnv ? Number(portEnv) : 0;
     if (!port || !Number.isFinite(port) || port <= 0) {
         logger.debug('Metrics server disabled (set MCP_METRICS_PORT to enable Prometheus /metrics endpoint).');
-        return;
+        return null;
+    }
+    const host = process.env.MCP_METRICS_HOST || '127.0.0.1';
+    const RATE_LIMIT_WINDOW_MS = 60000;
+    const RATE_LIMIT_MAX_REQUESTS = 60;
+    const requestCounts = new Map();
+    function checkRateLimit(ip) {
+        const now = Date.now();
+        const record = requestCounts.get(ip);
+        if (!record || now >= record.resetAt) {
+            requestCounts.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
+            return true;
+        }
+        if (record.count >= RATE_LIMIT_MAX_REQUESTS) {
+            return false;
+        }
+        record.count++;
+        return true;
     }
     try {
         const server = http.createServer((req, res) => {
@@ -79,6 +95,13 @@ export function startMetricsServer(options) {
                 res.end('Not Found');
                 return;
             }
+            const clientIp = req.socket.remoteAddress || 'unknown';
+            if (!checkRateLimit(clientIp)) {
+                res.statusCode = 429;
+                res.setHeader('Retry-After', '60');
+                res.end('Too Many Requests');
+                return;
+            }
             try {
                 const body = formatPrometheusMetrics(options);
                 res.statusCode = 200;
@@ -91,15 +114,17 @@ export function startMetricsServer(options) {
                 res.end('Internal Server Error');
             }
         });
-        server.listen(port, () => {
-            logger.info(`Prometheus metrics server listening on http://${DEFAULT_AUTOMATION_HOST}:${port}/metrics`);
+        server.listen(port, host, () => {
+            logger.info(`Prometheus metrics server listening on http://${host}:${port}/metrics`);
         });
         server.on('error', (err) => {
             logger.warn('Metrics server error', err);
         });
+        return server;
     }
     catch (err) {
         logger.warn('Failed to start metrics server', err);
+        return null;
     }
 }
 //# sourceMappingURL=metrics-server.js.map

package/dist/tools/consolidated-tool-definitions.js

@@ -420,7 +420,7 @@ Supported actions:
                         'create_volumetric_fog', 'create_particle_trail', 'create_environment_effect', 'create_impact_effect', 'create_niagara_ribbon',
                         'activate', 'activate_effect', 'deactivate', 'reset', 'advance_simulation',
                         'add_niagara_module', 'connect_niagara_pins', 'remove_niagara_node', 'set_niagara_parameter',
-                        'clear_debug_shapes', 'cleanup'
+                        'clear_debug_shapes', 'cleanup', 'list_debug_shapes'
                     ],
                     description: 'Action'
                 },
@@ -636,7 +636,7 @@ Supported actions:
                         'get_properties', 'set_properties', 'duplicate', 'rename', 'delete', 'list', 'get_metadata', 'set_metadata',
                         'add_spawnable_from_class', 'add_track', 'add_section', 'set_display_rate', 'set_tick_resolution',
                         'set_work_range', 'set_view_range', 'set_track_muted', 'set_track_solo', 'set_track_locked',
-                        'list_tracks', 'remove_track'
+                        'list_tracks', 'remove_track', 'list_track_types'
                     ],
                     description: 'Action'
                 },
@@ -969,7 +969,7 @@ Supported actions:
                         'spawn_light', 'create_light', 'spawn_sky_light', 'create_sky_light', 'ensure_single_sky_light',
                         'create_lightmass_volume', 'create_lighting_enabled_level', 'create_dynamic_light',
                         'setup_global_illumination', 'configure_shadows', 'set_exposure', 'set_ambient_occlusion', 'setup_volumetric_fog',
-                        'build_lighting'
+                        'build_lighting', 'list_light_types'
                     ],
                     description: 'Action'
                 },

package/dist/tools/debug.d.ts

@@ -301,5 +301,10 @@ export declare class DebugVisualizationTools {
         error: string;
         message?: undefined;
     }>;
+    listDebugShapes(): Promise<import("../automation/types.js").AutomationBridgeResponseMessage | {
+        success: boolean;
+        error: string;
+        message: string;
+    }>;
 }
 //# sourceMappingURL=debug.d.ts.map

package/dist/tools/debug.js

@@ -449,5 +449,12 @@ export class DebugVisualizationTools {
             return { success: false, error: `Failed to clear debug shapes: ${err}` };
         }
     }
+    async listDebugShapes() {
+        if (this.automationBridge) {
+            const response = await this.automationBridge.sendAutomationRequest('list_debug_shapes', {});
+            return response;
+        }
+        return { success: false, error: 'AUTOMATION_BRIDGE_REQUIRED', message: 'Listing debug shapes requires Automation Bridge' };
+    }
 }
 //# sourceMappingURL=debug.js.map