vcluster-yaml-mcp-server 1.0.0 → 1.0.2

package/README.md

@@ -71,11 +71,16 @@ The package also provides a standalone CLI for quick queries and validation with
 
 ```bash
 # Quick start with npx (no installation)
-npx -y vcluster-yaml-mcp-server vcluster-yaml query sync --format table
+npx -p vcluster-yaml-mcp-server vcluster-yaml query sync --format table
 
 # Or install globally
 npm install -g vcluster-yaml-mcp-server
 vcluster-yaml query sync --format table
+
+# Validate configurations with ease
+vcluster-yaml validate my-config.yaml
+cat my-config.yaml | vcluster-yaml validate -
+vcluster-yaml validate my-config.yaml --schema-version v0.24.0
 ```
 
 📖 **[Full CLI Documentation →](docs/CLI.md)**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vcluster-yaml-mcp-server",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "MCP server for querying vcluster YAML configurations using jq",
   "main": "src/index.js",
   "type": "module",
@@ -32,6 +32,7 @@
     "cli-table3": "^0.6.5",
     "commander": "^13.0.0",
     "express": "^4.18.2",
+    "express-rate-limit": "^8.1.0",
     "js-yaml": "^4.1.0",
     "node-fetch": "^3.3.2",
     "node-jq": "^6.0.1"
@@ -46,7 +47,6 @@
     "jsonschema": "^1.5.0",
     "strip-ansi": "^7.1.0",
     "supertest": "^7.1.4",
-    "vitest": "^3.2.4",
-    "z-schema": "^6.0.2"
+    "vitest": "^3.2.4"
   }
 }

package/src/cli-utils.js

@@ -0,0 +1,44 @@
+/**
+ * CLI utility functions
+ * Provides helpers for stdin reading and file operations
+ */
+
+import { readFile } from 'fs/promises';
+import { stdin } from 'process';
+
+/**
+ * Read content from stdin
+ * Used for piping content to CLI commands
+ * @returns {Promise<string>} The content read from stdin
+ */
+export async function readStdin() {
+  return new Promise((resolve, reject) => {
+    let data = '';
+
+    stdin.setEncoding('utf8');
+    stdin.on('data', chunk => data += chunk);
+    stdin.on('end', () => resolve(data));
+    stdin.on('error', reject);
+  });
+}
+
+/**
+ * Read content from a file or stdin based on the file argument
+ * @param {string|undefined} file - File path, '-' for stdin, or undefined for stdin
+ * @returns {Promise<{content: string, source: string}>} The content and its source
+ */
+export async function readContentSource(file) {
+  // Read from stdin if no file provided or file is '-'
+  if (!file || file === '-') {
+    const content = await readStdin();
+    return { content, source: 'stdin' };
+  }
+
+  // Read from file
+  try {
+    const content = await readFile(file, 'utf-8');
+    return { content, source: file };
+  } catch (error) {
+    throw new Error(`Cannot read file '${file}': ${error.message}`);
+  }
+}

package/src/cli.js

@@ -9,6 +9,7 @@
 import { Command } from 'commander';
 import { handleQuery, handleListVersions, handleValidate } from './cli-handlers.js';
 import { formatOutput } from './formatters.js';
+import { readContentSource } from './cli-utils.js';
 
 const program = new Command();
 
@@ -22,8 +23,14 @@ program
   .command('query <query>')
   .description('Search for vCluster configuration fields')
   .option('--file <file>', 'Configuration file to search', 'chart/values.yaml')
-  .option('--version <version>', 'vCluster version or branch', 'main')
+  .option('-s, --schema-version <version>', 'vCluster version or branch', 'main')
   .option('-f, --format <format>', 'Output format (json, yaml, table)', 'json')
+  .addHelpText('after', `
+Examples:
+  $ vcluster-yaml query sync
+  $ vcluster-yaml query sync --schema-version v0.24.0
+  $ vcluster-yaml query "controlPlane.replicas" --format table
+  `)
   .action(async (query, options) => {
     try {
       // Validate format option
@@ -32,9 +39,15 @@ program
         process.exit(1);
       }
 
+      // Add validation for empty query
+      if (!query || query.trim() === '') {
+        console.error(`Error: Query cannot be empty. Try 'vcluster-yaml query sync' or see examples with --help`);
+        process.exit(1);
+      }
+
       const result = await handleQuery(query, {
         file: options.file,
-        version: options.version
+        version: options.schemaVersion
       });
 
       if (!result.success) {
@@ -91,11 +104,22 @@ program
 
 // Validate command
 program
-  .command('validate <content>')
+  .command('validate [file]')
   .description('Validate vCluster configuration')
-  .option('--version <version>', 'vCluster version for schema', 'main')
+  .option('-s, --schema-version <version>', 'vCluster version for schema', 'main')
   .option('-f, --format <format>', 'Output format (json, yaml, table)', 'json')
-  .action(async (content, options) => {
+  .addHelpText('after', `
+Arguments:
+  file                   YAML file to validate (use '-' for stdin, omit to read from stdin)
+
+Examples:
+  $ vcluster-yaml validate vcluster.yaml
+  $ vcluster-yaml validate vcluster.yaml --schema-version v0.24.0
+  $ cat vcluster.yaml | vcluster-yaml validate -
+  $ vcluster-yaml validate - < vcluster.yaml
+  $ vcluster-yaml validate vcluster.yaml --format table
+  `)
+  .action(async (file, options) => {
     try {
       // Validate format option
       if (!['json', 'yaml', 'table'].includes(options.format)) {
@@ -103,8 +127,24 @@ program
         process.exit(1);
       }
 
+      // Read content from file or stdin
+      let content;
+      try {
+        const result = await readContentSource(file);
+        content = result.content;
+      } catch (error) {
+        console.error(`Error: ${error.message}`);
+        process.exit(1);
+      }
+
+      // Check for empty content
+      if (!content || content.trim() === '') {
+        console.error(`Error: No content to validate. Please provide a file path or pipe content via stdin.`);
+        process.exit(1);
+      }
+
       const result = await handleValidate(content, {
-        version: options.version
+        version: options.schemaVersion
       });
 
       // For validation, always output the result (even if not successful)

package/src/github.js

@@ -75,6 +75,16 @@ class GitHubClient {
 
   // Get file content from GitHub
   async getFileContent(path, ref = 'main') {
+    // Validate path - prevent path traversal
+    if (path.includes('..') || path.startsWith('/')) {
+      throw new Error('Invalid path: path traversal not allowed');
+    }
+
+    // Validate ref format (branch, tag, or commit SHA)
+    if (!/^[\w.\/-]+$/.test(ref)) {
+      throw new Error('Invalid ref format');
+    }
+
     const actualRef = ref;
     const cacheKey = `file:${actualRef}:${path}`;
     const cached = this.getFromCache(cacheKey);

package/src/http-server.js

@@ -3,16 +3,48 @@
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { createServer } from './server.js';
 import express from 'express';
+import rateLimit from 'express-rate-limit';
 import { requireApiKey } from './middleware/auth.js';
 
 const PORT = process.env.PORT || 3000;
 const REQUIRE_AUTH = process.env.REQUIRE_AUTH === 'true';
 
 const app = express();
-app.use(express.json());
+
+// Security headers
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.removeHeader('X-Powered-By');
+  next();
+});
+
+// Request size limiting
+app.use(express.json({
+  limit: '1mb',
+  strict: true
+}));
+
+// Rate limiting for general endpoints
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 500,
+  message: { error: 'Too many requests, please try again later' },
+  standardHeaders: true,
+  legacyHeaders: false
+});
+
+// Rate limiting for MCP endpoint (allows for interactive sessions)
+const mcpLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 1000,
+  message: { error: 'Too many requests to MCP endpoint, please try again later' },
+  standardHeaders: true,
+  legacyHeaders: false
+});
 
 // Health check endpoint
-app.get('/health', (_req, res) => {
+app.get('/health', apiLimiter, (_req, res) => {
   res.json({
     status: 'ok',
     name: 'vcluster-yaml-mcp-server',
@@ -56,8 +88,8 @@ const mcpHandler = async (req, res) => {
 };
 
 // Support both GET and POST for MCP endpoint
-app.get('/mcp', REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
-app.post('/mcp', REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
+app.get('/mcp', mcpLimiter, REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
+app.post('/mcp', mcpLimiter, REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
 
 app.listen(PORT, () => {
   console.log(`vcluster-yaml-mcp-server HTTP running on port ${PORT}`);

package/src/middleware/auth.js

@@ -1,4 +1,16 @@
-// Simple API key authentication middleware
+import crypto from 'crypto';
+
+// Timing-safe string comparison
+function secureCompare(a, b) {
+  if (!a || !b || a.length !== b.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  } catch {
+    return false;
+  }
+}
+
+// API key authentication middleware with timing-safe comparison
 export function requireApiKey(req, res, next) {
   const authHeader = req.headers['authorization'];
 
@@ -10,9 +22,14 @@ export function requireApiKey(req, res, next) {
   }
 
   const token = authHeader.substring(7);
-  const validTokens = (process.env.VALID_API_KEYS || '').split(',');
+  const validTokens = (process.env.VALID_API_KEYS || '').split(',').filter(t => t.length > 0);
+
+  // Use timing-safe comparison to prevent timing attacks
+  const isValid = validTokens.some(validToken =>
+    validToken.length === token.length && secureCompare(validToken, token)
+  );
 
-  if (!validTokens.includes(token)) {
+  if (!isValid) {
     return res.status(403).json({
       error: 'Forbidden',
       message: 'Invalid API key'

package/src/server.js

@@ -1,7 +1,6 @@
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import yaml from 'js-yaml';
-import jq from 'node-jq';
 import { githubClient } from './github.js';
 import { validateSnippet } from './snippet-validator.js';
 
@@ -591,77 +590,6 @@ export function createServer() {
           };
         }
 
-        case 'query-config': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            // Default to chart/values.yaml
-            yamlData = await githubClient.getYamlContent('chart/values.yaml', version);
-          }
-          
-          // Convert YAML to JSON for jq processing
-          const jsonData = JSON.stringify(yamlData);
-          
-          // Run jq query
-          const options = {
-            input: 'string',
-            output: args.raw ? 'string' : 'json'
-          };
-          
-          const result = await jq.run(args.query, jsonData, options);
-          
-          return {
-            content: [
-              {
-                type: 'text',
-                text: typeof result === 'string' ? result : JSON.stringify(result, null, 2)
-              }
-            ]
-          };
-        }
-
-        case 'get-config-value': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            yamlData = await githubClient.getYamlContent('config/values.yaml', version);
-          }
-          
-          // Convert dot notation to jq query
-          const jqQuery = '.' + args.path.split('.').map(part => {
-            // Handle array indices
-            if (/^\d+$/.test(part)) {
-              return `[${part}]`;
-            }
-            // Handle special characters in keys
-            return `["${part}"]`;
-          }).join('');
-          
-          const jsonData = JSON.stringify(yamlData);
-          const result = await jq.run(jqQuery, jsonData, { input: 'string', output: 'json' });
-          
-          return {
-            content: [
-              {
-                type: 'text',
-                text: `Value at ${args.path}: ${JSON.stringify(result, null, 2)}`
-              }
-            ]
-          };
-        }
-
         case 'extract-validation-rules': {
           const version = args.version || 'main';
           const fileName = args.file || 'chart/values.yaml';
@@ -756,67 +684,6 @@ export function createServer() {
           }
         }
 
-        case 'search-config': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            yamlData = await githubClient.getYamlContent('config/values.yaml', version);
-          }
-
-          const searchTerm = args.search.toLowerCase();
-          const matches = [];
-
-          // Recursive search function
-          function searchObject(obj, path = '') {
-            if (obj && typeof obj === 'object') {
-              for (const [key, value] of Object.entries(obj)) {
-                const currentPath = path ? `${path}.${key}` : key;
-
-                // Check if key matches
-                if (key.toLowerCase().includes(searchTerm)) {
-                  if (args.keysOnly) {
-                    matches.push(`Key: ${currentPath}`);
-                  } else {
-                    matches.push(`Key: ${currentPath} = ${JSON.stringify(value)}`);
-                  }
-                }
-
-                // Check if value matches (if not keysOnly)
-                if (!args.keysOnly && value !== null && value !== undefined) {
-                  const valueStr = JSON.stringify(value).toLowerCase();
-                  if (valueStr.includes(searchTerm)) {
-                    matches.push(`Value at ${currentPath}: ${JSON.stringify(value)}`);
-                  }
-                }
-
-                // Recurse into objects
-                if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
-                  searchObject(value, currentPath);
-                }
-              }
-            }
-          }
-
-          searchObject(yamlData);
-
-          return {
-            content: [
-              {
-                type: 'text',
-                text: matches.length > 0
-                  ? `Found ${matches.length} match(es):\n${matches.join('\n')}`
-                  : `No matches found for "${args.search}"`
-              }
-            ]
-          };
-        }
-
         default:
           throw new Error(`Unknown tool: ${name}`);
       }

package/src/snippet-validator.js

@@ -190,6 +190,18 @@ function createAjvInstance() {
  */
 export function validateSnippet(snippetYaml, fullSchema, version, sectionHint = null) {
   const startTime = Date.now();
+  const MAX_YAML_SIZE = 1024 * 1024; // 1MB
+
+  // Check YAML size limit
+  if (snippetYaml.length > MAX_YAML_SIZE) {
+    return {
+      valid: false,
+      error: 'YAML exceeds 1MB limit',
+      size_bytes: snippetYaml.length,
+      max_size_bytes: MAX_YAML_SIZE,
+      elapsed_ms: Date.now() - startTime
+    };
+  }
 
   // Parse YAML
   let parsedSnippet;