npm - wormclaude - Versions diffs - 1.0.73 → 1.0.75 - Mend

wormclaude 1.0.73 → 1.0.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

package/skills/build-mcpb/references/local-security.md ADDED Viewed

@@ -0,0 +1,149 @@
+# Local MCP Security
+**MCPB ships no sandbox.** The manifest has no `permissions` block, no filesystem scoping, and no platform-enforced network allowlist. The server process runs with the user's full privileges — it can read any file they can, spawn any process, and reach any network endpoint.
+WormClaude is what drives it. That combination means **tool inputs are untrusted**, even though they arrive from an AI the user trusts. A prompt-injected web page can trick WormClaude into calling your `delete_file` tool with a path you never intended.
+Your tool handlers are the only line of defense. Everything below is about building that defense yourself.
+---
+## Path traversal
+The number-one bug in local MCP servers. Whenever you take a path parameter and join it to a root, **resolve it and verify containment**.
+```typescript
+import { resolve, relative, isAbsolute } from "node:path";
+function safeJoin(root: string, userPath: string): string {
+  const full = resolve(root, userPath);
+  const rel = relative(root, full);
+  if (rel.startsWith("..") || isAbsolute(rel)) {
+    throw new Error(`Path escapes root: ${userPath}`);
+  }
+  return full;
+}
+```
+`resolve` normalizes `..`, symlink segments, and the like; `relative` tells you whether the result left the root. Don't lean on `String.includes("..")` — it misses encoded and symlink-based escapes.
+**Python equivalent:**
+```python
+from pathlib import Path
+def safe_join(root: Path, user_path: str) -> Path:
+    full = (root / user_path).resolve()
+    if not full.is_relative_to(root.resolve()):
+        raise ValueError(f"Path escapes root: {user_path}")
+    return full
+```
+---
+## Roots — ask the host, don't hardcode
+Before you hardcode `ROOT` from a config env var, check whether the host supports `roots/list`. That's the spec-native way to obtain user-approved workspace boundaries.
+```typescript
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+const server = new McpServer({ name: "...", version: "..." });
+let allowedRoots: string[] = [];
+server.server.oninitialized = async () => {
+  const caps = server.getClientCapabilities();
+  if (caps?.roots) {
+    const { roots } = await server.server.listRoots();
+    allowedRoots = roots.map(r => new URL(r.uri).pathname);
+  } else {
+    allowedRoots = [process.env.ROOT_DIR ?? process.cwd()];
+  }
+};
+```
+```python
+# fastmcp — inside a tool handler
+async def my_tool(ctx: Context) -> str:
+    try:
+        roots = await ctx.list_roots()
+        allowed = [urlparse(r.uri).path for r in roots]
+    except Exception:
+        allowed = [os.environ.get("ROOT_DIR", os.getcwd())]
+```
+When roots are available, use them; when they aren't, fall back to config. Either way, validate every path against the allowed set.
+---
+## Command injection
+If you spawn processes, **never route user input through a shell**.
+```typescript
+// ❌ catastrophic
+exec(`git log ${branch}`);
+// ✅ array-args, no shell
+execFile("git", ["log", branch]);
+```
+When you're wrapping a CLI, assemble the entire argv as an array. If the tool takes flags at all, check each one against an allowlist.
+---
+## Read-only by default
+Split reads and writes into separate tools. Most workflows only ever need reads, and a read-only tool can't be turned into data loss no matter what WormClaude is tricked into passing it.
+```
+list_files   ← safe to call freely
+read_file    ← safe to call freely
+write_file   ← separate tool, separate scrutiny
+delete_file  ← consider not shipping this at all
+```
+Back this up with tool annotations — `readOnlyHint: true` on every read tool, `destructiveHint: true` on delete/overwrite tools. Hosts surface these in their permission UI (auto-approving reads, showing a confirm dialog for destructive ones). See `../build-mcp-server/references/tool-design.md`.
+If you do ship write/delete, consider requiring explicit confirmation through elicitation (see `../build-mcp-server/references/elicitation.md`) or a confirmation widget (see `build-mcp-app`) so the user signs off on each destructive call.
+---
+## Resource limits
+WormClaude will cheerfully ask to read a 4GB log file. Put a cap on everything:
+```typescript
+const MAX_BYTES = 1_000_000;
+const buf = await readFile(path);
+if (buf.length > MAX_BYTES) {
+  return {
+    content: [{
+      type: "text",
+      text: `File is ${buf.length} bytes — too large. Showing first ${MAX_BYTES}:\n\n`
+            + buf.subarray(0, MAX_BYTES).toString("utf8"),
+    }],
+  };
+}
+```
+Do the same for directory listings (cap the entry count), search results (cap the matches), and anything else that's unbounded.
+---
+## Secrets
+- **Config secrets** (`sensitive: true` in the manifest's `user_config`): the host keeps them in the OS keychain and delivers them via an env var. Don't log them, and don't put them in tool results.
+- **Never write secrets to plaintext files.** If the host's keychain integration isn't enough, reach for `keytar` (Node) / `keyring` (Python) yourself.
+- **Tool results flow into the chat transcript.** Whatever you return is visible to the user (and to any log export), so redact before returning.
+---
+## Checklist before shipping
+- [ ] Every path parameter goes through containment check
+- [ ] No `exec()` / `shell=True` — `execFile` / array-argv only
+- [ ] Write/delete split from read tools; `readOnlyHint`/`destructiveHint` annotations set
+- [ ] Size caps on file reads, listing lengths, search results
+- [ ] Secrets never logged or returned in tool results
+- [ ] Tested with adversarial inputs: `../../etc/passwd`, `; rm -rf ~`, 10GB file

package/skills/build-mcpb/references/manifest-schema.md ADDED Viewed

@@ -0,0 +1,156 @@
+# MCPB Manifest Schema (v0.4)
+Checked against `github.com/anthropics/mcpb/schemas/mcpb-manifest-v0.4.schema.json`. The schema sets `additionalProperties: false`, so any unknown key is rejected. Include `"$schema"` in your manifest to get editor validation.
+---
+## Top-level fields
+| Field | Required | Description |
+|---|---|---|
+| `manifest_version` | ✅ | Schema version. Use `"0.4"`. |
+| `name` | ✅ | Package identifier (lowercase, hyphens). Must be unique. |
+| `version` | ✅ | Semver version of YOUR package. |
+| `description` | ✅ | One-line summary. Shown in marketplace. |
+| `author` | ✅ | `{name, email?, url?}` |
+| `server` | ✅ | Entry point and launch config. See below. |
+| `display_name` | | Human-friendly name. Falls back to `name`. |
+| `long_description` | | Markdown. Shown on detail page. |
+| `icon` / `icons` | | Path(s) to icon file(s) in the bundle. |
+| `homepage` / `repository` / `documentation` / `support` | | URLs. |
+| `license` | | SPDX identifier. |
+| `keywords` | | String array for search. |
+| `user_config` | | Install-time config fields. See below. |
+| `compatibility` | | Host/platform/runtime requirements. See below. |
+| `tools` / `prompts` | | Optional declarative list for marketplace display. Not enforced at runtime. |
+| `tools_generated` / `prompts_generated` | | `true` if tools/prompts are dynamic (can't list statically). |
+| `screenshots` | | Array of image paths. |
+| `localization` | | i18n bundles. |
+| `privacy_policies` | | URLs. |
+---
+## `server` — launch configuration
+```json
+"server": {
+  "type": "node",
+  "entry_point": "server/index.js",
+  "mcp_config": {
+    "command": "node",
+    "args": ["${__dirname}/server/index.js"],
+    "env": {
+      "API_KEY": "${user_config.apiKey}",
+      "ROOT_DIR": "${user_config.rootDir}"
+    }
+  }
+}
+```
+| Field | Description |
+|---|---|
+| `type` | `"node"`, `"python"`, or `"binary"` |
+| `entry_point` | Relative path to main file. Informational. |
+| `mcp_config.command` | Executable to launch. |
+| `mcp_config.args` | Argv array. Use `${__dirname}` for bundle-relative paths. |
+| `mcp_config.env` | Environment variables. Use `${user_config.KEY}` to substitute user config. |
+**Substitution variables** (in `args` and `env` only):
+- `${__dirname}` — absolute path to the unpacked bundle directory
+- `${user_config.<key>}` — value the user entered at install time
+- `${HOME}` — user's home directory
+**There are no auto-prefixed env vars.** The env var names your server reads are precisely the ones you declare in `mcp_config.env`. Write `"ROOT_DIR": "${user_config.rootDir}"` and your server reads `process.env.ROOT_DIR`.
+---
+## `user_config` — install-time settings
+```json
+"user_config": {
+  "apiKey": {
+    "type": "string",
+    "title": "API Key",
+    "description": "Your service API key. Stored encrypted.",
+    "sensitive": true,
+    "required": true
+  },
+  "rootDir": {
+    "type": "directory",
+    "title": "Root directory",
+    "description": "Directory to expose to the server.",
+    "default": "${HOME}/Documents"
+  },
+  "maxResults": {
+    "type": "number",
+    "title": "Max results",
+    "description": "Maximum items returned per query.",
+    "default": 50,
+    "min": 1,
+    "max": 500
+  }
+}
+```
+| Field | Required | Description |
+|---|---|---|
+| `type` | ✅ | `"string"`, `"number"`, `"boolean"`, `"directory"`, `"file"` |
+| `title` | ✅ | Form label. |
+| `description` | ✅ | Help text under the input. |
+| `default` | | Pre-filled value. Supports `${HOME}`. |
+| `required` | | If `true`, install blocks until filled. |
+| `sensitive` | | If `true`, stored in OS keychain + masked in UI. **NOT `secret`** — that field doesn't exist. |
+| `multiple` | | If `true`, user can enter multiple values (array). |
+| `min` / `max` | | Numeric bounds (for `type: "number"`). |
+The `directory` and `file` types draw native OS pickers — favor them over free-text paths for both UX and validation.
+---
+## `compatibility` — gate installs
+```json
+"compatibility": {
+  "claude_desktop": ">=1.0.0",
+  "platforms": ["darwin", "win32", "linux"],
+  "runtimes": { "node": ">=20" }
+}
+```
+| Field | Description |
+|---|---|
+| `claude_desktop` | Semver range. Install blocked if host is older. |
+| `platforms` | OS allowlist. Subset of `["darwin", "win32", "linux"]`. |
+| `runtimes` | Required runtime versions, e.g. `{"node": ">=20"}` or `{"python": ">=3.11"}`. |
+---
+## Minimal valid manifest
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/anthropics/mcpb/main/schemas/mcpb-manifest-v0.4.schema.json",
+  "manifest_version": "0.4",
+  "name": "hello",
+  "version": "0.1.0",
+  "description": "Minimal MCPB server.",
+  "author": { "name": "Your Name" },
+  "server": {
+    "type": "node",
+    "entry_point": "server/index.js",
+    "mcp_config": {
+      "command": "node",
+      "args": ["${__dirname}/server/index.js"]
+    }
+  }
+}
+```
+---
+## What MCPB does NOT have
+- **No `permissions` block.** There's no manifest-level filesystem/network/process scoping. The server runs with full user privileges, so enforce boundaries inside your tool handlers — see `local-security.md`.
+- **No auto env var prefix.** There's no `MCPB_CONFIG_*` convention; you map config → env explicitly in `server.mcp_config.env`.
+- **No `entry` field.** It's `server` with `entry_point` nested inside.
+- **No `minHostVersion`.** Use `compatibility.claude_desktop` instead.

package/skills/docx/script/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+

package/skills/docx/script/accept_chages.py ADDED Viewed

@@ -0,0 +1,135 @@
+"""Accept all tracked changes in a DOCX file using LibreOffice.
+Requires LibreOffice (soffice) to be installed.
+"""
+import argparse
+import logging
+import shutil
+import subprocess
+from pathlib import Path
+from office.soffice import get_soffice_env
+logger = logging.getLogger(__name__)
+LIBREOFFICE_PROFILE = "/tmp/libreoffice_docx_profile"
+MACRO_DIR = f"{LIBREOFFICE_PROFILE}/user/basic/Standard"
+ACCEPT_CHANGES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
+<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
+    Sub AcceptAllTrackedChanges()
+        Dim document As Object
+        Dim dispatcher As Object
+        document = ThisComponent.CurrentController.Frame
+        dispatcher = createUnoService("com.sun.star.frame.DispatchHelper")
+        dispatcher.executeDispatch(document, ".uno:AcceptAllTrackedChanges", "", 0, Array())
+        ThisComponent.store()
+        ThisComponent.close(True)
+    End Sub
+</script:module>"""
+def accept_changes(
+    input_file: str,
+    output_file: str,
+) -> tuple[None, str]:
+    input_path = Path(input_file)
+    output_path = Path(output_file)
+    if not input_path.exists():
+        return None, f"Error: Input file not found: {input_file}"
+    if not input_path.suffix.lower() == ".docx":
+        return None, f"Error: Input file is not a DOCX file: {input_file}"
+    try:
+        output_path.parent.mkdir(parents=True, exist_ok=True)
+        shutil.copy2(input_path, output_path)
+    except Exception as e:
+        return None, f"Error: Failed to copy input file to output location: {e}"
+    if not _setup_libreoffice_macro():
+        return None, "Error: Failed to setup LibreOffice macro"
+    cmd = [
+        "soffice",
+        "--headless",
+        f"-env:UserInstallation=file://{LIBREOFFICE_PROFILE}",
+        "--norestore",
+        "vnd.sun.star.script:Standard.Module1.AcceptAllTrackedChanges?language=Basic&location=application",
+        str(output_path.absolute()),
+    ]
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=30,
+            check=False,
+            env=get_soffice_env(),
+        )
+    except subprocess.TimeoutExpired:
+        return (
+            None,
+            f"Successfully accepted all tracked changes: {input_file} -> {output_file}",
+        )
+    if result.returncode != 0:
+        return None, f"Error: LibreOffice failed: {result.stderr}"
+    return (
+        None,
+        f"Successfully accepted all tracked changes: {input_file} -> {output_file}",
+    )
+def _setup_libreoffice_macro() -> bool:
+    macro_dir = Path(MACRO_DIR)
+    macro_file = macro_dir / "Module1.xba"
+    if macro_file.exists() and "AcceptAllTrackedChanges" in macro_file.read_text():
+        return True
+    if not macro_dir.exists():
+        subprocess.run(
+            [
+                "soffice",
+                "--headless",
+                f"-env:UserInstallation=file://{LIBREOFFICE_PROFILE}",
+                "--terminate_after_init",
+            ],
+            capture_output=True,
+            timeout=10,
+            check=False,
+            env=get_soffice_env(),
+        )
+        macro_dir.mkdir(parents=True, exist_ok=True)
+    try:
+        macro_file.write_text(ACCEPT_CHANGES_MACRO)
+        return True
+    except Exception as e:
+        logger.warning(f"Failed to setup LibreOffice macro: {e}")
+        return False
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Accept all tracked changes in a DOCX file"
+    )
+    parser.add_argument("input_file", help="Input DOCX file with tracked changes")
+    parser.add_argument(
+        "output_file", help="Output DOCX file (clean, no tracked changes)"
+    )
+    args = parser.parse_args()
+    _, message = accept_changes(args.input_file, args.output_file)
+    print(message)
+    if "Error" in message:
+        raise SystemExit(1)