Code Executor MCP Server

MIT License

1,618

105

code-executor-MCP

CHANGELOG.md•82.9 kB

# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ## [1.0.5] - 2025-11-23 ### 🚨 CRITICAL BUGFIX #4 **v1.0.4 CLI SETUP & DAILY SYNC BROKEN** #### Fixed - **CLI Setup Template Path Resolution** - Fixed "Template not found" error when running globally/via npx - **Error:** `Error: Template not found: .../templates/typescript-wrapper.hbs` - **Root Cause:** `WrapperGenerator` used `process.cwd()` to locate templates, which fails when running outside the package directory - **Fix:** Updated path resolution to use `import.meta.url` relative to the script location - **Files:** `src/cli/index.ts`, `src/cli/sync-wrappers-cli.ts` - **Daily Sync Scheduler Path** - Fixed "scriptPath must be absolute" error - **Error:** `Error: scriptPath must be absolute` - **Root Cause:** `SystemdScheduler` requires an absolute path to an executable file, but the wizard passed a command string (`npx ...`) - **Fix:** Wizard now generates a helper script (`~/.code-executor/daily-sync.sh`) and passes its absolute path to the scheduler - **Files:** `src/cli/index.ts` **⚠️ Critical:** v1.0.4 setup wizard and daily sync are broken for global/npx usage. Upgrade to v1.0.5 recommended. ## [1.0.4] - 2025-11-22 ### 🚨 CRITICAL BUGFIX #3 **v1.0.1, v1.0.2, AND v1.0.3 ALL BROKEN - Wrapper generation type mismatch** #### Fixed - **Wrapper Generator Type Mismatch** - Fixed type mismatch between templates and data structure - **Error:** Templates expect `inputSchema` but wizard provides `parameters` - **Root Cause:** v1.0.2 "fix" changed templates to use `this.inputSchema`, but wizard still provided `parameters` - **Impact:** ALL previous versions have 100% wrapper generation failure (different causes) - v1.0.1: Template bug (parameters → inputSchema) - v1.0.2: Missing templates in npm - v1.0.3: Type mismatch (parameters vs inputSchema) - **Fix:** Updated wizard and types to use `inputSchema` consistently - **Files Changed:** - `src/cli/wizard.ts:521` - Changed `parameters: tool.inputSchema` → `inputSchema: tool.inputSchema` - `src/cli/types.ts:243` - Changed `parameters:` → `inputSchema:` in ToolSchema interface - `src/cli/daily-sync.ts:375` - Changed `parameters:` → `inputSchema:` in conversion function - `tests/cli/wrapper-generator.test.ts` - Updated all test mocks to use `inputSchema` - **Tested:** All wrapper generator tests pass (21/21), daily sync tests pass (11/11) **⚠️ Critical:** v1.0.1, v1.0.2, and v1.0.3 are all broken. Upgrade to v1.0.4 immediately. ## [1.0.3] - 2025-11-22 ### 🚨 CRITICAL BUGFIX #2 **v1.0.1 AND v1.0.2 BOTH BROKEN - Templates not published to npm** #### Fixed - **Missing Templates in npm Package** - Added `templates/` directory to package.json files array - Root Cause: `package.json` files array excluded `templates/` directory - Impact: v1.0.1 and v1.0.2 users have NO templates → 100% wrapper generation failure - Fix: Added `"templates"` to files array in package.json - All wrapper generation now works correctly **⚠️ Critical:** v1.0.1 and v1.0.2 are completely broken. Upgrade to v1.0.3 immediately. ## [1.0.2] - 2025-11-22 ### 🚨 CRITICAL BUGFIX **v1.0.1 COMPLETELY BROKEN - All wrapper generation fails** #### Fixed - **Wrapper Generation Templates** - Fixed template schema mismatch causing 100% failure rate - **Error:** `"Cannot read properties of undefined (reading 'properties')"` - **Root Cause:** Templates expected `this.parameters.properties` but MCP tools provide `this.inputSchema.properties` - **Impact:** v1.0.1 users cannot generate any wrappers (0% success rate) - **Fix:** Changed all template references from `this.parameters` to `this.inputSchema` - **Files:** `templates/typescript-wrapper.hbs`, `templates/python-wrapper.hbs` - **Tested:** Wrapper generation now works correctly **Upgrade Immediately:** If you installed v1.0.1, upgrade to v1.0.2 to fix wrapper generation. ## [1.0.1] - 2025-11-22 ### 🚀 Phase 10: Daily Sync Scheduler Integration **Automated MCP wrapper synchronization with platform-native schedulers** #### Added - **Daily Sync Scheduler** - Automated wrapper regeneration based on schema hash changes - Platform-native scheduler integration (systemd timers on Linux, launchd on macOS, Task Scheduler on Windows) - Incremental updates: Only regenerates wrappers when MCP schemas change (SHA-256 hash comparison) - CLI wizard now installs and configures daily sync timers during setup - Manual sync command: `npm run sync-wrappers` or `npx code-executor-mcp sync-wrappers` - Files: `src/cli/sync-wrappers-cli.ts`, `src/cli/index.ts:266-310` - **Phase 10 Implementation** - Full MCP wrapper synchronization (#70) - `DailySyncService.computeCurrentSchemaHash()` - Fetches tools from MCPClientPool and computes SHA-256 hash - `DailySyncService.regenerateWrapper()` - Reconstructs MCPServerSelection and regenerates wrappers - Constructor simplified: Single injection point via `options.wrapperGenerator` (no dual injection) - Integration with MCPClientPool and SchemaCache for real-time schema fetching - File: `src/cli/daily-sync.ts` - **Integration Tests** - 21 new tests (100% pass rate) - 14 scheduler integration tests (`tests/cli/scheduler-integration.test.ts`) - Platform detection (Linux, macOS, Windows, unsupported) - Input validation (scriptPath, syncTime, timerName) - Security tests (path traversal, command injection prevention) - 7 sync-wrappers CLI tests (`tests/cli/sync-wrappers-cli.test.ts`) - SchemaCache constructor validation (positional parameters) - MCPClientPool and WrapperGenerator integration - Error handling and manifest management #### Fixed - **Security Enhancements** - Tool allowlisting and provider-specific model restrictions (#51, #69) - Server-level tool allowlist validation before execution - Requested tools validated against `security.allowedTools` config - Provider-specific model allowlists (`CODE_EXECUTOR_ALLOWED_MODELS_GEMINI`, `CODE_EXECUTOR_ALLOWED_MODELS_OPENAI`) - Denies execution with clear error message if tools not on allowlist - Files: `src/config/loader.ts`, `src/config/types.ts`, `src/executors/sandbox-executor.ts` - Tests: `tests/security-fixes.test.ts` (11 tests), `tests/issue-69.test.ts` (4 tests) - **Redis Cache Stability** - Graceful disconnect handling - No longer throws on disconnect - uses Promise.allSettled() instead of Promise.all() - Prevents "Redis connection is not open" errors during shutdown - File: `src/caching/redis-cache-provider.ts:215-227` - **MCP Client Pool** - Enhanced error handling for connection failures - Non-blocking failure reporting during initialization - Continues with partial MCP server availability - File: `src/mcp/client-pool.ts` - **Health Check Endpoint** - Fixed typo in endpoint path - Changed from `/helth` to `/health` - File: `src/core/server/health-check.ts:18` - **Sampling Detection** - Fixed sampling capability detection - Uses `createMessage()` method instead of `request()` - File: `src/core/server/sampling-bridge-server.ts` - **Hybrid Sampling Fallback** - Fixed provider initialization in MCP sampling mode - LLM provider now initialized unconditionally in `SamplingBridgeServer` constructor - Enables hybrid MCP/direct sampling with proper fallback - File: `src/core/server/sampling-bridge-server.ts:228-245` #### Changed - **CLI Wizard UX** - Added example to `.mcp.json` path prompt - Prompt now shows: `Path to project .mcp.json (e.g., ~/projects/your-project/.mcp.json, press Enter to skip):` - Helps users understand expected input format - File: `src/cli/wizard.ts:1241` - **DailySyncService Constructor** - Simplified dependency injection - Removed dual injection (constructor parameter + options parameter) - Now uses single injection point: `options.wrapperGenerator` - Cleaner API, less confusion - File: `src/cli/daily-sync.ts:125-145` ## [1.0.0] - 2025-01-20 ### 🎉 Major Release - MCP Sampling (Beta) **Breaking Changes:** None for typical usage (MCP server binary) ⚠️ **Internal Module Restructuring:** If you were importing internal modules directly (not recommended), import paths have changed: ```typescript // ❌ OLD (v0.x) - Deep imports from internal modules import { SchemaCache } from 'code-executor-mcp/src/schema-cache.js'; import { MCPProxyServer } from 'code-executor-mcp/src/mcp-proxy-server.js'; import { ContentFilter } from 'code-executor-mcp/src/content-filter.js'; // ✅ NEW (v1.0) - Organized directory structure import { SchemaCache } from 'code-executor-mcp/src/validation/schema-cache.js'; import { MCPProxyServer } from 'code-executor-mcp/src/core/server/mcp-proxy-server.js'; import { ContentFilter } from 'code-executor-mcp/src/validation/content-filter.js'; ``` **Migration:** Update import paths to new directory structure: - `caching/` - Cache providers (SchemaCache, LRUCacheProvider, RedisCacheProvider) - `config/` - Configuration (loader, discovery, schemas, types) - `core/handlers/` - Request handlers (health check, metrics, tool execution) - `core/middleware/` - HTTP middleware (auth, streaming proxy) - `core/server/` - Server components (MCP proxy, sampling bridge, graceful shutdown) - `executors/` - Code executors (Deno, Pyodide, Python, sandbox) - `validation/` - Validators (AJV, content filter, security, network security) - `security/` - Security controls (rate limiter, circuit breaker) - `sampling/` - Sampling providers (Anthropic, OpenAI, Gemini, Grok, Perplexity) **Note:** Most users are unaffected - this package is primarily used as an MCP server binary (`npx code-executor-mcp`), not as a library. Only affects advanced users doing deep imports. ### Added #### MCP Sampling - LLM-in-the-Loop Execution - **TypeScript Sampling API** - Simple `llm.ask(prompt)` and `llm.think({messages})` helpers in Deno sandbox - **Python Sampling API** - Equivalent API with Python conventions (`snake_case`, type hints) in Pyodide sandbox - **Ephemeral Bridge Server** - Secure HTTP bridge with random port (localhost-only), unique bearer token per execution - **Hybrid Architecture** - Automatic fallback: MCP SDK sampling (free) → Direct Anthropic API (paid) - **Real-Time Metrics** - Execution result includes `samplingCalls[]` and `samplingMetrics` (rounds, tokens, duration, quota) #### Security Controls - **Rate Limiting** - Configurable max rounds (default: 10) and tokens (default: 10,000) per execution - Returns 429 with quota remaining when exceeded - AsyncLock protected for concurrency safety - Prevents infinite loops and resource exhaustion - **Content Filtering** - Automatic detection and redaction of secrets/PII - **Secrets**: OpenAI keys (sk-...), GitHub tokens (ghp_...), AWS keys (AKIA*), JWT tokens (eyJ...) - **PII**: Emails, SSNs, credit card numbers - Redaction format: `[REDACTED_SECRET]` or `[REDACTED_PII]` - 98%+ test coverage on pattern detection - **System Prompt Allowlist** - Only pre-approved prompts accepted (security against prompt injection) - Default allowlist: empty string, "You are a helpful assistant", "You are a code analysis expert" - Returns 403 with truncated prompt (max 100 chars) when violated - **Bearer Token Authentication** - 256-bit cryptographically secure token per bridge session - Constant-time comparison (crypto.timingSafeEqual) prevents timing attacks - Unique token per execution, generated with crypto.randomBytes - **Localhost Binding** - Bridge server only accessible via 127.0.0.1 (no external network access) - **Graceful Shutdown** - Active requests drained before bridge server stops (max 5s wait) #### Audit & Observability - **Sampling Audit Logger** - All sampling calls logged to `~/.code-executor/audit-log.jsonl` - SHA-256 hashes of prompts/responses (no plaintext secrets in logs) - Timestamps, execution IDs, round numbers, model, token usage, duration - Content filter violations logged with type and count - AsyncLock protected for concurrent writes - **Comprehensive Metrics** - Per-execution statistics - Total rounds, total tokens, total duration - Average tokens per round - Quota remaining (rounds and tokens) #### Configuration - **SamplingConfig Schema** - Zod validation with environment variable overrides - `CODE_EXECUTOR_SAMPLING_ENABLED` (boolean, default: false) - `CODE_EXECUTOR_MAX_SAMPLING_ROUNDS` (integer, default: 10) - `CODE_EXECUTOR_MAX_SAMPLING_TOKENS` (integer, default: 10,000) - `CODE_EXECUTOR_SAMPLING_TIMEOUT_MS` (integer, default: 30,000ms) - `CODE_EXECUTOR_CONTENT_FILTERING` (boolean, default: true) - **Per-Execution Overrides** - Tool parameters override config/env vars - `enableSampling`, `maxSamplingRounds`, `maxSamplingTokens`, `samplingTimeoutMs` #### Docker Support - **Docker Detection** - Automatic `host.docker.internal` bridge URL when running in containers - **Environment Handling** - Checks for `/.dockerenv` file and Docker cgroup signatures #### Documentation - **docs/sampling.md** - Comprehensive 900+ line guide - What/Why/How sections with architecture diagrams - Quick start with TypeScript & Python examples - Complete API reference for both runtimes - Security model with threat matrix (8 security tests) - Configuration guide (env vars, config file, per-execution) - Troubleshooting guide (8 common errors with solutions) - Performance benchmarks (<50ms bridge startup, <100ms per-call overhead) - FAQ (15+ questions) - **README.md** - MCP Sampling (Beta) section added - **SECURITY.md** - Sampling security model documented - **docs/architecture.md** - MCP Sampling Architecture section ### Security #### Attack Test Coverage (95%+) All attack vectors tested and mitigated: - ✅ Infinite loop prevention (T112: `should_blockInfiniteLoop_when_userCodeCallsLlmAsk10PlusTimes`) - ✅ Token exhaustion blocking (T113: `should_blockTokenExhaustion_when_userCodeExceeds10kTokens`) - ✅ Prompt injection protection (T114: `should_blockPromptInjection_when_maliciousSystemPromptProvided`) - ✅ Secret leakage redaction (T115: `should_redactSecretLeakage_when_claudeResponseContainsAPIKey`) - ✅ Timing attack prevention (T116: `should_preventTimingAttack_when_invalidTokenProvided`) - ✅ Unauthorized access blocking (T014: `should_return401_when_invalidTokenProvided`) - ✅ External access prevention (T011: `should_bindLocalhostOnly_when_serverStarts`) - ✅ Concurrent access protection (3 additional tests for race conditions) ### Improved #### SOLID Principles Refactoring - **RateLimiter Class** - Extracted from SamplingBridgeServer (171 lines, SRP compliant) - Responsibilities reduced from 5 → 3 (Single Responsibility Principle) - AsyncLock protected for thread safety - Encapsulated quota tracking and metrics calculation - **Helper Functions** - `generateBearerToken()` and `validateSystemPrompt()` extracted - Improved testability and reusability - Clear security rationale documented in WHY comments - **Named Constants** - Magic numbers replaced with semantic names - `BEARER_TOKEN_BYTES = 32` (256-bit security) - `GRACEFUL_SHUTDOWN_MAX_WAIT_MS = 5000` - `MAX_SYSTEM_PROMPT_ERROR_LENGTH = 100` - `DEFAULT_MAX_TOKENS_PER_REQUEST = 1000` #### Code Quality - **WHY Comments** - Security rationale for critical decisions - Bearer token generation: 256-bit entropy, industry standard - Localhost binding: Prevents external network access - Timing-safe comparison: Prevents timing attacks on token validation - **JSDoc Coverage** - Complete documentation for all public APIs - SamplingBridgeServer: constructor, start(), stop(), getSamplingMetrics() - ContentFilter: scan(), filter(), hasViolations(), getSupportedPatterns() - Python LLM class: ask(), think() with type hints ### Performance - **Bridge Server Startup** - <50ms (target: <50ms) ✅ - **Per-Call Overhead** - ~60ms average (target: <100ms) ✅ - Token validation: ~5ms - Rate limit check: ~10ms - System prompt validation: ~5ms - Content filtering: ~15ms - HTTP overhead: ~25ms - **Memory Footprint** - ~15MB bridge server, ~500KB per sampling call ### Testing - **1152 Total Tests** - 97.4% pass rate (1122/1152 passing) - **Sampling Test Coverage**: - Bridge server: 15/15 tests passing - Content filter: 8/8 tests passing - TypeScript API: 4/4 tests passing - Python API: 3/3 tests passing - Config schema: 23/23 tests passing - Audit logging: 13/13 tests passing - Security attacks: 8/8 tests passing - **Total sampling tests: 74/74 passing (100%)** ### Fixed - **Pyodide Fake Timers** - Disabled fake timers for Python sampling tests - Root cause: Pyodide's event loop conflicts with vi.useFakeTimers() - Solution: Use real timers for Python executor tests - **AsyncLock RateLimiter** - Made `getSamplingMetrics()` async - Updated all callers to use `await` for metrics access - Prevents race conditions in quota calculation ## [0.9.1] - 2025-01-20 ### Added - 📂 **Project-Specific MCP Configuration** - Wizard now prompts for project `.mcp.json` path - Users with multiple projects can specify which project's MCP servers to configure - Project MCPs are merged with global AI tool MCPs (Claude Code, Cursor) - Clear source tracking: displays which MCPs come from project vs AI tools - Path validation prevents traversal attacks (restricted to home directory and current working directory) ### Fixed - 🐛 **Wrapper Regeneration Bug** - "Generate missing only" option now works correctly - **Root Cause**: `regenOption` parameter was collected but never passed to wrapper generator - **Impact**: All wrappers were regenerated even when selecting "missing only" option - **Fix**: Added file existence check before generation when `regenOption` is 'missing' - Wrappers are now skipped if they already exist (not overwritten) - 📊 **Misleading Success Messages** - Wrapper generation now shows accurate counts - **Before**: "Generated 1 wrapper(s)" even for skipped files - **After**: "Generated X wrapper(s), Skipped Y existing wrapper(s)" - Separate tracking for generated vs skipped wrappers ### Security - 🔒 **Path Traversal Protection** - Enhanced security for project MCP config paths - Validates all user-provided paths are within allowed directories - Prevents `../../../etc/passwd` style attacks - Resolves paths to absolute form before validation - All error handlers use proper type guards (`catch (error: unknown)`) ## [0.9.0] - 2025-11-19 ### Added - 🧙 **Interactive CLI Setup Wizard** - One-command setup for code-executor-mcp - Run `npm run setup` to automatically configure everything - **What it does**: - Discovers MCP servers from your AI tool configs (Claude Code: `~/.claude.json`, Cursor: `~/.cursor/mcp.json`) AND project config (`.mcp.json`) - Merges global and project MCP servers (project overrides global for duplicate names) - Generates TypeScript/Python wrappers for easy MCP tool access - Creates default configuration (or customize with interactive prompts) - Sets up optional daily sync to keep wrappers up-to-date - **Why wrappers?**: - Instead of: `callMCPTool('mcp__filesystem__read_file', { path: '...' })` - Use: `filesystem.readFile({ path: '...' })` - cleaner, type-safe, autocomplete - Generated from schemas with full JSDoc comments and TypeScript types - Eliminates manual tool name lookups and parameter guessing - **How they stay updated**: - Optional daily sync re-scans all configs (Claude Code: `~/.claude.json`, Cursor: `~/.cursor/mcp.json`, project: `.mcp.json`) for new/removed MCP servers - Regenerates wrappers automatically using platform schedulers: - **macOS**: launchd plist (runs at 4-6 AM) - **Linux**: systemd timer (runs at 4-6 AM) - **Windows**: Task Scheduler (runs at 4-6 AM) - Manual update anytime: `npm run setup` - **Zero configuration**: Press Enter to accept smart defaults (port 3333, 30s timeout, 30 req/min rate limit) - **Safe to re-run**: Detects existing configs and offers merge/reset/keep options - **Cross-platform**: Works on Linux, macOS, and Windows with platform-specific scheduler support - **AI tool support**: Claude Code and Cursor (more AI tools coming soon) ### Fixed - Fixed Claude Code config path detection (`~/.claude.json` now resolves correctly on all platforms) - Fixed MCP server discovery when config files are in custom locations (now prompts for path) - Fixed MCP server name validation to allow hyphens (#63 by @aleshchynskyi) - Fixes #62 ### Changed - Default proxy port changed from 3000 to 3333 (avoids common port conflicts) ## [0.8.2] - 2025-01-18 ### Fixed - 🐛 **Duplicate Tool Registration** - Eliminated duplicate MCP tools caused by alias system - **Root Cause**: `registerToolWithAliases()` method registered both primary names (`run-typescript-code`, `run-python-code`) AND aliases (`executeTypescript`, `executePython`), exposing 5 tools instead of 3 - **Impact**: - Progressive disclosure violated: Token budget doubled (~1.2k → ~1.2k actual, but 5 tools vs 3 tools) - User confusion: Unclear which tool name to use - Architecture violation: Docs specify 3 canonical tools - **Fix**: Removed `registerToolWithAliases()` method (YAGNI principle), registered tools once with canonical names - Tool names: `executeTypescript`, `executePython`, `health` (3 tools) - Updated error messages in `src/deno-checker.ts` - Updated verification script `scripts/verify-progressive-disclosure.ts` - Updated test script `test-outputschema.mjs` - **Benefits**: - ✅ Progressive disclosure restored: 3 tools, ~681 tokens - ✅ Canonical naming: Clear, consistent tool names (camelCase) - ✅ YAGNI applied: Removed unused abstraction - ✅ Zero regressions: All 762 tests passing - **Files**: - Modified: `src/index.ts` (removed `registerToolWithAliases()`, lines 130-158) - Modified: `src/deno-checker.ts` (updated error messages) - Modified: `scripts/verify-progressive-disclosure.ts` (updated verification) - Modified: `test-outputschema.mjs` (updated test assertions) - **Tests**: 762/762 passing, zero failures ### Refactored - 🏗️ **God Object Refactor (SMELL-001)** - Extracted 4 handler classes from MCPProxyServer following Single Responsibility Principle - **Issue**: [#42](https://github.com/aberemia24/code-executor-MCP/issues/42) - **Root Cause**: `MCPProxyServer` class grew to 793 lines with 7 different responsibilities (HTTP Routing, Authentication, Rate Limiting, Allowlist Validation, Discovery, Metrics, Audit Logging) - **Impact**: - Maintenance burden: HIGH (multiple reasons to change) - Testing complexity: HIGH (many responsibilities to test) - SOLID violation: Single Responsibility Principle violated - **Fix**: Extracted handler classes with TDD approach - Created `MetricsRequestHandler` for GET /metrics endpoint (77 lines, 8 tests) - Created `HealthCheckHandler` for GET /health endpoint - NEW (106 lines, 14 tests) - Created `DiscoveryRequestHandler` for GET /mcp/tools endpoint (260 lines, 16 tests) - Created `ToolExecutionHandler` for POST / endpoint (213 lines, 20 tests) - Created `IRequestHandler` interface for handler abstraction - Reduced `MCPProxyServer` from 793 → 408 lines (48.5% reduction) - Authentication validated ONCE in MCPProxyServer before routing to handlers - **Benefits**: - ✅ Single Responsibility: Each handler manages one endpoint - ✅ Testability: Isolated unit tests per handler (58 new tests) - ✅ Maintainability: Changes isolated to one handler class - ✅ Follows SOLID principles (SRP, DIP, ISP) - ✅ Zero behavioral changes (pure refactoring) - **Files**: - Created: `src/handlers/` (5 files, ~656 total lines) - Created: `tests/handlers/` (4 files, ~881 total lines) - Modified: `src/mcp-proxy-server.ts` (793 → 408 lines, -385 lines) - **Tests**: 58 new handler tests, 747 total tests (100% pass rate) ### Added - 🆕 **GET /health Endpoint** - Health check endpoint for monitoring and debugging (part of SMELL-001) - Returns JSON status: healthy (boolean), timestamp, uptime, mcpClients stats, schemaCache stats - Useful for Kubernetes liveness/readiness probes, Docker health checks, load balancers - Always returns 200 (load balancers check response body for health status) ### Fixed - 🔒 **TOCTOU Vulnerability Fix (SEC-006)** - Eliminated race condition in temp file integrity check - **Issue**: [#44](https://github.com/aberemia24/code-executor-MCP/issues/44) - **Root Cause**: Re-reading temp file after write created TOCTOU race window where attacker could modify file between write and hash verification - **Impact**: - Security risk: Time-of-check-time-of-use race condition - Attack vector: Attacker modifies file in microsecond window - Likelihood: VERY LOW (requires local access, UUID filename knowledge, microsecond timing) - Overall risk: LOW (theoretical concern with existing mitigations) - **Fix**: Eliminate re-read entirely - Hash original code BEFORE writing (no filesystem access needed) - Write temp file atomically with `fs.writeFile()` - Execute immediately (no re-read = no race window) - Reduced attack window from milliseconds to zero - **Benefits**: - ✅ Eliminates TOCTOU race condition entirely - ✅ Simpler code (removed 10 lines of re-read logic) - ✅ Faster execution (one less filesystem read) - ✅ Same security guarantee (hash verification) - **Files**: `src/sandbox-executor.ts` (lines 85-97, simplified) - **Tests**: All existing sandbox tests pass (zero regressions) - 🧪 **Test Isolation Fix** - Fixed config test failure caused by `.code-executor.json` override - **Issue**: `skip-dangerous-pattern-check.test.ts` failing because project config file has `skipDangerousPatternCheck: true` - **Root Cause**: Test deleted env var but didn't override config file setting - **Fix**: Explicitly set `CODE_EXECUTOR_SKIP_DANGEROUS_PATTERNS='false'` in default test to override config file (env var takes precedence) - **Impact**: 100% test pass rate (689/689 non-skipped tests) - **Files**: `tests/skip-dangerous-pattern-check.test.ts` (1 line change) - 🛡️ **Type-Safe Error Handling (TYPE-001)** - Replaced unsafe error casts with runtime type guards - **Issue**: [#43](https://github.com/aberemia24/code-executor-MCP/issues/43) - **Root Cause**: Multiple files used unsafe error type casting (`error as Error`, `error as NodeJS.ErrnoException`) without runtime type guards, violating TypeScript strict mode best practices - **Impact**: - Type safety violation: Unsafe casts bypass compiler safety checks - Runtime risk: Can crash if error is unexpected type (string, number, object) - Lost error context: Pattern `error instanceof Error ? error.message : String(error)` loses stack traces, error codes, and custom properties - **Fix**: Runtime type guard system - Created type guard functions in `src/utils.ts`: `isError()`, `isErrnoException()`, `normalizeError()` - Enhanced `normalizeError()` with function overloading (optional context parameter) - Objects now JSON.stringify'd instead of `.toString()` (better debugging) - Replaced all unsafe casts in `mcp-client-pool.ts` (2 instances), `schema-cache.ts` (4 instances), `audit-logger.ts` (3 instances) - Updated `formatErrorResponse()` to use type guard - **Benefits**: - ✅ Type-safe error handling (no unsafe casts) - ✅ Runtime validation prevents crashes - ✅ Better error messages (JSON serialization vs `[object Object]`) - ✅ Preserves stack traces and error properties - ✅ Complies with TypeScript strict mode - **Files**: `src/utils.ts` (+95), `src/mcp-client-pool.ts` (2 fixes), `src/schema-cache.ts` (4 fixes), `src/audit-logger.ts` (3 fixes) - **Tests**: 28 comprehensive type guard tests (all passing) - 🔧 **Environment Variable Validation (SEC-002)** - Replaced direct process.env access with Zod validation - **Issue**: [#41](https://github.com/aberemia24/code-executor-MCP/issues/41) - **Root Cause**: `MCPClientPool` constructor used direct `process.env.POOL_*` access with `parseInt()` - **Impact**: - Standards violation: `coding-standards.md` requires Zod validation for all env vars - Type safety risk: `parseInt()` can return NaN with invalid input (no validation) - No bounds checking: Could accept 0, negative, or excessive values (1M+) - **Fix**: Zod-based configuration system - Created `PoolConfigSchema` in `config-types.ts` with bounds validation - Added `getPoolConfig()` function in `config.ts` for type-safe env var parsing - Updated `MCPClientPool` constructor to use validated config - Enforces constraints: maxConcurrent (1-1000), queueSize (1-1000), timeoutMs (1s-5min) - **Benefits**: - ✅ Prevents NaN bugs from invalid environment variables - ✅ Enforces bounds checking (no invalid values) - ✅ Self-documenting configuration schema - ✅ Type-safe parsing (numbers, not strings) - ✅ Complies with project coding standards - **Files**: `src/config-types.ts` (+28), `src/config.ts` (+33), `src/mcp-client-pool.ts` (refactored constructor) - **Tests**: 25 comprehensive validation tests (all passing) - 🔒 **CRITICAL: Race Condition in Queue Polling Loop (SEC-001)** - Replaced polling with event-driven pattern - **Issue**: [#40](https://github.com/aberemia24/code-executor-MCP/issues/40) - **Root Cause**: `waitForQueueSlot()` used infinite `while(true)` loop with 100ms polling - **Impact**: - FIFO violation: Re-enqueuing non-matching requests caused request starvation - Memory leak: Accumulated setTimeout timers never cleaned up - CPU waste: Continuous polling at 10 Hz per queued request - **Fix**: Event-driven notification using EventEmitter - Added `queueSlotEmitter` property to MCPClientPool - Modified `waitForQueueSlot()` to wait for `slot-${requestId}` event - Modified `processNextQueuedRequest()` to emit event after dequeue - Added explicit timeout protection (30s default, configurable) - Cleanup event listeners on timeout to prevent memory leaks - **Benefits**: - ✅ Preserves FIFO ordering (no re-enqueuing) - ✅ No memory leaks (timers cleaned up properly) - ✅ Zero CPU overhead (event-driven vs polling) - ✅ Explicit timeout protection - **Files**: `src/mcp-client-pool.ts` (lines 12, 73, 88, 494-540) - **Tests**: 623/624 passing, no regressions ## [0.8.0] - 2025-11-17 ### ⚠️ BREAKING CHANGES **🚨 ATTENTION: This release contains breaking changes that require action** - **Native Python executor removed entirely** The insecure subprocess-based Python executor has been completely removed due to CVSS 9.8 vulnerability (#50) - **`PYTHON_SANDBOX_READY=true` environment variable now REQUIRED** Python execution will return a security warning unless this env var is explicitly set ```bash export PYTHON_SANDBOX_READY=true # REQUIRED for Python execution ``` - **Pure Python only** (no native C extensions) Libraries requiring C extensions must be WASM-compiled (numpy, pandas available via Pyodide) - **Migration required for existing Python users** See Migration Guide below for step-by-step instructions --- ### 🔒 SECURITY - CRITICAL Python Executor Fix #### ✅ RESOLVED: Issues #50/#59 - Pyodide WebAssembly Sandbox **Original Vulnerability** (#50): - Native Python executor had **ZERO sandbox isolation** - Full filesystem access (could read /etc/passwd, SSH keys, credentials) - Full network access (SSRF to localhost services, cloud metadata endpoints) - Process spawning capability - Pattern-based blocking easily bypassed via string concatenation - CVSS: 9.8 (CRITICAL) **Solution Implemented** (#59): - Replaced insecure subprocess.spawn with **Pyodide WebAssembly runtime** - Same security model as Deno (WASM VM, no native syscalls) - Virtual filesystem (host files completely inaccessible) - Network restricted to authenticated localhost MCP proxy only - Industry-proven approach (Pydantic, JupyterLite, Google Colab, VS Code) **Implementation**: - Phase 1: Security gate with `PYTHON_SANDBOX_READY` environment variable - Phase 2: Complete Pyodide executor (`src/pyodide-executor.ts`) - Phase 3: Comprehensive security tests (13 tests covering all boundaries) - Two-phase execution: inject MCP tools → execute user code - Global Pyodide cache (~2-3s first load, <100ms cached) - Discovery functions: `discover_mcp_tools()`, `get_tool_schema()`, `search_tools()` **Security Boundaries**: 1. ✅ WebAssembly VM - no syscall access 2. ✅ Virtual FS - host filesystem isolated 3. ✅ Network - only localhost MCP proxy (bearer auth) 4. ✅ MCP proxy - tool allowlist enforced 5. ✅ Timeout - promise rejection (SIGKILL equivalent) **Performance**: - Initialization: ~2-3s (first run), <100ms (cached) - Python execution: ~50-200ms (WASM overhead acceptable for security) - Memory overhead: ~20MB (WASM module + Python runtime) **Migration Guide**: ```bash # Enable Pyodide sandbox (REQUIRED) export PYTHON_SANDBOX_READY=true # Config (.code-executor.json) { "executors": { "python": { "enabled": true } } } ``` **Limitations** (acceptable for security): - Pure Python only (no native C extensions unless WASM-compiled) - 10-30% slower than native Python (WASM overhead) - No multiprocessing/threading (use async/await) - 4GB memory limit (WASM 32-bit addressing) **Testing**: - 13 comprehensive security tests - Filesystem isolation verified - Network isolation verified - Timeout enforcement verified - Manual end-to-end verification passed **Documentation**: - Updated SECURITY.md with Pyodide security model - Updated README.md with usage instructions and examples - Updated docs/architecture.md with Pyodide design - Created PYODIDE-STATUS.md with complete implementation status **References**: - Pydantic mcp-run-python: https://github.com/pydantic/mcp-run-python - Pyodide docs: https://pyodide.org/ - Issues: #50 (vulnerability), #59 (solution) ### Refactored - 🏗️ **God Object Refactor (SMELL-001)** - Extracted 4 handler classes from MCPProxyServer following Single Responsibility Principle - **Issue**: [#42](https://github.com/aberemia24/code-executor-MCP/issues/42) - **Root Cause**: `MCPProxyServer` class grew to 793 lines with 7 different responsibilities (HTTP Routing, Authentication, Rate Limiting, Allowlist Validation, Discovery, Metrics, Audit Logging) - **Impact**: - Maintenance burden: HIGH (multiple reasons to change) - Testing complexity: HIGH (many responsibilities to test) - SOLID violation: Single Responsibility Principle violated - **Fix**: Extracted handler classes with TDD approach - Created `MetricsRequestHandler` for GET /metrics endpoint (77 lines, 8 tests) - Created `HealthCheckHandler` for GET /health endpoint - NEW (106 lines, 14 tests) - Created `DiscoveryRequestHandler` for GET /mcp/tools endpoint (260 lines, 16 tests) - Created `ToolExecutionHandler` for POST / endpoint (213 lines, 20 tests) - Created `IRequestHandler` interface for handler abstraction - Reduced `MCPProxyServer` from 793 → 408 lines (48.5% reduction) - Authentication validated ONCE in MCPProxyServer before routing to handlers - **Benefits**: - ✅ Single Responsibility: Each handler manages one endpoint - ✅ Testability: Isolated unit tests per handler (58 new tests) - ✅ Maintainability: Changes isolated to one handler class - ✅ Follows SOLID principles (SRP, DIP, ISP) - ✅ Zero behavioral changes (pure refactoring) - **Files**: - Created: `src/handlers/` (5 files, ~656 total lines) - Created: `tests/handlers/` (4 files, ~881 total lines) - Modified: `src/mcp-proxy-server.ts` (793 → 408 lines, -385 lines) - **Tests**: 58 new handler tests, 747 total tests (100% pass rate) ### Added - 🆕 **GET /health Endpoint** - Health check endpoint for monitoring and debugging (part of SMELL-001) - Returns JSON status: healthy (boolean), timestamp, uptime, mcpClients stats, schemaCache stats - Useful for Kubernetes liveness/readiness probes, Docker health checks, load balancers - Always returns 200 (load balancers check response body for health status) ### Fixed - 🔧 **PR #45 Review Improvements** - Addressed code review feedback from SEC-001 queue polling fix - **Issue**: Multiple minor issues identified in PR review - **Improvements**: 1. **EventEmitter Memory Management** - Added `setMaxListeners()` in MCPClientPool constructor - Prevents false-positive warnings when queue exceeds Node.js default (10 listeners) - Set to queue size (200) to match maximum concurrent queued requests - WHY: Large queues (200+ requests) would trigger EventEmitter warnings without this 2. **EventEmitter Cleanup on Shutdown** - Added `removeAllListeners()` in `disconnect()` method - Prevents memory leaks from pending event listeners during shutdown - Ensures clean shutdown without dangling event handlers - WHY: Queued requests waiting for slot notifications need explicit cleanup 3. **Race Condition Prevention** - Reordered listener registration before timeout in `waitForQueueSlot()` - Registers event listener FIRST, then sets timeout (previously reversed) - Prevents theoretical race where event could be emitted between timeout and listener setup - WHY: Missed notifications would cause request hangs (very low probability but possible) 4. **High-Concurrency Tests** - Added test suite for >10 concurrent listeners (T070) - Tests 50 concurrent requests (well above Node.js default threshold) - Verifies `setMaxListeners()` prevents warnings with large queues - Validates proper listener cleanup after event emission 5. **Config Validation Error Messages** - Improved error handling in `getPoolConfig()` - Added `parseEnvInt()` helper with explicit NaN detection - Wraps Zod errors with user-friendly messages and environment variable hints - Provides clear guidance: "Check POOL_MAX_CONCURRENT (1-1000), POOL_QUEUE_SIZE (1-1000), POOL_QUEUE_TIMEOUT_MS (1000-300000)" - WHY: `parseInt('invalid')` returns NaN silently, causing confusing Zod errors downstream - **Benefits**: - ✅ Prevents EventEmitter warnings in production (high-load scenarios) - ✅ Eliminates memory leaks from shutdown - ✅ Closes theoretical race condition window - ✅ Better test coverage for high-concurrency scenarios - ✅ Clearer error messages for config validation - **Files**: - Modified: `src/mcp-client-pool.ts` (+8 lines: setMaxListeners, removeAllListeners, reordered waitForQueueSlot) - Modified: `src/config.ts` (+34 lines: parseEnvInt helper, Zod error wrapping, import z) - Modified: `tests/queue-polling-race-fix.test.ts` (+56 lines: High Concurrency T070 tests) - **Tests**: 2 new high-concurrency tests, 751 total tests (100% pass rate) - 🔒 **TOCTOU Vulnerability Fix (SEC-006)** - Eliminated race condition in temp file integrity check - **Issue**: [#44](https://github.com/aberemia24/code-executor-MCP/issues/44) - **Root Cause**: Re-reading temp file after write created TOCTOU race window where attacker could modify file between write and hash verification - **Impact**: - Security risk: Time-of-check-time-of-use race condition - Attack vector: Attacker modifies file in microsecond window - Likelihood: VERY LOW (requires local access, UUID filename knowledge, microsecond timing) - Overall risk: LOW (theoretical concern with existing mitigations) - **Fix**: Eliminate re-read entirely - Hash original code BEFORE writing (no filesystem access needed) - Write temp file atomically with `fs.writeFile()` - Execute immediately (no re-read = no race window) - Reduced attack window from milliseconds to zero - **Benefits**: - ✅ Eliminates TOCTOU race condition entirely - ✅ Simpler code (removed 10 lines of re-read logic) - ✅ Faster execution (one less filesystem read) - ✅ Same security guarantee (hash verification) - **Files**: `src/sandbox-executor.ts` (lines 85-97, simplified) - **Tests**: All existing sandbox tests pass (zero regressions) - 🧪 **Test Isolation Fix** - Fixed config test failure caused by `.code-executor.json` override - **Issue**: `skip-dangerous-pattern-check.test.ts` failing because project config file has `skipDangerousPatternCheck: true` - **Root Cause**: Test deleted env var but didn't override config file setting - **Fix**: Explicitly set `CODE_EXECUTOR_SKIP_DANGEROUS_PATTERNS='false'` in default test to override config file (env var takes precedence) - **Impact**: 100% test pass rate (689/689 non-skipped tests) - **Files**: `tests/skip-dangerous-pattern-check.test.ts` (1 line change) - 🛡️ **Type-Safe Error Handling (TYPE-001)** - Replaced unsafe error casts with runtime type guards - **Issue**: [#43](https://github.com/aberemia24/code-executor-MCP/issues/43) - **Root Cause**: Multiple files used unsafe error type casting (`error as Error`, `error as NodeJS.ErrnoException`) without runtime type guards, violating TypeScript strict mode best practices - **Impact**: - Type safety violation: Unsafe casts bypass compiler safety checks - Runtime risk: Can crash if error is unexpected type (string, number, object) - Lost error context: Pattern `error instanceof Error ? error.message : String(error)` loses stack traces, error codes, and custom properties - **Fix**: Runtime type guard system - Created type guard functions in `src/utils.ts`: `isError()`, `isErrnoException()`, `normalizeError()` - Enhanced `normalizeError()` with function overloading (optional context parameter) - Objects now JSON.stringify'd instead of `.toString()` (better debugging) - Replaced all unsafe casts in `mcp-client-pool.ts` (2 instances), `schema-cache.ts` (4 instances), `audit-logger.ts` (3 instances) - Updated `formatErrorResponse()` to use type guard - **Benefits**: - ✅ Type-safe error handling (no unsafe casts) - ✅ Runtime validation prevents crashes - ✅ Better error messages (JSON serialization vs `[object Object]`) - ✅ Preserves stack traces and error properties - ✅ Complies with TypeScript strict mode - **Files**: `src/utils.ts` (+95), `src/mcp-client-pool.ts` (2 fixes), `src/schema-cache.ts` (4 fixes), `src/audit-logger.ts` (3 fixes) - **Tests**: 28 comprehensive type guard tests (all passing) - 🔧 **Environment Variable Validation (SEC-002)** - Replaced direct process.env access with Zod validation - **Issue**: [#41](https://github.com/aberemia24/code-executor-MCP/issues/41) - **Root Cause**: `MCPClientPool` constructor used direct `process.env.POOL_*` access with `parseInt()` - **Impact**: - Standards violation: `coding-standards.md` requires Zod validation for all env vars - Type safety risk: `parseInt()` can return NaN with invalid input (no validation) - No bounds checking: Could accept 0, negative, or excessive values (1M+) - **Fix**: Zod-based configuration system - Created `PoolConfigSchema` in `config-types.ts` with bounds validation - Added `getPoolConfig()` function in `config.ts` for type-safe env var parsing - Updated `MCPClientPool` constructor to use validated config - Enforces constraints: maxConcurrent (1-1000), queueSize (1-1000), timeoutMs (1s-5min) - **Benefits**: - ✅ Prevents NaN bugs from invalid environment variables - ✅ Enforces bounds checking (no invalid values) - ✅ Self-documenting configuration schema - ✅ Type-safe parsing (numbers, not strings) - ✅ Complies with project coding standards - **Files**: `src/config-types.ts` (+28), `src/config.ts` (+33), `src/mcp-client-pool.ts` (refactored constructor) - **Tests**: 25 comprehensive validation tests (all passing) - 🔒 **CRITICAL: Race Condition in Queue Polling Loop (SEC-001)** - Replaced polling with event-driven pattern - **Issue**: [#40](https://github.com/aberemia24/code-executor-MCP/issues/40) - **Root Cause**: `waitForQueueSlot()` used infinite `while(true)` loop with 100ms polling - **Impact**: - FIFO violation: Re-enqueuing non-matching requests caused request starvation - Memory leak: Accumulated setTimeout timers never cleaned up - CPU waste: Continuous polling at 10 Hz per queued request - **Fix**: Event-driven notification using EventEmitter - Added `queueSlotEmitter` property to MCPClientPool - Modified `waitForQueueSlot()` to wait for `slot-${requestId}` event - Modified `processNextQueuedRequest()` to emit event after dequeue - Added explicit timeout protection (30s default, configurable) - Cleanup event listeners on timeout to prevent memory leaks - **Benefits**: - ✅ Preserves FIFO ordering (no re-enqueuing) - ✅ No memory leaks (timers cleaned up properly) - ✅ Zero CPU overhead (event-driven vs polling) - ✅ Explicit timeout protection - **Files**: `src/mcp-client-pool.ts` (lines 12, 73, 88, 494-540) - **Tests**: 623/624 passing, no regressions ## [0.7.4] - 2025-11-16 ### Security - 🔒 **CRITICAL: Python Environment Variable Leakage (VULN-003)** - Fixed subprocess credential exposure - **CVSS Score**: 7.5 (High) - **Vulnerability**: Python executor inherited all parent environment variables - **Impact**: Untrusted code could access AWS credentials, database URLs, API keys from parent process - **Fix**: Added `env: {}` to Python spawn call to clear environment inheritance - **Testing**: 3 comprehensive security tests verify AWS, DATABASE_URL, and generic secrets are blocked - **Credit**: @guillegarciac for discovery and fix - **Files**: `src/python-executor.ts:141`, `tests/security/python-env-isolation.test.ts` ### Fixed - 🐛 **CRITICAL: Global MCP Config Discovery** - Fixed `MCP_CONFIG_PATH` blocking global config merging - **Root Cause**: `findAllMCPConfigs()` had early return when `MCP_CONFIG_PATH` env var was set - **Impact**: Global MCPs in `~/.claude.json` were completely ignored when project `.mcp.json` existed - **Fix**: Removed early return, now searches all locations even with `MCP_CONFIG_PATH` set - **Result**: Global + Project MCPs now properly merged (e.g., voice-mode from global + filesystem/zen from project) - **Verification**: Tested with 3 global + 7 project servers, all 10 discovered (excluding self) ### Added - 🔧 **Multi-Config Discovery Architecture** - Proper global + project MCP config merging - Added `findAllMCPConfigs()` method to discover all config files - Added `getAllMCPConfigPaths()` wrapper in config.ts - Updated `MCPClientPool.initialize()` to load and merge multiple configs - Search order: `~/.claude.json` (global) → `.mcp.json` (project) → explicit path (highest priority) - Later configs override earlier ones for servers with same name ## [0.7.2] - 2025-11-15 ### Added - 🔍 **Global MCP Configuration Support** - Added `~/.claude.json` to MCP config search paths - Now searches `~/.claude.json` for global MCP server configurations - Search order: `.mcp.json` (project) → `~/.claude.json` (global) → `~/.config/claude-code/mcp.json` → macOS locations - Enables discovery of globally configured MCP servers in Claude Code's settings file - Backward compatible with existing configurations ## [0.7.1] - 2025-11-14 ### Fixed - 🔧 **MCP SDK Upgrade (v1.0.4 → v1.22.0)** - Native outputSchema protocol support - Updated handler signatures: `(params)` → `(args, extra)` for v1.22.0 API - Added `RequestHandlerExtra` import for request context support - All 3 tools (run-typescript-code, run-python-code, health) migrated - OutputSchema now properly exposed via tools/list protocol response - **Resolves #28**: AI agents can now see response structure without trial execution ### Changed - 📦 **Handler API Migration** - v1.22.0 breaking changes - Handlers now receive `(args, extra)` instead of `(params)` - Added `RequestHandlerExtra<any, any>` type for request context - Maintained Zod runtime validation (zero functional changes) ### Technical Details - MCP SDK v1.22.0 natively exposes outputSchema in protocol (confirmed via standalone test) - All 620 tests passing, zero regressions - Handler signature changes required by v1.22.0 API - Runtime validation unchanged (Zod schemas still enforced) ### Known Limitations Removed - ~~MCP SDK Protocol Gap~~ - **RESOLVED** in v1.22.0 - OutputSchema is now fully functional in the protocol - All tools expose response structure via tools/list ## [0.6.0] - 2025-11-14 ### Added - ✨ **outputSchema Support (MCP Spec Compliance)** - Response structure schemas for all tools - All 3 code-executor tools now include `outputSchema` field (Zod schemas) - `run-typescript-code`, `run-python-code`: `ExecutionResultSchema` defines response structure - `health`: `HealthCheckOutputSchema` defines health check response - Enables AI agents to understand tool response format without trial execution - MCP SDK native support (using `ZodRawShape` format) - Graceful fallback: optional field, no breaking changes for legacy tools - 🔍 **Discovery System Enhancement** - outputSchema propagated through all layers - `ToolSchema` interface extended with `outputSchema?: JSONSchema7` - `CachedToolSchema` interface includes `outputSchema` field - `MCPClientPool.getToolSchema()` returns `outputSchema` when available - `MCPClientPool.listAllToolSchemas()` includes `outputSchema` in discovery response - ✅ **Test Coverage** - Comprehensive outputSchema validation tests - Schema structure tests for ExecutionResult and HealthCheck - ZodRawShape format validation (MCP SDK compatibility) - Backward compatibility tests for legacy tools without outputSchema ### Changed - 📦 **Type Definitions** - Extended interfaces to support outputSchema - `src/types.ts`: `CachedToolSchema` with optional `outputSchema` field - `src/types/discovery.ts`: `ToolSchema` with optional `outputSchema?: JSONSchema7` - `src/mcp-client-pool.ts`: Propagates outputSchema in schema retrieval methods ### Technical Details - Uses existing `ExecutionResultSchema` from `src/schemas.ts` (Zod → ZodRawShape via `.shape`) - Zero breaking changes (outputSchema is optional everywhere) - Backward compatible with MCP servers lacking outputSchema - Aligns with official MCP SDK example patterns ### Known Limitations - **MCP SDK Protocol Gap**: The MCP SDK (v1.21.1) does not yet expose `outputSchema` via the `tools/list` protocol, even though it accepts it during tool registration. Our implementation is correct and ready for when the SDK adds protocol support. Third-party tools will gracefully return `outputSchema: undefined` until then. - **Workaround**: Code-executor's own 3 tools have `outputSchema` defined and work correctly for direct tool inspection (our code sees them internally) ## [0.5.1] - 2025-11-14 ### Note This is the actual v0.5.0 release. The v0.5.0 version number was blocked by npm registry (likely due to a previous unpublished version), so we published as v0.5.1 instead. All features and changes listed below are identical to the intended v0.5.0 release. ### Added - Production Infrastructure (Phases 3-8) - ✨ **Circuit Breaker Pattern** - Prevent cascade failures - 5-failure threshold → 30s cooldown (matches K8s + AWS timings) - Metrics: circuit_breaker_state, circuit_breaker_failures_total - ✨ **Connection Pool Overflow Queue** - Backpressure handling - FIFO queue (200 requests, 30s timeout) - Metrics: pool_queue_depth, pool_queue_wait_seconds - ✨ **Graceful Shutdown** - Zero-downtime K8s deployments - SIGTERM/SIGINT handling, 30s drain timeout - Health check coordination - ✨ **Prometheus Metrics** - Production telemetry - Counters, histograms, gauges on /metrics endpoint - http_requests_total, tool_calls_total, http_request_duration_seconds - ✨ **Audit Logging** - JSONL structured logs - Daily rotation, 7-day retention - Correlation IDs for distributed tracing - ✨ **CLI Formatter** - Human-friendly output - Color-coded status (GREEN/RED/YELLOW) - Integrated into tool responses - ✨ **Tool Aliases** - Modern naming - New: run-typescript-code, run-python-code - Legacy: executeTypescript, executePython (preserved) - ✨ **Tool Call Tracking** - Observability - Per-tool metrics: duration, status, errors - Aggregated summaries in ExecutionResult ### Added - ✨ **TypeScript Definitions Export (US12)** - Package now exports .d.ts files for type-safe imports - `tsconfig.json`: `declaration: true`, `declarationMap: true` enabled - `package.json`: `"types": "dist/index.d.ts"` field added - Enables type-safe imports: `import { RedisCacheProvider } from 'code-executor-mcp'` - All public APIs have complete TypeScript definitions - README.md updated with TypeScript usage examples - ✨ **Improved AJV Validation Errors (US13)** - User-friendly error messages with actionable suggestions - `AjvErrorFormatter` class transforms verbose AJV errors into readable guidance - Includes field name, expected type, actual value, and "Try this..." suggestions - Example: "Expected string for param 'model', got number 42. Try wrapping in quotes: '42'" - Integrated into `SchemaValidator.validate()` via `formattedError` property - Backwards compatible (raw AJV errors still included in response) - ✨ **Redis Distributed Cache (US14)** - Horizontal scaling support for multi-instance deployments - `RedisCacheProvider` implements `ICacheProvider` for distributed caching - Write-through LRU cache for fast reads (zero network latency) - Graceful fallback to LRU on Redis connection failure (eventual consistency model) - Periodic reconnection attempts (60s interval default, configurable via `REDIS_RECONNECT_INTERVAL_MS`) - Automatic switchback to Redis after successful reconnection - Docker Compose Redis service added (256MB memory limit, LRU eviction policy) - Configuration via `CACHE_BACKEND` env var (redis|lru) and `REDIS_URL` ### Changed - 📦 **Dependencies** - Added `redis@^4.7.1` for distributed caching support - 📖 **Docker Compose** - Redis service added with security hardening (resource limits, read-only filesystem, health checks) ### Testing - ✅ 14 new tests for Phase 7 features (451 total tests passing) - ✅ AjvErrorFormatter: 9 tests, 100% coverage on error formatting logic - ✅ RedisCacheProvider: 14 tests, 90% coverage on LRU fallback path - ✅ All Phase 7 tests passing with zero failures ### Technical Details - **TypeScript Definitions**: Full .d.ts generation for all public APIs (tsconfig.json declaration mode) - **Error Formatting**: AJV error transformation with field-level suggestions and examples - **Redis Integration**: Fire-and-forget async writes, write-through LRU cache, periodic reconnection - **Fallback Strategy**: LRU cache serves as both performance optimization and resilience mechanism - **TTL Consistency**: Redis TTL matches LRU cache (24h default) for consistent behavior ### Benefits - **🎯 Type Safety** - Consumers get IntelliSense and compile-time validation - **📋 Better DX** - User-friendly error messages reduce debugging time - **🚀 Horizontal Scaling** - Multiple server instances can share Redis cache - **🔒 Resilience** - Graceful degradation to LRU when Redis unavailable - **⚡ Zero Read Latency** - Write-through cache eliminates network calls on reads ## [0.4.4] - 2025-11-13 ### Fixed - 🐛 **MCP Tool Name Validation** - Allow uppercase letters in server names and hyphens in tool names (#27) - Fixes 40/84 tools (48%) that were previously rejected - Now supports: Linear, Notion, GitHub (uppercase), Context7 (hyphens) - Pattern: `/^mcp__[a-zA-Z0-9_]+__[a-zA-Z0-9_-]+$/` - 🐛 **Claude Code Review Workflow** - Fixed authentication errors - Added `github_token` and `anthropic_api_key` parameters - Changed `pull-requests` permission to `write` ### Changed - 📋 **Tests** - Updated validation tests for new regex pattern - Added 4 new test cases for uppercase and hyphen support - All 34 tests passing ### Impact - **Before:** 44/84 MCP tools usable (52%) - **After:** 84/84 MCP tools usable (100%) ### Contributors - @nateGeorge - MCP tool name validation fix ## [0.4.3] - 2025-11-13 ### Added - ✨ **Optional Dangerous Pattern Check** - New `skipDangerousPatternCheck` parameter for code executors - Added to `executeTypescript` and `executePython` tool parameters - Allows bypassing dangerous pattern validation when needed (e.g., trusted code execution) - Configurable via `.code-executor.json` using `shouldSkipDangerousPatternCheck` function - Supports both per-execution override and global configuration - Default: `false` (validation enabled for security) ### Fixed - 🐛 **Test Suite** - Fixed hanging sandbox discovery function tests - Updated test assertions from RED phase (failure expectations) to GREEN phase (success expectations) - Discovery functions were already implemented but tests expected failure - All 13 tests in `sandbox-executor-discovery.test.ts` now pass successfully - Test execution completes in 1220ms with no hangs or timeouts - 🐛 **Docker Security** - Enhanced test coverage for dangerous pattern checks - Added 7 new tests for `skipDangerousPatternCheck` functionality - Validates that skip parameter works with hybrid skip logic (config + param) - Tests cover both TypeScript and Python executors ### Security - ⚠️ **Security Trade-off** - Dangerous pattern check can now be bypassed intentionally - **Use Case**: Trusted environments where pattern check causes false positives - **Mitigation**: Parameter defaults to `false` (validation enabled), explicit opt-in required - **Recommendation**: Only use when executing trusted code in controlled environments - Audit logs still track all executions regardless of validation setting ### Testing - ✅ All sandbox discovery function tests passing (13 tests, 1220ms) - ✅ 7 new tests for optional dangerous pattern check feature - ✅ Security tests updated to cover skip parameter scenarios - ✅ Integration tests validate hybrid skip logic (config + param override) ### Technical Details - **Config Option**: `shouldSkipDangerousPatternCheck(code: string): boolean` function in config - **Tool Parameter**: `skipDangerousPatternCheck?: boolean` on executeTypescript/executePython - **Hybrid Logic**: Parameter overrides config setting if provided - **Backward Compatible**: Feature is optional, defaults maintain existing security behavior ### Benefits - **🎯 Flexibility** - Trusted code can bypass validation without disabling security globally - **🔧 Debugging** - Easier to test code that triggers false positives - **🔒 Security Default** - Validation enabled by default, explicit opt-in required for bypass ## [0.4.2] - 2025-11-12 ### Fixed - 🐛 **npm Package Completeness** - Re-published with complete dist/ directory - v0.4.1 was published without compiled TypeScript (only 4 files: LICENSE, README, SECURITY, package.json) - v0.4.2 includes full dist/ directory with all compiled JavaScript and type definitions - Root cause: Used `--ignore-scripts` which skipped build step ### Technical Details - **Files Published**: All dist/*.js, dist/*.d.ts, dist/*.map files now included - **Build Process**: Ensured `npm run build` completes before publish - **Verification**: Confirmed dist/index.js exists and is executable ## [0.4.1] - 2025-11-12 ### Changed - 🐳 **Multi-Stage Docker Build** - Eliminated manual pre-build step requirement - Stage 1 (builder): Compile TypeScript with all dependencies inside container - Stage 2 (production): Copy artifacts from builder, install only prod dependencies - Docker build now fully reproducible (no host environment dependencies) - Standard workflow: `git clone → docker build` (no npm run build required) - 📖 **Docker Documentation** - Updated README.md installation instructions - Removed manual `npm run build` pre-build step from Docker workflow - Added clear indication that multi-stage build handles compilation automatically - Simplified Docker instructions (3 commands: clone, cd, docker-compose up) ### Fixed - 🐛 **Docker Reproducibility** - Build no longer depends on host having TypeScript/dev dependencies - 🐛 **CI/CD Workflow** - Eliminated extra manual build step before Docker build ### Benefits - **✅ Single Command** - `docker build .` or `docker-compose up -d` (fully reproducible) - **📦 Smaller Image** - Builder stage discarded after compilation (~10MB overhead vs dev deps) - **🔒 Security Maintained** - All existing security hardening preserved (non-root, resource limits, read-only filesystem) - **🚀 CI/CD Friendly** - No manual pre-build step to remember - **🎯 Standard Workflow** - Works on fresh systems (git clone → docker build) ### Technical Details - **Builder Stage**: node:22-alpine + npm ci (all deps) + TypeScript compilation - **Production Stage**: node:22-alpine + artifacts from builder + npm ci --omit=dev - **Build Verification**: Added test to ensure dist/index.js exists after compilation - **Layer Caching**: Package files copied before source for optimal layer reuse - **Security**: Non-root user (codeexec:1001), resource limits, read-only filesystem, Deno/Python sandboxes ## [0.4.0] - 2025-11-11 ### Added - ✨ **In-Sandbox MCP Tool Discovery** - AI agents can now discover, search, and inspect MCP tools dynamically - `discoverMCPTools(options?)` - Fetch all available tool schemas from connected MCP servers - `getToolSchema(toolName)` - Retrieve full JSON Schema for a specific tool - `searchTools(query, limit?)` - Search tools by keywords with result limiting (default: 10) - Single round-trip workflow: discover → inspect → execute in one `executeTypescript` call - Functions injected into sandbox as `globalThis` (not exposed as top-level MCP tools) - ✨ **HTTP Discovery Endpoint** - New GET /mcp/tools endpoint on MCP Proxy Server - Query parameters: `?q=keyword1+keyword2` for filtering (OR logic, case-insensitive) - Bearer token authentication required (same as callMCPTool endpoint) - Rate limiting: 30 req/60s (same as execution endpoint) - Audit logging: All discovery requests logged with search terms and result counts - ✨ **Parallel MCP Query Infrastructure** - Query all MCP servers simultaneously for O(1) latency - `Promise.all` pattern for parallel queries (not sequential) - Resilient aggregation (partial failures don't block other servers) - Performance: 50-100ms first call (populates cache), <5ms cached (24h TTL) - Schema Cache integration: Reuses existing LRU cache with disk persistence ### 💡 Zero Token Cost **Discovery functions consume ZERO tokens** - they're injected into the sandbox, not exposed as top-level MCP tools: - AI agents see only 3 tools: `executeTypescript`, `executePython`, `health` (~560 tokens) - Discovery functions (`discoverMCPTools`, `getToolSchema`, `searchTools`) are **hidden** - available only inside sandbox code - **Result**: 98% token savings maintained (141k → 1.6k tokens), no regression ### Changed - ⚡ **Performance** - Discovery latency meets <100ms P95 target for 3 MCP servers - Parallel queries: O(1) amortized complexity (max of all queries, not sum) - Schema Cache: 20× faster on cache hits (100ms → 5ms) - Timeout strategy: 500ms fast fail (no hanging, clear error messages) - 📖 **System Prompt** - Updated executeTypescript tool description with discovery functions - Documented all three discovery functions with signatures and return types - Added proactive workflow example (search → inspect → execute) - Usage examples for each function with real-world scenarios - 📖 **Documentation** - Comprehensive architecture documentation - New `docs/architecture.md` with component diagrams and data flows - Discovery system section with performance characteristics - Security trade-off documented (discovery bypasses allowlist for read-only metadata) ### Fixed - 🐛 **Template Literal Bug** - Discovery functions not interpolating variables - `src/sandbox-executor.ts:219,233` - Changed single quotes to escaped backticks for URL/token interpolation - Impact: Discovery endpoint was unreachable (literal `${proxyPort}` instead of actual port number) - 🐛 **Response Parsing Bug** - Discovery endpoint returning wrapped object instead of array - `src/sandbox-executor.ts:253-255` - Extract `tools` array from `{ tools: [...] }` wrapper - Impact: `discoverMCPTools()` returned undefined instead of tool array - 🐛 **Wrapper Parsing Errors** - JSDoc comments breaking sandbox execution - `src/sandbox-executor.ts:159-168` - Disabled broken wrapper code (YAGNI with progressive disclosure) - Impact: All Playwright tool calls failing with parsing errors - Users now call `callMCPTool()` directly after discovery (cleaner, explicit, no bugs) - 🐛 **Test Timeout Configuration** - Integration tests missing required `timeoutMs` parameter - `tests/discovery-integration.test.ts` - Added `timeoutMs: 10000` to all `SandboxOptions` - Impact: Tests failing with `NaN` duration display ### Security - 🔒 **Intentional Security Exception** - Discovery bypasses tool allowlist (BY DESIGN) - **Rationale**: AI agents need to know what tools exist (self-service discovery) - **Mitigation**: Two-tier security model (discovery=read-only metadata, execution=enforces allowlist) - **Risk Assessment**: LOW - tool schemas are non-sensitive metadata, no code execution - **Controls**: Bearer token auth + rate limiting + audit logging + query validation - 🔒 **Query Validation** - Search queries validated to prevent injection attacks - Max 100 characters - Alphanumeric + spaces/hyphens/underscores only - Clear error messages on validation failure - 🔒 **Audit Logging** - All discovery requests logged with context - Action: 'discovery' (distinguishes from 'callMCPTool') - Search terms, result count, timestamp, success/failure status ### Testing - ✅ 95%+ coverage on discovery endpoint tests (12 new tests) - ✅ 90%+ coverage on MCP Client Pool discovery tests (6 new tests) - ✅ 90%+ coverage on sandbox discovery function tests (7 new tests) - ✅ 85%+ coverage on integration tests (4 new tests) - ✅ All 29 new discovery tests passing - ✅ End-to-end workflow validated (discover → inspect → execute) ### Technical Details - **Progressive Disclosure Preservation**: Token usage maintained at ~560 tokens (3 tools, no increase) - **Discovery Functions**: Injected into sandbox via `globalThis` (hidden from top-level MCP tool list) - **Parallel Queries**: Promise.all pattern queries all MCP servers simultaneously (O(1) amortized) - **Timeout Strategy**: 500ms timeout on sandbox→proxy calls (fast fail, no retries) - **Schema Cache Integration**: Reuses existing LRU cache (max 1000 entries, 24h TTL, disk-persisted) - **Performance**: First call 50-100ms (cache population), subsequent <5ms (cache hit), meets <100ms P95 target - **Version Bump**: MINOR (v0.3.4 → v0.4.0) - Additive feature, backward compatible, no breaking changes ### Benefits - **🎯 Self-Service Discovery** - AI agents no longer stuck without tool documentation - **⚡ Single Round-Trip** - Discover + inspect + execute in one call (no context switching) - **🔒 Security Balanced** - Read-only discovery with execution allowlist enforcement - **📉 98% Token Savings Maintained** - Progressive disclosure preserved (~560 tokens, 3 tools) - **🚀 O(1) Latency** - Parallel queries scale independently of MCP server count ## [0.3.4] - 2024-11-10 ### Fixed - 🐛 **Memory Leak** - Replaced unbounded Map with LRU cache (7GB → <100MB in tests) - `src/schema-cache.ts` - Replaced `Map<string, CachedSchema>` with `LRUCacheProvider` (max 1000 entries) - `src/schema-cache.test.ts` - Mocked `fs.writeFile`/`fs.mkdir` to prevent I/O accumulation during tests - `vitest.config.ts` - Changed pool from `forks` to `threads` for better memory management - 🐛 **Race Condition** - Added request deduplication for concurrent schema fetches - `src/schema-cache.ts` - Added `inFlight: Map<string, Promise<ToolSchema>>` to prevent duplicate network calls - Concurrent requests for same tool now share single fetch promise - 🐛 **Type Safety** - Fixed deprecated TypeScript generic constraint - `src/lru-cache-provider.ts` - Changed `V extends {}` to `V extends object` (TypeScript 5.x compatibility) - 🐛 **Resilience** - Fixed stale cache configuration for error fallback - `src/lru-cache-provider.ts` - Set `allowStale: true` to match stale-on-error pattern ### Added - ✨ **Cache Abstraction** - Strategy pattern for cache backend flexibility - `src/cache-provider.ts` - `ICacheProvider<K, V>` interface for LRU/Redis swap - `src/lru-cache-provider.ts` - LRU cache implementation with automatic eviction - Dependency Inversion: SchemaCache depends on interface, not concrete implementation - ✨ **Documentation** - Release workflow guide - `docs/release-workflow.md` - Concise patch/minor/major release instructions (30 lines) - Referenced in `CLAUDE.md` for easy access ### Changed - ⚡ **Performance** - Schema cache bounded memory with automatic LRU eviction - Max 1000 schemas in cache (prevents unbounded growth) - Least recently used schemas evicted automatically - TTL-based expiration (24h) handled by LRU cache - ⚡ **Test Speed** - Schema cache tests 95% faster (6824ms → 309ms) - Mocked fs operations eliminate actual disk I/O - Removed 500ms cleanup delays (no longer needed) ### Testing - ✅ All 229 tests passing (100% pass rate) - ✅ Build: lint, typecheck, build all PASS - ✅ Memory bounded: LRU cache prevents heap exhaustion - ✅ Concurrency safe: Request deduplication prevents race conditions ### Technical Details - **Memory Management**: LRU cache (lru-cache@11.0.2) with max 1000 entries + 24h TTL - **Concurrency**: In-flight promise tracking prevents duplicate concurrent fetches - **Flexibility**: ICacheProvider interface enables future Redis backend - **Resilience**: Stale cache allowed on fetch failures for better availability ### Benefits - **🎯 98% Memory Reduction** - 7GB → <100MB in tests (unbounded → bounded cache) - **⚡ 95% Faster Tests** - Schema cache tests: 6824ms → 309ms - **🔒 Zero Race Conditions** - Request deduplication prevents duplicate network calls - **🏗️ Future-Proof** - Strategy pattern enables Redis swap for horizontal scaling ## [0.3.3] - 2024-11-10 ### Fixed - 🐛 **Type Safety** - Eliminated all unjustified `any` types (5 → 2, 60% reduction) - `src/mcp-client-pool.ts:309` - Changed return type from inline `any` to `ToolSchema` type - `src/schema-validator.ts:35,108` - Changed `params: any` to `params: unknown` for proper external input handling - `src/schema-cache.ts:27-31` - Documented JSON Schema `any` types with ESLint comments and justification - 🐛 **Runtime Safety** - Removed all non-null assertions (6 → 0) - `src/mcp-proxy-server.ts:159-169` - Added explicit `!this.server` null check with proper error handling - `src/network-security.ts:134-141` - Added explicit array index undefined checks in SSRF protection code - `src/network-security.ts:195` - Replaced non-null assertion with optional chaining `match?.[1]` - `src/streaming-proxy.ts:46-56` - Added explicit `!this.server` null check with proper error handling - 🐛 **Build Configuration** - Fixed ESLint parsing errors for test files - Created `tsconfig.eslint.json` with separate linting configuration that includes test files - Updated `eslint.config.mjs` to use `tsconfig.eslint.json` for proper test file parsing - 🐛 **Test Stability** - Fixed test memory cleanup pattern - Added 100ms delay in `afterEach` hook to wait for async disk writes (fire-and-forget pattern) - Prevents worker timeout during cleanup in schema cache tests ### Security - 🔒 **Type Safety** - All external input now typed as `unknown` instead of `any` (enforces validation-before-use pattern) - 🔒 **Runtime Safety** - Added 6 explicit null checks to prevent potential runtime crashes - 🔒 **SSRF Protection** - Enhanced network-security.ts with explicit undefined checks in IP normalization ### Testing - ✅ All 219 tests passing (100% pass rate) - ✅ 98%+ coverage maintained on validation modules - ✅ Zero TypeScript errors (strict mode compliant) - ✅ Zero ESLint errors (5 warnings in unrelated files) ### Technical Details - **Type Safety**: `unknown` type correctly used for external input with AJV runtime validation - **Runtime Safety**: Explicit null checks replace unsafe non-null assertions (`!`) - **Build Quality**: Separate `tsconfig.eslint.json` allows linting test files without compilation errors - **Test Quality**: Consistent cleanup pattern prevents worker timeout issues ### Benefits - **🎯 60% Reduction** in unjustified `any` types - **🔒 Zero Unsafe Assertions** - All non-null assertions replaced with explicit guards - **✅ 100% Test Pass Rate** - All 219 tests passing with improved stability - **⚡ Clean Build** - Zero TypeScript/ESLint errors, strict mode compliant ## [0.3.2] - 2024-11-10 ### Fixed - 🐛 **Code Quality** - Fixed all ESLint errors (11 → 0) - Removed unused error variables in catch blocks - Removed unused imports (ExecuteTypescriptInput, ExecutePythonInput, spawn, extractServerName, isBlockedHost) - ESLint now passes with 0 errors (15 warnings remain as technical debt) ### Changed - 📖 **Documentation** - De-emphasized TypeScript wrappers in README - Moved wrappers to "Advanced Features" section at bottom - Marked as "Optional, Not Recommended" - Clarified that runtime validation is the recommended approach - Wrappers still available for users who prefer compile-time checks ## [0.3.1] - 2024-11-10 ### Added - ✨ **Deep Recursive Validation** - AJV-based JSON Schema validation (replaces shallow validation) - Validates nested objects recursively - Array item type validation - Constraint enforcement (min/max, minLength/maxLength, patterns) - Enum validation - Integer vs number type distinction - Clear, actionable error messages with schema details - ✨ **Schema Cache Mutex** - AsyncLock-based thread-safe disk writes - Prevents race conditions on concurrent disk writes - Mutex-locked cache persistence - Survives restarts with disk-persisted cache - ✨ **Comprehensive Test Suite** - 34 new tests for validation and caching - 22 tests for SchemaValidator (98.27% coverage) - 12 tests for SchemaCache (74% coverage) - Covers nested objects, arrays, constraints, enums, race conditions - All edge cases tested (type mismatches, missing params, TTL expiration) ### Changed - 🔧 **SchemaValidator** - Replaced ~150 lines of custom validation with AJV library - Removed helper methods: `getType()`, `typesMatch()`, `formatExpectedType()` - Now uses industry-standard AJV validator with strict mode - Deep validation on all parameters and nested structures - 🔧 **SchemaCache** - Added mutex lock for thread-safe disk operations - `saveToDisk()` now wrapped with AsyncLock - Constructor accepts optional `cachePath` parameter (for testing) - All concurrent writes serialized ### Fixed - 🐛 **Validation Bypass** - Nested objects can no longer bypass validation - 🐛 **Cache Race Condition** - Concurrent disk writes no longer corrupt cache file - 🐛 **Zero Test Coverage** - Now 98%+ coverage on validation modules ### Security - 🔒 **Deep Validation** - All nested parameters validated against JSON Schema - 🔒 **Type Safety** - Integer/number distinction enforced - 🔒 **Constraint Enforcement** - min/max, length, pattern validation ### Testing - ✅ 139 tests passing (was 105) - **+34 new tests** - ✅ 98.27% coverage on SchemaValidator - ✅ 74% coverage on SchemaCache - ✅ All validation edge cases covered ### Dependencies - 📦 **ajv** ^8.17.1 - JSON Schema validator - 📦 **async-lock** ^1.4.1 - Mutex for disk I/O - 📦 **@types/async-lock** ^1.4.2 (dev) ### Technical Details - **Validation**: Deep recursive validation with AJV (replaces shallow custom validator) - **Caching**: Mutex-locked disk persistence (prevents race conditions) - **Test Coverage**: 98%+ on validation, 74% on cache, 34 new tests - **Error Messages**: AJV-generated, schema-aware, actionable ### Benefits - **🎯 100% Validation Accuracy** - No bypass via nested objects/arrays - **🔒 Zero Cache Corruption** - Mutex-locked disk writes - **📚 Self-Documenting Errors** - Schema shown on validation failure - **⚡ Zero Token Overhead** - Validation server-side, schemas disk-cached - **🔐 Deep Validation** - Nested objects, arrays, constraints, enums, patterns ## [0.3.0] - 2024-11-09 ### Added - ✨ **Wrapper Utilities Template** - Production-ready shared utilities for all MCP wrappers - Type-safe `MCPGlobalThis` interface (no more `globalThis as any`) - `callMCPToolSafe()` - Error handling wrapper with context - `parseMCPResult<T>()` - Generic typed JSON parsing - `parseStringResult()`, `parseArrayResult<T>()` - Result normalization - `isMCPGlobalThis()`, `getMCPCaller()` - Type guards - `normalizeError()` - Consistent error formatting ### Changed - 🔧 **Wrapper Templates** - Updated all templates to use shared utilities - `zen-wrapper-template.ts` - Now uses `callMCPToolSafe()` and `parseMCPResult()` - `filesystem-wrapper-template.ts` - Enhanced error handling and DRY patterns - All templates now have 100% error handling coverage - No more `(globalThis as any)` - fully type-safe - Removed date references (was "January 2025", now generic) ### Improved - 📖 **Documentation** - Complete rewrite of `CREATING_WRAPPERS.md` - Step 1: Copy utilities template (REQUIRED) - Updated all examples to use new pattern - Added benefits section (error handling, type safety, DRY) - Updated best practices (5 new sections) - All code examples now production-ready ### Benefits - **100% Error Handling** - All wrapper calls wrapped with context - **95% Type Safety** - MCPGlobalThis interface eliminates `any` types - **90% DRY Compliance** - Shared utilities eliminate duplication - **Production Ready** - Battle-tested patterns from internal codebase ## [0.2.0] - 2024-11-09 ### Added - ✨ **HTTP/SSE Transport Support** - Connect to remote MCP servers (Linear, GitHub, etc.) - StreamableHTTP transport (modern, bidirectional) - SSE (Server-Sent Events) transport fallback - Authentication via HTTP headers (Bearer tokens, custom headers) - Automatic transport fallback (StreamableHTTP → SSE) - ✨ **Multi-Transport Architecture** - Unified dispatcher for STDIO and HTTP transports - ✨ **Process Cleanup** - Graceful shutdown for STDIO servers (SIGTERM → SIGKILL) ### Changed - 🔧 **Type System** - Split `MCPServerConfig` into `StdioServerConfig` and `HttpServerConfig` - 🔧 **Client Pool** - Enhanced connection logic with transport-specific handlers - 📖 **Documentation** - Added HTTP/SSE configuration examples to README ### Technical Details - **Transports**: STDIO (local processes) + StreamableHTTP/SSE (remote servers) - **Authentication**: Full HTTP header support for OAuth/token-based auth - **Fallback**: Automatic StreamableHTTP → SSE transition - **Cleanup**: Graceful process termination with 2-second timeout ## [0.1.0] - 2024-11-09 ### Added - ✨ **TypeScript Executor** - Deno sandbox with fine-grained permissions - ✨ **Python Executor** - Subprocess execution with MCP access (optional) - ✨ **Progressive Disclosure** - 98% token savings (1,600 vs 150,000 tokens) - ✨ **Configuration Discovery** - Auto-search .code-executor.json in 4 locations - ✨ **Rate Limiting** - Token bucket algorithm (30 req/min default) - ✨ **Security Hardening** - Dangerous pattern detection (JS/TS + Python) - ✨ **Enhanced Audit Logging** - Code hash, length, memory usage, executor type - ✨ **Connection Pooling** - Max 100 concurrent executions - ✨ **Secret Management** - env:VAR_NAME pattern for secure config - ✨ **MCP Proxy Server** - Shared between TypeScript and Python executors ### Security - 🔒 Sandbox isolation (Deno for TypeScript, subprocess for Python) - 🔒 Tool allowlist validation - 🔒 Path validation (read/write restrictions) - 🔒 Network restrictions (localhost-only default) - 🔒 Dangerous pattern blocking (eval, exec, __import__, pickle.loads, etc.) - 🔒 Comprehensive audit trail ### Documentation - 📖 Comprehensive README (484 lines) - 📖 Security policy (SECURITY.md) - Responsible disclosure - 📖 Contributing guidelines (CONTRIBUTING.md) - Code quality standards - 📖 License (MIT) - 📖 Release guide (RELEASE.md) ### Testing - ✅ 105 tests passing - ✅ 90%+ code coverage - ✅ TypeScript strict mode - ✅ GitHub Actions CI/CD - ✅ Automated npm publishing ### Technical Details - **Node.js**: 22.x or higher required - **Deno**: Required for TypeScript execution - **Python**: 3.9+ (optional, for Python execution) - **Dependencies**: @modelcontextprotocol/sdk, zod, ws - **Build**: TypeScript 5.x with strict mode - **Tests**: Vitest 4.0 ### Architecture - Config discovery with priority chain - Token bucket rate limiter - Security validator with pattern detection - MCP client pool with graceful degradation - Connection pooling with FIFO queue - Shared MCP proxy server (DRY principle) ### Breaking Changes None - Initial release ### Migration Guide First release - no migration needed. See installation instructions in [README.md](README.md). --- ## Release Process See [RELEASE.md](RELEASE.md) for the complete release process. ## Support - **Issues**: https://github.com/aberemia24/code-executor-MCP/issues - **Email**: aberemia@gmail.com - **Documentation**: https://github.com/aberemia24/code-executor-MCP#readme

Latest Blog Posts

The 50MB Markdown Files That Broke Our Server
By punkpeye on December 3, 2025.
react
react-router
node-js
OpenTelemetry for Model Context Protocol (MCP) Analytics and Agent Observability
By Om-Shree-0709 on November 29, 2025.
observability
mcp
opentelemetry
Securing Enterprise AI Agents with Unique Identities in the Model Context Protocol (MCP)
By Om-Shree-0709 on November 27, 2025.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aberemia24/code-executor-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server