SecureMCP-Lite aims to stay small, boring, and reliable. Changes should improve security posture or maintainability without turning the project into a framework.

Development setup:

```bash
npm install
npm run build
npm test -- --run
```

Run the proxy locally against an example target server and config:

```bash
npm run dev -- start --target "npx -y @modelcontextprotocol/server-filesystem ." --config ./examples/secure-mcp.yml
```

Before opening a pull request, run the full check set:

```bash
npm run lint
npm run build
npm test -- --run
npm pack --dry-run
```

Design guidelines:

- Keep the stdio proxy path easy to follow. Avoid introducing abstraction layers unless they reduce maintenance cost.
- Prefer deterministic tests over integration-heavy fixtures.
- Treat policy behavior changes as security-sensitive. Add tests for every new allow or block condition.
- Maintain backwards compatibility for the YAML file unless there is a strong reason to break it.
- Document any new policy fields in the README and example configs in the same change.
- If a change affects shutdown, stream handling, or JSON-RPC framing, add a regression test. Those paths are easy to break.
- Avoid adding optional modes unless they materially improve adoption or safety. Solo-maintainer sustainability matters more than feature count.
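The guideline above singles out stream handling and JSON-RPC framing as paths that deserve a regression test. The following is an added, illustrative example (not SecureMCP-Lite's own code; `createFramer` and `runFramingScenario` are assumed names) of a minimal newline-delimited JSON-RPC framer of the kind a stdio proxy needs, together with the deterministic scenario such a test should exercise: a message split across chunk boundaries, several messages in one chunk, and a malformed line from the target that must be reported rather than crash the proxy.

```javascript
// Added example: newline-delimited JSON-RPC framing for a stdio proxy, plus a
// deterministic regression scenario. Illustrative code, not the project's own
// implementation; function names are assumptions.

// Returns a framer that accepts arbitrary stdio chunks and hands back
// complete JSON-RPC messages, however the chunk boundaries fall.
function createFramer() {
  let buffer = "";
  return {
    // Feed one chunk; returns the messages completed by it.
    push(chunk) {
      buffer += chunk;
      const out = [];
      let nl;
      while ((nl = buffer.indexOf("\n")) !== -1) {
        const line = buffer.slice(0, nl).replace(/\r$/, "");
        buffer = buffer.slice(nl + 1);
        if (line.trim() === "") continue; // blank lines are not messages
        try {
          out.push({ ok: true, message: JSON.parse(line) });
        } catch (err) {
          // A malformed line from the target must not take the proxy down;
          // surface it so the caller can log it and decide whether to block.
          out.push({ ok: false, error: "invalid JSON frame", raw: line });
        }
      }
      return out;
    },
    // Bytes still waiting for a terminating newline (relevant on shutdown:
    // a partial frame should be logged, never forwarded).
    pending() {
      return buffer;
    },
  };
}

// Deterministic regression scenario with constructed sample chunks: one
// message split across chunks, two messages in one chunk, one malformed
// line in between, and a trailing partial frame left pending.
function runFramingScenario() {
  const framer = createFramer();
  const results = [];
  const chunks = [
    '{"jsonrpc":"2.0","id":1,"met',
    'hod":"tools/list"}\n{"jsonrpc":"2.0",',
    '"id":2,"method":"ping"}\nnot json\n{"jsonrpc":"2.0","id":3,"result":{}}\n',
    '{"jsonrpc":"2.0","id":4,"meth',
  ];
  for (const c of chunks) results.push(...framer.push(c));
  return { results, pending: framer.pending() };
}

console.log(JSON.stringify(runFramingScenario(), null, 2));
```

A test built on this scenario pins down four results (ids 1, 2 and 3 plus one error entry for the malformed line) and one pending partial frame; any change to chunk handling that alters those counts fails deterministically, with no subprocess or fixture server involved.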

Pull requests should:

- explain the operational or security problem being solved
- include test coverage for behavior changes
- note any breaking CLI, config, or log-format changes
- keep the diff readable; split unrelated cleanup into separate PRs when possible

Good bug reports include:

- exact command used
- config snippet
- expected behavior
- actual behavior
- reproduction steps
- Node.js version
- target MCP server command

Release process:

- Update the `package.json` version and `docs/release-notes-v0.1.0.md` for the new tag.
- Run `npm run validate`.
- Publish with `npm publish --access public`.
- Create a GitHub release using the draft notes in `docs/`.