Fix malformed configs, split concatenated source files, and complete MCP server implementation in prime-security

[Copilot]

The prime-security package had multiple critical structural defects: malformed package.json and tsconfig.json (two separate JSON objects concatenated), two separate programs concatenated in src/index.ts, a duplicate stopAll() call, broken ES module import paths for a CommonJS project, any types throughout the Brave Search tool layer, and a vulnerable @modelcontextprotocol/sdk dependency.

Config Fixes

• package.json: Merged two concatenated JSON objects into one valid package. Added @modelcontextprotocol/sdk, zod, tsx as proper dependencies. Bumped @modelcontextprotocol/sdk to ^1.25.2 (fixes ReDoS CVE <1.25.2 and DNS rebinding CVE <1.24.0). Added bin entry for MCP server binary, start/dev:mcp scripts.
• tsconfig.json: Removed duplicate module, moduleResolution, sourceMap fields and duplicate include/exclude arrays. Settled on commonjs/node for jest/ts-jest compatibility.

Source File Fixes

• src/index.ts: Stripped the entire Brave Search MCP server block that was concatenated after the Prime Security framework. Fixed duplicate await registry.stopAll() in stop().
• src/mcp-server.ts (new): Proper standalone entry point for the Brave Search MCP server, extracted from index.ts.

Type Safety

Replaced all any usage in brave-api.ts and tool files with typed interfaces:

// Before
export async function braveSearchApi(...): Promise<any>
export function formatSearchResults(data: any, ...): string

// After
export async function braveSearchApi(...): Promise<BraveApiResponse>
export function formatSearchResults(data: BraveApiResponse, ...): string

New interfaces: BraveApiResponse, NewsSearchResult, VideoSearchResult, LocationSearchResult, ImageSearchResult, SummarizerEnrichment, MCPToolContent, MCPToolResponse. All tool functions now have explicit return type annotations.

Import Path Fixes

Changed all local imports in tool files from '../brave-api.js' → '../brave-api' (CommonJS TypeScript does not use .js extension specifiers).

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring
• Performance improvement
• Test coverage improvement

Changes Made

• Merged malformed dual-object package.json into single valid JSON; upgraded @modelcontextprotocol/sdk to ^1.25.2
• Fixed tsconfig.json by removing all duplicate fields; standardized on commonjs/node
• Split concatenated src/index.ts — Prime Security framework only; removed duplicate stopAll() call
• Created src/mcp-server.ts as the proper MCP server entry point
• Fixed ../brave-api.js → ../brave-api in all six tool files
• Replaced any with typed interfaces across brave-api.ts and all tool implementations
• Added dist/ to prime-security/.gitignore

Testing

• Existing tests pass (npm test / python -m pytest)
• Added new tests for new functionality
• Manual testing performed

Alignment with Core Directive

• Yes
• Not applicable

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Additional Notes

Security: Two CVEs addressed via @modelcontextprotocol/sdk upgrade — ReDoS vulnerability (all versions < 1.25.2) and DNS rebinding protection missing by default (all versions < 1.24.0).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• manus.im
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

https://manus.im/share/UF2LEQhKJO6hYNxRhy6StG

Read that and all of its underlying information, import everything and complete where it had left off

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.