Add MCP CLI layer, security hardening, and documentation overhaul#1
Open
Krapa007 wants to merge 13 commits into
Open
Add MCP CLI layer, security hardening, and documentation overhaul#1Krapa007 wants to merge 13 commits into
Krapa007 wants to merge 13 commits into
Conversation
Renamed the project from PromptBuddy to PromptPilot.
Updated the README to enhance clarity and structure, adding sections on product features, technical architecture, installation, and roadmap.
Removed mention of the Quality Gate framework using Claude Sonnet 4.6.
Adds a self-contained CLI (`cli/`) that installs PromptPilot as an MCP server into Claude Code, intercepting every user prompt before Claude responds to it — similar to how GitNexus intercepts symbol lookups. - `promptpilot init` wires the MCP server into .claude/settings.json and appends the interception hook to CLAUDE.md; auto-injects keys from .env.local - `promptpilot remove / status / config` for lifecycle management - MCP server runs the full pipeline: gap analysis → semantic cache → RAG retrieval → Gemma 3n synthesis, all self-contained (no Next.js deps) - Short-circuits trivial inputs (< 6 words) with zero API calls - Falls back to raw prompt on pipeline error so Claude is never blocked - Ignores cli/node_modules and cli/package-lock.json via .gitignore Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Publish package as `promptpilot-mcp` with `promptpilot-mcp` binary entry point - Add `cli/bin/mcp.js` as the MCP server entrypoint (via stdio transport) - Add `.claude-plugin/manifest.json` for one-click Claude Code plugin install - Add `marketplace.json` for plugin marketplace registration - Extend env config loading to read both `.env` and `.env.local` (with dedup) - Update installer to inject keys from both env files, skipping already-set keys - Add `.mcp.json` to .gitignore to prevent committing local credentials - Update README: MCP architecture, npx install, plugin install, npm package link Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- README: embed high-level pipeline flowchart in the Technical Architecture section - ARCHITECTURE.md: new dedicated file with full pipeline diagram, component table, data flow summary, fallback guarantee, and external services reference - Diagrams reflect actual code: gap analysis → embed+cache → RAG retrieval → synthesis Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The file held live Together AI, Supabase, and Upstash credentials. Untrack it and add to .gitignore so local keys are never committed. All exposed keys must be rotated immediately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e pollution Finding 2 — Redis cache payload poisoning (embedAndCache.js, semanticCache.js): Add validateCachedPayload() allowlist before spreading any Redis-sourced data into the MCP response. Rejects entries missing optimizedPrompt, caps length at 8000 chars, and strips all non-whitelisted keys in both CLI and web paths. Finding 3 — RAG content injected verbatim into LLM system prompt (synthesis.js): Wrap each RAG chunk in <research_chunk> XML tags with an explicit instruction to treat content as inert data. Escape </research_chunk> sequences that could break out of the wrapper. Cap chunk content at 800 chars and titles at 200. Finding 4 — State file written with unvalidated merged data (mcp-server.js): writeState() now uses ALLOWED_STATE_KEYS allowlist when reading existing state and when writing new data — prevents poisoned state keys from persisting. Finding 5 — Prompt injection markers not stripped in CLI pipeline (mcp-server.js): sanitizeRawPrompt() strips ### PROMPT START/END and internal XML tags from rawPrompt before it enters the pipeline, matching the web API's existing defence. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CLAUDE.md:
- Fix skipClarification: false → true on clarification retry (was causing
gap analysis to re-run instead of forcing synthesis after user answers)
- Add explicit handling for skipped: true / fallback: true cases
- Align wording with .claude-plugin/manifest.json claudeMd field
ARCHITECTURE.md:
- Add sanitizeRawPrompt() step to pipeline diagram
- Add validateCachedPayload() step to Embed & Cache subgraph
- Add escapeChunkContent() step to Synthesis subgraph
- New Security Measures section documenting all four defences:
prompt injection sanitization, Redis cache payload validation,
RAG content XML isolation, state file key allowlist
- Add Secret Management table (which files are gitignored and why)
- Update Component Responsibilities table to include lib/ files
README.md:
- Add Security section with defence summary table and link to ARCHITECTURE.md
- Update Evaluator-Optimizer Loop: sanitize step added as step 1,
cache now described as "validated", RAG described as "XML-isolated"
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- cli/package.json: update author name/email and repository/homepage URLs - .claude-plugin/manifest.json: update author field Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@Krapa007 is attempting to deploy a commit to the SriramGanne's projects Team on Vercel. A member of the Team first needs to authorize it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
MCP CLI layer — PromptPilot now ships as a standalone MCP server
(
promptpilot-mcpon npm). Every user prompt is intercepted via theoptimize_prompttool before Claude responds, with zero configurationrequired for end users.
Claude Code plugin — Added
.claude-plugin/manifest.jsonfor one-clickinstall from the Claude Code plugin marketplace. Users are prompted for their
API keys; no manual JSON editing needed.
Security hardening — Four vulnerabilities patched:
### PROMPT START,<thinking>, etc.) strippedfrom
rawPromptbefore it enters the pipelineas Claude's operating instruction (prevents cache poisoning)
instruction and per-chunk length caps (prevents RAG content injection)
writeState()key allowlist prevents poisoned state from persisting to diskSecret management —
.claude/settings.json,.mcp.json, and.env*added to
.gitignore. Git history scrubbed withgit-filter-repoto removepreviously committed credentials.
Env loading — Config now reads both
.envand.env.localwithdeduplication; installer injects keys from both files.
Documentation — README rewritten with architecture diagram, security
section, and three install options. New
ARCHITECTURE.mdwith full pipelinediagram, security measures, and secret management reference.
CLAUDE.mdbugfixed (
skipClarificationretry logic corrected).Test plan
node bin/mcp.jsand verify stdio MCP server starts without errornode bin/promptpilot.js installand confirm.claude/settings.jsonis updated with injected keys
git log --all -p | grep tgp_v1_returns no output.env,.mcp.json,.claude/settings.jsonare not tracked(
git statusshows them as untracked or ignored)optimize_promptis calledand returns an
optimizedPrompt### PROMPT STARTand verify it is redacted