{ "canonical_name": "cyanheads/mcp-ts-template", "compilation_id": "pack_bbb9a9d061e14b138885852230bcffd0", "created_at": "2026-05-22T15:42:58.567525+00:00", "created_by": "project-pack-compiler", "feedback": { "carrier_selection_notes": [ "viable_asset_types=mcp_config, recipe, host_instruction, eval, preflight", "recommended_asset_types=mcp_config, recipe, host_instruction, eval, preflight" ], "evidence_delta": { "confirmed_claims": [ "identity_anchor_present", "capability_and_host_targets_present", "install_path_declared_or_better" ], "missing_required_fields": [], "must_verify_forwarded": [ "Run or inspect `npx mcp-ts-template` in an isolated environment.", "Confirm the project exposes the claimed capability to at least one target host." ], "quickstart_execution_scope": "allowlisted_sandbox_smoke", "sandbox_command": "npx mcp-ts-template", "sandbox_container_image": "node:22-slim", "sandbox_execution_backend": "docker", "sandbox_planner_decision": "deterministic_isolated_install", "sandbox_validation_id": "sbx_4c5ac287e70d4680930a80e901647f39" }, "feedback_event_type": "project_pack_compilation_feedback", "learning_candidate_reasons": [], "template_gaps": [] }, "identity": { "canonical_id": "project_a2ab6a912cb42e773e0bef41ce8d615e", "canonical_name": "cyanheads/mcp-ts-template", "homepage_url": null, "license": "unknown", "repo_url": "https://github.com/cyanheads/mcp-ts-template", "slug": "mcp-ts-template", "source_packet_id": "phit_194b8dd5c57a49369aa3b84b4522feae", "source_validation_id": "dval_62eaa06aa04c46cca18efab77c591267" }, "merchandising": { "best_for": "需要工具连接与集成能力,并使用 mcp_host的用户", "github_forks": null, "github_stars": null, "one_liner_en": "TypeScript template for building MCP servers with declarative tooling, observability, and auth.", "one_liner_zh": "TypeScript template for building MCP servers with declarative tooling, observability, and auth.", "primary_category": { "category_id": "tool-integrations", "confidence": "high", "name_en": "Tool Integrations", "name_zh": "工具连接与集成", "reason": "matched_keywords:mcp, server, github" }, "target_user": "使用 mcp_host 等宿主 AI 的用户", "title_en": "mcp-ts-template", "title_zh": "mcp-ts-template 能力包", "visible_tags": [ { "label_en": "MCP Tools", "label_zh": "MCP 工具", "source": "repo_evidence_project_characteristics", "tag_id": "product_domain-mcp-tools", "type": "product_domain" }, { "label_en": "Knowledge Base Q&A", "label_zh": "知识库问答", "source": "repo_evidence_project_characteristics", "tag_id": "user_job-knowledge-base-q-a", "type": "user_job" }, { "label_en": "Workflow Automation", "label_zh": "流程自动化", "source": "repo_evidence_project_characteristics", "tag_id": "core_capability-workflow-automation", "type": "core_capability" }, { "label_en": "Node-based Workflow", "label_zh": "节点式流程编排", "source": "repo_evidence_project_characteristics", "tag_id": "workflow_pattern-node-based-workflow", "type": "workflow_pattern" }, { "label_en": "Local-first", "label_zh": "本地优先", "source": "repo_evidence_project_characteristics", "tag_id": "selection_signal-local-first", "type": "selection_signal" } ] }, "packet_id": "phit_194b8dd5c57a49369aa3b84b4522feae", "page_model": { "artifacts": { "artifact_slug": "mcp-ts-template", "files": [ "PROJECT_PACK.json", "QUICK_START.md", "PROMPT_PREVIEW.md", "HUMAN_MANUAL.md", "AI_CONTEXT_PACK.md", "BOUNDARY_RISK_CARD.md", "PITFALL_LOG.md", "REPO_INSPECTION.json", "REPO_INSPECTION.md", "CAPABILITY_CONTRACT.json", "EVIDENCE_INDEX.json", "CLAIM_GRAPH.json" ], "required_files": [ "PROJECT_PACK.json", "QUICK_START.md", "PROMPT_PREVIEW.md", "HUMAN_MANUAL.md", "AI_CONTEXT_PACK.md", "BOUNDARY_RISK_CARD.md", "PITFALL_LOG.md", "REPO_INSPECTION.json" ] }, "detail": { "capability_source": "Project Hit Packet + DownstreamValidationResult", "commands": [ { "command": "npx mcp-ts-template", "label": "Node.js / npx · 官方安装入口", "source": "https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9", "verified": true } ], "display_tags": [ "MCP 工具", "知识库问答", "流程自动化", "节点式流程编排", "本地优先" ], "eyebrow": "工具连接与集成", "glance": [ { "body": "判断自己是不是目标用户。", "label": "最适合谁", "value": "需要工具连接与集成能力,并使用 mcp_host的用户" }, { "body": "先理解能力边界,再决定是否继续。", "label": "核心价值", "value": "TypeScript template for building MCP servers with declarative tooling, observability, and auth." }, { "body": "未完成验证前保持审慎。", "label": "继续前", "value": "publish to Doramagic.ai project surfaces" } ], "guardrail_source": "Boundary & Risk Card", "guardrails": [ { "body": "Prompt Preview 只展示流程,不证明项目已安装或运行。", "label": "Check 1", "value": "不要把试用当真实运行" }, { "body": "mcp_host", "label": "Check 2", "value": "确认宿主兼容" }, { "body": "publish to Doramagic.ai project surfaces", "label": "Check 3", "value": "先隔离验证" } ], "mode": "mcp_config, recipe, host_instruction, eval, preflight", "pitfall_log": { "items": [ { "body": "GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap", "category": "安装坑", "evidence": [ "community_evidence:github | cevd_b652b8d6139f43c1bcf51562afed3525 | https://github.com/cyanheads/mcp-ts-core/issues/50 | 来源讨论提到 docker 相关条件,需在安装/试用前复核。" ], "severity": "high", "suggested_check": "来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。", "title": "来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap", "user_impact": "可能增加新用户试用和生产接入成本。" }, { "body": "GitHub 社区证据显示该项目存在一个配置相关的待验证问题:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model", "category": "配置坑", "evidence": [ "community_evidence:github | cevd_3d3b719431cb499f914e169e6dce21b2 | https://github.com/cyanheads/mcp-ts-core/issues/135 | 来源讨论提到 node 相关条件,需在安装/试用前复核。" ], "severity": "high", "suggested_check": "来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。", "title": "来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model", "user_impact": "可能增加新用户试用和生产接入成本。" }, { "body": "GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)", "category": "配置坑", "evidence": [ "community_evidence:github | cevd_ed2fba370b864c57980fcc78c30fa336 | https://github.com/cyanheads/mcp-ts-core/issues/66 | 来源类型 github_issue 暴露的待验证使用条件。" ], "severity": "high", "suggested_check": "来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。", "title": "来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)", "user_impact": "可能阻塞安装或首次运行。" }, { "body": "Developers should check this security_permissions risk before relying on the project: feat(auth): add RFC 7662 Token Introspection as a third auth strategy", "category": "安全/权限坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_79b989da05ab81a148513987aa506d71 | https://github.com/cyanheads/mcp-ts-core/issues/139 | feat(auth): add RFC 7662 Token Introspection as a third auth strategy" ], "severity": "high", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy", "user_impact": "Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy" }, { "body": "Developers should check this installation risk before relying on the project: feat(templates): MCPB bundle packaging for scaffolded servers", "category": "安装坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_22c10ce8863043b0adf9a54a6f51d108 | https://github.com/cyanheads/mcp-ts-core/issues/137 | feat(templates): MCPB bundle packaging for scaffolded servers" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos", "title": "失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers", "user_impact": "Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers" }, { "body": "GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries", "category": "安装坑", "evidence": [ "community_evidence:github | cevd_9f6a4823d56640848bd04ac60d2856af | https://github.com/cyanheads/mcp-ts-core/issues/126 | 来源讨论提到 macos 相关条件,需在安装/试用前复核。" ], "severity": "medium", "suggested_check": "来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。", "title": "来源证据:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurio…", "user_impact": "可能增加新用户试用和生产接入成本。" }, { "body": "Developers should check this configuration risk before relying on the project: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_5c7acd2f18c877d832b1a859cd234468 | https://github.com/cyanheads/mcp-ts-core/issues/136 | Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini", "user_impact": "Developers may misconfigure credentials, environment, or host setup: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini" }, { "body": "Developers should check this configuration risk before relying on the project: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_7d40e777d2ccdbab34bc3b3d1402bd71 | https://github.com/cyanheads/mcp-ts-core/issues/120 | bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBod...", "user_impact": "Developers may misconfigure credentials, environment, or host setup: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter" }, { "body": "Developers should check this configuration risk before relying on the project: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_41ff925fb40ebff8720b5c65f8b20ece | https://github.com/cyanheads/mcp-ts-core/issues/124 | bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings. Context: Observed when using node", "title": "失败模式:configuration: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 rel...", "user_impact": "Developers may misconfigure credentials, environment, or host setup: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings" }, { "body": "Developers should check this configuration risk before relying on the project: changelog: raise summary cap from 250 → 350 chars", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_5d2f31e619abdbc2e753d5c67819c1a8 | https://github.com/cyanheads/mcp-ts-core/issues/129 | changelog: raise summary cap from 250 → 350 chars" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: changelog: raise summary cap from 250 → 350 chars. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: changelog: raise summary cap from 250 → 350 chars", "user_impact": "Developers may misconfigure credentials, environment, or host setup: changelog: raise summary cap from 250 → 350 chars" }, { "body": "Developers should check this configuration risk before relying on the project: docs(api-canvas): add minimum-viable spillover server recipe as the default", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_44db3da73c060fc8e7affa9e6c321749 | https://github.com/cyanheads/mcp-ts-core/issues/138 | docs(api-canvas): add minimum-viable spillover server recipe as the default" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: docs(api-canvas): add minimum-viable spillover server recipe as the default. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: docs(api-canvas): add minimum-viable spillover server recipe as the default", "user_impact": "Developers may misconfigure credentials, environment, or host setup: docs(api-canvas): add minimum-viable spillover server recipe as the default" }, { "body": "Developers should check this configuration risk before relying on the project: feat(docs/skills): codify agent-observed correctness across response design surface", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_a5a5f36d76023182a160cd1189430916 | https://github.com/cyanheads/mcp-ts-core/issues/131 | feat(docs/skills): codify agent-observed correctness across response design surface" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(docs/skills): codify agent-observed correctness across response design surface. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: feat(docs/skills): codify agent-observed correctness across response design surface", "user_impact": "Developers may misconfigure credentials, environment, or host setup: feat(docs/skills): codify agent-observed correctness across response design surface" }, { "body": "Developers should check this configuration risk before relying on the project: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_008c058324c5476cab1114c3b507a398 | https://github.com/cyanheads/mcp-ts-core/issues/141 | feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-ne...", "user_impact": "Developers may misconfigure credentials, environment, or host setup: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`" }, { "body": "Developers should check this configuration risk before relying on the project: feat(linter,docs): cross-vendor JSON Schema portability rules", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_442715f721a7d8f0d431a38068bdcfcd | https://github.com/cyanheads/mcp-ts-core/issues/132 | feat(linter,docs): cross-vendor JSON Schema portability rules" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(linter,docs): cross-vendor JSON Schema portability rules. Context: Observed when using python", "title": "失败模式:configuration: feat(linter,docs): cross-vendor JSON Schema portability rules", "user_impact": "Developers may misconfigure credentials, environment, or host setup: feat(linter,docs): cross-vendor JSON Schema portability rules" }, { "body": "Developers should check this configuration risk before relying on the project: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_94fb8f4bb9c19f4e783136fcde3ed772 | https://github.com/cyanheads/mcp-ts-core/issues/130 | feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs. Context: Source discussion did not expose a precise runtime context.", "title": "失败模式:configuration: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs", "user_impact": "Developers may misconfigure credentials, environment, or host setup: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs" }, { "body": "Developers should check this configuration risk before relying on the project: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)", "category": "配置坑", "evidence": [ "failure_mode_cluster:github_issue | fmev_e38ad2dfdd02625b61bb0948c324e842 | https://github.com/cyanheads/mcp-ts-core/issues/134 | feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)" ], "severity": "medium", "suggested_check": "Before packaging this project, run the relevant install/config/quickstart check for: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch). Context: Observed when using node, cuda", "title": "失败模式:configuration: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)", "user_impact": "Developers may misconfigure credentials, environment, or host setup: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)" } ], "source": "ProjectPitfallLog + ProjectHitPacket + validation + community signals", "summary": "发现 38 个潜在踩坑项,其中 4 个为 high/blocking;最高优先级:安装坑 - 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap。", "title": "踩坑日志" }, "snapshot": { "contributors": null, "forks": null, "license": "unknown", "note": "站点快照,非实时质量证明;用于开工前背景判断。", "stars": null }, "source_url": "https://github.com/cyanheads/mcp-ts-template", "steps": [ { "body": "不安装项目,先体验能力节奏。", "code": "preview", "title": "先试 Prompt" }, { "body": "理解输入、输出、失败模式和边界。", "code": "manual", "title": "读说明书" }, { "body": "把上下文交给宿主 AI 继续工作。", "code": "context", "title": "带给 AI" }, { "body": "进入主力环境前先完成安装入口与风险边界验证。", "code": "verify", "title": "沙箱验证" } ], "subtitle": "TypeScript template for building MCP servers with declarative tooling, observability, and auth.", "title": "mcp-ts-template 能力包", "trial_prompt": "# mcp-ts-template - Prompt Preview\n\n> Copy the prompt below into your AI host before installing anything.\n> Its purpose is to let you safely feel the project's workflow, not to claim the project has already run.\n\n## Copy this prompt\n\n```text\nYou are using an independent Doramagic capability pack for cyanheads/mcp-ts-template.\n\nProject:\n- Name: mcp-ts-template\n- Repository: https://github.com/cyanheads/mcp-ts-template\n- Summary: TypeScript template for building MCP servers with declarative tooling, observability, and auth.\n- Host target: mcp_host\n\nGoal:\nHelp me evaluate this project for the following task without installing it yet: TypeScript template for building MCP servers with declarative tooling, observability, and auth.\n\nBefore taking action:\n1. Restate my task, success standard, and boundary.\n2. Identify whether the next step requires tools, browser access, network access, filesystem access, credentials, package installation, or host configuration.\n3. Use only the Doramagic Project Pack, the upstream repository, and the source-linked evidence listed below.\n4. If a real command, install step, API call, file write, or host integration is required, mark it as \"requires post-install verification\" and ask for approval first.\n5. If evidence is missing, say \"evidence is missing\" instead of filling the gap.\n\nPreviewable capabilities:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCapabilities that require post-install verification:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCore service flow:\n1. overview: Repository Overview. Produce one small intermediate artifact and wait for confirmation.\n2. entrypoints: Entrypoints and Runtime Surface. Produce one small intermediate artifact and wait for confirmation.\n3. architecture: Architecture Evidence Map. Produce one small intermediate artifact and wait for confirmation.\n4. operations: Operations and Verification Boundaries. Produce one small intermediate artifact and wait for confirmation.\n\nSource-backed evidence to keep in mind:\n- https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9\n- skills/add-app-tool/SKILL.md\n- skills/add-export/SKILL.md\n- skills/add-prompt/SKILL.md\n- skills/add-provider/SKILL.md\n- skills/add-resource/SKILL.md\n- skills/add-service/SKILL.md\n- skills/add-test/SKILL.md\n- skills/add-tool/SKILL.md\n- skills/api-auth/SKILL.md\n\nFirst response rules:\n1. Start Step 1 only.\n2. Explain the one service action you will perform first.\n3. Ask exactly three questions about my target workflow, success standard, and sandbox boundary.\n4. Stop and wait for my answers.\n\nStep 1 follow-up protocol:\n- After I answer the first three questions, stay in Step 1.\n- Produce six parts only: clarified task, success standard, boundary conditions, two or three options, tradeoffs for each option, and one recommendation.\n- End by asking whether I confirm the recommendation.\n- Do not move to Step 2 until I explicitly confirm.\n\nConversation rules:\n- Advance one step at a time and wait for confirmation after each small artifact.\n- Write outputs as recommendations or planned checks, not as completed execution.\n- Do not claim tests passed, files changed, commands ran, APIs were called, or the project was installed.\n- If the user asks for execution, first provide the sandbox setup, expected output, rollback, and approval checkpoint.\n```\n", "voices": [ { "body": "来源平台:github。github/github_issue: feat(tool): flatten SDK input-validation error text and move issues to e(https://github.com/cyanheads/mcp-ts-core/issues/66);github/github_issue: feat(tool): first-class support for discriminated-union tool inputs (mul(https://github.com/cyanheads/mcp-ts-core/issues/142);github/github_issue: bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on h(https://github.com/cyanheads/mcp-ts-core/issues/50);github/github_issue: feat(linter): `schema-properties-need-type` — flag typeless leaves misse(https://github.com/cyanheads/mcp-ts-core/issues/141);github/github_issue: docs(api-canvas): add minimum-viable spillover server recipe as the defa(https://github.com/cyanheads/mcp-ts-core/issues/138);github/github_issue: feat(auth): add RFC 7662 Token Introspection as a third auth strategy(https://github.com/cyanheads/mcp-ts-core/issues/139);github/github_issue: feat(templates): MCPB bundle packaging for scaffolded servers(https://github.com/cyanheads/mcp-ts-core/issues/137);github/github_issue: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Ge(https://github.com/cyanheads/mcp-ts-core/issues/136);github/github_issue: bug(transport): list_changed notifications silently dropped under HTTP p(https://github.com/cyanheads/mcp-ts-core/issues/135);github/github_issue: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP (https://github.com/cyanheads/mcp-ts-core/issues/134);github/github_issue: feat(linter,docs): cross-vendor JSON Schema portability rules(https://github.com/cyanheads/mcp-ts-core/issues/132);github/github_issue: feat(docs/skills): codify agent-observed correctness across response des(https://github.com/cyanheads/mcp-ts-core/issues/131)。这些是项目级外部声音,不作为单独质量证明。", "items": [ { "kind": "github_issue", "source": "github", "title": "feat(tool): flatten SDK input-validation error text and move issues to e", "url": "https://github.com/cyanheads/mcp-ts-core/issues/66" }, { "kind": "github_issue", "source": "github", "title": "feat(tool): first-class support for discriminated-union tool inputs (mul", "url": "https://github.com/cyanheads/mcp-ts-core/issues/142" }, { "kind": "github_issue", "source": "github", "title": "bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on h", "url": "https://github.com/cyanheads/mcp-ts-core/issues/50" }, { "kind": "github_issue", "source": "github", "title": "feat(linter): `schema-properties-need-type` — flag typeless leaves misse", "url": "https://github.com/cyanheads/mcp-ts-core/issues/141" }, { "kind": "github_issue", "source": "github", "title": "docs(api-canvas): add minimum-viable spillover server recipe as the defa", "url": "https://github.com/cyanheads/mcp-ts-core/issues/138" }, { "kind": "github_issue", "source": "github", "title": "feat(auth): add RFC 7662 Token Introspection as a third auth strategy", "url": "https://github.com/cyanheads/mcp-ts-core/issues/139" }, { "kind": "github_issue", "source": "github", "title": "feat(templates): MCPB bundle packaging for scaffolded servers", "url": "https://github.com/cyanheads/mcp-ts-core/issues/137" }, { "kind": "github_issue", "source": "github", "title": "Connect card: active-tab styling, default to Claude, add Codex/Cursor/Ge", "url": "https://github.com/cyanheads/mcp-ts-core/issues/136" }, { "kind": "github_issue", "source": "github", "title": "bug(transport): list_changed notifications silently dropped under HTTP p", "url": "https://github.com/cyanheads/mcp-ts-core/issues/135" }, { "kind": "github_issue", "source": "github", "title": "feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP ", "url": "https://github.com/cyanheads/mcp-ts-core/issues/134" }, { "kind": "github_issue", "source": "github", "title": "feat(linter,docs): cross-vendor JSON Schema portability rules", "url": "https://github.com/cyanheads/mcp-ts-core/issues/132" }, { "kind": "github_issue", "source": "github", "title": "feat(docs/skills): codify agent-observed correctness across response des", "url": "https://github.com/cyanheads/mcp-ts-core/issues/131" } ], "status": "已收录 12 条来源", "title": "社区讨论" } ] }, "homepage_card": { "category": "工具连接与集成", "desc": "TypeScript template for building MCP servers with declarative tooling, observability, and auth.", "effort": "安装已验证", "forks": null, "icon": "link", "name": "mcp-ts-template 能力包", "risk": "可发布", "slug": "mcp-ts-template", "stars": null, "tags": [ "MCP 工具", "知识库问答", "流程自动化", "节点式流程编排", "本地优先" ], "thumb": "gray", "type": "MCP 配置" }, "manual": { "markdown": "# https://github.com/cyanheads/mcp-ts-template Project Manual\n\nGenerated on: 2026-05-22 15:39:59 UTC\n\n## Table of Contents\n\n- [Repository Overview](#overview)\n- [Entrypoints and Runtime Surface](#entrypoints)\n- [Architecture Evidence Map](#architecture)\n- [Operations and Verification Boundaries](#operations)\n\n\n\n## Repository Overview\n\n### Related Pages\n\nRelated topics: [Entrypoints and Runtime Surface](#entrypoints), [Architecture Evidence Map](#architecture), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Repository Overview\n\nThis page is generated from repository evidence because the Human Wiki provider was unavailable. It intentionally limits itself to README and file-tree facts.\n\n## README Evidence\n\n
\n

@cyanheads/mcp-ts-core

\n

Agent-native TypeScript framework for building MCP servers. Build tools, not infrastructure. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.

\n
\n\n
\n\n[![Version](https://img.shields.io/badge/Version-0.9.1-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE)\n\n[![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.0%2B-blueviolet.svg?style=flat-square)](https://bun.sh/)\n\n
\n\n---\n\n## What is this?\n\n`@cyanheads/mcp-ts-core` is the infrastructure layer for TypeScript MCP servers. Install it as a dependency — don't fork it. Your agent collaborates with you to design and build the tools, resources, and prompts for your server.\n\nThe framework handles the plumbing: transports, auth, config, logging, telemetry, & more. Define your domain logic with the builders and let the framework take care of the rest.\n\n```ts\nimport { createApp, tool, z } from '@cyanheads/mcp-ts-core';\n\nconst greet = tool('greet', {\n description: 'Greet someone by name and return a personalized message.',\n annotations: { readOnlyHint: true },\n input: z.object({\n name: z.string().describe('Name of the person to greet'),\n }),\n output: z.object({\n message: z.string().describe('The greeting message'),\n }),\n errors: [\n {\n reason: 'name_blocked',\n code: JsonRpcErrorCode.Forbidden,\n when: 'The provided name is on the configured block list.',\n recovery: 'Use a different name.',\n },\n ],\n handler: async (input, ctx) => {\n if (isBlocked(input.name)) throw ctx.fail('name_blocked', `\"${input.name}\" is blocked`);\n return { message: `Hello, ${input.name}!` };\n },\n});\n\nawait createApp({ tools: [greet] });\n```\n\nThat's a complete MCP server. Every tool cal\n\n[excerpt truncated]\n\n## Selected Source Inventory\n\n- `Dockerfile`\n- `README.md`\n- `package.json`\n- `skills/README.md`\n- `templates/Dockerfile`\n- `templates/package.json`\n- `skills/polish-docs-meta/references/readme.md`\n- `src/index.ts`\n- `src/cli/init.ts`\n- `src/config/index.ts`\n- `src/config/parseEnvConfig.ts`\n- `src/core/app.ts`\n\n| File | Evidence role | Size |\n|---|---|---|\n| `Dockerfile` | repository evidence | 4057 bytes |\n| `README.md` | README/product and usage evidence | 15590 bytes |\n| `package.json` | package/runtime metadata | 11594 bytes |\n| `skills/README.md` | documentation evidence | 2004 bytes |\n| `templates/Dockerfile` | repository evidence | 3517 bytes |\n| `templates/package.json` | package/runtime metadata | 1625 bytes |\n| `skills/polish-docs-meta/references/readme.md` | documentation evidence | 18454 bytes |\n| `src/index.ts` | implementation surface | 270 bytes |\n| `src/cli/init.ts` | implementation surface | 9118 bytes |\n| `src/config/index.ts` | implementation surface | 26418 bytes |\n| `src/config/parseEnvConfig.ts` | implementation surface | 2729 bytes |\n| `src/core/app.ts` | implementation surface | 24448 bytes |\n\nSource: `[README.md:1-120]()`\n\n---\n\n\n\n## Entrypoints and Runtime Surface\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Architecture Evidence Map](#architecture), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Entrypoints and Runtime Surface\n\nThe files below are the highest-signal candidates for how the project is installed, started, configured, or embedded. Treat this as an evidence map, not an inferred API contract.\n\n| File | Evidence role | Size |\n|---|---|---|\n| `Dockerfile` | repository evidence | 4057 bytes |\n| `README.md` | README/product and usage evidence | 15590 bytes |\n| `package.json` | package/runtime metadata | 11594 bytes |\n| `skills/README.md` | documentation evidence | 2004 bytes |\n| `templates/Dockerfile` | repository evidence | 3517 bytes |\n| `templates/package.json` | package/runtime metadata | 1625 bytes |\n| `skills/polish-docs-meta/references/readme.md` | documentation evidence | 18454 bytes |\n| `src/index.ts` | implementation surface | 270 bytes |\n| `src/cli/init.ts` | implementation surface | 9118 bytes |\n| `src/config/index.ts` | implementation surface | 26418 bytes |\n| `src/config/parseEnvConfig.ts` | implementation surface | 2729 bytes |\n| `src/core/app.ts` | implementation surface | 24448 bytes |\n\nSource: `[Dockerfile:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)`\n\n---\n\n\n\n## Architecture Evidence Map\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Entrypoints and Runtime Surface](#entrypoints), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Architecture Evidence Map\n\nThis section maps source paths into likely architectural areas based on repository layout only. Claims that require execution are intentionally not made here.\n\n- `.`: `Dockerfile`, `README.md`, `package.json`\n- `skills`: `skills/README.md`, `skills/polish-docs-meta/references/readme.md`\n- `src`: `src/index.ts`, `src/cli/init.ts`, `src/config/index.ts`, `src/config/parseEnvConfig.ts`, `src/core/app.ts`\n- `templates`: `templates/Dockerfile`, `templates/package.json`\n\nSource: `[README.md:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)`\n\n---\n\n\n\n## Operations and Verification Boundaries\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Entrypoints and Runtime Surface](#entrypoints), [Architecture Evidence Map](#architecture)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Operations and Verification Boundaries\n\nOperational guidance is limited to files that are present in the repository. Before using this project in an agent workflow, verify install, quickstart, and runtime behavior in a sandbox.\n\n- Containerization signal: `Dockerfile`\n- Documentation signal: `README.md`\n- Runtime/package signal: `package.json`\n- Documentation signal: `skills/README.md`\n- Containerization signal: `templates/Dockerfile`\n- Runtime/package signal: `templates/package.json`\n- Documentation signal: `skills/polish-docs-meta/references/readme.md`\n- Source inspection signal: `src/index.ts`\n- Source inspection signal: `src/cli/init.ts`\n- Source inspection signal: `src/config/index.ts`\n\nSource: `[package.json:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)`\n\n---\n\n---\n\n## Doramagic Pitfall Log\n\nProject: cyanheads/mcp-ts-template\n\nSummary: Found 38 potential pitfall items; 4 are high/blocking. Highest priority: installation - 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap.\n\n## 1. installation · 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_b652b8d6139f43c1bcf51562afed3525 | https://github.com/cyanheads/mcp-ts-core/issues/50 | 来源讨论提到 docker 相关条件,需在安装/试用前复核。\n\n## 2. configuration · 来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_3d3b719431cb499f914e169e6dce21b2 | https://github.com/cyanheads/mcp-ts-core/issues/135 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 3. configuration · 来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n- User impact: 可能阻塞安装或首次运行。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_ed2fba370b864c57980fcc78c30fa336 | https://github.com/cyanheads/mcp-ts-core/issues/66 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 4. security_permissions · 失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: Developers should check this security_permissions risk before relying on the project: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- User impact: Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: Do not recommend enabling privileged or credential-bearing paths until the source-backed risk is reviewed: https://github.com/cyanheads/mcp-ts-core/issues/139\n- Evidence: failure_mode_cluster:github_issue | fmev_79b989da05ab81a148513987aa506d71 | https://github.com/cyanheads/mcp-ts-core/issues/139 | feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n## 5. installation · 失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this installation risk before relying on the project: feat(templates): MCPB bundle packaging for scaffolded servers\n- User impact: Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_22c10ce8863043b0adf9a54a6f51d108 | https://github.com/cyanheads/mcp-ts-core/issues/137 | feat(templates): MCPB bundle packaging for scaffolded servers\n\n## 6. installation · 来源证据:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurio…\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_9f6a4823d56640848bd04ac60d2856af | https://github.com/cyanheads/mcp-ts-core/issues/126 | 来源讨论提到 macos 相关条件,需在安装/试用前复核。\n\n## 7. configuration · 失败模式:configuration: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- User impact: Developers may misconfigure credentials, environment, or host setup: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5c7acd2f18c877d832b1a859cd234468 | https://github.com/cyanheads/mcp-ts-core/issues/136 | Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n## 8. configuration · 失败模式:configuration: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBod...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_7d40e777d2ccdbab34bc3b3d1402bd71 | https://github.com/cyanheads/mcp-ts-core/issues/120 | bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n## 9. configuration · 失败模式:configuration: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 rel...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_41ff925fb40ebff8720b5c65f8b20ece | https://github.com/cyanheads/mcp-ts-core/issues/124 | bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n## 10. configuration · 失败模式:configuration: changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: changelog: raise summary cap from 250 → 350 chars\n- User impact: Developers may misconfigure credentials, environment, or host setup: changelog: raise summary cap from 250 → 350 chars\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: changelog: raise summary cap from 250 → 350 chars. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5d2f31e619abdbc2e753d5c67819c1a8 | https://github.com/cyanheads/mcp-ts-core/issues/129 | changelog: raise summary cap from 250 → 350 chars\n\n## 11. configuration · 失败模式:configuration: docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: Developers may misconfigure credentials, environment, or host setup: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: docs(api-canvas): add minimum-viable spillover server recipe as the default. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_44db3da73c060fc8e7affa9e6c321749 | https://github.com/cyanheads/mcp-ts-core/issues/138 | docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n## 12. configuration · 失败模式:configuration: feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(docs/skills): codify agent-observed correctness across response design surface\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(docs/skills): codify agent-observed correctness across response design surface. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_a5a5f36d76023182a160cd1189430916 | https://github.com/cyanheads/mcp-ts-core/issues/131 | feat(docs/skills): codify agent-observed correctness across response design surface\n\n## 13. configuration · 失败模式:configuration: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-ne...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_008c058324c5476cab1114c3b507a398 | https://github.com/cyanheads/mcp-ts-core/issues/141 | feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n## 14. configuration · 失败模式:configuration: feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter,docs): cross-vendor JSON Schema portability rules\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter,docs): cross-vendor JSON Schema portability rules. Context: Observed when using python\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_442715f721a7d8f0d431a38068bdcfcd | https://github.com/cyanheads/mcp-ts-core/issues/132 | feat(linter,docs): cross-vendor JSON Schema portability rules\n\n## 15. configuration · 失败模式:configuration: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_94fb8f4bb9c19f4e783136fcde3ed772 | https://github.com/cyanheads/mcp-ts-core/issues/130 | feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n## 16. configuration · 失败模式:configuration: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch). Context: Observed when using node, cuda\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e38ad2dfdd02625b61bb0948c324e842 | https://github.com/cyanheads/mcp-ts-core/issues/134 | feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n## 17. configuration · 失败模式:configuration: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools). Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_de75bb8a294c55ed56f1bb44faf7bd37 | https://github.com/cyanheads/mcp-ts-core/issues/142 | feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n## 18. configuration · 来源证据:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_22e974aafd5649c7b4e239b2a07a33ec | https://github.com/cyanheads/mcp-ts-core/issues/134 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 19. capability · 能力判断依赖假设\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: README/documentation is current enough for a first validation pass.\n- User impact: 假设不成立时,用户拿不到承诺的能力。\n- Suggested check: 将假设转成下游验证清单。\n- Guardrail action: 假设必须转成验证项;没有验证结果前不能写成事实。\n- Evidence: capability.assumptions | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | README/documentation is current enough for a first validation pass.\n\n## 20. runtime · 失败模式:runtime: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: Developers may hit a documented source-backed failure mode: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_c771a0d6f06fc6e6e023bd2f45ada5a3 | https://github.com/cyanheads/mcp-ts-core/issues/135 | bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n## 21. runtime · 失败模式:runtime: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasin...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries. Context: Observed when using macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e7737d7800a604e87586603a0d3fe8d5 | https://github.com/cyanheads/mcp-ts-core/issues/126 | bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n\n## 22. maintenance · 失败模式:migration: bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this migration risk before relying on the project: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): logger rate-limit map only sweeps when suppression triggered. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_0716f10fda662c3e061d6b59d0f45b12 | https://github.com/cyanheads/mcp-ts-core/issues/115 | bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n## 23. maintenance · 来源证据:bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个维护/版本相关的待验证问题:bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8fb7b505af3f480c95c67b34c105329e | https://github.com/cyanheads/mcp-ts-core/issues/115 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 24. maintenance · 维护活跃度未知\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: 未记录 last_activity_observed。\n- User impact: 新项目、停更项目和活跃项目会被混在一起,推荐信任度下降。\n- Suggested check: 补 GitHub 最近 commit、release、issue/PR 响应信号。\n- Guardrail action: 维护活跃度未知时,推荐强度不能标为高信任。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | last_activity_observed missing\n\n## 25. security_permissions · 下游验证发现风险项\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 下游已经要求复核,不能在页面中弱化。\n- Suggested check: 进入安全/权限治理复核队列。\n- Guardrail action: 下游风险存在时必须保持 review/recommendation 降级。\n- Evidence: downstream_validation.risk_items | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 26. security_permissions · 存在评分风险\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 风险会影响是否适合普通用户安装。\n- Suggested check: 把风险写入边界卡,并确认是否需要人工复核。\n- Guardrail action: 评分风险必须进入边界卡,不能只作为内部分数。\n- Evidence: risks.scoring_risks | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 27. security_permissions · 来源证据:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_5df71519e99747a0a028db7767bd9b86 | https://github.com/cyanheads/mcp-ts-core/issues/120 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 28. security_permissions · 来源证据:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_c1d184e56e66446085332f42b7500be4 | https://github.com/cyanheads/mcp-ts-core/issues/114 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 29. security_permissions · 来源证据:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_a6e8146b33d0467584baf5d0c8d433c8 | https://github.com/cyanheads/mcp-ts-core/issues/124 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 30. security_permissions · 来源证据:changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:changelog: raise summary cap from 250 → 350 chars\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d2eeeaa093654bed9869dc412630cb74 | https://github.com/cyanheads/mcp-ts-core/issues/129 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 31. security_permissions · 来源证据:docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d5b1c38bbee5494abc71a7f891389997 | https://github.com/cyanheads/mcp-ts-core/issues/138 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 32. security_permissions · 来源证据:feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8db18d54bc9948a28dcf10fd5207d1fa | https://github.com/cyanheads/mcp-ts-core/issues/131 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 33. security_permissions · 来源证据:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_680ec4f7c0ff4c8c9f29762e8c8e2520 | https://github.com/cyanheads/mcp-ts-core/issues/141 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 34. security_permissions · 来源证据:feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_69d95636c7024bf2bb5d8aad01b7ab6d | https://github.com/cyanheads/mcp-ts-core/issues/132 | 来源讨论提到 python 相关条件,需在安装/试用前复核。\n\n## 35. security_permissions · 来源证据:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_0280b913a8284f73ad4ac3932a76ebd5 | https://github.com/cyanheads/mcp-ts-core/issues/130 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 36. security_permissions · 来源证据:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8a3ab16a17764a828dc447d9462d875c | https://github.com/cyanheads/mcp-ts-core/issues/142 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 37. maintenance · issue/PR 响应质量未知\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: issue_or_pr_quality=unknown。\n- User impact: 用户无法判断遇到问题后是否有人维护。\n- Suggested check: 抽样最近 issue/PR,判断是否长期无人处理。\n- Guardrail action: issue/PR 响应未知时,必须提示维护风险。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | issue_or_pr_quality=unknown\n\n## 38. maintenance · 发布节奏不明确\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: release_recency=unknown。\n- User impact: 安装命令和文档可能落后于代码,用户踩坑概率升高。\n- Suggested check: 确认最近 release/tag 和 README 安装命令是否一致。\n- Guardrail action: 发布节奏未知或过期时,安装说明必须标注可能漂移。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | release_recency=unknown\n\n\n", "markdown_key": "mcp-ts-template", "pages": "draft", "source_refs": [ { "evidence_id": "mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9", "kind": "mcp_registry", "supports_claim_ids": [ "claim_identity", "claim_distribution", "claim_capability" ], "url": "https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9" } ], "summary": "DeepWiki/Human Wiki output with a Doramagic pitfall appendix.", "title": "mcp-ts-template 说明书", "toc": [ "https://github.com/cyanheads/mcp-ts-template Project Manual", "Table of Contents", "Repository Overview", "README Evidence", "What is this?", "Selected Source Inventory", "Entrypoints and Runtime Surface", "Architecture Evidence Map", "Doramagic 踩坑日志" ] } }, "quality_gate": { "blocking_gaps": [], "category_confidence": "medium", "compile_status": "ready_for_review", "five_assets_present": true, "install_sandbox_verified": true, "missing_evidence": [], "next_action": "publish to Doramagic.ai project surfaces", "prompt_preview_boundary_ok": true, "publish_status": "publishable", "quick_start_verified": true, "repo_clone_verified": true, "repo_commit": "aead657d6c1f1569e39325f6d4622e61c09f6e5e", "repo_inspection_error": null, "repo_inspection_files": [ "Dockerfile", "package.json", "README.md", "docs/tree.md", "docs/telemetry/dashboards.md", "docs/telemetry/mcp-ts-core-dashboard.json", "docs/telemetry/observability.md", "docs/mcp-specification/2025-11-25/architecture.md", "docs/mcp-specification/2025-11-25/key-changes.md", "docs/mcp-specification/2025-11-25/specification.md", "docs/mcp-specification/2025-11-25/schema-reference.md", "docs/mcp-specification/2025-06-18/utils/pagination.md", "docs/mcp-specification/2025-06-18/utils/ping.md", "docs/mcp-specification/2025-06-18/utils/logging.md", "docs/mcp-specification/2025-06-18/utils/progress.md", "docs/mcp-specification/2025-06-18/utils/completion.md", "docs/mcp-specification/2025-06-18/utils/cancellation.md", "docs/mcp-specification/2025-06-18/core/authorization.md", "docs/mcp-specification/2025-06-18/core/overview.md", "docs/mcp-specification/2025-06-18/core/transports.md", "docs/mcp-specification/2025-06-18/core/lifecycle.md", "docs/mcp-specification/2025-06-18/best-practices/security.md", "docs/mcp-specification/2025-11-25/extensions/overview.md", "docs/mcp-specification/2025-11-25/extensions/auth-overview.md", "docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md", "docs/mcp-specification/2025-11-25/extensions/apps-overview.md", "docs/mcp-specification/2025-11-25/extensions/auth-enterprise-managed.md", "docs/mcp-specification/2025-11-25/extensions/client-matrix.md", "docs/mcp-specification/2025-11-25/extensions/apps-build.md", "docs/mcp-specification/2025-11-25/server/tools.md", "docs/mcp-specification/2025-11-25/server/overview.md", "docs/mcp-specification/2025-11-25/server/utilities.md", "docs/mcp-specification/2025-11-25/server/prompts.md", "docs/mcp-specification/2025-11-25/server/resources.md", "docs/mcp-specification/2025-11-25/utils/tasks.md", "docs/mcp-specification/2025-11-25/utils/ping.md", "docs/mcp-specification/2025-11-25/utils/progress.md", "docs/mcp-specification/2025-11-25/utils/cancellation.md", "docs/mcp-specification/2025-11-25/client/elicitation.md", "docs/mcp-specification/2025-11-25/client/roots.md" ], "repo_inspection_verified": true, "review_reasons": [], "tag_count_ok": true, "unsupported_claims": [] }, "schema_version": "0.1", "user_assets": { "ai_context_pack": { "asset_id": "ai_context_pack", "filename": "AI_CONTEXT_PACK.md", "markdown": "# @cyanheads/mcp-ts-core - Doramagic AI Context Pack\n\n> 定位:安装前体验与判断资产。它帮助宿主 AI 有一个好的开始,但不代表已经安装、执行或验证目标项目。\n\n## 充分原则\n\n- **充分原则,不是压缩原则**:AI Context Pack 应该充分到让宿主 AI 在开工前理解项目价值、能力边界、使用入口、风险和证据来源;它可以分层组织,但不以最短摘要为目标。\n- **压缩策略**:只压缩噪声和重复内容,不压缩会影响判断和开工质量的上下文。\n\n## 给宿主 AI 的使用方式\n\n你正在读取 Doramagic 为 @cyanheads/mcp-ts-core 编译的 AI Context Pack。请把它当作开工前上下文:帮助用户理解适合谁、能做什么、如何开始、哪些必须安装后验证、风险在哪里。不要声称你已经安装、运行或执行了目标项目。\n\n## Claim 消费规则\n\n- **事实来源**:Repo Evidence + Claim/Evidence Graph;Human Wiki 只提供显著性、术语和叙事结构。\n- **事实最低状态**:`supported`\n- `supported`:可以作为项目事实使用,但回答中必须引用 claim_id 和证据路径。\n- `weak`:只能作为低置信度线索,必须要求用户继续核实。\n- `inferred`:只能用于风险提示或待确认问题,不能包装成项目事实。\n- `unverified`:不得作为事实使用,应明确说证据不足。\n- `contradicted`:必须展示冲突来源,不得替用户强行选择一个版本。\n\n## 它最适合谁\n\n- **正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**:README 或插件配置提到多个宿主 AI。 证据:`README.md` Claim:`clm_0003` supported 0.86\n- **希望把专业流程带进宿主 AI 的用户**:仓库包含 Skill 文档。 证据:`skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md`, `skills/add-prompt/SKILL.md`, `skills/add-provider/SKILL.md` 等 Claim:`clm_0004` supported 0.86\n\n## 它能做什么\n\n- **AI Skill / Agent 指令资产库**(可做安装前预览):项目包含可被宿主 AI 读取的 Skill 或 Agent 指令文件,可用于把专业流程带入 Claude、Codex、Cursor 等宿主。 证据:`skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md`, `skills/add-prompt/SKILL.md`, `skills/add-provider/SKILL.md` 等 Claim:`clm_0001` supported 0.86\n- **命令行启动或安装流程**(需要安装后验证):项目文档中存在可执行命令,真实使用需要在本地或宿主环境中运行这些命令。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md` Claim:`clm_0002` supported 0.86\n\n## 怎么开始\n\n- `/plugin marketplace add modelcontextprotocol/ext-apps` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0005` supported 0.86\n- `/plugin install mcp-apps@modelcontextprotocol-ext-apps` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0006` supported 0.86\n- `npx skills add modelcontextprotocol/ext-apps` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0007` supported 0.86\n- `git clone https://github.com/modelcontextprotocol/ext-apps.git` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0008` supported 0.86\n- `npm install && npm run build && npm run serve` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0009` supported 0.86\n- `npm install @modelcontextprotocol/ext-apps @modelcontextprotocol/sdk` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0010` supported 0.86\n- `npm install -D typescript vite vite-plugin-singlefile express cors @types/express @types/cors tsx` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0011` supported 0.86\n- `npx cloudflared tunnel --url http://localhost:3001` 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0012` supported 0.86\n- `npm install @modelcontextprotocol/client` 证据:`docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md` Claim:`clm_0013` supported 0.86\n- `pip install mcp` 证据:`docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md` Claim:`clm_0014` supported 0.86\n\n## 继续前判断卡\n\n- **当前建议**:先做权限沙盒试用\n- **为什么**:项目存在安装命令、宿主配置或本地写入线索,不建议直接进入主力环境,应先在隔离环境试装。\n\n### 30 秒判断\n\n- **现在怎么做**:先做权限沙盒试用\n- **最小安全下一步**:先跑 Prompt Preview;若仍要安装,只在隔离环境试装\n- **先别相信**:工具权限边界不能在安装前相信。\n- **继续会触碰**:命令执行、宿主 AI 配置、本地环境或项目文件\n\n### 现在可以相信\n\n- **适合人群线索:正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**(supported):有 supported claim 或项目证据支撑,但仍不等于真实安装效果。 证据:`README.md` Claim:`clm_0003` supported 0.86\n- **适合人群线索:希望把专业流程带进宿主 AI 的用户**(supported):有 supported claim 或项目证据支撑,但仍不等于真实安装效果。 证据:`skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md`, `skills/add-prompt/SKILL.md`, `skills/add-provider/SKILL.md` 等 Claim:`clm_0004` supported 0.86\n- **能力存在:AI Skill / Agent 指令资产库**(supported):可以相信项目包含这类能力线索;是否适合你的具体任务仍要试用或安装后验证。 证据:`skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md`, `skills/add-prompt/SKILL.md`, `skills/add-provider/SKILL.md` 等 Claim:`clm_0001` supported 0.86\n- **能力存在:命令行启动或安装流程**(supported):可以相信项目包含这类能力线索;是否适合你的具体任务仍要试用或安装后验证。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md` Claim:`clm_0002` supported 0.86\n- **存在 Quick Start / 安装命令线索**(supported):可以相信项目文档出现过启动或安装入口;不要因此直接在主力环境运行。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md` Claim:`clm_0005` supported 0.86\n\n### 现在还不能相信\n\n- **工具权限边界不能在安装前相信。**(unverified):MCP/tool 类项目通常会触碰文件、网络、浏览器或外部 API,必须真实检查权限和日志。\n- **真实输出质量不能在安装前相信。**(unverified):Prompt Preview 只能展示引导方式,不能证明真实项目中的结果质量。\n- **宿主 AI 版本兼容性不能在安装前相信。**(unverified):Claude、Cursor、Codex、Gemini 等宿主加载规则和版本差异必须在真实环境验证。\n- **不会污染现有宿主 AI 行为,不能直接相信。**(inferred):Skill、plugin、AGENTS/CLAUDE/GEMINI 指令可能改变宿主 AI 的默认行为。 证据:`AGENTS.md`, `CLAUDE.md`, `skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md` 等\n- **可安全回滚不能默认相信。**(unverified):除非项目明确提供卸载和恢复说明,否则必须先在隔离环境验证。\n- **真实安装后是否与用户当前宿主 AI 版本兼容?**(unverified):兼容性只能通过实际宿主环境验证。\n- **项目输出质量是否满足用户具体任务?**(unverified):安装前预览只能展示流程和边界,不能替代真实评测。\n- **安装命令是否需要网络、权限或全局写入?**(unverified):这影响企业环境和个人环境的安装风险。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`\n\n### 继续会触碰什么\n\n- **命令执行**:包管理器、网络下载、本地插件目录、项目配置或用户主目录。 原因:运行第一条命令就可能产生环境改动;必须先判断是否值得跑。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md`\n- **宿主 AI 配置**:Claude/Codex/Cursor/Gemini/OpenCode 等宿主的 plugin、Skill 或规则加载配置。 原因:宿主配置会改变 AI 后续工作方式,可能和用户已有规则冲突。 证据:`AGENTS.md`, `CLAUDE.md`, `skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md` 等\n- **本地环境或项目文件**:安装结果、插件缓存、项目配置或本地依赖目录。 原因:安装前无法证明写入范围和回滚方式,需要隔离验证。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md`\n- **宿主 AI 上下文**:AI Context Pack、Prompt Preview、Skill 路由、风险规则和项目事实。 原因:导入上下文会影响宿主 AI 后续判断,必须避免把未验证项包装成事实。\n\n### 最小安全下一步\n\n- **先跑 Prompt Preview**:用安装前交互式试用判断工作方式是否匹配,不需要授权或改环境。(适用:任何项目都适用,尤其是输出质量未知时。)\n- **只在隔离目录或测试账号试装**:避免安装命令污染主力宿主 AI、真实项目或用户主目录。(适用:存在命令执行、插件配置或本地写入线索时。)\n- **先备份宿主 AI 配置**:Skill、plugin、规则文件可能改变 Claude/Cursor/Codex 的默认行为。(适用:存在插件 manifest、Skill 或宿主规则入口时。)\n- **安装后只验证一个最小任务**:先验证加载、兼容、输出质量和回滚,再决定是否深用。(适用:准备从试用进入真实工作流时。)\n\n### 退出方式\n\n- **保留安装前状态**:记录原始宿主配置和项目状态,后续才能判断是否可恢复。\n- **准备移除宿主 plugin / Skill / 规则入口**:如果试装后行为异常,可以把宿主 AI 恢复到试装前状态。\n- **记录安装命令和写入路径**:没有明确卸载说明时,至少要知道哪些目录或配置需要手动清理。\n- **如果没有回滚路径,不进入主力环境**:不可回滚是继续前阻断项,不应靠信任或运气继续。\n\n## 哪些只能预览\n\n- 解释项目适合谁和能做什么\n- 基于项目文档演示典型对话流程\n- 帮助用户判断是否值得安装或继续研究\n\n## 哪些必须安装后验证\n\n- 真实安装 Skill、插件或 CLI\n- 执行脚本、修改本地文件或访问外部服务\n- 验证真实输出质量、性能和兼容性\n\n## 边界与风险判断卡\n\n- **把安装前预览误认为真实运行**:用户可能高估项目已经完成的配置、权限和兼容性验证。 处理方式:明确区分 prompt_preview_can_do 与 runtime_required。 Claim:`clm_0017` inferred 0.45\n- **命令执行会修改本地环境**:安装命令可能写入用户主目录、宿主插件目录或项目配置。 处理方式:先在隔离环境或测试账号中运行。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md` Claim:`clm_0018` supported 0.86\n- **待确认**:真实安装后是否与用户当前宿主 AI 版本兼容?。原因:兼容性只能通过实际宿主环境验证。\n- **待确认**:项目输出质量是否满足用户具体任务?。原因:安装前预览只能展示流程和边界,不能替代真实评测。\n- **待确认**:安装命令是否需要网络、权限或全局写入?。原因:这影响企业环境和个人环境的安装风险。\n\n## 开工前工作上下文\n\n### 加载顺序\n\n- 先读取 how_to_use.host_ai_instruction,建立安装前判断资产的边界。\n- 读取 claim_graph_summary,确认事实来自 Claim/Evidence Graph,而不是 Human Wiki 叙事。\n- 再读取 intended_users、capabilities 和 quick_start_candidates,判断用户是否匹配。\n- 需要执行具体任务时,优先查 role_skill_index,再查 evidence_index。\n- 遇到真实安装、文件修改、网络访问、性能或兼容性问题时,转入 risk_card 和 boundaries.runtime_required。\n\n### 任务路由\n\n- **AI Skill / Agent 指令资产库**:先基于 role_skill_index / evidence_index 帮用户挑选可用角色、Skill 或工作流。 边界:可做安装前 Prompt 体验。 证据:`skills/add-app-tool/SKILL.md`, `skills/add-export/SKILL.md`, `skills/add-prompt/SKILL.md`, `skills/add-provider/SKILL.md` 等 Claim:`clm_0001` supported 0.86\n- **命令行启动或安装流程**:先说明这是安装后验证能力,再给出安装前检查清单。 边界:必须真实安装或运行后验证。 证据:`docs/mcp-specification/2025-11-25/extensions/apps-build.md`, `docs/mcp-specification/2025-11-25/extensions/auth-oauth-client-credentials.md`, `skills/field-test/SKILL.md`, `skills/polish-docs-meta/references/readme.md` Claim:`clm_0002` supported 0.86\n\n### 上下文规模\n\n- 文件总数:636\n- 重要文件覆盖:40/636\n- 证据索引条目:80\n- 角色 / Skill 条目:30\n\n### 证据不足时的处理\n\n- **missing_evidence**:说明证据不足,要求用户提供目标文件、README 段落或安装后验证记录;不要补全事实。\n- **out_of_scope_request**:说明该任务超出当前 AI Context Pack 证据范围,并建议用户先查看 Human Manual 或真实安装后验证。\n- **runtime_request**:给出安装前检查清单和命令来源,但不要替用户执行命令或声称已执行。\n- **source_conflict**:同时展示冲突来源,标记为待核实,不要强行选择一个版本。\n\n## Prompt Recipes\n\n### 适配判断\n\n- 目标:判断这个项目是否适合用户当前任务。\n- 预期输出:适配结论、关键理由、证据引用、安装前可预览内容、必须安装后验证内容、下一步建议。\n\n```text\n请基于 @cyanheads/mcp-ts-core 的 AI Context Pack,先问我 3 个必要问题,然后判断它是否适合我的任务。回答必须包含:适合谁、能做什么、不能做什么、是否值得安装、证据来自哪里。所有项目事实必须引用 evidence_refs、source_paths 或 claim_id。\n```\n\n### 安装前体验\n\n- 目标:让用户在安装前感受核心工作流,同时避免把预览包装成真实能力或营销承诺。\n- 预期输出:一段带边界标签的体验剧本、安装后验证清单和谨慎建议;不含真实运行承诺或强营销表述。\n\n```text\n请把 @cyanheads/mcp-ts-core 当作安装前体验资产,而不是已安装工具或真实运行环境。\n\n请严格输出四段:\n1. 先问我 3 个必要问题。\n2. 给出一段“体验剧本”:用 [安装前可预览]、[必须安装后验证]、[证据不足] 三种标签展示它可能如何引导工作流。\n3. 给出安装后验证清单:列出哪些能力只有真实安装、真实宿主加载、真实项目运行后才能确认。\n4. 给出谨慎建议:只能说“值得继续研究/试装”“先补充信息后再判断”或“不建议继续”,不得替项目背书。\n\n硬性边界:\n- 不要声称已经安装、运行、执行测试、修改文件或产生真实结果。\n- 不要写“自动适配”“确保通过”“完美适配”“强烈建议安装”等承诺性表达。\n- 如果描述安装后的工作方式,必须使用“如果安装成功且宿主正确加载 Skill,它可能会……”这种条件句。\n- 体验剧本只能写成“示例台词/假设流程”:使用“可能会询问/可能会建议/可能会展示”,不要写“已写入、已生成、已通过、正在运行、正在生成”。\n- Prompt Preview 不负责给安装命令;如用户准备试装,只能提示先阅读 Quick Start 和 Risk Card,并在隔离环境验证。\n- 所有项目事实必须来自 supported claim、evidence_refs 或 source_paths;inferred/unverified 只能作风险或待确认项。\n\n```\n\n### 角色 / Skill 选择\n\n- 目标:从项目里的角色或 Skill 中挑选最匹配的资产。\n- 预期输出:候选角色或 Skill 列表,每项包含适用场景、证据路径、风险边界和是否需要安装后验证。\n\n```text\n请读取 role_skill_index,根据我的目标任务推荐 3-5 个最相关的角色或 Skill。每个推荐都要说明适用场景、可能输出、风险边界和 evidence_refs。\n```\n\n### 风险预检\n\n- 目标:安装或引入前识别环境、权限、规则冲突和质量风险。\n- 预期输出:环境、权限、依赖、许可、宿主冲突、质量风险和未知项的检查清单。\n\n```text\n请基于 risk_card、boundaries 和 quick_start_candidates,给我一份安装前风险预检清单。不要替我执行命令,只说明我应该检查什么、为什么检查、失败会有什么影响。\n```\n\n### 宿主 AI 开工指令\n\n- 目标:把项目上下文转成一次对话开始前的宿主 AI 指令。\n- 预期输出:一段边界明确、证据引用明确、适合复制给宿主 AI 的开工前指令。\n\n```text\n请基于 @cyanheads/mcp-ts-core 的 AI Context Pack,生成一段我可以粘贴给宿主 AI 的开工前指令。这段指令必须遵守 not_runtime=true,不能声称项目已经安装、运行或产生真实结果。\n```\n\n\n## 角色 / Skill 索引\n\n- 共索引 30 个角色 / Skill / 项目文档条目。\n\n- **add-app-tool**(skill): 激活提示:当用户任务与“add-app-tool”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-app-tool/SKILL.md`\n- **add-export**(skill): 激活提示:当用户任务与“add-export”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-export/SKILL.md`\n- **add-prompt**(skill): 激活提示:当用户任务与“add-prompt”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-prompt/SKILL.md`\n- **add-provider**(skill): 激活提示:当用户任务与“add-provider”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-provider/SKILL.md`\n- **add-resource**(skill): 激活提示:当用户任务与“add-resource”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-resource/SKILL.md`\n- **add-service**(skill): 激活提示:当用户任务与“add-service”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-service/SKILL.md`\n- **add-test**(skill): 激活提示:当用户任务与“add-test”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-test/SKILL.md`\n- **add-tool**(skill): 激活提示:当用户任务与“add-tool”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/add-tool/SKILL.md`\n- **api-auth**(skill): 激活提示:当用户任务与“api-auth”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-auth/SKILL.md`\n- **api-canvas**(skill): 激活提示:当用户任务与“api-canvas”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-canvas/SKILL.md`\n- **api-config**(skill): 激活提示:当用户任务与“api-config”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-config/SKILL.md`\n- **api-context**(skill): 激活提示:当用户任务与“api-context”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-context/SKILL.md`\n- **api-errors**(skill): 激活提示:当用户任务与“api-errors”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-errors/SKILL.md`\n- **api-linter**(skill): 激活提示:当用户任务与“api-linter”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-linter/SKILL.md`\n- **api-services**(skill): 激活提示:当用户任务与“api-services”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-services/SKILL.md`\n- **api-telemetry**(skill): 激活提示:当用户任务与“api-telemetry”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-telemetry/SKILL.md`\n- **api-testing**(skill): 激活提示:当用户任务与“api-testing”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-testing/SKILL.md`\n- **api-utils**(skill): 激活提示:当用户任务与“api-utils”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-utils/SKILL.md`\n- **api-workers**(skill): 激活提示:当用户任务与“api-workers”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/api-workers/SKILL.md`\n- **design-mcp-server**(skill): 激活提示:当用户任务与“design-mcp-server”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/design-mcp-server/SKILL.md`\n- **field-test**(skill): 激活提示:当用户任务与“field-test”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/field-test/SKILL.md`\n- **maintenance**(skill): 激活提示:当用户任务与“maintenance”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/maintenance/SKILL.md`\n- **migrate-mcp-ts-template**(skill): 激活提示:当用户任务与“migrate-mcp-ts-template”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/migrate-mcp-ts-template/SKILL.md`\n- **polish-docs-meta**(skill): 激活提示:当用户任务与“polish-docs-meta”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/polish-docs-meta/SKILL.md`\n- **release-and-publish**(skill): 激活提示:当用户任务与“release-and-publish”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/release-and-publish/SKILL.md`\n- **report-issue-framework**(skill): 激活提示:当用户任务与“report-issue-framework”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/report-issue-framework/SKILL.md`\n- **report-issue-local**(skill): 激活提示:当用户任务与“report-issue-local”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/report-issue-local/SKILL.md`\n- **security-pass**(skill): 激活提示:当用户任务与“security-pass”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/security-pass/SKILL.md`\n- **setup**(skill): 激活提示:当用户任务与“setup”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/setup/SKILL.md`\n- **tool-defs-analysis**(skill): 激活提示:当用户任务与“tool-defs-analysis”描述的流程高度相关时,先用它做安装前体验,再决定是否安装。 证据:`skills/tool-defs-analysis/SKILL.md`\n\n## 证据索引\n\n- 共索引 80 条证据。\n\n- **Developer Protocol**(documentation):Package: @cyanheads/mcp-ts-core Version: 0.9.1 Engines: Bun ≥1.3.0, Node ≥24.0.0 MCP SDK: @modelcontextprotocol/sdk ^1.29.0 Zod: ^4.4.3 GitHub: cyanheads/mcp-ts-core https://github.com/cyanheads/mcp-ts-core npm: @cyanheads/mcp-ts-core https://www.npmjs.com/package/@cyanheads/mcp-ts-core Docker: ghcr.io/cyanheads/mcp-ts-core https://ghcr.io/cyanheads/mcp-ts-core 证据:`AGENTS.md`\n- **Developer Protocol**(documentation):Package: @cyanheads/mcp-ts-core Version: 0.9.1 Engines: Bun ≥1.3.0, Node ≥24.0.0 MCP SDK: @modelcontextprotocol/sdk ^1.29.0 Zod: ^4.4.3 GitHub: cyanheads/mcp-ts-core https://github.com/cyanheads/mcp-ts-core npm: @cyanheads/mcp-ts-core https://www.npmjs.com/package/@cyanheads/mcp-ts-core Docker: ghcr.io/cyanheads/mcp-ts-core https://ghcr.io/cyanheads/mcp-ts-core 证据:`CLAUDE.md`\n- **What is this?**(documentation):@cyanheads/mcp-ts-core Agent-native TypeScript framework for building MCP servers. Build tools, not infrastructure. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers. 证据:`README.md`\n- **Skills**(documentation):Agent Skills for @cyanheads/mcp-ts-core . Each subdirectory contains a SKILL.md following the Agent Skills specification https://agentskills.io/specification . 证据:`skills/README.md`\n- **Developer Protocol**(documentation):Server: {{PACKAGE NAME}} Version: 0.1.0 Framework: @cyanheads/mcp-ts-core https://www.npmjs.com/package/@cyanheads/mcp-ts-core ^{{FRAMEWORK VERSION}} Engines: Bun ≥1.3.0, Node ≥24.0.0 MCP SDK: @modelcontextprotocol/sdk {{MCP SDK VERSION}} Zod: {{ZOD VERSION}} 证据:`templates/AGENTS.md`\n- **Developer Protocol**(documentation):Server: {{PACKAGE NAME}} Version: 0.1.0 Framework: @cyanheads/mcp-ts-core https://www.npmjs.com/package/@cyanheads/mcp-ts-core ^{{FRAMEWORK VERSION}} Engines: Bun ≥1.3.0, Node ≥24.0.0 MCP SDK: @modelcontextprotocol/sdk {{MCP SDK VERSION}} Zod: {{ZOD VERSION}} 证据:`templates/CLAUDE.md`\n- **README.md Conventions for MCP Servers**(documentation):README.md Conventions for MCP Servers 证据:`skills/polish-docs-meta/references/readme.md`\n- **Package**(package_manifest):{ \"name\": \"@cyanheads/mcp-ts-core\", \"version\": \"0.9.1\", \"mcpName\": \"io.github.cyanheads/mcp-ts-core\", \"description\": \"Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.\", \"main\": \"dist/core/index.js\", \"types\": \"dist/core/index.d.ts\", \"files\": \"changelog/\", \"dist/\", \"scripts/build-changelog.ts\", \"scripts/build.ts\", \"scripts/check-docs-sync.ts\", \"scripts/check-framework-antipatterns.ts\", \"scripts/check-skills-sync.ts\", \"scripts/clean.ts\", \"scripts/devcheck.ts\", \"scripts/lint-mcp.ts\", \"scripts/split-changelog.ts\", \"scripts/tree.ts\", \"skills/\", \"templates/\",… 证据:`package.json`\n- **Package**(package_manifest):{ \"name\": \"{{PACKAGE NAME}}\", \"version\": \"0.1.0\", \"description\": \"\", \"type\": \"module\", \"main\": \"dist/index.js\", \"types\": \"dist/index.d.ts\", \"bin\": { \"{{PACKAGE NAME}}\": \"dist/index.js\" }, \"files\": \"changelog/\", \"dist/\", \"README.md\", \"LICENSE\", \"CLAUDE.md\", \"AGENTS.md\", \"Dockerfile\", \"server.json\" , \"scripts\": { \"build\": \"tsx scripts/build.ts\", \"rebuild\": \"tsx scripts/clean.ts && tsx scripts/build.ts\", \"clean\": \"tsx scripts/clean.ts\", \"devcheck\": \"tsx scripts/devcheck.ts\", \"tree\": \"tsx scripts/tree.ts\", \"format\": \"biome check --write --unsafe .\", \"lint:mcp\": \"tsx scripts/lint-mcp.ts\", \"changelog:build\": \"tsx scripts/build-changelog.ts\", \"changelog:check\": \"tsx scripts/build-changelog.ts --ch… 证据:`templates/package.json`\n- **When to Use**(skill_instruction):App tools are rarely the right choice . Reach for one only when all of the following hold: 证据:`skills/add-app-tool/SKILL.md`\n- **Context**(skill_instruction):Subpath exports are defined in package.json under the exports field. Each subpath maps to a source entry point that gets compiled to dist/ . The exports catalog in CLAUDE.md must stay in sync with package.json . 证据:`skills/add-export/SKILL.md`\n- **Context**(skill_instruction):Prompts use the prompt builder from @cyanheads/mcp-ts-core . Each prompt lives in src/mcp-server/prompts/definitions/ with a .prompt.ts suffix and is registered into createApp in src/index.ts . Some repos later add definitions/index.ts barrels; match the project's current pattern. 证据:`skills/add-prompt/SKILL.md`\n- **Context**(skill_instruction):Providers implement interfaces defined in core. They are selected at runtime via config e.g., STORAGE PROVIDER TYPE . Tier 3 providers lazy-load their dependencies to keep the core bundle small. 证据:`skills/add-provider/SKILL.md`\n- **Context**(skill_instruction):Resources use the resource builder from @cyanheads/mcp-ts-core . Each resource lives in src/mcp-server/resources/definitions/ with a .resource.ts suffix and is registered into createApp in src/index.ts . Some repos later add definitions/index.ts barrels; follow the pattern already used by the project. 证据:`skills/add-resource/SKILL.md`\n- **Context**(skill_instruction):Services use the init/accessor pattern: initialized once in createApp 's setup callback, then accessed at request time via a lazy getter. Each service lives in src/services/ domain / with an init function and accessor. 证据:`skills/add-service/SKILL.md`\n- **Context**(skill_instruction):Tests use Vitest and createMockContext from @cyanheads/mcp-ts-core/testing . If the repo already has tests, match the existing layout. If the repo has no existing tests, create a root tests/ directory that mirrors the src/ structure e.g. tests/mcp-server/tools/definitions/echo.tool.test.ts for src/mcp-server/tools/definitions/echo.tool.ts . 证据:`skills/add-test/SKILL.md`\n- **Context**(skill_instruction):Tools use the tool builder from @cyanheads/mcp-ts-core . Each tool lives in src/mcp-server/tools/definitions/ with a .tool.ts suffix and is registered into createApp in src/index.ts . Some larger repos later add definitions/index.ts barrels; match the pattern already used by the project you're editing. 证据:`skills/add-tool/SKILL.md`\n- **Overview**(skill_instruction):The framework handles auth at the handler factory level — tools and resources declare required scopes declaratively, and the framework enforces them before calling the handler. No try/catch or manual scope checking required for the common case. 证据:`skills/api-auth/SKILL.md`\n- **Overview**(skill_instruction):DataCanvas is a primitive for storage stashes, canvas computes . The existing IStorageProvider is a key/value abstraction — it can stash blobs but exposes no analytical surface. DataCanvas is the analytical surface: register tabular data from upstream APIs, run SQL across multiple registered tables, and export results as CSV/Parquet/JSON. 证据:`skills/api-canvas/SKILL.md`\n- **Overview**(skill_instruction):Configuration has two layers: core config managed by the framework, env-driven and server config your own Zod schema for domain-specific env vars . Never merge them. 证据:`skills/api-config/SKILL.md`\n- **Overview**(skill_instruction):Every tool and resource handler receives a single Context ctx argument. It provides request identity, structured logging, tenant-scoped storage, optional protocol capabilities elicitation, sampling , cancellation, and task progress — all auto-correlated to the current request. 证据:`skills/api-context/SKILL.md`\n- **Overview**(skill_instruction):Error handling in @cyanheads/mcp-ts-core follows a strict layered pattern: tool and resource handlers throw McpError freely no try/catch , the handler factory catches and normalizes all errors, and services use ErrorHandler.tryCatch for graceful recovery. 证据:`skills/api-errors/SKILL.md`\n- **Overview**(skill_instruction):The linter validates tool, resource, and prompt definitions against the MCP spec and framework conventions. It runs in three places: 证据:`skills/api-linter/SKILL.md`\n- **Overview**(skill_instruction):Service interfaces are deferred from core's public exports — they remain in downstream servers until shared by 2+ servers. These are documented here for core contributors and servers that use the built-in providers. 证据:`skills/api-services/SKILL.md`\n- **Overview**(skill_instruction):The framework auto-instruments every tool, resource, prompt, storage, LLM, speech, and graph call — each gets its own span and the standard counters/histograms. HTTP server requests pick up spans from HttpInstrumentation or @hono/otel on the HTTP transport . Auth checks, session lifecycle, and task lifecycle are tracked as metrics only — auth decorates the active HTTP span with attributes, sessions and tasks emit counters. 证据:`skills/api-telemetry/SKILL.md`\n- **Overview**(skill_instruction):Tests target handler behavior directly — call handler input, ctx , assert on the return value or thrown error. The framework's handler factory try/catch, formatting, telemetry is not involved. Use createMockContext from @cyanheads/mcp-ts-core/testing to construct the ctx argument. 证据:`skills/api-testing/SKILL.md`\n- **Overview**(skill_instruction):Utility exports from @cyanheads/mcp-ts-core/utils . Utilities with complex APIs have dedicated reference files; simpler utilities are documented inline below. 证据:`skills/api-utils/SKILL.md`\n- **Overview**(skill_instruction):@cyanheads/mcp-ts-core/worker exports createWorkerHandler — the Workers entry point. It wraps tool/resource/prompt registries into a per-request McpServer factory that integrates with the Cloudflare Workers runtime. 证据:`skills/api-workers/SKILL.md`\n- **When to Use**(skill_instruction):- User says \"I want to build a MCP server\" - User has an API, database, or system they want to expose to LLMs - User wants to plan tools before scaffolding - Existing server needs a new capability area design the addition, not just a single tool 证据:`skills/design-mcp-server/SKILL.md`\n- **Context**(skill_instruction):Unit tests add-test skill verify handler logic with mocked context. Field testing exercises the real HTTP transport with real JSON-RPC: starts the server, calls initialize , surfaces the catalog, runs inputs, and checks what a client actually sees. It catches what unit tests miss — awkward input shapes, unhelpful errors, missing format output, drift between structuredContent and content , edge-case surprises. 证据:`skills/field-test/SKILL.md`\n- **When to Use**(skill_instruction):- After running bun update --latest yourself and wanting to review the impact Mode B — typical - To run the whole flow end-to-end — outdated check → update → investigate → adopt → verify Mode A - Periodically, to check for skill drift from the package 证据:`skills/maintenance/SKILL.md`\n- **Context**(skill_instruction):Before @cyanheads/mcp-ts-core was published as a package, users built servers by forking/cloning the mcp-ts-template repo. Those forks carry the full framework source code in their src/ and use @/ path aliases to import framework internals alongside their own server code. 证据:`skills/migrate-mcp-ts-template/SKILL.md`\n- **When to Use**(skill_instruction):- Server implementation is functionally complete tools, resources, prompts, services all working - bun run devcheck passes, tests pass - You're preparing for first commit, first release, or making the repo public - User says \"polish\", \"polish docs\", \"finalize\", \"make it ship-ready\", \"clean up docs\", or similar - Re-running after adding/removing tools, resources, or other surface area changes 证据:`skills/polish-docs-meta/SKILL.md`\n- **Preconditions**(skill_instruction):This skill runs after git wrapup. By the time it's invoked: 证据:`skills/release-and-publish/SKILL.md`\n- **When to Use**(skill_instruction):You've isolated a problem to @cyanheads/mcp-ts-core itself — not your server code, not a misconfiguration, not a missing peer dependency. Typical triggers: 证据:`skills/report-issue-framework/SKILL.md`\n- **When to Use**(skill_instruction):The bug is in this server's code, not in @cyanheads/mcp-ts-core . Typical triggers: 证据:`skills/report-issue-local/SKILL.md`\n- **Context**(skill_instruction):An MCP server is a new attack surface with unique properties — tool output feeds back into the LLM's context, scopes gate what the model can do on the user's behalf, and per-request state must stay tenant-scoped. This skill walks a server through eight axes shaped around what the server builder actually controls. Framework-level concerns transport, JSON-RPC parsing, auto-correlation, error classification are out of scope — mcp-ts-core handles those. 证据:`skills/security-pass/SKILL.md`\n- **Context**(skill_instruction):This skill assumes bunx @cyanheads/mcp-ts-core init name has already run. The CLI created the project's CLAUDE.md and AGENTS.md for different agents, copied external skills to skills/ , and scaffolded the directory structure with echo definitions as starting points. This skill covers what was created and what to do next. 证据:`skills/setup/SKILL.md`\n- **Context**(skill_instruction):Every string in a tool/resource/prompt definition is part of an LLM-facing API contract. The model reads the description, every parameter .describe , the output schema, the recovery hints — and decides what to call and how. Definition language drifts: an internal mapping leaks into a parameter doc during a fix, a self-referential output description survives a refactor, a default that suited the developer at scaffold time stays after the typical call shape changes. 证据:`skills/tool-defs-analysis/SKILL.md`\n- **License**(source_file):Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ 证据:`LICENSE`\n- **mcp-ts-core - Directory Structure**(documentation):Note: This tree excludes files and directories matched by .gitignore and default patterns. 证据:`docs/tree.md`\n- **Security Best Practices**(documentation):This document provides security considerations for the Model Context Protocol MCP , complementing the MCP Authorization specification. This document identifies security risks, attack vectors, and best practices specific to MCP implementations. 证据:`docs/mcp-specification/2025-06-18/best-practices/security.md`\n- **Authorization**(documentation):The Model Context Protocol provides authorization capabilities at the transport level, enabling MCP clients to make requests to restricted MCP servers on behalf of resource owners. This specification defines the authorization flow for HTTP-based transports. 证据:`docs/mcp-specification/2025-06-18/core/authorization.md`\n- **Lifecycle**(documentation):The Model Context Protocol MCP defines a rigorous lifecycle for client-server connections that ensures proper capability negotiation and state management. 证据:`docs/mcp-specification/2025-06-18/core/lifecycle.md`\n- **Overview**(documentation):The Model Context Protocol consists of several key components that work together: 证据:`docs/mcp-specification/2025-06-18/core/overview.md`\n- **Transports**(documentation):MCP uses JSON-RPC to encode messages. JSON-RPC messages MUST be UTF-8 encoded. 证据:`docs/mcp-specification/2025-06-18/core/transports.md`\n- **Cancellation**(documentation):The Model Context Protocol MCP supports optional cancellation of in-progress requests through notification messages. Either side can send a cancellation notification to indicate that a previously-issued request should be terminated. 证据:`docs/mcp-specification/2025-06-18/utils/cancellation.md`\n- **Completion**(documentation):The Model Context Protocol MCP provides a standardized way for servers to offer argument autocompletion suggestions for prompts and resource URIs. This enables rich, IDE-like experiences where users receive contextual suggestions while entering argument values. 证据:`docs/mcp-specification/2025-06-18/utils/completion.md`\n- **Logging**(documentation):The Model Context Protocol MCP provides a standardized way for servers to send structured log messages to clients. Clients can control logging verbosity by setting minimum log levels, with servers sending notifications containing severity levels, optional logger names, and arbitrary JSON-serializable data. 证据:`docs/mcp-specification/2025-06-18/utils/logging.md`\n- **Pagination**(documentation):The Model Context Protocol MCP supports paginating list operations that may return large result sets. Pagination allows servers to yield results in smaller chunks rather than all at once. 证据:`docs/mcp-specification/2025-06-18/utils/pagination.md`\n- **Ping**(documentation):The Model Context Protocol includes an optional ping mechanism that allows either party to verify that their counterpart is still responsive and the connection is alive. 证据:`docs/mcp-specification/2025-06-18/utils/ping.md`\n- **Progress**(documentation):The Model Context Protocol MCP supports optional progress tracking for long-running operations through notification messages. Either side can send progress notifications to provide updates about operation status. 证据:`docs/mcp-specification/2025-06-18/utils/progress.md`\n- **Core Components**(documentation):Title: Architecture - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/architecture.md`\n- **User Interaction Model**(documentation):Title: Elicitation - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/client/elicitation.md`\n- **Roots - Model Context Protocol**(documentation):Title: Roots - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/client/roots.md`\n- **Sampling - Model Context Protocol**(documentation):Title: Sampling - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/client/sampling.md`\n- **Authorization - Model Context Protocol**(documentation):Title: Authorization - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/core/authorization.md`\n- **Lifecycle - Model Context Protocol**(documentation):Title: Lifecycle - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/core/lifecycle.md`\n- **Overview - Model Context Protocol**(documentation):Title: Overview - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/core/overview.md`\n- **Transports - Model Context Protocol**(documentation):Title: Transports - Model Context Protocol 证据:`docs/mcp-specification/2025-11-25/core/transports.md`\n- 其余 20 条证据见 `AI_CONTEXT_PACK.json` 或 `EVIDENCE_INDEX.json`。\n\n## 宿主 AI 必须遵守的规则\n\n- **把本资产当作开工前上下文,而不是运行环境。**:AI Context Pack 只包含证据化项目理解,不包含目标项目的可执行状态。 证据:`AGENTS.md`, `CLAUDE.md`, `README.md`\n- **回答用户时区分可预览内容与必须安装后才能验证的内容。**:安装前体验的消费者价值来自降低误装和误判,而不是伪装成真实运行。 证据:`AGENTS.md`, `CLAUDE.md`, `README.md`\n\n## 用户开工前应该回答的问题\n\n- 你准备在哪个宿主 AI 或本地环境中使用它?\n- 你只是想先体验工作流,还是准备真实安装?\n- 你最在意的是安装成本、输出质量、还是和现有规则的冲突?\n\n## 验收标准\n\n- 所有能力声明都能回指到 evidence_refs 中的文件路径。\n- AI_CONTEXT_PACK.md 没有把预览包装成真实运行。\n- 用户能在 3 分钟内看懂适合谁、能做什么、如何开始和风险边界。\n\n---\n\n## Doramagic Context Augmentation\n\nThe following material strengthens the Repomix/AI Context Pack body. Human Manual is only a reading skeleton; pitfall logs become hard operating constraints for the host AI.\n\n## Human Manual Skeleton\n\nUsage rule: this is only a reading path and salience signal, not factual authority. Concrete facts must still come from repo evidence / Claim Graph.\n\nHard rules for the host AI:\n- Do not treat page titles, order, summaries, or importance as project facts.\n- When explaining the Human Manual skeleton, state that it is only a reading path / salience signal.\n- Capability, installation, compatibility, runtime status, and risk judgments must cite repo evidence, source paths, or Claim Graph.\n\n- **Repository Overview**:importance `high`\n - source_paths: Dockerfile, README.md, package.json, skills/README.md, templates/Dockerfile\n- **Entrypoints and Runtime Surface**:importance `high`\n - source_paths: Dockerfile, README.md, package.json, skills/README.md, templates/Dockerfile\n- **Architecture Evidence Map**:importance `high`\n - source_paths: Dockerfile, README.md, package.json, skills/README.md, templates/Dockerfile\n- **Operations and Verification Boundaries**:importance `high`\n - source_paths: Dockerfile, README.md, package.json, skills/README.md, templates/Dockerfile\n\n## Repo Inspection Evidence\n\n- repo_clone_verified: true\n- repo_inspection_verified: true\n- repo_commit: `aead657d6c1f1569e39325f6d4622e61c09f6e5e`\n- inspected_files: `Dockerfile`, `package.json`, `README.md`, `docs/tree.md`, `docs/telemetry/dashboards.md`, `docs/telemetry/mcp-ts-core-dashboard.json`, `docs/telemetry/observability.md`, `docs/mcp-specification/2025-11-25/architecture.md`, `docs/mcp-specification/2025-11-25/key-changes.md`, `docs/mcp-specification/2025-11-25/specification.md`, `docs/mcp-specification/2025-11-25/schema-reference.md`, `docs/mcp-specification/2025-06-18/utils/pagination.md`, `docs/mcp-specification/2025-06-18/utils/ping.md`, `docs/mcp-specification/2025-06-18/utils/logging.md`, `docs/mcp-specification/2025-06-18/utils/progress.md`, `docs/mcp-specification/2025-06-18/utils/completion.md`, `docs/mcp-specification/2025-06-18/utils/cancellation.md`, `docs/mcp-specification/2025-06-18/core/authorization.md`, `docs/mcp-specification/2025-06-18/core/overview.md`, `docs/mcp-specification/2025-06-18/core/transports.md`\n\nHard rules for the host AI:\n- Without repo_clone_verified=true, do not claim the source code has been read.\n- Without repo_inspection_verified=true, do not turn README/docs/package observations into facts.\n- Without quick_start_verified=true, do not claim the Quick Start has been successfully run.\n\n## Doramagic Pitfall Constraints\n\nThese rules come from Doramagic discovery, validation, or compilation pitfalls. The host AI must treat them as operating constraints, not general background notes.\n\n### Constraint 1: 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n\n- Trigger: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n- Host AI rule: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Why it matters: 可能增加新用户试用和生产接入成本。\n- Evidence: community_evidence:github | cevd_b652b8d6139f43c1bcf51562afed3525 | https://github.com/cyanheads/mcp-ts-core/issues/50 | 来源讨论提到 docker 相关条件,需在安装/试用前复核。\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 2: 来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n- Trigger: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- Host AI rule: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Why it matters: 可能增加新用户试用和生产接入成本。\n- Evidence: community_evidence:github | cevd_3d3b719431cb499f914e169e6dce21b2 | https://github.com/cyanheads/mcp-ts-core/issues/135 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 3: 来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n\n- Trigger: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n- Host AI rule: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Why it matters: 可能阻塞安装或首次运行。\n- Evidence: community_evidence:github | cevd_ed2fba370b864c57980fcc78c30fa336 | https://github.com/cyanheads/mcp-ts-core/issues/66 | 来源类型 github_issue 暴露的待验证使用条件。\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 4: 失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n- Trigger: Developers should check this security_permissions risk before relying on the project: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.\n- Why it matters: Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Evidence: failure_mode_cluster:github_issue | fmev_79b989da05ab81a148513987aa506d71 | https://github.com/cyanheads/mcp-ts-core/issues/139 | feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 5: 失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers\n\n- Trigger: Developers should check this installation risk before relying on the project: feat(templates): MCPB bundle packaging for scaffolded servers\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos\n- Why it matters: Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers\n- Evidence: failure_mode_cluster:github_issue | fmev_22c10ce8863043b0adf9a54a6f51d108 | https://github.com/cyanheads/mcp-ts-core/issues/137 | feat(templates): MCPB bundle packaging for scaffolded servers\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 6: 来源证据:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurio…\n\n- Trigger: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- Host AI rule: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Why it matters: 可能增加新用户试用和生产接入成本。\n- Evidence: community_evidence:github | cevd_9f6a4823d56640848bd04ac60d2856af | https://github.com/cyanheads/mcp-ts-core/issues/126 | 来源讨论提到 macos 相关条件,需在安装/试用前复核。\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 7: 失败模式:configuration: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n- Trigger: Developers should check this configuration risk before relying on the project: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini. Context: Source discussion did not expose a precise runtime context.\n- Why it matters: Developers may misconfigure credentials, environment, or host setup: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Evidence: failure_mode_cluster:github_issue | fmev_5c7acd2f18c877d832b1a859cd234468 | https://github.com/cyanheads/mcp-ts-core/issues/136 | Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 8: 失败模式:configuration: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBod...\n\n- Trigger: Developers should check this configuration risk before relying on the project: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter. Context: Source discussion did not expose a precise runtime context.\n- Why it matters: Developers may misconfigure credentials, environment, or host setup: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Evidence: failure_mode_cluster:github_issue | fmev_7d40e777d2ccdbab34bc3b3d1402bd71 | https://github.com/cyanheads/mcp-ts-core/issues/120 | bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 9: 失败模式:configuration: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 rel...\n\n- Trigger: Developers should check this configuration risk before relying on the project: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings. Context: Observed when using node\n- Why it matters: Developers may misconfigure credentials, environment, or host setup: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Evidence: failure_mode_cluster:github_issue | fmev_41ff925fb40ebff8720b5c65f8b20ece | https://github.com/cyanheads/mcp-ts-core/issues/124 | bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n\n### Constraint 10: 失败模式:configuration: changelog: raise summary cap from 250 → 350 chars\n\n- Trigger: Developers should check this configuration risk before relying on the project: changelog: raise summary cap from 250 → 350 chars\n- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: changelog: raise summary cap from 250 → 350 chars. Context: Source discussion did not expose a precise runtime context.\n- Why it matters: Developers may misconfigure credentials, environment, or host setup: changelog: raise summary cap from 250 → 350 chars\n- Evidence: failure_mode_cluster:github_issue | fmev_5d2f31e619abdbc2e753d5c67819c1a8 | https://github.com/cyanheads/mcp-ts-core/issues/129 | changelog: raise summary cap from 250 → 350 chars\n- Hard boundary: do not present this pitfall as solved, verified, or safe to ignore unless later validation evidence explicitly closes it.\n", "summary": "Context and operating boundaries for host AI agents.", "title": "AI Context Pack" }, "boundary_risk_card": { "asset_id": "boundary_risk_card", "filename": "BOUNDARY_RISK_CARD.md", "markdown": "# Boundary & Risk Card\n\nProject: cyanheads/mcp-ts-template\n\n## Doramagic Trial Decision\n\nCurrent decision: it can enter pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and reversible configuration.\n\n## What The User Can Do Now\n\n- Read the Human Manual first to understand the project purpose and main workflows.\n- Use Prompt Preview for pre-install exploration; it validates interaction shape, not real execution.\n- Run official Quick Start commands only inside an isolated environment, not a primary setup.\n\n## Do Not Do Yet\n\n- Do not treat Prompt Preview as a real project execution result.\n- Do not treat metadata-only validation as sandbox installation validation.\n- Do not describe unverified capabilities as supported, working, or safe to install.\n- Do not provide production data, private files, real secrets, or primary host configuration on first trial.\n\n## Pre-Install Checklist\n\n- Host AI match: mcp_host\n- Official installation entry status: official entry point found\n- Isolated temporary directory, temporary host, or container validation: required\n- Configuration rollback path: required\n- API keys, network access, file access, or host configuration changes: treat as high risk until confirmed\n- Installation command, actual output, and failure logs: must be recorded\n\n## Current Blockers\n\n- No blockers.\n\n## Project-Specific Pitfalls\n\n- 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap (high): 可能增加新用户试用和生产接入成本。 Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- 来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model (high): 可能增加新用户试用和生产接入成本。 Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- 来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55) (high): 可能阻塞安装或首次运行。 Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- 失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy (high): Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.\n- 失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers (medium): Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos\n\n## Risk And Permission Notes\n\n- no_demo: medium\n\n## Evidence Gaps\n\n- No structured evidence gaps are currently visible.\n", "summary": "Installation, permission, validation, and pre-recommendation risks.", "title": "Boundary & Risk Card" }, "human_manual": { "asset_id": "human_manual", "filename": "HUMAN_MANUAL.md", "markdown": "# https://github.com/cyanheads/mcp-ts-template Project Manual\n\nGenerated on: 2026-05-22 15:39:59 UTC\n\n## Table of Contents\n\n- [Repository Overview](#overview)\n- [Entrypoints and Runtime Surface](#entrypoints)\n- [Architecture Evidence Map](#architecture)\n- [Operations and Verification Boundaries](#operations)\n\n\n\n## Repository Overview\n\n### Related Pages\n\nRelated topics: [Entrypoints and Runtime Surface](#entrypoints), [Architecture Evidence Map](#architecture), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Repository Overview\n\nThis page is generated from repository evidence because the Human Wiki provider was unavailable. It intentionally limits itself to README and file-tree facts.\n\n## README Evidence\n\n
\n

@cyanheads/mcp-ts-core

\n

Agent-native TypeScript framework for building MCP servers. Build tools, not infrastructure. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.

\n
\n\n
\n\n[![Version](https://img.shields.io/badge/Version-0.9.1-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE)\n\n[![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.0%2B-blueviolet.svg?style=flat-square)](https://bun.sh/)\n\n
\n\n---\n\n## What is this?\n\n`@cyanheads/mcp-ts-core` is the infrastructure layer for TypeScript MCP servers. Install it as a dependency — don't fork it. Your agent collaborates with you to design and build the tools, resources, and prompts for your server.\n\nThe framework handles the plumbing: transports, auth, config, logging, telemetry, & more. Define your domain logic with the builders and let the framework take care of the rest.\n\n```ts\nimport { createApp, tool, z } from '@cyanheads/mcp-ts-core';\n\nconst greet = tool('greet', {\n description: 'Greet someone by name and return a personalized message.',\n annotations: { readOnlyHint: true },\n input: z.object({\n name: z.string().describe('Name of the person to greet'),\n }),\n output: z.object({\n message: z.string().describe('The greeting message'),\n }),\n errors: [\n {\n reason: 'name_blocked',\n code: JsonRpcErrorCode.Forbidden,\n when: 'The provided name is on the configured block list.',\n recovery: 'Use a different name.',\n },\n ],\n handler: async (input, ctx) => {\n if (isBlocked(input.name)) throw ctx.fail('name_blocked', `\"${input.name}\" is blocked`);\n return { message: `Hello, ${input.name}!` };\n },\n});\n\nawait createApp({ tools: [greet] });\n```\n\nThat's a complete MCP server. Every tool cal\n\n[excerpt truncated]\n\n## Selected Source Inventory\n\n- `Dockerfile`\n- `README.md`\n- `package.json`\n- `skills/README.md`\n- `templates/Dockerfile`\n- `templates/package.json`\n- `skills/polish-docs-meta/references/readme.md`\n- `src/index.ts`\n- `src/cli/init.ts`\n- `src/config/index.ts`\n- `src/config/parseEnvConfig.ts`\n- `src/core/app.ts`\n\n| File | Evidence role | Size |\n|---|---|---|\n| `Dockerfile` | repository evidence | 4057 bytes |\n| `README.md` | README/product and usage evidence | 15590 bytes |\n| `package.json` | package/runtime metadata | 11594 bytes |\n| `skills/README.md` | documentation evidence | 2004 bytes |\n| `templates/Dockerfile` | repository evidence | 3517 bytes |\n| `templates/package.json` | package/runtime metadata | 1625 bytes |\n| `skills/polish-docs-meta/references/readme.md` | documentation evidence | 18454 bytes |\n| `src/index.ts` | implementation surface | 270 bytes |\n| `src/cli/init.ts` | implementation surface | 9118 bytes |\n| `src/config/index.ts` | implementation surface | 26418 bytes |\n| `src/config/parseEnvConfig.ts` | implementation surface | 2729 bytes |\n| `src/core/app.ts` | implementation surface | 24448 bytes |\n\nSource: `[README.md:1-120]()`\n\n---\n\n\n\n## Entrypoints and Runtime Surface\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Architecture Evidence Map](#architecture), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Entrypoints and Runtime Surface\n\nThe files below are the highest-signal candidates for how the project is installed, started, configured, or embedded. Treat this as an evidence map, not an inferred API contract.\n\n| File | Evidence role | Size |\n|---|---|---|\n| `Dockerfile` | repository evidence | 4057 bytes |\n| `README.md` | README/product and usage evidence | 15590 bytes |\n| `package.json` | package/runtime metadata | 11594 bytes |\n| `skills/README.md` | documentation evidence | 2004 bytes |\n| `templates/Dockerfile` | repository evidence | 3517 bytes |\n| `templates/package.json` | package/runtime metadata | 1625 bytes |\n| `skills/polish-docs-meta/references/readme.md` | documentation evidence | 18454 bytes |\n| `src/index.ts` | implementation surface | 270 bytes |\n| `src/cli/init.ts` | implementation surface | 9118 bytes |\n| `src/config/index.ts` | implementation surface | 26418 bytes |\n| `src/config/parseEnvConfig.ts` | implementation surface | 2729 bytes |\n| `src/core/app.ts` | implementation surface | 24448 bytes |\n\nSource: `[Dockerfile:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)`\n\n---\n\n\n\n## Architecture Evidence Map\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Entrypoints and Runtime Surface](#entrypoints), [Operations and Verification Boundaries](#operations)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Architecture Evidence Map\n\nThis section maps source paths into likely architectural areas based on repository layout only. Claims that require execution are intentionally not made here.\n\n- `.`: `Dockerfile`, `README.md`, `package.json`\n- `skills`: `skills/README.md`, `skills/polish-docs-meta/references/readme.md`\n- `src`: `src/index.ts`, `src/cli/init.ts`, `src/config/index.ts`, `src/config/parseEnvConfig.ts`, `src/core/app.ts`\n- `templates`: `templates/Dockerfile`, `templates/package.json`\n\nSource: `[README.md:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)`\n\n---\n\n\n\n## Operations and Verification Boundaries\n\n### Related Pages\n\nRelated topics: [Repository Overview](#overview), [Entrypoints and Runtime Surface](#entrypoints), [Architecture Evidence Map](#architecture)\n\n
\nRelevant source files\n\nThe following source files were used to generate this page:\n\n- [Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/Dockerfile)\n- [README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/README.md)\n- [package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)\n- [skills/README.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/README.md)\n- [templates/Dockerfile](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/Dockerfile)\n- [templates/package.json](https://github.com/cyanheads/mcp-ts-template/blob/main/templates/package.json)\n- [skills/polish-docs-meta/references/readme.md](https://github.com/cyanheads/mcp-ts-template/blob/main/skills/polish-docs-meta/references/readme.md)\n- [src/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/index.ts)\n- [src/cli/init.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/cli/init.ts)\n- [src/config/index.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/index.ts)\n- [src/config/parseEnvConfig.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/config/parseEnvConfig.ts)\n- [src/core/app.ts](https://github.com/cyanheads/mcp-ts-template/blob/main/src/core/app.ts)\n
\n\n# Operations and Verification Boundaries\n\nOperational guidance is limited to files that are present in the repository. Before using this project in an agent workflow, verify install, quickstart, and runtime behavior in a sandbox.\n\n- Containerization signal: `Dockerfile`\n- Documentation signal: `README.md`\n- Runtime/package signal: `package.json`\n- Documentation signal: `skills/README.md`\n- Containerization signal: `templates/Dockerfile`\n- Runtime/package signal: `templates/package.json`\n- Documentation signal: `skills/polish-docs-meta/references/readme.md`\n- Source inspection signal: `src/index.ts`\n- Source inspection signal: `src/cli/init.ts`\n- Source inspection signal: `src/config/index.ts`\n\nSource: `[package.json:1-120](https://github.com/cyanheads/mcp-ts-template/blob/main/package.json)`\n\n---\n\n---\n\n## Doramagic Pitfall Log\n\nProject: cyanheads/mcp-ts-template\n\nSummary: Found 38 potential pitfall items; 4 are high/blocking. Highest priority: installation - 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap.\n\n## 1. installation · 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_b652b8d6139f43c1bcf51562afed3525 | https://github.com/cyanheads/mcp-ts-core/issues/50 | 来源讨论提到 docker 相关条件,需在安装/试用前复核。\n\n## 2. configuration · 来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_3d3b719431cb499f914e169e6dce21b2 | https://github.com/cyanheads/mcp-ts-core/issues/135 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 3. configuration · 来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n- User impact: 可能阻塞安装或首次运行。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_ed2fba370b864c57980fcc78c30fa336 | https://github.com/cyanheads/mcp-ts-core/issues/66 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 4. security_permissions · 失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: Developers should check this security_permissions risk before relying on the project: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- User impact: Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: Do not recommend enabling privileged or credential-bearing paths until the source-backed risk is reviewed: https://github.com/cyanheads/mcp-ts-core/issues/139\n- Evidence: failure_mode_cluster:github_issue | fmev_79b989da05ab81a148513987aa506d71 | https://github.com/cyanheads/mcp-ts-core/issues/139 | feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n## 5. installation · 失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this installation risk before relying on the project: feat(templates): MCPB bundle packaging for scaffolded servers\n- User impact: Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_22c10ce8863043b0adf9a54a6f51d108 | https://github.com/cyanheads/mcp-ts-core/issues/137 | feat(templates): MCPB bundle packaging for scaffolded servers\n\n## 6. installation · 来源证据:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurio…\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_9f6a4823d56640848bd04ac60d2856af | https://github.com/cyanheads/mcp-ts-core/issues/126 | 来源讨论提到 macos 相关条件,需在安装/试用前复核。\n\n## 7. configuration · 失败模式:configuration: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- User impact: Developers may misconfigure credentials, environment, or host setup: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5c7acd2f18c877d832b1a859cd234468 | https://github.com/cyanheads/mcp-ts-core/issues/136 | Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n## 8. configuration · 失败模式:configuration: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBod...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_7d40e777d2ccdbab34bc3b3d1402bd71 | https://github.com/cyanheads/mcp-ts-core/issues/120 | bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n## 9. configuration · 失败模式:configuration: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 rel...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_41ff925fb40ebff8720b5c65f8b20ece | https://github.com/cyanheads/mcp-ts-core/issues/124 | bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n## 10. configuration · 失败模式:configuration: changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: changelog: raise summary cap from 250 → 350 chars\n- User impact: Developers may misconfigure credentials, environment, or host setup: changelog: raise summary cap from 250 → 350 chars\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: changelog: raise summary cap from 250 → 350 chars. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5d2f31e619abdbc2e753d5c67819c1a8 | https://github.com/cyanheads/mcp-ts-core/issues/129 | changelog: raise summary cap from 250 → 350 chars\n\n## 11. configuration · 失败模式:configuration: docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: Developers may misconfigure credentials, environment, or host setup: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: docs(api-canvas): add minimum-viable spillover server recipe as the default. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_44db3da73c060fc8e7affa9e6c321749 | https://github.com/cyanheads/mcp-ts-core/issues/138 | docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n## 12. configuration · 失败模式:configuration: feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(docs/skills): codify agent-observed correctness across response design surface\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(docs/skills): codify agent-observed correctness across response design surface. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_a5a5f36d76023182a160cd1189430916 | https://github.com/cyanheads/mcp-ts-core/issues/131 | feat(docs/skills): codify agent-observed correctness across response design surface\n\n## 13. configuration · 失败模式:configuration: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-ne...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_008c058324c5476cab1114c3b507a398 | https://github.com/cyanheads/mcp-ts-core/issues/141 | feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n## 14. configuration · 失败模式:configuration: feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter,docs): cross-vendor JSON Schema portability rules\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter,docs): cross-vendor JSON Schema portability rules. Context: Observed when using python\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_442715f721a7d8f0d431a38068bdcfcd | https://github.com/cyanheads/mcp-ts-core/issues/132 | feat(linter,docs): cross-vendor JSON Schema portability rules\n\n## 15. configuration · 失败模式:configuration: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_94fb8f4bb9c19f4e783136fcde3ed772 | https://github.com/cyanheads/mcp-ts-core/issues/130 | feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n## 16. configuration · 失败模式:configuration: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch). Context: Observed when using node, cuda\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e38ad2dfdd02625b61bb0948c324e842 | https://github.com/cyanheads/mcp-ts-core/issues/134 | feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n## 17. configuration · 失败模式:configuration: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools). Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_de75bb8a294c55ed56f1bb44faf7bd37 | https://github.com/cyanheads/mcp-ts-core/issues/142 | feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n## 18. configuration · 来源证据:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_22e974aafd5649c7b4e239b2a07a33ec | https://github.com/cyanheads/mcp-ts-core/issues/134 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 19. capability · 能力判断依赖假设\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: README/documentation is current enough for a first validation pass.\n- User impact: 假设不成立时,用户拿不到承诺的能力。\n- Suggested check: 将假设转成下游验证清单。\n- Guardrail action: 假设必须转成验证项;没有验证结果前不能写成事实。\n- Evidence: capability.assumptions | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | README/documentation is current enough for a first validation pass.\n\n## 20. runtime · 失败模式:runtime: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: Developers may hit a documented source-backed failure mode: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_c771a0d6f06fc6e6e023bd2f45ada5a3 | https://github.com/cyanheads/mcp-ts-core/issues/135 | bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n## 21. runtime · 失败模式:runtime: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasin...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries. Context: Observed when using macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e7737d7800a604e87586603a0d3fe8d5 | https://github.com/cyanheads/mcp-ts-core/issues/126 | bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n\n## 22. maintenance · 失败模式:migration: bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this migration risk before relying on the project: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): logger rate-limit map only sweeps when suppression triggered. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_0716f10fda662c3e061d6b59d0f45b12 | https://github.com/cyanheads/mcp-ts-core/issues/115 | bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n## 23. maintenance · 来源证据:bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个维护/版本相关的待验证问题:bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8fb7b505af3f480c95c67b34c105329e | https://github.com/cyanheads/mcp-ts-core/issues/115 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 24. maintenance · 维护活跃度未知\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: 未记录 last_activity_observed。\n- User impact: 新项目、停更项目和活跃项目会被混在一起,推荐信任度下降。\n- Suggested check: 补 GitHub 最近 commit、release、issue/PR 响应信号。\n- Guardrail action: 维护活跃度未知时,推荐强度不能标为高信任。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | last_activity_observed missing\n\n## 25. security_permissions · 下游验证发现风险项\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 下游已经要求复核,不能在页面中弱化。\n- Suggested check: 进入安全/权限治理复核队列。\n- Guardrail action: 下游风险存在时必须保持 review/recommendation 降级。\n- Evidence: downstream_validation.risk_items | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 26. security_permissions · 存在评分风险\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 风险会影响是否适合普通用户安装。\n- Suggested check: 把风险写入边界卡,并确认是否需要人工复核。\n- Guardrail action: 评分风险必须进入边界卡,不能只作为内部分数。\n- Evidence: risks.scoring_risks | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 27. security_permissions · 来源证据:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_5df71519e99747a0a028db7767bd9b86 | https://github.com/cyanheads/mcp-ts-core/issues/120 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 28. security_permissions · 来源证据:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_c1d184e56e66446085332f42b7500be4 | https://github.com/cyanheads/mcp-ts-core/issues/114 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 29. security_permissions · 来源证据:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_a6e8146b33d0467584baf5d0c8d433c8 | https://github.com/cyanheads/mcp-ts-core/issues/124 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 30. security_permissions · 来源证据:changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:changelog: raise summary cap from 250 → 350 chars\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d2eeeaa093654bed9869dc412630cb74 | https://github.com/cyanheads/mcp-ts-core/issues/129 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 31. security_permissions · 来源证据:docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d5b1c38bbee5494abc71a7f891389997 | https://github.com/cyanheads/mcp-ts-core/issues/138 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 32. security_permissions · 来源证据:feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8db18d54bc9948a28dcf10fd5207d1fa | https://github.com/cyanheads/mcp-ts-core/issues/131 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 33. security_permissions · 来源证据:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_680ec4f7c0ff4c8c9f29762e8c8e2520 | https://github.com/cyanheads/mcp-ts-core/issues/141 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 34. security_permissions · 来源证据:feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_69d95636c7024bf2bb5d8aad01b7ab6d | https://github.com/cyanheads/mcp-ts-core/issues/132 | 来源讨论提到 python 相关条件,需在安装/试用前复核。\n\n## 35. security_permissions · 来源证据:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_0280b913a8284f73ad4ac3932a76ebd5 | https://github.com/cyanheads/mcp-ts-core/issues/130 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 36. security_permissions · 来源证据:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8a3ab16a17764a828dc447d9462d875c | https://github.com/cyanheads/mcp-ts-core/issues/142 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 37. maintenance · issue/PR 响应质量未知\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: issue_or_pr_quality=unknown。\n- User impact: 用户无法判断遇到问题后是否有人维护。\n- Suggested check: 抽样最近 issue/PR,判断是否长期无人处理。\n- Guardrail action: issue/PR 响应未知时,必须提示维护风险。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | issue_or_pr_quality=unknown\n\n## 38. maintenance · 发布节奏不明确\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: release_recency=unknown。\n- User impact: 安装命令和文档可能落后于代码,用户踩坑概率升高。\n- Suggested check: 确认最近 release/tag 和 README 安装命令是否一致。\n- Guardrail action: 发布节奏未知或过期时,安装说明必须标注可能漂移。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | release_recency=unknown\n\n\n", "summary": "DeepWiki/Human Wiki output with a Doramagic pitfall appendix.", "title": "Human Manual" }, "pitfall_log": { "asset_id": "pitfall_log", "filename": "PITFALL_LOG.md", "markdown": "# Pitfall Log\n\nProject: cyanheads/mcp-ts-template\n\nSummary: Found 38 potential pitfall items; 4 are high/blocking. Highest priority: installation - 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap.\n\n## 1. installation · 来源证据:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(transport): HTTP per-request McpServer cleanup leaks ~30 KB/req on heap\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_b652b8d6139f43c1bcf51562afed3525 | https://github.com/cyanheads/mcp-ts-core/issues/50 | 来源讨论提到 docker 相关条件,需在安装/试用前复核。\n\n## 2. configuration · 来源证据:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_3d3b719431cb499f914e169e6dce21b2 | https://github.com/cyanheads/mcp-ts-core/issues/135 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 3. configuration · 来源证据:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(tool): flatten SDK input-validation error text and move issues to error.data (follow-up to #55)\n- User impact: 可能阻塞安装或首次运行。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_ed2fba370b864c57980fcc78c30fa336 | https://github.com/cyanheads/mcp-ts-core/issues/66 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 4. security_permissions · 失败模式:security_permissions: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n- Severity: high\n- Evidence strength: source_linked\n- Finding: Developers should check this security_permissions risk before relying on the project: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- User impact: Developers may expose sensitive permissions or credentials: feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(auth): add RFC 7662 Token Introspection as a third auth strategy. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: Do not recommend enabling privileged or credential-bearing paths until the source-backed risk is reviewed: https://github.com/cyanheads/mcp-ts-core/issues/139\n- Evidence: failure_mode_cluster:github_issue | fmev_79b989da05ab81a148513987aa506d71 | https://github.com/cyanheads/mcp-ts-core/issues/139 | feat(auth): add RFC 7662 Token Introspection as a third auth strategy\n\n## 5. installation · 失败模式:installation: feat(templates): MCPB bundle packaging for scaffolded servers\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this installation risk before relying on the project: feat(templates): MCPB bundle packaging for scaffolded servers\n- User impact: Developers may fail before the first successful local run: feat(templates): MCPB bundle packaging for scaffolded servers\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(templates): MCPB bundle packaging for scaffolded servers. Context: Observed when using node, docker, windows, macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_22c10ce8863043b0adf9a54a6f51d108 | https://github.com/cyanheads/mcp-ts-core/issues/137 | feat(templates): MCPB bundle packaging for scaffolded servers\n\n## 6. installation · 来源证据:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurio…\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安装相关的待验证问题:bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_9f6a4823d56640848bd04ac60d2856af | https://github.com/cyanheads/mcp-ts-core/issues/126 | 来源讨论提到 macos 相关条件,需在安装/试用前复核。\n\n## 7. configuration · 失败模式:configuration: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- User impact: Developers may misconfigure credentials, environment, or host setup: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5c7acd2f18c877d832b1a859cd234468 | https://github.com/cyanheads/mcp-ts-core/issues/136 | Connect card: active-tab styling, default to Claude, add Codex/Cursor/Gemini\n\n## 8. configuration · 失败模式:configuration: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBod...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_7d40e777d2ccdbab34bc3b3d1402bd71 | https://github.com/cyanheads/mcp-ts-core/issues/120 | bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n## 9. configuration · 失败模式:configuration: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 rel...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: Developers may misconfigure credentials, environment, or host setup: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_41ff925fb40ebff8720b5c65f8b20ece | https://github.com/cyanheads/mcp-ts-core/issues/124 | bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n## 10. configuration · 失败模式:configuration: changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: changelog: raise summary cap from 250 → 350 chars\n- User impact: Developers may misconfigure credentials, environment, or host setup: changelog: raise summary cap from 250 → 350 chars\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: changelog: raise summary cap from 250 → 350 chars. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_5d2f31e619abdbc2e753d5c67819c1a8 | https://github.com/cyanheads/mcp-ts-core/issues/129 | changelog: raise summary cap from 250 → 350 chars\n\n## 11. configuration · 失败模式:configuration: docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: Developers may misconfigure credentials, environment, or host setup: docs(api-canvas): add minimum-viable spillover server recipe as the default\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: docs(api-canvas): add minimum-viable spillover server recipe as the default. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_44db3da73c060fc8e7affa9e6c321749 | https://github.com/cyanheads/mcp-ts-core/issues/138 | docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n## 12. configuration · 失败模式:configuration: feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(docs/skills): codify agent-observed correctness across response design surface\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(docs/skills): codify agent-observed correctness across response design surface. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_a5a5f36d76023182a160cd1189430916 | https://github.com/cyanheads/mcp-ts-core/issues/131 | feat(docs/skills): codify agent-observed correctness across response design surface\n\n## 13. configuration · 失败模式:configuration: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-ne...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_008c058324c5476cab1114c3b507a398 | https://github.com/cyanheads/mcp-ts-core/issues/141 | feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n## 14. configuration · 失败模式:configuration: feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(linter,docs): cross-vendor JSON Schema portability rules\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(linter,docs): cross-vendor JSON Schema portability rules. Context: Observed when using python\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_442715f721a7d8f0d431a38068bdcfcd | https://github.com/cyanheads/mcp-ts-core/issues/132 | feat(linter,docs): cross-vendor JSON Schema portability rules\n\n## 15. configuration · 失败模式:configuration: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_94fb8f4bb9c19f4e783136fcde3ed772 | https://github.com/cyanheads/mcp-ts-core/issues/130 | feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n## 16. configuration · 失败模式:configuration: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch). Context: Observed when using node, cuda\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e38ad2dfdd02625b61bb0948c324e842 | https://github.com/cyanheads/mcp-ts-core/issues/134 | feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n## 17. configuration · 失败模式:configuration: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this configuration risk before relying on the project: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: Developers may misconfigure credentials, environment, or host setup: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools). Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_de75bb8a294c55ed56f1bb44faf7bd37 | https://github.com/cyanheads/mcp-ts-core/issues/142 | feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n## 18. configuration · 来源证据:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个配置相关的待验证问题:feat(telemetry): wire Worker-native OTel exporter (sdk-trace-web + OTLP fetch)\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_22e974aafd5649c7b4e239b2a07a33ec | https://github.com/cyanheads/mcp-ts-core/issues/134 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 19. capability · 能力判断依赖假设\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: README/documentation is current enough for a first validation pass.\n- User impact: 假设不成立时,用户拿不到承诺的能力。\n- Suggested check: 将假设转成下游验证清单。\n- Guardrail action: 假设必须转成验证项;没有验证结果前不能写成事实。\n- Evidence: capability.assumptions | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | README/documentation is current enough for a first validation pass.\n\n## 20. runtime · 失败模式:runtime: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- User impact: Developers may hit a documented source-backed failure mode: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model. Context: Observed when using node\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_c771a0d6f06fc6e6e023bd2f45ada5a3 | https://github.com/cyanheads/mcp-ts-core/issues/135 | bug(transport): list_changed notifications silently dropped under HTTP per-request McpServer model\n\n## 21. runtime · 失败模式:runtime: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasin...\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this runtime risk before relying on the project: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries. Context: Observed when using macos\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_e7737d7800a604e87586603a0d3fe8d5 | https://github.com/cyanheads/mcp-ts-core/issues/126 | bug(utils): fetchWithTimeout collapses every non-ok HTTP status to ServiceUnavailable, erasing codes and causing spurious retries\n\n## 22. maintenance · 失败模式:migration: bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: Developers should check this migration risk before relying on the project: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: Developers may hit a documented source-backed failure mode: bug(utils): logger rate-limit map only sweeps when suppression triggered\n- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: bug(utils): logger rate-limit map only sweeps when suppression triggered. Context: Source discussion did not expose a precise runtime context.\n- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.\n- Evidence: failure_mode_cluster:github_issue | fmev_0716f10fda662c3e061d6b59d0f45b12 | https://github.com/cyanheads/mcp-ts-core/issues/115 | bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n## 23. maintenance · 来源证据:bug(utils): logger rate-limit map only sweeps when suppression triggered\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个维护/版本相关的待验证问题:bug(utils): logger rate-limit map only sweeps when suppression triggered\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8fb7b505af3f480c95c67b34c105329e | https://github.com/cyanheads/mcp-ts-core/issues/115 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 24. maintenance · 维护活跃度未知\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: 未记录 last_activity_observed。\n- User impact: 新项目、停更项目和活跃项目会被混在一起,推荐信任度下降。\n- Suggested check: 补 GitHub 最近 commit、release、issue/PR 响应信号。\n- Guardrail action: 维护活跃度未知时,推荐强度不能标为高信任。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | last_activity_observed missing\n\n## 25. security_permissions · 下游验证发现风险项\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 下游已经要求复核,不能在页面中弱化。\n- Suggested check: 进入安全/权限治理复核队列。\n- Guardrail action: 下游风险存在时必须保持 review/recommendation 降级。\n- Evidence: downstream_validation.risk_items | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 26. security_permissions · 存在评分风险\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: no_demo\n- User impact: 风险会影响是否适合普通用户安装。\n- Suggested check: 把风险写入边界卡,并确认是否需要人工复核。\n- Guardrail action: 评分风险必须进入边界卡,不能只作为内部分数。\n- Evidence: risks.scoring_risks | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | no_demo; severity=medium\n\n## 27. security_permissions · 来源证据:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): fetchWithTimeout attaches full upstream HTTP error body to error.data.responseBody — no cap, no MIME filter\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_5df71519e99747a0a028db7767bd9b86 | https://github.com/cyanheads/mcp-ts-core/issues/120 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 28. security_permissions · 来源证据:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(utils): unbounded label cardinality on mcp.ratelimit.rejections counter\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_c1d184e56e66446085332f42b7500be4 | https://github.com/cyanheads/mcp-ts-core/issues/114 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 29. security_permissions · 来源证据:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:bug(worker): Workers compatibility — runtime detection broken under nodejs_compat, plus 8 related findings\n- User impact: 可能增加新用户试用和生产接入成本。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_a6e8146b33d0467584baf5d0c8d433c8 | https://github.com/cyanheads/mcp-ts-core/issues/124 | 来源讨论提到 node 相关条件,需在安装/试用前复核。\n\n## 30. security_permissions · 来源证据:changelog: raise summary cap from 250 → 350 chars\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:changelog: raise summary cap from 250 → 350 chars\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d2eeeaa093654bed9869dc412630cb74 | https://github.com/cyanheads/mcp-ts-core/issues/129 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 31. security_permissions · 来源证据:docs(api-canvas): add minimum-viable spillover server recipe as the default\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:docs(api-canvas): add minimum-viable spillover server recipe as the default\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_d5b1c38bbee5494abc71a7f891389997 | https://github.com/cyanheads/mcp-ts-core/issues/138 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 32. security_permissions · 来源证据:feat(docs/skills): codify agent-observed correctness across response design surface\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(docs/skills): codify agent-observed correctness across response design surface\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8db18d54bc9948a28dcf10fd5207d1fa | https://github.com/cyanheads/mcp-ts-core/issues/131 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 33. security_permissions · 来源证据:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter): `schema-properties-need-type` — flag typeless leaves missed by `schema-anyof-needs-type`\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_680ec4f7c0ff4c8c9f29762e8c8e2520 | https://github.com/cyanheads/mcp-ts-core/issues/141 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 34. security_permissions · 来源证据:feat(linter,docs): cross-vendor JSON Schema portability rules\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(linter,docs): cross-vendor JSON Schema portability rules\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_69d95636c7024bf2bb5d8aad01b7ab6d | https://github.com/cyanheads/mcp-ts-core/issues/132 | 来源讨论提到 python 相关条件,需在安装/试用前复核。\n\n## 35. security_permissions · 来源证据:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(skill): polish-docs-meta should recommend linking OTEL_ENABLED to framework telemetry docs\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源显示可能已有修复、规避或版本变化,说明书中必须标注适用版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_0280b913a8284f73ad4ac3932a76ebd5 | https://github.com/cyanheads/mcp-ts-core/issues/130 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 36. security_permissions · 来源证据:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n\n- Severity: medium\n- Evidence strength: source_linked\n- Finding: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题:feat(tool): first-class support for discriminated-union tool inputs (multi-mode tools)\n- User impact: 可能影响授权、密钥配置或安全边界。\n- Suggested check: 来源问题仍为 open,Pack Agent 需要复核是否仍影响当前版本。\n- Guardrail action: 不得脱离来源链接放大为确定性结论;需要标注适用版本和复核状态。\n- Evidence: community_evidence:github | cevd_8a3ab16a17764a828dc447d9462d875c | https://github.com/cyanheads/mcp-ts-core/issues/142 | 来源类型 github_issue 暴露的待验证使用条件。\n\n## 37. maintenance · issue/PR 响应质量未知\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: issue_or_pr_quality=unknown。\n- User impact: 用户无法判断遇到问题后是否有人维护。\n- Suggested check: 抽样最近 issue/PR,判断是否长期无人处理。\n- Guardrail action: issue/PR 响应未知时,必须提示维护风险。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | issue_or_pr_quality=unknown\n\n## 38. maintenance · 发布节奏不明确\n\n- Severity: low\n- Evidence strength: source_linked\n- Finding: release_recency=unknown。\n- User impact: 安装命令和文档可能落后于代码,用户踩坑概率升高。\n- Suggested check: 确认最近 release/tag 和 README 安装命令是否一致。\n- Guardrail action: 发布节奏未知或过期时,安装说明必须标注可能漂移。\n- Evidence: evidence.maintainer_signals | mcp_registry:io.github.cyanheads/mcp-ts-template:3.0.9 | https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9 | release_recency=unknown\n", "summary": "Identity, installation, configuration, runtime, and safety pitfalls before user trial.", "title": "Pitfall Log" }, "prompt_preview": { "asset_id": "prompt_preview", "filename": "PROMPT_PREVIEW.md", "markdown": "# mcp-ts-template - Prompt Preview\n\n> Copy the prompt below into your AI host before installing anything.\n> Its purpose is to let you safely feel the project's workflow, not to claim the project has already run.\n\n## Copy this prompt\n\n```text\nYou are using an independent Doramagic capability pack for cyanheads/mcp-ts-template.\n\nProject:\n- Name: mcp-ts-template\n- Repository: https://github.com/cyanheads/mcp-ts-template\n- Summary: TypeScript template for building MCP servers with declarative tooling, observability, and auth.\n- Host target: mcp_host\n\nGoal:\nHelp me evaluate this project for the following task without installing it yet: TypeScript template for building MCP servers with declarative tooling, observability, and auth.\n\nBefore taking action:\n1. Restate my task, success standard, and boundary.\n2. Identify whether the next step requires tools, browser access, network access, filesystem access, credentials, package installation, or host configuration.\n3. Use only the Doramagic Project Pack, the upstream repository, and the source-linked evidence listed below.\n4. If a real command, install step, API call, file write, or host integration is required, mark it as \"requires post-install verification\" and ask for approval first.\n5. If evidence is missing, say \"evidence is missing\" instead of filling the gap.\n\nPreviewable capabilities:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCapabilities that require post-install verification:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCore service flow:\n1. overview: Repository Overview. Produce one small intermediate artifact and wait for confirmation.\n2. entrypoints: Entrypoints and Runtime Surface. Produce one small intermediate artifact and wait for confirmation.\n3. architecture: Architecture Evidence Map. Produce one small intermediate artifact and wait for confirmation.\n4. operations: Operations and Verification Boundaries. Produce one small intermediate artifact and wait for confirmation.\n\nSource-backed evidence to keep in mind:\n- https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9\n- skills/add-app-tool/SKILL.md\n- skills/add-export/SKILL.md\n- skills/add-prompt/SKILL.md\n- skills/add-provider/SKILL.md\n- skills/add-resource/SKILL.md\n- skills/add-service/SKILL.md\n- skills/add-test/SKILL.md\n- skills/add-tool/SKILL.md\n- skills/api-auth/SKILL.md\n\nFirst response rules:\n1. Start Step 1 only.\n2. Explain the one service action you will perform first.\n3. Ask exactly three questions about my target workflow, success standard, and sandbox boundary.\n4. Stop and wait for my answers.\n\nStep 1 follow-up protocol:\n- After I answer the first three questions, stay in Step 1.\n- Produce six parts only: clarified task, success standard, boundary conditions, two or three options, tradeoffs for each option, and one recommendation.\n- End by asking whether I confirm the recommendation.\n- Do not move to Step 2 until I explicitly confirm.\n\nConversation rules:\n- Advance one step at a time and wait for confirmation after each small artifact.\n- Write outputs as recommendations or planned checks, not as completed execution.\n- Do not claim tests passed, files changed, commands ran, APIs were called, or the project was installed.\n- If the user asks for execution, first provide the sandbox setup, expected output, rollback, and approval checkpoint.\n```\n", "summary": "不安装项目也能感受能力节奏的安全试用 Prompt。", "title": "Prompt Preview / 安装前试用 Prompt" }, "quick_start": { "asset_id": "quick_start", "filename": "QUICK_START.md", "markdown": "# Quick Start\n\nProject: cyanheads/mcp-ts-template\n\n## Official Entry Points\n\n### Node.js / npx · 官方安装入口\n\n```bash\nnpx mcp-ts-template\n```\n\nSource:https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9\n\n## Sources\n\n- mcp_registry: https://registry.modelcontextprotocol.io/v0.1/servers/io.github.cyanheads%2Fmcp-ts-template/versions/3.0.9\n", "summary": "Entry points extracted from official README or installation documentation.", "title": "Quick Start" } }, "validation_id": "dval_62eaa06aa04c46cca18efab77c591267" }