npm · server-everything2026.1.26

Evidence

* - Markdown (.md) files are served as mime type "text/markdown"

 * - Text (.txt) files are served as mime type "text/plain"

 * - JSON (.json) files are served as mime type "application/json"

 *

 * @param server

 */

export const registerFileResources = (server) => {

RemediationAI

The problem is that `registerFileResources` performs filesystem operations (readdirSync, readFileSync, statSync) but its JSDoc description does not disclose these I/O side effects, violating the principle of transparent capability declaration. Update the JSDoc comment for `registerFileResources` to explicitly document that it performs filesystem reads on the docs/ directory and returns file contents. This fix ensures that anyone reviewing the tool definition or the MCP manifest can see exactly what filesystem operations occur. Verify by running `npm run build` and checking that the generated manifest or tool schema now includes filesystem operation warnings in the description field.

Evidence

* - Markdown (.md) files are served as mime type "text/markdown"

 * - Text (.txt) files are served as mime type "text/plain"

 * - JSON (.json) files are served as mime type "application/json"

 *

 * @param server

 */

export const registerFileResources = (server) => {

RemediationAI

The problem is that file contents from the docs/ directory are returned verbatim without any provenance markers or content boundaries, making the LLM unable to distinguish between trusted server logic and potentially untrusted file content, enabling indirect prompt injection. Wrap each file's content with explicit provenance markers (e.g., `[FILE: filename.md] {content} [/FILE]`) in the `readFileSync` return value within `registerFileResources`, and add a security note to the tool description stating that file content is user-supplied and should be treated as untrusted input. This fix allows the LLM to recognize and isolate external content boundaries. Verify by reading a test file through the tool and confirming that the response includes clear delimiters around the file content.

Evidence

],

  "scripts": {

    "build": "tsc && shx cp -r docs dist/ && shx chmod +x dist/*.js",

    "prepare": "npm run build",

    "watch": "tsc --watch",

    "start:stdio": "node dist/index.js stdio",

    "start:sse": "node dist/index.js sse",

RemediationAI

The problem is that the `prepare` script in package.json runs `npm run build` automatically on every install, executing arbitrary code (TypeScript compilation, file copying, chmod) without explicit user consent, which is a supply-chain attack vector. Remove the `"prepare": "npm run build"` line from the scripts section in package.json and document in the README that developers must manually run `npm run build` after installation. This fix ensures that code execution only happens when explicitly requested by the developer. Verify by running `npm install` in a clean directory and confirming that the dist/ folder is not automatically created.

Evidence

# Everything MCP Server

**[Architecture](docs/architecture.md)

| [Project Structure](docs/structure.md)

| [Startup Process](docs/startup.md)

| [Server Features](docs/features.md)

| [Extension Points](docs/extension.md)

| [How It Works](docs/how-it-works.md)**

This MCP server attempts to exercise all the features of the MCP protocol. It is not intended to be a useful server, but rather a test server for builders of MCP clients. It implements prompts, tools, resources, sampling, and more to show

RemediationAI

The problem is that the MCP server manifest does not declare any authentication or authorization mechanism, making it unclear whether the server is protected by network-layer auth, host-level isolation, or no auth at all, which complicates security audits. Add an explicit `auth` field to the server configuration (in server/index.js or the MCP manifest) that documents the actual authentication model—for example, `"auth": "network-layer-only"` or `"auth": "none-host-isolation-required"`—and update the README to clearly state the security assumptions. This fix enables reviewers to understand the threat model and verify that appropriate controls are in place. Verify by checking that the MCP manifest or server startup logs now include the auth declaration.

RemediationAI

The problem is that the server advertises `listChanged: true` (dynamic tool list capability) but does not include per-tool integrity fields (version, etag, sha256, or digest) in tool responses, allowing an attacker to swap or modify tools at runtime without detection. Add a `version` or `sha256` field to each tool object returned by the tool list handler in server/index.js, and increment or recompute it whenever the tool definition changes. This fix allows clients to detect unauthorized tool modifications by comparing integrity hashes. Verify by calling the tool list endpoint twice and confirming that each tool includes a consistent hash that changes only when the tool definition is intentionally updated.