Ryan Malloy
c9de63cf29
Some checks failed
Test Dashboard / test-and-dashboard (push) Has been cancelled
Margaret Hamilton pre-publish review found 5 blockers + 9 flags. All
correctness/security issues fixed; H6 (connection pooling perf) deferred.
caching.py — comprehensive hardening:
- B3: base64.b64decode now uses validate=True (no silent mangling)
- B4: MCP_ALLOW_LOCAL_FILES evaluated per request, not at import
- B5: extension allowlist + 0o700 temp dir + 0o600 files + O_EXCL writes
- B2+H5: MCP_MAX_UPLOAD_BYTES / MCP_MAX_DOWNLOAD_BYTES caps (50MB default),
enforced pre-decode and during chunked downloads
- H1: env var parsing strip()+lower(), truthy set {true,1,yes,on}
- H3: UUID-based unique temp paths replace SHA-prefix collision risk
- H7: ZIP magic bytes disambiguated via [Content_Types].xml peek
- H8: stronger CSV heuristic (commas/tabs + UTF-8 + no NULs)
- H9: specific exceptions in cache I/O with logged warnings
- New: upload_cleanup_scope() context manager + ContextVar tracker
decorators.py:
- cleanup_temp_uploads decorator wraps tool methods, auto-cleans temp
upload files on return OR exception (B1+H4)
validation.py:
- OfficeFileError.__init__ scrubs /tmp/mcp_office_uploads/ paths from
messages so server paths never leak to HTTP callers (H2)
mixins/{universal,word,excel}.py:
- @cleanup_temp_uploads applied to all 19 tool methods that resolve files
tests/test_security_hardening.py:
- 24 new tests, one per Hamilton finding, prove fixes work and catch
regressions. Including end-to-end: temp file created → exists during
scope → gone after scope exit (success AND exception paths)
pyproject.toml:
- version 0.1.0 → 2026.05.22 (CalVer per CLAUDE.md convention)
- URLs updated GitHub → git.supported.systems/MCP/mcwaddams
- Belt-and-suspenders sdist exclude list (defends against future
include-list edits accidentally shipping CLAUDE.md, .env, etc.)
222 lines
4.8 KiB
TOML
222 lines
4.8 KiB
TOML
[project]
|
|
name = "mcwaddams"
|
|
version = "2026.05.22"
|
|
description = "MCP server for Microsoft Office document processing. Named for Milton Waddams, who was relocated to the basement with boxes of legacy documents."
|
|
authors = [{name = "Ryan Malloy", email = "ryan@supported.systems"}]
|
|
readme = "README.md"
|
|
license = {text = "MIT"}
|
|
requires-python = ">=3.11"
|
|
keywords = ["mcp", "office", "docx", "xlsx", "pptx", "word", "excel", "powerpoint", "document", "processing", "milton", "legacy"]
|
|
classifiers = [
|
|
"Development Status :: 4 - Beta",
|
|
"Intended Audience :: Developers",
|
|
"License :: OSI Approved :: MIT License",
|
|
"Programming Language :: Python :: 3",
|
|
"Programming Language :: Python :: 3.11",
|
|
"Programming Language :: Python :: 3.12",
|
|
"Topic :: Office/Business :: Office Suites",
|
|
"Topic :: Text Processing",
|
|
"Topic :: Software Development :: Libraries :: Python Modules",
|
|
]
|
|
|
|
dependencies = [
|
|
"fastmcp>=0.5.0",
|
|
"python-docx>=1.1.0",
|
|
"openpyxl>=3.1.0",
|
|
"python-pptx>=1.0.0",
|
|
"mammoth>=1.6.0",
|
|
"xlrd>=2.0.0",
|
|
"xlwt>=1.3.0",
|
|
"pandas>=2.0.0",
|
|
"olefile>=0.47",
|
|
"msoffcrypto-tool>=5.4.0",
|
|
"lxml>=4.9.0",
|
|
"pillow>=10.0.0",
|
|
"beautifulsoup4>=4.12.0",
|
|
"aiohttp>=3.9.0",
|
|
"aiofiles>=23.2.0",
|
|
"chardet>=5.0.0",
|
|
"xlsxwriter>=3.1.0",
|
|
]
|
|
|
|
[project.optional-dependencies]
|
|
dev = [
|
|
"pytest>=7.4.0",
|
|
"pytest-asyncio>=0.21.0",
|
|
"pytest-cov>=4.1.0",
|
|
"black>=23.0.0",
|
|
"ruff>=0.1.0",
|
|
"mypy>=1.5.0",
|
|
"types-beautifulsoup4",
|
|
"types-pillow",
|
|
"types-chardet",
|
|
]
|
|
nlp = [
|
|
"nltk>=3.8",
|
|
"spacy>=3.7",
|
|
"textstat>=0.7",
|
|
]
|
|
conversion = [
|
|
"pypandoc>=1.11",
|
|
]
|
|
enhanced = [
|
|
"python-magic>=0.4.0",
|
|
]
|
|
|
|
[project.urls]
|
|
Homepage = "https://mcwaddams.l.supported.systems"
|
|
Repository = "https://git.supported.systems/MCP/mcwaddams"
|
|
Issues = "https://git.supported.systems/MCP/mcwaddams/issues"
|
|
|
|
[project.scripts]
|
|
mcwaddams = "mcwaddams.server:main"
|
|
|
|
[build-system]
|
|
requires = ["hatchling"]
|
|
build-backend = "hatchling.build"
|
|
|
|
[tool.hatch.build.targets.wheel]
|
|
packages = ["src/mcwaddams"]
|
|
|
|
[tool.hatch.build.targets.sdist]
|
|
# Belt: only ship what's listed here.
|
|
include = [
|
|
"/src",
|
|
"/README.md",
|
|
"/LICENSE",
|
|
]
|
|
# Suspenders: even if a file matches an include glob, drop it if it matches here.
|
|
# These guard against accidental inclusion if the include list grows.
|
|
exclude = [
|
|
"CLAUDE.md",
|
|
".env",
|
|
".env.*",
|
|
".mcp.json",
|
|
".pytest_cache",
|
|
".ruff_cache",
|
|
".mypy_cache",
|
|
"htmlcov",
|
|
"dist",
|
|
"build",
|
|
"reports",
|
|
"audits",
|
|
"tests",
|
|
"examples",
|
|
"docs",
|
|
"ADVANCED_TOOLS_PLAN.md",
|
|
"IMPLEMENTATION_STATUS.md",
|
|
"QUICKSTART_DASHBOARD.md",
|
|
"TESTING_STRATEGY.md",
|
|
"*.docx",
|
|
"*.xlsx",
|
|
"*.pptx",
|
|
"*.doc",
|
|
"*.xls",
|
|
"*.ppt",
|
|
"*.json",
|
|
"Dockerfile",
|
|
"docker-compose.yml",
|
|
"Makefile",
|
|
"uv.lock",
|
|
]
|
|
|
|
# Code quality tools
|
|
[tool.black]
|
|
line-length = 88
|
|
target-version = ["py311"]
|
|
include = '\.pyi?$'
|
|
extend-exclude = '''
|
|
/(
|
|
# directories
|
|
\.eggs
|
|
| \.git
|
|
| \.hg
|
|
| \.mypy_cache
|
|
| \.tox
|
|
| \.venv
|
|
| build
|
|
| dist
|
|
)/
|
|
'''
|
|
|
|
[tool.ruff]
|
|
target-version = "py311"
|
|
line-length = 88
|
|
select = [
|
|
"E", # pycodestyle errors
|
|
"W", # pycodestyle warnings
|
|
"F", # pyflakes
|
|
"I", # isort
|
|
"B", # flake8-bugbear
|
|
"C4", # flake8-comprehensions
|
|
"UP", # pyupgrade
|
|
]
|
|
ignore = [
|
|
"E501", # line too long, handled by black
|
|
"B008", # do not perform function calls in argument defaults
|
|
"C901", # too complex
|
|
]
|
|
|
|
[tool.ruff.per-file-ignores]
|
|
"__init__.py" = ["F401"]
|
|
|
|
[tool.mypy]
|
|
python_version = "3.11"
|
|
check_untyped_defs = true
|
|
disallow_any_generics = true
|
|
disallow_incomplete_defs = true
|
|
disallow_untyped_defs = true
|
|
no_implicit_optional = true
|
|
warn_redundant_casts = true
|
|
warn_unused_ignores = true
|
|
warn_return_any = true
|
|
strict_equality = true
|
|
|
|
[tool.pytest.ini_options]
|
|
minversion = "7.0"
|
|
addopts = [
|
|
"--strict-markers",
|
|
"--strict-config",
|
|
"--cov=mcwaddams",
|
|
"--cov-report=term-missing",
|
|
"--cov-report=html",
|
|
"--cov-report=xml",
|
|
]
|
|
testpaths = ["tests"]
|
|
python_files = ["test_*.py"]
|
|
python_classes = ["Test*"]
|
|
python_functions = ["test_*"]
|
|
markers = [
|
|
"slow: marks tests as slow (deselect with '-m \"not slow\"')",
|
|
"integration: marks tests as integration tests",
|
|
"unit: marks tests as unit tests",
|
|
]
|
|
|
|
[tool.coverage.run]
|
|
source = ["src/mcwaddams"]
|
|
omit = [
|
|
"*/tests/*",
|
|
"*/test_*",
|
|
]
|
|
|
|
[tool.coverage.report]
|
|
exclude_lines = [
|
|
"pragma: no cover",
|
|
"def __repr__",
|
|
"if self.debug:",
|
|
"if settings.DEBUG",
|
|
"raise AssertionError",
|
|
"raise NotImplementedError",
|
|
"if 0:",
|
|
"if __name__ == .__main__.:",
|
|
"class .*\\bProtocol\\):",
|
|
"@(abc\\.)?abstractmethod",
|
|
]
|
|
|
|
[dependency-groups]
|
|
dev = [
|
|
"pytest>=8.4.1",
|
|
"pytest-asyncio>=1.1.0",
|
|
"pytest-cov>=6.2.1",
|
|
]
|