Scaffold TypeScript project for v1.0 npx migration (#118)

* chore: pin GitHub Actions to full commit SHAs

Pins all third-party actions (actions/checkout, astral-sh/setup-uv,
codecov/codecov-action, codecov/test-results-action, docker/login-action,
actions/upload-artifact, actions/download-artifact,
pypa/gh-action-pypi-publish, softprops/action-gh-release) to immutable
commit SHAs to prevent supply-chain attacks via tag mutation.
Original tag names retained as inline comments.

* build(deps): bump starlette in the uv group across 1 directory (#117)

Bumps the uv group with 1 update in the / directory: [starlette](https://github.com/Kludex/starlette).


Updates `starlette` from 1.0.0 to 1.0.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.0...1.0.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.1
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: add cross-platform validation to ci.yaml (#89)

* restructure cross-platform job

* unavailable runner clean up

* added matrix

* fold macOS cross-platform jobs into test matrix

* use docker/setup-docker-action for macOS Docker setup and drop missing pytest-timeout flag

* removed docker-build matrix entry

* fixed race conditions in test_basic_echo_command

* use select() in executor instead of non-blocking read

* _before_slave_close(slave_fd) hook added

* replace one-shot select drain with background drain loop on macOS

* docs: pin README install URLs to v0.5.2 and update release skill

Pin all git+https://github.com/luarss/openroad-mcp URLs in README to
@v0.5.2 to prevent supply chain attacks. Update release skill to cover
README and MCP manifests in future releases.

* chore: pin MCP manifest git URLs to v0.5.2

Also fix @ escaping in release skill perl command to prevent array
interpolation mangling future version strings.

* docs(skill): add note on opting out of version pinning

* docs: add Goose, Cody, Codex CLI, PearAI, CodeBuddy, Hermes Agent to README

Add support matrix entries and installation sections for six additional
MCP-compatible agents.

* chore: remove editor MCP manifest files from repo

Users are responsible for configuring their own editor MCP settings.
Install instructions remain in README. Also update release skill to
no longer stage these files.

* fix(skill): fix perl command to update all README URL formats on release

Old command only matched bare quoted URLs. New command handles:
- JSON/TOML quoted (existing @vX.Y.Z tags and bare URLs)
- YAML unquoted list items (Goose, Hermes Agent configs)
Also fixes delimiter clash: use ! instead of | to avoid conflict with
the | inside the lookahead (?="|$).

* docs: add GitHub Copilot CLI, Oh My Pi, OpenClaw, AstrBot, DeepCode, nanobot, Crush, Reasonix

Add support matrix entries and installation sections for 8 additional
MCP-compatible agents from the community list.

* chore: release v0.5.3

* adds the typescript/ directory as the foundation for migrating the OpenROAD MCP server from python/uvx to typeScript/npx.

* fixed symlink bypass, CI will now fail if no test files match the glob, for tsconfig new config extends the base, changed the workflow to include the main as well

* fix(deps): upgrade urllib3 2.6.3 -> 2.7.0 (CVE sensitive header forwarding)

* chore: migrate all luarss refs to The-OpenROAD-Project org (#120)

* chore: migrate all luarss refs to The-OpenROAD-Project org

Replace github.com/luarss/openroad-mcp with The-OpenROAD-Project,
ghcr.io/luarss with ghcr.io/the-openroad-project, and MCP name
io.github.luarss with io.github.the-openroad-project across all
source files (README, CHANGELOG, ROADMAP, server.json, Makefile,
docker-publish.yml, release.yml).

Closes part of #119.

* fix: update author email to it-support@precisioninno.com

Part of migration issue #119 (§3 PyPI Package).

* chore: release v0.5.4

* chore: release v0.5.5

* chore(skills): enforce PR workflow and org migration in release skill (#121)

* chore(skills): enforce PR workflow and org migration in release skill

Never push directly to main; always open a release/vX.Y.Z branch and
request @vvbandeira as reviewer. Also updates all repo refs from
luarss/openroad-mcp to The-OpenROAD-Project/openroad-mcp.

* chore: update remaining luarss refs to The-OpenROAD-Project

Updates install URL in .claude/settings.json and stale issue link in
tests/performance/test_response_sizes.py.

* fixed path bug for .. as the prefix

* added test tsconfig

* pinned version for the workflow

* dead code cleanup

* added ansi decoder and session config

* added tests for session config and ansi decoder

* updated ts config

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Shui Song Luar <song@zimalabs.ai>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Song Luar <jluar@precisioninno.com>

Author: 3 people

.claude/settings.json

@@ -4,7 +4,7 @@
       "command": "uvx",
       "args": [
         "--from",
-        "git+https://github.com/luarss/openroad-mcp",
+        "git+https://github.com/The-OpenROAD-Project/openroad-mcp",
         "openroad-mcp"
       ]
     }

.claude/skills/release/SKILL.md

@@ -29,7 +29,8 @@ project. It ensures every file that references the version gets updated consiste
 - **Version source**: `pyproject.toml` `[project] version`
 - **Changelog format**: Keep a Changelog
 - **Commit style**: Conventional Commits (`feat:`, `fix:`, `chore:`, etc.)
-- **GitHub repo**: `luarss/openroad-mcp`
+- **GitHub repo**: `The-OpenROAD-Project/openroad-mcp`
+- **Release gatekeeper**: @vvbandeira (org member) — must approve and merge all releases
 
 ## Workflow
 
@@ -83,7 +84,7 @@ Read each commit message and sort into Keep a Changelog categories:
 
 For each commit, format the changelog entry as:
 ```
-- Description ([#PR](https://github.com/luarss/openroad-mcp/pull/PR))
+- Description ([#PR](https://github.com/The-OpenROAD-Project/openroad-mcp/pull/PR))
 ```
 
 Use the PR number from the commit message if present. For commits without a PR
@@ -99,15 +100,57 @@ one breaks the release consistency.
 **server.json** — Update all three version references:
 - Top-level `"version": "X.Y.Z"`
 - PyPI package `"version": "X.Y.Z"`
-- OCI identifier `"identifier": "ghcr.io/luarss/openroad-mcp:X.Y.Z"`
+- OCI identifier `"identifier": "ghcr.io/The-OpenROAD-Project/openroad-mcp:X.Y.Z"`
+
+**MCP manifest files and README** — These files use `git+https://github.com/The-OpenROAD-Project/openroad-mcp`
+without a version pin. Update every occurrence to pin to the release tag, which
+prevents supply chain attacks by ensuring users install a known, reviewed commit:
+
+Change:
+```
+"git+https://github.com/The-OpenROAD-Project/openroad-mcp"
+```
+To:
+```
+"git+https://github.com/The-OpenROAD-Project/openroad-mcp@vX.Y.Z"
+```
+
+Use a single perl pass that handles all three URL patterns in the README:
+- JSON/TOML quoted: `"git+https://...openroad-mcp@v0.5.3"`
+- YAML unquoted list item: `- git+https://...openroad-mcp@v0.5.3` (end of line)
+- Bare (first-time pin): `"git+https://...openroad-mcp"`
+
+```bash
+perl -i -pe 's!git\+https://github\.com/The-OpenROAD-Project/openroad-mcp(?:\@v[\d.]+)?(?="|$)!git+https://github.com/The-OpenROAD-Project/openroad-mcp\@vX.Y.Z!g' README.md
+```
+
+The `!` delimiter avoids clashing with the `|` inside the lookahead `(?="|$)`.
+The lookahead matches either a closing quote (JSON/TOML) or end of line (YAML),
+so all config formats are covered.
+
+After updating, verify all pinned URLs show the new tag:
+```bash
+grep "The-OpenROAD-Project/openroad-mcp@" README.md
+```
+Every line should show `@vX.Y.Z`. Also confirm no bare URLs remain:
+```bash
+grep 'The-OpenROAD-Project/openroad-mcp"' README.md
+```
+That should return no output.
+
+> **Side note for users:** If you always want the latest version and prefer not
+> to pin, omit the `@vX.Y.Z` suffix and use the bare URL:
+> `git+https://github.com/The-OpenROAD-Project/openroad-mcp`. This trades supply chain
+> safety for convenience — acceptable for local/dev setups, not recommended
+> for shared or production environments.
 
 **uv.lock** — Regenerate by running `uv lock`. Do NOT hand-edit this file.
 
 **CHANGELOG.md** — Add new section before the previous version's section.
 Today's date goes in the header. Add the link at the bottom:
 
 ```
-[X.Y.Z]: https://github.com/luarss/openroad-mcp/releases/tag/vX.Y.Z
+[X.Y.Z]: https://github.com/The-OpenROAD-Project/openroad-mcp/releases/tag/vX.Y.Z
 ```
 
 **ROADMAP.md** — Find the "Version Milestones" table and add a new row for
@@ -125,12 +168,12 @@ python -m pytest --tb=short -q
 If tests fail, report the failures to the user before proceeding. Do not commit
 a broken release.
 
-### Step 6: Create the release commit
+### Step 6: Create the release commit and open a PR
 
 Stage only the release-related files:
 
 ```bash
-git add CHANGELOG.md ROADMAP.md pyproject.toml server.json uv.lock
+git add CHANGELOG.md ROADMAP.md pyproject.toml server.json uv.lock README.md
 ```
 
 Commit with the message:
@@ -139,17 +182,45 @@ Commit with the message:
 chore: release vX.Y.Z
 ```
 
-Do NOT push unless the user explicitly asks. The commit stays local for review.
+Then push to a dedicated release branch and open a PR:
+
+```bash
+git checkout -b release/vX.Y.Z
+git push -u origin release/vX.Y.Z
+gh pr create \
+  --title "chore: release vX.Y.Z" \
+  --body "$(cat <<'EOF'
+## Release vX.Y.Z
+
+See [CHANGELOG.md](CHANGELOG.md) for full details.
+
+/cc @vvbandeira — please review and merge when ready.
+EOF
+)" \
+  --reviewer vvbandeira
+```
+
+**NEVER push directly to `main`.** The decision to merge and tag belongs exclusively
+to @vvbandeira. Once the PR is open, report the PR URL to the user and stop — do not
+merge, squash, or tag.
 
 ## Important details
 
+- **Never push to `main` directly.** Always use a `release/vX.Y.Z` branch and open a PR.
+- **@vvbandeira must review and merge** — request them as a reviewer on every release PR.
 - Always use `uv lock` to regenerate the lockfile rather than editing it manually
 - The CHANGELOG date format is ISO: `YYYY-MM-DD`
 - Version tags use a `v` prefix: `v0.4.0` (but the version in files has no prefix)
 - Check for ALL files referencing the old version by running:
   ```
-  grep -r "0\.3\.0" --include="*.toml" --include="*.json" --include="*.lock" --include="*.md"
+  grep -r "OLD_VERSION" --include="*.toml" --include="*.json" --include="*.lock" --include="*.md"
   ```
+  (replace `OLD_VERSION` with the actual previous version, e.g. `0\.5\.2`)
   before committing, to catch any missed references
+- Also verify the README git URLs were updated:
+  ```
+  grep "openroad-mcp@" README.md
+  ```
+  All occurrences should show the new `@vX.Y.Z` tag
 - If `server.json` doesn't exist, skip it (some repos may not have it)
 - If `ROADMAP.md` doesn't exist or has no version table, skip it

.cursor/mcp.json

@@ -14,15 +14,27 @@ env:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 30
     strategy:
+      fail-fast: false
       matrix:
+        os: [ubuntu-latest]
         test-type: [lint, core, interactive, integration, tools]
+        include:
+          - os: ubuntu-22.04
+            test-type: core
+          - os: ubuntu-24.04
+            test-type: core
+          - os: macos-14
+            test-type: core
+          - os: macos-14
+            test-type: host-pty
+            pytest-args: -x
 
     steps:
-    - uses: actions/checkout@v4
-    - uses: astral-sh/setup-uv@v6
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+    - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
     - run: make sync
 
     - name: Run lint
@@ -45,13 +57,17 @@ jobs:
       if: matrix.test-type == 'tools'
       run: make test-tools
 
+    - name: Run host-PTY integration tests
+      if: matrix.test-type == 'host-pty'
+      run: uv run pytest tests/integration ${{ matrix.pytest-args || '' }}
+
   nightly:
     runs-on: ubuntu-latest
     timeout-minutes: 45
     if: github.event_name == 'schedule' || github.event_name == 'pull_request'
     steps:
-    - uses: actions/checkout@v4
-    - uses: astral-sh/setup-uv@v6
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+    - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
     - run: make sync
     - run: make test-performance
 
@@ -60,16 +76,16 @@ jobs:
     timeout-minutes: 20
     needs: test
     steps:
-    - uses: actions/checkout@v4
-    - uses: astral-sh/setup-uv@v6
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+    - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
     - run: make sync
     - run: make test-coverage
-    - uses: codecov/codecov-action@v4
+    - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
       with:
         file: ./coverage.xml
         token: ${{ secrets.CODECOV_TOKEN }}
     - name: Upload test results to Codecov
       if: ${{ !cancelled() }}
-      uses: codecov/test-results-action@v1
+      uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
       with:
         token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/ci.yaml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Run Ubuntu setup script
         run: bash scripts/setup-ubuntu.sh
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Run macOS setup script
         run: bash scripts/setup-macos.sh

.github/workflows/cross-platform.yml

@@ -18,10 +18,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -33,7 +33,7 @@ jobs:
       - name: Tag and push Docker image
         run: |
           ORFS_VER=$(make --no-print-directory print-ORFS_VERSION)
-          IMAGE=ghcr.io/luarss/openroad-mcp
+          IMAGE=ghcr.io/the-openroad-project/openroad-mcp
           SEMVER="${IMAGE_TAG#v}"
           docker tag $IMAGE:$ORFS_VER $IMAGE:"$IMAGE_TAG"
           docker tag $IMAGE:$ORFS_VER $IMAGE:"$SEMVER"

.github/workflows/docker-publish.yml

@@ -15,10 +15,10 @@ jobs:
     name: Run tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
 
       - name: Install dependencies
         run: make sync
@@ -34,16 +34,16 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
 
       - name: Build package
         run: uv build
 
       - name: Upload dist artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: dist
           path: dist/
@@ -52,23 +52,23 @@ jobs:
     name: Publish to PyPI
     needs: build
     runs-on: ubuntu-latest
-    environment: pypi
+    environment: pypi1
     steps:
       - name: Download dist artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: dist
           path: dist/
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 
   github-release:
     name: Create GitHub Release
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Extract changelog for this version
         id: changelog
@@ -81,13 +81,13 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Download dist artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: dist
           path: dist/
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
         with:
           body: ${{ steps.changelog.outputs.notes }}
           files: dist/*
@@ -110,13 +110,13 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Update server.json version
         run: |
           VERSION="${GITHUB_REF_NAME#v}"
           sed -i "s/\"version\": \"[^\"]*\"/\"version\": \"$VERSION\"/g" server.json
-          sed -i "s|ghcr.io/luarss/openroad-mcp:[^\"]*|ghcr.io/luarss/openroad-mcp:$VERSION|g" server.json
+          sed -i "s|ghcr.io/the-openroad-project/openroad-mcp:[^\"]*|ghcr.io/the-openroad-project/openroad-mcp:$VERSION|g" server.json
 
       - name: Install mcp-publisher
         run: |

.github/workflows/release.yml

@@ -0,0 +1,27 @@
+name: TypeScript CI
+
+on:
+  push:
+    branches: [main, "feat/ts-migration**"]
+    paths: ["typescript/**"]
+  pull_request:
+    branches: [main, "feat/ts-migration**"]
+    paths: ["typescript/**"]
+
+jobs:
+  ts-check:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: typescript
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.4.0
+        with:
+          node-version: "22"
+          cache: "npm"
+          cache-dependency-path: typescript/package-lock.json
+      - run: npm ci
+      - run: npm run typecheck
+      - run: npm run lint
+      - run: npm run test