chore: upgrade MCP SDK to v1.27.1 (security fix) (#29)

* fix: create per-session McpServer instance in HTTP mode

The singleton McpServer was shared across all HTTP sessions, causing
"Already connected to a transport" crash on the second connection.
Each session now gets its own McpServer instance with tools replayed
from stored config. Stdio mode unchanged (1:1 by nature).

Closes #27

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: upgrade MCP SDK to v1.27.1 and add smoke tests

- Upgrade @modelcontextprotocol/sdk ^1.11.0 → ^1.27.1
  - Fixes GHSA-345p-7cg4-v4c7 (cross-client response data leakage)
  - Protocol.connect() now enforces single-transport-per-instance
- Upgrade zod ^3.24.2 → ^3.25.0 (now a peer dep of SDK v1.23+)
- Pin @types/express to v4 (compatible with our express v4 dep)
- Add smoke test suite (tests/smoke.test.ts):
  - Session initialization
  - Tool listing (all 7 tools)
  - Geocode tool call (when API key provided)
  - Multi-session concurrency (3 parallel sessions)
  - Run: npx tsx tests/smoke.test.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: add CI/CD workflows, ESLint, Prettier and npm scripts

- Add GitHub Actions CI workflow (build/lint/test on PR)
- Add GitHub Actions release workflow (E2E test + auto bump + npm publish on merge to main)
- Add ESLint 9 flat config with TypeScript and Prettier integration
- Add Prettier config matching existing code style
- Add npm scripts: test, test:e2e, lint, format, format:check
- Format all source files with Prettier
- Fix prefer-const and no-empty lint errors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: cablate

.github/workflows/ci.yml

@@ -0,0 +1,23 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - run: npm ci
+      - run: npm run build
+      - run: npm run lint
+      - run: npm run format:check
+
+      - name: Smoke Test
+        run: npm test

.github/workflows/release.yml

@@ -0,0 +1,48 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    # Skip automated version bump commits
+    if: "!contains(github.event.head_commit.message, 'chore: release')"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+
+      - run: npm ci
+      - run: npm run build
+      - run: npm run lint
+
+      - name: E2E Tests
+        run: npm run test:e2e
+        env:
+          GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
+
+      - name: Bump version
+        run: npm version patch --no-git-tag-version
+
+      - name: Publish to npm
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Commit version bump & tag
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add package.json package-lock.json
+          git commit -m "chore: release v${VERSION}"
+          git tag "v${VERSION}"
+          git push
+          git push --tags

.prettierrc

@@ -0,0 +1,7 @@
+{
+  "semi": true,
+  "singleQuote": false,
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "printWidth": 120
+}

eslint.config.js

@@ -0,0 +1,16 @@
+import eslint from "@eslint/js";
+import tseslint from "typescript-eslint";
+import prettierConfig from "eslint-config-prettier";
+
+export default tseslint.config(
+  { ignores: ["dist/", "test-new-api.js"] },
+  eslint.configs.recommended,
+  ...tseslint.configs.recommended,
+  prettierConfig,
+  {
+    rules: {
+      "@typescript-eslint/no-explicit-any": "warn",
+      "@typescript-eslint/no-unused-vars": ["warn", { argsIgnorePattern: "^_" }],
+    },
+  }
+);