Skip to content

Commit e493588

Browse files
committed
Merge branch 'feat/v1.9.0-master-pr' - v1.9.0 Release
MCP Server v1.9.0 delivering MCP streaming protocol with progress notifications, Piscina-based worker thread pool, Streamable HTTP transport, upstream v10.20.0 sync, comprehensive security dependency updates, and 689 tests (up from 563). Features: #13 streaming, #15 workers, HTTP transport, #26 upstream sync Security: #43 qs, #45/#52 SDK, #50 diff, #51 lodash, #16 Trivy, #19 grunt-chmod Maintenance: #14 test coverage, #20 dead code removal
2 parents 65e9eed + 60d3b9d commit e493588

37 files changed

Lines changed: 23704 additions & 432 deletions

.github/workflows/security-scan.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -117,7 +117,7 @@ jobs:
117117
format: 'table'
118118
severity: ${{ steps.severity.outputs.level }}
119119
vuln-type: 'os,library'
120-
exit-code: '0'
120+
exit-code: '1'
121121

122122
dependency-scan:
123123
name: Dependency Vulnerability Scan

CHANGELOG.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [1.9.0] - 2026-02-05
11+
12+
### Added
13+
- **MCP Streaming Protocol** (closes #13): `executeWithStreamingProgress()` sends `notifications/progress` via MCP SDK progress token mechanism
14+
- **Worker Thread Pool with Piscina** (closes #15): CPU-intensive operations offloaded to worker threads with configurable pool size
15+
- **Streamable HTTP Transport**: Transport factory supporting stdio (default) or HTTP via `CYBERCHEF_TRANSPORT=http`
16+
- **`cyberchef_worker_stats` tool**: Monitor worker pool utilization at runtime
17+
- New `src/node/transports.mjs` transport factory (stdio/HTTP)
18+
- New `src/node/worker.mjs` worker thread script for Piscina
19+
- New `src/node/worker-pool.mjs` worker pool manager
20+
- New test files: handler-dispatch, config-variations, worker-pool, transports
21+
- 9 new environment variables for transport, worker pool, and worker routing configuration
22+
23+
### Changed
24+
- **Upstream Sync v10.20.0** (closes #26): Merged 10 modified operations (Argon2, DeriveEVPKey, Filter, FindReplace, JSONBeautify, PHPDeserialize, RAKE, Register, RegularExpression, Subsection)
25+
- **Test Suites**: 126 new tests (total: 689 tests, all passing) (closes #14)
26+
- **Coverage Thresholds**: Raised to 75% lines/stmts, 90% functions, 70% branches
27+
- **Coverage**: 75.64% lines, 71.98% branches, 91.5% functions
28+
29+
### Security
30+
- `@modelcontextprotocol/sdk` ^1.22.0 -> ^1.26.0 (fixes #45, #52)
31+
- `lodash` ^4.17.21 -> ^4.17.23 (fixes #51)
32+
- `diff` ^5.2.0 -> ^5.2.2 (fixes #50)
33+
- `qs >=6.14.1` override added (fixes #43)
34+
- Trivy container scan now fails CI on vulnerabilities (closes #16)
35+
- `grunt-chmod` replaced with native `fs.chmod` (closes #19)
36+
- **elliptic (#46):** No fix available - documented for tracking
37+
38+
### Removed
39+
- Dead `BufferPool` class code from mcp-server.mjs (closes #20)
40+
- Commented-out `CPU_INTENSIVE_OPERATIONS` set (moved to worker-pool.mjs)
41+
1042
## [1.8.0] - 2025-12-17
1143

1244
### Added

CLAUDE.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,13 @@ Guidance for Claude Code when working with this repository.
44

55
## Project Overview
66

7-
**CyberChef MCP Server** (v1.8.0) - Fork of GCHQ CyberChef wrapping the Node.js API into an MCP server. Exposes 300+ operations (encryption, encoding, compression, forensics) as AI assistant tools.
7+
**CyberChef MCP Server** (v1.9.0) - Fork of GCHQ CyberChef wrapping the Node.js API into an MCP server. Exposes 300+ operations (encryption, encoding, compression, forensics) as AI assistant tools.
88

99
| Metric | Value |
1010
|--------|-------|
11-
| MCP Version | 1.8.0 |
12-
| Tests | 563 (100% passing) |
13-
| Coverage | 74.97% lines, 90.39% functions |
11+
| MCP Version | 1.9.0 |
12+
| Tests | 689 (100% passing) |
13+
| Coverage | 75.64% lines, 91.5% functions |
1414

1515
**Focus:** MCP server (`src/node/mcp-server.mjs`), not the web app.
1616

@@ -38,7 +38,7 @@ npm start # Dev server with hot reload
3838
npm run build # Production build
3939
npm run lint # ESLint (zero errors required)
4040
npm test # Core unit tests
41-
npm run test:mcp # MCP server tests (563 tests)
41+
npm run test:mcp # MCP server tests (689 tests)
4242
npm run test:coverage # Coverage report (thresholds: 70% lines/functions)
4343
npm run testnodeconsumer # Test CJS/ESM consumers
4444
```
@@ -131,5 +131,5 @@ git tag -a v1.x.x -F docs/releases/v1.x.x.md && git push origin v1.x.x
131131
| Guides | `docs/guides/commands.md` (MCP tools), `user_guide.md` (installation) |
132132
| Planning | `docs/planning/ROADMAP.md`, `docs/planning/phases/overview.md` |
133133
| Security | `docs/security/audit.md` |
134-
| Releases | `docs/releases/v1.8.0.md` (latest), `v1.7.3.md`, `v1.7.2.md`, `v1.7.1.md`, `v1.7.0.md` ... `v1.0.0.md` |
134+
| Releases | `docs/releases/v1.9.0.md` (latest), `v1.8.0.md`, `v1.7.3.md`, `v1.7.2.md`, `v1.7.1.md`, `v1.7.0.md` ... `v1.0.0.md` |
135135
| Internal | `docs/internal/tech-debt-analysis-v1.6.1.md` (project health: 8.9/10) |

Gruntfile.js

Lines changed: 35 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -73,13 +73,46 @@ module.exports = function (grunt) {
7373
});
7474

7575

76+
grunt.registerTask("chmod",
77+
"Sets file permissions on build output using native fs",
78+
function() {
79+
const done = this.async();
80+
const fs = require("fs");
81+
const buildPath = path.resolve("build");
82+
/**
83+
* Recursively sets 755 permissions on a directory and its contents.
84+
*
85+
* @param {string} dir - Directory path to chmod
86+
*/
87+
function chmodRecursive(dir) {
88+
if (!fs.existsSync(dir)) return;
89+
const entries = fs.readdirSync(dir, { withFileTypes: true });
90+
for (const entry of entries) {
91+
const fullPath = path.join(dir, entry.name);
92+
fs.chmodSync(fullPath, 0o755);
93+
if (entry.isDirectory()) {
94+
chmodRecursive(fullPath);
95+
}
96+
}
97+
fs.chmodSync(dir, 0o755);
98+
}
99+
try {
100+
chmodRecursive(buildPath);
101+
grunt.log.ok("Set permissions 755 on build/**/*");
102+
done();
103+
} catch (err) {
104+
grunt.log.error("chmod failed: " + err.message);
105+
done(false);
106+
}
107+
});
108+
109+
76110
// Load tasks provided by each plugin
77111
grunt.loadNpmTasks("grunt-eslint");
78112
grunt.loadNpmTasks("grunt-webpack");
79113
grunt.loadNpmTasks("grunt-contrib-clean");
80114
grunt.loadNpmTasks("grunt-contrib-copy");
81115
grunt.loadNpmTasks("grunt-contrib-watch");
82-
grunt.loadNpmTasks("grunt-chmod");
83116
grunt.loadNpmTasks("grunt-exec");
84117
grunt.loadNpmTasks("grunt-concurrent");
85118
grunt.loadNpmTasks("grunt-contrib-connect");
@@ -318,14 +351,7 @@ module.exports = function (grunt) {
318351
]
319352
}
320353
},
321-
chmod: {
322-
build: {
323-
options: {
324-
mode: "755",
325-
},
326-
src: ["build/**/*", "build/"]
327-
}
328-
},
354+
// chmod replaced by custom 'chmod' task registered below
329355
watch: {
330356
config: {
331357
files: ["src/core/operations/**/*", "!src/core/operations/index.mjs"],

README.md

Lines changed: 50 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ This project provides a **Model Context Protocol (MCP)** server interface for **
44

55
By running this server, you enable AI assistants (like Claude, Cursor AI, and others) to natively utilize CyberChef's extensive library of 463 data manipulation operations—including encryption, encoding, compression, and forensic analysis—as executable tools.
66

7-
**Latest Release:** v1.8.0 | [Release Notes](docs/releases/v1.8.0.md) | [Security Policy](SECURITY.md) | [Security Fixes Report](docs/security/SECURITY_FIX_REPORT.md)
7+
**Latest Release:** v1.9.0 | [Release Notes](docs/releases/v1.9.0.md) | [Security Policy](SECURITY.md) | [Security Fixes Report](docs/security/SECURITY_FIX_REPORT.md)
88

99
![CyberChef MCP Banner](images/CyberChef-MCP_Banner-Logo.jpg)
1010

@@ -64,19 +64,25 @@ The server exposes CyberChef operations as MCP tools:
6464
- Shows deprecation warnings triggered in current session
6565
- Reports session duration, suppression status, and v2 compatibility mode
6666
- Lists all 8 deprecation codes (DEP001-DEP008) with details
67+
* **Worker Thread Pool** (v1.9.0): CPU-intensive operations offloaded to worker threads
68+
* `cyberchef_worker_stats` - Monitor worker pool utilization, active/completed tasks, and pool configuration
69+
* Enable with `ENABLE_WORKERS=true` environment variable
70+
* Configurable pool size, idle timeout, and minimum input size for worker routing
6771

6872
### Technical Highlights
6973
* **Dockerized**: Runs as a lightweight, self-contained Docker container based on Chainguard distroless Node.js 22 (~90MB compressed, 70% smaller attack surface than traditional images).
7074
* **Dual-Registry Publishing**: Images published to both Docker Hub and GitHub Container Registry (GHCR) for maximum accessibility and Docker Scout health score optimization.
7175
* **Supply Chain Attestations**: SBOM and provenance attestations attached to Docker Hub images for enhanced security transparency and compliance (SLSA Build Level 3).
72-
* **Stdio Transport**: Communicates via standard input/output, making it easy to integrate with CLI-based MCP clients.
76+
* **Dual Transport** (v1.9.0): Stdio (default) or Streamable HTTP via `CYBERCHEF_TRANSPORT=http` for browser and remote clients.
77+
* **MCP Streaming with Progress** (v1.9.0): Operations send `notifications/progress` via the MCP SDK progress token mechanism for real-time status updates during long-running tasks.
78+
* **Worker Thread Pool** (v1.9.0): Piscina-based worker threads offload CPU-intensive operations (AES, Blowfish, bcrypt, scrypt, PBKDF2, etc.) to prevent event loop blocking. Configurable pool size and routing thresholds.
7379
* **Schema Validation**: All inputs are validated against schemas derived from CyberChef's internal type system using `zod`.
7480
* **Modern Node.js**: Fully compatible with Node.js v22+ with automated compatibility patches.
7581
* **Recipe Management** (v1.6.0): Save and reuse multi-operation workflows with full CRUD operations, import/export in multiple formats (JSON/YAML/URL/CyberChef), recipe composition with nesting support, and curated library of 25+ production-ready recipes across 5 categories. See [Recipe Management Guide](docs/guides/recipe_management.md) for details.
7682
* **Advanced Features** (v1.7.0): Enterprise-grade capabilities with batch processing (parallel/sequential execution of up to 100 operations), privacy-first telemetry collection (disabled by default, no input/output data captured), sliding window rate limiting for resource protection, enhanced caching with inspection tools, and resource quota tracking (concurrent operations, data sizes). All features are configurable via environment variables with secure defaults. See [Release Notes](docs/releases/v1.7.0.md) for details.
7783
* **Enhanced Observability** (v1.5.0): Structured JSON logging with Pino for production monitoring, comprehensive error handling with actionable recovery suggestions, automatic retry logic with exponential backoff, request correlation with UUID tracking, circuit breaker pattern for cascading failure prevention, and streaming infrastructure for progressive results on large operations. See [Release Notes](docs/releases/v1.5.0.md) for details.
7884
* **Performance Optimized** (v1.4.0): LRU cache for operation results (100MB default), automatic streaming for large inputs (10MB+ threshold), configurable resource limits (100MB max input, 30s timeout), memory monitoring, and comprehensive benchmark suite. See [Performance Tuning Guide](docs/architecture/performance-tuning.md) for configuration options.
79-
* **Upstream Sync Automation** (v1.3.0): Automated monitoring of upstream CyberChef releases every 6 hours, one-click synchronization workflow, comprehensive validation test suite with 563 tests, and emergency rollback mechanism.
85+
* **Upstream Sync Automation** (v1.3.0): Automated monitoring of upstream CyberChef releases every 6 hours, one-click synchronization workflow, comprehensive validation test suite with 689 tests, and emergency rollback mechanism.
8086
* **Security Hardened** (v1.4.5+): Chainguard distroless base image with zero-CVE baseline, non-root execution (UID 65532), automated Trivy vulnerability scanning with build-fail thresholds, dual SBOM strategy (Docker Scout attestations + CycloneDX), read-only filesystem support, SLSA Build Level 3 provenance, and 7-day SLA for critical CVE patches. Fixed 11 of 12 code scanning vulnerabilities including critical cryptographic randomness weakness and 7 ReDoS vulnerabilities. See [Security Policy](SECURITY.md) and [Security Fixes Report](docs/security/SECURITY_FIX_REPORT.md) for details.
8187
* **Production Ready**: Comprehensive CI/CD with CodeQL v4, automated testing, and dual-registry container publishing (Docker Hub + GHCR) with complete supply chain attestations.
8288

@@ -109,17 +115,17 @@ For environments without direct GHCR access, download the pre-built Docker image
109115
1. **Download the tarball** (approximately 90MB compressed):
110116
```bash
111117
# Download from GitHub Releases
112-
wget https://github.com/doublegate/CyberChef-MCP/releases/download/v1.8.0/cyberchef-mcp-v1.8.0-docker-image.tar.gz
118+
wget https://github.com/doublegate/CyberChef-MCP/releases/download/v1.9.0/cyberchef-mcp-v1.9.0-docker-image.tar.gz
113119
```
114120

115121
2. **Load the image into Docker:**
116122
```bash
117-
docker load < cyberchef-mcp-v1.8.0-docker-image.tar.gz
123+
docker load < cyberchef-mcp-v1.9.0-docker-image.tar.gz
118124
```
119125

120126
3. **Tag for easier usage:**
121127
```bash
122-
docker tag ghcr.io/doublegate/cyberchef-mcp_v1:v1.8.0 cyberchef-mcp
128+
docker tag ghcr.io/doublegate/cyberchef-mcp_v1:v1.9.0 cyberchef-mcp
123129
```
124130

125131
4. **Run the server:**
@@ -264,12 +270,23 @@ CYBERCHEF_MAX_CONCURRENT_OPS=10 # Maximum concurrent operations
264270
V2_COMPATIBILITY_MODE=false # Enable v2.0.0 behavior preview (elevates warnings to errors)
265271
CYBERCHEF_SUPPRESS_DEPRECATIONS=false # Suppress deprecation warnings
266272
273+
# Transport (v1.9.0+)
274+
CYBERCHEF_TRANSPORT=stdio # Transport type: stdio or http
275+
CYBERCHEF_HTTP_PORT=3000 # HTTP transport port
276+
CYBERCHEF_HTTP_HOST=127.0.0.1 # HTTP transport bind address
277+
278+
# Worker Thread Pool (v1.9.0+)
279+
CYBERCHEF_WORKER_MIN_THREADS=1 # Minimum worker threads
280+
CYBERCHEF_WORKER_MAX_THREADS=4 # Maximum worker threads
281+
CYBERCHEF_WORKER_IDLE_TIMEOUT=30000 # Worker idle timeout in milliseconds
282+
CYBERCHEF_WORKER_MIN_INPUT_SIZE=1024 # Minimum input size for worker routing (bytes)
283+
267284
# Performance (v1.4.0+)
268285
CYBERCHEF_MAX_INPUT_SIZE=104857600 # Maximum input size (100MB)
269286
CYBERCHEF_OPERATION_TIMEOUT=30000 # Operation timeout in milliseconds (30s)
270287
CYBERCHEF_STREAMING_THRESHOLD=10485760 # Streaming threshold (10MB)
271288
CYBERCHEF_ENABLE_STREAMING=true # Enable streaming for large operations
272-
CYBERCHEF_ENABLE_WORKERS=false # Enable worker threads (disabled by default, not yet implemented)
289+
CYBERCHEF_ENABLE_WORKERS=false # Enable worker threads (disabled by default)
273290
CYBERCHEF_CACHE_MAX_SIZE=104857600 # Cache maximum size (100MB)
274291
CYBERCHEF_CACHE_MAX_ITEMS=1000 # Cache maximum items
275292
```
@@ -321,6 +338,24 @@ docker run -i --rm \
321338
ghcr.io/doublegate/cyberchef-mcp_v1:latest
322339
```
323340

341+
**Worker Thread Pool for CPU-Intensive Operations (v1.9.0+)**
342+
```bash
343+
docker run -i --rm \
344+
-e ENABLE_WORKERS=true \
345+
-e CYBERCHEF_WORKER_MAX_THREADS=8 \
346+
-e CYBERCHEF_WORKER_IDLE_TIMEOUT=60000 \
347+
ghcr.io/doublegate/cyberchef-mcp_v1:latest
348+
```
349+
350+
**HTTP Transport for Browser/Remote Clients (v1.9.0+)**
351+
```bash
352+
docker run --rm -p 3000:3000 \
353+
-e CYBERCHEF_TRANSPORT=http \
354+
-e CYBERCHEF_HTTP_PORT=3000 \
355+
-e CYBERCHEF_HTTP_HOST=0.0.0.0 \
356+
ghcr.io/doublegate/cyberchef-mcp_v1:latest
357+
```
358+
324359
For detailed performance tuning guidance, see the [Performance Tuning Guide](docs/architecture/performance-tuning.md).
325360

326361
### Performance Benchmarks
@@ -480,7 +515,7 @@ CyberChef MCP Server has a comprehensive development roadmap spanning **19 relea
480515
|-------|----------|----------|-------|--------|
481516
| **Phase 1: Foundation** | v1.2.0 - v1.4.6 | Q4 2025 - Q1 2026 | Security hardening, upstream sync, performance | **Completed** |
482517
| **Phase 2: Enhancement** | v1.5.0 - v1.7.3 | Q2 2026 | Streaming, recipe management, batch processing | **Completed** |
483-
| **Phase 3: Maturity** | v1.8.0 - v2.0.0 | Q3 2026 | API stabilization, external tool integration, v2.0.0 | **v1.8.0 Released** |
518+
| **Phase 3: Maturity** | v1.8.0 - v2.0.0 | Q3 2026 | API stabilization, external tool integration, v2.0.0 | **v1.9.0 Released** |
484519
| **Phase 4: Expansion** | v2.1.0 - v2.3.0 | Q4 2026 | Multi-modal, advanced transports, plugins | Planned |
485520
| **Phase 5: Enterprise** | v2.4.0 - v2.6.0 | Q1 2027 | OAuth 2.1, RBAC, Kubernetes, observability | Planned |
486521
| **Phase 6: Evolution** | v2.7.0 - v3.0.0 | Q2-Q3 2027 | Edge deployment, AI-native features, v3.0.0 | Planned |
@@ -546,6 +581,7 @@ Detailed documentation is organized in the [`docs/`](docs/) directory:
546581
* [**Security Fixes Report**](docs/security/SECURITY_FIX_REPORT.md): Detailed report of 11 vulnerability fixes (ReDoS and cryptographic weaknesses)
547582
* [**Security Fixes Summary**](docs/security/SECURITY_FIXES_SUMMARY.md): Quick reference for recent security improvements
548583
* [**v2.0.0 Breaking Changes**](docs/v2.0.0-breaking-changes.md): Comprehensive migration guide for v2.0.0 with deprecation codes, examples, and FAQ
584+
* [**Release Notes v1.9.0**](docs/releases/v1.9.0.md): MCP streaming, worker thread pool, HTTP transport, upstream v10.20.0, security updates, 689 tests
549585
* [**Release Notes v1.8.0**](docs/releases/v1.8.0.md): Breaking changes preparation - deprecation warnings, migration preview tool, v2.0.0 compatibility mode
550586
* [**Release Notes v1.7.3**](docs/releases/v1.7.3.md): Reference documentation and v2.0.0 integration planning - 42 new documentation files, comprehensive security tool reference
551587
* [**Release Notes v1.7.2**](docs/releases/v1.7.2.md): CI improvements, test expansion, documentation updates - enhanced workflows, 150 new tests, corrected metrics
@@ -631,7 +667,7 @@ All workflows use the latest CodeQL Action v4 for security scanning and SARIF up
631667
# Run all tests (requires Node.js 22+)
632668
npm test
633669
634-
# Run MCP validation test suite (563 tests with Vitest)
670+
# Run MCP validation test suite (689 tests with Vitest)
635671
npm run test:mcp
636672
637673
# Run MCP tests with coverage report
@@ -652,11 +688,11 @@ npm run lint
652688
```
653689

654690
**Test Coverage:**
655-
The MCP server maintains comprehensive test coverage across 15 test suites:
656-
- **563 total tests** covering all MCP server components (increased from 493 in v1.7.2)
657-
- **Coverage thresholds**: 70% lines/statements/functions, 65% branches
658-
- **Current coverage**: 74.97% lines, 74.97% statements, 90.39% functions, 71.62% branches
659-
- Test suites: coverage-improvement, deprecation, errors, logger, mcp-server, migration-preview, real-server-handlers, recipe-manager, recipe-storage, recipe-validator, retry, server-integration, streaming, v1.7.0, validation
691+
The MCP server maintains comprehensive test coverage across 19 test suites:
692+
- **689 total tests** covering all MCP server components (increased from 563 in v1.8.0)
693+
- **Coverage thresholds**: 75% lines/statements, 90% functions, 70% branches
694+
- **Current coverage**: 75.64% lines, 75.7% statements, 91.5% functions, 71.98% branches
695+
- Test suites: config-variations, coverage-improvement, deprecation, errors, handler-dispatch, logger, mcp-server, migration-preview, real-server-handlers, recipe-manager, recipe-storage, recipe-validator, retry, server-integration, streaming, transports, v1.7.0, validation, worker-pool
660696
- Note: Coverage variation occurs as new features are added; mcp-server.mjs currently has lower coverage due to extensive integration code
661697

662698
## Contributing

0 commit comments

Comments
 (0)