Fix security vulnerabilities identified by CodeQL

- Fix information exposure: return generic error instead of stack traces in sse.ts
- Add missing rate limiting to root route in index.ts

Author: bhosmer-ant

mcp-server/src/handlers/sse.ts

@@ -88,7 +88,7 @@ export async function handleMessage(req: Request, res: Response) {
 
     body = JSON.stringify(req.body);
   } catch (error) {
-    res.status(400).json(error);
+    res.status(400).json({ error: "Bad request" });
     logger.error('Bad POST request', error as Error, {
       sessionId,
       contentType: req.headers['content-type']

mcp-server/src/index.ts

@@ -229,7 +229,7 @@ app.get("/styles.css", staticFileRateLimit, (req, res) => {
 });
 
 // Splash page
-app.get("/", (req, res) => {
+app.get("/", staticFileRateLimit, (req, res) => {
   const splashPath = path.join(__dirname, "static", "index.html");
   res.sendFile(splashPath);
 });