chore(cursor): harden MCP SSE config, tighten settings, and improve CI gates

haz3141 · haz3141 · commit 60423e172248 · 2025-09-06T20:12:56.000-04:00
diff --git a/.cursor/environment.json b/.cursor/environment.json
@@ -1,6 +1,7 @@
 {
   "commands": {
-    "dev:mcp": "uvicorn mcp-server.server:app --reload --host 127.0.0.1 --port 8000",
+    "dev:mcp": "uvicorn mcp_server.server:app --reload --host 127.0.0.1 --port 8765",
+    "health": "curl -fsS http://127.0.0.1:8765/healthz || curl -fsS http://127.0.0.1:8765/ | head -n 1",
     "test": "pytest -q",
     "test:security": "pytest lab/security/tests/ -v",
     "test:integration": "pytest lab/tests/ -v",
@@ -11,11 +12,11 @@
     "lint": "ruff check .",
     "format": "ruff format . && black .",
     "format:check": "ruff format --check . && black --check .",
-    "docs:check": "find docs/ -name '*.md' -exec grep -L '<!-- Version:' {} \\;",
-    "health": "curl -s http://127.0.0.1:8000/health | jq ."
+    "docs:check": "find docs/ -name '*.md' -exec grep -L '<!-- Version:' {} \\;"
   },
   "environment": {
     "PYTHONPATH": ".",
-    "LOG_LEVEL": "INFO"
+    "LOG_LEVEL": "INFO",
+    "GUARDIAN_ALLOW_TOOLS": "health,tools/search_docs,tools/summarize"
   }
 }
diff --git a/.cursor/mcp.json b/.cursor/mcp.json
@@ -1,7 +1,8 @@
 [
   {
     "name": "lab-server",
-    "url": "http://127.0.0.1:8000",
+    "url": "http://127.0.0.1:8765/sse",
+    "method": "sse",
     "allowTools": [
       "search_docs",
       "summarize",
@@ -13,6 +14,7 @@
       "audit_by_tool"
     ],
     "timeout": 30,
-    "retries": 3
+    "retries": 3,
+    "gracePeriodSec": 2
   }
 ]
diff --git a/.cursor/settings.json b/.cursor/settings.json
@@ -5,5 +5,26 @@
   "contextWindow": 128000,
   "includeCodeContext": true,
   "includeGitContext": true,
-  "includeTerminalContext": true
+  "includeTerminalContext": true,
+  "includePaths": [
+    "app/",
+    "lab/",
+    "mcp_server/",
+    "docs/",
+    "tests/",
+    "evidence/",
+    ".github/workflows/"
+  ],
+  "excludePaths": [
+    "node_modules/",
+    ".venv/",
+    "__pycache__/",
+    "*.pyc",
+    "data/",
+    "logs/",
+    ".coverage",
+    "coverage.xml",
+    "evidence/**/artifacts/**"
+  ],
+  "contextCap": 50000
 }
diff --git a/.cursorignore b/.cursorignore
@@ -0,0 +1,60 @@
+# Large datasets and temporary files
+data/**
+*.ipynb_checkpoints/
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Coverage files
+.coverage
+coverage.xml
+.coverage.*
+
+# Test cache
+.pytest_cache/
+.mypy_cache/
+
+# Logs
+logs/
+*.log
+
+# Environment files
+.env
+.env.local
+.env.*.local
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Node modules
+node_modules/
+
+# Evidence artifacts
+evidence/**/artifacts/**
+
+# Git
+.git/
diff --git a/.github/workflows/cursor-audit.yml b/.github/workflows/cursor-audit.yml
@@ -0,0 +1,54 @@
+name: Cursor MCP Audit
+
+on:
+  pull_request:
+    paths:
+      - '.cursor/**'
+      - '.vscode/**'
+      - '.cursorignore'
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run pre-commit
+        uses: pre-commit/action@v3.0.0
+
+      - name: MCP Server Health Check
+        run: |
+          uvicorn mcp_server.server:app --host 127.0.0.1 --port 8765 --log-level info &
+          SERVER_PID=$!
+          sleep 5
+          curl -fsS http://127.0.0.1:8765/healthz || curl -fS http://127.0.0.1:8765/ >/dev/null
+          kill $SERVER_PID
+        timeout-minutes: 2
+
+      - name: Validate Cursor Configs (JSON)
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          jq empty .cursor/mcp.json
+          jq empty .cursor/settings.json
+          jq empty .cursor/environment.json
+          jq empty .vscode/settings.json
+
+      - name: Check PR Size (≤300 changed LOC)
+        run: |
+          MERGE_BASE=$(git merge-base origin/${{ github.base_ref }} HEAD)
+          CHANGED_LINES=$(git diff --numstat "$MERGE_BASE"...HEAD | awk '{add+=$1; del+=$2} END {print add+del}')
+          echo "Changed LOC: $CHANGED_LINES"
+          if [ "${CHANGED_LINES:-0}" -gt 300 ]; then
+            echo "PR size exceeds 300 LOC limit: $CHANGED_LINES"
+            exit 1
+          fi

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,8 @@`
`1`	`1`	`[`
`2`	`2`	`{`
`3`	`3`	`"name": "lab-server",`
`4`		`- "url": "http://127.0.0.1:8000",`
	`4`	`+ "url": "http://127.0.0.1:8765/sse",`
	`5`	`+ "method": "sse",`
`5`	`6`	`"allowTools": [`
`6`	`7`	`"search_docs",`
`7`	`8`	`"summarize",`
`@@ -13,6 +14,7 @@`
`13`	`14`	`"audit_by_tool"`
`14`	`15`	`],`
`15`	`16`	`"timeout": 30,`
`16`		`- "retries": 3`
	`17`	`+ "retries": 3,`
	`18`	`+ "gracePeriodSec": 2`
`17`	`19`	`}`
`18`	`20`	`]`