Do not allow decofile/release endpoints

Signed-off-by: Marcos Candeia <[email protected]>

Author: mcandeia

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@deco/mcp",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "exports": "./mod.ts",
   "tasks": {
     "check": "deno fmt && deno lint && deno check mod.ts"

mcp/server.ts

@@ -282,6 +282,7 @@ function registerTools<TManifest extends AppManifest>(
   });
 }
 
+const UNAUTHORIZED_PATHS = ["/live/release", "/.decofile"];
 const MESSAGES_ENDPOINT = "/mcp/messages";
 export function mcpServer<TManifest extends AppManifest>(
   deco: Deco<TManifest>,
@@ -346,6 +347,9 @@ export function mcpServer<TManifest extends AppManifest>(
       transport.close(); // Close the transport after handling the message
       return response;
     }
+    if (UNAUTHORIZED_PATHS.some((p) => path.startsWith(p))) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
     await next();
   };
 }

mcp/utils.ts

@@ -29,7 +29,7 @@ export function dereferenceSchema(
     const referencedSchema = definitions[refId];
 
     // Save the original schema metadata (excluding $ref)
-    const { $ref, ...originalMetadata } = schema;
+    const { $ref: _, ...originalMetadata } = schema;
 
     // Merge the original metadata with the dereferenced schema
     return {