Skip to content

Security hardening: token validation, docs, release guide#8

Open
MikkohChen wants to merge 8 commits intotaskade:mainfrom
MikkohChen:security-hardening
Open

Security hardening: token validation, docs, release guide#8
MikkohChen wants to merge 8 commits intotaskade:mainfrom
MikkohChen:security-hardening

Conversation

@MikkohChen
Copy link

@MikkohChen MikkohChen commented Dec 19, 2025
edited by cursor bot
Loading

Security Hardening Implementation

Summary

Security-first hardening for Taskade MCP Server: token validation, HTTPS warning, and operational documentation.

Changes

  • Security: validate TASKADE_API_KEY (missing/empty/short) and refuse unsafe startup
  • Security: HTTPS warning when running in HTTP mode
  • Docs: SECURITY.md, .env.example, Claude Desktop + Cursor config guides, RELEASING.md
  • Tooling: pnpm-based workflow enforced by packageManager

QA Results (Local)

Check Result
pnpm -C packages/server run build ✅ PASS
pnpm run lint ✅ PASS
Token validation (missing) ✅ PASS
Token validation (invalid/short) ✅ PASS
HTTPS warning output ✅ PASS

Deferred (Intentional)

⚠️ CI workflow yarn→pnpm migration deferred to avoid upstream conflict:

  • .github/workflows/release.yml uses yarn install
  • .github/workflows/force-release.yml uses yarn install
  • Repo enforces pnpm via packageManager field
  • Recommend: separate PR for CI fix after upstream alignment

Testing

pnpm install
pnpm -C packages/server run build
pnpm run lint

Files Changed

File Type
packages/server/.env.example New
SECURITY.md New
packages/server/src/cli.ts Modified (token validation)
packages/server/src/http.ts Modified (HTTPS warning)
docs/CLAUDE_DESKTOP_CONFIG.md New
docs/CURSOR_SSE_CONFIG.md New
docs/RELEASING.md New
README.md Modified (security + docs sections)

Note

Validates TASKADE_API_KEY and warns on HTTP/SSE, adds security/integration/release docs, and adopts pnpm workspace/tooling.

  • Security (Server):
    • Validate TASKADE_API_KEY in packages/server/src/cli.ts (exit on missing/empty/short).
    • Add startup HTTPS/SSE warning and require access_token in packages/server/src/http.ts.
  • Docs:
    • Add SECURITY.md, docs/CLAUDE_DESKTOP_CONFIG.md, docs/CURSOR_SSE_CONFIG.md, and docs/RELEASING.md.
    • Update README.md with Documentation and Security sections; add .env.example for TASKADE_API_KEY.
  • Build/Tooling:
    • Adopt pnpm: set root packageManager, add pnpm-workspace.yaml, and update server build script to use pnpm.

Written by Cursor Bugbot for commit 6b7b168. This will update automatically on new commits. Configure here.

@changeset-bot
Copy link

changeset-bot bot commented Dec 19, 2025

⚠️ No Changeset found

Latest commit: 6b7b168

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MikkohChen