feat(MCP): enhance Desktop Extension with validation and fixes

 Security & Configuration:
  - Security: Replace execSync with execFileSync to prevent command injection
  - Detect and handle unexpanded ${user_config.*} template variables
  - Require fully qualified paths in Extension Mode (file/directory pickers)
  - Auto-detect qsv binary from PATH with version validation (>= 13.0.0)

  Bug Fixes:
  - Fix tool schema: remove duplicate 'input' parameter (conflicted with 'input_file')
  - Add METADATA_CACHE_TTL_MS and QSV_VALIDATION_TIMEOUT_MS constants
  - Improve version regex to support pre-release versions (e.g., 13.0.0-mimalloc)

  Extension Mode Enhancements:
  - Validate qsv binary path on every config change (server restart)
  - Provide Extension Mode-specific error messages and fix instructions
  - Enhanced initialization logging with clear success/failure indicators

  Testing:
  - Add comprehensive integration tests (tests/qsv-integration.test.ts)
  - 10 tests covering qsv commands: count, headers, select, search, stats, sort, frequency
  - Test filesystem metadata caching and error handling

  All 27 MCP tools now working correctly in Claude Desktop Extension.

Author: jqnatividad

.claude/skills/manifest.json

@@ -39,7 +39,6 @@
       "args": ["${__dirname}/server/mcp-server.js"],
       "env": {
         "QSV_MCP_BIN_PATH": "${user_config.qsv_path}",
-        "QSV_MCP_WORKING_DIR": "${user_config.working_dir}",
         "QSV_MCP_ALLOWED_DIRS": "${user_config.allowed_dirs}",
         "QSV_MCP_TIMEOUT_MS": "${user_config.timeout_ms}",
         "QSV_MCP_MAX_OUTPUT_SIZE": "${user_config.max_output_size}",
@@ -52,7 +51,6 @@
         "win32": {
           "env": {
             "QSV_MCP_BIN_PATH": "${user_config.qsv_path}",
-            "QSV_MCP_WORKING_DIR": "${user_config.working_dir}",
             "QSV_MCP_ALLOWED_DIRS": "${user_config.allowed_dirs}"
           }
         }
@@ -61,17 +59,16 @@
   },
   "user_config": {
     "qsv_path": {
-      "type": "string",
+      "type": "file",
       "title": "qsv Binary Path",
-      "description": "Path to qsv executable. Install qsv first from: https://github.com/dathere/qsv#installation",
-      "required": false,
-      "default": "qsv"
+      "description": "Full path to qsv executable. Click 'Browse' to locate it (usually /usr/local/bin/qsv or /opt/homebrew/bin/qsv on macOS). Install from: https://github.com/dathere/qsv#installation",
+      "required": true
     },
     "working_dir": {
       "type": "directory",
       "title": "Default Working Directory",
-      "description": "Directory where qsv commands run by default. Leave empty to use Downloads folder automatically. Extension only accesses files within this directory and allowed directories below.",
-      "required": false
+      "description": "Directory where qsv commands run by default. Click 'Browse' to select your Downloads folder or another directory. Extension only accesses files within this directory and allowed directories below.",
+      "required": true
     },
     "allowed_dirs": {
       "type": "directory",

.claude/skills/qsv-mcp-server.mcpb

@@ -9,6 +9,11 @@ import { homedir, tmpdir } from 'os';
 import { join } from 'path';
 import { execSync, execFileSync } from 'child_process';
 
+/**
+ * Timeout for qsv binary validation commands in milliseconds (5 seconds)
+ */
+const QSV_VALIDATION_TIMEOUT_MS = 5000;
+
 /**
  * Expand template variables in strings
  * Supports: ${HOME}, ${USERPROFILE}, ${DESKTOP}, ${DOCUMENTS}, ${DOWNLOADS}, ${TEMP}, ${TMPDIR}
@@ -96,6 +101,12 @@ function parseFloatEnv(envVar: string, defaultValue: number, min?: number, max?:
   return parsed;
 }
 
+/**
+ * Regular expression to detect unexpanded template variables from Claude Desktop
+ * Matches ${user_config.*} patterns that indicate an empty/unset configuration field
+ */
+const UNEXPANDED_TEMPLATE_REGEX = /\$\{user_config\.[^}]+\}/;
+
 /**
  * Get string from environment variable with default
  * Expands template variables like ${HOME}, ${USERPROFILE}, etc.
@@ -106,7 +117,7 @@ function getStringEnv(envVar: string, defaultValue: string): string {
   const value = process.env[envVar];
   // Treat empty string, null, undefined, or unexpanded template as missing - use default
   // Unexpanded template happens when Claude Desktop config field is empty
-  if (!value || value.trim() === '' || value.includes('${user_config.')) {
+  if (!value || value.trim() === '' || UNEXPANDED_TEMPLATE_REGEX.test(value)) {
     return expandTemplateVars(defaultValue);
   }
   return expandTemplateVars(value);
@@ -184,10 +195,14 @@ function detectQsvBinaryPath(): string | null {
 
 /**
  * Parse version string from qsv --version output
- * Example: "qsv 0.135.0" -> "0.135.0"
+ * Examples:
+ *   "qsv 0.135.0" -> "0.135.0"
+ *   "qsv 0.135.0-alpha.1" -> "0.135.0-alpha.1"
+ *   "qsv 0.135.0+build.123" -> "0.135.0+build.123"
  */
 function parseQsvVersion(versionOutput: string): string | null {
-  const match = versionOutput.match(/qsv\s+(\d+\.\d+\.\d+)/);
+  // Match semantic version with optional pre-release and build metadata
+  const match = versionOutput.match(/qsv\s+(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)/);
   return match ? match[1] : null;
 }
 
@@ -218,7 +233,7 @@ export function validateQsvBinary(binPath: string): QsvValidationResult {
     const result = execFileSync(binPath, ['--version'], {
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'pipe'],
-      timeout: 5000 // 5 second timeout
+      timeout: QSV_VALIDATION_TIMEOUT_MS
     });
 
     const version = parseQsvVersion(result);
@@ -254,16 +269,26 @@ export function validateQsvBinary(binPath: string): QsvValidationResult {
 
 /**
  * Initialize qsv binary path with auto-detection and validation
+ *
+ * This function runs at server startup and validates the qsv binary.
+ * In Extension Mode, Claude Desktop restarts the server whenever the user
+ * changes the qsv binary path setting, so validation occurs on every change.
+ *
  * Priority:
- * 1. Explicit QSV_MCP_BIN_PATH environment variable
- * 2. Auto-detected path from system PATH
- * 3. Fall back to 'qsv' (will likely fail validation if not in PATH)
+ * 1. Explicit QSV_MCP_BIN_PATH environment variable (user-configured path)
+ * 2. Auto-detected path from system PATH (via which/where command)
+ * 3. Fall back to 'qsv' (legacy MCP mode only)
+ *
+ * In Extension Mode, always requires a fully qualified path and valid qsv binary
+ * (version >= 13.0.0). Invalid paths or versions will fail validation with clear
+ * error messages shown in server logs.
  */
 function initializeQsvBinaryPath(): { path: string; validation: QsvValidationResult } {
+  const inExtensionMode = getBooleanEnv('MCPB_EXTENSION_MODE', false);
   const explicitPath = process.env['QSV_MCP_BIN_PATH'];
 
-  // If user explicitly configured a path, use it
-  if (explicitPath) {
+  // If user explicitly configured a path (non-empty), use it
+  if (explicitPath && explicitPath.trim() !== '' && !UNEXPANDED_TEMPLATE_REGEX.test(explicitPath)) {
     const expanded = expandTemplateVars(explicitPath);
     const validation = validateQsvBinary(expanded);
     return { path: expanded, validation };
@@ -274,12 +299,26 @@ function initializeQsvBinaryPath(): { path: string; validation: QsvValidationRes
   if (detectedPath) {
     const validation = validateQsvBinary(detectedPath);
     if (validation.valid) {
+      // In extension mode, ensure path is fully qualified
       return { path: detectedPath, validation };
     }
-    // Detected but invalid - fall through to default
+    // Detected but invalid version - continue to fallback
+  }
+
+  // Extension mode requires fully qualified, valid qsv binary
+  if (inExtensionMode) {
+    return {
+      path: detectedPath || 'qsv',
+      validation: {
+        valid: false,
+        error: detectedPath
+          ? `qsv binary found at ${detectedPath} but version validation failed. Please install qsv ${MINIMUM_QSV_VERSION} or higher from https://github.com/dathere/qsv#installation`
+          : `qsv binary not found in PATH. Extension mode requires qsv to be installed. Please install from https://github.com/dathere/qsv#installation and ensure it's in your system PATH.`,
+      },
+    };
   }
 
-  // Fall back to 'qsv' (will work if in PATH, otherwise will fail)
+  // Legacy MCP mode: Fall back to 'qsv' (will work if in PATH, otherwise will fail)
   const fallbackPath = 'qsv';
   const validation = validateQsvBinary(fallbackPath);
   return { path: fallbackPath, validation };
@@ -330,7 +369,7 @@ export const config = {
   allowedDirs: (() => {
     const envValue = process.env['QSV_MCP_ALLOWED_DIRS'];
     // Treat empty, undefined, or unexpanded template as empty array
-    if (!envValue || envValue.trim() === '' || envValue.includes('${user_config.')) {
+    if (!envValue || envValue.trim() === '' || UNEXPANDED_TEMPLATE_REGEX.test(envValue)) {
       return [];
     }
 

.claude/skills/src/config.ts

@@ -12,6 +12,11 @@ import type { McpResource, McpResourceContent, FileInfo, FileMetadata } from './
 import { formatBytes } from './utils.js';
 import { config } from './config.js';
 
+/**
+ * Cache expiration time in milliseconds (1 minute)
+ */
+const METADATA_CACHE_TTL_MS = 60000;
+
 export interface FilesystemConfig {
   /**
    * Working directory for relative paths (defaults to process.cwd())
@@ -261,7 +266,7 @@ export class FilesystemResourceProvider {
     if (cached) {
       const age = Date.now() - cached.cachedAt;
       // Cache for 60 seconds
-      if (age < 60000) {
+      if (age < METADATA_CACHE_TTL_MS) {
         console.error(`[Filesystem] Using cached metadata for ${basename(filePath)} (age: ${Math.round(age / 1000)}s)`);
         return cached;
       }
@@ -324,7 +329,19 @@ export class FilesystemResourceProvider {
   }
 
   /**
-   * Run a qsv command and return stdout
+   * Execute a qsv command and return its stdout output
+   *
+   * @param args - Command arguments to pass to qsv binary
+   * @returns Promise resolving to the command's stdout output
+   * @throws Error if the command fails or exits with non-zero code
+   *
+   * @remarks
+   * This method spawns the qsv binary specified in config and accumulates
+   * stdout/stderr output in memory. For commands that may produce large
+   * outputs, consider adding size limits or streaming mechanisms.
+   *
+   * Note: This method does not set a timeout, so it may hang indefinitely
+   * if the qsv process becomes unresponsive.
    */
   private async runQsvCommand(args: string[]): Promise<string> {
     return new Promise((resolve, reject) => {

.claude/skills/src/mcp-filesystem.ts

@@ -13,8 +13,6 @@ import {
   ListResourcesRequestSchema,
   ListToolsRequestSchema,
   ReadResourceRequestSchema,
-  ListPromptsRequestSchema,
-  GetPromptRequestSchema,
 } from '@modelcontextprotocol/sdk/types.js';
 
 import { SkillLoader } from './loader.js';
@@ -90,10 +88,17 @@ class QsvMcpServer {
    * Initialize the server and register handlers
    */
   async initialize(): Promise<void> {
+    console.error('');
+    console.error('='.repeat(60));
+    console.error('QSV MCP SERVER INITIALIZATION');
+    console.error('='.repeat(60));
+    console.error('');
+
     // Load all skills
-    console.error('Loading QSV skills...');
+    console.error('[Init] Loading QSV skills...');
     const skills = await this.loader.loadAll();
-    console.error(`Loaded ${skills.size} skills`);
+    console.error(`[Init] ✓ Loaded ${skills.size} skills`);
+    console.error('');
 
     // Validate qsv binary
     this.logQsvValidation();
@@ -102,22 +107,21 @@ class QsvMcpServer {
     await this.checkForUpdates();
 
     // Register tool handlers
-    console.error('About to register tool handlers...');
+    console.error('[Init] Registering tool handlers...');
     this.registerToolHandlers();
-    console.error('Tool handlers registered');
+    console.error('[Init] ✓ Tool handlers registered');
+    console.error('');
 
     // Register resource handlers
-    console.error('About to register resource handlers...');
+    console.error('[Init] Registering resource handlers...');
     this.registerResourceHandlers();
-    console.error('Resource handlers registered');
-
-    // Prompts converted to tools (qsv_welcome and qsv_examples)
-    // Prompt handlers no longer needed
-    // console.error('About to register prompt handlers...');
-    // this.registerPromptHandlers();
-    // console.error('Prompt handlers registered');
+    console.error('[Init] ✓ Resource handlers registered');
+    console.error('');
 
-    console.error('QSV MCP Server initialized successfully');
+    console.error('='.repeat(60));
+    console.error('✅ QSV MCP SERVER READY');
+    console.error('='.repeat(60));
+    console.error('');
   }
 
   /**
@@ -137,13 +141,23 @@ class QsvMcpServer {
       console.error('❌ qsv binary validation FAILED');
       console.error(`   ${validation.error}`);
       console.error('');
-      console.error('⚠️  The MCP server may not function correctly without a valid qsv binary');
+      console.error('⚠️  The extension will not function without a valid qsv binary');
       console.error('');
-      console.error('To fix this:');
-      console.error('   1. Install qsv from: https://github.com/dathere/qsv#installation');
-      console.error('   2. Ensure qsv is in your PATH, or');
-      console.error('   3. Set QSV_MCP_BIN_PATH to the absolute path of your qsv binary');
-      console.error('   4. Restart the MCP server or Claude Desktop');
+
+      if (config.isExtensionMode) {
+        console.error('To fix this in Claude Desktop:');
+        console.error('   1. Install qsv from: https://github.com/dathere/qsv#installation');
+        console.error('   2. Ensure qsv is in your system PATH');
+        console.error('   3. Open Claude Desktop Settings > Extensions > qsv');
+        console.error(`   4. Update "qsv Binary Path" to the correct path (or leave as "qsv" if in PATH)`);
+        console.error('   5. Save settings (extension will auto-restart and re-validate)');
+      } else {
+        console.error('To fix this:');
+        console.error('   1. Install qsv from: https://github.com/dathere/qsv#installation');
+        console.error('   2. Ensure qsv is in your PATH, or');
+        console.error('   3. Set QSV_MCP_BIN_PATH to the absolute path of your qsv binary');
+        console.error('   4. Restart the MCP server');
+      }
       console.error('');
     }
   }
@@ -224,13 +238,15 @@ class QsvMcpServer {
           if (skill) {
             const toolDef = createToolDefinition(skill);
             tools.push(toolDef);
+            console.error(`[Server] ✓ Loaded tool: ${toolDef.name}`);
           } else {
-            console.error(`Warning: Failed to load skill ${skillName}`);
+            console.error(`[Server] ✗ Failed to load skill: ${skillName}`);
           }
         } catch (error) {
-          console.error(`Error creating tool definition for ${skillName}:`, error);
+          console.error(`[Server] ✗ Error creating tool definition for ${skillName}:`, error);
         }
       }
+      console.error(`[Server] Loaded ${tools.length} common command tools`);
 
       // Add generic qsv_command tool
       console.error('[Server] Adding generic command tool...');
@@ -311,9 +327,13 @@ class QsvMcpServer {
         },
       });
 
-      console.error(`Registered ${tools.length} tools`);
+      console.error(`[Server] Registered ${tools.length} tools`);
+      console.error(`[Server] Tool names: ${tools.map(t => t.name).join(', ')}`);
+
+      const response = { tools };
+      console.error(`[Server] Returning ${response.tools.length} tools to client`);
 
-        return { tools };
+        return response;
       });
       console.error('[Server] Tool handlers registered successfully');
     } catch (error) {

.claude/skills/src/mcp-server.ts

@@ -18,6 +18,11 @@ import { formatBytes, findSimilarFiles } from './utils.js';
  */
 const AUTO_INDEX_SIZE_MB = 10;
 
+/**
+ * Maximum number of files to show in welcome message
+ */
+const MAX_WELCOME_FILES = 10;
+
 /**
  * Commands that always return full CSV data and should use temp files
  */
@@ -304,6 +309,11 @@ export function createToolDefinition(skill: QsvSkill): McpToolDefinition {
   // Add positional arguments
   if (skill.command.args && Array.isArray(skill.command.args)) {
     for (const arg of skill.command.args) {
+      // Skip 'input' argument - we already have 'input_file' which maps to this
+      if (arg.name === 'input') {
+        continue;
+      }
+
       properties[arg.name] = {
         type: mapArgumentType(arg.type),
         description: arg.description,
@@ -916,8 +926,7 @@ export async function handleWelcomeTool(filesystemProvider?: FilesystemProviderE
       const { resources } = await filesystemProvider.listFiles(undefined, false);
 
       if (resources.length > 0) {
-        const maxFiles = 10;
-        const filesToShow = resources.slice(0, maxFiles);
+        const filesToShow = resources.slice(0, MAX_WELCOME_FILES);
         const workingDir = filesystemProvider.getWorkingDirectory();
 
         fileListingSection = `\n## 📁 Available Files in Your Working Directory
@@ -950,11 +959,13 @@ I found ${resources.length} file${resources.length !== 1 ? 's' : ''} in \`${work
           fileListingSection += `| ${fileName} | ${fileSize} | ${fileType} | ${fileDate} |\n`;
         });
 
-        if (resources.length > maxFiles) {
-          fileListingSection += `\n_... and ${resources.length - maxFiles} more file${resources.length - maxFiles !== 1 ? 's' : ''}_\n`;
+        if (resources.length > MAX_WELCOME_FILES) {
+          fileListingSection += `\n_... and ${resources.length - MAX_WELCOME_FILES} more file${resources.length - MAX_WELCOME_FILES !== 1 ? 's' : ''}_\n`;
         }
 
-        fileListingSection += `\n**Tip:** Use these file names in qsv commands, for example:\n- \`qsv_stats with input_file: "${filesToShow[0].name}"\`\n- \`qsv_headers with input_file: "${filesToShow[0].name}"\`\n`;
+        if (filesToShow.length > 0) {
+          fileListingSection += `\n**Tip:** Use these file names in qsv commands, for example:\n- \`qsv_stats with input_file: "${filesToShow[0].name}"\`\n- \`qsv_headers with input_file: "${filesToShow[0].name}"\`\n`;
+        }
       }
     } catch (error) {
       console.error('Error listing files for welcome tool:', error);