v0.3.2 — Cross-platform paths and security hardening
·
56 commits
to main
since this release
Immutable
release. Only release title and notes can be modified.
What's fixed
Cross-platform config paths (TODO #4)
Cursor and Windsurf store MCP configs in home-relative directories on all platforms — including Windows. The previous code incorrectly routed them through `%APPDATA%`, causing silent detection failures for Windows users with Cursor or Windsurf installed.
| Client | macOS | Linux | Windows (before) | Windows (now) |
|---|---|---|---|---|
| Claude Desktop | `~/Library/Application Support/Claude/` | `~/.config/Claude/` | `%APPDATA%\Claude\` | `%APPDATA%\Claude\` ✓ |
| Cursor | `~/.cursor/` | `~/.cursor/` | `%APPDATA%\.cursor\` ✗ | `~/.cursor/` ✓ |
| VS Code | `~/Library/Application Support/Code/User/` | `~/.config/Code/User/` | `%APPDATA%\Code\User\` | `%APPDATA%\Code\User\` ✓ |
| Windsurf | `~/.codeium/windsurf/` | `~/.codeium/windsurf/` | `%APPDATA%\.codeium\windsurf\` ✗ | `~/.codeium/windsurf/` ✓ |
Security hardening
- APPDATA traversal guard: `%APPDATA%` is now validated as an absolute Windows path via `path.win32.isAbsolute()` before use. Relative or traversal values (e.g. `../../etc`) fall back to homedir. Regression test added.
- Consistent clientId validation: `mcpm install --client ` now validates the client name against the known list before casting, matching the pattern used in other commands. Unknown client names fail fast with a clear error listing valid values.
Tests
822 tests passing.