Security fixes, new MCP tools, and quality improvements #1
Open
tomehb wants to merge 6 commits into DatanoiseTV:main from
- Migrate from CommonJS to ESM (Node16 module system)
- Add --context CLI flag for custom translation instructions
- Add context parameter to MCP tools for cultural adaptation
- Update default Gemini model to gemini-3-flash-preview
- Add GEMINI_MODEL and OPENAI_MODEL environment variable support
- Rewrite README with MCP-first focus and cultural adaptation examples
- Support multi-language translation in single MCP call
Examples of context usage:
- "Use Latin American Spanish, informal tone"
- "Adapt idioms for Japanese culture"
- "Target audience: medical professionals"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add detect_language tool for source language detection
- Add validate_translation tool for translation completeness verification
- Add translate_string tool for single string translations
- Add fork notice and prominent funding link for original developer
- Document all 5 MCP tools in README
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The MCP server requires the translator-ai CLI to be globally available.
Added clear instructions explaining npm link is required after building.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All MCP tools now display which AI provider and model was used:
- translate_json: Shows provider/model on success and error
- translate_multiple: Shows provider/model in output
- detect_language: Shows provider/model with detected language
- translate_string: Shows provider/model with translation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security (CRITICAL):
- Replace exec() with execFile() to prevent command injection attacks
- Add input validation for file paths (path traversal prevention)
- Add language code validation (format verification)
- Add context validation (length limits)
- Use argument arrays instead of string interpolation in shell commands
Bug Fixes:
- Fix uninitialized variable in ollama.ts extraction strategies
- Remove outdated @ts-ignore in gemini.ts (responseMimeType now in types)
Configuration:
- Rename jest.config.js to jest.config.cjs for ESM compatibility
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Path Validation:
- Remove overly aggressive shell metacharacter blocking that rejected {lang} placeholder
- Since we use execFile (not exec), shell metacharacters are safe
Jest Configuration:
- Add moduleNameMapper to resolve .js imports to .ts files
- Configure ts-jest with CommonJS mode for test compatibility
- Fix npm start to use compiled dist instead of ts-node
Test Fixes:
- Update geminiModel tests to expect gemini-3-flash-preview (new default)
- Update multiFile integration tests to match current output format
All 139 tests now pass.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
This PR includes critical security fixes, new features, and quality improvements for the translator-ai MCP server.
Security Fixes (Critical)
Command Injection Vulnerability - The MCP server used exec() with string interpolation, allowing arbitrary command execution:
Changes:
New Features
3 New MCP Tools
Context Parameter
Provider/Model Info
Bug Fixes
Configuration & Tests
Documentation
Attribution
This PR was developed with AI assistance (Claude Code). All changes have been human-reviewed and tested
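
The hardening pattern the description and commit messages name (argument arrays passed to `execFile()`, plus validation of paths, language codes and context), as an added example that is not the PR's own code. The regex, the 500-character limit, the `-l`/`-o` flag names and the helper names are assumptions; only `--context`, `{lang}` and the `translator-ai` command appear on this page.

```javascript
// Added example, not the PR's code. The regex, the 500-character limit and
// the -l / -o flag names are assumptions; --context and {lang} are from the page.
const LANG_RE = /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/; // es, pt-BR, zh-Hans
const MAX_CONTEXT = 500;

function checkLang(code) {
  if (typeof code !== 'string' || !LANG_RE.test(code)) {
    throw new Error(`invalid language code: ${JSON.stringify(code)}`);
  }
  return code;
}

function checkPath(p) {
  if (typeof p !== 'string' || p === '' || p.includes('\0')) {
    throw new Error('invalid path');
  }
  // execFile stops shell parsing, not option parsing: a value starting with
  // "-" would still be read by the CLI as a flag.
  if (p.startsWith('-')) throw new Error('path must not start with "-"');
  if (p.split(/[\\/]/).includes('..')) throw new Error('path traversal rejected');
  return p; // {lang}, spaces, ; and $ are fine: no shell ever sees them
}

function checkContext(ctx) {
  if (typeof ctx !== 'string' || ctx.length > MAX_CONTEXT) {
    throw new Error('context must be a string of at most 500 characters');
  }
  return ctx;
}

// One array element per argument; nothing is concatenated into a command line.
function buildArgs({ input, output, lang, context }) {
  const args = [checkPath(input), '-l', checkLang(lang), '-o', checkPath(output)];
  if (context !== undefined) args.push('--context', checkContext(context));
  return args;
}

// execFile is injected (pass child_process.execFile) so the argv can be
// inspected in tests. Validation throws before any process is started.
function runTranslator(execFile, request) {
  const args = buildArgs(request);
  return new Promise((resolve, reject) => {
    execFile('translator-ai', args, { timeout: 120000 }, (err, stdout) =>
      (err ? reject(err) : resolve(stdout)));
  });
}
```

The leading-dash check covers what `execFile()` alone does not: with no shell involved, metacharacters are inert, but the CLI's own option parser still interprets any argument that looks like a flag.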