add(plugin): mcp-server-dev — skills for building MCP servers

Three skills guiding developers through MCP server design:
- build-mcp-server: entry-point decision guide (remote HTTP vs MCPB vs local)
- build-mcp-app: interactive UI widgets rendered in chat
- build-mcpb: bundled local servers with runtime

Includes reference files for scaffolds, tool design, auth (DCR/CIMD),
widget templates, manifest schema, and local security hardening.

plugins/mcp-server-dev/skills/build-mcpb/SKILL.md

@@ -0,0 +1,179 @@
+---
+name: build-mcpb
+description: This skill should be used when the user wants to "package an MCP server", "bundle an MCP", "make an MCPB", "ship a local MCP server", "distribute a local MCP", discusses ".mcpb files", mentions bundling a Node or Python runtime with their MCP server, or needs an MCP server that interacts with the local filesystem, desktop apps, or OS and must be installable without the user having Node/Python set up.
+version: 0.1.0
+---
+
+# Build an MCPB (Bundled Local MCP Server)
+
+MCPB is a local MCP server **packaged with its runtime**. The user installs one file; it runs without needing Node, Python, or any toolchain on their machine. It's the sanctioned way to distribute local MCP servers.
+
+**Use MCPB when the server must run on the user's machine** — reading local files, driving a desktop app, talking to localhost services, OS-level APIs. If your server only hits cloud APIs, you almost certainly want a remote HTTP server instead (see `build-mcp-server`). Don't pay the MCPB packaging tax for something that could be a URL.
+
+---
+
+## What an MCPB bundle contains
+
+```
+my-server.mcpb              (zip archive)
+├── manifest.json           ← identity, entry point, permissions, config schema
+├── server/                 ← your MCP server code
+│   ├── index.js
+│   └── node_modules/       ← bundled dependencies (or vendored)
+├── runtime/                ← optional: pinned Node/Python if not using host's
+└── icon.png
+```
+
+The host reads `manifest.json`, launches the entry point as a **stdio** MCP server, and pipes messages. From your code's perspective it's identical to a local stdio server — the only difference is packaging.
+
+---
+
+## Manifest
+
+```json
+{
+  "name": "local-files",
+  "version": "0.1.0",
+  "description": "Read, search, and watch files on the local filesystem.",
+  "entry": {
+    "type": "node",
+    "main": "server/index.js"
+  },
+  "permissions": {
+    "filesystem": { "read": true, "write": false },
+    "network": false
+  },
+  "config": {
+    "rootDir": {
+      "type": "string",
+      "description": "Directory to expose. Defaults to ~/Documents.",
+      "default": "~/Documents"
+    }
+  }
+}
+```
+
+**`entry.type`** — `node`, `python`, or `binary`. Determines which bundled/host runtime launches `main`.
+
+**`permissions`** — declared upfront and shown to the user at install. Request the minimum. Broad permissions (`filesystem.write: true`, `network: true`) trigger scarier consent UI and more scrutiny.
+
+**`config`** — user-settable values surfaced in the host's settings UI. Your server reads them from env vars (`MCPB_CONFIG_<KEY>`).
+
+---
+
+## Server code: same as local stdio
+
+The server itself is a standard stdio MCP server. Nothing MCPB-specific in the tool logic.
+
+```typescript
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { readFile, readdir } from "node:fs/promises";
+import { join } from "node:path";
+import { homedir } from "node:os";
+
+const ROOT = (process.env.MCPB_CONFIG_ROOTDIR ?? "~/Documents")
+  .replace(/^~/, homedir());
+
+const server = new McpServer({ name: "local-files", version: "0.1.0" });
+
+server.tool(
+  "list_files",
+  "List files in a directory under the configured root.",
+  { path: z.string().default(".") },
+  async ({ path }) => {
+    const entries = await readdir(join(ROOT, path), { withFileTypes: true });
+    const list = entries.map(e => ({ name: e.name, dir: e.isDirectory() }));
+    return { content: [{ type: "text", text: JSON.stringify(list, null, 2) }] };
+  },
+);
+
+server.tool(
+  "read_file",
+  "Read a file's contents. Path is relative to the configured root.",
+  { path: z.string() },
+  async ({ path }) => {
+    const text = await readFile(join(ROOT, path), "utf8");
+    return { content: [{ type: "text", text }] };
+  },
+);
+
+const transport = new StdioServerTransport();
+await server.connect(transport);
+```
+
+**Sandboxing is your job.** The manifest permissions gate what the *host* allows the process to do, but don't rely on that alone — validate paths, refuse to escape `ROOT`, etc. See `references/local-security.md`.
+
+---
+
+## Build pipeline
+
+### Node
+
+```bash
+npm install
+npx esbuild src/index.ts --bundle --platform=node --outfile=server/index.js
+# or: copy node_modules wholesale if native deps resist bundling
+npx @modelcontextprotocol/mcpb pack . -o my-server.mcpb
+```
+
+`mcpb pack` zips the directory, validates `manifest.json`, and optionally pulls a pinned Node runtime into `runtime/`.
+
+### Python
+
+```bash
+pip install -t server/vendor -r requirements.txt
+npx @modelcontextprotocol/mcpb pack . -o my-server.mcpb --runtime python3.12
+```
+
+Vendor dependencies into a subdirectory and prepend it to `sys.path` in your entry script. Native extensions (numpy, etc.) must be built for each target platform — `mcpb pack --multiarch` cross-builds, but it's slow; avoid native deps if you can.
+
+---
+
+## Permissions: request the minimum
+
+The install prompt shows what you ask for. Every extra permission is friction.
+
+| Need | Request |
+|---|---|
+| Read files in one directory | `filesystem.read: true` + enforce root in code |
+| Write files | `filesystem.write: true` — justify in description |
+| Call a local HTTP service | `network: { "allow": ["localhost:*"] }` |
+| Call the internet | `network: true` — but ask yourself why this isn't a remote server |
+| Spawn processes | `process.spawn: true` — highest scrutiny |
+
+If you find yourself requesting `network: true` to hit a cloud API, stop — that's a remote server wearing an MCPB costume. The user gains nothing from running it locally.
+
+---
+
+## MCPB + UI widgets
+
+MCPB servers can serve UI resources exactly like remote MCP apps — the widget mechanism is transport-agnostic. A local file picker that browses the actual disk, a dialog that controls a native app, etc.
+
+Widget authoring is covered in the **`build-mcp-app`** skill; it works the same here. The only difference is where the server runs.
+
+---
+
+## Testing
+
+```bash
+# Run the server directly over stdio, poke it with the inspector
+npx @modelcontextprotocol/inspector node server/index.js
+
+# Pack and validate
+npx @modelcontextprotocol/mcpb pack . -o test.mcpb
+npx @modelcontextprotocol/mcpb validate test.mcpb
+
+# Install into Claude desktop for end-to-end
+npx @modelcontextprotocol/mcpb install test.mcpb
+```
+
+Test on a machine **without** your dev toolchain before shipping. "Works on my machine" failures in MCPB almost always trace to a dependency that wasn't actually bundled.
+
+---
+
+## Reference files
+
+- `references/manifest-schema.md` — full `manifest.json` field reference
+- `references/local-security.md` — path traversal, sandboxing, least privilege

plugins/mcp-server-dev/skills/build-mcpb/references/local-security.md

@@ -0,0 +1,111 @@
+# Local MCP Security
+
+An MCPB server runs as the user, with whatever permissions the manifest was granted. Claude drives it. That combination means: **tool inputs are untrusted**, even though they come from an AI the user trusts. A prompt-injected web page can make Claude call your `delete_file` tool with a path you didn't intend.
+
+Defense in depth. Manifest permissions are the outer wall; validation in your tool handlers is the inner wall.
+
+---
+
+## Path traversal
+
+The #1 bug in local MCP servers. If you take a path parameter and join it to a root, **resolve and check containment**.
+
+```typescript
+import { resolve, relative, isAbsolute } from "node:path";
+
+function safeJoin(root: string, userPath: string): string {
+  const full = resolve(root, userPath);
+  const rel = relative(root, full);
+  if (rel.startsWith("..") || isAbsolute(rel)) {
+    throw new Error(`Path escapes root: ${userPath}`);
+  }
+  return full;
+}
+```
+
+`resolve` normalizes `..`, symlink segments, etc. `relative` tells you if the result left the root. Don't just `String.includes("..")` — that misses encoded and symlink-based escapes.
+
+**Python equivalent:**
+
+```python
+from pathlib import Path
+
+def safe_join(root: Path, user_path: str) -> Path:
+    full = (root / user_path).resolve()
+    if not full.is_relative_to(root.resolve()):
+        raise ValueError(f"Path escapes root: {user_path}")
+    return full
+```
+
+---
+
+## Command injection
+
+If you spawn processes, **never pass user input through a shell**.
+
+```typescript
+// ❌ catastrophic
+exec(`git log ${branch}`);
+
+// ✅ array-args, no shell
+execFile("git", ["log", branch]);
+```
+
+If you're wrapping a CLI, build the full argv as an array. Validate each flag against an allowlist if the tool accepts flags at all.
+
+---
+
+## Read-only by default
+
+Split read and write into separate tools. Most workflows only need read. A tool that's read-only can't be weaponized into data loss no matter what Claude is tricked into calling it with.
+
+```
+list_files   ← safe to call freely
+read_file    ← safe to call freely
+write_file   ← separate tool, separate permission, separate scrutiny
+delete_file  ← consider not shipping this at all
+```
+
+If you ship write/delete, consider requiring a confirmation widget (see `build-mcp-app`) so the user explicitly approves each destructive call.
+
+---
+
+## Resource limits
+
+Claude will happily ask to read a 4GB log file. Cap everything:
+
+```typescript
+const MAX_BYTES = 1_000_000;
+const buf = await readFile(path);
+if (buf.length > MAX_BYTES) {
+  return {
+    content: [{
+      type: "text",
+      text: `File is ${buf.length} bytes — too large. Showing first ${MAX_BYTES}:\n\n`
+            + buf.subarray(0, MAX_BYTES).toString("utf8"),
+    }],
+  };
+}
+```
+
+Same for directory listings (cap entry count), search results (cap matches), and anything else unbounded.
+
+---
+
+## Secrets
+
+- **Config secrets** (`secret: true` in manifest): host stores in OS keychain, delivers via env var. Don't log them. Don't include them in tool results.
+- **Never store secrets in plaintext files.** If the host's keychain integration isn't enough, use `keytar` (Node) / `keyring` (Python) yourself.
+- **Tool results flow into the chat transcript.** Anything you return, the user (and any log export) can see. Redact before returning.
+
+---
+
+## Checklist before shipping
+
+- [ ] Every path parameter goes through containment check
+- [ ] No `exec()` / `shell=True` — `execFile` / array-argv only
+- [ ] Write/delete split from read tools
+- [ ] Size caps on file reads, listing lengths, search results
+- [ ] Manifest permissions match actual code behavior (no over-requesting)
+- [ ] Secrets never logged or returned in tool results
+- [ ] Tested with adversarial inputs: `../../etc/passwd`, `; rm -rf ~`, 10GB file

plugins/mcp-server-dev/skills/build-mcpb/references/manifest-schema.md

@@ -0,0 +1,132 @@
+# MCPB Manifest Schema
+
+Every `.mcpb` bundle has a `manifest.json` at its root. The host validates it before install.
+
+---
+
+## Top-level fields
+
+| Field | Type | Required | Notes |
+|---|---|---|---|
+| `name` | string | ✅ | Unique identifier. Lowercase, hyphens only. Shown in settings. |
+| `version` | string | ✅ | Semver. Host compares for update prompts. |
+| `description` | string | ✅ | One line. Shown in the install prompt. |
+| `entry` | object | ✅ | How to launch the server — see below. |
+| `permissions` | object | ✅ | What the server needs — see below. |
+| `config` | object | — | User-settable values surfaced in settings UI. |
+| `icon` | string | — | Path to PNG inside the bundle. 256×256 recommended. |
+| `homepage` | string | — | URL shown in settings. |
+| `minHostVersion` | string | — | Refuse install on older hosts. |
+
+---
+
+## `entry`
+
+```json
+{ "type": "node", "main": "server/index.js" }
+```
+
+| `type` | `main` points at | Runtime resolution |
+|---|---|---|
+| `node` | `.js` or `.mjs` file | `runtime/node` if present, else host-bundled Node |
+| `python` | `.py` file | `runtime/python` if present, else host-bundled Python |
+| `binary` | executable | Run directly. Must be built per-platform. |
+
+**`args`** (optional array) — extra argv passed to the entry. Rarely needed.
+
+**`env`** (optional object) — static env vars set at launch. For user-configurable values use `config` instead.
+
+---
+
+## `permissions`
+
+```json
+{
+  "filesystem": { "read": true, "write": false },
+  "network": { "allow": ["localhost:*", "127.0.0.1:*"] },
+  "process": { "spawn": false }
+}
+```
+
+### `filesystem`
+
+| Value | Meaning |
+|---|---|
+| `false` or omitted | No filesystem access beyond the bundle itself |
+| `{ "read": true }` | Read anywhere the OS user can |
+| `{ "read": true, "write": true }` | Read and write |
+
+There's no path scoping at the manifest level — scope in your code. The manifest permission is a coarse consent gate, not a sandbox.
+
+### `network`
+
+| Value | Meaning |
+|---|---|
+| `false` or omitted | No network (most local-first servers) |
+| `{ "allow": ["host:port", ...] }` | Allowlisted destinations. `*` wildcards ports. |
+| `true` | Unrestricted. Heavy scrutiny — explain why in `description`. |
+
+### `process`
+
+| Value | Meaning |
+|---|---|
+| `false` or omitted | Can't spawn child processes |
+| `{ "spawn": true }` | Can spawn. Needed for wrapping CLIs. |
+| `{ "spawn": true, "allow": ["git", "ffmpeg"] }` | Spawn only allowlisted binaries |
+
+---
+
+## `config`
+
+User-editable settings, surfaced in the host UI. Each key becomes an env var: `MCPB_CONFIG_<UPPERCASE_KEY>`.
+
+```json
+{
+  "config": {
+    "rootDir": {
+      "type": "string",
+      "description": "Directory to expose",
+      "default": "~/Documents"
+    },
+    "maxFileSize": {
+      "type": "number",
+      "description": "Skip files larger than this (MB)",
+      "default": 10,
+      "min": 1,
+      "max": 500
+    },
+    "includeHidden": {
+      "type": "boolean",
+      "description": "Include dotfiles in listings",
+      "default": false
+    },
+    "apiKey": {
+      "type": "string",
+      "description": "Optional API key for the sync feature",
+      "secret": true
+    }
+  }
+}
+```
+
+**`type`** — `string`, `number`, `boolean`. Enums: use `string` with `"enum": ["a", "b", "c"]`.
+
+**`secret: true`** — host masks the value in UI and stores it in the OS keychain instead of a plain config file.
+
+**`required: true`** — host blocks server launch until the user sets it. Use sparingly — a server that won't start until configured is a bad first-run experience.
+
+---
+
+## Minimal valid manifest
+
+```json
+{
+  "name": "hello",
+  "version": "0.1.0",
+  "description": "Minimal MCPB server.",
+  "entry": { "type": "node", "main": "server/index.js" },
+  "permissions": {}
+}
+```
+
+Empty `permissions` means no filesystem, no network, no spawn — pure computation only. Valid, if unusual.