add MCP server for runtime resource lookup #72

Closed
KhaiTrang1995 wants to merge 5 commits into cobusgreyling:main from KhaiTrang1995:main

@KhaiTrang1995

Contributor

Summary

Changes

MCP server exposes loop-engineering patterns, skills, state, budget,
and safety docs as queryable resources via Model Context Protocol.
Agents can query what they need on-demand instead of prompt stuffing.

Resources: registry, config, budget, run-log, safety, patterns/{id},
skills/{name}, state/{file}

Tools: list_patterns, list_skills, list_state_files, get_pattern,
get_skill, get_state, recommend_pattern, estimate_cost

Includes 16 tests, CI gate integration, and MCP config example.

Checklist (from CONTRIBUTING)

  • All required sections present for patterns
  • Links work from README, patterns/README, starters/README, docs/index
  • No secrets, tokens, internal company URLs
  • STATE.md* examples use .example suffix
  • Safety-related content references docs/safety.md
  • Ran node tools/loop-audit/dist/cli.js . (or on the starter) and addressed findings

Testing / Dogfood

  • loop-audit passes on affected starters or this repo
  • Manual review of generated state / skill output

Screenshots / Examples (if UI or command output)


This template enforces the high bar this reference is known for.

KhaiTrang1995 and others added 2 commits June 26, 2026 07:42
MCP server exposes loop-engineering patterns, skills, state, budget,
and safety docs as queryable resources via Model Context Protocol.
Agents can query what they need on-demand instead of prompt stuffing.

Resources: registry, config, budget, run-log, safety, patterns/{id},
skills/{name}, state/{file}

Tools: list_patterns, list_skills, list_state_files, get_pattern,
get_skill, get_state, recommend_pattern, estimate_cost

Includes 16 tests, CI gate integration, and MCP config example.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
feat(mcp-server): add MCP server for runtime resource lookup

@cobusgreyling cobusgreyling left a comment

Owner

Thanks, CI passed. This is a large addition so I need a bit more time to review the MCP server code before approving. Will follow up soon.

@KhaiTrang1995

Contributor Author

Thanks for the heads-up! Take your time with the review.
By the way, I just noticed that zod hasn't been added to the dependencies yet. I'll push a quick fix for this right away.

KhaiTrang1995 and others added 3 commits June 26, 2026 16:41
…ation tests

zod was imported in src/index.ts but only resolved transitively via
@modelcontextprotocol/sdk, so the build could break if the SDK changed
its zod range. Declare it explicitly in dependencies.

Add 4 integration tests that spawn the real server over stdio and exercise
the index.ts tool/resource handlers (tools/list, loop_list_patterns,
loop_estimate_cost, pattern resource read), complementing the existing
resolver-level unit tests. Suite now 20/20 passing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(mcp-server): declare zod as direct dependency + add server integration tests

@cobusgreyling cobusgreyling left a comment

Owner

Strong contribution — MCP runtime lookup is exactly the right direction for reducing prompt stuffing. Not merge-ready yet; a few gaps to close first.

What's good:

  • zod is now in dependencies ✓ (fixes the issue you flagged)
  • Committed dist/ matches loop-audit / loop-init convention ✓
  • CI gate wired in scripts/ci-validate-gates.sh + root test:mcp-server
  • 16 tests + example config at examples/mcp/loop-engineering.mcp.json
  • Resource surface (registry, patterns, skills, state, budget, safety) is well-scoped

Required before merge:

  1. Path traversal guard on user-supplied IDs: loadPatternDoc(root, patternId) does path.join(root, 'patterns', `${patternId}.md`) with no validation. A patternId like ../README could escape. Add an allowlist check against registry.yaml ids (you already load the registry) or reject any id containing "/", "\", or "..".

  2. Same for get_skill / skill name args — validate against listSkills() results before reading.

  3. README / discoverability cross-links — add loop-mcp-server to:

    • root README.md Quick Links table
    • docs/primitives-matrix.md (MCP row — "reference server ships with this repo")
    • examples/README.md
  4. npm publish path — other tools ship as @cobusgreyling/loop-* on npm. Either:

    • add a release workflow for @cobusgreyling/loop-mcp-server, or
    • document clearly as "run from repo / npx github:" only for v1 (and say so in README)
  5. Complete the PR checklist — several boxes still unchecked in the description.

Nice-to-have (can follow in a fast follow PR):

  • recommend_pattern tool: document decision logic or add tests for each picker branch
  • estimate_cost tool: delegate to loop-cost logic or note it's approximate
  • Consider LOOP_PROJECT_ROOT validation (resolve + ensure expected markers like patterns/registry.yaml exist)

Rebase on latest main when ready — happy to re-review quickly once the path guards and README links land.

@cobusgreyling

Owner

Thanks again for this — I rebased your branch onto latest main and pushed the path-guard + discoverability fixes to #87 (fix/pr-72-mcp-path-guards).

What landed on top of your work:

  • loadPatternDoc / loadState now allowlist IDs and reject .. / path separators
  • 2 regression tests in tools/mcp-server/test/server.test.mjs
  • README / primitives matrix / examples cross-links
  • Repo-only v1 install note (npm publish can follow)

If #87 merges, you'll get full credit in the merge commit. Happy to co-author or adjust anything — shout if you'd prefer to cherry-pick b1252e8 onto your branch instead.

cobusgreyling added a commit that referenced this pull request Jun 29, 2026
feat(mcp-server): runtime resource lookup + path guards (#72)
@cobusgreyling

Owner

Superseded by #87 (merged) — path guards + docs included. Thanks @KhaiTrang1995!

pull Bot pushed a commit to Ricky-G/loop-engineering that referenced this pull request Jun 29, 2026
…reyling#72)

- Allowlist pattern IDs via registry / patterns dir listing
- Allowlist state files; reject .. / slashes in user-supplied segments
- Add regression tests for traversal attempts
- Cross-link from README, primitives matrix, examples README
- Document repo-only v1 install in mcp-server README

Builds on community PR cobusgreyling#72 by @KhaiTrang1995
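
The guard requested in the review above and summarised in the follow-up commit (allowlist the id, reject ".." and path separators), shown next to the unguarded join, as an added example that is not code from this PR or repository. The names unsafePatternPath, safePatternPath and check, the root path and the registry ids are assumptions constructed for illustration.

```javascript
const path = require('node:path');

// The join the review flags: patternId flows straight into the path.
function unsafePatternPath(root, patternId) {
  return path.join(root, 'patterns', `${patternId}.md`);
}

// Guarded version (hypothetical helper): syntactic reject, allowlist, containment.
function safePatternPath(root, patternId, allowedIds) {
  if (typeof patternId !== 'string' || patternId.length === 0) {
    throw new Error('pattern id must be a non-empty string');
  }
  // Reject separators, NUL and ".." before anything touches the filesystem.
  if (/[\/\\\0]/.test(patternId) || patternId.includes('..')) {
    throw new Error(`illegal characters in pattern id: ${JSON.stringify(patternId)}`);
  }
  // Allowlist: only ids the registry actually declares.
  if (!allowedIds.has(patternId)) {
    throw new Error(`unknown pattern id: ${JSON.stringify(patternId)}`);
  }
  // Defence in depth: the resolved path must stay under <root>/patterns.
  const base = path.resolve(root, 'patterns');
  const target = path.resolve(base, `${patternId}.md`);
  if (!target.startsWith(base + path.sep)) {
    throw new Error('resolved path escapes patterns directory');
  }
  return target;
}

// Constructed sample data (not the repo's real root or registry contents).
const ROOT = '/srv/loop-engineering';
const REGISTRY_IDS = new Set(['sample-pattern-a', 'sample-pattern-b']);

// Wraps the guard so a tool handler can return an error instead of throwing.
function check(id) {
  try {
    return { ok: true, path: safePatternPath(ROOT, id, REGISTRY_IDS) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

for (const id of ['sample-pattern-a', '../README', '..\\README', 'a/b', 'not-in-registry']) {
  console.log(JSON.stringify(id), '->', JSON.stringify(check(id)));
}
```

The same three checks apply to skill names and state file names, with the allowlist taken from the corresponding listing instead of the registry.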