fix: address code review findings from quality gate

- Guard response.json() with try-catch for non-JSON responses (502s, CDN errors)
- Add AbortSignal.timeout(30s) to prevent hanging on unresponsive API
- Validate VALIDKIT_API_URL requires https:// to prevent SSRF
- Only send Content-Type header on POST requests (not GET)
- Fix isDirectRun detection using import.meta.url (works with npx/symlinks)
- Change tsconfig module/moduleResolution to Node16 for correct ESM resolution
- Add 4 new tests covering all fixes (34 total, 100% coverage)

Author: jesse-validkit

src/index.test.ts

@@ -467,7 +467,7 @@ describe('ValidKit MCP Server', () => {
       );
     });
 
-    it('GET requests do not include body', async () => {
+    it('GET requests do not include body or Content-Type', async () => {
       const { client } = await createTestClient();
       mockFetchResponse(200, { used: 0, limit: 1000 });
 
@@ -478,6 +478,66 @@ describe('ValidKit MCP Server', () => {
 
       const callArgs = mockFetch.mock.calls[0][1];
       expect(callArgs.body).toBeUndefined();
+      expect(callArgs.headers['Content-Type']).toBeUndefined();
+    });
+
+    it('POST requests include Content-Type', async () => {
+      const { client } = await createTestClient();
+      mockFetchResponse(200, { email: 'a@b.com', valid: true });
+
+      await client.callTool({
+        name: 'validate_email',
+        arguments: { email: 'a@b.com' },
+      });
+
+      const callArgs = mockFetch.mock.calls[0][1];
+      expect(callArgs.headers['Content-Type']).toBe('application/json');
+    });
+
+    it('rejects non-https VALIDKIT_API_URL', async () => {
+      process.env.VALIDKIT_API_URL = 'http://evil.com';
+      const { client } = await createTestClient();
+
+      const result = await client.callTool({
+        name: 'validate_email',
+        arguments: { email: 'test@gmail.com' },
+      });
+
+      expect(result.isError).toBe(true);
+      expect(getText(result)).toContain('must use https://');
+    });
+
+    it('handles non-JSON API response gracefully', async () => {
+      const { client } = await createTestClient();
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 502,
+        json: async () => {
+          throw new SyntaxError('Unexpected token <');
+        },
+      });
+
+      const result = await client.callTool({
+        name: 'validate_email',
+        arguments: { email: 'test@gmail.com' },
+      });
+
+      expect(result.isError).toBe(true);
+      expect(getText(result)).toContain('Non-JSON response');
+      expect(getText(result)).toContain('502');
+    });
+
+    it('includes abort signal for timeout', async () => {
+      const { client } = await createTestClient();
+      mockFetchResponse(200, { email: 'a@b.com', valid: true });
+
+      await client.callTool({
+        name: 'validate_email',
+        arguments: { email: 'a@b.com' },
+      });
+
+      const callArgs = mockFetch.mock.calls[0][1];
+      expect(callArgs.signal).toBeDefined();
     });
 
     it('missing API key error on bulk endpoint', async () => {

src/index.ts

@@ -1,12 +1,20 @@
 #!/usr/bin/env node
+import { fileURLToPath } from 'node:url';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
 
 export const VERSION = '1.1.0';
+const REQUEST_TIMEOUT_MS = 30_000;
 
 export function getApiBaseUrl(): string {
-  return process.env.VALIDKIT_API_URL || 'https://api.validkit.com';
+  const url = process.env.VALIDKIT_API_URL || 'https://api.validkit.com';
+  if (!url.startsWith('https://')) {
+    throw new Error(
+      `VALIDKIT_API_URL must use https:// (got "${url}")`
+    );
+  }
+  return url;
 }
 
 export function getApiKey(): string {
@@ -28,15 +36,26 @@ export async function callApi(
 
   const response = await fetch(`${getApiBaseUrl()}${path}`, {
     method,
+    signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
     headers: {
       'X-API-Key': apiKey,
-      'Content-Type': 'application/json',
       'User-Agent': `validkit-mcp/${VERSION}`,
+      ...(body !== undefined ? { 'Content-Type': 'application/json' } : {}),
     },
     ...(body !== undefined ? { body: JSON.stringify(body) } : {}),
   });
 
-  const data = await response.json();
+  let data: unknown;
+  try {
+    data = await response.json();
+  } catch {
+    data = {
+      error: {
+        message: `Non-JSON response (HTTP ${response.status})`,
+      },
+    };
+  }
+
   return { ok: response.ok, status: response.status, data };
 }
 
@@ -224,11 +243,8 @@ async function main() {
   await server.connect(transport);
 }
 
-// Only auto-start when run directly (not when imported by tests)
-const isDirectRun =
-  process.argv[1] &&
-  (process.argv[1].endsWith('/index.js') ||
-    process.argv[1].endsWith('/index.ts'));
+const currentFile = fileURLToPath(import.meta.url);
+const isDirectRun = process.argv[1] === currentFile;
 
 if (isDirectRun) {
   main().catch((error) => {

tsconfig.json

@@ -1,15 +1,15 @@
 {
   "compilerOptions": {
     "target": "ES2022",
-    "module": "ES2022",
+    "module": "Node16",
     "lib": ["ES2022"],
     "outDir": "./dist",
     "rootDir": "./src",
     "strict": true,
     "esModuleInterop": true,
     "skipLibCheck": true,
     "forceConsistentCasingInFileNames": true,
-    "moduleResolution": "bundler",
+    "moduleResolution": "Node16",
     "resolveJsonModule": true,
     "declaration": true,
     "declarationMap": true,