M117 closeout — MCP pinning + hook property tests

Issue	Deliverable	Tests
#1462	`/ork:doctor` warns when HIGH-tier MCP servers in `.mcp.json` resolve to `@latest`	18 / 18 (bash)
#1452	`fast-check` property tests for 9 hook handlers + input validator (200 inputs each)	11 / 11 (vitest)

Issue

Deliverable

Tests

#1462

/ork:doctor warns when HIGH-tier MCP servers in .mcp.json resolve to @latest

18 / 18 (bash)

#1452

fast-check property tests for 9 hook handlers + input validator (200 inputs each)

11 / 11 (vitest)

MCP pinning check — interactive

Paste a .mcp.json below to see what /ork:doctor would emit. The classifier runs locally in this page (same logic as src/skills/doctor/scripts/check-mcp-pinning.sh).

Click Run check.

Tier source-of-truth

Tier	Criteria	Packages
HIGH	Pre-1.0 upstream, API may change without notice	`@21st-dev/magic`, `agentation-mcp`
MED	Active upstream, semver, used in many skills	`@upstash/context7-mcp`, `tavily-mcp`, `fal-ai-mcp`
LOW	Stable API, calendar-versioned	`@modelcontextprotocol/server-sequential-thinking`, `@modelcontextprotocol/server-memory`

Tier

Criteria

Packages

HIGH

Pre-1.0 upstream, API may change without notice

@21st-dev/magic, agentation-mcp

MED

Active upstream, semver, used in many skills

@upstash/context7-mcp, tavily-mcp, fal-ai-mcp

LOW

Stable API, calendar-versioned

@modelcontextprotocol/server-sequential-thinking, @modelcontextprotocol/server-memory

Reference: src/skills/mcp-patterns/references/mcp-version-matrix.md (audit closed by #1446).

Hook property tests (#1452)

Layer	Coverage
Hooks under property test	`dangerousCommandBlocker`, `defaultTimeoutSetter`, `errorPatternWarner`, `compoundCommandValidator`, `securityPatternValidator`, `contentSecretScanner`, `fileGuard`, `tldrSummary`, `failureHandler`
Validator under property test	`validateHookInput` over arbitrary `unknown`
Inputs per assertion	200 generated `HookInput` shapes
Invariant	Handler returns a valid `HookResult` with `continue: boolean`
Runner	`npm run test:property` (separate config: `vitest.property.config.ts`)
CI	`.github/workflows/property-tests.yml` on `src/hooks/**` changes

Layer

Coverage

Hooks under property test

dangerousCommandBlocker, defaultTimeoutSetter, errorPatternWarner, compoundCommandValidator, securityPatternValidator, contentSecretScanner, fileGuard, tldrSummary, failureHandler

Validator under property test

validateHookInput over arbitrary unknown

Inputs per assertion

200 generated HookInput shapes

Invariant

Handler returns a valid HookResult with continue: boolean

Runner

npm run test:property (separate config: vitest.property.config.ts)

.github/workflows/property-tests.yml on src/hooks/** changes

Note: The first run revealed real defensive-coding gaps in 5 hooks where array-typed file_path caused a TypeError. CC 2.1.85 fixes this at the runtime input validator and our floor is 2.1.117, so production traffic is safe. The arbitrary is tightened to the CC contract; #1497 tracks the hook-side hardening (M119).

Test plan results

tests/skills/test-mcp-pinning-check.sh 18 / 18 passing npm run test:property 11 / 11 passing (863 ms) npm test (regular vitest) 7909 / 7909 passing (property tests excluded) npm run typecheck clean npm run test:agents | manifests | skills clean npm run build plugins/ rebuilt

M117 closeout · `chore/m117-closeout`

What ships

MCP pinning check — interactive

Tier source-of-truth

Hook property tests (#1452)

Test plan results

M117 closeout · chore/m117-closeout

What ships

MCP pinning check — interactive

Tier source-of-truth

Hook property tests (#1452)

Test plan results

M117 closeout · `chore/m117-closeout`