fix: Update asset paths in project.json for testing and UI libraries

[frontegg-david]

Summary by CodeRabbit

• Chores
  • Adjusted build asset paths so package READMEs are included from their library subfolders during builds.
  • Simplified a CLI package’s declared dependencies (removed several runtime packages and added tslib).
  • Updated SDK and runtime dependency versions across packages (modelcontextprotocol, vectoria, enclave-vm, esbuild).
  • Upgraded validation/runtime helper used by CLI generation (zod -> v4).
  • Switched README image references to remote raw URLs for logo assets.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Updated build asset paths for two libs and bumped/removed various package versions across multiple library manifests; no source-code logic or runtime control-flow changes.

Changes

Cohort / File(s)	Change Summary
Build-tsc asset path alignment libs/testing/project.json, libs/ui/project.json	targets.build-tsc.options.assets entries changed to reference library-scoped README paths ("README.md" → "libs/testing/README.md", "README.md" → "libs/ui/README.md").
UI package dependency bumps libs/ui/package.json	Updated dependencies: enclave-vm ^1.0.1 → ^1.0.3, esbuild ^0.24.0 → ^0.27.1.
CLI manifest dependency changes libs/cli/package.json	Removed @frontmcp/sdk, @frontmcp/plugins, @frontmcp/adapters and added tslib@^2.3.0.
CLI create command update libs/cli/src/commands/create.ts	Bumped zod reference from ^3.x to ^4.0.0 in dependency declarations.
Cross-repo dependency bumps package.json, libs/sdk/package.json, libs/adapters/package.json, libs/testing/package.json, libs/plugins/package.json	Updated @modelcontextprotocol/sdk 1.23.0 → 1.24.3; vectoriadb → ^2.0.1 where present; small bumps for ast-guard and enclave-vm in libs/plugins/package.json.
Misc packaging metadata libs/testing/package.json, libs/cli/package.json, README.md	README image URL changes to raw GitHub URLs; minor dependency alignment across test/packaging manifests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Verify libs/testing/README.md and libs/ui/README.md exist at the new paths used by build assets.
• Confirm removal of @frontmcp/* deps from libs/cli/package.json doesn't break published CLI behavior or consumers.
• Check compatibility of @modelcontextprotocol/sdk@1.24.3, vectoriadb@^2.0.1, and esbuild@^0.27.1 with dependent build scripts and runtime use.
• Review zod bump in libs/cli/src/commands/create.ts for any API differences affecting create flow.

Possibly related PRs

• fix(ci): Reversed version 0.3 due to bug in publishing workflow and fixed it #33 — CI/workflow updates handling libs/**/README.md asset paths (aligns with asset path changes).
• fix(readme): Fix repo README and adjust publication readme content #49 — Changes to README handling and project.json asset entries for libraries.
• fix: Update asset paths in project.json for testing and UI libraries #101 — Directly adjusts the same libs/testing/project.json and libs/ui/project.json asset path entries and touches libs/ui dependencies.

Poem

🐰 I hopped through package trees at night,
Swapped README paths to keep things tight,
Nudged a few versions up with care,
Quietly pruned deps from here and there,
Carrots, commits, and a tidy repo delight. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: updating asset paths in project.json files for testing and UI libraries, which is the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6c41f6d and 28e1552.

📒 Files selected for processing (1)

• README.md (1 hunks)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e3bb81e and 9e6971a.

📒 Files selected for processing (1)

• libs/cli/package.json (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

libs/**

⚙️ CodeRabbit configuration file

libs/**: Contains publishable SDK libraries. Review for API correctness, breaking changes, and consistency with docs. When public APIs change, ensure there is a matching docs/draft/docs/** update (not direct edits under docs/docs/**).

Files:

• libs/cli/package.json

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

libs/cli/src/commands/create.ts (1)

62-68: Zod v4 force-upgrade silently breaks existing Zod v3 projects without warning.

Running frontmcp create in an existing directory with package.json will unconditionally override zod to ^4.0.0 (lines 115 and 62-68 after merge at lines 109-117). This is required because @frontmcp/sdk, @frontmcp/plugins, and @frontmcp/adapters all declare zod: '^4.0.0' as a peerDependency. However, Zod v4 introduces breaking changes from v3 including error API consolidation, ZodError model changes, string validator renames (e.g., .email(), .uuid() replace older patterns), and function schema API changes. A developer running frontmcp create in a project with existing Zod v3 code will experience runtime failures without warning or migration guidance.

Either document this Zod v4 requirement prominently in setup/migration guides, add a runtime warning when overriding an existing Zod installation, or provide migration context in the scaffolded project template.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 963d22f and 3b856d1.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (6)

• libs/adapters/package.json (1 hunks)
• libs/cli/package.json (1 hunks)
• libs/cli/src/commands/create.ts (2 hunks)
• libs/sdk/package.json (1 hunks)
• libs/testing/package.json (1 hunks)
• package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• libs/cli/package.json

🧰 Additional context used

📓 Path-based instructions (3)

libs/**

⚙️ CodeRabbit configuration file

libs/**: Contains publishable SDK libraries. Review for API correctness, breaking changes, and consistency with docs. When public APIs change, ensure there is a matching docs/draft/docs/** update (not direct edits under docs/docs/**).

Files:

• libs/testing/package.json
• libs/sdk/package.json
• libs/cli/src/commands/create.ts
• libs/adapters/package.json

**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.ts: Enable strict TypeScript mode with no any types without strong justification - use unknown instead for generic type defaults
Avoid non-null assertions (!) - use proper error handling and throw specific errors instead
Use specific error classes with MCP error codes instead of generic errors
Use type parameters with constraints instead of unconstrained generics, and prefer unknown over any for generic type defaults
Follow the preset pattern for hierarchical configurations across the codebase

Files:

• libs/cli/src/commands/create.ts

libs/{sdk,adapters,plugins,cli}/src/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

libs/{sdk,adapters,plugins,cli}/src/**/*.ts: Return strictly typed MCP protocol responses (GetPromptResult, ReadResourceResult, etc.) instead of unknown for execute() and read() methods
Validate URIs per RFC 3986 at metadata level using Zod validation with custom refinements
Use getCapabilities() for dynamic capability exposure instead of hardcoding capabilities in adapters
Use changeScope instead of scope for change event properties to avoid confusion with the Scope class
Validate hooks match their entry type and fail fast with InvalidHookFlowError for unsupported flows
Don't mutate rawInput in flows - use state.set() for managing flow state instead

Files:

• libs/cli/src/commands/create.ts

🧠 Learnings (2)

📚 Learning: 2025-12-01T00:33:33.644Z

Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T00:33:33.644Z
Learning: Use FrontMCP's TypeScript-first schema validation framework philosophy - all types should align with MCP protocol definitions

Applied to files:

• libs/sdk/package.json
• libs/adapters/package.json

📚 Learning: 2025-12-01T00:33:33.644Z

Learnt from: CR
Repo: agentfront/frontmcp PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-01T00:33:33.644Z
Learning: Applies to libs/{sdk,adapters,plugins,cli}/src/**/*.ts : Validate URIs per RFC 3986 at metadata level using Zod validation with custom refinements

Applied to files:

• libs/cli/src/commands/create.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (3)

package.json (1)

19-30: Dependency bump to MCP SDK 1.24.3 is safe—no breaking changes.
The version includes security fixes, express dependency updates, and HTTP connection handling improvements. Workspace-wide alignment looks intentional.

libs/testing/package.json (1)

89-93: MCP SDK version 1.24.3 is a maintenance release with no breaking changes to client behavior.

The changelog for 1.24.3 contains only bug fixes and security patches (HTTP connection handling, SSE stream fixes, dependency updates) with no changes to client connection, initialization, or tool-call behavior. E2E test helpers will continue to work without modification.

libs/adapters/package.json (1)

35-42: No action needed — MCP SDK 1.24.3 contains only bug fixes and dependency updates with no breaking TypeScript type changes. The adapter correctly returns FrontMcpAdapterResponse (properly typed) and imports MCP SDK types like AuthInfo without issues.