
chore(template): sync from mcp-ecosystem#12

Open: jack-arturo wants to merge 1 commit into main from chore/template-sync

@jack-arturo
Member

Sync shared workflow/config/template baselines from verygoodplugins/mcp-ecosystem.

  • Source commit: 04bc391
  • Sync date: 2026-04-22
  • Applied workflow and config templates with scripts/apply-templates.sh --force
  • Re-aligned shared dependency baselines with scripts/sync-template-baseline.mjs

This PR is generated from the ecosystem source of truth to reduce per-repo Dependabot drift.

Copilot AI review requested due to automatic review settings April 22, 2026 13:22

Copilot AI left a comment

Pull request overview

Syncs shared workflow/config/template baselines from verygoodplugins/mcp-ecosystem to reduce drift across repositories and standardize automation/tooling.

Changes:

  • Adds/updates GitHub workflows (CodeQL v4, release-please manifest-based release flow, PR title enforcement, Dependabot auto-merge).
  • Updates tooling configuration (new Vitest config, new ESLint flat config, Prettier settings).
  • Re-aligns devDependency version baselines in package.json.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| vitest.config.ts | Adds a Vitest configuration (coverage + node environment). |
| package.json | Updates devDependency baseline versions. |
| eslint.config.mjs | Adds an additional ESLint flat config template. |
| .prettierrc | Updates formatting defaults (tabWidth, trailingComma). |
| .github/workflows/security.yml | Bumps CodeQL actions to v4. |
| .github/workflows/release-please.yml | Switches to manifest/config-file based release-please and updates npm publish job. |
| .github/workflows/pr-title.yml | Enforces Conventional Commit-style PR titles on main. |
| .github/workflows/dependabot-auto-merge.yml | Adds automation to approve + enable auto-merge for Dependabot PRs. |
| .github/dependabot.yml | Updates grouping/ignore strategy for dependency updates. |

Comment on lines +47 to +48
manifest-file: ".release-please-manifest.json"
config-file: "release-please-config.json"

Copilot AI Apr 22, 2026

release-please-action is configured to use manifest-file and config-file, but neither .release-please-manifest.json nor release-please-config.json exists in the repository. This will cause the workflow to fail at runtime; add these files (or revert to release-type: node config) before merging.

Suggested change
manifest-file: ".release-please-manifest.json"
config-file: "release-please-config.json"
release-type: node

release-type: node
manifest-file: ".release-please-manifest.json"
config-file: "release-please-config.json"
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
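
Review bot: The `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` line swaps in a repository secret without saying what kind of credential it is or what it is allowed to do. Add a comment on that line naming the permissions the token needs (release-please pushes a release branch and opens or updates a pull request, so contents and pull-requests write) and scope the credential to this repository, so that a template sync does not end up spreading one broad personal access token across every repository that receives this workflow.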

Copilot AI Apr 22, 2026

The workflow now requires secrets.RELEASE_PLEASE_TOKEN. If this secret isn’t configured for the repo/org, releases will stop working. Consider falling back to GITHUB_TOKEN when the secret is absent, or document/enforce provisioning of RELEASE_PLEASE_TOKEN as part of the template sync.

Suggested change
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}

Comment thread package.json
Comment on lines +59 to +70
"@eslint/js": "^9.18.0",
"@types/node": "^22.10.5",
"@typescript-eslint/eslint-plugin": "^8.50.1",
"@typescript-eslint/parser": "^8.50.1",
"eslint": "^9.39.0",
"eslint-config-prettier": "^10.1.0",
"eslint": "^9.18.0",
"eslint-config-prettier": "^10.0.1",
"eslint-plugin-unused-imports": "^4.3.0",
"globals": "^16.0.0",
"prettier": "^3.7.4",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
"typescript-eslint": "^8.50.1"
"prettier": "^3.4.2",
"tsx": "^4.19.2",
"typescript": "^5.7.3",
"typescript-eslint": "^8.20.0"
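
Review bot: `eslint`, `eslint-config-prettier`, `prettier`, `tsx`, `typescript` and `typescript-eslint` each appear twice in this range, and in every pair the second entry carries the lower version (for example `"eslint": "^9.39.0"` followed by `"eslint": "^9.18.0"`). If the lower values are the incoming baseline, the sync moves this repository's range floors backwards, which runs against the stated goal of reducing Dependabot drift. Have the baseline script keep the higher floor of each pair instead of overwriting it, or state in the PR description why the lower floors are intended.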

Copilot AI Apr 22, 2026

package.json updates multiple devDependency versions, but package-lock.json is not updated accordingly. Because CI/security workflows use npm ci, the install will fail due to lockfile/package.json mismatch; regenerate and commit an updated package-lock.json for these version changes.

Comment thread package.json
"prettier": "^3.4.2",
"tsx": "^4.19.2",
"typescript": "^5.7.3",
"typescript-eslint": "^8.20.0"

Copilot AI Apr 22, 2026

typescript-eslint is pinned to ^8.20.0 while @typescript-eslint/eslint-plugin/@typescript-eslint/parser are ^8.50.1. These packages are typically version-coupled; mixing versions can cause ESLint config/runtime incompatibilities. Align the typescript-eslint and @typescript-eslint/* package versions to the same release line.

Suggested change
"typescript-eslint": "^8.20.0"
"typescript-eslint": "^8.50.1"

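The version-coupling point in the review comment above, as an added example (not part of the pull request or of the Copilot review): a check that compares the declared range floors of the typescript-eslint family in `devDependencies`. The family list, the function names and the same-major.minor policy are assumptions made for illustration.

```javascript
// Added example: flag version skew inside the typescript-eslint package family.
// FAMILY and the "same major.minor floor" policy are assumptions, not project rules.
const FAMILY = [
  'typescript-eslint',
  '@typescript-eslint/eslint-plugin',
  '@typescript-eslint/parser',
];

// Parse the floor of a simple exact/caret/tilde range such as "^8.50.1".
function rangeFloor(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return null; // unions, dist-tags, git URLs: not comparable here
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Report whether every family member present declares the same major.minor floor.
function findFamilySkew(devDependencies) {
  const has = (name) => Object.prototype.hasOwnProperty.call(devDependencies, name);
  const present = FAMILY.filter(has).map((name) => ({
    name,
    range: devDependencies[name],
    floor: rangeFloor(devDependencies[name]),
  }));
  const unparsed = present.filter((p) => p.floor === null).map((p) => p.name);
  const parsed = present.filter((p) => p.floor !== null);
  const lines = new Set(parsed.map((p) => `${p.floor.major}.${p.floor.minor}`));
  return {
    // A range that cannot be parsed is treated as "not verified", hence not aligned.
    aligned: lines.size <= 1 && unparsed.length === 0,
    releaseLines: [...lines].sort(),
    unparsed,
    packages: parsed.map((p) => `${p.name}@${p.range}`),
  };
}

// Constructed input: the three ranges quoted in the review comment.
const asSynced = {
  '@typescript-eslint/eslint-plugin': '^8.50.1',
  '@typescript-eslint/parser': '^8.50.1',
  'typescript-eslint': '^8.20.0',
};
// The same object with the suggested change applied.
const asSuggested = { ...asSynced, 'typescript-eslint': '^8.50.1' };

console.log(findFamilySkew(asSynced));
console.log(findFamilySkew(asSuggested));
```

The check looks only at declared floors in package.json; the versions actually installed are decided by the lockfile.
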
Comment thread eslint.config.mjs
Comment on lines +1 to +26
// ESLint flat config for VGP MCP servers
// Requires: eslint ^9.0.0, typescript-eslint ^8.0.0
import eslint from '@eslint/js';
import tseslint from 'typescript-eslint';

export default tseslint.config(
eslint.configs.recommended,
...tseslint.configs.recommended,
{
files: ['src/**/*.ts'],
rules: {
// MCP stdio servers must not write to stdout outside the protocol.
'no-console': ['error', { allow: ['error', 'warn'] }],
// Allow unused vars prefixed with underscore
'@typescript-eslint/no-unused-vars': [
'error',
{ argsIgnorePattern: '^_', varsIgnorePattern: '^_' },
],
// Allow explicit any in some cases (MCP tools often need flexibility)
'@typescript-eslint/no-explicit-any': 'warn',
},
},
{
ignores: ['dist/', 'node_modules/', '**/*.js', '**/*.mjs', '**/*.cjs'],
}
);
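
Review bot: The `no-console` guard is scoped to `files: ['src/**/*.ts']`, while the last block ignores `**/*.js`, `**/*.mjs` and `**/*.cjs` everywhere, so any JavaScript module that ends up in the server's import path is never checked for stdout writes. Narrow the ignore list to build output and tool configuration files, or add a second `no-console` block that covers the JavaScript sources the server loads.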

Copilot AI Apr 22, 2026

This repo already has an eslint.config.js flat config. Adding a second flat config (eslint.config.mjs) with different rule/plugin settings is likely to cause confusion about which config is authoritative (ESLint will prefer eslint.config.js by default). Consider removing this file or replacing the existing config in a single location.

Suggested change
// ESLint flat config for VGP MCP servers
// Requires: eslint ^9.0.0, typescript-eslint ^8.0.0
import eslint from '@eslint/js';
import tseslint from 'typescript-eslint';
export default tseslint.config(
eslint.configs.recommended,
...tseslint.configs.recommended,
{
files: ['src/**/*.ts'],
rules: {
// MCP stdio servers must not write to stdout outside the protocol.
'no-console': ['error', { allow: ['error', 'warn'] }],
// Allow unused vars prefixed with underscore
'@typescript-eslint/no-unused-vars': [
'error',
{ argsIgnorePattern: '^_', varsIgnorePattern: '^_' },
],
// Allow explicit any in some cases (MCP tools often need flexibility)
'@typescript-eslint/no-explicit-any': 'warn',
},
},
{
ignores: ['dist/', 'node_modules/', '**/*.js', '**/*.mjs', '**/*.cjs'],
}
);
// Delegate to the repository's authoritative ESLint flat config.
import config from './eslint.config.js';
export default config;

Comment thread vitest.config.ts
Comment on lines +1 to +13
import { defineConfig } from 'vitest/config';

export default defineConfig({
test: {
globals: true,
environment: 'node',
coverage: {
provider: 'v8',
reporter: ['text', 'json', 'html'],
exclude: ['node_modules/', 'dist/', 'tests/', '*.config.*'],
},
},
});
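
Review bot: `globals: true` in the `test` block makes `describe`, `it` and `expect` ambient, which TypeScript only accepts when `vitest/globals` is listed under `types` in tsconfig.json, and nothing in this file says so. Either add a comment stating that requirement next to `globals: true`, or drop the option and import the test functions from `vitest` explicitly so the template works without a tsconfig change.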

Copilot AI Apr 22, 2026

A vitest.config.ts is added, but the repo doesn’t declare vitest (or @vitest/coverage-v8) in dependencies and npm test does not invoke Vitest. Either add the required devDependencies and scripts (e.g., test/test:coverage) or remove the unused config to avoid confusion.

Suggested change
import { defineConfig } from 'vitest/config';
export default defineConfig({
test: {
globals: true,
environment: 'node',
coverage: {
provider: 'v8',
reporter: ['text', 'json', 'html'],
exclude: ['node_modules/', 'dist/', 'tests/', '*.config.*'],
},
},
});
// Vitest configuration was removed because the repository does not declare
// the required Vitest dependencies or invoke Vitest from its test scripts.
// Leaving a live `vitest.config.ts` in place would be misleading.
export {};
