feat: implement server, middleware, tests, and lint config

.eslintrc.cjs

@@ -0,0 +1,7 @@
+module.exports = {
+  root: true,
+  parser: '@typescript-eslint/parser',
+  plugins: ['@typescript-eslint'],
+  extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended'],
+  env: { node: true, es2022: true },
+};

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,31 @@
+---
+name: Bug report
+about: Something isn't working correctly
+title: '[Bug] '
+labels: bug
+assignees: ''
+---
+
+## Describe the bug
+A clear and concise description of what the bug is.
+
+## To reproduce
+Minimal code to reproduce the issue:
+```ts
+// paste here
+```
+
+## Expected behaviour
+What you expected to happen.
+
+## Actual behaviour
+What actually happened.
+
+## Environment
+- OS: [e.g. Ubuntu 22.04]
+- Node.js version: [e.g. 20.11.0]
+- Package version: [e.g. 0.0.1]
+- Transport: [stdio / sse / http]
+
+## Additional context
+Any other context or stack traces.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an improvement or new capability
+title: '[Feature] '
+labels: enhancement
+assignees: ''
+---
+
+## Problem statement
+What problem does this feature solve?
+
+## Proposed solution
+Describe the solution you'd like.
+
+## API sketch (optional)
+How would you expect to use this feature?
+```ts
+// example usage
+```
+
+## Alternatives considered
+Any alternative approaches you've considered.
+
+## Additional context
+Any other context, links, or references.

.github/workflows/ci.yml

@@ -24,13 +24,14 @@ jobs:
       - name: Install dependencies
         run: npm install --include=dev
 
+      - name: Type check
+        run: npx tsc --noEmit
+
       - name: Lint
         run: npm run lint
-        continue-on-error: true  # Lint tooling not yet configured — remove once ESLint is wired up
 
       - name: Test
         run: npm test
-        continue-on-error: true  # Test suite not yet written — remove once tests exist
 
       - name: Build
         run: npm run build

CHANGELOG.md

@@ -1,13 +1,19 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
+     1|# Changelog
+     2|
+     3|All notable changes to this project will be documented in this file.
+     4|
+     5|The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+     6|and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+     7|
 ## [Unreleased]
 
 ### Added
 - Initial scaffold: project structure, TypeScript configuration, and package metadata.
-
-[Unreleased]: https://github.com/HailBytes/mcp-server-template/compare/HEAD...HEAD
+- Added `StdioTransport` — newline-delimited JSON-RPC over stdin/stdout.
+- Added `withTimeout` / `ToolTimeoutError` for tool execution timeouts.
+- Added `burstLimit` support to `RateLimiter` (5-second sub-window enforcement).
+- Added `echo-server` and `authenticated-server` example scripts under `src/examples/`.
+- Added `SECURITY.md` with vulnerability reporting guidance and production hardening tips.
+    12|
+    13|[Unreleased]: https://github.com/HailBytes/mcp-server-template/compare/HEAD...HEAD
+    14|

SECURITY.md

@@ -0,0 +1,53 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Status             |
+| ------- | ------------------ |
+| 0.0.x   | Incubation — not yet supported |
+
+This project is in early incubation. No version is currently receiving security
+patches on a guaranteed timeline. Once a stable release is published this table
+will be updated accordingly.
+
+## Reporting a Vulnerability
+
+**Please do NOT open a public GitHub issue to report a security vulnerability.**
+
+Instead, send a detailed report to **security@hailbytes.com** including:
+
+- A description of the vulnerability and its potential impact.
+- Steps to reproduce or a proof-of-concept.
+- Affected versions (if known).
+- Any suggested mitigations or fixes you may have.
+
+You can expect an acknowledgement within **48 hours**. We will work with you to
+understand and address the issue and, where appropriate, coordinate a public
+disclosure timeline.
+
+## Security Considerations When Using This Template
+
+When building production servers on top of this template, keep the following
+hardening guidelines in mind:
+
+- **Rotate secrets regularly.** API keys and JWT secrets embedded in
+  configuration should be stored in a secrets manager (e.g. AWS Secrets Manager,
+  HashiCorp Vault) and rotated on a scheduled basis. Never commit credentials to
+  source control.
+
+- **Use full JWT verification in production.** The bundled JWT middleware
+  performs only a presence check. Replace it with a robust library (e.g.
+  [`jose`](https://github.com/panva/jose) or
+  [`jsonwebtoken`](https://github.com/auth0/node-jsonwebtoken)) that verifies the
+  signature, expiry (`exp`), issuer (`iss`), and audience (`aud`) claims against
+  your identity provider.
+
+- **Configure rate limits appropriate to your workload.** The default values
+  are illustrative. Tune `requestsPerMinute` and `burstLimit` based on expected
+  traffic patterns, and consider per-user as well as global limits to prevent
+  abuse.
+
+- **Enable TLS for all network-facing transports.** When exposing an MCP server
+  over HTTP or SSE, terminate TLS at the load balancer or reverse proxy layer and
+  ensure all client-to-server communication is encrypted in transit. Never expose
+  an unencrypted transport to the public internet.

jest.config.cjs

@@ -0,0 +1,14 @@
+// jest.config.cjs — CommonJS Jest config (required because package.json has "type":"module")
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  testMatch: ['**/__tests__/**/*.test.ts'],
+  forceExit: true,
+  moduleNameMapper: {
+    // Strip .js extensions so ts-jest can resolve .ts source files
+    '^(\\.{1,2}/.*)\\.js$': '$1',
+  },
+  transform: {
+    '^.+\\.tsx?$': ['ts-jest', { tsconfig: { module: 'CommonJS' } }],
+  },
+};