PR #326 review identified incomplete AI-generated article stubs, a path traversal vulnerability, inconsistent error handling, and a schema drift between the metadata file and its writer.

Placeholder content (10 language files)

news/2026-02-19-opposition-motions-{ar,de,es,fi,fr,he,ja,ko,nl,zh}.html — Political Analysis and Outlook sections contain <p>...</p> stubs. Replaced with full translated content matching the English source.

Security: payloadPath path traversal (mcp-client.js:568)

Server-controlled payloadPath was passed directly to fs.readFileSync with no validation — arbitrary local file read. Fixed by resolving and validating the path is within an allow-listed directory before reading:

const ALLOWED_PAYLOAD_DIR = path.resolve('/tmp/mcp-payloads');
const resolvedPath = path.resolve(parsed.payloadPath);
if (!resolvedPath.startsWith(ALLOWED_PAYLOAD_DIR + path.sep)) {
  throw new Error(`Unsafe payloadPath rejected: ${parsed.payloadPath}`);
}

Case-insensitive 'Too Many Requests' check (mcp-client.js:547)

Session re-init check used errorMsg.includes('Too Many Requests') (mixed case) while the catch block already used .toLowerCase(). Normalized to .toLowerCase().includes('too many requests').

Metadata schema drift (generate-news-enhanced.js:751)

last-generation.json was written with old keys (timestamp, types, languagesGenerated) while the file on disk uses the new schema (lastGeneration, articleTypes, articlesGenerated). Updated the writer to emit the current schema.

initializeSession() — unguarded notifications/initialized fetch (mcp-client.js:699)

Second fetch call had no signal (could hang) and no response.ok check (silent failure). Added controller.signal and a warning log on non-2xx response.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.