Strip operator-private files from sdist + add structural defense

The PII audit run before this publish caught three files that have been leaking operator-specific paths to PyPI in v2.1.6, v2.1.7, and v2.2.0: - claude_desktop_config.json (personal Claude Desktop config snapshot) - mcp-pdf-tools-launcher.sh (obsolete — uvx replaces it) - mcp-config-example.json (had hardcoded /home/rpm path + old package name) Fix: - Delete the personal config and obsolete launcher - Sanitize the example to use uvx with the [markdown] extra (matches docs) - Add [tool.hatch.build.targets.sdist] exclude block per ~/.claude/rules/python.md to prevent recurrence — covers dev artifacts, fixture PDFs, internal architecture notes, and CI scripts Side benefit: sdist size dropped from 2.4 MB to 304 KB (8× reduction), mostly from excluding examples/*.pdf and the tests/ fixture PDF. The /home/rpm leaks in prior versions are not credentials, just operator paths — not yanking. Going forward the unpacked-sdist grep is mandatory before each publish.
2026-05-05 17:38:13 -06:00 · 2026-05-05 17:38:13 -06:00 · 4090c788a2
commit 4090c788a2
parent 48c44e941c
4 changed files with 32 additions and 23 deletions
--- a/claude_desktop_config.json
+++ b/claude_desktop_config.json
@ -1,16 +0,0 @@
-{
-  "mcpServers": {
-    "pdf-tools": {
-      "command": "uv",
-      "args": [
-        "--directory",
-        "/home/rpm/claude/mcp-pdf-tools",
-        "run",
-        "mcp-pdf-tools"
-      ],
-      "env": {
-        "PDF_TEMP_DIR": "/tmp/mcp-pdf-processing"
-      }
-    }
-  }
-}
--- a/mcp-config-example.json
+++ b/mcp-config-example.json
@ -1,9 +1,11 @@
 {
  "mcpServers": {
    "pdf-tools": {
-      "command": "uv",
-      "args": ["run", "--directory", "/home/rpm/claude/mcp-pdf-tools", "mcp-pdf-tools"],
-      "env": {}
+      "command": "uvx",
+      "args": ["--from", "mcp-pdf[markdown]", "mcp-pdf"],
+      "env": {
+        "PDF_TEMP_DIR": "/tmp/mcp-pdf-processing"
+      }
    }
  }
 }
--- a/mcp-pdf-tools-launcher.sh
+++ b/mcp-pdf-tools-launcher.sh
@ -1,3 +0,0 @@
-#!/bin/bash
-cd /home/rpm/claude/mcp-pdf-tools
-exec uv run mcp-pdf-tools "$@"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -99,6 +99,32 @@ dev = [
 requires = ["hatchling"]
 build-backend = "hatchling.build"

+# Keep dev-only artifacts out of the sdist that ships to PyPI.
+# (The PII audit also runs against the unpacked sdist before each publish —
+# see ~/.claude/rules/python.md.)
+[tool.hatch.build.targets.sdist]
+exclude = [
+  "CLAUDE.md",          # operator-private project context
+  ".env", ".env.local", # never ship credentials
+  ".mcp.json",          # contains local filesystem paths
+  ".pytest_cache/",
+  ".ruff_cache/",
+  "build/",
+  "dist/",
+  "examples/page_001.png",
+  "examples/*.pdf",     # demo PDFs are large + not needed by end users
+  "examples/test_demo.*",
+  "tests/CopperSprings_DigitalPortfolio.pdf",  # large fixture PDF
+  "test_security_features.py",
+  "test_integration.py",
+  "MCPMIXIN_*.md",      # internal architecture/migration notes
+  "MCP_DOCX_TOOLS_PLAN.md",
+  "claude-mcp-manager", # personal helper script
+  "run-mcp-server.sh",
+  "docker-compose.yml",
+  "Dockerfile",
+]
+
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
 addopts = "-v --tb=short"