fix: declare mcp dep, add createRequire banner, fix atlas-data resolution for bundled runners

[jithin23-kv]

Problem

@keyvaluesystems/agent-opfor-sdk was unpublishable in its current state for three reasons:

1. @modelcontextprotocol/sdk was used at runtime but not declared as a dependency — consumers would get "Cannot find module" on install.
2. The ESM bundle inlines CJS packages (e.g. yaml) that call require() at runtime. Without a createRequire shim in the banner, esbuild's stub throws "Dynamic require of … is not supported".
3. When core/atlas.ts is bundled into a runner, tsup flattens the file to <pkg>/dist/*.js, moving atlas-data/ one level closer. The resolver only checked 2 levels up (correct for the standalone core package) and 3 levels up (monorepo dev), missing the bundled-runner layout — causing ATLAS.yaml to not be found at runtime.

Solution

• runners/sdk/package.json — added @modelcontextprotocol/sdk: ^1.29.0 to dependencies. tsup leaves these as bare imports in the output; the SDK must be present in the consumer's node_modules.
• runners/sdk/tsup.config.ts — added a banner.js injecting createRequire(import.meta.url) into the ESM output. Mirrors the identical fix already in the cli and mcp esbuild bundles.
• core/src/standards/atlas.ts — extended atlasYamlPath() to try three candidates in order: here/../atlas-data/ (bundled runner, new), here/../../atlas-data/ (published core package), here/../../../third_party/atlas-data/dist/ (monorepo dev). Falls back to the last candidate if none exist.

Verified with npm run build (clean), npm pack --dry-run (atlas-data ships at package root), and a runtime import() smoke test (all six public exports resolve without errors).

Checklist

• npm run build passes
• npm run typecheck passes
• npm run build:catalog:check passes (if evaluators or suites changed)
• Tested against a local target (if evaluator added or changed)
• No secrets, .env, or .opfor/ artifacts committed
• PR title follows <type>: <what changed> — e.g. feat: add SSRF evaluator

Evaluator checklist (skip if no evaluator added)

• id is unique across all evaluators
• pass_criteria and fail_criteria are specific, not vague
• severity matches actual risk (critical = RCE / data breach)
• standards mapping is correct
• .test.yaml fixture included

Summary by CodeRabbit

• Bug Fixes
  • Improved support for additional ATLAS YAML layout locations, making path lookup more reliable across bundled runner setups.
  • Enhanced bundled SDK compatibility so packages that use CommonJS-style loading work correctly in ESM builds.

[coderabbitai]

Warning

Review limit reached

@jithin23-kv, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 47 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6277c0ea-61df-4286-b93c-e96316ce433e

📥 Commits

Reviewing files that changed from the base of the PR and between f206652 and 6188677.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• core/src/standards/atlas.ts

Walkthrough

Adds @modelcontextprotocol/sdk as a dependency to runners/sdk with an ESM-to-CommonJS createRequire shim injected via tsup's banner.js. Separately, atlasYamlPath() in core/src/standards/atlas.ts is extended from two to three candidate path layouts, returning the first existing path.

Changes

MCP SDK dependency and ESM/CJS shim

Layer / File(s)	Summary
MCP SDK dependency and ESM/CJS shim runners/sdk/package.json, runners/sdk/tsup.config.ts	Adds @modelcontextprotocol/sdk ^1.29.0 to dependencies and injects a createRequire-based require shim via banner.js in the tsup config to support CJS require() calls in the ESM bundle.

Atlas YAML path resolution

Layer / File(s)	Summary
Three-candidate atlas YAML resolution core/src/standards/atlas.ts	atlasYamlPath() now builds three candidate paths (package-local, monorepo, bundled-runner) and returns the first existing file, falling back to the last candidate.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The PR description is mostly just the template with placeholders and lacks a real problem and solution summary.	Add concrete Problem and Solution sections describing the bundled-runner issue, the dependency change, and the atlas path-resolution fix.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title names the main changes: MCP dependency declaration, createRequire shim, and atlas-data resolution fixes for bundled runners.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/declare-package-resolutions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core/src/standards/atlas.ts`:
- Around line 38-43: The fallback in atlasFilePath currently returns the
monorepo third_party candidate even when no ATLAS.yaml exists, which makes
downstream errors point packaged users at the wrong fix. Update atlasFilePath to
return only an existing path (or null/undefined) after checking the candidates
array, and adjust the caller/error handling that uses atlasFilePath so it
reports an actionable message for the selected layout instead of forcing the
monorepo submodule path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cdd05332-d4b0-405c-b008-6b34ad58e95f

📥 Commits

Reviewing files that changed from the base of the PR and between 4c955a0 and f206652.

📒 Files selected for processing (3)

• core/src/standards/atlas.ts
• runners/sdk/package.json
• runners/sdk/tsup.config.ts