feat(filesystem): ignore dot-prefixed hidden directories by default (#2219)

[DEM-YU]

Fixes #2219

Description

This PR addresses issue #2219 by ensuring that the filesystem server ignores dot-prefixed hidden files and directories (such as .git, .terraform, .env) by default. This significantly reduces unnecessary token consumption and mitigates potential security risks associated with exposing hidden environment variables or repository histories to the LLM.

Introduced a new environment variable MCP_FILESYSTEM_INCLUDE_HIDDEN. By default, this is evaluated as false. Users can opt-in to the legacy behavior by setting MCP_FILESYSTEM_INCLUDE_HIDDEN=true.

Publishing Your Server

(Not applicable, modifying existing server)

Server Details

• Server: filesystem
• Changes to: tools (list_directory, list_directory_with_sizes, search_files) and general directory tree parsing logic (buildTree).

Motivation and Context

Dot-prefixed directories (especially .git and .terraform) can grow enormous. When an LLM agent uses the filesystem search tools on a project root, returning these hidden directories massively inflates token usage without adding much value for project analysis. It also introduces a security risk by potentially exposing sensitive local environment variables.

How Has This Been Tested?

• Added __tests__/hidden-files.test.ts to validate the includeHidden boolean flag logic via vi.mock.
• Added __tests__/hidden-tree.test.ts to validate the buildTree recursive exclusion using a real temporary directory.
• Ran all 154 tests locally across 9 test files, all passed successfully.

Breaking Changes

There are no breaking changes to the protocol schema itself. However, clients relying on reading hidden files via this server will now need to explicitly set the MCP_FILESYSTEM_INCLUDE_HIDDEN=true environment variable.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Protocol Documentation
• My changes follows MCP security best practices
• I have updated the server's README accordingly
• I have tested this with an LLM client
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have documented all environment variables and configuration options

Additional context

Added a console.error initialization log to inform the user of the current hidden-file visibility state, ensuring it does not disrupt the MCP stdout protocol communication.