@aexol/spectral 0.2.10 → 0.2.12

package/dist/mcp/mcp-auth-flow.js

@@ -6,7 +6,7 @@
 import { auth as runSdkAuth, UnauthorizedError, } from "@modelcontextprotocol/sdk/client/auth.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import open from "open";
-import { McpOAuthProvider } from "./mcp-oauth-provider.js";
+import { McpOAuthProvider, setOAuthCallbackPort } from "./mcp-oauth-provider.js";
 import { ensureCallbackServer, waitForCallback, cancelPendingCallback, stopCallbackServer, } from "./mcp-callback-server.js";
 import { getAuthForUrl, isTokenExpired, hasStoredTokens, clearAllCredentials, updateOAuthState, getOAuthState, clearOAuthState, } from "./mcp-auth.js";
 // Track pending transports for auth completion
@@ -21,6 +21,22 @@ function generateState() {
         .map((b) => b.toString(16).padStart(2, "0"))
         .join("");
 }
+/**
+ * Extract the port from a redirect URI. Returns undefined if no explicit port is set.
+ */
+function parseRedirectPort(redirectUri) {
+    try {
+        const url = new URL(redirectUri);
+        if (url.port) {
+            return parseInt(url.port, 10);
+        }
+        // No explicit port - return undefined to use default
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
 /**
  * Extract OAuth configuration from a ServerEntry.
  */
@@ -34,6 +50,7 @@ function extractOAuthConfig(definition) {
         clientId: definition.oauth?.clientId,
         clientSecret: definition.oauth?.clientSecret,
         scope: definition.oauth?.scope,
+        redirectUri: definition.oauth?.redirectUri,
     };
 }
 /**
@@ -56,7 +73,16 @@ export async function startAuth(serverName, serverUrl, definition) {
     }
     // Start the callback server.
     // Pre-registered OAuth clients require an exact redirect URI, so enforce strict port binding.
-    await ensureCallbackServer({ strictPort: Boolean(config.clientId) });
+    // When a custom redirectUri is specified, also use strict port binding and set the port.
+    const hasCustomRedirect = Boolean(config.redirectUri);
+    const redirectPort = hasCustomRedirect ? parseRedirectPort(config.redirectUri) : undefined;
+    if (redirectPort) {
+        setOAuthCallbackPort(redirectPort);
+    }
+    await ensureCallbackServer({
+        strictPort: Boolean(config.clientId) || hasCustomRedirect,
+        preferredPort: redirectPort,
+    });
     const oauthState = generateState();
     await updateOAuthState(serverName, oauthState);
     let capturedUrl;

package/dist/mcp/mcp-callback-server.js

@@ -5,7 +5,7 @@
  * Uses Node.js http module for compatibility.
  */
 import { createServer } from "http";
-import { OAUTH_CALLBACK_PATH, getConfiguredOAuthCallbackPort, getOAuthCallbackPort, setOAuthCallbackPort, } from "./mcp-oauth-provider.js";
+import { getConfiguredOAuthCallbackPort, getOAuthCallbackPort, setOAuthCallbackPort, } from "./mcp-oauth-provider.js";
 // HTML templates for callback responses
 const HTML_SUCCESS = `<!DOCTYPE html>
 <html>
@@ -57,16 +57,17 @@ const MAX_PORT_SCAN_ATTEMPTS = 25;
  */
 function handleRequest(req, res) {
     const url = new URL(req.url || "/", `http://${req.headers.host}`);
-    // Only handle the callback path
-    if (url.pathname !== OAUTH_CALLBACK_PATH) {
-        res.writeHead(404, { "Content-Type": "text/plain" });
-        res.end("Not found");
-        return;
-    }
     const code = url.searchParams.get("code");
     const state = url.searchParams.get("state");
     const error = url.searchParams.get("error");
     const errorDescription = url.searchParams.get("error_description");
+    // Accept callbacks on any path that carries OAuth query params.
+    // This supports custom redirectUri paths configured per-server.
+    if (!code && !state && !error) {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+        return;
+    }
     // Enforce state parameter presence for CSRF protection
     if (!state) {
         const errorMsg = "Missing required state parameter - potential CSRF attack";
@@ -116,7 +117,7 @@ function handleRequest(req, res) {
  * If strictPort is false, scans forward for an available local port.
  */
 export async function ensureCallbackServer(options = {}) {
-    const configuredPort = getConfiguredOAuthCallbackPort();
+    const configuredPort = options.preferredPort ?? getConfiguredOAuthCallbackPort();
     const strictPort = options.strictPort === true;
     if (server) {
         if (!strictPort || getOAuthCallbackPort() === configuredPort)

package/dist/mcp/mcp-oauth-provider.js

@@ -46,11 +46,13 @@ export class McpOAuthProvider {
     }
     /**
      * The redirect URL for OAuth callbacks.
-     * This must match the redirect_uri in client metadata.
+     * Uses configured redirectUri if provided, otherwise falls back to default.
      */
     get redirectUrl() {
         if (this.usesClientCredentials)
             return undefined;
+        if (this.config.redirectUri)
+            return this.config.redirectUri;
         return `http://localhost:${getOAuthCallbackPort()}${OAUTH_CALLBACK_PATH}`;
     }
     /**

package/dist/mcp/server-manager.js

@@ -43,33 +43,33 @@ export class McpServerManager {
     async createConnection(name, definition) {
         const client = this.createClient(name);
         let transport;
-        if (definition.command) {
-            let command = definition.command;
-            let args = definition.args ?? [];
-            if (command === "npx" || command === "npm") {
-                const resolved = await resolveNpxBinary(command, args);
-                if (resolved) {
-                    command = resolved.isJs ? "node" : resolved.binPath;
-                    args = resolved.isJs ? [resolved.binPath, ...resolved.extraArgs] : resolved.extraArgs;
-                    logger.debug(`${name} resolved to ${resolved.binPath} (skipping npm parent)`);
+        try {
+            if (definition.command) {
+                let command = definition.command;
+                let args = definition.args ?? [];
+                if (command === "npx" || command === "npm") {
+                    const resolved = await resolveNpxBinary(command, args);
+                    if (resolved) {
+                        command = resolved.isJs ? "node" : resolved.binPath;
+                        args = resolved.isJs ? [resolved.binPath, ...resolved.extraArgs] : resolved.extraArgs;
+                        logger.debug(`${name} resolved to ${resolved.binPath} (skipping npm parent)`);
+                    }
                 }
+                transport = new StdioClientTransport({
+                    command,
+                    args,
+                    env: resolveEnv(definition.env),
+                    cwd: resolveConfigPath(definition.cwd),
+                    stderr: definition.debug ? "inherit" : "ignore",
+                });
+            }
+            else if (definition.url) {
+                // HTTP transport with fallback
+                transport = await this.createHttpTransport(definition, name);
+            }
+            else {
+                throw new Error(`Server ${name} has no command or url`);
             }
-            transport = new StdioClientTransport({
-                command,
-                args,
-                env: resolveEnv(definition.env),
-                cwd: resolveConfigPath(definition.cwd),
-                stderr: definition.debug ? "inherit" : "ignore",
-            });
-        }
-        else if (definition.url) {
-            // HTTP transport with fallback
-            transport = await this.createHttpTransport(definition, name);
-        }
-        else {
-            throw new Error(`Server ${name} has no command or url`);
-        }
-        try {
             await client.connect(transport);
             this.attachAdapterNotificationHandlers(name, client);
             // Discover tools and resources
@@ -89,14 +89,17 @@ export class McpServerManager {
             };
         }
         catch (error) {
-            // Check for UnauthorizedError - server requires OAuth
-            if (error instanceof UnauthorizedError && supportsOAuth(definition)) {
-                // Clean up both client and transport before reporting needs-auth.
-                await client.close().catch(() => { });
+            // Clean up client and transport on any error.
+            await client.close().catch(() => { });
+            if (transport) {
                 await transport.close().catch(() => { });
+            }
+            // Check for UnauthorizedError — server requires OAuth.
+            // This can fire from createHttpTransport probe or client.connect.
+            if (error instanceof UnauthorizedError && supportsOAuth(definition)) {
                 return {
                     client,
-                    transport,
+                    transport: transport,
                     definition,
                     tools: [],
                     resources: [],
@@ -105,9 +108,6 @@ export class McpServerManager {
                     status: "needs-auth",
                 };
             }
-            // Clean up both client and transport on any error
-            await client.close().catch(() => { });
-            await transport.close().catch(() => { });
             throw error;
         }
     }
@@ -140,6 +140,7 @@ export class McpServerManager {
                 clientId: definition.oauth?.clientId,
                 clientSecret: definition.oauth?.clientSecret,
                 scope: definition.oauth?.scope,
+                redirectUri: definition.oauth?.redirectUri,
             };
             authProvider = new McpOAuthProvider(serverName, definition.url, oauthConfig, {
                 onRedirect: async (_authUrl) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aexol/spectral",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "Always-on coding agent for Aexol — branded pi wrapper with relay-based browser access.",
   "type": "module",
   "private": false,