@agent-native/core 0.17.2 → 0.18.1

package/dist/mcp/server.js

@@ -1,180 +1,11 @@
-import * as jose from "jose";
 import { getH3App } from "../server/framework-request-handler.js";
 import { defineEventHandler, setResponseStatus, getMethod, getRequestHeader, } from "h3";
 import { readBody } from "../server/h3-helpers.js";
-import { runWithRequestContext } from "../server/request-context.js";
-// ---------------------------------------------------------------------------
-// Auth — reuses the same pattern as A2A (Bearer token or JWT)
-// ---------------------------------------------------------------------------
-function getAccessTokens() {
-    const single = process.env.ACCESS_TOKEN;
-    const multi = process.env.ACCESS_TOKENS;
-    const tokens = [];
-    if (single)
-        tokens.push(single);
-    if (multi) {
-        tokens.push(...multi
-            .split(",")
-            .map((t) => t.trim())
-            .filter(Boolean));
-    }
-    return tokens;
-}
-/**
- * Verify the inbound auth header. Returns:
- *   - { authed: true, identity } when verified — `identity` may be empty
- *     when authed via a static ACCESS_TOKEN (no caller email available).
- *   - { authed: false } on rejection.
- *
- * When A2A_SECRET is set we extract the JWT's `sub` (caller email) and
- * `org_domain` claims so the MCP endpoint can wrap tool runs in
- * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the
- * MCP endpoint loses tenant identity and downstream `accessFilter` /
- * `resolveCredential` calls fall back to platform-wide defaults.
- */
-async function verifyAuth(authHeader) {
-    // No auth configured → allow (dev mode), but no identity to propagate.
-    const accessTokens = getAccessTokens();
-    const hasA2ASecret = !!process.env.A2A_SECRET;
-    if (accessTokens.length === 0 && !hasA2ASecret) {
-        return { authed: true };
-    }
-    if (!authHeader?.startsWith("Bearer "))
-        return { authed: false };
-    const token = authHeader.slice(7);
-    // Try JWT via A2A_SECRET
-    if (hasA2ASecret) {
-        try {
-            const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(process.env.A2A_SECRET));
-            return {
-                authed: true,
-                identity: {
-                    userEmail: typeof payload.sub === "string" ? payload.sub : undefined,
-                    orgDomain: typeof payload.org_domain === "string"
-                        ? payload.org_domain
-                        : undefined,
-                },
-            };
-        }
-        catch {
-            // Not a valid JWT — fall through to token check
-        }
-    }
-    // Try ACCESS_TOKEN / ACCESS_TOKENS exact match (no per-caller identity).
-    if (accessTokens.length > 0 && accessTokens.includes(token)) {
-        return { authed: true };
-    }
-    return { authed: false };
-}
-async function resolveOrgIdFromDomain(orgDomain) {
-    if (!orgDomain)
-        return undefined;
-    try {
-        const { resolveOrgByDomain } = await import("../org/context.js");
-        const org = await resolveOrgByDomain(orgDomain);
-        return org?.orgId ?? undefined;
-    }
-    catch {
-        return undefined;
-    }
-}
-// ---------------------------------------------------------------------------
-// MCP Server creation — converts ActionEntry registry to MCP tools
-// ---------------------------------------------------------------------------
-async function createMCPServerForRequest(config, identity) {
-    const { Server } = await import("@modelcontextprotocol/sdk/server/index.js");
-    const { ListToolsRequestSchema, CallToolRequestSchema } = await import("@modelcontextprotocol/sdk/types.js");
-    const server = new Server({ name: config.name, version: config.version ?? "1.0.0" }, { capabilities: { tools: {} } });
-    // Resolve orgId once per request (DB lookup) so subsequent wraps are
-    // synchronous. The caller identity may be undefined for ACCESS_TOKEN
-    // auth — in that case we run with no userEmail/orgId, which makes
-    // downstream tools that require per-user scope return empty results
-    // rather than cross-tenant data (the safe default).
-    const orgIdPromise = resolveOrgIdFromDomain(identity?.orgDomain);
-    /**
-     * Wrap a callback in `runWithRequestContext({ userEmail, orgId }, fn)`.
-     * Both the tools/list and tools/call handlers go through this so
-     * downstream `accessFilter`, `resolveCredential`, and per-user MCP
-     * visibility checks see the verified caller's identity.
-     */
-    async function withCallerContext(fn) {
-        const orgId = await orgIdPromise;
-        return runWithRequestContext({ userEmail: identity?.userEmail, orgId }, fn);
-    }
-    // tools/list — return all actions + ask-agent meta-tool. Wrapped in the
-    // request context so per-user MCP visibility (mcp-client/visibility.ts)
-    // applies to the listing too.
-    server.setRequestHandler(ListToolsRequestSchema, async () => {
-        return withCallerContext(async () => {
-            const tools = Object.entries(config.actions).map(([name, entry]) => ({
-                name,
-                description: entry.tool.description ?? name,
-                inputSchema: entry.tool.parameters ?? {
-                    type: "object",
-                    properties: {},
-                },
-            }));
-            if (config.askAgent) {
-                tools.push({
-                    name: "ask-agent",
-                    description: "Send a natural-language message to the app's AI agent and get a response. " +
-                        "Use this for complex, multi-step tasks that require the agent's reasoning " +
-                        "and full context about the app.",
-                    inputSchema: {
-                        type: "object",
-                        properties: {
-                            message: {
-                                type: "string",
-                                description: "The message to send to the agent",
-                            },
-                        },
-                        required: ["message"],
-                    },
-                });
-            }
-            return { tools };
-        });
-    });
-    // tools/call — dispatch to action registry or ask-agent. Wrapped in the
-    // request context so the action's `run(args)` and `askAgent()` execute
-    // with the verified caller's identity, not the platform default.
-    server.setRequestHandler(CallToolRequestSchema, async (request) => {
-        return withCallerContext(async () => {
-            const { name, arguments: args } = request.params;
-            if (name === "ask-agent" && config.askAgent) {
-                const message = args?.message ?? "";
-                try {
-                    const result = await config.askAgent(message);
-                    return { content: [{ type: "text", text: result }] };
-                }
-                catch (err) {
-                    return {
-                        content: [{ type: "text", text: `Error: ${err.message}` }],
-                        isError: true,
-                    };
-                }
-            }
-            const entry = config.actions[name];
-            if (!entry) {
-                return {
-                    content: [{ type: "text", text: `Unknown tool: ${name}` }],
-                    isError: true,
-                };
-            }
-            try {
-                const result = await entry.run(args ?? {});
-                return { content: [{ type: "text", text: result }] };
-            }
-            catch (err) {
-                return {
-                    content: [{ type: "text", text: `Error: ${err.message}` }],
-                    isError: true,
-                };
-            }
-        });
-    });
-    return server;
-}
+import { createMCPServerForRequest, verifyAuth, getAccessTokens, resolveOrgIdFromDomain, buildLinkArtifacts, } from "./build-server.js";
+// Re-export the shared MCP server builder + types so the stdio transport and
+// any (future) external importer of `@agent-native/core/mcp` keep resolving
+// against `./server.js` exactly as before this refactor.
+export { createMCPServerForRequest, verifyAuth, getAccessTokens, resolveOrgIdFromDomain, buildLinkArtifacts, };
 // ---------------------------------------------------------------------------
 // mountMCP — register MCP Streamable HTTP endpoint on H3/Nitro
 // ---------------------------------------------------------------------------
@@ -200,10 +31,14 @@ export function mountMCP(nitroApp, config, routePrefix = "/_agent-native") {
             return;
         }
         const method = getMethod(event);
-        // Auth check — also extracts the caller's identity from the JWT so
-        // downstream tools run inside `runWithRequestContext`.
+        // Auth check — extracts the caller's identity from the JWT (`sub`),
+        // or, on the static-token / dev-open path, from the forwarded
+        // `X-Agent-Native-Owner-Email` hint the stdio proxy sends (the
+        // `agent-native mcp install` flow). Without this the install flow
+        // would run every tool unscoped (userEmail === undefined).
         const authHeader = getRequestHeader(event, "authorization");
-        const authResult = await verifyAuth(authHeader);
+        const ownerEmailHeader = getRequestHeader(event, "x-agent-native-owner-email");
+        const authResult = await verifyAuth(authHeader, ownerEmailHeader);
         if (!authResult.authed) {
             setResponseStatus(event, 401);
             return { error: "Unauthorized" };
@@ -228,7 +63,22 @@ export function mountMCP(nitroApp, config, routePrefix = "/_agent-native") {
         const transport = new StreamableHTTPServerTransport({
             sessionIdGenerator: undefined, // stateless
         });
-        const server = await createMCPServerForRequest(config, authResult.identity);
+        // Derive the running app's origin so relative deep links become
+        // absolute URLs the external agent can open (same approach as A2A).
+        const forwardedProto = getRequestHeader(event, "x-forwarded-proto");
+        const host = getRequestHeader(event, "host");
+        const proto = forwardedProto?.split(",")[0]?.trim() ||
+            (host && /^(localhost|127\.0\.0\.1)(:|$)/.test(host)
+                ? "http"
+                : "https");
+        const origin = host ? `${proto}://${host}` : undefined;
+        const targetHeader = getRequestHeader(event, "x-agent-native-open-target")?.toLowerCase();
+        const target = targetHeader === "desktop" ||
+            targetHeader === "terminal" ||
+            targetHeader === "browser"
+            ? targetHeader
+            : undefined;
+        const server = await createMCPServerForRequest(config, authResult.identity, { origin, target });
         await server.connect(transport);
         // Delegate to the transport — it writes directly to the Node response.
         // MCP's HTTP transport requires Node streams; this route is Node-only.
@@ -238,7 +88,22 @@ export function mountMCP(nitroApp, config, routePrefix = "/_agent-native") {
             setResponseStatus(event, 501);
             return { error: "MCP requires Node runtime" };
         }
-        await transport.handleRequest(nodeReq, nodeRes, body);
+        try {
+            await transport.handleRequest(nodeReq, nodeRes, body);
+        }
+        catch (err) {
+            // The SDK transport writes directly to the Node response. If the
+            // socket is already closed/ended (client disconnected, or the host
+            // stream layer also flushed), Node throws ERR_STREAM_WRITE_AFTER_END
+            // *after* the MCP payload was already delivered correctly. Swallow
+            // that benign post-flush write so an external agent disconnecting
+            // mid-stream can never take down the server process; rethrow
+            // anything else.
+            if (err?.code !== "ERR_STREAM_WRITE_AFTER_END")
+                throw err;
+            if (process.env.DEBUG)
+                console.log("[mcp] ignored post-flush ERR_STREAM_WRITE_AFTER_END (client disconnected)");
+        }
         // Prevent H3 from double-writing the response
         event._handled = true;
     }));

package/dist/mcp/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AA4BrE,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACT,GAAG,KAAK;aACL,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,KAAK,UAAU,UAAU,CACvB,UAA8B;IAE9B,uEAAuE;IACvE,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAC9C,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/C,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACjE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAElC,yBAAyB;IACzB,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,UAAW,CAAC,CAClD,CAAC;YACF,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;oBACpE,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;wBACpC,CAAC,CAAE,OAAO,CAAC,UAAqB;wBAChC,CAAC,CAAC,SAAS;iBAChB;aACF,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAChD,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E,KAAK,UAAU,yBAAyB,CACtC,MAAiB,EACjB,QAAuC;IAEvC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,GACrD,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAErD,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,OAAO,EAAE,EACzD,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;IAEF,qEAAqE;IACrE,qEAAqE;IACrE,kEAAkE;IAClE,oEAAoE;IACpE,oDAAoD;IACpD,MAAM,YAAY,GAAG,sBAAsB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEjE;;;;;OAKG;IACH,KAAK,UAAU,iBAAiB,CAAI,EAAoB;QACtD,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC;QACjC,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,EACzC,EAAE,CACW,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QAC1D,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;gBACnE,IAAI;gBACJ,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,IAAI;gBAC3C,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI;oBACpC,IAAI,EAAE,QAAiB;oBACvB,UAAU,EAAE,EAAE;iBACf;aACF,CAAC,CAAC,CAAC;YAEJ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,WAAW,EACT,4EAA4E;wBAC5E,4EAA4E;wBAC5E,iCAAiC;oBACnC,WAAW,EAAE;wBACX,IAAI,EAAE,QAAiB;wBACvB,UAAU,EAAE;4BACV,OAAO,EAAE;gCACP,IAAI,EAAE,QAAQ;gCACd,WAAW,EAAE,kCAAkC;6BAChD;yBACF;wBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;qBACtB;iBACF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,OAAO,iBAAiB,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YAEjD,IAAI,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC5C,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,OAAO;wBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBAC1D,OAAO,EAAE,IAAI;qBACd,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAE,IAA+B,IAAI,EAAE,CAAC,CAAC;gBACvE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;YACvD,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBAC1D,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,+DAA+D;AAC/D,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,GAAG,CAAC;QAC5C,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,OAAO,EAAE,CAAC;YACZ,kEAAkE;YAClE,qEAAqE;YACrE,WAAW;YACX,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,mEAAmE;QACnE,uDAAuD;QACvD,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACvB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,+DAA+D;YAC/D,iEAAiE;QACnE,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,kDAAkD;QAClD,MAAM,EAAE,6BAA6B,EAAE,GACrC,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS,EAAE,YAAY;SAC5C,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,MAAM,EACN,UAAU,CAAC,QAAQ,CACpB,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEhC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAEtD,8CAA8C;QAC7C,KAAa,CAAC,QAAQ,GAAG,IAAI,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACnB,OAAO,CAAC,GAAG,CACT,+BAA+B,WAAW,SAAS,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,SAAS,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CACvI,CAAC;AACN,CAAC","sourcesContent":["import * as jose from \"jose\";\nimport { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { runWithRequestContext } from \"../server/request-context.js\";\n\nexport interface MCPConfig {\n  /** App name shown in MCP server info */\n  name: string;\n  /** App description */\n  description: string;\n  /** Version string (default \"1.0.0\") */\n  version?: string;\n  /** Action registry — same as agent chat and A2A */\n  actions: Record<string, ActionEntry>;\n  /** Handler for the ask-agent meta-tool — runs the full agent loop */\n  askAgent?: (message: string) => Promise<string>;\n}\n\n/**\n * Identity extracted from a verified MCP bearer token / JWT. Used to wrap\n * `entry.run()` and `config.askAgent()` calls in `runWithRequestContext`\n * so downstream tools (db-query, accessFilter, resolveCredential) honour\n * per-user / per-org scoping. Without this wrap the MCP endpoint would\n * silently bypass tenant isolation. See finding #6 in\n * /tmp/security-audit/12-mcp-a2a-agent.md.\n */\ninterface MCPCallerIdentity {\n  userEmail: string | undefined;\n  orgDomain: string | undefined;\n}\n\n// ---------------------------------------------------------------------------\n// Auth — reuses the same pattern as A2A (Bearer token or JWT)\n// ---------------------------------------------------------------------------\n\nfunction getAccessTokens(): string[] {\n  const single = process.env.ACCESS_TOKEN;\n  const multi = process.env.ACCESS_TOKENS;\n  const tokens: string[] = [];\n  if (single) tokens.push(single);\n  if (multi) {\n    tokens.push(\n      ...multi\n        .split(\",\")\n        .map((t) => t.trim())\n        .filter(Boolean),\n    );\n  }\n  return tokens;\n}\n\n/**\n * Verify the inbound auth header. Returns:\n *   - { authed: true, identity } when verified — `identity` may be empty\n *     when authed via a static ACCESS_TOKEN (no caller email available).\n *   - { authed: false } on rejection.\n *\n * When A2A_SECRET is set we extract the JWT's `sub` (caller email) and\n * `org_domain` claims so the MCP endpoint can wrap tool runs in\n * `runWithRequestContext({ userEmail, orgId })`. Without that wrap, the\n * MCP endpoint loses tenant identity and downstream `accessFilter` /\n * `resolveCredential` calls fall back to platform-wide defaults.\n */\nasync function verifyAuth(\n  authHeader: string | undefined,\n): Promise<{ authed: boolean; identity?: MCPCallerIdentity }> {\n  // No auth configured → allow (dev mode), but no identity to propagate.\n  const accessTokens = getAccessTokens();\n  const hasA2ASecret = !!process.env.A2A_SECRET;\n  if (accessTokens.length === 0 && !hasA2ASecret) {\n    return { authed: true };\n  }\n\n  if (!authHeader?.startsWith(\"Bearer \")) return { authed: false };\n  const token = authHeader.slice(7);\n\n  // Try JWT via A2A_SECRET\n  if (hasA2ASecret) {\n    try {\n      const { payload } = await jose.jwtVerify(\n        token,\n        new TextEncoder().encode(process.env.A2A_SECRET!),\n      );\n      return {\n        authed: true,\n        identity: {\n          userEmail: typeof payload.sub === \"string\" ? payload.sub : undefined,\n          orgDomain:\n            typeof payload.org_domain === \"string\"\n              ? (payload.org_domain as string)\n              : undefined,\n        },\n      };\n    } catch {\n      // Not a valid JWT — fall through to token check\n    }\n  }\n\n  // Try ACCESS_TOKEN / ACCESS_TOKENS exact match (no per-caller identity).\n  if (accessTokens.length > 0 && accessTokens.includes(token)) {\n    return { authed: true };\n  }\n\n  return { authed: false };\n}\n\nasync function resolveOrgIdFromDomain(\n  orgDomain: string | undefined,\n): Promise<string | undefined> {\n  if (!orgDomain) return undefined;\n  try {\n    const { resolveOrgByDomain } = await import(\"../org/context.js\");\n    const org = await resolveOrgByDomain(orgDomain);\n    return org?.orgId ?? undefined;\n  } catch {\n    return undefined;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// MCP Server creation — converts ActionEntry registry to MCP tools\n// ---------------------------------------------------------------------------\n\nasync function createMCPServerForRequest(\n  config: MCPConfig,\n  identity: MCPCallerIdentity | undefined,\n) {\n  const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n  const { ListToolsRequestSchema, CallToolRequestSchema } =\n    await import(\"@modelcontextprotocol/sdk/types.js\");\n\n  const server = new Server(\n    { name: config.name, version: config.version ?? \"1.0.0\" },\n    { capabilities: { tools: {} } },\n  );\n\n  // Resolve orgId once per request (DB lookup) so subsequent wraps are\n  // synchronous. The caller identity may be undefined for ACCESS_TOKEN\n  // auth — in that case we run with no userEmail/orgId, which makes\n  // downstream tools that require per-user scope return empty results\n  // rather than cross-tenant data (the safe default).\n  const orgIdPromise = resolveOrgIdFromDomain(identity?.orgDomain);\n\n  /**\n   * Wrap a callback in `runWithRequestContext({ userEmail, orgId }, fn)`.\n   * Both the tools/list and tools/call handlers go through this so\n   * downstream `accessFilter`, `resolveCredential`, and per-user MCP\n   * visibility checks see the verified caller's identity.\n   */\n  async function withCallerContext<T>(fn: () => Promise<T>): Promise<T> {\n    const orgId = await orgIdPromise;\n    return runWithRequestContext(\n      { userEmail: identity?.userEmail, orgId },\n      fn,\n    ) as Promise<T>;\n  }\n\n  // tools/list — return all actions + ask-agent meta-tool. Wrapped in the\n  // request context so per-user MCP visibility (mcp-client/visibility.ts)\n  // applies to the listing too.\n  server.setRequestHandler(ListToolsRequestSchema, async () => {\n    return withCallerContext(async () => {\n      const tools = Object.entries(config.actions).map(([name, entry]) => ({\n        name,\n        description: entry.tool.description ?? name,\n        inputSchema: entry.tool.parameters ?? {\n          type: \"object\" as const,\n          properties: {},\n        },\n      }));\n\n      if (config.askAgent) {\n        tools.push({\n          name: \"ask-agent\",\n          description:\n            \"Send a natural-language message to the app's AI agent and get a response. \" +\n            \"Use this for complex, multi-step tasks that require the agent's reasoning \" +\n            \"and full context about the app.\",\n          inputSchema: {\n            type: \"object\" as const,\n            properties: {\n              message: {\n                type: \"string\",\n                description: \"The message to send to the agent\",\n              },\n            },\n            required: [\"message\"],\n          },\n        });\n      }\n\n      return { tools };\n    });\n  });\n\n  // tools/call — dispatch to action registry or ask-agent. Wrapped in the\n  // request context so the action's `run(args)` and `askAgent()` execute\n  // with the verified caller's identity, not the platform default.\n  server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n    return withCallerContext(async () => {\n      const { name, arguments: args } = request.params;\n\n      if (name === \"ask-agent\" && config.askAgent) {\n        const message = args?.message ?? \"\";\n        try {\n          const result = await config.askAgent(message);\n          return { content: [{ type: \"text\", text: result }] };\n        } catch (err: any) {\n          return {\n            content: [{ type: \"text\", text: `Error: ${err.message}` }],\n            isError: true,\n          };\n        }\n      }\n\n      const entry = config.actions[name];\n      if (!entry) {\n        return {\n          content: [{ type: \"text\", text: `Unknown tool: ${name}` }],\n          isError: true,\n        };\n      }\n\n      try {\n        const result = await entry.run((args as Record<string, string>) ?? {});\n        return { content: [{ type: \"text\", text: result }] };\n      } catch (err: any) {\n        return {\n          content: [{ type: \"text\", text: `Error: ${err.message}` }],\n          isError: true,\n        };\n      }\n    });\n  });\n\n  return server;\n}\n\n// ---------------------------------------------------------------------------\n// mountMCP — register MCP Streamable HTTP endpoint on H3/Nitro\n// ---------------------------------------------------------------------------\n\n/**\n * Mount an MCP remote server on an H3/Nitro app.\n *\n * Endpoint: `{routePrefix}/mcp` (default `/_agent-native/mcp`)\n *\n * Uses stateless Streamable HTTP transport — no in-memory sessions,\n * compatible with serverless deployments.\n *\n * Auth: Bearer token matching ACCESS_TOKEN/ACCESS_TOKENS or JWT via A2A_SECRET.\n * No auth required when neither is configured (dev mode).\n */\nexport function mountMCP(\n  nitroApp: any,\n  config: MCPConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  getH3App(nitroApp).use(\n    `${routePrefix}/mcp`,\n    defineEventHandler(async (event) => {\n      const pathname = event.url?.pathname || \"/\";\n      const subpath = pathname.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\");\n      if (subpath) {\n        // Let management/status routes mounted under /_agent-native/mcp/*\n        // handle their own requests instead of treating them as MCP protocol\n        // traffic.\n        return;\n      }\n\n      const method = getMethod(event);\n\n      // Auth check — also extracts the caller's identity from the JWT so\n      // downstream tools run inside `runWithRequestContext`.\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const authResult = await verifyAuth(authHeader);\n      if (!authResult.authed) {\n        setResponseStatus(event, 401);\n        return { error: \"Unauthorized\" };\n      }\n\n      // Stateless mode: only POST is meaningful\n      if (method === \"DELETE\") {\n        setResponseStatus(event, 204);\n        return \"\";\n      }\n\n      if (method === \"GET\") {\n        // SSE stream endpoint — not used in stateless mode but the SDK\n        // handles it gracefully. Let it through for protocol compliance.\n      }\n\n      if (method !== \"POST\" && method !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // Read body for POST (GET has no body)\n      const body = method === \"POST\" ? await readBody(event) : undefined;\n\n      // Create per-request stateless transport + server\n      const { StreamableHTTPServerTransport } =\n        await import(\"@modelcontextprotocol/sdk/server/streamableHttp.js\");\n      const transport = new StreamableHTTPServerTransport({\n        sessionIdGenerator: undefined, // stateless\n      });\n      const server = await createMCPServerForRequest(\n        config,\n        authResult.identity,\n      );\n      await server.connect(transport);\n\n      // Delegate to the transport — it writes directly to the Node response.\n      // MCP's HTTP transport requires Node streams; this route is Node-only.\n      const nodeReq =\n        (event as any).node?.req ?? (event as any).req?.runtime?.node?.req;\n      const nodeRes =\n        (event as any).node?.res ?? (event as any).req?.runtime?.node?.res;\n      if (!nodeReq || !nodeRes) {\n        setResponseStatus(event, 501);\n        return { error: \"MCP requires Node runtime\" };\n      }\n      await transport.handleRequest(nodeReq, nodeRes, body);\n\n      // Prevent H3 from double-writing the response\n      (event as any)._handled = true;\n    }),\n  );\n\n  if (process.env.DEBUG)\n    console.log(\n      `[mcp] Mounted MCP server at ${routePrefix}/mcp (${Object.keys(config.actions).length} tools${config.askAgent ? \" + ask-agent\" : \"\"})`,\n    );\n}\n"]}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,wCAAwC,CAAC;AAClE,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,SAAS,EACT,gBAAgB,GACjB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GAInB,MAAM,mBAAmB,CAAC;AAE3B,6EAA6E;AAC7E,4EAA4E;AAC5E,yDAAyD;AACzD,OAAO,EACL,yBAAyB,EACzB,UAAU,EACV,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,CAAC;AAGF,8EAA8E;AAC9E,+DAA+D;AAC/D,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAa,EACb,MAAiB,EACjB,WAAW,GAAG,gBAAgB;IAE9B,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,GAAG,WAAW,MAAM,EACpB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,GAAG,CAAC;QAC5C,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,OAAO,EAAE,CAAC;YACZ,kEAAkE;YAClE,qEAAqE;YACrE,WAAW;YACX,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAEhC,oEAAoE;QACpE,8DAA8D;QAC9D,+DAA+D;QAC/D,kEAAkE;QAClE,2DAA2D;QAC3D,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;QAC5D,MAAM,gBAAgB,GAAG,gBAAgB,CACvC,KAAK,EACL,4BAA4B,CAC7B,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAClE,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACvB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,+DAA+D;YAC/D,iEAAiE;QACnE,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,kDAAkD;QAClD,MAAM,EAAE,6BAA6B,EAAE,GACrC,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS,EAAE,YAAY;SAC5C,CAAC,CAAC;QACH,gEAAgE;QAChE,oEAAoE;QACpE,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,KAAK,GACT,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;YACrC,CAAC,IAAI,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClD,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,MAAM,YAAY,GAAG,gBAAgB,CACnC,KAAK,EACL,4BAA4B,CAC7B,EAAE,WAAW,EAAE,CAAC;QACjB,MAAM,MAAM,GACV,YAAY,KAAK,SAAS;YAC1B,YAAY,KAAK,UAAU;YAC3B,YAAY,KAAK,SAAS;YACxB,CAAC,CAAE,YAAyC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEhB,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,MAAM,EACN,UAAU,CAAC,QAAQ,EACnB,EAAE,MAAM,EAAE,MAAM,EAAE,CACnB,CAAC;QACF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEhC,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,MAAM,OAAO,GACV,KAAa,CAAC,IAAI,EAAE,GAAG,IAAK,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC;QACrE,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC;QAChD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,iEAAiE;YACjE,mEAAmE;YACnE,qEAAqE;YACrE,mEAAmE;YACnE,kEAAkE;YAClE,6DAA6D;YAC7D,iBAAiB;YACjB,IAAI,GAAG,EAAE,IAAI,KAAK,4BAA4B;gBAAE,MAAM,GAAG,CAAC;YAC1D,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;gBACnB,OAAO,CAAC,GAAG,CACT,2EAA2E,CAC5E,CAAC;QACN,CAAC;QAED,8CAA8C;QAC7C,KAAa,CAAC,QAAQ,GAAG,IAAI,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;IAEF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACnB,OAAO,CAAC,GAAG,CACT,+BAA+B,WAAW,SAAS,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,SAAS,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,GAAG,CACvI,CAAC;AACN,CAAC","sourcesContent":["import { getH3App } from \"../server/framework-request-handler.js\";\nimport {\n  defineEventHandler,\n  setResponseStatus,\n  getMethod,\n  getRequestHeader,\n} from \"h3\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n  type MCPConfig,\n  type MCPCallerIdentity,\n  type MCPRequestMeta,\n} from \"./build-server.js\";\n\n// Re-export the shared MCP server builder + types so the stdio transport and\n// any (future) external importer of `@agent-native/core/mcp` keep resolving\n// against `./server.js` exactly as before this refactor.\nexport {\n  createMCPServerForRequest,\n  verifyAuth,\n  getAccessTokens,\n  resolveOrgIdFromDomain,\n  buildLinkArtifacts,\n};\nexport type { MCPConfig, MCPCallerIdentity, MCPRequestMeta };\n\n// ---------------------------------------------------------------------------\n// mountMCP — register MCP Streamable HTTP endpoint on H3/Nitro\n// ---------------------------------------------------------------------------\n\n/**\n * Mount an MCP remote server on an H3/Nitro app.\n *\n * Endpoint: `{routePrefix}/mcp` (default `/_agent-native/mcp`)\n *\n * Uses stateless Streamable HTTP transport — no in-memory sessions,\n * compatible with serverless deployments.\n *\n * Auth: Bearer token matching ACCESS_TOKEN/ACCESS_TOKENS or JWT via A2A_SECRET.\n * No auth required when neither is configured (dev mode).\n */\nexport function mountMCP(\n  nitroApp: any,\n  config: MCPConfig,\n  routePrefix = \"/_agent-native\",\n): void {\n  getH3App(nitroApp).use(\n    `${routePrefix}/mcp`,\n    defineEventHandler(async (event) => {\n      const pathname = event.url?.pathname || \"/\";\n      const subpath = pathname.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\");\n      if (subpath) {\n        // Let management/status routes mounted under /_agent-native/mcp/*\n        // handle their own requests instead of treating them as MCP protocol\n        // traffic.\n        return;\n      }\n\n      const method = getMethod(event);\n\n      // Auth check — extracts the caller's identity from the JWT (`sub`),\n      // or, on the static-token / dev-open path, from the forwarded\n      // `X-Agent-Native-Owner-Email` hint the stdio proxy sends (the\n      // `agent-native mcp install` flow). Without this the install flow\n      // would run every tool unscoped (userEmail === undefined).\n      const authHeader = getRequestHeader(event, \"authorization\");\n      const ownerEmailHeader = getRequestHeader(\n        event,\n        \"x-agent-native-owner-email\",\n      );\n      const authResult = await verifyAuth(authHeader, ownerEmailHeader);\n      if (!authResult.authed) {\n        setResponseStatus(event, 401);\n        return { error: \"Unauthorized\" };\n      }\n\n      // Stateless mode: only POST is meaningful\n      if (method === \"DELETE\") {\n        setResponseStatus(event, 204);\n        return \"\";\n      }\n\n      if (method === \"GET\") {\n        // SSE stream endpoint — not used in stateless mode but the SDK\n        // handles it gracefully. Let it through for protocol compliance.\n      }\n\n      if (method !== \"POST\" && method !== \"GET\") {\n        setResponseStatus(event, 405);\n        return { error: \"Method not allowed\" };\n      }\n\n      // Read body for POST (GET has no body)\n      const body = method === \"POST\" ? await readBody(event) : undefined;\n\n      // Create per-request stateless transport + server\n      const { StreamableHTTPServerTransport } =\n        await import(\"@modelcontextprotocol/sdk/server/streamableHttp.js\");\n      const transport = new StreamableHTTPServerTransport({\n        sessionIdGenerator: undefined, // stateless\n      });\n      // Derive the running app's origin so relative deep links become\n      // absolute URLs the external agent can open (same approach as A2A).\n      const forwardedProto = getRequestHeader(event, \"x-forwarded-proto\");\n      const host = getRequestHeader(event, \"host\");\n      const proto =\n        forwardedProto?.split(\",\")[0]?.trim() ||\n        (host && /^(localhost|127\\.0\\.0\\.1)(:|$)/.test(host)\n          ? \"http\"\n          : \"https\");\n      const origin = host ? `${proto}://${host}` : undefined;\n      const targetHeader = getRequestHeader(\n        event,\n        \"x-agent-native-open-target\",\n      )?.toLowerCase();\n      const target =\n        targetHeader === \"desktop\" ||\n        targetHeader === \"terminal\" ||\n        targetHeader === \"browser\"\n          ? (targetHeader as MCPRequestMeta[\"target\"])\n          : undefined;\n\n      const server = await createMCPServerForRequest(\n        config,\n        authResult.identity,\n        { origin, target },\n      );\n      await server.connect(transport);\n\n      // Delegate to the transport — it writes directly to the Node response.\n      // MCP's HTTP transport requires Node streams; this route is Node-only.\n      const nodeReq =\n        (event as any).node?.req ?? (event as any).req?.runtime?.node?.req;\n      const nodeRes =\n        (event as any).node?.res ?? (event as any).req?.runtime?.node?.res;\n      if (!nodeReq || !nodeRes) {\n        setResponseStatus(event, 501);\n        return { error: \"MCP requires Node runtime\" };\n      }\n      try {\n        await transport.handleRequest(nodeReq, nodeRes, body);\n      } catch (err: any) {\n        // The SDK transport writes directly to the Node response. If the\n        // socket is already closed/ended (client disconnected, or the host\n        // stream layer also flushed), Node throws ERR_STREAM_WRITE_AFTER_END\n        // *after* the MCP payload was already delivered correctly. Swallow\n        // that benign post-flush write so an external agent disconnecting\n        // mid-stream can never take down the server process; rethrow\n        // anything else.\n        if (err?.code !== \"ERR_STREAM_WRITE_AFTER_END\") throw err;\n        if (process.env.DEBUG)\n          console.log(\n            \"[mcp] ignored post-flush ERR_STREAM_WRITE_AFTER_END (client disconnected)\",\n          );\n      }\n\n      // Prevent H3 from double-writing the response\n      (event as any)._handled = true;\n    }),\n  );\n\n  if (process.env.DEBUG)\n    console.log(\n      `[mcp] Mounted MCP server at ${routePrefix}/mcp (${Object.keys(config.actions).length} tools${config.askAgent ? \" + ask-agent\" : \"\"})`,\n    );\n}\n"]}

package/dist/mcp/stdio.d.ts

@@ -0,0 +1,44 @@
+/**
+ * MCP **stdio** transport for the `agent-native mcp serve` command.
+ *
+ * This is the binary external coding agents (Claude Code, Claude Cowork,
+ * Codex) actually launch — they speak MCP over a child process's stdio, not
+ * HTTP. We expose the agent-native app's MCP surface over stdio in two modes:
+ *
+ *   - **proxy (default)** — connect an MCP `Client` over
+ *     `StreamableHTTPClientTransport` to the *already-running* local app's
+ *     `http://127.0.0.1:<port>/_agent-native/mcp`, and run a stdio `Server`
+ *     that forwards `tools/list` + `tools/call` to it. The live app is the
+ *     single source of truth: HMR'd actions, the real registry, correct
+ *     per-request deep links, and tenant scoping all come for free. If the
+ *     app isn't running, we wait briefly for it (the workspace gateway boots
+ *     it lazily on first request).
+ *
+ *   - **standalone (`--standalone`)** — no running server, no HMR. Build the
+ *     MCP server in-process from `autoDiscoverActions(cwd)` +
+ *     `createMCPServerForRequest`, connected straight to a
+ *     `StdioServerTransport`. Useful in CI / when nothing is serving.
+ *
+ * Node-only: imports `node:*` and the SDK stdio/http transports. Never part
+ * of the serverless bundle.
+ */
+export interface RunMCPStdioOptions {
+    /** App id to bridge to (workspace). Optional in a single-app project. */
+    appId?: string;
+    /** Explicit port of the running app's dev server. Overrides discovery. */
+    port?: number;
+    /** Skip the HTTP proxy and build the server in-process from disk. */
+    standalone?: boolean;
+    /** Working directory (defaults to process.cwd()). */
+    cwd?: string;
+    /** Env (defaults to process.env). */
+    env?: NodeJS.ProcessEnv;
+    /** Max ms to wait for the running app before failing (proxy mode). */
+    waitForAppMs?: number;
+}
+/**
+ * Entry point for `agent-native mcp serve`. Defaults to proxy mode; pass
+ * `standalone: true` to build the server from disk with no running app.
+ */
+export declare function runMCPStdio(opts?: RunMCPStdioOptions): Promise<void>;
+//# sourceMappingURL=stdio.d.ts.map

package/dist/mcp/stdio.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../../src/mcp/stdio.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,MAAM,WAAW,kBAAkB;IACjC,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0EAA0E;IAC1E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,qDAAqD;IACrD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAqMD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAef"}

package/dist/mcp/stdio.js

@@ -0,0 +1,209 @@
+/**
+ * MCP **stdio** transport for the `agent-native mcp serve` command.
+ *
+ * This is the binary external coding agents (Claude Code, Claude Cowork,
+ * Codex) actually launch — they speak MCP over a child process's stdio, not
+ * HTTP. We expose the agent-native app's MCP surface over stdio in two modes:
+ *
+ *   - **proxy (default)** — connect an MCP `Client` over
+ *     `StreamableHTTPClientTransport` to the *already-running* local app's
+ *     `http://127.0.0.1:<port>/_agent-native/mcp`, and run a stdio `Server`
+ *     that forwards `tools/list` + `tools/call` to it. The live app is the
+ *     single source of truth: HMR'd actions, the real registry, correct
+ *     per-request deep links, and tenant scoping all come for free. If the
+ *     app isn't running, we wait briefly for it (the workspace gateway boots
+ *     it lazily on first request).
+ *
+ *   - **standalone (`--standalone`)** — no running server, no HMR. Build the
+ *     MCP server in-process from `autoDiscoverActions(cwd)` +
+ *     `createMCPServerForRequest`, connected straight to a
+ *     `StdioServerTransport`. Useful in CI / when nothing is serving.
+ *
+ * Node-only: imports `node:*` and the SDK stdio/http transports. Never part
+ * of the serverless bundle.
+ */
+import { resolveLocalAppOrigin } from "./workspace-resolve.js";
+const MCP_SUBPATH = "/_agent-native/mcp";
+function log(msg) {
+    // stderr only — stdout is the MCP protocol channel and must stay clean.
+    process.stderr.write(`[mcp] ${msg}\n`);
+}
+/**
+ * Owner identity the installer wrote into the client config's env. Passed
+ * through to the HTTP MCP endpoint as a JWT/identity bearer (when present)
+ * so tool runs stay tenant-scoped. For local dev with a static ACCESS_TOKEN
+ * the email is informational; for hosted JWT auth the token already carries
+ * `sub`, so we only add an `X-Agent-Native-Owner-Email` hint header.
+ */
+function authHeaders(env) {
+    const headers = {};
+    const token = env.ACCESS_TOKEN || env.AGENT_NATIVE_MCP_TOKEN;
+    if (token)
+        headers["Authorization"] = `Bearer ${token}`;
+    const owner = env.AGENT_NATIVE_OWNER_EMAIL;
+    if (owner)
+        headers["X-Agent-Native-Owner-Email"] = owner;
+    return headers;
+}
+async function probeOrigin(origin, timeoutMs = 800) {
+    try {
+        const res = await fetch(`${origin}${MCP_SUBPATH}`, {
+            method: "GET",
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+        // Any HTTP response (even 401/405/406) means the server is up.
+        return res.status > 0;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Proxy mode: stdio Server ⇄ HTTP Client to the running app.
+ *
+ * We register the standard `tools/list` and `tools/call` handlers on the
+ * stdio server and forward them verbatim to the upstream HTTP MCP server via
+ * the SDK `Client`. The upstream owns tool definitions, results, and the
+ * appended deep-link block / `_meta`, so nothing is duplicated here.
+ */
+async function runProxy(opts) {
+    const { origin, appId } = await resolveLocalAppOrigin({
+        cwd: opts.cwd,
+        env: opts.env,
+        appId: opts.appId,
+        port: opts.port,
+    });
+    const env = opts.env ?? process.env;
+    const target = `${origin}${MCP_SUBPATH}`;
+    // Wait for the app to come up. The workspace gateway lazily boots an app's
+    // dev server on first request, so a fresh `mcp serve` may briefly race the
+    // boot. Hit the gateway path too so the lazy start is triggered.
+    const deadline = Date.now() + (opts.waitForAppMs ?? 60_000);
+    let up = await probeOrigin(origin);
+    if (!up) {
+        log(`Waiting for ${appId} at ${origin} …`);
+        while (!up && Date.now() < deadline) {
+            await new Promise((r) => setTimeout(r, 750));
+            up = await probeOrigin(origin);
+        }
+    }
+    if (!up) {
+        throw new Error(`Timed out waiting for the local app at ${origin}. Start it with ` +
+            `\`agent-native dev\` (or \`agent-native workspace-dev\`), or run ` +
+            `\`agent-native mcp serve --standalone\` to build the server from disk.`);
+    }
+    const { Client } = await import("@modelcontextprotocol/sdk/client/index.js");
+    const { StreamableHTTPClientTransport } = await import("@modelcontextprotocol/sdk/client/streamableHttp.js");
+    const { Server } = await import("@modelcontextprotocol/sdk/server/index.js");
+    const { StdioServerTransport } = await import("@modelcontextprotocol/sdk/server/stdio.js");
+    const { ListToolsRequestSchema, CallToolRequestSchema } = await import("@modelcontextprotocol/sdk/types.js");
+    // --- Upstream HTTP client -------------------------------------------------
+    const clientTransport = new StreamableHTTPClientTransport(new URL(target), {
+        requestInit: { headers: authHeaders(env) },
+    });
+    const client = new Client({ name: "agent-native-mcp-proxy", version: "1.0.0" }, { capabilities: {} });
+    await client.connect(clientTransport);
+    log(`Proxying stdio ⇄ ${target} (app: ${appId})`);
+    // --- Downstream stdio server ---------------------------------------------
+    const server = new Server({ name: `agent-native-${appId}`, version: "1.0.0" }, { capabilities: { tools: {} } });
+    server.setRequestHandler(ListToolsRequestSchema, async (request) => {
+        return client.listTools(request.params);
+    });
+    server.setRequestHandler(CallToolRequestSchema, async (request) => {
+        // Forward the call verbatim; the upstream appends the deep-link block.
+        return client.callTool(request.params);
+    });
+    const stdioTransport = new StdioServerTransport();
+    await server.connect(stdioTransport);
+    // Keep the proxy alive until the client/transport closes.
+    await new Promise((resolve) => {
+        const done = () => resolve();
+        stdioTransport.onclose = done;
+        clientTransport.onclose = done;
+        process.once("SIGINT", done);
+        process.once("SIGTERM", done);
+    });
+    try {
+        await client.close();
+    }
+    catch {
+        // best-effort
+    }
+}
+/**
+ * Standalone mode: build the MCP server in-process from disk.
+ *
+ * No running server, no HMR — actions are discovered via
+ * `autoDiscoverActions(cwd)` and the shared `createMCPServerForRequest`
+ * builder is reused so behavior (tools, deep links, builtin cross-app tools)
+ * matches the HTTP mount exactly.
+ */
+async function runStandalone(opts) {
+    const cwd = opts.cwd ?? process.cwd();
+    const env = opts.env ?? process.env;
+    const { resolveLocalAppOrigin } = await import("./workspace-resolve.js");
+    let appId = opts.appId ?? "app";
+    let origin;
+    try {
+        const resolved = await resolveLocalAppOrigin({
+            cwd,
+            env,
+            appId: opts.appId,
+            port: opts.port,
+        });
+        appId = resolved.appId;
+        // Origin is best-effort here (server may not be running) — still useful
+        // so a `link` builder's relative deep link becomes an absolute URL.
+        origin = resolved.origin;
+    }
+    catch {
+        // No workspace / can't resolve — fall back to a bare app id.
+    }
+    const { autoDiscoverActions } = await import("../server/action-discovery.js");
+    const { createMCPServerForRequest } = await import("./build-server.js");
+    const { StdioServerTransport } = await import("@modelcontextprotocol/sdk/server/stdio.js");
+    const actions = await autoDiscoverActions(cwd);
+    log(`Standalone: discovered ${Object.keys(actions).length} action(s) in ${cwd}`);
+    const server = await createMCPServerForRequest({
+        name: appId.charAt(0).toUpperCase() + appId.slice(1),
+        appId,
+        description: `Agent-native ${appId} app (standalone MCP)`,
+        actions,
+        // No askAgent in standalone — there is no running engine/runtime here.
+        // builtin cross-app tools stay on so `list_apps` / `open_app` /
+        // `create_workspace_app` / `list_templates` still work from disk.
+    }, 
+    // No verified identity in standalone (no inbound auth header). Runs with
+    // platform-default scope, same as a tokenless local HTTP mount.
+    undefined, { origin });
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    await new Promise((resolve) => {
+        const done = () => resolve();
+        transport.onclose = done;
+        process.once("SIGINT", done);
+        process.once("SIGTERM", done);
+    });
+}
+/**
+ * Entry point for `agent-native mcp serve`. Defaults to proxy mode; pass
+ * `standalone: true` to build the server from disk with no running app.
+ */
+export async function runMCPStdio(opts = {}) {
+    if (opts.standalone) {
+        await runStandalone(opts);
+        return;
+    }
+    try {
+        await runProxy(opts);
+    }
+    catch (err) {
+        // Proxy couldn't reach a running app — surface a clear, actionable
+        // message on stderr. We do NOT silently fall back to standalone: the
+        // caller asked for the live registry; auto-falling-back would hide a
+        // broken dev server and serve stale tools.
+        log(`Proxy mode failed: ${err?.message ?? err}`);
+        throw err;
+    }
+}
+//# sourceMappingURL=stdio.js.map

package/dist/mcp/stdio.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/mcp/stdio.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAiB/D,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC,SAAS,GAAG,CAAC,GAAW;IACtB,wEAAwE;IACxE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,WAAW,CAAC,GAAsB;IACzC,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,sBAAsB,CAAC;IAC7D,IAAI,KAAK;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;IACxD,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC;IAC3C,IAAI,KAAK;QAAE,OAAO,CAAC,4BAA4B,CAAC,GAAG,KAAK,CAAC;IACzD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,MAAc,EAAE,SAAS,GAAG,GAAG;IACxD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,GAAG,WAAW,EAAE,EAAE;YACjD,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACvC,CAAC,CAAC;QACH,+DAA+D;QAC/D,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,QAAQ,CAAC,IAAwB;IAC9C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,qBAAqB,CAAC;QACpD,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,MAAM,GAAG,WAAW,EAAE,CAAC;IAEzC,2EAA2E;IAC3E,2EAA2E;IAC3E,iEAAiE;IACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,CAAC;IAC5D,IAAI,EAAE,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,GAAG,CAAC,eAAe,KAAK,OAAO,MAAM,IAAI,CAAC,CAAC;QAC3C,OAAO,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YAC7C,EAAE,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CACb,0CAA0C,MAAM,kBAAkB;YAChE,mEAAmE;YACnE,wEAAwE,CAC3E,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EAAE,6BAA6B,EAAE,GACrC,MAAM,MAAM,CAAC,oDAAoD,CAAC,CAAC;IACrE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC7E,MAAM,EAAE,oBAAoB,EAAE,GAC5B,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAC5D,MAAM,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,GACrD,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;IAErD,6EAA6E;IAC7E,MAAM,eAAe,GAAG,IAAI,6BAA6B,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE;QACzE,WAAW,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE;KAC3C,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,OAAO,EAAE,EACpD,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;IACF,MAAM,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACtC,GAAG,CAAC,oBAAoB,MAAM,UAAU,KAAK,GAAG,CAAC,CAAC;IAElD,4EAA4E;IAC5E,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,gBAAgB,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,EACnD,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;IAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACtE,OAAO,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAY,EAAE,EAAE;QACrE,uEAAuE;QACvE,OAAO,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAClD,MAAM,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAErC,0DAA0D;IAC1D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC7B,cAAc,CAAC,OAAO,GAAG,IAAI,CAAC;QAC9B,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,aAAa,CAAC,IAAwB;IACnD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IAEpC,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACzE,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC;IAChC,IAAI,MAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC;YAC3C,GAAG;YACH,GAAG;YACH,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAC;QACH,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QACvB,wEAAwE;QACxE,oEAAoE;QACpE,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;IAC/D,CAAC;IAED,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;IAC9E,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACxE,MAAM,EAAE,oBAAoB,EAAE,GAC5B,MAAM,MAAM,CAAC,2CAA2C,CAAC,CAAC;IAE5D,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC/C,GAAG,CACD,0BAA0B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,iBAAiB,GAAG,EAAE,CAC5E,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C;QACE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QACpD,KAAK;QACL,WAAW,EAAE,gBAAgB,KAAK,uBAAuB;QACzD,OAAO;QACP,uEAAuE;QACvE,gEAAgE;QAChE,kEAAkE;KACnE;IACD,yEAAyE;IACzE,gEAAgE;IAChE,SAAS,EACT,EAAE,MAAM,EAAE,CACX,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC7B,SAAS,CAAC,OAAO,GAAG,IAAI,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAA2B,EAAE;IAE7B,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,MAAM,aAAa,CAAC,IAAI,CAAC,CAAC;QAC1B,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,mEAAmE;QACnE,qEAAqE;QACrE,qEAAqE;QACrE,2CAA2C;QAC3C,GAAG,CAAC,sBAAsB,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC,CAAC;QACjD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC","sourcesContent":["/**\n * MCP **stdio** transport for the `agent-native mcp serve` command.\n *\n * This is the binary external coding agents (Claude Code, Claude Cowork,\n * Codex) actually launch — they speak MCP over a child process's stdio, not\n * HTTP. We expose the agent-native app's MCP surface over stdio in two modes:\n *\n *   - **proxy (default)** — connect an MCP `Client` over\n *     `StreamableHTTPClientTransport` to the *already-running* local app's\n *     `http://127.0.0.1:<port>/_agent-native/mcp`, and run a stdio `Server`\n *     that forwards `tools/list` + `tools/call` to it. The live app is the\n *     single source of truth: HMR'd actions, the real registry, correct\n *     per-request deep links, and tenant scoping all come for free. If the\n *     app isn't running, we wait briefly for it (the workspace gateway boots\n *     it lazily on first request).\n *\n *   - **standalone (`--standalone`)** — no running server, no HMR. Build the\n *     MCP server in-process from `autoDiscoverActions(cwd)` +\n *     `createMCPServerForRequest`, connected straight to a\n *     `StdioServerTransport`. Useful in CI / when nothing is serving.\n *\n * Node-only: imports `node:*` and the SDK stdio/http transports. Never part\n * of the serverless bundle.\n */\n\nimport { resolveLocalAppOrigin } from \"./workspace-resolve.js\";\n\nexport interface RunMCPStdioOptions {\n  /** App id to bridge to (workspace). Optional in a single-app project. */\n  appId?: string;\n  /** Explicit port of the running app's dev server. Overrides discovery. */\n  port?: number;\n  /** Skip the HTTP proxy and build the server in-process from disk. */\n  standalone?: boolean;\n  /** Working directory (defaults to process.cwd()). */\n  cwd?: string;\n  /** Env (defaults to process.env). */\n  env?: NodeJS.ProcessEnv;\n  /** Max ms to wait for the running app before failing (proxy mode). */\n  waitForAppMs?: number;\n}\n\nconst MCP_SUBPATH = \"/_agent-native/mcp\";\n\nfunction log(msg: string): void {\n  // stderr only — stdout is the MCP protocol channel and must stay clean.\n  process.stderr.write(`[mcp] ${msg}\\n`);\n}\n\n/**\n * Owner identity the installer wrote into the client config's env. Passed\n * through to the HTTP MCP endpoint as a JWT/identity bearer (when present)\n * so tool runs stay tenant-scoped. For local dev with a static ACCESS_TOKEN\n * the email is informational; for hosted JWT auth the token already carries\n * `sub`, so we only add an `X-Agent-Native-Owner-Email` hint header.\n */\nfunction authHeaders(env: NodeJS.ProcessEnv): Record<string, string> {\n  const headers: Record<string, string> = {};\n  const token = env.ACCESS_TOKEN || env.AGENT_NATIVE_MCP_TOKEN;\n  if (token) headers[\"Authorization\"] = `Bearer ${token}`;\n  const owner = env.AGENT_NATIVE_OWNER_EMAIL;\n  if (owner) headers[\"X-Agent-Native-Owner-Email\"] = owner;\n  return headers;\n}\n\nasync function probeOrigin(origin: string, timeoutMs = 800): Promise<boolean> {\n  try {\n    const res = await fetch(`${origin}${MCP_SUBPATH}`, {\n      method: \"GET\",\n      signal: AbortSignal.timeout(timeoutMs),\n    });\n    // Any HTTP response (even 401/405/406) means the server is up.\n    return res.status > 0;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Proxy mode: stdio Server ⇄ HTTP Client to the running app.\n *\n * We register the standard `tools/list` and `tools/call` handlers on the\n * stdio server and forward them verbatim to the upstream HTTP MCP server via\n * the SDK `Client`. The upstream owns tool definitions, results, and the\n * appended deep-link block / `_meta`, so nothing is duplicated here.\n */\nasync function runProxy(opts: RunMCPStdioOptions): Promise<void> {\n  const { origin, appId } = await resolveLocalAppOrigin({\n    cwd: opts.cwd,\n    env: opts.env,\n    appId: opts.appId,\n    port: opts.port,\n  });\n  const env = opts.env ?? process.env;\n  const target = `${origin}${MCP_SUBPATH}`;\n\n  // Wait for the app to come up. The workspace gateway lazily boots an app's\n  // dev server on first request, so a fresh `mcp serve` may briefly race the\n  // boot. Hit the gateway path too so the lazy start is triggered.\n  const deadline = Date.now() + (opts.waitForAppMs ?? 60_000);\n  let up = await probeOrigin(origin);\n  if (!up) {\n    log(`Waiting for ${appId} at ${origin} …`);\n    while (!up && Date.now() < deadline) {\n      await new Promise((r) => setTimeout(r, 750));\n      up = await probeOrigin(origin);\n    }\n  }\n  if (!up) {\n    throw new Error(\n      `Timed out waiting for the local app at ${origin}. Start it with ` +\n        `\\`agent-native dev\\` (or \\`agent-native workspace-dev\\`), or run ` +\n        `\\`agent-native mcp serve --standalone\\` to build the server from disk.`,\n    );\n  }\n\n  const { Client } = await import(\"@modelcontextprotocol/sdk/client/index.js\");\n  const { StreamableHTTPClientTransport } =\n    await import(\"@modelcontextprotocol/sdk/client/streamableHttp.js\");\n  const { Server } = await import(\"@modelcontextprotocol/sdk/server/index.js\");\n  const { StdioServerTransport } =\n    await import(\"@modelcontextprotocol/sdk/server/stdio.js\");\n  const { ListToolsRequestSchema, CallToolRequestSchema } =\n    await import(\"@modelcontextprotocol/sdk/types.js\");\n\n  // --- Upstream HTTP client -------------------------------------------------\n  const clientTransport = new StreamableHTTPClientTransport(new URL(target), {\n    requestInit: { headers: authHeaders(env) },\n  });\n  const client = new Client(\n    { name: \"agent-native-mcp-proxy\", version: \"1.0.0\" },\n    { capabilities: {} },\n  );\n  await client.connect(clientTransport);\n  log(`Proxying stdio ⇄ ${target} (app: ${appId})`);\n\n  // --- Downstream stdio server ---------------------------------------------\n  const server = new Server(\n    { name: `agent-native-${appId}`, version: \"1.0.0\" },\n    { capabilities: { tools: {} } },\n  );\n\n  server.setRequestHandler(ListToolsRequestSchema, async (request: any) => {\n    return client.listTools(request.params);\n  });\n\n  server.setRequestHandler(CallToolRequestSchema, async (request: any) => {\n    // Forward the call verbatim; the upstream appends the deep-link block.\n    return client.callTool(request.params);\n  });\n\n  const stdioTransport = new StdioServerTransport();\n  await server.connect(stdioTransport);\n\n  // Keep the proxy alive until the client/transport closes.\n  await new Promise<void>((resolve) => {\n    const done = () => resolve();\n    stdioTransport.onclose = done;\n    clientTransport.onclose = done;\n    process.once(\"SIGINT\", done);\n    process.once(\"SIGTERM\", done);\n  });\n\n  try {\n    await client.close();\n  } catch {\n    // best-effort\n  }\n}\n\n/**\n * Standalone mode: build the MCP server in-process from disk.\n *\n * No running server, no HMR — actions are discovered via\n * `autoDiscoverActions(cwd)` and the shared `createMCPServerForRequest`\n * builder is reused so behavior (tools, deep links, builtin cross-app tools)\n * matches the HTTP mount exactly.\n */\nasync function runStandalone(opts: RunMCPStdioOptions): Promise<void> {\n  const cwd = opts.cwd ?? process.cwd();\n  const env = opts.env ?? process.env;\n\n  const { resolveLocalAppOrigin } = await import(\"./workspace-resolve.js\");\n  let appId = opts.appId ?? \"app\";\n  let origin: string | undefined;\n  try {\n    const resolved = await resolveLocalAppOrigin({\n      cwd,\n      env,\n      appId: opts.appId,\n      port: opts.port,\n    });\n    appId = resolved.appId;\n    // Origin is best-effort here (server may not be running) — still useful\n    // so a `link` builder's relative deep link becomes an absolute URL.\n    origin = resolved.origin;\n  } catch {\n    // No workspace / can't resolve — fall back to a bare app id.\n  }\n\n  const { autoDiscoverActions } = await import(\"../server/action-discovery.js\");\n  const { createMCPServerForRequest } = await import(\"./build-server.js\");\n  const { StdioServerTransport } =\n    await import(\"@modelcontextprotocol/sdk/server/stdio.js\");\n\n  const actions = await autoDiscoverActions(cwd);\n  log(\n    `Standalone: discovered ${Object.keys(actions).length} action(s) in ${cwd}`,\n  );\n\n  const server = await createMCPServerForRequest(\n    {\n      name: appId.charAt(0).toUpperCase() + appId.slice(1),\n      appId,\n      description: `Agent-native ${appId} app (standalone MCP)`,\n      actions,\n      // No askAgent in standalone — there is no running engine/runtime here.\n      // builtin cross-app tools stay on so `list_apps` / `open_app` /\n      // `create_workspace_app` / `list_templates` still work from disk.\n    },\n    // No verified identity in standalone (no inbound auth header). Runs with\n    // platform-default scope, same as a tokenless local HTTP mount.\n    undefined,\n    { origin },\n  );\n\n  const transport = new StdioServerTransport();\n  await server.connect(transport);\n\n  await new Promise<void>((resolve) => {\n    const done = () => resolve();\n    transport.onclose = done;\n    process.once(\"SIGINT\", done);\n    process.once(\"SIGTERM\", done);\n  });\n}\n\n/**\n * Entry point for `agent-native mcp serve`. Defaults to proxy mode; pass\n * `standalone: true` to build the server from disk with no running app.\n */\nexport async function runMCPStdio(\n  opts: RunMCPStdioOptions = {},\n): Promise<void> {\n  if (opts.standalone) {\n    await runStandalone(opts);\n    return;\n  }\n  try {\n    await runProxy(opts);\n  } catch (err: any) {\n    // Proxy couldn't reach a running app — surface a clear, actionable\n    // message on stderr. We do NOT silently fall back to standalone: the\n    // caller asked for the live registry; auto-falling-back would hide a\n    // broken dev server and serve stale tools.\n    log(`Proxy mode failed: ${err?.message ?? err}`);\n    throw err;\n  }\n}\n"]}