@agent-tasks/mcp-bridge 0.1.0

package/README.md

@@ -0,0 +1,45 @@
+# @agent-tasks/mcp-bridge
+
+Zero-setup MCP bridge for [agent-tasks](https://agent-tasks.opentriologue.ai) — distributes the governed backend as a single `npx` command so any MCP-capable client (Claude Code, triologue, …) can claim, transition, and inspect tasks without touching REST.
+
+See the [agent-tasks positioning README](https://github.com/LanNguyenSi/agent-tasks#readme) for where this sits in the Project OS pipeline.
+
+## Quickstart
+
+```sh
+npx -y @agent-tasks/mcp-bridge login --token "$MY_TOKEN"        # store once (or run plain 'login' for an interactive masked prompt)
+claude mcp add agent-tasks -- npx -y @agent-tasks/mcp-bridge    # register with Claude Code
+```
+
+That's it — the agent now sees `tasks_*`, `signals_*`, and `projects_*` tools. All governance (claim gates, preconditions, review locks, audit trails) is enforced by the remote backend; the bridge is a thin stdio transport with a token cache.
+
+> **Note:** passing `--token` on the command line may end up in shell history. Prefer the interactive `login` prompt (input is masked) when possible. For non-interactive use from a secret manager, pipe stdin — e.g. `pass show agent-tasks | agent-tasks-mcp-bridge login` — rather than putting the token on the command line.
+
+## Commands
+
+| Command  | What it does                                                        |
+| -------- | ------------------------------------------------------------------- |
+| *(none)* | Start the MCP server over stdio (default — used by MCP clients)     |
+| `login`  | Validate a token against the backend, store it in the keychain      |
+| `logout` | Remove the stored token                                             |
+| `status` | Check that the stored token is still valid                          |
+
+## Token storage
+
+1. `AGENT_TASKS_TOKEN` env var (if set, wins; cannot be overwritten by `login`)
+2. OS keychain via `keytar` (macOS Keychain, Windows Credential Vault, libsecret)
+3. File fallback at `${XDG_CONFIG_HOME:-~/.config}/agent-tasks/bridge-token` (mode `0600`) — used when the keytar native module is unavailable
+
+## Overriding the backend
+
+```sh
+AGENT_TASKS_BASE_URL=https://staging.example.com npx -y @agent-tasks/mcp-bridge
+```
+
+## Uninstalling
+
+`npm uninstall` / removing the `npx` cache does **not** delete the token from the OS keychain. Run `agent-tasks-mcp-bridge logout` first, or delete the keychain entry for service `agent-tasks-mcp-bridge` manually.
+
+## License
+
+Same as the parent repo.

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+import { runStdioServer, DEFAULT_BASE_URL } from "@agent-tasks/mcp-server";
+import { resolveTokenStore } from "./token-store.js";
+import { runLogin, runLogout, runStatus } from "./login.js";
+const USAGE = `agent-tasks-mcp-bridge — zero-setup MCP bridge for agent-tasks
+
+Usage:
+  agent-tasks-mcp-bridge            Start MCP server over stdio (default)
+  agent-tasks-mcp-bridge login [--token <t>]
+                                    Store a token in the OS keychain (or file fallback)
+  agent-tasks-mcp-bridge logout     Remove the stored token
+  agent-tasks-mcp-bridge status     Validate the stored token against the backend
+  agent-tasks-mcp-bridge --help     Show this help
+
+Environment:
+  AGENT_TASKS_TOKEN     If set, used directly (takes precedence over stored token)
+  AGENT_TASKS_BASE_URL  Override backend base URL (default: ${DEFAULT_BASE_URL})
+`;
+function parseArgs(argv) {
+    if (argv.length === 0)
+        return { command: "serve" };
+    const [first, ...rest] = argv;
+    if (first === "--help" || first === "-h" || first === "help") {
+        return { command: "help" };
+    }
+    if (first === "login") {
+        let tokenFlag;
+        for (let i = 0; i < rest.length; i++) {
+            const arg = rest[i];
+            if (arg === "--token") {
+                tokenFlag = rest[i + 1];
+                i++;
+            }
+            else if (arg?.startsWith("--token=")) {
+                tokenFlag = arg.slice("--token=".length);
+            }
+        }
+        return { command: "login", tokenFlag };
+    }
+    if (first === "logout")
+        return { command: "logout" };
+    if (first === "status")
+        return { command: "status" };
+    if (first === "serve")
+        return { command: "serve" };
+    throw new Error(`Unknown command: ${first}. Run with --help for usage.`);
+}
+async function main() {
+    const args = parseArgs(process.argv.slice(2));
+    if (args.command === "help") {
+        process.stdout.write(USAGE);
+        return;
+    }
+    const baseUrl = process.env.AGENT_TASKS_BASE_URL ?? DEFAULT_BASE_URL;
+    const store = await resolveTokenStore();
+    if (args.command === "login") {
+        await runLogin({ baseUrl, store, tokenFromArg: args.tokenFlag });
+        return;
+    }
+    if (args.command === "logout") {
+        await runLogout(store);
+        return;
+    }
+    if (args.command === "status") {
+        await runStatus(baseUrl, store);
+        return;
+    }
+    const token = await store.get();
+    if (!token) {
+        throw new Error("No token available. Run 'agent-tasks-mcp-bridge login' or set AGENT_TASKS_TOKEN.");
+    }
+    await runStdioServer({ token, baseUrl });
+}
+function sanitize(msg) {
+    return msg.replace(/(https?:\/\/[^\s?]+)\?[^\s]*/gi, "$1?[redacted]");
+}
+main().catch((err) => {
+    const raw = err instanceof Error ? err.message : String(err);
+    // eslint-disable-next-line no-console
+    console.error("[agent-tasks-mcp-bridge] fatal:", sanitize(raw));
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5D,MAAM,KAAK,GAAG;;;;;;;;;;;;8DAYgD,gBAAgB;CAC7E,CAAC;AAOF,SAAS,SAAS,CAAC,IAAc;IAC/B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IACnD,MAAM,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAC9B,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAC7B,CAAC;IACD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,IAAI,SAA6B,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACtB,SAAS,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxB,CAAC,EAAE,CAAC;YACN,CAAC;iBAAM,IAAI,GAAG,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACvC,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrD,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrD,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IACnD,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,8BAA8B,CAAC,CAAC;AAC3E,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,gBAAgB,CAAC;IACrE,MAAM,KAAK,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAExC,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,QAAQ,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;QACvB,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAChC,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAC;IACJ,CAAC;IACD,MAAM,cAAc,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,OAAO,GAAG,CAAC,OAAO,CAAC,gCAAgC,EAAE,eAAe,CAAC,CAAC;AACxE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7D,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/login.d.ts

@@ -0,0 +1,9 @@
+import type { TokenStore } from "./token-store.js";
+export interface LoginOptions {
+    baseUrl: string;
+    store: TokenStore;
+    tokenFromArg?: string | undefined;
+}
+export declare function runLogin(options: LoginOptions): Promise<void>;
+export declare function runLogout(store: TokenStore): Promise<void>;
+export declare function runStatus(baseUrl: string, store: TokenStore): Promise<void>;

package/dist/login.js

@@ -0,0 +1,174 @@
+import { stdin as input, stderr, stdout } from "node:process";
+/**
+ * Read a token from stdin with real character masking.
+ *
+ * On a TTY: put stdin in raw mode, read byte-by-byte, echo `*` per printable
+ * char, handle Backspace/Ctrl-C/Enter. On failure (non-TTY, no setRawMode,
+ * exception mid-read) we fall back to a line read with a visibility warning —
+ * fake masking is worse than honest echo.
+ */
+function promptHiddenToken() {
+    return new Promise((resolve, reject) => {
+        if (!input.isTTY || typeof input.setRawMode !== "function") {
+            stderr.write("warning: stdin is not a TTY — reading one line without masking.\n");
+            let buf = "";
+            let settled = false;
+            const detach = () => {
+                input.off("data", onData);
+                input.off("end", onEnd);
+                input.off("error", onErr);
+            };
+            const settle = (err, value) => {
+                if (settled)
+                    return;
+                settled = true;
+                detach();
+                if (err)
+                    reject(err);
+                else
+                    resolve((value ?? "").trim());
+            };
+            const onData = (chunk) => {
+                buf += chunk.toString("utf8");
+                const nl = buf.indexOf("\n");
+                if (nl >= 0)
+                    settle(null, buf.slice(0, nl));
+            };
+            const onEnd = () => settle(null, buf);
+            const onErr = (err) => settle(err);
+            input.on("data", onData);
+            input.on("end", onEnd);
+            input.on("error", onErr);
+            input.resume();
+            return;
+        }
+        stderr.write("Paste your agent-tasks token (hidden): ");
+        input.setRawMode(true);
+        input.resume();
+        input.setEncoding("utf8");
+        let entered = "";
+        let settled = false;
+        const cleanup = (err, value) => {
+            if (settled)
+                return;
+            settled = true;
+            input.off("data", onKey);
+            try {
+                input.setRawMode(false);
+            }
+            catch {
+                // ignore
+            }
+            input.pause();
+            stderr.write("\n");
+            if (err)
+                reject(err);
+            else
+                resolve((value ?? "").trim());
+        };
+        const onKey = (chunk) => {
+            for (const ch of chunk) {
+                const code = ch.charCodeAt(0);
+                if (ch === "\r" || ch === "\n") {
+                    cleanup(null, entered);
+                    return;
+                }
+                if (code === 3) {
+                    // Ctrl-C
+                    cleanup(new Error("Login cancelled"));
+                    return;
+                }
+                if (code === 4) {
+                    // Ctrl-D (EOF)
+                    cleanup(entered.length === 0 ? new Error("Login cancelled") : null, entered);
+                    return;
+                }
+                if (code === 127 || code === 8) {
+                    // Backspace / DEL
+                    if (entered.length > 0) {
+                        entered = entered.slice(0, -1);
+                        stderr.write("\b \b");
+                    }
+                    continue;
+                }
+                if (code < 32)
+                    continue; // ignore other control chars
+                entered += ch;
+                stderr.write("*");
+            }
+        };
+        input.on("data", onKey);
+    });
+}
+function sanitizeForLog(message) {
+    // Strip query strings from any URL to avoid leaking accidentally-embedded secrets.
+    return message.replace(/(https?:\/\/[^\s?]+)\?[^\s]*/gi, "$1?[redacted]");
+}
+async function validateToken(baseUrl, token) {
+    let res;
+    try {
+        res = await fetch(`${baseUrl.replace(/\/$/, "")}/api/projects/available`, {
+            headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
+        });
+    }
+    catch (err) {
+        throw new Error(`Token validation request failed: ${sanitizeForLog(err.message)}`);
+    }
+    if (!res.ok) {
+        throw new Error(`Token validation failed: HTTP ${res.status}. Check the token and base URL.`);
+    }
+    // Sanity check the body shape so an accidentally-public endpoint cannot
+    // silently accept a bogus token.
+    const body = (await res.json().catch(() => null));
+    const ok = Array.isArray(body) ||
+        (body !== null && typeof body === "object" && "projects" in body);
+    if (!ok) {
+        throw new Error("Token validation response did not match expected shape; refusing to store.");
+    }
+}
+export async function runLogin(options) {
+    if (options.store.kind === "env") {
+        stderr.write("AGENT_TASKS_TOKEN is set in the environment; login is not needed (and cannot overwrite an env token). Unset it first to store in the keychain.\n");
+        return;
+    }
+    const token = options.tokenFromArg && options.tokenFromArg.length > 0
+        ? options.tokenFromArg
+        : await promptHiddenToken();
+    if (!token) {
+        throw new Error("No token provided.");
+    }
+    if (/\s/.test(token)) {
+        throw new Error("Token contains whitespace or newlines — pasted input may have been truncated. Re-run login and ensure the whole token is on a single line.");
+    }
+    if (token.length < 16) {
+        throw new Error("Token is suspiciously short (<16 chars) — refusing to store. Check that the whole token was captured.");
+    }
+    await validateToken(options.baseUrl, token);
+    await options.store.set(token);
+    stderr.write(`Token stored via ${options.store.kind} store. Run 'agent-tasks-mcp-bridge status' to verify.\n`);
+}
+export async function runLogout(store) {
+    if (store.kind === "env") {
+        stderr.write("Token is provided by AGENT_TASKS_TOKEN env var; unset it in your shell to log out. Nothing to clear in the keychain.\n");
+        return;
+    }
+    await store.clear();
+    stderr.write("Token cleared.\n");
+}
+export async function runStatus(baseUrl, store) {
+    const token = await store.get();
+    if (!token) {
+        stderr.write(`No token stored (${store.kind}). Run 'login' first.\n`);
+        process.exitCode = 1;
+        return;
+    }
+    try {
+        await validateToken(baseUrl, token);
+        stdout.write(`ok (store: ${store.kind})\n`);
+    }
+    catch (err) {
+        stderr.write(`Token present (${store.kind}) but validation failed: ${sanitizeForLog(err.message)}\n`);
+        process.exitCode = 1;
+    }
+}
+//# sourceMappingURL=login.js.map

package/dist/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../src/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,IAAI,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAS9D;;;;;;;GAOG;AACH,SAAS,iBAAiB;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAC3D,MAAM,CAAC,KAAK,CACV,mEAAmE,CACpE,CAAC;YACF,IAAI,GAAG,GAAG,EAAE,CAAC;YACb,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,MAAM,MAAM,GAAG,GAAG,EAAE;gBAClB,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC1B,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACxB,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC,CAAC;YACF,MAAM,MAAM,GAAG,CAAC,GAAiB,EAAE,KAAc,EAAE,EAAE;gBACnD,IAAI,OAAO;oBAAE,OAAO;gBACpB,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,EAAE,CAAC;gBACT,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACrC,CAAC,CAAC;YACF,MAAM,MAAM,GAAG,CAAC,KAAa,EAAE,EAAE;gBAC/B,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC9B,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,EAAE,IAAI,CAAC;oBAAE,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAC9C,CAAC,CAAC;YACF,MAAM,KAAK,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACtC,MAAM,KAAK,GAAG,CAAC,GAAU,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACzB,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YACzB,KAAK,CAAC,MAAM,EAAE,CAAC;YACf,OAAO;QACT,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACvB,KAAK,CAAC,MAAM,EAAE,CAAC;QACf,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAE1B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,MAAM,OAAO,GAAG,CAAC,GAAiB,EAAE,KAAc,EAAE,EAAE;YACpD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC;gBACH,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACnB,IAAI,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;gBAChB,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACrC,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,CAAC,KAAa,EAAE,EAAE;YAC9B,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;gBACvB,MAAM,IAAI,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;gBAC9B,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;oBAC/B,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;oBACvB,OAAO;gBACT,CAAC;gBACD,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,SAAS;oBACT,OAAO,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;oBACtC,OAAO;gBACT,CAAC;gBACD,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,eAAe;oBACf,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;oBAC7E,OAAO;gBACT,CAAC;gBACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBAC/B,kBAAkB;oBAClB,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACvB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;wBAC/B,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;oBACxB,CAAC;oBACD,SAAS;gBACX,CAAC;gBACD,IAAI,IAAI,GAAG,EAAE;oBAAE,SAAS,CAAC,6BAA6B;gBACtD,OAAO,IAAI,EAAE,CAAC;gBACd,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC,CAAC;QAEF,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,mFAAmF;IACnF,OAAO,OAAO,CAAC,OAAO,CAAC,gCAAgC,EAAE,eAAe,CAAC,CAAC;AAC5E,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,OAAe,EAAE,KAAa;IACzD,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,yBAAyB,EAAE;YACxE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SAC1E,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,oCAAoC,cAAc,CAAE,GAAa,CAAC,OAAO,CAAC,EAAE,CAC7E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,CAAC,MAAM,iCAAiC,CAC7E,CAAC;IACJ,CAAC;IACD,wEAAwE;IACxE,iCAAiC;IACjC,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAY,CAAC;IAC7D,MAAM,EAAE,GACN,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QACnB,CAAC,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,UAAU,IAAK,IAAe,CAAC,CAAC;IAChF,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACjC,MAAM,CAAC,KAAK,CACV,kJAAkJ,CACnJ,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GACT,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;QACrD,CAAC,CAAC,OAAO,CAAC,YAAY;QACtB,CAAC,CAAC,MAAM,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,4IAA4I,CAC7I,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,uGAAuG,CACxG,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC5C,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,CAAC,KAAK,CACV,oBAAoB,OAAO,CAAC,KAAK,CAAC,IAAI,0DAA0D,CACjG,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAiB;IAC/C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACzB,MAAM,CAAC,KAAK,CACV,wHAAwH,CACzH,CAAC;QACF,OAAO;IACT,CAAC;IACD,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAe,EACf,KAAiB;IAEjB,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,oBAAoB,KAAK,CAAC,IAAI,yBAAyB,CAAC,CAAC;QACtE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,cAAc,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CACV,kBAAkB,KAAK,CAAC,IAAI,4BAA4B,cAAc,CAAE,GAAa,CAAC,OAAO,CAAC,IAAI,CACnG,CAAC;QACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC"}

package/dist/token-store.d.ts

@@ -0,0 +1,42 @@
+export interface TokenStore {
+    kind: "keytar" | "file" | "env";
+    get(): Promise<string | null>;
+    set(token: string): Promise<void>;
+    clear(): Promise<void>;
+}
+declare class EnvStore implements TokenStore {
+    private readonly value;
+    readonly kind: "env";
+    constructor(value: string);
+    get(): Promise<string>;
+    set(): Promise<void>;
+    clear(): Promise<void>;
+}
+declare class KeytarStore implements TokenStore {
+    private readonly keytar;
+    readonly kind: "keytar";
+    constructor(keytar: any);
+    get(): Promise<any>;
+    set(token: string): Promise<void>;
+    clear(): Promise<void>;
+}
+declare function fileStorePath(): string;
+declare class FileStore implements TokenStore {
+    private readonly path;
+    readonly kind: "file";
+    constructor(path: string);
+    get(): Promise<string | null>;
+    set(token: string): Promise<void>;
+    clear(): Promise<void>;
+}
+export declare function resolveTokenStore(options?: {
+    envToken?: string | undefined;
+    filePath?: string;
+}): Promise<TokenStore>;
+export declare const __testing: {
+    FileStore: typeof FileStore;
+    EnvStore: typeof EnvStore;
+    KeytarStore: typeof KeytarStore;
+    fileStorePath: typeof fileStorePath;
+};
+export {};

package/dist/token-store.js

@@ -0,0 +1,108 @@
+import { mkdir, readFile, writeFile, rm, chmod, rename } from "node:fs/promises";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+const SERVICE = "agent-tasks-mcp-bridge";
+const ACCOUNT = "default";
+class EnvStore {
+    value;
+    kind = "env";
+    constructor(value) {
+        this.value = value;
+    }
+    async get() {
+        return this.value;
+    }
+    async set() {
+        throw new Error("Token was provided via AGENT_TASKS_TOKEN env var; refusing to overwrite. Unset the env var to use the keychain store.");
+    }
+    async clear() {
+        throw new Error("Token was provided via AGENT_TASKS_TOKEN env var; nothing to clear in the keychain.");
+    }
+}
+class KeytarStore {
+    keytar;
+    kind = "keytar";
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    constructor(keytar) {
+        this.keytar = keytar;
+    }
+    async get() {
+        return (await this.keytar.getPassword(SERVICE, ACCOUNT)) ?? null;
+    }
+    async set(token) {
+        await this.keytar.setPassword(SERVICE, ACCOUNT, token);
+    }
+    async clear() {
+        await this.keytar.deletePassword(SERVICE, ACCOUNT);
+    }
+}
+function fileStorePath() {
+    const xdg = process.env.XDG_CONFIG_HOME;
+    const base = xdg && xdg.length > 0 ? xdg : join(homedir(), ".config");
+    return join(base, "agent-tasks", "bridge-token");
+}
+class FileStore {
+    path;
+    kind = "file";
+    constructor(path) {
+        this.path = path;
+    }
+    async get() {
+        try {
+            const content = await readFile(this.path, "utf8");
+            const trimmed = content.trim();
+            return trimmed.length > 0 ? trimmed : null;
+        }
+        catch (err) {
+            if (err.code === "ENOENT")
+                return null;
+            throw err;
+        }
+    }
+    async set(token) {
+        const dir = dirname(this.path);
+        await mkdir(dir, { recursive: true, mode: 0o700 });
+        await chmod(dir, 0o700).catch(() => {
+            // best-effort on filesystems without POSIX perms (e.g., some Windows)
+        });
+        const tmp = `${this.path}.${process.pid}.tmp`;
+        await writeFile(tmp, token, { encoding: "utf8", mode: 0o600 });
+        await chmod(tmp, 0o600).catch(() => {
+            // best-effort
+        });
+        await rename(tmp, this.path);
+    }
+    async clear() {
+        try {
+            await rm(this.path);
+        }
+        catch (err) {
+            if (err.code !== "ENOENT")
+                throw err;
+        }
+    }
+}
+export async function resolveTokenStore(options) {
+    const envToken = options?.envToken ?? process.env.AGENT_TASKS_TOKEN;
+    if (envToken && envToken.length > 0) {
+        return new EnvStore(envToken);
+    }
+    try {
+        const mod = (await import("keytar"));
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const keytar = mod.getPassword ? mod : mod.default;
+        if (keytar?.getPassword) {
+            // Runtime probe: on Linux without libsecret-1 at runtime, keytar
+            // imports cleanly but throws on first call. Probe here so we can
+            // fall through to FileStore before returning a broken store.
+            await keytar.getPassword(SERVICE, ACCOUNT);
+            return new KeytarStore(keytar);
+        }
+    }
+    catch {
+        // keytar native module failed to load or probe — fall through to file store
+    }
+    return new FileStore(options?.filePath ?? fileStorePath());
+}
+export const __testing = { FileStore, EnvStore, KeytarStore, fileStorePath };
+//# sourceMappingURL=token-store.js.map

package/dist/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../src/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,MAAM,OAAO,GAAG,wBAAwB,CAAC;AACzC,MAAM,OAAO,GAAG,SAAS,CAAC;AAS1B,MAAM,QAAQ;IAEiB;IADpB,IAAI,GAAG,KAAc,CAAC;IAC/B,YAA6B,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAC9C,KAAK,CAAC,GAAG;QACP,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IACD,KAAK,CAAC,GAAG;QACP,MAAM,IAAI,KAAK,CACb,uHAAuH,CACxH,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,KAAK,CACb,qFAAqF,CACtF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,WAAW;IAGc;IAFpB,IAAI,GAAG,QAAiB,CAAC;IAClC,8DAA8D;IAC9D,YAA6B,MAAW;QAAX,WAAM,GAAN,MAAM,CAAK;IAAG,CAAC;IAC5C,KAAK,CAAC,GAAG;QACP,OAAO,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC;IACnE,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAa;QACrB,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;IACD,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;CACF;AAED,SAAS,aAAa;IACpB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IACxC,MAAM,IAAI,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IACtE,OAAO,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,SAAS;IAEgB;IADpB,IAAI,GAAG,MAAe,CAAC;IAChC,YAA6B,IAAY;QAAZ,SAAI,GAAJ,IAAI,CAAQ;IAAG,CAAC;IAC7C,KAAK,CAAC,GAAG;QACP,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAClD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAClE,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAa;QACrB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,MAAM,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACjC,sEAAsE;QACxE,CAAC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,MAAM,CAAC;QAC9C,MAAM,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,MAAM,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACjC,cAAc;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,KAAK,CAAC,KAAK;QACT,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,GAAG,CAAC;QAClE,CAAC;IACH,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAGvC;IACC,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACpE,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,CAGlC,CAAC;QACF,8DAA8D;QAC9D,MAAM,MAAM,GAAQ,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAE,GAAW,CAAC,OAAO,CAAC;QACjE,IAAI,MAAM,EAAE,WAAW,EAAE,CAAC;YACxB,iEAAiE;YACjE,iEAAiE;YACjE,6DAA6D;YAC7D,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC3C,OAAO,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4EAA4E;IAC9E,CAAC;IAED,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@agent-tasks/mcp-bridge",
+  "version": "0.1.0",
+  "description": "Zero-setup MCP bridge for agent-tasks: npx-distributable wrapper around @agent-tasks/mcp-server with interactive login and OS-keychain token storage",
+  "homepage": "https://github.com/LanNguyenSi/agent-tasks/tree/master/mcp-bridge#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/LanNguyenSi/agent-tasks.git",
+    "directory": "mcp-bridge"
+  },
+  "bugs": {
+    "url": "https://github.com/LanNguyenSi/agent-tasks/issues"
+  },
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "agent-tasks-mcp-bridge": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "npm run build --workspace=mcp-server --prefix .. && tsx src/cli.ts",
+    "start": "node dist/cli.js",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@agent-tasks/mcp-server": "0.1.0"
+  },
+  "optionalDependencies": {
+    "keytar": "^7.9.0"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=22",
+    "npm": ">=8"
+  }
+}