@agents-at-scale/ark 0.1.63 → 0.1.64

package/dist/commands/mcp/authClient.d.ts

@@ -0,0 +1,37 @@
+export interface AuthStartResponse {
+    auth_id: string;
+    authorization_url: string;
+    flow_expires_at: string;
+}
+export interface AuthStatusResponse {
+    state: 'pending' | 'authorized' | 'failed' | 'expired';
+    expires_at?: string | null;
+    message?: string | null;
+    controller_state?: string | null;
+    controller_message?: string | null;
+}
+export interface AuthLogoutResponse {
+    cleared_keys?: string[];
+    deleted?: boolean;
+    noop?: boolean;
+}
+export interface AuthStartBody {
+    force?: boolean;
+    scope?: string[];
+}
+export interface AuthLogoutBody {
+    keep_client?: boolean;
+    delete_secret?: boolean;
+}
+export declare class AuthHttpError extends Error {
+    status: number;
+    body: string;
+    constructor(status: number, body: string);
+}
+export declare class McpAuthClient {
+    private baseUrl;
+    constructor(baseUrl: string);
+    start(name: string, namespace: string, body: AuthStartBody): Promise<AuthStartResponse>;
+    status(name: string, namespace: string, authId: string): Promise<AuthStatusResponse>;
+    logout(name: string, namespace: string, body: AuthLogoutBody): Promise<AuthLogoutResponse>;
+}

package/dist/commands/mcp/authClient.js

@@ -0,0 +1,47 @@
+export class AuthHttpError extends Error {
+    status;
+    body;
+    constructor(status, body) {
+        super(`HTTP ${status}: ${body}`);
+        this.status = status;
+        this.body = body;
+    }
+}
+export class McpAuthClient {
+    baseUrl;
+    constructor(baseUrl) {
+        this.baseUrl = baseUrl;
+    }
+    async start(name, namespace, body) {
+        const url = `${this.baseUrl}/v1/mcp-servers/${encodeURIComponent(name)}/auth/start?namespace=${encodeURIComponent(namespace)}`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!response.ok) {
+            throw new AuthHttpError(response.status, await response.text());
+        }
+        return (await response.json());
+    }
+    async status(name, namespace, authId) {
+        const url = `${this.baseUrl}/v1/mcp-servers/${encodeURIComponent(name)}/auth/status?namespace=${encodeURIComponent(namespace)}&auth_id=${encodeURIComponent(authId)}`;
+        const response = await fetch(url);
+        if (!response.ok) {
+            throw new AuthHttpError(response.status, await response.text());
+        }
+        return (await response.json());
+    }
+    async logout(name, namespace, body) {
+        const url = `${this.baseUrl}/v1/mcp-servers/${encodeURIComponent(name)}/auth/logout?namespace=${encodeURIComponent(namespace)}`;
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+        });
+        if (!response.ok) {
+            throw new AuthHttpError(response.status, await response.text());
+        }
+        return (await response.json());
+    }
+}

package/dist/commands/mcp/index.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+import type { ArkConfig } from '../../lib/config.js';
+export declare function createMcpCommand(_config: ArkConfig): Command;

package/dist/commands/mcp/index.js

@@ -0,0 +1,43 @@
+import { Command } from 'commander';
+import { runLogin } from './login.js';
+import { runLogout } from './logout.js';
+export function createMcpCommand(_config) {
+    const mcp = new Command('mcp');
+    mcp.description('manage MCP servers');
+    const auth = new Command('auth');
+    auth.description('manage MCP server authorization');
+    auth
+        .command('login <server-name>')
+        .description('start an OAuth flow for an MCPServer via ark-api')
+        .option('-n, --namespace <namespace>', 'namespace of the MCPServer')
+        .option('--force', 'bypass the Authorized preflight and force fresh client registration')
+        .option('--no-open', 'do not open a browser; print the URL only')
+        .option('--timeout <duration>', 'how long to wait for authorization to complete (e.g. 60s, 5m, 1h)')
+        .option('--scope <scope>', 'space- or comma-separated list of OAuth scopes to request')
+        .action(async (serverName, options) => {
+        const exitCode = await runLogin(serverName, {
+            namespace: options.namespace,
+            force: options.force,
+            open: options.open,
+            timeout: options.timeout,
+            scope: options.scope,
+        });
+        process.exit(exitCode);
+    });
+    auth
+        .command('logout <server-name>')
+        .description('clear OAuth state for an MCPServer via ark-api')
+        .option('-n, --namespace <namespace>', 'namespace of the MCPServer')
+        .option('--keep-client', 'preserve cached client_id/client_secret in the Secret')
+        .option('--delete-secret', 'delete the entire token Secret')
+        .action(async (serverName, options) => {
+        const exitCode = await runLogout(serverName, {
+            namespace: options.namespace,
+            keepClient: options.keepClient,
+            deleteSecret: options.deleteSecret,
+        });
+        process.exit(exitCode);
+    });
+    mcp.addCommand(auth);
+    return mcp;
+}

package/dist/commands/mcp/login.d.ts

@@ -0,0 +1,21 @@
+import { McpAuthClient } from './authClient.js';
+export interface LoginOptions {
+    namespace?: string;
+    force?: boolean;
+    open?: boolean;
+    timeout?: string;
+    scope?: string;
+}
+export interface LoginDeps {
+    buildClient: (baseUrl: string) => McpAuthClient;
+    openBrowser: (url: string) => Promise<unknown>;
+    resolveNs: (explicit?: string) => string;
+    startProxy: () => Promise<{
+        baseUrl: string;
+        stop: () => void;
+    }>;
+    sleep: (ms: number) => Promise<void>;
+    now: () => number;
+}
+export declare const defaultDeps: LoginDeps;
+export declare function runLogin(serverName: string, options: LoginOptions, deps?: LoginDeps): Promise<number>;

package/dist/commands/mcp/login.js

@@ -0,0 +1,106 @@
+import open from 'open';
+import output from '../../lib/output.js';
+import { ArkApiProxy } from '../../lib/arkApiProxy.js';
+import { loadConfig } from '../../lib/config.js';
+import { resolveNamespace } from './namespace.js';
+import { parseTimeoutDuration } from './timeout.js';
+import { AuthHttpError, McpAuthClient } from './authClient.js';
+export const defaultDeps = {
+    buildClient: (baseUrl) => new McpAuthClient(baseUrl),
+    openBrowser: (url) => open(url),
+    resolveNs: (explicit) => resolveNamespace(explicit),
+    startProxy: async () => {
+        const config = loadConfig();
+        const proxy = new ArkApiProxy(undefined, config.services?.reusePortForwards ?? false);
+        const client = await proxy.start();
+        return {
+            baseUrl: client.getBaseUrl(),
+            stop: () => proxy.stop(),
+        };
+    },
+    sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
+    now: () => Date.now(),
+};
+const POLL_INTERVAL_MS = 2000;
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
+export async function runLogin(serverName, options, deps = defaultDeps) {
+    let timeoutMs = DEFAULT_TIMEOUT_MS;
+    if (options.timeout !== undefined) {
+        try {
+            timeoutMs = parseTimeoutDuration(options.timeout);
+        }
+        catch (err) {
+            output.error('mcp auth failed:', err.message);
+            return 1;
+        }
+    }
+    const namespace = deps.resolveNs(options.namespace);
+    const body = {};
+    if (options.force)
+        body.force = true;
+    if (options.scope) {
+        body.scope = options.scope.split(/[\s,]+/).filter((s) => s.length > 0);
+    }
+    const proxy = await deps.startProxy();
+    try {
+        const client = deps.buildClient(proxy.baseUrl);
+        let startResponse;
+        try {
+            startResponse = await client.start(serverName, namespace, body);
+        }
+        catch (err) {
+            if (err instanceof AuthHttpError) {
+                output.error('mcp auth failed:', err.body || `HTTP ${err.status}`);
+            }
+            else {
+                output.error('mcp auth failed:', err.message);
+            }
+            return 1;
+        }
+        console.log(`Authorization URL: ${startResponse.authorization_url}`);
+        if (options.open !== false) {
+            try {
+                await deps.openBrowser(startResponse.authorization_url);
+            }
+            catch {
+                // ignore — URL is already printed
+            }
+        }
+        const deadline = deps.now() + timeoutMs;
+        while (deps.now() < deadline) {
+            let status;
+            try {
+                status = await client.status(serverName, namespace, startResponse.auth_id);
+            }
+            catch (err) {
+                if (err instanceof AuthHttpError) {
+                    output.error('mcp auth failed:', err.body || `HTTP ${err.status}`);
+                }
+                else {
+                    output.error('mcp auth failed:', err.message);
+                }
+                return 1;
+            }
+            if (status.state === 'authorized') {
+                if (status.expires_at) {
+                    output.success(`authorized (token expires at ${status.expires_at})`);
+                }
+                else {
+                    output.success('authorized');
+                }
+                return 0;
+            }
+            if (status.state === 'failed' || status.state === 'expired') {
+                const reason = status.message || status.state;
+                output.error('mcp auth failed:', reason);
+                return 1;
+            }
+            await deps.sleep(POLL_INTERVAL_MS);
+        }
+        output.error('mcp auth failed:', 'timed out waiting for authorization');
+        return 1;
+    }
+    finally {
+        proxy.stop();
+    }
+}

package/dist/commands/mcp/logout.d.ts

@@ -0,0 +1,16 @@
+import { McpAuthClient } from './authClient.js';
+export interface LogoutOptions {
+    namespace?: string;
+    keepClient?: boolean;
+    deleteSecret?: boolean;
+}
+export interface LogoutDeps {
+    buildClient: (baseUrl: string) => McpAuthClient;
+    resolveNs: (explicit?: string) => string;
+    startProxy: () => Promise<{
+        baseUrl: string;
+        stop: () => void;
+    }>;
+}
+export declare const defaultLogoutDeps: LogoutDeps;
+export declare function runLogout(serverName: string, options: LogoutOptions, deps?: LogoutDeps): Promise<number>;

package/dist/commands/mcp/logout.js

@@ -0,0 +1,65 @@
+import output from '../../lib/output.js';
+import { ArkApiProxy } from '../../lib/arkApiProxy.js';
+import { loadConfig } from '../../lib/config.js';
+import { resolveNamespace } from './namespace.js';
+import { AuthHttpError, McpAuthClient } from './authClient.js';
+export const defaultLogoutDeps = {
+    buildClient: (baseUrl) => new McpAuthClient(baseUrl),
+    resolveNs: (explicit) => resolveNamespace(explicit),
+    startProxy: async () => {
+        const config = loadConfig();
+        const proxy = new ArkApiProxy(undefined, config.services?.reusePortForwards ?? false);
+        const client = await proxy.start();
+        return {
+            baseUrl: client.getBaseUrl(),
+            stop: () => proxy.stop(),
+        };
+    },
+};
+export async function runLogout(serverName, options, deps = defaultLogoutDeps) {
+    if (options.keepClient && options.deleteSecret) {
+        output.error('mcp auth failed:', '--keep-client and --delete-secret are mutually exclusive');
+        return 1;
+    }
+    const namespace = deps.resolveNs(options.namespace);
+    const body = {};
+    if (options.keepClient)
+        body.keep_client = true;
+    if (options.deleteSecret)
+        body.delete_secret = true;
+    const proxy = await deps.startProxy();
+    try {
+        const client = deps.buildClient(proxy.baseUrl);
+        let response;
+        try {
+            response = await client.logout(serverName, namespace, body);
+        }
+        catch (err) {
+            if (err instanceof AuthHttpError) {
+                if (err.status === 404) {
+                    output.error('mcp auth failed:', 'MCPServer not found');
+                }
+                else {
+                    output.error('mcp auth failed:', err.body || `HTTP ${err.status}`);
+                }
+                return 1;
+            }
+            output.error('mcp auth failed:', err.message);
+            return 1;
+        }
+        if (response.noop) {
+            output.success('logout: nothing to clear');
+        }
+        else if (response.deleted) {
+            output.success('logout: secret deleted');
+        }
+        else {
+            const keys = response.cleared_keys ?? [];
+            output.success(`logout: cleared ${keys.length} key(s)`);
+        }
+        return 0;
+    }
+    finally {
+        proxy.stop();
+    }
+}

package/dist/commands/mcp/namespace.d.ts

@@ -0,0 +1 @@
+export declare function resolveNamespace(explicit?: string): string;

package/dist/commands/mcp/namespace.js

@@ -0,0 +1,17 @@
+import { KubeConfig } from '@kubernetes/client-node';
+export function resolveNamespace(explicit) {
+    if (explicit && explicit.length > 0) {
+        return explicit;
+    }
+    const kc = new KubeConfig();
+    kc.loadFromDefault();
+    const contextName = kc.getCurrentContext();
+    if (!contextName) {
+        return 'default';
+    }
+    const ctx = kc.getContextObject(contextName);
+    if (ctx && ctx.namespace && ctx.namespace.length > 0) {
+        return ctx.namespace;
+    }
+    return 'default';
+}

package/dist/commands/mcp/timeout.d.ts

@@ -0,0 +1 @@
+export declare function parseTimeoutDuration(input: string): number;

package/dist/commands/mcp/timeout.js

@@ -0,0 +1,23 @@
+export function parseTimeoutDuration(input) {
+    const match = input.match(/^(\d+(?:\.\d+)?)(ms|s|m|h)$/);
+    if (!match) {
+        throw new Error(`invalid --timeout value: ${input} (expected Go duration such as 60s, 5m, 1h)`);
+    }
+    const value = parseFloat(match[1]);
+    if (!isFinite(value) || value <= 0) {
+        throw new Error(`invalid --timeout value: ${input} (must be a positive duration)`);
+    }
+    const unit = match[2];
+    switch (unit) {
+        case 'ms':
+            return value;
+        case 's':
+            return value * 1000;
+        case 'm':
+            return value * 60 * 1000;
+        case 'h':
+            return value * 60 * 60 * 1000;
+        default:
+            throw new Error(`invalid --timeout unit: ${unit}`);
+    }
+}

package/dist/index.js

@@ -18,6 +18,7 @@ import { createGenerateCommand } from './commands/generate/index.js';
 import { createImportCommand } from './commands/import/index.js';
 import { createInstallCommand } from './commands/install/index.js';
 import { createMarketplaceCommand } from './commands/marketplace/index.js';
+import { createMcpCommand } from './commands/mcp/index.js';
 import { createMemoryCommand } from './commands/memory/index.js';
 import { createModelsCommand } from './commands/models/index.js';
 import { createQueryCommand } from './commands/query/index.js';
@@ -53,6 +54,7 @@ async function main() {
     program.addCommand(createImportCommand(config));
     program.addCommand(createInstallCommand(config));
     program.addCommand(createMarketplaceCommand(config));
+    program.addCommand(createMcpCommand(config));
     program.addCommand(createMemoryCommand(config));
     program.addCommand(createModelsCommand(config));
     program.addCommand(createQueryCommand(config));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agents-at-scale/ark",
-  "version": "0.1.63",
+  "version": "0.1.64",
   "description": "Ark CLI - Interactive terminal interface for ARK agents",
   "main": "dist/index.js",
   "type": "module",
@@ -72,19 +72,20 @@
     "@types/react": "^19.1.13",
     "@typescript-eslint/eslint-plugin": "^8.56.0",
     "@typescript-eslint/parser": "^8.56.0",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/coverage-v8": "^4.1.8",
     "eslint": "^10.0.0",
     "globals": "^16.2.0",
     "prettier": "^3.6.2",
     "ts-node": "^10.9.2",
     "tsx": "^4.20.5",
     "typescript": "^5.7.2",
-    "vitest": "^3.2.4"
+    "vitest": "^4.1.8"
   },
   "engines": {
     "node": ">=18.0.0"
   },
   "overrides": {
+    "brace-expansion": ">=5.0.6",
     "minimatch": "^10.2.3",
     "rollup": "4.59.0",
     "hono": "^4.12.18",
@@ -92,6 +93,7 @@
     "flatted": "^3.4.2",
     "tar": "^7.5.11",
     "express-rate-limit": "^8.3.0",
-    "fast-uri": "^3.1.1"
+    "fast-uri": "^3.1.1",
+    "ws": "^8.20.1"
   }
 }

package/templates/mcp-server/Dockerfile

@@ -63,7 +63,7 @@ ENTRYPOINT [ "/bin/bash", "-c", "mcp-proxy --debug --port 8080 --host 0.0.0.0 --
 {{- end }}
 
 {{- else if eq .Values.technology "go" }}
-FROM golang:latest AS go-builder
+FROM golang:1.26.3-alpine AS go-builder
 {{- if .Values.packageSource }}
 {{- if eq .Values.packageSource "go-install" }}
 RUN go install {{ .Values.packageName }}@latest

package/templates/tool/uv.lock

@@ -48,14 +48,14 @@ wheels = [
 
 [[package]]
 name = "authlib"
-version = "1.6.11"
+version = "1.6.12"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cryptography" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/28/10/b325d58ffe86815b399334a101e63bc6fa4e1953921cb23703b48a0a0220/authlib-1.6.11.tar.gz", hash = "sha256:64db35b9b01aeccb4715a6c9a6613a06f2bd7be2ab9d2eb89edd1dfc7580a38f", size = 165359, upload-time = "2026-04-16T07:22:50.279Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d3/30/6691fdc63b35f54a5a65e04fa1e59d827f4d4e8f4a39678ba7d3088ce0c8/authlib-1.6.12.tar.gz", hash = "sha256:0656d8482f28fc8221929d5f35b2bde5d13e10555ebc06b4561b0d622e83b1bd", size = 165368, upload-time = "2026-05-04T08:11:31.826Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/57/2f/55fca558f925a51db046e5b929deb317ddb05afed74b22d89f4eca578980/authlib-1.6.11-py2.py3-none-any.whl", hash = "sha256:c8687a9a26451c51a34a06fa17bb97cb15bba46a6a626755e2d7f50da8bff3e3", size = 244469, upload-time = "2026-04-16T07:22:48.413Z" },
+    { url = "https://files.pythonhosted.org/packages/cd/51/9b0b5cd4cf683a02db937a6f9bbebcdc9c56558a7bb3763ce7d3512103c3/authlib-1.6.12-py2.py3-none-any.whl", hash = "sha256:e9229ad7fde610b139dd12f5edbe97eab9ee78bfb85691247e767727850b99ab", size = 244473, upload-time = "2026-05-04T08:11:30.354Z" },
 ]
 
 [[package]]
@@ -384,11 +384,11 @@ wheels = [
 
 [[package]]
 name = "idna"
-version = "3.10"
+version = "3.15"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", size = 190490, upload-time = "2024-09-15T18:07:39.745Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/82/77/7b3966d0b9d1d31a36ddf1746926a11dface89a83409bf1483f0237aa758/idna-3.15.tar.gz", hash = "sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc", size = 199245, upload-time = "2026-05-12T22:45:57.011Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", size = 70442, upload-time = "2024-09-15T18:07:37.964Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/23/408243171aa9aaba178d3e2559159c24c1171a641aa83b67bdd3394ead8e/idna-3.15-py3-none-any.whl", hash = "sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8", size = 72340, upload-time = "2026-05-12T22:45:55.733Z" },
 ]
 
 [[package]]