npm - @aiwerk/mcp-bridge - Versions diffs - 1.7.0 → 1.7.2 - Mend

@aiwerk/mcp-bridge 1.7.0 → 1.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/bin/mcp-bridge.js +2 -2
package/dist/src/config.js +5 -1
package/dist/src/embeddings.js +7 -1
package/dist/src/mcp-router.d.ts +1 -1
package/dist/src/security.d.ts +2 -1
package/dist/src/security.js +2 -1
package/dist/src/standalone-server.d.ts +1 -0
package/dist/src/standalone-server.js +16 -4
package/dist/src/transport-sse.d.ts +1 -1
package/dist/src/transport-sse.js +9 -15
package/dist/src/types.js +5 -2
package/package.json +1 -1

package/dist/bin/mcp-bridge.js CHANGED Viewed

@@ -153,7 +153,7 @@ All logs go to stderr. Stdout is reserved for the MCP protocol (stdio mode).
 function cmdInit(logger) {
     initConfigDir(logger);
 }
-function cmdCatalog(logger, offline) {
+function cmdCatalog(logger) {
     const catalogPath = join(PACKAGE_ROOT, "servers", "index.json");
     if (!existsSync(catalogPath)) {
         logger.error("Server catalog not found");
@@ -303,7 +303,7 @@ async function main() {
             cmdInit(logger);
             break;
         case "catalog":
-            cmdCatalog(logger, args.offline);
+            cmdCatalog(logger);
             break;
         case "servers":
             cmdServers(logger, args.configPath);

package/dist/src/config.js CHANGED Viewed

@@ -108,7 +108,11 @@ export function loadConfig(options = {}) {
     }
     // Read and parse config
     const rawConfig = JSON.parse(readFileSync(configPath, "utf-8"));
-    // Resolve ${VAR} placeholders using .env + process.env
+    // Merge order: .env file values take priority over process.env for config resolution.
+    // This is intentional: .env is the user-controlled secrets file, process.env may have
+    // stale or system-level values. Note: dotenv loads .env INTO process.env without
+    // overwriting (opposite direction), but our config resolver uses this merged map
+    // where .env wins.
     const mergedEnv = { ...dotEnv };
     for (const [k, v] of Object.entries(process.env)) {
         if (mergedEnv[k] === undefined)

package/dist/src/embeddings.js CHANGED Viewed

@@ -84,7 +84,13 @@ export class OpenAIEmbedding {
             .map((item) => item.embedding);
     }
     dimensions() {
-        return 1536;
+        if (this.model.includes("3-large"))
+            return 3072;
+        if (this.model.includes("3-small"))
+            return 1536;
+        if (this.model.includes("ada-002"))
+            return 1536;
+        return 1536; // safe default
     }
 }
 export class OllamaEmbedding {

package/dist/src/mcp-router.d.ts CHANGED Viewed

@@ -81,7 +81,7 @@ export declare class McpRouter {
     private readonly maxConcurrent;
     private readonly states;
     private intentRouter;
-    private readonly promotion;
+    private promotion;
     constructor(servers: Record<string, McpServerConfig>, clientConfig: McpClientConfig, logger: Logger, transportRefs?: Partial<RouterTransportRefs>);
     static generateDescription(servers: Record<string, McpServerConfig>): string;
     dispatch(server?: string, action?: string, tool?: string, params?: any): Promise<RouterDispatchResponse>;

package/dist/src/security.d.ts CHANGED Viewed

@@ -23,6 +23,7 @@ export declare function applyMaxResultSize(result: any, serverConfig: McpServerC
  */
 export declare function applyTrustLevel(result: any, serverName: string, serverConfig: McpServerConfig): any;
 /**
- * Full security pipeline: truncate → sanitize → trust-tag
+ * Full security pipeline: truncate → trust-tag (which includes sanitize for trust="sanitize")
+ * Note: sanitization only runs when trust="sanitize". trust="untrusted" wraps without sanitizing.
  */
 export declare function processResult(result: any, serverName: string, serverConfig: McpServerConfig, clientConfig: McpClientConfig): any;

package/dist/src/security.js CHANGED Viewed

@@ -117,7 +117,8 @@ export function applyTrustLevel(result, serverName, serverConfig) {
     }
 }
 /**
- * Full security pipeline: truncate → sanitize → trust-tag
+ * Full security pipeline: truncate → trust-tag (which includes sanitize for trust="sanitize")
+ * Note: sanitization only runs when trust="sanitize". trust="untrusted" wraps without sanitizing.
  */
 export function processResult(result, serverName, serverConfig, clientConfig) {
     let processed = applyMaxResultSize(result, serverConfig, clientConfig);

package/dist/src/standalone-server.d.ts CHANGED Viewed

@@ -9,6 +9,7 @@ export declare class StandaloneServer {
     private logger;
     private router;
     private initialized;
+    private lspMode;
     private directTools;
     private directConnections;
     constructor(config: BridgeConfig, logger: Logger);

package/dist/src/standalone-server.js CHANGED Viewed

@@ -14,6 +14,7 @@ export class StandaloneServer {
     logger;
     router = null;
     initialized = false;
+    lspMode = false;
     // Direct mode state
     directTools = [];
     directConnections = new Map();
@@ -45,9 +46,12 @@ export class StandaloneServer {
                 progress = false;
                 // If we're reading an LSP body, check if we have enough bytes
                 if (lspContentLength >= 0 && lspHeadersDone) {
-                    if (buffer.length >= lspContentLength) {
-                        const body = buffer.slice(0, lspContentLength);
-                        buffer = buffer.slice(lspContentLength);
+                    const bufferBytes = Buffer.byteLength(buffer, "utf8");
+                    if (bufferBytes >= lspContentLength) {
+                        // Extract exactly lspContentLength bytes (LSP spec defines Content-Length in bytes)
+                        const bodyBuffer = Buffer.from(buffer, "utf8").slice(0, lspContentLength);
+                        const body = bodyBuffer.toString("utf8");
+                        buffer = buffer.substring(body.length);
                         lspContentLength = -1;
                         lspHeadersDone = false;
                         const trimmed = body.trim();
@@ -80,6 +84,7 @@ export class StandaloneServer {
                 }
                 if (trimmed.startsWith("Content-Length:")) {
                     // Start of LSP-framed message
+                    this.lspMode = true;
                     const lengthStr = trimmed.slice("Content-Length:".length).trim();
                     const length = parseInt(lengthStr, 10);
                     if (!isNaN(length) && length > 0) {
@@ -135,7 +140,14 @@ export class StandaloneServer {
         });
     }
     writeResponse(stdout, response) {
-        stdout.write(JSON.stringify(response) + "\n");
+        const json = JSON.stringify(response);
+        if (this.lspMode) {
+            const byteLength = Buffer.byteLength(json, "utf8");
+            stdout.write(`Content-Length: ${byteLength}\r\n\r\n${json}`);
+        }
+        else {
+            stdout.write(json + "\n");
+        }
     }
     /** Handle a single MCP JSON-RPC request. */
     async handleRequest(request) {

package/dist/src/transport-sse.d.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { BaseTransport } from "./transport-base.js";
 export declare class SseTransport extends BaseTransport {
     private endpointUrl;
     private sseAbortController;
-    private currentDataBuffer;
+    private resolvedHeaders;
     protected get transportName(): string;
     connect(): Promise<void>;
     private _onEndpointReceived;

package/dist/src/transport-sse.js CHANGED Viewed

@@ -3,15 +3,15 @@ import { BaseTransport, resolveEnvRecord, warnIfNonTlsRemoteUrl } from "./transp
 export class SseTransport extends BaseTransport {
     endpointUrl = null;
     sseAbortController = null;
-    currentDataBuffer = [];
+    resolvedHeaders = null;
     get transportName() { return "SSE"; }
     async connect() {
         if (!this.config.url) {
             throw new Error("SSE transport requires URL");
         }
         warnIfNonTlsRemoteUrl(this.config.url, this.logger);
-        // Validate that all header env vars resolve (fail fast)
-        resolveEnvRecord(this.config.headers || {}, "header");
+        // Resolve headers once and cache for all subsequent requests
+        this.resolvedHeaders = resolveEnvRecord(this.config.headers || {}, "header");
         if (this.sseAbortController) {
             this.sseAbortController.abort();
         }
@@ -36,10 +36,8 @@ export class SseTransport extends BaseTransport {
     async startEventStream() {
         if (!this.config.url)
             return;
-        const headers = resolveEnvRecord({
-            ...this.config.headers,
-            "Accept": "text/event-stream"
-        }, "header");
+        const base = this.resolvedHeaders ?? resolveEnvRecord(this.config.headers || {}, "header");
+        const headers = { ...base, "Accept": "text/event-stream" };
         try {
             const response = await fetch(this.config.url, {
                 method: "GET",
@@ -132,10 +130,8 @@ export class SseTransport extends BaseTransport {
         if (!this.connected || !this.endpointUrl) {
             throw new Error("SSE transport not connected or no endpoint URL");
         }
-        const headers = resolveEnvRecord({
-            ...this.config.headers,
-            "Content-Type": "application/json"
-        }, "header");
+        const base = this.resolvedHeaders ?? resolveEnvRecord(this.config.headers || {}, "header");
+        const headers = { ...base, "Content-Type": "application/json" };
         const response = await fetch(this.endpointUrl, {
             method: "POST",
             headers,
@@ -158,10 +154,8 @@ export class SseTransport extends BaseTransport {
                 reject(new Error(`Request timeout after ${requestTimeout}ms`));
             }, requestTimeout);
             this.pendingRequests.set(id, { resolve, reject, timeout });
-            const headers = resolveEnvRecord({
-                ...this.config.headers,
-                "Content-Type": "application/json"
-            }, "header");
+            const base = this.resolvedHeaders ?? resolveEnvRecord(this.config.headers || {}, "header");
+            const headers = { ...base, "Content-Type": "application/json" };
             // The response arrives via the SSE stream (handleMessage), not from this fetch.
             // The fetch only confirms the server accepted the request (HTTP 200).
             // If the fetch fails, we reject immediately; otherwise we wait for the SSE stream.

package/dist/src/types.js CHANGED Viewed

@@ -1,5 +1,8 @@
-let globalRequestId = 1;
+let globalRequestId = 0;
 export function nextRequestId() {
-    globalRequestId = (globalRequestId + 1) % Number.MAX_SAFE_INTEGER;
+    globalRequestId++;
+    if (globalRequestId >= Number.MAX_SAFE_INTEGER) {
+        globalRequestId = 1;
+    }
     return globalRequestId;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aiwerk/mcp-bridge",
-  "version": "1.7.0",
+  "version": "1.7.2",
   "description": "Standalone MCP server that multiplexes multiple MCP servers into one interface",
   "type": "module",
   "main": "./dist/src/index.js",