@aiwerk/mcp-bridge 2.0.0 → 2.1.1

package/README.md

@@ -1,6 +1,6 @@
 # @aiwerk/mcp-bridge
 
-[![Tests](https://github.com/AIWerk/mcp-bridge/actions/workflows/test.yml/badge.svg)](https://github.com/AIWerk/mcp-bridge/actions/workflows/test.yml)
+[![CI](https://github.com/AIWerk/mcp-bridge/actions/workflows/ci.yml/badge.svg)](https://github.com/AIWerk/mcp-bridge/actions/workflows/ci.yml)
 [![npm version](https://img.shields.io/npm/v/@aiwerk/mcp-bridge.svg)](https://www.npmjs.com/package/@aiwerk/mcp-bridge)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
@@ -17,6 +17,12 @@ Most AI agents connect to MCP servers one-by-one. With 10+ servers, that's 10+ c
 - **Intent routing**: say what you need in plain language, the bridge finds the right tool
 - **Schema compression**: tool descriptions compressed ~57%, full schema on demand
 - **Security layer**: trust levels, tool deny/allow lists, result size limits
+- **HTTP auth**: bearer token, custom headers, and **OAuth2 Client Credentials** with automatic token management
+- **Result caching**: LRU cache with per-tool TTL overrides
+- **Batch calls**: parallel multi-tool execution via `action=batch`
+- **Multi-server resolution**: automatic tool disambiguation when multiple servers provide the same tool
+- **Configurable retries**: exponential backoff for transient errors
+- **Graceful shutdown**: clean process termination and connection cleanup
 - **Direct mode**: all tools registered individually with automatic prefixing
 - **3 transports**: stdio, SSE, streamable-http
 - **Built-in catalog**: 14 pre-configured servers, install with one command
@@ -363,6 +369,35 @@ When `action="call"` is used without `server=`, mcp-bridge can resolve collision
 | `sse` | `url`, `headers` | Remote SSE servers |
 | `streamable-http` | `url`, `headers` | Modern HTTP-based servers |
 
+### Authentication
+
+SSE and streamable-HTTP transports support three auth methods:
+
+**Bearer token:**
+```json
+{ "auth": { "type": "bearer", "token": "${MY_API_TOKEN}" } }
+```
+
+**Custom headers:**
+```json
+{ "auth": { "type": "header", "headers": { "X-API-Key": "${MY_KEY}" } } }
+```
+
+**OAuth2 Client Credentials** (automatic token management):
+```json
+{
+  "auth": {
+    "type": "oauth2",
+    "clientId": "${CLIENT_ID}",
+    "clientSecret": "${CLIENT_SECRET}",
+    "tokenUrl": "https://provider.com/oauth/token",
+    "scopes": ["read", "write"]
+  }
+}
+```
+
+OAuth2 features: automatic token acquisition, caching with expiry-aware refresh, single-attempt 401 retry, env var substitution in credentials.
+
 ### Environment variables
 
 Secrets go in `~/.mcp-bridge/.env` (chmod 600 on init):
@@ -459,6 +494,36 @@ const result = await router.dispatch("todoist", "call", "find-tasks", { query: "
                         └──────────────────────────────────────────────┘
 ```
 
+## Security Limitations
+
+The built-in security layer (trust levels, tool filters, result sanitization) provides **baseline protection** for common threats:
+
+- Prompt injection patterns (known strings)
+- Oversized responses
+- Unauthorized tool access
+
+**What it does NOT cover:**
+- Unicode obfuscation / homoglyph attacks
+- Sophisticated multi-step injection chains
+- Content-level PII detection
+
+For production deployments with high security requirements, consider adding an external content filtering layer (e.g., guardrails, PII redaction service) between the bridge and your application.
+
+## Roadmap
+
+| Status | Feature | Version |
+|--------|---------|---------|
+| ✅ | Smart Router v2 (intent, cache, batch, resolution) | 1.9.0 |
+| ✅ | HTTP auth (bearer, headers) | 2.0.0 |
+| ✅ | Configurable retries + graceful shutdown | 2.0.0 |
+| ✅ | OAuth2 Client Credentials | 2.1.0 |
+| 🔜 | Hosted bridge (bridge.aiwerk.ch) | planned |
+| 🔜 | Remote catalog integration | planned |
+| 🔜 | OpenTelemetry / Prometheus metrics | planned |
+| 🔜 | PII redaction | planned |
+
+See [docs/hosted-bridge-spec.md](docs/hosted-bridge-spec.md) for the hosted bridge architecture.
+
 ## Related
 
 - **[@aiwerk/openclaw-mcp-bridge](https://github.com/AIWerk/openclaw-mcp-bridge)** — OpenClaw plugin wrapper (uses this package as core)

package/dist/bin/mcp-bridge.js

@@ -267,7 +267,7 @@ async function cmdServe(args, logger) {
         process.exit(1);
     }
     // HTTP modes: require auth
-    if ((args.sse || args.http) && !config.http?.auth?.token) {
+    if ((args.sse || args.http) && !config.http?.auth) {
         logger.error("HTTP auth not configured. Set http.auth in config or use stdio mode.");
         process.exit(1);
     }

package/dist/src/index.d.ts

@@ -1,7 +1,9 @@
-export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveServerHeaders, warnIfNonTlsRemoteUrl } from "./transport-base.js";
+export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export { StdioTransport } from "./transport-stdio.js";
 export { SseTransport } from "./transport-sse.js";
 export { StreamableHttpTransport } from "./transport-streamable-http.js";
+export { OAuth2TokenManager } from "./oauth2-token-manager.js";
+export type { OAuth2Config } from "./oauth2-token-manager.js";
 export { McpRouter } from "./mcp-router.js";
 export type { RouterToolHint, RouterServerStatus, RouterDispatchResponse, RouterTransportRefs } from "./mcp-router.js";
 export { ResultCache, createResultCacheKey, stableStringify } from "./result-cache.js";
@@ -15,6 +17,6 @@ export type { Logger, McpServerConfig, McpClientConfig, HttpAuthConfig, RetryCon
 export { nextRequestId } from "./types.js";
 export { pickRegisteredToolName } from "./tool-naming.js";
 export { StandaloneServer } from "./standalone-server.js";
-export { checkForUpdate, getUpdateNotice, runUpdate, resetNoticeFlag } from "./update-checker.js";
-export type { UpdateInfo } from "./update-checker.js";
+export { checkForUpdate, checkPluginUpdate, getUpdateNotice, runUpdate, resetNoticeFlag } from "./update-checker.js";
+export type { UpdateInfo, PluginUpdateInfo } from "./update-checker.js";
 export { filterServers, buildFilteredDescription } from "./smart-filter.js";

package/dist/src/index.js

@@ -1,9 +1,10 @@
 // Core exports for @aiwerk/mcp-bridge
 // Transport classes
-export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveServerHeaders, warnIfNonTlsRemoteUrl } from "./transport-base.js";
+export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export { StdioTransport } from "./transport-stdio.js";
 export { SseTransport } from "./transport-sse.js";
 export { StreamableHttpTransport } from "./transport-streamable-http.js";
+export { OAuth2TokenManager } from "./oauth2-token-manager.js";
 // Router
 export { McpRouter } from "./mcp-router.js";
 // Result cache
@@ -21,6 +22,6 @@ export { pickRegisteredToolName } from "./tool-naming.js";
 // Standalone server
 export { StandaloneServer } from "./standalone-server.js";
 // Update checker
-export { checkForUpdate, getUpdateNotice, runUpdate, resetNoticeFlag } from "./update-checker.js";
+export { checkForUpdate, checkPluginUpdate, getUpdateNotice, runUpdate, resetNoticeFlag } from "./update-checker.js";
 // Smart filter
 export { filterServers, buildFilteredDescription } from "./smart-filter.js";

package/dist/src/mcp-router.d.ts

@@ -1,4 +1,5 @@
 import { McpClientConfig, McpServerConfig, McpTransport, Logger } from "./types.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 type RouterErrorCode = "unknown_server" | "unknown_tool" | "connection_failed" | "mcp_error" | "invalid_params";
 interface RouterBatchResult {
     server: string;
@@ -92,9 +93,9 @@ export type RouterDispatchResponse = {
     code?: number;
 };
 export interface RouterTransportRefs {
-    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>) => McpTransport;
+    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager) => McpTransport;
     stdio: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>) => McpTransport;
-    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>) => McpTransport;
+    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager) => McpTransport;
 }
 export declare class McpRouter {
     private readonly servers;
@@ -107,6 +108,7 @@ export declare class McpRouter {
     private readonly maxBatchSize;
     private readonly states;
     private readonly toolResolver;
+    private readonly tokenManager;
     private intentRouter;
     private promotion;
     constructor(servers: Record<string, McpServerConfig>, clientConfig: McpClientConfig, logger: Logger, transportRefs?: Partial<RouterTransportRefs>);

package/dist/src/mcp-router.js

@@ -9,6 +9,7 @@ import { isToolAllowed, processResult } from "./security.js";
 import { AdaptivePromotion } from "./adaptive-promotion.js";
 import { ResultCache, createResultCacheKey } from "./result-cache.js";
 import { ToolResolver } from "./tool-resolution.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 const DEFAULT_IDLE_TIMEOUT_MS = 10 * 60 * 1000;
 const DEFAULT_MAX_CONCURRENT = 5;
 const DEFAULT_MAX_BATCH_SIZE = 10;
@@ -24,6 +25,7 @@ export class McpRouter {
     maxBatchSize;
     states = new Map();
     toolResolver;
+    tokenManager;
     intentRouter = null;
     promotion = null;
     constructor(servers, clientConfig, logger, transportRefs) {
@@ -46,6 +48,7 @@ export class McpRouter {
             : null;
         this.maxBatchSize = clientConfig.maxBatchSize ?? DEFAULT_MAX_BATCH_SIZE;
         this.toolResolver = new ToolResolver(Object.keys(servers));
+        this.tokenManager = new OAuth2TokenManager(logger);
         if (clientConfig.adaptivePromotion?.enabled) {
             this.promotion = new AdaptivePromotion(clientConfig.adaptivePromotion, logger);
         }
@@ -487,6 +490,7 @@ export class McpRouter {
             this.intentRouter.clearIndex();
         }
         this.resultCache?.invalidate();
+        this.tokenManager.clear();
     }
     async ensureConnected(server) {
         let state = this.states.get(server);
@@ -590,13 +594,13 @@ export class McpRouter {
             this.resultCache?.invalidate(`${serverName}:`);
         };
         if (serverConfig.transport === "sse") {
-            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected);
+            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager);
         }
         if (serverConfig.transport === "stdio") {
             return new this.transportRefs.stdio(serverConfig, this.clientConfig, this.logger, onReconnected);
         }
         if (serverConfig.transport === "streamable-http") {
-            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected);
+            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager);
         }
         throw new Error(`Unsupported transport: ${serverConfig.transport}`);
     }

package/dist/src/oauth2-token-manager.d.ts

@@ -0,0 +1,20 @@
+import type { Logger } from "./types.js";
+export interface OAuth2Config {
+    clientId: string;
+    clientSecret: string;
+    tokenUrl: string;
+    scopes?: string[];
+    audience?: string;
+}
+export declare class OAuth2TokenManager {
+    private readonly logger;
+    private readonly tokenCache;
+    private readonly inflight;
+    constructor(logger: Logger);
+    getToken(config: OAuth2Config): Promise<string>;
+    invalidate(tokenUrl: string, clientId: string): void;
+    clear(): void;
+    private makeKey;
+    private fetchToken;
+    private exchangeToken;
+}

package/dist/src/oauth2-token-manager.js

@@ -0,0 +1,98 @@
+const DEFAULT_EXPIRES_IN_SECONDS = 3600;
+const EXPIRY_BUFFER_SECONDS = 60;
+export class OAuth2TokenManager {
+    logger;
+    tokenCache = new Map();
+    inflight = new Map();
+    constructor(logger) {
+        this.logger = logger;
+    }
+    async getToken(config) {
+        const key = this.makeKey(config.tokenUrl, config.clientId);
+        const now = Date.now();
+        const cached = this.tokenCache.get(key);
+        if (cached && cached.expiresAt > now) {
+            return cached.accessToken;
+        }
+        const existingInflight = this.inflight.get(key);
+        if (existingInflight) {
+            return existingInflight;
+        }
+        const requestPromise = this.fetchToken(config, cached)
+            .then((token) => {
+            this.tokenCache.set(key, token);
+            return token.accessToken;
+        })
+            .finally(() => {
+            this.inflight.delete(key);
+        });
+        this.inflight.set(key, requestPromise);
+        return requestPromise;
+    }
+    invalidate(tokenUrl, clientId) {
+        const key = this.makeKey(tokenUrl, clientId);
+        this.tokenCache.delete(key);
+        this.inflight.delete(key);
+    }
+    clear() {
+        this.tokenCache.clear();
+        this.inflight.clear();
+    }
+    makeKey(tokenUrl, clientId) {
+        return `${tokenUrl}::${clientId}`;
+    }
+    async fetchToken(config, cached) {
+        if (cached?.refreshToken) {
+            try {
+                return await this.exchangeToken(config, {
+                    grant_type: "refresh_token",
+                    refresh_token: cached.refreshToken,
+                });
+            }
+            catch (error) {
+                this.logger.warn("[mcp-bridge] OAuth2 refresh token exchange failed, falling back to client_credentials:", error);
+            }
+        }
+        return this.exchangeToken(config, {
+            grant_type: "client_credentials",
+        });
+    }
+    async exchangeToken(config, grant) {
+        const formData = new URLSearchParams();
+        formData.set("grant_type", grant.grant_type);
+        formData.set("client_id", config.clientId);
+        formData.set("client_secret", config.clientSecret);
+        if (grant.grant_type === "refresh_token") {
+            formData.set("refresh_token", grant.refresh_token);
+        }
+        if (config.scopes?.length) {
+            formData.set("scope", config.scopes.join(" "));
+        }
+        if (config.audience) {
+            formData.set("audience", config.audience);
+        }
+        const response = await fetch(config.tokenUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: formData.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`OAuth2 token exchange failed: HTTP ${response.status}`);
+        }
+        const payload = (await response.json());
+        if (!payload.access_token) {
+            throw new Error("OAuth2 token exchange response missing access_token");
+        }
+        const expiresIn = Number.isFinite(payload.expires_in)
+            ? Number(payload.expires_in)
+            : DEFAULT_EXPIRES_IN_SECONDS;
+        const expiresAt = Date.now() + Math.max(0, expiresIn - EXPIRY_BUFFER_SECONDS) * 1000;
+        return {
+            accessToken: payload.access_token,
+            expiresAt,
+            refreshToken: payload.refresh_token,
+        };
+    }
+}

package/dist/src/standalone-server.d.ts

@@ -10,6 +10,7 @@ export declare class StandaloneServer {
     private router;
     private initialized;
     private lspMode;
+    private readonly tokenManager;
     private directTools;
     private directConnections;
     constructor(config: BridgeConfig, logger: Logger);

package/dist/src/standalone-server.js

@@ -4,6 +4,7 @@ import { pickRegisteredToolName } from "./tool-naming.js";
 import { SseTransport } from "./transport-sse.js";
 import { StdioTransport } from "./transport-stdio.js";
 import { StreamableHttpTransport } from "./transport-streamable-http.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 /**
  * Standalone MCP server that wraps the router.
  * Implements the MCP protocol (initialize, tools/list, tools/call)
@@ -15,12 +16,14 @@ export class StandaloneServer {
     router = null;
     initialized = false;
     lspMode = false;
+    tokenManager;
     // Direct mode state
     directTools = [];
     directConnections = new Map();
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
+        this.tokenManager = new OAuth2TokenManager(logger);
         if (this.isRouterMode()) {
             this.router = new McpRouter(config.servers || {}, config, logger);
         }
@@ -400,11 +403,11 @@ export class StandaloneServer {
         };
         switch (serverConfig.transport) {
             case "sse":
-                return new SseTransport(serverConfig, this.config, this.logger, onReconnected);
+                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager);
             case "stdio":
                 return new StdioTransport(serverConfig, this.config, this.logger, onReconnected);
             case "streamable-http":
-                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected);
+                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager);
             default:
                 throw new Error(`Unsupported transport: ${serverConfig.transport}`);
         }
@@ -424,6 +427,7 @@ export class StandaloneServer {
             }
         }
         this.directConnections.clear();
+        this.tokenManager.clear();
         this.logger.info("[mcp-bridge] Shutdown complete");
     }
 }

package/dist/src/transport-base.d.ts

@@ -1,4 +1,5 @@
 import { McpTransport, McpRequest, McpResponse, McpServerConfig, McpClientConfig, Logger, JsonRpcMessage } from "./types.js";
+import type { OAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
 export type PendingRequest = {
     resolve: (value: McpResponse) => void;
     reject: (reason: Error) => void;
@@ -74,10 +75,13 @@ export declare function resolveArgs(args: string[], extraEnv?: Record<string, st
  * Resolve auth config into HTTP headers.
  */
 export declare function resolveAuthHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
+export declare function resolveOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): OAuth2Config;
+export declare function resolveAuthHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
 /**
  * Resolve server headers and merge auth headers (auth takes precedence).
  */
 export declare function resolveServerHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
+export declare function resolveServerHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
 /**
  * Warn if a URL uses non-TLS HTTP to a remote (non-localhost) host.
  */

package/dist/src/transport-base.js

@@ -169,7 +169,35 @@ export function resolveAuthHeaders(config, extraEnv, envFallback) {
         const token = resolveEnvVars(config.auth.token, "auth token", extraEnv, envFallback);
         return { Authorization: `Bearer ${token}` };
     }
-    return resolveEnvRecord(config.auth.headers, "auth header", extraEnv, envFallback);
+    if (config.auth.type === "header") {
+        return resolveEnvRecord(config.auth.headers, "auth header", extraEnv, envFallback);
+    }
+    throw new Error("[mcp-bridge] OAuth2 auth requires async header resolution via resolveAuthHeadersAsync");
+}
+export function resolveOAuth2Config(config, extraEnv, envFallback) {
+    if (!config.auth || config.auth.type !== "oauth2") {
+        throw new Error("[mcp-bridge] resolveOAuth2Config called for non-oauth2 auth config");
+    }
+    const scopes = config.auth.scopes?.map((scope, index) => resolveEnvVars(scope, `oauth2 scope[${index}]`, extraEnv, envFallback));
+    return {
+        clientId: resolveEnvVars(config.auth.clientId, "oauth2 clientId", extraEnv, envFallback),
+        clientSecret: resolveEnvVars(config.auth.clientSecret, "oauth2 clientSecret", extraEnv, envFallback),
+        tokenUrl: resolveEnvVars(config.auth.tokenUrl, "oauth2 tokenUrl", extraEnv, envFallback),
+        ...(scopes && scopes.length > 0 ? { scopes } : {}),
+        ...(config.auth.audience
+            ? { audience: resolveEnvVars(config.auth.audience, "oauth2 audience", extraEnv, envFallback) }
+            : {}),
+    };
+}
+export async function resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback) {
+    if (!config.auth)
+        return {};
+    if (config.auth.type === "oauth2") {
+        const oauth2Config = resolveOAuth2Config(config, extraEnv, envFallback);
+        const token = await tokenManager.getToken(oauth2Config);
+        return { Authorization: `Bearer ${token}` };
+    }
+    return resolveAuthHeaders(config, extraEnv, envFallback);
 }
 /**
  * Resolve server headers and merge auth headers (auth takes precedence).
@@ -179,6 +207,11 @@ export function resolveServerHeaders(config, extraEnv, envFallback) {
     const auth = resolveAuthHeaders(config, extraEnv, envFallback);
     return { ...base, ...auth };
 }
+export async function resolveServerHeadersAsync(config, tokenManager, extraEnv, envFallback) {
+    const base = resolveEnvRecord(config.headers || {}, "header", extraEnv, envFallback);
+    const auth = await resolveAuthHeadersAsync(config, tokenManager, extraEnv, envFallback);
+    return { ...base, ...auth };
+}
 /**
  * Warn if a URL uses non-TLS HTTP to a remote (non-localhost) host.
  */

package/dist/src/transport-sse.d.ts

@@ -1,13 +1,20 @@
-import { McpRequest, McpResponse } from "./types.js";
+import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig } from "./types.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport } from "./transport-base.js";
 export declare class SseTransport extends BaseTransport {
     private endpointUrl;
     private sseAbortController;
     private resolvedHeaders;
     private pendingRequestControllers;
+    private readonly tokenManager;
     protected get transportName(): string;
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager);
     connect(): Promise<void>;
     private _onEndpointReceived;
+    private getBaseHeaders;
+    private refreshResolvedHeaders;
+    private invalidateOAuth2Token;
+    private fetchWithOAuthRetry;
     private startEventStream;
     private processEventLine;
     sendNotification(notification: any): Promise<void>;

package/dist/src/transport-sse.js

@@ -1,18 +1,23 @@
 import { nextRequestId } from "./types.js";
-import { BaseTransport, resolveServerHeaders, warnIfNonTlsRemoteUrl } from "./transport-base.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class SseTransport extends BaseTransport {
     endpointUrl = null;
     sseAbortController = null;
     resolvedHeaders = null;
     pendingRequestControllers = new Map();
+    tokenManager;
     get transportName() { return "SSE"; }
+    constructor(config, clientConfig, logger, onReconnected, tokenManager) {
+        super(config, clientConfig, logger, onReconnected);
+        this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
+    }
     async connect() {
         if (!this.config.url) {
             throw new Error("SSE transport requires URL");
         }
         warnIfNonTlsRemoteUrl(this.config.url, this.logger);
-        // Resolve headers once and cache for all subsequent requests
-        this.resolvedHeaders = resolveServerHeaders(this.config);
+        await this.refreshResolvedHeaders();
         if (this.sseAbortController) {
             this.sseAbortController.abort();
         }
@@ -24,7 +29,7 @@ export class SseTransport extends BaseTransport {
         });
         // Fire and forget the stream reader
         this.startEventStream().catch((error) => {
-            if (error instanceof Error && error.name !== 'AbortError') {
+            if (error instanceof Error && error.name !== "AbortError") {
                 this.logger.error("[mcp-bridge] SSE stream error:", error.message);
                 this.scheduleReconnect();
             }
@@ -34,16 +39,58 @@ export class SseTransport extends BaseTransport {
         this.backoffDelay = this.clientConfig.reconnectIntervalMs || 30000;
     }
     _onEndpointReceived = null;
+    async getBaseHeaders(forceRefresh = false) {
+        if (this.config.auth?.type === "oauth2") {
+            if (forceRefresh) {
+                this.invalidateOAuth2Token();
+            }
+            return this.refreshResolvedHeaders();
+        }
+        if (!this.resolvedHeaders) {
+            this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
+        }
+        return this.resolvedHeaders;
+    }
+    async refreshResolvedHeaders() {
+        if (this.config.auth?.type === "oauth2") {
+            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback);
+        }
+        else {
+            this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
+        }
+        return this.resolvedHeaders;
+    }
+    invalidateOAuth2Token() {
+        if (this.config.auth?.type !== "oauth2") {
+            return;
+        }
+        const oauth2Config = resolveOAuth2Config(this.config, undefined, this.clientConfig.envFallback);
+        this.tokenManager.invalidate(oauth2Config.tokenUrl, oauth2Config.clientId);
+    }
+    async fetchWithOAuthRetry(url, init) {
+        const response = await fetch(url, init);
+        if (response.status !== 401 || this.config.auth?.type !== "oauth2") {
+            return response;
+        }
+        this.logger.warn("[mcp-bridge] SSE request returned 401, invalidating OAuth2 token and retrying once");
+        const refreshedBase = await this.getBaseHeaders(true);
+        const retryHeaders = {
+            ...refreshedBase,
+            ...Object.fromEntries(Array.from(new Headers(init.headers).entries()).filter(([key]) => key.toLowerCase() !== "authorization")),
+            Authorization: refreshedBase.Authorization,
+        };
+        return fetch(url, { ...init, headers: retryHeaders });
+    }
     async startEventStream() {
         if (!this.config.url)
             return;
-        const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
-        const headers = { ...base, "Accept": "text/event-stream" };
+        const base = await this.getBaseHeaders();
+        const headers = { ...base, Accept: "text/event-stream" };
         try {
-            const response = await fetch(this.config.url, {
+            const response = await this.fetchWithOAuthRetry(this.config.url, {
                 method: "GET",
                 headers,
-                signal: this.sseAbortController?.signal
+                signal: this.sseAbortController?.signal,
             });
             if (!response.ok) {
                 throw new Error(`SSE connection failed: HTTP ${response.status}`);
@@ -60,7 +107,7 @@ export class SseTransport extends BaseTransport {
                 if (done)
                     break;
                 buffer += decoder.decode(value, { stream: true });
-                const lines = buffer.split('\n');
+                const lines = buffer.split("\n");
                 buffer = lines.pop() || "";
                 for (const line of lines) {
                     this.processEventLine(line, state);
@@ -71,7 +118,7 @@ export class SseTransport extends BaseTransport {
             this.scheduleReconnect();
         }
         catch (error) {
-            if (error instanceof Error && error.name === 'AbortError')
+            if (error instanceof Error && error.name === "AbortError")
                 return;
             this.logger.error("SSE stream error:", error);
             this.scheduleReconnect();
@@ -131,12 +178,12 @@ export class SseTransport extends BaseTransport {
         if (!this.connected || !this.endpointUrl) {
             throw new Error("SSE transport not connected or no endpoint URL");
         }
-        const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
+        const base = await this.getBaseHeaders();
         const headers = { ...base, "Content-Type": "application/json" };
-        const response = await fetch(this.endpointUrl, {
+        const response = await this.fetchWithOAuthRetry(this.endpointUrl, {
             method: "POST",
             headers,
-            body: JSON.stringify(notification)
+            body: JSON.stringify(notification),
         });
         if (!response.ok) {
             this.logger.warn(`[mcp-bridge] SSE notification got HTTP ${response.status}`);
@@ -157,33 +204,35 @@ export class SseTransport extends BaseTransport {
                 reject(new Error(`Request timeout after ${requestTimeout}ms`));
             }, requestTimeout);
             this.pendingRequests.set(id, { resolve, reject, timeout });
-            const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
-            const headers = { ...base, "Content-Type": "application/json" };
             const abortController = new AbortController();
             this.pendingRequestControllers.set(id, abortController);
             // The response arrives via the SSE stream (handleMessage), not from this fetch.
             // The fetch only confirms the server accepted the request (HTTP 200).
             // If the fetch fails, we reject immediately; otherwise we wait for the SSE stream.
-            fetch(this.endpointUrl, {
-                method: "POST",
-                headers,
-                body: JSON.stringify(requestWithId),
-                signal: abortController.signal
-            })
-                .then((response) => {
-                this.pendingRequestControllers.delete(id);
-                if (!response.ok) {
+            (async () => {
+                try {
+                    const base = await this.getBaseHeaders();
+                    const headers = { ...base, "Content-Type": "application/json" };
+                    const response = await this.fetchWithOAuthRetry(this.endpointUrl, {
+                        method: "POST",
+                        headers,
+                        body: JSON.stringify(requestWithId),
+                        signal: abortController.signal,
+                    });
+                    this.pendingRequestControllers.delete(id);
+                    if (!response.ok) {
+                        clearTimeout(timeout);
+                        this.pendingRequests.delete(id);
+                        reject(new Error(`HTTP ${response.status}`));
+                    }
+                }
+                catch (error) {
+                    this.pendingRequestControllers.delete(id);
                     clearTimeout(timeout);
                     this.pendingRequests.delete(id);
-                    reject(new Error(`HTTP ${response.status}`));
+                    reject(error);
                 }
-            })
-                .catch((error) => {
-                this.pendingRequestControllers.delete(id);
-                clearTimeout(timeout);
-                this.pendingRequests.delete(id);
-                reject(error);
-            });
+            })();
         });
     }
     isSameOrigin(url) {

package/dist/src/transport-streamable-http.d.ts

@@ -1,11 +1,18 @@
-import { McpRequest, McpResponse } from "./types.js";
+import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig } from "./types.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport } from "./transport-base.js";
 export declare class StreamableHttpTransport extends BaseTransport {
     private sessionId?;
     private resolvedHeaders;
     private pendingRequestControllers;
+    private readonly tokenManager;
     protected get transportName(): string;
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager);
     connect(): Promise<void>;
+    private getBaseHeaders;
+    private refreshResolvedHeaders;
+    private invalidateOAuth2Token;
+    private fetchWithOAuthRetry;
     sendRequest(request: McpRequest): Promise<McpResponse>;
     sendNotification(notification: any): Promise<void>;
     private probeServer;

package/dist/src/transport-streamable-http.js

@@ -1,22 +1,69 @@
 import { nextRequestId } from "./types.js";
-import { BaseTransport, resolveServerHeaders, warnIfNonTlsRemoteUrl } from "./transport-base.js";
+import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class StreamableHttpTransport extends BaseTransport {
     sessionId;
     resolvedHeaders = null;
     pendingRequestControllers = new Map();
+    tokenManager;
     get transportName() { return "streamable-http"; }
+    constructor(config, clientConfig, logger, onReconnected, tokenManager) {
+        super(config, clientConfig, logger, onReconnected);
+        this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
+    }
     async connect() {
         if (!this.config.url) {
             throw new Error("Streamable HTTP transport requires URL");
         }
         warnIfNonTlsRemoteUrl(this.config.url, this.logger);
-        // Validate that all header/auth env vars resolve (fail fast)
-        this.resolvedHeaders = resolveServerHeaders(this.config);
+        await this.refreshResolvedHeaders();
         await this.probeServer();
         this.connected = true;
         this.backoffDelay = this.clientConfig.reconnectIntervalMs || 30000;
         this.logger.info(`[mcp-bridge] Streamable HTTP transport ready for ${this.config.url}`);
     }
+    async getBaseHeaders(forceRefresh = false) {
+        if (this.config.auth?.type === "oauth2") {
+            if (forceRefresh) {
+                this.invalidateOAuth2Token();
+            }
+            return this.refreshResolvedHeaders();
+        }
+        if (!this.resolvedHeaders) {
+            this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
+        }
+        return this.resolvedHeaders;
+    }
+    async refreshResolvedHeaders() {
+        if (this.config.auth?.type === "oauth2") {
+            this.resolvedHeaders = await resolveServerHeadersAsync(this.config, this.tokenManager, undefined, this.clientConfig.envFallback);
+        }
+        else {
+            this.resolvedHeaders = resolveServerHeaders(this.config, undefined, this.clientConfig.envFallback);
+        }
+        return this.resolvedHeaders;
+    }
+    invalidateOAuth2Token() {
+        if (this.config.auth?.type !== "oauth2") {
+            return;
+        }
+        const oauth2Config = resolveOAuth2Config(this.config, undefined, this.clientConfig.envFallback);
+        this.tokenManager.invalidate(oauth2Config.tokenUrl, oauth2Config.clientId);
+    }
+    async fetchWithOAuthRetry(url, init) {
+        const response = await fetch(url, init);
+        if (response.status !== 401 || this.config.auth?.type !== "oauth2") {
+            return response;
+        }
+        this.logger.warn("[mcp-bridge] Streamable HTTP request returned 401, invalidating OAuth2 token and retrying once");
+        const refreshedBase = await this.getBaseHeaders(true);
+        const retryHeaders = {
+            ...refreshedBase,
+            ...Object.fromEntries(Array.from(new Headers(init.headers).entries()).filter(([key]) => key.toLowerCase() !== "authorization")),
+            Authorization: refreshedBase.Authorization,
+        };
+        return fetch(url, { ...init, headers: retryHeaders });
+    }
     async sendRequest(request) {
         if (!this.connected || !this.config.url) {
             throw new Error("Streamable HTTP transport not connected");
@@ -34,108 +81,111 @@ export class StreamableHttpTransport extends BaseTransport {
             }, requestTimeout);
             this.pendingRequests.set(id, { resolve, reject, timeout });
             this.pendingRequestControllers.set(id, abortController);
-            const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
-            const headers = {
-                ...base,
-                "Accept": "application/json, text/event-stream",
-                "Content-Type": "application/json"
-            };
-            if (this.sessionId) {
-                headers["mcp-session-id"] = this.sessionId;
-            }
-            fetch(this.config.url, {
-                method: "POST",
-                headers,
-                body: JSON.stringify(requestWithId),
-                signal: abortController.signal
-            })
-                .then(async (response) => {
-                this.pendingRequestControllers.delete(id);
-                const responseSessionId = response.headers.get("mcp-session-id");
-                if (responseSessionId) {
-                    this.sessionId = responseSessionId;
-                }
-                if (!response.ok) {
-                    clearTimeout(timeout);
-                    this.pendingRequests.delete(id);
-                    reject(new Error(`HTTP ${response.status}: ${response.statusText}`));
-                    return;
-                }
+            (async () => {
                 try {
-                    const contentType = response.headers.get("content-type") || "";
-                    let jsonResponse;
-                    if (contentType.includes("text/event-stream")) {
-                        const text = await response.text();
-                        const lines = text.split('\n');
-                        // SSE event boundary parsing: collect data lines, dispatch on empty line
-                        let dataBuffer = [];
-                        const dispatch = () => {
-                            if (dataBuffer.length === 0)
-                                return;
-                            const data = dataBuffer.join("\n");
-                            dataBuffer = [];
-                            try {
-                                this.handleMessage(JSON.parse(data));
-                            }
-                            catch { /* skip malformed events */ }
-                        };
-                        let hasData = false;
-                        for (const line of lines) {
-                            const trimmed = line.trim();
-                            if (trimmed.startsWith("data:")) {
-                                dataBuffer.push(trimmed.substring(5).trimStart());
-                                hasData = true;
+                    const base = await this.getBaseHeaders();
+                    const headers = {
+                        ...base,
+                        Accept: "application/json, text/event-stream",
+                        "Content-Type": "application/json",
+                    };
+                    if (this.sessionId) {
+                        headers["mcp-session-id"] = this.sessionId;
+                    }
+                    const response = await this.fetchWithOAuthRetry(this.config.url, {
+                        method: "POST",
+                        headers,
+                        body: JSON.stringify(requestWithId),
+                        signal: abortController.signal,
+                    });
+                    this.pendingRequestControllers.delete(id);
+                    const responseSessionId = response.headers.get("mcp-session-id");
+                    if (responseSessionId) {
+                        this.sessionId = responseSessionId;
+                    }
+                    if (!response.ok) {
+                        clearTimeout(timeout);
+                        this.pendingRequests.delete(id);
+                        reject(new Error(`HTTP ${response.status}: ${response.statusText}`));
+                        return;
+                    }
+                    try {
+                        const contentType = response.headers.get("content-type") || "";
+                        if (contentType.includes("text/event-stream")) {
+                            const text = await response.text();
+                            const lines = text.split("\n");
+                            // SSE event boundary parsing: collect data lines, dispatch on empty line
+                            let dataBuffer = [];
+                            const dispatch = () => {
+                                if (dataBuffer.length === 0)
+                                    return;
+                                const data = dataBuffer.join("\n");
+                                dataBuffer = [];
+                                try {
+                                    this.handleMessage(JSON.parse(data));
+                                }
+                                catch {
+                                    // skip malformed events
+                                }
+                            };
+                            let hasData = false;
+                            for (const line of lines) {
+                                const trimmed = line.trim();
+                                if (trimmed.startsWith("data:")) {
+                                    dataBuffer.push(trimmed.substring(5).trimStart());
+                                    hasData = true;
+                                }
+                                else if (trimmed === "" && dataBuffer.length > 0) {
+                                    dispatch();
+                                }
                             }
-                            else if (trimmed === "" && dataBuffer.length > 0) {
-                                dispatch();
+                            // Dispatch any trailing data (server may omit final empty line)
+                            dispatch();
+                            if (!hasData) {
+                                throw new Error("No data lines in SSE response");
                             }
                         }
-                        // Dispatch any trailing data (server may omit final empty line)
-                        dispatch();
-                        if (!hasData) {
-                            throw new Error("No data lines in SSE response");
+                        else {
+                            this.handleMessage(await response.json());
                         }
                     }
-                    else {
-                        this.handleMessage(await response.json());
+                    catch (error) {
+                        clearTimeout(timeout);
+                        this.pendingRequests.delete(id);
+                        reject(new Error("Failed to parse response: " + (error instanceof Error ? error.message : String(error))));
                     }
                 }
                 catch (error) {
+                    this.pendingRequestControllers.delete(id);
                     clearTimeout(timeout);
                     this.pendingRequests.delete(id);
-                    reject(new Error("Failed to parse response: " + (error instanceof Error ? error.message : String(error))));
-                }
-            })
-                .catch(error => {
-                this.pendingRequestControllers.delete(id);
-                clearTimeout(timeout);
-                this.pendingRequests.delete(id);
-                if (error.name === 'TypeError' && error.message.includes('fetch')) {
-                    this.logger.error("Connection error, scheduling reconnect:", error.message);
-                    this.scheduleReconnect();
+                    if (error instanceof Error && error.name === "TypeError" && error.message.includes("fetch")) {
+                        this.logger.error("Connection error, scheduling reconnect:", error.message);
+                        this.scheduleReconnect();
+                    }
+                    reject(error);
                 }
-                reject(error);
-            });
+            })();
         });
     }
     async sendNotification(notification) {
         if (!this.connected || !this.config.url) {
             throw new Error("Streamable HTTP transport not connected");
         }
-        const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
+        const base = await this.getBaseHeaders();
         const headers = {
             ...base,
-            "Accept": "application/json, text/event-stream",
-            "Content-Type": "application/json"
+            Accept: "application/json, text/event-stream",
+            "Content-Type": "application/json",
         };
         if (this.sessionId) {
             headers["mcp-session-id"] = this.sessionId;
         }
         try {
-            const response = await fetch(this.config.url, {
+            const response = await this.fetchWithOAuthRetry(this.config.url, {
                 method: "POST",
                 headers,
-                body: JSON.stringify(notification)
+                body: JSON.stringify(notification),
             });
             const responseSessionId = response.headers.get("mcp-session-id");
             if (responseSessionId) {
@@ -146,7 +196,7 @@ export class StreamableHttpTransport extends BaseTransport {
             }
         }
         catch (error) {
-            if (error instanceof Error && error.name === 'TypeError' && error.message.includes('fetch')) {
+            if (error instanceof Error && error.name === "TypeError" && error.message.includes("fetch")) {
                 this.logger.error("Connection error during notification, scheduling reconnect:", error.message);
                 this.scheduleReconnect();
             }
@@ -157,11 +207,11 @@ export class StreamableHttpTransport extends BaseTransport {
         if (!this.config.url)
             return;
         try {
-            const headers = this.resolvedHeaders ?? resolveServerHeaders(this.config);
-            const optionsResponse = await fetch(this.config.url, { method: "OPTIONS", headers });
+            const headers = await this.getBaseHeaders();
+            const optionsResponse = await this.fetchWithOAuthRetry(this.config.url, { method: "OPTIONS", headers });
             if (optionsResponse.ok)
                 return;
-            const headResponse = await fetch(this.config.url, { method: "HEAD", headers });
+            const headResponse = await this.fetchWithOAuthRetry(this.config.url, { method: "HEAD", headers });
             if (!headResponse.ok) {
                 this.logger.warn(`[mcp-bridge] Streamable HTTP server probe: OPTIONS ${optionsResponse.status}, HEAD ${headResponse.status} (non-blocking, connection continues)`);
             }
@@ -180,11 +230,11 @@ export class StreamableHttpTransport extends BaseTransport {
         // Send DELETE request if we have a session to clean up
         if (this.sessionId && this.config.url) {
             try {
-                const base = this.resolvedHeaders ?? resolveServerHeaders(this.config);
+                const base = await this.getBaseHeaders();
                 const headers = { ...base, "mcp-session-id": this.sessionId };
-                await fetch(this.config.url, {
+                await this.fetchWithOAuthRetry(this.config.url, {
                     method: "DELETE",
-                    headers
+                    headers,
                 });
                 this.sessionId = undefined;
                 this.logger.info("Streamable HTTP session cleaned up");

package/dist/src/types.d.ts

@@ -10,6 +10,13 @@ export type HttpAuthConfig = {
 } | {
     type: "header";
     headers: Record<string, string>;
+} | {
+    type: "oauth2";
+    clientId: string;
+    clientSecret: string;
+    tokenUrl: string;
+    scopes?: string[];
+    audience?: string;
 };
 export interface RetryConfig {
     maxAttempts?: number;
@@ -130,9 +137,6 @@ export interface McpServerConnection {
 /** Bridge-level config loaded from ~/.mcp-bridge/config.json */
 export interface BridgeConfig extends McpClientConfig {
     http?: {
-        auth?: {
-            type: "bearer";
-            token: string;
-        };
+        auth?: HttpAuthConfig;
     };
 }

package/dist/src/update-checker.d.ts

@@ -6,11 +6,22 @@ export interface UpdateInfo {
     updateCommand: string;
     updateCommandParts: string[];
 }
+export interface PluginUpdateInfo {
+    pluginName: string;
+    currentVersion: string;
+    latestVersion: string;
+    updateAvailable: boolean;
+}
 /**
  * Check npm registry for a newer version. Non-blocking, best-effort.
  * Caches result for the lifetime of the process.
  */
 export declare function checkForUpdate(logger: Logger): Promise<UpdateInfo>;
+/**
+ * Check if a wrapper plugin (e.g. openclaw-mcp-bridge) has an update.
+ * The caller passes the installed plugin version; we check npm for the latest.
+ */
+export declare function checkPluginUpdate(pluginName: string, installedVersion: string, logger: Logger): Promise<PluginUpdateInfo>;
 /**
  * Build the notice string to inject into the first tool response.
  * Returns empty string if no update or already delivered.

package/dist/src/update-checker.js

@@ -1,7 +1,9 @@
 import { execFileSync, execFile } from "child_process";
 import { PACKAGE_VERSION } from "./protocol.js";
 const PACKAGE_NAME = "@aiwerk/mcp-bridge";
+const PLUGIN_PACKAGE_NAME = "@aiwerk/openclaw-mcp-bridge";
 let cachedUpdateInfo = null;
+let cachedPluginUpdateInfo = null;
 let noticeDelivered = false;
 /**
  * Check npm registry for a newer version. Non-blocking, best-effort.
@@ -42,16 +44,59 @@ export async function checkForUpdate(logger) {
     }
     return cachedUpdateInfo;
 }
+/**
+ * Check if a wrapper plugin (e.g. openclaw-mcp-bridge) has an update.
+ * The caller passes the installed plugin version; we check npm for the latest.
+ */
+export async function checkPluginUpdate(pluginName, installedVersion, logger) {
+    if (cachedPluginUpdateInfo)
+        return cachedPluginUpdateInfo;
+    try {
+        const latest = await npmViewVersionOf(pluginName, logger);
+        const updateAvailable = latest !== installedVersion && isNewer(latest, installedVersion);
+        cachedPluginUpdateInfo = {
+            pluginName,
+            currentVersion: installedVersion,
+            latestVersion: latest,
+            updateAvailable,
+        };
+        if (updateAvailable) {
+            logger.info(`[mcp-bridge] Plugin update available: ${pluginName} ${installedVersion} → ${latest}`);
+        }
+    }
+    catch (err) {
+        logger.warn(`[mcp-bridge] Plugin version check failed: ${err instanceof Error ? err.message : err}`);
+        cachedPluginUpdateInfo = {
+            pluginName,
+            currentVersion: installedVersion,
+            latestVersion: installedVersion,
+            updateAvailable: false,
+        };
+    }
+    return cachedPluginUpdateInfo;
+}
 /**
  * Build the notice string to inject into the first tool response.
  * Returns empty string if no update or already delivered.
  */
 export function getUpdateNotice() {
-    if (noticeDelivered || !cachedUpdateInfo?.updateAvailable)
+    const coreUpdate = cachedUpdateInfo?.updateAvailable;
+    const pluginUpdate = cachedPluginUpdateInfo?.updateAvailable;
+    if (noticeDelivered || (!coreUpdate && !pluginUpdate))
         return "";
     noticeDelivered = true;
-    return (`\n\n---\nUpdate available: ${cachedUpdateInfo.currentVersion} → ${cachedUpdateInfo.latestVersion}\n` +
-        `Run: ${cachedUpdateInfo.updateCommand}`);
+    const lines = ["\n\n---"];
+    if (coreUpdate) {
+        lines.push(`Core update: ${cachedUpdateInfo.currentVersion} → ${cachedUpdateInfo.latestVersion}`);
+    }
+    if (pluginUpdate) {
+        lines.push(`Plugin update: ${cachedPluginUpdateInfo.pluginName} ${cachedPluginUpdateInfo.currentVersion} → ${cachedPluginUpdateInfo.latestVersion}`);
+    }
+    const installCmd = cachedPluginUpdateInfo?.pluginName
+        ? `openclaw plugins install ${cachedPluginUpdateInfo.pluginName}`
+        : cachedUpdateInfo.updateCommand;
+    lines.push(`Run: ${installCmd}`);
+    return lines.join("\n");
 }
 /**
  * Reset the notice flag (for testing).
@@ -89,8 +134,11 @@ export async function runUpdate(logger) {
 }
 // --- helpers ---
 function npmViewVersion(_logger) {
+    return npmViewVersionOf(PACKAGE_NAME, _logger);
+}
+function npmViewVersionOf(packageName, _logger) {
     return new Promise((resolve, reject) => {
-        execFile("npm", ["view", PACKAGE_NAME, "version"], { encoding: "utf-8", timeout: 10_000 }, (err, stdout) => {
+        execFile("npm", ["view", packageName, "version"], { encoding: "utf-8", timeout: 10_000 }, (err, stdout) => {
             if (err)
                 return reject(err);
             const ver = (stdout ?? "").trim();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiwerk/mcp-bridge",
-  "version": "2.0.0",
+  "version": "2.1.1",
   "description": "Standalone MCP server that multiplexes multiple MCP servers into one interface",
   "type": "module",
   "main": "./dist/src/index.js",
@@ -45,13 +45,21 @@
     "test": "node --import tsx --test tests/*.test.ts",
     "typecheck": "tsc --noEmit",
     "prepublishOnly": "npm run build",
-    "validate-recipe": "npx tsx bin/validate-recipe.ts"
+    "validate-recipe": "npx tsx bin/validate-recipe.ts",
+    "lint": "eslint src/",
+    "format": "prettier --write src/",
+    "format:check": "prettier --check src/"
   },
   "dependencies": {
     "@sinclair/typebox": "^0.34.0"
   },
   "devDependencies": {
+    "@eslint/js": "^10.0.1",
     "@types/node": "^22.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.57.0",
+    "@typescript-eslint/parser": "^8.57.0",
+    "eslint": "^10.0.3",
+    "prettier": "^3.8.1",
     "tsx": "^4.0.0",
     "typescript": "^5.7.0"
   }

package/servers/imap-email/recipe.json

@@ -0,0 +1,45 @@
+{
+  "id": "imap-email",
+  "schemaVersion": 2,
+  "name": "IMAP Email",
+  "description": "Email tools for any IMAP/SMTP provider - list, read, search, send, manage emails",
+  "recipeVersion": "1.0.0",
+  "metadata": {
+    "category": "communication",
+    "tags": ["email", "imap", "smtp", "inbox"],
+    "country": "global",
+    "language": "en",
+    "homepage": "https://github.com/AIWerk/mcp-server-imap",
+    "license": "MIT",
+    "pricing": "free",
+    "maturity": "beta"
+  },
+  "transports": [
+    {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@aiwerk/mcp-server-imap"],
+      "env": {
+        "IMAP_HOST": "${IMAP_HOST}",
+        "IMAP_PORT": "${IMAP_PORT}",
+        "IMAP_USER": "${IMAP_USER}",
+        "IMAP_PASS": "${IMAP_PASS}",
+        "SMTP_HOST": "${SMTP_HOST}",
+        "SMTP_PORT": "${SMTP_PORT}",
+        "SMTP_SEND_ENABLED": "${SMTP_SEND_ENABLED}"
+      }
+    }
+  ],
+  "auth": {
+    "required": true,
+    "type": "api-key",
+    "envVars": ["IMAP_HOST", "IMAP_USER", "IMAP_PASS"],
+    "instructions": "Set your IMAP server hostname, username (email), and password. For Gmail use an App Password. Set SMTP_SEND_ENABLED=true to enable email sending.",
+    "bootstrap": "env-only"
+  },
+  "capabilities": {
+    "toolCount": 10,
+    "toolNames": ["email_list", "email_read", "email_search", "email_folders", "email_move", "email_flag", "email_delete", "email_send", "email_reply", "email_attachment"],
+    "sideEffects": "external-write"
+  }
+}