@aiwerk/mcp-bridge 2.7.2 → 2.7.4

package/dist/src/adaptive-promotion.js

@@ -70,7 +70,7 @@ export class AdaptivePromotion {
                     server: entry.server,
                     tool: entry.tool,
                     callCount: recentCalls.length,
-                    lastCall: Math.max(...entry.callTimestamps)
+                    lastCall: entry.callTimestamps.reduce((a, b) => a > b ? a : b, 0)
                 });
             }
         }
@@ -85,7 +85,7 @@ export class AdaptivePromotion {
             entry.callTimestamps = entry.callTimestamps.filter(t => t > windowCutoff);
             // Remove entire entry if no calls within decay period
             const lastCall = entry.callTimestamps.length > 0
-                ? Math.max(...entry.callTimestamps)
+                ? entry.callTimestamps.reduce((a, b) => a > b ? a : b, 0)
                 : 0;
             if (lastCall === 0 || lastCall < decayCutoff) {
                 this.usage.delete(k);

package/dist/src/mcp-router.js

@@ -252,10 +252,10 @@ export class McpRouter {
                     return { server, action: "call", tool, result: cachedResult };
                 }
             }
-            // Rate limit check BEFORE markUsed — rejected calls should not keep connection alive
-            const rateLimitResult = this.rateLimiter.checkAndIncrement(server, serverConfig.rateLimit);
-            if (!rateLimitResult.allowed) {
-                return this.error("mcp_error", rateLimitResult.error || "Rate limit reached");
+            // Rate limit: check BEFORE call, increment AFTER success
+            const rateLimitCheck = this.rateLimiter.checkLimit(server, serverConfig.rateLimit);
+            if (!rateLimitCheck.allowed) {
+                return this.error("mcp_error", rateLimitCheck.error || "Rate limit reached");
             }
             this.markUsed(server);
             const callOutcome = await this.callToolWithRetry(server, tool, params ?? {}, state.transport);
@@ -263,6 +263,8 @@ export class McpRouter {
             if (response.error) {
                 return this.error("mcp_error", response.error.message, undefined, response.error.code);
             }
+            // Only increment usage counter on successful calls
+            const rateLimitIncrement = this.rateLimiter.increment(server, serverConfig.rateLimit);
             // Record usage for adaptive promotion
             if (this.promotion) {
                 this.promotion.recordCall(server, tool);
@@ -278,7 +280,7 @@ export class McpRouter {
                 action: "call",
                 tool,
                 result,
-                ...(rateLimitResult.warning ? { warning: rateLimitResult.warning } : {}),
+                ...(rateLimitIncrement.warning ? { warning: rateLimitIncrement.warning } : {}),
                 ...(callOutcome.retries > 0 ? { retries: callOutcome.retries } : {})
             };
         }

package/dist/src/rate-limiter.d.ts

@@ -10,7 +10,15 @@ export interface RateLimitResult {
 export declare class RateLimiter {
     private readonly usageDir;
     constructor(usageDir?: string);
+    /**
+     * Check if a call is allowed (without incrementing). Use with increment() after success.
+     */
     checkLimit(serverId: string, config?: RateLimitConfig): RateLimitResult;
+    /**
+     * Increment usage counters after a successful call. Returns warning if near limit.
+     */
+    increment(serverId: string, config?: RateLimitConfig): RateLimitResult;
+    /** @deprecated Use checkLimit() + increment() separately. Kept for backward compatibility. */
     checkAndIncrement(serverId: string, config?: RateLimitConfig): RateLimitResult;
     getUsage(serverId: string): {
         daily: number;

package/dist/src/rate-limiter.js

@@ -21,6 +21,9 @@ export class RateLimiter {
     constructor(usageDir) {
         this.usageDir = usageDir ?? join(homedir(), ".mcp-bridge", "usage");
     }
+    /**
+     * Check if a call is allowed (without incrementing). Use with increment() after success.
+     */
     checkLimit(serverId, config) {
         const dailyLimit = isPositiveLimit(config?.maxCallsPerDay) ? config.maxCallsPerDay : undefined;
         const monthlyLimit = isPositiveLimit(config?.maxCallsPerMonth) ? config.maxCallsPerMonth : undefined;
@@ -45,29 +48,19 @@ export class RateLimiter {
         }
         return { allowed: true };
     }
-    checkAndIncrement(serverId, config) {
+    /**
+     * Increment usage counters after a successful call. Returns warning if near limit.
+     */
+    increment(serverId, config) {
         const dailyLimit = isPositiveLimit(config?.maxCallsPerDay) ? config.maxCallsPerDay : undefined;
         const monthlyLimit = isPositiveLimit(config?.maxCallsPerMonth) ? config.maxCallsPerMonth : undefined;
         if (!dailyLimit && !monthlyLimit) {
             return { allowed: true };
         }
-        // Single loadUsage call — check + increment in one pass (avoids double file read)
         const { usage, changed } = this.loadUsage(serverId);
         if (changed) {
             this.saveUsage(serverId, usage);
         }
-        if (dailyLimit && usage.daily.count >= dailyLimit) {
-            return {
-                allowed: false,
-                error: `❌ Rate limit reached for ${serverId}: ${usage.daily.count}/${dailyLimit} daily calls used. Resets at midnight UTC. To adjust: mcp-bridge limit ${serverId} --daily ${nextSuggestedLimit(dailyLimit)}. To check usage: mcp-bridge usage. To disable limit: mcp-bridge limit ${serverId} --daily 0`
-            };
-        }
-        if (monthlyLimit && usage.monthly.count >= monthlyLimit) {
-            return {
-                allowed: false,
-                error: `❌ Rate limit reached for ${serverId}: ${usage.monthly.count}/${monthlyLimit} monthly calls used. Resets on the 1st of each month at midnight UTC. To adjust: mcp-bridge limit ${serverId} --monthly ${nextSuggestedLimit(monthlyLimit)}. To check usage: mcp-bridge usage. To disable limit: mcp-bridge limit ${serverId} --monthly 0`
-            };
-        }
         usage.daily.count += 1;
         usage.monthly.count += 1;
         this.saveUsage(serverId, usage);
@@ -85,6 +78,13 @@ export class RateLimiter {
         }
         return { allowed: true };
     }
+    /** @deprecated Use checkLimit() + increment() separately. Kept for backward compatibility. */
+    checkAndIncrement(serverId, config) {
+        const check = this.checkLimit(serverId, config);
+        if (!check.allowed)
+            return check;
+        return this.increment(serverId, config);
+    }
     getUsage(serverId) {
         const { usage, changed } = this.loadUsage(serverId);
         if (changed) {

package/dist/src/token-store.js

@@ -54,7 +54,7 @@ export class FileTokenStore {
     }
     tokenPath(serverName) {
         // Sanitize server name to prevent path traversal
-        const safe = serverName.replace(/[^a-zA-Z0-9_-]/g, "_");
+        const safe = encodeURIComponent(serverName);
         return join(this.tokensDir, `${safe}.json`);
     }
     ensureDir() {

package/dist/src/transport-sse.js

@@ -259,6 +259,7 @@ export class SseTransport extends BaseTransport {
             this.sseAbortController.abort();
             this.sseAbortController = null;
         }
+        this.endpointUrl = null;
         for (const [, controller] of this.pendingRequestControllers) {
             controller.abort();
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiwerk/mcp-bridge",
-  "version": "2.7.2",
+  "version": "2.7.4",
   "description": "Standalone MCP server that multiplexes multiple MCP servers into one interface",
   "type": "module",
   "main": "./dist/src/index.js",
@@ -44,7 +44,7 @@
     "build": "tsc",
     "test": "node --import tsx --test tests/*.test.ts",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "tsc && bash scripts/validate-recipes.sh",
+    "prepublishOnly": "tsc && bash scripts/validate-recipes.sh && node -e \"const v=require('./package.json').version;const fs=require('fs');const cl=fs.readFileSync('CHANGELOG.md','utf8');if(!cl.includes('['+v+']')){console.error('ERROR: CHANGELOG.md missing entry for v'+v);process.exit(1)}\"",
     "validate-recipe": "npx tsx bin/validate-recipe.ts",
     "lint": "eslint src/",
     "format": "prettier --write src/",

package/scripts/install-server.sh

@@ -317,7 +317,32 @@ elif [[ -f "$ENV_VARS_FILE" ]] && [[ -s "$ENV_VARS_FILE" ]]; then
     ENV_VAR_NAME="$(head -n 1 "$ENV_VARS_FILE" | tr -d '[:space:]')"
 fi
 
-if [[ -n "$ENV_VAR_NAME" ]]; then
+# Check if this is an OAuth2 Authorization Code server (browser login, not API key)
+OAUTH2_AUTH_CODE="false"
+if [[ "$RECIPE_FORMAT" == "v2" ]]; then
+    OAUTH2_AUTH_CODE=$(python3 -c "
+import json, sys
+with open(sys.argv[1]) as f:
+    r = json.load(f)
+auth = r.get('auth', {})
+# OAuth2 auth code: explicitly requires grantType=authorization_code
+# and no envVars (login via browser, not API key)
+if auth.get('type') == 'oauth2' and auth.get('grantType') == 'authorization_code':
+    if not auth.get('envVars'):
+        print('true')
+    else:
+        print('false')
+else:
+    print('false')
+" "$RECIPE_FILE" 2>/dev/null)
+fi
+
+if [[ "$OAUTH2_AUTH_CODE" == "true" ]]; then
+    echo ""
+    echo "🔐 This server uses OAuth2 browser login (no API key needed)."
+    echo "After config is saved, we'll open your browser for authentication."
+    SKIP_TOKEN_PROMPT="true"
+elif [[ -n "$ENV_VAR_NAME" ]]; then
     TOKEN_URL="$(get_token_url)"
     [[ -n "$TOKEN_URL" ]] && echo "Get your API token here: ${TOKEN_URL}"
 
@@ -416,7 +441,38 @@ with open(config_path, "w", encoding="utf-8") as f:
 print(f"✅ Configuration merged for: {server_name} (recipe {recipe_format})")
 PY
 
-# 5. Gateway restart
+# 5. OAuth2 browser login (if applicable)
+if [[ "$OAUTH2_AUTH_CODE" == "true" ]]; then
+    echo ""
+    echo "🔐 Starting OAuth2 login for ${SERVER_TITLE}..."
+
+    # Find the mcp-bridge CLI
+    MCP_BRIDGE_BIN=""
+    if command -v mcp-bridge &>/dev/null; then
+        MCP_BRIDGE_BIN="mcp-bridge"
+    elif [[ -x "$(dirname "$0")/../dist/bin/mcp-bridge.js" ]]; then
+        MCP_BRIDGE_BIN="node $(dirname "$0")/../dist/bin/mcp-bridge.js"
+    elif command -v npx &>/dev/null; then
+        MCP_BRIDGE_BIN="npx @aiwerk/mcp-bridge"
+    fi
+
+    if [[ -n "$MCP_BRIDGE_BIN" ]]; then
+        # Detect if we have a browser available
+        if command -v xdg-open &>/dev/null || command -v open &>/dev/null || command -v wslview &>/dev/null; then
+            echo "Opening browser for authentication..."
+            $MCP_BRIDGE_BIN auth login "$SERVER_NAME"
+        else
+            echo "No browser detected (headless environment)."
+            echo "Using device code flow — follow the instructions below:"
+            $MCP_BRIDGE_BIN auth login "$SERVER_NAME" --device-code
+        fi
+    else
+        echo "⚠️  mcp-bridge CLI not found. Run manually after install:"
+        echo "   mcp-bridge auth login ${SERVER_NAME}"
+    fi
+fi
+
+# 6. Gateway restart
 echo ""
 echo "✅ ${SERVER_TITLE} MCP Server installed."
 echo "Restart mcp-bridge to pick up the new server configuration."