@aiwerk/mcp-bridge 2.7.6 → 2.8.2

package/README.md

@@ -27,7 +27,7 @@ Most AI agents connect to MCP servers one-by-one. With 10+ servers, that's 10+ c
 - **Graceful shutdown**: clean process termination and connection cleanup
 - **Direct mode**: all tools registered individually with automatic prefixing
 - **3 transports**: stdio, SSE, streamable-http
-- **Built-in catalog**: 14 pre-configured servers, install with one command
+- **Built-in catalog**: 14 pre-configured servers, install with one command (bundled servers deprecated — use [MCP Catalog](https://catalog.aiwerk.ch) with 104+ recipes instead)
 - **Zero config secrets in files**: `${ENV_VAR}` resolution from `.env`
 
 ## Install
@@ -87,6 +87,80 @@ npx @aiwerk/mcp-bridge validate-recipe ./recipe.json
 
 `config.json` (v1) remains supported, but `recipe.json` (v2) is the recommended format going forward.
 
+## Catalog Integration (v2.8.0+)
+
+mcp-bridge now fetches recipes from [catalog.aiwerk.ch](https://catalog.aiwerk.ch) instead of relying on bundled recipe files.
+
+### How it works
+1. **First run**: Automatically downloads the top 15 most popular recipes
+2. **On-demand**: When you install a server, it checks the catalog first
+3. **Offline**: Falls back to local cache if catalog is unreachable
+
+### API
+```typescript
+import { CatalogClient, bootstrapCatalog, mergeRecipesIntoConfig } from '@aiwerk/mcp-bridge';
+
+// Bootstrap: download top recipes
+await bootstrapCatalog();
+
+// Or use the client directly
+const client = new CatalogClient();
+const recipe = await client.resolve('todoist');
+const results = await client.search('email');
+```
+
+### Catalog & Auto-Merge Options
+
+Two config options control catalog behavior:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `catalog` | `boolean` | `true` | Whether `bootstrapCatalog()` fetches recipes from the remote catalog |
+| `autoMerge` | `boolean` | `false` | Whether `mergeRecipesIntoConfig()` auto-merges cached recipes into your config |
+
+```json
+{
+  "catalog": true,
+  "autoMerge": true,
+  "servers": { ... }
+}
+```
+
+- **`autoMerge` defaults to `false`** (opt-in) — cached recipes are **not** automatically added to your server list unless you explicitly enable it. This prevents servers without required credentials from being silently activated.
+- **`catalog` defaults to `true`** — recipe discovery from [catalog.aiwerk.ch](https://catalog.aiwerk.ch) is enabled by default. Set to `false` to skip all remote fetching.
+
+> **Breaking change (v2.9.0):** Previously, all cached recipes whose env vars were present were auto-merged. Now you must set `"autoMerge": true` to restore that behavior.
+
+### Multiple instances of the same server
+
+Auto-discovery uses the recipe name as the config key (e.g., `gohighlevel`). If you need **multiple instances** of the same server with different credentials (e.g., two GoHighLevel subaccounts), configure them manually:
+
+```json
+// config.json or openclaw.json
+{
+  "ghl-client-a": {
+    "transport": "streamable-http",
+    "url": "https://services.leadconnectorhq.com/mcp/",
+    "headers": {
+      "Authorization": "Bearer ${GHL_TOKEN_A}",
+      "locationId": "${GHL_LOCATION_A}"
+    }
+  },
+  "ghl-client-b": {
+    "transport": "streamable-http",
+    "url": "https://services.leadconnectorhq.com/mcp/",
+    "headers": {
+      "Authorization": "Bearer ${GHL_TOKEN_B}",
+      "locationId": "${GHL_LOCATION_B}"
+    }
+  }
+}
+```
+
+Use **unique env var names** (e.g., `GHL_TOKEN_A` instead of `GHL_PIT_TOKEN`) to prevent auto-discovery from adding a duplicate third entry. Manual config always takes priority over auto-discovered recipes.
+
+> **Note**: The bundled `servers/` directory is deprecated and will be removed in v3.0.0.
+
 ## Use with Cursor / Windsurf
 
 Add to your MCP config:
@@ -595,7 +669,7 @@ For production deployments with high security requirements, consider adding an e
 | ✅ | OAuth2 Device Code flow (headless) | 2.6.0 |
 | 🔜 | Auto-discovery (zero-config server registration) | planned |
 | 🔜 | Hosted bridge (bridge.aiwerk.ch) | planned |
-| 🔜 | Remote catalog integration | planned |
+| ✅ | Remote catalog integration | 2.8.0 |
 | 🔜 | OpenTelemetry / Prometheus metrics | planned |
 | 🔜 | PII redaction | planned |
 

package/dist/bin/mcp-bridge.js

@@ -4,7 +4,7 @@ import { join, dirname, resolve, extname } from "path";
 import { fileURLToPath } from "url";
 import { platform, homedir } from "os";
 import { execFileSync } from "child_process";
-import { loadConfig, initConfigDir } from "../src/config.js";
+import { loadConfig, initConfigDir, warnDeprecatedBundledRecipes } from "../src/config.js";
 import { StandaloneServer } from "../src/standalone-server.js";
 import { PACKAGE_VERSION } from "../src/protocol.js";
 import { checkForUpdate, runUpdate } from "../src/update-checker.js";
@@ -554,6 +554,8 @@ async function cmdServe(args, logger) {
         logger.error("HTTP auth not configured. Set http.auth in config or use stdio mode.");
         process.exit(1);
     }
+    // Warn about deprecated bundled recipes (v2.8.0+)
+    warnDeprecatedBundledRecipes(logger);
     const server = new StandaloneServer(config, logger);
     // Graceful shutdown
     const shutdown = async () => {

package/dist/src/catalog-client.d.ts

@@ -0,0 +1,102 @@
+/**
+ * CatalogClient — REST client for the AIWerk MCP Catalog API.
+ *
+ * Default endpoint: https://catalog.aiwerk.ch
+ * Supports local file caching with offline fallback.
+ */
+import type { Logger } from "./types.js";
+export interface CatalogSearchResult {
+    name: string;
+    description?: string;
+    category?: string;
+    quality?: number;
+    [key: string]: unknown;
+}
+export interface CatalogRecipe {
+    name: string;
+    description?: string;
+    transport?: "stdio" | "sse" | "streamable-http";
+    command?: string;
+    args?: string[];
+    env?: Record<string, string>;
+    url?: string;
+    headers?: Record<string, string>;
+    transports?: Array<{
+        type: "stdio" | "sse" | "streamable-http";
+        command?: string;
+        args?: string[];
+        env?: Record<string, string>;
+        url?: string;
+        headers?: Record<string, string>;
+    }>;
+    install?: {
+        npm?: {
+            package: string;
+            version?: string;
+        };
+        docker?: {
+            image: string;
+        };
+    };
+    auth?: {
+        type: string;
+        required?: boolean;
+        envVars?: string[];
+    };
+    [key: string]: unknown;
+}
+export declare class CatalogError extends Error {
+    constructor(message: string);
+}
+/**
+ * CatalogClient — REST client for the AIWerk MCP Catalog API.
+ *
+ * NOTE: File I/O operations (readCache, writeCache, etc.) are intentionally
+ * synchronous. This is acceptable for CLI tools and bridge startup, but
+ * should be converted to async if used in hot paths (e.g., per-request).
+ */
+export declare class CatalogClient {
+    private baseUrl;
+    private cacheDir;
+    private logger;
+    private staleMs;
+    constructor(opts?: {
+        baseUrl?: string;
+        cacheDir?: string;
+        logger?: Logger;
+        staleDays?: number;
+    });
+    private fetchJson;
+    private cachePath;
+    private readCache;
+    private writeCache;
+    private isCacheStale;
+    /** Search for recipes by keyword. */
+    search(query: string): Promise<CatalogSearchResult[]>;
+    /** List recipes with optional filtering. */
+    list(opts?: {
+        limit?: number;
+        category?: string;
+        sort?: string;
+        hostedSafe?: boolean;
+    }): Promise<{
+        results: CatalogSearchResult[];
+        total: number;
+    }>;
+    /** Download a recipe from the catalog and cache it locally. */
+    download(name: string): Promise<CatalogRecipe>;
+    /**
+     * Resolve a recipe — returns cached if available, otherwise fetches from catalog.
+     * Falls back to cache when the catalog is unreachable (offline mode).
+     */
+    resolve(name: string): Promise<CatalogRecipe>;
+    /**
+     * Bootstrap by downloading the top N most popular recipes.
+     * Skips already-cached recipes unless they are stale.
+     */
+    bootstrap(limit?: number, hostedSafe?: boolean): Promise<string[]>;
+    /** Synchronously read a recipe from local cache. Returns null if not cached. */
+    getCached(name: string): CatalogRecipe | null;
+    /** List all recipe names in the local cache. */
+    listCached(): string[];
+}

package/dist/src/catalog-client.js

@@ -0,0 +1,194 @@
+/**
+ * CatalogClient — REST client for the AIWerk MCP Catalog API.
+ *
+ * Default endpoint: https://catalog.aiwerk.ch
+ * Supports local file caching with offline fallback.
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+// ── Error ────────────────────────────────────────────────────────────────────
+export class CatalogError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "CatalogError";
+    }
+}
+// ── Helpers ──────────────────────────────────────────────────────────────────
+const TIMEOUT_MS = 5_000;
+const noop = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+// ── CatalogClient ────────────────────────────────────────────────────────────
+/**
+ * CatalogClient — REST client for the AIWerk MCP Catalog API.
+ *
+ * NOTE: File I/O operations (readCache, writeCache, etc.) are intentionally
+ * synchronous. This is acceptable for CLI tools and bridge startup, but
+ * should be converted to async if used in hot paths (e.g., per-request).
+ */
+export class CatalogClient {
+    baseUrl;
+    cacheDir;
+    logger;
+    staleMs;
+    constructor(opts) {
+        this.baseUrl = (opts?.baseUrl ?? "https://catalog.aiwerk.ch").replace(/\/+$/, "");
+        this.cacheDir = opts?.cacheDir ?? join(homedir(), ".mcp-bridge", "recipes");
+        this.logger = opts?.logger ?? noop;
+        this.staleMs = (opts?.staleDays ?? 7) * 24 * 60 * 60 * 1000;
+    }
+    // ── Private helpers ──────────────────────────────────────────────────────
+    async fetchJson(path) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
+        try {
+            const res = await fetch(`${this.baseUrl}${path}`, {
+                headers: { accept: "application/json" },
+                signal: controller.signal,
+            });
+            if (res.status === 404) {
+                const name = path.split("/").filter(Boolean).pop() ?? path;
+                throw new CatalogError(`Recipe not found: ${name}`);
+            }
+            if (!res.ok) {
+                throw new CatalogError(`Catalog HTTP ${res.status}: ${await res.text().catch(() => "")}`);
+            }
+            return (await res.json());
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    cachePath(name) {
+        return join(this.cacheDir, name, "recipe.json");
+    }
+    readCache(name) {
+        const p = this.cachePath(name);
+        if (!existsSync(p))
+            return null;
+        try {
+            return JSON.parse(readFileSync(p, "utf-8"));
+        }
+        catch {
+            return null;
+        }
+    }
+    writeCache(name, data) {
+        const dir = join(this.cacheDir, name);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        writeFileSync(this.cachePath(name), JSON.stringify(data, null, 2), "utf-8");
+    }
+    isCacheStale(name) {
+        const p = this.cachePath(name);
+        if (!existsSync(p))
+            return true;
+        try {
+            const stat = statSync(p);
+            return Date.now() - stat.mtimeMs > this.staleMs;
+        }
+        catch {
+            return true;
+        }
+    }
+    // ── Public API ───────────────────────────────────────────────────────────
+    /** Search for recipes by keyword. */
+    async search(query) {
+        const encoded = encodeURIComponent(query);
+        return this.fetchJson(`/api/search?q=${encoded}`);
+    }
+    /** List recipes with optional filtering. */
+    async list(opts) {
+        const params = new URLSearchParams();
+        if (opts?.limit != null)
+            params.set("limit", String(opts.limit));
+        if (opts?.category)
+            params.set("category", opts.category);
+        if (opts?.sort)
+            params.set("sort", opts.sort);
+        if (opts?.hostedSafe)
+            params.set("hostedSafe", "true");
+        const qs = params.toString();
+        return this.fetchJson(`/api/recipes${qs ? `?${qs}` : ""}`);
+    }
+    /** Download a recipe from the catalog and cache it locally. */
+    async download(name) {
+        const recipe = await this.fetchJson(`/api/recipes/${encodeURIComponent(name)}/download`);
+        this.writeCache(name, recipe);
+        return recipe;
+    }
+    /**
+     * Resolve a recipe — returns cached if available, otherwise fetches from catalog.
+     * Falls back to cache when the catalog is unreachable (offline mode).
+     */
+    async resolve(name) {
+        const cached = this.readCache(name);
+        if (cached && !this.isCacheStale(name))
+            return cached;
+        try {
+            const recipe = await this.fetchJson(`/api/recipes/${encodeURIComponent(name)}/download`);
+            this.writeCache(name, recipe);
+            return recipe;
+        }
+        catch (err) {
+            if (err instanceof CatalogError && err.message.startsWith("Recipe not found:")) {
+                throw err;
+            }
+            if (cached) {
+                this.logger.warn(`Catalog unreachable for "${name}", using cached version`);
+                return cached;
+            }
+            throw new CatalogError(`Cannot resolve recipe "${name}": catalog unreachable and no local cache`);
+        }
+    }
+    /**
+     * Bootstrap by downloading the top N most popular recipes.
+     * Skips already-cached recipes unless they are stale.
+     */
+    async bootstrap(limit = 15, hostedSafe = false) {
+        const { results } = await this.list({ limit, sort: "popular", hostedSafe });
+        const names = [];
+        const toDownload = [];
+        for (const entry of results) {
+            const name = entry.name;
+            if (!this.isCacheStale(name)) {
+                names.push(name);
+                continue;
+            }
+            toDownload.push(name);
+        }
+        const BATCH_SIZE = 5;
+        for (let i = 0; i < toDownload.length; i += BATCH_SIZE) {
+            const batch = toDownload.slice(i, i + BATCH_SIZE);
+            const results = await Promise.allSettled(batch.map(async (name) => {
+                await this.download(name);
+                return name;
+            }));
+            for (const r of results) {
+                if (r.status === "fulfilled") {
+                    names.push(r.value);
+                }
+                else {
+                    this.logger.warn(`Failed to download recipe: ${r.reason}`);
+                }
+            }
+        }
+        return names;
+    }
+    /** Synchronously read a recipe from local cache. Returns null if not cached. */
+    getCached(name) {
+        return this.readCache(name);
+    }
+    /** List all recipe names in the local cache. */
+    listCached() {
+        if (!existsSync(this.cacheDir))
+            return [];
+        return readdirSync(this.cacheDir, { withFileTypes: true })
+            .filter((d) => d.isDirectory() && existsSync(join(this.cacheDir, d.name, "recipe.json")))
+            .map((d) => d.name);
+    }
+}

package/dist/src/config.d.ts

@@ -24,7 +24,39 @@ export interface LoadConfigOptions {
  * 4. Validate required fields
  */
 export declare function loadConfig(options?: LoadConfigOptions): BridgeConfig;
+/**
+ * Warn about deprecated bundled recipes.
+ * In v2.8.0, bundled servers/ recipes are deprecated in favor of catalog.
+ * They will be removed in v3.0.0.
+ */
+export declare function warnDeprecatedBundledRecipes(logger: Logger): void;
 /** Get the default config directory path. */
 export declare function getConfigDir(configPath?: string): string;
 /** Initialize the config directory with template files. */
 export declare function initConfigDir(logger: Logger): void;
+/**
+ * Bootstrap the local recipe cache from the catalog.
+ * Downloads top N popular recipes if cache is empty or force=true.
+ * Returns array of recipe names now cached. Never throws on network errors.
+ */
+export declare function bootstrapCatalog(options?: {
+    logger?: Logger;
+    cacheDir?: string;
+    catalogUrl?: string;
+    limit?: number;
+    force?: boolean;
+    requireCleanAudit?: boolean;
+    catalog?: boolean;
+}): Promise<string[]>;
+/**
+ * Merge cached catalog recipes into a BridgeConfig.
+ * Only adds recipes whose required env vars are all present in process.env.
+ * Never overwrites manually configured servers.
+ *
+ * IMPORTANT: Must be called AFTER loadConfig() / dotenv, since env var
+ * checks rely on process.env being fully populated.
+ */
+export declare function mergeRecipesIntoConfig(config: BridgeConfig, options?: {
+    cacheDir?: string;
+    logger?: Logger;
+}): BridgeConfig;

package/dist/src/config.js

@@ -3,6 +3,7 @@ import { join, extname } from "path";
 import { homedir } from "os";
 import { resolveEnvVars } from "./transport-base.js";
 import { randomBytes } from "crypto";
+import { CatalogClient } from "./catalog-client.js";
 const DEFAULT_CONFIG_DIR = join(homedir(), ".mcp-bridge");
 const DEFAULT_CONFIG_FILE = "config.json";
 const DEFAULT_ENV_FILE = ".env";
@@ -153,6 +154,18 @@ export function loadConfig(options = {}) {
     }
     return config;
 }
+/**
+ * Warn about deprecated bundled recipes.
+ * In v2.8.0, bundled servers/ recipes are deprecated in favor of catalog.
+ * They will be removed in v3.0.0.
+ */
+export function warnDeprecatedBundledRecipes(logger) {
+    const catalogClient = new CatalogClient({ logger });
+    const cached = catalogClient.listCached();
+    if (cached.length === 0) {
+        logger.info('[mcp-bridge] Tip: Run bootstrapCatalog() to fetch recipes from catalog.aiwerk.ch (replaces bundled servers/)');
+    }
+}
 /** Get the default config directory path. */
 export function getConfigDir(configPath) {
     if (!configPath)
@@ -205,3 +218,186 @@ export function initConfigDir(logger) {
     }
     logger.info(`Config directory ready: ${dir}`);
 }
+// ── Catalog bootstrap ─────────────────────────────────────────────────────────
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Extract the depAudit value from a catalog recipe's metadata.verification field.
+ * Returns null if not present.
+ */
+function getDepAudit(recipe) {
+    const meta = recipe.metadata;
+    const verification = meta?.verification;
+    const depAudit = verification?.depAudit;
+    return typeof depAudit === "string" ? depAudit : null;
+}
+/**
+ * Bootstrap the local recipe cache from the catalog.
+ * Downloads top N popular recipes if cache is empty or force=true.
+ * Returns array of recipe names now cached. Never throws on network errors.
+ */
+export async function bootstrapCatalog(options) {
+    // If catalog is explicitly disabled, skip fetching
+    if (options?.catalog === false) {
+        const logger = options?.logger ?? noopLogger;
+        logger.info("[mcp-bridge] Catalog discovery disabled (catalog: false), skipping bootstrap");
+        return [];
+    }
+    const logger = options?.logger ?? noopLogger;
+    const cacheDir = options?.cacheDir ?? join(homedir(), ".mcp-bridge", "recipes");
+    const requireCleanAudit = options?.requireCleanAudit ?? false;
+    const client = new CatalogClient({
+        baseUrl: options?.catalogUrl,
+        cacheDir,
+        logger,
+    });
+    // Check if cache already has recipes
+    if (!options?.force) {
+        const cached = client.listCached();
+        if (cached.length > 0) {
+            logger.debug(`Recipe cache already has ${cached.length} recipes, skipping bootstrap`);
+            return cached;
+        }
+    }
+    try {
+        return await client.bootstrap(options?.limit ?? 15, requireCleanAudit);
+    }
+    catch (err) {
+        logger.warn(`Catalog unreachable during bootstrap: ${err instanceof Error ? err.message : err}`);
+        return [];
+    }
+}
+/**
+ * Merge cached catalog recipes into a BridgeConfig.
+ * Only adds recipes whose required env vars are all present in process.env.
+ * Never overwrites manually configured servers.
+ *
+ * IMPORTANT: Must be called AFTER loadConfig() / dotenv, since env var
+ * checks rely on process.env being fully populated.
+ */
+export function mergeRecipesIntoConfig(config, options) {
+    const logger = options?.logger ?? noopLogger;
+    // autoMerge defaults to false (opt-in) — only merge when explicitly enabled
+    if (config.autoMerge !== true) {
+        logger.debug("[mcp-bridge] Auto-merge disabled (autoMerge is not true), skipping recipe merge");
+        return config;
+    }
+    const cacheDir = options?.cacheDir ?? join(homedir(), ".mcp-bridge", "recipes");
+    const client = new CatalogClient({ cacheDir, logger });
+    const names = client.listCached();
+    if (names.length === 0)
+        return config;
+    const servers = { ...config.servers };
+    const requireCleanAudit = config.security?.requireCleanAudit ?? false;
+    for (const name of names) {
+        // Never overwrite manually configured servers
+        if (servers[name])
+            continue;
+        const recipe = client.getCached(name);
+        if (!recipe)
+            continue;
+        // Check depAudit security policy
+        const depAudit = getDepAudit(recipe);
+        const auditOk = depAudit === null || depAudit === "clean" || depAudit === "not-applicable";
+        if (!auditOk) {
+            if (requireCleanAudit) {
+                logger.warn(`⚠️ Skipping server "${name}": has known security advisories (depAudit: ${depAudit}). Set security.requireCleanAudit=false to allow.`);
+                continue;
+            }
+            else {
+                logger.info(`ℹ️ Server "${name}" has known advisories (depAudit: ${depAudit}). Set security.requireCleanAudit=true to block.`);
+            }
+        }
+        const converted = recipeToServerConfig(recipe);
+        if (!converted) {
+            logger.debug(`Skipping recipe "${name}": unsupported format`);
+            continue;
+        }
+        // Check that all required env vars are available
+        const requiredVars = collectRequiredEnvVars(recipe);
+        const missing = requiredVars.filter((v) => !process.env[v]);
+        if (missing.length > 0) {
+            logger.debug(`Skipping recipe "${name}": missing env vars: ${missing.join(", ")}`);
+            continue;
+        }
+        servers[name] = converted;
+        logger.debug(`Added catalog recipe "${name}" to config`);
+    }
+    return { ...config, servers };
+}
+/** Convert a catalog recipe JSON to McpServerConfig, or null if unsupported. */
+function recipeToServerConfig(recipe) {
+    // v2 recipe: has transports array
+    if (Array.isArray(recipe.transports) && recipe.transports.length > 0) {
+        const t = recipe.transports[0];
+        if (t.type === "stdio") {
+            return {
+                transport: "stdio",
+                description: recipe.description,
+                command: t.command,
+                args: t.args,
+                env: t.env,
+            };
+        }
+        if (t.type === "sse" || t.type === "streamable-http") {
+            return {
+                transport: t.type,
+                description: recipe.description,
+                url: t.url,
+                headers: t.headers,
+            };
+        }
+        return null;
+    }
+    // v1 recipe: has transport string
+    if (recipe.transport === "stdio") {
+        return {
+            transport: "stdio",
+            description: recipe.description,
+            command: recipe.command,
+            args: recipe.args,
+            env: recipe.env,
+        };
+    }
+    if (recipe.transport === "sse" || recipe.transport === "streamable-http") {
+        return {
+            transport: recipe.transport,
+            description: recipe.description,
+            url: recipe.url,
+            headers: recipe.headers,
+        };
+    }
+    return null;
+}
+/** Collect all env var names required by a recipe. */
+function collectRequiredEnvVars(recipe) {
+    const vars = new Set();
+    // From auth.envVars
+    if (Array.isArray(recipe.auth?.envVars)) {
+        for (const v of recipe.auth.envVars)
+            vars.add(v);
+    }
+    // From env object: extract ${VAR} references
+    const envObj = Array.isArray(recipe.transports)
+        ? recipe.transports[0]?.env
+        : recipe.env;
+    if (envObj && typeof envObj === "object") {
+        for (const val of Object.values(envObj)) {
+            if (typeof val === "string") {
+                const matches = val.matchAll(/\$\{([^}]+)\}/g);
+                for (const m of matches)
+                    vars.add(m[1]);
+            }
+        }
+    }
+    // If auth is explicitly required but no env vars were found,
+    // return a placeholder to prevent auto-registration without credentials
+    if (recipe.auth?.required === true && vars.size === 0) {
+        vars.add("__AUTH_REQUIRED__");
+    }
+    return [...vars];
+}

package/dist/src/index.d.ts

@@ -18,7 +18,7 @@ export { ToolResolver } from "./tool-resolution.js";
 export type { ToolResolutionResult, ToolResolutionCandidate } from "./tool-resolution.js";
 export { convertJsonSchemaToTypeBox, createToolParameters, setTypeBoxLoader, setSchemaLogger } from "./schema-convert.js";
 export { initializeProtocol, fetchToolsList, PACKAGE_VERSION } from "./protocol.js";
-export { loadConfig, parseEnvFile, initConfigDir, getConfigDir } from "./config.js";
+export { loadConfig, parseEnvFile, initConfigDir, getConfigDir, bootstrapCatalog, mergeRecipesIntoConfig, warnDeprecatedBundledRecipes } from "./config.js";
 export type { Logger, McpServerConfig, McpClientConfig, HttpAuthConfig, RetryConfig, McpTool, McpRequest, McpCallRequest, McpResponse, JsonRpcMessage, McpTransport, McpServerConnection, BridgeConfig, RequestIdState, RequestIdGenerator, } from "./types.js";
 export { nextRequestId } from "./types.js";
 export { pickRegisteredToolName } from "./tool-naming.js";
@@ -26,3 +26,7 @@ export { StandaloneServer } from "./standalone-server.js";
 export { checkForUpdate, checkPluginUpdate, getUpdateNotice, runUpdate, resetNoticeFlag } from "./update-checker.js";
 export type { UpdateInfo, PluginUpdateInfo } from "./update-checker.js";
 export { filterServers, buildFilteredDescription } from "./smart-filter.js";
+export { CatalogClient, CatalogError } from "./catalog-client.js";
+export type { CatalogRecipe, CatalogSearchResult } from "./catalog-client.js";
+export { RecipeCache } from "./recipe-cache.js";
+export type { CachedRecipe } from "./recipe-cache.js";