@alcyone-labs/arg-parser 2.6.0 → 2.7.0

package/dist/index.mjs

@@ -12,6 +12,7 @@ var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "acce
 var __flags, _throwForDuplicateFlags, _appName, _appCommandName, _subCommandName, _parameters, _handler, _throwForDuplicateFlags2, _description, _handleErrors, _autoExit, _parentParser, _lastParseResult, _inheritParentFlags, _subCommands, _flagManager, _dxtGenerator, _configurationManager, _fuzzyMode, _mcpResourcesManager, _mcpPromptsManager, _mcpNotificationsManager, _ArgParserBase_instances, _identifyCommandChainAndParsers_fn, _handleGlobalChecks_fn, _validateMandatoryFlags_fn, _applyDefaultValues_fn, _prepareAndExecuteHandler_fn, parseFlags_fn, _enableFuzzyMode_fn, displayErrorAndExit_fn, _printRecursiveToConsole_fn, _buildRecursiveString_fn, _buildRecursiveJson_fn, _handleSaveToEnvFlag_fn, _handleBuildDxtFlag_fn, _handleMcpServeFlag_fn, _resolveLoggerConfigForServe_fn, _getMcpServerConfiguration_fn, _startUnifiedMcpServer_fn, _findAllMcpSubCommands_fn, _parseMcpTransportOptions_fn, _ArgParser_instances, _resolveLoggerConfig_fn, registerToolAsSubCommand_fn, _startSingleTransport_fn, processAsyncHandlerPromise_fn, _hasDate, _hasTime, _offset;
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { fileURLToPath } from "node:url";
 import { createRegExp, anyOf as anyOf$1, oneOrMore, char } from "magic-regexp";
 import { getTsconfig, createPathsMatcher } from "get-tsconfig";
 import { z } from "zod";
@@ -3911,22 +3912,41 @@ const _ArgParserBase = class _ArgParserBase {
       console.log("--- End Configuration Dump ---\\n");
     }
   }
+  /**
+   * Detects if the current script is being executed directly (not imported)
+   * Uses a robust method that works across different environments and sandboxes
+   * @param importMetaUrl The import.meta.url from the calling script (optional)
+   * @returns true if the script is being executed directly, false if imported
+   */
+  static isExecutedDirectly(importMetaUrl) {
+    try {
+      if (importMetaUrl) {
+        const currentFile = fileURLToPath(importMetaUrl);
+        const executedFile = path.resolve(process.argv[1]);
+        return currentFile === executedFile;
+      }
+      if (typeof process !== "undefined" && process.argv && process.argv[1]) {
+        return false;
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
   async parse(processArgs, options) {
-    var _a, _b;
+    var _a;
     debug.log("ArgParserBase.parse() called with args:", processArgs);
+    const shouldCheckAutoExecution = (options == null ? void 0 : options.importMetaUrl) && (options == null ? void 0 : options.autoExecute) !== false;
+    if (shouldCheckAutoExecution) {
+      const isDirectExecution = _ArgParserBase.isExecutedDirectly(options.importMetaUrl);
+      if (!isDirectExecution) {
+        debug.log("Auto-execution enabled but script is imported, skipping execution");
+        return {};
+      }
+    }
     if (processArgs === void 0) {
       if (typeof process !== "undefined" && process.argv && Array.isArray(process.argv)) {
         processArgs = process.argv.slice(2);
-        const isCliMode = !__privateGet(this, _parentParser) && !!__privateGet(this, _appCommandName);
-        const isMcpMode = (options == null ? void 0 : options.isMcp) || ((_a = globalThis.console) == null ? void 0 : _a.mcpError);
-        if (isCliMode && !isMcpMode) {
-          console.warn(
-            `Warning: parse() called without arguments. Auto-detected Node.js environment and using process.argv.slice(2).`
-          );
-          console.warn(
-            `For explicit control, call parse(process.argv.slice(2)) instead.`
-          );
-        }
       } else {
         throw new Error(
           "parse() called without arguments in non-Node.js environment. Please provide arguments explicitly: parse(['--flag', 'value'])"
@@ -3951,7 +3971,7 @@ const _ArgParserBase = class _ArgParserBase {
         commandChain: identifiedCommandChain,
         parserChain: identifiedParserChain
       } = __privateMethod(this, _ArgParserBase_instances, _identifyCommandChainAndParsers_fn).call(this, processArgs, this, [], [this]);
-      const saveToEnvResult = __privateMethod(_b = identifiedFinalParser, _ArgParserBase_instances, _handleSaveToEnvFlag_fn).call(_b, processArgs, identifiedParserChain);
+      const saveToEnvResult = __privateMethod(_a = identifiedFinalParser, _ArgParserBase_instances, _handleSaveToEnvFlag_fn).call(_a, processArgs, identifiedParserChain);
       if (saveToEnvResult !== false) {
         return saveToEnvResult === true ? {} : saveToEnvResult;
       }
@@ -5270,7 +5290,10 @@ _startUnifiedMcpServer_fn = async function(mcpServerConfig, transportOptions) {
     const finalTransportOptions = {
       port: transportOptions.port,
       host: transportOptions.host || "localhost",
-      path: transportOptions.path || "/mcp"
+      path: transportOptions.path || "/mcp",
+      // Pass-through for streamable-http only; harmlessly ignored for others
+      cors: transportOptions.cors,
+      auth: transportOptions.auth
     };
     await mcpParser.startMcpServerWithTransport(
       serverInfo,
@@ -5378,6 +5401,27 @@ _parseMcpTransportOptions_fn = function(processArgs) {
           i++;
         }
         break;
+      // Streamable HTTP extras (accept JSON string)
+      case "--s-mcp-cors":
+        if (nextArg && !nextArg.startsWith("-")) {
+          try {
+            options.cors = JSON.parse(nextArg);
+          } catch {
+            options.cors = nextArg;
+          }
+          i++;
+        }
+        break;
+      case "--s-mcp-auth":
+        if (nextArg && !nextArg.startsWith("-")) {
+          try {
+            options.auth = JSON.parse(nextArg);
+          } catch {
+            options.auth = nextArg;
+          }
+          i++;
+        }
+        break;
       // Backward compatibility: support old flags but with deprecation warning
       case "--transport":
       case "--port":
@@ -7415,6 +7459,34 @@ Migration guide: https://github.com/alcyone-labs/arg-parser/blob/main/docs/MCP-M
   parseAsync(processArgs, options) {
     return this.parse(processArgs, options);
   }
+  /**
+   * Convenience method for auto-execution: only runs if the script is executed directly (not imported).
+   * This eliminates the need for boilerplate code to check if the script is being run directly.
+   *
+   * @param importMetaUrl Pass import.meta.url from your script for reliable detection
+   * @param processArgs Optional arguments to parse (defaults to process.argv.slice(2))
+   * @param options Additional parse options
+   * @returns Promise that resolves to the parse result, or empty object if script is imported
+   *
+   * @example
+   * ```typescript
+   * // At the bottom of your CLI script:
+   * await cli.parseIfExecutedDirectly(import.meta.url);
+   *
+   * // With error handling:
+   * await cli.parseIfExecutedDirectly(import.meta.url).catch((error) => {
+   *   console.error("Fatal error:", error instanceof Error ? error.message : String(error));
+   *   process.exit(1);
+   * });
+   * ```
+   */
+  async parseIfExecutedDirectly(importMetaUrl, processArgs, options) {
+    return this.parse(processArgs, {
+      ...options,
+      autoExecute: true,
+      importMetaUrl
+    });
+  }
   addMcpSubCommand(subCommandName = "mcp-server", serverInfo, optionsOrToolOptions) {
     console.warn(`[DEPRECATED] addMcpSubCommand() is deprecated and will be removed in v2.0.
 Please use withMcp() to configure server metadata and the --s-mcp-serve system flag instead.
@@ -7693,6 +7765,7 @@ registerToolAsSubCommand_fn = function(toolConfig) {
   });
 };
 _startSingleTransport_fn = async function(server, serverInfo, transportConfig, logPath) {
+  var _a, _b, _c, _d, _e, _f;
   const resolvedLogPath = resolveLogPath(logPath || "./logs/mcp.log");
   const logger2 = createMcpLogger("MCP Transport", resolvedLogPath);
   try {
@@ -7736,10 +7809,142 @@ _startSingleTransport_fn = async function(server, serverInfo, transportConfig, l
         const express = (await import("express")).default;
         const app = express();
         app.use(express.json());
+        try {
+          (_c = (_b = (_a = this._mcpServerConfig) == null ? void 0 : _a.httpServer) == null ? void 0 : _b.configureExpress) == null ? void 0 : _c.call(_b, app);
+        } catch (e) {
+        }
         const port = transportConfig.port || 3e3;
         const path2 = transportConfig.path || "/mcp";
+        if (transportConfig.cors) {
+          const cors = transportConfig.cors;
+          const allowMethods = ((_d = cors.methods) == null ? void 0 : _d.join(", ")) || "GET,POST,PUT,PATCH,DELETE,OPTIONS";
+          const allowHeaders = (req) => {
+            var _a2;
+            return ((_a2 = cors.headers) == null ? void 0 : _a2.join(", ")) || req.headers["access-control-request-headers"] || "Content-Type, Authorization, MCP-Session-Id";
+          };
+          const exposed = ((_e = cors.exposedHeaders) == null ? void 0 : _e.join(", ")) || void 0;
+          const resolveOrigin = (req) => {
+            const reqOrigin = req.headers.origin;
+            const origins = cors.origins ?? "*";
+            if (origins === "*") return cors.credentials ? reqOrigin : "*";
+            if (!reqOrigin) return void 0;
+            const list = Array.isArray(origins) ? origins : [origins];
+            for (const o of list) {
+              if (typeof o === "string" && o === reqOrigin) return reqOrigin;
+              if (o instanceof RegExp && o.test(reqOrigin)) return reqOrigin;
+            }
+            return void 0;
+          };
+          const applyCorsHeaders = (req, res) => {
+            const origin = resolveOrigin(req);
+            if (origin) res.setHeader("Access-Control-Allow-Origin", origin);
+            if (cors.credentials) res.setHeader("Access-Control-Allow-Credentials", "true");
+            res.setHeader("Vary", "Origin");
+            res.setHeader("Access-Control-Allow-Methods", allowMethods);
+            const hdrs = allowHeaders(req);
+            if (hdrs) res.setHeader("Access-Control-Allow-Headers", hdrs);
+            if (exposed) res.setHeader("Access-Control-Expose-Headers", exposed);
+            if (typeof cors.maxAge === "number") res.setHeader("Access-Control-Max-Age", String(cors.maxAge));
+          };
+          app.options(path2, (req, res) => {
+            applyCorsHeaders(req, res);
+            res.status(204).end();
+          });
+          app.use((req, res, next) => {
+            if (req.path === path2) applyCorsHeaders(req, res);
+            next();
+          });
+        }
+        if ((_f = transportConfig.auth) == null ? void 0 : _f.customMiddleware) {
+          app.use(transportConfig.auth.customMiddleware);
+        }
+        const authOpts = transportConfig.auth;
+        const shouldRequireAuthFor = (req) => {
+          if (!authOpts) return false;
+          const reqPath = req.path;
+          const pub = authOpts.publicPaths || [];
+          const prot = authOpts.protectedPaths;
+          if (pub.includes(reqPath)) return false;
+          if (prot && !prot.includes(reqPath)) return false;
+          return authOpts.required !== false;
+        };
+        const base64urlDecode = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+        const verifyJwt = async (token) => {
+          if (!(authOpts == null ? void 0 : authOpts.jwt)) return false;
+          const [h, p, sig] = token.split(".");
+          if (!h || !p || !sig) return false;
+          const header = JSON.parse(base64urlDecode(h).toString("utf8"));
+          const payload = JSON.parse(base64urlDecode(p).toString("utf8"));
+          const alg = header.alg;
+          if (authOpts.jwt.algorithms && !authOpts.jwt.algorithms.includes(alg)) return false;
+          const data2 = Buffer.from(`${h}.${p}`);
+          const signature = base64urlDecode(sig);
+          if (alg === "HS256") {
+            const secret = authOpts.jwt.secret;
+            if (!secret) return false;
+            const hmac = (await import("node:crypto")).createHmac("sha256", secret).update(data2).digest();
+            if (!hmac.equals(signature)) return false;
+          } else if (alg === "RS256") {
+            const crypto = await import("node:crypto");
+            let key = authOpts.jwt.publicKey;
+            if (!key && authOpts.jwt.getPublicKey) {
+              key = await authOpts.jwt.getPublicKey(header, payload);
+            }
+            if (!key) return false;
+            const verify = crypto.createVerify("RSA-SHA256");
+            verify.update(data2);
+            verify.end();
+            const ok = verify.verify(key, signature);
+            if (!ok) return false;
+          } else {
+            return false;
+          }
+          if (authOpts.jwt.audience) {
+            const allowed = Array.isArray(authOpts.jwt.audience) ? authOpts.jwt.audience : [authOpts.jwt.audience];
+            if (!allowed.includes(payload.aud)) return false;
+          }
+          if (authOpts.jwt.issuer) {
+            const allowed = Array.isArray(authOpts.jwt.issuer) ? authOpts.jwt.issuer : [authOpts.jwt.issuer];
+            if (!allowed.includes(payload.iss)) return false;
+          }
+          const nowSec = Math.floor(Date.now() / 1e3);
+          const tol = authOpts.jwt.clockToleranceSec || 0;
+          if (payload.nbf && nowSec + tol < payload.nbf) return false;
+          if (payload.exp && nowSec - tol >= payload.exp) return false;
+          return true;
+        };
+        const authenticate = async (req) => {
+          if (!authOpts) return true;
+          const authz = req.headers.authorization;
+          const token = (authz == null ? void 0 : authz.startsWith("Bearer ")) ? authz.slice(7) : void 0;
+          if (!token) {
+            if (authOpts.validator) return !!await authOpts.validator(req, token);
+            return false;
+          }
+          if (authOpts.scheme === "jwt" || authOpts.jwt) {
+            const ok = await verifyJwt(token);
+            if (!ok) return false;
+          } else if (authOpts.scheme === "bearer" || !authOpts.scheme) {
+            if (authOpts.allowedTokens && !authOpts.allowedTokens.includes(token)) {
+              if (authOpts.validator) return !!await authOpts.validator(req, token);
+              return false;
+            }
+          }
+          if (authOpts.validator) {
+            const ok = await authOpts.validator(req, token);
+            if (!ok) return false;
+          }
+          return true;
+        };
         const transports = {};
         app.all(path2, async (req, res) => {
+          if (shouldRequireAuthFor(req)) {
+            const ok = await authenticate(req);
+            if (!ok) {
+              res.status(401).json({ error: "Unauthorized" });
+              return;
+            }
+          }
           const sessionId = req.headers["mcp-session-id"];
           let transport;
           if (sessionId && transports[sessionId]) {
@@ -7752,9 +7957,7 @@ _startSingleTransport_fn = async function(server, serverInfo, transportConfig, l
               }
             });
             transport.onclose = () => {
-              if (transport.sessionId) {
-                delete transports[transport.sessionId];
-              }
+              if (transport.sessionId) delete transports[transport.sessionId];
             };
             await server.connect(transport);
           }