@alcyone-labs/arg-parser 2.6.0 → 2.7.1

package/dist/index.cjs

@@ -35,6 +35,7 @@ var __flags, _throwForDuplicateFlags, _appName, _appCommandName, _subCommandName
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const fs = require("node:fs");
 const path = require("node:path");
+const node_url = require("node:url");
 const magicRegexp = require("magic-regexp");
 const getTsconfig = require("get-tsconfig");
 const zod = require("zod");
@@ -3952,22 +3953,41 @@ const _ArgParserBase = class _ArgParserBase {
       console.log("--- End Configuration Dump ---\\n");
     }
   }
+  /**
+   * Detects if the current script is being executed directly (not imported)
+   * Uses a robust method that works across different environments and sandboxes
+   * @param importMetaUrl The import.meta.url from the calling script (optional)
+   * @returns true if the script is being executed directly, false if imported
+   */
+  static isExecutedDirectly(importMetaUrl) {
+    try {
+      if (importMetaUrl) {
+        const currentFile = node_url.fileURLToPath(importMetaUrl);
+        const executedFile = path__namespace.resolve(process.argv[1]);
+        return currentFile === executedFile;
+      }
+      if (typeof process !== "undefined" && process.argv && process.argv[1]) {
+        return false;
+      }
+      return false;
+    } catch {
+      return false;
+    }
+  }
   async parse(processArgs, options) {
-    var _a, _b;
+    var _a;
     debug.log("ArgParserBase.parse() called with args:", processArgs);
+    const shouldCheckAutoExecution = (options == null ? void 0 : options.importMetaUrl) && (options == null ? void 0 : options.autoExecute) !== false;
+    if (shouldCheckAutoExecution) {
+      const isDirectExecution = _ArgParserBase.isExecutedDirectly(options.importMetaUrl);
+      if (!isDirectExecution) {
+        debug.log("Auto-execution enabled but script is imported, skipping execution");
+        return {};
+      }
+    }
     if (processArgs === void 0) {
       if (typeof process !== "undefined" && process.argv && Array.isArray(process.argv)) {
         processArgs = process.argv.slice(2);
-        const isCliMode = !__privateGet(this, _parentParser) && !!__privateGet(this, _appCommandName);
-        const isMcpMode = (options == null ? void 0 : options.isMcp) || ((_a = globalThis.console) == null ? void 0 : _a.mcpError);
-        if (isCliMode && !isMcpMode) {
-          console.warn(
-            `Warning: parse() called without arguments. Auto-detected Node.js environment and using process.argv.slice(2).`
-          );
-          console.warn(
-            `For explicit control, call parse(process.argv.slice(2)) instead.`
-          );
-        }
       } else {
         throw new Error(
           "parse() called without arguments in non-Node.js environment. Please provide arguments explicitly: parse(['--flag', 'value'])"
@@ -3992,7 +4012,7 @@ const _ArgParserBase = class _ArgParserBase {
         commandChain: identifiedCommandChain,
         parserChain: identifiedParserChain
       } = __privateMethod(this, _ArgParserBase_instances, _identifyCommandChainAndParsers_fn).call(this, processArgs, this, [], [this]);
-      const saveToEnvResult = __privateMethod(_b = identifiedFinalParser, _ArgParserBase_instances, _handleSaveToEnvFlag_fn).call(_b, processArgs, identifiedParserChain);
+      const saveToEnvResult = __privateMethod(_a = identifiedFinalParser, _ArgParserBase_instances, _handleSaveToEnvFlag_fn).call(_a, processArgs, identifiedParserChain);
       if (saveToEnvResult !== false) {
         return saveToEnvResult === true ? {} : saveToEnvResult;
       }
@@ -5156,10 +5176,12 @@ _handleMcpServeFlag_fn = async function(processArgs, _mcpServeIndex) {
     if (typeof loggerConfig === "string") {
       mcpLogger = mcpLoggerModule.createMcpLogger("MCP Serve", loggerConfig);
     } else {
-      mcpLogger = mcpLoggerModule.createMcpLogger(
-        loggerConfig.prefix || "MCP Serve",
-        loggerConfig.logToFile
-      );
+      mcpLogger = mcpLoggerModule.createMcpLogger({
+        prefix: loggerConfig.prefix || "MCP Serve",
+        logToFile: loggerConfig.logToFile,
+        level: loggerConfig.level,
+        mcpMode: loggerConfig.mcpMode ?? true
+      });
     }
     debug.log("Created MCP logger, about to hijack console");
     globalThis.console = mcpLogger;
@@ -5311,7 +5333,10 @@ _startUnifiedMcpServer_fn = async function(mcpServerConfig, transportOptions) {
     const finalTransportOptions = {
       port: transportOptions.port,
       host: transportOptions.host || "localhost",
-      path: transportOptions.path || "/mcp"
+      path: transportOptions.path || "/mcp",
+      // Pass-through for streamable-http only; harmlessly ignored for others
+      cors: transportOptions.cors,
+      auth: transportOptions.auth
     };
     await mcpParser.startMcpServerWithTransport(
       serverInfo,
@@ -5419,6 +5444,27 @@ _parseMcpTransportOptions_fn = function(processArgs) {
           i++;
         }
         break;
+      // Streamable HTTP extras (accept JSON string)
+      case "--s-mcp-cors":
+        if (nextArg && !nextArg.startsWith("-")) {
+          try {
+            options.cors = JSON.parse(nextArg);
+          } catch {
+            options.cors = nextArg;
+          }
+          i++;
+        }
+        break;
+      case "--s-mcp-auth":
+        if (nextArg && !nextArg.startsWith("-")) {
+          try {
+            options.auth = JSON.parse(nextArg);
+          } catch {
+            options.auth = nextArg;
+          }
+          i++;
+        }
+        break;
       // Backward compatibility: support old flags but with deprecation warning
       case "--transport":
       case "--port":
@@ -6992,7 +7038,7 @@ Migration guide: https://github.com/alcyone-labs/arg-parser/blob/main/docs/MCP-M
         `After deduplication: ${uniqueTools.length} unique tools`
       );
       uniqueTools.forEach((tool) => {
-        var _a2, _b2, _c2, _d, _e, _f;
+        var _a2, _b2, _c2, _d, _e, _f, _g;
         logger.mcpError(`Registering tool: ${tool.name}`);
         let zodSchema;
         const toolFromUnified = Array.from(this._tools.values()).find(
@@ -7108,6 +7154,29 @@ Migration guide: https://github.com/alcyone-labs/arg-parser/blob/main/docs/MCP-M
             inputSchema: mcpCompatibleSchema
           });
         }
+        if (tool.outputSchema && this.supportsOutputSchemas()) {
+          const convertedOutputSchema = createOutputSchema(tool.outputSchema);
+          toolConfig.outputSchema = convertedOutputSchema;
+          if (process.env["MCP_DEBUG"]) {
+            console.error(
+              `[MCP Debug] Including outputSchema for tool '${tool.name}':`,
+              typeof tool.outputSchema
+            );
+            console.error(
+              `[MCP Debug] Converted outputSchema constructor:`,
+              (_g = convertedOutputSchema == null ? void 0 : convertedOutputSchema.constructor) == null ? void 0 : _g.name
+            );
+            console.error(
+              `[MCP Debug] supportsOutputSchemas():`,
+              this.supportsOutputSchemas()
+            );
+          }
+        } else if (process.env["MCP_DEBUG"]) {
+          console.error(
+            `[MCP Debug] NOT including outputSchema for tool '${tool.name}':`,
+            `hasOutputSchema=${!!tool.outputSchema}, supportsOutputSchemas=${this.supportsOutputSchemas()}`
+          );
+        }
         const simpleExecute = async (args) => {
           if (process.env["MCP_DEBUG"]) {
             console.error(
@@ -7456,6 +7525,34 @@ Migration guide: https://github.com/alcyone-labs/arg-parser/blob/main/docs/MCP-M
   parseAsync(processArgs, options) {
     return this.parse(processArgs, options);
   }
+  /**
+   * Convenience method for auto-execution: only runs if the script is executed directly (not imported).
+   * This eliminates the need for boilerplate code to check if the script is being run directly.
+   *
+   * @param importMetaUrl Pass import.meta.url from your script for reliable detection
+   * @param processArgs Optional arguments to parse (defaults to process.argv.slice(2))
+   * @param options Additional parse options
+   * @returns Promise that resolves to the parse result, or empty object if script is imported
+   *
+   * @example
+   * ```typescript
+   * // At the bottom of your CLI script:
+   * await cli.parseIfExecutedDirectly(import.meta.url);
+   *
+   * // With error handling:
+   * await cli.parseIfExecutedDirectly(import.meta.url).catch((error) => {
+   *   console.error("Fatal error:", error instanceof Error ? error.message : String(error));
+   *   process.exit(1);
+   * });
+   * ```
+   */
+  async parseIfExecutedDirectly(importMetaUrl, processArgs, options) {
+    return this.parse(processArgs, {
+      ...options,
+      autoExecute: true,
+      importMetaUrl
+    });
+  }
   addMcpSubCommand(subCommandName = "mcp-server", serverInfo, optionsOrToolOptions) {
     console.warn(`[DEPRECATED] addMcpSubCommand() is deprecated and will be removed in v2.0.
 Please use withMcp() to configure server metadata and the --s-mcp-serve system flag instead.
@@ -7734,6 +7831,7 @@ registerToolAsSubCommand_fn = function(toolConfig) {
   });
 };
 _startSingleTransport_fn = async function(server, serverInfo, transportConfig, logPath) {
+  var _a, _b, _c, _d, _e, _f;
   const resolvedLogPath = resolveLogPath(logPath || "./logs/mcp.log");
   const logger = simpleMcpLogger.createMcpLogger("MCP Transport", resolvedLogPath);
   try {
@@ -7776,11 +7874,153 @@ _startSingleTransport_fn = async function(server, serverInfo, transportConfig, l
         const { StreamableHTTPServerTransport: StreamableHTTPServerTransport2 } = await Promise.resolve().then(() => streamableHttp);
         const express = (await import("express")).default;
         const app = express();
+        app.disable("x-powered-by");
         app.use(express.json());
+        app.get("/favicon.ico", (_req, res) => {
+          const favicon = `<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+              <rect width="16" height="16" fill="white"/>
+              <circle cx="8" cy="8" r="4" fill="red"/>
+            </svg>`;
+          res.setHeader("Content-Type", "image/svg+xml");
+          res.setHeader("Cache-Control", "public, max-age=86400");
+          res.send(favicon);
+        });
+        try {
+          (_c = (_b = (_a = this._mcpServerConfig) == null ? void 0 : _a.httpServer) == null ? void 0 : _b.configureExpress) == null ? void 0 : _c.call(_b, app);
+        } catch (e) {
+        }
         const port = transportConfig.port || 3e3;
         const path2 = transportConfig.path || "/mcp";
+        if (transportConfig.cors) {
+          const cors = transportConfig.cors;
+          const allowMethods = ((_d = cors.methods) == null ? void 0 : _d.join(", ")) || "GET,POST,PUT,PATCH,DELETE,OPTIONS";
+          const allowHeaders = (req) => {
+            var _a2;
+            return ((_a2 = cors.headers) == null ? void 0 : _a2.join(", ")) || req.headers["access-control-request-headers"] || "Content-Type, Authorization, MCP-Session-Id";
+          };
+          const exposed = ((_e = cors.exposedHeaders) == null ? void 0 : _e.join(", ")) || void 0;
+          const resolveOrigin = (req) => {
+            const reqOrigin = req.headers.origin;
+            const origins = cors.origins ?? "*";
+            if (origins === "*") return cors.credentials ? reqOrigin : "*";
+            if (!reqOrigin) return void 0;
+            const list = Array.isArray(origins) ? origins : [origins];
+            for (const o of list) {
+              if (typeof o === "string" && o === reqOrigin) return reqOrigin;
+              if (o instanceof RegExp && o.test(reqOrigin)) return reqOrigin;
+            }
+            return void 0;
+          };
+          const applyCorsHeaders = (req, res) => {
+            const origin = resolveOrigin(req);
+            if (origin) res.setHeader("Access-Control-Allow-Origin", origin);
+            if (cors.credentials) res.setHeader("Access-Control-Allow-Credentials", "true");
+            res.setHeader("Vary", "Origin");
+            res.setHeader("Access-Control-Allow-Methods", allowMethods);
+            const hdrs = allowHeaders(req);
+            if (hdrs) res.setHeader("Access-Control-Allow-Headers", hdrs);
+            if (exposed) res.setHeader("Access-Control-Expose-Headers", exposed);
+            if (typeof cors.maxAge === "number") res.setHeader("Access-Control-Max-Age", String(cors.maxAge));
+          };
+          app.options(path2, (req, res) => {
+            applyCorsHeaders(req, res);
+            res.status(204).end();
+          });
+          app.use((req, res, next) => {
+            if (req.path === path2) applyCorsHeaders(req, res);
+            next();
+          });
+        }
+        if ((_f = transportConfig.auth) == null ? void 0 : _f.customMiddleware) {
+          app.use(transportConfig.auth.customMiddleware);
+        }
+        const authOpts = transportConfig.auth;
+        const shouldRequireAuthFor = (req) => {
+          if (!authOpts) return false;
+          const reqPath = req.path;
+          const pub = authOpts.publicPaths || [];
+          const prot = authOpts.protectedPaths;
+          if (pub.includes(reqPath)) return false;
+          if (prot && !prot.includes(reqPath)) return false;
+          return authOpts.required !== false;
+        };
+        const base64urlDecode = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+        const verifyJwt = async (token) => {
+          if (!(authOpts == null ? void 0 : authOpts.jwt)) return false;
+          const [h, p, sig] = token.split(".");
+          if (!h || !p || !sig) return false;
+          const header = JSON.parse(base64urlDecode(h).toString("utf8"));
+          const payload = JSON.parse(base64urlDecode(p).toString("utf8"));
+          const alg = header.alg;
+          if (authOpts.jwt.algorithms && !authOpts.jwt.algorithms.includes(alg)) return false;
+          const data2 = Buffer.from(`${h}.${p}`);
+          const signature = base64urlDecode(sig);
+          if (alg === "HS256") {
+            const secret = authOpts.jwt.secret;
+            if (!secret) return false;
+            const hmac = (await import("node:crypto")).createHmac("sha256", secret).update(data2).digest();
+            if (!hmac.equals(signature)) return false;
+          } else if (alg === "RS256") {
+            const crypto = await import("node:crypto");
+            let key = authOpts.jwt.publicKey;
+            if (!key && authOpts.jwt.getPublicKey) {
+              key = await authOpts.jwt.getPublicKey(header, payload);
+            }
+            if (!key) return false;
+            const verify = crypto.createVerify("RSA-SHA256");
+            verify.update(data2);
+            verify.end();
+            const ok = verify.verify(key, signature);
+            if (!ok) return false;
+          } else {
+            return false;
+          }
+          if (authOpts.jwt.audience) {
+            const allowed = Array.isArray(authOpts.jwt.audience) ? authOpts.jwt.audience : [authOpts.jwt.audience];
+            if (!allowed.includes(payload.aud)) return false;
+          }
+          if (authOpts.jwt.issuer) {
+            const allowed = Array.isArray(authOpts.jwt.issuer) ? authOpts.jwt.issuer : [authOpts.jwt.issuer];
+            if (!allowed.includes(payload.iss)) return false;
+          }
+          const nowSec = Math.floor(Date.now() / 1e3);
+          const tol = authOpts.jwt.clockToleranceSec || 0;
+          if (payload.nbf && nowSec + tol < payload.nbf) return false;
+          if (payload.exp && nowSec - tol >= payload.exp) return false;
+          return true;
+        };
+        const authenticate = async (req) => {
+          if (!authOpts) return true;
+          const authz = req.headers.authorization;
+          const token = (authz == null ? void 0 : authz.startsWith("Bearer ")) ? authz.slice(7) : void 0;
+          if (!token) {
+            if (authOpts.validator) return !!await authOpts.validator(req, token);
+            return false;
+          }
+          if (authOpts.scheme === "jwt" || authOpts.jwt) {
+            const ok = await verifyJwt(token);
+            if (!ok) return false;
+          } else if (authOpts.scheme === "bearer" || !authOpts.scheme) {
+            if (authOpts.allowedTokens && !authOpts.allowedTokens.includes(token)) {
+              if (authOpts.validator) return !!await authOpts.validator(req, token);
+              return false;
+            }
+          }
+          if (authOpts.validator) {
+            const ok = await authOpts.validator(req, token);
+            if (!ok) return false;
+          }
+          return true;
+        };
         const transports = {};
         app.all(path2, async (req, res) => {
+          if (shouldRequireAuthFor(req)) {
+            const ok = await authenticate(req);
+            if (!ok) {
+              res.status(401).json({ error: "Unauthorized" });
+              return;
+            }
+          }
           const sessionId = req.headers["mcp-session-id"];
           let transport;
           if (sessionId && transports[sessionId]) {
@@ -7793,9 +8033,7 @@ _startSingleTransport_fn = async function(server, serverInfo, transportConfig, l
               }
             });
             transport.onclose = () => {
-              if (transport.sessionId) {
-                delete transports[transport.sessionId];
-              }
+              if (transport.sessionId) delete transports[transport.sessionId];
             };
             await server.connect(transport);
           }