npm - @atezer/figma-mcp-bridge - Versions diffs - 1.2.2 → 1.3.0 - Mend

@atezer/figma-mcp-bridge 1.2.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +40 -9
package/README.md +8 -10
package/dist/cloudflare/index.js +4 -243
package/dist/core/plugin-bridge-server.d.ts +16 -0
package/dist/core/plugin-bridge-server.d.ts.map +1 -1
package/dist/core/plugin-bridge-server.js +49 -12
package/dist/core/plugin-bridge-server.js.map +1 -1
package/dist/local-plugin-only.d.ts.map +1 -1
package/dist/local-plugin-only.js +69 -6
package/dist/local-plugin-only.js.map +1 -1
package/f-mcp-plugin/README.md +0 -8
package/f-mcp-plugin/manifest.json +2 -4
package/f-mcp-plugin/ui.html +193 -450
package/package.json +7 -3
package/dist/cloudflare/cloud-cors.js +0 -40
package/dist/cloudflare/cloud-mode-kv.js +0 -86
package/dist/cloudflare/cloud-mode-routes.js +0 -97
package/dist/cloudflare/cloud-relay-session.js +0 -141

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@atezer/figma-mcp-bridge",
-	"version": "1.2.2",
+	"version": "1.3.0",
 	"description": "F-MCP ATezer: MCP server and Figma plugin bridge for Claude/Cursor. No REST token required.",
 	"type": "module",
 	"main": "dist/local.js",
@@ -36,8 +36,7 @@
 		"cf-typegen": "wrangler types",
 		"type-check": "tsc --noEmit",
 		"validate:fmcp-skills": "node scripts/validate-fmcp-skills-tools.mjs",
-		"check-ports": "bash scripts/check-ports.sh",
-		"smoke:cloud": "node scripts/smoke-fmcp-cloud.mjs"
+		"check-ports": "bash scripts/check-ports.sh"
 	},
 	"keywords": [
 		"mcp",
@@ -60,6 +59,11 @@
 	"engines": {
 		"node": ">=18.0.0"
 	},
+	"overrides": {
+		"agents": {
+			"@modelcontextprotocol/sdk": "1.25.3"
+		}
+	},
 	"dependencies": {
 		"@cloudflare/puppeteer": "^1.0.4",
 		"@modelcontextprotocol/sdk": "^1.25.3",

package/dist/cloudflare/cloud-cors.js DELETED Viewed

@@ -1,40 +0,0 @@
-/**
- * CORS allowlist for Cloud Mode + remote MCP (claude.ai, v0, Lovable, etc.).
- */
-const DEFAULT_ALLOWED_ORIGINS = [
-    "https://claude.ai",
-    "https://www.claude.ai",
-    "https://v0.dev",
-    "https://www.v0.dev",
-    "https://lovable.dev",
-    "https://www.lovable.dev",
-];
-export function getAllowedCorsOrigin(request, extra) {
-    const origin = request.headers.get("Origin");
-    if (!origin)
-        return null;
-    const set = new Set([...DEFAULT_ALLOWED_ORIGINS, ...(extra ?? [])]);
-    return set.has(origin) ? origin : null;
-}
-export function corsHeaders(request, extraOrigins) {
-    const o = getAllowedCorsOrigin(request, extraOrigins);
-    const base = {
-        "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
-        "Access-Control-Allow-Headers": "Content-Type, Accept, Authorization, mcp-session-id, Mcp-Protocol-Version, mcp-protocol-version",
-        "Access-Control-Expose-Headers": "mcp-session-id",
-        "Access-Control-Max-Age": "86400",
-    };
-    if (o)
-        base["Access-Control-Allow-Origin"] = o;
-    else
-        base["Access-Control-Allow-Origin"] = "*";
-    return base;
-}
-export function withCors(request, response, extraOrigins) {
-    const h = new Headers(response.headers);
-    const ch = corsHeaders(request, extraOrigins);
-    for (const [k, v] of Object.entries(ch)) {
-        h.set(k, v);
-    }
-    return new Response(response.body, { status: response.status, headers: h });
-}

package/dist/cloudflare/cloud-mode-kv.js DELETED Viewed

@@ -1,86 +0,0 @@
-/**
- * Cloud Mode pairing / bind / rate-limit helpers (KV: reuses OAUTH_STATE binding).
- * Key prefixes are reserved to avoid collisions with OAuth state tokens (64+ hex).
- */
-export const FMCP_PAIR_PREFIX = "fmcp_pair:";
-export const FMCP_BIND_PREFIX = "fmcp_bind:";
-export const FMCP_RL_PREFIX = "fmcp_rl:";
-export const PAIRING_TTL_SEC = 300;
-export const BIND_TTL_SEC = 86400;
-export const PAIRING_CODE_LENGTH = 6;
-const CODE_CHARS = "23456789ABCDEFGHJKMNPQRSTVWXYZ";
-export function generatePairingCode() {
-    let out = "";
-    const arr = new Uint8Array(PAIRING_CODE_LENGTH);
-    crypto.getRandomValues(arr);
-    for (let i = 0; i < PAIRING_CODE_LENGTH; i++) {
-        out += CODE_CHARS[arr[i] % CODE_CHARS.length];
-    }
-    return out;
-}
-export function generatePairingSecret() {
-    const a = new Uint8Array(16);
-    crypto.getRandomValues(a);
-    return Array.from(a, (b) => b.toString(16).padStart(2, "0")).join("");
-}
-export async function putPairing(kv, code, record) {
-    await kv.put(`${FMCP_PAIR_PREFIX}${code}`, JSON.stringify(record), {
-        expirationTtl: PAIRING_TTL_SEC,
-    });
-}
-export async function getPairing(kv, code) {
-    const raw = await kv.get(`${FMCP_PAIR_PREFIX}${code}`, "text");
-    if (!raw)
-        return null;
-    try {
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-export async function deletePairing(kv, code) {
-    await kv.delete(`${FMCP_PAIR_PREFIX}${code}`);
-}
-export async function putBind(kv, mcpSessionId, record) {
-    await kv.put(`${FMCP_BIND_PREFIX}${mcpSessionId}`, JSON.stringify(record), {
-        expirationTtl: BIND_TTL_SEC,
-    });
-}
-export async function getBind(kv, mcpSessionId) {
-    const raw = await kv.get(`${FMCP_BIND_PREFIX}${mcpSessionId}`, "text");
-    if (!raw)
-        return null;
-    try {
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-export async function deleteBind(kv, mcpSessionId) {
-    await kv.delete(`${FMCP_BIND_PREFIX}${mcpSessionId}`);
-}
-export async function rateLimitAllow(kv, key, limit, windowSec) {
-    const now = Date.now();
-    const raw = await kv.get(key, "text");
-    let stamps = [];
-    if (raw) {
-        try {
-            stamps = JSON.parse(raw).t ?? [];
-        }
-        catch {
-            stamps = [];
-        }
-    }
-    const windowMs = windowSec * 1000;
-    stamps = stamps.filter((ts) => now - ts < windowMs);
-    if (stamps.length >= limit)
-        return false;
-    stamps.push(now);
-    await kv.put(key, JSON.stringify({ t: stamps }), { expirationTtl: Math.max(windowSec * 2, 120) });
-    return true;
-}
-export function clientIp(request) {
-    return request.headers.get("CF-Connecting-IP") || request.headers.get("X-Forwarded-For")?.split(",")[0]?.trim() || "unknown";
-}

package/dist/cloudflare/cloud-mode-routes.js DELETED Viewed

@@ -1,97 +0,0 @@
-/**
- * HTTP + WebSocket routes for FMCP Cloud Mode (pairing, plugin bridge).
- */
-import { corsHeaders, getAllowedCorsOrigin, withCors } from "./cloud-cors.js";
-import { clientIp, FMCP_RL_PREFIX, generatePairingCode, generatePairingSecret, PAIRING_TTL_SEC, putPairing, rateLimitAllow, getPairing, } from "./cloud-mode-kv.js";
-const PAIRING_HTTP_LIMIT = 20;
-const PAIRING_HTTP_WINDOW_SEC = 60;
-function json(data, status = 200, request) {
-    const headers = { "Content-Type": "application/json" };
-    if (request)
-        Object.assign(headers, corsHeaders(request));
-    return new Response(JSON.stringify(data), { status, headers });
-}
-function baseUrl(request) {
-    const u = new URL(request.url);
-    return `${u.protocol}//${u.host}`;
-}
-export async function handleCloudModeRoutes(request, env) {
-    const url = new URL(request.url);
-    if (url.pathname === "/fmcp-cloud/plugin") {
-        if (request.method === "OPTIONS") {
-            return new Response(null, { headers: corsHeaders(request) });
-        }
-        if (request.headers.get("Upgrade") !== "websocket") {
-            return json({ error: "expected_websocket_upgrade" }, 426, request);
-        }
-        const code = url.searchParams.get("code")?.trim().toUpperCase();
-        const secret = url.searchParams.get("secret");
-        if (!code || !secret) {
-            return json({ error: "missing_code_or_secret" }, 400, request);
-        }
-        const pair = await getPairing(env.OAUTH_STATE, code);
-        if (!pair || pair.secret !== secret) {
-            return json({ error: "invalid_or_expired_pairing" }, 401, request);
-        }
-        const id = env.FMCP_RELAY.idFromName(`pair:${code}`);
-        const res = await env.FMCP_RELAY.get(id).fetch(request);
-        return withCors(request, res);
-    }
-    if (url.pathname === "/fmcp-cloud/pairing") {
-        if (request.method === "OPTIONS") {
-            return new Response(null, { headers: corsHeaders(request) });
-        }
-        if (request.method !== "POST") {
-            return json({ error: "method_not_allowed" }, 405, request);
-        }
-        const token = env.FMCP_PAIRING_TOKEN;
-        if (token) {
-            const auth = request.headers.get("Authorization");
-            const expected = `Bearer ${token}`;
-            if (auth !== expected) {
-                return json({ error: "unauthorized" }, 401, request);
-            }
-        }
-        const ip = clientIp(request);
-        const rlKey = `${FMCP_RL_PREFIX}pair:${ip}`;
-        const ok = await rateLimitAllow(env.OAUTH_STATE, rlKey, PAIRING_HTTP_LIMIT, PAIRING_HTTP_WINDOW_SEC);
-        if (!ok) {
-            return json({ error: "rate_limited" }, 429, request);
-        }
-        const code = generatePairingCode();
-        const secret = generatePairingSecret();
-        const record = { secret, createdAt: Date.now() };
-        await putPairing(env.OAUTH_STATE, code, record);
-        const origin = baseUrl(request);
-        const wsProto = url.protocol === "https:" ? "wss:" : "ws:";
-        const wsHost = url.host;
-        const pluginWsUrl = `${wsProto}//${wsHost}/fmcp-cloud/plugin?code=${encodeURIComponent(code)}&secret=${encodeURIComponent(secret)}`;
-        return json({
-            ok: true,
-            code,
-            secret,
-            expiresInSeconds: PAIRING_TTL_SEC,
-            pluginWebSocketUrl: pluginWsUrl,
-            hint: "Paste code and secret into F-MCP plugin Cloud Mode, or share code + secret with your AI to call fmcp_cloud_bind.",
-        }, 200, request);
-    }
-    if (url.pathname === "/fmcp-cloud/health") {
-        return json({ ok: true, cloudMode: true }, 200, request);
-    }
-    return null;
-}
-/** Merge restrictive CORS onto MCP / SSE responses when Origin matches allowlist. */
-export function maybeTightenMcpCors(request, response) {
-    const origin = request.headers.get("Origin");
-    if (!origin)
-        return response;
-    const allowed = getAllowedCorsOrigin(request);
-    if (!allowed)
-        return response;
-    const h = new Headers(response.headers);
-    h.set("Access-Control-Allow-Origin", allowed);
-    if (!h.has("Access-Control-Expose-Headers")) {
-        h.set("Access-Control-Expose-Headers", "mcp-session-id");
-    }
-    return new Response(response.body, { status: response.status, headers: h });
-}

package/dist/cloudflare/cloud-relay-session.js DELETED Viewed

@@ -1,141 +0,0 @@
-/**
- * FMCP Cloud Mode — per-pairing-code Durable Object.
- * Holds the Figma plugin WebSocket and forwards PluginBridge RPC to the plugin.
- */
-const RPC_TIMEOUT_MS = 120_000;
-export class FmcpRelaySession {
-    constructor(ctx, env) {
-        this.ctx = ctx;
-        this.pending = new Map();
-        this.env = env;
-    }
-    relayNameFromId() {
-        return this.ctx.id.toString();
-    }
-    async fetch(request) {
-        const url = new URL(request.url);
-        if (request.method === "POST" && url.pathname.endsWith("/disconnect")) {
-            for (const s of this.ctx.getWebSockets()) {
-                try {
-                    s.close(1000, "disconnect");
-                }
-                catch {
-                    /* ignore */
-                }
-            }
-            return Response.json({ ok: true, closed: true });
-        }
-        if (request.method === "POST" && url.pathname.endsWith("/rpc")) {
-            return this.handleRpc(request);
-        }
-        if (request.method === "GET" && url.pathname.endsWith("/status")) {
-            const sockets = this.ctx.getWebSockets();
-            const connected = sockets.length > 0;
-            return Response.json({
-                ok: true,
-                pluginConnected: connected,
-                relayId: this.relayNameFromId(),
-            });
-        }
-        if (request.headers.get("Upgrade") !== "websocket") {
-            return new Response("Not found", { status: 404 });
-        }
-        const pair = new WebSocketPair();
-        const [client, server] = Object.values(pair);
-        this.ctx.acceptWebSocket(server);
-        return new Response(null, { status: 101, webSocket: client });
-    }
-    async handleRpc(request) {
-        let body;
-        try {
-            body = (await request.json());
-        }
-        catch {
-            return Response.json({ ok: false, error: "invalid_json" }, { status: 400 });
-        }
-        const method = body.method;
-        if (!method || typeof method !== "string") {
-            return Response.json({ ok: false, error: "missing_method" }, { status: 400 });
-        }
-        const sockets = this.ctx.getWebSockets();
-        if (!sockets || sockets.length === 0) {
-            return Response.json({ ok: false, error: "plugin_not_connected" }, { status: 503 });
-        }
-        const ws = sockets[0];
-        const id = `req_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
-        const payload = JSON.stringify({
-            id,
-            method,
-            params: body.params ?? {},
-        });
-        try {
-            const result = await new Promise((resolve, reject) => {
-                const timeout = setTimeout(() => {
-                    this.pending.delete(id);
-                    reject(new Error(`Plugin bridge request '${method}' timed out after ${RPC_TIMEOUT_MS}ms`));
-                }, RPC_TIMEOUT_MS);
-                this.pending.set(id, { resolve, reject, timeout });
-                ws.send(payload);
-            });
-            return Response.json({ ok: true, result });
-        }
-        catch (e) {
-            const msg = e instanceof Error ? e.message : String(e);
-            return Response.json({ ok: false, error: msg }, { status: 500 });
-        }
-    }
-    async webSocketMessage(ws, message) {
-        const text = typeof message === "string" ? message : new TextDecoder().decode(message);
-        let msg;
-        try {
-            msg = JSON.parse(text);
-        }
-        catch {
-            return;
-        }
-        const t = msg.type;
-        if (t === "pong" || t === "keepalive")
-            return;
-        if (t === "ready") {
-            try {
-                ws.send(JSON.stringify({
-                    type: "welcome",
-                    bridgeVersion: "cloud-1.0.0",
-                    port: 0,
-                    clientId: `cloud_${Date.now()}`,
-                    multiClient: false,
-                }));
-            }
-            catch {
-                /* ignore */
-            }
-            return;
-        }
-        const mid = msg.id;
-        if (mid && this.pending.has(mid)) {
-            const p = this.pending.get(mid);
-            this.pending.delete(mid);
-            clearTimeout(p.timeout);
-            if (msg.error) {
-                p.reject(new Error(String(msg.error)));
-            }
-            else {
-                p.resolve(msg.result);
-            }
-        }
-    }
-    async webSocketClose(_ws, _code, _reason, _wasClean) {
-        for (const [rid, p] of this.pending) {
-            clearTimeout(p.timeout);
-            p.reject(new Error("Plugin disconnected"));
-            this.pending.delete(rid);
-        }
-    }
-    async webSocketError(_ws, _error) {
-        for (const [rid, p] of this.pending) {
-            clearTimeout(p.timeout);
-            p.reject(new Error("Plugin WebSocket error"));
-            this.pending.delete(rid);
-        }
-    }
-}