npm - @cloudgrid-io/mcp - Versions diffs - 0.2.0 → 0.2.3 - Mend

@cloudgrid-io/mcp 0.2.0 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgrid-io/mcp",
-  "version": "0.2.0",
+  "version": "0.2.3",
   "description": "MCP server for CloudGrid. Two editions: a local stdio server (full toolset) and a hosted web server (light, CLI-free toolset) over MCP Streamable HTTP.",
   "type": "module",
   "bin": {

package/src/auth.js CHANGED Viewed

@@ -14,8 +14,16 @@ import { mkdir, writeFile, chmod, readFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
+// Base for server-to-API calls. On a hosted deployment this is the in-cluster
+// service address (CLOUDGRID_API_URL), which is fast but NOT reachable by a browser.
 const API_BASE = (process.env.CLOUDGRID_API_URL || "https://api.cloudgrid.io").replace(/\/+$/, "");
+// Base for URLs handed to the user's browser (the sign-in link). Must be public,
+// regardless of the internal API address. Defaults to the public host.
+const PUBLIC_API_BASE = (
+  process.env.CLOUDGRID_PUBLIC_API_URL || "https://api.cloudgrid.io"
+).replace(/\/+$/, "");
 export function cloudgridHome() {
   return process.env.CLOUDGRID_HOME || join(homedir(), ".cloudgrid");
 }
@@ -28,8 +36,9 @@ export function newLoginCode() {
   return randomUUID();
 }
+// The sign-in URL the user opens in a browser — always the public host.
 export function buildLoginUrl(code) {
-  return `${API_BASE}/auth/login?code=${encodeURIComponent(code)}`;
+  return `${PUBLIC_API_BASE}/auth/login?code=${encodeURIComponent(code)}`;
 }
 // One poll. Returns { status: 'not_started' | 'pending' | 'authenticated' | 'expired', jwt? }.

package/src/index.js CHANGED Viewed

@@ -25,7 +25,7 @@ const ctx = {
   savedLocationNote: () => `Credentials saved to ${credentialsPath()}.`,
 };
-const server = new McpServer({ name: "cloudgrid-mcp", version: "0.2.0" });
+const server = new McpServer({ name: "cloudgrid-mcp", version: "0.2.2" });
 registerTools(server, ctx);
 const transport = new StdioServerTransport();

package/src/tools.js CHANGED Viewed

@@ -120,6 +120,15 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org })
     }
   }
+  // Anonymous path on a hosted server: present the trusted-server credential so the
+  // platform keys the anon-drop cap on the per-user id instead of the shared cluster
+  // egress IP. A missing/bad secret silently falls back to the IP cap server-side, so
+  // this is safe to send whenever configured. Only the web edition sets ctx.trustedServer.
+  if (!headers["Authorization"] && ctx.trustedServer?.secret && ctx.trustedServer?.endUserId) {
+    headers["X-CloudGrid-Trusted-Server-Auth"] = ctx.trustedServer.secret;
+    headers["X-CloudGrid-Trusted-Server-End-User"] = ctx.trustedServer.endUserId;
+  }
   const form = new FormData();
   form.append("artifact", new Blob([bytes], { type }), name);
   if (orgSlug) form.append("org_slug", orgSlug);

package/src/web.js CHANGED Viewed

@@ -17,8 +17,15 @@ import { registerTools, decodeJwt } from "./tools.js";
 const PORT = Number(process.env.PORT || 8080);
-// A web session: identity lives in memory for the session's lifetime only.
-function makeWebContext() {
+// The trusted-server credential, if this host is provisioned as one. Sent on
+// anonymous drops so the platform keys the anon-drop cap on the per-user id rather
+// than the shared cluster egress IP. Missing/bad secret falls back to the IP cap
+// server-side, so it is safe to leave unset.
+const TRUSTED_SERVER_SECRET = process.env.MCP_TRUSTED_SERVER_SECRET || null;
+// A web session: identity lives in memory for the session's lifetime only. The
+// session id doubles as the stable, opaque end-user id for the trusted-server cap.
+function makeWebContext(sessionId) {
   let sessionToken = null;
   return {
     edition: "web",
@@ -33,6 +40,9 @@ function makeWebContext() {
       return decodeJwt(jwt);
     },
     savedLocationNote: () => "You are signed in for this session.",
+    trustedServer: TRUSTED_SERVER_SECRET
+      ? { secret: TRUSTED_SERVER_SECRET, endUserId: sessionId }
+      : null,
   };
 }
@@ -57,9 +67,12 @@ app.post("/mcp", async (req, res) => {
       });
       return;
     }
-    // New session: fresh server + per-session identity context.
+    // New session: fresh server + per-session identity context. Generate the session
+    // id up front so it is also the trusted-server end-user id. (Distinct name from the
+    // incoming `sessionId` header above.)
+    const newSessionId = randomUUID();
     transport = new StreamableHTTPServerTransport({
-      sessionIdGenerator: () => randomUUID(),
+      sessionIdGenerator: () => newSessionId,
       onsessioninitialized: (sid) => {
         transports[sid] = transport;
       },
@@ -67,8 +80,8 @@ app.post("/mcp", async (req, res) => {
     transport.onclose = () => {
       if (transport.sessionId) delete transports[transport.sessionId];
     };
-    const server = new McpServer({ name: "cloudgrid-mcp-web", version: "0.2.0" });
-    registerTools(server, makeWebContext());
+    const server = new McpServer({ name: "cloudgrid-mcp-web", version: "0.2.2" });
+    registerTools(server, makeWebContext(newSessionId));
     await server.connect(transport);
   }