@cyanheads/git-mcp-server 2.1.2 → 2.1.4

package/dist/mcp-server/transports/stdioTransport.js

@@ -1,5 +1,5 @@
 /**
- * Handles the setup and connection for the Stdio MCP transport.
+ * @fileoverview Handles the setup and connection for the Stdio MCP transport.
  * Implements the MCP Specification 2025-03-26 for stdio transport.
  * This transport communicates directly over standard input (stdin) and
  * standard output (stdout), typically used when the MCP server is launched
@@ -15,79 +15,49 @@
  * controlling the server process. This implementation follows that guideline.
  *
  * @see {@link https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-03-26/basic/authorization.mdx | MCP Authorization Specification}
+ * @module src/mcp-server/transports/stdioTransport
  */
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-// Import core utilities: ErrorHandler for centralized error management and logger for logging.
 import { ErrorHandler, logger } from "../../utils/index.js";
-// --- Stdio Session State ---
-// Since stdio typically involves a single, persistent connection managed by a parent,
-// we manage a single working directory state for the entire process.
-let currentWorkingDirectory = undefined; // Initialize as undefined
 /**
- * Gets the current working directory set for the stdio session.
- * @returns {string | undefined} The current working directory path or undefined if not set.
- */
-export function getStdioWorkingDirectory() {
-    return currentWorkingDirectory;
-}
-/**
- * Sets the working directory for the stdio session.
- * @param {string} dir - The new working directory path.
- */
-export function setStdioWorkingDirectory(dir) {
-    currentWorkingDirectory = dir;
-    logger.info(`Stdio working directory set to: ${dir}`, {
-        operation: "setStdioWorkingDirectory",
-    });
-}
-/**
- * Connects a given McpServer instance to the Stdio transport. (Asynchronous)
- * Initializes the SDK's StdioServerTransport, which handles reading newline-delimited
- * JSON-RPC messages from process.stdin and writing corresponding messages to process.stdout,
- * adhering to the MCP stdio transport specification.
+ * Connects a given `McpServer` instance to the Stdio transport.
+ * This function initializes the SDK's `StdioServerTransport`, which manages
+ * communication over `process.stdin` and `process.stdout` according to the
+ * MCP stdio transport specification.
  *
- * MCP Spec Points Covered by SDK's StdioServerTransport:
+ * MCP Spec Points Covered by SDK's `StdioServerTransport`:
  * - Reads JSON-RPC messages (requests, notifications, responses, batches) from stdin.
  * - Writes JSON-RPC messages to stdout.
  * - Handles newline delimiters and ensures no embedded newlines in output messages.
  * - Ensures only valid MCP messages are written to stdout.
  *
- * Note: Logging via the `logger` utility MAY result in output to stderr, which is
+ * Logging via the `logger` utility MAY result in output to stderr, which is
  * permitted by the spec for logging purposes.
  *
- * @param {McpServer} server - The McpServer instance containing the core logic (tools, resources).
- * @param {Record<string, any>} context - Logging context for correlation.
- * @returns {Promise<void>} A promise that resolves when the connection is successfully established.
- * @throws {Error} Throws an error if the connection fails during setup (e.g., issues connecting server to transport).
+ * @param server - The `McpServer` instance.
+ * @param parentContext - The logging and tracing context from the calling function.
+ * @returns A promise that resolves when the Stdio transport is successfully connected.
+ * @throws {Error} If the connection fails during setup.
  */
-export async function connectStdioTransport(server, context) {
-    // Add a specific operation name to the context for better log filtering.
+export async function connectStdioTransport(server, parentContext) {
     const operationContext = {
-        ...context,
+        ...parentContext,
         operation: "connectStdioTransport",
         transportType: "Stdio",
     };
     logger.debug("Attempting to connect stdio transport...", operationContext);
     try {
         logger.debug("Creating StdioServerTransport instance...", operationContext);
-        // Instantiate the transport provided by the SDK for standard I/O communication.
-        // This class encapsulates the logic for reading from stdin and writing to stdout
-        // according to the MCP stdio spec.
         const transport = new StdioServerTransport();
         logger.debug("Connecting McpServer instance to StdioServerTransport...", operationContext);
-        // Establish the link between the server's core logic and the transport layer.
-        // This internally starts the necessary listeners on process.stdin.
         await server.connect(transport);
-        // Log successful connection. The server is now ready to process messages via stdio.
         logger.info("MCP Server connected and listening via stdio transport.", operationContext);
-        // Use logger.notice for startup message to ensure MCP compliance and proper handling by clients.
-        logger.notice(`\n🚀 MCP Server running in STDIO mode.\n   (MCP Spec: 2025-03-26 Stdio Transport)\n`, operationContext);
+        if (process.stdout.isTTY) {
+            console.log(`\n🚀 MCP Server running in STDIO mode.\n   (MCP Spec: 2025-03-26 Stdio Transport)\n`);
+        }
     }
     catch (err) {
-        // Catch and handle any critical errors during the transport connection setup.
-        // Mark as critical because the server cannot function without a connected transport.
         ErrorHandler.handleError(err, { ...operationContext, critical: true });
-        // Rethrow the error to signal the failure to the calling code (e.g., the main server startup).
-        throw err;
+        throw err; // Re-throw after handling to allow caller to react if necessary
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.1.2",
+  "version": "2.1.4",
   "description": "An MCP (Model Context Protocol) server enabling LLMs and AI agents to interact with Git repositories. Provides tools for comprehensive Git operations including clone, commit, branch, diff, log, status, push, pull, merge, rebase, worktree, tag management, and more, via the MCP standard. STDIO & HTTP.",
   "main": "dist/index.js",
   "files": [
@@ -35,21 +35,23 @@
     "clean": "ts-node --esm scripts/clean.ts"
   },
   "dependencies": {
-    "@modelcontextprotocol/inspector": "^0.14.1",
-    "@modelcontextprotocol/sdk": "^1.12.3",
-    "@types/jsonwebtoken": "^9.0.9",
-    "@types/node": "^24.0.1",
+    "@hono/node-server": "^1.14.4",
+    "@modelcontextprotocol/inspector": "^0.14.3",
+    "@modelcontextprotocol/sdk": "^1.13.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^24.0.3",
     "@types/sanitize-html": "^2.16.0",
-    "@types/validator": "^13.15.1",
+    "@types/validator": "^13.15.2",
     "chalk": "^5.4.1",
     "chrono-node": "2.8.0",
     "cli-table3": "^0.6.5",
     "dotenv": "^16.5.0",
     "express": "^5.1.0",
+    "hono": "^4.8.2",
     "ignore": "^7.0.5",
     "jose": "^6.0.11",
     "jsonwebtoken": "^9.0.2",
-    "openai": "^5.3.0",
+    "openai": "^5.6.0",
     "partial-json": "^0.1.7",
     "sanitize-html": "^2.17.0",
     "tiktoken": "^1.0.21",
@@ -59,7 +61,7 @@
     "winston": "^3.17.0",
     "winston-daily-rotate-file": "^5.0.0",
     "yargs": "^18.0.0",
-    "zod": "^3.25.64"
+    "zod": "^3.25.67"
   },
   "keywords": [
     "typescript",

package/dist/mcp-server/transports/authentication/authMiddleware.js

@@ -1,167 +0,0 @@
-/**
- * @fileoverview MCP Authentication Middleware for Bearer Token Validation (JWT).
- *
- * This middleware validates JSON Web Tokens (JWT) passed via the 'Authorization' header
- * using the 'Bearer' scheme (e.g., "Authorization: Bearer <your_token>").
- * It verifies the token's signature and expiration using the secret key defined
- * in the configuration (`config.mcpAuthSecretKey`).
- *
- * If the token is valid, an object conforming to the MCP SDK's `AuthInfo` type
- * (expected to contain `token`, `clientId`, and `scopes`) is attached to `req.auth`.
- * If the token is missing, invalid, or expired, it sends an HTTP 401 Unauthorized response.
- *
- * @see {@link https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-03-26/basic/authorization.mdx | MCP Authorization Specification}
- * @module src/mcp-server/transports/authentication/authMiddleware
- */
-import jwt from "jsonwebtoken";
-import { config, environment } from "../../../config/index.js";
-import { logger, requestContextService } from "../../../utils/index.js";
-// Startup Validation: Validate secret key presence on module load.
-if (environment === "production" && !config.security.mcpAuthSecretKey) {
-    logger.fatal("CRITICAL: MCP_AUTH_SECRET_KEY is not set in production environment. Authentication cannot proceed securely.");
-    throw new Error("MCP_AUTH_SECRET_KEY must be set in production environment for JWT authentication.");
-}
-else if (!config.security.mcpAuthSecretKey) {
-    logger.warning("MCP_AUTH_SECRET_KEY is not set. Authentication middleware will bypass checks (DEVELOPMENT ONLY). This is insecure for production.");
-}
-/**
- * Express middleware for verifying JWT Bearer token authentication.
- */
-export function mcpAuthMiddleware(req, res, next) {
-    const context = requestContextService.createRequestContext({
-        operation: "mcpAuthMiddleware",
-        method: req.method,
-        path: req.path,
-    });
-    logger.debug("Running MCP Authentication Middleware (Bearer Token Validation)...", context);
-    // Development Mode Bypass
-    if (!config.security.mcpAuthSecretKey) {
-        if (environment !== "production") {
-            logger.warning("Bypassing JWT authentication: MCP_AUTH_SECRET_KEY is not set (DEVELOPMENT ONLY).", context);
-            // Populate req.auth strictly according to SDK's AuthInfo
-            req.auth = {
-                token: "dev-mode-placeholder-token",
-                clientId: "dev-client-id",
-                scopes: ["dev-scope"],
-            };
-            // Log dev mode details separately, not attaching to req.auth if not part of AuthInfo
-            logger.debug("Dev mode auth object created.", {
-                ...context,
-                authDetails: req.auth,
-            });
-            return next();
-        }
-        else {
-            logger.error("FATAL: MCP_AUTH_SECRET_KEY is missing in production. Cannot bypass auth.", context);
-            res.status(500).json({
-                error: "Server configuration error: Authentication key missing.",
-            });
-            return;
-        }
-    }
-    const authHeader = req.headers.authorization;
-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
-        logger.warning("Authentication failed: Missing or malformed Authorization header (Bearer scheme required).", context);
-        res.status(401).json({
-            error: "Unauthorized: Missing or invalid authentication token format.",
-        });
-        return;
-    }
-    const tokenParts = authHeader.split(" ");
-    if (tokenParts.length !== 2 || tokenParts[0] !== "Bearer" || !tokenParts[1]) {
-        logger.warning("Authentication failed: Malformed Bearer token.", context);
-        res
-            .status(401)
-            .json({ error: "Unauthorized: Malformed authentication token." });
-        return;
-    }
-    const rawToken = tokenParts[1];
-    try {
-        const decoded = jwt.verify(rawToken, config.security.mcpAuthSecretKey);
-        if (typeof decoded === "string") {
-            logger.warning("Authentication failed: JWT decoded to a string, expected an object payload.", context);
-            res
-                .status(401)
-                .json({ error: "Unauthorized: Invalid token payload format." });
-            return;
-        }
-        // Extract and validate fields for SDK's AuthInfo
-        const clientIdFromToken = typeof decoded.cid === "string"
-            ? decoded.cid
-            : typeof decoded.client_id === "string"
-                ? decoded.client_id
-                : undefined;
-        if (!clientIdFromToken) {
-            logger.warning("Authentication failed: JWT 'cid' or 'client_id' claim is missing or not a string.", { ...context, jwtPayloadKeys: Object.keys(decoded) });
-            res.status(401).json({
-                error: "Unauthorized: Invalid token, missing client identifier.",
-            });
-            return;
-        }
-        let scopesFromToken;
-        if (Array.isArray(decoded.scp) &&
-            decoded.scp.every((s) => typeof s === "string")) {
-            scopesFromToken = decoded.scp;
-        }
-        else if (typeof decoded.scope === "string" &&
-            decoded.scope.trim() !== "") {
-            scopesFromToken = decoded.scope.split(" ").filter((s) => s);
-            if (scopesFromToken.length === 0 && decoded.scope.trim() !== "") {
-                // handles case " " -> [""]
-                scopesFromToken = [decoded.scope.trim()];
-            }
-            else if (scopesFromToken.length === 0 && decoded.scope.trim() === "") {
-                // If scope is an empty string, treat as no scopes rather than erroring, or use a default.
-                // Depending on strictness, could also error here. For now, allow empty array if scope was empty string.
-                logger.debug("JWT 'scope' claim was an empty string, resulting in empty scopes array.", context);
-            }
-        }
-        else {
-            // If scopes are strictly mandatory and not found or invalid format
-            logger.warning("Authentication failed: JWT 'scp' or 'scope' claim is missing, not an array of strings, or not a valid space-separated string. Assigning default empty array.", { ...context, jwtPayloadKeys: Object.keys(decoded) });
-            scopesFromToken = []; // Default to empty array if scopes are mandatory but not found/invalid
-            // Or, if truly mandatory and must be non-empty:
-            // res.status(401).json({ error: "Unauthorized: Invalid token, missing or invalid scopes." });
-            // return;
-        }
-        // Construct req.auth with only the properties defined in SDK's AuthInfo
-        // All other claims from 'decoded' are not part of req.auth for type safety.
-        req.auth = {
-            token: rawToken,
-            clientId: clientIdFromToken,
-            scopes: scopesFromToken,
-        };
-        // Log separately if other JWT claims like 'sub' (sessionId) are needed for app logic
-        const subClaimForLogging = typeof decoded.sub === "string" ? decoded.sub : undefined;
-        logger.debug("JWT verified successfully. AuthInfo attached to request.", {
-            ...context,
-            mcpSessionIdContext: subClaimForLogging,
-            clientId: req.auth.clientId,
-            scopes: req.auth.scopes,
-        });
-        next();
-    }
-    catch (error) {
-        let errorMessage = "Invalid token";
-        if (error instanceof jwt.TokenExpiredError) {
-            errorMessage = "Token expired";
-            logger.warning("Authentication failed: Token expired.", {
-                ...context,
-                expiredAt: error.expiredAt,
-            });
-        }
-        else if (error instanceof jwt.JsonWebTokenError) {
-            errorMessage = `Invalid token: ${error.message}`;
-            logger.warning(`Authentication failed: ${errorMessage}`, { ...context });
-        }
-        else if (error instanceof Error) {
-            errorMessage = `Verification error: ${error.message}`;
-            logger.error("Authentication failed: Unexpected error during token verification.", { ...context, error: error.message });
-        }
-        else {
-            errorMessage = "Unknown verification error";
-            logger.error("Authentication failed: Unexpected non-error exception during token verification.", { ...context, error });
-        }
-        res.status(401).json({ error: `Unauthorized: ${errorMessage}.` });
-    }
-}