@deadragdoll/tellymcp 0.0.13 → 0.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/.env.example.client +5 -1
  2. package/.env.example.gateway +16 -1
  3. package/CHANGELOG.md +30 -0
  4. package/README-ru.md +14 -0
  5. package/README.md +14 -0
  6. package/TOOLS.md +182 -10
  7. package/config/templates/env.both.template +15 -2
  8. package/config/templates/env.client.template +5 -2
  9. package/config/templates/env.gateway.template +15 -2
  10. package/dist/cli.js +28 -1
  11. package/dist/services/features/telegram-mcp/browser.service.js +18 -0
  12. package/dist/services/features/telegram-mcp/file-content.service.js +94 -0
  13. package/dist/services/features/telegram-mcp/gateway-delivery.service.js +5 -1
  14. package/dist/services/features/telegram-mcp/gateway-socket.service.js +43 -11
  15. package/dist/services/features/telegram-mcp/mcp-http.service.js +1 -0
  16. package/dist/services/features/telegram-mcp/mcp-server.service.js +18 -0
  17. package/dist/services/features/telegram-mcp/src/app/bootstrap/runtime.js +9 -1
  18. package/dist/services/features/telegram-mcp/src/app/config/env.js +119 -2
  19. package/dist/services/features/telegram-mcp/src/app/http.js +139 -99
  20. package/dist/services/features/telegram-mcp/src/app/oauthFacade.js +642 -0
  21. package/dist/services/features/telegram-mcp/src/app/webapp/assets.js +151 -170
  22. package/dist/services/features/telegram-mcp/src/app/webapp/auth.js +96 -99
  23. package/dist/services/features/telegram-mcp/src/entities/request/model/schema.js +62 -19
  24. package/dist/services/features/telegram-mcp/src/features/browser/model/browserAttachActiveTabTool.js +28 -0
  25. package/dist/services/features/telegram-mcp/src/features/browser/model/browserAttachTabTool.js +28 -0
  26. package/dist/services/features/telegram-mcp/src/features/browser/model/browserDetachTabTool.js +28 -0
  27. package/dist/services/features/telegram-mcp/src/features/browser/model/browserListAttachedInstancesTool.js +1 -1
  28. package/dist/services/features/telegram-mcp/src/features/browser/model/browserListTabsTool.js +1 -1
  29. package/dist/services/features/telegram-mcp/src/features/browser/model/browserService.js +410 -27
  30. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/browserRecordingBundle.js +37 -3
  31. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/firefoxAttachRegistry.js +7 -6
  32. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/firefoxAttachServer.js +214 -37
  33. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/types.js +186 -0
  34. package/dist/services/features/telegram-mcp/src/features/collaboration/model/collaborationService.js +2 -0
  35. package/dist/services/features/telegram-mcp/src/features/collaboration/model/sendPartnerFileService.js +6 -3
  36. package/dist/services/features/telegram-mcp/src/features/distributed-client/model/gatewayClientAccess.js +4 -1
  37. package/dist/services/features/telegram-mcp/src/features/distributed-gateway/model/gatewayHttpService.js +33 -35
  38. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileListTool.js +33 -0
  39. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileService.js +327 -0
  40. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileTool.js +81 -0
  41. package/dist/services/features/telegram-mcp/src/features/file-content/model/temporaryFileLinkStore.js +307 -0
  42. package/dist/services/features/telegram-mcp/src/features/file-content/model/workspaceFilePolicy.js +115 -0
  43. package/dist/services/features/telegram-mcp/src/features/notify/model/notifyService.js +5 -1
  44. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transport.js +3 -0
  45. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transportFileHandoffActions.js +6 -3
  46. package/dist/services/features/telegram-mcp/src/shared/integrations/terminal/client.js +29 -6
  47. package/dist/services/features/telegram-mcp/src/shared/integrations/terminal/ptyRegistry.js +100 -2
  48. package/dist/services/features/telegram-mcp/src/shared/lib/bodyLimits.js +63 -0
  49. package/dist/services/features/telegram-mcp/src/shared/lib/gatewayAuth.js +13 -0
  50. package/dist/services/features/telegram-mcp/src/shared/lib/time/localTimestamp.js +21 -0
  51. package/docs/CHAT_CONNECTOR.md +134 -0
  52. package/docs/STANDALONE-ru.md +13 -0
  53. package/docs/STANDALONE.md +13 -0
  54. package/package.json +5 -3
  55. package/packages/chrome-attach-extension/dist/background.js +572 -163
  56. package/packages/chrome-attach-extension/dist/manifest.json +2 -1
  57. package/packages/chrome-attach-extension/dist/options.js +15 -2
  58. package/packages/chrome-attach-extension/dist/recorder-content.js +14 -1
  59. package/packages/chrome-attach-extension/dist/recorder-page.js +34 -18
  60. package/packages/firefox-attach-extension/dist/background.js +413 -33
  61. package/packages/firefox-attach-extension/dist/manifest.json +0 -12
  62. package/packages/firefox-attach-extension/dist/options.js +14 -1
  63. package/packages/firefox-attach-extension/dist/recorder-content.js +14 -1
  64. package/packages/firefox-attach-extension/dist/recorder-page.js +34 -18
@@ -54,6 +54,8 @@ exports.resizePtyTarget = resizePtyTarget;
54
54
  exports.subscribePtyTarget = subscribePtyTarget;
55
55
  exports.stopPtyTarget = stopPtyTarget;
56
56
  exports.stopAllPtyTargets = stopAllPtyTargets;
57
+ const node_fs_1 = __importDefault(require("node:fs"));
58
+ const node_os_1 = __importDefault(require("node:os"));
57
59
  const node_path_1 = __importDefault(require("node:path"));
58
60
  const node_pty_1 = require("node-pty");
59
61
  const XtermHeadless = __importStar(require("@xterm/headless"));
@@ -73,6 +75,97 @@ function buildExitLine(record) {
73
75
  }
74
76
  return `${parts.join(" ")}]`;
75
77
  }
78
+ function sanitizeFileNameSegment(value) {
79
+ const sanitized = value.trim().replace(/[^a-zA-Z0-9._-]+/gu, "-");
80
+ return sanitized || "session";
81
+ }
82
+ function shellSingleQuote(value) {
83
+ return `'${value.replace(/'/gu, `'\\''`)}'`;
84
+ }
85
+ function buildContextPromptPrefix(record) {
86
+ return `[TELLY ${record.sessionId}]`;
87
+ }
88
+ function buildContextEnv(record) {
89
+ return {
90
+ ...process.env,
91
+ TELLYMCP_TERMINAL_CONTEXT: "1",
92
+ TELLYMCP_SESSION_ID: record.sessionId,
93
+ TELLYMCP_TERMINAL_TARGET: record.target,
94
+ TELLYMCP_TERMINAL_CWD: record.cwd,
95
+ };
96
+ }
97
+ function prepareBashLaunch(record) {
98
+ const tempDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "tellymcp-pty-bash-"));
99
+ const rcPath = node_path_1.default.join(tempDir, `${sanitizeFileNameSegment(record.sessionId)}.bashrc`);
100
+ const promptPrefix = buildContextPromptPrefix(record);
101
+ const script = [
102
+ 'if [ -r "$HOME/.profile" ]; then . "$HOME/.profile"; fi',
103
+ 'if [ -r "$HOME/.bashrc" ]; then . "$HOME/.bashrc"; fi',
104
+ `export TELLYMCP_TERMINAL_CONTEXT=${shellSingleQuote("1")}`,
105
+ `export TELLYMCP_SESSION_ID=${shellSingleQuote(record.sessionId)}`,
106
+ `export TELLYMCP_TERMINAL_TARGET=${shellSingleQuote(record.target)}`,
107
+ `export TELLYMCP_TERMINAL_CWD=${shellSingleQuote(record.cwd)}`,
108
+ `PS1=${shellSingleQuote(`${promptPrefix} \\u@\\h:\\w\\$ `)}`,
109
+ ].join("\n");
110
+ node_fs_1.default.writeFileSync(rcPath, `${script}\n`, "utf8");
111
+ return {
112
+ args: ["--rcfile", rcPath, "-i"],
113
+ env: buildContextEnv(record),
114
+ tempPaths: [tempDir],
115
+ };
116
+ }
117
+ function prepareZshLaunch(record) {
118
+ const tempDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "tellymcp-pty-zsh-"));
119
+ const promptPrefix = buildContextPromptPrefix(record);
120
+ node_fs_1.default.writeFileSync(node_path_1.default.join(tempDir, ".zshenv"), [
121
+ 'if [[ -r "$HOME/.zshenv" ]]; then source "$HOME/.zshenv"; fi',
122
+ `export TELLYMCP_TERMINAL_CONTEXT=${shellSingleQuote("1")}`,
123
+ `export TELLYMCP_SESSION_ID=${shellSingleQuote(record.sessionId)}`,
124
+ `export TELLYMCP_TERMINAL_TARGET=${shellSingleQuote(record.target)}`,
125
+ `export TELLYMCP_TERMINAL_CWD=${shellSingleQuote(record.cwd)}`,
126
+ "",
127
+ ].join("\n"), "utf8");
128
+ node_fs_1.default.writeFileSync(node_path_1.default.join(tempDir, ".zshrc"), [
129
+ 'if [[ -r "$HOME/.zprofile" ]]; then source "$HOME/.zprofile"; fi',
130
+ 'if [[ -r "$HOME/.zshrc" ]]; then source "$HOME/.zshrc"; fi',
131
+ `PROMPT=${shellSingleQuote(`${promptPrefix} %n@%m:%~%# `)}`,
132
+ "RPROMPT=''",
133
+ "",
134
+ ].join("\n"), "utf8");
135
+ return {
136
+ args: ["-i"],
137
+ env: {
138
+ ...buildContextEnv(record),
139
+ ZDOTDIR: tempDir,
140
+ },
141
+ tempPaths: [tempDir],
142
+ };
143
+ }
144
+ function prepareShellLaunch(record) {
145
+ const shellName = getShellDisplayName(record.shell).toLowerCase();
146
+ if (shellName === "bash") {
147
+ return prepareBashLaunch(record);
148
+ }
149
+ if (shellName === "zsh") {
150
+ return prepareZshLaunch(record);
151
+ }
152
+ return {
153
+ args: [],
154
+ env: buildContextEnv(record),
155
+ tempPaths: [],
156
+ };
157
+ }
158
+ function cleanupRecordTempPaths(record) {
159
+ for (const tempPath of record.tempPaths) {
160
+ try {
161
+ node_fs_1.default.rmSync(tempPath, { recursive: true, force: true });
162
+ }
163
+ catch {
164
+ // ignore cleanup failures
165
+ }
166
+ }
167
+ record.tempPaths = [];
168
+ }
76
169
  function createHeadlessTerminal(config) {
77
170
  return new XtermHeadless.Terminal({
78
171
  cols: config.cols,
@@ -97,13 +190,16 @@ function createSessionRecord(config, input) {
97
190
  pendingWrite: Promise.resolve(),
98
191
  pty: null,
99
192
  exited: false,
193
+ tempPaths: [],
100
194
  };
101
- const pty = (0, node_pty_1.spawn)(record.shell, [], {
195
+ const launch = prepareShellLaunch(record);
196
+ record.tempPaths = [...launch.tempPaths];
197
+ const pty = (0, node_pty_1.spawn)(record.shell, launch.args, {
102
198
  name: "xterm-color",
103
199
  cols: record.cols,
104
200
  rows: record.rows,
105
201
  cwd: record.cwd,
106
- env: process.env,
202
+ env: launch.env,
107
203
  });
108
204
  pty.onData((data) => {
109
205
  record.pendingWrite = record.pendingWrite.then(() => new Promise((resolve) => {
@@ -115,6 +211,7 @@ function createSessionRecord(config, input) {
115
211
  record.exited = true;
116
212
  record.exitCode = exitCode;
117
213
  record.signal = signal;
214
+ cleanupRecordTempPaths(record);
118
215
  record.pendingWrite = record.pendingWrite.then(() => new Promise((resolve) => {
119
216
  record.terminal.writeln(buildExitLine(record), resolve);
120
217
  }));
@@ -533,6 +630,7 @@ function stopPtyTarget(target) {
533
630
  record.pty?.kill();
534
631
  record.pty = null;
535
632
  record.exited = true;
633
+ cleanupRecordTempPaths(record);
536
634
  record.terminal.dispose();
537
635
  return true;
538
636
  }
@@ -0,0 +1,63 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.readLimitedJsonBody = exports.assertSerializedBodySize = exports.assertStringBodySize = exports.assertBodySize = exports.isBodySizeLimitError = exports.BodySizeLimitError = exports.MAX_BASE64_SOURCE_SIZE_BYTES = exports.MAX_BODY_SIZE_BYTES = exports.MAX_BODY_SIZE = void 0;
4
+ exports.MAX_BODY_SIZE = 16;
5
+ exports.MAX_BODY_SIZE_BYTES = exports.MAX_BODY_SIZE * 1024 * 1024;
6
+ exports.MAX_BASE64_SOURCE_SIZE_BYTES = Math.floor((exports.MAX_BODY_SIZE_BYTES * 3) / 4);
7
+ class BodySizeLimitError extends Error {
8
+ actualBytes;
9
+ maxBytes;
10
+ statusCode = 413;
11
+ constructor(actualBytes, maxBytes = exports.MAX_BODY_SIZE_BYTES) {
12
+ const maxMiB = maxBytes / (1024 * 1024);
13
+ super(`Body size ${actualBytes} bytes exceeds the ${maxMiB} MiB limit.`);
14
+ this.actualBytes = actualBytes;
15
+ this.maxBytes = maxBytes;
16
+ this.name = "BodySizeLimitError";
17
+ }
18
+ }
19
+ exports.BodySizeLimitError = BodySizeLimitError;
20
+ const isBodySizeLimitError = (error) => error instanceof BodySizeLimitError;
21
+ exports.isBodySizeLimitError = isBodySizeLimitError;
22
+ const assertBodySize = (actualBytes, maxBytes = exports.MAX_BODY_SIZE_BYTES) => {
23
+ if (actualBytes > maxBytes) {
24
+ throw new BodySizeLimitError(actualBytes, maxBytes);
25
+ }
26
+ };
27
+ exports.assertBodySize = assertBodySize;
28
+ const assertStringBodySize = (value, maxBytes = exports.MAX_BODY_SIZE_BYTES) => {
29
+ (0, exports.assertBodySize)(Buffer.byteLength(value, "utf8"), maxBytes);
30
+ };
31
+ exports.assertStringBodySize = assertStringBodySize;
32
+ const assertSerializedBodySize = (value) => {
33
+ if (value === undefined) {
34
+ return;
35
+ }
36
+ (0, exports.assertStringBodySize)(JSON.stringify(value));
37
+ };
38
+ exports.assertSerializedBodySize = assertSerializedBodySize;
39
+ const readLimitedJsonBody = async (req) => {
40
+ const contentLength = req.headers["content-length"];
41
+ if (typeof contentLength === "string" && /^\d+$/u.test(contentLength)) {
42
+ (0, exports.assertBodySize)(Number(contentLength));
43
+ }
44
+ const chunks = [];
45
+ let totalBytes = 0;
46
+ for await (const chunk of req) {
47
+ const buffer = Buffer.isBuffer(chunk)
48
+ ? chunk
49
+ : Buffer.from(chunk);
50
+ totalBytes += buffer.byteLength;
51
+ (0, exports.assertBodySize)(totalBytes);
52
+ chunks.push(buffer);
53
+ }
54
+ if (chunks.length === 0) {
55
+ return undefined;
56
+ }
57
+ const raw = Buffer.concat(chunks, totalBytes).toString("utf8").trim();
58
+ if (!raw) {
59
+ return undefined;
60
+ }
61
+ return JSON.parse(raw);
62
+ };
63
+ exports.readLimitedJsonBody = readLimitedJsonBody;
@@ -0,0 +1,13 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.isGatewayAuthorizationValid = isGatewayAuthorizationValid;
4
+ const node_crypto_1 = require("node:crypto");
5
+ function digest(value) {
6
+ return (0, node_crypto_1.createHash)("sha256").update(value, "utf8").digest();
7
+ }
8
+ function isGatewayAuthorizationValid(authorization, authToken) {
9
+ if (typeof authorization !== "string" || !authToken) {
10
+ return false;
11
+ }
12
+ return (0, node_crypto_1.timingSafeEqual)(digest(authorization), digest(`Bearer ${authToken}`));
13
+ }
@@ -0,0 +1,21 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.formatLocalTimestamp = formatLocalTimestamp;
4
+ exports.formatLocalDateSegment = formatLocalDateSegment;
5
+ exports.formatLocalTimeSegment = formatLocalTimeSegment;
6
+ exports.formatLocalTimestampForFileName = formatLocalTimestampForFileName;
7
+ function padNumber(value, length = 2) {
8
+ return String(value).padStart(length, "0");
9
+ }
10
+ function formatLocalTimestamp(date = new Date()) {
11
+ return `${date.getFullYear()}-${padNumber(date.getMonth() + 1)}-${padNumber(date.getDate())}T${padNumber(date.getHours())}:${padNumber(date.getMinutes())}:${padNumber(date.getSeconds())}.${padNumber(date.getMilliseconds(), 3)}`;
12
+ }
13
+ function formatLocalDateSegment(date = new Date()) {
14
+ return `${date.getFullYear()}-${padNumber(date.getMonth() + 1)}-${padNumber(date.getDate())}`;
15
+ }
16
+ function formatLocalTimeSegment(date = new Date()) {
17
+ return `${padNumber(date.getHours())}-${padNumber(date.getMinutes())}-${padNumber(date.getSeconds())}`;
18
+ }
19
+ function formatLocalTimestampForFileName(date = new Date()) {
20
+ return formatLocalTimestamp(date).replace(/[:.]/gu, "-");
21
+ }
@@ -0,0 +1,134 @@
1
+ # ChatGPT and Claude connector
2
+
3
+ TellyMCP can expose its Streamable HTTP MCP endpoint to ChatGPT and Claude
4
+ through an OAuth 2.0 authorization-code facade with PKCE. The facade coexists
5
+ with `MCP_HTTP_BEARER_TOKEN`; existing internal clients can continue to use the
6
+ static bearer token.
7
+
8
+ ## Configure the gateway
9
+
10
+ Add the following to the gateway environment file:
11
+
12
+ ```bash
13
+ TELLYMCP_PUBLIC_URL=https://mcp.example.com/api
14
+ TELLYMCP_OAUTH_ISSUER=https://mcp.example.com/api
15
+ TELLYMCP_OAUTH_AUDIENCE=https://mcp.example.com/api
16
+ TELLYMCP_MAGIC_TOKEN=replace_with_a_private_human_login_token
17
+ TELLYMCP_OAUTH_PRIVATE_KEY_PEM="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
18
+ ```
19
+
20
+ Generate the stable signing key with:
21
+
22
+ ```bash
23
+ tellymcp oauth key
24
+ ```
25
+
26
+ The command prints a dotenv-ready `TELLYMCP_OAUTH_PRIVATE_KEY_PEM` assignment.
27
+ If the private key is omitted, TellyMCP generates an ephemeral key and existing
28
+ OAuth access tokens stop working after a restart.
29
+
30
+ For a hashed magic token, configure
31
+ `TELLYMCP_MAGIC_TOKEN_HASH=sha256:<64-hex-digest>` instead of the raw token.
32
+ Never configure both forms.
33
+
34
+ Optional restrictions:
35
+
36
+ ```bash
37
+ TELLYMCP_OAUTH_CLIENT_ID=tellymcp
38
+ TELLYMCP_OAUTH_CLIENT_SECRET=replace_with_client_secret
39
+ TELLYMCP_ALLOWED_REDIRECT_URIS=https://chatgpt.com/connector/oauth/...,https://claude.ai/api/mcp/auth_callback
40
+ TELLYMCP_AUTH_CODE_TTL_SECONDS=300
41
+ TELLYMCP_OAUTH_SCOPES=tellymcp:read tellymcp:write
42
+ TELLYMCP_OAUTH_KEY_ID=tellymcp-oauth
43
+ ```
44
+
45
+ OAuth is enabled when a connector identity, credential, redirect, or signing-key
46
+ setting is present. `TELLYMCP_PUBLIC_URL` and one magic-token form are then
47
+ required. Redirect URIs are matched exactly when the allowlist is configured.
48
+
49
+ ## Reverse proxy
50
+
51
+ Proxy all `/api/` routes to TellyMCP and disable response buffering on
52
+ `/api/mcp`. Claude also needs root path-insertion discovery routes such as:
53
+
54
+ ```text
55
+ /.well-known/oauth-authorization-server/api
56
+ /.well-known/openid-configuration/api
57
+ /.well-known/oauth-protected-resource/api/mcp
58
+ ```
59
+
60
+ The complete Nginx example is in `docs/tellymcp.gw.conf`.
61
+
62
+ ## Connect the chat host
63
+
64
+ Use the concrete MCP endpoint in the host's `Connection` field:
65
+
66
+ ```text
67
+ https://mcp.example.com/api/mcp
68
+ ```
69
+
70
+ Do not enter `https://mcp.example.com/api` as the connection URL. That URL is
71
+ the OAuth issuer/audience base, not an MCP endpoint. With the correct
72
+ connection URL, discovery may legitimately show two related resources:
73
+
74
+ ```text
75
+ OAuth issuer/audience: https://mcp.example.com/api
76
+ MCP resource: https://mcp.example.com/api/mcp
77
+ ```
78
+
79
+ For the production deployment used while implementing this feature, the
80
+ working ChatGPT values are:
81
+
82
+ ```text
83
+ Connection: https://drd.undoo.ru/api/mcp
84
+ Authorization server base: https://drd.undoo.ru/api
85
+ Resource: https://drd.undoo.ru/api/mcp
86
+ OIDC configuration URL: https://drd.undoo.ru/.well-known/openid-configuration/api
87
+ ```
88
+
89
+ The `/api` suffix in the root discovery URL is expected RFC 8414
90
+ path-insertion behavior for an issuer whose path is `/api`.
91
+
92
+ Do not give the host `MCP_HTTP_BEARER_TOKEN` or the magic token. The magic token
93
+ is entered only into the authorization page opened by the host. If a client ID
94
+ or client secret is configured in the host, it must match the gateway values.
95
+
96
+ TellyMCP tool names already use Claude-compatible letters, digits, and
97
+ underscores, and the tools publish output schemas.
98
+
99
+ ## Verify before connecting
100
+
101
+ ```bash
102
+ curl -fsS https://mcp.example.com/api/.well-known/oauth-protected-resource/mcp
103
+ curl -fsS https://mcp.example.com/api/.well-known/oauth-authorization-server
104
+ curl -fsS https://mcp.example.com/.well-known/oauth-authorization-server/api
105
+ curl -fsS https://mcp.example.com/api/.well-known/jwks.json
106
+ curl -i https://mcp.example.com/api/mcp
107
+ ```
108
+
109
+ The last response must be `401` and include a `WWW-Authenticate` header whose
110
+ `resource_metadata` value points to the protected-resource metadata endpoint.
111
+
112
+ Access tokens are RS256 JWTs without `exp`, matching the trusted internal
113
+ connector model. Authorization codes remain short-lived, PKCE-bound, and
114
+ one-time-use. Failed magic-token attempts are rate-limited per source address.
115
+
116
+ ## Diagnostics
117
+
118
+ OAuth discovery, authorization, token exchange, MCP `initialize`, and
119
+ `tools/list` milestones are logged at `info`. Rejections are logged at `warn`
120
+ without credentials, authorization codes, PKCE verifiers, or access tokens.
121
+ When OAuth is enabled, every HTTP request and completed response is also logged
122
+ with its normalized path, status, user agent, content types, MCP session id,
123
+ and whether an Authorization header was present. Header values and tokens are
124
+ never logged.
125
+
126
+ The production Nginx sample writes connector traffic to:
127
+
128
+ ```text
129
+ /var/log/nginx/tellymcp.access.log
130
+ /var/log/nginx/tellymcp.error.log
131
+ ```
132
+
133
+ If refresh stops after OAuth metadata and never logs an MCP `initialize`, first
134
+ verify that the host's `Connection` value ends in `/api/mcp`.
@@ -65,6 +65,7 @@ DB_NAME=
65
65
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
66
66
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
67
67
  GATEWAY_TOKEN=change_me_gateway_token
68
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
68
69
  ROOT_PREFIX=/api
69
70
  PORT=8080
70
71
  DISTRIBUTED_MODE=gateway
@@ -83,9 +84,15 @@ DISTRIBUTED_MODE=client
83
84
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
84
85
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
85
86
  GATEWAY_TOKEN=change_me_gateway_token
87
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
86
88
  GATEWAY_USER_UUID=put_owner_uuid_here
87
89
  ```
88
90
 
91
+ Используйте один и тот же стойкий `GATEWAY_AUTH_TOKEN` на gateway и всех клиентах.
92
+ Не смешивайте его с `GATEWAY_TOKEN`: последний разделяет данные gateway по scope,
93
+ но не аутентифицирует HTTP- или WebSocket-транспорт. Сгенерируйте токен один раз,
94
+ например командой `openssl rand -hex 32`, и не используйте пример значения выше.
95
+
89
96
  Для первого запуска также желательно задать:
90
97
 
91
98
  ```env
@@ -164,9 +171,15 @@ TELEGRAM_WEBHOOK_SECRET=change_me_webhook_secret
164
171
 
165
172
  - `/api/telegram/webhook`
166
173
  - `/api/gateway`
174
+ - `/api/files` для короткоживущих upload/download запросов `get_file(type="url")`
167
175
  - `/api/webapp`
168
176
  - `/api/healthz`
169
177
 
178
+ Отдельный `location ^~ /api/files/` рекомендуется, хотя для самой маршрутизации
179
+ он не обязателен. В нём следует отключить access log, потому что путь содержит
180
+ токен, задать `client_max_body_size 32m` и отключить buffering запросов и
181
+ ответов. Канонический блок приведён в `nginx/tellymcp.gw.conf`.
182
+
170
183
  ## 8. MCP
171
184
 
172
185
  Локальный client-mode MCP endpoint:
@@ -65,6 +65,7 @@ DB_NAME=
65
65
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
66
66
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
67
67
  GATEWAY_TOKEN=change_me_gateway_token
68
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
68
69
  ROOT_PREFIX=/api
69
70
  PORT=8080
70
71
  DISTRIBUTED_MODE=gateway
@@ -83,9 +84,15 @@ DISTRIBUTED_MODE=client
83
84
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
84
85
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
85
86
  GATEWAY_TOKEN=change_me_gateway_token
87
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
86
88
  GATEWAY_USER_UUID=put_owner_uuid_here
87
89
  ```
88
90
 
91
+ Use the same strong `GATEWAY_AUTH_TOKEN` on the gateway and every client. Keep it
92
+ separate from `GATEWAY_TOKEN`, which scopes gateway data but does not authenticate
93
+ the HTTP or WebSocket transport. Generate it once, for example with
94
+ `openssl rand -hex 32`, and do not use the illustrative value above.
95
+
89
96
  For the first run, also set:
90
97
 
91
98
  ```env
@@ -164,9 +171,15 @@ If nginx already proxies `location /api/ { ... }` to the standalone listener, th
164
171
 
165
172
  - `/api/telegram/webhook`
166
173
  - `/api/gateway`
174
+ - `/api/files` for short-lived `get_file(type="url")` uploads and downloads
167
175
  - `/api/webapp`
168
176
  - `/api/healthz`
169
177
 
178
+ A dedicated `location ^~ /api/files/` is recommended, though not required for
179
+ routing. It should disable access logs because the path contains a token, set
180
+ `client_max_body_size 32m`, and disable proxy request/response buffering. See
181
+ `nginx/tellymcp.gw.conf` for the canonical block.
182
+
170
183
  ## 8. MCP
171
184
 
172
185
  Local client-mode MCP:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@deadragdoll/tellymcp",
3
- "version": "0.0.13",
3
+ "version": "0.0.14",
4
4
  "description": "TellyMCP - Telegram control plane for MCP-connected coding agents",
5
5
  "main": "dist/services/features/telegram-mcp/runtime.service.js",
6
6
  "bin": {
@@ -17,6 +17,7 @@
17
17
  "README-ru.md",
18
18
  "docs/STANDALONE.md",
19
19
  "docs/STANDALONE-ru.md",
20
+ "docs/CHAT_CONNECTOR.md",
20
21
  "VERSION.md",
21
22
  "CHANGELOG.md",
22
23
  "TOOLS.md",
@@ -76,7 +77,8 @@
76
77
  "dependencies": {
77
78
  "@grammyjs/menu": "^1.3.1",
78
79
  "@grammyjs/storage-redis": "^2.5.1",
79
- "@modelcontextprotocol/sdk": "^1.18.1",
80
+ "@modelcontextprotocol/sdk": "^1.29.0",
81
+ "@xterm/addon-fit": "0.10.0",
80
82
  "@xterm/headless": "5.5.0",
81
83
  "@xterm/xterm": "5.5.0",
82
84
  "amqplib": "0.10.9",
@@ -96,7 +98,7 @@
96
98
  "pino-pretty": "^13.1.3",
97
99
  "playwright": "^1.60.0",
98
100
  "socks-proxy-agent": "^8.0.5",
99
- "ws": "8.20.1",
101
+ "ws": "8.21.0",
100
102
  "zod": "4.4.3"
101
103
  },
102
104
  "devDependencies": {