@deadragdoll/tellymcp 0.0.13 → 0.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (86) hide show
  1. package/.env.example.client +23 -39
  2. package/.env.example.gateway +52 -61
  3. package/CHANGELOG.md +57 -0
  4. package/README-ru.md +80 -6
  5. package/README.md +80 -6
  6. package/TOOLS.md +219 -10
  7. package/config/templates/env.both.template +19 -7
  8. package/config/templates/env.client.template +9 -19
  9. package/config/templates/env.gateway.template +19 -31
  10. package/dist/cli.js +252 -47
  11. package/dist/configureServer.js +966 -0
  12. package/dist/envMigration.js +316 -0
  13. package/dist/moleculer.config.js +1 -3
  14. package/dist/services/features/telegram-mcp/approval.service.js +1 -1
  15. package/dist/services/features/telegram-mcp/browser.service.js +18 -0
  16. package/dist/services/features/telegram-mcp/collaboration.service.js +2 -2
  17. package/dist/services/features/telegram-mcp/ensuredb.service.js +1 -1
  18. package/dist/services/features/telegram-mcp/file-content.service.js +94 -0
  19. package/dist/services/features/telegram-mcp/gateway-delivery.service.js +5 -1
  20. package/dist/services/features/telegram-mcp/gateway-socket.service.js +43 -11
  21. package/dist/services/features/telegram-mcp/gateway.service.js +1 -1
  22. package/dist/services/features/telegram-mcp/mcp-http.service.js +1 -0
  23. package/dist/services/features/telegram-mcp/mcp-server.service.js +20 -0
  24. package/dist/services/features/telegram-mcp/session-context.service.js +25 -1
  25. package/dist/services/features/telegram-mcp/src/app/bootstrap/runtime.js +79 -67
  26. package/dist/services/features/telegram-mcp/src/app/config/env.js +129 -38
  27. package/dist/services/features/telegram-mcp/src/app/config/environmentContract.js +66 -0
  28. package/dist/services/features/telegram-mcp/src/app/http.js +139 -99
  29. package/dist/services/features/telegram-mcp/src/app/oauthFacade.js +642 -0
  30. package/dist/services/features/telegram-mcp/src/app/webapp/assets.js +151 -170
  31. package/dist/services/features/telegram-mcp/src/app/webapp/auth.js +96 -99
  32. package/dist/services/features/telegram-mcp/src/entities/request/model/schema.js +88 -19
  33. package/dist/services/features/telegram-mcp/src/features/browser/model/browserAttachActiveTabTool.js +28 -0
  34. package/dist/services/features/telegram-mcp/src/features/browser/model/browserAttachTabTool.js +28 -0
  35. package/dist/services/features/telegram-mcp/src/features/browser/model/browserDetachTabTool.js +28 -0
  36. package/dist/services/features/telegram-mcp/src/features/browser/model/browserListAttachedInstancesTool.js +1 -1
  37. package/dist/services/features/telegram-mcp/src/features/browser/model/browserListTabsTool.js +1 -1
  38. package/dist/services/features/telegram-mcp/src/features/browser/model/browserService.js +412 -29
  39. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/browserRecordingBundle.js +37 -3
  40. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/firefoxAttachRegistry.js +7 -6
  41. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/firefoxAttachServer.js +214 -37
  42. package/dist/services/features/telegram-mcp/src/features/browser-attach/model/types.js +186 -0
  43. package/dist/services/features/telegram-mcp/src/features/collaboration/model/collaborationService.js +2 -0
  44. package/dist/services/features/telegram-mcp/src/features/collaboration/model/gatewaySessionsService.js +5 -5
  45. package/dist/services/features/telegram-mcp/src/features/collaboration/model/sendPartnerFileService.js +6 -3
  46. package/dist/services/features/telegram-mcp/src/features/distributed-client/model/gatewayClientAccess.js +5 -2
  47. package/dist/services/features/telegram-mcp/src/features/distributed-client/model/gatewayCollaborationBackend.js +4 -4
  48. package/dist/services/features/telegram-mcp/src/features/distributed-gateway/model/gatewayHttpService.js +33 -36
  49. package/dist/services/features/telegram-mcp/src/features/distributed-gateway/model/remoteConsoleActionClient.js +4 -3
  50. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileListTool.js +33 -0
  51. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileService.js +327 -0
  52. package/dist/services/features/telegram-mcp/src/features/file-content/model/getFileTool.js +81 -0
  53. package/dist/services/features/telegram-mcp/src/features/file-content/model/temporaryFileLinkStore.js +307 -0
  54. package/dist/services/features/telegram-mcp/src/features/file-content/model/workspaceFilePolicy.js +115 -0
  55. package/dist/services/features/telegram-mcp/src/features/notify/model/notifyService.js +9 -5
  56. package/dist/services/features/telegram-mcp/src/features/session-context/model/getRuntimeDiagnosticsTool.js +30 -0
  57. package/dist/services/features/telegram-mcp/src/features/session-context/model/sessionContextService.js +169 -7
  58. package/dist/services/features/telegram-mcp/src/shared/integrations/memory/processLocalStateStore.js +260 -0
  59. package/dist/services/features/telegram-mcp/src/shared/integrations/object-storage/minioExchangeStore.js +1 -1
  60. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transport.js +4 -1
  61. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transportConsoleRegistry.js +2 -2
  62. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transportFileHandoffActions.js +6 -3
  63. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transportMessageFlow.js +1 -1
  64. package/dist/services/features/telegram-mcp/src/shared/integrations/telegram/transportProjectState.js +2 -2
  65. package/dist/services/features/telegram-mcp/src/shared/integrations/terminal/client.js +29 -6
  66. package/dist/services/features/telegram-mcp/src/shared/integrations/terminal/ptyRegistry.js +100 -2
  67. package/dist/services/features/telegram-mcp/src/shared/lib/bodyLimits.js +63 -0
  68. package/dist/services/features/telegram-mcp/src/shared/lib/gatewayAuth.js +13 -0
  69. package/dist/services/features/telegram-mcp/src/shared/lib/gatewayScope.js +5 -5
  70. package/dist/services/features/telegram-mcp/src/shared/lib/project-identity/projectIdentity.js +10 -0
  71. package/dist/services/features/telegram-mcp/src/shared/lib/time/localTimestamp.js +21 -0
  72. package/docs/CHAT_CONNECTOR.md +134 -0
  73. package/docs/STANDALONE-ru.md +41 -3
  74. package/docs/STANDALONE.md +41 -3
  75. package/package.json +5 -3
  76. package/packages/chrome-attach-extension/dist/background.js +572 -163
  77. package/packages/chrome-attach-extension/dist/manifest.json +2 -1
  78. package/packages/chrome-attach-extension/dist/options.js +15 -2
  79. package/packages/chrome-attach-extension/dist/recorder-content.js +14 -1
  80. package/packages/chrome-attach-extension/dist/recorder-page.js +34 -18
  81. package/packages/firefox-attach-extension/dist/background.js +413 -33
  82. package/packages/firefox-attach-extension/dist/manifest.json +0 -12
  83. package/packages/firefox-attach-extension/dist/options.js +14 -1
  84. package/packages/firefox-attach-extension/dist/recorder-content.js +14 -1
  85. package/packages/firefox-attach-extension/dist/recorder-page.js +34 -18
  86. package/scripts/postinstall.js +33 -1
@@ -54,6 +54,8 @@ exports.resizePtyTarget = resizePtyTarget;
54
54
  exports.subscribePtyTarget = subscribePtyTarget;
55
55
  exports.stopPtyTarget = stopPtyTarget;
56
56
  exports.stopAllPtyTargets = stopAllPtyTargets;
57
+ const node_fs_1 = __importDefault(require("node:fs"));
58
+ const node_os_1 = __importDefault(require("node:os"));
57
59
  const node_path_1 = __importDefault(require("node:path"));
58
60
  const node_pty_1 = require("node-pty");
59
61
  const XtermHeadless = __importStar(require("@xterm/headless"));
@@ -73,6 +75,97 @@ function buildExitLine(record) {
73
75
  }
74
76
  return `${parts.join(" ")}]`;
75
77
  }
78
+ function sanitizeFileNameSegment(value) {
79
+ const sanitized = value.trim().replace(/[^a-zA-Z0-9._-]+/gu, "-");
80
+ return sanitized || "session";
81
+ }
82
+ function shellSingleQuote(value) {
83
+ return `'${value.replace(/'/gu, `'\\''`)}'`;
84
+ }
85
+ function buildContextPromptPrefix(record) {
86
+ return `[TELLY ${record.sessionId}]`;
87
+ }
88
+ function buildContextEnv(record) {
89
+ return {
90
+ ...process.env,
91
+ TELLYMCP_TERMINAL_CONTEXT: "1",
92
+ TELLYMCP_SESSION_ID: record.sessionId,
93
+ TELLYMCP_TERMINAL_TARGET: record.target,
94
+ TELLYMCP_TERMINAL_CWD: record.cwd,
95
+ };
96
+ }
97
+ function prepareBashLaunch(record) {
98
+ const tempDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "tellymcp-pty-bash-"));
99
+ const rcPath = node_path_1.default.join(tempDir, `${sanitizeFileNameSegment(record.sessionId)}.bashrc`);
100
+ const promptPrefix = buildContextPromptPrefix(record);
101
+ const script = [
102
+ 'if [ -r "$HOME/.profile" ]; then . "$HOME/.profile"; fi',
103
+ 'if [ -r "$HOME/.bashrc" ]; then . "$HOME/.bashrc"; fi',
104
+ `export TELLYMCP_TERMINAL_CONTEXT=${shellSingleQuote("1")}`,
105
+ `export TELLYMCP_SESSION_ID=${shellSingleQuote(record.sessionId)}`,
106
+ `export TELLYMCP_TERMINAL_TARGET=${shellSingleQuote(record.target)}`,
107
+ `export TELLYMCP_TERMINAL_CWD=${shellSingleQuote(record.cwd)}`,
108
+ `PS1=${shellSingleQuote(`${promptPrefix} \\u@\\h:\\w\\$ `)}`,
109
+ ].join("\n");
110
+ node_fs_1.default.writeFileSync(rcPath, `${script}\n`, "utf8");
111
+ return {
112
+ args: ["--rcfile", rcPath, "-i"],
113
+ env: buildContextEnv(record),
114
+ tempPaths: [tempDir],
115
+ };
116
+ }
117
+ function prepareZshLaunch(record) {
118
+ const tempDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "tellymcp-pty-zsh-"));
119
+ const promptPrefix = buildContextPromptPrefix(record);
120
+ node_fs_1.default.writeFileSync(node_path_1.default.join(tempDir, ".zshenv"), [
121
+ 'if [[ -r "$HOME/.zshenv" ]]; then source "$HOME/.zshenv"; fi',
122
+ `export TELLYMCP_TERMINAL_CONTEXT=${shellSingleQuote("1")}`,
123
+ `export TELLYMCP_SESSION_ID=${shellSingleQuote(record.sessionId)}`,
124
+ `export TELLYMCP_TERMINAL_TARGET=${shellSingleQuote(record.target)}`,
125
+ `export TELLYMCP_TERMINAL_CWD=${shellSingleQuote(record.cwd)}`,
126
+ "",
127
+ ].join("\n"), "utf8");
128
+ node_fs_1.default.writeFileSync(node_path_1.default.join(tempDir, ".zshrc"), [
129
+ 'if [[ -r "$HOME/.zprofile" ]]; then source "$HOME/.zprofile"; fi',
130
+ 'if [[ -r "$HOME/.zshrc" ]]; then source "$HOME/.zshrc"; fi',
131
+ `PROMPT=${shellSingleQuote(`${promptPrefix} %n@%m:%~%# `)}`,
132
+ "RPROMPT=''",
133
+ "",
134
+ ].join("\n"), "utf8");
135
+ return {
136
+ args: ["-i"],
137
+ env: {
138
+ ...buildContextEnv(record),
139
+ ZDOTDIR: tempDir,
140
+ },
141
+ tempPaths: [tempDir],
142
+ };
143
+ }
144
+ function prepareShellLaunch(record) {
145
+ const shellName = getShellDisplayName(record.shell).toLowerCase();
146
+ if (shellName === "bash") {
147
+ return prepareBashLaunch(record);
148
+ }
149
+ if (shellName === "zsh") {
150
+ return prepareZshLaunch(record);
151
+ }
152
+ return {
153
+ args: [],
154
+ env: buildContextEnv(record),
155
+ tempPaths: [],
156
+ };
157
+ }
158
+ function cleanupRecordTempPaths(record) {
159
+ for (const tempPath of record.tempPaths) {
160
+ try {
161
+ node_fs_1.default.rmSync(tempPath, { recursive: true, force: true });
162
+ }
163
+ catch {
164
+ // ignore cleanup failures
165
+ }
166
+ }
167
+ record.tempPaths = [];
168
+ }
76
169
  function createHeadlessTerminal(config) {
77
170
  return new XtermHeadless.Terminal({
78
171
  cols: config.cols,
@@ -97,13 +190,16 @@ function createSessionRecord(config, input) {
97
190
  pendingWrite: Promise.resolve(),
98
191
  pty: null,
99
192
  exited: false,
193
+ tempPaths: [],
100
194
  };
101
- const pty = (0, node_pty_1.spawn)(record.shell, [], {
195
+ const launch = prepareShellLaunch(record);
196
+ record.tempPaths = [...launch.tempPaths];
197
+ const pty = (0, node_pty_1.spawn)(record.shell, launch.args, {
102
198
  name: "xterm-color",
103
199
  cols: record.cols,
104
200
  rows: record.rows,
105
201
  cwd: record.cwd,
106
- env: process.env,
202
+ env: launch.env,
107
203
  });
108
204
  pty.onData((data) => {
109
205
  record.pendingWrite = record.pendingWrite.then(() => new Promise((resolve) => {
@@ -115,6 +211,7 @@ function createSessionRecord(config, input) {
115
211
  record.exited = true;
116
212
  record.exitCode = exitCode;
117
213
  record.signal = signal;
214
+ cleanupRecordTempPaths(record);
118
215
  record.pendingWrite = record.pendingWrite.then(() => new Promise((resolve) => {
119
216
  record.terminal.writeln(buildExitLine(record), resolve);
120
217
  }));
@@ -533,6 +630,7 @@ function stopPtyTarget(target) {
533
630
  record.pty?.kill();
534
631
  record.pty = null;
535
632
  record.exited = true;
633
+ cleanupRecordTempPaths(record);
536
634
  record.terminal.dispose();
537
635
  return true;
538
636
  }
@@ -0,0 +1,63 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.readLimitedJsonBody = exports.assertSerializedBodySize = exports.assertStringBodySize = exports.assertBodySize = exports.isBodySizeLimitError = exports.BodySizeLimitError = exports.MAX_BASE64_SOURCE_SIZE_BYTES = exports.MAX_BODY_SIZE_BYTES = exports.MAX_BODY_SIZE = void 0;
4
+ exports.MAX_BODY_SIZE = 16;
5
+ exports.MAX_BODY_SIZE_BYTES = exports.MAX_BODY_SIZE * 1024 * 1024;
6
+ exports.MAX_BASE64_SOURCE_SIZE_BYTES = Math.floor((exports.MAX_BODY_SIZE_BYTES * 3) / 4);
7
+ class BodySizeLimitError extends Error {
8
+ actualBytes;
9
+ maxBytes;
10
+ statusCode = 413;
11
+ constructor(actualBytes, maxBytes = exports.MAX_BODY_SIZE_BYTES) {
12
+ const maxMiB = maxBytes / (1024 * 1024);
13
+ super(`Body size ${actualBytes} bytes exceeds the ${maxMiB} MiB limit.`);
14
+ this.actualBytes = actualBytes;
15
+ this.maxBytes = maxBytes;
16
+ this.name = "BodySizeLimitError";
17
+ }
18
+ }
19
+ exports.BodySizeLimitError = BodySizeLimitError;
20
+ const isBodySizeLimitError = (error) => error instanceof BodySizeLimitError;
21
+ exports.isBodySizeLimitError = isBodySizeLimitError;
22
+ const assertBodySize = (actualBytes, maxBytes = exports.MAX_BODY_SIZE_BYTES) => {
23
+ if (actualBytes > maxBytes) {
24
+ throw new BodySizeLimitError(actualBytes, maxBytes);
25
+ }
26
+ };
27
+ exports.assertBodySize = assertBodySize;
28
+ const assertStringBodySize = (value, maxBytes = exports.MAX_BODY_SIZE_BYTES) => {
29
+ (0, exports.assertBodySize)(Buffer.byteLength(value, "utf8"), maxBytes);
30
+ };
31
+ exports.assertStringBodySize = assertStringBodySize;
32
+ const assertSerializedBodySize = (value) => {
33
+ if (value === undefined) {
34
+ return;
35
+ }
36
+ (0, exports.assertStringBodySize)(JSON.stringify(value));
37
+ };
38
+ exports.assertSerializedBodySize = assertSerializedBodySize;
39
+ const readLimitedJsonBody = async (req) => {
40
+ const contentLength = req.headers["content-length"];
41
+ if (typeof contentLength === "string" && /^\d+$/u.test(contentLength)) {
42
+ (0, exports.assertBodySize)(Number(contentLength));
43
+ }
44
+ const chunks = [];
45
+ let totalBytes = 0;
46
+ for await (const chunk of req) {
47
+ const buffer = Buffer.isBuffer(chunk)
48
+ ? chunk
49
+ : Buffer.from(chunk);
50
+ totalBytes += buffer.byteLength;
51
+ (0, exports.assertBodySize)(totalBytes);
52
+ chunks.push(buffer);
53
+ }
54
+ if (chunks.length === 0) {
55
+ return undefined;
56
+ }
57
+ const raw = Buffer.concat(chunks, totalBytes).toString("utf8").trim();
58
+ if (!raw) {
59
+ return undefined;
60
+ }
61
+ return JSON.parse(raw);
62
+ };
63
+ exports.readLimitedJsonBody = readLimitedJsonBody;
@@ -0,0 +1,13 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.isGatewayAuthorizationValid = isGatewayAuthorizationValid;
4
+ const node_crypto_1 = require("node:crypto");
5
+ function digest(value) {
6
+ return (0, node_crypto_1.createHash)("sha256").update(value, "utf8").digest();
7
+ }
8
+ function isGatewayAuthorizationValid(authorization, authToken) {
9
+ if (typeof authorization !== "string" || !authToken) {
10
+ return false;
11
+ }
12
+ return (0, node_crypto_1.timingSafeEqual)(digest(authorization), digest(`Bearer ${authToken}`));
13
+ }
@@ -1,7 +1,7 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.normalizeGatewayToken = normalizeGatewayToken;
4
- exports.gatewayTokenToScopeKey = gatewayTokenToScopeKey;
4
+ exports.gatewayScopeTokenToScopeKey = gatewayScopeTokenToScopeKey;
5
5
  exports.resolveGatewayScopeKey = resolveGatewayScopeKey;
6
6
  const node_crypto_1 = require("node:crypto");
7
7
  function normalizeGatewayToken(value) {
@@ -11,13 +11,13 @@ function normalizeGatewayToken(value) {
11
11
  const token = value.trim();
12
12
  return token ? token : null;
13
13
  }
14
- function gatewayTokenToScopeKey(token) {
14
+ function gatewayScopeTokenToScopeKey(token) {
15
15
  return (0, node_crypto_1.createHash)("sha256").update(token).digest("hex");
16
16
  }
17
17
  function resolveGatewayScopeKey(input) {
18
- const gatewayToken = normalizeGatewayToken(input.gateway_token);
19
- if (gatewayToken) {
20
- return gatewayTokenToScopeKey(gatewayToken);
18
+ const gatewayScopeToken = normalizeGatewayToken(input.gateway_token);
19
+ if (gatewayScopeToken) {
20
+ return gatewayScopeTokenToScopeKey(gatewayScopeToken);
21
21
  }
22
22
  const scopeKey = normalizeGatewayToken(input.scope_key);
23
23
  return scopeKey;
@@ -117,6 +117,10 @@ function readSessionMarkerState(inputCwd, logger) {
117
117
  parsed.last_notified_tools_hash.trim()
118
118
  ? { lastNotifiedToolsHash: parsed.last_notified_tools_hash.trim() }
119
119
  : {}),
120
+ ...(typeof parsed.gateway_client_uuid === "string" &&
121
+ parsed.gateway_client_uuid.trim()
122
+ ? { gatewayClientUuid: parsed.gateway_client_uuid.trim() }
123
+ : {}),
120
124
  ...(typeof parsed.updated_at === "string" && parsed.updated_at.trim()
121
125
  ? { updatedAt: parsed.updated_at.trim() }
122
126
  : {}),
@@ -166,6 +170,12 @@ function writeSessionMarkerState(input) {
166
170
  : current?.lastNotifiedToolsHash
167
171
  ? { last_notified_tools_hash: current.lastNotifiedToolsHash }
168
172
  : {}),
173
+ ...(typeof input.gatewayClientUuid === "string" &&
174
+ input.gatewayClientUuid.trim()
175
+ ? { gateway_client_uuid: input.gatewayClientUuid.trim() }
176
+ : current?.gatewayClientUuid
177
+ ? { gateway_client_uuid: current.gatewayClientUuid }
178
+ : {}),
169
179
  created_at: now,
170
180
  updated_at: now,
171
181
  ...(current ? { first_seen_local_session_id: current.localSessionId } : {}),
@@ -0,0 +1,21 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.formatLocalTimestamp = formatLocalTimestamp;
4
+ exports.formatLocalDateSegment = formatLocalDateSegment;
5
+ exports.formatLocalTimeSegment = formatLocalTimeSegment;
6
+ exports.formatLocalTimestampForFileName = formatLocalTimestampForFileName;
7
+ function padNumber(value, length = 2) {
8
+ return String(value).padStart(length, "0");
9
+ }
10
+ function formatLocalTimestamp(date = new Date()) {
11
+ return `${date.getFullYear()}-${padNumber(date.getMonth() + 1)}-${padNumber(date.getDate())}T${padNumber(date.getHours())}:${padNumber(date.getMinutes())}:${padNumber(date.getSeconds())}.${padNumber(date.getMilliseconds(), 3)}`;
12
+ }
13
+ function formatLocalDateSegment(date = new Date()) {
14
+ return `${date.getFullYear()}-${padNumber(date.getMonth() + 1)}-${padNumber(date.getDate())}`;
15
+ }
16
+ function formatLocalTimeSegment(date = new Date()) {
17
+ return `${padNumber(date.getHours())}-${padNumber(date.getMinutes())}-${padNumber(date.getSeconds())}`;
18
+ }
19
+ function formatLocalTimestampForFileName(date = new Date()) {
20
+ return formatLocalTimestamp(date).replace(/[:.]/gu, "-");
21
+ }
@@ -0,0 +1,134 @@
1
+ # ChatGPT and Claude connector
2
+
3
+ TellyMCP can expose its Streamable HTTP MCP endpoint to ChatGPT and Claude
4
+ through an OAuth 2.0 authorization-code facade with PKCE. The facade coexists
5
+ with `MCP_HTTP_BEARER_TOKEN`; existing internal clients can continue to use the
6
+ static bearer token.
7
+
8
+ ## Configure the gateway
9
+
10
+ Add the following to the gateway environment file:
11
+
12
+ ```bash
13
+ TELLYMCP_PUBLIC_URL=https://mcp.example.com/api
14
+ TELLYMCP_OAUTH_ISSUER=https://mcp.example.com/api
15
+ TELLYMCP_OAUTH_AUDIENCE=https://mcp.example.com/api
16
+ TELLYMCP_MAGIC_TOKEN=replace_with_a_private_human_login_token
17
+ TELLYMCP_OAUTH_PRIVATE_KEY_PEM="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
18
+ ```
19
+
20
+ Generate the stable signing key with:
21
+
22
+ ```bash
23
+ tellymcp oauth key
24
+ ```
25
+
26
+ The command prints a dotenv-ready `TELLYMCP_OAUTH_PRIVATE_KEY_PEM` assignment.
27
+ If the private key is omitted, TellyMCP generates an ephemeral key and existing
28
+ OAuth access tokens stop working after a restart.
29
+
30
+ For a hashed magic token, configure
31
+ `TELLYMCP_MAGIC_TOKEN_HASH=sha256:<64-hex-digest>` instead of the raw token.
32
+ Never configure both forms.
33
+
34
+ Optional restrictions:
35
+
36
+ ```bash
37
+ TELLYMCP_OAUTH_CLIENT_ID=tellymcp
38
+ TELLYMCP_OAUTH_CLIENT_SECRET=replace_with_client_secret
39
+ TELLYMCP_ALLOWED_REDIRECT_URIS=https://chatgpt.com/connector/oauth/...,https://claude.ai/api/mcp/auth_callback
40
+ TELLYMCP_AUTH_CODE_TTL_SECONDS=300
41
+ TELLYMCP_OAUTH_SCOPES=tellymcp:read tellymcp:write
42
+ TELLYMCP_OAUTH_KEY_ID=tellymcp-oauth
43
+ ```
44
+
45
+ OAuth is enabled when a connector identity, credential, redirect, or signing-key
46
+ setting is present. `TELLYMCP_PUBLIC_URL` and one magic-token form are then
47
+ required. Redirect URIs are matched exactly when the allowlist is configured.
48
+
49
+ ## Reverse proxy
50
+
51
+ Proxy all `/api/` routes to TellyMCP and disable response buffering on
52
+ `/api/mcp`. Claude also needs root path-insertion discovery routes such as:
53
+
54
+ ```text
55
+ /.well-known/oauth-authorization-server/api
56
+ /.well-known/openid-configuration/api
57
+ /.well-known/oauth-protected-resource/api/mcp
58
+ ```
59
+
60
+ The complete Nginx example is in `docs/tellymcp.gw.conf`.
61
+
62
+ ## Connect the chat host
63
+
64
+ Use the concrete MCP endpoint in the host's `Connection` field:
65
+
66
+ ```text
67
+ https://mcp.example.com/api/mcp
68
+ ```
69
+
70
+ Do not enter `https://mcp.example.com/api` as the connection URL. That URL is
71
+ the OAuth issuer/audience base, not an MCP endpoint. With the correct
72
+ connection URL, discovery may legitimately show two related resources:
73
+
74
+ ```text
75
+ OAuth issuer/audience: https://mcp.example.com/api
76
+ MCP resource: https://mcp.example.com/api/mcp
77
+ ```
78
+
79
+ For the production deployment used while implementing this feature, the
80
+ working ChatGPT values are:
81
+
82
+ ```text
83
+ Connection: https://drd.undoo.ru/api/mcp
84
+ Authorization server base: https://drd.undoo.ru/api
85
+ Resource: https://drd.undoo.ru/api/mcp
86
+ OIDC configuration URL: https://drd.undoo.ru/.well-known/openid-configuration/api
87
+ ```
88
+
89
+ The `/api` suffix in the root discovery URL is expected RFC 8414
90
+ path-insertion behavior for an issuer whose path is `/api`.
91
+
92
+ Do not give the host `MCP_HTTP_BEARER_TOKEN` or the magic token. The magic token
93
+ is entered only into the authorization page opened by the host. If a client ID
94
+ or client secret is configured in the host, it must match the gateway values.
95
+
96
+ TellyMCP tool names already use Claude-compatible letters, digits, and
97
+ underscores, and the tools publish output schemas.
98
+
99
+ ## Verify before connecting
100
+
101
+ ```bash
102
+ curl -fsS https://mcp.example.com/api/.well-known/oauth-protected-resource/mcp
103
+ curl -fsS https://mcp.example.com/api/.well-known/oauth-authorization-server
104
+ curl -fsS https://mcp.example.com/.well-known/oauth-authorization-server/api
105
+ curl -fsS https://mcp.example.com/api/.well-known/jwks.json
106
+ curl -i https://mcp.example.com/api/mcp
107
+ ```
108
+
109
+ The last response must be `401` and include a `WWW-Authenticate` header whose
110
+ `resource_metadata` value points to the protected-resource metadata endpoint.
111
+
112
+ Access tokens are RS256 JWTs without `exp`, matching the trusted internal
113
+ connector model. Authorization codes remain short-lived, PKCE-bound, and
114
+ one-time-use. Failed magic-token attempts are rate-limited per source address.
115
+
116
+ ## Diagnostics
117
+
118
+ OAuth discovery, authorization, token exchange, MCP `initialize`, and
119
+ `tools/list` milestones are logged at `info`. Rejections are logged at `warn`
120
+ without credentials, authorization codes, PKCE verifiers, or access tokens.
121
+ When OAuth is enabled, every HTTP request and completed response is also logged
122
+ with its normalized path, status, user agent, content types, MCP session id,
123
+ and whether an Authorization header was present. Header values and tokens are
124
+ never logged.
125
+
126
+ The production Nginx sample writes connector traffic to:
127
+
128
+ ```text
129
+ /var/log/nginx/tellymcp.access.log
130
+ /var/log/nginx/tellymcp.error.log
131
+ ```
132
+
133
+ If refresh stops after OAuth metadata and never logs an MCP `initialize`, first
134
+ verify that the host's `Connection` value ends in `/api/mcp`.
@@ -24,7 +24,17 @@
24
24
  ## 1. Установка
25
25
 
26
26
  ```bash
27
- npm install -g @deadragdoll/tellymcp
27
+ sudo apt install -y python3 make g++
28
+ npm config set ignore-scripts false
29
+ npm install -g @deadragdoll/tellymcp --foreground-scripts
30
+ ```
31
+
32
+ На Linux native addon `node-pty` собирается локально; для Linux ARM64 это
33
+ обязательно, потому что зависимость не поставляет подходящий готовый binary.
34
+ Если после предыдущей установки `pty.node` отсутствует, выполни:
35
+
36
+ ```bash
37
+ npm rebuild -g @deadragdoll/tellymcp --foreground-scripts
28
38
  ```
29
39
 
30
40
  Опционально:
@@ -64,7 +74,8 @@ DB_PASSWORD=
64
74
  DB_NAME=
65
75
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
66
76
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
67
- GATEWAY_TOKEN=change_me_gateway_token
77
+ GATEWAY_SCOPE_TOKEN=change_me_scope_token
78
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
68
79
  ROOT_PREFIX=/api
69
80
  PORT=8080
70
81
  DISTRIBUTED_MODE=gateway
@@ -82,10 +93,19 @@ DISTRIBUTED_MODE=gateway
82
93
  DISTRIBUTED_MODE=client
83
94
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
84
95
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
85
- GATEWAY_TOKEN=change_me_gateway_token
96
+ GATEWAY_SCOPE_TOKEN=change_me_scope_token
97
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
86
98
  GATEWAY_USER_UUID=put_owner_uuid_here
87
99
  ```
88
100
 
101
+ На машине agent/client Redis не нужен. Временное runtime-состояние хранится
102
+ локально, а стабильный gateway client UUID — в `.mcpsession.json`.
103
+
104
+ Используйте один и тот же стойкий `GATEWAY_AUTH_TOKEN` на gateway и всех клиентах.
105
+ Не смешивайте его с `GATEWAY_SCOPE_TOKEN`: последний разделяет данные gateway по scope,
106
+ но не аутентифицирует HTTP- или WebSocket-транспорт. Сгенерируйте токен один раз,
107
+ например командой `openssl rand -hex 32`, и не используйте пример значения выше.
108
+
89
109
  Для первого запуска также желательно задать:
90
110
 
91
111
  ```env
@@ -164,9 +184,15 @@ TELEGRAM_WEBHOOK_SECRET=change_me_webhook_secret
164
184
 
165
185
  - `/api/telegram/webhook`
166
186
  - `/api/gateway`
187
+ - `/api/files` для короткоживущих upload/download запросов `get_file(type="url")`
167
188
  - `/api/webapp`
168
189
  - `/api/healthz`
169
190
 
191
+ Отдельный `location ^~ /api/files/` рекомендуется, хотя для самой маршрутизации
192
+ он не обязателен. В нём следует отключить access log, потому что путь содержит
193
+ токен, задать `client_max_body_size 32m` и отключить buffering запросов и
194
+ ответов. Канонический блок приведён в `nginx/tellymcp.gw.conf`.
195
+
170
196
  ## 8. MCP
171
197
 
172
198
  Локальный client-mode MCP endpoint:
@@ -179,10 +205,22 @@ http://127.0.0.1:8787/mcp
179
205
 
180
206
  ## 9. Проверки
181
207
 
208
+ Настройка dotenv через локальный web-конфигуратор:
209
+
210
+ ```bash
211
+ tellymcp configure
212
+ ```
213
+
182
214
  ```bash
183
215
  tellymcp doctor --env .env
184
216
  ```
185
217
 
218
+ Перед запуском старый env можно нормализовать командой:
219
+
220
+ ```bash
221
+ tellymcp migrate-env ./old.env > ./.migrated-env
222
+ ```
223
+
186
224
  Разрушительная очистка:
187
225
 
188
226
  ```bash
@@ -24,7 +24,17 @@ The recommended topology is:
24
24
  ## 1. Install
25
25
 
26
26
  ```bash
27
- npm install -g @deadragdoll/tellymcp
27
+ sudo apt install -y python3 make g++
28
+ npm config set ignore-scripts false
29
+ npm install -g @deadragdoll/tellymcp --foreground-scripts
30
+ ```
31
+
32
+ Linux installs compile the native `node-pty` addon locally; this is required on
33
+ Linux ARM64 because the dependency does not ship a matching prebuilt binary.
34
+ If `pty.node` is missing after an earlier install, run:
35
+
36
+ ```bash
37
+ npm rebuild -g @deadragdoll/tellymcp --foreground-scripts
28
38
  ```
29
39
 
30
40
  Optional:
@@ -64,7 +74,8 @@ DB_PASSWORD=
64
74
  DB_NAME=
65
75
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
66
76
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
67
- GATEWAY_TOKEN=change_me_gateway_token
77
+ GATEWAY_SCOPE_TOKEN=change_me_scope_token
78
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
68
79
  ROOT_PREFIX=/api
69
80
  PORT=8080
70
81
  DISTRIBUTED_MODE=gateway
@@ -82,10 +93,19 @@ Minimum client settings:
82
93
  DISTRIBUTED_MODE=client
83
94
  GATEWAY_PUBLIC_URL=https://your-domain.example/api/gateway
84
95
  GATEWAY_WS_URL=wss://your-domain.example/api/gateway/ws
85
- GATEWAY_TOKEN=change_me_gateway_token
96
+ GATEWAY_SCOPE_TOKEN=change_me_scope_token
97
+ GATEWAY_AUTH_TOKEN=put_strong_shared_transport_token_here
86
98
  GATEWAY_USER_UUID=put_owner_uuid_here
87
99
  ```
88
100
 
101
+ The agent/client machine does not need Redis. Its transient runtime state is
102
+ local, while the stable gateway client UUID is stored in `.mcpsession.json`.
103
+
104
+ Use the same strong `GATEWAY_AUTH_TOKEN` on the gateway and every client. Keep it
105
+ separate from `GATEWAY_SCOPE_TOKEN`, which scopes gateway data but does not authenticate
106
+ the HTTP or WebSocket transport. Generate it once, for example with
107
+ `openssl rand -hex 32`, and do not use the illustrative value above.
108
+
89
109
  For the first run, also set:
90
110
 
91
111
  ```env
@@ -164,9 +184,15 @@ If nginx already proxies `location /api/ { ... }` to the standalone listener, th
164
184
 
165
185
  - `/api/telegram/webhook`
166
186
  - `/api/gateway`
187
+ - `/api/files` for short-lived `get_file(type="url")` uploads and downloads
167
188
  - `/api/webapp`
168
189
  - `/api/healthz`
169
190
 
191
+ A dedicated `location ^~ /api/files/` is recommended, though not required for
192
+ routing. It should disable access logs because the path contains a token, set
193
+ `client_max_body_size 32m`, and disable proxy request/response buffering. See
194
+ `nginx/tellymcp.gw.conf` for the canonical block.
195
+
170
196
  ## 8. MCP
171
197
 
172
198
  Local client-mode MCP:
@@ -179,10 +205,22 @@ Use the MCP HTTP endpoint exposed by `tellymcp run`.
179
205
 
180
206
  ## 9. Health Checks
181
207
 
208
+ Guided dotenv setup:
209
+
210
+ ```bash
211
+ tellymcp configure
212
+ ```
213
+
182
214
  ```bash
183
215
  tellymcp doctor --env .env
184
216
  ```
185
217
 
218
+ Normalize a legacy env before startup:
219
+
220
+ ```bash
221
+ tellymcp migrate-env ./old.env > ./.migrated-env
222
+ ```
223
+
186
224
  Destructive cleanup:
187
225
 
188
226
  ```bash
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@deadragdoll/tellymcp",
3
- "version": "0.0.13",
3
+ "version": "0.0.15",
4
4
  "description": "TellyMCP - Telegram control plane for MCP-connected coding agents",
5
5
  "main": "dist/services/features/telegram-mcp/runtime.service.js",
6
6
  "bin": {
@@ -17,6 +17,7 @@
17
17
  "README-ru.md",
18
18
  "docs/STANDALONE.md",
19
19
  "docs/STANDALONE-ru.md",
20
+ "docs/CHAT_CONNECTOR.md",
20
21
  "VERSION.md",
21
22
  "CHANGELOG.md",
22
23
  "TOOLS.md",
@@ -76,7 +77,8 @@
76
77
  "dependencies": {
77
78
  "@grammyjs/menu": "^1.3.1",
78
79
  "@grammyjs/storage-redis": "^2.5.1",
79
- "@modelcontextprotocol/sdk": "^1.18.1",
80
+ "@modelcontextprotocol/sdk": "^1.29.0",
81
+ "@xterm/addon-fit": "0.10.0",
80
82
  "@xterm/headless": "5.5.0",
81
83
  "@xterm/xterm": "5.5.0",
82
84
  "amqplib": "0.10.9",
@@ -96,7 +98,7 @@
96
98
  "pino-pretty": "^13.1.3",
97
99
  "playwright": "^1.60.0",
98
100
  "socks-proxy-agent": "^8.0.5",
99
- "ws": "8.20.1",
101
+ "ws": "8.21.0",
100
102
  "zod": "4.4.3"
101
103
  },
102
104
  "devDependencies": {