@decocms/mesh-sdk 1.2.1 → 1.2.2

package/src/lib/default-model.ts

@@ -0,0 +1,96 @@
+import type { AiProviderModel, ProviderId } from "../types/ai-providers";
+
+/**
+ * Preferred default models for each well-known provider.
+ *
+ * Each entry is an ordered list of candidate model ID strings — lower indexes
+ * have higher priority. The selector first tries exact matches across the full
+ * list, then falls back to substring matches in the same priority order.
+ */
+export const DEFAULT_MODEL_PREFERENCES: Partial<Record<ProviderId, string[]>> =
+  {
+    anthropic: ["claude-sonnet-4-6", "claude-sonnet", "claude"],
+    openrouter: [
+      "anthropic/claude-opus-4.6",
+      "anthropic/claude-4.6-opus",
+      "anthropic/claude-sonnet-4-6",
+      "anthropic/claude-sonnet",
+      "anthropic/claude",
+    ],
+    deco: [
+      "anthropic/claude-haiku-4-5",
+      "anthropic/claude-haiku",
+      "anthropic/claude",
+    ],
+    google: ["gemini-3-flash"],
+    "claude-code": [
+      "claude-code:sonnet",
+      "claude-code:opus",
+      "claude-code:haiku",
+    ],
+  };
+
+/**
+ * Preferred fast/cheap models per provider — used for lightweight tasks
+ * like title generation where latency and cost matter more than capability.
+ */
+export const FAST_MODEL_PREFERENCES: Partial<Record<ProviderId, string[]>> = {
+  anthropic: ["claude-haiku-4-5", "claude-haiku"],
+  openrouter: [
+    "qwen/qwen3.5-flash",
+    "anthropic/claude-haiku-4.5",
+    "anthropic/claude-haiku",
+    "google/gemini-3-flash",
+  ],
+  deco: ["qwen/qwen3.5-flash", "anthropic/claude-haiku"],
+  google: ["gemini-2.5-flash", "gemini-3-flash"],
+};
+
+/**
+ * Return the preferred fast model ID for a given provider.
+ * Returns the first candidate or `null` if no preference is configured.
+ */
+export function getFastModel(providerId: ProviderId): string | null {
+  const candidates = FAST_MODEL_PREFERENCES[providerId];
+  return candidates?.[0] ?? null;
+}
+
+/**
+ * Select the best default model from a loaded list for a given provider.
+ *
+ * Resolution order:
+ *   1. Exact `modelId` match — walk candidates in priority order.
+ *   2. Substring match — walk candidates in priority order, return the first
+ *      model whose `modelId` contains the candidate string.
+ *   3. First model in the list.
+ *   4. `null` if the list is empty.
+ *
+ * @param models      Full model list returned by the provider for this key.
+ * @param providerId  The provider that owns the key.
+ * @param keyId       Credential key ID to attach — mirrors what
+ *                    `handleModelSelect` does on explicit user selection.
+ */
+export function selectDefaultModel(
+  models: AiProviderModel[],
+  providerId: ProviderId,
+  keyId?: string,
+): AiProviderModel | null {
+  if (models.length === 0) return null;
+
+  const candidates = DEFAULT_MODEL_PREFERENCES[providerId] ?? [];
+
+  const withKey = (model: AiProviderModel): AiProviderModel =>
+    keyId !== undefined ? { ...model, keyId } : model;
+
+  for (const candidate of candidates) {
+    const exact = models.find((m) => m.modelId === candidate);
+    if (exact) return withKey(exact);
+  }
+
+  for (const candidate of candidates) {
+    const partial = models.find((m) => m.modelId.includes(candidate));
+    if (partial) return withKey(partial);
+  }
+
+  return withKey(models[0] as AiProviderModel);
+}

package/src/lib/mcp-oauth.ts

@@ -35,6 +35,47 @@ function hashServerUrl(url: string): string {
   return Math.abs(hash).toString(16);
 }
 
+/**
+ * Override origin for OAuth redirect URIs.
+ * Set via `setOAuthRedirectOrigin()` when the browser runs behind a proxy
+ * (e.g. tokyo.localhost) that external OAuth servers may not accept.
+ */
+let _oauthRedirectOrigin: string | null = null;
+
+/**
+ * Set a custom origin for OAuth redirect URIs.
+ * Call this at app init with the server's internal URL (e.g. http://localhost:3000)
+ * so that external OAuth servers accept the redirect URI.
+ */
+export function setOAuthRedirectOrigin(origin: string): void {
+  _oauthRedirectOrigin = origin;
+}
+
+/**
+ * Get the origin to use for OAuth redirect URIs.
+ * Returns the override if set, otherwise falls back to window.location.origin.
+ */
+function getOAuthRedirectOrigin(): string {
+  return _oauthRedirectOrigin ?? window.location.origin;
+}
+
+/**
+ * Check if we're in a local dev environment (localhost or .localhost subdomain).
+ */
+function isLocalDev(): boolean {
+  try {
+    const hostname = window.location.hostname;
+    return (
+      hostname === "localhost" ||
+      hostname.endsWith(".localhost") ||
+      hostname === "127.0.0.1" ||
+      hostname === "::1"
+    );
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Global in-memory store for active OAuth sessions.
  */
@@ -89,7 +130,7 @@ class McpOAuthProvider implements OAuthClientProvider {
   constructor(options: McpOAuthProviderOptions) {
     this.serverUrl = options.serverUrl;
     this._redirectUrl =
-      options.callbackUrl ?? `${window.location.origin}/oauth/callback`;
+      options.callbackUrl ?? `${getOAuthRedirectOrigin()}/oauth/callback`;
     this._windowMode = options.windowMode ?? "popup";
 
     // Build scope string if provided
@@ -153,8 +194,7 @@ class McpOAuthProvider implements OAuthClientProvider {
       // Open in new tab - uses localStorage for cross-tab communication
       const tab = window.open(authorizationUrl.toString(), "_blank");
       if (!tab) {
-        // Fallback: navigate current window (will lose state, but works)
-        window.location.href = authorizationUrl.toString();
+        throw new Error("Tab was blocked");
       }
     } else {
       // Open in popup (default)
@@ -170,9 +210,11 @@ class McpOAuthProvider implements OAuthClientProvider {
       );
 
       if (!popup) {
-        throw new Error(
-          "OAuth popup was blocked. Please allow popups for this site and try again.",
-        );
+        // Popup was blocked - fallback to new tab (uses localStorage for communication)
+        const tab = window.open(authorizationUrl.toString(), "_blank");
+        if (!tab) {
+          throw new Error("Popup was blocked");
+        }
       }
     }
   }
@@ -273,6 +315,10 @@ export async function authenticateMcp(params: {
     windowMode: params.windowMode,
   });
 
+  // Object to hold the abort function - using an object wrapper so TypeScript
+  // properly tracks mutations inside closures
+  const oauthAbort: { fn: ((error: Error) => void) | null } = { fn: null };
+
   try {
     // Wait for OAuth callback message from popup and handle token exchange
     // Uses both postMessage (primary) and localStorage (fallback for when opener is lost)
@@ -300,6 +346,14 @@ export async function authenticateMcp(params: {
           }
         };
 
+        // Expose abort function so we can clean up if auth() throws
+        oauthAbort.fn = (error: Error) => {
+          if (resolved) return;
+          resolved = true;
+          cleanup();
+          reject(error);
+        };
+
         const processCallback = async (data: {
           success: boolean;
           code?: string;
@@ -379,7 +433,9 @@ export async function authenticateMcp(params: {
 
         // Primary: Listen for postMessage from popup
         const handleMessage = async (event: MessageEvent) => {
-          if (event.origin !== window.location.origin) return;
+          // In local dev, accept messages from any origin because the popup
+          // runs at localhost:PORT while the opener may be at *.localhost (proxy)
+          if (!isLocalDev() && event.origin !== window.location.origin) return;
           if (event.data?.type === "mcp:oauth:callback") {
             await processCallback(event.data);
           }
@@ -408,6 +464,10 @@ export async function authenticateMcp(params: {
       },
     );
 
+    // Attach a no-op catch to prevent unhandled rejection if auth() throws
+    // (we'll abort the promise properly in the catch block, but this is a safety net)
+    oauthCompletePromise.catch(() => {});
+
     // Start the auth flow
     const result: AuthResult = await auth(provider, { serverUrl });
 
@@ -450,6 +510,11 @@ export async function authenticateMcp(params: {
       error: null,
     };
   } catch (error) {
+    // Abort the OAuth promise to trigger cleanup (clear timeout, remove event listeners)
+    // This prevents unhandled promise rejections and lingering listeners
+    if (oauthAbort.fn) {
+      oauthAbort.fn(error instanceof Error ? error : new Error(String(error)));
+    }
     return {
       token: null,
       tokenInfo: null,
@@ -477,7 +542,10 @@ function sendCallbackData(
 ): boolean {
   // Try postMessage first (primary method)
   if (window.opener && !window.opener.closed) {
-    window.opener.postMessage(data, window.location.origin);
+    // In local dev, use "*" because the popup (localhost:PORT) and opener
+    // (*.localhost proxy) are different origins — targeted postMessage would be silently dropped
+    const targetOrigin = isLocalDev() ? "*" : window.location.origin;
+    window.opener.postMessage(data, targetOrigin);
     return true;
   }
 
@@ -638,8 +706,11 @@ async function checkOAuthTokenStatus(
   try {
     const path = `/api/connections/${connectionId}/oauth-token/status`;
     const url = apiBaseUrl ? new URL(path, apiBaseUrl).href : path;
+    const currentOrigin = getCurrentOrigin();
+    const isSameOrigin =
+      !apiBaseUrl || new URL(apiBaseUrl).origin === currentOrigin;
     const response = await fetch(url, {
-      credentials: apiBaseUrl ? "omit" : "include", // Don't send cookies for cross-origin
+      credentials: isSameOrigin ? "include" : "omit", // Don't send cookies for cross-origin
     });
     if (!response.ok) {
       return { hasToken: false };

package/src/lib/query-keys.ts

@@ -57,6 +57,7 @@ export const KEYS = {
   ) => ["mcp", "client", orgId, connectionId, token, meshUrl] as const,
 
   // MCP client-based queries (scoped by client instance)
+  // Note: client can be null/undefined for skip queries that shouldn't execute
   mcpToolsList: (client: unknown) =>
     ["mcp", "client", client, "tools"] as const,
   mcpResourcesList: (client: unknown) =>

package/src/lib/server-client-bridge.ts

@@ -0,0 +1,146 @@
+/**
+ * Server-Client Bridge
+ *
+ * Creates an MCP Server that delegates all requests to an MCP Client.
+ * This allows using a Client as if it were a Server, useful for proxying
+ * or bridging between different transport layers.
+ *
+ * ## Usage
+ *
+ * ```ts
+ * import { createServerFromClient } from "@decocms/mesh-sdk";
+ * import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+ * import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+ *
+ * const client = new Client(...);
+ * await client.connect(clientTransport);
+ *
+ * const server = createServerFromClient(
+ *   client,
+ *   { name: "proxy-server", version: "1.0.0" }
+ * );
+ *
+ * const transport = new WebStandardStreamableHTTPServerTransport({});
+ * await server.connect(transport);
+ *
+ * // Handle requests via transport.handleRequest(req)
+ * ```
+ */
+
+import type { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type {
+  Implementation,
+  ServerCapabilities,
+} from "@modelcontextprotocol/sdk/types.js";
+import {
+  CallToolRequestSchema,
+  GetPromptRequestSchema,
+  ListPromptsRequestSchema,
+  ListResourcesRequestSchema,
+  ListResourceTemplatesRequestSchema,
+  ListToolsRequestSchema,
+  ReadResourceRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+
+/**
+ * Options for creating a server from a client
+ */
+export interface ServerFromClientOptions {
+  /**
+   * Server capabilities. If not provided, uses client.getServerCapabilities()
+   */
+  capabilities?: ServerCapabilities;
+  /**
+   * Server instructions. If not provided, uses client.getInstructions()
+   */
+  instructions?: string;
+  /**
+   * Timeout in milliseconds for tool calls forwarded to the client.
+   * If not provided, the MCP SDK default (60s) is used.
+   */
+  toolCallTimeoutMs?: number;
+}
+
+/**
+ * Creates an MCP Server that delegates all requests to the provided Client.
+ *
+ * @param client - The MCP Client to delegate requests to
+ * @param serverInfo - Server metadata (ImplementationSchema-compatible: name, version, title, description, icons, websiteUrl)
+ * @param options - Optional server configuration (capabilities and instructions)
+ * @returns An MCP Server instance configured to delegate to the client
+ */
+export function createServerFromClient(
+  client: Client,
+  serverInfo: Implementation,
+  options?: ServerFromClientOptions,
+): McpServer {
+  // Get capabilities from client if not provided
+  const capabilities = options?.capabilities ?? client.getServerCapabilities();
+
+  // Get instructions from client if not provided
+  const instructions = options?.instructions ?? client.getInstructions();
+
+  // Create MCP server with capabilities and instructions
+  const server = new McpServer(serverInfo, {
+    capabilities,
+    instructions,
+  });
+
+  // Set up request handlers that delegate to client methods
+
+  // Tools handlers
+  // Strip outputSchema from tools so downstream clients (e.g. the browser's
+  // MCP Client) don't cache validators and reject structuredContent that
+  // doesn't perfectly match the downstream server's declared schema.
+  // A proxy should pass through responses as-is — validation is the
+  // responsibility of the originating server, not intermediaries.
+  server.server.setRequestHandler(ListToolsRequestSchema, async () => {
+    const result = await client.listTools();
+    return {
+      ...result,
+      tools: result.tools.map(({ outputSchema: _, ...tool }) => tool),
+    };
+  });
+
+  server.server.setRequestHandler(CallToolRequestSchema, (request) =>
+    client.callTool(
+      request.params,
+      undefined,
+      options?.toolCallTimeoutMs
+        ? { timeout: options.toolCallTimeoutMs }
+        : undefined,
+    ),
+  );
+
+  // Resources handlers (only if capabilities include resources)
+  if (capabilities?.resources) {
+    server.server.setRequestHandler(ListResourcesRequestSchema, () =>
+      client.listResources(),
+    );
+
+    server.server.setRequestHandler(ReadResourceRequestSchema, (request) =>
+      client.readResource(request.params),
+    );
+
+    server.server.setRequestHandler(ListResourceTemplatesRequestSchema, () =>
+      client.listResourceTemplates(),
+    );
+  }
+
+  // Prompts handlers (only if capabilities include prompts)
+  if (capabilities?.prompts) {
+    server.server.setRequestHandler(ListPromptsRequestSchema, () =>
+      client.listPrompts(),
+    );
+
+    server.server.setRequestHandler(GetPromptRequestSchema, (request) =>
+      client.getPrompt({
+        ...request.params,
+        arguments: request.params.arguments ?? {},
+      }),
+    );
+  }
+
+  return server;
+}

package/src/lib/usage.test.ts

@@ -0,0 +1,163 @@
+/**
+ * Usage utilities tests
+ */
+
+import { describe, expect, test } from "bun:test";
+import {
+  addUsage,
+  calculateUsageStats,
+  emptyUsageStats,
+  sanitizeProviderMetadata,
+} from "./usage";
+
+describe("sanitizeProviderMetadata", () => {
+  test("allows only safe fields", () => {
+    const metadata = {
+      openrouter: {
+        usage: { inputTokens: 10, outputTokens: 20, cost: 0.001 },
+        cost: 0.001,
+        model: "gpt-4",
+        internal_id: "should-be-stripped",
+        debug_info: "should-be-stripped",
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      openrouter: {
+        usage: { inputTokens: 10, outputTokens: 20, cost: 0.001 },
+        cost: 0.001,
+        model: "gpt-4",
+      },
+    });
+  });
+
+  test("strips sensitive fields", () => {
+    const metadata = {
+      provider: {
+        api_key: "secret",
+        user_id: "user_123",
+        usage: { totalTokens: 100 },
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      provider: {
+        usage: { totalTokens: 100 },
+      },
+    });
+  });
+
+  test("handles nested objects", () => {
+    const metadata = {
+      openrouter: {
+        usage: { inputTokens: 5, outputTokens: 10 },
+        nested: { sensitive: "data" },
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      openrouter: {
+        usage: { inputTokens: 5, outputTokens: 10 },
+      },
+    });
+  });
+
+  test("returns undefined for empty input", () => {
+    expect(sanitizeProviderMetadata(undefined)).toBeUndefined();
+    expect(sanitizeProviderMetadata({})).toBeUndefined();
+  });
+
+  test("handles non-object provider data", () => {
+    const metadata = {
+      provider: "string-value",
+      other: null,
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toBeUndefined();
+  });
+});
+
+describe("calculateUsageStats", () => {
+  test("sums message-level usage correctly", () => {
+    const messages = [
+      {
+        metadata: {
+          usage: { totalTokens: 1000, inputTokens: 500, outputTokens: 500 },
+        },
+      },
+      {
+        metadata: {
+          usage: { totalTokens: 500, inputTokens: 200, outputTokens: 300 },
+        },
+      },
+    ];
+
+    const result = calculateUsageStats(messages);
+
+    expect(result.totalTokens).toBe(1500);
+    expect(result.inputTokens).toBe(700);
+    expect(result.outputTokens).toBe(800);
+  });
+
+  test("handles missing metadata gracefully", () => {
+    const messages = [
+      { metadata: { usage: { totalTokens: 100 } } },
+      { metadata: {} },
+      { metadata: undefined },
+      {},
+    ];
+
+    const result = calculateUsageStats(messages);
+
+    expect(result.totalTokens).toBe(100);
+  });
+
+  test("returns empty stats for empty messages", () => {
+    const result = calculateUsageStats([]);
+
+    expect(result).toEqual(emptyUsageStats());
+  });
+});
+
+describe("addUsage", () => {
+  test("adds usage fields correctly", () => {
+    const acc = emptyUsageStats();
+    const step = {
+      inputTokens: 100,
+      outputTokens: 200,
+      reasoningTokens: 50,
+      totalTokens: 350,
+    };
+
+    const result = addUsage(acc, step);
+
+    expect(result.inputTokens).toBe(100);
+    expect(result.outputTokens).toBe(200);
+    expect(result.reasoningTokens).toBe(50);
+    expect(result.totalTokens).toBe(350);
+  });
+
+  test("handles undefined fields", () => {
+    const acc = { ...emptyUsageStats(), inputTokens: 10 };
+    const step = { outputTokens: 20 };
+
+    const result = addUsage(acc, step);
+
+    expect(result.inputTokens).toBe(10);
+    expect(result.outputTokens).toBe(20);
+  });
+
+  test("returns accumulated when step is null", () => {
+    const acc = { ...emptyUsageStats(), totalTokens: 100 };
+    const result = addUsage(acc, null);
+    expect(result).toBe(acc);
+  });
+});