@decocms/mesh-sdk 1.2.1 → 1.2.3

package/src/lib/mcp-oauth.ts

@@ -35,6 +35,47 @@ function hashServerUrl(url: string): string {
   return Math.abs(hash).toString(16);
 }
 
+/**
+ * Override origin for OAuth redirect URIs.
+ * Set via `setOAuthRedirectOrigin()` when the browser runs behind a proxy
+ * (e.g. tokyo.localhost) that external OAuth servers may not accept.
+ */
+let _oauthRedirectOrigin: string | null = null;
+
+/**
+ * Set a custom origin for OAuth redirect URIs.
+ * Call this at app init with the server's internal URL (e.g. http://localhost:3000)
+ * so that external OAuth servers accept the redirect URI.
+ */
+export function setOAuthRedirectOrigin(origin: string): void {
+  _oauthRedirectOrigin = origin;
+}
+
+/**
+ * Get the origin to use for OAuth redirect URIs.
+ * Returns the override if set, otherwise falls back to window.location.origin.
+ */
+function getOAuthRedirectOrigin(): string {
+  return _oauthRedirectOrigin ?? window.location.origin;
+}
+
+/**
+ * Check if we're in a local dev environment (localhost or .localhost subdomain).
+ */
+function isLocalDev(): boolean {
+  try {
+    const hostname = window.location.hostname;
+    return (
+      hostname === "localhost" ||
+      hostname.endsWith(".localhost") ||
+      hostname === "127.0.0.1" ||
+      hostname === "::1"
+    );
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Global in-memory store for active OAuth sessions.
  */
@@ -89,7 +130,7 @@ class McpOAuthProvider implements OAuthClientProvider {
   constructor(options: McpOAuthProviderOptions) {
     this.serverUrl = options.serverUrl;
     this._redirectUrl =
-      options.callbackUrl ?? `${window.location.origin}/oauth/callback`;
+      options.callbackUrl ?? `${getOAuthRedirectOrigin()}/oauth/callback`;
     this._windowMode = options.windowMode ?? "popup";
 
     // Build scope string if provided
@@ -153,8 +194,7 @@ class McpOAuthProvider implements OAuthClientProvider {
       // Open in new tab - uses localStorage for cross-tab communication
       const tab = window.open(authorizationUrl.toString(), "_blank");
       if (!tab) {
-        // Fallback: navigate current window (will lose state, but works)
-        window.location.href = authorizationUrl.toString();
+        throw new Error("Tab was blocked");
       }
     } else {
       // Open in popup (default)
@@ -170,9 +210,11 @@ class McpOAuthProvider implements OAuthClientProvider {
       );
 
       if (!popup) {
-        throw new Error(
-          "OAuth popup was blocked. Please allow popups for this site and try again.",
-        );
+        // Popup was blocked - fallback to new tab (uses localStorage for communication)
+        const tab = window.open(authorizationUrl.toString(), "_blank");
+        if (!tab) {
+          throw new Error("Popup was blocked");
+        }
       }
     }
   }
@@ -216,6 +258,10 @@ export interface OAuthTokenInfo {
   clientId: string | null;
   clientSecret: string | null;
   tokenEndpoint: string | null;
+  /** OIDC ID token (JWT) returned by some providers (e.g. Google). Contains user identity claims like email. */
+  idToken: string | null;
+  /** OIDC userinfo endpoint URL from authorization server metadata. Can be called with the access token to retrieve user identity. */
+  userinfoEndpoint: string | null;
 }
 
 /**
@@ -236,6 +282,7 @@ interface FullTokenResult {
   clientId: string | null;
   clientSecret: string | null;
   tokenEndpoint: string | null;
+  userinfoEndpoint: string | null;
 }
 
 /**
@@ -251,6 +298,8 @@ interface FullTokenResult {
  */
 export async function authenticateMcp(params: {
   connectionId: string;
+  /** Organization slug — used to build the org-scoped /api/:org/mcp/... URL. */
+  orgSlug?: string;
   /** Mesh server URL - optional, defaults to window.location.origin (for external apps, provide your Mesh server URL) */
   meshUrl?: string;
   clientName?: string;
@@ -263,7 +312,10 @@ export async function authenticateMcp(params: {
   windowMode?: OAuthWindowMode;
 }): Promise<AuthenticateMcpResult> {
   const baseUrl = params.meshUrl ?? window.location.origin;
-  const serverUrl = new URL(`/mcp/${params.connectionId}`, baseUrl);
+  const path = params.orgSlug
+    ? `/api/${encodeURIComponent(params.orgSlug)}/mcp/${params.connectionId}`
+    : `/mcp/${params.connectionId}`;
+  const serverUrl = new URL(path, baseUrl);
   const provider = new McpOAuthProvider({
     serverUrl: serverUrl.href,
     clientName: params.clientName,
@@ -273,6 +325,10 @@ export async function authenticateMcp(params: {
     windowMode: params.windowMode,
   });
 
+  // Object to hold the abort function - using an object wrapper so TypeScript
+  // properly tracks mutations inside closures
+  const oauthAbort: { fn: ((error: Error) => void) | null } = { fn: null };
+
   try {
     // Wait for OAuth callback message from popup and handle token exchange
     // Uses both postMessage (primary) and localStorage (fallback for when opener is lost)
@@ -300,6 +356,14 @@ export async function authenticateMcp(params: {
           }
         };
 
+        // Expose abort function so we can clean up if auth() throws
+        oauthAbort.fn = (error: Error) => {
+          if (resolved) return;
+          resolved = true;
+          cleanup();
+          reject(error);
+        };
+
         const processCallback = async (data: {
           success: boolean;
           code?: string;
@@ -370,6 +434,11 @@ export async function authenticateMcp(params: {
                   ? (clientInfo.client_secret as string)
                   : null,
               tokenEndpoint: authServerMetadata?.token_endpoint ?? null,
+              userinfoEndpoint:
+                (authServerMetadata?.userinfo_endpoint as
+                  | string
+                  | null
+                  | undefined) ?? null,
             });
           } catch (err) {
             cleanup();
@@ -379,7 +448,9 @@ export async function authenticateMcp(params: {
 
         // Primary: Listen for postMessage from popup
         const handleMessage = async (event: MessageEvent) => {
-          if (event.origin !== window.location.origin) return;
+          // In local dev, accept messages from any origin because the popup
+          // runs at localhost:PORT while the opener may be at *.localhost (proxy)
+          if (!isLocalDev() && event.origin !== window.location.origin) return;
           if (event.data?.type === "mcp:oauth:callback") {
             await processCallback(event.data);
           }
@@ -408,11 +479,16 @@ export async function authenticateMcp(params: {
       },
     );
 
+    // Attach a no-op catch to prevent unhandled rejection if auth() throws
+    // (we'll abort the promise properly in the catch block, but this is a safety net)
+    oauthCompletePromise.catch(() => {});
+
     // Start the auth flow
     const result: AuthResult = await auth(provider, { serverUrl });
 
     if (result === "REDIRECT") {
       const fullResult = await oauthCompletePromise;
+      const rawTokens = fullResult.tokens as unknown as Record<string, unknown>;
       return {
         token: fullResult.tokens.access_token,
         tokenInfo: {
@@ -423,6 +499,9 @@ export async function authenticateMcp(params: {
           clientId: fullResult.clientId,
           clientSecret: fullResult.clientSecret,
           tokenEndpoint: fullResult.tokenEndpoint,
+          userinfoEndpoint: fullResult.userinfoEndpoint,
+          idToken:
+            typeof rawTokens.id_token === "string" ? rawTokens.id_token : null,
         },
         error: null,
       };
@@ -431,6 +510,7 @@ export async function authenticateMcp(params: {
     // If we got here without redirect, check for tokens
     const tokens = provider.tokens();
     const clientInfo = provider.clientInformation();
+    const rawTokens = tokens as unknown as Record<string, unknown> | null;
     return {
       token: tokens?.access_token || null,
       tokenInfo: tokens
@@ -445,11 +525,21 @@ export async function authenticateMcp(params: {
                 ? (clientInfo.client_secret as string)
                 : null,
             tokenEndpoint: null, // Would need to be passed through
+            userinfoEndpoint: null,
+            idToken:
+              rawTokens && typeof rawTokens.id_token === "string"
+                ? rawTokens.id_token
+                : null,
           }
         : null,
       error: null,
     };
   } catch (error) {
+    // Abort the OAuth promise to trigger cleanup (clear timeout, remove event listeners)
+    // This prevents unhandled promise rejections and lingering listeners
+    if (oauthAbort.fn) {
+      oauthAbort.fn(error instanceof Error ? error : new Error(String(error)));
+    }
     return {
       token: null,
       tokenInfo: null,
@@ -477,7 +567,10 @@ function sendCallbackData(
 ): boolean {
   // Try postMessage first (primary method)
   if (window.opener && !window.opener.closed) {
-    window.opener.postMessage(data, window.location.origin);
+    // In local dev, use "*" because the popup (localhost:PORT) and opener
+    // (*.localhost proxy) are different origins — targeted postMessage would be silently dropped
+    const targetOrigin = isLocalDev() ? "*" : window.location.origin;
+    window.opener.postMessage(data, targetOrigin);
     return true;
   }
 
@@ -612,14 +705,32 @@ function getCurrentOrigin(): string | undefined {
 }
 
 /**
- * Extract connection ID from MCP proxy URL
+ * Extract connection ID from MCP proxy URL.
+ * Supports both legacy `/mcp/:id` and org-scoped `/api/:org/mcp/:id` paths.
  */
 function extractConnectionIdFromUrl(url: string): string | null {
   try {
     // Use current origin as base for relative URLs (browser only)
     const base = getCurrentOrigin();
     const urlObj = base ? new URL(url, base) : new URL(url);
-    const match = urlObj.pathname.match(/^\/mcp\/([^/]+)/);
+    const orgScoped = urlObj.pathname.match(/^\/api\/[^/]+\/mcp\/([^/]+)/);
+    if (orgScoped) return orgScoped[1] ?? null;
+    const legacy = urlObj.pathname.match(/^\/mcp\/([^/]+)/);
+    return legacy?.[1] ?? null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Extract org slug from an org-scoped MCP proxy URL (`/api/:org/mcp/...`).
+ * Returns null for legacy `/mcp/...` URLs.
+ */
+function extractOrgSlugFromUrl(url: string): string | null {
+  try {
+    const base = getCurrentOrigin();
+    const urlObj = base ? new URL(url, base) : new URL(url);
+    const match = urlObj.pathname.match(/^\/api\/([^/]+)\/mcp\//);
     return match?.[1] ?? null;
   } catch {
     return null;
@@ -629,17 +740,22 @@ function extractConnectionIdFromUrl(url: string): string | null {
 /**
  * Check if connection has a stored OAuth token
  * @param connectionId - The connection ID to check
+ * @param orgSlug - Organization slug used to build the org-scoped path
  * @param apiBaseUrl - Base URL for the API call (optional, defaults to relative path)
  */
 async function checkOAuthTokenStatus(
   connectionId: string,
+  orgSlug: string,
   apiBaseUrl?: string,
 ): Promise<{ hasToken: boolean }> {
   try {
-    const path = `/api/connections/${connectionId}/oauth-token/status`;
+    const path = `/api/${encodeURIComponent(orgSlug)}/connections/${connectionId}/oauth-token/status`;
     const url = apiBaseUrl ? new URL(path, apiBaseUrl).href : path;
+    const currentOrigin = getCurrentOrigin();
+    const isSameOrigin =
+      !apiBaseUrl || new URL(apiBaseUrl).origin === currentOrigin;
     const response = await fetch(url, {
-      credentials: apiBaseUrl ? "omit" : "include", // Don't send cookies for cross-origin
+      credentials: isSameOrigin ? "include" : "omit", // Don't send cookies for cross-origin
     });
     if (!response.ok) {
       return { hasToken: false };
@@ -653,17 +769,21 @@ async function checkOAuthTokenStatus(
 
 /**
  * Check if an MCP connection is authenticated and whether it supports OAuth
- * @param params.url - The MCP URL to check
+ * @param params.url - The org-scoped MCP URL to check (`/api/:org/mcp/...`)
  * @param params.token - Authorization token (optional)
+ * @param params.orgId - Organization ID (deprecated; org is now resolved from the URL path)
  * @param params.meshUrl - Mesh server URL for API calls (optional, defaults to URL origin)
  */
 export async function isConnectionAuthenticated({
   url,
   token,
+  orgId: _orgId,
   meshUrl,
 }: {
   url: string;
   token: string | null;
+  /** @deprecated Org is resolved from the URL path; this is kept for call-site compatibility. */
+  orgId?: string;
   /** Mesh server URL for API calls - optional, defaults to extracting from url parameter */
   meshUrl?: string;
 }): Promise<McpAuthStatus> {
@@ -695,6 +815,7 @@ export async function isConnectionAuthenticated({
 
     // Extract connection ID for OAuth token status check
     const connectionId = extractConnectionIdFromUrl(url);
+    const orgSlug = extractOrgSlugFromUrl(url);
     // Determine base URL for API calls (meshUrl > URL origin > current origin)
     // Use current origin as base for relative URLs (browser only)
     const base = getCurrentOrigin();
@@ -703,9 +824,10 @@ export async function isConnectionAuthenticated({
 
     if (response.ok) {
       // Check if we have an OAuth token stored for this connection
-      const oauthStatus = connectionId
-        ? await checkOAuthTokenStatus(connectionId, apiBaseUrl)
-        : { hasToken: false };
+      const oauthStatus =
+        connectionId && orgSlug
+          ? await checkOAuthTokenStatus(connectionId, orgSlug, apiBaseUrl)
+          : { hasToken: false };
 
       return {
         isAuthenticated: true,

package/src/lib/query-keys.ts

@@ -15,10 +15,10 @@ export const KEYS = {
   threads: (locator: string) => ["threads", locator] as const,
   virtualMcpThreads: (locator: string, virtualMcpId: string) =>
     ["threads", locator, "virtual-mcp", virtualMcpId] as const,
-  thread: (locator: string, threadId: string) =>
-    ["thread", locator, threadId] as const,
-  threadMessages: (locator: string, threadId: string) =>
-    ["thread-messages", locator, threadId] as const,
+  thread: (locator: string, taskId: string) =>
+    ["thread", locator, taskId] as const,
+  threadMessages: (locator: string, taskId: string) =>
+    ["thread-messages", locator, taskId] as const,
   messages: (locator: string) => ["messages", locator] as const,
 
   // Organizations list
@@ -57,6 +57,7 @@ export const KEYS = {
   ) => ["mcp", "client", orgId, connectionId, token, meshUrl] as const,
 
   // MCP client-based queries (scoped by client instance)
+  // Note: client can be null/undefined for skip queries that shouldn't execute
   mcpToolsList: (client: unknown) =>
     ["mcp", "client", client, "tools"] as const,
   mcpResourcesList: (client: unknown) =>
@@ -80,6 +81,10 @@ export const KEYS = {
   // Models list (scoped by organization)
   modelsList: (orgId: string) => ["models-list", orgId] as const,
 
+  // Virtual MCP last-used info (most recent thread per agent)
+  virtualMcpLastUsed: (orgId: string, ids: string[]) =>
+    ["virtual-mcp", "last-used", orgId, ids] as const,
+
   // Collections (scoped by connection)
   connectionCollections: (connectionId: string) =>
     [connectionId, "collections", "discovery"] as const,
@@ -148,6 +153,13 @@ export const KEYS = {
     owner: string | null | undefined,
     repo: string | null | undefined,
   ) => ["github-readme", owner, repo] as const,
+  githubBranches: (
+    orgId: string,
+    orgSlug: string,
+    connectionId: string | null | undefined,
+    owner: string,
+    repo: string,
+  ) => ["github-branches", orgId, orgSlug, connectionId, owner, repo] as const,
 
   // Monitoring queries
   monitoringStats: () => ["monitoring", "stats"] as const,
@@ -175,4 +187,8 @@ export const KEYS = {
 
   // User data
   user: (userId: string) => ["user", userId] as const,
+
+  // Registry app lookup (by app ID)
+  registryApp: (orgId: string, appId: string) =>
+    ["registry-app", orgId, appId] as const,
 } as const;

package/src/lib/server-client-bridge.ts

@@ -0,0 +1,4 @@
+export {
+  createServerFromClient,
+  type ServerFromClientOptions,
+} from "@decocms/mcp-utils";

package/src/lib/usage.test.ts

@@ -0,0 +1,229 @@
+/**
+ * Usage utilities tests
+ */
+
+import { describe, expect, test } from "bun:test";
+import {
+  addUsage,
+  calculateUsageStats,
+  emptyUsageStats,
+  sanitizeProviderMetadata,
+} from "./usage";
+
+describe("sanitizeProviderMetadata", () => {
+  test("allows only safe fields", () => {
+    const metadata = {
+      openrouter: {
+        usage: { inputTokens: 10, outputTokens: 20, cost: 0.001 },
+        cost: 0.001,
+        model: "gpt-4",
+        internal_id: "should-be-stripped",
+        debug_info: "should-be-stripped",
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      openrouter: {
+        usage: { inputTokens: 10, outputTokens: 20, cost: 0.001 },
+        cost: 0.001,
+        model: "gpt-4",
+      },
+    });
+  });
+
+  test("strips sensitive fields", () => {
+    const metadata = {
+      provider: {
+        api_key: "secret",
+        user_id: "user_123",
+        usage: { totalTokens: 100 },
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      provider: {
+        usage: { totalTokens: 100 },
+      },
+    });
+  });
+
+  test("handles nested objects", () => {
+    const metadata = {
+      openrouter: {
+        usage: { inputTokens: 5, outputTokens: 10 },
+        nested: { sensitive: "data" },
+      },
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toEqual({
+      openrouter: {
+        usage: { inputTokens: 5, outputTokens: 10 },
+      },
+    });
+  });
+
+  test("returns undefined for empty input", () => {
+    expect(sanitizeProviderMetadata(undefined)).toBeUndefined();
+    expect(sanitizeProviderMetadata({})).toBeUndefined();
+  });
+
+  test("handles non-object provider data", () => {
+    const metadata = {
+      provider: "string-value",
+      other: null,
+    };
+
+    const result = sanitizeProviderMetadata(metadata);
+
+    expect(result).toBeUndefined();
+  });
+});
+
+describe("calculateUsageStats", () => {
+  test("sums message-level usage correctly", () => {
+    const messages = [
+      {
+        metadata: {
+          usage: { totalTokens: 1000, inputTokens: 500, outputTokens: 500 },
+        },
+      },
+      {
+        metadata: {
+          usage: { totalTokens: 500, inputTokens: 200, outputTokens: 300 },
+        },
+      },
+    ];
+
+    const result = calculateUsageStats(messages);
+
+    expect(result.totalTokens).toBe(1500);
+    expect(result.inputTokens).toBe(700);
+    expect(result.outputTokens).toBe(800);
+  });
+
+  test("handles missing metadata gracefully", () => {
+    const messages = [
+      { metadata: { usage: { totalTokens: 100 } } },
+      { metadata: {} },
+      { metadata: undefined },
+      {},
+    ];
+
+    const result = calculateUsageStats(messages);
+
+    expect(result.totalTokens).toBe(100);
+  });
+
+  test("returns empty stats for empty messages", () => {
+    const result = calculateUsageStats([]);
+
+    expect(result).toEqual(emptyUsageStats());
+  });
+});
+
+describe("addUsage", () => {
+  test("adds usage fields correctly", () => {
+    const acc = emptyUsageStats();
+    const step = {
+      inputTokens: 100,
+      outputTokens: 200,
+      reasoningTokens: 50,
+      totalTokens: 350,
+    };
+
+    const result = addUsage(acc, step);
+
+    expect(result.inputTokens).toBe(100);
+    expect(result.outputTokens).toBe(200);
+    expect(result.reasoningTokens).toBe(50);
+    expect(result.totalTokens).toBe(350);
+  });
+
+  test("handles undefined fields", () => {
+    const acc = { ...emptyUsageStats(), inputTokens: 10 };
+    const step = { outputTokens: 20 };
+
+    const result = addUsage(acc, step);
+
+    expect(result.inputTokens).toBe(10);
+    expect(result.outputTokens).toBe(20);
+  });
+
+  test("returns accumulated when step is null", () => {
+    const acc = { ...emptyUsageStats(), totalTokens: 100 };
+    const result = addUsage(acc, null);
+    expect(result).toBe(acc);
+  });
+
+  test("accumulates cache tokens from inputTokenDetails", () => {
+    const acc = emptyUsageStats();
+    const step = {
+      inputTokens: 1000,
+      outputTokens: 50,
+      inputTokenDetails: {
+        cacheReadTokens: 800,
+        cacheWriteTokens: 100,
+      },
+    };
+    const result = addUsage(acc, step);
+    expect(result.cacheReadTokens).toBe(800);
+    expect(result.cacheWriteTokens).toBe(100);
+  });
+
+  test("falls back to cachedInputTokens when inputTokenDetails is absent", () => {
+    const acc = emptyUsageStats();
+    const step = {
+      inputTokens: 1000,
+      outputTokens: 50,
+      cachedInputTokens: 600,
+    };
+    const result = addUsage(acc, step);
+    expect(result.cacheReadTokens).toBe(600);
+    expect(result.cacheWriteTokens).toBe(0);
+  });
+
+  test("inputTokenDetails takes precedence over cachedInputTokens", () => {
+    const acc = emptyUsageStats();
+    const step = {
+      inputTokens: 1000,
+      cachedInputTokens: 999, // would be wrong
+      inputTokenDetails: { cacheReadTokens: 800, cacheWriteTokens: 0 },
+    };
+    const result = addUsage(acc, step);
+    expect(result.cacheReadTokens).toBe(800);
+  });
+});
+
+describe("calculateUsageStats — cache fields", () => {
+  test("sums cache read/write across messages", () => {
+    const messages = [
+      {
+        metadata: {
+          usage: {
+            inputTokens: 100,
+            outputTokens: 50,
+            inputTokenDetails: { cacheReadTokens: 80, cacheWriteTokens: 10 },
+          },
+        },
+      },
+      {
+        metadata: {
+          usage: {
+            inputTokens: 200,
+            outputTokens: 25,
+            inputTokenDetails: { cacheReadTokens: 150 },
+          },
+        },
+      },
+    ];
+    const result = calculateUsageStats(messages);
+    expect(result.cacheReadTokens).toBe(230);
+    expect(result.cacheWriteTokens).toBe(10);
+  });
+});