@decocms/runtime 1.4.0 → 1.6.0

package/README.md

@@ -39,7 +39,7 @@ const greetTool = createTool({
 
 // Create the MCP server
 export default withRuntime({
-  tools: [() => greetTool],
+  tools: [greetTool],
 });
 ```
 
@@ -154,21 +154,11 @@ const getUserDataTool = createPrivateTool({
 
 ### Registering Tools
 
-Tools can be registered in multiple ways:
+Pass an array of tool instances created with `createTool()` / `createPrivateTool()`:
 
 ```typescript
 export default withRuntime({
-  // Option 1: Array of tool factories
-  tools: [
-    () => greetTool,
-    () => calculateTool,
-    (env) => createDynamicTool(env),
-  ],
-  
-  // Option 2: Single function returning array
-  tools: async (env) => {
-    return [greetTool, calculateTool];
-  },
+  tools: [greetTool, calculateTool],
 });
 ```
 
@@ -358,10 +348,10 @@ export default withRuntime({
   },
   
   tools: [
-    (env) => createTool({
+    createTool({
       id: "query",
       inputSchema: z.object({ sql: z.string() }),
-      execute: async ({ runtimeContext }) => {
+      execute: async ({ context, runtimeContext }) => {
         // Access resolved bindings from state
         const { database } = runtimeContext.env.MESH_REQUEST_CONTEXT.state;
         return database.QUERY({ sql: context.sql });
@@ -451,7 +441,7 @@ const channelTools = impl(WellKnownBindings.Channel, [
 ]);
 
 export default withRuntime({
-  tools: [() => channelTools].flat(),
+  tools: channelTools,
 });
 ```
 
@@ -648,16 +638,9 @@ const statusResource = createResource({
 
 // Export the MCP server
 export default withRuntime({
-  tools: [
-    () => echoTool,
-    () => getProfileTool,
-  ],
-  prompts: [
-    () => analyzePrompt,
-  ],
-  resources: [
-    () => statusResource,
-  ],
+  tools: [echoTool, getProfileTool],
+  prompts: [analyzePrompt],
+  resources: [statusResource],
   cors: {
     origin: "*",
     credentials: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "type": "module",
   "scripts": {
     "check": "tsc --noEmit",

package/src/bindings.ts

@@ -161,7 +161,10 @@ export const AgentOf = () =>
     thinking: AgentModelInfoSchema.optional(),
     coding: AgentModelInfoSchema.optional(),
     fast: AgentModelInfoSchema.optional(),
-    toolApprovalLevel: z.enum(["auto", "readonly", "plan"]).default("auto"),
+    toolApprovalLevel: z.enum(["auto", "readonly"]).default("auto"),
+    mode: z
+      .enum(["default", "plan", "web-search", "gen-image"])
+      .default("default"),
     temperature: z.number().default(0.5),
   });
 

package/src/decopilot.ts

@@ -31,7 +31,9 @@ export interface AgentBindingConfig {
   thinking?: AgentModelInfo;
   coding?: AgentModelInfo;
   fast?: AgentModelInfo;
-  toolApprovalLevel?: "auto" | "readonly" | "plan";
+  toolApprovalLevel?: "auto" | "readonly";
+  /** Decopilot stream mode — default, plan, web-search, gen-image */
+  mode?: "default" | "plan" | "web-search" | "gen-image";
   temperature?: number;
 }
 
@@ -45,7 +47,9 @@ export interface AgentStreamParams {
   thinking?: AgentModelInfo;
   coding?: AgentModelInfo;
   fast?: AgentModelInfo;
-  toolApprovalLevel?: "auto" | "readonly" | "plan";
+  toolApprovalLevel?: "auto" | "readonly";
+  /** Decopilot stream mode — default, plan, web-search, gen-image */
+  mode?: "default" | "plan" | "web-search" | "gen-image";
   temperature?: number;
   memory?: { windowSize: number; thread_id: string };
   thread_id?: string;
@@ -126,6 +130,7 @@ export async function streamAgent(
     agent: { id: agentId },
     temperature: params.temperature ?? config.temperature,
     toolApprovalLevel: params.toolApprovalLevel ?? config.toolApprovalLevel,
+    mode: params.mode ?? config.mode ?? "default",
     ...(params.memory ? { memory: params.memory } : {}),
     ...(params.thread_id ? { thread_id: params.thread_id } : {}),
   };
@@ -188,6 +193,7 @@ export function createDecopilotClient(options: DecopilotClientOptions) {
         coding: request.coding,
         fast: request.fast,
         toolApprovalLevel: request.toolApprovalLevel,
+        mode: request.mode,
         temperature: request.temperature,
       };
       return streamAgent(streamUrl, token, config, request, opts);

package/src/index.ts

@@ -8,6 +8,7 @@ import {
 } from "./bindings.ts";
 import { type CORSOptions, handlePreflight, withCORS } from "./cors.ts";
 import { createOAuthHandlers } from "./oauth.ts";
+export { OAuthInvalidGrantError } from "./oauth.ts";
 import { State } from "./state.ts";
 import {
   createMCPServer,

package/src/oauth.test.ts

@@ -0,0 +1,96 @@
+import { describe, it, expect } from "bun:test";
+import { createOAuthHandlers, OAuthInvalidGrantError } from "./oauth.ts";
+import type { OAuthConfig } from "./tools.ts";
+
+const baseConfig = (
+  refreshToken?: OAuthConfig["refreshToken"],
+): OAuthConfig => ({
+  mode: "PKCE",
+  authorizationServer: "https://upstream.example.com",
+  authorizationUrl: () => "https://upstream.example.com/authorize",
+  exchangeCode: async () => ({
+    access_token: "at",
+    token_type: "Bearer",
+  }),
+  refreshToken,
+});
+
+const buildTokenRequest = (body: Record<string, string>) =>
+  new Request("https://mcp.example.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams(body).toString(),
+  });
+
+describe("OAuth /token refresh handler", () => {
+  it("returns 400 invalid_grant when refreshToken throws OAuthInvalidGrantError", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => {
+        throw new OAuthInvalidGrantError(
+          "invalid_grant",
+          "refresh token revoked",
+        );
+      }),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(400);
+    const body = (await response.json()) as {
+      error: string;
+      error_description?: string;
+    };
+    expect(body.error).toBe("invalid_grant");
+    expect(body.error_description).toBe("refresh token revoked");
+  });
+
+  it("returns 500 server_error when refreshToken throws a generic error", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => {
+        throw new Error("upstream is down");
+      }),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(500);
+    const body = (await response.json()) as { error: string };
+    expect(body.error).toBe("server_error");
+  });
+
+  it("forwards the new token on success", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => ({
+        access_token: "fresh",
+        token_type: "Bearer",
+        refresh_token: "rt2",
+        expires_in: 3600,
+      })),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(200);
+    const body = (await response.json()) as {
+      access_token: string;
+      refresh_token?: string;
+    };
+    expect(body.access_token).toBe("fresh");
+    expect(body.refresh_token).toBe("rt2");
+  });
+});

package/src/oauth.ts

@@ -1,5 +1,28 @@
 import type { OAuthClient, OAuthConfig, OAuthParams } from "./tools.ts";
 
+/**
+ * Thrown by `OAuthConfig.refreshToken` (or `exchangeCode`) implementations
+ * when the upstream OAuth provider says the grant itself is permanently
+ * invalid — e.g. GitHub returns `400 invalid_grant` because the user
+ * revoked the app or the refresh_token was rotated out from under us.
+ *
+ * The `/token` handler maps this to an RFC-6749-compliant
+ * `400 {"error":"invalid_grant",...}` response, so callers can tell apart
+ * "the user needs to reconnect" from a transient upstream 5xx (which the
+ * outer catch maps to a 500). Throwing a plain `Error` from `refreshToken`
+ * will be treated as transient and surface as 500.
+ */
+export class OAuthInvalidGrantError extends Error {
+  readonly error: string;
+  readonly errorDescription?: string;
+  constructor(error = "invalid_grant", errorDescription?: string) {
+    super(errorDescription ?? error);
+    this.name = "OAuthInvalidGrantError";
+    this.error = error;
+    this.errorDescription = errorDescription;
+  }
+}
+
 /**
  * Generate a cryptographically secure random token
  */
@@ -338,8 +361,30 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
           );
         }
 
-        // Call the external provider to refresh the token
-        const newTokenResponse = await oauth.refreshToken(refresh_token);
+        // Call the external provider to refresh the token. We catch
+        // `OAuthInvalidGrantError` here (not in the outer catch) so we can
+        // map it to a spec-compliant 400 instead of letting all errors fall
+        // through to a generic 500. Any other thrown error is treated as
+        // transient and surfaces from the outer catch as 500.
+        let newTokenResponse: Awaited<
+          ReturnType<NonNullable<OAuthConfig["refreshToken"]>>
+        >;
+        try {
+          newTokenResponse = await oauth.refreshToken(refresh_token);
+        } catch (err) {
+          if (err instanceof OAuthInvalidGrantError) {
+            return Response.json(
+              {
+                error: err.error,
+                ...(err.errorDescription
+                  ? { error_description: err.errorDescription }
+                  : {}),
+              },
+              { status: 400 },
+            );
+          }
+          throw err;
+        }
 
         const tokenResponse: Record<string, unknown> = {
           access_token: newTokenResponse.access_token,

package/src/tools.ts

@@ -8,6 +8,7 @@ import {
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport as HttpServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import type {
+  CallToolResult,
   GetPromptResult,
   Implementation,
   ToolAnnotations,
@@ -957,6 +958,22 @@ export const createMCPServer = <
             ctx,
           );
 
+          if (
+            result != null &&
+            typeof result === "object" &&
+            "content" in result &&
+            Array.isArray(result.content) &&
+            result.content.every(
+              (item: unknown) =>
+                item != null &&
+                typeof item === "object" &&
+                "type" in item &&
+                typeof (item as Record<string, unknown>).type === "string",
+            )
+          ) {
+            return result as CallToolResult;
+          }
+
           return {
             structuredContent: result as Record<string, unknown>,
             content: [

package/src/triggers.ts

@@ -156,7 +156,7 @@ class TriggerStateManager {
  *
  * // In withRuntime:
  * export default withRuntime({
- *   tools: [() => triggers.tools()],
+ *   tools: triggers.tools(),
  * });
  *
  * // In webhook handler: