@decocms/runtime 1.5.0 → 1.6.1

package/README.md

@@ -39,7 +39,7 @@ const greetTool = createTool({
 
 // Create the MCP server
 export default withRuntime({
-  tools: [() => greetTool],
+  tools: [greetTool],
 });
 ```
 
@@ -154,21 +154,11 @@ const getUserDataTool = createPrivateTool({
 
 ### Registering Tools
 
-Tools can be registered in multiple ways:
+Pass an array of tool instances created with `createTool()` / `createPrivateTool()`:
 
 ```typescript
 export default withRuntime({
-  // Option 1: Array of tool factories
-  tools: [
-    () => greetTool,
-    () => calculateTool,
-    (env) => createDynamicTool(env),
-  ],
-  
-  // Option 2: Single function returning array
-  tools: async (env) => {
-    return [greetTool, calculateTool];
-  },
+  tools: [greetTool, calculateTool],
 });
 ```
 
@@ -358,10 +348,10 @@ export default withRuntime({
   },
   
   tools: [
-    (env) => createTool({
+    createTool({
       id: "query",
       inputSchema: z.object({ sql: z.string() }),
-      execute: async ({ runtimeContext }) => {
+      execute: async ({ context, runtimeContext }) => {
         // Access resolved bindings from state
         const { database } = runtimeContext.env.MESH_REQUEST_CONTEXT.state;
         return database.QUERY({ sql: context.sql });
@@ -451,7 +441,7 @@ const channelTools = impl(WellKnownBindings.Channel, [
 ]);
 
 export default withRuntime({
-  tools: [() => channelTools].flat(),
+  tools: channelTools,
 });
 ```
 
@@ -648,16 +638,9 @@ const statusResource = createResource({
 
 // Export the MCP server
 export default withRuntime({
-  tools: [
-    () => echoTool,
-    () => getProfileTool,
-  ],
-  prompts: [
-    () => analyzePrompt,
-  ],
-  resources: [
-    () => statusResource,
-  ],
+  tools: [echoTool, getProfileTool],
+  prompts: [analyzePrompt],
+  resources: [statusResource],
   cors: {
     origin: "*",
     credentials: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.5.0",
+  "version": "1.6.1",
   "type": "module",
   "scripts": {
     "check": "tsc --noEmit",

package/src/index.ts

@@ -8,6 +8,7 @@ import {
 } from "./bindings.ts";
 import { type CORSOptions, handlePreflight, withCORS } from "./cors.ts";
 import { createOAuthHandlers } from "./oauth.ts";
+export { OAuthInvalidGrantError } from "./oauth.ts";
 import { State } from "./state.ts";
 import {
   createMCPServer,

package/src/oauth.test.ts

@@ -0,0 +1,96 @@
+import { describe, it, expect } from "bun:test";
+import { createOAuthHandlers, OAuthInvalidGrantError } from "./oauth.ts";
+import type { OAuthConfig } from "./tools.ts";
+
+const baseConfig = (
+  refreshToken?: OAuthConfig["refreshToken"],
+): OAuthConfig => ({
+  mode: "PKCE",
+  authorizationServer: "https://upstream.example.com",
+  authorizationUrl: () => "https://upstream.example.com/authorize",
+  exchangeCode: async () => ({
+    access_token: "at",
+    token_type: "Bearer",
+  }),
+  refreshToken,
+});
+
+const buildTokenRequest = (body: Record<string, string>) =>
+  new Request("https://mcp.example.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams(body).toString(),
+  });
+
+describe("OAuth /token refresh handler", () => {
+  it("returns 400 invalid_grant when refreshToken throws OAuthInvalidGrantError", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => {
+        throw new OAuthInvalidGrantError(
+          "invalid_grant",
+          "refresh token revoked",
+        );
+      }),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(400);
+    const body = (await response.json()) as {
+      error: string;
+      error_description?: string;
+    };
+    expect(body.error).toBe("invalid_grant");
+    expect(body.error_description).toBe("refresh token revoked");
+  });
+
+  it("returns 500 server_error when refreshToken throws a generic error", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => {
+        throw new Error("upstream is down");
+      }),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(500);
+    const body = (await response.json()) as { error: string };
+    expect(body.error).toBe("server_error");
+  });
+
+  it("forwards the new token on success", async () => {
+    const handlers = createOAuthHandlers(
+      baseConfig(async () => ({
+        access_token: "fresh",
+        token_type: "Bearer",
+        refresh_token: "rt2",
+        expires_in: 3600,
+      })),
+    );
+
+    const response = await handlers.handleToken(
+      buildTokenRequest({
+        grant_type: "refresh_token",
+        refresh_token: "rt",
+      }),
+    );
+
+    expect(response.status).toBe(200);
+    const body = (await response.json()) as {
+      access_token: string;
+      refresh_token?: string;
+    };
+    expect(body.access_token).toBe("fresh");
+    expect(body.refresh_token).toBe("rt2");
+  });
+});

package/src/oauth.ts

@@ -1,5 +1,28 @@
 import type { OAuthClient, OAuthConfig, OAuthParams } from "./tools.ts";
 
+/**
+ * Thrown by `OAuthConfig.refreshToken` (or `exchangeCode`) implementations
+ * when the upstream OAuth provider says the grant itself is permanently
+ * invalid — e.g. GitHub returns `400 invalid_grant` because the user
+ * revoked the app or the refresh_token was rotated out from under us.
+ *
+ * The `/token` handler maps this to an RFC-6749-compliant
+ * `400 {"error":"invalid_grant",...}` response, so callers can tell apart
+ * "the user needs to reconnect" from a transient upstream 5xx (which the
+ * outer catch maps to a 500). Throwing a plain `Error` from `refreshToken`
+ * will be treated as transient and surface as 500.
+ */
+export class OAuthInvalidGrantError extends Error {
+  readonly error: string;
+  readonly errorDescription?: string;
+  constructor(error = "invalid_grant", errorDescription?: string) {
+    super(errorDescription ?? error);
+    this.name = "OAuthInvalidGrantError";
+    this.error = error;
+    this.errorDescription = errorDescription;
+  }
+}
+
 /**
  * Generate a cryptographically secure random token
  */
@@ -338,8 +361,30 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
           );
         }
 
-        // Call the external provider to refresh the token
-        const newTokenResponse = await oauth.refreshToken(refresh_token);
+        // Call the external provider to refresh the token. We catch
+        // `OAuthInvalidGrantError` here (not in the outer catch) so we can
+        // map it to a spec-compliant 400 instead of letting all errors fall
+        // through to a generic 500. Any other thrown error is treated as
+        // transient and surfaces from the outer catch as 500.
+        let newTokenResponse: Awaited<
+          ReturnType<NonNullable<OAuthConfig["refreshToken"]>>
+        >;
+        try {
+          newTokenResponse = await oauth.refreshToken(refresh_token);
+        } catch (err) {
+          if (err instanceof OAuthInvalidGrantError) {
+            return Response.json(
+              {
+                error: err.error,
+                ...(err.errorDescription
+                  ? { error_description: err.errorDescription }
+                  : {}),
+              },
+              { status: 400 },
+            );
+          }
+          throw err;
+        }
 
         const tokenResponse: Record<string, unknown> = {
           access_token: newTokenResponse.access_token,

package/src/tools.ts

@@ -7,14 +7,16 @@ import {
 } from "@decocms/bindings";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport as HttpServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
-import type {
-  CallToolResult,
-  GetPromptResult,
-  Implementation,
-  ToolAnnotations,
+import {
+  ListToolsRequestSchema,
+  type CallToolResult,
+  type GetPromptResult,
+  type Implementation,
+  type ListToolsResult,
+  type ToolAnnotations,
 } from "@modelcontextprotocol/sdk/types.js";
 import { z } from "zod";
-import type { ZodRawShape, ZodSchema, ZodTypeAny } from "zod";
+import type { ZodSchema, ZodTypeAny } from "zod";
 import { BindingRegistry, injectBindingSchemas } from "./bindings.ts";
 import { Event, type EventHandlers } from "./events.ts";
 import type { DefaultEnv, User } from "./index.ts";
@@ -823,6 +825,12 @@ export const createMCPServer = <
   let cached: Registrations | null = null;
   let inflightResolve: Promise<Registrations> | null = null;
 
+  // The MCP SDK's `tools/list` handler runs `toJsonSchemaCompat()` for every
+  // registered tool on every request. For MCPs with hundreds of tools that
+  // dominates per-request latency (seconds, not ms). Cache the rendered
+  // payload across requests within the isolate.
+  let cachedListToolsResult: ListToolsResult | null = null;
+
   let _warnedFactoryDeprecation = false;
   const warnFactoryDeprecation = () => {
     if (!_warnedFactoryDeprecation) {
@@ -940,15 +948,19 @@ export const createMCPServer = <
           _meta: tool._meta,
           description: tool.description,
           annotations: tool.annotations,
+          // Pass the full ZodObject (not its `.shape`) so the SDK skips
+          // `objectFromShape(...)` (a fresh `z.object(shape)` per tool) inside
+          // `_createRegisteredTool`. The SDK's `getZodSchemaObject` returns
+          // an already-built object as-is.
           inputSchema:
             tool.inputSchema && "shape" in tool.inputSchema
-              ? (tool.inputSchema.shape as ZodRawShape)
-              : z.object({}).shape,
+              ? (tool.inputSchema as ZodTypeAny)
+              : z.object({}),
           outputSchema:
             tool.outputSchema &&
             typeof tool.outputSchema === "object" &&
             "shape" in tool.outputSchema
-              ? (tool.outputSchema.shape as ZodRawShape)
+              ? (tool.outputSchema as ZodTypeAny)
               : undefined,
         },
         async (args) => {
@@ -1078,6 +1090,38 @@ export const createMCPServer = <
     const registrations = await resolveRegistrations(bindings);
     registerAll(server, registrations);
 
+    // Wrap the SDK-installed `tools/list` handler so the rendered payload is
+    // computed once per isolate and reused across requests. The MCP Server
+    // itself can't be shared across requests (its transport is single-use, see
+    // `Protocol.connect`), so each request still spins up a fresh Server +
+    // Transport — but the listTools render is by far the dominant cost for
+    // large tool surfaces, and it's pure of request-scoped state.
+    const innerHandlers = (
+      server.server as unknown as {
+        _requestHandlers: Map<
+          string,
+          (req: unknown, extra: unknown) => Promise<unknown>
+        >;
+      }
+    )._requestHandlers;
+    const sdkListToolsHandler = innerHandlers.get(
+      ListToolsRequestSchema.shape.method.value,
+    );
+    if (sdkListToolsHandler) {
+      innerHandlers.set(
+        ListToolsRequestSchema.shape.method.value,
+        async (req, extra) => {
+          if (!cachedListToolsResult) {
+            cachedListToolsResult = (await sdkListToolsHandler(
+              req,
+              extra,
+            )) as ListToolsResult;
+          }
+          return cachedListToolsResult;
+        },
+      );
+    }
+
     return { server, ...registrations };
   };
 

package/src/triggers.ts

@@ -156,7 +156,7 @@ class TriggerStateManager {
  *
  * // In withRuntime:
  * export default withRuntime({
- *   tools: [() => triggers.tools()],
+ *   tools: triggers.tools(),
  * });
  *
  * // In webhook handler: