@easonwumac/computer-linker 0.1.2

package/dist/oauth-provider.js

@@ -0,0 +1,325 @@
+import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname } from "node:path";
+import { AccessDeniedError, InvalidGrantError, InvalidRequestError, InvalidTokenError, } from "@modelcontextprotocol/sdk/server/auth/errors.js";
+import { checkResourceAllowed, resourceUrlFromServerUrl } from "@modelcontextprotocol/sdk/shared/auth-utils.js";
+const CODE_TTL_MS = 5 * 60 * 1000;
+export class OAuthStateStore {
+    statePath;
+    clients = new Map();
+    accessTokens = new Map();
+    refreshTokens = new Map();
+    constructor(statePath) {
+        this.statePath = statePath;
+        const state = statePath ? readOAuthState(statePath) : emptyOAuthState();
+        for (const client of state.clients)
+            this.clients.set(client.client_id, client);
+        for (const [token, record] of Object.entries(state.accessTokens))
+            this.accessTokens.set(token, record);
+        for (const [token, record] of Object.entries(state.refreshTokens))
+            this.refreshTokens.set(token, record);
+        this.pruneExpiredTokens();
+    }
+    getClient(clientId) {
+        return this.clients.get(clientId);
+    }
+    registerClient(client) {
+        const registered = {
+            ...client,
+            client_id: `lp_client_${randomUUID()}`,
+            client_id_issued_at: Math.floor(Date.now() / 1000),
+        };
+        this.clients.set(registered.client_id, registered);
+        this.save();
+        return registered;
+    }
+    getAccessToken(token) {
+        this.pruneExpiredTokens();
+        return this.accessTokens.get(token);
+    }
+    setAccessToken(token, record) {
+        this.accessTokens.set(token, record);
+        this.save();
+    }
+    deleteAccessToken(token) {
+        if (this.accessTokens.delete(token))
+            this.save();
+    }
+    getRefreshToken(token) {
+        this.pruneExpiredTokens();
+        return this.refreshTokens.get(token);
+    }
+    setRefreshToken(token, record) {
+        this.refreshTokens.set(token, record);
+        this.save();
+    }
+    deleteRefreshToken(token) {
+        if (this.refreshTokens.delete(token))
+            this.save();
+    }
+    pruneExpiredTokens() {
+        const now = Math.floor(Date.now() / 1000);
+        let changed = false;
+        for (const [token, record] of this.accessTokens) {
+            if (record.expiresAt < now) {
+                this.accessTokens.delete(token);
+                changed = true;
+            }
+        }
+        for (const [token, record] of this.refreshTokens) {
+            if (record.expiresAt < now) {
+                this.refreshTokens.delete(token);
+                changed = true;
+            }
+        }
+        if (changed)
+            this.save();
+    }
+    save() {
+        if (!this.statePath)
+            return;
+        mkdirSync(dirname(this.statePath), { recursive: true });
+        writeFileSync(this.statePath, JSON.stringify({
+            version: 1,
+            clients: Array.from(this.clients.values()),
+            accessTokens: Object.fromEntries(this.accessTokens),
+            refreshTokens: Object.fromEntries(this.refreshTokens),
+        }, null, 2) + "\n", { mode: 0o600 });
+    }
+}
+export class LocalPortOAuthProvider {
+    config;
+    clientsStore;
+    codes = new Map();
+    resourceServerUrl;
+    constructor(config, mcpServerUrl, options = {}) {
+        this.config = config;
+        this.clientsStore = new OAuthStateStore(options.statePath);
+        this.resourceServerUrl = resourceUrlFromServerUrl(mcpServerUrl);
+    }
+    async authorize(client, params, res) {
+        if (params.resource && !checkResourceAllowed({ requestedResource: params.resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidRequestError("Invalid OAuth resource");
+        }
+        if (!requestedScopesAllowed(params.scopes ?? this.config.scopes, this.config.scopes)) {
+            throw new InvalidRequestError("Requested scope is not supported");
+        }
+        if (!client.redirect_uris.includes(params.redirectUri)) {
+            throw new InvalidRequestError("Unregistered redirect_uri");
+        }
+        if (res.req.method !== "POST") {
+            res.status(200).setHeader("Content-Type", "text/html; charset=utf-8");
+            res.send(authorizeHtml({ client, params }));
+            return;
+        }
+        const providedToken = String(res.req.body?.owner_token ?? "");
+        if (!safeEquals(providedToken, this.config.ownerToken)) {
+            res.status(401).setHeader("Content-Type", "text/html; charset=utf-8");
+            res.send(authorizeHtml({ client, params, error: "Owner token was not accepted." }));
+            return;
+        }
+        const code = `lp_code_${randomUUID()}`;
+        this.codes.set(code, {
+            clientId: client.client_id,
+            params,
+            expiresAtMs: Date.now() + CODE_TTL_MS,
+        });
+        const redirectUrl = new URL(params.redirectUri);
+        redirectUrl.searchParams.set("code", code);
+        if (params.state !== undefined)
+            redirectUrl.searchParams.set("state", params.state);
+        res.redirect(302, redirectUrl.href);
+    }
+    async challengeForAuthorizationCode(client, authorizationCode) {
+        return this.validCodeRecord(client, authorizationCode).params.codeChallenge;
+    }
+    async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri, resource) {
+        const record = this.validCodeRecord(client, authorizationCode);
+        if (redirectUri && redirectUri !== record.params.redirectUri) {
+            throw new InvalidGrantError("redirect_uri does not match authorization request");
+        }
+        if (resource && !checkResourceAllowed({ requestedResource: resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidGrantError("Invalid resource");
+        }
+        this.codes.delete(authorizationCode);
+        return this.issueTokens(client.client_id, record.params.scopes ?? this.config.scopes, resource ?? record.params.resource);
+    }
+    async exchangeRefreshToken(client, refreshToken, scopes, resource) {
+        const record = this.clientsStore.getRefreshToken(refreshToken);
+        if (!record || record.clientId !== client.client_id || record.expiresAt < Math.floor(Date.now() / 1000)) {
+            throw new InvalidGrantError("Invalid refresh token");
+        }
+        if (resource && !checkResourceAllowed({ requestedResource: resource, configuredResource: this.resourceServerUrl })) {
+            throw new InvalidGrantError("Invalid resource");
+        }
+        const requestedScopes = scopes ?? record.scopes;
+        if (!requestedScopes.every((scope) => record.scopes.includes(scope))) {
+            throw new AccessDeniedError("Refresh token cannot grant requested scopes");
+        }
+        this.clientsStore.deleteRefreshToken(refreshToken);
+        return this.issueTokens(client.client_id, requestedScopes, resource ?? toUrl(record.resource));
+    }
+    async verifyAccessToken(token) {
+        const record = this.clientsStore.getAccessToken(token);
+        if (!record || record.expiresAt < Math.floor(Date.now() / 1000)) {
+            throw new InvalidTokenError("Invalid or expired access token");
+        }
+        return {
+            token,
+            clientId: record.clientId,
+            scopes: record.scopes,
+            expiresAt: record.expiresAt,
+            resource: toUrl(record.resource),
+        };
+    }
+    async revokeToken(_client, request) {
+        this.clientsStore.deleteAccessToken(request.token);
+        this.clientsStore.deleteRefreshToken(request.token);
+    }
+    validCodeRecord(client, authorizationCode) {
+        const record = this.codes.get(authorizationCode);
+        if (!record || record.clientId !== client.client_id || record.expiresAtMs < Date.now()) {
+            throw new InvalidGrantError("Invalid authorization code");
+        }
+        return record;
+    }
+    issueTokens(clientId, scopes, resource) {
+        const now = Math.floor(Date.now() / 1000);
+        const accessToken = randomToken();
+        const refreshToken = randomToken();
+        const accessExpiresAt = now + this.config.accessTokenTtlSeconds;
+        const refreshExpiresAt = now + this.config.refreshTokenTtlSeconds;
+        const resourceHref = resource?.href;
+        this.clientsStore.setAccessToken(accessToken, {
+            clientId,
+            scopes,
+            expiresAt: accessExpiresAt,
+            resource: resourceHref,
+        });
+        this.clientsStore.setRefreshToken(refreshToken, {
+            clientId,
+            scopes,
+            expiresAt: refreshExpiresAt,
+            resource: resourceHref,
+        });
+        return {
+            access_token: accessToken,
+            token_type: "bearer",
+            expires_in: this.config.accessTokenTtlSeconds,
+            refresh_token: refreshToken,
+            scope: scopes.join(" "),
+        };
+    }
+}
+function readOAuthState(path) {
+    if (!existsSync(path))
+        return emptyOAuthState();
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf8"));
+        return {
+            version: 1,
+            clients: Array.isArray(parsed.clients) ? parsed.clients : [],
+            accessTokens: parsed.accessTokens && typeof parsed.accessTokens === "object" ? parsed.accessTokens : {},
+            refreshTokens: parsed.refreshTokens && typeof parsed.refreshTokens === "object" ? parsed.refreshTokens : {},
+        };
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new Error(`Unable to read OAuth state ${path}: ${reason}`);
+    }
+}
+function emptyOAuthState() {
+    return {
+        version: 1,
+        clients: [],
+        accessTokens: {},
+        refreshTokens: {},
+    };
+}
+function requestedScopesAllowed(requested, supported) {
+    return requested.every((scope) => supported.includes(scope));
+}
+function randomToken() {
+    return randomBytes(32).toString("base64url");
+}
+function safeEquals(a, b) {
+    const left = Buffer.from(a);
+    const right = Buffer.from(b);
+    if (left.byteLength !== right.byteLength)
+        return false;
+    return timingSafeEqual(left, right);
+}
+function toUrl(value) {
+    return value ? new URL(value) : undefined;
+}
+function htmlEscape(value) {
+    return value
+        .replaceAll("&", "&amp;")
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll('"', "&quot;")
+        .replaceAll("'", "&#39;");
+}
+function authorizeHtml(params) {
+    const clientName = params.client.client_name ?? params.client.client_id;
+    const scopes = params.params.scopes?.join(" ") || "computer-linker";
+    const resource = params.params.resource?.href ?? "Computer Linker MCP endpoint";
+    const error = params.error ? `<p class="error">${htmlEscape(params.error)}</p>` : "";
+    const fields = authorizationFormFields(params.client, params.params);
+    const hiddenFields = Object.entries(fields)
+        .filter((entry) => entry[1] !== undefined)
+        .map(([name, value]) => `<input type="hidden" name="${htmlEscape(name)}" value="${htmlEscape(value)}" />`)
+        .join("\n");
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Connect Computer Linker</title>
+    <style>
+      body { font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 0; background: #111827; color: #f9fafb; }
+      main { max-width: 440px; margin: 12vh auto; padding: 28px; background: #020617; border: 1px solid #334155; border-radius: 12px; }
+      h1 { margin: 0 0 12px; font-size: 26px; }
+      p, dd { color: #cbd5e1; line-height: 1.5; }
+      dl { padding: 14px; background: #0f172a; border-radius: 10px; }
+      dt { color: #94a3b8; font-size: 12px; text-transform: uppercase; }
+      dd { margin: 4px 0 12px; word-break: break-word; }
+      label { display: block; margin: 18px 0 8px; font-weight: 700; }
+      input { box-sizing: border-box; width: 100%; padding: 12px; border-radius: 8px; border: 1px solid #475569; background: #111827; color: #f9fafb; font-size: 16px; }
+      button { margin-top: 16px; width: 100%; border: 0; border-radius: 8px; padding: 12px; font-weight: 800; background: #38bdf8; color: #020617; }
+      .error { color: #fecaca; background: #7f1d1d; border-radius: 8px; padding: 10px; }
+      .warning { color: #fde68a; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Connect Computer Linker</h1>
+      <p class="warning">Only approve this if you intentionally want this MCP client to control the configured workspaces on this computer.</p>
+      ${error}
+      <dl>
+        <dt>Client</dt><dd>${htmlEscape(clientName)}</dd>
+        <dt>Scope</dt><dd>${htmlEscape(scopes)}</dd>
+        <dt>Resource</dt><dd>${htmlEscape(resource)}</dd>
+      </dl>
+      <form method="post">
+        ${hiddenFields}
+        <label for="owner_token">Owner token</label>
+        <input id="owner_token" name="owner_token" type="password" autocomplete="current-password" required autofocus />
+        <button type="submit">Authorize Computer Linker</button>
+      </form>
+    </main>
+  </body>
+</html>`;
+}
+function authorizationFormFields(client, params) {
+    return {
+        response_type: "code",
+        client_id: client.client_id,
+        redirect_uri: params.redirectUri,
+        code_challenge: params.codeChallenge,
+        code_challenge_method: "S256",
+        scope: params.scopes?.join(" "),
+        state: params.state,
+        resource: params.resource?.href,
+    };
+}

package/dist/package-metadata.d.ts

@@ -0,0 +1,7 @@
+export interface PackageMetadata {
+    name: string;
+    version: string;
+}
+export declare function packageMetadata(): PackageMetadata;
+export declare function computerLinkerVersion(): string;
+export declare const workspaceLinkerVersion: typeof computerLinkerVersion;

package/dist/package-metadata.js

@@ -0,0 +1,24 @@
+import { readFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+let cachedPackageMetadata;
+export function packageMetadata() {
+    if (cachedPackageMetadata)
+        return cachedPackageMetadata;
+    const packageJsonPath = resolve(dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+    try {
+        const value = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        cachedPackageMetadata = {
+            name: typeof value.name === "string" && value.name.trim() ? value.name : "@easonwumac/computer-linker",
+            version: typeof value.version === "string" && value.version.trim() ? value.version : "unknown",
+        };
+    }
+    catch {
+        cachedPackageMetadata = { name: "@easonwumac/computer-linker", version: "unknown" };
+    }
+    return cachedPackageMetadata;
+}
+export function computerLinkerVersion() {
+    return packageMetadata().version;
+}
+export const workspaceLinkerVersion = computerLinkerVersion;

package/dist/permissions.d.ts

@@ -0,0 +1,43 @@
+export interface PathPermissions {
+    read: boolean;
+    write: boolean;
+    shell: boolean;
+    codex: boolean;
+    screen?: boolean;
+}
+export interface WorkspacePolicy {
+    maxRuntimeSeconds?: number;
+    maxOutputBytes?: number;
+    allowedCommands?: string[];
+    deniedCommands?: string[];
+}
+export interface ExposedPathConfig {
+    id: string;
+    name: string;
+    path: string;
+    permissions: PathPermissions;
+    policy?: WorkspacePolicy;
+}
+export interface LocalPortConfig {
+    machineId?: string;
+    machineName: string;
+    host?: string;
+    port?: number;
+    publicBaseUrl?: string;
+    publicMcpOnly?: boolean;
+    ownerToken?: string;
+    workspaces: ExposedPathConfig[];
+}
+export interface ResolvedExposedPath extends ExposedPathConfig {
+    path: string;
+}
+export declare class PermissionDeniedError extends Error {
+    constructor(message: string);
+}
+export declare function defaultConfig(): LocalPortConfig;
+export declare function expandHomePath(path: string): string;
+export declare function normalizeConfig(config: LocalPortConfig): LocalPortConfig;
+export declare function generateMachineId(): string;
+export declare function isPathInsideRoot(path: string, root: string): boolean;
+export declare function findExposedPath(config: LocalPortConfig, path: string): ResolvedExposedPath;
+export declare function assertPermission(exposedPath: ResolvedExposedPath, permission: keyof PathPermissions): void;

package/dist/permissions.js

@@ -0,0 +1,150 @@
+import { randomUUID } from "node:crypto";
+import { homedir, hostname } from "node:os";
+import { relative, resolve, sep } from "node:path";
+export class PermissionDeniedError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "PermissionDeniedError";
+    }
+}
+export function defaultConfig() {
+    return {
+        machineId: generateMachineId(),
+        machineName: hostname().trim() || "local-computer",
+        host: "127.0.0.1",
+        port: 3939,
+        publicBaseUrl: undefined,
+        publicMcpOnly: false,
+        ownerToken: undefined,
+        workspaces: [
+            {
+                id: "current",
+                name: "Current directory",
+                path: process.cwd(),
+                permissions: {
+                    read: true,
+                    write: true,
+                    shell: true,
+                    codex: false,
+                    screen: false,
+                },
+            },
+        ],
+    };
+}
+export function expandHomePath(path) {
+    if (path === "~")
+        return homedir();
+    if (path.startsWith("~/") || path.startsWith("~\\")) {
+        return resolve(homedir(), path.slice(2));
+    }
+    return path;
+}
+export function normalizeConfig(config) {
+    const workspaces = config.workspaces.map((entry) => ({
+        ...entry,
+        id: entry.id.trim(),
+        name: entry.name.trim() || entry.id.trim(),
+        path: resolve(expandHomePath(entry.path)),
+        permissions: {
+            read: Boolean(entry.permissions.read),
+            write: Boolean(entry.permissions.write),
+            shell: Boolean(entry.permissions.shell),
+            codex: Boolean(entry.permissions.codex),
+            screen: Boolean(entry.permissions.screen),
+        },
+        policy: normalizeWorkspacePolicy(entry.policy),
+    }));
+    assertUniqueWorkspaceIds(workspaces);
+    return {
+        machineId: config.machineId?.trim() || generateMachineId(),
+        machineName: config.machineName?.trim() || hostname().trim() || "local-computer",
+        host: config.host?.trim() || "127.0.0.1",
+        port: normalizePort(config.port),
+        publicBaseUrl: config.publicBaseUrl?.trim() || undefined,
+        publicMcpOnly: Boolean(config.publicMcpOnly),
+        ownerToken: config.ownerToken?.trim() || undefined,
+        workspaces,
+    };
+}
+function normalizeWorkspacePolicy(policy) {
+    if (!policy)
+        return undefined;
+    const normalized = {};
+    const maxRuntimeSeconds = normalizePositiveInteger(policy.maxRuntimeSeconds, 24 * 60 * 60);
+    const maxOutputBytes = normalizePositiveInteger(policy.maxOutputBytes, 10 * 1024 * 1024);
+    const allowedCommands = normalizeStringList(policy.allowedCommands);
+    const deniedCommands = normalizeStringList(policy.deniedCommands);
+    if (maxRuntimeSeconds !== undefined)
+        normalized.maxRuntimeSeconds = maxRuntimeSeconds;
+    if (maxOutputBytes !== undefined)
+        normalized.maxOutputBytes = maxOutputBytes;
+    if (allowedCommands.length > 0)
+        normalized.allowedCommands = allowedCommands;
+    if (deniedCommands.length > 0)
+        normalized.deniedCommands = deniedCommands;
+    return Object.keys(normalized).length > 0 ? normalized : undefined;
+}
+function normalizePositiveInteger(value, max) {
+    return Number.isInteger(value) && value !== undefined && value > 0 ? Math.min(value, max) : undefined;
+}
+function normalizeStringList(value) {
+    if (!Array.isArray(value))
+        return [];
+    const seen = new Set();
+    const normalized = [];
+    for (const item of value) {
+        const text = typeof item === "string" ? item.trim().replace(/\s+/g, " ") : "";
+        if (!text || seen.has(text))
+            continue;
+        seen.add(text);
+        normalized.push(text);
+    }
+    return normalized.slice(0, 100);
+}
+export function generateMachineId() {
+    return `machine_${randomUUID()}`;
+}
+function assertUniqueWorkspaceIds(workspaces) {
+    const seen = new Set();
+    for (const workspace of workspaces) {
+        if (!workspace.id)
+            throw new Error("Workspace id is required");
+        if (seen.has(workspace.id))
+            throw new Error(`Duplicate workspace id: ${workspace.id}`);
+        seen.add(workspace.id);
+    }
+}
+function normalizePort(port) {
+    if (port === undefined)
+        return 3939;
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`Invalid port: ${port}`);
+    }
+    return port;
+}
+export function isPathInsideRoot(path, root) {
+    const resolvedPath = resolve(expandHomePath(path));
+    const resolvedRoot = resolve(expandHomePath(root));
+    const relationship = relative(resolvedRoot, resolvedPath);
+    return (relationship === "" ||
+        (!relationship.startsWith("..") && relationship !== ".." && !relationship.includes(`..${sep}`)));
+}
+export function findExposedPath(config, path) {
+    const resolvedPath = resolve(expandHomePath(path));
+    const match = config.workspaces
+        .filter((entry) => isPathInsideRoot(resolvedPath, entry.path))
+        .sort((a, b) => resolve(expandHomePath(b.path)).length - resolve(expandHomePath(a.path)).length)[0];
+    if (!match) {
+        throw new PermissionDeniedError(`Path is outside exposed paths: ${path}`);
+    }
+    return {
+        ...match,
+        path: resolve(expandHomePath(match.path)),
+    };
+}
+export function assertPermission(exposedPath, permission) {
+    if (exposedPath.permissions[permission])
+        return;
+    throw new PermissionDeniedError(`${permission} permission is disabled for exposed path ${exposedPath.id} (${exposedPath.path})`);
+}

package/dist/platform-shell.d.ts

@@ -0,0 +1,28 @@
+export interface ShellCommand {
+    command: string;
+    args: string[];
+    windowsVerbatimArguments?: boolean;
+}
+export declare function shellCommand(command: string, options?: {
+    platform?: NodeJS.Platform;
+    shell?: string;
+    comSpec?: string;
+}): ShellCommand;
+export declare function resolveExecutableCommand(command: string, options?: {
+    platform?: NodeJS.Platform;
+    env?: NodeJS.ProcessEnv;
+}): string;
+export declare function executableCommand(command: string, args: string[], options?: {
+    platform?: NodeJS.Platform;
+    env?: NodeJS.ProcessEnv;
+    shell?: string;
+    comSpec?: string;
+}): ShellCommand;
+export declare function windowsVerbatimArgumentsOption(command: ShellCommand): object;
+export declare function findExecutableCommand(command: string, options?: {
+    platform?: NodeJS.Platform;
+    env?: NodeJS.ProcessEnv;
+}): string | undefined;
+export declare function shouldRunExecutableThroughShell(command: string, options?: {
+    platform?: NodeJS.Platform;
+}): boolean;