npm - @elizaos/plugin-mcp - Versions diffs - 2.0.0-beta.1 → 2.0.11-beta.7 - Mend

@elizaos/plugin-mcp 2.0.0-beta.1 → 2.0.11-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +55 -226
package/dist/cjs/index.cjs +106 -28
package/dist/cjs/index.js.map +11 -11
package/dist/node/actions/mcp.d.ts.map +1 -1
package/dist/node/index.d.ts.map +1 -1
package/dist/node/index.js +106 -28
package/dist/node/index.js.map +11 -11
package/dist/node/prompts.d.ts +8 -8
package/dist/node/prompts.d.ts.map +1 -1
package/dist/node/routes-mcp.d.ts.map +1 -1
package/dist/node/service.d.ts +1 -0
package/dist/node/service.d.ts.map +1 -1
package/dist/node/types.d.ts +0 -4
package/dist/node/types.d.ts.map +1 -1
package/dist/node/utils/schemas.d.ts +0 -4
package/dist/node/utils/schemas.d.ts.map +1 -1
package/dist/node/utils/selection.d.ts.map +1 -1
package/package.json +18 -5

package/dist/node/actions/mcp.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../../src/actions/mcp.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,MAAM,EAIX,KAAK,cAAc,EAEnB,KAAK,MAAM,EAGZ,MAAM,eAAe,CAAC;AAqBvB,eAAO,MAAM,kBAAkB,QAAQ,CAAC;AAExC,MAAM,MAAM,KAAK,GAAG,WAAW,GAAG,eAAe,GAAG,gBAAgB,GAAG,kBAAkB,CAAC;AAmU1F,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjD,KAAK,GAAG,IAAI,CAId;AAED,eAAO,MAAM,SAAS,EAAE,~~MA4JvB~~,CAAC"}
1	+ {"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../../src/actions/mcp.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,MAAM,EAIX,KAAK,cAAc,EAEnB,KAAK,MAAM,EAGZ,MAAM,eAAe,CAAC;AAqBvB,eAAO,MAAM,kBAAkB,QAAQ,CAAC;AAExC,MAAM,MAAM,KAAK,GAAG,WAAW,GAAG,eAAe,GAAG,gBAAgB,GAAG,kBAAkB,CAAC;AAmU1F,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjD,KAAK,GAAG,IAAI,CAId;AAED,eAAO,MAAM,SAAS,EAAE,MA6JvB,CAAC"}

package/dist/node/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,MAAM,EAEZ,MAAM,eAAe,CAAC;AAoBvB,QAAA,MAAM,SAAS,EAAE,~~MAWhB~~,CAAC;AAEF,eAAe,SAAS,CAAC;AAEzB,OAAO,EAAE,eAAe,EAAE,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,MAAM,EAEZ,MAAM,eAAe,CAAC;AAoBvB,QAAA,MAAM,SAAS,EAAE,MAgBhB,CAAC;AAEF,eAAe,SAAS,CAAC;AAEzB,OAAO,EAAE,eAAe,EAAE,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/node/index.js CHANGED Viewed

@@ -534,15 +534,15 @@ var resourceAnalysisTemplate = `{{{mcpProvider.text}}}
 # Prompt
-You are a helpful assistant responding to a user's request. You've just accessed the resource "{{{uri}}}" to help answer this request.
+Respond to the user's request using the resource "{{{uri}}}".
 Original user request: "{{{userMessage}}}"
 Resource metadata:
-{{{resourceMeta}}
+{{{resourceMeta}}}
 Resource content:
-{{{resourceContent}}
+{{{resourceContent}}}
 Instructions:
 1. Analyze how well the resource's content addresses the user's specific question or need
@@ -559,7 +559,7 @@ var resourceSelectionTemplate = `{{{mcpProvider.text}}}
 # Prompt
-You are an intelligent assistant helping select the right resource to address a user's request.
+Select the right resource to address the user's request.
 CRITICAL INSTRUCTIONS:
 1. You MUST specify both a valid serverName AND uri from the list above
@@ -602,7 +602,7 @@ var toolReasoningTemplate = `{{{mcpProvider.text}}}
 # Prompt
-You are a helpful assistant responding to a user's request. You've just used the "{{{toolName}}}" tool from the "{{{serverName}}}" server to help answer this request.
+Synthesize the result from the "{{{toolName}}}" tool into a response to the user's request.
 Original user request: "{{{userMessage}}}"
@@ -749,13 +749,11 @@ var ResourceSelectionSchema = {
   properties: {
     serverName: {
       type: "string",
-      minLength: 1,
-      errorMessage: "serverName must not be empty"
+      minLength: 1
     },
     uri: {
       type: "string",
-      minLength: 1,
-      errorMessage: "uri must not be empty"
+      minLength: 1
     },
     reasoning: {
       type: "string"
@@ -1159,13 +1157,11 @@ var toolSelectionNameSchema = {
   properties: {
     serverName: {
       type: "string",
-      minLength: 1,
-      errorMessage: "serverName must not be empty"
+      minLength: 1
     },
     toolName: {
       type: "string",
-      minLength: 1,
-      errorMessage: "toolName must not be empty"
+      minLength: 1
     },
     reasoning: {
       type: "string"
@@ -1211,7 +1207,7 @@ function validateToolSelectionName(parsed, state) {
   const data = basicResult.data;
   const mcpData = state.values.mcp ?? {};
   const server = mcpData[data.serverName];
-  if (!server || server.status !== "connected") {
+  if (server?.status !== "connected") {
     return {
       success: false,
       error: `Server "${data.serverName}" not found or not connected`
@@ -1384,8 +1380,16 @@ async function createToolSelectionName({
   callback,
   mcpProvider
 }) {
+  const stateWithMcp = {
+    ...state,
+    values: {
+      ...state.values,
+      mcp: state.values.mcp ?? mcpProvider.data.mcp,
+      mcpProvider
+    }
+  };
   const toolSelectionPrompt = composePromptFromState3({
-    state: { ...state, values: { ...state.values, mcpProvider } },
+    state: stateWithMcp,
     template: toolSelectionNameTemplate
   });
   const toolSelectionName = await runtime.useModel(ModelType4.TEXT_LARGE, {
@@ -1394,10 +1398,10 @@ async function createToolSelectionName({
   return await withModelRetry({
     runtime,
     message,
-    state,
+    state: stateWithMcp,
     callback,
     input: toolSelectionName,
-    validationFn: (parsed) => validateToolSelectionName(parsed, state),
+    validationFn: (parsed) => validateToolSelectionName(parsed, stateWithMcp),
     createFeedbackPromptFn: (originalResponse, errorMessage, composedState, userMessage) => createToolSelectionFeedbackPrompt(typeof originalResponse === "string" ? originalResponse : JSON.stringify(originalResponse), errorMessage, composedState, userMessage),
     failureMsg: "I'm having trouble figuring out the best way to help with your request."
   });
@@ -1884,6 +1888,7 @@ var provider = {
 // src/service.ts
 import { logger as logger2, Service } from "@elizaos/core";
+import { validateMcpServerConfig } from "@elizaos/security/mcp-server-config";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
@@ -1984,15 +1989,28 @@ class McpService extends Service {
     }
     return;
   }
+  async filterValidatedServerConfigs(serverConfigs) {
+    const validated = {};
+    for (const [name, config] of Object.entries(serverConfigs)) {
+      const rejection = await validateMcpServerConfig(config);
+      if (rejection) {
+        logger2.error({ server: name, rejection }, "Skipping MCP server with invalid or unsafe config");
+        continue;
+      }
+      validated[name] = config;
+    }
+    return validated;
+  }
   async updateServerConnections(serverConfigs) {
+    const safeConfigs = await this.filterValidatedServerConfigs(serverConfigs);
     const currentNames = new Set(this.connections.keys());
-    const newNames = new Set(Object.keys(serverConfigs));
+    const newNames = new Set(Object.keys(safeConfigs));
     for (const name of currentNames) {
       if (!newNames.has(name)) {
         await this.deleteConnection(name);
       }
     }
-    const connectionPromises = Object.entries(serverConfigs).map(async ([name, config]) => {
+    const connectionPromises = Object.entries(safeConfigs).map(async ([name, config]) => {
       const currentConnection = this.connections.get(name);
       if (!currentConnection) {
         await this.initializeConnection(name, config);
@@ -2138,9 +2156,16 @@ class McpService extends Service {
   async deleteConnection(name) {
     const connection = this.connections.get(name);
     if (connection) {
-      await connection.transport.close();
-      await connection.client.close();
+      const closeResults = await Promise.allSettled([
+        connection.transport.close(),
+        connection.client.close()
+      ]);
       this.connections.delete(name);
+      for (const result of closeResults) {
+        if (result.status === "rejected") {
+          logger2.warn({ error: result.reason, serverName: name }, `Failed to close MCP connection resource for "${name}"`);
+        }
+      }
     }
     const state = this.connectionStates.get(name);
     if (state) {
@@ -2158,6 +2183,17 @@ class McpService extends Service {
     if (!config.command) {
       throw new Error(`Missing command for stdio MCP server ${name}`);
     }
+    const rejection = await validateMcpServerConfig({
+      type: "stdio",
+      command: config.command,
+      args: config.args,
+      env: config.env,
+      cwd: config.cwd,
+      timeoutInMillis: config.timeoutInMillis
+    });
+    if (rejection) {
+      throw new Error(`MCP stdio server "${name}" rejected at spawn: ${rejection}`);
+    }
     return new StdioClientTransport({
       command: config.command,
       args: config.args ? [...config.args] : undefined,
@@ -2173,6 +2209,13 @@ class McpService extends Service {
     if (!config.url) {
       throw new Error(`Missing URL for HTTP MCP server ${name}`);
     }
+    const rejection = await validateMcpServerConfig({
+      type: config.type,
+      url: config.url
+    });
+    if (rejection) {
+      throw new Error(`MCP remote server "${name}" rejected at connect: ${rejection}`);
+    }
     return new SSEClientTransport(new URL(config.url));
   }
   appendErrorMessage(connection, error) {
@@ -2364,12 +2407,17 @@ async function getMcpServerDetails(name) {
 }
 // src/routes-mcp.ts
+var MCP_MARKETPLACE_QUERY_MAX_LENGTH = 200;
+var MCP_MARKETPLACE_SERVER_NAME_MAX_LENGTH = 200;
 function parseClampedInteger(value, options = {}) {
   const raw = value == null ? "" : value.trim();
   if (!raw)
     return Number.isFinite(options.fallback) ? options.fallback : undefined;
-  const parsed = Number.parseInt(raw, 10);
-  if (!Number.isFinite(parsed)) {
+  if (!/^[+-]?\d+$/.test(raw)) {
+    return Number.isFinite(options.fallback) ? options.fallback : undefined;
+  }
+  const parsed = Number(raw);
+  if (!Number.isSafeInteger(parsed)) {
     return Number.isFinite(options.fallback) ? options.fallback : undefined;
   }
   if (options.min !== undefined && parsed < options.min)
@@ -2378,10 +2426,23 @@ function parseClampedInteger(value, options = {}) {
     return options.max;
   return parsed;
 }
+function normalizeBoundedString(value, maxLength, label) {
+  const normalized = value.trim();
+  if (normalized.length > maxLength) {
+    throw new RangeError(`${label} must be ${maxLength} characters or fewer`);
+  }
+  return normalized;
+}
 async function handleMcpRoutes(ctx) {
   const { req, res, method, pathname, url, state, json, error, readJsonBody } = ctx;
   if (method === "GET" && pathname === "/api/mcp/marketplace/search") {
-    const query = url.searchParams.get("q") ?? "";
+    let query;
+    try {
+      query = normalizeBoundedString(url.searchParams.get("q") ?? "", MCP_MARKETPLACE_QUERY_MAX_LENGTH, "Marketplace search query");
+    } catch (err) {
+      error(res, err instanceof Error ? err.message : String(err), 400);
+      return true;
+    }
     const limitStr = url.searchParams.get("limit");
     const limit = limitStr ? parseClampedInteger(limitStr, { min: 1, max: 50, fallback: 30 }) : 30;
     try {
@@ -2396,14 +2457,21 @@ async function handleMcpRoutes(ctx) {
     const serverName = ctx.decodePathComponent(pathname.slice("/api/mcp/marketplace/details/".length), res, "server name");
     if (serverName === null)
       return true;
-    if (!serverName.trim()) {
+    let normalizedServerName;
+    try {
+      normalizedServerName = normalizeBoundedString(serverName, MCP_MARKETPLACE_SERVER_NAME_MAX_LENGTH, "Server name");
+    } catch (err) {
+      error(res, err instanceof Error ? err.message : String(err), 400);
+      return true;
+    }
+    if (!normalizedServerName) {
       error(res, "Server name is required", 400);
       return true;
     }
     try {
-      const details = await getMcpServerDetails(serverName);
+      const details = await getMcpServerDetails(normalizedServerName);
       if (!details) {
-        error(res, `MCP server "${serverName}" not found`, 404);
+        error(res, `MCP server "${normalizedServerName}" not found`, 404);
         return true;
       }
       json(res, { ok: true, server: details });
@@ -2491,6 +2559,12 @@ async function handleMcpRoutes(ctx) {
         error(res, "servers must be a JSON object", 400);
         return true;
       }
+      for (const serverName of Object.keys(body.servers)) {
+        if (ctx.isBlockedObjectKey(serverName)) {
+          error(res, 'Invalid server name: "__proto__", "constructor", and "prototype" are reserved', 400);
+          return true;
+        }
+      }
       const mcpRejection = await ctx.resolveMcpServersRejection(body.servers);
       if (mcpRejection) {
         error(res, mcpRejection, 400);
@@ -2558,6 +2632,10 @@ var mcpPlugin = {
   init: async (_config, _runtime) => {
     logger4.info("Initializing MCP plugin...");
   },
+  async dispose(runtime) {
+    const svc = runtime.getService(McpService.serviceType);
+    await svc?.stop();
+  },
   services: [McpService],
   actions: [...promoteSubactionsToActions(withMcpContext(mcpAction))],
   providers: [provider]
@@ -2568,4 +2646,4 @@ export {
   src_default as default
 };
-//# debugId=BAE4A5B3EC26EDA264756E2164756E21
+//# debugId=52D6DFF1F6887D8364756E2164756E21