@evantahler/mcpcli 0.1.1

package/src/client/http.ts

@@ -0,0 +1,99 @@
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import { dim } from "ansis";
+import type { HttpServerConfig } from "../config/schemas.ts";
+
+type FetchLike = (url: string | URL, init?: RequestInit) => Promise<Response>;
+
+export function createHttpTransport(
+  config: HttpServerConfig,
+  authProvider?: OAuthClientProvider,
+  verbose = false,
+  showSecrets = false,
+): StreamableHTTPClientTransport {
+  const requestInit: RequestInit = {};
+  if (config.headers) {
+    requestInit.headers = config.headers;
+  }
+
+  return new StreamableHTTPClientTransport(new URL(config.url), {
+    authProvider,
+    requestInit: Object.keys(requestInit).length > 0 ? requestInit : undefined,
+    fetch: verbose ? createDebugFetch(showSecrets) : undefined,
+  });
+}
+
+function createDebugFetch(showSecrets: boolean): FetchLike {
+  const isTTY = process.stderr.isTTY ?? false;
+  const fmt = (s: string) => (isTTY ? dim(s) : s);
+
+  return async (url, init) => {
+    const start = performance.now();
+
+    // Request
+    log(fmt(`> ${init?.method ?? "GET"} ${url}`));
+    logHeaders(">", init?.headers, fmt, showSecrets);
+    log(fmt(">"));
+    if (init?.body) {
+      logBody(String(init.body), fmt);
+    }
+
+    const response = await fetch(url, init);
+    const elapsed = Math.round(performance.now() - start);
+
+    // Response
+    log(fmt(`< ${response.status} ${response.statusText} (${elapsed}ms)`));
+    logHeaders("<", response.headers, fmt, showSecrets);
+    log(fmt("<"));
+
+    return response;
+  };
+}
+
+function log(line: string) {
+  process.stderr.write(line + "\n");
+}
+
+function logHeaders(
+  prefix: string,
+  headers: HeadersInit | Headers | undefined,
+  fmt: (s: string) => string,
+  showSecrets: boolean,
+) {
+  if (!headers) return;
+
+  const format = (key: string, value: string) =>
+    fmt(`${prefix} ${key}: ${showSecrets ? value : maskSensitive(key, value)}`);
+
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => log(format(key, value)));
+  } else if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      log(format(key, value));
+    }
+  } else {
+    for (const [key, value] of Object.entries(headers)) {
+      log(format(key, value));
+    }
+  }
+}
+
+function logBody(body: string, fmt: (s: string) => string) {
+  try {
+    const formatted = JSON.stringify(JSON.parse(body), null, 2);
+    for (const line of formatted.split("\n")) {
+      log(fmt(line));
+    }
+  } catch {
+    log(fmt(body));
+  }
+}
+
+function maskSensitive(key: string, value: string): string {
+  const lower = key.toLowerCase();
+  if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
+    if (value.length <= 12) return value;
+    return value.slice(0, 12) + "...";
+  }
+  return value;
+}

package/src/client/manager.ts

@@ -0,0 +1,204 @@
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
+import picomatch from "picomatch";
+import type { Tool, ServerConfig, ServersFile, AuthFile } from "../config/schemas.ts";
+import { isStdioServer, isHttpServer } from "../config/schemas.ts";
+import { createStdioTransport } from "./stdio.ts";
+import { createHttpTransport } from "./http.ts";
+import { McpOAuthProvider } from "./oauth.ts";
+
+export interface ToolWithServer {
+  server: string;
+  tool: Tool;
+}
+
+export interface ServerError {
+  server: string;
+  message: string;
+}
+
+export class ServerManager {
+  private clients = new Map<string, Client>();
+  private transports = new Map<string, Transport>();
+  private oauthProviders = new Map<string, McpOAuthProvider>();
+  private servers: ServersFile;
+  private configDir: string;
+  private auth: AuthFile;
+  private concurrency: number;
+  private verbose: boolean;
+  private showSecrets: boolean;
+
+  constructor(
+    servers: ServersFile,
+    configDir: string,
+    auth: AuthFile,
+    concurrency = 5,
+    verbose = false,
+    showSecrets = false,
+  ) {
+    this.servers = servers;
+    this.configDir = configDir;
+    this.auth = auth;
+    this.concurrency = concurrency;
+    this.verbose = verbose;
+    this.showSecrets = showSecrets;
+  }
+
+  /** Get or create a connected client for a server */
+  async getClient(serverName: string): Promise<Client> {
+    const existing = this.clients.get(serverName);
+    if (existing) return existing;
+
+    const config = this.servers.mcpServers[serverName];
+    if (!config) {
+      throw new Error(`Unknown server: "${serverName}"`);
+    }
+
+    // Auto-refresh expired OAuth tokens before connecting to HTTP servers
+    if (isHttpServer(config)) {
+      const provider = this.getOrCreateOAuthProvider(serverName);
+      if (!provider.isComplete()) {
+        throw new Error(`Not authenticated with "${serverName}". Run: mcpcli auth ${serverName}`);
+      }
+      try {
+        await provider.refreshIfNeeded(config.url);
+      } catch {
+        // If refresh fails, continue — the transport will send the existing token
+      }
+    }
+
+    const transport = this.createTransport(serverName, config);
+    this.transports.set(serverName, transport);
+
+    const client = new Client({ name: "mcpcli", version: "0.1.0" });
+    await client.connect(transport);
+    this.clients.set(serverName, client);
+
+    return client;
+  }
+
+  private getOrCreateOAuthProvider(serverName: string): McpOAuthProvider {
+    let provider = this.oauthProviders.get(serverName);
+    if (!provider) {
+      provider = new McpOAuthProvider({
+        serverName,
+        configDir: this.configDir,
+        auth: this.auth,
+      });
+      this.oauthProviders.set(serverName, provider);
+    }
+    return provider;
+  }
+
+  private createTransport(serverName: string, config: ServerConfig): Transport {
+    if (isStdioServer(config)) {
+      return createStdioTransport(config);
+    }
+    if (isHttpServer(config)) {
+      // Only pass the OAuth provider if the server already has tokens.
+      // Without tokens, passing the provider causes the SDK transport to
+      // auto-trigger the browser OAuth flow on 401, which fails because
+      // there's no callback server running. Users must run `mcpcli auth <server>` first.
+      const provider = this.getOrCreateOAuthProvider(serverName);
+      return createHttpTransport(
+        config,
+        provider.isComplete() ? provider : undefined,
+        this.verbose,
+        this.showSecrets,
+      );
+    }
+    throw new Error("Invalid server config");
+  }
+
+  /** List tools for a single server, applying allowedTools/disabledTools filters */
+  async listTools(serverName: string): Promise<Tool[]> {
+    const client = await this.getClient(serverName);
+    const result = await client.listTools();
+    const config = this.servers.mcpServers[serverName]!;
+    return filterTools(result.tools, config.allowedTools, config.disabledTools);
+  }
+
+  /** List tools across all configured servers */
+  async getAllTools(): Promise<{ tools: ToolWithServer[]; errors: ServerError[] }> {
+    const serverNames = Object.keys(this.servers.mcpServers);
+    const tools: ToolWithServer[] = [];
+    const errors: ServerError[] = [];
+
+    // Process in batches of `concurrency`
+    for (let i = 0; i < serverNames.length; i += this.concurrency) {
+      const batch = serverNames.slice(i, i + this.concurrency);
+      const batchResults = await Promise.allSettled(
+        batch.map(async (name) => {
+          const serverTools = await this.listTools(name);
+          return serverTools.map((tool) => ({ server: name, tool }));
+        }),
+      );
+
+      for (let j = 0; j < batchResults.length; j++) {
+        const result = batchResults[j]!;
+        if (result.status === "fulfilled") {
+          tools.push(...result.value);
+        } else {
+          const name = batch[j]!;
+          const message =
+            result.reason instanceof Error ? result.reason.message : String(result.reason);
+          errors.push({ server: name, message });
+        }
+      }
+    }
+
+    return { tools, errors };
+  }
+
+  /** Call a tool on a specific server */
+  async callTool(
+    serverName: string,
+    toolName: string,
+    args: Record<string, unknown> = {},
+  ): Promise<unknown> {
+    const client = await this.getClient(serverName);
+    return client.callTool({ name: toolName, arguments: args });
+  }
+
+  /** Get the schema for a specific tool */
+  async getToolSchema(serverName: string, toolName: string): Promise<Tool | undefined> {
+    const tools = await this.listTools(serverName);
+    return tools.find((t) => t.name === toolName);
+  }
+
+  /** Get all server names */
+  getServerNames(): string[] {
+    return Object.keys(this.servers.mcpServers);
+  }
+
+  /** Disconnect all clients */
+  async close(): Promise<void> {
+    const closePromises = [...this.clients.entries()].map(async ([name, client]) => {
+      try {
+        await client.close();
+      } catch {
+        // Ignore close errors
+      }
+      this.clients.delete(name);
+      this.transports.delete(name);
+    });
+    await Promise.allSettled(closePromises);
+  }
+}
+
+/** Apply allowedTools/disabledTools glob filters to a tool list */
+function filterTools(tools: Tool[], allowedTools?: string[], disabledTools?: string[]): Tool[] {
+  let filtered = tools;
+
+  if (allowedTools && allowedTools.length > 0) {
+    const isAllowed = picomatch(allowedTools);
+    filtered = filtered.filter((t) => isAllowed(t.name));
+  }
+
+  if (disabledTools && disabledTools.length > 0) {
+    const isDisabled = picomatch(disabledTools);
+    filtered = filtered.filter((t) => !isDisabled(t.name));
+  }
+
+  return filtered;
+}

package/src/client/oauth.ts

@@ -0,0 +1,263 @@
+import { exec } from "child_process";
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import { auth, refreshAuthorization } from "@modelcontextprotocol/sdk/client/auth.js";
+import type {
+  OAuthClientMetadata,
+  OAuthClientInformationMixed,
+  OAuthTokens,
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+import type { AuthFile } from "../config/schemas.ts";
+import { saveAuth } from "../config/loader.ts";
+
+export class McpOAuthProvider implements OAuthClientProvider {
+  private serverName: string;
+  private configDir: string;
+  private auth: AuthFile;
+  private _codeVerifier?: string;
+  private _callbackPort = 0;
+
+  constructor(opts: { serverName: string; configDir: string; auth: AuthFile }) {
+    this.serverName = opts.serverName;
+    this.configDir = opts.configDir;
+    this.auth = opts.auth;
+  }
+
+  get redirectUrl(): string {
+    return `http://127.0.0.1:${this._callbackPort}/callback`;
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return {
+      redirect_uris: [`http://127.0.0.1:${this._callbackPort}/callback`],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      client_name: "mcpcli",
+      token_endpoint_auth_method: "none",
+    };
+  }
+
+  clientInformation(): OAuthClientInformationMixed | undefined {
+    const entry = this.auth[this.serverName];
+    // During an active auth flow, return client_info even if incomplete.
+    // For normal usage (transport), the manager checks isComplete() separately.
+    return entry?.client_info;
+  }
+
+  async saveClientInformation(info: OAuthClientInformationMixed): Promise<void> {
+    if (!this.auth[this.serverName]) {
+      this.auth[this.serverName] = { tokens: {} as OAuthTokens };
+    }
+    this.auth[this.serverName]!.client_info = info;
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  tokens(): OAuthTokens | undefined {
+    return this.auth[this.serverName]?.tokens;
+  }
+
+  async saveTokens(tokens: OAuthTokens): Promise<void> {
+    if (!this.auth[this.serverName]) {
+      this.auth[this.serverName] = { tokens };
+    } else {
+      this.auth[this.serverName]!.tokens = tokens;
+    }
+
+    // Compute expires_at from expires_in
+    if (tokens.expires_in) {
+      const expiresAt = new Date(Date.now() + tokens.expires_in * 1000);
+      this.auth[this.serverName]!.expires_at = expiresAt.toISOString();
+    }
+
+    // Mark auth as complete — tokens have been successfully obtained
+    this.auth[this.serverName]!.complete = true;
+
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  async redirectToAuthorization(url: URL): Promise<void> {
+    const urlStr = url.toString();
+
+    if (process.stderr.isTTY) {
+      const { dim } = await import("ansis");
+      process.stderr.write(`${dim(urlStr)}\n`);
+    }
+
+    const cmd =
+      process.platform === "darwin"
+        ? `open "${urlStr}"`
+        : process.platform === "win32"
+          ? `start "${urlStr}"`
+          : `xdg-open "${urlStr}"`;
+
+    return new Promise((resolve, reject) => {
+      exec(cmd, (err) => (err ? reject(err) : resolve()));
+    });
+  }
+
+  async saveCodeVerifier(v: string): Promise<void> {
+    this._codeVerifier = v;
+  }
+
+  codeVerifier(): string {
+    if (!this._codeVerifier) {
+      throw new Error("Code verifier not set");
+    }
+    return this._codeVerifier;
+  }
+
+  async invalidateCredentials(
+    scope: "all" | "client" | "tokens" | "verifier" | "discovery",
+  ): Promise<void> {
+    const entry = this.auth[this.serverName];
+    if (!entry) return;
+
+    switch (scope) {
+      case "all":
+        delete this.auth[this.serverName];
+        break;
+      case "client":
+        delete entry.client_info;
+        break;
+      case "tokens":
+        delete this.auth[this.serverName];
+        // Re-create entry without tokens but keep client_info
+        if (entry.client_info) {
+          this.auth[this.serverName] = {
+            tokens: {} as OAuthTokens,
+            client_info: entry.client_info,
+          };
+        }
+        break;
+      case "verifier":
+        this._codeVerifier = undefined;
+        return; // No need to persist
+      case "discovery":
+        return; // Nothing to clear locally
+    }
+
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  /** Whether the auth flow completed successfully (tokens were obtained) */
+  isComplete(): boolean {
+    return !!this.auth[this.serverName]?.complete;
+  }
+
+  /** Clear any incomplete auth state from a previously cancelled flow */
+  async clearIncomplete(): Promise<void> {
+    const entry = this.auth[this.serverName];
+    if (entry && !entry.complete) {
+      delete this.auth[this.serverName];
+      await saveAuth(this.configDir, this.auth);
+    }
+  }
+
+  setCallbackPort(port: number): void {
+    this._callbackPort = port;
+  }
+
+  isExpired(): boolean {
+    const entry = this.auth[this.serverName];
+    if (!entry?.expires_at) return false;
+    return new Date(entry.expires_at) <= new Date();
+  }
+
+  hasRefreshToken(): boolean {
+    const tokens = this.auth[this.serverName]?.tokens;
+    return !!tokens?.refresh_token;
+  }
+
+  async refreshIfNeeded(serverUrl: string): Promise<void> {
+    if (!this.isExpired()) return;
+
+    if (!this.hasRefreshToken()) {
+      throw new Error(
+        `Token expired for "${this.serverName}" and no refresh token available. Run: mcpcli auth ${this.serverName}`,
+      );
+    }
+
+    const clientInfo = this.clientInformation();
+    if (!clientInfo) {
+      throw new Error(
+        `No client information for "${this.serverName}". Run: mcpcli auth ${this.serverName}`,
+      );
+    }
+
+    const tokens = await refreshAuthorization(serverUrl, {
+      clientInformation: clientInfo,
+      refreshToken: this.auth[this.serverName]!.tokens.refresh_token!,
+    });
+
+    await this.saveTokens(tokens);
+  }
+}
+
+/** Start a local callback server to receive the OAuth authorization code */
+export function startCallbackServer(): {
+  server: ReturnType<typeof Bun.serve>;
+  authCodePromise: Promise<string>;
+} {
+  let resolveCode: (code: string) => void;
+  let rejectCode: (err: Error) => void;
+
+  const authCodePromise = new Promise<string>((resolve, reject) => {
+    resolveCode = resolve;
+    rejectCode = reject;
+  });
+
+  const server = Bun.serve({
+    port: 0,
+    fetch(req) {
+      const url = new URL(req.url);
+      if (url.pathname !== "/callback") {
+        return new Response("Not found", { status: 404 });
+      }
+
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") || error;
+        rejectCode!(new Error(`OAuth error: ${desc}`));
+        return new Response(
+          "<html><body><h1>Authentication Failed</h1><p>You can close this window.</p></body></html>",
+          { headers: { "Content-Type": "text/html" } },
+        );
+      }
+
+      const code = url.searchParams.get("code");
+      if (!code) {
+        rejectCode!(new Error("No authorization code received"));
+        return new Response(
+          "<html><body><h1>Error</h1><p>No authorization code received.</p></body></html>",
+          { headers: { "Content-Type": "text/html" } },
+        );
+      }
+
+      resolveCode!(code);
+      return new Response(
+        "<html><body><h1>Authenticated!</h1><p>You can close this window.</p></body></html>",
+        { headers: { "Content-Type": "text/html" } },
+      );
+    },
+  });
+
+  return { server, authCodePromise };
+}
+
+/** Run a full OAuth authorization flow for an HTTP MCP server */
+export async function runOAuthFlow(serverUrl: string, provider: McpOAuthProvider): Promise<void> {
+  // Clear any leftover state from a previously cancelled auth flow
+  await provider.clearIncomplete();
+
+  const { server, authCodePromise } = startCallbackServer();
+  try {
+    provider.setCallbackPort(server.port);
+
+    const result = await auth(provider, { serverUrl });
+    if (result === "REDIRECT") {
+      const code = await authCodePromise;
+      await auth(provider, { serverUrl, authorizationCode: code });
+    }
+  } finally {
+    server.stop();
+  }
+}

package/src/client/stdio.ts

@@ -0,0 +1,12 @@
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import type { StdioServerConfig } from "../config/schemas.ts";
+
+export function createStdioTransport(config: StdioServerConfig): StdioClientTransport {
+  return new StdioClientTransport({
+    command: config.command,
+    args: config.args,
+    env: config.env ? { ...process.env, ...config.env } : undefined,
+    cwd: config.cwd,
+    stderr: "pipe",
+  });
+}

package/src/commands/auth.ts

@@ -0,0 +1,106 @@
+import type { Command } from "commander";
+import { getContext } from "../context.ts";
+import { isHttpServer } from "../config/schemas.ts";
+import { saveAuth } from "../config/loader.ts";
+import { McpOAuthProvider, runOAuthFlow } from "../client/oauth.ts";
+import { startSpinner } from "../output/spinner.ts";
+
+export function registerAuthCommand(program: Command) {
+  program
+    .command("auth <server>")
+    .description("authenticate with an HTTP MCP server")
+    .option("-s, --status", "check auth status and token TTL")
+    .option("-r, --refresh", "force token refresh")
+    .action(async (server: string, options: { status?: boolean; refresh?: boolean }) => {
+      const { config, formatOptions } = await getContext(program);
+
+      const serverConfig = config.servers.mcpServers[server];
+      if (!serverConfig) {
+        console.error(`Unknown server: "${server}"`);
+        process.exit(1);
+      }
+      if (!isHttpServer(serverConfig)) {
+        console.error(
+          `Server "${server}" is not an HTTP server — OAuth only applies to HTTP servers`,
+        );
+        process.exit(1);
+      }
+
+      const provider = new McpOAuthProvider({
+        serverName: server,
+        configDir: config.configDir,
+        auth: config.auth,
+      });
+
+      if (options.status) {
+        showStatus(server, provider);
+        return;
+      }
+
+      if (options.refresh) {
+        const spinner = startSpinner(`Refreshing token for "${server}"…`, formatOptions);
+        try {
+          await provider.refreshIfNeeded(serverConfig.url);
+          spinner.success(`Token refreshed for "${server}"`);
+        } catch (err) {
+          spinner.error(`Refresh failed: ${err instanceof Error ? err.message : err}`);
+          process.exit(1);
+        }
+        return;
+      }
+
+      // Default: full OAuth flow
+      const spinner = startSpinner(`Authenticating with "${server}"…`, formatOptions);
+      try {
+        await runOAuthFlow(serverConfig.url, provider);
+        spinner.success(`Authenticated with "${server}"`);
+      } catch (err) {
+        spinner.error(`Authentication failed: ${err instanceof Error ? err.message : err}`);
+        process.exit(1);
+      }
+    });
+}
+
+export function registerDeauthCommand(program: Command) {
+  program
+    .command("deauth <server>")
+    .description("remove stored authentication for a server")
+    .action(async (server: string) => {
+      const { config } = await getContext(program);
+
+      if (!config.auth[server]) {
+        console.log(`No auth stored for "${server}"`);
+        return;
+      }
+
+      delete config.auth[server];
+      await saveAuth(config.configDir, config.auth);
+      console.log(`Deauthenticated "${server}"`);
+    });
+}
+
+function showStatus(server: string, provider: McpOAuthProvider) {
+  if (!provider.isComplete()) {
+    console.log(`${server}: not authenticated`);
+    return;
+  }
+
+  const expired = provider.isExpired();
+  const hasRefresh = provider.hasRefreshToken();
+  const status = expired ? "expired" : "authenticated";
+
+  console.log(`${server}: ${status}`);
+  if (hasRefresh) {
+    console.log("  refresh token: present");
+  }
+
+  if (!expired) {
+    // Show TTL if we have expires_at from the auth entry
+    const entry = provider["auth"][server];
+    if (entry?.expires_at) {
+      const remaining = new Date(entry.expires_at).getTime() - Date.now();
+      const minutes = Math.round(remaining / 60000);
+      console.log(`  expires in: ${minutes} minutes`);
+    }
+  }
+}