@evantahler/mcpx 0.15.0

package/.claude/worktrees/elastic-jennings/src/client/http.ts

@@ -0,0 +1,100 @@
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import { dim } from "ansis";
+import type { HttpServerConfig } from "../config/schemas.ts";
+import { logger } from "../output/logger.ts";
+
+type FetchLike = (url: string | URL, init?: RequestInit) => Promise<Response>;
+
+export function createHttpTransport(
+  config: HttpServerConfig,
+  authProvider?: OAuthClientProvider,
+  verbose = false,
+  showSecrets = false,
+): StreamableHTTPClientTransport {
+  const requestInit: RequestInit = {};
+  if (config.headers) {
+    requestInit.headers = config.headers;
+  }
+
+  return new StreamableHTTPClientTransport(new URL(config.url), {
+    authProvider,
+    requestInit: Object.keys(requestInit).length > 0 ? requestInit : undefined,
+    fetch: verbose ? createDebugFetch(showSecrets) : undefined,
+  });
+}
+
+function createDebugFetch(showSecrets: boolean): FetchLike {
+  const isTTY = process.stderr.isTTY ?? false;
+  const fmt = (s: string) => (isTTY ? dim(s) : s);
+
+  return async (url, init) => {
+    const start = performance.now();
+
+    // Request
+    log(fmt(`> ${init?.method ?? "GET"} ${url}`));
+    logHeaders(">", init?.headers, fmt, showSecrets);
+    log(fmt(">"));
+    if (init?.body) {
+      logBody(String(init.body), fmt);
+    }
+
+    const response = await fetch(url, init);
+    const elapsed = Math.round(performance.now() - start);
+
+    // Response
+    log(fmt(`< ${response.status} ${response.statusText} (${elapsed}ms)`));
+    logHeaders("<", response.headers, fmt, showSecrets);
+    log(fmt("<"));
+
+    return response;
+  };
+}
+
+function log(line: string) {
+  logger.writeRaw(line + "\n");
+}
+
+function logHeaders(
+  prefix: string,
+  headers: HeadersInit | Headers | undefined,
+  fmt: (s: string) => string,
+  showSecrets: boolean,
+) {
+  if (!headers) return;
+
+  const format = (key: string, value: string) =>
+    fmt(`${prefix} ${key}: ${showSecrets ? value : maskSensitive(key, value)}`);
+
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => log(format(key, value)));
+  } else if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      log(format(key, value));
+    }
+  } else {
+    for (const [key, value] of Object.entries(headers)) {
+      log(format(key, value));
+    }
+  }
+}
+
+function logBody(body: string, fmt: (s: string) => string) {
+  try {
+    const formatted = JSON.stringify(JSON.parse(body), null, 2);
+    for (const line of formatted.split("\n")) {
+      log(fmt(line));
+    }
+  } catch {
+    log(fmt(body));
+  }
+}
+
+function maskSensitive(key: string, value: string): string {
+  const lower = key.toLowerCase();
+  if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
+    if (value.length <= 12) return value;
+    return value.slice(0, 12) + "...";
+  }
+  return value;
+}

package/.claude/worktrees/elastic-jennings/src/client/manager.ts

@@ -0,0 +1,266 @@
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
+import picomatch from "picomatch";
+import type { Tool, ServerConfig, ServersFile, AuthFile } from "../config/schemas.ts";
+import { isStdioServer, isHttpServer } from "../config/schemas.ts";
+import { createStdioTransport } from "./stdio.ts";
+import { createHttpTransport } from "./http.ts";
+import { McpOAuthProvider } from "./oauth.ts";
+
+export interface ToolWithServer {
+  server: string;
+  tool: Tool;
+}
+
+export interface ServerError {
+  server: string;
+  message: string;
+}
+
+export interface ServerManagerOptions {
+  servers: ServersFile;
+  configDir: string;
+  auth: AuthFile;
+  concurrency?: number;
+  verbose?: boolean;
+  showSecrets?: boolean;
+  timeout?: number; // ms, default 1_800_000 (30 min)
+  maxRetries?: number; // default 3
+}
+
+export class ServerManager {
+  private clients = new Map<string, Client>();
+  private transports = new Map<string, Transport>();
+  private oauthProviders = new Map<string, McpOAuthProvider>();
+  private servers: ServersFile;
+  private configDir: string;
+  private auth: AuthFile;
+  private concurrency: number;
+  private verbose: boolean;
+  private showSecrets: boolean;
+  private timeout: number;
+  private maxRetries: number;
+
+  constructor(opts: ServerManagerOptions) {
+    this.servers = opts.servers;
+    this.configDir = opts.configDir;
+    this.auth = opts.auth;
+    this.concurrency = opts.concurrency ?? 5;
+    this.verbose = opts.verbose ?? false;
+    this.showSecrets = opts.showSecrets ?? false;
+    this.timeout = opts.timeout ?? 1_800_000;
+    this.maxRetries = opts.maxRetries ?? 3;
+  }
+
+  /** Get or create a connected client for a server */
+  async getClient(serverName: string): Promise<Client> {
+    const existing = this.clients.get(serverName);
+    if (existing) return existing;
+
+    const config = this.servers.mcpServers[serverName];
+    if (!config) {
+      throw new Error(`Unknown server: "${serverName}"`);
+    }
+
+    // Auto-refresh expired OAuth tokens before connecting to HTTP servers
+    if (isHttpServer(config)) {
+      const provider = this.getOrCreateOAuthProvider(serverName);
+      if (!provider.isComplete()) {
+        throw new Error(`Not authenticated with "${serverName}". Run: mcpcli auth ${serverName}`);
+      }
+      try {
+        await provider.refreshIfNeeded(config.url);
+      } catch {
+        // If refresh fails, continue — the transport will send the existing token
+      }
+    }
+
+    const transport = this.createTransport(serverName, config);
+    this.transports.set(serverName, transport);
+
+    const client = new Client({ name: "mcpcli", version: "0.1.0" });
+    await this.withTimeout(client.connect(transport), `connect(${serverName})`);
+    this.clients.set(serverName, client);
+
+    return client;
+  }
+
+  private getOrCreateOAuthProvider(serverName: string): McpOAuthProvider {
+    let provider = this.oauthProviders.get(serverName);
+    if (!provider) {
+      provider = new McpOAuthProvider({
+        serverName,
+        configDir: this.configDir,
+        auth: this.auth,
+      });
+      this.oauthProviders.set(serverName, provider);
+    }
+    return provider;
+  }
+
+  private createTransport(serverName: string, config: ServerConfig): Transport {
+    if (isStdioServer(config)) {
+      return createStdioTransport(config);
+    }
+    if (isHttpServer(config)) {
+      // Only pass the OAuth provider if the server already has tokens.
+      // Without tokens, passing the provider causes the SDK transport to
+      // auto-trigger the browser OAuth flow on 401, which fails because
+      // there's no callback server running. Users must run `mcpcli auth <server>` first.
+      const provider = this.getOrCreateOAuthProvider(serverName);
+      return createHttpTransport(
+        config,
+        provider.isComplete() ? provider : undefined,
+        this.verbose,
+        this.showSecrets,
+      );
+    }
+    throw new Error("Invalid server config");
+  }
+
+  /** Race a promise against a timeout */
+  private withTimeout<T>(promise: Promise<T>, label: string): Promise<T> {
+    if (this.timeout <= 0) return promise;
+    let timer: ReturnType<typeof setTimeout>;
+    return Promise.race([
+      promise.finally(() => clearTimeout(timer)),
+      new Promise<never>((_, reject) => {
+        timer = setTimeout(
+          () => reject(new Error(`${label}: timed out after ${this.timeout / 1000}s`)),
+          this.timeout,
+        );
+        timer.unref();
+      }),
+    ]);
+  }
+
+  /** Retry a function up to maxRetries times, clearing cached client between attempts */
+  private async withRetry<T>(fn: () => Promise<T>, label: string, serverName?: string): Promise<T> {
+    let lastError: Error | undefined;
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      try {
+        return await fn();
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < this.maxRetries && serverName) {
+          // Clear cached client so next attempt reconnects fresh
+          try {
+            await this.clients.get(serverName)?.close();
+          } catch {
+            // ignore close errors
+          }
+          this.clients.delete(serverName);
+          this.transports.delete(serverName);
+        }
+      }
+    }
+    throw lastError;
+  }
+
+  /** List tools for a single server, applying allowedTools/disabledTools filters */
+  async listTools(serverName: string): Promise<Tool[]> {
+    return this.withRetry(
+      async () => {
+        const client = await this.getClient(serverName);
+        const result = await this.withTimeout(client.listTools(), `listTools(${serverName})`);
+        const config = this.servers.mcpServers[serverName]!;
+        return filterTools(result.tools, config.allowedTools, config.disabledTools);
+      },
+      `listTools(${serverName})`,
+      serverName,
+    );
+  }
+
+  /** List tools across all configured servers */
+  async getAllTools(): Promise<{ tools: ToolWithServer[]; errors: ServerError[] }> {
+    const serverNames = Object.keys(this.servers.mcpServers);
+    const tools: ToolWithServer[] = [];
+    const errors: ServerError[] = [];
+
+    // Process in batches of `concurrency`
+    for (let i = 0; i < serverNames.length; i += this.concurrency) {
+      const batch = serverNames.slice(i, i + this.concurrency);
+      const batchResults = await Promise.allSettled(
+        batch.map(async (name) => {
+          const serverTools = await this.listTools(name);
+          return serverTools.map((tool) => ({ server: name, tool }));
+        }),
+      );
+
+      for (let j = 0; j < batchResults.length; j++) {
+        const result = batchResults[j]!;
+        if (result.status === "fulfilled") {
+          tools.push(...result.value);
+        } else {
+          const name = batch[j]!;
+          const message =
+            result.reason instanceof Error ? result.reason.message : String(result.reason);
+          errors.push({ server: name, message });
+        }
+      }
+    }
+
+    return { tools, errors };
+  }
+
+  /** Call a tool on a specific server */
+  async callTool(
+    serverName: string,
+    toolName: string,
+    args: Record<string, unknown> = {},
+  ): Promise<unknown> {
+    return this.withRetry(
+      async () => {
+        const client = await this.getClient(serverName);
+        return this.withTimeout(
+          client.callTool({ name: toolName, arguments: args }),
+          `callTool(${serverName}/${toolName})`,
+        );
+      },
+      `callTool(${serverName}/${toolName})`,
+      serverName,
+    );
+  }
+
+  /** Get the schema for a specific tool */
+  async getToolSchema(serverName: string, toolName: string): Promise<Tool | undefined> {
+    const tools = await this.listTools(serverName);
+    return tools.find((t) => t.name === toolName);
+  }
+
+  /** Get all server names */
+  getServerNames(): string[] {
+    return Object.keys(this.servers.mcpServers);
+  }
+
+  /** Disconnect all clients */
+  async close(): Promise<void> {
+    const closePromises = [...this.clients.entries()].map(async ([name, client]) => {
+      try {
+        await client.close();
+      } catch {
+        // Ignore close errors
+      }
+      this.clients.delete(name);
+      this.transports.delete(name);
+    });
+    await Promise.allSettled(closePromises);
+  }
+}
+
+/** Apply allowedTools/disabledTools glob filters to a tool list */
+function filterTools(tools: Tool[], allowedTools?: string[], disabledTools?: string[]): Tool[] {
+  let filtered = tools;
+
+  if (allowedTools && allowedTools.length > 0) {
+    const isAllowed = picomatch(allowedTools);
+    filtered = filtered.filter((t) => isAllowed(t.name));
+  }
+
+  if (disabledTools && disabledTools.length > 0) {
+    const isDisabled = picomatch(disabledTools);
+    filtered = filtered.filter((t) => !isDisabled(t.name));
+  }
+
+  return filtered;
+}

package/.claude/worktrees/elastic-jennings/src/client/oauth.ts

@@ -0,0 +1,299 @@
+import { exec } from "child_process";
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import {
+  auth,
+  discoverOAuthServerInfo,
+  refreshAuthorization,
+} from "@modelcontextprotocol/sdk/client/auth.js";
+import type {
+  OAuthClientMetadata,
+  OAuthClientInformationMixed,
+  OAuthTokens,
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+import type { AuthFile } from "../config/schemas.ts";
+import { saveAuth } from "../config/loader.ts";
+import type { FormatOptions } from "../output/formatter.ts";
+import { logger } from "../output/logger.ts";
+
+export class McpOAuthProvider implements OAuthClientProvider {
+  private serverName: string;
+  private configDir: string;
+  private auth: AuthFile;
+  private _codeVerifier?: string;
+  private _callbackPort = 0;
+
+  constructor(opts: { serverName: string; configDir: string; auth: AuthFile }) {
+    this.serverName = opts.serverName;
+    this.configDir = opts.configDir;
+    this.auth = opts.auth;
+  }
+
+  get redirectUrl(): string {
+    return `http://127.0.0.1:${this._callbackPort}/callback`;
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return {
+      redirect_uris: [`http://127.0.0.1:${this._callbackPort}/callback`],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      client_name: "mcpcli",
+      token_endpoint_auth_method: "none",
+    };
+  }
+
+  clientInformation(): OAuthClientInformationMixed | undefined {
+    const entry = this.auth[this.serverName];
+    // During an active auth flow, return client_info even if incomplete.
+    // For normal usage (transport), the manager checks isComplete() separately.
+    return entry?.client_info;
+  }
+
+  async saveClientInformation(info: OAuthClientInformationMixed): Promise<void> {
+    if (!this.auth[this.serverName]) {
+      this.auth[this.serverName] = { tokens: {} as OAuthTokens };
+    }
+    this.auth[this.serverName]!.client_info = info;
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  tokens(): OAuthTokens | undefined {
+    return this.auth[this.serverName]?.tokens;
+  }
+
+  async saveTokens(tokens: OAuthTokens): Promise<void> {
+    if (!this.auth[this.serverName]) {
+      this.auth[this.serverName] = { tokens };
+    } else {
+      this.auth[this.serverName]!.tokens = tokens;
+    }
+
+    // Compute expires_at from expires_in
+    if (tokens.expires_in) {
+      const expiresAt = new Date(Date.now() + tokens.expires_in * 1000);
+      this.auth[this.serverName]!.expires_at = expiresAt.toISOString();
+    }
+
+    // Mark auth as complete — tokens have been successfully obtained
+    this.auth[this.serverName]!.complete = true;
+
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  async redirectToAuthorization(url: URL): Promise<void> {
+    const urlStr = url.toString();
+
+    logger.info(urlStr);
+
+    const cmd =
+      process.platform === "darwin"
+        ? `open "${urlStr}"`
+        : process.platform === "win32"
+          ? `start "${urlStr}"`
+          : `xdg-open "${urlStr}"`;
+
+    return new Promise((resolve, reject) => {
+      exec(cmd, (err) => (err ? reject(err) : resolve()));
+    });
+  }
+
+  async saveCodeVerifier(v: string): Promise<void> {
+    this._codeVerifier = v;
+  }
+
+  codeVerifier(): string {
+    if (!this._codeVerifier) {
+      throw new Error("Code verifier not set");
+    }
+    return this._codeVerifier;
+  }
+
+  async invalidateCredentials(
+    scope: "all" | "client" | "tokens" | "verifier" | "discovery",
+  ): Promise<void> {
+    const entry = this.auth[this.serverName];
+    if (!entry) return;
+
+    switch (scope) {
+      case "all":
+        delete this.auth[this.serverName];
+        break;
+      case "client":
+        delete entry.client_info;
+        break;
+      case "tokens":
+        delete this.auth[this.serverName];
+        // Re-create entry without tokens but keep client_info
+        if (entry.client_info) {
+          this.auth[this.serverName] = {
+            tokens: {} as OAuthTokens,
+            client_info: entry.client_info,
+          };
+        }
+        break;
+      case "verifier":
+        this._codeVerifier = undefined;
+        return; // No need to persist
+      case "discovery":
+        return; // Nothing to clear locally
+    }
+
+    await saveAuth(this.configDir, this.auth);
+  }
+
+  /** Whether the auth flow completed successfully (tokens were obtained) */
+  isComplete(): boolean {
+    return !!this.auth[this.serverName]?.complete;
+  }
+
+  /** Clear any incomplete auth state from a previously cancelled flow */
+  async clearIncomplete(): Promise<void> {
+    const entry = this.auth[this.serverName];
+    if (entry && !entry.complete) {
+      delete this.auth[this.serverName];
+      await saveAuth(this.configDir, this.auth);
+    }
+  }
+
+  setCallbackPort(port: number): void {
+    this._callbackPort = port;
+  }
+
+  isExpired(): boolean {
+    const entry = this.auth[this.serverName];
+    if (!entry?.expires_at) return false;
+    return new Date(entry.expires_at) <= new Date();
+  }
+
+  hasRefreshToken(): boolean {
+    const tokens = this.auth[this.serverName]?.tokens;
+    return !!tokens?.refresh_token;
+  }
+
+  async refreshIfNeeded(serverUrl: string): Promise<void> {
+    if (!this.isExpired()) return;
+
+    if (!this.hasRefreshToken()) {
+      throw new Error(
+        `Token expired for "${this.serverName}" and no refresh token available. Run: mcpcli auth ${this.serverName}`,
+      );
+    }
+
+    const clientInfo = this.clientInformation();
+    if (!clientInfo) {
+      throw new Error(
+        `No client information for "${this.serverName}". Run: mcpcli auth ${this.serverName}`,
+      );
+    }
+
+    const tokens = await refreshAuthorization(serverUrl, {
+      clientInformation: clientInfo,
+      refreshToken: this.auth[this.serverName]!.tokens.refresh_token!,
+    });
+
+    await this.saveTokens(tokens);
+
+    logger.info(`Token refreshed for "${this.serverName}"`);
+  }
+}
+
+/** Start a local callback server to receive the OAuth authorization code */
+export function startCallbackServer(): {
+  server: ReturnType<typeof Bun.serve>;
+  authCodePromise: Promise<string>;
+} {
+  let resolveCode: (code: string) => void;
+  let rejectCode: (err: Error) => void;
+
+  const authCodePromise = new Promise<string>((resolve, reject) => {
+    resolveCode = resolve;
+    rejectCode = reject;
+  });
+
+  const server = Bun.serve({
+    port: 0,
+    fetch(req) {
+      const url = new URL(req.url);
+      if (url.pathname !== "/callback") {
+        return new Response("Not found", { status: 404 });
+      }
+
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") || error;
+        rejectCode!(new Error(`OAuth error: ${desc}`));
+        return new Response(
+          "<html><body><h1>Authentication Failed</h1><p>You can close this window.</p></body></html>",
+          { headers: { "Content-Type": "text/html" } },
+        );
+      }
+
+      const code = url.searchParams.get("code");
+      if (!code) {
+        rejectCode!(new Error("No authorization code received"));
+        return new Response(
+          "<html><body><h1>Error</h1><p>No authorization code received.</p></body></html>",
+          { headers: { "Content-Type": "text/html" } },
+        );
+      }
+
+      resolveCode!(code);
+      return new Response(
+        "<html><body><h1>Authenticated!</h1><p>You can close this window.</p></body></html>",
+        { headers: { "Content-Type": "text/html" } },
+      );
+    },
+  });
+
+  return { server, authCodePromise };
+}
+
+/** Probe for OAuth support and run the auth flow if the server supports it.
+ * Returns true if auth ran, false if server doesn't support OAuth (silent skip). */
+export async function tryOAuthIfSupported(
+  serverName: string,
+  serverUrl: string,
+  configDir: string,
+  auth: AuthFile,
+  formatOptions: FormatOptions,
+): Promise<boolean> {
+  let oauthSupported: boolean;
+  try {
+    const info = await discoverOAuthServerInfo(serverUrl);
+    oauthSupported = info.authorizationServerMetadata !== undefined;
+  } catch {
+    return false;
+  }
+
+  if (!oauthSupported) return false;
+
+  const provider = new McpOAuthProvider({ serverName, configDir, auth });
+  const spinner = logger.startSpinner(`Authenticating with "${serverName}"…`, formatOptions);
+  try {
+    await runOAuthFlow(serverUrl, provider);
+    spinner.success(`Authenticated with "${serverName}"`);
+    return true;
+  } catch (err) {
+    spinner.error(`Authentication failed: ${err instanceof Error ? err.message : err}`);
+    throw err;
+  }
+}
+
+/** Run a full OAuth authorization flow for an HTTP MCP server */
+export async function runOAuthFlow(serverUrl: string, provider: McpOAuthProvider): Promise<void> {
+  // Clear any leftover state from a previously cancelled auth flow
+  await provider.clearIncomplete();
+
+  const { server, authCodePromise } = startCallbackServer();
+  try {
+    provider.setCallbackPort(server.port);
+
+    const result = await auth(provider, { serverUrl });
+    if (result === "REDIRECT") {
+      const code = await authCodePromise;
+      await auth(provider, { serverUrl, authorizationCode: code });
+    }
+  } finally {
+    server.stop();
+  }
+}

package/.claude/worktrees/elastic-jennings/src/client/stdio.ts

@@ -0,0 +1,12 @@
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import type { StdioServerConfig } from "../config/schemas.ts";
+
+export function createStdioTransport(config: StdioServerConfig): StdioClientTransport {
+  return new StdioClientTransport({
+    command: config.command,
+    args: config.args,
+    env: config.env ? { ...process.env, ...config.env } : undefined,
+    cwd: config.cwd,
+    stderr: "pipe",
+  });
+}