@hubfluencer/mcp 0.1.0

package/dist/login.js

@@ -0,0 +1,377 @@
+#!/usr/bin/env node
+var __create = Object.create;
+var __getProtoOf = Object.getPrototypeOf;
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __toESM = (mod, isNodeMode, target) => {
+  target = mod != null ? __create(__getProtoOf(mod)) : {};
+  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
+  for (let key of __getOwnPropNames(mod))
+    if (!__hasOwnProp.call(to, key))
+      __defProp(to, key, {
+        get: () => mod[key],
+        enumerable: true
+      });
+  return to;
+};
+var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+
+// src/login.ts
+import { chmod, mkdir, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+
+// src/core.ts
+import { createHash } from "node:crypto";
+import { isAbsolute, resolve, sep } from "node:path";
+function isPrivateOrMetadataHost(hostname) {
+  let host = hostname.trim().toLowerCase();
+  if (host.startsWith("[") && host.endsWith("]"))
+    host = host.slice(1, -1);
+  const zone = host.indexOf("%");
+  if (zone !== -1)
+    host = host.slice(0, zone);
+  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
+  if (v4) {
+    const o = v4.slice(1).map(Number);
+    if (o.some((n) => n > 255))
+      return false;
+    return isPrivateV4(o[0], o[1]);
+  }
+  if (host.includes(":")) {
+    const mapped = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(host);
+    if (mapped) {
+      const o = mapped[1].split(".").map(Number);
+      if (!o.some((n) => n > 255) && isPrivateV4(o[0], o[1])) {
+        return true;
+      }
+    }
+    if (host === "::1" || host === "::")
+      return true;
+    if (host === "::ffff:0:0")
+      return true;
+    if (/^f[cd]/.test(host))
+      return true;
+    if (/^fe[89ab]/.test(host))
+      return true;
+    return false;
+  }
+  return false;
+}
+function isPrivateV4(a, b) {
+  if (a === 127)
+    return true;
+  if (a === 10)
+    return true;
+  if (a === 172 && b >= 16 && b <= 31)
+    return true;
+  if (a === 192 && b === 168)
+    return true;
+  if (a === 169 && b === 254)
+    return true;
+  if (a === 0)
+    return true;
+  return false;
+}
+function assertSafeFetchUrl(url, opts = {}) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error(`Invalid Hubfluencer URL: ${url}`);
+  }
+  const host = u.hostname;
+  const isLoopback = host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "[::1]";
+  if (u.protocol === "https:") {
+    if (isPrivateOrMetadataHost(host)) {
+      throw new Error(`Refusing to use a Hubfluencer URL pointing at a private/internal host (${host}). ` + "Use the public https endpoint.");
+    }
+    return u;
+  }
+  if (opts.allowLoopback && isLoopback)
+    return u;
+  throw new Error(`Refusing to use an insecure Hubfluencer URL (${u.protocol}//${host}). ` + "Use an https URL (or localhost for local development).");
+}
+function asRecord(v) {
+  return v && typeof v === "object" ? v : {};
+}
+function normalizeStatus(kind, slug, data) {
+  const d = asRecord(data);
+  const latest = asRecord(d.latest_render);
+  const videoUrl = latest.video_url ?? null;
+  if (kind === "short") {
+    const stage = d.stage ?? "unknown";
+    return {
+      kind,
+      slug,
+      stage,
+      terminal: stage === "video_ready" || stage === "failed",
+      ready: stage === "video_ready",
+      video_url: videoUrl,
+      error: d.error_message ?? null
+    };
+  }
+  const autopilot = d.autopilot_status ?? "unknown";
+  const renderStatus = latest.status ?? null;
+  const ready = renderStatus === "completed" && Boolean(videoUrl);
+  const terminal = ready || autopilot === "failed" || autopilot === "cancelled" || renderStatus === "failed";
+  return {
+    kind,
+    slug,
+    stage: autopilot,
+    terminal,
+    ready,
+    video_url: videoUrl,
+    error: d.autopilot_error_message ?? null
+  };
+}
+function idemKey(...parts) {
+  return createHash("sha256").update(parts.join("|")).digest("hex").slice(0, 32);
+}
+function resolveSavePath(savePath) {
+  const base = resolve(process.env.HUBFLUENCER_OUTPUT_DIR || process.cwd());
+  const target = isAbsolute(savePath) ? resolve(savePath) : resolve(base, savePath);
+  if (!target.toLowerCase().endsWith(".mp4")) {
+    throw new Error("save_path must end in .mp4");
+  }
+  if (target !== base && !target.startsWith(base + sep)) {
+    throw new Error(`save_path must be inside ${base} (set HUBFLUENCER_OUTPUT_DIR to change). Refusing to write to ${target}.`);
+  }
+  return target;
+}
+function inferKind(prompt) {
+  const p = prompt.toLowerCase();
+  const wantsShort = /\b(short|quick|simple|snappy|single[- ]?clip|one[- ]?clip|teaser)\b/.test(p) || /(rapide|simple|court|clip unique|tease?r)/.test(p);
+  if (wantsShort)
+    return "short";
+  const wantsEditor = /\b(ads?|advert|advertisement|commercial|promo|campaign|launch|brand|story|stories|multi[- ]?scene|scenes?|narrat|explainer|chapters?|episodes?|testimonial|showcase|walkthrough|demo|spot)\b/.test(p) || /(pub(licit[ée])?|annonce|campagne|histoire|multi[- ]?sc[eè]ne|sc[eè]nes?|raconte|chapitres?|[eé]pisodes?|explicat|lancement|t[eé]moignage|d[eé]mo|vitrine)/.test(p);
+  return wantsEditor ? "editor" : "short";
+}
+
+// src/credentials.ts
+import { readFileSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+var CREDENTIALS_PATH = process.env.HUBFLUENCER_CREDENTIALS || join(homedir(), ".hubfluencer", "credentials.json");
+function readStoredCredentials() {
+  let raw;
+  try {
+    raw = readFileSync(CREDENTIALS_PATH, "utf8");
+  } catch {
+    return {};
+  }
+  if (process.platform !== "win32") {
+    try {
+      const mode = statSync(CREDENTIALS_PATH).mode;
+      if (mode & 63) {
+        console.error(`Warning: ${CREDENTIALS_PATH} is accessible to other users ` + `(mode ${(mode & 511).toString(8)}). Run: chmod 600 ${CREDENTIALS_PATH}`);
+      }
+    } catch {}
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+
+// src/client.ts
+function makeError(status, body) {
+  let message = `Hubfluencer API error (HTTP ${status})`;
+  let code;
+  if (body && typeof body === "object") {
+    const b = body;
+    const errVal = b.error;
+    if (typeof errVal === "string") {
+      if (/^[a-z][a-z0-9_]*$/.test(errVal)) {
+        code = errVal;
+        message = b.message || errVal;
+      } else {
+        message = b.message || errVal;
+      }
+    } else if (errVal && typeof errVal === "object") {
+      const e = errVal;
+      code = e.code || undefined;
+      message = e.message || message;
+    } else if (typeof b.message === "string") {
+      message = b.message;
+    }
+  }
+  const err = new Error(message);
+  err.status = status;
+  err.code = code;
+  err.body = body;
+  return err;
+}
+function assertSafeBaseUrl(baseUrl) {
+  assertSafeFetchUrl(baseUrl, { allowLoopback: true });
+}
+
+class HubfluencerClient {
+  baseUrl;
+  token;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl;
+    this.token = token;
+    this.baseUrl = baseUrl.replace(/\/+$/, "").replace(/\/api$/, "");
+    assertSafeBaseUrl(this.baseUrl);
+  }
+  async request(method, path, opts = {}) {
+    const url = new URL(`${this.baseUrl}/api${path}`);
+    if (opts.query) {
+      for (const [k, v] of Object.entries(opts.query)) {
+        if (v !== undefined)
+          url.searchParams.set(k, String(v));
+      }
+    }
+    const headers = {
+      authorization: `Bearer ${this.token}`,
+      accept: "application/json"
+    };
+    if (opts.body !== undefined)
+      headers["content-type"] = "application/json";
+    if (opts.idempotencyKey)
+      headers["idempotency-key"] = opts.idempotencyKey;
+    let res;
+    try {
+      res = await fetch(url, {
+        method,
+        headers,
+        body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
+        signal: AbortSignal.timeout(60000)
+      });
+    } catch (e) {
+      if (e instanceof Error && (e.name === "TimeoutError" || e.name === "AbortError")) {
+        throw new Error(`Request to ${method} ${path} timed out after 60s.`);
+      }
+      throw e instanceof Error ? new Error(`Network error on ${method} ${path}: ${e.message}`) : e;
+    }
+    if (res.status === 204)
+      return;
+    const text = await res.text();
+    let parsed;
+    if (text) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+        parsed = text;
+      }
+    }
+    if (!res.ok)
+      throw makeError(res.status, parsed);
+    return parsed;
+  }
+  get(path, query) {
+    return this.request("GET", path, { query });
+  }
+  post(path, body, idempotencyKey) {
+    return this.request("POST", path, { body, idempotencyKey });
+  }
+  patch(path, body, idempotencyKey) {
+    return this.request("PATCH", path, { body, idempotencyKey });
+  }
+  put(path, body, idempotencyKey) {
+    return this.request("PUT", path, { body, idempotencyKey });
+  }
+  del(path) {
+    return this.request("DELETE", path);
+  }
+}
+function clientFromEnv() {
+  const stored = readStoredCredentials();
+  const token = process.env.HUBFLUENCER_API_TOKEN || stored.token;
+  const baseUrl = process.env.HUBFLUENCER_BASE_URL || stored.base_url || "https://hubfluencer.com";
+  if (!token) {
+    throw new Error("Not connected to Hubfluencer. Run `hubfluencer-login` to connect, or set " + "HUBFLUENCER_API_TOKEN (create one in the app: Settings → Access tokens).");
+  }
+  return new HubfluencerClient(baseUrl, token);
+}
+
+// src/login.ts
+var BASE = (process.env.HUBFLUENCER_BASE_URL || "https://hubfluencer.com").replace(/\/+$/, "").replace(/\/api$/, "");
+assertSafeBaseUrl(BASE);
+var MAX_POLLS = 120;
+var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+async function main() {
+  const clientName = process.argv[2] || "Claude Code";
+  const startRes = await fetch(`${BASE}/api/agent-link/start`, {
+    method: "POST",
+    headers: { "content-type": "application/json", accept: "application/json" },
+    body: JSON.stringify({
+      client_name: clientName,
+      scopes: ["video:generate", "video:read"]
+    })
+  });
+  if (!startRes.ok) {
+    console.error(`Could not start login (HTTP ${startRes.status}). Check HUBFLUENCER_BASE_URL.`);
+    process.exit(1);
+  }
+  const start = await startRes.json();
+  const url = start.verification_uri_complete || start.verification_uri;
+  console.error(`
+Connect this agent to Hubfluencer:
+`);
+  console.error(`  1. Open:   ${url}`);
+  console.error(`  2. Confirm code:  ${start.user_code}`);
+  console.error(`  3. Click Approve (you'll need to be signed in).
+`);
+  console.error("Waiting for approval…");
+  let intervalMs = Math.max(2, start.interval ?? 5) * 1000;
+  const MAX_INTERVAL_MS = 30000;
+  for (let i = 0;i < MAX_POLLS; i++) {
+    await sleep(intervalMs);
+    const pollRes = await fetch(`${BASE}/api/agent-link/poll`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify({ device_code: start.device_code })
+    });
+    const body = await pollRes.json().catch(() => ({}));
+    if (pollRes.ok && body.status === "approved" && body.token) {
+      await storeToken(body.token);
+      console.error(`
+✓ Connected. Access token saved to ${CREDENTIALS_PATH}.`);
+      console.error(`  Revoke anytime in the app: Settings → Access tokens.
+`);
+      return;
+    }
+    if (body.status === "slow_down") {
+      intervalMs = Math.min(intervalMs + 5000, MAX_INTERVAL_MS);
+      continue;
+    }
+    if (body.status === "pending")
+      continue;
+    console.error(`
+✗ ${body.error || body.status || `HTTP ${pollRes.status}`}. Run login again.`);
+    process.exit(1);
+  }
+  console.error(`
+✗ Timed out waiting for approval. Run login again.`);
+  process.exit(1);
+}
+async function storeToken(token) {
+  const dir = dirname(CREDENTIALS_PATH);
+  await mkdir(dir, { recursive: true, mode: 448 });
+  await writeFile(CREDENTIALS_PATH, JSON.stringify({ token, base_url: BASE }, null, 2), {
+    mode: 384
+  });
+  try {
+    await chmod(CREDENTIALS_PATH, 384);
+    await chmod(dir, 448);
+  } catch {}
+}
+main().catch((e) => {
+  console.error("Fatal:", e instanceof Error ? e.message : String(e));
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@hubfluencer/mcp",
+  "version": "0.1.0",
+  "description": "Model Context Protocol server for Hubfluencer — let AI agents generate post-ready shorts and editor ads.",
+  "license": "MIT",
+  "author": "Monocursive <contact@monocursive.com>",
+  "private": false,
+  "type": "module",
+  "bin": {
+    "hubfluencer-mcp": "./dist/index.js",
+    "hubfluencer-login": "./dist/login.js"
+  },
+  "main": "./dist/index.js",
+  "files": [
+    "dist",
+    "src",
+    "tsconfig.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "dev": "bun run src/index.ts",
+    "build": "rm -rf dist && bun build src/index.ts src/login.ts --target node --outdir dist",
+    "prepublishOnly": "bun run build",
+    "start": "node dist/index.js",
+    "test": "bun test",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "lint": "biome check src",
+    "release": "bun run typecheck && bun run lint && bun test && npm publish --access public"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "typescript": "^5.9.3"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "hubfluencer",
+    "ai",
+    "video",
+    "ads",
+    "claude"
+  ]
+}

package/src/client.ts

@@ -0,0 +1,206 @@
+/**
+ * Thin REST client for the Hubfluencer API.
+ *
+ * Auth: forwards an opaque bearer token (a Personal Access Token from
+ * `POST /api/tokens`, or a session token from `POST /api/sign-in`) verbatim
+ * as `Authorization: Bearer <token>`. The token is NOT a JWT — never decode it.
+ */
+
+import { assertSafeFetchUrl } from "./core.js";
+import { readStoredCredentials } from "./credentials.js";
+
+export interface HubfluencerError extends Error {
+	status: number;
+	code?: string;
+	body?: unknown;
+}
+
+function makeError(status: number, body: unknown): HubfluencerError {
+	// The API's error envelope is not fully uniform; pull a message/code out of
+	// whatever shape we got.
+	let message = `Hubfluencer API error (HTTP ${status})`;
+	let code: string | undefined;
+
+	if (body && typeof body === "object") {
+		const b = body as Record<string, unknown>;
+		const errVal = b.error;
+		if (typeof errVal === "string") {
+			// `error` carries two different things across the API: a machine-stable
+			// snake_case code an agent can branch on (e.g. "credits_insufficient",
+			// "editor_voice_stale", "batch_generation_active"), OR — in a handful of
+			// older clauses — a full English sentence. Only treat it as a `code` when
+			// it actually looks like a token; otherwise it's the human message. Without
+			// this guard a sentence becomes a bogus `code` and is rendered as the
+			// message twice, and downstream tools can't reliably switch on `err.code`.
+			if (/^[a-z][a-z0-9_]*$/.test(errVal)) {
+				code = errVal;
+				message = (b.message as string) || errVal;
+			} else {
+				message = (b.message as string) || errVal;
+			}
+		} else if (errVal && typeof errVal === "object") {
+			const e = errVal as Record<string, unknown>;
+			code = (e.code as string) || undefined;
+			message = (e.message as string) || message;
+		} else if (typeof b.message === "string") {
+			message = b.message;
+		}
+	}
+
+	const err = new Error(message) as HubfluencerError;
+	err.status = status;
+	err.code = code;
+	err.body = body;
+	return err;
+}
+
+/**
+ * Refuses to send the bearer token over an insecure, malformed, or
+ * internal-pointing base URL. The token is a long-lived credential; an
+ * `http://` host (or a tampered `base_url` in credentials.json /
+ * HUBFLUENCER_BASE_URL pointing somewhere unexpected) would leak it in
+ * cleartext or to the wrong origin. Delegates to the shared `assertSafeFetchUrl`
+ * guard: https required (loopback http allowed for local dev), and any
+ * private/link-local/metadata IP literal refused even over https so the token
+ * can't be redirected to an internal host (e.g. 169.254.169.254, 10.x, ::1).
+ */
+export function assertSafeBaseUrl(baseUrl: string): void {
+	assertSafeFetchUrl(baseUrl, { allowLoopback: true });
+}
+
+export interface RequestOptions {
+	body?: unknown;
+	/** Sent as the `Idempotency-Key` header on chargeable POSTs. */
+	idempotencyKey?: string;
+	query?: Record<string, string | number | undefined>;
+}
+
+export class HubfluencerClient {
+	constructor(
+		private readonly baseUrl: string,
+		private readonly token: string,
+	) {
+		// Normalize to the bare origin: the REST API lives under `/api`, which
+		// request() always prepends. Tolerate a base that already ends in `/api`
+		// (older docs/env values) so we never produce a `/api/api/...` URL.
+		this.baseUrl = baseUrl.replace(/\/+$/, "").replace(/\/api$/, "");
+		// Never forward the bearer token over an insecure/unexpected origin.
+		assertSafeBaseUrl(this.baseUrl);
+	}
+
+	async request<T = unknown>(
+		method: string,
+		path: string,
+		opts: RequestOptions = {},
+	): Promise<T> {
+		// Every tool passes a bare API path (e.g. "/editor/:slug"); the API is
+		// mounted under "/api" on the app host (https://hubfluencer.com), so add
+		// it here in one place rather than in every call site.
+		const url = new URL(`${this.baseUrl}/api${path}`);
+		if (opts.query) {
+			for (const [k, v] of Object.entries(opts.query)) {
+				if (v !== undefined) url.searchParams.set(k, String(v));
+			}
+		}
+
+		const headers: Record<string, string> = {
+			authorization: `Bearer ${this.token}`,
+			accept: "application/json",
+		};
+		if (opts.body !== undefined) headers["content-type"] = "application/json";
+		if (opts.idempotencyKey) headers["idempotency-key"] = opts.idempotencyKey;
+
+		// Bound every API call so a hung connection fails the tool cleanly
+		// instead of blocking the agent indefinitely (fetch has no default
+		// timeout). All endpoints return quickly — generation runs async server
+		// side, so 60s is generous headroom.
+		let res: Response;
+		try {
+			res = await fetch(url, {
+				method,
+				headers,
+				body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
+				signal: AbortSignal.timeout(60_000),
+			});
+		} catch (e) {
+			if (
+				e instanceof Error &&
+				(e.name === "TimeoutError" || e.name === "AbortError")
+			) {
+				throw new Error(`Request to ${method} ${path} timed out after 60s.`);
+			}
+			throw e instanceof Error
+				? new Error(`Network error on ${method} ${path}: ${e.message}`)
+				: e;
+		}
+
+		if (res.status === 204) return undefined as T;
+
+		const text = await res.text();
+		let parsed: unknown;
+		if (text) {
+			try {
+				parsed = JSON.parse(text);
+			} catch {
+				parsed = text;
+			}
+		}
+
+		if (!res.ok) throw makeError(res.status, parsed);
+		return parsed as T;
+	}
+
+	get<T = unknown>(path: string, query?: RequestOptions["query"]): Promise<T> {
+		return this.request<T>("GET", path, { query });
+	}
+
+	post<T = unknown>(
+		path: string,
+		body?: unknown,
+		idempotencyKey?: string,
+	): Promise<T> {
+		return this.request<T>("POST", path, { body, idempotencyKey });
+	}
+
+	patch<T = unknown>(
+		path: string,
+		body?: unknown,
+		idempotencyKey?: string,
+	): Promise<T> {
+		return this.request<T>("PATCH", path, { body, idempotencyKey });
+	}
+
+	put<T = unknown>(
+		path: string,
+		body?: unknown,
+		idempotencyKey?: string,
+	): Promise<T> {
+		return this.request<T>("PUT", path, { body, idempotencyKey });
+	}
+
+	del<T = unknown>(path: string): Promise<T> {
+		return this.request<T>("DELETE", path);
+	}
+}
+
+/**
+ * Builds a client from the environment, falling back to the device-link
+ * credential file (written by `hubfluencer-login`). Throws a clear, actionable
+ * error if no token is available.
+ */
+export function clientFromEnv(): HubfluencerClient {
+	const stored = readStoredCredentials();
+	const token = process.env.HUBFLUENCER_API_TOKEN || stored.token;
+	const baseUrl =
+		process.env.HUBFLUENCER_BASE_URL ||
+		stored.base_url ||
+		"https://hubfluencer.com";
+
+	if (!token) {
+		throw new Error(
+			"Not connected to Hubfluencer. Run `hubfluencer-login` to connect, or set " +
+				"HUBFLUENCER_API_TOKEN (create one in the app: Settings → Access tokens).",
+		);
+	}
+	return new HubfluencerClient(baseUrl, token);
+}