npm - @imazhar101/salesforce-mcp-jsforce - Versions diffs - 0.1.0 - Mend

@imazhar101/salesforce-mcp-jsforce 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 imazhar101
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,104 @@
+# salesforce-mcp-jsforce
+A **lite, single-org** [Model Context Protocol](https://modelcontextprotocol.io) server for Salesforce, built on [jsforce](https://github.com/jsforce/jsforce).
+- **Bring your own token.** The server never stores a client secret, username, or password. You authenticate once with OAuth; it holds only an access token + instance URL.
+- **Two ways to run.** Locally over **stdio** (for Claude Code and other MCP clients) or as a **dedicated streamable-HTTP server** where each request carries its own token.
+- **Safe to host & open-source.** No org-specific config, no multi-environment credential matrix, no destructive metadata tooling. Optional read-only mode.
+## Tools
+| Tool | Mode | Description |
+| --- | --- | --- |
+| `salesforce_identity` | read | Identity of the supplied token (token validity check) |
+| `salesforce_query` | read | Run a SOQL query |
+| `salesforce_search` | read | Run a SOSL full-text search |
+| `salesforce_list_objects` | read | List sObjects + key metadata |
+| `salesforce_describe_object` | read | Trimmed describe of an sObject |
+| `salesforce_get_record` | read | Retrieve a record by Id |
+| `salesforce_create_record` | write | Create a record |
+| `salesforce_update_record` | write | Update a record |
+| `salesforce_delete_record` | write | Delete a record |
+Set `SF_READONLY=1` to register the read tools only.
+## Quick start
+```bash
+npm install -g @imazhar101/salesforce-mcp-jsforce
+# 1. Log in (PKCE against your External Client App)
+salesforce-mcp-jsforce login --client-id <ECA_CONSUMER_KEY>
+#   sandbox: add --login-url https://test.salesforce.com
+# 2. Use it from Claude Code
+claude mcp add salesforce -- npx -y @imazhar101/salesforce-mcp-jsforce
+```
+`login` opens a browser, completes the OAuth handshake, saves the token to
+`~/.config/salesforce-mcp-jsforce/token.json`, and prints ready-to-paste config.
+## Credentials
+**stdio** — one of:
+- `SF_ACCESS_TOKEN` + `SF_INSTANCE_URL` environment variables, or
+- the token file written by `login` (read automatically).
+**HTTP** — per request, via headers:
+- `X-SF-Access-Token`
+- `X-SF-Instance-Url`
+- `X-SF-Api-Version` (optional)
+## Run as a dedicated HTTP server
+```bash
+PORT=3000 salesforce-mcp-jsforce http
+```
+Stateless streamable-HTTP at `POST /mcp`; health probe at `GET /health`. Each
+request is handled by a throwaway server instance keyed to its own token — no
+caller state is shared. Put it behind TLS; the access token is a live credential.
+```bash
+curl -s http://localhost:3000/mcp \
+  -H 'content-type: application/json' \
+  -H 'accept: application/json, text/event-stream' \
+  -H "X-SF-Access-Token: $SF_ACCESS_TOKEN" \
+  -H "X-SF-Instance-Url: $SF_INSTANCE_URL" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
+```
+## Environment variables
+| Var | Default | Purpose |
+| --- | --- | --- |
+| `SF_ACCESS_TOKEN` | — | stdio access token |
+| `SF_INSTANCE_URL` | — | stdio instance URL |
+| `SF_API_VERSION` | `62.0` | REST API version |
+| `SF_READONLY` | off | `1` strips write tools |
+| `SF_LOGIN_URL` | `https://login.salesforce.com` | OAuth host (sandbox: `test.salesforce.com`) |
+| `SF_CLIENT_ID` | — | ECA consumer key for `login` |
+| `SF_CLIENT_SECRET` | — | only for confidential apps |
+| `SF_SCOPE` | `api refresh_token` | OAuth scopes |
+| `PORT` | `3000` | HTTP host port |
+## Security model
+- The token grants exactly the permissions of the user who authorized it — the server adds no privilege.
+- In HTTP mode no credentials are persisted; the token lives only for the duration of one request.
+- In stdio mode the saved token file is written `chmod 600`.
+- Tokens are never logged.
+## Build from source
+```bash
+npm install
+npm run build
+node dist/index.js --help
+```
+## License
+MIT

package/dist/auth.d.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { IncomingHttpHeaders } from "node:http";
+/**
+ * The only credentials this server ever handles: an already-issued access
+ * token plus the org's instance URL. We never see a client secret, username,
+ * or password — that is the whole point of the BYO-token model.
+ */
+export interface SfCredentials {
+    accessToken: string;
+    instanceUrl: string;
+    apiVersion?: string;
+    /** Optional, only persisted by `login` so the token can be silently renewed. */
+    refreshToken?: string;
+    clientId?: string;
+    loginUrl?: string;
+}
+/** A function the server calls (lazily, per request) to obtain credentials. */
+export type CredentialResolver = () => SfCredentials;
+export declare class MissingCredentialsError extends Error {
+    constructor(message: string);
+}
+/** stdio: read SF_ACCESS_TOKEN + SF_INSTANCE_URL from the environment. */
+export declare function credsFromEnv(): SfCredentials | null;
+/** stdio: read a token previously saved by the `login` command. */
+export declare function credsFromFile(): SfCredentials | null;
+/**
+ * HTTP: pull the per-request token off the headers. This is what makes the
+ * hosted server stateless — each caller brings their own token and gets data
+ * scoped to their own Salesforce permissions.
+ */
+export declare function credsFromHeaders(headers: IncomingHttpHeaders): SfCredentials | null;
+/** stdio resolver: env wins, then the saved token file. */
+export declare function resolveStdioCredentials(): SfCredentials;
+/** Persist the token issued by `login` (chmod 600 — it is a live credential). */
+export declare function saveToken(creds: SfCredentials): void;
+export declare function tokenPath(): string;

package/dist/auth.js ADDED Viewed

@@ -0,0 +1,85 @@
+import fs from "node:fs";
+import path from "node:path";
+import { CONFIG_DIR, TOKEN_FILE, DEFAULT_API_VERSION } from "./config.js";
+export class MissingCredentialsError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "MissingCredentialsError";
+    }
+}
+/** stdio: read SF_ACCESS_TOKEN + SF_INSTANCE_URL from the environment. */
+export function credsFromEnv() {
+    const accessToken = process.env.SF_ACCESS_TOKEN;
+    const instanceUrl = process.env.SF_INSTANCE_URL;
+    if (!accessToken || !instanceUrl)
+        return null;
+    return {
+        accessToken,
+        instanceUrl,
+        apiVersion: process.env.SF_API_VERSION || DEFAULT_API_VERSION,
+    };
+}
+/** stdio: read a token previously saved by the `login` command. */
+export function credsFromFile() {
+    try {
+        const raw = fs.readFileSync(TOKEN_FILE, "utf8");
+        const data = JSON.parse(raw);
+        if (!data.accessToken || !data.instanceUrl)
+            return null;
+        return {
+            accessToken: data.accessToken,
+            instanceUrl: data.instanceUrl,
+            apiVersion: data.apiVersion || DEFAULT_API_VERSION,
+            refreshToken: data.refreshToken,
+            clientId: data.clientId,
+            loginUrl: data.loginUrl,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * HTTP: pull the per-request token off the headers. This is what makes the
+ * hosted server stateless — each caller brings their own token and gets data
+ * scoped to their own Salesforce permissions.
+ */
+export function credsFromHeaders(headers) {
+    const accessToken = header(headers, "x-sf-access-token");
+    const instanceUrl = header(headers, "x-sf-instance-url");
+    if (!accessToken || !instanceUrl)
+        return null;
+    return {
+        accessToken,
+        instanceUrl,
+        apiVersion: header(headers, "x-sf-api-version") || DEFAULT_API_VERSION,
+    };
+}
+function header(headers, name) {
+    const v = headers[name];
+    return Array.isArray(v) ? v[0] : v;
+}
+/** stdio resolver: env wins, then the saved token file. */
+export function resolveStdioCredentials() {
+    const creds = credsFromEnv() || credsFromFile();
+    if (!creds) {
+        throw new MissingCredentialsError("No Salesforce credentials found. Set SF_ACCESS_TOKEN + SF_INSTANCE_URL, " +
+            "or run `salesforce-mcp-jsforce login` first.");
+    }
+    return creds;
+}
+/** Persist the token issued by `login` (chmod 600 — it is a live credential). */
+export function saveToken(creds) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(TOKEN_FILE, JSON.stringify(creds, null, 2), { mode: 0o600 });
+    try {
+        fs.chmodSync(TOKEN_FILE, 0o600);
+    }
+    catch {
+        /* best effort on platforms without chmod */
+    }
+}
+export function tokenPath() {
+    return path.normalize(TOKEN_FILE);
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAoB1E,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,0EAA0E;AAC1E,MAAM,UAAU,YAAY;IAC1B,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAChD,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO;QACL,WAAW;QACX,WAAW;QACX,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,mBAAmB;KAC9D,CAAC;AACJ,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,aAAa;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACxD,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,mBAAmB;YAClD,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAA4B;IAE5B,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACzD,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9C,OAAO;QACL,WAAW;QACX,WAAW;QACX,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,kBAAkB,CAAC,IAAI,mBAAmB;KACvE,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,OAA4B,EAAE,IAAY;IACxD,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,YAAY,EAAE,IAAI,aAAa,EAAE,CAAC;IAChD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,uBAAuB,CAC/B,0EAA0E;YACxE,8CAA8C,CACjD,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,SAAS,CAAC,KAAoB;IAC5C,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9E,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;IAC9C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC"}

package/dist/client.d.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import jsforce from "jsforce";
+import type { SfCredentials } from "./auth.js";
+/**
+ * Build a jsforce connection from BYO credentials. jsforce's constructor takes
+ * `{ accessToken, instanceUrl }` directly, which is exactly the per-request
+ * model — so a fresh connection per call is cheap and carries no shared state.
+ */
+export declare function makeConnection(creds: SfCredentials): jsforce.Connection;
+export type Conn = jsforce.Connection;
+/** Who does this token belong to? Cheapest possible token-validity check. */
+export declare function identity(conn: Conn): Promise<{
+    user_id: string;
+    organization_id: string;
+    username: string;
+    display_name: string;
+    email: string;
+    instance_url: string;
+    api_version: string;
+}>;
+export declare function soqlQuery(conn: Conn, soql: string): Promise<{
+    totalSize: number;
+    done: boolean;
+    nextRecordsUrl: string | null;
+    records: jsforce.Record[];
+}>;
+/** SOSL full-text search across objects. */
+export declare function soslSearch(conn: Conn, sosl: string): Promise<{
+    searchRecords: any[];
+}>;
+export declare function listObjects(conn: Conn): Promise<{
+    count: number;
+    sobjects: {
+        name: string;
+        label: string;
+        custom: boolean;
+        keyPrefix: jsforce.Optional<string>;
+        queryable: boolean;
+        createable: boolean;
+        updateable: boolean;
+        deletable: boolean;
+    }[];
+}>;
+/** Lean describe — the full payload is enormous, so we trim to the essentials. */
+export declare function describeObject(conn: Conn, objectName: string): Promise<{
+    name: string;
+    label: string;
+    keyPrefix: jsforce.Optional<string>;
+    custom: boolean;
+    createable: boolean;
+    updateable: boolean;
+    deletable: boolean;
+    queryable: boolean;
+    fields: {
+        name: string;
+        label: string;
+        type: string;
+        custom: boolean;
+        nillable: boolean;
+        updateable: boolean;
+        length: number | undefined;
+        referenceTo: string[] | undefined;
+        picklistValues: any[] | undefined;
+    }[];
+}>;
+export declare function getRecord(conn: Conn, objectName: string, recordId: string, fields?: string[]): Promise<any>;
+export declare function createRecord(conn: Conn, objectName: string, data: Record<string, unknown>): Promise<jsforce.SaveResult[]>;
+export declare function updateRecord(conn: Conn, objectName: string, recordId: string, data: Record<string, unknown>): Promise<jsforce.SaveResult[]>;
+export declare function deleteRecord(conn: Conn, objectName: string, recordId: string): Promise<jsforce.SaveResult>;

package/dist/client.js ADDED Viewed

@@ -0,0 +1,119 @@
+import jsforce from "jsforce";
+import { DEFAULT_API_VERSION } from "./config.js";
+/**
+ * Build a jsforce connection from BYO credentials. jsforce's constructor takes
+ * `{ accessToken, instanceUrl }` directly, which is exactly the per-request
+ * model — so a fresh connection per call is cheap and carries no shared state.
+ */
+export function makeConnection(creds) {
+    return new jsforce.Connection({
+        instanceUrl: creds.instanceUrl,
+        accessToken: creds.accessToken,
+        version: creds.apiVersion || DEFAULT_API_VERSION,
+    });
+}
+// ── Read operations ───────────────────────────────────────────────────────────
+/** Who does this token belong to? Cheapest possible token-validity check. */
+export async function identity(conn) {
+    const id = await conn.identity();
+    return {
+        user_id: id.user_id,
+        organization_id: id.organization_id,
+        username: id.username,
+        display_name: id.display_name,
+        email: id.email,
+        instance_url: conn.instanceUrl,
+        api_version: conn.version,
+    };
+}
+export async function soqlQuery(conn, soql) {
+    const result = await conn.query(soql);
+    return {
+        totalSize: result.totalSize,
+        done: result.done,
+        nextRecordsUrl: result.nextRecordsUrl ?? null,
+        records: stripAttributes(result.records),
+    };
+}
+/** SOSL full-text search across objects. */
+export async function soslSearch(conn, sosl) {
+    const result = await conn.search(sosl);
+    return { searchRecords: stripAttributes(result.searchRecords) };
+}
+export async function listObjects(conn) {
+    const g = await conn.describeGlobal();
+    return {
+        count: g.sobjects.length,
+        sobjects: g.sobjects.map((s) => ({
+            name: s.name,
+            label: s.label,
+            custom: s.custom,
+            keyPrefix: s.keyPrefix,
+            queryable: s.queryable,
+            createable: s.createable,
+            updateable: s.updateable,
+            deletable: s.deletable,
+        })),
+    };
+}
+/** Lean describe — the full payload is enormous, so we trim to the essentials. */
+export async function describeObject(conn, objectName) {
+    const d = await conn.sobject(objectName).describe();
+    return {
+        name: d.name,
+        label: d.label,
+        keyPrefix: d.keyPrefix,
+        custom: d.custom,
+        createable: d.createable,
+        updateable: d.updateable,
+        deletable: d.deletable,
+        queryable: d.queryable,
+        fields: d.fields.map((f) => ({
+            name: f.name,
+            label: f.label,
+            type: f.type,
+            custom: f.custom,
+            nillable: f.nillable,
+            updateable: f.updateable,
+            length: f.length || undefined,
+            referenceTo: f.referenceTo?.length ? f.referenceTo : undefined,
+            picklistValues: f.picklistValues?.length
+                ? f.picklistValues.filter((p) => p.active).map((p) => p.value)
+                : undefined,
+        })),
+    };
+}
+export async function getRecord(conn, objectName, recordId, fields) {
+    if (fields && fields.length) {
+        const rows = await conn
+            .sobject(objectName)
+            .find({ Id: recordId }, fields)
+            .limit(1)
+            .execute();
+        return stripAttributes(rows)[0] ?? null;
+    }
+    const rec = await conn.sobject(objectName).retrieve(recordId);
+    return stripAttributes([rec])[0] ?? null;
+}
+// ── Write operations (omitted in read-only mode) ───────────────────────────────
+export async function createRecord(conn, objectName, data) {
+    return conn.sobject(objectName).create(data);
+}
+export async function updateRecord(conn, objectName, recordId, data) {
+    return conn.sobject(objectName).update({ Id: recordId, ...data });
+}
+export async function deleteRecord(conn, objectName, recordId) {
+    return conn.sobject(objectName).destroy(recordId);
+}
+// ── helpers ────────────────────────────────────────────────────────────────────
+/** jsforce decorates every record with a noisy `attributes` block — drop it. */
+function stripAttributes(records) {
+    return records.map((r) => {
+        if (r && typeof r === "object" && "attributes" in r) {
+            const { attributes, ...rest } = r;
+            return rest;
+        }
+        return r;
+    });
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAoB;IACjD,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC;QAC5B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,OAAO,EAAE,KAAK,CAAC,UAAU,IAAI,mBAAmB;KACjD,CAAC,CAAC;AACL,CAAC;AAID,iFAAiF;AAEjF,6EAA6E;AAC7E,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAU;IACvC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;IACjC,OAAO;QACL,OAAO,EAAE,EAAE,CAAC,OAAO;QACnB,eAAe,EAAE,EAAE,CAAC,eAAe;QACnC,QAAQ,EAAE,EAAE,CAAC,QAAQ;QACrB,YAAY,EAAE,EAAE,CAAC,YAAY;QAC7B,KAAK,EAAE,EAAE,CAAC,KAAK;QACf,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,WAAW,EAAE,IAAI,CAAC,OAAO;KAC1B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAU,EAAE,IAAY;IACtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI;QAC7C,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC;KACzC,CAAC;AACJ,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAU,EAAE,IAAY;IACvD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,EAAE,aAAa,EAAE,eAAe,CAAC,MAAM,CAAC,aAAsB,CAAC,EAAE,CAAC;AAC3E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAU;IAC1C,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;IACtC,OAAO;QACL,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM;QACxB,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,SAAS,EAAE,CAAC,CAAC,SAAS;SACvB,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED,kFAAkF;AAClF,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAU,EAAE,UAAkB;IACjE,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAC;IACpD,OAAO;QACL,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC3B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS;YAC7B,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YAC9D,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,MAAM;gBACtC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC9D,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAU,EACV,UAAkB,EAClB,QAAgB,EAChB,MAAiB;IAEjB,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,IAAI;aACpB,OAAO,CAAC,UAAU,CAAC;aACnB,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC;aAC9B,KAAK,CAAC,CAAC,CAAC;aACR,OAAO,EAAE,CAAC;QACb,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9D,OAAO,eAAe,CAAC,CAAC,GAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AAClD,CAAC;AAED,kFAAkF;AAElF,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAU,EACV,UAAkB,EAClB,IAA6B;IAE7B,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,IAAW,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAU,EACV,UAAkB,EAClB,QAAgB,EAChB,IAA6B;IAE7B,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAS,CAAC,CAAC;AAC3E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAU,EACV,UAAkB,EAClB,QAAgB;IAEhB,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;AACpD,CAAC;AAED,kFAAkF;AAElF,gFAAgF;AAChF,SAAS,eAAe,CAAI,OAAY;IACtC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACvB,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,YAAY,IAAK,CAAS,EAAE,CAAC;YAC7D,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,CAAQ,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/config.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/** Package identity (kept in sync with package.json). */
+export declare const PKG_NAME = "salesforce-mcp-jsforce";
+export declare const PKG_VERSION = "0.1.0";
+/** Salesforce REST API version used for all jsforce connections. */
+export declare const DEFAULT_API_VERSION: string;
+/**
+ * OAuth login host. Production: https://login.salesforce.com.
+ * Sandbox: https://test.salesforce.com (or your My Domain URL).
+ */
+export declare const DEFAULT_LOGIN_URL: string;
+/** Where the `login` command persists the issued token for stdio use. */
+export declare const CONFIG_DIR: string;
+export declare const TOKEN_FILE: string;
+/**
+ * Read-only mode strips all write tools (create/update/delete). Recommended
+ * for the publicly hosted server. Set SF_READONLY=1 to enable.
+ */
+export declare const READ_ONLY: boolean;

package/dist/config.js ADDED Viewed

@@ -0,0 +1,21 @@
+import os from "node:os";
+import path from "node:path";
+/** Package identity (kept in sync with package.json). */
+export const PKG_NAME = "salesforce-mcp-jsforce";
+export const PKG_VERSION = "0.1.0";
+/** Salesforce REST API version used for all jsforce connections. */
+export const DEFAULT_API_VERSION = process.env.SF_API_VERSION || "62.0";
+/**
+ * OAuth login host. Production: https://login.salesforce.com.
+ * Sandbox: https://test.salesforce.com (or your My Domain URL).
+ */
+export const DEFAULT_LOGIN_URL = process.env.SF_LOGIN_URL || "https://login.salesforce.com";
+/** Where the `login` command persists the issued token for stdio use. */
+export const CONFIG_DIR = process.env.SF_MCP_CONFIG_DIR || path.join(os.homedir(), ".config", PKG_NAME);
+export const TOKEN_FILE = path.join(CONFIG_DIR, "token.json");
+/**
+ * Read-only mode strips all write tools (create/update/delete). Recommended
+ * for the publicly hosted server. Set SF_READONLY=1 to enable.
+ */
+export const READ_ONLY = process.env.SF_READONLY === "1" || process.env.SF_READONLY === "true";
+//# sourceMappingURL=config.js.map

package/dist/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,yDAAyD;AACzD,MAAM,CAAC,MAAM,QAAQ,GAAG,wBAAwB,CAAC;AACjD,MAAM,CAAC,MAAM,WAAW,GAAG,OAAO,CAAC;AAEnC,oEAAoE;AACpE,MAAM,CAAC,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,MAAM,CAAC;AAExE;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAC5B,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,8BAA8B,CAAC;AAE7D,yEAAyE;AACzE,MAAM,CAAC,MAAM,UAAU,GACrB,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;AAChF,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AAE9D;;;GAGG;AACH,MAAM,CAAC,MAAM,SAAS,GACpB,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,CAAC"}

package/dist/http.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Dedicated, stateless streamable-HTTP host. Every request brings its own
+ * Salesforce token via headers, so we build a throwaway server + transport per
+ * request — nothing about one caller leaks into another.
+ *
+ * Headers: X-SF-Access-Token, X-SF-Instance-Url (X-SF-Api-Version optional).
+ */
+export declare function startHttp(port: number): Promise<void>;

package/dist/http.js ADDED Viewed

@@ -0,0 +1,89 @@
+import http from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { buildServer } from "./server.js";
+import { credsFromHeaders, MissingCredentialsError } from "./auth.js";
+import { PKG_NAME, PKG_VERSION } from "./config.js";
+const MCP_PATH = "/mcp";
+function send(res, status, body) {
+    const text = JSON.stringify(body);
+    res.writeHead(status, { "content-type": "application/json" }).end(text);
+}
+async function readBody(req) {
+    const chunks = [];
+    for await (const chunk of req)
+        chunks.push(chunk);
+    if (!chunks.length)
+        return undefined;
+    return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+}
+/**
+ * Dedicated, stateless streamable-HTTP host. Every request brings its own
+ * Salesforce token via headers, so we build a throwaway server + transport per
+ * request — nothing about one caller leaks into another.
+ *
+ * Headers: X-SF-Access-Token, X-SF-Instance-Url (X-SF-Api-Version optional).
+ */
+export async function startHttp(port) {
+    const server = http.createServer(async (req, res) => {
+        // Liveness probe for load balancers / container health checks.
+        if (req.method === "GET" && req.url === "/health") {
+            return send(res, 200, { status: "ok", name: PKG_NAME, version: PKG_VERSION });
+        }
+        if (!req.url || !req.url.startsWith(MCP_PATH)) {
+            return send(res, 404, { error: "Not found" });
+        }
+        if (req.method !== "POST") {
+            // Stateless mode does not support the GET/DELETE session endpoints.
+            return send(res, 405, {
+                jsonrpc: "2.0",
+                error: { code: -32000, message: "Method not allowed; POST to /mcp" },
+                id: null,
+            });
+        }
+        const creds = credsFromHeaders(req.headers);
+        if (!creds) {
+            return send(res, 401, {
+                jsonrpc: "2.0",
+                error: {
+                    code: -32001,
+                    message: "Missing credentials. Provide X-SF-Access-Token and X-SF-Instance-Url headers.",
+                },
+                id: null,
+            });
+        }
+        try {
+            const body = await readBody(req);
+            // Stateless: a fresh server + transport per request, no session id.
+            const mcp = buildServer(() => {
+                if (!creds)
+                    throw new MissingCredentialsError("No credentials");
+                return creds;
+            });
+            const transport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: undefined,
+            });
+            res.on("close", () => {
+                transport.close();
+                mcp.close();
+            });
+            await mcp.connect(transport);
+            await transport.handleRequest(req, res, body);
+        }
+        catch (err) {
+            if (!res.headersSent) {
+                send(res, 500, {
+                    jsonrpc: "2.0",
+                    error: {
+                        code: -32603,
+                        message: err instanceof Error ? err.message : "Internal error",
+                    },
+                    id: null,
+                });
+            }
+        }
+    });
+    server.listen(port, () => {
+        console.error(`${PKG_NAME} v${PKG_VERSION} listening on http://0.0.0.0:${port}${MCP_PATH} (stateless, BYO token)`);
+    });
+}
+//# sourceMappingURL=http.js.map

package/dist/http.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http.js","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,QAAQ,GAAG,MAAM,CAAC;AAExB,SAAS,IAAI,CAAC,GAAwB,EAAE,MAAc,EAAE,IAAa;IACnE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC1E,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAyB;IAC/C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG;QAAE,MAAM,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAY;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClD,+DAA+D;QAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1B,oEAAoE;YACpE,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,kCAAkC,EAAE;gBACpE,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;gBACpB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EACL,+EAA+E;iBAClF;gBACD,EAAE,EAAE,IAAI;aACT,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YACjC,oEAAoE;YACpE,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,EAAE;gBAC3B,IAAI,CAAC,KAAK;oBAAE,MAAM,IAAI,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;gBAChE,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;gBAClD,kBAAkB,EAAE,SAAS;aAC9B,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACnB,SAAS,CAAC,KAAK,EAAE,CAAC;gBAClB,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,CAAC,CAAC,CAAC;YACH,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC7B,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;qBAC/D;oBACD,EAAE,EAAE,IAAI;iBACT,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACvB,OAAO,CAAC,KAAK,CACX,GAAG,QAAQ,KAAK,WAAW,gCAAgC,IAAI,GAAG,QAAQ,yBAAyB,CACpG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ #!/usr/bin/env node
2	+ export {};

package/dist/index.js ADDED Viewed

@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { buildServer } from "./server.js";
+import { resolveStdioCredentials } from "./auth.js";
+import { runLogin } from "./oauth.js";
+import { startHttp } from "./http.js";
+import { PKG_NAME, PKG_VERSION } from "./config.js";
+async function runStdio() {
+    // Credentials are resolved lazily per tool call, so `tools/list` works even
+    // before a token is configured.
+    const server = buildServer(() => resolveStdioCredentials());
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error(`${PKG_NAME} v${PKG_VERSION} ready (stdio)`);
+}
+function printHelp() {
+    console.error(`${PKG_NAME} v${PKG_VERSION}
+Usage:
+  salesforce-mcp-jsforce               Run the MCP server over stdio (default)
+  salesforce-mcp-jsforce http          Run the dedicated streamable-HTTP server
+  salesforce-mcp-jsforce login         OAuth login (PKCE) and save a token
+stdio credentials (one of):
+  SF_ACCESS_TOKEN + SF_INSTANCE_URL    environment variables
+  ~/.config/${PKG_NAME}/token.json     written by \`login\`
+http credentials (per request):
+  X-SF-Access-Token, X-SF-Instance-Url headers
+Common env:
+  SF_API_VERSION   default 62.0
+  SF_READONLY=1    disable create/update/delete tools
+  SF_LOGIN_URL     default https://login.salesforce.com (sandbox: test.salesforce.com)
+`);
+}
+async function main() {
+    const [cmd, ...rest] = process.argv.slice(2);
+    switch (cmd) {
+        case "login":
+            await runLogin(rest);
+            return;
+        case "http": {
+            const port = Number(process.env.PORT || rest[0] || 3000);
+            await startHttp(port);
+            return;
+        }
+        case "-h":
+        case "--help":
+            printHelp();
+            return;
+        default:
+            if (process.env.SF_MCP_TRANSPORT === "http") {
+                await startHttp(Number(process.env.PORT || 3000));
+                return;
+            }
+            await runStdio();
+    }
+}
+main().catch((err) => {
+    console.error(`Fatal: ${err instanceof Error ? err.message : err}`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEpD,KAAK,UAAU,QAAQ;IACrB,4EAA4E;IAC5E,gCAAgC;IAChC,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,uBAAuB,EAAE,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,GAAG,QAAQ,KAAK,WAAW,gBAAgB,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CAAC,KAAK,CAAC,GAAG,QAAQ,KAAK,WAAW;;;;;;;;;cAS7B,QAAQ;;;;;;;;;CASrB,CAAC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7C,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,OAAO;YACV,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;YACrB,OAAO;QACT,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;YACzD,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;YACtB,OAAO;QACT,CAAC;QACD,KAAK,IAAI,CAAC;QACV,KAAK,QAAQ;YACX,SAAS,EAAE,CAAC;YACZ,OAAO;QACT;YACE,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBAC5C,MAAM,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC;gBAClD,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,EAAE,CAAC;IACrB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/oauth.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Run the authorization-code + PKCE flow against a Salesforce External Client
+ * App, exchange the code for a token, persist it, and print ready-to-paste
+ * Claude Code config. The gateway never sees the client secret in this model.
+ */
+export declare function runLogin(argv: string[]): Promise<void>;

package/dist/oauth.js ADDED Viewed

@@ -0,0 +1,142 @@
+import crypto from "node:crypto";
+import http from "node:http";
+import { URL } from "node:url";
+import { exec } from "node:child_process";
+import { DEFAULT_LOGIN_URL, DEFAULT_API_VERSION } from "./config.js";
+import { saveToken, tokenPath } from "./auth.js";
+function parseArgs(argv) {
+    const get = (flag) => {
+        const i = argv.indexOf(flag);
+        return i >= 0 ? argv[i + 1] : undefined;
+    };
+    const clientId = get("--client-id") || process.env.SF_CLIENT_ID;
+    if (!clientId) {
+        throw new Error("Missing client id. Pass --client-id <consumerKey> or set SF_CLIENT_ID " +
+            "(the consumer key of your Salesforce External Client App).");
+    }
+    return {
+        clientId,
+        clientSecret: get("--client-secret") || process.env.SF_CLIENT_SECRET,
+        loginUrl: get("--login-url") || DEFAULT_LOGIN_URL,
+        scope: get("--scope") || process.env.SF_SCOPE || "api refresh_token",
+        callbackPort: Number(get("--port") || process.env.SF_CALLBACK_PORT || 1717),
+    };
+}
+function pkce() {
+    const verifier = crypto.randomBytes(32).toString("base64url");
+    const challenge = crypto
+        .createHash("sha256")
+        .update(verifier)
+        .digest("base64url");
+    return { verifier, challenge };
+}
+function openBrowser(url) {
+    const cmd = process.platform === "darwin"
+        ? "open"
+        : process.platform === "win32"
+            ? "start"
+            : "xdg-open";
+    exec(`${cmd} "${url}"`, () => {
+        /* if it fails, the URL is already printed for manual use */
+    });
+}
+/**
+ * Run the authorization-code + PKCE flow against a Salesforce External Client
+ * App, exchange the code for a token, persist it, and print ready-to-paste
+ * Claude Code config. The gateway never sees the client secret in this model.
+ */
+export async function runLogin(argv) {
+    const opts = parseArgs(argv);
+    const { verifier, challenge } = pkce();
+    const redirectUri = `http://localhost:${opts.callbackPort}/callback`;
+    const state = crypto.randomBytes(16).toString("hex");
+    const authUrl = new URL(`${opts.loginUrl}/services/oauth2/authorize`);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", opts.clientId);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("scope", opts.scope);
+    authUrl.searchParams.set("code_challenge", challenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set("state", state);
+    const code = await new Promise((resolve, reject) => {
+        const server = http.createServer((req, res) => {
+            if (!req.url?.startsWith("/callback")) {
+                res.writeHead(404).end();
+                return;
+            }
+            const url = new URL(req.url, redirectUri);
+            const err = url.searchParams.get("error");
+            if (err) {
+                res.writeHead(400, { "content-type": "text/html" }).end(`<h2>Login failed</h2><p>${err}: ${url.searchParams.get("error_description") ?? ""}</p>`);
+                server.close();
+                reject(new Error(`OAuth error: ${err}`));
+                return;
+            }
+            if (url.searchParams.get("state") !== state) {
+                res.writeHead(400, { "content-type": "text/html" }).end("<h2>State mismatch</h2>");
+                server.close();
+                reject(new Error("OAuth state mismatch — possible CSRF, aborting."));
+                return;
+            }
+            const got = url.searchParams.get("code");
+            res.writeHead(200, { "content-type": "text/html" }).end("<h2>Authenticated ✓</h2><p>You can close this tab and return to your terminal.</p>");
+            server.close();
+            if (got)
+                resolve(got);
+            else
+                reject(new Error("No authorization code returned."));
+        });
+        server.listen(opts.callbackPort, () => {
+            console.error(`\nOpening Salesforce login in your browser…`);
+            console.error(`If it does not open, visit:\n${authUrl.toString()}\n`);
+            openBrowser(authUrl.toString());
+        });
+    });
+    // Exchange the code for a token (PKCE; secret only sent if provided).
+    const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        client_id: opts.clientId,
+        redirect_uri: redirectUri,
+        code_verifier: verifier,
+    });
+    if (opts.clientSecret)
+        body.set("client_secret", opts.clientSecret);
+    const resp = await fetch(`${opts.loginUrl}/services/oauth2/token`, {
+        method: "POST",
+        headers: { "content-type": "application/x-www-form-urlencoded" },
+        body,
+    });
+    const json = (await resp.json());
+    if (!resp.ok || !json.access_token) {
+        throw new Error(`Token exchange failed: ${json.error ?? resp.status} ${json.error_description ?? ""}`);
+    }
+    const creds = {
+        accessToken: json.access_token,
+        instanceUrl: json.instance_url,
+        apiVersion: DEFAULT_API_VERSION,
+        refreshToken: json.refresh_token,
+        clientId: opts.clientId,
+        loginUrl: opts.loginUrl,
+    };
+    saveToken(creds);
+    console.error(`\n✓ Logged in. Token saved to ${tokenPath()}`);
+    console.error(`  Instance: ${creds.instanceUrl}\n`);
+    console.error("Add to Claude Code (stdio) with:\n");
+    console.error("  claude mcp add salesforce -- npx -y @imazhar101/salesforce-mcp-jsforce\n");
+    console.error("…or paste into .mcp.json:\n");
+    console.error(JSON.stringify({
+        mcpServers: {
+            salesforce: {
+                command: "npx",
+                args: ["-y", "@imazhar101/salesforce-mcp-jsforce"],
+                env: {
+                    SF_ACCESS_TOKEN: creds.accessToken,
+                    SF_INSTANCE_URL: creds.instanceUrl,
+                },
+            },
+        },
+    }, null, 2));
+    console.error("\n(The token file is already read automatically, so the env block above is optional.)\n");
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAsB,MAAM,WAAW,CAAC;AAUrE,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAE;QAC3B,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1C,CAAC,CAAC;IACF,MAAM,QAAQ,GAAG,GAAG,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAChE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,wEAAwE;YACtE,4DAA4D,CAC/D,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ;QACR,YAAY,EAAE,GAAG,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;QACpE,QAAQ,EAAE,GAAG,CAAC,aAAa,CAAC,IAAI,iBAAiB;QACjD,KAAK,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,mBAAmB;QACpE,YAAY,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,IAAI,CAAC;KAC5E,CAAC;AACJ,CAAC;AAED,SAAS,IAAI;IACX,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9D,MAAM,SAAS,GAAG,MAAM;SACrB,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,QAAQ,CAAC;SAChB,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,GAAG,GACP,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAC3B,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO;YAC5B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,UAAU,CAAC;IACnB,IAAI,CAAC,GAAG,GAAG,KAAK,GAAG,GAAG,EAAE,GAAG,EAAE;QAC3B,4DAA4D;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAc;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,CAAC;IACvC,MAAM,WAAW,GAAG,oBAAoB,IAAI,CAAC,YAAY,WAAW,CAAC;IACrE,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,4BAA4B,CAAC,CAAC;IACtE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBACtC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;gBACzB,OAAO;YACT,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC1C,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,2BAA2B,GAAG,KAAK,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,MAAM,CACzF,CAAC;gBACF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAC,CAAC;gBACzC,OAAO;YACT,CAAC;YACD,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC5C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;gBACnF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,oFAAoF,CACrF,CAAC;YACF,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,GAAG;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC;;gBACjB,MAAM,CAAC,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,EAAE;YACpC,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,gCAAgC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACtE,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,sEAAsE;IACtE,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,QAAQ;KACxB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,YAAY;QAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAEpE,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,wBAAwB,EAAE;QACjE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA2B,CAAC;IAC3D,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,0BAA0B,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAkB;QAC3B,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,UAAU,EAAE,mBAAmB;QAC/B,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACxB,CAAC;IACF,SAAS,CAAC,KAAK,CAAC,CAAC;IAEjB,OAAO,CAAC,KAAK,CAAC,iCAAiC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,KAAK,CAAC,eAAe,KAAK,CAAC,WAAW,IAAI,CAAC,CAAC;IACpD,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACpD,OAAO,CAAC,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAC5F,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,CACX,IAAI,CAAC,SAAS,CACZ;QACE,UAAU,EAAE;YACV,UAAU,EAAE;gBACV,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,CAAC,IAAI,EAAE,oCAAoC,CAAC;gBAClD,GAAG,EAAE;oBACH,eAAe,EAAE,KAAK,CAAC,WAAW;oBAClC,eAAe,EAAE,KAAK,CAAC,WAAW;iBACnC;aACF;SACF;KACF,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;IACF,OAAO,CAAC,KAAK,CACX,yFAAyF,CAC1F,CAAC;AACJ,CAAC"}

package/dist/server.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { CredentialResolver } from "./auth.js";
+/**
+ * Build a fully wired MCP server. `getCreds` is invoked lazily, once per tool
+ * call — so `tools/list` works with no token present, and the HTTP host can
+ * hand each request its own per-caller credentials.
+ *
+ * @param readOnly when true, write tools are not registered at all.
+ */
+export declare function buildServer(getCreds: CredentialResolver, readOnly?: boolean): McpServer;

package/dist/server.js ADDED Viewed

@@ -0,0 +1,122 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+import { PKG_NAME, PKG_VERSION, READ_ONLY } from "./config.js";
+import * as sf from "./client.js";
+function ok(data) {
+    return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+}
+function fail(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+        content: [{ type: "text", text: JSON.stringify({ error: message }, null, 2) }],
+        isError: true,
+    };
+}
+/**
+ * Build a fully wired MCP server. `getCreds` is invoked lazily, once per tool
+ * call — so `tools/list` works with no token present, and the HTTP host can
+ * hand each request its own per-caller credentials.
+ *
+ * @param readOnly when true, write tools are not registered at all.
+ */
+export function buildServer(getCreds, readOnly = READ_ONLY) {
+    const server = new McpServer({ name: PKG_NAME, version: PKG_VERSION }, { capabilities: { tools: {} } });
+    const conn = () => sf.makeConnection(getCreds());
+    // ── Read tools ───────────────────────────────────────────────────────────────
+    server.tool("salesforce_identity", "Return the identity (user, org, instance) of the supplied token. Use this to confirm the connection is authenticated.", {}, async () => {
+        try {
+            return ok(await sf.identity(conn()));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    server.tool("salesforce_query", "Run a SOQL query and return matching records.", { soql: z.string().describe("A SOQL query, e.g. SELECT Id, Name FROM Account LIMIT 10") }, async ({ soql }) => {
+        try {
+            return ok(await sf.soqlQuery(conn(), soql));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    server.tool("salesforce_search", "Run a SOSL full-text search across objects.", { sosl: z.string().describe("A SOSL search, e.g. FIND {Acme} IN ALL FIELDS RETURNING Account(Id, Name)") }, async ({ sosl }) => {
+        try {
+            return ok(await sf.soslSearch(conn(), sosl));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    server.tool("salesforce_list_objects", "List all sObjects available in the org with their key metadata.", {}, async () => {
+        try {
+            return ok(await sf.listObjects(conn()));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    server.tool("salesforce_describe_object", "Describe an sObject: its fields, types, picklist values, and references (trimmed payload).", { object_name: z.string().describe("API name of the object, e.g. Account or Custom__c") }, async ({ object_name }) => {
+        try {
+            return ok(await sf.describeObject(conn(), object_name));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    server.tool("salesforce_get_record", "Retrieve a single record by Id, optionally limited to specific fields.", {
+        object_name: z.string().describe("API name of the object, e.g. Account"),
+        record_id: z.string().describe("The 15- or 18-char record Id"),
+        fields: z
+            .array(z.string())
+            .optional()
+            .describe("Optional list of field API names; omit for all fields"),
+    }, async ({ object_name, record_id, fields }) => {
+        try {
+            return ok(await sf.getRecord(conn(), object_name, record_id, fields));
+        }
+        catch (e) {
+            return fail(e);
+        }
+    });
+    // ── Write tools (skipped entirely in read-only mode) ──────────────────────────
+    if (!readOnly) {
+        server.tool("salesforce_create_record", "Create a new record on the given object.", {
+            object_name: z.string().describe("API name of the object, e.g. Contact"),
+            data: z
+                .record(z.any())
+                .describe("Field API name → value map for the new record"),
+        }, async ({ object_name, data }) => {
+            try {
+                return ok(await sf.createRecord(conn(), object_name, data));
+            }
+            catch (e) {
+                return fail(e);
+            }
+        });
+        server.tool("salesforce_update_record", "Update fields on an existing record.", {
+            object_name: z.string().describe("API name of the object"),
+            record_id: z.string().describe("The Id of the record to update"),
+            data: z.record(z.any()).describe("Field API name → new value map"),
+        }, async ({ object_name, record_id, data }) => {
+            try {
+                return ok(await sf.updateRecord(conn(), object_name, record_id, data));
+            }
+            catch (e) {
+                return fail(e);
+            }
+        });
+        server.tool("salesforce_delete_record", "Delete a record by Id.", {
+            object_name: z.string().describe("API name of the object"),
+            record_id: z.string().describe("The Id of the record to delete"),
+        }, async ({ object_name, record_id }) => {
+            try {
+                return ok(await sf.deleteRecord(conn(), object_name, record_id));
+            }
+            catch (e) {
+                return fail(e);
+            }
+        });
+    }
+    return server;
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAOlC,SAAS,EAAE,CAAC,IAAa;IACvB,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9E,CAAC;AAED,SAAS,IAAI,CAAC,KAAc;IAC1B,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;QAC9E,OAAO,EAAE,IAAI;KACd,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,QAA4B,EAC5B,WAAoB,SAAS;IAE7B,MAAM,MAAM,GAAG,IAAI,SAAS,CAC1B,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,EACxC,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;IAEF,MAAM,IAAI,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEjD,gFAAgF;IAEhF,MAAM,CAAC,IAAI,CACT,qBAAqB,EACrB,uHAAuH,EACvH,EAAE,EACF,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB,+CAA+C,EAC/C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,0DAA0D,CAAC,EAAE,EACzF,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,6CAA6C,EAC7C,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2EAA2E,CAAC,EAAE,EAC1G,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,iEAAiE,EACjE,EAAE,EACF,KAAK,IAAI,EAAE;QACT,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,4BAA4B,EAC5B,4FAA4F,EAC5F,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mDAAmD,CAAC,EAAE,EACzF,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;QACxB,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,uBAAuB,EACvB,wEAAwE,EACxE;QACE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;QACxE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,8BAA8B,CAAC;QAC9D,MAAM,EAAE,CAAC;aACN,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;aACjB,QAAQ,EAAE;aACV,QAAQ,CAAC,uDAAuD,CAAC;KACrE,EACD,KAAK,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;QAC3C,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC,CACF,CAAC;IAEF,iFAAiF;IAEjF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CACT,0BAA0B,EAC1B,0CAA0C,EAC1C;YACE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;YACxE,IAAI,EAAE,CAAC;iBACJ,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;iBACf,QAAQ,CAAC,+CAA+C,CAAC;SAC7D,EACD,KAAK,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,EAAE;YAC9B,IAAI,CAAC;gBACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC;YAC9D,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CACF,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,0BAA0B,EAC1B,sCAAsC,EACtC;YACE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YAC1D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;YAChE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,gCAAgC,CAAC;SACnE,EACD,KAAK,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE;YACzC,IAAI,CAAC;gBACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC;YACzE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CACF,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,0BAA0B,EAC1B,wBAAwB,EACxB;YACE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YAC1D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;SACjE,EACD,KAAK,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE;YACnC,IAAI,CAAC;gBACH,OAAO,EAAE,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;YACnE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,53 @@
+{
+  "name": "@imazhar101/salesforce-mcp-jsforce",
+  "version": "0.1.0",
+  "description": "A lite, single-org Salesforce MCP server built on jsforce. Bring-your-own OAuth token — no credentials stored server-side. Runs over stdio (Claude Code) or as a dedicated streamable-HTTP server.",
+  "type": "module",
+  "license": "MIT",
+  "author": "imazhar101",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/imazhar101/salesforce-mcp-jsforce.git"
+  },
+  "homepage": "https://github.com/imazhar101/salesforce-mcp-jsforce#readme",
+  "bugs": {
+    "url": "https://github.com/imazhar101/salesforce-mcp-jsforce/issues"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "salesforce",
+    "jsforce",
+    "claude",
+    "oauth"
+  ],
+  "main": "dist/index.js",
+  "bin": {
+    "salesforce-mcp-jsforce": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "login": "tsx src/index.ts login",
+    "http": "tsx src/index.ts http",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0",
+    "jsforce": "^3.6.3",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "tsx": "^4.16.0",
+    "typescript": "^5.5.0"
+  }
+}