@ldraney/github-mcp 0.1.0

package/README.md

@@ -0,0 +1,131 @@
+# github-mcp
+
+A comprehensive GitHub MCP server with OAuth Device Flow authentication and 800+ endpoint coverage.
+
+## Features
+
+- **800+ GitHub API endpoints** as MCP tools (vs ~50 in official server)
+- **OAuth Device Flow** - No PAT management, just authenticate in browser
+- **OS Keychain storage** - Secure token storage via keytar
+- **Real-time webhooks** - GitHub events as MCP resources via smee.io
+- **npx installable** - No Docker required
+
+## Quick Start
+
+```bash
+npx github-mcp
+```
+
+On first run:
+1. Opens browser to github.com/login/device
+2. Enter the displayed code
+3. Token stored securely in OS keychain
+4. MCP server starts with all tools available
+
+## Installation
+
+```bash
+npm install -g github-mcp
+```
+
+Or run directly:
+
+```bash
+npx github-mcp
+```
+
+## Usage
+
+### As MCP Server
+
+Add to your Claude Desktop config:
+
+```json
+{
+  "mcpServers": {
+    "github": {
+      "command": "npx",
+      "args": ["github-mcp"]
+    }
+  }
+}
+```
+
+### CLI Commands
+
+```bash
+# Start server (default)
+github-mcp
+
+# Auth commands
+github-mcp auth login    # Trigger OAuth flow
+github-mcp auth logout   # Remove stored token
+github-mcp auth status   # Check auth status
+
+# With environment token (skips OAuth)
+GITHUB_TOKEN=ghp_xxx github-mcp
+```
+
+## Available Tools
+
+Tools are organized by GitHub API category:
+
+| Category | Examples |
+|----------|----------|
+| `github_repos_*` | list, get, create, delete |
+| `github_issues_*` | list, get, create, update, comment |
+| `github_pulls_*` | list, get, create, merge, review |
+| `github_users_*` | get, list, followers |
+| `github_actions_*` | workflows, runs, jobs |
+| `github_gists_*` | list, get, create |
+| ... | 38 categories total |
+
+## Webhook Events
+
+When webhooks are configured, events appear as MCP resources:
+
+```
+github://webhooks/push
+github://webhooks/pull_request
+github://webhooks/issues
+```
+
+### Setting Up Webhooks
+
+1. Server generates a smee.io channel on first run
+2. Add the channel URL as a webhook in your repo settings
+3. Events stream to the MCP server in real-time
+
+## Configuration
+
+Environment variables:
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `GITHUB_TOKEN` | Skip OAuth, use this token | No |
+| `GITHUB_CLIENT_ID` | OAuth App client ID | For OAuth |
+| `SMEE_URL` | Custom smee.io channel | No |
+
+## Comparison with Official GitHub MCP
+
+| Feature | Official (Go) | github-mcp |
+|---------|---------------|------------|
+| Endpoints | ~50 | 800+ |
+| Auth | PAT only | OAuth Device Flow |
+| Webhooks | No | Yes (smee.io) |
+| Install | Docker | npx |
+| Token Storage | Manual | OS Keychain |
+
+## Development
+
+```bash
+git clone https://github.com/ldraney/github-mcp.git
+cd github-mcp
+npm install
+npm run build
+npm start
+```
+
+## License
+
+MIT

package/dist/auth/local-server.d.ts

@@ -0,0 +1,16 @@
+interface CallbackResult {
+    token: string;
+    scopes?: string;
+}
+/**
+ * Start a temporary HTTP server to receive OAuth callback
+ *
+ * @param expectedNonce - The nonce to validate against
+ * @returns Promise that resolves with token when callback is received
+ */
+export declare function startLocalCallbackServer(expectedNonce: string): Promise<{
+    port: number;
+    waitForCallback: () => Promise<CallbackResult>;
+    close: () => void;
+}>;
+export {};

package/dist/auth/local-server.js

@@ -0,0 +1,146 @@
+import http from 'node:http';
+import { URL } from 'node:url';
+/**
+ * Start a temporary HTTP server to receive OAuth callback
+ *
+ * @param expectedNonce - The nonce to validate against
+ * @returns Promise that resolves with token when callback is received
+ */
+export function startLocalCallbackServer(expectedNonce) {
+    return new Promise((resolveServer, rejectServer) => {
+        let callbackResolve;
+        let callbackReject;
+        const callbackPromise = new Promise((resolve, reject) => {
+            callbackResolve = resolve;
+            callbackReject = reject;
+        });
+        const server = http.createServer((req, res) => {
+            if (!req.url) {
+                res.writeHead(400);
+                res.end('Bad request');
+                return;
+            }
+            const url = new URL(req.url, `http://localhost`);
+            if (url.pathname !== '/callback') {
+                res.writeHead(404);
+                res.end('Not found');
+                return;
+            }
+            const token = url.searchParams.get('token');
+            const nonce = url.searchParams.get('nonce');
+            const scopes = url.searchParams.get('scope');
+            const error = url.searchParams.get('error');
+            if (error) {
+                res.writeHead(400, { 'Content-Type': 'text/html' });
+                res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Auth Error</title></head>
+          <body>
+            <h1>Authentication Failed</h1>
+            <p>${error}</p>
+            <p>You can close this window.</p>
+          </body>
+          </html>
+        `);
+                callbackReject(new Error(error));
+                return;
+            }
+            if (!token) {
+                res.writeHead(400, { 'Content-Type': 'text/html' });
+                res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Auth Error</title></head>
+          <body>
+            <h1>Authentication Failed</h1>
+            <p>No token received.</p>
+            <p>You can close this window.</p>
+          </body>
+          </html>
+        `);
+                callbackReject(new Error('No token received'));
+                return;
+            }
+            if (nonce !== expectedNonce) {
+                res.writeHead(400, { 'Content-Type': 'text/html' });
+                res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><title>Auth Error</title></head>
+          <body>
+            <h1>Authentication Failed</h1>
+            <p>Invalid nonce - possible CSRF attack.</p>
+            <p>You can close this window.</p>
+          </body>
+          </html>
+        `);
+                callbackReject(new Error('Nonce mismatch - possible CSRF attack'));
+                return;
+            }
+            // Success!
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end(`
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <title>Authentication Successful</title>
+          <style>
+            body {
+              font-family: system-ui, sans-serif;
+              display: flex;
+              justify-content: center;
+              align-items: center;
+              height: 100vh;
+              margin: 0;
+              background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            }
+            .card {
+              background: white;
+              padding: 40px;
+              border-radius: 16px;
+              box-shadow: 0 10px 40px rgba(0,0,0,0.2);
+              text-align: center;
+            }
+            .checkmark {
+              font-size: 64px;
+              margin-bottom: 20px;
+            }
+            h1 { color: #333; margin: 0 0 10px 0; }
+            p { color: #666; margin: 0; }
+          </style>
+        </head>
+        <body>
+          <div class="card">
+            <div class="checkmark">&#10003;</div>
+            <h1>Authenticated!</h1>
+            <p>You can close this window and return to your terminal.</p>
+          </div>
+        </body>
+        </html>
+      `);
+            callbackResolve({ token, scopes: scopes || undefined });
+        });
+        // Listen on random available port
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            if (!address || typeof address === 'string') {
+                rejectServer(new Error('Failed to get server port'));
+                return;
+            }
+            resolveServer({
+                port: address.port,
+                waitForCallback: () => callbackPromise,
+                close: () => server.close(),
+            });
+        });
+        server.on('error', (err) => {
+            rejectServer(err);
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            callbackReject(new Error('Authentication timed out'));
+            server.close();
+        }, 5 * 60 * 1000);
+    });
+}

package/dist/auth/oauth-device-flow.d.ts

@@ -0,0 +1,20 @@
+export interface DeviceFlowVerification {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    interval: number;
+}
+/**
+ * Perform OAuth Device Flow authentication
+ */
+export declare function login(): Promise<string | null>;
+/**
+ * Remove stored credentials
+ */
+export declare function logout(): Promise<void>;
+/**
+ * Check and display authentication status
+ */
+export declare function getAuthStatus(): Promise<void>;
+//# sourceMappingURL=oauth-device-flow.d.ts.map

package/dist/auth/oauth-device-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/oauth-device-flow.ts"],"names":[],"mappings":"AAwBA,MAAM,WAAW,sBAAsB;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAsB,KAAK,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA4DpD;AAED;;GAEG;AACH,wBAAsB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAQ5C;AAED;;GAEG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CA2BnD"}

package/dist/auth/oauth-device-flow.js

@@ -0,0 +1,141 @@
+import { createOAuthDeviceAuth } from '@octokit/auth-oauth-device';
+import { Octokit } from '@octokit/rest';
+import { setToken, getToken, deleteToken } from './token-storage.js';
+// Default GitHub OAuth App client ID
+// Users should register their own OAuth App for production use
+const DEFAULT_CLIENT_ID = process.env.GITHUB_CLIENT_ID || 'Ov23liXXXXXXXXXXXXXX';
+// Scopes needed for full GitHub API access
+const SCOPES = [
+    'repo',
+    'read:org',
+    'read:user',
+    'user:email',
+    'read:project',
+    'write:discussion',
+    'gist',
+    'notifications',
+    'workflow',
+    'read:packages',
+    'admin:repo_hook',
+    'admin:org_hook',
+];
+/**
+ * Perform OAuth Device Flow authentication
+ */
+export async function login() {
+    const clientId = process.env.GITHUB_CLIENT_ID || DEFAULT_CLIENT_ID;
+    if (clientId === DEFAULT_CLIENT_ID || clientId.startsWith('Ov23liXXXX')) {
+        console.error('\n⚠️  No GITHUB_CLIENT_ID set. Please register an OAuth App:');
+        console.error('   1. Go to https://github.com/settings/developers');
+        console.error('   2. Click "New OAuth App"');
+        console.error('   3. Set callback URL to: http://localhost/callback');
+        console.error('   4. Enable "Device Flow" in the app settings');
+        console.error('   5. Set GITHUB_CLIENT_ID environment variable\n');
+        return null;
+    }
+    console.error('\n🔐 Starting GitHub OAuth Device Flow...\n');
+    try {
+        const auth = createOAuthDeviceAuth({
+            clientType: 'oauth-app',
+            clientId,
+            scopes: SCOPES,
+            onVerification: (verification) => {
+                console.error('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+                console.error('');
+                console.error('  📋 Your verification code:');
+                console.error('');
+                console.error(`     ${verification.user_code}`);
+                console.error('');
+                console.error('  🌐 Open this URL in your browser:');
+                console.error('');
+                console.error(`     ${verification.verification_uri}`);
+                console.error('');
+                console.error('  ⏳ Waiting for authorization...');
+                console.error('');
+                console.error('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+                // Try to open browser automatically
+                openBrowser(verification.verification_uri);
+            },
+        });
+        const { token } = await auth({ type: 'oauth' });
+        // Store token securely
+        await setToken(token);
+        // Verify token works
+        const octokit = new Octokit({ auth: token });
+        const { data: user } = await octokit.users.getAuthenticated();
+        console.error('');
+        console.error(`✅ Successfully authenticated as: ${user.login}`);
+        console.error('   Token stored securely in OS keychain');
+        console.error('');
+        return token;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        console.error(`\n❌ Authentication failed: ${message}\n`);
+        return null;
+    }
+}
+/**
+ * Remove stored credentials
+ */
+export async function logout() {
+    const deleted = await deleteToken();
+    if (deleted) {
+        console.error('✅ Logged out. Token removed from keychain.');
+    }
+    else {
+        console.error('ℹ️  No stored credentials found.');
+    }
+}
+/**
+ * Check and display authentication status
+ */
+export async function getAuthStatus() {
+    const token = process.env.GITHUB_TOKEN || await getToken();
+    if (!token) {
+        console.error('❌ Not authenticated');
+        console.error('   Run: github-mcp auth login');
+        return;
+    }
+    try {
+        const octokit = new Octokit({ auth: token });
+        const { data: user } = await octokit.users.getAuthenticated();
+        console.error('✅ Authenticated');
+        console.error(`   User: ${user.login}`);
+        console.error(`   Name: ${user.name || 'Not set'}`);
+        console.error(`   Email: ${user.email || 'Not public'}`);
+        if (process.env.GITHUB_TOKEN) {
+            console.error('   Source: GITHUB_TOKEN environment variable');
+        }
+        else {
+            console.error('   Source: OS keychain');
+        }
+    }
+    catch (error) {
+        console.error('❌ Token is invalid or expired');
+        console.error('   Run: github-mcp auth login');
+    }
+}
+/**
+ * Open URL in default browser (cross-platform)
+ */
+function openBrowser(url) {
+    const { exec } = require('child_process');
+    const platform = process.platform;
+    let command;
+    if (platform === 'darwin') {
+        command = `open "${url}"`;
+    }
+    else if (platform === 'win32') {
+        command = `start "${url}"`;
+    }
+    else {
+        command = `xdg-open "${url}"`;
+    }
+    exec(command, (error) => {
+        if (error) {
+            // Silent fail - user can manually open the URL
+        }
+    });
+}
+//# sourceMappingURL=oauth-device-flow.js.map

package/dist/auth/oauth-device-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-device-flow.js","sourceRoot":"","sources":["../../src/auth/oauth-device-flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAErE,qCAAqC;AACrC,+DAA+D;AAC/D,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,sBAAsB,CAAC;AAEjF,2CAA2C;AAC3C,MAAM,MAAM,GAAG;IACb,MAAM;IACN,UAAU;IACV,WAAW;IACX,YAAY;IACZ,cAAc;IACd,kBAAkB;IAClB,MAAM;IACN,eAAe;IACf,UAAU;IACV,eAAe;IACf,iBAAiB;IACjB,gBAAgB;CACjB,CAAC;AAUF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK;IACzB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,iBAAiB,CAAC;IAEnE,IAAI,QAAQ,KAAK,iBAAiB,IAAI,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACxE,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAC9E,OAAO,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACpE,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7C,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,qBAAqB,CAAC;YACjC,UAAU,EAAE,WAAW;YACvB,QAAQ;YACR,MAAM,EAAE,MAAM;YACd,cAAc,EAAE,CAAC,YAAY,EAAE,EAAE;gBAC/B,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;gBAChF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBAC9C,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,QAAQ,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC;gBAChD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;gBACrD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,QAAQ,YAAY,CAAC,gBAAgB,EAAE,CAAC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;gBAEhF,oCAAoC;gBACpC,WAAW,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;YAC7C,CAAC;SACF,CAAC,CAAC;QAEH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEhD,uBAAuB;QACvB,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEtB,qBAAqB;QACrB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAE9D,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,oCAAoC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACzD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAElB,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACzE,OAAO,CAAC,KAAK,CAAC,8BAA8B,OAAO,IAAI,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM;IAC1B,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;IAEpC,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,QAAQ,EAAE,CAAC;IAE3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACrC,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC/C,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAE9D,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,KAAK,IAAI,YAAY,EAAE,CAAC,CAAC;QAEzD,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC/C,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,OAAe,CAAC;IACpB,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,GAAG,SAAS,GAAG,GAAG,CAAC;IAC5B,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,GAAG,UAAU,GAAG,GAAG,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,aAAa,GAAG,GAAG,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC,KAAmB,EAAE,EAAE;QACpC,IAAI,KAAK,EAAE,CAAC;YACV,+CAA+C;QACjD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/auth/oauth-flow.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Get existing token (from env or keychain)
+ */
+export declare function getToken(): Promise<string | null>;
+/**
+ * Start OAuth login flow
+ */
+export declare function login(): Promise<string | null>;
+/**
+ * Logout - remove stored token
+ */
+export declare function logout(): Promise<void>;
+/**
+ * Get authentication status
+ */
+export declare function getAuthStatus(): Promise<{
+    authenticated: boolean;
+    username?: string;
+    scopes?: string[];
+}>;

package/dist/auth/oauth-flow.js

@@ -0,0 +1,95 @@
+import crypto from 'node:crypto';
+import open from 'open';
+import { Octokit } from '@octokit/rest';
+import { startLocalCallbackServer } from './local-server.js';
+import { storeToken, retrieveToken, retrieveScopes, deleteToken } from './token-storage.js';
+// OAuth configuration
+const GITHUB_CLIENT_ID = process.env.GITHUB_CLIENT_ID || 'Ov23liEtc0pnj6t2b6Jr';
+const AUTH_BACKEND_URL = process.env.AUTH_BACKEND_URL || 'https://gh-mcp-auth.fly.dev';
+const OAUTH_SCOPES = 'repo,read:org,read:user,gist,notifications,workflow';
+/**
+ * Generate a cryptographically secure random nonce
+ */
+function generateNonce() {
+    return crypto.randomBytes(24).toString('base64url');
+}
+/**
+ * Get existing token (from env or keychain)
+ */
+export async function getToken() {
+    // Environment variable takes precedence
+    if (process.env.GITHUB_TOKEN) {
+        return process.env.GITHUB_TOKEN;
+    }
+    // Try keychain
+    return retrieveToken();
+}
+/**
+ * Start OAuth login flow
+ */
+export async function login() {
+    // Check environment first
+    if (process.env.GITHUB_TOKEN) {
+        console.log('Using GITHUB_TOKEN from environment');
+        return process.env.GITHUB_TOKEN;
+    }
+    const nonce = generateNonce();
+    // Start local callback server
+    const { port, waitForCallback, close } = await startLocalCallbackServer(nonce);
+    // Build OAuth URL
+    const state = `${port}:${nonce}`;
+    const authUrl = new URL('https://github.com/login/oauth/authorize');
+    authUrl.searchParams.set('client_id', GITHUB_CLIENT_ID);
+    authUrl.searchParams.set('redirect_uri', `${AUTH_BACKEND_URL}/callback`);
+    authUrl.searchParams.set('scope', OAUTH_SCOPES);
+    authUrl.searchParams.set('state', state);
+    console.log('Opening browser for GitHub authentication...');
+    console.log(`If browser doesn't open, visit: ${authUrl.toString()}`);
+    // Open browser
+    await open(authUrl.toString());
+    try {
+        // Wait for callback
+        console.log('Waiting for authentication...');
+        const { token, scopes } = await waitForCallback();
+        // Store in keychain
+        await storeToken(token, scopes);
+        console.log('Token stored securely in keychain.');
+        return token;
+    }
+    catch (error) {
+        console.error('Authentication failed:', error instanceof Error ? error.message : error);
+        return null;
+    }
+    finally {
+        close();
+    }
+}
+/**
+ * Logout - remove stored token
+ */
+export async function logout() {
+    await deleteToken();
+}
+/**
+ * Get authentication status
+ */
+export async function getAuthStatus() {
+    const token = await getToken();
+    if (!token) {
+        return { authenticated: false };
+    }
+    try {
+        const octokit = new Octokit({ auth: token });
+        const { data: user } = await octokit.users.getAuthenticated();
+        const scopes = await retrieveScopes();
+        return {
+            authenticated: true,
+            username: user.login,
+            scopes: scopes?.split(',') || undefined,
+        };
+    }
+    catch {
+        // Token might be invalid
+        return { authenticated: false };
+    }
+}

package/dist/auth/token-storage.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Store token securely in OS keychain
+ */
+export declare function storeToken(token: string, scopes?: string): Promise<void>;
+/**
+ * Retrieve token from OS keychain
+ */
+export declare function retrieveToken(): Promise<string | null>;
+/**
+ * Retrieve stored scopes
+ */
+export declare function retrieveScopes(): Promise<string | null>;
+/**
+ * Delete token from OS keychain
+ */
+export declare function deleteToken(): Promise<boolean>;

package/dist/auth/token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../src/auth/token-storage.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,wBAAsB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAE3D;AAED;;GAEG;AACH,wBAAsB,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAEvD;AAED;;GAEG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAEpD;AAED;;GAEG;AACH,wBAAsB,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC,CAGjD"}

package/dist/auth/token-storage.js

@@ -0,0 +1,33 @@
+import keytar from 'keytar';
+const SERVICE_NAME = 'github-mcp';
+const ACCOUNT_NAME = 'oauth-token';
+const SCOPE_ACCOUNT = 'oauth-scopes';
+/**
+ * Store token securely in OS keychain
+ */
+export async function storeToken(token, scopes) {
+    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
+    if (scopes) {
+        await keytar.setPassword(SERVICE_NAME, SCOPE_ACCOUNT, scopes);
+    }
+}
+/**
+ * Retrieve token from OS keychain
+ */
+export async function retrieveToken() {
+    return keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+}
+/**
+ * Retrieve stored scopes
+ */
+export async function retrieveScopes() {
+    return keytar.getPassword(SERVICE_NAME, SCOPE_ACCOUNT);
+}
+/**
+ * Delete token from OS keychain
+ */
+export async function deleteToken() {
+    const tokenDeleted = await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    await keytar.deletePassword(SERVICE_NAME, SCOPE_ACCOUNT);
+    return tokenDeleted;
+}

package/dist/auth/token-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.js","sourceRoot":"","sources":["../../src/auth/token-storage.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,YAAY,GAAG,YAAY,CAAC;AAClC,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAE1C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAAa;IAC1C,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,OAAO,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,OAAO,MAAM,MAAM,CAAC,cAAc,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,MAAM,KAAK,GAAG,MAAM,QAAQ,EAAE,CAAC;IAC/B,OAAO,KAAK,KAAK,IAAI,CAAC;AACxB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}