@lifeaitools/clauth 1.5.36 → 1.5.38

package/cli/commands/serve.js

@@ -17,6 +17,9 @@ import ora from "ora";
 import { execSync as execSyncTop } from "child_process";
 import Conf from "conf";
 import { getConfOptions } from "../conf-path.js";
+import { readdir, readFile, writeFile, rm, mkdir, stat, rename } from "node:fs/promises";
+import fg from "fast-glob";
+import { rgPath } from "@vscode/ripgrep";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
@@ -2913,8 +2916,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
       const base = oauthBase();
       const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
-      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/fs", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({
         resource: `${base}${resourcePath}`,
         authorization_servers: [base],
@@ -2925,7 +2928,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     if (reqPath === "/.well-known/oauth-authorization-server") {
       const base = oauthBase();
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({
         issuer: base,
         authorization_endpoint: `${base}/authorize`,
@@ -2959,7 +2962,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       oauthClients.set(clientId, client);
       const logMsg = `[${new Date().toISOString()}] OAuth: registered public client ${clientId} (${client.client_name})\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(201, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(201, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify(client));
     }
 
@@ -3011,7 +3014,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
       const logMsg = `[${new Date().toISOString()}] OAuth: authorize → code for ${clientId}, redirect to ${redirect.origin}\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(302, { Location: redirect.toString(), ...CORS });
+      res.writeHead(302, { Location: redirect.toString(), "Cache-Control": "no-store", ...CORS });
       return res.end();
     }
 
@@ -3082,21 +3085,23 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
       const logMsg = `[${new Date().toISOString()}] OAuth: token issued for ${stored.client_id} (token=${accessToken.slice(0,8)}…)\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
-      res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+      res.writeHead(200, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
       return res.end(JSON.stringify({ access_token: accessToken, token_type: "Bearer", scope: "mcp:tools", expires_in: 86400 }));
     }
 
     // ── MCP path helpers ──
-    const MCP_PATHS = ["/mcp", "/gws", "/clauth"];
+    const MCP_PATHS = ["/mcp", "/gws", "/clauth", "/fs"];
     const isMcpPath = MCP_PATHS.includes(reqPath);
     function toolsForPath(p) {
       if (p === "/gws")    return MCP_TOOLS.filter(t => t.name.startsWith("gws_"));
       if (p === "/clauth") return MCP_TOOLS.filter(t => t.name.startsWith("clauth_"));
+      if (p === "/fs")     return MCP_TOOLS.filter(t => t.name.startsWith("fs_"));
       return MCP_TOOLS; // /mcp — all tools
     }
     function serverNameForPath(p) {
       if (p === "/gws")    return "gws";
       if (p === "/clauth") return "clauth";
+      if (p === "/fs")     return "fs";
       return "clauth";
     }
 
@@ -3112,7 +3117,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         const resourceMeta = `${base}/.well-known/oauth-protected-resource/${resourcePath}`;
         res.writeHead(401, {
           "Content-Type": "application/json",
-          "WWW-Authenticate": `Bearer resource_metadata="${resourceMeta}"`,
+          "WWW-Authenticate": `Bearer realm="MCP", resource_metadata="${resourceMeta}"`,
+          "Cache-Control": "no-store",
           ...CORS,
         });
         return res.end(JSON.stringify({
@@ -4781,6 +4787,26 @@ const ENV_MAP = {
   "gmail":            "GMAIL_CREDENTIALS",
 };
 
+// ── Filesystem service config ──
+const FS_MOUNTS = [
+  { name: "regen-root", path: "C:/Dev/regen-root", access: "rwd" },
+];
+
+function resolveInMount(requestedPath, mountName) {
+  const mount = FS_MOUNTS.find(m => m.name === mountName) || FS_MOUNTS[0];
+  if (!mount) return { error: "No filesystem mounts configured" };
+  const resolved = path.resolve(mount.path, requestedPath);
+  const normalized = path.normalize(resolved);
+  if (!normalized.startsWith(path.normalize(mount.path))) {
+    return { error: `Path escapes mount: ${requestedPath}` };
+  }
+  return { resolved: normalized, mount };
+}
+
+function checkAccess(mount, flag) {
+  return mount.access.includes(flag);
+}
+
 const MCP_TOOLS = [
   {
     name: "clauth_ping",
@@ -4958,6 +4984,105 @@ const MCP_TOOLS = [
       additionalProperties: false
     }
   },
+  // ── Filesystem tools ──
+  {
+    name: "fs_read",
+    description: "Read a file. Returns UTF-8 text with line numbers. Supports offset/limit for large files.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path within mount (e.g. 'packages/ui/src/index.ts')" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+        offset: { type: "number", description: "Start line (0-based, default 0)" },
+        limit: { type: "number", description: "Max lines to return (default 500)" },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_write",
+    description: "Write content to a file. Creates parent directories if needed. Overwrites existing file.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path within mount" },
+        content: { type: "string", description: "File content to write" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["path", "content"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_list",
+    description: "List directory contents with file type, size, and modification time.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative directory path (default: mount root)" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_grep",
+    description: "Search file contents using ripgrep. Returns matching lines with context. Spawns rg process.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        pattern: { type: "string", description: "Regex pattern to search for" },
+        path: { type: "string", description: "Relative path to search in (default: mount root)" },
+        glob: { type: "string", description: "File glob filter (e.g. '*.ts', '*.{js,tsx}')" },
+        context: { type: "number", description: "Lines of context around matches (default 0)" },
+        max_results: { type: "number", description: "Max matches (default 50)" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["pattern"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_glob",
+    description: "Find files by glob pattern. Returns matching file paths relative to mount.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        pattern: { type: "string", description: "Glob pattern (e.g. '**/*.tsx', 'apps/*/package.json')" },
+        path: { type: "string", description: "Relative base path (default: mount root)" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["pattern"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_delete",
+    description: "Delete a file or empty directory.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative path to delete" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "fs_mkdir",
+    description: "Create a directory (recursive — creates parents if needed).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Relative directory path to create" },
+        mount: { type: "string", description: "Mount name (default: first mount)" },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+  },
 ];
 
 function writeTempSecret(service, value) {
@@ -5314,6 +5439,162 @@ async function handleMcpTool(vault, name, args) {
       } catch (err) { return mcpError(`gws failed: ${err.stderr || err.stdout || err.message}`); }
     }
 
+    // ── Filesystem tools ──────────────────────────────────────
+
+    case "fs_read": {
+      const r = resolveInMount(args.path, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "r")) return mcpError("Read access denied on this mount");
+      try {
+        const content = await readFile(r.resolved, "utf8");
+        const lines = content.split("\n");
+        const offset = args.offset || 0;
+        const limit = args.limit || 500;
+        const slice = lines.slice(offset, offset + limit);
+        const numbered = slice.map((line, i) => `${offset + i + 1}\t${line}`).join("\n");
+        const header = `${r.resolved} (${lines.length} lines${offset > 0 ? `, showing ${offset + 1}-${Math.min(offset + limit, lines.length)}` : ""})`;
+        return mcpResult(`${header}\n${numbered}`);
+      } catch (err) {
+        if (err.code === "ENOENT") return mcpError(`File not found: ${args.path}`);
+        return mcpError(`Read failed: ${err.message}`);
+      }
+    }
+
+    case "fs_write": {
+      const r = resolveInMount(args.path, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+      try {
+        await mkdir(path.dirname(r.resolved), { recursive: true });
+        await writeFile(r.resolved, args.content, "utf8");
+        return mcpResult(`Written: ${args.path} (${Buffer.byteLength(args.content)} bytes)`);
+      } catch (err) {
+        return mcpError(`Write failed: ${err.message}`);
+      }
+    }
+
+    case "fs_list": {
+      const dirPath = args.path || ".";
+      const r = resolveInMount(dirPath, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "r")) return mcpError("Read access denied on this mount");
+      try {
+        const entries = await readdir(r.resolved, { withFileTypes: true });
+        const results = [];
+        for (const entry of entries) {
+          try {
+            const s = await stat(path.join(r.resolved, entry.name));
+            results.push({
+              name: entry.name,
+              type: entry.isDirectory() ? "dir" : "file",
+              size: s.size,
+              modified: s.mtime.toISOString(),
+            });
+          } catch {
+            results.push({ name: entry.name, type: entry.isDirectory() ? "dir" : "file" });
+          }
+        }
+        return mcpResult(JSON.stringify(results, null, 2));
+      } catch (err) {
+        if (err.code === "ENOENT") return mcpError(`Directory not found: ${dirPath}`);
+        return mcpError(`List failed: ${err.message}`);
+      }
+    }
+
+    case "fs_grep": {
+      const searchPath = args.path || ".";
+      const r = resolveInMount(searchPath, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "r")) return mcpError("Read access denied on this mount");
+
+      const maxResults = args.max_results || 50;
+      const rgArgs = [
+        "--no-heading", "--line-number", "--color", "never",
+        "--max-count", String(maxResults),
+      ];
+      if (args.context) rgArgs.push("-C", String(args.context));
+      if (args.glob) rgArgs.push("--glob", args.glob);
+      rgArgs.push(args.pattern, r.resolved);
+
+      return new Promise((resolve) => {
+        let output = "";
+        let killed = false;
+        const proc = spawnProc(rgPath, rgArgs, { timeout: 15000, windowsHide: true });
+
+        proc.stdout.on("data", (chunk) => {
+          output += chunk.toString();
+          if (output.length > 65536) { // 64KB cap
+            killed = true;
+            proc.kill();
+          }
+        });
+        proc.stderr.on("data", () => {}); // ignore stderr
+
+        proc.on("close", (code) => {
+          if (killed) {
+            resolve(mcpResult(output.slice(0, 65536) + "\n... (output truncated at 64KB)"));
+          } else if (code === 1) {
+            resolve(mcpResult("No matches found"));
+          } else if (output) {
+            // Make paths relative to mount
+            const mountNorm = r.mount.path.replace(/\\/g, "/");
+            const cleaned = output.replace(new RegExp(mountNorm.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + "/?", "g"), "");
+            resolve(mcpResult(cleaned));
+          } else {
+            resolve(mcpResult("No matches found"));
+          }
+        });
+
+        proc.on("error", (err) => {
+          resolve(mcpError(`Grep failed: ${err.message}`));
+        });
+      });
+    }
+
+    case "fs_glob": {
+      const basePath = args.path || ".";
+      const r = resolveInMount(basePath, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "r")) return mcpError("Read access denied on this mount");
+      try {
+        const matches = await fg(args.pattern, {
+          cwd: r.resolved,
+          dot: false,
+          onlyFiles: true,
+          ignore: ["**/node_modules/**", "**/.git/**"],
+        });
+        if (matches.length === 0) return mcpResult("No files matched");
+        return mcpResult(matches.sort().join("\n"));
+      } catch (err) {
+        return mcpError(`Glob failed: ${err.message}`);
+      }
+    }
+
+    case "fs_delete": {
+      const r = resolveInMount(args.path, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "d")) return mcpError("Delete access denied on this mount");
+      try {
+        await rm(r.resolved);
+        return mcpResult(`Deleted: ${args.path}`);
+      } catch (err) {
+        if (err.code === "ENOENT") return mcpError(`Not found: ${args.path}`);
+        return mcpError(`Delete failed: ${err.message}`);
+      }
+    }
+
+    case "fs_mkdir": {
+      const r = resolveInMount(args.path, args.mount);
+      if (r.error) return mcpError(r.error);
+      if (!checkAccess(r.mount, "w")) return mcpError("Write access denied on this mount");
+      try {
+        await mkdir(r.resolved, { recursive: true });
+        return mcpResult(`Created: ${args.path}`);
+      } catch (err) {
+        return mcpError(`Mkdir failed: ${err.message}`);
+      }
+    }
+
     default:
       return mcpError(`Unknown tool: ${name}`);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.36",
+  "version": "1.5.38",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {
@@ -19,7 +19,9 @@
     "conf": "^13.0.0",
     "inquirer": "^10.1.0",
     "node-fetch": "^3.3.2",
-    "ora": "^8.1.0"
+    "ora": "^8.1.0",
+    "@vscode/ripgrep": "^1.15.9",
+    "fast-glob": "^3.3.2"
   },
   "engines": {
     "node": ">=18.0.0"