npm - @loopops/mcp-server - Versions diffs - 2.7.0 → 2.9.0 - Mend

@loopops/mcp-server 2.7.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/api-client.js CHANGED Viewed

@@ -256,6 +256,63 @@ function persistRotatedRefreshToken(newToken) {
         }
     }
 }
+/**
+ * Build a useful error message when Okta rejects our refresh token. The
+ * generic answer ("token may be revoked or idle-expired") is the last
+ * resort — first we check whether settings.json is pointing at the wrong
+ * tenant or client, which is a much more common cause and one the user
+ * cannot diagnose from the bare 400.
+ *
+ * The Loop API exposes the tenant it actually authenticates against at
+ * `GET /api/mcp/tenant-info` (added 2026-04-29 alongside the
+ * trial-2194356 → integrator-4680962 migration). If that endpoint
+ * disagrees with our env vars, we report exactly which key is wrong and
+ * the one-shot fix command. Older webapp deployments will 404 the
+ * endpoint — we silently fall through to the generic message.
+ */
+async function diagnoseRefreshFailure(status, body) {
+    const head = `Okta refresh failed (HTTP ${status}). Detail: ${body.slice(0, 300)}`;
+    const generic = "Your refresh token may be revoked or idle-expired. Re-run " +
+        "`npx @loopops/mcp-cli@latest login` (the `@latest` pin bypasses the " +
+        "npx cache, which can serve a stale cli with old tenant defaults for " +
+        "up to 24h after a publish).";
+    if (!apiUrl)
+        return `${head}\n\n${generic}`;
+    try {
+        const apiBase = new URL(apiUrl).origin;
+        const tenantInfoUrl = `${apiBase}/api/mcp/tenant-info`;
+        const probe = await doFetch(tenantInfoUrl, { method: "GET", headers: { accept: "application/json" } }, 5_000);
+        if (!probe.ok)
+            return `${head}\n\n${generic}`;
+        const live = (await probe.json());
+        const issuerMismatch = !!live.issuer && live.issuer !== oktaIssuer;
+        const clientMismatch = !!live.clientId && live.clientId !== oktaClientId;
+        if (!issuerMismatch && !clientMismatch)
+            return `${head}\n\n${generic}`;
+        const lines = [
+            head,
+            "",
+            "DIAGNOSIS: your MCP config points at a tenant the Loop API does not recognise.",
+        ];
+        if (issuerMismatch) {
+            lines.push(`  OKTA_ISSUER on disk:    ${oktaIssuer}`);
+            lines.push(`  OKTA_ISSUER expected:   ${live.issuer}`);
+        }
+        if (clientMismatch) {
+            lines.push(`  OKTA_CLIENT_ID on disk:  ${oktaClientId}`);
+            lines.push(`  OKTA_CLIENT_ID expected: ${live.clientId}`);
+        }
+        lines.push("");
+        lines.push("Fix: `npx @loopops/mcp-cli@latest login`. The `@latest` pin is " +
+            "important — without it, npx may serve a cached older cli that " +
+            "writes the same wrong defaults right back to disk.");
+        return lines.join("\n");
+    }
+    catch {
+        // Network blip, DNS failure, or older webapp without the endpoint.
+        return `${head}\n\n${generic}`;
+    }
+}
 /**
  * Mint a fresh access token via Okta's /token endpoint. Updates the
  * in-memory cache AND (if Okta rotated the refresh token) persists the
@@ -298,7 +355,8 @@ async function refreshAccessTokenOnce() {
         }, DEFAULT_TIMEOUT_MS);
         if (!response.ok) {
             const body = await response.text().catch(() => "<unreadable>");
-            throw new OktaRefreshError(`Okta refresh failed (HTTP ${response.status}). Your refresh token may be revoked or idle-expired. Re-run \`npx @loopops/mcp-cli login\`. Detail: ${body.slice(0, 300)}`);
+            const diagnosis = await diagnoseRefreshFailure(response.status, body);
+            throw new OktaRefreshError(diagnosis);
         }
         const tokens = (await response.json());
         cachedAccessToken = tokens.access_token;

package/dist/tools/config.js CHANGED Viewed

@@ -343,4 +343,59 @@ export function registerConfigTools(server, allowed) {
             branch: z.string().optional().describe("Branch to read YAML from. Default: main."),
         }, safeTool(async ({ mode, dryRun, useAgent, branch }) => trpcMutation("mcp.assignTerritories", { mode, dryRun, useAgent, branch })));
     }
+    if (allowed.has("show_govern_config")) {
+        server.tool("show_govern_config", [
+            "Read a YAML file under `config/govern/`. Most-common use: viewing",
+            "`schedules` to see what crons exist + their enabled/disabled state.",
+            "Other files: `actions`, `agent`, `audit_config`, `compliance_rules`,",
+            "`health_monitoring`.",
+        ].join(" "), {
+            file: z
+                .enum([
+                "schedules",
+                "actions",
+                "agent",
+                "audit_config",
+                "compliance_rules",
+                "health_monitoring",
+            ])
+                .describe("Which file under config/govern/ to read. `schedules` is the cron table."),
+        }, safeTool(async (input) => trpcQuery("mcp.showGovernConfig", input)));
+    }
+    if (allowed.has("update_govern_config")) {
+        server.tool("update_govern_config", [
+            "Edit a Company Operations governance YAML config (config/govern/*.yaml)",
+            "by committing the new content to the repo via the GitHub API.",
+            "Most-common use: flipping a cron entry's `enabled: true/false` in",
+            "`schedules.yaml`. Workflow: read with show_govern_config, edit, send",
+            "back. Commit goes to target branch (default `main`); Vercel auto-deploys.",
+            "Schedule changes take effect at the next scheduler tick. Adding or",
+            "removing a schedule (not just toggling) also requires a matching",
+            "vercel.json edit.",
+        ].join(" "), {
+            file: z
+                .enum([
+                "schedules",
+                "actions",
+                "agent",
+                "audit_config",
+                "compliance_rules",
+                "health_monitoring",
+            ])
+                .describe("Which file under config/govern/ to update. `schedules` is the cron table."),
+            content: z
+                .string()
+                .min(1)
+                .describe("Full new YAML content. The tool replaces the file wholesale — read with show_govern_config first, edit, send back. Don't drop unrelated entries."),
+            message: z
+                .string()
+                .min(3)
+                .max(72)
+                .describe("Git commit message. Convention: `govern: <what changed and why>` (e.g. 'govern: disable cg_sync_clickhouse cron temporarily')."),
+            branch: z
+                .string()
+                .optional()
+                .describe("Target branch. Default: main. Pass a feature branch for review-before-merge."),
+        }, safeTool(async (input) => trpcMutation("mcp.updateGovernConfig", input)));
+    }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@loopops/mcp-server",
-  "version": "2.7.0",
+  "version": "2.9.0",
   "description": "Loop Operations MCP Server — AI skills for RevOps",
   "license": "UNLICENSED",
   "type": "module",