@lovable.dev/mcp-js 0.5.0

package/dist/protocols/mcp/index.cjs

@@ -0,0 +1,505 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/protocols/mcp/index.ts
+var mcp_exports = {};
+__export(mcp_exports, {
+  createMcpProtocolHandler: () => createMcpProtocolHandler
+});
+module.exports = __toCommonJS(mcp_exports);
+
+// src/protocols/mcp/protocol.ts
+var import_mcp = require("@modelcontextprotocol/sdk/server/mcp.js");
+var import_webStandardStreamableHttp = require("@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js");
+
+// src/core/http.ts
+var JSON_HEADERS = { "Content-Type": "application/json" };
+
+// src/core/promise.ts
+function cachedPromise(load) {
+  let settled = false;
+  let value;
+  return async () => {
+    if (settled)
+      return value;
+    const loaded = await load();
+    settled = true;
+    value = loaded;
+    return loaded;
+  };
+}
+
+// src/core/url.ts
+function trimTrailingSlash(value) {
+  return value.replace(/\/+$/, "");
+}
+function isLocalHTTPHost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+}
+function urlSafetyProblem(url) {
+  const isAllowedHTTP = url.protocol === "http:" && isLocalHTTPHost(url.hostname);
+  if (url.protocol !== "https:" && !isAllowedHTTP) {
+    return "must use https://, except localhost development URLs";
+  }
+  if (url.username || url.password) {
+    return "must not include credentials";
+  }
+  if (url.search || url.hash) {
+    return "must not include query or fragment";
+  }
+  return void 0;
+}
+
+// src/core/validation.ts
+function parseSafeUrl(subject, raw, ErrorClass = Error) {
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    throw new ErrorClass(`${subject} must be an absolute URL`);
+  }
+  const problem = urlSafetyProblem(url);
+  if (problem) {
+    throw new ErrorClass(`${subject} ${problem}`);
+  }
+  return url;
+}
+
+// src/auth/discovery.ts
+var OAuthConfigurationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "OAuthConfigurationError";
+  }
+};
+var METADATA_FETCH_TIMEOUT_MS = 5e3;
+function issuerPath(url) {
+  const path = trimTrailingSlash(url.pathname);
+  return path === "" ? void 0 : path;
+}
+function pathInsertedOAuthMetadataUrls(url, path) {
+  return [
+    `${url.origin}/.well-known/oauth-authorization-server${path}`,
+    `${url.origin}/.well-known/openid-configuration${path}`
+  ];
+}
+function oauthMetadataUrlsForIssuer(issuer) {
+  const normalizedIssuer = trimTrailingSlash(issuer);
+  const url = new URL(normalizedIssuer);
+  const path = issuerPath(url);
+  if (!path) {
+    return [
+      `${normalizedIssuer}/.well-known/oauth-authorization-server`,
+      `${normalizedIssuer}/.well-known/openid-configuration`
+    ];
+  }
+  return [...pathInsertedOAuthMetadataUrls(url, path), `${normalizedIssuer}/.well-known/openid-configuration`];
+}
+async function fetchFirstValidOAuthServerMetadata(metadataUrls, expectedIssuer) {
+  const errors = [];
+  for (const url of metadataUrls) {
+    try {
+      return await fetchOAuthServerMetadata(url, expectedIssuer);
+    } catch (err) {
+      errors.push(`${url}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  throw new Error(`failed to discover OAuth server metadata (${errors.join("; ")})`);
+}
+async function fetchOAuthServerMetadata(url, expectedIssuer) {
+  const response = await fetch(url, { signal: AbortSignal.timeout(METADATA_FETCH_TIMEOUT_MS), redirect: "error" });
+  if (!response.ok) {
+    throw new Error(String(response.status));
+  }
+  const json = await response.json();
+  if (typeof json.issuer !== "string") {
+    throw new Error("missing issuer");
+  }
+  parseSafeUrl("discovered issuer", json.issuer);
+  if (trimTrailingSlash(json.issuer) !== expectedIssuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (typeof json.jwks_uri !== "string") {
+    throw new Error("missing jwks_uri");
+  }
+  parseSafeUrl("discovered jwks_uri", json.jwks_uri);
+  return { issuer: json.issuer, jwks_uri: json.jwks_uri };
+}
+async function fetchIssuerOAuthServerMetadata(issuer) {
+  try {
+    return await fetchFirstValidOAuthServerMetadata(oauthMetadataUrlsForIssuer(issuer), issuer);
+  } catch (err) {
+    throw new OAuthConfigurationError(
+      `OAuth issuer discovery failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function createOAuthDiscoveryResolver(auth) {
+  const configuredIssuer = trimTrailingSlash(auth.issuer);
+  const oauthServerMetadata = cachedPromise(() => fetchIssuerOAuthServerMetadata(configuredIssuer));
+  return {
+    resolveIssuer: async () => configuredIssuer,
+    resolveJwksUri: async () => auth.jwksUri ?? (await oauthServerMetadata()).jwks_uri
+  };
+}
+
+// src/auth/metadata-path.ts
+var OAUTH_PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource";
+
+// src/auth/resource.ts
+function resolveProtectedResource(auth, request, options) {
+  if (auth.resource)
+    return trimTrailingSlash(auth.resource);
+  const path = resolveResourcePath(options.resourcePath, request);
+  const resourceURL = new URL(path, request.url);
+  resourceURL.search = "";
+  resourceURL.hash = "";
+  return trimTrailingSlash(resourceURL.toString());
+}
+function assertResourcePathShape(resourcePath) {
+  if (!resourcePath.startsWith("/") || resourcePath.startsWith("//") || resourcePath.includes("\\") || /(^|\/)\.\.(\/|$)/.test(resourcePath)) {
+    throw new Error(
+      `@lovable.dev/mcp-js: resourcePath must be an absolute path beginning with "/" without ".." segments or backslashes (got ${JSON.stringify(resourcePath)})`
+    );
+  }
+}
+function resolveResourcePath(resourcePath, request) {
+  if (resourcePath === void 0)
+    return new URL(request.url).pathname;
+  assertResourcePathShape(resourcePath);
+  return resourcePath;
+}
+
+// src/auth/verifier.ts
+var import_jose = require("jose");
+
+// src/auth/claims.ts
+function readString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function splitScopes(value) {
+  if (typeof value === "string")
+    return value.split(/\s+/).filter(Boolean);
+  if (Array.isArray(value))
+    return value.filter((entry) => typeof entry === "string" && entry.length > 0);
+  return [];
+}
+function stringClaim(claims, name) {
+  return readString(claims[name]);
+}
+
+// src/auth/verifier.ts
+var DEFAULT_JWT_ALGORITHMS = ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"];
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+var OAuthTokenError = class extends Error {
+  constructor(status, oauthError, message) {
+    super(message);
+    this.status = status;
+    this.oauthError = oauthError;
+    this.name = "OAuthTokenError";
+  }
+};
+function resolveAcceptedAudiences(auth, resource) {
+  return auth.acceptedAudiences ?? [resource];
+}
+function isJwksFetchFailure(err) {
+  if (err instanceof import_jose.errors.JWKSTimeout || err instanceof import_jose.errors.JWKSInvalid)
+    return true;
+  if (!(err instanceof import_jose.errors.JOSEError))
+    return err instanceof Error;
+  return err.code === "ERR_JOSE_GENERIC";
+}
+async function verifyJwtClaims(token, keySet, issuer, audience, auth) {
+  try {
+    const { payload } = await (0, import_jose.jwtVerify)(token, keySet, {
+      // `issuer` is trimmed of any trailing slash; accept both forms so a token whose
+      // `iss` carries the slash the AS publishes still verifies.
+      issuer: [issuer, `${issuer}/`],
+      audience: [...audience],
+      algorithms: auth.algorithms ? [...auth.algorithms] : DEFAULT_JWT_ALGORITHMS,
+      requiredClaims: ["sub", "exp"],
+      clockTolerance: auth.clockToleranceSeconds ?? DEFAULT_CLOCK_TOLERANCE_SECONDS
+    });
+    return payload;
+  } catch (err) {
+    if (isJwksFetchFailure(err)) {
+      throw new OAuthConfigurationError(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    throw err;
+  }
+}
+function assertNonEmptySubject(claims) {
+  const sub = claims["sub"];
+  if (typeof sub !== "string" || sub.trim() === "") {
+    throw new OAuthTokenError(401, "invalid_token", "token subject claim must be a non-empty string");
+  }
+}
+function assertOAuthClientClaim(auth, clientId) {
+  if (auth.requireOAuthClientClaim !== false && !clientId) {
+    throw new OAuthTokenError(401, "invalid_token", "OAuth client claim is required");
+  }
+}
+function makeBearer(token) {
+  return Object.defineProperty({}, "token", { value: token, enumerable: false });
+}
+function buildMcpAuthContext(args) {
+  const { claims } = args;
+  return {
+    type: "oauth",
+    principal: {
+      claims,
+      issuer: args.issuer,
+      resource: args.resource,
+      acceptedAudiences: args.acceptedAudiences,
+      scopes: splitScopes(claims.scope),
+      sub: stringClaim(claims, "sub"),
+      email: stringClaim(claims, "email"),
+      clientId: stringClaim(claims, "client_id") ?? stringClaim(claims, "azp")
+    },
+    bearer: makeBearer(args.token)
+  };
+}
+function createOAuthTokenVerifier(auth, discovery) {
+  const loadRemoteJwksKeySet = cachedPromise(
+    () => discovery.resolveJwksUri().then((jwksURI) => (0, import_jose.createRemoteJWKSet)(new URL(jwksURI)))
+  );
+  return async (token, request, options) => {
+    const resource = resolveProtectedResource(auth, request, options);
+    const issuer = await discovery.resolveIssuer();
+    const acceptedAudiences = resolveAcceptedAudiences(auth, resource);
+    const claims = await verifyJwtClaims(token, await loadRemoteJwksKeySet(), issuer, acceptedAudiences, auth);
+    assertNonEmptySubject(claims);
+    const context = buildMcpAuthContext({ token, claims, issuer, resource, acceptedAudiences });
+    assertOAuthClientClaim(auth, context.principal.clientId);
+    return context;
+  };
+}
+
+// src/auth/authorize.ts
+function quoteAuthenticateParam(value) {
+  const sanitized = value.replace(/[\u0000-\u001F\u007F]/g, "");
+  return `"${sanitized.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+function resolveProtectedResourceMetadataUrl(auth, request) {
+  if (auth.protectedResourceMetadataUrl !== void 0)
+    return auth.protectedResourceMetadataUrl;
+  const base = auth.resource ?? request.url;
+  return new URL(OAUTH_PROTECTED_RESOURCE_METADATA_PATH, base).toString();
+}
+function wwwAuthenticateHeader(auth, request, params = {}) {
+  const values = [
+    `realm=${quoteAuthenticateParam("mcp")}`,
+    `resource_metadata=${quoteAuthenticateParam(resolveProtectedResourceMetadataUrl(auth, request))}`
+  ];
+  if (auth.requiredScopes && auth.requiredScopes.length > 0) {
+    values.push(`scope=${quoteAuthenticateParam(auth.requiredScopes.join(" "))}`);
+  }
+  if (params.error)
+    values.push(`error=${quoteAuthenticateParam(params.error)}`);
+  if (params.errorDescription)
+    values.push(`error_description=${quoteAuthenticateParam(params.errorDescription)}`);
+  return `Bearer ${values.join(", ")}`;
+}
+function challengeResponse(auth, request, status, oauthError, errorDescription) {
+  const headers = new Headers(JSON_HEADERS);
+  headers.set("WWW-Authenticate", wwwAuthenticateHeader(auth, request, { error: oauthError, errorDescription }));
+  headers.set("Cache-Control", "no-store");
+  return new Response(JSON.stringify({ error: status === 403 ? "forbidden" : "unauthorized" }), {
+    status,
+    headers
+  });
+}
+function oauthConfigurationErrorResponse() {
+  return new Response(JSON.stringify({ error: "oauth configuration error" }), {
+    status: 500,
+    headers: { ...JSON_HEADERS, "Cache-Control": "no-store" }
+  });
+}
+function parseBearerToken(request) {
+  const header = request.headers.get("Authorization");
+  if (!header)
+    return void 0;
+  const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+  if (!match)
+    return void 0;
+  const token = match[1].trim();
+  if (token === "" || /\s/.test(token))
+    return void 0;
+  return token;
+}
+function getOAuthRuntime(mcp, options = {}) {
+  if (options.resourcePath !== void 0)
+    assertResourcePathShape(options.resourcePath);
+  const stableOptions = { resourcePath: options.resourcePath };
+  const auth = mcp.auth?.type === "oauth" ? mcp.auth : void 0;
+  if (!auth)
+    return { kind: "unconfigured", options: stableOptions };
+  const discovery = createOAuthDiscoveryResolver(auth);
+  return {
+    kind: "configured",
+    auth,
+    discovery,
+    verify: createOAuthTokenVerifier(auth, discovery),
+    options: stableOptions
+  };
+}
+function missingRequiredScopes(auth, scopes) {
+  const requiredScopes = auth.requiredScopes ?? [];
+  if (requiredScopes.length === 0)
+    return [];
+  const granted = new Set(scopes);
+  return requiredScopes.filter((scope) => !granted.has(scope));
+}
+function assertRequiredScopes(auth, context) {
+  if (missingRequiredScopes(auth, context.principal.scopes).length > 0) {
+    throw new OAuthTokenError(403, "insufficient_scope", "Additional OAuth scope is required");
+  }
+}
+function createRequestAuthorizer(mcp, options = {}) {
+  const runtime = getOAuthRuntime(mcp, options);
+  return {
+    async authorize(request) {
+      if (runtime.kind === "unconfigured")
+        return { ok: true };
+      const token = parseBearerToken(request);
+      if (!token)
+        return { ok: false, response: challengeResponse(runtime.auth, request, 401) };
+      try {
+        const auth = await runtime.verify(token, request, runtime.options);
+        assertRequiredScopes(runtime.auth, auth);
+        return { ok: true, auth };
+      } catch (err) {
+        if (err instanceof OAuthConfigurationError) {
+          return { ok: false, response: oauthConfigurationErrorResponse() };
+        }
+        if (err instanceof OAuthTokenError) {
+          return {
+            ok: false,
+            response: challengeResponse(runtime.auth, request, err.status, err.oauthError, err.message)
+          };
+        }
+        return {
+          ok: false,
+          response: challengeResponse(runtime.auth, request, 401, "invalid_token", "Invalid access token")
+        };
+      }
+    }
+  };
+}
+
+// src/auth/context.ts
+var ToolContext = class {
+  #auth;
+  constructor(auth) {
+    this.#auth = auth;
+  }
+  /** Whether the in-flight tool call carries a verified auth context. */
+  isAuthenticated() {
+    return this.#auth !== void 0;
+  }
+  /** The verified bearer token, or `undefined` when unauthenticated. Pass it to downstream APIs; never return or log it. */
+  getToken() {
+    return this.#auth?.bearer.token;
+  }
+  /** The verified user id (the token `sub`), or `undefined`. */
+  getUserId() {
+    return this.#auth?.principal.sub;
+  }
+  /** The verified user email, or `undefined` when absent. */
+  getUserEmail() {
+    return this.#auth?.principal.email;
+  }
+  /** The verified OAuth `client_id`, or `undefined`. */
+  getClientId() {
+    return this.#auth?.principal.clientId;
+  }
+  /** The verified OAuth scopes, or `undefined` when unauthenticated. */
+  getScopes() {
+    return this.#auth?.principal.scopes;
+  }
+  /** The verified token issuer, or `undefined`. */
+  getIssuer() {
+    return this.#auth?.principal.issuer;
+  }
+  /**
+   * The full verified JWT claims, or `undefined`. Use this for app/business
+   * authorization on issuer-specific claims that have no dedicated accessor.
+   */
+  getClaims() {
+    return this.#auth?.principal.claims;
+  }
+};
+
+// src/protocols/mcp/protocol.ts
+function adaptToolToSdkCallback(tool, auth) {
+  return async (first) => {
+    const args = tool.inputSchema ? first ?? {} : {};
+    let result;
+    try {
+      result = await tool.handler(args, new ToolContext(auth));
+    } catch {
+      return { content: [{ type: "text", text: "tool execution failed" }], isError: true };
+    }
+    if (result == null) {
+      return { content: [{ type: "text", text: `tool "${tool.name}" returned no result` }], isError: true };
+    }
+    return { content: result.content ?? [], structuredContent: result.structuredContent, isError: result.isError };
+  };
+}
+function createMcpProtocolHandler(mcp, options = {}) {
+  const authorizer = createRequestAuthorizer(mcp, options);
+  return async (request) => {
+    const authResult = await authorizer.authorize(request);
+    if (!authResult.ok)
+      return authResult.response;
+    try {
+      const server = new import_mcp.McpServer(
+        { name: mcp.name, version: mcp.version, title: mcp.title },
+        { instructions: mcp.instructions }
+      );
+      for (const tool of mcp.tools) {
+        server.registerTool(
+          tool.name,
+          {
+            title: tool.title,
+            description: tool.description,
+            inputSchema: tool.inputSchema,
+            outputSchema: tool.outputSchema,
+            annotations: tool.annotations
+          },
+          adaptToolToSdkCallback(tool, authResult.auth)
+        );
+      }
+      const transport = new import_webStandardStreamableHttp.WebStandardStreamableHTTPServerTransport({
+        sessionIdGenerator: void 0
+      });
+      await server.connect(transport);
+      return await transport.handleRequest(request);
+    } catch {
+      return Response.json(
+        { jsonrpc: "2.0", id: null, error: { code: -32603, message: "internal error" } },
+        { status: 500 }
+      );
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMcpProtocolHandler
+});

package/dist/protocols/mcp/index.d.cts

@@ -0,0 +1,14 @@
+import { M as McpRuntimeOptions } from '../../authorize-DpTEIFvs.js';
+import { d as McpDefinition } from '../../types-zMlr1mOK.js';
+import 'zod';
+
+type McpProtocolHandler = (request: Request) => Promise<Response>;
+/**
+ * Build a Web-Standard request handler that serves the MCP protocol over
+ * streamable HTTP. A fresh `McpServer` + transport is constructed per
+ * request — the transport is stateless, so this is cheap and there is no
+ * cross-request state to leak.
+ */
+declare function createMcpProtocolHandler(mcp: McpDefinition, options?: McpRuntimeOptions): McpProtocolHandler;
+
+export { type McpProtocolHandler, createMcpProtocolHandler };

package/dist/protocols/mcp/index.d.ts

@@ -0,0 +1,14 @@
+import { M as McpRuntimeOptions } from '../../authorize-DpTEIFvs.js';
+import { d as McpDefinition } from '../../types-zMlr1mOK.js';
+import 'zod';
+
+type McpProtocolHandler = (request: Request) => Promise<Response>;
+/**
+ * Build a Web-Standard request handler that serves the MCP protocol over
+ * streamable HTTP. A fresh `McpServer` + transport is constructed per
+ * request — the transport is stateless, so this is cheap and there is no
+ * cross-request state to leak.
+ */
+declare function createMcpProtocolHandler(mcp: McpDefinition, options?: McpRuntimeOptions): McpProtocolHandler;
+
+export { type McpProtocolHandler, createMcpProtocolHandler };

package/dist/protocols/mcp/index.js

@@ -0,0 +1,10 @@
+import {
+  createMcpProtocolHandler
+} from "../../chunk-GLG5RZGE.js";
+import "../../chunk-MA5H6PSF.js";
+import "../../chunk-XEDRJFAR.js";
+import "../../chunk-QA3FWDUV.js";
+import "../../chunk-6DXGZZA4.js";
+export {
+  createMcpProtocolHandler
+};