@lovable.dev/mcp-js 0.5.0

package/dist/stacks/tanstack/vite.js

@@ -0,0 +1,263 @@
+import {
+  OAUTH_PROTECTED_RESOURCE_METADATA_PATH
+} from "../../chunk-6DXGZZA4.js";
+
+// src/stacks/tanstack/vite.ts
+import { lstatSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from "fs";
+import { dirname, join, relative, resolve, sep } from "path";
+var GENERATED_BANNER = "// AUTO-GENERATED by @lovable.dev/mcp-js \u2014 do not edit. Regenerated by the Vite plugin.\n// To take ownership, delete this banner line; the plugin then leaves the file alone.";
+function isFileMissing(err) {
+  return typeof err === "object" && err !== null && "code" in err && err.code === "ENOENT";
+}
+function normalizePath(p) {
+  return p.split(sep).join("/");
+}
+function assertContains(parent, child, label) {
+  if (child !== parent && !child.startsWith(parent + sep)) {
+    throw new Error(`@lovable.dev/mcp-js: ${label} must resolve under ${parent}, got ${child}`);
+  }
+}
+function wellKnownRouteFile(routesDir, urlPath) {
+  const segments = urlPath.replace(/^\//, "").split("/");
+  const fileSegments = segments.map((segment, index) => {
+    const escaped = segment.startsWith(".") ? `[${segment}]` : segment;
+    return index === segments.length - 1 ? `${escaped}.ts` : escaped;
+  });
+  return resolve(routesDir, ...fileSegments);
+}
+function resolveAllRoutes(projectRoot, routesDirOption, routeFileName) {
+  const routesDir = resolve(projectRoot, routesDirOption);
+  assertContains(projectRoot, routesDir, `routesDir "${routesDirOption}"`);
+  const mcpRouteFile = resolve(routesDir, routeFileName);
+  assertContains(routesDir, mcpRouteFile, `routeFileName "${routeFileName}"`);
+  return {
+    routesDir,
+    mcpRouteFile,
+    metadataRouteFile: wellKnownRouteFile(routesDir, OAUTH_PROTECTED_RESOURCE_METADATA_PATH),
+    listToolsRouteFile: resolve(routesDir, "[.mcp]", "list-tools.ts"),
+    invokeToolRouteFile: resolve(routesDir, "[.mcp]", "invoke-tool", "$tool.ts")
+  };
+}
+function assertUrlPathShape(urlPath) {
+  if (!urlPath.startsWith("/")) {
+    throw new Error(`@lovable.dev/mcp-js: path must start with "/", got "${urlPath}"`);
+  }
+  if (/\/{2,}/.test(urlPath)) {
+    throw new Error(`@lovable.dev/mcp-js: path "${urlPath}" contains empty segments ("//")`);
+  }
+  const trimmed = urlPath.replace(/^\/+/, "").replace(/\/+$/, "");
+  if (!trimmed) {
+    throw new Error(`@lovable.dev/mcp-js: path "${urlPath}" has no route segment`);
+  }
+  if (!/^[a-zA-Z0-9_\-/]+$/.test(trimmed)) {
+    throw new Error(`@lovable.dev/mcp-js: path "${urlPath}" contains unsupported characters`);
+  }
+  return trimmed;
+}
+function deriveRouteFileName(urlPath) {
+  return `${assertUrlPathShape(urlPath)}.ts`;
+}
+function canonicalUrlPath(urlPath) {
+  return `/${urlPath.replace(/^\/+/, "").replace(/\/+$/, "")}`;
+}
+function relativeImportSpecifier(routeFile, target) {
+  const rel = normalizePath(relative(dirname(routeFile), target));
+  const withoutExt = rel.replace(/\.ts$/, "");
+  return withoutExt.startsWith(".") ? withoutExt : `./${withoutExt}`;
+}
+function buildRouteSource(route, resourcePath, mcpEntry, projectRoot) {
+  const mcpImport = relativeImportSpecifier(route.file, mcpEntry);
+  const routeRel = normalizePath(relative(projectRoot, route.file));
+  const note = route.spaFallbackNote ? "      // ANY: TanStack returns SPA HTML for methods not in `handlers`; the SDK 405s instead.\n" : "";
+  return `${GENERATED_BANNER}
+// route: ${route.routeLiteral}
+// emitted to: ${routeRel}
+
+import { createFileRoute } from "@tanstack/react-router";
+
+import { ${route.handlerFactory} } from "@lovable.dev/mcp-js/stacks/tanstack";
+
+import mcp from "${mcpImport}";
+
+export const Route = createFileRoute("${route.routeLiteral}")({
+  server: {
+    handlers: {
+${note}      ANY: ${route.handlerFactory}(mcp, { resourcePath: "${resourcePath}" }),
+    },
+  },
+});
+`;
+}
+function hasGeneratedBanner(content) {
+  return content.replace(/\r\n/g, "\n").startsWith(GENERATED_BANNER);
+}
+function writeIfChanged(file, content) {
+  let existing;
+  try {
+    existing = readFileSync(file, "utf8");
+  } catch (err) {
+    if (!isFileMissing(err))
+      throw err;
+  }
+  if (existing !== void 0) {
+    if (!hasGeneratedBanner(existing)) {
+      throw new Error(
+        `@lovable.dev/mcp-js: refusing to overwrite user-authored route at ${file}. Delete it or move it first.`
+      );
+    }
+    if (existing === content)
+      return false;
+  }
+  mkdirSync(dirname(file), { recursive: true });
+  writeFileSync(file, content, "utf8");
+  return true;
+}
+function fileStartsWithBanner(file) {
+  try {
+    return hasGeneratedBanner(readFileSync(file, "utf8"));
+  } catch (err) {
+    if (isFileMissing(err))
+      return false;
+    throw err;
+  }
+}
+function findAdoptedFiles(routesDir) {
+  const adopted = [];
+  const visit = (dir) => {
+    let entries;
+    try {
+      entries = readdirSync(dir);
+    } catch (err) {
+      if (isFileMissing(err))
+        return;
+      throw err;
+    }
+    for (const entry of entries) {
+      const full = join(dir, entry);
+      let stat;
+      try {
+        stat = lstatSync(full);
+      } catch (err) {
+        if (isFileMissing(err))
+          continue;
+        throw err;
+      }
+      if (stat.isDirectory()) {
+        visit(full);
+      } else if (entry.endsWith(".ts") && fileStartsWithBanner(full)) {
+        adopted.push(full);
+      }
+    }
+  };
+  visit(routesDir);
+  return adopted;
+}
+function mcpPlugin(options = {}) {
+  const mcpEntryOption = options.mcpEntry ?? "src/lib/mcp/index.ts";
+  const routesDirOption = options.routesDir ?? "src/routes";
+  const rawUrlPath = options.path ?? "/mcp";
+  assertUrlPathShape(rawUrlPath);
+  const routeFileName = options.routeFileName ?? deriveRouteFileName(rawUrlPath);
+  const urlPath = canonicalUrlPath(rawUrlPath);
+  const emitRestRoutes = options.restRoutes !== false;
+  const emitProtectedResourceMetadataRoute = options.protectedResourceMetadataRoute !== false;
+  let projectRoot = process.cwd();
+  let mcpEntry = resolve(projectRoot, mcpEntryOption);
+  let { routesDir, mcpRouteFile, metadataRouteFile, listToolsRouteFile, invokeToolRouteFile } = resolveAllRoutes(
+    projectRoot,
+    routesDirOption,
+    routeFileName
+  );
+  const regenerate = () => {
+    let mcpEntryExists = true;
+    try {
+      lstatSync(mcpEntry);
+    } catch (err) {
+      if (!isFileMissing(err))
+        throw err;
+      mcpEntryExists = false;
+    }
+    const expected = /* @__PURE__ */ new Set();
+    if (mcpEntryExists) {
+      const routes = [
+        { file: mcpRouteFile, routeLiteral: urlPath, handlerFactory: "createTanStackMcpHandler" }
+      ];
+      if (emitProtectedResourceMetadataRoute) {
+        routes.push({
+          file: metadataRouteFile,
+          routeLiteral: OAUTH_PROTECTED_RESOURCE_METADATA_PATH,
+          handlerFactory: "createTanStackOAuthProtectedResourceMetadataHandler"
+        });
+      }
+      if (emitRestRoutes) {
+        routes.push(
+          {
+            file: listToolsRouteFile,
+            routeLiteral: "/.mcp/list-tools",
+            handlerFactory: "createTanStackListToolsHandler",
+            spaFallbackNote: true
+          },
+          {
+            file: invokeToolRouteFile,
+            routeLiteral: "/.mcp/invoke-tool/$tool",
+            handlerFactory: "createTanStackInvokeToolHandler",
+            spaFallbackNote: true
+          }
+        );
+      }
+      for (const route of routes) {
+        expected.add(route.file);
+        writeIfChanged(route.file, buildRouteSource(route, urlPath, mcpEntry, projectRoot));
+      }
+    }
+    for (const file of findAdoptedFiles(routesDir)) {
+      if (!expected.has(file)) {
+        try {
+          unlinkSync(file);
+        } catch (err) {
+          if (!isFileMissing(err))
+            throw err;
+        }
+      }
+    }
+  };
+  return {
+    name: "@lovable.dev/mcp-js",
+    configResolved(config) {
+      projectRoot = config.root;
+      mcpEntry = resolve(projectRoot, mcpEntryOption);
+      ({ routesDir, mcpRouteFile, metadataRouteFile, listToolsRouteFile, invokeToolRouteFile } = resolveAllRoutes(
+        projectRoot,
+        routesDirOption,
+        routeFileName
+      ));
+      regenerate();
+    },
+    configureServer(server) {
+      const watchedEntry = mcpEntry;
+      const onEntryChange = (file) => {
+        if (normalizePath(file) === normalizePath(watchedEntry)) {
+          regenerate();
+        }
+      };
+      server.watcher.on("add", onEntryChange);
+      server.watcher.on("change", onEntryChange);
+      server.watcher.on("unlink", onEntryChange);
+      server.watcher.once("close", () => {
+        server.watcher.off("add", onEntryChange);
+        server.watcher.off("change", onEntryChange);
+        server.watcher.off("unlink", onEntryChange);
+      });
+    },
+    buildStart() {
+      regenerate();
+    }
+  };
+}
+var vite_default = mcpPlugin;
+export {
+  assertUrlPathShape,
+  vite_default as default,
+  deriveRouteFileName,
+  mcpPlugin
+};

package/dist/types-zMlr1mOK.d.ts

@@ -0,0 +1,270 @@
+import { ZodRawShape as ZodRawShape$1, ZodType, TypeOf } from 'zod';
+
+type JwtClaims = Record<string, unknown> & {
+    iss?: string;
+    sub?: string;
+    aud?: string | string[];
+    exp?: number;
+    iat?: number;
+    nbf?: number;
+    scope?: string;
+    client_id?: string;
+    email?: string;
+};
+/**
+ * The safe-to-surface half of the auth context, reachable by tools only through
+ * `ToolContext` accessors (`getUserId()`, `getClaims()`, …). Carries no
+ * credential — the bearer is isolated in `OAuthBearer`.
+ */
+interface OAuthPrincipal {
+    claims: JwtClaims;
+    issuer: string;
+    resource: string;
+    acceptedAudiences: readonly string[];
+    scopes: string[];
+    sub?: string;
+    email?: string;
+    clientId?: string;
+}
+/**
+ * The raw bearer, isolated from the safe fields. Pass it only into outbound
+ * `fetch`/client construction; never return or log it — a leaked token stays
+ * valid at the AS until it expires. `token` is a non-enumerable property, so
+ * `JSON.stringify`, object spread, and `console.log` omit it by construction.
+ */
+interface OAuthBearer {
+    readonly token: string;
+}
+interface McpAuthContext {
+    type: "oauth";
+    principal: OAuthPrincipal;
+    bearer: OAuthBearer;
+}
+interface McpAuthConfig {
+    readonly type: "oauth";
+    readonly issuer: string;
+    readonly resource?: string;
+    readonly resourceName?: string;
+    readonly resourceDocumentation?: string;
+    /**
+     * Absolute URL of an externally hosted RFC 9728 protected-resource metadata
+     * document. When set, the SDK advertises this URL in the 401
+     * `WWW-Authenticate: resource_metadata` challenge and does not generate or
+     * serve its own metadata (the `/.well-known/oauth-protected-resource` handler
+     * 404s). Use it when the resource server already publishes its own PRM.
+     */
+    readonly protectedResourceMetadataUrl?: string;
+    readonly requireOAuthClientClaim?: boolean;
+    readonly acceptedAudiences?: readonly string[];
+    readonly requiredScopes?: readonly string[];
+    readonly jwksUri?: string;
+    readonly algorithms?: readonly string[];
+    readonly clockToleranceSeconds?: number;
+}
+
+/**
+ * The auth surface passed to every tool handler as its second argument. It wraps
+ * the verified per-request auth context in a private field, so the context — and
+ * the bearer token inside it — can't be read, enumerated, spread, or
+ * `JSON.stringify`'d off the instance; the accessors below are the only way out.
+ * `getToken()` is the single intentional escape hatch for the raw bearer.
+ */
+declare class ToolContext {
+    #private;
+    constructor(auth: McpAuthContext | undefined);
+    /** Whether the in-flight tool call carries a verified auth context. */
+    isAuthenticated(): boolean;
+    /** The verified bearer token, or `undefined` when unauthenticated. Pass it to downstream APIs; never return or log it. */
+    getToken(): string | undefined;
+    /** The verified user id (the token `sub`), or `undefined`. */
+    getUserId(): string | undefined;
+    /** The verified user email, or `undefined` when absent. */
+    getUserEmail(): string | undefined;
+    /** The verified OAuth `client_id`, or `undefined`. */
+    getClientId(): string | undefined;
+    /** The verified OAuth scopes, or `undefined` when unauthenticated. */
+    getScopes(): string[] | undefined;
+    /** The verified token issuer, or `undefined`. */
+    getIssuer(): string | undefined;
+    /**
+     * The full verified JWT claims, or `undefined`. Use this for app/business
+     * authorization on issuer-specific claims that have no dedicated accessor.
+     */
+    getClaims(): JwtClaims | undefined;
+}
+
+/**
+ * Any zod schema. Aliased to zod's `ZodType` (no generics) — non-deprecated
+ * in both v3 and v4. Use this when you need to type an individual schema;
+ * for the `{ text: z.string() }` shape passed to `defineTool`'s
+ * `inputSchema`, use `ZodRawShape`.
+ */
+type ZodSchema = ZodType;
+/**
+ * A raw zod shape (`{ text: z.string(), n: z.number() }`) — the format
+ * `defineTool`'s `inputSchema`/`outputSchema` expects.
+ */
+type ZodRawShape = ZodRawShape$1;
+/**
+ * Infer the parsed-output type of a zod raw shape — given
+ * `{ text: ZodString, n: ZodNumber }`, produces `{ text: string, n: number }`.
+ */
+type ShapeOutput<Shape extends ZodRawShape> = {
+    [K in keyof Shape]: Shape[K] extends ZodType ? TypeOf<Shape[K]> : unknown;
+};
+/**
+ * Per-content-block metadata. Distinct from `ToolAnnotations`, which
+ * decorates the tool as a whole — these decorate a single piece of
+ * content (an image, a text block, etc.) within the tool's result.
+ */
+interface ContentAnnotations {
+    /** Which side of the conversation the content is addressed at. */
+    audience?: ("user" | "assistant")[];
+    /** Higher = more important. Used by clients that summarise content. */
+    priority?: number;
+    /** ISO 8601 timestamp. */
+    lastModified?: string;
+}
+interface ContentBlockBase {
+    annotations?: ContentAnnotations;
+    _meta?: Record<string, unknown>;
+}
+interface TextContent extends ContentBlockBase {
+    type: "text";
+    text: string;
+}
+interface ImageContent extends ContentBlockBase {
+    type: "image";
+    data: string;
+    mimeType: string;
+}
+interface AudioContent extends ContentBlockBase {
+    type: "audio";
+    data: string;
+    mimeType: string;
+}
+interface EmbeddedTextResource extends ContentBlockBase {
+    type: "resource";
+    resource: {
+        uri: string;
+        mimeType?: string;
+        text: string;
+        _meta?: Record<string, unknown>;
+    };
+}
+interface EmbeddedBlobResource extends ContentBlockBase {
+    type: "resource";
+    resource: {
+        uri: string;
+        mimeType?: string;
+        blob: string;
+        _meta?: Record<string, unknown>;
+    };
+}
+type EmbeddedResource = EmbeddedTextResource | EmbeddedBlobResource;
+/**
+ * Optional icon entry on `ResourceLink`. Clients that display a resource
+ * with a glyph (file browsers, side panels, etc.) pick the best match by
+ * MIME type, `sizes`, and the active `theme`. All fields besides `src`
+ * are optional — `src` is typically a `file://`, `data:`, or `https:` URI.
+ */
+interface ResourceLinkIcon {
+    src: string;
+    mimeType?: string;
+    /** Space-separated dimension string, HTML `<link sizes>` convention (e.g. `"16x16 32x32"`). */
+    sizes?: string;
+    theme?: "light" | "dark";
+}
+interface ResourceLink extends ContentBlockBase {
+    type: "resource_link";
+    uri: string;
+    name: string;
+    title?: string;
+    description?: string;
+    mimeType?: string;
+    icons?: ResourceLinkIcon[];
+}
+/**
+ * A single content block in a tool result. Matches the MCP wire format
+ * for `tools/call` responses (`type: "text" | "image" | "audio" |
+ * "resource" | "resource_link"`).
+ */
+type ContentBlock = TextContent | ImageContent | AudioContent | EmbeddedResource | ResourceLink;
+/**
+ * The shape of `ToolHandlerResult.content` — an array of content blocks
+ * the tool returns to the caller.
+ */
+type ToolContent = ContentBlock[];
+/**
+ * Per-tool client hints (not enforcement). `annotations.title` is
+ * intentionally omitted — use `ToolDefinition.title`, which the MCP
+ * 2025-06-18+ spec promoted to top-level.
+ */
+interface ToolAnnotations {
+    /** Tool does not modify state. */
+    readOnlyHint?: boolean;
+    /** Tool may make irreversible changes. Only meaningful when readOnlyHint is false. */
+    destructiveHint?: boolean;
+    /** Calling N times has the same effect as calling once. */
+    idempotentHint?: boolean;
+    /** Tool interacts with external/unbounded systems (DB, network, third-party APIs). */
+    openWorldHint?: boolean;
+}
+interface ToolHandlerResult {
+    content?: ToolContent;
+    structuredContent?: Record<string, unknown>;
+    isError?: boolean;
+}
+
+interface ToolDefinition<TInput extends ZodRawShape | undefined = ZodRawShape | undefined, TOutput extends ZodRawShape | undefined = ZodRawShape | undefined> {
+    readonly name: string;
+    /** Human-readable display name shown to the user in MCP clients. Required. */
+    readonly title: string;
+    /** Prose read by the LLM to decide whether to call this tool. Required. */
+    readonly description: string;
+    readonly inputSchema?: TInput;
+    readonly outputSchema?: TOutput;
+    readonly annotations?: ToolAnnotations;
+    readonly handler: TInput extends ZodRawShape ? (args: ShapeOutput<TInput>, ctx: ToolContext) => ToolHandlerResult | Promise<ToolHandlerResult> : (args: Record<string, never> | undefined, ctx: ToolContext) => ToolHandlerResult | Promise<ToolHandlerResult>;
+}
+/**
+ * Type-erased element of `McpDefinition.tools`. Per-tool generic typing
+ * happens at the `defineTool` call site; see README §6 for the rationale.
+ */
+interface AnyToolDefinition {
+    readonly name: string;
+    readonly title: string;
+    readonly description: string;
+    readonly inputSchema?: ZodRawShape;
+    readonly outputSchema?: ZodRawShape;
+    readonly annotations?: ToolAnnotations;
+    readonly handler: (args: any, ctx: ToolContext) => ToolHandlerResult | Promise<ToolHandlerResult>;
+}
+/**
+ * Fields a caller supplies when constructing an MCP definition. Pass this
+ * shape to `defineMcp(...)` — its return type is the branded `McpDefinition`,
+ * which is the type every internal factory (`createInvokeToolHandler`,
+ * `createMcpProtocolHandler`, …) consumes. The brand forces consumers
+ * through `defineMcp`'s `assertUniqueNames` + freeze.
+ */
+interface McpDefinitionInput {
+    readonly name: string;
+    /** Human-readable display name shown to MCP clients. Required. */
+    readonly title: string;
+    readonly version: string;
+    readonly auth?: McpAuthConfig;
+    /**
+     * Server-level prose the LLM reads as context for all tools on this server.
+     * Required for the same reason `ToolDefinition.description` is — optional
+     * fields encourage drift in production agent behavior. Pass an explicit
+     * empty string to opt out.
+     */
+    readonly instructions: string;
+    readonly tools: readonly AnyToolDefinition[];
+}
+declare const McpDefinitionBrand: unique symbol;
+type McpDefinition = McpDefinitionInput & {
+    readonly [McpDefinitionBrand]: never;
+};
+
+export { type AudioContent as A, type ContentAnnotations as C, type EmbeddedBlobResource as E, type ImageContent as I, type JwtClaims as J, type McpAuthConfig as M, type ResourceLink as R, type TextContent as T, type ZodRawShape as Z, type ContentBlock as a, type EmbeddedResource as b, type EmbeddedTextResource as c, type McpDefinition as d, type McpDefinitionInput as e, type ResourceLinkIcon as f, type ToolAnnotations as g, type ToolContent as h, ToolContext as i, type ToolDefinition as j, type ToolHandlerResult as k, type ZodSchema as l };

package/package.json

@@ -0,0 +1,101 @@
+{
+  "name": "@lovable.dev/mcp-js",
+  "version": "0.5.0",
+  "description": "Author MCP servers for Lovable apps. Declare tools with defineTool, register them in defineMcp, and the framework adapter (TanStack today, Supabase Edge Functions next) emits the route(s) at build time.",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lovablelabs/lovable.git",
+    "directory": "npm-packages/lovable-mcp-js"
+  },
+  "homepage": "https://github.com/lovablelabs/lovable/tree/main/npm-packages/lovable-mcp-js#readme",
+  "bugs": {
+    "url": "https://github.com/lovablelabs/lovable/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./protocols/mcp": {
+      "types": "./dist/protocols/mcp/index.d.ts",
+      "import": "./dist/protocols/mcp/index.js",
+      "require": "./dist/protocols/mcp/index.cjs"
+    },
+    "./protocols/oauth-metadata": {
+      "types": "./dist/protocols/oauth-metadata.d.ts",
+      "import": "./dist/protocols/oauth-metadata.js",
+      "require": "./dist/protocols/oauth-metadata.cjs"
+    },
+    "./protocols/rest": {
+      "types": "./dist/protocols/rest/index.d.ts",
+      "import": "./dist/protocols/rest/index.js",
+      "require": "./dist/protocols/rest/index.cjs"
+    },
+    "./stacks/tanstack": {
+      "types": "./dist/stacks/tanstack/index.d.ts",
+      "import": "./dist/stacks/tanstack/index.js",
+      "require": "./dist/stacks/tanstack/index.cjs"
+    },
+    "./stacks/tanstack/vite": {
+      "types": "./dist/stacks/tanstack/vite.d.ts",
+      "import": "./dist/stacks/tanstack/vite.js",
+      "require": "./dist/stacks/tanstack/vite.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "tanstack",
+    "vite",
+    "lovable"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "1.28.0",
+    "jose": "^6.2.2"
+  },
+  "peerDependencies": {
+    "vite": ">=5.0.0 <9.0.0",
+    "zod": ">=3.23.0"
+  },
+  "devDependencies": {
+    "@types/node": "22.13.13",
+    "rimraf": "^5.0.0",
+    "tsup": "^7.2.0",
+    "typescript": "^5.9.3",
+    "vite": "^7.3.1",
+    "vitest": "^4.1.5",
+    "zod": "^4.1.13"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts src/protocols/mcp/index.ts src/protocols/oauth-metadata.ts src/protocols/rest/index.ts src/stacks/tanstack/index.ts src/stacks/tanstack/vite.ts --format cjs,esm --dts --outDir dist",
+    "dev": "tsup src/index.ts src/protocols/mcp/index.ts src/protocols/oauth-metadata.ts src/protocols/rest/index.ts src/stacks/tanstack/index.ts src/stacks/tanstack/vite.ts --format cjs,esm --dts --watch",
+    "typecheck": "tsgo --noEmit",
+    "format": "oxfmt --write src/ tests/",
+    "format:check": "oxfmt --check src/ tests/",
+    "lint": "oxfmt --check src/ tests/ && oxlint -c ../../oxlint.config.ts src/ tests/",
+    "lint:fix": "oxfmt --write src/ tests/ && oxlint -c ../../oxlint.config.ts --fix src/ tests/",
+    "test": "vitest run --project unit",
+    "test:watch": "vitest --project unit",
+    "example:install": "bun link && cd example/tanstack && bun install && bun link @lovable.dev/mcp-js",
+    "example:oauth:install": "bun link && cd example/tanstack-supabase-oauth && bun install && bun link @lovable.dev/mcp-js",
+    "example:oauth:dev": "cd example/tanstack-supabase-oauth && bun --bun run dev",
+    "example:oauth:build": "cd example/tanstack-supabase-oauth && bun --bun run build",
+    "example:oauth:smoke": "node tests/integration/oauth-smoke.mjs",
+    "test:integration": "npm run build && npm run example:install && vitest run --project integration",
+    "test:integration:oauth": "npm run build && npm run example:oauth:install && vitest run --project integration-oauth",
+    "clean": "rimraf dist",
+    "pack:local": "npm run build && npm pack --pack-destination /tmp"
+  }
+}