@lpm-registry/mcp-server 0.1.0

package/lib/api.js

@@ -0,0 +1,145 @@
+// CRITICAL: Never use console.log() — it corrupts the MCP stdio transport
+
+import {
+	MAX_RETRIES,
+	REQUEST_TIMEOUT_MS,
+	RETRY_BACKOFF_MULTIPLIER,
+	RETRY_BASE_DELAY_MS,
+	RETRY_MAX_DELAY_MS,
+	RETRYABLE_STATUS_CODES,
+} from "./constants.js"
+
+function sleep(ms) {
+	return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+function getBackoffDelay(attempt) {
+	const delay = RETRY_BASE_DELAY_MS * RETRY_BACKOFF_MULTIPLIER ** attempt
+	const jitter = delay * 0.1 * (Math.random() * 2 - 1)
+	return Math.min(delay + jitter, RETRY_MAX_DELAY_MS)
+}
+
+function parseRetryAfter(retryAfter) {
+	if (!retryAfter) return RETRY_BASE_DELAY_MS
+
+	const seconds = parseInt(retryAfter, 10)
+	if (!Number.isNaN(seconds)) return seconds * 1000
+
+	const date = new Date(retryAfter)
+	if (!Number.isNaN(date.getTime())) {
+		return Math.max(0, date.getTime() - Date.now())
+	}
+
+	return RETRY_BASE_DELAY_MS
+}
+
+/**
+ * Make a GET request with retry, timeout, and rate limit handling.
+ *
+ * @param {string} url - Full URL to fetch
+ * @param {string | null} token - Bearer token (null to skip auth header)
+ * @returns {Promise<{ok: boolean, status: number, data: *}>}
+ */
+export async function apiGet(url, token) {
+	const headers = {}
+	if (token) {
+		headers.Authorization = `Bearer ${token}`
+	}
+
+	let lastError = null
+
+	for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+		const controller = new AbortController()
+		const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS)
+
+		try {
+			const response = await fetch(url, {
+				method: "GET",
+				headers,
+				signal: controller.signal,
+			})
+
+			clearTimeout(timeoutId)
+
+			// No retry on auth errors
+			if (response.status === 401 || response.status === 403) {
+				const data = await response.json().catch(() => ({}))
+				return { ok: false, status: response.status, data }
+			}
+
+			// Rate limiting
+			if (response.status === 429) {
+				const retryAfter = response.headers.get("Retry-After")
+				const delayMs = parseRetryAfter(retryAfter)
+
+				if (attempt < MAX_RETRIES) {
+					await sleep(delayMs)
+					continue
+				}
+
+				return { ok: false, status: 429, data: { error: "Rate limited" } }
+			}
+
+			// Retryable server errors
+			if (
+				RETRYABLE_STATUS_CODES.includes(response.status) &&
+				attempt < MAX_RETRIES
+			) {
+				await sleep(getBackoffDelay(attempt))
+				continue
+			}
+
+			const data = await response.json().catch(() => ({}))
+			return { ok: response.ok, status: response.status, data }
+		} catch (error) {
+			clearTimeout(timeoutId)
+
+			lastError = error
+
+			if (attempt < MAX_RETRIES) {
+				await sleep(getBackoffDelay(attempt))
+				continue
+			}
+
+			if (error.name === "AbortError") {
+				return { ok: false, status: 0, data: { error: "Request timed out" } }
+			}
+
+			return {
+				ok: false,
+				status: 0,
+				data: { error: error.message || "Network error" },
+			}
+		}
+	}
+
+	return {
+		ok: false,
+		status: 0,
+		data: { error: lastError?.message || "Network error" },
+	}
+}
+
+/**
+ * GET from the registry API (/api/registry prefix).
+ *
+ * @param {string} path - Path after /api/registry (e.g., '/-/whoami')
+ * @param {string | null} token
+ * @param {string} baseUrl
+ * @returns {Promise<{ok: boolean, status: number, data: *}>}
+ */
+export function registryGet(path, token, baseUrl) {
+	return apiGet(`${baseUrl}/api/registry${path}`, token)
+}
+
+/**
+ * GET from the search API (/api/search prefix).
+ *
+ * @param {string} path - Path after /api/search (e.g., '/packages?q=react')
+ * @param {string | null} token
+ * @param {string} baseUrl
+ * @returns {Promise<{ok: boolean, status: number, data: *}>}
+ */
+export function searchGet(path, token, baseUrl) {
+	return apiGet(`${baseUrl}/api/search${path}`, token)
+}

package/lib/auth.js

@@ -0,0 +1,42 @@
+import {
+	DEFAULT_REGISTRY_URL,
+	KEYTAR_ACCOUNT_NAME,
+	KEYTAR_SERVICE_NAME,
+} from "./constants.js"
+
+/**
+ * Resolve the LPM auth token.
+ * Priority: LPM_TOKEN env var → OS keychain (via keytar) → null
+ *
+ * @returns {Promise<string | null>}
+ */
+export async function getToken() {
+	// 1. Environment variable (recommended for MCP configs)
+	if (process.env.LPM_TOKEN) {
+		return process.env.LPM_TOKEN
+	}
+
+	// 2. OS keychain (reads from same store as `lpm login`)
+	try {
+		const keytar = await import("keytar")
+		const token = await keytar.default.getPassword(
+			KEYTAR_SERVICE_NAME,
+			KEYTAR_ACCOUNT_NAME,
+		)
+		if (token) return token
+	} catch {
+		// keytar not available — this is expected in many environments
+	}
+
+	return null
+}
+
+/**
+ * Resolve the LPM registry base URL.
+ * Priority: LPM_REGISTRY_URL env var → default
+ *
+ * @returns {string}
+ */
+export function getBaseUrl() {
+	return process.env.LPM_REGISTRY_URL || DEFAULT_REGISTRY_URL
+}

package/lib/cache.js

@@ -0,0 +1,73 @@
+/**
+ * Simple in-memory cache with TTL support.
+ * Used to reduce API calls for repeated queries within an MCP session.
+ */
+export class MemoryCache {
+	constructor() {
+		this._store = new Map()
+	}
+
+	/**
+	 * Get a cached value. Returns undefined if missing or expired.
+	 * @param {string} key
+	 * @returns {*}
+	 */
+	get(key) {
+		const entry = this._store.get(key)
+		if (!entry) return undefined
+
+		if (Date.now() > entry.expiresAt) {
+			this._store.delete(key)
+			return undefined
+		}
+
+		return entry.value
+	}
+
+	/**
+	 * Store a value with a TTL. If ttlMs is 0 or falsy, this is a no-op.
+	 * @param {string} key
+	 * @param {*} value
+	 * @param {number} ttlMs
+	 */
+	set(key, value, ttlMs) {
+		if (!ttlMs) return
+
+		this._store.set(key, {
+			value,
+			expiresAt: Date.now() + ttlMs,
+		})
+	}
+
+	/**
+	 * Check if a valid (non-expired) entry exists.
+	 * @param {string} key
+	 * @returns {boolean}
+	 */
+	has(key) {
+		return this.get(key) !== undefined
+	}
+
+	/**
+	 * Remove a specific entry.
+	 * @param {string} key
+	 */
+	delete(key) {
+		this._store.delete(key)
+	}
+
+	/**
+	 * Remove all entries.
+	 */
+	clear() {
+		this._store.clear()
+	}
+
+	/**
+	 * Number of entries (including potentially expired ones).
+	 * @returns {number}
+	 */
+	get size() {
+		return this._store.size
+	}
+}

package/lib/cli.js

@@ -0,0 +1,99 @@
+import { execFile, execSync } from "node:child_process"
+
+const CLI_TIMEOUT_MS = 60_000
+
+/**
+ * Resolve the path to the `lpm` CLI binary.
+ *
+ * Resolution order:
+ * 1. LPM_CLI_PATH env var (explicit override)
+ * 2. `which lpm` (global install)
+ * 3. null (caller should handle fallback)
+ *
+ * @returns {string|null}
+ */
+export function resolveCli() {
+	// 1. Explicit override
+	const envPath = process.env.LPM_CLI_PATH
+	if (envPath) return envPath
+
+	// 2. Global install
+	try {
+		const result = execSync("which lpm", {
+			encoding: "utf-8",
+			timeout: 5_000,
+		}).trim()
+		if (result) return result
+	} catch {
+		// not found
+	}
+
+	return null
+}
+
+/**
+ * Run an LPM CLI command and return parsed JSON output.
+ *
+ * @param {string[]} args - CLI arguments (e.g., ['add', '@lpm.dev/owner.pkg', '--json'])
+ * @param {{ timeout?: number }} options
+ * @returns {Promise<{ success: boolean, data: object|null, error: string|null }>}
+ */
+export async function runCli(args, options = {}) {
+	const cliPath = resolveCli()
+
+	if (!cliPath) {
+		return {
+			success: false,
+			data: null,
+			error:
+				"LPM CLI not found. Install it with: npm install -g @lpm-registry/cli",
+		}
+	}
+
+	const timeout = options.timeout || CLI_TIMEOUT_MS
+
+	return new Promise(resolve => {
+		const _child = execFile(
+			cliPath,
+			args,
+			{
+				timeout,
+				maxBuffer: 10 * 1024 * 1024,
+				env: { ...process.env },
+			},
+			(err, stdout, stderr) => {
+				if (err && !stdout) {
+					// CLI failed without producing output
+					const message = err.killed
+						? `CLI command timed out after ${timeout / 1000}s`
+						: err.message || "CLI command failed"
+					resolve({ success: false, data: null, error: message })
+					return
+				}
+
+				// Try to parse JSON from stdout
+				try {
+					const data = JSON.parse(stdout)
+					resolve({
+						success: data.success !== false,
+						data,
+						error:
+							data.success === false
+								? data.errors?.[0] || "Command failed"
+								: null,
+					})
+				} catch {
+					// CLI produced output but not valid JSON
+					resolve({
+						success: false,
+						data: null,
+						error:
+							stderr?.trim() ||
+							stdout?.trim() ||
+							"CLI returned non-JSON output",
+					})
+				}
+			},
+		)
+	})
+}

package/lib/constants.js

@@ -0,0 +1,35 @@
+// CRITICAL: Never use console.log() in this package — it corrupts the MCP stdio transport
+
+export const DEFAULT_REGISTRY_URL = "https://lpm.dev"
+
+export const KEYTAR_SERVICE_NAME = "lpm-cli"
+export const KEYTAR_ACCOUNT_NAME = "auth-token"
+
+export const REQUEST_TIMEOUT_MS = 30_000
+export const MAX_RETRIES = 2
+export const RETRY_BASE_DELAY_MS = 1_000
+export const RETRY_MAX_DELAY_MS = 10_000
+export const RETRY_BACKOFF_MULTIPLIER = 2
+
+export const RETRYABLE_STATUS_CODES = [408, 429, 500, 502, 503, 504]
+
+export const CACHE_TTL = {
+	SHORT: 5 * 60 * 1000,
+	LONG: 60 * 60 * 1000,
+	NONE: 0,
+}
+
+export const ERROR_MESSAGES = {
+	noToken:
+		"No LPM token found. Set LPM_TOKEN environment variable or run `lpm login` first.",
+	unauthorized:
+		"Authentication failed. Your token may be expired or revoked. Run `lpm login` to re-authenticate.",
+	notFound: "Package not found. Check the name format: owner.package-name",
+	accessDenied: "Access denied. This package may be private.",
+	rateLimited: "Rate limited. Please wait and try again.",
+	networkError: "Cannot reach lpm.dev. Check your internet connection.",
+	timeout: "Request timed out. Try again later.",
+	invalidName:
+		"Invalid package name format. Expected: owner.package-name or @lpm.dev/owner.package-name",
+	searchNoParams: 'At least one of "query" or "category" is required.',
+}

package/lib/format.js

@@ -0,0 +1,67 @@
+import { ERROR_MESSAGES } from "./constants.js"
+
+/**
+ * Create a successful MCP tool response.
+ * @param {string} text
+ * @returns {{ content: Array<{ type: string, text: string }> }}
+ */
+export function textResponse(text) {
+	return {
+		content: [{ type: "text", text }],
+	}
+}
+
+/**
+ * Create an error MCP tool response.
+ * @param {string} message
+ * @returns {{ content: Array<{ type: string, text: string }>, isError: true }}
+ */
+export function errorResponse(message) {
+	return {
+		content: [{ type: "text", text: message }],
+		isError: true,
+	}
+}
+
+/**
+ * Create a successful MCP tool response with JSON data.
+ * @param {*} data
+ * @returns {{ content: Array<{ type: string, text: string }> }}
+ */
+export function jsonResponse(data) {
+	return textResponse(JSON.stringify(data, null, 2))
+}
+
+/**
+ * Parse a package name in 'owner.pkg' or '@lpm.dev/owner.pkg' format.
+ *
+ * @param {string} input
+ * @returns {{ owner: string, name: string }}
+ * @throws {Error} if the format is invalid
+ */
+export function parseName(input) {
+	if (!input || typeof input !== "string") {
+		throw new Error(ERROR_MESSAGES.invalidName)
+	}
+
+	let cleaned = input.trim()
+
+	// Strip @lpm.dev/ prefix
+	if (cleaned.startsWith("@lpm.dev/")) {
+		cleaned = cleaned.slice(9)
+	}
+
+	const dotIndex = cleaned.indexOf(".")
+	if (dotIndex < 1 || dotIndex >= cleaned.length - 1) {
+		throw new Error(ERROR_MESSAGES.invalidName)
+	}
+
+	const owner = cleaned.substring(0, dotIndex)
+	const name = cleaned.substring(dotIndex + 1)
+
+	if (!owner || !name) {
+		throw new Error(ERROR_MESSAGES.invalidName)
+	}
+
+	return { owner, name }
+}

package/lib/resolve-version.js

@@ -0,0 +1,49 @@
+import { existsSync, readFileSync } from "node:fs"
+import { dirname, join } from "node:path"
+
+/**
+ * Resolve the installed version of an LPM package from the local package.json.
+ * Walks up the directory tree to find the nearest package.json containing
+ * the requested package in dependencies or devDependencies.
+ *
+ * @param {string} packageName - Package name (owner.name or @lpm.dev/owner.name)
+ * @param {string} [cwd] - Starting directory (defaults to process.cwd())
+ * @returns {string | null} - Resolved version string or null if not found
+ */
+export function resolveInstalledVersion(packageName, cwd) {
+	// Normalize to @lpm.dev/ format for package.json lookup
+	const lpmName = packageName.startsWith("@lpm.dev/")
+		? packageName
+		: `@lpm.dev/${packageName}`
+
+	let dir = cwd || process.cwd()
+	const _root = dirname(dir) === dir ? dir : undefined
+
+	// Walk up directory tree (max 10 levels to avoid infinite loops)
+	for (let i = 0; i < 10; i++) {
+		const pkgPath = join(dir, "package.json")
+		if (existsSync(pkgPath)) {
+			try {
+				const pkg = JSON.parse(readFileSync(pkgPath, "utf8"))
+				const allDeps = {
+					...pkg.dependencies,
+					...pkg.devDependencies,
+				}
+
+				const version = allDeps[lpmName]
+				if (version) {
+					// Strip semver range chars (^, ~, >=, <=, >, <, =)
+					return version.replace(/^[\^~>=<]+/, "")
+				}
+			} catch {
+				// Invalid package.json, continue walking up
+			}
+		}
+
+		const parent = dirname(dir)
+		if (parent === dir) break // Reached filesystem root
+		dir = parent
+	}
+
+	return null
+}