@mhingston5/conduit 1.1.2 → 1.1.3

package/package.json

@@ -1,9 +1,12 @@
 {
   "name": "@mhingston5/conduit",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "type": "module",
   "description": "A secure Code Mode execution substrate for MCP agents",
   "main": "index.js",
+  "bin": {
+    "conduit": "./dist/index.js"
+  },
   "publishConfig": {
     "access": "public"
   },
@@ -47,11 +50,13 @@
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "axios": "^1.13.2",
+    "commander": "^14.0.2",
     "dotenv": "^17.2.3",
     "fastify": "^5.6.2",
     "isolated-vm": "^6.0.2",
     "js-yaml": "^4.1.1",
     "lru-cache": "^11.2.4",
+    "open": "^11.0.0",
     "p-limit": "^7.2.0",
     "pino": "^10.1.0",
     "pyodide": "^0.29.0",

package/src/auth.cmd.ts

@@ -0,0 +1,95 @@
+import Fastify from 'fastify';
+import axios from 'axios';
+import open from 'open';
+import { v4 as uuidv4 } from 'uuid';
+
+export interface AuthOptions {
+    authUrl: string;
+    tokenUrl: string;
+    clientId: string;
+    clientSecret: string;
+    scopes?: string;
+    port?: number;
+}
+
+export async function handleAuth(options: AuthOptions) {
+    const port = options.port || 3333;
+    const redirectUri = `http://localhost:${port}/callback`;
+    const state = uuidv4();
+
+    const fastify = Fastify();
+
+    return new Promise<void>((resolve, reject) => {
+        fastify.get('/callback', async (request, reply) => {
+            const { code, state: returnedState, error, error_description } = request.query as any;
+
+            if (error) {
+                reply.send(`Authentication failed: ${error} - ${error_description}`);
+                reject(new Error(`OAuth error: ${error}`));
+                return;
+            }
+
+            if (returnedState !== state) {
+                reply.send('Invalid state parameter');
+                reject(new Error('State mismatch'));
+                return;
+            }
+
+            try {
+                const response = await axios.post(options.tokenUrl, {
+                    grant_type: 'authorization_code',
+                    code,
+                    redirect_uri: redirectUri,
+                    client_id: options.clientId,
+                    client_secret: options.clientSecret,
+                });
+
+                const { refresh_token, access_token } = response.data;
+
+                console.log('\n--- Authentication Successful ---\n');
+                console.log('Use these values in your conduit.yaml:\n');
+                console.log('credentials:');
+                console.log('  type: oauth2');
+                console.log(`  clientId: ${options.clientId}`);
+                console.log(`  clientSecret: ${options.clientSecret}`);
+                console.log(`  tokenUrl: "${options.tokenUrl}"`);
+                console.log(`  refreshToken: "${refresh_token || 'N/A (No refresh token returned)'}"`);
+
+                if (!refresh_token) {
+                    console.log('\nWarning: No refresh token was returned. Ensure your app has "offline_access" scope or similar.');
+                }
+
+                console.log('\nRaw response data:', JSON.stringify(response.data, null, 2));
+
+                reply.send('Authentication successful! You can close this window and return to the terminal.');
+                resolve();
+            } catch (err: any) {
+                const msg = err.response?.data?.error_description || err.response?.data?.error || err.message;
+                reply.send(`Failed to exchange code for token: ${msg}`);
+                reject(new Error(`Token exchange failed: ${msg}`));
+            } finally {
+                setTimeout(() => fastify.close(), 1000);
+            }
+        });
+
+        fastify.listen({ port: port, host: '127.0.0.1' }, async (err) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+
+            const authUrl = new URL(options.authUrl);
+            authUrl.searchParams.append('client_id', options.clientId);
+            authUrl.searchParams.append('redirect_uri', redirectUri);
+            authUrl.searchParams.append('response_type', 'code');
+            authUrl.searchParams.append('state', state);
+            if (options.scopes) {
+                authUrl.searchParams.append('scope', options.scopes);
+            }
+
+            console.log(`Opening browser to: ${authUrl.toString()}`);
+            console.log('Waiting for callback...');
+            await open(authUrl.toString());
+        });
+    });
+}

package/src/core/config.service.ts

@@ -2,6 +2,7 @@ import { z } from 'zod';
 import dotenv from 'dotenv';
 import fs from 'node:fs';
 import path from 'node:path';
+import crypto from 'node:crypto';
 import yaml from 'js-yaml';
 
 // Silence dotenv logging
@@ -22,12 +23,14 @@ export const ResourceLimitsSchema = z.object({
 });
 
 export const UpstreamCredentialsSchema = z.object({
-    type: z.enum(['oauth2', 'apikey']), // Add other types as needed
+    type: z.enum(['oauth2', 'apiKey', 'bearer']), // Align with AuthType
     clientId: z.string().optional(),
     clientSecret: z.string().optional(),
     tokenUrl: z.string().optional(),
+    refreshToken: z.string().optional(),
     scopes: z.array(z.string()).optional(),
     apiKey: z.string().optional(),
+    bearerToken: z.string().optional(),
     headerName: z.string().optional(),
 });
 
@@ -63,7 +66,7 @@ export const ConfigSchema = z.object({
     secretRedactionPatterns: z.array(z.string()).default([
         '[A-Za-z0-9-_]{20,}', // Default pattern from spec
     ]),
-    ipcBearerToken: z.string().optional().default(() => Math.random().toString(36).substring(7)),
+    ipcBearerToken: z.string().optional().default(() => crypto.randomUUID()),
     maxConcurrent: z.number().default(10),
     denoMaxPoolSize: z.number().default(10),
     pyodideMaxPoolSize: z.number().default(3),

package/src/core/request.controller.ts

@@ -209,6 +209,7 @@ export class RequestController {
     }
 
     private async handleCallTool(params: any, context: ExecutionContext, id: string | number): Promise<JSONRPCResponse> {
+        if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
         const { name, arguments: toolArgs } = params;
 
         // Route built-in tools to their specific handlers
@@ -226,6 +227,7 @@ export class RequestController {
     }
 
     private async handleExecuteTypeScript(params: any, context: ExecutionContext, id: string | number): Promise<JSONRPCResponse> {
+        if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
         const { code, limits, allowedTools } = params;
 
         if (Array.isArray(allowedTools)) {
@@ -250,6 +252,7 @@ export class RequestController {
     }
 
     private async handleExecutePython(params: any, context: ExecutionContext, id: string | number): Promise<JSONRPCResponse> {
+        if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
         const { code, limits, allowedTools } = params;
 
         if (Array.isArray(allowedTools)) {
@@ -299,6 +302,7 @@ export class RequestController {
     }
 
     private async handleExecuteIsolate(params: any, context: ExecutionContext, id: string | number): Promise<JSONRPCResponse> {
+        if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
         const { code, limits, allowedTools } = params;
 
         if (Array.isArray(allowedTools)) {

package/src/core/security.service.ts

@@ -9,11 +9,11 @@ export type { Session };
 
 export class SecurityService implements IUrlValidator {
     private logger: Logger;
-    private ipcToken: string;
+    private ipcToken: string | undefined;
     private networkPolicy: NetworkPolicyService;
     private sessionManager: SessionManager;
 
-    constructor(logger: Logger, ipcToken: string) {
+    constructor(logger: Logger, ipcToken: string | undefined) {
         this.logger = logger;
         this.ipcToken = ipcToken;
         this.networkPolicy = new NetworkPolicyService(logger);
@@ -67,7 +67,7 @@ export class SecurityService implements IUrlValidator {
     }
 
 
-    getIpcToken(): string {
+    getIpcToken(): string | undefined {
         return this.ipcToken;
     }
 }

package/src/gateway/auth.service.ts

@@ -7,12 +7,10 @@ export interface UpstreamCredentials {
     type: AuthType;
     apiKey?: string;
     bearerToken?: string;
-    oauth2?: {
-        clientId: string;
-        clientSecret: string;
-        tokenUrl: string;
-        refreshToken: string;
-    };
+    clientId?: string;
+    clientSecret?: string;
+    tokenUrl?: string;
+    refreshToken?: string;
 }
 
 interface CachedToken {
@@ -45,10 +43,11 @@ export class AuthService {
     }
 
     private async getOAuth2Token(creds: UpstreamCredentials): Promise<string> {
-        if (!creds.oauth2) throw new Error('OAuth2 credentials missing');
+        if (!creds.tokenUrl || !creds.clientId) {
+            throw new Error('OAuth2 credentials missing required fields (tokenUrl, clientId)');
+        }
 
-        const { oauth2 } = creds;
-        const cacheKey = `${oauth2.clientId}:${oauth2.tokenUrl}`;
+        const cacheKey = `${creds.clientId}:${creds.tokenUrl}`;
 
         // Check cache first (with 30s buffer)
         const cached = this.tokenCache.get(cacheKey);
@@ -74,17 +73,18 @@ export class AuthService {
     }
 
     private async doRefresh(creds: UpstreamCredentials, cacheKey: string): Promise<string> {
-        const { oauth2 } = creds;
-        if (!oauth2) throw new Error('OAuth2 credentials missing');
+        if (!creds.tokenUrl || !creds.refreshToken || !creds.clientId || !creds.clientSecret) {
+            throw new Error('OAuth2 credentials missing required fields for refresh');
+        }
 
-        this.logger.info('Refreshing OAuth2 token');
+        this.logger.info({ tokenUrl: creds.tokenUrl, clientId: creds.clientId }, 'Refreshing OAuth2 token');
 
         try {
-            const response = await axios.post(oauth2.tokenUrl, {
+            const response = await axios.post(creds.tokenUrl, {
                 grant_type: 'refresh_token',
-                refresh_token: oauth2.refreshToken,
-                client_id: oauth2.clientId,
-                client_secret: oauth2.clientSecret,
+                refresh_token: creds.refreshToken,
+                client_id: creds.clientId,
+                client_secret: creds.clientSecret,
             });
 
             const { access_token, expires_in } = response.data;
@@ -97,8 +97,9 @@ export class AuthService {
 
             return `Bearer ${access_token}`;
         } catch (err: any) {
-            this.logger.error({ err: err.message }, 'Failed to refresh OAuth2 token');
-            throw new Error(`OAuth2 refresh failed: ${err.message}`);
+            const errorMsg = err.response?.data?.error_description || err.response?.data?.error || err.message;
+            this.logger.error({ err: errorMsg }, 'Failed to refresh OAuth2 token');
+            throw new Error(`OAuth2 refresh failed: ${errorMsg}`);
         }
     }
 }

package/src/index.ts

@@ -1,3 +1,4 @@
+import { Command } from 'commander';
 import { ConfigService } from './core/config.service.js';
 import { createLogger, loggerStorage } from './core/logger.js';
 import { SocketTransport } from './transport/socket.transport.js';
@@ -14,10 +15,56 @@ import { IsolateExecutor } from './executors/isolate.executor.js';
 import { ExecutorRegistry } from './core/registries/executor.registry.js';
 import { ExecutionService } from './core/execution.service.js';
 import { buildDefaultMiddleware } from './core/middleware/middleware.builder.js';
-async function main() {
-    // console.error('DEBUG: Starting Conduit main...');
+import { handleAuth } from './auth.cmd.js';
+
+const program = new Command();
+
+program
+    .name('conduit')
+    .description('A secure Code Mode execution substrate for MCP agents')
+    .version('1.0.0');
+
+program
+    .command('serve', { isDefault: true })
+    .description('Start the Conduit server')
+    .option('--stdio', 'Use stdio transport')
+    .action(async (options) => {
+        try {
+            await startServer();
+        } catch (err) {
+            console.error('Failed to start Conduit:', err);
+            process.exit(1);
+        }
+    });
+
+program
+    .command('auth')
+    .description('Help set up OAuth for an upstream MCP server')
+    .requiredOption('--client-id <id>', 'OAuth Client ID')
+    .requiredOption('--client-secret <secret>', 'OAuth Client Secret')
+    .requiredOption('--auth-url <url>', 'OAuth Authorization URL')
+    .requiredOption('--token-url <url>', 'OAuth Token URL')
+    .option('--scopes <scopes>', 'OAuth Scopes (comma separated)')
+    .option('--port <port>', 'Port for the local callback server', '3333')
+    .action(async (options) => {
+        try {
+            await handleAuth({
+                clientId: options.clientId,
+                clientSecret: options.clientSecret,
+                authUrl: options.authUrl,
+                tokenUrl: options.tokenUrl,
+                scopes: options.scopes,
+                port: parseInt(options.port, 10),
+            });
+            console.log('\nSuccess! Configuration generated.');
+        } catch (err: any) {
+            console.error('Authentication helper failed:', err.message);
+            process.exit(1);
+        }
+    });
+
+async function startServer() {
     const configService = new ConfigService();
-    // console.error('DEBUG: Config loaded');
     const logger = createLogger(configService);
 
     const otelService = new OtelService(logger);
@@ -78,7 +125,7 @@ async function main() {
             const port = configService.get('port');
             address = await transport.listen({ port });
         }
-        executionService.ipcAddress = address; // Update IPC address on ExecutionService instead of RequestController
+        executionService.ipcAddress = address;
 
         // Pre-warm workers
         await requestController.warmup();
@@ -102,7 +149,4 @@ async function main() {
     });
 }
 
-main().catch((err) => {
-    console.error('Failed to start Conduit:', err);
-    process.exit(1);
-});
+program.parse(process.argv);

package/src/transport/socket.transport.ts

@@ -1,4 +1,5 @@
 import net from 'node:net';
+import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { Logger } from 'pino';
@@ -46,9 +47,13 @@ export class SocketTransport {
 
                 // Cleanup existing socket if needed (unlikely on Windows, but good for Unix)
                 if (os.platform() !== 'win32' && path.isAbsolute(socketPath)) {
-                    // We rely on caller or deployment to clean up, or error out. 
-                    // Trying to unlink here might be dangerous if we don't own it.
-                    // But strictly, we should just listen.
+                    try {
+                        fs.unlinkSync(socketPath);
+                    } catch (error: any) {
+                        if (error.code !== 'ENOENT') {
+                            this.logger.warn({ err: error, socketPath }, 'Failed to unlink socket before binding');
+                        }
+                    }
                 }
 
                 this.server.listen(socketPath, () => {

package/tests/auth.service.test.ts

@@ -25,13 +25,10 @@ describe('AuthService', () => {
     it('should refresh OAuth2 token when expired', async () => {
         const creds: any = {
             type: 'oauth2',
-            oauth2: {
-                clientId: 'id',
-                clientSecret: 'secret',
-                tokenUrl: 'http://token',
-                refreshToken: 'refresh',
-                expiresAt: Date.now() - 1000, // Expired
-            },
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'http://token',
+            refreshToken: 'refresh',
         };
 
         (axios.post as any).mockResolvedValue({
@@ -50,12 +47,10 @@ describe('AuthService', () => {
         // First call - will trigger refresh
         const creds: any = {
             type: 'oauth2',
-            oauth2: {
-                clientId: 'id',
-                clientSecret: 'secret',
-                tokenUrl: 'http://token',
-                refreshToken: 'refresh',
-            },
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'http://token',
+            refreshToken: 'refresh',
         };
 
         (axios.post as any).mockResolvedValue({

package/tests/config.service.test.ts

@@ -67,4 +67,35 @@ describe('ConfigService', () => {
         existsSpy.mockRestore();
         readSpy.mockRestore();
     });
+
+    it('should parse OAuth2 credentials correctly', () => {
+        const existsSpy = vi.spyOn(fs, 'existsSync').mockImplementation((p: any) => p.endsWith('conduit.test.yaml'));
+        const readSpy = vi.spyOn(fs, 'readFileSync').mockReturnValue(`
+upstreams:
+  - id: test-oauth
+    type: http
+    url: http://upstream
+    credentials:
+      type: oauth2
+      clientId: my-id
+      clientSecret: my-secret
+      tokenUrl: http://token
+      refreshToken: my-refresh
+`);
+
+        vi.stubEnv('CONFIG_FILE', 'conduit.test.yaml');
+        const configService = new ConfigService();
+        const upstreams = configService.get('upstreams');
+        expect(upstreams).toHaveLength(1);
+        expect(upstreams![0].credentials).toEqual({
+            type: 'oauth2',
+            clientId: 'my-id',
+            clientSecret: 'my-secret',
+            tokenUrl: 'http://token',
+            refreshToken: 'my-refresh'
+        });
+
+        existsSpy.mockRestore();
+        readSpy.mockRestore();
+    });
 });