@mhingston5/conduit 1.1.4 → 1.1.5

package/dist/pyodide.worker.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/executors/pyodide.worker.ts"],"sourcesContent":["import { parentPort, workerData } from 'node:worker_threads';\nimport { loadPyodide, type PyodideInterface } from 'pyodide';\nimport net from 'node:net';\n\nlet pyodide: PyodideInterface | null = null;\nlet currentStdout = '';\nlet currentStderr = '';\nlet totalOutputBytes = 0;\nlet totalLogEntries = 0;\nlet currentLimits: any = null;\n\nasync function init() {\n    if (pyodide) return pyodide;\n\n    pyodide = await loadPyodide({\n        stdout: (text) => {\n            if (currentLimits && (totalOutputBytes > (currentLimits.maxOutputBytes || 1024 * 1024) || totalLogEntries > (currentLimits.maxLogEntries || 10000))) {\n                return; // Stop processing logs once limit breached\n            }\n            currentStdout += text + '\\n';\n            totalOutputBytes += text.length + 1;\n            totalLogEntries++;\n        },\n        stderr: (text) => {\n            if (currentLimits && (totalOutputBytes > (currentLimits.maxOutputBytes || 1024 * 1024) || totalLogEntries > (currentLimits.maxLogEntries || 10000))) {\n                return; // Stop processing logs once limit breached\n            }\n            currentStderr += text + '\\n';\n            totalOutputBytes += text.length + 1;\n            totalLogEntries++;\n        },\n    });\n\n    return pyodide;\n}\n\nasync function handleTask(data: any) {\n    const { code, limits, ipcInfo, shim } = data;\n    currentStdout = '';\n    currentStderr = '';\n    totalOutputBytes = 0;\n    totalLogEntries = 0;\n    currentLimits = limits;\n\n    try {\n        const p = await init();\n\n        const sendIPCRequest = async (method: string, params: any) => {\n            if (!ipcInfo?.ipcAddress) throw new Error('Conduit IPC address not configured');\n\n            return new Promise((resolve, reject) => {\n                let client: net.Socket;\n\n                if (ipcInfo.ipcAddress.includes(':')) {\n                    const lastColon = ipcInfo.ipcAddress.lastIndexOf(':');\n                    const host = ipcInfo.ipcAddress.substring(0, lastColon);\n                    const port = ipcInfo.ipcAddress.substring(lastColon + 1);\n\n                    let targetHost = host.replace(/[\\[\\]]/g, '');\n                    if (targetHost === '0.0.0.0' || targetHost === '::' || targetHost === '::1' || targetHost === '') {\n                        targetHost = '127.0.0.1';\n                    }\n\n                    client = net.createConnection({\n                        host: targetHost,\n                        port: parseInt(port)\n                    });\n                } else {\n                    client = net.createConnection({ path: ipcInfo.ipcAddress });\n                }\n\n                const id = Math.random().toString(36).substring(7);\n                const request = {\n                    jsonrpc: '2.0',\n                    id,\n                    method,\n                    params: params || {},\n                    auth: { bearerToken: ipcInfo.ipcToken }\n                };\n\n                client.on('error', (err) => {\n                    reject(err);\n                    client.destroy();\n                });\n\n                client.write(JSON.stringify(request) + '\\n');\n\n                let buffer = '';\n                client.on('data', (data) => {\n                    buffer += data.toString();\n                    // Robust framing: read until we find a complete JSON object on a line\n                    const lines = buffer.split('\\n');\n                    buffer = lines.pop() || ''; // Keep the last partial line\n\n                    for (const line of lines) {\n                        if (!line.trim()) continue;\n                        try {\n                            const response = JSON.parse(line);\n                            if (response.id === id) {\n                                if (response.error) {\n                                    reject(new Error(response.error.message));\n                                } else {\n                                    resolve(response.result);\n                                }\n                                client.end();\n                                return;\n                            }\n                        } catch (e) {\n                            // If parse fails, it might be a partial line that we haven't seen the end of yet\n                            // but since we split by \\n, this shouldn't happen unless the \\n was inside the JSON.\n                            // However, Conduit ensures JSON-RPC is one line.\n                        }\n                    }\n                });\n\n                client.on('end', () => {\n                    if (buffer.trim()) {\n                        try {\n                            const response = JSON.parse(buffer);\n                            if (response.id === id) {\n                                if (response.error) {\n                                    reject(new Error(response.error.message));\n                                } else {\n                                    resolve(response.result);\n                                }\n                            }\n                        } catch (e) { }\n                    }\n                });\n            });\n        };\n\n        (p as any).globals.set('discover_mcp_tools_js', (options: any) => {\n            return sendIPCRequest('mcp_discover_tools', options);\n        });\n\n        (p as any).globals.set('call_mcp_tool_js', (name: string, args: any) => {\n            return sendIPCRequest('mcp_call_tool', { name, arguments: args });\n        });\n\n        if (shim) {\n            await p.runPythonAsync(shim);\n        }\n\n        const result = await p.runPythonAsync(code);\n\n        if (totalOutputBytes > (limits.maxOutputBytes || 1024 * 1024)) {\n            throw new Error('[LIMIT_OUTPUT]');\n        }\n        if (totalLogEntries > (limits.maxLogEntries || 10000)) {\n            throw new Error('[LIMIT_LOG]');\n        }\n\n        parentPort?.postMessage({\n            stdout: currentStdout,\n            stderr: currentStderr,\n            result: String(result),\n            success: true,\n        });\n    } catch (err: any) {\n        let isOutput = err.message.includes('[LIMIT_OUTPUT]');\n        let isLog = err.message.includes('[LIMIT_LOG]');\n\n        // Fallback: check counters if message doesn't match (e.g. wrapped in OSError)\n        if (!isOutput && !isLog && currentLimits) {\n            if (totalOutputBytes > (currentLimits.maxOutputBytes || 1024 * 1024)) {\n                isOutput = true;\n            }\n            // Check specific log limit breach\n            if (totalLogEntries > (currentLimits.maxLogEntries || 10000)) {\n                isLog = true;\n            }\n        }\n\n        parentPort?.postMessage({\n            stdout: currentStdout,\n            stderr: currentStderr,\n            error: err.message,\n            limitBreached: isOutput ? 'output' : (isLog ? 'log' : undefined),\n            success: false,\n        });\n    }\n}\n\nparentPort?.on('message', async (msg) => {\n    if (msg.type === 'execute') {\n        await handleTask(msg.data);\n    } else if (msg.type === 'ping') {\n        parentPort?.postMessage({ type: 'pong' });\n    }\n});\n\n// Signal ready\nparentPort?.postMessage({ type: 'ready' });\n\n"],"mappings":";AAAA,SAAS,kBAA8B;AACvC,SAAS,mBAA0C;AACnD,OAAO,SAAS;AAEhB,IAAI,UAAmC;AACvC,IAAI,gBAAgB;AACpB,IAAI,gBAAgB;AACpB,IAAI,mBAAmB;AACvB,IAAI,kBAAkB;AACtB,IAAI,gBAAqB;AAEzB,eAAe,OAAO;AAClB,MAAI,QAAS,QAAO;AAEpB,YAAU,MAAM,YAAY;AAAA,IACxB,QAAQ,CAAC,SAAS;AACd,UAAI,kBAAkB,oBAAoB,cAAc,kBAAkB,OAAO,SAAS,mBAAmB,cAAc,iBAAiB,OAAS;AACjJ;AAAA,MACJ;AACA,uBAAiB,OAAO;AACxB,0BAAoB,KAAK,SAAS;AAClC;AAAA,IACJ;AAAA,IACA,QAAQ,CAAC,SAAS;AACd,UAAI,kBAAkB,oBAAoB,cAAc,kBAAkB,OAAO,SAAS,mBAAmB,cAAc,iBAAiB,OAAS;AACjJ;AAAA,MACJ;AACA,uBAAiB,OAAO;AACxB,0BAAoB,KAAK,SAAS;AAClC;AAAA,IACJ;AAAA,EACJ,CAAC;AAED,SAAO;AACX;AAEA,eAAe,WAAW,MAAW;AACjC,QAAM,EAAE,MAAM,QAAQ,SAAS,KAAK,IAAI;AACxC,kBAAgB;AAChB,kBAAgB;AAChB,qBAAmB;AACnB,oBAAkB;AAClB,kBAAgB;AAEhB,MAAI;AACA,UAAM,IAAI,MAAM,KAAK;AAErB,UAAM,iBAAiB,OAAO,QAAgB,WAAgB;AAC1D,UAAI,CAAC,SAAS,WAAY,OAAM,IAAI,MAAM,oCAAoC;AAE9E,aAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACpC,YAAI;AAEJ,YAAI,QAAQ,WAAW,SAAS,GAAG,GAAG;AAClC,gBAAM,YAAY,QAAQ,WAAW,YAAY,GAAG;AACpD,gBAAM,OAAO,QAAQ,WAAW,UAAU,GAAG,SAAS;AACtD,gBAAM,OAAO,QAAQ,WAAW,UAAU,YAAY,CAAC;AAEvD,cAAI,aAAa,KAAK,QAAQ,WAAW,EAAE;AAC3C,cAAI,eAAe,aAAa,eAAe,QAAQ,eAAe,SAAS,eAAe,IAAI;AAC9F,yBAAa;AAAA,UACjB;AAEA,mBAAS,IAAI,iBAAiB;AAAA,YAC1B,MAAM;AAAA,YACN,MAAM,SAAS,IAAI;AAAA,UACvB,CAAC;AAAA,QACL,OAAO;AACH,mBAAS,IAAI,iBAAiB,EAAE,MAAM,QAAQ,WAAW,CAAC;AAAA,QAC9D;AAEA,cAAM,KAAK,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,CAAC;AACjD,cAAM,UAAU;AAAA,UACZ,SAAS;AAAA,UACT;AAAA,UACA;AAAA,UACA,QAAQ,UAAU,CAAC;AAAA,UACnB,MAAM,EAAE,aAAa,QAAQ,SAAS;AAAA,QAC1C;AAEA,eAAO,GAAG,SAAS,CAAC,QAAQ;AACxB,iBAAO,GAAG;AACV,iBAAO,QAAQ;AAAA,QACnB,CAAC;AAED,eAAO,MAAM,KAAK,UAAU,OAAO,IAAI,IAAI;AAE3C,YAAI,SAAS;AACb,eAAO,GAAG,QAAQ,CAACA,UAAS;AACxB,oBAAUA,MAAK,SAAS;AAExB,gBAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,mBAAS,MAAM,IAAI,KAAK;AAExB,qBAAW,QAAQ,OAAO;AACtB,gBAAI,CAAC,KAAK,KAAK,EAAG;AAClB,gBAAI;AACA,oBAAM,WAAW,KAAK,MAAM,IAAI;AAChC,kBAAI,SAAS,OAAO,IAAI;AACpB,oBAAI,SAAS,OAAO;AAChB,yBAAO,IAAI,MAAM,SAAS,MAAM,OAAO,CAAC;AAAA,gBAC5C,OAAO;AACH,0BAAQ,SAAS,MAAM;AAAA,gBAC3B;AACA,uBAAO,IAAI;AACX;AAAA,cACJ;AAAA,YACJ,SAAS,GAAG;AAAA,YAIZ;AAAA,UACJ;AAAA,QACJ,CAAC;AAED,eAAO,GAAG,OAAO,MAAM;AACnB,cAAI,OAAO,KAAK,GAAG;AACf,gBAAI;AACA,oBAAM,WAAW,KAAK,MAAM,MAAM;AAClC,kBAAI,SAAS,OAAO,IAAI;AACpB,oBAAI,SAAS,OAAO;AAChB,yBAAO,IAAI,MAAM,SAAS,MAAM,OAAO,CAAC;AAAA,gBAC5C,OAAO;AACH,0BAAQ,SAAS,MAAM;AAAA,gBAC3B;AAAA,cACJ;AAAA,YACJ,SAAS,GAAG;AAAA,YAAE;AAAA,UAClB;AAAA,QACJ,CAAC;AAAA,MACL,CAAC;AAAA,IACL;AAEA,IAAC,EAAU,QAAQ,IAAI,yBAAyB,CAAC,YAAiB;AAC9D,aAAO,eAAe,sBAAsB,OAAO;AAAA,IACvD,CAAC;AAED,IAAC,EAAU,QAAQ,IAAI,oBAAoB,CAAC,MAAc,SAAc;AACpE,aAAO,eAAe,iBAAiB,EAAE,MAAM,WAAW,KAAK,CAAC;AAAA,IACpE,CAAC;AAED,QAAI,MAAM;AACN,YAAM,EAAE,eAAe,IAAI;AAAA,IAC/B;AAEA,UAAM,SAAS,MAAM,EAAE,eAAe,IAAI;AAE1C,QAAI,oBAAoB,OAAO,kBAAkB,OAAO,OAAO;AAC3D,YAAM,IAAI,MAAM,gBAAgB;AAAA,IACpC;AACA,QAAI,mBAAmB,OAAO,iBAAiB,MAAQ;AACnD,YAAM,IAAI,MAAM,aAAa;AAAA,IACjC;AAEA,gBAAY,YAAY;AAAA,MACpB,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ,OAAO,MAAM;AAAA,MACrB,SAAS;AAAA,IACb,CAAC;AAAA,EACL,SAAS,KAAU;AACf,QAAI,WAAW,IAAI,QAAQ,SAAS,gBAAgB;AACpD,QAAI,QAAQ,IAAI,QAAQ,SAAS,aAAa;AAG9C,QAAI,CAAC,YAAY,CAAC,SAAS,eAAe;AACtC,UAAI,oBAAoB,cAAc,kBAAkB,OAAO,OAAO;AAClE,mBAAW;AAAA,MACf;AAEA,UAAI,mBAAmB,cAAc,iBAAiB,MAAQ;AAC1D,gBAAQ;AAAA,MACZ;AAAA,IACJ;AAEA,gBAAY,YAAY;AAAA,MACpB,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,OAAO,IAAI;AAAA,MACX,eAAe,WAAW,WAAY,QAAQ,QAAQ;AAAA,MACtD,SAAS;AAAA,IACb,CAAC;AAAA,EACL;AACJ;AAEA,YAAY,GAAG,WAAW,OAAO,QAAQ;AACrC,MAAI,IAAI,SAAS,WAAW;AACxB,UAAM,WAAW,IAAI,IAAI;AAAA,EAC7B,WAAW,IAAI,SAAS,QAAQ;AAC5B,gBAAY,YAAY,EAAE,MAAM,OAAO,CAAC;AAAA,EAC5C;AACJ,CAAC;AAGD,YAAY,YAAY,EAAE,MAAM,QAAQ,CAAC;","names":["data"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mhingston5/conduit",
-  "version": "1.1.4",
+  "version": "1.1.5",
   "type": "module",
   "description": "A secure Code Mode execution substrate for MCP agents",
   "main": "index.js",

package/src/auth.cmd.ts

@@ -2,22 +2,143 @@ import Fastify from 'fastify';
 import axios from 'axios';
 import open from 'open';
 import { v4 as uuidv4 } from 'uuid';
+import crypto from 'node:crypto';
 
 export interface AuthOptions {
-    authUrl: string;
-    tokenUrl: string;
+    authUrl?: string;
+    tokenUrl?: string;
     clientId: string;
-    clientSecret: string;
+    clientSecret?: string;
     scopes?: string;
     port?: number;
+    mcpUrl?: string;
+    usePkce?: boolean;
+}
+
+type DiscoveredOAuth = {
+    authUrl: string;
+    tokenUrl: string;
+    scopes?: string[];
+    resource?: string;
+};
+
+const AUTH_REQUEST_PAYLOAD = {
+    jsonrpc: '2.0',
+    id: 'conduit-auth',
+    method: 'initialize',
+    params: {
+        clientInfo: {
+            name: 'conduit-auth',
+            version: '1.0.0',
+        },
+    },
+};
+
+function base64UrlEncode(buffer: Buffer): string {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+
+function createCodeVerifier(): string {
+    return base64UrlEncode(crypto.randomBytes(32));
+}
+
+function createCodeChallenge(verifier: string): string {
+    return base64UrlEncode(crypto.createHash('sha256').update(verifier).digest());
+}
+
+function parseResourceMetadataHeader(headerValue: string | string[] | undefined): string | null {
+    if (!headerValue) return null;
+    const header = Array.isArray(headerValue) ? headerValue.join(',') : headerValue;
+    const match = header.match(/resource_metadata="([^"]+)"/i) || header.match(/resource_metadata=([^, ]+)/i);
+    return match ? match[1] : null;
+}
+
+async function discoverOAuthFromMcp(mcpUrl: string): Promise<DiscoveredOAuth> {
+    const attempts = [
+        () => axios.get(mcpUrl, { validateStatus: () => true }),
+        () => axios.post(mcpUrl, AUTH_REQUEST_PAYLOAD, { validateStatus: () => true }),
+    ];
+
+    let resourceMetadataUrl: string | null = null;
+    for (const attempt of attempts) {
+        const response = await attempt();
+        resourceMetadataUrl = parseResourceMetadataHeader(response.headers['www-authenticate']);
+        if (resourceMetadataUrl) break;
+    }
+
+    if (!resourceMetadataUrl) {
+        throw new Error('Unable to discover OAuth metadata (missing WWW-Authenticate resource_metadata)');
+    }
+
+    const metadataResponse = await axios.get(resourceMetadataUrl);
+    const metadata = metadataResponse.data as Record<string, any>;
+
+    let authUrl = metadata.authorization_endpoint as string | undefined;
+    let tokenUrl = metadata.token_endpoint as string | undefined;
+    let scopes = Array.isArray(metadata.scopes_supported) ? metadata.scopes_supported : undefined;
+    const resource = typeof metadata.resource === 'string' ? metadata.resource : undefined;
+
+    if (!authUrl || !tokenUrl) {
+        const authServer = (Array.isArray(metadata.authorization_servers) && metadata.authorization_servers[0]) || metadata.issuer;
+        if (!authServer) {
+            throw new Error('OAuth metadata did not include authorization server info');
+        }
+
+        const asMetadataUrl = new URL('/.well-known/oauth-authorization-server', authServer).toString();
+        const asMetadataResponse = await axios.get(asMetadataUrl);
+        const asMetadata = asMetadataResponse.data as Record<string, any>;
+
+        authUrl = authUrl || (asMetadata.authorization_endpoint as string | undefined);
+        tokenUrl = tokenUrl || (asMetadata.token_endpoint as string | undefined);
+        scopes = scopes || (Array.isArray(asMetadata.scopes_supported) ? asMetadata.scopes_supported : undefined);
+    }
+
+    if (!authUrl || !tokenUrl) {
+        throw new Error('OAuth discovery failed: missing authorization or token endpoint');
+    }
+
+    return { authUrl, tokenUrl, scopes, resource };
+}
+
+function normalizeScopes(rawScopes?: string): string | undefined {
+    if (!rawScopes) return undefined;
+    return rawScopes
+        .split(',')
+        .map(scope => scope.trim())
+        .filter(Boolean)
+        .join(' ');
 }
 
 export async function handleAuth(options: AuthOptions) {
     const port = options.port || 3333;
     const redirectUri = `http://localhost:${port}/callback`;
     const state = uuidv4();
+    const codeVerifier = options.usePkce ? createCodeVerifier() : undefined;
+    const codeChallenge = codeVerifier ? createCodeChallenge(codeVerifier) : undefined;
 
     const fastify = Fastify();
+    let resolvedScopes = normalizeScopes(options.scopes);
+    let resolvedAuthUrl = options.authUrl;
+    let resolvedTokenUrl = options.tokenUrl;
+    let resolvedResource: string | undefined;
+
+    if (options.mcpUrl) {
+        const discovered = await discoverOAuthFromMcp(options.mcpUrl);
+        resolvedAuthUrl = discovered.authUrl;
+        resolvedTokenUrl = discovered.tokenUrl;
+        resolvedResource = discovered.resource;
+        if (!resolvedScopes && discovered.scopes && discovered.scopes.length > 0) {
+            resolvedScopes = discovered.scopes.join(' ');
+        }
+    }
+
+    if (!resolvedAuthUrl || !resolvedTokenUrl) {
+        throw new Error('OAuth configuration missing authUrl or tokenUrl (set --mcp-url or provide both)');
+    }
 
     return new Promise<void>((resolve, reject) => {
         fastify.get('/callback', async (request, reply) => {
@@ -36,12 +157,26 @@ export async function handleAuth(options: AuthOptions) {
             }
 
             try {
-                const response = await axios.post(options.tokenUrl, {
-                    grant_type: 'authorization_code',
-                    code,
-                    redirect_uri: redirectUri,
-                    client_id: options.clientId,
-                    client_secret: options.clientSecret,
+                const body = new URLSearchParams();
+                body.set('grant_type', 'authorization_code');
+                body.set('code', code);
+                body.set('redirect_uri', redirectUri);
+                body.set('client_id', options.clientId);
+                if (options.clientSecret) {
+                    body.set('client_secret', options.clientSecret);
+                }
+                if (codeVerifier) {
+                    body.set('code_verifier', codeVerifier);
+                }
+                if (resolvedResource) {
+                    body.set('resource', resolvedResource);
+                }
+
+                const response = await axios.post(resolvedTokenUrl, body, {
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        'Accept': 'application/json',
+                    },
                 });
 
                 const { refresh_token, access_token } = response.data;
@@ -51,9 +186,14 @@ export async function handleAuth(options: AuthOptions) {
                 console.log('credentials:');
                 console.log('  type: oauth2');
                 console.log(`  clientId: ${options.clientId}`);
-                console.log(`  clientSecret: ${options.clientSecret}`);
-                console.log(`  tokenUrl: "${options.tokenUrl}"`);
+                if (options.clientSecret) {
+                    console.log(`  clientSecret: ${options.clientSecret}`);
+                }
+                console.log(`  tokenUrl: "${resolvedTokenUrl}"`);
                 console.log(`  refreshToken: "${refresh_token || 'N/A (No refresh token returned)'}"`);
+                if (resolvedScopes) {
+                    console.log(`  scopes: ["${resolvedScopes.split(' ').join('", "')}"]`);
+                }
 
                 if (!refresh_token) {
                     console.log('\nWarning: No refresh token was returned. Ensure your app has "offline_access" scope or similar.');
@@ -78,13 +218,20 @@ export async function handleAuth(options: AuthOptions) {
                 return;
             }
 
-            const authUrl = new URL(options.authUrl);
+            const authUrl = new URL(resolvedAuthUrl);
             authUrl.searchParams.append('client_id', options.clientId);
             authUrl.searchParams.append('redirect_uri', redirectUri);
             authUrl.searchParams.append('response_type', 'code');
             authUrl.searchParams.append('state', state);
-            if (options.scopes) {
-                authUrl.searchParams.append('scope', options.scopes);
+            if (resolvedScopes) {
+                authUrl.searchParams.append('scope', resolvedScopes);
+            }
+            if (codeChallenge) {
+                authUrl.searchParams.append('code_challenge', codeChallenge);
+                authUrl.searchParams.append('code_challenge_method', 'S256');
+            }
+            if (resolvedResource) {
+                authUrl.searchParams.append('resource', resolvedResource);
             }
 
             console.log(`Opening browser to: ${authUrl.toString()}`);

package/src/core/request.controller.ts

@@ -104,6 +104,9 @@ export class RequestController {
             case 'tools/list': // Standard MCP method name
             case 'mcp_discover_tools':
                 return this.handleDiscoverTools(params, context, id);
+            case 'resources/list':
+            case 'prompts/list':
+                return { jsonrpc: '2.0', id, result: { items: [] } };
             case 'mcp_list_tool_packages':
                 return this.handleListToolPackages(params, context, id);
             case 'mcp_list_tool_stubs':
@@ -215,17 +218,62 @@ export class RequestController {
         // Route built-in tools to their specific handlers
         switch (name) {
             case 'mcp_execute_typescript':
-                return this.handleExecuteTypeScript(toolArgs, context, id);
+                return this.handleExecuteToolCall('typescript', toolArgs, context, id);
             case 'mcp_execute_python':
-                return this.handleExecutePython(toolArgs, context, id);
+                return this.handleExecuteToolCall('python', toolArgs, context, id);
             case 'mcp_execute_isolate':
-                return this.handleExecuteIsolate(toolArgs, context, id);
+                return this.handleExecuteToolCall('isolate', toolArgs, context, id);
         }
 
         const response = await this.gatewayService.callTool(name, toolArgs, context);
         return { ...response, id };
     }
 
+    private formatExecutionResult(result: { stdout: string; stderr: string; exitCode: number | null }) {
+        const structured = {
+            stdout: result.stdout,
+            stderr: result.stderr,
+            exitCode: result.exitCode,
+        };
+        return {
+            content: [{
+                type: 'text',
+                text: JSON.stringify(structured),
+            }],
+            structuredContent: structured,
+        };
+    }
+
+    private async handleExecuteToolCall(
+        mode: 'typescript' | 'python' | 'isolate',
+        params: any,
+        context: ExecutionContext,
+        id: string | number
+    ): Promise<JSONRPCResponse> {
+        if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
+        const { code, limits, allowedTools } = params;
+
+        if (Array.isArray(allowedTools)) {
+            context.allowedTools = allowedTools;
+        }
+
+        const result = mode === 'typescript'
+            ? await this.executionService.executeTypeScript(code, limits, context, allowedTools)
+            : mode === 'python'
+                ? await this.executionService.executePython(code, limits, context, allowedTools)
+                : await this.executionService.executeIsolate(code, limits, context, allowedTools);
+
+        if (result.error) {
+            return this.errorResponse(id, result.error.code, result.error.message);
+        }
+
+        return {
+            jsonrpc: '2.0',
+            id,
+            result: this.formatExecutionResult(result),
+        };
+    }
+
     private async handleExecuteTypeScript(params: any, context: ExecutionContext, id: string | number): Promise<JSONRPCResponse> {
         if (!params) return this.errorResponse(id, -32602, 'Missing parameters');
         const { code, limits, allowedTools } = params;

package/src/executors/pyodide.executor.ts

@@ -94,9 +94,15 @@ export class PyodideExecutor implements Executor {
     }
 
     private createWorker(limits?: ConduitResourceLimits): Worker {
-        let workerPath = path.resolve(__dirname, './pyodide.worker.js');
-        if (!fs.existsSync(workerPath)) {
-            workerPath = path.resolve(__dirname, './pyodide.worker.ts');
+        const candidates = [
+            path.resolve(__dirname, './pyodide.worker.js'),
+            path.resolve(__dirname, './pyodide.worker.ts'),
+            path.resolve(__dirname, './executors/pyodide.worker.js'),
+            path.resolve(__dirname, './executors/pyodide.worker.ts'),
+        ];
+        const workerPath = candidates.find(p => fs.existsSync(p));
+        if (!workerPath) {
+            throw new Error(`Pyodide worker not found. Tried: ${candidates.join(', ')}`);
         }
 
         return new Worker(workerPath, {
@@ -324,4 +330,3 @@ export class PyodideExecutor implements Executor {
         }
     }
 }
-

package/src/gateway/auth.service.ts

@@ -11,6 +11,7 @@ export interface UpstreamCredentials {
     clientSecret?: string;
     tokenUrl?: string;
     refreshToken?: string;
+    scopes?: string[];
 }
 
 interface CachedToken {
@@ -73,26 +74,35 @@ export class AuthService {
     }
 
     private async doRefresh(creds: UpstreamCredentials, cacheKey: string): Promise<string> {
-        if (!creds.tokenUrl || !creds.refreshToken || !creds.clientId || !creds.clientSecret) {
+        if (!creds.tokenUrl || !creds.refreshToken || !creds.clientId) {
             throw new Error('OAuth2 credentials missing required fields for refresh');
         }
 
         this.logger.info({ tokenUrl: creds.tokenUrl, clientId: creds.clientId }, 'Refreshing OAuth2 token');
 
         try {
-            const response = await axios.post(creds.tokenUrl, {
-                grant_type: 'refresh_token',
-                refresh_token: creds.refreshToken,
-                client_id: creds.clientId,
-                client_secret: creds.clientSecret,
+            const body = new URLSearchParams();
+            body.set('grant_type', 'refresh_token');
+            body.set('refresh_token', creds.refreshToken);
+            body.set('client_id', creds.clientId);
+            if (creds.clientSecret) {
+                body.set('client_secret', creds.clientSecret);
+            }
+
+            const response = await axios.post(creds.tokenUrl, body, {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Accept': 'application/json',
+                },
             });
 
             const { access_token, expires_in } = response.data;
+            const expiresInSeconds = Number(expires_in) || 3600;
 
             // Cache the token (don't mutate the input credentials)
             this.tokenCache.set(cacheKey, {
                 accessToken: access_token,
-                expiresAt: Date.now() + (expires_in * 1000),
+                expiresAt: Date.now() + (expiresInSeconds * 1000),
             });
 
             return `Bearer ${access_token}`;

package/src/gateway/gateway.service.ts

@@ -13,7 +13,7 @@ import addFormats from 'ajv-formats';
 const BUILT_IN_TOOLS: ToolSchema[] = [
     {
         name: 'mcp_execute_typescript',
-        description: 'Executes TypeScript code in a secure sandbox with access to `tools.*` SDK.',
+        description: 'Executes TypeScript code in a secure sandbox. Access MCP tools via the global `tools` object (e.g. `filesystem__list_directory` -> `await tools.filesystem.list_directory(...)`).',
         inputSchema: {
             type: 'object',
             properties: {
@@ -24,7 +24,7 @@ const BUILT_IN_TOOLS: ToolSchema[] = [
                 allowedTools: {
                     type: 'array',
                     items: { type: 'string' },
-                    description: 'Optional list of tools the script is allowed to call (e.g. ["github.*"]).'
+                    description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
                 }
             },
             required: ['code']
@@ -32,7 +32,7 @@ const BUILT_IN_TOOLS: ToolSchema[] = [
     },
     {
         name: 'mcp_execute_python',
-        description: 'Executes Python code in a secure sandbox with access to `tools.*` SDK.',
+        description: 'Executes Python code in a secure sandbox. Access MCP tools via the global `tools` object (e.g. `filesystem__list_directory` -> `await tools.filesystem.list_directory(...)`).',
         inputSchema: {
             type: 'object',
             properties: {
@@ -43,7 +43,7 @@ const BUILT_IN_TOOLS: ToolSchema[] = [
                 allowedTools: {
                     type: 'array',
                     items: { type: 'string' },
-                    description: 'Optional list of tools the script is allowed to call (e.g. ["github.*"]).'
+                    description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
                 }
             },
             required: ['code']
@@ -51,7 +51,7 @@ const BUILT_IN_TOOLS: ToolSchema[] = [
     },
     {
         name: 'mcp_execute_isolate',
-        description: 'Executes JavaScript code in a high-speed V8 isolate (no Deno/Node APIs).',
+        description: 'Executes JavaScript code in a high-speed V8 isolate. Access MCP tools via the global `tools` object (e.g. `await tools.filesystem.list_directory(...)`). No Deno/Node APIs. Use `console.log` for output.',
         inputSchema: {
             type: 'object',
             properties: {
@@ -62,7 +62,7 @@ const BUILT_IN_TOOLS: ToolSchema[] = [
                 allowedTools: {
                     type: 'array',
                     items: { type: 'string' },
-                    description: 'Optional list of tools the script is allowed to call.'
+                    description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
                 }
             },
             required: ['code']
@@ -139,7 +139,7 @@ export class GatewayService {
             const response = await client.call({
                 jsonrpc: '2.0',
                 id: 'discovery',
-                method: 'list_tools',
+                method: 'tools/list',
             }, context);
 
             if (response.result?.tools) {
@@ -206,7 +206,7 @@ export class GatewayService {
                 const response = await client.call({
                     jsonrpc: '2.0',
                     id: 'discovery',
-                    method: 'list_tools', // Standard MCP method
+                    method: 'tools/list', // Standard MCP method
                 }, context);
 
                 if (response.result?.tools) {
@@ -319,7 +319,7 @@ export class GatewayService {
             response = await client.call({
                 jsonrpc: '2.0',
                 id: context.correlationId,
-                method: 'call_tool',
+                method: 'tools/call',
                 params: {
                     name: toolName,
                     arguments: params,
@@ -352,7 +352,7 @@ export class GatewayService {
                     const response = await client.call({
                         jsonrpc: '2.0',
                         id: 'health',
-                        method: 'list_tools',
+                        method: 'tools/list',
                     }, context);
                     upstreamStatus[id] = response.error ? 'degraded' : 'active';
                 } catch (err) {

package/src/gateway/upstream.client.ts

@@ -90,23 +90,31 @@ export class UpstreamClient {
             await this.ensureConnected();
 
             // Map GatewayService method names to SDK typed methods
-            if (request.method === 'list_tools') {
+            if (request.method === 'list_tools' || request.method === 'tools/list') {
                 const result = await this.mcpClient.listTools();
                 return {
                     jsonrpc: '2.0',
                     id: request.id,
                     result: result
                 };
-            } else if (request.method === 'call_tool') {
+            } else if (request.method === 'call_tool' || request.method === 'tools/call') {
                 const params = request.params as { name: string; arguments?: Record<string, unknown> };
                 const result = await this.mcpClient.callTool({
                     name: params.name,
                     arguments: params.arguments,
                 });
+                const normalizedResult = (result && Array.isArray((result as any).content))
+                    ? result
+                    : {
+                        content: [{
+                            type: 'text',
+                            text: typeof result === 'string' ? result : JSON.stringify(result ?? null),
+                        }],
+                    };
                 return {
                     jsonrpc: '2.0',
                     id: request.id,
-                    result: result
+                    result: normalizedResult
                 };
             } else {
                 // Fallback to generic request for other methods

package/src/index.ts

@@ -43,10 +43,12 @@ program
     .description('Help set up OAuth for an upstream MCP server')
     .requiredOption('--client-id <id>', 'OAuth Client ID')
     .requiredOption('--client-secret <secret>', 'OAuth Client Secret')
-    .requiredOption('--auth-url <url>', 'OAuth Authorization URL')
-    .requiredOption('--token-url <url>', 'OAuth Token URL')
+    .option('--auth-url <url>', 'OAuth Authorization URL')
+    .option('--token-url <url>', 'OAuth Token URL')
+    .option('--mcp-url <url>', 'MCP base URL (auto-discover OAuth metadata)')
     .option('--scopes <scopes>', 'OAuth Scopes (comma separated)')
     .option('--port <port>', 'Port for the local callback server', '3333')
+    .option('--pkce', 'Use PKCE for the authorization code flow')
     .action(async (options) => {
         try {
             await handleAuth({
@@ -54,8 +56,10 @@ program
                 clientSecret: options.clientSecret,
                 authUrl: options.authUrl,
                 tokenUrl: options.tokenUrl,
+                mcpUrl: options.mcpUrl,
                 scopes: options.scopes,
                 port: parseInt(options.port, 10),
+                usePkce: options.pkce || Boolean(options.mcpUrl),
             });
             console.log('\nSuccess! Configuration generated.');
         } catch (err: any) {
@@ -121,12 +125,25 @@ async function startServer() {
             transport = new StdioTransport(logger, requestController, concurrencyService);
             await transport.start();
             address = 'stdio';
+
+            // IMPORTANT: Even in stdio mode, we need a local socket for sandboxes to talk to
+            const internalTransport = new SocketTransport(logger, requestController, concurrencyService);
+            const internalPort = 0; // Random available port
+            const internalAddress = await internalTransport.listen({ port: internalPort });
+            executionService.ipcAddress = internalAddress;
+
+            // Register internal transport for shutdown
+            const originalShutdown = transport.close.bind(transport);
+            transport.close = async () => {
+                await originalShutdown();
+                await internalTransport.close();
+            };
         } else {
             transport = new SocketTransport(logger, requestController, concurrencyService);
             const port = configService.get('port');
             address = await transport.listen({ port });
+            executionService.ipcAddress = address;
         }
-        executionService.ipcAddress = address;
 
         // Pre-warm workers
         await requestController.warmup();

package/src/sdk/sdk-generator.ts

@@ -41,7 +41,7 @@ export class SDKGenerator {
             lines.push('const __allowedTools = null;');
         }
 
-        lines.push('const tools = {');
+        lines.push('const _tools = {');
 
         for (const [namespace, tools] of grouped.entries()) {
             // Validate namespace is a valid identifier
@@ -92,6 +92,18 @@ export class SDKGenerator {
         }
 
         lines.push('};');
+        lines.push(`
+const tools = new Proxy(_tools, {
+    get: (target, prop) => {
+        if (prop in target) return target[prop];
+        if (prop === 'then') return undefined;
+        if (typeof prop === 'string') {
+            throw new Error(\`Namespace '\${prop}' not found. It might be invalid, or all tools in it were disallowed.\`);
+        }
+        return undefined;
+    }
+});
+`);
         lines.push('(globalThis as any).tools = tools;');
 
         return lines.join('\n');
@@ -187,7 +199,7 @@ export class SDKGenerator {
             lines.push('const __allowedTools = null;');
         }
 
-        lines.push('const tools = {');
+        lines.push('const _tools = {');
 
         for (const [namespace, tools] of grouped.entries()) {
             const safeNamespace = this.isValidIdentifier(namespace) ? namespace : `["${this.escapeString(namespace)}"]`;
@@ -232,6 +244,18 @@ export class SDKGenerator {
         }
 
         lines.push('};');
+        lines.push(`
+const tools = new Proxy(_tools, {
+    get: (target, prop) => {
+        if (prop in target) return target[prop];
+        if (prop === 'then') return undefined;
+        if (typeof prop === 'string') {
+            throw new Error(\`Namespace '\${prop}' not found. It might be invalid, or all tools in it were disallowed.\`);
+        }
+        return undefined;
+    }
+});
+`);
 
         return lines.join('\n');
     }