@mhingston5/conduit 1.1.6 → 1.1.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mhingston5/conduit",
-  "version": "1.1.6",
+  "version": "1.1.7",
   "type": "module",
   "description": "A secure Code Mode execution substrate for MCP agents",
   "main": "index.js",

package/src/auth.cmd.ts

@@ -157,27 +157,39 @@ export async function handleAuth(options: AuthOptions) {
             }
 
             try {
-                const body = new URLSearchParams();
-                body.set('grant_type', 'authorization_code');
-                body.set('code', code);
-                body.set('redirect_uri', redirectUri);
-                body.set('client_id', options.clientId);
+                const payload: Record<string, string> = {
+                    grant_type: 'authorization_code',
+                    code,
+                    redirect_uri: redirectUri,
+                    client_id: options.clientId,
+                };
+
                 if (options.clientSecret) {
-                    body.set('client_secret', options.clientSecret);
+                    payload.client_secret = options.clientSecret;
                 }
                 if (codeVerifier) {
-                    body.set('code_verifier', codeVerifier);
+                    payload.code_verifier = codeVerifier;
                 }
                 if (resolvedResource) {
-                    body.set('resource', resolvedResource);
+                    payload.resource = resolvedResource;
                 }
 
-                const response = await axios.post(resolvedTokenUrl, body, {
-                    headers: {
-                        'Content-Type': 'application/x-www-form-urlencoded',
-                        'Accept': 'application/json',
-                    },
-                });
+                const tokenHostname = new URL(resolvedTokenUrl).hostname;
+                const useJson = tokenHostname === 'auth.atlassian.com';
+
+                const response = useJson
+                    ? await axios.post(resolvedTokenUrl, payload, {
+                        headers: {
+                            'Content-Type': 'application/json',
+                            'Accept': 'application/json',
+                        },
+                    })
+                    : await axios.post(resolvedTokenUrl, new URLSearchParams(payload), {
+                        headers: {
+                            'Content-Type': 'application/x-www-form-urlencoded',
+                            'Accept': 'application/json',
+                        },
+                    });
 
                 const { refresh_token, access_token } = response.data;
 

package/src/core/config.service.ts

@@ -29,6 +29,8 @@ export const UpstreamCredentialsSchema = z.object({
     tokenUrl: z.string().optional(),
     refreshToken: z.string().optional(),
     scopes: z.array(z.string()).optional(),
+    tokenRequestFormat: z.enum(['form', 'json']).optional(),
+    tokenParams: z.record(z.string(), z.string()).optional(),
     apiKey: z.string().optional(),
     bearerToken: z.string().optional(),
     headerName: z.string().optional(),
@@ -41,6 +43,20 @@ export const HttpUpstreamSchema = z.object({
     credentials: UpstreamCredentialsSchema.optional(),
 });
 
+export const StreamableHttpUpstreamSchema = z.object({
+    id: z.string(),
+    type: z.literal('streamableHttp'),
+    url: z.string(),
+    credentials: UpstreamCredentialsSchema.optional(),
+});
+
+export const SseUpstreamSchema = z.object({
+    id: z.string(),
+    type: z.literal('sse'),
+    url: z.string(),
+    credentials: UpstreamCredentialsSchema.optional(),
+});
+
 export const StdioUpstreamSchema = z.object({
     id: z.string(),
     type: z.literal('stdio'),
@@ -49,7 +65,12 @@ export const StdioUpstreamSchema = z.object({
     env: z.record(z.string(), z.string()).optional(),
 });
 
-export const UpstreamInfoSchema = z.union([HttpUpstreamSchema, StdioUpstreamSchema]);
+export const UpstreamInfoSchema = z.union([
+    HttpUpstreamSchema,
+    StreamableHttpUpstreamSchema,
+    SseUpstreamSchema,
+    StdioUpstreamSchema,
+]);
 
 export type ResourceLimits = z.infer<typeof ResourceLimitsSchema>;
 

package/src/gateway/auth.service.ts

@@ -12,6 +12,8 @@ export interface UpstreamCredentials {
     tokenUrl?: string;
     refreshToken?: string;
     scopes?: string[];
+    tokenRequestFormat?: 'form' | 'json';
+    tokenParams?: Record<string, string>;
 }
 
 interface CachedToken {
@@ -23,6 +25,8 @@ export class AuthService {
     private logger: Logger;
     // Cache tokens separately from credentials to avoid mutation
     private tokenCache = new Map<string, CachedToken>();
+    // Keep the latest refresh token in-memory (rotating tokens)
+    private refreshTokenCache = new Map<string, string>();
     // Prevent concurrent refresh requests for the same client
     private refreshLocks = new Map<string, Promise<string>>();
 
@@ -81,23 +85,56 @@ export class AuthService {
         this.logger.info({ tokenUrl: creds.tokenUrl, clientId: creds.clientId }, 'Refreshing OAuth2 token');
 
         try {
-            const body = new URLSearchParams();
-            body.set('grant_type', 'refresh_token');
-            body.set('refresh_token', creds.refreshToken);
-            body.set('client_id', creds.clientId);
+            const tokenUrl = creds.tokenUrl;
+            const cachedRefreshToken = this.refreshTokenCache.get(cacheKey);
+            const refreshToken = cachedRefreshToken || creds.refreshToken;
+
+            if (!refreshToken) {
+                throw new Error('OAuth2 credentials missing required fields for refresh');
+            }
+
+            const payload: Record<string, string> = {
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                client_id: creds.clientId,
+            };
+
             if (creds.clientSecret) {
-                body.set('client_secret', creds.clientSecret);
+                payload.client_secret = creds.clientSecret;
             }
 
-            const response = await axios.post(creds.tokenUrl, body, {
-                headers: {
-                    'Content-Type': 'application/x-www-form-urlencoded',
-                    'Accept': 'application/json',
-                },
-            });
+            if (creds.tokenParams) {
+                Object.assign(payload, creds.tokenParams);
+            }
 
-            const { access_token, expires_in } = response.data;
-            const expiresInSeconds = Number(expires_in) || 3600;
+            const requestFormat = (() => {
+                if (creds.tokenRequestFormat) return creds.tokenRequestFormat;
+                try {
+                    const hostname = new URL(tokenUrl).hostname;
+                    if (hostname === 'auth.atlassian.com') return 'json';
+                } catch {
+                    // ignore
+                }
+                return 'form';
+            })();
+
+            const response = requestFormat === 'json'
+                ? await axios.post(tokenUrl, payload, {
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Accept': 'application/json',
+                    },
+                })
+                : await axios.post(tokenUrl, new URLSearchParams(payload), {
+                    headers: {
+                        'Content-Type': 'application/x-www-form-urlencoded',
+                        'Accept': 'application/json',
+                    },
+                });
+
+            const { access_token, expires_in, refresh_token } = response.data;
+            const expiresInRaw = Number(expires_in);
+            const expiresInSeconds = Number.isFinite(expiresInRaw) ? expiresInRaw : 3600;
 
             // Cache the token (don't mutate the input credentials)
             this.tokenCache.set(cacheKey, {
@@ -105,6 +142,11 @@ export class AuthService {
                 expiresAt: Date.now() + (expiresInSeconds * 1000),
             });
 
+            // Some providers (e.g. Atlassian) rotate refresh tokens
+            if (typeof refresh_token === 'string' && refresh_token.length > 0) {
+                this.refreshTokenCache.set(cacheKey, refresh_token);
+            }
+
             return `Bearer ${access_token}`;
         } catch (err: any) {
             const errorMsg = err.response?.data?.error_description || err.response?.data?.error || err.message;

package/src/gateway/gateway.service.ts

@@ -144,15 +144,23 @@ export class GatewayService {
 
         let tools = this.schemaCache.get(packageId);
 
-        // Try manifest first if tools not cached
+        // Discover tools if not cached
         if (!tools) {
-            try {
-                // Try to get manifest FIRST
-                const manifest = await client.getManifest(context);
-                if (manifest && manifest.tools) {
-                    tools = manifest.tools as ToolSchema[];
-                } else {
-                    // Fall back to RPC discovery
+            // 1) Try to get manifest (if supported)
+            if (typeof (client as any).getManifest === 'function') {
+                try {
+                    const manifest = await (client as any).getManifest(context);
+                    if (manifest && manifest.tools) {
+                        tools = manifest.tools as ToolSchema[];
+                    }
+                } catch (e: any) {
+                    this.logger.debug({ upstreamId: packageId, err: e.message }, 'Manifest fetch failed (will fallback)');
+                }
+            }
+
+            // 2) Fall back to RPC discovery
+            if (!tools) {
+                try {
                     if (typeof (client as any).listTools === 'function') {
                         tools = await (client as any).listTools();
                     } else {
@@ -168,14 +176,14 @@ export class GatewayService {
                             this.logger.warn({ upstreamId: packageId, error: response.error }, 'Failed to discover tools via RPC');
                         }
                     }
+                } catch (e: any) {
+                    this.logger.error({ upstreamId: packageId, err: e.message }, 'Error during tool discovery');
                 }
+            }
 
-                if (tools && tools.length > 0) {
-                    this.schemaCache.set(packageId, tools);
-                    this.logger.info({ upstreamId: packageId, toolCount: tools.length }, 'Discovered tools from upstream');
-                }
-            } catch (e: any) {
-                this.logger.error({ upstreamId: packageId, err: e.message }, 'Error during tool discovery');
+            if (tools && tools.length > 0) {
+                this.schemaCache.set(packageId, tools);
+                this.logger.info({ upstreamId: packageId, toolCount: tools.length }, 'Discovered tools from upstream');
             }
         }
 

package/src/gateway/upstream.client.ts

@@ -7,6 +7,8 @@ import { IUrlValidator } from '../core/interfaces/url.validator.interface.js';
 
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
 import { z } from 'zod';
 
 export type UpstreamInfo = {
@@ -14,6 +16,8 @@ export type UpstreamInfo = {
     credentials?: UpstreamCredentials;
 } & (
         | { type?: 'http'; url: string }
+        | { type: 'streamableHttp'; url: string }
+        | { type: 'sse'; url: string }
         | { type: 'stdio'; command: string; args?: string[]; env?: Record<string, string> }
     );
 
@@ -23,7 +27,7 @@ export class UpstreamClient {
     private authService: AuthService;
     private urlValidator: IUrlValidator;
     private mcpClient?: Client;
-    private transport?: StdioClientTransport;
+    private transport?: StdioClientTransport | StreamableHTTPClientTransport | SSEClientTransport;
     private connected: boolean = false;
 
     constructor(logger: Logger, info: UpstreamInfo, authService: AuthService, urlValidator: IUrlValidator) {
@@ -51,13 +55,72 @@ export class UpstreamClient {
             }, {
                 capabilities: {},
             });
+            return;
+        }
+
+        if (this.info.type === 'streamableHttp') {
+            this.transport = new StreamableHTTPClientTransport(new URL(this.info.url), {
+                fetch: this.createAuthedFetch(),
+            });
+            this.mcpClient = new Client({
+                name: 'conduit-gateway',
+                version: '1.0.0',
+            }, {
+                capabilities: {},
+            });
+            return;
+        }
+
+        if (this.info.type === 'sse') {
+            this.mcpClient = new Client({
+                name: 'conduit-gateway',
+                version: '1.0.0',
+            }, {
+                capabilities: {},
+            });
         }
     }
 
-    private async ensureConnected() {
-        if (!this.mcpClient || !this.transport) return;
+    private createAuthedFetch() {
+        const creds = this.info.credentials;
+        if (!creds) return fetch;
+
+        return async (input: any, init: any = {}) => {
+            const headers = new Headers(init.headers || {});
+            const authHeaders = await this.authService.getAuthHeaders(creds);
+            for (const [k, v] of Object.entries(authHeaders)) {
+                headers.set(k, v);
+            }
+            return fetch(input, { ...init, headers });
+        };
+    }
+
+    private async ensureConnected() { 
+        if (!this.mcpClient) return;
+
+        if (!this.transport && this.info.type === 'sse') {
+            const authHeaders = this.info.credentials
+                ? await this.authService.getAuthHeaders(this.info.credentials)
+                : {};
+
+            this.transport = new SSEClientTransport(new URL(this.info.url), {
+                fetch: this.createAuthedFetch(),
+                eventSourceInit: { headers: authHeaders } as any,
+                requestInit: { headers: authHeaders },
+            });
+        }
+
+        if (!this.transport) return;
         if (this.connected) return;
 
+        if (this.info.type === 'streamableHttp' || this.info.type === 'sse') {
+            const securityResult = await this.urlValidator.validateUrl(this.info.url);
+            if (!securityResult.valid) {
+                this.logger.error({ url: this.info.url }, 'Blocked upstream URL (SSRF)');
+                throw new Error(securityResult.message || 'Forbidden URL');
+            }
+        }
+
         try {
             this.logger.debug('Connecting to upstream transport...');
             await this.mcpClient.connect(this.transport);
@@ -70,19 +133,23 @@ export class UpstreamClient {
     }
 
     async call(request: JSONRPCRequest, context: ExecutionContext): Promise<JSONRPCResponse> {
-        // Helper to determine type safely
-        const isStdio = (info: UpstreamInfo): info is { type: 'stdio'; command: string; args?: string[]; env?: Record<string, string>; id: string; credentials?: UpstreamCredentials } => info.type === 'stdio';
+        const usesMcpClientTransport = (info: UpstreamInfo): info is (
+            | { type: 'stdio'; command: string; args?: string[]; env?: Record<string, string> }
+            | { type: 'streamableHttp'; url: string }
+            | { type: 'sse'; url: string }
+        ) & { id: string; credentials?: UpstreamCredentials } =>
+            info.type === 'stdio' || info.type === 'streamableHttp' || info.type === 'sse';
 
-        if (isStdio(this.info)) {
-            return this.callStdio(request);
-        } else {
-            return this.callHttp(request, context as ExecutionContext);
+        if (usesMcpClientTransport(this.info)) {
+            return this.callMcpClient(request);
         }
+
+        return this.callHttp(request, context as ExecutionContext);
     }
 
-    private async callStdio(request: JSONRPCRequest): Promise<JSONRPCResponse> {
+    private async callMcpClient(request: JSONRPCRequest): Promise<JSONRPCResponse> {
         if (!this.mcpClient) {
-            return { jsonrpc: '2.0', id: request.id, error: { code: -32603, message: 'Stdio client not initialized' } };
+            return { jsonrpc: '2.0', id: request.id, error: { code: -32603, message: 'MCP client not initialized' } };
         }
 
         try {
@@ -128,13 +195,13 @@ export class UpstreamClient {
                 };
             }
         } catch (error: any) {
-            this.logger.error({ err: error }, 'Stdio call failed');
+            this.logger.error({ err: error }, 'MCP call failed');
             return {
                 jsonrpc: '2.0',
                 id: request.id,
                 error: {
                     code: error.code || -32603,
-                    message: error.message || 'Internal error in stdio transport'
+                    message: error.message || 'Internal error in MCP transport'
                 }
             };
         }
@@ -142,7 +209,9 @@ export class UpstreamClient {
 
     private async callHttp(request: JSONRPCRequest, context: ExecutionContext): Promise<JSONRPCResponse> {
         // Narrowing for TS
-        if (this.info.type === 'stdio') throw new Error('Unreachable');
+        if (this.info.type === 'stdio' || this.info.type === 'streamableHttp' || this.info.type === 'sse') {
+            throw new Error('Unreachable');
+        }
         const url = this.info.url;
 
         const headers: Record<string, string> = {
@@ -204,7 +273,7 @@ export class UpstreamClient {
         }
     }
     async getManifest(context: ExecutionContext): Promise<ToolManifest | null> {
-        if (this.info.type !== 'http') return null;
+        if (this.info.type && this.info.type !== 'http') return null;
 
         try {
             const baseUrl = this.info.url.replace(/\/$/, ''); // Remove trailing slash

package/tests/__snapshots__/assets.test.ts.snap

@@ -58,28 +58,30 @@ exports[`Asset Integrity (Golden Tests) > should match Python SDK snapshot 1`] =
 "# Generated SDK - Do not edit
 _allowed_tools = ["test__*","github__*"]
 
-class _ToolNamespace:
-    def __init__(self, methods):
-        for name, fn in methods.items():
-            setattr(self, name, fn)
+class _test_Namespace:
+    async def hello(self, args=None, **kwargs):
+        params = args if args is not None else kwargs
+        return await _internal_call_tool("test__hello", params)
+
+class _github_Namespace:
+    async def create_issue(self, args=None, **kwargs):
+        params = args if args is not None else kwargs
+        return await _internal_call_tool("github__create_issue", params)
 
 class _Tools:
     def __init__(self):
-        self.test = _ToolNamespace({
-            "hello": lambda args, n="test__hello": _internal_call_tool(n, args)
-        })
-        self.github = _ToolNamespace({
-            "create_issue": lambda args, n="github__create_issue": _internal_call_tool(n, args)
-        })
+        self.test = _test_Namespace()
+        self.github = _github_Namespace()
 
     def __getattr__(self, name):
         # Flat access fallback: search all namespaces
-        for ns in self.__dict__.values():
-            if isinstance(ns, _ToolNamespace) and hasattr(ns, name):
-                return getattr(ns, name)
+        for attr_name in dir(self):
+            attr = getattr(self, attr_name, None)
+            if attr and hasattr(attr, name):
+                return getattr(attr, name)
         raise AttributeError(f"Namespace or Tool '{name}' not found")
 
-    async def raw(self, name, args):
+    async def raw(self, name, args=None):
         """Call a tool by its full name (escape hatch for dynamic/unknown tools)"""
         normalized = name.replace(".", "__")
         if _allowed_tools is not None:
@@ -89,7 +91,7 @@ class _Tools:
             )
             if not allowed:
                 raise PermissionError(f"Tool {name} is not in the allowlist")
-        return await _internal_call_tool(normalized, args)
+        return await _internal_call_tool(normalized, args or {})
 
 tools = _Tools()"
 `;

package/tests/auth.service.test.ts

@@ -70,4 +70,61 @@ describe('AuthService', () => {
         expect(headers2['Authorization']).toBe('Bearer cached-access');
         expect(axios.post).toHaveBeenCalledTimes(1); // Still 1, not 2
     });
+
+    it('should send JSON token refresh for Atlassian token endpoint', async () => {
+        const creds: any = {
+            type: 'oauth2',
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'https://auth.atlassian.com/oauth/token',
+            refreshToken: 'refresh',
+        };
+
+        (axios.post as any).mockResolvedValue({
+            data: {
+                access_token: 'new-access',
+                expires_in: 0,
+            },
+        });
+
+        await authService.getAuthHeaders(creds);
+
+        const [, body, config] = (axios.post as any).mock.calls[0];
+        expect(body).toMatchObject({
+            grant_type: 'refresh_token',
+            refresh_token: 'refresh',
+            client_id: 'id',
+            client_secret: 'secret',
+        });
+        expect(config.headers['Content-Type']).toBe('application/json');
+    });
+
+    it('should include tokenParams and cache rotating refresh tokens', async () => {
+        const creds: any = {
+            type: 'oauth2',
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'https://auth.atlassian.com/oauth/token',
+            refreshToken: 'r1',
+            tokenRequestFormat: 'json',
+            tokenParams: { audience: 'api.atlassian.com' },
+        };
+
+        (axios.post as any)
+            .mockResolvedValueOnce({
+                data: { access_token: 'a1', expires_in: 0, refresh_token: 'r2' },
+            })
+            .mockResolvedValueOnce({
+                data: { access_token: 'a2', expires_in: 0 },
+            });
+
+        await authService.getAuthHeaders(creds);
+        await authService.getAuthHeaders(creds);
+
+        const firstBody = (axios.post as any).mock.calls[0][1];
+        expect(firstBody).toMatchObject({ refresh_token: 'r1', audience: 'api.atlassian.com' });
+
+        const secondBody = (axios.post as any).mock.calls[1][1];
+        expect(secondBody).toMatchObject({ refresh_token: 'r2', audience: 'api.atlassian.com' });
+    });
 });

package/tests/config.service.test.ts

@@ -81,6 +81,9 @@ upstreams:
       clientSecret: my-secret
       tokenUrl: http://token
       refreshToken: my-refresh
+      tokenRequestFormat: json
+      tokenParams:
+        audience: api.atlassian.com
 `);
 
         vi.stubEnv('CONFIG_FILE', 'conduit.test.yaml');
@@ -92,10 +95,35 @@ upstreams:
             clientId: 'my-id',
             clientSecret: 'my-secret',
             tokenUrl: 'http://token',
-            refreshToken: 'my-refresh'
+            refreshToken: 'my-refresh',
+            tokenRequestFormat: 'json',
+            tokenParams: { audience: 'api.atlassian.com' },
         });
 
         existsSpy.mockRestore();
         readSpy.mockRestore();
     });
+
+    it('should parse streamableHttp upstream correctly', () => {
+        const existsSpy = vi.spyOn(fs, 'existsSync').mockImplementation((p: any) => p.endsWith('conduit.test.yaml'));
+        const readSpy = vi.spyOn(fs, 'readFileSync').mockReturnValue(`
+upstreams:
+  - id: atlassian
+    type: streamableHttp
+    url: https://mcp.atlassian.com/v1/sse
+    credentials:
+      type: bearer
+      bearerToken: test-token
+`);
+
+        vi.stubEnv('CONFIG_FILE', 'conduit.test.yaml');
+        const configService = new ConfigService();
+        const upstreams = configService.get('upstreams');
+        expect(upstreams).toHaveLength(1);
+        expect(upstreams![0].type).toBe('streamableHttp');
+        expect((upstreams![0] as any).url).toBe('https://mcp.atlassian.com/v1/sse');
+
+        existsSpy.mockRestore();
+        readSpy.mockRestore();
+    });
 });