@onyxsecurity/mcp-gateway 1.0.44 → 1.0.45

@@ -1,3 +1,3 @@
1
1
  #!/usr/bin/env node
2
- import{hideBin as e,yargs_default as t}from"../helpers-DH8ZNg5N.js";const n=t(e(process.argv)).parserConfiguration({"populate--":!0,"unknown-options-as-args":!0}).option(`access-control-url`,{type:`string`}).option(`scanner-api-key`,{type:`string`}).option(`scanner-fail-open`,{type:`boolean`}).option(`scanner-timeout-ms`,{type:`number`}).option(`scanner-url`,{type:`string`}).help(!1).version(!1).parseSync();n.accessControlUrl&&(process.env.MCP_GATEWAY_ACCESS_CONTROL_URL=n.accessControlUrl),n.scannerApiKey&&(process.env.MCP_GATEWAY_SCANNER_API_KEY=n.scannerApiKey),n.scannerFailOpen!==void 0&&(process.env.MCP_GATEWAY_SCANNER_FAIL_OPEN=String(n.scannerFailOpen)),n.scannerTimeoutMs!==void 0&&(process.env.MCP_GATEWAY_SCANNER_TIMEOUT_MS=String(n.scannerTimeoutMs)),n.scannerUrl&&(process.env.MCP_GATEWAY_SCANNER_URL=n.scannerUrl);const{main:r}=await import(`../main-82VoJqLE.js`);await r();export{};
2
+ import{hideBin as e,yargs_default as t}from"../helpers-DH8ZNg5N.js";const n=t(e(process.argv)).parserConfiguration({"populate--":!0,"unknown-options-as-args":!0}).option(`access-control-url`,{type:`string`}).option(`scanner-api-key`,{type:`string`}).option(`scanner-fail-open`,{type:`boolean`}).option(`scanner-timeout-ms`,{type:`number`}).option(`scanner-url`,{type:`string`}).help(!1).version(!1).parseSync();n.accessControlUrl&&(process.env.MCP_GATEWAY_ACCESS_CONTROL_URL=n.accessControlUrl),n.scannerApiKey&&(process.env.MCP_GATEWAY_SCANNER_API_KEY=n.scannerApiKey),n.scannerFailOpen!==void 0&&(process.env.MCP_GATEWAY_SCANNER_FAIL_OPEN=String(n.scannerFailOpen)),n.scannerTimeoutMs!==void 0&&(process.env.MCP_GATEWAY_SCANNER_TIMEOUT_MS=String(n.scannerTimeoutMs)),n.scannerUrl&&(process.env.MCP_GATEWAY_SCANNER_URL=n.scannerUrl);const{main:r}=await import(`../main-CC1n-gTE.js`);await r();export{};
3
3
  //# sourceMappingURL=mcp-gateway.js.map
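--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,2 +1,2 @@
-import{Client as e,InMemoryEventStore as t,SSEClientTransport as n,Server as r,StdioServerTransport as i,StreamableHTTPClientTransport as a,config as o,normalizeUrl as s,proxyServer as c,startHTTPServer as l}from"./normalizeUrl-C44zzDVH.js";let u=function(e){return e.HTTPStream=`HTTPStream`,e.SSE=`SSE`,e}({});const d=async({initStdioServer:t,initStreamClient:l,serverType:d,transportOptions:f={},url:p})=>{let m=s(p),h;switch(d){case u.SSE:h=new n(new URL(m),f);break;default:h=new a(new URL(m),f)}let g=l?await l():new e({name:`mcp-gateway`,version:o.appVersion},{capabilities:{}});await g.connect(h);let _=g.getServerVersion(),v=g.getServerCapabilities(),y=t?await t():new r(_,{capabilities:v}),b=new i;return await y.connect(b),await c({authorizer:void 0,client:g,server:y,serverCapabilities:v}),y},f=(e,t)=>{let n=e.close.bind(e),r=e.onclose?.bind(e),i=e.onerror?.bind(e),a=e.onmessage?.bind(e),o=e.send.bind(e),s=e.start.bind(e);return e.close=async()=>(t({type:`close`}),n?.()),e.onclose=async()=>(t({type:`onclose`}),r?.()),e.onerror=async e=>(t({error:e,type:`onerror`}),i?.(e)),e.onmessage=async e=>(t({message:e,type:`onmessage`}),a?.(e)),e.send=async e=>(t({message:e,type:`send`}),o?.(e)),e.start=async()=>(t({type:`start`}),s?.()),e};export{t as InMemoryEventStore,u as ServerType,c as proxyServer,l as startHTTPServer,d as startStdioServer,f as tapTransport};
+import{Client as e,InMemoryEventStore as t,SSEClientTransport as n,Server as r,StdioServerTransport as i,StreamableHTTPClientTransport as a,config as o,normalizeUrl as s,proxyServer as c,startHTTPServer as l}from"./normalizeUrl-BqkDm6T-.js";let u=function(e){return e.HTTPStream=`HTTPStream`,e.SSE=`SSE`,e}({});const d=async({initStdioServer:t,initStreamClient:l,serverType:d,transportOptions:f={},url:p})=>{let m=s(p),h;switch(d){case u.SSE:h=new n(new URL(m),f);break;default:h=new a(new URL(m),f)}let g=l?await l():new e({name:`mcp-gateway`,version:o.appVersion},{capabilities:{}});await g.connect(h);let _=g.getServerVersion(),v=g.getServerCapabilities(),y=t?await t():new r(_,{capabilities:v}),b=new i;return await y.connect(b),await c({authorizer:void 0,client:g,server:y,serverCapabilities:v}),y},f=(e,t)=>{let n=e.close.bind(e),r=e.onclose?.bind(e),i=e.onerror?.bind(e),a=e.onmessage?.bind(e),o=e.send.bind(e),s=e.start.bind(e);return e.close=async()=>(t({type:`close`}),n?.()),e.onclose=async()=>(t({type:`onclose`}),r?.()),e.onerror=async e=>(t({error:e,type:`onerror`}),i?.(e)),e.onmessage=async e=>(t({message:e,type:`onmessage`}),a?.(e)),e.send=async e=>(t({message:e,type:`send`}),o?.(e)),e.start=async()=>(t({type:`start`}),s?.()),e};export{t as InMemoryEventStore,u as ServerType,c as proxyServer,l as startHTTPServer,d as startStdioServer,f as tapTransport};
 //# sourceMappingURL=index.js.map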
@@ -1,4 +1,4 @@
1
- import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,ConfigurationError as r,ProcessSpawnError as i,ProxyConnectionError as a,ReadBuffer as o,SSEClientTransport as s,Server as c,StdioServerTransport as l,StreamableHTTPClientTransport as u,TransportError as d,UnauthorizedError as f,addBreadcrumbSafe as p,addGlobalTags as m,captureExceptionSafe as h,compressClientInfo as g,config as _,createParser as v,discoverAuthorizationServerMetadata as y,discoverOAuthProtectedResourceMetadata as b,exchangeAuthorization as ee,getSessionData as te,initSentrySafe as ne,initializeTrafficMirror as re,logger as x,normalizeUrl as S,proxyServer as ie,refreshAuthorization as C,registerClient as w,serializeMessage as T,startAuthorization as E,startHTTPServer as ae}from"./normalizeUrl-C44zzDVH.js";import{hideBin as oe,yargs_default as se}from"./helpers-DH8ZNg5N.js";import"./pkce-ANRIC6ce.js";import{join as ce}from"node:path";import{platform as le}from"node:os";import{createHash as ue}from"node:crypto";import{createServer as de}from"node:http";import{setTimeout as D}from"node:timers";import fe from"node:util";import{execFile as pe,spawn as me}from"node:child_process";import{URL as he}from"node:url";import{chmod as ge,mkdir as _e,readFile as ve,rm as ye,writeFile as be}from"node:fs/promises";import{PassThrough as xe,Transform as Se}from"node:stream";var Ce=class extends Event{constructor(e,t){super(e),this.code=t?.code??void 0,this.message=t?.message??void 0}[Symbol.for(`nodejs.util.inspect.custom`)](e,t,n){return n(Te(this),t)}[Symbol.for(`Deno.customInspect`)](e,t){return e(Te(this),t)}};function we(e){let t=globalThis.DOMException;return typeof t==`function`?new t(e,`SyntaxError`):SyntaxError(e)}function O(e){return e instanceof Error?`errors`in e&&Array.isArray(e.errors)?e.errors.map(O).join(`, `):`cause`in e&&e.cause instanceof Error?`${e}: ${O(e.cause)}`:e.message:`${e}`}function 
Te(e){return{type:e.type,message:e.message,code:e.code,defaultPrevented:e.defaultPrevented,cancelable:e.cancelable,timeStamp:e.timeStamp}}var Ee=e=>{throw TypeError(e)},k=(e,t,n)=>t.has(e)||Ee(`Cannot `+n),A=(e,t,n)=>(k(e,t,`read from private field`),n?n.call(e):t.get(e)),j=(e,t,n)=>t.has(e)?Ee(`Cannot add the same private member more than once`):t instanceof WeakSet?t.add(e):t.set(e,n),M=(e,t,n,r)=>(k(e,t,`write to private field`),t.set(e,n),n),N=(e,t,n)=>(k(e,t,`access private method`),n),P,F,I,L,R,z,B,V,H,U,W,G,K,q,J,Y,X,De,Z,Oe,Q,ke,Ae,$=class extends EventTarget{constructor(e,t){super(),j(this,q),this.CONNECTING=0,this.OPEN=1,this.CLOSED=2,j(this,P),j(this,F),j(this,I),j(this,L),j(this,R),j(this,z),j(this,B),j(this,V,null),j(this,H),j(this,U),j(this,W,null),j(this,G,null),j(this,K,null),j(this,Y,async e=>{var t;A(this,U).reset();let{body:n,redirected:r,status:i,headers:a}=e;if(i===204){N(this,q,Q).call(this,`Server sent HTTP 204, not reconnecting`,204),this.close();return}if(r?M(this,I,new URL(e.url)):M(this,I,void 0),i!==200){N(this,q,Q).call(this,`Non-200 status code (${i})`,i);return}if(!(a.get(`content-type`)||``).startsWith(`text/event-stream`)){N(this,q,Q).call(this,`Invalid content type, expected "text/event-stream"`,i);return}if(A(this,P)===this.CLOSED)return;M(this,P,this.OPEN);let o=new Event(`open`);if((t=A(this,K))==null||t.call(this,o),this.dispatchEvent(o),typeof n!=`object`||!n||!(`getReader`in n)){N(this,q,Q).call(this,`Invalid response body, expected a web ReadableStream`,i),this.close();return}let s=new TextDecoder,c=n.getReader(),l=!0;do{let{done:e,value:t}=await c.read();t&&A(this,U).feed(s.decode(t,{stream:!e})),e&&(l=!1,A(this,U).reset(),N(this,q,ke).call(this))}while(l)}),j(this,X,e=>{M(this,H,void 0),!(e.name===`AbortError`||e.type===`aborted`)&&N(this,q,ke).call(this,O(e))}),j(this,Z,e=>{typeof e.id==`string`&&M(this,V,e.id);let t=new 
MessageEvent(e.event||`message`,{data:e.data,origin:A(this,I)?A(this,I).origin:A(this,F).origin,lastEventId:e.id||``});A(this,G)&&(!e.event||e.event===`message`)&&A(this,G).call(this,t),this.dispatchEvent(t)}),j(this,Oe,e=>{M(this,z,e)}),j(this,Ae,()=>{M(this,B,void 0),A(this,P)===this.CONNECTING&&N(this,q,J).call(this)});try{if(e instanceof URL)M(this,F,e);else if(typeof e==`string`)M(this,F,new URL(e,je()));else throw Error(`Invalid URL`)}catch{throw we(`An invalid or illegal string was specified`)}M(this,U,v({onEvent:A(this,Z),onRetry:A(this,Oe)})),M(this,P,this.CONNECTING),M(this,z,3e3),M(this,R,t?.fetch??globalThis.fetch),M(this,L,t?.withCredentials??!1),N(this,q,J).call(this)}get readyState(){return A(this,P)}get url(){return A(this,F).href}get withCredentials(){return A(this,L)}get onerror(){return A(this,W)}set onerror(e){M(this,W,e)}get onmessage(){return A(this,G)}set onmessage(e){M(this,G,e)}get onopen(){return A(this,K)}set onopen(e){M(this,K,e)}addEventListener(e,t,n){let r=t;super.addEventListener(e,r,n)}removeEventListener(e,t,n){let r=t;super.removeEventListener(e,r,n)}close(){A(this,B)&&clearTimeout(A(this,B)),A(this,P)!==this.CLOSED&&(A(this,H)&&A(this,H).abort(),M(this,P,this.CLOSED),M(this,H,void 0))}};P=new WeakMap,F=new WeakMap,I=new WeakMap,L=new WeakMap,R=new WeakMap,z=new WeakMap,B=new WeakMap,V=new WeakMap,H=new WeakMap,U=new WeakMap,W=new WeakMap,G=new WeakMap,K=new WeakMap,q=new WeakSet,J=function(){M(this,P,this.CONNECTING),M(this,H,new AbortController),A(this,R)(A(this,F),N(this,q,De).call(this)).then(A(this,Y)).catch(A(this,X))},Y=new WeakMap,X=new WeakMap,De=function(){let e={mode:`cors`,redirect:`follow`,headers:{Accept:`text/event-stream`,...A(this,V)?{"Last-Event-ID":A(this,V)}:void 0},cache:`no-store`,signal:A(this,H)?.signal};return`window`in globalThis&&(e.credentials=this.withCredentials?`include`:`same-origin`),e},Z=new WeakMap,Oe=new WeakMap,Q=function(e,t){var n;A(this,P)!==this.CLOSED&&M(this,P,this.CLOSED);let r=new 
Ce(`error`,{code:t,message:e});(n=A(this,W))==null||n.call(this,r),this.dispatchEvent(r)},ke=function(e,t){var n;if(A(this,P)===this.CLOSED)return;M(this,P,this.CONNECTING);let r=new Ce(`error`,{code:t,message:e});(n=A(this,W))==null||n.call(this,r),this.dispatchEvent(r),M(this,B,setTimeout(A(this,Ae),A(this,z)))},Ae=new WeakMap,$.CONNECTING=0,$.OPEN=1,$.CLOSED=2;function je(){let e=`document`in globalThis?globalThis.document:void 0;return e&&typeof e==`object`&&`baseURI`in e&&typeof e.baseURI==`string`?e.baseURI:void 0}var Me=class{client;enabled;lastBlockReason;serverName;constructor(e){this.enabled=e.enabled,this.client=e.client,this.serverName=e.serverName,x.info(`AccessControlAuthorizer initialized`,{enabled:this.enabled,hasClient:!!this.client,serverName:this.serverName})}getBlockReason(){return this.lastBlockReason?this.lastBlockReason:`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`}async isAllowed(){if(!this.enabled)return!0;if(this.client)try{let e=await this.client.authorize();return e.action===`block`?(e.reason?this.lastBlockReason=e.reason:this.lastBlockReason=`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`,!1):!0}catch(e){return x.error(`Access control authorization failed with unexpected error`,{error:String(e)}),!0}return x.warn(`No access control client configured, allowing by default`),!0}},Ne=class{clientInfoBase64;config;constructor(e){this.config=e,this.clientInfoBase64=this.getClientInfoBase64(),x.info(`AccessControlClient initialized`,{timeoutMs:e.timeoutMs,url:e.url})}async authorize(){try{let e=await this.sendAuthorizeRequest();return x.debug(`Access control check successful`,{action:e.action}),e}catch(e){return x.warn(`Access control check failed, failing open (allowing by default)`,{error:String(e)}),{action:`allow`}}}getClientInfoBase64(){return 
g(this.config.sessionData)}async sendAuthorizeRequest(){let e=new AbortController,t=setTimeout(()=>e.abort(),this.config.timeoutMs);try{let t=`${this.config.url}/${this.config.apiKey}/mcp/${this.clientInfoBase64}`,n=await fetch(t,{headers:{...this.config.headers},method:`POST`,signal:e.signal});if(!n.ok)throw Error(`Access control service returned ${n.status}: ${n.statusText}`);let r=await n.json();if(!r.action||![`allow`,`block`].includes(r.action))throw Error(`Invalid access control response format: action="${r.action}"`);return r}catch(e){throw e instanceof Error&&e.name===`AbortError`?Error(`Access control check timed out after ${this.config.timeoutMs}ms`):e}finally{clearTimeout(t)}}};async function Pe(e){let t=e.toString(),n=le(),r=Re(t);return new Promise((e,i)=>{let a,o;if(n===`win32`){let e=`Start-Process ${Ie(t)}`,n=Fe(e);a=Le(),o=[`-NoProfile`,`-NonInteractive`,`-ExecutionPolicy`,`Bypass`,`-EncodedCommand`,n]}else n===`darwin`?(a=`open`,o=[t]):(a=`xdg-open`,o=[t]);pe(a,o,(t,o,s)=>{if(t){let e={command:a,os:n,stderr:s,url:r};x.warn(`Failed to open browser automatically`,{...e,error:t.message}),h(t,e,{feature:`auth`,module:`browser`,operation:`openBrowser`});let o=Error(`Failed to open browser: ${t.message} (command: ${a}, os: ${n}, url: ${r})`);o.cause=t,i(o)}else x.debug(`Browser opened successfully`,{url:r}),e()})})}function Fe(e){return Buffer.from(e,`utf16le`).toString(`base64`)}function Ie(e){return`'${e.replaceAll(`'`,`''`)}'`}function Le(){return`${process.env.SYSTEMROOT||process.env.windir||`C:\\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`}function Re(e){try{let t=new URL(e);return t.search?`${t.protocol}//${t.host}${t.pathname}?[REDACTED]`:`${t.protocol}//${t.host}${t.pathname}`}catch{return`[INVALID_URL]`}}const ze=49152;function Be(){return Math.floor(Math.random()*(65535-ze+1))+ze}function Ve(e,t){return new Promise((n,r)=>{let 
i=t=>{e.removeListener(`listening`,a),r(t)},a=()=>{e.removeListener(`error`,i),n()};e.once(`error`,i),e.once(`listening`,a),e.listen(t,`127.0.0.1`)})}async function He(e={}){let{maxAttempts:t=5,preferredPort:n,timeoutMs:r=3e5}=e,i,a,o={},s=new Promise((e,t)=>{i=e,a=t}),c,l=de((e,t)=>{if(e.url===`/favicon.ico`){t.writeHead(404),t.end();return}if(!e.url?.startsWith(`/callback`)){t.writeHead(404),t.end(`Not Found`);return}try{let n=new he(e.url,`http://localhost:${c}`),r=n.searchParams.get(`code`),s=n.searchParams.get(`error`),u=n.searchParams.get(`error_description`),d=n.searchParams.get(`state`);if(s){x.error(`OAuth authorization error`,{error:s,errorDescription:u}),t.writeHead(400,{"Content-Type":`text/html`}),t.end(We(s,u||void 0)),clearTimeout(o.id),a(Error(`OAuth authorization failed: ${s}${u?` - ${u}`:``}`));return}if(!r){x.error(`OAuth callback missing authorization code`),t.writeHead(400,{"Content-Type":`text/html`}),t.end(We(`missing_code`,`No authorization code was provided`)),clearTimeout(o.id),a(Error(`OAuth callback missing authorization code`));return}x.info(`OAuth authorization code received`,{codePrefix:`${r.substring(0,10)}...`,hasState:!!d}),t.writeHead(200,{"Content-Type":`text/html`}),t.end(`<!DOCTYPE html>
1
+ import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,ConfigurationError as r,ProcessSpawnError as i,ProxyConnectionError as a,ReadBuffer as o,SSEClientTransport as s,Server as c,StdioServerTransport as l,StreamableHTTPClientTransport as u,TransportError as d,UnauthorizedError as f,addBreadcrumbSafe as p,addGlobalTags as m,captureExceptionSafe as h,compressClientInfo as g,config as _,createParser as v,discoverAuthorizationServerMetadata as y,discoverOAuthProtectedResourceMetadata as b,exchangeAuthorization as ee,getSessionData as te,initSentrySafe as ne,initializeTrafficMirror as re,logger as x,normalizeUrl as S,proxyServer as ie,refreshAuthorization as C,registerClient as w,serializeMessage as T,startAuthorization as E,startHTTPServer as ae}from"./normalizeUrl-BqkDm6T-.js";import{hideBin as oe,yargs_default as se}from"./helpers-DH8ZNg5N.js";import"./pkce-ANRIC6ce.js";import{join as ce}from"node:path";import{platform as le}from"node:os";import{createHash as ue}from"node:crypto";import{createServer as de}from"node:http";import{setTimeout as D}from"node:timers";import fe from"node:util";import{execFile as pe,spawn as me}from"node:child_process";import{URL as he}from"node:url";import{chmod as ge,mkdir as _e,readFile as ve,rm as ye,writeFile as be}from"node:fs/promises";import{PassThrough as xe,Transform as Se}from"node:stream";var Ce=class extends Event{constructor(e,t){super(e),this.code=t?.code??void 0,this.message=t?.message??void 0}[Symbol.for(`nodejs.util.inspect.custom`)](e,t,n){return n(Te(this),t)}[Symbol.for(`Deno.customInspect`)](e,t){return e(Te(this),t)}};function we(e){let t=globalThis.DOMException;return typeof t==`function`?new t(e,`SyntaxError`):SyntaxError(e)}function O(e){return e instanceof Error?`errors`in e&&Array.isArray(e.errors)?e.errors.map(O).join(`, `):`cause`in e&&e.cause instanceof Error?`${e}: ${O(e.cause)}`:e.message:`${e}`}function 
Te(e){return{type:e.type,message:e.message,code:e.code,defaultPrevented:e.defaultPrevented,cancelable:e.cancelable,timeStamp:e.timeStamp}}var Ee=e=>{throw TypeError(e)},k=(e,t,n)=>t.has(e)||Ee(`Cannot `+n),A=(e,t,n)=>(k(e,t,`read from private field`),n?n.call(e):t.get(e)),j=(e,t,n)=>t.has(e)?Ee(`Cannot add the same private member more than once`):t instanceof WeakSet?t.add(e):t.set(e,n),M=(e,t,n,r)=>(k(e,t,`write to private field`),t.set(e,n),n),N=(e,t,n)=>(k(e,t,`access private method`),n),P,F,I,L,R,z,B,V,H,U,W,G,K,q,J,Y,X,De,Z,Oe,Q,ke,Ae,$=class extends EventTarget{constructor(e,t){super(),j(this,q),this.CONNECTING=0,this.OPEN=1,this.CLOSED=2,j(this,P),j(this,F),j(this,I),j(this,L),j(this,R),j(this,z),j(this,B),j(this,V,null),j(this,H),j(this,U),j(this,W,null),j(this,G,null),j(this,K,null),j(this,Y,async e=>{var t;A(this,U).reset();let{body:n,redirected:r,status:i,headers:a}=e;if(i===204){N(this,q,Q).call(this,`Server sent HTTP 204, not reconnecting`,204),this.close();return}if(r?M(this,I,new URL(e.url)):M(this,I,void 0),i!==200){N(this,q,Q).call(this,`Non-200 status code (${i})`,i);return}if(!(a.get(`content-type`)||``).startsWith(`text/event-stream`)){N(this,q,Q).call(this,`Invalid content type, expected "text/event-stream"`,i);return}if(A(this,P)===this.CLOSED)return;M(this,P,this.OPEN);let o=new Event(`open`);if((t=A(this,K))==null||t.call(this,o),this.dispatchEvent(o),typeof n!=`object`||!n||!(`getReader`in n)){N(this,q,Q).call(this,`Invalid response body, expected a web ReadableStream`,i),this.close();return}let s=new TextDecoder,c=n.getReader(),l=!0;do{let{done:e,value:t}=await c.read();t&&A(this,U).feed(s.decode(t,{stream:!e})),e&&(l=!1,A(this,U).reset(),N(this,q,ke).call(this))}while(l)}),j(this,X,e=>{M(this,H,void 0),!(e.name===`AbortError`||e.type===`aborted`)&&N(this,q,ke).call(this,O(e))}),j(this,Z,e=>{typeof e.id==`string`&&M(this,V,e.id);let t=new 
MessageEvent(e.event||`message`,{data:e.data,origin:A(this,I)?A(this,I).origin:A(this,F).origin,lastEventId:e.id||``});A(this,G)&&(!e.event||e.event===`message`)&&A(this,G).call(this,t),this.dispatchEvent(t)}),j(this,Oe,e=>{M(this,z,e)}),j(this,Ae,()=>{M(this,B,void 0),A(this,P)===this.CONNECTING&&N(this,q,J).call(this)});try{if(e instanceof URL)M(this,F,e);else if(typeof e==`string`)M(this,F,new URL(e,je()));else throw Error(`Invalid URL`)}catch{throw we(`An invalid or illegal string was specified`)}M(this,U,v({onEvent:A(this,Z),onRetry:A(this,Oe)})),M(this,P,this.CONNECTING),M(this,z,3e3),M(this,R,t?.fetch??globalThis.fetch),M(this,L,t?.withCredentials??!1),N(this,q,J).call(this)}get readyState(){return A(this,P)}get url(){return A(this,F).href}get withCredentials(){return A(this,L)}get onerror(){return A(this,W)}set onerror(e){M(this,W,e)}get onmessage(){return A(this,G)}set onmessage(e){M(this,G,e)}get onopen(){return A(this,K)}set onopen(e){M(this,K,e)}addEventListener(e,t,n){let r=t;super.addEventListener(e,r,n)}removeEventListener(e,t,n){let r=t;super.removeEventListener(e,r,n)}close(){A(this,B)&&clearTimeout(A(this,B)),A(this,P)!==this.CLOSED&&(A(this,H)&&A(this,H).abort(),M(this,P,this.CLOSED),M(this,H,void 0))}};P=new WeakMap,F=new WeakMap,I=new WeakMap,L=new WeakMap,R=new WeakMap,z=new WeakMap,B=new WeakMap,V=new WeakMap,H=new WeakMap,U=new WeakMap,W=new WeakMap,G=new WeakMap,K=new WeakMap,q=new WeakSet,J=function(){M(this,P,this.CONNECTING),M(this,H,new AbortController),A(this,R)(A(this,F),N(this,q,De).call(this)).then(A(this,Y)).catch(A(this,X))},Y=new WeakMap,X=new WeakMap,De=function(){let e={mode:`cors`,redirect:`follow`,headers:{Accept:`text/event-stream`,...A(this,V)?{"Last-Event-ID":A(this,V)}:void 0},cache:`no-store`,signal:A(this,H)?.signal};return`window`in globalThis&&(e.credentials=this.withCredentials?`include`:`same-origin`),e},Z=new WeakMap,Oe=new WeakMap,Q=function(e,t){var n;A(this,P)!==this.CLOSED&&M(this,P,this.CLOSED);let r=new 
Ce(`error`,{code:t,message:e});(n=A(this,W))==null||n.call(this,r),this.dispatchEvent(r)},ke=function(e,t){var n;if(A(this,P)===this.CLOSED)return;M(this,P,this.CONNECTING);let r=new Ce(`error`,{code:t,message:e});(n=A(this,W))==null||n.call(this,r),this.dispatchEvent(r),M(this,B,setTimeout(A(this,Ae),A(this,z)))},Ae=new WeakMap,$.CONNECTING=0,$.OPEN=1,$.CLOSED=2;function je(){let e=`document`in globalThis?globalThis.document:void 0;return e&&typeof e==`object`&&`baseURI`in e&&typeof e.baseURI==`string`?e.baseURI:void 0}var Me=class{client;enabled;lastBlockReason;serverName;constructor(e){this.enabled=e.enabled,this.client=e.client,this.serverName=e.serverName,x.info(`AccessControlAuthorizer initialized`,{enabled:this.enabled,hasClient:!!this.client,serverName:this.serverName})}getBlockReason(){return this.lastBlockReason?this.lastBlockReason:`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`}async isAllowed(){if(!this.enabled)return!0;if(this.client)try{let e=await this.client.authorize();return e.action===`block`?(e.reason?this.lastBlockReason=e.reason:this.lastBlockReason=`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`,!1):!0}catch(e){return x.error(`Access control authorization failed with unexpected error`,{error:String(e)}),!0}return x.warn(`No access control client configured, allowing by default`),!0}},Ne=class{clientInfoBase64;config;constructor(e){this.config=e,this.clientInfoBase64=this.getClientInfoBase64(),x.info(`AccessControlClient initialized`,{timeoutMs:e.timeoutMs,url:e.url})}async authorize(){try{let e=await this.sendAuthorizeRequest();return x.debug(`Access control check successful`,{action:e.action}),e}catch(e){return x.warn(`Access control check failed, failing open (allowing by default)`,{error:String(e)}),{action:`allow`}}}getClientInfoBase64(){return 
g(this.config.sessionData)}async sendAuthorizeRequest(){let e=new AbortController,t=setTimeout(()=>e.abort(),this.config.timeoutMs);try{let t=`${this.config.url}/${this.config.apiKey}/mcp/${this.clientInfoBase64}`,n=await fetch(t,{headers:{...this.config.headers},method:`POST`,signal:e.signal});if(!n.ok)throw Error(`Access control service returned ${n.status}: ${n.statusText}`);let r=await n.json();if(!r.action||![`allow`,`block`].includes(r.action))throw Error(`Invalid access control response format: action="${r.action}"`);return r}catch(e){throw e instanceof Error&&e.name===`AbortError`?Error(`Access control check timed out after ${this.config.timeoutMs}ms`):e}finally{clearTimeout(t)}}};async function Pe(e){let t=e.toString(),n=le(),r=Re(t);return new Promise((e,i)=>{let a,o;if(n===`win32`){let e=`Start-Process ${Ie(t)}`,n=Fe(e);a=Le(),o=[`-NoProfile`,`-NonInteractive`,`-ExecutionPolicy`,`Bypass`,`-EncodedCommand`,n]}else n===`darwin`?(a=`open`,o=[t]):(a=`xdg-open`,o=[t]);pe(a,o,(t,o,s)=>{if(t){let e={command:a,os:n,stderr:s,url:r};x.warn(`Failed to open browser automatically`,{...e,error:t.message}),h(t,e,{feature:`auth`,module:`browser`,operation:`openBrowser`});let o=Error(`Failed to open browser: ${t.message} (command: ${a}, os: ${n}, url: ${r})`);o.cause=t,i(o)}else x.debug(`Browser opened successfully`,{url:r}),e()})})}function Fe(e){return Buffer.from(e,`utf16le`).toString(`base64`)}function Ie(e){return`'${e.replaceAll(`'`,`''`)}'`}function Le(){return`${process.env.SYSTEMROOT||process.env.windir||`C:\\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`}function Re(e){try{let t=new URL(e);return t.search?`${t.protocol}//${t.host}${t.pathname}?[REDACTED]`:`${t.protocol}//${t.host}${t.pathname}`}catch{return`[INVALID_URL]`}}const ze=49152;function Be(){return Math.floor(Math.random()*(65535-ze+1))+ze}function Ve(e,t){return new Promise((n,r)=>{let 
i=t=>{e.removeListener(`listening`,a),r(t)},a=()=>{e.removeListener(`error`,i),n()};e.once(`error`,i),e.once(`listening`,a),e.listen(t,`127.0.0.1`)})}async function He(e={}){let{maxAttempts:t=5,preferredPort:n,timeoutMs:r=3e5}=e,i,a,o={},s=new Promise((e,t)=>{i=e,a=t}),c,l=de((e,t)=>{if(e.url===`/favicon.ico`){t.writeHead(404),t.end();return}if(!e.url?.startsWith(`/callback`)){t.writeHead(404),t.end(`Not Found`);return}try{let n=new he(e.url,`http://localhost:${c}`),r=n.searchParams.get(`code`),s=n.searchParams.get(`error`),u=n.searchParams.get(`error_description`),d=n.searchParams.get(`state`);if(s){x.error(`OAuth authorization error`,{error:s,errorDescription:u}),t.writeHead(400,{"Content-Type":`text/html`}),t.end(We(s,u||void 0)),clearTimeout(o.id),a(Error(`OAuth authorization failed: ${s}${u?` - ${u}`:``}`));return}if(!r){x.error(`OAuth callback missing authorization code`),t.writeHead(400,{"Content-Type":`text/html`}),t.end(We(`missing_code`,`No authorization code was provided`)),clearTimeout(o.id),a(Error(`OAuth callback missing authorization code`));return}x.info(`OAuth authorization code received`,{codePrefix:`${r.substring(0,10)}...`,hasState:!!d}),t.writeHead(200,{"Content-Type":`text/html`}),t.end(`<!DOCTYPE html>
2
2
  <html lang="en">
3
3
  <head>
4
4
  <meta charset="UTF-8">
@@ -138,4 +138,4 @@ import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,Configura
138
138
  ❌ ACCESS DENIED`),console.error(`━`.repeat(60)),console.error(`
139
139
  This MCP server has been blocked by Onyx because it is not authorized by your organization's access control policy. Please contact your administrator if you believe this is an error.
140
140
  `),x.error(`MCP server blocked by access control policy`,{error:t.message,reason:t.reason}),D(()=>{process.exit(1)},1e3);return}let n=`Could not start the proxy: ${t}`;x.error(`Unhandled error occurred`,{error:n}),t instanceof Error?h(t,{args:s,command:o,proxyType:i,transport:d,url:u},{feature:`startup`,module:`cli`,operation:`initialize`,proxyType:i,transport:i===`remote`?d||`unknown`:`stdio`}):h(Error(n),{command:o,originalError:String(t),proxyType:i},{feature:`startup`,module:`cli`,operation:`initialize`}),D(()=>{process.exit(1)},1e3)}};export{ot as main};
141
- //# sourceMappingURL=main-82VoJqLE.js.map
141
+ //# sourceMappingURL=main-CC1n-gTE.js.map
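Review bot: On the new side of this section's first hunk the access-control path fails open in two places: `authorize()` in class `Ne` catches any error from `sendAuthorizeRequest()` (timeout, non-2xx status, malformed response) and returns an allow action, and `isAllowed()` in class `Me` returns `!0` both on an unexpected error and when no client is configured. For a gateway meant to block unauthorized MCP servers, an unreachable or filtered policy endpoint therefore silently disables enforcement; the catch should return a block action unless an explicit fail-open setting is enabled, comparable to the `scanner-fail-open` option the launcher already exposes for the scanner. `sendAuthorizeRequest()` also places `this.config.apiKey` in the URL path, where proxies and server access logs commonly record it; carrying it in a request header would avoid that, assuming the service accepts it there. The only visible difference between 1.0.44 and 1.0.45 in this section is the chunk name `./normalizeUrl-BqkDm6T-.js` and the source-map name, so the behavioural change presumably sits in that chunk, which this page does not show. This is bundler output, so any fix belongs in the unshown source rather than in these lines.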