@onyxsecurity/mcp-gateway 1.0.48 → 1.0.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/bin/mcp-gateway.js +1 -1
  2. package/dist/index.js +1 -1
  3. package/dist/{main-Dc7hWPe7.js → main-ChR3eaOT.js} +2 -2
  4. package/dist/{main-Dc7hWPe7.js.map → main-ChR3eaOT.js.map} +1 -1
  5. package/dist/{normalizeUrl-DWilbohl.js → normalizeUrl-DwqzAC5_.js} +2 -2
  6. package/dist/{normalizeUrl-DWilbohl.js.map → normalizeUrl-DwqzAC5_.js.map} +1 -1
  7. package/package.json +1 -1
package/dist/bin/mcp-gateway.js CHANGED
@@ -1,3 +1,3 @@
1
1
  #!/usr/bin/env node
2
- import{hideBin as e,yargs_default as t}from"../helpers-DH8ZNg5N.js";const n=t(e(process.argv)).parserConfiguration({"populate--":!0,"unknown-options-as-args":!0}).option(`access-control-url`,{type:`string`}).option(`scanner-api-key`,{type:`string`}).option(`scanner-fail-open`,{type:`boolean`}).option(`scanner-timeout-ms`,{type:`number`}).option(`scanner-url`,{type:`string`}).help(!1).version(!1).parseSync();n.accessControlUrl&&(process.env.MCP_GATEWAY_ACCESS_CONTROL_URL=n.accessControlUrl),n.scannerApiKey&&(process.env.MCP_GATEWAY_SCANNER_API_KEY=n.scannerApiKey),n.scannerFailOpen!==void 0&&(process.env.MCP_GATEWAY_SCANNER_FAIL_OPEN=String(n.scannerFailOpen)),n.scannerTimeoutMs!==void 0&&(process.env.MCP_GATEWAY_SCANNER_TIMEOUT_MS=String(n.scannerTimeoutMs)),n.scannerUrl&&(process.env.MCP_GATEWAY_SCANNER_URL=n.scannerUrl);const{main:r}=await import(`../main-Dc7hWPe7.js`);await r();export{};
2
+ import{hideBin as e,yargs_default as t}from"../helpers-DH8ZNg5N.js";const n=t(e(process.argv)).parserConfiguration({"populate--":!0,"unknown-options-as-args":!0}).option(`access-control-url`,{type:`string`}).option(`scanner-api-key`,{type:`string`}).option(`scanner-fail-open`,{type:`boolean`}).option(`scanner-timeout-ms`,{type:`number`}).option(`scanner-url`,{type:`string`}).help(!1).version(!1).parseSync();n.accessControlUrl&&(process.env.MCP_GATEWAY_ACCESS_CONTROL_URL=n.accessControlUrl),n.scannerApiKey&&(process.env.MCP_GATEWAY_SCANNER_API_KEY=n.scannerApiKey),n.scannerFailOpen!==void 0&&(process.env.MCP_GATEWAY_SCANNER_FAIL_OPEN=String(n.scannerFailOpen)),n.scannerTimeoutMs!==void 0&&(process.env.MCP_GATEWAY_SCANNER_TIMEOUT_MS=String(n.scannerTimeoutMs)),n.scannerUrl&&(process.env.MCP_GATEWAY_SCANNER_URL=n.scannerUrl);const{main:r}=await import(`../main-ChR3eaOT.js`);await r();export{};
3
3
  //# sourceMappingURL=mcp-gateway.js.map
package/dist/index.js CHANGED
@@ -1,2 +1,2 @@
1
- import{Client as e,InMemoryEventStore as t,SSEClientTransport as n,Server as r,StdioServerTransport as i,StreamableHTTPClientTransport as a,config as o,normalizeUrl as s,proxyServer as c,startHTTPServer as l}from"./normalizeUrl-DWilbohl.js";let u=function(e){return e.HTTPStream=`HTTPStream`,e.SSE=`SSE`,e}({});const d=async({initStdioServer:t,initStreamClient:l,serverType:d,transportOptions:f={},url:p})=>{let m=s(p),h;switch(d){case u.SSE:h=new n(new URL(m),f);break;default:h=new a(new URL(m),f)}let g=l?await l():new e({name:`mcp-gateway`,version:o.appVersion},{capabilities:{}});await g.connect(h);let _=g.getServerVersion(),v=g.getServerCapabilities(),y=t?await t():new r(_,{capabilities:v}),b=new i;return await y.connect(b),await c({authorizer:void 0,client:g,server:y,serverCapabilities:v}),y},f=(e,t)=>{let n=e.close.bind(e),r=e.onclose?.bind(e),i=e.onerror?.bind(e),a=e.onmessage?.bind(e),o=e.send.bind(e),s=e.start.bind(e);return e.close=async()=>(t({type:`close`}),n?.()),e.onclose=async()=>(t({type:`onclose`}),r?.()),e.onerror=async e=>(t({error:e,type:`onerror`}),i?.(e)),e.onmessage=async e=>(t({message:e,type:`onmessage`}),a?.(e)),e.send=async e=>(t({message:e,type:`send`}),o?.(e)),e.start=async()=>(t({type:`start`}),s?.()),e};export{t as InMemoryEventStore,u as ServerType,c as proxyServer,l as startHTTPServer,d as startStdioServer,f as tapTransport};
1
+ import{Client as e,InMemoryEventStore as t,SSEClientTransport as n,Server as r,StdioServerTransport as i,StreamableHTTPClientTransport as a,config as o,normalizeUrl as s,proxyServer as c,startHTTPServer as l}from"./normalizeUrl-DwqzAC5_.js";let u=function(e){return e.HTTPStream=`HTTPStream`,e.SSE=`SSE`,e}({});const d=async({initStdioServer:t,initStreamClient:l,serverType:d,transportOptions:f={},url:p})=>{let m=s(p),h;switch(d){case u.SSE:h=new n(new URL(m),f);break;default:h=new a(new URL(m),f)}let g=l?await l():new e({name:`mcp-gateway`,version:o.appVersion},{capabilities:{}});await g.connect(h);let _=g.getServerVersion(),v=g.getServerCapabilities(),y=t?await t():new r(_,{capabilities:v}),b=new i;return await y.connect(b),await c({authorizer:void 0,client:g,server:y,serverCapabilities:v}),y},f=(e,t)=>{let n=e.close.bind(e),r=e.onclose?.bind(e),i=e.onerror?.bind(e),a=e.onmessage?.bind(e),o=e.send.bind(e),s=e.start.bind(e);return e.close=async()=>(t({type:`close`}),n?.()),e.onclose=async()=>(t({type:`onclose`}),r?.()),e.onerror=async e=>(t({error:e,type:`onerror`}),i?.(e)),e.onmessage=async e=>(t({message:e,type:`onmessage`}),a?.(e)),e.send=async e=>(t({message:e,type:`send`}),o?.(e)),e.start=async()=>(t({type:`start`}),s?.()),e};export{t as InMemoryEventStore,u as ServerType,c as proxyServer,l as startHTTPServer,d as startStdioServer,f as tapTransport};
2
2
  //# sourceMappingURL=index.js.map
package/dist/{main-Dc7hWPe7.js → main-ChR3eaOT.js} RENAMED
@@ -1,4 +1,4 @@
1
- import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,ConfigurationError as r,ProcessSpawnError as i,ProxyConnectionError as a,ReadBuffer as o,SSEClientTransport as s,Server as c,StdioServerTransport as l,StreamableHTTPClientTransport as u,TransportError as d,UnauthorizedError as f,addBreadcrumbSafe as p,addGlobalTags as m,captureExceptionSafe as h,compressClientInfo as g,config as _,createParser as v,discoverAuthorizationServerMetadata as y,discoverOAuthProtectedResourceMetadata as b,exchangeAuthorization as x,getSessionData as ee,initSentrySafe as te,initializeTrafficMirror as ne,logger as S,normalizeUrl as C,proxyServer as re,refreshAuthorization as ie,registerClient as w,serializeMessage as T,startAuthorization as E,startHTTPServer as ae}from"./normalizeUrl-DWilbohl.js";import{hideBin as oe,yargs_default as se}from"./helpers-DH8ZNg5N.js";import"./pkce-ANRIC6ce.js";import{join as D}from"node:path";import{platform as ce}from"node:os";import{createHash as le}from"node:crypto";import{createServer as ue}from"node:http";import{setTimeout as O}from"node:timers";import de from"node:util";import{execFile as fe,execSync as pe,spawn as me}from"node:child_process";import{URL as he}from"node:url";import{chmod as ge,mkdir as _e,readFile as ve,rm as ye,writeFile as be}from"node:fs/promises";import{PassThrough as xe,Transform as Se}from"node:stream";var Ce=class extends Event{constructor(e,t){super(e),this.code=t?.code??void 0,this.message=t?.message??void 0}[Symbol.for(`nodejs.util.inspect.custom`)](e,t,n){return n(Te(this),t)}[Symbol.for(`Deno.customInspect`)](e,t){return e(Te(this),t)}};function we(e){let t=globalThis.DOMException;return typeof t==`function`?new t(e,`SyntaxError`):SyntaxError(e)}function k(e){return e instanceof Error?`errors`in e&&Array.isArray(e.errors)?e.errors.map(k).join(`, `):`cause`in e&&e.cause instanceof Error?`${e}: ${k(e.cause)}`:e.message:`${e}`}function Te(e){return{type:e.type,message:e.message,code:e.code,defaultPrevented:e.defaultPrevented,cancelable:e.cancelable,timeStamp:e.timeStamp}}var Ee=e=>{throw TypeError(e)},A=(e,t,n)=>t.has(e)||Ee(`Cannot `+n),j=(e,t,n)=>(A(e,t,`read from private field`),n?n.call(e):t.get(e)),M=(e,t,n)=>t.has(e)?Ee(`Cannot add the same private member more than once`):t instanceof WeakSet?t.add(e):t.set(e,n),N=(e,t,n,r)=>(A(e,t,`write to private field`),t.set(e,n),n),P=(e,t,n)=>(A(e,t,`access private method`),n),F,I,L,R,z,B,V,H,U,W,G,K,q,J,Y,X,Z,De,Oe,ke,Q,Ae,je,$=class extends EventTarget{constructor(e,t){super(),M(this,J),this.CONNECTING=0,this.OPEN=1,this.CLOSED=2,M(this,F),M(this,I),M(this,L),M(this,R),M(this,z),M(this,B),M(this,V),M(this,H,null),M(this,U),M(this,W),M(this,G,null),M(this,K,null),M(this,q,null),M(this,X,async e=>{var t;j(this,W).reset();let{body:n,redirected:r,status:i,headers:a}=e;if(i===204){P(this,J,Q).call(this,`Server sent HTTP 204, not reconnecting`,204),this.close();return}if(r?N(this,L,new URL(e.url)):N(this,L,void 0),i!==200){P(this,J,Q).call(this,`Non-200 status code (${i})`,i);return}if(!(a.get(`content-type`)||``).startsWith(`text/event-stream`)){P(this,J,Q).call(this,`Invalid content type, expected "text/event-stream"`,i);return}if(j(this,F)===this.CLOSED)return;N(this,F,this.OPEN);let o=new Event(`open`);if((t=j(this,q))==null||t.call(this,o),this.dispatchEvent(o),typeof n!=`object`||!n||!(`getReader`in n)){P(this,J,Q).call(this,`Invalid response body, expected a web ReadableStream`,i),this.close();return}let s=new TextDecoder,c=n.getReader(),l=!0;do{let{done:e,value:t}=await c.read();t&&j(this,W).feed(s.decode(t,{stream:!e})),e&&(l=!1,j(this,W).reset(),P(this,J,Ae).call(this))}while(l)}),M(this,Z,e=>{N(this,U,void 0),!(e.name===`AbortError`||e.type===`aborted`)&&P(this,J,Ae).call(this,k(e))}),M(this,Oe,e=>{typeof e.id==`string`&&N(this,H,e.id);let t=new MessageEvent(e.event||`message`,{data:e.data,origin:j(this,L)?j(this,L).origin:j(this,I).origin,lastEventId:e.id||``});j(this,K)&&(!e.event||e.event===`message`)&&j(this,K).call(this,t),this.dispatchEvent(t)}),M(this,ke,e=>{N(this,B,e)}),M(this,je,()=>{N(this,V,void 0),j(this,F)===this.CONNECTING&&P(this,J,Y).call(this)});try{if(e instanceof URL)N(this,I,e);else if(typeof e==`string`)N(this,I,new URL(e,Me()));else throw Error(`Invalid URL`)}catch{throw we(`An invalid or illegal string was specified`)}N(this,W,v({onEvent:j(this,Oe),onRetry:j(this,ke)})),N(this,F,this.CONNECTING),N(this,B,3e3),N(this,z,t?.fetch??globalThis.fetch),N(this,R,t?.withCredentials??!1),P(this,J,Y).call(this)}get readyState(){return j(this,F)}get url(){return j(this,I).href}get withCredentials(){return j(this,R)}get onerror(){return j(this,G)}set onerror(e){N(this,G,e)}get onmessage(){return j(this,K)}set onmessage(e){N(this,K,e)}get onopen(){return j(this,q)}set onopen(e){N(this,q,e)}addEventListener(e,t,n){let r=t;super.addEventListener(e,r,n)}removeEventListener(e,t,n){let r=t;super.removeEventListener(e,r,n)}close(){j(this,V)&&clearTimeout(j(this,V)),j(this,F)!==this.CLOSED&&(j(this,U)&&j(this,U).abort(),N(this,F,this.CLOSED),N(this,U,void 0))}};F=new WeakMap,I=new WeakMap,L=new WeakMap,R=new WeakMap,z=new WeakMap,B=new WeakMap,V=new WeakMap,H=new WeakMap,U=new WeakMap,W=new WeakMap,G=new WeakMap,K=new WeakMap,q=new WeakMap,J=new WeakSet,Y=function(){N(this,F,this.CONNECTING),N(this,U,new AbortController),j(this,z)(j(this,I),P(this,J,De).call(this)).then(j(this,X)).catch(j(this,Z))},X=new WeakMap,Z=new WeakMap,De=function(){let e={mode:`cors`,redirect:`follow`,headers:{Accept:`text/event-stream`,...j(this,H)?{"Last-Event-ID":j(this,H)}:void 0},cache:`no-store`,signal:j(this,U)?.signal};return`window`in globalThis&&(e.credentials=this.withCredentials?`include`:`same-origin`),e},Oe=new WeakMap,ke=new WeakMap,Q=function(e,t){var n;j(this,F)!==this.CLOSED&&N(this,F,this.CLOSED);let r=new Ce(`error`,{code:t,message:e});(n=j(this,G))==null||n.call(this,r),this.dispatchEvent(r)},Ae=function(e,t){var n;if(j(this,F)===this.CLOSED)return;N(this,F,this.CONNECTING);let r=new Ce(`error`,{code:t,message:e});(n=j(this,G))==null||n.call(this,r),this.dispatchEvent(r),N(this,V,setTimeout(j(this,je),j(this,B)))},je=new WeakMap,$.CONNECTING=0,$.OPEN=1,$.CLOSED=2;function Me(){let e=`document`in globalThis?globalThis.document:void 0;return e&&typeof e==`object`&&`baseURI`in e&&typeof e.baseURI==`string`?e.baseURI:void 0}var Ne=class{client;enabled;lastBlockReason;serverName;constructor(e){this.enabled=e.enabled,this.client=e.client,this.serverName=e.serverName,S.info(`AccessControlAuthorizer initialized`,{enabled:this.enabled,hasClient:!!this.client,serverName:this.serverName})}getBlockReason(){return this.lastBlockReason?this.lastBlockReason:`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`}async isAllowed(){if(!this.enabled)return!0;if(this.client)try{let e=await this.client.authorize();return e.action===`block`?(e.reason?this.lastBlockReason=e.reason:this.lastBlockReason=`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`,!1):!0}catch(e){return S.error(`Access control authorization failed with unexpected error`,{error:String(e)}),!0}return S.warn(`No access control client configured, allowing by default`),!0}},Pe=class{clientInfoBase64;config;constructor(e){this.config=e,this.clientInfoBase64=this.getClientInfoBase64(),S.info(`AccessControlClient initialized`,{timeoutMs:e.timeoutMs,url:e.url})}async authorize(){try{let e=await this.sendAuthorizeRequest();return S.debug(`Access control check successful`,{action:e.action}),e}catch(e){return S.warn(`Access control check failed, failing open (allowing by default)`,{error:String(e)}),{action:`allow`}}}getClientInfoBase64(){return g(this.config.sessionData)}async sendAuthorizeRequest(){let e=new AbortController,t=setTimeout(()=>e.abort(),this.config.timeoutMs);try{let t=`${this.config.url}/${this.config.apiKey}/mcp/${this.clientInfoBase64}`,n=await fetch(t,{headers:{...this.config.headers},method:`POST`,signal:e.signal});if(!n.ok)throw Error(`Access control service returned ${n.status}: ${n.statusText}`);let r=await n.json();if(!r.action||![`allow`,`block`].includes(r.action))throw Error(`Invalid access control response format: action="${r.action}"`);return r}catch(e){throw e instanceof Error&&e.name===`AbortError`?Error(`Access control check timed out after ${this.config.timeoutMs}ms`):e}finally{clearTimeout(t)}}};async function Fe(e){let t=e.toString(),n=ce(),r=ze(t);return new Promise((e,i)=>{let a,o;if(n===`win32`){let e=`Start-Process ${Le(t)}`,n=Ie(e);a=Re(),o=[`-NoProfile`,`-NonInteractive`,`-ExecutionPolicy`,`Bypass`,`-EncodedCommand`,n]}else n===`darwin`?(a=`open`,o=[t]):(a=`xdg-open`,o=[t]);fe(a,o,(t,o,s)=>{if(t){let e={command:a,os:n,stderr:s,url:r};S.warn(`Failed to open browser automatically`,{...e,error:t.message}),h(t,e,{feature:`auth`,module:`browser`,operation:`openBrowser`});let o=Error(`Failed to open browser: ${t.message} (command: ${a}, os: ${n}, url: ${r})`);o.cause=t,i(o)}else S.debug(`Browser opened successfully`,{url:r}),e()})})}function Ie(e){return Buffer.from(e,`utf16le`).toString(`base64`)}function Le(e){return`'${e.replaceAll(`'`,`''`)}'`}function Re(){return`${process.env.SYSTEMROOT||process.env.windir||`C:\\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`}function ze(e){try{let t=new URL(e);return t.search?`${t.protocol}//${t.host}${t.pathname}?[REDACTED]`:`${t.protocol}//${t.host}${t.pathname}`}catch{return`[INVALID_URL]`}}const Be=49152;function Ve(){return Math.floor(Math.random()*(65535-Be+1))+Be}function He(e,t){return new Promise((n,r)=>{let i=t=>{e.removeListener(`listening`,a),r(t)},a=()=>{e.removeListener(`error`,i),n()};e.once(`error`,i),e.once(`listening`,a),e.listen(t,`127.0.0.1`)})}async function Ue(e={}){let{maxAttempts:t=5,preferredPort:n,timeoutMs:r=3e5}=e,i,a,o={},s=new Promise((e,t)=>{i=e,a=t}),c,l=ue((e,t)=>{if(e.url===`/favicon.ico`){t.writeHead(404),t.end();return}if(!e.url?.startsWith(`/callback`)){t.writeHead(404),t.end(`Not Found`);return}try{let n=new he(e.url,`http://localhost:${c}`),r=n.searchParams.get(`code`),s=n.searchParams.get(`error`),u=n.searchParams.get(`error_description`),d=n.searchParams.get(`state`);if(s){S.error(`OAuth authorization error`,{error:s,errorDescription:u}),t.writeHead(400,{"Content-Type":`text/html`}),t.end(Ge(s,u||void 0)),clearTimeout(o.id),a(Error(`OAuth authorization failed: ${s}${u?` - ${u}`:``}`));return}if(!r){S.error(`OAuth callback missing authorization code`),t.writeHead(400,{"Content-Type":`text/html`}),t.end(Ge(`missing_code`,`No authorization code was provided`)),clearTimeout(o.id),a(Error(`OAuth callback missing authorization code`));return}S.info(`OAuth authorization code received`,{codePrefix:`${r.substring(0,10)}...`,hasState:!!d}),t.writeHead(200,{"Content-Type":`text/html`}),t.end(`<!DOCTYPE html>
1
+ import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,ConfigurationError as r,ProcessSpawnError as i,ProxyConnectionError as a,ReadBuffer as o,SSEClientTransport as s,Server as c,StdioServerTransport as l,StreamableHTTPClientTransport as u,TransportError as d,UnauthorizedError as f,addBreadcrumbSafe as p,addGlobalTags as m,captureExceptionSafe as h,compressClientInfo as g,config as _,createParser as v,discoverAuthorizationServerMetadata as y,discoverOAuthProtectedResourceMetadata as b,exchangeAuthorization as x,getSessionData as ee,initSentrySafe as te,initializeTrafficMirror as ne,logger as S,normalizeUrl as C,proxyServer as re,refreshAuthorization as ie,registerClient as w,serializeMessage as T,startAuthorization as E,startHTTPServer as ae}from"./normalizeUrl-DwqzAC5_.js";import{hideBin as oe,yargs_default as se}from"./helpers-DH8ZNg5N.js";import"./pkce-ANRIC6ce.js";import{join as D}from"node:path";import{platform as ce}from"node:os";import{createHash as le}from"node:crypto";import{createServer as ue}from"node:http";import{setTimeout as O}from"node:timers";import de from"node:util";import{execFile as fe,execSync as pe,spawn as me}from"node:child_process";import{URL as he}from"node:url";import{chmod as ge,mkdir as _e,readFile as ve,rm as ye,writeFile as be}from"node:fs/promises";import{PassThrough as xe,Transform as Se}from"node:stream";var Ce=class extends Event{constructor(e,t){super(e),this.code=t?.code??void 0,this.message=t?.message??void 0}[Symbol.for(`nodejs.util.inspect.custom`)](e,t,n){return n(Te(this),t)}[Symbol.for(`Deno.customInspect`)](e,t){return e(Te(this),t)}};function we(e){let t=globalThis.DOMException;return typeof t==`function`?new t(e,`SyntaxError`):SyntaxError(e)}function k(e){return e instanceof Error?`errors`in e&&Array.isArray(e.errors)?e.errors.map(k).join(`, `):`cause`in e&&e.cause instanceof Error?`${e}: ${k(e.cause)}`:e.message:`${e}`}function Te(e){return{type:e.type,message:e.message,code:e.code,defaultPrevented:e.defaultPrevented,cancelable:e.cancelable,timeStamp:e.timeStamp}}var Ee=e=>{throw TypeError(e)},A=(e,t,n)=>t.has(e)||Ee(`Cannot `+n),j=(e,t,n)=>(A(e,t,`read from private field`),n?n.call(e):t.get(e)),M=(e,t,n)=>t.has(e)?Ee(`Cannot add the same private member more than once`):t instanceof WeakSet?t.add(e):t.set(e,n),N=(e,t,n,r)=>(A(e,t,`write to private field`),t.set(e,n),n),P=(e,t,n)=>(A(e,t,`access private method`),n),F,I,L,R,z,B,V,H,U,W,G,K,q,J,Y,X,Z,De,Oe,ke,Q,Ae,je,$=class extends EventTarget{constructor(e,t){super(),M(this,J),this.CONNECTING=0,this.OPEN=1,this.CLOSED=2,M(this,F),M(this,I),M(this,L),M(this,R),M(this,z),M(this,B),M(this,V),M(this,H,null),M(this,U),M(this,W),M(this,G,null),M(this,K,null),M(this,q,null),M(this,X,async e=>{var t;j(this,W).reset();let{body:n,redirected:r,status:i,headers:a}=e;if(i===204){P(this,J,Q).call(this,`Server sent HTTP 204, not reconnecting`,204),this.close();return}if(r?N(this,L,new URL(e.url)):N(this,L,void 0),i!==200){P(this,J,Q).call(this,`Non-200 status code (${i})`,i);return}if(!(a.get(`content-type`)||``).startsWith(`text/event-stream`)){P(this,J,Q).call(this,`Invalid content type, expected "text/event-stream"`,i);return}if(j(this,F)===this.CLOSED)return;N(this,F,this.OPEN);let o=new Event(`open`);if((t=j(this,q))==null||t.call(this,o),this.dispatchEvent(o),typeof n!=`object`||!n||!(`getReader`in n)){P(this,J,Q).call(this,`Invalid response body, expected a web ReadableStream`,i),this.close();return}let s=new TextDecoder,c=n.getReader(),l=!0;do{let{done:e,value:t}=await c.read();t&&j(this,W).feed(s.decode(t,{stream:!e})),e&&(l=!1,j(this,W).reset(),P(this,J,Ae).call(this))}while(l)}),M(this,Z,e=>{N(this,U,void 0),!(e.name===`AbortError`||e.type===`aborted`)&&P(this,J,Ae).call(this,k(e))}),M(this,Oe,e=>{typeof e.id==`string`&&N(this,H,e.id);let t=new MessageEvent(e.event||`message`,{data:e.data,origin:j(this,L)?j(this,L).origin:j(this,I).origin,lastEventId:e.id||``});j(this,K)&&(!e.event||e.event===`message`)&&j(this,K).call(this,t),this.dispatchEvent(t)}),M(this,ke,e=>{N(this,B,e)}),M(this,je,()=>{N(this,V,void 0),j(this,F)===this.CONNECTING&&P(this,J,Y).call(this)});try{if(e instanceof URL)N(this,I,e);else if(typeof e==`string`)N(this,I,new URL(e,Me()));else throw Error(`Invalid URL`)}catch{throw we(`An invalid or illegal string was specified`)}N(this,W,v({onEvent:j(this,Oe),onRetry:j(this,ke)})),N(this,F,this.CONNECTING),N(this,B,3e3),N(this,z,t?.fetch??globalThis.fetch),N(this,R,t?.withCredentials??!1),P(this,J,Y).call(this)}get readyState(){return j(this,F)}get url(){return j(this,I).href}get withCredentials(){return j(this,R)}get onerror(){return j(this,G)}set onerror(e){N(this,G,e)}get onmessage(){return j(this,K)}set onmessage(e){N(this,K,e)}get onopen(){return j(this,q)}set onopen(e){N(this,q,e)}addEventListener(e,t,n){let r=t;super.addEventListener(e,r,n)}removeEventListener(e,t,n){let r=t;super.removeEventListener(e,r,n)}close(){j(this,V)&&clearTimeout(j(this,V)),j(this,F)!==this.CLOSED&&(j(this,U)&&j(this,U).abort(),N(this,F,this.CLOSED),N(this,U,void 0))}};F=new WeakMap,I=new WeakMap,L=new WeakMap,R=new WeakMap,z=new WeakMap,B=new WeakMap,V=new WeakMap,H=new WeakMap,U=new WeakMap,W=new WeakMap,G=new WeakMap,K=new WeakMap,q=new WeakMap,J=new WeakSet,Y=function(){N(this,F,this.CONNECTING),N(this,U,new AbortController),j(this,z)(j(this,I),P(this,J,De).call(this)).then(j(this,X)).catch(j(this,Z))},X=new WeakMap,Z=new WeakMap,De=function(){let e={mode:`cors`,redirect:`follow`,headers:{Accept:`text/event-stream`,...j(this,H)?{"Last-Event-ID":j(this,H)}:void 0},cache:`no-store`,signal:j(this,U)?.signal};return`window`in globalThis&&(e.credentials=this.withCredentials?`include`:`same-origin`),e},Oe=new WeakMap,ke=new WeakMap,Q=function(e,t){var n;j(this,F)!==this.CLOSED&&N(this,F,this.CLOSED);let r=new Ce(`error`,{code:t,message:e});(n=j(this,G))==null||n.call(this,r),this.dispatchEvent(r)},Ae=function(e,t){var n;if(j(this,F)===this.CLOSED)return;N(this,F,this.CONNECTING);let r=new Ce(`error`,{code:t,message:e});(n=j(this,G))==null||n.call(this,r),this.dispatchEvent(r),N(this,V,setTimeout(j(this,je),j(this,B)))},je=new WeakMap,$.CONNECTING=0,$.OPEN=1,$.CLOSED=2;function Me(){let e=`document`in globalThis?globalThis.document:void 0;return e&&typeof e==`object`&&`baseURI`in e&&typeof e.baseURI==`string`?e.baseURI:void 0}var Ne=class{client;enabled;lastBlockReason;serverName;constructor(e){this.enabled=e.enabled,this.client=e.client,this.serverName=e.serverName,S.info(`AccessControlAuthorizer initialized`,{enabled:this.enabled,hasClient:!!this.client,serverName:this.serverName})}getBlockReason(){return this.lastBlockReason?this.lastBlockReason:`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`}async isAllowed(){if(!this.enabled)return!0;if(this.client)try{let e=await this.client.authorize();return e.action===`block`?(e.reason?this.lastBlockReason=e.reason:this.lastBlockReason=`MCP server${this.serverName?` '${this.serverName}'`:``} is not authorized for use in your organization and has been blocked by Onyx.`,!1):!0}catch(e){return S.error(`Access control authorization failed with unexpected error`,{error:String(e)}),!0}return S.warn(`No access control client configured, allowing by default`),!0}},Pe=class{clientInfoBase64;config;constructor(e){this.config=e,this.clientInfoBase64=this.getClientInfoBase64(),S.info(`AccessControlClient initialized`,{timeoutMs:e.timeoutMs,url:e.url})}async authorize(){try{let e=await this.sendAuthorizeRequest();return S.debug(`Access control check successful`,{action:e.action}),e}catch(e){return S.warn(`Access control check failed, failing open (allowing by default)`,{error:String(e)}),{action:`allow`}}}getClientInfoBase64(){return g(this.config.sessionData)}async sendAuthorizeRequest(){let e=new AbortController,t=setTimeout(()=>e.abort(),this.config.timeoutMs);try{let t=`${this.config.url}/${this.config.apiKey}/mcp/${this.clientInfoBase64}`,n=await fetch(t,{headers:{...this.config.headers},method:`POST`,signal:e.signal});if(!n.ok)throw Error(`Access control service returned ${n.status}: ${n.statusText}`);let r=await n.json();if(!r.action||![`allow`,`block`].includes(r.action))throw Error(`Invalid access control response format: action="${r.action}"`);return r}catch(e){throw e instanceof Error&&e.name===`AbortError`?Error(`Access control check timed out after ${this.config.timeoutMs}ms`):e}finally{clearTimeout(t)}}};async function Fe(e){let t=e.toString(),n=ce(),r=ze(t);return new Promise((e,i)=>{let a,o;if(n===`win32`){let e=`Start-Process ${Le(t)}`,n=Ie(e);a=Re(),o=[`-NoProfile`,`-NonInteractive`,`-ExecutionPolicy`,`Bypass`,`-EncodedCommand`,n]}else n===`darwin`?(a=`open`,o=[t]):(a=`xdg-open`,o=[t]);fe(a,o,(t,o,s)=>{if(t){let e={command:a,os:n,stderr:s,url:r};S.warn(`Failed to open browser automatically`,{...e,error:t.message}),h(t,e,{feature:`auth`,module:`browser`,operation:`openBrowser`});let o=Error(`Failed to open browser: ${t.message} (command: ${a}, os: ${n}, url: ${r})`);o.cause=t,i(o)}else S.debug(`Browser opened successfully`,{url:r}),e()})})}function Ie(e){return Buffer.from(e,`utf16le`).toString(`base64`)}function Le(e){return`'${e.replaceAll(`'`,`''`)}'`}function Re(){return`${process.env.SYSTEMROOT||process.env.windir||`C:\\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`}function ze(e){try{let t=new URL(e);return t.search?`${t.protocol}//${t.host}${t.pathname}?[REDACTED]`:`${t.protocol}//${t.host}${t.pathname}`}catch{return`[INVALID_URL]`}}const Be=49152;function Ve(){return Math.floor(Math.random()*(65535-Be+1))+Be}function He(e,t){return new Promise((n,r)=>{let i=t=>{e.removeListener(`listening`,a),r(t)},a=()=>{e.removeListener(`error`,i),n()};e.once(`error`,i),e.once(`listening`,a),e.listen(t,`127.0.0.1`)})}async function Ue(e={}){let{maxAttempts:t=5,preferredPort:n,timeoutMs:r=3e5}=e,i,a,o={},s=new Promise((e,t)=>{i=e,a=t}),c,l=ue((e,t)=>{if(e.url===`/favicon.ico`){t.writeHead(404),t.end();return}if(!e.url?.startsWith(`/callback`)){t.writeHead(404),t.end(`Not Found`);return}try{let n=new he(e.url,`http://localhost:${c}`),r=n.searchParams.get(`code`),s=n.searchParams.get(`error`),u=n.searchParams.get(`error_description`),d=n.searchParams.get(`state`);if(s){S.error(`OAuth authorization error`,{error:s,errorDescription:u}),t.writeHead(400,{"Content-Type":`text/html`}),t.end(Ge(s,u||void 0)),clearTimeout(o.id),a(Error(`OAuth authorization failed: ${s}${u?` - ${u}`:``}`));return}if(!r){S.error(`OAuth callback missing authorization code`),t.writeHead(400,{"Content-Type":`text/html`}),t.end(Ge(`missing_code`,`No authorization code was provided`)),clearTimeout(o.id),a(Error(`OAuth callback missing authorization code`));return}S.info(`OAuth authorization code received`,{codePrefix:`${r.substring(0,10)}...`,hasState:!!d}),t.writeHead(200,{"Content-Type":`text/html`}),t.end(`<!DOCTYPE html>
2
2
  <html lang="en">
3
3
  <head>
4
4
  <meta charset="UTF-8">
@@ -138,4 +138,4 @@ import{AccessControlBlockError as e,BUILD_TIME_CONFIG as t,Client as n,Configura
138
138
  ❌ ACCESS DENIED`),console.error(`━`.repeat(60)),console.error(`
139
139
  This MCP server has been blocked by Onyx because it is not authorized by your organization's access control policy. Please contact your administrator if you believe this is an error.
140
140
  `),S.error(`MCP server blocked by access control policy`,{error:t.message,reason:t.reason}),O(()=>{process.exit(1)},1e3);return}let n=`Could not start the proxy: ${t}`;S.error(`Unhandled error occurred`,{error:n}),t instanceof Error?h(t,{args:s,command:o,proxyType:i,transport:d,url:u},{feature:`startup`,module:`cli`,operation:`initialize`,proxyType:i,transport:i===`remote`?d||`unknown`:`stdio`}):h(Error(n),{command:o,originalError:String(t),proxyType:i},{feature:`startup`,module:`cli`,operation:`initialize`}),O(()=>{process.exit(1)},1e3)}};export{dt as main};
141
- //# sourceMappingURL=main-Dc7hWPe7.js.map
141
+ //# sourceMappingURL=main-ChR3eaOT.js.map