@open-loyalty/mcp-server 1.0.2 → 1.1.0

package/dist/client/http.d.ts

@@ -1,4 +1,9 @@
 import { AxiosInstance } from "axios";
+/**
+ * Redacts sensitive fields from data before logging.
+ * Replaces values of sensitive fields with "[REDACTED]".
+ */
+export declare function redactSensitiveData(data: unknown, depth?: number): unknown;
 export declare function resetHttpClient(): void;
 export declare function getAxiosInstance(): AxiosInstance;
 export declare function apiGet<T>(url: string): Promise<T>;

package/dist/client/http.js

@@ -1,5 +1,51 @@
 import axios from "axios";
 import { getConfig } from "../config.js";
+// Fields that may contain PII and should be redacted in logs
+const SENSITIVE_FIELDS = new Set([
+    "email",
+    "phone",
+    "password",
+    "token",
+    "apiToken",
+    "apiKey",
+    "secret",
+    "address",
+    "street",
+    "city",
+    "postalCode",
+    "loyaltyCardNumber",
+    "firstName",
+    "lastName",
+    "birthDate",
+    "gender",
+]);
+/**
+ * Redacts sensitive fields from data before logging.
+ * Replaces values of sensitive fields with "[REDACTED]".
+ */
+export function redactSensitiveData(data, depth = 0) {
+    // Prevent infinite recursion on deeply nested objects
+    if (depth > 10)
+        return "[MAX_DEPTH]";
+    if (data === null || data === undefined)
+        return data;
+    if (Array.isArray(data)) {
+        return data.map((item) => redactSensitiveData(item, depth + 1));
+    }
+    if (typeof data === "object") {
+        const redacted = {};
+        for (const [key, value] of Object.entries(data)) {
+            if (SENSITIVE_FIELDS.has(key)) {
+                redacted[key] = "[REDACTED]";
+            }
+            else {
+                redacted[key] = redactSensitiveData(value, depth + 1);
+            }
+        }
+        return redacted;
+    }
+    return data;
+}
 let client = null;
 // For testing: reset the client singleton
 export function resetHttpClient() {
@@ -13,16 +59,19 @@ function getClient() {
     if (client) {
         return client;
     }
-    const config = getConfig();
+    // Create client without baseURL - it will be set dynamically per request
+    // to support multi-tenant OAuth mode where each user has different API URLs
     client = axios.create({
-        baseURL: config.apiUrl,
         timeout: 30000,
         headers: {
             "Content-Type": "application/json",
         },
     });
     client.interceptors.request.use((requestConfig) => {
+        // Get current config (supports request-scoped overrides in OAuth mode)
         const cfg = getConfig();
+        // Set baseURL dynamically from current config (supports multi-tenant OAuth)
+        requestConfig.baseURL = cfg.apiUrl;
         requestConfig.headers.set("X-AUTH-TOKEN", cfg.apiToken);
         return requestConfig;
     }, (error) => {
@@ -33,7 +82,7 @@ function getClient() {
         if (error.response) {
             const status = error.response.status;
             const data = error.response.data;
-            console.error(`API Error [${status}]:`, JSON.stringify(data, null, 2));
+            console.error(`API Error [${status}]:`, JSON.stringify(redactSensitiveData(data), null, 2));
             if (status === 401) {
                 throw new Error("Authentication failed (401): Invalid or expired API token. " +
                     "Please check your OPENLOYALTY_API_TOKEN environment variable.");

package/dist/config.d.ts

@@ -14,7 +14,17 @@ declare const ConfigSchema: z.ZodObject<{
 }>;
 export type Config = z.infer<typeof ConfigSchema>;
 /**
- * Sets a config override for the current request (OAuth mode)
+ * Runs a function with a request-scoped config override (OAuth mode).
+ * This is thread-safe - concurrent requests each have their own isolated config.
+ */
+export declare function runWithConfig<T>(override: {
+    apiUrl: string;
+    apiToken: string;
+    storeCode: string;
+}, fn: () => T | Promise<T>): T | Promise<T>;
+/**
+ * @deprecated Use runWithConfig() instead for thread-safe config override.
+ * This is kept for backwards compatibility but is NOT safe for concurrent requests.
  */
 export declare function setConfigOverride(override: {
     apiUrl: string;
@@ -22,8 +32,12 @@ export declare function setConfigOverride(override: {
     storeCode: string;
 }): void;
 /**
- * Clears the config override after request completes
+ * @deprecated Use runWithConfig() instead - cleanup is automatic.
  */
 export declare function clearConfigOverride(): void;
+/**
+ * Gets the store code, falling back to default from config if not provided.
+ */
+export declare function getStoreCode(storeCode?: string): string;
 export declare function getConfig(): Config;
 export {};

package/dist/config.js

@@ -1,32 +1,50 @@
 import { z } from "zod";
+import { AsyncLocalStorage } from "async_hooks";
 const ConfigSchema = z.object({
     apiUrl: z.string().url(),
     apiToken: z.string().min(1),
     defaultStoreCode: z.string().min(1),
 });
 let config = null;
-// Per-request config override for OAuth mode
-let configOverride = null;
+// Request-scoped config storage using AsyncLocalStorage (thread-safe for concurrent requests)
+const configStorage = new AsyncLocalStorage();
 /**
- * Sets a config override for the current request (OAuth mode)
+ * Runs a function with a request-scoped config override (OAuth mode).
+ * This is thread-safe - concurrent requests each have their own isolated config.
  */
-export function setConfigOverride(override) {
-    configOverride = {
+export function runWithConfig(override, fn) {
+    const requestConfig = {
         apiUrl: override.apiUrl,
         apiToken: override.apiToken,
         defaultStoreCode: override.storeCode,
     };
+    return configStorage.run(requestConfig, fn);
+}
+/**
+ * @deprecated Use runWithConfig() instead for thread-safe config override.
+ * This is kept for backwards compatibility but is NOT safe for concurrent requests.
+ */
+export function setConfigOverride(override) {
+    // No-op - use runWithConfig instead
+    console.warn("setConfigOverride is deprecated and unsafe for concurrent requests. Use runWithConfig() instead.");
 }
 /**
- * Clears the config override after request completes
+ * @deprecated Use runWithConfig() instead - cleanup is automatic.
  */
 export function clearConfigOverride() {
-    configOverride = null;
+    // No-op - cleanup is automatic with runWithConfig
+}
+/**
+ * Gets the store code, falling back to default from config if not provided.
+ */
+export function getStoreCode(storeCode) {
+    return storeCode || getConfig().defaultStoreCode;
 }
 export function getConfig() {
-    // Return override if set (OAuth mode)
-    if (configOverride) {
-        return configOverride;
+    // Return request-scoped config if set (OAuth mode)
+    const requestConfig = configStorage.getStore();
+    if (requestConfig) {
+        return requestConfig;
     }
     if (config) {
         return config;

package/dist/http.js

@@ -2,11 +2,13 @@
 import "dotenv/config";
 import express from "express";
 import cors from "cors";
+import helmet from "helmet";
+import rateLimit from "express-rate-limit";
 import { randomUUID } from "crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import { createServer, SERVER_INSTRUCTIONS } from "./server.js";
-import { getConfig, setConfigOverride, clearConfigOverride } from "./config.js";
+import { getConfig, runWithConfig } from "./config.js";
 import { createOAuthProvider, completeAuthorization, validateOpenLoyaltyCredentials, getClientConfig, } from "./auth/provider.js";
 // Check if OAuth mode is enabled
 const OAUTH_ENABLED = process.env.OAUTH_ENABLED === "true";
@@ -29,9 +31,63 @@ app.use(cors({
     allowedHeaders: ["Content-Type", "Authorization", "MCP-Session-Id", "MCP-Protocol-Version"],
     exposedHeaders: ["MCP-Session-Id"],
 }));
+// Security headers
+app.use(helmet({
+    contentSecurityPolicy: {
+        directives: {
+            defaultSrc: ["'self'"],
+            scriptSrc: ["'self'"],
+            styleSrc: ["'self'", "'unsafe-inline'"], // Allow inline styles for OAuth form
+            imgSrc: ["'self'", "data:"],
+            connectSrc: ["'self'"],
+            fontSrc: ["'self'"],
+            objectSrc: ["'none'"],
+            frameAncestors: ["'none'"],
+        },
+    },
+    crossOriginEmbedderPolicy: false, // Disable for CORS compatibility
+    crossOriginResourcePolicy: { policy: "cross-origin" }, // Allow cross-origin for API
+}));
+// Rate limiting - global limit
+const globalLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // 100 requests per window
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: "Too many requests, please try again later." },
+});
+// Stricter rate limiting for auth endpoints (brute-force protection)
+const authLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 10, // 10 requests per minute
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: "Too many authentication attempts, please try again later." },
+});
+app.use(globalLimiter);
 app.use(express.json());
 // Store transports by session ID for stateful connections
 const transports = new Map();
+// Session TTL management to prevent memory leaks
+const SESSION_TTL_MS = parseInt(process.env.SESSION_TTL_MS || String(30 * 60 * 1000), 10); // Default: 30 minutes
+const SESSION_CLEANUP_INTERVAL_MS = parseInt(process.env.SESSION_CLEANUP_INTERVAL_MS || String(60 * 1000), 10); // Default: 1 minute
+const sessionLastActivity = new Map();
+// Periodic cleanup of abandoned sessions
+const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [sessionId, lastActivity] of sessionLastActivity) {
+        if (now - lastActivity > SESSION_TTL_MS) {
+            const transport = transports.get(sessionId);
+            if (transport) {
+                transport.close();
+                transports.delete(sessionId);
+            }
+            sessionLastActivity.delete(sessionId);
+        }
+    }
+}, SESSION_CLEANUP_INTERVAL_MS);
+// Prevent cleanup interval from keeping the process alive
+cleanupInterval.unref();
 // Health check endpoint
 app.get("/health", (_req, res) => {
     res.json({ status: "ok", server: "openloyalty-mcp", oauth: OAUTH_ENABLED });
@@ -39,6 +95,10 @@ app.get("/health", (_req, res) => {
 // OAuth mode setup
 if (OAUTH_ENABLED) {
     const provider = createOAuthProvider(BASE_URL);
+    // Apply stricter rate limiting to auth endpoints
+    app.use("/authorize", authLimiter);
+    app.use("/token", authLimiter);
+    app.use("/register", authLimiter);
     // Add MCP SDK auth router (handles /.well-known/*, /authorize, /token, /register)
     app.use(mcpAuthRouter({
         provider,
@@ -46,7 +106,7 @@ if (OAUTH_ENABLED) {
         baseUrl: new URL(BASE_URL),
         serviceDocumentationUrl: new URL("https://github.com/OpenLoyalty/openloyalty-mcp"),
     }));
-    // Authorization form submission endpoint
+    // Authorization form submission endpoint (also rate limited via /authorize prefix)
     app.post("/authorize/submit", async (req, res) => {
         const { session_id, api_url, api_token, store_code } = req.body;
         if (!session_id || !api_url || !api_token || !store_code) {
@@ -88,9 +148,9 @@ if (OAUTH_ENABLED) {
                 res.status(401).json({ error: "Open Loyalty not configured. Please re-authorize." });
                 return;
             }
-            // Set config override for this request
-            setConfigOverride(config);
-            // Store clientId for cleanup
+            // Store config on request for use with runWithConfig() in handler
+            // This is thread-safe because each request has its own req object
+            req.oauthConfig = config;
             req.clientId = authInfo.clientId;
             next();
         }
@@ -103,73 +163,86 @@ if (OAUTH_ENABLED) {
     // Apply auth middleware to /mcp
     app.use("/mcp", authMiddleware);
 }
-// MCP endpoint - handles both initialization and messages
-app.all("/mcp", async (req, res) => {
+// Helper to handle MCP request processing
+async function handleMcpRequest(req, res) {
     const sessionId = req.headers["mcp-session-id"];
-    try {
-        // Handle GET requests for SSE streams
-        if (req.method === "GET") {
-            if (!sessionId || !transports.has(sessionId)) {
-                res.status(400).json({ error: "Invalid or missing session ID for SSE stream" });
-                return;
-            }
-            const transport = transports.get(sessionId);
-            await transport.handleRequest(req, res);
+    // Handle GET requests for SSE streams
+    if (req.method === "GET") {
+        if (!sessionId || !transports.has(sessionId)) {
+            res.status(400).json({ error: "Invalid or missing session ID for SSE stream" });
             return;
         }
-        // Handle DELETE requests for session cleanup
-        if (req.method === "DELETE") {
-            if (sessionId && transports.has(sessionId)) {
-                const transport = transports.get(sessionId);
-                await transport.close();
-                transports.delete(sessionId);
-                res.status(204).send();
-            }
-            else {
-                res.status(404).json({ error: "Session not found" });
-            }
-            return;
-        }
-        // Handle POST requests
-        if (req.method === "POST") {
-            // Check if this is an initialization request (no session ID)
-            if (!sessionId) {
-                // Create new session
-                const newSessionId = randomUUID();
-                const transport = new StreamableHTTPServerTransport({
-                    sessionIdGenerator: () => newSessionId,
-                });
-                // Create and connect server
-                const server = createServer();
-                await server.connect(transport);
-                // Store transport for future requests
-                transports.set(newSessionId, transport);
-                // Clean up on close
-                transport.onclose = () => {
-                    transports.delete(newSessionId);
-                };
-                // Handle the request
-                await transport.handleRequest(req, res, req.body);
-                return;
-            }
-            // Existing session - route to stored transport
+        const transport = transports.get(sessionId);
+        // Update last activity for TTL tracking
+        sessionLastActivity.set(sessionId, Date.now());
+        await transport.handleRequest(req, res);
+        return;
+    }
+    // Handle DELETE requests for session cleanup
+    if (req.method === "DELETE") {
+        if (sessionId && transports.has(sessionId)) {
             const transport = transports.get(sessionId);
-            if (!transport) {
-                res.status(404).json({ error: "Session not found. Initialize a new session first." });
-                return;
-            }
+            await transport.close();
+            transports.delete(sessionId);
+            sessionLastActivity.delete(sessionId);
+            res.status(204).send();
+        }
+        else {
+            res.status(404).json({ error: "Session not found" });
+        }
+        return;
+    }
+    // Handle POST requests
+    if (req.method === "POST") {
+        // Check if this is an initialization request (no session ID)
+        if (!sessionId) {
+            // Create new session
+            const newSessionId = randomUUID();
+            const transport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: () => newSessionId,
+            });
+            // Create and connect server
+            const server = createServer();
+            await server.connect(transport);
+            // Store transport for future requests
+            transports.set(newSessionId, transport);
+            sessionLastActivity.set(newSessionId, Date.now());
+            // Clean up on close
+            transport.onclose = () => {
+                transports.delete(newSessionId);
+                sessionLastActivity.delete(newSessionId);
+            };
+            // Handle the request
             await transport.handleRequest(req, res, req.body);
             return;
         }
-        // Unsupported method
-        res.status(405).json({ error: "Method not allowed" });
+        // Existing session - route to stored transport
+        const transport = transports.get(sessionId);
+        if (!transport) {
+            res.status(404).json({ error: "Session not found. Initialize a new session first." });
+            return;
+        }
+        // Update last activity for TTL tracking
+        sessionLastActivity.set(sessionId, Date.now());
+        await transport.handleRequest(req, res, req.body);
+        return;
     }
-    finally {
-        // Clean up config override in OAuth mode
-        if (OAUTH_ENABLED) {
-            clearConfigOverride();
+    // Unsupported method
+    res.status(405).json({ error: "Method not allowed" });
+}
+// MCP endpoint - handles both initialization and messages
+app.all("/mcp", async (req, res) => {
+    // In OAuth mode, wrap request handling with runWithConfig for thread-safe config
+    if (OAUTH_ENABLED) {
+        const oauthConfig = req.oauthConfig;
+        if (oauthConfig) {
+            // Use runWithConfig for thread-safe, request-scoped config
+            await runWithConfig(oauthConfig, () => handleMcpRequest(req, res));
+            return;
         }
     }
+    // Non-OAuth mode or no config - use environment config
+    await handleMcpRequest(req, res);
 });
 // Server info endpoint
 app.get("/", (_req, res) => {

package/dist/server.js

@@ -1,5 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { getAllTools, getToolHandler, toolMetadata } from "./tools/index.js";
+import { getAllTools, getToolHandler } from "./tools/index.js";
 import { OpenLoyaltyError } from "./utils/errors.js";
 const SERVER_INSTRUCTIONS = `
 Open Loyalty MCP Server - Complete Loyalty Program Management
@@ -279,12 +279,15 @@ export function createServer() {
     });
     const tools = getAllTools();
     for (const tool of tools) {
-        const metadata = toolMetadata[tool.name];
         server.registerTool(tool.name, {
-            title: metadata?.title,
+            title: tool.title,
             description: tool.description,
             inputSchema: tool.inputSchema,
-            annotations: metadata?.annotations,
+            annotations: {
+                readOnlyHint: tool.readOnly,
+                destructiveHint: tool.destructive,
+                openWorldHint: true,
+            },
         }, async (args) => {
             const handler = getToolHandler(tool.name);
             if (!handler) {
@@ -304,7 +307,7 @@ export function createServer() {
                     content: [
                         {
                             type: "text",
-                            text: result === undefined ? "Success" : JSON.stringify(result, null, 2),
+                            text: result === undefined ? "Success" : JSON.stringify(result, null, process.env.MCP_DEBUG === "true" ? 2 : undefined),
                         },
                     ],
                 };

package/dist/tools/achievement.d.ts

@@ -535,7 +535,9 @@ export declare function achievementListMemberAchievements(input: {
 }>;
 export declare const achievementToolDefinitions: readonly [{
     readonly name: "openloyalty_achievement_list";
+    readonly title: "List Achievements";
     readonly description: "List achievements. Achievements gamify member behavior by setting goals (e.g., 'Make 5 purchases this month'). Returns achievementId, name, active status, and associated badge. Use achievement_get for full rules and configuration.";
+    readonly readOnly: true;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         page: z.ZodOptional<z.ZodNumber>;
@@ -546,7 +548,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementList;
 }, {
     readonly name: "openloyalty_achievement_create";
+    readonly title: "Create Achievement";
     readonly description: "Create achievement with rules that track member progress. Triggers: transaction (purchases), custom_event (custom actions), points_transfer, referral, etc. CompleteRule sets the goal: periodGoal (target value) with optional period (consecutive periods). Example - '5 purchases/month': rules: [{ trigger: 'transaction', completeRule: { periodGoal: 5, period: { value: 1, consecutive: 1 } } }]";
+    readonly readOnly: false;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         translations: z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -739,7 +743,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementCreate;
 }, {
     readonly name: "openloyalty_achievement_get";
+    readonly title: "Get Achievement Details";
     readonly description: "Get achievement details including all rules, conditions, activity period, limits, and completions count.";
+    readonly readOnly: true;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         achievementId: z.ZodString;
@@ -747,7 +753,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementGet;
 }, {
     readonly name: "openloyalty_achievement_update";
+    readonly title: "Update Achievement";
     readonly description: "Update achievement configuration. Requires full achievement object (translations, rules). Use achievement_get first to retrieve current configuration.";
+    readonly readOnly: false;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         achievementId: z.ZodString;
@@ -941,7 +949,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementUpdate;
 }, {
     readonly name: "openloyalty_achievement_patch";
+    readonly title: "Patch Achievement";
     readonly description: "Partial update of achievement. Use for simple changes like activating/deactivating or updating translations without providing full rules.";
+    readonly readOnly: false;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         achievementId: z.ZodString;
@@ -960,7 +970,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementPatch;
 }, {
     readonly name: "openloyalty_achievement_get_member_progress";
+    readonly title: "Get Member Achievement Progress";
     readonly description: "Get member's progress on a specific achievement. Returns completedCount, and for each rule: periodGoal, currentPeriodValue, and consecutive period tracking.";
+    readonly readOnly: true;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         memberId: z.ZodString;
@@ -969,7 +981,9 @@ export declare const achievementToolDefinitions: readonly [{
     readonly handler: typeof achievementGetMemberProgress;
 }, {
     readonly name: "openloyalty_achievement_list_member_achievements";
+    readonly title: "List Member Achievements";
     readonly description: "List all achievements with member's progress. Returns each achievement's status, completion count, and per-rule progress. Use for displaying gamification dashboard.";
+    readonly readOnly: true;
     readonly inputSchema: {
         storeCode: z.ZodOptional<z.ZodString>;
         memberId: z.ZodString;