npm - @open-pencil/mcp - Versions diffs - 0.4.0 → 0.7.0 - Mend

@open-pencil/mcp 0.4.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/http.js CHANGED Viewed

@@ -1,45 +1,81 @@
 #!/usr/bin/env node
 import { randomUUID } from 'node:crypto';
 import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
 import { createServer } from './server.js';
 const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'));
+const port = parseInt(process.env.PORT ?? '3100', 10);
+const host = process.env.HOST ?? '127.0.0.1';
+const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null;
+const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null;
+const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd());
 const sessions = new Map();
 async function getOrCreateSession(sessionId) {
     if (sessionId && sessions.has(sessionId)) {
         return sessions.get(sessionId);
     }
     const id = sessionId ?? randomUUID();
-    const server = createServer(pkg.version);
+    const server = createServer(pkg.version, {
+        enableEval: false,
+        fileRoot
+    });
     const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id });
     await server.connect(transport);
     sessions.set(id, { server, transport });
     return { server, transport };
 }
 const app = new Hono();
-app.use('*', cors({
-    origin: '*',
-    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-    allowHeaders: ['Content-Type', 'mcp-session-id', 'Last-Event-ID', 'mcp-protocol-version'],
-    exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+if (corsOrigin) {
+    app.use('*', cors({
+        origin: corsOrigin,
+        allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+        allowHeaders: [
+            'Content-Type',
+            'Authorization',
+            'x-mcp-token',
+            'mcp-session-id',
+            'Last-Event-ID',
+            'mcp-protocol-version'
+        ],
+        exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+    }));
+}
+app.get('/health', (c) => c.json({
+    status: 'ok',
+    version: pkg.version,
+    authRequired: Boolean(authToken),
+    evalEnabled: false,
+    fileRoot
 }));
-app.get('/health', (c) => c.json({ status: 'ok', version: pkg.version, tools: 29 }));
 app.all('/mcp', async (c) => {
+    if (authToken) {
+        const authHeader = c.req.header('authorization');
+        const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.slice('Bearer '.length)
+            : c.req.header('x-mcp-token');
+        if (token !== authToken) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+    }
     const sessionId = c.req.header('mcp-session-id') ?? undefined;
     const { transport } = await getOrCreateSession(sessionId);
     return transport.handleRequest(c.req.raw);
 });
-const port = parseInt(process.env.PORT ?? '3100', 10);
 const isBun = typeof globalThis.Bun !== 'undefined';
 if (isBun) {
-    Bun.serve({ fetch: app.fetch, port });
+    Bun.serve({ fetch: app.fetch, port, hostname: host });
 }
 else {
     const { serve } = await import('@hono/node-server');
-    serve({ fetch: app.fetch, port });
+    serve({ fetch: app.fetch, port, hostname: host });
 }
 console.log(`OpenPencil MCP server v${pkg.version}`);
-console.log(`  Health:  http://localhost:${port}/health`);
-console.log(`  MCP:     http://localhost:${port}/mcp`);
+console.log(`  Health:  http://${host}:${port}/health`);
+console.log(`  MCP:     http://${host}:${port}/mcp`);
+console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`);
+console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`);
+console.log(`  Eval:    disabled`);
+console.log(`  Root:    ${fileRoot}`);

package/dist/index.js CHANGED Viewed

File without changes

package/dist/server.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { readFile, writeFile } from 'node:fs/promises';
+import { isAbsolute, relative, resolve } from 'node:path';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { z } from 'zod';
 import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph } from '@open-pencil/core';
@@ -29,8 +30,12 @@ function paramToZod(param) {
     const schema = typeMap[param.type]();
     return param.required ? schema : schema.optional();
 }
-export function createServer(version) {
+export function createServer(version, options = {}) {
     const server = new McpServer({ name: 'open-pencil', version });
+    const enableEval = options.enableEval ?? true;
+    const fileRoot = options.fileRoot === null || options.fileRoot === undefined
+        ? null
+        : resolve(options.fileRoot);
     let graph = null;
     let currentPageId = null;
     function makeFigma() {
@@ -41,6 +46,16 @@ export function createServer(version) {
             api.currentPage = api.wrapNode(currentPageId);
         return api;
     }
+    function resolveAndCheckPath(filePath) {
+        const resolved = resolve(filePath);
+        if (!fileRoot)
+            return resolved;
+        const rel = relative(fileRoot, resolved);
+        if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
+            return resolved;
+        }
+        throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`);
+    }
     function registerTool(def) {
         const shape = {};
         for (const [key, param] of Object.entries(def.params)) {
@@ -63,7 +78,8 @@ export function createServer(version) {
         inputSchema: z.object({ path: z.string().describe('Absolute path to a .fig file') })
     }, async ({ path: filePath }) => {
         try {
-            const buf = await readFile(filePath);
+            const path = resolveAndCheckPath(filePath);
+            const buf = await readFile(path);
             graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength));
             computeAllLayouts(graph);
             const pages = graph.getPages();
@@ -82,9 +98,10 @@ export function createServer(version) {
             if (!graph)
                 throw new Error('No document loaded');
             const { exportFigFile } = await import('@open-pencil/core');
+            const path = resolveAndCheckPath(filePath);
             const data = await exportFigFile(graph);
-            await writeFile(filePath, new Uint8Array(data));
-            return ok({ saved: filePath, bytes: data.byteLength });
+            await writeFile(path, new Uint8Array(data));
+            return ok({ saved: path, bytes: data.byteLength });
         }
         catch (e) {
             return fail(e);
@@ -105,6 +122,8 @@ export function createServer(version) {
         }
     });
     for (const tool of ALL_TOOLS) {
+        if (!enableEval && tool.name === 'eval')
+            continue;
         registerTool(tool);
     }
     return server;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-pencil/mcp",
-  "version": "0.4.0",
+  "version": "0.7.0",
   "license": "MIT",
   "type": "module",
   "main": "./src/server.ts",
@@ -26,10 +26,10 @@
     "provenance": true
   },
   "dependencies": {
+    "@hono/node-server": "^1.19.9",
     "@modelcontextprotocol/sdk": "^1.25.2",
-    "@open-pencil/core": "^0.3.4",
+    "@open-pencil/core": "workspace:*",
     "canvaskit-wasm": "^0.40.0",
-    "@hono/node-server": "^1.19.9",
     "hono": "^4.11.4",
     "zod": "^3.25.0"
   },

package/src/http.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { randomUUID } from 'node:crypto'
 import { readFile } from 'node:fs/promises'
+import { resolve } from 'node:path'
 import { Hono } from 'hono'
 import { cors } from 'hono/cors'
@@ -9,6 +10,11 @@ import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/
 import { createServer } from './server.js'
 const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'))
+const port = parseInt(process.env.PORT ?? '3100', 10)
+const host = process.env.HOST ?? '127.0.0.1'
+const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null
+const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null
+const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd())
 const sessions = new Map<string, { server: ReturnType<typeof createServer>; transport: WebStandardStreamableHTTPServerTransport }>()
@@ -18,7 +24,10 @@ async function getOrCreateSession(sessionId?: string) {
   }
   const id = sessionId ?? randomUUID()
-  const server = createServer(pkg.version)
+  const server = createServer(pkg.version, {
+    enableEval: false,
+    fileRoot
+  })
   const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id })
   await server.connect(transport)
   sessions.set(id, { server, transport })
@@ -27,32 +36,62 @@ async function getOrCreateSession(sessionId?: string) {
 const app = new Hono()
-app.use('*', cors({
-  origin: '*',
-  allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-  allowHeaders: ['Content-Type', 'mcp-session-id', 'Last-Event-ID', 'mcp-protocol-version'],
-  exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
-}))
+if (corsOrigin) {
+  app.use('*', cors({
+    origin: corsOrigin,
+    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+    allowHeaders: [
+      'Content-Type',
+      'Authorization',
+      'x-mcp-token',
+      'mcp-session-id',
+      'Last-Event-ID',
+      'mcp-protocol-version'
+    ],
+    exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+  }))
+}
-app.get('/health', (c) => c.json({ status: 'ok', version: pkg.version, tools: 29 }))
+app.get('/health', (c) =>
+  c.json({
+    status: 'ok',
+    version: pkg.version,
+    authRequired: Boolean(authToken),
+    evalEnabled: false,
+    fileRoot
+  })
+)
 app.all('/mcp', async (c) => {
+  if (authToken) {
+    const authHeader = c.req.header('authorization')
+    const token =
+      authHeader?.startsWith('Bearer ')
+        ? authHeader.slice('Bearer '.length)
+        : c.req.header('x-mcp-token')
+    if (token !== authToken) {
+      return c.json({ error: 'Unauthorized' }, 401)
+    }
+  }
   const sessionId = c.req.header('mcp-session-id') ?? undefined
   const { transport } = await getOrCreateSession(sessionId)
   return transport.handleRequest(c.req.raw)
 })
-const port = parseInt(process.env.PORT ?? '3100', 10)
 const isBun = typeof globalThis.Bun !== 'undefined'
 if (isBun) {
-  Bun.serve({ fetch: app.fetch, port })
+  Bun.serve({ fetch: app.fetch, port, hostname: host })
 } else {
   const { serve } = await import('@hono/node-server')
-  serve({ fetch: app.fetch, port })
+  serve({ fetch: app.fetch, port, hostname: host })
 }
 console.log(`OpenPencil MCP server v${pkg.version}`)
-console.log(`  Health:  http://localhost:${port}/health`)
-console.log(`  MCP:     http://localhost:${port}/mcp`)
+console.log(`  Health:  http://${host}:${port}/health`)
+console.log(`  MCP:     http://${host}:${port}/mcp`)
+console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`)
+console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`)
+console.log(`  Eval:    disabled`)
+console.log(`  Root:    ${fileRoot}`)

package/src/server.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { readFile, writeFile } from 'node:fs/promises'
+import { isAbsolute, relative, resolve } from 'node:path'
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { z } from 'zod'
@@ -8,6 +9,10 @@ import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph } from
 import type { ToolDef, ParamDef, ParamType } from '@open-pencil/core'
 type McpResult = { content: { type: 'text'; text: string }[]; isError?: boolean }
+export interface CreateServerOptions {
+  enableEval?: boolean
+  fileRoot?: string | null
+}
 function ok(data: unknown): McpResult {
   return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] }
@@ -39,8 +44,12 @@ function paramToZod(param: ParamDef): z.ZodTypeAny {
   return param.required ? schema : schema.optional()
 }
-export function createServer(version: string): McpServer {
+export function createServer(version: string, options: CreateServerOptions = {}): McpServer {
   const server = new McpServer({ name: 'open-pencil', version })
+  const enableEval = options.enableEval ?? true
+  const fileRoot = options.fileRoot === null || options.fileRoot === undefined
+    ? null
+    : resolve(options.fileRoot)
   let graph: SceneGraph | null = null
   let currentPageId: string | null = null
@@ -52,6 +61,16 @@ export function createServer(version: string): McpServer {
     return api
   }
+  function resolveAndCheckPath(filePath: string): string {
+    const resolved = resolve(filePath)
+    if (!fileRoot) return resolved
+    const rel = relative(fileRoot, resolved)
+    if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
+      return resolved
+    }
+    throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`)
+  }
   function registerTool(def: ToolDef) {
     const shape: Record<string, z.ZodTypeAny> = {}
     for (const [key, param] of Object.entries(def.params)) {
@@ -78,7 +97,8 @@ export function createServer(version: string): McpServer {
     },
     async ({ path: filePath }: { path: string }) => {
       try {
-        const buf = await readFile(filePath)
+        const path = resolveAndCheckPath(filePath)
+        const buf = await readFile(path)
         graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength))
         computeAllLayouts(graph)
         const pages = graph.getPages()
@@ -100,9 +120,10 @@ export function createServer(version: string): McpServer {
       try {
         if (!graph) throw new Error('No document loaded')
         const { exportFigFile } = await import('@open-pencil/core')
+        const path = resolveAndCheckPath(filePath)
         const data = await exportFigFile(graph)
-        await writeFile(filePath, new Uint8Array(data))
-        return ok({ saved: filePath, bytes: data.byteLength })
+        await writeFile(path, new Uint8Array(data))
+        return ok({ saved: path, bytes: data.byteLength })
       } catch (e) {
         return fail(e)
       }
@@ -128,6 +149,7 @@ export function createServer(version: string): McpServer {
   )
   for (const tool of ALL_TOOLS) {
+    if (!enableEval && tool.name === 'eval') continue
     registerTool(tool)
   }