npm - @open-pencil/mcp - Versions diffs - 0.4.0 → 0.8.0 - Mend

@open-pencil/mcp 0.4.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/http.js CHANGED Viewed

@@ -1,45 +1,81 @@
 #!/usr/bin/env node
 import { randomUUID } from 'node:crypto';
 import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
 import { createServer } from './server.js';
 const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'));
+const port = parseInt(process.env.PORT ?? '3100', 10);
+const host = process.env.HOST ?? '127.0.0.1';
+const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null;
+const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null;
+const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd());
 const sessions = new Map();
 async function getOrCreateSession(sessionId) {
     if (sessionId && sessions.has(sessionId)) {
         return sessions.get(sessionId);
     }
     const id = sessionId ?? randomUUID();
-    const server = createServer(pkg.version);
+    const server = createServer(pkg.version, {
+        enableEval: false,
+        fileRoot
+    });
     const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id });
     await server.connect(transport);
     sessions.set(id, { server, transport });
     return { server, transport };
 }
 const app = new Hono();
-app.use('*', cors({
-    origin: '*',
-    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-    allowHeaders: ['Content-Type', 'mcp-session-id', 'Last-Event-ID', 'mcp-protocol-version'],
-    exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+if (corsOrigin) {
+    app.use('*', cors({
+        origin: corsOrigin,
+        allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+        allowHeaders: [
+            'Content-Type',
+            'Authorization',
+            'x-mcp-token',
+            'mcp-session-id',
+            'Last-Event-ID',
+            'mcp-protocol-version'
+        ],
+        exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+    }));
+}
+app.get('/health', (c) => c.json({
+    status: 'ok',
+    version: pkg.version,
+    authRequired: Boolean(authToken),
+    evalEnabled: false,
+    fileRoot
 }));
-app.get('/health', (c) => c.json({ status: 'ok', version: pkg.version, tools: 29 }));
 app.all('/mcp', async (c) => {
+    if (authToken) {
+        const authHeader = c.req.header('authorization');
+        const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.slice('Bearer '.length)
+            : c.req.header('x-mcp-token');
+        if (token !== authToken) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+    }
     const sessionId = c.req.header('mcp-session-id') ?? undefined;
     const { transport } = await getOrCreateSession(sessionId);
     return transport.handleRequest(c.req.raw);
 });
-const port = parseInt(process.env.PORT ?? '3100', 10);
 const isBun = typeof globalThis.Bun !== 'undefined';
 if (isBun) {
-    Bun.serve({ fetch: app.fetch, port });
+    Bun.serve({ fetch: app.fetch, port, hostname: host });
 }
 else {
     const { serve } = await import('@hono/node-server');
-    serve({ fetch: app.fetch, port });
+    serve({ fetch: app.fetch, port, hostname: host });
 }
 console.log(`OpenPencil MCP server v${pkg.version}`);
-console.log(`  Health:  http://localhost:${port}/health`);
-console.log(`  MCP:     http://localhost:${port}/mcp`);
+console.log(`  Health:  http://${host}:${port}/health`);
+console.log(`  MCP:     http://${host}:${port}/mcp`);
+console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`);
+console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`);
+console.log(`  Eval:    disabled`);
+console.log(`  Root:    ${fileRoot}`);

package/dist/index.js CHANGED Viewed

File without changes

package/dist/server.js CHANGED Viewed

@@ -1,7 +1,8 @@
 import { readFile, writeFile } from 'node:fs/promises';
+import { isAbsolute, relative, resolve } from 'node:path';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { z } from 'zod';
-import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph } from '@open-pencil/core';
+import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph, renderNodesToImage, SkiaRenderer } from '@open-pencil/core';
 function ok(data) {
     return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] };
 }
@@ -29,8 +30,22 @@ function paramToZod(param) {
     const schema = typeMap[param.type]();
     return param.required ? schema : schema.optional();
 }
-export function createServer(version) {
+let ckInstance = null;
+async function getCanvasKit() {
+    if (ckInstance)
+        return ckInstance;
+    const CanvasKitInit = (await import('canvaskit-wasm/full')).default;
+    const ckPath = import.meta.resolve('canvaskit-wasm/full');
+    const binDir = new URL('.', ckPath).pathname;
+    ckInstance = await CanvasKitInit({ locateFile: (file) => binDir + file });
+    return ckInstance;
+}
+export function createServer(version, options = {}) {
     const server = new McpServer({ name: 'open-pencil', version });
+    const enableEval = options.enableEval ?? true;
+    const fileRoot = options.fileRoot === null || options.fileRoot === undefined
+        ? null
+        : resolve(options.fileRoot);
     let graph = null;
     let currentPageId = null;
     function makeFigma() {
@@ -39,8 +54,31 @@ export function createServer(version) {
         const api = new FigmaAPI(graph);
         if (currentPageId)
             api.currentPage = api.wrapNode(currentPageId);
+        api.exportImage = async (nodeIds, opts) => {
+            const ck = await getCanvasKit();
+            const surface = ck.MakeSurface(1, 1);
+            const renderer = new SkiaRenderer(ck, surface);
+            renderer.viewportWidth = 1;
+            renderer.viewportHeight = 1;
+            renderer.dpr = 1;
+            const pageId = currentPageId ?? graph.getPages()[0]?.id ?? graph.rootId;
+            return renderNodesToImage(ck, renderer, graph, pageId, nodeIds, {
+                scale: opts.scale ?? 1,
+                format: (opts.format ?? 'PNG')
+            });
+        };
         return api;
     }
+    function resolveAndCheckPath(filePath) {
+        const resolved = resolve(filePath);
+        if (!fileRoot)
+            return resolved;
+        const rel = relative(fileRoot, resolved);
+        if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
+            return resolved;
+        }
+        throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`);
+    }
     function registerTool(def) {
         const shape = {};
         for (const [key, param] of Object.entries(def.params)) {
@@ -50,6 +88,11 @@ export function createServer(version) {
         server.registerTool(def.name, { description: def.description, inputSchema: z.object(shape) }, async (args) => {
             try {
                 const result = await def.execute(makeFigma(), args);
+                if (result && typeof result === 'object' && 'base64' in result && 'mimeType' in result) {
+                    return {
+                        content: [{ type: 'image', data: result.base64, mimeType: result.mimeType }]
+                    };
+                }
                 return ok(result);
             }
             catch (e) {
@@ -63,7 +106,8 @@ export function createServer(version) {
         inputSchema: z.object({ path: z.string().describe('Absolute path to a .fig file') })
     }, async ({ path: filePath }) => {
         try {
-            const buf = await readFile(filePath);
+            const path = resolveAndCheckPath(filePath);
+            const buf = await readFile(path);
             graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength));
             computeAllLayouts(graph);
             const pages = graph.getPages();
@@ -82,9 +126,10 @@ export function createServer(version) {
             if (!graph)
                 throw new Error('No document loaded');
             const { exportFigFile } = await import('@open-pencil/core');
+            const path = resolveAndCheckPath(filePath);
             const data = await exportFigFile(graph);
-            await writeFile(filePath, new Uint8Array(data));
-            return ok({ saved: filePath, bytes: data.byteLength });
+            await writeFile(path, new Uint8Array(data));
+            return ok({ saved: path, bytes: data.byteLength });
         }
         catch (e) {
             return fail(e);
@@ -105,6 +150,8 @@ export function createServer(version) {
         }
     });
     for (const tool of ALL_TOOLS) {
+        if (!enableEval && tool.name === 'eval')
+            continue;
         registerTool(tool);
     }
     return server;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-pencil/mcp",
-  "version": "0.4.0",
+  "version": "0.8.0",
   "license": "MIT",
   "type": "module",
   "main": "./src/server.ts",
@@ -26,10 +26,10 @@
     "provenance": true
   },
   "dependencies": {
+    "@hono/node-server": "^1.19.9",
     "@modelcontextprotocol/sdk": "^1.25.2",
-    "@open-pencil/core": "^0.3.4",
+    "@open-pencil/core": "^0.8.0",
     "canvaskit-wasm": "^0.40.0",
-    "@hono/node-server": "^1.19.9",
     "hono": "^4.11.4",
     "zod": "^3.25.0"
   },

package/src/http.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { randomUUID } from 'node:crypto'
 import { readFile } from 'node:fs/promises'
+import { resolve } from 'node:path'
 import { Hono } from 'hono'
 import { cors } from 'hono/cors'
@@ -9,6 +10,11 @@ import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/
 import { createServer } from './server.js'
 const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'))
+const port = parseInt(process.env.PORT ?? '3100', 10)
+const host = process.env.HOST ?? '127.0.0.1'
+const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null
+const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null
+const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd())
 const sessions = new Map<string, { server: ReturnType<typeof createServer>; transport: WebStandardStreamableHTTPServerTransport }>()
@@ -18,7 +24,10 @@ async function getOrCreateSession(sessionId?: string) {
   }
   const id = sessionId ?? randomUUID()
-  const server = createServer(pkg.version)
+  const server = createServer(pkg.version, {
+    enableEval: false,
+    fileRoot
+  })
   const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id })
   await server.connect(transport)
   sessions.set(id, { server, transport })
@@ -27,32 +36,62 @@ async function getOrCreateSession(sessionId?: string) {
 const app = new Hono()
-app.use('*', cors({
-  origin: '*',
-  allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-  allowHeaders: ['Content-Type', 'mcp-session-id', 'Last-Event-ID', 'mcp-protocol-version'],
-  exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
-}))
+if (corsOrigin) {
+  app.use('*', cors({
+    origin: corsOrigin,
+    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+    allowHeaders: [
+      'Content-Type',
+      'Authorization',
+      'x-mcp-token',
+      'mcp-session-id',
+      'Last-Event-ID',
+      'mcp-protocol-version'
+    ],
+    exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+  }))
+}
-app.get('/health', (c) => c.json({ status: 'ok', version: pkg.version, tools: 29 }))
+app.get('/health', (c) =>
+  c.json({
+    status: 'ok',
+    version: pkg.version,
+    authRequired: Boolean(authToken),
+    evalEnabled: false,
+    fileRoot
+  })
+)
 app.all('/mcp', async (c) => {
+  if (authToken) {
+    const authHeader = c.req.header('authorization')
+    const token =
+      authHeader?.startsWith('Bearer ')
+        ? authHeader.slice('Bearer '.length)
+        : c.req.header('x-mcp-token')
+    if (token !== authToken) {
+      return c.json({ error: 'Unauthorized' }, 401)
+    }
+  }
   const sessionId = c.req.header('mcp-session-id') ?? undefined
   const { transport } = await getOrCreateSession(sessionId)
   return transport.handleRequest(c.req.raw)
 })
-const port = parseInt(process.env.PORT ?? '3100', 10)
 const isBun = typeof globalThis.Bun !== 'undefined'
 if (isBun) {
-  Bun.serve({ fetch: app.fetch, port })
+  Bun.serve({ fetch: app.fetch, port, hostname: host })
 } else {
   const { serve } = await import('@hono/node-server')
-  serve({ fetch: app.fetch, port })
+  serve({ fetch: app.fetch, port, hostname: host })
 }
 console.log(`OpenPencil MCP server v${pkg.version}`)
-console.log(`  Health:  http://localhost:${port}/health`)
-console.log(`  MCP:     http://localhost:${port}/mcp`)
+console.log(`  Health:  http://${host}:${port}/health`)
+console.log(`  MCP:     http://${host}:${port}/mcp`)
+console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`)
+console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`)
+console.log(`  Eval:    disabled`)
+console.log(`  Root:    ${fileRoot}`)

package/src/server.ts CHANGED Viewed

@@ -1,13 +1,28 @@
 import { readFile, writeFile } from 'node:fs/promises'
+import { isAbsolute, relative, resolve } from 'node:path'
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { z } from 'zod'
-import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph } from '@open-pencil/core'
-import type { ToolDef, ParamDef, ParamType } from '@open-pencil/core'
-type McpResult = { content: { type: 'text'; text: string }[]; isError?: boolean }
+import {
+  ALL_TOOLS,
+  FigmaAPI,
+  parseFigFile,
+  computeAllLayouts,
+  SceneGraph,
+  renderNodesToImage,
+  SkiaRenderer
+} from '@open-pencil/core'
+import type { ToolDef, ParamDef, ParamType, ExportFormat } from '@open-pencil/core'
+import type { CanvasKit } from 'canvaskit-wasm'
+type McpContent = { type: 'text'; text: string } | { type: 'image'; data: string; mimeType: string }
+type McpResult = { content: McpContent[]; isError?: boolean }
+export interface CreateServerOptions {
+  enableEval?: boolean
+  fileRoot?: string | null
+}
 function ok(data: unknown): McpResult {
   return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] }
@@ -39,8 +54,23 @@ function paramToZod(param: ParamDef): z.ZodTypeAny {
   return param.required ? schema : schema.optional()
 }
-export function createServer(version: string): McpServer {
+let ckInstance: CanvasKit | null = null
+async function getCanvasKit(): Promise<CanvasKit> {
+  if (ckInstance) return ckInstance
+  const CanvasKitInit = (await import('canvaskit-wasm/full')).default
+  const ckPath = import.meta.resolve('canvaskit-wasm/full')
+  const binDir = new URL('.', ckPath).pathname
+  ckInstance = await CanvasKitInit({ locateFile: (file: string) => binDir + file })
+  return ckInstance
+}
+export function createServer(version: string, options: CreateServerOptions = {}): McpServer {
   const server = new McpServer({ name: 'open-pencil', version })
+  const enableEval = options.enableEval ?? true
+  const fileRoot = options.fileRoot === null || options.fileRoot === undefined
+    ? null
+    : resolve(options.fileRoot)
   let graph: SceneGraph | null = null
   let currentPageId: string | null = null
@@ -49,9 +79,32 @@ export function createServer(version: string): McpServer {
     if (!graph) throw new Error('No document loaded. Use open_file or new_document first.')
     const api = new FigmaAPI(graph)
     if (currentPageId) api.currentPage = api.wrapNode(currentPageId)
+    api.exportImage = async (nodeIds, opts) => {
+      const ck = await getCanvasKit()
+      const surface = ck.MakeSurface(1, 1)!
+      const renderer = new SkiaRenderer(ck, surface)
+      renderer.viewportWidth = 1
+      renderer.viewportHeight = 1
+      renderer.dpr = 1
+      const pageId = currentPageId ?? graph!.getPages()[0]?.id ?? graph!.rootId
+      return renderNodesToImage(ck, renderer, graph!, pageId, nodeIds, {
+        scale: opts.scale ?? 1,
+        format: (opts.format ?? 'PNG') as ExportFormat
+      })
+    }
     return api
   }
+  function resolveAndCheckPath(filePath: string): string {
+    const resolved = resolve(filePath)
+    if (!fileRoot) return resolved
+    const rel = relative(fileRoot, resolved)
+    if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
+      return resolved
+    }
+    throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`)
+  }
   function registerTool(def: ToolDef) {
     const shape: Record<string, z.ZodTypeAny> = {}
     for (const [key, param] of Object.entries(def.params)) {
@@ -61,7 +114,12 @@ export function createServer(version: string): McpServer {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic schema from ToolDef params
     server.registerTool(def.name, { description: def.description, inputSchema: z.object(shape) } as any, async (args: any) => {
       try {
-        const result = await def.execute(makeFigma(), args as Record<string, unknown>)
+        const result = await def.execute(makeFigma(), args)
+        if (result && typeof result === 'object' && 'base64' in result && 'mimeType' in result) {
+          return {
+            content: [{ type: 'image' as const, data: result.base64 as string, mimeType: result.mimeType as string }]
+          }
+        }
         return ok(result)
       } catch (e) {
         return fail(e)
@@ -78,7 +136,8 @@ export function createServer(version: string): McpServer {
     },
     async ({ path: filePath }: { path: string }) => {
       try {
-        const buf = await readFile(filePath)
+        const path = resolveAndCheckPath(filePath)
+        const buf = await readFile(path)
         graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength))
         computeAllLayouts(graph)
         const pages = graph.getPages()
@@ -100,9 +159,10 @@ export function createServer(version: string): McpServer {
       try {
         if (!graph) throw new Error('No document loaded')
         const { exportFigFile } = await import('@open-pencil/core')
+        const path = resolveAndCheckPath(filePath)
         const data = await exportFigFile(graph)
-        await writeFile(filePath, new Uint8Array(data))
-        return ok({ saved: filePath, bytes: data.byteLength })
+        await writeFile(path, new Uint8Array(data))
+        return ok({ saved: path, bytes: data.byteLength })
       } catch (e) {
         return fail(e)
       }
@@ -128,6 +188,7 @@ export function createServer(version: string): McpServer {
   )
   for (const tool of ALL_TOOLS) {
+    if (!enableEval && tool.name === 'eval') continue
     registerTool(tool)
   }