@open-pencil/mcp 0.8.0 → 0.11.0

package/package.json

@@ -1,12 +1,11 @@
 {
   "name": "@open-pencil/mcp",
-  "version": "0.8.0",
+  "version": "0.11.0",
   "license": "MIT",
   "type": "module",
   "main": "./src/server.ts",
   "bin": {
-    "openpencil-mcp": "./dist/index.js",
-    "openpencil-mcp-http": "./dist/http.js"
+    "openpencil-mcp": "./dist/index.js"
   },
   "files": [
     "src",
@@ -28,12 +27,13 @@
   "dependencies": {
     "@hono/node-server": "^1.19.9",
     "@modelcontextprotocol/sdk": "^1.25.2",
-    "@open-pencil/core": "^0.8.0",
-    "canvaskit-wasm": "^0.40.0",
+    "@open-pencil/core": "^0.11.0",
     "hono": "^4.11.4",
-    "zod": "^3.25.0"
+    "zod": "^4.3.6",
+    "ws": "^8.19.0"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0"
+    "@types/node": "^22.0.0",
+    "@types/ws": "^8.18.1"
   }
 }

package/src/index.ts

@@ -1,12 +1,23 @@
 #!/usr/bin/env node
-import { readFile } from 'node:fs/promises'
+import { serve } from '@hono/node-server'
 
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
+import { startServer } from './server.js'
 
-import { createServer } from './server.js'
+const port = parseInt(process.env.PORT ?? '7600', 10)
+const wsPort = parseInt(process.env.WS_PORT ?? '7601', 10)
+const host = process.env.HOST ?? '127.0.0.1'
 
-const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'))
-const server = createServer(pkg.version)
+const { app, httpPort } = startServer({
+  httpPort: port,
+  wsPort,
+  enableEval: process.env.OPENPENCIL_MCP_EVAL === '1',
+  authToken: process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null,
+  corsOrigin: process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null
+})
 
-const transport = new StdioServerTransport()
-await server.connect(transport)
+serve({ fetch: app.fetch, port: httpPort, hostname: host })
+
+console.log(`OpenPencil MCP server`)
+console.log(`  HTTP:  http://${host}:${httpPort}`)
+console.log(`  WS:    ws://${host}:${wsPort}`)
+console.log(`  MCP:   http://${host}:${httpPort}/mcp`)

package/src/server.ts

@@ -1,40 +1,48 @@
-import { readFile, writeFile } from 'node:fs/promises'
-import { isAbsolute, relative, resolve } from 'node:path'
+import { randomUUID } from 'node:crypto'
+import { createRequire } from 'node:module'
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'
+import { Hono } from 'hono'
+import { cors } from 'hono/cors'
+import { WebSocketServer, type WebSocket } from 'ws'
 import { z } from 'zod'
 
 import {
   ALL_TOOLS,
-  FigmaAPI,
-  parseFigFile,
-  computeAllLayouts,
-  SceneGraph,
-  renderNodesToImage,
-  SkiaRenderer
+  CODEGEN_PROMPT,
+  buildComponent,
+  createElement,
+  resolveToTree
 } from '@open-pencil/core'
 
-import type { ToolDef, ParamDef, ParamType, ExportFormat } from '@open-pencil/core'
-import type { CanvasKit } from 'canvaskit-wasm'
+import type { ParamDef, ParamType } from '@open-pencil/core'
 
-type McpContent = { type: 'text'; text: string } | { type: 'image'; data: string; mimeType: string }
-type McpResult = { content: McpContent[]; isError?: boolean }
-export interface CreateServerOptions {
-  enableEval?: boolean
-  fileRoot?: string | null
+const require = createRequire(import.meta.url)
+const MCP_VERSION: string = (require('../package.json') as { version: string }).version
+
+type MCPContent = { type: 'text'; text: string } | { type: 'image'; data: string; mimeType: string }
+type MCPResult = { content: MCPContent[]; isError?: boolean }
+
+const RPC_TIMEOUT = 30_000
+
+interface PendingRequest {
+  resolve: (value: unknown) => void
+  reject: (error: Error) => void
+  timer: ReturnType<typeof setTimeout>
 }
 
-function ok(data: unknown): McpResult {
+function ok(data: unknown): MCPResult {
   return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] }
 }
 
-function fail(e: unknown): McpResult {
+function fail(e: unknown): MCPResult {
   const msg = e instanceof Error ? e.message : String(e)
   return { content: [{ type: 'text', text: JSON.stringify({ error: msg }) }], isError: true }
 }
 
-function paramToZod(param: ParamDef): z.ZodTypeAny {
-  const typeMap: Record<ParamType, () => z.ZodTypeAny> = {
+export function paramToZod(param: ParamDef): z.ZodType {
+  const typeMap: Record<ParamType, () => z.ZodType> = {
     string: () =>
       param.enum
         ? z.enum(param.enum as [string, ...string[]]).describe(param.description)
@@ -54,143 +62,270 @@ function paramToZod(param: ParamDef): z.ZodTypeAny {
   return param.required ? schema : schema.optional()
 }
 
-let ckInstance: CanvasKit | null = null
-
-async function getCanvasKit(): Promise<CanvasKit> {
-  if (ckInstance) return ckInstance
-  const CanvasKitInit = (await import('canvaskit-wasm/full')).default
-  const ckPath = import.meta.resolve('canvaskit-wasm/full')
-  const binDir = new URL('.', ckPath).pathname
-  ckInstance = await CanvasKitInit({ locateFile: (file: string) => binDir + file })
-  return ckInstance
+export interface ServerOptions {
+  httpPort?: number
+  wsPort?: number
+  enableEval?: boolean
+  authToken?: string | null
+  corsOrigin?: string | null
 }
 
-export function createServer(version: string, options: CreateServerOptions = {}): McpServer {
-  const server = new McpServer({ name: 'open-pencil', version })
-  const enableEval = options.enableEval ?? true
-  const fileRoot = options.fileRoot === null || options.fileRoot === undefined
-    ? null
-    : resolve(options.fileRoot)
-
-  let graph: SceneGraph | null = null
-  let currentPageId: string | null = null
-
-  function makeFigma(): FigmaAPI {
-    if (!graph) throw new Error('No document loaded. Use open_file or new_document first.')
-    const api = new FigmaAPI(graph)
-    if (currentPageId) api.currentPage = api.wrapNode(currentPageId)
-    api.exportImage = async (nodeIds, opts) => {
-      const ck = await getCanvasKit()
-      const surface = ck.MakeSurface(1, 1)!
-      const renderer = new SkiaRenderer(ck, surface)
-      renderer.viewportWidth = 1
-      renderer.viewportHeight = 1
-      renderer.dpr = 1
-      const pageId = currentPageId ?? graph!.getPages()[0]?.id ?? graph!.rootId
-      return renderNodesToImage(ck, renderer, graph!, pageId, nodeIds, {
-        scale: opts.scale ?? 1,
-        format: (opts.format ?? 'PNG') as ExportFormat
-      })
-    }
-    return api
+export function startServer(options: ServerOptions = {}) {
+  const httpPort = options.httpPort ?? 7600
+  const wsPort = options.wsPort ?? 7601
+  const enableEval = options.enableEval ?? false
+  const authToken = options.authToken ?? null
+  const corsOrigin = options.corsOrigin ?? null
+
+  const pending = new Map<string, PendingRequest>()
+  let browserWs: WebSocket | null = null
+  let browserToken: string | null = null
+
+  // --- WebSocket: browser connects here ---
+
+  function sendToBrowser(body: Record<string, unknown>): Promise<unknown> {
+    return new Promise((resolve, reject) => {
+      if (!browserWs || browserWs.readyState !== browserWs.OPEN) {
+        reject(new Error('OpenPencil app is not connected'))
+        return
+      }
+      const id = randomUUID()
+      const timer = setTimeout(() => {
+        pending.delete(id)
+        reject(new Error('RPC timeout (30s)'))
+      }, RPC_TIMEOUT)
+      pending.set(id, { resolve, reject, timer })
+      browserWs.send(JSON.stringify({ type: 'request', id, ...body }))
+    })
   }
 
-  function resolveAndCheckPath(filePath: string): string {
-    const resolved = resolve(filePath)
-    if (!fileRoot) return resolved
-    const rel = relative(fileRoot, resolved)
-    if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
-      return resolved
+  function handleBrowserMessage(data: string) {
+    try {
+      const msg = JSON.parse(data) as {
+        type: string
+        id?: string
+        token?: string
+        result?: unknown
+        error?: string
+        ok?: boolean
+      }
+      if (msg.type === 'register' && msg.token) {
+        browserToken = msg.token
+        return
+      }
+      if (msg.type === 'response' && msg.id) {
+        const req = pending.get(msg.id)
+        if (!req) return
+        pending.delete(msg.id)
+        clearTimeout(req.timer)
+        if (msg.ok === false) req.reject(new Error(msg.error ?? 'RPC failed'))
+        else {
+          const { type: _, id: __, ...payload } = msg
+          req.resolve(payload)
+        }
+      }
+    } catch (e) {
+      console.warn('Malformed automation message:', e)
     }
-    throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`)
   }
 
-  function registerTool(def: ToolDef) {
-    const shape: Record<string, z.ZodTypeAny> = {}
-    for (const [key, param] of Object.entries(def.params)) {
-      shape[key] = paramToZod(param)
+  function rejectAllPending(reason: string) {
+    for (const [id, req] of pending) {
+      clearTimeout(req.timer)
+      req.reject(new Error(reason))
+      pending.delete(id)
     }
+  }
 
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic schema from ToolDef params
-    server.registerTool(def.name, { description: def.description, inputSchema: z.object(shape) } as any, async (args: any) => {
-      try {
-        const result = await def.execute(makeFigma(), args)
-        if (result && typeof result === 'object' && 'base64' in result && 'mimeType' in result) {
-          return {
-            content: [{ type: 'image' as const, data: result.base64 as string, mimeType: result.mimeType as string }]
-          }
-        }
-        return ok(result)
-      } catch (e) {
-        return fail(e)
+  const wss = new WebSocketServer({ port: wsPort, host: '127.0.0.1' })
+
+  wss.on('connection', (ws) => {
+    if (browserWs && browserWs.readyState === WebSocket.OPEN) browserWs.close()
+    rejectAllPending('Browser reconnected')
+    browserWs = ws
+    browserToken = null
+
+    ws.on('message', (raw) => {
+      handleBrowserMessage(
+        typeof raw === 'string' ? raw : Buffer.from(raw as Buffer).toString('utf-8')
+      )
+    })
+
+    ws.on('close', () => {
+      if (browserWs === ws) {
+        browserWs = null
+        browserToken = null
+        rejectAllPending('Browser disconnected')
       }
     })
-  }
+  })
 
-  const register = server.registerTool.bind(server) as (...args: unknown[]) => void
-  register(
-    'open_file',
-    {
-      description: 'Open a .fig file for editing. Must be called before using other tools.',
-      inputSchema: z.object({ path: z.string().describe('Absolute path to a .fig file') })
-    },
-    async ({ path: filePath }: { path: string }) => {
-      try {
-        const path = resolveAndCheckPath(filePath)
-        const buf = await readFile(path)
-        graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength))
-        computeAllLayouts(graph)
-        const pages = graph.getPages()
-        currentPageId = pages[0]?.id ?? null
-        return ok({ pages: pages.map((p) => ({ id: p.id, name: p.name })), currentPage: pages[0]?.name })
-      } catch (e) {
-        return fail(e)
+  // --- JSX preprocessing ---
+
+  function preprocessRpc(body: Record<string, unknown>): Record<string, unknown> {
+    if (body.command !== 'tool') return body
+    const args = body.args as { name?: string; args?: Record<string, unknown> } | undefined
+    if (args?.name !== 'render' || !args.args?.jsx) return body
+    try {
+      const Component = buildComponent(args.args.jsx as string)
+      const element = createElement(Component, null)
+      const tree = resolveToTree(element)
+      return {
+        ...body,
+        args: { ...args, args: { ...args.args, jsx: undefined, tree } }
       }
+    } catch (e) {
+      console.warn('JSX preprocessing failed, passing raw:', e instanceof Error ? e.message : e)
+      return body
     }
+  }
+
+  // --- HTTP server ---
+
+  const app = new Hono()
+
+  if (corsOrigin) {
+    app.use(
+      '*',
+      cors({
+        origin: corsOrigin,
+        allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+        allowHeaders: [
+          'Content-Type',
+          'Authorization',
+          'x-mcp-token',
+          'mcp-session-id',
+          'Last-Event-ID',
+          'mcp-protocol-version'
+        ],
+        exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
+      })
+    )
+  } else {
+    app.use('*', cors())
+  }
+
+  app.get('/health', (c) =>
+    c.json({
+      status: browserWs ? 'ok' : 'no_app',
+      ...(browserWs && browserToken ? { token: browserToken } : {})
+    })
   )
 
-  register(
-    'save_file',
-    {
-      description: 'Save the current document to a .fig file.',
-      inputSchema: z.object({ path: z.string().describe('Absolute path to save the .fig file') })
-    },
-    async ({ path: filePath }: { path: string }) => {
-      try {
-        if (!graph) throw new Error('No document loaded')
-        const { exportFigFile } = await import('@open-pencil/core')
-        const path = resolveAndCheckPath(filePath)
-        const data = await exportFigFile(graph)
-        await writeFile(path, new Uint8Array(data))
-        return ok({ saved: path, bytes: data.byteLength })
-      } catch (e) {
-        return fail(e)
-      }
+  app.use('/rpc', async (c, next) => {
+    if (!browserWs || !browserToken) {
+      return c.json({ error: 'OpenPencil app is not connected. Is a document open?' }, 503)
     }
-  )
+    const auth = c.req.header('authorization')
+    const provided = auth?.startsWith('Bearer ') ? auth.slice(7) : null
+    if (provided !== browserToken) {
+      return c.json({ error: 'Unauthorized' }, 401)
+    }
+    return next()
+  })
 
-  register(
-    'new_document',
-    {
-      description: 'Create a new empty document with a blank page.',
-      inputSchema: z.object({})
-    },
-    async () => {
-      try {
-        graph = new SceneGraph()
-        const pages = graph.getPages()
-        currentPageId = pages[0]?.id ?? null
-        return ok({ page: pages[0]?.name, id: currentPageId })
-      } catch (e) {
-        return fail(e)
+  app.post('/rpc', async (c) => {
+    let body = await c.req.json().catch(() => null)
+    if (!body || typeof body !== 'object') {
+      return c.json({ error: 'Invalid request body' }, 400)
+    }
+    try {
+      body = preprocessRpc(body as Record<string, unknown>)
+      const result = await sendToBrowser(body as Record<string, unknown>)
+      return c.json(result)
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e)
+      return c.json({ ok: false, error: msg }, 502)
+    }
+  })
+
+  // --- MCP Streamable HTTP ---
+
+  type MCPTransport = { handleRequest: (r: Request) => Promise<Response> }
+  const mcpSessions = new Map<string, MCPTransport>()
+  const MAX_MCP_SESSIONS = 10
+
+  function createMCPSession(id: string): MCPTransport {
+    const mcpServer = new McpServer({ name: 'open-pencil', version: MCP_VERSION })
+    const register = mcpServer.registerTool.bind(mcpServer) as (...a: unknown[]) => void
+
+    for (const def of ALL_TOOLS) {
+      if (!enableEval && def.name === 'eval') continue
+      const shape: Record<string, z.ZodType> = {}
+      for (const [key, param] of Object.entries(def.params)) {
+        shape[key] = paramToZod(param)
       }
+      register(
+        def.name,
+        { description: def.description, inputSchema: z.object(shape) },
+        async (args: Record<string, unknown>) => {
+          try {
+            const result = await sendToBrowser({ command: 'tool', args: { name: def.name, args } })
+            const res = result as { ok?: boolean; result?: unknown; error?: string }
+            if (res.ok === false) return fail(new Error(res.error))
+            const r = res.result as Record<string, unknown> | undefined
+            if (r && 'base64' in r && 'mimeType' in r) {
+              return {
+                content: [
+                  {
+                    type: 'image' as const,
+                    data: r.base64 as string,
+                    mimeType: r.mimeType as string
+                  }
+                ]
+              }
+            }
+            return ok(r)
+          } catch (e) {
+            return fail(e)
+          }
+        }
+      )
     }
-  )
 
-  for (const tool of ALL_TOOLS) {
-    if (!enableEval && tool.name === 'eval') continue
-    registerTool(tool)
+    register(
+      'get_codegen_prompt',
+      {
+        description:
+          'Get design-to-code generation guidelines. Call before generating frontend code.',
+        inputSchema: z.object({})
+      },
+      async () => ok({ prompt: CODEGEN_PROMPT })
+    )
+
+    const transport = new WebStandardStreamableHTTPServerTransport({
+      sessionIdGenerator: () => id
+    })
+    void mcpServer.connect(transport)
+    mcpSessions.set(id, transport)
+    return transport
   }
 
-  return server
+  app.all('/mcp', async (c) => {
+    if (authToken) {
+      const auth = c.req.header('authorization')
+      const token = auth?.startsWith('Bearer ')
+        ? auth.slice('Bearer '.length)
+        : c.req.header('x-mcp-token')
+      if (token !== authToken) {
+        return c.json({ error: 'Unauthorized' }, 401)
+      }
+    }
+    const sessionId = c.req.header('mcp-session-id') ?? undefined
+    const existing = sessionId ? mcpSessions.get(sessionId) : undefined
+    if (!existing && mcpSessions.size >= MAX_MCP_SESSIONS) {
+      return c.json(
+        { error: 'Too many active MCP sessions' },
+        { status: 503, headers: { 'Retry-After': '5' } }
+      )
+    }
+    const transport = existing ?? createMCPSession(sessionId ?? randomUUID())
+    const response = await transport.handleRequest(c.req.raw)
+    if (c.req.method === 'DELETE' && sessionId) {
+      mcpSessions.delete(sessionId)
+    }
+    return response
+  })
+
+  return { app, wss, httpPort }
 }

package/dist/http.js

@@ -1,81 +0,0 @@
-#!/usr/bin/env node
-import { randomUUID } from 'node:crypto';
-import { readFile } from 'node:fs/promises';
-import { resolve } from 'node:path';
-import { Hono } from 'hono';
-import { cors } from 'hono/cors';
-import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
-import { createServer } from './server.js';
-const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'));
-const port = parseInt(process.env.PORT ?? '3100', 10);
-const host = process.env.HOST ?? '127.0.0.1';
-const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null;
-const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null;
-const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd());
-const sessions = new Map();
-async function getOrCreateSession(sessionId) {
-    if (sessionId && sessions.has(sessionId)) {
-        return sessions.get(sessionId);
-    }
-    const id = sessionId ?? randomUUID();
-    const server = createServer(pkg.version, {
-        enableEval: false,
-        fileRoot
-    });
-    const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id });
-    await server.connect(transport);
-    sessions.set(id, { server, transport });
-    return { server, transport };
-}
-const app = new Hono();
-if (corsOrigin) {
-    app.use('*', cors({
-        origin: corsOrigin,
-        allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-        allowHeaders: [
-            'Content-Type',
-            'Authorization',
-            'x-mcp-token',
-            'mcp-session-id',
-            'Last-Event-ID',
-            'mcp-protocol-version'
-        ],
-        exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
-    }));
-}
-app.get('/health', (c) => c.json({
-    status: 'ok',
-    version: pkg.version,
-    authRequired: Boolean(authToken),
-    evalEnabled: false,
-    fileRoot
-}));
-app.all('/mcp', async (c) => {
-    if (authToken) {
-        const authHeader = c.req.header('authorization');
-        const token = authHeader?.startsWith('Bearer ')
-            ? authHeader.slice('Bearer '.length)
-            : c.req.header('x-mcp-token');
-        if (token !== authToken) {
-            return c.json({ error: 'Unauthorized' }, 401);
-        }
-    }
-    const sessionId = c.req.header('mcp-session-id') ?? undefined;
-    const { transport } = await getOrCreateSession(sessionId);
-    return transport.handleRequest(c.req.raw);
-});
-const isBun = typeof globalThis.Bun !== 'undefined';
-if (isBun) {
-    Bun.serve({ fetch: app.fetch, port, hostname: host });
-}
-else {
-    const { serve } = await import('@hono/node-server');
-    serve({ fetch: app.fetch, port, hostname: host });
-}
-console.log(`OpenPencil MCP server v${pkg.version}`);
-console.log(`  Health:  http://${host}:${port}/health`);
-console.log(`  MCP:     http://${host}:${port}/mcp`);
-console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`);
-console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`);
-console.log(`  Eval:    disabled`);
-console.log(`  Root:    ${fileRoot}`);

package/dist/index.js

@@ -1,8 +0,0 @@
-#!/usr/bin/env node
-import { readFile } from 'node:fs/promises';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { createServer } from './server.js';
-const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'));
-const server = createServer(pkg.version);
-const transport = new StdioServerTransport();
-await server.connect(transport);

package/dist/server.js

@@ -1,158 +0,0 @@
-import { readFile, writeFile } from 'node:fs/promises';
-import { isAbsolute, relative, resolve } from 'node:path';
-import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { z } from 'zod';
-import { ALL_TOOLS, FigmaAPI, parseFigFile, computeAllLayouts, SceneGraph, renderNodesToImage, SkiaRenderer } from '@open-pencil/core';
-function ok(data) {
-    return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] };
-}
-function fail(e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    return { content: [{ type: 'text', text: JSON.stringify({ error: msg }) }], isError: true };
-}
-function paramToZod(param) {
-    const typeMap = {
-        string: () => param.enum
-            ? z.enum(param.enum).describe(param.description)
-            : z.string().describe(param.description),
-        number: () => {
-            let s = z.number();
-            if (param.min !== undefined)
-                s = s.min(param.min);
-            if (param.max !== undefined)
-                s = s.max(param.max);
-            return s.describe(param.description);
-        },
-        boolean: () => z.boolean().describe(param.description),
-        color: () => z.string().describe(param.description),
-        'string[]': () => z.array(z.string()).min(1).describe(param.description)
-    };
-    const schema = typeMap[param.type]();
-    return param.required ? schema : schema.optional();
-}
-let ckInstance = null;
-async function getCanvasKit() {
-    if (ckInstance)
-        return ckInstance;
-    const CanvasKitInit = (await import('canvaskit-wasm/full')).default;
-    const ckPath = import.meta.resolve('canvaskit-wasm/full');
-    const binDir = new URL('.', ckPath).pathname;
-    ckInstance = await CanvasKitInit({ locateFile: (file) => binDir + file });
-    return ckInstance;
-}
-export function createServer(version, options = {}) {
-    const server = new McpServer({ name: 'open-pencil', version });
-    const enableEval = options.enableEval ?? true;
-    const fileRoot = options.fileRoot === null || options.fileRoot === undefined
-        ? null
-        : resolve(options.fileRoot);
-    let graph = null;
-    let currentPageId = null;
-    function makeFigma() {
-        if (!graph)
-            throw new Error('No document loaded. Use open_file or new_document first.');
-        const api = new FigmaAPI(graph);
-        if (currentPageId)
-            api.currentPage = api.wrapNode(currentPageId);
-        api.exportImage = async (nodeIds, opts) => {
-            const ck = await getCanvasKit();
-            const surface = ck.MakeSurface(1, 1);
-            const renderer = new SkiaRenderer(ck, surface);
-            renderer.viewportWidth = 1;
-            renderer.viewportHeight = 1;
-            renderer.dpr = 1;
-            const pageId = currentPageId ?? graph.getPages()[0]?.id ?? graph.rootId;
-            return renderNodesToImage(ck, renderer, graph, pageId, nodeIds, {
-                scale: opts.scale ?? 1,
-                format: (opts.format ?? 'PNG')
-            });
-        };
-        return api;
-    }
-    function resolveAndCheckPath(filePath) {
-        const resolved = resolve(filePath);
-        if (!fileRoot)
-            return resolved;
-        const rel = relative(fileRoot, resolved);
-        if (rel === '' || (!rel.startsWith('..') && !isAbsolute(rel))) {
-            return resolved;
-        }
-        throw new Error(`Path "${filePath}" is outside allowed root "${fileRoot}"`);
-    }
-    function registerTool(def) {
-        const shape = {};
-        for (const [key, param] of Object.entries(def.params)) {
-            shape[key] = paramToZod(param);
-        }
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic schema from ToolDef params
-        server.registerTool(def.name, { description: def.description, inputSchema: z.object(shape) }, async (args) => {
-            try {
-                const result = await def.execute(makeFigma(), args);
-                if (result && typeof result === 'object' && 'base64' in result && 'mimeType' in result) {
-                    return {
-                        content: [{ type: 'image', data: result.base64, mimeType: result.mimeType }]
-                    };
-                }
-                return ok(result);
-            }
-            catch (e) {
-                return fail(e);
-            }
-        });
-    }
-    const register = server.registerTool.bind(server);
-    register('open_file', {
-        description: 'Open a .fig file for editing. Must be called before using other tools.',
-        inputSchema: z.object({ path: z.string().describe('Absolute path to a .fig file') })
-    }, async ({ path: filePath }) => {
-        try {
-            const path = resolveAndCheckPath(filePath);
-            const buf = await readFile(path);
-            graph = await parseFigFile(buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength));
-            computeAllLayouts(graph);
-            const pages = graph.getPages();
-            currentPageId = pages[0]?.id ?? null;
-            return ok({ pages: pages.map((p) => ({ id: p.id, name: p.name })), currentPage: pages[0]?.name });
-        }
-        catch (e) {
-            return fail(e);
-        }
-    });
-    register('save_file', {
-        description: 'Save the current document to a .fig file.',
-        inputSchema: z.object({ path: z.string().describe('Absolute path to save the .fig file') })
-    }, async ({ path: filePath }) => {
-        try {
-            if (!graph)
-                throw new Error('No document loaded');
-            const { exportFigFile } = await import('@open-pencil/core');
-            const path = resolveAndCheckPath(filePath);
-            const data = await exportFigFile(graph);
-            await writeFile(path, new Uint8Array(data));
-            return ok({ saved: path, bytes: data.byteLength });
-        }
-        catch (e) {
-            return fail(e);
-        }
-    });
-    register('new_document', {
-        description: 'Create a new empty document with a blank page.',
-        inputSchema: z.object({})
-    }, async () => {
-        try {
-            graph = new SceneGraph();
-            const pages = graph.getPages();
-            currentPageId = pages[0]?.id ?? null;
-            return ok({ page: pages[0]?.name, id: currentPageId });
-        }
-        catch (e) {
-            return fail(e);
-        }
-    });
-    for (const tool of ALL_TOOLS) {
-        if (!enableEval && tool.name === 'eval')
-            continue;
-        registerTool(tool);
-    }
-    return server;
-}

package/src/http.ts

@@ -1,97 +0,0 @@
-#!/usr/bin/env node
-import { randomUUID } from 'node:crypto'
-import { readFile } from 'node:fs/promises'
-import { resolve } from 'node:path'
-
-import { Hono } from 'hono'
-import { cors } from 'hono/cors'
-import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'
-
-import { createServer } from './server.js'
-
-const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url), 'utf-8'))
-const port = parseInt(process.env.PORT ?? '3100', 10)
-const host = process.env.HOST ?? '127.0.0.1'
-const authToken = process.env.OPENPENCIL_MCP_AUTH_TOKEN?.trim() || null
-const corsOrigin = process.env.OPENPENCIL_MCP_CORS_ORIGIN?.trim() || null
-const fileRoot = resolve(process.env.OPENPENCIL_MCP_ROOT ?? process.cwd())
-
-const sessions = new Map<string, { server: ReturnType<typeof createServer>; transport: WebStandardStreamableHTTPServerTransport }>()
-
-async function getOrCreateSession(sessionId?: string) {
-  if (sessionId && sessions.has(sessionId)) {
-    return sessions.get(sessionId)!
-  }
-
-  const id = sessionId ?? randomUUID()
-  const server = createServer(pkg.version, {
-    enableEval: false,
-    fileRoot
-  })
-  const transport = new WebStandardStreamableHTTPServerTransport({ sessionIdGenerator: () => id })
-  await server.connect(transport)
-  sessions.set(id, { server, transport })
-  return { server, transport }
-}
-
-const app = new Hono()
-
-if (corsOrigin) {
-  app.use('*', cors({
-    origin: corsOrigin,
-    allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
-    allowHeaders: [
-      'Content-Type',
-      'Authorization',
-      'x-mcp-token',
-      'mcp-session-id',
-      'Last-Event-ID',
-      'mcp-protocol-version'
-    ],
-    exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
-  }))
-}
-
-app.get('/health', (c) =>
-  c.json({
-    status: 'ok',
-    version: pkg.version,
-    authRequired: Boolean(authToken),
-    evalEnabled: false,
-    fileRoot
-  })
-)
-
-app.all('/mcp', async (c) => {
-  if (authToken) {
-    const authHeader = c.req.header('authorization')
-    const token =
-      authHeader?.startsWith('Bearer ')
-        ? authHeader.slice('Bearer '.length)
-        : c.req.header('x-mcp-token')
-    if (token !== authToken) {
-      return c.json({ error: 'Unauthorized' }, 401)
-    }
-  }
-
-  const sessionId = c.req.header('mcp-session-id') ?? undefined
-  const { transport } = await getOrCreateSession(sessionId)
-  return transport.handleRequest(c.req.raw)
-})
-
-const isBun = typeof globalThis.Bun !== 'undefined'
-
-if (isBun) {
-  Bun.serve({ fetch: app.fetch, port, hostname: host })
-} else {
-  const { serve } = await import('@hono/node-server')
-  serve({ fetch: app.fetch, port, hostname: host })
-}
-
-console.log(`OpenPencil MCP server v${pkg.version}`)
-console.log(`  Health:  http://${host}:${port}/health`)
-console.log(`  MCP:     http://${host}:${port}/mcp`)
-console.log(`  Auth:    ${authToken ? 'required (OPENPENCIL_MCP_AUTH_TOKEN)' : 'disabled'}`)
-console.log(`  CORS:    ${corsOrigin ?? 'disabled'}`)
-console.log(`  Eval:    disabled`)
-console.log(`  Root:    ${fileRoot}`)