@openziti/ziti-mcp-server 0.1.0

package/dist/commands/init.d.ts

@@ -0,0 +1,45 @@
+import type { ClientType } from '../clients/types.js';
+/**
+ * Command options for the init command
+ */
+export interface InitOptions {
+    client: ClientType;
+    scopes?: string[];
+    tools: string[];
+    readOnly?: boolean;
+    zitiControllerHost?: string;
+    idpDomain?: string;
+    idpClientId?: string;
+    idpClientSecret?: string;
+}
+/**
+ * Initializes the OpenZiti MCP server with the specified client, tools and scopes.
+ *
+ * This function orchestrates the complete initialization process by:
+ * 1. Resolving and validating requested scopes
+ * 2. Obtaining authorization through the device flow
+ * 3. Configuring the selected client (Claude, Windsurf, Cursor, or VS Code)
+ *
+ * @param {InitOptions} options - Configuration options including:
+ *   - client: The target client type to configure ('claude', 'windsurf', or 'cursor')
+ *   - scopes: Optional scope patterns for authorization (will prompt if omitted)
+ *   - tools: Tool patterns to enable (e.g., ['ziti_list_*'])
+ *
+ * @returns {Promise<void>} A promise that resolves when initialization is complete
+ *
+ * @throws {Error} If authorization fails or client configuration encounters an error
+ *
+ * @example
+ * // Initialize with Claude client and all tools
+ * await init({ client: 'claude', tools: ['*'] });
+ *
+ * @example
+ * // Initialize with Windsurf client and specific tools
+ * await init({
+ *   client: 'windsurf',
+ *   tools: ['ziti_list_*', 'list_get_*'],
+ *   scopes: ['read:*']
+ * });
+ */
+declare const init: (options: InitOptions) => Promise<void>;
+export default init;

package/dist/commands/init.js

@@ -0,0 +1,133 @@
+import { clients } from '../clients/index.js';
+import { log, logError } from '../utils/logger.js';
+import { requestAuthorization } from '../auth/device-auth-flow.js';
+import { requestClientCredentialsAuthorization } from '../auth/client-credentials-flow.js';
+import { promptForScopeSelection } from '../utils/terminal.js';
+import { getAllScopes } from '../utils/scopes.js';
+import { Glob } from '../utils/glob.js';
+import chalk from 'chalk';
+import trackEvent from '../utils/analytics.js';
+/**
+ * Resolves scope patterns to actual scope values
+ *
+ * @param {string[] | undefined} scopePatterns - Scope patterns from command line
+ * @returns {Promise<string[]>} - The selected scopes
+ */
+async function resolveScopes(scopePatterns) {
+    // If no scopes provided, prompt user for selection
+    if (!scopePatterns?.length) {
+        return promptForScopeSelection();
+    }
+    const allAvailableScopes = getAllScopes();
+    const matchedScopes = new Set();
+    const invalidScopes = new Set();
+    // Match patterns against available scopes
+    for (const pattern of scopePatterns) {
+        let foundMatch = false;
+        const glob = new Glob(pattern);
+        for (const scope of allAvailableScopes) {
+            if (glob.matches(scope)) {
+                matchedScopes.add(scope);
+                foundMatch = true;
+            }
+        }
+        // Track non-wildcard patterns that didn't match anything
+        if (!glob.hasWildcards() && !foundMatch) {
+            invalidScopes.add(pattern);
+        }
+    }
+    // Handle invalid scopes
+    if (invalidScopes.size > 0) {
+        const errorMessage = `Error: The following scopes are not valid: ${Array.from(invalidScopes).join(', ')}`;
+        logError(errorMessage);
+        logError(chalk.yellow(`Valid scopes are: ${allAvailableScopes.join(', ')}`));
+        process.exit(1);
+    }
+    // Handle matched scopes
+    const matchedScopesArray = Array.from(matchedScopes);
+    if (matchedScopesArray.length === 0) {
+        log(chalk.yellow('No scopes matched the provided patterns, proceeding to scope selection.'));
+        return promptForScopeSelection();
+    }
+    return promptForScopeSelection(matchedScopesArray);
+}
+/**
+ * Configures the specified client with options
+ *
+ * @param {ClientType} clientType - Type of the client to configure
+ * @param {InitOptions} options - Configuration options
+ */
+async function configureClient(clientType, options) {
+    const manager = clients[clientType];
+    if (!manager) {
+        logError(`Invalid client type specified: ${clientType}`);
+        logError(`Available clients are: ${Object.keys(clients).join(', ')}`);
+        process.exit(1);
+    }
+    log(`Configuring ${manager.displayName} as client...`);
+    const clientOptions = {
+        tools: options.tools,
+        readOnly: options.readOnly,
+    };
+    await manager.configure(clientOptions);
+}
+/**
+ * Initializes the OpenZiti MCP server with the specified client, tools and scopes.
+ *
+ * This function orchestrates the complete initialization process by:
+ * 1. Resolving and validating requested scopes
+ * 2. Obtaining authorization through the device flow
+ * 3. Configuring the selected client (Claude, Windsurf, Cursor, or VS Code)
+ *
+ * @param {InitOptions} options - Configuration options including:
+ *   - client: The target client type to configure ('claude', 'windsurf', or 'cursor')
+ *   - scopes: Optional scope patterns for authorization (will prompt if omitted)
+ *   - tools: Tool patterns to enable (e.g., ['ziti_list_*'])
+ *
+ * @returns {Promise<void>} A promise that resolves when initialization is complete
+ *
+ * @throws {Error} If authorization fails or client configuration encounters an error
+ *
+ * @example
+ * // Initialize with Claude client and all tools
+ * await init({ client: 'claude', tools: ['*'] });
+ *
+ * @example
+ * // Initialize with Windsurf client and specific tools
+ * await init({
+ *   client: 'windsurf',
+ *   tools: ['ziti_list_*', 'list_get_*'],
+ *   scopes: ['read:*']
+ * });
+ */
+const init = async (options) => {
+    log('Initializing OpenZiti MCP server...');
+    log(`Configuring server with selected tools: ${options.tools.join(', ')}`);
+    if (options.readOnly) {
+        log('Running in read-only mode - only read operations will be available');
+    }
+    trackEvent.trackInit(options.client);
+    // Check if client credentials parameters are provided for Private Cloud authentication
+    const { zitiControllerHost, idpDomain, idpClientId, idpClientSecret } = options;
+    if (zitiControllerHost && idpDomain && idpClientId && idpClientSecret) {
+        // Client credentials flow for Private Cloud
+        log('Using client credentials flow for authentication');
+        await requestClientCredentialsAuthorization({
+            zitiControllerHost: zitiControllerHost,
+            idpDomain: idpDomain,
+            idpClientId: idpClientId,
+            idpClientSecret: idpClientSecret,
+        });
+    }
+    else {
+        // Device authorization flow for public cloud
+        log('Using device authorization flow for authentication');
+        // Handle scope resolution
+        const selectedScopes = await resolveScopes(options.scopes);
+        await requestAuthorization(selectedScopes);
+    }
+    // Configure the requested client
+    await configureClient(options.client, options);
+};
+export default init;
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,qCAAqC,EAAE,MAAM,oCAAoC,CAAC;AAC3F,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,UAAU,MAAM,uBAAuB,CAAC;AAiB/C;;;;;GAKG;AACH,KAAK,UAAU,aAAa,CAAC,aAAwB;IACnD,mDAAmD;IACnD,IAAI,CAAC,aAAa,EAAE,MAAM,EAAE,CAAC;QAC3B,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,kBAAkB,GAAG,YAAY,EAAE,CAAC;IAC1C,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IACxC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,0CAA0C;IAC1C,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QAE/B,KAAK,MAAM,KAAK,IAAI,kBAAkB,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACzB,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,8CAA8C,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1G,QAAQ,CAAC,YAAY,CAAC,CAAC;QACvB,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,wBAAwB;IACxB,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACrD,IAAI,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,yEAAyE,CAAC,CAAC,CAAC;QAC7F,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;AACrD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,eAAe,CAAC,UAAsB,EAAE,OAAoB;IACzE,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEpC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,QAAQ,CAAC,kCAAkC,UAAU,EAAE,CAAC,CAAC;QACzD,QAAQ,CAAC,0BAA0B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,GAAG,CAAC,eAAe,OAAO,CAAC,WAAW,eAAe,CAAC,CAAC;IAEvD,MAAM,aAAa,GAAkB;QACnC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC;IAEF,MAAM,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,IAAI,GAAG,KAAK,EAAE,OAAoB,EAAiB,EAAE;IACzD,GAAG,CAAC,qCAAqC,CAAC,CAAC;IAC3C,GAAG,CAAC,2CAA2C,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3E,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAC5E,CAAC;IAED,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAErC,uFAAuF;IACvF,MAAM,EAAE,kBAAkB,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IAEhF,IAAI,kBAAkB,IAAI,SAAS,IAAI,WAAW,IAAI,eAAe,EAAE,CAAC;QACtE,4CAA4C;QAC5C,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAExD,MAAM,qCAAqC,CAAC;YAC1C,kBAAkB,EAAE,kBAAkB;YACtC,SAAS,EAAE,SAAS;YACpB,WAAW,EAAE,WAAW;YACxB,eAAe,EAAE,eAAe;SACjC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,6CAA6C;QAC7C,GAAG,CAAC,oDAAoD,CAAC,CAAC;QAE1D,0BAA0B;QAC1B,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAE3D,MAAM,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC7C,CAAC;IAED,iCAAiC;IACjC,MAAM,eAAe,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC,CAAC;AAEF,eAAe,IAAI,CAAC"}

package/dist/commands/logout.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Command options for the logout command
+ */
+export type LogoutOptions = Record<string, never>;
+/**
+ * Removes all OpenZiti MCP related tokens from the system keychain
+ *
+ * @param {LogoutOptions} _options - Command options from commander (unused)
+ * @returns A promise that resolves when logout is complete
+ */
+declare function logout(_options?: LogoutOptions): Promise<void>;
+export default logout;

package/dist/commands/logout.js

@@ -0,0 +1,90 @@
+import chalk from 'chalk';
+import { log, logError } from '../utils/logger.js';
+import { cliOutput } from '../utils/terminal.js';
+import { keychain, KeychainItem } from '../utils/keychain.js';
+import { revokeRefreshToken } from '../auth/device-auth-flow.js';
+/**
+ * Maps technical keychain item names to user-friendly descriptions
+ * @param item - The keychain item key
+ * @returns A user-friendly description of the item
+ */
+const getItemDescription = (item) => {
+    const descriptions = {
+        [KeychainItem.TOKEN]: 'access token',
+        [KeychainItem.REFRESH_TOKEN]: 'refresh token',
+        [KeychainItem.ZITI_CONTROLLER_HOST]: 'Ziti Controller host',
+        [KeychainItem.DOMAIN]: 'domain information',
+        [KeychainItem.TOKEN_EXPIRES_AT]: 'token expiration',
+    };
+    return descriptions[item] ?? item;
+};
+/**
+ * Creates a formatted message for successful token removal
+ * @param successfulItems - Array of successfully removed items
+ * @returns A formatted success message
+ */
+const createSuccessMessage = (successfulItems) => {
+    if (successfulItems.length === 0)
+        return '';
+    const tokenNames = successfulItems.map((result) => getItemDescription(result.item));
+    return `${chalk.green('✓')} Successfully removed ${tokenNames.join(', ')} from your system keychain.\n`;
+};
+/**
+ * Creates a formatted message for items that failed to be removed
+ * @param failedItems - Array of items that failed to be removed
+ * @returns A formatted error message
+ */
+const createErrorMessage = (failedItems) => {
+    if (failedItems.length === 0)
+        return '';
+    const errorLines = failedItems.map((result) => `${chalk.red('✗')} ${getItemDescription(result.item)}: ${result.error?.message ?? 'Unknown error'}`);
+    return [
+        `${chalk.yellow('!')} Some credentials could not be removed and may require manual cleanup:`,
+        ...errorLines,
+        `\n${chalk.blue('i')} To manually remove credentials, use your system's keychain manager and search for 'ziti-mcp'.`,
+    ].join('\n');
+};
+/**
+ * Categorizes deletion results into successful and failed operations
+ * @param results - Array of keychain operation results
+ * @returns Object containing arrays of successful and failed operations
+ */
+const categorizeResults = (results) => {
+    return {
+        successful: results.filter((result) => result.success),
+        failed: results.filter((result) => !result.success),
+    };
+};
+/**
+ * Removes all OpenZiti MCP related tokens from the system keychain
+ *
+ * @param {LogoutOptions} _options - Command options from commander (unused)
+ * @returns A promise that resolves when logout is complete
+ */
+async function logout(_options) {
+    try {
+        log('Removing OpenZiti tokens from keychain');
+        cliOutput(`\n${chalk.blue('i')} Clearing authentication data...\n`);
+        log('Revoke refresh token if present');
+        await revokeRefreshToken();
+        // Delete all items from the keychain
+        const deletionResults = await keychain.clearAll();
+        const { successful, failed } = categorizeResults(deletionResults);
+        if (successful.length > 0) {
+            cliOutput(createSuccessMessage(successful));
+        }
+        else if (deletionResults.length === failed.length) {
+            cliOutput(`${chalk.yellow('!')} No OpenZiti MCP authentication data was found in your system keychain.\n`);
+        }
+        if (failed.length > 0) {
+            cliOutput(createErrorMessage(failed));
+        }
+    }
+    catch (error) {
+        logError('Error during logout:', error);
+        cliOutput(`\n${chalk.red('✗')} Failed to clear authentication data. ${error instanceof Error ? error.message : ''}\n`);
+        process.exit(1);
+    }
+}
+export default logout;
+//# sourceMappingURL=logout.js.map

package/dist/commands/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/commands/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAgC,MAAM,sBAAsB,CAAC;AAC5F,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,CAAC,IAAY,EAAU,EAAE;IAClD,MAAM,YAAY,GAA2B;QAC3C,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,cAAc;QACpC,CAAC,YAAY,CAAC,aAAa,CAAC,EAAE,eAAe;QAC7C,CAAC,YAAY,CAAC,oBAAoB,CAAC,EAAE,sBAAsB;QAC3D,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,oBAAoB;QAC3C,CAAC,YAAY,CAAC,gBAAgB,CAAC,EAAE,kBAAkB;KACpD,CAAC;IACF,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACpC,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,oBAAoB,GAAG,CAAC,eAA0C,EAAU,EAAE;IAClF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE5C,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACpF,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,yBAAyB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC;AAC1G,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,CAAC,WAAsC,EAAU,EAAE;IAC5E,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAChC,CAAC,MAAM,EAAE,EAAE,CACT,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,eAAe,EAAE,CACtG,CAAC;IAEF,OAAO;QACL,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,wEAAwE;QAC5F,GAAG,UAAU;QACb,KAAK,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,gGAAgG;KACrH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,CACxB,OAAkC,EAIlC,EAAE;IACF,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC;QACtD,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KACpD,CAAC;AACJ,CAAC,CAAC;AAOF;;;;;GAKG;AACH,KAAK,UAAU,MAAM,CAAC,QAAwB;IAC5C,IAAI,CAAC;QACH,GAAG,CAAC,wCAAwC,CAAC,CAAC;QAC9C,SAAS,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAEpE,GAAG,CAAC,iCAAiC,CAAC,CAAC;QACvC,MAAM,kBAAkB,EAAE,CAAC;QAE3B,qCAAqC;QACrC,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAClD,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAElE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,SAAS,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,eAAe,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;YACpD,SAAS,CACP,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,2EAA2E,CAChG,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,SAAS,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;QACxC,SAAS,CACP,KAAK,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,yCAAyC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,CAC5G,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,eAAe,MAAM,CAAC"}

package/dist/commands/run.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Command options for the run command
+ */
+export interface RunOptions {
+    tools: string[];
+    readOnly?: boolean;
+}
+/**
+ * Main function to start server
+ *
+ * @param {RunOptions} options - Command options
+ * @returns {Promise<void>}
+ */
+declare const run: (options: RunOptions) => Promise<void>;
+export default run;

package/dist/commands/run.js

@@ -0,0 +1,94 @@
+import { startServer } from '../server.js';
+import trackEvent from '../utils/analytics.js';
+import { log, logError, logInfo } from '../utils/logger.js';
+import * as os from 'os';
+import { keychain } from '../utils/keychain.js';
+import { isTokenExpired } from '../auth/device-auth-flow.js';
+import chalk from 'chalk';
+/**
+ * Validates authorization preconditions before starting the server
+ *
+ * This function provides user-friendly validation with detailed CLI output
+ * and actionable guidance for resolving authentication issues. It forms the
+ * first layer of the MCP server's validation architecture:
+ *
+ * 1. Initial validation (here): Provides rich user feedback during startup
+ * 2. Server startup validation: Secondary checkpoint in `server.ts`
+ * 3. Continuous validation: During tool calls via the `validateConfig()` function
+ *
+ * Each layer serves a distinct purpose, creating a balance between security
+ * and developer experience. This function focuses on DX with detailed,
+ * human-readable feedback, while later validation layers provide ongoing
+ * security with more technical checks.
+ *
+ * @returns {Promise<boolean>} True if authorization is valid, false otherwise
+ */
+const validateAuthorization = async () => {
+    // Check if token exists
+    const token = await keychain.getToken();
+    if (!token) {
+        logError(`${chalk.red('Authorization Error:')} No valid authorization token found`);
+        logError(`${chalk.bold('Recommended actions:')}`);
+        logError(`1. Run ${chalk.cyan('npx @openziti/openziti-mcp-server init')} to authorize with your OpenZiti Controller`);
+        logError(`2. Use ${chalk.cyan('npx @openziti/openziti-mcp-server session')} to check your current session status`);
+        return false;
+    }
+    // Check if token is expired
+    const expired = await isTokenExpired();
+    if (expired) {
+        const expiresAt = await keychain.getTokenExpiresAt();
+        const expiryDate = expiresAt ? new Date(expiresAt).toLocaleString() : 'unknown';
+        logError(`${chalk.red('Authorization Error:')} Token has expired (on ${expiryDate})`);
+        logError(`${chalk.bold('Recommended actions:')}`);
+        logError(`1. Run ${chalk.cyan('npx @openziti/openziti-mcp-server init')} to refresh your authorization`);
+        logError(`2. Use ${chalk.cyan('npx @openziti/openziti-mcp-server session')} to check your current session details`);
+        return false;
+    }
+    // Check if domain exists
+    const domain = await keychain.getDomain();
+    if (!domain) {
+        logError(`${chalk.red('Authorization Error:')} No OpenZiti Controller host found in configuration`);
+        logError(`${chalk.bold('Recommended actions:')}`);
+        logError(`1. Run ${chalk.cyan('npx @openziti/openziti-mcp-server init')} to authorize with your OpenZiti Controller`);
+        logError(`2. Use ${chalk.cyan('npx @openziti/openziti-mcp-server session')} to check your current configuration`);
+        return false;
+    }
+    return true;
+};
+/**
+ * Main function to start server
+ *
+ * @param {RunOptions} options - Command options
+ * @returns {Promise<void>}
+ */
+const run = async (options) => {
+    try {
+        if (!process.env.HOME) {
+            process.env.HOME = os.homedir();
+            log(`Set HOME environment variable to ${process.env.HOME}`);
+        }
+        trackEvent.trackServerRun();
+        // Validate authorization before starting server
+        const isAuthorized = await validateAuthorization();
+        if (!isAuthorized) {
+            // Exit with code 1 (standard error code)
+            process.exit(1);
+        }
+        if (options.readOnly && options.tools.length === 1 && options.tools[0] === '*') {
+            logInfo('Starting server in read-only mode');
+        }
+        else if (options.readOnly) {
+            logInfo(`Starting server in read-only mode with tools matching the following pattern(s): ${options.tools.join(', ')} (--read-only has priority)`);
+        }
+        else {
+            logInfo(`Starting server with tools matching the following pattern(s): ${options.tools.join(', ')}`);
+        }
+        await startServer(options);
+    }
+    catch (error) {
+        logError('Fatal error starting server:', error);
+        process.exit(1);
+    }
+};
+export default run;
+//# sourceMappingURL=run.js.map

package/dist/commands/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,UAAU,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,KAAK,MAAM,OAAO,CAAC;AAU1B;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,qBAAqB,GAAG,KAAK,IAAsB,EAAE;IACzD,wBAAwB;IACxB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACxC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,QAAQ,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,qCAAqC,CAAC,CAAC;QACpF,QAAQ,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAClD,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,6CAA6C,CAC5G,CAAC;QACF,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,2CAA2C,CAAC,uCAAuC,CACzG,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4BAA4B;IAC5B,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAC;IACvC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAC;QACrD,MAAM,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAChF,QAAQ,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,0BAA0B,UAAU,GAAG,CAAC,CAAC;QACtF,QAAQ,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAClD,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,gCAAgC,CAC/F,CAAC;QACF,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,2CAA2C,CAAC,wCAAwC,CAC1G,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,QAAQ,CACN,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,qDAAqD,CAC1F,CAAC;QACF,QAAQ,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;QAClD,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,6CAA6C,CAC5G,CAAC;QACF,QAAQ,CACN,UAAU,KAAK,CAAC,IAAI,CAAC,2CAA2C,CAAC,sCAAsC,CACxG,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,GAAG,GAAG,KAAK,EAAE,OAAmB,EAAiB,EAAE;IACvD,IAAI,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;YAChC,GAAG,CAAC,oCAAoC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,UAAU,CAAC,cAAc,EAAE,CAAC;QAE5B,gDAAgD;QAChD,MAAM,YAAY,GAAG,MAAM,qBAAqB,EAAE,CAAC;QACnD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,yCAAyC;YACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC/E,OAAO,CAAC,mCAAmC,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC5B,OAAO,CACL,mFAAmF,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,CACzI,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CACL,iEAAiE,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5F,CAAC;QACJ,CAAC;QACD,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC;AAEF,eAAe,GAAG,CAAC"}

package/dist/commands/session.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Command options for the session command
+ */
+export type SessionOptions = Record<string, never>;
+/**
+ * Displays information about the current authentication session
+ *
+ * @param {SessionOptions} _options - Command options from commander (unused)
+ * @returns A promise that resolves when the display is complete
+ */
+declare function session(_options?: SessionOptions): Promise<void>;
+export default session;

package/dist/commands/session.js

@@ -0,0 +1,99 @@
+import chalk from 'chalk';
+import { keychain } from '../utils/keychain.js';
+import { cliOutput } from '../utils/terminal.js';
+import { log } from '../utils/logger.js';
+/**
+ * Formats a date for display in user-friendly format
+ * @param timestamp - The timestamp to format
+ * @returns A formatted date string
+ */
+const formatDate = (timestamp) => {
+    return new Date(timestamp).toLocaleString();
+};
+/**
+ * Creates a message for when no active session is found
+ * @returns A formatted message string
+ */
+const createNoSessionMessage = () => {
+    return [
+        `\n${chalk.yellow('!')} No active authentication session found.\n`,
+        `Run ${chalk.cyan('npx @openziti/openziti-mcp-server init')} to authenticate.\n`,
+    ].join('');
+};
+/**
+ * Creates a header for the session information display
+ * @param domain - The authenticated domain
+ * @returns A formatted header string
+ */
+const createSessionHeader = (zitiControllerHost, domain) => {
+    return [
+        `\n${chalk.green('✓')} Active authentication session:\n`,
+        `${chalk.bold('Ziti Controller Host:')} ${zitiControllerHost}\n`,
+        `${chalk.bold('Domain:')} ${domain}\n`,
+    ].join('');
+};
+/**
+ * Creates a message about token expiration status
+ * @param expiresAt - The timestamp when the token expires
+ * @returns A formatted expiration message
+ */
+const createExpirationMessage = (expiresAt) => {
+    const now = Date.now();
+    const expiresIn = expiresAt - now;
+    if (expiresIn > 0) {
+        const hoursRemaining = Math.floor(expiresIn / (1000 * 60 * 60));
+        return `${chalk.bold('Token expires:')} in ${hoursRemaining} hours (${formatDate(expiresAt)})\n`;
+    }
+    else {
+        return `${chalk.bold('Token status:')} ${chalk.red('Expired')} on ${formatDate(expiresAt)}\n`;
+    }
+};
+/**
+ * Creates a footer with logout instructions
+ * @returns A formatted instruction string
+ */
+const createLogoutInstructions = () => {
+    return `\nTo use different credentials, run ${chalk.cyan('npx @openziti/openziti-mcp-server logout')}\n`;
+};
+/**
+ * Creates an error message when session info can't be retrieved
+ * @returns A formatted error message
+ */
+const createErrorMessage = () => {
+    return `\n${chalk.red('✗')} Failed to retrieve session information.\n`;
+};
+/**
+ * Displays information about the current authentication session
+ *
+ * @param {SessionOptions} _options - Command options from commander (unused)
+ * @returns A promise that resolves when the display is complete
+ */
+async function session(_options) {
+    try {
+        log('Retrieving session information');
+        // Get session data from keychain
+        const token = await keychain.getToken();
+        const zitiControllerHost = await keychain.getZitiControllerHost();
+        const domain = await keychain.getDomain();
+        const expiresAt = await keychain.getTokenExpiresAt();
+        // Handle case where no session exists
+        if (!token || !zitiControllerHost || !domain) {
+            cliOutput(createNoSessionMessage());
+            return;
+        }
+        // Display session information
+        cliOutput(createSessionHeader(zitiControllerHost, domain));
+        // Add expiration information if available
+        if (expiresAt) {
+            cliOutput(createExpirationMessage(expiresAt));
+        }
+        // Add logout instructions
+        cliOutput(createLogoutInstructions());
+    }
+    catch (error) {
+        log('Error retrieving session information:', error);
+        cliOutput(createErrorMessage());
+    }
+}
+export default session;
+//# sourceMappingURL=session.js.map

package/dist/commands/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/commands/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,oBAAoB,CAAC;AAEzC;;;;GAIG;AACH,MAAM,UAAU,GAAG,CAAC,SAAiB,EAAU,EAAE;IAC/C,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC;AAC9C,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,sBAAsB,GAAG,GAAW,EAAE;IAC1C,OAAO;QACL,KAAK,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,4CAA4C;QAClE,OAAO,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,qBAAqB;KACjF,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,mBAAmB,GAAG,CAAC,kBAA0B,EAAE,MAAc,EAAU,EAAE;IACjF,OAAO;QACL,KAAK,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,mCAAmC;QACxD,GAAG,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,IAAI,kBAAkB,IAAI;QAChE,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,MAAM,IAAI;KACvC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,uBAAuB,GAAG,CAAC,SAAiB,EAAU,EAAE;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,SAAS,GAAG,GAAG,CAAC;IAElC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;QAChE,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,OAAO,cAAc,WAAW,UAAU,CAAC,SAAS,CAAC,KAAK,CAAC;IACnG,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC;IAChG,CAAC;AACH,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,wBAAwB,GAAG,GAAW,EAAE;IAC5C,OAAO,uCAAuC,KAAK,CAAC,IAAI,CAAC,0CAA0C,CAAC,IAAI,CAAC;AAC3G,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,kBAAkB,GAAG,GAAW,EAAE;IACtC,OAAO,KAAK,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,4CAA4C,CAAC;AACzE,CAAC,CAAC;AAOF;;;;;GAKG;AACH,KAAK,UAAU,OAAO,CAAC,QAAyB;IAC9C,IAAI,CAAC;QACH,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAEtC,iCAAiC;QACjC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,kBAAkB,GAAG,MAAM,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QAClE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAC;QAErD,sCAAsC;QACtC,IAAI,CAAC,KAAK,IAAI,CAAC,kBAAkB,IAAI,CAAC,MAAM,EAAE,CAAC;YAC7C,SAAS,CAAC,sBAAsB,EAAE,CAAC,CAAC;YACpC,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,SAAS,CAAC,mBAAmB,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC;QAE3D,0CAA0C;QAC1C,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,0BAA0B;QAC1B,SAAS,CAAC,wBAAwB,EAAE,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,uCAAuC,EAAE,KAAK,CAAC,CAAC;QACpD,SAAS,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAClC,CAAC;AACH,CAAC;AAED,eAAe,OAAO,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import chalk from 'chalk';
+import init from './commands/init.js';
+import run from './commands/run.js';
+import logout from './commands/logout.js';
+import session from './commands/session.js';
+import { logError } from './utils/logger.js';
+import { TOOLS } from './tools/index.js';
+import { validatePatterns } from './utils/tools.js';
+import { packageName, packageVersion } from './utils/package.js';
+// Set process title
+process.title = packageName;
+// Global error handlers
+['uncaughtException', 'unhandledRejection'].forEach((event) => {
+    process.on(event, (error) => {
+        logError(`${event}:`, error);
+        process.exit(1);
+    });
+});
+/**
+ * Parses and validates comma-separated tool patterns from command line input.
+ * This function processes a comma-delimited string of tool patterns,
+ * normalizes them by trimming whitespace, and validates each pattern
+ * against the available tools. If the input is empty, it returns a
+ * wildcard pattern ['*'] that matches all tools.
+ *
+ * @param {string} value - Raw command line input containing comma-separated patterns
+ * @returns {string[]} Array of validated tool pattern strings
+ * @throws {Error} If any pattern is invalid or doesn't match available tools
+ */
+function parseToolPatterns(value) {
+    if (!value)
+        return ['*'];
+    const patterns = value
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+    // Validate the patterns against available tools
+    validatePatterns(patterns, TOOLS);
+    return patterns;
+}
+// Top-level CLI
+const program = new Command()
+    .name('ziti-mcp-server')
+    .description('OpenZiti MCP Server - Model Context Protocol server for OpenZiti Controller Management API')
+    .version(packageVersion)
+    .addHelpText('before', `
+${chalk.bold('OpenZiti MCP Server')}
+
+A Model Context Protocol (MCP) server implementation that integrates the OpenZiti Controller Management API 
+with Claude Desktop, enabling AI-assisted management of your OpenZiti network.`)
+    .addHelpText('after', `
+Examples:
+  npx ${packageName} init
+  npx ${packageName} init --tools 'ziti_*' --client claude
+  npx ${packageName} init --read-only --client claude
+  npx ${packageName} init --tools 'ziti_*_applications' --client windsurf
+  npx ${packageName} init --tools 'ziti_list_*,ziti_get_*' --client cursor
+  npx ${packageName} init --ziti-controller <ziti-controller> --idp-domain <idp-domain> --idp-client-id <idp-client-id> --idp-client-secret <idp-client-secret>
+  npx ${packageName} run
+  npx ${packageName} run --read-only
+  npx ${packageName} session
+  npx ${packageName} logout
+  
+  For more information, visit: https://github.com/openziti/openziti-mcp-server`);
+// Init command
+program
+    .command('init')
+    .description('Initialize the server (authenticate and configure)')
+    .option('--client <client>', 'Configure specific client (claude, windsurf, cursor, or vscode)', 'claude')
+    .option('--ziti-controller-host <ziti controller host>', 'Ziti controller (required for Ziti network authentication)')
+    .option('--idp-domain <idp domain>', 'IdP domain (required for Private Cloud authentication)')
+    .option('--idp-client-id <idp ClientId>', 'Client ID (required for Private Cloud authentication)')
+    .option('--idp-client-secret <idp Client Secret>', 'Client secret (required for Private Cloud authentication)')
+    .option('--scopes <scopes>', 'Comma-separated list of API scopes', (text) => text
+    .split(',')
+    .map((scope) => scope.trim())
+    .filter(Boolean))
+    .option('--tools <tools>', 'Comma-separated list of tools or glob patterns to enable (defaults to "*" if not provided)', parseToolPatterns, ['*'])
+    .option('--read-only', 'Only expose read-only tools (list and get operations)', false)
+    .action(init);
+// Run command
+program
+    .command('run')
+    .description('Start the MCP server')
+    .option('--tools <tools>', 'Comma-separated list of tools or glob patterns to enable (defaults to "*" if not provided)', parseToolPatterns, ['*'])
+    .option('--read-only', 'Only expose read-only tools (list and get operations)', false)
+    .action(run);
+// Logout command
+program
+    .command('logout')
+    .description('Remove all stored JWT tokens from the system keychain')
+    .action(logout);
+// Session command
+program
+    .command('session')
+    .description('Display current authentication session information')
+    .action(session);
+// Parse arguments and handle potential errors
+program.parseAsync().catch((error) => {
+    logError('Command execution error:', error);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,IAAI,MAAM,oBAAoB,CAAC;AACtC,OAAO,GAAG,MAAM,mBAAmB,CAAC;AACpC,OAAO,MAAM,MAAM,sBAAsB,CAAC;AAC1C,OAAO,OAAO,MAAM,uBAAuB,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEjE,oBAAoB;AACpB,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC;AAE5B,wBAAwB;AACxB,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;IAC5D,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;QAC1B,QAAQ,CAAC,GAAG,KAAK,GAAG,EAAE,KAAK,CAAC,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,SAAS,iBAAiB,CAAC,KAAa;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAEzB,MAAM,QAAQ,GAAG,KAAK;SACnB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,OAAO,CAAC,CAAC;IAEnB,gDAAgD;IAChD,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAElC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gBAAgB;AAChB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE;KAC1B,IAAI,CAAC,iBAAiB,CAAC;KACvB,WAAW,CACV,4FAA4F,CAC7F;KACA,OAAO,CAAC,cAAc,CAAC;KACvB,WAAW,CACV,QAAQ,EACR;EACF,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC;;;+EAG4C,CAC5E;KACA,WAAW,CACV,OAAO,EACP;;QAEI,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;QACX,WAAW;;+EAE4D,CAC5E,CAAC;AAEJ,eAAe;AACf,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CACL,mBAAmB,EACnB,iEAAiE,EACjE,QAAQ,CACT;KACA,MAAM,CACL,+CAA+C,EAC/C,4DAA4D,CAC7D;KACA,MAAM,CAAC,2BAA2B,EAAE,wDAAwD,CAAC;KAC7F,MAAM,CAAC,gCAAgC,EAAE,uDAAuD,CAAC;KACjG,MAAM,CACL,yCAAyC,EACzC,2DAA2D,CAC5D;KACA,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,EAAE,CAAC,IAAI,EAAE,EAAE,CAC1E,IAAI;KACD,KAAK,CAAC,GAAG,CAAC;KACV,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;KAC5B,MAAM,CAAC,OAAO,CAAC,CACnB;KACA,MAAM,CACL,iBAAiB,EACjB,4FAA4F,EAC5F,iBAAiB,EACjB,CAAC,GAAG,CAAC,CACN;KACA,MAAM,CAAC,aAAa,EAAE,uDAAuD,EAAE,KAAK,CAAC;KACrF,MAAM,CAAC,IAAI,CAAC,CAAC;AAEhB,cAAc;AACd,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,sBAAsB,CAAC;KACnC,MAAM,CACL,iBAAiB,EACjB,4FAA4F,EAC5F,iBAAiB,EACjB,CAAC,GAAG,CAAC,CACN;KACA,MAAM,CAAC,aAAa,EAAE,uDAAuD,EAAE,KAAK,CAAC;KACrF,MAAM,CAAC,GAAG,CAAC,CAAC;AAEf,iBAAiB;AACjB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,uDAAuD,CAAC;KACpE,MAAM,CAAC,MAAM,CAAC,CAAC;AAElB,kBAAkB;AAClB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CAAC,OAAO,CAAC,CAAC;AAEnB,8CAA8C;AAC9C,OAAO,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACnC,QAAQ,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;IAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}