@ottocode/sdk 0.1.201 → 0.1.202

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ottocode/sdk",
-	"version": "0.1.201",
+	"version": "0.1.202",
 	"description": "AI agent SDK for building intelligent assistants - tree-shakable and comprehensive",
 	"author": "nitishxyz",
 	"license": "MIT",

package/src/config/src/paths.ts

@@ -35,29 +35,31 @@ export function getGlobalAuthPath(): string {
 	return joinPath(getGlobalConfigDir(), 'auth.json');
 }
 
-// Secure location for auth secrets (not in config dir or project)
-// - Linux: $XDG_STATE_HOME/otto/auth.json or ~/.local/state/otto/auth.json
-// - macOS: ~/Library/Application Support/otto/auth.json
-// - Windows: %APPDATA%\otto\auth.json
-export function getSecureAuthPath(): string {
+export function getSecureBaseDir(): string {
 	const platform = process.platform;
 	if (platform === 'darwin') {
-		return joinPath(
-			getHomeDir(),
-			'Library',
-			'Application Support',
-			'otto',
-			'auth.json',
-		);
+		return joinPath(getHomeDir(), 'Library', 'Application Support', 'otto');
 	}
 	if (platform === 'win32') {
 		const appData = (process.env.APPDATA || '').replace(/\\/g, '/');
 		const base = appData || joinPath(getHomeDir(), 'AppData', 'Roaming');
-		return joinPath(base, 'otto', 'auth.json');
+		return joinPath(base, 'otto');
 	}
 	const stateHome = (process.env.XDG_STATE_HOME || '').replace(/\\/g, '/');
 	const base = stateHome || joinPath(getHomeDir(), '.local', 'state');
-	return joinPath(base, 'otto', 'auth.json');
+	return joinPath(base, 'otto');
+}
+
+export function getSecureOAuthDir(): string {
+	return joinPath(getSecureBaseDir(), 'oauth');
+}
+
+// Secure location for auth secrets (not in config dir or project)
+// - Linux: $XDG_STATE_HOME/otto/auth.json or ~/.local/state/otto/auth.json
+// - macOS: ~/Library/Application Support/otto/auth.json
+// - Windows: %APPDATA%\otto\auth.json
+export function getSecureAuthPath(): string {
+	return joinPath(getSecureBaseDir(), 'auth.json');
 }
 
 // Global content under config dir

package/src/core/src/index.ts

@@ -133,6 +133,7 @@ export type {
 	MCPToolInfo,
 	MCPTransport,
 	MCPOAuthConfig,
+	MCPScope,
 	StoredOAuthData,
 	OttoOAuthProviderOptions,
 	CallbackResult,

package/src/core/src/mcp/index.ts

@@ -4,6 +4,7 @@ export type {
 	MCPServerStatus,
 	MCPTransport,
 	MCPOAuthConfig,
+	MCPScope,
 } from './types.ts';
 
 export { MCPClientWrapper, type MCPToolInfo } from './client.ts';

package/src/core/src/mcp/lifecycle.ts

@@ -1,5 +1,5 @@
 import { MCPServerManager } from './server-manager.ts';
-import type { MCPConfig, MCPServerConfig } from './types.ts';
+import type { MCPConfig, MCPServerConfig, MCPScope } from './types.ts';
 import { promises as fs } from 'node:fs';
 import { join } from 'node:path';
 
@@ -11,11 +11,15 @@ export function getMCPManager(): MCPServerManager | null {
 
 export async function initializeMCP(
 	config: MCPConfig,
+	projectRoot?: string,
 ): Promise<MCPServerManager> {
 	if (globalMCPManager) {
 		await globalMCPManager.stopAll();
 	}
 	globalMCPManager = new MCPServerManager();
+	if (projectRoot) {
+		globalMCPManager.setProjectRoot(projectRoot);
+	}
 	await globalMCPManager.startServers(config.servers);
 	return globalMCPManager;
 }
@@ -41,7 +45,7 @@ export async function loadMCPConfig(
 		const globalServers = await readMCPServersFromFile(globalPath);
 		for (const s of globalServers) {
 			seen.add(s.name);
-			servers.push(s);
+			servers.push({ ...s, scope: 'global' });
 		}
 	}
 
@@ -50,9 +54,9 @@ export async function loadMCPConfig(
 	for (const s of projectServers) {
 		if (seen.has(s.name)) {
 			const idx = servers.findIndex((existing) => existing.name === s.name);
-			if (idx >= 0) servers[idx] = s;
+			if (idx >= 0) servers[idx] = { ...s, scope: 'project' };
 		} else {
-			servers.push(s);
+			servers.push({ ...s, scope: 'project' });
 		}
 	}
 
@@ -81,11 +85,30 @@ async function readMCPServersFromFile(
 	}
 }
 
+function resolveConfigPath(
+	projectRoot: string,
+	globalConfigDir: string | undefined,
+	scope: MCPScope,
+): string {
+	if (scope === 'global' && globalConfigDir) {
+		return join(globalConfigDir, 'config.json');
+	}
+	return join(projectRoot, '.otto', 'config.json');
+}
+
+async function ensureConfigDir(configPath: string): Promise<void> {
+	const dir = configPath.replace(/[/\\][^/\\]+$/, '');
+	await fs.mkdir(dir, { recursive: true });
+}
+
 export async function addMCPServerToConfig(
 	projectRoot: string,
 	server: MCPServerConfig,
+	globalConfigDir?: string,
 ): Promise<void> {
-	const configPath = join(projectRoot, '.otto', 'config.json');
+	const scope: MCPScope = server.scope ?? 'global';
+	const configPath = resolveConfigPath(projectRoot, globalConfigDir, scope);
+
 	let json: Record<string, unknown> = {};
 	try {
 		const text = await fs.readFile(configPath, 'utf-8');
@@ -98,37 +121,48 @@ export async function addMCPServerToConfig(
 
 	const servers = mcp.servers as MCPServerConfig[];
 	const idx = servers.findIndex((s) => s.name === server.name);
+
+	const { scope: _scope, ...serverWithoutScope } = server;
 	if (idx >= 0) {
-		servers[idx] = server;
+		servers[idx] = serverWithoutScope;
 	} else {
-		servers.push(server);
+		servers.push(serverWithoutScope);
 	}
 
-	await fs.mkdir(join(projectRoot, '.otto'), { recursive: true });
+	await ensureConfigDir(configPath);
 	await fs.writeFile(configPath, JSON.stringify(json, null, '\t'), 'utf-8');
 }
 
 export async function removeMCPServerFromConfig(
 	projectRoot: string,
 	name: string,
+	globalConfigDir?: string,
 ): Promise<boolean> {
-	const configPath = join(projectRoot, '.otto', 'config.json');
-	let json: Record<string, unknown> = {};
-	try {
-		const text = await fs.readFile(configPath, 'utf-8');
-		json = JSON.parse(text);
-	} catch {
-		return false;
-	}
+	const paths = [
+		...(globalConfigDir ? [join(globalConfigDir, 'config.json')] : []),
+		join(projectRoot, '.otto', 'config.json'),
+	];
+
+	for (const configPath of paths) {
+		let json: Record<string, unknown> = {};
+		try {
+			const text = await fs.readFile(configPath, 'utf-8');
+			json = JSON.parse(text);
+		} catch {
+			continue;
+		}
 
-	const mcp = json.mcp as Record<string, unknown> | undefined;
-	if (!mcp || !Array.isArray(mcp.servers)) return false;
+		const mcp = json.mcp as Record<string, unknown> | undefined;
+		if (!mcp || !Array.isArray(mcp.servers)) continue;
 
-	const servers = mcp.servers as MCPServerConfig[];
-	const idx = servers.findIndex((s) => s.name === name);
-	if (idx < 0) return false;
+		const servers = mcp.servers as MCPServerConfig[];
+		const idx = servers.findIndex((s) => s.name === name);
+		if (idx < 0) continue;
 
-	servers.splice(idx, 1);
-	await fs.writeFile(configPath, JSON.stringify(json, null, '\t'), 'utf-8');
-	return true;
+		servers.splice(idx, 1);
+		await fs.writeFile(configPath, JSON.stringify(json, null, '\t'), 'utf-8');
+		return true;
+	}
+
+	return false;
 }

package/src/core/src/mcp/oauth/store.ts

@@ -1,5 +1,6 @@
 import { promises as fs } from 'node:fs';
 import { join } from 'node:path';
+import { getSecureOAuthDir } from '../../../../config/src/paths.ts';
 
 export interface StoredOAuthData {
 	tokens?: {
@@ -22,14 +23,7 @@ export class OAuthCredentialStore {
 	private storePath: string;
 
 	constructor(storePath?: string) {
-		this.storePath =
-			storePath ??
-			join(
-				process.env.HOME ?? process.env.USERPROFILE ?? '',
-				'.config',
-				'otto',
-				'oauth',
-			);
+		this.storePath = storePath ?? getSecureOAuthDir();
 	}
 
 	private filePath(serverName: string): string {

package/src/core/src/mcp/server-manager.ts

@@ -2,6 +2,7 @@ import { MCPClientWrapper, type MCPToolInfo } from './client.ts';
 import type { MCPServerConfig, MCPServerStatus } from './types.ts';
 import { OAuthCredentialStore } from './oauth/store.ts';
 import { OttoOAuthProvider } from './oauth/provider.ts';
+import { createHash } from 'node:crypto';
 
 type IndexedTool = {
 	server: string;
@@ -14,17 +15,36 @@ export class MCPServerManager {
 	private authProviders = new Map<string, OttoOAuthProvider>();
 	private pendingAuth = new Map<string, string>();
 	private oauthStore = new OAuthCredentialStore();
+	private serverScopes = new Map<string, 'global' | 'project'>();
 	private _started = false;
+	private projectRoot: string | null = null;
 
 	get started(): boolean {
 		return this._started;
 	}
 
+	setProjectRoot(projectRoot: string): void {
+		this.projectRoot = projectRoot;
+	}
+
+	private oauthKey(serverName: string): string {
+		const scope = this.serverScopes.get(serverName);
+		if (scope === 'project' && this.projectRoot) {
+			const hash = createHash('sha256')
+				.update(this.projectRoot)
+				.digest('hex')
+				.slice(0, 8);
+			return `${serverName}_proj_${hash}`;
+		}
+		return serverName;
+	}
+
 	async startServers(configs: MCPServerConfig[]): Promise<void> {
 		await this.stopAll();
 
 		for (const config of configs) {
 			if (config.disabled) continue;
+			this.serverScopes.set(config.name, config.scope ?? 'global');
 			await this.startSingleServer(config);
 		}
 		this._started = true;
@@ -38,7 +58,8 @@ export class MCPServerManager {
 			const hasStaticAuth =
 				config.headers?.Authorization || config.headers?.authorization;
 			if (!hasStaticAuth) {
-				const provider = new OttoOAuthProvider(config.name, this.oauthStore, {
+				const key = this.oauthKey(config.name);
+				const provider = new OttoOAuthProvider(key, this.oauthStore, {
 					clientId: config.oauth?.clientId,
 					callbackPort: config.oauth?.callbackPort,
 					scopes: config.oauth?.scopes,
@@ -104,6 +125,7 @@ export class MCPServerManager {
 		this.toolsMap.clear();
 		this.authProviders.clear();
 		this.pendingAuth.clear();
+		this.serverScopes.clear();
 		this._started = false;
 	}
 
@@ -137,8 +159,9 @@ export class MCPServerManager {
 				.filter(([, v]) => v.server === name)
 				.map(([k]) => k);
 			const config = client.serverConfig;
+			const key = this.oauthKey(name);
 			const _authenticated = this.oauthStore
-				.isAuthenticated(name)
+				.isAuthenticated(key)
 				.catch(() => false);
 
 			statuses.push({
@@ -161,8 +184,9 @@ export class MCPServerManager {
 				.filter(([, v]) => v.server === name)
 				.map(([k]) => k);
 			const config = client.serverConfig;
+			const key = this.oauthKey(name);
 			const authenticated = await this.oauthStore
-				.isAuthenticated(name)
+				.isAuthenticated(key)
 				.catch(() => false);
 
 			statuses.push({
@@ -194,7 +218,9 @@ export class MCPServerManager {
 		const transport = config.transport ?? 'stdio';
 		if (transport === 'stdio') return null;
 
-		const provider = new OttoOAuthProvider(config.name, this.oauthStore, {
+		this.serverScopes.set(config.name, config.scope ?? 'global');
+		const key = this.oauthKey(config.name);
+		const provider = new OttoOAuthProvider(key, this.oauthStore, {
 			clientId: config.oauth?.clientId,
 			callbackPort: config.oauth?.callbackPort,
 			scopes: config.oauth?.scopes,
@@ -272,7 +298,8 @@ export class MCPServerManager {
 	async getAuthStatus(
 		name: string,
 	): Promise<{ authenticated: boolean; expiresAt?: number }> {
-		const tokens = await this.oauthStore.loadTokens(name);
+		const key = this.oauthKey(name);
+		const tokens = await this.oauthStore.loadTokens(key);
 		if (!tokens?.access_token) return { authenticated: false };
 		return {
 			authenticated: true,
@@ -282,6 +309,7 @@ export class MCPServerManager {
 
 	async restartServer(config: MCPServerConfig): Promise<void> {
 		await this.stopServer(config.name);
+		this.serverScopes.set(config.name, config.scope ?? 'global');
 		await this.startSingleServer(config);
 	}
 

package/src/core/src/mcp/types.ts

@@ -1,4 +1,5 @@
 export type MCPTransport = 'stdio' | 'http' | 'sse';
+export type MCPScope = 'global' | 'project';
 
 export interface MCPOAuthConfig {
 	clientId?: string;
@@ -21,6 +22,8 @@ export interface MCPServerConfig {
 	oauth?: MCPOAuthConfig;
 
 	disabled?: boolean;
+
+	scope?: MCPScope;
 }
 
 export interface MCPConfig {

package/src/index.ts

@@ -171,6 +171,8 @@ export {
 	getGlobalToolsDir,
 	getGlobalCommandsDir,
 	getSecureAuthPath,
+	getSecureBaseDir,
+	getSecureOAuthDir,
 	getHomeDir,
 } from './config/src/paths.ts';
 export {
@@ -358,6 +360,7 @@ export type {
 	MCPToolInfo,
 	MCPTransport,
 	MCPOAuthConfig,
+	MCPScope,
 	StoredOAuthData,
 	OttoOAuthProviderOptions,
 	CallbackResult,