npm - @ottocode/server - Versions diffs - 0.1.206 → 0.1.208 - Mend

@ottocode/server 0.1.206 → 0.1.208

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +3 -3
package/src/routes/mcp.ts +200 -3
package/src/routes/sessions.ts +1 -1
package/src/runtime/message/service.ts +1 -1
package/src/runtime/tools/guards.ts +159 -0
package/src/tools/adapter.ts +40 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@ottocode/server",
-	"version": "0.1.206",
+	"version": "0.1.208",
 	"description": "HTTP API server for ottocode",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -49,8 +49,8 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
-		"@ottocode/sdk": "0.1.206",
-		"@ottocode/database": "0.1.206",
+		"@ottocode/sdk": "0.1.208",
+		"@ottocode/database": "0.1.208",
 		"drizzle-orm": "^0.44.5",
 		"hono": "^4.9.9",
 		"zod": "^4.1.8"

package/src/routes/mcp.ts CHANGED Viewed

@@ -8,6 +8,39 @@ import {
 	addMCPServerToConfig,
 	removeMCPServerFromConfig,
 } from '@ottocode/sdk';
+import {
+	authorizeCopilot,
+	pollForCopilotTokenOnce,
+	getAuth,
+	setAuth,
+} from '@ottocode/sdk';
+const GITHUB_COPILOT_HOSTS = [
+	'api.githubcopilot.com',
+	'copilot-proxy.githubusercontent.com',
+];
+function isGitHubCopilotUrl(url?: string): boolean {
+	if (!url) return false;
+	try {
+		const parsed = new URL(url);
+		return GITHUB_COPILOT_HOSTS.some(
+			(h) => parsed.hostname === h || parsed.hostname.endsWith(`.${h}`),
+		);
+	} catch {
+		return false;
+	}
+}
+const copilotMCPSessions = new Map<
+	string,
+	{
+		deviceCode: string;
+		interval: number;
+		serverName: string;
+		createdAt: number;
+	}
+>();
 export function registerMCPRoutes(app: Hono) {
 	app.get('/v1/mcp/servers', async (c) => {
@@ -30,6 +63,7 @@ export function registerMCPRoutes(app: Hono) {
 				authRequired: status?.authRequired ?? false,
 				authenticated: status?.authenticated ?? false,
 				scope: s.scope ?? 'global',
+				...(isGitHubCopilotUrl(s.url) ? { authType: 'copilot-device' } : {}),
 			};
 		});
@@ -148,6 +182,37 @@ export function registerMCPRoutes(app: Hono) {
 			const status = (await manager.getStatusAsync()).find(
 				(s) => s.name === name,
 			);
+			if (isGitHubCopilotUrl(serverConfig.url) && !status?.connected) {
+				const MCP_SCOPES =
+					'repo read:org read:packages gist notifications read:project security_events';
+				const existingAuth = await getAuth('copilot');
+				const hasMCPScopes =
+					existingAuth?.type === 'oauth' && existingAuth.scopes === MCP_SCOPES;
+				if (!existingAuth || existingAuth.type !== 'oauth' || !hasMCPScopes) {
+					const deviceData = await authorizeCopilot({ mcp: true });
+					const sessionId = crypto.randomUUID();
+					copilotMCPSessions.set(sessionId, {
+						deviceCode: deviceData.deviceCode,
+						interval: deviceData.interval,
+						serverName: name,
+						createdAt: Date.now(),
+					});
+					return c.json({
+						ok: true,
+						name,
+						connected: false,
+						authRequired: true,
+						authType: 'copilot-device',
+						sessionId,
+						userCode: deviceData.userCode,
+						verificationUri: deviceData.verificationUri,
+						interval: deviceData.interval,
+					});
+				}
+			}
 			return c.json({
 				ok: true,
 				name,
@@ -189,6 +254,48 @@ export function registerMCPRoutes(app: Hono) {
 			return c.json({ ok: false, error: `Server "${name}" not found` }, 404);
 		}
+		if (isGitHubCopilotUrl(serverConfig.url)) {
+			try {
+				const MCP_SCOPES =
+					'repo read:org read:packages gist notifications read:project security_events';
+				const existingAuth = await getAuth('copilot');
+				if (
+					existingAuth?.type === 'oauth' &&
+					existingAuth.refresh &&
+					existingAuth.scopes === MCP_SCOPES
+				) {
+					return c.json({
+						ok: true,
+						name,
+						authType: 'copilot-device',
+						authenticated: true,
+						message: 'Already authenticated with MCP scopes',
+					});
+				}
+				const deviceData = await authorizeCopilot({ mcp: true });
+				const sessionId = crypto.randomUUID();
+				copilotMCPSessions.set(sessionId, {
+					deviceCode: deviceData.deviceCode,
+					interval: deviceData.interval,
+					serverName: name,
+					createdAt: Date.now(),
+				});
+				return c.json({
+					ok: true,
+					name,
+					authType: 'copilot-device',
+					sessionId,
+					userCode: deviceData.userCode,
+					verificationUri: deviceData.verificationUri,
+					interval: deviceData.interval,
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				return c.json({ ok: false, error: msg }, 500);
+			}
+		}
 		try {
 			let manager = getMCPManager();
 			if (!manager) {
@@ -216,7 +323,66 @@ export function registerMCPRoutes(app: Hono) {
 	app.post('/v1/mcp/servers/:name/auth/callback', async (c) => {
 		const name = c.req.param('name');
 		const body = await c.req.json();
-		const { code } = body;
+		const { code, sessionId } = body;
+		if (sessionId) {
+			const session = copilotMCPSessions.get(sessionId);
+			if (!session || session.serverName !== name) {
+				return c.json({ ok: false, error: 'Session expired or invalid' }, 400);
+			}
+			try {
+				const result = await pollForCopilotTokenOnce(session.deviceCode);
+				if (result.status === 'complete') {
+					copilotMCPSessions.delete(sessionId);
+					await setAuth(
+						'copilot',
+						{
+							type: 'oauth',
+							refresh: result.accessToken,
+							access: result.accessToken,
+							expires: 0,
+							scopes:
+								'repo read:org read:packages gist notifications read:project security_events',
+						},
+						undefined,
+						'global',
+					);
+					const projectRoot = process.cwd();
+					const config = await loadMCPConfig(projectRoot, getGlobalConfigDir());
+					const serverConfig = config.servers.find((s) => s.name === name);
+					let mcpMgr = getMCPManager();
+					if (serverConfig) {
+						if (!mcpMgr) {
+							mcpMgr = await initializeMCP({ servers: [] }, projectRoot);
+						}
+						await mcpMgr.restartServer(serverConfig);
+					}
+					mcpMgr = getMCPManager();
+					const status = mcpMgr
+						? (await mcpMgr.getStatusAsync()).find((s) => s.name === name)
+						: undefined;
+					return c.json({
+						ok: true,
+						status: 'complete',
+						name,
+						connected: status?.connected ?? false,
+						tools: status?.tools ?? [],
+					});
+				}
+				if (result.status === 'pending') {
+					return c.json({ ok: true, status: 'pending' });
+				}
+				copilotMCPSessions.delete(sessionId);
+				return c.json({
+					ok: false,
+					status: 'error',
+					error: result.status === 'error' ? result.error : 'Unknown error',
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				return c.json({ ok: false, error: msg }, 500);
+			}
+		}
 		if (!code) {
 			return c.json({ ok: false, error: 'code is required' }, 400);
@@ -249,8 +415,21 @@ export function registerMCPRoutes(app: Hono) {
 	app.get('/v1/mcp/servers/:name/auth/status', async (c) => {
 		const name = c.req.param('name');
-		const manager = getMCPManager();
+		const projectRoot = process.cwd();
+		const config = await loadMCPConfig(projectRoot, getGlobalConfigDir());
+		const serverConfig = config.servers.find((s) => s.name === name);
+		if (serverConfig && isGitHubCopilotUrl(serverConfig.url)) {
+			try {
+				const auth = await getAuth('copilot');
+				const authenticated = auth?.type === 'oauth' && !!auth.refresh;
+				return c.json({ authenticated, authType: 'copilot-device' });
+			} catch {
+				return c.json({ authenticated: false, authType: 'copilot-device' });
+			}
+		}
+		const manager = getMCPManager();
 		if (!manager) {
 			return c.json({ authenticated: false });
 		}
@@ -265,8 +444,26 @@ export function registerMCPRoutes(app: Hono) {
 	app.delete('/v1/mcp/servers/:name/auth', async (c) => {
 		const name = c.req.param('name');
-		const manager = getMCPManager();
+		const projectRoot = process.cwd();
+		const config = await loadMCPConfig(projectRoot, getGlobalConfigDir());
+		const serverConfig = config.servers.find((s) => s.name === name);
+		if (serverConfig && isGitHubCopilotUrl(serverConfig.url)) {
+			try {
+				const { removeAuth } = await import('@ottocode/sdk');
+				await removeAuth('copilot');
+				const manager = getMCPManager();
+				if (manager) {
+					await manager.stopServer(name);
+				}
+				return c.json({ ok: true, name });
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				return c.json({ ok: false, error: msg }, 500);
+			}
+		}
+		const manager = getMCPManager();
 		if (!manager) {
 			return c.json({ ok: false, error: 'No MCP manager active' }, 400);
 		}

package/src/routes/sessions.ts CHANGED Viewed

@@ -800,7 +800,7 @@ export function registerSessionsRoutes(app: Hono) {
 			);
 			const { runSessionLoop } = await import('../runtime/agent/runner.ts');
-			const toolApprovalMode = cfg.defaults.toolApproval ?? 'auto';
+			const toolApprovalMode = cfg.defaults.toolApproval ?? 'dangerous';
 			enqueueAssistantRun(
 				{

package/src/runtime/message/service.ts CHANGED Viewed

@@ -168,7 +168,7 @@ export async function dispatchAssistantMessage(
 		);
 	}
-	const toolApprovalMode = cfg.defaults.toolApproval ?? 'auto';
+	const toolApprovalMode = cfg.defaults.toolApproval ?? 'dangerous';
 	enqueueAssistantRun(
 		{

package/src/runtime/tools/guards.ts ADDED Viewed

@@ -0,0 +1,159 @@
+export type GuardAction =
+	| { type: 'block'; reason: string }
+	| { type: 'approve'; reason: string }
+	| { type: 'allow' };
+export function guardToolCall(toolName: string, args: unknown): GuardAction {
+	const a = (args ?? {}) as Record<string, unknown>;
+	switch (toolName) {
+		case 'bash':
+			return guardBashCommand(String(a.cmd ?? ''));
+		case 'terminal':
+			return guardTerminal(a);
+		case 'read':
+			return guardReadPath(String(a.path ?? ''));
+		case 'write':
+		case 'edit':
+		case 'multiedit':
+			return guardWritePath(toolName, a);
+		default:
+			return { type: 'allow' };
+	}
+}
+function guardBashCommand(cmd: string): GuardAction {
+	const n = cmd.trim();
+	if (!n) return { type: 'allow' };
+	const blocked = checkBlockedCommand(n);
+	if (blocked) return { type: 'block', reason: blocked };
+	const approval = checkApprovalCommand(n);
+	if (approval) return { type: 'approve', reason: approval };
+	return { type: 'allow' };
+}
+function checkBlockedCommand(cmd: string): string | null {
+	if (isRecursiveDeleteRoot(cmd)) return 'Recursive delete of root filesystem';
+	if (isRecursiveDeleteHome(cmd)) return 'Recursive delete of home directory';
+	if (isForkBomb(cmd)) return 'Fork bomb detected';
+	if (isFilesystemFormat(cmd)) return 'Filesystem format command';
+	if (isRawDiskWrite(cmd)) return 'Raw disk write operation';
+	return null;
+}
+function isRecursiveDeleteRoot(cmd: string): boolean {
+	if (!/\brm\b/.test(cmd)) return false;
+	if (!hasRecursiveFlag(cmd)) return false;
+	return /\s\/(\s*$|\s*\*|\s*;|\s*&|\s*\|)/.test(cmd);
+}
+function isRecursiveDeleteHome(cmd: string): boolean {
+	if (!/\brm\b/.test(cmd)) return false;
+	if (!hasRecursiveFlag(cmd)) return false;
+	return /\s~\/?\s*($|\*|;|&|\|)/.test(cmd);
+}
+function hasRecursiveFlag(cmd: string): boolean {
+	return /-\w*[rR]|--recursive/.test(cmd);
+}
+function isForkBomb(cmd: string): boolean {
+	return /:\(\)\s*\{[^}]*:\s*\|\s*:/.test(cmd);
+}
+function isFilesystemFormat(cmd: string): boolean {
+	return /\bmkfs(\.\w+)?\s/.test(cmd);
+}
+function isRawDiskWrite(cmd: string): boolean {
+	if (/\bdd\b/.test(cmd) && /\bof=\/dev\//.test(cmd)) return true;
+	if (/>\s*\/dev\/[sv]d/.test(cmd)) return true;
+	return false;
+}
+function checkApprovalCommand(cmd: string): string | null {
+	if (/\brm\b/.test(cmd) && hasRecursiveFlag(cmd)) {
+		return 'Recursive delete command';
+	}
+	if (/\bsudo\b/.test(cmd)) {
+		return 'Privilege escalation (sudo)';
+	}
+	if (/\b(chmod|chown)\b/.test(cmd) && /(-\w*R|--recursive)/.test(cmd)) {
+		return 'Recursive permission/ownership change';
+	}
+	if (/\b(curl|wget)\b/.test(cmd) && /\|\s*(bash|sh|zsh)\b/.test(cmd)) {
+		return 'Remote code execution via pipe to shell';
+	}
+	if (/\bgit\s+push\b.*--force/.test(cmd)) {
+		return 'Force push to remote';
+	}
+	return null;
+}
+function guardTerminal(args: Record<string, unknown>): GuardAction {
+	const op = String(args.operation ?? '');
+	if (op === 'start' && typeof args.command === 'string') {
+		return guardBashCommand(args.command);
+	}
+	return { type: 'allow' };
+}
+const BLOCKED_READ_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /^~?\/?\.ssh\/id_/, reason: 'SSH private key access' },
+	{ pattern: /^\/etc\/shadow$/, reason: 'System password hashes' },
+];
+const SENSITIVE_READ_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /^\/etc\/passwd$/, reason: 'System password file' },
+	{ pattern: /^~?\/?\.ssh\//, reason: 'SSH directory access' },
+	{ pattern: /^~?\/?\.aws\//, reason: 'AWS credentials' },
+	{ pattern: /^~?\/?\.gnupg\//, reason: 'GPG keyring' },
+	{ pattern: /^~?\/?\.config\/gh\//, reason: 'GitHub CLI tokens' },
+	{ pattern: /^~?\/?\.npmrc$/, reason: 'npm auth tokens' },
+	{ pattern: /^~?\/?\.netrc$/, reason: 'Network credentials' },
+	{ pattern: /^~?\/?\.kube\//, reason: 'Kubernetes config' },
+	{ pattern: /^~?\/?\.docker\/config\.json$/, reason: 'Docker credentials' },
+];
+function guardReadPath(path: string): GuardAction {
+	if (!path) return { type: 'allow' };
+	const p = path.trim();
+	for (const { pattern, reason } of BLOCKED_READ_PATHS) {
+		if (pattern.test(p)) return { type: 'block', reason };
+	}
+	for (const { pattern, reason } of SENSITIVE_READ_PATHS) {
+		if (pattern.test(p)) return { type: 'approve', reason };
+	}
+	if (p.startsWith('/') || p.startsWith('~')) {
+		return { type: 'approve', reason: 'Reading path outside project root' };
+	}
+	return { type: 'allow' };
+}
+const SENSITIVE_WRITE_PATHS: Array<{ pattern: RegExp; reason: string }> = [
+	{ pattern: /(^|\/)\.env($|\.)/, reason: 'Writing to environment file' },
+	{ pattern: /(^|\/)\.git\/hooks\//, reason: 'Writing to git hooks' },
+];
+function guardWritePath(
+	toolName: string,
+	args: Record<string, unknown>,
+): GuardAction {
+	const path =
+		typeof args.path === 'string'
+			? args.path
+			: typeof args.filePath === 'string'
+				? args.filePath
+				: '';
+	if (!path) return { type: 'allow' };
+	const p = path.trim();
+	for (const { pattern, reason } of SENSITIVE_WRITE_PATHS) {
+		if (pattern.test(p)) return { type: 'approve', reason };
+	}
+	return { type: 'allow' };
+}

package/src/tools/adapter.ts CHANGED Viewed

@@ -17,6 +17,7 @@ import {
 	requiresApproval,
 	requestApproval,
 } from '../runtime/tools/approval.ts';
+import { guardToolCall } from '../runtime/tools/guards.ts';
 export type { ToolAdapterContext } from '../runtime/tools/context.ts';
@@ -38,6 +39,8 @@ type PendingCallMeta = {
 	stepIndex?: number;
 	args?: unknown;
 	approvalPromise?: Promise<boolean>;
+	blocked?: boolean;
+	blockReason?: string;
 };
 function getPendingQueue(
@@ -336,6 +339,19 @@ export function adaptTools(
 						args,
 					);
 				}
+				const guard = guardToolCall(name, args);
+				if (guard.type === 'block') {
+					meta.blocked = true;
+					meta.blockReason = guard.reason;
+				} else if (guard.type === 'approve' && !meta.approvalPromise) {
+					meta.approvalPromise = requestApproval(
+						ctx.sessionId,
+						ctx.messageId,
+						callId,
+						name,
+						args,
+					);
+				}
 				if (typeof base.onInputAvailable === 'function') {
 					// biome-ignore lint/suspicious/noExplicitAny: AI SDK types are complex
 					await base.onInputAvailable(options as any);
@@ -367,14 +383,36 @@ export function adaptTools(
 				const executeWithGuards = async (): Promise<ToolExecuteReturn> => {
 					try {
+						if (meta?.blocked) {
+							const blockedResult = {
+								ok: false,
+								error: `Blocked: ${meta.blockReason}`,
+								details: { reason: 'safety_guard' },
+							};
+							await persistToolErrorResult(blockedResult, {
+								callId: callIdFromQueue,
+								startTs: startTsFromQueue,
+								stepIndexForEvent,
+								args: meta?.args,
+							});
+							return blockedResult as ToolExecuteReturn;
+						}
 						// Await approval if it was requested in onInputAvailable
 						if (meta?.approvalPromise) {
 							const approved = await meta.approvalPromise;
 							if (!approved) {
-								return {
+								const rejectedResult = {
 									ok: false,
 									error: 'Tool execution rejected by user',
-								} as ToolExecuteReturn;
+									details: { reason: 'user_rejected' },
+								};
+								await persistToolErrorResult(rejectedResult, {
+									callId: callIdFromQueue,
+									startTs: startTsFromQueue,
+									stepIndexForEvent,
+									args: meta?.args,
+								});
+								return rejectedResult as ToolExecuteReturn;
 							}
 						}
 						// Handle session-relative paths and cwd tools