@padua/cli 2.0.24 → 2.2.0

package/README.md

@@ -54,15 +54,16 @@ The `init` command will:
 | | Status | Health check for all authentication services |
 | | Doctor | Configuration validation and diagnostics with fuzzy profile matching |
 | **Tunnel** | RDS | Secure tunnels to RDS/Aurora databases via SSM |
+| | LB | Port forwarding to internal ALB via SSM |
 | **Exec** | ECS | Interactive shell in running ECS containers via SSM |
-| **MCP** | Server | Built-in MCP server with 49 GitLab and Atlassian tools |
+| **MCP** | Server | Built-in MCP server with 51 tools — GitLab, Atlassian, and code execution |
 | | Daemon | Background process management via `padua login` |
 | | Diagnostics | MCP health checks via `padua doctor` |
 | | Migration | Token migration from legacy Go server |
 
 ## MCP Server
 
-`@padua/cli` v2 includes a built-in [MCP](https://modelcontextprotocol.io/) (Model Context Protocol) server that exposes 49 tools and 6 resource templates for GitLab and Atlassian. Any MCP-compatible client — Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, etc. — can call these tools directly.
+`@padua/cli` v2 includes a built-in [MCP](https://modelcontextprotocol.io/) (Model Context Protocol) server that exposes 51 tools and 6 resource templates for GitLab, Atlassian, and code execution. Any MCP-compatible client — Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, etc. — can call these tools directly.
 
 ### Setup
 
@@ -107,6 +108,8 @@ Steps 5-7 are non-blocking — if a provider fails, the rest of Padua still work
 - **Auth:** `Authorization: Bearer padua-mcp-local` (fixed token — the server only binds to localhost)
 - **Tokens:** OAuth tokens persisted to `~/.padua/tokens.db` (AES-256-GCM encrypted), proactively refreshed before expiry and lazily refreshed on tool calls
 - **Sessions:** Multi-session support — multiple Claude Code instances share the daemon concurrently, each with an independent session. Stale sessions are swept after 30 minutes, max 10 concurrent sessions with LRU eviction
+- **Response format:** All tools default to TOON (Token-Oriented Object Notation) for 40-60% token savings on list/search responses. Pass `"format": "json"` on any tool call to receive raw JSON instead
+- **Code mode:** `call_tool_chain` executes JavaScript in a secure V8 sandbox with all MCP tools available as synchronous namespaced functions (`gitlab.*`, `jira.*`, `confluence.*`). `search_tools` provides keyword search over all registered tools
 
 ### IDE Configuration
 
@@ -265,6 +268,13 @@ curl -X POST http://127.0.0.1:8919/mcp \
 | `atlassian_confluence_get_space` | Get space details by key |
 | `atlassian_confluence_search_content` | Search page content |
 
+#### Code Mode (2 tools)
+
+| Tool | Description |
+|------|-------------|
+| `call_tool_chain` | Execute JavaScript in a secure isolated-vm V8 sandbox with all MCP tools available as synchronous namespaced functions (`gitlab.*`, `jira.*`, `confluence.*`). Supports configurable timeout and memory limit. Use `__interfaces` or `__getToolInterface(name)` for tool schema introspection |
+| `search_tools` | Search registered MCP tools by keyword — matches against name and description, returns full schema information |
+
 ### Resource Templates
 
 Resources provide direct read access to specific entities by URI:
@@ -302,7 +312,7 @@ Returns:
     "atlassian": "ready"
   },
   "uptime": 3600,
-  "version": "2.0.23"
+  "version": "2.2.0"
 }
 ```
 
@@ -789,15 +799,27 @@ paws clear
 
 ## Tunnel Command
 
-Create secure tunnels to RDS databases via SSM Session Manager.
+Create secure tunnels to AWS resources via SSM Session Manager.
 
 Automatically reads `AWS_PROFILE` environment variable when no `--profile` flag is provided (works with `paws`).
 
+### Targets
+
+| Target | Description | System Required |
+|--------|-------------|-----------------|
+| `rds` | Tunnel to RDS/Aurora databases | Yes (e.g., `roma`, `padua-iam`) |
+| `lb` | Tunnel to internal ALB (`dev.int.paduasolutions.net:443`) | No |
+
 ### Basic Usage
 
 ```bash
+# RDS tunnel (requires system argument)
 padua tunnel roma rds                    # Interactive (prompts for port/cluster)
 padua tunnel roma rds -p paduafg-development  # Use specific profile
+
+# Load balancer tunnel (no system needed)
+padua tunnel lb                          # Interactive (prompts for port, default 8443)
+padua tunnel lb --local-port 9443        # Use specific local port
 ```
 
 ### Options
@@ -806,11 +828,11 @@ padua tunnel roma rds -p paduafg-development  # Use specific profile
 |------|-------------|
 | `-p, --profile <name>` | AWS profile to use |
 | `--local-port <port>` | Local port for the tunnel |
-| `--cluster <name>` | RDS cluster or instance name |
+| `--cluster <name>` | RDS cluster or instance name (RDS only) |
 | `-v, --verbose` | Show detailed output |
 | `--no-color` | Disable colored output |
 
-### System Configuration
+### RDS System Configuration
 
 Different systems use different EC2 instances as tunnel endpoints:
 
@@ -819,7 +841,22 @@ Different systems use different EC2 instances as tunnel endpoints:
 | roma | bastion-host | 3306 (MySQL) | roma-backend |
 | (others) | jumpbox | 5432 (PostgreSQL) | (none) |
 
-### Example Output
+### LB Tunnel Usage
+
+The internal ALB uses path-based routing for most services. Once the tunnel is running:
+
+```bash
+# Path-based services (most services)
+curl -k https://localhost:8443/echo/test
+curl -k https://localhost:8443/wealth-summaries/healthz
+curl -k https://localhost:8443/entity-management/api/v1/status
+
+# Host-based services (permify)
+curl -k https://localhost:8443/v1/permissions/check \
+  -H "Host: permify.dev.int.paduasolutions.net"
+```
+
+### Example Output (RDS)
 
 ```
 Checking port 3306 availability...
@@ -839,6 +876,30 @@ Starting tunnel...
 Press Ctrl+C to close the tunnel
 ```
 
+### Example Output (LB)
+
+```
+Checking port 8443 availability...
+✓ Port 8443 is available
+Looking up jumpbox instance...
+✓ Found instance: i-0abc123def456
+
+Starting tunnel...
+  Profile: paduafg-development
+  Local port: 8443
+  Remote: dev.int.paduasolutions.net:443
+  Via: i-0abc123def456 (jumpbox)
+
+Usage (path-based services):
+  curl -k https://localhost:8443/<service>/path
+  e.g. curl -k https://localhost:8443/echo/test
+
+Usage (host-based services like permify):
+  curl -k https://localhost:8443/path -H "Host: <service>.dev.int.paduasolutions.net"
+
+Press Ctrl+C to close the tunnel
+```
+
 ## Exec Command
 
 Open an interactive shell in a running ECS container via SSM Execute Command.

package/dist/commands/tunnel/index.d.ts

@@ -7,6 +7,6 @@ export declare const tunnelCommand: Command;
 /**
  * Handle the tunnel command
  */
-declare function handleTunnel(system: string, target: string, options: TunnelOptions): Promise<void>;
+declare function handleTunnel(system: string, target: string | undefined, options: TunnelOptions): Promise<void>;
 export { handleTunnel };
 //# sourceMappingURL=index.d.ts.map

package/dist/commands/tunnel/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/tunnel/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAI3C;;GAEG;AACH,eAAO,MAAM,aAAa,SASH,CAAC;AAExB;;GAEG;AACH,iBAAe,YAAY,CACzB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CA8Cf;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/tunnel/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAK3C;;GAEG;AACH,eAAO,MAAM,aAAa,SASH,CAAC;AAExB;;GAEG;AACH,iBAAe,YAAY,CACzB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CAqEf;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/commands/tunnel/index.js

@@ -1,14 +1,15 @@
 import { Command } from 'commander';
 import chalk from 'chalk';
 import { startRdsTunnel } from './rds.js';
+import { startLbTunnel } from './lb.js';
 import { checkSessionManagerPlugin } from '../init/prerequisites.js';
 /**
  * Tunnel command - create secure tunnels to AWS resources via SSM
  */
 export const tunnelCommand = new Command('tunnel')
     .description('Create secure tunnels to AWS resources via SSM Session Manager')
-    .argument('<system>', 'Target system (e.g., roma, padua-iam)')
-    .argument('<target>', 'Target service type (rds)')
+    .argument('<system>', 'Target system (e.g., roma, padua-iam) or target type (lb)')
+    .argument('[target]', 'Target service type (rds, lb)')
     .option('-p, --profile <name>', 'AWS profile to use')
     .option('--local-port <port>', 'Local port for the tunnel')
     .option('--cluster <name>', 'RDS cluster or instance name')
@@ -33,8 +34,24 @@ async function handleTunnel(system, target, options) {
         }
         process.exit(1);
     }
+    // Smart target detection: if system is a valid target and no target provided
+    const validTargets = ['rds', 'lb'];
+    if (target === undefined && validTargets.includes(system.toLowerCase())) {
+        target = system;
+        system = '';
+    }
+    if (target === undefined) {
+        if (!noColor) {
+            console.error(chalk.red('Target is required.'));
+            console.error(chalk.gray(`Valid targets: ${validTargets.join(', ')}`));
+        }
+        else {
+            console.error('Target is required.');
+            console.error(`Valid targets: ${validTargets.join(', ')}`);
+        }
+        process.exit(1);
+    }
     // Validate target type
-    const validTargets = ['rds'];
     if (!validTargets.includes(target.toLowerCase())) {
         if (!noColor) {
             console.error(chalk.red(`Invalid target: ${target}`));
@@ -49,8 +66,14 @@ async function handleTunnel(system, target, options) {
     try {
         switch (target.toLowerCase()) {
             case 'rds':
+                if (!system) {
+                    throw new Error('System argument is required for RDS tunnels (e.g., padua tunnel roma rds)');
+                }
                 await startRdsTunnel(system, options);
                 break;
+            case 'lb':
+                await startLbTunnel(options);
+                break;
             default:
                 throw new Error(`Unsupported target: ${target}`);
         }

package/dist/commands/tunnel/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/tunnel/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC;KAC/C,WAAW,CAAC,gEAAgE,CAAC;KAC7E,QAAQ,CAAC,UAAU,EAAE,uCAAuC,CAAC;KAC7D,QAAQ,CAAC,UAAU,EAAE,2BAA2B,CAAC;KACjD,MAAM,CAAC,sBAAsB,EAAE,oBAAoB,CAAC;KACpD,MAAM,CAAC,qBAAqB,EAAE,2BAA2B,CAAC;KAC1D,MAAM,CAAC,kBAAkB,EAAE,8BAA8B,CAAC;KAC1D,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC;KAC/C,MAAM,CAAC,YAAY,EAAE,wBAAwB,CAAC;KAC9C,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB;;GAEG;AACH,KAAK,UAAU,YAAY,CACzB,MAAc,EACd,MAAc,EACd,OAAsB;IAEtB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IAEzC,sBAAsB;IACtB,MAAM,QAAQ,GAAG,yBAAyB,EAAE,CAAC;IAC7C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC,CAAC;YAC9E,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,YAAY,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,uBAAuB;IACvB,MAAM,YAAY,GAAG,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC,CAAC;YACtD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,QAAQ,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC7B,KAAK,KAAK;gBACR,MAAM,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBACtC,MAAM;YACR;gBACE,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAI,KAAe,CAAC,OAAO,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,sBAAsB;AACtB,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/tunnel/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AAErE;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC;KAC/C,WAAW,CAAC,gEAAgE,CAAC;KAC7E,QAAQ,CAAC,UAAU,EAAE,2DAA2D,CAAC;KACjF,QAAQ,CAAC,UAAU,EAAE,+BAA+B,CAAC;KACrD,MAAM,CAAC,sBAAsB,EAAE,oBAAoB,CAAC;KACpD,MAAM,CAAC,qBAAqB,EAAE,2BAA2B,CAAC;KAC1D,MAAM,CAAC,kBAAkB,EAAE,8BAA8B,CAAC;KAC1D,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC;KAC/C,MAAM,CAAC,YAAY,EAAE,wBAAwB,CAAC;KAC9C,MAAM,CAAC,YAAY,CAAC,CAAC;AAExB;;GAEG;AACH,KAAK,UAAU,YAAY,CACzB,MAAc,EACd,MAA0B,EAC1B,OAAsB;IAEtB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IAEzC,sBAAsB;IACtB,MAAM,QAAQ,GAAG,yBAAyB,EAAE,CAAC;IAC7C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC,CAAC;YAC9E,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,YAAY,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,6EAA6E;IAC7E,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACnC,IAAI,MAAM,KAAK,SAAS,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACxE,MAAM,GAAG,MAAM,CAAC;QAChB,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAED,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACrC,OAAO,CAAC,KAAK,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC,CAAC;YACtD,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,KAAK,CAAC,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,QAAQ,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC7B,KAAK,KAAK;gBACR,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;gBAC/F,CAAC;gBACD,MAAM,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBACtC,MAAM;YACR,KAAK,IAAI;gBACP,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;gBAC7B,MAAM;YACR;gBACE,MAAM,IAAI,KAAK,CAAC,uBAAuB,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAI,KAAe,CAAC,OAAO,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,sBAAsB;AACtB,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/commands/tunnel/lb.d.ts

@@ -0,0 +1,6 @@
+import { TunnelOptions } from './types.js';
+/**
+ * Start an LB tunnel via SSM Session Manager to the internal ALB
+ */
+export declare function startLbTunnel(options: TunnelOptions): Promise<void>;
+//# sourceMappingURL=lb.d.ts.map

package/dist/commands/tunnel/lb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lb.d.ts","sourceRoot":"","sources":["../../../src/commands/tunnel/lb.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAW3C;;GAEG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CA+IzE"}

package/dist/commands/tunnel/lb.js

@@ -0,0 +1,148 @@
+import { spawn } from 'child_process';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { getInstanceIdByTag } from './aws.js';
+import { isPortAvailable, parsePort } from './port.js';
+import { getSubprocessEnv, sanitizeOutput } from '../login/utils.js';
+import { loadConfig } from '../login/config.js';
+import { getEffectiveProfile } from '../login/types.js';
+const ALB_REMOTE_HOST = 'dev.int.paduasolutions.net';
+const ALB_REMOTE_PORT = 443;
+const LB_DEFAULT_LOCAL_PORT = 8443;
+/**
+ * Start an LB tunnel via SSM Session Manager to the internal ALB
+ */
+export async function startLbTunnel(options) {
+    const noColor = options.noColor ?? false;
+    // Load config and get profile
+    const config = await loadConfig();
+    const profile = getEffectiveProfile({ profile: options.profile }, config ?? undefined);
+    // Step 1: Resolve local port
+    let localPort;
+    if (options.localPort) {
+        const parsed = parsePort(options.localPort);
+        if (!parsed) {
+            throw new Error(`Invalid port: ${options.localPort}`);
+        }
+        localPort = parsed;
+    }
+    else {
+        const portAnswer = await inquirer.prompt([
+            {
+                type: 'input',
+                name: 'port',
+                message: 'Local port for ALB tunnel:',
+                default: LB_DEFAULT_LOCAL_PORT.toString(),
+                validate: (input) => {
+                    const p = parsePort(input);
+                    if (!p)
+                        return 'Please enter a valid port number (1-65535)';
+                    return true;
+                },
+            },
+        ]);
+        localPort = parsePort(portAnswer.port);
+    }
+    // Step 2: Verify port availability
+    if (!noColor) {
+        console.log(chalk.gray(`Checking port ${localPort} availability...`));
+    }
+    const portAvailable = await isPortAvailable(localPort);
+    if (!portAvailable) {
+        throw new Error(`Port ${localPort} is already in use. Please choose a different port.`);
+    }
+    if (!noColor) {
+        console.log(chalk.green(`✓ Port ${localPort} is available`));
+    }
+    else {
+        console.log(`Port ${localPort} is available`);
+    }
+    // Step 3: Get jumpbox instance ID
+    if (!noColor) {
+        console.log(chalk.gray('Looking up jumpbox instance...'));
+    }
+    else {
+        console.log('Looking up jumpbox instance...');
+    }
+    const instanceId = getInstanceIdByTag('jumpbox', profile, options.verbose);
+    if (!noColor) {
+        console.log(chalk.green(`✓ Found instance: ${instanceId}`));
+    }
+    else {
+        console.log(`Found instance: ${instanceId}`);
+    }
+    // Step 4: Print tunnel summary
+    console.log('');
+    if (!noColor) {
+        console.log(chalk.cyan.bold('Starting tunnel...'));
+        console.log(chalk.gray(`  Profile: ${profile}`));
+        console.log(chalk.gray(`  Local port: ${localPort}`));
+        console.log(chalk.gray(`  Remote: ${ALB_REMOTE_HOST}:${ALB_REMOTE_PORT}`));
+        console.log(chalk.gray(`  Via: ${instanceId} (jumpbox)`));
+    }
+    else {
+        console.log('Starting tunnel...');
+        console.log(`  Profile: ${profile}`);
+        console.log(`  Local port: ${localPort}`);
+        console.log(`  Remote: ${ALB_REMOTE_HOST}:${ALB_REMOTE_PORT}`);
+        console.log(`  Via: ${instanceId} (jumpbox)`);
+    }
+    console.log('');
+    if (!noColor) {
+        console.log(chalk.cyan('Usage (path-based services):'));
+        console.log(chalk.gray(`  curl -k https://localhost:${localPort}/<service>/path`));
+        console.log(chalk.gray(`  e.g. curl -k https://localhost:${localPort}/echo/test`));
+        console.log('');
+        console.log(chalk.cyan('Usage (host-based services like permify):'));
+        console.log(chalk.gray(`  curl -k https://localhost:${localPort}/path -H "Host: <service>.${ALB_REMOTE_HOST}"`));
+    }
+    else {
+        console.log('Usage (path-based services):');
+        console.log(`  curl -k https://localhost:${localPort}/<service>/path`);
+        console.log(`  e.g. curl -k https://localhost:${localPort}/echo/test`);
+        console.log('');
+        console.log('Usage (host-based services like permify):');
+        console.log(`  curl -k https://localhost:${localPort}/path -H "Host: <service>.${ALB_REMOTE_HOST}"`);
+    }
+    console.log('');
+    if (!noColor) {
+        console.log(chalk.yellow('Press Ctrl+C to close the tunnel'));
+    }
+    else {
+        console.log('Press Ctrl+C to close the tunnel');
+    }
+    console.log('');
+    // Step 5: Start SSM session
+    const child = spawn('aws', [
+        'ssm',
+        'start-session',
+        '--target', instanceId,
+        '--document-name', 'AWS-StartPortForwardingSessionToRemoteHost',
+        '--parameters', `host="${ALB_REMOTE_HOST}",portNumber="${ALB_REMOTE_PORT}",localPortNumber="${localPort}"`,
+        '--profile', profile,
+    ], {
+        stdio: 'inherit',
+        env: { ...getSubprocessEnv(), AWS_PROFILE: profile },
+    });
+    // Handle process lifecycle
+    await new Promise((resolve, reject) => {
+        child.on('error', (error) => {
+            reject(new Error(`Failed to start SSM session: ${sanitizeOutput(error.message)}`));
+        });
+        child.on('exit', (code) => {
+            if (code !== 0 && code !== null) {
+                console.log('');
+                if (!noColor) {
+                    console.log(chalk.red(`Tunnel closed with exit code: ${code}`));
+                }
+                else {
+                    console.log(`Tunnel closed with exit code: ${code}`);
+                }
+            }
+        });
+        child.on('close', () => {
+            resolve();
+        });
+    });
+}
+//# sourceMappingURL=lb.js.map

package/dist/commands/tunnel/lb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lb.js","sourceRoot":"","sources":["../../../src/commands/tunnel/lb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,MAAM,eAAe,GAAG,4BAA4B,CAAC;AACrD,MAAM,eAAe,GAAG,GAAG,CAAC;AAC5B,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEnC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAsB;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IAEzC,8BAA8B;IAC9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;IAEvF,6BAA6B;IAC7B,IAAI,SAAiB,CAAC;IAEtB,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,iBAAiB,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,SAAS,GAAG,MAAM,CAAC;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACvC;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,4BAA4B;gBACrC,OAAO,EAAE,qBAAqB,CAAC,QAAQ,EAAE;gBACzC,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC1B,MAAM,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;oBAC3B,IAAI,CAAC,CAAC;wBAAE,OAAO,4CAA4C,CAAC;oBAC5D,OAAO,IAAI,CAAC;gBACd,CAAC;aACF;SACF,CAAC,CAAC;QACH,SAAS,GAAG,SAAS,CAAC,UAAU,CAAC,IAAI,CAAE,CAAC;IAC1C,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,kBAAkB,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;IACvD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,QAAQ,SAAS,qDAAqD,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,SAAS,eAAe,CAAC,CAAC,CAAC;IAC/D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,QAAQ,SAAS,eAAe,CAAC,CAAC;IAChD,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,UAAU,GAAG,kBAAkB,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,+BAA+B;IAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,eAAe,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,UAAU,YAAY,CAAC,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,aAAa,eAAe,IAAI,eAAe,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,UAAU,UAAU,YAAY,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,+BAA+B,SAAS,iBAAiB,CAAC,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,oCAAoC,SAAS,YAAY,CAAC,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,+BAA+B,SAAS,6BAA6B,eAAe,GAAG,CAAC,CAAC,CAAC;IACnH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,+BAA+B,SAAS,iBAAiB,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,oCAAoC,SAAS,YAAY,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,+BAA+B,SAAS,6BAA6B,eAAe,GAAG,CAAC,CAAC;IACvG,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,kCAAkC,CAAC,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,4BAA4B;IAC5B,MAAM,KAAK,GAAG,KAAK,CACjB,KAAK,EACL;QACE,KAAK;QACL,eAAe;QACf,UAAU,EAAE,UAAU;QACtB,iBAAiB,EAAE,4CAA4C;QAC/D,cAAc,EAAE,SAAS,eAAe,iBAAiB,eAAe,sBAAsB,SAAS,GAAG;QAC1G,WAAW,EAAE,OAAO;KACrB,EACD;QACE,KAAK,EAAE,SAAS;QAChB,GAAG,EAAE,EAAE,GAAG,gBAAgB,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE;KACrD,CACF,CAAC;IAEF,2BAA2B;IAC3B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;YAC1B,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,iCAAiC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAClE,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,iCAAiC,IAAI,EAAE,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACrB,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/commands/tunnel/types.d.ts

@@ -4,7 +4,7 @@
 /**
  * Tunnel target types
  */
-export type TunnelTarget = 'rds' | 'opensearch' | 'ec2';
+export type TunnelTarget = 'rds' | 'opensearch' | 'ec2' | 'lb';
 /**
  * Options for the tunnel command
  */

package/dist/commands/tunnel/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/commands/tunnel/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,YAAY,GAAG,KAAK,CAAC;AAExD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAMvD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,YAGnC,CAAC;AAEF;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAE5D;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CA2B/E"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/commands/tunnel/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,YAAY,GAAG,KAAK,GAAG,IAAI,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAMvD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,YAGnC,CAAC;AAEF;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAE5D;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CA2B/E"}

package/dist/mcp/code-mode/executor.d.ts

@@ -0,0 +1,32 @@
+/**
+ * CodeExecutor — orchestrates the isolated-vm sandbox for code execution.
+ *
+ * Creates a fresh V8 isolate per execution, bridges all registered MCP tools
+ * as synchronous namespaced functions, captures console output, and disposes
+ * the isolate in a finally block.
+ *
+ * Security contract:
+ *   - No filesystem access: isolated-vm provides no fs module by default
+ *   - No network access: no require/import available inside the isolate
+ *   - No Node.js built-ins: the sandbox only has JS builtins + bridged tools
+ */
+import type { ToolEntry, ExecutionResult, ExecutionOptions } from './types.js';
+export declare class CodeExecutor {
+    private readonly tools;
+    constructor(tools: ToolEntry[]);
+    /**
+     * Execute caller-supplied JavaScript code in an isolated V8 sandbox.
+     *
+     * All registered MCP tools are available as synchronous functions inside
+     * the sandbox under their namespace (gitlab.*, jira.*, confluence.*).
+     *
+     * @param code     JavaScript/TypeScript code to execute.
+     * @param options  Execution options (timeout, memory limit).
+     * @returns        Execution result and captured console logs.
+     */
+    execute(code: string, options?: ExecutionOptions): Promise<ExecutionResult>;
+    private setupConsoleBridge;
+    private setupToolBridges;
+    private setupIntrospection;
+}
+//# sourceMappingURL=executor.d.ts.map

package/dist/mcp/code-mode/executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../../src/mcp/code-mode/executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAM/E,qBAAa,YAAY;IACX,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,SAAS,EAAE;IAE/C;;;;;;;;;OASG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,eAAe,CAAC;YAkEvE,kBAAkB;YAmClB,gBAAgB;YAqDhB,kBAAkB;CAoBjC"}

package/dist/mcp/code-mode/executor.js

@@ -0,0 +1,173 @@
+/**
+ * CodeExecutor — orchestrates the isolated-vm sandbox for code execution.
+ *
+ * Creates a fresh V8 isolate per execution, bridges all registered MCP tools
+ * as synchronous namespaced functions, captures console output, and disposes
+ * the isolate in a finally block.
+ *
+ * Security contract:
+ *   - No filesystem access: isolated-vm provides no fs module by default
+ *   - No network access: no require/import available inside the isolate
+ *   - No Node.js built-ins: the sandbox only has JS builtins + bridged tools
+ */
+import ivm from 'isolated-vm';
+import { InterfaceGenerator } from './interface-generator.js';
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MEMORY_LIMIT_MB = 128;
+export class CodeExecutor {
+    tools;
+    constructor(tools) {
+        this.tools = tools;
+    }
+    /**
+     * Execute caller-supplied JavaScript code in an isolated V8 sandbox.
+     *
+     * All registered MCP tools are available as synchronous functions inside
+     * the sandbox under their namespace (gitlab.*, jira.*, confluence.*).
+     *
+     * @param code     JavaScript/TypeScript code to execute.
+     * @param options  Execution options (timeout, memory limit).
+     * @returns        Execution result and captured console logs.
+     */
+    async execute(code, options = {}) {
+        const timeout = options.timeout ?? DEFAULT_TIMEOUT_MS;
+        const memoryLimit = options.memoryLimitMb ?? DEFAULT_MEMORY_LIMIT_MB;
+        const logs = [];
+        const isolate = new ivm.Isolate({ memoryLimit });
+        try {
+            const context = await isolate.createContext();
+            const jail = context.global;
+            // Self-reference so sandboxed code can access `global.x = ...`
+            await jail.set('global', jail.derefInto());
+            await this.setupConsoleBridge(isolate, context, jail, logs);
+            await this.setupToolBridges(isolate, context, jail);
+            await this.setupIntrospection(isolate, context, jail);
+            // Wrap user code so we can extract a return value across the isolate boundary.
+            // The result is serialised as JSON to avoid transferring non-transferable objects.
+            const wrappedCode = `
+        (function() {
+          var __result = (function() {
+            ${code}
+          })();
+          return JSON.stringify({ __result: __result === undefined ? null : __result });
+        })()
+      `;
+            const script = await isolate.compileScript(wrappedCode);
+            const resultJson = await script.run(context, { timeout });
+            let result = null;
+            if (typeof resultJson === 'string') {
+                try {
+                    result = JSON.parse(resultJson).__result;
+                }
+                catch {
+                    result = resultJson;
+                }
+            }
+            else {
+                result = resultJson;
+            }
+            return { result, logs };
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            return {
+                result: null,
+                logs: [...logs, `[ERROR] Code execution failed: ${msg}`],
+            };
+        }
+        finally {
+            // Isolate may already be disposed (e.g. on OOM) — guard against double-dispose
+            try {
+                if (!isolate.isDisposed) {
+                    isolate.dispose();
+                }
+            }
+            catch {
+                // Ignore dispose errors — isolate is already gone
+            }
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Console bridge
+    // ---------------------------------------------------------------------------
+    async setupConsoleBridge(isolate, context, jail, logs) {
+        const makeHandler = (prefix) => new ivm.Reference((...args) => {
+            const parts = args.map(a => typeof a === 'object' && a !== null ? JSON.stringify(a, null, 2) : String(a));
+            const message = parts.join(' ');
+            logs.push(prefix ? `${prefix} ${message}` : message);
+        });
+        await jail.set('__logRef', makeHandler(''));
+        await jail.set('__warnRef', makeHandler('[WARN]'));
+        await jail.set('__errorRef', makeHandler('[ERROR]'));
+        const consoleScript = await isolate.compileScript(`
+      const __stringify = (a) => typeof a === 'object' && a !== null ? JSON.stringify(a, null, 2) : String(a);
+      global.console = {
+        log:   (...args) => __logRef.applySync(undefined, args.map(__stringify)),
+        warn:  (...args) => __warnRef.applySync(undefined, args.map(__stringify)),
+        error: (...args) => __errorRef.applySync(undefined, args.map(__stringify)),
+        info:  (...args) => __logRef.applySync(undefined, args.map(__stringify)),
+      };
+    `);
+        await consoleScript.run(context);
+    }
+    // ---------------------------------------------------------------------------
+    // Tool bridges
+    // ---------------------------------------------------------------------------
+    async setupToolBridges(isolate, context, jail) {
+        // Single reference handles all tool calls; tool name + args passed as JSON
+        const toolCallerRef = new ivm.Reference(async (toolName, argsJson) => {
+            const tool = this.tools.find(t => t.name === toolName);
+            if (!tool) {
+                return JSON.stringify({ success: false, error: `Tool '${toolName}' not found` });
+            }
+            try {
+                const args = JSON.parse(argsJson);
+                const result = await tool.handler(args);
+                return JSON.stringify({ success: true, result });
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                return JSON.stringify({ success: false, error: msg });
+            }
+        });
+        await jail.set('__callToolRef', toolCallerRef);
+        // Build namespace initialisation + per-tool wrapper code
+        const setupParts = [];
+        const seenNamespaces = new Set();
+        for (const tool of this.tools) {
+            const { namespace, functionName } = tool;
+            if (!seenNamespaces.has(namespace)) {
+                seenNamespaces.add(namespace);
+                setupParts.push(`global.${namespace} = global.${namespace} || {};`);
+            }
+            setupParts.push(`
+        global.${namespace}.${functionName} = function(args) {
+          var resultJson = __callToolRef.applySyncPromise(undefined, [${JSON.stringify(tool.name)}, JSON.stringify(args || {})]);
+          var parsed = JSON.parse(resultJson);
+          if (!parsed.success) throw new Error(parsed.error);
+          return parsed.result;
+        };
+      `);
+        }
+        const toolSetupScript = await isolate.compileScript(setupParts.join('\n'));
+        await toolSetupScript.run(context);
+    }
+    // ---------------------------------------------------------------------------
+    // Introspection helpers
+    // ---------------------------------------------------------------------------
+    async setupIntrospection(isolate, context, jail) {
+        const generator = new InterfaceGenerator(this.tools);
+        const allInterfaces = generator.generateAll();
+        const interfaceMap = generator.buildInterfaceMap();
+        await jail.set('__interfaces', allInterfaces);
+        await jail.set('__interfaceMapJson', JSON.stringify(interfaceMap));
+        const utilScript = await isolate.compileScript(`
+      global.__getToolInterface = function(toolName) {
+        var map = JSON.parse(__interfaceMapJson);
+        return map[toolName] || null;
+      };
+    `);
+        await utilScript.run(context);
+    }
+}
+//# sourceMappingURL=executor.js.map

package/dist/mcp/code-mode/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../../src/mcp/code-mode/executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,GAAG,MAAM,aAAa,CAAC;AAE9B,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAE9D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,uBAAuB,GAAG,GAAG,CAAC;AAEpC,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,KAAkB;QAAlB,UAAK,GAAL,KAAK,CAAa;IAAG,CAAC;IAEnD;;;;;;;;;OASG;IACH,KAAK,CAAC,OAAO,CAAC,IAAY,EAAE,UAA4B,EAAE;QACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,kBAAkB,CAAC;QACtD,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,IAAI,uBAAuB,CAAC;QAErE,MAAM,IAAI,GAAa,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,CAAC;YAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;YAE5B,+DAA+D;YAC/D,MAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAE3C,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;YAC5D,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;YAEtD,+EAA+E;YAC/E,mFAAmF;YACnF,MAAM,WAAW,GAAG;;;cAGZ,IAAI;;;;OAIX,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAE1D,IAAI,MAAM,GAAY,IAAI,CAAC;YAC3B,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;gBACnC,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC;gBAC3C,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,UAAU,CAAC;gBACtB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC;YAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,kCAAkC,GAAG,EAAE,CAAC;aACzD,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,+EAA+E;YAC/E,IAAI,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;oBACxB,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,kDAAkD;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,iBAAiB;IACjB,8EAA8E;IAEtE,KAAK,CAAC,kBAAkB,CAC9B,OAAoB,EACpB,OAAoB,EACpB,IAA8D,EAC9D,IAAc;QAEd,MAAM,WAAW,GAAG,CAAC,MAAc,EAAE,EAAE,CACrC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,GAAG,IAAe,EAAE,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACzB,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAC7E,CAAC;YACF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEL,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5C,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnD,MAAM,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC;QAErD,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;;;;;;;;KAQjD,CAAC,CAAC;QACH,MAAM,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,8EAA8E;IAC9E,eAAe;IACf,8EAA8E;IAEtE,KAAK,CAAC,gBAAgB,CAC5B,OAAoB,EACpB,OAAoB,EACpB,IAA8D;QAE9D,2EAA2E;QAC3E,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,QAAgB,EAAE,QAAgB,EAAE,EAAE;YACnF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;YACvD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,QAAQ,aAAa,EAAE,CAAC,CAAC;YACnF,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAA4B,CAAC;gBAC7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACxC,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;QAE/C,yDAAyD;QACzD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;QAEzC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;YAEzC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC9B,UAAU,CAAC,IAAI,CAAC,UAAU,SAAS,aAAa,SAAS,SAAS,CAAC,CAAC;YACtE,CAAC;YAED,UAAU,CAAC,IAAI,CAAC;iBACL,SAAS,IAAI,YAAY;wEAC8B,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;OAK1F,CAAC,CAAC;QACL,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3E,MAAM,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,8EAA8E;IAC9E,wBAAwB;IACxB,8EAA8E;IAEtE,KAAK,CAAC,kBAAkB,CAC9B,OAAoB,EACpB,OAAoB,EACpB,IAA8D;QAE9D,MAAM,SAAS,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,aAAa,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QAC9C,MAAM,YAAY,GAAG,SAAS,CAAC,iBAAiB,EAAE,CAAC;QAEnD,MAAM,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;QAC9C,MAAM,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;QAEnE,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;;;;;KAK9C,CAAC,CAAC;QACH,MAAM,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;CACF"}