@phake/mcp 0.0.4 → 0.0.6

package/README.md

@@ -1,19 +1,33 @@
 # @phake/mcp
 
-A TypeScript library for building MCP (Model Context Protocol) servers, designed to run on Cloudflare Workers and Node.js.
+A TypeScript library for building [MCP (Model Context Protocol)](https://modelcontextprotocol.io) servers on Cloudflare Workers.
 
 [![npm](https://img.shields.io/npm/v/@phake/mcp?style=flat-square)](https://www.npmjs.com/package/@phake/mcp)
+[![license](https://img.shields.io/npm/l/@phake/mcp?style=flat-square)](LICENSE)
 
-## Features
+---
 
-- **Multi-runtime support** - Deploy to Cloudflare Workers (itty-router) or Node.js (Hono)
-- **OAuth 2.0 authentication** - Full PKCE flow with dynamic token resolution and proactive refresh
-- **5 auth strategies** - `oauth`, `bearer`, `api_key`, `custom`, `none`
-- **Tool registration** - Define and register MCP tools with Zod input/output schemas
-- **Session & token management** - Persistent storage with LRU eviction and TTL
-- **Multiple storage backends** - Cloudflare KV, SQLite, file-based, and in-memory
-- **CORS support** - Configurable CORS headers
-- **Type-safe** - Full TypeScript support with Zod validation
+- [Requirements](#requirements)
+- [Installation](#installation)
+- [Getting Started](#getting-started)
+- [Usage](#usage)
+  - [Defining Tools](#defining-tools)
+  - [Authenticated Tools](#authenticated-tools)
+  - [Authentication Strategies](#authentication-strategies)
+  - [Storage Backends](#storage-backends)
+- [API Reference](#api-reference)
+- [Endpoints](#endpoints)
+- [Configuration](#configuration)
+- [Contributing](#contributing)
+- [License](#license)
+
+---
+
+## Requirements
+
+- [Bun](https://bun.sh) or Node.js 20+
+- [Wrangler](https://developers.cloudflare.com/workers/wrangler/) CLI
+- A Cloudflare account with Workers and KV access
 
 ## Installation
 
@@ -21,80 +35,84 @@ A TypeScript library for building MCP (Model Context Protocol) servers, designed
 bun add @phake/mcp
 ```
 
-## Quick Start
+## Getting Started
 
-### Cloudflare Workers
+### 1. Create the KV namespace
 
-```typescript
-import { createMCPServer } from "@phake/mcp";
+```bash
+wrangler kv namespace create TOKENS
+```
 
-const server = createMCPServer({
-  adapter: "worker",
-  tools: [
-    // your tool definitions
-  ],
-});
+### 2. Bind it in your Wrangler config
 
-export default server;
+Use the namespace ID printed in the previous step.
+
+`wrangler.toml`
+```toml
+[[kv_namespaces]]
+binding = "TOKENS"
+id = "<your-kv-namespace-id>"
+```
+
+`wrangler.jsonc`
+```jsonc
+{
+  "kv_namespaces": [
+    {
+      "binding": "TOKENS",
+      "id": "<your-kv-namespace-id>"
+    }
+  ]
+}
 ```
 
-### Node.js
+### 3. Generate an encryption key
 
-```typescript
-import { createHttpApp, createAuthApp } from "@phake/mcp/runtime/node";
+Tokens at rest are encrypted with AES-256-GCM. Generate a 32-byte key:
 
-const { app, sessionStore } = createHttpApp({
-  tools: [
-    // your tool definitions
-  ],
-});
+```bash
+# OpenSSL
+openssl rand -base64 32 | tr '+/' '-_' | tr -d '='
 
-const authApp = createAuthApp({ sessionStore });
+# Node.js
+node -e "const {randomBytes}=require('crypto'); console.log(randomBytes(32).toString('base64url'))"
 ```
 
-## API
+### 4. Set the encryption key
 
-### `createMCPServer(options)`
+**Production** - add as a Wrangler secret:
 
-Creates an MCP server instance.
+```bash
+wrangler secret put RS_TOKENS_ENC_KEY
+# paste the generated key when prompted
+```
 
-| Option | Type | Description |
-|--------|------|-------------|
-| `adapter` | `"worker" \| "node"` | Runtime adapter |
-| `tools` | `SharedToolDefinition[]` | Array of tool definitions to register |
+**Local development** - add to `.dev.vars`:
 
-### Exports
+```ini
+RS_TOKENS_ENC_KEY=<your-generated-key>
+```
 
-| Module | Path |
-|--------|------|
-| Core | `@phake/mcp` |
-| Node runtime | `@phake/mcp/runtime/node` |
-| Worker runtime | `@phake/mcp/runtime/worker` |
+### 5. Create your Worker
 
-## Authentication Strategies
+```typescript
+import { createMCPServer } from "@phake/mcp";
 
-| Strategy | Description | Config Env Vars |
-|----------|-------------|-----------------|
-| `oauth` | Full OAuth 2.1 PKCE flow with RS token -> provider token mapping | `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OAUTH_SCOPES`, `OAUTH_REDIRECT_URI`, `PROVIDER_CLIENT_ID`, `PROVIDER_CLIENT_SECRET`, `PROVIDER_ACCOUNTS_URL` |
-| `bearer` | Static Bearer token | `BEARER_TOKEN` |
-| `api_key` | Static API key in custom header (default: `x-api-key`) | `API_KEY`, `API_KEY_HEADER` |
-| `custom` | Arbitrary custom headers | `CUSTOM_HEADERS` |
-| `none` | No authentication required | - |
+const server = createMCPServer({
+  adapter: "worker",
+  tools: [
+    // your tool definitions
+  ],
+});
 
-## Storage Backends
+export default server;
+```
 
-| Backend | Stores | Key Features |
-|---------|--------|--------------|
-| `MemoryTokenStore` | Tokens, transactions, codes | TTL expiration, size limits (10K tokens), LRU eviction |
-| `MemorySessionStore` | Sessions | TTL (24h), size limit (10K), per-API-key limits (5) |
-| `KvTokenStore` | Tokens, transactions, codes | Cloudflare KV + memory fallback, AES-256-GCM encryption |
-| `KvSessionStore` | Sessions | Cloudflare KV + memory fallback, encryption, API-key indexing |
-| `FileTokenStore` | RS token mappings | JSON file persistence, AES-256-GCM encryption, secure permissions (0600) |
-| `SqliteSessionStore` | Sessions | SQLite via better-sqlite3 + Drizzle ORM, WAL mode, atomic transactions |
+## Usage
 
-## Creating Tools
+### Defining Tools
 
-Use `defineTool` to create a type-safe tool definition, then pass it to `tools` when creating the server.
+Use `defineTool` to create a type-safe tool, then pass it to `createMCPServer`.
 
 ```typescript
 import { z } from "zod";
@@ -125,14 +143,24 @@ const greetTool = defineTool({
 });
 ```
 
+**Tool definition fields:**
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `name` | `string` | Yes | Unique tool identifier |
+| `description` | `string` | Yes | Description shown to the LLM |
+| `inputSchema` | `ZodObject` | Yes | Zod schema for input validation |
+| `outputSchema` | `ZodRawShape` | No | Zod schema for structured output |
+| `handler` | `function` | Yes | `(args, context) => Promise<ToolResult>` |
+| `requiresAuth` | `boolean` | No | Reject calls without a provider token |
+| `title` | `string` | No | Human-readable display title |
+| `annotations` | `object` | No | MCP hints (`readOnlyHint`, `destructiveHint`, etc.) |
+
 ### Authenticated Tools
 
-Set `requiresAuth: true` to have the dispatcher automatically reject calls when no token is present. Use `context.resolvedHeaders` to call external APIs.
+Set `requiresAuth: true` to have the dispatcher automatically reject unauthenticated calls. Use `context.resolvedHeaders` to forward auth to external APIs.
 
 ```typescript
-import { defineTool } from "@phake/mcp";
-import { z } from "zod";
-
 const profileTool = defineTool({
   name: "get_profile",
   description: "Fetch the authenticated user's profile",
@@ -150,7 +178,44 @@ const profileTool = defineTool({
 });
 ```
 
-### Registering Tools
+**Available context properties:**
+
+| Property | Description |
+|----------|-------------|
+| `sessionId` | Current MCP session ID |
+| `providerToken` | Access token for external API calls |
+| `resolvedHeaders` | Ready-to-use auth headers for `fetch` |
+| `authStrategy` | Active auth strategy |
+| `signal` | `AbortSignal` for cancellation |
+
+### Authentication Strategies
+
+Set `AUTH_STRATEGY` in your environment (or let it be inferred from which keys are present):
+
+| Strategy | Description | Required env vars |
+|----------|-------------|-------------------|
+| `oauth` | Full OAuth 2.1 PKCE flow with RS token => provider token mapping | `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OAUTH_SCOPES`, `OAUTH_REDIRECT_URI`, `PROVIDER_CLIENT_ID`, `PROVIDER_CLIENT_SECRET`, `PROVIDER_ACCOUNTS_URL` |
+| `bearer` | Static Bearer token | `BEARER_TOKEN` |
+| `api_key` | Static API key via header (default: `x-api-key`) | `API_KEY`, `API_KEY_HEADER` |
+| `custom` | Arbitrary custom request headers | `CUSTOM_HEADERS` |
+| `none` | No authentication | - |
+
+### Storage Backends
+
+| Backend | Use case | Notes |
+|---------|----------|-------|
+| `KvTokenStore` | Tokens, transactions, codes | Cloudflare KV + memory fallback, AES-256-GCM encryption |
+| `KvSessionStore` | Sessions | Cloudflare KV + memory fallback, encryption, API-key indexing |
+| `MemoryTokenStore` | Tokens, transactions, codes | TTL expiration, 10K token limit, LRU eviction |
+| `MemorySessionStore` | Sessions | TTL (24h), 10K limit, per-API-key limit (5) |
+| `FileTokenStore` | RS token mappings | File persistence, AES-256-GCM - **experimental** |
+| `SqliteSessionStore` | Sessions | SQLite + Drizzle ORM, WAL mode - **experimental** |
+
+## API Reference
+
+### `createMCPServer(options)`
+
+Creates an MCP server instance.
 
 ```typescript
 import { createMCPServer } from "@phake/mcp";
@@ -159,79 +224,34 @@ const server = createMCPServer({
   adapter: "worker",
   tools: [greetTool, profileTool],
 });
-```
-
-### Tool Handler Reference
 
-| Field | Type | Required | Description |
-|-------|------|----------|-------------|
-| `name` | `string` | Yes | Unique tool name |
-| `description` | `string` | Yes | Description shown to the LLM |
-| `inputSchema` | `ZodObject` | Yes | Zod schema for input validation |
-| `outputSchema` | `ZodRawShape` | No | Zod schema for structured output |
-| `handler` | `function` | Yes | `(args, context) => Promise<ToolResult>` |
-| `requiresAuth` | `boolean` | No | Reject calls without a provider token |
-| `title` | `string` | No | Human-readable display title |
-| `annotations` | `object` | No | MCP hints (`readOnlyHint`, `destructiveHint`, etc.) |
-
-The `context` object provides:
+export default server;
+```
 
-| Property | Description |
-|----------|-------------|
-| `sessionId` | Current MCP session ID |
-| `providerToken` | Access token for external API calls |
-| `resolvedHeaders` | Ready-to-use auth headers for `fetch` |
-| `authStrategy` | Active auth strategy |
-| `signal` | `AbortSignal` for cancellation |
+| Option | Type | Description |
+|--------|------|-------------|
+| `adapter` | `"worker"` | Runtime adapter |
+| `tools` | `SharedToolDefinition[]` | Tools to register |
 
-## Built-in Tools
+### Built-in Tools
 
 | Tool | Input | Output | Description |
 |------|-------|--------|-------------|
-| `echo` | `{ message, uppercase? }` | `{ echoed, length }` | Echoes back a message, optionally uppercased |
-| `health` | `{ verbose? }` | `{ status, timestamp, runtime, uptime? }` | Reports server health, uptime, runtime detection |
+| `echo` | `{ message, uppercase? }` | `{ echoed, length }` | Echoes back a message |
+| `health` | `{ verbose? }` | `{ status, timestamp, runtime, uptime? }` | Reports server health |
 
-## Project Structure
+### Package Exports
 
-```
-src/
-├── adapters/
-│   ├── http-node/           # Node.js adapter (Hono)
-│   │   ├── http/            # MCP server app, routes, middleware
-│   │   ├── routes.discovery.ts
-│   │   ├── routes.oauth.ts
-│   │   └── middleware.security.ts
-│   └── http-worker/         # Cloudflare Workers adapter (itty-router)
-│       ├── index.ts
-│       ├── mcp.handler.ts
-│       ├── routes.discovery.ts
-│       ├── routes.oauth.ts
-│       └── security.ts
-├── runtime/
-│   └── node/
-│       ├── capabilities.ts
-│       ├── context.ts
-│       ├── mcp.ts
-│       └── storage/
-│           ├── file.ts
-│           └── sqlite.ts
-├── shared/
-│   ├── auth/                # Authentication strategies
-│   ├── config/              # Environment configuration (40+ fields)
-│   ├── crypto/              # AES-256-GCM utilities
-│   ├── http/                # CORS, JSON-RPC responses
-│   ├── mcp/                 # Protocol dispatcher, security, server internals
-│   ├── oauth/               # Full OAuth 2.0 implementation (PKCE, CIMD, discovery)
-│   ├── services/            # HTTP client
-│   ├── storage/             # Token/session store interfaces and implementations
-│   ├── tools/               # Tool definitions, registry, execution
-│   ├── types/               # Shared type definitions
-│   └── utils/               # Base64, cancellation, logger, pagination, etc.
-├── mcp-server.ts            # Server factory
-└── index.ts                 # Main entry point
-```
+| Export | Path |
+|--------|------|
+| Core | `@phake/mcp` |
+| Worker runtime | `@phake/mcp/runtime/worker` |
+
+> **Node.js runtime** (`@phake/mcp/runtime/node`) is available but experimental and untested.
+
+## Endpoints
 
-## MCP Endpoints
+### MCP
 
 | Method | Path | Description |
 |--------|------|-------------|
@@ -240,7 +260,7 @@ src/
 | `DELETE` | `/mcp` | Session termination |
 | `GET` | `/health` | Health check |
 
-## OAuth Endpoints
+### OAuth
 
 | Path | Description |
 |------|-------------|
@@ -253,27 +273,57 @@ src/
 | `/revoke` | Token revocation |
 | `/register` | Dynamic client registration |
 
-## Scripts
+## Configuration
 
-| Command | Description |
-|---------|-------------|
-| `bun run build` | Build with Bun |
-| `bun run typecheck` | Run TypeScript type checking |
+All configuration is read from environment variables / Wrangler bindings.
 
-## Dependencies
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `TOKENS` | Yes | Cloudflare KV namespace binding for token/session storage |
+| `RS_TOKENS_ENC_KEY` | Yes | Base64url-encoded 32-byte AES-256-GCM encryption key |
+| `AUTH_STRATEGY` | No | `oauth` \| `bearer` \| `api_key` \| `custom` \| `none` (inferred if unset) |
+| `OAUTH_CLIENT_ID` | OAuth only | OAuth client ID |
+| `OAUTH_CLIENT_SECRET` | OAuth only | OAuth client secret |
+| `OAUTH_SCOPES` | OAuth only | Space-separated OAuth scopes |
+| `OAUTH_REDIRECT_URI` | OAuth only | Redirect URI after authorization |
+| `API_KEY` | api_key only | Static API key value |
+| `BEARER_TOKEN` | bearer only | Static Bearer token value |
+| `BASE_URL` | No | Base URL override (for reverse proxies) |
+| `LOG_LEVEL` | No | `debug` \| `info` \| `warning` \| `error` (default: `info`) |
 
-- `@modelcontextprotocol/sdk` - MCP protocol implementation
-- `zod` - Schema validation
-- `jose` - JWT and JWS/JWE
-- `oauth4webapi` - OAuth 2.0 for Web API
-- `itty-router` - Lightweight router (Workers)
-- `hono` / `@hono/node-server` - Node.js HTTP framework (optional)
-- `drizzle-orm` / `better-sqlite3` - Database layer (optional)
+## Contributing
 
-## Inspired By
+```bash
+# Install dependencies
+bun install
+
+# Build
+bun run build
+
+# Type check
+bun run typecheck
+```
+
+**Project structure:**
+
+```
+src/
+├── adapters/
+│   └── http-worker/    # Cloudflare Workers adapter
+├── shared/
+│   ├── auth/           # Authentication strategies
+│   ├── config/         # Environment configuration
+│   ├── crypto/         # AES-256-GCM utilities
+│   ├── mcp/            # Protocol dispatcher and server internals
+│   ├── oauth/          # OAuth 2.0 (PKCE, CIMD, discovery)
+│   ├── storage/        # Token/session store interfaces and implementations
+│   └── tools/          # Tool definitions, registry, execution
+├── mcp-server.ts       # Server factory
+└── index.ts            # Package entry point
+```
 
-This project was inspired by [streamable-mcp-server-template](https://github.com/iceener/streamable-mcp-server-template).
+Inspired by [streamable-mcp-server-template](https://github.com/iceener/streamable-mcp-server-template).
 
 ## License
 
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+[MIT](LICENSE)

package/dist/{index-ctd3bknx.js → index-qmejk5tj.js}

@@ -1278,7 +1278,6 @@ function registerTools(server, contextResolver) {
 
 // src/shared/mcp/dispatcher.ts
 import { z as z3 } from "zod";
-import { zodToJsonSchema } from "zod-to-json-schema";
 
 // src/runtime/node/capabilities.ts
 function buildCapabilities() {
@@ -1351,9 +1350,9 @@ async function handleToolsList(ctx) {
   const tools = (ctx.tools ?? sharedTools).map((tool) => ({
     name: tool.name,
     description: tool.description,
-    inputSchema: zodToJsonSchema(tool.inputSchema),
+    inputSchema: z3.toJSONSchema(tool.inputSchema),
     ...tool.outputSchema && {
-      outputSchema: zodToJsonSchema(z3.object(tool.outputSchema))
+      outputSchema: z3.toJSONSchema(z3.object(tool.outputSchema))
     },
     ...tool.annotations && { annotations: tool.annotations }
   }));
@@ -1760,7 +1759,7 @@ function buildUnauthorizedChallenge(args) {
   return {
     status: 401,
     headers: {
-      "WWW-Authenticate": `Bearer realm="MCP", authorization_uri="${resourceMd}"`,
+      "WWW-Authenticate": `Bearer realm="MCP", resource_metadata="${resourceMd}"`,
       "Mcp-Session-Id": args.sid
     },
     body: {
@@ -2942,6 +2941,12 @@ function attachDiscoveryRoutes(router, config) {
     const metadata = protectedResourceMetadata(here, sid);
     return jsonResponse(metadata);
   });
+  router.get("/.well-known/oauth-protected-resource/*", async (request) => {
+    const here = new URL(request.url);
+    const sid = here.searchParams.get("sid") ?? undefined;
+    const metadata = protectedResourceMetadata(here, sid);
+    return jsonResponse(metadata);
+  });
 }
 
 // src/adapters/http-worker/routes.oauth.ts

package/dist/index.js

@@ -82,7 +82,7 @@ import {
   withCancellation,
   withCors,
   workerDiscoveryStrategy
-} from "./index-ctd3bknx.js";
+} from "./index-qmejk5tj.js";
 // src/shared/config/env.ts
 function parseBoolean(value) {
   return String(value || "false").toLowerCase() === "true";

package/dist/mcp-server.d.ts

@@ -14,5 +14,9 @@ export interface MCPServer {
 }
 /**
  * Create an MCP server instance.
+ * @param {MCPServerOptions} options - Configuration options
+ * @param {string} options.adapter - Runtime adapter: 'worker' (Cloudflare Workers) or 'node' (Hono/Node.js)
+ * @param {SharedToolDefinition<any>[]} [options.tools] - Array of tools to register
+ * @returns {MCPServer} - MCP server instance
  */
 export declare function createMCPServer(options: MCPServerOptions): MCPServer;

package/dist/runtime/worker/index.js

@@ -2,7 +2,7 @@ import {
   createWorkerRouter,
   initializeWorkerStorage,
   shimProcessEnv
-} from "../../index-ctd3bknx.js";
+} from "../../index-qmejk5tj.js";
 export {
   shimProcessEnv,
   initializeWorkerStorage,

package/dist/shared/utils/elicitation.d.ts

@@ -108,8 +108,8 @@ export interface ElicitResult {
 }
 export declare const ElicitResultSchema: z.ZodObject<{
     action: z.ZodEnum<{
-        cancel: "cancel";
         accept: "accept";
+        cancel: "cancel";
         decline: "decline";
     }>;
     content: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@phake/mcp",
-	"version": "0.0.4",
+	"version": "0.0.6",
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/fuongz/phake-mcp"
@@ -37,8 +37,7 @@
 		"itty-router": "^5.0.23",
 		"jose": "^6.2.2",
 		"oauth4webapi": "^3.8.5",
-		"zod": "^4.3.6",
-		"zod-to-json-schema": "^3.25.2"
+		"zod": "^4.3.6"
 	},
 	"optionalDependencies": {
 		"@hono/node-server": "^1.19.12",
@@ -47,7 +46,6 @@
 		"hono": "^4.12.9"
 	},
 	"devDependencies": {
-		"@cloudflare/workers-types": "^4.20260401.1",
 		"@types/better-sqlite3": "^7.6.13",
 		"bun-types": "^1.3.11",
 		"typescript": "^6.0.2"