npm - @pharaoh-so/mcp - Versions diffs - 0.1.0 → 0.1.3 - Mend

@pharaoh-so/mcp 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md CHANGED Viewed

@@ -4,11 +4,28 @@ Stdio-to-SSE proxy for [Pharaoh](https://pharaoh.so) — enables Claude Code in
 ## Quick Start
+**Step 1 — Authenticate** (run in your terminal):
+```bash
+npx @pharaoh-so/mcp
+```
+This shows a device code and URL. Open the URL on any device (phone, laptop) to authorize. Credentials are saved to `~/.pharaoh/credentials.json` (valid for 7 days).
+**Step 2 — Add to Claude Code:**
+```bash
+claude mcp add pharaoh -- npx @pharaoh-so/mcp
+```
+If you previously added pharaoh as SSE, remove it first:
 ```bash
+claude mcp remove pharaoh
 claude mcp add pharaoh -- npx @pharaoh-so/mcp
 ```
-On first run, the proxy shows a device code and URL. Open the URL on any device (phone, laptop) to authorize. The proxy stores credentials at `~/.pharaoh/credentials.json` and reuses them until they expire (7 days).
+Verify with `claude mcp list` — it should show `pharaoh` as a **stdio** server, not SSE.
 ## How It Works

package/dist/auth.js CHANGED Viewed

@@ -90,4 +90,3 @@ export function printAuthSuccess(login, tenant, repoCount) {
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
-//# sourceMappingURL=auth.js.map

package/dist/credentials.js CHANGED Viewed

@@ -70,4 +70,3 @@ function isValidCredentials(value) {
         typeof obj.sse_url === "string" &&
         Array.isArray(obj.repos));
 }
-//# sourceMappingURL=credentials.js.map

package/dist/helpers.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Pure helper functions for the mcp-proxy CLI — no side effects on import.
+ * Separated from index.ts so tests can import without triggering main().
+ */
+import type { TokenResponse } from "./auth.js";
+import type { Credentials } from "./credentials.js";
+/** Write one or more lines to stderr. */
+export declare function printLines(...lines: string[]): void;
+/** Parse CLI arguments. */
+export declare function parseArgs(argv?: string[]): {
+    server: string;
+    logout: boolean;
+};
+export declare function printUsage(): void;
+/**
+ * Validate that a server-supplied SSE URL shares the same origin as the configured server.
+ * Prevents a compromised auth response from redirecting the Bearer token to an attacker's host.
+ * Falls back to `${server}/sse` if the URL is missing, malformed, or cross-origin.
+ */
+export declare function resolveSseUrl(tokenSseUrl: string | undefined, server: string): string;
+/** Convert a token response to storable credentials. */
+export declare function tokenToCredentials(token: TokenResponse, sseUrl: string): Credentials;
+/** Format remaining TTL as human-readable string (e.g. "5d 12h"). */
+export declare function formatTtl(expiresAt: string): string;
+/**
+ * Print setup instructions for Claude Code. Called in interactive mode
+ * after auth completes (or when credentials already exist).
+ */
+export declare function printSetupInstructions(): void;
+/** Format a credential identity string (e.g. "alice (my-org)"). */
+export declare function formatIdentity(creds: Credentials): string;
+/**
+ * Determine if credentials are valid for proxy use.
+ * Returns a diagnostic message if not, null if valid.
+ */
+export declare function validateCredentials(creds: Credentials | null): string | null;

package/dist/helpers.js ADDED Viewed

@@ -0,0 +1,124 @@
+import { isExpired } from "./credentials.js";
+const DEFAULT_SERVER = "https://mcp.pharaoh.so";
+/** Write one or more lines to stderr. */
+export function printLines(...lines) {
+    process.stderr.write(lines.join("\n") + "\n");
+}
+/** Parse CLI arguments. */
+export function parseArgs(argv = process.argv.slice(2)) {
+    let server = DEFAULT_SERVER;
+    let logout = false;
+    for (let i = 0; i < argv.length; i++) {
+        if (argv[i] === "--server" && argv[i + 1]) {
+            server = argv[i + 1];
+            i++;
+        }
+        else if (argv[i] === "--logout") {
+            logout = true;
+        }
+    }
+    // Strip trailing slash
+    server = server.replace(/\/+$/, "");
+    // Reject non-HTTPS servers (allow loopback addresses for local dev)
+    try {
+        const parsed = new URL(server);
+        const isLoopback = parsed.hostname === "localhost" ||
+            parsed.hostname === "127.0.0.1" ||
+            parsed.hostname === "[::1]";
+        if (parsed.protocol !== "https:" && !isLoopback) {
+            printLines(`Pharaoh: --server must use HTTPS (got ${parsed.protocol}//…). Use https:// or http://localhost for local dev.`);
+            process.exit(1);
+        }
+        if (parsed.protocol !== "https:" && isLoopback) {
+            printLines("⚠ Warning: using insecure HTTP over loopback — do not use in production.");
+        }
+    }
+    catch {
+        printLines(`Pharaoh: --server is not a valid URL: ${server}`);
+        process.exit(1);
+    }
+    return { server, logout };
+}
+export function printUsage() {
+    printLines("Usage: pharaoh-mcp [options]", "", "Options:", "  --server <url>  Pharaoh server URL (default: https://mcp.pharaoh.so)", "  --logout        Clear stored credentials and exit", "  --help, -h      Show this help", "", "Add to Claude Code:", "  claude mcp add pharaoh -- npx @pharaoh-so/mcp", "");
+}
+/**
+ * Validate that a server-supplied SSE URL shares the same origin as the configured server.
+ * Prevents a compromised auth response from redirecting the Bearer token to an attacker's host.
+ * Falls back to `${server}/sse` if the URL is missing, malformed, or cross-origin.
+ */
+export function resolveSseUrl(tokenSseUrl, server) {
+    const fallback = `${server}/sse`;
+    if (!tokenSseUrl)
+        return fallback;
+    try {
+        const sseOrigin = new URL(tokenSseUrl).origin;
+        const serverOrigin = new URL(server).origin;
+        if (sseOrigin !== serverOrigin) {
+            printLines(`Pharaoh: ignoring cross-origin sse_url (${sseOrigin} ≠ ${serverOrigin})`);
+            return fallback;
+        }
+        return tokenSseUrl;
+    }
+    catch {
+        return fallback;
+    }
+}
+/** Convert a token response to storable credentials. */
+export function tokenToCredentials(token, sseUrl) {
+    return {
+        version: 1,
+        access_token: token.access_token,
+        expires_at: new Date(Date.now() + token.expires_in * 1000).toISOString(),
+        expires_in: token.expires_in,
+        sse_url: sseUrl,
+        github_login: token.github_login ?? null,
+        tenant_name: token.tenant_name ?? null,
+        repos: token.repos ?? [],
+    };
+}
+/** Format remaining TTL as human-readable string (e.g. "5d 12h"). */
+export function formatTtl(expiresAt) {
+    const remainingMs = new Date(expiresAt).getTime() - Date.now();
+    if (remainingMs <= 0)
+        return "expired";
+    const hours = Math.floor(remainingMs / 3_600_000);
+    const days = Math.floor(hours / 24);
+    const remHours = hours % 24;
+    if (days > 0)
+        return `${days}d ${remHours}h`;
+    if (hours > 0)
+        return `${hours}h`;
+    return `${Math.floor(remainingMs / 60_000)}m`;
+}
+/**
+ * Print setup instructions for Claude Code. Called in interactive mode
+ * after auth completes (or when credentials already exist).
+ */
+export function printSetupInstructions() {
+    printLines("", "┌───────────────────────────────────────────────────────┐", "│  Next step: add Pharaoh to Claude Code                │", "│                                                       │", "│  If pharaoh is already registered (e.g. as SSE):      │", "│    claude mcp remove pharaoh                          │", "│                                                       │", "│  Then add as stdio proxy:                             │", "│    claude mcp add pharaoh -- npx @pharaoh-so/mcp     │", "│                                                       │", "│  Verify with:                                         │", "│    claude mcp list                                    │", "└───────────────────────────────────────────────────────┘", "");
+}
+/** Format a credential identity string (e.g. "alice (my-org)"). */
+export function formatIdentity(creds) {
+    return [
+        creds.github_login ?? "unknown",
+        creds.tenant_name ? `(${creds.tenant_name})` : null,
+    ]
+        .filter(Boolean)
+        .join(" ");
+}
+/**
+ * Determine if credentials are valid for proxy use.
+ * Returns a diagnostic message if not, null if valid.
+ */
+export function validateCredentials(creds) {
+    if (!creds || isExpired(creds)) {
+        return [
+            "Pharaoh: no valid credentials — cannot start proxy.",
+            "Run this command first to authenticate:",
+            "  npx @pharaoh-so/mcp",
+            "",
+        ].join("\n");
+    }
+    return null;
+}

package/dist/index.js CHANGED Viewed

@@ -5,171 +5,92 @@
  * Presents as an MCP server on stdio (for Claude Code) and relays messages
  * to a remote Pharaoh SSE server. Authenticates via RFC 8628 device flow
  * so the user can authorize on any device with a browser.
+ *
+ * Two modes determined by whether stdin is a TTY:
+ * - Interactive (TTY): authenticate, print setup instructions, exit.
+ * - Proxy (pipe):      require pre-existing credentials, bridge stdio ↔ SSE.
  */
 import { printActivationPrompt, printAuthSuccess, pollForToken, requestDeviceCode, } from "./auth.js";
-import { deleteCredentials, isExpired, readCredentials, writeCredentials, } from "./credentials.js";
+import { deleteCredentials, isExpired, readCredentials, writeCredentials } from "./credentials.js";
+import { formatIdentity, formatTtl, parseArgs, printLines, printSetupInstructions, printUsage, resolveSseUrl, tokenToCredentials, } from "./helpers.js";
 import { TokenExpiredError, TenantSuspendedError, startProxy } from "./proxy.js";
-const DEFAULT_SERVER = "https://mcp.pharaoh.so";
-/** Parse CLI arguments. */
-function parseArgs() {
+async function main() {
     const args = process.argv.slice(2);
-    let server = DEFAULT_SERVER;
-    let logout = false;
-    for (let i = 0; i < args.length; i++) {
-        if (args[i] === "--server" && args[i + 1]) {
-            server = args[i + 1];
-            i++;
-        }
-        else if (args[i] === "--logout") {
-            logout = true;
-        }
-        else if (args[i] === "--help" || args[i] === "-h") {
-            printUsage();
-            process.exit(0);
-        }
-    }
-    // Strip trailing slash
-    server = server.replace(/\/+$/, "");
-    return { server, logout };
-}
-function printUsage() {
-    process.stderr.write([
-        "Usage: pharaoh-mcp [options]",
-        "",
-        "Options:",
-        "  --server <url>  Pharaoh server URL (default: https://mcp.pharaoh.so)",
-        "  --logout        Clear stored credentials and exit",
-        "  --help, -h      Show this help",
-        "",
-        "Add to Claude Code:",
-        "  claude mcp add pharaoh -- npx @pharaoh-so/mcp",
-        "",
-    ].join("\n") + "\n");
-}
-/** Run the device flow and return a token response. */
-async function authenticate(server) {
-    const deviceCode = await requestDeviceCode(server);
-    printActivationPrompt(deviceCode.user_code, deviceCode.verification_uri);
-    return pollForToken(server, deviceCode.device_code, deviceCode.interval);
-}
-/**
- * Validate that a server-supplied SSE URL shares the same origin as the configured server.
- * Prevents a compromised auth response from redirecting the Bearer token to an attacker's host.
- * Falls back to `${server}/sse` if the URL is missing, malformed, or cross-origin.
- */
-function resolveSseUrl(tokenSseUrl, server) {
-    const fallback = `${server}/sse`;
-    if (!tokenSseUrl)
-        return fallback;
-    try {
-        const sseOrigin = new URL(tokenSseUrl).origin;
-        const serverOrigin = new URL(server).origin;
-        if (sseOrigin !== serverOrigin) {
-            process.stderr.write(`Pharaoh: ignoring cross-origin sse_url (${sseOrigin} ≠ ${serverOrigin})\n`);
-            return fallback;
-        }
-        return tokenSseUrl;
-    }
-    catch {
-        return fallback;
+    if (args.includes("--help") || args.includes("-h")) {
+        printUsage();
+        process.exit(0);
     }
-}
-/** Convert a token response to storable credentials. */
-function tokenToCredentials(token, sseUrl) {
-    return {
-        version: 1,
-        access_token: token.access_token,
-        expires_at: new Date(Date.now() + token.expires_in * 1000).toISOString(),
-        expires_in: token.expires_in,
-        sse_url: sseUrl,
-        github_login: token.github_login ?? null,
-        tenant_name: token.tenant_name ?? null,
-        repos: token.repos ?? [],
-    };
-}
-/** Format remaining TTL as human-readable string (e.g. "5d 12h"). */
-function formatTtl(expiresAt) {
-    const remainingMs = new Date(expiresAt).getTime() - Date.now();
-    if (remainingMs <= 0)
-        return "expired";
-    const hours = Math.floor(remainingMs / 3_600_000);
-    const days = Math.floor(hours / 24);
-    const remHours = hours % 24;
-    if (days > 0)
-        return `${days}d ${remHours}h`;
-    if (hours > 0)
-        return `${hours}h`;
-    return `${Math.floor(remainingMs / 60_000)}m`;
-}
-async function main() {
-    const { server, logout } = parseArgs();
-    // --logout: clear credentials and exit
+    const { server, logout } = parseArgs(args);
     if (logout) {
         deleteCredentials();
-        process.stderr.write("Pharaoh: credentials cleared\n");
+        printLines("Pharaoh: credentials cleared");
         process.exit(0);
     }
-    let creds = readCredentials();
-    // If we have valid credentials, try to connect directly
-    if (creds && !isExpired(creds)) {
-        process.stderr.write(`Pharaoh: token valid for ${formatTtl(creds.expires_at)} — connecting\n`);
-        try {
-            await startProxy(creds.sse_url, creds.access_token);
-            return;
-        }
-        catch (err) {
-            if (err instanceof TokenExpiredError) {
-                process.stderr.write("Pharaoh: token rejected by server — re-authenticating\n");
-                deleteCredentials();
-                creds = null;
-            }
-            else if (err instanceof TenantSuspendedError) {
-                process.stderr.write(`Pharaoh: ${err.message}\n`);
-                process.exit(1);
-            }
-            else {
-                throw err;
-            }
+    const creds = readCredentials();
+    const isInteractive = Boolean(process.stdin.isTTY);
+    // ── Interactive mode (user running in a terminal) ──
+    // Authenticate if needed, print setup instructions, and exit.
+    // The proxy is useless without Claude Code on the other end of stdin.
+    if (isInteractive) {
+        if (creds && !isExpired(creds)) {
+            printLines(`Pharaoh: authenticated as ${formatIdentity(creds)} — token valid for ${formatTtl(creds.expires_at)}, ${creds.repos.length} repo${creds.repos.length === 1 ? "" : "s"} connected`);
+            printSetupInstructions();
+            process.exit(0);
         }
-    }
-    // No valid credentials — run device flow
-    if (!creds || isExpired(creds)) {
-        process.stderr.write("Pharaoh: no valid credentials — starting device authorization\n");
-        const token = await authenticate(server);
+        // No valid credentials — run device flow
+        printLines("Pharaoh: no valid credentials — starting device authorization");
+        const deviceCode = await requestDeviceCode(server);
+        printActivationPrompt(deviceCode.user_code, deviceCode.verification_uri);
+        const token = await pollForToken(server, deviceCode.device_code, deviceCode.interval);
         if (token.provisional) {
-            process.stderr.write(`Pharaoh: provisional access — install the GitHub App to map your repos: ${token.install_url ?? ""}\n`);
+            printLines(`Pharaoh: provisional access — install the GitHub App to map your repos: ${token.install_url ?? ""}`);
         }
         const sseUrl = resolveSseUrl(token.sse_url, server);
-        creds = tokenToCredentials(token, sseUrl);
-        writeCredentials(creds);
+        const newCreds = tokenToCredentials(token, sseUrl);
+        writeCredentials(newCreds);
         printAuthSuccess(token.github_login ?? null, token.tenant_name ?? null, token.repos?.length ?? 0);
+        printSetupInstructions();
+        process.exit(0);
+    }
+    // ── Proxy mode (Claude Code spawned us as a stdio MCP server) ──
+    // If no credentials, we can't run the device flow (no TTY for user interaction).
+    if (!creds || isExpired(creds)) {
+        printLines("Pharaoh: no valid credentials — cannot start proxy.", "Run this command first to authenticate:", "  npx @pharaoh-so/mcp", "");
+        process.exit(1);
     }
-    // Start proxy with fresh credentials
+    // Valid credentials — start the proxy
+    printLines(`Pharaoh: token valid for ${formatTtl(creds.expires_at)} — connecting`);
     try {
         await startProxy(creds.sse_url, creds.access_token);
     }
     catch (err) {
         if (err instanceof TokenExpiredError) {
-            // Token expired during session — delete creds and re-auth
-            process.stderr.write("Pharaoh: session expired — re-authenticating\n");
+            printLines("Pharaoh: token expired or revoked.", "Run this command to re-authenticate:", "  npx @pharaoh-so/mcp", "");
             deleteCredentials();
-            const token = await authenticate(server);
-            const sseUrl = resolveSseUrl(token.sse_url, server);
-            creds = tokenToCredentials(token, sseUrl);
-            writeCredentials(creds);
-            await startProxy(creds.sse_url, creds.access_token);
-        }
-        else if (err instanceof TenantSuspendedError) {
-            process.stderr.write(`Pharaoh: ${err.message}\n`);
             process.exit(1);
         }
-        else {
-            throw err;
+        if (err instanceof TenantSuspendedError) {
+            printLines(`Pharaoh: ${err.message}`);
+            process.exit(1);
         }
+        throw err;
     }
 }
 main().catch((err) => {
-    process.stderr.write(`Pharaoh: fatal — ${err instanceof Error ? err.message : String(err)}\n`);
+    // Default: print only error name/code to avoid leaking tokens, internal URLs,
+    // or stack fragments that persist in CI logs. Full message behind PHARAOH_DEBUG.
+    if (process.env.PHARAOH_DEBUG === "1" && err instanceof Error) {
+        // Use main's comprehensive redaction patterns when showing the full message
+        const safeMsg = err.message
+            .replace(/Bearer\s+\S+/gi, "Bearer [REDACTED]")
+            .replace(/(?:phat|phrt|ghp|gho|ghs|ghu)_\S+/gi, "[REDACTED_TOKEN]")
+            .replace(/[?&](?:code|token|key|secret|password|state)=[^&\s]+/gi, "?[REDACTED_PARAM]")
+            .replace(/\b[0-9a-f]{32,}\b/gi, "[REDACTED_HEX]");
+        printLines(`Pharaoh: fatal — ${safeMsg}`);
+    }
+    else {
+        const label = err instanceof Error ? err.name : "Error";
+        printLines(`Pharaoh: fatal — ${label}. Set PHARAOH_DEBUG=1 for details.`);
+    }
     process.exit(1);
 });
-//# sourceMappingURL=index.js.map

package/dist/proxy.d.ts CHANGED Viewed

@@ -18,6 +18,10 @@ export declare function classifySSEError(err: Error): void;
  *   Claude Code → stdin → StdioServerTransport.onmessage → SSEClientTransport.send → POST /message
  *   Pharaoh → SSE stream → SSEClientTransport.onmessage → StdioServerTransport.send → stdout
  *
+ * CRITICAL ordering: SSE must be connected BEFORE stdio starts reading stdin.
+ * Otherwise the MCP `initialize` message arrives before the remote transport is ready,
+ * gets permanently lost ("send error — Not connected"), and the client times out.
+ *
  * On SSE disconnect, attempts reconnect with exponential backoff (5 retries, ~62s total).
  * Throws TokenExpiredError on 401, TenantSuspendedError on 403.
  */

package/dist/proxy.js CHANGED Viewed

@@ -67,6 +67,10 @@ function createSSETransport(sseUrl, token) {
  *   Claude Code → stdin → StdioServerTransport.onmessage → SSEClientTransport.send → POST /message
  *   Pharaoh → SSE stream → SSEClientTransport.onmessage → StdioServerTransport.send → stdout
  *
+ * CRITICAL ordering: SSE must be connected BEFORE stdio starts reading stdin.
+ * Otherwise the MCP `initialize` message arrives before the remote transport is ready,
+ * gets permanently lost ("send error — Not connected"), and the client times out.
+ *
  * On SSE disconnect, attempts reconnect with exponential backoff (5 retries, ~62s total).
  * Throws TokenExpiredError on 401, TenantSuspendedError on 403.
  */
@@ -74,6 +78,7 @@ export async function startProxy(sseUrl, token) {
     const stdio = new StdioServerTransport();
     let sse = createSSETransport(sseUrl, token);
     let reconnectAttempt = 0;
+    let stdioStarted = false;
     /** Wire up bidirectional message relay between the two transports. */
     function bridge(sseTransport) {
         stdio.onmessage = (msg) => {
@@ -89,22 +94,7 @@ export async function startProxy(sseUrl, token) {
     }
     /** Handle SSE errors — delegates to classifySSEError for 401/403 detection. */
     const handleSSEError = classifySSEError;
-    // Wire up initial bridge
-    bridge(sse);
-    // Handle SSE connection drops with reconnect
-    sse.onerror = (err) => {
-        try {
-            handleSSEError(err);
-        }
-        catch (typed) {
-            // TokenExpiredError or TenantSuspendedError — propagate via close
-            sse.close().catch(() => { });
-            throw typed;
-        }
-    };
-    // Start both transports
-    await stdio.start();
-    // Connect SSE with reconnect loop
+    // Connect SSE with reconnect loop — stdio starts AFTER first successful connection
     await connectWithReconnect();
     /** Attempt SSE connection with exponential backoff on failure. */
     async function connectWithReconnect() {
@@ -115,10 +105,17 @@ export async function startProxy(sseUrl, token) {
                     process.stderr.write(`Pharaoh: reconnecting in ${delay / 1000}s (attempt ${reconnectAttempt}/${BACKOFF_MS.length})...\n`);
                     await sleep(delay);
                     sse = createSSETransport(sseUrl, token);
-                    bridge(sse);
                 }
                 await sse.start();
                 reconnectAttempt = 0; // Reset on successful connection
+                // Bridge AFTER SSE is connected — messages can now be forwarded
+                bridge(sse);
+                // Start stdio AFTER first SSE connection — prevents initialize race
+                if (!stdioStarted) {
+                    process.stderr.write("Pharaoh: connected\n");
+                    await stdio.start();
+                    stdioStarted = true;
+                }
                 // Wait for close — this promise resolves when SSE disconnects
                 await new Promise((resolve, reject) => {
                     sse.onclose = () => resolve();
@@ -154,4 +151,3 @@ export async function startProxy(sseUrl, token) {
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
-//# sourceMappingURL=proxy.js.map

package/package.json CHANGED Viewed

@@ -1,28 +1,32 @@
 {
-	"name": "@pharaoh-so/mcp",
-	"version": "0.1.0",
-	"description": "Stdio-to-SSE proxy for Pharaoh MCP — enables headless environments (VPS, SSH, CI) via device flow auth",
-	"type": "module",
-	"main": "dist/index.js",
-	"bin": {
-		"pharaoh-mcp": "./dist/index.js"
-	},
-	"scripts": {
-		"build": "tsc && node -e \"const fs=require('fs'),f='dist/index.js',c=fs.readFileSync(f,'utf8');if(!c.startsWith('#!'))fs.writeFileSync(f,'#!/usr/bin/env node\\n'+c);fs.chmodSync(f,0o755)\"",
-		"typecheck": "tsc --noEmit",
-		"test": "vitest run",
-		"lint": "biome check src/"
-	},
-	"license": "MIT",
-	"engines": {
-		"node": ">=18"
-	},
-	"dependencies": {
-		"@modelcontextprotocol/sdk": "^1.26.0"
-	},
-	"devDependencies": {
-		"@biomejs/biome": "^2.3.15",
-		"typescript": "^5.9.3",
-		"vitest": "^4.0.18"
-	}
-}
+  "name": "@pharaoh-so/mcp",
+  "version": "0.1.3",
+  "description": "Stdio-to-SSE proxy for Pharaoh MCP — enables headless environments (VPS, SSH, CI) via device flow auth",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "pharaoh-mcp": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.3.15",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  },
+  "scripts": {
+    "build": "tsc && node -e \"const fs=require('fs'),f='dist/index.js',c=fs.readFileSync(f,'utf8');if(!c.startsWith('#!'))fs.writeFileSync(f,'#!/usr/bin/env node\\n'+c);fs.chmodSync(f,0o755)\"",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "lint": "biome check src/"
+  }
+}

package/dist/auth.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA+BH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAe;IACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,SAAS,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;KACxB,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CACjC,OAAe,EACf,UAAkB,EAClB,QAAgB;IAEhB,MAAM,SAAS,GAAG,8CAA8C,CAAC;IAEjE,OAAO,IAAI,EAAE,CAAC;QACb,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC;QACtC,MAAM,KAAK,CAAC,QAAQ,GAAG,IAAI,GAAG,QAAQ,CAAC,CAAC;QAExC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,eAAe,EAAE;YAClD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;SACxE,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;QAC5C,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAqB,CAAC;QAExF,IAAI,IAAI,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;YAC5C,SAAS;QACV,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;YAChC,gDAAgD;YAChD,QAAQ,IAAI,CAAC,CAAC;YACd,SAAS;QACV,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC,CAAC;IACxF,CAAC;AACF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB,EAAE,eAAuB;IAC9E,MAAM,KAAK,GAAG;QACb,EAAE;QACF,+CAA+C;QAC/C,gDAAgD;QAChD,gDAAgD;QAChD,aAAa,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG;QACnC,aAAa,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG;QAC1C,gDAAgD;QAChD,gDAAgD;QAChD,gDAAgD;QAChD,+CAA+C;QAC/C,EAAE;KACF,CAAC;IACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC/B,KAAoB,EACpB,MAAqB,EACrB,SAAiB;IAEjB,MAAM,KAAK,GAAa,CAAC,wBAAwB,CAAC,CAAC;IACnD,IAAI,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,MAAM,KAAK,EAAE,CAAC,CAAC;IACrC,IAAI,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,QAAQ,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC;IACzE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/credentials.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,wEAAwE;AACxE,MAAM,cAAc,GAAG,CAAC,CAAC;AAgBzB,oCAAoC;AACpC,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAEzE;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,IAAI,GAAG,gBAAgB;IACtD,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,MAAM,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAkB,EAAE,IAAI,GAAG,gBAAgB;IAC3E,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClD,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,iBAAiB,CAAC,IAAI,GAAG,gBAAgB;IACxD,IAAI,CAAC;QACJ,UAAU,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACR,yCAAyC;IAC1C,CAAC;AACF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAkB;IAC3C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;IACvD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,UAAU,GAAG,GAAG,CAAC;IAElC,OAAO,GAAG,IAAI,SAAS,GAAG,QAAQ,CAAC;AACpC,CAAC;AAED,+CAA+C;AAC/C,SAAS,kBAAkB,CAAC,KAAc;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACN,GAAG,CAAC,OAAO,KAAK,cAAc;QAC9B,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ;QACpC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;QAC/B,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CACxB,CAAC;AACH,CAAC"}

package/dist/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;GAMG;AACH,OAAO,EACN,qBAAqB,EACrB,gBAAgB,EAChB,YAAY,EACZ,iBAAiB,GAEjB,MAAM,WAAW,CAAC;AACnB,OAAO,EAEN,iBAAiB,EACjB,SAAS,EACT,eAAe,EACf,gBAAgB,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAEjF,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAEhD,2BAA2B;AAC3B,SAAS,SAAS;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,MAAM,GAAG,cAAc,CAAC;IAC5B,IAAI,MAAM,GAAG,KAAK,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,UAAU,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC3C,MAAM,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,CAAC,EAAE,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;YACnC,MAAM,GAAG,IAAI,CAAC;QACf,CAAC;aAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACrD,UAAU,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAED,uBAAuB;IACvB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,UAAU;IAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB;QACC,8BAA8B;QAC9B,EAAE;QACF,UAAU;QACV,wEAAwE;QACxE,qDAAqD;QACrD,kCAAkC;QAClC,EAAE;QACF,qBAAqB;QACrB,iDAAiD;QACjD,EAAE;KACF,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CACnB,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,KAAK,UAAU,YAAY,CAAC,MAAc;IACzC,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnD,qBAAqB,CAAC,UAAU,CAAC,SAAS,EAAE,UAAU,CAAC,gBAAgB,CAAC,CAAC;IACzE,OAAO,YAAY,CAAC,MAAM,EAAE,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;AAC1E,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,WAA+B,EAAE,MAAc;IACrE,MAAM,QAAQ,GAAG,GAAG,MAAM,MAAM,CAAC;IACjC,IAAI,CAAC,WAAW;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,CAAC;QACJ,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QAC9C,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAC5C,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,2CAA2C,SAAS,MAAM,YAAY,KAAK,CAC3E,CAAC;YACF,OAAO,QAAQ,CAAC;QACjB,CAAC;QACD,OAAO,WAAW,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,QAAQ,CAAC;IACjB,CAAC;AACF,CAAC;AAED,wDAAwD;AACxD,SAAS,kBAAkB,CAAC,KAAoB,EAAE,MAAc;IAC/D,OAAO;QACN,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,UAAU,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACxE,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,MAAM;QACf,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,IAAI;QACxC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,EAAE;KACxB,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAS,SAAS,CAAC,SAAiB;IACnC,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC/D,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,KAAK,GAAG,EAAE,CAAC;IAC5B,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,GAAG,IAAI,KAAK,QAAQ,GAAG,CAAC;IAC7C,IAAI,KAAK,GAAG,CAAC;QAAE,OAAO,GAAG,KAAK,GAAG,CAAC;IAClC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC;AAC/C,CAAC;AAED,KAAK,UAAU,IAAI;IAClB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;IAEvC,uCAAuC;IACvC,IAAI,MAAM,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,KAAK,GAAG,eAAe,EAAE,CAAC;IAE9B,wDAAwD;IACxD,IAAI,KAAK,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC/F,IAAI,CAAC;YACJ,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;YACpD,OAAO;QACR,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;gBACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;gBAChF,iBAAiB,EAAE,CAAC;gBACpB,KAAK,GAAG,IAAI,CAAC;YACd,CAAC;iBAAM,IAAI,GAAG,YAAY,oBAAoB,EAAE,CAAC;gBAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;gBAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACP,MAAM,GAAG,CAAC;YACX,CAAC;QACF,CAAC;IACF,CAAC;IAED,yCAAyC;IACzC,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACxF,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;QAEzC,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,2EAA2E,KAAK,CAAC,WAAW,IAAI,EAAE,IAAI,CACtG,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACpD,KAAK,GAAG,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1C,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAExB,gBAAgB,CACf,KAAK,CAAC,YAAY,IAAI,IAAI,EAC1B,KAAK,CAAC,WAAW,IAAI,IAAI,EACzB,KAAK,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC,CACxB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC;QACJ,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IACrD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;YACtC,0DAA0D;YAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACvE,iBAAiB,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACpD,KAAK,GAAG,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAC1C,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACxB,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,GAAG,YAAY,oBAAoB,EAAE,CAAC;YAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;YAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACP,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;AACF,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC,CAAC,CAAC"}

package/dist/proxy.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"proxy.js","sourceRoot":"","sources":["../src/proxy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAEjF,+EAA+E;AAC/E,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC3C;QACC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IACjC,CAAC;CACD;AAED,uEAAuE;AACvE,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QAC1B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACpC,CAAC;CACD;AAED,8DAA8D;AAC9D,MAAM,UAAU,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAU;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;IAC9B,kDAAkD;IAClD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QACnB,MAAM,IAAI,GAAI,GAAyB,CAAC,IAAI,CAAC;QAC7C,IAAI,IAAI,KAAK,GAAG;YAAE,MAAM,IAAI,iBAAiB,EAAE,CAAC;QAChD,IAAI,IAAI,KAAK,GAAG;YAAE,MAAM,IAAI,oBAAoB,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAC;IAC7E,CAAC;IACD,2CAA2C;IAC3C,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,iBAAiB,EAAE,CAAC;IACvD,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,oBAAoB,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAC;AACpF,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,MAAc,EAAE,KAAa;IACxD,MAAM,UAAU,GAAG,UAAU,KAAK,EAAE,CAAC;IACrC,OAAO,IAAI,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE;QAC9C,eAAe,EAAE;YAChB,KAAK,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;gBACpB,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAsB,CAAC,CAAC;gBACnD,CAAC,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;gBACnC,OAAO,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,EAAiB,CAAC,CAAC;YAC3D,CAAC;SACD;QACD,WAAW,EAAE;YACZ,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,EAAE;SACtC;KACD,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc,EAAE,KAAa;IAC7D,MAAM,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;IACzC,IAAI,GAAG,GAAG,kBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC5C,IAAI,gBAAgB,GAAG,CAAC,CAAC;IAEzB,sEAAsE;IACtE,SAAS,MAAM,CAAC,YAAgC;QAC/C,KAAK,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACpC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACrG,CAAC,CAAC,CAAC;QACJ,CAAC,CAAC;QACF,YAAY,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,EAAE;YAChC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACvG,CAAC,CAAC,CAAC;QACJ,CAAC,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,MAAM,cAAc,GAAG,gBAAgB,CAAC;IAExC,yBAAyB;IACzB,MAAM,CAAC,GAAG,CAAC,CAAC;IAEZ,6CAA6C;IAC7C,GAAG,CAAC,OAAO,GAAG,CAAC,GAAG,EAAE,EAAE;QACrB,IAAI,CAAC;YACJ,cAAc,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,kEAAkE;YAClE,GAAG,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YAC5B,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC,CAAC;IAEF,wBAAwB;IACxB,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IAEpB,kCAAkC;IAClC,MAAM,oBAAoB,EAAE,CAAC;IAE7B,kEAAkE;IAClE,KAAK,UAAU,oBAAoB;QAClC,OAAO,gBAAgB,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YAC9C,IAAI,CAAC;gBACJ,IAAI,gBAAgB,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,KAAK,GAAG,UAAU,CAAC,gBAAgB,GAAG,CAAC,CAAC,CAAC;oBAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CACnB,4BAA4B,KAAK,GAAG,IAAI,cAAc,gBAAgB,IAAI,UAAU,CAAC,MAAM,QAAQ,CACnG,CAAC;oBACF,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;oBACnB,GAAG,GAAG,kBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;oBACxC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACb,CAAC;gBAED,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;gBAClB,gBAAgB,GAAG,CAAC,CAAC,CAAC,iCAAiC;gBAEvD,8DAA8D;gBAC9D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC3C,GAAG,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;oBAC9B,GAAG,CAAC,OAAO,GAAG,CAAC,GAAG,EAAE,EAAE;wBACrB,IAAI,CAAC;4BACJ,cAAc,CAAC,GAAG,CAAC,CAAC;wBACrB,CAAC;wBAAC,OAAO,KAAK,EAAE,CAAC;4BAChB,MAAM,CAAC,KAAK,CAAC,CAAC;4BACd,OAAO;wBACR,CAAC;wBACD,2DAA2D;oBAC5D,CAAC,CAAC;gBACH,CAAC,CAAC,CAAC;gBAEH,iCAAiC;gBACjC,gBAAgB,EAAE,CAAC;YACpB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,IAAI,GAAG,YAAY,iBAAiB,IAAI,GAAG,YAAY,oBAAoB,EAAE,CAAC;oBAC7E,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBACpC,MAAM,GAAG,CAAC;gBACX,CAAC;gBACD,gBAAgB,EAAE,CAAC;gBACnB,IAAI,gBAAgB,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC;oBAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;oBAC5E,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBACpC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBAChE,CAAC;YACF,CAAC;QACF,CAAC;IACF,CAAC;AACF,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACxB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/src/auth.ts DELETED Viewed

@@ -1,143 +0,0 @@
-/**
- * Device flow client for Pharaoh MCP proxy (RFC 8628).
- * All user-visible output goes to stderr — stdout is reserved for JSON-RPC.
- */
-/** Response from POST /device. */
-export interface DeviceCodeResponse {
-	device_code: string;
-	user_code: string;
-	verification_uri: string;
-	verification_uri_complete: string;
-	expires_in: number;
-	interval: number;
-}
-/** Successful response from POST /device/token. */
-export interface TokenResponse {
-	access_token: string;
-	token_type: string;
-	expires_in: number;
-	sse_url: string;
-	github_login?: string;
-	tenant_name?: string;
-	repos?: string[];
-	provisional?: boolean;
-	install_url?: string;
-}
-/** Error response from POST /device/token while still waiting. */
-interface DeviceTokenError {
-	error: string;
-	error_description?: string;
-}
-/**
- * Request a device code from the Pharaoh server (RFC 8628 §3.1).
- * Returns the device code, user code, and verification URIs.
- */
-export async function requestDeviceCode(baseUrl: string): Promise<DeviceCodeResponse> {
-	const res = await fetch(`${baseUrl}/device`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({}),
-	});
-	if (!res.ok) {
-		const text = await res.text().catch(() => "");
-		throw new Error(`Device code request failed (${res.status}): ${text}`);
-	}
-	return (await res.json()) as DeviceCodeResponse;
-}
-/**
- * Poll for device authorization completion (RFC 8628 §3.5).
- * Blocks until the user authorizes, the code expires, or an error occurs.
- * Adds 1s jitter to the server-specified interval to avoid thundering herd.
- */
-export async function pollForToken(
-	baseUrl: string,
-	deviceCode: string,
-	interval: number,
-): Promise<TokenResponse> {
-	const grantType = "urn:ietf:params:oauth:grant-type:device_code";
-	while (true) {
-		// Wait interval + 0–1s jitter before each poll
-		const jitterMs = Math.random() * 1000;
-		await sleep(interval * 1000 + jitterMs);
-		const res = await fetch(`${baseUrl}/device/token`, {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ device_code: deviceCode, grant_type: grantType }),
-		});
-		if (res.ok) {
-			return (await res.json()) as TokenResponse;
-		}
-		const body = (await res.json().catch(() => ({ error: "unknown" }))) as DeviceTokenError;
-		if (body.error === "authorization_pending") {
-			continue;
-		}
-		if (body.error === "slow_down") {
-			// RFC 8628 §3.5: increase interval by 5 seconds
-			interval += 5;
-			continue;
-		}
-		if (body.error === "expired_token") {
-			throw new Error("Device code expired. Please try again.");
-		}
-		if (body.error === "access_denied") {
-			throw new Error("Authorization was denied.");
-		}
-		throw new Error(`Device token error: ${body.error} — ${body.error_description ?? ""}`);
-	}
-}
-/**
- * Print the device activation prompt to stderr.
- * Shows the user code and verification URI in a visible box.
- */
-export function printActivationPrompt(userCode: string, verificationUri: string): void {
-	const lines = [
-		"",
-		"┌───────────────────────────────────────────┐",
-		"│  Pharaoh — Device Authorization            │",
-		"│                                            │",
-		`│  Code:  ${userCode.padEnd(33)}│`,
-		`│  URL:   ${verificationUri.padEnd(33)}│`,
-		"│                                            │",
-		"│  Open the URL and enter the code to sign   │",
-		"│  in. You can do this on any device.        │",
-		"└───────────────────────────────────────────┘",
-		"",
-	];
-	process.stderr.write(lines.join("\n") + "\n");
-}
-/**
- * Print authentication success message to stderr.
- */
-export function printAuthSuccess(
-	login: string | null,
-	tenant: string | null,
-	repoCount: number,
-): void {
-	const parts: string[] = ["Pharaoh: authenticated"];
-	if (login) parts.push(`as ${login}`);
-	if (tenant) parts.push(`(${tenant})`);
-	parts.push(`— ${repoCount} repo${repoCount === 1 ? "" : "s"} connected`);
-	process.stderr.write(`${parts.join(" ")}\n`);
-}
-function sleep(ms: number): Promise<void> {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}

package/src/credentials.ts DELETED Viewed

@@ -1,92 +0,0 @@
-/**
- * Credential storage for Pharaoh MCP proxy — persists device flow tokens to ~/.pharaoh/credentials.json.
- * File permissions: 0600 (credentials.json), 0700 (~/.pharaoh/).
- */
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
-import { homedir } from "node:os";
-import { dirname, join } from "node:path";
-/** Current credential schema version — bump when the format changes. */
-const SCHEMA_VERSION = 1;
-/** Stored credential shape. */
-export interface Credentials {
-	version: typeof SCHEMA_VERSION;
-	access_token: string;
-	/** ISO 8601 timestamp when the token expires. */
-	expires_at: string;
-	/** Original TTL in seconds (from the token response). */
-	expires_in: number;
-	sse_url: string;
-	github_login: string | null;
-	tenant_name: string | null;
-	repos: string[];
-}
-/** Default credential file path. */
-const CREDENTIALS_PATH = join(homedir(), ".pharaoh", "credentials.json");
-/**
- * Read and parse stored credentials. Returns null if missing, unreadable,
- * malformed, or wrong schema version.
- */
-export function readCredentials(path = CREDENTIALS_PATH): Credentials | null {
-	try {
-		const raw = readFileSync(path, "utf-8");
-		const parsed: unknown = JSON.parse(raw);
-		if (!isValidCredentials(parsed)) return null;
-		return parsed;
-	} catch {
-		return null;
-	}
-}
-/**
- * Write credentials to disk with restrictive permissions.
- * Creates the parent directory (0700) if it doesn't exist.
- */
-export function writeCredentials(creds: Credentials, path = CREDENTIALS_PATH): void {
-	const dir = dirname(path);
-	if (!existsSync(dir)) {
-		mkdirSync(dir, { recursive: true, mode: 0o700 });
-	}
-	writeFileSync(path, JSON.stringify(creds, null, "\t"), { mode: 0o600 });
-}
-/** Delete the credential file. No-op if it doesn't exist. */
-export function deleteCredentials(path = CREDENTIALS_PATH): void {
-	try {
-		unlinkSync(path);
-	} catch {
-		// File doesn't exist — nothing to delete
-	}
-}
-/**
- * Check if credentials are expired or within 10% of expiry.
- * The 10% buffer prevents connecting with a token that will expire mid-session.
- */
-export function isExpired(creds: Credentials): boolean {
-	const expiresAt = new Date(creds.expires_at).getTime();
-	if (Number.isNaN(expiresAt)) return true;
-	const now = Date.now();
-	const totalTtlMs = creds.expires_in * 1000;
-	const bufferMs = totalTtlMs * 0.1;
-	return now >= expiresAt - bufferMs;
-}
-/** Type guard for valid credential objects. */
-function isValidCredentials(value: unknown): value is Credentials {
-	if (typeof value !== "object" || value === null) return false;
-	const obj = value as Record<string, unknown>;
-	return (
-		obj.version === SCHEMA_VERSION &&
-		typeof obj.access_token === "string" &&
-		typeof obj.expires_at === "string" &&
-		typeof obj.expires_in === "number" &&
-		typeof obj.sse_url === "string" &&
-		Array.isArray(obj.repos)
-	);
-}

package/src/index.ts DELETED Viewed

@@ -1,203 +0,0 @@
-#!/usr/bin/env node
-/**
- * @pharaoh-so/mcp — Stdio-to-SSE proxy for headless MCP environments.
- *
- * Presents as an MCP server on stdio (for Claude Code) and relays messages
- * to a remote Pharaoh SSE server. Authenticates via RFC 8628 device flow
- * so the user can authorize on any device with a browser.
- */
-import {
-	printActivationPrompt,
-	printAuthSuccess,
-	pollForToken,
-	requestDeviceCode,
-	type TokenResponse,
-} from "./auth.js";
-import {
-	type Credentials,
-	deleteCredentials,
-	isExpired,
-	readCredentials,
-	writeCredentials,
-} from "./credentials.js";
-import { TokenExpiredError, TenantSuspendedError, startProxy } from "./proxy.js";
-const DEFAULT_SERVER = "https://mcp.pharaoh.so";
-/** Parse CLI arguments. */
-function parseArgs(): { server: string; logout: boolean } {
-	const args = process.argv.slice(2);
-	let server = DEFAULT_SERVER;
-	let logout = false;
-	for (let i = 0; i < args.length; i++) {
-		if (args[i] === "--server" && args[i + 1]) {
-			server = args[i + 1];
-			i++;
-		} else if (args[i] === "--logout") {
-			logout = true;
-		} else if (args[i] === "--help" || args[i] === "-h") {
-			printUsage();
-			process.exit(0);
-		}
-	}
-	// Strip trailing slash
-	server = server.replace(/\/+$/, "");
-	return { server, logout };
-}
-function printUsage(): void {
-	process.stderr.write(
-		[
-			"Usage: pharaoh-mcp [options]",
-			"",
-			"Options:",
-			"  --server <url>  Pharaoh server URL (default: https://mcp.pharaoh.so)",
-			"  --logout        Clear stored credentials and exit",
-			"  --help, -h      Show this help",
-			"",
-			"Add to Claude Code:",
-			"  claude mcp add pharaoh -- npx @pharaoh-so/mcp",
-			"",
-		].join("\n") + "\n",
-	);
-}
-/** Run the device flow and return a token response. */
-async function authenticate(server: string): Promise<TokenResponse> {
-	const deviceCode = await requestDeviceCode(server);
-	printActivationPrompt(deviceCode.user_code, deviceCode.verification_uri);
-	return pollForToken(server, deviceCode.device_code, deviceCode.interval);
-}
-/**
- * Validate that a server-supplied SSE URL shares the same origin as the configured server.
- * Prevents a compromised auth response from redirecting the Bearer token to an attacker's host.
- * Falls back to `${server}/sse` if the URL is missing, malformed, or cross-origin.
- */
-function resolveSseUrl(tokenSseUrl: string | undefined, server: string): string {
-	const fallback = `${server}/sse`;
-	if (!tokenSseUrl) return fallback;
-	try {
-		const sseOrigin = new URL(tokenSseUrl).origin;
-		const serverOrigin = new URL(server).origin;
-		if (sseOrigin !== serverOrigin) {
-			process.stderr.write(
-				`Pharaoh: ignoring cross-origin sse_url (${sseOrigin} ≠ ${serverOrigin})\n`,
-			);
-			return fallback;
-		}
-		return tokenSseUrl;
-	} catch {
-		return fallback;
-	}
-}
-/** Convert a token response to storable credentials. */
-function tokenToCredentials(token: TokenResponse, sseUrl: string): Credentials {
-	return {
-		version: 1,
-		access_token: token.access_token,
-		expires_at: new Date(Date.now() + token.expires_in * 1000).toISOString(),
-		expires_in: token.expires_in,
-		sse_url: sseUrl,
-		github_login: token.github_login ?? null,
-		tenant_name: token.tenant_name ?? null,
-		repos: token.repos ?? [],
-	};
-}
-/** Format remaining TTL as human-readable string (e.g. "5d 12h"). */
-function formatTtl(expiresAt: string): string {
-	const remainingMs = new Date(expiresAt).getTime() - Date.now();
-	if (remainingMs <= 0) return "expired";
-	const hours = Math.floor(remainingMs / 3_600_000);
-	const days = Math.floor(hours / 24);
-	const remHours = hours % 24;
-	if (days > 0) return `${days}d ${remHours}h`;
-	if (hours > 0) return `${hours}h`;
-	return `${Math.floor(remainingMs / 60_000)}m`;
-}
-async function main(): Promise<void> {
-	const { server, logout } = parseArgs();
-	// --logout: clear credentials and exit
-	if (logout) {
-		deleteCredentials();
-		process.stderr.write("Pharaoh: credentials cleared\n");
-		process.exit(0);
-	}
-	let creds = readCredentials();
-	// If we have valid credentials, try to connect directly
-	if (creds && !isExpired(creds)) {
-		process.stderr.write(`Pharaoh: token valid for ${formatTtl(creds.expires_at)} — connecting\n`);
-		try {
-			await startProxy(creds.sse_url, creds.access_token);
-			return;
-		} catch (err) {
-			if (err instanceof TokenExpiredError) {
-				process.stderr.write("Pharaoh: token rejected by server — re-authenticating\n");
-				deleteCredentials();
-				creds = null;
-			} else if (err instanceof TenantSuspendedError) {
-				process.stderr.write(`Pharaoh: ${err.message}\n`);
-				process.exit(1);
-			} else {
-				throw err;
-			}
-		}
-	}
-	// No valid credentials — run device flow
-	if (!creds || isExpired(creds)) {
-		process.stderr.write("Pharaoh: no valid credentials — starting device authorization\n");
-		const token = await authenticate(server);
-		if (token.provisional) {
-			process.stderr.write(
-				`Pharaoh: provisional access — install the GitHub App to map your repos: ${token.install_url ?? ""}\n`,
-			);
-		}
-		const sseUrl = resolveSseUrl(token.sse_url, server);
-		creds = tokenToCredentials(token, sseUrl);
-		writeCredentials(creds);
-		printAuthSuccess(
-			token.github_login ?? null,
-			token.tenant_name ?? null,
-			token.repos?.length ?? 0,
-		);
-	}
-	// Start proxy with fresh credentials
-	try {
-		await startProxy(creds.sse_url, creds.access_token);
-	} catch (err) {
-		if (err instanceof TokenExpiredError) {
-			// Token expired during session — delete creds and re-auth
-			process.stderr.write("Pharaoh: session expired — re-authenticating\n");
-			deleteCredentials();
-			const token = await authenticate(server);
-			const sseUrl = resolveSseUrl(token.sse_url, server);
-			creds = tokenToCredentials(token, sseUrl);
-			writeCredentials(creds);
-			await startProxy(creds.sse_url, creds.access_token);
-		} else if (err instanceof TenantSuspendedError) {
-			process.stderr.write(`Pharaoh: ${err.message}\n`);
-			process.exit(1);
-		} else {
-			throw err;
-		}
-	}
-}
-main().catch((err) => {
-	process.stderr.write(`Pharaoh: fatal — ${err instanceof Error ? err.message : String(err)}\n`);
-	process.exit(1);
-});

package/src/proxy.ts DELETED Viewed

@@ -1,168 +0,0 @@
-/**
- * Stdio ↔ SSE proxy — bridges a local MCP stdio connection to a remote Pharaoh SSE server.
- * Uses SDK transports on both ends: StdioServerTransport (local) and SSEClientTransport (remote).
- */
-import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-/** Thrown when the remote server returns 401 — token is expired or revoked. */
-export class TokenExpiredError extends Error {
-	constructor() {
-		super("Token expired or revoked (401)");
-		this.name = "TokenExpiredError";
-	}
-}
-/** Thrown when the remote server returns 403 — tenant is suspended. */
-export class TenantSuspendedError extends Error {
-	constructor(message: string) {
-		super(message);
-		this.name = "TenantSuspendedError";
-	}
-}
-/** Backoff schedule for reconnect attempts (milliseconds). */
-const BACKOFF_MS = [2000, 4000, 8000, 16000, 32000];
-/**
- * Classify an SSE error — detect 401/403 and throw typed errors.
- * Exported for testability; used internally by the reconnect loop.
- */
-export function classifySSEError(err: Error): void {
-	const msg = err.message ?? "";
-	// SseError from SDK includes the HTTP status code
-	if ("code" in err) {
-		const code = (err as { code?: number }).code;
-		if (code === 401) throw new TokenExpiredError();
-		if (code === 403) throw new TenantSuspendedError(msg || "Tenant suspended");
-	}
-	// Fallback: check message for status codes
-	if (msg.includes("401")) throw new TokenExpiredError();
-	if (msg.includes("403")) throw new TenantSuspendedError(msg || "Tenant suspended");
-}
-/**
- * Create an SSEClientTransport with Bearer token auth.
- * Injects the Authorization header into both the SSE connection (via custom fetch)
- * and POST requests (via requestInit).
- */
-function createSSETransport(sseUrl: string, token: string): SSEClientTransport {
-	const authHeader = `Bearer ${token}`;
-	return new SSEClientTransport(new URL(sseUrl), {
-		eventSourceInit: {
-			fetch: (url, init) => {
-				const h = new Headers(init.headers as HeadersInit);
-				h.set("Authorization", authHeader);
-				return fetch(url, { ...init, headers: h } as RequestInit);
-			},
-		},
-		requestInit: {
-			headers: { Authorization: authHeader },
-		},
-	});
-}
-/**
- * Start the stdio ↔ SSE proxy. Blocks until the connection is permanently closed.
- *
- * Message flow:
- *   Claude Code → stdin → StdioServerTransport.onmessage → SSEClientTransport.send → POST /message
- *   Pharaoh → SSE stream → SSEClientTransport.onmessage → StdioServerTransport.send → stdout
- *
- * On SSE disconnect, attempts reconnect with exponential backoff (5 retries, ~62s total).
- * Throws TokenExpiredError on 401, TenantSuspendedError on 403.
- */
-export async function startProxy(sseUrl: string, token: string): Promise<void> {
-	const stdio = new StdioServerTransport();
-	let sse = createSSETransport(sseUrl, token);
-	let reconnectAttempt = 0;
-	/** Wire up bidirectional message relay between the two transports. */
-	function bridge(sseTransport: SSEClientTransport): void {
-		stdio.onmessage = (msg) => {
-			sseTransport.send(msg).catch((err) => {
-				process.stderr.write(`Pharaoh: send error — ${err instanceof Error ? err.message : String(err)}\n`);
-			});
-		};
-		sseTransport.onmessage = (msg) => {
-			stdio.send(msg).catch((err) => {
-				process.stderr.write(`Pharaoh: stdout error — ${err instanceof Error ? err.message : String(err)}\n`);
-			});
-		};
-	}
-	/** Handle SSE errors — delegates to classifySSEError for 401/403 detection. */
-	const handleSSEError = classifySSEError;
-	// Wire up initial bridge
-	bridge(sse);
-	// Handle SSE connection drops with reconnect
-	sse.onerror = (err) => {
-		try {
-			handleSSEError(err);
-		} catch (typed) {
-			// TokenExpiredError or TenantSuspendedError — propagate via close
-			sse.close().catch(() => {});
-			throw typed;
-		}
-	};
-	// Start both transports
-	await stdio.start();
-	// Connect SSE with reconnect loop
-	await connectWithReconnect();
-	/** Attempt SSE connection with exponential backoff on failure. */
-	async function connectWithReconnect(): Promise<void> {
-		while (reconnectAttempt <= BACKOFF_MS.length) {
-			try {
-				if (reconnectAttempt > 0) {
-					const delay = BACKOFF_MS[reconnectAttempt - 1];
-					process.stderr.write(
-						`Pharaoh: reconnecting in ${delay / 1000}s (attempt ${reconnectAttempt}/${BACKOFF_MS.length})...\n`,
-					);
-					await sleep(delay);
-					sse = createSSETransport(sseUrl, token);
-					bridge(sse);
-				}
-				await sse.start();
-				reconnectAttempt = 0; // Reset on successful connection
-				// Wait for close — this promise resolves when SSE disconnects
-				await new Promise<void>((resolve, reject) => {
-					sse.onclose = () => resolve();
-					sse.onerror = (err) => {
-						try {
-							handleSSEError(err);
-						} catch (typed) {
-							reject(typed);
-							return;
-						}
-						// Non-fatal error — SSE will auto-close, onclose will fire
-					};
-				});
-				// SSE closed — attempt reconnect
-				reconnectAttempt++;
-			} catch (err) {
-				if (err instanceof TokenExpiredError || err instanceof TenantSuspendedError) {
-					await stdio.close().catch(() => {});
-					throw err;
-				}
-				reconnectAttempt++;
-				if (reconnectAttempt > BACKOFF_MS.length) {
-					process.stderr.write("Pharaoh: max reconnect attempts reached — exiting\n");
-					await stdio.close().catch(() => {});
-					throw new Error("SSE connection failed after maximum retries");
-				}
-			}
-		}
-	}
-}
-function sleep(ms: number): Promise<void> {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}

package/tsconfig.json DELETED Viewed

@@ -1,18 +0,0 @@
-{
-	"compilerOptions": {
-		"target": "ES2022",
-		"module": "NodeNext",
-		"moduleResolution": "NodeNext",
-		"outDir": "dist",
-		"rootDir": "src",
-		"strict": true,
-		"esModuleInterop": true,
-		"skipLibCheck": true,
-		"forceConsistentCasingInFileNames": true,
-		"declaration": true,
-		"sourceMap": true,
-		"resolveJsonModule": true
-	},
-	"include": ["src/**/*.ts"],
-	"exclude": ["node_modules", "dist"]
-}