npm - @productbrain/mcp - Versions diffs - 0.0.1-beta.15 → 0.0.1-beta.151 - Mend

@productbrain/mcp 0.0.1-beta.15 → 0.0.1-beta.151

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/chunk-ML7BPLBX.js +15321 -0
package/dist/chunk-ML7BPLBX.js.map +1 -0
package/dist/chunk-X3S5UTTZ.js +363 -0
package/dist/chunk-X3S5UTTZ.js.map +1 -0
package/dist/cli/index.js +1 -1
package/dist/http.js +262 -29
package/dist/http.js.map +1 -1
package/dist/index.js +56 -31
package/dist/index.js.map +1 -1
package/dist/{setup-GZ5OZ5OP.js → setup-I6KRGWFC.js} +36 -104
package/dist/setup-I6KRGWFC.js.map +1 -0
package/dist/views/src/entry-cards/index.html +227 -0
package/dist/views/src/graph-constellation/index.html +254 -0
package/package.json +6 -3
package/dist/chunk-3QNBVXRP.js +0 -4543
package/dist/chunk-3QNBVXRP.js.map +0 -1
package/dist/chunk-47LO6K2R.js +0 -1423
package/dist/chunk-47LO6K2R.js.map +0 -1
package/dist/chunk-XBMI6QHR.js +0 -100
package/dist/chunk-XBMI6QHR.js.map +0 -1
package/dist/setup-GZ5OZ5OP.js.map +0 -1
package/dist/smart-capture-4DNBNMRG.js +0 -14
package/dist/smart-capture-4DNBNMRG.js.map +0 -1

package/dist/http.js CHANGED Viewed

@@ -1,15 +1,16 @@
 import {
   SERVER_VERSION,
-  createProductBrainServer
-} from "./chunk-3QNBVXRP.js";
-import {
   bootstrapHttp,
+  createProductBrainServer,
+  hashKey,
+  initFeatureFlags,
   runWithAuth
-} from "./chunk-47LO6K2R.js";
+} from "./chunk-ML7BPLBX.js";
 import {
+  getPostHogClient,
   initAnalytics,
   shutdownAnalytics
-} from "./chunk-XBMI6QHR.js";
+} from "./chunk-X3S5UTTZ.js";
 // src/http.ts
 import { createHash, randomUUID } from "crypto";
@@ -19,19 +20,21 @@ import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import rateLimit from "express-rate-limit";
 bootstrapHttp();
 initAnalytics();
-var PORT = parseInt(process.env.PORT ?? process.env.MCP_PORT ?? "3000", 10);
+initFeatureFlags(getPostHogClient());
+var PORT = parseInt(process.env.PORT ?? process.env.MCP_PORT ?? "3002", 10);
 function baseUrl(req) {
   const proto = req.headers["x-forwarded-proto"] ?? req.protocol ?? "http";
   const host = req.headers.host ?? `localhost:${PORT}`;
   return `${proto}://${host}`;
 }
 var app = express();
+app.set("trust proxy", 1);
 app.use(express.json());
 var ALLOWED_ORIGINS = process.env.CORS_ORIGINS?.split(",").map((o) => o.trim()).filter(Boolean);
 app.use((_req, res, next) => {
   const origin = _req.headers.origin;
-  if (!ALLOWED_ORIGINS || origin && ALLOWED_ORIGINS.includes(origin)) {
-    res.setHeader("Access-Control-Allow-Origin", origin ?? "*");
+  if (ALLOWED_ORIGINS && origin && ALLOWED_ORIGINS.includes(origin)) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
   }
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
   res.setHeader(
@@ -62,17 +65,33 @@ app.get("/.well-known/oauth-authorization-server", (req, res) => {
     token_endpoint: `${base}/oauth/token`,
     registration_endpoint: `${base}/register`,
     response_types_supported: ["code"],
-    grant_types_supported: ["authorization_code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
     code_challenge_methods_supported: ["S256"],
     token_endpoint_auth_methods_supported: ["none"],
     scopes_supported: ["mcp:tools", "mcp:resources"]
   });
 });
+var authLimiter = rateLimit({
+  windowMs: 6e4,
+  max: 20,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many auth requests. Try again later." }
+});
 var registeredClients = /* @__PURE__ */ new Map();
+var MAX_REGISTERED_CLIENTS = 500;
 app.post(
   "/register",
+  authLimiter,
   express.json(),
   (req, res) => {
+    if (registeredClients.size >= MAX_REGISTERED_CLIENTS) {
+      res.status(503).json({
+        error: "server_error",
+        error_description: "Registration limit reached. Try again later."
+      });
+      return;
+    }
     const { redirect_uris, client_name } = req.body;
     if (!Array.isArray(redirect_uris) || redirect_uris.length === 0) {
       res.status(400).json({
@@ -100,6 +119,12 @@ app.post(
   }
 );
 var pendingCodes = /* @__PURE__ */ new Map();
+var ACCESS_TOKEN_TTL = 3600;
+var ACCESS_TOKEN_TTL_MS = ACCESS_TOKEN_TTL * 1e3;
+var REFRESH_TOKEN_TTL_MS = 90 * 24 * 60 * 6e4;
+var refreshTokens = /* @__PURE__ */ new Map();
+var accessTokens = /* @__PURE__ */ new Map();
+var MAX_ACCESS_TOKENS = 1e3;
 setInterval(() => {
   const now = Date.now();
   for (const [code, auth] of pendingCodes) {
@@ -108,6 +133,23 @@ setInterval(() => {
   for (const [id, client] of registeredClients) {
     if (now - client.registeredAt > 24 * 60 * 6e4) registeredClients.delete(id);
   }
+  for (const [token, entry] of refreshTokens) {
+    if (now - entry.createdAt > REFRESH_TOKEN_TTL_MS) refreshTokens.delete(token);
+  }
+  for (const [token, entry] of accessTokens) {
+    if (now - entry.createdAt > ACCESS_TOKEN_TTL_MS) accessTokens.delete(token);
+  }
+  for (const [ip, rec] of authFailures) {
+    if (rec.blockedUntil < now && rec.firstFailure + AUTH_FAILURE_WINDOW_MS < now) {
+      authFailures.delete(ip);
+    }
+  }
+  if (authFailures.size > MAX_AUTH_FAILURE_ENTRIES) {
+    const sorted = [...authFailures.entries()].sort((a, b) => a[1].firstFailure - b[1].firstFailure);
+    for (let i = 0; i < sorted.length - MAX_AUTH_FAILURE_ENTRIES; i++) {
+      authFailures.delete(sorted[i][0]);
+    }
+  }
 }, 6e4);
 function esc(s) {
   return String(s ?? "").replace(
@@ -115,8 +157,8 @@ function esc(s) {
     (c) => ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" })[c]
   );
 }
-app.get("/authorize", (req, res) => {
-  const { redirect_uri, code_challenge, code_challenge_method, state } = req.query;
+app.get("/authorize", authLimiter, (req, res) => {
+  const { redirect_uri, code_challenge, code_challenge_method, state, client_id } = req.query;
   res.type("html").send(`<!DOCTYPE html>
 <html lang="en"><head>
 <meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
@@ -145,6 +187,7 @@ button:hover{background:#6d28d9}
   <input type="hidden" name="code_challenge" value="${esc(code_challenge)}">
   <input type="hidden" name="code_challenge_method" value="${esc(code_challenge_method)}">
   <input type="hidden" name="state" value="${esc(state)}">
+  <input type="hidden" name="client_id" value="${esc(client_id)}">
   <label for="k">API Key</label>
   <input type="password" id="k" name="api_key" placeholder="pb_sk_\u2026" required autofocus>
   <p class="err" id="e">Key must start with pb_sk_</p>
@@ -158,13 +201,29 @@ e.preventDefault();document.getElementById("e").style.display="block"}}</script>
 });
 app.post(
   "/authorize",
+  authLimiter,
   express.urlencoded({ extended: false }),
   (req, res) => {
-    const { api_key, redirect_uri, code_challenge, state } = req.body;
+    const { api_key, redirect_uri, code_challenge, state, client_id } = req.body;
     if (!api_key?.startsWith("pb_sk_")) {
       res.status(400).send("Invalid API key");
       return;
     }
+    if (!client_id || !registeredClients.has(client_id)) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "Unknown or missing client_id"
+      });
+      return;
+    }
+    const client = registeredClients.get(client_id);
+    if (!client.redirect_uris.includes(redirect_uri)) {
+      res.status(400).json({
+        error: "invalid_request",
+        error_description: "redirect_uri does not match any registered redirect for this client"
+      });
+      return;
+    }
     const code = randomUUID();
     pendingCodes.set(code, {
       apiKey: api_key,
@@ -178,12 +237,53 @@ app.post(
     res.redirect(302, url.toString());
   }
 );
+function issueTokens(apiKey) {
+  const opaqueToken = `pb_at_${randomUUID()}`;
+  const now = Date.now();
+  if (accessTokens.size >= MAX_ACCESS_TOKENS) {
+    let oldestKey = "";
+    let oldestTime = Infinity;
+    for (const [k, v] of accessTokens) {
+      if (v.createdAt < oldestTime) {
+        oldestTime = v.createdAt;
+        oldestKey = k;
+      }
+    }
+    if (oldestKey) accessTokens.delete(oldestKey);
+  }
+  accessTokens.set(opaqueToken, { apiKey, createdAt: now });
+  const refreshToken = `pb_rt_${randomUUID()}`;
+  refreshTokens.set(refreshToken, { apiKey, createdAt: now });
+  return {
+    access_token: opaqueToken,
+    token_type: "Bearer",
+    expires_in: ACCESS_TOKEN_TTL,
+    refresh_token: refreshToken
+  };
+}
 app.post(
   "/oauth/token",
+  authLimiter,
   express.urlencoded({ extended: false }),
   express.json(),
   (req, res) => {
-    const { grant_type, code, code_verifier, redirect_uri } = req.body;
+    const { grant_type, code, code_verifier, redirect_uri, refresh_token } = req.body;
+    if (grant_type === "refresh_token") {
+      const entry = refreshTokens.get(refresh_token);
+      if (!entry) {
+        res.status(400).json({ error: "invalid_grant", error_description: "Invalid refresh token" });
+        return;
+      }
+      if (Date.now() - entry.createdAt > REFRESH_TOKEN_TTL_MS) {
+        refreshTokens.delete(refresh_token);
+        res.status(400).json({ error: "invalid_grant", error_description: "Refresh token expired" });
+        return;
+      }
+      const apiKey = entry.apiKey;
+      refreshTokens.delete(refresh_token);
+      res.json(issueTokens(apiKey));
+      return;
+    }
     if (grant_type !== "authorization_code") {
       res.status(400).json({ error: "unsupported_grant_type" });
       return;
@@ -203,11 +303,7 @@ app.post(
       return;
     }
     pendingCodes.delete(code);
-    res.json({
-      access_token: pending.apiKey,
-      token_type: "Bearer",
-      expires_in: 3600
-    });
+    res.json(issueTokens(pending.apiKey));
   }
 );
 var mcpLimiter = rateLimit({
@@ -217,16 +313,46 @@ var mcpLimiter = rateLimit({
   legacyHeaders: false,
   message: { error: "Too many requests. Try again later." }
 });
+var authFailures = /* @__PURE__ */ new Map();
+var AUTH_FAILURE_MAX = 10;
+var AUTH_FAILURE_WINDOW_MS = 5 * 6e4;
+var AUTH_BLOCK_DURATION_MS = 15 * 6e4;
+var MAX_AUTH_FAILURE_ENTRIES = 1e4;
+function checkAuthBlock(ip) {
+  const rec = authFailures.get(ip);
+  if (!rec) return false;
+  return rec.blockedUntil > Date.now();
+}
+function recordAuthFailure(ip) {
+  const now = Date.now();
+  const rec = authFailures.get(ip);
+  if (!rec) {
+    authFailures.set(ip, { count: 1, firstFailure: now, blockedUntil: 0 });
+    return;
+  }
+  if (now - rec.firstFailure > AUTH_FAILURE_WINDOW_MS) {
+    rec.count = 1;
+    rec.firstFailure = now;
+    rec.blockedUntil = 0;
+  } else {
+    rec.count++;
+    if (rec.count >= AUTH_FAILURE_MAX) {
+      rec.blockedUntil = now + AUTH_BLOCK_DURATION_MS;
+    }
+  }
+}
 app.get("/health", (_req, res) => {
   res.json({ status: "ok", version: SERVER_VERSION, transport: "http" });
 });
 var sessions = /* @__PURE__ */ new Map();
 var SESSION_TTL_MS = 30 * 60 * 1e3;
 var MAX_SESSIONS = 200;
+var MAX_SESSIONS_PER_KEY = 5;
 function evictStaleSessions() {
   const now = Date.now();
   for (const [id, entry] of sessions) {
     if (now - entry.lastAccess > SESSION_TTL_MS) {
+      logSessionLifecycle("session_deleted", id, "ttl");
       entry.transport.close().catch(() => {
       });
       sessions.delete(id);
@@ -237,6 +363,7 @@ function evictStaleSessions() {
       (a, b) => a[1].lastAccess - b[1].lastAccess
     );
     for (let i = 0; i < sorted.length - MAX_SESSIONS; i++) {
+      logSessionLifecycle("session_deleted", sorted[i][0], "eviction");
       sorted[i][1].transport.close().catch(() => {
       });
       sessions.delete(sorted[i][0]);
@@ -248,7 +375,20 @@ function extractBearerKey(req) {
   const header = req.headers?.authorization;
   if (typeof header !== "string" || !header.startsWith("Bearer ")) return null;
   const token = header.slice(7).trim();
-  return token.startsWith("pb_sk_") ? token : null;
+  if (token.startsWith("pb_sk_")) {
+    return token;
+  }
+  if (token.startsWith("pb_at_")) {
+    const entry = accessTokens.get(token);
+    if (!entry) return null;
+    const now = Date.now();
+    if (now - entry.createdAt > ACCESS_TOKEN_TTL_MS) {
+      accessTokens.delete(token);
+      return null;
+    }
+    return entry.apiKey;
+  }
+  return null;
 }
 function send401(req, res) {
   const base = baseUrl(req);
@@ -257,43 +397,86 @@ function send401(req, res) {
     `Bearer resource_metadata="${base}/.well-known/oauth-protected-resource"`
   ).json({ error: "unauthorized" });
 }
-function logRequest(method, outcome, sessionId) {
+function logRequest(method, outcome, sessionId, durationMs) {
   const ts = (/* @__PURE__ */ new Date()).toISOString();
   const sid = sessionId ? ` session=${sessionId}` : "";
-  process.stderr.write(`[HTTP] ${ts} ${method} ${outcome}${sid}
+  const dur = durationMs != null ? ` duration=${durationMs}ms` : "";
+  process.stderr.write(`[HTTP] ${ts} ${method} ${outcome}${sid}${dur}
+`);
+}
+function logSessionLifecycle(event, sessionId, reason) {
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  const r = reason ? ` reason=${reason}` : "";
+  process.stderr.write(`[HTTP] ${ts} ${event} session=${sessionId}${r}
 `);
 }
 app.post("/mcp", mcpLimiter, async (req, res) => {
+  const reqIp = req.ip ?? "unknown";
+  if (checkAuthBlock(reqIp)) {
+    res.status(429).json({ error: "Too many failed auth attempts. Try again later." });
+    return;
+  }
   const apiKey = extractBearerKey(req);
   if (!apiKey) {
     logRequest("POST", "auth_fail");
+    recordAuthFailure(reqIp);
     send401(req, res);
     return;
   }
   const sessionId = req.headers["mcp-session-id"];
+  const reqStart = Date.now();
   try {
     await runWithAuth({ apiKey }, async () => {
       if (sessionId && sessions.has(sessionId)) {
         const entry = sessions.get(sessionId);
+        if (entry.keyHash !== hashKey(apiKey)) {
+          res.status(403).json({
+            jsonrpc: "2.0",
+            error: { code: -32e3, message: "Session key mismatch" },
+            id: null
+          });
+          return;
+        }
         entry.lastAccess = Date.now();
         await entry.transport.handleRequest(req, res, req.body);
-        logRequest("POST", "ok", sessionId);
+        logRequest("POST", "ok", sessionId, Date.now() - reqStart);
       } else if (!sessionId && isInitializeRequest(req.body)) {
+        const keyH = hashKey(apiKey);
+        let keySessionCount = 0;
+        for (const entry of sessions.values()) {
+          if (entry.keyHash === keyH) keySessionCount++;
+        }
+        if (keySessionCount >= MAX_SESSIONS_PER_KEY) {
+          res.status(429).json({
+            jsonrpc: "2.0",
+            error: { code: -32e3, message: "Too many sessions for this API key" },
+            id: null
+          });
+          return;
+        }
         const transport = new StreamableHTTPServerTransport({
           sessionIdGenerator: () => randomUUID(),
           onsessioninitialized: (sid) => {
-            sessions.set(sid, { transport, lastAccess: Date.now() });
-            logRequest("POST", "ok", sid);
+            sessions.set(sid, { transport, lastAccess: Date.now(), keyHash: keyH });
+            logSessionLifecycle("session_created", sid);
           }
         });
         transport.onclose = () => {
           const sid = transport.sessionId;
-          if (sid) sessions.delete(sid);
+          if (sid) {
+            logSessionLifecycle("session_deleted", sid, "onclose");
+            sessions.delete(sid);
+          }
         };
         const server = createProductBrainServer();
         await server.connect(transport);
         await transport.handleRequest(req, res, req.body);
+        logRequest("POST", "ok", transport.sessionId ?? void 0, Date.now() - reqStart);
       } else {
+        process.stderr.write(
+          `[HTTP] ${(/* @__PURE__ */ new Date()).toISOString()} session_invalid no valid session ID (client may have omitted Mcp-Session-Id)
+`
+        );
         res.status(400).json({
           jsonrpc: "2.0",
           error: { code: -32e3, message: "Bad Request: no valid session ID provided" },
@@ -302,7 +485,7 @@ app.post("/mcp", mcpLimiter, async (req, res) => {
       }
     });
   } catch (err) {
-    logRequest("POST", "error", sessionId);
+    logRequest("POST", "error", sessionId, Date.now() - reqStart);
     if (!res.headersSent) {
       res.status(500).json({
         jsonrpc: "2.0",
@@ -313,9 +496,15 @@ app.post("/mcp", mcpLimiter, async (req, res) => {
   }
 });
 app.get("/mcp", mcpLimiter, async (req, res) => {
+  const reqIp = req.ip ?? "unknown";
+  if (checkAuthBlock(reqIp)) {
+    res.status(429).json({ error: "Too many failed auth attempts. Try again later." });
+    return;
+  }
   const apiKey = extractBearerKey(req);
   if (!apiKey) {
     logRequest("GET", "auth_fail");
+    recordAuthFailure(reqIp);
     send401(req, res);
     return;
   }
@@ -327,6 +516,14 @@ app.get("/mcp", mcpLimiter, async (req, res) => {
   try {
     await runWithAuth({ apiKey }, async () => {
       const entry = sessions.get(sessionId);
+      if (entry.keyHash !== hashKey(apiKey)) {
+        res.status(403).json({
+          jsonrpc: "2.0",
+          error: { code: -32e3, message: "Session key mismatch" },
+          id: null
+        });
+        return;
+      }
       entry.lastAccess = Date.now();
       await entry.transport.handleRequest(req, res);
       logRequest("GET", "ok", sessionId);
@@ -336,9 +533,15 @@ app.get("/mcp", mcpLimiter, async (req, res) => {
   }
 });
 app.delete("/mcp", mcpLimiter, async (req, res) => {
+  const reqIp = req.ip ?? "unknown";
+  if (checkAuthBlock(reqIp)) {
+    res.status(429).json({ error: "Too many failed auth attempts. Try again later." });
+    return;
+  }
   const apiKey = extractBearerKey(req);
   if (!apiKey) {
     logRequest("DELETE", "auth_fail");
+    recordAuthFailure(reqIp);
     send401(req, res);
     return;
   }
@@ -350,6 +553,14 @@ app.delete("/mcp", mcpLimiter, async (req, res) => {
   try {
     await runWithAuth({ apiKey }, async () => {
       const entry = sessions.get(sessionId);
+      if (entry.keyHash !== hashKey(apiKey)) {
+        res.status(403).json({
+          jsonrpc: "2.0",
+          error: { code: -32e3, message: "Session key mismatch" },
+          id: null
+        });
+        return;
+      }
       await entry.transport.handleRequest(req, res);
       logRequest("DELETE", "ok", sessionId);
     });
@@ -357,18 +568,40 @@ app.delete("/mcp", mcpLimiter, async (req, res) => {
     logRequest("DELETE", "error", sessionId);
   }
 });
-app.listen(PORT, "0.0.0.0", () => {
-  console.log(`Product Brain MCP HTTP server v${SERVER_VERSION} listening on port ${PORT}`);
+process.on("unhandledRejection", (reason) => {
+  const msg = reason instanceof Error ? reason.message : String(reason);
+  console.error(`[MCP HTTP] Unhandled rejection: ${msg}`);
+});
+process.on("uncaughtException", (err) => {
+  console.error(`[MCP HTTP] Uncaught exception: ${err.stack ?? err.message}`);
+  gracefulShutdown();
 });
+var shuttingDown = false;
 async function gracefulShutdown() {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  setTimeout(() => process.exit(1), 3e3).unref();
   console.log("Shutting down...");
   for (const [, entry] of sessions) {
     await entry.transport.close().catch(() => {
     });
   }
-  await shutdownAnalytics();
+  try {
+    await shutdownAnalytics();
+  } catch {
+  }
   process.exit(0);
 }
+var LISTEN_HOST = "0.0.0.0";
+var httpServer = app.listen(PORT, LISTEN_HOST, () => {
+  console.log(
+    `Product Brain MCP HTTP server v${SERVER_VERSION} listening on ${LISTEN_HOST}:${PORT}`
+  );
+});
+httpServer.on("error", (err) => {
+  console.error(`[MCP HTTP] Server error: ${err.message}`);
+  process.exit(1);
+});
 process.on("SIGINT", gracefulShutdown);
 process.on("SIGTERM", gracefulShutdown);
 //# sourceMappingURL=http.js.map