@rubytech/create-maxy-code 0.1.351 → 0.1.353

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/package.json +2 -2
  2. package/payload/platform/config/brand.json +1 -1
  3. package/payload/platform/package-lock.json +76 -1
  4. package/payload/platform/plugins/.claude-plugin/marketplace.json +5 -0
  5. package/payload/platform/plugins/admin/hooks/lib/maxy-mcp-plugins.txt +1 -0
  6. package/payload/platform/plugins/admin/mcp/dist/__tests__/capabilities-here.test.js +27 -10
  7. package/payload/platform/plugins/admin/mcp/dist/__tests__/capabilities-here.test.js.map +1 -1
  8. package/payload/platform/plugins/admin/skills/agent-builder/references/agent-pattern.md +1 -1
  9. package/payload/platform/plugins/admin/skills/platform-architecture/SKILL.md +40 -2
  10. package/payload/platform/plugins/cloudflare/skills/calendar-site/SKILL.md +2 -2
  11. package/payload/platform/plugins/cloudflare/skills/calendar-site/template/public/booking.css +41 -0
  12. package/payload/platform/plugins/cloudflare/skills/calendar-site/template/public/booking.js +236 -47
  13. package/payload/platform/plugins/cloudflare/skills/calendar-site/template/public/index.html +6 -0
  14. package/payload/platform/plugins/connector/.claude-plugin/plugin.json +21 -0
  15. package/payload/platform/plugins/connector/PLUGIN.md +55 -0
  16. package/payload/platform/plugins/connector/lib/mcp-spawn-tee/index.js +193 -0
  17. package/payload/platform/plugins/connector/lib/mcp-spawn-tee/package.json +3 -0
  18. package/payload/platform/plugins/connector/mcp/dist/index.d.ts +2 -0
  19. package/payload/platform/plugins/connector/mcp/dist/index.d.ts.map +1 -0
  20. package/payload/platform/plugins/connector/mcp/dist/index.js +119 -0
  21. package/payload/platform/plugins/connector/mcp/dist/index.js.map +1 -0
  22. package/payload/platform/plugins/connector/mcp/dist/lib/call.d.ts +54 -0
  23. package/payload/platform/plugins/connector/mcp/dist/lib/call.d.ts.map +1 -0
  24. package/payload/platform/plugins/connector/mcp/dist/lib/call.js +157 -0
  25. package/payload/platform/plugins/connector/mcp/dist/lib/call.js.map +1 -0
  26. package/payload/platform/plugins/connector/mcp/dist/lib/redact.d.ts +10 -0
  27. package/payload/platform/plugins/connector/mcp/dist/lib/redact.d.ts.map +1 -0
  28. package/payload/platform/plugins/connector/mcp/dist/lib/redact.js +29 -0
  29. package/payload/platform/plugins/connector/mcp/dist/lib/redact.js.map +1 -0
  30. package/payload/platform/plugins/connector/mcp/dist/lib/ssrf.d.ts +29 -0
  31. package/payload/platform/plugins/connector/mcp/dist/lib/ssrf.d.ts.map +1 -0
  32. package/payload/platform/plugins/connector/mcp/dist/lib/ssrf.js +112 -0
  33. package/payload/platform/plugins/connector/mcp/dist/lib/ssrf.js.map +1 -0
  34. package/payload/platform/plugins/connector/mcp/dist/lib/store.d.ts +25 -0
  35. package/payload/platform/plugins/connector/mcp/dist/lib/store.d.ts.map +1 -0
  36. package/payload/platform/plugins/connector/mcp/dist/lib/store.js +63 -0
  37. package/payload/platform/plugins/connector/mcp/dist/lib/store.js.map +1 -0
  38. package/payload/platform/plugins/connector/mcp/dist/scripts/audit-connectors.d.ts +9 -0
  39. package/payload/platform/plugins/connector/mcp/dist/scripts/audit-connectors.d.ts.map +1 -0
  40. package/payload/platform/plugins/connector/mcp/dist/scripts/audit-connectors.js +63 -0
  41. package/payload/platform/plugins/connector/mcp/dist/scripts/audit-connectors.js.map +1 -0
  42. package/payload/platform/plugins/connector/mcp/package.json +20 -0
  43. package/payload/platform/plugins/docs/references/connector.md +33 -0
  44. package/payload/platform/plugins/docs/references/getting-started.md +1 -1
  45. package/payload/platform/scripts/check-agent-contract.mjs +97 -0
  46. package/payload/platform/services/claude-session-manager/dist/canonical-tool-names.generated.d.ts.map +1 -1
  47. package/payload/platform/services/claude-session-manager/dist/canonical-tool-names.generated.js +5 -0
  48. package/payload/platform/services/claude-session-manager/dist/canonical-tool-names.generated.js.map +1 -1
  49. package/payload/platform/templates/agents/admin/IDENTITY.md +4 -0
  50. package/payload/platform/templates/specialists/agents/citation-auditor.md +5 -1
  51. package/payload/platform/templates/specialists/agents/coding-assistant.md +8 -0
  52. package/payload/platform/templates/specialists/agents/compiled-truth-rewriter.md +4 -0
  53. package/payload/platform/templates/specialists/agents/content-producer.md +8 -0
  54. package/payload/platform/templates/specialists/agents/data-manager.md +9 -1
  55. package/payload/platform/templates/specialists/agents/database-operator.md +12 -0
  56. package/payload/platform/templates/specialists/agents/librarian.md +9 -1
  57. package/payload/platform/templates/specialists/agents/personal-assistant.md +8 -0
  58. package/payload/platform/templates/specialists/agents/project-manager.md +8 -0
  59. package/payload/platform/templates/specialists/agents/public-session-reviewer.md +9 -1
  60. package/payload/platform/templates/specialists/agents/research-assistant.md +8 -0
  61. package/payload/platform/templates/specialists/agents/typed-edge-classifier.md +4 -2
  62. package/payload/premium-plugins/writer-craft/agents/writer-craft--manuscript-reviewer.md +12 -0
  63. package/payload/server/public/assets/{AdminLoginScreens-B1cvICYI.js → AdminLoginScreens-CzdOQKyO.js} +1 -1
  64. package/payload/server/public/assets/{AdminShell-B-GeoG3j.js → AdminShell-CC-CuN6Y.js} +1 -1
  65. package/payload/server/public/assets/{Checkbox-DoGMXVpF.js → Checkbox-sQBc9xSy.js} +1 -1
  66. package/payload/server/public/assets/{OperatorConversations-CfG1EYyP.js → OperatorConversations-CA_2c3sp.js} +1 -1
  67. package/payload/server/public/assets/OperatorConversations-DPVKGsRS.css +1 -0
  68. package/payload/server/public/assets/{admin-DF9JDP6a.js → admin-qW6jM6l0.js} +1 -1
  69. package/payload/server/public/assets/admin-types-DJoj6VJv.js +1 -0
  70. package/payload/server/public/assets/{browser-Cyi6v8BS.js → browser-BsW6KaxZ.js} +1 -1
  71. package/payload/server/public/assets/calendar-BPAiN1cL.js +1 -0
  72. package/payload/server/public/assets/chat-DVD9yoVL.js +1 -0
  73. package/payload/server/public/assets/{data-CrJZjlQ1.js → data-D_cR_NCZ.js} +1 -1
  74. package/payload/server/public/assets/{graph-CutaO0w1.js → graph-CmpAy2WP.js} +1 -1
  75. package/payload/server/public/assets/{graph-labels-CH0sWvcA.js → graph-labels-C0SLq_VP.js} +1 -1
  76. package/payload/server/public/assets/{operator-CqKk6Twn.js → operator-CrjtJcEY.js} +1 -1
  77. package/payload/server/public/assets/page-Cf3fVDSo.js +32 -0
  78. package/payload/server/public/assets/{public-D5lkOp3H.js → public-BkNtvSYp.js} +1 -1
  79. package/payload/server/public/browser.html +4 -4
  80. package/payload/server/public/calendar.html +4 -4
  81. package/payload/server/public/chat.html +6 -6
  82. package/payload/server/public/data.html +4 -4
  83. package/payload/server/public/graph.html +6 -6
  84. package/payload/server/public/index.html +7 -7
  85. package/payload/server/public/operator.html +8 -8
  86. package/payload/server/public/public.html +6 -6
  87. package/payload/server/server.js +153 -83
  88. package/payload/server/public/assets/OperatorConversations-C8G6Gfgu.css +0 -1
  89. package/payload/server/public/assets/admin-types-Dg11L4MQ.js +0 -1
  90. package/payload/server/public/assets/calendar-CA3_Dm8j.js +0 -1
  91. package/payload/server/public/assets/chat-C4hHkcTu.js +0 -1
  92. package/payload/server/public/assets/page-Bfm1FN4n.js +0 -30
@@ -1,13 +1,29 @@
1
1
  // Public booking page (calendar-site skill). Dependency-free.
2
2
  // 1. Fetch open slots from the brand tunnel free/busy endpoint.
3
- // 2. Let the visitor pick one, then collect name/email/note.
3
+ // 2. Page the horizon five days at a time, let the visitor pick a slot
4
+ // (and, when the operator allows it, extend to back-to-back slots).
4
5
  // 3. POST the booking to the same-origin Pages Function (/api/book → D1).
5
6
  (function () {
6
7
  'use strict'
7
8
 
8
- var DAYS_AHEAD = 14
9
- var apiBaseMeta = document.querySelector('meta[name="api-base"]')
10
- var apiBase = (apiBaseMeta && apiBaseMeta.getAttribute('content')) || ''
9
+ var WINDOW_DAYS = 5
10
+
11
+ function metaContent(name) {
12
+ var el = document.querySelector('meta[name="' + name + '"]')
13
+ return el ? el.getAttribute('content') : null
14
+ }
15
+
16
+ // Operator-set booking horizon. The skill rewrites the meta at assemble time;
17
+ // fall back to 14 only when it is absent or left unsubstituted, so pages
18
+ // assembled before this change behave exactly as they did.
19
+ var parsedDaysAhead = parseInt(metaContent('days-ahead'), 10)
20
+ var daysAhead = isFinite(parsedDaysAhead) && parsedDaysAhead > 0 ? parsedDaysAhead : 14
21
+
22
+ // Operator choice: may a visitor combine consecutive open slots into one
23
+ // longer booking? Anything other than the literal "true" is off.
24
+ var allowMultiSlot = metaContent('allow-multi-slot') === 'true'
25
+
26
+ var apiBase = metaContent('api-base') || ''
11
27
 
12
28
  var statusEl = document.getElementById('bk-status')
13
29
  var slotsEl = document.getElementById('bk-slots')
@@ -18,7 +34,12 @@
18
34
  var durationEl = document.getElementById('bk-duration')
19
35
  var backBtn = document.getElementById('bk-back')
20
36
 
21
- var chosenSlot = null
37
+ // The slots that share the chosen block's day, the index of the first slot
38
+ // in that block, and how many back-to-back slots it spans. count stays 1
39
+ // unless the operator enabled multi-slot bookings.
40
+ var block = null
41
+ // Extend/shorten controls, built lazily once and reused.
42
+ var multiControls = null
22
43
 
23
44
  function setStatus(msg) {
24
45
  statusEl.textContent = msg || ''
@@ -27,9 +48,57 @@
27
48
  function fmtDayHeading(d) {
28
49
  return d.toLocaleDateString([], { weekday: 'long', month: 'long', day: 'numeric' })
29
50
  }
51
+ function fmtShortDay(d) {
52
+ return d.toLocaleDateString([], { month: 'short', day: 'numeric' })
53
+ }
30
54
  function fmtTime(d) {
31
55
  return d.toLocaleTimeString([], { hour: 'numeric', minute: '2-digit' })
32
56
  }
57
+ function dayKey(d) {
58
+ return d.toDateString()
59
+ }
60
+ function startOfLocalDay(d) {
61
+ var x = new Date(d)
62
+ x.setHours(0, 0, 0, 0)
63
+ return x
64
+ }
65
+ function clear(el) {
66
+ while (el.firstChild) el.removeChild(el.firstChild)
67
+ }
68
+
69
+ // ---- horizon state, set once per free/busy load -------------------------
70
+ var allDays = [] // local-midnight Date per calendar day in the horizon
71
+ var slotsByDay = {} // dayKey -> ordered slot array
72
+ var windowStart = 0 // index into allDays, advances in WINDOW_DAYS steps
73
+
74
+ // The first and last slot of the chosen block — the single source of the
75
+ // block's index arithmetic, shared by the formatters and the submit payload.
76
+ function firstSlot() {
77
+ return block.daySlots[block.startIdx]
78
+ }
79
+ function lastSlot() {
80
+ return block.daySlots[block.startIdx + block.count - 1]
81
+ }
82
+ function blockStart() {
83
+ return new Date(firstSlot().start)
84
+ }
85
+ function blockEnd() {
86
+ return new Date(lastSlot().end)
87
+ }
88
+ // The slot immediately after the current block, if it is open and back-to-back.
89
+ function nextContiguousSlot() {
90
+ var next = block.daySlots[block.startIdx + block.count]
91
+ if (!next) return null
92
+ return next.start === lastSlot().end ? next : null
93
+ }
94
+
95
+ function fmtChosen() {
96
+ var start = blockStart()
97
+ if (block.count === 1) {
98
+ return fmtDayHeading(start) + ' at ' + fmtTime(start)
99
+ }
100
+ return fmtDayHeading(start) + ', ' + fmtTime(start) + ' – ' + fmtTime(blockEnd())
101
+ }
33
102
 
34
103
  function renderSlots(data) {
35
104
  var slots = (data && data.slots) || []
@@ -37,69 +106,184 @@
37
106
  durationEl.textContent = data.durationMins + ' minute meeting'
38
107
  }
39
108
  if (slots.length === 0) {
40
- setStatus('No open times in the next two weeks. Please check back later.')
109
+ setStatus('No open times in the next ' + daysAhead + ' day' + (daysAhead === 1 ? '' : 's') + '. Please check back later.')
41
110
  return
42
111
  }
43
112
  setStatus('')
44
113
 
45
- var byDay = {}
46
- var order = []
114
+ // The full calendar-day list for the horizon, today first. setDate keeps
115
+ // local midnight across DST, unlike adding fixed millisecond spans.
116
+ var today = startOfLocalDay(new Date())
117
+ allDays = []
118
+ for (var i = 0; i < daysAhead; i++) {
119
+ var d = new Date(today)
120
+ d.setDate(today.getDate() + i)
121
+ allDays.push(d)
122
+ }
123
+
124
+ slotsByDay = {}
47
125
  slots.forEach(function (s) {
48
- var start = new Date(s.start)
49
- var key = start.toDateString()
50
- if (!byDay[key]) {
51
- byDay[key] = []
52
- order.push(key)
53
- }
54
- byDay[key].push(s)
126
+ var k = dayKey(new Date(s.start))
127
+ if (!slotsByDay[k]) slotsByDay[k] = []
128
+ slotsByDay[k].push(s)
129
+ })
130
+ Object.keys(slotsByDay).forEach(function (k) {
131
+ slotsByDay[k].sort(function (a, b) {
132
+ return new Date(a.start) - new Date(b.start)
133
+ })
55
134
  })
56
135
 
57
- order.forEach(function (key) {
58
- var group = document.createElement('div')
59
- group.className = 'bk-day'
60
- var h = document.createElement('h2')
61
- h.className = 'bk-day-title'
62
- h.textContent = fmtDayHeading(new Date(key))
63
- group.appendChild(h)
64
-
65
- var row = document.createElement('div')
66
- row.className = 'bk-day-slots'
67
- byDay[key].forEach(function (s) {
68
- var btn = document.createElement('button')
69
- btn.type = 'button'
70
- btn.className = 'bk-slot'
71
- btn.textContent = fmtTime(new Date(s.start))
72
- btn.addEventListener('click', function () {
73
- chooseSlot(s)
74
- })
75
- row.appendChild(btn)
136
+ windowStart = 0
137
+ console.log('[booking] daysAhead=' + daysAhead + ' allowMultiSlot=' + allowMultiSlot + ' windowStart=' + windowStart)
138
+ renderWindow()
139
+ }
140
+
141
+ function renderWindow() {
142
+ clear(slotsEl)
143
+
144
+ var nav = document.createElement('div')
145
+ nav.className = 'bk-nav'
146
+
147
+ var back = document.createElement('button')
148
+ back.type = 'button'
149
+ back.className = 'bk-arrow'
150
+ back.setAttribute('aria-label', 'Previous days')
151
+ back.textContent = ''
152
+ back.disabled = windowStart === 0
153
+ back.addEventListener('click', function () {
154
+ windowStart = Math.max(0, windowStart - WINDOW_DAYS)
155
+ console.log('[booking] windowStart=' + windowStart)
156
+ renderWindow()
157
+ })
158
+
159
+ var label = document.createElement('span')
160
+ label.className = 'bk-nav-label'
161
+ var lastIdx = Math.min(windowStart + WINDOW_DAYS, allDays.length) - 1
162
+ label.textContent = fmtShortDay(allDays[windowStart]) + ' – ' + fmtShortDay(allDays[lastIdx])
163
+
164
+ var fwd = document.createElement('button')
165
+ fwd.type = 'button'
166
+ fwd.className = 'bk-arrow'
167
+ fwd.setAttribute('aria-label', 'Next days')
168
+ fwd.textContent = '›'
169
+ fwd.disabled = windowStart + WINDOW_DAYS >= allDays.length
170
+ fwd.addEventListener('click', function () {
171
+ // Reachable only when not disabled, so a full step always has room.
172
+ windowStart += WINDOW_DAYS
173
+ console.log('[booking] windowStart=' + windowStart)
174
+ renderWindow()
175
+ })
176
+
177
+ nav.appendChild(back)
178
+ nav.appendChild(label)
179
+ nav.appendChild(fwd)
180
+ slotsEl.appendChild(nav)
181
+
182
+ for (var i = windowStart; i < windowStart + WINDOW_DAYS && i < allDays.length; i++) {
183
+ slotsEl.appendChild(renderDayGroup(allDays[i]))
184
+ }
185
+ }
186
+
187
+ // One day's heading plus its slot buttons (or the empty note). Kept as its own
188
+ // function so each slot button closes over that day's own slot array — a shared
189
+ // loop-scoped var would leave every handler pointing at the last day rendered.
190
+ function renderDayGroup(day) {
191
+ var group = document.createElement('div')
192
+ group.className = 'bk-day'
193
+
194
+ var h = document.createElement('h2')
195
+ h.className = 'bk-day-title'
196
+ h.textContent = fmtDayHeading(day)
197
+ group.appendChild(h)
198
+
199
+ var daySlots = slotsByDay[dayKey(day)]
200
+ if (!daySlots || daySlots.length === 0) {
201
+ var note = document.createElement('p')
202
+ note.className = 'bk-day-empty'
203
+ note.textContent = 'No availability'
204
+ group.appendChild(note)
205
+ return group
206
+ }
207
+
208
+ var row = document.createElement('div')
209
+ row.className = 'bk-day-slots'
210
+ daySlots.forEach(function (s, idx) {
211
+ var btn = document.createElement('button')
212
+ btn.type = 'button'
213
+ btn.className = 'bk-slot'
214
+ btn.textContent = fmtTime(new Date(s.start))
215
+ btn.addEventListener('click', function () {
216
+ chooseSlot(daySlots, idx)
76
217
  })
77
- group.appendChild(row)
78
- slotsEl.appendChild(group)
218
+ row.appendChild(btn)
219
+ })
220
+ group.appendChild(row)
221
+ return group
222
+ }
223
+
224
+ function ensureMultiControls() {
225
+ if (multiControls) return multiControls
226
+ multiControls = document.createElement('div')
227
+ multiControls.className = 'bk-extend'
228
+
229
+ var shorten = document.createElement('button')
230
+ shorten.type = 'button'
231
+ shorten.className = 'bk-extend-btn'
232
+ shorten.id = 'bk-shorten'
233
+ shorten.textContent = '− Shorten'
234
+ shorten.addEventListener('click', function () {
235
+ if (block.count > 1) {
236
+ block.count--
237
+ refreshChosen()
238
+ }
79
239
  })
240
+
241
+ var extend = document.createElement('button')
242
+ extend.type = 'button'
243
+ extend.className = 'bk-extend-btn'
244
+ extend.id = 'bk-extend'
245
+ extend.textContent = '+ Add next slot'
246
+ extend.addEventListener('click', function () {
247
+ if (nextContiguousSlot()) {
248
+ block.count++
249
+ refreshChosen()
250
+ }
251
+ })
252
+
253
+ multiControls.appendChild(shorten)
254
+ multiControls.appendChild(extend)
255
+ chosenEl.insertAdjacentElement('afterend', multiControls)
256
+ return multiControls
257
+ }
258
+
259
+ function refreshChosen() {
260
+ chosenEl.textContent = fmtChosen()
261
+ if (!allowMultiSlot) return
262
+ ensureMultiControls()
263
+ document.getElementById('bk-shorten').disabled = block.count <= 1
264
+ document.getElementById('bk-extend').disabled = !nextContiguousSlot()
80
265
  }
81
266
 
82
- function chooseSlot(slot) {
83
- chosenSlot = slot
84
- var start = new Date(slot.start)
85
- chosenEl.textContent = fmtDayHeading(start) + ' at ' + fmtTime(start)
267
+ function chooseSlot(daySlots, idx) {
268
+ block = { daySlots: daySlots, startIdx: idx, count: 1 }
269
+ refreshChosen()
86
270
  slotsEl.hidden = true
87
271
  formEl.hidden = false
88
272
  }
89
273
 
90
274
  backBtn.addEventListener('click', function () {
91
- chosenSlot = null
275
+ block = null
92
276
  formEl.hidden = true
93
277
  slotsEl.hidden = false
94
278
  })
95
279
 
96
280
  formEl.addEventListener('submit', function (e) {
97
281
  e.preventDefault()
98
- if (!chosenSlot) return
282
+ if (!block) return
99
283
  var fd = new FormData(formEl)
100
284
  var payload = {
101
- slotStart: chosenSlot.start,
102
- slotEnd: chosenSlot.end,
285
+ slotStart: firstSlot().start,
286
+ slotEnd: lastSlot().end,
103
287
  name: fd.get('name'),
104
288
  email: fd.get('email'),
105
289
  note: fd.get('note'),
@@ -125,8 +309,7 @@
125
309
  }
126
310
  formEl.hidden = true
127
311
  doneEl.hidden = false
128
- var start = new Date(chosenSlot.start)
129
- doneMsg.textContent = 'Confirmed for ' + fmtDayHeading(start) + ' at ' + fmtTime(start) + '. A confirmation will follow by email.'
312
+ doneMsg.textContent = 'Confirmed for ' + fmtChosen() + '. A confirmation will follow by email.'
130
313
  })
131
314
  .catch(function (err) {
132
315
  submitBtn.disabled = false
@@ -137,8 +320,14 @@
137
320
 
138
321
  function load() {
139
322
  setStatus('Loading available times…')
323
+ // Fetch exactly the horizon the page renders: from now through the end of
324
+ // the last calendar day in [today, today + daysAhead). Bounding `to` to a
325
+ // local-midnight day edge (not now + daysAhead*24h) keeps the fetched range
326
+ // and the rendered `allDays` window in the same local frame, so no slot is
327
+ // returned for a day the window cannot show.
140
328
  var from = new Date()
141
- var to = new Date(from.getTime() + DAYS_AHEAD * 24 * 60 * 60 * 1000)
329
+ var to = startOfLocalDay(from)
330
+ to.setDate(to.getDate() + daysAhead)
142
331
  var url = apiBase + '/api/calendar/free-busy?from=' + encodeURIComponent(from.toISOString()) + '&to=' + encodeURIComponent(to.toISOString())
143
332
  fetch(url)
144
333
  .then(function (res) {
@@ -6,6 +6,12 @@
6
6
  <!-- The calendar-site skill rewrites the content of this tag to the brand
7
7
  tunnel origin that serves /api/calendar/free-busy. -->
8
8
  <meta name="api-base" content="__API_BASE__" />
9
+ <!-- Operator-set booking horizon (positive integer days). The skill rewrites
10
+ the content; booking.js falls back to 14 when it is left unsubstituted. -->
11
+ <meta name="days-ahead" content="__DAYS_AHEAD__" />
12
+ <!-- Operator choice: may a visitor combine consecutive open slots into one
13
+ longer booking? "true" or "false"; booking.js falls back to false. -->
14
+ <meta name="allow-multi-slot" content="__ALLOW_MULTI_SLOT__" />
9
15
  <title>Book a time</title>
10
16
  <link rel="stylesheet" href="/booking.css" />
11
17
  </head>
@@ -0,0 +1,21 @@
1
+ {
2
+ "name": "connector",
3
+ "description": "Generic credentialed connector — register a named REST API with a static credential, then make host-bound authenticated requests to it. Admin-driven.",
4
+ "version": "0.1.0",
5
+ "author": {
6
+ "name": "Rubytech LLC"
7
+ },
8
+ "mcpServers": {
9
+ "connector": {
10
+ "type": "stdio",
11
+ "command": "node",
12
+ "args": [
13
+ "${CLAUDE_PLUGIN_ROOT}/lib/mcp-spawn-tee/index.js",
14
+ "${CLAUDE_PLUGIN_ROOT}/mcp/dist/index.js"
15
+ ],
16
+ "env": {
17
+ "MCP_SPAWN_TEE_NAME": "connector"
18
+ }
19
+ }
20
+ }
21
+ }
@@ -0,0 +1,55 @@
1
+ ---
2
+ name: connector
3
+ description: "Generic credentialed connector — register a named REST API with a static credential, then make host-bound authenticated requests to it. Admin-driven."
4
+ tools:
5
+ - name: connector-register
6
+ publicAllowlist: false
7
+ adminAllowlist: true
8
+ - name: connector-call
9
+ publicAllowlist: false
10
+ adminAllowlist: true
11
+ - name: connector-list
12
+ publicAllowlist: false
13
+ adminAllowlist: true
14
+ - name: connector-deregister
15
+ publicAllowlist: false
16
+ adminAllowlist: true
17
+ metadata: {"platform":{"optional":true,"pluginKey":"connector"}}
18
+ mcp:
19
+ command: node
20
+ args:
21
+ - ${PLATFORM_ROOT}/lib/mcp-spawn-tee/dist/index.js
22
+ - ${PLATFORM_ROOT}/plugins/connector/mcp/dist/index.js
23
+ env:
24
+ MCP_SPAWN_TEE_NAME: connector
25
+ LOG_DIR: ${LOG_DIR}
26
+ PLATFORM_ROOT: ${PLATFORM_ROOT}
27
+ ACCOUNT_ID: ${ACCOUNT_ID}
28
+ SESSION_ID: ${SESSION_ID}
29
+ mcp-manifest: auto
30
+ ---
31
+
32
+ # Connector
33
+
34
+ A generic, credentialed bridge to any third-party REST API. Register an API once by name with its base URL and a static credential; the agent can then make authenticated requests to it without a bespoke plugin per integration. This is the capability that lets self-serve agent and skill authoring reach the long tail of niche APIs.
35
+
36
+ The credential is stored in the account's secrets file and is never returned by a tool or written to a log. Every request is confined to the registered API's host: a request aimed at any other host, at a private or loopback address, or a redirect that leaves the host, is refused.
37
+
38
+ ## Capabilities
39
+
40
+ - **connector-register** — store a named API's base URL and a static credential. The credential scheme is one of bearer, api-key-header (a named header), or basic. Returns the non-secret record only.
41
+ - **connector-call** — make a request (GET or a mutating method) to a registered connector. The credential is injected from the secret store; the request is host-bound and SSRF-guarded. Returns the status, redacted response headers, and the (size-capped) body.
42
+ - **connector-list** — the registered connectors for this account: names and base URLs only.
43
+ - **connector-deregister** — remove a connector and its stored credential.
44
+
45
+ ## Who can use it
46
+
47
+ These tools are admin-driven. The operator's admin agent registers connectors and makes calls; the tools are not granted to any specialist agent, given their reach (arbitrary authenticated outbound requests and a credential store). A vertical agent that needs an external API is served by the admin acting on its behalf.
48
+
49
+ ## Credentials and isolation
50
+
51
+ Credentials live only in this account's secrets directory (mode 0600), inside the brand-isolated install — the same store the other credentialed connectors use. Each connector is keyed by name and scoped to the account. A standing audit periodically confirms no stored credential has reached a log and that every registered connector still has its credential.
52
+
53
+ ## Scope
54
+
55
+ Static credentials only — OAuth client-credentials and refresh-token flows are a separate capability. HTTP(S) REST only; no GraphQL or SOAP transport. The business logic an operator layers on top of a connected API is authored as a skill, not part of this transport.
@@ -0,0 +1,193 @@
1
+ #!/usr/bin/env node
2
+ "use strict";
3
+ /**
4
+ * MCP spawn-tee — in-process stderr capture + lifecycle observability.
5
+ *
6
+ * Claude Code spawns each MCP server itself; the platform never holds a
7
+ * ChildProcess handle. This shim sits between Claude Code and the real MCP
8
+ * server: Claude Code runs `node <this> <real-entry>`, and the shim runs the
9
+ * real entry IN ITS OWN PROCESS via dynamic import() — one node runtime, not
10
+ * two. Before importing, it replaces process.stderr.write with a tee so every
11
+ * stderr byte the server writes is mirrored to the log sinks; stdin and stdout
12
+ * (the JSON-RPC channel) are never touched.
13
+ *
14
+ * Claude Code CLI → shim (this file) = node running <real-entry> in-process
15
+ * stdin/stdout : untouched (JSON-RPC channel)
16
+ * stderr : process.stderr.write teed → per-date + per-session + passthrough
17
+ *
18
+ * Destinations (Task 706) — unchanged:
19
+ * - `${LOG_DIR}/mcp-<name>-stderr-<date>.log` — per-date raw (back-compat;
20
+ * the in-process mcp-stderr-tee and the [mcp-init-error] probe read it).
21
+ * - `${LOG_DIR}/mcp-<name>-<SESSION_ID>.log` — per-session raw + lifecycle
22
+ * lines. Authoritative sink. Absent when SESSION_ID is unset (enumeration
23
+ * spawn) — then the per-date file is the fallback.
24
+ * - `server.log` via the loopback log-ingest route — best-effort mirror of
25
+ * the [mcp-helper] lifecycle lines.
26
+ *
27
+ * Lifecycle lines, correlation key `session=<id8> server=<name>` — unchanged:
28
+ * [mcp-helper] op=spawn ... pid= entry=
29
+ * [mcp-helper] op=boot ... head=<first stderr bytes>
30
+ * [mcp-helper] op=exit ... code= signal= lifetimeMs= stderr-tail=
31
+ *
32
+ * Process model (Task 989): the shim IS the server's process. op=exit fires
33
+ * from process.on("exit"), so it covers a normal exit, a non-zero exit, an
34
+ * uncaught throw (code 1), and a catchable-signal exit (SIGTERM/SIGINT/SIGHUP,
35
+ * whose handlers record the signal name). An external SIGKILL is uncatchable
36
+ * and leaves no op=exit line — the per-session stderr tail already on disk and
37
+ * Claude Code's own transport-drop are the evidence for that death mode.
38
+ *
39
+ * The shim never writes to fd 1 (stdout) — that is the JSON-RPC channel.
40
+ */
41
+ Object.defineProperty(exports, "__esModule", { value: true });
42
+ const node_fs_1 = require("node:fs");
43
+ const node_path_1 = require("node:path");
44
+ const node_url_1 = require("node:url");
45
+ const SERVER_NAME = process.env.MCP_SPAWN_TEE_NAME ?? "unknown";
46
+ const LOG_DIR = process.env.LOG_DIR;
47
+ const SESSION_ID = process.env.SESSION_ID;
48
+ const PLATFORM_PORT = process.env.PLATFORM_PORT;
49
+ const ENTRY = process.argv[2];
50
+ const SESSION_ID8 = SESSION_ID ? SESSION_ID.slice(0, 8) : "—";
51
+ const spawnStamp = Date.now();
52
+ // Per-session raw + lifecycle log (Task 706). Empty SESSION_ID (enumeration
53
+ // spawn) → undefined, and the per-date file is the fallback.
54
+ const perSessionPath = LOG_DIR && SESSION_ID
55
+ ? (0, node_path_1.resolve)(LOG_DIR, `mcp-${SERVER_NAME}-${SESSION_ID}.log`)
56
+ : undefined;
57
+ const perDatePath = LOG_DIR
58
+ ? (0, node_path_1.resolve)(LOG_DIR, `mcp-${SERVER_NAME}-stderr-${new Date(spawnStamp).toISOString().slice(0, 10)}.log`)
59
+ : undefined;
60
+ // Rolling tail of entry stderr for op=exit. Capped so a chatty server cannot
61
+ // grow the buffer without bound.
62
+ const TAIL_CAP = 2048;
63
+ let stderrTail = "";
64
+ let bootEmitted = false;
65
+ let exitEmitted = false;
66
+ let exitSignal;
67
+ // The real stderr writer, captured before the tee replaces it. Lifecycle lines
68
+ // and stderr passthrough both go through this so they are never re-teed into
69
+ // the per-date sink nor recursed back into the patched writer.
70
+ const rawStderrWrite = process.stderr.write.bind(process.stderr);
71
+ // LOG_DIR is created once, lazily, on the first successful append — not per
72
+ // chunk. teeWrite runs on the server's own stderr hot path now, so a per-call
73
+ // mkdirSync would be two syscalls per log line for nothing.
74
+ let logDirReady = false;
75
+ function appendSafe(path, data) {
76
+ if (!path || !LOG_DIR)
77
+ return;
78
+ try {
79
+ if (!logDirReady) {
80
+ (0, node_fs_1.mkdirSync)(LOG_DIR, { recursive: true });
81
+ logDirReady = true;
82
+ }
83
+ (0, node_fs_1.appendFileSync)(path, data);
84
+ }
85
+ catch {
86
+ /* unwritable destination — never mask primary output */
87
+ }
88
+ }
89
+ // Best-effort mirror of a lifecycle line to server.log via the loopback
90
+ // log-ingest route. Fire-and-forget: the per-session file is authoritative, so
91
+ // a dropped POST loses nothing. On the "exit" event the loop is stopping, so
92
+ // the op=exit mirror may not flush — the per-session line, written sync, holds.
93
+ function postToServerLog(suffix, level) {
94
+ if (!PLATFORM_PORT)
95
+ return;
96
+ try {
97
+ const ctrl = new AbortController();
98
+ const t = setTimeout(() => ctrl.abort(), 500);
99
+ t.unref?.(); // never let the abort timer keep the shim's event loop alive
100
+ void fetch(`http://127.0.0.1:${PLATFORM_PORT}/api/admin/log-ingest`, {
101
+ method: "POST",
102
+ headers: { "content-type": "application/json" },
103
+ body: JSON.stringify({ tag: "mcp-helper", level, line: suffix }),
104
+ signal: ctrl.signal,
105
+ }).then(() => clearTimeout(t)).catch(() => clearTimeout(t));
106
+ }
107
+ catch {
108
+ /* fetch threw synchronously — best-effort only */
109
+ }
110
+ }
111
+ // Emit one [mcp-helper] lifecycle line: authoritative per-session file (sync,
112
+ // survives process.exit), the shim's own stderr via the RAW writer (journald /
113
+ // Claude Code visibility, never re-teed), and a best-effort server.log mirror.
114
+ // `suffix` is the line body after the tag and carries no newline (the
115
+ // log-ingest route rejects newlines).
116
+ function emitLifecycle(suffix, level) {
117
+ const line = `[mcp-helper] ${suffix}\n`;
118
+ appendSafe(perSessionPath, line);
119
+ try {
120
+ rawStderrWrite(line);
121
+ }
122
+ catch { /* stderr closed */ }
123
+ postToServerLog(suffix, level);
124
+ }
125
+ if (!ENTRY) {
126
+ emitLifecycle(`op=error session=${SESSION_ID8} server=${SERVER_NAME} reason="no entry given (argv[2] missing)"`, "error");
127
+ process.exit(2);
128
+ }
129
+ // Replace process.stderr.write with a tee: mirror every server stderr byte to
130
+ // the per-date and per-session sinks, keep a rolling tail for op=exit, emit
131
+ // op=boot on the first bytes, then pass the write through to the real stderr.
132
+ const teeWrite = ((...args) => {
133
+ const chunk = args[0];
134
+ appendSafe(perDatePath, chunk); // per-date raw (back-compat)
135
+ appendSafe(perSessionPath, chunk); // per-session raw (Task 706)
136
+ const text = typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
137
+ stderrTail = (stderrTail + text).slice(-TAIL_CAP);
138
+ if (!bootEmitted) {
139
+ bootEmitted = true;
140
+ const head = text.split("\n")[0].slice(0, 200);
141
+ emitLifecycle(`op=boot session=${SESSION_ID8} server=${SERVER_NAME} head=${JSON.stringify(head)}`, "info");
142
+ }
143
+ return rawStderrWrite(...args); // passthrough
144
+ });
145
+ process.stderr.write = teeWrite;
146
+ // Catchable-signal handling. The shim drives the exit ONLY when it is the sole
147
+ // listener for the signal — i.e. the imported entry installed no handler of its
148
+ // own. In that case it records the signal (so op=exit carries signal=<sig>) and
149
+ // exits with 128+signum, mirroring the prior wrapper's exit-status convention.
150
+ //
151
+ // When the entry DID install a handler, the shim defers entirely and records
152
+ // nothing: the entry's handler decides the exit code, and op=exit reflects that
153
+ // exit verbatim. This matches the prior two-process model, where a child that
154
+ // caught the signal and exited cleanly was observed as code=0 signal=— (a clean
155
+ // self-exit), not as a signal death. Setting exitSignal here unconditionally
156
+ // would mislabel every graceful signal-driven shutdown as a signal kill.
157
+ function onSignal(sig, code) {
158
+ return () => {
159
+ if (process.listenerCount(sig) === 1) {
160
+ exitSignal = sig;
161
+ process.exit(code);
162
+ }
163
+ };
164
+ }
165
+ process.on("SIGTERM", onSignal("SIGTERM", 143));
166
+ process.on("SIGINT", onSignal("SIGINT", 130));
167
+ process.on("SIGHUP", onSignal("SIGHUP", 129));
168
+ // op=exit, emitted once from the process "exit" event. Sync-only — the loop is
169
+ // stopping. When a catchable signal caused the exit, report code=— signal=<sig>
170
+ // to match the prior wrapper's format; otherwise code=<exit code> signal=—.
171
+ process.on("exit", (code) => {
172
+ if (exitEmitted)
173
+ return;
174
+ exitEmitted = true;
175
+ const lifetimeMs = Date.now() - spawnStamp;
176
+ const tail = stderrTail.slice(-200);
177
+ const codeField = exitSignal ? "—" : String(code);
178
+ const level = exitSignal || code !== 0 ? "error" : "info";
179
+ emitLifecycle(`op=exit session=${SESSION_ID8} server=${SERVER_NAME} pid=${process.pid} ` +
180
+ `code=${codeField} signal=${exitSignal ?? "—"} lifetimeMs=${lifetimeMs} stderr-tail=${JSON.stringify(tail)}`, level);
181
+ });
182
+ emitLifecycle(`op=spawn session=${SESSION_ID8} server=${SERVER_NAME} pid=${process.pid} entry=${ENTRY}`, "info");
183
+ // Run the real MCP server in THIS process. Dynamic import() (not top-level
184
+ // await — this file compiles to CommonJS) loads the ESM entry; a load-time
185
+ // failure mirrors the old child spawn-error path (op=error, exit 127). The
186
+ // op=exit handler is suppressed on this path so op=error stays the sole record.
187
+ import((0, node_url_1.pathToFileURL)(ENTRY).href).catch((err) => {
188
+ const msg = err instanceof Error ? err.message : String(err);
189
+ exitEmitted = true;
190
+ emitLifecycle(`op=error session=${SESSION_ID8} server=${SERVER_NAME} reason=${JSON.stringify(`import error: ${msg}`)}`, "error");
191
+ process.exit(127);
192
+ });
193
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1,3 @@
1
+ {
2
+ "type": "commonjs"
3
+ }
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}