npm - @samanhappy/mcphub - Versions diffs - 1.0.5 → 1.0.6 - Mend

@samanhappy/mcphub 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/dist/services/hostedInternalAuth.js ADDED Viewed

@@ -0,0 +1,108 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+const SIGNATURE_HEADER = 'x-internal-signature';
+const TIMESTAMP_HEADER = 'x-internal-timestamp';
+const REPLAY_WINDOW_MS = 5 * 60 * 1000;
+const REDACTED_SIGNATURE_VALUE = '[REDACTED]';
+const REDACTED_SIGNATURE_FIELDS = new Set(['apiKey', 'apiKeyId']);
+export { SIGNATURE_HEADER, TIMESTAMP_HEADER, REPLAY_WINDOW_MS, REDACTED_SIGNATURE_VALUE };
+function isPlainObject(value) {
+    return Object.prototype.toString.call(value) === '[object Object]';
+}
+function normalizeSignatureObject(value) {
+    const normalized = {};
+    for (const key of Object.keys(value).sort((left, right) => left.localeCompare(right))) {
+        if (REDACTED_SIGNATURE_FIELDS.has(key)) {
+            // Sensitive credential values must never be read during signature canonicalization.
+            normalized[key] = REDACTED_SIGNATURE_VALUE;
+            continue;
+        }
+        normalized[key] = normalizeSignatureBody(value[key]);
+    }
+    return normalized;
+}
+function normalizeSignatureBody(value) {
+    if (Buffer.isBuffer(value)) {
+        return normalizeSignatureBody(value.toString('utf8'));
+    }
+    if (typeof value === 'string') {
+        if (!value)
+            return '';
+        try {
+            return normalizeSignatureBody(JSON.parse(value));
+        }
+        catch {
+            return value;
+        }
+    }
+    if (Array.isArray(value)) {
+        return value.map((item) => normalizeSignatureBody(item));
+    }
+    if (isPlainObject(value)) {
+        return normalizeSignatureObject(value);
+    }
+    return value;
+}
+export function serializeInternalRequestBodyForSignature(body) {
+    if (body === undefined || body === null || body === '') {
+        return '';
+    }
+    return JSON.stringify(normalizeSignatureBody(body));
+}
+function getSecret() {
+    const secret = process.env.INTERNAL_API_SECRET;
+    if (!secret || secret.length < 32) {
+        throw new Error('INTERNAL_API_SECRET is not configured or is shorter than 32 chars');
+    }
+    return secret;
+}
+function payload(timestamp, method, path, body) {
+    return `${timestamp}.${method.toUpperCase()}.${path}.${body}`;
+}
+export function signInternalRequest(method, path, body) {
+    const timestamp = Date.now().toString();
+    const serializedBody = serializeInternalRequestBodyForSignature(body);
+    const signature = createHmac('sha256', getSecret())
+        .update(payload(timestamp, method, path, serializedBody))
+        .digest('hex');
+    return { timestamp, signature: `sha256=${signature}` };
+}
+export function verifyInternalSignature(opts) {
+    if (!opts.timestamp || !opts.signature) {
+        return { ok: false, reason: 'missing_signature_headers' };
+    }
+    const ts = Number(opts.timestamp);
+    if (!Number.isFinite(ts)) {
+        return { ok: false, reason: 'bad_timestamp' };
+    }
+    if (Math.abs(Date.now() - ts) > REPLAY_WINDOW_MS) {
+        return { ok: false, reason: 'stale_timestamp' };
+    }
+    let secret;
+    try {
+        secret = getSecret();
+    }
+    catch {
+        return { ok: false, reason: 'secret_not_configured' };
+    }
+    const expected = 'sha256=' +
+        createHmac('sha256', secret)
+            .update(payload(opts.timestamp, opts.method, opts.path, serializeInternalRequestBodyForSignature(opts.body)))
+            .digest('hex');
+    const actualBuffer = Buffer.from(opts.signature);
+    const expectedBuffer = Buffer.from(expected);
+    if (actualBuffer.length !== expectedBuffer.length ||
+        !timingSafeEqual(actualBuffer, expectedBuffer)) {
+        return { ok: false, reason: 'bad_signature' };
+    }
+    return { ok: true };
+}
+export function verifyInternalExpressRequest(req, body) {
+    return verifyInternalSignature({
+        method: req.method,
+        path: req.path,
+        body,
+        timestamp: req.header(TIMESTAMP_HEADER),
+        signature: req.header(SIGNATURE_HEADER),
+    });
+}
+//# sourceMappingURL=hostedInternalAuth.js.map

package/dist/services/hostedInternalAuth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hostedInternalAuth.js","sourceRoot":"","sources":["../../src/services/hostedInternalAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG1D,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAChD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAChD,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACvC,MAAM,wBAAwB,GAAG,YAAY,CAAC;AAC9C,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAElE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,CAAC;AAE1F,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,iBAAiB,CAAC;AACrE,CAAC;AAED,SAAS,wBAAwB,CAAC,KAA8B;IAC9D,MAAM,UAAU,GAA4B,EAAE,CAAC;IAE/C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACtF,IAAI,yBAAyB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,oFAAoF;YACpF,UAAU,CAAC,GAAG,CAAC,GAAG,wBAAwB,CAAC;YAC3C,SAAS;QACX,CAAC;QAED,UAAU,CAAC,GAAG,CAAC,GAAG,sBAAsB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,sBAAsB,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,IAAI,CAAC;YACH,OAAO,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,wBAAwB,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,wCAAwC,CAAC,IAAc;IACrE,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;QACvD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC/C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB,EAAE,MAAc,EAAE,IAAY,EAAE,IAAY;IAC5E,OAAO,GAAG,SAAS,IAAI,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;AAChE,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,MAAc,EACd,IAAY,EACZ,IAAc;IAEd,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACxC,MAAM,cAAc,GAAG,wCAAwC,CAAC,IAAI,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC;SAChD,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;SACxD,MAAM,CAAC,KAAK,CAAC,CAAC;IACjB,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,SAAS,EAAE,EAAE,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,IAMvC;IACC,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACvC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,gBAAgB,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,QAAQ,GACZ,SAAS;QACT,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;aACzB,MAAM,CACL,OAAO,CACL,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,IAAI,EACT,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,CACpD,CACF;aACA,MAAM,CAAC,KAAK,CAAC,CAAC;IAEnB,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7C,IACE,YAAY,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;QAC7C,CAAC,eAAe,CAAC,YAAY,EAAE,cAAc,CAAC,EAC9C,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,GAAY,EACZ,IAAc;IAEd,OAAO,uBAAuB,CAAC;QAC7B,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI;QACJ,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC;QACvC,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC;KACxC,CAAC,CAAC;AACL,CAAC"}

package/dist/services/hostedMode.js ADDED Viewed

@@ -0,0 +1,4 @@
+export function isHostedModeEnabled() {
+    return process.env.HUB_MODE === 'hosted';
+}
+//# sourceMappingURL=hostedMode.js.map

package/dist/services/hostedMode.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"hostedMode.js","sourceRoot":"","sources":["../../src/services/hostedMode.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,mBAAmB;IACjC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;AAC3C,CAAC"}

package/dist/services/hostedNodeIdentity.js ADDED Viewed

@@ -0,0 +1,8 @@
+import os from 'node:os';
+export function getHostedNodeIdentity() {
+    return {
+        clusterId: process.env.HUB_CLUSTER_ID || undefined,
+        nodeId: process.env.HUB_NODE_ID || os.hostname(),
+    };
+}
+//# sourceMappingURL=hostedNodeIdentity.js.map

package/dist/services/hostedNodeIdentity.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"hostedNodeIdentity.js","sourceRoot":"","sources":["../../src/services/hostedNodeIdentity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AAOzB,MAAM,UAAU,qBAAqB;IACnC,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,SAAS;QAClD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,QAAQ,EAAE;KACjD,CAAC;AACJ,CAAC"}

package/dist/services/hostedRuntimeCatalogNames.js ADDED Viewed

@@ -0,0 +1,7 @@
+export function stripRuntimeToolName(serverSlug, publicToolName, nameSeparator) {
+    const prefix = `${serverSlug}${nameSeparator}`;
+    return publicToolName.startsWith(prefix)
+        ? publicToolName.slice(prefix.length)
+        : publicToolName;
+}
+//# sourceMappingURL=hostedRuntimeCatalogNames.js.map

package/dist/services/hostedRuntimeCatalogNames.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"hostedRuntimeCatalogNames.js","sourceRoot":"","sources":["../../src/services/hostedRuntimeCatalogNames.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,oBAAoB,CAClC,UAAkB,EAClB,cAAsB,EACtB,aAAqB;IAErB,MAAM,MAAM,GAAG,GAAG,UAAU,GAAG,aAAa,EAAE,CAAC;IAC/C,OAAO,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC;QACtC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC;QACrC,CAAC,CAAC,cAAc,CAAC;AACrB,CAAC"}

package/dist/services/hostedRuntimeCatalogService.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { getNameSeparator } from '../config/index.js';
+import { getServersInfo } from './mcpService.js';
+import { getHostedNodeIdentity } from './hostedNodeIdentity.js';
+import { stripRuntimeToolName } from './hostedRuntimeCatalogNames.js';
+export async function getHostedRuntimeCatalog() {
+    const identity = getHostedNodeIdentity();
+    const nameSeparator = getNameSeparator();
+    const servers = await getServersInfo();
+    return {
+        clusterId: identity.clusterId ?? 'default',
+        nodeId: identity.nodeId,
+        nameSeparator,
+        servers: servers.map((server) => ({
+            slug: server.name,
+            status: server.status,
+            enabled: server.enabled !== false,
+            description: server.config?.description ?? '',
+            version: server.version,
+            instructions: server.instructions,
+            error: server.error,
+            tools: server.tools.map((tool) => ({
+                name: stripRuntimeToolName(server.name, tool.name, nameSeparator),
+                publicName: tool.name,
+                description: tool.description ?? '',
+                inputSchema: tool.inputSchema ?? {},
+                enabled: tool.enabled !== false,
+            })),
+        })),
+    };
+}
+//# sourceMappingURL=hostedRuntimeCatalogService.js.map

package/dist/services/hostedRuntimeCatalogService.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hostedRuntimeCatalogService.js","sourceRoot":"","sources":["../../src/services/hostedRuntimeCatalogService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AA4BtE,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAC;IAEvC,OAAO;QACL,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,SAAS;QAC1C,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,aAAa;QACb,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO,KAAK,KAAK;YACjC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,IAAI,EAAE;YAC7C,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBACjC,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC;gBACjE,UAAU,EAAE,IAAI,CAAC,IAAI;gBACrB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;gBACnC,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAO,KAAK,KAAK;aAChC,CAAC,CAAC;SACJ,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC"}

package/dist/services/mcpService.js CHANGED Viewed

@@ -22,6 +22,7 @@ import { initializeAllOAuthClients } from './oauthService.js';
 import { createOAuthProvider } from './mcpOAuthProvider.js';
 import { initSmartRoutingService, getSmartRoutingTools, handleSearchToolsRequest, handleDescribeToolRequest, isSmartRoutingGroup, } from './smartRoutingService.js';
 import { getActivityLoggingService } from './activityLoggingService.js';
+import { assertHostedToolAllowed, filterHostedTools, reserveHostedToolCall, settleHostedToolCall, } from './hostedAuthService.js';
 import { formatErrorForLogging, sanitizeStringForLogging, summarizeErrorForLogging, } from '../utils/serialization.js';
 const servers = {};
 import { setupClientKeepAlive } from './keepAliveService.js';
@@ -797,7 +798,26 @@ export const initializeClientsFromSettings = async (isInit, serverName, options)
                 nextServerInfos.push(serverInfo);
                 try {
                     // Create OpenAPI client instance
-                    openApiClient = new OpenAPIClient(expandedConf);
+                    openApiClient = new OpenAPIClient(expandedConf, {
+                        persistOAuth2Token: async (oauth2) => {
+                            const openapiConfig = {
+                                ...(expandedConf.openapi || {}),
+                                security: {
+                                    ...(expandedConf.openapi?.security || { type: 'oauth2' }),
+                                    type: 'oauth2',
+                                    oauth2: { ...oauth2 },
+                                },
+                            };
+                            expandedConf.openapi = openapiConfig;
+                            serverInfo.config = {
+                                ...expandedConf,
+                                openapi: openapiConfig,
+                            };
+                            await getServerDao().update(name, {
+                                openapi: openapiConfig,
+                            });
+                        },
+                    });
                     console.log(`Initializing OpenAPI server: ${name}...`);
                     // Perform async initialization
                     await openApiClient.initialize();
@@ -847,8 +867,9 @@ export const initializeClientsFromSettings = async (isInit, serverName, options)
             });
             // Get request options from server configuration, with fallbacks
             const serverRequestOptions = expandedConf.options || {};
+            const defaultRequestTimeout = Number(process.env.DEFAULT_REQUEST_TIMEOUT) || 60000;
             const requestOptions = {
-                timeout: serverRequestOptions.timeout || 60000,
+                timeout: serverRequestOptions.timeout || defaultRequestTimeout,
                 resetTimeoutOnProgress: serverRequestOptions.resetTimeoutOnProgress ?? true,
                 maxTotalTimeout: serverRequestOptions.maxTotalTimeout,
             };
@@ -1020,11 +1041,12 @@ export const registerAllTools = async (isInit, serverName, options) => {
 // Get all server information
 export const getServersInfo = async (page, limit, user) => {
     const dataService = getDataService();
-    // Get paginated or all server configurations from DAO
-    // If pagination is used with a non-admin user, filtering is already done at DAO level
+    const isNonAdminUser = Boolean(user && !user.isAdmin);
     const isPaginated = limit !== undefined && page !== undefined;
     const allServers = isPaginated
-        ? (await getServerDao().findAllPaginated(page, limit)).data
+        ? (isNonAdminUser
+            ? await getServerDao().findVisibleToUserPaginated(user.username, page, limit)
+            : await getServerDao().findAllPaginated(page, limit)).data
         : await getServerDao().findAll();
     // Ensure that servers recently added via DAO but not yet initialized in serverInfos
     // are still visible in the servers list. This avoids a race condition where
@@ -1059,15 +1081,16 @@ export const getServersInfo = async (page, limit, user) => {
             });
         }
     }
-    // Apply user filtering only when NOT using pagination (pagination already filtered at DAO level)
-    // Or when no pagination parameters provided (backward compatibility)
+    // Apply user filtering only when NOT using pagination.
+    // Paginated non-admin requests are filtered at DAO level; paginated admin requests
+    // should remain unfiltered as well.
     const shouldApplyUserFilter = !isPaginated;
     const filterServerInfos = shouldApplyUserFilter && dataService.filterData
         ? dataService.filterData(filteredServerInfos, user)
         : filteredServerInfos;
     const infos = filterServerInfos
         .filter((info) => requestedServerNames.has(info.name)) // Only include requested servers
-        .map(({ name, status, tools, prompts, resources, createTime, error, oauth }) => {
+        .map(({ name, version, instructions, owner, visibility, status, tools, prompts, resources, createTime, error, oauth, }) => {
         const serverConfig = allServers.find((server) => server.name === name);
         const enabled = serverConfig ? serverConfig.enabled !== false : true;
         const resolvedType = inferServerType(serverConfig);
@@ -1090,6 +1113,10 @@ export const getServersInfo = async (page, limit, user) => {
         });
         return {
             name,
+            version,
+            instructions,
+            owner,
+            visibility,
             status,
             error,
             tools: toolsWithEnabled,
@@ -1364,6 +1391,22 @@ export const handleCallToolRequest = async (request, extra) => {
     const keyId = bearerKeyContext.keyId || extra?.keyId || undefined;
     const keyName = bearerKeyContext.keyName || extra?.keyName || undefined;
     const sourceIp = requestContextService.getRequestContext()?.remoteAddress || undefined;
+    let hostedReservation = null;
+    const reserveHostedIfNeeded = async (serverName, toolName) => {
+        const hostedAuth = requestContextService.getHostedAuthContext();
+        assertHostedToolAllowed(hostedAuth, serverName, toolName);
+        hostedReservation = await reserveHostedToolCall(hostedAuth, serverName, toolName);
+    };
+    const settleHostedIfNeeded = async (input) => {
+        const reservation = hostedReservation;
+        hostedReservation = null;
+        await settleHostedToolCall(reservation, {
+            success: input.success,
+            latencyMs: Date.now() - startTime,
+            requestContent: input.requestContent,
+            responseContent: input.responseContent,
+        });
+    };
     try {
         // Special handling for smart routing tools
         if (request.params.name === 'search_tools') {
@@ -1441,7 +1484,13 @@ export const handleCallToolRequest = async (request, extra) => {
                         }
                     }
                 }
+                await reserveHostedIfNeeded(targetServerInfo.name, cleanToolName);
                 const result = await openApiClient.callTool(cleanToolName, finalArgs, passthroughHeaders);
+                await settleHostedIfNeeded({
+                    success: true,
+                    requestContent: finalArgs,
+                    responseContent: result,
+                });
                 console.log('OpenAPI tool invocation result', {
                     serverName: targetServerInfo.name,
                     toolName: cleanToolName,
@@ -1487,10 +1536,16 @@ export const handleCallToolRequest = async (request, extra) => {
             const cleanToolName = toolName.startsWith(prefix)
                 ? toolName.substring(prefix.length)
                 : toolName;
+            await reserveHostedIfNeeded(targetServerInfo.name, cleanToolName);
             const result = await callToolWithReconnect(targetServerInfo, {
                 name: cleanToolName,
                 arguments: finalArgs,
             }, targetServerInfo.options || {});
+            await settleHostedIfNeeded({
+                success: !result.isError,
+                requestContent: finalArgs,
+                responseContent: result,
+            });
             console.log('Tool invocation result', {
                 serverName: targetServerInfo.name,
                 toolName: cleanToolName,
@@ -1557,7 +1612,14 @@ export const handleCallToolRequest = async (request, extra) => {
                     }
                 }
             }
-            const result = await openApiClient.callTool(cleanToolName, request.params.arguments || {}, passthroughHeaders);
+            const finalArgs = request.params.arguments || {};
+            await reserveHostedIfNeeded(serverInfo.name, cleanToolName);
+            const result = await openApiClient.callTool(cleanToolName, finalArgs, passthroughHeaders);
+            await settleHostedIfNeeded({
+                success: true,
+                requestContent: finalArgs,
+                responseContent: result,
+            });
             console.log('OpenAPI tool invocation result', {
                 serverName: serverInfo.name,
                 toolName: cleanToolName,
@@ -1596,7 +1658,13 @@ export const handleCallToolRequest = async (request, extra) => {
         const cleanToolName = request.params.name.startsWith(prefix)
             ? request.params.name.substring(prefix.length)
             : request.params.name;
+        await reserveHostedIfNeeded(serverInfo.name, cleanToolName);
         const result = await callToolWithReconnect(serverInfo, { ...request.params, name: cleanToolName }, serverInfo.options || {});
+        await settleHostedIfNeeded({
+            success: !result.isError,
+            requestContent: request.params.arguments,
+            responseContent: result,
+        });
         console.log('Tool call result', {
             serverName: serverInfo.name,
             toolName: cleanToolName,
@@ -1623,6 +1691,11 @@ export const handleCallToolRequest = async (request, extra) => {
         console.error('Error handling CallToolRequest', summarizeErrorForLogging(error));
         // Log error activity
         const duration = Date.now() - startTime;
+        await settleHostedIfNeeded({
+            success: false,
+            requestContent: getActivityInputFromToolRequest(request),
+            responseContent: { error: formatErrorForLogging(error) },
+        });
         const activityToolName = getActivityToolNameFromRequest(request);
         const serverInfo = (typeof extra?.server === 'string' ? getServerByName(extra.server) : undefined) ||
             getServerByTool(activityToolName);
@@ -1931,7 +2004,8 @@ async function filterToolsByGroup(group, serverName, tools, serverConfig) {
             tools = tools.filter((tool) => allowedToolNames.includes(tool.name));
         }
     }
-    return tools;
+    const hostedAuth = RequestContextService.getInstance().getHostedAuthContext();
+    return filterHostedTools(hostedAuth, serverName, tools, getNameSeparator());
 }
 const normalizePromptNameForGroup = (serverName, promptName) => {
     const prefix = `${serverName}${getNameSeparator()}`;