@sassoftware/sas-score-mcp-serverjs 0.4.0 → 0.4.1-15

package/src/handleGetDelete.js

@@ -17,7 +17,7 @@ async function handleGetDelete(mcpServer, cache, req, h) {
      if (req.method === "GET") {
         // You can customize the response as needed
         console.error("[Note] Payload:", req.payload);
-        console.log("======================================================");
+        console.error("======================================================");
         await transport.handleRequest(req.raw.req, req.raw.res, req.payload);
         return h.abandon;
      }

package/src/oauthHandlers/authorize.js

@@ -0,0 +1,46 @@
+//authorize
+import { randomBytes, createHash } from "node:crypto";
+import baseUrl from "./baseUrl.js";
+
+function authorize(req, res, appContext, pkceStore, codeStore) {
+    const { response_type, redirect_uri, state, scope } = req.query;
+    console.error("===============================================================");
+    if (appContext.AUTHEXTERNAL === true) {
+        console.error('*************************************************************');
+        console.error("[Error] Received request for /authorize endpoint with external authorization expected");
+        console.error('*************************************************************');
+    }
+    console.error("[NOTE] query parameters:", { response_type, redirect_uri, state, scope });
+    if (response_type !== "code") {
+        return res.status(400).json({ error: "unsupported_response_type" });
+    }
+    if (!redirect_uri) {
+        return res.status(400).json({ error: "invalid_request", error_description: "redirect_uri is required" });
+    }
+
+    const codeVerifier = randomBytes(64).toString("base64url");
+    const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+    const ourState = randomBytes(16).toString("hex");
+
+    pkceStore.set(ourState, { codeVerifier, clientRedirectUri: redirect_uri, clientState: state, codeChallenge });
+
+    const callbackUri = appContext.mcpHost + '/callback';
+    console.error("[Note] callbackUri:", callbackUri);
+    let urlConfig = {
+        response_type: "code",
+        client_id: appContext.CLIENTID,
+        redirect_uri: callbackUri,
+        scope: "openid",
+        state: ourState,
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256"
+    }
+    if (appContext.PKCE !== "TRUE") {
+        urlConfig.client_secret = appContext.CLIENTSECRET;
+    }
+    console.error("[Note] Params for SAS Viya authorization request:", urlConfig);
+    const params = new URLSearchParams(urlConfig);
+    console.error("================================================================");
+    return res.redirect(`${appContext.VIYA_SERVER}/SASLogon/oauth/authorize?${params}`);
+}
+export default authorize;

package/src/oauthHandlers/baseUrl.js

@@ -0,0 +1,8 @@
+function baseUrl(appContext) {
+    const protocol = appContext.HTTPS === "TRUE" ? "https" : "http";
+    //const host = "localhost";
+    const host = appContext.VIYA_SERVER;
+    return host;
+    return `${protocol}://${host}:${appContext.PORT}`;
+}
+export default baseUrl;

package/src/oauthHandlers/callback.js

@@ -0,0 +1,93 @@
+import baseUrl from "./baseUrl.js";
+import { Agent, fetch as undiciFetch } from "undici";
+import { randomUUID } from "node:crypto";
+async function callback(req, res, pkceStore, codeStore, appContext) {
+  console.error("===============================================================");
+  console.error("[Note] OAuth callback");
+  console.error(req.query);
+  const {code, state} = req.query;
+
+  console.error("[Note] query parameters:", code, state);
+  if (!code) {  
+    return res.status(400).send("Missing code parameter");
+  }
+
+  const pending = pkceStore.get(state);
+  if (!pending) {
+    return res.status(400).send("Invalid or expired state parameter");
+  }
+  pkceStore.delete(state);
+
+  // const callbackUri = `${baseUrl(appContext)}/callback`;
+  const callbackUri = appContext.mcpHost + '/callback';
+  console.error("[Note] callbackUri for token exchange:", callbackUri);
+  try {
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: appContext.CLIENTID,
+      code: code,
+      redirect_uri: callbackUri,
+      code_verifier: pending.codeVerifier
+    }).toString();
+   
+    console.error("[Note] Token request body:", body.toString());
+    let connectOpts = {
+      ca: appContext.contexts.viyaCert.ca,     // trust this CA
+      rejectUnauthorized: false  // or false, if you really want to bypass checks
+    }
+    const agent = new Agent({ connect: connectOpts });
+    console.error("[Note] Initiating token exchange with SAS Viya");
+    let clientID= appContext.CLIENTID;
+    let h = buildBasicAuthFromClientId(clientID);
+    console.error("[Note] Authorization header for token request:", h);
+    const response = await undiciFetch(`${appContext.VIYA_SERVER}/SASLogon/oauth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/json"
+      },
+      body: body,
+      dispatcher: agent,
+    });
+
+    if (!response.ok) {
+      const errText = await response.text();
+      console.error("[Error] SAS Viya token exchange failed:", errText);
+      return res.status(502).send("Token exchange with SAS Viya failed");
+    }
+
+    const tokens = await response.json();
+    console.error("[Note] Received tokens from SAS Viya:", tokens);
+    const ourCode = randomUUID();
+    codeStore.set(ourCode, {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_in: tokens.expires_in,
+    });
+
+    const redirectParams = new URLSearchParams({ code: ourCode , state: pending.clientState});
+    //pending.clientState is the original state from the MCP client, which we should pass back to it for correlation
+
+    // pending.clientRedirectUri is the original redirect URI from the MCP client, 
+    // which was part of the payload from the client to /oauth/authorize
+    // we trust since it was associated with the valid PKCE state
+    console.error("[Note] OAuth callback complete, redirecting to MCP client");
+    console.log(pending.clientRedirectUri.toString())
+    return res.redirect(`${pending.clientRedirectUri}?${redirectParams}`);
+  } catch (err) {
+    console.error("[Error] OAuth callback handler error:", err);
+    return res.status(500).send("Internal server error during token exchange");
+  }
+
+  function buildBasicAuthFromClientId(clientId) {
+    const raw = `${clientId}:`;   // empty client_secret
+    const encoded =
+      typeof btoa === "function"
+        ? btoa(raw)
+        : Buffer.from(raw).toString("base64");
+
+    return `Basic ${encoded}`;
+  }
+
+}
+export default callback;

package/src/oauthHandlers/getMetadata.js

@@ -0,0 +1,27 @@
+import baseUrl from "./baseUrl.js";
+function getMetadata(req, res, appEnvContext) {
+    let base = '';
+    let host = '';
+    if (appEnvContext.AUTHEXTERNAL === true) {
+        base = appEnvContext.VIYA_SERVER + '/SASLogon';
+        host = appEnvContext.VIYA_SERVER;
+    } else {
+        base = appEnvContext.mcpHost;
+        host = appEnvContext.mcpHost;
+    } 
+    console.error(`[Note] Base URL for Authorization Server Metadata: ${base}`);
+    let metadata = {
+        "issuer": host,
+        "authorization_endpoint": `${base}/oauth/authorize`,
+        "token_endpoint": `${base}/oauth/token`,
+        "response_types_supported": ["code"],
+        "grant_types_supported": ["authorization_code", "refresh_token"],
+        "code_challenge_methods_supported": ["S256"],
+        "scopes_supported": ["openid"]
+    };
+    console.error("===============================================================");
+    console.error("[Note] Authorization Server Metadata:", metadata);
+    console.error("===============================================================");
+    return metadata;
+};
+export default getMetadata;

package/src/oauthHandlers/index.js

@@ -0,0 +1,7 @@
+import authorize from "./authorize.js";
+import callback from "./callback.js";   
+import token from "./token.js";
+import getMetadata from "./getMetadata.js";
+import baseUrl from "./baseUrl.js";
+
+export { authorize, callback, token, getMetadata, baseUrl };

package/src/oauthHandlers/token.js

@@ -0,0 +1,37 @@
+function token(req, res, appContext, codeStore, cache) {
+  console.error("===============================================================");
+  console.error("[Note] at /token endpoint");
+  console.error("[Note] Request headers:", req.headers);
+  console.error("[Note] Handling token request with body:", req.body);
+
+  const { grant_type, code } = req.body;
+  console.error("[Note] OAuth token request received for code:", code);
+  console.error("[Note] Grant type:", grant_type);
+
+  const tokenData = codeStore.get(code);
+  if (!tokenData) {
+    return res.status(400).json({ error: "Invalid_code", error_description: "Invalid or expired authorization code" });
+  }
+  console.error("[Note] Retrieved token data for code:", Object.keys(tokenData));
+ 
+  let payload = {
+    access_token: code, // tokenData.access_token,
+    token_type: "Bearer",
+    expires_in: tokenData.expires_in,
+    scope: "openid" // You can include scopes if you have them, e.g., tokenData.scope
+   // scope: tokenData.scope,
+  };
+  let tokenlist = cache.get("tokenlist");
+  tokenData.refreshAt = Date.now() + tokenData.expires_in * 1000; // Set refresh time based on expires_in
+  tokenlist[code] = tokenData;
+  cache.set("tokenlist", tokenlist);
+
+  codeStore.delete(code); // Invalidate the code after use
+  console.error("[Note] Returning token to client");
+  console.error("[Note] Token sent to client:", JSON.stringify(payload, null, 2));
+ 
+  console.error("============================================================")
+  return res.status(200).json(payload);
+}
+
+export default token;

package/src/processHeaders.js

@@ -0,0 +1,88 @@
+import { start } from "node:repl";
+
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import baseUrl from "./oauthHandlers/baseUrl.js";
+function processHeaders(req, res, next, cache, appContext) {
+
+  // process any new header information
+  debugger;
+  console.error("=======================================================");
+  console.error("Processing headers for incoming request to /mcp endpoint");
+  // Allow different VIYA server per sessionid(user)
+  cache.del("headerCache");
+  let headerCache = {};
+  if (req.header("X-VIYA-SERVER") != null) {
+    console.error("[Note] Using user supplied VIYA server");
+    headerCache.VIYA_SERVER = req.header("X-VIYA-SERVER");
+  }
+
+  // fakeapi key since Viya does not support it
+  // not ideal for production, just for testing
+  const hdr2 = req.header("X-REFRESH-TOKEN");
+  if (hdr2 != null) {
+    headerCache.REFRESH_TOKEN = hdr2;
+    headerCache.AUTHFLOW = "refresh";
+    console.error("[Note] Using user supplied refresh token for authorization");
+  }
+
+  // Oauth flow
+  const hdr = req.header("Authorization");
+  //for now, ignore Authorization if authflow is not bearer
+  let token = (hdr != null) ? hdr.slice(7) : null;
+  //console.error("[Note] Authorization token", token);
+  debugger;
+  console.log('>>>',appContext.AUTHFLOW);
+  if (appContext.AUTHFLOW === 'bearer') {
+    debugger;
+    let startAuth = false;
+    console.error("[Note] appContext.AUTHEXTERNAL:", appContext.AUTHEXTERNAL);
+    if (appContext.AUTHEXTERNAL === true) {
+      console.error("[Note] Expecting external authorization"); 
+      if (token != null) {
+        console.error("[Note] Using user supplied token for authorization");
+        headerCache.bearerToken = token;
+      } else {
+        startAuth = true;
+      }
+    } else  if (token == null) {
+      console.error("[Note] No Authorization token provided in header.");
+       startAuth = true;
+    } else {
+      console.error("[Note] Checking token against cache", token);
+      let tokenlist = cache.get("tokenlist");
+      let tokenData = tokenlist[token];
+      if (tokenData == null) {
+        return res.status(403).json({
+          error: "unauthorized",
+          error_description: "[Error] Expired token. Clear token and try again."
+        });
+      } else {
+        token = tokenData.access_token;
+        headerCache.bearerToken = token;
+      }
+    }
+    if (startAuth === true) {
+      // start oauth flow process
+      console.error(`[Note] No Authorization header provided.
+                            Returning 401 to start the OAuth flow`); 
+      const base = appContext.mcpHost;
+      res.set(
+        "WWW-Authenticate",
+        `Bearer resource_metadata="${base}/.well-known/oauth-authorization-server", scope="openid"`
+      );
+      return res.status(401).json({
+        error: "unauthorized",
+        error_description: "Bearer token required."
+      });
+      // start auth flow process since no token provided in header and we are not configured for external token
+    }
+  }
+ // console.error("Header cache after processing:", headerCache);
+  cache.set("headerCache", headerCache);
+  next();
+}
+
+export default processHeaders;

package/src/toolHelpers/_listLibrary.js

@@ -12,7 +12,6 @@ async function _listLibrary(params) {
  
   const _ilistLibrary = async (params) => {
     let { server, limit, start, name, _appContext } = params;
-    console.error(_appContext);
     let config = {
       casServerName: _appContext.cas,
       computeContext: _appContext.sas,

package/src/toolHelpers/getLogonPayload.js

@@ -53,7 +53,6 @@ async function igetLogonPayload(_appContext) {
       token: _appContext.bearerToken,
       tokenType: "Bearer",
     };
-    console.error("[Note] Bearer token in logonPayload ", _appContext.bearerToken);
     return logonPayload;
   }
 
@@ -122,4 +121,9 @@ async function igetLogonPayload(_appContext) {
     return null;
   }
 }
+
+function isExpired(expiresAt, skewSeconds = 60) {
+  return Date.now() >= (expiresAt - skewSeconds * 1000);
+}
+
 export default getLogonPayload;

package/src/toolHelpers/readCerts.js

@@ -9,23 +9,23 @@ function getCerts(tlsdir) {
         return null;
     }
 
-    console.log(`[Note] Reading certs from directory: ` + tlsdir);
+    console.error(`[Note] Reading certs from directory: ` + tlsdir);
     if (fs.existsSync(tlsdir) === false) {
         console.error("[Warning] Specified cert dir does not exist: " + tlsdir);
         return null;
     }
 
     let listOfFiles = fs.readdirSync(tlsdir);
-    console.log("[Note] TLS/SSL files found: " + listOfFiles);
+    console.error("[Note] TLS/SSL files found: " + listOfFiles);
     let options = {};
     for(let i=0; i < listOfFiles.length; i++) {
         let fname = listOfFiles[i];
         let name = tlsdir + '/' + listOfFiles[i];
         let key = fname.split('.')[0];
-        console.log('Reading TLS file: ' + name + ' as key: ' + key);
+        console.error('Reading TLS file: ' + name + ' as key: ' + key);
         options[key] = fs.readFileSync(name, { encoding: 'utf8' });
     }
-    console.log('cert files', Object.keys(options));
+    console.error('cert files', Object.keys(options));
     
     return options;
    

package/src/toolHelpers/refreshTokenOauth.js

@@ -6,7 +6,7 @@
  //import getOpts from './getOpts.js';
  async function refreshTokenOauth(_appContext, oauthInfo ){
  
-    const url = `${process.env.VIYA_SERVER}/SASLogon/oauth/token`;
+   const url = `${_appContext.VIYA_SERVER}/SASLogon/oauth/token`;
     let opts = _appContext.contexts.appCert;
 
     const agent = new Agent({
@@ -23,10 +23,10 @@
     try {
       const response = await fetch(url, {
         method: 'POST',
+        dispatcher: agent,
         headers: {
           'Accept': 'application/json',
-          'Content-Type': 'application/x-www-form-urlencoded',
-          dispatcher: agent
+          'Content-Type': 'application/x-www-form-urlencoded'
         },
         body: body.toString()
       });

package/src/toolSet/.claude/settings.local.json

@@ -0,0 +1,13 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__sasmcp__sas-score-deva-score",
+      "mcp__sasmcp__sas-score-find-model",
+      "mcp__sasmcp__sas-score-model-info",
+      "Bash(cp \"C:/dev/github/7-skill-integration/.claude/skills/sas-read-and-score/SKILL.md\" \"C:/dev/github/7-skill-integration/skills/sas-read-and-score/SKILL.md\")",
+      "Bash(cp \"C:/dev/github/7-skill-integration/.claude/skills/sas-read-strategy/SKILL.md\" \"C:/dev/github/7-skill-integration/skills/sas-read-strategy/SKILL.md\")",
+      "Bash(cp \"C:/dev/github/7-skill-integration/.claude/skills/sas-score-workflow/SKILL.md\" \"C:/dev/github/7-skill-integration/skills/sas-score-workflow/SKILL.md\")",
+      "WebSearch"
+    ]
+  }
+}

package/src/toolSet/devaScore.js

@@ -1,61 +1,61 @@
-/*
- * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
- * SPDX-License-Identifier: Apache-2.0
- */
-import {z} from 'zod';
-
-function devaScore(_appContext) {
-
-    let description = `
-deva-score — compute a numeric score based on two input values.
-
-USE when: calculate deva score, score these values, compute score for numbers
-DO NOT USE for: model scoring (use model-score), statistical calculations, data lookup
-
-PARAMETERS
-- a: number (required) — first input value
-- b: number (required) — second input value
-
-FORMULA: (a + b) * 42
-
-ROUTING RULES
-- "calculate deva score for 5 and 10" → { a: 5, b: 10 }
-- "score 1 and 2" → { a: 1, b: 2 }
-- "deva score a=3, b=7" → { a: 3, b: 7 }
-- Multiple numbers → chain calls left-to-right: call(first, second), then call(result, third)
-
-EXAMPLES
-- "Calculate deva score for 5 and 10" → { a: 5, b: 10 } returns 630
-- "Score 1 and 2" → { a: 1, b: 2 } returns 126
-- "Deva score 20 and 30" → { a: 20, b: 30 } returns 2100
-
-NEGATIVE EXAMPLES (do not route here)
-- "Score this customer with credit model" (use model-score)
-- "Calculate the mean of these values" (use run-sas-program or sas-query)
-- "Statistical analysis of numbers" (use sas-query)
-
-RESPONSE
-Returns { score: (a + b) * 42 }
-    `;
-    let spec = {
-        name: 'deva-score',
-        aliases: ['devaScore','deva score','deva_score'],
-        description: description,
-        schema: {
-            a: z.number(),
-            b: z.number()
-        },
-        handler: async ({ a, b }) => {
-            console.error( a, b);
-            let r = {score: (a + b) * 42};
-            console.error('deva score result', r);
-            return {
-                content: [{type: 'text', text: 'deva score result: ' + JSON.stringify(r)}],
-                structuredContent: r
-             };
-            }
-        }
-        
-    return spec;
-}
-export default devaScore;
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { z } from 'zod';
+
+function devaScore(_appContext) {
+
+    let description = `
+deva-score — compute a numeric score based on two input values.
+
+USE when: calculate deva score, score these values, compute score for numbers
+DO NOT USE for: model scoring (use model-score), statistical calculations, data lookup
+
+PARAMETERS
+- a: number (required) — first input value
+- b: number (required) — second input value
+
+FORMULA: (a + b) * 42
+
+ROUTING RULES
+- "calculate deva score for 5 and 10" → { a: 5, b: 10 }
+- "score 1 and 2" → { a: 1, b: 2 }
+- "deva score a=3, b=7" → { a: 3, b: 7 }
+- Multiple numbers → chain calls left-to-right: call(first, second), then call(result, third)
+
+EXAMPLES
+- "Calculate deva score for 5 and 10" → { a: 5, b: 10 } returns 630
+- "Score 1 and 2" → { a: 1, b: 2 } returns 126
+- "Deva score 20 and 30" → { a: 20, b: 30 } returns 2100
+
+NEGATIVE EXAMPLES (do not route here)
+- "Score this customer with credit model" (use model-score)
+- "Calculate the mean of these values" (use run-sas-program or sas-query)
+- "Statistical analysis of numbers" (use sas-query)
+
+RESPONSE
+Returns { score: (a + b) * 42 }
+    `;
+    let spec = {
+        name: 'deva-score',
+        description: description,
+        inputSchema: z.object({
+            a: z.number(),
+            b: z.number(),
+        }),
+        handler: async ({ a, b }) => {
+            console.error(a, b);
+            let r = { score: (a + b) * 42 };
+            console.error('deva score result', r);
+            return {
+                content: [{ type: 'text', text: 'deva score result: ' + JSON.stringify(r) }],
+                structuredContent: r
+            };
+        }
+    }
+
+    return spec;
+}
+export default devaScore;
+

package/src/toolSet/findJob.js

@@ -5,16 +5,7 @@
 import { z } from 'zod';
 import _listJobs from '../toolHelpers/_listJobs.js';
 function findJob(_appContext) {
-  let llmDescription= {
-  "purpose": "Map natural language requests to find a job in SAS Viya and return structured results.",
-  "param_mapping": {
-    "name": "required - single name. If missing, ask 'Which job name would you like to find?'.",
-    "_userPrompt": "the original user prompt that triggered this tool."
-
-  },
-  "response_schema": "{ jobs: Array<string|object> }",
-  "behavior": "Return only JSON matching response_schema when invoked by an LLM. If no matches, return { jobs: [] }"
-};
+  
   let description = `
 find-job — locate a specific SAS Viya job.
 
@@ -49,18 +40,20 @@ Returns { jobs: [] } if not found; { jobs: [name, ...] } if found. Never halluci
 
   let spec = {
     name: 'find-job',
-    aliases: ['findJob','find job','find_job'],
     description: description,
-    schema: {
-      name: z.string(),
-      _userPrompt: z.string()
-    },
-    required: ['name'],
+    inputSchema: z.object({
+      name: z.string()
+    }),
     handler: async (params) => {
       let r = await _listJobs(params);
       return r;
     }
   }
+    
+
+  /* correct spec for registerTool with inputSchema */
+  
   return spec;
 }
 export default findJob;
+

package/src/toolSet/findJobdef.js

@@ -49,12 +49,10 @@ Returns { jobdefs: [] } if not found; { jobdefs: [name, ...] } if found. Never h
 
   let spec = {
     name: 'find-jobdef',
-    aliases: ['findJobdef','find jobdef','find_jobdef'],
     description: description,
-    schema: {
-      name: z.string()
-    },
-    required: ['name'],
+    inputSchema: z.object({
+        name: z.string()
+    }),
     handler: async (params) => {
       let r = await _listJobdefs(params);
       return r;
@@ -63,3 +61,4 @@ Returns { jobdefs: [] } if not found; { jobdefs: [name, ...] } if found. Never h
   return spec;
 }
 export default findJobdef;
+