@sassoftware/sas-score-mcp-serverjs 1.0.1-9 → 1.1.1

package/scripts/refreshtoken.js

@@ -0,0 +1,58 @@
+/*
+* Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+* SPDX-License-Identifier: Apache-2.0
+*/
+import { Agent, fetch } from 'undici';
+import fs from "fs";
+
+refreshToken()
+.then (token => {
+  console.log(token);
+  fs.writeFileSync('token.txt', `"AUTHORIZATION": "Bearer ${token}"`, 'utf8');
+})
+.catch (err => {
+  console.error('[Error] Failed to refresh token: ', err);
+});
+async function refreshToken(){
+  let host = process.env.VIYA_SERVER;
+  let token = process.env.REFRESH_TOKEN;
+  let url = `${host}/SASLogon/oauth/token`;
+
+  let aconnect = {
+    rejectUnauthorized: false  // or false, if you really want to bypass checks
+  }
+
+  const agent = new Agent(aconnect);
+
+  console.error('[Info] Refreshing token...', token);
+  const ibody = {
+    grant_type: 'refresh_token',
+    refresh_token: token,
+    client_id: 'sas.cli'
+  };
+
+  let body = new URLSearchParams(ibody);
+  try {
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/x-www-form-urlencoded',
+        dispatcher: agent
+      },
+      body: body.toString()
+    });
+
+    if (!response.ok) {
+      const error = await response.text();
+      console.error('[Error] Failed to refresh token: ', error);
+      throw new Error(error);
+    }
+
+    const data = await response.json();
+    return data.access_token;
+  } catch (err) {
+    console.error('[Error] Failed to refresh token: ', err);
+    throw err;
+  }
+}

package/scripts/runListScr.mjs

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+import listScr from '../src/toolSet/listScr.js';
+
+async function run() {
+  const appContext = { brand: 'sas-score' };
+  const spec = listScr(appContext);
+  try {
+    const res = await spec.handler({});
+    console.log(JSON.stringify(res, null, 2));
+  } catch (err) {
+    console.error('Error running listScr:', err);
+    process.exit(1);
+  }
+}
+
+run();

package/src/createMcpServer.js

@@ -78,6 +78,7 @@ async function createMcpServer(cache, _appContext) {
   // Register the tools with brand prefix
   console.error(`[Note] Brand: ${_appContext.brand}`);
   let toolNames = [];
+  let totalDescription = 0;
   toolSet.forEach((tool, i) => {
     let toolName = _appContext.brand + '-' + tool.name;
     //tool.inputSchema.additionalProperties = false; // disallow extra properties 
@@ -85,12 +86,14 @@ async function createMcpServer(cache, _appContext) {
       description: tool.description,
       inputSchema: tool.inputSchema
     }
+    totalDescription += tool.description.length;``
     let toolHandler = wrapf(cache, tool.handler);
-  //  console.error(`[Note] Registering tool ${toolName} with config: ${JSON.stringify(config)}`);
     let r = mcpServer.registerTool(toolName, config, toolHandler);
     toolNames.push(toolName);
   });
+  console.error(`[Note]  Agent Mode: ${_appContext.agent}`);
   console.error(`[Note] Registered ${toolSet.length} tools: ${toolNames}`);
+  console.error(`[Note] Total description length: ${totalDescription} characters`); 
   cache.set("mcpServer", mcpServer);
   return mcpServer;
 }

package/src/expressMcpServer.js

@@ -9,6 +9,7 @@ import cors from "cors";
 import bodyParser from "body-parser";
 import selfsigned from "selfsigned";
 import openAPIJson from "./openAPIJson.js";
+import createMcpServer from "./createMcpServer.js";
 
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { randomUUID } from "node:crypto";
@@ -21,7 +22,7 @@ import processHeaders from "./processHeaders.js";
 
 // setup express server
 
-async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
+async function expressMcpServer(_mcpServer, cache, baseAppEnvContext) {
   // setup for change to persistence session
   cache.del("headerCache");
   const app = express();
@@ -50,6 +51,10 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
   const pkceStore = new Map(); // ourState -> { codeVerifier, clientRedirectUri, clientState }
   const codeStore = new Map(); // ourCode   -> { access_token, refresh_token, expires_in }
 
+  // Per-session transports — each initialize creates its own transport
+  const transports = new Map(); // sessionId -> transport
+  cache.set("transports", transports);
+
   app.get('/.well-known/oauth-protected-resource', (req, res) => {
     let payload = {
       resource: `${baseAppEnvContext.mcpHost}/mcp`,
@@ -152,67 +157,54 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
 
   // process mcp endpoint requests
   const handleRequest = async (req, res) => {
-    let transport = null;
-    let transports = cache.get("transports");
     console.error("=========================================================");
     console.error("Processing POST /mcp request");
-    if (transports == null) {
-      console.error("[Error] ***** transports cache is null. This is an error");
-      transports = {};
-      cache.set("transports", transports);
-    }
-
-    console.error("current transports in cache:", Object.keys(transports));
+    console.error("current active sessions:", transports.size);
     try {
 
       let sessionId = req.headers["mcp-session-id"];
       console.error("[Note]Incoming session ID:", sessionId);
       let body = (req.body == null) ? 'no body' : JSON.stringify(req.body);
       console.error('[Note] Payload is ', body);
-      if (/*!sessionId &&*/ isInitializeRequest(req.body)) {
-        // create transport
-        console.error("[Note] Initializing new transport for MCP session...");
-
-        transport = new StreamableHTTPServerTransport({
+     
+      if (isInitializeRequest(req.body)) {
+        console.error("[Note]>>>>>>>>>>>>>>>>>>>>>>>>>  Creating  new MCP server");
+        let mcpServer = await createMcpServer(cache, baseAppEnvContext);
+        // New session — create a dedicated transport
+        console.error("[Note] Initializing new session with fresh transport...");
+        const isInitRequest = req.body?.method === 'initialize';
+
+        const transport = new StreamableHTTPServerTransport({
           sessionIdGenerator: () => randomUUID(),
           enableJsonResponse: true,
-          enableDnsRebindingProtection: true,
-          onsessioninitialized: (sessionId) => {
-            // Store the transport by session ID
-            console.error('Session initialized');
-            console.error("[Note] Transport initialized with ID:", sessionId);
-            transports[sessionId] = transport;
+          onsessioninitialized: (newSessionId) => {
+            console.error("[Note] Session initialized with ID:", newSessionId);
+            transports.set(newSessionId, transport);
+            cache.set("transports", transports);
+            console.error("[Note] Total active sessions:", Object.keys(transports));
           },
         });
-        // Clean up transport when closed
         transport.onclose = () => {
-          if (transport.sessionId && transports[transport.sessionId]) {
-            delete transports[transport.sessionId];
+          if (transport.sessionId) {
+            console.error("[Note] Session closed, removing transport:", transport.sessionId);
+            transports.delete(transport.sessionId);
+            cache.del(transport.sessionId);
           }
         };
-        console.error("[Note] Connecting mcpServer to new transport...");
         await mcpServer.connect(transport);
-
-        // Save transport data and app context for use in tools
-        console.error('[Note] Connected to mcpServer');
-        cache.set("transports", transports);
         console.error("=======================================================");
         return await transport.handleRequest(req, res, req.body);
 
-        // cache transport
-
       } else if (sessionId != null) {
-        console.error('[Note] Incoming session ID:', sessionId);
-        transport = transports[sessionId];
-        console.error("[Note] Found transport:", transport != null);
-        if (transport == null) {
-          // this can happen if client is holding on to old session id 
-          console.error("[Error] No transport found for session ID:", sessionId, "Returning a 404 error with instructions for the user");
-          res.status(404).send(`Invalid or missing session ID ${sessionId}. Please ensure your MCP client is configured to use the correct session ID returned in the 'mcp-session-id' header of the response from the /mcp endpoint.`);
-          return;
+        const transport = transports.get(sessionId);
+        if (!transport) {
+          console.error("[Note] Unknown session ID:", sessionId);
+          return res.status(404).json({ jsonrpc: "2.0", error: { code: -32000, message: "Session not found. Please re-initialize." }, id: null });
         }
+        console.error('[Note] Incoming session ID:', sessionId);
+        console.error("[Note] Using transport for session ID:", sessionId);
 
-        // post the curren session - used to pass _appContext to tools
+        // post the current session - used to pass _appContext to tools
         cache.set("currentId", sessionId);
 
         // get app context for session
@@ -230,7 +222,6 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
           _appContext = Object.assign(_appContext, headerCache);
           cache.set(sessionId, _appContext);
         }
-        console.error("[Note] Using existing transport for session ID:", sessionId);
         console.error("==========================================================");
         await transport.handleRequest(req, res, req.body);
         return;
@@ -260,21 +251,28 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
     const sessionId = req.headers["mcp-session-id"];
     console.error("[Note] SessionId:", sessionId);
 
-    let transports = cache.get("transports");
-    let transport = (sessionId == null) ? null : transports[sessionId];
-    console.error("[Note] Transport found:", transport != null);
-    if (!sessionId || transport == null) {
-      res.status(404).send(`[Error] In ${req.method}: Invalid or missing session ID ${sessionId}`);
-      return;
+    if (!sessionId) {
+      console.error("[Note] No session ID on /DELETE — rejecting");
+      return res.status(400).json({ jsonrpc: "2.0", error: { code: -32000, message: "Bad Request: Mcp-Session-Id header is required" }, id: null });
     }
+
+    const transport = transports.get(sessionId);
+    if (!transport) {
+      console.error("[Note] Unknown session ID:", sessionId);
+      return res.status(404).json({ jsonrpc: "2.0", error: { code: -32000, message: "Session not found. Please re-initialize." }, id: null });
+    }
+
     if (req.method === "GET") {
+      console.error("[Note] calling transport.handleRequest for GET /mcp");
       await transport.handleRequest(req, res);
       return;
     }
-    if (req.method === "DELETE" && sessionId != null) {
+    if (req.method === "DELETE") {
       console.error("[Note] Deleting transport and cache for session ID:", sessionId);
-      delete transports[sessionId];
+      transports.delete(sessionId);
       cache.del(sessionId);
+      console.error("[Note] Deleted session ID:", sessionId);
+      console.error("[Note] Total active sessions:", Object.keys(transports));
       res.status(201).send(`[Info] Deleted session ${sessionId}`);
     }
   }

package/src/oauthHandlers/authorize.js

@@ -1,4 +1,7 @@
-//authorize
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import { randomBytes, createHash } from "node:crypto";
 import baseUrl from "./baseUrl.js";
 

package/src/oauthHandlers/baseUrl.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 function baseUrl(appContext) {
     const protocol = appContext.HTTPS === "TRUE" ? "https" : "http";
     //const host = "localhost";

package/src/oauthHandlers/callback.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import baseUrl from "./baseUrl.js";
 import { Agent, fetch as undiciFetch } from "undici";
 import { randomUUID } from "node:crypto";

package/src/oauthHandlers/getMetadata.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import baseUrl from "./baseUrl.js";
 function getMetadata(req, res, appEnvContext) {
     let base = '';

package/src/oauthHandlers/index.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import authorize from "./authorize.js";
 import callback from "./callback.js";   
 import token from "./token.js";

package/src/oauthHandlers/token.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 function token(req, res, appContext, codeStore, cache) {
   console.error("===============================================================");
   console.error("[Note] at /token endpoint");

package/src/openApi.yaml

@@ -1,121 +1,121 @@
-swagger: "2.0"
-info:
-  title: SAS Viya Sample MCP Server API
-  version: "1.0.0"
-  description: API for interacting with the SAS Viya Sample MCP Server.
-host: localhost:8080
-basePath: /
-schemes:
-  - http
-  - https
-consumes:
-  - application/json
-produces:
-  - application/json
-paths:
-  /health:
-    get:
-      summary: Health check
-      description: Returns health and version information.
-      responses:
-        200:
-          description: Health information
-          schema:
-            type: object
-            properties:
-              name:
-                type: string
-              version:
-                type: string
-              description:
-                type: string
-              endpoints:
-                type: object
-              usage:
-                type: string
-  /apiMeta:
-    get:
-      summary: API metadata
-      description: Returns the OpenAPI specification for this server.
-      responses:
-        200:
-          description: OpenAPI document
-          schema:
-            type: object
-  /mcp:
-    options:
-      summary: CORS preflight
-      description: CORS preflight endpoint.
-      responses:
-        204:
-          description: No Content
-    post:
-      summary: MCP request
-      description: Handles MCP JSON-RPC requests.
-      parameters:
-        - name: body
-          in: body
-          required: true
-          schema:
-            type: object
-        - name: Authorization
-          in: header
-          required: false
-          type: string
-          description: Bearer token for authentication
-        - name: X-VIYA-SERVER
-          in: header
-          required: false
-          type: string
-          description: Override VIYA server
-        - name: X-REFRESH-TOKEN
-          in: header
-          required: false
-          type: string
-          description: Refresh token for authentication
-        - name: mcp-session-id
-          in: header
-          required: false
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: MCP response
-          schema:
-            type: object
-        500:
-          description: Server error
-          schema:
-            type: object
-    get:
-      summary: Get MCP session
-      description: Retrieves information for an MCP session.
-      parameters:
-        - name: mcp-session-id
-          in: header
-          required: true
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: Session information
-          schema:
-            type: object
-        400:
-          description: Invalid or missing session ID
-    delete:
-      summary: Delete MCP session
-      description: Deletes an MCP session.
-      parameters:
-        - name: mcp-session-id
-          in: header
-          required: true
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: Session deleted
-          schema:
-            type: object
-        400:
-          description: Invalid or missing session ID
+swagger: "2.0"
+info:
+  title: SAS Viya Sample MCP Server API
+  version: "1.0.0"
+  description: API for interacting with the SAS Viya Sample MCP Server.
+host: localhost:8080
+basePath: /
+schemes:
+  - http
+  - https
+consumes:
+  - application/json
+produces:
+  - application/json
+paths:
+  /health:
+    get:
+      summary: Health check
+      description: Returns health and version information.
+      responses:
+        200:
+          description: Health information
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+              version:
+                type: string
+              description:
+                type: string
+              endpoints:
+                type: object
+              usage:
+                type: string
+  /apiMeta:
+    get:
+      summary: API metadata
+      description: Returns the OpenAPI specification for this server.
+      responses:
+        200:
+          description: OpenAPI document
+          schema:
+            type: object
+  /mcp:
+    options:
+      summary: CORS preflight
+      description: CORS preflight endpoint.
+      responses:
+        204:
+          description: No Content
+    post:
+      summary: MCP request
+      description: Handles MCP JSON-RPC requests.
+      parameters:
+        - name: body
+          in: body
+          required: true
+          schema:
+            type: object
+        - name: Authorization
+          in: header
+          required: false
+          type: string
+          description: Bearer token for authentication
+        - name: X-VIYA-SERVER
+          in: header
+          required: false
+          type: string
+          description: Override VIYA server
+        - name: X-REFRESH-TOKEN
+          in: header
+          required: false
+          type: string
+          description: Refresh token for authentication
+        - name: mcp-session-id
+          in: header
+          required: false
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: MCP response
+          schema:
+            type: object
+        500:
+          description: Server error
+          schema:
+            type: object
+    get:
+      summary: Get MCP session
+      description: Retrieves information for an MCP session.
+      parameters:
+        - name: mcp-session-id
+          in: header
+          required: true
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: Session information
+          schema:
+            type: object
+        400:
+          description: Invalid or missing session ID
+    delete:
+      summary: Delete MCP session
+      description: Deletes an MCP session.
+      parameters:
+        - name: mcp-session-id
+          in: header
+          required: true
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: Session deleted
+          schema:
+            type: object
+        400:
+          description: Invalid or missing session ID

package/src/processHeaders.js

@@ -1,5 +1,3 @@
-import { start } from "node:repl";
-
 /*
  * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
@@ -32,20 +30,25 @@ function processHeaders(req, res, next, cache, appContext) {
   const hdr = req.header("Authorization");
   //for now, ignore Authorization if authflow is not bearer
   let token = (hdr != null) ? hdr.slice(7) : null;
-  //console.error("[Note] Authorization token", token);
   debugger;
-  console.error('>>>',appContext.AUTHFLOW);
+  console.error('[Note} AUTHFLOW=',   appContext.AUTHFLOW);
+  console.error("[Note] External authorization :", appContext.AUTHEXTERNAL);
   if (appContext.AUTHFLOW === 'bearer') {
     debugger;
     let startAuth = false;
-    console.error("[Note] appContext.AUTHEXTERNAL:", appContext.AUTHEXTERNAL);
+    
     if (appContext.AUTHEXTERNAL === true) {
       console.error("[Note] Expecting external authorization"); 
       if (token != null) {
         console.error("[Note] Using user supplied token for authorization");
         headerCache.bearerToken = token;
       } else {
-        startAuth = true;
+        console.error("[Note] No Authorization token provided in header for external authorization.");
+        console.error("[Note] Returning 404 since we are configured for external token and no token provided in header.");
+        return res.status(404).json({
+          error: "unauthorized",
+          error_description: "[Error] Missing token for external authorization."
+        });
       }
     } else  if (token == null) {
       console.error("[Note] No Authorization token provided in header.");
@@ -55,7 +58,7 @@ function processHeaders(req, res, next, cache, appContext) {
       let tokenlist = cache.get("tokenlist");
       let tokenData = tokenlist[token];
       if (tokenData == null) {
-        return res.status(403).json({
+        return res.status(401).json({
           error: "unauthorized",
           error_description: "[Error] Expired token. Clear token and try again."
         });

package/src/setupSkills.js

@@ -19,27 +19,10 @@ function setupSkills(clientName,agentFolder) {
     if (agentFolder) {
         destination = path.join(destination, agentFolder);
     }
-    const source = path.join(__dirname, `../.skills` + '_' + clientName.toLowerCase());
+    const source = path.join(__dirname, `../.skills`);
     console.error("==================================================================");
     console.error(`           Copying ${source} to ${destination}...`);
 
-
-
-    // Copy agents folder if it exists
-     let agentsFromPath = path.join(__dirname, `../.agents`);
-     let agentsToPath = path.join(destination, 'agents');
-     copyFolderSync(agentsFromPath, agentsToPath);
-
-    // now  copy the skills folder to the destination
-    let toPath = path.join(destination, '.skills');
-    let fromPath = path.join(__dirname, `../.skills`);
-    copyFolderSync(fromPath, toPath);
-    
-    // Now copy instructions 
-    let instructionsFromPath = path.join(__dirname, `../.instructions`);
-    let instructionsToPath = destination;
-    copyFolderSync(instructionsFromPath, instructionsToPath);
-
     function copyFolderSync(from, to) {
         if (!fs.existsSync(from)) return [];
         if (!fs.existsSync(to)) fs.mkdirSync(to, { recursive: true });;