@sonoma-security/mcp-gateway 0.1.2 → 0.1.5

package/dist/auth/upstream-oauth-provider.js

@@ -0,0 +1,88 @@
+/**
+ * OAuthClientProvider implementation for upstream MCP servers.
+ *
+ * Implements the MCP SDK's OAuthClientProvider interface so the SDK's
+ * `auth()` orchestrator can handle the full OAuth flow (discovery, DCR,
+ * PKCE, authorization, token exchange, refresh) for any upstream server.
+ *
+ * Design: `redirectToAuthorization()` captures the URL instead of opening
+ * the browser directly. The caller (gateway) controls when/how to open it,
+ * enabling serial auth flows across multiple servers.
+ */
+const CLIENT_NAME = "Sonoma MCP Gateway";
+export class UpstreamOAuthProvider {
+    serverUrl;
+    store;
+    callbackPort;
+    _debug;
+    /** Captured authorization URL after `redirectToAuthorization` is called */
+    pendingAuthorizationUrl;
+    constructor(options) {
+        this.serverUrl = options.serverUrl;
+        this.store = options.store;
+        this.callbackPort = options.callbackPort;
+        this._debug = options.debug ?? false;
+    }
+    get redirectUrl() {
+        return `http://localhost:${this.callbackPort}/callback`;
+    }
+    get clientMetadata() {
+        return {
+            client_name: CLIENT_NAME,
+            redirect_uris: [this.redirectUrl],
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            token_endpoint_auth_method: "none",
+        };
+    }
+    async clientInformation() {
+        return this.store.getClientInfo(this.serverUrl);
+    }
+    async saveClientInformation(info) {
+        this.store.saveClientInfo(this.serverUrl, info);
+    }
+    async tokens() {
+        return this.store.getTokens(this.serverUrl);
+    }
+    async saveTokens(tokens) {
+        this.store.saveTokens(this.serverUrl, tokens);
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        // Capture the URL; caller will open the browser
+        this.pendingAuthorizationUrl = authorizationUrl;
+        this.log("Authorization URL captured (caller will open browser)");
+    }
+    async saveCodeVerifier(verifier) {
+        this.store.saveCodeVerifier(this.serverUrl, verifier);
+    }
+    async codeVerifier() {
+        const verifier = this.store.getCodeVerifier(this.serverUrl);
+        if (!verifier) {
+            throw new Error("No code verifier found for this server");
+        }
+        return verifier;
+    }
+    async invalidateCredentials(scope) {
+        switch (scope) {
+            case "all":
+                this.store.clearAll(this.serverUrl);
+                break;
+            case "client":
+                this.store.clearClientInfo(this.serverUrl);
+                break;
+            case "tokens":
+                this.store.clearTokens(this.serverUrl);
+                break;
+            case "verifier":
+                // Code verifier is transient; clearing it is optional
+                break;
+        }
+    }
+    log(msg) {
+        if (this._debug) {
+            // Security: msg is from developer code, not user input
+            console.error(`[upstream-oauth] ${msg}`); // nosemgrep: unsafe-formatstring
+        }
+    }
+}
+//# sourceMappingURL=upstream-oauth-provider.js.map

package/dist/auth/upstream-oauth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upstream-oauth-provider.js","sourceRoot":"","sources":["../../src/auth/upstream-oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAUH,MAAM,WAAW,GAAG,oBAAoB,CAAC;AASzC,MAAM,OAAO,qBAAqB;IACf,SAAS,CAAS;IAClB,KAAK,CAAqB;IAC1B,YAAY,CAAS;IACrB,MAAM,CAAU;IAEjC,2EAA2E;IAC3E,uBAAuB,CAAkB;IAEzC,YAAY,OAAqC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IACvC,CAAC;IAED,IAAI,WAAW;QACb,OAAO,oBAAoB,IAAI,CAAC,YAAY,WAAW,CAAC;IAC1D,CAAC;IAED,IAAI,cAAc;QAChB,OAAO;YACL,WAAW,EAAE,WAAW;YACxB,aAAa,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC;YACjC,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,0BAA0B,EAAE,MAAM;SACnC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,IAAiC;QAC3D,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAmB;QAClC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,gBAAqB;QACjD,gDAAgD;QAChD,IAAI,CAAC,uBAAuB,GAAG,gBAAgB,CAAC;QAChD,IAAI,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,QAAgB;QACrC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAA+C;QACzE,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,KAAK;gBACR,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACpC,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC3C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACvC,MAAM;YACR,KAAK,UAAU;gBACb,sDAAsD;gBACtD,MAAM;QACV,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,GAAW;QACrB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,uDAAuD;YACvD,OAAO,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC,CAAC,iCAAiC;QAC7E,CAAC;IACH,CAAC;CACF"}

package/dist/auth/upstream-oauth.d.ts

@@ -0,0 +1,31 @@
+/**
+ * OAuth flow orchestrator for upstream MCP servers.
+ *
+ * Uses the SDK's `auth()` function to handle discovery, DCR, PKCE,
+ * authorization, token exchange, and refresh. Opens the browser for
+ * user consent when needed, using a separate callback port from
+ * Sonoma's own auth (19843 vs 19842).
+ */
+import { UpstreamOAuthProvider } from "./upstream-oauth-provider.js";
+import type { UpstreamTokenStore } from "./upstream-token-store.js";
+export interface AuthenticateUpstreamOptions {
+    serverUrl: string;
+    serverName: string;
+    store: UpstreamTokenStore;
+    debug?: boolean;
+}
+/**
+ * Authenticate with an upstream MCP server that requires OAuth.
+ *
+ * Flow:
+ * 1. Create an OAuthClientProvider for this server
+ * 2. Call `auth()` which checks existing tokens / tries refresh
+ * 3. If "AUTHORIZED", tokens are ready
+ * 4. If "REDIRECT", open browser for user consent, wait for callback,
+ *    then complete the auth code exchange
+ *
+ * Returns the provider (which can be passed to transports for mid-session refresh).
+ * Throws if authentication fails.
+ */
+export declare function authenticateUpstream(options: AuthenticateUpstreamOptions): Promise<UpstreamOAuthProvider>;
+//# sourceMappingURL=upstream-oauth.d.ts.map

package/dist/auth/upstream-oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"upstream-oauth.d.ts","sourceRoot":"","sources":["../../src/auth/upstream-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAMpE,MAAM,WAAW,2BAA2B;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,kBAAkB,CAAC;IAC1B,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,2BAA2B,GACnC,OAAO,CAAC,qBAAqB,CAAC,CA+DhC"}

package/dist/auth/upstream-oauth.js

@@ -0,0 +1,79 @@
+/**
+ * OAuth flow orchestrator for upstream MCP servers.
+ *
+ * Uses the SDK's `auth()` function to handle discovery, DCR, PKCE,
+ * authorization, token exchange, and refresh. Opens the browser for
+ * user consent when needed, using a separate callback port from
+ * Sonoma's own auth (19843 vs 19842).
+ */
+import { auth } from "@modelcontextprotocol/sdk/client/auth.js";
+import { UpstreamOAuthProvider } from "./upstream-oauth-provider.js";
+import { openBrowser } from "./client.js";
+import { startCallbackServer } from "./server.js";
+const UPSTREAM_CALLBACK_PORT = 19843;
+/**
+ * Authenticate with an upstream MCP server that requires OAuth.
+ *
+ * Flow:
+ * 1. Create an OAuthClientProvider for this server
+ * 2. Call `auth()` which checks existing tokens / tries refresh
+ * 3. If "AUTHORIZED", tokens are ready
+ * 4. If "REDIRECT", open browser for user consent, wait for callback,
+ *    then complete the auth code exchange
+ *
+ * Returns the provider (which can be passed to transports for mid-session refresh).
+ * Throws if authentication fails.
+ */
+export async function authenticateUpstream(options) {
+    const { serverUrl, serverName, store, debug = false } = options;
+    const log = (msg) => {
+        if (debug) {
+            // Security: msg is from developer code, not user input
+            console.error(`[upstream-oauth] ${msg}`); // nosemgrep: unsafe-formatstring
+        }
+    };
+    store.setServerName(serverUrl, serverName);
+    const provider = new UpstreamOAuthProvider({
+        serverUrl,
+        store,
+        callbackPort: UPSTREAM_CALLBACK_PORT,
+        debug,
+    });
+    // First auth() call: checks existing tokens, tries refresh, or initiates redirect
+    log(`Authenticating with ${serverName} (${serverUrl})...`);
+    const result = await auth(provider, { serverUrl });
+    if (result === "AUTHORIZED") {
+        log(`Already authorized with ${serverName}`);
+        return provider;
+    }
+    // result === "REDIRECT": provider captured the authorization URL
+    if (!provider.pendingAuthorizationUrl) {
+        throw new Error(`Auth flow returned REDIRECT but no authorization URL was captured for ${serverName}`);
+    }
+    const authUrl = provider.pendingAuthorizationUrl.toString();
+    console.error(`\nOpening browser to authenticate with ${serverName}...`);
+    console.error(`If browser doesn't open, visit:\n${authUrl}\n`);
+    // Start callback server and open browser
+    const callbackPromise = startCallbackServer({
+        port: UPSTREAM_CALLBACK_PORT,
+        debug,
+        serverName,
+    });
+    await openBrowser(authUrl);
+    // Wait for the authorization code
+    const callbackResult = await callbackPromise;
+    // State validation is handled internally by the MCP SDK's auth() function.
+    // The provider's codeVerifier storage implicitly binds the session.
+    log(`Received authorization code from ${serverName}`);
+    // Second auth() call: exchange the authorization code for tokens
+    const exchangeResult = await auth(provider, {
+        serverUrl,
+        authorizationCode: callbackResult.code,
+    });
+    if (exchangeResult !== "AUTHORIZED") {
+        throw new Error(`Token exchange failed for ${serverName}: unexpected result "${exchangeResult}"`);
+    }
+    log(`Successfully authenticated with ${serverName}`);
+    return provider;
+}
+//# sourceMappingURL=upstream-oauth.js.map

package/dist/auth/upstream-oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upstream-oauth.js","sourceRoot":"","sources":["../../src/auth/upstream-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,0CAA0C,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,sBAAsB,GAAG,KAAK,CAAC;AASrC;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAoC;IAEpC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEhE,MAAM,GAAG,GAAG,CAAC,GAAW,EAAE,EAAE;QAC1B,IAAI,KAAK,EAAE,CAAC;YACV,uDAAuD;YACvD,OAAO,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC,CAAC,iCAAiC;QAC7E,CAAC;IACH,CAAC,CAAC;IAEF,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAE3C,MAAM,QAAQ,GAAG,IAAI,qBAAqB,CAAC;QACzC,SAAS;QACT,KAAK;QACL,YAAY,EAAE,sBAAsB;QACpC,KAAK;KACN,CAAC,CAAC;IAEH,kFAAkF;IAClF,GAAG,CAAC,uBAAuB,UAAU,KAAK,SAAS,MAAM,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEnD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QAC5B,GAAG,CAAC,2BAA2B,UAAU,EAAE,CAAC,CAAC;QAC7C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,iEAAiE;IACjE,IAAI,CAAC,QAAQ,CAAC,uBAAuB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,yEAAyE,UAAU,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,uBAAuB,CAAC,QAAQ,EAAE,CAAC;IAC5D,OAAO,CAAC,KAAK,CAAC,0CAA0C,UAAU,KAAK,CAAC,CAAC;IACzE,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,CAAC;IAE/D,yCAAyC;IACzC,MAAM,eAAe,GAAG,mBAAmB,CAAC;QAC1C,IAAI,EAAE,sBAAsB;QAC5B,KAAK;QACL,UAAU;KACX,CAAC,CAAC;IACH,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IAE3B,kCAAkC;IAClC,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC;IAC7C,2EAA2E;IAC3E,oEAAoE;IACpE,GAAG,CAAC,oCAAoC,UAAU,EAAE,CAAC,CAAC;IAEtD,iEAAiE;IACjE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE;QAC1C,SAAS;QACT,iBAAiB,EAAE,cAAc,CAAC,IAAI;KACvC,CAAC,CAAC;IAEH,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,6BAA6B,UAAU,wBAAwB,cAAc,GAAG,CAAC,CAAC;IACpG,CAAC;IAED,GAAG,CAAC,mCAAmC,UAAU,EAAE,CAAC,CAAC;IACrD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/auth/upstream-token-store.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Per-server token storage for upstream MCP servers that require OAuth.
+ *
+ * Stores credentials in ~/.sonoma/upstream-credentials.json, encrypted with
+ * the same AES-256-GCM scheme used for Sonoma gateway credentials.
+ * Each server is keyed by its URL origin (e.g., "https://mcp.sentry.dev").
+ */
+import type { OAuthTokens, OAuthClientInformationMixed } from "@modelcontextprotocol/sdk/shared/auth.js";
+export declare class UpstreamTokenStore {
+    private store;
+    private load;
+    private save;
+    private getServer;
+    getTokens(serverUrl: string): OAuthTokens | undefined;
+    saveTokens(serverUrl: string, tokens: OAuthTokens): void;
+    clearTokens(serverUrl: string): void;
+    getClientInfo(serverUrl: string): OAuthClientInformationMixed | undefined;
+    saveClientInfo(serverUrl: string, info: OAuthClientInformationMixed): void;
+    clearClientInfo(serverUrl: string): void;
+    getCodeVerifier(serverUrl: string): string | undefined;
+    saveCodeVerifier(serverUrl: string, verifier: string): void;
+    setServerName(serverUrl: string, name: string): void;
+    clearAll(serverUrl: string): void;
+    /** Clear credentials for every upstream server. */
+    clearAllServers(): void;
+}
+//# sourceMappingURL=upstream-token-store.d.ts.map

package/dist/auth/upstream-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"upstream-token-store.d.ts","sourceRoot":"","sources":["../../src/auth/upstream-token-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,2BAA2B,EAAE,MAAM,0CAA0C,CAAC;AAsBzG,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,KAAK,CAAwC;IAErD,OAAO,CAAC,IAAI;IAoBZ,OAAO,CAAC,IAAI;IAOZ,OAAO,CAAC,SAAS;IASjB,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIrD,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI;IAOxD,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAMpC,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,2BAA2B,GAAG,SAAS;IAIzE,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,2BAA2B,GAAG,IAAI;IAM1E,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAMxC,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAItD,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAM3D,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAMpD,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAOjC,mDAAmD;IACnD,eAAe,IAAI,IAAI;CAIxB"}

package/dist/auth/upstream-token-store.js

@@ -0,0 +1,103 @@
+/**
+ * Per-server token storage for upstream MCP servers that require OAuth.
+ *
+ * Stores credentials in ~/.sonoma/upstream-credentials.json, encrypted with
+ * the same AES-256-GCM scheme used for Sonoma gateway credentials.
+ * Each server is keyed by its URL origin (e.g., "https://mcp.sentry.dev").
+ */
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { SONOMA_DIR, ensureSonomaDir, encrypt, decrypt } from "./crypto.js";
+const UPSTREAM_CREDENTIALS_PATH = join(SONOMA_DIR, "upstream-credentials.json");
+function getServerKey(serverUrl) {
+    const url = new URL(serverUrl);
+    return url.origin;
+}
+export class UpstreamTokenStore {
+    store = null;
+    load() {
+        if (this.store)
+            return this.store;
+        if (!existsSync(UPSTREAM_CREDENTIALS_PATH)) {
+            this.store = { servers: {} };
+            return this.store;
+        }
+        try {
+            const encryptedData = readFileSync(UPSTREAM_CREDENTIALS_PATH, "utf-8");
+            const decrypted = decrypt(encryptedData);
+            this.store = JSON.parse(decrypted);
+            return this.store;
+        }
+        catch {
+            // If decryption fails (e.g., machine changed), start fresh
+            this.store = { servers: {} };
+            return this.store;
+        }
+    }
+    save() {
+        ensureSonomaDir();
+        const data = JSON.stringify(this.load(), null, 2);
+        const encrypted = encrypt(data);
+        writeFileSync(UPSTREAM_CREDENTIALS_PATH, encrypted, { mode: 0o600 });
+    }
+    getServer(serverUrl) {
+        const store = this.load();
+        const key = getServerKey(serverUrl);
+        if (!store.servers[key]) {
+            store.servers[key] = {};
+        }
+        return store.servers[key];
+    }
+    getTokens(serverUrl) {
+        return this.getServer(serverUrl).tokens;
+    }
+    saveTokens(serverUrl, tokens) {
+        const server = this.getServer(serverUrl);
+        server.tokens = tokens;
+        server.lastAuthenticated = Date.now();
+        this.save();
+    }
+    clearTokens(serverUrl) {
+        const server = this.getServer(serverUrl);
+        delete server.tokens;
+        this.save();
+    }
+    getClientInfo(serverUrl) {
+        return this.getServer(serverUrl).clientInfo;
+    }
+    saveClientInfo(serverUrl, info) {
+        const server = this.getServer(serverUrl);
+        server.clientInfo = info;
+        this.save();
+    }
+    clearClientInfo(serverUrl) {
+        const server = this.getServer(serverUrl);
+        delete server.clientInfo;
+        this.save();
+    }
+    getCodeVerifier(serverUrl) {
+        return this.getServer(serverUrl).codeVerifier;
+    }
+    saveCodeVerifier(serverUrl, verifier) {
+        const server = this.getServer(serverUrl);
+        server.codeVerifier = verifier;
+        this.save();
+    }
+    setServerName(serverUrl, name) {
+        const server = this.getServer(serverUrl);
+        server.serverName = name;
+        this.save();
+    }
+    clearAll(serverUrl) {
+        const store = this.load();
+        const key = getServerKey(serverUrl);
+        delete store.servers[key];
+        this.save();
+    }
+    /** Clear credentials for every upstream server. */
+    clearAllServers() {
+        this.store = { servers: {} };
+        this.save();
+    }
+}
+//# sourceMappingURL=upstream-token-store.js.map

package/dist/auth/upstream-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upstream-token-store.js","sourceRoot":"","sources":["../../src/auth/upstream-token-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE5E,MAAM,yBAAyB,GAAG,IAAI,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC;AAchF,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/B,OAAO,GAAG,CAAC,MAAM,CAAC;AACpB,CAAC;AAED,MAAM,OAAO,kBAAkB;IACrB,KAAK,GAAmC,IAAI,CAAC;IAE7C,IAAI;QACV,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC;QAElC,IAAI,CAAC,UAAU,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,YAAY,CAAC,yBAAyB,EAAE,OAAO,CAAC,CAAC;YACvE,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAA4B,CAAC;YAC9D,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,IAAI;QACV,eAAe,EAAE,CAAC;QAClB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAChC,aAAa,CAAC,yBAAyB,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IAEO,SAAS,CAAC,SAAiB;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,SAAS,CAAC,SAAiB;QACzB,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IAC1C,CAAC;IAED,UAAU,CAAC,SAAiB,EAAE,MAAmB;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;QACvB,MAAM,CAAC,iBAAiB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,WAAW,CAAC,SAAiB;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,OAAO,MAAM,CAAC,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,aAAa,CAAC,SAAiB;QAC7B,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC;IAC9C,CAAC;IAED,cAAc,CAAC,SAAiB,EAAE,IAAiC;QACjE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,eAAe,CAAC,SAAiB;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,OAAO,MAAM,CAAC,UAAU,CAAC;QACzB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,eAAe,CAAC,SAAiB;QAC/B,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC;IAChD,CAAC;IAED,gBAAgB,CAAC,SAAiB,EAAE,QAAgB;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,YAAY,GAAG,QAAQ,CAAC;QAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,aAAa,CAAC,SAAiB,EAAE,IAAY;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,QAAQ,CAAC,SAAiB;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,mDAAmD;IACnD,eAAe;QACb,IAAI,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;CACF"}

package/dist/cli.js

@@ -10,8 +10,8 @@
 import { parseArgs } from "node:util";
 import { readFileSync, existsSync } from "node:fs";
 import { McpGateway } from "./gateway.js";
-import { loadConfig, findClaudeDesktopConfig, loadFromParentConfig } from "./config.js";
-import { login, logout, getAuthStatus, ensureValidToken } from "./auth/index.js";
+import { loadConfig, findClaudeDesktopConfig, loadFromParentConfig, autoDetectConfig } from "./config.js";
+import { login, logout, getAuthStatus, ensureValidToken, UpstreamTokenStore } from "./auth/index.js";
 import { SonomaClient } from "./sonoma-client.js";
 const DEFAULT_SONOMA_ENDPOINT = "https://app.sonoma.dev";
 const MDM_CONFIG_PATH = "/usr/local/etc/sonoma/config";
@@ -121,6 +121,7 @@ async function main() {
             login: { type: "boolean" },
             logout: { type: "boolean" },
             status: { type: "boolean" },
+            reauth: { type: "boolean" },
             endpoint: { type: "string", short: "e" },
         },
         strict: true,
@@ -155,6 +156,12 @@ async function main() {
         }
         process.exit(0);
     }
+    // Clear upstream OAuth tokens (forces re-authentication on next connect)
+    if (values.reauth) {
+        const store = new UpstreamTokenStore();
+        store.clearAllServers();
+        console.error("Cleared all upstream OAuth credentials. Servers will re-authenticate on connect.");
+    }
     // Gateway mode
     let config;
     if (values["mcp-json-path"]) {
@@ -176,9 +183,18 @@ async function main() {
         config = loadConfig(claudeConfig);
     }
     else {
-        console.error("No config specified. Use --config, --mcp-json-path, or --auto");
-        printHelp();
-        process.exit(1);
+        // Auto-detect: search common MCP config locations for a Sonoma gateway entry
+        const detected = autoDetectConfig(values.debug);
+        if (detected) {
+            console.error(`Auto-detected config: ${detected.path} (gateway: ${detected.gatewayName})`);
+            config = loadFromParentConfig(detected.path, detected.gatewayName);
+        }
+        else {
+            console.error("No config found. Searched: ~/.cursor/mcp.json, Claude Desktop config");
+            console.error("Configure servers in your MCP config, or use --mcp-json-path <path>");
+            printHelp();
+            process.exit(1);
+        }
     }
     if (values.debug) {
         config.debug = true;
@@ -193,10 +209,12 @@ async function main() {
             gatewayEnabled: mdmConfig.gatewayEnabled,
         }));
     }
-    // Set endpoint priority: CLI flag > MDM gateway endpoint > default
-    // Note: sonomaEndpoint was set from --endpoint flag, defaults to DEFAULT_SONOMA_ENDPOINT
-    if (!config.sonomaEndpoint) {
-        config.sonomaEndpoint = values.endpoint || mdmConfig.gatewayEndpoint || sonomaEndpoint;
+    // Set endpoint priority: CLI flag > MDM gateway endpoint
+    // Note: We intentionally don't fall back to DEFAULT_SONOMA_ENDPOINT here
+    // If no endpoint is explicitly configured, the gateway runs in offline mode without auth
+    const explicitEndpoint = values.endpoint || mdmConfig.gatewayEndpoint || config.sonomaEndpoint;
+    if (explicitEndpoint) {
+        config.sonomaEndpoint = explicitEndpoint;
     }
     // Store org API key in config for gateway
     if (mdmConfig.apiKey) {
@@ -208,73 +226,83 @@ async function main() {
     // Determine auth mode from MDM config or policy
     // Default: user_id (prompt for OAuth login)
     let requiredAuthMode = mdmConfig.gatewayAuthMode || "user_id";
-    // Try to ensure we have a valid token (refreshes if expired)
-    // This handles the case where user has old/expired credentials
-    const hasValidToken = await ensureValidToken({
-        sonomaEndpoint: config.sonomaEndpoint,
-        debug: values.debug,
-    });
-    if (values.debug) {
-        console.error(`[cli] Token validation: ${hasValidToken ? "valid" : "invalid/missing"}`);
-    }
-    // Check auth status (now accurate after ensureValidToken)
-    let authStatus = getAuthStatus(config.sonomaEndpoint);
-    // Fetch policy to check if admin overrides auth mode
-    if (config.sonomaEndpoint && config.sonomaApiKey) {
-        const tempClient = new SonomaClient({
-            endpoint: config.sonomaEndpoint,
-            orgApiKey: config.sonomaApiKey,
+    // Only attempt authentication if a Sonoma endpoint is explicitly configured
+    // This allows the gateway to run in "offline" mode for local testing
+    let authStatus = { loggedIn: false, hasRefreshToken: false };
+    if (config.sonomaEndpoint) {
+        // Try to ensure we have a valid token (refreshes if expired)
+        // This handles the case where user has old/expired credentials
+        const hasValidToken = await ensureValidToken({
+            sonomaEndpoint: config.sonomaEndpoint,
             debug: values.debug,
         });
-        try {
-            const policy = await tempClient.fetchPolicy();
-            if (values.debug) {
-                console.error(`[cli] Policy: mode=${policy.mode}, authMode=${policy.gatewayAuthMode}`);
+        if (values.debug) {
+            console.error(`[cli] Token validation: ${hasValidToken ? "valid" : "invalid/missing"}`);
+        }
+        // Check auth status (now accurate after ensureValidToken)
+        authStatus = getAuthStatus(config.sonomaEndpoint);
+        // Fetch policy to check if admin overrides auth mode
+        if (config.sonomaApiKey) {
+            const tempClient = new SonomaClient({
+                endpoint: config.sonomaEndpoint,
+                orgApiKey: config.sonomaApiKey,
+                debug: values.debug,
+            });
+            try {
+                const policy = await tempClient.fetchPolicy();
+                if (values.debug) {
+                    console.error(`[cli] Policy: mode=${policy.mode}, authMode=${policy.gatewayAuthMode}`);
+                }
+                // Admin-set policy overrides MDM config
+                if (policy.gatewayAuthMode) {
+                    requiredAuthMode = policy.gatewayAuthMode;
+                }
             }
-            // Admin-set policy overrides MDM config
-            if (policy.gatewayAuthMode) {
-                requiredAuthMode = policy.gatewayAuthMode;
+            catch (error) {
+                if (values.debug) {
+                    console.error("[cli] Failed to fetch policy:", error);
+                }
+                // Continue anyway - will use MDM config or default
             }
         }
-        catch (error) {
-            if (values.debug) {
-                console.error("[cli] Failed to fetch policy:", error);
-            }
-            // Continue anyway - will use MDM config or default
+        if (values.debug) {
+            console.error(`[cli] Required auth mode: ${requiredAuthMode}`);
         }
-    }
-    if (values.debug) {
-        console.error(`[cli] Required auth mode: ${requiredAuthMode}`);
-    }
-    // Handle authentication based on required mode
-    if (requiredAuthMode === "user_id" && !authStatus.loggedIn) {
-        // User mode: require OAuth login
-        console.error("User authentication required for MCP visibility.");
-        console.error("Opening browser to login...");
-        console.error("");
-        await login({ sonomaEndpoint: config.sonomaEndpoint, debug: values.debug });
-        authStatus = getAuthStatus();
-        if (!authStatus.loggedIn) {
-            console.error("Login required but not completed. Exiting.");
-            process.exit(1);
+        // Handle authentication based on required mode
+        if (requiredAuthMode === "user_id" && !authStatus.loggedIn) {
+            // User mode: require OAuth login
+            console.error("User authentication required for MCP visibility.");
+            console.error("Opening browser to login...");
+            console.error("");
+            await login({ sonomaEndpoint: config.sonomaEndpoint, debug: values.debug });
+            authStatus = getAuthStatus();
+            if (!authStatus.loggedIn) {
+                console.error("Login required but not completed. Exiting.");
+                process.exit(1);
+            }
         }
-    }
-    else if (requiredAuthMode === "org_key" && !config.sonomaApiKey && !authStatus.loggedIn) {
-        // Org key mode but no key available - fall back to OAuth
-        console.error("No API key found. Opening browser to login...");
-        console.error("");
-        await login({ sonomaEndpoint: config.sonomaEndpoint, debug: values.debug });
-        authStatus = getAuthStatus();
-    }
-    if (values.debug) {
-        if (authStatus.loggedIn) {
-            console.error("[cli] Using OAuth token (user-linked telemetry)");
+        else if (requiredAuthMode === "org_key" && !config.sonomaApiKey && !authStatus.loggedIn) {
+            // Org key mode but no key available - fall back to OAuth
+            console.error("No API key found. Opening browser to login...");
+            console.error("");
+            await login({ sonomaEndpoint: config.sonomaEndpoint, debug: values.debug });
+            authStatus = getAuthStatus();
         }
-        else if (config.sonomaApiKey) {
-            console.error("[cli] Using org API key (device-level telemetry)");
+        if (values.debug) {
+            if (authStatus.loggedIn) {
+                console.error("[cli] Using OAuth token (user-linked telemetry)");
+            }
+            else if (config.sonomaApiKey) {
+                console.error("[cli] Using org API key (device-level telemetry)");
+            }
+            else {
+                console.error("[cli] Warning: No authentication available");
+            }
         }
-        else {
-            console.error("[cli] Warning: No authentication available");
+    }
+    else {
+        if (values.debug) {
+            console.error("[cli] No Sonoma endpoint configured - running in offline mode");
         }
     }
     const gateway = new McpGateway(config);
@@ -300,12 +328,18 @@ function printHelp() {
 @sonoma/mcp-gateway - Local MCP Gateway for tool-level visibility
 
 USAGE:
-  npx @sonoma/mcp-gateway [OPTIONS]
+  npx @sonoma-security/mcp-gateway [OPTIONS]
+
+  By default (no arguments), auto-detects config from:
+    - ~/.claude.json (Claude Code CLI)
+    - ~/.cursor/mcp.json (Cursor)
+    - ~/Library/Application Support/Claude/claude_desktop_config.json (Claude Desktop)
+    - ~/.codeium/windsurf/mcp_config.json (Windsurf)
 
 OPTIONS:
   -c, --config <path>      Path to gateway config JSON file
   --mcp-json-path <path>   Read servers from parent MCP config (single-file mode)
-  -a, --auto               Auto-detect Claude Desktop config
+  -a, --auto               Auto-detect Claude Desktop config only
   -d, --debug              Enable debug logging
   -h, --help               Show this help message
   -v, --version            Show version
@@ -314,16 +348,16 @@ AUTH OPTIONS:
   --login               Authenticate with Sonoma (opens browser)
   --logout              Clear stored credentials
   --status              Show authentication status
+  --reauth              Clear upstream OAuth tokens and re-authenticate
   -e, --endpoint <url>  Sonoma API endpoint (default: https://app.sonoma.dev)
 
-SINGLE-FILE CONFIG (recommended):
-  Configure in your Claude Desktop / Cursor config with nested "servers":
+QUICKSTART (zero-config):
+  Add to your ~/.cursor/mcp.json or Claude Desktop config:
   {
     "mcpServers": {
       "sonoma": {
         "command": "npx",
-        "args": ["@sonoma/mcp-gateway", "--mcp-json-path", "~/.cursor/mcp.json"],
-        "env": { "SONOMA_API_KEY": "your-key" },
+        "args": ["@sonoma-security/mcp-gateway"],
         "servers": {
           "filesystem": {
             "command": "npx",
@@ -334,23 +368,18 @@ SINGLE-FILE CONFIG (recommended):
     }
   }
 
-SEPARATE CONFIG FILE:
-  {
-    "servers": [
-      { "name": "filesystem", "command": "npx", "args": ["@modelcontextprotocol/server-filesystem", "/tmp"] }
-    ],
-    "sonomaEndpoint": "https://app.sonoma.dev"
-  }
+  The gateway auto-detects its config location - no --mcp-json-path needed!
+  On first run, it prompts for OAuth login. That's it.
 
 EXAMPLES:
-  # Single-file config (servers nested in Claude Desktop config)
-  npx @sonoma/mcp-gateway --mcp-json-path ~/.cursor/mcp.json
+  # Zero-config (auto-detects ~/.cursor/mcp.json or Claude Desktop)
+  npx @sonoma-security/mcp-gateway
 
-  # Separate config file
-  npx @sonoma/mcp-gateway --config ./my-servers.json
+  # Explicit path (if auto-detect doesn't work)
+  npx @sonoma-security/mcp-gateway --mcp-json-path ~/.cursor/mcp.json
 
-  # Auto-detect Claude Desktop config
-  npx @sonoma/mcp-gateway --auto
+  # Separate config file
+  npx @sonoma-security/mcp-gateway --config ./my-servers.json
 `);
 }
 main().catch((error) => {