@soundbi/sound-connect 0.1.0

package/dist/auth.js

@@ -0,0 +1,211 @@
+/**
+ * MSAL authentication module for the Sound Connect bridge (STORY-007, ADR-003, ADR-010).
+ *
+ * Implements:
+ *   - Device-code flow login (public client, Sound BI tenant)
+ *   - Keytar-backed OS-protected token cache (DPAPI on Windows, Keychain on macOS)
+ *   - Silent token acquisition with NO interactive fallback (STORY-010, ADR-011)
+ *   - Logout (clears cached token)
+ *
+ * ADR-010: MSAL token cache is stored ONLY in the OS credential store — never plaintext on disk.
+ * ADR-011: Fails closed — never silently proceeds unauthenticated.
+ *
+ * STORY-010: acquireTokenSilent() does NOT fall back to device-code flow when called from
+ * the MCP server process. The device-code prompt is invisible from a Claude-spawned stdio
+ * process — triggering it causes a silent hang. Instead, return null so tool calls can
+ * return a clear, actionable message directing the user to the separate `login` terminal
+ * command.
+ */
+import { PublicClientApplication, InteractionRequiredAuthError, } from '@azure/msal-node';
+import keytar from 'keytar';
+// ── Constants ──────────────────────────────────────────────────────────────────
+/** Sound BI tenant ID (ADR-003) */
+export const TENANT_ID = '2536810f-20e1-4911-a453-4409fd96db8a';
+/**
+ * Entra client ID for the Sound Connect bridge public client application.
+ * This must be created in the Sound BI tenant via app registration (ADR-003).
+ * Sourced from env SC_ENTRA_CLIENT_ID to allow override in tests / multiple environments.
+ * IMPORTANT: The actual clientId must be set before publishing. The default is a placeholder
+ * that will fail until replaced with a real app registration's client ID.
+ */
+export const CLIENT_ID = process.env['SC_ENTRA_CLIENT_ID'] ?? 'sound-connect-bridge-placeholder';
+/** OAuth scopes requested — openid/profile/offline_access + the backend API audience */
+export const DEFAULT_SCOPES = [
+    'openid',
+    'profile',
+    'offline_access',
+    // The backend API audience. Peers must have been granted access to this scope in the Entra app.
+    // Overridable via SC_AUTH_SCOPE for test environments.
+    process.env['SC_AUTH_SCOPE'] ?? 'api://sound-connect/.default',
+];
+/** Keytar service name — all entries for this bridge are grouped under this service */
+const KEYTAR_SERVICE = 'sound-connect-bridge';
+/** Keytar account key for the serialised MSAL cache blob */
+const KEYTAR_ACCOUNT_CACHE = 'msal-token-cache';
+// ── Keytar-backed MSAL cache plugin (ADR-010) ─────────────────────────────────
+/**
+ * Implements MSAL's ICachePlugin using the OS credential store (keytar).
+ * On Windows: DPAPI-encrypted credential store.
+ * On macOS: Keychain.
+ * On Linux: libsecret / kwallet.
+ *
+ * The cache is a JSON blob serialised by MSAL and stored as a single password entry.
+ * This means the token never touches a plaintext file (ADR-010 requirement).
+ */
+function buildKeytarCachePlugin() {
+    return {
+        async beforeCacheAccess(context) {
+            const serialised = await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT_CACHE);
+            if (serialised) {
+                context.tokenCache.deserialize(serialised);
+            }
+        },
+        async afterCacheAccess(context) {
+            if (context.cacheHasChanged) {
+                const serialised = context.tokenCache.serialize();
+                await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT_CACHE, serialised);
+            }
+        },
+    };
+}
+// ── MSAL public client factory ────────────────────────────────────────────────
+/**
+ * Constructs a MSAL PublicClientApplication bound to the Sound BI tenant.
+ * Cache is wired to keytar so tokens survive process restarts.
+ */
+export function buildMsalClient(cachePlugin) {
+    const config = {
+        auth: {
+            clientId: CLIENT_ID,
+            authority: `https://login.microsoftonline.com/${TENANT_ID}`,
+        },
+        cache: {
+            cachePlugin: cachePlugin ?? buildKeytarCachePlugin(),
+        },
+        system: {
+            // Suppress MSAL's internal logger noise to stderr by default.
+            // Set SC_MSAL_LOG_LEVEL=3 for verbose MSAL tracing when debugging.
+            loggerOptions: {
+                loggerCallback: (level, message, containsPii) => {
+                    if (containsPii)
+                        return; // never log PII
+                    const msalLogLevel = parseInt(process.env['SC_MSAL_LOG_LEVEL'] ?? '0', 10);
+                    if (level <= msalLogLevel) {
+                        process.stderr.write(`[msal] ${message}\n`);
+                    }
+                },
+                piiLoggingEnabled: false,
+            },
+        },
+    };
+    return new PublicClientApplication(config);
+}
+// ── Login (device-code flow) — TERMINAL ONLY (STORY-010) ─────────────────────
+/**
+ * Run the MSAL device-code flow.
+ *
+ * IMPORTANT (STORY-010, ADR-011): This function MUST be called only from the
+ * standalone `login` terminal subcommand — never from the MCP server path.
+ * stdout from a Claude-spawned stdio process is not reliably visible to the user,
+ * so a device-code prompt there would cause a silent hang.
+ *
+ * Prints the verification URL + user code to stdout in a human-readable format
+ * that is easy to copy from any terminal.
+ *
+ * On success returns the AuthenticationResult (contains access_token, account, etc.).
+ * On failure throws — caller is responsible for presenting the error.
+ */
+export async function login() {
+    const pca = buildMsalClient();
+    process.stdout.write('\n=== Sound Connect — Sign In ===\n\n');
+    const result = await pca.acquireTokenByDeviceCode({
+        scopes: DEFAULT_SCOPES,
+        deviceCodeCallback: (response) => {
+            process.stdout.write(`To sign in, open the following URL in a browser:\n\n`);
+            process.stdout.write(`  ${response.verificationUri}\n\n`);
+            process.stdout.write(`Then enter the code: ${response.userCode}\n\n`);
+            process.stdout.write(`Waiting for authentication...\n`);
+        },
+    });
+    if (!result) {
+        throw new Error('Device-code flow returned no token. Try again.');
+    }
+    const displayName = result.account?.username ?? result.account?.name ?? 'unknown';
+    process.stdout.write(`\nSigned in as: ${displayName}\n`);
+    process.stdout.write(`Token cached securely in the OS credential store.\n\n`);
+    return result;
+}
+// ── Silent token acquisition (MCP server path) ────────────────────────────────
+/**
+ * Attempt to acquire a token silently using the cached account.
+ *
+ * Returns null in any of these cases (caller must surface an actionable message):
+ *   - No cached accounts (user has never logged in, or has run `logout`)
+ *   - InteractionRequiredAuthError (refresh token expired / re-consent needed)
+ *
+ * STORY-010: This function deliberately does NOT fall back to device-code login.
+ * If the user needs to re-authenticate, they must run `npx @soundbi/sound-connect login`
+ * in a terminal — never from the MCP server process where stdout is invisible.
+ *
+ * On token expiry + successful silent refresh: returns a fresh AuthenticationResult.
+ * On any auth error that requires user interaction: returns null (fail closed, ADR-011).
+ */
+export async function acquireTokenSilent() {
+    const pca = buildMsalClient();
+    const accounts = await pca.getAllAccounts();
+    if (accounts.length === 0) {
+        return null;
+    }
+    // Use the first account (ADR-005: one client per bridge instance → one account).
+    const account = accounts[0];
+    try {
+        return await pca.acquireTokenSilent({
+            scopes: DEFAULT_SCOPES,
+            account,
+        });
+    }
+    catch (err) {
+        // MSAL throws InteractionRequiredAuthError when the refresh token has expired
+        // or the user needs to re-consent.
+        //
+        // STORY-010: We do NOT fall back to device-code here. Return null so the
+        // caller (MCP server) can surface the actionable "run login in a terminal" message.
+        if (err instanceof InteractionRequiredAuthError ||
+            (err instanceof Error && (err.message.includes('interaction_required') ||
+                err.message.includes('AADSTS')))) {
+            process.stderr.write('[sound-connect] Refresh token expired — run `npx @soundbi/sound-connect login` ' +
+                'in a terminal to re-authenticate.\n');
+            return null;
+        }
+        throw err;
+    }
+}
+// ── Logout ─────────────────────────────────────────────────────────────────────
+/**
+ * Clears the cached MSAL token from the OS credential store.
+ *
+ * After this call, `acquireTokenSilent()` will return null.
+ */
+export async function logout() {
+    // Remove the raw keytar entry — this is the OS-protected blob.
+    const deleted = await keytar.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT_CACHE);
+    if (!deleted) {
+        // Not an error — already logged out.
+        process.stdout.write('No stored credentials found. Already signed out.\n');
+        return;
+    }
+    process.stdout.write('Signed out. Token cleared from the OS credential store.\n');
+}
+// ── Helpers ────────────────────────────────────────────────────────────────────
+/**
+ * Returns true if a cached account exists (i.e. the user has logged in and
+ * the refresh token has not been explicitly deleted via logout).
+ *
+ * Does NOT validate that the token is still accepted by the backend.
+ */
+export async function hasStoredAccount() {
+    const pca = buildMsalClient();
+    const accounts = await pca.getAllAccounts();
+    return accounts.length > 0;
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EACL,uBAAuB,EAKvB,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,kFAAkF;AAElF,mCAAmC;AACnC,MAAM,CAAC,MAAM,SAAS,GAAG,sCAAsC,CAAC;AAEhE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,kCAAkC,CAAC;AAEjG,wFAAwF;AACxF,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,QAAQ;IACR,SAAS;IACT,gBAAgB;IAChB,gGAAgG;IAChG,uDAAuD;IACvD,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,8BAA8B;CAC/D,CAAC;AAEF,uFAAuF;AACvF,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAE9C,4DAA4D;AAC5D,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AAEhD,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,SAAS,sBAAsB;IAC7B,OAAO;QACL,KAAK,CAAC,iBAAiB,CAAC,OAAO;YAC7B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAAC;YAClF,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,KAAK,CAAC,gBAAgB,CAAC,OAAO;YAC5B,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;gBAClD,MAAM,MAAM,CAAC,WAAW,CAAC,cAAc,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,WAA0B;IACxD,MAAM,MAAM,GAAkB;QAC5B,IAAI,EAAE;YACJ,QAAQ,EAAE,SAAS;YACnB,SAAS,EAAE,qCAAqC,SAAS,EAAE;SAC5D;QACD,KAAK,EAAE;YACL,WAAW,EAAE,WAAW,IAAI,sBAAsB,EAAE;SACrD;QACD,MAAM,EAAE;YACN,8DAA8D;YAC9D,mEAAmE;YACnE,aAAa,EAAE;gBACb,cAAc,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;oBAC9C,IAAI,WAAW;wBAAE,OAAO,CAAC,gBAAgB;oBACzC,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;oBAC3E,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;wBAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,OAAO,IAAI,CAAC,CAAC;oBAC9C,CAAC;gBACH,CAAC;gBACD,iBAAiB,EAAE,KAAK;aACzB;SACF;KACF,CAAC;IAEF,OAAO,IAAI,uBAAuB,CAAC,MAAM,CAAC,CAAC;AAC7C,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK;IACzB,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC;IAE9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAE9D,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,wBAAwB,CAAC;QAChD,MAAM,EAAE,cAAc;QACtB,kBAAkB,EAAE,CAAC,QAAQ,EAAE,EAAE;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAC7E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,CAAC,eAAe,MAAM,CAAC,CAAC;YAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,MAAM,CAAC,CAAC;YACtE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QAC1D,CAAC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,EAAE,QAAQ,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,SAAS,CAAC;IAClF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,WAAW,IAAI,CAAC,CAAC;IACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAE9E,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,cAAc,EAAE,CAAC;IAE5C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iFAAiF;IACjF,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAgB,CAAC;IAE3C,IAAI,CAAC;QACH,OAAO,MAAM,GAAG,CAAC,kBAAkB,CAAC;YAClC,MAAM,EAAE,cAAc;YACtB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,8EAA8E;QAC9E,mCAAmC;QACnC,EAAE;QACF,yEAAyE;QACzE,oFAAoF;QACpF,IACE,GAAG,YAAY,4BAA4B;YAC3C,CAAC,GAAG,YAAY,KAAK,IAAI,CACvB,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;gBAC5C,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAC/B,CAAC,EACF,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iFAAiF;gBACjF,qCAAqC,CACtC,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,kFAAkF;AAElF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM;IAC1B,+DAA+D;IAC/D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAAC;IAElF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;QAC3E,OAAO;IACT,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;AACpF,CAAC;AAED,kFAAkF;AAElF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,GAAG,GAAG,eAAe,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,cAAc,EAAE,CAAC;IAC5C,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7B,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Config loader for the Sound Connect bridge (STORY-006, STORY-009, ADR-002, ADR-005, ADR-008).
+ *
+ * Resolution order (first wins):
+ *   1. CLI args: --backend-url <url> --client-slug <slug>
+ *   2. Env vars: SC_BACKEND_URL, SC_CLIENT_SLUG
+ *   3. .mcp.json `env` block (already in process.env when Claude Code launches the process)
+ *
+ * In practice, Claude Code injects the `env` block from .mcp.json into the process
+ * environment before spawning, so order 2 and 3 are the same mechanism.
+ *
+ * ADR-005 / STORY-009: The client slug is fixed at process start. There is NO tool or
+ * runtime command to switch clients in-session. A peer working N clients configures N
+ * bridge entries (one per workspace / .mcp.json entry).
+ */
+export interface BridgeConfig {
+    /** Base URL of the Sound Connect backend, e.g. https://my-client-forge.azurecontainerapps.io */
+    backendUrl: string;
+    /**
+     * Bound client slug for this bridge instance, e.g. "beacon" (ADR-005: one client per instance).
+     * Must be 3–50 chars, lowercase alphanumeric and hyphens only, no leading/trailing hyphens.
+     * Fixed at process start — cannot be changed in-session.
+     */
+    clientSlug: string;
+}
+/**
+ * Slug validation rule — mirrors the server-side constraint in registry.ts.
+ * 3–50 chars, lowercase alphanumeric and hyphens, no leading/trailing hyphens.
+ *
+ * STORY-009 AC2: if the bound slug is missing or does not match this pattern,
+ * the bridge refuses to start with a clear error.
+ */
+export declare const SLUG_PATTERN: RegExp;
+export declare function loadConfig(argv?: string[]): BridgeConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,YAAY;IAC3B,gGAAgG;IAChG,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,QAAsC,CAAC;AAchE,wBAAgB,UAAU,CAAC,IAAI,GAAE,MAAM,EAA0B,GAAG,YAAY,CA2C/E"}

package/dist/config.js

@@ -0,0 +1,66 @@
+/**
+ * Config loader for the Sound Connect bridge (STORY-006, STORY-009, ADR-002, ADR-005, ADR-008).
+ *
+ * Resolution order (first wins):
+ *   1. CLI args: --backend-url <url> --client-slug <slug>
+ *   2. Env vars: SC_BACKEND_URL, SC_CLIENT_SLUG
+ *   3. .mcp.json `env` block (already in process.env when Claude Code launches the process)
+ *
+ * In practice, Claude Code injects the `env` block from .mcp.json into the process
+ * environment before spawning, so order 2 and 3 are the same mechanism.
+ *
+ * ADR-005 / STORY-009: The client slug is fixed at process start. There is NO tool or
+ * runtime command to switch clients in-session. A peer working N clients configures N
+ * bridge entries (one per workspace / .mcp.json entry).
+ */
+/**
+ * Slug validation rule — mirrors the server-side constraint in registry.ts.
+ * 3–50 chars, lowercase alphanumeric and hyphens, no leading/trailing hyphens.
+ *
+ * STORY-009 AC2: if the bound slug is missing or does not match this pattern,
+ * the bridge refuses to start with a clear error.
+ */
+export const SLUG_PATTERN = /^[a-z0-9][a-z0-9-]{1,48}[a-z0-9]$/;
+function parseArgs(argv) {
+    const result = {};
+    for (let i = 0; i < argv.length; i++) {
+        if (argv[i] === '--backend-url' && argv[i + 1]) {
+            result.backendUrl = argv[++i];
+        }
+        else if (argv[i] === '--client-slug' && argv[i + 1]) {
+            result.clientSlug = argv[++i];
+        }
+    }
+    return result;
+}
+export function loadConfig(argv = process.argv.slice(2)) {
+    const fromArgs = parseArgs(argv);
+    const backendUrl = fromArgs.backendUrl ??
+        process.env['SC_BACKEND_URL'] ??
+        '';
+    const clientSlug = fromArgs.clientSlug ??
+        process.env['SC_CLIENT_SLUG'] ??
+        '';
+    if (!backendUrl) {
+        throw new Error('SC_BACKEND_URL is required. Set it via --backend-url <url>, ' +
+            'the SC_BACKEND_URL env var, or the env block in .mcp.json / claude_desktop_config.json.');
+    }
+    if (!clientSlug) {
+        throw new Error('SC_CLIENT_SLUG is required. Set it via --client-slug <slug>, ' +
+            'the SC_CLIENT_SLUG env var, or the env block in .mcp.json / claude_desktop_config.json.');
+    }
+    // STORY-009 AC2: Validate slug format. Mirrors the server-side constraint so a
+    // malformed slug is caught locally with a clear message rather than getting a
+    // cryptic 404/403 from the backend later.
+    if (!SLUG_PATTERN.test(clientSlug)) {
+        throw new Error(`SC_CLIENT_SLUG "${clientSlug}" is invalid. ` +
+            'Must be 3–50 chars, lowercase alphanumeric and hyphens only, no leading/trailing hyphens. ' +
+            'Example: "beacon" or "eye-south".');
+    }
+    // Normalise: strip trailing slash so every URL join is consistent.
+    return {
+        backendUrl: backendUrl.replace(/\/+$/, ''),
+        clientSlug,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAaH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,mCAAmC,CAAC;AAEhE,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,MAAM,GAA0B,EAAE,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,eAAe,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC/C,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAChC,CAAC;aAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,eAAe,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAiB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAEjC,MAAM,UAAU,GACd,QAAQ,CAAC,UAAU;QACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAC7B,EAAE,CAAC;IAEL,MAAM,UAAU,GACd,QAAQ,CAAC,UAAU;QACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAC7B,EAAE,CAAC;IAEL,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,8DAA8D;YAC9D,yFAAyF,CAC1F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,+DAA+D;YAC/D,yFAAyF,CAC1F,CAAC;IACJ,CAAC;IAED,+EAA+E;IAC/E,8EAA8E;IAC9E,0CAA0C;IAC1C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,mBAAmB,UAAU,gBAAgB;YAC7C,4FAA4F;YAC5F,mCAAmC,CACpC,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,OAAO;QACL,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QAC1C,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+/**
+ * Sound Connect Bridge — entry point (STORY-006, STORY-007, STORY-010, ADR-002, ADR-008).
+ *
+ * Routes to:
+ *   - `login`  subcommand → device-code Entra login (STORY-007, ADR-003)
+ *   - `logout` subcommand → clear OS credential store (STORY-007, ADR-010)
+ *   - (default) → stdio MCP server (STORY-006)
+ *
+ * STORY-010 / ADR-011: The `login` subcommand is intentionally SEPARATE from the MCP
+ * server path. Claude spawns the MCP server with stdout used for the MCP framing
+ * protocol — a device-code prompt written to stdout there is invisible, causing a
+ * silent hang. Run `npx @soundbi/sound-connect login` from a terminal BEFORE starting
+ * Claude. The MCP server detects the missing token and returns a clear, actionable
+ * error on every tool call instead of blocking.
+ *
+ * Usage:
+ *   npx @soundbi/sound-connect login          # sign in once (terminal only)
+ *   npx @soundbi/sound-connect logout         # clear stored token
+ *   SC_BACKEND_URL=https://... SC_CLIENT_SLUG=beacon npx @soundbi/sound-connect
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG"}

package/dist/index.js

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+/**
+ * Sound Connect Bridge — entry point (STORY-006, STORY-007, STORY-010, ADR-002, ADR-008).
+ *
+ * Routes to:
+ *   - `login`  subcommand → device-code Entra login (STORY-007, ADR-003)
+ *   - `logout` subcommand → clear OS credential store (STORY-007, ADR-010)
+ *   - (default) → stdio MCP server (STORY-006)
+ *
+ * STORY-010 / ADR-011: The `login` subcommand is intentionally SEPARATE from the MCP
+ * server path. Claude spawns the MCP server with stdout used for the MCP framing
+ * protocol — a device-code prompt written to stdout there is invisible, causing a
+ * silent hang. Run `npx @soundbi/sound-connect login` from a terminal BEFORE starting
+ * Claude. The MCP server detects the missing token and returns a clear, actionable
+ * error on every tool call instead of blocking.
+ *
+ * Usage:
+ *   npx @soundbi/sound-connect login          # sign in once (terminal only)
+ *   npx @soundbi/sound-connect logout         # clear stored token
+ *   SC_BACKEND_URL=https://... SC_CLIENT_SLUG=beacon npx @soundbi/sound-connect
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { loadConfig } from './config.js';
+import { registerBridgeTools } from './tools.js';
+import { login, logout, acquireTokenSilent } from './auth.js';
+// ── Subcommand dispatch ────────────────────────────────────────────────────────
+const subcommand = process.argv[2];
+if (subcommand === 'login') {
+    // Device-code login — interactive CLI flow, not the MCP server.
+    // STORY-010: This is the ONLY place login() may be called.
+    login()
+        .then(() => process.exit(0))
+        .catch((err) => {
+        process.stderr.write(`[sound-connect] Login failed: ${err.message}\n`);
+        process.exit(1);
+    });
+}
+else if (subcommand === 'logout') {
+    // Clear OS credential store.
+    logout()
+        .then(() => process.exit(0))
+        .catch((err) => {
+        process.stderr.write(`[sound-connect] Logout failed: ${err.message}\n`);
+        process.exit(1);
+    });
+}
+else {
+    // Default: start the stdio MCP server.
+    startMcpServer().catch((err) => {
+        process.stderr.write(`[sound-connect] Fatal: ${err.message}\n`);
+        process.exit(1);
+    });
+}
+// ── MCP server (STORY-006, STORY-010) ─────────────────────────────────────────
+async function startMcpServer() {
+    // Config errors go to stderr (not stdout — that belongs to the MCP protocol).
+    let config;
+    try {
+        config = loadConfig();
+    }
+    catch (err) {
+        process.stderr.write(`[sound-connect] Config error: ${err.message}\n`);
+        process.exit(1);
+    }
+    // STORY-010 / ADR-011: Check for a valid cached token at startup.
+    // acquireTokenSilent() never triggers device-code flow — it returns null if the
+    // user is not signed in or the refresh token has expired. Tool calls will surface
+    // an actionable message rather than hanging on an invisible prompt.
+    let isAuthenticated = false;
+    try {
+        const tokenResult = await acquireTokenSilent();
+        isAuthenticated = tokenResult !== null;
+    }
+    catch {
+        // Any unexpected error during token check → treat as unauthenticated (fail closed).
+        process.stderr.write('[sound-connect] Token check failed — proceeding unauthenticated.\n');
+    }
+    if (!isAuthenticated) {
+        process.stderr.write('[sound-connect] Not signed in. Run `npx @soundbi/sound-connect login` in a ' +
+            'terminal to authenticate, then restart Claude.\n');
+    }
+    const server = new McpServer({
+        name: `sound-connect [${config.clientSlug}]`,
+        version: '0.1.0',
+    });
+    registerBridgeTools(server, config, isAuthenticated);
+    const transport = new StdioServerTransport();
+    // Log startup info to stderr only — stdout is the MCP framing channel.
+    process.stderr.write(`[sound-connect] Starting bridge for client "${config.clientSlug}" ` +
+        `→ ${config.backendUrl} (authenticated: ${isAuthenticated})\n`);
+    await server.connect(transport);
+    // Keep process alive until stdin closes (the MCP client disconnects).
+    // StdioServerTransport reads from stdin; when it closes, the process can exit.
+    process.stdin.on('close', () => {
+        process.stderr.write('[sound-connect] stdin closed, shutting down.\n');
+        process.exit(0);
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAE9D,kFAAkF;AAElF,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;IAC3B,gEAAgE;IAChE,2DAA2D;IAC3D,KAAK,EAAE;SACJ,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SAC3B,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAkC,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;QAClF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC;KAAM,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;IACnC,6BAA6B;IAC7B,MAAM,EAAE;SACL,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SAC3B,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAmC,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC;KAAM,CAAC;IACN,uCAAuC;IACvC,cAAc,EAAE,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA2B,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,iFAAiF;AAEjF,KAAK,UAAU,cAAc;IAC3B,8EAA8E;IAC9E,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,UAAU,EAAE,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAkC,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC;QAClF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,kEAAkE;IAClE,gFAAgF;IAChF,kFAAkF;IAClF,oEAAoE;IACpE,IAAI,eAAe,GAAG,KAAK,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,kBAAkB,EAAE,CAAC;QAC/C,eAAe,GAAG,WAAW,KAAK,IAAI,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,oFAAoF;QACpF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;IAC7F,CAAC;IAED,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6EAA6E;YAC7E,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,kBAAkB,MAAM,CAAC,UAAU,GAAG;QAC5C,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAErD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAE7C,uEAAuE;IACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,+CAA+C,MAAM,CAAC,UAAU,IAAI;QACpE,KAAK,MAAM,CAAC,UAAU,oBAAoB,eAAe,KAAK,CAC/D,CAAC;IAEF,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,sEAAsE;IACtE,+EAA+E;IAC/E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}