@stigg/typescript-mcp 0.1.0-alpha.9 → 0.1.0-beta.1

package/src/http.ts

@@ -4,9 +4,10 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { ClientOptions } from '@stigg/typescript';
 import express from 'express';
-import morgan from 'morgan';
-import morganBody from 'morgan-body';
+import pino from 'pino';
+import pinoHttp from 'pino-http';
 import { getStainlessApiKey, parseClientAuthHeaders } from './auth';
+import { getLogger } from './logger';
 import { McpOptions } from './options';
 import { initMcpServer, newMcpServer } from './server';
 
@@ -22,29 +23,72 @@ const newServer = async ({
   res: express.Response;
 }): Promise<McpServer | null> => {
   const stainlessApiKey = getStainlessApiKey(req, mcpOptions);
-  const server = await newMcpServer(stainlessApiKey);
+  const customInstructionsPath = mcpOptions.customInstructionsPath;
+  const server = await newMcpServer({ stainlessApiKey, customInstructionsPath });
 
-  try {
-    const authOptions = parseClientAuthHeaders(req, false);
+  const authOptions = parseClientAuthHeaders(req, false);
 
-    await initMcpServer({
-      server: server,
-      mcpOptions: mcpOptions,
-      clientOptions: {
-        ...clientOptions,
-        ...authOptions,
-      },
-      stainlessApiKey: stainlessApiKey,
-    });
-  } catch (error) {
-    res.status(401).json({
-      jsonrpc: '2.0',
-      error: {
-        code: -32000,
-        message: `Unauthorized: ${error instanceof Error ? error.message : error}`,
-      },
-    });
-    return null;
+  let upstreamClientEnvs: Record<string, string> | undefined;
+  const clientEnvsHeader = req.headers['x-stainless-mcp-client-envs'];
+  if (typeof clientEnvsHeader === 'string') {
+    try {
+      const parsed = JSON.parse(clientEnvsHeader);
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+        upstreamClientEnvs = parsed;
+      }
+    } catch {
+      // Ignore malformed header
+    }
+  }
+
+  // Parse x-stainless-mcp-client-permissions header to override permission options
+  //
+  // Note: Permissions are best-effort and intended to prevent clients from doing unexpected things;
+  // they're not a hard security boundary, so we allow arbitrary, client-driven overrides.
+  //
+  // See the Stainless MCP documentation for more details.
+  let effectiveMcpOptions = mcpOptions;
+  const clientPermissionsHeader = req.headers['x-stainless-mcp-client-permissions'];
+  if (typeof clientPermissionsHeader === 'string') {
+    try {
+      const parsed = JSON.parse(clientPermissionsHeader);
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+        effectiveMcpOptions = {
+          ...mcpOptions,
+          ...(typeof parsed.allow_http_gets === 'boolean' && { codeAllowHttpGets: parsed.allow_http_gets }),
+          ...(Array.isArray(parsed.allowed_methods) && { codeAllowedMethods: parsed.allowed_methods }),
+          ...(Array.isArray(parsed.blocked_methods) && { codeBlockedMethods: parsed.blocked_methods }),
+        };
+        getLogger().info(
+          { clientPermissions: parsed },
+          'Overriding code execution permissions from x-stainless-mcp-client-permissions header',
+        );
+      }
+    } catch (error) {
+      getLogger().warn({ error }, 'Failed to parse x-stainless-mcp-client-permissions header');
+    }
+  }
+
+  const mcpClientInfo =
+    typeof req.body?.params?.clientInfo?.name === 'string' ?
+      { name: req.body.params.clientInfo.name, version: String(req.body.params.clientInfo.version ?? '') }
+    : undefined;
+
+  await initMcpServer({
+    server: server,
+    mcpOptions: effectiveMcpOptions,
+    clientOptions: {
+      ...clientOptions,
+      ...authOptions,
+    },
+    stainlessApiKey: stainlessApiKey,
+    upstreamClientEnvs,
+    mcpSessionId: (req as any).mcpSessionId,
+    mcpClientInfo,
+  });
+
+  if (mcpClientInfo) {
+    getLogger().info({ mcpSessionId: (req as any).mcpSessionId, mcpClientInfo }, 'MCP client connected');
   }
 
   return server;
@@ -81,29 +125,74 @@ const del = async (req: express.Request, res: express.Response) => {
   });
 };
 
+const redactHeaders = (headers: Record<string, any>) => {
+  const hiddenHeaders = /auth|cookie|key|token|x-stainless-mcp-client-envs/i;
+  const filtered = { ...headers };
+  Object.keys(filtered).forEach((key) => {
+    if (hiddenHeaders.test(key)) {
+      filtered[key] = '[REDACTED]';
+    }
+  });
+  return filtered;
+};
+
 export const streamableHTTPApp = ({
   clientOptions = {},
   mcpOptions,
-  debug,
 }: {
   clientOptions?: ClientOptions;
   mcpOptions: McpOptions;
-  debug: boolean;
 }): express.Express => {
   const app = express();
   app.set('query parser', 'extended');
   app.use(express.json());
-
-  if (debug) {
-    morganBody(app, {
-      logAllReqHeader: true,
-      logAllResHeader: true,
-      logRequestBody: true,
-      logResponseBody: true,
-    });
-  } else {
-    app.use(morgan('combined'));
-  }
+  app.use((req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const existing = req.headers['mcp-session-id'];
+    const sessionId = (Array.isArray(existing) ? existing[0] : existing) || crypto.randomUUID();
+    (req as any).mcpSessionId = sessionId;
+    const origWriteHead = res.writeHead.bind(res);
+    res.writeHead = function (statusCode: number, ...rest: any[]) {
+      res.setHeader('mcp-session-id', sessionId);
+      return origWriteHead(statusCode, ...rest);
+    } as typeof res.writeHead;
+    next();
+  });
+  app.use(
+    pinoHttp({
+      logger: getLogger(),
+      customProps: (req) => ({
+        mcpSessionId: (req as any).mcpSessionId,
+      }),
+      customLogLevel: (req, res) => {
+        if (res.statusCode >= 500) {
+          return 'error';
+        } else if (res.statusCode >= 400) {
+          return 'warn';
+        }
+        return 'info';
+      },
+      customSuccessMessage: function (req, res) {
+        return `Request ${req.method} to ${req.url} completed with status ${res.statusCode}`;
+      },
+      customErrorMessage: function (req, res, err) {
+        return `Request ${req.method} to ${req.url} errored with status ${res.statusCode}`;
+      },
+      serializers: {
+        req: pino.stdSerializers.wrapRequestSerializer((req) => {
+          return {
+            ...req,
+            headers: redactHeaders(req.raw.headers),
+          };
+        }),
+        res: pino.stdSerializers.wrapResponseSerializer((res) => {
+          return {
+            ...res,
+            headers: redactHeaders(res.headers),
+          };
+        }),
+      },
+    }),
+  );
 
   app.get('/health', async (req: express.Request, res: express.Response) => {
     res.status(200).send('OK');
@@ -117,22 +206,22 @@ export const streamableHTTPApp = ({
 
 export const launchStreamableHTTPServer = async ({
   mcpOptions,
-  debug,
   port,
 }: {
   mcpOptions: McpOptions;
-  debug: boolean;
   port: number | string | undefined;
 }) => {
-  const app = streamableHTTPApp({ mcpOptions, debug });
+  const app = streamableHTTPApp({ mcpOptions });
   const server = app.listen(port);
   const address = server.address();
 
+  const logger = getLogger();
+
   if (typeof address === 'string') {
-    console.error(`MCP Server running on streamable HTTP at ${address}`);
+    logger.info(`MCP Server running on streamable HTTP at ${address}`);
   } else if (address !== null) {
-    console.error(`MCP Server running on streamable HTTP on port ${address.port}`);
+    logger.info(`MCP Server running on streamable HTTP on port ${address.port}`);
   } else {
-    console.error(`MCP Server running on streamable HTTP on port ${port}`);
+    logger.info(`MCP Server running on streamable HTTP on port ${port}`);
   }
 };

package/src/index.ts

@@ -5,15 +5,20 @@ import { McpOptions, parseCLIOptions } from './options';
 import { launchStdioServer } from './stdio';
 import { launchStreamableHTTPServer } from './http';
 import type { McpTool } from './types';
+import { configureLogger, getLogger } from './logger';
 
 async function main() {
   const options = parseOptionsOrError();
+  configureLogger({
+    level: options.debug ? 'debug' : 'info',
+    pretty: options.logFormat === 'pretty',
+  });
 
   const selectedTools = await selectToolsOrError(options);
 
-  console.error(
-    `MCP Server starting with ${selectedTools.length} tools:`,
-    selectedTools.map((e) => e.tool.name),
+  getLogger().info(
+    { tools: selectedTools.map((e) => e.tool.name) },
+    `MCP Server starting with ${selectedTools.length} tools`,
   );
 
   switch (options.transport) {
@@ -23,8 +28,7 @@ async function main() {
     case 'http':
       await launchStreamableHTTPServer({
         mcpOptions: options,
-        debug: options.debug,
-        port: options.port ?? options.socket,
+        port: options.socket ?? options.port,
       });
       break;
   }
@@ -32,7 +36,8 @@ async function main() {
 
 if (require.main === module) {
   main().catch((error) => {
-    console.error('Fatal error in main():', error);
+    // Logger might not be initialized yet
+    console.error('Fatal error in main()', error);
     process.exit(1);
   });
 }
@@ -41,7 +46,8 @@ function parseOptionsOrError() {
   try {
     return parseCLIOptions();
   } catch (error) {
-    console.error('Error parsing options:', error);
+    // Logger is initialized after options, so use console.error here
+    console.error('Error parsing options', error);
     process.exit(1);
   }
 }
@@ -50,16 +56,12 @@ async function selectToolsOrError(options: McpOptions): Promise<McpTool[]> {
   try {
     const includedTools = selectTools(options);
     if (includedTools.length === 0) {
-      console.error('No tools match the provided filters.');
+      getLogger().error('No tools match the provided filters');
       process.exit(1);
     }
     return includedTools;
   } catch (error) {
-    if (error instanceof Error) {
-      console.error('Error filtering tools:', error.message);
-    } else {
-      console.error('Error filtering tools:', error);
-    }
+    getLogger().error({ error }, 'Error filtering tools');
     process.exit(1);
   }
 }

package/src/instructions.ts

@@ -0,0 +1,83 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+import fs from 'fs/promises';
+import { getLogger } from './logger';
+import { readEnv } from './util';
+
+const INSTRUCTIONS_CACHE_TTL_MS = 15 * 60 * 1000; // 15 minutes
+
+interface InstructionsCacheEntry {
+  fetchedInstructions: string;
+  fetchedAt: number;
+}
+
+const instructionsCache = new Map<string, InstructionsCacheEntry>();
+
+export async function getInstructions({
+  stainlessApiKey,
+  customInstructionsPath,
+}: {
+  stainlessApiKey?: string | undefined;
+  customInstructionsPath?: string | undefined;
+}): Promise<string> {
+  const now = Date.now();
+  const cacheKey = customInstructionsPath ?? stainlessApiKey ?? '';
+  const cached = instructionsCache.get(cacheKey);
+
+  if (cached && now - cached.fetchedAt <= INSTRUCTIONS_CACHE_TTL_MS) {
+    return cached.fetchedInstructions;
+  }
+
+  // Evict stale entries so the cache doesn't grow unboundedly.
+  for (const [key, entry] of instructionsCache) {
+    if (now - entry.fetchedAt > INSTRUCTIONS_CACHE_TTL_MS) {
+      instructionsCache.delete(key);
+    }
+  }
+
+  let fetchedInstructions: string;
+
+  if (customInstructionsPath) {
+    fetchedInstructions = await fetchLatestInstructionsFromFile(customInstructionsPath);
+  } else {
+    fetchedInstructions = await fetchLatestInstructionsFromApi(stainlessApiKey);
+  }
+
+  instructionsCache.set(cacheKey, { fetchedInstructions, fetchedAt: now });
+  return fetchedInstructions;
+}
+
+async function fetchLatestInstructionsFromFile(path: string): Promise<string> {
+  try {
+    return await fs.readFile(path, 'utf-8');
+  } catch (error) {
+    getLogger().error({ error, path }, 'Error fetching instructions from file');
+    throw error;
+  }
+}
+
+async function fetchLatestInstructionsFromApi(stainlessApiKey: string | undefined): Promise<string> {
+  // Setting the stainless API key is optional, but may be required
+  // to authenticate requests to the Stainless API.
+  const response = await fetch(
+    readEnv('CODE_MODE_INSTRUCTIONS_URL') ?? 'https://api.stainless.com/api/ai/instructions/stigg',
+    {
+      method: 'GET',
+      headers: { ...(stainlessApiKey && { Authorization: stainlessApiKey }) },
+    },
+  );
+
+  let instructions: string | undefined;
+  if (!response.ok) {
+    getLogger().warn(
+      'Warning: failed to retrieve MCP server instructions. Proceeding with default instructions...',
+    );
+
+    instructions =
+      '\n  This is the stigg MCP server.\n\n  Available tools:\n  - search_docs: Search SDK documentation to find the right methods and parameters.\n  - execute: Run TypeScript code against a pre-authenticated SDK client. Define an async run(client) function.\n\n  Workflow:\n  - If unsure about the API, call search_docs first.\n  - Write complete solutions in a single execute call when possible. For large datasets, use API filters to narrow results or paginate within a single execute block.\n  - If execute returns an error, read the error and fix your code rather than retrying the same approach.\n  - Variables do not persist between execute calls. Return or log all data you need.\n  - Individual HTTP requests to the API have a 30-second timeout. If a request times out, try a smaller query or add filters.\n  - Code execution has a total timeout of approximately 5 minutes. If your code times out, simplify it or break it into smaller steps.\n  ';
+  }
+
+  instructions ??= ((await response.json()) as { instructions: string }).instructions;
+
+  return instructions;
+}