@studiometa/forge-mcp 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/auth.d.ts +12 -1
  2. package/dist/auth.d.ts.map +1 -1
  3. package/dist/auth.js +19 -1
  4. package/dist/auth.js.map +1 -1
  5. package/dist/crypto.d.ts +56 -0
  6. package/dist/crypto.d.ts.map +1 -0
  7. package/dist/crypto.js +110 -0
  8. package/dist/crypto.js.map +1 -0
  9. package/dist/{http-BMOiJdyw.js → http-CK8WsamV.js} +16 -4
  10. package/dist/http-CK8WsamV.js.map +1 -0
  11. package/dist/http.d.ts +1 -1
  12. package/dist/http.d.ts.map +1 -1
  13. package/dist/http.js +2 -2
  14. package/dist/index.js +1 -1
  15. package/dist/oauth.d.ts +118 -0
  16. package/dist/oauth.d.ts.map +1 -0
  17. package/dist/oauth.js +571 -0
  18. package/dist/oauth.js.map +1 -0
  19. package/dist/server.d.ts +24 -6
  20. package/dist/server.d.ts.map +1 -1
  21. package/dist/server.js +33 -9
  22. package/dist/server.js.map +1 -1
  23. package/dist/{version-D3OFS3DQ.js → version-BTMdX8xQ.js} +2 -2
  24. package/dist/{version-D3OFS3DQ.js.map → version-BTMdX8xQ.js.map} +1 -1
  25. package/package.json +9 -1
  26. package/dist/http-BMOiJdyw.js.map +0 -1
package/dist/server.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AAUtD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qDAAqD;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,GAAE,MAAqB,EAC3B,IAAI,GAAE,MAAqB,EAC3B,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,MAAM,CAAC,CA8CjB"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AAUtD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qDAAqD;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,GAAE,MAAqB,EAC3B,IAAI,GAAE,MAAqB,EAC3B,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,MAAM,CAAC,CAoDjB"}
package/dist/server.js CHANGED
@@ -1,29 +1,47 @@
1
1
  #!/usr/bin/env node
2
2
  import { t as parseReadOnlyFlag } from "./flags-LFbdErsZ.js";
3
- import { t as VERSION } from "./version-D3OFS3DQ.js";
4
- import { a as SessionManager, n as createMcpRequestHandler, t as createHealthApp } from "./http-BMOiJdyw.js";
3
+ import { t as VERSION } from "./version-BTMdX8xQ.js";
4
+ import { a as SessionManager, n as createMcpRequestHandler, t as createHealthApp } from "./http-CK8WsamV.js";
5
5
  import { toNodeHandler } from "h3/node";
6
6
  import { createServer } from "node:http";
7
7
  /**
8
8
  * Forge MCP Server - HTTP Transport (Streamable HTTP)
9
9
  *
10
10
  * Implements the official MCP Streamable HTTP transport specification.
11
- * Credentials are passed via Bearer token in the Authorization header.
11
+ * Supports both raw Bearer tokens and OAuth 2.1 with PKCE for
12
+ * Claude Desktop compatibility.
12
13
  *
13
- * Token format: raw Forge API token
14
+ * Token formats:
15
+ * - Raw Forge API token (Bearer <token>)
16
+ * - Base64-encoded token from OAuth flow (Bearer base64(<token>))
17
+ *
18
+ * Environment variables:
19
+ * PORT - HTTP port (default: 3000)
20
+ * HOST - Bind address (default: 0.0.0.0)
21
+ * FORGE_READ_ONLY - Disable write operations (default: false)
22
+ * OAUTH_SECRET - AES-256-GCM encryption key for OAuth tokens.
23
+ * Required in production. A default is used if unset.
14
24
  *
15
25
  * Usage:
16
26
  * forge-mcp-server
17
27
  * forge-mcp-server --read-only
18
- * FORGE_READ_ONLY=true forge-mcp-server
28
+ * OAUTH_SECRET=my-secret forge-mcp-server
19
29
  * PORT=3000 forge-mcp-server
20
30
  *
21
31
  * Endpoints:
22
- * POST /mcp - MCP Streamable HTTP (JSON-RPC messages)
23
- * GET /mcp - MCP Streamable HTTP (SSE stream for server notifications)
24
- * DELETE /mcp - MCP Streamable HTTP (session termination)
32
+ * POST /mcp - MCP Streamable HTTP (JSON-RPC messages)
33
+ * GET /mcp - MCP Streamable HTTP (SSE stream for server notifications)
34
+ * DELETE /mcp - MCP Streamable HTTP (session termination)
25
35
  * GET / - Service info
26
36
  * GET /health - Health check
37
+ *
38
+ * OAuth 2.1 endpoints (for Claude Desktop):
39
+ * GET /.well-known/oauth-authorization-server - OAuth metadata (RFC 8414)
40
+ * GET /.well-known/oauth-protected-resource - Protected resource (RFC 9728)
41
+ * POST /register - Dynamic client registration (RFC 7591)
42
+ * GET /authorize - Login form
43
+ * POST /authorize - Process login
44
+ * POST /token - Token exchange (PKCE)
27
45
  */
28
46
  var DEFAULT_PORT = 3e3;
29
47
  var DEFAULT_HOST = "0.0.0.0";
@@ -57,7 +75,13 @@ function startHttpServer(port = DEFAULT_PORT, host = DEFAULT_HOST, options) {
57
75
  console.log("");
58
76
  console.log("Authentication:");
59
77
  console.log(" Bearer token in Authorization header");
60
- console.log(" Token format: your raw Forge API token");
78
+ console.log(" Token format: raw Forge API token or OAuth 2.1 access token");
79
+ console.log("");
80
+ console.log("OAuth 2.1 (Claude Desktop):");
81
+ console.log(` GET http://${displayHost}:${port}/.well-known/oauth-authorization-server`);
82
+ console.log(` POST http://${displayHost}:${port}/register`);
83
+ console.log(` GET http://${displayHost}:${port}/authorize`);
84
+ console.log(` POST http://${displayHost}:${port}/token`);
61
85
  if (readOnly) {
62
86
  console.log("");
63
87
  console.log("Mode: READ-ONLY (write operations disabled)");
package/dist/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"server.js","names":[],"sources":["../src/server.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Forge MCP Server - HTTP Transport (Streamable HTTP)\n *\n * Implements the official MCP Streamable HTTP transport specification.\n * Credentials are passed via Bearer token in the Authorization header.\n *\n * Token format: raw Forge API token\n *\n * Usage:\n * forge-mcp-server\n * forge-mcp-server --read-only\n * FORGE_READ_ONLY=true forge-mcp-server\n * PORT=3000 forge-mcp-server\n *\n * Endpoints:\n * POST /mcp - MCP Streamable HTTP (JSON-RPC messages)\n * GET /mcp - MCP Streamable HTTP (SSE stream for server notifications)\n * DELETE /mcp - MCP Streamable HTTP (session termination)\n * GET / - Service info\n * GET /health - Health check\n */\n\nimport { toNodeHandler } from \"h3/node\";\nimport { createServer, type Server } from \"node:http\";\n\nimport { createHealthApp, createMcpRequestHandler } from \"./http.ts\";\nimport { parseReadOnlyFlag } from \"./flags.ts\";\nimport { SessionManager } from \"./sessions.ts\";\nimport { VERSION } from \"./version.ts\";\n\nconst DEFAULT_PORT = 3000;\nconst DEFAULT_HOST = \"0.0.0.0\";\n\n/**\n * Options for the HTTP server.\n */\nexport interface HttpStartOptions {\n /** When true, forge_write tool is not registered. */\n readOnly?: boolean;\n}\n\n/**\n * Start the HTTP server with Streamable HTTP transport.\n */\nexport function startHttpServer(\n port: number = DEFAULT_PORT,\n host: string = DEFAULT_HOST,\n options?: HttpStartOptions,\n): Promise<Server> {\n return new Promise((resolve) => {\n const readOnly = options?.readOnly ?? false;\n const sessions = new SessionManager();\n const handleMcp = createMcpRequestHandler(sessions, { readOnly });\n const healthApp = createHealthApp();\n const healthHandler = toNodeHandler(healthApp);\n\n const server = createServer(async (req, res) => {\n const url = req.url ?? \"/\";\n\n // Route /mcp to MCP Streamable HTTP transport\n if (url === \"/mcp\" || url.startsWith(\"/mcp?\")) {\n await handleMcp(req, res);\n return;\n }\n\n // Everything else goes to h3 (health checks, service info)\n healthHandler(req, res);\n });\n\n server.listen(port, host, () => {\n const displayHost = host === \"0.0.0.0\" ? \"localhost\" : host;\n const mode = readOnly ? \" (read-only)\" : \"\";\n console.log(`Forge MCP server v${VERSION}${mode}`);\n console.log(`Node.js ${process.version}`);\n console.log(\"\");\n console.log(`Running at http://${displayHost}:${port}`);\n console.log(\"\");\n console.log(\"Endpoints:\");\n console.log(\n ` POST/GET/DELETE http://${displayHost}:${port}/mcp - MCP Streamable HTTP endpoint`,\n );\n console.log(` GET http://${displayHost}:${port}/health - Health check`);\n console.log(\"\");\n console.log(\"Authentication:\");\n console.log(\" Bearer token in Authorization header\");\n console.log(\" Token format: your raw Forge API token\");\n if (readOnly) {\n console.log(\"\");\n console.log(\"Mode: READ-ONLY (write operations disabled)\");\n }\n console.log(\"\");\n resolve(server);\n });\n });\n}\n\n// Start server when run directly\nconst isMainModule =\n import.meta.url === `file://${process.argv[1]}` ||\n process.argv[1]?.endsWith(\"/forge-mcp-server\") ||\n process.argv[1]?.endsWith(\"\\\\forge-mcp-server\");\n\nif (isMainModule) {\n const port = Number.parseInt(process.env.PORT || String(DEFAULT_PORT), 10);\n const host = process.env.HOST || DEFAULT_HOST;\n const readOnly = parseReadOnlyFlag();\n\n startHttpServer(port, host, { readOnly }).catch((error) => {\n console.error(\"Fatal error:\", error);\n process.exit(1);\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,IAAM,eAAe;AACrB,IAAM,eAAe;;;;AAarB,SAAgB,gBACd,OAAe,cACf,OAAe,cACf,SACiB;AACjB,QAAO,IAAI,SAAS,YAAY;EAC9B,MAAM,WAAW,SAAS,YAAY;EAEtC,MAAM,YAAY,wBADD,IAAI,gBAAgB,EACe,EAAE,UAAU,CAAC;EAEjE,MAAM,gBAAgB,cADJ,iBAAiB,CACW;EAE9C,MAAM,SAAS,aAAa,OAAO,KAAK,QAAQ;GAC9C,MAAM,MAAM,IAAI,OAAO;AAGvB,OAAI,QAAQ,UAAU,IAAI,WAAW,QAAQ,EAAE;AAC7C,UAAM,UAAU,KAAK,IAAI;AACzB;;AAIF,iBAAc,KAAK,IAAI;IACvB;AAEF,SAAO,OAAO,MAAM,YAAY;GAC9B,MAAM,cAAc,SAAS,YAAY,cAAc;GACvD,MAAM,OAAO,WAAW,iBAAiB;AACzC,WAAQ,IAAI,qBAAqB,UAAU,OAAO;AAClD,WAAQ,IAAI,WAAW,QAAQ,UAAU;AACzC,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,qBAAqB,YAAY,GAAG,OAAO;AACvD,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,aAAa;AACzB,WAAQ,IACN,4BAA4B,YAAY,GAAG,KAAK,qCACjD;AACD,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,wBAAwB;AACzE,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,kBAAkB;AAC9B,WAAQ,IAAI,yCAAyC;AACrD,WAAQ,IAAI,2CAA2C;AACvD,OAAI,UAAU;AACZ,YAAQ,IAAI,GAAG;AACf,YAAQ,IAAI,8CAA8C;;AAE5D,WAAQ,IAAI,GAAG;AACf,WAAQ,OAAO;IACf;GACF;;AASJ,IAJE,OAAO,KAAK,QAAQ,UAAU,QAAQ,KAAK,QAC3C,QAAQ,KAAK,IAAI,SAAS,oBAAoB,IAC9C,QAAQ,KAAK,IAAI,SAAS,qBAAqB,CAO/C,iBAJa,OAAO,SAAS,QAAQ,IAAI,QAAQ,OAAO,aAAa,EAAE,GAAG,EAC7D,QAAQ,IAAI,QAAQ,cAGL,EAAE,UAFb,mBAAmB,EAEI,CAAC,CAAC,OAAO,UAAU;AACzD,SAAQ,MAAM,gBAAgB,MAAM;AACpC,SAAQ,KAAK,EAAE;EACf"}
1
+ {"version":3,"file":"server.js","names":[],"sources":["../src/server.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Forge MCP Server - HTTP Transport (Streamable HTTP)\n *\n * Implements the official MCP Streamable HTTP transport specification.\n * Supports both raw Bearer tokens and OAuth 2.1 with PKCE for\n * Claude Desktop compatibility.\n *\n * Token formats:\n * - Raw Forge API token (Bearer <token>)\n * - Base64-encoded token from OAuth flow (Bearer base64(<token>))\n *\n * Environment variables:\n * PORT - HTTP port (default: 3000)\n * HOST - Bind address (default: 0.0.0.0)\n * FORGE_READ_ONLY - Disable write operations (default: false)\n * OAUTH_SECRET - AES-256-GCM encryption key for OAuth tokens.\n * Required in production. A default is used if unset.\n *\n * Usage:\n * forge-mcp-server\n * forge-mcp-server --read-only\n * OAUTH_SECRET=my-secret forge-mcp-server\n * PORT=3000 forge-mcp-server\n *\n * Endpoints:\n * POST /mcp - MCP Streamable HTTP (JSON-RPC messages)\n * GET /mcp - MCP Streamable HTTP (SSE stream for server notifications)\n * DELETE /mcp - MCP Streamable HTTP (session termination)\n * GET / - Service info\n * GET /health - Health check\n *\n * OAuth 2.1 endpoints (for Claude Desktop):\n * GET /.well-known/oauth-authorization-server - OAuth metadata (RFC 8414)\n * GET /.well-known/oauth-protected-resource - Protected resource (RFC 9728)\n * POST /register - Dynamic client registration (RFC 7591)\n * GET /authorize - Login form\n * POST /authorize - Process login\n * POST /token - Token exchange (PKCE)\n */\n\nimport { toNodeHandler } from \"h3/node\";\nimport { createServer, type Server } from \"node:http\";\n\nimport { createHealthApp, createMcpRequestHandler } from \"./http.ts\";\nimport { parseReadOnlyFlag } from \"./flags.ts\";\nimport { SessionManager } from \"./sessions.ts\";\nimport { VERSION } from \"./version.ts\";\n\nconst DEFAULT_PORT = 3000;\nconst DEFAULT_HOST = \"0.0.0.0\";\n\n/**\n * Options for the HTTP server.\n */\nexport interface HttpStartOptions {\n /** When true, forge_write tool is not registered. */\n readOnly?: boolean;\n}\n\n/**\n * Start the HTTP server with Streamable HTTP transport.\n */\nexport function startHttpServer(\n port: number = DEFAULT_PORT,\n host: string = DEFAULT_HOST,\n options?: HttpStartOptions,\n): Promise<Server> {\n return new Promise((resolve) => {\n const readOnly = options?.readOnly ?? false;\n const sessions = new SessionManager();\n const handleMcp = createMcpRequestHandler(sessions, { readOnly });\n const healthApp = createHealthApp();\n const healthHandler = toNodeHandler(healthApp);\n\n const server = createServer(async (req, res) => {\n const url = req.url ?? \"/\";\n\n // Route /mcp to MCP Streamable HTTP transport\n if (url === \"/mcp\" || url.startsWith(\"/mcp?\")) {\n await handleMcp(req, res);\n return;\n }\n\n // Everything else goes to h3 (health checks, service info)\n healthHandler(req, res);\n });\n\n server.listen(port, host, () => {\n const displayHost = host === \"0.0.0.0\" ? \"localhost\" : host;\n const mode = readOnly ? \" (read-only)\" : \"\";\n console.log(`Forge MCP server v${VERSION}${mode}`);\n console.log(`Node.js ${process.version}`);\n console.log(\"\");\n console.log(`Running at http://${displayHost}:${port}`);\n console.log(\"\");\n console.log(\"Endpoints:\");\n console.log(\n ` POST/GET/DELETE http://${displayHost}:${port}/mcp - MCP Streamable HTTP endpoint`,\n );\n console.log(` GET http://${displayHost}:${port}/health - Health check`);\n console.log(\"\");\n console.log(\"Authentication:\");\n console.log(\" Bearer token in Authorization header\");\n console.log(\" Token format: raw Forge API token or OAuth 2.1 access token\");\n console.log(\"\");\n console.log(\"OAuth 2.1 (Claude Desktop):\");\n console.log(` GET http://${displayHost}:${port}/.well-known/oauth-authorization-server`);\n console.log(` POST http://${displayHost}:${port}/register`);\n console.log(` GET http://${displayHost}:${port}/authorize`);\n console.log(` POST http://${displayHost}:${port}/token`);\n if (readOnly) {\n console.log(\"\");\n console.log(\"Mode: READ-ONLY (write operations disabled)\");\n }\n console.log(\"\");\n resolve(server);\n });\n });\n}\n\n// Start server when run directly\nconst isMainModule =\n import.meta.url === `file://${process.argv[1]}` ||\n process.argv[1]?.endsWith(\"/forge-mcp-server\") ||\n process.argv[1]?.endsWith(\"\\\\forge-mcp-server\");\n\nif (isMainModule) {\n const port = Number.parseInt(process.env.PORT || String(DEFAULT_PORT), 10);\n const host = process.env.HOST || DEFAULT_HOST;\n const readOnly = parseReadOnlyFlag();\n\n startHttpServer(port, host, { readOnly }).catch((error) => {\n console.error(\"Fatal error:\", error);\n process.exit(1);\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,IAAM,eAAe;AACrB,IAAM,eAAe;;;;AAarB,SAAgB,gBACd,OAAe,cACf,OAAe,cACf,SACiB;AACjB,QAAO,IAAI,SAAS,YAAY;EAC9B,MAAM,WAAW,SAAS,YAAY;EAEtC,MAAM,YAAY,wBADD,IAAI,gBAAgB,EACe,EAAE,UAAU,CAAC;EAEjE,MAAM,gBAAgB,cADJ,iBAAiB,CACW;EAE9C,MAAM,SAAS,aAAa,OAAO,KAAK,QAAQ;GAC9C,MAAM,MAAM,IAAI,OAAO;AAGvB,OAAI,QAAQ,UAAU,IAAI,WAAW,QAAQ,EAAE;AAC7C,UAAM,UAAU,KAAK,IAAI;AACzB;;AAIF,iBAAc,KAAK,IAAI;IACvB;AAEF,SAAO,OAAO,MAAM,YAAY;GAC9B,MAAM,cAAc,SAAS,YAAY,cAAc;GACvD,MAAM,OAAO,WAAW,iBAAiB;AACzC,WAAQ,IAAI,qBAAqB,UAAU,OAAO;AAClD,WAAQ,IAAI,WAAW,QAAQ,UAAU;AACzC,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,qBAAqB,YAAY,GAAG,OAAO;AACvD,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,aAAa;AACzB,WAAQ,IACN,4BAA4B,YAAY,GAAG,KAAK,qCACjD;AACD,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,wBAAwB;AACzE,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,kBAAkB;AAC9B,WAAQ,IAAI,yCAAyC;AACrD,WAAQ,IAAI,gEAAgE;AAC5E,WAAQ,IAAI,GAAG;AACf,WAAQ,IAAI,8BAA8B;AAC1C,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,yCAAyC;AAC1F,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,WAAW;AAC5D,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,YAAY;AAC7D,WAAQ,IAAI,iBAAiB,YAAY,GAAG,KAAK,QAAQ;AACzD,OAAI,UAAU;AACZ,YAAQ,IAAI,GAAG;AACf,YAAQ,IAAI,8CAA8C;;AAE5D,WAAQ,IAAI,GAAG;AACf,WAAQ,OAAO;IACf;GACF;;AASJ,IAJE,OAAO,KAAK,QAAQ,UAAU,QAAQ,KAAK,QAC3C,QAAQ,KAAK,IAAI,SAAS,oBAAoB,IAC9C,QAAQ,KAAK,IAAI,SAAS,qBAAqB,CAO/C,iBAJa,OAAO,SAAS,QAAQ,IAAI,QAAQ,OAAO,aAAa,EAAE,GAAG,EAC7D,QAAQ,IAAI,QAAQ,cAGL,EAAE,UAFb,mBAAmB,EAEI,CAAC,CAAC,OAAO,UAAU;AACzD,SAAQ,MAAM,gBAAgB,MAAM;AACpC,SAAQ,KAAK,EAAE;EACf"}
package/dist/{version-D3OFS3DQ.js → version-BTMdX8xQ.js} RENAMED
@@ -3464,7 +3464,7 @@ async function executeToolWithCredentials(name, args, credentials) {
3464
3464
  return errorResult(errorMessage);
3465
3465
  }
3466
3466
  }
3467
- const VERSION = "0.2.2";
3467
+ const VERSION = "0.2.3";
3468
3468
  export { INSTRUCTIONS as a, getTools as i, executeToolWithCredentials as n, STDIO_ONLY_TOOLS as r, VERSION as t };
3469
3469
 
3470
- //# sourceMappingURL=version-D3OFS3DQ.js.map
3470
+ //# sourceMappingURL=version-BTMdX8xQ.js.map