@szc-ft/mcp-szcd-client 0.16.0 → 0.18.0

package/commands/szcd-mcp-auth.md

@@ -0,0 +1,39 @@
+---
+description: 管理MCP服务器鉴权密钥（get/set/clear API Key）
+argument-hint: <get|set|clear> [--apiKey=xxx]
+---
+
+请帮我管理 szcd MCP 的鉴权配置。
+
+**交互流程**：
+
+1. **向用户询问要执行的操作**，提供以下选项：
+   - "查看鉴权配置" -> 执行 get
+   - "设置 API Key" -> 执行 set（需进一步追问参数）
+   - "清除 API Key" -> 执行 clear
+
+2. **根据用户选择执行**：
+
+   - **查看鉴权配置**：直接执行 `npx szcd-mcp-auth get`
+
+   - **设置 API Key**：向用户询问 API Key（由 MCP 服务端管理员提供），收集后执行：
+     ```bash
+     npx szcd-mcp-auth set --apiKey="<apiKey>"
+     ```
+
+   - **清除 API Key**：确认后执行 `npx szcd-mcp-auth clear`
+
+3. **命令回退**：如果 npx 不可用，依次尝试：
+   - `node $(npm root -g)/@szc-ft/mcp-szcd-client/scripts/update-auth.js <args>`
+   - `node /scity/zengzhijie/mcp/szcd-mcp-client/scripts/update-auth.js <args>`
+
+**配置字段说明**：
+- `MCP_API_KEY` — MCP 服务器鉴权密钥（敏感）
+  - 设置后，客户端连接时自动通过 `X-API-Key` 请求头传递
+  - 服务端需配置相同的 `MCP_API_KEY` 环境变量才会校验
+  - 未设置时，若服务端也未开启鉴权，客户端可正常连接
+
+配置保存在 `~/.szcd-mcp-config.json` 中，设置后重启 IDE/CLI 生效。
+
+当前配置:
+!`cat ~/.szcd-mcp-config.json 2>/dev/null | grep -E "MCP_API_KEY|MCP_SERVER" || echo "配置文件不存在"`

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@szc-ft/mcp-szcd-client",
-    "version": "0.16.0",
+    "version": "0.18.0",
     "description": "MCP client for szcd component library - auto-configures AI coding tools with MCP server, skills, agents and commands",
     "keywords": [
         "mcp",
@@ -24,7 +24,8 @@
         "szcd-mcp-setup": "scripts/postinstall.js",
         "szcd-mcp-update-url": "scripts/update-mcp-url.js",
         "szcd-mcp-coding-config": "scripts/update-coding-config.js",
-        "szcd-mcp-api-config": "scripts/update-api-config.js"
+        "szcd-mcp-api-config": "scripts/update-api-config.js",
+        "szcd-mcp-auth": "scripts/update-auth.js"
     },
     "files": [
         "mcp-proxy.js",
@@ -32,6 +33,7 @@
         "scripts/update-mcp-url.js",
         "scripts/update-coding-config.js",
         "scripts/update-api-config.js",
+        "scripts/update-auth.js",
         "scripts/lib/",
         "standard-skill/",
         "agents/",

package/qwen-extension/commands/szcd-mcp-auth.md

@@ -0,0 +1,39 @@
+---
+description: 管理MCP服务器鉴权密钥（get/set/clear API Key）
+argument-hint: <get|set|clear> [--apiKey=xxx]
+---
+
+请帮我管理 szcd MCP 的鉴权配置。
+
+**交互流程**：
+
+1. **向用户询问要执行的操作**，提供以下选项：
+   - "查看鉴权配置" -> 执行 get
+   - "设置 API Key" -> 执行 set（需进一步追问参数）
+   - "清除 API Key" -> 执行 clear
+
+2. **根据用户选择执行**：
+
+   - **查看鉴权配置**：直接执行 `npx szcd-mcp-auth get`
+
+   - **设置 API Key**：向用户询问 API Key（由 MCP 服务端管理员提供），收集后执行：
+     ```bash
+     npx szcd-mcp-auth set --apiKey="<apiKey>"
+     ```
+
+   - **清除 API Key**：确认后执行 `npx szcd-mcp-auth clear`
+
+3. **命令回退**：如果 npx 不可用，依次尝试：
+   - `node $(npm root -g)/@szc-ft/mcp-szcd-client/scripts/update-auth.js <args>`
+   - `node /scity/zengzhijie/mcp/szcd-mcp-client/scripts/update-auth.js <args>`
+
+**配置字段说明**：
+- `MCP_API_KEY` — MCP 服务器鉴权密钥（敏感）
+  - 设置后，客户端连接时自动通过 `X-API-Key` 请求头传递
+  - 服务端需配置相同的 `MCP_API_KEY` 环境变量才会校验
+  - 未设置时，若服务端也未开启鉴权，客户端可正常连接
+
+配置保存在 `~/.szcd-mcp-config.json` 中，设置后重启 IDE/CLI 生效。
+
+当前配置:
+!`cat ~/.szcd-mcp-config.json 2>/dev/null | grep -E "MCP_API_KEY|MCP_SERVER" || echo "配置文件不存在"`

package/qwen-extension/qwen-extension.json

@@ -1,6 +1,6 @@
 {
     "name": "szcd-component-helper",
-    "version": "0.16.0",
+    "version": "0.18.0",
     "description": "szcd 组件库 MCP 助手 — 查询组件信息、匹配需求、生成代码",
     "mcpServers": {
         "szcd-component-helper": {

package/qwen-extension/skills/szcd-component-helper/SKILL.md

@@ -19,7 +19,7 @@ compatibility:
 
 **重要说明**：这是一个客户端 skill，通过 MCP 协议（SSE 或 HTTP）连接到远程 MCP 服务器。服务器由管理员维护，包含源码和数据。
 
-**版本**：v0.16.0 - 新增 10 段网段本地网络兼容：api_tool 新增 parse_swagger_json action，客户端新增 local-api-tool 技能，遇到 10.x.x.x 网段自动在本地 curl 获取 Swagger JSON 再交由服务端解析
+**版本**：v0.18.0 - 新增 MCP 鉴权支持：postinstall 自动同步 API Key 到 IDE 配置，szcd-mcp-auth 命令支持 set/clear 并自动更新所有 IDE 的 mcp.json
 
 ## 架构说明
 

package/scripts/lib/claude-code.js

@@ -9,7 +9,7 @@ import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
 import { execSync } from "node:child_process";
-import { getClientConfigHeader as getClientConfigHeaderDirect } from "./common.js";
+import { getClientConfigHeader as getClientConfigHeaderDirect, getApiKey as getApiKeyDirect } from "./common.js";
 
 // ==================== 路径工具 ====================
 
@@ -55,16 +55,21 @@ function syncClaudeCodeConfig(deps) {
     if (!config.mcpServers) config.mcpServers = {};
 
     const current = config.mcpServers[serverName];
-    if (current && current.type === "http" && current.url === mcpUrl) {
+    const apiKey = deps.getApiKey ? deps.getApiKey() : "";
+    const needsApiKeyUpdate = apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== apiKey);
+    if (current && current.type === "http" && current.url === mcpUrl && !needsApiKeyUpdate) {
         console.log(`✓ Claude Code ~/.claude.json already up-to-date: ${mcpUrl}`);
         return;
     }
 
     const clientConfigHeader = deps.getClientConfigHeader ? deps.getClientConfigHeader() : null;
+    const headers = {};
+    if (clientConfigHeader) headers["X-Client-Config"] = clientConfigHeader;
+    if (apiKey) headers["X-API-Key"] = apiKey;
     config.mcpServers[serverName] = {
         type: "http",
         url: mcpUrl,
-        ...(clientConfigHeader ? { headers: { "X-Client-Config": clientConfigHeader } } : {}),
+        ...(Object.keys(headers).length > 0 ? { headers } : {}),
     };
 
     fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
@@ -316,16 +321,21 @@ function syncClaudeCodeConfigDirect(targetUrl, serverName) {
     if (!config.mcpServers) config.mcpServers = {};
 
     const current = config.mcpServers[serverName];
-    if (current && current.type === "http" && current.url === mcpUrl) {
+    const apiKey = getApiKeyDirect();
+    const needsApiKeyUpdate = apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== apiKey);
+    if (current && current.type === "http" && current.url === mcpUrl && !needsApiKeyUpdate) {
         console.log(`⏭️  Claude Code ~/.claude.json already up-to-date: ${mcpUrl}`);
         return;
     }
 
     const clientConfigHeader = getClientConfigHeaderDirect();
+    const headers = {};
+    if (clientConfigHeader) headers["X-Client-Config"] = clientConfigHeader;
+    if (apiKey) headers["X-API-Key"] = apiKey;
     config.mcpServers[serverName] = {
         type: "http",
         url: mcpUrl,
-        ...(clientConfigHeader ? { headers: { "X-Client-Config": clientConfigHeader } } : {}),
+        ...(Object.keys(headers).length > 0 ? { headers } : {}),
     };
 
     fs.writeFileSync(configPath, JSON.stringify(config, null, 2));

package/scripts/lib/common.js

@@ -209,6 +209,15 @@ export function encodeClientConfig(config) {
     return Buffer.from(JSON.stringify(config)).toString("base64");
 }
 
+/**
+ * 获取 MCP_API_KEY（从用户本地配置文件读取）
+ * 用于通过 X-API-Key Header 传递给 MCP 服务器鉴权
+ */
+export function getApiKey() {
+    const config = loadExistingConfig();
+    return config.MCP_API_KEY || "";
+}
+
 /**
  * 获取 X-Client-Config Header 值（便捷函数）
  * 返回 Base64 编码的字符串，或 null（无 CODING 配置时）
@@ -216,3 +225,20 @@ export function encodeClientConfig(config) {
 export function getClientConfigHeader() {
     return encodeClientConfig(loadClientCodingConfig());
 }
+
+/**
+ * 构建 MCP HTTP 请求的 headers 对象（包含 X-Client-Config 和 X-API-Key）
+ * @returns {Object} headers 对象，可能为空对象
+ */
+export function buildMcpHeaders() {
+    const headers = {};
+    const clientConfigHeader = getClientConfigHeader();
+    if (clientConfigHeader) {
+        headers["X-Client-Config"] = clientConfigHeader;
+    }
+    const apiKey = getApiKey();
+    if (apiKey) {
+        headers["X-API-Key"] = apiKey;
+    }
+    return Object.keys(headers).length > 0 ? headers : null;
+}

package/scripts/lib/qoder.js

@@ -29,7 +29,7 @@ import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
 import { execSync } from "node:child_process";
-import { getClientConfigHeader as _getClientConfigHeader } from "./common.js";
+import { getClientConfigHeader as _getClientConfigHeader, getApiKey as _getApiKey } from "./common.js";
 
 // ==================== 路径工具 ====================
 
@@ -150,14 +150,19 @@ function syncQoderSettings(deps) {
     if (!settings.mcpServers) settings.mcpServers = {};
 
     const clientConfigHeader = deps.getClientConfigHeader ? deps.getClientConfigHeader() : null;
+    const apiKey = deps.getApiKey ? deps.getApiKey() : "";
+    const headers = {};
+    if (clientConfigHeader) headers["X-Client-Config"] = clientConfigHeader;
+    if (apiKey) headers["X-API-Key"] = apiKey;
     const desiredConfig = {
         type: "http",
         url: mcpUrl,
-        ...(clientConfigHeader ? { headers: { "X-Client-Config": clientConfigHeader } } : {}),
+        ...(Object.keys(headers).length > 0 ? { headers } : {}),
     };
 
     const current = settings.mcpServers[serverName];
-    if (current && current.type === "http" && current.url === mcpUrl) {
+    const needsApiKeyUpdate = apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== apiKey);
+    if (current && current.type === "http" && current.url === mcpUrl && !needsApiKeyUpdate) {
         console.log(`✓ Qoder ~/.qoder/settings.json already up-to-date: ${serverName} (${mcpUrl})`);
         return;
     }
@@ -366,10 +371,14 @@ function setupQoderProjectConfig(deps) {
     if (!settings.mcpServers) settings.mcpServers = {};
 
     const clientConfigHeader = deps.getClientConfigHeader ? deps.getClientConfigHeader() : null;
+    const _apiKey = deps.getApiKey ? deps.getApiKey() : "";
+    const _headers = {};
+    if (clientConfigHeader) _headers["X-Client-Config"] = clientConfigHeader;
+    if (_apiKey) _headers["X-API-Key"] = _apiKey;
     settings.mcpServers[serverName] = {
         type: "http",
         url: mcpUrl,
-        ...(clientConfigHeader ? { headers: { "X-Client-Config": clientConfigHeader } } : {}),
+        ...(Object.keys(_headers).length > 0 ? { headers: _headers } : {}),
     };
 
     writeJsonFile(projectSettingsPath, settings);
@@ -444,16 +453,21 @@ function syncQoderSettingsDirect(targetUrl, serverName) {
     if (!settings.mcpServers) settings.mcpServers = {};
 
     const current = settings.mcpServers[serverName];
-    if (current && current.type === "http" && current.url === mcpUrl) {
+    const _apiKey = _getApiKey();
+    const needsApiKeyUpdate = _apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== _apiKey);
+    if (current && current.type === "http" && current.url === mcpUrl && !needsApiKeyUpdate) {
         console.log(`⏭️  Qoder ~/.qoder/settings.json already up-to-date: ${serverName} (${mcpUrl})`);
         return;
     }
 
     const clientConfigHeader = _getClientConfigHeader();
+    const _headers = {};
+    if (clientConfigHeader) _headers["X-Client-Config"] = clientConfigHeader;
+    if (_apiKey) _headers["X-API-Key"] = _apiKey;
     settings.mcpServers[serverName] = {
         type: "http",
         url: mcpUrl,
-        ...(clientConfigHeader ? { headers: { "X-Client-Config": clientConfigHeader } } : {}),
+        ...(Object.keys(_headers).length > 0 ? { headers: _headers } : {}),
     };
 
     writeJsonFile(settingsPath, settings);

package/scripts/lib/qwen-code.js

@@ -23,7 +23,7 @@ import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
 import { execSync } from "node:child_process";
-import { getClientConfigHeader as getClientConfigHeaderDirect } from "./common.js";
+import { getClientConfigHeader as getClientConfigHeaderDirect, getApiKey as getApiKeyDirect } from "./common.js";
 
 // ==================== 路径工具 ====================
 
@@ -314,13 +314,17 @@ function injectClientConfigHeader(serverName, clientConfigHeader) {
     if (!manifest.mcpServers || !manifest.mcpServers[serverName]) return;
 
     const entry = manifest.mcpServers[serverName];
-    if (entry.headers && entry.headers["X-Client-Config"] === clientConfigHeader) {
+    const _apiKey = getApiKeyDirect();
+    if (entry.headers && entry.headers["X-Client-Config"] === clientConfigHeader && entry.headers["X-API-Key"] === _apiKey) {
         return; // 已是最新
     }
 
-    entry.headers = { "X-Client-Config": clientConfigHeader };
+    const _headers = {};
+    if (clientConfigHeader) _headers["X-Client-Config"] = clientConfigHeader;
+    if (_apiKey) _headers["X-API-Key"] = _apiKey;
+    entry.headers = _headers;
     writeJsonFile(manifestPath, manifest);
-    console.log(`✓ Injected X-Client-Config header into extension qwen-extension.json`);
+    console.log(`✓ Injected X-Client-Config and X-API-Key headers into extension qwen-extension.json`);
 }
 
 /**
@@ -343,10 +347,11 @@ function syncExtensionConfig(targetUrl, serverName) {
 
     const mcpUrl = `${targetUrl}/mcp`;
     const clientConfigHeader = getClientConfigHeaderDirect();
+    const _apiKey = getApiKeyDirect();
     const entry = manifest.mcpServers[serverName];
     const headersUnchanged = clientConfigHeader
-        ? entry.headers && entry.headers["X-Client-Config"] === clientConfigHeader
-        : !entry.headers;
+        ? entry.headers && entry.headers["X-Client-Config"] === clientConfigHeader && entry.headers["X-API-Key"] === _apiKey
+        : !entry.headers || (!_apiKey && !entry.headers["X-API-Key"]);
     if (entry.type === "http" && entry.httpUrl === mcpUrl && headersUnchanged) {
         console.log(`⏭️  Extension qwen-extension.json already up-to-date: ${mcpUrl}`);
         return;
@@ -356,9 +361,12 @@ function syncExtensionConfig(targetUrl, serverName) {
     entry.httpUrl = mcpUrl;
     // 清理旧字段，避免冲突
     delete entry.url;
-    // 透传用户本地 CODING 配置
-    if (clientConfigHeader) {
-        entry.headers = { "X-Client-Config": clientConfigHeader };
+    // 透传用户本地 CODING 配置和 API Key
+    const _headers = {};
+    if (clientConfigHeader) _headers["X-Client-Config"] = clientConfigHeader;
+    if (_apiKey) _headers["X-API-Key"] = _apiKey;
+    if (Object.keys(_headers).length > 0) {
+        entry.headers = _headers;
     } else {
         delete entry.headers;
     }
@@ -396,10 +404,11 @@ export function setupQwenCode(deps) {
         extensionInstalled = installExtensionViaCopy(deps);
     }
 
-    // ---- 注入 X-Client-Config Header ----
+    // ---- 注入 X-Client-Config / X-API-Key Header ----
     if (extensionInstalled) {
         const clientConfigHeader = deps.getClientConfigHeader ? deps.getClientConfigHeader() : null;
-        if (clientConfigHeader) {
+        const apiKey = deps.getApiKey ? deps.getApiKey() : "";
+        if (clientConfigHeader || apiKey) {
             injectClientConfigHeader(deps.getMcpServerName(), clientConfigHeader);
         }
     }

package/scripts/lib/trae-cli.js

@@ -14,7 +14,7 @@ import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
 import { execSync } from "node:child_process";
-import { loadClientCodingConfig, encodeClientConfig } from "./common.js";
+import { loadClientCodingConfig, encodeClientConfig, getApiKey } from "./common.js";
 
 // ==================== 路径工具 ====================
 
@@ -89,8 +89,9 @@ export function syncTraeCliYaml(deps) {
 
     // 读取用户本地 CODING 配置，生成 X-Client-Config Header
     const clientConfigHeader = deps.getClientConfigHeader ? deps.getClientConfigHeader() : null;
-    const headersBlock = clientConfigHeader
-        ? `\n      headers:\n          X-Client-Config: ${clientConfigHeader}`
+    const apiKey = deps.getApiKey ? deps.getApiKey() : "";
+    const headersBlock = clientConfigHeader || apiKey
+        ? `\n      headers:${clientConfigHeader ? `\n          X-Client-Config: ${clientConfigHeader}` : ""}${apiKey ? `\n          X-API-Key: ${apiKey}` : ""}`
         : "";
 
     if (!fs.existsSync(yamlPath)) {
@@ -147,10 +148,12 @@ export function createTraeCliConfig(deps) {
         // 读取用户本地 CODING 配置，生成 X-Client-Config Header
         const codingConfig = loadClientCodingConfig();
         const clientConfigHeader = encodeClientConfig(codingConfig);
+        const apiKey = getApiKey();
         const jsonConfigObj = { type: "http", url: mcpUrl };
-        if (clientConfigHeader) {
-            jsonConfigObj.headers = { "X-Client-Config": clientConfigHeader };
-        }
+        const _headers = {};
+        if (clientConfigHeader) _headers["X-Client-Config"] = clientConfigHeader;
+        if (apiKey) _headers["X-API-Key"] = apiKey;
+        if (Object.keys(_headers).length > 0) jsonConfigObj.headers = _headers;
         const jsonConfig = JSON.stringify(jsonConfigObj);
 
         deps.safeExecSync(`trae-cli mcp remove ${serverName} 2>/dev/null`);

package/scripts/lib/trae-ide.js

@@ -13,7 +13,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import os from "node:os";
-import { getClientConfigHeader } from "./common.js";
+import { getClientConfigHeader, getApiKey } from "./common.js";
 
 // ==================== 路径工具 ====================
 
@@ -74,7 +74,9 @@ export function syncTraeCnMcpJson(deps) {
     if (!config.mcpServers) config.mcpServers = {};
 
     const current = config.mcpServers[serverName];
-    if (current && current.url === mcpUrl && current.type === "http") {
+    const apiKey = deps.getApiKey ? deps.getApiKey() : "";
+    const needsApiKeyUpdate = apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== apiKey);
+    if (current && current.url === mcpUrl && current.type === "http" && !needsApiKeyUpdate) {
         console.log(`✓ Trae CN mcp.json already up-to-date: ${mcpUrl}`);
         return;
     }
@@ -84,9 +86,10 @@ export function syncTraeCnMcpJson(deps) {
         type: "http",
         url: mcpUrl,
     };
-    if (clientConfigHeader) {
-        serverConfig.headers = { "X-Client-Config": clientConfigHeader };
-    }
+    const headers = {};
+    if (clientConfigHeader) headers["X-Client-Config"] = clientConfigHeader;
+    if (apiKey) headers["X-API-Key"] = apiKey;
+    if (Object.keys(headers).length > 0) serverConfig.headers = headers;
 
     config.mcpServers[serverName] = serverConfig;
 
@@ -121,7 +124,9 @@ export function syncMcpUrl(targetUrl, serverName) {
     if (!config.mcpServers) config.mcpServers = {};
 
     const current = config.mcpServers[serverName];
-    if (current && current.url === mcpUrl && current.type === "http") {
+    const apiKey = getApiKey();
+    const needsApiKeyUpdate = apiKey && (!current || !current.headers || current.headers["X-API-Key"] !== apiKey);
+    if (current && current.url === mcpUrl && current.type === "http" && !needsApiKeyUpdate) {
         console.log(`⏭️  Trae CN mcp.json already up-to-date: ${mcpUrl}`);
         return;
     }
@@ -131,9 +136,10 @@ export function syncMcpUrl(targetUrl, serverName) {
         type: "http",
         url: mcpUrl,
     };
-    if (clientConfigHeader) {
-        serverConfig.headers = { "X-Client-Config": clientConfigHeader };
-    }
+    const headers = {};
+    if (clientConfigHeader) headers["X-Client-Config"] = clientConfigHeader;
+    if (apiKey) headers["X-API-Key"] = apiKey;
+    if (Object.keys(headers).length > 0) serverConfig.headers = headers;
 
     config.mcpServers[serverName] = serverConfig;
 

package/scripts/postinstall.js

@@ -34,6 +34,7 @@ const deps = {
     getMcpServerUrl: common.getMcpServerUrl,
     getMcpServerName: common.getMcpServerName,
     getClientConfigHeader: common.getClientConfigHeader,
+    getApiKey: common.getApiKey,
     safeExecSync: common.safeExecSync,
     isCommandAvailable: common.isCommandAvailable,
     ensureDirectory: common.ensureDirectory,
@@ -73,7 +74,7 @@ function createConfigTemplate() {
         MCP_SERVER_URL: common.getMcpServerUrl(),
         MCP_TIMEOUT: 30000,
         MCP_API_KEY: "",
-        _comment: "请修改 MCP_SERVER_URL 为您的 MCP 服务器地址",
+        _comment: "请修改 MCP_SERVER_URL 为您的 MCP 服务器地址；MCP_API_KEY 为服务端鉴权密钥（npx szcd-mcp-auth set --apiKey=xxx）",
     };
 
     common.writeFile(configPath, JSON.stringify(configContent, null, 2));

package/scripts/update-auth.js

@@ -0,0 +1,235 @@
+#!/usr/bin/env node
+
+/**
+ * szcd-mcp-auth - 管理 MCP 服务器鉴权密钥
+ *
+ * 用法:
+ *   npx szcd-mcp-auth get                         查看当前鉴权配置
+ *   npx szcd-mcp-auth set --apiKey=<key>           设置 API Key
+ *   npx szcd-mcp-auth clear                        清除 API Key（关闭鉴权）
+ *
+ * 配置保存在 ~/.szcd-mcp-config.json 中，字段名：
+ *   MCP_API_KEY — MCP 服务器鉴权密钥
+ *
+ * 客户端连接时通过 X-API-Key / Authorization: Bearer 请求头传递，
+ * 服务端校验通过后放行，否则返回 401。
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { fileURLToPath } from "node:url";
+import { syncMcpUrl as syncTraeIde } from "./lib/trae-ide.js";
+import { syncMcpUrl as syncClaudeCode } from "./lib/claude-code.js";
+import { syncMcpUrl as syncQwenCode } from "./lib/qwen-code.js";
+import { syncMcpUrl as syncQoder } from "./lib/qoder.js";
+import { getMcpServerUrl, getMcpServerName } from "./lib/common.js";
+
+// ==================== 工具函数 ====================
+
+function getHomeDir() {
+    if (os.platform() === "win32") {
+        return process.env.USERPROFILE || process.env.HOME || os.homedir();
+    }
+    return process.env.HOME || os.homedir();
+}
+
+function getConfigFilePath() {
+    return path.join(getHomeDir(), ".szcd-mcp-config.json");
+}
+
+function loadConfig() {
+    const configPath = getConfigFilePath();
+    try {
+        if (fs.existsSync(configPath)) {
+            return JSON.parse(fs.readFileSync(configPath, "utf8"));
+        }
+    } catch (error) {
+        console.error(`Failed to read config: ${error.message}`);
+    }
+    return {};
+}
+
+function saveConfig(config) {
+    const configPath = getConfigFilePath();
+    try {
+        fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+        return true;
+    } catch (error) {
+        console.error(`Failed to write config: ${error.message}`);
+        return false;
+    }
+}
+
+function maskKey(value) {
+    if (!value) return "(未设置)";
+    if (value.length <= 8) return "***";
+    return value.substring(0, 6) + "***" + value.substring(value.length - 4);
+}
+
+function parseArgs(argv) {
+    const args = {
+        action: null,
+        apiKey: null,
+    };
+    const positional = [];
+
+    for (let i = 2; i < argv.length; i++) {
+        const arg = argv[i];
+        if (arg.startsWith("--")) {
+            const eqIdx = arg.indexOf("=");
+            if (eqIdx !== -1) {
+                const key = arg.slice(2, eqIdx);
+                const value = arg.slice(eqIdx + 1);
+                if (key === "apiKey" || key === "api-key" || key === "key") args.apiKey = value;
+            }
+        } else {
+            positional.push(arg);
+        }
+    }
+
+    args.action = positional[0] || "get";
+    return args;
+}
+
+// ==================== 同步 IDE 配置 ====================
+
+function syncIdeConfigs() {
+    const serverUrl = getMcpServerUrl();
+    const serverName = getMcpServerName();
+    const results = [];
+
+    const syncFns = [
+        { name: "Trae CN", fn: syncTraeIde },
+        { name: "Claude Code", fn: syncClaudeCode },
+        { name: "Qwen Code", fn: syncQwenCode },
+        { name: "Qoder", fn: syncQoder },
+    ];
+
+    for (const { name, fn } of syncFns) {
+        try {
+            fn(serverUrl, serverName);
+            results.push(`  ✓ ${name}`);
+        } catch (e) {
+            results.push(`  ⏭️  ${name}: ${e.message}`);
+        }
+    }
+    return results;
+}
+
+// ==================== 命令实现 ====================
+
+function cmdGet() {
+    const config = loadConfig();
+
+    console.log(`\nMCP 鉴权配置 (${getConfigFilePath()})\n`);
+    console.log(`  MCP_API_KEY : ${maskKey(config.MCP_API_KEY)}`);
+    console.log(`  状态        : ${config.MCP_API_KEY ? "✅ 已开启鉴权" : "⚠️  未设置（服务端无鉴权时可忽略）"}`);
+    console.log(`\n  说明：`);
+    console.log(`  - 设置后，客户端连接时自动通过 X-API-Key 请求头传递`);
+    console.log(`  - 服务端需配置相同的 MCP_API_KEY 环境变量才会校验`);
+    console.log(`  - 用法: npx szcd-mcp-auth set --apiKey=your_api_key\n`);
+}
+
+function cmdSet(apiKey) {
+    if (!apiKey) {
+        console.error("\n❌ 缺少 --apiKey 参数。用法:");
+        console.error("   npx szcd-mcp-auth set --apiKey=your_api_key\n");
+        process.exit(1);
+    }
+
+    const config = loadConfig();
+    const old = maskKey(config.MCP_API_KEY);
+
+    config.MCP_API_KEY = apiKey;
+
+    if (saveConfig(config)) {
+        console.log(`\n✅ API Key 已保存。`);
+        console.log(`  MCP_API_KEY : ${old} → ${maskKey(apiKey)}`);
+        console.log(`  配置文件    : ${getConfigFilePath()}`);
+        console.log(`\n  🔄 同步 IDE 配置...`);
+        const results = syncIdeConfigs();
+        for (const r of results) console.log(r);
+        console.log(`\n  提示：重启 IDE 后生效。\n`);
+        return true;
+    }
+
+    console.log("\n❌ 保存配置失败。\n");
+    return false;
+}
+
+function cmdClear() {
+    const config = loadConfig();
+
+    if (!config.MCP_API_KEY) {
+        console.log("\n⚠️  当前未设置 API Key，无需清除。\n");
+        return false;
+    }
+
+    const old = maskKey(config.MCP_API_KEY);
+    delete config.MCP_API_KEY;
+
+    if (saveConfig(config)) {
+        console.log(`\n✅ API Key 已清除。`);
+        console.log(`  MCP_API_KEY : ${old} → (未设置)`);
+        console.log(`  配置文件    : ${getConfigFilePath()}`);
+        console.log(`\n  🔄 同步 IDE 配置...`);
+        const results = syncIdeConfigs();
+        for (const r of results) console.log(r);
+        console.log(`\n  提示：服务端若已开启鉴权，清除后客户端将无法连接。\n`);
+        return true;
+    }
+
+    console.log("\n❌ 清除配置失败。\n");
+    return false;
+}
+
+// ==================== 帮助信息 ====================
+
+function printHelp() {
+    console.log(`
+Usage: npx szcd-mcp-auth <command> [options]
+
+Commands:
+  get                          查看当前鉴权配置
+  set --apiKey=<key>           设置 MCP API Key
+  clear                        清除 API Key
+
+Options for 'set':
+  --apiKey=<string>            MCP 服务器鉴权密钥（由管理员提供）
+
+Examples:
+  npx szcd-mcp-auth get
+  npx szcd-mcp-auth set --apiKey=3f4ec52f5137dbf2b458d87a28a3948ea88149b1d506e106
+  npx szcd-mcp-auth clear
+
+Config file: ~/.szcd-mcp-config.json
+`);
+}
+
+// ==================== 主函数 ====================
+
+function main() {
+    const args = parseArgs(process.argv);
+
+    if (args.action === "help" || args.action === "-h" || args.action === "--help") {
+        printHelp();
+        process.exit(0);
+    }
+
+    if (args.action === "get") {
+        cmdGet();
+    } else if (args.action === "set") {
+        const ok = cmdSet(args.apiKey);
+        process.exit(ok ? 0 : 1);
+    } else if (args.action === "clear") {
+        const ok = cmdClear();
+        process.exit(ok ? 0 : 1);
+    } else {
+        console.error(`Unknown command: ${args.action}`);
+        printHelp();
+        process.exit(1);
+    }
+}
+
+main();

package/standard-skill/szcd-component-helper/SKILL.md

@@ -19,7 +19,7 @@ compatibility:
 
 **重要说明**：这是一个客户端 skill，通过 MCP 协议（SSE 或 HTTP）连接到远程 MCP 服务器。服务器由管理员维护，包含源码和数据。
 
-**版本**：v0.16.0 - 新增 10 段网段本地网络兼容：api_tool 新增 parse_swagger_json action，客户端新增 local-api-tool 技能，遇到 10.x.x.x 网段自动在本地 curl 获取 Swagger JSON 再交由服务端解析
+**版本**：v0.18.0 - 新增 MCP 鉴权支持：postinstall 自动同步 API Key 到 IDE 配置，szcd-mcp-auth 命令支持 set/clear 并自动更新所有 IDE 的 mcp.json
 
 ## 架构说明