@toolplex/client 0.1.34 → 0.1.35

package/dist/mcp-server/policy/policyEnforcer.d.ts

@@ -46,6 +46,15 @@ export declare class PolicyEnforcer {
      * @returns Filtered list with blocked servers removed
      */
     filterBlockedMcpServers<T>(servers: T[], getServerId: (item: T) => string): T[];
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy<T>(servers: T[], getServerId: (item: T) => string): T[];
     /**
      * Get a reference to the CallToolObserver instance.
      */

package/dist/mcp-server/policy/policyEnforcer.js

@@ -84,6 +84,20 @@ export class PolicyEnforcer {
         }
         return this.serverPolicy.filterBlockedMcpServers(servers, getServerId);
     }
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy(servers, getServerId) {
+        if (!this.serverPolicy) {
+            throw new Error("PolicyEnforcer not initialized");
+        }
+        return this.serverPolicy.filterServersByPolicy(servers, getServerId);
+    }
     /**
      * Get a reference to the CallToolObserver instance.
      */

package/dist/mcp-server/policy/serverPolicy.d.ts

@@ -11,6 +11,8 @@ export declare class ServerPolicy {
     enforceBlockedServerPolicy(serverId: string): void;
     /**
      * Validates that a server is allowed.
+     * - For org users: if allowlist is empty/null, NO servers are allowed
+     * - For non-org users: if allowlist is empty/null, all servers are allowed
      *
      * @throws Error if attempting to use a server not in the allowed list
      */
@@ -36,4 +38,23 @@ export declare class ServerPolicy {
      * @returns Filtered list with blocked servers removed
      */
     filterBlockedMcpServers<T>(servers: T[], getServerId: (item: T) => string): T[];
+    /**
+     * Filters servers to only include allowed servers (if allowlist is set).
+     * - For org users: if allowlist is empty/null, return NO servers (admin hasn't approved any)
+     * - For non-org users: if allowlist is empty/null, return all servers (no restrictions)
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with only allowed servers
+     */
+    filterToAllowedServers<T>(servers: T[], getServerId: (item: T) => string): T[];
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy<T>(servers: T[], getServerId: (item: T) => string): T[];
 }

package/dist/mcp-server/policy/serverPolicy.js

@@ -15,14 +15,24 @@ export class ServerPolicy {
     }
     /**
      * Validates that a server is allowed.
+     * - For org users: if allowlist is empty/null, NO servers are allowed
+     * - For non-org users: if allowlist is empty/null, all servers are allowed
      *
      * @throws Error if attempting to use a server not in the allowed list
      */
     enforceAllowedServerPolicy(serverId) {
         const allowedServers = this.clientContext.permissions.allowed_mcp_servers;
-        if (allowedServers &&
-            allowedServers.length > 0 &&
-            !allowedServers.includes(serverId)) {
+        // If allowlist is empty/null
+        if (!allowedServers || allowedServers.length === 0) {
+            // For org users: empty allowlist means NO servers approved
+            if (this.clientContext.isOrgUser) {
+                throw new Error(`No tools have been approved for your organization yet. Please contact your admin to approve tools on the ToolPlex Dashboard.`);
+            }
+            // For non-org users: no restrictions
+            return;
+        }
+        // Check if server is in the allowlist
+        if (!allowedServers.includes(serverId)) {
             throw new Error(`Server "${serverId}" is not allowed for your account. Please adjust the Allowed MCP Servers permissions on the ToolPlex Dashboard if this is a mistake.`);
         }
     }
@@ -60,4 +70,39 @@ export class ServerPolicy {
     filterBlockedMcpServers(servers, getServerId) {
         return servers.filter((server) => !this.blockedMcpServersSet.has(getServerId(server)));
     }
+    /**
+     * Filters servers to only include allowed servers (if allowlist is set).
+     * - For org users: if allowlist is empty/null, return NO servers (admin hasn't approved any)
+     * - For non-org users: if allowlist is empty/null, return all servers (no restrictions)
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with only allowed servers
+     */
+    filterToAllowedServers(servers, getServerId) {
+        const allowedServers = this.clientContext.permissions.allowed_mcp_servers;
+        // If no allowlist configured
+        if (!allowedServers || allowedServers.length === 0) {
+            // For org users: empty allowlist means NO servers approved yet
+            if (this.clientContext.isOrgUser) {
+                return [];
+            }
+            // For non-org users: no restrictions, return all
+            return servers;
+        }
+        const allowedSet = new Set(allowedServers);
+        return servers.filter((server) => allowedSet.has(getServerId(server)));
+    }
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy(servers, getServerId) {
+        const withoutBlocked = this.filterBlockedMcpServers(servers, getServerId);
+        return this.filterToAllowedServers(withoutBlocked, getServerId);
+    }
 }

package/dist/mcp-server/toolHandlers/initHandler.js

@@ -115,8 +115,13 @@ export async function handleInitialize(params) {
     else {
         await logger.debug("No session resume history provided (new session)");
     }
-    const allSucceeded = serverManagerInitResults.succeeded;
-    const allFailures = serverManagerInitResults.failures;
+    // Filter servers by policy (blocked + allowed)
+    const allSucceeded = policyEnforcer.filterServersByPolicy(serverManagerInitResults.succeeded, (s) => s.server_id);
+    // Also filter failures by policy
+    const failureEntries = Object.entries(serverManagerInitResults.failures);
+    const filteredFailureEntries = policyEnforcer.filterServersByPolicy(failureEntries, ([serverId]) => serverId);
+    const allFailures = Object.fromEntries(filteredFailureEntries);
+    await logger.info(`Filtered to ${allSucceeded.length} servers (policy enforced)`);
     // Initialize the serversCache with the succeeded servers
     serversCache.init(allSucceeded);
     await logger.debug(`Total successes: ${allSucceeded.length}, Total failures: ${Object.keys(allFailures).length}`);

package/dist/mcp-server/toolHandlers/listServersHandler.js

@@ -24,8 +24,8 @@ export async function handleListServers() {
                 continue;
             }
             if (parsed.data.servers && parsed.data.servers.length > 0) {
-                // Filter out blocked servers
-                const filteredServers = policyEnforcer.filterBlockedMcpServers(parsed.data.servers, (server) => server.server_id);
+                // Filter servers by policy (blocked + allowed)
+                const filteredServers = policyEnforcer.filterServersByPolicy(parsed.data.servers, (server) => server.server_id);
                 filteredServers.forEach((server) => {
                     // Add to allServers for cache update and structured response
                     allServers.push({

package/dist/mcp-server/toolHandlers/listToolsHandler.js

@@ -68,9 +68,9 @@ export async function handleListTools(params) {
                     await logger.error(`Invalid response from server manager: ${parsed.error}, runtime: ${runtime}`);
                     continue;
                 }
-                // Filter out blocked servers
+                // Filter servers by policy (blocked + allowed)
                 const serverEntries = Object.entries(parsed.data.tools);
-                const filteredEntries = policyEnforcer.filterBlockedMcpServers(serverEntries, ([serverId]) => serverId);
+                const filteredEntries = policyEnforcer.filterServersByPolicy(serverEntries, ([serverId]) => serverId);
                 for (const [serverId, serverTools] of filteredEntries) {
                     if (serverTools && serverTools.length > 0) {
                         allServerTools.push({

package/dist/src/mcp-server/policy/policyEnforcer.js

@@ -84,6 +84,20 @@ export class PolicyEnforcer {
         }
         return this.serverPolicy.filterBlockedMcpServers(servers, getServerId);
     }
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy(servers, getServerId) {
+        if (!this.serverPolicy) {
+            throw new Error("PolicyEnforcer not initialized");
+        }
+        return this.serverPolicy.filterServersByPolicy(servers, getServerId);
+    }
     /**
      * Get a reference to the CallToolObserver instance.
      */

package/dist/src/mcp-server/policy/serverPolicy.js

@@ -15,14 +15,24 @@ export class ServerPolicy {
     }
     /**
      * Validates that a server is allowed.
+     * - For org users: if allowlist is empty/null, NO servers are allowed
+     * - For non-org users: if allowlist is empty/null, all servers are allowed
      *
      * @throws Error if attempting to use a server not in the allowed list
      */
     enforceAllowedServerPolicy(serverId) {
         const allowedServers = this.clientContext.permissions.allowed_mcp_servers;
-        if (allowedServers &&
-            allowedServers.length > 0 &&
-            !allowedServers.includes(serverId)) {
+        // If allowlist is empty/null
+        if (!allowedServers || allowedServers.length === 0) {
+            // For org users: empty allowlist means NO servers approved
+            if (this.clientContext.isOrgUser) {
+                throw new Error(`No tools have been approved for your organization yet. Please contact your admin to approve tools on the ToolPlex Dashboard.`);
+            }
+            // For non-org users: no restrictions
+            return;
+        }
+        // Check if server is in the allowlist
+        if (!allowedServers.includes(serverId)) {
             throw new Error(`Server "${serverId}" is not allowed for your account. Please adjust the Allowed MCP Servers permissions on the ToolPlex Dashboard if this is a mistake.`);
         }
     }
@@ -60,4 +70,39 @@ export class ServerPolicy {
     filterBlockedMcpServers(servers, getServerId) {
         return servers.filter((server) => !this.blockedMcpServersSet.has(getServerId(server)));
     }
+    /**
+     * Filters servers to only include allowed servers (if allowlist is set).
+     * - For org users: if allowlist is empty/null, return NO servers (admin hasn't approved any)
+     * - For non-org users: if allowlist is empty/null, return all servers (no restrictions)
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with only allowed servers
+     */
+    filterToAllowedServers(servers, getServerId) {
+        const allowedServers = this.clientContext.permissions.allowed_mcp_servers;
+        // If no allowlist configured
+        if (!allowedServers || allowedServers.length === 0) {
+            // For org users: empty allowlist means NO servers approved yet
+            if (this.clientContext.isOrgUser) {
+                return [];
+            }
+            // For non-org users: no restrictions, return all
+            return servers;
+        }
+        const allowedSet = new Set(allowedServers);
+        return servers.filter((server) => allowedSet.has(getServerId(server)));
+    }
+    /**
+     * Applies both blocked and allowed server filtering.
+     * First removes blocked servers, then filters to allowed servers (if set).
+     *
+     * @param servers List of objects containing server IDs
+     * @param getServerId Function that extracts the server ID from an object
+     * @returns Filtered list with policy applied
+     */
+    filterServersByPolicy(servers, getServerId) {
+        const withoutBlocked = this.filterBlockedMcpServers(servers, getServerId);
+        return this.filterToAllowedServers(withoutBlocked, getServerId);
+    }
 }

package/dist/src/mcp-server/toolHandlers/initHandler.js

@@ -115,8 +115,13 @@ export async function handleInitialize(params) {
     else {
         await logger.debug("No session resume history provided (new session)");
     }
-    const allSucceeded = serverManagerInitResults.succeeded;
-    const allFailures = serverManagerInitResults.failures;
+    // Filter servers by policy (blocked + allowed)
+    const allSucceeded = policyEnforcer.filterServersByPolicy(serverManagerInitResults.succeeded, (s) => s.server_id);
+    // Also filter failures by policy
+    const failureEntries = Object.entries(serverManagerInitResults.failures);
+    const filteredFailureEntries = policyEnforcer.filterServersByPolicy(failureEntries, ([serverId]) => serverId);
+    const allFailures = Object.fromEntries(filteredFailureEntries);
+    await logger.info(`Filtered to ${allSucceeded.length} servers (policy enforced)`);
     // Initialize the serversCache with the succeeded servers
     serversCache.init(allSucceeded);
     await logger.debug(`Total successes: ${allSucceeded.length}, Total failures: ${Object.keys(allFailures).length}`);

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const version = "0.1.34";
+export declare const version = "0.1.35";

package/dist/version.js

@@ -1 +1 @@
-export const version = '0.1.34';
+export const version = '0.1.35';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toolplex/client",
-  "version": "0.1.34",
+  "version": "0.1.35",
   "author": "ToolPlex LLC",
   "license": "SEE LICENSE IN LICENSE",
   "description": "The official ToolPlex client for AI agent tool discovery and execution",