@utaba/ucm-mcp-server 4.3.2 → 5.0.0

package/dist/clients/UcmLocalApiClient.d.ts

@@ -114,6 +114,40 @@ export declare class UcmLocalApiClient {
         limit?: number;
         offset?: number;
     }): Promise<string>;
+    /**
+     * Access a specific external connection
+     * Returns connection details, auth status, and available tool schemas
+     * Connection type is auto-detected by the server from the connectionId
+     */
+    accessConnection(connectionId: string): Promise<{
+        success: boolean;
+        connectionId: string;
+        connectionType: 'sharepoint' | 'remote-mcp';
+        connectionName: string;
+        isAuthenticated: boolean;
+        authRequired?: boolean;
+        loginUrl?: string;
+        tools?: any[];
+        markdown: string;
+    }>;
+    /**
+     * Call a tool on an external connection
+     * Executes a tool on a SharePoint connection or Remote MCP Server
+     * Connection type is auto-detected by the server from the connectionId
+     */
+    callRemoteTool(connectionId: string, toolName: string, args?: Record<string, any>): Promise<{
+        success: boolean;
+        connectionId: string;
+        connectionType: 'sharepoint' | 'remote-mcp';
+        toolName: string;
+        result?: any;
+        error?: string;
+        errorCode?: string;
+        authRequired?: boolean;
+        loginUrl?: string;
+        loginMessage?: string;
+        markdown: string;
+    }>;
     /**
      * Search SharePoint documents using Microsoft Search API
      * Uses V1 API - organizationId is auto-detected from auth token
@@ -159,7 +193,20 @@ export declare class UcmLocalApiClient {
      * Revoke SharePoint OnBehalfOf authorization for a connection
      * Deletes user's access tokens from Key Vault and database
      * Uses V1 API - organizationId is auto-detected from auth token
+     * @deprecated Use signOut with connectionType='sharepoint' instead
      */
     sharePointSignOut(connectionId: string): Promise<any>;
+    /**
+     * Unified OAuth sign out for any connection type
+     * Revokes user's OAuth authorization by deleting tokens from Key Vault and database
+     * @param connectionType - Type of connection: 'sharepoint' | 'remote-mcp'
+     * @param connectionId - Connection ID to revoke authorization for
+     */
+    signOut(connectionType: string, connectionId: string): Promise<any>;
+    /**
+     * List all user's active OAuth authorizations
+     * @param connectionType - Optional filter: 'sharepoint' | 'remote-mcp' | 'all' (default: 'all')
+     */
+    listAuthorizations(connectionType?: string): Promise<any>;
 }
 //# sourceMappingURL=UcmLocalApiClient.d.ts.map

package/dist/clients/UcmLocalApiClient.js

@@ -373,6 +373,30 @@ export class UcmLocalApiClient {
         const response = await client.get(url, { params });
         return response.data;
     }
+    /**
+     * Access a specific external connection
+     * Returns connection details, auth status, and available tool schemas
+     * Connection type is auto-detected by the server from the connectionId
+     */
+    async accessConnection(connectionId) {
+        const client = this.ensureClient();
+        const response = await client.get(`/api/v1/connections/${connectionId}`);
+        return response.data;
+    }
+    /**
+     * Call a tool on an external connection
+     * Executes a tool on a SharePoint connection or Remote MCP Server
+     * Connection type is auto-detected by the server from the connectionId
+     */
+    async callRemoteTool(connectionId, toolName, args) {
+        const client = this.ensureClient();
+        const body = {
+            toolName,
+            args: args || {}
+        };
+        const response = await client.post(`/api/v1/connections/${connectionId}/tools`, body);
+        return response.data;
+    }
     /**
      * Search SharePoint documents using Microsoft Search API
      * Uses V1 API - organizationId is auto-detected from auth token
@@ -450,11 +474,42 @@ export class UcmLocalApiClient {
      * Revoke SharePoint OnBehalfOf authorization for a connection
      * Deletes user's access tokens from Key Vault and database
      * Uses V1 API - organizationId is auto-detected from auth token
+     * @deprecated Use signOut with connectionType='sharepoint' instead
      */
     async sharePointSignOut(connectionId) {
         const client = this.ensureClient();
         const response = await client.post(`/api/v1/connections/sharepoint/signout`, { connectionId });
         return response.data;
     }
+    /**
+     * Unified OAuth sign out for any connection type
+     * Revokes user's OAuth authorization by deleting tokens from Key Vault and database
+     * @param connectionType - Type of connection: 'sharepoint' | 'remote-mcp'
+     * @param connectionId - Connection ID to revoke authorization for
+     */
+    async signOut(connectionType, connectionId) {
+        const client = this.ensureClient();
+        // Route to appropriate endpoint based on connection type
+        if (connectionType === 'sharepoint') {
+            const response = await client.post(`/api/v1/connections/sharepoint/signout`, { connectionId });
+            return response.data;
+        }
+        else if (connectionType === 'remote-mcp') {
+            // Remote MCP uses the oauth signout endpoint
+            const response = await client.post(`/api/v1/oauth/signout`, { connectionType, connectionId });
+            return response.data;
+        }
+        throw new Error(`Unsupported connection type: ${connectionType}`);
+    }
+    /**
+     * List all user's active OAuth authorizations
+     * @param connectionType - Optional filter: 'sharepoint' | 'remote-mcp' | 'all' (default: 'all')
+     */
+    async listAuthorizations(connectionType) {
+        const client = this.ensureClient();
+        const params = connectionType && connectionType !== 'all' ? { connectionType } : {};
+        const response = await client.get('/api/v1/oauth/authorizations', { params });
+        return response.data;
+    }
 }
 //# sourceMappingURL=UcmLocalApiClient.js.map

package/dist/server/ToolRegistry.js

@@ -21,13 +21,20 @@ import { CreateRepositoryTool } from '../tools/repository/CreateRepositoryTool.j
 import { GetRepositoryTool } from '../tools/repository/GetRepositoryTool.js';
 import { UpdateRepositoryTool } from '../tools/repository/UpdateRepositoryTool.js';
 import { DeleteRepositoryGuidanceTool } from '../tools/repository/DeleteRepositoryGuidanceTool.js';
-// Import SharePoint tools
+// Import connection/SharePoint tools
 import { SharePointListConnectionsTool as ListConnectionsTool } from '../tools/sharepoint/SharePointListConnectionsTool.js';
-import { SharePointSearchTool } from '../tools/sharepoint/SharePointSearchTool.js';
-import { SharePointListFoldersTool } from '../tools/sharepoint/SharePointListFoldersTool.js';
-import { SharePointReadFileTool } from '../tools/sharepoint/SharePointReadFileTool.js';
-import { SharePointReadRelatedFileTool } from '../tools/sharepoint/SharePointReadRelatedFileTool.js';
-import { SharePointSignOutTool } from '../tools/sharepoint/SharePointSignOutTool.js';
+// DEPRECATED: Legacy SharePoint tools - use ucm_call_remote_tool via unified gateway instead
+// Commented out 2026-02-13 - pending confirmation that unified gateway works correctly
+// import { SharePointSearchTool } from '../tools/sharepoint/SharePointSearchTool.js';
+// import { SharePointListFoldersTool } from '../tools/sharepoint/SharePointListFoldersTool.js';
+// import { SharePointReadFileTool } from '../tools/sharepoint/SharePointReadFileTool.js';
+// import { SharePointReadRelatedFileTool } from '../tools/sharepoint/SharePointReadRelatedFileTool.js';
+// Import unified authorization tools
+import { SignOutTool } from '../tools/authorization/SignOutTool.js';
+import { ListAuthorizationsTool } from '../tools/authorization/ListAuthorizationsTool.js';
+// Import connection tools
+import { AccessConnectionTool } from '../tools/connections/AccessConnectionTool.js';
+import { CallRemoteToolTool } from '../tools/connections/CallRemoteToolTool.js';
 export class ToolRegistry {
     ucmClient;
     logger;
@@ -66,13 +73,20 @@ export class ToolRegistry {
         this.registerTool(new GetRepositoryTool(this.ucmClient, this.logger, this.authorId));
         this.registerTool(new UpdateRepositoryTool(this.ucmClient, this.logger, this.authorId));
         this.registerTool(new DeleteRepositoryGuidanceTool(this.ucmClient, this.logger, this.authorId, this.baseUrl));
-        // Register SharePoint tools
+        // Register connection tools (ListConnectionsTool is unified - lists all connection types)
         this.registerTool(new ListConnectionsTool(this.ucmClient, this.logger, this.authorId));
-        this.registerTool(new SharePointSearchTool(this.ucmClient, this.logger, this.authorId));
-        this.registerTool(new SharePointListFoldersTool(this.ucmClient, this.logger, this.authorId));
-        this.registerTool(new SharePointReadFileTool(this.ucmClient, this.logger, this.authorId));
-        this.registerTool(new SharePointReadRelatedFileTool(this.ucmClient, this.logger, this.authorId));
-        this.registerTool(new SharePointSignOutTool(this.ucmClient, this.logger, this.authorId));
+        // DEPRECATED: Legacy SharePoint tools - use ucm_call_remote_tool via unified gateway instead
+        // Commented out 2026-02-13 - pending confirmation that unified gateway works correctly
+        // this.registerTool(new SharePointSearchTool(this.ucmClient, this.logger, this.authorId));
+        // this.registerTool(new SharePointListFoldersTool(this.ucmClient, this.logger, this.authorId));
+        // this.registerTool(new SharePointReadFileTool(this.ucmClient, this.logger, this.authorId));
+        // this.registerTool(new SharePointReadRelatedFileTool(this.ucmClient, this.logger, this.authorId));
+        // Register connection tools (unified gateway)
+        this.registerTool(new AccessConnectionTool(this.ucmClient, this.logger, this.authorId));
+        this.registerTool(new CallRemoteToolTool(this.ucmClient, this.logger, this.authorId));
+        // Register unified authorization tools
+        this.registerTool(new SignOutTool(this.ucmClient, this.logger, this.authorId));
+        this.registerTool(new ListAuthorizationsTool(this.ucmClient, this.logger, this.authorId));
         this.logger.info('ToolRegistry', `Registered ${this.tools.size} MCP tools`);
     }
     registerTool(tool) {

package/dist/tools/authorization/ListAuthorizationsTool.d.ts

@@ -0,0 +1,21 @@
+/**
+ * ListAuthorizationsTool - List all user's active OAuth authorizations
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { UcmLocalApiClient } from '../../clients/UcmLocalApiClient.js';
+import { ILogger } from '../../interfaces/ILogger.js';
+export declare class ListAuthorizationsTool extends BaseToolController {
+    constructor(ucmClient: UcmLocalApiClient, logger: ILogger, publishingAuthorId?: string);
+    get name(): string;
+    get description(): string;
+    get inputSchema(): any;
+    protected validateParams(params: any): void;
+    protected handleExecute(params: {
+        connectionType?: string;
+    }): Promise<any>;
+    /**
+     * Format authorizations response as markdown
+     */
+    private formatAuthorizationsResponse;
+}
+//# sourceMappingURL=ListAuthorizationsTool.d.ts.map

package/dist/tools/authorization/ListAuthorizationsTool.js

@@ -0,0 +1,146 @@
+/**
+ * ListAuthorizationsTool - List all user's active OAuth authorizations
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { McpError, McpErrorCode } from '../../utils/McpErrorHandler.js';
+export class ListAuthorizationsTool extends BaseToolController {
+    constructor(ucmClient, logger, publishingAuthorId) {
+        super(ucmClient, logger, publishingAuthorId);
+    }
+    get name() {
+        return 'ucm_list_authorizations';
+    }
+    get description() {
+        return 'List all your active OAuth authorizations across connection types. Shows which services you are currently authorized to access, with expiry info and connection details.';
+    }
+    get inputSchema() {
+        return {
+            type: 'object',
+            properties: {
+                connectionType: {
+                    type: 'string',
+                    enum: ['sharepoint', 'remote-mcp', 'all'],
+                    description: 'Filter by connection type. Default: "all"'
+                }
+            },
+            required: []
+        };
+    }
+    validateParams(params) {
+        super.validateParams(params);
+        // Validate connectionType if provided
+        if (params.connectionType) {
+            const validTypes = ['sharepoint', 'remote-mcp', 'all'];
+            if (!validTypes.includes(params.connectionType)) {
+                throw new McpError(McpErrorCode.InvalidParams, `connectionType must be one of: ${validTypes.join(', ')}`);
+            }
+        }
+    }
+    async handleExecute(params) {
+        const filter = params.connectionType || 'all';
+        this.logger.info('ListAuthorizationsTool', `Listing authorizations (filter: ${filter})`);
+        try {
+            // Call API to list authorizations
+            const result = await this.ucmClient.listAuthorizations(filter);
+            this.logger.info('ListAuthorizationsTool', 'Authorizations retrieved successfully', '', {
+                filter,
+                count: result.authorizations?.length || 0
+            });
+            // Return structured markdown response
+            const markdown = this.formatAuthorizationsResponse(result, filter);
+            return markdown;
+        }
+        catch (error) {
+            const sanitizedError = {
+                message: error?.message,
+                status: error?.response?.status,
+                data: error?.response?.data
+            };
+            this.logger.error('ListAuthorizationsTool', 'Failed to list authorizations', '', sanitizedError);
+            if (error instanceof McpError) {
+                throw error;
+            }
+            if (error.response) {
+                const status = error.response.status;
+                const errorData = error.response.data;
+                if (status === 401 || status === 403) {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Access denied: ${errorData?.message || 'Not authorized'}`);
+                }
+                throw new McpError(McpErrorCode.InternalError, `API error: ${errorData?.message || error.message}`);
+            }
+            throw new McpError(McpErrorCode.InternalError, `Failed to list authorizations: ${error.message}`);
+        }
+    }
+    /**
+     * Format authorizations response as markdown
+     */
+    formatAuthorizationsResponse(result, filter) {
+        const lines = [];
+        const authorizations = result.authorizations || [];
+        lines.push('# Your OAuth Authorizations\n');
+        if (authorizations.length === 0) {
+            if (filter === 'all') {
+                lines.push('You have no active OAuth authorizations.\n');
+                lines.push('When you access services that require OAuth (like SharePoint or Remote MCP Servers), you will be prompted to authorize.');
+            }
+            else {
+                lines.push(`You have no active ${filter} authorizations.\n`);
+            }
+        }
+        else {
+            lines.push(`Found ${authorizations.length} active authorization(s)${filter !== 'all' ? ` for ${filter}` : ''}.\n`);
+            // Group by connection type
+            const grouped = new Map();
+            for (const auth of authorizations) {
+                const type = auth.connectionType || 'other';
+                if (!grouped.has(type)) {
+                    grouped.set(type, []);
+                }
+                grouped.get(type).push(auth);
+            }
+            const typeNames = {
+                'sharepoint': 'SharePoint Connections',
+                'remote-mcp': 'Remote MCP Servers'
+            };
+            for (const [type, auths] of grouped) {
+                const typeName = typeNames[type] || type;
+                lines.push(`## ${typeName}\n`);
+                for (const auth of auths) {
+                    const now = new Date();
+                    const refreshTokenExpiresAt = auth.refreshTokenExpiresAt ? new Date(auth.refreshTokenExpiresAt) : null;
+                    const accessTokenExpiresAt = auth.expiresAt ? new Date(auth.expiresAt) : null;
+                    // Authorization is expired only if refresh token has expired
+                    // Access token expiry doesn't matter - it will auto-refresh
+                    const isExpired = refreshTokenExpiresAt ? refreshTokenExpiresAt < now : false;
+                    const accessTokenExpired = accessTokenExpiresAt ? accessTokenExpiresAt < now : false;
+                    let status;
+                    if (isExpired) {
+                        status = '**Expired** (re-authorization required)';
+                    }
+                    else if (refreshTokenExpiresAt) {
+                        status = `Active (valid until ${refreshTokenExpiresAt.toISOString()} UTC)`;
+                    }
+                    else {
+                        // No refresh token expiry means it doesn't expire (e.g., Google)
+                        status = 'Active (does not expire)';
+                    }
+                    lines.push(`### ${auth.connectionName || auth.connectionId}`);
+                    lines.push(`- **Connection ID**: ${auth.connectionId}`);
+                    lines.push(`- **Provider**: ${auth.providerType || type}`);
+                    lines.push(`- **Status**: ${status}`);
+                    if (accessTokenExpired && !isExpired) {
+                        lines.push(`- **Note**: Access token expired but will auto-refresh on next use`);
+                    }
+                    if (auth.scopes) {
+                        lines.push(`- **Scopes**: ${auth.scopes}`);
+                    }
+                    lines.push('');
+                }
+            }
+            lines.push('\n## Actions\n');
+            lines.push('To revoke an authorization, use: `ucm_signout` with connectionType and connectionId');
+        }
+        return lines.join('\n');
+    }
+}
+//# sourceMappingURL=ListAuthorizationsTool.js.map

package/dist/tools/authorization/SignOutTool.d.ts

@@ -0,0 +1,23 @@
+/**
+ * SignOutTool - Unified OAuth sign out for all connection types
+ * Replaces SharePointSignOutTool with a unified tool supporting multiple connection types
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { UcmLocalApiClient } from '../../clients/UcmLocalApiClient.js';
+import { ILogger } from '../../interfaces/ILogger.js';
+export declare class SignOutTool extends BaseToolController {
+    constructor(ucmClient: UcmLocalApiClient, logger: ILogger, publishingAuthorId?: string);
+    get name(): string;
+    get description(): string;
+    get inputSchema(): any;
+    protected validateParams(params: any): void;
+    protected handleExecute(params: {
+        connectionType: string;
+        connectionId: string;
+    }): Promise<any>;
+    /**
+     * Format sign out response as markdown
+     */
+    private formatSignOutResponse;
+}
+//# sourceMappingURL=SignOutTool.d.ts.map

package/dist/tools/authorization/SignOutTool.js

@@ -0,0 +1,128 @@
+/**
+ * SignOutTool - Unified OAuth sign out for all connection types
+ * Replaces SharePointSignOutTool with a unified tool supporting multiple connection types
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { McpError, McpErrorCode } from '../../utils/McpErrorHandler.js';
+export class SignOutTool extends BaseToolController {
+    constructor(ucmClient, logger, publishingAuthorId) {
+        super(ucmClient, logger, publishingAuthorId);
+    }
+    get name() {
+        return 'ucm_signout';
+    }
+    get description() {
+        return 'Sign out from an OAuth-authorized connection. Revokes user-delegated permissions by deleting access tokens. Works for SharePoint OnBehalfOf connections and Remote MCP Servers with user-delegated OAuth.';
+    }
+    get inputSchema() {
+        return {
+            type: 'object',
+            properties: {
+                connectionType: {
+                    type: 'string',
+                    enum: ['sharepoint', 'remote-mcp'],
+                    description: 'Type of connection: "sharepoint" or "remote-mcp"'
+                },
+                connectionId: {
+                    type: 'string',
+                    description: 'Connection ID to revoke authorization for (get from ucm_list_authorizations or ucm_list_connections)',
+                    minLength: 36,
+                    maxLength: 36
+                }
+            },
+            required: ['connectionType', 'connectionId']
+        };
+    }
+    validateParams(params) {
+        super.validateParams(params);
+        // Validate connectionType
+        if (!params.connectionType || typeof params.connectionType !== 'string') {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionType is required and must be a string');
+        }
+        const validTypes = ['sharepoint', 'remote-mcp'];
+        if (!validTypes.includes(params.connectionType)) {
+            throw new McpError(McpErrorCode.InvalidParams, `connectionType must be one of: ${validTypes.join(', ')}`);
+        }
+        // Validate connectionId
+        if (!params.connectionId || typeof params.connectionId !== 'string') {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId is required and must be a string');
+        }
+        if (params.connectionId.length !== 36) {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId must be a valid UUID (36 characters)');
+        }
+    }
+    async handleExecute(params) {
+        this.logger.info('SignOutTool', `Revoking ${params.connectionType} authorization for connection ${params.connectionId}`);
+        try {
+            // Call unified API method
+            const result = await this.ucmClient.signOut(params.connectionType, params.connectionId);
+            this.logger.info('SignOutTool', 'Authorization revoked successfully', '', {
+                connectionType: params.connectionType,
+                connectionId: params.connectionId,
+                success: result.success
+            });
+            // Return structured markdown response
+            const markdown = this.formatSignOutResponse(params.connectionType, params.connectionId, result);
+            return markdown;
+        }
+        catch (error) {
+            // Sanitize error for logging to avoid circular reference issues
+            const sanitizedError = {
+                message: error?.message,
+                status: error?.response?.status,
+                data: error?.response?.data
+            };
+            this.logger.error('SignOutTool', 'Failed to revoke authorization', '', sanitizedError);
+            if (error instanceof McpError) {
+                throw error;
+            }
+            // Handle API errors
+            if (error.response) {
+                const status = error.response.status;
+                const errorData = error.response.data;
+                if (status === 401 || status === 403) {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Access denied: ${errorData?.message || 'Not authorized to revoke authorization'}`);
+                }
+                if (status === 404) {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Connection not found: ${errorData?.message || 'Connection does not exist'}`);
+                }
+                if (status === 400 && errorData?.error === 'INVALID_AUTH_TYPE') {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Invalid operation: This connection does not use user-delegated authentication.`);
+                }
+                throw new McpError(McpErrorCode.InternalError, `API error: ${errorData?.message || error.message}`);
+            }
+            throw new McpError(McpErrorCode.InternalError, `Failed to revoke authorization: ${error.message}`);
+        }
+    }
+    /**
+     * Format sign out response as markdown
+     */
+    formatSignOutResponse(connectionType, connectionId, result) {
+        const lines = [];
+        const providerName = connectionType === 'sharepoint' ? 'SharePoint' : 'Remote MCP Server';
+        lines.push(`# ${providerName} Authorization Revoked\n`);
+        if (result.success) {
+            lines.push('✅ **Status**: Authorization successfully revoked\n');
+            lines.push(`**Connection ID**: ${result.connectionId || connectionId}\n`);
+            if (result.connectionName) {
+                lines.push(`**Connection Name**: ${result.connectionName}\n`);
+            }
+            if (result.revokedAt) {
+                lines.push(`**Revoked At**: ${new Date(result.revokedAt).toLocaleString()}\n`);
+            }
+            lines.push('\n## What This Means\n');
+            lines.push('- Your access tokens have been deleted from the system');
+            lines.push(`- You are now signed out of this ${providerName} connection`);
+            lines.push('- To access this service again, you will be prompted to re-authorize on next use\n');
+        }
+        else {
+            lines.push('⚠️ **Status**: Revocation failed or not needed\n');
+            lines.push(`**Message**: ${result.message}\n`);
+            if (result.details?.reason) {
+                lines.push(`**Reason**: ${result.details.reason}\n`);
+            }
+        }
+        return lines.join('\n');
+    }
+}
+//# sourceMappingURL=SignOutTool.js.map

package/dist/tools/connections/AccessConnectionTool.d.ts

@@ -0,0 +1,20 @@
+/**
+ * AccessConnectionTool
+ * Access a specific external connection, check auth status, and return available tool schemas.
+ *
+ * Phase 2 of Unified Connection Gateway Implementation
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { UcmLocalApiClient } from '../../clients/UcmLocalApiClient.js';
+import { ILogger } from '../../interfaces/ILogger.js';
+export declare class AccessConnectionTool extends BaseToolController {
+    constructor(ucmClient: UcmLocalApiClient, logger: ILogger, publishingAuthorId?: string);
+    get name(): string;
+    get description(): string;
+    get inputSchema(): any;
+    protected validateParams(params: any): void;
+    protected handleExecute(params: {
+        connectionId: string;
+    }): Promise<any>;
+}
+//# sourceMappingURL=AccessConnectionTool.d.ts.map

package/dist/tools/connections/AccessConnectionTool.js

@@ -0,0 +1,83 @@
+/**
+ * AccessConnectionTool
+ * Access a specific external connection, check auth status, and return available tool schemas.
+ *
+ * Phase 2 of Unified Connection Gateway Implementation
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { McpError, McpErrorCode } from '../../utils/McpErrorHandler.js';
+export class AccessConnectionTool extends BaseToolController {
+    constructor(ucmClient, logger, publishingAuthorId) {
+        super(ucmClient, logger, publishingAuthorId);
+    }
+    get name() {
+        return 'ucm_access_connection';
+    }
+    get description() {
+        return 'Access a specific external connection, check auth status, and return available tool schemas. Use this to see what tools are available for a connection before calling them.';
+    }
+    get inputSchema() {
+        return {
+            type: 'object',
+            properties: {
+                connectionId: {
+                    type: 'string',
+                    description: 'Connection ID (SharePoint connection or Remote MCP Server) from ucm_list_connections',
+                    minLength: 36,
+                    maxLength: 36
+                }
+            },
+            required: ['connectionId']
+        };
+    }
+    validateParams(params) {
+        super.validateParams(params);
+        // Validate connectionId
+        if (!params.connectionId || typeof params.connectionId !== 'string') {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId is required and must be a string');
+        }
+        if (params.connectionId.length !== 36) {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId must be a valid UUID (36 characters)');
+        }
+    }
+    async handleExecute(params) {
+        this.logger.info('AccessConnectionTool', `Accessing connection: ${params.connectionId}`);
+        try {
+            const result = await this.ucmClient.accessConnection(params.connectionId);
+            this.logger.info('AccessConnectionTool', 'Connection accessed successfully', '', {
+                connectionId: params.connectionId,
+                connectionType: result.connectionType,
+                isAuthenticated: result.isAuthenticated,
+                toolCount: result.tools?.length || 0
+            });
+            // Return the markdown content for AI consumption
+            return result.markdown;
+        }
+        catch (error) {
+            // Sanitize error for logging
+            const sanitizedError = {
+                message: error?.message,
+                status: error?.response?.status,
+                data: error?.response?.data
+            };
+            this.logger.error('AccessConnectionTool', 'Failed to access connection', '', sanitizedError);
+            if (error instanceof McpError) {
+                throw error;
+            }
+            // Handle API errors
+            if (error.response) {
+                const status = error.response.status;
+                const errorData = error.response.data;
+                if (status === 401 || status === 403) {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Access denied: ${errorData?.message || 'Not authorized to access this connection'}`);
+                }
+                if (status === 404) {
+                    throw new McpError(McpErrorCode.InvalidParams, `Connection not found: ${params.connectionId}`);
+                }
+                throw new McpError(McpErrorCode.InternalError, `API error: ${errorData?.message || error.message}`);
+            }
+            throw new McpError(McpErrorCode.InternalError, `Failed to access connection: ${error.message}`);
+        }
+    }
+}
+//# sourceMappingURL=AccessConnectionTool.js.map

package/dist/tools/connections/CallRemoteToolTool.d.ts

@@ -0,0 +1,22 @@
+/**
+ * CallRemoteToolTool
+ * Execute a tool on an external connection (SharePoint or Remote MCP Server).
+ *
+ * Phase 3 of Unified Connection Gateway Implementation
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { UcmLocalApiClient } from '../../clients/UcmLocalApiClient.js';
+import { ILogger } from '../../interfaces/ILogger.js';
+export declare class CallRemoteToolTool extends BaseToolController {
+    constructor(ucmClient: UcmLocalApiClient, logger: ILogger, publishingAuthorId?: string);
+    get name(): string;
+    get description(): string;
+    get inputSchema(): any;
+    protected validateParams(params: any): void;
+    protected handleExecute(params: {
+        connectionId: string;
+        toolName: string;
+        args?: Record<string, any>;
+    }): Promise<any>;
+}
+//# sourceMappingURL=CallRemoteToolTool.d.ts.map

package/dist/tools/connections/CallRemoteToolTool.js

@@ -0,0 +1,103 @@
+/**
+ * CallRemoteToolTool
+ * Execute a tool on an external connection (SharePoint or Remote MCP Server).
+ *
+ * Phase 3 of Unified Connection Gateway Implementation
+ */
+import { BaseToolController } from '../base/BaseToolController.js';
+import { McpError, McpErrorCode } from '../../utils/McpErrorHandler.js';
+export class CallRemoteToolTool extends BaseToolController {
+    constructor(ucmClient, logger, publishingAuthorId) {
+        super(ucmClient, logger, publishingAuthorId);
+    }
+    get name() {
+        return 'ucm_call_remote_tool';
+    }
+    get description() {
+        return 'Call a tool on an external connection. Use ucm_access_connection first to see available tools and their schemas.';
+    }
+    get inputSchema() {
+        return {
+            type: 'object',
+            properties: {
+                connectionId: {
+                    type: 'string',
+                    description: 'Connection ID (SharePoint connection or Remote MCP Server) from ucm_list_connections',
+                    minLength: 36,
+                    maxLength: 36
+                },
+                toolName: {
+                    type: 'string',
+                    description: 'Name of the tool to call (see ucm_access_connection for available tools)',
+                    minLength: 1
+                },
+                args: {
+                    type: 'object',
+                    description: 'Tool arguments as key-value pairs (see ucm_access_connection for parameter schemas)'
+                }
+            },
+            required: ['connectionId', 'toolName']
+        };
+    }
+    validateParams(params) {
+        super.validateParams(params);
+        // Validate connectionId
+        if (!params.connectionId || typeof params.connectionId !== 'string') {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId is required and must be a string');
+        }
+        if (params.connectionId.length !== 36) {
+            throw new McpError(McpErrorCode.InvalidParams, 'connectionId must be a valid UUID (36 characters)');
+        }
+        // Validate toolName
+        if (!params.toolName || typeof params.toolName !== 'string') {
+            throw new McpError(McpErrorCode.InvalidParams, 'toolName is required and must be a string');
+        }
+        // Validate args if provided
+        if (params.args !== undefined && typeof params.args !== 'object') {
+            throw new McpError(McpErrorCode.InvalidParams, 'args must be an object');
+        }
+    }
+    async handleExecute(params) {
+        this.logger.info('CallRemoteToolTool', `Calling tool ${params.toolName} on connection: ${params.connectionId}`);
+        try {
+            const result = await this.ucmClient.callRemoteTool(params.connectionId, params.toolName, params.args);
+            this.logger.info('CallRemoteToolTool', 'Tool executed successfully', '', {
+                connectionId: params.connectionId,
+                toolName: params.toolName,
+                success: result.success,
+                authRequired: result.authRequired || false
+            });
+            // Return the markdown content for AI consumption
+            return result.markdown;
+        }
+        catch (error) {
+            // Sanitize error for logging
+            const sanitizedError = {
+                message: error?.message,
+                status: error?.response?.status,
+                data: error?.response?.data
+            };
+            this.logger.error('CallRemoteToolTool', 'Failed to execute tool', '', sanitizedError);
+            if (error instanceof McpError) {
+                throw error;
+            }
+            // Handle API errors
+            if (error.response) {
+                const status = error.response.status;
+                const errorData = error.response.data;
+                if (status === 401 || status === 403) {
+                    throw new McpError(McpErrorCode.InvalidRequest, `Access denied: ${errorData?.message || 'Not authorized to access this connection'}`);
+                }
+                if (status === 404) {
+                    throw new McpError(McpErrorCode.InvalidParams, `Connection not found: ${params.connectionId}`);
+                }
+                if (status === 400) {
+                    throw new McpError(McpErrorCode.InvalidParams, `Invalid request: ${errorData?.message || errorData?.error || 'Invalid parameters'}`);
+                }
+                throw new McpError(McpErrorCode.InternalError, `API error: ${errorData?.message || error.message}`);
+            }
+            throw new McpError(McpErrorCode.InternalError, `Failed to execute tool: ${error.message}`);
+        }
+    }
+}
+//# sourceMappingURL=CallRemoteToolTool.js.map

package/dist/utils/SharePointErrorHandler.js

@@ -22,8 +22,8 @@ export class SharePointErrorHandler {
         };
         logger.error(toolName, 'SharePoint operation failed', '', sanitizedError);
         const serverError = error?.response?.data;
-        // Handle SharePoint authentication required (OnBehalfOf flow)
-        if (error?.response?.status === 401 && serverError?.error === 'SHAREPOINT_LOGIN_REQUIRED') {
+        // Handle OAuth authentication required (user-delegated flow)
+        if (error?.response?.status === 401 && serverError?.error === 'AUTH_REQUIRED') {
             const userMessage = serverError.message || 'To access SharePoint, please login then continue your conversation.';
             // loginUrl can be in serverError directly or in details (check both)
             const loginUrl = serverError.loginUrl || serverError.details?.loginUrl;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@utaba/ucm-mcp-server",
-  "version": "4.3.2",
+  "version": "5.0.0",
   "description": "Universal Context Manager MCP Server - AI Productivity Platform",
   "main": "dist/index.js",
   "type": "module",

package/package.json.backup

@@ -1,6 +1,6 @@
 {
   "name": "ucm-mcp-server",
-  "version": "4.3.2",
+  "version": "5.0.0",
   "description": "Universal Context Manager MCP Server - AI Productivity Platform",
   "main": "dist/index.js",
   "type": "module",