@wickedevolutions/abilities-mcp 1.3.1 → 1.5.3

package/lib/connection-pool.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const { SshTransport } = require('./transports/ssh-transport');
-const { resolveSiteKey, resolvePassword } = require('./config');
+const { resolveSiteKey, resolveSitePassword } = require('./config');
 
 // Incrementing counter for synthetic handshake IDs.
 // Avoids integer overflow from Date.now() (13-digit ms timestamps exceed
@@ -9,6 +9,23 @@ const { resolveSiteKey, resolvePassword } = require('./config');
 // Starting at 1000 to avoid collision with real request IDs (typically 1+).
 let _synthIdCounter = 1000;
 
+/**
+ * Build a TokenManager-shaped siteAuth object from a v2 OAuth site block.
+ * The OAuthHttpTransport and TokenManager use this shape.
+ */
+function _siteAuthFromConfig(siteId, siteConfig, asMetadata) {
+  return {
+    siteId,
+    tokenEndpoint: asMetadata && asMetadata.token_endpoint,
+    clientId: siteConfig.auth.client_id,
+    accessTokenRef: siteConfig.auth.access_token_ref,
+    refreshTokenRef: siteConfig.auth.refresh_token_ref,
+    accessTokenExpiresAt: siteConfig.auth.access_token_expires_at,
+    refreshTokenExpiresAt: siteConfig.auth.refresh_token_expires_at,
+    authStatus: siteConfig.auth_status || 'active',
+  };
+}
+
 /**
  * Connection Pool — manages one transport per site, lazily instantiated.
  *
@@ -21,12 +38,38 @@ let _synthIdCounter = 1000;
  */
 class ConnectionPool {
 
-  constructor(config, logger) {
+  /**
+   * @param {object} config
+   * @param {function} logger
+   * @param {object} [deps]                   Optional injection seam for tests
+   * @param {object} [deps.secretStore]       Defaults to KeychainSecretStore
+   * @param {object} [deps.tokenManager]      Defaults to a TokenManager built from secretStore
+   * @param {function} [deps.discover]        Defaults to lib/auth/discovery-client.discover
+   * @param {function} [deps.persistAuthStatus] (siteId, newStatus) => void
+   *                                          Persists to wp-sites.json. Defaults to
+   *                                          atomic write via config-migration._atomicWrite
+   *                                          when config._configPath is set.
+   * @param {boolean} [deps.allowInsecure]    For local-dev OAuth over HTTP
+   */
+  constructor(config, logger, deps = {}) {
     this.config = config;
     this.log = logger;
     this.transports = new Map();      // compositeKey -> Transport
     this.connecting = new Map();      // compositeKey -> Promise<Transport>
 
+    // OAuth-runtime deps. Built lazily so SSH-only / App-Password-only setups
+    // never load keytar or the auth modules at all.
+    this._deps = deps;
+    this._secretStore = deps.secretStore || null;
+    this._tokenManager = deps.tokenManager || null;
+    this._discover = deps.discover || null;
+    this._allowInsecure = !!deps.allowInsecure;
+    this._persistAuthStatus = deps.persistAuthStatus || null;
+
+    // Cache of OAuth AS metadata per site URL — avoids re-probing .well-known
+    // on every transport rebuild. Refreshed when the transport is recreated.
+    this._asMetadataCache = new Map();   // siteUrl -> { asMetadata, prMetadata }
+
     // Handshake cache — set after the default site completes init
     this.cachedInitRequest = null;
     this.cachedInitNotification = null;
@@ -98,7 +141,7 @@ class ConnectionPool {
    */
   async connectDefault(onMessage) {
     const key = this.config.defaultSite;
-    const transport = this._createTransport(key, null);
+    const transport = await this._createTransport(key, null);
     transport.onMessage = onMessage;
     await transport.connect();
     this.transports.set(key, transport);
@@ -145,6 +188,28 @@ class ConnectionPool {
     try {
       const { siteConfig } = resolveSiteKey(this.config, compositeKey);
 
+      // v2 OAuth site — probe the resource URL with HEAD. We do NOT mint a
+      // token here; this is just a reachability check, the real auth happens
+      // on first MCP request via OAuthHttpTransport.
+      if (siteConfig.auth && siteConfig.auth.method === 'oauth') {
+        const target = siteConfig.mcp_resource;
+        if (!target) {
+          return { status: 'unreachable', latencyMs: Date.now() - start, error: 'no mcp_resource configured' };
+        }
+        const mod = target.startsWith('https://') ? require('https') : require('http');
+        const url = new URL(target);
+        await new Promise((resolve, reject) => {
+          const req = mod.request({
+            hostname: url.hostname, port: url.port,
+            path: url.pathname, method: 'HEAD', timeout: 10000,
+          }, (res) => resolve(res.statusCode));
+          req.on('error', reject);
+          req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
+          req.end();
+        });
+        return { status: 'reachable', latencyMs: Date.now() - start };
+      }
+
       if (siteConfig.transport === 'ssh') {
         const { execFileSync } = require('child_process');
         execFileSync('ssh', [
@@ -199,7 +264,7 @@ class ConnectionPool {
 
     this.log(`Lazy-connecting to site: ${compositeKey}`);
 
-    const transport = this._createTransport(compositeKey, subsiteUrl);
+    const transport = await this._createTransport(compositeKey, subsiteUrl);
 
     // Set up message callback — route responses back to main
     // The main entry will set this after getting the transport
@@ -220,10 +285,18 @@ class ConnectionPool {
     return transport;
   }
 
-  _createTransport(compositeKey, subsiteUrl) {
+  async _createTransport(compositeKey, subsiteUrl) {
     const { siteConfig, subsiteUrl: resolvedSubsiteUrl, resolvedEndpoint } = resolveSiteKey(this.config, compositeKey);
     const finalSubsiteUrl = subsiteUrl || resolvedSubsiteUrl;
 
+    // v2 OAuth dispatch — single branch per Issue #17 acceptance criteria.
+    // Sites with auth.method === 'oauth' use the OAuth-aware HTTP transport;
+    // every other site (App Password, SSH carrier-only) keeps the existing
+    // legacy code paths untouched.
+    if (siteConfig.auth && siteConfig.auth.method === 'oauth') {
+      return this._createOAuthHttpTransport(compositeKey, siteConfig);
+    }
+
     if (siteConfig.transport === 'ssh') {
       return new SshTransport({
         host: siteConfig.ssh.host,
@@ -236,13 +309,25 @@ class ConnectionPool {
     }
 
     if (siteConfig.transport === 'http') {
-      // HTTP transport — loaded lazily to avoid requiring it when only SSH is used
+      // HTTP transport — loaded lazily to avoid requiring it when only SSH is used.
+      // v2 apppassword sites resolve the secret from keychain via auth.password_ref;
+      // v1 sites fall through to the legacy synchronous resolver. KeychainSecretStore
+      // is only constructed when an apppassword path actually runs, preserving the
+      // "no keytar for SSH-only / v1-only setups" property.
       const { HttpTransport } = require('./transports/http-transport');
-      const password = resolvePassword(siteConfig.http);
+      const isV2AppPassword = siteConfig.auth
+        && siteConfig.auth.method === 'apppassword'
+        && siteConfig.auth.password_ref;
+      if (isV2AppPassword && !this._secretStore) {
+        const { KeychainSecretStore } = require('./auth/keychain-secret-store');
+        this._secretStore = new KeychainSecretStore();
+      }
+      const password = await resolveSitePassword(siteConfig, this._secretStore);
+      const username = (siteConfig.auth && siteConfig.auth.username) || siteConfig.http.username;
       return new HttpTransport({
         endpoint: resolvedEndpoint || siteConfig.http.endpoint,
-        username: siteConfig.http.username,
-        password: password,
+        username,
+        password,
         logger: this.log,
       });
     }
@@ -250,15 +335,133 @@ class ConnectionPool {
     throw new Error(`Unknown transport: ${siteConfig.transport}`);
   }
 
+  /**
+   * Build an OAuthHttpTransport for a v2 OAuth site. Lazily resolves AS
+   * metadata via the discovery client (passing capability-pin state per
+   * Appendix H.2.3 — pinned-then-404 throws CapabilityPinningError, which
+   * we let propagate so the bridge fails loud rather than silently
+   * downgrading to App Password).
+   */
+  async _createOAuthHttpTransport(compositeKey, siteConfig) {
+    const { OAuthHttpTransport } = require('./transports/oauth-http-transport');
+    const { TokenManager } = require('./auth/token-manager');
+    const { discover } = require('./auth/discovery-client');
+
+    if (!siteConfig.mcp_resource) {
+      throw new Error(
+        `Site "${compositeKey}" (oauth): no mcp_resource configured — ` +
+        `re-run \`abilities-mcp reauth ${compositeKey}\` to repopulate it`
+      );
+    }
+    if (!siteConfig.url) {
+      throw new Error(`Site "${compositeKey}" (oauth): no url configured`);
+    }
+
+    if (!this._secretStore) {
+      const { KeychainSecretStore } = require('./auth/keychain-secret-store');
+      this._secretStore = new KeychainSecretStore();
+    }
+    if (!this._tokenManager) {
+      this._tokenManager = new TokenManager({
+        secretStore: this._secretStore,
+        allowInsecure: this._allowInsecure,
+      });
+    }
+    const discoverFn = this._discover || discover;
+
+    let asMetadata = (this._asMetadataCache.get(siteConfig.url) || {}).asMetadata;
+    if (!asMetadata) {
+      const result = await discoverFn(siteConfig.url, {
+        pinned: !!siteConfig.oauth_capability_pinned,
+        pinnedFirstSeenAt: siteConfig.oauth_capability_pinned
+          && siteConfig.oauth_capability_pinned.first_seen_at,
+        allowInsecure: this._allowInsecure,
+      });
+      asMetadata = result.asMetadata;
+      this._asMetadataCache.set(siteConfig.url, {
+        asMetadata: result.asMetadata,
+        prMetadata: result.prMetadata,
+      });
+    }
+
+    if (!asMetadata || !asMetadata.token_endpoint) {
+      throw new Error(
+        `Site "${compositeKey}" (oauth): discovery did not yield a token_endpoint`
+      );
+    }
+
+    const siteAuth = _siteAuthFromConfig(compositeKey, siteConfig, asMetadata);
+
+    return new OAuthHttpTransport({
+      endpoint: siteConfig.mcp_resource,
+      tokenManager: this._tokenManager,
+      siteAuth,
+      onAuthStatusChange: (newStatus, info) => {
+        // In-memory update first so subsequent transport rebuilds see it.
+        try {
+          siteConfig.auth_status = newStatus;
+        } catch { /* siteConfig may be frozen in tests — ignore */ }
+        this.log(
+          `OAuth auth_status change: ${compositeKey} → ${newStatus} (${info && info.reason || 'unknown'})`
+        );
+        // Persist to wp-sites.json best-effort. A failure to write should
+        // not break the request path that triggered this change.
+        if (this._persistAuthStatus) {
+          Promise.resolve()
+            .then(() => this._persistAuthStatus(compositeKey, newStatus, info))
+            .catch((err) => this.log(`OAuth auth_status persist failed: ${err.message}`));
+        } else if (this.config && this.config._configPath) {
+          this._defaultPersistAuthStatus(compositeKey, newStatus)
+            .catch((err) => this.log(`OAuth auth_status persist failed: ${err.message}`));
+        }
+      },
+      logger: this.log,
+    });
+  }
+
+  /**
+   * Default auth_status persistor — atomic rewrite of wp-sites.json. Used
+   * when the pool was constructed without a custom persistAuthStatus.
+   */
+  async _defaultPersistAuthStatus(siteId, newStatus) {
+    const { _atomicWrite } = require('./auth/config-migration');
+    const fs = require('node:fs');
+    const filePath = this.config._configPath;
+    if (!filePath) return;
+    let raw;
+    try {
+      raw = await fs.promises.readFile(filePath, 'utf8');
+    } catch (err) {
+      throw new Error(`read ${filePath}: ${err.message}`);
+    }
+    let parsed;
+    try { parsed = JSON.parse(raw); }
+    catch (err) {
+      throw new Error(`parse ${filePath}: ${err.message}`);
+    }
+    if (parsed && parsed.sites && parsed.sites[siteId]) {
+      parsed.sites[siteId].auth_status = newStatus;
+      await _atomicWrite(filePath, parsed);
+    }
+  }
+
   /**
    * Check if a composite key resolves to the same HTTP endpoint as an
    * already-connected transport. Returns { key, transport } or null.
+   *
+   * Covers both v1 App-Password HTTP sites and v2 OAuth sites — the dedup
+   * target is whichever URL the eventual transport will POST to.
    */
   _findExistingHttpTransport(compositeKey) {
     const { siteConfig, resolvedEndpoint } = resolveSiteKey(this.config, compositeKey);
-    if (siteConfig.transport !== 'http') return null;
 
-    const targetEndpoint = resolvedEndpoint || siteConfig.http.endpoint;
+    let targetEndpoint = null;
+    if (siteConfig.auth && siteConfig.auth.method === 'oauth') {
+      targetEndpoint = siteConfig.mcp_resource;
+    } else if (siteConfig.transport === 'http') {
+      targetEndpoint = resolvedEndpoint || (siteConfig.http && siteConfig.http.endpoint);
+    }
+    if (!targetEndpoint) return null;
 
     for (const [key, transport] of this.transports) {
       if (transport.endpoint === targetEndpoint) {

package/lib/router.js

@@ -11,7 +11,8 @@ const { isBridgeTool, injectBridgeTools } = require('./bridge-tools');
  * - Route client messages to the correct transport
  * - Handle bridge tools locally (health, browse, load)
  * - Sanitize and enrich tools/list responses (annotations, site param, bridge tools)
- * - Handle resources/list and resources/read locally
+ * - Forward resources/list to WordPress and inject bridge resources
+ * - Handle resources/read locally for bridge URIs, forward others to WordPress
  * - Route tools/call to the correct site transport
  *
  * Copyright (C) 2026 Influencentricity | Wicked Evolutions
@@ -44,6 +45,9 @@ class McpRouter {
     this.clientProtocolVersion = null;
     this.initHandshakeComplete = false;
 
+    // Track pending resources/list request IDs for response interception
+    this.pendingResourcesListIds = new Set();
+
     // Default transport
     this.defaultTransport = null;
 
@@ -115,9 +119,12 @@ class McpRouter {
       return;
     }
 
-    // resources/list — handle locally
+    // resources/list — forward to WordPress, inject bridge resources on response
     if (msg.method === 'resources/list') {
-      this._handleResourcesList(msg);
+      if (msg.id !== undefined) {
+        this.pendingResourcesListIds.add(msg.id);
+      }
+      this._forwardToDefault(line);
       return;
     }
 
@@ -166,6 +173,16 @@ class McpRouter {
       return;
     }
 
+    // Inject bridge resources into resources/list responses
+    if (parsedMsg.id !== undefined && this.pendingResourcesListIds.has(parsedMsg.id)) {
+      this.pendingResourcesListIds.delete(parsedMsg.id);
+      if (!parsedMsg.error) {
+        this._injectBridgeResources(parsedMsg);
+      }
+      this.sendToClient(JSON.stringify(parsedMsg));
+      return;
+    }
+
     // Detect execute-ability error responses and convert to isError format
     if (parsedMsg.result && parsedMsg.result.content) {
       const content = parsedMsg.result.content;
@@ -388,22 +405,23 @@ class McpRouter {
   // Internal — resources
   // ---------------------------------------------------------------------------
 
-  _handleResourcesList(msg) {
-    const resources = [];
+  /**
+   * Inject bridge-owned resources into a resources/list response from WordPress.
+   * @param {object} msg - Parsed JSON-RPC response
+   */
+  _injectBridgeResources(msg) {
+    // Ensure result.resources array exists (WordPress may return empty or error)
+    if (!msg.result) msg.result = {};
+    if (!Array.isArray(msg.result.resources)) msg.result.resources = [];
 
     if (this.isMultiSite) {
-      resources.push({
+      msg.result.resources.push({
         uri: 'wp-abilities://sites',
         name: 'WordPress Sites',
         description: `Available WordPress sites: ${this.siteKeys.join(', ')}`,
         mimeType: 'application/json',
       });
     }
-
-    this.sendToClient(JSON.stringify({
-      jsonrpc: '2.0', id: msg.id,
-      result: { resources },
-    }));
   }
 
   _handleResourcesReadSites(msg) {