@wootsup/mcp 0.1.0 → 0.4.0

package/dist/auth/oauth-provider.js

@@ -1,232 +0,0 @@
-// src/auth/oauth-provider.ts — Phase 9.2.
-//
-// Minimal in-memory OAuth 2.0 Authorization-Code + PKCE + Dynamic Client
-// Registration (DCR) provider for the remote HTTP MCP transport.
-//
-// References:
-// - RFC 6749 (OAuth 2.0)
-// - RFC 7636 (PKCE)
-// - RFC 7591 (Dynamic Client Registration)
-// - workers-oauth-provider (Cloudflare reference, in-memory variant)
-//
-// Storage backend is process-local Maps with TTL-based expiry — the
-// hosted production service (mcp.wootsup.com) is expected to swap in a
-// persistent backend, but for unit/integration tests + the local DXT
-// bundle, in-memory is sufficient.
-//
-// Security notes:
-// - Tokens are 32 random bytes hex-encoded (no JWT — keeps the surface
-//   tiny and prevents misuse of unverified payloads).
-// - Authorization codes are 32 random bytes hex; single-use; bound to
-//   client_id + redirect_uri + code_challenge.
-// - PKCE S256 is REQUIRED; "plain" is rejected.
-// - On refresh, the old refresh token is invalidated (rotation).
-import { randomBytes, createHash, timingSafeEqual } from "node:crypto";
-// ── Helpers ────────────────────────────────────────────────────────────
-function randomId(prefix) {
-    return `${prefix}${randomBytes(12).toString("hex")}`;
-}
-function randomOpaque() {
-    return randomBytes(32).toString("hex");
-}
-/** Constant-time compare to thwart timing oracles on token / verifier lookups. */
-function safeEquals(a, b) {
-    const ba = Buffer.from(a);
-    const bb = Buffer.from(b);
-    if (ba.length !== bb.length)
-        return false;
-    return timingSafeEqual(ba, bb);
-}
-function s256(input) {
-    return createHash("sha256").update(input).digest("base64url");
-}
-// ── Factory ────────────────────────────────────────────────────────────
-export function createOAuthProvider(options = {}) {
-    const now = options.now ?? (() => Math.floor(Date.now() / 1000));
-    const codeTtl = options.codeTtlSeconds ?? 600;
-    const tokenTtl = options.tokenTtlSeconds ?? 86_400;
-    const refreshTtl = options.refreshTtlSeconds ?? 7 * 86_400;
-    const clients = new Map();
-    const codes = new Map();
-    const tokens = new Map();
-    const refreshes = new Map();
-    function registerClient(args) {
-        if (!Array.isArray(args.redirect_uris) || args.redirect_uris.length === 0) {
-            throw new Error("invalid_redirect_uri: at least one redirect_uri required");
-        }
-        for (const uri of args.redirect_uris) {
-            if (typeof uri !== "string" || uri.length === 0) {
-                throw new Error("invalid_redirect_uri");
-            }
-        }
-        const reg = {
-            client_id: randomId("cli_"),
-            client_id_issued_at: now(),
-            redirect_uris: [...args.redirect_uris],
-            client_name: args.client_name,
-            token_endpoint_auth_method: "none", // public client (mobile/native/AI)
-            grant_types: ["authorization_code", "refresh_token"],
-            response_types: ["code"],
-        };
-        clients.set(reg.client_id, reg);
-        return reg;
-    }
-    function getClient(client_id) {
-        return clients.get(client_id) ?? null;
-    }
-    function issueCode(args) {
-        const client = clients.get(args.client_id);
-        if (!client)
-            throw new Error("unknown_client");
-        if (!client.redirect_uris.includes(args.redirect_uri)) {
-            throw new Error("invalid_redirect_uri");
-        }
-        if (!args.code_challenge || typeof args.code_challenge !== "string") {
-            throw new Error("invalid_request: code_challenge required");
-        }
-        if (args.code_challenge_method !== "S256") {
-            // Reject "plain" — S256 is mandatory for safety.
-            throw new Error("invalid_request: code_challenge_method must be S256");
-        }
-        const code = randomId("code_");
-        codes.set(code, {
-            client_id: args.client_id,
-            redirect_uri: args.redirect_uri,
-            code_challenge: args.code_challenge,
-            code_challenge_method: args.code_challenge_method,
-            scope: args.scope,
-            expires_at: now() + codeTtl,
-            used: false,
-        });
-        return code;
-    }
-    function exchangeCode(args) {
-        const rec = codes.get(args.code);
-        if (!rec)
-            throw new Error("invalid_grant: code not found");
-        if (rec.used)
-            throw new Error("invalid_grant: code already used");
-        if (rec.expires_at < now())
-            throw new Error("invalid_grant: code expired");
-        if (rec.client_id !== args.client_id) {
-            throw new Error("invalid_grant: client_id mismatch");
-        }
-        if (rec.redirect_uri !== args.redirect_uri) {
-            throw new Error("invalid_grant: redirect_uri mismatch");
-        }
-        const challengeFromVerifier = s256(args.code_verifier);
-        if (!safeEquals(challengeFromVerifier, rec.code_challenge)) {
-            throw new Error("invalid_grant: code_verifier mismatch");
-        }
-        rec.used = true;
-        const accessToken = randomOpaque();
-        const refreshToken = randomOpaque();
-        tokens.set(accessToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + tokenTtl,
-        });
-        refreshes.set(refreshToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + refreshTtl,
-            revoked: false,
-        });
-        return {
-            access_token: accessToken,
-            refresh_token: refreshToken,
-            token_type: "Bearer",
-            expires_in: tokenTtl,
-            scope: rec.scope,
-        };
-    }
-    function refreshToken(args) {
-        const rec = refreshes.get(args.refresh_token);
-        if (!rec)
-            throw new Error("invalid_grant: refresh_token not found");
-        if (rec.revoked)
-            throw new Error("invalid_grant: refresh_token revoked");
-        if (rec.expires_at < now()) {
-            throw new Error("invalid_grant: refresh_token expired");
-        }
-        if (rec.client_id !== args.client_id) {
-            throw new Error("invalid_grant: client_id mismatch");
-        }
-        // Rotate: revoke the old refresh token, mint a new pair.
-        rec.revoked = true;
-        const accessToken = randomOpaque();
-        const newRefresh = randomOpaque();
-        tokens.set(accessToken, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + tokenTtl,
-        });
-        refreshes.set(newRefresh, {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: now() + refreshTtl,
-            revoked: false,
-        });
-        return {
-            access_token: accessToken,
-            refresh_token: newRefresh,
-            token_type: "Bearer",
-            expires_in: tokenTtl,
-            scope: rec.scope,
-        };
-    }
-    function verifyAccessToken(token) {
-        const rec = tokens.get(token);
-        if (!rec)
-            return null;
-        if (rec.expires_at < now())
-            return null;
-        return {
-            client_id: rec.client_id,
-            scope: rec.scope,
-            expires_at: rec.expires_at,
-        };
-    }
-    function sweep() {
-        const t = now();
-        let evicted = 0;
-        for (const [k, v] of codes) {
-            if (v.expires_at < t || v.used) {
-                codes.delete(k);
-                evicted++;
-            }
-        }
-        for (const [k, v] of tokens) {
-            if (v.expires_at < t) {
-                tokens.delete(k);
-                evicted++;
-            }
-        }
-        for (const [k, v] of refreshes) {
-            if (v.expires_at < t || v.revoked) {
-                refreshes.delete(k);
-                evicted++;
-            }
-        }
-        return evicted;
-    }
-    function stats() {
-        return {
-            clients: clients.size,
-            codes: codes.size,
-            tokens: tokens.size,
-            refreshes: refreshes.size,
-        };
-    }
-    return {
-        registerClient,
-        getClient,
-        issueCode,
-        exchangeCode,
-        refreshToken,
-        verifyAccessToken,
-        sweep,
-        stats,
-    };
-}
-//# sourceMappingURL=oauth-provider.js.map

package/dist/auth/oauth-provider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../../src/auth/oauth-provider.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,yEAAyE;AACzE,iEAAiE;AACjE,EAAE;AACF,cAAc;AACd,yBAAyB;AACzB,oBAAoB;AACpB,2CAA2C;AAC3C,qEAAqE;AACrE,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,qEAAqE;AACrE,mCAAmC;AACnC,EAAE;AACF,kBAAkB;AAClB,uEAAuE;AACvE,sDAAsD;AACtD,sEAAsE;AACtE,+CAA+C;AAC/C,gDAAgD;AAChD,iEAAiE;AAEjE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAmGvE,0EAA0E;AAE1E,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,GAAG,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,kFAAkF;AAClF,SAAS,UAAU,CAAC,CAAS,EAAE,CAAS;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,IAAI,CAAC,KAAa;IACzB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AAChE,CAAC;AAED,0EAA0E;AAE1E,MAAM,UAAU,mBAAmB,CACjC,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,IAAI,GAAG,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,eAAe,IAAI,MAAM,CAAC;IACnD,MAAM,UAAU,GAAG,OAAO,CAAC,iBAAiB,IAAI,CAAC,GAAG,MAAM,CAAC;IAE3D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC3D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;IAEnD,SAAS,cAAc,CAAC,IAGvB;QACC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACrC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,GAAG,GAA4B;YACnC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC;YAC3B,mBAAmB,EAAE,GAAG,EAAE;YAC1B,aAAa,EAAE,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC;YACtC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,0BAA0B,EAAE,MAAM,EAAE,mCAAmC;YACvE,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;SACzB,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAChC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,SAAS,SAAS,CAAC,SAAiB;QAClC,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,SAAS,SAAS,CAAC,IAAmB;QACpC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,cAAc,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,IAAI,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC1C,iDAAiD;YACjD,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/B,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;YACd,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;YACjD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,UAAU,EAAE,GAAG,EAAE,GAAG,OAAO;YAC3B,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS,YAAY,CAAC,IAAsB;QAC1C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC3D,IAAI,GAAG,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAClE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC3E,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM,qBAAqB,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAEhB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,YAAY,GAAG,YAAY,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,YAAY,EAAE;YAC1B,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,YAAY,CAAC,IAAiB;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACpE,IAAI,GAAG,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACzE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,yDAAyD;QACzD,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC;QAEnB,MAAM,WAAW,GAAG,YAAY,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,QAAQ;SAC7B,CAAC,CAAC;QACH,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE;YACxB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,EAAE,GAAG,UAAU;YAC9B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,UAAU;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,QAAQ;YACpB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,SAAS,iBAAiB,CAAC,KAAa;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QACxC,OAAO;YACL,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,UAAU,EAAE,GAAG,CAAC,UAAU;SAC3B,CAAC;IACJ,CAAC;IAED,SAAS,KAAK;QACZ,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;QAChB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAChB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;YAC5B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;gBACrB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBAClC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBACpB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,SAAS,KAAK;QACZ,OAAO;YACL,OAAO,EAAE,OAAO,CAAC,IAAI;YACrB,KAAK,EAAE,KAAK,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,SAAS,EAAE,SAAS,CAAC,IAAI;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc;QACd,SAAS;QACT,SAAS;QACT,YAAY;QACZ,YAAY;QACZ,iBAAiB;QACjB,KAAK;QACL,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/server-http.d.ts

@@ -1,22 +0,0 @@
-#!/usr/bin/env node
-import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { type ModuleStatus } from "@getimo/mcp-toolkit";
-import { type McpHandler, type HttpTransportServer } from "./transports/http.js";
-import { type OAuthProvider } from "./auth/oauth-provider.js";
-export interface BootOptions {
-    /** TCP port. Default: process.env.APIMAPPER_HTTP_PORT or 8901. */
-    port?: number;
-    /** Public URL hint for OAuth metadata. */
-    publicBaseUrl?: string;
-    /** Pluggable MCP handler — defaults to a stub that returns the original JSON-RPC id with an empty result. */
-    mcpHandler?: McpHandler;
-}
-export interface BootedHttpServer extends HttpTransportServer {
-    oauth: OAuthProvider;
-}
-/** Test-only — exposes the server + module load status for assertions. */
-export declare function _testGetMcpServer(): {
-    server: McpServer | null;
-    modules: ModuleStatus[];
-};
-export declare function bootHttpServer(options?: BootOptions): Promise<BootedHttpServer>;

package/dist/server-http.js

@@ -1,159 +0,0 @@
-#!/usr/bin/env node
-// src/server-http.ts — Phase 9.2 HTTP entry point.
-//
-// Boots the http+OAuth transport for the API Mapper MCP server. Used by:
-//   - `npm run start:http` (local dev / staging)
-//   - the future hosted service at mcp.wootsup.com (Phase 10+)
-//
-// The MCP handler bridges incoming JSON-RPC requests to a real
-// SDK-managed McpServer via `createServer()` + `InMemoryTransport.createLinkedPair()`.
-// Each HTTP request is serialised through the in-memory transport pair so
-// the MCP server's full handler-registry runs (initialize, tools/list,
-// tools/call all dispatch correctly). Tests can pass their own handler
-// stub via `bootHttpServer({ mcpHandler })`.
-import { InMemoryTransport } from "@modelcontextprotocol/sdk/inMemory.js";
-import { loadModules } from "@getimo/mcp-toolkit";
-import { createHttpTransportServer } from "./transports/http.js";
-import { createOAuthProvider } from "./auth/oauth-provider.js";
-import { createServer } from "./index.js";
-import { apimapperRestModule } from "./modules/apimapper/index.js";
-const DEFAULT_PORT = (() => {
-    const env = process.env.APIMAPPER_HTTP_PORT;
-    const parsed = env ? Number.parseInt(env, 10) : NaN;
-    return Number.isFinite(parsed) ? parsed : 8901;
-})();
-/**
- * Default MCP handler — closes Phase 9.2 "deferred SDK binding" gap
- * (R7 audit finding 2026-05-18).
- *
- * Lazily boots a real McpServer + loads all api-mapper modules + connects
- * it to one end of an InMemoryTransport pair. The HTTP handler-callback
- * sends each incoming JSON-RPC request through the other end and awaits
- * the matching response by id.
- *
- * This makes the HTTP transport functionally equivalent to stdio:
- * initialize, tools/list, tools/call all dispatch through the same
- * McpServer instance + tool registry that the stdio transport uses.
- */
-let mcpHandlerSingleton = null;
-let mcpServerSingleton = null;
-let mcpModuleStatuses = [];
-async function getDefaultMcpHandler() {
-    if (mcpHandlerSingleton)
-        return mcpHandlerSingleton;
-    const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
-    const server = createServer();
-    mcpServerSingleton = server;
-    mcpModuleStatuses = await loadModules(server, [apimapperRestModule]);
-    await server.connect(serverTransport);
-    // The client end stays open for the lifetime of the HTTP server. Each
-    // HTTP request sends a JSON-RPC message in and registers a one-shot
-    // resolver keyed on the JSON-RPC id; the McpServer's reply lands on
-    // clientTransport.onmessage and resolves the matching pending promise.
-    await clientTransport.start();
-    const pending = new Map();
-    clientTransport.onmessage = (message) => {
-        const m = message;
-        if (m && m.id !== undefined && pending.has(m.id)) {
-            const resolve = pending.get(m.id);
-            pending.delete(m.id);
-            resolve(message);
-        }
-        // Server-initiated notifications (no id) are intentionally dropped —
-        // the HTTP transport is request/response only.
-    };
-    mcpHandlerSingleton = async (body) => {
-        const req = body;
-        // Notifications carry no id and expect no response. Forward + return
-        // 202-like empty body to caller.
-        if (req.id === undefined) {
-            try {
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK message type is broader
-                await clientTransport.send(body);
-            }
-            catch {
-                /* ignore — notification fire-and-forget */
-            }
-            return { jsonrpc: "2.0", result: { ok: true } };
-        }
-        // Request/response: register resolver, send, await reply.
-        return new Promise((resolve) => {
-            const timer = setTimeout(() => {
-                if (pending.has(req.id)) {
-                    pending.delete(req.id);
-                    resolve({
-                        jsonrpc: "2.0",
-                        id: req.id,
-                        error: { code: -32000, message: "HTTP→MCP dispatch timed out after 30s" },
-                    });
-                }
-            }, 30_000);
-            pending.set(req.id, (msg) => {
-                clearTimeout(timer);
-                resolve(msg);
-            });
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK message type is broader
-            void clientTransport.send(body).catch((err) => {
-                clearTimeout(timer);
-                pending.delete(req.id);
-                resolve({
-                    jsonrpc: "2.0",
-                    id: req.id,
-                    error: { code: -32603, message: `dispatch failed: ${err.message}` },
-                });
-            });
-        });
-    };
-    return mcpHandlerSingleton;
-}
-/** Test-only — exposes the server + module load status for assertions. */
-export function _testGetMcpServer() {
-    return { server: mcpServerSingleton, modules: mcpModuleStatuses };
-}
-export async function bootHttpServer(options = {}) {
-    const port = options.port ?? DEFAULT_PORT;
-    const oauth = createOAuthProvider();
-    const mcpHandler = options.mcpHandler ?? (await getDefaultMcpHandler());
-    const transport = await createHttpTransportServer({
-        port,
-        oauth,
-        mcpHandler,
-        publicBaseUrl: options.publicBaseUrl,
-    });
-    return { ...transport, oauth };
-}
-// ── CLI entry ──────────────────────────────────────────────────────────
-// Only auto-boot when this file is executed as the process entrypoint
-// (i.e. `node dist/server-http.js`), never when imported by tests.
-const isEntry = (() => {
-    if (typeof process.argv[1] !== "string")
-        return false;
-    // import.meta.url is a file:// URL; argv[1] is a path. Map both to
-    // a comparable form.
-    try {
-        const argvUrl = new URL(`file://${process.argv[1]}`).href;
-        return argvUrl === import.meta.url;
-    }
-    catch {
-        return false;
-    }
-})();
-if (isEntry) {
-    bootHttpServer()
-        .then((s) => {
-        // eslint-disable-next-line no-console -- intentional startup log
-        console.error(`[apimapper-mcp] HTTP transport listening on ${s.url}`);
-        const shutdown = async () => {
-            await s.close();
-            process.exit(0);
-        };
-        process.on("SIGTERM", shutdown);
-        process.on("SIGINT", shutdown);
-    })
-        .catch((err) => {
-        // eslint-disable-next-line no-console -- intentional fatal log
-        console.error("[apimapper-mcp] HTTP boot failed:", err);
-        process.exit(1);
-    });
-}
-//# sourceMappingURL=server-http.js.map

package/dist/server-http.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"server-http.js","sourceRoot":"","sources":["../src/server-http.ts"],"names":[],"mappings":";AACA,mDAAmD;AACnD,EAAE;AACF,yEAAyE;AACzE,iDAAiD;AACjD,+DAA+D;AAC/D,EAAE;AACF,+DAA+D;AAC/D,uFAAuF;AACvF,0EAA0E;AAC1E,uEAAuE;AACvE,uEAAuE;AACvE,6CAA6C;AAE7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAE1E,OAAO,EAAE,WAAW,EAAqB,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,yBAAyB,EAA6C,MAAM,sBAAsB,CAAC;AAC5G,OAAO,EAAE,mBAAmB,EAAsB,MAAM,0BAA0B,CAAC;AACnF,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAenE,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACpD,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACjD,CAAC,CAAC,EAAE,CAAC;AAEL;;;;;;;;;;;;GAYG;AACH,IAAI,mBAAmB,GAAsB,IAAI,CAAC;AAClD,IAAI,kBAAkB,GAAqB,IAAI,CAAC;AAChD,IAAI,iBAAiB,GAAmB,EAAE,CAAC;AAE3C,KAAK,UAAU,oBAAoB;IACjC,IAAI,mBAAmB;QAAE,OAAO,mBAAmB,CAAC;IAEpD,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GAAG,iBAAiB,CAAC,gBAAgB,EAAE,CAAC;IAChF,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,kBAAkB,GAAG,MAAM,CAAC;IAC5B,iBAAiB,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACrE,MAAM,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACtC,sEAAsE;IACtE,oEAAoE;IACpE,oEAAoE;IACpE,uEAAuE;IACvE,MAAM,eAAe,CAAC,KAAK,EAAE,CAAC;IAE9B,MAAM,OAAO,GAAG,IAAI,GAAG,EAA2C,CAAC;IACnE,eAAe,CAAC,SAAS,GAAG,CAAC,OAAgB,EAAQ,EAAE;QACrD,MAAM,CAAC,GAAG,OAAmC,CAAC;QAC9C,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAE,CAAC;YACnC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACrB,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC;QACD,qEAAqE;QACrE,+CAA+C;IACjD,CAAC,CAAC;IAEF,mBAAmB,GAAG,KAAK,EAAE,IAAa,EAAoB,EAAE;QAC9D,MAAM,GAAG,GAAG,IAAqF,CAAC;QAElG,qEAAqE;QACrE,iCAAiC;QACjC,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,6FAA6F;gBAC7F,MAAM,eAAe,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,2CAA2C;YAC7C,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC;QAClD,CAAC;QAED,0DAA0D;QAC1D,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAG,CAAC,EAAE,CAAC;oBACzB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;oBACxB,OAAO,CAAC;wBACN,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,uCAAuC,EAAE;qBAC1E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,EAAE,MAAM,CAAC,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAG,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC3B,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,CAAC;YACf,CAAC,CAAC,CAAC;YACH,6FAA6F;YAC7F,KAAK,eAAe,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;gBAC1D,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;gBACxB,OAAO,CAAC;oBACN,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,oBAAoB,GAAG,CAAC,OAAO,EAAE,EAAE;iBACpE,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,iBAAiB;IAC/B,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,UAAuB,EAAE;IAEzB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,YAAY,CAAC;IAC1C,MAAM,KAAK,GAAG,mBAAmB,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,MAAM,oBAAoB,EAAE,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAAC;QAChD,IAAI;QACJ,KAAK;QACL,UAAU;QACV,aAAa,EAAE,OAAO,CAAC,aAAa;KACrC,CAAC,CAAC;IACH,OAAO,EAAE,GAAG,SAAS,EAAE,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,0EAA0E;AAE1E,sEAAsE;AACtE,mEAAmE;AACnE,MAAM,OAAO,GAAG,CAAC,GAAG,EAAE;IACpB,IAAI,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,mEAAmE;IACnE,qBAAqB;IACrB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC;QAC1D,OAAO,OAAO,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,CAAC,EAAE,CAAC;AAEL,IAAI,OAAO,EAAE,CAAC;IACZ,cAAc,EAAE;SACb,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QACV,iEAAiE;QACjE,OAAO,CAAC,KAAK,CACX,+CAA+C,CAAC,CAAC,GAAG,EAAE,CACvD,CAAC;QACF,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAChC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;QACtB,+DAA+D;QAC/D,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/transports/http.d.ts

@@ -1,29 +0,0 @@
-import { type Server } from "node:http";
-import type { OAuthProvider } from "../auth/oauth-provider.js";
-export interface HttpAuthInfo {
-    client_id: string;
-    scope: string;
-}
-export type McpHandler = (body: unknown, authInfo: HttpAuthInfo | null) => Promise<unknown>;
-export interface HttpTransportOptions {
-    /** TCP port to bind. Use 0 for an ephemeral port. */
-    port: number;
-    /** OAuth provider state — typically a singleton per process. */
-    oauth: OAuthProvider;
-    /** MCP routing callback. Receives parsed JSON body + auth info. */
-    mcpHandler: McpHandler;
-    /**
-     * Public base URL used in OAuth metadata. Default: derived from the
-     * bound address (`http://127.0.0.1:<port>`).
-     */
-    publicBaseUrl?: string;
-}
-export interface HttpTransportServer {
-    /** http.Server instance. */
-    server: Server;
-    /** Resolved base URL (with port). */
-    url: string;
-    /** Stop accepting new connections + close existing keep-alives. */
-    close(): Promise<void>;
-}
-export declare function createHttpTransportServer(options: HttpTransportOptions): Promise<HttpTransportServer>;