@x-code-cli/core 0.2.10 → 0.3.1

package/dist/mcp/oauth/provider.js

@@ -0,0 +1,292 @@
+import { spawn } from 'node:child_process';
+import { debugLog } from '../../utils.js';
+import { startCallbackServer } from './callback-server.js';
+const CLIENT_METADATA_BASE = {
+    client_name: 'X-Code CLI',
+    client_uri: 'https://github.com/woai3c/x-code-cli',
+    grant_types: ['authorization_code', 'refresh_token'],
+    response_types: ['code'],
+    token_endpoint_auth_method: 'none',
+};
+/** Concrete provider, wired up to fetched persisted state + a callback
+ *  server that gets started on demand. Reused across multiple connect /
+ *  refresh attempts for the same server. */
+export class McpOAuthProvider {
+    opts;
+    /** Currently-running callback server. We keep a handle so a second
+     *  call to redirectToAuthorization (after a failed first attempt)
+     *  reuses the same port instead of opening another listener. */
+    callbackServer = null;
+    /** PKCE verifier — kept in memory only, replaced on each new flow. */
+    memoryCodeVerifier = null;
+    /** Pending callback that the SDK will consume via `finishAuth` on
+     *  the transport. Caller of `waitForAuthCode()` retrieves it. */
+    pendingCode = null;
+    /** Whether `redirectToAuthorization` should actually launch a browser.
+     *  Default false — booting the CLI with an HTTP MCP server that has
+     *  no stored token must NOT silently open a browser window. The flag
+     *  is flipped on for the duration of `connectWithOAuth` (driven by
+     *  `/mcp auth <name>`) and back off in `finally`. */
+    interactive = false;
+    constructor(opts) {
+        this.opts = opts;
+    }
+    /** Caller (client.ts:connectWithOAuth) toggles this around an
+     *  authenticated dance. Outside that window we stay passive. */
+    setInteractive(value) {
+        this.interactive = value;
+    }
+    /** Eagerly start the callback server, so the real loopback port is
+     *  available to `redirectUrl` and `clientMetadata.redirect_uris`
+     *  BEFORE the SDK constructs the dynamic-registration request.
+     *
+     *  Why this matters: Sentry (and any auth server that doesn't follow
+     *  RFC 8252 §7.3 strictly) validates the auth-URL `redirect_uri` against
+     *  the value the client registered with. If we register with the
+     *  port-less placeholder and then redirect to a concrete port, the
+     *  server replies "Invalid redirect URI" and the whole flow dies.
+     *  Pre-starting the server ensures registration and authorization use
+     *  the SAME concrete `http://127.0.0.1:<port>/callback`. */
+    async prepareForAuth() {
+        this.interactive = true;
+        await this.ensureCallbackServer();
+    }
+    // ── OAuthClientProvider ────────────────────────────────────────────────
+    get redirectUrl() {
+        // The SDK actually reads `redirectUrl` BEFORE `redirectToAuthorization`
+        // fires (e.g. while constructing the authorize URL during the very
+        // first connect attempt with no stored token). An earlier version
+        // threw here, which surfaced HTTP servers as `failed` instead of the
+        // intended `needs_auth` on the first launch after `/mcp add`.
+        //
+        // We return the same loopback placeholder `clientMetadata.redirect_uris`
+        // already uses. RFC 8252 §7.3 says authorisation servers MUST accept any
+        // port on a registered loopback redirect_uri, so the placeholder being
+        // port-less is fine for the registration roundtrip; `redirectToAuthorization`
+        // rewrites the actual `redirect_uri` query param with the real port
+        // right before launching the browser.
+        return this.callbackServer?.url ?? 'http://127.0.0.1/callback';
+    }
+    get clientMetadata() {
+        return {
+            ...CLIENT_METADATA_BASE,
+            // Filled in by redirectToAuthorization once the server is up.
+            // Until then the SDK may inspect this object during dynamic
+            // registration — we use a placeholder; the SDK will overwrite
+            // the registration response anyway.
+            redirect_uris: [this.callbackServer?.url ?? 'http://127.0.0.1/callback'],
+        };
+    }
+    async clientInformation() {
+        const stored = await this.opts.storage.get(this.opts.serverName);
+        return stored?.clientInformation;
+    }
+    async saveClientInformation(info) {
+        await this.opts.storage.setClientInformation(this.opts.serverName, this.opts.serverUrl, info);
+    }
+    async tokens() {
+        const stored = await this.opts.storage.get(this.opts.serverName);
+        return stored?.tokens;
+    }
+    async saveTokens(tokens) {
+        await this.opts.storage.setTokens(this.opts.serverName, this.opts.serverUrl, tokens);
+    }
+    saveCodeVerifier(codeVerifier) {
+        this.memoryCodeVerifier = codeVerifier;
+    }
+    codeVerifier() {
+        if (!this.memoryCodeVerifier) {
+            throw new Error('No PKCE verifier set — auth flow not in progress');
+        }
+        return this.memoryCodeVerifier;
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        // Passive (boot) mode: the SDK is in the middle of a "lazy" first
+        // connect with no stored token. We must NOT open a browser window
+        // unprompted — every other MCP-aware CLI (Claude Code, Gemini,
+        // OpenCode) waits for explicit user action before doing that, and
+        // a CLI start-up that hijacks the user's browser is a hostile
+        // surprise. Returning here is enough: the SDK will throw
+        // UnauthorizedError next, the registry classifies it as
+        // `needs_auth`, and `/mcp auth <name>` can drive the real flow
+        // (after setInteractive(true) flips us into the interactive path
+        // below).
+        if (!this.interactive) {
+            return;
+        }
+        // Lazy-start the callback server right before we hand the auth URL
+        // to the browser, so the URL we advertise (via `redirectUrl`)
+        // matches what we'll listen on. We rebuild the auth URL with the
+        // updated redirect_uri reflecting our actual port.
+        await this.ensureCallbackServer();
+        authorizationUrl.searchParams.set('redirect_uri', this.callbackServer.url);
+        this.opts.onOpenBrowser?.(authorizationUrl.toString());
+        await openInBrowser(authorizationUrl.toString());
+        // Stash the pending callback so the caller can `await` it through
+        // `waitForAuthCode()` while the transport machinery handles the
+        // token-exchange step.
+        this.pendingCode = this.callbackServer.waitForCallback();
+    }
+    // ── Helpers used by /mcp auth handler ─────────────────────────────────
+    /** Block until the auth server has redirected back. Resolves with the
+     *  captured code; the caller then calls `transport.finishAuth(code)`
+     *  on the SDK's StreamableHTTPClientTransport.
+     *
+     *  We close the callback server here because we already have the code
+     *  — Sentry won't call us back again on this flow. But we leave
+     *  `memoryCodeVerifier` alive: the SDK reads it during
+     *  `transport.finishAuth(code)`, which the caller runs AFTER this
+     *  promise resolves. Nulling the verifier in this finally block was
+     *  the cause of "No PKCE verifier set — auth flow not in progress".
+     *  Cleanup of the verifier happens either via `cancel()` (abort
+     *  path) or naturally on the next `saveCodeVerifier(...)` call. */
+    async waitForAuthCode() {
+        if (!this.pendingCode) {
+            throw new Error('Auth flow not started — redirectToAuthorization was never invoked');
+        }
+        try {
+            return await this.pendingCode;
+        }
+        finally {
+            this.pendingCode = null;
+            this.callbackServer?.close();
+            this.callbackServer = null;
+        }
+    }
+    /** Drop any in-progress flow without saving. Safe to call any time. */
+    cancel() {
+        this.callbackServer?.close();
+        this.callbackServer = null;
+        this.pendingCode = null;
+        this.memoryCodeVerifier = null;
+    }
+    // ── internals ──────────────────────────────────────────────────────────
+    async ensureCallbackServer() {
+        if (this.callbackServer)
+            return;
+        this.callbackServer = await startCallbackServer();
+    }
+}
+/** Best-effort cross-platform `open <url>`. Detached so the CLI doesn't
+ *  block on the browser process; stdio piped to /dev/null so output
+ *  doesn't smear into our terminal UI. Failures are logged but never
+ *  thrown — the user can still copy/paste the URL by hand. */
+async function openInBrowser(url) {
+    try {
+        if (process.platform === 'win32') {
+            // We deliberately AVOID `cmd /c start` here. cmd.exe treats `&`
+            // as a command separator, so an OAuth URL like
+            //   https://x.com/auth?response_type=code&client_id=abc&code_challenge=...
+            // got silently truncated to `https://x.com/auth?response_type=code`
+            // — the user's browser landed on a URL with no client_id /
+            // redirect_uri / PKCE challenge and Sentry replied "Invalid
+            // redirect URI". Node's argv quoting doesn't quote `&` (it's not
+            // a Windows-native special char, only a cmd-builtin special char)
+            // so even passing the URL as a separate arg didn't save us.
+            //
+            // `rundll32 url.dll,FileProtocolHandler <url>` is the documented
+            // Win32 way to invoke the default browser's protocol handler.
+            // It bypasses cmd entirely, so `&` passes through verbatim.
+            spawnDetached('rundll32', ['url.dll,FileProtocolHandler', url]);
+            return;
+        }
+        if (process.platform === 'darwin') {
+            // macOS `open` is rock-solid for URLs, no quirks.
+            spawnDetached('open', [url]);
+            return;
+        }
+        // Linux / *BSD: no single command works everywhere. xdg-utils
+        // (`xdg-open`) is the de-facto standard but missing on minimal
+        // containers and many server distros; `gio open` covers newer
+        // GNOME stacks; `wslview` covers WSL → Windows browser (when
+        // xdg-open inside WSL doesn't reach the host); `kde-open` and
+        // `gnome-open` cover their respective legacy desktops.
+        //
+        // We try each in turn, falling through on ENOENT or non-zero exit.
+        // Failing silently with no opener would leave the user staring at
+        // the CLI scrollback wondering why nothing happened — we surface a
+        // `mcp.browser-open-no-opener` debug entry so the situation is at
+        // least diagnosable, and the CLI's "Opened …" line already gave
+        // them the URL to copy/paste by hand.
+        const candidates = [
+            ['xdg-open', [url]],
+            ['gio', ['open', url]],
+            ['wslview', [url]],
+            ['kde-open', [url]],
+            ['gnome-open', [url]],
+        ];
+        for (const [cmd, args] of candidates) {
+            if (await trySpawnOpener(cmd, args))
+                return;
+        }
+        debugLog('mcp.browser-open-no-opener', `no working URL opener found; advised user to copy/paste manually`);
+    }
+    catch (err) {
+        debugLog('mcp.browser-open-threw', String(err));
+    }
+}
+/** Fire a child process, detach, walk away. Used on Windows/macOS where
+ *  the command is known-good — failure-detection is just a debug log. */
+function spawnDetached(cmd, args) {
+    const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+    child.unref();
+    child.on('error', (err) => debugLog('mcp.browser-open-failed', String(err)));
+}
+/** Try one Linux URL opener candidate. Resolves true if the binary
+ *  exists and either exited cleanly OR is still alive after a brief
+ *  grace window (most openers exec into a browser and exit ~immediately,
+ *  but a few — notably wslview on cold start — fork and stay running for
+ *  a moment). Resolves false on ENOENT or non-zero exit, signalling the
+ *  caller to try the next candidate. */
+function trySpawnOpener(cmd, args) {
+    return new Promise((resolve) => {
+        let settled = false;
+        const settle = (ok) => {
+            if (settled)
+                return;
+            settled = true;
+            resolve(ok);
+        };
+        let child;
+        try {
+            child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+        }
+        catch {
+            settle(false);
+            return;
+        }
+        child.on('error', () => settle(false));
+        child.on('exit', (code) => {
+            if (code === 0) {
+                child.unref();
+                settle(true);
+            }
+            else {
+                settle(false);
+            }
+        });
+        // Grace window for openers that fork-and-stay-alive. 500 ms is well
+        // under any user-perceptible delay yet covers the slowest reasonable
+        // launch path; anything still alive at this point is almost certainly
+        // the real browser-launching process.
+        setTimeout(() => {
+            if (!settled) {
+                child.unref();
+                settle(true);
+            }
+        }, 500);
+    });
+}
+/** Factory used by loader.ts. Returns undefined for stdio servers — the
+ *  loader skips OAuth construction for those. */
+export function createOAuthProviderFactory(storage, onOpenBrowser) {
+    return (serverName, serverUrl) => {
+        return new McpOAuthProvider({
+            serverName,
+            serverUrl,
+            storage,
+            onOpenBrowser: onOpenBrowser ? (url) => onOpenBrowser(serverName, url) : undefined,
+        });
+    };
+}
+//# sourceMappingURL=provider.js.map

package/dist/mcp/oauth/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../../src/mcp/oauth/provider.ts"],"names":[],"mappings":"AA4BA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAA8B,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAGtF,MAAM,oBAAoB,GAA+C;IACvE,WAAW,EAAE,YAAY;IACzB,UAAU,EAAE,sCAAsC;IAClD,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;IACpD,cAAc,EAAE,CAAC,MAAM,CAAC;IACxB,0BAA0B,EAAE,MAAM;CACnC,CAAA;AAWD;;4CAE4C;AAC5C,MAAM,OAAO,gBAAgB;IAiBE;IAhB7B;;oEAEgE;IACxD,cAAc,GAAiC,IAAI,CAAA;IAC3D,sEAAsE;IAC9D,kBAAkB,GAAkB,IAAI,CAAA;IAChD;qEACiE;IACzD,WAAW,GAAqD,IAAI,CAAA;IAC5E;;;;yDAIqD;IAC7C,WAAW,GAAG,KAAK,CAAA;IAE3B,YAA6B,IAA2B;QAA3B,SAAI,GAAJ,IAAI,CAAuB;IAAG,CAAC;IAE5D;oEACgE;IAChE,cAAc,CAAC,KAAc;QAC3B,IAAI,CAAC,WAAW,GAAG,KAAK,CAAA;IAC1B,CAAC;IAED;;;;;;;;;;gEAU4D;IAC5D,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAA;QACvB,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAA;IACnC,CAAC;IAED,0EAA0E;IAE1E,IAAI,WAAW;QACb,wEAAwE;QACxE,mEAAmE;QACnE,kEAAkE;QAClE,qEAAqE;QACrE,8DAA8D;QAC9D,EAAE;QACF,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,8EAA8E;QAC9E,oEAAoE;QACpE,sCAAsC;QACtC,OAAO,IAAI,CAAC,cAAc,EAAE,GAAG,IAAI,2BAA2B,CAAA;IAChE,CAAC;IAED,IAAI,cAAc;QAChB,OAAO;YACL,GAAG,oBAAoB;YACvB,8DAA8D;YAC9D,4DAA4D;YAC5D,8DAA8D;YAC9D,oCAAoC;YACpC,aAAa,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,IAAI,2BAA2B,CAAC;SACzE,CAAA;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAChE,OAAO,MAAM,EAAE,iBAAiB,CAAA;IAClC,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,IAAiC;QAC3D,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAC/F,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAChE,OAAO,MAAM,EAAE,MAAM,CAAA;IACvB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAmB;QAClC,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;IACtF,CAAC;IAED,gBAAgB,CAAC,YAAoB;QACnC,IAAI,CAAC,kBAAkB,GAAG,YAAY,CAAA;IACxC,CAAC;IAED,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;QACrE,CAAC;QACD,OAAO,IAAI,CAAC,kBAAkB,CAAA;IAChC,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,gBAAqB;QACjD,kEAAkE;QAClE,kEAAkE;QAClE,+DAA+D;QAC/D,kEAAkE;QAClE,8DAA8D;QAC9D,yDAAyD;QACzD,wDAAwD;QACxD,+DAA+D;QAC/D,iEAAiE;QACjE,UAAU;QACV,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,OAAM;QACR,CAAC;QAED,mEAAmE;QACnE,8DAA8D;QAC9D,iEAAiE;QACjE,mDAAmD;QACnD,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAA;QACjC,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,cAAe,CAAC,GAAG,CAAC,CAAA;QAE3E,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAA;QACtD,MAAM,aAAa,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAA;QAEhD,kEAAkE;QAClE,gEAAgE;QAChE,uBAAuB;QACvB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,cAAe,CAAC,eAAe,EAAE,CAAA;IAC3D,CAAC;IAED,yEAAyE;IAEzE;;;;;;;;;;;uEAWmE;IACnE,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAA;QACtF,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,WAAW,CAAA;QAC/B,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,WAAW,GAAG,IAAI,CAAA;YACvB,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,CAAA;YAC5B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAA;QAC5B,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,MAAM;QACJ,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,CAAA;QAC5B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAA;QAC1B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAA;QACvB,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAA;IAChC,CAAC;IAED,0EAA0E;IAElE,KAAK,CAAC,oBAAoB;QAChC,IAAI,IAAI,CAAC,cAAc;YAAE,OAAM;QAC/B,IAAI,CAAC,cAAc,GAAG,MAAM,mBAAmB,EAAE,CAAA;IACnD,CAAC;CACF;AAED;;;8DAG8D;AAC9D,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,IAAI,CAAC;QACH,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,gEAAgE;YAChE,+CAA+C;YAC/C,2EAA2E;YAC3E,oEAAoE;YACpE,2DAA2D;YAC3D,4DAA4D;YAC5D,iEAAiE;YACjE,kEAAkE;YAClE,4DAA4D;YAC5D,EAAE;YACF,iEAAiE;YACjE,8DAA8D;YAC9D,4DAA4D;YAC5D,aAAa,CAAC,UAAU,EAAE,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC,CAAA;YAC/D,OAAM;QACR,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAClC,kDAAkD;YAClD,aAAa,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAA;YAC5B,OAAM;QACR,CAAC;QAED,8DAA8D;QAC9D,+DAA+D;QAC/D,8DAA8D;QAC9D,6DAA6D;QAC7D,8DAA8D;QAC9D,uDAAuD;QACvD,EAAE;QACF,mEAAmE;QACnE,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,gEAAgE;QAChE,sCAAsC;QACtC,MAAM,UAAU,GAA8B;YAC5C,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YACtB,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC;YAClB,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC,YAAY,EAAE,CAAC,GAAG,CAAC,CAAC;SACtB,CAAA;QACD,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,UAAU,EAAE,CAAC;YACrC,IAAI,MAAM,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC;gBAAE,OAAM;QAC7C,CAAC;QACD,QAAQ,CAAC,4BAA4B,EAAE,kEAAkE,CAAC,CAAA;IAC5G,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,QAAQ,CAAC,wBAAwB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACjD,CAAC;AACH,CAAC;AAED;yEACyE;AACzE,SAAS,aAAa,CAAC,GAAW,EAAE,IAAc;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;IACnE,KAAK,CAAC,KAAK,EAAE,CAAA;IACb,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,yBAAyB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AAC9E,CAAC;AAED;;;;;wCAKwC;AACxC,SAAS,cAAc,CAAC,GAAW,EAAE,IAAc;IACjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAA;QACnB,MAAM,MAAM,GAAG,CAAC,EAAW,EAAE,EAAE;YAC7B,IAAI,OAAO;gBAAE,OAAM;YACnB,OAAO,GAAG,IAAI,CAAA;YACd,OAAO,CAAC,EAAE,CAAC,CAAA;QACb,CAAC,CAAA;QACD,IAAI,KAA+B,CAAA;QACnC,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,KAAK,CAAC,CAAA;YACb,OAAM;QACR,CAAC;QACD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;QACtC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,KAAK,CAAC,KAAK,EAAE,CAAA;gBACb,MAAM,CAAC,IAAI,CAAC,CAAA;YACd,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,CAAC,CAAA;YACf,CAAC;QACH,CAAC,CAAC,CAAA;QACF,oEAAoE;QACpE,qEAAqE;QACrE,sEAAsE;QACtE,sCAAsC;QACtC,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,KAAK,CAAC,KAAK,EAAE,CAAA;gBACb,MAAM,CAAC,IAAI,CAAC,CAAA;YACd,CAAC;QACH,CAAC,EAAE,GAAG,CAAC,CAAA;IACT,CAAC,CAAC,CAAA;AACJ,CAAC;AAED;iDACiD;AACjD,MAAM,UAAU,0BAA0B,CACxC,OAAwB,EACxB,aAAyD;IAEzD,OAAO,CAAC,UAAkB,EAAE,SAAiB,EAAoB,EAAE;QACjE,OAAO,IAAI,gBAAgB,CAAC;YAC1B,UAAU;YACV,SAAS;YACT,OAAO;YACP,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;SACnF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/dist/mcp/oauth/token-storage.d.ts

@@ -0,0 +1,42 @@
+import type { OAuthClientInformationFull, OAuthClientInformationMixed, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
+export interface StoredServerAuth {
+    /** Server URL — recorded so we can detect "this stored token belongs
+     *  to a different deployment" if the user repoints config later. */
+    url: string;
+    clientInformation?: OAuthClientInformationMixed;
+    tokens?: OAuthTokens;
+    /** UTC ISO timestamp when the most recent tokens were obtained. Used
+     *  to compute expiry locally because OAuth `expires_in` is relative
+     *  to issuance, not absolute. */
+    tokensIssuedAt?: string;
+}
+export declare class McpTokenStorage {
+    private cache;
+    get(serverName: string): Promise<StoredServerAuth | undefined>;
+    setClientInformation(serverName: string, url: string, info: OAuthClientInformationMixed): Promise<void>;
+    setTokens(serverName: string, url: string, tokens: OAuthTokens): Promise<void>;
+    clear(serverName: string): Promise<void>;
+    listServers(): Promise<Array<{
+        name: string;
+        url: string;
+        hasTokens: boolean;
+    }>>;
+    /** Compute the absolute expiry timestamp from issuedAt + expires_in.
+     *  Returns undefined when either is missing (some servers omit expiry —
+     *  in that case callers should optimistically use the token and let a
+     *  401 trigger refresh). */
+    static expiresAt(stored: StoredServerAuth | undefined): number | undefined;
+    /** True iff stored tokens exist AND look fresh enough to use
+     *  (i.e. won't expire in the next `skewMs` window). When expiry
+     *  isn't known we return true and let the next 401 drive a refresh. */
+    static isAccessTokenLikelyValid(stored: StoredServerAuth | undefined, skewMs?: number): boolean;
+    private ensureLoaded;
+    private flush;
+}
+export declare function getTokenStorage(): McpTokenStorage;
+/** Test hook — replace the singleton so unit tests don't touch
+ *  ~/.x-code/. Note that X_CODE_HOME also reroutes the file, so most
+ *  tests can just set that env var and avoid this hook. */
+export declare function setTokenStorageForTesting(s: McpTokenStorage | null): void;
+export type { OAuthClientInformationFull, OAuthClientInformationMixed, OAuthTokens };
+//# sourceMappingURL=token-storage.d.ts.map

package/dist/mcp/oauth/token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../../src/mcp/oauth/token-storage.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EACV,0BAA0B,EAC1B,2BAA2B,EAC3B,WAAW,EACZ,MAAM,0CAA0C,CAAA;AAWjD,MAAM,WAAW,gBAAgB;IAC/B;wEACoE;IACpE,GAAG,EAAE,MAAM,CAAA;IACX,iBAAiB,CAAC,EAAE,2BAA2B,CAAA;IAC/C,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB;;qCAEiC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAID,qBAAa,eAAe;IAC1B,OAAO,CAAC,KAAK,CAAyB;IAEhC,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,SAAS,CAAC;IAK9D,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,IAAI,CAAC;IAQvG,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAS9E,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQxC,WAAW,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAWtF;;;gCAG4B;IAC5B,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,gBAAgB,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS;IAS1E;;2EAEuE;IACvE,MAAM,CAAC,wBAAwB,CAAC,MAAM,EAAE,gBAAgB,GAAG,SAAS,EAAE,MAAM,SAAS,GAAG,OAAO;YASjF,YAAY;YAKZ,KAAK;CAcpB;AAmBD,wBAAgB,eAAe,IAAI,eAAe,CAGjD;AAED;;2DAE2D;AAC3D,wBAAgB,yBAAyB,CAAC,CAAC,EAAE,eAAe,GAAG,IAAI,GAAG,IAAI,CAEzE;AAED,YAAY,EAAE,0BAA0B,EAAE,2BAA2B,EAAE,WAAW,EAAE,CAAA"}

package/dist/mcp/oauth/token-storage.js

@@ -0,0 +1,121 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { debugLog, userXcodeDir } from '../../utils.js';
+function authFile() {
+    return path.join(userXcodeDir(), 'mcp-auth.json');
+}
+export class McpTokenStorage {
+    cache = null;
+    async get(serverName) {
+        await this.ensureLoaded();
+        return this.cache[serverName];
+    }
+    async setClientInformation(serverName, url, info) {
+        await this.ensureLoaded();
+        const entry = (this.cache[serverName] ??= { url });
+        entry.url = url;
+        entry.clientInformation = info;
+        await this.flush();
+    }
+    async setTokens(serverName, url, tokens) {
+        await this.ensureLoaded();
+        const entry = (this.cache[serverName] ??= { url });
+        entry.url = url;
+        entry.tokens = tokens;
+        entry.tokensIssuedAt = new Date().toISOString();
+        await this.flush();
+    }
+    async clear(serverName) {
+        await this.ensureLoaded();
+        if (this.cache[serverName]) {
+            delete this.cache[serverName];
+            await this.flush();
+        }
+    }
+    async listServers() {
+        await this.ensureLoaded();
+        return Object.entries(this.cache).map(([name, entry]) => ({
+            name,
+            url: entry.url,
+            hasTokens: !!entry.tokens,
+        }));
+    }
+    // ── helpers ────────────────────────────────────────────────────────────
+    /** Compute the absolute expiry timestamp from issuedAt + expires_in.
+     *  Returns undefined when either is missing (some servers omit expiry —
+     *  in that case callers should optimistically use the token and let a
+     *  401 trigger refresh). */
+    static expiresAt(stored) {
+        const t = stored?.tokens;
+        if (!t)
+            return undefined;
+        if (typeof t.expires_in !== 'number')
+            return undefined;
+        const issued = stored.tokensIssuedAt ? Date.parse(stored.tokensIssuedAt) : NaN;
+        if (Number.isNaN(issued))
+            return undefined;
+        return issued + t.expires_in * 1000;
+    }
+    /** True iff stored tokens exist AND look fresh enough to use
+     *  (i.e. won't expire in the next `skewMs` window). When expiry
+     *  isn't known we return true and let the next 401 drive a refresh. */
+    static isAccessTokenLikelyValid(stored, skewMs = 60_000) {
+        if (!stored?.tokens?.access_token)
+            return false;
+        const expiresAt = McpTokenStorage.expiresAt(stored);
+        if (expiresAt === undefined)
+            return true;
+        return Date.now() + skewMs < expiresAt;
+    }
+    // ── internals ──────────────────────────────────────────────────────────
+    async ensureLoaded() {
+        if (this.cache !== null)
+            return;
+        this.cache = await readFile();
+    }
+    async flush() {
+        if (!this.cache)
+            return;
+        try {
+            await fs.mkdir(userXcodeDir(), { recursive: true });
+            const tmp = authFile() + '.tmp';
+            await fs.writeFile(tmp, JSON.stringify(this.cache, null, 2) + '\n', {
+                encoding: 'utf-8',
+                mode: 0o600,
+            });
+            await fs.rename(tmp, authFile());
+        }
+        catch (err) {
+            debugLog('mcp.token-write-failed', String(err));
+        }
+    }
+}
+async function readFile() {
+    try {
+        const raw = await fs.readFile(authFile(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        // missing / malformed — start clean
+    }
+    return {};
+}
+/** Singleton instance. Wiring is simple: CLI startup constructs it once,
+ *  passes it to loadMcpServers (which threads it into per-server OAuth
+ *  providers) and to /mcp auth / /mcp logout handlers. */
+let globalInstance = null;
+export function getTokenStorage() {
+    if (!globalInstance)
+        globalInstance = new McpTokenStorage();
+    return globalInstance;
+}
+/** Test hook — replace the singleton so unit tests don't touch
+ *  ~/.x-code/. Note that X_CODE_HOME also reroutes the file, so most
+ *  tests can just set that env var and avoid this hook. */
+export function setTokenStorageForTesting(s) {
+    globalInstance = s;
+}
+//# sourceMappingURL=token-storage.js.map

package/dist/mcp/oauth/token-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.js","sourceRoot":"","sources":["../../../src/mcp/oauth/token-storage.ts"],"names":[],"mappings":"AA0BA,OAAO,EAAE,MAAM,kBAAkB,CAAA;AACjC,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAEvD,SAAS,QAAQ;IACf,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,eAAe,CAAC,CAAA;AACnD,CAAC;AAgBD,MAAM,OAAO,eAAe;IAClB,KAAK,GAAqB,IAAI,CAAA;IAEtC,KAAK,CAAC,GAAG,CAAC,UAAkB;QAC1B,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QACzB,OAAO,IAAI,CAAC,KAAM,CAAC,UAAU,CAAC,CAAA;IAChC,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,UAAkB,EAAE,GAAW,EAAE,IAAiC;QAC3F,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QACzB,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAM,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QACnD,KAAK,CAAC,GAAG,GAAG,GAAG,CAAA;QACf,KAAK,CAAC,iBAAiB,GAAG,IAAI,CAAA;QAC9B,MAAM,IAAI,CAAC,KAAK,EAAE,CAAA;IACpB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,UAAkB,EAAE,GAAW,EAAE,MAAmB;QAClE,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QACzB,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAM,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QACnD,KAAK,CAAC,GAAG,GAAG,GAAG,CAAA;QACf,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;QACrB,KAAK,CAAC,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;QAC/C,MAAM,IAAI,CAAC,KAAK,EAAE,CAAA;IACpB,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,UAAkB;QAC5B,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QACzB,IAAI,IAAI,CAAC,KAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,KAAM,CAAC,UAAU,CAAC,CAAA;YAC9B,MAAM,IAAI,CAAC,KAAK,EAAE,CAAA;QACpB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QACzB,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACzD,IAAI;YACJ,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;SAC1B,CAAC,CAAC,CAAA;IACL,CAAC;IAED,0EAA0E;IAE1E;;;gCAG4B;IAC5B,MAAM,CAAC,SAAS,CAAC,MAAoC;QACnD,MAAM,CAAC,GAAG,MAAM,EAAE,MAAM,CAAA;QACxB,IAAI,CAAC,CAAC;YAAE,OAAO,SAAS,CAAA;QACxB,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAA;QACtD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,CAAA;QAC9E,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAA;QAC1C,OAAO,MAAM,GAAG,CAAC,CAAC,UAAU,GAAG,IAAI,CAAA;IACrC,CAAC;IAED;;2EAEuE;IACvE,MAAM,CAAC,wBAAwB,CAAC,MAAoC,EAAE,MAAM,GAAG,MAAM;QACnF,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY;YAAE,OAAO,KAAK,CAAA;QAC/C,MAAM,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;QACnD,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QACxC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,SAAS,CAAA;IACxC,CAAC;IAED,0EAA0E;IAElE,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI;YAAE,OAAM;QAC/B,IAAI,CAAC,KAAK,GAAG,MAAM,QAAQ,EAAE,CAAA;IAC/B,CAAC;IAEO,KAAK,CAAC,KAAK;QACjB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAM;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;YACnD,MAAM,GAAG,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAA;YAC/B,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE;gBAClE,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,KAAK;aACZ,CAAC,CAAA;YACF,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAA;QAClC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,wBAAwB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;QACjD,CAAC;IACH,CAAC;CACF;AAED,KAAK,UAAU,QAAQ;IACrB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,OAAO,CAAC,CAAA;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAA;QACzC,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACnE,OAAO,MAAmB,CAAA;QAC5B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;0DAE0D;AAC1D,IAAI,cAAc,GAA2B,IAAI,CAAA;AACjD,MAAM,UAAU,eAAe;IAC7B,IAAI,CAAC,cAAc;QAAE,cAAc,GAAG,IAAI,eAAe,EAAE,CAAA;IAC3D,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;2DAE2D;AAC3D,MAAM,UAAU,yBAAyB,CAAC,CAAyB;IACjE,cAAc,GAAG,CAAC,CAAA;AACpB,CAAC"}

package/dist/mcp/permissions.d.ts

@@ -0,0 +1,28 @@
+/** In-memory mirror of the persisted file + a session-scoped set for
+ *  "this session only" allows. The persisted set is loaded lazily on
+ *  first check; the session set is cleared on construction and never
+ *  written to disk. */
+export declare class McpPermissionStore {
+    private persisted;
+    private session;
+    /** Pre-load the persisted file. Optional — checks lazy-load anyway. */
+    preload(): Promise<void>;
+    /** Returns true iff the user has already approved this tool (either
+     *  by "always allow" persisted, or by "this session" in-memory). */
+    isApproved(callableName: string): Promise<boolean>;
+    /** Mark this tool approved for the rest of the session only.
+     *  Not persisted. */
+    approveForSession(callableName: string): void;
+    /** Mark this tool approved permanently — writes to disk. Failure to
+     *  write is logged but never thrown; the worst case is the user has
+     *  to click "always allow" again next session. */
+    approvePermanently(callableName: string): Promise<void>;
+    private ensurePersistedLoaded;
+    private writePersisted;
+}
+/** Pull "yes" / "always" / "no" out of the existing askPermission
+ *  callback. The callback's contract returns one of those three strings;
+ *  we map them to a structured choice for our own callers. */
+export type McpPermissionDecision = 'allow-once' | 'allow-always' | 'deny';
+export declare function classifyDecision(raw: 'yes' | 'always' | 'no'): McpPermissionDecision;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/mcp/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/mcp/permissions.ts"],"names":[],"mappings":"AA4BA;;;uBAGuB;AACvB,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,SAAS,CAA2B;IAC5C,OAAO,CAAC,OAAO,CAAoB;IAEnC,uEAAuE;IACjE,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAI9B;wEACoE;IAC9D,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMxD;yBACqB;IACrB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI;IAI7C;;sDAEkD;IAC5C,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAgB/C,qBAAqB;YAKrB,cAAc;CAY7B;AAeD;;8DAE8D;AAC9D,MAAM,MAAM,qBAAqB,GAAG,YAAY,GAAG,cAAc,GAAG,MAAM,CAAA;AAE1E,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,KAAK,GAAG,QAAQ,GAAG,IAAI,GAAG,qBAAqB,CAIpF"}

package/dist/mcp/permissions.js

@@ -0,0 +1,105 @@
+// @x-code-cli/core — MCP tool permission gate
+//
+// Sits parallel to packages/core/src/permissions/index.ts (which gates
+// built-in writeFile / edit / shell). MCP tools live in their own pool
+// because:
+//   - their names are runtime-discovered, can't be enumerated in a
+//     static rules table;
+//   - the user's "this MCP tool is fine, don't ask again" decision is
+//     persisted per-tool to ~/.x-code/mcp-permissions.json, separate
+//     from any per-shell-prefix allow rules.
+//
+// Default policy: every MCP tool starts at "ask" and stays there until
+// the user picks "always allow". No name-based heuristics — MCP tools
+// are too varied for `list_/read_/search_` style classification to be
+// safe (some "list_*" tools mutate, some "create_*" tools are no-ops).
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { debugLog, userXcodeDir } from '../utils.js';
+function permissionsFile() {
+    return path.join(userXcodeDir(), 'mcp-permissions.json');
+}
+/** In-memory mirror of the persisted file + a session-scoped set for
+ *  "this session only" allows. The persisted set is loaded lazily on
+ *  first check; the session set is cleared on construction and never
+ *  written to disk. */
+export class McpPermissionStore {
+    persisted = null;
+    session = new Set();
+    /** Pre-load the persisted file. Optional — checks lazy-load anyway. */
+    async preload() {
+        await this.ensurePersistedLoaded();
+    }
+    /** Returns true iff the user has already approved this tool (either
+     *  by "always allow" persisted, or by "this session" in-memory). */
+    async isApproved(callableName) {
+        if (this.session.has(callableName))
+            return true;
+        await this.ensurePersistedLoaded();
+        return this.persisted.has(callableName);
+    }
+    /** Mark this tool approved for the rest of the session only.
+     *  Not persisted. */
+    approveForSession(callableName) {
+        this.session.add(callableName);
+    }
+    /** Mark this tool approved permanently — writes to disk. Failure to
+     *  write is logged but never thrown; the worst case is the user has
+     *  to click "always allow" again next session. */
+    async approvePermanently(callableName) {
+        await this.ensurePersistedLoaded();
+        if (this.persisted.has(callableName))
+            return;
+        this.persisted.add(callableName);
+        // Also reflect in the session set so the very next call doesn't
+        // race the disk write.
+        this.session.add(callableName);
+        try {
+            await this.writePersisted();
+        }
+        catch (err) {
+            debugLog('mcp.perm-write-failed', String(err));
+            // Best-effort: do NOT remove from in-memory set on failure —
+            // the user explicitly said yes, honour that for the session.
+        }
+    }
+    async ensurePersistedLoaded() {
+        if (this.persisted !== null)
+            return;
+        this.persisted = await readPersisted();
+    }
+    async writePersisted() {
+        if (!this.persisted)
+            return;
+        await fs.mkdir(userXcodeDir(), { recursive: true });
+        const tmp = permissionsFile() + '.tmp';
+        const payload = { alwaysAllow: [...this.persisted].sort() };
+        // 0600 — readable only by the user. Same posture as mcp-auth.json
+        // (and same caveat: Windows ignores the mode bits but file is in
+        // ~/.x-code so practical leakage is limited to other apps running
+        // as the same user).
+        await fs.writeFile(tmp, JSON.stringify(payload, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 });
+        await fs.rename(tmp, permissionsFile());
+    }
+}
+async function readPersisted() {
+    try {
+        const raw = await fs.readFile(permissionsFile(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed && Array.isArray(parsed.alwaysAllow)) {
+            return new Set(parsed.alwaysAllow.filter((s) => typeof s === 'string'));
+        }
+    }
+    catch {
+        // missing / malformed — start with empty allow list, degrade to all-ask
+    }
+    return new Set();
+}
+export function classifyDecision(raw) {
+    if (raw === 'always')
+        return 'allow-always';
+    if (raw === 'yes')
+        return 'allow-once';
+    return 'deny';
+}
+//# sourceMappingURL=permissions.js.map

package/dist/mcp/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/mcp/permissions.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,EAAE;AACF,uEAAuE;AACvE,uEAAuE;AACvE,WAAW;AACX,mEAAmE;AACnE,0BAA0B;AAC1B,sEAAsE;AACtE,qEAAqE;AACrE,6CAA6C;AAC7C,EAAE;AACF,uEAAuE;AACvE,sEAAsE;AACtE,sEAAsE;AACtE,uEAAuE;AACvE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AACjC,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAEpD,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,sBAAsB,CAAC,CAAA;AAC1D,CAAC;AAMD;;;uBAGuB;AACvB,MAAM,OAAO,kBAAkB;IACrB,SAAS,GAAuB,IAAI,CAAA;IACpC,OAAO,GAAG,IAAI,GAAG,EAAU,CAAA;IAEnC,uEAAuE;IACvE,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAA;IACpC,CAAC;IAED;wEACoE;IACpE,KAAK,CAAC,UAAU,CAAC,YAAoB;QACnC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,CAAA;QAC/C,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAA;QAClC,OAAO,IAAI,CAAC,SAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAC1C,CAAC;IAED;yBACqB;IACrB,iBAAiB,CAAC,YAAoB;QACpC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAChC,CAAC;IAED;;sDAEkD;IAClD,KAAK,CAAC,kBAAkB,CAAC,YAAoB;QAC3C,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAA;QAClC,IAAI,IAAI,CAAC,SAAU,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,OAAM;QAC7C,IAAI,CAAC,SAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACjC,gEAAgE;QAChE,uBAAuB;QACvB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAC9B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,cAAc,EAAE,CAAA;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,uBAAuB,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;YAC9C,6DAA6D;YAC7D,6DAA6D;QAC/D,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB;QACjC,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI;YAAE,OAAM;QACnC,IAAI,CAAC,SAAS,GAAG,MAAM,aAAa,EAAE,CAAA;IACxC,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAM;QAC3B,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QACnD,MAAM,GAAG,GAAG,eAAe,EAAE,GAAG,MAAM,CAAA;QACtC,MAAM,OAAO,GAAe,EAAE,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,CAAA;QACvE,kEAAkE;QAClE,iEAAiE;QACjE,kEAAkE;QAClE,qBAAqB;QACrB,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;QACpG,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,eAAe,EAAE,CAAC,CAAA;IACzC,CAAC;CACF;AAED,KAAK,UAAU,aAAa;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,EAAE,EAAE,OAAO,CAAC,CAAA;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAA;QAC5C,IAAI,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAChD,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAA;QACtF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;IACD,OAAO,IAAI,GAAG,EAAU,CAAA;AAC1B,CAAC;AAOD,MAAM,UAAU,gBAAgB,CAAC,GAA4B;IAC3D,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,cAAc,CAAA;IAC3C,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,YAAY,CAAA;IACtC,OAAO,MAAM,CAAA;AACf,CAAC"}