@yawlabs/aws-mcp 0.9.8 → 0.9.10

package/dist/index.js

@@ -53570,6 +53570,14 @@ function killProc(proc, escalationMs = KILL_ESCALATION_MS) {
 // src/session.ts
 var sessionProfile;
 var sessionRegion;
+var PROFILE_NAME_RE = /^[A-Za-z0-9_+,.@:][A-Za-z0-9_+=,.@:-]{0,127}$/;
+var REGION_NAME_RE = /^[a-z][a-z0-9-]{2,30}$/;
+function isValidProfileName(name) {
+  return PROFILE_NAME_RE.test(name);
+}
+function isValidRegionName(name) {
+  return REGION_NAME_RE.test(name);
+}
 function getProfile() {
   return sessionProfile ?? process.env.AWS_PROFILE ?? "default";
 }
@@ -53580,13 +53588,25 @@ function setProfile(name) {
   if (!name?.trim()) {
     throw new Error("Profile name cannot be empty");
   }
-  sessionProfile = name.trim();
+  const trimmed = name.trim();
+  if (!isValidProfileName(trimmed)) {
+    throw new Error(
+      `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '=', no whitespace or shell metacharacters.`
+    );
+  }
+  sessionProfile = trimmed;
 }
 function setRegion(name) {
   if (!name?.trim()) {
     throw new Error("Region cannot be empty");
   }
-  sessionRegion = name.trim();
+  const trimmed = name.trim();
+  if (!isValidRegionName(trimmed)) {
+    throw new Error(
+      `Invalid region '${trimmed}'. Must match /^[a-z][a-z0-9-]{2,30}$/ (e.g. 'us-east-1', 'eu-west-3').`
+    );
+  }
+  sessionRegion = trimmed;
 }
 function clearProfile() {
   sessionProfile = void 0;
@@ -53672,6 +53692,20 @@ function runAwsCall(opts) {
   }
   const profile = opts.profile ?? getProfile();
   const region = opts.region ?? getRegion();
+  if (!isValidProfileName(profile)) {
+    return Promise.resolve({
+      ok: false,
+      kind: "bad_input",
+      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='. Check the 'profile' arg or AWS_PROFILE env var.`
+    });
+  }
+  if (!isValidRegionName(region)) {
+    return Promise.resolve({
+      ok: false,
+      kind: "bad_input",
+      error: `Invalid region '${region}'. Must match /^[a-z][a-z0-9-]{2,30}$/ (e.g. 'us-east-1'). Check the 'region' arg or AWS_REGION / AWS_DEFAULT_REGION env var.`
+    });
+  }
   const outputFormat = opts.outputFormat ?? "json";
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const envCommand = process.env.AWS_MCP_TEST_AWS_COMMAND;
@@ -53844,9 +53878,11 @@ import {
   readFileSync,
   renameSync,
   statSync,
+  unlinkSync,
   writeSync
 } from "node:fs";
 import { platform } from "node:os";
+import { setTimeout as delay } from "node:timers/promises";
 function splitSections(text) {
   const sections = [];
   let current = { header: null, body: "" };
@@ -53927,24 +53963,95 @@ function upsertProfileIntoText(text, profile, creds) {
   return sections.map((s) => s.header === null ? s.body : `${s.header}
 ${s.body}`).join("").replace(/\n*$/, "\n");
 }
-function upsertProfile(path, profile, creds) {
-  const existing = existsSync(path) ? readFileSync(path, "utf-8") : "";
-  const nextText = upsertProfileIntoText(existing, profile, creds);
-  const tmpPath = `${path}.tmp-${process.pid}-${randomUUID()}`;
-  const fd = openSync(tmpPath, "w", 384);
+var LOCK_MAX_WAIT_MS = 1e4;
+var LOCK_STALE_AFTER_MS = 3e4;
+var LOCK_BASE_RETRY_MS = 25;
+var LOCK_MAX_RETRY_MS = 250;
+async function acquireLock(lockPath) {
+  const start = Date.now();
+  let attempt = 0;
+  while (true) {
+    if (Date.now() - start > LOCK_MAX_WAIT_MS) {
+      throw new Error(
+        `upsertProfile: failed to acquire lock at ${lockPath} after ${LOCK_MAX_WAIT_MS}ms. If a previous writer crashed, remove the lock file manually.`
+      );
+    }
+    let fd = null;
+    try {
+      fd = openSync(lockPath, "wx");
+    } catch (err) {
+      const code = err.code;
+      if (code !== "EEXIST") {
+        throw err;
+      }
+    }
+    if (fd !== null) {
+      try {
+        try {
+          writeSync(fd, `pid=${process.pid} time=${Date.now()}
+`);
+        } finally {
+          closeSync(fd);
+        }
+        return;
+      } catch (err) {
+        try {
+          unlinkSync(lockPath);
+        } catch {
+        }
+        throw err;
+      }
+    }
+    let shouldRetryImmediately = false;
+    try {
+      const st = statSync(lockPath);
+      if (Date.now() - st.mtimeMs > LOCK_STALE_AFTER_MS) {
+        try {
+          unlinkSync(lockPath);
+        } catch {
+        }
+        shouldRetryImmediately = true;
+      }
+    } catch {
+      shouldRetryImmediately = true;
+    }
+    if (shouldRetryImmediately) continue;
+    const cappedAttempt = Math.min(attempt, 8);
+    const baseDelay = Math.min(LOCK_BASE_RETRY_MS * (1 + cappedAttempt), LOCK_MAX_RETRY_MS);
+    await delay(baseDelay + Math.random() * baseDelay);
+    attempt++;
+  }
+}
+function releaseLock(lockPath) {
   try {
-    writeSync(fd, nextText);
-  } finally {
-    closeSync(fd);
+    unlinkSync(lockPath);
+  } catch {
   }
-  renameSync(tmpPath, path);
-  if (platform() !== "win32") {
-    let existingMode = 384;
-    if (existsSync(path)) {
-      const st = statSync(path);
-      existingMode = st.mode & 511;
+}
+async function upsertProfile(path, profile, creds) {
+  const lockPath = `${path}.lock`;
+  await acquireLock(lockPath);
+  try {
+    const existing = existsSync(path) ? readFileSync(path, "utf-8") : "";
+    const nextText = upsertProfileIntoText(existing, profile, creds);
+    const tmpPath = `${path}.tmp-${process.pid}-${randomUUID()}`;
+    const fd = openSync(tmpPath, "w", 384);
+    try {
+      writeSync(fd, nextText);
+    } finally {
+      closeSync(fd);
+    }
+    renameSync(tmpPath, path);
+    if (platform() !== "win32") {
+      let existingMode = 384;
+      if (existsSync(path)) {
+        const st = statSync(path);
+        existingMode = st.mode & 511;
+      }
+      if ((existingMode & 63) !== 0) chmodSync(path, 384);
     }
-    if ((existingMode & 63) !== 0) chmodSync(path, 384);
+  } finally {
+    releaseLock(lockPath);
   }
 }
 
@@ -53985,6 +54092,12 @@ var assumeTools = [
       const sourceProfile = i.sourceProfile || getProfile();
       const useRegion = i.region || getRegion();
       const targetProfile = resolveTargetProfile({ targetProfile: i.targetProfile, sessionName: i.sessionName });
+      if (!isValidProfileName(targetProfile)) {
+        return {
+          ok: false,
+          error: `Invalid targetProfile name '${targetProfile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='. Pick a different targetProfile or sessionName.`
+        };
+      }
       const params = {
         RoleArn: i.roleArn,
         RoleSessionName: i.sessionName,
@@ -54020,7 +54133,7 @@ var assumeTools = [
         return { ok: false, error: "STS AssumeRole succeeded but returned incomplete credentials." };
       }
       const credentialsPath = join(homedir(), ".aws", "credentials");
-      upsertProfile(credentialsPath, targetProfile, {
+      await upsertProfile(credentialsPath, targetProfile, {
         aws_access_key_id: creds.AccessKeyId,
         aws_secret_access_key: creds.SecretAccessKey,
         aws_session_token: creds.SessionToken
@@ -54049,11 +54162,22 @@ import { join as join3 } from "node:path";
 
 // src/sso.ts
 import { spawn as spawn2 } from "node:child_process";
-import { randomUUID as randomUUID2 } from "node:crypto";
+import { createHash, randomUUID as randomUUID2 } from "node:crypto";
 import { StringDecoder as StringDecoder2 } from "node:string_decoder";
 var MAX_STDERR_BYTES = 5 * 1024 * 1024;
 var sessions = /* @__PURE__ */ new Map();
 var pendingStarts = /* @__PURE__ */ new Map();
+function dedupeKey(profile, opts) {
+  const payload = JSON.stringify({
+    profile,
+    command: opts.command ?? null,
+    prefixArgs: opts.prefixArgs ?? null,
+    urlWaitMs: opts.urlWaitMs ?? null,
+    sessionTtlMs: opts.sessionTtlMs ?? null,
+    env: opts.env ? Object.entries(opts.env).sort(([a], [b]) => a < b ? -1 : a > b ? 1 : 0) : null
+  });
+  return createHash("sha256").update(payload).digest("hex");
+}
 var URL_RE = /https:\/\/device\.sso[.\w-]*\.amazonaws\.com\/[^\s]*/;
 var CODE_RE = /\b([A-Z0-9]{4}-[A-Z0-9]{4})\b/;
 var URL_WAIT_MS = 15e3;
@@ -54065,13 +54189,20 @@ function _ttlKillswitchTick(s, proc, killFn = killProc) {
   killFn(proc);
 }
 function startSsoLogin(profile, opts = {}) {
-  const pending = pendingStarts.get(profile);
+  if (!isValidProfileName(profile)) {
+    return Promise.resolve({
+      ok: false,
+      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='.`
+    });
+  }
+  const key = dedupeKey(profile, opts);
+  const pending = pendingStarts.get(key);
   if (pending) return pending;
   const promise2 = doStartSsoLogin(profile, opts);
-  pendingStarts.set(profile, promise2);
+  pendingStarts.set(key, promise2);
   void promise2.finally(() => {
-    if (pendingStarts.get(profile) === promise2) {
-      pendingStarts.delete(profile);
+    if (pendingStarts.get(key) === promise2) {
+      pendingStarts.delete(key);
     }
   });
   return promise2;
@@ -54722,7 +54853,6 @@ var import_node_html_parser = __toESM(require_dist2(), 1);
 var import_turndown = __toESM(require_turndown_cjs(), 1);
 import { randomUUID as randomUUID3 } from "node:crypto";
 var SEARCH_API_URL = "https://proxy.search.docs.aws.com/search";
-var SESSION_UUID = randomUUID3();
 var USER_AGENT = "@yawlabs/aws-mcp (https://github.com/YawLabs/aws-mcp)";
 var DOCS_URL_RE = /^https:\/\/docs\.aws\.amazon\.com\/[^\s]*\.html(?:[?#][^\s]*)?$/i;
 var DEFAULT_MAX_LENGTH = 5e3;
@@ -54730,12 +54860,21 @@ var MAX_MAX_LENGTH = 1e6;
 var DEFAULT_SEARCH_LIMIT = 10;
 var MAX_SEARCH_LIMIT = 50;
 var FETCH_TIMEOUT_MS = 3e4;
-var DOC_CACHE_MAX_ENTRIES = 16;
+var DOC_CACHE_MAX_ENTRIES = 64;
 var DOC_CACHE_TTL_MS = 5 * 6e4;
+var schemaWarned = false;
 function parseSearchResults(json2, limit) {
   if (!json2 || typeof json2 !== "object") return [];
   const suggestions = json2.suggestions;
-  if (!Array.isArray(suggestions)) return [];
+  if (!Array.isArray(suggestions)) {
+    if (!schemaWarned && Object.keys(json2).length > 0) {
+      schemaWarned = true;
+      console.warn(
+        "[aws-mcp] aws_docs_search: response from proxy.search.docs.aws.com is missing the expected 'suggestions' array. The undocumented backend shape may have changed; aws_docs_search will return empty results until parseSearchResults is updated."
+      );
+    }
+    return [];
+  }
   const out = [];
   for (const s of suggestions) {
     if (out.length >= limit) break;
@@ -54872,6 +55011,7 @@ function makeDocCache() {
 }
 function buildDocsTools(fetchImpl = fetch) {
   const docCache = makeDocCache();
+  const sessionUuid = randomUUID3();
   return [
     {
       name: "aws_docs_search",
@@ -54894,13 +55034,13 @@ function buildDocsTools(fetchImpl = fetch) {
         try {
           response = await fetchWithTimeout(
             fetchImpl,
-            `${SEARCH_API_URL}?session=${SESSION_UUID}`,
+            `${SEARCH_API_URL}?session=${sessionUuid}`,
             {
               method: "POST",
               headers: {
                 "Content-Type": "application/json",
                 "User-Agent": USER_AGENT,
-                "X-MCP-Session-Id": SESSION_UUID
+                "X-MCP-Session-Id": sessionUuid
               },
               body: JSON.stringify({
                 textQuery: { input: i.query },
@@ -55030,7 +55170,7 @@ function buildDocsTools(fetchImpl = fetch) {
 var docsTools = buildDocsTools();
 
 // src/tools/iam-simulate.ts
-var ARN_RE = /^arn:[a-z0-9-]{1,32}:[a-z0-9-]{0,32}:[a-z0-9-]{0,32}:[0-9]{0,32}:[^:\s][^\s]{0,1024}$/;
+var ARN_RE = /^arn:[a-z0-9-]{1,32}:[a-z0-9-]{1,32}:[a-z0-9-]{0,32}:(?:[0-9]{12})?:[^:\s][^\s]{0,1024}$/;
 var ACTION_RE = /^[a-z][a-z0-9-]{0,32}:[A-Za-z0-9*]{1,128}$/;
 var CONTEXT_KEY_TYPES = [
   "string",
@@ -55191,7 +55331,7 @@ var iamSimulateTools = [
 ];
 
 // src/tools/logs.ts
-var SINCE_RE = /^\d+[smhdw]$/i;
+var SINCE_RE = /^\d+[smhdw]$/;
 var LOG_GROUP_RE = /^[.A-Za-z0-9_/#][.\-_/#A-Za-z0-9]{0,511}$/;
 var LOG_STREAM_NAME_RE = /^[^-:*\s][^:*]{0,511}$/;
 function isValidLogStreamName(name) {
@@ -55231,7 +55371,7 @@ var logsTools = [
     },
     inputSchema: external_exports3.object({
       logGroupName: external_exports3.string().min(1).describe("Log group name, e.g. '/aws/lambda/my-fn' or '/aws/ecs/my-service'. No leading 'logs/'."),
-      since: external_exports3.string().regex(SINCE_RE, "since must match /^\\d+[smhdw]$/i, e.g. '5m', '2h', '1d'").optional().describe("Window to tail: '<number><s|m|h|d|w>'. Default '10m'. Example: '30m', '1h', '3d'."),
+      since: external_exports3.string().regex(SINCE_RE, "since must match /^\\d+[smhdw]$/ (lowercase units only), e.g. '5m', '2h', '1d'").optional().describe("Window to tail: '<number><s|m|h|d|w>'. Default '10m'. Example: '30m', '1h', '3d'."),
       filterPattern: external_exports3.string().optional().describe(
         `CloudWatch Logs filter pattern. E.g. 'ERROR', '"stack trace"', '[timestamp, request_id, level = ERROR, ...]'.`
       ),
@@ -56386,13 +56526,16 @@ async function runScript(opts, handlers = defaultScriptHandlers()) {
 ${opts.code}
 })()`;
   const started = Date.now();
-  let timer;
+  let timeoutReject;
   const timeoutPromise = new Promise((_, reject) => {
-    timer = setTimeout(() => {
-      reject(new Error(`Script timed out after ${Math.round(timeoutMs / 1e3)}s. Raise timeoutMs or trim the script.`));
-    }, timeoutMs);
+    timeoutReject = reject;
   });
-  if (timer && typeof timer.unref === "function") timer.unref();
+  const timer = setTimeout(() => {
+    timeoutReject(
+      new Error(`Script timed out after ${Math.round(timeoutMs / 1e3)}s. Raise timeoutMs or trim the script.`)
+    );
+  }, timeoutMs);
+  timer.unref();
   try {
     const evalResult = runInContext(wrappedSource, ctx, {
       timeout: timeoutMs,
@@ -56401,7 +56544,7 @@ ${opts.code}
     const data = await Promise.race([evalResult, timeoutPromise]);
     return { data, logs, truncatedLogs, durationMs: Date.now() - started };
   } finally {
-    if (timer) clearTimeout(timer);
+    clearTimeout(timer);
   }
 }
 var scriptTools = [
@@ -56520,7 +56663,7 @@ var sessionTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.9.8" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.9.10" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version") {
   console.log(version2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/aws-mcp",
-  "version": "0.9.8",
+  "version": "0.9.10",
   "mcpName": "io.github.YawLabs/aws-mcp",
   "description": "AWS MCP server — call any AWS API from AI assistants, with first-class SSO re-login (no more 'browser won't open' dead ends)",
   "license": "MIT",