@yawlabs/aws-mcp 1.3.3 → 1.4.0

package/dist/index.js

@@ -30054,6 +30054,9 @@ var require_turndown_cjs = __commonJS({
   }
 });
 
+// src/index.ts
+import { pathToFileURL } from "node:url";
+
 // node_modules/zod/v3/helpers/util.js
 var util;
 (function(util2) {
@@ -50924,11 +50927,11 @@ var Protocol = class {
    *
    * The Protocol object assumes ownership of the Transport, replacing any callbacks that have already been set, and expects that it is the only user of the Transport instance going forward.
    */
-  async connect(transport2) {
+  async connect(transport) {
     if (this._transport) {
       throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");
     }
-    this._transport = transport2;
+    this._transport = transport;
     const _onclose = this.transport?.onclose;
     this._transport.onclose = () => {
       _onclose?.();
@@ -52518,8 +52521,8 @@ var McpServer = class {
    *
    * The `server` object assumes ownership of the Transport, replacing any callbacks that have already been set, and expects that it is the only user of the Transport instance going forward.
    */
-  async connect(transport2) {
-    return await this.server.connect(transport2);
+  async connect(transport) {
+    return await this.server.connect(transport);
   }
   /**
    * Closes the connection.
@@ -54207,6 +54210,8 @@ function doStartSsoLogin(profile, opts) {
           sessionId,
           verificationUrl: urlSeen,
           userCode: codeSeen,
+          // `|| "default"` is vestigial -- see the empty-profile note above;
+          // `profile` is always non-empty here (startSsoLogin rejects "").
           profile: profile || "default"
         });
       }
@@ -54307,7 +54312,7 @@ async function waitForLogin(sessionId) {
     return {
       ok: false,
       exitCode: null,
-      error: `No active login session with id '${sessionId}'. Call aws_login_start first.`
+      error: `No active login session with id '${sessionId}'. It may have already completed (waitForLogin is fire-once -- the session is dropped after the first call resolves) or it may never have started. If a prior aws_login_complete already returned success for this id, the login is done; run aws_whoami to confirm rather than starting over. Otherwise call aws_login_start first.`
     };
   }
   try {
@@ -54431,6 +54436,7 @@ var profilesTools = [
 
 // src/tools/auth.ts
 var MAX_SSO_CACHE_FILE_BYTES = 64 * 1024;
+var _startSsoLoginImpl = (profile) => startSsoLogin(profile);
 function findCachedSsoToken(cacheDir = join3(homedir3(), ".aws", "sso", "cache"), opts = {}) {
   try {
     const files = readdirSync(cacheDir).filter((f) => f.endsWith(".json"));
@@ -54462,6 +54468,14 @@ function findCachedSsoToken(cacheDir = join3(homedir3(), ".aws", "sso", "cache")
   }
   return null;
 }
+function projectSsoToken(cachedToken) {
+  if (!cachedToken) return null;
+  return {
+    expiresAt: cachedToken.expiresAt,
+    minutesLeft: cachedToken.minutesLeft,
+    startUrl: cachedToken.startUrl
+  };
+}
 function startUrlForProfile(profile) {
   try {
     const text = readFileSync3(join3(homedir3(), ".aws", "config"), "utf-8");
@@ -54526,11 +54540,7 @@ var authTools = [
           arn: identity.arn,
           profile: useProfile,
           region: useRegion,
-          ssoToken: cachedToken ? {
-            expiresAt: cachedToken.expiresAt,
-            minutesLeft: cachedToken.minutesLeft,
-            startUrl: cachedToken.startUrl
-          } : null
+          ssoToken: projectSsoToken(cachedToken)
         }
       };
     }
@@ -54565,7 +54575,7 @@ var authTools = [
           }
         };
       }
-      const result = await startSsoLogin(useProfile);
+      const result = await _startSsoLoginImpl(useProfile);
       if (!result.ok) {
         return {
           ok: false,
@@ -54630,7 +54640,7 @@ var authTools = [
           arn: identity.arn,
           profile: useProfile,
           region: useRegion,
-          ssoToken: cachedToken
+          ssoToken: projectSsoToken(cachedToken)
         }
       };
     }
@@ -54682,7 +54692,7 @@ var authTools = [
           }
         };
       }
-      const loginResult = await startSsoLogin(useProfile);
+      const loginResult = await _startSsoLoginImpl(useProfile);
       if (!loginResult.ok) {
         return { ok: false, error: loginResult.error, rawBody: loginResult.rawOutput };
       }
@@ -54750,7 +54760,14 @@ var callTools = [
         return {
           ok: false,
           error: result.error,
-          rawBody: result.rawStderr ?? result.rawStdout
+          // Treat an empty-string rawStderr as "no stderr" so a nonzero exit
+          // that wrote its diagnostic to stdout (rare but observed: some
+          // `aws` operations route through stdout when stderr is closed or
+          // when a wrapper script swallows stderr) still surfaces the
+          // stdout body. Pinned by call.test.ts -- the failure-shape
+          // contract is "diagnostic text first, stdout second" rather
+          // than "stderr always wins even when empty".
+          rawBody: result.rawStderr ? result.rawStderr : result.rawStdout
         };
       }
       return {
@@ -55321,6 +55338,12 @@ var logsTools = [
           }
         }
       }
+      if (i.logStreamNamePrefix && !isValidLogStreamName(i.logStreamNamePrefix)) {
+        return {
+          ok: false,
+          error: `Invalid logStreamNamePrefix '${i.logStreamNamePrefix}'. Must be 1-512 chars, not start with '-', and contain no ':', '*', or control characters.`
+        };
+      }
       const extraFlags = [i.logGroupName, "--format", "json", "--since", i.since ?? "10m"];
       if (i.filterPattern) extraFlags.push("--filter-pattern", i.filterPattern);
       if (i.logStreamNames && i.logStreamNames.length > 0) {
@@ -55358,6 +55381,87 @@ var logsTools = [
   }
 ];
 
+// src/tools/paginate.ts
+function extractNextToken(data) {
+  if (data && typeof data === "object" && "NextToken" in data) {
+    const token = data.NextToken;
+    if (typeof token === "string" && token.length > 0) return token;
+  }
+  return null;
+}
+function wrapQueryForPagination(userQuery) {
+  return `{NextToken: NextToken, items: ${userQuery}}`;
+}
+var paginateTools = [
+  {
+    name: "aws_paginate",
+    description: "Fetch one page of a paginated AWS list/describe operation. Identical to aws_call plus `maxItems` (page size) and `startingToken` (resume cursor). Returns the parsed response, a `nextToken` (null when the list is exhausted), and `hasMore`. Call again with the returned nextToken as startingToken until hasMore is false. Use this instead of aws_call for operations that might exceed the 5 MB stdout cap: list-objects-v2, describe-instances, describe-log-streams, list-roles, etc.",
+    annotations: {
+      title: "Fetch one page of a paginated AWS operation",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports3.object({
+      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', 'logs', etc."),
+      operation: external_exports3.string().describe("Paginated operation: 'list-objects-v2', 'describe-instances', 'list-roles', etc."),
+      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) passed via --cli-input-json."),
+      query: external_exports3.string().optional().describe(
+        "JMESPath expression to extract fields from each page (--query). The query is wrapped server-side as {NextToken, items: <query>} so pagination still works even when the projection drops NextToken; the handler unwraps `items` before returning."
+      ),
+      maxItems: external_exports3.number().int().positive().optional().describe("Items per page. Default 100. Lower this if hitting the 5 MB output cap."),
+      startingToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
+      profile: external_exports3.string().optional().describe("Override session profile for this call."),
+      region: external_exports3.string().optional().describe("Override session region for this call."),
+      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
+    }),
+    handler: async (input) => {
+      const i = input;
+      const maxItems = i.maxItems ?? 100;
+      const extraFlags = ["--max-items", String(maxItems)];
+      if (i.startingToken) {
+        extraFlags.push("--starting-token", i.startingToken);
+      }
+      const userQuery = i.query?.trim();
+      const queryWrapped = userQuery ? wrapQueryForPagination(userQuery) : void 0;
+      const result = await runAwsCall({
+        service: i.service,
+        operation: i.operation,
+        params: i.params,
+        query: queryWrapped,
+        profile: i.profile,
+        region: i.region,
+        outputFormat: "json",
+        timeoutMs: i.timeoutMs,
+        extraFlags
+      });
+      if (!result.ok) {
+        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
+      }
+      let resultBody;
+      let nextToken;
+      if (queryWrapped) {
+        const wrapped = result.data ?? {};
+        nextToken = extractNextToken(wrapped);
+        resultBody = wrapped.items ?? null;
+      } else {
+        nextToken = extractNextToken(result.data);
+        resultBody = result.data;
+      }
+      return {
+        ok: true,
+        data: {
+          command: result.command,
+          result: resultBody,
+          nextToken,
+          hasMore: nextToken !== null
+        }
+      };
+    }
+  }
+];
+
 // src/tools/metrics.ts
 var SIMPLE_STATS = ["Average", "Sum", "Maximum", "Minimum", "SampleCount"];
 var EXTENDED_STAT_RE = /^(p|tm|tc|wm|pr|ts|iqm)(\d{1,3}(\.\d{1,3})?)?$/i;
@@ -55376,6 +55480,7 @@ function canonicalizeStatistic(s) {
 }
 var QUERY_ID_RE = /^[a-z][A-Za-z0-9_]*$/;
 var MAX_QUERIES = 100;
+var CLOUDWATCH_MAX_DATAPOINTS = 100800;
 var PERIOD_3H_MS = 3 * 60 * 60 * 1e3;
 var PERIOD_24H_MS = 24 * 60 * 60 * 1e3;
 var PERIOD_15D_MS = 15 * 24 * 60 * 60 * 1e3;
@@ -55471,7 +55576,7 @@ var metricsTools = [
       endTime: external_exports3.string().optional().describe("ISO 8601 timestamp or relative shorthand. Default 'now'."),
       scanBy: external_exports3.enum(["TimestampAscending", "TimestampDescending"]).optional().describe("Sort order for returned datapoints. Default 'TimestampDescending' (matches CloudWatch's default)."),
       maxDataPoints: external_exports3.number().int().positive().optional().describe(
-        "Soft cap on returned datapoints across all queries. CloudWatch's hard cap is ~100,800; lower this to keep response sizes manageable. Forwarded as CloudWatch's MaxDatapoints (single 'p') field; the camelCase schema name follows this server's convention."
+        "Target datapoint count. CloudWatch does not truncate to the first N points -- it widens (coarsens) the period server-side so the series aggregates down to fit this many points. CloudWatch's own ceiling is ~100,800; lower this to make CloudWatch return a coarser, smaller series. Forwarded as CloudWatch's MaxDatapoints (single 'p') field; the camelCase schema name follows this server's convention."
       ),
       nextToken: external_exports3.string().optional().describe(
         "Resume cursor from a previous call's `nextToken`. Omit for the first page. Forwarded as CloudWatch's NextToken; only meaningful when a prior call returned `hasMore: true`."
@@ -55543,6 +55648,23 @@ var metricsTools = [
           error: `endTime (${endDate.toISOString()}) must be after startTime (${startDate.toISOString()}).`
         };
       }
+      const rangeSeconds = (endDate.getTime() - startDate.getTime()) / 1e3;
+      for (const q of i.queries) {
+        if (q.period === void 0) continue;
+        if (q.period <= 0 || q.period % 60 !== 0) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' has invalid period ${q.period}. CloudWatch requires period to be a positive multiple of 60 (seconds).`
+          };
+        }
+        const datapoints = Math.ceil(rangeSeconds / q.period);
+        if (datapoints > CLOUDWATCH_MAX_DATAPOINTS) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' with period ${q.period}s over the requested range (${startDate.toISOString()} to ${endDate.toISOString()}) would request ${datapoints} datapoints, exceeding CloudWatch's per-request cap of ${CLOUDWATCH_MAX_DATAPOINTS}. Widen the period or narrow the time range.`
+          };
+        }
+      }
       const periodSeconds = pickAutoPeriodSeconds(startDate.getTime(), endDate.getTime());
       const metricDataQueries = buildMetricDataQueries(i.queries, periodSeconds);
       const params = {
@@ -55579,7 +55701,7 @@ var metricsTools = [
         code: m.Code,
         value: m.Value
       }));
-      const nextToken = typeof raw.NextToken === "string" && raw.NextToken.length > 0 ? raw.NextToken : null;
+      const nextToken = extractNextToken(raw);
       return {
         ok: true,
         data: {
@@ -55634,7 +55756,7 @@ var multiRegionTools = [
       service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', etc."),
       operation: external_exports3.string().describe("Operation in kebab-case: 'describe-instances', 'list-buckets', etc."),
       regions: external_exports3.array(external_exports3.string().min(1)).min(1).max(MAX_REGIONS).describe(
-        `Region IDs (e.g. ['us-east-1','us-west-2','eu-west-1']). 1-${MAX_REGIONS}. Validated for argv-safety; bad region names fail per-region rather than poisoning the batch.`
+        `Region IDs (e.g. ['us-east-1','us-west-2','eu-west-1']). 1-${MAX_REGIONS}. Validated for argv-safety; a bad region name yields a clear per-region error and skips its CLI spawn (per-region isolation comes from each region being a separate call, not from this pre-check).`
       ),
       params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) -- same shape as aws_call."),
       query: external_exports3.string().optional().describe("JMESPath expression for --query (server-side trimming per region)."),
@@ -55701,87 +55823,6 @@ var multiRegionTools = [
   }
 ];
 
-// src/tools/paginate.ts
-function extractNextToken(data) {
-  if (data && typeof data === "object" && "NextToken" in data) {
-    const token = data.NextToken;
-    if (typeof token === "string" && token.length > 0) return token;
-  }
-  return null;
-}
-function wrapQueryForPagination(userQuery) {
-  return `{NextToken: NextToken, items: ${userQuery}}`;
-}
-var paginateTools = [
-  {
-    name: "aws_paginate",
-    description: "Fetch one page of a paginated AWS list/describe operation. Identical to aws_call plus `maxItems` (page size) and `startingToken` (resume cursor). Returns the parsed response, a `nextToken` (null when the list is exhausted), and `hasMore`. Call again with the returned nextToken as startingToken until hasMore is false. Use this instead of aws_call for operations that might exceed the 5 MB stdout cap: list-objects-v2, describe-instances, describe-log-streams, list-roles, etc.",
-    annotations: {
-      title: "Fetch one page of a paginated AWS operation",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', 'logs', etc."),
-      operation: external_exports3.string().describe("Paginated operation: 'list-objects-v2', 'describe-instances', 'list-roles', etc."),
-      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) passed via --cli-input-json."),
-      query: external_exports3.string().optional().describe(
-        "JMESPath expression to extract fields from each page (--query). The query is wrapped server-side as {NextToken, items: <query>} so pagination still works even when the projection drops NextToken; the handler unwraps `items` before returning."
-      ),
-      maxItems: external_exports3.number().int().positive().optional().describe("Items per page. Default 100. Lower this if hitting the 5 MB output cap."),
-      startingToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
-      profile: external_exports3.string().optional().describe("Override session profile for this call."),
-      region: external_exports3.string().optional().describe("Override session region for this call."),
-      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
-    }),
-    handler: async (input) => {
-      const i = input;
-      const maxItems = i.maxItems ?? 100;
-      const extraFlags = ["--max-items", String(maxItems)];
-      if (i.startingToken) {
-        extraFlags.push("--starting-token", i.startingToken);
-      }
-      const userQuery = i.query?.trim();
-      const queryWrapped = userQuery ? wrapQueryForPagination(userQuery) : void 0;
-      const result = await runAwsCall({
-        service: i.service,
-        operation: i.operation,
-        params: i.params,
-        query: queryWrapped,
-        profile: i.profile,
-        region: i.region,
-        outputFormat: "json",
-        timeoutMs: i.timeoutMs,
-        extraFlags
-      });
-      if (!result.ok) {
-        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
-      }
-      let resultBody;
-      let nextToken;
-      if (queryWrapped) {
-        const wrapped = result.data ?? {};
-        nextToken = typeof wrapped.NextToken === "string" && wrapped.NextToken.length > 0 ? wrapped.NextToken : null;
-        resultBody = wrapped.items ?? null;
-      } else {
-        nextToken = extractNextToken(result.data);
-        resultBody = result.data;
-      }
-      return {
-        ok: true,
-        data: {
-          command: result.command,
-          result: resultBody,
-          nextToken,
-          hasMore: nextToken !== null
-        }
-      };
-    }
-  }
-];
-
 // src/tools/resource.ts
 var TYPE_NAME_RE = /^[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*$/;
 function isValidIdentifier(id) {
@@ -56065,7 +56106,7 @@ var resourceTools = [
         const p = parseResourceProperties(d);
         return { identifier: p.Identifier, properties: p.Properties };
       });
-      const nextToken = typeof raw?.NextToken === "string" && raw.NextToken.length > 0 ? raw.NextToken : null;
+      const nextToken = extractNextToken(raw);
       return {
         ok: true,
         data: {
@@ -56755,10 +56796,10 @@ var scriptTools = [
     },
     inputSchema: external_exports3.object({
       code: external_exports3.string().min(1).describe(
-        "JavaScript snippet evaluated inside `(async () => { ... })()`. Use `return <value>` to surface a result. Bound globals: aws.call, aws.paginate, aws.paginateAll, aws.resource.{get,list,create,update,delete,status}, aws.logsTail, aws.metricsQuery, aws.iamSimulate, aws.multiRegion, aws.assumeRole, aws.docs.{search,read}, console (capture), JSON, Math, Date, Promise, Array, Object, String, Number, Boolean, Error, Intl, Atomics, SharedArrayBuffer, WebAssembly (compile blocked). Intentionally NOT bound (call as sibling MCP tools instead): aws_list_profiles, the auth/session tools, and aws_script itself. Shadowed (undefined): require, import, process, fs, fetch + family, BroadcastChannel, setTimeout/Interval, queueMicrotask, Buffer, global, globalThis. NOT available (ReferenceError if used): URL, URLSearchParams, TextEncoder, TextDecoder, crypto, structuredClone, EventTarget, MessageChannel, performance. eval/Function are disabled (codeGeneration off). Tool helpers throw on failure -- wrap in try/catch when you want to handle errors per-call."
+        "JavaScript snippet evaluated inside `(async () => { ... })()`. Use `return <value>` to surface a result. Bound globals: aws.call, aws.paginate, aws.paginateAll, aws.resource.{get,list,create,update,delete,status}, aws.logsTail, aws.metricsQuery, aws.iamSimulate, aws.multiRegion, aws.assumeRole, aws.docs.{search,read}, console (capture), JSON, Math, Date, Promise, Array, Object, String, Number, Boolean, Error, Intl, Atomics, SharedArrayBuffer, WebAssembly (compile blocked). Intentionally NOT bound (call as sibling MCP tools instead): aws_list_profiles, the auth/session tools, and aws_script itself. Shadowed (undefined): require, process, fetch + family, BroadcastChannel, setTimeout/Interval, queueMicrotask, Buffer, global, globalThis. NOT available (ReferenceError if used): URL, URLSearchParams, TextEncoder, TextDecoder, crypto, structuredClone, EventTarget, MessageChannel, performance, fs, import. eval/Function are disabled (codeGeneration off). Tool helpers throw on failure -- wrap in try/catch when you want to handle errors per-call."
       ),
       timeoutMs: external_exports3.number().int().positive().max(MAX_TIMEOUT_MS).optional().describe(
-        `Wall-clock timeout in milliseconds. Default ${DEFAULT_TIMEOUT_MS2}; max ${MAX_TIMEOUT_MS}. Covers evaluation plus every awaited aws.* call. On timeout the script stops being awaited and the tool returns an error, but any aws.* call already in flight is NOT cancelled -- it continues until its own per-call timeout (default 60s). Plan retries accordingly: a script that timed out mid 'resource.delete' may have completed the delete; re-issuing the same script can double-mutate.`
+        `Wall-clock timeout in milliseconds. Default ${DEFAULT_TIMEOUT_MS2}; max ${MAX_TIMEOUT_MS}. Best-effort across evaluation plus awaited aws.* calls -- it fires on synchronous spin before the first await and on async wall-clock once the script has yielded, but a synchronous infinite loop BETWEEN awaits can outrun the timer and is not guaranteed to be interrupted. On timeout the script stops being awaited and the tool returns an error, but any aws.* call already in flight is NOT cancelled -- it continues until its own per-call timeout (default 60s). Plan retries accordingly: a script that timed out mid 'resource.delete' may have completed the delete; re-issuing the same script can double-mutate.`
       )
     }),
     handler: async (input) => {
@@ -56807,12 +56848,32 @@ var sessionTools = [
           error: "Nothing to set \u2014 pass at least one of 'profile' or 'region'. Use aws_session_get to read current values."
         };
       }
-      try {
-        if (profile !== void 0) setProfile(profile);
-        if (region !== void 0) setRegion(region);
-      } catch (err) {
-        return { ok: false, error: err instanceof Error ? err.message : String(err) };
+      if (profile !== void 0) {
+        const trimmed = profile.trim();
+        if (!trimmed) {
+          return { ok: false, error: "Profile name cannot be empty" };
+        }
+        if (!isValidProfileName(trimmed)) {
+          return {
+            ok: false,
+            error: `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '=', no whitespace or shell metacharacters.`
+          };
+        }
+      }
+      if (region !== void 0) {
+        const trimmed = region.trim();
+        if (!trimmed) {
+          return { ok: false, error: "Region cannot be empty" };
+        }
+        if (!isValidRegionName(trimmed)) {
+          return {
+            ok: false,
+            error: `Invalid region '${trimmed}'. Must match /^[a-z][a-z0-9-]{2,30}$/ (e.g. 'us-east-1', 'eu-west-3').`
+          };
+        }
       }
+      if (profile !== void 0) setProfile(profile);
+      if (region !== void 0) setRegion(region);
       return { ok: true, data: getSessionState() };
     }
   },
@@ -56856,9 +56917,40 @@ var sessionTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "1.3.3" : (await null).createRequire(import.meta.url)("../package.json").version;
+function toMcpResult(response) {
+  if (!response.ok) {
+    const baseError = `Error: ${response.error || "Unknown error"}`;
+    const errorText = response.rawBody ? `${baseError}
+
+${response.rawBody}` : baseError;
+    return {
+      content: [{ type: "text", text: errorText }],
+      isError: true
+    };
+  }
+  const text = response.rawBody ?? JSON.stringify(response.data ?? { success: true }, null, 2);
+  return {
+    content: [{ type: "text", text }]
+  };
+}
+function errorToMcpResult(err, toolName) {
+  const message = err instanceof Error ? err.message : String(err);
+  const stack = err instanceof Error ? err.stack : void 0;
+  console.error(`[aws-mcp] handler '${toolName}' threw: ${message}`);
+  if (stack) console.error(stack);
+  return {
+    content: [{ type: "text", text: `Error: ${message}` }],
+    isError: true
+  };
+}
+var version2 = true ? "1.4.0" : (await null).createRequire(import.meta.url)("../package.json").version;
+var isEntryPoint = (() => {
+  const entry = process.argv[1];
+  if (!entry) return false;
+  return import.meta.url === pathToFileURL(entry).href;
+})();
 var subcommand = process.argv[2];
-if (subcommand === "version" || subcommand === "--version") {
+if (isEntryPoint && (subcommand === "version" || subcommand === "--version")) {
   console.log(version2);
   process.exit(0);
 }
@@ -56877,49 +56969,29 @@ var allTools = [
   ...docsTools,
   ...scriptTools
 ];
-var server = new McpServer({
-  name: "@yawlabs/aws-mcp",
-  version: version2
-});
-for (const tool of allTools) {
-  server.tool(
-    tool.name,
-    tool.description,
-    tool.inputSchema.shape,
-    tool.annotations,
-    async (input) => {
+if (isEntryPoint) {
+  const server = new McpServer({
+    name: "@yawlabs/aws-mcp",
+    version: version2
+  });
+  for (const tool of allTools) {
+    server.tool(tool.name, tool.description, tool.inputSchema.shape, tool.annotations, async (input) => {
       try {
-        const response = await tool.handler(input);
-        if (!response.ok) {
-          const baseError = `Error: ${response.error || "Unknown error"}`;
-          const errorText = response.rawBody ? `${baseError}
-
-${response.rawBody}` : baseError;
-          return {
-            content: [{ type: "text", text: errorText }],
-            isError: true
-          };
-        }
-        const text = response.rawBody ?? JSON.stringify(response.data ?? { success: true }, null, 2);
-        return {
-          content: [{ type: "text", text }]
-        };
+        return toMcpResult(await tool.handler(input));
       } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        const stack = err instanceof Error ? err.stack : void 0;
-        console.error(`[aws-mcp] handler '${tool.name}' threw: ${message}`);
-        if (stack) console.error(stack);
-        return {
-          content: [{ type: "text", text: `Error: ${message}` }],
-          isError: true
-        };
+        return errorToMcpResult(err, tool.name);
       }
-    }
-  );
+    });
+  }
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error(`@yawlabs/aws-mcp v${version2} ready (${allTools.length} tools)`);
 }
-var transport = new StdioServerTransport();
-await server.connect(transport);
-console.error(`@yawlabs/aws-mcp v${version2} ready (${allTools.length} tools)`);
+export {
+  allTools,
+  errorToMcpResult,
+  toMcpResult
+};
 /*! Bundled license information:
 
 he/he.js:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/aws-mcp",
-  "version": "1.3.3",
+  "version": "1.4.0",
   "mcpName": "io.github.YawLabs/aws-mcp",
   "description": "AWS MCP server — call any AWS API from AI assistants, with first-class SSO re-login (no more 'browser won't open' dead ends)",
   "license": "MIT",