apifm-admin-mcp 26.5.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,74 @@
+# apifm-admin-mcp
+
+`apifm-admin-mcp` is a stdio MCP server for AI agents that need to operate APIFM admin APIs through the [`apifm-admin`](https://www.npmjs.com/package/apifm-admin) SDK.
+
+It is designed for Kiro, Cursor, Claude Code, Codex, Windsurf, Trae, Qoder, and other MCP-compatible agents.
+
+## Security Model
+
+Secrets must not be pasted into model chat.
+
+This MCP exposes `apifm_admin_start_auth`, which returns a one-time localhost URL. The user enters Basic Authentication credentials, an existing `X-Token`, or username/email password login details in that local browser page. Those secrets stay in the local MCP process memory and are never part of MCP tool arguments.
+
+The generic API caller also rejects payloads and headers containing sensitive field names such as `pwd`, `password`, `token`, `x-token`, `authorization`, `secret`, or `key`.
+
+Accounts are in-memory only. Restarting the MCP server clears all tokens and credentials.
+
+## Install
+
+```bash
+npm install -g apifm-admin-mcp
+```
+
+The package depends on `apifm-admin` as a normal npm dependency. It does not bundle SDK source code, so newer compatible `apifm-admin` releases can add methods without requiring this MCP package to be regenerated.
+
+## MCP Configuration
+
+Use stdio:
+
+```json
+{
+  "mcpServers": {
+    "apifm-admin": {
+      "command": "npx",
+      "args": ["apifm-admin-mcp"]
+    }
+  }
+}
+```
+
+If installed globally:
+
+```json
+{
+  "mcpServers": {
+    "apifm-admin": {
+      "command": "apifm-admin-mcp"
+    }
+  }
+}
+```
+
+## Tools
+
+- `apifm_admin_start_auth`: Starts a local secure authorization page for Basic Auth, X-Token, username/password login, or email registration.
+- `apifm_admin_accounts`: Lists local account aliases without revealing secrets.
+- `apifm_admin_switch_account`: Switches the active account alias.
+- `apifm_admin_remove_account`: Clears an account alias and its in-memory secrets.
+- `apifm_admin_search_methods`: Searches methods dynamically from the installed `apifm-admin` SDK.
+- `apifm_admin_method_info`: Shows route, method, parameters, and usage for one SDK method.
+- `apifm_admin_call`: Calls any non-sensitive SDK method using the selected local account.
+
+## Example Agent Flow
+
+1. User: “登录我的后台账号并读取用户列表。”
+2. Agent calls `apifm_admin_start_auth` with `authType: "password"`.
+3. User opens the returned local URL and enters username/email and password there.
+4. Agent calls `apifm_admin_search_methods` with `query: "用户列表"`.
+5. Agent calls `apifm_admin_call` with the discovered method and a non-sensitive payload.
+
+## Local Check
+
+```bash
+npm run check
+```

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "apifm-admin-mcp",
+  "version": "26.5.1",
+  "description": "MCP server for safely operating APIFM admin APIs through the apifm-admin SDK.",
+  "type": "module",
+  "bin": {
+    "apifm-admin-mcp": "./src/index.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "start": "node ./src/index.js",
+    "check": "node ./src/self-check.js",
+    "prepublishOnly": "npm run check"
+  },
+  "keywords": [
+    "apifm",
+    "apifm-admin",
+    "mcp",
+    "model-context-protocol",
+    "cursor",
+    "claude-code",
+    "codex",
+    "windsurf",
+    "kiro"
+  ],
+  "author": "",
+  "license": "MIT",
+  "engines": {
+    "node": ">=20.11"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "apifm-admin": "^26.6.16",
+    "zod": "^4.4.3"
+  }
+}

package/src/accounts.js

@@ -0,0 +1,66 @@
+import crypto from 'node:crypto'
+import { createPublicAccount } from './security.js'
+
+const accounts = new Map()
+let activeAlias = ''
+
+export function normalizeAlias(alias) {
+  const clean = String(alias || '').trim()
+  if (!clean) {
+    return `admin-${crypto.randomUUID().slice(0, 8)}`
+  }
+  return clean
+}
+
+export function upsertAccount(input) {
+  const alias = normalizeAlias(input.alias)
+  const now = new Date().toISOString()
+  const existing = accounts.get(alias)
+  const account = {
+    alias,
+    authType: input.authType,
+    token: input.token || existing?.token || '',
+    basicAuth: input.basicAuth || existing?.basicAuth || '',
+    domains: input.domains || existing?.domains || {},
+    createdAt: existing?.createdAt || now,
+    updatedAt: now
+  }
+
+  accounts.set(alias, account)
+  activeAlias = alias
+  return createPublicAccount(account)
+}
+
+export function getAccount(alias) {
+  const selectedAlias = normalizeAlias(alias || activeAlias)
+  return accounts.get(selectedAlias) || null
+}
+
+export function setActiveAccount(alias) {
+  const account = accounts.get(normalizeAlias(alias))
+  if (!account) {
+    throw new Error(`Unknown account alias: ${alias}`)
+  }
+  activeAlias = account.alias
+  return createPublicAccount(account)
+}
+
+export function getActiveAlias() {
+  return activeAlias
+}
+
+export function listAccounts() {
+  return [...accounts.values()].map((account) => ({
+    ...createPublicAccount(account),
+    active: account.alias === activeAlias
+  }))
+}
+
+export function removeAccount(alias) {
+  const selectedAlias = normalizeAlias(alias)
+  const deleted = accounts.delete(selectedAlias)
+  if (activeAlias === selectedAlias) {
+    activeAlias = accounts.keys().next().value || ''
+  }
+  return deleted
+}

package/src/browser-auth.js

@@ -0,0 +1,289 @@
+import http from 'node:http'
+import crypto from 'node:crypto'
+import { once } from 'node:events'
+import { upsertAccount } from './accounts.js'
+import { getSdk, resetSdkConfig } from './sdk.js'
+
+const pendingSessions = new Map()
+
+export async function createAuthSession({ authType, alias = '', domains = {}, port = 0 }) {
+  const sessionId = crypto.randomUUID()
+  const createdAt = Date.now()
+  const expiresAt = createdAt + 10 * 60 * 1000
+  let server
+
+  server = http.createServer(async (req, res) => {
+    try {
+      const url = new URL(req.url, 'http://127.0.0.1')
+      if (url.pathname !== `/${sessionId}`) {
+        sendText(res, 404, 'Not found')
+        return
+      }
+
+      if (req.method === 'GET') {
+        sendHtml(res, renderForm({ authType, alias, sessionId, expiresAt }))
+        return
+      }
+
+      if (req.method !== 'POST') {
+        sendText(res, 405, 'Method not allowed')
+        return
+      }
+
+      const fields = await readForm(req)
+      const account = await finishAuth({ authType, alias, domains, fields })
+      pendingSessions.delete(sessionId)
+      sendHtml(res, renderSuccess(account))
+      setTimeout(() => server.close(), 250)
+    } catch (error) {
+      sendHtml(res, renderError(error))
+    }
+  })
+
+  server.on('close', () => pendingSessions.delete(sessionId))
+  server.listen(port, '127.0.0.1')
+  await once(server, 'listening')
+
+  const address = server.address()
+  const url = `http://127.0.0.1:${address.port}/${sessionId}`
+  pendingSessions.set(sessionId, { server, authType, alias, createdAt, expiresAt })
+  setTimeout(() => {
+    const pending = pendingSessions.get(sessionId)
+    if (pending) {
+      pending.server.close()
+      pendingSessions.delete(sessionId)
+    }
+  }, expiresAt - Date.now()).unref()
+
+  return {
+    url,
+    sessionId,
+    expiresAt: new Date(expiresAt).toISOString(),
+    message:
+      'Open this local URL in a browser and enter credentials there. Do not paste secrets into the chat.'
+  }
+}
+
+async function finishAuth({ authType, alias, domains, fields }) {
+  if (authType === 'basic') {
+    const username = required(fields.username, 'username')
+    const password = required(fields.password, 'password')
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType,
+      basicAuth: `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`,
+      domains
+    })
+  }
+
+  if (authType === 'x-token') {
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType,
+      token: required(fields.token, 'X-Token'),
+      domains
+    })
+  }
+
+  if (authType === 'password') {
+    const loginMode = fields.loginMode === 'email' ? 'email' : 'username'
+    const loginPayload =
+      loginMode === 'email'
+        ? {
+            email: required(fields.email, 'email'),
+            pwd: required(fields.password, 'password'),
+            rememberMe: true
+          }
+        : {
+            userName: required(fields.username, 'username'),
+            pwd: required(fields.password, 'password'),
+            rememberMe: true,
+            pdomain: fields.pdomain || undefined
+          }
+
+    const sdk = getSdk()
+    resetSdkConfig()
+    if (domains && Object.keys(domains).length) {
+      sdk.setDomains(domains)
+    }
+    const methodName = loginMode === 'email' ? 'loginAdminEmail' : 'loginAdminUserName'
+    if (typeof sdk[methodName] !== 'function') {
+      throw new Error(`apifm-admin does not expose ${methodName}`)
+    }
+    const result = await sdk[methodName](loginPayload)
+    const token = extractToken(result)
+    if (!token) {
+      throw new Error('Login succeeded but no X-Token was found in the SDK response.')
+    }
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType,
+      token,
+      domains
+    })
+  }
+
+  if (authType === 'register-email') {
+    const sdk = getSdk()
+    resetSdkConfig()
+    if (domains && Object.keys(domains).length) {
+      sdk.setDomains(domains)
+    }
+    const result = await sdk.registerAdminSaveEmail({
+      email: required(fields.email, 'email'),
+      pwd: required(fields.password, 'password'),
+      name: fields.name || undefined,
+      mailCode: fields.mailCode || fields.code || undefined
+    })
+    const token = extractToken(result)
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType,
+      token,
+      domains
+    })
+  }
+
+  throw new Error(`Unsupported auth type: ${authType}`)
+}
+
+function extractToken(response) {
+  const candidates = [
+    response?.data?.token,
+    response?.data?.xToken,
+    response?.data?.xtoken,
+    response?.data?.x_token,
+    response?.data?.['x-token'],
+    response?.token,
+    response?.xToken,
+    response?.xtoken
+  ]
+  return candidates.find((item) => typeof item === 'string' && item.trim()) || ''
+}
+
+function required(value, label) {
+  const clean = String(value || '').trim()
+  if (!clean) {
+    throw new Error(`${label} is required`)
+  }
+  return clean
+}
+
+async function readForm(req) {
+  const chunks = []
+  for await (const chunk of req) {
+    chunks.push(chunk)
+  }
+  const body = Buffer.concat(chunks).toString('utf8')
+  return Object.fromEntries(new URLSearchParams(body))
+}
+
+function sendHtml(res, html) {
+  res.writeHead(200, {
+    'content-type': 'text/html; charset=utf-8',
+    'cache-control': 'no-store'
+  })
+  res.end(html)
+}
+
+function sendText(res, status, text) {
+  res.writeHead(status, {
+    'content-type': 'text/plain; charset=utf-8',
+    'cache-control': 'no-store'
+  })
+  res.end(text)
+}
+
+function escapeHtml(value) {
+  return String(value ?? '')
+    .replaceAll('&', '&')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+}
+
+function renderForm({ authType, alias, expiresAt }) {
+  const fields = renderFields(authType)
+  return `<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>APIFM Admin MCP Authorization</title>
+  <style>
+    body { margin: 0; font: 15px/1.5 system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #f7f7f4; color: #202124; }
+    main { max-width: 560px; margin: 8vh auto; padding: 32px; background: #fff; border: 1px solid #deded8; border-radius: 8px; }
+    h1 { margin: 0 0 8px; font-size: 22px; }
+    p { margin: 0 0 20px; color: #5f6368; }
+    label { display: block; margin: 14px 0 6px; font-weight: 650; }
+    input, select { width: 100%; box-sizing: border-box; padding: 11px 12px; border: 1px solid #c7c7c0; border-radius: 6px; font: inherit; }
+    button { margin-top: 22px; width: 100%; padding: 12px 14px; border: 0; border-radius: 6px; background: #1f6feb; color: white; font: inherit; font-weight: 700; cursor: pointer; }
+    .note { margin-top: 18px; font-size: 13px; color: #6a6f75; }
+  </style>
+</head>
+<body>
+<main>
+  <h1>APIFM Admin MCP Authorization</h1>
+  <p>Secrets entered here stay inside this local MCP process memory and are not sent through the chat transcript.</p>
+  <form method="post" autocomplete="off">
+    <label for="alias">Account alias</label>
+    <input id="alias" name="alias" value="${escapeHtml(alias)}" placeholder="default-admin">
+    ${fields}
+    <button type="submit">Authorize</button>
+  </form>
+  <p class="note">This local page expires at ${escapeHtml(new Date(expiresAt).toLocaleString())}. Close it after authorization.</p>
+</main>
+</body>
+</html>`
+}
+
+function renderFields(authType) {
+  if (authType === 'basic') {
+    return `
+      <label for="username">Basic username</label>
+      <input id="username" name="username" required>
+      <label for="password">Basic password</label>
+      <input id="password" name="password" type="password" required>`
+  }
+  if (authType === 'x-token') {
+    return `
+      <label for="token">X-Token</label>
+      <input id="token" name="token" type="password" required>`
+  }
+  if (authType === 'password') {
+    return `
+      <label for="loginMode">Login mode</label>
+      <select id="loginMode" name="loginMode">
+        <option value="username">Username and password</option>
+        <option value="email">Email and password</option>
+      </select>
+      <label for="username">Username</label>
+      <input id="username" name="username">
+      <label for="email">Email</label>
+      <input id="email" name="email" type="email">
+      <label for="password">Password</label>
+      <input id="password" name="password" type="password" required>
+      <label for="pdomain">Private domain (optional)</label>
+      <input id="pdomain" name="pdomain">`
+  }
+  if (authType === 'register-email') {
+    return `
+      <label for="email">Email</label>
+      <input id="email" name="email" type="email" required>
+      <label for="password">Password</label>
+      <input id="password" name="password" type="password" required>
+      <label for="name">Name</label>
+      <input id="name" name="name">
+      <label for="mailCode">Email verification code</label>
+      <input id="mailCode" name="mailCode">`
+  }
+  return ''
+}
+
+function renderSuccess(account) {
+  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px"><h1>Authorized</h1><p>Account <strong>${escapeHtml(account.alias)}</strong> is ready. You can close this tab.</p></body></html>`
+}
+
+function renderError(error) {
+  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px"><h1>Authorization failed</h1><p>${escapeHtml(error.message)}</p><p>Go back, check the values, and submit again.</p></body></html>`
+}

package/src/index.js

@@ -0,0 +1,262 @@
+#!/usr/bin/env node
+
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
+import { z } from 'zod/v4'
+import { createAuthSession } from './browser-auth.js'
+import {
+  getAccount,
+  getActiveAlias,
+  listAccounts,
+  removeAccount,
+  setActiveAccount
+} from './accounts.js'
+import { containsSensitiveKey, redactSensitive } from './security.js'
+import {
+  getApiMetadata,
+  getMethodMetadata,
+  getSdk,
+  resetSdkConfig,
+  searchMethods,
+  summarizeMetadata
+} from './sdk.js'
+
+const VERSION = '26.5.1'
+
+const server = new McpServer(
+  {
+    name: 'apifm-admin-mcp',
+    version: VERSION
+  },
+  {
+    instructions: [
+      'Use this MCP server to operate APIFM admin APIs through the apifm-admin SDK.',
+      'Never ask users to paste passwords, Basic Authentication values, X-Token values, or API keys into chat.',
+      'Use apifm_admin_start_auth to collect secrets through a local browser page, then call APIs by account alias.',
+      'Use apifm_admin_search_methods before apifm_admin_call when the exact SDK method name is unknown.'
+    ].join('\n')
+  }
+)
+
+server.registerTool(
+  'apifm_admin_start_auth',
+  {
+    title: 'Start secure APIFM admin authorization',
+    description:
+      'Creates a localhost browser page for entering Basic Auth, X-Token, username/password, or email registration details. Secrets are stored only in this MCP process memory and must not be pasted into chat.',
+    inputSchema: z.object({
+      authType: z
+        .enum(['basic', 'x-token', 'password', 'register-email'])
+        .describe(
+          'basic = Basic Authentication, x-token = existing admin X-Token, password = username/email + password login, register-email = create admin account by email'
+        ),
+      alias: z.string().optional().describe('Friendly local account alias, for example prod or test-shop.'),
+      domains: z
+        .record(z.string(), z.string().url())
+        .optional()
+        .describe('Optional apifm-admin domain overrides by domainKey, for example {"common":"https://common.apifm.com"}.'),
+      port: z.number().int().min(0).max(65535).optional().describe('Optional localhost port. 0 chooses a free port.')
+    })
+  },
+  async ({ authType, alias, domains, port }) => {
+    const session = await createAuthSession({ authType, alias, domains, port })
+    return toolJson({
+      ...session,
+      safety: 'Open the URL yourself and enter secrets there. Do not paste secrets into the agent chat.'
+    })
+  }
+)
+
+server.registerTool(
+  'apifm_admin_accounts',
+  {
+    title: 'List APIFM admin accounts',
+    description: 'Lists local in-memory account aliases and the active account. Does not reveal secrets.',
+    inputSchema: z.object({})
+  },
+  async () =>
+    toolJson({
+      activeAlias: getActiveAlias(),
+      accounts: listAccounts()
+    })
+)
+
+server.registerTool(
+  'apifm_admin_switch_account',
+  {
+    title: 'Switch APIFM admin account',
+    description: 'Switches the active local account alias for later API calls. Does not reveal secrets.',
+    inputSchema: z.object({
+      alias: z.string().min(1)
+    })
+  },
+  async ({ alias }) => toolJson({ active: setActiveAccount(alias) })
+)
+
+server.registerTool(
+  'apifm_admin_remove_account',
+  {
+    title: 'Remove APIFM admin account',
+    description: 'Removes an in-memory account alias and its secrets from this MCP server process.',
+    inputSchema: z.object({
+      alias: z.string().min(1)
+    })
+  },
+  async ({ alias }) =>
+    toolJson({
+      removed: removeAccount(alias),
+      activeAlias: getActiveAlias()
+    })
+)
+
+server.registerTool(
+  'apifm_admin_search_methods',
+  {
+    title: 'Search apifm-admin SDK methods',
+    description:
+      'Searches the currently installed apifm-admin SDK method metadata and runtime exports. Use Chinese or English keywords such as 用户列表, login, register, order, userList.',
+    inputSchema: z.object({
+      query: z.string().optional(),
+      limit: z.number().int().min(1).max(100).optional()
+    })
+  },
+  async ({ query = '', limit = 20 }) =>
+    toolJson({
+      sdkMethodCount: getApiMetadata().length,
+      results: searchMethods(query, limit)
+    })
+)
+
+server.registerTool(
+  'apifm_admin_method_info',
+  {
+    title: 'Get apifm-admin SDK method info',
+    description: 'Returns metadata for one SDK method, including route, HTTP method, parameters, and return example.',
+    inputSchema: z.object({
+      methodName: z.string().min(1)
+    })
+  },
+  async ({ methodName }) => {
+    const meta = getMethodMetadata(methodName)
+    if (!meta) {
+      return toolError(`Unknown SDK method: ${methodName}`)
+    }
+    return toolJson(summarizeMetadata(meta))
+  }
+)
+
+server.registerTool(
+  'apifm_admin_call',
+  {
+    title: 'Call an APIFM admin API',
+    description:
+      'Calls any non-sensitive apifm-admin SDK method by name using the active or selected local account. Payload and headers must not contain passwords, tokens, Basic credentials, secrets, or API keys.',
+    inputSchema: z.object({
+      methodName: z.string().min(1).describe('apifm-admin SDK method name, for example userList.'),
+      payload: z.record(z.string(), z.any()).optional().describe('Non-sensitive SDK payload.'),
+      alias: z.string().optional().describe('Optional local account alias. Defaults to the active account.'),
+      domains: z
+        .record(z.string(), z.string().url())
+        .optional()
+        .describe('Optional per-call domain overrides by apifm-admin domainKey.'),
+      headers: z
+        .record(z.string(), z.string())
+        .optional()
+        .describe('Optional non-sensitive extra headers. Authorization and token headers are rejected.')
+    })
+  },
+  async ({ methodName, payload = {}, alias, domains, headers = {} }) => {
+    const sensitivePayloadPath = containsSensitiveKey(payload)
+    if (sensitivePayloadPath) {
+      return toolError(
+        `Refusing to call ${methodName}: payload contains a sensitive field at "${sensitivePayloadPath}". Use apifm_admin_start_auth for secrets.`
+      )
+    }
+    const sensitiveHeaderPath = containsSensitiveKey(headers)
+    if (sensitiveHeaderPath) {
+      return toolError(
+        `Refusing to call ${methodName}: headers contain a sensitive field at "${sensitiveHeaderPath}". Use apifm_admin_start_auth for secrets.`
+      )
+    }
+
+    const account = getAccount(alias)
+    if (!account) {
+      return toolError(
+        'No APIFM admin account is authorized. Call apifm_admin_start_auth first, then use the returned local browser URL.'
+      )
+    }
+
+    const sdk = getSdk()
+    if (typeof sdk[methodName] !== 'function') {
+      return toolError(`apifm-admin does not expose a function named ${methodName}. Search methods first.`)
+    }
+
+    resetSdkConfig()
+    const allDomains = { ...(account.domains || {}), ...(domains || {}) }
+    const sdkHeaders = { ...headers }
+    if (account.basicAuth) {
+      sdkHeaders.Authorization = account.basicAuth
+    }
+
+    sdk.setConfig({
+      token: account.token || '',
+      headers: sdkHeaders,
+      domains: allDomains
+    })
+
+    const result = await sdk[methodName](payload)
+    return toolJson({
+      methodName,
+      accountAlias: account.alias,
+      metadata: getMethodMetadata(methodName) ? summarizeMetadata(getMethodMetadata(methodName)) : null,
+      result: redactSensitive(result)
+    })
+  }
+)
+
+server.registerResource(
+  'apifm-admin-methods',
+  'apifm-admin://methods',
+  {
+    title: 'apifm-admin SDK methods',
+    description: 'Current runtime method metadata discovered from the installed apifm-admin SDK.',
+    mimeType: 'application/json'
+  },
+  async (uri) => ({
+    contents: [
+      {
+        uri: uri.href,
+        mimeType: 'application/json',
+        text: JSON.stringify(getApiMetadata().map(summarizeMetadata), null, 2)
+      }
+    ]
+  })
+)
+
+function toolJson(data) {
+  return {
+    content: [
+      {
+        type: 'text',
+        text: JSON.stringify(data, null, 2)
+      }
+    ],
+    structuredContent: data
+  }
+}
+
+function toolError(message) {
+  return {
+    isError: true,
+    content: [
+      {
+        type: 'text',
+        text: message
+      }
+    ],
+    structuredContent: { error: message }
+  }
+}
+
+const transport = new StdioServerTransport()
+await server.connect(transport)

package/src/sdk.js

@@ -0,0 +1,130 @@
+import apifmAdmin, { API_METADATA as EXPORTED_METADATA } from 'apifm-admin'
+
+const RESERVED_METHODS = new Set([
+  'getConfig',
+  'setConfig',
+  'setToken',
+  'setTokenGetter',
+  'setHeader',
+  'setHeaders',
+  'setDomain',
+  'setDomains',
+  'setRequestAdapter',
+  'getApiMetadata'
+])
+
+export function getSdk() {
+  return apifmAdmin?.default || apifmAdmin
+}
+
+export function getApiMetadata() {
+  const sdk = getSdk()
+  const metadata =
+    (typeof sdk.getApiMetadata === 'function' && sdk.getApiMetadata()) ||
+    EXPORTED_METADATA ||
+    []
+
+  const byName = new Map()
+  for (const item of metadata) {
+    if (item?.methodName) {
+      byName.set(item.methodName, item)
+    }
+  }
+
+  for (const [name, value] of Object.entries(sdk)) {
+    if (typeof value !== 'function' || RESERVED_METHODS.has(name) || byName.has(name)) {
+      continue
+    }
+    byName.set(name, {
+      methodName: name,
+      summary: 'SDK method discovered at runtime',
+      notes: '',
+      params: [],
+      usage: '',
+      route: '',
+      httpMethod: '',
+      domainKey: '',
+      baseUrl: '',
+      runtimeOnly: true
+    })
+  }
+
+  return [...byName.values()].sort((a, b) => a.methodName.localeCompare(b.methodName))
+}
+
+export function getMethodMetadata(methodName) {
+  return getApiMetadata().find((item) => item.methodName === methodName) || null
+}
+
+export function resetSdkConfig() {
+  const sdk = getSdk()
+  const config = typeof sdk.getConfig === 'function' ? sdk.getConfig() : {}
+
+  for (const key of Object.keys(config.headers || {})) {
+    sdk.setHeader(key, undefined)
+  }
+
+  for (const key of Object.keys(config.domains || {})) {
+    sdk.setDomain(key, undefined)
+  }
+
+  sdk.setToken('')
+  sdk.setTokenGetter(null)
+}
+
+export function searchMethods(query = '', limit = 20) {
+  const normalizedQuery = String(query || '').trim().toLowerCase()
+  const words = normalizedQuery.split(/\s+/).filter(Boolean)
+
+  const scored = getApiMetadata().map((meta) => {
+    const haystack = [
+      meta.methodName,
+      meta.rawMethodName,
+      meta.summary,
+      meta.notes,
+      meta.route,
+      meta.usage,
+      ...(meta.params || []).flatMap((param) => [param.name, param.type, param.description])
+    ]
+      .filter(Boolean)
+      .join(' ')
+      .toLowerCase()
+
+    if (!words.length) {
+      return { meta, score: 1 }
+    }
+
+    let score = 0
+    for (const word of words) {
+      if (meta.methodName?.toLowerCase() === word) score += 50
+      if (meta.methodName?.toLowerCase().includes(word)) score += 20
+      if (haystack.includes(word)) score += 5
+    }
+
+    return { meta, score }
+  })
+
+  return scored
+    .filter((item) => item.score > 0)
+    .sort((a, b) => b.score - a.score || a.meta.methodName.localeCompare(b.meta.methodName))
+    .slice(0, Math.max(1, Math.min(Number(limit) || 20, 100)))
+    .map((item) => summarizeMetadata(item.meta))
+}
+
+export function summarizeMetadata(meta) {
+  return {
+    methodName: meta.methodName,
+    summary: meta.summary || '',
+    notes: meta.notes || '',
+    route: meta.route || '',
+    httpMethod: meta.httpMethod || '',
+    domainKey: meta.domainKey || '',
+    params: (meta.params || []).map((param) => ({
+      name: param.name,
+      type: param.type,
+      description: param.description
+    })),
+    usage: meta.usage || '',
+    runtimeOnly: Boolean(meta.runtimeOnly)
+  }
+}

package/src/security.js

@@ -0,0 +1,79 @@
+export const SENSITIVE_KEY_PATTERN =
+  /(^|[_\-.])(password|passwd|pwd|secret|token|x-token|xtoken|authorization|auth|basic|apikey|api-key|key|merchantkey|merchant_key|access[_\-.]?token|refresh[_\-.]?token)($|[_\-.])/i
+
+export function containsSensitiveKey(value, path = []) {
+  if (!value || typeof value !== 'object') {
+    return null
+  }
+
+  if (Array.isArray(value)) {
+    for (let index = 0; index < value.length; index += 1) {
+      const found = containsSensitiveKey(value[index], [...path, String(index)])
+      if (found) return found
+    }
+    return null
+  }
+
+  for (const [key, child] of Object.entries(value)) {
+    const nextPath = [...path, key]
+    if (isSensitiveKey(key)) {
+      return nextPath.join('.')
+    }
+    const found = containsSensitiveKey(child, nextPath)
+    if (found) return found
+  }
+
+  return null
+}
+
+export function redactSensitive(value) {
+  if (!value || typeof value !== 'object') {
+    return value
+  }
+
+  if (Array.isArray(value)) {
+    return value.map((item) => redactSensitive(item))
+  }
+
+  return Object.fromEntries(
+    Object.entries(value).map(([key, child]) => [
+      key,
+      isSensitiveKey(key) ? '[REDACTED]' : redactSensitive(child)
+    ])
+  )
+}
+
+export function isSensitiveKey(key) {
+  const raw = String(key || '')
+  const compact = raw.toLowerCase().replace(/[^a-z0-9]/g, '')
+  return (
+    SENSITIVE_KEY_PATTERN.test(raw) ||
+    [
+      'pwd',
+      'password',
+      'passwd',
+      'secret',
+      'token',
+      'xtoken',
+      'authorization',
+      'auth',
+      'basic',
+      'apikey',
+      'merchantkey',
+      'accesstoken',
+      'refreshtoken'
+    ].some((word) => compact === word || compact.endsWith(word))
+  )
+}
+
+export function createPublicAccount(account) {
+  return {
+    alias: account.alias,
+    authType: account.authType,
+    createdAt: account.createdAt,
+    updatedAt: account.updatedAt,
+    domains: Object.keys(account.domains || {}),
+    hasToken: Boolean(account.token),
+    hasBasicAuth: Boolean(account.basicAuth)
+  }
+}

package/src/self-check.js

@@ -0,0 +1,60 @@
+import { Client } from '@modelcontextprotocol/sdk/client/index.js'
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js'
+
+const transport = new StdioClientTransport({
+  command: process.execPath,
+  args: ['./src/index.js'],
+  cwd: process.cwd(),
+  stderr: 'pipe'
+})
+
+const client = new Client({
+  name: 'apifm-admin-mcp-self-check',
+  version: '1.0.0'
+})
+
+try {
+  await client.connect(transport)
+
+  const tools = await client.listTools()
+  const names = tools.tools.map((tool) => tool.name)
+  const requiredTools = [
+    'apifm_admin_start_auth',
+    'apifm_admin_accounts',
+    'apifm_admin_search_methods',
+    'apifm_admin_method_info',
+    'apifm_admin_call'
+  ]
+  for (const name of requiredTools) {
+    if (!names.includes(name)) {
+      throw new Error(`Missing tool: ${name}`)
+    }
+  }
+
+  const search = await client.callTool({
+    name: 'apifm_admin_search_methods',
+    arguments: { query: '用户 列表', limit: 5 }
+  })
+  const searchData = JSON.parse(search.content[0].text)
+  if (!searchData.sdkMethodCount || !Array.isArray(searchData.results)) {
+    throw new Error('Method search did not return SDK metadata.')
+  }
+
+  const guard = await client.callTool({
+    name: 'apifm_admin_call',
+    arguments: {
+      methodName: 'loginAdminEmail',
+      payload: { email: 'demo@example.com', pwd: 'secret' }
+    }
+  })
+  if (!guard.isError) {
+    throw new Error('Sensitive payload guard did not reject password fields.')
+  }
+
+  await client.close()
+  console.log(`self-check passed: ${names.length} tools, ${searchData.sdkMethodCount} SDK methods discovered`)
+} catch (error) {
+  await client.close().catch(() => {})
+  console.error(error)
+  process.exitCode = 1
+}