asset-mcp 0.2.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,94 @@
+# asset-mcp
+
+给 Cursor 使用的 MCP Server（OAuth 标准流程骨架，零依赖版本）。
+
+## 功能
+
+- 暴露认证工具：`mcp_auth`（`methods/start/poll/status/logout`，仅 OAuth2 设备码）
+- 暴露身份工具：`auth.me`
+- 暴露查询工具：`assets.search`
+- 暴露业务工具：`assets.create`
+- 写操作权限由后端统一拦截（scope + RBAC + 资源级权限）
+
+## 运行
+
+```bash
+cd asset-mcp
+npm start
+```
+
+## 作为 npm 包使用
+
+```bash
+npx -y asset-mcp
+```
+
+## 发布到 npm
+
+```bash
+npm login
+npm publish --access public
+```
+
+> 如果包名已被占用，请先修改 `package.json` 里的 `name`（例如加组织作用域）。
+
+## 在 Cursor 中配置（示例）
+
+将 MCP 命令配置为：
+
+```bash
+npx -y asset-mcp
+```
+
+## 环境变量
+
+```bash
+export ASSET_MCP_BASE_URL="http://localhost:8080"
+export ASSET_MCP_CLIENT_ID="asset-mcp"
+export ASSET_MCP_SCOPES="assets.read assets.write"
+```
+
+可选项：
+
+- `ASSET_MCP_DEVICE_CODE_PATH`（默认 `/oauth/device/code`）
+- `ASSET_MCP_TOKEN_PATH`（默认 `/oauth/token`）
+- `ASSET_MCP_REVOKE_PATH`（默认 `/oauth/revoke`）
+
+## 标准授权流程（Device Code）
+
+1. 先调用 `mcp_auth`，参数：`{ "action": "start" }`
+2. 按返回的 `verificationUri + userCode` 去浏览器授权
+3. 再调用 `mcp_auth`，参数：`{ "action": "poll" }`
+4. 成功后用 `auth.me` 验证登录身份
+5. 然后可调用 `assets.create`
+
+可选先调 `mcp_auth`：`{ "action": "methods" }` 查看步骤说明。
+
+说明：登录**仅**走 OAuth2 设备码；用户在浏览器授权页输入账号密码，**不要**通过 MCP 传密码。
+
+## 工具入参（assets.search）
+
+- `assetType`: `"rule" | "skill" | "mcp" | "all"`（默认 `all`）
+- `keyword`: 关键词
+
+说明：
+
+- 查询条件只保留 `assetType + keyword`
+- `keyword` 直接透传平台后端，因此搜索逻辑与平台当前页面一致
+- 不开放分页参数，固定查询第 1 页、每类最多 10 条
+- `assetType=all` 时：`rule/skill/mcp` 各返回最多 10 条
+
+## 工具入参（assets.create）
+
+- `assetType`: `"rule" | "skill" | "mcp"`
+- `name`: 资产名称
+- `description`: 资产描述
+- `version`: 可选，默认 `v1.0`
+- `changeLog`: 可选，默认 `初始创建`
+- `content`: 可选（rule/skill）
+- `mcpType/configJson/toolsJson/remark`: 可选（mcp）
+
+## 说明
+
+- token 存储在用户目录 `~/.asset-mcp/tokens.json`
+- 建议上线时切换到系统钥匙串存储（如 macOS Keychain）

package/bin/asset-mcp.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../src/server.js'

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "asset-mcp",
+  "version": "0.2.1",
+  "license": "MIT",
+  "description": "MCP server for asset operations in Cursor",
+  "type": "module",
+  "main": "src/server.js",
+  "bin": {
+    "asset-mcp": "bin/asset-mcp.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "start": "node src/server.js",
+    "check": "node --check src/server.js",
+    "prepublishOnly": "npm run check"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "mcp",
+    "cursor",
+    "asset"
+  ]
+}

package/src/backend.js

@@ -0,0 +1,184 @@
+import { apiUrl, config } from './config.js'
+import { getValidAccessToken, refreshAccessToken } from './oauth.js'
+
+async function parseJsonSafe(res) {
+  return res.json().catch(() => ({}))
+}
+
+async function requestWithToken(path, init = {}, retry = true) {
+  const token = await getValidAccessToken()
+  if (!token) {
+    throw new Error('未授权，请先调用 mcp_auth 完成登录')
+  }
+
+  const headers = {
+    'content-type': 'application/json',
+    authorization: `Bearer ${token}`,
+    ...(init.headers || {}),
+  }
+
+  const res = await fetch(apiUrl(path), { ...init, headers })
+  if (res.status === 401 && retry) {
+    await refreshAccessToken()
+    return requestWithToken(path, init, false)
+  }
+
+  const body = await parseJsonSafe(res)
+  if (!res.ok) {
+    throw new Error(body.message || `后端请求失败(${res.status})`)
+  }
+  if (body && body.code !== undefined && body.code !== 0) {
+    throw new Error(body.message || '业务请求失败')
+  }
+  return body.data
+}
+
+function toQueryString(params = {}) {
+  const parts = []
+  for (const [key, val] of Object.entries(params)) {
+    if (val === undefined || val === null || val === '') continue
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        if (item === undefined || item === null || item === '') continue
+        parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(item))}`)
+      }
+      continue
+    }
+    parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(val))}`)
+  }
+  return parts.join('&')
+}
+
+/** 列表固定第一页、每页条数（MCP 不提供分页参数） */
+const LIST_PAGE = 1
+const LIST_PAGE_SIZE = 10
+
+/** 与后端 AssetQueryRequest 对齐的可选筛选（分页固定为第 1 页共 10 条） */
+function buildAssetListQuery(args = {}) {
+  const q = {
+    keyword: args.keyword,
+    page: LIST_PAGE,
+    pageSize: LIST_PAGE_SIZE,
+  }
+  if (args.mine === true) q.mine = true
+  if (args.status != null && args.status !== '') q.status = Number(args.status)
+  if (args.categoryId != null && args.categoryId !== '') q.categoryId = Number(args.categoryId)
+  if (Array.isArray(args.categoryIds) && args.categoryIds.length > 0) {
+    q.categoryIds = args.categoryIds.map(Number).filter(n => !Number.isNaN(n))
+  }
+  if (args.type) q.type = args.type
+  return q
+}
+
+async function getWithQuery(path, query = {}) {
+  const qs = toQueryString(query)
+  const target = qs ? `${path}?${qs}` : path
+  return requestWithToken(target, { method: 'GET' })
+}
+
+function clampPageResult(pageData, max = 10) {
+  if (!pageData || !Array.isArray(pageData.records)) return pageData
+  return {
+    ...pageData,
+    records: pageData.records.slice(0, max),
+  }
+}
+
+export async function whoAmI() {
+  return requestWithToken(config.api.mePath, { method: 'GET' })
+}
+
+export async function searchAssets(args = {}) {
+  const assetType = args.assetType || 'all'
+  const query = buildAssetListQuery(args)
+
+  if (assetType === 'rule') {
+    const pageData = await getWithQuery(config.api.assetsPath('rule'), query)
+    return {
+      assetType: 'rule',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'skill') {
+    const pageData = await getWithQuery(config.api.assetsPath('skill'), query)
+    return {
+      assetType: 'skill',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'mcp') {
+    const pageData = await getWithQuery(config.api.assetsPath('mcp'), query)
+    return {
+      assetType: 'mcp',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'all') {
+    const [rules, skills, mcps] = await Promise.all([
+      getWithQuery(config.api.assetsPath('rule'), query),
+      getWithQuery(config.api.assetsPath('skill'), query),
+      getWithQuery(config.api.assetsPath('mcp'), query),
+    ])
+
+    return {
+      assetType: 'all',
+      rules: clampPageResult(rules, LIST_PAGE_SIZE),
+      skills: clampPageResult(skills, LIST_PAGE_SIZE),
+      mcps: clampPageResult(mcps, LIST_PAGE_SIZE),
+    }
+  }
+
+  throw new Error(`不支持的 assetType: ${assetType}`)
+}
+
+export async function createAsset(args) {
+  const common = {
+    description: args.description,
+    version: args.version || 'v1.0',
+    tags: Array.isArray(args.tags) ? args.tags : [],
+  }
+
+  if (args.assetType === 'rule') {
+    const payload = {
+      name: args.name,
+      ...common,
+      content: args.content || '',
+    }
+    return requestWithToken(config.api.assetsPath('rule'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  if (args.assetType === 'skill') {
+    const payload = {
+      name: args.name,
+      ...common,
+      content: args.content || '',
+    }
+    return requestWithToken(config.api.assetsPath('skill'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  if (args.assetType === 'mcp') {
+    const payload = {
+      name: args.name,
+      type: args.mcpType || 'local',
+      ...common,
+      configJson: args.configJson || '{}',
+      toolsJson: args.toolsJson || '[]',
+      remark: args.remark || '',
+    }
+    return requestWithToken(config.api.assetsPath('mcp'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  throw new Error(`不支持的 assetType: ${args.assetType}`)
+}

package/src/config.js

@@ -0,0 +1,41 @@
+const DEFAULT_BASE_URL = 'http://localhost:8080'
+
+function readEnv(name, fallback = '') {
+  const v = process.env[name]
+  if (!v) return fallback
+  return v.trim()
+}
+
+function joinUrl(base, path) {
+  const b = base.endsWith('/') ? base.slice(0, -1) : base
+  const p = path.startsWith('/') ? path : `/${path}`
+  return `${b}${p}`
+}
+
+export const config = {
+  baseUrl: readEnv('ASSET_MCP_BASE_URL', DEFAULT_BASE_URL),
+  clientId: readEnv('ASSET_MCP_CLIENT_ID', 'asset-mcp'),
+  scopes: readEnv('ASSET_MCP_SCOPES', 'assets.read assets.write'),
+  oauth: {
+    deviceCodePath: readEnv('ASSET_MCP_DEVICE_CODE_PATH', '/oauth/device/code'),
+    tokenPath: readEnv('ASSET_MCP_TOKEN_PATH', '/oauth/token'),
+    revokePath: readEnv('ASSET_MCP_REVOKE_PATH', '/oauth/revoke'),
+  },
+  api: {
+    authRefreshPath: '/api/v1/auth/refresh',
+    authLogoutPath: '/api/v1/auth/logout',
+    /** 统一资产：GET 列表 / POST 创建，路径变量为 rule | skill | mcp */
+    assetsPath: (assetType) => `/api/v1/assets/${assetType}`,
+    /** 跨类型列表（query 可带 assetType / keyword / mine 等） */
+    assetsMarketPath: '/api/v1/assets',
+    mePath: '/api/v1/auth/me',
+  },
+}
+
+export function oauthUrl(path) {
+  return joinUrl(config.baseUrl, path)
+}
+
+export function apiUrl(path) {
+  return joinUrl(config.baseUrl, path)
+}

package/src/oauth.js

@@ -0,0 +1,127 @@
+import { config, oauthUrl } from './config.js'
+import { clearTokens, readTokens, writeTokens } from './token-store.js'
+
+function nowSec() {
+  return Math.floor(Date.now() / 1000)
+}
+
+function normalizeTokenResponse(data) {
+  const expiresIn = Number(data.expires_in || 900)
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type || 'Bearer',
+    scope: data.scope || config.scopes,
+    expiresAt: nowSec() + Math.max(60, expiresIn - 30),
+  }
+}
+
+function normalizePlatformLoginResponse(data) {
+  const expiresIn = Number(data.expiresIn || 900)
+  return {
+    accessToken: data.accessToken,
+    refreshToken: data.refreshToken,
+    tokenType: 'Bearer',
+    scope: config.scopes,
+    authMode: 'platform',
+    expiresAt: nowSec() + Math.max(60, expiresIn - 30),
+  }
+}
+
+async function postJson(url, body) {
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify(body),
+  })
+
+  const data = await res.json().catch(() => ({}))
+  if (!res.ok) {
+    throw new Error(data.message || `OAuth 请求失败(${res.status})`)
+  }
+  if (data && data.code !== undefined && data.code !== 0) {
+    throw new Error(data.message || '业务请求失败')
+  }
+  return data
+}
+
+export async function startDeviceAuthorization() {
+  const data = await postJson(oauthUrl(config.oauth.deviceCodePath), {
+    client_id: config.clientId,
+    scope: config.scopes,
+  })
+  return {
+    deviceCode: data.device_code,
+    userCode: data.user_code,
+    verificationUri: data.verification_uri,
+    verificationUriComplete: data.verification_uri_complete,
+    expiresIn: data.expires_in,
+    interval: data.interval || 5,
+  }
+}
+
+export async function pollDeviceToken(deviceCode) {
+  const data = await postJson(oauthUrl(config.oauth.tokenPath), {
+    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+    device_code: deviceCode,
+    client_id: config.clientId,
+  })
+  const tokens = normalizeTokenResponse(data)
+  tokens.authMode = 'oauth'
+  await writeTokens(tokens)
+  return tokens
+}
+
+export async function refreshAccessToken() {
+  const current = await readTokens()
+  if (!current?.refreshToken) {
+    throw new Error('没有可用的 refresh_token，请重新授权')
+  }
+  if (current.authMode === 'platform') {
+    const data = await postJson(oauthUrl(config.api.authRefreshPath), {
+      refreshToken: current.refreshToken,
+    })
+    const merged = normalizePlatformLoginResponse(data.data ?? data)
+    await writeTokens(merged)
+    return merged
+  }
+  const data = await postJson(oauthUrl(config.oauth.tokenPath), {
+    grant_type: 'refresh_token',
+    refresh_token: current.refreshToken,
+    client_id: config.clientId,
+  })
+  const merged = normalizeTokenResponse({
+    ...data,
+    refresh_token: data.refresh_token || current.refreshToken,
+  })
+  merged.authMode = 'oauth'
+  await writeTokens(merged)
+  return merged
+}
+
+export async function revokeAndClearTokens() {
+  const current = await readTokens()
+  if (current?.refreshToken && current.authMode !== 'platform') {
+    try {
+      await postJson(oauthUrl(config.oauth.revokePath), {
+        token: current.refreshToken,
+        client_id: config.clientId,
+      })
+    } catch {
+      // revoke 失败不阻止本地清理
+    }
+  }
+  await clearTokens()
+}
+
+export async function getValidAccessToken() {
+  const current = await readTokens()
+  if (!current?.accessToken) {
+    return null
+  }
+  if (typeof current.expiresAt === 'number' && current.expiresAt > nowSec()) {
+    return current.accessToken
+  }
+  const refreshed = await refreshAccessToken()
+  return refreshed.accessToken
+}

package/src/server.js

@@ -0,0 +1,276 @@
+import readline from 'node:readline'
+import { createAsset, searchAssets, whoAmI } from './backend.js'
+import { readTokens } from './token-store.js'
+import { pollDeviceToken, revokeAndClearTokens, startDeviceAuthorization } from './oauth.js'
+
+const TOOL_DEFS = [
+  {
+    name: 'mcp_auth',
+    description:
+      '认证仅支持 OAuth2 设备码：start→用户在浏览器授权→poll；可先 action=methods 看步骤。另有 status / logout。需后端 /oauth/device/code 与 /oauth/token。',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        action: {
+          type: 'string',
+          enum: ['methods', 'start', 'poll', 'status', 'logout'],
+          description:
+            'methods=登录步骤说明；start=申请设备码；poll=换取令牌；status=是否已登录；logout=退出',
+        },
+        deviceCode: { type: 'string', description: 'poll 时可省略（沿用最近一次 start）' },
+      },
+      required: ['action'],
+    },
+  },
+  {
+    name: 'auth.me',
+    description: '查看当前登录用户信息',
+    inputSchema: {
+      type: 'object',
+      properties: {},
+      required: [],
+    },
+  },
+  {
+    name: 'assets.search',
+    description:
+      '查询资产（rule/skill/mcp/all），GET /api/v1/assets/{assetType}；固定每类最多 10 条（第 1 页），无分页参数',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        assetType: { type: 'string', enum: ['rule', 'skill', 'mcp', 'all'] },
+        keyword: { type: 'string' },
+        mine: { type: 'boolean', description: 'true 仅查当前用户自己的资产' },
+        status: { type: 'integer', description: '1私有 2审核中 3已发布 4已拒绝' },
+        categoryId: { type: 'integer' },
+        categoryIds: { type: 'array', items: { type: 'integer' } },
+        type: { type: 'string', description: '仅 mcp 有效：local / remote' },
+      },
+      required: [],
+    },
+  },
+  {
+    name: 'assets.create',
+    description: '创建资产（权限最终由后端拦截）',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        assetType: { type: 'string', enum: ['rule', 'skill', 'mcp'] },
+        name: { type: 'string', minLength: 1 },
+        description: { type: 'string', minLength: 1 },
+        version: { type: 'string' },
+        tags: { type: 'array', items: { type: 'string' } },
+        content: { type: 'string' },
+        mcpType: { type: 'string' },
+        configJson: { type: 'string' },
+        toolsJson: { type: 'string' },
+        remark: { type: 'string' },
+      },
+      required: [],
+    },
+  },
+]
+
+let latestDeviceCode = null
+
+function writeMessage(msg) {
+  process.stdout.write(`${JSON.stringify(msg)}\n`)
+}
+
+function makeTextResult(payload) {
+  const text = typeof payload === 'string' ? payload : JSON.stringify(payload, null, 2)
+  return { content: [{ type: 'text', text }] }
+}
+
+function ok(id, result) {
+  return { jsonrpc: '2.0', id, result }
+}
+
+function err(id, message) {
+  return {
+    jsonrpc: '2.0',
+    id,
+    error: { code: -32000, message },
+  }
+}
+
+function authMethodsPayload() {
+  return {
+    ok: true,
+    action: 'methods',
+    message: '登录资产管理平台仅支持 OAuth2 设备授权（RFC 8628）',
+    steps: [
+      '① mcp_auth action=start → 取得 userCode、verificationUri（或 verificationUriComplete）',
+      '② 用户在浏览器打开链接，完成授权（若页面要求输入用户码，使用返回的 userCode）',
+      '③ mcp_auth action=poll → 换取 access_token 并写入本地凭证',
+      '④ 可选：auth.me 或 mcp_auth action=status 校验',
+    ],
+    hint: '用户可说「我要登录资产管理平台」。勿使用账号密码调用 MCP；账号密码仅在浏览器授权页由用户自行输入。',
+  }
+}
+
+async function handleAuthTool(args = {}) {
+  const action = args.action
+  if (action === 'methods') {
+    return makeTextResult(authMethodsPayload())
+  }
+
+  if (action === 'start') {
+    const s = await startDeviceAuthorization()
+    latestDeviceCode = s.deviceCode
+    return makeTextResult({
+      ok: true,
+      action: 'start',
+      verificationUri: s.verificationUri,
+      verificationUriComplete: s.verificationUriComplete,
+      userCode: s.userCode,
+      deviceCode: s.deviceCode,
+      expiresIn: s.expiresIn,
+      interval: s.interval,
+      hint: '请在浏览器完成授权后，再调用 mcp_auth(action=poll)',
+    })
+  }
+
+  if (action === 'poll') {
+    const deviceCode = args.deviceCode || latestDeviceCode
+    if (!deviceCode) {
+      return makeTextResult({
+        ok: false,
+        action: 'poll',
+        message: '缺少 deviceCode，请先调用 mcp_auth(action=start)',
+      })
+    }
+    const token = await pollDeviceToken(deviceCode)
+    return makeTextResult({
+      ok: true,
+      action: 'poll',
+      message: '授权成功，已保存凭证',
+      scope: token.scope,
+      expiresAt: token.expiresAt,
+    })
+  }
+
+  if (action === 'status') {
+    const tokens = await readTokens()
+    return makeTextResult({
+      ok: true,
+      action: 'status',
+      authorized: Boolean(tokens?.accessToken),
+      expiresAt: tokens?.expiresAt || null,
+      scope: tokens?.scope || null,
+    })
+  }
+
+  if (action === 'logout') {
+    await revokeAndClearTokens()
+    return makeTextResult({
+      ok: true,
+      action: 'logout',
+      message: '已退出并清理本地凭证',
+    })
+  }
+
+  throw new Error('mcp_auth action 不支持')
+}
+
+async function handleAssetsCreate(args = {}) {
+  const missingFields = []
+  if (!args.assetType) missingFields.push('assetType')
+  if (!args.name) missingFields.push('name')
+  if (!args.description) missingFields.push('description')
+
+  if (missingFields.length > 0) {
+    return makeTextResult({
+      ok: false,
+      needMoreInput: true,
+      missingFields,
+      hint: '请按顺序补充：assetType -> name -> description',
+    })
+  }
+
+  const id = await createAsset(args)
+  return makeTextResult({
+    ok: true,
+    message: '资产创建成功',
+    data: {
+      id,
+      assetType: args.assetType,
+      name: args.name,
+      version: args.version || 'v1.0',
+    },
+  })
+}
+
+async function handleAssetsSearch(args = {}) {
+  const data = await searchAssets(args)
+  return makeTextResult({
+    ok: true,
+    message: '查询成功',
+    data,
+  })
+}
+
+async function handleToolCall(name, args) {
+  if (name === 'mcp_auth') return handleAuthTool(args)
+  if (name === 'auth.me') return makeTextResult(await whoAmI())
+  if (name === 'assets.search') return handleAssetsSearch(args)
+  if (name === 'assets.create') return handleAssetsCreate(args)
+  throw new Error(`未知工具: ${name}`)
+}
+
+async function handleRequest(req) {
+  const { id, method, params } = req
+
+  if (method === 'initialize') {
+    return ok(id, {
+      protocolVersion: '2024-11-05',
+      capabilities: { tools: {} },
+      serverInfo: { name: 'asset-mcp', version: '0.2.0' },
+    })
+  }
+
+  if (method === 'notifications/initialized') return null
+
+  if (method === 'tools/list') {
+    return ok(id, { tools: TOOL_DEFS })
+  }
+
+  if (method === 'tools/call') {
+    const toolName = params?.name
+    const args = params?.arguments || {}
+    try {
+      return ok(id, await handleToolCall(toolName, args))
+    } catch (e) {
+      return err(id, e instanceof Error ? e.message : 'tools/call 执行失败')
+    }
+  }
+
+  return err(id, `不支持的方法: ${method}`)
+}
+
+const rl = readline.createInterface({
+  input: process.stdin,
+  crlfDelay: Infinity,
+})
+
+rl.on('line', async line => {
+  if (!line.trim()) return
+  let req
+  try {
+    req = JSON.parse(line)
+  } catch {
+    writeMessage(err(null, '无效 JSON'))
+    return
+  }
+
+  const resp = await handleRequest(req)
+  if (resp) writeMessage(resp)
+})
+
+process.on('uncaughtException', e => {
+  process.stderr.write(`[asset-mcp] uncaughtException: ${e.message}\n`)
+})
+
+process.on('unhandledRejection', e => {
+  process.stderr.write(`[asset-mcp] unhandledRejection: ${String(e)}\n`)
+})

package/src/token-store.js

@@ -0,0 +1,33 @@
+import fs from 'node:fs/promises'
+import os from 'node:os'
+import path from 'node:path'
+
+const STORE_DIR = path.join(os.homedir(), '.asset-mcp')
+const STORE_FILE = path.join(STORE_DIR, 'tokens.json')
+
+async function ensureStoreDir() {
+  await fs.mkdir(STORE_DIR, { recursive: true })
+}
+
+export async function readTokens() {
+  try {
+    const raw = await fs.readFile(STORE_FILE, 'utf8')
+    return JSON.parse(raw)
+  } catch {
+    return null
+  }
+}
+
+export async function writeTokens(tokens) {
+  await ensureStoreDir()
+  const payload = JSON.stringify(tokens, null, 2)
+  await fs.writeFile(STORE_FILE, payload, { mode: 0o600 })
+}
+
+export async function clearTokens() {
+  try {
+    await fs.unlink(STORE_FILE)
+  } catch {
+    // ignore missing file
+  }
+}