backend-manager 5.6.3 → 5.7.0

package/src/mcp/client.js

@@ -2,6 +2,7 @@
  * BEM HTTP Client
  *
  * Makes authenticated HTTP calls to a running BEM server (local or production).
+ * Supports admin key auth (backendManagerKey) and user token auth (API key from OAuth flow).
  */
 const fetch = require('wonderful-fetch');
 
@@ -11,6 +12,7 @@ class BEMClient {
 
     this.baseUrl = (options.baseUrl || '').replace(/\/+$/, '');
     this.backendManagerKey = options.backendManagerKey || '';
+    this.userToken = options.userToken || '';
   }
 
   /**
@@ -35,24 +37,57 @@ class BEMClient {
       timeout: 120000,
     };
 
-    if (method === 'GET') {
-      // GET: auth + params go in query string
-      url.searchParams.set('backendManagerKey', this.backendManagerKey);
+    if (this.backendManagerKey) {
+      // Admin key auth — key in query/body (existing behavior)
+      if (method === 'GET') {
+        url.searchParams.set('backendManagerKey', this.backendManagerKey);
 
-      for (const [key, value] of Object.entries(params)) {
-        if (value === undefined || value === null) {
-          continue;
+        for (const [key, value] of Object.entries(params)) {
+          if (value === undefined || value === null) {
+            continue;
+          }
+
+          url.searchParams.set(key, typeof value === 'object' ? JSON.stringify(value) : value);
         }
+      } else {
+        fetchOptions.body = JSON.stringify({
+          backendManagerKey: this.backendManagerKey,
+          ...params,
+        });
+      }
+    } else if (this.userToken) {
+      // User token auth — Bearer header + authenticationToken param
+      fetchOptions.headers['Authorization'] = `Bearer ${this.userToken}`;
+
+      if (method === 'GET') {
+        url.searchParams.set('authenticationToken', this.userToken);
+
+        for (const [key, value] of Object.entries(params)) {
+          if (value === undefined || value === null) {
+            continue;
+          }
 
-        // Serialize objects/arrays as JSON strings for query params
-        url.searchParams.set(key, typeof value === 'object' ? JSON.stringify(value) : value);
+          url.searchParams.set(key, typeof value === 'object' ? JSON.stringify(value) : value);
+        }
+      } else {
+        fetchOptions.body = JSON.stringify({
+          authenticationToken: this.userToken,
+          ...params,
+        });
       }
     } else {
-      // POST/PUT/DELETE: auth + params go in body
-      fetchOptions.body = JSON.stringify({
-        backendManagerKey: this.backendManagerKey,
-        ...params,
-      });
+      // Unauthenticated
+      if (method === 'GET') {
+        for (const [key, value] of Object.entries(params)) {
+          if (value === undefined || value === null) {
+            continue;
+          }
+
+          url.searchParams.set(key, typeof value === 'object' ? JSON.stringify(value) : value);
+        }
+      } else {
+        fetchOptions.body = JSON.stringify(params);
+      }
     }
 
     const response = await fetch(url.toString(), fetchOptions);

package/src/mcp/handler.js

@@ -1,25 +1,34 @@
 /**
- * MCP HTTP Handler (Stateless + OAuth)
+ * MCP HTTP Handler (Stateless + OAuth + Role-Based Scoping)
  *
  * Routes all MCP-related requests:
  * - OAuth discovery (.well-known endpoints)
- * - OAuth authorize + token (wraps backendManagerKey as OAuth token)
- * - MCP protocol (stateless Streamable HTTP transport)
+ * - OAuth authorize + token (admin key auto-approve OR user sign-in via consumer website)
+ * - MCP protocol (stateless Streamable HTTP transport, role-filtered tools)
  *
  * Compatible with serverless environments like Firebase Functions.
- * No tokens stored — the backendManagerKey IS the access token.
  */
 const { Server } = require('@modelcontextprotocol/sdk/server/index.js');
 const { StreamableHTTPServerTransport } = require('@modelcontextprotocol/sdk/server/streamableHttp.js');
 const { ListToolsRequestSchema, CallToolRequestSchema } = require('@modelcontextprotocol/sdk/types.js');
-const tools = require('./tools.js');
+const builtinTools = require('./tools.js');
 const BEMClient = require('./client.js');
+const { resolveAuthInfo, filterToolsByRole, loadConsumerTools, buildToolMap } = require('./utils.js');
 const packageJSON = require('../../package.json');
 
-// Build tool lookup once
-const toolMap = {};
-for (const tool of tools) {
-  toolMap[tool.name] = tool;
+// Consumer tools are cached at module scope (loaded once per cold start)
+let _consumerToolsCache = null;
+let _consumerToolsCwd = null;
+
+function getConsumerTools(cwd) {
+  if (_consumerToolsCwd === cwd && _consumerToolsCache !== null) {
+    return _consumerToolsCache;
+  }
+
+  _consumerToolsCache = loadConsumerTools(cwd);
+  _consumerToolsCwd = cwd;
+
+  return _consumerToolsCache;
 }
 
 /**
@@ -33,27 +42,25 @@ for (const tool of tools) {
  */
 async function handleMcpRoute(req, res, options) {
   const { Manager, routePath } = options;
-  // Build base URL from the incoming request so discovery URLs match however the client reached us
-  // (ngrok, production domain, localhost, etc.)
   const protocol = req.headers['x-forwarded-proto'] || req.protocol || 'https';
   const host = req.headers['x-forwarded-host'] || req.headers.host || '';
   const baseUrl = `${protocol}://${host}`;
 
   // --- OAuth Discovery ---
+  // issuer = root (no path) so RFC 8414 discovery resolves to /.well-known/oauth-authorization-server
   if (routePath === '.well-known/oauth-protected-resource') {
     return sendJson(res, 200, {
       resource: `${baseUrl}/backend-manager/mcp`,
-      authorization_servers: [
-        `${baseUrl}/backend-manager/mcp`,
-      ],
+      authorization_servers: [baseUrl],
     });
   }
 
   if (routePath === '.well-known/oauth-authorization-server') {
     return sendJson(res, 200, {
-      issuer: `${baseUrl}/backend-manager/mcp`,
+      issuer: baseUrl,
       authorization_endpoint: `${baseUrl}/backend-manager/mcp/authorize`,
       token_endpoint: `${baseUrl}/backend-manager/mcp/token`,
+      registration_endpoint: `${baseUrl}/backend-manager/mcp/register`,
       response_types_supported: ['code'],
       grant_types_supported: ['authorization_code'],
       code_challenge_methods_supported: ['S256'],
@@ -61,9 +68,14 @@ async function handleMcpRoute(req, res, options) {
     });
   }
 
+  // --- OAuth Dynamic Client Registration (RFC 7591) ---
+  if (routePath === 'mcp/register') {
+    return handleRegister(req, res);
+  }
+
   // --- OAuth Authorize ---
   if (routePath === 'mcp/authorize') {
-    return handleAuthorize(req, res, options);
+    return handleAuthorize(req, res, options, baseUrl);
   }
 
   // --- OAuth Token ---
@@ -82,30 +94,38 @@ async function handleMcpRoute(req, res, options) {
 /**
  * OAuth Authorize
  *
- * If client_id matches the BEM key, auto-redirects immediately (no form).
- * Otherwise, shows a simple form to enter the key manually.
- *
- * To skip the manual step, set OAuth Client ID = YOUR_BEM_KEY in Claude Chat.
+ * Three paths:
+ * 1. client_id matches admin key → auto-redirect (no form, no sign-in)
+ * 2. No matching key → redirect to consumer's website for user sign-in
+ * 3. Fallback → show manual key entry form
  */
-function handleAuthorize(req, res, options) {
+function handleAuthorize(req, res, options, baseUrl) {
   const query = req.query || {};
   const { redirect_uri, state, client_id } = query;
   const Manager = options.Manager;
 
-  // Auto-approve if client_id matches the BEM key
-  if (isValidKey(client_id) && redirect_uri) {
-    const url = new URL(redirect_uri);
-    url.searchParams.set('code', client_id);
+  // Auto-approve if client_id matches the admin key
+  if (isAdminKey(client_id) && redirect_uri) {
+    return redirectWithCode(res, redirect_uri, client_id, state);
+  }
+
+  // Try to redirect to consumer's website for user sign-in
+  const consumerAuthUrl = resolveConsumerAuthUrl(Manager);
+
+  if (consumerAuthUrl && redirect_uri) {
+    const authUrl = new URL(consumerAuthUrl);
+    authUrl.searchParams.set('redirect_uri', redirect_uri);
     if (state) {
-      url.searchParams.set('state', state);
+      authUrl.searchParams.set('state', state);
     }
-    res.writeHead(302, { Location: url.toString() });
+    authUrl.searchParams.set('mcp', 'true');
+    res.writeHead(302, { Location: authUrl.toString() });
     res.end();
     return;
   }
 
+  // Fallback: show manual key entry form
   if (req.method === 'GET') {
-    // Show a simple authorize form (fallback when client_id is not the BEM key)
     const html = `<!DOCTYPE html>
 <html>
 <head>
@@ -151,7 +171,7 @@ function handleAuthorize(req, res, options) {
     const redirectUri = body.redirect_uri || '';
     const postState = body.state || '';
 
-    if (!isValidKey(key)) {
+    if (!isAdminKey(key)) {
       res.writeHead(403, { 'Content-Type': 'text/html' });
       res.end('<html><body style="background:#111;color:#e55;font-family:sans-serif;display:flex;align-items:center;justify-content:center;height:100vh"><h2>Invalid key. Go back and try again.</h2></body></html>');
       return;
@@ -161,24 +181,20 @@ function handleAuthorize(req, res, options) {
       return sendJson(res, 400, { error: 'Missing redirect_uri' });
     }
 
-    const url = new URL(redirectUri);
-    url.searchParams.set('code', key);
-    if (postState) {
-      url.searchParams.set('state', postState);
-    }
-
-    res.writeHead(302, { Location: url.toString() });
-    res.end();
-    return;
+    return redirectWithCode(res, redirectUri, key, postState);
   }
 
   sendJson(res, 405, { error: 'Method not allowed' });
 }
 
 /**
- * OAuth Token — exchanges the auth code (BEM key) for an access token (same BEM key)
+ * OAuth Token — exchanges an auth code for an access token.
+ *
+ * Two paths:
+ * 1. Code is the admin key → return it as access_token (existing behavior)
+ * 2. Code is a Firebase ID token → verify, look up user, return api.privateKey
  */
-function handleToken(req, res, options) {
+async function handleToken(req, res, options) {
   if (req.method !== 'POST') {
     return sendJson(res, 405, { error: 'Method not allowed' });
   }
@@ -187,45 +203,131 @@ function handleToken(req, res, options) {
   const code = body.code || body.client_secret || body.client_id || '';
   const Manager = options.Manager;
 
-  // The code, client_secret, or client_id IS the backendManagerKey — validate any
-  if (!isValidKey(code)) {
-    return sendJson(res, 401, {
-      error: 'invalid_grant',
-      error_description: 'Invalid authorization code.',
+  // Path 1: admin key
+  if (isAdminKey(code)) {
+    return sendJson(res, 200, {
+      access_token: code,
+      token_type: 'Bearer',
+      scope: 'tools',
     });
   }
 
-  // Return the key as the access token — no storage needed
-  sendJson(res, 200, {
-    access_token: code,
-    token_type: 'Bearer',
-    scope: 'tools',
+  // Path 2: Firebase ID token → exchange for user's API key
+  if (code) {
+    try {
+      const admin = Manager.libraries?.admin;
+
+      if (!admin) {
+        return sendJson(res, 500, {
+          error: 'server_error',
+          error_description: 'Firebase Admin not available.',
+        });
+      }
+
+      const decoded = await admin.auth().verifyIdToken(code);
+      const uid = decoded.uid;
+
+      const userDoc = await admin.firestore().doc(`users/${uid}`).get();
+
+      if (!userDoc.exists) {
+        return sendJson(res, 401, {
+          error: 'invalid_grant',
+          error_description: 'User not found.',
+        });
+      }
+
+      const userData = userDoc.data();
+      let apiKey = userData?.api?.privateKey;
+
+      // Generate an API key if the user doesn't have one
+      if (!apiKey) {
+        const { v4: uuidv4 } = require('uuid');
+        apiKey = `pk_${uuidv4().replace(/-/g, '')}`;
+
+        await admin.firestore().doc(`users/${uid}`).set(
+          { api: { privateKey: apiKey } },
+          { merge: true },
+        );
+      }
+
+      return sendJson(res, 200, {
+        access_token: apiKey,
+        token_type: 'Bearer',
+        scope: 'tools',
+      });
+    } catch (error) {
+      return sendJson(res, 401, {
+        error: 'invalid_grant',
+        error_description: error.message || 'Invalid authorization code.',
+      });
+    }
+  }
+
+  sendJson(res, 401, {
+    error: 'invalid_grant',
+    error_description: 'Missing authorization code.',
+  });
+}
+
+/**
+ * OAuth Dynamic Client Registration (RFC 7591)
+ * MCP clients register themselves before starting the auth flow.
+ * We accept any client and return a generated client_id.
+ */
+function handleRegister(req, res) {
+  if (req.method !== 'POST') {
+    return sendJson(res, 405, { error: 'Method not allowed' });
+  }
+
+  const body = req.body || {};
+  const { v4: uuidv4 } = require('uuid');
+  const clientId = `mcp_${uuidv4().replace(/-/g, '')}`;
+
+  sendJson(res, 201, {
+    client_id: clientId,
+    client_name: body.client_name || 'MCP Client',
+    redirect_uris: body.redirect_uris || [],
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    token_endpoint_auth_method: 'none',
   });
 }
 
 /**
- * MCP Protocol — stateless Streamable HTTP transport
+ * MCP Protocol — stateless Streamable HTTP transport with role-based tool filtering
  */
 async function handleMcpProtocol(req, res, options) {
   const { Manager } = options;
 
-  // Authenticate via Bearer token
+  // Extract Bearer token
   const authHeader = req.headers.authorization || '';
-  const key = authHeader.replace(/^Bearer\s+/i, '');
+  const token = authHeader.replace(/^Bearer\s+/i, '');
 
-  if (!isValidKey(key)) {
-    // Return 401 with OAuth discovery hint
+  // No token → 401 to trigger the OAuth flow (MCP spec requires this)
+  if (!token) {
     const protocol = req.headers['x-forwarded-proto'] || req.protocol || 'https';
     const host = req.headers['x-forwarded-host'] || req.headers.host || '';
     const baseUrl = `${protocol}://${host}`;
     res.writeHead(401, {
       'Content-Type': 'application/json',
-      'WWW-Authenticate': `Bearer resource_metadata="${baseUrl}/backend-manager/.well-known/oauth-protected-resource"`,
+      'WWW-Authenticate': `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`,
     });
     res.end(JSON.stringify({ error: 'Unauthorized' }));
     return;
   }
 
+  // Classify the token
+  const authInfo = resolveAuthInfo(token);
+
+  // Load and merge consumer tools (consumer overrides win)
+  const cwd = Manager.cwd || '';
+  const consumerTools = getConsumerTools(cwd);
+  const toolMap = buildToolMap(builtinTools, consumerTools);
+  const allTools = Array.from(toolMap.values());
+
+  // Filter by role
+  const visibleTools = filterToolsByRole(allTools, authInfo.role);
+
   // Only POST supported in stateless mode
   if (req.method !== 'POST') {
     if (req.method === 'DELETE') {
@@ -239,9 +341,13 @@ async function handleMcpProtocol(req, res, options) {
     });
   }
 
-  // Determine the API URL for internal HTTP calls
-  const apiUrl = Manager.project?.apiUrl || 'http://localhost:5002';
-  const client = new BEMClient({ baseUrl: apiUrl, backendManagerKey: key });
+  // Build client with appropriate auth
+  const apiUrl = Manager.getApiUrl();
+  const client = new BEMClient({
+    baseUrl: apiUrl,
+    backendManagerKey: authInfo.role === 'admin' ? token : '',
+    userToken: authInfo.role === 'user' ? token : '',
+  });
 
   // Create a fresh stateless transport
   const transport = new StreamableHTTPServerTransport({
@@ -261,13 +367,15 @@ async function handleMcpProtocol(req, res, options) {
     },
   );
 
-  // List tools
+  // List tools — role-filtered
   server.setRequestHandler(ListToolsRequestSchema, async () => {
     return {
-      tools: tools.map((tool) => ({
+      tools: visibleTools.map((tool) => ({
         name: tool.name,
         description: tool.description,
         inputSchema: tool.inputSchema,
+        outputSchema: tool.outputSchema,
+        annotations: tool.annotations,
       })),
     };
   });
@@ -275,9 +383,10 @@ async function handleMcpProtocol(req, res, options) {
   // Call tools
   server.setRequestHandler(CallToolRequestSchema, async (request) => {
     const { name, arguments: args } = request.params;
-    const tool = toolMap[name];
+    const tool = toolMap.get(name);
 
-    if (!tool) {
+    // Defense-in-depth: tool must exist AND be in the visible set
+    if (!tool || !visibleTools.some((t) => t.name === name)) {
       return {
         content: [{ type: 'text', text: `Unknown tool: ${name}` }],
         isError: true,
@@ -285,6 +394,26 @@ async function handleMcpProtocol(req, res, options) {
     }
 
     try {
+      // Handler-based consumer tools execute directly
+      if (tool.handler && tool._consumer) {
+        const result = await tool.handler({
+          Manager,
+          assistant: Manager.assistant,
+          user: null,
+          params: args || {},
+          libraries: Manager.libraries,
+        });
+
+        const text = typeof result === 'string'
+          ? result
+          : JSON.stringify(result, null, 2);
+
+        return {
+          content: [{ type: 'text', text }],
+        };
+      }
+
+      // Route-based tools call via HTTP
       const response = await client.call(tool.method, tool.path, args || {});
 
       const text = typeof response === 'string'
@@ -300,7 +429,7 @@ async function handleMcpProtocol(req, res, options) {
         : error.message;
 
       return {
-        content: [{ type: 'text', text: `Error calling ${tool.path}: ${message}` }],
+        content: [{ type: 'text', text: `Error calling ${name}: ${message}` }],
         isError: true,
       };
     }
@@ -317,15 +446,39 @@ async function handleMcpProtocol(req, res, options) {
 
 // --- Helpers ---
 
-/**
- * Validate a key against the configured backendManagerKey.
- * Returns false if either the key or the config key is empty/missing.
- */
-function isValidKey(key) {
+function isAdminKey(key) {
   const configKey = process.env.BACKEND_MANAGER_KEY || '';
   return !!key && !!configKey && key === configKey;
 }
 
+function resolveConsumerAuthUrl(Manager) {
+  // Check backend-manager-config.json for explicit mcp.authUrl
+  const mcpConfig = Manager.config?.mcp || {};
+
+  if (mcpConfig.authUrl) {
+    return mcpConfig.authUrl;
+  }
+
+  // Use getWebsiteUrl() — auto-resolves to localhost in dev/testing, production otherwise
+  const websiteUrl = Manager.getWebsiteUrl ? Manager.getWebsiteUrl() : null;
+
+  if (websiteUrl) {
+    return `${websiteUrl.replace(/\/+$/, '')}/token`;
+  }
+
+  return null;
+}
+
+function redirectWithCode(res, redirectUri, code, state) {
+  const url = new URL(redirectUri);
+  url.searchParams.set('code', code);
+  if (state) {
+    url.searchParams.set('state', state);
+  }
+  res.writeHead(302, { Location: url.toString() });
+  res.end();
+}
+
 function sendJson(res, code, data) {
   res.writeHead(code, { 'Content-Type': 'application/json' });
   res.end(JSON.stringify(data));

package/src/mcp/index.js

@@ -1,13 +1,15 @@
 #!/usr/bin/env node
 
 /**
- * BEM MCP Server
+ * BEM MCP Server (Stdio Transport)
  *
  * Exposes Backend Manager routes as MCP tools so Claude (or any MCP client)
  * can interact with a running BEM instance — local or production.
  *
  * Usage:
- *   npx bm mcp
+ *   npx bm mcp                       # admin (uses BACKEND_MANAGER_KEY)
+ *   npx bm mcp --token <api-key>     # user-level (uses API key)
+ *   npx bm mcp                       # public-only (no key, no token)
  *
  * Environment variables:
  *   BEM_URL              - BEM server URL (default: http://localhost:5002)
@@ -17,7 +19,8 @@ const { Server } = require('@modelcontextprotocol/sdk/server/index.js');
 const { StdioServerTransport } = require('@modelcontextprotocol/sdk/server/stdio.js');
 const { ListToolsRequestSchema, CallToolRequestSchema } = require('@modelcontextprotocol/sdk/types.js');
 const BEMClient = require('./client.js');
-const tools = require('./tools.js');
+const builtinTools = require('./tools.js');
+const { resolveAuthInfo, filterToolsByRole, loadConsumerTools, buildToolMap } = require('./utils.js');
 const packageJSON = require('../../package.json');
 
 /**
@@ -25,6 +28,8 @@ const packageJSON = require('../../package.json');
  * @param {object} options
  * @param {string} options.baseUrl - BEM server URL
  * @param {string} options.backendManagerKey - Admin API key
+ * @param {string} options.userToken - User API key (for user-level connections)
+ * @param {string} options.cwd - Consumer project functions directory (for consumer tool discovery)
  */
 async function startServer(options) {
   options = options || {};
@@ -35,12 +40,30 @@ async function startServer(options) {
   const backendManagerKey = options.backendManagerKey
     || process.env.BACKEND_MANAGER_KEY
     || '';
+  const userToken = options.userToken || '';
 
-  if (!backendManagerKey) {
-    console.error('[BEM MCP] Warning: No BACKEND_MANAGER_KEY set. Admin routes will fail.');
+  // Determine auth role
+  const token = backendManagerKey || userToken || '';
+  const authInfo = resolveAuthInfo(token);
+
+  if (authInfo.role === 'public') {
+    console.error('[BEM MCP] No key or token set. Only public tools will be available.');
   }
 
-  const client = new BEMClient({ baseUrl, backendManagerKey });
+  // Build client with appropriate auth
+  const client = new BEMClient({
+    baseUrl,
+    backendManagerKey: authInfo.role === 'admin' ? token : '',
+    userToken: authInfo.role === 'user' ? token : '',
+  });
+
+  // Load and merge consumer tools (consumer overrides win)
+  const consumerTools = loadConsumerTools(options.cwd);
+  const toolMap = buildToolMap(builtinTools, consumerTools);
+  const allTools = Array.from(toolMap.values());
+
+  // Filter by role
+  const visibleTools = filterToolsByRole(allTools, authInfo.role);
 
   // Create the MCP server
   const server = new Server(
@@ -55,19 +78,15 @@ async function startServer(options) {
     },
   );
 
-  // Build a lookup map for tool definitions
-  const toolMap = {};
-  for (const tool of tools) {
-    toolMap[tool.name] = tool;
-  }
-
-  // Handle tools/list — return all tool definitions
+  // Handle tools/list — return role-filtered tool definitions
   server.setRequestHandler(ListToolsRequestSchema, async () => {
     return {
-      tools: tools.map((tool) => ({
+      tools: visibleTools.map((tool) => ({
         name: tool.name,
         description: tool.description,
         inputSchema: tool.inputSchema,
+        outputSchema: tool.outputSchema,
+        annotations: tool.annotations,
       })),
     };
   });
@@ -75,19 +94,26 @@ async function startServer(options) {
   // Handle tools/call — execute the requested tool
   server.setRequestHandler(CallToolRequestSchema, async (request) => {
     const { name, arguments: args } = request.params;
-    const tool = toolMap[name];
+    const tool = toolMap.get(name);
 
-    if (!tool) {
+    if (!tool || !visibleTools.some((t) => t.name === name)) {
       return {
         content: [{ type: 'text', text: `Unknown tool: ${name}` }],
         isError: true,
       };
     }
 
+    // Handler-based consumer tools require HTTP transport
+    if (tool.handler && !tool.path) {
+      return {
+        content: [{ type: 'text', text: `Tool "${name}" requires HTTP transport (handler-based tools cannot run over stdio).` }],
+        isError: true,
+      };
+    }
+
     try {
       const response = await client.call(tool.method, tool.path, args || {});
 
-      // Format the response for the LLM
       const text = typeof response === 'string'
         ? response
         : JSON.stringify(response, null, 2);
@@ -113,7 +139,11 @@ async function startServer(options) {
 
   // Log to stderr (stdout is reserved for MCP protocol)
   console.error(`[BEM MCP] Server running — connected to ${baseUrl}`);
-  console.error(`[BEM MCP] ${tools.length} tools available`);
+  console.error(`[BEM MCP] Role: ${authInfo.role} | ${visibleTools.length}/${allTools.length} tools available`);
+
+  if (consumerTools.length > 0) {
+    console.error(`[BEM MCP] ${consumerTools.length} consumer tool(s) loaded`);
+  }
 }
 
 // Allow direct execution or require