burn-mcp-server 1.2.0 → 1.4.0

package/dist/index.js

@@ -13,6 +13,7 @@ const SUPABASE_ANON_KEY = process.env.BURN_SUPABASE_ANON_KEY || 'sb_publishable_
 // Support both old JWT token (BURN_SUPABASE_TOKEN) and new long-lived MCP token (BURN_MCP_TOKEN)
 const MCP_TOKEN = process.env.BURN_MCP_TOKEN;
 const LEGACY_JWT = process.env.BURN_SUPABASE_TOKEN;
+const EXCHANGE_URL = process.env.BURN_MCP_EXCHANGE_URL || 'https://api.burn451.cloud/api/mcp-exchange';
 if (!MCP_TOKEN && !LEGACY_JWT) {
     console.error('Error: BURN_MCP_TOKEN environment variable is required.');
     console.error('Get your token from: Burn App → Settings → MCP Server → Generate Token');
@@ -30,31 +31,111 @@ const supabase = (0, supabase_js_1.createClient)(SUPABASE_URL, SUPABASE_ANON_KEY
 });
 // ---------------------------------------------------------------------------
 // Auth: exchange MCP token for a real Supabase session (auto-refreshes)
+// Caches session locally so exchange is only needed on first run or token expiry
 // ---------------------------------------------------------------------------
+const node_os_1 = require("node:os");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const SESSION_CACHE_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), '.burn');
+const SESSION_CACHE_FILE = (0, node_path_1.join)(SESSION_CACHE_DIR, 'mcp-session.json');
+function loadCachedSession() {
+    try {
+        const raw = (0, node_fs_1.readFileSync)(SESSION_CACHE_FILE, 'utf-8');
+        const data = JSON.parse(raw);
+        if (data.access_token && data.refresh_token)
+            return data;
+    }
+    catch { /* no cache or invalid */ }
+    return null;
+}
+function saveCachedSession(access_token, refresh_token) {
+    try {
+        (0, node_fs_1.mkdirSync)(SESSION_CACHE_DIR, { recursive: true });
+        (0, node_fs_1.writeFileSync)(SESSION_CACHE_FILE, JSON.stringify({ access_token, refresh_token }), { mode: 0o600 });
+    }
+    catch { /* non-fatal — next startup will re-exchange */ }
+}
 async function initAuth() {
     if (LEGACY_JWT)
         return; // legacy mode: JWT already set in headers above
-    // Call SECURITY DEFINER function — works with anon key, no JWT needed
-    const { data, error } = await supabase.rpc('get_mcp_session', { p_token: MCP_TOKEN });
-    if (error || !data || data.length === 0) {
-        console.error('Error: Invalid or revoked BURN_MCP_TOKEN.');
-        console.error('Generate a new token in Burn App → Settings → MCP Server → Generate Token');
-        process.exit(1);
+    // Step 1: Try cached session (avoids network call on every restart)
+    const cached = loadCachedSession();
+    if (cached) {
+        const { error } = await supabase.auth.setSession(cached);
+        if (!error) {
+            // Listen for token refresh so we keep the cache fresh
+            supabase.auth.onAuthStateChange((_event, session) => {
+                if (session?.access_token && session?.refresh_token) {
+                    saveCachedSession(session.access_token, session.refresh_token);
+                }
+            });
+            console.error('Burn MCP: restored session from cache (no network needed)');
+            return;
+        }
+        console.error('Burn MCP: cached session expired, re-exchanging...');
+    }
+    // Step 2: Exchange MCP token for a fresh Supabase session via Vercel API
+    try {
+        const resp = await fetch(EXCHANGE_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ token: MCP_TOKEN }),
+        });
+        if (!resp.ok) {
+            const body = await resp.json().catch(() => ({}));
+            console.error(`Error: Token exchange failed (${resp.status}): ${body.error || 'Unknown'}`);
+            console.error('Tokens expire after 30 days. Generate a new one in Burn App → Settings → MCP Server.');
+            process.exit(1);
+        }
+        const { access_token, refresh_token } = await resp.json();
+        const { error: sessionError } = await supabase.auth.setSession({
+            access_token,
+            refresh_token,
+        });
+        if (sessionError) {
+            console.error('Error: Failed to set session.', sessionError.message);
+            process.exit(1);
+        }
+        // Cache for next startup + listen for refresh
+        saveCachedSession(access_token, refresh_token);
+        supabase.auth.onAuthStateChange((_event, session) => {
+            if (session?.access_token && session?.refresh_token) {
+                saveCachedSession(session.access_token, session.refresh_token);
+            }
+        });
+        console.error('Burn MCP: session exchanged and cached');
     }
-    const { refresh_token } = data[0];
-    const { error: refreshError } = await supabase.auth.refreshSession({ refresh_token });
-    if (refreshError) {
-        console.error('Error: Failed to refresh session with stored token.', refreshError.message);
+    catch (err) {
+        console.error('Error: Could not reach token exchange endpoint.', err.message);
+        console.error(`URL: ${EXCHANGE_URL}`);
         process.exit(1);
     }
-    // supabase client now has a valid session and will auto-refresh going forward
+}
+// ---------------------------------------------------------------------------
+// Rate limiter — simple sliding window (per MCP session, in-memory)
+// ---------------------------------------------------------------------------
+const RATE_LIMIT_WINDOW_MS = 60000; // 1 minute
+const RATE_LIMIT_MAX_CALLS = 30; // max tool calls per window
+const rateLimitLog = [];
+function checkRateLimit() {
+    const now = Date.now();
+    // Remove entries outside the window
+    while (rateLimitLog.length > 0 && rateLimitLog[0] < now - RATE_LIMIT_WINDOW_MS) {
+        rateLimitLog.shift();
+    }
+    if (rateLimitLog.length >= RATE_LIMIT_MAX_CALLS) {
+        const retryAfter = Math.ceil((rateLimitLog[0] + RATE_LIMIT_WINDOW_MS - now) / 1000);
+        return `Rate limit exceeded (${RATE_LIMIT_MAX_CALLS} calls/min). Retry after ${retryAfter}s.`;
+    }
+    rateLimitLog.push(now);
+    return null;
 }
 // ---------------------------------------------------------------------------
 // MCP Server
 // ---------------------------------------------------------------------------
 const server = new mcp_js_1.McpServer({
     name: 'burn-mcp-server',
-    version: '1.2.0',
+    version: '1.3.0',
 });
 // ---------------------------------------------------------------------------
 // Helper: standard text result
@@ -114,8 +195,17 @@ function metaSummary(row) {
     };
 }
 // ---------------------------------------------------------------------------
-// Tool handlers
+// Tool handlers (all wrapped with rate limiting)
 // ---------------------------------------------------------------------------
+/** Wrap a handler with rate limiting */
+function rateLimited(handler) {
+    return async (args) => {
+        const err = checkRateLimit();
+        if (err)
+            return textResult(err);
+        return handler(args);
+    };
+}
 async function handleSearchVault(args) {
     const { query, limit } = args;
     const { data, error } = await supabase
@@ -240,7 +330,7 @@ async function handleGetArticleContent(args) {
 // Vercel API base URL for content fetching
 // ---------------------------------------------------------------------------
 const API_BASE = process.env.BURN_API_URL || 'https://api.burn451.cloud';
-const API_KEY = 'burn451-2026-secret-key';
+const API_KEY = process.env.BURN_API_KEY || 'burn451-2026-secret-key';
 /** Detect platform from URL */
 function detectPlatform(url) {
     if (/x\.com|twitter\.com/i.test(url))
@@ -459,16 +549,16 @@ async function handleListVault(args) {
 // Register tools
 // ---------------------------------------------------------------------------
 // @ts-expect-error — MCP SDK 1.27 TS2589: type instantiation too deep with multiple .tool() calls
-server.tool('search_vault', 'Search your Burn Vault for bookmarks by keyword (searches title, tags, AI takeaway)', { query: zod_1.z.string().describe('Search keyword'), limit: zod_1.z.number().optional().describe('Max results (default 10)') }, handleSearchVault);
-server.tool('list_vault', 'List bookmarks in your Vault, optionally filtered by category', { limit: zod_1.z.number().optional().describe('Max results (default 20)'), category: zod_1.z.string().optional().describe('Filter by vault category') }, handleListVault);
-server.tool('list_sparks', 'List your Sparks (bookmarks you have read, with 30-day lifespan). Includes spark insight and expiry date.', { limit: zod_1.z.number().optional().describe('Max results (default 20)') }, handleListSparks);
-server.tool('search_sparks', 'Search your Sparks by keyword (searches title, tags, AI takeaway, spark insight)', { query: zod_1.z.string().describe('Search keyword'), limit: zod_1.z.number().optional().describe('Max results (default 10)') }, handleSearchSparks);
-server.tool('get_bookmark', 'Get full details of a single bookmark including AI analysis and extracted content', { id: zod_1.z.string().describe('Bookmark UUID') }, handleGetBookmark);
-server.tool('get_article_content', 'Get full article content and AI analysis for a bookmark by ID (same as get_bookmark)', { id: zod_1.z.string().describe('Bookmark UUID') }, handleGetArticleContent);
-server.tool('fetch_content', 'Fetch article/tweet content from a URL. Works with X.com (bypasses GFW via proxy), Reddit, YouTube, Bilibili, WeChat, and any web page. First checks Supabase cache, then fetches live.', { url: zod_1.z.string().describe('The URL to fetch content from') }, handleFetchContent);
-server.tool('list_categories', 'List all Vault categories with article counts', {}, handleListCategories);
-server.tool('get_collections', 'List all your Collections with article counts and AI overview themes', {}, handleGetCollections);
-server.tool('get_collection_overview', 'Get a Collection by name with its AI overview and linked bookmarks metadata', { name: zod_1.z.string().describe('Collection name') }, handleGetCollectionOverview);
+server.tool('search_vault', 'Search your Burn Vault for bookmarks by keyword (searches title, tags, AI takeaway)', { query: zod_1.z.string().describe('Search keyword'), limit: zod_1.z.number().optional().describe('Max results (default 10)') }, rateLimited(handleSearchVault));
+server.tool('list_vault', 'List bookmarks in your Vault, optionally filtered by category', { limit: zod_1.z.number().optional().describe('Max results (default 20)'), category: zod_1.z.string().optional().describe('Filter by vault category') }, rateLimited(handleListVault));
+server.tool('list_sparks', 'List your Sparks (bookmarks you have read, with 30-day lifespan). Includes spark insight and expiry date.', { limit: zod_1.z.number().optional().describe('Max results (default 20)') }, rateLimited(handleListSparks));
+server.tool('search_sparks', 'Search your Sparks by keyword (searches title, tags, AI takeaway, spark insight)', { query: zod_1.z.string().describe('Search keyword'), limit: zod_1.z.number().optional().describe('Max results (default 10)') }, rateLimited(handleSearchSparks));
+server.tool('get_bookmark', 'Get full details of a single bookmark including AI analysis and extracted content', { id: zod_1.z.string().describe('Bookmark UUID') }, rateLimited(handleGetBookmark));
+server.tool('get_article_content', 'Get full article content and AI analysis for a bookmark by ID (same as get_bookmark)', { id: zod_1.z.string().describe('Bookmark UUID') }, rateLimited(handleGetArticleContent));
+server.tool('fetch_content', 'Fetch article/tweet content from a URL. Works with X.com (bypasses GFW via proxy), Reddit, YouTube, Bilibili, WeChat, and any web page. First checks Supabase cache, then fetches live.', { url: zod_1.z.string().describe('The URL to fetch content from') }, rateLimited(handleFetchContent));
+server.tool('list_categories', 'List all Vault categories with article counts', {}, rateLimited(handleListCategories));
+server.tool('get_collections', 'List all your Collections with article counts and AI overview themes', {}, rateLimited(handleGetCollections));
+server.tool('get_collection_overview', 'Get a Collection by name with its AI overview and linked bookmarks metadata', { name: zod_1.z.string().describe('Collection name') }, rateLimited(handleGetCollectionOverview));
 // ---------------------------------------------------------------------------
 // Resource: burn://vault/bookmarks
 // ---------------------------------------------------------------------------

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "burn-mcp-server",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "MCP Server for Burn — access your Vault from Claude/Cursor",
   "main": "dist/index.js",
   "bin": {

package/src/index.ts

@@ -15,6 +15,7 @@ const SUPABASE_ANON_KEY = process.env.BURN_SUPABASE_ANON_KEY || 'sb_publishable_
 // Support both old JWT token (BURN_SUPABASE_TOKEN) and new long-lived MCP token (BURN_MCP_TOKEN)
 const MCP_TOKEN = process.env.BURN_MCP_TOKEN
 const LEGACY_JWT = process.env.BURN_SUPABASE_TOKEN
+const EXCHANGE_URL = process.env.BURN_MCP_EXCHANGE_URL || 'https://api.burn451.cloud/api/mcp-exchange'
 
 if (!MCP_TOKEN && !LEGACY_JWT) {
   console.error('Error: BURN_MCP_TOKEN environment variable is required.')
@@ -36,26 +37,114 @@ const supabase: SupabaseClient = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
 
 // ---------------------------------------------------------------------------
 // Auth: exchange MCP token for a real Supabase session (auto-refreshes)
+// Caches session locally so exchange is only needed on first run or token expiry
 // ---------------------------------------------------------------------------
 
+import { homedir } from 'node:os'
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs'
+import { join } from 'node:path'
+
+const SESSION_CACHE_DIR = join(homedir(), '.burn')
+const SESSION_CACHE_FILE = join(SESSION_CACHE_DIR, 'mcp-session.json')
+
+function loadCachedSession(): { access_token: string; refresh_token: string } | null {
+  try {
+    const raw = readFileSync(SESSION_CACHE_FILE, 'utf-8')
+    const data = JSON.parse(raw)
+    if (data.access_token && data.refresh_token) return data
+  } catch { /* no cache or invalid */ }
+  return null
+}
+
+function saveCachedSession(access_token: string, refresh_token: string): void {
+  try {
+    mkdirSync(SESSION_CACHE_DIR, { recursive: true })
+    writeFileSync(SESSION_CACHE_FILE, JSON.stringify({ access_token, refresh_token }), { mode: 0o600 })
+  } catch { /* non-fatal — next startup will re-exchange */ }
+}
+
 async function initAuth(): Promise<void> {
   if (LEGACY_JWT) return // legacy mode: JWT already set in headers above
 
-  // Call SECURITY DEFINER function — works with anon key, no JWT needed
-  const { data, error } = await supabase.rpc('get_mcp_session', { p_token: MCP_TOKEN })
-  if (error || !data || data.length === 0) {
-    console.error('Error: Invalid or revoked BURN_MCP_TOKEN.')
-    console.error('Generate a new token in Burn App → Settings → MCP Server → Generate Token')
-    process.exit(1)
+  // Step 1: Try cached session (avoids network call on every restart)
+  const cached = loadCachedSession()
+  if (cached) {
+    const { error } = await supabase.auth.setSession(cached)
+    if (!error) {
+      // Listen for token refresh so we keep the cache fresh
+      supabase.auth.onAuthStateChange((_event, session) => {
+        if (session?.access_token && session?.refresh_token) {
+          saveCachedSession(session.access_token, session.refresh_token)
+        }
+      })
+      console.error('Burn MCP: restored session from cache (no network needed)')
+      return
+    }
+    console.error('Burn MCP: cached session expired, re-exchanging...')
   }
 
-  const { refresh_token } = data[0]
-  const { error: refreshError } = await supabase.auth.refreshSession({ refresh_token })
-  if (refreshError) {
-    console.error('Error: Failed to refresh session with stored token.', refreshError.message)
+  // Step 2: Exchange MCP token for a fresh Supabase session via Vercel API
+  try {
+    const resp = await fetch(EXCHANGE_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token: MCP_TOKEN }),
+    })
+
+    if (!resp.ok) {
+      const body = await resp.json().catch(() => ({})) as any
+      console.error(`Error: Token exchange failed (${resp.status}): ${body.error || 'Unknown'}`)
+      console.error('Tokens expire after 30 days. Generate a new one in Burn App → Settings → MCP Server.')
+      process.exit(1)
+    }
+
+    const { access_token, refresh_token } = await resp.json() as any
+
+    const { error: sessionError } = await supabase.auth.setSession({
+      access_token,
+      refresh_token,
+    })
+    if (sessionError) {
+      console.error('Error: Failed to set session.', sessionError.message)
+      process.exit(1)
+    }
+
+    // Cache for next startup + listen for refresh
+    saveCachedSession(access_token, refresh_token)
+    supabase.auth.onAuthStateChange((_event, session) => {
+      if (session?.access_token && session?.refresh_token) {
+        saveCachedSession(session.access_token, session.refresh_token)
+      }
+    })
+    console.error('Burn MCP: session exchanged and cached')
+  } catch (err: any) {
+    console.error('Error: Could not reach token exchange endpoint.', err.message)
+    console.error(`URL: ${EXCHANGE_URL}`)
     process.exit(1)
   }
-  // supabase client now has a valid session and will auto-refresh going forward
+}
+
+// ---------------------------------------------------------------------------
+// Rate limiter — simple sliding window (per MCP session, in-memory)
+// ---------------------------------------------------------------------------
+
+const RATE_LIMIT_WINDOW_MS = 60_000 // 1 minute
+const RATE_LIMIT_MAX_CALLS = 30     // max tool calls per window
+
+const rateLimitLog: number[] = []
+
+function checkRateLimit(): string | null {
+  const now = Date.now()
+  // Remove entries outside the window
+  while (rateLimitLog.length > 0 && rateLimitLog[0] < now - RATE_LIMIT_WINDOW_MS) {
+    rateLimitLog.shift()
+  }
+  if (rateLimitLog.length >= RATE_LIMIT_MAX_CALLS) {
+    const retryAfter = Math.ceil((rateLimitLog[0] + RATE_LIMIT_WINDOW_MS - now) / 1000)
+    return `Rate limit exceeded (${RATE_LIMIT_MAX_CALLS} calls/min). Retry after ${retryAfter}s.`
+  }
+  rateLimitLog.push(now)
+  return null
 }
 
 // ---------------------------------------------------------------------------
@@ -64,7 +153,7 @@ async function initAuth(): Promise<void> {
 
 const server = new McpServer({
   name: 'burn-mcp-server',
-  version: '1.2.0',
+  version: '1.3.0',
 })
 
 // ---------------------------------------------------------------------------
@@ -130,9 +219,18 @@ function metaSummary(row: any): any {
 }
 
 // ---------------------------------------------------------------------------
-// Tool handlers
+// Tool handlers (all wrapped with rate limiting)
 // ---------------------------------------------------------------------------
 
+/** Wrap a handler with rate limiting */
+function rateLimited<T>(handler: (args: T) => Promise<{ content: { type: 'text'; text: string }[] }>) {
+  return async (args: T) => {
+    const err = checkRateLimit()
+    if (err) return textResult(err)
+    return handler(args)
+  }
+}
+
 async function handleSearchVault(args: { query: string; limit?: number }) {
   const { query, limit } = args
   const { data, error } = await supabase
@@ -279,7 +377,7 @@ async function handleGetArticleContent(args: { id: string }) {
 // ---------------------------------------------------------------------------
 
 const API_BASE = process.env.BURN_API_URL || 'https://api.burn451.cloud'
-const API_KEY = 'burn451-2026-secret-key'
+const API_KEY = process.env.BURN_API_KEY || 'burn451-2026-secret-key'
 
 /** Detect platform from URL */
 function detectPlatform(url: string): string {
@@ -525,70 +623,70 @@ server.tool(
   'search_vault',
   'Search your Burn Vault for bookmarks by keyword (searches title, tags, AI takeaway)',
   { query: z.string().describe('Search keyword'), limit: z.number().optional().describe('Max results (default 10)') },
-  handleSearchVault
+  rateLimited(handleSearchVault)
 )
 
 server.tool(
   'list_vault',
   'List bookmarks in your Vault, optionally filtered by category',
   { limit: z.number().optional().describe('Max results (default 20)'), category: z.string().optional().describe('Filter by vault category') },
-  handleListVault
+  rateLimited(handleListVault)
 )
 
 server.tool(
   'list_sparks',
   'List your Sparks (bookmarks you have read, with 30-day lifespan). Includes spark insight and expiry date.',
   { limit: z.number().optional().describe('Max results (default 20)') },
-  handleListSparks
+  rateLimited(handleListSparks)
 )
 
 server.tool(
   'search_sparks',
   'Search your Sparks by keyword (searches title, tags, AI takeaway, spark insight)',
   { query: z.string().describe('Search keyword'), limit: z.number().optional().describe('Max results (default 10)') },
-  handleSearchSparks
+  rateLimited(handleSearchSparks)
 )
 
 server.tool(
   'get_bookmark',
   'Get full details of a single bookmark including AI analysis and extracted content',
   { id: z.string().describe('Bookmark UUID') },
-  handleGetBookmark
+  rateLimited(handleGetBookmark)
 )
 
 server.tool(
   'get_article_content',
   'Get full article content and AI analysis for a bookmark by ID (same as get_bookmark)',
   { id: z.string().describe('Bookmark UUID') },
-  handleGetArticleContent
+  rateLimited(handleGetArticleContent)
 )
 
 server.tool(
   'fetch_content',
   'Fetch article/tweet content from a URL. Works with X.com (bypasses GFW via proxy), Reddit, YouTube, Bilibili, WeChat, and any web page. First checks Supabase cache, then fetches live.',
   { url: z.string().describe('The URL to fetch content from') },
-  handleFetchContent
+  rateLimited(handleFetchContent)
 )
 
 server.tool(
   'list_categories',
   'List all Vault categories with article counts',
   {},
-  handleListCategories
+  rateLimited(handleListCategories)
 )
 
 server.tool(
   'get_collections',
   'List all your Collections with article counts and AI overview themes',
   {},
-  handleGetCollections
+  rateLimited(handleGetCollections)
 )
 
 server.tool(
   'get_collection_overview',
   'Get a Collection by name with its AI overview and linked bookmarks metadata',
   { name: z.string().describe('Collection name') },
-  handleGetCollectionOverview
+  rateLimited(handleGetCollectionOverview)
 )
 
 // ---------------------------------------------------------------------------