chaimi-keep-mcp 3.4.0 → 3.5.0-beta.1

package/.env.example

@@ -0,0 +1,24 @@
+# 环境配置示例
+# 将此文件复制为 .env 并填入实际值
+
+# 环境选择：development 或 production
+NODE_ENV=production
+
+# API 签名密钥（生产环境建议使用强密钥）
+CHAIMI_API_SECRET=your-chaimi-api-secret-here
+
+# URL 加密密钥（用于解密云函数 URL）
+URL_ENCRYPT_KEY=your-url-encrypt-key-here
+
+# ====================
+# 开发环境配置
+# ====================
+# 开发环境的云函数 URL（仅 NODE_ENV=development 时使用）
+# MCP_HUB_URL=http://localhost:3000/mcpHub
+# MCP_OAUTH_URL=http://localhost:3000/mcpOAuth
+# MCP_PROMPT_URL=http://localhost:3000/mcpPrompt
+
+# ====================
+# 生产环境配置
+# ====================
+# 生产环境使用加密存储在代码中的 URL，无需在此配置

package/bin/cli.js

@@ -21,12 +21,7 @@ const serverPath = path.join(__dirname, '..', 'server.js');
 const DEFAULT_CHAIMI_CONFIG = {
   command: 'chaimi-keep-mcp',
   description: '柴米AI记账 MCP Server - 支持 AI 工具直接记账',
-  env: {
-    MCP_OAUTH_URL: 'https://cloud1-2gfe5jhjef06b85d-1412172089.ap-shanghai.app.tcloudbase.com/mcpOAuth',
-    MCP_HUB_URL: 'https://cloud1-2gfe5jhjef06b85d-1412172089.ap-shanghai.app.tcloudbase.com/mcpHub-mcp',
-    MCP_PROMPT_URL: 'https://cloud1-2gfe5jhjef06b85d-1412172089.ap-shanghai.app.tcloudbase.com/mcpPrompt'
-  },
-  // 首次授权时需要常驻运行，等待用户授权（3分钟轮询）
+  // 首次授权时需要常驻运行，等待用户授权（30分钟轮询）
   // 授权成功后进程自动退出，下次调用时 mcporter 会重新启动
   lifecycle: 'keep-alive'
 };

package/oauth.js

@@ -505,7 +505,11 @@ class FileTokenStorage extends TokenStorage {
         agentName: agentName || '柴米AI助手',
         updatedAt: new Date().toISOString()
       };
-      await this.fs.writeFile(agentNamePath, JSON.stringify(data, null, 2), 'utf8');
+      // 使用 JSON.stringify 并转义处理，确保中文正常显示（不转义为 \uXXXX）
+      const jsonStr = JSON.stringify(data, null, 2)
+        .replace(/\\u[\dA-F]{4}/gi, (match) => 
+          String.fromCharCode(parseInt(match.replace(/\\u/g, ''), 16)));
+      await this.fs.writeFile(agentNamePath, jsonStr, 'utf8');
       console.error('✅ Agent 名称已保存:', agentNamePath);
     } catch (err) {
       console.error('❌ 保存 Agent 名称失败:', err.message);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chaimi-keep-mcp",
-  "version": "3.4.0",
+  "version": "3.5.0-beta.1",
   "description": "柴米AI记账 MCP Server - 支持 Claude、Cursor、OpenClaw、WorkBuddy 等 AI 工具直接记账",
   "main": "server.js",
   "bin": {

package/server.js

@@ -48,8 +48,11 @@ const { configManager } = require('./utils/config.js');
 // 导入校验工具
 const { validateDate } = require('./utils/validators.js');
 
-// API 签名密钥（用于验证请求来自合法 MCP Server）
-const CHAIMI_API_SECRET = 'chaimi-mcp-secret-2024';
+// 导入密钥管理工具
+const { getOrCreateSecretKey } = require('./utils/keyManager.js');
+
+// 导入加密工具
+const { encrypt, decrypt } = require('./utils/encryption.js');
 
 // ==================== 请求频率限制 ====================
 
@@ -138,36 +141,102 @@ function checkRateLimit(toolName) {
   return { allowed: true };
 }
 
-// URL 加密密钥
-const URL_ENCRYPT_KEY = 'chaimi-url-key-2024';
+// 获取 API 密钥（从环境变量或自动生成）
+let CHAIMI_API_SECRET = process.env.CHAIMI_API_SECRET;
+
+// ==================== 多环境配置 ====================
 
-// 加密的云函数 URL
+// 环境配置
+const ENV = process.env.NODE_ENV || 'production';
+
+// 加密的云函数 URL（开发和生产环境分开）
 const ENCRYPTED_URLS = {
-  hub: 'enc:v1:0b1c15191e53025a1100421e0148000057545156020903080f1d431054180f484819030203035158595043085d5801044c0502114c5b1e53441346150a01065811100d5e0e4b1a425f1f5f571320140b40044e05',
-  oauth: 'enc:v1:0b1c15191e53025a1100421e0148000057545156020903080f1d431054180f484819030203035158595043085d5801044c0502114c5b1e53441346150a01065811100d5e0e4b1a425f1f5f571327201c1901',
-  prompt: 'enc:v1:0b1c15191e53025a1100421e0148000057545156020903080f1d431054180f484819030203035158595043085d5801044c0502114c5b1e53441346150a01065811100d5e0e4b1a425f1f5f5713381306001959'
+  development: {
+    hub: 'enc:v2:d397243fce051c611175302dea8a7a54:8f0bc1dc6966e9149e8d3ecae2467830:cf61c7a159154d15aa1502deec2519931090ff791be67e89fd4e3b20322b2bea8071be02d768ec10abdc50b2d3e76df6dc44a6d46d61c2743acdef428205cc0e3534c93d94857cc91985db5fd69745053df05a87',
+    oauth: 'enc:v2:bff470f73af1723d6e320d39df72b342:eefb409dff5a4713931caa3886f9159c:18d0a711f31a5ba7e068e43d8bcce6b8fc56513d44ff3d90ab006063461b44025387e52cb2ce5ffe471a8a8f4b993879dcaa485dd1e845c647be134595467c4a00efc736d15abfcaa8d8cf460365fbf597e0',
+    prompt: 'enc:v2:a058c504374087a36417280f0bc4288d:ed5fc65a697c1254e8aeb9faa7119ec8:b8831fd319c35bc01554546827ce31bd04d2039fb87f0b6a19b35850ec228b6988b2103b1cc45a7bd21b117b299c5095a44e1ee4a4c2adb04e24a401e1271aff912503e2abb9cec03764b774df53e60b0686d3'
+  },
+  production: {
+    hub: 'enc:v2:500682dfbd51aff69852abe39430da35:3d57b5ac7f798c6770209159b6dfd9fb:7b9733f27208809b761090f7628f3799aac12c957cdd45b3d512eb4f1f1c18f626afd0b73b12982500122b11e373e0a2a71f14cb6c5966cf98af9ae4b9e79fb575d1e2f42ec403690d5c7dcc519e9eaec21865eb',
+    oauth: 'enc:v2:30adcae20bc1452e8e8c7eff088e8b61:b8bedcc9985d1e10185f8ae5c845cc9c:1b2206380eddcfc4d00ed920f20f838bfc664e2350591666db5a5c2b044a88165e0e7f04c58e2d4f0764bb9872aeaf625a91f7a19ce6909264115e7ce70b35c0c081eb4170cac869d3f8b576b7b4dc41580e',
+    prompt: 'enc:v2:beba836814161d59df3a2220ebc500ef:6023bde15c74be6bec641044a3f854de:4421b9f985a1914c06868c8577e57e26e3fd4fe4392c2c94862322fd30258eccae68fce6fd56e9a35427a724d3c22b735e9b5a822d05be098ae5e0662ea41c786e4acea12e4d80b598b543d346d7ccbdc32623'
+  }
 };
 
-// 解密 URL 函数
+// 解密 URL 函数（支持 AES-256-GCM）
 function decryptUrl(encrypted, key) {
-  const hex = encrypted.replace('enc:v1:', '');
-  let result = '';
-  for (let i = 0; i < hex.length; i += 2) {
-    const byte = parseInt(hex.substr(i, 2), 16);
-    result += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
+  if (!encrypted) return '';
+  
+  if (encrypted.startsWith('enc:v2:')) {
+    return decrypt(encrypted.replace('enc:v2:', ''), key);
+  }
+  
+  if (encrypted.startsWith('enc:v1:')) {
+    const urlEncryptKey = key || 'chaimi-url-key-2024';
+    const hex = encrypted.replace('enc:v1:', '');
+    let result = '';
+    for (let i = 0; i < hex.length; i += 2) {
+      const byte = parseInt(hex.substr(i, 2), 16);
+      result += String.fromCharCode(byte ^ urlEncryptKey.charCodeAt((i / 2) % urlEncryptKey.length));
+    }
+    return result;
   }
-  return result;
+  
+  return encrypted;
 }
 
-// 配置 - 微信云函数（运行时解密）
-const MCP_HUB_URL = process.env.MCP_HUB_URL || decryptUrl(ENCRYPTED_URLS.hub, URL_ENCRYPT_KEY);
-const MCP_PROMPT_URL = process.env.MCP_PROMPT_URL || decryptUrl(ENCRYPTED_URLS.prompt, URL_ENCRYPT_KEY);
-const MCP_OAUTH_URL = process.env.MCP_OAUTH_URL || decryptUrl(ENCRYPTED_URLS.oauth, URL_ENCRYPT_KEY);
+// ==================== URL 配置 ====================
 
-// Token 缓存
-let cachedToken = null;
+let MCP_HUB_URL;
+let MCP_PROMPT_URL;
+let MCP_OAUTH_URL;
+let tokenEncryptionKey;
+
+// 初始化配置
+async function initConfig() {
+  // 获取 URL 加密密钥
+  const urlEncryptKey = process.env.URL_ENCRYPT_KEY || 'd2e4168144a50c6d8d0c4692cd73331eb2bc1db0cd727afaf29ff9645d480e59';
+  
+  // 获取 Token 加密密钥
+  tokenEncryptionKey = getOrCreateSecretKey();
+  
+  // 获取 API 密钥
+  if (!CHAIMI_API_SECRET) {
+    CHAIMI_API_SECRET = process.env.CHAIMI_API_SECRET || 'chaimi-mcp-secret-2024';
+  }
+  
+  // 配置 URL
+  const envUrls = ENCRYPTED_URLS[ENV] || ENCRYPTED_URLS.production;
+  MCP_HUB_URL = process.env.MCP_HUB_URL || decryptUrl(envUrls.hub, urlEncryptKey);
+  MCP_PROMPT_URL = process.env.MCP_PROMPT_URL || decryptUrl(envUrls.prompt, urlEncryptKey);
+  MCP_OAUTH_URL = process.env.MCP_OAUTH_URL || decryptUrl(envUrls.oauth, urlEncryptKey);
+  
+  console.error(`✅ 已加载 ${ENV} 环境配置`);
+}
+
+// Token 缓存（加密存储）
+let cachedEncryptedToken = null;
 let tokenExpireTime = 0;
 
+// 获取解密的 Token
+function getCachedToken() {
+  if (!cachedEncryptedToken || !tokenEncryptionKey) return null;
+  try {
+    return decrypt(cachedEncryptedToken, tokenEncryptionKey);
+  } catch (e) {
+    return null;
+  }
+}
+
+// 设置加密的 Token
+function setCachedToken(token) {
+  if (!token || !tokenEncryptionKey) {
+    cachedEncryptedToken = null;
+    return;
+  }
+  cachedEncryptedToken = encrypt(token, tokenEncryptionKey);
+}
+
 // OAuth 管理器实例
 let oauthManager = null;
 
@@ -213,8 +282,8 @@ async function initOAuthManager() {
       // 检查 Token 是否过期（预留5分钟缓冲）
       const expiresAt = new Date(existingToken.expiresAt).getTime();
       if (expiresAt > Date.now() + 5 * 60 * 1000) {
-        // Token 有效，设置授权状态
-        cachedToken = existingToken.accessToken;
+        // Token 有效，设置授权状态（加密存储）
+        setCachedToken(existingToken.accessToken);
         tokenExpireTime = expiresAt;
         authState.isAuthorized = true;
         console.error('✅ 已从文件加载有效 Token，无需重新授权');
@@ -490,6 +559,7 @@ let lastRefreshTime = 0;
 
 async function getToken() {
   // 【优化1】优先检查内存中的 token 是否有效
+  const cachedToken = getCachedToken();
   if (cachedToken && tokenExpireTime > Date.now() + 5 * 60 * 1000) {
     if (Date.now() - lastRefreshTime < TOKEN_REFRESH_INTERVAL) {
       return cachedToken;
@@ -502,13 +572,13 @@ async function getToken() {
     if (existingToken && existingToken.accessToken && existingToken.expiresAt) {
       const expiresAt = new Date(existingToken.expiresAt).getTime();
       if (expiresAt > Date.now() + 5 * 60 * 1000) {
-        // Token 有效，直接使用
-        cachedToken = existingToken.accessToken;
+        // Token 有效，直接使用（加密存储）
+        setCachedToken(existingToken.accessToken);
         tokenExpireTime = expiresAt;
         authState.isAuthorized = true;
         lastRefreshTime = Date.now();
         console.error('✅ 已从文件加载有效 Token，无需重新授权');
-        return cachedToken;
+        return getCachedToken();
       } else {
         console.error('⏰ 保存的 Token 已过期，需要重新授权');
       }
@@ -532,8 +602,8 @@ async function getToken() {
         try {
           const token = await oauthManager.pollForTokenOnce(savedAuthState.deviceCode);
           if (token) {
-            // 授权成功
-            cachedToken = token.accessToken;
+            // 授权成功（加密存储）
+            setCachedToken(token.accessToken);
             tokenExpireTime = token.expiresAt;
             authState.isAuthorized = true;
             await oauthManager.tokenStorage.save(token);
@@ -543,7 +613,7 @@ async function getToken() {
             await oauthManager.clearAuthState();
             console.error('✅ 授权成功！可以继续使用记账功能');
             // 返回特殊标记，让上层知道这是刚完成授权的情况
-            throw new Error(`AUTH_JUST_COMPLETED:${cachedToken}`);
+            throw new Error(`AUTH_JUST_COMPLETED:${getCachedToken()}`);
           }
           // 用户还未授权，返回同一个验证码
           authState.deviceCode = savedAuthState.deviceCode;
@@ -573,11 +643,11 @@ async function getToken() {
 
   try {
     const oauthToken = await oauthManager.getValidToken();
-    cachedToken = oauthToken.accessToken;
+    setCachedToken(oauthToken.accessToken);
     tokenExpireTime = oauthToken.expiresAt;
     lastRefreshTime = Date.now();
     await oauthManager.clearAuthState();
-    return cachedToken;
+    return getCachedToken();
   } catch (err) {
     // Token 获取失败，可能需要重新授权
     authState.isAuthorized = false;
@@ -2363,6 +2433,7 @@ async function fetchAgentNameFromCloud(deviceCode) {
 }
 
 async function main() {
+  await initConfig();
   await initOAuthManager();
 
   const transport = new StdioServerTransport();
@@ -2433,8 +2504,8 @@ async function pollForAuthInBackground(deviceCode, interval) {
       const token = await oauthManager.pollForTokenOnce(deviceCode);
       
       if (token) {
-        // 授权成功
-        cachedToken = token.accessToken;
+        // 授权成功（加密存储）
+        setCachedToken(token.accessToken);
         tokenExpireTime = token.expiresAt;
         authState.isAuthorized = true;
         authState.isWaiting = false;

package/utils/encryption.js

@@ -0,0 +1,53 @@
+const crypto = require('crypto');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const TAG_LENGTH = 16;
+const SALT = 'chaimi-mcp-salt-2026';
+
+function encrypt(text, key) {
+  let derivedKey;
+  if (typeof key === 'string') {
+    derivedKey = crypto.scryptSync(key, SALT, 32);
+  } else {
+    derivedKey = key;
+  }
+
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, derivedKey, iv);
+
+  let encrypted = cipher.update(text, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+
+  const authTag = cipher.getAuthTag();
+
+  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+
+function decrypt(encryptedData, key) {
+  const parts = encryptedData.split(':');
+  if (parts.length !== 3) {
+    throw new Error('无效的加密格式');
+  }
+
+  let derivedKey;
+  if (typeof key === 'string') {
+    derivedKey = crypto.scryptSync(key, SALT, 32);
+  } else {
+    derivedKey = key;
+  }
+
+  const iv = Buffer.from(parts[0], 'hex');
+  const authTag = Buffer.from(parts[1], 'hex');
+  const encrypted = Buffer.from(parts[2], 'hex');
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, derivedKey, iv);
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+
+  return decrypted;
+}
+
+module.exports = { encrypt, decrypt };

package/utils/keyManager.js

@@ -0,0 +1,38 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const KEY_FILE = path.join(os.homedir(), '.chaimi-keep', '.mcp-secret-key');
+const KEY_SIZE = 32; // 256 bits
+
+function getOrCreateSecretKey() {
+  // 1. 优先使用环境变量
+  if (process.env.MCP_SECRET_KEY) {
+    return Buffer.from(process.env.MCP_SECRET_KEY, 'hex');
+  }
+
+  // 2. 尝试从文件加载
+  if (fs.existsSync(KEY_FILE)) {
+    const keyHex = fs.readFileSync(KEY_FILE, 'utf8').trim();
+    return Buffer.from(keyHex, 'hex');
+  }
+
+  // 3. 自动生成新密钥
+  const newKey = crypto.randomBytes(KEY_SIZE);
+  const keyHex = newKey.toString('hex');
+
+  // 确保目录存在
+  const keyDir = path.dirname(KEY_FILE);
+  if (!fs.existsSync(keyDir)) {
+    fs.mkdirSync(keyDir, { recursive: true, mode: 0o700 });
+  }
+
+  // 写入文件，权限 0600
+  fs.writeFileSync(KEY_FILE, keyHex, { mode: 0o600 });
+
+  console.error('✅ 已自动生成安全密钥');
+  return newKey;
+}
+
+module.exports = { getOrCreateSecretKey, KEY_FILE };