company-dossier 0.1.0 → 0.2.1

package/README.md

@@ -99,6 +99,47 @@ Tool input:
 { "target": "acme.com", "sections": ["overview", "tech", "risk"] }
 ```
 
+## Remote MCP server
+
+In addition to the stdio server, `company-dossier` ships a **remote (HTTP) MCP
+server** over the MCP Streamable HTTP transport, exposing the same single tool,
+`build_dossier`. This is what you deploy so hosted assistants (ChatGPT Apps SDK,
+Claude connectors) can reach it over the network.
+
+Run it locally:
+
+```bash
+npx company-dossier-mcp-http
+# listening on http://0.0.0.0:8787  (override with PORT=...)
+```
+
+Endpoints: `POST/GET/DELETE /mcp` for the MCP session and `GET /health`
+(returns `{"status":"ok"}`). It listens on `process.env.PORT || 8787`.
+
+### Hosted endpoint
+
+Deploy it (see [`deploy/README.md`](deploy/README.md) for one-command steps to
+Render, Fly.io, or any Docker host) and point a subdomain at it. The hosted MCP
+endpoint is then:
+
+```
+https://mcp.companydossier.lol/mcp
+```
+
+**Claude connectors / Claude Desktop (custom connector):** add a remote MCP
+server with URL `https://mcp.companydossier.lol/mcp`. The `build_dossier` tool
+becomes available.
+
+**ChatGPT (Apps SDK / connectors):** add an MCP server pointing at
+`https://mcp.companydossier.lol/mcp`; ChatGPT discovers and calls the
+`build_dossier` tool.
+
+Tool input (same as the stdio server):
+
+```json
+{ "target": "acme.com", "sections": ["overview", "tech", "risk"] }
+```
+
 ## Output
 
 - A `<Company> DOSSIER/` folder with `README.md`, nine numbered markdown

package/dist/cli.js

@@ -6,6 +6,7 @@ import { promises as dns } from "dns";
 // src/utils.ts
 import * as fs from "fs";
 import * as path from "path";
+import { lookup } from "dns/promises";
 var USER_AGENT = "company-dossier/0.1 (+https://companydossier.lol)";
 function mkdirp(dirPath) {
   if (!fs.existsSync(dirPath)) {
@@ -22,18 +23,67 @@ function todayISO() {
 function titleCase(str) {
   return str.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
 }
+function isPrivateIp(ip) {
+  const v = ip.replace(/^\[|\]$/g, "").toLowerCase();
+  if (v.includes(":")) {
+    if (v === "::1" || v === "::") return true;
+    if (v.startsWith("fe80") || v.startsWith("fc") || v.startsWith("fd")) return true;
+    const m = v.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
+    if (m) return isPrivateIp(m[1]);
+    return false;
+  }
+  const p = v.split(".").map(Number);
+  if (p.length !== 4 || p.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return true;
+  const [a, b] = p;
+  if (a === 10 || a === 127 || a === 0) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 192 && b === 0) return true;
+  return false;
+}
+async function assertPublicUrl(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error("Invalid URL");
+  }
+  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`Blocked protocol: ${u.protocol}`);
+  const host = u.hostname.toLowerCase();
+  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal") || host.endsWith(".local")) {
+    throw new Error(`Blocked host: ${host}`);
+  }
+  if (/^[0-9.]+$/.test(host) || host.includes(":")) {
+    if (isPrivateIp(host)) throw new Error(`Blocked private address: ${host}`);
+    return;
+  }
+  const addrs = await lookup(host, { all: true });
+  for (const a of addrs) if (isPrivateIp(a.address)) throw new Error(`Blocked private address for ${host}: ${a.address}`);
+}
 async function fetchText(url, timeoutMs = 1e4) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   try {
-    const resp = await fetch(url, {
-      signal: controller.signal,
-      headers: { "User-Agent": USER_AGENT }
-    });
-    if (!resp.ok) {
-      throw new Error(`HTTP ${resp.status}`);
+    let current = url;
+    for (let hop = 0; hop < 5; hop++) {
+      await assertPublicUrl(current);
+      const resp = await fetch(current, {
+        signal: controller.signal,
+        redirect: "manual",
+        headers: { "User-Agent": USER_AGENT }
+      });
+      if (resp.status >= 300 && resp.status < 400) {
+        const loc = resp.headers.get("location");
+        if (!loc) throw new Error(`HTTP ${resp.status} without Location`);
+        current = new URL(loc, current).toString();
+        continue;
+      }
+      if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+      return await resp.text();
     }
-    return await resp.text();
+    throw new Error("Too many redirects");
   } finally {
     clearTimeout(timer);
   }

package/dist/index.js

@@ -4,6 +4,7 @@ import * as path2 from "path";
 // src/utils.ts
 import * as fs from "fs";
 import * as path from "path";
+import { lookup } from "dns/promises";
 var USER_AGENT = "company-dossier/0.1 (+https://companydossier.lol)";
 function mkdirp(dirPath) {
   if (!fs.existsSync(dirPath)) {
@@ -23,18 +24,67 @@ function slugify(name) {
 function titleCase(str) {
   return str.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
 }
+function isPrivateIp(ip) {
+  const v = ip.replace(/^\[|\]$/g, "").toLowerCase();
+  if (v.includes(":")) {
+    if (v === "::1" || v === "::") return true;
+    if (v.startsWith("fe80") || v.startsWith("fc") || v.startsWith("fd")) return true;
+    const m = v.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
+    if (m) return isPrivateIp(m[1]);
+    return false;
+  }
+  const p = v.split(".").map(Number);
+  if (p.length !== 4 || p.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return true;
+  const [a, b] = p;
+  if (a === 10 || a === 127 || a === 0) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 192 && b === 0) return true;
+  return false;
+}
+async function assertPublicUrl(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    throw new Error("Invalid URL");
+  }
+  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error(`Blocked protocol: ${u.protocol}`);
+  const host = u.hostname.toLowerCase();
+  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".internal") || host.endsWith(".local")) {
+    throw new Error(`Blocked host: ${host}`);
+  }
+  if (/^[0-9.]+$/.test(host) || host.includes(":")) {
+    if (isPrivateIp(host)) throw new Error(`Blocked private address: ${host}`);
+    return;
+  }
+  const addrs = await lookup(host, { all: true });
+  for (const a of addrs) if (isPrivateIp(a.address)) throw new Error(`Blocked private address for ${host}: ${a.address}`);
+}
 async function fetchText(url, timeoutMs = 1e4) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   try {
-    const resp = await fetch(url, {
-      signal: controller.signal,
-      headers: { "User-Agent": USER_AGENT }
-    });
-    if (!resp.ok) {
-      throw new Error(`HTTP ${resp.status}`);
+    let current = url;
+    for (let hop = 0; hop < 5; hop++) {
+      await assertPublicUrl(current);
+      const resp = await fetch(current, {
+        signal: controller.signal,
+        redirect: "manual",
+        headers: { "User-Agent": USER_AGENT }
+      });
+      if (resp.status >= 300 && resp.status < 400) {
+        const loc = resp.headers.get("location");
+        if (!loc) throw new Error(`HTTP ${resp.status} without Location`);
+        current = new URL(loc, current).toString();
+        continue;
+      }
+      if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+      return await resp.text();
     }
-    return await resp.text();
+    throw new Error("Too many redirects");
   } finally {
     clearTimeout(timer);
   }