figmanage 1.2.0 → 1.2.3

package/dist/mcp.js

@@ -1,4 +1,5 @@
 import { createServer } from 'node:http';
+import { randomBytes } from 'node:crypto';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
@@ -75,12 +76,24 @@ export async function startMcpServer() {
     registerTools(server, config, enabledToolsets, readOnly);
     const httpPort = parseHttpPort(process.argv);
     if (httpPort) {
+        // Bearer token auth for HTTP transport
+        let httpToken = process.env.FIGMA_HTTP_TOKEN || '';
+        if (!httpToken) {
+            httpToken = randomBytes(32).toString('hex');
+            console.error(`Generated HTTP bearer token: ${httpToken}`);
+            console.error('Set FIGMA_HTTP_TOKEN to use a fixed token.');
+        }
         const transport = new StreamableHTTPServerTransport({
             sessionIdGenerator: undefined,
         });
         const httpServer = createServer(async (req, res) => {
             const url = new URL(req.url ?? '/', `http://localhost:${httpPort}`);
             if (url.pathname === '/mcp') {
+                const auth = req.headers.authorization || '';
+                if (auth !== `Bearer ${httpToken}`) {
+                    res.writeHead(401).end('Unauthorized');
+                    return;
+                }
                 await transport.handleRequest(req, res);
             }
             else {

package/dist/operations/compound-manager.js

@@ -459,13 +459,15 @@ export async function quarterlyDesignOpsReport(config, params) {
             params: { plan_parent_id: orgId, plan_type: 'organization' },
         }),
     ]);
-    // Paginate all members (cursor-based, max 500)
+    // Paginate all members (cursor-based)
+    const errors = [];
     const allMembers = [];
     let cursor;
-    const maxPages = 20;
+    let membersComplete = true;
+    const maxPages = 200; // safety cap: 200 * 50 = 10,000 members
     for (let page = 0; page < maxPages; page++) {
         try {
-            const params = { page_size: 25 };
+            const params = { page_size: 50 };
             if (cursor)
                 params.cursor = cursor;
             const res = await api.get(`/api/v2/orgs/${orgId}/org_users`, { params });
@@ -475,13 +477,19 @@ export async function quarterlyDesignOpsReport(config, params) {
                 break;
             allMembers.push(...batch);
             cursor = Array.isArray(meta.cursor) ? meta.cursor[0] : meta.cursor;
-            if (!cursor || batch.length < 25)
+            if (!cursor || batch.length < 50)
                 break;
         }
-        catch {
+        catch (e) {
+            membersComplete = false;
+            errors.push(`members: pagination stopped at page ${page + 1} of ${maxPages}, fetched ${allMembers.length} members (${e.response?.status || e.message})`);
             break;
         }
     }
+    if (cursor && allMembers.length >= maxPages * 50) {
+        membersComplete = false;
+        errors.push(`members: hit ${maxPages}-page safety cap at ${allMembers.length} members, org may have more`);
+    }
     // Process teams
     const teamsRaw = teamsResult.status === 'fulfilled'
         ? (teamsResult.value.data?.meta || teamsResult.value.data || [])
@@ -515,7 +523,6 @@ export async function quarterlyDesignOpsReport(config, params) {
         : 0;
     // Billing
     let billing = null;
-    const errors = [];
     if (ratesResult.status === 'fulfilled') {
         const prices = ratesResult.value.data?.meta?.product_prices || [];
         const seatProducts = new Set(['expert', 'developer', 'collaborator']);
@@ -611,6 +618,7 @@ export async function quarterlyDesignOpsReport(config, params) {
             total_teams: teams.length,
             total_members: allMembers.length,
             total_paid_seats: totalPaid,
+            members_complete: membersComplete,
         },
         seat_utilization: {
             active_paid: activePaid,

package/dist/operations/compound.d.ts

@@ -47,17 +47,7 @@ export declare function seatOptimization(config: AuthConfig, params: {
     org_id?: string;
     days_inactive: number;
     include_cost: boolean;
-}): Promise<{
-    summary: {
-        total_paid: number;
-        inactive_paid: number;
-        monthly_waste_cents: any;
-        annual_savings_cents: number;
-    };
-    seat_breakdown: any;
-    inactive_users: any[];
-    recommendations: string[];
-}>;
+}): Promise<Record<string, any>>;
 export declare function permissionAudit(config: AuthConfig, params: {
     scope_type: 'project' | 'team';
     scope_id: string;

package/dist/operations/compound.js

@@ -242,23 +242,36 @@ export async function seatOptimization(config, params) {
     const api = internalClient(config);
     const cutoff = Date.now() - days_inactive * 86400000;
     const paidKeys = new Set(['expert', 'developer', 'collaborator']);
-    // Paginate org members (cursor-based, max 500)
+    // Paginate org members (cursor-based)
     const allMembers = [];
-    const MAX_PAGES = 20;
+    const warnings = [];
+    let membersComplete = true;
+    const MAX_PAGES = 200; // safety cap: 200 * 50 = 10,000 members
     let cursor;
     for (let page = 0; page < MAX_PAGES; page++) {
-        const params = { page_size: 25 };
-        if (cursor)
-            params.cursor = cursor;
-        const res = await api.get(`/api/v2/orgs/${orgId}/org_users`, { params });
-        const meta = res.data?.meta || {};
-        const members = meta.users || [];
-        if (!Array.isArray(members) || members.length === 0)
-            break;
-        allMembers.push(...members);
-        cursor = Array.isArray(meta.cursor) ? meta.cursor[0] : meta.cursor;
-        if (!cursor || members.length < 25)
+        try {
+            const params = { page_size: 50 };
+            if (cursor)
+                params.cursor = cursor;
+            const res = await api.get(`/api/v2/orgs/${orgId}/org_users`, { params });
+            const meta = res.data?.meta || {};
+            const members = meta.users || [];
+            if (!Array.isArray(members) || members.length === 0)
+                break;
+            allMembers.push(...members);
+            cursor = Array.isArray(meta.cursor) ? meta.cursor[0] : meta.cursor;
+            if (!cursor || members.length < 50)
+                break;
+        }
+        catch (e) {
+            membersComplete = false;
+            warnings.push(`members: pagination stopped at page ${page + 1}, fetched ${allMembers.length} members (${e.response?.status || e.message})`);
             break;
+        }
+    }
+    if (cursor && allMembers.length >= MAX_PAGES * 50) {
+        membersComplete = false;
+        warnings.push(`members: hit ${MAX_PAGES}-page safety cap at ${allMembers.length} members, org may have more`);
     }
     // Fetch seat breakdown and optionally contract rates in parallel
     const parallelCalls = [
@@ -317,17 +330,21 @@ export async function seatOptimization(config, params) {
     if (monthlyWasteCents > 0) {
         recommendations.push(`Potential monthly savings: $${(monthlyWasteCents / 100).toFixed(2)} ($${((monthlyWasteCents * 12) / 100).toFixed(2)}/yr).`);
     }
-    return {
+    const result = {
         summary: {
             total_paid: totalPaid,
             inactive_paid: inactiveUsers.length,
             monthly_waste_cents: monthlyWasteCents,
             annual_savings_cents: monthlyWasteCents * 12,
+            members_complete: membersComplete,
         },
         seat_breakdown: seats,
         inactive_users: inactiveUsers,
         recommendations,
     };
+    if (warnings.length > 0)
+        result.warnings = warnings;
+    return result;
 }
 // -- permission_audit --
 export async function permissionAudit(config, params) {

package/dist/setup.js

@@ -1,279 +1,14 @@
 #!/usr/bin/env node
-import { execSync, execFileSync } from 'child_process';
-import { createDecipheriv, pbkdf2Sync } from 'crypto';
-import { copyFileSync, unlinkSync, mkdtempSync, mkdirSync, existsSync, rmdirSync, readFileSync, writeFileSync } from 'fs';
+import { execFileSync } from 'child_process';
+import { mkdirSync, existsSync, readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
-import { tmpdir, homedir, platform } from 'os';
-import axios from 'axios';
-const COOKIE_NAME = '__Host-figma.authn';
-// --- Platform-specific Chrome paths ---
-function getChromePaths() {
-    switch (platform()) {
-        case 'darwin':
-            return [join(homedir(), 'Library/Application Support/Google/Chrome')];
-        case 'linux':
-            return [
-                join(homedir(), '.config/google-chrome'),
-                join(homedir(), '.config/chromium'),
-            ];
-        case 'win32': {
-            const localAppData = process.env.LOCALAPPDATA || join(homedir(), 'AppData/Local');
-            return [join(localAppData, 'Google/Chrome/User Data')];
-        }
-        default:
-            return [];
-    }
-}
-// --- Chrome profile discovery ---
-function findChromeProfiles() {
-    const chromePaths = getChromePaths();
-    const profiles = [];
-    for (const base of chromePaths) {
-        if (!existsSync(base))
-            continue;
-        const defaultProfile = join(base, 'Default');
-        if (existsSync(join(defaultProfile, 'Cookies')))
-            profiles.push(defaultProfile);
-        for (let i = 1; i <= 20; i++) {
-            const profile = join(base, `Profile ${i}`);
-            if (existsSync(join(profile, 'Cookies')))
-                profiles.push(profile);
-        }
-    }
-    if (profiles.length === 0)
-        throw new Error('No Chrome profiles with Cookies found.');
-    return profiles;
-}
-// --- macOS cookie decryption ---
-function getMacDecryptionKey() {
-    const password = execFileSync('security', ['find-generic-password', '-w', '-s', 'Chrome Safe Storage'], { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-    return pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1');
-}
-// --- Linux cookie decryption ---
-function getLinuxDecryptionKey() {
-    // Try GNOME Keyring first via secret-tool
-    try {
-        const password = execSync('secret-tool lookup application chrome', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-        if (password)
-            return pbkdf2Sync(password, 'saltysalt', 1, 16, 'sha1');
-    }
-    catch {
-        // secret-tool not available or no entry
-    }
-    // Fall back to default Chrome password
-    return pbkdf2Sync('peanuts', 'saltysalt', 1, 16, 'sha1');
-}
-// --- Windows cookie decryption ---
-function getWindowsDecryptionKey(chromeBase) {
-    const localStatePath = join(chromeBase, 'Local State');
-    if (!existsSync(localStatePath)) {
-        throw new Error('Chrome Local State file not found. Cannot decrypt cookies on Windows.');
-    }
-    const localState = JSON.parse(readFileSync(localStatePath, 'utf-8'));
-    const encryptedKeyB64 = localState?.os_crypt?.encrypted_key;
-    if (!encryptedKeyB64) {
-        throw new Error('No encrypted_key in Chrome Local State.');
-    }
-    // The key is base64-encoded, with a 'DPAPI' prefix (5 bytes) before the actual DPAPI blob
-    const encryptedKey = Buffer.from(encryptedKeyB64, 'base64');
-    if (encryptedKey.toString('utf-8', 0, 5) !== 'DPAPI') {
-        throw new Error('Unexpected encrypted_key format (missing DPAPI prefix).');
-    }
-    const dpapiBlob = encryptedKey.slice(5).toString('base64');
-    // Use PowerShell to call DPAPI Unprotect
-    const psScript = `
-    Add-Type -AssemblyName System.Security
-    $blob = [Convert]::FromBase64String('${dpapiBlob}')
-    $dec = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
-    [Convert]::ToBase64String($dec)
-  `.trim().replace(/\n/g, '; ');
-    const decryptedB64 = execSync(`powershell -NoProfile -NonInteractive -Command "${psScript}"`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-    return Buffer.from(decryptedB64, 'base64');
-}
-// --- Decryption ---
-function decryptCBC(encrypted, key) {
-    // v10 prefix = Chrome AES-128-CBC encryption (macOS and Linux)
-    if (encrypted.length > 3 && encrypted[0] === 0x76 && encrypted[1] === 0x31 && encrypted[2] === 0x30) {
-        const iv = Buffer.alloc(16, 0x20); // Chrome uses space (0x20) as IV
-        const decipher = createDecipheriv('aes-128-cbc', key, iv);
-        const decrypted = Buffer.concat([decipher.update(encrypted.slice(3)), decipher.final()]);
-        // Chrome may prepend binary metadata before the cookie value.
-        // The actual cookie is URL-encoded JSON starting with %7B or raw JSON starting with {
-        const str = decrypted.toString('binary');
-        const jsonStart = str.indexOf('%7B');
-        if (jsonStart >= 0)
-            return str.slice(jsonStart);
-        const rawJsonStart = str.indexOf('{');
-        if (rawJsonStart >= 0)
-            return str.slice(rawJsonStart);
-        throw new Error('Decrypted cookie data does not contain expected JSON value');
-    }
-    return encrypted.toString('utf-8');
-}
-function decryptWindows(encrypted, key) {
-    // Windows Chrome uses AES-256-GCM with v10 prefix
-    // Format: v10 (3 bytes) + nonce (12 bytes) + ciphertext + tag (16 bytes)
-    if (encrypted.length > 3 && encrypted[0] === 0x76 && encrypted[1] === 0x31 && encrypted[2] === 0x30) {
-        const nonce = encrypted.slice(3, 15);
-        const ciphertextWithTag = encrypted.slice(15);
-        const tag = ciphertextWithTag.slice(ciphertextWithTag.length - 16);
-        const ciphertext = ciphertextWithTag.slice(0, ciphertextWithTag.length - 16);
-        const decipher = createDecipheriv('aes-256-gcm', key, nonce);
-        decipher.setAuthTag(tag);
-        const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-        const str = decrypted.toString('utf-8');
-        const jsonStart = str.indexOf('%7B');
-        if (jsonStart >= 0)
-            return str.slice(jsonStart);
-        const rawJsonStart = str.indexOf('{');
-        if (rawJsonStart >= 0)
-            return str.slice(rawJsonStart);
-        throw new Error('Decrypted cookie data does not contain expected JSON value');
-    }
-    return encrypted.toString('utf-8');
-}
-// --- Cookie extraction ---
-function extractCookie(profilePath) {
-    const cookiesDb = join(profilePath, 'Cookies');
-    const tmpDir = mkdtempSync(join(tmpdir(), 'figmanage-'));
-    const tmpDb = join(tmpDir, 'Cookies');
-    // Copy DB + WAL/SHM (Chrome locks the original)
-    copyFileSync(cookiesDb, tmpDb);
-    for (const ext of ['-wal', '-shm']) {
-        const src = cookiesDb + ext;
-        if (existsSync(src))
-            copyFileSync(src, tmpDb + ext);
-    }
-    try {
-        // Query for the auth cookie -- could be on figma.com or www.figma.com
-        const sqliteBin = platform() === 'win32' ? 'sqlite3.exe' : 'sqlite3';
-        const hex = execSync(`${sqliteBin} "${tmpDb}" "SELECT hex(encrypted_value) FROM cookies WHERE name = '${COOKIE_NAME}' AND host_key LIKE '%figma.com' ORDER BY last_access_utc DESC LIMIT 1;"`, { encoding: 'utf-8' }).trim();
-        if (!hex)
-            throw new Error(`No ${COOKIE_NAME} cookie found. Are you logged into figma.com in Chrome?`);
-        const encrypted = Buffer.from(hex, 'hex');
-        const os = platform();
-        if (os === 'darwin') {
-            const key = getMacDecryptionKey();
-            return decryptCBC(encrypted, key);
-        }
-        else if (os === 'linux') {
-            const key = getLinuxDecryptionKey();
-            return decryptCBC(encrypted, key);
-        }
-        else if (os === 'win32') {
-            // Derive the chrome base from the profile path (go up one level from Default/Profile N)
-            const chromeBase = join(profilePath, '..');
-            const key = getWindowsDecryptionKey(chromeBase);
-            return decryptWindows(encrypted, key);
-        }
-        throw new Error(`Unsupported platform: ${os}`);
-    }
-    finally {
-        for (const f of [tmpDb, tmpDb + '-wal', tmpDb + '-shm']) {
-            try {
-                unlinkSync(f);
-            }
-            catch { }
-        }
-        try {
-            rmdirSync(tmpDir);
-        }
-        catch { }
-    }
-}
-// --- Figma API validation ---
-function parseCookieValue(raw) {
-    // Cookie value is JSON: {"userId":"token"} (may be URL-encoded)
-    let decoded = raw;
-    try {
-        decoded = decodeURIComponent(raw);
-    }
-    catch { }
-    try {
-        const parsed = JSON.parse(decoded);
-        const entries = Object.entries(parsed);
-        if (entries.length === 0)
-            throw new Error('Empty cookie JSON');
-        const [userId, token] = entries[0];
-        return { userId, token, cookieValue: raw };
-    }
-    catch {
-        throw new Error('Unexpected cookie format. Expected URL-encoded JSON with userId field.');
-    }
-}
-async function validateSession(cookieValue, userId) {
-    const headers = {
-        'Cookie': `${COOKIE_NAME}=${cookieValue}`,
-        'X-CSRF-Bypass': 'yes',
-        'X-Figma-User-Id': userId,
-    };
-    const res = await axios.get('https://www.figma.com/api/user/state', {
-        headers,
-        timeout: 15000,
-    });
-    if (res.data?.error !== false)
-        throw new Error('Session invalid');
-    const meta = res.data.meta || {};
-    const teams = (meta.teams || []).map((t) => ({ id: String(t.id), name: t.name }));
-    const orgs = (meta.orgs || []).map((o) => ({ id: String(o.id), name: o.name }));
-    // Try to find org_id: check orgs array, team_users, or follow the recents redirect
-    let orgId = '';
-    if (orgs.length > 0) {
-        orgId = orgs[0].id;
-    }
-    else {
-        // Figma redirects /files/recents-and-sharing to /files/{org_id}/recents-and-sharing
-        try {
-            const redirect = await axios.get('https://www.figma.com/files/recents-and-sharing', {
-                headers,
-                maxRedirects: 0,
-                validateStatus: (s) => s >= 200 && s < 400,
-                timeout: 10000,
-            });
-            // Check final URL for org_id pattern: /files/{org_id}/
-            const finalUrl = redirect.request?.res?.responseUrl || redirect.headers?.location || '';
-            const match = finalUrl.match(/\/files\/(\d+)\//);
-            if (match)
-                orgId = match[1];
-        }
-        catch (e) {
-            // Check redirect location header
-            const loc = e.response?.headers?.location || '';
-            const match = loc.match(/\/files\/(\d+)\//);
-            if (match)
-                orgId = match[1];
-        }
-    }
-    // If orgId found but no orgs entry, try to derive a name from the org's domain
-    if (orgId && orgs.length === 0) {
-        let name = orgId;
-        try {
-            const domRes = await axios.get(`https://www.figma.com/api/orgs/${orgId}/domains`, {
-                headers,
-                timeout: 10000,
-            });
-            const domains = domRes.data?.meta || [];
-            if (Array.isArray(domains) && domains.length > 0 && domains[0].domain) {
-                name = domains[0].domain;
-            }
-        }
-        catch { /* domain lookup optional */ }
-        orgs.push({ id: orgId, name });
-    }
-    return { orgId, orgs, teams };
-}
-// --- PAT validation ---
-async function validatePat(pat) {
-    const res = await axios.get('https://api.figma.com/v1/me', {
-        headers: { 'X-Figma-Token': pat },
-        timeout: 15000,
-    });
-    return res.data.handle || res.data.email || 'valid';
-}
+import { homedir, platform } from 'os';
+import { extractCookies, validateSession, validatePat } from './auth/cookie.js';
 // --- MCP client detection and registration ---
 function claudeCliAvailable() {
     try {
-        execSync('which claude 2>/dev/null || where claude 2>nul', {
+        const whichCmd = platform() === 'win32' ? 'where' : 'which';
+        execFileSync(whichCmd, ['claude'], {
             encoding: 'utf-8',
             stdio: ['pipe', 'pipe', 'pipe'],
         });
@@ -285,9 +20,20 @@ function claudeCliAvailable() {
 }
 function registerWithClaude(envVars) {
     try {
-        execSync('claude mcp remove figmanage -s user 2>/dev/null || true', { encoding: 'utf-8' });
-        const envFlags = Object.entries(envVars).map(([k, v]) => `--env ${k}=${v}`).join(' ');
-        execSync(`claude mcp add figmanage --transport stdio -s user ${envFlags} -- npx -y figmanage`, { encoding: 'utf-8' });
+        try {
+            execFileSync('claude', ['mcp', 'remove', 'figmanage', '-s', 'user'], {
+                encoding: 'utf-8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+        }
+        catch {
+            // Ignore if not previously registered
+        }
+        execFileSync('claude', [
+            'mcp', 'add', 'figmanage', '--transport', 'stdio', '-s', 'user',
+            ...Object.entries(envVars).flatMap(([k, v]) => ['--env', `${k}=${v}`]),
+            '--', 'npx', '-y', 'figmanage',
+        ], { encoding: 'utf-8' });
         return true;
     }
     catch {
@@ -414,17 +160,7 @@ async function setup() {
     console.log(`Reading Chrome cookies${promptLabel}...`);
     let accounts = [];
     try {
-        const profiles = findChromeProfiles();
-        for (const profilePath of profiles) {
-            try {
-                const rawCookie = extractCookie(profilePath);
-                const { userId, cookieValue } = parseCookieValue(rawCookie);
-                accounts.push({ userId, cookieValue, profile: profilePath.split(/[/\\]/).pop() });
-            }
-            catch {
-                // Profile doesn't have a Figma cookie
-            }
-        }
+        accounts = extractCookies();
     }
     catch (e) {
         if (os === 'win32') {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "figmanage",
   "mcpName": "io.github.dannykeane/figmanage",
-  "version": "1.2.0",
+  "version": "1.2.3",
   "description": "MCP server for managing your Figma workspace from the terminal.",
   "type": "module",
   "main": "dist/index.js",
@@ -40,8 +40,8 @@
   },
   "homepage": "https://github.com/dannykeane/figmanage#readme",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.25.0",
-    "axios": "^1.7.0",
+    "@modelcontextprotocol/sdk": "^1.25.2",
+    "axios": "^1.13.5",
     "axios-retry": "^4.4.0",
     "commander": "^14.0.3",
     "zod": "^3.23.0"