kiwoom-mcp-server 0.16.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.en.md CHANGED
@@ -123,6 +123,11 @@ npm test # unit tests (no network required)
123
123
  | `ISA_ENABLED` | | `true` registers the `calc_isa_tax_status` tool. Default `false` (general-account-first) |
124
124
  | `ISA_TYPE` | | `GENERAL` (general, 2,000,000 KRW limit, default) or `SEOMIN` (low-income/farmer-fisher, 4,000,000 KRW). Only used when `ISA_ENABLED=true` |
125
125
  | `ISA_OPENED_ON` | | ISA account opening date `yyyy-MM-dd` — default aggregation start for `calc_isa_tax_status`. Only used when `ISA_ENABLED=true` |
126
+ | `MCP_TRANSPORT` | | `stdio` (default) or `http` — see [Remote access](#remote-access-http-mode--claudeai-webmobile) |
127
+ | `MCP_AUTH_TOKEN` | HTTP mode ✅ | Bearer token every `/mcp` request must present in HTTP mode |
128
+ | `MCP_HTTP_PORT` | | HTTP-mode port (default `8000`) |
129
+ | `MCP_HTTP_HOST` | | HTTP-mode bind address (default `127.0.0.1`) |
130
+ | `MCP_HTTP_NO_AUTH` | | `true` allows starting HTTP mode without auth (discouraged — see the security notes below) |
126
131
 
127
132
  The default is **general-account-first**: without extra config, only the market-data
128
133
  and account-inquiry tools are exposed. To use the tax-free-limit tool on an ISA
@@ -195,6 +200,38 @@ From source — app key from the project-root `.env`:
195
200
  claude mcp add kiwoom -- node /absolute/path/kiwoom-mcp-server/dist/index.js
196
201
  ```
197
202
 
203
+ ## Remote access (HTTP mode) — claude.ai web/mobile
204
+
205
+ claude.ai **custom connectors** (web/mobile) cannot attach to a local stdio server;
206
+ they need a **Streamable HTTP** MCP server reachable over public HTTPS. Start this
207
+ server in HTTP mode with the `--http` flag (or `MCP_TRANSPORT=http`):
208
+
209
+ ```sh
210
+ MCP_AUTH_TOKEN="$(openssl rand -hex 32)" npx -y kiwoom-mcp-server --http --port 8000
211
+ # endpoint: http://127.0.0.1:8000/mcp · health check: /healthz
212
+ ```
213
+
214
+ - **Auth is required by default.** Without `MCP_AUTH_TOKEN` the server refuses to
215
+ start — every `/mcp` request must carry `Authorization: Bearer <token>`. To run
216
+ without auth you must pass `--no-auth` explicitly; the account-inquiry tools are
217
+ then exposed as-is, so do that only on a trusted network or with a paper-trading
218
+ key (`KIWOOM_MODE=VIRTUAL`).
219
+ - The default bind is `127.0.0.1`, assuming a tunnel in front. To expose directly
220
+ (container/VPS), opt in with `--host 0.0.0.0`.
221
+ - Get a public HTTPS URL with e.g. [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/):
222
+ `cloudflared tunnel --url http://localhost:8000` (ephemeral URL — use a named
223
+ tunnel for anything permanent).
224
+ - Register on claude.ai under **Settings → Connectors → Add custom connector** with
225
+ `https://<your-domain>/mcp`. The bearer token can be supplied via the connector's
226
+ request-header settings (beta). A connector added once is available across the
227
+ web, mobile, and desktop clients.
228
+ - ⚠️ **Kiwoom API calls originate from wherever this server runs.** REAL mode is
229
+ bound to Kiwoom's designated-terminal (8050) IP registration, so running it
230
+ outside a registered IP (e.g. in the cloud) can fail auth. Validate remote
231
+ setups with a VIRTUAL key first.
232
+
233
+ The stdio behavior (Claude Desktop/Code) is unchanged when run without arguments.
234
+
198
235
  ## Smoke test
199
236
 
200
237
  You can verify over stdio without an MCP client:
package/README.md CHANGED
@@ -115,6 +115,11 @@ npm test # 단위 테스트 (네트워크 불필요)
115
115
  | `ISA_ENABLED` | | `true`면 `calc_isa_tax_status` tool 활성화. 기본값 `false`(일반 계좌 기준) |
116
116
  | `ISA_TYPE` | | `GENERAL`(일반형, 한도 200만원, 기본값) 또는 `SEOMIN`(서민형/농어민형, 400만원). `ISA_ENABLED=true`일 때만 사용 |
117
117
  | `ISA_OPENED_ON` | | ISA 계좌 개설일 `yyyy-MM-dd` — `calc_isa_tax_status` 집계 시작일 기본값. `ISA_ENABLED=true`일 때만 사용 |
118
+ | `MCP_TRANSPORT` | | `stdio`(기본값) 또는 `http` — [원격 연결](#원격-연결-http-모드--claudeai-웹모바일) 참조 |
119
+ | `MCP_AUTH_TOKEN` | HTTP 모드 ✅ | HTTP 모드에서 모든 `/mcp` 요청이 제시해야 하는 Bearer 토큰 |
120
+ | `MCP_HTTP_PORT` | | HTTP 모드 포트 (기본값 `8000`) |
121
+ | `MCP_HTTP_HOST` | | HTTP 모드 바인드 주소 (기본값 `127.0.0.1`) |
122
+ | `MCP_HTTP_NO_AUTH` | | `true`면 인증 없이 HTTP 모드 기동 허용 (비권장 — 아래 보안 주의 참조) |
118
123
 
119
124
  기본값은 **일반(비-ISA) 계좌 기준**입니다 — 별도 설정이 없으면 시장·계좌 조회 tool만
120
125
  노출됩니다. ISA 계좌를 연결해 비과세 한도 tool을 쓰려면 `ISA_ENABLED=true`로 켜고
@@ -186,6 +191,34 @@ claude mcp add kiwoom \
186
191
  claude mcp add kiwoom -- node /절대/경로/kiwoom-mcp-server/dist/index.js
187
192
  ```
188
193
 
194
+ ## 원격 연결 (HTTP 모드) — claude.ai 웹/모바일
195
+
196
+ claude.ai(웹/모바일)의 **커스텀 커넥터**는 로컬 stdio 서버에 직접 붙을 수 없고, 공개
197
+ HTTPS로 접근 가능한 **Streamable HTTP** MCP 서버가 필요합니다. `--http` 플래그(또는
198
+ `MCP_TRANSPORT=http`)로 이 서버를 HTTP 모드로 띄울 수 있습니다:
199
+
200
+ ```sh
201
+ MCP_AUTH_TOKEN="$(openssl rand -hex 32)" npx -y kiwoom-mcp-server --http --port 8000
202
+ # 엔드포인트: http://127.0.0.1:8000/mcp · 헬스체크: /healthz
203
+ ```
204
+
205
+ - **인증이 기본 필수입니다.** `MCP_AUTH_TOKEN`이 없으면 기동을 거부합니다 — 모든 `/mcp`
206
+ 요청에 `Authorization: Bearer <토큰>` 헤더가 있어야 합니다. 인증 없이 열려면
207
+ `--no-auth`를 명시해야 하며, 계좌 조회 도구가 그대로 노출되므로 신뢰할 수 있는
208
+ 네트워크나 모의투자(`KIWOOM_MODE=VIRTUAL`)에서만 사용하세요.
209
+ - 기본 바인드는 `127.0.0.1`입니다 — 터널을 앞에 두는 구성을 전제합니다. 컨테이너/서버에
210
+ 직접 노출하려면 `--host 0.0.0.0`을 명시하세요.
211
+ - 공개 HTTPS URL은 [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) 등으로 만듭니다:
212
+ `cloudflared tunnel --url http://localhost:8000` (임시 URL — 상시 운영은 named tunnel 권장).
213
+ - claude.ai 등록: **Settings → Connectors → Add custom connector**에
214
+ `https://<도메인>/mcp`를 입력합니다. Bearer 토큰은 Advanced settings의 요청 헤더
215
+ 설정(베타)으로 전달할 수 있습니다. 등록한 커넥터는 웹/모바일/데스크톱에서 공용입니다.
216
+ - ⚠️ **키움 API 호출은 이 서버가 실행되는 곳에서 나갑니다.** REAL 모드는 키움 지정단말기
217
+ 인증(8050)이 IP에 묶이므로, 등록된 IP가 아닌 곳(클라우드 등)에서 실행하면 인증 오류가
218
+ 날 수 있습니다. 원격 노출은 모의투자로 먼저 검증하세요.
219
+
220
+ 기존 stdio 동작(Claude Desktop/Code 연결)은 인자 없이 실행하면 그대로입니다.
221
+
189
222
  ## 동작 확인
190
223
 
191
224
  MCP 클라이언트 없이 stdio로 직접 확인할 수 있습니다:
package/dist/config.js CHANGED
@@ -41,7 +41,7 @@ const MODE_LABELS = {
41
41
  REAL: "실전투자",
42
42
  };
43
43
  let cached = null;
44
- function loadDotEnv() {
44
+ export function loadDotEnv() {
45
45
  // Claude Desktop launches this server with an arbitrary cwd, so resolve .env
46
46
  // relative to the project root (parent of dist/ or src/) first.
47
47
  const projectRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
package/dist/http.js ADDED
@@ -0,0 +1,135 @@
1
+ import { createHash, timingSafeEqual } from "node:crypto";
2
+ import http from "node:http";
3
+ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
4
+ import { createServer, SERVER_NAME, SERVER_VERSION } from "./server.js";
5
+ const DEFAULT_PORT = 8000;
6
+ const DEFAULT_HOST = "127.0.0.1";
7
+ const MCP_PATH = "/mcp";
8
+ const HEALTH_PATH = "/healthz";
9
+ /**
10
+ * Decides the transport from CLI args + env. Pure (unit-testable): pass
11
+ * process.argv.slice(2) and process.env. Defaults to stdio so existing
12
+ * Claude Desktop/Code installs are untouched; HTTP is strictly opt-in.
13
+ *
14
+ * The auth token is env-only (MCP_AUTH_TOKEN) — a CLI flag would leak the
15
+ * secret to `ps`. HTTP mode refuses to start without a token unless the
16
+ * operator explicitly passes --no-auth: this server fronts a brokerage
17
+ * account, so an unauthenticated public endpoint must be a deliberate act.
18
+ */
19
+ export function chooseTransport(argv, env) {
20
+ const flags = new Set();
21
+ const values = new Map();
22
+ for (let i = 0; i < argv.length; i += 1) {
23
+ const arg = argv[i];
24
+ if (arg === "--port" || arg === "--host") {
25
+ const value = argv[i + 1];
26
+ if (value === undefined || value.startsWith("--")) {
27
+ throw new Error(`${arg} 옵션에 값이 없습니다 (예: ${arg === "--port" ? "--port 8000" : "--host 127.0.0.1"}).`);
28
+ }
29
+ values.set(arg, value);
30
+ i += 1;
31
+ }
32
+ else if (arg === "--http" || arg === "--stdio" || arg === "--no-auth") {
33
+ flags.add(arg);
34
+ }
35
+ else {
36
+ throw new Error(`알 수 없는 옵션입니다: ${arg} (지원: --http, --stdio, --port <n>, --host <addr>, --no-auth)`);
37
+ }
38
+ }
39
+ const envTransport = env.MCP_TRANSPORT?.trim().toLowerCase();
40
+ if (envTransport !== undefined && envTransport !== "" && envTransport !== "stdio" && envTransport !== "http") {
41
+ throw new Error(`MCP_TRANSPORT 값이 잘못되었습니다: "${env.MCP_TRANSPORT}" (stdio 또는 http).`);
42
+ }
43
+ const wantsHttp = flags.has("--http") || (!flags.has("--stdio") && envTransport === "http");
44
+ if (!wantsHttp)
45
+ return { mode: "stdio" };
46
+ const portRaw = values.get("--port") ?? env.MCP_HTTP_PORT?.trim();
47
+ let port = DEFAULT_PORT;
48
+ if (portRaw !== undefined && portRaw !== "") {
49
+ port = Number(portRaw);
50
+ if (!Number.isInteger(port) || port < 0 || port > 65535) {
51
+ throw new Error(`포트가 잘못되었습니다: "${portRaw}" (0~65535 정수).`);
52
+ }
53
+ }
54
+ const host = values.get("--host") ?? (env.MCP_HTTP_HOST?.trim() || DEFAULT_HOST);
55
+ const allowNoAuth = flags.has("--no-auth") || env.MCP_HTTP_NO_AUTH?.trim().toLowerCase() === "true";
56
+ const authToken = env.MCP_AUTH_TOKEN?.trim() || undefined;
57
+ if (!authToken && !allowNoAuth) {
58
+ throw new Error("HTTP 모드에는 MCP_AUTH_TOKEN 환경변수가 필요합니다 (모든 /mcp 요청의 Bearer 토큰). " +
59
+ "인증 없이 열려면 --no-auth를 명시하세요 — 계좌 조회 도구가 인터넷에 그대로 노출되므로 " +
60
+ "신뢰할 수 있는 네트워크/모의투자(VIRTUAL) 환경에서만 권장합니다.");
61
+ }
62
+ return { mode: "http", options: { port, host, authToken, allowNoAuth } };
63
+ }
64
+ /** Timing-safe bearer-token check (hash first so lengths never short-circuit). */
65
+ export function isAuthorized(authorizationHeader, token) {
66
+ if (!authorizationHeader)
67
+ return false;
68
+ const match = /^Bearer\s+(.+)$/i.exec(authorizationHeader.trim());
69
+ if (!match)
70
+ return false;
71
+ const presented = createHash("sha256").update(match[1]).digest();
72
+ const expected = createHash("sha256").update(token).digest();
73
+ return timingSafeEqual(presented, expected);
74
+ }
75
+ function deny(res, status, message) {
76
+ res.writeHead(status, { "Content-Type": "application/json" }).end(JSON.stringify({
77
+ jsonrpc: "2.0",
78
+ error: { code: -32000, message },
79
+ id: null,
80
+ }));
81
+ }
82
+ /**
83
+ * Streamable HTTP endpoint for remote MCP clients (claude.ai custom
84
+ * connectors, Claude Desktop/mobile via the account-brokered connector).
85
+ * Stateless per the MCP spec: each request gets a fresh McpServer+transport
86
+ * pair; the expensive state (Kiwoom token cache, ka10099 master-list cache)
87
+ * lives at module level and is shared across requests.
88
+ */
89
+ export function createHttpServer(options) {
90
+ return http.createServer((req, res) => {
91
+ void handleRequest(req, res, options).catch((error) => {
92
+ console.error("HTTP request handling failed:", error);
93
+ if (!res.headersSent)
94
+ deny(res, 500, "internal server error");
95
+ });
96
+ });
97
+ }
98
+ async function handleRequest(req, res, options) {
99
+ const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
100
+ if (url.pathname === HEALTH_PATH) {
101
+ res.writeHead(200, { "Content-Type": "text/plain" }).end("ok");
102
+ return;
103
+ }
104
+ if (url.pathname !== MCP_PATH) {
105
+ deny(res, 404, `not found — MCP endpoint is ${MCP_PATH}`);
106
+ return;
107
+ }
108
+ if (options.authToken && !isAuthorized(req.headers.authorization, options.authToken)) {
109
+ deny(res, 401, "unauthorized — Authorization: Bearer <MCP_AUTH_TOKEN> 헤더가 필요합니다");
110
+ return;
111
+ }
112
+ const server = createServer();
113
+ const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
114
+ res.on("close", () => {
115
+ void transport.close();
116
+ void server.close();
117
+ });
118
+ await server.connect(transport);
119
+ await transport.handleRequest(req, res);
120
+ }
121
+ export async function startHttpServer(options) {
122
+ const server = createHttpServer(options);
123
+ await new Promise((resolve, reject) => {
124
+ server.once("error", reject);
125
+ server.listen(options.port, options.host, resolve);
126
+ });
127
+ const address = server.address();
128
+ const boundPort = typeof address === "object" && address ? address.port : options.port;
129
+ console.error(`${SERVER_NAME} v${SERVER_VERSION} listening on http://${options.host}:${boundPort}${MCP_PATH} ` +
130
+ `(auth: ${options.authToken ? "bearer token" : "NONE — --no-auth"})`);
131
+ if (!options.authToken) {
132
+ console.error("⚠️ 인증 없이 실행 중입니다. 이 서버는 계좌 조회 도구를 노출하므로 공개 네트워크에 직접 연결하지 마세요.");
133
+ }
134
+ return server;
135
+ }
package/dist/index.js CHANGED
@@ -1,7 +1,17 @@
1
1
  #!/usr/bin/env node
2
2
  import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
3
+ import { loadDotEnv } from "./config.js";
4
+ import { chooseTransport, startHttpServer } from "./http.js";
3
5
  import { createServer, SERVER_NAME, SERVER_VERSION } from "./server.js";
4
6
  async function main() {
7
+ // Load .env before reading MCP_* transport vars (credential validation stays
8
+ // lazy in getConfig). Real environment variables win over the file.
9
+ loadDotEnv();
10
+ const choice = chooseTransport(process.argv.slice(2), process.env);
11
+ if (choice.mode === "http") {
12
+ await startHttpServer(choice.options);
13
+ return;
14
+ }
5
15
  const server = createServer();
6
16
  const transport = new StdioServerTransport();
7
17
  await server.connect(transport);
package/dist/server.js CHANGED
@@ -27,7 +27,7 @@ import { registerTransactionsTool } from "./tools/transactions.js";
27
27
  import { registerViStocksTool } from "./tools/vi-stocks.js";
28
28
  import { registerWatchlistGroupsTool, registerWatchlistTool } from "./tools/watchlist.js";
29
29
  export const SERVER_NAME = "kiwoom-mcp-server";
30
- export const SERVER_VERSION = "0.16.0";
30
+ export const SERVER_VERSION = "0.17.0";
31
31
  export function createServer() {
32
32
  const server = new McpServer({
33
33
  name: SERVER_NAME,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "kiwoom-mcp-server",
3
- "version": "0.16.0",
3
+ "version": "0.17.0",
4
4
  "description": "Read-only MCP server exposing the Kiwoom Securities REST API (market data, account inquiry, ISA tax-allowance calculator) to Claude Desktop / Claude Code.",
5
5
  "private": false,
6
6
  "type": "module",