npm - llng-mcp - Versions diffs - 0.1.0 - Mend

llng-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (114) hide show

package/.github/workflows/ci.yml +77 -0
package/.prettierrc +7 -0
package/LICENSE +661 -0
package/README.md +502 -0
package/dist/__tests__/api-transport.test.d.ts +1 -0
package/dist/__tests__/api-transport.test.js +577 -0
package/dist/__tests__/api-transport.test.js.map +1 -0
package/dist/__tests__/config.test.d.ts +1 -0
package/dist/__tests__/config.test.js +472 -0
package/dist/__tests__/config.test.js.map +1 -0
package/dist/__tests__/integration/api-mode.test.d.ts +1 -0
package/dist/__tests__/integration/api-mode.test.js +199 -0
package/dist/__tests__/integration/api-mode.test.js.map +1 -0
package/dist/__tests__/integration/oidc-rp.test.d.ts +1 -0
package/dist/__tests__/integration/oidc-rp.test.js +120 -0
package/dist/__tests__/integration/oidc-rp.test.js.map +1 -0
package/dist/__tests__/integration/ssh-mode.test.d.ts +1 -0
package/dist/__tests__/integration/ssh-mode.test.js +101 -0
package/dist/__tests__/integration/ssh-mode.test.js.map +1 -0
package/dist/__tests__/k8s-transport.test.d.ts +1 -0
package/dist/__tests__/k8s-transport.test.js +254 -0
package/dist/__tests__/k8s-transport.test.js.map +1 -0
package/dist/__tests__/oidc-tools.test.d.ts +1 -0
package/dist/__tests__/oidc-tools.test.js +457 -0
package/dist/__tests__/oidc-tools.test.js.map +1 -0
package/dist/__tests__/registry.test.d.ts +1 -0
package/dist/__tests__/registry.test.js +96 -0
package/dist/__tests__/registry.test.js.map +1 -0
package/dist/__tests__/ssh-transport.test.d.ts +1 -0
package/dist/__tests__/ssh-transport.test.js +618 -0
package/dist/__tests__/ssh-transport.test.js.map +1 -0
package/dist/__tests__/tools.test.d.ts +1 -0
package/dist/__tests__/tools.test.js +525 -0
package/dist/__tests__/tools.test.js.map +1 -0
package/dist/config.d.ts +65 -0
package/dist/config.js +506 -0
package/dist/config.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.js +42 -0
package/dist/index.js.map +1 -0
package/dist/resources/documentation.d.ts +5 -0
package/dist/resources/documentation.js +56 -0
package/dist/resources/documentation.js.map +1 -0
package/dist/tools/cli-utilities.d.ts +3 -0
package/dist/tools/cli-utilities.js +187 -0
package/dist/tools/cli-utilities.js.map +1 -0
package/dist/tools/config.d.ts +6 -0
package/dist/tools/config.js +326 -0
package/dist/tools/config.js.map +1 -0
package/dist/tools/consents.d.ts +3 -0
package/dist/tools/consents.js +39 -0
package/dist/tools/consents.js.map +1 -0
package/dist/tools/instances.d.ts +3 -0
package/dist/tools/instances.js +14 -0
package/dist/tools/instances.js.map +1 -0
package/dist/tools/oidc-rp.d.ts +6 -0
package/dist/tools/oidc-rp.js +246 -0
package/dist/tools/oidc-rp.js.map +1 -0
package/dist/tools/oidc.d.ts +3 -0
package/dist/tools/oidc.js +343 -0
package/dist/tools/oidc.js.map +1 -0
package/dist/tools/secondfactors.d.ts +3 -0
package/dist/tools/secondfactors.js +62 -0
package/dist/tools/secondfactors.js.map +1 -0
package/dist/tools/sessions.d.ts +6 -0
package/dist/tools/sessions.js +300 -0
package/dist/tools/sessions.js.map +1 -0
package/dist/transport/api.d.ts +35 -0
package/dist/transport/api.js +327 -0
package/dist/transport/api.js.map +1 -0
package/dist/transport/interface.d.ts +50 -0
package/dist/transport/interface.js +2 -0
package/dist/transport/interface.js.map +1 -0
package/dist/transport/k8s.d.ts +41 -0
package/dist/transport/k8s.js +303 -0
package/dist/transport/k8s.js.map +1 -0
package/dist/transport/registry.d.ts +20 -0
package/dist/transport/registry.js +91 -0
package/dist/transport/registry.js.map +1 -0
package/dist/transport/ssh.d.ts +37 -0
package/dist/transport/ssh.js +353 -0
package/dist/transport/ssh.js.map +1 -0
package/docker-compose.test.yml +16 -0
package/eslint.config.js +21 -0
package/package.json +38 -0
package/src/__tests__/api-transport.test.ts +746 -0
package/src/__tests__/config.test.ts +587 -0
package/src/__tests__/integration/api-mode.test.ts +229 -0
package/src/__tests__/integration/oidc-rp.test.ts +138 -0
package/src/__tests__/integration/ssh-mode.test.ts +113 -0
package/src/__tests__/k8s-transport.test.ts +342 -0
package/src/__tests__/oidc-tools.test.ts +554 -0
package/src/__tests__/registry.test.ts +110 -0
package/src/__tests__/ssh-transport.test.ts +805 -0
package/src/__tests__/tools.test.ts +735 -0
package/src/config.ts +605 -0
package/src/index.ts +48 -0
package/src/resources/documentation.ts +65 -0
package/src/tools/cli-utilities.ts +207 -0
package/src/tools/config.ts +382 -0
package/src/tools/consents.ts +50 -0
package/src/tools/instances.ts +21 -0
package/src/tools/oidc-rp.ts +299 -0
package/src/tools/oidc.ts +434 -0
package/src/tools/secondfactors.ts +78 -0
package/src/tools/sessions.ts +342 -0
package/src/transport/api.ts +429 -0
package/src/transport/interface.ts +58 -0
package/src/transport/k8s.ts +367 -0
package/src/transport/registry.ts +105 -0
package/src/transport/ssh.ts +430 -0
package/tsconfig.json +16 -0
package/vitest.config.ts +8 -0
package/vitest.integration.config.ts +9 -0

package/src/tools/oidc.ts ADDED Viewed

@@ -0,0 +1,434 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+import { randomBytes, createHash } from "crypto";
+import { OidcConfig } from "../config.js";
+import { TransportRegistry } from "../transport/registry.js";
+// Cache for OIDC discovery documents, keyed by issuer with TTL
+const discoveryCache = new Map<string, { metadata: any; fetchedAt: number }>();
+const DISCOVERY_CACHE_TTL_MS = 3600_000; // 1 hour
+async function getDiscoveryMetadata(config: OidcConfig): Promise<any> {
+  const cached = discoveryCache.get(config.issuer);
+  if (cached && Date.now() - cached.fetchedAt < DISCOVERY_CACHE_TTL_MS) {
+    return cached.metadata;
+  }
+  const url = `${config.issuer}/.well-known/openid-configuration`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch discovery metadata: ${response.status} ${response.statusText}`,
+    );
+  }
+  const metadata = await response.json();
+  discoveryCache.set(config.issuer, { metadata, fetchedAt: Date.now() });
+  return metadata;
+}
+function generateCodeVerifier(): string {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier: string): string {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function generateState(): string {
+  return randomBytes(16).toString("base64url");
+}
+function isUrlSafe(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      return false;
+    }
+    const hostname = parsed.hostname;
+    // Block private/link-local/loopback IPs
+    if (
+      hostname === "localhost" ||
+      hostname.startsWith("127.") ||
+      hostname === "[::1]" ||
+      hostname.startsWith("10.") ||
+      hostname.startsWith("192.168.") ||
+      hostname.startsWith("169.254.") ||
+      hostname.startsWith("0.") ||
+      /^172\.(1[6-9]|2\d|3[01])\./.test(hostname)
+    ) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function base64UrlDecode(str: string): string {
+  // Convert base64url to base64
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  // Add padding if needed
+  base64 += "=".repeat((4 - (base64.length % 4)) % 4);
+  return Buffer.from(base64, "base64").toString("utf-8");
+}
+export function registerOidcTools(server: McpServer, registry: TransportRegistry): void {
+  server.tool(
+    "llng_oidc_metadata",
+    "Fetch OIDC discovery metadata",
+    {
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        return { content: [{ type: "text", text: JSON.stringify(metadata, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_authorize",
+    "Get authorization URL with PKCE",
+    {
+      scope: z.string().optional(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        const codeVerifier = generateCodeVerifier();
+        const codeChallenge = generateCodeChallenge(codeVerifier);
+        const state = generateState();
+        const scope = params.scope || config.scope;
+        const authUrl = new URL(metadata.authorization_endpoint);
+        authUrl.searchParams.set("response_type", "code");
+        authUrl.searchParams.set("client_id", config.clientId);
+        authUrl.searchParams.set("redirect_uri", config.redirectUri);
+        authUrl.searchParams.set("scope", scope);
+        authUrl.searchParams.set("code_challenge", codeChallenge);
+        authUrl.searchParams.set("code_challenge_method", "S256");
+        authUrl.searchParams.set("state", state);
+        const result = {
+          url: authUrl.toString(),
+          code_verifier: codeVerifier,
+          state: state,
+        };
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_tokens",
+    "Exchange authorization code for tokens",
+    {
+      code: z.string(),
+      code_verifier: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        const body = new URLSearchParams();
+        body.set("grant_type", "authorization_code");
+        body.set("code", params.code);
+        body.set("redirect_uri", config.redirectUri);
+        body.set("client_id", config.clientId);
+        body.set("code_verifier", params.code_verifier);
+        if (config.clientSecret) {
+          body.set("client_secret", config.clientSecret);
+        }
+        const response = await fetch(metadata.token_endpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+          },
+          body: body.toString(),
+        });
+        const result = await response.json();
+        if (!response.ok) {
+          return {
+            content: [{ type: "text", text: `Error: ${JSON.stringify(result)}` }],
+            isError: true,
+          };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_userinfo",
+    "Get user info from OIDC provider",
+    {
+      access_token: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        const response = await fetch(metadata.userinfo_endpoint, {
+          headers: {
+            Authorization: `Bearer ${params.access_token}`,
+          },
+        });
+        const result = await response.json();
+        if (!response.ok) {
+          return {
+            content: [{ type: "text", text: `Error: ${JSON.stringify(result)}` }],
+            isError: true,
+          };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_introspect",
+    "Introspect an access token",
+    {
+      token: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        if (!metadata.introspection_endpoint) {
+          return {
+            content: [{ type: "text", text: "Error: Introspection endpoint not supported" }],
+            isError: true,
+          };
+        }
+        const body = new URLSearchParams();
+        body.set("token", params.token);
+        body.set("client_id", config.clientId);
+        if (config.clientSecret) {
+          body.set("client_secret", config.clientSecret);
+        }
+        const response = await fetch(metadata.introspection_endpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+          },
+          body: body.toString(),
+        });
+        const result = await response.json();
+        if (!response.ok) {
+          return {
+            content: [{ type: "text", text: `Error: ${JSON.stringify(result)}` }],
+            isError: true,
+          };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_refresh",
+    "Refresh an access token",
+    {
+      refresh_token: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const metadata = await getDiscoveryMetadata(config);
+        const body = new URLSearchParams();
+        body.set("grant_type", "refresh_token");
+        body.set("refresh_token", params.refresh_token);
+        body.set("client_id", config.clientId);
+        if (config.clientSecret) {
+          body.set("client_secret", config.clientSecret);
+        }
+        const response = await fetch(metadata.token_endpoint, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+          },
+          body: body.toString(),
+        });
+        const result = await response.json();
+        if (!response.ok) {
+          return {
+            content: [{ type: "text", text: `Error: ${JSON.stringify(result)}` }],
+            isError: true,
+          };
+        }
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_whoami",
+    "Decode ID token to show identity (WARNING: signature is NOT verified, for debugging only)",
+    {
+      id_token: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        const parts = params.id_token.split(".");
+        if (parts.length !== 3) {
+          return { content: [{ type: "text", text: "Error: Invalid JWT format" }], isError: true };
+        }
+        const payload = JSON.parse(base64UrlDecode(parts[1]));
+        const result = {
+          _warning:
+            "UNVERIFIED - JWT signature was NOT checked. Do not trust these claims for authorization decisions.",
+          ...payload,
+        };
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_oidc_check_auth",
+    "Check if a URL requires authentication (only public URLs allowed, private/internal IPs blocked)",
+    {
+      url: z.string().url(),
+      access_token: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const config = registry.getOidcConfig(params.instance);
+        if (!config) {
+          return { content: [{ type: "text", text: "Error: OIDC not configured" }], isError: true };
+        }
+        if (!isUrlSafe(params.url)) {
+          return {
+            content: [
+              {
+                type: "text",
+                text: "Error: URL must be a public HTTP(S) URL. Private, loopback, and link-local addresses are blocked.",
+              },
+            ],
+            isError: true,
+          };
+        }
+        const response = await fetch(params.url, {
+          headers: {
+            Authorization: `Bearer ${params.access_token}`,
+          },
+          redirect: "manual",
+        });
+        const result = {
+          status: response.status,
+          statusText: response.statusText,
+          headers: Object.fromEntries(response.headers.entries()),
+        };
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+}

package/src/tools/secondfactors.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+import { TransportRegistry } from "../transport/registry.js";
+export function registerSecondFactorTools(server: McpServer, registry: TransportRegistry): void {
+  server.tool(
+    "llng_2fa_list",
+    "List user's 2FA devices",
+    {
+      user: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const transport = registry.getTransport(params.instance);
+        const result = await transport.secondFactorsGet(params.user);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_2fa_delete",
+    "Delete specific 2FA device(s)",
+    {
+      user: z.string(),
+      ids: z.array(z.string()),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const transport = registry.getTransport(params.instance);
+        await transport.secondFactorsDelete(params.user, params.ids);
+        return {
+          content: [
+            { type: "text", text: `Successfully deleted ${params.ids.length} 2FA device(s)` },
+          ],
+        };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+  server.tool(
+    "llng_2fa_delType",
+    "Delete all 2FA devices of a given type",
+    {
+      user: z.string(),
+      type: z.string(),
+      instance: z.string().optional().describe("LLNG instance name (uses default if omitted)"),
+    },
+    async (params) => {
+      try {
+        const transport = registry.getTransport(params.instance);
+        await transport.secondFactorsDelType(params.user, params.type);
+        return {
+          content: [
+            { type: "text", text: `Successfully deleted all '${params.type}' 2FA devices` },
+          ],
+        };
+      } catch (e: unknown) {
+        return {
+          content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true,
+        };
+      }
+    },
+  );
+}