mcp-google-gsc 1.0.15 → 1.1.0

package/dist/auth-cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export declare function run(argv?: string[]): Promise<void>;

package/dist/auth-cli.js

@@ -0,0 +1,292 @@
+#!/usr/bin/env node
+import { google } from "googleapis";
+import http from "http";
+import promptsImport from "prompts";
+import { URL } from "url";
+import { writeStoredCredentials, credentialsFilePath, CREDENTIALS_FILE_VERSION } from "./credentials.js";
+import { EMBEDDED_CLIENT_ID, EMBEDDED_CLIENT_SECRET } from "./embedded-secrets.js";
+import { classifyError, GscAuthError } from "./errors.js";
+import { findFreeLoopbackPort, openBrowser } from "./platform.js";
+import { logger, withResilience } from "./resilience.js";
+const prompts = promptsImport.default ?? promptsImport;
+const OAUTH_SCOPE = "https://www.googleapis.com/auth/webmasters.readonly";
+const OAUTH_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
+function parseArgs(argv) {
+  const args = { help: false };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--help" || a === "-h") args.help = true;
+    else if (a === "--site-url" && argv[i + 1]) {
+      args.siteUrl = argv[++i];
+    }
+  }
+  return args;
+}
+function printHelp() {
+  process.stdout.write(
+    [
+      "mcp-gsc-auth -- authorize Claude to access your Google Search Console data",
+      "",
+      "Usage:",
+      "  npx mcp-gsc-auth",
+      "  npx mcp-gsc-auth --site-url https://example.com/",
+      "",
+      "Options:",
+      "  --site-url <url>   Skip the site picker and use this property directly",
+      "  -h, --help         Show this help",
+      "",
+      `Credentials are written to: ${credentialsFilePath}`,
+      ""
+    ].join("\n")
+  );
+}
+function buildAuthUrl(clientId, redirectUri, state) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: OAUTH_SCOPE,
+    access_type: "offline",
+    prompt: "consent",
+    state
+  });
+  return `${OAUTH_AUTH_URL}?${params.toString()}`;
+}
+async function waitForAuthorizationCode(port, expectedState, authUrl) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const finish = (fn) => {
+      if (settled) return;
+      settled = true;
+      fn();
+    };
+    const server = http.createServer((req, res) => {
+      if (!req.url) {
+        res.writeHead(404).end();
+        return;
+      }
+      const parsed = new URL(req.url, `http://127.0.0.1:${port}`);
+      const code = parsed.searchParams.get("code");
+      const state = parsed.searchParams.get("state");
+      const error = parsed.searchParams.get("error");
+      if (error) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(renderPage("Authorization was denied", `Google returned: ${escapeHtml(error)}. Close this tab and re-run the command.`));
+        finish(() => {
+          server.close();
+          reject(new GscAuthError(`OAuth denied: ${error}`));
+        });
+        return;
+      }
+      if (!code) {
+        res.writeHead(204).end();
+        return;
+      }
+      if (state !== expectedState) {
+        res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(renderPage("Security check failed", "The state parameter did not match. Please re-run the command."));
+        finish(() => {
+          server.close();
+          reject(new GscAuthError("OAuth state mismatch"));
+        });
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(renderPage("Signed in successfully", "You can close this tab and return to the terminal."));
+      finish(() => {
+        setTimeout(() => server.close(), 200);
+        resolve({ code, state });
+      });
+    });
+    server.on("error", (err) => {
+      finish(() => reject(new Error(`Loopback server failed: ${err.message}`)));
+    });
+    server.listen(port, "127.0.0.1", () => {
+      process.stderr.write(`
+Opening your browser to sign in with Google...
+`);
+      process.stderr.write(`If it doesn't open automatically, visit:
+  ${authUrl}
+
+`);
+      openBrowser(authUrl).catch((err) => {
+        logger.warn({ err: err.message }, "openBrowser failed");
+      });
+    });
+    setTimeout(() => {
+      finish(() => {
+        server.close();
+        reject(new Error("Timed out waiting for OAuth callback (5 minutes)."));
+      });
+    }, 5 * 60 * 1e3);
+  });
+}
+function renderPage(title, body) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8"><title>${escapeHtml(title)}</title>
+  <style>body{font:15px -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;max-width:480px;margin:80px auto;padding:0 24px;color:#222}h1{font-size:22px;margin-bottom:12px}p{line-height:1.5}</style>
+</head>
+<body><h1>${escapeHtml(title)}</h1><p>${escapeHtml(body)}</p></body>
+</html>`;
+}
+function escapeHtml(s) {
+  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
+}
+async function exchangeCodeForTokens(code, clientId, clientSecret, redirectUri) {
+  return withResilience(async () => {
+    const body = new URLSearchParams({
+      code,
+      client_id: clientId,
+      client_secret: clientSecret,
+      redirect_uri: redirectUri,
+      grant_type: "authorization_code"
+    });
+    const res = await fetch(OAUTH_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    const json = await res.json();
+    if (!res.ok || json.error) {
+      const err = new Error(
+        `Token exchange failed: ${json.error_description || json.error || res.statusText}`
+      );
+      err.status = res.status;
+      err.code = res.status;
+      throw err;
+    }
+    return json;
+  }, "oauth.exchangeCode");
+}
+async function enumerateSites(accessToken) {
+  const oauth2Client = new google.auth.OAuth2();
+  oauth2Client.setCredentials({ access_token: accessToken });
+  const svc = google.searchconsole({ version: "v1", auth: oauth2Client });
+  const resp = await withResilience(
+    () => svc.sites.list(),
+    "auth.listSites"
+  );
+  const sites = (resp.data.siteEntry || []).map((entry) => ({
+    siteUrl: entry.siteUrl || "",
+    permissionLevel: entry.permissionLevel || ""
+  }));
+  if (sites.length === 0) {
+    throw new GscAuthError(
+      "No Search Console properties found for this Google account. Make sure you signed in with an account that has access to at least one property."
+    );
+  }
+  return sites;
+}
+async function pickSite(sites, presetSiteUrl) {
+  if (presetSiteUrl) {
+    const match = sites.find((s) => s.siteUrl === presetSiteUrl);
+    if (!match) {
+      throw new Error(
+        `--site-url "${presetSiteUrl}" was not found among ${sites.length} accessible properties. Remove the flag to pick interactively.`
+      );
+    }
+    return match;
+  }
+  if (sites.length === 1) {
+    process.stderr.write(`
+Only one property accessible: ${sites[0].siteUrl}. Auto-selecting.
+`);
+    return sites[0];
+  }
+  const choices = sites.map((site) => ({
+    title: `${site.siteUrl}  (${site.permissionLevel})`,
+    value: site
+  }));
+  const response = await prompts(
+    {
+      type: "select",
+      name: "site",
+      message: "Which Search Console property should Claude use by default?",
+      choices,
+      initial: 0
+    },
+    {
+      onCancel: () => {
+        throw new Error("Cancelled by user");
+      }
+    }
+  );
+  if (!response.site) throw new Error("No site selected");
+  return response.site;
+}
+async function run(argv = process.argv.slice(2)) {
+  const args = parseArgs(argv);
+  if (args.help) {
+    printHelp();
+    return;
+  }
+  const clientId = process.env.GOOGLE_GSC_CLIENT_ID?.trim() || EMBEDDED_CLIENT_ID;
+  const clientSecret = process.env.GOOGLE_GSC_CLIENT_SECRET?.trim() || EMBEDDED_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    process.stderr.write(
+      "This build of mcp-gsc was published without embedded OAuth credentials.\nSet GOOGLE_GSC_CLIENT_ID and GOOGLE_GSC_CLIENT_SECRET in your environment.\n"
+    );
+    process.exit(2);
+  }
+  const port = await findFreeLoopbackPort();
+  const redirectUri = `http://127.0.0.1:${port}`;
+  const state = randomState();
+  const authUrl = buildAuthUrl(clientId, redirectUri, state);
+  process.stderr.write("\n=== mcp-gsc authentication ===\n");
+  const { code } = await waitForAuthorizationCode(port, state, authUrl);
+  process.stderr.write("Authorization code received. Exchanging for tokens...\n");
+  const tokens = await exchangeCodeForTokens(code, clientId, clientSecret, redirectUri);
+  if (!tokens.refresh_token) {
+    throw new GscAuthError(
+      "Google did not return a refresh token. This can happen if you previously granted consent to this app. Revoke access at https://myaccount.google.com/permissions and try again."
+    );
+  }
+  process.stderr.write("Tokens received. Fetching accessible Search Console properties...\n");
+  const sites = await enumerateSites(tokens.access_token);
+  const chosen = await pickSite(sites, args.siteUrl);
+  const stored = {
+    version: CREDENTIALS_FILE_VERSION,
+    refresh_token: tokens.refresh_token,
+    site_urls: sites.map((s) => s.siteUrl),
+    primary_site_url: chosen.siteUrl,
+    obtained_at: (/* @__PURE__ */ new Date()).toISOString(),
+    scopes: [OAUTH_SCOPE]
+  };
+  writeStoredCredentials(stored);
+  process.stderr.write(
+    [
+      "",
+      "Done.",
+      "",
+      `  Property:   ${chosen.siteUrl}`,
+      `  Permission: ${chosen.permissionLevel}`,
+      `  Saved to:   ${credentialsFilePath}`,
+      "",
+      "Next step: fully quit Claude Desktop (Cmd+Q / File > Exit) and reopen it.",
+      'Then try: "List my Search Console properties"',
+      ""
+    ].join("\n")
+  );
+}
+function randomState() {
+  const bytes = new Uint8Array(16);
+  globalThis.crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+const isMain = import.meta.url === `file://${process.argv[1]}` || process.argv[1]?.endsWith("/auth-cli.js") || process.argv[1]?.endsWith("\\auth-cli.js");
+if (isMain) {
+  run().catch((err) => {
+    const classified = classifyError(err);
+    process.stderr.write(`
+${classified.message}
+`);
+    process.exit(1);
+  });
+}
+export {
+  run
+};
+//# sourceMappingURL=auth-cli.js.map

package/dist/auth-cli.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/auth-cli.ts"],
+  "sourcesContent": ["#!/usr/bin/env node\n// ============================================\n// mcp-gsc-auth -- one-time OAuth + site selection\n// ============================================\n// Flow:\n//   1. Loopback HTTP listener on a free port\n//   2. Open browser to Google OAuth consent screen (webmasters.readonly scope)\n//   3. Exchange code for tokens\n//   4. Enumerate accessible GSC sites\n//   5. User picks which site to use as default\n//   6. Write credentials to ~/.config/mcp-gsc-nodejs/credentials.json\n\nimport { google } from \"googleapis\";\nimport http from \"http\";\nimport promptsImport from \"prompts\";\nimport { URL } from \"url\";\nimport { writeStoredCredentials, credentialsFilePath, CREDENTIALS_FILE_VERSION, type StoredCredentials } from \"./credentials.js\";\nimport { EMBEDDED_CLIENT_ID, EMBEDDED_CLIENT_SECRET } from \"./embedded-secrets.js\";\nimport { classifyError, GscAuthError } from \"./errors.js\";\nimport { findFreeLoopbackPort, openBrowser } from \"./platform.js\";\nimport { logger, withResilience } from \"./resilience.js\";\n\nconst prompts = (promptsImport as unknown as { default?: typeof promptsImport }).default ?? promptsImport;\n\nconst OAUTH_SCOPE = \"https://www.googleapis.com/auth/webmasters.readonly\";\nconst OAUTH_AUTH_URL = \"https://accounts.google.com/o/oauth2/v2/auth\";\nconst OAUTH_TOKEN_URL = \"https://oauth2.googleapis.com/token\";\n\ninterface CliArgs {\n  siteUrl?: string;\n  help: boolean;\n}\n\nfunction parseArgs(argv: string[]): CliArgs {\n  const args: CliArgs = { help: false };\n  for (let i = 0; i < argv.length; i++) {\n    const a = argv[i];\n    if (a === \"--help\" || a === \"-h\") args.help = true;\n    else if (a === \"--site-url\" && argv[i + 1]) {\n      args.siteUrl = argv[++i];\n    }\n  }\n  return args;\n}\n\nfunction printHelp(): void {\n  process.stdout.write(\n    [\n      \"mcp-gsc-auth -- authorize Claude to access your Google Search Console data\",\n      \"\",\n      \"Usage:\",\n      \"  npx mcp-gsc-auth\",\n      \"  npx mcp-gsc-auth --site-url https://example.com/\",\n      \"\",\n      \"Options:\",\n      \"  --site-url <url>   Skip the site picker and use this property directly\",\n      \"  -h, --help         Show this help\",\n      \"\",\n      `Credentials are written to: ${credentialsFilePath}`,\n      \"\",\n    ].join(\"\\n\"),\n  );\n}\n\n// ============================================\n// OAUTH: LOOPBACK REDIRECT FLOW\n// ============================================\n\nfunction buildAuthUrl(clientId: string, redirectUri: string, state: string): string {\n  const params = new URLSearchParams({\n    client_id: clientId,\n    redirect_uri: redirectUri,\n    response_type: \"code\",\n    scope: OAUTH_SCOPE,\n    access_type: \"offline\",\n    prompt: \"consent\",\n    state,\n  });\n  return `${OAUTH_AUTH_URL}?${params.toString()}`;\n}\n\ninterface AuthorizationCode {\n  code: string;\n  state: string;\n}\n\nasync function waitForAuthorizationCode(\n  port: number,\n  expectedState: string,\n  authUrl: string,\n): Promise<AuthorizationCode> {\n  return new Promise<AuthorizationCode>((resolve, reject) => {\n    let settled = false;\n    const finish = (fn: () => void) => {\n      if (settled) return;\n      settled = true;\n      fn();\n    };\n\n    const server = http.createServer((req, res) => {\n      if (!req.url) {\n        res.writeHead(404).end();\n        return;\n      }\n      const parsed = new URL(req.url, `http://127.0.0.1:${port}`);\n      const code = parsed.searchParams.get(\"code\");\n      const state = parsed.searchParams.get(\"state\");\n      const error = parsed.searchParams.get(\"error\");\n\n      if (error) {\n        res.writeHead(400, { \"Content-Type\": \"text/html; charset=utf-8\" });\n        res.end(renderPage(\"Authorization was denied\", `Google returned: ${escapeHtml(error)}. Close this tab and re-run the command.`));\n        finish(() => { server.close(); reject(new GscAuthError(`OAuth denied: ${error}`)); });\n        return;\n      }\n\n      if (!code) {\n        res.writeHead(204).end();\n        return;\n      }\n\n      if (state !== expectedState) {\n        res.writeHead(400, { \"Content-Type\": \"text/html; charset=utf-8\" });\n        res.end(renderPage(\"Security check failed\", \"The state parameter did not match. Please re-run the command.\"));\n        finish(() => { server.close(); reject(new GscAuthError(\"OAuth state mismatch\")); });\n        return;\n      }\n\n      res.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n      res.end(renderPage(\"Signed in successfully\", \"You can close this tab and return to the terminal.\"));\n      finish(() => {\n        setTimeout(() => server.close(), 200);\n        resolve({ code, state });\n      });\n    });\n\n    server.on(\"error\", (err) => {\n      finish(() => reject(new Error(`Loopback server failed: ${err.message}`)));\n    });\n\n    server.listen(port, \"127.0.0.1\", () => {\n      process.stderr.write(`\\nOpening your browser to sign in with Google...\\n`);\n      process.stderr.write(`If it doesn't open automatically, visit:\\n  ${authUrl}\\n\\n`);\n      openBrowser(authUrl).catch((err) => {\n        logger.warn({ err: err.message }, \"openBrowser failed\");\n      });\n    });\n\n    setTimeout(() => {\n      finish(() => { server.close(); reject(new Error(\"Timed out waiting for OAuth callback (5 minutes).\")); });\n    }, 5 * 60 * 1000);\n  });\n}\n\nfunction renderPage(title: string, body: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\"><title>${escapeHtml(title)}</title>\n  <style>body{font:15px -apple-system,BlinkMacSystemFont,\"Segoe UI\",Roboto,sans-serif;max-width:480px;margin:80px auto;padding:0 24px;color:#222}h1{font-size:22px;margin-bottom:12px}p{line-height:1.5}</style>\n</head>\n<body><h1>${escapeHtml(title)}</h1><p>${escapeHtml(body)}</p></body>\n</html>`;\n}\n\nfunction escapeHtml(s: string): string {\n  return s.replace(/[&<>\"']/g, (c) => ({ \"&\": \"&amp;\", \"<\": \"&lt;\", \">\": \"&gt;\", '\"': \"&quot;\", \"'\": \"&#39;\" })[c]!);\n}\n\n// ============================================\n// TOKEN EXCHANGE\n// ============================================\n\ninterface TokenResponse {\n  access_token: string;\n  refresh_token: string;\n  expires_in: number;\n  scope: string;\n  token_type: string;\n}\n\nasync function exchangeCodeForTokens(\n  code: string,\n  clientId: string,\n  clientSecret: string,\n  redirectUri: string,\n): Promise<TokenResponse> {\n  return withResilience(async () => {\n    const body = new URLSearchParams({\n      code,\n      client_id: clientId,\n      client_secret: clientSecret,\n      redirect_uri: redirectUri,\n      grant_type: \"authorization_code\",\n    });\n    const res = await fetch(OAUTH_TOKEN_URL, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n      body: body.toString(),\n    });\n    const json = (await res.json()) as Record<string, unknown>;\n    if (!res.ok || json.error) {\n      const err = new Error(\n        `Token exchange failed: ${json.error_description || json.error || res.statusText}`,\n      );\n      (err as any).status = res.status;\n      (err as any).code = res.status;\n      throw err;\n    }\n    return json as unknown as TokenResponse;\n  }, \"oauth.exchangeCode\");\n}\n\n// ============================================\n// SITE ENUMERATION\n// ============================================\n\ninterface GscSite {\n  siteUrl: string;\n  permissionLevel: string;\n}\n\nasync function enumerateSites(accessToken: string): Promise<GscSite[]> {\n  const oauth2Client = new google.auth.OAuth2();\n  oauth2Client.setCredentials({ access_token: accessToken });\n\n  const svc = google.searchconsole({ version: \"v1\", auth: oauth2Client });\n  const resp = await withResilience(\n    () => svc.sites.list(),\n    \"auth.listSites\",\n  );\n\n  const sites = (resp.data.siteEntry || []).map((entry) => ({\n    siteUrl: entry.siteUrl || \"\",\n    permissionLevel: entry.permissionLevel || \"\",\n  }));\n\n  if (sites.length === 0) {\n    throw new GscAuthError(\n      \"No Search Console properties found for this Google account. \" +\n        \"Make sure you signed in with an account that has access to at least one property.\",\n    );\n  }\n\n  return sites;\n}\n\n// ============================================\n// PICKER\n// ============================================\n\nasync function pickSite(sites: GscSite[], presetSiteUrl?: string): Promise<GscSite> {\n  if (presetSiteUrl) {\n    const match = sites.find((s) => s.siteUrl === presetSiteUrl);\n    if (!match) {\n      throw new Error(\n        `--site-url \"${presetSiteUrl}\" was not found among ${sites.length} accessible properties. ` +\n          `Remove the flag to pick interactively.`,\n      );\n    }\n    return match;\n  }\n\n  if (sites.length === 1) {\n    process.stderr.write(`\\nOnly one property accessible: ${sites[0].siteUrl}. Auto-selecting.\\n`);\n    return sites[0];\n  }\n\n  const choices = sites.map((site) => ({\n    title: `${site.siteUrl}  (${site.permissionLevel})`,\n    value: site,\n  }));\n\n  const response = await prompts(\n    {\n      type: \"select\",\n      name: \"site\",\n      message: \"Which Search Console property should Claude use by default?\",\n      choices,\n      initial: 0,\n    },\n    {\n      onCancel: () => { throw new Error(\"Cancelled by user\"); },\n    },\n  );\n\n  if (!response.site) throw new Error(\"No site selected\");\n  return response.site as GscSite;\n}\n\n// ============================================\n// MAIN\n// ============================================\n\nexport async function run(argv: string[] = process.argv.slice(2)): Promise<void> {\n  const args = parseArgs(argv);\n  if (args.help) {\n    printHelp();\n    return;\n  }\n\n  const clientId = process.env.GOOGLE_GSC_CLIENT_ID?.trim() || EMBEDDED_CLIENT_ID;\n  const clientSecret = process.env.GOOGLE_GSC_CLIENT_SECRET?.trim() || EMBEDDED_CLIENT_SECRET;\n\n  if (!clientId || !clientSecret) {\n    process.stderr.write(\n      \"This build of mcp-gsc was published without embedded OAuth credentials.\\n\" +\n        \"Set GOOGLE_GSC_CLIENT_ID and GOOGLE_GSC_CLIENT_SECRET in your environment.\\n\",\n    );\n    process.exit(2);\n  }\n\n  const port = await findFreeLoopbackPort();\n  const redirectUri = `http://127.0.0.1:${port}`;\n  const state = randomState();\n  const authUrl = buildAuthUrl(clientId, redirectUri, state);\n\n  process.stderr.write(\"\\n=== mcp-gsc authentication ===\\n\");\n\n  const { code } = await waitForAuthorizationCode(port, state, authUrl);\n  process.stderr.write(\"Authorization code received. Exchanging for tokens...\\n\");\n\n  const tokens = await exchangeCodeForTokens(code, clientId, clientSecret, redirectUri);\n  if (!tokens.refresh_token) {\n    throw new GscAuthError(\n      \"Google did not return a refresh token. This can happen if you previously granted consent \" +\n        \"to this app. Revoke access at https://myaccount.google.com/permissions and try again.\",\n    );\n  }\n  process.stderr.write(\"Tokens received. Fetching accessible Search Console properties...\\n\");\n\n  const sites = await enumerateSites(tokens.access_token);\n  const chosen = await pickSite(sites, args.siteUrl);\n\n  const stored: StoredCredentials = {\n    version: CREDENTIALS_FILE_VERSION,\n    refresh_token: tokens.refresh_token,\n    site_urls: sites.map((s) => s.siteUrl),\n    primary_site_url: chosen.siteUrl,\n    obtained_at: new Date().toISOString(),\n    scopes: [OAUTH_SCOPE],\n  };\n  writeStoredCredentials(stored);\n\n  process.stderr.write(\n    [\n      \"\",\n      \"Done.\",\n      \"\",\n      `  Property:   ${chosen.siteUrl}`,\n      `  Permission: ${chosen.permissionLevel}`,\n      `  Saved to:   ${credentialsFilePath}`,\n      \"\",\n      \"Next step: fully quit Claude Desktop (Cmd+Q / File > Exit) and reopen it.\",\n      'Then try: \"List my Search Console properties\"',\n      \"\",\n    ].join(\"\\n\"),\n  );\n}\n\nfunction randomState(): string {\n  const bytes = new Uint8Array(16);\n  (globalThis.crypto as Crypto).getRandomValues(bytes);\n  return Array.from(bytes).map((b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\n// ============================================\n// ENTRY\n// ============================================\n\nconst isMain =\n  import.meta.url === `file://${process.argv[1]}` ||\n  process.argv[1]?.endsWith(\"/auth-cli.js\") ||\n  process.argv[1]?.endsWith(\"\\\\auth-cli.js\");\n\nif (isMain) {\n  run().catch((err) => {\n    const classified = classifyError(err);\n    process.stderr.write(`\\n${classified.message}\\n`);\n    process.exit(1);\n  });\n}\n"],
+  "mappings": ";AAYA,SAAS,cAAc;AACvB,OAAO,UAAU;AACjB,OAAO,mBAAmB;AAC1B,SAAS,WAAW;AACpB,SAAS,wBAAwB,qBAAqB,gCAAwD;AAC9G,SAAS,oBAAoB,8BAA8B;AAC3D,SAAS,eAAe,oBAAoB;AAC5C,SAAS,sBAAsB,mBAAmB;AAClD,SAAS,QAAQ,sBAAsB;AAEvC,MAAM,UAAW,cAAgE,WAAW;AAE5F,MAAM,cAAc;AACpB,MAAM,iBAAiB;AACvB,MAAM,kBAAkB;AAOxB,SAAS,UAAU,MAAyB;AAC1C,QAAM,OAAgB,EAAE,MAAM,MAAM;AACpC,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,MAAM,YAAY,MAAM,KAAM,MAAK,OAAO;AAAA,aACrC,MAAM,gBAAgB,KAAK,IAAI,CAAC,GAAG;AAC1C,WAAK,UAAU,KAAK,EAAE,CAAC;AAAA,IACzB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAkB;AACzB,UAAQ,OAAO;AAAA,IACb;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,+BAA+B,mBAAmB;AAAA,MAClD;AAAA,IACF,EAAE,KAAK,IAAI;AAAA,EACb;AACF;AAMA,SAAS,aAAa,UAAkB,aAAqB,OAAuB;AAClF,QAAM,SAAS,IAAI,gBAAgB;AAAA,IACjC,WAAW;AAAA,IACX,cAAc;AAAA,IACd,eAAe;AAAA,IACf,OAAO;AAAA,IACP,aAAa;AAAA,IACb,QAAQ;AAAA,IACR;AAAA,EACF,CAAC;AACD,SAAO,GAAG,cAAc,IAAI,OAAO,SAAS,CAAC;AAC/C;AAOA,eAAe,yBACb,MACA,eACA,SAC4B;AAC5B,SAAO,IAAI,QAA2B,CAAC,SAAS,WAAW;AACzD,QAAI,UAAU;AACd,UAAM,SAAS,CAAC,OAAmB;AACjC,UAAI,QAAS;AACb,gBAAU;AACV,SAAG;AAAA,IACL;AAEA,UAAM,SAAS,KAAK,aAAa,CAAC,KAAK,QAAQ;AAC7C,UAAI,CAAC,IAAI,KAAK;AACZ,YAAI,UAAU,GAAG,EAAE,IAAI;AACvB;AAAA,MACF;AACA,YAAM,SAAS,IAAI,IAAI,IAAI,KAAK,oBAAoB,IAAI,EAAE;AAC1D,YAAM,OAAO,OAAO,aAAa,IAAI,MAAM;AAC3C,YAAM,QAAQ,OAAO,aAAa,IAAI,OAAO;AAC7C,YAAM,QAAQ,OAAO,aAAa,IAAI,OAAO;AAE7C,UAAI,OAAO;AACT,YAAI,UAAU,KAAK,EAAE,gBAAgB,2BAA2B,CAAC;AACjE,YAAI,IAAI,WAAW,4BAA4B,oBAAoB,WAAW,KAAK,CAAC,0CAA0C,CAAC;AAC/H,eAAO,MAAM;AAAE,iBAAO,MAAM;AAAG,iBAAO,IAAI,aAAa,iBAAiB,KAAK,EAAE,CAAC;AAAA,QAAG,CAAC;AACpF;AAAA,MACF;AAEA,UAAI,CAAC,MAAM;AACT,YAAI,UAAU,GAAG,EAAE,IAAI;AACvB;AAAA,MACF;AAEA,UAAI,UAAU,eAAe;AAC3B,YAAI,UAAU,KAAK,EAAE,gBAAgB,2BAA2B,CAAC;AACjE,YAAI,IAAI,WAAW,yBAAyB,+DAA+D,CAAC;AAC5G,eAAO,MAAM;AAAE,iBAAO,MAAM;AAAG,iBAAO,IAAI,aAAa,sBAAsB,CAAC;AAAA,QAAG,CAAC;AAClF;AAAA,MACF;AAEA,UAAI,UAAU,KAAK,EAAE,gBAAgB,2BAA2B,CAAC;AACjE,UAAI,IAAI,WAAW,0BAA0B,oDAAoD,CAAC;AAClG,aAAO,MAAM;AACX,mBAAW,MAAM,OAAO,MAAM,GAAG,GAAG;AACpC,gBAAQ,EAAE,MAAM,MAAM,CAAC;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAED,WAAO,GAAG,SAAS,CAAC,QAAQ;AAC1B,aAAO,MAAM,OAAO,IAAI,MAAM,2BAA2B,IAAI,OAAO,EAAE,CAAC,CAAC;AAAA,IAC1E,CAAC;AAED,WAAO,OAAO,MAAM,aAAa,MAAM;AACrC,cAAQ,OAAO,MAAM;AAAA;AAAA,CAAoD;AACzE,cAAQ,OAAO,MAAM;AAAA,IAA+C,OAAO;AAAA;AAAA,CAAM;AACjF,kBAAY,OAAO,EAAE,MAAM,CAAC,QAAQ;AAClC,eAAO,KAAK,EAAE,KAAK,IAAI,QAAQ,GAAG,oBAAoB;AAAA,MACxD,CAAC;AAAA,IACH,CAAC;AAED,eAAW,MAAM;AACf,aAAO,MAAM;AAAE,eAAO,MAAM;AAAG,eAAO,IAAI,MAAM,mDAAmD,CAAC;AAAA,MAAG,CAAC;AAAA,IAC1G,GAAG,IAAI,KAAK,GAAI;AAAA,EAClB,CAAC;AACH;AAEA,SAAS,WAAW,OAAe,MAAsB;AACvD,SAAO;AAAA;AAAA;AAAA,iCAGwB,WAAW,KAAK,CAAC;AAAA;AAAA;AAAA,YAGtC,WAAW,KAAK,CAAC,WAAW,WAAW,IAAI,CAAC;AAAA;AAExD;AAEA,SAAS,WAAW,GAAmB;AACrC,SAAO,EAAE,QAAQ,YAAY,CAAC,OAAO,EAAE,KAAK,SAAS,KAAK,QAAQ,KAAK,QAAQ,KAAK,UAAU,KAAK,QAAQ,GAAG,CAAC,CAAE;AACnH;AAcA,eAAe,sBACb,MACA,UACA,cACA,aACwB;AACxB,SAAO,eAAe,YAAY;AAChC,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B;AAAA,MACA,WAAW;AAAA,MACX,eAAe;AAAA,MACf,cAAc;AAAA,MACd,YAAY;AAAA,IACd,CAAC;AACD,UAAM,MAAM,MAAM,MAAM,iBAAiB;AAAA,MACvC,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,QAAI,CAAC,IAAI,MAAM,KAAK,OAAO;AACzB,YAAM,MAAM,IAAI;AAAA,QACd,0BAA0B,KAAK,qBAAqB,KAAK,SAAS,IAAI,UAAU;AAAA,MAClF;AACA,MAAC,IAAY,SAAS,IAAI;AAC1B,MAAC,IAAY,OAAO,IAAI;AACxB,YAAM;AAAA,IACR;AACA,WAAO;AAAA,EACT,GAAG,oBAAoB;AACzB;AAWA,eAAe,eAAe,aAAyC;AACrE,QAAM,eAAe,IAAI,OAAO,KAAK,OAAO;AAC5C,eAAa,eAAe,EAAE,cAAc,YAAY,CAAC;AAEzD,QAAM,MAAM,OAAO,cAAc,EAAE,SAAS,MAAM,MAAM,aAAa,CAAC;AACtE,QAAM,OAAO,MAAM;AAAA,IACjB,MAAM,IAAI,MAAM,KAAK;AAAA,IACrB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,KAAK,aAAa,CAAC,GAAG,IAAI,CAAC,WAAW;AAAA,IACxD,SAAS,MAAM,WAAW;AAAA,IAC1B,iBAAiB,MAAM,mBAAmB;AAAA,EAC5C,EAAE;AAEF,MAAI,MAAM,WAAW,GAAG;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,SAAO;AACT;AAMA,eAAe,SAAS,OAAkB,eAA0C;AAClF,MAAI,eAAe;AACjB,UAAM,QAAQ,MAAM,KAAK,CAAC,MAAM,EAAE,YAAY,aAAa;AAC3D,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR,eAAe,aAAa,yBAAyB,MAAM,MAAM;AAAA,MAEnE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,WAAW,GAAG;AACtB,YAAQ,OAAO,MAAM;AAAA,gCAAmC,MAAM,CAAC,EAAE,OAAO;AAAA,CAAqB;AAC7F,WAAO,MAAM,CAAC;AAAA,EAChB;AAEA,QAAM,UAAU,MAAM,IAAI,CAAC,UAAU;AAAA,IACnC,OAAO,GAAG,KAAK,OAAO,MAAM,KAAK,eAAe;AAAA,IAChD,OAAO;AAAA,EACT,EAAE;AAEF,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT;AAAA,MACA,SAAS;AAAA,IACX;AAAA,IACA;AAAA,MACE,UAAU,MAAM;AAAE,cAAM,IAAI,MAAM,mBAAmB;AAAA,MAAG;AAAA,IAC1D;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,KAAM,OAAM,IAAI,MAAM,kBAAkB;AACtD,SAAO,SAAS;AAClB;AAMA,eAAsB,IAAI,OAAiB,QAAQ,KAAK,MAAM,CAAC,GAAkB;AAC/E,QAAM,OAAO,UAAU,IAAI;AAC3B,MAAI,KAAK,MAAM;AACb,cAAU;AACV;AAAA,EACF;AAEA,QAAM,WAAW,QAAQ,IAAI,sBAAsB,KAAK,KAAK;AAC7D,QAAM,eAAe,QAAQ,IAAI,0BAA0B,KAAK,KAAK;AAErE,MAAI,CAAC,YAAY,CAAC,cAAc;AAC9B,YAAQ,OAAO;AAAA,MACb;AAAA,IAEF;AACA,YAAQ,KAAK,CAAC;AAAA,EAChB;AAEA,QAAM,OAAO,MAAM,qBAAqB;AACxC,QAAM,cAAc,oBAAoB,IAAI;AAC5C,QAAM,QAAQ,YAAY;AAC1B,QAAM,UAAU,aAAa,UAAU,aAAa,KAAK;AAEzD,UAAQ,OAAO,MAAM,oCAAoC;AAEzD,QAAM,EAAE,KAAK,IAAI,MAAM,yBAAyB,MAAM,OAAO,OAAO;AACpE,UAAQ,OAAO,MAAM,yDAAyD;AAE9E,QAAM,SAAS,MAAM,sBAAsB,MAAM,UAAU,cAAc,WAAW;AACpF,MAAI,CAAC,OAAO,eAAe;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,UAAQ,OAAO,MAAM,qEAAqE;AAE1F,QAAM,QAAQ,MAAM,eAAe,OAAO,YAAY;AACtD,QAAM,SAAS,MAAM,SAAS,OAAO,KAAK,OAAO;AAEjD,QAAM,SAA4B;AAAA,IAChC,SAAS;AAAA,IACT,eAAe,OAAO;AAAA,IACtB,WAAW,MAAM,IAAI,CAAC,MAAM,EAAE,OAAO;AAAA,IACrC,kBAAkB,OAAO;AAAA,IACzB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC,QAAQ,CAAC,WAAW;AAAA,EACtB;AACA,yBAAuB,MAAM;AAE7B,UAAQ,OAAO;AAAA,IACb;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA,iBAAiB,OAAO,OAAO;AAAA,MAC/B,iBAAiB,OAAO,eAAe;AAAA,MACvC,iBAAiB,mBAAmB;AAAA,MACpC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,EAAE,KAAK,IAAI;AAAA,EACb;AACF;AAEA,SAAS,cAAsB;AAC7B,QAAM,QAAQ,IAAI,WAAW,EAAE;AAC/B,EAAC,WAAW,OAAkB,gBAAgB,KAAK;AACnD,SAAO,MAAM,KAAK,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AAC9E;AAMA,MAAM,SACJ,YAAY,QAAQ,UAAU,QAAQ,KAAK,CAAC,CAAC,MAC7C,QAAQ,KAAK,CAAC,GAAG,SAAS,cAAc,KACxC,QAAQ,KAAK,CAAC,GAAG,SAAS,eAAe;AAE3C,IAAI,QAAQ;AACV,MAAI,EAAE,MAAM,CAAC,QAAQ;AACnB,UAAM,aAAa,cAAc,GAAG;AACpC,YAAQ,OAAO,MAAM;AAAA,EAAK,WAAW,OAAO;AAAA,CAAI;AAChD,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;",
+  "names": []
+}

package/dist/build-info.json

@@ -1 +1,5 @@
-{"sha":"c08a06d","builtAt":"2026-04-09T23:19:07.636Z"}
+{
+  "sha": "095fb88",
+  "builtAt": "2026-04-16T22:43:18.103Z",
+  "embeddedSecrets": true
+}

package/dist/credentials.d.ts

@@ -0,0 +1,21 @@
+export declare const CREDENTIALS_FILE_VERSION = 1;
+export interface StoredCredentials {
+    version: number;
+    refresh_token: string;
+    site_urls: string[];
+    primary_site_url?: string;
+    obtained_at: string;
+    scopes: string[];
+}
+export interface ResolvedOAuthCredentials {
+    client_id: string;
+    client_secret: string;
+    refresh_token: string;
+    site_urls: string[];
+    primary_site_url: string;
+    source: "env" | "file" | "mixed";
+}
+export declare function readStoredCredentials(filePath?: string): StoredCredentials | null;
+export declare function writeStoredCredentials(creds: StoredCredentials, filePath?: string): void;
+export declare function resolveOAuthCredentials(credsFilePath?: string): ResolvedOAuthCredentials;
+export { configDir, credentialsFilePath } from "./platform.js";

package/dist/credentials.js

@@ -0,0 +1,93 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from "fs";
+import path from "path";
+import { EMBEDDED_CLIENT_ID, EMBEDDED_CLIENT_SECRET } from "./embedded-secrets.js";
+import { credentialsFilePath } from "./platform.js";
+import { logger } from "./resilience.js";
+const CREDENTIALS_FILE_VERSION = 1;
+const envTrimmed = (key) => (process.env[key] || "").trim().replace(/^["']|["']$/g, "");
+function readStoredCredentials(filePath = credentialsFilePath) {
+  if (!existsSync(filePath)) return null;
+  try {
+    const raw = readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== CREDENTIALS_FILE_VERSION) {
+      logger.warn(
+        { path: filePath, version: parsed.version, expected: CREDENTIALS_FILE_VERSION },
+        "Credentials file version mismatch"
+      );
+      return null;
+    }
+    return parsed;
+  } catch (err) {
+    logger.warn({ err, path: filePath }, "Failed to parse credentials file");
+    return null;
+  }
+}
+function writeStoredCredentials(creds, filePath = credentialsFilePath) {
+  const dir = path.dirname(filePath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  writeFileSync(filePath, JSON.stringify(creds, null, 2), { encoding: "utf-8" });
+  try {
+    chmodSync(filePath, 384);
+  } catch {
+  }
+}
+function resolveOAuthCredentials(credsFilePath = credentialsFilePath) {
+  const client_id = envTrimmed("GOOGLE_GSC_CLIENT_ID") || EMBEDDED_CLIENT_ID;
+  const client_secret = envTrimmed("GOOGLE_GSC_CLIENT_SECRET") || EMBEDDED_CLIENT_SECRET;
+  const stored = readStoredCredentials(credsFilePath);
+  const envRefresh = envTrimmed("GOOGLE_GSC_REFRESH_TOKEN");
+  const envSiteUrl = envTrimmed("GOOGLE_GSC_SITE_URL");
+  const refresh_token = envRefresh || stored?.refresh_token || "";
+  const site_urls = stored?.site_urls || [];
+  const primary_site_url = envSiteUrl || stored?.primary_site_url || site_urls[0] || "";
+  const source = envRefresh && stored ? "mixed" : envRefresh ? "env" : stored ? "file" : "env";
+  const missing = [];
+  if (!client_id) missing.push("client_id");
+  if (!client_secret) missing.push("client_secret");
+  if (!refresh_token) missing.push("refresh_token");
+  if (missing.length > 0) {
+    throw new Error(buildMissingCredentialsMessage(missing, Boolean(stored)));
+  }
+  return { client_id, client_secret, refresh_token, site_urls, primary_site_url, source };
+}
+function buildMissingCredentialsMessage(missing, hasFile) {
+  const runAuth = "npx mcp-gsc-auth";
+  const lines = [
+    `Missing GSC OAuth credentials: ${missing.join(", ")}.`,
+    ``,
+    `To get started, run:`,
+    `    ${runAuth}`,
+    ``,
+    `This will open your browser, walk you through Google sign-in, let you pick which`,
+    `Search Console property to use, and save the result to:`,
+    `    ${credentialsFilePath}`
+  ];
+  if (hasFile) {
+    lines.push(
+      ``,
+      `A credentials file exists at ${credentialsFilePath} but is missing required fields.`,
+      `Re-run the auth helper to refresh it.`
+    );
+  }
+  lines.push(
+    ``,
+    `Advanced: you can bypass the auth helper by setting these env vars:`,
+    `  GOOGLE_GSC_CLIENT_ID, GOOGLE_GSC_CLIENT_SECRET, GOOGLE_GSC_REFRESH_TOKEN`,
+    ``,
+    `Or use a service account: set GOOGLE_APPLICATION_CREDENTIALS to a JSON key file.`
+  );
+  return lines.join("\n");
+}
+import { configDir as configDir2, credentialsFilePath as credentialsFilePath2 } from "./platform.js";
+export {
+  CREDENTIALS_FILE_VERSION,
+  configDir2 as configDir,
+  credentialsFilePath2 as credentialsFilePath,
+  readStoredCredentials,
+  resolveOAuthCredentials,
+  writeStoredCredentials
+};
+//# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/credentials.ts"],
+  "sourcesContent": ["// ============================================\n// CREDENTIAL LOADING & PERSISTENCE\n// ============================================\n// Priority order:\n//   1. config.json + service account (existing multi-client setups)\n//   2. GOOGLE_GSC_* env vars (explicit override)\n//   3. Per-user OAuth credentials file (written by mcp-gsc-auth)\n//   4. EMBEDDED_* constants (client_id, client_secret from build-time)\n\nimport { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from \"fs\";\nimport path from \"path\";\nimport { EMBEDDED_CLIENT_ID, EMBEDDED_CLIENT_SECRET } from \"./embedded-secrets.js\";\nimport { configDir, credentialsFilePath } from \"./platform.js\";\nimport { logger } from \"./resilience.js\";\n\nexport const CREDENTIALS_FILE_VERSION = 1;\n\nexport interface StoredCredentials {\n  version: number;\n  refresh_token: string;\n  site_urls: string[];\n  primary_site_url?: string;\n  obtained_at: string;\n  scopes: string[];\n}\n\nexport interface ResolvedOAuthCredentials {\n  client_id: string;\n  client_secret: string;\n  refresh_token: string;\n  site_urls: string[];\n  primary_site_url: string;\n  source: \"env\" | \"file\" | \"mixed\";\n}\n\nconst envTrimmed = (key: string): string =>\n  (process.env[key] || \"\").trim().replace(/^[\"']|[\"']$/g, \"\");\n\n// ============================================\n// FILE I/O\n// ============================================\n\nexport function readStoredCredentials(filePath: string = credentialsFilePath): StoredCredentials | null {\n  if (!existsSync(filePath)) return null;\n  try {\n    const raw = readFileSync(filePath, \"utf-8\");\n    const parsed = JSON.parse(raw);\n    if (parsed.version !== CREDENTIALS_FILE_VERSION) {\n      logger.warn(\n        { path: filePath, version: parsed.version, expected: CREDENTIALS_FILE_VERSION },\n        \"Credentials file version mismatch\",\n      );\n      return null;\n    }\n    return parsed as StoredCredentials;\n  } catch (err) {\n    logger.warn({ err, path: filePath }, \"Failed to parse credentials file\");\n    return null;\n  }\n}\n\nexport function writeStoredCredentials(\n  creds: StoredCredentials,\n  filePath: string = credentialsFilePath,\n): void {\n  const dir = path.dirname(filePath);\n  if (!existsSync(dir)) {\n    mkdirSync(dir, { recursive: true });\n  }\n  writeFileSync(filePath, JSON.stringify(creds, null, 2), { encoding: \"utf-8\" });\n  try {\n    chmodSync(filePath, 0o600);\n  } catch {\n    // Best-effort on POSIX\n  }\n}\n\n// ============================================\n// RESOLVE (read-time priority chain)\n// ============================================\n\nexport function resolveOAuthCredentials(\n  credsFilePath: string = credentialsFilePath,\n): ResolvedOAuthCredentials {\n  const client_id = envTrimmed(\"GOOGLE_GSC_CLIENT_ID\") || EMBEDDED_CLIENT_ID;\n  const client_secret = envTrimmed(\"GOOGLE_GSC_CLIENT_SECRET\") || EMBEDDED_CLIENT_SECRET;\n\n  const stored = readStoredCredentials(credsFilePath);\n  const envRefresh = envTrimmed(\"GOOGLE_GSC_REFRESH_TOKEN\");\n  const envSiteUrl = envTrimmed(\"GOOGLE_GSC_SITE_URL\");\n\n  const refresh_token = envRefresh || stored?.refresh_token || \"\";\n  const site_urls = stored?.site_urls || [];\n  const primary_site_url = envSiteUrl || stored?.primary_site_url || site_urls[0] || \"\";\n\n  const source: ResolvedOAuthCredentials[\"source\"] =\n    envRefresh && stored ? \"mixed\" : envRefresh ? \"env\" : stored ? \"file\" : \"env\";\n\n  const missing: string[] = [];\n  if (!client_id) missing.push(\"client_id\");\n  if (!client_secret) missing.push(\"client_secret\");\n  if (!refresh_token) missing.push(\"refresh_token\");\n\n  if (missing.length > 0) {\n    throw new Error(buildMissingCredentialsMessage(missing, Boolean(stored)));\n  }\n\n  return { client_id, client_secret, refresh_token, site_urls, primary_site_url, source };\n}\n\nfunction buildMissingCredentialsMessage(missing: string[], hasFile: boolean): string {\n  const runAuth = \"npx mcp-gsc-auth\";\n  const lines: string[] = [\n    `Missing GSC OAuth credentials: ${missing.join(\", \")}.`,\n    ``,\n    `To get started, run:`,\n    `    ${runAuth}`,\n    ``,\n    `This will open your browser, walk you through Google sign-in, let you pick which`,\n    `Search Console property to use, and save the result to:`,\n    `    ${credentialsFilePath}`,\n  ];\n  if (hasFile) {\n    lines.push(\n      ``,\n      `A credentials file exists at ${credentialsFilePath} but is missing required fields.`,\n      `Re-run the auth helper to refresh it.`,\n    );\n  }\n  lines.push(\n    ``,\n    `Advanced: you can bypass the auth helper by setting these env vars:`,\n    `  GOOGLE_GSC_CLIENT_ID, GOOGLE_GSC_CLIENT_SECRET, GOOGLE_GSC_REFRESH_TOKEN`,\n    ``,\n    `Or use a service account: set GOOGLE_APPLICATION_CREDENTIALS to a JSON key file.`,\n  );\n  return lines.join(\"\\n\");\n}\n\nexport { configDir, credentialsFilePath } from \"./platform.js\";\n"],
+  "mappings": "AASA,SAAS,YAAY,WAAW,cAAc,eAAe,iBAAiB;AAC9E,OAAO,UAAU;AACjB,SAAS,oBAAoB,8BAA8B;AAC3D,SAAoB,2BAA2B;AAC/C,SAAS,cAAc;AAEhB,MAAM,2BAA2B;AAoBxC,MAAM,aAAa,CAAC,SACjB,QAAQ,IAAI,GAAG,KAAK,IAAI,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAMrD,SAAS,sBAAsB,WAAmB,qBAA+C;AACtG,MAAI,CAAC,WAAW,QAAQ,EAAG,QAAO;AAClC,MAAI;AACF,UAAM,MAAM,aAAa,UAAU,OAAO;AAC1C,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,QAAI,OAAO,YAAY,0BAA0B;AAC/C,aAAO;AAAA,QACL,EAAE,MAAM,UAAU,SAAS,OAAO,SAAS,UAAU,yBAAyB;AAAA,QAC9E;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,WAAO,KAAK,EAAE,KAAK,MAAM,SAAS,GAAG,kCAAkC;AACvE,WAAO;AAAA,EACT;AACF;AAEO,SAAS,uBACd,OACA,WAAmB,qBACb;AACN,QAAM,MAAM,KAAK,QAAQ,QAAQ;AACjC,MAAI,CAAC,WAAW,GAAG,GAAG;AACpB,cAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAAA,EACpC;AACA,gBAAc,UAAU,KAAK,UAAU,OAAO,MAAM,CAAC,GAAG,EAAE,UAAU,QAAQ,CAAC;AAC7E,MAAI;AACF,cAAU,UAAU,GAAK;AAAA,EAC3B,QAAQ;AAAA,EAER;AACF;AAMO,SAAS,wBACd,gBAAwB,qBACE;AAC1B,QAAM,YAAY,WAAW,sBAAsB,KAAK;AACxD,QAAM,gBAAgB,WAAW,0BAA0B,KAAK;AAEhE,QAAM,SAAS,sBAAsB,aAAa;AAClD,QAAM,aAAa,WAAW,0BAA0B;AACxD,QAAM,aAAa,WAAW,qBAAqB;AAEnD,QAAM,gBAAgB,cAAc,QAAQ,iBAAiB;AAC7D,QAAM,YAAY,QAAQ,aAAa,CAAC;AACxC,QAAM,mBAAmB,cAAc,QAAQ,oBAAoB,UAAU,CAAC,KAAK;AAEnF,QAAM,SACJ,cAAc,SAAS,UAAU,aAAa,QAAQ,SAAS,SAAS;AAE1E,QAAM,UAAoB,CAAC;AAC3B,MAAI,CAAC,UAAW,SAAQ,KAAK,WAAW;AACxC,MAAI,CAAC,cAAe,SAAQ,KAAK,eAAe;AAChD,MAAI,CAAC,cAAe,SAAQ,KAAK,eAAe;AAEhD,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI,MAAM,+BAA+B,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA,EAC1E;AAEA,SAAO,EAAE,WAAW,eAAe,eAAe,WAAW,kBAAkB,OAAO;AACxF;AAEA,SAAS,+BAA+B,SAAmB,SAA0B;AACnF,QAAM,UAAU;AAChB,QAAM,QAAkB;AAAA,IACtB,kCAAkC,QAAQ,KAAK,IAAI,CAAC;AAAA,IACpD;AAAA,IACA;AAAA,IACA,OAAO,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,mBAAmB;AAAA,EAC5B;AACA,MAAI,SAAS;AACX,UAAM;AAAA,MACJ;AAAA,MACA,gCAAgC,mBAAmB;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AACA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,aAAAA,YAAW,uBAAAC,4BAA2B;",
+  "names": ["configDir", "credentialsFilePath"]
+}

package/dist/embedded-secrets.d.ts

@@ -0,0 +1,3 @@
+export declare const EMBEDDED_CLIENT_ID: string;
+export declare const EMBEDDED_CLIENT_SECRET: string;
+export declare function hasEmbeddedSecrets(): boolean;

package/dist/embedded-secrets.js

@@ -0,0 +1,11 @@
+const EMBEDDED_CLIENT_ID = "557294086068-o7rb5neg65g28uf65j85q0h60cop40j9.apps.googleusercontent.com";
+const EMBEDDED_CLIENT_SECRET = "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";
+function hasEmbeddedSecrets() {
+  return EMBEDDED_CLIENT_ID.length > 10 && EMBEDDED_CLIENT_SECRET.length > 10;
+}
+export {
+  EMBEDDED_CLIENT_ID,
+  EMBEDDED_CLIENT_SECRET,
+  hasEmbeddedSecrets
+};
+//# sourceMappingURL=embedded-secrets.js.map

package/dist/embedded-secrets.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/embedded-secrets.ts"],
+  "sourcesContent": ["// ============================================\n// BUILD-TIME INJECTED SECRETS\n// ============================================\n// Replaced by esbuild --define at build time. In dev mode (tsx),\n// falls back to runtime env vars via credentials.ts.\n//\n// GSC only needs client_id + client_secret (no developer token).\n// Google Desktop OAuth client ID/secret are NOT true secrets per Google docs.\n\nexport const EMBEDDED_CLIENT_ID: string = process.env.EMBEDDED_CLIENT_ID || \"\";\nexport const EMBEDDED_CLIENT_SECRET: string = process.env.EMBEDDED_CLIENT_SECRET || \"\";\n\nexport function hasEmbeddedSecrets(): boolean {\n  return EMBEDDED_CLIENT_ID.length > 10 && EMBEDDED_CLIENT_SECRET.length > 10;\n}\n"],
+  "mappings": "AASO,MAAM,qBAA6B;AACnC,MAAM,yBAAiC;AAEvC,SAAS,qBAA8B;AAC5C,SAAO,mBAAmB,SAAS,MAAM,uBAAuB,SAAS;AAC3E;",
+  "names": []
+}

package/dist/errors.js

@@ -1,65 +1,58 @@
-// ============================================
-// TYPED ERRORS
-// ============================================
-export class GscAuthError extends Error {
-    cause;
-    constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "GscAuthError";
-    }
+class GscAuthError extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "GscAuthError";
+  }
 }
-export class GscRateLimitError extends Error {
-    retryAfterMs;
-    constructor(retryAfterMs, cause) {
-        super(`GSC rate limited, retry after ${retryAfterMs}ms`);
-        this.retryAfterMs = retryAfterMs;
-        this.name = "GscRateLimitError";
-        this.cause = cause;
-    }
+class GscRateLimitError extends Error {
+  constructor(retryAfterMs, cause) {
+    super(`GSC rate limited, retry after ${retryAfterMs}ms`);
+    this.retryAfterMs = retryAfterMs;
+    this.name = "GscRateLimitError";
+    this.cause = cause;
+  }
 }
-export class GscServiceError extends Error {
-    cause;
-    constructor(message, cause) {
-        super(message);
-        this.cause = cause;
-        this.name = "GscServiceError";
-    }
+class GscServiceError extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "GscServiceError";
+  }
 }
-// ============================================
-// STARTUP CREDENTIAL VALIDATION
-// ============================================
-export function validateCredentials(credentialsFile) {
-    const missing = [];
-    if (!credentialsFile || credentialsFile.trim() === "") {
-        missing.push("credentials_file (in config.json or GOOGLE_APPLICATION_CREDENTIALS env var)");
-    }
-    else if (credentialsFile.trim().length > 0 && credentialsFile.trim().length < 5) {
-        // Basic format validation: path should have reasonable length > 5 chars
-        missing.push("credentials_file (format: path too short, expected length > 5)");
-    }
-    return { valid: missing.length === 0, missing };
+function validateCredentials(credentialsFile) {
+  const missing = [];
+  if (!credentialsFile || credentialsFile.trim() === "") {
+    missing.push("credentials_file (in config.json or GOOGLE_APPLICATION_CREDENTIALS env var)");
+  } else if (credentialsFile.trim().length > 0 && credentialsFile.trim().length < 5) {
+    missing.push("credentials_file (format: path too short, expected length > 5)");
+  }
+  return { valid: missing.length === 0, missing };
 }
-export function classifyError(error) {
-    const message = error?.message || String(error);
-    const status = error?.code || error?.status;
-    // Check response body for error objects (REST API can return errors in body on 200)
-    const bodyError = error?.response?.body?.error || error?.data?.error || error?.errors?.[0];
-    if (status === 401 ||
-        status === 403 ||
-        message.includes("invalid_grant") ||
-        message.includes("PERMISSION_DENIED") ||
-        message.includes("access_denied") ||
-        message.includes("Invalid credentials") ||
-        bodyError?.code === 403) {
-        return new GscAuthError(`GSC auth failed: ${message}. Check service account credentials and permissions.`, error);
-    }
-    if (status === 429 || message.includes("rateLimitExceeded") || message.includes("RESOURCE_EXHAUSTED")) {
-        const retryMs = 60_000;
-        return new GscRateLimitError(retryMs, error);
-    }
-    if (status >= 500 || message.includes("INTERNAL") || message.includes("UNAVAILABLE")) {
-        return new GscServiceError(`GSC API server error: ${message}`, error);
-    }
-    return error;
+function classifyError(error) {
+  const message = error?.message || String(error);
+  const status = error?.code || error?.status;
+  const bodyError = error?.response?.body?.error || error?.data?.error || error?.errors?.[0];
+  if (status === 401 || status === 403 || message.includes("invalid_grant") || message.includes("PERMISSION_DENIED") || message.includes("access_denied") || message.includes("Invalid credentials") || bodyError?.code === 403) {
+    return new GscAuthError(
+      `GSC auth failed: ${message}. Check service account credentials and permissions.`,
+      error
+    );
+  }
+  if (status === 429 || message.includes("rateLimitExceeded") || message.includes("RESOURCE_EXHAUSTED")) {
+    const retryMs = 6e4;
+    return new GscRateLimitError(retryMs, error);
+  }
+  if (status >= 500 || message.includes("INTERNAL") || message.includes("UNAVAILABLE")) {
+    return new GscServiceError(`GSC API server error: ${message}`, error);
+  }
+  return error;
 }
+export {
+  GscAuthError,
+  GscRateLimitError,
+  GscServiceError,
+  classifyError,
+  validateCredentials
+};
+//# sourceMappingURL=errors.js.map