mcp-multi-jira 0.1.0 → 0.1.1

package/dist/cli.js

@@ -8,7 +8,7 @@ import { loadConfig, removeAccount, setAccount, setTokenStore, } from "./config/
 import { RemoteSession } from "./mcp/remote-session.js";
 import { startLocalServer } from "./mcp/server.js";
 import { SessionManager } from "./mcp/session-manager.js";
-import { DEFAULT_SCOPES, getStaticClientInfoFromEnv, loginWithDynamicOAuth, } from "./oauth/atlassian.js";
+import { DEFAULT_SCOPES, getStaticClientInfoFromEnv, isInvalidGrantError, loginWithDynamicOAuth, refreshTokensIfNeeded, } from "./oauth/atlassian.js";
 import { createTokenStore, getAuthStatusForAlias, } from "./security/token-store.js";
 import { info, setLogTarget, warn } from "./utils/log.js";
 import { PACKAGE_VERSION } from "./version.js";
@@ -133,12 +133,61 @@ function formatAuthStatus(status) {
             return "needs login";
         case "expired":
             return "expired";
+        case "invalid":
+            return "needs relogin";
         case "locked":
             return "locked";
         default:
             return "unknown";
     }
 }
+function shouldVerifyRefresh(tokens) {
+    if (!tokens || tokens.refreshInvalid) {
+        return false;
+    }
+    if (!tokens.refreshToken) {
+        return false;
+    }
+    return tokens.expiresAt < Date.now() + 5 * 60 * 1000;
+}
+async function resolveAuthStatusForList(options) {
+    const status = await getAuthStatusForAlias({
+        alias: options.alias,
+        tokenStore: options.tokenStore,
+        storeKind: options.storeKind,
+        allowPrompt: options.allowPrompt,
+    });
+    if (status.status !== "ok") {
+        return status;
+    }
+    const tokens = await options.tokenStore.get(options.alias);
+    if (!shouldVerifyRefresh(tokens)) {
+        return status;
+    }
+    try {
+        await refreshTokensIfNeeded({
+            alias: options.alias,
+            tokenStore: options.tokenStore,
+            scopes: options.scopes,
+            staticClientInfo: options.staticClientInfo,
+        });
+        return status;
+    }
+    catch (err) {
+        if (tokens && isInvalidGrantError(err)) {
+            await options.tokenStore.set(options.alias, {
+                ...tokens,
+                refreshInvalid: true,
+            });
+            return {
+                status: "invalid",
+                reason: `Stored refresh token is invalid. Run \`mcp-multi-jira login ${options.alias}\` to reauthenticate this account.`,
+            };
+        }
+        warn(`Failed to refresh tokens for ${options.alias}: ${String(err)}`);
+        return status;
+    }
+}
 function isRecord(value) {
     return Boolean(value) && typeof value === "object";
 }
@@ -386,14 +435,18 @@ async function handleListAccounts() {
     }
     const storeKind = resolveTokenStoreFromConfig(config);
     const tokenStore = await createTokenStore({ store: storeKind });
+    const scopes = resolveScopes();
+    const staticClientInfo = getStaticClientInfoFromEnv();
     const statusMap = new Map();
     for (const account of accounts) {
         try {
-            const status = await getAuthStatusForAlias({
+            const status = await resolveAuthStatusForList({
                 alias: account.alias,
                 tokenStore,
                 storeKind,
                 allowPrompt: process.stdin.isTTY,
+                scopes,
+                staticClientInfo,
             });
             statusMap.set(account.alias, formatAuthStatus(status));
         }
@@ -440,6 +493,7 @@ async function handleServe(options) {
         return;
     }
     await manager.connectAll();
+    manager.startBackgroundRefresh();
     await startLocalServer(manager, PACKAGE_VERSION);
 }
 function warnTokenStoreOverride(config) {

package/dist/mcp/remote-session.js

@@ -2,7 +2,7 @@ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import PQueue from "p-queue";
-import { MCP_SERVER_URL, MCP_SSE_URL, refreshTokensIfNeeded, } from "../oauth/atlassian.js";
+import { isInvalidGrantError, MCP_SERVER_URL, MCP_SSE_URL, refreshTokensIfNeeded, } from "../oauth/atlassian.js";
 import { debug, warn } from "../utils/log.js";
 import { PACKAGE_VERSION } from "../version.js";
 export class RemoteSession {
@@ -45,20 +45,68 @@ export class RemoteSession {
         }
         await this.loadPromise;
     }
+    async fetchRefreshedTokens() {
+        const alias = this.account.alias;
+        const refreshed = await refreshTokensIfNeeded({
+            alias,
+            tokenStore: this.tokenStore,
+            scopes: this.scopes,
+            staticClientInfo: this.staticClientInfo,
+        });
+        this.tokens = refreshed;
+        return refreshed;
+    }
+    async markRefreshTokenInvalid() {
+        if (!this.tokens || this.tokens.refreshInvalid) {
+            return;
+        }
+        const marked = { ...this.tokens, refreshInvalid: true };
+        await this.tokenStore.set(this.account.alias, marked);
+        this.tokens = marked;
+    }
+    async retryRefreshAfterReload(previousRefreshToken) {
+        const alias = this.account.alias;
+        const latest = await this.tokenStore.get(alias);
+        if (!latest?.refreshToken) {
+            return null;
+        }
+        if (latest.refreshToken === previousRefreshToken) {
+            return null;
+        }
+        this.tokens = latest;
+        try {
+            return await this.fetchRefreshedTokens();
+        }
+        catch (err) {
+            if (!isInvalidGrantError(err)) {
+                throw err;
+            }
+            return null;
+        }
+    }
+    async refreshTokensInner() {
+        const alias = this.account.alias;
+        const currentRefreshToken = this.tokens?.refreshToken;
+        try {
+            return await this.fetchRefreshedTokens();
+        }
+        catch (err) {
+            if (!isInvalidGrantError(err)) {
+                throw err;
+            }
+            const refreshed = await this.retryRefreshAfterReload(currentRefreshToken);
+            if (refreshed) {
+                return refreshed;
+            }
+            await this.markRefreshTokenInvalid();
+            throw new Error(`Stored refresh token is invalid for account ${alias}. Run \`mcp-multi-jira login ${alias}\` again.`);
+        }
+    }
     refreshTokens() {
         if (this.refreshPromise) {
             return this.refreshPromise;
         }
-        this.refreshPromise = (async () => {
-            const refreshed = await refreshTokensIfNeeded({
-                alias: this.account.alias,
-                tokenStore: this.tokenStore,
-                scopes: this.scopes,
-                staticClientInfo: this.staticClientInfo,
-            });
-            this.tokens = refreshed;
-            return refreshed;
-        })().finally(() => {
+        this.refreshPromise = this.refreshTokensInner().finally(() => {
             this.refreshPromise = null;
         });
         return this.refreshPromise;
@@ -72,13 +120,32 @@ export class RemoteSession {
     }
     async ensureValidTokens() {
         await this.ensureTokensLoaded();
+        if (!this.tokens) {
+            throw new Error("Missing tokens");
+        }
+        const now = Date.now();
+        if (this.tokens.refreshInvalid) {
+            if (this.tokens.expiresAt > now) {
+                return;
+            }
+            throw new Error(`Tokens for ${this.account.alias} have expired and the stored refresh token is invalid. Run login again.`);
+        }
         if (!this.tokenNeedsRefresh()) {
             return;
         }
-        if (!this.tokens?.refreshToken) {
+        if (!this.tokens.refreshToken) {
             throw new Error(`Tokens for ${this.account.alias} have expired and no refresh token is available.`);
         }
-        await this.refreshTokens();
+        if (this.tokens.expiresAt <= now) {
+            await this.refreshTokens();
+            return;
+        }
+        try {
+            await this.refreshTokens();
+        }
+        catch (err) {
+            warn(`[${this.account.alias}] Token refresh failed, continuing with existing access token: ${String(err)}`);
+        }
     }
     async connectStreamableHttp() {
         if (!this.tokens) {
@@ -183,6 +250,32 @@ export class RemoteSession {
             }
         });
     }
+    async refreshTokensInBackground() {
+        await this.ensureTokensLoaded();
+        if (!this.tokens) {
+            throw new Error("Missing tokens");
+        }
+        if (this.tokens.refreshInvalid) {
+            return;
+        }
+        if (!this.tokenNeedsRefresh()) {
+            return;
+        }
+        if (!this.tokens.refreshToken) {
+            return;
+        }
+        try {
+            await this.refreshTokens();
+        }
+        catch (err) {
+            const now = Date.now();
+            if (this.tokens.expiresAt > now) {
+                warn(`[${this.account.alias}] Background token refresh failed, continuing with existing access token: ${String(err)}`);
+                return;
+            }
+            throw err;
+        }
+    }
     async close() {
         await this.client.close();
     }

package/dist/mcp/session-manager.js

@@ -2,6 +2,18 @@ import { loadConfig } from "../config/store.js";
 import { getAuthStatusForAlias, } from "../security/token-store.js";
 import { warn } from "../utils/log.js";
 import { RemoteSession } from "./remote-session.js";
+const DEFAULT_BACKGROUND_REFRESH_INTERVAL_MS = 60_000;
+function resolveBackgroundRefreshIntervalMs() {
+    const raw = process.env.MCP_JIRA_BACKGROUND_REFRESH_INTERVAL_MS;
+    if (!raw) {
+        return DEFAULT_BACKGROUND_REFRESH_INTERVAL_MS;
+    }
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+        return 0;
+    }
+    return Math.floor(parsed);
+}
 export class SessionManager {
     tokenStore;
     scopes;
@@ -9,6 +21,9 @@ export class SessionManager {
     tokenStoreKind;
     sessions = new Map();
     accounts = new Map();
+    backgroundRefreshTimer = null;
+    backgroundRefreshRunning = false;
+    backgroundRefreshStopped = false;
     constructor(tokenStore, scopes, staticClientInfo, tokenStoreKind) {
         this.tokenStore = tokenStore;
         this.scopes = scopes;
@@ -56,7 +71,64 @@ export class SessionManager {
             }
         });
     }
+    async refreshAllTokensOnce() {
+        for (const session of this.sessions.values()) {
+            try {
+                const status = await this.getAccountAuthStatus(session.account.alias, {
+                    allowPrompt: false,
+                });
+                if (status.status !== "ok") {
+                    continue;
+                }
+                await session.refreshTokensInBackground();
+            }
+            catch (err) {
+                warn(`[${session.account.alias}] Background token refresh failed: ${String(err)}`);
+            }
+        }
+    }
+    startBackgroundRefresh(options) {
+        if (this.backgroundRefreshTimer) {
+            return;
+        }
+        const intervalMs = options?.intervalMs ?? resolveBackgroundRefreshIntervalMs();
+        if (intervalMs <= 0) {
+            return;
+        }
+        this.backgroundRefreshStopped = false;
+        const schedule = (delay) => {
+            const timer = setTimeout(run, delay);
+            timer.unref?.();
+            this.backgroundRefreshTimer = timer;
+        };
+        const run = async () => {
+            if (this.backgroundRefreshStopped) {
+                return;
+            }
+            if (this.backgroundRefreshRunning) {
+                schedule(intervalMs);
+                return;
+            }
+            this.backgroundRefreshRunning = true;
+            try {
+                await this.refreshAllTokensOnce();
+            }
+            finally {
+                this.backgroundRefreshRunning = false;
+                schedule(intervalMs);
+            }
+        };
+        schedule(intervalMs);
+    }
+    stopBackgroundRefresh() {
+        this.backgroundRefreshStopped = true;
+        if (this.backgroundRefreshTimer) {
+            clearTimeout(this.backgroundRefreshTimer);
+            this.backgroundRefreshTimer = null;
+        }
+    }
     async closeAll() {
+        this.stopBackgroundRefresh();
         await Promise.all(Array.from(this.sessions.values()).map((session) => session.close()));
     }
 }

package/dist/oauth/atlassian.js

@@ -26,6 +26,17 @@ export function getStaticClientInfoFromEnv(options) {
     }
     return { clientId, clientSecret };
 }
+export function isInvalidGrantError(err) {
+    if (!err || typeof err !== "object") {
+        return false;
+    }
+    const name = err.name;
+    if (name === "InvalidGrantError") {
+        return true;
+    }
+    const message = String(err).toLowerCase();
+    return (message.includes("invalidgranterror") || message.includes("invalid_grant"));
+}
 function toTokenSet(tokens, fallbackScopes) {
     const scopes = tokens.scope
         ? tokens.scope.split(" ").filter(Boolean)
@@ -146,17 +157,54 @@ export class LocalOAuthProvider {
         return this.codeVerifierValue;
     }
 }
-export async function startCallbackServer(expectedState) {
-    const port = await getPort({ port: 3334 });
-    const redirectUri = `http://127.0.0.1:${port}/oauth/callback`;
+function extractRedirectUriFromClientInfo(clientInfo) {
+    if (!clientInfo || typeof clientInfo !== "object") {
+        return;
+    }
+    const redirectUris = clientInfo.redirect_uris;
+    if (!Array.isArray(redirectUris)) {
+        return;
+    }
+    const first = redirectUris[0];
+    if (typeof first !== "string" || first.length === 0) {
+        return;
+    }
+    return first;
+}
+export async function startCallbackServer(expectedState, options) {
+    let redirectUri = options?.redirectUri;
+    if (!redirectUri) {
+        const port = await getPort({ port: 3334 });
+        redirectUri = `http://127.0.0.1:${port}/oauth/callback`;
+    }
+    const redirectUrl = new URL(redirectUri);
+    if (redirectUrl.protocol !== "http:") {
+        throw new Error(`Invalid redirect URI protocol: ${redirectUri}`);
+    }
+    if (redirectUrl.pathname !== "/oauth/callback") {
+        throw new Error(`Invalid redirect URI path: ${redirectUri}`);
+    }
+    const port = Number(redirectUrl.port);
+    if (!port || Number.isNaN(port)) {
+        throw new Error(`Redirect URI must include an explicit port (e.g. http://127.0.0.1:3334/oauth/callback), got: ${redirectUri}`);
+    }
+    const hostname = redirectUrl.hostname;
     const server = http.createServer();
     let closed = false;
+    const sockets = new Set();
+    server.on("connection", (socket) => {
+        sockets.add(socket);
+        socket.on("close", () => sockets.delete(socket));
+    });
     const close = () => new Promise((resolve) => {
         if (closed) {
             resolve();
             return;
         }
         closed = true;
+        for (const socket of sockets) {
+            socket.destroy();
+        }
         server.close(() => resolve());
     });
     const codePromise = new Promise((resolve, reject) => {
@@ -176,7 +224,10 @@ export async function startCallbackServer(expectedState) {
                     reject(new Error("Invalid OAuth response"));
                     return;
                 }
-                res.writeHead(200, { "content-type": "text/plain" });
+                res.writeHead(200, {
+                    "content-type": "text/plain",
+                    connection: "close",
+                });
                 res.end("Authentication complete. You can return to the CLI.");
                 resolve(code);
             }
@@ -190,8 +241,21 @@ export async function startCallbackServer(expectedState) {
             }
         });
     });
-    await new Promise((resolve) => {
-        server.listen(port, "127.0.0.1", () => resolve());
+    await new Promise((resolve, reject) => {
+        const onError = (err) => {
+            reject(err);
+        };
+        server.once("error", onError);
+        server.listen(port, hostname, () => {
+            server.off("error", onError);
+            resolve();
+        });
+    }).catch((err) => {
+        const code = err.code;
+        if (code === "EADDRINUSE") {
+            throw new Error(`OAuth callback port ${port} is already in use (redirect URI: ${redirectUri}). Close the other process using it and retry.`);
+        }
+        throw err;
     });
     return { redirectUri, codePromise, close };
 }
@@ -203,9 +267,20 @@ export async function loginWithDynamicOAuth(options) {
         allowRedirect: true,
         staticClientInfo: options.staticClientInfo,
     });
-    const { redirectUri, codePromise, close } = await startCallbackServer(provider.getState());
+    const redirectUriFromEnv = process.env.MCP_JIRA_REDIRECT_URI;
+    let redirectUri = redirectUriFromEnv;
+    if (!redirectUri) {
+        if (options.staticClientInfo) {
+            redirectUri = "http://127.0.0.1:3334/oauth/callback";
+        }
+        else {
+            const clientInfo = await provider.clientInformation();
+            redirectUri = extractRedirectUriFromClientInfo(clientInfo);
+        }
+    }
+    const { redirectUri: callbackRedirectUri, codePromise, close, } = await startCallbackServer(provider.getState(), { redirectUri });
     try {
-        provider.setRedirectUrl(redirectUri);
+        provider.setRedirectUrl(callbackRedirectUri);
         const result = await auth(provider, {
             serverUrl: MCP_SERVER_URL,
             scope: options.scopes.join(" "),

package/dist/security/token-store.js

@@ -186,6 +186,12 @@ export async function getAuthStatusForAlias(options) {
             reason: "No tokens found. Run login to authenticate this account.",
         };
     }
+    if (tokens.refreshInvalid) {
+        return {
+            status: "invalid",
+            reason: `Stored refresh token is invalid. Run \`mcp-multi-jira login ${options.alias}\` to reauthenticate this account.`,
+        };
+    }
     if (tokens.expiresAt < Date.now() && !tokens.refreshToken) {
         return {
             status: "expired",

package/package.json

@@ -1,8 +1,13 @@
 {
   "name": "mcp-multi-jira",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Multi-account Jira MCP server",
   "license": "MIT",
+  "homepage": "https://github.com/iipanda/mcp-multi-jira#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/iipanda/mcp-multi-jira.git"
+  },
   "keywords": [
     "mcp",
     "model-context-protocol",

package/dist/mcp/mock.js

@@ -1,63 +0,0 @@
-const account = {
-    alias: "mock",
-    site: "mock://jira",
-    cloudId: "mock",
-};
-const tools = [
-    {
-        name: "mockEcho",
-        description: "Echoes arguments back as JSON.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                cloudId: { type: "string" },
-                jql: { type: "string" },
-            },
-            required: ["cloudId", "jql"],
-        },
-    },
-    {
-        name: "mockSecondTool",
-        description: "Second tool for pass-through tests.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                cloudId: { type: "string" },
-                query: { type: "string" },
-            },
-            required: ["cloudId", "query"],
-        },
-    },
-];
-const session = {
-    async listTools() {
-        return tools;
-    },
-    async callTool(_name, args) {
-        return {
-            content: [
-                {
-                    type: "text",
-                    text: JSON.stringify(args),
-                },
-            ],
-            structuredContent: args,
-        };
-    },
-};
-export function createMockSessionManager() {
-    return {
-        listAccounts() {
-            return [account];
-        },
-        getSession(alias) {
-            if (alias === account.alias) {
-                return session;
-            }
-            return null;
-        },
-        async getAccountAuthStatus() {
-            return { status: "ok" };
-        },
-    };
-}

package/dist/mcp/remoteSession.js

@@ -1,163 +0,0 @@
-import { Client } from "@modelcontextprotocol/sdk/client/index.js";
-import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
-import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-import PQueue from "p-queue";
-import { MCP_SERVER_URL, MCP_SSE_URL, refreshTokensIfNeeded, } from "../oauth/atlassian.js";
-import { debug, warn } from "../utils/log.js";
-export class RemoteSession {
-    account;
-    tokenStore;
-    scopes;
-    staticClientInfo;
-    client;
-    connected = false;
-    queue;
-    tokens = null;
-    constructor(account, tokenStore, scopes, staticClientInfo) {
-        this.account = account;
-        this.tokenStore = tokenStore;
-        this.scopes = scopes;
-        this.staticClientInfo = staticClientInfo;
-        this.client = this.createClient();
-        this.queue = new PQueue({ concurrency: 4 });
-    }
-    createClient() {
-        return new Client({ name: "mcp-jira", version: "0.1.0" });
-    }
-    async loadTokens() {
-        const stored = await this.tokenStore.get(this.account.alias);
-        if (!stored) {
-            throw new Error(`No tokens found for account ${this.account.alias}. Run login first.`);
-        }
-        this.tokens = stored;
-    }
-    tokenNeedsRefresh() {
-        if (!this.tokens) {
-            return true;
-        }
-        const now = Date.now();
-        return this.tokens.expiresAt < now + 5 * 60 * 1000;
-    }
-    async ensureValidTokens() {
-        if (!this.tokens) {
-            await this.loadTokens();
-        }
-        if (this.tokenNeedsRefresh()) {
-            if (!this.tokens?.refreshToken) {
-                throw new Error(`Tokens for ${this.account.alias} have expired and no refresh token is available.`);
-            }
-            const refreshed = await refreshTokensIfNeeded({
-                alias: this.account.alias,
-                tokenStore: this.tokenStore,
-                scopes: this.scopes,
-                staticClientInfo: this.staticClientInfo,
-            });
-            this.tokens = refreshed;
-        }
-    }
-    async connectStreamableHttp() {
-        if (!this.tokens) {
-            throw new Error("Missing tokens");
-        }
-        const transport = new StreamableHTTPClientTransport(new URL(MCP_SERVER_URL), {
-            requestInit: {
-                headers: {
-                    authorization: `Bearer ${this.tokens.accessToken}`,
-                },
-            },
-        });
-        await this.client.connect(transport);
-        this.connected = true;
-    }
-    async connectSse() {
-        if (!this.tokens) {
-            throw new Error("Missing tokens");
-        }
-        const transport = new SSEClientTransport(new URL(MCP_SSE_URL), {
-            requestInit: {
-                headers: {
-                    authorization: `Bearer ${this.tokens.accessToken}`,
-                },
-            },
-            eventSourceInit: {
-                headers: {
-                    authorization: `Bearer ${this.tokens.accessToken}`,
-                },
-            },
-        });
-        await this.client.connect(transport);
-        this.connected = true;
-    }
-    async connect() {
-        await this.ensureValidTokens();
-        if (this.connected) {
-            return;
-        }
-        try {
-            await this.connectStreamableHttp();
-            debug(`[${this.account.alias}] Connected via Streamable HTTP`);
-        }
-        catch (err) {
-            warn(`[${this.account.alias}] Streamable HTTP failed, falling back to SSE: ${String(err)}`);
-            await this.connectSse();
-        }
-    }
-    async refreshAndReconnect() {
-        await this.ensureValidTokens();
-        await this.client.close();
-        this.client = this.createClient();
-        this.connected = false;
-        await this.connect();
-    }
-    shouldRefreshOnError(err) {
-        if (!err || typeof err !== "object") {
-            return false;
-        }
-        const code = err.code;
-        if (code === 401 || code === 403) {
-            return true;
-        }
-        const message = String(err);
-        return (message.toLowerCase().includes("unauthorized") ||
-            message.toLowerCase().includes("forbidden"));
-    }
-    async listTools() {
-        if (!this.connected) {
-            await this.connect();
-        }
-        const tools = [];
-        let cursor;
-        do {
-            const result = await this.client.listTools({ cursor });
-            tools.push(...result.tools);
-            cursor = result.nextCursor;
-        } while (cursor);
-        return tools;
-    }
-    async callTool(name, args) {
-        if (!this.connected) {
-            await this.connect();
-        }
-        return this.queue.add(async () => {
-            try {
-                return await this.client.callTool({
-                    name,
-                    arguments: args,
-                });
-            }
-            catch (err) {
-                if (this.shouldRefreshOnError(err)) {
-                    await this.refreshAndReconnect();
-                    return this.client.callTool({
-                        name,
-                        arguments: args,
-                    });
-                }
-                throw err;
-            }
-        });
-    }
-    async close() {
-        await this.client.close();
-    }
-}

package/dist/mcp/sessionManager.js

@@ -1,62 +0,0 @@
-import { loadConfig } from "../config/store.js";
-import { getAuthStatusForAlias } from "../security/tokenStore.js";
-import { RemoteSession } from "./remoteSession.js";
-import { warn } from "../utils/log.js";
-export class SessionManager {
-    tokenStore;
-    scopes;
-    staticClientInfo;
-    tokenStoreKind;
-    sessions = new Map();
-    accounts = new Map();
-    constructor(tokenStore, scopes, staticClientInfo, tokenStoreKind) {
-        this.tokenStore = tokenStore;
-        this.scopes = scopes;
-        this.staticClientInfo = staticClientInfo;
-        this.tokenStoreKind = tokenStoreKind;
-    }
-    async loadAll() {
-        const config = await loadConfig();
-        this.accounts = new Map(Object.values(config.accounts).map((account) => [account.alias, account]));
-        for (const account of this.accounts.values()) {
-            const session = new RemoteSession(account, this.tokenStore, this.scopes, this.staticClientInfo);
-            this.sessions.set(account.alias, session);
-        }
-    }
-    listAccounts() {
-        return Array.from(this.accounts.values());
-    }
-    getSession(alias) {
-        return this.sessions.get(alias) ?? null;
-    }
-    async getAccountAuthStatus(alias, options) {
-        return getAuthStatusForAlias({
-            alias,
-            tokenStore: this.tokenStore,
-            storeKind: this.tokenStoreKind,
-            allowPrompt: options?.allowPrompt ?? false,
-        });
-    }
-    async connectAll() {
-        const sessions = Array.from(this.sessions.values());
-        const results = await Promise.allSettled(sessions.map(async (session) => {
-            const status = await this.getAccountAuthStatus(session.account.alias, {
-                allowPrompt: false,
-            });
-            if (status.status !== "ok") {
-                warn(`[${session.account.alias}] Auth status ${status.status}. ${status.reason ?? "Run login."}`);
-                return;
-            }
-            await session.connect();
-        }));
-        results.forEach((result, index) => {
-            if (result.status === "rejected") {
-                const session = sessions[index];
-                warn(`[${session.account.alias}] Failed to connect: ${String(result.reason)}`);
-            }
-        });
-    }
-    async closeAll() {
-        await Promise.all(Array.from(this.sessions.values()).map((session) => session.close()));
-    }
-}

package/dist/oauth/clientInfoStore.js

@@ -1,29 +0,0 @@
-import crypto from "node:crypto";
-import path from "node:path";
-import { promises as fs } from "node:fs";
-import { configDir } from "../config/paths.js";
-import { atomicWrite, ensureDir } from "../utils/fs.js";
-function hashServerUrl(serverUrl) {
-    return crypto.createHash("sha256").update(serverUrl).digest("hex");
-}
-function clientInfoPath(serverUrl) {
-    return path.join(configDir(), "oauth", hashServerUrl(serverUrl), "client_info.json");
-}
-export async function readClientInfo(serverUrl) {
-    const filePath = clientInfoPath(serverUrl);
-    try {
-        const raw = await fs.readFile(filePath, "utf8");
-        return JSON.parse(raw);
-    }
-    catch (err) {
-        if (err.code === "ENOENT") {
-            return null;
-        }
-        throw err;
-    }
-}
-export async function writeClientInfo(serverUrl, info) {
-    const filePath = clientInfoPath(serverUrl);
-    await ensureDir(path.dirname(filePath));
-    await atomicWrite(filePath, JSON.stringify(info, null, 2));
-}

package/dist/security/tokenStore.js

@@ -1,204 +0,0 @@
-import crypto from "node:crypto";
-import { promises as fs } from "node:fs";
-import path from "node:path";
-import { password as promptPassword } from "@inquirer/prompts";
-import { plainTokenFilePath, tokenFilePath } from "../config/paths.js";
-import { ensureDir, atomicWrite } from "../utils/fs.js";
-const SERVICE_NAME = "mcp-jira";
-const TOKEN_ENV = "MCP_JIRA_TOKEN_PASSWORD";
-let cachedPassword = null;
-async function getMasterPassword(intent) {
-    if (cachedPassword !== null) {
-        return cachedPassword;
-    }
-    if (process.env[TOKEN_ENV] !== undefined) {
-        cachedPassword = process.env[TOKEN_ENV];
-        return cachedPassword;
-    }
-    if (!process.stdin.isTTY) {
-        throw new Error("Encrypted token store requires a password. Set MCP_JIRA_TOKEN_PASSWORD to run non-interactively.");
-    }
-    cachedPassword = await promptPassword({
-        message: intent === "read"
-            ? "Enter master password to unlock Jira tokens"
-            : "Create a master password to encrypt Jira tokens",
-        mask: "*",
-    });
-    return cachedPassword;
-}
-async function loadEncryptedFile(password) {
-    const filePath = tokenFilePath();
-    try {
-        const raw = await fs.readFile(filePath, "utf8");
-        const payload = JSON.parse(raw);
-        if (!payload.ciphertext) {
-            return {};
-        }
-        const salt = Buffer.from(payload.salt, "base64");
-        const iv = Buffer.from(payload.iv, "base64");
-        const tag = Buffer.from(payload.tag, "base64");
-        const ciphertext = Buffer.from(payload.ciphertext, "base64");
-        const key = crypto.scryptSync(password, salt, 32);
-        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
-        decipher.setAuthTag(tag);
-        const decrypted = Buffer.concat([
-            decipher.update(ciphertext),
-            decipher.final(),
-        ]).toString("utf8");
-        return JSON.parse(decrypted);
-    }
-    catch (err) {
-        if (err.code === "ENOENT") {
-            return {};
-        }
-        throw err;
-    }
-}
-async function saveEncryptedFile(password, tokens) {
-    const salt = crypto.randomBytes(16);
-    const iv = crypto.randomBytes(12);
-    const key = crypto.scryptSync(password, salt, 32);
-    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
-    const plaintext = JSON.stringify(tokens);
-    const ciphertext = Buffer.concat([
-        cipher.update(plaintext, "utf8"),
-        cipher.final(),
-    ]);
-    const tag = cipher.getAuthTag();
-    const payload = {
-        version: 1,
-        salt: salt.toString("base64"),
-        iv: iv.toString("base64"),
-        tag: tag.toString("base64"),
-        ciphertext: ciphertext.toString("base64"),
-    };
-    await ensureDir(path.dirname(tokenFilePath()));
-    await atomicWrite(tokenFilePath(), JSON.stringify(payload, null, 2));
-}
-async function loadPlainFile() {
-    const filePath = plainTokenFilePath();
-    try {
-        const raw = await fs.readFile(filePath, "utf8");
-        return JSON.parse(raw);
-    }
-    catch (err) {
-        if (err.code === "ENOENT") {
-            return {};
-        }
-        throw err;
-    }
-}
-async function savePlainFile(tokens) {
-    await ensureDir(path.dirname(plainTokenFilePath()));
-    await atomicWrite(plainTokenFilePath(), JSON.stringify(tokens, null, 2));
-}
-class EncryptedFileTokenStore {
-    async get(alias) {
-        const password = await getMasterPassword("read");
-        const tokens = await loadEncryptedFile(password);
-        return tokens[alias] ?? null;
-    }
-    async set(alias, tokens) {
-        const password = await getMasterPassword("write");
-        const existing = await loadEncryptedFile(password);
-        existing[alias] = tokens;
-        await saveEncryptedFile(password, existing);
-    }
-    async remove(alias) {
-        const password = await getMasterPassword("read");
-        const existing = await loadEncryptedFile(password);
-        if (existing[alias]) {
-            delete existing[alias];
-            await saveEncryptedFile(password, existing);
-        }
-    }
-}
-class PlaintextTokenStore {
-    async get(alias) {
-        const tokens = await loadPlainFile();
-        return tokens[alias] ?? null;
-    }
-    async set(alias, tokens) {
-        const existing = await loadPlainFile();
-        existing[alias] = tokens;
-        await savePlainFile(existing);
-    }
-    async remove(alias) {
-        const existing = await loadPlainFile();
-        if (existing[alias]) {
-            delete existing[alias];
-            await savePlainFile(existing);
-        }
-    }
-}
-class KeytarTokenStore {
-    keytar;
-    constructor(keytar) {
-        this.keytar = keytar;
-    }
-    async get(alias) {
-        const raw = await this.keytar.getPassword(SERVICE_NAME, `tokens:${alias}`);
-        if (!raw) {
-            return null;
-        }
-        return JSON.parse(raw);
-    }
-    async set(alias, tokens) {
-        await this.keytar.setPassword(SERVICE_NAME, `tokens:${alias}`, JSON.stringify(tokens));
-    }
-    async remove(alias) {
-        await this.keytar.deletePassword(SERVICE_NAME, `tokens:${alias}`);
-    }
-}
-async function loadKeytar() {
-    try {
-        const mod = await import("keytar");
-        return mod.default ?? mod;
-    }
-    catch {
-        return null;
-    }
-}
-export async function getAuthStatusForAlias(options) {
-    const allowPrompt = options.allowPrompt ?? false;
-    if (options.storeKind === "encrypted" &&
-        !allowPrompt &&
-        process.env[TOKEN_ENV] === undefined) {
-        return {
-            status: "locked",
-            reason: "Encrypted token store is locked. Set MCP_JIRA_TOKEN_PASSWORD or login interactively.",
-        };
-    }
-    const tokens = await options.tokenStore.get(options.alias);
-    if (!tokens) {
-        return {
-            status: "missing",
-            reason: "No tokens found. Run login to authenticate this account.",
-        };
-    }
-    if (tokens.expiresAt < Date.now() && !tokens.refreshToken) {
-        return {
-            status: "expired",
-            reason: "Token expired and no refresh token available. Run login again.",
-        };
-    }
-    return { status: "ok" };
-}
-export async function createTokenStore(options) {
-    const useKeychain = options?.useKeychain;
-    let store = options?.store ?? "encrypted";
-    if (useKeychain) {
-        store = "keychain";
-    }
-    if (store === "keychain") {
-        const keytar = await loadKeytar();
-        if (!keytar) {
-            throw new Error("Keychain usage requested but keytar could not be loaded. Reinstall dependencies or switch token storage to plain/encrypted.");
-        }
-        return new KeytarTokenStore(keytar);
-    }
-    if (store === "plain") {
-        return new PlaintextTokenStore();
-    }
-    return new EncryptedFileTokenStore();
-}