mcp-multi-jira 0.1.0

package/dist/mcp/sessionManager.js

@@ -0,0 +1,62 @@
+import { loadConfig } from "../config/store.js";
+import { getAuthStatusForAlias } from "../security/tokenStore.js";
+import { RemoteSession } from "./remoteSession.js";
+import { warn } from "../utils/log.js";
+export class SessionManager {
+    tokenStore;
+    scopes;
+    staticClientInfo;
+    tokenStoreKind;
+    sessions = new Map();
+    accounts = new Map();
+    constructor(tokenStore, scopes, staticClientInfo, tokenStoreKind) {
+        this.tokenStore = tokenStore;
+        this.scopes = scopes;
+        this.staticClientInfo = staticClientInfo;
+        this.tokenStoreKind = tokenStoreKind;
+    }
+    async loadAll() {
+        const config = await loadConfig();
+        this.accounts = new Map(Object.values(config.accounts).map((account) => [account.alias, account]));
+        for (const account of this.accounts.values()) {
+            const session = new RemoteSession(account, this.tokenStore, this.scopes, this.staticClientInfo);
+            this.sessions.set(account.alias, session);
+        }
+    }
+    listAccounts() {
+        return Array.from(this.accounts.values());
+    }
+    getSession(alias) {
+        return this.sessions.get(alias) ?? null;
+    }
+    async getAccountAuthStatus(alias, options) {
+        return getAuthStatusForAlias({
+            alias,
+            tokenStore: this.tokenStore,
+            storeKind: this.tokenStoreKind,
+            allowPrompt: options?.allowPrompt ?? false,
+        });
+    }
+    async connectAll() {
+        const sessions = Array.from(this.sessions.values());
+        const results = await Promise.allSettled(sessions.map(async (session) => {
+            const status = await this.getAccountAuthStatus(session.account.alias, {
+                allowPrompt: false,
+            });
+            if (status.status !== "ok") {
+                warn(`[${session.account.alias}] Auth status ${status.status}. ${status.reason ?? "Run login."}`);
+                return;
+            }
+            await session.connect();
+        }));
+        results.forEach((result, index) => {
+            if (result.status === "rejected") {
+                const session = sessions[index];
+                warn(`[${session.account.alias}] Failed to connect: ${String(result.reason)}`);
+            }
+        });
+    }
+    async closeAll() {
+        await Promise.all(Array.from(this.sessions.values()).map((session) => session.close()));
+    }
+}

package/dist/mcp/types.js

@@ -0,0 +1 @@
+export {};

package/dist/oauth/atlassian.js

@@ -0,0 +1,272 @@
+import crypto from "node:crypto";
+import http from "node:http";
+import { URL } from "node:url";
+import { auth, discoverAuthorizationServerMetadata, discoverOAuthProtectedResourceMetadata, refreshAuthorization, selectResourceURL, } from "@modelcontextprotocol/sdk/client/auth.js";
+import getPort from "get-port";
+import open from "open";
+import { debug, info, warn } from "../utils/log.js";
+import { readClientInfo, writeClientInfo } from "./client-info-store.js";
+export const DEFAULT_SCOPES = [
+    "offline_access",
+    "read:jira-work",
+    "write:jira-work",
+    "read:jira-user",
+];
+export const MCP_SERVER_URL = process.env.MCP_JIRA_ENDPOINT ?? "https://mcp.atlassian.com/v1/mcp";
+export const MCP_SSE_URL = process.env.MCP_JIRA_SSE_ENDPOINT ?? "https://mcp.atlassian.com/v1/sse";
+export function getStaticClientInfoFromEnv(options) {
+    const clientId = options?.clientId ||
+        process.env.MCP_JIRA_CLIENT_ID ||
+        process.env.ATLASSIAN_CLIENT_ID;
+    const clientSecret = options?.clientSecret ||
+        process.env.MCP_JIRA_CLIENT_SECRET ||
+        process.env.ATLASSIAN_CLIENT_SECRET;
+    if (!clientId) {
+        return null;
+    }
+    return { clientId, clientSecret };
+}
+function toTokenSet(tokens, fallbackScopes) {
+    const scopes = tokens.scope
+        ? tokens.scope.split(" ").filter(Boolean)
+        : fallbackScopes;
+    const expiresIn = tokens.expires_in ?? 0;
+    return {
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        expiresAt: Date.now() + expiresIn * 1000,
+        scopes,
+        tokenType: tokens.token_type,
+    };
+}
+function toOAuthTokens(set) {
+    const expiresIn = Math.max(0, Math.floor((set.expiresAt - Date.now()) / 1000));
+    return {
+        access_token: set.accessToken,
+        refresh_token: set.refreshToken,
+        token_type: set.tokenType ?? "Bearer",
+        scope: set.scopes.join(" "),
+        expires_in: expiresIn,
+    };
+}
+export class LocalOAuthProvider {
+    alias;
+    tokenStore;
+    scopes;
+    allowRedirect;
+    staticClientInfo;
+    stateValue = crypto.randomUUID();
+    codeVerifierValue;
+    clientInfoCache;
+    redirectUrlValue;
+    constructor(options) {
+        this.alias = options.alias;
+        this.tokenStore = options.tokenStore;
+        this.scopes = options.scopes;
+        this.allowRedirect = options.allowRedirect;
+        this.staticClientInfo = options.staticClientInfo;
+    }
+    setRedirectUrl(url) {
+        this.redirectUrlValue = url;
+    }
+    getState() {
+        return this.stateValue;
+    }
+    get redirectUrl() {
+        return this.redirectUrlValue;
+    }
+    get clientMetadata() {
+        return {
+            redirect_uris: this.redirectUrlValue ? [this.redirectUrlValue] : [],
+            token_endpoint_auth_method: this.staticClientInfo?.clientSecret
+                ? "client_secret_post"
+                : "none",
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+            client_name: "mcp-jira",
+            client_uri: "https://github.com/",
+            scope: this.scopes.join(" "),
+        };
+    }
+    state() {
+        return this.stateValue;
+    }
+    async clientInformation() {
+        if (this.staticClientInfo) {
+            return {
+                client_id: this.staticClientInfo.clientId,
+                client_secret: this.staticClientInfo.clientSecret,
+                token_endpoint_auth_method: this.staticClientInfo.clientSecret
+                    ? "client_secret_post"
+                    : "none",
+            };
+        }
+        if (this.clientInfoCache !== undefined) {
+            return this.clientInfoCache ?? undefined;
+        }
+        const stored = await readClientInfo(MCP_SERVER_URL);
+        this.clientInfoCache = stored;
+        return stored ?? undefined;
+    }
+    async saveClientInformation(clientInfo) {
+        this.clientInfoCache = clientInfo;
+        await writeClientInfo(MCP_SERVER_URL, clientInfo);
+    }
+    async tokens() {
+        const tokens = await this.tokenStore.get(this.alias);
+        if (!tokens) {
+            return;
+        }
+        return toOAuthTokens(tokens);
+    }
+    async saveTokens(tokens) {
+        const set = toTokenSet(tokens, this.scopes);
+        await this.tokenStore.set(this.alias, set);
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        if (!this.allowRedirect) {
+            throw new Error("Authorization required. Run `mcp-multi-jira login <alias>` to reauthenticate.");
+        }
+        info("Open the following URL in your browser to authorize:");
+        info(authorizationUrl.toString());
+        try {
+            await open(authorizationUrl.toString());
+        }
+        catch (err) {
+            warn(`Failed to open browser automatically: ${String(err)}`);
+        }
+    }
+    saveCodeVerifier(codeVerifier) {
+        this.codeVerifierValue = codeVerifier;
+    }
+    codeVerifier() {
+        if (!this.codeVerifierValue) {
+            throw new Error("Missing OAuth code verifier.");
+        }
+        return this.codeVerifierValue;
+    }
+}
+export async function startCallbackServer(expectedState) {
+    const port = await getPort({ port: 3334 });
+    const redirectUri = `http://127.0.0.1:${port}/oauth/callback`;
+    const server = http.createServer();
+    let closed = false;
+    const close = () => new Promise((resolve) => {
+        if (closed) {
+            resolve();
+            return;
+        }
+        closed = true;
+        server.close(() => resolve());
+    });
+    const codePromise = new Promise((resolve, reject) => {
+        server.on("request", (req, res) => {
+            try {
+                const url = new URL(req.url ?? "", redirectUri);
+                if (url.pathname !== "/oauth/callback") {
+                    res.writeHead(404);
+                    res.end("Not found");
+                    return;
+                }
+                const code = url.searchParams.get("code");
+                const state = url.searchParams.get("state");
+                if (!code || state !== expectedState) {
+                    res.writeHead(400);
+                    res.end("Invalid OAuth response.");
+                    reject(new Error("Invalid OAuth response"));
+                    return;
+                }
+                res.writeHead(200, { "content-type": "text/plain" });
+                res.end("Authentication complete. You can return to the CLI.");
+                resolve(code);
+            }
+            catch (err) {
+                reject(err);
+            }
+            finally {
+                setTimeout(() => {
+                    close().catch(() => undefined);
+                }, 100);
+            }
+        });
+    });
+    await new Promise((resolve) => {
+        server.listen(port, "127.0.0.1", () => resolve());
+    });
+    return { redirectUri, codePromise, close };
+}
+export async function loginWithDynamicOAuth(options) {
+    const provider = new LocalOAuthProvider({
+        alias: options.alias,
+        tokenStore: options.tokenStore,
+        scopes: options.scopes,
+        allowRedirect: true,
+        staticClientInfo: options.staticClientInfo,
+    });
+    const { redirectUri, codePromise, close } = await startCallbackServer(provider.getState());
+    try {
+        provider.setRedirectUrl(redirectUri);
+        const result = await auth(provider, {
+            serverUrl: MCP_SERVER_URL,
+            scope: options.scopes.join(" "),
+        });
+        if (result !== "REDIRECT") {
+            await close();
+            return;
+        }
+        const code = await codePromise;
+        await auth(provider, {
+            serverUrl: MCP_SERVER_URL,
+            authorizationCode: code,
+            scope: options.scopes.join(" "),
+        });
+    }
+    finally {
+        await close();
+    }
+}
+export async function refreshTokensIfNeeded(options) {
+    const existing = await options.tokenStore.get(options.alias);
+    if (!existing) {
+        throw new Error("Missing stored tokens.");
+    }
+    const now = Date.now();
+    if (existing.expiresAt > now + 5 * 60 * 1000) {
+        return existing;
+    }
+    if (!existing.refreshToken) {
+        throw new Error("No refresh token available. Please login again.");
+    }
+    const provider = new LocalOAuthProvider({
+        alias: options.alias,
+        tokenStore: options.tokenStore,
+        scopes: options.scopes,
+        allowRedirect: false,
+        staticClientInfo: options.staticClientInfo,
+    });
+    const clientInfo = await provider.clientInformation();
+    if (!clientInfo) {
+        throw new Error("Missing OAuth client registration. Please login again.");
+    }
+    let resourceMetadata;
+    try {
+        resourceMetadata =
+            await discoverOAuthProtectedResourceMetadata(MCP_SERVER_URL);
+    }
+    catch (err) {
+        debug(`Protected resource metadata lookup failed: ${String(err)}`);
+    }
+    const authServerUrl = resourceMetadata?.authorization_servers?.[0] ??
+        new URL("/", MCP_SERVER_URL);
+    const metadata = await discoverAuthorizationServerMetadata(authServerUrl);
+    const resource = await selectResourceURL(MCP_SERVER_URL, {}, resourceMetadata);
+    const refreshed = await refreshAuthorization(authServerUrl, {
+        metadata,
+        clientInformation: clientInfo,
+        refreshToken: existing.refreshToken,
+        resource,
+    });
+    const updated = toTokenSet(refreshed, options.scopes);
+    await options.tokenStore.set(options.alias, updated);
+    return updated;
+}

package/dist/oauth/client-info-store.js

@@ -0,0 +1,29 @@
+import crypto from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { configDir } from "../config/paths.js";
+import { atomicWrite, ensureDir } from "../utils/fs.js";
+function hashServerUrl(serverUrl) {
+    return crypto.createHash("sha256").update(serverUrl).digest("hex");
+}
+function clientInfoPath(serverUrl) {
+    return path.join(configDir(), "oauth", hashServerUrl(serverUrl), "client_info.json");
+}
+export async function readClientInfo(serverUrl) {
+    const filePath = clientInfoPath(serverUrl);
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function writeClientInfo(serverUrl, info) {
+    const filePath = clientInfoPath(serverUrl);
+    await ensureDir(path.dirname(filePath));
+    await atomicWrite(filePath, JSON.stringify(info, null, 2));
+}

package/dist/oauth/clientInfoStore.js

@@ -0,0 +1,29 @@
+import crypto from "node:crypto";
+import path from "node:path";
+import { promises as fs } from "node:fs";
+import { configDir } from "../config/paths.js";
+import { atomicWrite, ensureDir } from "../utils/fs.js";
+function hashServerUrl(serverUrl) {
+    return crypto.createHash("sha256").update(serverUrl).digest("hex");
+}
+function clientInfoPath(serverUrl) {
+    return path.join(configDir(), "oauth", hashServerUrl(serverUrl), "client_info.json");
+}
+export async function readClientInfo(serverUrl) {
+    const filePath = clientInfoPath(serverUrl);
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function writeClientInfo(serverUrl, info) {
+    const filePath = clientInfoPath(serverUrl);
+    await ensureDir(path.dirname(filePath));
+    await atomicWrite(filePath, JSON.stringify(info, null, 2));
+}

package/dist/security/token-store.js

@@ -0,0 +1,214 @@
+import crypto from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { password as promptPassword } from "@inquirer/prompts";
+import PQueue from "p-queue";
+import { plainTokenFilePath, tokenFilePath } from "../config/paths.js";
+import { atomicWrite, ensureDir } from "../utils/fs.js";
+const SERVICE_NAME = "mcp-jira";
+const TOKEN_ENV = "MCP_JIRA_TOKEN_PASSWORD";
+let cachedPassword = null;
+const fileStoreQueue = new PQueue({ concurrency: 1 });
+async function getMasterPassword(intent) {
+    if (cachedPassword !== null) {
+        return cachedPassword;
+    }
+    if (process.env[TOKEN_ENV] !== undefined) {
+        cachedPassword = process.env[TOKEN_ENV];
+        return cachedPassword;
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error("Encrypted token store requires a password. Set MCP_JIRA_TOKEN_PASSWORD to run non-interactively.");
+    }
+    cachedPassword = await promptPassword({
+        message: intent === "read"
+            ? "Enter master password to unlock Jira tokens"
+            : "Create a master password to encrypt Jira tokens",
+        mask: "*",
+    });
+    return cachedPassword;
+}
+async function loadEncryptedFile(password) {
+    const filePath = tokenFilePath();
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        const payload = JSON.parse(raw);
+        if (!payload.ciphertext) {
+            return {};
+        }
+        const salt = Buffer.from(payload.salt, "base64");
+        const iv = Buffer.from(payload.iv, "base64");
+        const tag = Buffer.from(payload.tag, "base64");
+        const ciphertext = Buffer.from(payload.ciphertext, "base64");
+        const key = crypto.scryptSync(password, salt, 32);
+        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(tag);
+        const decrypted = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]).toString("utf8");
+        return JSON.parse(decrypted);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+}
+async function saveEncryptedFile(password, tokens) {
+    const salt = crypto.randomBytes(16);
+    const iv = crypto.randomBytes(12);
+    const key = crypto.scryptSync(password, salt, 32);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const plaintext = JSON.stringify(tokens);
+    const ciphertext = Buffer.concat([
+        cipher.update(plaintext, "utf8"),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    const payload = {
+        version: 1,
+        salt: salt.toString("base64"),
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+    };
+    await ensureDir(path.dirname(tokenFilePath()));
+    await atomicWrite(tokenFilePath(), JSON.stringify(payload, null, 2));
+}
+async function loadPlainFile() {
+    const filePath = plainTokenFilePath();
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+}
+async function savePlainFile(tokens) {
+    await ensureDir(path.dirname(plainTokenFilePath()));
+    await atomicWrite(plainTokenFilePath(), JSON.stringify(tokens, null, 2));
+}
+class EncryptedFileTokenStore {
+    async get(alias) {
+        const password = await getMasterPassword("read");
+        const tokens = await loadEncryptedFile(password);
+        return tokens[alias] ?? null;
+    }
+    async set(alias, tokens) {
+        await fileStoreQueue.add(async () => {
+            const password = await getMasterPassword("write");
+            const existing = await loadEncryptedFile(password);
+            existing[alias] = tokens;
+            await saveEncryptedFile(password, existing);
+        });
+    }
+    async remove(alias) {
+        await fileStoreQueue.add(async () => {
+            const password = await getMasterPassword("read");
+            const existing = await loadEncryptedFile(password);
+            if (existing[alias]) {
+                delete existing[alias];
+                await saveEncryptedFile(password, existing);
+            }
+        });
+    }
+}
+class PlaintextTokenStore {
+    async get(alias) {
+        const tokens = await loadPlainFile();
+        return tokens[alias] ?? null;
+    }
+    async set(alias, tokens) {
+        await fileStoreQueue.add(async () => {
+            const existing = await loadPlainFile();
+            existing[alias] = tokens;
+            await savePlainFile(existing);
+        });
+    }
+    async remove(alias) {
+        await fileStoreQueue.add(async () => {
+            const existing = await loadPlainFile();
+            if (existing[alias]) {
+                delete existing[alias];
+                await savePlainFile(existing);
+            }
+        });
+    }
+}
+class KeytarTokenStore {
+    keytar;
+    constructor(keytar) {
+        this.keytar = keytar;
+    }
+    async get(alias) {
+        const raw = await this.keytar.getPassword(SERVICE_NAME, `tokens:${alias}`);
+        if (!raw) {
+            return null;
+        }
+        return JSON.parse(raw);
+    }
+    async set(alias, tokens) {
+        await this.keytar.setPassword(SERVICE_NAME, `tokens:${alias}`, JSON.stringify(tokens));
+    }
+    async remove(alias) {
+        await this.keytar.deletePassword(SERVICE_NAME, `tokens:${alias}`);
+    }
+}
+async function loadKeytar() {
+    try {
+        const mod = await import("keytar");
+        return mod.default ?? mod;
+    }
+    catch {
+        return null;
+    }
+}
+export async function getAuthStatusForAlias(options) {
+    const allowPrompt = options.allowPrompt ?? false;
+    if (options.storeKind === "encrypted" &&
+        !allowPrompt &&
+        process.env[TOKEN_ENV] === undefined) {
+        return {
+            status: "locked",
+            reason: "Encrypted token store is locked. Set MCP_JIRA_TOKEN_PASSWORD or login interactively.",
+        };
+    }
+    const tokens = await options.tokenStore.get(options.alias);
+    if (!tokens) {
+        return {
+            status: "missing",
+            reason: "No tokens found. Run login to authenticate this account.",
+        };
+    }
+    if (tokens.expiresAt < Date.now() && !tokens.refreshToken) {
+        return {
+            status: "expired",
+            reason: "Token expired and no refresh token available. Run login again.",
+        };
+    }
+    return { status: "ok" };
+}
+export async function createTokenStore(options) {
+    const useKeychain = options?.useKeychain;
+    let store = options?.store ?? "encrypted";
+    if (useKeychain) {
+        store = "keychain";
+    }
+    if (store === "keychain") {
+        const keytar = await loadKeytar();
+        if (!keytar) {
+            throw new Error("Keychain usage requested but keytar could not be loaded. Reinstall dependencies or switch token storage to plain/encrypted.");
+        }
+        return new KeytarTokenStore(keytar);
+    }
+    if (store === "plain") {
+        return new PlaintextTokenStore();
+    }
+    return new EncryptedFileTokenStore();
+}