mcp-multi-jira 0.1.0

package/dist/security/tokenStore.js

@@ -0,0 +1,204 @@
+import crypto from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { password as promptPassword } from "@inquirer/prompts";
+import { plainTokenFilePath, tokenFilePath } from "../config/paths.js";
+import { ensureDir, atomicWrite } from "../utils/fs.js";
+const SERVICE_NAME = "mcp-jira";
+const TOKEN_ENV = "MCP_JIRA_TOKEN_PASSWORD";
+let cachedPassword = null;
+async function getMasterPassword(intent) {
+    if (cachedPassword !== null) {
+        return cachedPassword;
+    }
+    if (process.env[TOKEN_ENV] !== undefined) {
+        cachedPassword = process.env[TOKEN_ENV];
+        return cachedPassword;
+    }
+    if (!process.stdin.isTTY) {
+        throw new Error("Encrypted token store requires a password. Set MCP_JIRA_TOKEN_PASSWORD to run non-interactively.");
+    }
+    cachedPassword = await promptPassword({
+        message: intent === "read"
+            ? "Enter master password to unlock Jira tokens"
+            : "Create a master password to encrypt Jira tokens",
+        mask: "*",
+    });
+    return cachedPassword;
+}
+async function loadEncryptedFile(password) {
+    const filePath = tokenFilePath();
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        const payload = JSON.parse(raw);
+        if (!payload.ciphertext) {
+            return {};
+        }
+        const salt = Buffer.from(payload.salt, "base64");
+        const iv = Buffer.from(payload.iv, "base64");
+        const tag = Buffer.from(payload.tag, "base64");
+        const ciphertext = Buffer.from(payload.ciphertext, "base64");
+        const key = crypto.scryptSync(password, salt, 32);
+        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(tag);
+        const decrypted = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]).toString("utf8");
+        return JSON.parse(decrypted);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+}
+async function saveEncryptedFile(password, tokens) {
+    const salt = crypto.randomBytes(16);
+    const iv = crypto.randomBytes(12);
+    const key = crypto.scryptSync(password, salt, 32);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const plaintext = JSON.stringify(tokens);
+    const ciphertext = Buffer.concat([
+        cipher.update(plaintext, "utf8"),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    const payload = {
+        version: 1,
+        salt: salt.toString("base64"),
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+    };
+    await ensureDir(path.dirname(tokenFilePath()));
+    await atomicWrite(tokenFilePath(), JSON.stringify(payload, null, 2));
+}
+async function loadPlainFile() {
+    const filePath = plainTokenFilePath();
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+}
+async function savePlainFile(tokens) {
+    await ensureDir(path.dirname(plainTokenFilePath()));
+    await atomicWrite(plainTokenFilePath(), JSON.stringify(tokens, null, 2));
+}
+class EncryptedFileTokenStore {
+    async get(alias) {
+        const password = await getMasterPassword("read");
+        const tokens = await loadEncryptedFile(password);
+        return tokens[alias] ?? null;
+    }
+    async set(alias, tokens) {
+        const password = await getMasterPassword("write");
+        const existing = await loadEncryptedFile(password);
+        existing[alias] = tokens;
+        await saveEncryptedFile(password, existing);
+    }
+    async remove(alias) {
+        const password = await getMasterPassword("read");
+        const existing = await loadEncryptedFile(password);
+        if (existing[alias]) {
+            delete existing[alias];
+            await saveEncryptedFile(password, existing);
+        }
+    }
+}
+class PlaintextTokenStore {
+    async get(alias) {
+        const tokens = await loadPlainFile();
+        return tokens[alias] ?? null;
+    }
+    async set(alias, tokens) {
+        const existing = await loadPlainFile();
+        existing[alias] = tokens;
+        await savePlainFile(existing);
+    }
+    async remove(alias) {
+        const existing = await loadPlainFile();
+        if (existing[alias]) {
+            delete existing[alias];
+            await savePlainFile(existing);
+        }
+    }
+}
+class KeytarTokenStore {
+    keytar;
+    constructor(keytar) {
+        this.keytar = keytar;
+    }
+    async get(alias) {
+        const raw = await this.keytar.getPassword(SERVICE_NAME, `tokens:${alias}`);
+        if (!raw) {
+            return null;
+        }
+        return JSON.parse(raw);
+    }
+    async set(alias, tokens) {
+        await this.keytar.setPassword(SERVICE_NAME, `tokens:${alias}`, JSON.stringify(tokens));
+    }
+    async remove(alias) {
+        await this.keytar.deletePassword(SERVICE_NAME, `tokens:${alias}`);
+    }
+}
+async function loadKeytar() {
+    try {
+        const mod = await import("keytar");
+        return mod.default ?? mod;
+    }
+    catch {
+        return null;
+    }
+}
+export async function getAuthStatusForAlias(options) {
+    const allowPrompt = options.allowPrompt ?? false;
+    if (options.storeKind === "encrypted" &&
+        !allowPrompt &&
+        process.env[TOKEN_ENV] === undefined) {
+        return {
+            status: "locked",
+            reason: "Encrypted token store is locked. Set MCP_JIRA_TOKEN_PASSWORD or login interactively.",
+        };
+    }
+    const tokens = await options.tokenStore.get(options.alias);
+    if (!tokens) {
+        return {
+            status: "missing",
+            reason: "No tokens found. Run login to authenticate this account.",
+        };
+    }
+    if (tokens.expiresAt < Date.now() && !tokens.refreshToken) {
+        return {
+            status: "expired",
+            reason: "Token expired and no refresh token available. Run login again.",
+        };
+    }
+    return { status: "ok" };
+}
+export async function createTokenStore(options) {
+    const useKeychain = options?.useKeychain;
+    let store = options?.store ?? "encrypted";
+    if (useKeychain) {
+        store = "keychain";
+    }
+    if (store === "keychain") {
+        const keytar = await loadKeytar();
+        if (!keytar) {
+            throw new Error("Keychain usage requested but keytar could not be loaded. Reinstall dependencies or switch token storage to plain/encrypted.");
+        }
+        return new KeytarTokenStore(keytar);
+    }
+    if (store === "plain") {
+        return new PlaintextTokenStore();
+    }
+    return new EncryptedFileTokenStore();
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/dist/utils/fs.js

@@ -0,0 +1,28 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+export async function ensureDir(dir) {
+    await fs.mkdir(dir, { recursive: true });
+}
+export async function atomicWrite(filePath, contents) {
+    const dir = path.dirname(filePath);
+    const tempPath = path.join(dir, `.tmp-${Date.now()}-${process.pid}`);
+    await fs.writeFile(tempPath, contents, "utf8");
+    try {
+        await fs.rename(tempPath, filePath);
+    }
+    catch (err) {
+        try {
+            await fs.unlink(tempPath);
+        }
+        catch {
+            // ignore cleanup errors
+        }
+        throw err;
+    }
+}
+export async function backupFile(filePath) {
+    const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+    const backupPath = `${filePath}.${timestamp}.bak`;
+    await fs.copyFile(filePath, backupPath);
+    return backupPath;
+}

package/dist/utils/log.js

@@ -0,0 +1,30 @@
+const debugEnabled = process.env.MCP_JIRA_DEBUG === "1" || process.env.MCP_JIRA_DEBUG === "true";
+let logTarget = process.env.MCP_JIRA_LOG_STDERR === "1" ||
+    process.env.MCP_JIRA_LOG_STDERR === "true"
+    ? "stderr"
+    : "stdout";
+export function setLogTarget(target) {
+    logTarget = target;
+}
+function logLine(message) {
+    if (logTarget === "stderr") {
+        console.error(message);
+        return;
+    }
+    console.log(message);
+}
+export function info(message) {
+    logLine(message);
+}
+export function warn(message) {
+    console.error(message);
+}
+export function error(message) {
+    console.error(message);
+}
+export function debug(message) {
+    if (!debugEnabled) {
+        return;
+    }
+    logLine(message);
+}

package/dist/version.js

@@ -0,0 +1,4 @@
+import { readFileSync } from "node:fs";
+const packageJsonUrl = new URL("../package.json", import.meta.url);
+const packageJson = JSON.parse(readFileSync(packageJsonUrl, "utf-8"));
+export const PACKAGE_VERSION = packageJson.version ?? "0.0.0";

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "mcp-multi-jira",
+  "version": "0.1.0",
+  "description": "Multi-account Jira MCP server",
+  "license": "MIT",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "modelcontextprotocol",
+    "jira",
+    "atlassian",
+    "confluence",
+    "multi-account",
+    "oauth",
+    "router",
+    "proxy",
+    "cli",
+    "cursor",
+    "claude",
+    "codex",
+    "stdio"
+  ],
+  "bin": {
+    "mcp-multi-jira": "dist/cli.js"
+  },
+  "module": "src/cli.ts",
+  "type": "module",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "bun test",
+    "check": "biome check . --error-on-warnings",
+    "fix": "ultracite fix"
+  },
+  "dependencies": {
+    "@iarna/toml": "^2.2.5",
+    "@inquirer/prompts": "^8.1.0",
+    "@modelcontextprotocol/sdk": "^1.25.1",
+    "commander": "^14.0.2",
+    "get-port": "^7.1.0",
+    "keytar": "^7.9.0",
+    "open": "^11.0.0",
+    "p-queue": "^9.0.1",
+    "zod": "^4.2.1"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "2.3.10",
+    "@types/bun": "^1.3.5",
+    "@types/node": "^25.0.3",
+    "typescript": "^5.9.3",
+    "ultracite": "6.4.2"
+  }
+}